Saturday, October 16, 2021

Throughput calculator for Cisco ASA

Hi, I have an ASA firewall with 4 ISPs connected. I often see packet drops on one of the interfaces when it hits 90% utilization (1G link). According to the documentation this firewall supports 4G throughput. I am using 4 interfaces out of 8.

I need to know an easy way to calculate throughput on the firewall. Can you suggest one, please?



Aruba InstantOn handoff improvement tips?

Working with a small office client that has a Wi-Fi network consisting of 6 Aruba InstantOn AP22 access points. They chose these devices for ease of management and cost, given their size. All well and good, but the handoffs for devices seem atrocious. Cell phones and laptops will stay connected to a weak AP and suffer service degradation rather than handing over.

They have a messaging display in the lobby that basically loses its connection a couple of times a day, seemingly because it is in range of two APs and at some point either tries to hand off and fails or otherwise experiences an issue that basically locks up the display OS.

Looking at the AP management interface, it is obviously dialed down for simple management. I'm going to dig into them some more tomorrow, but in the meantime I wanted to see if anyone has experience with these devices and could offer some tips for improvement. I would expect this system to function significantly better since it supports Wi-Fi 6 and therefore 802.11k, r and v.



What configuration or setup changes to the network are needed to add Squid for content filtering?

Our network is set up as below:

ISP (Huawei AR2200 router), then Cisco switch (2960), then desktops and one server (Windows Server 2019).

I want to add Squid (or another product if you recommend one) to the server for content filtering.

Do we need to change the current network setup, i.e. should all network traffic flow through the server (Win 2019) in order to filter content?



Struggling with HP VLANs and tagging.

Apologies if this is too basic. It's not homelab related, as I'm reviewing switches in production, but it's probably very basic for this group. Feel free to close/delete it if it's too simple for this group.

Hey everyone, I've started a new job and networking is something I will finally start doing. I will be managing a variety of Cisco and HP switches. I took the CCNA & CCNP courses back in college (8+ years ago) but I was never able to get into a networking role within my city.

I was reviewing a very basic configuration on an HP switch in the office and I'm struggling with a few items regarding VLANs and tagging.

This is what the config looks like:

vlan 1
   name "Default VLAN"
   no untagged 5,7
   untagged 1-4,6,8-10
   ip address 10.10.10.15 255.255.0.0
   exit

vlan 40
   name "VLAN40"
   tagged 1-10
   no ip address
   exit

vlan 50
   name "VLAN50"
   untagged 5,7
   tagged 10
   no ip address
   exit

Now from what I've read, the terminology between Cisco and HP differs.

Cisco speak = ProCurve (most of the industry) speak:
Access port = untagged port
Trunk port = tagged port (802.1Q)
Etherchannel/FEC = Trunk or LACP

So, reviewing the configuration, I'm a bit confused by the HP speak.

VLAN 1 shows that ports 1-4,6,8-10 are "untagged", thus making them access ports.
VLAN 1 shows "no untagged 5,7"; does this mean that ports 5,7 are a trunk?

VLAN 40 has ports 1-10 tagged, so all ports are trunks.

VLAN 50 has ports 5,7 as access ports.
VLAN 50 also has a trunk on port 10.

What is confusing me are these tagged ports. VLAN 40 has 1-10 tagged and VLAN 50 has port 10 tagged.
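Added example, not part of the post above and not from HP: a small Python script that inverts the VLAN-centric ProCurve config into a per-port view and labels each port in Cisco terms (any tagged VLAN makes the port a trunk; its untagged VLAN, if any, is what Cisco calls the native VLAN). The config text is the one in the post, retyped; the role labels and the "trunk still native on VLAN 1" check at the end are my own additions.

```python
import re
from collections import defaultdict

# Constructed input: the three VLAN stanzas from the post above, retyped in
# ProCurve running-config layout.
SAMPLE_CONFIG = """\
vlan 1
   name "Default VLAN"
   no untagged 5,7
   untagged 1-4,6,8-10
   ip address 10.10.10.15 255.255.0.0
   exit
vlan 40
   name "VLAN40"
   tagged 1-10
   no ip address
   exit
vlan 50
   name "VLAN50"
   untagged 5,7
   tagged 10
   no ip address
   exit
"""

def expand_ports(spec):
    """'1-4,6,8-10' -> [1, 2, 3, 4, 6, 8, 9, 10] (numeric port ids only)."""
    ports = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.extend(range(lo, hi + 1))
        elif part:
            ports.append(int(part))
    return ports

def parse_vlan_membership(config):
    """Invert the VLAN-centric config into a port-centric view:
    {port: {"untagged": vlan or None, "tagged": set of vlans}}."""
    ports = defaultdict(lambda: {"untagged": None, "tagged": set()})
    vlan = None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"^vlan\s+(\d+)$", line, re.IGNORECASE)
        if m:
            vlan = int(m.group(1))
            continue
        m = re.match(r"^(no\s+)?(untagged|tagged)\s+(\S+)$", line, re.IGNORECASE)
        if not m or vlan is None:
            continue
        negate, kind, spec = bool(m.group(1)), m.group(2).lower(), m.group(3)
        for port in expand_ports(spec):
            entry = ports[port]
            if kind == "untagged":
                if negate and entry["untagged"] == vlan:
                    entry["untagged"] = None
                elif not negate:
                    entry["untagged"] = vlan   # a port has at most one untagged VLAN
            elif negate:
                entry["tagged"].discard(vlan)
            else:
                entry["tagged"].add(vlan)
    return dict(ports)

def classify(entry):
    """Cisco-speak role of one port. A port with any tagged VLAN is a trunk;
    its untagged VLAN, if any, is what Cisco calls the native VLAN."""
    untagged, tagged = entry["untagged"], sorted(entry["tagged"])
    if tagged and untagged is not None:
        return f"trunk, native VLAN {untagged}, tagged {tagged}"
    if tagged:
        return f"trunk, tagged only {tagged}"
    if untagged is not None:
        return f"access, VLAN {untagged}"
    return "no VLAN membership"

def native_vlan_1_trunks(ports):
    """Trunk ports whose untagged (native) VLAN is still VLAN 1: the usual
    hardening finding, since untagged frames arriving on them land in VLAN 1."""
    return [p for p, e in ports.items() if e["tagged"] and e["untagged"] == 1]

if __name__ == "__main__":
    ports = parse_vlan_membership(SAMPLE_CONFIG)
    for port in sorted(ports):
        print(f"port {port:2d}: {classify(ports[port])}")
    print("trunks with native VLAN 1:", sorted(native_vlan_1_trunks(ports)))
```

Run against the posted config it reports every port 1-10 as a trunk (all carry VLAN 40 tagged), ports 5 and 7 with native VLAN 50, port 10 with tagged 40 and 50, and the rest with native VLAN 1, which is the part worth reviewing on a production switch.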



Device that provides console over ethernet like IPMI.

Hi,

I have a Mac mini and an Ubuntu box that I run headless. However, there are times I need to plug in a monitor, keyboard and mouse, so I physically need to be next to that computer.

Does anyone know of a device that I can plug into the HDMI port on the Mac mini and a USB port (to emulate a keyboard and mouse), and likewise into an Ubuntu desktop that has DisplayPort and USB, which tricks those machines into thinking a keyboard, mouse and monitor are plugged in, and then, with software, lets me access those devices from my Mac mini or Ubuntu desktop to remote control them, so I don't have to physically plug a keyboard, mouse and monitor into them?

Basically, run software on macOS and load up the screen as if I were at the physical console, all done over my network.

Best analogy I can think of is something like IPMI.



Blocked websites on normal browsing, but websites are not blocked while incognito

I have successfully been able to block some websites by their domain name using my BT Home router, but when I try to access the websites using an incognito window I can open the websites as if they were not being blocked at all.

I am just curious how the connection in an incognito window works.
Using an incognito window, would the rules that are applied on the router not take effect as well? Should the websites that are blocked in the normal window not also be blocked in the incognito window?

If anybody knows why this happens, it would be great to read your explanation.

Thanks



10G Cable Tester

Hello /r/networking community!

I was looking at (potentially) purchasing a 10G cable tester. The reason I am posting here is that I was curious how different 10G testers compare to each other. I understand that these are not cable certifiers, and currently I do not require a certifier, but having cables tested to see if they can meet certain speeds would be helpful. Why I am posting here instead of just googling the answers is honestly because I feel that these products do not have too much information about them available. I have seen different videos on YouTube regarding them (mostly just a general overview), and read a few articles about them too (but most of these are about very specific things). I mostly just want to know, from real-world examples, how people have fared with these products, and maybe what industry you are in while using them (i.e. IT, AV, CCTV, automation)?

 

The 10G testers in question are:

Fluke LinkIQ: https://www.fluke.com/en-ca/product/network-cable-testers/copper/linkiq-100

Cost: $2,500 (cad) for just unit

Info: A relatively new product (I think it replaces the CableIQ?). Looks extremely basic in function: able to test if a cable works, what speeds it gets, whether it has PoE, whether there is a network on it, and tone cables.

 

netAlly Etherscope nXG (EXG-200): https://www.netally.com/products/etherscopenxg/

Cost: $10,500 (usd) for just unit

Info: A really advanced unit, it seems, with both Ethernet and Wi-Fi testing capabilities. I saw that netAlly seems to support this unit well, with lots of features and upgrades. Can test cables, Wi-Fi, check speeds, check networking issues, fiber testing. I got mixed information on whether it does PoE testing.

 

netAlly Linkrunner 10G (LR10G): https://www.netally.com/products/linkrunner10g/

Cost: $7,800 (cad) for kit including IntelliTone

Info: Seems to be an Etherscope nXG without any Wi-Fi stuff. I don't understand what else is different.

 

Trend Networks SignalTek 10G Pro (157003): https://www.trend-networks.com/can/product/signaltek-10g/

Cost: $7,000 (usd) for just unit

Info: All-around cable testing unit with fiber testing too. Seems to focus on good fiber testing and PoE testing at 10G, and nearly every ad I saw regarding it mentions testing cables for Wi-Fi access points.

 

I know there are some others (like from EXFO and such), so if you think there is another option worth mentioning, please do!

Thanks!

 

Edit: I tried to clean up the formatting, lol



Wide area network file shares

We have someone trying to improve SMB file transfer speeds to a file share from the USA to Europe and Asia from a Windows 10 machine. Within the US the speeds are acceptable due to the lower latency. I remember back in the day, when I was still messing a bit with AD, that distributed file shares were a thing to synchronize file shares across multiple sites. It's been 8 years though and things might have changed. What is the best way to provide lower-latency synchronized shares to clients? We use NetApp a lot; we're a global enterprise with on-prem AD / Azure AD, O365, secure AWS access to 12 regions, etc. What are some of the best current methods to provide this, ensuring files are kept in sync between different regions and allowing for some form of version control or conflict resolution in case of file changes on both ends at the same time?



A question about nmap and egress traffic

In another sub we are talking about egress traffic on port 25 in Oracle Cloud Infrastructure instances. I suggested checking whether this traffic is allowed by running the following test:

telnet in-v3.mailjet.com 25 

OP told me that they ran the following test, with success, showing that egress traffic on port 25 is allowed:

nmap -p 25 in-v3.mailjet.com 25 

My first reaction was to say that this test proves that the other server, the remote, allows ingress traffic on port 25, and that's not what we are looking for. But is that right? I have no idea how nmap works. Does the successful "Host is up" result imply that local egress traffic on port 25 is also open?

Running both in my own OCI instance, the telnet test fails and the nmap test shows "Host is up". Running the telnet test from another location, I can successfully connect to the same remote server.

Originally we were using other remote servers, but I put Mailjet here for consistency. I also tried another remote server with the same results: they allow telnet on port 25, because I also tested from another location; telnet fails for both from OCI, nmap works for both on OCI.

P.S.: I forgot to mention: the following works from the OCI instance, if it makes any difference:

telnet in-v3.mailjet.com 587 
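Added example, not part of the post and not from OCI or Mailjet. nmap's "Host is up" line comes from host discovery (as root: ICMP echo, TCP SYN to 443, TCP ACK to 80 and an ICMP timestamp request; unprivileged: TCP connects to 80 and 443), which is a separate step from the per-port verdict (open/closed/filtered) printed in the port table; `nmap -Pn -p 25 host` skips discovery so only that verdict is left. The script below does the port-25 question directly with a TCP connect and distinguishes a refused port (path is clear, nothing listening) from a silently dropped SYN (what a cloud egress block looks like). It runs offline against a loopback listener; pass a hostname on the command line to probe a real server.

```python
import socket
import sys

def check_tcp_egress(host, port, timeout=3.0):
    """Return 'open' (handshake completed), 'closed' (RST came back, so the
    path is clear but nothing listens) or 'filtered' (no answer at all:
    something on the path, e.g. the cloud egress policy, dropped the SYN)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:            # e.g. no route, host unreachable
        return f"error:{exc.errno}"

def egress_report(host, ports=(25, 587)):
    """Map each port to its state. For the SMTP question above, 25 'filtered'
    while 587 'open' against the same host is the signature of an outbound
    port-25 block rather than a problem with the remote server."""
    return {port: check_tcp_egress(host, port) for port in ports}

def listen_on_loopback():
    """Helper for the offline demo: a listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    if len(sys.argv) > 1:             # e.g. python egress.py in-v3.mailjet.com
        print(egress_report(sys.argv[1]))
    else:                             # offline demonstration on loopback
        srv, port = listen_on_loopback()
        print(port, check_tcp_egress("127.0.0.1", port))   # open
        srv.close()
        print(port, check_tcp_egress("127.0.0.1", port))   # closed
```

A 'filtered' result does not say where the drop happens (host firewall, cloud security list, provider-wide block), only that the SYN got no reply within the timeout; run the same probe from a second vantage point, as the post does, to separate the local egress policy from the remote server.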


Looking for a side business in networking on weekends

Looking for a side business in networking on weekends. Does anyone have something for me? Thank you.



Are BGP announcements available on the internet?

The recent Facebook outage got me curious and reading up on BGP.

Is there a way to see BGP advertisements, routing tables, etc. on the internet? Or is it private/something only meant for network admins with router access?

Thanks



Best way to connect Windows 10 OS computers to a Filesystem server

Hey guys. First of all, please don't mind my ignorance; I know very little about networking. I am doing research for a philanthropic organization that I am helping, and they have a requirement to connect their computers to a file server (those computers are not in a LAN, but in a WAN).

A little background: this organization (https://www.iges.org.br/) helps people with mental disorders, people who cannot take care of themselves, and so this organization has homes with caretakers and medical staff who take care of those people. I come from a web-developer background, so I can find my way around tech, but I confess that I know very little about networking (yes, shame on me, sorry about that).

So, we have this requirement to connect computers running Windows 10; the goal is to have a main computer, acting as a server, hosting the files. I believe this is done using a server as the file host.

Searching for how to solve this problem, I saw that I would need to have a server with a router and make use of an L2TP VPN. Is this correct? About the server, could I use a Linux server (something like Ubuntu, for instance), or would I need to go with something like Windows Server (or even a normal Windows 10 installation)?

About the router, I searched a little bit and saw that those MikroTik routers would do the job. About the VPN protocol, I searched a little bit more and saw that OpenVPN would be better than L2TP. So far I have done nothing; all I have are those clues and directions. I still have some doubts, like: can a Linux server be the host for Windows computers (running Windows 10) to connect to and put and retrieve files there? Is it possible to connect those Windows machines at the OS level using this "stack" I mentioned? If I am going in the wrong direction to accomplish our goal, can someone point me in the right direction?



TCP/IP before OSI

When the TCP/IP model was developed before the OSI model, and it was a practical model and working successfully, then why did ISO design the OSI model a decade later?



What the hell happened to Wi-Fi networks in 2019?

Wi-Fi worked well before 2019 and since then it hasn't worked well anywhere: at school, workplace, home, friends'. Many others experience the same.



Why do OSPF packets not arrive?

I am new to OSPF and multicast. I have two machines in the same L2 network (the first one a Linux box with BIRD, the second one a MikroTik running RouterOS OSPF).

On station 1 I can see the OSPF Hello messages with tcpdump. But they never arrive at station 2.

On station 2 I can see the OSPF messages as well. But they never arrive at station 1.

Ping et al. works flawlessly. No packet filter on the Linux box. On the MikroTik, OSPF is unconditionally allowed as the first rule (number of packets matched: 0).

Am I missing anything with multicast?
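Added example, not part of the post and not from BIRD or MikroTik. On Linux an OSPF daemon has to join 224.0.0.5 (AllSPFRouters) on the interface before the kernel will hand it Hellos, and tcpdump puts the interface into promiscuous mode, so it shows multicast frames that the NIC filter would otherwise discard; seeing Hellos in tcpdump therefore proves less than it seems. The script reads /proc/net/igmp, whose group column is the 32-bit address printed in host byte order (the constructed sample below is laid out as x86 prints it), and reports whether the interface has joined the two OSPF groups. `ip maddr show dev <if>` is the one-line equivalent.

```python
import socket
import struct

ALL_SPF_ROUTERS = "224.0.0.5"   # every OSPF router joins this on each OSPF interface
ALL_D_ROUTERS = "224.0.0.6"     # DR and BDR only

# Constructed sample in /proc/net/igmp layout: eth0 has joined all-hosts
# (224.0.0.1) and AllSPFRouters (224.0.0.5); eth1 only all-hosts.
SAMPLE_PROC_NET_IGMP = """\
Idx\tDevice    : Count Querier\tGroup    Users Timer\tReporter
1\tlo        :     1      V3
\t\t\t\t010000E0     1 0:00000000\t\t0
2\teth0      :     2      V3
\t\t\t\t050000E0     1 0:00000000\t\t0
\t\t\t\t010000E0     1 0:00000000\t\t0
3\teth1      :     1      V3
\t\t\t\t010000E0     1 0:00000000\t\t0
"""

def hex_group_to_ip(hex_group):
    """'050000E0' -> '224.0.0.5'. The kernel prints the address as a native
    integer, so packing it back in native order restores network byte order
    on either endianness."""
    return socket.inet_ntoa(struct.pack("=I", int(hex_group, 16)))

def parse_igmp(text):
    """Return {interface: set of joined group addresses}."""
    joined = {}
    current = None
    for line in text.splitlines()[1:]:                 # skip the header row
        if not line.startswith(("\t", " ")) and ":" in line:
            current = line.split(":", 1)[0].split()[1]  # "1\tlo   " -> "lo"
            joined[current] = set()
        elif current is not None:
            fields = line.split()
            if fields:
                joined[current].add(hex_group_to_ip(fields[0]))
    return joined

def ospf_multicast_status(ifname, text=None):
    """Has `ifname` joined the OSPF groups? Reads the live /proc/net/igmp
    unless sample text is supplied."""
    if text is None:
        with open("/proc/net/igmp") as fh:
            text = fh.read()
    groups = parse_igmp(text).get(ifname, set())
    return {
        "all_spf_routers": ALL_SPF_ROUTERS in groups,
        "all_d_routers": ALL_D_ROUTERS in groups,
        "groups": sorted(groups),
    }

if __name__ == "__main__":
    for ifname in ("eth0", "eth1"):
        print(ifname, ospf_multicast_status(ifname, SAMPLE_PROC_NET_IGMP))
```

If AllSPFRouters is missing on the interface the daemon is supposed to run on, the problem is on the local host (the daemon is not bound to that interface, or the join failed); if it is present and Hellos still never reach the daemon, look at what sits between the NIC and the peer (switch IGMP snooping handling of 224.0.0.x, hypervisor/bridge multicast filtering) rather than at the OSPF config.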



Friday, October 15, 2021

FortiGate vs SonicWall

I am deciding between 2 options:

Option 1: (1) FG-100F for our HQ + FG-60F for each of our branch sites (2)

Option 2: (3) TZ-600 for all of our branches

Our branch sites aren't expecting any further growth in the future, according to our company. They currently have 20-30 employees, of which probably 1-10 connect over the site-to-site VPNs for VoIP and data traffic.
I am being pushed by my vendor to get the Gen 7 firewalls, but I am reading a lot of negative posts on SonicOS 7. I'd appreciate it if anyone can shed some light on this.
My plan is to get the FortiGates, because they are a lot newer, FortiOS 7 is better than SonicOS 7, and the firewalls appear to be an upgrade from our current TZ 300s in terms of throughput. Would you recommend the FortiGates too?



Dell Compellent iSCSI to Cisco ACI leaf

Hi, I am attempting to get the iSCSI ports on a Compellent to work on an ACI leaf. Documentation and Dell support are abysmal. I have the ports connected; they show connected. The ports are IPed but they cannot ping the gateway. We have set this up in the same iSCSI fault domain and tried both virtual and physical.

The gateway is up and reachable from other subnets in and out of ACI. ARP is resolving for the ports/IPs. But we cannot ping those IPs set on those ports.



Got a couple of C9300X-24Ys with NM-2Cs, odd interface output

Hello all,

Recently got lucky enough to get my shipment of 9300Xs after 7 months. Went to insert some QSFP-40G-LR4s; don't see any light. Ports are not shut. Also seeing in the running-config there are a number of ports that were never provisioned or configured, such as twe1/1/1-16, te1/1/1-8, and hu1/1/1-4. This is a 24-port switch with only a module with two 40/100G QSFP ports.

No matter what I do, I cannot get the ports to come up. I'm using SMF LC-LC connectors, and I'm assuming the standard SMF cable is PC? Do I need to purchase LC (UPC) cables? I notice the Cisco compatibility matrix is now showing a difference between PC and UPC cabling.



Aruba 6200, all port lights flashing in unison, over entire network.

We have Aruba 6200s in every IDF on our campus, 20 switches total, 2 in each IDF as edge switches trunked to Cisco 4505 core switches.

They are all blinking in unison, as in all the port status lights are blinking green at the same time, about 1 second on, 1 second off.

Google-fu is really no help and we made no changes to STP or VLANs or anything else that I know of.

Anyone experienced this before?

Any help appreciated.



If you had one question to spot a fake CCIE in an interview, what would that question be?

If you had one question to spot a fake CCIE in an interview, what would that question be?



VPN vs ZTNA - where is FW applied in ZTNA if on-prem?

Hi All
We are a traditional user with edge firewalls deployed, and our VPNs terminate there. So all traffic from employee laptops terminates on the firewall, gets inspected, and is then forwarded to the desired server in the DC. We have an edge firewall in AWS for direct VPN from users to access cloud VMs. We have NAC deployed as well for segmentation.

All this is a working solution; yes, complicated, but built over time, and we had to scale VPNs when everybody went remote.

New vendors are pushing for a ZTNA solution. In that solution, as per our understanding, instead of a VPN client on the laptop, you have a ZTNA client. Now there are two options:

1) Install agents on each of the DC servers, and then the ZTNA client on the laptop T-bones into the ZTNA cloud and connects via some proprietary tunnel to that server's agent.

2) Or, you can install a proxy (or set of proxies) near those servers, and tunnel from laptops, again after T-boning into the cloud, into these proxies.

Of course, segmentation policies can be applied, which I think are implemented in the cloud at the T point, or maybe downloaded into agents/proxies. Either way.

Question: where does the traffic get inspected before hitting servers?

A) I'm using on-prem edge firewalls and do not intend to replace them in future; these proxies or agents on servers bypass the firewall inspection due to the encrypted tunnel passing through them.

B) I asked the vendor if somebody is using their cloud-based NGFW, does inspection happen at the T point before traffic is forwarded to the DC? He said no. I am assuming the person doesn't know and that may be an option.

This is my understanding of the subject, and quite likely I may be missing some big piece here. Any help or pointers are appreciated.

Thanks



Can you master multiple areas?

So I'm starting at an environment where I have multiple projects: F5 (LTM, WAF), Firepower, ASA, ACI and ISE (I will not be asked to touch voice, but I would love to learn it too). Should I just learn the administration skills for each of them and go deep on the most important technology (the technology that doesn't have experts handling it), or should I go wild and try to go as deep as I can in all of these? If so, should I get certified in them? I have been advised by colleagues and some seniors not to try to master multiple areas because you will fail and waste your time and career; just stick with one or two and know the bare minimum on the rest. I'm really passionate about networking but I don't want to make a career mistake here.



VLAN Gateway forwarding to the wrong IP

Hello!

I'm running an Edgecore ECS2100 switch and have 3 VLANs on it: vlan10, vlan20 and vlan100. Got a DHCP server running behind VLANs 10 and 20 (on a trunk port), and a router on VLAN 100 for internet.

VLANs 10 and 20 have SVIs configured as 10.10.10.1 and 10.10.20.1, VLAN 100 is 10.10.100.2, and the router behind it runs 10.10.100.1. That router's other interface runs 192.168.0.1 (fake IP, obviously) to connect to the internet.

PC A (example) is connected on vlan10, gets IP 10.10.10.249, default gateway 10.10.10.1. It can ping all 3 SVIs (so inter-VLAN routing should be working OK), AND can ping 10.10.100.1 (so the switch is forwarding data to the router).

Tracerouting to 10.10.100.1 gives me 10.10.0.1 -> 10.10.100.1

Tracerouting to 192.168.0.1 gives me 10.10.0.1 -> 10.10.0.254 (VLAN 10 DHCP server's IP) -> 192.168.0.1

Tracerouting anything behind that is a no-go (obviously).

The switch routing table is the following:

Interface   Destination   Mask             Next hop      Metric   Protocol
VLAN 100    0.0.0.0       0.0.0.0          10.10.100.1   0        Static
VLAN 10     10.10.0.0     255.255.255.0    --            0        Local
VLAN 20     10.10.20.0    255.255.255.0    --            0        Local
VLAN 100    10.10.100.0   255.255.255.0    --            0        Local

The switch's default gateway is set to 10.10.100.1 (via CLI; the web interface has nowhere to configure that).

Can't find much info or a community for that switch, and can't figure out why it's forwarding to a totally stupid IP instead of to the default route in the routing table. Can anyone shed some light on that?



Zscaler vs Palo Alto Prisma Access vs Cloudflare Teams

We're currently looking at coming up with security solutions for our mostly remote workforce and wanted to get people's opinions on the big players out there. We are currently looking at the companies in the title.

I could be wrong, but here are my notes so far:

Zscaler

  • Seems like they were the first to do it
  • Proxy-based; inbound VPN is a separate product that needs some sort of Linux server on-prem
  • Ticks all the security boxes
  • Cost might be nuts

Palo Alto Prisma

  • Basically GlobalProtect in the Google cloud
  • Relying on ~5 gateways being up vs. Zscaler's entire network
  • Full fledged VPN, option for Proxy
  • Easy enough to do inbound VPN to on-prem assets
  • Cost seems reasonable for what you get

Cloudflare Teams

  • Newer to the game
  • Dead simple to set up Cloudflare Gateway via DNS and the WARP client
  • Cloudflared tunnels are really cool
  • Security Policy controls seem a little less capable than Palo or Zscaler
  • Comparatively cheap.

Most of our stuff is SaaS or Public cloud. We have a small subset of users who need inbound VPN to some on-prem assets, which can just be taken care of with our on-prem firewalls. We really just need to control content filtering/DNS and want to be able to perform endpoint compliance checks to gain access to our SSO portals.

That makes me lean towards Cloudflare, but I am worried about how capable the product really is. I have Cloudflare Teams running in my lab, and it works great, but I'm not doing anything too crazy with it.

Anyone done comparisons with these? What do you like? What don't you like?



15 Second delay on Cloud Hosted Solution

Hello all, I have a question for the collective. We have folks that access a server in the cloud, and I have provided SW graphs, hourly graphs, of the times that they are experiencing issues. Utilization on a 1 Gb DIA circuit is well below 25% for both transmit and receive. The data clearly shows we are not even coming close to saturating our bandwidth. The management for this team wants to compare data from next week on how the utilization compares when the employees are experiencing a 15-second delay when pulling records, up to a 30-second delay. There is another, geographically different location that has its own instance in the cloud-hosted solution that has no delay. My thought is that there are too many records in the database that is accessed, and it simply takes that long for a records request due to the number of records in whichever database they are accessing.

So, the question is, how can I show non-IT folks that this 15- to 30-second delay when requesting a record on this cloud-hosted solution is not the local network or internet connection? Further info: this is an internet-based cloud solution, not AWS, Azure, etc.



Can't access switch from IP after adding an IP to a different VLAN

So, I started a new job recently. This is my first one as THE network admin for a company. My previous networking jobs have all been grunt level. I am starting to figure out what is going on with the network, but this is causing me headaches, and I was hoping someone might be able to point me in the right direction of where to look.

As I was trying to figure out something else, I came across a switch (which I will call S1) that I can't SSH into using the documented IP address. I get a PuTTY fatal error: "Network error: Software caused connection abort." I can console in just fine, and it's right around the corner, so it's not a huge problem. I also figured out I can SSH into S1 if I am connected to it directly. (The drop at my desk has a switch between it and S1, with a trunk line between the two.)

Then, I am throwing some commands at a different switch (S2, which is the one between me and S1), and I lose access to it. Same PuTTY error. I come to realize that the command that lost me access was putting an IP on the VLAN (VlanA) that the port my computer is on belongs to. The IP I had been using to access it was for a management VLAN (VlanB). Remove the IP from VlanA, and I can once again SSH into S2 using the IP for VlanB. Put the IP back on VlanA, and I have to use the IP for VlanA to access it.

Realizing that, I look at the running-config I had output to text when I was consoled into S1, and find that VlanA has an IP attached to it. I use that, and am able to SSH in.

I am also having issues accessing switches at other sites using the documented IP, so I am suspicious that this is a related issue.

For reference: My Computer ----VlanA---> S2 ------Trunk---> S1 -------Trunk-----> Firewall/router

In my experience so far, simply adding an IP to the VLAN I am directly on shouldn't have stopped me from using the IP of the other VLAN to SSH into the switch. Either I should have access using that IP, or not, due to ACLs, routing, or firewall rules; but I am new to this level of network administration, so that could be wrong.

Any tips/clues/pointers/educated questions would be appreciated.



I'M FU*KED. I need 4 sets of nexus 3064x rails for a deployment tomorrow and no one has them on this short of notice. Willing to pay for overnight shipping + rails. PHX AZ

Mods, if this isn't allowed, please remove.

We've got a deployment tomorrow that involves rack mounting 4 Cisco Nexus 3064X switches. Everything's in a truck driving in from across the country for the deployment tomorrow. The on-site guys just now informed me that these switches don't have rack mount rails with them. (Due to the rack layout, I can't really support 4 of these things on top of a single server, weight-wise.)

It looks like N2K rails or N5K rails might work too, from looking at pictures.

We're willing to pay for the rails, no problem.

They have the rack-mount ears but not the rails that slide into the back; they are also missing the bracket that the rail slides into.

If you're anywhere near PHX, Arizona, I will drive to come pick them up. If you aren't nearby, I will happily pay for overnight early-morning delivery to the site, or provide an account number for UPS.

We don't have spare rails on site that we can use for this.

Thanks guys.



TCP Closing session with wrong SEQ and ACK

Hi ,

While troubleshooting an issue with a connection towards our LTM, I did a packet capture and I was intrigued by the way our LTM is closing its TCP sessions.

The client sends a FIN,ACK; the LTM responds with an ACK, then a FIN,ACK; and finally the client sends an ACK and the session is closed and everyone is happy... except Wireshark!

The LTM seems to be using the wrong SEQ and ACK numbers in its FIN,ACK, and Wireshark flags both packets as TCP out-of-order (since the numbers don't match up).

Here is an example:

[IMG on my F5 BIG-IP post]

https://devcentral.f5.com/s/question/0D51T00008w3avySAA/tcp-closing-session-with-wrong-seq-and-ack

We are running: BIG-IP 12.1.5.3 Build 0.16.5 Engineering Hotfix

Does anyone have an idea why we are seeing this odd behavior?

Thanks ,
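Added example, not part of the post and not from F5: a model of the four-segment close with the numbers each segment should carry, plus a checker that flags segments whose SEQ or ACK falls outside what the stream so far predicts, which is the kind of mismatch behind Wireshark's out-of-order annotation. The rule being checked is that a FIN occupies one sequence number (RFC 793), so the peer's ACK of a FIN must be FIN.seq + 1 and the peer's own FIN must start at its next sequence number. The "stale FIN" capture is constructed to match the description above; the numbers are made up.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    src: str          # "client" or "server"
    flags: str        # e.g. "FIN,ACK"
    seq: int
    ack: int
    length: int = 0   # payload bytes carried

def expected_close(client_next_seq, server_next_seq):
    """The clean client-initiated close. Arguments are each side's next
    sequence number at the moment the client sends its FIN. A FIN consumes
    one sequence number, hence the +1s."""
    c, s = client_next_seq, server_next_seq
    return [
        Segment("client", "FIN,ACK", c, s),
        Segment("server", "ACK", s, c + 1),
        Segment("server", "FIN,ACK", s, c + 1),
        Segment("client", "ACK", c + 1, s + 1),
    ]

# Constructed capture matching the post: the server's FIN,ACK carries stale
# numbers while the client keeps acknowledging the correct ones.
STALE_FIN_CLOSE = [
    Segment("client", "FIN,ACK", 1000, 5000),
    Segment("server", "ACK", 5000, 1001),
    Segment("server", "FIN,ACK", 4990, 990),
    Segment("client", "ACK", 1001, 5001),
]

def check_close(segments):
    """Track the next-expected SEQ per direction and return a list of
    anomalies (empty list means the close is clean)."""
    next_seq = {}     # side -> sequence number that side should send next
    anomalies = []
    for i, seg in enumerate(segments, start=1):
        peer = "server" if seg.src == "client" else "client"
        # The ACK field says what the sender expects from its peer, which
        # seeds the peer's expected SEQ before the peer has sent anything.
        next_seq.setdefault(peer, seg.ack)
        if seg.src in next_seq and seg.seq != next_seq[seg.src]:
            anomalies.append(
                f"#{i} {seg.src} {seg.flags}: SEQ {seg.seq}, expected {next_seq[seg.src]}")
        if seg.ack != next_seq[peer]:
            anomalies.append(
                f"#{i} {seg.src} {seg.flags}: ACK {seg.ack}, expected {next_seq[peer]}")
        consumed = seg.length + (1 if "FIN" in seg.flags else 0)
        # Never move the expectation backwards on a stale or retransmitted segment.
        next_seq[seg.src] = max(next_seq.get(seg.src, 0), seg.seq + consumed)
    return anomalies

if __name__ == "__main__":
    print("clean close:", check_close(expected_close(1000, 5000)))
    for line in check_close(STALE_FIN_CLOSE):
        print("stale close:", line)
```

On the constructed stale capture the checker reports the server's FIN,ACK twice (bad SEQ and bad ACK) and then the client's final ACK once, since the client acknowledges the sequence number the server should have used rather than the one it sent; that is the same pair of segments the post says Wireshark marks.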



Question about adding a Switch before the company Router/Network

Apologies if this isn't the correct subreddit to be posting this, but figured I'd give it a shot.

I work at a print shop that has 15+ hardwired printers and desktop machines on one subnet and another 10 devices on wireless on another subnet. We host our own Exchange server and run our routing on Windows Server 2016, I believe. The owner of the company's uncle set up the entire network and is constantly out of town/unreachable for me to pick his brain. Now, I have some networking experience with Ubiquiti and pfSense routing but never with Windows Server-hosted routing. The issue is that both subnets, wired and wireless, are constantly dropping connections/the email server is not getting emails, and I have been tasked with at least getting stable wireless up and running until the uncle can come in and troubleshoot everything himself.

I'm hesitant to even touch the network.

My question is, as an immediate stop-gap, can I just branch off from where our WAN-in comes into the building with a cheap gigabit switch and buy a wireless router for our wireless devices? My gut is telling me it won't be this easy without knocking everything else out of whack.

The other thought I had is, they are running a Cyberoam AP, support for which ended in 2017, and I'm wondering if a new AP would be able to just plug and play/replace the Cyberoam AP.

Just figured I would ask the community for some input on this. Thank you.



Anyone know what the locks do on the SNS EVO?

What do the locks on the far right of the individual drives do? Do they just lock the drives into place? https://www.dropbox.com/s/t3fouj02y9vc5ol/Photo%20Oct%2015%2C%2011%2014%2005%20AM.jpg?dl=0



Having issues running a script using ciscoconfparse, need help/feedback

Hello, I constructed a script using Netmiko and ciscoconfparse to pull a running config, edit the config, and copy it back to the running-config of a switch. I want to scan the config for misconfigured ports on all interfaces and change them. The problem is that ciscoconfparse performs inconsistently and will sometimes add erroneous text or add commands twice. Also, when I copy the config file to the switch using TFTP, some interfaces remain unchanged, even though the new config text has the correct commands. I'm new to automation, so please tell me if I missed something obvious and if there are better alternatives for what I'm trying to do. Here is a link to the code.
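Added example, not the poster's script and not from the ciscoconfparse project. The "commands added twice" symptom goes away if the script first computes, per interface, which required lines are missing and then pushes only that delta; running the same plan again against the resulting config yields nothing to do. This is plain Python with no ciscoconfparse dependency; the sample running-config and the two "lines every access port must have" are my assumptions for the demonstration. The rendered delta is meant to be sent as a config session (for example Netmiko's send_config_set on the lines) rather than as a whole-file TFTP copy.

```python
# Constructed sample running-config: one access port already compliant, one
# missing both required lines, and a trunk that must be left alone.
SAMPLE_RUNNING_CONFIG = """\
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 description uplink
 switchport mode trunk
!
"""

# Assumption for the example: what every access port must carry.
REQUIRED_ON_ACCESS = [
    "spanning-tree portfast",
    "spanning-tree bpduguard enable",
]

def parse_interfaces(config):
    """Return [(interface name, [child lines without indentation])] in
    config order. A '!' or any other top-level line ends the stanza."""
    blocks = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = (raw.split(None, 1)[1], [])
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current[1].append(raw.strip())
        else:
            current = None
    return blocks

def is_access_port(children):
    return "switchport mode access" in children

def plan_changes(config, required=REQUIRED_ON_ACCESS):
    """{interface: [missing lines]} for access ports only. Idempotent by
    construction: a compliant config produces an empty plan."""
    plan = {}
    for name, children in parse_interfaces(config):
        if not is_access_port(children):
            continue
        missing = [cmd for cmd in required if cmd not in children]
        if missing:
            plan[name] = missing
    return plan

def render_merge(plan):
    """Minimal IOS snippet to push in one configuration session."""
    lines = []
    for name, cmds in plan.items():
        lines.append(f"interface {name}")
        lines.extend(f" {cmd}" for cmd in cmds)
        lines.append("!")
    return "\n".join(lines)

def apply_merge(config, plan):
    """Simulate the device merging the snippet, so the result can be
    re-planned to prove nothing is left to do."""
    out = []
    for raw in config.splitlines():
        out.append(raw)
        if raw.startswith("interface "):
            name = raw.split(None, 1)[1]
            out.extend(f" {cmd}" for cmd in plan.get(name, []))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    plan = plan_changes(SAMPLE_RUNNING_CONFIG)
    print(render_merge(plan))
    print("second pass:", plan_changes(apply_merge(SAMPLE_RUNNING_CONFIG, plan)))
```

The same split (parse, plan, render) also makes the push verifiable: pull the running-config again afterwards, re-run plan_changes, and treat a non-empty plan as a failed interface rather than assuming the copy applied everywhere.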



Shared networks between datacenters for migration

I am currently planning a new datacenter and all that entails. This datacenter is in the same city and is less than 2 ms latency away. The old datacenter and new datacenter will be connected with a VPLS circuit terminated on Cisco ISRs. The datacenters use VMware and all machines need to be vMotioned to the new datacenter.

Each datacenter has a pair of Nexus switches hosting the layer 3 datacenter networks, configured with HSRP in each DC.

HSRP requires layer 2 connectivity to properly share the HSRP packets. Since the VPLS is terminated on an ISR, the packets do not flow between the 2 sites and they do not share a floating IP.

Is there a method to set up an HSRP-style network between these 2 datacenters to allow easy migration without giving new IPs to the workloads?



How does a client authenticate a RADIUS server vs. how does a RADIUS server authenticate a client?

So here I am, trying to connect to a RADIUS server after lectures on RADIUS servers. The professor skipped how a client verifies that the server is authentic and not a 'rogue access point/evil twin.'

More in-depth question: how does one protect oneself from this MITM attack if one has never connected to said network's Wi-Fi RADIUS server, vs. if one has before?

TUIA!



Airgap solutions - airgap.io in particular

Does anyone have any knowledge of a company called Airgap.io? Our company is looking into it and I'm not sure how it will scale. Basically they spin up a VM and it will be our new DHCP server. It will assign ALL clients a /32 and all traffic will be broadcast traffic back to that VM. Then that VM will route it to the appropriate VLAN. I don't understand how this can scale, because it will be so much traffic. The business idea is network segmentation. There is a software piece where you can assign who can talk to whom, and also a kill switch where you can shut the whole network off in a second (if you get ransomware). Does anyone see how this would actually work?



BGP with BIRD on Ubuntu 18.04

Hi all

I've got a little lab running to sink my teeth into BGP and BIRD. The topology can be seen at: https://ibb.co/VpQhK87

The left and centre router exchange routing information quite happily, however, the right and centre routers are not happy. They've recognised themselves as neighbours, and the advertised route from right is added to the route table on centre, however, right will not receive routes from centre - show protocol all says the route was rejected.

When I show routes in BIRD on the centre router, it has added the route to right on the enp0s8 interface, rather than the interface where it forms the adjacency - enp0s9. Indeed, when I try to ping, it tries to send packets from enp0s8. I wonder if this might be the problem (or at least the beginning of them!) but I can't find a way to instruct routes to interfaces. Can anyone offer any guidance on this or shed some light on the issue?

The configuration files follow.

With thanks in advance for any pointers,
Moses

left bird.conf

router id 192.168.220.1;

protocol device {
  scan time 10;
}

protocol kernel {
  metric 64;
  import none;
  export all;
  persist;
  scan time 20;
}

protocol bgp {
  import all;
  export where proto = "static_bgp";
  local as 3000;
  neighbor 192.168.220.2 as 4000;
  password "secret123";
}

protocol static static_bgp {
  # BIRD takes prefixes in CIDR form, not address:mask
  route 172.16.0.0/24 via 192.168.220.1;
}

centre bird.conf

router id 192.168.220.2;

protocol device {
  scan time 10;
}

protocol kernel {
  metric 64;
  import none;
  export all;
  persist;
  scan time 20;
}

protocol bgp left {
  import all;
  export where proto = "static_bgp";
  local as 4000;
  neighbor 192.168.220.1 as 3000;
  password "secret123";
}

protocol bgp right {
  import all;
  export where proto = "static_bgp2";
  # centre is AS 4000 on both sessions; with "local as 5000" this becomes an
  # iBGP session that right (which expects to peer with AS 4000) rejects
  local as 4000;
  neighbor 192.168.220.6 as 5000;
  password "secret123";
}

protocol static static_bgp {
  # CIDR prefix form, not address:mask
  route 172.16.1.0/24 via 192.168.220.2;
}

# Two protocols cannot share a name; this is the "static_bgp2" the right session exports.
# It carries the same prefix as static_bgp, so only the copy that wins best-path is ever
# exported, and a filter on the protocol name then matches at most one of the two sessions.
protocol static static_bgp2 {
  route 172.16.1.0/24 via 192.168.220.5;
}

right bird.conf

router id 192.168.220.6;

protocol device {
  scan time 10;
}

protocol kernel {
  metric 64;
  import none;
  export all;
  persist;
  scan time 20;
}

protocol bgp {
  import all;
  export where proto = "static_bgp";
  local as 5000;
  neighbor 192.168.220.5 as 4000;
  password "secret123";
}

protocol static static_bgp {
  # CIDR prefix form, not address:mask
  route 172.16.2.0/24 via 192.168.220.6;
}



I only need 1 switch for my tasks. Should I buy a Core Switch or an Access Switch?

That's all.



SNMP storm?

Asking for an advice.

In our K-12 district we have multiple UniFi UAPs and Aruba 2540-24G-PoE+-4SFP switches. All switches are configured to use fault-finder for broadcast storms (warn-and-disable, 300 pps). We have experienced multiple broadcast alarms on the ports where a UniFi UAP is connected, every day for the past couple of weeks.

W 10/15/21 10:50:40 02675 FFI: port 43-Excessive Broadcasts. Broadcast-storm
  control threshold 300 pps exceeded.
M 10/15/21 10:50:40 02673 FFI: port 43-Port disabled by Fault-finder.
I 10/15/21 10:50:40 00898 ports: Fault Finder(71) has disabled port 43 for 600
  seconds
I 10/15/21 10:50:40 00077 ports: port 43 is now off-line
I 10/15/21 11:00:40 00900 ports: port 43 timer (71) has expired
I 10/15/21 11:00:42 00076 ports: port 43 is now on-line

This has happened before (last year) and I did manage to capture network traffic with Wireshark from those ports when that broadcast was happening. In those cases there were tons of ARP packets coming from one device and I blocked that device from accessing our wireless from the UniFi control panel. But now this broadcast is different.

This time we are getting loads of SNMP packets from one device (a OnePlus Nord smartphone), over 40k packets in 1 minute. And this is why we are getting broadcast alarms.

Source is that smartphone, and destination is 255.255.255.255

14556676 2021-10-15 09:00:59,999581 10.14.215.177 255.255.255.255 SNMP 140 get-request 1.3.6.1.2.1.1.2.0 1.3.6.1.4.1.2435.2.3.9.4.2.1.5.5.1.0 1.3.6.1.4.1.11.2.3.9.1.1.3.0 1.3.6.1.2.1.2.2.1.6.1

I have no idea what is going on on that phone?
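For what it is worth, the four OIDs in the captured get-request decode to sysObjectID.0, ifPhysAddress.1 and two vendor objects under the Brother (enterprise 2435) and HP (enterprise 11) arcs, which is the fingerprint of a printer-discovery app on the phone sweeping the subnet by broadcast; that is an inference from the OIDs, not something the post confirms. The added example below (mine, not the poster's capture or code) shows the triage a practitioner would script over tshark/Wireshark summary lines of the shape quoted in the post: bucket broadcast frames per source per second and report anyone whose busiest second clears the fault-finder's 300 pps threshold, then tally which objects the noisy client keeps asking for. The sample lines are constructed inside make_sample; the rate and the second source are made up.

```python
"""Broadcast-storm triage over tshark/Wireshark summary lines.
Added, constructed example; the sample capture is generated, not real."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<date>\S+)\s+(?P<time>\d\d:\d\d:\d\d)[,.](?P<frac>\d+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$")

# IP limited broadcast and the L2 broadcast as Wireshark prints it (resolved / raw)
BROADCAST_DST = {"255.255.255.255", "Broadcast", "ff:ff:ff:ff:ff:ff"}

# The four OIDs from the post (IANA enterprise arcs: 2435 = Brother, 11 = Hewlett-Packard)
WELL_KNOWN = {"1.3.6.1.2.1.1.2.0": "sysObjectID.0", "1.3.6.1.2.1.2.2.1.6.1": "ifPhysAddress.1"}
ENTERPRISE = {"1.3.6.1.4.1.2435": "Brother", "1.3.6.1.4.1.11": "Hewlett-Packard"}


def describe_oid(oid: str) -> str:
    if oid in WELL_KNOWN:
        return WELL_KNOWN[oid]
    for arc, vendor in ENTERPRISE.items():
        if oid == arc or oid.startswith(arc + "."):
            return f"{vendor} enterprise OID {oid}"
    return oid


def parse_line(line: str):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def broadcast_storm_sources(lines, threshold_pps: int = 300) -> dict:
    """Count broadcast frames per (source, wall-clock second); return the sources whose
    busiest second exceeds threshold_pps, which is what the switch's fault-finder trips on."""
    per_second = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dst"] in BROADCAST_DST:
            per_second[(rec["src"], rec["date"] + " " + rec["time"])] += 1
    peak = {}
    for (src, _second), n in per_second.items():
        peak[src] = max(peak.get(src, 0), n)
    return {src: n for src, n in peak.items() if n > threshold_pps}


def snmp_oids_requested(lines) -> Counter:
    """Which objects the noisy client keeps asking for; tells you what kind of app is scanning."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "SNMP" and rec["info"].startswith("get-request"):
            for oid in rec["info"].split()[1:]:
                counts[describe_oid(oid)] += 1
    return counts


def make_sample(phone_pps: int = 700, seconds: int = 2) -> list:
    """Constructed capture: one phone broadcasting SNMP get-requests at phone_pps, plus one
    ordinary ARP broadcast per second from an unrelated host."""
    oids = ("1.3.6.1.2.1.1.2.0 1.3.6.1.4.1.2435.2.3.9.4.2.1.5.5.1.0 "
            "1.3.6.1.4.1.11.2.3.9.1.1.3.0 1.3.6.1.2.1.2.2.1.6.1")
    lines, frame = [], 14556000
    for s in range(seconds):
        for i in range(phone_pps):
            frame += 1
            lines.append(f"{frame} 2021-10-15 09:00:{58 + s:02d},{i * (1_000_000 // phone_pps):06d} "
                         f"10.14.215.177 255.255.255.255 SNMP 140 get-request {oids}")
        frame += 1
        lines.append(f"{frame} 2021-10-15 09:00:{58 + s:02d},500000 10.14.215.20 Broadcast ARP 60 "
                     f"Who has 10.14.215.1? Tell 10.14.215.20")
    return lines


if __name__ == "__main__":
    sample = make_sample()
    print("sources over 300 pps:", broadcast_storm_sources(sample))
    for name, n in snmp_oids_requested(sample).most_common():
        print(f"{n:6d}  {name}")
```

On a real capture, export the packet list from Wireshark as plain text (or use tshark with the same summary columns) and feed the lines to broadcast_storm_sources; the per-second peak is the number to compare with the fault-finder threshold, since a 40k-per-minute average can hide much sharper bursts.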



OSPF + MPLS core but build on IPv6

Hi,

I have experience with an MPLS core with IPv4 OSPF in my ISP network design. I am quite happy with it and I use all the nice features of MPLS. One of the best is IPv6 labeled unicast. It made me really happy when implementing IPv6 dual stack on the PE routers: less work in the core and it works excellently.

I will be designing a new datacenter network on the newest Arista boxes. And I've had the idea to build the core strictly on IPv6. And I have some questions:

- is there something like IPv4 labeled unicast? Did anybody actually use it?

- does MPLS LDP even work with OSPFv3 and IPv6?

Or am I totally wrong and should I stick with what I know and use a traditional IPv4 core?

Sorry for my bad English. And thanks for your suggestions!



Does NAT affect TCP seq/ack numbers?

For some context, I am tasked with implementing a device that is attached between 2 different subnets, that are connected by a gateway. The device has to identify packets going through the gateway and match them with the output on the other side when it undergoes NAT. I am using a hashmap and the key is a hash of parts of the tcp header with the rest of the packet. However, my design right now assumes the seq/ack numbers will not change so that they can be reduced to the same hash. I use the seq/ack numbers because I don't want collisions due to TCP retransmissions.

Alternative solutions to matching the packets are welcome, but I am more interested to know whether it is a safe assumption that TCP seq/ack numbers will not change for a generic gateway device.
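For a plain address/port translator (Linux netfilter, most consumer and SOHO routers) the sequence and acknowledgement numbers pass through unchanged. Two kinds of gateway do rewrite them: anything with TCP sequence number randomization, which Cisco ASA enables by default and which offsets each connection's initial sequence number by a random delta, and application-layer gateways that change payload length (the FTP ALG rewriting addresses in PORT/PASV commands) and then adjust seq/ack on every following segment. The added example below (constructed for this page, not the poster's code; the simulated gateway, addresses and deltas are assumptions) shows a key built on absolute seq/ack breaking under an ISN offset and a key built on the sequence number relative to the flow's own ISN surviving it. It also makes a second point: a genuine retransmission carries the same seq and the same payload as the original, so seq/ack cannot tell the two apart; the example uses the IP Identification field for that, on the assumption that the NAT leaves it alone.

```python
"""Matching TCP segments captured on both sides of a NAT gateway.
Added, constructed example; the gateway is simulated."""
import hashlib
from dataclasses import dataclass, replace

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    ip_id: int      # IP Identification; assumed untouched by the NAT in this example
    seq: int
    ack: int
    flags: str      # "S", "A", "PA", ...
    payload: bytes


def nat_outbound(seg, public_ip, public_port, client_delta=0, server_delta=0):
    """Inside -> outside translation. Every NAT rewrites the source endpoint. With ISN
    randomization the inside host's ISN is shifted by client_delta on the way out, and the
    server's ISN is shifted towards the inside by server_delta, so the ack number the
    inside host sends has to be un-shifted before it leaves."""
    return replace(seg, src=public_ip, sport=public_port,
                   seq=(seg.seq + client_delta) & MASK32,
                   ack=(seg.ack - server_delta) & MASK32)


def naive_key(seg):
    """The post's design: hash header fields NAT is assumed not to touch, including the
    absolute seq/ack, together with the payload."""
    h = hashlib.sha256(f"{seg.dst}:{seg.dport}:{seg.flags}:{seg.seq}:{seg.ack}:".encode())
    h.update(seg.payload)
    return h.hexdigest()


class FlowTracker:
    """One per capture point. Remembers each flow's client ISN from its SYN so the key can
    use the sequence number relative to that ISN, which cancels any per-flow offset. The ack
    is left out (its ISN is only learnt from the SYN-ACK, which this outbound-only view never
    sees); the IP ID separates a retransmission from the original, which seq/ack cannot."""

    def __init__(self):
        self.isn = {}

    def key(self, seg):
        flow = (seg.src, seg.sport, seg.dst, seg.dport)
        if "S" in seg.flags and "A" not in seg.flags:
            self.isn[flow] = seg.seq
        if flow not in self.isn:
            raise KeyError("segment seen before its SYN; relative seq unknown")
        rel_seq = (seg.seq - self.isn[flow]) & MASK32
        h = hashlib.sha256(f"{seg.dst}:{seg.dport}:{seg.flags}:{seg.ip_id}:{rel_seq}:".encode())
        h.update(seg.payload)
        return h.hexdigest()


# Constructed inside-side capture: SYN, a data segment, and a retransmission of that segment.
INSIDE = [
    Segment("10.0.0.5", 40000, "203.0.113.10", 443, 101, 1000, 0, "S", b""),
    Segment("10.0.0.5", 40000, "203.0.113.10", 443, 102, 1001, 5001, "PA", b"GET / HTTP/1.1\r\n"),
    Segment("10.0.0.5", 40000, "203.0.113.10", 443, 103, 1001, 5001, "PA", b"GET / HTTP/1.1\r\n"),
]


def count_matches(client_delta=0, server_delta=0):
    """Push INSIDE through the gateway; return (naive matches, relative-seq matches) out of 3."""
    outside = [nat_outbound(s, "198.51.100.1", 61000, client_delta, server_delta) for s in INSIDE]
    inside_t, outside_t = FlowTracker(), FlowTracker()
    naive = sum(naive_key(a) == naive_key(b) for a, b in zip(INSIDE, outside))
    robust = sum(inside_t.key(a) == outside_t.key(b) for a, b in zip(INSIDE, outside))
    return naive, robust


if __name__ == "__main__":
    print("plain NAT:           naive/relative matches =", count_matches())
    print("ISN-randomizing NAT: naive/relative matches =", count_matches(0x1A2B3C4D, 0x0BADF00D))
```

The relative-sequence key needs the SYN to be in both captures; a device that starts observing mid-connection has to fall back to payload plus IP ID, or learn the offset from the first pair of segments it can pair by payload.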



Updating image on an Avaya/Extreme Networks ERS stack

I inherited several Avaya ERS 3500 & 4800 switches and the 4800s are in a stack of three. I've updated all of the individual ERS switches no problem, but I don't see any specific instructions for updating a stack. I know the versions need to be the same across the stack, but I'm not positive on how to accomplish that. Is it the same process as for the individual switches, just carried out by logging into the stack address so that the switches then update simultaneously?



Thursday, October 14, 2021

Can someone tell me why I get horrendous lag and rubber banding?

So I've been playing Overwatch on PC via Wi-Fi (netgear A6120 usb Wi-Fi adapter) for some time now. I understand Wi-Fi is not ideal but it's all I have right now and truthfully in the past I've not had these issues this bad before on Wi-Fi. I ran a speed test and I have 18ms ping, 18mb down, and 18mb up. Why would I have such terrible lag and rubber banding constantly?



Remote Access

Hey guys, bit of a noob here. I have multiple remote sites with routers/switches connected to a handoff from ISPs. My question is, how do I access these devices remotely via their IPs? There are multiple companies that offer cloud services but I don't want to only use one company. I think this would be with a site-to-site VPN?

Please roast me for my stupidity but also leave some knowledge with it for this noob.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Tasked with implementing a firewall into a small business. Need help.

So to make a long story short, I work at a smallish company (around 200+ users total) in the IT department (first real IT job) and I support our users who are here at our office and also some located in our New Mexico office. Our security is terrible, nearly non-existent. We do not have an Active Directory, nor do we have a firewall. Passwords are all kept in Keeper and we have soooooooo many user credentials it's an absolute nightmare how our data is managed. My IT lead is concerned with security and saw that I am studying for my CompTIA Sec+ certification, so he tasked me with coming up with some ideas to increase security. He definitely agrees we need a firewall and he has tasked me with figuring out how to implement one, but I do not have the slightest idea where to even start. Don't know how many ports I need on the firewall, don't know what kind to buy, or how to even configure it. My networking knowledge is rather entry level, so this is quite a daunting task. If anyone has any suggestions or can help me in any way please reach out to me on this thread. Thank you to anyone that decides to help me out :)



HPE 5820 support for SNMP context for VRF

I'm trying to set up VRF in an old HPE 5820 switch. Functionally it is fine. But doesn't appear to support snmp context for the vrf and I can't snmp query the VRF routing table. Has anyone tried this? Thanks!

(I know it is already an EOL'd product).

display version
HPE Comware Platform Software
Comware Software, Version 5.20.105, Release 1810P16
Copyright (c) 2010-2018 Hewlett Packard Enterprise Development LP
HPE 5820X-24XG-SFP+ Switch uptime is 11 weeks, 0 day, 10 hours, 53 minutes

HPE 5820X-24XG-SFP+ Switch with 2 Processors
1024M  bytes SDRAM
4M     bytes Nor Flash Memory
512M   bytes Nand Flash Memory
Config Register points to Nand Flash
Hardware Version is Ver.C
CPLDA Version is 002, CPLDB Version is 004
BootRom Version is 303
[SubSlot 0] 24SFP Plus+4GE Hardware Version is Ver.C

display device manuinfo
Slot 1:
DEVICE_NAME          : A5820X-24XG-SFP+ JC102A
DEVICE_SERIAL_NUMBER : CN37BFQ0JC
MAC_ADDRESS          : CC3E-5F6A-48F3
MANUFACTURING_DATE   : 2013-08-03
VENDOR_NAME          : HPE


Monitoring traffic from a Mac-address

Hello all,

We have a cisco IE 3400 switch that has two vlans trunked on the uplink ports. We have a port channel enabled on the uplink ports. We are trying to monitor traffic from a certain mac address coming into the switch via the uplink ports. The said traffic we are intending to monitor is for one of the two vlans mentioned earlier. Any ideas on how to go about this? We want to monitor that traffic on a mirror port. I was thinking of creating an ACL and applying it to the vlan, but that would deny all other traffic.



Advice on getting into networking.

Hello everyone, I’ve been working as a nurse for a couple of years and I’m contemplating making a career change. I know there is a way to work as a nurse with tech, but it’s a difficult specialty to get into. How does one go about going into networking? I thought about maybe taking some classes or bootcamps. Any advice would be greatly appreciated.



VLANs on Dell N2048P Switches

Looking for some help here folks.

At my work, in our Admin office building, we have 3 Dell N2048P switches that we're wanting to test a VLAN for our Guest wifi network.

I went in and added the vlan to all of the switches. 2 are stacked, 1 on its own. I did not give it an IP address on the switches. I made sure the connecting ports between the switches themselves and the router were all set to trunk ports.

We use Ubiquiti APs since most of our locations are small offices. I set a VLAN only network up on the controller for those, and set the guest network to use that vlan only network.

Our Managed WAN provider set the VLAN(50) up on their Mikrotik router.

When I try to connect to the Guest network, I can't get an IP address at all.

Here is the config of both the stacked set and single switch.

!Current Configuration:
!System Description "Dell Networking N2048P, 6.2.6.6, Linux 3.6.5-50bbccb7"
!System Software Version 6.2.6.6
!
configure
vlan 50
exit
vlan 50
name "Guest"
exit
slot 1/0 9 ! Dell Networking N2048P
slot 2/0 9 ! Dell Networking N2048P
stack
member 1 9 ! N2048P
member 2 9 ! N2048P
exit
ip routing
interface vlan 1
ip address 192.168.0.11 255.255.254.0
exit
ip default-gateway 192.168.0.1
username "xxxxxxxxxxxx" password 859a781fc5444799ddb5e7898cfbf34a privilege 15 encrypted
!
interface Gi1/0/35
switchport mode trunk
exit
!
interface Gi2/0/44
switchport mode trunk
exit
!
interface Gi2/0/48
switchport mode trunk
exit
snmp-server engineid local 800002a203f48e383bf509
exit

!Current Configuration:
!System Description "Dell Networking N2048P, 6.2.6.6, Linux 3.6.5-50bbccb7"
!System Software Version 6.2.6.6
!
configure
vlan 10,30,40,50
exit
vlan 10
name "IT Shop"
exit
vlan 30
name "Internet Only"
vlan association subnet 192.168.30.0 255.255.255.0
exit
vlan 40
name "ITShop"
vlan association subnet 192.168.40.0 255.255.255.0
exit
vlan 50
name "Guest"
exit
slot 1/0 9 ! Dell Networking N2048P
stack
member 1 9 ! N2048P
exit
ip name-server "192.168.0.8"
ip name-server "8.8.8.8"
ipv6 unicast-routing
ip routing
router rip
split-horizon none
auto-summary
default-metric 1
exit
ip dhcp excluded-address 192.168.20.1 192.168.20.10
interface vlan 1
ip address 192.168.0.12 255.255.254.0
bandwidth 10000
ip rip
exit
interface vlan 10
ip address 192.168.20.6 255.255.255.0
bandwidth 10000
exit
interface vlan 30
bandwidth 10000
exit
interface vlan 40
ip address 192.168.40.1 255.255.255.0
ip netdirbcast
bandwidth 10000
ip rip
exit
ip default-gateway 192.168.0.1
username "Admin" password 859a781fc5444799ddb5e7898cfbf34a privilege 15 encrypted
line telnet
exec-timeout 60
exit
!
interface Gi1/0/1
switchport mode trunk
vlan priority 1
exit
!
interface Gi1/0/2
switchport mode trunk
exit
!
interface Gi1/0/4
switchport mode trunk
exit
!
interface Gi1/0/5
switchport mode general
switchport general pvid 10
switchport general allowed vlan add 10
switchport access vlan 10
switchport trunk native vlan 10
exit
!
interface Gi1/0/6
switchport mode trunk
exit
!
interface Gi1/0/7
switchport mode general
switchport general pvid 10
switchport general allowed vlan add 10
switchport access vlan 10
switchport trunk native vlan 10
exit
!
interface Gi1/0/11
switchport general pvid 10
switchport trunk allowed vlan 1,10
exit
!
interface Gi1/0/13
switchport general pvid 40
switchport access vlan 40
exit
!
interface Gi1/0/14
description "CDS Credit Card Machine"
exit
!
interface Gi1/0/48
switchport mode trunk
exit
!
interface Te1/0/1
speed auto
switchport mode trunk
switchport trunk allowed vlan 1,10,30
exit
snmp-server engineid local 800002a203f48e3831111f
exit

I'd appreciate any help. I've been with my employer for a little over 6 years now, and this is the first time I've been tasked with doing VLANs of any sort.



IOS XE GuestShell - Execute Script from Flash

Anyone out there willing to help me understand what I'm missing here? I'm attempting to execute a python script from flash. Guestshell is working but I'm unable to execute from flash. HTTP server is enabled and running and I can ping between XE and guestshell.

R1#sh flash: | inc .py
285  222  Oct 14 2021 19:08:56.0000000000 +00:00 /bootflash/sample_script.py

R1#show app-hosting det
App id                 : guestshell
 Owner                 : iox
 State                 : RUNNING

R1#sh ver
Cisco IOS XE Software, Version 17.03.04a (CSR1000v)

R1#guestshell run python3 /bootflash/sample_script.py
python3: can't open file '/bootflash/sample_script.py': [Errno 2] No such file or directory

R1#guestshell run python3 /flash/sample_script.py
python3: can't open file '/flash/sample_script.py': [Errno 2] No such file or directory

R1#guestshell run python /flash/sample_script.py
env: 'python': No such file or directory

R1#guestshell run python3 /flash:sample_script.py
The run command has been modified to: python3 //flash/sample_script.py
python3: can't open file '//flash/sample_script.py': [Errno 2] No such file or directory

R1#guestshell run python3 bootflash:sample_script.py
The run command has been modified to: python3 /bootflash/sample_script.py
python3: can't open file '/bootflash/sample_script.py': [Errno 2] No such file or directory



Globalprotect intermittent routing

Good day all,


I have an interesting issue i have come across. We have a few remote users reporting an issue with accessing a web page. The end users connect to the VPN and access the site with no problem. After navigating on the site for a random amount of time, they receive a timeout. Upon looking at logs, they are not disconnected from the VPN and the logs show allow for the traffic. I then moved forward to a packet capture and I noticed something interesting. There were quite a few re-transmits when the web page times out. These re-transmits however are coming from the "public" IP of the web server. Then randomly, the page loads correctly and the capture shows the internal/private IP address responding. This is a full tunnel VPN. The DNS servers internally resolve to the internal IP address. These are the same DNS servers configured on the VPN virtual interface when a user connects. What would cause this routing or DNS issue?



SSL CERT FOR FIREWALL

I just factory reset my sonicwall appliance and imported firmware and configuration. I imported and installed the ssl cert with no issue but for whatever reason, when I browse to the firewall from the web browser, it's not recognizing my certificate BUT I have public access disabled from the firewall. My question is isn't my firewall pretty much safe without an SSL cert since no one can access it publicly? They'd have to be inside of our network to connect to the firewall and get around 2FA.



Route Traffic from one Sonicwall VPN over another VPN tunnel

Is it possible to route traffic from Sonicwall A to Sonicwall B and then over a tunnel on Sonicwall B to a 3rd party firewall:

Packet from LAN -> Sonicwall A -> S2S to sonicwall B -> over S2S tunnel to a 3rd party firewall.

When I do a packet capture on Sonicwall B the packets make it to SonicWALL B and are consumed and then immediately dropped. I have the routing setup on the 2nd S2S between Sonicwall B and the third party to send any traffic from sonicwall A LAN destined for 3rd party firewall LAN but they don't seem to route that far.

Are there any special access rules I need to setup? Or do I have to configure a route based VPN tunnel and set custom routes?



Cisco CNA alternative for GUI control of Cisco stuff?

I have a client whose staff are stubborn, afraid of the CLI, and willing to spend money to stay that way.

Against my advice, they've used the Cisco Networking Assistant (CNA) tool for many years to perform simple switch control tasks like bouncing ports, assigning VLANs, changing ACLs, and doing ad-hoc backups.

Now that CNA's officially dead, they're looking for something else and willing to pay for it.

They've looked at SolarWinds, ManageEngine OpsManager, and Cisco DNA, but these tools are primarily for monitoring and don't do much (if anything) for providing GUI-based switch port control like I described above. Some of what they want to do could probably be automated with these tools and SNMP, but we don't want to allow SNMP write.

So, they basically want the Ubiquiti Unifi or Meraki dashboard GUI experience for their enterprise Cisco stuff.

Can anyone suggest alternative tools to look at?



Getting an IPsec RA tunnel working on an ASA

Hello, I finally get to ask a question here, exciting.

We're trying to get a remote access tunnel using IPsec and AnyConnect up and running and I'm absolutely stumped as to what we're doing wrong. The tunnel comes up in ASDM monitoring and shows a child SA in sho crypto ipsec sa with the appropriate ts (at least as far as I know), the decrypt increments appropriately and throwing a vpnfilter on for testing shows the addresses in the VPN pool getting hits while the inside network doesn't. The inside interface outbound doesn't increment when pinging into it from the desktop with Anyconnect. So there's something between the VTI (where it is receiving incoming packets and decrypting/decaping them fine) and the inside interface (which never transmits) that I've configured wrong.

But I'm lost as to what that might be. We have the correct ACLs set up (the AnyConnect tunnel works fine over SSL, but the boss insists we get it working with IPsec), the identity NAT is set up, and we have split tunneling on but that works fine and taking it off doesn't make a difference. I've killed the tunnel config a few times and recreated it from scratch using both the ASDM wizard and following config guides by hand.

So:

  1. VPN itself comes up, shows Rx but no Tx
  2. Adding vpnfilter, VPN pool addresses show hits but the inside network does not
  3. Inside interface output doesn't increase when test pinging
  4. show crypto ikev2 sa has child sa with local ts of 0.0.0.0-255.255.255.255 ie all traffic, remote ts of 192.168.145.0-192.168.145.255 (the pool of addresses for Remote Access connections)
  5. show crypto ipsec sa shows decaps increment but encaps don't
  6. If setting the Anyconnect profile to not use IPsec as primary and letting it connect SSL, everything works!

I can't get full configs posted but I can answer any questions. Any help would be appreciated.



Juniper SD-WAN

Greetings

I know Juniper conducted the acquisition of 128T for AI/ML SD-WAN. What I am trying to understand is the controller piece: for 128T there is the Session Smart Conductor. Will the old devices such as the SRX or NFX be managed through it, or will they stay under CSO?

Any ideas will be appreciated.



Looking for help with improving an old network

Hi! So I'm an IT trainee and I've been tasked with optimizing the switch infrastructure at my firm, which is pretty old and chaotic.
Here is the basic switch setup across five floors, with the important servers being on the 12th floor and the switches being a combination of HP Aruba 2530-8G/48G and various HP ProCurve models. The most important part of the project is to add redundancy to the network, if needed by getting new switches.

My question is, what's the best way to go about it, especially when I haven't had any real practical experience with this kind of thing yet? Are there any good online resources on the topic you could recommend?

Thanks in advance!



SNMP Switchport descriptions

When SNMP (non-v3) traps are configured to be sent, is it possible to include the switchport description?

Full disclosure - I haven't gone mad into research, but when searching either I'm using the wrong keywords or there is not much out there.

Now I'm receiving:

2021-10-14 06:58:12 Local7.Debug 192.168.1.1 community=communityxx, uptime=06:58:12, agent_ip=192.168.1.1, generic_num=5, specificTrap_num=4, specificTrap_name=, version=Ver1, generic_name=linkUp, ifIndex.10105=10105, ifDescr.10105=GigabitEthernet1/0/5, ifType.10105=ethernet-csmacd, locIfReason.10105=up

Is there a way how get Switchport Description included?

E.g.:

2021-10-14 06:58:12 Local7.Debug 192.168.1.1 community=communityxx, uptime=06:58:12, agent_ip=192.168.1.1, generic_num=5, specificTrap_num=4, specificTrap_name=, version=Ver1, generic_name=linkUp, ifIndex.10105=10105, ifDescr.10105=GigabitEthernet1/0/5, ifType.10105=ethernet-csmacd, locIfReason.10105=up, ifDescription or ifName

Mainly for 2960x, 3850, 9200 and 9300.

If that is possible, any guidelines on how it is done? I do see that you can walk the MIBs and see them, but I can't wrap my head around how to get them to syslog.
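The linkUp varbinds in the quoted line already carry the one thing needed to look the description up: the ifIndex. The description configured on the port is IF-MIB::ifAlias (1.3.6.1.2.1.31.1.1.1.18.ifIndex) and the short name is IF-MIB::ifName (1.3.6.1.2.1.31.1.1.1.1.ifIndex), so a trap receiver can enrich each link trap with a GET against the agent before writing it to syslog. The added example below is mine, not the poster's code or any vendor tool: it parses the receiver's key=value line, pulls the ifIndex, and appends ifName and ifAlias; the lookup is injected as a callable and backed here by a constructed table so the example runs offline, where a real receiver would wrap an SNMP GET (and should use SNMPv3 or a dedicated read-only community rather than reusing the trap community). One caveat that bites on Cisco IOS: ifAlias is truncated to 64 characters unless `snmp ifmib ifalias long` is configured on the switch.

```python
"""Append ifName/ifAlias to a linkUp/linkDown trap line before it goes to syslog.
Added, constructed example; the SNMP lookup is simulated with a table."""
import re

IF_NAME_OID = "1.3.6.1.2.1.31.1.1.1.1"     # IF-MIB::ifName
IF_ALIAS_OID = "1.3.6.1.2.1.31.1.1.1.18"   # IF-MIB::ifAlias, the "description" on the port

# The line quoted in the post
TRAP_LINE = ("2021-10-14 06:58:12 Local7.Debug 192.168.1.1 community=communityxx, uptime=06:58:12, "
             "agent_ip=192.168.1.1, generic_num=5, specificTrap_num=4, specificTrap_name=, "
             "version=Ver1, generic_name=linkUp, ifIndex.10105=10105, "
             "ifDescr.10105=GigabitEthernet1/0/5, ifType.10105=ethernet-csmacd, locIfReason.10105=up")

_IFINDEX = re.compile(r"\bifIndex\.(\d+)=(\d+)")


def parse_trap(line: str) -> dict:
    """Split the receiver's 'key=value, key=value' tail into a dict; keys keep their
    instance suffix (ifIndex.10105) exactly as the receiver printed them."""
    head, sep, tail = line.partition(" community=")
    if not sep:
        raise ValueError("not a trap summary line")
    fields = {"_prefix": head}
    for part in ("community=" + tail).split(", "):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def enrich_trap(line: str, snmp_get) -> str:
    """snmp_get(agent_ip, community, oid) -> str. Appends ifName/ifAlias for the trap's
    ifIndex; lines without one (coldStart, authenticationFailure, ...) pass through."""
    m = _IFINDEX.search(line)
    if not m:
        return line
    idx = m.group(2)
    f = parse_trap(line)
    name = snmp_get(f["agent_ip"], f["community"], f"{IF_NAME_OID}.{idx}")
    alias = snmp_get(f["agent_ip"], f["community"], f"{IF_ALIAS_OID}.{idx}")
    return f"{line}, ifName.{idx}={name}, ifAlias.{idx}={alias}"


# Constructed stand-in for polling the switch; the values are made up
FAKE_AGENT = {
    ("192.168.1.1", IF_NAME_OID + ".10105"): "Gi1/0/5",
    ("192.168.1.1", IF_ALIAS_OID + ".10105"): "Printer room - MFP01",
}


def fake_snmp_get(agent_ip: str, community: str, oid: str) -> str:
    return FAKE_AGENT.get((agent_ip, oid), "")


if __name__ == "__main__":
    print(enrich_trap(TRAP_LINE, fake_snmp_get))
```

Cache the ifName/ifAlias answers per agent and refresh them on a timer rather than polling on every trap, otherwise a flapping port turns into an SNMP poll storm against the switch.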



Wednesday, October 13, 2021

BGP Route Signaling to another router

Hoping someone can explain a possible solution. I currently have this type of setup:

R1=isp1 R2=isp2

R1 and R2 both advertise /24 to the internet via eBGP

R1 and R2 both have iBGP session

R2 has ebgp with Route Reflector. Route reflector sends bgp update with community string but the update is intended for R1 to pull the advertisement from the internet based on the top and Route maps configured.

How can I pass this update through R2 ensuring R2 doesn’t act on the update but simply passes the update to its iBGP neighbor (R1 in this case)

Unfortunately it doesn’t allow me to post a diagram hence have to explain in text.



How do you handle routing to on-prem public IP from guest-wifi?

Currently we have a web site that is hosted on-premises and split-DNS so if somebody is on our private network they get the 10.x IP but the public gets the public IP.

We also have guest WIFI. This is a network that can not route to the private networks and does not have private DNS. When a user on the guest wifi goes to our public website it can not route to the public IP. Is this a common issue?

The firewall is a Cisco ASA and it also acts as a physical edge that is plugged straight into the ISP.



RFC 1918 addresses in (own) public subnet: good, bad, neutral?

Suppose your ISP routes you 203.0.113.168/29. Modem IP is 203.0.113.169 (does not perform NAT), router IP is 203.0.113.170 (performs NAT for internal LANs such as 192.168.200.0/24).

Is it good, bad or neutral practice that my own nodes in 203.0.113.168/29 see my private (RFC 1918) IP addresses?

In other words, should the router perform SNAT on 203.0.113.170 for everything, including 203.0.113.168/29? Or should the router only perform NAT for addresses !203.0.113.168/29 ?

(In case it matters: the ISP does not allow access to the modem. The modem is a black box with assigned IP 203.0.113.169. On its ethernet interface I freely connect devices: my own public servers and the router.)

PS: Currently router performs NAT on everything which I don't perfectly like. I'd rather access the servers without NAT.



Figuring out why a packet went missing

I'm investigating an issue where someone at a specific location goes to a website to submit an order, submits that order, which then opens an SQL query to a database outside that location (the server), which then sends back an SQL query that will commit that order back to the original location (the client). The communication up to the point of the commit packet is all fine when looking at a packet capture at the server side and the client side, no packets missing and the 3-way handshake is good, but the packet to commit the change is lost every time you attempt to submit the order. I've attempted this multiple times in testing and the TCP stream is the same each time.

I've confirmed that at the server location the packet is leaving the egress point ie the firewall in this case by captures at that location.

I attempted to confirm if the packet at least gets to the clients side router/firewall but the ubiquiti device on site can't capture all the packets (captures 4 out of about 15 that the client device can capture in the specific TCP stream. and its always the same 4 packets weirdly).

I'm really at a loss now to figure out how to figure out who is dropping this packet and all the retransmits.

Here is the TCP stream with the client on top and the server below. The packet that does the commit is the 1808 length packet. Note this length is an anomaly of tcpdump running on the firewall putting packets 18155 and 18156 together when it records the length. The packet is within a 1500 MTU still in reality. That packet along with the other retransmit never show up at the client side. On the client side he just TCP keep alives for about 60 seconds and then gives up. Its like once this packet is lost they no longer can see each other.
Also I know the source ports are different in this image I was doing a bunch of testing and didn't keep two captures in the same test unfortunately. Each time the resulting stream is the same.



I could use a quick sanity check/2nd opinion

I was brought in to perform an assessment of a customer's network and for the most part the environment is in a decent state with infrastructure, redundant WAN, HA, L7 etc. But I've come across some weird network design decisions at their offices and the response I've received when I asked about it was that this was intentional. The layout is below:

L3 Core - 2 stacked L3 capable switches with SVIs. All intervlan routing between occurs here and only traffic for the WAN or remote offices is routed to the edge.

All other switches in the building are stacked in sizes of 4-7 switches. They are L2 access switches for users, APs, printers, etc to connect into.

Below is a short snippet of the design that threw me:

L3 Core Stack -> A single 10G fiber run Switch Stack 1

Switch Stack 1 -> 2 10G fiber runs to Switch Stack 2

Switch Stack 2 -> 2 10G fiber runs to the L3 Core Stack.

From my perspective, the 2 10G fiber connections between Switch Stack 2 and the L3 Core Stack should be in a LAG. Ideally a second 10G fiber run would be implemented from the L3 Core Stack to Switch Stack 1 and that would also be in a LAG. We would decommission the 2 10G fiber runs between Switch Stack 1 and Switch Stack 2.

Running L3 between all the Stacks and the Core isn't an option with the current infrastructure.

The pushback that I am receiving with this is making me question my network sanity. I see this as one spanning-tree blip away from a network crashing broadcast storm but maybe I'm wrong.

I'd appreciate any other points of view on this.

** Added/reworded for clarification.



How to get in

Hey everyone!

I'm completing my final semester to get my Associates degree in Internetworking Management and another in Cyber Security.

As for experience, I've been volunteering for a local nonprofit's IT and do work for the family business. Other things/projects here and there.

IT positions locally aren't the easiest to come by, especially in networking. I would really rather have something remote too. The other thing is pay...I can get any position at BestBuy making $15+ whereas many positions I've come across are that or mainly lower.

I have applied for a few large organizations (enterprise level) and my application is generally denied super early in the morning (I usually apply late at night) or I never hear from them. The smaller orgs I found interviewed me and usually went with someone, one of them straight up didn't like me at all and the body language showed during the interview. 🤷‍♂️

How can I find a position with a company that will actually interview me rather than deny my application without having the time to actually go over it? Most of the positions I've applied for are T1 help desk. But again, if I can get something entry level in networking I'd be much happier. No problem working up the ladder though either.

Edit: I have my A+, Network+, and Security+ certifications.



Should I submit this work?

My networking teacher gave us a homework assignment that asks for our personal computers’ ipv4 address, subnet mask, default gateway and ipv6 address. This my first year of networking so Idk much about it, but is this not the exact type of computer information you should never give any random person?



Faster than 1Mbps router for EVE-NG?

I am running the CSR1000V. Doing just NATing and bridging 2 interfaces for IPS. Due to licensing, it is stuck at 1Mbps. I have a QEMU Windows 10 and a Linux box, and every time they do something, the network comes to a halt. Even a ping to Google takes a few seconds.

Any alternatives where I won't be stuck with licensing?



Looking For Career Advice

I’m a 29M that has been currently working at a colo data center as a building tech for 4 years, while pursuing my flight ratings to become a pilot. Long story short it’s looking like it won’t become a reality.

My fallback has been the IT world. I have a BBA in Health Care Management, but do not want to pursue that. It doesn't make sense at this point for me to go back and get a degree in IT. So I'm currently studying to get my CompTIA Network+ rating.

I am interested in the security side of IT after the experience I have received working at my current job. I do find the network side interesting as well, but have seen posts here talking about how the cloud and security side will be the real future.

What should I be pursuing to make me more marketable in the future? Can I crack the IT world without a CS degree?

Thanks in advance!



I don't understand subnetting.

Hi, so I was wondering if any of the good people of Reddit could help me with an issue I'm having. I'm currently taking Networking 1 in college and one of the main things we have to know is how to subnet different network addresses and find the Network ID, 1st available network, last available, and Broadcast ID given a number of hosts (200, 100, 50, etc).

I've tried to wrap my brain around how to do this and I'm legitimately lost on where to even start but I just don't know. Where does the host number even get incorporated into an address? So if I have an address of 192.168.0.0 with a subnet mask of /16, where would 100 hosts even fit into that? How would I use 100 hosts to find the first/last available addresses and the broadcast?

Any help is appreciated because I've tried studying this but nowhere online seems to have any lessons or guides about subnetting with given host amounts.
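As an added worked example (not part of the original post), the mechanics the question asks about, carried out in Python with the standard library's ipaddress module: round the host count plus two (network ID and broadcast) up to a power of two, turn that into a prefix length, and then lay the subnets out back-to-back inside the given 192.168.0.0/16, largest first so every block stays aligned. The host counts 200, 100 and 50 and the /16 come from the post; the function names are this example's own.

```python
import ipaddress
import math


def prefix_for_hosts(hosts: int) -> int:
    """Smallest IPv4 prefix length whose block holds `hosts` usable addresses.

    Every block loses two addresses (network ID and broadcast), so we need
    hosts + 2 addresses in total, rounded up to the next power of two.
    The number of host bits is log2 of that; the prefix is 32 minus it.
    """
    if hosts < 1:
        raise ValueError("need at least one host")
    host_bits = math.ceil(math.log2(hosts + 2))
    return 32 - host_bits


def describe(net: ipaddress.IPv4Network) -> dict:
    """Network ID, first/last usable host, broadcast and usable-host count.

    /31 (RFC 3021 point-to-point) and /32 have no separate broadcast, so
    every address in them is usable; this is the one special case.
    """
    if net.prefixlen >= 31:
        first, last, usable = net.network_address, net.broadcast_address, net.num_addresses
    else:
        first = net.network_address + 1          # network ID + 1
        last = net.broadcast_address - 1         # broadcast - 1
        usable = net.num_addresses - 2
    return {
        "network": str(net),
        "mask": str(net.netmask),
        "first": str(first),
        "last": str(last),
        "broadcast": str(net.broadcast_address),
        "usable": usable,
    }


def carve(parent: str, host_counts) -> list:
    """Allocate one subnet per requested host count, back-to-back, inside `parent`.

    Sorting largest-first keeps every block aligned to its own size: the cursor
    starts on the parent boundary and each block is at least as large as the
    next one, so the next start is always a multiple of the next block size.
    """
    parent_net = ipaddress.ip_network(parent)
    cursor = int(parent_net.network_address)
    rows = []
    for wanted in sorted(host_counts, reverse=True):
        plen = prefix_for_hosts(wanted)
        # (address, prefix) tuple; strict mode raises if the cursor were misaligned
        net = ipaddress.ip_network((cursor, plen))
        if not net.subnet_of(parent_net):
            raise ValueError(f"{net} does not fit inside {parent_net}")
        row = describe(net)
        row["hosts_wanted"] = wanted
        rows.append(row)
        cursor = int(net.broadcast_address) + 1   # next block starts right after this one
    return rows


if __name__ == "__main__":
    # The post's example: 192.168.0.0/16 with subnets for 200, 100 and 50 hosts.
    for row in carve("192.168.0.0/16", [200, 100, 50]):
        print(f"{row['hosts_wanted']:>4} hosts -> {row['network']:<20} mask {row['mask']:<16} "
              f"first {row['first']:<16} last {row['last']:<16} "
              f"bcast {row['broadcast']:<16} ({row['usable']} usable)")
```

The 200-host request needs 202 addresses, which rounds up to 256, so it becomes a /24 (192.168.0.0 to 192.168.0.255, hosts .1 to .254); 100 hosts rounds to 128 (a /25), and 50 to 64 (a /26). The host count never appears in the address itself; it only decides how many bits are left for hosts, and the block boundaries follow from that.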



Network Inventory Tool

I've seen this tool posted here a few times and I can't find it now. It's an open-source tool to keep track of subnets and rack layouts. I can't think of the name to save my life. Can you help me find it?



Help regarding AWS VPC networking.

Hello All,

I've recently started a new role, and I'm having some trouble figuring out a bit of AWS to "On-Prem" networking. Unfortunately, the last guy to hold my position did not leave much documentation, so I'm trying to wrap my head around what is currently in place while still dealing with a backlog of tickets.

About the situation:

We are in the process of moving a customer (CxCompany) to their own AWS account as we somehow got stuck hosting their infrastructure after spinning up a test environment for them.

MyCompany is slowly moving to be more 'Cloud' focused, and I anticipate creating a process for connecting to customer networks will become a priority once I can figure out the proper steps.

What I am trying to Accomplish:

Add a new AWS VPC (subnets 172.41.10.0/24 & 172.41.11.0/24) to an existing VPN connection to allow for direct communication with the resources.

Current Configuration:

To connect to our AWS resources, MyCompany uses a virtual PfSense firewall that is hosted in AWS.

NAT and AWS VPC peering has been configured such that MyCompany's AWS resources are capable of communicating with the resources in the new VPC.

CxCompany connects to their AWS resources that we manage via a third-party VPN. The third-party VPN is using an IPsec tunnel to connect the following:

Local Subnet (AWS Resources)    Remote Subnet (CxCompany VPN)
10.21.107.0/24                  10.101.100.0/24
172.41.10.0/24                  10.101.100.0/24
172.41.11.0/24                  10.101.100.0/24

The first entry is currently working as expected, while the bottom two entries that I added are not.

What I have done:

To try to resolve this issue, I created the bottom two IPsec tunnels listed above and added outbound NAT rules to allow 10.101.100.0/24 to see the new subnets.

I also contacted their VPN provider who apparently added P2 entries to their configuration to allow for them to connect to the new VPC.

Where I am stuck:

Currently, CxCompany can connect to resources in the new VPC only if they 'jump' through one of the servers living in the 10.101.100.0/24 network.

Attempts to connect directly to resources in the 172.41.x.x subnets timeout.

The IPsec tunnel on MyCompany's firewall indicates a high amount of outbound traffic, but little-to-no inbound traffic.

My Question:

Other than adding NAT rules and additional P2 entries to our firewall, am I missing something that would prevent communication from their VPN to the new VPC?



Looking for help with a restaurant POS system.

I'm a sous chef at a restaurant and one of the only tech-savvy people in the building, which is not a brag by any stretch. We've been having an issue with one of our kitchen printers periodically dropping orders. With the information I have, I cannot resolve the issue.

I think what I have to do now is run a continual test overnight to this one particular ethernet port. Just wondering what tool or program I need to get to run this test.

Most of what y'all do is way over my head, and I understand this is probably a simple ask, but any help would be great.

Also, if this isn't the right sub, I apologize.
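An added example, not part of the original post, of the kind of overnight test the question asks about: a small Python script that probes the printer on a fixed interval, writes every failure to a log file with a timestamp (so it can be lined up against the times orders were dropped), and summarises the run into loss percentage and outage windows. The printer address 192.168.1.50 and the print port 9100 are placeholders assumed here; many network printers accept raw print jobs on TCP 9100, but check what the POS actually uses. The ICMP probe assumes Linux-style ping flags.

```python
import socket
import subprocess
import time
from dataclasses import dataclass
from datetime import datetime

# Placeholders for this example: put the real printer IP and print port here.
PRINTER_IP = "192.168.1.50"
PRINT_PORT = 9100          # raw-socket printing port used by many network printers


def icmp_probe(host: str, timeout_s: int = 1) -> bool:
    """One ICMP echo via the system ping (Linux flags: -c count, -W timeout)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    try:
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 2)
        return done.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def tcp_probe(host: str, port: int = PRINT_PORT, timeout_s: float = 1.0) -> bool:
    """TCP connect to the print port. Closer to what the POS does than ICMP:
    a printer can answer ping while its print service is wedged."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


@dataclass
class Outage:
    start: float          # epoch seconds of the first failed probe in the run
    end: float            # epoch seconds of the last failed probe in the run
    failed_probes: int


def outages(samples) -> list:
    """Collapse a list of (timestamp, ok) probe results into runs of failures."""
    runs, run_start, run_count, last_ts = [], None, 0, None
    for ts, ok in samples:
        if ok and run_start is not None:          # a run of failures just ended
            runs.append(Outage(run_start, last_ts, run_count))
            run_start, run_count = None, 0
        elif not ok:
            if run_start is None:
                run_start = ts
            run_count += 1
        last_ts = ts
    if run_start is not None:                     # run still open at the end
        runs.append(Outage(run_start, last_ts, run_count))
    return runs


def summarize(samples) -> dict:
    """Probe count, losses, loss percentage and the list of outage windows."""
    total = len(samples)
    lost = sum(1 for _, ok in samples if not ok)
    return {
        "probes": total,
        "lost": lost,
        "loss_pct": round(100.0 * lost / total, 2) if total else 0.0,
        "outages": outages(samples),
    }


def monitor(host=PRINTER_IP, probe=tcp_probe, interval_s=5,
            duration_s=8 * 3600, logfile="printer-watch.log") -> dict:
    """Probe every interval_s for duration_s, logging each failure with a timestamp."""
    samples, deadline = [], time.time() + duration_s
    with open(logfile, "a") as log:
        while time.time() < deadline:
            ts = time.time()
            ok = probe(host)
            samples.append((ts, ok))
            if not ok:
                log.write(f"{datetime.fromtimestamp(ts).isoformat()} LOST {host}\n")
                log.flush()
            time.sleep(interval_s)
    return summarize(samples)


if __name__ == "__main__":
    result = monitor()
    print(f"{result['lost']}/{result['probes']} probes lost ({result['loss_pct']}%)")
    for o in result["outages"]:
        print(f"outage {datetime.fromtimestamp(o.start)} .. "
              f"{datetime.fromtimestamp(o.end)} ({o.failed_probes} probes)")
```

Run it from a laptop plugged into the same switch port overnight (`python3 printer-watch.py`) and compare the log against the times the kitchen says orders went missing. If the TCP probe fails while ICMP still answers, the printer itself is the likelier culprit; if both fail together at the same times, look at the cable, port, or a power-saving feature on the switch.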



Any reason to use 10GBASE-T?

Noob fiber questions. I never had to work with fiber, since the stuff I manage works fine on 1GbE, including my Nimble CS300 SAN. But it's time to refresh stuff and I'm going to at least 10G on my next refresh in a few months.

Is the answer to always use SFP+, no matter what? Even if the runs are less than 30'? What are people using 10GBASE-T for? I see Nimble has NIC options for 10GBASE-T on their controllers.

Also, when connecting two ProCurve 5406Rs together over a long distance (500'+), single mode fiber using a SFP+ transceiver module is the only way to go, right?



DHCP Controller within an IPAM? Any recommendations?

Hi Gents,

I've been tasked with getting an IPAM, but it also needs to be able to "do" DHCP, meaning to say the IP Address Manager also functions as the DHCP server. So far we've reviewed ManageEngine and SolarWinds, both great tools, but neither has a DHCP controller; they pull allocations from an existing DHCP box (in this case Windows) on the network.

I am wondering if anyone knows a product which matches to what we want? Ideally it will have DNS control as well.

I'm about to call Infoblox to see what they can do, but the cost is a bit prohibitive.



OSPF Multi-Area Type 3 LSA ISSUE

I have two OSPF processes running: 234, which is in the default routing table, and 911, which is in a VRF. These VRFs merge at our Palo Alto firewall and I haven't had any issues with this setup until now. On our main WAN site I have all routes in area 1 and this works fine as well. Our ABR is the core switch that is connected to the WAN site's switch. I have recently been asked to extend the VRF to the WAN sites as well, so I have done so using the ospf 911 process from within the VRF using area 2. This has not worked: the VRF instance on the core switch and the rest of the network can see all the area 2 routes; however, the WAN switch has no IA routes whatsoever. I am not an expert at OSPF, but looking at the databases I cannot quite seem to find the issue.

CoreSwitch: C9500-48Y4C IOS 16.09.05

Wan Switch: WS-C3850-24P IOS 16.9.04

I can provide config/LSDB but I do not want to flood this post

Here is an example from the database summary command on the WAN switch.

cctowswi01#sh ip ospf 911 database summary 10.100.240.0

            OSPF Router with ID (172.16.221.8) (Process ID 911)

                Summary Net Link States (Area 2)

  LS age: 1644
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 10.100.240.0 (summary Network Number)
  Advertising Router: 10.254.254.234
  LS Seq Number: 80000009
  Checksum: 0x2AB7
  Length: 28
  Network Mask: /23
        MTID: 0         Metric: 2

cctowswi01#sh ip ospf 911 database summary 10.100.240.0 internal

            OSPF Router with ID (172.16.221.8) (Process ID 911)

                Summary Net Link States (Area 2)

  LSA prefix priority: Low
  Distance: 16777215
  Now in min table
  Table index: 50 min 8 sec
  LS age: 1662
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 10.100.240.0 (summary Network Number)
  Advertising Router: 10.254.254.234
  LS Seq Number: 80000009
  Checksum: 0x2AB7
  Length: 28
  Network Mask: /23
        MTID: 0         Metric: 2

Core Config:

interface Vlan91
 ip vrf forwarding CCSO-VRF
 ip address 10.201.5.129 255.255.255.128
 ip ospf priority 50
 ip ospf 911 area 2

Wan Config:

interface Vlan91
 vrf forwarding CCSO-VRF
 ip address 10.201.5.130 255.255.255.128
 ip ospf priority 0
 ip ospf 911 area 2


Questions about Etherchannel

What's up, everyone? I've run into an issue when configuring a Cisco layer 3 switch:

" %EC-5-CANNOT_BUNDLE2: Fa0/6 is not compatible with Po3 and will be suspended (vlan mask is different))"

Please give me some ideas on how to resolve it. Thanks.

Andy



Strategy for future proof IP subnetting

Maybe this question is too simple but I am wondering if there are strategies to make IP subnetting as future proof as possible?

I got a /24 prefix which I'd like to split into various subnets. Some will be connecting p2p links (/31 and /30), some will be smaller ones (maybe /29), some larger ones (/27). Maybe I'll need one /26, but no /25. The problem is I don't know exactly how many of these subnets I will need down the line and how large exactly they will need to be (at the very beginning (= now), I only need 2x /31 and 3x /29).

I found this wonderful tool which is of great help: https://www.davidc.net/sites/default/subnets/subnets.html?network=192.168.0.0&mask=24&division=11.551

How would you start subnetting this to be as flexible as possible down the line (if this is even possible at all)?
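As an added example (not part of the original post), one allocation strategy that keeps a /24 flexible when the future mix of sizes is unknown: buddy-style allocation. Every request takes the smallest free block that fits and splits it in halves down to the requested size, so small subnets cluster together and the largest aligned blocks stay untouched until something actually needs them; freed blocks merge back with their "buddy" so fragmentation is undone. The parent 192.168.0.0/24 is the same sample prefix the linked tool defaults to; the subnet names are this example's own, and the initial 2x /31 and 3x /29 are the post's starting requirements.

```python
import ipaddress


class BuddyPlanner:
    """Carve a parent prefix with buddy allocation.

    Free space is a list of power-of-two blocks. An allocation takes the
    smallest free block that can hold the request (longest prefix, lowest
    address on ties) and splits it in halves, pushing each unused upper half
    back on the free list. Releasing a block re-merges it with its buddy
    (the other half of the same parent) while that buddy is also free.
    """

    def __init__(self, parent: str):
        self.parent = ipaddress.ip_network(parent)
        self.free = [self.parent]
        self.allocated = {}

    def allocate(self, name: str, prefixlen: int) -> ipaddress.IPv4Network:
        if name in self.allocated:
            raise ValueError(f"{name!r} is already allocated")
        candidates = [b for b in self.free if b.prefixlen <= prefixlen]
        if not candidates:
            raise ValueError(f"no free block for a /{prefixlen} left in {self.parent}")
        # best fit: the smallest block that fits (longest prefix), lowest address first
        block = min(candidates, key=lambda b: (-b.prefixlen, b.network_address))
        self.free.remove(block)
        while block.prefixlen < prefixlen:
            lower, upper = block.subnets(prefixlen_diff=1)
            self.free.append(upper)          # the other half stays available
            block = lower
        self.allocated[name] = block
        return block

    def release(self, name: str) -> ipaddress.IPv4Network:
        block = self.allocated.pop(name)
        while block != self.parent:
            parent = block.supernet(prefixlen_diff=1)
            lower, upper = parent.subnets(prefixlen_diff=1)
            buddy = upper if block == lower else lower
            if buddy not in self.free:
                break                        # buddy in use: cannot merge further
            self.free.remove(buddy)
            block = parent                   # merged; try the next level up
        self.free.append(block)
        return block

    def free_blocks(self) -> list:
        return sorted(self.free, key=lambda b: (b.network_address, b.prefixlen))

    def largest_free(self):
        return min(self.free, key=lambda b: b.prefixlen) if self.free else None

    def report(self) -> str:
        lines = [f"{name:<10} {net}" for name, net in sorted(
            self.allocated.items(), key=lambda kv: kv[1].network_address)]
        lines.append("free: " + ", ".join(str(b) for b in self.free_blocks()))
        return "\n".join(lines)


if __name__ == "__main__":
    plan = BuddyPlanner("192.168.0.0/24")
    # Day one: 2x /31 point-to-point links and 3x /29.
    plan.allocate("p2p-a", 31)
    plan.allocate("p2p-b", 31)
    plan.allocate("mgmt", 29)
    plan.allocate("srv", 29)
    plan.allocate("prn", 29)
    print(plan.report())
    # Later: a /26 still fits without touching the /25 kept in reserve.
    plan.allocate("users", 26)
    print("largest block still free:", plan.largest_free())
```

With the five initial subnets placed, the free list is 192.168.0.4/30, 192.168.0.32/27, 192.168.0.64/26 and 192.168.0.128/25: all of the small allocations sit in the bottom 32 addresses, and a /27, a /26 and a /25 are still available whole. A sequential "next free address" scheme would have produced the same first few subnets but, as soon as one odd-sized request landed in the middle, the remaining space would no longer contain an aligned /26.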



Any use for having a firewall between WLAN and LAN?

Right now we have the WLAN APs going through a router/firewall (WLAN dedicated DHCP) then to the core switch so traffic is getting NAT'd but configured to talk to at least two other subnets on the LAN.

Is this more secure than having WLAN on its own VLAN with DHCP handled by the server subnet? Other than blocking ports that shouldn't be open on the LAN in the first place, I don't really see a benefit.

The WLAN equipment in question does not serve any guest connections. It is internal only.



Multimode SC to LC

Hello,

Can I use an SC to LC fiber cable to connect to a MA-SFP-1GB-SX SFP ?

Right now it looks like we have an SC fiber optic cable going from the termination block to a BL-100 series media converter which connects to our switch via Ethernet:

https://imgur.com/a/KbxaScm

The goal is to replace these switches with Meraki MS210s. I would connect the MS210s to the fiber termination block with 2x MA-SFP-1GB-SX SFPs and 2x SC to LC fiber cables and do the same thing on the other end using LACP.

Is this a valid design? Anything special I need to consider?

Thank you



Structured Cabling, Plenum Spaces, and you: A *brief* guide to ethernet and fiber cabling in your building(s)

The following information is provided as-is and with no warranty, express or implied. You should consult the relevant building authorities, officials, and legal counsel for questions on these matters. If you take legal or building code advice from a random guy on Reddit, you're going to have a bad time

Structured Cabling, Plenums, and You: A brief guide to cabling in your buildings

Why are you writing this? Every now and then on /r/sysadmin, /r/networking, or /r/msp, there are questions about running cabling in your company's building or one of your customer's buildings. People ask what kind of cable to buy, can they run it next to this or that, and so on. This guide attempts to answer some legal and code questions and is not a how-to guide on running cable.

Who are you again? This guide will be written from the perspective of a contractor (me) operating in Florida, in the United States. I hold an Alarm Systems 1 Electrical Contractor license. In the state of Florida, this qualifies me to install ALL cabling inside and outside structures provided that that cabling does not carry more than 98 volts, as well as installation and maintenance of fire and burglar alarms. My MSP acquired this license so that we can legally run cabling for customers in addition to the IT Services we provide.

Before going any further, let me introduce the Prime Directive


The Prime Directive - Hire a properly qualified contractor

In almost all cases, cabling work should be done by a properly qualified contractor. Not everybody who will take your money is a properly qualified contractor.

How do I find a properly qualified contractor? First, get an idea of what you want done. Have your scope of work statement condensed down a few bullet points. Then, call your local government offices and explain that you want some work done and you need to know what license a prospective contractor will need. They will direct you to Code Enforcement, Building Inspections, Contractor Licensing, or some other similarly named department. Once you're on the phone with them, explain in brief the scope of work and ask what license would be required to do so. They will give you the information you need and how to verify a license.

Then, when you are seeking bids to do the work or you just start randomly Googling local companies and calling them, make sure they have the right license or a license that exceeds the requirements. The State of Florida maintains myfloridalicense.com where you can lookup license holders. Your state or locality might have a similar service.


I don't need no stinkin' contractor. I can do this myself!

Maybe. However, allow me to introduce you to the almighty power of "someone else's problem" (SEP).

Situation: You need 100 Ethernet cables installed for your new office.

Option1: You and your buddy do the installation

Option2: You follow The Prime Directive

Problem 1: The cabling is installed too close to 277-volt lines which feed overhead lighting. Your VoIP phones crackle and hiss all the time

Option1: You and your buddy must cut and re-pull 100 cables via a different route to fix the problem

Option2: SEP!

Problem 2: The installed cabling is Copper-Clad Aluminum cabling that you got from Amazon for $90 a box and it's shit because CCA is shit and should never be installed

Option1: You and your buddy must cut and re-pull 100 cables using a different supplier to fix the problem

Option2: SEP!

Problem 3: An installer falls off a ladder and injures his back while leaning way over a ceiling tile to reach something. The ceiling grid takes major damage and he's out of work for a while

Option1: Workers Compensation denies your claim and you have to do a shitton of appeals because your company does NOT carry insurance for that sort of thing

Option2: SEP!

Problem 4: The Fire Marshal comes in to inspect something else and notices a bundle of Ethernet cables that weren't there before. He checks the label and finds out that they aren't plenum-rated and they should be. He demands that these cables be replaced immediately and threatens to revoke your Certificate of Occupancy until it's done.

Option1: You get to explain to your boss how you shut down the company for a month to save some money because you don't understand code

Option2: SEP!


I hope I've made my point. Just because it's "just low voltage" doesn't mean that code doesn't apply. The United States National Electrical Code (NEC, NFPA 70) has huuuuuuge sections that dictate the running of low voltage cabling, fiber optics, etc.


"Okay, so are you saying I need a license just to plugin a printer to an Ethernet cable?!"

No, I'm not. Here is a GENERAL rule of thumb (see italicized bit at the start of this post) for whether you need a license:

  1. Does the cable run start AND finish in the same room?

  2. Can you SEE the entire cable run from start to finish while standing in a normally-occupied space WITHOUT using any special tools? If a cable is tucked behind a desk or a file cabinet, that's fine

If the answer to both of those is yes, then you probably do not require a license to install or modify it. If you're not sure, Prime Directive. The Building Code people will tell you. It's literally their job.


"Right, so what's all this business about Plenum spaces?"

When people ask on here about plenum-rated cabling, it always makes me nervous. Because if you are talking about running plenum v. non-plenum cabling (CMP vs CMR/CM) then you're talking about a scope of work that would require a license to do, at least where I operate. In which case you shouldn't be asking Reddit, you should be following the Prime Directive. If you ARE licensed to do that kind of work... you should KNOW the answer and not be asking on Reddit.

That said, Plenum-rated cabling (CMP) is required when cabling is being run in a "plenum space". A Plenum Space is a space that is used for return air back to the building's air conditioning or heating system. Plenum-rated cabling has an outer jacket that, if exposed to extreme heat or open flame, will not release toxic gasses. You can see how this would be VeryBad™ if you have toxic gasses being pumped all over the building by your air conditioning or heating system. Most commonly, a Plenum Space is the area above ceiling tiles or below a false floor IF that is being used as an air return space.

Just because it's above ceiling tiles does not necessarily mean it's a plenum space, though it might be. If you have a question, then PRIME DIRECTIVE

If your building has ducted returns for the HVAC system, then the area above the ceiling tiles is likely NOT a plenum space. If your building does NOT have ducted returns for the HVAC system, then the area above the ceiling tiles MIGHT be a plenum space.

Plenum Space - Plenum-rated cable required

Not a Plenum Space - Plenum-rated cabling permitted, but not required


"So what if I just buy and run plenum-rated cabling everywhere? I can do that right?"

Yes, you can. However nobody likes doing this for two reasons.

  1. Plenum-rated cabling is between 1.5 and 3 times more expensive than non-plenum rated cable.

  2. Plenum-rated cabling is ASS to work with. It seriously sucks. It's stiff, it hates turning corners, it usually requires more feed-points for longer runs, its outer jacket cracks more easily if you bend it too far. It's just ass. Nobody likes it. We only use it when we have no other choice.

We dislike it so much that usually we'll redraw plans to avoid plenum spaces, if possible. If we're just passing through a plenum space from one floor to another, we'll install (or have the Sparkies install) a bigass set of 2 or 4 inch EMT conduits with proper fire-stop to allow our wiring to pass through the space. That way we don't have to use Plenum-rated. This may differ in your jurisdiction. Some areas require plenum-rated cabling even if it's inside conduit if that conduit passes through a plenum space. And some places like highly sensitive medical facilities require plenum-rated cabling everywhere because of REASONS. So, if you have a question then PRIME DIRECTIVE.


"Something you said here isn't accurate. In MY jurisdiction, we're allowed to do X Y or Z..."

You're probably right. I assume you followed the Prime Directive, in which case, knock yourself out!


"This doesn't apply to fiber-optic cables right? They don't carry voltage, after all!"

Sorry, NEC goes BRRRRRRRR. Article 770 of the National Electrical Code (NEC, NFPA 70) governs the installation of fiber optic cabling. Yes, you still need to be licensed in my jurisdiction to install it.


Thank you for reading this brief guide on code and plenums. I will add / edit sections over time as I think of stuff.



5Ghz, internet

I'm confused. I have a 25 Mbps internet plan; when I use the 5 GHz Wi-Fi the speed goes way up, into the hundreds. Can someone explain to me why it goes higher?


Young & career loss

Hello all,

I am a young (23) person who's been doing networking for about 4 years now (admin/technician/a little bit of engineering). This career is definitely a passion of mine and I want to continue excelling in this line of work. I'm military, and at my previous base I managed a lot of routers/switches at a data center and have a lot of experience with access and both static and OSPF routing. I don't plan on getting out for at least four years and really want to get the education knocked out so I'll be set for the civilian side. I guess my question is: besides getting basic CCNA/CCNP & Network+ certs, is there anything else I should go for if I want that future network engineering position? Like what other IT subjects should I also be focusing on?



Ciena 6500 Metro-E and Long range optics, also third party vendor optics?

I'm getting a Metro-E circuit delivered, and have some questions about the optics my provider is requiring.
It's a 100Gb circuit, and over 100 km long. The provider has had to engineer in a mid-span repeater/regenerator, and the link is testing good across the span.

The provider has installed a pair of Ciena 6500 7-slot and a mux in my site. The 6500 is in a cabinet adjacent to my equipment.

Originally, the provider said that they'd support 2 km optics in my gear, but ran into problems. Now they're saying I need to provide 100Gig LR optics for this part of the span.

I'd rather stick with short range optics because the Vendor-part number for LR optics is on the order of $25,000 each. [ Yes, I know that price list, but that's crazy. ]

I'm having trouble deciphering the BoM for the Ciena so I can understand what each individual piece does, and documentation for these is locked behind lots of paywalls. But I'm assuming that the optics on the customer-facing side of the Ciena have little to no bearing on the span side of the Ciena. I don't think that 10 km optics vs 2 km optics are going to have any bearing on the workings of the 100 km link. I kind of suspect that I could plug a 100Gb BiDi into the front side of the Ciena and still have end-to-end connectivity. However, the engineers on my calls haven't been able to explain anything other than "we had problems, now we're just following industry standards and you need to buy LR4 optics for what appears to be a 5 meter link, given that your equipment and our equipment are in adjoining racks."

1: Can you explain to me what the Ciena's doing, and if it's more complicated than the switching that I'm envisioning? Does the DWDM vs CWDM on the customer facing side really play into the span side of the link?

2: Any preferred third-party vendors for a QSFP-100G-LR4-S compatible optic, preferably available through Insight?



If all governments around the world required an ID to surf the internet, could this be circumvented in some way, using an alternative network or other technologies?

I'm not sure if this is the right subreddit to ask this question. But I thought I may try here.

Other technologies would be maybe an alternative satellite network, VPN? I don't know much about networking.



Should I stick with my job as an English teacher or get into help desk while I'm studying for my bachelor's of cyber security

Hey everyone, I recently enrolled in a part-time program to obtain my bachelor's in cyber security and am currently working as an English teacher in Hong Kong, which gives me some freedom to study and attend college. I'm currently studying to get some CompTIA certs as well. Considering I'm 28 years old and new in the industry, I am thinking about getting a help desk job so I have more experience when I graduate, but I'm afraid I won't have enough time and freedom to study for my college (again, my current job gives me some free time daily so I can study at work). I just need to hear your thoughts about the situation I'm facing. Thanks for your time in advance.



802.1aq / SPB over WAN - any resources?

Hey all, I am wondering if it's possible to use SPB over a WAN network (like ISPs) to span SPB over multiple locations that do not have a direct "private" connection like dark fiber or anything.

I just recently got to work with SPB and it sounds really interesting, but sadly the documentation is quite rare.

I've learnt that SPB is a way to encapsulate layer 2 traffic in layer 3. Does that mean I could transport the SPB to another location by using a VPN? Is there any documentation about SPB over WAN in any other scenario?

Sorry for my bad wording if it does not make sense; I'm on site and decided to make a quick post before I forget about the question.

Thanks in advance!



Projects/Roadmap

Cross posting from r/networksecurity

Hello community,

What are some of your upcoming projects like? What does your roadmap for the next couple of years look like?

We have done, or are in the process of implementing, ZTNA, NAC, a data centre build, etc. Curious as to what you folks are working on.



Please help me with this weird problem

Hello, I have been scratching my head for 3 days now without any progress, hope somebody can help me.

Background

I have a firewall (OPNsense) running the Unbound DNS server. All my devices connected to the firewall are using my Unbound as their DNS server, except my Kubernetes cluster (3 master/worker nodes). I set up my Kubernetes cluster to use 8.8.8.8 as the DNS server. I also use Cloudflare to point my domains at my public IP. In the Cloudflare DNS page, I use the "proxy" feature for the domain root and "DNS Only" for the wildcard of the domain (because Cloudflare doesn't support wildcard proxy for the free tier).

In my firewall, I have forwarded port 80 and 443 into my Traefik ingress (running inside the Kubernetes cluster). In Unbound, I have host override for my domain to the IP of the Traefik ingress too.

The Problem

If I curl my domain that doesn't use the "Proxy" feature in Cloudflare from my Kubernetes cluster, I get "connection timed out". I can curl any domain name in this world except my own domain that is not behind Cloudflare Proxy (like WTH!). I can do nslookup/dig just fine, very weird. I have also tried allowing all traffic to go through my firewall.

After 3 days of balding my own head, here is the simplified version of my problem: I can't access my services using my domain if it's not using Cloudflare proxy and I'm not using my own DNS server and I'm in my local network. (I can access my wildcard domain outside my local network)

Hope somebody can help me with this. I know I can just use Cloudflare proxy and not use a wildcard for everything. But I want to know how this happens. Thanks before.