Saturday, November 13, 2021

Trying to choose the right setup (router/firewall, switch) for a family member's growing small business

Hello, first-time poster here. I recently got asked if I could help out my aunt's growing business; she does tax prep and is moving to a new, larger location that is luckily already wired up, so she has all the wall drops she needs for her new onboards.

The location has a closet with a patch panel all ready to go, but here is where I would need some help. She is running the tax prep software on the server, which emails and e-files through the software; it basically installs clients on each computer for access through a shared drive, as it is licensed. She never had any issues before with the router she was using from the Spectrum business plan, as she only had 2 computers wired in, the server and a network printer, and it worked fine.

This new location has 8 total drops all running to a patch panel, and she is going to need all of them, so could we connect a switch to the existing Spectrum router and then connect to the patch panel? The bigger question is whether the Spectrum router would be able to handle the traffic, internet and server access, all wired. Would we need a different type of router or switch? Any help would be greatly appreciated.

edit: if I should be posting this somewhere else please let me know, thank you



Bad Mask /25 for address 198.133.234.3

Am I having a brain fart here? I am trying to reconfigure a 1001-X router running IOS-XE and getting the above message. I clear out the old IP address of an interface and enter:

ip address 198.133.234.3 255.255.255.128

It gives me: Bad Mask /25 for address 198.133.234.3

There are no other interfaces in this IP space and this isn't a network or broadcast address. I tried other addresses in the last octet as well.

It will accept 255.255.255.0. It will also accept ip address 198.133.234.129 255.255.255.128. But if I use any IP in the first half of that /24, it doesn't like it.

I tried configuring this on a switch with IOS-XE and it accepted it. So that points to either something in the configuration or an IOS bug.

Because of that I figured that IP space was conflicting with something else in the config. So I cleared out any mention of any IP address beginning with 198.133 in the config but still no dice. So it doesn't seem to be a conflict. Of course a conflict wouldn't explain why it would accept /24 and not /25.

I tried configuring the same IP on a clean, unused interface on the same router. Same thing. /25 in a different IP space works.

It won't accept anything smaller such as /26, /27, etc. either. It will only accept a /24.

So, why would IOS accept only /24 for a particular IP space in an interface config?
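The checks the post reasons through by hand (is the address a network or broadcast address, does the subnet collide with another interface) can be scripted. The following is an added example, not code from the original post; EXISTING_INTERFACES is a constructed sample of "other interfaces", since the real router configuration is not on the page.

```python
"""Added example, not from the original post: sanity-check an interface
address/mask pair the way a router does before accepting it.

The checks are the ones the post reasons about: is the address the network
or broadcast address of its subnet, and does the subnet overlap a subnet
already configured on another interface. EXISTING_INTERFACES is a
constructed sample; the real router's configuration is not on the page.
"""
import ipaddress

# Constructed "other interfaces" on the router (hypothetical names and prefixes).
EXISTING_INTERFACES = {
    "GigabitEthernet0/0/1": ipaddress.ip_interface("10.0.0.1/24"),
    "Loopback0": ipaddress.ip_interface("192.0.2.1/32"),
}


def check_interface_address(addr, mask, existing=EXISTING_INTERFACES):
    """Report on addr/mask: its subnet, whether addr is usable as a host
    address, and which existing interfaces' subnets it overlaps."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")   # accepts dotted masks
    net = iface.network
    ip = iface.ip
    # /31 and /32 have no separate network/broadcast address to collide with.
    reserved = net.prefixlen < 31 and ip in (net.network_address, net.broadcast_address)
    overlaps = sorted(name for name, other in existing.items()
                      if other.network.overlaps(net))
    return {
        "address": str(ip),
        "subnet": str(net),
        "broadcast": str(net.broadcast_address),
        "usable_host": not reserved,
        "overlaps": overlaps,
    }


def explain(addr, mask, existing=EXISTING_INTERFACES):
    """One-line verdict in the spirit of the IOS 'Bad Mask' message."""
    r = check_interface_address(addr, mask, existing)
    if not r["usable_host"]:
        return f"Bad address {addr}: network or broadcast of {r['subnet']}"
    if r["overlaps"]:
        return f"{r['subnet']} overlaps with {', '.join(r['overlaps'])}"
    return f"{addr} {mask} is valid: host in {r['subnet']}, broadcast {r['broadcast']}"


if __name__ == "__main__":
    for addr, mask in [
        ("198.133.234.3", "255.255.255.128"),    # the pair the router rejected
        ("198.133.234.129", "255.255.255.128"),  # the pair the router accepted
        ("198.133.234.3", "255.255.255.0"),      # the /24 it also accepted
        ("198.133.234.127", "255.255.255.128"),  # broadcast of the lower /25, for contrast
        ("10.0.0.5", "255.255.255.0"),           # collides with the constructed Gi0/0/1
    ]:
        print(explain(addr, mask))
```

Run as written, the script reports 198.133.234.3/25 as a valid host in 198.133.234.0/25 with broadcast .127 and no overlap, which is the same conclusion the post reaches; a router that still refuses the pair is rejecting it for a reason other than these two rules.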



C3PL config questions with ISE

Hi all,

We currently have ISE running for 802.1x auth using certs deployed by Active Directory to endpoints. We are using legacy authentication commands on our switches and want to switch over to IBNS 2.0 / C3PL commands for the added flexibility.

I've been testing this in a lab and have most of it working, but am having an issue with 1 particular thing. I would like to have a fallback scenario where, if a Windows PC fails authentication using 802.1x due to a cert issue (which happens a lot), it gets a minimal access ACL which allows connectivity to AD and the certificate authority server as well as DHCP, so that it can a) get an IP and b) allow our help desk to renew its cert or troubleshoot any other issue with it, and then once everything is good that client can automatically re-authenticate using 802.1x and get full network access in the event of a success. Does anyone have any working config to achieve that? Any help would be greatly appreciated.



Working for a consulting company versus doing consulting on your own

Is there anyone out here who used to work for a consulting company and then decided to do consulting on their own? If so, how did you get your first customers? Was it worth it? Would you do it again?

What are some major pros and cons?



Labeling Multiple Fiber runs between buildings

I'm at a location where there is existing fiber between the main office building and various other locations throughout the property, mainly smaller offices/IDFs/etc.

At the MDF/server room I've been identifying and labeling fiber patch cables that exist in the patch rack and go to a specific SFP port in the switch/switches, for example, 1000 is labeled on both sides of the fiber cable. On my document I'll write that fiber patch cable 1000 plugs into switch 1, port 1 and connects to fiber patch 1. This is very helpful when tracing cables within the MDF server room.

Continuing to use this example, fiber patch 1 (cable 1000) is using strands orange/blue to go to the next building. In the next building, it terminates to orange/blue (obviously) in the fiber patch panel. From here, it continues to another patch panel box (it is very possible that orange/blue are not used on this next patch panel, but I do link the correct strands together with a patch cable).

This is where my question starts...should that patch cable be labeled 1000 since it is a continuation of the patch cable in the MDF or do I label it something else as to not confuse me or someone else if they are troubleshooting this run in the future?

I do have a diagram with the fiber runs that I am keeping up to date, but I'd like to know if I should be using 1000 for the entire run (from office, to all the thru locations, to final destination) or should I use a unique number for each leg of the run?

Thanks.



SC/APC to connect 2 switches

Hi, I was curious if it’s possible to connect 2 switches with an sc/apc to sc/apc cable. I already have 1 GPON transceiver, and if it is possible to, then I’d order another one, note that the switches are not in the same room and the cable would have to run outdoors and since I already have an sc/apc outdoor cable I would like to know if it’s possible. I’m pretty new to networking with fiber so sorry if it’s an obvious question. Thanks for any help!



As a network installer who tests the cabling, what must I check before starting?

What should I do referring to the previous steps?



Selective filming without consent

For a bit of context, I work for a small IT company as a techy, I've been here almost a year and for the most part things are pretty good. There's one thing I'm definitely not comfortable with though.

Every Friday afternoon we have our weekly meeting just 4 or 5 of us who can make it, and our OS colleagues. The thing that initially triggered this, I think, was a webcam set up overlooking the lunch room, which appeared to be harmless, just sitting underneath the TV. I gave it a little tap to dislodge it off centre, and sure enough a few days later it disappeared.

Since that time, the boss has set up a brand new HD webcam on top of the monitor in our weekly meetings, in such a way that the office manager and head tech are not in the picture, just myself and the other one or 2 techs if they are not on-site - nor do the OS guys switch theirs on either. The boss knows I'm not a camera person, I don't have social media, and the fact that I am likely uncomfortable that I don't have a say because I have to attend the meeting. Everyone sits in their designated seats every week so changing seats is not an option.

To say the least, this is hugely unprofessional and does not sit well with me at all. Saying something will obviously satisfy his hunger to know that I'm uncomfortable being filmed without my consent. Sure in his defence he can say, how is this any different to the CCTV cameras in the office? Everyone is filmed coming in and out of the office, that's the difference. Certain people in the meeting are not in the frame, that's the difference.

This has led to me being withdrawn from the meetings with absolute minimal input, and just makes me look bad if in fact they are recording, which I'm almost 99% sure if he's not recording on the boardroom PC, then on his work laptop.

It's a lose-lose situation for me if I speak about it. I would have no problem if it was mandatory for everyone in the meeting to be in frame with their cameras on, including the OS guys. This, along with a tech that is a complete smart ass, some irate customers that continually belittle them, and I'm left to take the brunt as the bad guy who sticks up for us in the business, is almost enough for me to throw in the towel.

What are your opinions on this, and would you be just as uncomfortable as me in this situation. Any help is much appreciated.



Unable to ping host from firewall 2 but can on firewall 1

I have a Cisco ASA 5506 active/standby pair configured and whenever I swap the active member to a particular firewall, I am unable to ping certain IP addresses both internally and externally. This particular host machine has numerous IPs on it and I can ping all but 1 of those IPs from either firewall, so it is a single IP from a single host that I cannot ping.

firewall 1: (fails)

asasov# show arp | grep 197.

inside 10.75.197.96 0050.569e.e28c 379 - Ping works

inside 10.75.197.95 0050.569e.e28c 598 - Ping fails

inside 10.75.197.103 0050.569e.e28c 649 - Ping works

firewall 2: (works)

asasov# show arp | grep .197

inside 10.75.197.96 0050.569e.e28c 491 - Ping works

inside 10.75.197.95 0050.569e.e28c 710 - Ping works

inside 10.75.197.103 0050.569e.e28c 758 - Ping works

The IP addresses are configured the same on the host:

inet 10.75.197.95/8 brd 10.255.255.255 scope global secondary ens160

valid_lft forever preferred_lft forever

inet 10.75.197.96/8 brd 10.255.255.255 scope global secondary ens160

valid_lft forever preferred_lft forever

inet 10.75.197.103/8 brd 10.255.255.255 scope global secondary ens160

valid_lft forever preferred_lft forever

There is no additional filtering on the network to this host.

I am not able to ping the firewall IP from the host with firewall 1 active:

ping -I 10.75.197.96 10.0.0.30

PING 10.0.0.30 (10.0.0.30) from 10.75.197.96 : 56(84) bytes of data.

^C

--- 10.0.0.30 ping statistics ---

15 packets transmitted, 0 received, 100% packet loss, time 14343ms

yet as soon as I swap the active firewall, it works:

ping -I 10.75.197.96 10.0.0.30

PING 10.0.0.30 (10.0.0.30) from 10.75.197.96 : 56(84) bytes of data.

64 bytes from 10.0.0.30: icmp_seq=1 ttl=255 time=0.918 ms

64 bytes from 10.0.0.30: icmp_seq=2 ttl=255 time=0.574 ms

From the same host, I can use another IP (10.0.87.1) which works regardless of which firewall is active. If I add another IP, it works regardless of firewall (10.0.87.1).

The only change when the firewalls are swapped would be that the inside interface is connected to a different switch, but these switches are trunked and it's only that single IP that has an issue. I have cleared any and all arp caches on host, firewall, switch yet I still can't ping.

I would add that I have 2 of these rogue IPs on 2 different servers.

Suggestions welcome!



Friday, November 12, 2021

Amber light on an Aruba CX 6300 stack

Say one of the switches in the stack shows an Amber light what could be causing the issue? Could it be a misconfiguration in the stack? Hardware issue, spanning tree issue? Cannot find anything online regarding Aruba switches for this scenario. Only see stuff for Cisco switches.

Thank you.



Wellfleet Breath of Life (BOFL) - any clue what this is?

Hi,

I've been investigating some network issues and playing around with Wireshark in one of our sites. We have Avaya VSP (VOSS) switches running there, and in Wireshark I see a massive spam of packets which Wireshark classifies as „Wellfleet Breath of Life“ (BOFL). No human-readable payload or other useful information. I want to know what this is, but googling is delivering only a very low number of results.

„sensing Protocol“ (maybe PPP?) - from some very old network books. Nothing more - just what the acronym stands for.

Do you guys have any clue what these packets are and how can I disable the spamming of this into my network?



GPON Vendor help

All,

I'm relatively new to GPON and am tasked with helping a service provider find hardware solutions. At their headend today they run Zyxel switches that they want to replace. Sounds like they've landed on Ruckus switches for the head end.

So first my dumb question: Would the Ruckus Switches be considered the OLT? They will be a stack of switches with layer 3 capabilities. Or is the OLT after the Main network switches facing the customer ONT?

If I still need OLT does anyone have any recommendations on hardware that's worked well for you?

Since I'm new to GPON I'm not terribly familiar with the vendors outside Cisco that do this. Looking for recommendations on ONTs and fiber splitters too. Most sites will be around 10 miles away from the CO, and in some cases up to 20 miles. Hoping to start with GPON with upgrade options to 10Gig later on. Any guidance would be appreciated.



Need to learn NX 93ks in 3 months any recommended study materials?

Hey guys, I need to learn a decent amount about 93ks; we will be moving our old Nexus switches over to new 93ks. I'm currently studying for my CCNP ENCOR and am fairly new to the engineering space. Do you have any tips on recommended study material? Just looking for a starting point really; my boss is paying for official courses, but I'm looking for some more material just to build out my knowledge base.



Having trouble understanding bandwidth

https://www.verizon.com/info/definitions/bandwidth/

This link says:

"Bandwidth is often mistaken for internet speed when it's actually the volume of information that can be sent over a connection in a measured amount of time – calculated in megabits per second (Mbps)."

But wouldn't increasing the speed increase the bandwidth as well? For example, if you increase the speed, then X more megabits are able to be sent across the connection.



Cisco ASA 5506x ASDM issue - stuck on "Software update completed" but only on 1 out of 2 devices.

I have an active/standby pair of ASA 5506 running the following software:

firewall1(config)# sh ver

Cisco Adaptive Security Appliance Software Version 9.8(4)20
Firepower Extensible Operating System Version 2.2(2.124)
Device Manager Version 7.13(1)

Compiled on Thu 02-Apr-20 10:19 PDT by builders
System image file is "disk0:/asa984-20-lfbff-k8.SPA"
Config file at boot was "startup-config"

firewall1 up 6 days 0 hours
failover cluster up 5 years 249 days

---------

firewall2# show ver

Cisco Adaptive Security Appliance Software Version 9.8(4)20
Firepower Extensible Operating System Version 2.2(2.124)
Device Manager Version 7.13(1)

Compiled on Thu 02-Apr-20 10:19 PDT by builders
System image file is "disk0:/asa984-20-lfbff-k8.SPA"
Config file at boot was "startup-config"

firewall2 up 1 year 120 days

failover cluster up 5 years 249 days
---------

When firewall1 is active, I am unable to connect to ASDM, but I can connect to ASDM on secondary IP.
When firewall2 is active, I am able to connect to ASDM, but I am unable to connect to ASDM on secondary IP.

The issue is that it always gets stuck on "Software update completed." and will go no further. I have read a number of issues with versions of JRE etc, but I am at a loss of why it would work with only 1 of my firewalls when they are both identical. I have tried removing the local cache folder and even reinstalling ASDM launcher, but same issue persists.

I will be in a position to update the software if this might stop the problem, but again not sure why only 1 machine.

Thanks



What's your on-call rotation like?

Hey networking, tell me about your on-call duties/rotation/frequency/intensity. Trying to get some context outside of the 3 companies I have worked for. I'll go first; once a month, a week at a time, almost guaranteed to get a few middle-of-the-night calls and a few weekend morning/afternoon calls, decent triage/due diligence done beforehand, but a bit of shit slinging too. Only paid when called, regular hourly rate. ~1-5K employees to give you a sense of company size. Been in the game about 8 years.

Cheers



Migrating Cisco switch configs to Aruba CX 6300

Is there documentation that explains how to do the Cisco switch migration to Aruba? Or just general migration documentation? We are planning to migrate the configuration and will be working at a lower level with a big team to help with the migration. I have found some YouTube videos as well but want a detailed document that explains it.

Thank you in advance.



VLAN ACL security - what am I missing here

I have a Netgear M4300 (which might be the biggest issue, we will see). I have the following VLAN config:

1 vlan 1 192.168.1.30 255.255.255.0

2 vlan 2 192.168.2.1 255.255.255.0

My firewall IP is 192.168.1.254 and I have added a static route to 192.168.2.0/24 via 192.168.1.30. This all seems to work as expected as I have a host on 192.168.2.0/24 that I can see from 192.168.1.0/24 and it can see the internet via NAT.

Eventually, what I am trying to do is block access to the VLAN apart from specific hosts/networks to specific hosts/ports in the VLAN. However, before I get there, I am trying to get my head around ACLs on VLANS and I appear to be failing at the first hurdle.

In order to test this, I have applied the following ACL to VLAN 2:

ACL Name: test

Inbound VLAN ID(s): 2

Sequence Number: 10

Action......................................... deny

Match All...................................... False

Protocol....................................... 1(icmp)

Source IP Address.............................. 192.168.1.195

Source IP Wildcard Mask........................ 0.0.0.0

Destination IP Address......................... 0.0.0.0

Destination IP Wildcard Mask................... 0.0.0.0

ACL Hit Count.................................. 0

Sequence Number: 20

Action......................................... permit

Match All...................................... TRUE

ACL Hit Count.................................. 7395

However, I can still ping 192.168.2.65 from 192.168.1.195. Even if I modify the ACL and add the DENY on 192.168.1.0/24, I can still ping 192.168.2.65.

What am I missing here, apart from a decent level of knowledge of how this all works? I feel this should be easy to do, yet it does not work. I want to be able to apply an ACL as described above, but if this doesn't work, I'm dead in the water.

Suggestions?

Thanks
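The ACL above can be run through a small evaluator to see which packets of the ping test it actually gets to look at. This is an added example, not code from the post or from Netgear. It assumes that "Inbound VLAN ID 2" means the ACL is checked on frames entering the switch from ports in VLAN 2, which is the usual meaning for VLAN ACLs: the echo request from 192.168.1.195 enters on VLAN 1 and is routed, so only the echo reply from 192.168.2.65 ever enters on VLAN 2. The sequence-10 destination "0.0.0.0 wildcard 0.0.0.0" is treated as "any" here; under strict wildcard semantics it would match only host 0.0.0.0, which on its own would also give a zero hit count.

```python
"""Added example, not from the original post: a small evaluator for
wildcard-mask ACLs bound "inbound" on a VLAN, run against the two packets
of the poster's ping test.

Assumption (not from the page): an ACL with "Inbound VLAN ID 2" is
evaluated on frames entering the switch from VLAN 2 ports. The packets
below are constructed from the addresses in the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(value: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard: a 1 bit in the wildcard means 'don't care'."""
    v, b, w = (int(ipaddress.IPv4Address(x)) for x in (value, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (v & care) == (b & care)


@dataclass
class Rule:
    seq: int
    action: str                      # "permit" or "deny"
    match_all: bool = False          # the "Match All TRUE" catch-all of sequence 20
    protocol: Optional[int] = None   # IP protocol number, 1 = ICMP
    src: str = "any"
    src_wc: str = "0.0.0.0"
    dst: str = "any"                 # the post's 0.0.0.0/0.0.0.0 destination, read as "any"
    dst_wc: str = "0.0.0.0"
    hits: int = 0

    def matches(self, pkt: dict) -> bool:
        if self.match_all:
            return True
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if self.src != "any" and not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if self.dst != "any" and not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return True


class VlanAcl:
    def __init__(self, inbound_vlan: int, rules):
        self.inbound_vlan = inbound_vlan
        self.rules = sorted(rules, key=lambda r: r.seq)

    def evaluate(self, pkt: dict) -> str:
        """Return 'permit', 'deny', or 'not-evaluated' when the packet did not
        enter the switch on the VLAN the ACL is bound to."""
        if pkt["ingress_vlan"] != self.inbound_vlan:
            return "not-evaluated"
        for rule in self.rules:
            if rule.matches(pkt):
                rule.hits += 1
                return rule.action
        return "deny"   # implicit deny at the end of every ACL


def post_rules():
    """The two entries shown in the post's ACL 'test'."""
    return [
        Rule(seq=10, action="deny", protocol=1, src="192.168.1.195", src_wc="0.0.0.0"),
        Rule(seq=20, action="permit", match_all=True),
    ]


# Constructed packets of the ping from 192.168.1.195 to 192.168.2.65.
ECHO_REQUEST = {"ingress_vlan": 1, "proto": 1, "src": "192.168.1.195", "dst": "192.168.2.65"}
ECHO_REPLY = {"ingress_vlan": 2, "proto": 1, "src": "192.168.2.65", "dst": "192.168.1.195"}


def simulate_post_scenario() -> dict:
    """Run both packets through the ACL as bound in the post (inbound VLAN 2),
    then through the same rules bound inbound on VLAN 1 for comparison."""
    acl_vlan2 = VlanAcl(2, post_rules())
    result = {
        "request_on_vlan2_acl": acl_vlan2.evaluate(ECHO_REQUEST),
        "reply_on_vlan2_acl": acl_vlan2.evaluate(ECHO_REPLY),
    }
    result["seq10_hits"] = acl_vlan2.rules[0].hits
    result["seq20_hits"] = acl_vlan2.rules[1].hits
    acl_vlan1 = VlanAcl(1, post_rules())
    result["request_on_vlan1_acl"] = acl_vlan1.evaluate(ECHO_REQUEST)
    return result


if __name__ == "__main__":
    for key, value in simulate_post_scenario().items():
        print(f"{key:24} {value}")
```

Under that model the request is never evaluated by the VLAN 2 ACL, the reply hits only the sequence-20 catch-all, and sequence 10 stays at zero, which is consistent with the hit counters in the post. The same deny bound inbound on VLAN 1 (where the request enters) does block it, so a filter meant to keep specific sources out of a VLAN belongs on the ingress side of the traffic, not the VLAN being protected, unless the platform offers a routed or egress filter.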



Cisco ASA Anyconnect DHCP

Hi Folks,

I have one AnyConnect tunnel running on my ASA and have external DHCP for it.

I need to configure a second AnyConnect tunnel due to some requirements, but I don't need a new scope.

I know that with an address pool on the ASA we can use the same one for multiple tunnel groups.

Based on how TCP and DHCP work, I should be fine using the same DHCP scope for 2 tunnels? I haven't seen any limitation or possible conflict.

group-policy grp-tunnel-1 attributes
 dhcp-network-scope 10.10.0.0
group-policy grp-tunnel-2 attributes
 dhcp-network-scope 10.10.0.0
tunnel-group tunnel-1 general-attributes
 dhcp-server 10.0.5.1
tunnel-group tunnel-2 general-attributes
 dhcp-server 10.0.5.1

In the future we are going to migrate it to the ASA and not use external DHCP.

Thanks.



Experiences of DrayTek Vigor 3910

I'm looking for a router/firewall device for a shared office environment. I will deploy a number of switches and APs with up to 30 VLANs with different companies running desktops, laptops, phones, printers etc.

I have a 500Mb connection that I want to use with a 4G modem (active/passive) and provide Internet access to these companies whilst having good control and reporting on the utilisation. For example, a company may choose to have 100Mb dedicated. I would want to be able to report on top talkers, live stats of bandwidth usage/sites per device / VLAN.

Has anyone experience with the 3910 or can suggest similar products that I should also look at.

Ta



Newb Question - VLANs with same subnet?

Curious if I can assign a virtual IP range to a VLAN, almost like putting a VLAN behind a VPN/NAT? I would like overlapping subnets to exist on the same network.

Example: Internal soundmasking 192.168.100.0/24 network on its own switch - d/c from the rest of the network. Then maybe we also have the IP phone system on 192.168.100.0/24 that is connected to the rest of the network.

I want to add the soundmasking into the rest of the network, without having to change its subnet.

Thinking I can set up a new VLAN / tagged port on my main switch (HPE/Aruba L3 stack) to connect the soundmasking switch to, then set something up in the switch or router to tie that VLAN to another IP range, say 192.168.200.0/24.

So if I send data to 192.168.200.1, it would be forwarded to 192.168.100.1 on that VLAN? And conversely, data sent out of that port/VLAN from 192.168.100.1 would look like it's being sent from 192.168.200.1?

If you guys can point me in the right direction? I can usually figure things out but in this case I'm not even sure what to search for / what to read up on?
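The rewriting described in the post (192.168.200.x on the main network, 192.168.100.x on the isolated segment, host bits preserved in both directions) is what a 1:1 prefix NAT does; on Linux it is the NETMAP target, and most firewalls call it static or 1:1 NAT. The following is an added example that models that translation in Python; it is not HPE/Aruba configuration and not code from the post. The two prefixes come from the post, the packet flow is constructed.

```python
"""Added example, not from the original post: the address rewriting of a
1:1 prefix NAT (Linux NETMAP, "static NAT" / "1:1 NAT" elsewhere) that
lets an overlapping 192.168.100.0/24 segment be reached through the alias
range 192.168.200.0/24.

Prefixes are the ones from the post; the packet flow is constructed.
"""
import ipaddress

ALIAS_NET = "192.168.200.0/24"   # what the rest of the network addresses
REAL_NET = "192.168.100.0/24"    # the isolated segment's real addressing


def netmap(addr: str, src_cidr: str, dst_cidr: str) -> str:
    """Rewrite addr from src_cidr into dst_cidr, keeping the host bits."""
    src_net = ipaddress.ip_network(src_cidr)
    dst_net = ipaddress.ip_network(dst_cidr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NAT needs prefixes of equal length")
    ip = ipaddress.ip_address(addr)
    if ip not in src_net:
        raise ValueError(f"{ip} is not inside {src_net}")
    host_bits = int(ip) - int(src_net.network_address)
    return str(dst_net.network_address + host_bits)


def forward_to_segment(src: str, dst: str):
    """Packet from the main network to an alias address: the destination is
    rewritten before routing (DNAT); the source is left alone."""
    return src, netmap(dst, ALIAS_NET, REAL_NET)


def reply_from_segment(src: str, dst: str):
    """Reply leaving the segment: the source is rewritten after routing (SNAT)
    so the main network only ever sees the alias range."""
    return netmap(src, REAL_NET, ALIAS_NET), dst


def trace_ping(main_host: str, alias_target: str) -> dict:
    """Follow one request/reply pair through the translator and return the
    (src, dst) pair as seen on each side of it."""
    req_main = (main_host, alias_target)
    req_seg = forward_to_segment(*req_main)
    rep_seg = (req_seg[1], req_seg[0])        # the real host answers the real source
    rep_main = reply_from_segment(*rep_seg)
    return {
        "request_main_side": req_main,
        "request_segment_side": req_seg,
        "reply_segment_side": rep_seg,
        "reply_main_side": rep_main,
    }


if __name__ == "__main__":
    for step, (src, dst) in trace_ping("192.168.1.25", "192.168.200.1").items():
        print(f"{step:22} {src} -> {dst}")
```

Two practical caveats follow from the model: the segment's hosts still need a route back to the main network (the reply's destination 192.168.1.25 is untouched), and any application that embeds its own IP address in the payload, which IP phone systems often do for signalling and media, will advertise the 192.168.100.x address and break unless the NAT device understands that protocol.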



HPE 561FLR-T vs 562FLR-T - Which card?

I have 2 HPE DL360 Gen10 servers that I'd like to put 10Gbps cards in.

I guess I'll get the obvious out of the way: will the 561FLR-T be compatible for use in Gen10 servers? I've seen datasheets, but it being an older card, I can never tell if they're updated to include/exclude future models.

If the answer is 'Yes, they will work', is there a benefit to spending 4-5x more for the 562FLR-T?

Thank you.



Office internet connections - how do you monitor them properly in 2021?

In the last couple of years, many businesses have switched out to using more and more cloud services. For my company this came down to pretty much all infrastructure getting moved to the cloud. People check e-mails via office.com, have meetings via zoom and developers VPN into the virtual appliance running in AWS to access their test environments.

This means that when we get back to the office, the network there has to be basically an internet cafe. But the business does rely on that internet link for pretty much everything. Yes, I have dual internet connections in offices, but right now the only monitoring that's happening is RPM probes that ping some common IPs, and if there are too many failures the internet link gets switched over to the other one. This is hardly sufficient for today's world.

So my question is - how do you guys monitor the internet connection to all the cloud services and make routing decisions based on that? For example, I could use something like ThousandEyes, have 2 instances pinned to different internet links and monitor connectivity through it via all of their built-in tests that can cover all the cloud services I care about. I could write a script that would trigger route failover based on the tests from 1k eyes, but as far as I am aware I'd need to be able to reach the 1k eyes website to get the data that the link is down - which is kind of hard to do when your internet is down. I guess I could do it from a known IP on the internet directly to the working WAN IP, but that seems a bit like a hack.

Are there other products that can do similar things? Or maybe even open source projects? I am also open to looking at some other vendors for WAN connectivity, not that I mind the Juniper SRX that I have now, but making internet failover and monitoring as easy as possible would save me from lots of headaches...



Can large companies with millions of servers and VMs (like Microsoft Facebook Google or Amazon) run out of private ip addresses?

The 10.0.0.0/24 address space has 16777216 IP addresses available. Azure says it has nearly 4M servers, and who knows how many VMs are there. Same goes for Google and Facebook.

And the 192.168.0.0/16 has a little more than 65k addresses, which can be easily used up by these companies, quite possibly in a single region.



Question Regarding Industrial Grade Switches

Good morning all,

I am not sure if anyone on here has ever used products from a vendor called ORing/Rugged Science. I am a network engineer specializing in industrial grade architecture and related devices, and I am trying to find information on using third-party (StarTech) RJ45 SFP 1Gig transceivers with their switches.

Whenever I slot them in, I get link lights but no traffic is flowing between the two devices. I have used the web GUI to force port speed on the switch but still no dice.

I have used the "secret" command on cisco switches before to allow third party SFP hardware to work and am wondering if there is something similar I can do on the ORing Switches.

I am using an ORing IGPS-9084GP Industrial Grade Switch if that helps.

Cheers!



Network Lab on a Linux Box using Vagrant

The last time I was messing about with labs I was using Vagrant with VirtualBox and some Juniper virtual routers. I was using Vagrant because it can all be set up from the CLI, as I want to host this on a Linux box.

Just wondering what the current trend is, has Vagrant been replaced by something better?



LINUX BONDING AND LACP ON DELL SWITCHES

As a noobie in networking I have a question. I have 2 Proxmox nodes, using mode 4 of the Linux bonding (802.3ad), connected to two non-stacked Dell switches (S4048) using an LACP port channel. This was an early implementation for failover. Now I want to combine the bandwidth for the interfaces and I'm wondering what's the best approach: to stack the switches and continue using mode 4, or can I use mode 0 Linux bonding combined with the Dell switches?



Can you use DDNS w/ Static IPs?

Can you use DDNS w/ Static IPs? We currently have a management network where we connect our iLO/iDRAC; it uses static IPs. The issue is we have people who build the servers and get everything set up, but then sometimes forget to get a DNS entry for the management interface. No one notices the issue till there is a problem with the server...

I searched Google and I see a lot of use cases for DDNS w/ a dynamic IP, though I saw nothing for static. I am curious if it can be leveraged with a static IP to remove a step from the process, as well as make sure we don't run into an outage w/o knowing how to access the server's console.

I am not a networking SME, though the networking engineers I am working with on this don't speak the same language, and Google Translate doesn't always work that well on these types of topics. I see them talking about DHCP and we currently use static IPs, hence why I am wondering if there is a limitation.



Port calculator for new sites

What do you guys use for calculating ports for new office builds? We pretty much use an excel template for this but wondering if there are other efficient/cleaner ways.



Automatic configuration of Port/VLAN and client by MAC address

Hey guys,

I would like to achieve the following:

If a known host (identified by MAC address) is connected to any switch within the company network, the corresponding port should be configured automatically (assigned to a specific VLAN). At the same time, the host should automatically be assigned a defined IP address. If the host is unknown, it should end up in a prison guest VLAN.

While doing research, I stumbled upon 802.1x. But if I understand correctly, it only works in conjunction with a DC. We have a large number of hosts that aren't members of the domain so I'm not sure whether this is the right way to go.

I know that there is DHCP MAC binding. But I would like to avoid having to configure the one thing here and the one thing there... A central way to define VLANs and IP addresses based on MAC addresses would be my dream.

Is there such a thing? If so, which keywords do I need to delve deeper into the subject?

Thanks a lot in advance!

PS: The security aspect is secondary.



Thousands but ONE PROBLEM

Hey guys,

Our company is moving to a different location and in a few weeks our Users network is going to be up and running.

My manager told me we have a new problem:

When the time comes and the technicians connect each device (PCs, printers, IP phones and more) to the dedicated switch on the floor, we will need to configure a dedicated VLAN for each department.

The problem arises when you realise we are talking about thousands of devices and 40 different VLANs.

I just started learning Python this week and my skills are not sharp enough to build a script or something... also my job in the company is temporary for this project, and maybe if I provide a good practical solution they will give me a place in the team, which is my goal.

If you guys have a solution or maybe a script you used before so I could modify I will really appreciate it <3

Thanks
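One practical shape for the script the poster is after is a generator: the technicians record which device went into which switch port, a table maps departments to VLANs, and the per-port configuration is produced from those two inputs instead of being typed port by port. The following is an added example, not code from the post; the inventory CSV, the department-to-VLAN numbers and the Cisco IOS-style command syntax are all constructed, since the poster's switch vendor and real VLAN numbers are not on the page.

```python
"""Added example, not from the original post: generate per-switch
port/VLAN configuration from a device inventory so that per-department
VLAN assignment scales to thousands of ports.

The CSV inventory, the department-to-VLAN table and the Cisco IOS-style
command syntax are constructed for this example.
"""
import csv
import io
from collections import defaultdict

# Constructed department -> VLAN table (hypothetical numbers).
VLAN_BY_DEPARTMENT = {
    "finance": 110,
    "hr": 120,
    "engineering": 130,
    "voice": 200,   # IP phones
}

# Constructed inventory as technicians would record it while patching.
# The last two rows are deliberately bad: a port used twice, and an
# unknown department.
SAMPLE_INVENTORY = """switch,port,device,department
sw-floor3-1,Gi1/0/1,PC-FIN-001,finance
sw-floor3-1,Gi1/0/2,PRN-HR-01,hr
sw-floor3-1,Gi1/0/3,PHONE-ENG-007,voice
sw-floor3-2,Gi1/0/1,PC-ENG-042,engineering
sw-floor3-2,Gi1/0/1,PC-ENG-043,engineering
sw-floor3-2,Gi1/0/2,PC-MKT-001,marketing
"""


def generate_configs(inventory_csv: str, vlan_map=VLAN_BY_DEPARTMENT):
    """Return (configs, errors). configs maps switch name -> list of config
    lines; errors lists rows that were skipped (duplicate port, unknown
    department) so nothing is silently misconfigured."""
    configs = defaultdict(list)
    errors = []
    seen_ports = set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        switch, port, device = row["switch"], row["port"], row["device"]
        dept = row["department"].strip().lower()
        if (switch, port) in seen_ports:
            errors.append(f"{switch} {port}: already assigned, skipping {device}")
            continue
        if dept not in vlan_map:
            errors.append(f"{switch} {port}: unknown department '{dept}' for {device}")
            continue
        seen_ports.add((switch, port))
        configs[switch].extend([
            f"interface {port}",
            f" description {device} ({dept})",
            " switchport mode access",
            f" switchport access vlan {vlan_map[dept]}",
            " spanning-tree portfast",
            "!",
        ])
    return dict(configs), errors


def render(configs) -> str:
    """Join the per-switch blocks into one reviewable text, one section per switch."""
    sections = []
    for switch in sorted(configs):
        sections.append(f"! ---- {switch} ----")
        sections.extend(configs[switch])
    return "\n".join(sections)


if __name__ == "__main__":
    configs, errors = generate_configs(SAMPLE_INVENTORY)
    print(render(configs))
    for err in errors:
        print("ERROR:", err)
```

The generated text is meant to be reviewed and then pasted or pushed per switch; the errors list is the important part at the poster's scale, because a thousand-row spreadsheet will contain duplicate ports and misspelled departments, and a generator that refuses those rows is safer than one that guesses.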



Duo 2FA messing up my GPO settings

I’m a long time sysadmin with RDS systems.

A client now decided to add duo for user authentication.

The issue is that in my dev lab, my RDS server works and works well.

Dev user can logon no issues and use applications.

I have now installed Duo and configured it. After doing this dev users start getting this error message.

https://prnt.sc/1z7o5z6

As soon as I remove Duo my dev users can successfully login to their rdp sessions.

I know my gpo and security policies for “logon locally” and “allow logon through remote desktop” are properly configured.

How can I fix this, and what is causing Duo to bugger up my systems like this?



Cisco Nexus Switch 5548UP

Hi Everyone,

I was wondering if someone can help me, I'm working on an environment with a Cisco Nexus Switch 5548UP.

Can someone please guide me on what the procedure would be to log into the Cisco Nexus Switch.

What type of cable would I need and which port should I plug the cable into?

I would be really grateful for any assistance.

Thank you



Alternative to DC ToR switches instead of Cisco FEX solution

Hello,

Currently we're using a Cisco Nexus solution with FEX ToR switches in every rack (called top of the rack). It helps to save cabling etc. But for a few years now the Cisco FEX solution has been deprecated, and instead of them they're offering to buy Nexus switches.

I'm curious what other companies are using? Is there anything similar and comfortable like the Cisco Nexus with FEX DC solutions?

Thanks



QoS general questions

Am I right in thinking QoS only becomes relevant if there is congestion?

I.e. if traffic levels are below what the physical interface is capable of (or below the shaper if using that) then everything is forwarded at line speed anyway.

Thanks!



Thursday, November 11, 2021

Device isolation exclusions failing on Cambium APs

I have a network with a bunch of Cambium cnPilot e410 APs controlled by the cnMaestro cloud controller. They are running version 4.2.1-r12.

We have 2 WLANs set up, 1 for internal use, and one for guest access. The guest access WLAN has client isolation turned on and set to Network Wide. It is also on its own VLAN.

We need to allow a couple of wireless printers on the guest wlan. I added their MAC addresses to the client isolation list but they are still not accessible on that wlan. I have made sure they are on the correct wlan and connected. They do both show an IP address and gateway address that is correct for that wlan. I'm not sure what I'm doing wrong here.

For troubleshooting, I turned off client isolation and the printers were immediately available. They are also available from the internal wlan almost any time. Turning the isolation back on, the printers are once again inaccessible. Am I missing something?



beta testers needed for ebpf-based k8s network monitoring agent

Hey all,

I'm a PM for Kentik-- we build network observability tools. My team has completed work on an MVP of an eBPF-based daemonset/agent that builds flow logs from the network conversations within and between nodes in a k8s cluster. The agent aggregates these flow logs and then annotates them with k8s metadata, container and process metadata as well as network performance metrics. Then it ships the logs off to Kentik's SaaS portal for visualizations, UI/API reporting etc.

We're looking for a few organizations that might find value in this kind of solution and thus would be willing to kick the tires with us a bit. The software is actually pretty baked for an MVP-- it's tested at huge scale and is already decently documented.

Participants will get cool Kentik tee shirts, some free K8s traffic monitoring (for the duration of our beta program), and obviously get to exert significant influence on the product roadmap.

If you're interested, please email me at drohan -[at]- kentik.com or DM me. Hope you'll consider it!

Dan



Any reason the Mellanox SN2700 32x100G switch is much cheaper to buy 2nd hand compared to other competitor switches?

Long story short, I'm working with a very small office (about 4/5 workstation PCs total) and we can benefit from a 100G switch in the future with our workloads (with PCI 4 and 5, storage speeds are. I'm looking at 2nd hand switches and the Mellanox SN2700 has a lot of availability right now and is relatively well-priced (about 2000 for 32 ports of 100G with their Spectrum ASIC). Anything 2nd hand from eBay with >8 100G QSFP28 ports seems to often be at least double or triple the price. I'm fairly familiar with MLNX-OS but not yet with Cumulus, so I'm wondering...

Is there something I'm missing here or is this a pretty good deal? Why are the Mellanox SN2700 switches so much cheaper compared to Arista / Cisco / Juniper 2nd hand switches?



None of the Windows nodes in EVE-ng get a DHCP address

Hello!

I am not following why the Windows 10 nodes I've uploaded in EVE-ng are not picking up an IP address from my DHCP pool when the EVE-ng VM's network in VMware Workstation 16 is in Bridged mode. Even if I put a static IP address, I cannot ping it, and the Windows 10 NIC displays "Unidentified Network" with no communication. Help, please!

Thanks!



I need to create a guest WiFi network for our small office. Which is better: an AP or another wireless router connected into our main wireless ISP router?

Unfortunately, our ISP-provided wireless router does not support a segmented guest wireless network. However, we’d like to get one set up.

I am thinking an AP (plugged into the main wireless router) is the most logical solution for our clients to connect to a guest wireless network without connecting to any of our internal systems.

Could someone confirm if this is possible? Are there any recommended APs that we can configure from a dashboard that only lets them surf the internet?

Thank you in advance!



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Use cases for flow analytics using SFLOW/Netflow/IPFIX

Can I request the community to provide some thoughts on WHY they use flow analytics features in the network. I understand what the various leading products in this space can do, but I am curious to hear from actual network operators what they actually use it for? Is it the visibility of top applications or users? Is it identifying malicious flows? Does anyone use flow analytics for troubleshooting endpoint connectivity - for example, if an employee is having connectivity or performance issues? Basically trying to separate the marketing fluff from vendors and what it really gets used for.



Spectrum Business installed a router between the modem and our router, claiming it's required for a static IP.

We're using a Ubiquiti Dream Machine router, but when we upgraded our internet speed, Spectrum installed a router between the cable modem and our router. Our internet still functions, but we do have some strange delays, and some SaaS providers are blaming our internet for connection issues.

Spectrum said this router was required to maintain a static IP address.

The modem plugs into the WAN port on their router, and then a cable runs from port1 on their router, to our router's WAN port.

Our router IP is 192.168.1.1, which I read was the default for theirs.

  1. Does that wiring sound correct?
    I wasn't sure if their router should be plugged into our routers WAN port or just a regular port.
  2. Is there a way to access their router's WebGUI from a PC connected to our router?
    I'm not sure of its IP address. I want to at least disable its wifi networks.

Thanks for the help.



Load balancing a domain name according to geolocation

I have a domain name.
I have a VPS with, of course, an IPv4 address. It serves a web app with an API.
I have set the DNS with the IP via https://domains.google.com/
The problem is that users from all over the world may have latency due to their geolocation.
So I would like to install my app on another VPS hosted in the USA.
Then, as a personal user (not professional), can we set up DNS load balancing according to the user's geolocation?



Cisco 9300

Hi - we are looking at a large refresh next year of 3850s. I am checking out the 9300s now. Any pros and cons for this switch? I am also looking at Juniper EX4300. Has anyone compared the two? Is there a clear winner?



Layer 3 Leaf/Spine without overlay network controller?

Hi,

We are redesigning our network architecture for new locations, and we were thinking about going with a layer 3 leaf/spine fabric design. However, we have some constraints which I believe will become pain points for us.

Notably, we are looking at using VMware NSX-T as the overlay network. This will work for most of our traffic, but some of our traffic will still need to be VLAN-only. Because we will be using VMware NSX-T already, we aren't too keen on also going with ACI, as this would represent extra costs for us with little benefits.

However, judging by the fact that some of the traffic will not be encapsulated in VXLAN, and that these VLANs may spread across multiple leaf pairs on a single site, we need a way to allow "layer 2" communication between these leaf switches. We also need to support multi-tenancy via VRFs.

To that end, I was thinking about building an EVPN mesh across the leaf switches. My main concern regarding that is manageability (how hard is it to manage without an overlay controller) and compatibility with VMware NSX-T (can the Geneve traffic be encapsulated in VXLAN?)

Does anyone have experience with a similar setup? Are we headed for a world of pain? Should we just stick to good ol' spanning-tree?



A survey of AQM and fq_codel in enterprise bufferbloat battles

I am curious as to what extent awareness and mitigations for the bufferbloat problem(s) have made it into enterprise gear? I'm aware of efforts in P4 for fq_codel, fq_codel being the default for most Linuxes now, of the AFD algorithm in Cisco's gear, Comcast's full rollout of DOCSIS-PIE on their CMTSes ( https://arxiv.org/pdf/2107.13968.pdf ) during the covid crisis, experiments with L4S/DCTCP and SCE in the IETF, middleboxes such as LibreQoS and Preseem, other server fixes like the adoption of TCP_NOTSENT_LOWWAT in Apache Traffic Server recently...

In particular I'd like to learn of any offload efforts or improvements being deployed at head-ends of any sort, and at overcongested interconnects. I'd also love to learn of a Cisco AFD deployment story.

Is anyone tracking ECN usage, also?



Can InfiniBand go through a trunk?

Hi all. I'm not too versed on InfiniBand. But are there generic optics or anything for it? Can I send the signal through an MTP patch panel, pick it up on the other side and into an InfiniBand switch without any problem?



Industrial research on networking

Hi all,

I’m currently doing a uni assignment on a made up network and need to compare the Aruba 6300 v the Cisco 2900.

I’ve not much experience in networking so was wondering if these are suitable to compare with each other and what in particular is worth comparing as selling points ? Any advice is greatly appreciated



Trying to swap from EIGRP/VRFs to VxLAN

My current work setup utilises EIGRP and VRFs for layer 3 routing utilising SVI's.... I am currently investigating the feasibility of switching this setup to using VxLAN.

The biggest thing that I'm questioning is that every single tutorial or piece of information on VxLAN says to use spine-leaf exclusively which my setup does not... We have a collapsed design with a number of "core" switches leading to access switches - but not all core switches connect to all access (ie- not spine-leaf).

Can I achieve this using VxLAN without having a spine-leaf topology?

I can provide more information if required, writing this out quickly before getting up for the day.



Networking + Linux career tips?

Hi all,

I moved into networking as a career about half a year ago and things are looking good. I'm currently working in a NOC with prospects of moving to the 2nd line of support soon. I've got my CCNA, JNCIA scheduled at the end of the month, and I'm studying select topics from ENCOR as they appear in my work.

I also have a lot of hobbyist experience with Linux and could pass RHCSA within a month if I could carve out an hour or two every day for studying and labbing. I would love to use and expand that knowledge in my work, but, unfortunately, things are heavily siloed in my company. Unix and Wintel people know nothing about the network, we know nothing about their servers (this also means that anything more complicated requires a time-consuming bridge call).

In your experience, are there jobs where this particular combination of skills is needed and valued?



LibreNMS integration with Oxidized

I'm not too familiar with ruby so I'm having trouble interpreting what this error requires of me.

oxidized@librenms:~$ oxidized
SSL_connect returned=1 errno=0 state=error: certificate verify failed (unspecified certificate verification error)
Traceback (most recent call last):
        20: from /usr/local/bin/oxidized:23:in `<main>'
        19: from /usr/local/bin/oxidized:23:in `load'
        18: from /var/lib/gems/2.7.0/gems/oxidized-0.28.0/bin/oxidized:8:in `<top (required)>'
        17: from /var/lib/gems/2.7.0/gems/oxidized-0.28.0/lib/oxidized/cli.rb:13:in `run'
        16: from /var/lib/gems/2.7.0/gems/oxidized-0.28.0/lib/oxidized/core.rb:4:in `new'
        15: from /var/lib/gems/2.7.0/gems/oxidized-0.28.0/lib/oxidized/core.rb:4:in `new'
        14: from /var/lib/gems/2.7.0/gems/oxidized-0.28.0/lib/oxidized/core.rb:14:in `initialize'
        13: from /var/lib/gems/2.7.0/gems/oxidized-0.28.0/lib/oxidized/core.rb:14:in `new'
        12: from /var/lib/gems/2.7.0/gems/oxidized-0.28.0/lib/oxidized/nodes.rb:125:in `initialize'
        11: from /var/lib/gems/2.7.0/gems/oxidized-0.28.0/lib/oxidized/nodes.rb:10:in `load'
        10: from /var/lib/gems/2.7.0/gems/oxidized-0.28.0/lib/oxidized/nodes.rb:130:in `with_lock'
         9: from /var/lib/gems/2.7.0/gems/oxidized-0.28.0/lib/oxidized/nodes.rb:130:in `synchronize'
         8: from /var/lib/gems/2.7.0/gems/oxidized-0.28.0/lib/oxidized/nodes.rb:15:in `block in load'
         7: from /var/lib/gems/2.7.0/gems/oxidized-0.28.0/lib/oxidized/source/http.rb:21:in `load'
         6: from /var/lib/gems/2.7.0/gems/oxidized-0.28.0/lib/oxidized/source/http.rb:74:in `read_http'
         5: from /usr/lib/ruby/2.7.0/net/http.rb:1483:in `request'
         4: from /usr/lib/ruby/2.7.0/net/http.rb:932:in `start'
         3: from /usr/lib/ruby/2.7.0/net/http.rb:943:in `do_start'
         2: from /usr/lib/ruby/2.7.0/net/http.rb:1009:in `connect'
         1: from /usr/lib/ruby/2.7.0/net/protocol.rb:44:in `ssl_socket_connect'
/usr/lib/ruby/2.7.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unspecified certificate verification error) (OpenSSL::SSL::SSLError)

oxidized@librenms:~$ curl -Lks 'https://git.io/rg-ssl' | ruby
Here's your Ruby and OpenSSL environment:

Ruby:           2.7.0p0 (2019-12-25 revision 647ee6f091eafcce70ffb75ddf7e121e192ab217) [x86_64-linux-gnu]
RubyGems:       3.1.2
Bundler:        2.1.2
Compiled with:  OpenSSL 1.1.1f  31 Mar 2020
Loaded version: OpenSSL 1.1.1f  31 Mar 2020
SSL_CERT_FILE:  /usr/lib/ssl/cert.pem
SSL_CERT_DIR:   /usr/lib/ssl/certs

With that out of the way, let's see if you can connect to rubygems.org...

Bundler connection to rubygems.org:       success ✅
RubyGems connection to rubygems.org:      success ✅
Ruby net/http connection to rubygems.org: success ✅

Hooray! This Ruby can connect to rubygems.org. You are all set to use Bundler and RubyGems.

Your guidance would be highly appreciated.



CUCM - SIP Trunk with password auth.

Good day everyone,

I am trying to connect CUCM to a SIP trunk provider which is using password authentication. After a little googling it looks like password authentication is only supported with certain IOS routers running CUBE (not exactly sure).

For Plan B considering deploying Asterisk between CUCM and SIP Trunk, maybe it will work.

If some of you had such case what options are there ?



How to check the full Internet speed of a network I'm connected to?

I am in a hotel and I am connected to their network. Their download and upload speed are both limited to around 3 Mbps. How do I know the full speed of their Internet subscription?



VLAN or Voice VLAN for VoIP network

Good day good folks.

So our office is upgrading a decade old infrastructure and moving from completely unmanaged networking and traditional telephony to managed network and IP Telephony. We have two Dell PowerConnect 5400 series switches that are going to be installed in the lower and upper floor. There will be 3 VLANS - one for main network (workstations, printers, NAS, etc), one for IP cameras security system and one for IP Telephony/VoIP. The Dell switches provide two options; VLAN and Voice VLAN. As per my understanding, Voice VLAN is useful when you want to prioritize voice packets over data packets when using the same trunk (PC --> IP Phone --> Switch). But in our setup, all our IP Phones are going to be installed on separate port each and no PC will be connecting to the IP Phones. So my question is should I still use Voice VLAN for the IP Phone subnet or just simply a normal VLAN as our Phones and Workstations are on different ports each. Thanks.



Wednesday, November 10, 2021

Firewall for medium sized business (40 users)

Hi all, I’m on the lookout for a reliable firewall router for a small/medium sized business. We have approximately 40 computers, and 20 VOIP phones. Looking for something max £300/£400 ($500), and something straightforward to manage that doesn’t need an ongoing subscription.

Can anyone recommend anything?

Many thanks

Tom



SFTP network cable

Hey y’all. We just ran 700ft of cable. 200 of it, we can’t get working yet. Even when we run toner signals through it, the signal is weak at best.

I did some digging and found that the 200 that isn’t working is SFTP cable instead of regular shielded cable. There’s foil on foil on foil…

Am I missing something in the punch down or wiring process? We have regular Cat6 keystone jacks we are using for the wall plates.

Halp? Thanks in advance!



Networking Setup question

I wanted to get a sanity check to make sure I am not missing something for a network config.

My ISP put their connection on the outside of my building and all the Cat cables are run to a network box on the outside. Everything is in a secure box so I am not too worried about someone plugging directly into my gear. There is only one run from the ISP box to the closet where my MX is living, and the only place that would be better is outside in the ISP box. This is the only way I could think of, without pulling new cable, to get an Ethernet run to other rooms.

I have my ISP going to a SG-350 and the port configs are as follows

GE1 Access VLAN2

GE 2 Untagged VLAN2 Tagged VLAN1

GE 3 -10 Access VLAN1

MX68W Port Config

Loop out from GE3 Trunk Untagged VLAN2, Tagged VLAN1

GE2 Access VLAN 2 to Internet IN

GE 4-6 Access VLAN1

Is there anything I should be aware of on a security side of things having a switch on a public facing network? Management is accessible via my LAN. I don't think I am missing anything but always better to check.



Electrical Components of Network Circuitry

I'm looking to do some deeper digging into how networks operate and how electrical engineering factors into network engineering. Are there any books that go into the science behind how electricity traverses a data communication circuit? I suppose books that cover the physics end of it would be just as important.

Every book I've come across covers the physical layer briefly but doesn't delve deeper. I could tell you all the basics about how a T1 operates and how the twists per inch affect performance in Cat5 and 6 cables but I want to know the why.



Software for Dell S4810-ON?

I have 4 Dell S4810-ON switches. They should use open software like Cumulus or LightSwitch, but the current version of Cumulus doesn't support the switch anymore, and LightSwitch doesn't exist anymore. I have been able to install ONL, but it doesn't recognize the interfaces. Can someone provide working software for those switches?



IOS image won’t boot to running config on 3560 switch.

I’ve saved my config. I’ve made sure the boot statement was correct. Reload and the previous image is still running no matter what. I’ve been looking everywhere and can’t find a way to change the register.

It’s currently set to 0xf.



HPE says hackers breached Aruba Central using stolen access key

https://www.bleepingcomputer.com/news/security/hpe-says-hackers-breached-aruba-central-using-stolen-access-key/

Just saw this from a blog, no word from our SE and account managers yet (and we spend millions with them). Have no idea what the extent is of the data breach. We're going to be engaging the SOC to see if there's anything that comes up in our logs. So note for all your central customers. We have a few hundred sites on our central platform.



BGP With Two Routers and Two Uplinks

Hi All,

I'm looking for some advice. Current scenario is an ASR1002-X with BGP config peering to two different handoffs going to the same place (geodiverse paths). One path is "preferred" and the other is a backup. We have our own ASN.

Need to configure the 2nd ASR1002-X for redundancy. The preferred path will be on the first ASR, the backup on the second. How do I configure iBGP for the two routers to talk to each other and honor the preferences? We're just receiving a default route and routes for Internet 2. Any assistance is greatly appreciated!



Question about trunking vs vlan participation

I am in the middle of an epic saga in trying to get the enterprise network that I have inherited back in working order. Members of this community have already been immensely helpful to me in this project. Here's hoping you all can come to my rescue yet again.

I have a ubiquiti edge switch, a layer 2 switch with multiple vlans that *should be* trunked back to a layer 3 core switch. The interface in question that connects to the layer 3 switch is not trunked. The configuration on the interface instead shows:

vlan participation include 10,20,22

vlan tagging 10 (phones)

Will this accomplish the same thing as trunking? I would guess not. Could it be why I cannot ping the SVI gateway for vlan 22 on the layer 3 switch? What is the difference between vlan participation and trunking? How should the port be configured to allow me to use vlans 1,10, 20, 22 on this switch?

Thanks for your help!



Benchmarking an App

Hi All,

My company develops an app that is used on Data primarily - I want to be able to gather the ‘minimum requirements’ and ‘recommended requirements’ in terms of internet speed/latency required in order to have a good experience on the app. What would any of you recommend in order to capture this?

I’m looking for something to start from and understand there are LOTS of variables.

Thanks!



Trying to identify remote BGP peer name

Hi,

I can't find the answer on Google to save my life. I am trying to identify a remote router on a BGP VRF. I know there's a command that will list the names or IDs of the router at the other end of a neighbor adjacency, can someone please remind me?

Thanks



HP IMC default user and password

Just installed HP IMC on a Windows server and it's asking for a username and password.

The install guide says it's admin and admin but it just says incorrect when I enter them.

Can anyone advise what I'm doing wrong please.

Tried http :8080 and https :8443

Thank you.



Android devices get IPV6 address as primary DNS server. No IPV6 dhcp on network (Checked)

Hi all

I am having some trouble trying to resolve local DNS names on the Android Wi-Fi connected devices.

Our installation:
Firewall (that does not provide DHCP): USG310 by Zyxel
Windows 2019 DC with DHCPv4. No IPv6 configured.
Wi-Fi: Ruckus with ZD1200 controller

If I check the data assigned by DHCP:
Gets the IP for our DC server.
Primary DNS1: fe80::250:56ff:febe:f93d%wlan0
DNS2: Primary DC DNS IP
DNS3: Secondary DC DNS IP

Trying to resolve DNS names that are created by us fails randomly, because the Android device first tries to resolve via the Internet DNS before using the internal ones.

Tests already done:

  1. Checked my firewall. No IPv6 configs here.
  2. Checked my DHCP, there is NO IPv6 config at all.
  3. iPhones work fine, they get only the IPv4 local DNS.
  4. Checked for rogue DHCP on the network, nothing shows up.
  5. Connected a Windows laptop (Wi-Fi) with IPv6 enabled, it does not get any v6 config.
  6. Connected a Windows laptop (Wi-Fi and LAN) with ONLY the IPv6 protocol, it does not get any config.
  7. My Ruckus controller does not show any IPv6 configuration involving this protocol.
  8. This kind of IPv6 address looks like only a link-local address, and is not linked to a MAC address to check the origin.
  9. IPv6 is disabled on the Wi-Fi controller...

I'm running out of ideas, any help will be appreciated.
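An added example, not from the post and not tied to the poster's environment: a small decoder for IPv6 link-local addresses whose interface identifier is in modified EUI-64 form (the `ff:fe` in the middle of the low 64 bits). When the identifier has that shape, the MAC of the interface that built the address can be recovered and matched against the switch/controller client tables to find which host is advertising itself as a DNS server; when it does not (privacy or random identifiers), the function says so rather than guessing. The OUI table is a constructed one-entry sample; a real check uses the IEEE OUI registry.

```python
import ipaddress

# Constructed, illustrative OUI subset. Replace with the IEEE OUI registry for real lookups.
OUI_SAMPLE = {
    "00:50:56": "VMware, Inc.",
}


def mac_from_eui64(addr_text):
    """Return the MAC embedded in a modified-EUI-64 interface identifier, or None when the
    identifier is not in that form (privacy/temporary addresses, hand-picked IIDs, etc.)."""
    addr = ipaddress.IPv6Address(addr_text.split("%", 1)[0])   # drop a %wlan0 zone id
    iid = addr.packed[8:]                                      # low 64 bits
    if iid[3:5] != b"\xff\xfe":                                # EUI-64 pads the 48-bit MAC with ff:fe
        return None
    mac = bytearray(iid[0:3] + iid[5:8])
    mac[0] ^= 0x02                                             # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in mac)


def describe(addr_text, oui_table=OUI_SAMPLE):
    """Summarise an IPv6 address seen in a client's DNS list: scope, embedded MAC, vendor."""
    addr = ipaddress.IPv6Address(addr_text.split("%", 1)[0])
    mac = mac_from_eui64(addr_text)
    return {
        "address": str(addr),
        "link_local": addr.is_link_local,       # fe80::/10: can only come from a host on the same segment
        "mac": mac,
        "vendor": oui_table.get(mac[:8]) if mac else None,
    }


if __name__ == "__main__":
    # The address from the post, plus a constructed non-EUI-64 identifier for contrast.
    for a in ("fe80::250:56ff:febe:f93d%wlan0", "fe80::1234:5678:9abc:def0"):
        print(describe(a))
```

A link-local address handed out as a resolver can only have come from a router advertisement (RDNSS option) or DHCPv6 server on the same layer-2 segment as the Wi-Fi clients, so once the MAC is known the next step is the switch MAC table or the controller's client list for that VLAN; if nothing there owns it, watching for ICMPv6 type 134 on the segment (and enabling RA Guard on access ports where the switches support it) is the usual follow-up.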



Network Backup Software

Hey people 👋

I’m looking for a backup tool, to save and manage backup for Juniper, Cisco, Fortigate and more. I also want a tool with a GUI, needs to be installed on a server.

I saw CBackup, but it seems to be a dead project. And it's not available on CentOS 8.

I saw a few more tools, but from old posts.

I would like that tool to be free, as we don’t have a lot of appliances.

(Sorry in advance for my English skills).

Thank you ☺️



Tuesday, November 9, 2021

Help with PoE, online info seems to conflict

I plan on installing 4 PoE cameras. I originally just planned on buying bulk UTP Cat 6A wiring and RJ45 jacks so I can run the wire to the length needed. But I've read many articles that say using UTP wire can be a fire hazard, especially if run through walls and ducts, which quite obviously has to happen. The reason I chose 6A wire is because I figured the size could help with heat dissipation. Is it safe to use this wiring for the cameras? Or do I need to go to F/UTP with a ground? Also, do the products I chose look to be good choices? If I do have to go with a shielded wire, where should I place the grounds and how do I do so?

CAT6A wire -- https://www.amazon.com/dp/B07534S7Q4/ref=cm_sw_r_apan_glt_fabc_AFC1B8TP5697650V55RJ?_encoding=UTF8&psc=1

RJ45 jacks -- https://www.amazon.com/dp/B01LDFV44G/ref=cm_sw_r_apan_glt_fabc_MGTBYVRNN4J4T93R97FQ?_encoding=UTF8&psc=1

https://www.amazon.com/dp/B07Y384VHM/ref=cm_sw_r_apan_glt_fabc_P49W4A9BEQ96KXCG9QP2?_encoding=UTF8&psc=1

Wall plates -- https://www.amazon.com/dp/B003ZZUZ6Q/ref=cm_sw_r_apan_glt_fabc_2WXTZX3HH98JDB19YKFM?_encoding=UTF8&psc=1



Issues with routing in BGP Lab

I am building a BGP demonstration lab, with four autonomous systems each with three routers. I am using VyOS for the routing, bringing up the routers with Vagrant and configuring them with Ansible. I have the routers set up and the BGP config somewhat working. I can see all the routes for all of the prefixes, but the actual routing table doesn't update. The next hops for the routes that aren't working are on subnets attached to the neighboring hosts, so it can see the route, it's just not making the connection.

Here is an Imgur album with network diagram, IP/BGP tables, and router configuration. Any help with this is greatly appreciated, I've been trying to get this to work for a few days now and have been tearing my hair out. This is my first time using VyOS, I typically use OPNsense but wanted the script-ability of the VyOS CLI.



MPLS only network VeloCloud Edge activation

Hello all,

This question would be asked already, but I did not find anything about it online.

How do you activate VeloCloud Edge in a MPLS only branch site with no internet link?

Do we have to provision the edge first in the VCO, configure Edge specific settings by creating user-defined overlay, enable Service Reachability in the WAN settings, and then send the activation email along with configuration to the site contact?

because the normal approach shows a "VeloCloud Orchestrator Unreachable" error during activation.

Thank you



Unsolicited TCP:R from upstream ISP device.

I'm hoping to get some insight as to why an upstream ISP device (10.9.0.34) is sending TCP:R to some connections. They are currently being dropped by a stateful firewall.

4911 2021-11-09 22:06:39.282325 MY_WAN_IP PUBLIC_IP TCP 74 22896 → 56184 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=2766267974 TSecr=0 WS=512
4924 2021-11-09 22:06:39.452079 PUBLIC_IP MY_WAN_IP TCP 74 56184 → 22896 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1358 SACK_PERM=1 TSval=2169412418 TSecr=2766267974 WS=128
4925 2021-11-09 22:06:39.452276 MY_WAN_IP PUBLIC_IP TCP 66 22896 → 56184 [ACK] Seq=1 Ack=1 Win=65536 Len=0 TSval=2766268144 TSecr=2169412418
4927 2021-11-09 22:06:39.456919 MY_WAN_IP PUBLIC_IP TCP 285 22896 → 56184 [PSH, ACK] Seq=1 Ack=1 Win=65536 Len=219 TSval=2766268149 TSecr=2169412418
4946 2021-11-09 22:06:39.625135 PUBLIC_IP MY_WAN_IP TCP 66 56184 → 22896 [ACK] Seq=1 Ack=220 Win=65024 Len=0 TSval=2169412592 TSecr=2766268149
4983 2021-11-09 22:06:40.096402 PUBLIC_IP MY_WAN_IP TCP 567 56184 → 22896 [PSH, ACK] Seq=1 Ack=220 Win=65024 Len=501 TSval=2169413058 TSecr=2766268149
4984 2021-11-09 22:06:40.096716 MY_WAN_IP PUBLIC_IP TCP 66 22896 → 56184 [ACK] Seq=220 Ack=502 Win=67072 Len=0 TSval=2766268789 TSecr=2169413058
4985 2021-11-09 22:06:40.101459 MY_WAN_IP PUBLIC_IP TCP 276 22896 → 56184 [PSH, ACK] Seq=220 Ack=502 Win=67072 Len=210 TSval=2766268794 TSecr=2169413058
5017 2021-11-09 22:06:40.269929 PUBLIC_IP MY_WAN_IP TCP 66 56184 → 22896 [ACK] Seq=502 Ack=430 Win=64896 Len=0 TSval=2169413238 TSecr=2766268794
5018 2021-11-09 22:06:40.270163 MY_WAN_IP PUBLIC_IP TCP 134 22896 → 56184 [PSH, ACK] Seq=430 Ack=502 Win=67072 Len=68 TSval=2766268962 TSecr=2169413238
5019 2021-11-09 22:06:40.271118 PUBLIC_IP MY_WAN_IP TCP 66 56184 → 22896 [FIN, ACK] Seq=502 Ack=430 Win=64896 Len=0 TSval=2169413238 TSecr=2766268794
5020 2021-11-09 22:06:40.271295 MY_WAN_IP PUBLIC_IP TCP 66 22896 → 56184 [FIN, ACK] Seq=498 Ack=503 Win=67072 Len=0 TSval=2766268963 TSecr=2169413238
5039 2021-11-09 22:06:40.439240 10.9.0.34 MY_WAN_IP TCP 60 56184 → 22896 [RST] Seq=1 Win=0 Len=0
5041 2021-11-09 22:06:40.443392 PUBLIC_IP MY_WAN_IP TCP 60 56184 → 22896 [RST] Seq=503 Win=0 Len=0


Any thoughts of NBase-T switches as of late 2021?

It seems like it's doable to get some TP-Link or Netgear switches that do 5-10 port 2.5 or 5gbit for a couple hundred each; or spend $2K on full 16/18-port 1/2.5/5/10 units. The environment I support, I can't really see supporting more than 5gbit for most units in the next 2-3 years timeframe; obviously pure-10gbit switches won't work for this setup. Thunderbolt to 10gbit might be an option, but those adapters are $200 a pop! I need 16-24 ports per rack.

Thoughts? Thanks.



Detect IP and port of FAILED outbound requests

Hi all,

We have a managed firewall (a FortiClient device, if that's relevant) with some quite tight restrictions on outbound connections. The problem is we also need to access a number of sites via customer-provided VPNs and/or remote access software. Frequently these aren't let through the firewall, but we can't always see the configuration of where they are trying to go.

Now we can have specific rules added to the firewall to allow them out, but I'm trying to find a tool that can identify outbound requests from my laptop. There are quite a few that can give me the connections that are open at any given time, but I'm after something that somehow captures the intended destination of requests that are failing.

Does such a tool exist, or is my only option the firewall logs themselves (which I don't have direct access to, so it would require continual (paid) calls to the firewall provider)?

Sorry if this is a stupid question - networking is not really my area of expertise.

Thanks
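The two capture questions above (the unsolicited RST from an upstream address, and finding the destination of outbound connections that never complete) are answered by the same kind of flow bookkeeping over a packet capture, so here is one added example covering both. It is not from either post or from any vendor tool: it parses `tshark`-style summary lines, keyed on the local port pair, remembers which remote host each connection was opened to, and then reports (a) RSTs that arrive from an address that was never the peer of that connection and (b) SYNs that got no SYN-ACK (no reply at all, or refused). The sample capture is constructed, modelled on the lines in the RST post with a few extra frames added; `MY_WAN_IP`, `PUBLIC_IP`, 203.0.113.5 and 198.51.100.7 are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the tshark-style lines in the RST post. Frames 6001+ are added
# to show the "failed outbound" cases; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_CAPTURE = """\
4911 22:06:39.282325 MY_WAN_IP PUBLIC_IP TCP 74 22896 → 56184 [SYN] Seq=0 Win=65535 Len=0
4924 22:06:39.452079 PUBLIC_IP MY_WAN_IP TCP 74 56184 → 22896 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
4925 22:06:39.452276 MY_WAN_IP PUBLIC_IP TCP 66 22896 → 56184 [ACK] Seq=1 Ack=1 Win=65536 Len=0
5019 22:06:40.271118 PUBLIC_IP MY_WAN_IP TCP 66 56184 → 22896 [FIN, ACK] Seq=502 Ack=430 Win=64896 Len=0
5020 22:06:40.271295 MY_WAN_IP PUBLIC_IP TCP 66 22896 → 56184 [FIN, ACK] Seq=498 Ack=503 Win=67072 Len=0
5039 22:06:40.439240 10.9.0.34 MY_WAN_IP TCP 60 56184 → 22896 [RST] Seq=1 Win=0 Len=0
5041 22:06:40.443392 PUBLIC_IP MY_WAN_IP TCP 60 56184 → 22896 [RST] Seq=503 Win=0 Len=0
6001 22:07:01.000000 MY_WAN_IP 203.0.113.5 TCP 74 40112 → 443 [SYN] Seq=0 Win=65535 Len=0
6002 22:07:02.000000 MY_WAN_IP 203.0.113.5 TCP 74 40112 → 443 [SYN] Seq=0 Win=65535 Len=0
6010 22:07:03.000000 MY_WAN_IP 198.51.100.7 TCP 74 40113 → 3389 [SYN] Seq=0 Win=65535 Len=0
6011 22:07:03.100000 198.51.100.7 MY_WAN_IP TCP 60 3389 → 40113 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
"""

# frame  time  src  dst  TCP  len  sport → dport [FLAGS] ...
LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<sport>\d+)\s+(?:→|->)\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)


@dataclass
class Packet:
    frame: int
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset


def parse_capture(text):
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-TCP or unparseable line: skip rather than guess
        flags = frozenset(f.strip() for f in m["flags"].split(","))
        packets.append(Packet(int(m["frame"]), m["src"], m["dst"],
                              int(m["sport"]), int(m["dport"]), flags))
    return packets


def analyse(text, local_ip):
    """Return (failed_outbound, injected_resets).

    failed_outbound: {(remote_ip, remote_port): {"syns": n, "reason": "no reply" | "refused"}}
    injected_resets: RSTs on a known connection from an address that was never its peer.
    Flows are keyed on (local_port, remote_port) only; port reuse within one capture is ignored
    to keep the example short."""
    flows, injected = {}, []
    for p in parse_capture(text):
        if p.src == local_ip:
            key, inbound = (p.sport, p.dport), False
        elif p.dst == local_ip:
            key, inbound = (p.dport, p.sport), True
        else:
            continue
        st = flows.get(key)
        if st is None:
            if inbound or "SYN" not in p.flags:
                continue  # no handshake seen from our side for this port pair
            st = flows[key] = {"peer": p.dst, "syns": 0, "synack": False, "refused": False}
        if not inbound:
            if "SYN" in p.flags and "ACK" not in p.flags:
                st["syns"] += 1  # retransmitted SYNs count how long we waited
            continue
        # Inbound: the only host entitled to answer on this port pair is the one we sent the SYN to.
        if p.src != st["peer"]:
            if "RST" in p.flags:
                injected.append({"frame": p.frame, "local_port": key[0], "remote_port": key[1],
                                 "expected_peer": st["peer"], "rst_from": p.src})
            continue
        if "SYN" in p.flags and "ACK" in p.flags:
            st["synack"] = True
        elif "RST" in p.flags and not st["synack"]:
            st["refused"] = True  # RST before any SYN-ACK: port closed or policy reject
    failed = {}
    for (_lport, rport), st in flows.items():
        if not st["synack"]:
            failed[(st["peer"], rport)] = {"syns": st["syns"],
                                           "reason": "refused" if st["refused"] else "no reply"}
    return failed, injected


if __name__ == "__main__":
    failed, injected = analyse(SAMPLE_CAPTURE, "MY_WAN_IP")
    for (ip, port), info in failed.items():
        print(f"failed outbound {ip}:{port}: {info['reason']} after {info['syns']} SYN(s)")
    for r in injected:
        print(f"frame {r['frame']}: RST from {r['rst_from']} on a connection whose peer is {r['expected_peer']}")
```

On the RST question this surfaces exactly the oddity in the post: frame 5039 carries the peer's port pair but a source address that never took part in the handshake, while the real peer's own RST follows two milliseconds later, so a stateful firewall dropping the first one is doing its job. On the failed-outbound question, a capture taken on the laptop (`tshark -i <if> -Y tcp` in summary mode) fed through `analyse` lists the destinations and ports that never completed, which is the information needed to ask the firewall provider for a rule; note that a silently dropped SYN shows up as "no reply", a rejected one as "refused", and DNS failures before the SYN would not appear at all.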



Configuring VPN

Hello guys, I am a broadcast engineer looking for some help on how to use a VPN to tie two locations together. I understand an OK amount of networking but am far from a network engineer. Typically all of our equipment is networked with static IPs on layer 2 switches. Most of this equipment has GUI interfaces to configure and talks to each other over the LAN network.

What I would like to do is tie two locations together so their LANs are as one, or so equipment can talk. This way my server on network A can talk to equipment on network B over the LAN.

Next thing I would like to do is be able to join this VPN to be able to pull up GUIs and configure equipment from anywhere.

Lastly I am trying to pass general internet traffic without having to go through the VPN server. I have seen this done but I am not sure how. The reason for this is sometimes I have encoders on the network that I do not want having to bounce through the VPN server to get to where they need to go, adding latency.

What I have set up but am stuck at is: I launched an AWS instance running a WireGuard server. I have two GL-iNets as WireGuard clients and equipment on the GL-iNets' two different LANs. I can ping the AWS LAN IP address for the two devices but cannot talk to anything on each other's networks. I am probably going about this all wrong and open to suggestions, but please let me know if I'm on the right track and what I need to do to finish this loop.

I tried making one of the GL-iNets the wireguard server and the other the client but since I am usually sitting behind a firewall on a LAN network it was not letting the two talk without opening a port that I will not have access to.

I am not looking to use something like Cisco Meraki because I am doing this for my own dime and doing it for my own education.

Let me know and thanks ahead of time.
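An added example for the hub-and-spoke WireGuard setup described above (not the poster's configuration, and not from WireGuard or GL-iNet): a small generator that derives the `AllowedIPs` for every peer from a list of sites, which is the piece that decides whether the two LANs can reach each other and whether general Internet traffic stays off the tunnel. In WireGuard, `AllowedIPs` is both the route ("send this prefix to that peer") and an ingress filter ("only accept packets from that peer with these source addresses"), so the hub must list each spoke's LAN under that spoke, and each spoke must list the other sites' LANs under the hub, without `0.0.0.0/0` unless a full tunnel is actually wanted. The site names, addresses, endpoint and the angle-bracket keys are placeholders.

```python
import ipaddress

# Constructed topology: one hub (the cloud instance) and two spoke routers. Placeholders throughout.
TUNNEL_NET = "10.200.0.0/24"
HUB = {"name": "aws-hub", "tunnel_ip": "10.200.0.1",
       "endpoint": "hub.example.invalid:51820", "pubkey": "<HUB_PUBLIC_KEY>"}
SITES = [
    {"name": "site-a", "tunnel_ip": "10.200.0.2", "lan": "192.168.10.0/24", "pubkey": "<SITE_A_PUBLIC_KEY>"},
    {"name": "site-b", "tunnel_ip": "10.200.0.3", "lan": "192.168.20.0/24", "pubkey": "<SITE_B_PUBLIC_KEY>"},
]


def lans_do_not_overlap(sites):
    """Two sites on the same or overlapping prefix cannot be joined by routing; renumber one first."""
    nets = [ipaddress.ip_network(s["lan"]) for s in sites]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def hub_allowed_ips(site):
    """Hub side: a spoke may source its tunnel address and the LAN behind it, nothing else.
    This is also what makes the hub route e.g. 192.168.20.0/24 back down site-b's tunnel."""
    return [f"{site['tunnel_ip']}/32", site["lan"]]


def spoke_allowed_ips(site, sites, full_tunnel=False):
    """Spoke side: prefixes this site sends into the tunnel. Only the tunnel net and the other
    sites' LANs keeps the default route on the local ISP (split tunnel); 0.0.0.0/0 would pull
    all Internet traffic, encoders included, through the hub."""
    if full_tunnel:
        return ["0.0.0.0/0"]
    return [TUNNEL_NET] + [s["lan"] for s in sites if s["name"] != site["name"]]


def render_hub_config(hub, sites):
    lines = ["[Interface]", f"Address = {hub['tunnel_ip']}/24", "ListenPort = 51820",
             "PrivateKey = <HUB_PRIVATE_KEY>",
             "# the hub only forwards between spokes if the kernel is allowed to route:",
             "PostUp = sysctl -w net.ipv4.ip_forward=1"]
    for s in sites:
        lines += ["", "[Peer]", f"# {s['name']}", f"PublicKey = {s['pubkey']}",
                  f"AllowedIPs = {', '.join(hub_allowed_ips(s))}"]
    return "\n".join(lines)


def render_spoke_config(site, sites, hub, full_tunnel=False):
    return "\n".join([
        "[Interface]", f"Address = {site['tunnel_ip']}/24", "PrivateKey = <SITE_PRIVATE_KEY>",
        "", "[Peer]", f"# {hub['name']}", f"PublicKey = {hub['pubkey']}",
        f"Endpoint = {hub['endpoint']}",
        f"AllowedIPs = {', '.join(spoke_allowed_ips(site, sites, full_tunnel))}",
        "# spokes sit behind NAT with no inbound port, so keep the mapping alive from inside",
        "PersistentKeepalive = 25",
    ])


if __name__ == "__main__":
    if not lans_do_not_overlap(SITES):
        raise SystemExit("site LANs overlap; renumber before building the tunnel")
    print(render_hub_config(HUB, SITES))
    for s in SITES:
        print(f"\n# ---- {s['name']} ----\n{render_spoke_config(s, SITES, HUB)}")
```

Two things the generator cannot do for you: the hub's own firewall (cloud security group plus any host rules) has to permit forwarding between the `wg0` peers, and each spoke router must install routes for its hub peer's `AllowedIPs` into `wg0` (`wg-quick` does this automatically; on an OpenWrt-based router the WireGuard interface has an equivalent "route allowed IPs" setting, which is an assumption about the GL-iNet firmware rather than something the post confirms). Remote-access clients get the same treatment as a spoke with no LAN: the hub lists only their `/32` tunnel address.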



WIRELESS LAN CONTROLLER WLC INFORMATION

Does the WLAN controller provide wireless connectivity without the lightweight APs? I ask this because at work they told me to create some VLANs in the switch; I have several VLANs created and configured.

But I would like to know if I can create VLANs in the WLC without the thin APs, and put the port that goes to the WLC in trunk mode, to be able to use dot1q encapsulation to communicate the VLANs.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Microwave links/PTP

Hi All,

Seeking some advice about microwave links.

Rather than pay for a normal VPLS/IPsec over DIA etc., I was wondering how feasible using a microwave link would be.

Background

We are based in small town centre in the UK.

We are looking at taking the building next door which has clear line of sight and is 70meters/230ft away.

Existing building has 300 users. The new property is likely to have 150 users.

Typical UK weather.

Ideally low latency < 5ms and bandwidth of 10GB.

Questions :

1) Can anyone advise what speeds you can get in "real life"? I have seen 10GB, but is that realistic in real-world usage?

2) I looked at this tech a long time ago - 15 years ago - are weather / birds etc. still gotchas?

3) Can you recommend a UK partner to work with?

4) Is there a "no-brainer market leader in the UK"? Siklu? Any to avoid?

5) Link install is < 30 days? Do you need a license?

6) Typical costs? My assumption is cheaper than DIA-VPN/VPLS over 3 years...?

7) any lessons from the field you can share?

many thanks :)



Netflow Ingress Only

Hello,

I'm currently using a Cisco NCS 5500 and this only supports NetFlow ingress; in the past with the ASR9000 I would enable NetFlow on an interface and be able to see inbound and outbound traffic.

But with the NCS 5500 being capped to ingress only, I'm stuck with only inbound traffic; how can I check my outbound traffic flow?

I'm currently generating flow from my NCS 5500 on my internet-facing interface. Should I also generate flow on my core-facing interface to be able to see the outbound traffic?
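The reasoning behind enabling ingress monitoring on the core-facing side too, as an added example that is not part of the post and not Cisco tooling: an ingress-only exporter still records, for every flow, the interface it arrived on and the interface the forwarding lookup chose as the exit (the output ifIndex field of NetFlow v9/IPFIX). Once every interface exports ingress flows, "outbound on the internet port" is simply every record whose output interface is that port. The ifIndex values and flow records below are constructed sample data.

```python
"""Deriving outbound (egress) byte counts from ingress-only flow export."""
from collections import defaultdict

# Hypothetical ifIndex values for the two interfaces discussed in the post.
INTERNET_IF = 10   # internet-facing interface (ingress monitoring already on)
CORE_IF = 20       # core-facing interface (ingress monitoring to be added)

# Constructed sample flow records, not real export data.
# Each tuple: (input_ifindex, output_ifindex, src_ip, dst_ip, bytes)
SAMPLE_FLOWS = [
    (INTERNET_IF, CORE_IF, "203.0.113.5",  "10.1.0.7",     1500),  # inbound
    (INTERNET_IF, CORE_IF, "198.51.100.9", "10.1.0.8",      700),  # inbound
    (CORE_IF, INTERNET_IF, "10.1.0.7",     "203.0.113.5",  4200),  # outbound
    (CORE_IF, INTERNET_IF, "10.1.0.9",     "198.51.100.1",  300),  # outbound
    (CORE_IF, CORE_IF,     "10.1.0.7",     "10.2.0.1",      999),  # core-to-core
]


def direction_totals(flows, wan_if):
    """Classify each ingress flow record relative to the WAN interface.

    Inbound  = entered on the WAN interface.
    Outbound = entered elsewhere but is being forwarded OUT of the WAN interface.
    """
    totals = defaultdict(int)
    for in_if, out_if, _src, _dst, nbytes in flows:
        if in_if == wan_if:
            totals["inbound"] += nbytes
        elif out_if == wan_if:
            totals["outbound"] += nbytes
        else:
            totals["other"] += nbytes
    return dict(totals)


def bytes_invisible_with_wan_only(flows, wan_if):
    """Bytes never exported if ONLY the WAN interface has ingress monitoring:
    every flow that enters on another interface and exits via the WAN."""
    return sum(nbytes for in_if, out_if, _s, _d, nbytes in flows
               if in_if != wan_if and out_if == wan_if)


def top_talkers_outbound(flows, wan_if, n=3):
    """Per-source byte counts for traffic leaving the WAN interface, highest first.
    Handy for spotting an internal host pushing unexpected volume to the internet."""
    per_src = defaultdict(int)
    for in_if, out_if, src, _dst, nbytes in flows:
        if in_if != wan_if and out_if == wan_if:
            per_src[src] += nbytes
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    print(direction_totals(SAMPLE_FLOWS, INTERNET_IF))
    print("missed with WAN-only ingress export:",
          bytes_invisible_with_wan_only(SAMPLE_FLOWS, INTERNET_IF))
    print(top_talkers_outbound(SAMPLE_FLOWS, INTERNET_IF))
```

With only the WAN interface exporting, the 4500 bytes of outbound traffic in the sample never appear in the collector; with the core interface exporting as well, the same records are split by direction using the output ifIndex alone.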



CCIE Cisco Modeling Lab (virl) topology

I am looking to see if there is a good topology to download or use for CML/VIRL, for the CCIE Enterprise Infrastructure. I have an INE subscription, but they don't seem to have it either.



Fcs errors

I just work help desk for a rather large enterprise. Anyway, I had a call today that a user who seemed rather knowledgeable was receiving an FCS error on a switch that she accessed using PuTTY. I normally just do proxy troubleshooting, so I didn't know what an FCS error was. But the technician group I forwarded this ticket to said they could ping both switches. But the user said the network was so slow it wasn't usable. Anyway, my question is, after reading about FCS errors, could this be caused by a duplex mismatch or a bad port? And how would the technician still be able to ping both switches, assuming one switch is downstream?



Traffic on unusual port

Apologies if this isn’t the most appropriate place to ask. We’re seeing a significant spike in traffic on port 61616. A quick search shows it’s generally used by ActiveMQ “An open source message broker written in Java…Communication is managed with features such as computer clustering and ability to use any DB as a JMS persistence provider besides virtual memory, cache, and journal persistency”

Sounds kinda like malware to me. Are there other uses for port 61616 or is it reasonable to see a spike in traffic on this port?



Arista 7050SX3-48YC12 or 7050SX3-48YC8

I am looking for a pair of switches that can meet the following requirements:

SFP / SFP28 ports

- Looking to use those ports for 10Gb copper using sfp transceivers that let me plug in a copper cable.

- 25Gb using sfp28 (fiber).

- Good amount of uplink ports prefer 6-8.

I was looking at HPE FlexFabric 5950 48SFP28 8QSFP28 Switch, but I don't see any 10Gb copper transceivers. Just 1Gb and DAC available.

I saw Aruba has JL624A Aruba 8325-48Y8C 48 x 25Gb ports (SFP/+/28), 8 x 100Gb ports (QSFP+/28), but I am trying to avoid this unit because of how hard it is to get 3rd party transceivers. I know my company will not want to pay over 1k per transceiver.

There are 2 switches that Arista offers that can do that:

7050SX3-48YC12 or 7050SX3-48YC8. I don't have anyone that I trust to resell. Does anyone have any vendors with the switches available?



Port forward issues with ASA 5506

Evening,

I am trying to complete my first port forward on a 5506; this is what I have, but I can't connect to the RDP.

object network RDP_Media_PC
 host 10.0.10.104
nat (inside_10,outside) static interface service tcp 3389 38383
access-list rdp-inbound extended permit tcp any object RDP_Media_PC eq 3389
access-list rdp-inbound extended deny ip any any
access-group rdp-inbound in interface outside

What am I doing wrong please?



Alcatel OmniSwitch 9702: NI module stuck in Operational Status: Down

I've searched the forums and couldn't find an existing resolution....

Our OmniSwitch 9702E NI-1 is stuck in "operational status - down".

We only have 1 NI and 1 CMM. Because of this error, no ports appear under "show interfaces" and thus we are unable to add VLANs to interfaces, etc....

>show module status
CMM-A
Admin-status - POWER ON
Operational status - UP

NI-5
Admin-status - POWER ON
Operational status - DOWN

Getting the following errors in logs:
INTERFACE - info - Excessive wait for connection to NI 1 NISUP
HSM-CHASSIS - info - ==HSM == NiNsmT1: NI state rcvd (sl: 1), MsgFlag: 3 Local T.O. Flag: 0
HSM-CHASSIS - info - ==HSM == NI down rcvd from App 6 for slot: 1, ResetMode: 3
HSM-CHASSIS - info - ==HSM == Clearing Takeover Flag from NI CTX
HSM-CHASSIS - info - ==HSM == NI (1) down received (from: Appid: 6), Power Off NI
HSM-CHASSIS - info - ==HSM == Power off NI niSlot=1
IPC-DIAG - info - ipctPipeReceived: PICT_CLOSE_CONNECTION slot 1
INTERFACE - info - esmHandleNIBootUpFailure() NI 1, err 0
INTERFACE - info - NIs are ready
INTERFACE - info - Warning date could be changed, kindly set date if needed
REMOTE_CONFIG - error - Invalid state: 2 event: 1
SYSTEM - info - i2cNiBoardReset: task tCS_HSM slot ` device 0x70 state 0 data 0xff
HSM-CHASSIS - info - ==HSM == NI 1 has been reset...
HSM-CHASSIS - warning - ==HSM == Skip NI (1) Power ON due to
HSM-CHASSIS - warning - ==HSM == ....Admin Power Off
HSM-CHASSIS - info - ==HSM == csHsmUtilNiCtxBrdSend() nsm CS_HSM_NSM_ST_OP, poweroff 0 NI1
VLAN - info - CS_NI_DOWN/CS_NI_Notpresent msg Rx for slot 1
GM - info - NI-down_1

System info:
show microcode:
Jbase - 6.4.3.884.R01
Jadvrout- 6.4.3.884.R01
Jos- 6.4.3.884.R01
Jeni- 6.4.3.884.R01
Jsecu- 6.4.3.884.R01
Jencrypt- 6.4.3.884.R01
Jdiag- 6.4.3.548.R01

show hardware:
uboot Ver - 6.4.3.479.R01
uboot-miniboot ver - 6.4.3.479.R01

Please let me know if I could provide any additional details.

Thank you



Stacked switches - what happens if I lose just a port

Looking at creating a stack with 2 catalyst 3850 and I understand that it becomes active/standby and in the event of a switch failure, the standby will become active. However, if a single port fails, what happens?

Thanks



Do I need a Bachelors degree to become a Network admin?

I have an associate's degree in Networking (and another in Cyber Security) and I'm studying for my CCNA. My question is, would that be enough to become a Networking Admin, with the right amount of experience of course?



Username and Password on Clearpass OnGuard agent

After installing the ClearPass OnGuard agent on a device, it asks for username and password credentials. Are these credentials validated against Active Directory (basically the same ones used for employee login), or is this a unique username/password specific to OnGuard?



Major Comcast Outage

I'm seeing cable and fiber down across all my customers nationwide



Android: first DHCP gets an IPv6 link-local that I don't have on my DHCP server

Hi all.

First, thanks for reading this:

The DHCP server is IPv4-only, on a W2019 server.
My Android devices get the IP address correctly on IPv4, but if I check the IP I see my primary DNS server is something like fe80::250.......,
The DNS2 and DNS3 are my correct internal DNS servers.

But I don't give it in any DHCP option or similar.

The problem is that the Android devices fail to resolve local DNS names......

Any help will be appreciated.
Regards.



Cisco ISE Posture - ASA VPN

Howdy!

I’m trying to setup a PoC for posture compliance over Cisco AnyConnect VPN (via Cisco ASA) for a customer.

I’ve got it setup in ISE so that if the posture status of the VPN client is “unknown” it redirects them to the default portal and uses an ACL I created on the ASA that looks like this:

Deny any domain (allows DNS)
Deny any ISE (allows access to ISE)
Permit any web (denies any web traffic)

When I connect to the VPN, it doesn’t install the posture agent and check my compliance. I just get restricted based on the ACL listed above.

Is there something else I’m missing here? I’ve uploaded the AnyConnect and Compliance module to ISE, and setup the policy to install it, but nothing is working.

Any help would be much appreciated.



Multiple Active DC Design - is it wise to run BGP between your border leaf and border gateway which are different pairs of firewalls?

Hi folks,

I am reading up on some design documents in order to cater for Active/Active DCs model, which relies heavily on leaf/spine fabrics with MP-BGP EVPN as a control plane overlay (and VXLAN as data plane). The idea is to span L2 when needed, over IP fabric, without actually spanning VLANs across DCs.

There is an idea for advertising host routes (/32 and /128) into IGP and/or BGP peering with the border gateway, in order to have better control of the ingress traffic. However, most guides just mention the concept without the actual consideration for real-world device performance.

I am thinking of a design where my border leafs at each DC would peer BGP with perimeter firewalls, since with BGP I can use lots of attributes for better control and conquer. The perimeter firewalls then can advertise summary routes if needed. IGP is giving me quite a headache in calculating costs, and there are still cases that I am concerned with asymmetric routing (since these are all stateful firewalls).

So, have you ever thought of or designed your data centres in such way, and do you have any experience to share with this poor guy? Do you have performance and convergence issues with BGP running on firewalls?

P.S.: Please bear in mind that when I refer to those perimeter firewalls, I did not limit it to Internet DMZ firewalls only, but to a modular design where between each module (WAN-to-ServerFarm, HO-to-ServerFarm) there would be different firewalls in between.



Cisco Stateful Interchassis Redundancy can data and control be the same interface?

I have two identical Cisco 4351 routers.

I want to configure them in HA using Stateful Interchassis Redundancy.

I have the standard 4 interfaces in each router. One goes to Inside, the second to Outside, the third one is empty, and there is a Management interface.

Does anybody use Stateful Interchassis Redundancy?

According to documentation it requires a data link, control link and interface link.

Could it be the same physical interface?



YANGinator - A YANG validation plugin for IntelliJ

Hi r/networking! I am one of the contributors to YANGinator, a plugin for IntelliJ for validating YANG files. We are keen to gain as many contributors for this plugin as possible since we believe users of this subreddit might benefit from a plugin doing most of the validation of YANG files for them.

You can find the code on GitHub here.

And on the JetBrains Marketplace here.



Tool for config backups and mass config changes / Any recommendations?

Hey guys,

I'm looking for a tool (open source or paid doesn't really matter) to backup our network devices (mainly HPE / Aruba switches) and do mass config changes/rollouts. Any suggestions?

We only have around 30 stacks (2-4 switches each) on three sites.

Sorry if there's already a post about it, but I haven't found anything recently in this sub.

Btw, this is my first post in here. IT hooray!

Thanks for your help!

Cheers, uneinverleibbar



Monday, November 8, 2021

Random connected to Bluetooth treadmill?

My treadmill was on. I hear a voice coming through the damn treadmill speakers asking if I can hear them. Okay I just unplug the machine and will deal with shutting off Bluetooth on the machine later cuz why would I need Bluetooth when the speakers suck. Then an hour later my internet goes down. Or at least it says I am connected to the wifi but not able to access anything on the internet then my phone says it’s not able to connect to my wifi. The modem is turning green to red flashing when it should be white if it was able to establish a connection. Is this a random internet outage or is the possible “troll” connected to this in some way? Cannot confirm with neighbors since it’s way too late rn.



Broadcom NPAR and Aruba CX6400 switch, server IP unreachable by some clients?

Has anyone experienced difficulty using Broadcom's NPAR feature, perhaps with an Aruba CX 6400 series switch, or Windows Failover Cluster? This is my first time working with NPAR so I'm not schooled on pitfalls or gotchas.

Here's the problem. Using NPAR on two servers to split up a 25G link on each into several different roles (separate VLANs). Some client machines can't reach one server's IP, while other client machines on the same network have no problem talking to both servers' addresses.

I thought maybe an ARP table was messed up, so everything got rebooted, switches, computers, etc. No change.

I had started to type a novel to explain this problem but who has time to read a novel.

Server: Two matching config HPE DL325 G10+ v2 with two HPE Broadcom NetXtreme E-Series dual port 10/25G card

Switch: HPE Aruba CX6405 switch running firmware FL.10.06.0140 (August 2021), ports for the servers are configured as trunks, with vlan 1 native, all vlans allowed. Clients talk to the servers over vlan 101.

Software: Windows Failover Cluster on Server 2016, latest updates, latest HPE service pack for drivers / firmware



Spent 20 hours troubleshooting this very bizarre network issue on church streaming PC

Client machine is our church streaming PC - Intel Xeon, 4 core, 16gb ram, 512 SSD, GTX1050ti (for encoding), Windows 10, onboard gigabit NIC. Using OBS to send out stream at 8mbps. Internet is 100/100 fiber.

Connected to 24 port Aruba switch tied to main LAN. DHCP for all clients. Firewall checked, port for stream is wide open, priority for video packets.

Everything was working fine until new IT company came in and installed new gear. Ever since, we have had continuous issues with pushing a stable stream. Starts out fine but within a few seconds, goes to pot with erratic upload of 0 to 4mbps as indicated by OBS. IT company says no problems that they can find, must be the PC or ISP, so I started my own troubleshooting.

Upload tests through speedtest.net show a 100/100 connection. But if I run it through TestMy, only getting 4-5mbps using random packet testing.

Installed new PCIe NIC, cables, removed all other connections to the switch, and tried various ports on switch with same results. Updated drivers to no avail.

Here is where it gets weird. On a whim, I hooked up a USB to Ethernet adapter to the PC and suddenly had great upload speed tests along with a stable stream output. I then hooked up a different PC using normal Ethernet, it too suffered from the same problem until I hooked up the Ethernet adapter.

But there’s more, the USB Ethernet adapter only provides the normal connection if it’s connected to a powered USB hub. If I try a direct to PC USB connection, the problem still persists.

I am baffled. Any ideas? The adapter isn’t really a solution as extended testing still shows some problems, but it’s 90% better. I don’t understand how an Ethernet adapter, through a powered hub “fixes” the problem on either PC.



Linux command for checking WiFi strength

Hi guys, does anyone know about any Linux command that shows the frequency and signal strength? Thank you



ISR/ASA SSH Smart Cards?

Right now we are using RADIUS PAP to an MS NPS server, but now with smart cards we want to disable legacy auth. Has anyone managed to implement SSH with smart cards on either ISRs or ASAs? How?

We have the PKI infrastructure in place, we have Yubikey based smart cards issued and working. We even have putty-cac working with Linux, but for the life of me I can’t figure out how to get the Cisco hardware configured. Is it just too much a PITA? Should we just use ssh keys and local accounts? I’d hate to have to configure this on all the equipment.



What technical hurdles remain to replacing the entire Internet everywhere with one single mesh network? I understand the legal hurdles and the incentives for ISPs to prevent mesh networks from ever happening; please teach me about a different problem, like a technical one.

https://blinqnetworks.com/rural-wireless-solutions-in-the-third-world/

The article shows multiple existing successful implementations (where incumbent ISPs didn't exist to stifle this innovation.)

I am interested in technical comparisons between the Internet as-is today, and various alternatives (if regulators and incumbents were no issue.)

All comments welcome, just please include at least one argument for your answer, or at least one source supporting it. I already found similar questions, with nothing but blind assertions in response.

I want us to teach each other science :)



Traffic generator for DHCP traffic specifically

I'm trying to understand nuances of DHCP by crafting my own DORA packets. For example I'd like to see how Wireshark captures will look when I change the broadcast bit flag in Discover messages from 0 to 1 or vice versa, and more. I considered using Ostinato by copying hex output for a normal Discovery packet over into it but it's not working as expected just yet. While I try to figure that out, I'm wondering if anyone has already looked at this so maybe I won't have to try to reinvent the wheel here.

tl;dr - I want a traffic generator for DHCP packets. Any suggestions?
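An added example that is not part of the post and is not Ostinato's or Wireshark's code: a pure-Python (struct only) builder for a DHCP DISCOVER in which the BROADCAST flag is chosen explicitly, a helper that flips that bit in an already-built packet, a parser that decodes the result, and a writer that wraps the packets in Ethernet/IPv4/UDP and saves a pcap file so the two variants can be compared side by side in Wireshark. Nothing is transmitted. The client MAC, transaction id, hostname and pcap file name are all constructed values.

```python
"""Build, inspect and pcap-export a DHCP DISCOVER with a chosen BROADCAST flag."""
import struct

MAGIC = b"\x63\x82\x53\x63"                  # RFC 2131 options magic cookie
BROADCAST_FLAG = 0x8000                      # bit 15 of the 16-bit 'flags' field
FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"    # op .. file = 236 bytes before the cookie
assert struct.calcsize(FIXED_FMT) == 236


def build_discover(mac: bytes, xid: int, broadcast: bool, hostname="lab-client") -> bytes:
    """RFC 2131 BOOTREQUEST with DHCP message type DISCOVER."""
    flags = BROADCAST_FLAG if broadcast else 0
    fixed = struct.pack(FIXED_FMT,
                        1, 1, 6, 0,                     # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
                        xid, 0, flags,                   # transaction id, secs, flags
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr/yiaddr/siaddr/giaddr
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    opts = bytes([53, 1, 1])                             # option 53: message type = DISCOVER
    opts += bytes([61, 7, 1]) + mac                      # option 61: client identifier (htype + MAC)
    opts += bytes([12, len(hostname)]) + hostname.encode()   # option 12: host name
    opts += bytes([55, 4, 1, 3, 6, 15])                  # option 55: parameter request list
    return fixed + MAGIC + opts + b"\xff"                # option 255: END


def set_broadcast(pkt: bytes, on: bool) -> bytes:
    """Copy of pkt with the BROADCAST bit set or cleared (flags live at bytes 10-11)."""
    flags = struct.unpack("!H", pkt[10:12])[0]
    flags = (flags | BROADCAST_FLAG) if on else (flags & (0xFFFF ^ BROADCAST_FLAG))
    return pkt[:10] + struct.pack("!H", flags) + pkt[12:]


def parse_dhcp(pkt: bytes) -> dict:
    """Decode the fixed header and the option TLVs back into a dict."""
    f = struct.unpack(FIXED_FMT, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:               # stop at END
        if pkt[i] == 0:                                  # PAD option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "broadcast": bool(f[6] & BROADCAST_FLAG),
            "chaddr": f[11][:f[2]], "msg_type": opts[53][0] if 53 in opts else None,
            "options": opts}


def ip_checksum(hdr: bytes) -> int:
    """Standard ones-complement sum over 16-bit words (header length is even)."""
    s = sum((hdr[i] << 8) + hdr[i + 1] for i in range(0, len(hdr), 2))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def dhcp_frame(dhcp: bytes, mac: bytes) -> bytes:
    """Ethernet + IPv4 + UDP as a client sends it: 0.0.0.0:68 -> 255.255.255.255:67."""
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp     # UDP checksum 0 = omitted
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      b"\0\0\0\0", b"\xff\xff\xff\xff")
    iph = iph[:10] + struct.pack("!H", ip_checksum(iph)) + iph[12:]
    return b"\xff" * 6 + mac + b"\x08\x00" + iph + udp


def write_pcap(path: str, frames) -> None:
    """Classic libpcap format, LINKTYPE_ETHERNET; one record per frame."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for n, fr in enumerate(frames):
            fh.write(struct.pack("<IIII", n, 0, len(fr), len(fr)) + fr)


if __name__ == "__main__":
    mac = b"\x02\x00\x00\xab\xcd\x01"          # constructed, locally administered MAC
    d0 = build_discover(mac, 0x12345678, broadcast=False)
    d1 = set_broadcast(d0, True)
    write_pcap("dhcp_discover_flag_compare.pcap", [dhcp_frame(d0, mac), dhcp_frame(d1, mac)])
    print(parse_dhcp(d0)["broadcast"], parse_dhcp(d1)["broadcast"])   # False True
```

Open the pcap and filter on `dhcp.flags.bcast` to see the two frames differ only in that bit; the same `set_broadcast` approach works on a Discover copied out of a real capture, since the flags field sits at a fixed offset.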



Cisco SDWAN TLOC Extension

Has anyone mastered real-world use of TLOCs? Have a large branch office (upcoming) with primary ATT MPLS & secondary internet. I would like to leverage MPLS as the primary & failover capabilities with the internet circuit, while also leveraging the dedicated internet circuit for DIA. Seems complex but I’m stuck in the mud at this point.



Dividing a network into 3 subnets

If I wanted to divide a network into 3 subnets, would I have to borrow 2 bits from the network address and add it to the subnet? Say my network address was 200.150.128.0/23. What would my other 3 subnet addresses be? I know that the new address for the first subnet would be 200.150.128.0/25 if I borrow 2 bits. I am struggling a bit when it comes to subnetting and networking.
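The borrowing step worked through in code, as an added example that is not part of the post: it computes how many host bits a given number of subnets needs, lists every subnet that results (with its first and last usable host), and shows which new subnet a given host lands in. It goes slightly beyond the question by handling any prefix and any subnet count, using only the standard-library `ipaddress` module; the network 200.150.128.0/23 is the one from the post.

```python
"""Splitting a network into equal subnets by borrowing host bits."""
import ipaddress


def bits_to_borrow(wanted_subnets: int) -> int:
    """Smallest number of host bits such that 2**bits >= wanted_subnets.
    Three subnets cannot be made with 1 bit (2 subnets), so 2 bits (4 subnets) are needed."""
    bits = 0
    while (1 << bits) < wanted_subnets:
        bits += 1
    return bits


def split_network(network: str, borrowed_bits: int):
    """Return (subnet, first usable host, last usable host, usable host count)
    for every subnet produced by extending the prefix by borrowed_bits."""
    net = ipaddress.ip_network(network, strict=True)   # strict: host bits must be zero
    rows = []
    for sub in net.subnets(prefixlen_diff=borrowed_bits):
        hosts = list(sub.hosts())                       # excludes network and broadcast
        rows.append((str(sub), str(hosts[0]), str(hosts[-1]), len(hosts)))
    return rows


def subnet_of(host: str, network: str, borrowed_bits: int) -> str:
    """Which of the new subnets a given host address falls into."""
    addr = ipaddress.ip_address(host)
    net = ipaddress.ip_network(network, strict=True)
    for sub in net.subnets(prefixlen_diff=borrowed_bits):
        if addr in sub:
            return str(sub)
    raise ValueError(f"{host} is not inside {network}")


if __name__ == "__main__":
    bits = bits_to_borrow(3)
    print(f"3 subnets need {bits} borrowed bits -> 2**{bits} = {1 << bits} subnets")
    for row in split_network("200.150.128.0/23", bits):
        print(row)
    print(subnet_of("200.150.129.200", "200.150.128.0/23", bits))
```

Borrowing 2 bits turns the /23 into four /25s, each with 126 usable hosts; the fourth subnet is spare when only three are needed.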



Problem trying to replace all "\" in variable - MIKROTIK ROUTEROS

Hi guys, I have a problem trying to replace all "\" in a variable with a script in MikroTik RouterOS.

If anyone knew how to do it, I would appreciate it! :)

Link to original question

Thanks!



What benefits do I have for building a Cisco only network?

Currently I am being asked by my boss to write out all the benefits of being a Cisco only network. Talking points that are quality of life do not justify being only Cisco. Such as only having to know one language, familiarity of troubleshooting, etc. Basically I need talking points that enforce stronger security, any benefits within Cisco ISE, or anything that guarantees better network flow. Not finding anything through google that is convincing enough. Any and all info is very much appreciated. From what I'm gathering if you eliminate EIGRP, CDP, and ease of use there aren't any benefits to being only Cisco.



Wanted to be a networking guy, but current experience is 5 years sysadmin/tech support with CCNA cert

Hi All.

I really wanted to be a networking guy. Focusing on firewalls, routing, switching, APs.

Am I on the right track? I've been working as a Sysadmin/IT support for the last 5 years at an MSP company.
From supporting end-users, configuring Windows Server and Hyper-V, doing basic Linux things, Office 365 administration.

Then for networking, I got my CCNA cert back in 2017, but my only networking experience was configuring firewalls, routers, switches for small businesses. Since most of our clients are small businesses I never handled complex network infrastructure. The biggest client I have supported has 5 sites; I configured their firewall, switch..

I know how to implement VLANs and such things at CCNA level. I did really study hard for my CCNA cert back in 2018, so I believe I have strong networking fundamentals.

Is it worth it to take a pay cut and look for entry-level full-time networking roles?

Or

just continue being Jack of all trades?

Thanks r/networking



Ubiquiti vs Ruckus

I need to get more serious about my wifi implementation. Currently I am running a mix of several different consumer level access points on a small business network, but am looking for something that will support VLANs natively rather than managing access points for three different networks/VLANS. I have primarily been looking at either Ubiquiti or Ruckus.

Preferably I would like to find something where I can use a trunk port and assign a VLAN per SSID, and not place multiple APs immediately next to each other and use assigned ports. The building is in excess of 100,000 square feet so something that would work in a mesh configuration would be ideal, along with adding a standard central management.

The primary concern is for only around 60-80 devices that require wifi and they will be placed in fixed locations. Beyond that there are a handful of phones that would be nice to get better coverage for, along with a better guest network for customers and vendors.

I am hoping that someone with some experience with either or both of these brands can clarify a few questions:

  1. Is buying the access points alone enough, or is there also a management appliance that needs to go along with them?
  2. Is Ubiquiti using standard 802.1Q for tagging, or is it a proprietary solution with their switches?
  3. Does either brand require a subscription for management/updates?
  4. Preferences between the brands?
  5. Another brand I am overlooking in the prosumer/enterprise categories?


Switch options

I am looking for a switch much like this one from FS for colo rack, except from a better brand. I’m having a hard time finding the right model/tiers across the various brands so I’m hoping someone here can help point me in the right direction.

The main specific features I need are:

  • VRRP
  • MLAG
  • at least 24x 10 gig ports (prefer a mix of 10GE and SFP+, but all of one or the other is fine)

I would also love to have the hot swap power supplies and fans but those are not absolute deal breakers.

We aren’t picky about brand - I have just heard mixed reviews about fs so I’m trying to find something with a bit more history and broader support than them.

Budget is of course a factor. I feel like we don’t need all of the other robust features/performance of an $11k catalyst 9300 — I’d love to see if I could bring this in under $3k per switch. But if the answer is that this realistically can’t be done on that budget (without going to something like the fs I linked to) then I’m still interested in hearing what would be the lowest priced option that could get me into those features.



How does an Internet proxy work?

Hello Community,

I am a network engineer, and when I perform live troubleshooting with customers I can see that they reach the internet and some applications like Outlook and so on via a proxy configured in their web browser. For example, the proxy IP is 10.x.x.x, while the end user LAN IP is 192.168.x.x. I would like to understand how the traffic is destined to the proxy first before the remote destination. For example, the user wants to reach Google and Google's IP is 100.100.100.100, so the packet would be:

User source IP before NATting: 192.168.x.x

User destination IP 100.100.100.100

Where in the IP header will the destination be the proxy 10.x.x.x? Will there be a tunnel which has inner and outer IPs?

Will the source IP NATting be performed on the WAN IP of the SD-WAN Edge / legacy router, or will it be done on the proxy server?

Thanks in Advance :)
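A forward HTTP proxy in miniature, as an added example that is not part of the post and not any vendor's code. Three parties run inside one process on 127.0.0.1 with ephemeral ports: an origin web server (the standard library's `http.server`), a one-shot proxy, and a client configured to use that proxy. It shows the answer to the header question directly: the client's TCP connection, and therefore the destination IP in every packet it sends, goes to the proxy; the proxy opens a second, unrelated TCP connection to the origin. There is no inner/outer IP tunnel for plain HTTP. The browser just writes the full URL into the request line and sends it to the proxy's address (for HTTPS it sends a `CONNECT host:443` request and the proxy relays the TCP bytes, still without any IP encapsulation). Because the client's packets never leave the LAN, what the SD-WAN edge or legacy router NATs is the proxy's own outbound connection, and the origin only ever sees the proxy's source address. URL paths and ports here are constructed.

```python
"""A minimal forward HTTP proxy, origin server and proxied client in one process."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class OriginHandler(BaseHTTPRequestHandler):
    """The 'remote destination'. It only ever sees the proxy's source address."""
    def do_GET(self):
        body = f"origin saw {self.path} from {self.client_address[0]}".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo output quiet
        pass


def recv_all(sock: socket.socket) -> bytes:
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:
            return b"".join(chunks)
        chunks.append(data)


def proxy_once(listener: socket.socket) -> tuple:
    """Serve one proxied request; return (origin_host, origin_port, path) it forwarded to."""
    conn, _client = listener.accept()
    with conn:
        req = b""
        while b"\r\n\r\n" not in req:
            chunk = conn.recv(4096)
            if not chunk:
                raise ConnectionError("client closed before sending request headers")
            req += chunk
        method, url, _version = req.split(b"\r\n", 1)[0].decode().split()
        if not url.startswith("http://"):      # a proxy is addressed with an absolute-form URL
            raise ValueError("expected absolute-form request line")
        hostport, _, path = url[len("http://"):].partition("/")
        host, _, port = hostport.partition(":")
        port = int(port or 80)
        # Second, independent TCP connection. This is the one an edge router would NAT,
        # and it is where a policy check on the full URL would go (the proxy sees it all).
        with socket.create_connection((host, port)) as upstream:
            upstream.sendall(f"{method} /{path} HTTP/1.0\r\nHost: {hostport}\r\n"
                             f"Via: 1.1 demo-proxy\r\nConnection: close\r\n\r\n".encode())
            conn.sendall(recv_all(upstream))
        return host, port, "/" + path


def fetch_via_proxy(proxy_addr: tuple, url: str):
    """A client with a proxy configured: TCP peer is the proxy, URL goes in the request line."""
    with socket.create_connection(proxy_addr) as s:
        peer = s.getpeername()                  # (proxy IP, proxy port), not the origin
        host = url.split("/")[2]
        s.sendall(f"GET {url} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        resp = recv_all(s)
    return peer, resp.split(b"\r\n\r\n", 1)[1]


def demo() -> dict:
    origin = HTTPServer(("127.0.0.1", 0), OriginHandler)
    threading.Thread(target=origin.serve_forever, daemon=True).start()
    origin_port = origin.server_address[1]

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    proxy_port = listener.getsockname()[1]
    forwarded = {}
    worker = threading.Thread(target=lambda: forwarded.update(to=proxy_once(listener)))
    worker.start()

    url = f"http://127.0.0.1:{origin_port}/reports/q3"      # constructed path
    peer, body = fetch_via_proxy(("127.0.0.1", proxy_port), url)
    worker.join(5)
    listener.close()
    origin.shutdown()
    origin.server_close()
    return {"client_tcp_peer_port": peer[1], "proxy_port": proxy_port,
            "origin_port": origin_port, "proxy_forwarded_to": forwarded.get("to"),
            "body": body}


if __name__ == "__main__":
    print(demo())
```

`client_tcp_peer_port` equals the proxy's port, never the origin's, which is exactly what a packet capture on the client would show in the IP/TCP headers; the `Via` header is the only trace of the proxy that reaches the origin.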



How to create a dummy file on Velocloud SD-WAN CLI to test the download and upload speed?

Hello Community,

I would like to know how to create a dummy file with a specific size in the Velocloud Edge CLI, as this is based on Linux, and how I can try to download this file from another Edge and upload this file to a remote Edge.

Basically we sometimes receive multiple tickets that the users from a specific site complain about slowness while downloading a file from a remote DC, and this issue is affecting a single site, so my plan is to configure a dummy file on the remote DC Edge and try to download this file from the affected site.

If users face an upload issue, I want to create a dummy file and upload it to a remote location to test the upload speed and performance in this site.

How can I achieve the above with the CLI commands on the Velocloud SD-WAN Edges?



How do you create two separate LAN on the same internet connection?

Is there a way to buy two separate routers connect to the internet modem and not have the two LAN networks have access to each other for security purposes?



Region of whole network changed

Hello everyone!

We have the following problem in our company network:

We are stationed in Austria and therefore we should automatically be assigned the Austrian region on every website. This has worked for ~15 years without any problem.

We've had someone from our company site in Mexico for training in our office and ever since then, our region on google, YouTube, and non-google services have been set to Mexican.

Our IP is still Austrian and I have no idea how they determine region otherwise.

The person from Mexico has been gone for ~1 week now but the problem still persists.

Has anyone experienced this before / might know a solution?

Thanks in advance! :)



Wifi addressing schemes for DHCP?

Just wondering if for wireless clients they should be given their own ip address range (say 10.200.x.x) or should they follow the ip address range that they got from a particular wired building say (10.10.x.x)? Any tips where to find a good campus IP addressing scheme?



Where are all the Junior '5G' Wireless Engineer jobs?

Hello all, I have a Help Desk Engineer background and I've passed my CCNA about 1 week ago.

With the hype and expansion of 5G networking being seen on mainstream media, I'm curious if any of you guys know the typical rates and demand for these positions?

  • Are they Security-clearance types?
  • Are there any 5G high paying (70k+ Jr Network Engineer) deployment contracts to help build the infrastructure for various cities?


As a network engineer, how do you handle having to deal with tech support for your home internet?

Do you guys just go through the motions and let the tech support person go through their checklist so they can inevitably send someone out in 3 to 5 days only for the issue to fix itself before the tech shows up and then when the issue starts back a few weeks later only to repeat the cycle over again?

Or do you have your own ways of bypassing this cycle of dealing with tier 1 tech support? I've tried sending an email to a tech support related email address for my ISP containing documented incidents of significant packet loss from an ongoing, repeated test that saves records to a database, and the only result was they sent a tech out after the issue went away. So frustrating!



I just spent 9 hours troubleshooting a bad power cable.

I had a stack of switches that has been online for a couple weeks now, but has been acting wonky the entire time. They were up, and passing traffic, but just acting . . . wonky.

SFP ports sometimes wouldn't work. Unplug the SFP itself and plug them back into a DIFFERENT port, then plug them into the original port and they'd work again. Couldn't get both sides of a LAG back to the core to come up. Either one independently, but not both. UDLD would report all kinds of errors on known good fiber. Spent hours shining light, swapping pairs, swapping patches, swapping optics, taking the entire stack back to our workbench and plugging it directly into the core, taking it back to its home and plug it back in and shit that worked PERFECTLY on the bench suddenly won't work.

Sometimes clients would negotiate at 10mbit, 100mbit, or 1gbit. Using the internal cable test utility was returning all sorts of random crazy results, even on cables that we tested with a Fluke Net Tool and all passed easily. PoE would sometimes work and sometimes not. Reboot the switch and PoE would work, reboot it again and they wouldn't.

NINE HOURS LATER we finally called the electrician over because I was about to lose my mind.

We had 180v on the ground.

He replaced the extension, and all the problems went away.

Motherfucking Layer 0 fucked me in the ass today.