Saturday, November 20, 2021

The inner workings of an SFP port and a mistake that may have cost me 2 days of scratching my head

The simple question here is: is 1 Gbps SFP (non-InfiniBand) just Ethernet over fiber?

The long part: when I say "is it just Ethernet over fiber", I mean does a 1 Gbps RJ-45 Ethernet port use the same chip as a 1 Gbps SFP port? Does the SFP transceiver just have the wires connected in this configuration?

RJ-45 > SFP
TX_D1+ > TD+
TX_D1- > TD-
RX_D1+ > RD+
RX_D1- > RD-

Or does an SFP transceiver use a different protocol to communicate between the host device and the transceiver? If it does use a different protocol, does anyone know what it is? Would you be so kind as to let me know? It would be thoroughly appreciated, because I'm trying to find a chipset that can interface with an SFP module and the lack of results is bringing me to the conclusion that I'm looking for the wrong thing.



Anyone using M1 Macbook for networking job?

I'm thinking about switching to an M1 MacBook Air and have a few concerns.

Has anyone had issues using a USB-C to serial cable for connecting to Cisco gear with their M1 MacBook? Also, what programs do you guys use for your day-to-day work?

Cheers



How do I set a bandwidth limit to an interface on a cisco 3850 switch?

I want to limit a few interfaces to 15 Mb. I tried using the following config, but sometimes it works and sometimes it doesn't:

```
policy-map "Name"
 class class-default
  police 15000000

interface x/x
 service-policy output "Name"
```

Is there a better way than this?



Help with this problem (read below)

Hi guys, this is my problem:

I have two offices (540 ft² each) in a building, on the same floor but separated by a few other offices in between them. The thing is, I can't afford to pay for two ISPs anymore, so I need to be able to share the service from one to the other. What would you do?

Needless to say, the building is a co-ownership so wiring isn't an option.



Data rates on different channel widths?

Hi, I wouldn't exactly call myself a wireless "expert". I definitely know my way around most of the tech, but the "ins and outs" are something I will definitely be picking up and studying in the next year or so when I get a chance. But for this question: what sort of data rates can you expect to get, generally, in terms of difference when on a 5GHz network on a 20MHz vs 40 and 80MHz width channels? WiFi 5 (I'm going to call it that, because technically that's what we should be calling it now) has a theoretical speed of 1.3Gbps. Yes, I know that it's only theoretical, but given the question, what sort of speeds could I expect if I had 3 different wireless networks, all on 5GHz, but at the different channel widths?

Let's take interference and larger channel widths suffering from interference from more channels out of the equation as well here and pretend all 3 different networks operate fine.

Also, as a side note question here... am I right in saying a 5GHz network on a 20, 40 or 80MHz channel width allows "5GHz speeds" through that "gap" or width, essentially? Which in turn means that the larger the channel width, the "more speed" there is to go through it?

Thanks



Looking for OS10E trial / download

Does anyone have the hookup on some OS10E downloads for lab use? I have a few switches that have licenses but are running old builds. This is for lab only, but there are some new IPv6 ND settings in 10.5.3 that I’d like to use on my OS10E.

I'm glad Dell made the OS9 update public though.



1/2 mile wifi booster.

I have a large ranch and am trying to boost my wifi 1/2 mile in all directions. What can I use to do this? I have an external 5 ft. antenna that attaches to my router. It has a small in-line booster attached to it, but that is not helping at all.



Configure Forcepoint NGFW to send syslog data to Splunk via Universal Forwarder

Hi,

For a few days I've been trying to get the job done, but I'm getting a little confused. We have 3 components for this to work: Forcepoint SMC, Splunk and the Splunk Forwarder. The environment I'm installing it on is CentOS 7 hosted on VMware ESXi. As far as I understood, the data should be sent from the Forcepoint to the Splunk Forwarder and then to the Splunk server, right? How exactly does the Splunk Forwarder work, and what should its connecting point be with both the Forcepoint and Splunk? Should I be using Docker, or can I get it working without it? Let me make it clear where I am so far.

- Created the splunk user and group, which has full permission to the /opt/* folders (I'm a little confused about who should be running the processes). Whitelisted the ports.

- Configured Forcepoint to send data to SplunkServerIP:9997 (probably the data should be sent to the Splunk Forwarder instead, which I think is the main problem)

- Installed Splunk and the Forcepoint app (it shows up in the apps on the web server at SplunkServerIP:8000)

- Got the Splunk server running and listening on port 9997, which is set on the web server as receiving. Left everything else default (management port and stuff)

- Downloaded and installed the Universal Forwarder (no Docker used), changed the management port from 8089 to 8090 (because of a conflict with the Splunk Server management port). Added forward server SplunkServerIP:9997 and a monitor for /var/log/ with sourcetype linux_secure.

When I check the data received by the Splunk server, I can see errors that the data chunks are too large.

Thanks in advance. I'm just getting introduced to Linux and firewalls, and sorry for any spelling mistakes. Any help would be appreciated, even if it's just for a logical understanding of how these should work!



Guest WiFi can't get IP address (Sonicwall/Aruba/Ruckus)

I have 2 networks/sites that are pretty similar, but only 1 is working properly.

Network1:

  • Sonicwall TZ270
  • Aruba 1930 8G PoE switch
  • Ruckus R320 Unleashed AP
    • Corporate and Guest WiFi SSIDs

Network 2:

  • Sonicwall TZ400
  • Aruba 1930 48G PoE switch, Aruba 1930 8G PoE switch
  • Ruckus R550 (x3), Ruckus R320 unleashed APs
    • Corporate and Guest WiFi SSIDs

Network/Site 1 is working as expected.

Network/Site 2 is working for wired clients, and Corporate WiFi clients. Guest WiFi is not working on Network 2. Devices are unable to get an IP address.

In both networks I have the Sonicwall configured with a virtual interface, X0:X50, in its own zone.

In both networks I have a DHCP scope configured for X50 on the Sonicwall.

How can I troubleshoot why Network 2 is not passing DHCP info on to the clients on the guest WiFi?

I have gone through the setup on each network and made sure that the config on the Sonicwall, Aruba and Ruckus gear is the same on both networks.



Salary negotiations for mid-to-senior positions. Is it reasonable to request a hiring bonus to buy out my soon-to-be-vesting RSUs?

tl;dr - Expecting an offer for a new position, but accepting it will mean walking away from ~$40k in bonus and vesting RSUs at current job. Is it reasonable to request a hiring bonus to cover that?

I'm pretty happy at my current job, and getting $154k + $20k/yr in RSUs. But a recruiter tracked me down on Linkedin about a similar position at a new company, I did some interviews and have apparently "far exceeded their expectations" and am expecting an offer shortly.

My recruiter indicated that they were looking for someone in the $175k range. I've told him that I'll be looking for $200k as a base salary, irrespective of equity offers (company is probably 2-3 years from an IPO from what I can tell). We'll see what they offer.

My other hesitation is that I'd be walking away from about $40,000 in bonus/vesting RSUs at my current job that would have come out in February. Is it reasonable to ask for this as a signing bonus? What does a reasonable signing bonus look like?

For reference, this is in the SF Bay Area, where salaries are quite inflated, and although I match the skill set damn near perfectly (and know that I could do this job EXTREMELY well), I am not sure what a reasonable salary range is for a CCNP Net Eng with very recent extensive experience in Palo Alto/Panorama/Prisma/Clearpass.

That being said, I'm very comfortable and reasonably happy at my current job so if it doesn't work out, I'm only out a few hours worth of interview time.



What is a recommended firewall for a small business?

Our network and domain is pretty small. We took over a retiring business and are trying to restore the network.

The network looks like this: Main ISP Wireless Router > 5-port Switch (this mini switch splits to another network segment for another isolated office) > 15-port switch for our own internal network.

The ISP wireless router has limited firewall capabilities. Is there any true FW device you would recommend (that is fairly easy to configure)? Based on my knowledge, the FW would need to be placed in front of the 15-port switch. I’ve looked at Cisco Meraki MX86 and it seems straightforward.

Thanks!



Dell OS

Enterprise networking noob question here. Mostly I own Unifi kit, but I'm looking to invest in some second-hand Dell switches. I'm particularly looking at the S5148F-ON for 25G links.

What is the situation with firmware on Dell switches without a support contract? Am I going to be stuck with the software they’re currently running? Or is there an upgrade path?

Would I be better off running a different switch OS via ONIE? If so, what would you recommend?



Limited downstream speed in Wifi in university

Hello,

I am a student at a university where the downstream speed on WiFi has been limited for sites other than those belonging to the university (limited to 0.4 Mbps). The upload speed is very good (40 Mbps).

On the fixed workstations of the school, no throttling is applied (40 Mbps down and up).

This is a handicap for working in the school, especially since the 4G networks do not get through the walls...

I tried several things without success:

- Use a VPN -> doesn't work, throughput still throttled

- Connect on different ports: 80 & 8080 (HTTP), 443, ...

- Use a proxy

- Change DNS server

- Change IP address

If I connect to the school WiFi, I get an IP address starting with 10.33.169.xxx; on a fixed workstation I get an address in 10.33.1.xxx.

On WiFi I'm on a different subnet; however, I can ping the 10.33.1.xxx addresses. But I can't set a fixed LAN IP address in 10.33.1.xxx.

I wonder if you have solutions to suggest to me. Some leads to explore...

Thanks!



Sockets and Personal Hotspot

Say I had two computers connected to the same personal hotspot on my phone, would I be able to use Sockets/Python to connect between them? I am absolutely new to networking so I apologize if this is a stupid question.



Friday, November 19, 2021

10Gbps speed not achieved

Based on the network diagram.

Network-diagram

I'm not getting a 10Gbps connection to my VMs, although the link speed is showing 10Gbps. I've installed the necessary drivers.

Is my L3 switch (1Gbps) the limiting factor here?



SNMP scan a list of IPs?

What I'm looking to do is automate running an snmpget of a specific OID against a list of IP addresses to gather the firmware version of Cisco switches.

I'd also like to export the string response to a text or CSV file so I can add it to a spreadsheet.

I have access to SolarWinds Engineer’s toolset but can’t find out how to run an SNMP sweep for a specific OID.

Would anyone be able to recommend a simple way for me to accomplish this task?

Thanks in advance!
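One way to do the sweep described in this post, as an added example that is not from the original post or any commenter. Assumptions: net-snmp's snmpget is installed, the OID is sysDescr.0 (1.3.6.1.2.1.1.1.0, whose value on Cisco IOS contains "Version <x>"; substitute the OID you actually need), the target list is one IP per line, and SNMPv3 authPriv credentials come from the environment (v1/v2c community strings cross the wire in cleartext, so v3 is preferred for polling switches).

```python
"""
Added example: poll one OID on a list of switches with snmpget, extract the
IOS version string and write the results as CSV.  The hostnames, OID choice
and credential variable names are assumptions, not from the original post.
"""
import csv
import os
import re
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor

OID = "1.3.6.1.2.1.1.1.0"   # sysDescr.0 (assumption; replace with the OID you need)
VERSION_RE = re.compile(r"Version\s+([^,\s]+)")


def extract_version(sysdescr):
    """'..., Version 15.2(4)E7, RELEASE SOFTWARE ...' -> '15.2(4)E7' (None if absent)."""
    m = VERSION_RE.search(sysdescr or "")
    return m.group(1) if m else None


def snmpget(ip, oid, timeout=10):
    """Run snmpget (SNMPv3 authPriv) and return (value, error); one of them is None."""
    cmd = ["snmpget", "-v3", "-l", "authPriv",
           "-u", os.environ.get("SNMP_USER", "monitor"),      # placeholder v3 user name
           "-a", "SHA", "-A", os.environ.get("SNMP_AUTH_PASS", ""),
           "-x", "AES", "-X", os.environ.get("SNMP_PRIV_PASS", ""),
           "-Oqv",              # print only the value, no OID prefix or type
           "-t", "3", "-r", "1",  # 3 s timeout, 1 retry, so a dead switch does not stall the sweep
           ip, oid]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout, check=True)
        return out.stdout.strip().strip('"'), None
    except (subprocess.CalledProcessError, subprocess.TimeoutExpired,
            FileNotFoundError) as exc:
        return None, str(exc)


def poll(ip):
    """One CSV row per switch; failures are recorded instead of aborting the sweep."""
    raw, err = snmpget(ip, OID)
    return {"ip": ip, "version": extract_version(raw) or "",
            "sysdescr": raw or "", "error": err or ""}


def sweep(ips, workers=16):
    """Query all targets concurrently; order of rows matches the input list."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(poll, ips))


def write_csv(rows, path):
    with open(path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["ip", "version", "sysdescr", "error"])
        writer.writeheader()
        writer.writerows(rows)


if __name__ == "__main__":
    # usage: python snmp_sweep.py targets.txt versions.csv
    with open(sys.argv[1]) as fh:
        targets = [line.strip() for line in fh if line.strip()]
    write_csv(sweep(targets), sys.argv[2])
```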



software to convert a connection table to a topology diagram

I have a large table describing layer 1 connections between nodes. Each row represents a physical connection between two devices. There are columns representing device A, port A, device B, port B, and connection type (like serial or ethernet). There is (ideally) no differentiating device A and device B, they're just connection endpoints and reversing them doesn't change anything.

Yes I know you can "import" excel spreadsheets into Visio, but it doesn't add the connectors automatically, and you can't even label the endpoints of connectors at all, which I would think is a no-brainer for anything used to diagram networks. Automatic network discovery tools will not work. While these devices are always connected, most of them are powered off most of the time, and some connections have strict firewalls that I do not control in between.

This table is part of a larger inventory tracking database. Most of our assets are actually disconnected from any network, whether or not they're always powered on.
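The following is an added example, not part of the original post: it reads a connection table with the columns described above, treats each row as an undirected link (so an A/B row and its B/A mirror collapse into one edge), and emits a Graphviz DOT graph in which every edge end is labelled with its port via headlabel/taillabel, which is the endpoint labelling the post says Visio lacks. The sample table is constructed for the demo; column names and connection types are assumptions.

```python
"""
Added example: layer-1 connection table -> Graphviz DOT topology with
port labels on both ends of every connector.  Render with:
    dot -Tsvg topology.dot -o topology.svg
"""
import csv
import io

# Constructed sample table (column names are assumptions).  Row 2 is the
# reverse of row 1 and must not produce a second edge.
SAMPLE_CSV = """device_a,port_a,device_b,port_b,type
core-sw1,Gi1/0/1,dist-sw1,Gi0/1,ethernet
dist-sw1,Gi0/1,core-sw1,Gi1/0/1,ethernet
core-sw1,Se0/0/0,wan-rtr1,Se0/1/0,serial
dist-sw1,Gi0/2,ap-01,eth0,ethernet
"""

EDGE_STYLE = {"ethernet": 'style="solid"', "serial": 'style="dashed"'}


def load_links(text):
    """Parse the table; key each link by its sorted endpoints so direction is irrelevant."""
    links = {}
    for row in csv.DictReader(io.StringIO(text)):
        end_a = (row["device_a"].strip(), row["port_a"].strip())
        end_b = (row["device_b"].strip(), row["port_b"].strip())
        key = tuple(sorted([end_a, end_b]))
        links.setdefault(key, row["type"].strip().lower())
    return [(a, b, kind) for (a, b), kind in links.items()]


def _q(text):
    """Quote a DOT identifier/label, escaping embedded double quotes."""
    return '"' + text.replace('"', '\\"') + '"'


def to_dot(links):
    """Undirected graph; taillabel/headlabel carry the port names at each end."""
    lines = ["graph topology {", "  node [shape=box];"]
    devices = sorted({dev for end_a, end_b, _kind in links for dev, _port in (end_a, end_b)})
    for dev in devices:
        lines.append(f"  {_q(dev)};")
    for (dev_a, port_a), (dev_b, port_b), kind in links:
        style = EDGE_STYLE.get(kind, 'style="dotted"')   # unknown types still drawn
        lines.append(f"  {_q(dev_a)} -- {_q(dev_b)} "
                     f"[taillabel={_q(port_a)}, headlabel={_q(port_b)}, {style}];")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(load_links(SAMPLE_CSV)))
```

For the real inventory, replace SAMPLE_CSV with the exported table (csv.DictReader works on a file object just as well as on io.StringIO).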



Cloud Hosted VOIP (Fuze Issues)

Having an issue with a new implementation of cloud hosted VOIP via Fuze and I was curious if anyone else has struggled with Fuze (or any other vendor) over the internet.

The problem we are having is that after a SIP INVITE has reached a ring group and one phone picks up, the server sends SIP CANCEL to all phones that did not answer in that ring group, but occasionally we are getting SIP CANCEL packets lost in transmission to phones. The result is that the phone that did not rx the SIP CANCEL rings until its ring time has been reached or there is manual intervention.

Understanding that per RFC 2543 a phone's response should be 200 OK or 487 REQUEST TERMINATED if a CANCEL is rx'd, are there any vendors re-transmitting these SIP CANCELs for phones without a response returned?

Follow up, to those of you who use consumer grade circuits at your locations and hosted VOIP, do you have any issues with running SIP over TCP and standard internet packet loss? We are QoS'd to our edge honoring EF, CS3, AF41 - so the issue seems to truly reside on the internet with the loss.

Anyway, curious to hear about all the struggles of your hosted VOIP implementations so we can vent together.

Cheers! (is it okay that it's ONLY my 4th glass of the fire water today so far?)



Can someone explain why I configure a static route to a loopback network on another router?

I am doing a networking lab for school. I have configured two routers, one with a created loopback address. One of the steps in the lab is to create a static route, from the one router to the other, for its loopback network.

Is this to direct traffic that is meant to the loopback network from the router without the loopback address to the router with the loopback address? What exactly is the point of this? Why does someone need to get into the loopback network from outside the router?

Thanks!



Vendor-Independent SD Access/Access Layer Microsegmentation

We have a project going on to implement "personalized networking" -- essentially, microsegmentation at the access layer. Focus right now is around 802.1X, ISE, and TrustSec. Discussions about DACLs after determining device type, but that's pretty well been rejected. Focus is on platform limitation of ACE entries (regardless of platform, but think Cisco and Juniper) as the biggest objection. Goals are to provide device classification, limit east/west traffic, and eliminate VLAN changes (current NAC uses that, what a nightmare).

What are people doing out there for vendor-independent microsegmentation-type solutions? I know EVPN has Group-Based Policies that can carry SGT information, and I've read that, theoretically, Cisco can advertise SGTs through GBP, but understanding in a unified way what's possible and what's out there these days is kind of nebulous. Cisco would want us to do -- ACI, I think? -- and Juniper would want us to do Mist.

This is a large hospital/medical environment, 100K access ports out in the network, so this is a large undertaking. Catalyst 9300 is our typical access switch, we've got some Juniper EX4300s out there, and we're waiting for more information/test gear of the EX4400. That said, we're open to the idea of third party/white box switching, so don't focus solely on Cisco/Juniper.

Whatever we do, we've worked hard to get rid of proprietary protocols over the last several years and want to minimize the dive back into them as much as possible. Pretty certain SGTs are in our future, but using GBP instead of SXP is a plus. VXLAN/EVPN control plane instead of VXLAN/LISP is a plus. Etc.



Router, cisco or unifi

Hi all. My company has a 4321 with a fibre leased line coming into the property. They are wanting to upgrade this to a UniFi Dream Machine Pro. Is this a good idea?



Anyone burned out?

I'm soo burned out over covid, short staffing etc, anyone else?



Cisco Catalyst 9300 link failover

I have an ASR router that has a single connection to the ISP. That router is connected to a Cisco 9300 switch via 2 links. I want 1 link to act as the active link and 1 link to act as the backup link. When the active link fails, I want all traffic to pass through the backup link automatically. How do I do that on the router/switch?



Mikrotik Groove Antenna Help

I recently purchased a Mikrotik Groove wireless antenna, and have had a hard time finding clear and concise directions to even a basic setup. I have a windows computer with WinBox control software.

My goal is to plug the antenna into an existing network switch without built-in WiFi and connect wirelessly to the network.

Any direction or link to resource would be appreciated.



Extending ethernet 500ft away - ethernet extender or uplink another switch in the middle?

Hi All,

Planning on putting 10-12 systems on another floor in my building. We estimate about 500ft of backbone run. I am deliberating between an Ethernet extender pair kit such as the Tupavco TEX-100 or cutting the backbone somewhere around 250' and uplinking a gig switch. I'm leaning towards the gig switch because it'll only be a 2nd leg. At the endpoint we'll place a distribution switch for PoE to phones and workstations. With the TEX-100 I'd max out at 100Mbps, but it would be a single segment up through the floors. Thanks for your advice and Hafa Adai!



Juniper MX960: RE 0 "0x100 reset from debugger"

Hello r/networking!

I've got a Juniper MX960 with dual RE-S-1800x4 routing engines. Last night, RE0 went offline and GRES changed RE1 to master. Investigating, we have found that:

- all the logs say is "re0 noped out, here are 50 different processes complaining about not being able to talk to re0 any more"

- RE0 was "0x100 reset from debugger"

Running JUNOS 19.4r3s1.

Any suggestions? Unfortunately I don't have an active support contract, or I'd be on the phone with JTAC already. I appreciate any assistance you experts may have. Thank you!



Multi-gateway load balancing

I'm trying to load-balance traffic (all ports) between multiple gateways (VMs) to test a product from my enterprise.

See the following schema:

```
                      ---> GW1 ---
                    /              \
<client1> ---> <load balancer> ---   ---> <web server>
                    \              /
                      ---> GW2 ---
```

Explanations:

I want the client1 traffic to go randomly (round robin) through GW1 or GW2. In this example I only have 2 gateways (GW1 and GW2), but in reality I plan to have many more of them. Same for the clients. What I call "gateways" (GW1 and GW2) are VMs. So I don't want to load-balance traffic between network interfaces, but between multiple IP addresses.

I saw many docs / topics online about "standard" load balancing, but there are very few docs about what I'm trying to do (it looks like it's called "multi WAN" or "multipath routing").

I saw things like:

```
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oif "eth0" snat to xxx
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        #dnat to numgen inc mod 2 map { 0 : <gw1>, 1 : <gw2> }
    }
}
```

But that's not what I want to achieve: this config (located on the machine I called <load balancer> in the schema) changes the flow destination, so the flows try to connect to GW1 or GW2. But I want to route the traffic through GW1 or GW2.

I also saw things like iptables / nftables marking the flows so that the flows are routed to a specific gateway.

VyOS looks interesting for what I plan to do, but I haven't tested it yet: https://docs.vyos.io/en/latest/configuration/loadbalancing/index.html

There is also ECMP, and a project called nftlb...

I want to:

- Load-balance any type of traffic (ICMP / UDP / TCP / etc.) through multiple gateways

- Be able to change the configuration easily (VyOS API looks interesting...) without restarting every time

- Be able to scale easily (many "gateways")

Can I get recommendations about what I want to do? In your opinion, what is the best solution? Any tips?

Thanks! Have a good day, bois!



pfSense, vpn in tap mode and vlan mapping to resolve conflicting vlans between 2 sites

Hi! Perhaps you have an idea. I've got 2 sites that need to be connected via VPN in tap mode. We have pfSense boxes for that. But the sites have conflicting VLANs. We're looking for a way to resolve this conflict using VLAN mapping. However, I'm not sure pfSense and its OpenVPN implementation can do that. Any idea how to resolve this issue? Thanks :)



Modern and "nice" type of "managed firewall order form"

Hi,

I have a question that is not very technical; I hope it is OK for this category.

I'm designing a new managed firewall service for our customers. Most MSSPs provide an Excel sheet to their customers to collect structured change requests.

I'd like to avoid M$'s overdosed Calculator and create a more comfortable tool.

How have you (MSSPs) solved this?
Webtool? PDF Form? Funky App?



Visited a sketchy http site for a second, did I fuck up ?

As the title says, I opened a suspicious site by mistake from the first page of Google results. The issue is that the site is HTTP, not HTTPS, and the name is just an IP. Did I expose my machine just by clicking on it for 2 seconds? I'm not sure if I'm allowed to post it here, so if anyone is interested I can PM the site.



Recommendations on physical server to buy to run small scale VPN?

I'm the IT technician for a small company that for various reasons requires a VPN into their physical in-office network. Has to be a physical computer, can't be via a cloud provider.

I'm currently looking at purchasing a server that can serve up to 30 concurrent users connected to the network at once. I've set up VPNs before but not at this scale, so are there recommendations on what to look out for? Is there a go-to general-purpose rack server that works for this? Learning by doing right now :D



Any idea/process to follow to proceed with network segmentation when IT and OT are mixed together?

Hi all,

I did a lot of searching about this topic, but it's still not clear to me how to proceed.

So, first of all, my job is to separate the IT network from the OT network, as mentioned in a lot of regulations/standards and security best practices.

The network that I have to segment at the moment is an all-in-one network with devices, servers, surveillance, and ICS.

Is there a process to follow step by step? Or do I just have to separate network elements used for IT from those used for OT?

Do I have to separate them based on function? Or location? Or both?

Thanks in advance!



Cisco ACI home lab - Real POD

Hello Guys,

Since I'm moving from NSX to ACI, and ACI is not really something you can have at home to practice on, I was thinking about building a home lab ACI pod. I checked on the internet and found something interesting in a blog: https://rcitnet.com/my-home-lab-aci-datacenter/ I found the series of switches he used on eBay, and the UCS server used is OK too, but my main and biggest doubt is the damn license!!!!!! I was trying to contact the blog writer but without luck. Can anyone please explain to me how licensing works for the same ACI pod as in the blog, how I can buy it, and how much it costs? And if you have any suggestions please let me know.

I appreciate your help guys



Opinion on Clearpass tech support

Hi there,

How is the Aruba Clearpass TAC? We are in the process of purchasing clearpass and with me being the only NetAdmin in my organization, additional support is key since I'll be fresh into learning the software. I have a 3rd party who will be installing/setting up & doing initial training with me & recommended I add in some additional consulting hours with them for later on top of getting the Foundation Care.



IKEv2 AnyConnect Cisco ASA

Hi Folks,

We have more than 8k users in our environment using AnyConnect with IKEv2/IPsec. I have seen a few of them who, after getting connected, are not able to access internal resources but can access some external sites.

If they connect using SSL everything works fine. I have had them test different ISPs in different locations to check whether it would resolve the issue, but it has not.

The user is able to resolve the internal resource, but it just times out when connected using IKEv2/IPsec. As I said, I have thousands of them, including myself, running without any issue.

I have also upgraded AnyConnect to 4.10.3104, but it has not resolved this weird issue with IKEv2/IPsec for them. My ASA is running version 4.10.

Has anyone else experienced this?



Dell network card

Hello

Do you know if I will be able to use this card to connect to a C3850 gigabit switch using a GLC-TE transceiver or similar?

https://www.dell.com/en-nz/shop/dell-dual-port-sfp28-10-25-gigabit-server-adapter-ethernet-pcie-network-interface-card-full-height/apd/540-bcno/i18n#techspecs_section

Thanks



Question: How does an ISP assign multiple public subnets to one link?

Today, the company received a notice that the customer's edge will need updated IP information. After inputting the new IP information, the connection immediately went up.

Does anyone know the physical and logical setup to allow these seamless subnet changes from ISPs?



Netflow bit rate and Interface Bit Rate

Hello!

I'm trying to understand some NetFlow v9 information. We have an NCS 5508 interface that always shows 5Gb up and 5Gb down.

But collecting NetFlow on this interface says that it only has a bit rate of 3.89 Mbps.

Does this make any sense?



Network query (Unmanaged switch vs Windows Server vs NAS)

Hi,

I'm by no means a network guy, so apologies in advance for missing any crucial information. I have included a network diagram of sorts to help explain the issue.

https://imgur.com/a/37GTVnJ

Our network is dropping, and I think it's due to over-utilisation by our NAS backups (software running on Windows Server). The server is taking in ~500Mbps (from the main NAS) and spitting out ~500Mbps (to the backup NAS) via our unmanaged switch.

Now, the switch itself can apparently handle 32Gbps of "switching capacity". Therefore, while the backups may go slow (as they may exceed the individual port's 1000Mbps capacity), what I did not expect is for the general office network to go slow as a result.

In fact, I think it has crashed internet connectivity entirely at peak times. There are between 10 and 20 office users who do not do anything else "network intensive" unless they are all on youtube 4k streaming without me knowing....

Long story short: why is our otherwise beefy internet apparently being affected by the backup procedure? I thought the switch would be able to safely route internet to the rest of the office. The server does not handle DHCP or, as far as I know, any internet function, so it puzzles me why the general internet is affected....



Questions about ARIN and legacy IP block fees?

Anybody here familiar with ARIN and their fee structure?

I have a "Direct Allocation" /24 network block which has been in continuous use since the mid-90s, registered to me personally as the POC and organization in ARIN's records. The address space is announced by my Tier-2 colocation provider via a consent form.

ARIN sporadically pushes me to sign an agreement, but is evasive about what sort of annual fee would be owed, and I cannot use the fee estimator on the website (error message is "Account Does Not Exist in ARIN's Billing System").

As a "Legacy" allocation, it appears I would be required to pay the minimum annual fee of $125 after I sign a LSRA, or $150/$250 if I sign the RSA?

What am I giving up by not signing up to pay the approximately 3% "ARIN tax" on the address space? Does it even matter as long as I have no intent to request an ASN nor sell/lease the block?



Extreme Partners in the UK?

We're not too happy with our current Extreme partners, due to useless account management and engineers that seem to be way too overloaded with work to focus on our projects.

Can anyone recommend a good partner? We need the engineers to know the products (VOSS and EXOS) inside out and actually be available once in a while, and the account managers to answer emails in less than a week.



Thursday, November 18, 2021

US LTE business internet without data caps?

I have a US branch office with a T1 connection that's being discontinued in the near future. I've inherited a half complete cutover to Verizon business LTE that gets throttled at 150 GB.

We've hit the data cap 3 times in nearly as many months for various reasons. The reasons get addressed, but this is a disaster waiting to happen when the T1 is gone. I'm working on getting a secondary LTE connection (bandaid IMHO) for failover, but that opens up a whole new set of problems relating to failover downtime, DNS record updates, VPN tunnels, VPN clients, etc. The hardware I have is dual SIM, not dual modem. But the root problem is a data cap on the site's primary business connection as far as I'm concerned.

Ideally I'd get a hardwired connection out there but it's going to take time and money, and this ended up on my plate at the 11th hour. Worst case scenario I throttle the connection so we can't possibly exceed the cap again. Improved bandwidth monitoring is on the agenda but I really don't want to babysit this.

Are there any US business LTE internet providers with unlimited data? Should I be looking into satellite (eww)? I wish Starlink was an option... Any advice would be appreciated. The office is in CA. Thank you.




What's the true core difference between DHCPNAK and DHCPDECLINE?

If DHCPNAK is (server-to-client)

And

DHCPDECLINE is (client-to-server)

but they both have similar purposes, in that if it finds another device is using the same IPv4 address, or it's a duplicate IPv4 address.

Is there any true core difference besides the fact that one is client-to-server and the other is server-to-client?

Thanks
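An added example, not from the original post or any reply, that puts the two messages side by side in RFC 2131 wire format: DHCPDECLINE is a client BOOTREQUEST carrying the address it found already in use (option 50) plus the server identifier (option 54), while DHCPNAK is a server BOOTREPLY that must carry the server identifier but must not carry a requested address. The MAC, xid and IP addresses are constructed values.

```python
"""
Added example: encode/decode DHCPDECLINE and DHCPNAK and check the option
rules RFC 2131 (section 4.3.1, table 5 and section 4.3.2, table 3) attaches
to each.  Addresses, MAC and xid are constructed; nothing is sent on the wire.
"""
import ipaddress
import struct

# Option 53 message-type codes (RFC 2132 section 9.6).
(DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPDECLINE,
 DHCPACK, DHCPNAK, DHCPRELEASE, DHCPINFORM) = range(1, 9)
OPT_PAD, OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 50, 53, 54, 255
BOOTREQUEST, BOOTREPLY = 1, 2                # 'op' field: client messages vs server replies
MAGIC_COOKIE = b"\x63\x82\x53\x63"           # marks the start of the options field
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # op..giaddr, chaddr, sname, file = 236 bytes

# What each message means (RFC 2131 sections 3.1, 4.3.2 and 4.4.1).
MEANING = {
    DHCPDECLINE: "client found the address already in use (e.g. via an ARP probe) after "
                 "DHCPACK; server marks it unavailable; client restarts with DHCPDISCOVER",
    DHCPNAK: "server refuses the client's DHCPREQUEST (address wrong for the subnet, "
             "lease unknown or expired); client restarts with DHCPDISCOVER",
}


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def build_packet(msg_type, xid, mac, server_id=None, requested_ip=None):
    """Return a complete DHCP payload (fixed header + cookie + options)."""
    op = BOOTREPLY if msg_type in (DHCPOFFER, DHCPACK, DHCPNAK) else BOOTREQUEST
    zero = b"\x00" * 4
    # htype 1 = Ethernet, hlen 6; ciaddr/yiaddr/siaddr/giaddr are all zero here
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0,
                         zero, zero, zero, zero, mac, b"", b"")
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if requested_ip is not None:
        opts += bytes([OPT_REQUESTED_IP, 4]) + _ip(requested_ip)
    if server_id is not None:
        opts += bytes([OPT_SERVER_ID, 4]) + _ip(server_id)
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_packet(data):
    """Decode op, xid and the TLV options (option values kept as raw bytes)."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, xid = data[0], struct.unpack("!I", data[4:8])[0]
    opts, i = {}, 240
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "options": opts}


def message_type(parsed):
    return parsed["options"].get(OPT_MSG_TYPE, b"\x00")[0]


def check_rfc2131(parsed):
    """List violations of the RFC 2131 option rules for DECLINE / NAK (empty = OK)."""
    opts, problems = parsed["options"], []
    mt = message_type(parsed)
    if mt == DHCPDECLINE:
        if parsed["op"] != BOOTREQUEST:
            problems.append("DECLINE is client-sent: op must be BOOTREQUEST")
        if OPT_REQUESTED_IP not in opts:
            problems.append("DECLINE must carry Requested IP (option 50)")
        if OPT_SERVER_ID not in opts:
            problems.append("DECLINE must carry Server Identifier (option 54)")
    elif mt == DHCPNAK:
        if parsed["op"] != BOOTREPLY:
            problems.append("NAK is server-sent: op must be BOOTREPLY")
        if OPT_SERVER_ID not in opts:
            problems.append("NAK must carry Server Identifier (option 54)")
        if OPT_REQUESTED_IP in opts:
            problems.append("NAK must not carry Requested IP (option 50)")
    return problems


def describe(parsed):
    """Summary: message type, who sends it, what it means, and any rule violations."""
    mt = message_type(parsed)
    direction = "server -> client" if parsed["op"] == BOOTREPLY else "client -> server"
    return {"type": mt, "direction": direction, "meaning": MEANING.get(mt, "n/a"),
            "violations": check_rfc2131(parsed)}


if __name__ == "__main__":
    mac = b"\x00\x11\x22\x33\x44\x55"                       # constructed
    decline = build_packet(DHCPDECLINE, 0x1234, mac,
                           server_id="192.0.2.1", requested_ip="192.0.2.50")
    nak = build_packet(DHCPNAK, 0x1234, mac, server_id="192.0.2.1")
    for pkt in (decline, nak):
        print(describe(parse_packet(pkt)))
```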



How did W. Richard Stevens die?

Why is it such a secret? You literally can't find anything on the guy, and especially on his death. Apparently the closest thing I found is that his family wanted to keep it a secret for some reason, but that he might've died from a rock climbing accident.

Was anybody here alive at the time that could provide some insight?



Ethernet autonegotiation

Today I solved a networking problem that was caused because the speed and duplex of a network interface on a printer was set to 100 Mbit/full duplex. Both the printer and the switch it was connected to were gigabit ethernet interfaces. With the switch set to autonegotiation I ended up with a link that was 100/full on the printer side and 100/half on the switch side. Printing seemed to work but users complained about scans being slow. After setting the printer to do autonegotiation I ended up with a gigabit link and everything was well.

My question: what would be a valid reason for using any other setting than autonegotiate other than "there was a problem so we fiddled with it and this seems to work"? Backwards compatibility for very old networking gear perhaps?



In a Unifi Controller, is it possible to set bandwidth throughput limits on an SSID as a whole instead of the users that are on that SSID? More in comments

Say I have 100 Mbps down from my ISP. Can I create an SSID in Unifi so that it only has access to 50 Mbps of my internet speed, regardless of how many users are on that SSID?

I know if you go to Settings > User Groups > you can create a user group and set specific Download and Upload bandwidth limits. Then you go to the SSID settings and assign that User Group to the SSID.

Will that limit the SSID as a whole to the limits set in the User Group or individual users that are connected to the SSID but still have access to 100 Mbps throughput?

Thanks for your time, I hope I've been able to explain myself well.



New Building Wiring (Cat5e/6/6a?)

TLDR: Does anyone have any recommendations for which CAT cabling to run from IDFs to endpoints? Bonus points for sources I can reference.

Greetings,

We are in the process of designing a new 55k+ square foot building, and I've been tasked with researching cable standards for the endpoints to connect back to the IDF. Things we are considering:

  • Future-proofing
  • VoIP phones may share the line with the computers to save on lines/switch ports
  • Current standard of 1 gig to endpoints
  • Cost/benefit
  • Growing POE requirements (VOIP phones, POS, WIFI APs)

We ran cat6a cabling in the last building we built, so we have the standing to request Cat6a for this building. However, my manager is wondering if we will ever see a return on our investment and if we should just install cat6 cabling in this building. Given that we are now running VOIP phones, I am inclined to think that cat6a cabling would be preferred, but I'm not finding much information on this; I would greatly appreciate a source online that I can point to. Is there a silver bullet in this day and age that tips the scale in favor of cat6a?

A few good articles I've already referenced:

Thanks



Trunk vs Access - Latency & Performance

Hello, I am assisting in a science project involving very precise timing (interferometry). I have a VLAN/trunking question regarding impacts on latency vs access ports. I am a computer monkey and know very little about interferometry other than it's dark voodoo magic science that uses lots of lasers and actually requires PNTP instead of NTP. I am not actually certain about the requirements on the latency side (I am operating under the assumption that we want to minimize latency as much as possible), this whole project has been a bit of a scramble actually as we're upgrading lots of equipment in anticipation of more projects.

Here's a simplified diagram of what we are doing: https://i.imgur.com/2yTlA1d.png

The proposed change to the diagram is changing the single trunk link between switch1 and switch2 to 3 access ports instead, similar to how switch1 and switch3 are connected.

Given the 3 links are 1Gig and the trunk is 10Gig, do we see any real impact on latency between 200,201,202A to 200,201,202B by using a trunk vs access port? Would using no vlans at all improve latency? Thanks for the input.



usb sfp nics at a sane price?

I'm looking for a reasonably well regarded USB to SFP interface similar to an Ethernet one, just a USB-C port on one side to plug a cable from the computer into and a bog standard SFP port on the other side. I have looked around but so far I have only found a couple, none of which were below $250 despite being about the same capability as a £10 RJ-45 adapter.

Use case is to plug a 1 gigabit fiber optic transceiver into some small form factor devices in a building that has fiber in the walls instead of copper.



ISP Fiber Handoff

Hello, we are getting a new internet service and the ISP required a fiber hand off. On their equipment they are using a Champion One 1000SFP10 to hand off the circuit to us. I looked at the datasheet for this SFP and it does not specify an ethernet standard. The only info I can find is that the wavelength is 1310 and the description states "10km Long Haul SFP". The website states universal transceivers all over it but I assume that means as far as slotting into various vendors' equipment. Is this some kind of universal transceiver as far as ethernet standards? Does the description imply 1000Base-LH/LX?

If anybody has any experience with this type of handoff I would appreciate your input before we go purchasing transceivers.



Network Segmentation Advice and Best Practices

Management has asked that I come up with a viable solution to let a partner agency utilize our network in various locations by installing end devices along with PoE switches, which they will manage and pull data from. The partner agency will essentially use our network backhaul data to their network. Full disclosure our network is mostly cisco and I’ve never had to connect to an outside network with the exception of ISP and VPNs.

Network background: Partner agency devices will be grouped in a separate VLAN. Those device gateways configured on layer 3 distribution switches as SVIs. Distribution switches have point-to-point links, advertise routes back to the core via OSPF. We have a patch panel in the data center that connects to agency.

Business requirements: Partner agency should only be allowed to access their devices; our subnets should remain unreachable to partner agency.

Initially, I wanted to create a separate VRF instance for them. This seemed like the most straightforward and cleanest approach. Turns out we have no dedicated fiber to spare. I was under the assumption I would need to assign each VRF instance to an interface? In other words, I could not run both VRF instances back on the same point-to-point link.

Here is what I’ve implemented so far. Partner agency routes come back to the core via OSPF as described above. Core connected to a newly configured layer 3 switch in datacenter under our control. Running iBGP between both core and new layer 3 switch. Advertising only partner agency routes via iBGP to new layer 3 switch in datacenter. Partner agency has connected pair of racked servers to our switch with the advertised iBGP routes so they can pull data from their end devices. (They have a second network connection from the servers to their own network switch in the same rack.) Their network switch connects to the patch panel which connects to their network.

They plan to install more servers from their DC in ours if needed over time. I thought it might be more efficient to run eBGP between our switch and their racked switch. Essentially, I’ll just hand them the routes they need and they can keep their servers in their DC. Does this seem like a good idea?

We are currently in the testing phase and I can’t help but think I’m missing something here. Is there an alternative approach that seems more logical?

I do have some security concerns. I planned to configure ACLs on the distribution switches to limit the inter-vlan routing of the partner layer 2 PoE switches. Any other suggestions would be greatly appreciated!

tl;dr

Connecting to an outside network, best way to segment traffic in terms of security and scalability.



Juniper MX104 NAT between routing-instances (VRF)?

I have been assigned a NAT pool that we are advertising via eBGP on an interface.

The eBGP routers are in their own routing-instance. How do I configure 1-to-1 NAT from the BGP routing-instance to another routing instance?

I read this post, but those commands are for a SRX, not an MX and do not work.



How Does a RADIUS Client/Supplicant Validate an Authentication Server?

Hey all,

Thanks in advance for your patience and time. I seem to have a fundamental misunderstanding about something. I am trying to understand how a RADIUS client/supplicant actually validates that the authentication server is who it claims to be.

When I go to a website like reddit.com in my browser--I typed that myself, and by extension my browser knows what service/platform I am trying to contact. We resolve the URL/DNS name to an IP address and establish a connection to that IP. My browser receives a certificate from the server when making that connection, and compares the common name on the certificate to the URL I typed in. If they match, the certificate is formatted correctly and my browser trusts the certificate authority that issued that certificate, then I can confirm that my connection will be encrypted, and that my traffic is going to the correct destination. If the common name does not match, then my browser gives me a warning: "Hey client, technically your communication will be encrypted when it is sent but we can't guarantee who is receiving this information on the other side--it seems fishy, do you want to continue?" Of course my browser usually makes many such connections to many webservers when I go to a single website, to pull content from different servers, but at the end of the day, we know what destination servers we want to talk to (URLs/DNS lookups), and can validate that the certificate belongs to those destinations (common name and trusting the issuing CA).

How in the world does this work with RADIUS? As the client I seemingly have no prior knowledge about the authentication server before I receive the server's certificate. I did not make a request to a specific destination--akin to typing in a URL in a browser--I am simply letting the authenticator arbitrate the communications between myself and the authentication server. Every explanation about the process I have come across seems to gloss over this idea. Does the client actually forego validating the identity of the server? Does it just say "the presented certificate is in the correct format, I am happy with the format of the common name and subject alternative name fields, the appropriate extended key usage type(s) are designated for this purpose of RADIUS authentication and I trust the root CA who issued the certificate--that's good enough!"? Under what circumstances would the client question the info contained in the CN and SAN fields of this certificate?

Bonus points to anyone who wants to elucidate exactly what is needed to create a valid (for all endpoints) third-party-signed certificate to be used in RADIUS authentication (I know wildcard certs are supposedly a no-no), but this information seems to be more readily available via Google than the answer to my previous question (even though there might be some conflicting info out there).

Thanks for your time!
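As an added illustration (not part of the post, and not any supplicant's real code), here is a model of the check a supplicant can make: with only a trusted CA configured, any server certificate from that CA passes, which is the "good enough" case the question describes, while an additionally provisioned expected server name (modelled on wpa_supplicant's domain_suffix_match; its label-wise semantics are an assumption here) is what ties the certificate to the intended RADIUS server. The certificate fields and profiles below are constructed.

```python
"""Model of the decision an 802.1X supplicant makes about a RADIUS/EAP server
certificate. Added illustration, not code from the post or from any supplicant
(assumption: it mimics the semantics of wpa_supplicant's ca_cert and
domain_suffix_match settings, with certificate fields already parsed)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ServerCert:
    """Fields a supplicant inspects after the TLS handshake inside EAP."""
    issuer: str                 # CA that signed it
    subject_cn: str             # Subject common name
    san_dns: Tuple[str, ...]    # subjectAltName dNSName entries
    eku: Tuple[str, ...]        # extended key usage names


@dataclass(frozen=True)
class SupplicantProfile:
    """What the client is provisioned with before any server is contacted."""
    trusted_cas: Tuple[str, ...]
    domain_suffix_match: Optional[str] = None   # expected server name suffix


def suffix_match(name: str, suffix: str) -> bool:
    """Label-wise suffix comparison: 'radius1.corp.example' matches
    'corp.example', but 'evilcorp.example' does not."""
    name = name.lower().rstrip(".")
    suffix = suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def validate_server(cert: ServerCert, profile: SupplicantProfile) -> Tuple[bool, str]:
    """Return (accepted, reason) for the presented server certificate."""
    if cert.issuer not in profile.trusted_cas:
        return False, "issuer is not a trusted CA"
    if "serverAuth" not in cert.eku:
        return False, "certificate is not usable for TLS server authentication"
    if profile.domain_suffix_match is None:
        # Nothing ties the certificate to *our* RADIUS server: every server
        # certificate issued by the trusted CA is accepted.
        return True, "accepted: trusted CA, no name constraint configured"
    names = cert.san_dns or (cert.subject_cn,)
    if any(suffix_match(n, profile.domain_suffix_match) for n in names):
        return True, "accepted: trusted CA and server name matches"
    return False, "server name does not match the expected domain"


# Constructed sample certificates (not real).
CORP_RADIUS = ServerCert("Public CA", "radius1.corp.example",
                         ("radius1.corp.example",), ("serverAuth",))
OTHER_SERVER = ServerCert("Public CA", "www.unrelated.example",
                          ("www.unrelated.example",), ("serverAuth",))
SELF_SIGNED = ServerCert("Self-signed", "radius1.corp.example",
                         ("radius1.corp.example",), ("serverAuth",))

# Profile with only the CA pinned (the "good enough?" case from the post).
CA_ONLY = SupplicantProfile(trusted_cas=("Public CA",))
# Profile that also carries the expected server name.
CA_AND_NAME = SupplicantProfile(trusted_cas=("Public CA",),
                                domain_suffix_match="corp.example")

if __name__ == "__main__":
    for label, cert in [("corp RADIUS", CORP_RADIUS), ("other server", OTHER_SERVER),
                        ("self-signed", SELF_SIGNED)]:
        for pname, profile in [("CA only", CA_ONLY), ("CA + name", CA_AND_NAME)]:
            ok, why = validate_server(cert, profile)
            print(f"{label:12} / {pname:9}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```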



All pc's in a network shutting down during a specific time stamp

Well, I am in charge of troubleshooting and fixing a network consisting of approx. 100 devices (PCs), and a weird thing keeps happening each day: the PCs turn off at around 1:16, some at 1:17 and some at 1:18, not all at the same time, which made me lost. I don't have PC auto-shutdown or wake-on-LAN scheduled shutdown at that time. What I tried to do to fix it, but couldn't:

  • Formatted a lot of them and reinstalled Windows
  • Ran Wireshark on it to check if it's receiving any packets from wake-on-LAN or remote shutdown to shut down; couldn't find any
  • Checked Event Viewer to check events before the PCs shut down and also couldn't find anything related

Note:

  • All the PCs are part of a single domain
  • No faulty hardware on the PC side for sure



Network folder issue

A question. We have a machine that produces a secured process report in PDF format. It stores to USB but should also be able to send the file via FTP for storage in a network folder. IP address, port number, username and password are OK, there is a link, but the files are not being stored in the dedicated network folder. So the machine sends but nothing is received. What could be the cause? Firewall?



What should throughput speed be for a 10gbe file transfer?

On a 1gbe file transfer, I know that you will top off around 940Mbps or about 118MB/s file transfer. Would like to see what some real world examples are of a 10gbe connection.

I did look at previous posts, but don't see something like this answered, thank you!

  • million 2gb files
  • One direction
  • no contention
  • assuming no issues on network, source, destination, hops in between wide open and at 10gb capacity as well
  • Copy method can push as many threads as needed to fully saturate line


New internet line. 1 wire, 5 IPs

Hello, we are in the process of upgrading our internet line and our new ISP said that we'll be getting one wire from them and that we're entitled to 5 public IPs.

My question is, can I put this cable on a (L3?) switch and configure specific ports on the switch to pick only one of the available IPs? What I'm looking for is to split this one cable the ISP is giving me, to 5 individual ones, but each of them to be able to only obtain the IP I want.

Example

Cable from ISP coming in to the building ( 192.217.22.1/29 )
        |
        |
   L3 switch? Port 1
        |
        |
     --Port13 -- Router ( 192.217.22.2 )
     --Port14 -- Router ( 192.217.22.3 )
     --Port15 -- Router ( 192.217.22.4 )
     --Port16 -- Router ( 192.217.22.5 )
     --Port17 -- Router ( 192.217.22.6 )

What I effectively need to do, is to be able to give a cable from let's say port 15 of my switch, to someone with a router of their own and tell them that they can use 192.217.22.4 as their public IP without them being able to get any of the other IPs.

I would also like to be able to allocate bandwidth ratio for each port/IP.

Is this something an L3 switch can do? I might even be approaching this thing wrong.

Thanks in advance.



Snooping with LAG - Brocade switch

Hello everyone,

I need to configure DHCP snooping, but I have the following problem:

Hosts are connected to brocade switch1 and DHCP Server is connected to Switch2. These switches are connected with 2 interfaces and there is Link aggregation group(LAG) configuration.

I have configured DHCP snooping for VLAN and made these 2 interfaces trust, but PCs can not receive IP addresses from DHCP, Switch1 blocks DHCP reply.

I think the problem is caused by the fact that the LAG itself is not trust. I tried to configure LAG as "DHCP snooping trust port", but there is no command to do this.

Does anyone know if Brocade have support to make LAG as DHCP trust?



Wednesday, November 17, 2021

Is it possible to create InterVlan in this type of network?

I have two networks, one 192.168.10.64/28 and 200.10.45.128/26, and I want to create intervlan between them. Is it possible? Or do both networks need to share the same network?



Allowing Pelco VMS on a Dell 3930 Server remote access thru Sonicwall

I need assistance trying to set up either a VPN/SSLVPN or port forwarding of some sorts to allow an offsite server to communicate with the on-site server that’s behind a Sonicwall TZ400. Or maybe there is an easier way to achieve this end result. Open to suggestions.



Assigning a public IP to a L3 switch

Hey,

Is it good practice to assign a public IP to a L3 switch to be managed remotely?

And would turning off web GUI via cli help to limit some security risks by opening a switch to the public?

Or would doing a site-to-site VPN be a better option to manage that switch.

Just want to hear from some gurus on here on the risks of opening my switch up to a pub IP.

Thanks!



VPN Works, but not quite

I was wondering if anyone could shed some light on an issue I'm having with a TP-Link, as I'm not familiar with those. I did a quick sketch to give a general idea.

My network runs off a Cisco RV325 router. It's connected to my cable modem and does the usual router stuff. DHCP, port forwarding etc. On my network, I have 3 servers running Proxmox to muck around on.

I recently bought a TP-link Archer A6 router to rebuild some sort of wifi, since the free Meraki license expired. I plugged it into the modem (a router, really), got an ip, and created a separate network. To get both networks to reach each other, I configured a port on the Cisco to reside on the Archer's network, then connected them. They can see each other, ACL's and routes allowed devices on either network to see on the other side. Everything works.

Now I left home for a couple weeks. I saw that the Archer had openvpn, so I gave it a try. It worked, but with one caveat. I was on a 192.168.3.0 network, as configured on the Archer (You can't use the same subnet as the DHCP pool). Aside from being on this new network, I couldn't reach the 192.168.4.0 hosts. So naturally, I did the normal route to the 3 network (Can't double up on 4), and created a vlan for that subnet on the Cisco, and got the ACL's done. Still doesn't work.

So from VPN: I can ping the vpn gateway (the 3 network default gateway) I can ping the 2.0 default gateway I CAN'T ping the Cisco's interface that's plugged into the Archer. (192.168.4.250)

If anyone knows TP-Link routers, is there anything that would allow a vpn client to reach the local network, yet not allow them to access any other networks?

On the Cisco side, will the Cisco block traffic from the vpn subnet because it's coming from the Archer, even though the ACL's are there for it? Traceroutes stop at the Archer as well.

This was tested using a phone as a hotspot, then the connection at my remote location. If anyone has any idea what's up, please lend a hand, thanks.



Am I doing something wrong with the VLAN?

I am having some major issue with a getting this to work.

  1. I have a chelsio t540 using port 0 is going to a DVSwitch Uplink while Port 1 using as an iSCSI Offload adapter. port 0 is DV uplink utagged. port 1 is VLAN11 10.30.30.231/24 I also have VLAN10 192.168.10.1/24 for iSCSI Multiplath.

There isn't anyway to assign a VLAN in ESXI for the iSCSI Offload adapter. So I have been using the switch (Dell PowerConnect) to put it in VLAN11. I have tried Access mode, General Mode, and Trunk Mode. the only way I have been able to get it to "work" was to use General Mode assign PVID=11 and VID=11U to the port where the T540 port 1 is connected to. however the outcome is not what it is expected.

I feel like I might be missing something in my configuration.

NOTE: If I setup a VMKernel Adapter for the T540 Port 1 using VMWare's software iSCSI, everything works as intended. Provided that I set up a VLAN Tag on the VSSwitch and setting General Mode VLAN11 Tagged. But I am trying to use the card as intended without the VMWare software iSCSI drivers.

Here are the ping results from the iSCSI Target:

datanas: ~# ping -S 10.30.30.1 10.30.30.231  <---- THIS IS RIGHT

PING 10.30.30.231 (10.30.30.231) from 10.30.30.1: 56 data bytes

64 bytes from 10.30.30.231: icmp_seq=0 ttl=64 time=0.292 ms

64 bytes from 10.30.30.231: icmp_seq=1 ttl=64 time=0.258 ms

64 bytes from 10.30.30.231: icmp_seq=2 ttl=64 time=0.259 ms

^C

--- 10.30.30.231 ping statistics ---

3 packets transmitted, 3 packets received, 0.0% packet loss

round-trip min/avg/max/stddev = 0.258/0.270/0.292/0.016 ms

datanas: ~# ping -S 10.30.30.1 192.168.10.231 <----THIS IS RIGHT

PING 192.168.10.231 (192.168.10.231) from 10.30.30.1: 56 data bytes

^C

--- 192.168.10.231 ping statistics ---

6 packets transmitted, 0 packets received, 100.0% packet loss

datanas: ~# ping -S 192.168.10.1 10.30.30.231  <----THIS SHOULD NOT BE PINGABLE!

PING 10.30.30.231 (10.30.30.231) from 192.168.10.1: 56 data bytes

64 bytes from 10.30.30.231: icmp_seq=0 ttl=64 time=0.305 ms

64 bytes from 10.30.30.231: icmp_seq=1 ttl=64 time=4.873 ms

64 bytes from 10.30.30.231: icmp_seq=2 ttl=64 time=0.215 ms

64 bytes from 10.30.30.231: icmp_seq=3 ttl=64 time=0.221 ms

64 bytes from 10.30.30.231: icmp_seq=4 ttl=64 time=0.236 ms



Is isolating domain controllers on dedicated VLAN pointless?

Does it increase security in any way when all the domain joined systems and any non-joined system that needs to be joined to the domain still needs to be able to reach the domain controllers and have SMB access to SYSVOL etc..?



How to Integrate LTS(NVR) with JMSC POS system?

I was trying to integrate a POS system with LTS. I was not able to do it. I think I am not adding the correct port numbers in the NVR and POS system. So what do we need to fill in for the playback port and text-ins port (in the POS system) and port no. (in the NVR POS settings)?

Sorry for my English!



IPERF shows 10 mbs on Azure express route?

I tested our express route with IPERF - running an instance as server at our on prem dc and the other instance on a VM in Azure. I'm getting 10 mbs tops bandwidth. I also tested bandwidth between VMS in Azure just to make sure IPERF was valid. I got 1.5 gb. We have a couple of Palo firewalls and as a test I took a test VM and instead of routing it through the Palos I routed directly to express route. Same result. 10 mb. I opened a ticket with Equinix but so far they've reported everything looks good on their side. I don't know what else to look at? maybe IPERF is not right. Although judging by complaints I've been getting regarding file transfers, I'm not too sure. Our express route bandwidth is 200mb.



TDM signaling change, Life safety and cost increase, what do?

So I have a strange and frustrating situation and am hoping someone has has something similar and can give advice. I manage a campus with 20 plus buildings. Each building has a fire alarm panel (Life Safety) and they all plug into TDM with PSTN hand off service form our provider (type 2). This is outside our phone systems for the best resilience. We received notification from them over a month ago that the cost of service was going up from $1200 to $8000 dollars due to that technology being phased out and wanting us to upgrade.

They have been almost nonreceptive to our questions. Does anyone have anything similar? How do you run the life safety equipment from your own organizations? Any recommendations on escalating with in the provider? Other channels I can contact through?



Weird multicast address right in the middle of my scope

So I have a issue where my wireless controller is not responding properly. I have an 8.0 subnet on a /23. When I try to ping 9.36 from anything on the 8 it does not respond. If I try to ping 9.36 from anything on the 9 then it responds fine. Here is where it gets odd. Arp is showing a multicast address on 9.36. 00:00:5E:00:01:01. Computers with a 9 address show the same arp entry. What is this multicast address?



Check if AP x has internet access from device on AP y

Hello, I have two wireless access points and I want to programmatically check if access point X has internet access using a device that is attached to access point Y. Is this possible?

EDIT: Assuming no dedicated devices connected to X



Local PC can't ping DC

Hello everyone,

I have two Windows Server 2019 servers, the DC is called DC_RRAS. the other server is called Member_RRAS which is a memberserver with the RRAS role installed, both in the same domain named Rras.com. There's also a client which is not in the domain. This client has to ping to the DC via the Member_RRAS memberserver. Member_RRAS has two NIC's, one for the public network and one for the domain. See the network configuration down below:

DC_RRAS network configuration:

IP address: 192.168.2.12

Subnetmask: 255.255.255.0

Default gateway: 192.168.2.1

DNS server: 127.0.0.1

Member_RRAS domain network configuration:

IP address: 192.168.2.14

Subnetmask: 255.255.255.0

Default gateway: 192.168.2.1

DNS server: 192.168.2.12

Member_RRAS public network configuration:

IP address: 201.6.12.10

Subnetmask: 255.255.255.0

Default gateway: -

DNS server: 192.168.2.12

Client network configuration:

IP address: 201.6.12.11

Subnetmask: 255.255.255.0

Default gateway: 201.6.12.10

DNS server: -

I can ping from the client all the way to the NIC from Member_RRAS IP address 192.168.2.14. The problem is that I have to ping to DC_RRAS but when I ping it shows request timed out.

Is there a way to reach the DC from the client via RRAS or another solution?

See pic down below on how it is situated (Routers represent the servers):

https://imgur.com/SVTZEax



Best Network Monitoring tool for my situation

Hello,

I run the network at a satellite office and need a way of testing the performance of our new line as we have had reports of drops etc. Can anyone recommend a fairly basic network monitoring platform (freeware/open source/premium) which can run either as a docker or full VM?

Thanks in advance.



Configuring Squid webpoxy

Hi,

I'm having difficulties with my .conf file to run my proxy server on. There are no errors, but the server allows continuous connections even though it's specified to allow them between the hours 9-12 and 12:30-17.

The selected IP's are called "IPGROEP1" and it's defined in the acl section.

acl werk_tijd time MTWHF 09:00-12:00
acl werk_tijd2 time MTWHF 12:30-17:00

And allowing them http_access to my network:

http_access allow IPGROEP1 werk_tijd
http_access allow IPGROEP1 werk_tijd2

The proxy does refuse connections when i put the line:

http_access deny IPGROEP1

above the other 2. When this line is put below them, the clients still load webpages.

Is it possible to let the proxy refuse connections between specified times?

And ideally, could I filter the proxy in such a way that certain websites aren't available between working hours (with pause included)?

Setup:

Intel Nuc
Ubuntu 20.04 LTS

ESXI VMware as hypervisor
edge router

there are 2 clients connected (VM's)
A Ubuntu and a Windows 10 edu

Thanks in advance :3
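An added squid.conf fragment (not the poster's configuration) covering both the time-windowed allow and the working-hours site block asked about above. It assumes the IPGROEP1 src ACL from the post is already defined, uses Squid's day letters (S M T W H F A, where H is Thursday and T is Tuesday), and relies on http_access being evaluated top-down with the first matching rule winning; the blocked domains are constructed examples.

```squid
# Added example, not the poster's config. Requires: acl IPGROEP1 src ... (as on the page).
# Squid day letters: S M T W H F A  (H = Thursday, A = Saturday, T = Tuesday only).
acl werk_tijd   time MTWHF 09:00-12:00
acl werk_tijd2  time MTWHF 12:30-17:00
acl werkdag     time MTWHF 09:00-17:00     # whole working day, lunch break included

# Constructed example domains to keep unreachable during working hours.
acl blocked_sites dstdomain .social.example .video.example

# http_access is first-match: these lines must sit ABOVE any broader rule
# (such as "http_access allow localnet") that would match IPGROEP1 first.
http_access deny  IPGROEP1 werkdag blocked_sites   # sites blocked 09:00-17:00
http_access allow IPGROEP1 werk_tijd               # everything else, morning
http_access allow IPGROEP1 werk_tijd2              # everything else, afternoon
http_access deny  IPGROEP1                         # outside those windows
```

Run `squid -k parse` after editing to confirm the ACL lines are accepted before reloading.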



L3VPN vs EVPN in service provider

I've always used VPLS and L3VPN (VPNv4) over MPLS and have been happy with the results. Never had much reason to explore EVPN.

I see the benefits of EVPN over VPLS for MAC learning. No arguments about dumping VPLS for EVPN.

But what about replacing L3VPN with EVPN? I can see the push to have the grand unified control plane... Is the experience the same?

-Do you have to mess about with IRBs in a pure L3 scenario? Is that just mixed L2/L3?

-Does an IPv4 EVPN prefix take the same amount of forwarding plane memory as an VPNv4 prefix?

This is controversial, but I've always done Internet in a VRF. Yes, it uses more forwarding plane memory, but it's a beautiful architecture to operate. Total control plane and forwarding plane separation. Full underlay/overlay. Your routing doesn't run in-band anymore. Don't have to do route leaking and rib-groups (on Juniper). It's nice, you should lab it up before you hate on it.

So the next radical step--consider this is service provider--if you're going to run EVPN everywhere, do you dump MPLS for VXLAN? What does that look like slushing around a full set of Internet routes in a VRF over EVPN?

It's all a bit too radical for myself, but VXLAN keeps getting attention. I bet Internet-in-VRF is already too radical for old service provider guys, lol.

Just some hypothetical discussion. I welcome the angry comments :-)



Block Inbound Geolocations with Cisco Firepower Management Center (FMC)

I am going to be setting up Geolocation blocking on our Firepower Management Center (v6.6.1) to block all inbound connections outside of North America. Does anyone have any guides/videos on the correct procedure for doing this? Everything I have found online is for older versions of FMC that look significantly different.

From what I have gathered so far, I’m going to go to Policies --> Access Control --> Edit the existing policy --> Add Rule --> Under “Zones” tab set action to “block” (or should it be “block with reset”?), set source zone to outside, leave destination zone on any, under “Networks” tab select “Geolocation” and add countries or continents to source networks box --> Set rule to Mandatory or position 1? --> Add --> Deploy

Does that look like the correct way of doing this? I rarely spend time in the FMC so I don't know if I am going about this correctly.

Thanks,



How and what tools do you use for brain dumping your networking notes

Recently I have been looking at the mass amount of notes I have acquired through my career to date in networking and out of curiosity wondering on other peoples note/wiki solutions. This isn’t for storing corporate data just notes for building configs, interesting faults/bugs, study notes etc that can comes with me with every new role.

Currently everything is in OneNote so I have access to it wherever I am or whichever device I am using. All broken down into service (routing, switching, wireless, firewalls etc.) then further broken down into vendor or technology. OneNote is great for ease of use and portability, but I'm really starting to dislike the lack of formatting structure, where it’s just too easy to drop images or text anywhere on the page. Was wondering about other people's note solutions - does anyone use some kind of markdown?



Automating netcool and or other snmp based alerting tools

Hi,

Has anyone been able to automate the initial checkouts for any of their alerting mechanism?

I'm thinking: an SNMP trap gets sent to some automation server, then a script is triggered to perform basic tasks and, dependent on that outcome, a ticket gets generated.

Any ideas?



How to switch automatically between 2 links when 1 falls?

I have 2 internet uplinks (100 mb main and 100 mb backup) that I will connect to a cisco switch. How do I configure the switch to switch to the backup link automatically in case the main link falls or do I have to do that from the router itself?



Small office VPN setup , help !

Hello,
Recently I had the idea to make our small office more secure.

I want to hide my main office IP because we share that IP for whitelisting

With our internet provider, we have a PPPoE connection and my plan is to route that connection, but I don't know how.

My plan is to get a cloud server with OpenVPN installed, get here a Linux server and make the PPPoE connection to the provider and the VPN connection to the cloud server and then share that connection to our router here.

I'm a noob on this networking stuff and i want to know if my plan is good and how I can make this or if you guys have other ideas



Unicast Use of the Formerly Reserved 127/8

Couldn't find this anywhere on this sub but thought people might like to see a draft the IETF is putting out around use of 127/8. I can't imagine the enormity of such a change

https://www.ietf.org/id/draft-schoen-intarea-unicast-127-00.html



Change IP in Juniper SSG140.

Hello guys, I have a question about which will be the best way to change an IP on an interface. I know it's possible by GUI/CLI; if I change this in the GUI and apply, the new one works quickly, I think. My question is, if I do it by command line only modifying the IP, are the steps that I will follow (1) correct, if I do not alter anything but the IP? Also, whether doing it by GUI is the best option. I am always going to be connected via console anyway. Thanks a lot.

(1)

unset interface ethernet2 ip (remove old ip)

set interface ethernet2 ip 10.1.23.1/24 (set new ip)



Issues with JunOS virtual router

I'm stuck with the following issue and need to solve it urgently

I received a public IPv4 /24 subnet at location A and want to use a part of it at location B. Locations have no private interconnection.

My approach was the following:

Create a GRE tunnel between location A (10.0.240.10/30) and B (10.0.240.9/30) --> works

Create a static route on A for the public subnet to point to B (route add x.x.x.32/28 next-hop 10.0.240.9 )

Here comes my -relevant- configuration at B.

I can ping the public x.x.x.33 from outside successfully, but no other hosts behind ae0.0 (e.g. x.x.x.34)

As the GRE tunnel works, I might miss something else. Any hints?

gr-0/0/10 {
    unit 0 {
        tunnel {
            source B_PUBLIC_IP;
            destination A_PUBLIC_IP;
        }
        family inet {
            address 10.0.240.9/30;
        }
    }
}

ae0 {
    aggregated-ether-options {
        minimum-links 1;
        link-speed 1g;
    }
    unit 0 {
        family inet {
            address x.x.x.33/28;
        }
    }
}

routing-instances {
    offsite_access {
        instance-type virtual-router;
        routing-options {
            router-id x.x.x.33;
            static {
                route A_PUBLIC_IP/24 next-table inet.0;
                route 0.0.0.0/0 next-hop 10.0.240.10;
            }
        }
        interface gr-0/0/10.0;
        interface ae0.0;
    }
}



Cisco ACI rack rental

Hello guys, Any suggestions regarding a trusted service for renting Cisco ACI remote lab ? Or any idea how to practice it in real devices, I was wondering if I can buy separate switches and setup an aci homelab but looks like i have huge issue regarding apic licensing… thanks



IP Transit cost tiers at Internet Exchanges

Can anyone give me some numbers on IP transit costs at Internet Exchanges, and more specifically the different tiers, 100Gbps - 3000Tbps? I know it varies vastly by IX etc., but any indication of the discounts (in percent or otherwise) and pricing tiers would be helpful.



IOS-XR bgp filter by prefix length?

We are migrating from Mikrotiks to ASRs.

So on our mikrotik we have some bgp filters that filter prefixes by prefix length. And now I need to rewrite them for IOS-XR.

Obviously the syntax does not match.

Say, if on a Mikrotik I had a bgp filter that puts all /32 ipv4 prefixes in a blackhole community, how do I convert this into IOS-XR syntax?

An example of the mikrotik route filter rule: add action=accept bgp-communities=xyz:666 chain=BHOLE prefix-length=32



Cisco ASR-1002-X and 3750 won't link beyond 100Mb/s

Hooking a router up to a switch should be pretty easy.

Either set auto on both ends, or in some very weird circumstances, hardcode the speed/duplex on both.

On the router side, this is the first of the 6 built-in ports (with a copper SFP installed). On the switch side going to a built-in copper port.

The devices differ slightly in setting port speed/negotiation. The router has "switchport nonegotiate" or "no switchport nonegotiate", and no ability to set what speeds/duplex is advertised, but I'm going to assume it's announcing 1000/FD. You can manually fix speed/duplex as well.

The switch combines "speed" and "duplex" negotiate or not and advertised link speeds all under the "speed" and "duplex" port commands.

I have tried every combination here - auto on both ends, fixed on both ends, auto on one end w/fixed on the other (and vice-versa). The only thing that gets me a link is autoneg for both ends, but it's only negotiating 100/FD.

Swapped in a new cable. Both old and new cable report OK in the switch's TDR test.

What caught my eye after wasting a half hour getting in OOB to both devices and testing all the combinations of speed/duplex is the SFP. It does not look quite legit:

1002x#sh hw-module subslot 0/0 transceiver 0 idprom
IDPROM for transceiver GigabitEthernet0/0/0:
  Description                              = SFP or SFP+ optics (type 3)
  Transceiver Type:                        = GE T (26)
  Product Identifier (PID)                 = SP7041-E
  Vendor Revision                          = B
  Serial Number (SN)                       = YACS1071
  Vendor Name                              = CISCO-METHODE
  Vendor OUI (IEEE company ID)             = 00.00.00 (0)
  CLEI code                                = N/A
  Cisco part number                        = N/A
  Device State                             = Enabled.
  Date code (yy/mm/dd)                     = 11/08/30
  Connector type                           = Unknown.
  Encoding                                 = 8B10B NRZ
  Nominal bitrate                          = GE (1300 Mbits/s)
  Minimum bit rate as % of nominal bit rate = not specified
  Maximum bit rate as % of nominal bit rate = not specified
l3-1002x#
l3-1002x#sh hw-module subslot 0/0 transceiver 0 status
  The Transceiver in slot 0 subslot 0 port 0 is enabled.
  Sensor Data is not supported by this transceiver
l3-1002x#

The OUI, vendor ("CISCO-METHODE"?), part number, etc. don't really scream "I am legit".

What are the odds of the SFP being at fault here? I don't mess with enough of this stuff to have a sense for how janky off-brand SFPs are. This is labelled as a "SFP-GE-T" - are there any weird limitations/surprises on this model?

If we need to grab another 3rd party sfp quickly, how's FS for this stuff?

https://www.fs.com/products/12626.html



Tuesday, November 16, 2021

Why isn’t 1024 QAM used for everything?

This question was asked by my teacher.

My understanding is that the higher you go, the more susceptible to noise you are. Also, technologies like Wi-Fi 5 are limited to 256 QAM.

Would these reasons be correct? Would there be any more reasons?
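To put a figure on the noise argument, here is an added derivation (not part of the original post) for square M-QAM, writing d for the minimum spacing between constellation points and E_s for the average symbol energy:

$$E_s = \frac{(M-1)\,d^2}{6} \qquad\Rightarrow\qquad d = \sqrt{\frac{6\,E_s}{M-1}}$$

At the same transmit power, moving from 256-QAM to 1024-QAM shrinks the point spacing by

$$\frac{d_{256}}{d_{1024}} = \sqrt{\frac{1024-1}{256-1}} = \sqrt{\frac{1023}{255}} \approx 2.0, \qquad 20\log_{10}(2.0) \approx 6\ \text{dB}$$

so each symbol carries $\log_2 1024 = 10$ bits instead of 8 (25 % more), but the receiver needs roughly 6 dB more SNR to keep the same symbol error rate.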



Testing New 40g Links

As part of a core upgrade project, I am configuring our Cisco Catalyst 9500-16X core switches in a StackWise Virtual pair. Currently there is a port channel between these cores. As part of the upgrade we have created two new diverse fiber paths that have been tested with the OTDR. I have ordered Cisco 9500-NM-2Q 40g network modules and QSFP+. Before creating the SVL I would like to slot the modules and SFPs and connect the links to test connectivity and transceiver details. My thought is that I can configure the 40g interfaces for access mode in an unused test VLAN. This should not affect the production network. Is this a valid thesis?



Disk failures on E1031 whitebox switches from multiple vendors - anyone else seeing these?

We've recently had a worrying number of blown ONIE partitions (which seem rooted in Innodisk mSATA SSD failures) on various Celestica OEM whitebox switches across multiple vendors (Penguin, SuperMicro). Thus far ONLY the MLC Innodisks have failed, and none of the more recent iSLC, which Celestica seems to have changed to silently.

In the last 6 months we've had failures on 3 E1031 models (1 Penguin Computing 4804iq, 2 Supermicro SSE-G3648B) and 1 D2060 (Penguin 4806xp).

Is anyone else seeing these happening?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Enabling SSH on cisco ios xe sdwan

Hey guys.

Has anyone ever had any success with setting up SSH access to the router via its IP assigned to a physical interface? This would not be the same as SSHing towards the system IP. Assume, for whatever reason, that connections to the controllers were down and we need to get into the CLI.



Strangest disagreement with the a client's family member who doubles as their "Computer Guy"?

I have a customer with 4 separate assisted living facilities. I installed IP Surveillance at each of them. They are pretty small, 5/6 tenants each and all in residential neighborhoods. Currently each location has its own NVR and a remote connection over the internet to my client's office for monitoring. Aside from the NVR, the internet at each location is only used for basic IOT devices like doorbells, thermostats and Netflix. At times, yes internet performance can be poor because that's just Comcast in Baltimore.

FOR SOME REASON, my client's brother-in-law, who doubles as their "Computer Guy", is trying to convince them to get an EVPL package and a Dedicated Internet Circuit at the office, which would route all the camera traffic to a single NVR over the private line and then allow all of the Dedicated Internet bandwidth to be used only for Netflix.

I suggested getting rid of the ISP's modem/router combo and replacing it with a QoS-capable router, but they seem to be siding with the brother-in-law, although they haven't received a quote from the ISP yet.

What would you guys recommend?



Securing multiple L3 VLANs - EGRESS ACL or INGRESS ACL or both?

I am in the process of configuring a new network as I have 2 new switches that I can configure leaving the existing network as is for now. I am struggling to formulate where to place the necessary ACLs to restrict access based. I have some basic L3 switches, but can apply ingress and egress ACLs to ports and/or VLANs, I assume VLANs is the best choice.

Given the following VLANs:

Management : VLAN 1  : 192.168.1.0/24 (This will likely change to another VLAN but for the sake of this demo it's VLAN 1)
Production : VLAN 20 : 192.168.20.0/24 (ESXi/DB servers/Windows AD/Puppet/General)
App        : VLAN 30 : 192.168.30.0/24 (Web Servers)
DMZ        : VLAN 40 : 192.168.40.0/24 (HA Proxy pair)

VLAN 20 can access everything.
VLAN 30 needs to access specific ports on VLAN 20 (DB, puppet and proxy to internet)
VLAN 40 needs to access specific ports on VLAN 40 (puppet) VLAN 30 (http/https) and needs to expose http/https to internet via gateway (192.168.1.254)

I'm guessing it would be best to block EGRESS on VLAN 30 and VLAN 40 and then add specific rules to allow http/https/db/dns/puppet to the other VLANs? What I am struggling with is the rules to allow VLAN 40 http/https direct to the gateway: would that be an INGRESS ACL as well as an EGRESS, or JUST EGRESS?

Also, does the logical separation look acceptable or could be improved?

Thanks



Networking aptitude tests

Hello! This subreddit has helped me many times when I have run into strange Cisco issues throughout the years and I am forever grateful. I am now looking for a solution to assist me in hiring some new engineers at my company.

In the last couple of years I have cast my net wide and brought in some amazing candidates... sometimes on paper only it turns out. The resumes have the jargon, they go through a couple of interviews with management and then a final interview with some of the engineers that will be their peers. Our job involves installing temporary specialized networks in very short windows of time. A handful of the new hires (even ones fresh out of college) grasped the fundamentals of networking quite well and have excelled at their job. A majority of them have failed and their coworkers have either had to step in, or in cases where they are too busy, I have had to spend hours on the phone after hours and on weekends to ensure we get the job done.

In an effort to alleviate these problems going forward, I am trying to build a "lab" that the applicants will have to complete properly in order to progress in the hiring process. I toyed around with having some physical gear that they would touch in one of my two offices, but it would require quite a bit of work due to Covid protocols we have in place for our clients, along with the fact that we have had to open our hiring to people out of state. More than half the applicants can't even be bothered to reply to emails within 72 hours, so I really can't expect them to travel across the country to take a test.

I am basically looking for a testing platform that I can load up with a few Cisco devices (ASA, core switch, WLC, edge switches) and a basic visio of how the network should be architected along with a list of VLANs required, SSIDs required, and public IP info. Depending on the outcome of their build, I can advance people based on their true skills. If it is something simple like forgetting to make a NAT rule for a VLAN, I can bring them back in and say something like "the customer on vlan 604 is stating that they get an IP but can't get Internet, can you troubleshoot that?" If the applicant can't even get the WAN interface configured, they won't be coming back for a final interview.

I haven't used Routersim and Packet Tracer in quite some time, so I don't know if those are feasible given the specific hardware in our design. The applicants would need to have their own sandbox for me to view and it would be nice to know when they started and finished so I can try to rule out copying of designs or cheating. I would even be willing to pay monthly or per "test" for a testing platform if there is one out there.



Optimal TX/RX Transceiver Power

Hi, I'm trying to understand the optimal TX and RX power of an SFP installed in a Gigabit port. I've seen several times that the value was somewhere between -3.5 dBm and -4.5 dBm and this was causing problems, even though the interface was always up with no errors. However, looking at https://www.cisco.com/c/en/us/products/collateral/interfaces-modules/gigabit-ethernet-gbic-sfp-modules/datasheet-c78-366584.html it shows the range as TX: -3 to -9.5 and RX: -3 to -20.

So my question is: should you take these values as a reference, or what should the highest and lowest ranges be for a 1000BASE-LX SFP?



Golden ROMMON

Having a bit of an issue updating a stack of 9300s. The stack updates to 17.03.04 OK but fails when I update the golden rommon.

I can't actually find which version of golden rommon is on the switches; show ver | i ROM only appears to show the primary rommon.

Any help appreciated.



Google Cloud is having issues

Google Cloud is having issues and it's affecting multiple sites

https://status.cloud.google.com/



Redoing a theatre network

Hello everyone,

So, we're a theatre, currently running the network on ten-year-old HPE infrastructure, with some Arubas thrown in which came later. Apparently some guys up the ladder got the memo that ten-year-old equipment isn't exactly brand new (it only needed a linecard to die while there was a play on stage, making the lights flicker during the show). Now I am to guesstimate what a new network might cost. Currently we have mostly 5412zl (around 10) with some newer Arubas and two stacked H3Cs as core.

Since we are a theatre, everything has to work flawlessly during the show. The network is managing quite a lot, from people flying above the stage, to rotating the stage, turning lights on and off, pointing those lights, intercom systems for people to communicate and so on... Video and audio are mostly excluded from the network as is, but we're going to put them on our network as well once we have a network which can support them, which brings me to my question: which switches would you use for media production? Since we need things like streaming from a camera on stage to a projector behind the stage (4K and beyond), and audio from the actors' mics to the audio system, everything needs to be as reliable, jitter-free and low-latency as possible while also providing huge bandwidth. How would you go about designing this kind of network, and how would you make it cost effective? Should I outsource stuff like lighting fixtures, which don't need crazy amounts of bandwidth, to ports on cheaper equipment? We're trying to replace huge SDI crossbars with IP equipment, so I'm guessing we're probably looking at stuff like Cisco Nexus 9k and Arista, or are there other vendors out there?

Problem is, I have never done network architecture and I'm kind of lost when it comes to designing a whole network. If you have any resources about IP networks in media production or theatres specifically, that would be awesome. I'd like to ask more specific questions, but it seems I'm so lost that I've been typing this post for the 3rd time and it always ends up rambling. So, to end it, if any of you know how to go about designing networks, or any specifics on theatrical networks at all, please point me towards any resource you can think of.

Thank you all!



Monday, November 15, 2021

DHCP Option 82

Since short and to the point questions get nuked as low quality I will milk this.

What devices do you recommend Metro Ethernet demarc devices with DHCP option 82 support?

DHCP Information option (Option 82) is commonly used in metro or large enterprise deployments to provide additional information on “physical attachment” of the client. Option 82 is supposed to be used in distributed DHCP server/relay environment, where relays insert additional information to identify the client’s point of attachment.
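As an added illustration (not part of the original post), a small Python parser and relay-side handler for the option described above: it walks the DHCP options field, decodes the option-82 sub-options, and applies the kind of port-trust policy a demarc or DHCP-snooping relay uses. The sub-option codes 1 (Agent Circuit ID) and 2 (Agent Remote ID) are from RFC 3046; the sample packet bytes, port names and the trust policy itself are constructed assumptions, not any vendor's implementation.

```python
"""Parse, insert and validate the DHCP Relay Agent Information option (option 82).

Constructed example, not code from the original post. Sub-option codes
1 (Agent Circuit ID) and 2 (Agent Remote ID) come from RFC 3046; the sample
bytes, port names and the port-trust policy are assumptions for illustration.
"""
from typing import Dict, Iterator, Optional, Tuple

OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def iter_options(options: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (code, value) for each TLV in a DHCP options field (the bytes after
    the magic cookie). PAD is a lone byte, END stops the walk, and a length that
    runs past the buffer raises ValueError rather than being read."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            return
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        yield code, value
        i += 2 + length


def is_well_formed(options: bytes) -> bool:
    """True when the whole options field walks without truncation errors."""
    try:
        list(iter_options(options))
        return True
    except ValueError:
        return False


def find_option(options: bytes, wanted: int) -> Optional[bytes]:
    """Return the value of the first option with code `wanted`, or None."""
    for code, value in iter_options(options):
        if code == wanted:
            return value
    return None


def parse_option82(value: bytes) -> Dict[str, bytes]:
    """Split an option-82 value into its sub-options (code, length, data).
    Known codes get names; unknown ones are keyed by their number."""
    names = {SUB_CIRCUIT_ID: "circuit_id", SUB_REMOTE_ID: "remote_id"}
    subs: Dict[str, bytes] = {}
    i = 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-option {code} truncated")
        subs[names.get(code, str(code))] = data
        i += 2 + length
    return subs


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode option 82 as a relay or demarc device would insert it."""
    body = bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    body += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    return bytes([OPT_RELAY_AGENT, len(body)]) + body


def relay_client_packet(options: bytes, port_trusted: bool,
                        circuit_id: bytes, remote_id: bytes) -> Optional[bytes]:
    """Assumed relay policy for a packet from a client-facing port: option 82
    already present on an untrusted port is treated as spoofed and the packet is
    dropped (None); on a trusted port it passes through untouched; otherwise the
    relay re-encodes the options and appends its own option 82 before END."""
    if find_option(options, OPT_RELAY_AGENT) is not None:
        return options if port_trusted else None
    kept = b"".join(bytes([c, len(v)]) + v for c, v in iter_options(options))
    return kept + build_option82(circuit_id, remote_id) + bytes([OPT_END])
```

Feeding a constructed DHCPDISCOVER options field such as b"\x35\x01\x01\xff" through relay_client_packet on an untrusted port yields the same packet with option 82 appended; feeding that tagged packet back in on an untrusted port returns None.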



Option 82

What Metro Ethernet demarc device do you recommend that supports DHCP option 82?



Gigabit switch not handing out IP while Megabit switch is

Hi guys,

I’m fairly new to networking (basic knowledge) and English is not my mother tongue, so I apologize for any mistakes.

I’ve been hired as an intern at this company since their IT quit, and I was hired as a “junior IT for basic things”. This month has been hell for me, since we had a lot of issues with our internet connection. Long story short, our APs were not handing out IPs (we have a DHCP server installed on a server in Hyper-V). These APs were connected to a gigabit switch, and when all hell broke loose I went to the server room and tried to connect to the gigabit switch so I could be on the same VLAN as the APs and reboot them; that switch did not give me an IP, but the megabit one did. To resolve the issue I went to work on Saturday, created a new VLAN, created a new /22 IP range on the DHCP server and connected all the APs to that switch. Can anyone give me a hand here and tell me why the switch won’t hand out IPs?

Thank you



Private Cloud firewall cluster, redundant across multiple AZ in AWS. Is anybody doing this for production?

We currently have a Checkpoint cluster in a single AZ, and if you use IPsec tunnels you can’t deploy a Checkpoint cluster in two AZs, unless you don’t use IPsec. We have around 300 VMs there in different VPCs, isolated with Transit Gateway, with quite a bit of traffic going on there. Just wondered what other people are using out there?



STP taking down my firewalls or my config is just plain wrong

In the last day or so I have had an issue with my firewalls: the secondary kept dropping offline. I have been on site for the last 4 hours and could not see any reason for there to be an issue, until I had a thought about STP, and it appears that this is what was causing the issue: one of the ports on my switch was being blocked. I have disabled STP on both switches for a single port; that port is a trunk on VLAN 2 between my 2 switches. There are 2 other connections in the same VLAN on each switch, those being the outside interface of a firewall and the connection to my provider.

This doesn't feel right, but it also makes sense as to why I have been having issues. I am also not sure why this suddenly started happening yesterday with no changes from my end.

I am trying to understand if I just happened to have made it work when it should not or I actually fixed the problem and have not introduced a horrible issue somewhere.

The connections from my provider are running HSRP I believe. From what I can see, only 1 of my links is active at any time.

So with STP active, it appears it was blocking one of the ports and stopping both of the firewalls being able to see the active uplink so only the firewall on the same switch as the active connection from my provider would work. If I swapped the active firewall at this point, the active provider link was on the other switch and not until I disconnected the provider link in the other switch would it work.

After disabling STP, I can failover the firewalls however I want and because they both have access to the active provider link, they both work.

My concern is that I have had to disable STP on these ports and what is the impact of that. I had also expected the firewalls to know something was up but it seems that only occurs when the provider link goes down.

What gives!



secondary vlan ip on EVPN-VxLAN network

I have a working EVPN-VXLAN fabric and life is good, but now I need more public addresses, so I am planning to add a new public IP subnet to the existing public VLAN interface on all border-leaf and my other leaf switches. Does the following work, and are there any other complications for the future?

Currently I have the following config for the public VLAN:

interface Vlan100
  description ** Anycast Gateway For Public **
  no shutdown
  mtu 9216
  vrf member CUST1
  no ip redirects
  ip address 69.xx.xxx.1/24
  ipv6 address 2600:c04:3111::1/64
  ipv6 nd prefix default no-advertise
  ipv6 nd ra route suppress
  no ipv6 redirects
  fabric forwarding mode anycast-gateway

I want to add a new public subnet, e.g. 70.xx.xxx.1/24.

So can I do the following, just add a secondary IP?

interface Vlan100
  ip address 70.xx.xxx.1/24 secondary


Barracuda Firewall Backup PAR file - Is it a text file?

Hi, getting ready to do some analysis on Barracuda F600 and F400 devices. Manual mentions that a backup creates a PAR file. I don't have access to these devices yet, does anyone know if the PAR file is plain text? Can I open with notepad++ ? If not, is there a way to export config to csv? TIA!

https://campus.barracuda.com/product/cloudgenfirewall/doc/72515937/how-to-back-up-and-restore-firewall-configurations



Need help with the Design of a University Classroom

Hey guys,

a friend of mine asked me to help him and his professor with the design of the network infrastructure in their new classroom. I recently finished my CCNA, so my knowledge isn't very deep, especially when it comes to networking hardware, so please don't go too hard on me ;)

The task is the following:

- 1 autotracking camera focused on the presenter

- 1 camera that works with a microphone to identify different zones in the room and to focus on those zones

- 1 microphone on the ceiling of the room able to identify the aforementioned zones

- 1 TV

- 1 SmartBoard

- 1 computer/control desk

- 1 tablet to connect to and control the computer

The idea is that other students who can't attend the class and are studying from home can still see both the presenter/teacher and the people speaking in the classroom. The camera together with the ceiling microphone will communicate and focus on the speaking student in the classroom (the microphone tells the camera in what kind of "zone" the talking student is, after that the camera focuses on that zone). At the same time the other camera is constantly tracking the talking and presenting teacher in the front of the classroom.

From my understanding, right now the microphone and the cameras will be connected through USB cables to the computer and will communicate through some software on the computer. Since I'm not very familiar with transmitting multimedia over the LAN, my question would be whether I can CONTROL the cameras and microphone over USB but get the video output over the LAN and import it into something like OBS (the specifications say that the camera supports IP streaming like RTSP and RTMP; do I need a special switch/router that supports those protocols)?

The next problem is the network where all these devices should be. Since transmitting livestreaming information (tablet connecting to PC, cameras, microphones connecting to PC etc.) over the university network is rather problematic (needing to reconnect, connecting the camera can also be problematic since the admin has to add them, etc. etc.), I was thinking of creating a private network for the classroom. The professor says that last time he tried to do something similar and far simpler in some other classroom and talked to the IT staff of the uni, it took them months until they did something, and even that was wrong, so he doesn't want to rely on them again... Right now there are around 6 LAN ports in the room that each have a static public IP address. Basically I thought about connecting a router to one or two of the ports and implementing NAT for all the devices that will be connected to the router (see above).

There are a few requirements:

- At least 8 ports (10 would be better)

- There should be at least 3 PoE+ ports for the microphone and the cameras

- Wireless access point (needed to connect the tablet to the computer and eventually to connect the devices of the students to the computer)

I didn't find a device like that online. Best I found were these 2 routers:

The RV260P VPN with PoE Router which has no WiFi and only PoE which from my understanding isn't enough since the devices need PoE+.

And the RV260W VPN with Wireless Router which has no PoE at all.

Since I didn't find anything better, I thought of getting the RV260W and a simple Layer 2 switch that has PoE+, then connecting the router to the wall LAN port, the switch to the router and all the devices to the switch (or the access point of the router). I also thought about getting a router and putting PoE+ and wireless modules inside, but didn't find anything appropriate either.

I really hope someone could give a recommendation for a Router, Interface Cards + Router or Switch + Router. And probably show me some of the red flags I missed in this setup.

Thank you very much in advance

PS.: The professor said that ordering and receiving those items would take up to 3 months (German bureaucracy) and he wants to get all the needed hardware as soon as possible, meaning reordering is not really an option.

PPS.: On the Cisco website it only says that this router (RV260W) only supports 802.11ac however on this website (just scroll down) it says that this router supports many different wireless standards. Does Cisco just omit mentioning all the other standards?

PPPS.: The price doesn't really matter. The prof would rather pay $1200 than waiting another 3 months for the additional hardware. He just wants a solution that works and doesn't involve the Uni-staff.

Edit1:

I’m sorry, I forgot to mention it, but I already found some mics and cameras that do exactly that (can communicate with the mic etc.). There are those Shure mics that you attach to the ceiling, and this Aber camera that can focus on those zones. The other camera looking at the presenter uses “basic” AI auto tracking.

What do you think about the Router/Switch networking problem?



Wireless Topologies - Star, Infrastructure, service sets (ESS) - All or some?

This is for an educational project to build a network for a company. Currently, my wheels have been spinning trying to iron out this detail. Any help would be appreciated so I can move on with the project. I'm currently in my first networking class so I'm very new to this information.

I will be posting links to what sources I've read to try and determine the answer for myself. There is a rule against re-direction, but I must show the effort I've been attempting to locate the solution.

The questions I need to be answered: For a large multi-user business on a WLAN, would the topology in this network use an infrastructure topology, star, and/or ESS(extended service set)? Which are physical/logical?

Note: This is a question I wrote and not something directly from the project.

Infrastructure Topology

I'm currently using the uCertify course materials. I understand the difference between physical and logical topologies. According to uCertify, wireless networks use the three wireless topologies: Ad Hoc, Infrastructure, or Mesh. (I would link to the text, but since it's paid material, that's probably a no-no.)

From the point above, I'm reasonably confident the WLAN I'm crafting will use infrastructure topology.

Infrastructure topology appears to be physical since it extends a wired LAN to include wireless devices.

link: http://www.idc-online.com/technical_references/pdfs/data_communications/Wireless_Network_Topologies.pdf

Star Topology

Star topology appears to be the logical topology I would be using. However, the uCertify material seems not to mention star being used with wireless.

Tom's Hardware agrees: https://www.tomshardware.com/reviews/local-area-network-gigabit-ethernet,3035-7.html#:~:text=Wireless%20networks%20have%20different%20topologies,use%20only%20two%20logical%20topologies%3A&text=Point%2Dto%2Dpoint%E2%80%94Bluetooth,point%2Dto%2Dpoint%20topology.

Here is another source with diagrams showing star topology being used as the logical topology component for wireless networks specifically:

https://www.emerson.com/documents/automation/training-wireless-topologies-en-41144.pdf

Extended Service Set(ESS)

According to uCertify ESS operates within an infrastructure topology. The link below, which is another education program, labels ESS as a topology in itself:

https://networklessons.com/cisco/ccna-200-301/wireless-lan-802-11-service-sets

ESS is the connection between more than one Basic Service Set (BSS); any Google search should confirm this since it's a definition. Due to this definition, this topology sounds physical as well.

Conclusion

My answer to this question would be the WLAN would use all three: a physical infrastructure topology with a physical ESS topology within along with a logical star topology.

Edit: fixed the duplicated links to reflect the appropriate ones