Saturday, November 25, 2017

Question about DAS deployments: Why can't they use my backhaul?

Hi everyone,

Our organization recently had a new multi-carrier DAS setup installed in a few of our buildings. These DAS systems get their backhaul from the nearby cell site. However, we have had many users complain that speeds are inadequate (50+ users), and upon further research, found that an LTE connection with a strong signal (-67 dBm) struggled to reach 0.1 Mbps on all major carriers, and speed tests often timed out. We offered the contracting company use of our internet connection as backhaul (even offered them one of our dedicated circuits, w/business-level $$$ connection w/SLA) to enhance the capacity of the DAS, but were told that it was illegal because "it fails to comply with 911 standards". Is this true?

Thank you very much in advance. Will be happy to provide any additional details.



Aerohive as standalone access points

I have an opportunity to acquire a bunch of Aerohive access points and I'd like to set these up in a smaller network. From what I understand Aerohive works with their cloud to allow you to remote manage them. Is that required or can I just configure them as standalone devices?



I have to get CCNA certified in 6 months, where do I start? Company will pay for any training of my choosing as well.

I have a basic understanding of network principles and have worked in a networking role for the past year but never picked up a book. No idea what to study or how to take the test.



Can NetFlow signal if a packet was dropped by a firewall?

I recently stumbled across Elastiflow on Github that will take NetFlow data and turn it into pretty graphs.

I'm curious if the NetFlow protocol can 'signal' that a packet was dropped or didn't traverse the router so we can pump it into Kibana over NetFlow rather than having to write a parser for the firewall logging.

I've googled but not had much luck...

Thanks
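Added example (not part of the post above, and not the poster's code). NetFlow v9 and IPFIX do carry a per-flow forwarding status (field type 89, forwardingStatus): the two high bits say whether the flow was forwarded, dropped or consumed, and the low six bits give a reason such as "ACL deny" or "RPF check". Whether an exporter actually populates it is platform dependent, so check a real export from the firewall or router before building a dashboard on it. The parser below decodes a constructed v9 packet (template flowset plus two flow records) and pulls out the dropped flows; the field type IDs and reason codes are the ones from the NetFlow v9 and IANA forwardingStatus (RFC 7270) tables, with only a subset of reasons listed.

```python
import ipaddress
import struct

# NetFlow v9 field types used here (RFC 3954 / Cisco field type IDs).
FIELD_NAMES = {
    1: "in_bytes", 4: "protocol", 7: "l4_src_port", 8: "ipv4_src_addr",
    11: "l4_dst_port", 12: "ipv4_dst_addr", 89: "forwarding_status",
}

# Field 89: the two high bits are the status, the six low bits a reason code.
# Reason codes are a subset of the IANA forwardingStatus registry (RFC 7270).
FWD_STATUS = {0: "unknown", 1: "forwarded", 2: "dropped", 3: "consumed"}
FWD_REASON = {
    64: "forwarded (unknown reason)", 65: "forwarded fragmented",
    66: "forwarded not fragmented",
    128: "dropped (unknown reason)", 129: "drop ACL deny", 130: "drop ACL drop",
    131: "drop unroutable", 132: "drop adjacency", 133: "drop fragmentation, DF set",
    137: "drop bad TTL", 138: "drop policer", 139: "drop WRED", 140: "drop RPF check",
    143: "drop hardware",
    192: "consumed (unknown reason)", 195: "consumed, terminate for us",
}


def decode_forwarding_status(value):
    """Split a forwardingStatus byte into (status, reason) strings."""
    status = FWD_STATUS[(value >> 6) & 0x3]
    reason = FWD_REASON.get(value, f"{status}, reason code {value & 0x3f}")
    return status, reason


def parse_netflow_v9(packet, templates=None):
    """Parse one NetFlow v9 export packet. Returns (templates, records);
    templates are keyed by (source_id, template_id) so they can be carried
    across packets, as a real collector must."""
    templates = dict(templates or {})
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    records, offset = [], 20
    while offset + 4 <= len(packet):
        flowset_id, flowset_len = struct.unpack("!HH", packet[offset:offset + 4])
        if flowset_len < 4:
            raise ValueError("bad flowset length")
        body = packet[offset + 4:offset + flowset_len]
        offset += flowset_len
        if flowset_id == 0:                      # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if nfields == 0:                 # padding, not a template
                    break
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif flowset_id >= 256:                  # data flowset
            fields = templates.get((source_id, flowset_id))
            if fields is None:
                continue                         # template not seen yet: cannot decode
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while rec_len and pos + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    raw = body[pos:pos + flen]
                    pos += flen
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    rec[name] = str(ipaddress.IPv4Address(raw)) if ftype in (8, 12) \
                        else int.from_bytes(raw, "big")
                if "forwarding_status" in rec:
                    rec["status"], rec["reason"] = decode_forwarding_status(rec["forwarding_status"])
                records.append(rec)
    return templates, records


def dropped_flows(records):
    """The subset a detection pipeline would alert or graph on."""
    return [r for r in records if r.get("status") == "dropped"]


def build_sample_packet():
    """Constructed sample export (not a real capture): one template, two flows."""
    template_fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (89, 1)]
    tmpl = struct.pack("!HH", 256, len(template_fields))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in template_fields)
    tmpl_flowset = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def record(src, dst, sport, dport, proto, nbytes, fwd):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HHBIB", sport, dport, proto, nbytes, fwd))

    recs = record("10.1.1.5", "192.0.2.10", 51514, 443, 6, 4120, 66)        # forwarded
    recs += record("198.51.100.7", "10.1.1.5", 40000, 3389, 6, 60, 129)     # dropped by ACL
    data_flowset = struct.pack("!HH", 256, 4 + len(recs)) + recs
    header = struct.pack("!HHIIII", 9, 3, 123456, 1511600000, 1, 0)
    return header + tmpl_flowset + data_flowset


if __name__ == "__main__":
    _, flows = parse_netflow_v9(build_sample_packet())
    for f in flows:
        print(f["ipv4_src_addr"], "->", f["ipv4_dst_addr"], f["l4_dst_port"], f["status"], f["reason"])
```

Two caveats a collector has to handle: data flowsets that arrive before their template cannot be decoded (the parser skips them, a real collector buffers or waits for the periodic template refresh), and a firewall that never exports field 89 gives you flows that simply stop at the firewall, not flows marked as dropped, in which case the firewall's own logs remain the only source of truth.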



VLAN in Small Business

Currently have a flat network with:

  * Router/Firewall

  * L3 Switches

  * Hypervisor + AD/File Server in a VM

  * App server

  * BDR

  * 20 PCs

  * No WIFI

 

It's a small network, but due to liability issues we were told to segment to different VLANs and apply secure policies. Planning on this VLAN scheme:

  * VLAN1 - Nothing (172.16.1.xxx)

  * VLAN10 - Servers (172.16.10.xxx)

  - AD Server, File Server

  - App Server

  - BDR (backs up servers and certain laptops in VLAN20)

  * VLAN20 - PCs (172.16.20.xxx)

  * VLAN99 - Management (172.16.99.xxx) iDrac / iLo, Switches

 

Some questions:  

1) They want servers to be in a different VLAN. Is that a good idea, to make the AD/File/App Servers separated from workstations? How would the servers & workstations communicate? Can you elaborate on VLAN routing?

 

2) Same for Management VLAN, if it's separated, then how would we access the configs from a remote workstation? Should the servers/BDR be members of this VLAN too?

 

3) Any suggestions or changes you recommend? Small IT dept, so we prefer simplicity while still satisfying recommended security best practices.



Power Primer

I'm looking for a better understanding of power, especially how it relates to our jobs managing data centers and all of the devices that connect in to them. I've been in the industry for about five years now, but always feel out of my element when discussing power. Everything from transformers, generators, UPS, and transfer switches to amps, watts, and volts.

I would really appreciate an overview of how all of these pieces tie together, especially from others that deal with these types of challenges regularly.



The Packet Thrower MPLS Lab without Route Reflector

Hi, First off thanks so much to /u/the-packet-thrower for his great Cisco MPLS Don't Label me Bro lab.

Is there any chance someone can point me in the right direction to create the same lab but with route reflectors?

Just curious as to how different the CE/PE config would be and would like to more accurately recreate a similar type network.

Thanks in advance and a special thanks again to The Packet Thrower.



Friday, November 24, 2017

Can't we build a community-driven intranet to fight for net-neutrality?

I'm fed up of struggling to keep a basic right. Can't we build an intranet based off of wireless router technology? If a high number of citizens reprogram their routers to link themselves together into a mesh network, wouldn't it free us from the grasp of corporate greed?



Chromecast and Ruckus APs

We are an ISP that services mostly MDU student housing. We enable client isolation on our WLANs due to the obvious issues, but it breaks Chromecasts etc. Does anyone have a workaround?



Data center - Migrating storage from FC to IB, does this make sense?

Hello!

I work in a data center and we currently have 4-8 Gbit/s FC storage, all Brocade gear and IBM SVC controllers. Our workload is mostly HP blades running vSphere.

Since the setup is borderline legacy and becoming hard to maintain we had this thought: migrate to vSAN and use InfiniBand interconnects.

We've figured that:

  • we can buy an IB HP blade to attach to the current systems running vSphere, around 300 € refurbished

  • for non-blade systems, IB HBAs are pretty cheap, e.g. Mellanox ConnectX 2 goes for around 100 € refurbished

  • we can get some cheap IB switches, e.g. the Mellanox IS5022 goes for around 200 € refurbished

  • the real expense is cables, particularly longer runs which have to be active, we figured around 100 to 300 € per cable with QSFPs

We'll be running vSAN in all-flash configuration and we plan to transparently migrate the VMs for all nodes to the new setup (which means that for a while we'll have a hybrid FC/IB architecture).

Has anyone gone this route? Any pitfalls or obvious things we're missing?

Thanks



When I change my Wi-Fi channel, every other channel follows

Why is this? Wifi analyzer shows that we're all on the same channel and whenever I try to switch channel everyone else moves with me



Any Black Friday deals for us networking shut-ins?

Looking to upgrade my office/lab with anything I see online within reason. Anyone notice any good deals for hardware/software/courses worth investing in?



Any Infoblox upgrade experts here?

We're running an environment with older 800 series appliances. Looking to move to the 1400 series. However, I've been informed that it's literally impossible to keep the same IP configuration from old box to new. There is no way we can take our existing 800 VIP address and reuse it with the 1400 series, meaning every statically assigned address (so 1000s of VLAN helpers, appliances, static assignments) has to be reconfigured to support this.

Is this for real? There's no way? Is this normal for an IB appliance upgrade?



Juniper SRX FBF and Dest NAT question

So I have been working on a configuration for an SRX240H2 with 2 ISP connections. I am using FBF to forward packets to the correct ISP, and I have this portion working. SRC NAT is also working as intended. The problem I have is with Destination NAT not working as expected. I have looked at the packet flow from Juniper regarding how incoming packets are processed, so if I am correct, Destination NAT should be applied first, then it determines the route for the incoming packet. The default routing instance (I'm assuming this is inet.0?) has the correct route for the incoming packet after destination NAT, but I am still unable to pass traffic. If I remove the interface from the filter for FBF and route using the default instance, Destination NAT works correctly. It is only when the interface has an input filter applied to change the routing-instance to a virtual-router in forwarding mode. Am I missing something simple with DEST NAT to get it working? These are for some simple services that just need port forwarding.

configuration looks something like this:

routing-options {
    interface-routes {
        rib-group inet IMPORT-PHY;
    }
    static {
        route 0.0.0.0/0 next-hop [ <ISP-A> <ISP-B> ];
        route <internal routes> ...
    }
    rib-groups {
        IMPORT-PHY {
            import-rib [ inet.0 routing-table-ISP1.inet.0 routing-table-ISP2.inet.0 ];
        }
    }
}
firewall {
    filter filter1 {
        term term1 {
            from {
                source-address <Some Range>;
            }
            then {
                routing-instance routing-table-ISP2;
            }
        }
        term default {
            then {
                routing-instance routing-table-ISP1;
            }
        }
    }
}
routing-instances {
    routing-table-ISP1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop ISP-A;
                    qualified-next-hop ISP-B {
                        preference 100;
                    }
                }
            }
        }
    }
    routing-table-ISP2 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop ISP-B;
                    qualified-next-hop ISP-A {
                        preference 100;
                    }
                }
            }
        }
    }
}
nat {
    destination {
        pool 1 {
            address <some internal IP>/32 port XXXX;
        }
        rule-set tmp {
            from interface ge-0/0/0.0;
            rule 1_tmp {
                match {
                    source-address 0.0.0.0/0;
                    destination-address <External-IP-ON-ISP-A>/32;
                    destination-port {
                        XXXX;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            1;
                        }
                    }
                }
            }
        }
    }
}

I have tried changing the from field for the destination nat rule to the untrust zone which contains both WAN interfaces, and that has not made a difference. I think I am missing something small in the routing portion, but I am not sure. Any input would be useful, and I can post a full config somewhere if needed.

Thanks.
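Added example (not from the post, and not the poster's config). One check worth doing before touching the NAT rules: after destination NAT the translated address is routed in whichever instance the FBF filter selected, not in inet.0, and `interface-routes rib-group` copies only the direct/local routes into `routing-table-ISP1.inet.0` and `routing-table-ISP2.inet.0`. If the NAT target sits behind another internal router (the `route <internal routes>` statics), those instances only hold their default route, so the reply lands on the ISP next-hop. This assumes the FBF filter is applied inbound on the ISP-facing interface as well; all addresses below are made up. The model below is a small longest-prefix-match table with rib-group style import, first without and then with the static routes imported.

```python
import ipaddress


class RouteTable:
    """Minimal longest-prefix-match table standing in for one Junos routing table."""

    def __init__(self, name):
        self.name = name
        self.routes = {}                     # ip_network -> (next_hop, protocol)

    def add(self, prefix, next_hop, protocol):
        self.routes[ipaddress.ip_network(prefix)] = (next_hop, protocol)

    def lookup(self, address):
        """Return (prefix, next_hop) for the longest matching route, or None."""
        addr = ipaddress.ip_address(address)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        best = max(matches, key=lambda n: n.prefixlen)
        return str(best), self.routes[best][0]


def import_rib_group(source, targets, protocols):
    """Copy routes of the given protocols from source into each target table,
    the way a rib-group import does for the route types it is attached to.
    A route the target already has (its own default) is left alone."""
    for net, (next_hop, proto) in source.routes.items():
        if proto in protocols:
            for table in targets:
                table.routes.setdefault(net, (next_hop, proto))


def build_tables(static_in_rib_group):
    """Tables shaped like the post's config; all addresses are assumed."""
    inet0 = RouteTable("inet.0")
    inet0.add("203.0.113.0/30", "ge-0/0/0.0", "direct")          # ISP-A link
    inet0.add("198.51.100.0/30", "ge-0/0/1.0", "direct")         # ISP-B link
    inet0.add("192.168.1.0/24", "ge-0/0/2.0", "direct")          # inside LAN
    inet0.add("192.168.50.0/24", "192.168.1.254", "static")      # "route <internal routes>"
    inet0.add("0.0.0.0/0", "ISP-A", "static")
    isp1 = RouteTable("routing-table-ISP1.inet.0")
    isp1.add("0.0.0.0/0", "ISP-A", "static")
    isp2 = RouteTable("routing-table-ISP2.inet.0")
    isp2.add("0.0.0.0/0", "ISP-B", "static")
    # interface-routes rib-group IMPORT-PHY copies direct routes only; static
    # routes reach the forwarding instances only if a static rib-group is added.
    protocols = {"direct"} | ({"static"} if static_in_rib_group else set())
    import_rib_group(inet0, [isp1, isp2], protocols)
    return {t.name: t for t in (inet0, isp1, isp2)}


def forward_after_dnat(tables, instance, dnat, dst_ip):
    """Apply destination NAT first (as the SRX flow does), then route the
    translated address in the instance the FBF filter selected."""
    translated = dnat.get(dst_ip, dst_ip)
    hit = tables[instance].lookup(translated)
    if hit is None:
        return translated, None, None
    prefix, next_hop = hit
    return translated, prefix, next_hop


DNAT = {"203.0.113.2": "192.168.50.10"}   # external IP on ISP-A -> internal server (assumed)

if __name__ == "__main__":
    for static_imported in (False, True):
        tables = build_tables(static_imported)
        for inst in ("inet.0", "routing-table-ISP1.inet.0"):
            print(static_imported, inst, forward_after_dnat(tables, inst, DNAT, "203.0.113.2"))
```

On the box itself the equivalent check is `show route table routing-table-ISP1.inet.0 <translated-address>`: if the answer is the 0.0.0.0/0 entry rather than the internal prefix, the fix is to get the static routes into the forwarding instances, either with `rib-group IMPORT-PHY` under `routing-options static` or by repeating the internal statics inside each instance. A NAT target that is directly connected (192.168.1.x in the model) works either way, which is why port forwards to a directly attached host can succeed while forwards to a host behind another router fail.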



[VPN] Cisco ASA Assistance

Hi All,

I'm running a Cisco ASA 5510 - 9.1(7)16

I want to configure it to act as a VPN endpoint for different devices... either local or radius auth

I've found some decent guides on how to setup a basic VPN that would allow me to connect, but what I'm looking to do is a little different.

I have 3 sub-interfaces on the "inside": Main, Guest and Share. What I want to do is have different VPN user accounts that, when authenticated, allow access to a variety of different combinations: user1 = Main + Share, user2 = Guest + Share, user3 = Guest.

Is this even possible?

Thanks



Strangely formatted ip in netflix activity?

I've noticed some shows popping up in my netflix that I haven't watched, so I've looked at the recent activity and found that somebody else has been using my netflix account. But the ip address that netflix lists is...not one?

Looks like this: 2605:6000:2a83:1900:d0a6:76fb:78b6:c18f

What kind of tag is this?
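Added example (not part of the post). The string in the post is an IPv6 address in its normal colon-hex form, so the activity log is simply showing a client that reached Netflix over IPv6. When triaging an entry like this, the useful parts are the first 64 bits (the network the client was on, which is what you would compare against your own prefix) and the last 64 bits (the interface identifier, which reveals a MAC address if it was built with EUI-64 and tells you nothing if the host used random or privacy-extension addressing). The classifier below does that split with the standard library; the addresses other than the one from the post are constructed.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")
DOCUMENTATION = ipaddress.ip_network("2001:db8::/32")


def mac_from_eui64(addr):
    """Recover the MAC if the interface ID is modified EUI-64 (ff:fe in the middle)."""
    iid = (int(addr) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                 # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify(text):
    """Describe an address the way an analyst triaging an account-sharing log would."""
    addr = ipaddress.ip_address(text)
    if addr.version == 4:
        return {"version": 4, "kind": "ipv4", "prefix": None, "eui64_mac": None, "iid": None}
    if addr.is_loopback:
        kind = "loopback"
    elif addr.ipv4_mapped is not None:
        kind = "ipv4-mapped"
    elif addr.is_multicast:
        kind = "multicast"
    elif addr.is_link_local:
        kind = "link-local"
    elif addr in ULA:
        kind = "unique local (ULA)"
    elif addr in DOCUMENTATION:
        kind = "documentation"
    elif addr.teredo is not None:
        kind = "teredo"
    elif addr.sixtofour is not None:
        kind = "6to4"
    elif addr.is_global:
        kind = "global unicast"
    else:
        kind = "reserved"
    mac = mac_from_eui64(addr)
    iid_value = int(addr) & ((1 << 64) - 1)
    if mac:
        iid = "EUI-64 (derived from the MAC, stable across networks)"
    elif iid_value < 0x10000:
        iid = "manually assigned (small integer)"
    else:
        iid = "random or privacy-extension style (RFC 4941)"
    return {
        "version": 6,
        "kind": kind,
        "prefix": str(ipaddress.ip_network(f"{addr}/64", strict=False)),
        "eui64_mac": mac,
        "iid": iid,
    }


if __name__ == "__main__":
    for a in ("2605:6000:2a83:1900:d0a6:76fb:78b6:c18f",   # from the post
              "fe80::a00:27ff:fe3e:1a2b",                   # constructed, EUI-64
              "fd12:3456:789a:1::1"):                       # constructed, ULA
        print(a, classify(a))
```

For the address in the post this reports a global unicast address in 2605:6000:2a83:1900::/64 with a random-looking interface identifier, so there is no MAC to recover; the /64 is what an ISP abuse desk or a whois lookup would resolve to an access network, and it is also the value to compare against your own home prefix when deciding whether the login was yours.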



How do you actually make the determination of going collapsed core or three-tier?

Disclaimer: I'm more of a voip guy

Our network refresh is coming up. We currently have a collapsed core design where our access switches plug directly into our core switches, dual-homed with ECMP routing, and the access switches advertise their local subnets. It works fine.

A member of our team though wants to add a pair of distribution switches to our order and move the access switches there off the core. When challenged on why he just says "it's how you're 'supposed' to do it," and can't explain any of the actual reasons or benefits.

Problem is we're a small IT shop and this substantially increases our price quote and I feel this just isn't necessary. There's only 8 access switches, four on each floor... is that really "big" enough to require a pair of distribution switches?

To me I just don't see what these switches would actually be doing other than just being another bump in the road for the access switches to go through.

I totally get the three tier architecture but I just don't think we need that.



Is QinQ still used by ISPs?

I have a fairly reasonable theoretical understanding of QinQ, and what I heard initially is that QinQ is usually used by ISPs. But then I was told that it's not the case anymore, and most ISPs use PBB or MPLS instead. Now, I have very limited knowledge of those two, so I can't tell if it's a viable claim.

Could you guys shed some light on that?



Guest networks credentials

Hi guys.

Does it make sense for devices to save the credentials on a guest network?

I have some users that only have access to the guest network, and they have been complaining that they have to re-authenticate every time they exit/enter the premises.

But I don't really think that the network should be memorised.

However, I'm still a junior network guy, I want to know the opinion of more instructed people.



auto change host identifier on IPv4 ?

I'm not sure my question is phrased correctly, so here is my question: how does "auto change host identifier" work? Let's see my case: on my university internet, my laptop uses IP 172.20.0.10, but my Android gets 172.20.1.30. As far as I know "0.10" and "1.30" are the host identifiers; how does this "host identifier" change the number "automatically"? I connect to the same AP (Unifi UAP LR). My university uses Mikrotik for the router and Cisco for the switches.



STP in HP2920 with VLAN

Hi team, I'm not able to set up STP between 3 switches using two VLANs. Below is my simple topology: http://ift.tt/2mZUuSH Has someone here already done something like this and can help, please? Thank you in advance.



AWS VPN Customer Gateway configuration with CISCO ASA

I'm attempting to set up a site to site tunnel between an office and an AWS VPC as so

I've done the hard bit and got it all working but for some reason when I apply this config it removes the two existing VPN tunnels I already have set up.

I want to deploy this in a few different geo locations on production ASAs that also have existing VPN tunnels.

Here is my ASA config before

Here is my ASA config after

I apologise in advance for using the

DM_INLINE_

Any help would be extremely welcome. I really don't understand why my existing tunnels are vanishing.



SIP Trunk and UCCX

The customer has a Cisco ISR G2 3945E, CUCM BE6K and UCCX with 18 agents. He wants to configure a SIP trunk between the ISR GW and the SP server, which will serve up to 20000 users. I will use G.729 (8 kbps) for the SIP trunk. What questions should I ask him before the config? Any suggestions about the configuration scenario?

SP SIP Server <-- SIP Trunk --> ISR Router <-- SIP Trunk --> CUCM <--- Integration ---> UCCX

Should we use a SIP trunk between the ISR and the CUCM?



What are the main differences between licensed and unlicensed radio frequencies 'for telecommunications'?

Is it the interference? Distance? Or what?



Micro Segmentation replacing physical firewalls?

Hi guys,

Two of my colleagues went to a conference and were told "micro segregation" is replacing firewalls and hardware firewalls are "outdated", but they do not know the details of it or what it actually is. I find it hard to believe that firewalls are being replaced.

So what is micro segregation and how does it replace a firewall? Sorry for being so vague; I have tried to Google it and it is not helping me find any information to ask a better-formed question.



Incompetent ISP and an enthusiastic CS student.

Greetings /r/networking

I am an undead sophomore CS student (my department is named Computer Engineering but our curriculum is pretty much CS) who is horribly failing at school (since 2010).

After having my family support being cut after dorm/bursary/loan ending too, I ended up working in a hotel as part-time IT.

Sorry for not-so-important personal details, but I thought some background info might help you to understand my perspective & approach at our problem.

So, back to the real topic. When I came here for the first time, the business was using an old hotspot solution with outdated access points deployed in numerous locations in the building.

Due to the domestic laws, we are supposed to log activities of our customers. We had a unix-based central server that serves us as both firewall and also manages captive-portal and logging.

(I am getting to a point where I will reflect my lack of networking knowledge, but here we go...)

At some point, our managers decided to renovate our hotspot system.

We had a contract with our ISP and got their new-shiny(!) Aruba 214 APs deployed.

The problem is, idiots completely ignored the fact that we need a decent NAC solution.

You might wonder where I was when the deal was being made and you are right.

I believe I did my best with explaining how we are supposed to log the usage traffic and we need some sort of integration with our hotel management software.

Seller guy was like "count it done" and all, but once the system went online, I realized they didn't even implement some sort of CRM related verification.

Let me sort our problems in some sort of list to be more clear:

  • Anyone with a GSM number that connects to our AP can get a verification via SMS and get full access to internet connection. This causes literally anyone around our hotel to leech our internet, thus cause unwanted bandwidth usage, speed loss etc.

  • Our foreign customers (around 50% of total customers) may not have roaming enabled, or their GSM service may not have an agreement with our ISP, thus no SMS code is sent. This causes them to NOT have internet access at all!

  • One of our meeting rooms is below entrance floor, thus customers trying to login there don't receive SMS for verification, they also can't use the internet.

So, I contacted the customer representative numerous times and also a lot of companies that sell hotspot services. Turns out our ISP just sucks at hospitality solutions. We are on the edge of cancelling the contract because what they promised and what we have are completely different. Still, I wanted to find some solutions myself before we cancel the contract (with possible charges).

What I figured out as follows:

  • We are supposed to use some sort of Captive Portal regardless what the verification method is.

  • Our ISP seems to use Faraday Network's "Spectrum" WiFi management solution. ISP finally provided me an access to the interface, but it is lacking a lot. For example, it allows us to set polls and add more user data forms, customized captive portal design to be inserted, but it has nothing related to NAC.

  • When I confronted the ISP about everyone being able to connect to our WiFi, they, like a joke, said we can use a whitelist/blacklist (and it doesn't even work: I add the GSM numbers of users with excessive usage but it doesn't save the numbers on the system), which is stupid. Our reception officers can't simply manually add new customers to a whitelist whatsoever.

  • So we need some sort of integration with our hotel management software (I will refer it as ModHotel from now on)

  • For logging, we need to have internet usage activity logged with timestamps and also MAC-citizenship number (for foreign guests, we have passport ID similar to citizenship number). This will allow us to provide logs to officials in case of there is a criminal-case.

  • I researched a bit and also talked to sysadmins of our department in school and read about Packet Fence.

  • I think with enough time invested, I can set Packet Fence up in our hotel using manageable PoE switch and 20 Aruba 214 APs. Still, I have a lot of doubts.

I will need to somehow extract customer data from MODHotel's database, using phone number and citizenship/passport ID to match them with their log.

However this seems to be much bigger than what I can achieve, because I will need to set-up both NAC and Captive Portal and also save logs safely.

I dunno where to start even.

Should I just cancel the contract and get our hotspot installed from scratch with other companies that already solved this hospitality-specialized WiFi?

Should I tell our ISP to go f* themselves and use our own software-side solution about authenticating/logging?

For those who will think "well as an IT, you should have known better about how the system will be deployed, no wonder you fail at school lol" well, you are right a bit, but I was really not given any sort of project or responsibility other than managing company e-mail accounts, some simple help-desk tasks etc.

In the end if I was a network specialist, I would not work in a hotel for something slightly more than min. wage per hour.

Anyway, I kind of wanna commit and solve this hotspot thing, but at the same time the reason we got this project performed by our ISP was not being dependent on "IT guy" or anyone else.

If there was a problem, ISP was supposed to be responsible etc.

How do you guys manage your hospitality-focused logging/NAC solutions?

Should I try and solve it alone? Is it worth it?

I think the personal experience would be worth a lot but at the same time I feel like I am nowhere near to be paid when it comes to "expertise and experience" it takes to solve this.

Sorry for unnecessarily long-post, let me hear what you more-experienced networking members think about this specific situation.

Thanks in advance.

(Will add a tl;dr after lunch break if post isn't dead by then.)



unlicensed radio frequencies is it secure for data communication link ??

I'm kind of new to radio frequencies, so is it secure to use a free unlicensed radio frequency (e.g. 2.4/5/24 GHz) for a data communication link connecting 2 site offices' business LANs together?

Assuming that I will use this link just for extending my connectivity (to the other location) instead of using fiber (hard and cost effective), and I'm already implementing the security parameters in my own infrastructure (firewalls, etc.).

An example of the wireless products I'm thinking of is the 'Ubiquiti Nanostation NSM5, 5GHz'.

And kindly share with me if you have better solutions.

Thanks a lot



Thursday, November 23, 2017

How much time does it take to learn network programming? How advantageous is it for a network engineer? How much demand is there for engineers with network programming skills?

I am an engineer with 5 years of experience in the IT networking domain. I have recently re-certified CCNA R&S. How advantageous is it given my background? How can I get started with that?



Anybody use Non-Cisco SFP and SFP+ with Cisco ACI?

I heard this was not possible any more and that you had to get cisco branded optics.



Silly hypothetical - DSL link over POTS

I saw another post earlier today where a couple was setting up their own rural ISP, using a leased 10G fiber line distributed to households with ubiquiti LOS wifi gear.

I was wondering - if they, or anyone else for that matter - wanted to allow DSL connectivity, what would be involved from a technical and red-tape perspective? I'm assuming you'd have to get some sort of authorization from the telecom that owns the lines, maybe including a certification of your system, and some kind of carrier-grade networking equipment that supports VDSL2?



Enterprise-wide default route swing tonight - shitting myself

I'm trying to get some sleep before tonight I embark on probably one of the biggest potential pending shitstorms in my career in networking....

We are migrating data centers and with that comes internet connections - proxy traffic seems to be flowing through the proxy in the new data centre but tonight is the turn of the 'direct' traffic for shitty legacy apps and that cannot proxy for whatever reason - traffic that uses the default route.

I need to announce the new default route from our new data centre into our MPLS network and nullify the advertisement of the old one. Oh and by the way the powers that be have cancelled the current internet connection and it will be chopped in 6 days (and with it goes IPsec s2s vpns etc)

I'm unsure if anyone is whitelisting our current public IP internet based apps or services, I'm sure countless firewall rules have been missed on the new DC DMZ firewalls too

The task may seem trivial from a 1000 foot view - but on the ground this has been chaos. Rushed. I'm not holding out much hope.

Thanks



Uses of blockchain technology in network security

I have been tasked with giving a 15 minute presentation at a job interview on a topic that I am interested in. I am considering discussing how blockchain technologies can be used to combat network attacks such as DDoS. I have found several resources online with regards to researching this; my question is whether this is a good area for a network engineer role? And in what ways can I improve this stimulus? Many thanks in advance. (If this is the wrong place for the post I apologize.)



icmp-redirect Performance impact

Hi everyone,

We moved to Brocade MLXe-4 as our core routers and noticed very bad performance between VLANs on the same LAG.

In this "router on a stick" configuration with two 10G interfaces we got a throughput of about 46 Mbps between two workstations.

After we disabled "icmp-redirects" globally on the MLX the performance went to wire speed. Can someone please explain this to me? I used Wireshark and haven't seen a single ICMP redirect packet...

Thanks!



Draytek VPN PPTP Issues

Hi all,

So we've just switched to a Draytek Vigor 3900 and have been trying to set up VPNs for users to access network drives etc. from home. From our understanding, this is a fairly simple process that is done by creating user profiles in the router, enabling them to use PPTP and then just giving them the login details?

This works "most" of the time, but for some reason anyone on an iPhone hotspot cannot use the VPN; Windows just keeps spinning when connecting, then throws error 619 (saying the port is now closed or something?). Has anyone had a similar experience?

Also we've added eta.local in the DNS Suffix for their VPN's in the network adapter settings and had to modify a rasphone.pbk document in %appdata% so that windows doesn't try using their VPN logins to access network shares as their windows credentials and VPN ones are different.

Overall however we've been running into all sorts of issues, if it's not the first issue regarding iPhone hotspots not connecting at all, users can't access network shares, their accounts get locked as windows I assume tries loading the network shares with the VPN credentials and the DC locks them out?

Has anyone had similar experiences or can recommend a better way of trying to achieve what we are reliably and conveniently? There's only around 25 users that work from home/on the field.



BGP Adj-RIB-Out

Hi guys,

As I understand to view the Adj-RIB-Out table on a Cisco router you use "sh ip bgp neighbors x.x.x.x advertised-routes"

I have two routers, with two circuits connecting to the same ISP. I influence inbound routing via MED.

Now when I do the above command it doesn't seem to show me my advertised routes WITH the MED set via the route-map. Although the influencing does indeed work as I can see Rx increase on the interface.

R1:
route-map rm-isp-out permit 10
 set metric 10

R2:
route-map rm-isp-out permit 10
 set metric 15

I have lab'd this up and when I do a "sh ip bgp neighbors x.x.x.x routes" on the ISP router I can see the correct MED but still the PE routers don't show this.

My question: How can I verify I am indeed sending the MED to the neighbour if I don't have access to the neighbouring device.
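Added example (not part of the post, and not the poster's config). On IOS, `advertised-routes` lists the entries from the local BGP table that were selected for the neighbor; attributes rewritten by the outbound route-map are applied when the UPDATE is built, which is why the MED from `set metric` does not show up there. Two ways to confirm what actually leaves the router without logging in to the neighbor are `debug ip bgp updates` (rate-limited and CPU-costly, so restrict it to the one neighbor) and a packet capture of the TCP/179 session, decoded by hand. The parser below decodes a BGP UPDATE per RFC 4271 and reports the MULTI_EXIT_DISC attribute (type 4); the sample message is constructed rather than captured, and the ASN and addresses are made up.

```python
import ipaddress
import struct

ATTR_NAMES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC",
              5: "LOCAL_PREF", 6: "ATOMIC_AGGREGATE", 7: "AGGREGATOR", 8: "COMMUNITIES"}
ORIGINS = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}


def parse_prefixes(data):
    """Decode <length, prefix> NLRI entries (RFC 4271 section 4.3)."""
    prefixes, pos = [], 0
    while pos < len(data):
        plen = data[pos]
        nbytes = (plen + 7) // 8
        raw = data[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00")
        prefixes.append(f"{ipaddress.IPv4Address(raw)}/{plen}")
        pos += 1 + nbytes
    return prefixes


def parse_as_path(data, asn_size=2):
    """Decode AS_PATH segments; asn_size is 4 when 4-octet ASNs were negotiated."""
    fmt = "!H" if asn_size == 2 else "!I"
    segments, pos = [], 0
    while pos < len(data):
        seg_type, count = data[pos], data[pos + 1]
        pos += 2
        asns = [struct.unpack(fmt, data[pos + i * asn_size:pos + (i + 1) * asn_size])[0]
                for i in range(count)]
        pos += count * asn_size
        segments.append(("AS_SEQUENCE" if seg_type == 2 else "AS_SET", asns))
    return segments


def parse_update(msg, asn_size=2):
    """Parse one BGP UPDATE (RFC 4271 section 4.3) into withdrawn, attributes, nlri."""
    if len(msg) < 19 or msg[:16] != b"\xff" * 16:
        raise ValueError("bad BGP marker")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != 2:
        raise ValueError(f"not an UPDATE (type {mtype})")
    body = msg[19:length]
    wlen = struct.unpack("!H", body[:2])[0]
    withdrawn = parse_prefixes(body[2:2 + wlen])
    pos = 2 + wlen
    alen = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    attrs_raw, nlri = body[pos:pos + alen], parse_prefixes(body[pos + alen:])
    attrs, p = {}, 0
    while p < len(attrs_raw):
        flags, atype = attrs_raw[p], attrs_raw[p + 1]
        p += 2
        if flags & 0x10:                       # extended-length flag: 2-byte length
            vlen = struct.unpack("!H", attrs_raw[p:p + 2])[0]
            p += 2
        else:
            vlen = attrs_raw[p]
            p += 1
        val = attrs_raw[p:p + vlen]
        p += vlen
        name = ATTR_NAMES.get(atype, f"ATTR_{atype}")
        if atype == 1:
            attrs[name] = ORIGINS.get(val[0], val[0])
        elif atype == 2:
            attrs[name] = parse_as_path(val, asn_size)
        elif atype == 3:
            attrs[name] = str(ipaddress.IPv4Address(val))
        elif atype in (4, 5):
            attrs[name] = struct.unpack("!I", val)[0]
        else:
            attrs[name] = val.hex()
    return {"withdrawn": withdrawn, "attributes": attrs, "nlri": nlri}


def advertised_med(msg):
    """MED carried in the UPDATE, or None when the attribute is absent."""
    return parse_update(msg)["attributes"].get("MULTI_EXIT_DISC")


def build_update(prefixes, next_hop, as_path, med=None):
    """Constructed UPDATE (not a capture) with ORIGIN, AS_PATH, NEXT_HOP and optional MED."""
    attrs = bytes([0x40, 1, 1, 0])                                          # ORIGIN IGP
    path = bytes([2, len(as_path)]) + b"".join(struct.pack("!H", a) for a in as_path)
    attrs += bytes([0x40, 2, len(path)]) + path                             # AS_PATH
    attrs += bytes([0x40, 3, 4]) + ipaddress.IPv4Address(next_hop).packed   # NEXT_HOP
    if med is not None:
        attrs += bytes([0x80, 4, 4]) + struct.pack("!I", med)               # MED, optional non-transitive
    nlri = b""
    for pfx in prefixes:
        net = ipaddress.ip_network(pfx)
        nlri += bytes([net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]
    body = struct.pack("!HH", 0, len(attrs)) + attrs + nlri
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 2) + body


if __name__ == "__main__":
    print(parse_update(build_update(["192.0.2.0/24"], "203.0.113.1", [64512], med=10)))
```

Against a real capture, feed each UPDATE's bytes (the TCP payload, split on the 2-byte length field at offset 16) to `parse_update` and compare the MED on the prefixes sent by R1 with those sent by R2; a missing MULTI_EXIT_DISC attribute means the route-map is not being applied on that session at all, which is the other thing "Rx going up" cannot distinguish from a MED the far side ignores.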



Price check for Cisco qsfp-40g-lr

Anybody have the actual price for these? List price would even work; non-knock-off pricing please.



TP Link Archer C3150 setup as an access point and switch help

Hello all.

I bought two TP-Link C3150 routers and am trying to use one as the main router and the second one as an access point plus switch.

The reason for the 2nd router to also be a switch besides being an access point is because the main router is at the back end of our store, mainly connected to a DVR security system. The 2nd router connects to the main router and then connects to the receptionist's computer, and also acts as an access point to provide an extra area for Wi-Fi connections.

The problem is, all the guides I researched just show how to make the second router an AP. If I disable the DHCP server on the second router, will the reception computer still be able to gain internet connection via the second router?

I use DMZ on the first router to open our IP for public access to our DVR security cam system. However, when I connected the second router with DHCP on, both my receptionist's computer and the Wi-Fi of the second router were working, but the DVR was not working. I suspected it was because both routers are using the same range of IPs for their respective DHCP servers.

I tried to change the range of the second router but got an error code 85011 "please input end up address". I have no idea why this is happening. I switched off the DHCP server for the second router and magically, the receptionist computer still was able to connect to the internet. But my DVR is still not working.

I hope I provided enough information on my situation and I hope some one could help. Thanks!

Update: weirdly, I tried resetting both the routers, setup the first router again and now the DVR is working. I plugged the lan cable from the first router to the second router's WAN port instead of LAN port and the second router automatically detects the settings of the first router and matched the settings including the wifi SSIDs and passwords, as well as login password. Should I now change the IP address of the second router as instructed from the guide to a number outside the DHCP range of the first router?

Also seems like the DVR not working is due to address reservation. Now with address reservation off, the DVR is working again lol. Should I use IP Mac binding instead of address reservation in this case?



High-performance open source VPN gateway as an alternative to a costly appliance

Hi /r/networking, for the last half of this year I have been hacking on libre VPN gateway software for commodity hardware (x86_64 servers): http://ift.tt/2mWbglT

Its intended niche is interconnecting outposts over untrusted lines at 10G, i.e. where network admins traditionally rely on big costly appliances, with the best hardware/energy/maintenance cost-efficiency possible.

Now that I have a working prototype, I am looking for more feedback from practitioners (that's you! ;-)). Are you deploying some kind of VPN gateway? What do you like or dislike about the particular solutions you have deployed? What are must-have basic/extra/maintenance/monitoring features you seek in a VPN solution? SNMP? YANG? IPv6? What would your ideal deployment look like? Do you prefer to buy operation-ready boxes, or do you see benefit in choosing and assembling the hardware yourself? How much value do you see in being able to get the full source code?

Since I am basically asking for free market research here, I can offer to answer any questions you might have for a software engineer working on networking applications. Sorry in advance if this is not a suitable topic for this reddit.



AWS temp hybrid network for reinvent in Vegas

http://ift.tt/2A41BMY

Ohhhhhhhh me likes especially since ill be there to enjoy it!

Also now you know why your L3/Centurylink tickets are taking longer than usual :P Just kidding!



Very specific IPMI VLAN problem (Shared vs dedicated port)

So I have a Supermicro board with a dedicated IPMI port, however it also has an option to share IPMI with one of the LAN ports. On that machine is also a virtual pfSense box.

Now when I put the IPMI port in shared mode and assign it to a VLAN, let's say VLAN 2, and give it an IP of 10.0.2.5, I can only access IPMI management it if I also put the machine I am accessing it from into VLAN 2. However when I set the IPMI to use the dedicated port with the same VLAN and IP setting as before, I can access it from anywhere just fine.

My best guess is that IPMI has something wonky about it that is messing with VLANs on layer 2, considering how in the past Supermicro didn't even support VLAN tagging on IPMI. Did anybody ever encounter anything like this? Any insight you can give me?

I know this is a very specific and unusual problem, and you might say it's not actually a problem since I can always use the dedicated port, but if I have the option to use fewer switch ports I'd take it. And yes, I am aware of the security implications of using IPMI in shared mode and how the OS on that machine can listen in.



Ubiquiti wireless controller software open source?!?!?

Hi everyone, I'm currently working on a wireless project and have been looking for a viable open source wireless controller software. Then I remembered that Ubiquiti offered an amazing controller software; however, after digging a little it seems like a GPL archive was meant to be offered, but wasn't? Doesn't this mean that Ubiquiti's wireless controller code is based off another open source project? People have been saying it's completely written in Java, but I find it hard to believe it was made from scratch... would anyone know what they would've used?

I'd also like to know if anyone on this thread has tried out openwisp or chillispot, would love to have a chat!

Thanks in advance,



ASA LDAPS issues after updating DCs from 2008R2 to 2016

  • After updating DCs from 2008R2 to 2016, LDAPS stopped working. Plain LDAP works just fine.
  • LDAPS is running just fine on the DCs and is serving other servers as expected. The only issues with LDAPS are with the ASAs.
  • The root CA issuing certificates to the DCs didn't change.
  • System clocks show the same time.

 

ASA versions

5520 9.1(7)19

5545x 9.6(3)1

 

Configuration

aaa-server AD (inside) host A.B.C.D
 ldap-base-dn DC=x,DC=y,DC=z
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=d,OU=c,OU=b,OU=a,DC=x,DC=y,DC=z
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map VPN-LDAP-MAP

Debugs

test aaa-server authentication AD host A.B.C.D username test password test
[-2147483625] Session Start
[-2147483625] New request Session, context 0x74b43ccc, reqType = Authentication
[-2147483625] Fiber started
[-2147483625] Creating LDAP context with uri=ldaps://A.B.C.D:636
[-2147483625] Connect to LDAP server: ldaps://A.B.C.D:636, status = Failed
[-2147483625] Unable to read rootDSE. Can't contact LDAP server.
[-2147483625] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[-2147483625] Session End
ERROR: Authentication Server not responding: AAA Server has been removed

NMAP enum ciphers

nmap -p 636 --script ldap-rootdse A.B.C.D -Pn

| TLSv1.0:
|   ciphers:
|     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|     TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|     TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|     TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|     TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|     TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|     TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|     TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - D
|   compressors:
|     NULL
|   cipher preference: server
|   warnings:
|     64-bit block cipher 3DES vulnerable to SWEET32 attack
|     Broken cipher RC4 is deprecated by RFC 7465
|     Ciphersuite uses MD5 for message integrity
| TLSv1.1:
|   ciphers:
|     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|     TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|     TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|     TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|     TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|     TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|     TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|     TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - D
|   compressors:
|     NULL
|   cipher preference: server
|   warnings:
|     64-bit block cipher 3DES vulnerable to SWEET32 attack
|     Broken cipher RC4 is deprecated by RFC 7465
|     Ciphersuite uses MD5 for message integrity
| TLSv1.2:
|   ciphers:
|     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024) - A
|     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024) - A
|     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 1024) - A
|     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024) - A
|     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|     TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|     TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|     TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024) - A
|     TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024) - A
|     TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024) - A
|     TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024) - A
|     TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|     TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|     TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|     TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|     TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - D

Any ideas what to do next?
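As an added example (not code from the post above), here is a small parser for nmap's ssl-enum-ciphers style output, the format the scan in the post produced. It turns the per-version cipher listing into data and then runs the checks a reviewer would apply to it: legacy protocol versions, RC4/3DES/MD5 suites, small RSA or DH parameters, and which TLS 1.2 suites a strict (forward-secrecy, AEAD-only) client could still negotiate. The sample text is a constructed, abridged copy of the post's output, not a live scan; the 2048-bit thresholds are this example's policy, not anything the post states.

```python
import re

# Constructed sample: an abridged copy of the ssl-enum-ciphers style output
# quoted in the post above, not a live scan result.
SAMPLE_OUTPUT = """\
| TLSv1.0:
|   ciphers:
|     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|     TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|     TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - D
|   compressors:
|     NULL
|   cipher preference: server
|   warnings:
|     64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.2:
|   ciphers:
|     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024) - A
|     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|     TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|   compressors:
|     NULL
|   cipher preference: server
"""

VERSION_RE = re.compile(r"^\|\s*(SSLv3|TLSv1\.[0-3]):\s*$")
# suite name, the key-exchange parameter nmap reports ("rsa 1024", "dh 2048"), grade letter
CIPHER_RE = re.compile(r"^\|\s*(TLS_\S+)\s+\((\S+)\s+(\d+)\)\s+-\s+([A-F])\s*$")
LEGACY_VERSIONS = ("SSLv3", "TLSv1.0", "TLSv1.1")
WEAK_MARKERS = ("RC4", "3DES", "_MD5", "NULL", "EXPORT", "anon")


def parse_enum_ciphers(text):
    """Map protocol version -> list of suites offered under it."""
    parsed = {}
    current = None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            current = m.group(1)
            parsed.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            suite, kex, bits, grade = m.groups()
            parsed[current].append(
                {"suite": suite, "kex": kex, "bits": int(bits), "grade": grade}
            )
    return parsed


def audit(parsed, min_rsa_bits=2048, min_dh_bits=2048):
    """Findings a reviewer would raise: legacy versions, weak suites, small keys."""
    findings = []
    rsa_sizes = set()
    for version, suites in parsed.items():
        if version in LEGACY_VERSIONS:
            findings.append(f"{version} enabled (legacy protocol version)")
        for s in suites:
            if any(marker in s["suite"] for marker in WEAK_MARKERS):
                findings.append(f"{version}: weak suite {s['suite']} (grade {s['grade']})")
            if s["kex"] == "rsa":
                # for RSA key exchange nmap reports the server certificate's key size
                rsa_sizes.add(s["bits"])
            elif s["kex"] == "dh" and s["bits"] < min_dh_bits:
                findings.append(f"{version}: {s['suite']} uses {s['bits']}-bit DH")
    if rsa_sizes and min(rsa_sizes) < min_rsa_bits:
        findings.append(f"server RSA key is {min(rsa_sizes)} bits (< {min_rsa_bits})")
    return findings


def modern_suites(parsed):
    """TLS 1.2 suites with forward secrecy and AEAD: what a strict client would accept."""
    return [
        s["suite"] for s in parsed.get("TLSv1.2", [])
        if s["suite"].startswith(("TLS_ECDHE_", "TLS_DHE_")) and "_GCM_" in s["suite"]
    ]


if __name__ == "__main__":
    result = parse_enum_ciphers(SAMPLE_OUTPUT)
    for finding in audit(result):
        print(finding)
    print("strict-client suites:", modern_suites(result))
```

Pipe a real scan in with `nmap -p 636 --script ssl-enum-ciphers <dc> | python3 this.py` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`; the audit output is the list you compare against what the client on the failing side (here the ASA) is willing to negotiate.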



Wednesday, November 22, 2017

When is physically separating networks a necessity?

Long story short, we've engineered a network for a casino. The casino people hired an old IT guy to take things over after we're done with the install. He was pretty blown away that we didn't have the games and the admin stuff on physically separate networks (he doesn't trust VLANs because at his last job a security auditor was able to hop VLANs, and he's not willing to admit this was a config issue on his part).

His reasoning isn't great IMO, but this got me wondering, is there ever a reason where you would want/need physically separate networks rather than VLANs, for legal or other reasons?



firewall routes - static vs. dynamic

I have a scenario where I have a firewall that has a trunk link to a switch. That switch links to multiple customers, each in their own VLAN. Typically we run an IGP between the firewall and the customer so any new routes that they advertise are learned by the firewall. The firewall links up to a campus core where customers' routes are advertised.

Problem I am having is this. If the customer needs to see certain traffic coming from the campus as a different source IP, then we would need to create a new sub-interface on the firewall, create new NATs and then use 'STATIC ROUTING'. The reason is that for some reason (someone here may know better) OSPF will not form an adjacency between the customer router and the firewall along the sub-interface if there is already an OSPF adjacency between the two. Not sure why; I would assume it's a different "interface" altogether. The workaround is static routes pointing out the new sub-interface, and that traffic gets translated to the source the customer wants to see.

So my question is this... Is there a scalable design that can be maintained here?



Effects of broadcasts

So I always hear about how VLANs create more broadcast domains and essentially limit the amount of broadcast traffic on a given network.

My question is when do you actually see this being an issue and have it impact performance? Would 240 hosts on a /24 really show performance issues due to broadcasts?

I'm a field engineer currently and don't have as much hardcore networking experience as I'd like, so please forgive my ignorance if this is asked quite often.



Net Neutrality Posts

Hey all,

While we understand that Net Neutrality is a sensitive subject right now, this topic is not exclusive to Enterprise Networking.

In addition, these types of discussions tend to attract the wrong crowd and overly aggressive vocalization.

We don't have any issue with content submission beyond spam, but for the time being links or discussions to Net Neutrality will be removed.

There is a thread that has been approved for ongoing discussions.



PSA: The case against cheap NICs from eBay

The issue: http://ift.tt/2AoJuEl

Model details: HLF1081A NO: 9700

Image of unit: http://ift.tt/2zYA9SN

As a warning this could save a lot of problems and wasted troubleshooting for those who buy them off eBay. Be warned. I was fortunate enough to check before beginning to use them! These are only for a homelab and I'll just need to remember to keep them on separate broadcast domains.

Local stores had them for AUD$35-40, online stores had them for around $15-20 with a few days delivery time and eBay was ~$5-7. This will surely be a valid reason to ask for my money back or a full refund on at least one unit.



Cisco AP 3702 cannot be 'Primed'

Hi Network Gurus!

Would like to consult you on something. Setting up a vWLC (Cisco Virtual Wireless LAN Controller, v8.4.100) and integrating Cisco AP 3702UXK9 in my network.

I was able to broadcast the SSID with the 2.4GHz domain but I was not able to do the same with the 5GHz band. Read Cisco documentation and found out that I need to 'Prime' my APs.

Tried downloading the application on my Android phone and my iPhone but it still says 'try to connect on a universal AP', although the setting on my WLAN 'Universal AP Admin' is enabled. Configured country code is okay as well, but it shows 'UX' in the specific AP.

Hope someone here can help.

Thank you!



Net Neutrality and SD-WAN

I know people are probably tired of seeing Net Neutrality posts, and yes we know a lot of the doomsaying is overblown... but this topic interests me.

After repeal, do you think it's possible at&t would say "ok, we're not going to allow vpn tunnels between UVerse and Comcast DSL subnets anymore?" Or any other combination of providers?

Could that kill SD-WAN and effectively force customers to go back to using expensive MPLS?



Reading material

Hey guys, I feel like I'm probably asking a question that there is already an answer to somewhere, but at the moment I'm currently studying networking and sort of struggling. I was wondering what reading material you guys would recommend to help me advance?

I would say I have an okay knowledge of networking so far but would like to further that knowledge. I could easily look for books or material myself, but I was hoping to get an opinion from people who know what they're talking about.

This is my first time visiting this sub reddit so apologies if there is already places to find this information, I’m currently on mobile and couldn’t see any.



Why Speed and Duplex setting are not set to the maximum by default ?

I just installed Ethernet instead of using Wi-Fi on my main PC. I was wondering why I was getting only 80-100 Mbps instead of the 250/250 my older PC gets. I thought my cable was faulty.

I found in speed and duplex it was set to 100 Mbps and not 1 gigabit. Luckily that fixed the issue; now I'm getting 250/250.

But why is it at a lower speed by default? Considering my older PC was an easy plug and play and with full speed.



Juniper L3 VPN/MPLS VRF export policies

Hi All

Wondering if someone can assist with a VRF export issue I am having. I wish to only export the 27.144.1.40/29 network. Below is the config:

set policy-options policy-statement VRF-Export-Policy term 1 from route-filter 27.144.1.40/29 exact accept

set policy-options policy-statement VRF-Export-Policy term 1 then reject

set routing-instances VRF vrf-export VRF-Export-Policy

However, when I import this VRF on another PE into another VRF using the below import policy:

set policy-options community Grey-VRF members target:64000:666

set policy-options community Cust1-VRF members target:64000:777

set policy-options policy-statement VRF-Import-Policy term 1 from community Grey-VRF

set policy-options policy-statement VRF-Import-Policy term 1 from community Cust1-VRF

set policy-options policy-statement VRF-Import-Policy term 1 then accept

set routing-instances Cust1-VRF vrf-import VRF-Import-Policy

No routes are being learnt. However, when I don't apply a VRF export policy, all routes are being learnt. How do I go about filtering a specific route on an export policy?

Thanks



HP Procurve K-series firmware and RFC 3021 (/31 support)

Does anyone know if the latest K-series firmware (K.16.02.0021 or similar) for HP Procurve switches support /31 mask?

I have a bunch of 3500yl switches without support agreement or anything that I will use.



BGP Static Neighbor

Does anybody know what the standard behavior is for the TCP listener associated with a static BGP neighbor on Cisco & Juniper hardware?

With a static neighbor configured, does Cisco IOS reject TCP connections from other source addresses (that don't match)?

On Juniper gear is this behavior the same?

Can't find the behavior documented anywhere.

Thanks.



Trouble connecting between two subnets

I have subnet: 255.255.255.252

I have subnet 255.255.255.240

I have a router.

GigabitEthernet 0/0 interface is configured with the following host address: 192.168.0.65 /30. Connected to this interface is an end-device with the following host address: 192.168.0.66 /30

GigabitEthernet 0/1 interface is configured with the following host address: 192.168.0.33 /28. Connected to this interface is an end-device with the following host address: 192.168.0.35 /28

None of my end-devices can ping each other. The /28 end-device can ping both GigabitEthernet 0/0 and 0/1. The /30 end-device can only ping 0/0.

Router is a Cisco 1941 router.

What seems to be the problem here?



Research project about GSM alarm system

Hi, I want to do research on GSM alarm systems for my final institute class. Can anyone help me with where to start, what the important things to talk about are, and where to find some useful information? Thanks for your answers.



Doubt about Net Neutrality

I'm from South America and here we have some countries with Net Neutrality laws. I'm trying to convince people to help this cause, but everyone seems to think that because we have these laws what happens in the USA won't affect us... but my logic tells me that it can perfectly well affect us, since if from here I use a service that has its server in the USA my experience can be degraded because (as I understand it) the American ISP could:

  • Limit the internet to the server that I'm using.
  • Limit connections with South American ISPs.

Am I correct or wrong?



Juniper EX Stability

I'm just curious about other people's experiences with Juniper's EX series switches. I have multiple platforms (all access switches) that I have been deploying for the past 4 or so years. However, they seem buggy as shit. Here are the platforms I have deployed

  • EX-4200-48T
  • EX-3300-48P
  • EX-3300-24T
  • EX-2300-48P
  • EX-2200-48P

I have had the following issues.

  • EX-4200-48T - Randomly crash. Software update fixed it. Been fine since.
  • EX-3300-48P - Doesn't mark DSCP values for most interfaces. Some interfaces work ok, but others just don't get marked. Software upgrade appears to fix the issue. However, since the upgrade the Master RE now crashes once a week.
  • EX-3300-24T - Master RE crashes randomly
  • EX-2300-48P - All services crash and restart. After the services come back up PoE doesn't work at all. Only a reboot will get PoE working again
  • EX-2200-48P - No problems with this one

Those are my main concerns. There's also other weirdness like not loading a config when losing power. Another time I couldn't commit changes due to a file locking issue in BSD.

Has anyone else experienced this many problems with these access switches? I really like JunOS, but I'm not sure I can, in good conscience, keep deploying these switches.



Network monitoring software

At work we are experiencing seemingly random connection drops to our ISP.

in the past we have had networking issues due to our internal traffic. As far as we can tell we have solved all these issues but the possibility remains.

We need someway to correlate the outages against internal traffic.

Simply looking at logs or using wireshark has proved fruitless so far.



FTD Clustering or ASA Clustering

Anybody running these in production? Would you do it again or go with active standby?



Connecting Extreme Network switches to HPE FlexFabric - Issues with MLAG possibly

Hi,

We have two extreme network core switch stacks. (made up of two switches each). They are connected together using load sharing or port channel to us normal people. And use MLAG to connect to a number of distribution switches, also extreme networking. There is no spanning tree due to EN stating not to use it when having MLAG in place.

We are connecting in a new HPE FlexFabric 5700 switch stack (made up of 2 switches). The ideal is to connect two ports to one core stack, and two ports to the other core stack.

We have setup the LACP connectivity on the HPE side, having two bridge aggregation ports. Connecting from two ports on the HPE to one core switch. Works fine. LACP etc all done. When you connect the other two ports to the second core switch, you get a network loop.

Now I believe the right way to do this, is to have on the HPE switch, one bridge aggregate made up of 4 ports. Connect two ports to each core switch stack. And configure the core switch stack ports as MLAG members.

Anyone any suggestions or am I in the right area?

EDIT: Rang Extreme Networks; basically the answer is one bridge agg on the HPE with all 4 ports. Set up sharing on the Extreme switch (2 ports per switch) with LACP, then mark the ports as MLAG:

enable mlag port x:x peer "peer name" id X

and voila



INE Black Friday "deal", already have a beefy lab environment. Should I do the all access pass or the CCIE bundle?

Think the only thing I would miss out on are the workbooks, I'd have the videos in the all access pass still, wouldn't I?



New pfSense installation: Gateway offline, No WAN internet

Hi,

I'm pretty new to networking and firewalls configurations. Basically I replaced the old sysadmin in my company, and I didn't get too much information about the firewalls and the network.

This is our network topology pretty much:

( we have our own hosted cabinet in a datacenter )

So, Datacenter Internet > 3Com Switch > physical pfSense Firewall > Dell Switch > All other servers.

Now, I'm trying to install a new virtual pfsense firewall.

I connected 1 of the ESXi ports to the 3Com Switch and the other port to the Dell Switch.

Now, I created a pfSense VM with 2 NICs, WAN & LAN, and assigned the NICs to the right WAN.

I have range of IP's the datacenter assigned for us:

( Just an example )

10.0.0.1/248 - 6 IPs

So I tried to configure the WAN interface IPv4 with 10.0.0.3, and set the gateway as 10.0.0.4.

( My physical firewall also uses 10.0.0.4 as gateway ).

It doesn't work on the VM, just no internet and it shows the gateway as 'Offline'. I also cannot ping 8.8.8.8 or anything.

might be a stupid question but can't I configure any IP of the range I have as a gateway?

I guess I'm missing something but I have no clue what.



The internet is under attack. We need a backup plan!

The Fight for net neutrality might not succeed. We need a backup plan. These Communities are fighting for an open internet, beyond the ISP. Share This Now http://ift.tt/2b9sAKi http://ift.tt/2jN1oJO http://ift.tt/2zrrSaO



World's Most Extreme Datacenters

This is quite fun - it shows the datacentre in a chapel that Dan Brown referenced in his last book, and shows Yahoo at the height of their power building one inside a chicken coop!! lol.

http://ift.tt/2zdiJP5



Should option 43 always be received in a DHCP offer?

Looking at RFC3925, option 43 responses are offered when an option 60 attribute are specified by the client.

Now most vendor implementations indicate that option 60 must be configured on the server end as well as the client, except for juniper who indicate it only needs to be configured on the client’s end, and do not make the option available when setting the pool

Most wireless vendor articles on the subject indicate that a server will ONLY reply with option 43 when a client sends and option 60 that is also configured on the server end.

See this DHCP offer from a MS DHCP server to an Aruba AP which has broadcast a DHCP REQUEST with the option 60 field set on both the client and server end.

this to me looks like the correct behaviour of option 60 & 43.

Now when I plug my Win10 laptop into the same network and request an IP address from the same server, I receive the same option 43 response back even though the Win10 option 60 field is not set on the DHCP server. The option 60 response is also not sent back to the Win10 client.

so, my questions are;

  1. what is the correct interpretation of the RFC?

  2. should servers respond with option 43 to clients whose option 60 attribute is not set on the server?
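As an added example (not code from the post or from any DHCP server the post mentions), the following models the vendor-class-keyed behaviour the post describes: the server encodes its options as DHCP TLVs, and it includes option 43 only when the client's option 60 string matches a class the server has a payload for. Everything here is constructed: the vendor-class table, the controller address, and the sub-option layout inside option 43 (option 43's contents are vendor-defined; the nested code/length/value style is common but this example's code 1 = controller IPv4 is hypothetical). A server configured to hand out option 43 as a plain scope option rather than under a vendor class would skip the class lookup and send it to everyone, which is the other behaviour the post observed.

```python
import socket

OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_VENDOR_SPECIFIC, OPT_VENDOR_CLASS = 53, 43, 60
DHCPDISCOVER, DHCPOFFER = 1, 2

# Constructed server policy keyed on the option 60 string the client sends.
# The option 43 payload is a hypothetical nested TLV: sub-option 1 = controller IPv4.
VENDOR_POLICY = {
    b"ArubaAP": bytes([1, 4]) + socket.inet_aton("10.0.10.5"),
}


def encode_options(options):
    """Encode [(code, value_bytes), ...] as DHCP TLVs, terminated by END (255)."""
    out = bytearray()
    for code, value in options:
        if not 0 < len(value) <= 255:
            raise ValueError(f"option {code}: length {len(value)} does not fit one TLV")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(data):
    """Parse DHCP TLVs into {code: value}; stops at END, skips PAD, rejects truncation."""
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        opts[code] = bytes(value)
        i += 2 + length
    return opts


def build_offer_options(request_options, policy=VENDOR_POLICY):
    """Server side: attach option 43 only when the client's option 60 names a known class."""
    offered = [(OPT_MSG_TYPE, bytes([DHCPOFFER]))]
    vendor_class = request_options.get(OPT_VENDOR_CLASS)
    if vendor_class in policy:
        offered.append((OPT_VENDOR_SPECIFIC, policy[vendor_class]))
    return encode_options(offered)


def controller_ip_from_offer(offer_bytes):
    """Client side: read sub-option 1 of option 43 as an IPv4 address, or None."""
    opts = decode_options(offer_bytes)
    if OPT_VENDOR_SPECIFIC not in opts:
        return None
    sub = decode_options(opts[OPT_VENDOR_SPECIFIC])   # same TLV grammar, nested
    if 1 in sub and len(sub[1]) == 4:
        return socket.inet_ntoa(sub[1])
    return None


# Constructed client requests: an AP announcing a vendor class the server knows,
# and a Windows client ("MSFT 5.0" is the class Windows sends) that it does not.
AP_DISCOVER = encode_options([(OPT_MSG_TYPE, bytes([DHCPDISCOVER])),
                              (OPT_VENDOR_CLASS, b"ArubaAP")])
WIN_DISCOVER = encode_options([(OPT_MSG_TYPE, bytes([DHCPDISCOVER])),
                               (OPT_VENDOR_CLASS, b"MSFT 5.0")])

if __name__ == "__main__":
    for name, req in (("AP", AP_DISCOVER), ("Windows", WIN_DISCOVER)):
        offer = build_offer_options(decode_options(req))
        print(name, "->", controller_ip_from_offer(offer))
```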



Q-in-Q: where did the terminology "push, swap, pop" come from?

I thought it was from a standard, but I don't see it in 802.1ad. I see it in Juniper docs and a little bit in Cisco (push, pop). Basically, my question is: is it standards-based terminology or vendor-based?
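Whatever the origin of the words, the three operations are simple byte-level edits on the frame header, and an added example (not code from the post) makes the terminology concrete: push inserts a new outermost tag after the two MAC addresses, pop removes the outermost tag, and swap rewrites its VID while keeping PCP/DEI. The example uses the 802.1Q TPID 0x8100 for the customer tag and the 802.1ad TPID 0x88A8 for the service tag (0x9100 is also recognised, as a pre-standard Q-in-Q TPID some gear still accepts); the frame bytes are constructed.

```python
import struct

TPID_CTAG = 0x8100   # 802.1Q customer tag
TPID_STAG = 0x88A8   # 802.1ad service (provider) tag
TAG_TPIDS = {TPID_CTAG, TPID_STAG, 0x9100}   # 0x9100: pre-standard Q-in-Q TPID


def push_tag(frame, vid, tpid=TPID_STAG, pcp=0, dei=0):
    """Insert a new outermost tag right after the destination/source MACs."""
    if not 0 <= vid <= 0xFFF:
        raise ValueError("VID must fit in 12 bits")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def _outer_tag(frame):
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid not in TAG_TPIDS:
        raise ValueError(f"outermost ethertype 0x{tpid:04x} is not a VLAN tag")
    return tpid, tci


def pop_tag(frame):
    """Remove the outermost tag, exposing the next tag or the payload ethertype."""
    _outer_tag(frame)
    return frame[:12] + frame[16:]


def swap_tag(frame, new_vid, new_tpid=None):
    """Rewrite the outermost VID (and optionally TPID) in place, keeping PCP/DEI."""
    tpid, tci = _outer_tag(frame)
    tci = (tci & 0xF000) | (new_vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", new_tpid or tpid, tci) + frame[16:]


def outer_tag_fields(frame):
    """(tpid, pcp, dei, vid) of the outermost tag."""
    tpid, tci = _outer_tag(frame)
    return tpid, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def tag_stack(frame):
    """Return ([(tpid, vid), ...] outermost first, payload_ethertype)."""
    stack = []
    off = 12
    while True:
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
        if ethertype not in TAG_TPIDS:
            return stack, ethertype
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        stack.append((ethertype, tci & 0x0FFF))
        off += 4


# Constructed untagged IPv4 frame: dst MAC, src MAC, ethertype 0x0800, dummy payload.
UNTAGGED = bytes.fromhex("0011223344550066778899aa") + b"\x08\x00" + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    customer = push_tag(UNTAGGED, 100, TPID_CTAG, pcp=5)   # customer edge adds C-tag 100
    qinq = push_tag(customer, 500)                          # provider edge pushes S-tag 500
    print("stack after push:", tag_stack(qinq))
    print("stack after swap:", tag_stack(swap_tag(qinq, 600)))
    print("stack after pop: ", tag_stack(pop_tag(qinq)))
```

Note that push only adds four bytes per tag and never touches the payload, which is why a provider edge can stack tags without understanding the customer's frame; the MTU on the core links has to grow by four bytes per tag to carry it.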



Tuesday, November 21, 2017

Anyone have a rough estimate of the percentage of Backbones are owned by Universities?

I remember a conversation a while ago with a university Network Engineer who was talking about something along the lines of "most internet backbones are owned by Universities and then leased to commercial backbone providers due to how ARPANET and other predecessors were historically built out." Anyone know if that claim (presently) has merit, or if it was likely just loose-small talk?



Another Network Engineer who wants to enter Security.. Where can I Learn so I know enough to pick what security field I want to enter?

I currently have an ITPro Subscription. And I am not against doing CBT Nuggets for a month or 2 for some basic learning. (These are supplemental. And I use them to give me basic knowledge of a topic before delving deeper in various ways.)

I ask because I have been wanting to get into security for a bit, but I hit a bit of a road block where I just do not know what the fields are.

Like many of you, I assume, I can find what I need to find and teach myself when I know what I need to learn.

But when it comes to security.. All I can think to do is just watch all the things.. And that has simply not sounded enjoyable.

I need a little bit of an end goal and some paths to choose from.

To be clear I am not asking about certifying in anything. I want to KNOW and work in the field.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Method to extend Cat5e?

Hello, is it possible to extend a Cat5e cable using a keystone? One side would plug in with an RJ45 connector and the other would be punched down. Are there any disadvantages to this? The keystone will be wrapped with electrical tape to prevent dust build-up.



r/Networking should get involved

If this post isn't allowed, I apologize ahead of time. However, I find it really ironic that r/Networking hasn't said anything about Net Neutrality. I think it's up to us to clear out confusion or misleading information about what would happen were NN repealed. After all, this is OUR spectrum of expertise. We are all in some way subject matter experts. What are some general opinions about how this would affect networking operations, data centers, enterprise/business networks, and the internet in general?



ASA NAT to multiple outside IP addresses

We are hitting port exhaustion on our single-address NAT. Trying to change the NAT object to a range results in loss of connectivity.

It works when I run it as:

nat (Inside,Outside) after-auto source dynamic INSIDE_SUBNETS interface 

But not when I run it as

nat (Inside,Outside) after-auto source dynamic INSIDE_SUBNETS OUTSIDE_NAT_POOL 

Pool config:

sh run obj net in | incl NAT_POOL
object network OUTSIDE_NAT_POOL
 range 1.2.3.4 1.2.3.5

Where am I going wrong? There are several other after-auto NATs that are working correctly, but are all configured with a single IP or configured to use the interface.



ASA as a VPN Server Only

Hey all, I'm currently trying to set up an ASA 5525-X as an AnyConnect VPN server. The interesting part is that I'm using this as strictly a VPN box where my redundant ASRs are responsible for NATing/routing in and out of the LAN. I'm thinking there are two ways to approach this. One would involve having the ASA use an inside and outside interface, so clients would come in through the outside interface but servers on the LAN would go through the ASRs. This would give me a dedicated LAN and WAN port but might muddy up routing in the sense that it's another box in the OSPF topology. Having said that, I'm not sure how much of a kludge that would really be in the grand scheme of things.

The other alternative is to set up 1:1 DNAT rules for port 443 on the ASRs pointing to the ASA. The ASA would be in a one-arm setup where there is only one way for everyone to get in and out. Again, not sure how much this would look if I'm setting up the same DNAT rule on two routers.

Has anyone set up an ASA in a similar fashion? What are everyone's thoughts? I can clean up the post as needed and answer any other questions about the environment. Thanks in advance!



Explain Net Neutrality like I'm a Network Engineer (I am)

I'm a system/network admin and have been for decades. I'm pretty libertarian politically, so I'm skeptical of net neutrality. To that end, can someone explain from a technical standpoint how such legislation (or its repeal) would affect transit, peering, and networking on an enterprise level, rather than just the typical "pay more for certain sites" consumer-oriented explanations?

Not looking to argue the merits one way or the other, but rather understand what it actually entails for the underlying technology.



Help me setup this network

I have to upgrade a medium-sized school campus network, which contains around 1500 users and 70 access points.

We use 6 Cisco 2960s as access switches and one 3850 as the core switch, all connected in a daisy-chain manner.

I was planning to stack the current 2960 switches and connect each stack to the core switches, which would be 2 Cisco 3850 switches.

If I do this kind of setup, will it cause a data bottleneck?

I am also planning to set up BYOD, where I need only a basic setup.

I first considered Cisco ISE, but later thought it will be way more expensive and that I should use a Cisco ASA or Fortinet to do the basic BYOD setup.

Can you guys advise me on this setup, how should I move forward with this?

How should I connect the core and access switches? Can I use 4 stacks, each stack containing 2 switches, connecting to a stacked 3850 core?

Should I go with Fortinet or ASA for BYOD?

I need your help, I am new to all this.



"Trunk Cable" "Harness Link"

Can anyone explain like I'm 5 what the infrastructure components mentioned are for, what they do, and what the ends plug into? Let's say it's based on an MPO fibre connector. I'm really stuck and could do with some help. I've googled and watched videos; I'm after a simplified explanation if possible. Thanks



No TCP handshake?

So I have tried to find another topic about this with no luck. I have a log server that is being accessed over port 1433. On computers this is working with, a sniff on my firewall shows what I would expect. PC->Server / Server->PC:1433 SYN - SYN ACK - ACK - PSH - with SYN flags in between the rest of the ACK flags.

The PCs that aren't working, the traffic I'm sniffing on the firewall only shows. PC->Server:1433 ACK Server->PC:1433 ACK PC->Server:1433 ACK Server->PC:1433 ACK Etc....

The log application allows the user to login, but then just sits there loading. I let it sit for 10 minutes of consistent traffic without a single SYN, PSH, RST, FIN.

I see the traffic passing on both sides, so I know it's getting through but I can't figure out what the flags on the non-working PC are telling me. The networks are coming in on VPNs, and this is with multiple systems also, so I know it isn't the PC itself.

Anyone have any tips?
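The two captures described in the post are exactly what a stateful device distinguishes: a flow whose first packet is a SYN walks through SYN_SENT, SYN_RECV and ESTABLISHED, while a flow whose first packet carries only ACK has no handshake the device ever saw, whether because the handshake took another path (asymmetric routing) or because the session predates the device's state table. An added example (not code from the post) shows that classification as a minimal flow tracker run over constructed packet records that mirror the post's two cases; the addresses and ports are made up.

```python
from collections import defaultdict


class TcpFlowTracker:
    """Minimal stateful view of TCP flows, in the spirit of a firewall's session table.

    feed() returns the flow's new state. Flows whose first observed packet carries no SYN
    are marked MIDSTREAM and the reason is recorded in anomalies[flow_key].
    """

    def __init__(self):
        self.state = {}
        self.initiator = {}
        self.anomalies = defaultdict(list)

    @staticmethod
    def flow_key(src, sport, dst, dport):
        """Direction-independent key so both halves of a conversation share state."""
        a, b = (src, sport), (dst, dport)
        return (a, b) if a <= b else (b, a)

    def feed(self, src, sport, dst, dport, flags):
        key = self.flow_key(src, sport, dst, dport)
        f = frozenset(flags)
        state = self.state.get(key, "NONE")
        if "RST" in f:
            new = "CLOSED"
        elif state == "NONE":
            if f == {"SYN"}:
                new = "SYN_SENT"
                self.initiator[key] = (src, sport)
            else:
                new = "MIDSTREAM"
                self.anomalies[key].append(
                    f"first packet seen has flags {sorted(f)}, no SYN")
        elif state == "SYN_SENT":
            # the SYN/ACK must come from the responder, not the initiator
            responder = (src, sport) != self.initiator[key]
            new = "SYN_RECV" if f >= {"SYN", "ACK"} and responder else state
        elif state == "SYN_RECV":
            from_init = (src, sport) == self.initiator[key]
            new = "ESTABLISHED" if "ACK" in f and "SYN" not in f and from_init else state
        elif state == "ESTABLISHED":
            new = "CLOSING" if "FIN" in f else state
        else:
            new = state
        self.state[key] = new
        return new


# Constructed capture: (src, sport, dst, dport, flags). First flow is a normal
# handshake then data; second flow is the ACK-only pattern from the post.
SAMPLE_CAPTURE = [
    ("10.1.1.10", 50001, "10.9.9.5", 1433, ("SYN",)),
    ("10.9.9.5", 1433, "10.1.1.10", 50001, ("SYN", "ACK")),
    ("10.1.1.10", 50001, "10.9.9.5", 1433, ("ACK",)),
    ("10.1.1.10", 50001, "10.9.9.5", 1433, ("PSH", "ACK")),
    ("10.2.2.20", 50002, "10.9.9.5", 1433, ("ACK",)),
    ("10.9.9.5", 1433, "10.2.2.20", 50002, ("ACK",)),
    ("10.2.2.20", 50002, "10.9.9.5", 1433, ("ACK",)),
]


def summarize(capture):
    """Run the tracker over a capture; return {flow_key: (final_state, anomalies)}."""
    tracker = TcpFlowTracker()
    for src, sport, dst, dport, flags in capture:
        tracker.feed(src, sport, dst, dport, flags)
    return {key: (state, tracker.anomalies.get(key, []))
            for key, state in tracker.state.items()}


if __name__ == "__main__":
    for key, (state, why) in summarize(SAMPLE_CAPTURE).items():
        print(key, state, why)
```

Feeding a real capture into this means extracting the 5-tuple and flag set per packet (for example from `tshark -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags.str`); flows that end up MIDSTREAM are the ones to trace back to where their SYN went.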



Upgrading WLC to deal with WPA2 "KRACK" seems like a nightmare

So due to the WPA2 "KRACK" thing happening about a month ago we've been looking at upgrading our HA-paired WLC 8540 to partially deal with the problem from the infrastructure side.

We're currently on the 8.2 train and we don't want to take too big a step forward at a time, so we've been looking at 8.2.166.0 and 8.3.133.0, both of which are supposed to deal with the KRACK problem.

Looking at the currently Open Caveats for both releases I'm starting to not want to upgrade... there are multiple big things giving me nightmares.

8.3.133.0 has fewer bugs overall but really serious stuff like this. Apparently I should be worried the NICs of the WLC won't work after the upgrade? What the f----

8.2.166.0 has a GIGANTIC list of Open Caveats, many of them just as serious as the bug above, with WLCs crashing left and right... AP 2700 series seem to run like shit if all these bugs are to be believed, and we mainly have those.

How are all of you dealing with the problem? Anyone running any of these versions without big trouble?



Thinking about moving from Network Engineer role to Security. What to expect?

As my title said, I have a potential opportunity to move from my current role as a network engineer into a security role at a new company. This change would also come with a considerable pay bump and better benefits.

Currently I am the only network guy in a company of 4000 employees, so I get a lot of hands on stuff and plenty to do. My education included a healthy blend of network and security, and I always thought a lot of the security principles were interesting.

What could I expect moving to a security role instead? Would I potentially find it boring? What sort of things should I ask at an interview?



Riverbed asymmetrical routing question.

I have a question about how Riverbed handles asymmetrical routing but all the documentation I can find only considers routing asymmetrical if there is a Riverbed on one side of the connection and not the other. I have a design that requires 2 MPLS circuits from ISP managed routers to terminate on a single Riverbed on both sides of the connection. I want to do equal cost load balancing and utilize both circuits but I'm not sure how the Riverbed will react if traffic passes destined for circuit A but the return traffic from the remote site takes circuit B back. Again, both circuits will pass through the Riverbeds on both ends. Does anyone have any experience with this? Thanks.



Firewall to switch LACP link issues - drops ping every 30 seconds

We have a FortiGate 100D connected to a pair of stacked Netgear M4300s via LACP. Two ports on the firewall -> Cat 6 cables -> one port in each Netgear.

I noticed "occasional" network hiccups and started troubleshooting.

I can ping the firewall IP (say 192.168.1.1) from the outside and lose no pings. I can ping the switch IP (say 192.168.1.2) from the inside and lose no pings. Pinging 192.168.1.2 from 192.168.1.1 (and the reverse) at 1 second intervals results in a ping timeout every 30 seconds.

A vendor has suggested starting further troubleshooting by changing cables, but I won't be able to do that until next week.

Ninja Edit: The LACP settings are the defaults on both devices. This didn't get noticed until it was in production, so I don't want to just start throwing settings at that... :End Ninja Edit

Any suggestions on where to start looking for the cause? From what I can tell it is exactly every 30 seconds which is leading me towards some sort of negotiation occurring at that interval.

Edit: I also see a pause in RDP sessions and other transfers every 30 seconds which coincides with dropped ping. This is where I first noticed the issue.



Questions about rmon/snmp and history/stats

I have been trying to get some monitoring going with cacti and I got it working on our Avaya switches easily enough with enabling snmp and rmon.

I was not returning any values until I used the following command on port 1/1 of my main switch (to see WAN connectivity bandwidth):

rmon history 1 1/1 owner "WAN (history)"
rmon stats 1 1/1 owner "WAN (stats)"

Now, the documentation with Avaya isn't all that well done, so I am trying to figure out everything on my own and without any real expertise.

I typed in this command because it made sense when I was reading through stuff, and obviously my stats starting rolling in. But I am not sure exactly what I am doing with it and what sort of things I should be doing to get my data sets properly.

I am more of a systems guy but have about 20 odd years of experience in switching and routing, but by no means am I advanced or expert level. :)

So please, if someone could give me a quick rundown that's easy to understand with rmon, buckets, best practices, etc and whatever else you think I might need to know.

Thanks!



Change Management Best Practices for vlans

Trying to incorporate VLANs into our relatively "flat" network and am getting some push back from a couple of techs. They insist that "the way we've always done it" is to submit Change Management for each new VLAN. This seems to me to be a complete waste of time. What is considered "Best Practice" for this?



WiFi issue, taking laptop home, wifi doesn't work on return to work

Recently redid the network of one of the schools I work for.

Re-subnetted, re-vlan'd, changed wifi passwords.

All teachers are on laptops (HP ProBook 640 G2). A couple of them take them home at night, and when they come back in the morning, in order to get on wifi they have to forget the network and rejoin.

I've updated drivers, I've wiped all wifi networks from the laptop I've been using to troubleshoot. I can't replicate the problem while onsite.

My laptop (a Dell), has no issues swapping between the 5 schools that are all setup nearly identical, the only differences being SSIDs and IP Schemes. 3 of the 4 other schools are also using the same laptops, and also I am not hearing any issues there.

It feels like it may be their home network scheme is messing something up when they report to work?

Aruba APs, HP Switches, Fortinet Firewall managing DHCP. No servers.



URL Redirects - Do Firewalls Care?

My company hosts our own website (let's call it abcd.com). Our internal and external apps all make calls to www.abcd.com.
Recently, the decision was made to move our main site, www.abcd.com, to a 3rd party web hosting company. The immediate problem is - instead of rewriting all of our apps to look elsewhere, we are asking our hosting provider to setup URL redirects to point back to us so our apps will continue to function.

Our clients' firewalls... Will they block either of these scenarios?

Scenario 1: Client-A is whitelisting *.abcd.com. Will the firewall suddenly care that traffic first gets resolved to 3rd party hosting company's ip 1.2.3.4 then gets redirected to our ip at 5.6.7.8?

Scenario 2: Client-B is whitelisting 5.6.7.8 (our IP), will the firewall deny because the traffic first resolves www.abcd.com to 1.2.3.4 and that isn't whitelisted? Or is there some magical exception since the traffic would be redirected to 5.6.7.8? (Which is whitelisted)

Just when I think I know the more obvious stuff.. stuff like this humbles me :)



Please join "Stop the FCC from ending Net Neutrality" Facebook Group

My goal is to get the word out as much as we can, so we can STOP the FCC from ruining many of the important Net Neutrality rules.

URL for FB group is

http://ift.tt/2zq1Dl0



VLAN mystery

Okay guys/gals, I have a good one for you. I'm having a very interesting problem, if you consider it that, because everything works...Ha. Theoretically, I don't think this is possible. It's a complete violation of 802.1Q. Anyways, I'll do my best to explain it fully and clearly.

My test machine (HP EliteDesk | Win10 | 64-bit) is plugged into an access switch (Cisco small business SGE2010P) via ethernet cable. The port it's plugged into is an access port with VLAN 20 untagged. The access switch has a trunk port going directly to our core layer 2/3 infrastructure (Juniper VCF consisting of QFX 5100s and EX4300s). The trunk link has VLAN 1U, 20T, and 22T, U for untagged and T for tagged.

If I do an ipconfig /release and /renew on this machine, sometimes I get a .20 address... sometimes I get a .22 address. No matter what address I get, .20 or .22, everything works fine. I even tried reserving an IP in DHCP on the .20, since that's what VLAN the port is on, /release /renew, get a .22.

What in the world is going on here? How is it possible to first, have 100% functionality with a .22 IP address on a VLAN 20 port, and second, get a .22 IP address from DHCP on a VLAN 20 port? I'm really confused. I appreciate you taking the time to read this and help me out. Let me know any thoughts, comments, suggestions.



BGP Question - How much information does it store?

Hello,

While I do understand the basic concept of BGP, I've never had practical experience with it, and I keep reading in articles that if you have a router in your network running eBGP for your internet-facing routes, you will also receive "the entire internet's routing table" as updates, if configured.

Now, having a full routing table available of the complete topology of the internet would be a massive amount of data? And that for me is the definition of a link-state protocol like OSPF or IS-IS, to have the entire topology at hand. And as I understand, the massive amount of routes that you'd have in BGP if you knew the topology of the entire infrastructure that makes up the internet, would just be too much.

So how much information does my BGP instance really know? Are there different settings for this in a router configuration?



Can I set up a CoovaChilli splash page w/o a Radius server for OpenWRT edgerouterlite router?

I'm using a Ubiquiti EdgerouterLite flashed with OpenWRT 15.05, I have a Ubiquiti Nanostation Loco M2 w/ default firmware broadcasting the SSID, I'd like the OpenWRT router to display a html/css splash page I made to anyone connecting to the SSID but don't know how to set up RADIUS. Can this be accomplished w/o it? I'm going to attempt and host the Apache server on the router as well (although I hear that OpenWRT has one built in?) Thank you.



New Draytek 2862 vs Ubiquiti USG-Pro 4

Has anyone had any experience/thoughts on the new Draytek 2862 ?

I am looking for a router and firewall for a small business and cannot decide between the 2?



Please help. Small business , sharing software licences between separate LAN's.

I very rarely resort to asking question like this and will normally get by with reading previous posts. However; this time I am out of my depth. I don't even know which keywords to search!

I am starting a small business that will have less than 10 employees, all working either from home or from remote locations. We are using Sharepoint and Office 365 for email and document storage.

We also need to be able to share licenses for a few pieces of specialist software. The software licenses would normally be shared by a bunch of people on the same LAN. Each piece of software has a licensing client that makes sharing over a LAN very easy. The problem is that I have no idea how to achieve this between distinct LANs.

My guess is that we either need a physical server somewhere, or a virtual server. We would then load the licensing clients onto this server and each of us would use a VPN tunnel to access the licenses from our own LAN. I can easily build a server and get a static IP address, if that is what is needed.

Is it possible to do this without paying a VPN provider? Could I just point the other users to a static IP? Is it possible and economically viable to pay for a virtual server (can Azure do this)?

Everything I google just seems to come up with ways to make my browsing private, or how-to-guides for specific router to router connections.

Any advice at all, even just better key words to search, would be greatly appreciated.



Monday, November 20, 2017

Looking for an enterprise grade LTE router/modem combo for OOB and backup connectivity...

So far I’ve found Cradlepoint and Cisco... looks like Huawei has some, documentation is sketchy.

Anything else?



How do I best restrict inbound traffic on individual VLANs?

For maximum segmentation and control, we have over 30 VLANs. What's the proper way to control inbound traffic from each subnet?

If a router or L3 switch is doing the VLAN/routing, you are limited to ACLs. When I try to restrict inbound traffic using ACLs, it blocks responding traffic from inbound connections. For instance, pretend this ACL is applied to fa0/0 inbound:

    ip access-list extended WEBSERVER
     permit icmp host 10.20.110.80 any
     permit udp host 10.20.110.80 host 4.2.2.2 eq domain
     deny ip any 0.0.0.0 0.255.255.255
     deny ip any 10.0.0.0 0.255.255.255
     permit tcp host 10.20.110.80 any eq www
     permit tcp host 10.20.110.80 any eq 443

If I try to connect to 10.20.110.80 on fa0/0 on port 80, the traffic from the host is sourced by some random port like 57644 and therefore is blocked by the inbound ACL since it doesn't match the rules.

I want that host to be able to create outbound connections for DNS, HTTP, HTTPS but I also want it to accept inbound connections since I need it to also host a website.

Am I applying ACLs incorrectly? Do I need to do this on an ASA?

Thanks for any help.
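The mechanics behind the question, as an added example that is not part of the original post: an IOS extended ACL is read top to bottom, the first matching line decides, and anything unmatched hits the implicit deny. Applied "in" on fa0/0 the list governs the packets the host sends, and the `eq www` / `eq 443` keywords on the posted lines are destination-port matches, so the host's own replies to visitors (source port 80, random destination port, ACK set) never match a permit. The model below runs the posted list and the same list with a `permit tcp host 10.20.110.80 any established` line in front of it. The client address 203.0.113.10 (TEST-NET-3), the port numbers and the packets are constructed for the demonstration.

```python
"""Stateless ACL walk-through for the "inbound on fa0/0" case.

Added example, not from the original post.  Models Cisco IOS extended ACL
evaluation (top to bottom, first match wins, implicit deny at the end) and
runs the host's outbound packets through the list as posted, then through
the same list with an "established" line in front.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ack_or_rst: bool = False    # TCP ACK or RST flag: what "established" keys on


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str                        # network in CIDR form
    dst: str
    sport: Optional[int] = None     # None means any
    dport: Optional[int] = None     # "eq www" in IOS is a *destination* port match
    established: bool = False

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and (self.sport is None or p.sport == self.sport)
            and (self.dport is None or p.dport == self.dport)
            and (not self.established or p.ack_or_rst)
        )


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry decides; no match at all is the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


HOST = "10.20.110.80"
ANY = "0.0.0.0/0"

# ip access-list extended WEBSERVER, as posted, applied inbound on fa0/0
WEBSERVER = [
    Ace("permit", "icmp", f"{HOST}/32", ANY),
    Ace("permit", "udp", f"{HOST}/32", "4.2.2.2/32", dport=53),
    Ace("deny", "ip", ANY, "0.0.0.0/8"),
    Ace("deny", "ip", ANY, "10.0.0.0/8"),
    Ace("permit", "tcp", f"{HOST}/32", ANY, dport=80),
    Ace("permit", "tcp", f"{HOST}/32", ANY, dport=443),
]

# One extra line at the top: "permit tcp host 10.20.110.80 any established"
# lets the host's replies (ACK set, source port 80/443, random destination port) through.
WEBSERVER_ESTABLISHED = [Ace("permit", "tcp", f"{HOST}/32", ANY, established=True)] + WEBSERVER

CLIENT = "203.0.113.10"   # constructed outside client (TEST-NET-3)

# Packets the host itself emits, i.e. what arrives inbound on fa0/0 (all constructed)
host_opens_http = Packet("tcp", HOST, 57644, CLIENT, 80)                 # host browsing out
host_dns = Packet("udp", HOST, 40001, "4.2.2.2", 53)
host_to_10net = Packet("tcp", HOST, 57645, "10.20.120.5", 80)            # hits the deny first
host_syn_ack = Packet("tcp", HOST, 80, CLIENT, 57644, ack_or_rst=True)   # reply to a visitor


def verdicts(acl: List[Ace]) -> dict:
    """Verdict per sample packet for the given list."""
    return {
        "host_opens_http": evaluate(acl, host_opens_http),
        "host_dns": evaluate(acl, host_dns),
        "host_to_10net": evaluate(acl, host_to_10net),
        "host_syn_ack": evaluate(acl, host_syn_ack),
    }
```

The `established` keyword only inspects the ACK/RST bits, it does not track connections, so any segment the host sends with ACK set passes whether or not a real session exists. That is acceptable for letting a web server answer, but per-VLAN inbound control that actually follows connection state is a job for a stateful engine (an ASA, IOS Zone-Based Firewall, or at minimum reflexive ACLs), not a plain ACL.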



BGP - Same AS at multiple internet sites - allowas-in or iBGP?

I've got two sites in the US (different states) with BGP peering to different ISPs with our same AS. Both advertise different chunks of one of our /20's.

Site A gets full tables, site B just a default route (although this may change at some point).

Site A won't install any routes from Site B (via the internet) because it sees its own AS in the path (this is expected).

I'm curious what people prefer in this situation. "allowas-in"? iBGP between my edge routers via the internet? Something else?



CUCM 9.0 Global Address List Smart Phone Contacts Seeing User Extension

I am not completely sure how to describe this issue but I will do my best to explain. I can't help but feel that other people have encountered this problem and overcome it.

From my research as well as TAC cases I understand that in CUCM 9.x the directory search for extension will only display the number listed under the "Telephone Number" field from Active Directory (if you are using LDAP synced users).

This is fine for the most part but the problem is that when users on their smart phones go to search the Global Address List for a contact, the number listed as "work" is the same number listed in the "Telephone Number" field for the user in Active Directory.

This is very undesirable for the users as it is of no value to have a four digit extension number when you are calling from the PSTN. My initial attempt to address this was to simply move us to ten digit dialing, but that was met with considerable resistance by my decision makers.

Has anyone else overcome this problem? I feel like there should be a way to present additional numbers in the global address list such as the "IP Phone" field and others. I'm not an expert on Exchange or the general behavior of the Global Address List so I am not really sure where to go to resolve this.

If anyone has any suggestions or has overcome this issue in some other way I would greatly appreciate hearing about it.



Captured traffic on both sides, sequence numbers don't match up

I captured both sides of a conversation, but when I go to look at the packets in Wireshark they are different sequence numbers. Any idea what could cause it?



Basic Real-world Bandwidth cost of 1Gbps to 100mbps.

I know it will vary wildly from appliance to appliance - But does anyone know of any basic metrics out there on the media conversion impact on 1Gbps -> 100Mbps. I've been trying to find some resources on this to convince our ISP to give us gigabit up-links instead of multiple LACP'd 100Mbps links to get our 300Mbps advertised bandwidth. I've already got a lot of data on the switch level that shows high packet input/output queue drops which may be enough.



Cisco CLI Filtering -extracting specific patterns from output

Hi guys

Is it possible to extract certain pattern matches from the command line using regular expressions ?

Example: from show version I would like to extract only the SN or the OS version and remove all the wording around it
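An added example, not part of the post: the IOS output filters (`show version | include Version`, `| exclude`, `| begin`, `| section`) take a regular expression but only select whole lines; they never trim the wording around the value. Isolating just the serial or version is done off-box, for instance when building an inventory to match against PSIRT advisories. The two `show version` texts below are constructed samples, not output from any real device, and the hostnames, serials and versions in them are invented.

```python
"""Pull version and serial out of "show version" text with regular expressions.

Added example, not from the post.  include() mimics the IOS "| include"
pipe (whole lines); extract() returns only the values, which the pipe
cannot do.  Both sample outputs are constructed.
"""
import re

IOS_CLASSIC = """\
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.0(2)SE11, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Sat 11-Mar-17 04:12 by prod_rel_team

ROM: Bootstrap program is C3750E boot loader

core-sw1 uptime is 1 year, 12 weeks, 3 days, 4 hours, 12 minutes
System image file is "flash:/c3750e-universalk9-mz.150-2.SE11.bin"

cisco WS-C3750X-48P (PowerPC405) processor (revision A0) with 262144K bytes of memory.
Processor board ID FDO1234X0AB
"""

IOS_XE = """\
Cisco IOS XE Software, Version 16.09.04
Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.9.4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
cisco C9300-48P (X86) processor with 1419044K/6147K bytes of memory.
Processor board ID FOC2222ZZ99
"""

# First banner line: "Cisco IOS Software, ..., Version <v>," or "Cisco IOS XE Software, Version <v>"
VERSION_RE = re.compile(r"^Cisco IOS(?: XE)? Software.*?Version\s+([^,\s]+)", re.M)
# Serial: "Processor board ID <sn>", or "System serial number : <sn>" on some platforms
SERIAL_RE = re.compile(r"^(?:Processor board ID|System [Ss]erial [Nn]umber\s*:)\s*(\S+)", re.M)
HOSTNAME_RE = re.compile(r"^(\S+) uptime is ", re.M)


def include(text, pattern):
    """Equivalent of IOS '| include <regex>': matching lines, kept whole."""
    rx = re.compile(pattern)
    return [line for line in text.splitlines() if rx.search(line)]


def _first(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None


def extract(text):
    """Only the values: what a parser adds over the on-box pipe filters."""
    return {
        "version": _first(VERSION_RE, text),
        "serial": _first(SERIAL_RE, text),
        "hostname": _first(HOSTNAME_RE, text),
    }
```

The serial regex accepts both spellings because the field name varies by platform; where it matters, compare the extracted value against `show inventory`, which lists serials for every field-replaceable unit rather than only the chassis.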



Cisco switch cat 3850 NTP to server not syncing

I'm trying to sync my Cisco switches to an NTP server (CentOS 7). I issue the command #ntp server 192.168.1.5 version 2

Show ntp status displays the following:

    Clock is unsynchronized, stratum 16, no reference clock
    nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
    ntp uptime is 107900 (1/100 of seconds), resolution is 4000
    reference time is 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
    clock offset is 0.0000 msec, root delay is 0.00 msec
    root dispersion is 16.19 msec, peer dispersion is 0.00 msec
    loopfilter state is 'NSET' (Never set), drift is 0.000000000 s/s
    system poll interval is 8, never updated.

Any thoughts?
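"stratum 16 ... reference time 00000000 ... never updated" means the switch has not accepted a single reply yet, which is a different problem from a reply with a bad offset. Before blaming the `version 2` keyword (servers normally answer with whatever version the request carried), it helps to know what a client checks in each reply before trusting it. The added example below, which is not from the post, builds the 48-byte client packet and applies the basic sanity checks from RFC 5905 to two constructed replies: one from a healthy stratum-2 server, and one from a server that has no time source of its own yet and therefore answers with leap indicator 3 and stratum 16. The server addresses 192.168.1.5 and 192.0.2.1 (TEST-NET-1) are placeholders.

```python
"""SNTP request builder and reply sanity check (RFC 5905, simplified).

Added example, not code from the post.  query() is the live path a
practitioner would run against the real server; the two replies at the
bottom are constructed so the checks run offline.
"""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
NTP_PACKET = "!BBbb11I"         # 48 bytes: 4 header bytes + 11 x 32-bit words


def _to_ntp(ts):
    """Unix time -> (seconds, fraction) of an NTP 64-bit timestamp."""
    ts += NTP_EPOCH_OFFSET
    secs = int(ts)
    return secs, int((ts - secs) * (1 << 32))


def build_packet(mode, version=4, li=0, stratum=0, ref_id=0, xmit=None):
    """mode 3 = client request, mode 4 = server reply."""
    secs, frac = _to_ntp(time.time() if xmit is None else xmit)
    return struct.pack(NTP_PACKET, (li << 6) | (version << 3) | mode,
                       stratum, 6, -20,        # poll 2**6 s, precision 2**-20 s
                       0, 0, ref_id,           # root delay, root dispersion, reference id
                       0, 0, 0, 0, 0, 0,       # reference / originate / receive timestamps
                       secs, frac)             # transmit timestamp


def parse_packet(data):
    f = struct.unpack(NTP_PACKET, data[:48])
    stratum = f[1]
    ref_raw = f[6].to_bytes(4, "big")
    # Stratum 1 carries a 4-char clock name ("GPS"), stratum 2+ the upstream IPv4 address.
    if stratum == 1:
        ref_id = ref_raw.decode("ascii", "replace").rstrip("\x00 ")
    else:
        ref_id = socket.inet_ntoa(ref_raw)
    return {
        "li": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
        "stratum": stratum, "ref_id": ref_id,
        "xmit": f[13] - NTP_EPOCH_OFFSET + f[14] / (1 << 32),
    }


def reject_reason(reply):
    """None if a client would use this reply, otherwise why it discards it."""
    if reply["mode"] != 4:
        return "not a server reply (mode %d)" % reply["mode"]
    if reply["li"] == 3:
        return "leap indicator 3: server clock not synchronised"
    if reply["stratum"] == 0 or reply["stratum"] >= 16:
        return "stratum %d: server unsynchronised (or kiss-o'-death)" % reply["stratum"]
    if reply["xmit"] <= 0:
        return "zero transmit timestamp"
    return None


def query(server, version=4, timeout=2.0):
    """Send one request to a live server and parse the answer (not run offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_packet(3, version=version), (server, 123))
        data, _ = s.recvfrom(48)
    return parse_packet(data)


# Constructed replies (version 2, echoing a "version 2" request):
GOOD_REPLY = build_packet(4, version=2, stratum=2,
                          ref_id=int.from_bytes(socket.inet_aton("192.0.2.1"), "big"))
UNSYNCED_REPLY = build_packet(4, version=2, li=3, stratum=16)
```

On CentOS 7 the default daemon is chronyd: `chronyc tracking` shows whether it has a source of its own (until it does, clients reject its replies exactly as above), `/etc/chrony.conf` needs an `allow` line covering the switch subnet before it will serve anyone, and UDP/123 has to be open in firewalld (`firewall-cmd --add-service=ntp`). On the switch, `show ntp associations` shows whether replies are being received at all. None of these checks authenticate the server; plain NTP replies are trivially spoofable on the LAN, which is what NTP authentication keys are for.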



Saw a tweet today from the VP of Networks of Netflix. I need help understanding it

I saw this tweet today: https://twitter.com/dtemkin/status/928689879302651904

And I simply don't understand it. Netflix is no longer using Cisco or Juniper but rather "commodity switches." Huh? I guess I don't understand what exactly it is they're doing.

It sounds like they're doing something totally different from what I've seen so far. Does anyone know what it is? Is there something I can read to understand better?

There is some talk later on in the comments about switches having "partial routes" and "full routes". Almost sounds like switches running BGP. I'm lost. Anyone know?



Looking for inexpensive managed high density SFP Switch.

Hi,

I work for a smaller ISP running FTTH and we're looking for inexpensive options for switches that have many SFP ports on them. We've bought and started to implement PLANET switches at our nodes as they were inexpensive ($1-2k) but now we're running into issues where the copper ports for management randomly stop working or the SFP ports between switches randomly disconnect, requiring either an entire switch reboot, or an on-site visit to physically unplug and replug the connectors into the switch. This, among other issues (non-existent MIBs so SNMP walking is atrocious, terrible tech support, etc.)

PLANET doesn't seem to be an option anymore at this point considering the problems we've been having. We've looked at the new Mikrotik 16 port SFP switches that came out at end of September, but we need something with more port density.

I've looked at other switches, but it seems like I can only find switches that run into the 10's of thousands of dollars or so... We've looked at FiberStore switches, but we are cautious about them... Has anyone used these before?

Are we just going to have to bite the bullet and purchase more expensive switches?

Any recommendations would help. Thanks in advance.



Fortigate firewalls... any good?

Anyone here have experience with Fortigate products? How do they compare to Checkpoint in terms of performance and reliability?

We have Checkpoints currently and have been running into performance and reliability issues (particularly when the Infosec team goes crazy with their vulnerability scans, but also from DoS attacks from the web). The Fortigate salespeople claim they are the only ones in the space offloading traffic to ASICs. Is this true and does it make a difference in real life?

Edit: Not sure why I'm getting so many downvotes.. is it because you've had bad experiences with Fortigate? Or because you think the question isn't appropriate for the sub? Either way, feedback would be appreciated.



Thoughts on Ubiquiti vs Netgear Switches

Hi

Crossposted from /r/homelab .

Currently the "IT Person" for a small office in Canada in a building with two floors. Rooms are pre-wired with three wiring closets connected by conduits. I've got my network topology figured out, just deciding on which switches to get. Nothing fancy for the requirements, just basic VLANs with an EdgeRouter X doing all of the routing.

  • 24 port Ubiquiti switches. Have this narrowed down to the ES-24-LITE-US or the US-24-US.
  • 24 Port Netgear Smart Switch (GS724T)

I'm leaning towards the Netgear switches since they would handle functionality just fine and would come with a lifetime warranty (with supposed next business day replacement) as well. Can get them on Amazon for approx. $270+GST.

In contrast the Ubiquiti EdgeSwitch Lite is about $10 cheaper, probably has more developed features (and more timely software upgrades) but only has a one year warranty. Even if bought with a credit card, that would only be extending the warranty for an additional year. The other Ubiquiti switch is approx. $20 more expensive and can be integrated with the controller software used for our Unifi AC-LR WAP. One year warranty as well.

Can anyone share their experiences or recommendations. I guess this boils down to if the Netgear warranty outweighs the Ubiquiti software and software updates.

Thanks



Cisco 8945 unable to setup video

We have an office in South America that is getting this message when making inter-office calls. I've expanded the bandwidth in location in CUCM. I've also checked the routing, latency and bandwidth between offices and everything appears good. For a test I had a user dial someone within their office and it works (just to make sure the camera wasn't turned off).

What else should I check? Voice works fine but the video on the Cisco 8945 phones displays the error message "unable to setup video".



NX-OS commit confirmed equivalent?

Hi,

Does NX-OS have the ability to do a junos style commit confirmed with an automatic rollback after a specified period of time?

I have seen that I can edit the config in a 'session' but there is only a commit option with this, am I missing something?

Thanks



CUCM Time Period Configuration

Wanted to double check on this. Last admin didn't have any holidays configured in CUCM. I'm trying to automate this so I don't have to waste my holidays forwarding numbers, but I'm pretty green when it comes to CUCM.

When setting up a two-day time period, will the below work for being closed on Thursday & Friday? It would be a little more clear if it said "Through" instead of "Until." Looked through documentation but wanted a second opinion....Thanks in advance!

imgur.com/a/aRWaS



Wireless bridge, cheap solution?

Currently looking into creating a wireless bridge between two houses; both have an antenna mast and LOS of about 300m (1000ft). Speed is not an issue, since we’re only looking to use it for a DSL internet connection (20-30Mbps).

I’ve looked at the Ubiquiti Nanostation Loco, Picostation and Rocket, but we’re not set on Ubiquiti, so other suggestions are welcome.

Does this sound feasible, and what are your recommendations for this sort of situation? Budget is an issue.

Thanks!



Load Balancer Help

I'm looking to implement a highly available load balancing system for public web server. The web server will be running web apps built in ASP.NET and running on Windows servers. Currently we have just one web server running the apps, but will be adding another in the near future and more if/when the performance boost is needed. Money is an obstacle. Performance is a must. And easy manageability would be great. I've looked at just about every free version that falls under a google search, but my lack of expertise in this area hinders me from knowing if a free one will hold up under pressure. Any suggestions, advice, links, or best practices are appreciated.



No Internet On VLANS

I have internet on our default data network VLAN 2, but can't seem to get internet on VLANs 7 or 8. DHCP is configured correctly, pointing devices on each VLAN to the IP of the switch, and IP leases are also going out correctly; please see config.

Startup configuration:

; J9089A Configuration Editor; Created on release #R.11.119

    hostname "OZZYSSW2"
    trunk 49-50 Trk1 Trunk
    ip routing
    snmp-server community "public" Unrestricted
    vlan 1
       name "maint"
       ip address 192.168.2.16 255.255.255.0
       tagged Trk1
       no untagged 1-48,51-52
       exit
    vlan 2
       name "data"
       untagged 4,37-48,51-Trk1
       ip address 192.168.1.16 255.255.255.0
       exit
    vlan 3
       name "voice"
       untagged 1-3,5-36
       ip address 192.168.3.2 255.255.255.0
       qos priority 5
       ip helper-address 192.168.1.5
       tagged 4,Trk1
       exit
    vlan 4
       name "cameras"
       ip address 192.168.4.2 255.255.255.0
       ip helper-address 192.168.1.5
       tagged Trk1
       exit
    vlan 8
       name "Guest Wifi"
       ip address 192.168.8.2 255.255.255.0
       ip helper-address 192.168.1.5
       tagged 47,Trk1
       exit
    vlan 6
       name "MUISC"
       ip address dhcp-bootp
       tagged Trk1
       exit
    vlan 7
       name "Music Streaming"
       ip address 192.168.7.2 255.255.255.0
       tagged Trk1
       exit
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    primary-vlan 2
    spanning-tree Trk1 priority 4
    password manager
    password operator



Moronic Monday!

It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.



Cisco ASR1002 and LAG on 10Gb ports?

Is it possible to run LAG (LACP) across two of the 10Gb cards on an ASR1002?

I know you can do it on the 1Gb built in ports and I know the option is there for the 10Gb ports at least it allows me to type it under the 10Gb interface. I can't actually run it at the moment though as it's a production router.

Thanks



Troubleshooting with PSPING

So I'm trying to have one of my workstations PSPing a server via port 80 (on the same network) and it just keeps timing out.

I have tried disabling the firewall on both the server and workstation and still get the error. DNS is working fine as it resolves the name (and I can ping it). Any thoughts?

Edit: I have also used the -f switch on an admin console to bypass any firewall rules, but as stated above it doesn't even work with the firewall turned off. Also I have done a Wireshark capture on the device I'm sending the PSPing to and I can see it coming over, but then I get a RST packet following shortly after.
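A SYN that is answered with a RST and a SYN that gets no answer are different diagnoses: the RST comes from the target's TCP stack (or a host firewall configured to reject) and says nothing is bound to that port on the address you hit, while silence means the SYN was dropped somewhere or the reply never came back. The added example below, not part of the post, reproduces both outcomes against 127.0.0.1 so it runs offline; the port numbers are whatever the kernel hands out.

```python
"""Three outcomes of a TCP connect: open, refused (RST) or filtered (silence).

Added example, not part of the post.  A port check with psping or a plain
"telnet host 80" yields the same three results; this reproduces open and
refused on the loopback interface.
"""
import errno
import socket
import threading


def tcp_probe(host, port, timeout=2.0):
    """Return "open", "refused", "filtered" or "unreachable" for host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"            # SYN -> SYN/ACK -> ACK completed
        except ConnectionRefusedError:
            return "refused"         # SYN answered with RST: nothing listening on that port/address
        except socket.timeout:
            return "filtered"        # no answer at all: SYN dropped, or the reply black-holed
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable" # ICMP unreachable or no route
            raise


def _accept_one(listener):
    conn, _ = listener.accept()
    conn.close()


def demo():
    """Probe a port that has a listener and one that does not."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # kernel picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    threading.Thread(target=_accept_one, args=(listener,), daemon=True).start()

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                     # no longer bound, never listening: SYNs here get a RST

    try:
        return tcp_probe("127.0.0.1", open_port), tcp_probe("127.0.0.1", closed_port)
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

A service that is stopped, bound only to 127.0.0.1, bound to a different address than the one being probed, or listening on another port all produce the "refused" case; on the Windows target, `netstat -ano` lists what is actually bound to TCP/80 and which PID owns it.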



Network Operators and Net Neutrality, where do you stand as a professional?

I'm not sure if this is allowed but it's really the only place aside from /r/sysadmin I thought the question would be appropriate.

With all of the talk about net neutrality it got me thinking. At the end of the day a network engineer/system engineer somehow, somewhere is implementing these changes into a network. Be it DNS filtering, rate limiting/shaping and monitoring of data streams. Are these people fundamentally different to the people who are in this subreddit?

If you were faced with this moral dilemma to perform some of the changes to your networks (monitoring traffic, shaping users, blocking certain sites based on your organization's requirements from others) would you oppose them and leave or is the role too important and would you implement them, would you uphold the integrity of the Internet?



Understanding FirewallD and relationship between services and rich rules

Hello,

I'm currently setting up a small group of blades to be used for rendering at my university. At the moment I'm using KVM to access the blades, but I'm trying to switch this over to SSH. I'm trying to set up the firewall (CentOS) to only allow connections from internal university networks, so anyone outside has to VPN in to access the blades.

At first I left the Public zone as is and added the rich rules you see below. But this would still allow me to SSH into the box regardless of originating IP. When I remove ssh from the services, only then does it require me to use the VPN service to gain access. To me this seems backwards, as my understanding is that the services would obey the rich rules and only allow access to those within the guidelines, but instead seem to be imposed as gatekeeper overrides and allowing anything to get through. By not setting any services in the rich rules I thought they would apply to all connections attempts/types.

Is there something incredibly basic that I'm missing here? I've gone through multiple Unix/Stack Exchange posts as well as the RHEL documentation but I can't find any information that clearly explains my situation. If there is my eyes are blind at 3 in the morning. Any help would be appreciated!

    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: enp3s0f0
      sources:
      services: dhcpv6-client
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
        rule family="ipv4" source address="XXX.XXX.0.0/16" accept
        rule family="ipv4" source address="XXX.XXX.XXX.0/19" accept
        rule family="ipv4" source address="XXX.XXX.XXX.0/18" accept


Help understanding capture: Lots of duplicate ACKs after window update

http://ift.tt/2hECEzh

I'm troubleshooting a slow connection on one particular segment of my network. I noticed a ton of duplicate ACKs in the capture, starting directly after a window update. I took screenshots of the capture and the TCP graph. Can anyone help me interpret this?



Sunday, November 19, 2017

From Engineer to Management

Hello fellow Dudes and Dude-ettes.

I've been a Network & Infrastructure Security engineer for almost 12 years now, not including my time as a student or intern at Dell, Cisco or Boeing. Most of this time spent at Mega-Corps (FANGs of San Fran and Seattle), doing Cloud IaaS, Data Center and High Security Top Clearance stuff.

However, in the past few months I feel as if I am done with being an Individual Contributor. Meaning, the more Leadership opportunities I take on and execute successfully, the more intellectually and socially stimulated I become. It's addicting, fun, stressful and building a team and/or program seems to be something I do well.... At least, according to my peers.

I've been offered the opportunity to begin transitioning into a Sr Manager, then later Director role, at my current company.

I... I think I'm going to take it.

As a Engineer (Principal Engineer something something standard title), my salary is capped, stock is capped, bonuses are capped and there is no higher ceiling to shatter. I feel that I finally have enough Knowledge, Experience and Wisdom to really lift other peers up and help them become exceptional engineers. It's so rewarding and in my opinion, far more impact is possible when leveraging the best and worst of others in a team to deliver something.

*So - my question.*

How many of you made a successful (or unsuccessful) transition to being a Team Lead, Engineering Manager and/or Director / Senior Director in the Networking space?

Can you tell me your stories, should I do it? If it helps, I'm an exceptional people person and social butterfly, who happened to be good at the Technical side of the house.

tl;dr - Go into Leadership? Tell me your stories? I'm good at it so far. I don't want to be a piece of shit manager / director, as I have worked for plenty of shitty people before.



No ping on static network

Hi guys, I have a customer in the company who has a static network (I hope that's the correct term). They have no DHCP server, and every device's MAC address has to be authenticated in the network first.

We are exchanging there our old devices to new ones. That means the IP address of the devices has to be always the same as the old device, just the MAC address is new.

When I installed the new device it gets no internet connection and they said they can see it has been plugged in to the switch but they cannot ping it. The old device could be pinged and had internet connection.

Two things are for sure: they have authenticated the MAC address of the new device, and the second is that all network properties of the new device are the same as the old one (IP, netmask, default gateway).

I have advised them to clear the ARP table maybe the old entry for the old device preventing the new one to connect, but they said there is no ARP entry for the old device nor the new one.

Do you have any idea what could prevent the device to connect? I would very welcome a little help!



Network Access Control (Clearpass etc)

Hi, not sure if it is the right sub... do you guys have any experience with any NAC (i.e. Clearpass)? What we are trying to do is to allow endpoints based on certain criteria (i.e. if the computer is in a domain and so on, or if it has an antivirus installed). I know Microsoft NAP is gone; Clearpass looks like a very expensive, extremely granular (= no one will maintain it properly) piece of software. Any experiences/suggestions?



EIGRP issue - how to force EXTERNAL EIGRP routes to be preferred over INTERNAL EIGRP routes

Hello,

I have a situation where routes being learned from EIGRP that is redistributed from BGP are being preferred over routes learned from EIGRP connected to backup VPN routers using GRE over IPSec tunnels.

What we have is an MPLS topology using EIGRP for route distribution internally (redistributed from BGP from the MPLS provider).

For BACKUP if / when these MPLS connections go down, we have VPN routers using GRE over IPSec with Tunnel interfaces.

Because the GRE over IPSec is considered INTERNAL EIGRP, and the BGP redistributed into EIGRP is considered EXTERNAL EIGRP (because it's redistributed via another routing protocol), the BACKUP routers are always being preferred over the MPLS routers.

The metric from EXTERNAL EIGRP from the MPLS providers routers is 170.

The metric from INTERNAL EIGRP from the GRE over IPSec tunnels is 90.

How can we force the EIGRP from the EXTERNAL EIGRP system (MPLS Providers routers) to be preferred over the GRE over IPSec EIGRP ??

We have full control over the backup routers (Internal EIGRP), and we can set admin distance, delay, bandwidth, etc....if the change needs to happen on the MPLS providers side, we would need to make a change request.

It would be easiest to make the change on the INTERNAL EIGRP. If we could get the METRIC to be higher than 170, that would fix it. I'd rather not set static routes with a manual metric higher than 170, but that of course will be our last resort.

Thank you!
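The numbers 90 and 170 in the post are administrative distances, not metrics, and that is the whole story: when one prefix is learned as EIGRP internal (AD 90) and as EIGRP external (AD 170), the router installs the lower AD and never compares metrics across the two, so changing delay or bandwidth on the tunnels cannot help. What does help is changing the distance itself with `distance eigrp <internal> <external>` under `router eigrp` on each router that learns the prefix both ways, for example `distance eigrp 180 170`. The model below is an added illustration, not part of the post; the prefix 10.50.0.0/16, the next-hop names and the metric values are constructed.

```python
"""Which route gets installed: administrative distance first, metric second.

Added illustration, not from the post.  Models the RIB choice a Cisco router
makes for one prefix that arrives as EIGRP internal (the GRE/IPsec tunnel,
default AD 90) and as EIGRP external (BGP redistributed by the MPLS CE,
default AD 170).  All routes and metrics are constructed.
"""
from dataclasses import dataclass

DEFAULT_AD = {
    "connected": 0, "static": 1, "eigrp-internal": 90,
    "ospf": 110, "eigrp-external": 170, "ibgp": 200,
}


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str      # key in the AD table
    metric: int      # composite metric as reported by the protocol
    next_hop: str


def select(routes, ad=DEFAULT_AD):
    """Lowest AD wins; metric only decides between candidates of equal AD."""
    best = {}
    for r in routes:
        cur = best.get(r.prefix)
        if cur is None or (ad[r.source], r.metric) < (ad[cur.source], cur.metric):
            best[r.prefix] = r
    return best


PREFIX = "10.50.0.0/16"                                   # a remote site LAN, constructed
via_mpls = Route(PREFIX, "eigrp-external", 3_072, "mpls-ce")
via_tunnel = Route(PREFIX, "eigrp-internal", 1_000_000, "Tunnel0")


def installed(routes, ad=DEFAULT_AD):
    """Next hop the RIB ends up with for PREFIX."""
    return select(routes, ad)[PREFIX].next_hop


def scenario():
    """Next hop chosen under each configuration, in order."""
    # 1. Defaults: the tunnel route has a far worse metric and still wins on AD.
    default = installed([via_mpls, via_tunnel])
    # 2. Making the tunnel slower (interface delay, offset-list) only moves the
    #    metric; the comparison never gets that far.
    slower_tunnel = Route(PREFIX, "eigrp-internal", 50_000_000, "Tunnel0")
    worse_metric = installed([via_mpls, slower_tunnel])
    # 3. "router eigrp <as>" / "distance eigrp 180 170" on the routers that learn
    #    both paths: internal routes now lose to external ones.
    swapped = dict(DEFAULT_AD, **{"eigrp-internal": 180})
    with_distance = installed([via_mpls, via_tunnel], swapped)
    # 4. MPLS down: the external route is withdrawn and the tunnel takes over.
    failover = installed([via_tunnel], swapped)
    return default, worse_metric, with_distance, failover
```

Two caveats a practitioner would check first. Administrative distance is local to the router that applies it, so the command has to go on every router that hears the prefix from both the MPLS CE and the backup router, not only on the backup routers. And `distance eigrp 180 170` moves every internal EIGRP route on that router, including site-local ones you may want to keep at 90; if that is a problem, the per-neighbour form `distance <ad> <neighbour-ip> <wildcard> [acl]` limits the change to routes learned from the tunnel peers. Another design that avoids the issue entirely is to run the tunnels in a separate EIGRP process and redistribute into the main one, so both paths are external and the metric decides.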



Entry Level Router/Firewall with WAN failover and Larger internal subnets on VE

Hello,

I worked at a datacenter as a SysAdmin for few years, but never really got heavy into the networking side. I have some basic knowledge.

I have a client that I am doing a cryptocurrency mining buildout for. I want to put them behind a nice firewall/router with WAN failover and the ability to include a large internal subnet, say at least a /21 on a VLAN, and pass that VLAN through to multiple unmanaged switches.

I think I would prefer a router with a GUI option, maybe a newer mid-level Sonicwall, as opposed to an ASA with only command line, for the time being, until my networking knowledge grows a bit more. I might practice with some ASA command line in GNS3 in the interim.

What would be your hardware suggestion, and any suggestions in general?

Thanks!

PS: Does a TZ500 on the low end support up to a /21 internal subnet on a VLAN... what is its subnet size limitation?



How do we keep the internet as accessible as possible?

Hi all!

I'm a student writing a longform journalism article about the internet and the challenges/struggles in keeping it as democratized and accessible as possible (certainly a relevant topic given the upcoming FCC announcement about net neutrality). It was inspired by a talk in one of my other classes by Andrew McLaughlin. Since, I've been talking to comp sci professors, looking into IETF, the internet society, and learning about how changes to the internet get made, and by whom.

I think I'm trying to explore how each part of the internet, from like ISPs to IETF to just regular internet users contribute or detract from the ultimate goal of the internet (which I'm assuming is to connect people).

Particularly interesting to me: open source software, the monopolistic hold that big tech giants basically have on the internet, the difficulties in implementing research. But also, how accessible and available /should/ the internet be to everyone?

So far, I'd love input and opinions about this topic -- any leads for sources or people who would be best to interview about this.

Thanks, y'all!



At what point should I consider using enterprise grade network equipment?

Among other IT things, I manage a network of about 40~50 users, which I'm sure is much smaller scale than what r/networking usually deals with. Currently, we're using non-enterprise-grade (SMB?) equipment like TP-Link and D-Link.

The company is growing to 100 people in the foreseeable future. We're also looking into digitizing more of the business processes, which means more servers, more VMs, and more network traffic. We're looking into new office spaces, so I'll be building an entirely new network. At first, I was planning to keep using non-enterprise-grade equipment, since it has been working fairly well. But after doing some more research, I've been wondering if I should invest in enterprise-grade equipment, like Cisco and Juniper. Since I'll be building an entirely new network, this would be a good chance to step up our networking too.

However, my impression of enterprise-grade equipment is that it serves much larger businesses, at 1000+ users, ISPs, or data centers. I think the needs of my company are not quite at that level yet. I'm sure companies like Cisco and Juniper have equipment that is targeted at my business size. But if my current non-enterprise equipment does the job seemingly well, should I really consider enterprise-grade equipment?

Thanks in advance for any advice!