Saturday, December 2, 2017

Cisco rv345 fiber?

A friend of mine is helping a small town with the network for their police department. The town forgot to make budget for IT, so they don't have any funds to hire an actual network engineer, and they have no IT staff.

The town also doesn't really know anything about their setup, so unfortunately they haven't been very helpful.

Their WAN connection comes into the building as 2 fiber connections that run into a small Trendnet box; it looks like a converter to me, but unfortunately I don't have the model number. It has 2 ports for the fiber and an Ethernet out that runs to a Cisco rv345.

Something seems to be killing the connection between the Trendnet box and the Cisco router. Network connection is fine, but the internet keeps going down, cycling power on the Trendnet brings it back, but it goes down about an hour later.

I'm not really familiar with fiber. Can we get rid of the Trendnet and run the fiber directly into the Cisco rv345 with a port mod? Or should we replace the Trendnet box with something similar?

My thoughts here are that either the Trendnet box is bad or traffic on the network is overwhelming it (there shouldn't be that much traffic though.)



How do I set up VLANs on my Ubiquiti switch?

I'm hoping someone can help me out with this. What I want to do is separate ports 1-22 and 23-24 with VLANs. I have 2 Ubiquiti switches on different floors connected via fiber on sfp 1. I have created a VLAN Only network and given it VLAN 10. I assigned this network to ports 23-24 on both switches. All other ports, including sfp, are assigned All. I don't want the devices on the VLANs to be able to see each other. Have I set this up correctly?



Small Business Retail VLAN Best Practice

Hi Team,

I'm looking for advice on the best practice for a VLAN setup and configuration for a new client project. The equipment list is very simple: Router--> Switch. The switch has a redundant GSM connection which automatically activates when the primary WAN becomes unresponsive.

The network needs 10 VLANS set up, each with a DHCP server. Is it best to have the VLAN routing and DHCP server configured within the switch, or have it set up within the router itself? Any advice?? Thanks for helping the new guy out!



Need some insight with my wireless router in my apartment.

Hey r/networking. I hope I'm posting in the right place. In my apartment I have my router set up where the coaxial outlet is. My PC is located on the opposite side of the two bedroom apartment. Moving the PC next to the router is unfortunately out of the question, and so is running a long ass ethernet cable across the whole apartment.

So I have to use Wifi on my PC. Currently using a USB Wifi adapter. For a few months, the connection was fine. Lately the download speeds are barely 1 Mbps, no one can understand what I'm saying on Discord, and every multiplayer game has unplayable lag. This is not good. The wifi icon went from showing full connectivity to missing one "bar".

So I have a few questions about improving this situation:

  1. The router in question is the Comcast issued one that I rent for 10 dollars a month and should probably replace anyway. Can I find a router with better range?

  2. In my entirely uneducated opinion, the best option here seems to be put a wifi repeater in the second bedroom and then connect to the PC via ethernet cable. Is this the right way to go about it?

Once again I pretty much have to be on wifi, and also my ISP didn't change anything with my internet speed. Sorry for the wall of text, and I appreciate any input!



When will it become accessible for everyday users to host their own content?

A huge impediment to P2P protocols really taking off and working properly has been IPv4 and NAT in particular. Port forwarding just isn't a satisfactory or adequate solution, it leaves many holes.

UPnP improves the situation somewhat, but it still often fails to work for users, and at least for me fails behind multiple routers. Sometimes routers just don't support it adequately, or users don't know or can't be bothered to activate it in router settings.

Torrents get around this by just assuming some peers won't be able to see other peers (i.e. pairs of users without port forwarding can't see each other), a messy set of techniques known as NAT traversal that don't really work reliably notwithstanding, as far as I can tell.

So... when will we see some kind of protocol that restores the Internet's principle of end-to-end connectivity as originally envisioned?



Network Load Balancing- Unicast or Multicast?

I am learning about this subject on a fundamental level in a college level course. From my understanding, Multicast makes sure that requests hit the different client servers of a system simultaneously, and allows for equalized load balancing in case of a client failure. On the other hand, Unicast is dependent on the pathing the request is sent through, so some are ahead of others as far as when the data would hit. Also, it appears they don't always have the best backup scenario in place; if a server goes down, it's reliant to carry the rest of the requests on the clients that are synced with it (time speaking), and none else.

I'm just curious to hear some real world examples of when Unicast would ACTUALLY be beneficial to use, since as far as I can tell, it's the suboptimal system here...

thanks in advance!



Hurricane Electric's Network Explained

  • They have multiple POPs in thousands of sites.

  • They don't own or lease fiber.

  • I'm told all they do is build the POP, and then charge others to connect to it in the colocation hotel (via cabling in equipment racks). If so, what's stopping others from building a POP, offering connectivity to it for free (i.e. major ISP), and bypassing HE?

  • I'm clearly missing something. If HE isn't a transit provider, what's the benefit of peering with them?



I've never actually messed with MIBs before, or even understood what exactly they are

I've always felt like a lackluster networking guy, because when people start talking MIB, I go blue in the face and I don't really know what is going on.

I know it has to do with SNMP.

I've set up many devices (routers/switches/asa's) in SNMP, and added them to stuff like Orion Solarwinds, PRTG, etc..

I've never touched MIB.

I know it stands for Management Information Base... I know it's kind of like a "users manual" that tells the SNMP Manager Server how to "read" the device.. but how is it that I've never had to actually set this up and usually SolarWinds will know exactly what the device is and reads all sorts of stuff from it anyway, like CPU, memory, interface drops, etc.

Any good reading out there about MIBS that would be good for someone at my current understanding level to jump into?

I prefer tutorials that may actually hold your hand and walk you through some stuff, accompanied either by videos or pictures.



Q about assigning IPv6 addresses to hosts

I have a subnet - 2001:0718:0002:16a4::/64

That's my host address range: 2001:718:2:16a4:: - 2001:718:2:16a4:ffff:ffff:ffff:ffff

Can I assign the first IP to a host, or is the first one used as the network address as in IPv4, so I have to assign the second one to the host?
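
Worked example added by the editor (not part of the post): the standard ipaddress module answers both halves of the question for this exact prefix, and the EUI-64 part shows what a host would pick for itself under SLAAC if nobody assigns anything. The MAC address used is made up for the example.

```python
import ipaddress
from itertools import islice


def canonical_prefix(prefix: str) -> str:
    """Parse an IPv6 prefix (zero-padded or not) and return its compressed form.

    The post's 2001:0718:0002:16a4::/64 and 2001:718:2:16a4::/64 are the same
    network; canonicalising before comparing avoids duplicate IPAM records.
    """
    return str(ipaddress.IPv6Network(prefix, strict=True))


def first_assignable_host(prefix: str) -> str:
    """First address a host should get in the prefix.

    The all-zeros interface ID (2001:718:2:16a4::) is the Subnet-Router
    anycast address (RFC 4291 section 2.6.1), which is why hosts() skips it
    and starts at ::1.  IPv6 has no broadcast address, so the last address
    of the /64 (...:ffff:ffff:ffff:ffff) is an ordinary unicast address.
    """
    net = ipaddress.IPv6Network(prefix)
    return str(next(islice(net.hosts(), 1)))


def is_subnet_router_anycast(prefix: str, address: str) -> bool:
    """True when the address is the reserved all-zeros interface ID of the prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(address)
    return addr in net and addr == net.network_address


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier derived from a 48-bit MAC.

    Flip the universal/local bit (0x02 of the first octet) and splice ff:fe
    into the middle, which is what SLAAC does when privacy extensions are off.
    """
    octets = bytearray(int(x, 16) for x in mac.replace('-', ':').split(':'))
    if len(octets) != 6:
        raise ValueError('expected a 48-bit MAC address')
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b'\xff\xfe' + bytes(octets[3:])
    return int.from_bytes(iid, 'big')


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host would autoconfigure from this prefix with EUI-64.

    Only a /64 is valid here: SLAAC fixes the interface ID at 64 bits.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError('SLAAC requires a /64 prefix')
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


if __name__ == '__main__':
    prefix = '2001:0718:0002:16a4::/64'
    print(canonical_prefix(prefix))
    print(first_assignable_host(prefix))
    print(slaac_address(prefix, '00:1a:2b:3c:4d:5e'))  # constructed MAC, not a real host
```

The first address of the post's range, 2001:718:2:16a4::, is the Subnet-Router anycast address, so ::1 is the first sensible static assignment; the last address is not reserved because IPv6 has no broadcast. One caveat before choosing EUI-64 for anything client-facing: the interface ID embeds the MAC, so the address identifies the hardware on every network it visits. RFC 7217 stable addresses or RFC 4941 temporary addresses avoid that; for servers, a short static suffix such as ::1 or ::10 is the usual choice.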



I was given some networking gear. Is any of this worth anything?

The company I work for is upgrading their networking gear I was given (1) cisco me-3400eg-12cs-m (3) foundry GS648p and (1) SMC 8150L2. Is this stuff worth keeping around? I'm getting conflicting answers doing a google search. Thanks!



Need help designing a network.

For my assignment, I am designing a network for one of the college buildings. I am trying to figure out how to design the faculty office network.

What I have so far:

The faculty router is connected to the faculty file server and the faculty switch. The faculty switch connects to a Cisco phone, located in each office. Phones are also connected to the single computer in each room.

What I am trying to figure out:

How should I set up the printers? I was thinking of having 1 cheap printer in each office, then creating a designated printing room with one computer and 2 multifunction printers.

I'm still learning, so all advice is welcomed. Thanks in advance.



Port Channel Config

I was curious: in the past I have seen, in the running config from show run, port channels that have the output of switchport mode trunk. Obviously that change is supposed to be reflected on the individual ports in the port channel, based on how Cisco IOS works.

But the strange thing is on the same switch they have other Switchports that still function in trunk mode that are in various port channels but don't have the same output under the port channel interface output in show run.

Is this something that could cause future connectivity issues or mismatches? My guess is that my first example had the switchport trunk encapsulation dot1q command and the switchport mode trunk command applied at the port channel level and therefore has that corresponding output.

I know port channels can be funky, so does anyone have any input on this? Is there room for concern?



IP phone help

I have to build a network in packet tracer for a school project. There are 5 locations. Each location has a number of users (desktops) and Voice over IP phones. So, location 1 is supposed to have 200 users, and 200 IP phones. I'm very confused as to how the configuration of IP addresses should be handled. I've seen diagrams showing the PC connected through the IP phone, but that confuses me more. Do they use the same IP address? Can somebody please explain to me how this works



[Troubleshooting] Is there a protocol that reports hostname, switchport, IP address, and MAC address for end user devices?

Long time lurker, first time poster.

I've been browsing this subreddit for a good while after it randomly showed up on my front page. I started reading posts thinking I knew stuff about networking, only to find posts referring to protocols and procedures I'd never even heard of. After that point, I realized I don't know jack about networking, and started working towards CCNA.

For my work one of the biggest pains is the constant documentation. Not circuit diagrams, but making sure we know exactly where each end user device is, what switchport it's on, what IP is assigned to it, so on and so forth. So anytime an end user device changes we have to update the following:

A) Switchport Description

B) Hostname to IP excel spreadsheet

C) Inventory sheet with hostname, IP, MAC, location, user, ETC.

D) Site map

What I'm looking for is a protocol or methodology to automatically spit out a text sheet that reports the current device hostname, IP address, switchport, and MAC.

Here's what I've researched so far:

1) Using multiple excel spreadsheets to match each one manually.

2) Solarwinds Kiwicat tools (doesn't poll hostname data, only switchport descriptions)

3) Cisco commands

4) Installing CDP on our windows workstations

5) Utilizing SNMP to gather the data and exporting it, but SNMP doesn't report that data from what I found

I don't know if this protocol or procedure even exists, but I'm really hoping one of you has heard of something, or can offer some advice.
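
An added example (editor's code, not something from either post) that does the join the documentation question asks for and, at the same time, shows what the earlier MIB question is really about: the two tables below are the same data an NMS fetches over SNMP from BRIDGE-MIB (dot1dTpFdbTable) and IP-MIB (ipNetToMediaTable), and a MIB file is nothing more than the mapping from those OIDs to the names and column layouts a tool like this works with. The command output, MACs, IPs and hostnames are constructed samples in the layout of IOS show mac address-table and show ip arp; the reverse-DNS dictionary stands in for socket.gethostbyaddr.

```python
import re

# Constructed samples in the layout of IOS `show mac address-table` and
# `show ip arp`; every MAC, IP and hostname below is made up for this example.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/5
  20    0011.2233.6677    DYNAMIC     Gi1/0/5
  10    00aa.bbcc.ddee    DYNAMIC     Gi1/0/7
  10    0050.56aa.0001    DYNAMIC     Gi1/0/48
  20    0050.56aa.0002    DYNAMIC     Gi1/0/48
Total Mac Addresses for this criterion: 5
"""

ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.10.1               -   0000.0c9f.f001  ARPA   Vlan10
Internet  10.0.10.25              5   0011.2233.4455  ARPA   Vlan10
Internet  10.0.20.25              3   0011.2233.6677  ARPA   Vlan20
Internet  10.0.10.200             0   0050.56aa.0001  ARPA   Vlan10
"""

# Stand-in for reverse DNS (socket.gethostbyaddr in a live run); constructed.
PTR_RECORDS = {'10.0.10.25': 'ws-fin-01.corp.example',
               '10.0.20.25': 'SEP001122336677.corp.example'}

# Ports with a CDP/LLDP neighbour carry many MACs and are not end-user devices.
UPLINKS = {'Gi1/0/48'}

MAC_ROW = re.compile(r'^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$', re.I)
ARP_ROW = re.compile(r'^Internet\s+(\S+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)', re.I)


def normalise_mac(mac: str) -> str:
    """Cisco 0011.2233.4455, Windows 00-11-22-33-44-55 and 00:11:22:33:44:55 all become the last form."""
    digits = re.sub(r'[^0-9a-f]', '', mac.lower())
    if len(digits) != 12:
        raise ValueError(f'not a MAC address: {mac!r}')
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> list:
    """One dict per learned MAC; header, separator and summary lines do not match the regex."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append({'vlan': int(vlan), 'mac': normalise_mac(mac), 'type': kind, 'port': port})
    return rows


def parse_arp_table(text: str) -> dict:
    """MAC -> IP.  Rows with age '-' are the router's own SVIs and are skipped."""
    arp = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            ip, age, mac, _iface = m.groups()
            if age != '-':
                arp[normalise_mac(mac)] = ip
    return arp


def _natural(port: str) -> list:
    """Sort key so Gi1/0/5 comes before Gi1/0/10."""
    return [int(s) if s.isdigit() else s for s in re.split(r'(\d+)', port)]


def build_inventory(mac_text: str, arp_text: str, ptr: dict, uplinks: set) -> list:
    """Join the switch's MAC table with the router's ARP table and reverse DNS.

    One row per (port, VLAN, MAC).  A phone and the PC behind it show up as two
    rows on the same port in different VLANs; a MAC with no ARP entry (IPv6-only
    or idle) keeps ip=None rather than being dropped from the report.
    """
    arp = parse_arp_table(arp_text)
    rows = []
    for entry in parse_mac_table(mac_text):
        if entry['port'] in uplinks:
            continue
        ip = arp.get(entry['mac'])
        rows.append({'port': entry['port'], 'vlan': entry['vlan'], 'mac': entry['mac'],
                     'ip': ip, 'hostname': ptr.get(ip) if ip else None})
    return sorted(rows, key=lambda r: (_natural(r['port']), r['vlan']))


if __name__ == '__main__':
    for row in build_inventory(MAC_TABLE, ARP_TABLE, PTR_RECORDS, UPLINKS):
        print(row)
```

Run it on real output by pasting show mac address-table from the access switch and show ip arp from whatever routes the VLANs (the L3 switch or router), and put every port that has a CDP/LLDP neighbour into UPLINKS. Two things the spreadsheet approach usually gets wrong: a phone and the PC behind it are two rows on one port, and the DNS name is not necessarily the machine's configured hostname (the DHCP lease table, client option 12, is the other source for that). The same join is what you need during an incident when the only lead is a MAC or an IP and the question is which port it was sitting on.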



Network engineer resume

Do we have a place on internet for network engineer resumes? I did try in /r/engineeringresumes but no one responds there. I am looking for a current template to make my own.

Thanks!!!



[Question] ONT rebooting when rate limited to a certain speed

What do you think could cause this?

We are using Zhone ZNID-GPON-2424a and we have deployed over 5000, and we ran into an issue recently with a certain customer where if we set them for 1000Mbps on the download speed and 30Mbps on the upload speed then the ZNID will be fine, but once we set them for 1000Mbps on the download speed and 1000Mbps on the upload speed then after a few hours the ZNID reboots.

Any suggestions? We are currently trying to find the breaking point by setting it for 1000/900, 1000/800, etc.

Thanks,



Help for finding ranges for WiFi Antennas

Hi! First up, a bit of background...

For a school project I am building a remote control submarine over the next year, similar to a FPV drone in the sense that it will have a video stream to the pilot (or submarine equivalent). Both the remote and sub will be controlled by a Raspberry Pi Zero, connected to a WiFi antenna each. I am controlling the system through WiFi, as it provided the best speeds, especially for the video stream.

I understand first of all that WiFi doesn't work underwater, I am well aware of that. I will make a float that will remain on the surface and among other things include an antenna to connect to the remote. The float will be connected to the sub by a cable.

My issue is communication between the remote and sub. I understand that 2.4GHz is my best option for range, so I think I will go with that. I am aiming to get at least 100m out of it. I am trying to work out what approximate ranges are for various standards (802.11ac, 802.11n etc.) and what affects the range of different antennas. I have tried googling and youtubing but I cannot get a straight answer.

Let me know if this should/can be asked anywhere else and I really appreciate any feedback.

Thanks

Edit: Or would I be better off just getting a normal USB WiFi adapter, and changing the antenna for a larger one



Friday, December 1, 2017

What should a simple HTTP server be capable of?

I'm writing an HTTP server for a quick project in C on Linux, but I don't know what to do beyond simply serving file contents. Doing that part is pretty simple. What else would be fairly easy to add on to the project?
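
Editor's example, in Python rather than the C the post is written in, of the one feature a file-serving HTTP server has to get right before anything else is added: mapping the request-target onto the filesystem without letting "..", percent-encoding or a symlink reach outside the document root. Nothing here comes from the poster's code; the document-root layout in demo() is constructed for the example.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote, urlsplit


class Forbidden(Exception):
    """Request resolves to something outside the document root."""


def resolve_request_path(doc_root: str, request_target: str) -> str:
    """Map an HTTP request-target to a filesystem path confined to doc_root.

    Order matters: decode percent-escapes once, reject NUL (which would
    truncate a C string), normalise '.' and '..' lexically with a leading '/'
    so they cannot climb above the virtual root, then resolve symlinks with
    realpath and confirm the result is still inside the root.
    """
    path = unquote(urlsplit(request_target).path)
    if '\x00' in path:
        raise Forbidden('NUL byte in request path')
    normalised = posixpath.normpath('/' + path.lstrip('/'))
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, normalised.lstrip('/')))
    # realpath follows symlinks, so a link inside the root that points
    # outside it is caught here rather than by the lexical check alone.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise Forbidden('request escapes the document root')
    return candidate


def handle(doc_root: str, method: str, request_target: str):
    """Minimal static-file semantics: returns (status, headers, body)."""
    if method not in ('GET', 'HEAD'):
        return 405, {'Allow': 'GET, HEAD'}, b''
    try:
        fs_path = resolve_request_path(doc_root, request_target)
    except Forbidden:
        return 403, {}, b''
    if os.path.isdir(fs_path):
        fs_path = os.path.join(fs_path, 'index.html')   # never list directories by default
    if not os.path.isfile(fs_path):
        return 404, {}, b''
    with open(fs_path, 'rb') as fh:
        body = fh.read()
    headers = {'Content-Length': str(len(body)),
               'Content-Type': 'text/html' if fs_path.endswith('.html') else 'application/octet-stream'}
    return 200, headers, b'' if method == 'HEAD' else body   # HEAD keeps the headers, drops the body


def demo() -> dict:
    """Constructed layout: <tmp>/www/index.html is served, <tmp>/secret.txt sits
    outside the root, and <tmp>/www/link is a symlink back up to <tmp>.
    Returns the status code each request gets."""
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, 'www')
    os.mkdir(root)
    with open(os.path.join(root, 'index.html'), 'wb') as fh:
        fh.write(b'<h1>hello</h1>')
    with open(os.path.join(tmp, 'secret.txt'), 'wb') as fh:
        fh.write(b'not for the web')
    requests = ['/', '/index.html', '/../secret.txt', '/%2e%2e/%2e%2e/secret.txt', '/nope.txt']
    try:
        os.symlink(tmp, os.path.join(root, 'link'))
        requests.append('/link/secret.txt')
    except OSError:
        pass  # platform without symlinks; that case is simply skipped
    return {r: handle(root, 'GET', r)[0] for r in requests}


if __name__ == '__main__':
    for target, status in demo().items():
        print(status, target)
```

The C equivalent is realpath(3) on the joined path followed by the same prefix check; the common mistake is to concatenate the request path into a fixed buffer and open it, which hands out a traversal and an overflow in one go. After that, HEAD, a correct Content-Length and a 405 for unsupported methods are the cheap additions shown above; Range requests and keep-alive are the next step up.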



DOT1Q VLAN tagging inside a L3 switch

Please settle this debate, it would mean a lot.

Situation:

-Access interface configured with VLAN 5 on a L3 switch. A frame leaves the host towards the internet. At what point does the frame get its VLAN tag inserted? Diagram - http://ift.tt/2ABXDxA

Me: Nowhere. The frame does not cross a trunk, there is no need to tag.

Him: VLAN tag is inserted as it transitions from the SVI to the routed port.

Can anyone confirm either case?
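
Added example (not from the thread): a minimal 802.1Q frame builder and parser, plus a model of the three port behaviours that decide where a tag appears. In this model a tag is written into the frame only when it leaves a trunk port in a non-native VLAN; an access port and a routed port send untagged frames, and a frame's VLAN membership inside the switch is forwarding metadata, not bytes. The same functions show why the native VLAN is a security setting: double_tag_hop reproduces the classic VLAN-hopping trick and the two settings that stop it. The MAC addresses are made up.

```python
import struct

TPID_DOT1Q = 0x8100   # customer tag
TPID_QINQ = 0x88A8    # service tag (provider bridges)
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, tags=()) -> bytes:
    """Ethernet II frame with zero or more 802.1Q tags, outermost first.

    Each tag is (tpid, pcp, dei, vid): 4 bytes inserted between the source
    MAC and the EtherType.  An untagged frame simply has no such bytes.
    """
    frame = dst + src
    for tpid, pcp, dei, vid in tags:
        if not 0 <= vid <= 4095:
            raise ValueError('VID must fit in 12 bits')
        frame += struct.pack('!HH', tpid, (pcp << 13) | (dei << 12) | vid)
    return frame + struct.pack('!H', ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into addresses, tag stack (outermost first), EtherType and payload."""
    off, tags = 12, []
    while True:
        (ethertype,) = struct.unpack_from('!H', frame, off)
        if ethertype not in (TPID_DOT1Q, TPID_QINQ):
            break
        (tci,) = struct.unpack_from('!H', frame, off + 2)
        tags.append({'tpid': ethertype, 'pcp': tci >> 13, 'dei': (tci >> 12) & 1, 'vid': tci & 0x0FFF})
        off += 4
    return {'dst': frame[:6], 'src': frame[6:12], 'tags': tags,
            'ethertype': ethertype, 'payload': frame[off + 2:]}


def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def access_ingress(frame: bytes, access_vlan: int):
    """Access port receiving a frame: returns (vlan, frame), or None if dropped.

    Untagged frames join the access VLAN.  A frame tagged with the access VLAN
    itself is accepted and that tag removed (common switch behaviour); any
    other outer tag is dropped.  Inner tags are never inspected, which is
    what the double-tag trick relies on.
    """
    p = parse_frame(frame)
    if not p['tags']:
        return access_vlan, frame
    if p['tags'][0]['vid'] == access_vlan:
        return access_vlan, strip_outer_tag(frame)
    return None


def trunk_egress(vlan: int, frame: bytes, native_vlan: int, tag_native: bool = False) -> bytes:
    """Trunk sending a frame: the only place in this model where a tag is inserted.

    Frames in the native VLAN leave untagged unless tag_native is set.
    """
    if vlan == native_vlan and not tag_native:
        return frame
    return frame[:12] + struct.pack('!HH', TPID_DOT1Q, vlan) + frame[12:]


def trunk_ingress(frame: bytes, native_vlan: int):
    """Trunk receiving a frame: the outer tag selects the VLAN, untagged means native."""
    p = parse_frame(frame)
    if p['tags'] and p['tags'][0]['tpid'] == TPID_DOT1Q:
        return p['tags'][0]['vid'], strip_outer_tag(frame)
    return native_vlan, frame


def double_tag_hop(access_vlan: int, native_vlan: int, target_vlan: int, tag_native: bool = False):
    """VLAN the far switch assigns to a double-tagged frame sent from an access port.

    Constructed topology: sender on an access port of switch A, trunk A-B with
    the given native VLAN, frame classified on switch B's trunk.  A result equal
    to target_vlan means the hop succeeded; None means switch A dropped it.
    """
    sender = bytes.fromhex('020000000001')      # constructed MACs
    victim = bytes.fromhex('ffffffffffff')
    frame = build_frame(victim, sender, ETHERTYPE_IPV4, b'\x45' + b'\x00' * 19,
                        tags=[(TPID_DOT1Q, 0, 0, access_vlan), (TPID_DOT1Q, 0, 0, target_vlan)])
    accepted = access_ingress(frame, access_vlan)
    if accepted is None:
        return None
    vlan_a, inner = accepted
    on_wire = trunk_egress(vlan_a, inner, native_vlan, tag_native)
    vlan_b, _ = trunk_ingress(on_wire, native_vlan)
    return vlan_b


if __name__ == '__main__':
    print('native 1, untagged:', double_tag_hop(1, 1, 20))          # lands in VLAN 20
    print('native 999:        ', double_tag_hop(1, 999, 20))        # stays in VLAN 1
    print('tag native:        ', double_tag_hop(1, 1, 20, True))    # stays in VLAN 1
```

The hop works only because the trunk sends native-VLAN frames untagged, so the sender's inner tag is the first thing the next switch sees. Setting the native VLAN to an unused one, or "vlan dot1q tag native" on Cisco, makes the outer tag survive the trunk and the frame stays in VLAN 1.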



ASA 5506x, no ping, no ssh, no AnyConnect connection?

Sorely confused. I've set up plenty of ASAs and not had many issues as I've gotten better. This one was no different: a simple AnyConnect VPN and ASA configuration. I haven't checked, but the modem has to be in bridge mode (IP passthrough) because of the setup.

The outside int has the public IP range assigned to it, with its route out as (of course) the IP range GW. Everything internally has internet access. The following commands have been used, for those who will ask:

ssh 0.0.0.0 0.0.0.0 outside

crypto key generate rsa modulus 2048

Inspect ICMP under global_policy

AnyConnect completely setup, on port 443, RADIUS authenticated.

AnyConnect states "Connection attempt has timed out. Please make sure you're connected to the internet" when trying to connect. Again, can't SSH externally, can't ping from outside, WHAT IS GOING ON. (please)

Also, MXToolbox shows that SSH is open on port 16, I did not set up anything to do with that and it's leading me to believe I can't see the FW at all - it's just not making sense to me.



dhcp / wireless question

One of our remote sites is having issues with wireless. Basically some clients are getting 169.x.x.x addresses intermittently. They have aruba AP135s waps there with one of them a virtual controller. They have an infoblox that's doing dhcp. there are ip helpers set up on the 2 switches between the APs and the DHCP server.

I'm logged in to a box there that has both wired and wireless and I'm getting the same (wireless) issue. From Wireshark it looks like only DHCP discover packets are being sent. After 15 mins or so it'll finally get an IP, but when I disconnect/reconnect I get the issue all over again. Any ideas on what may be causing this?



AnyConnect changing routes on Macbook?

Hey guys,

Confusing issue I have. I have remote developers who use AnyConnect 4.0 to VPN back to HQ (ASA 5545, 9.7.1 code). We do split tunneling and allow 10.0.0.0/8 through the tunnel. However, developers use a VM on their computer that has an IP address in the 10.200.x.x subnet. The routing table on their Mac points to vbox for that subnet. Sometimes, though, it points to the tunnel.

Now, I have 2 users testing AnyConnect 4.5 and the problem always occurs. The route starts out pointing to vbox, then they connect and it points to the tunnel. This messes up communication with their VM and it is no good. However, Cisco is telling me that this is normal. One side of me says that I understand the VM subnet is within the allowed split tunneling subnet and maybe can believe that it is normal, but the other side of me says that this usually was not happening on AnyConnect 4.0, so which one is normal?

If this is confusing, I can provide some more info and maybe even some pictures. Quick and dirty is: Mac has virtual route to VM (points to vbox) but sometimes while connected to VPN using AnyConnect 4.0, the route changes to point to the tunnel, and 100% of the time it happens on AnyConnect 4.5. I am aware that I could put an exclusion or maybe only do 10.0.0.0/9 through the tunnel instead since I have no subnets in my network past 10.127.255.255, but I do not want to do that unless the behavior we are seeing is indeed expected.



WAN failover w/ ipsec tunnels

Hey everyone!

I am looking on the best method to implement failover WAN in a hub-spoke scenario and have some questions. I did some looking around but am missing something (many things I am sure).

We have a main location (SiteA) with a new secondary WAN link. We have about 5 remote offices that route back to SiteA through ipsec tunnels and advertise routes through ospf.

Previously, I was figuring I would have to create a second ipsec tunnel for each remote site, or 3 more tunnels for remote sites that also have dual wan (a1-b1, a1-b2, a2-b1, a2-b2)

I was speaking with a buddy and was told that they handle this situation by using BGP and aggregate their two WAN links so that there is one advertised outward facing IP so that they get redundancy over the existing tunnels without additional configuration (beyond the BGP setup).

I have roughly looked at how BGP works (and need to seriously do more research before testing it) but am curious about advertising your IP with the second ISP. Can I use the public IP leased through ISP A and ask ISP B to advertise it? If that is true, does that not cause issues when ISP A goes down? Don't they own that last hop?

If it makes any difference, we are using fortigates at every site

sorry for things being unclear - this was a bit stream of thought



How to deep-dive into TCP

Can anyone recommend resources for learning TCP? I want to learn the specifics of flow control, flags, error messages, etc. I also want to learn more about TCP tuning and performance issues. I want to deep dive into it.

Every time I search TCP or TCP/IP in Amazon, I get books about general networking which deep-dive into OSPF, BGP and static routes, only mentioning that TCP uses a three-way handshake.

How do I deep-dive into TCP?



HP PoE+ Allotment Question

I am attempting to add more Aerohive APs to a PoE switch. What I am trying to figure out is how HP allocates and distributes the PoE. I cannot seem to find this answer anywhere.

For example: I know that PoE+ devices which require over 15W have a full 30W allocated to them on Cisco PoE+ switches (I may be a bit off on this). If a cisco AP is pulling 24.8W, the excess 5.2W does not count towards the available PoE. If the PoE+ limit is reached (based on multiples of 30), some switchports will default back to 15W. Is this also the case with HP switches?

Model is 2920-48G J9729A

Thank you!



Looking for an Iperf utility that does packet validation (compare the CRC at the receiving and signal errors)

Hi guys

I need to do stress testing in a complicated scenario which requires me to compare the payload of the packets sent and received. It has to work like Iperf but should allow me to craft the payload (which Iperf can do) but I need to be able to compare the packets (I guess any variation in the TCP checksum will do it)

Any recommendations ?
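
Added example (editor's code, not a tool from the thread) for the validation side of the request: a deterministic payload both ends can regenerate from a seed, a byte-for-byte comparison that reports the first differing offset, and a loopback transfer to run the whole thing end to end. The seed and the injected corruption are constructed for the demo.

```python
import hashlib
import socket
import threading
from typing import Optional


def payload_stream(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random payload: SHA-256 in counter mode over the seed.

    Both ends regenerate it from (seed, length); the receiver never needs a
    copy of what was sent, only the seed.  Incompressible data also stops any
    compression on the path from making a throughput figure lie.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, 'big')).digest()
        counter += 1
    return bytes(out[:length])


def compare_streams(expected: bytes, received: bytes) -> dict:
    """Full byte-for-byte comparison rather than a 16-bit checksum.

    Reports the first differing offset (a truncated or over-long stream counts
    as a mismatch at the shorter length) and whether the SHA-256 digests agree.
    """
    first_bad = next((i for i, (a, b) in enumerate(zip(expected, received)) if a != b), None)
    if first_bad is None and len(expected) != len(received):
        first_bad = min(len(expected), len(received))
    return {
        'expected_len': len(expected),
        'received_len': len(received),
        'first_mismatch': first_bad,
        'sha256_match': hashlib.sha256(expected).digest() == hashlib.sha256(received).digest(),
    }


def run_transfer(seed: bytes, length: int, corrupt_at: Optional[int] = None) -> dict:
    """Push the stream over a loopback TCP connection and validate on the receiver.

    corrupt_at flips one byte before the socket write.  That models corruption
    that happens before the transport checksum is computed (a faulty NIC with
    checksum offload, a middlebox that rewrites and re-checksums), which is the
    case a TCP checksum cannot catch and a payload comparison can.
    """
    data = payload_stream(seed, length)
    if corrupt_at is not None:
        buf = bytearray(data)
        buf[corrupt_at] ^= 0xFF
        data = bytes(buf)

    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(('127.0.0.1', 0))
    server.listen(1)
    port = server.getsockname()[1]
    received = bytearray()

    def receiver():
        conn, _ = server.accept()
        with conn:
            while True:
                chunk = conn.recv(65536)
                if not chunk:
                    break
                received.extend(chunk)

    thread = threading.Thread(target=receiver)
    thread.start()
    with socket.create_connection(('127.0.0.1', port)) as client:
        client.sendall(data)
    thread.join()
    server.close()
    return compare_streams(payload_stream(seed, length), bytes(received))


if __name__ == '__main__':
    print(run_transfer(b'constructed-seed', 1_000_000))
    print(run_transfer(b'constructed-seed', 1_000_000, corrupt_at=123_456))
```

Relying on the TCP checksum is the weak part of the plan in the post: it is a 16-bit one's-complement sum that misses many multi-bit errors, and with checksum offload it is computed by the NIC, so anything corrupted before that point arrives with a valid checksum. For line-rate work keep iperf for the load and use a comparison like this for correctness (or iperf3's -F/--file option on both ends and a hash of the resulting file; check the man page of your version for its exact behaviour). Python will not fill a 10G link; the point here is the validation logic.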



Thoughts on SDN for network engineers.

TL;DR: is it useful to learn about containers, docker, kubernetes and all of these tools that will aid in the SDN for network engineers

Hey all.

So, I work for a large ISP and they are priming us network engineers to learn some Python to prepare us for SDN in the future. I've certainly learned a lot with Python, but I'm a bit overwhelmed at the moment. Here's why.

I'm a NetEng3 and our company has four engineers in the ranks of 'fellows'. I reached out to one to pick his brain, and asked him what he thought on the subject given both the industry and our company as it stands. I gave him some background on myself, and how I was going to start preparing to study for the CCIE R&S, and to see if he had any advice to share on this as well.

Here is his response verbatim:

"I think understanding routing at the CCIE level would be useful but I’m not sure the router config skill will be useful. We are moving to doing everything via sw (not just configs but also troubleshooting and analytics) so having the ability to code is critical in the network engineering space — IMO it’s a must have skill now.

We’re close to the point where we will have router state pushed real-time from the network into collectors and then into kafka. Analytics will grab the info from kafka and start reasoning over it and over time perform remediation. I see NE skills evolving from building configs and manual troubleshooting via show commands to writing code looking at the state published to kafka and deducing what’s wrong— or at least what doesn’t look right. So being able to write code and understand routing— eg the ability to write code to pull from kafka and correlate to other data streams and then know what the kafka data is telling us (routing expertise) — that intersection will be IMO a very important skill to be working on.

Python is a good start. I’m actually not very python savvy but I have started to build tools in python this past year in order to gain experience in this space. Another important language that has legs is Go— I do much of my tool development work in Go these days.

VMware and network admin skills are a good start— I’d try and get some experience using OpenStack— but don’t stop there— try and get up to speed on containers and docker and kubernetes.

Find ways where you take your existing work and incorporate the above— to both learn and get real hands on experience."

The guy is a fellow, and obviously knows his shit and has tons of knowledge to share. I'm going to take him up on his suggestions but as mentioned, I find myself overwhelmed at the moment. I know virtualization a bit (not an expert by any means), but containers, docker, kubernetes and all that stuff is completely foreign to me.

Just wanted to see what you all think and if anyone has any experience in these areas, if they could point me to some resources to get my feet wet. I'm immersing myself in it as we speak, but thought it was a good idea to get it on here as well to see other feedback.

Thanks all.



nmap -p 9000 arrives on port 80... what the hell?

Hey /r/networking!

I'm working on a really strange thing. I want to set up a connection to a server located at $locA in a DMZ network. My test box is sitting in $locB. The server needs to be reachable on tcp/9000, tcp/5000 and tcp/102. I set up DNAT rules on the remote side firewall so those ports are forwarded to the server sitting in the DMZ (using a RFC1918 address).

Both my test box and the firewall at the remote side are linux boxes with your usual array of network tools.

To test the connection, I use nmap on my side. My public IP is 1.2.3.4, remote side is 5.6.7.8. When I run

nmap -p 9000 5.6.7.8 

the resulting tcpdump on the remote side looks like this:

15:50:52.568247 IP 1.2.3.4.52056 > 5.6.7.8.80: Flags [S], seq 3553520961, win 29200, options [mss 1380,sackOK,TS val 3258462 ecr 0,nop,wscale 7], length 0
15:50:52.568495 IP 5.6.7.8.80 > 1.2.3.4.52056: Flags [S.], seq 224129858, ack 3553520962, win 28960, options [mss 1460,sackOK,TS val 351697989 ecr 3258462], length 0
15:50:52.596307 IP 1.2.3.4.52056 > 5.6.7.8.80: Flags [.], ack 1, win 29200, options [nop,nop,TS val 3258469 ecr 351697989], length 0
15:50:52.602374 IP 1.2.3.4.52056 > 5.6.7.8.80: Flags [R.], seq 1, ack 1, win 29200, options [nop,nop,TS val 3258469 ecr 351697989], length 0

Yup, that's right: I send a packet on port 9000 and it arrives on port 80. The very same thing happens using port 5000 and 102.

If I try the same thing with -p 80, tcpdump looks the same. Using -p 443, I see a tcp handshake on port 443. But if I use any other port, the packets arrive on port 80.

What the actual fuck is happening here? Am I subject to some provider-side NAT? Anybody else seen this happening? I'm thoroughly confused-

//edit: Adding to this, I have tcptraceroute on both sides, but it doesn't seem to work. Whatever parameters I feed to it, it stops with this message: libnet_write failed? Attempted to write 40 bytes, only wrote -1
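
Added example, not part of the post: a parser for the tcpdump -n lines quoted above that groups packets into flows by the side that sent the SYN and reports which destination ports the client's SYNs actually reached. It runs on the four packets from the post plus one constructed flow on 443, matching the description of what -p 443 does.

```python
import re

TCPDUMP_LINE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP '
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): '
    r'Flags \[(?P<flags>[^\]]*)\]'
)


def parse_packets(text: str) -> list:
    """One dict per `tcpdump -n` TCP line; lines that do not match are ignored."""
    packets = []
    for line in text.splitlines():
        m = TCPDUMP_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d['sport'], d['dport'] = int(d['sport']), int(d['dport'])
            packets.append(d)
    return packets


def group_flows(packets: list) -> dict:
    """Group packets by connection, keyed by the side that sent the first packet.

    Key: (client, client_port, server, server_port).  Replies are matched by
    reversing the tuple, so both directions land in one flag sequence, with
    '>' for client-to-server and '<' for the reverse.
    """
    flows = {}
    for p in packets:
        fwd = (p['src'], p['sport'], p['dst'], p['dport'])
        rev = (p['dst'], p['dport'], p['src'], p['sport'])
        if fwd in flows:
            key, direction = fwd, '>'
        elif rev in flows:
            key, direction = rev, '<'
        else:
            key, direction = fwd, '>'
            flows[key] = []
        flows[key].append(direction + p['flags'])
    return flows


def handshake_complete(flag_seq: list) -> bool:
    """SYN out, SYN-ACK back, ACK out: a full three-way handshake was captured."""
    return flag_seq[:3] == ['>S', '<S.', '>.']


def port_rewrite_report(capture: str, client_ip: str, probed_ports: list) -> dict:
    """Compare the ports the client probed with the ports its SYNs were seen on."""
    flows = group_flows(parse_packets(capture))
    reached = sorted({key[3] for key in flows if key[0] == client_ip})
    return {
        'probed': sorted(probed_ports),
        'reached': reached,
        'rewritten': sorted(set(probed_ports) - set(reached)),
        'handshakes': {key: handshake_complete(seq) for key, seq in flows.items()},
    }


# The four packets from the post, one per line, plus a constructed flow on 443
# standing in for the -p 443 case the post says arrives on 443 untouched.
CAPTURE = """\
15:50:52.568247 IP 1.2.3.4.52056 > 5.6.7.8.80: Flags [S], seq 3553520961, win 29200, options [mss 1380,sackOK,TS val 3258462 ecr 0,nop,wscale 7], length 0
15:50:52.568495 IP 5.6.7.8.80 > 1.2.3.4.52056: Flags [S.], seq 224129858, ack 3553520962, win 28960, options [mss 1460,sackOK,TS val 351697989 ecr 3258462], length 0
15:50:52.596307 IP 1.2.3.4.52056 > 5.6.7.8.80: Flags [.], ack 1, win 29200, options [nop,nop,TS val 3258469 ecr 351697989], length 0
15:50:52.602374 IP 1.2.3.4.52056 > 5.6.7.8.80: Flags [R.], seq 1, ack 1, win 29200, options [nop,nop,TS val 3258469 ecr 351697989], length 0
15:51:10.100000 IP 1.2.3.4.52060 > 5.6.7.8.443: Flags [S], seq 1, win 29200, options [mss 1380], length 0
15:51:10.100300 IP 5.6.7.8.443 > 1.2.3.4.52060: Flags [S.], seq 2, ack 2, win 28960, options [mss 1460], length 0
15:51:10.130000 IP 1.2.3.4.52060 > 5.6.7.8.443: Flags [.], ack 1, win 29200, length 0
"""

if __name__ == '__main__':
    print(port_rewrite_report(CAPTURE, '1.2.3.4', [9000, 5000, 102, 443]))
```

What the report says for this capture: the probe sent to 9000 completed a full handshake with 5.6.7.8:80 and was then reset (that reset is nmap closing its connect scan), and none of 9000, 5000 or 102 ever appears as a destination. If the capture was taken on the firewall's outside interface, the rewrite happened before the packet got there; if it was taken after the firewall's own NAT hooks, check the order of the DNAT rules themselves (iptables -t nat -L -n -v, or nft list ruleset) for a rule that matches everything except 80 and 443. To locate the hop, send the SYN with increasing TTL and watch where the destination port changes; the "libnet_write failed ... only wrote -1" message from tcptraceroute is commonly a raw-socket permission problem (run it as root or with CAP_NET_RAW) or a wrong outgoing interface rather than a broken tool.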



What format does everyone use for their work instructions/change documents?

We have a current debate going on in the office. Some engineers use notepad to create work instructions for changes made on the network, while others use Microsoft Word. Word allows engineers to highlight certain important aspects of the change or insert diagrams and tables. The drawback is that when copying and pasting commands from word it can result in extraneous characters such as carriage returns etc. Which method have you found that ensures accuracy with cut and paste, but also allows the ability to insert diagrams and change text color in work instructions?



NOC Workers - How do you manage all of the displays/TV's?

We currently have 12 screens in our NOC, majority are Solarwinds NOC views but some are for our cloud environments.

We use a mix of Raspberry Pi 2s and 3s with Chromium pointing to the monitoring servers. The problem with the Pis is that they can become very sluggish and don't seem to handle Java or Flash very well, so we're looking to build a dedicated NOC server to replace them.

The problem I'm faced with is how do I run 12+ HDMI/VGA cables to the TV's and connect them to the server?

Would you run Ethernet to the TV's instead and stream the displays over Ethernet?

Can any NOC people on here share how they have their monitoring screens attached to the network?

Thanks for reading!



How to Find Cisco Catalyst 3550 Fiber Switch Port Specs

We have an older Cisco Catalyst 3550 fiber switch (WS-C3550-24-FX) and we are trying to get some compatible fiber-ether converters to use at the remote end of a few fiber runs. The first fiber converters we purchased don't seem to communicate properly with the switch. Both ends get a link light and the switch says the line and protocol are up but data does not seem to transmit (the counters indicate packets going out but nothing coming in to the switch). We have had the fiber strands themselves tested thoroughly so it isn't an issue with the fiber. The converters are 800nm wavelength so I'm wondering if maybe the switch ports use a different wavelength. I have tried looking this up but I can't find anything on Cisco's website about it. Anyone know where I could find such info?



I can't conceptualise ERPS. At all.

I just don't get it. Why would I need it if there's STP and UDLD? What are the problems ERPS solves that STP and UDLD don't? How come I haven't heard of it even once during my 4 year career?



[Purchase Advice] Small Business Router

Hello everyone,

Firstly, I hope I'm posting this at the right sub. If not, I apologize in advance.

The sysadmin at work requested my help to revamp the company's network. However, I do not have an IT role in the company, but I'm currently attending a networking course at university and will be having my CCENT exam in a few weeks. The sysadmin is not very knowledgeable in networking and he asked for my help. In addition, I have zero experience working in a production environment and have only messed around with my home lab. I'm more than willing to help him out since I'm dying to get some real experience setting up and configuring a network.

He asked me to suggest a router to purchase, with the given requirements:

  • Budget: Under 1000 £ GBP (Ideally around 500 £) just for the router, we already have all of the other devices.
  • 4 VDSL ports, or 4 modems? Which one would you recommend?
  • Minimum of 2 Ethernet ports, ideally 4. Gigabit Ethernet would be nice but not necessary.
  • 1 WAN Ethernet Port.
  • VPN capable, with IPSEC
  • No Cisco support

I've included a topology below, just for visual purposes. Please note that the topology below does not accurately represent the network topology. Its intent is to give a visual representation of the router requirements. Any advice or suggestions are greatly appreciated. We will be purchasing in the UK; second hand routers are actually preferred since we can get them for a better price. Thanks in advance.

Topology



DTLS negotiation issue AnyConnect

Dear Networkers

I have users in my LAN that are using AnyConnect to connect to a customer. They are suffering slow downloads; after my investigation I noticed that it is negotiating TLS instead of DTLS. There is no problem negotiating DTLS outside of my network. I'm not blocking any ports for the AnyConnect destination. In the AnyConnect logs from users I found "SOCKETTRANSPORT_ERROR_WRITE DTLS" and "A DTLS Alert was sent by the client during a write operation. Severity: warning Description: close notify". I have no access to the customer's ASA to check his settings. Am I missing something?



Rewiring Business Network: Cat7?

I'm not a networking guy - but have been tasked with helping out a local small business modernize their infrastructure...We're replacing their 1990s PBX with one of the open source PBX systems, and one of my runs is going to be close to 350 feet - so I was thinking that it'd be better if I were to run cat7 vs cat6. I'm not anticipating a ton of network traffic - but I will be running a voip system so am concerned about performance...It's also got a lot of night club equipment - think sound system, strobes, etc - so I'm worried about possible interference from those devices.

Anyone have any feedback on the plan to go cat7? Anything I have to be thinking about? Thanks! :)



Thursday, November 30, 2017

Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Automating deployment of 200 switches - Cisco 3650

Need a good starting point for mass deployment. The big things we want to accomplish are to update code, IOS XE 3.x. Add SSH, Domain, NTP, ACS, and Logging Commands.

Thanks for the help, trying to be smarter on deploying these.



Assessment tests from recruiters

I'm working with a recruiter, and before they can submit me for this new job, they are requiring me to take a Network assessment test.

It was from IKM, fairly difficult, it was 51 questions and it took me 1.5hrs to complete. I must still know what I'm talking about. I scored an 88. In the 95% of all users that took this test.

Have any of you taken similar tests from recruiters?



Cisco Cat 9k - Anyone using them?

We typically use Cat 4500x for our ROBO core switches. VAR is pushing us toward Cat 9k. Anyone using them successfully, likewise anyone using them and having significant issues?



How to set up a single unified communal network. (ie large building, multiple access points, single network)

I am a relative networking novice so excuse incorrect terminology but I need to transition a communal living house network into more of a commercial/unified network and am looking for advice on hardware/technique. Background: The building is 3 stories tall and houses 40 residents in personal rooms with communal living space. This leads to well over 40 connected devices between phones, computers, and gaming from residents and guests all on the single network. Currently each room has an Ethernet port and many have set up their own personal wireless networks with a small router. In addition to this there are 3 unconnected public routers throughout the building leading to many dead spots of wireless connection and continuous switching of network choice. I plan to eliminate the personal networks and create one unified wireless network. I believe the current modem to be over 6 years old and the routers are cheap with limited range. Am I correct that I can set up a single network with multiple routers as access points to extend coverage? Are there recommended pieces of hardware for this or resources to guide the setup?



Long shot: HP Vl Modules (420x series chassis): POE Options?

Hey, So google keeps turning up lots of things regarding POE for this series switch (power ratings for fully loaded, etc.), but I can't actually find a POE enabled module for it!

Can anyone confirm/deny if the "VL" series modules ever came in a POE equipped variant, and if so, any chance you'd know the part number for it?

Specifically for a 4208, but I believe the VL series modules suit a wider range of switch chassis.

I know this is a bit older gear, but she's still functional, just need to expand POE capability for one module.



What is the general practice after end of Manuf. support on managed switches?

I see a lot of stories indicating a lot of companies wait until things break to replace them even after end of support. Given the high cost of the equipment, and limited funds, it seems wasteful to replace something that is working without issues with new gear only to start the counter again. Of course some spares are required so that if an outage does occur you can restore service.



Help with DNS synchronized on both ends of an IPSec tunnel

This is for my homelab, but as it's pretty far beyond the scope of most homelab operations, I figured I could gain more traction here.

Local site: Fortigate 90D-POE as DNS server in Recursive Mode with a DNS Database type Master and view Shadow.

  • I don't know what these terms mean, but I followed a Fortinet cookbook and it has been working very well.

Remote site: Juniper SRX210HE2 operating as router/firewall/gateway/dhcp server for an ESXi 6.5 server and its VMs.

Since I have an IPSec tunnel between the Fortigate and SRX, I know I can just make the SRX use the Fortigate for DNS, but I don't want all DNS queries to have to go through the tunnel - it's just extra latency. Plus the IPsec tunnel has issues now and then, and I don't want the remote site to be without DNS when the tunnel is down.

Is there a solution that allows me to have a small linux VM on my remote ESXi server that operates as DNS for the remote site? And can it "pull in" the entries from my Fortigate DNS server so that all hostnames in both sites resolve properly at both sites?

I'm not looking to gain a thorough, deep understanding of the RFC associated with DNS. I just want something that works so I can move on to other things. I use the same domain name at both sites and would like some sort of "synchronize the DNS servers with each other" option.



Having two ports transparently pass traffic between one another?

Hey there,

I wasn't really sure how to word the title of this post properly, but essentially I'm looking to have my managed switch 'transparently' connect two of its ports together. The switch is a D-Link DGS-1510-28X.

Essentially the issue I'm having is that my Wired internet connection provided by my university will errdisable the port upstream if I connect any form of switch to it. I'm assuming this is something to do with STP? Would also be interesting if anyone could explain how this works and how the upstream switch detects that another switch has been connected to it. The upstream switches are Cisco 2960-Xs. The connection does not require 802.1X or any form of authentication.

What I'd like to achieve is having the connection from my university come in on Port 1 of my DGS-1510-28X, then have two other computers on ports 2 and 3. I'd like to be able to switch between which machine out of port 2 and port 3 is connected to the internet via port one using the switch itself, rather than physically changing cables. I don't need the connections between the two machines and ports 2 and 3 to carry LAN traffic, they've both got two interfaces and will be connected to the switch on other ports for LAN traffic, this is purely for WAN traffic.

I'm not sure if this is possible at all, but if so, some explanation or a starting point would be useful. If this isn't possible, then I'd greatly appreciate any ideas or suggestions as to how I could go about toggling my connection between these two hosts using a script. My next idea after this is to build a physical switch using an Arduino and some analog multiplexers, but that seems all a bit overkill if there's a better way I can do this.

Cheers!



ASA HA BGP to a VRRP QFX

I'm wondering what the best way is to create BGP redundancy between a pair of QFX5100s (core router, VRRP gateway) and a Cisco ASA HA cluster (I know nothing of ASA, and a client is configuring the ASA).

So from what I have read that ASA has an IP address on the Primary FW, and has a Secondary IP address on the Backup Firewall. The Primary Address and Secondary Address swap when the HA fails over.

I also have two QFX5100s acting as a routing core (gateway) running VRRP, because it is the gateway for all routes, and the ASA will connect the gateway to the DIA (Direct Internet Access).

What would be the best way to pair them together?

If I have the ASA point to my VRRP IP address, only one of my QFX BGP sessions will show up (the active VRRP router). This will cause the QFX backup VRRP router to create alerts because its BGP session will always be down until a failover.

However, if I do redundant BGP connection to each QFX5100 I'll have to create load balance or at least some local preference changes on the Cisco ASA. Also, it might affect my BGP peering unless I do Multichassis LAG

Is there anything I am not thinking of?



Class A and Class C?

Hi all,

I'm no networking guru, so I'm hoping this question isn't offensively trivial.

At an industrial site, we have an NTP server with IP address 10.12.160.xxx and we wish to have a number of field devices sync to it. These devices are on an isolated Modbus network with IP addresses in the range of 192.168.1.xxx.

We haven't completed the physical connection between the two networks yet, but I was wondering if it's even possible through subnet assignment to have a device with a 192.168.1.xxx address communicate with a device with a 10.12.160.xxx IP address.

Thanks!



Microsoft Protected EAP(PEAP) settings issues (x-post in wireless)

So I am configuring a new network (using Aruba/Clear Pass) having some issues on a couple of my older machines. I think I have found parts of the problems.

Outline of issues:

  • I tried to add a WPA2-Enterprise profile via GPO; while the GPO is loaded on the machine, it does not create the wireless profile.
  • I tried to manually add in the network and it would not allow me to traverse past the initial page (selecting specifically WPA2-Enterprise; the other network settings work fine).
    • I found the resolution to this: we had SEP installed on the machines in question, and SEP had modified several of the DLL routes for EAP, so I had to set those back to default. Link for those who have similar problems
  • Now that I have gotten that far and can now set up profiles with Microsoft: Protected EAP (PEAP), when I go through and try to select settings on the security tab I get the error "Windows has encoutered an ereror saving the EAP properties. Specific error: The request is not supported."
    • While I have tried to google fu the answer, I keep getting nowhere.

While these laptops have had SEP and Intel PROSet, I have removed both, so those (in theory) should not be affecting anything else. Has anyone else encountered this? Is there a way around it? In ClearPass the error I keep getting when trying to connect is: RADIUS EAP: Client doesn't support configured EAP methods.

I take that to mean it's the EAP settings I need to effect change to, and I am unable to. Any links or settings that I should look at would be appreciated.



Is PFRv3 supported without an overlay (DMVPN)?

Hi everyone,

I'm interested in setting up PFRv3 between IOS-XE routers which are connected via GRE tunnels. This includes smart-probes, load balancing and so on.

Is it possible to set this up without an overlay?

Thanks!



Help with cisco switch

We have a Cisco sg220-50p switch that I am trying to configure. On first boot, not on the network, I log into the console and change the default password. I then save and reboot the switch. I then verify that I can log onto the web interface and the console with the new password. The issue I am having is when I plug into the network and get an IP address from DHCP I am no longer able to log into the console or the web interface. Just typing the username into the console will say Authentication failed and I get invalid username or password on the web interface. I cannot figure out why this happens once I have connected to the network. Has anyone else had this problem?



Azure express routes and User defined routes

Hey everyone, not sure if this is the best place to put this, but this community has the best people on the internet, so I figured maybe you guys would know about this as well.

I am working on implementing new Cisco FTDs into the Azure cloud space for my company. So far, it has been fairly smooth sailing, until I hit a snag with express routes not routing properly to my DMZ. It seems like the express route is trying to take its own path rather than the UDR. This causes us to not even make it to my firewall when we have the UDR in place. If we bypass the firewall and remove the UDR, everything is working and we can ping our test server.

I am very new to how Azure works, but I was wondering if anyone else has gone through this kind of issue, and might be able to provide some more insight. I am happy to expound on my issue, but I'm not sure what you would need to know. Anyone able to help?



Vigor2830n-plus: Inter-LAN Routing disabled yet functioning

I'm looking for some help with my VLAN configuration, specifically inter-LAN routing, which I would like to be disabled, yet for some reason is still functioning.

 

This is my configuration so far.

http://ift.tt/2jz9x0N

http://ift.tt/2i6Sove

http://ift.tt/2jAOrPH

 

As you can see, 192.168.2.10 can still ping 192.168.1.1.

 

Thoughts?



SPAN on ACI

Hi all

We are looking at purchasing a Riverbed Steelcentral solution including Netprofiler and App Response and would be looking to deploy it within an ACI fabric.

I have searched the web and cannot seem to find a best practice guide for implementing network taps within a spine/leaf design. I would be looking to capture as much data as possible from within the fabric, sending it to the App Response appliance. It seems a fabric SPAN would cover this, as we operate in a network centric deployment and have a lot of EPGs which would be a pain to set up.

In my mind the appliance would connect directly to the spines on dedicated 10G interfaces, rather than on a leaf, but being an ACI beginner I am not sure this can be done, as it is only supposed to be leafs connected to spines (not sure if this is just a best practice or has to be done).

Anyone have any experience with network taps in an ACI fabric that they could kindly share?



HP Switch not connecting back after losing connectivity to a Meraki Switch via a 4 port LAG

Quick overview:

Core switch is a Meraki L3 Switch that connects all Access Points, Servers, and internet Routing. There is a four interface LACP going to the HP Switch, which is where all desktops and phones connect to.

When the Meraki Switch reboots for Firmware Updates, the HP Switch will not renegotiate the LAG back to the core Meraki without being rebooted.

Any idea why this would be the case?



Dell MAB Authenticating regardless of valid credentials?

Hi! I've recently started working on a new stack of Dell N3048P's for my company. They want to implement dot1x on the switches but in order for printers and other dot1x unaware devices, I was looking into MAB.

The switches are already set to authenticate on a RADIUS server in WS2k12, which is then linked to an AD domain. When I used MAB on an interface, I have two problems:

Firstly, if the device is shown as authorized, it still gets tossed into the unauthorized VLAN.

Second, with MAB enabled, any device that connects to those ports is shown as authorized, regardless of if there are matching credentials in AD or not. This is an example config of one of the MAB switch ports:

interface Gi3/0/48
 switchport mode general
 switchport general allowed vlan add 20
 dot1x port-control mac-based
 dot1x reauthentication
 dot1x unauth-vlan 20
 dot1x mac-auth-bypass
 authentication order mab dot1x
 authentication priority mab dot1x

VLAN 20 is the guest network while VLAN 1 is the trusted network.

Any suggestions? Thanks!



AT&T's Disaggregated Network Operating System

Just wanted to know what are your thoughts on ATT's white paper regarding the so called 'white boxes'

http://ift.tt/2BmI4XC



Partner Portal

Simple question.

What are the advantages of Partner Portal?

I have access to various partner portal. What can they be used for as a Engineer.

Thank you.



Hp switch Acls.

Can anyone point me in the right direction for setting up an acl on a hp 1920s switch? I'm trying to stop any access from the WiFi network into the private network bar access to getting a dhcp address.

I have a public wifi subnet . 99.x
And a private lan subnet . 7.x
On the lan is the dhcp server 192.168.7.10

This all goes through the 1920s switch. Two vlans on it.
Vlan 10 (public) is 192.168.99.253

Vlan 254 (private) is 192.168.7.253

I thought I could just do
1- permit 192.168.99.253 0.0.0.0
2- deny 192.168.99.0 0.0.0.255
3- permit all

Then apply that to VLAN 254 (it auto applies inbound). Doing that just lets everything through, like I don't have an ACL applied. What am I doing wrong?
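To reason about which rule an ACL fires for a given packet, it helps to model first-match evaluation with wildcard masks and to be explicit about where the list is bound: an inbound list on VLAN 254 is evaluated on packets entering the switch from hosts in 192.168.7.0/24, so source addresses in 192.168.99.0/24 never reach it. The following is an added example, not from the post or from HP: a generic first-match ACL evaluator (assumed semantics, not the 1920s firmware's exact behaviour), run over the three rules as posted and over a constructed alternative bound where WiFi traffic enters (VLAN 10 ingress) that permits only the DHCP server 192.168.7.10 and denies the rest of the private LAN. Addresses are the ones in the post; 192.168.99.50, 192.168.7.20 and 203.0.113.5 are constructed sample hosts.

```python
import ipaddress

# "any" as a base/wildcard pair: every bit is "don't care".
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """Cisco/HP-style wildcard mask: a 0 bit in the mask must match the base,
    a 1 bit is ignored (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate_acl(acl, src, dst):
    """First-match evaluation.  Each rule is
    (action, (src_base, src_wildcard), (dst_base, dst_wildcard)).
    Returns (action, rule_number) with rule numbers starting at 1, or
    ("deny", None) for the implicit deny when nothing matches."""
    for number, (action, (sb, sw), (db, dw)) in enumerate(acl, 1):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, number
    return "deny", None


# The list as posted, modelled as a standard (source-only) ACL.
ACL_AS_POSTED = [
    ("permit", ("192.168.99.253", "0.0.0.0"), ANY),
    ("deny",   ("192.168.99.0", "0.0.0.255"), ANY),
    ("permit", ANY, ANY),
]

# Constructed alternative (assumption, not the switch's own config): bound
# inbound on the public VLAN, where packets sourced from 192.168.99.0/24
# actually enter.  DHCP traffic to the server is allowed, the rest of the
# private LAN is denied, everything else (Internet) is permitted.
ACL_WIFI_INGRESS = [
    ("permit", ("192.168.99.0", "0.0.0.255"), ("192.168.7.10", "0.0.0.0")),
    ("deny",   ("192.168.99.0", "0.0.0.255"), ("192.168.7.0", "0.0.0.255")),
    ("permit", ANY, ANY),
]


def ingress_decisions(acl, flows):
    """flows: (src, dst) packets arriving on the interface the ACL is bound to.
    Returns a dict mapping each flow to the (action, rule) that decided it."""
    return {(s, d): evaluate_acl(acl, s, d) for s, d in flows}


if __name__ == "__main__":
    # What an inbound list on VLAN 254 really sees: packets FROM 192.168.7.x.
    private_side = [("192.168.7.20", "192.168.99.50"), ("192.168.7.20", "192.168.7.10")]
    for flow, decision in ingress_decisions(ACL_AS_POSTED, private_side).items():
        print("VLAN 254 in:", flow, "->", decision)   # both hit rule 3, permit

    # The same packets evaluated where WiFi hosts are the source.
    wifi_side = [("192.168.99.50", "192.168.7.10"),
                 ("192.168.99.50", "192.168.7.20"),
                 ("192.168.99.50", "203.0.113.5")]
    for flow, decision in ingress_decisions(ACL_WIFI_INGRESS, wifi_side).items():
        print("VLAN 10 in: ", flow, "->", decision)
```

A broadcast DHCP DISCOVER stays inside VLAN 10 and is not routed, so it never reaches an inter-VLAN ACL at all; the DHCP-server exception matters for relayed or renewal traffic addressed to 192.168.7.10 directly. Whether the 1920s applies the list before or after routing is something to confirm against its own documentation; the evaluator only shows the ordering logic.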



7280SR-48C6 as edge router

Hello everyone. Does anyone have experience with the 7280SR at the edge? I'd like to know if I'd have issues taking two full BGP views and ~100k routes from an IX. We're comparing this solution to something much larger, older, and more power hungry... MX240.



Why are jumbo frames ever disabled by default

Hi guys,

weird question I guess and yet I wonder why nobody asked it before. If I enable jumbo frames on switches/vlans, I allow devices to use it. Devices that use a lower MTU still work as well. What's the purpose of jumbo frames to be disabled by default?



How do I do my job?

I've somehow found myself in a precarious position. I need you to tell me how to do my job.

I've been hired to build an infrastructure for a small facility. I haven't been given any details yet apart from the fact that they hired a bunch of vendors who half assed the job. I'm to design and build (or fix the vendors mistakes) a network, AD servers, and work stations.

Whelp, I've got 0 experience with any of this. I'm the entire IT department, and I don't even know where or how to begin. I labbed a lot in school, but purchasing stock equipment was never part of it. Based on my quick research, i don't think I can just simply purchase the minimum required Cisco equipment, configure and then deploy them. It seems more complicated than that. I also do not know what I am doing in regards to configuring a wireless network from the ground up or the AD server.

You're asking, "dude, why did you accept this position if you're not sure you can actually complete the duties?" Well, I've searched long for some sort of junior or "entry" level networking gig in which I can learn under the tutelage of someone more experienced than me and gain that much-needed professional experience. I have come to the conclusion either this doesn't exist, or it's extremely rare. And so this is my only option to get some experience.

Help me stop freaking out, please.



Multi DNS behaviour - best practise (cisco/windows)

Hi,

I'm looking for someone who has practically done this to try and answer a burning question.

When using DHCP we want to add 4 DNS servers to the scope as we currently have two. So if we have saw problems with first 2 the others would be used.

1.) Is having more than 2 possible in a Cisco DHCP handoff config? (I am struggling to do this and have googled a lot!)
2.) Does the Windows OS even allow it without customisation? I.e. if DHCP was set up with 4 DNS handoffs, would it accept them by default?
3.) Is there an optional industry standard method like a load balancer or VIP I am overlooking that should be used?

Thanks G



Comware, Permitted Vlan not passing.

Hi I know this is a bit basic but after a quick google I can't actually find the answer.

Currently I have a port not "Passing" a permitted Vlan. Now most of my experience is with procurve/provision switches and I can't actually find out what this means so any help would be appreciated

Dump of the section of the port config below

Port link-type: Trunk

VLAN Passing: 1(default vlan), 101, 108, 290-292, 3097

VLAN permitted: 1(default vlan), 101, 108, 290-292, 2882, 3097

Any help appreciated



Newbie sysadmin having network problems at work

Setup: 1 Ethernet cable coming from the wall, 2 external IPs. The cable from the wall goes to a switch; the switch goes to a WLAN router for our wifi (with its own external IP) and to a Cisco firewall. The Cisco firewall goes to a few different switches which power all our rooms.

The Cisco firewall has its own external IP address too, and works as the DHCP server.

Lately we have had a lot of troubles on our network, external access just drops out of nowhere for a few minutes. This ONLY affects everything from the cisco firewall and "downward". The wifi isn't affected.

I had plugged in an extra switch last week, and the problems got worse. Disconnected it yesterday, and we had fewer problems, but the internet still craps out a few times a day. Internal IPs are still pingable. The problem is resolved when I unplug the firewall for a few seconds and then plug it back in. No other changes than this have been made to the network for months. Problems started 4-ish weeks ago.

I can connect to the firewall's internal management, but can't find anything strange there. The connection to it craps out when the net craps out though.

Anyway, this is about as far as I have come. No idea how to go further. What would the next logical step of troubleshooting be?



Wednesday, November 29, 2017

Any HIPAA security gurus got a moment for the hated vendor?

So for anyone in healthcare IT, I'm THAT guy now. The vendor who brings in a VM OVA file that was created in 2015, a bunch of desktop PCs, and network requirements from the mid 90's.

As a bit of background, I work for a rather large company that provides patient monitors to hospitals (the beepy heart monitors in your hospital room) and because we have people's lives on the line, our equipment has to be approved by the FDA for every facet of how it is touched. As such we have the following requirements

  1. Any and all security patches to our system must first be tested by our R&D for any impact.

  2. No outside software can be installed without first being fully tested.

Now this seems sensible on the surface, but combine this with the fact that in order to ensure that our systems communicate issues to the nurses at the moment something happens, we have to be able to display the results less than a second after the event is detected.

This makes our latency requirements make voip look generous. Any latency of more than 30ms will break our system. Prior to the current version this was easy. We built the entire network connecting these systems ourselves separate from the hospital and connected only to send data that was needed over to the hospital. Unfortunately with the new ACA requirements, larger amounts of patient data had to be stored with the hospital so we began connecting our network to the hospital, or letting the hospital connect our devices to their network provided they could meet our requirements.

Unfortunately this is where I turn into the enemy. Our requirements are things like

  1. Antivirus is limited to two vendors and must be so disabled as to render them useless
  2. No form of snapshots can be done to any VM we issue, and no form of backups can be made beyond the one we provide.
  3. No group policies may be applied to the systems whatsoever.
  4. No external clients for malware scanning or similar may be installed.
  5. Remote support for our systems must be provided using our own custom remote solution that has been cobbled together from a handful of older, non supported solutions that the DOD once used.
  6. Most key, any security patches that do make it through our approval process show up a month and a half after they are released, and must be manually patched, which will likely result in a downtime for the patient monitoring system.

Now I've only been with this company for a little while, and I know the pain of a regular, non HIPAA, non PCI audit, and I know how much those requirements suck. I know that this is the kind of thing that screams Target's breach or Wannacry all over. The problem is that there is nothing I can do about it. My job with the company is to negotiate with IT to communicate these requirements, and ensure that they are met. I even have come to understand why these requirements have to be so ridiculous, but the problem I've come to you with is this:

*Is there a documented process to allow a HIPAA compliant system that cannot be patched to be approved? *

Obviously there are going to be systems that for whatever reason cannot ever be patched, cannot be ensured as safe, and have to be considered largely toxic devices. Embedded Windows systems, legacy systems etc. We all have them and we deal with them by isolating them and locking them away from our network as hard as possible. Fortunately this is something I can support and actively encourage our customers to do, but security is all about the CYA, and they need documented proof. They need exceptions and they need proven processes. So for any poor soul out there whose job it is to deal with this kind of thing, can you help me find a process that I can give my irate IT customers to help them C their As? Keep in mind that just saying "stick us behind a firewall and lock us down to the absolute bare minimum required" isn't what I'm looking for. That is of course what we need to do, but I need something with a bit more authority than my own dumbass self saying so.



Does anyone know how to restrict a router from connecting to a certain country?

Let's say while playing a multiplayer game, I get connected to Japan servers. Is there a way to completely block Japan on the router? My router is a TP-Link Archer 1200.



Is there a way to encrypt the UN/PW in the "archive path" command on a Cisco device?

I'm trying to implement configuration archives / configuration rollback on Cisco devices using SCP. As it stands, using the "archive path scp://username:password@SCP_IP/Directory/" command, it goes directly into the config with the full command and it does not hide the username or password. Service password-encryption does not work in this case.

All the documentation I've seen just talks about how to pass UN/PW in a single command (like above) or how to set up a local account for SCP, but not if it's possible to hide the username/password in this particular instance.

Bonus question: if you store all configuration backups in the same directory, would the switch know which one to pull out of the directory or would it just pull a random one? I'll be testing this tomorrow, but just wanted to see if I could get a comment. :)

Thanks!
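The post's observation is that an archive path written as scp://username:password@host/ lands in the running configuration in cleartext, so anything that copies, backs up or shares that configuration (TFTP servers, ticket attachments, a config repository) carries the credential with it. The following is an added example, not from the post or from Cisco: a small scanner, using only the Python standard library, that flags any URL in a config text that embeds user:password@ and produces a redacted copy suitable for sharing. The sample config is constructed, with placeholder host 192.0.2.10 and made-up credentials; the scanner only reports and redacts, it does not change anything on the device.

```python
import re

# Constructed sample running-config excerpt (not from the post).  The path line
# mirrors the command form the post describes, with placeholder credentials.
SAMPLE_CONFIG = """\
hostname edge-sw1
service password-encryption
!
archive
 path scp://backupuser:S3cretPass@192.0.2.10/cfg-backups/
 write-memory
!
ip http server
"""

# Matches any scheme://user:password@rest token.  The user part may not contain
# ':' so the first colon separates user from password; the password runs up to
# the '@' that introduces the host.
CRED_URL = re.compile(
    r"(?P<scheme>\b[a-z][a-z0-9+.\-]*://)"
    r"(?P<user>[^\s/:@]+):(?P<password>[^\s/@]+)@"
    r"(?P<rest>\S+)",
    re.IGNORECASE,
)


def find_embedded_credentials(config_text):
    """Return one record per line that embeds a username:password in a URL.
    The password itself is deliberately not returned, only where it is and
    which account/host it belongs to, so the report can be filed safely."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for m in CRED_URL.finditer(line):
            host = m.group("rest").split("/", 1)[0]
            hits.append({
                "line": lineno,
                "scheme": m.group("scheme")[:-3].lower(),   # strip '://'
                "user": m.group("user"),
                "host": host,
            })
    return hits


def redact_embedded_credentials(config_text):
    """Return the config with every embedded password replaced by <REDACTED>,
    leaving scheme, user and host intact so the line is still recognisable."""
    return CRED_URL.sub(
        lambda m: f"{m.group('scheme')}{m.group('user')}:<REDACTED>@{m.group('rest')}",
        config_text,
    )


if __name__ == "__main__":
    for hit in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"line {hit['line']}: {hit['scheme']} credential for "
              f"{hit['user']}@{hit['host']} stored in cleartext")
    print(redact_embedded_credentials(SAMPLE_CONFIG))
```

Run it over exported configurations before they are committed to version control or attached to a ticket; a hit means the backup target's credential has to be treated as exposed wherever that config has already travelled, independent of whether the device itself can be made to hide it.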



Cisco Nexus 9K no lacp suspend-individual in VPC

Hello,

I am planning some new gear deployment and I wanted to verify that the provisioning process would work as expected (unfortunately I don't have an extra pair of switches to test it now).

So situation is fairly simple - bunch of 1U servers that will be uplinked to pair of Cisco 9Ks via LACP bond. Add a little twist - I also need to PXE boot them. I know of "no lacp suspend-individual" command that would bring up a port even if there's no LACP received on it.

What I don't know and can't find with the help of Google - how will this command behave in vPC environment? Can it be different on 2 sides of vPC? If yes, I can just use it on 1st switch - if port is not sending LACP then the port will come up on it, while port on 2nd switch will still be disabled. If not - are there any other tricks? Or am I SOL and will have to write some additional automation to change state of ports after the servers are built?

Any information will be greatly appreciated!



Need a BGP guru to answer a config question.

We use an MPLS provider to supply backup links to many of our remote locations (primary is Internet VPN). Note that the provider does the MPLS magic - we simply connect our routers to their routers via a /30 link, and let BGP peer with their router. We and the provider use Cisco routers.

This works great, but there is one minor nit that is bugging me. On my routers, I only see BGP advertisements from the provider's router for two of my remote networks. I don't see the provider's routers advertising the other locations' networks.

I do see all my remote routers advertising their local network to the provider's local router. In the case that the Internet VPN goes down to a location, the provider's routers DO start advertising routes to affected location's subnet.

I assume that some of the provider's routers are configured to NOT advertise a route to my routers if my routers are advertising a better (shorter) route to the provider's router.

I'd like to have the provider change their config so that they are always advertising routes to my routers, even if my routers are advertising a better route to them.

I can't see the config on the provider's routers, so I can't compare the settings on them. What is the IOS magic incantation to accomplish this?

EDIT: include crappy ascii diagram

+-------------+                                       +-------------+
|     CR1     | -------- (internet VPN) ------------- |     CR2     |
| 10.0.0.0/24 |                                       | 10.0.1.0/24 |
|             |                                       |             |
| 192.168.1.1 |                                       | 192.168.2.1 |
+-------------+                                       +-------------+
       |                                                     |
       |                                                     |
+-------------+                                       +-------------+
| 192.168.1.2 |                                       | 192.168.2.2 |
|             |                                       |             |
|     PR1     | --(hop1)--(hop2)--(hopN)------------- |     PR2     |
+-------------+                                       +-------------+

The above diagram shows main site to one remote location. CR1 is my router and PR1 is the provider router at the mothership. CR2 is my router and PR2 is the provider router at Ultima Thule. In reality, there are multiple sites and subnets CR3/PR3, CR4/PR4, etc, but my ascii drawing skills can't handle that. The VPNs connect in a hub and spoke back to CR1, and the MPLS connect as a mesh.

In some cases, PR1 does not advertise a route to 10.0.1.0/24 to CR1, (presumably) because CR1 is advertising a better (one hop) route to PR1.

However, in other cases, PRx DOES advertise routes back to CRx, even though CRx is advertising a better route to PRx.
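The behaviour described for PR1 follows from two BGP basics: a speaker advertises only its best path for a prefix, and an eBGP-learned path is preferred over an iBGP-learned one when the AS paths are equally long. While the VPN is up, CR1 itself hands PR1 a path to 10.0.1.0/24, that path wins on PR1, and the only thing PR1 could send CR1 is CR1's own route back, which CR1's loop detection discards (or which PR1 never sends in the first place). When the VPN drops, CR1 withdraws, the backbone path via PR2 becomes best, and CR1 starts receiving it. The following is an added, deliberately simplified model of that decision, not a provider configuration and not the IOS answer the post asks for; AS numbers 64512, 65001 and 65002 and the prefix 10.0.1.0/24 are taken or constructed to match the diagram.

```python
from dataclasses import dataclass

# Constructed AS numbers for the diagram: provider backbone and the two customer routers.
PROVIDER_AS, CR1_AS, CR2_AS = 64512, 65001, 65002


@dataclass
class Path:
    prefix: str
    as_path: list        # leftmost entry is the most recently prepended AS
    kind: str            # "ebgp" (from a customer peer) or "ibgp" (from the backbone)
    learned_from: str


def select_best(paths):
    """Simplified BGP decision process: shortest AS path wins, then an
    eBGP-learned path is preferred over an iBGP-learned one (the real
    process has more steps; these two are the ones that matter here)."""
    return min(paths, key=lambda p: (len(p.as_path), 0 if p.kind == "ebgp" else 1))


def ebgp_advertise(path, sender, local_as):
    """Only the best path is advertised, and sending to an external peer
    prepends the sender's own AS."""
    return Path(path.prefix, [local_as] + path.as_path, "ebgp", sender)


def ebgp_accept(path, my_as):
    """Receiver-side loop detection: a route whose AS path already contains
    my AS is discarded.  Many implementations also refuse to send a route
    back to the neighbour it came from; the outcome is the same."""
    return None if my_as in path.as_path else path


def pr1_paths(vpn_up):
    """Paths PR1 holds for CR2's LAN in the constructed scenario.  The
    backbone path (via PR2, iBGP inside the provider) is always present;
    while the Internet VPN is up CR1 also advertises the prefix to PR1."""
    paths = [Path("10.0.1.0/24", [CR2_AS], "ibgp", "PR2")]
    if vpn_up:
        paths.append(Path("10.0.1.0/24", [CR1_AS], "ebgp", "CR1"))
    return paths


def best_path_source(vpn_up):
    return select_best(pr1_paths(vpn_up)).learned_from


def what_cr1_learns(vpn_up):
    """The path CR1 ends up installing from PR1, or None if nothing usable arrives."""
    best = select_best(pr1_paths(vpn_up))
    return ebgp_accept(ebgp_advertise(best, "PR1", PROVIDER_AS), CR1_AS)


if __name__ == "__main__":
    for state in (True, False):
        learned = what_cr1_learns(state)
        print(f"VPN up={state}: PR1 best path via {best_path_source(state)}, "
              f"CR1 installs {learned.as_path if learned else 'nothing'}")
```

The model does not explain the sites where PRx does advertise back while the VPN is up; that depends on provider-side policy (local preference, AS-path manipulation) the post cannot see, which is exactly the information to request from them alongside any change.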



Packet capture using a switch as copper tap

I have a Nexus 9K and I need to SPAN 1 port (source) to 3 destinations. The Nexus 9K has a limitation built in to not allow more than 2 destinations for a source and no more than 2 SPANs with the same source. I had thought that if I SPAN the 1 source to 1 destination, connect that to a Cisco 2960 switch, use the receiving port on the 2960 as the source and then put my 3 capture devices as destinations on the 2960, this may work. I tried doing this with a different switch as a test. What I found was the switch was collecting the incoming MAC addresses and adding them to its MAC table. This clearly caused issues and I shut it down.

Does anyone know how to make what I'm suggesting work? Disable the MAC table? Or is it just better to ask the boss for $ to purchase a copper tap?



Passing Python commands to router/switch using Windows

Hey guys, I've been looking into Python network automation, but an issue I'm finding is that in the tutorials I'm seeing using GNS3, the Python script can be run from the Linux terminal and the switches and other devices can be connected to directly from the same Linux terminal. However, from my understanding, Windows CMD does not support IOS and an application such as PuTTY would have to be used. This being the case, how can I pass Python commands to Cisco devices from PuTTY or using Windows?



Nokia buyout of Juniper Networks, what are your thoughts?

I'm a network engineer and a Nokia shareholder and I'd like to get some perspective from other engineers. Thanks!



Application of MPLS without L2/L3VPNs?

So I've been kind of struggling with this.

MPLS and label distribution protocols (LDP/RSVP/Static) are always shown in conjunction with configuration of various MPLS applications (the most common being MPLS L3VPNs). That is the most obvious use case.

However, from what I understand as MPLS L3VPNs is a collection of 3 separate technologies (VRFs, MPLS transport, L3VPN).

Given that they are 3 separate technologies, wouldn't they have applications/use cases separate from each other?

For example, I can have VRFs as a form of network separation without running mpls. However, MPLS applications (L2/L3VPNs) cannot work without a functioning MPLS network.

How was MPLS used before mpls applications like L2/L3 VPNS?



Anyone doing network based cameras in a corporate setting?

If so, what solutions are you using for your company.



ISE port authentication keeps changing from dot1x to MAB after some time

Pretty much covered in the title, which is behavior that I don't want. For some reason, even if a device initially authenticates with dot1x, it will still eventually show up as MAB when I go to look at the auth sessions on the switch or in the ISE live sessions.

I do have the priority set thusly:

authentication priority dot1x mab

to allow phones to authenticate with MAB, which will also be used for guests eventually I think.

Anyway, what can I do to make sure dot1x sessions stay dot1x sessions instead of transforming into mab sessions.

Any help appreciated, thanks!



Bad routes - anyone ever get ISP to investigate?

Have had a habitual issue now with all of my offices on Spectrum in Michigan where traffic is being routed very poorly (Boston -> NYC -> Buffalo -> North Carolina -> Michigan) but I cannot get any of our support contacts to do anything about it. We first reported the issue to them in July and have continued to do so with no success.

Has anyone ran into this and how did you go about them actually looking into the issue? Every time I call into our enterprise support number they tell me it will be escalated to a higher tier but the routes have remained bad for months. We've got to be on Tier 60 by now.



Cisco Packet Tracer. Cable type.

Hello!

Could you please tell me if there is a way to know what type of cable is being used in a scheme in Packet Tracer? I've tried right-clicking on the cable with expectations of getting some sort of properties window, but had no success.

This is the example scheme I have and I need to know if it's Serial DCE or Serial DTE.

Thank you.

https://ibb.co/jb7iUb



Combining Private MIBs into one MIB file

I've been tasked with combining 50+ private MIB files into one file that includes everything, even the definition files.

Is this possible? What is the best way to go about this? Anyone have an example of this?

Any input is appreciated.

Thanks,



Cisco 819 acting like DHCP pool is full even when it's not?

We've had several issues where when we add devices to our network, we have to expand the DHCP pool in order for that device to get connected. However, there's always been enough addresses available in that pool.

Setup: Cisco 819 router, and from that an un-managed dummy Netgear switch, in which these devices are being plugged into. The switch we have set up as Vlan2, which has direct internet access. We normally have the DHCP pool range of 192.168.2.245 to 192.168.2.253, with 192.168.2.254 being the IP of the Vlan itself. So, in my mind there should be 9 available IP addresses. However, on some occasions there have only been 4 or 5 devices in that Vlan, and the new device won't get connected until after we expand the DHCP pool. We've tried restarting the switch, the router, clearing DHCP binding and the ARP table. What else could this be?

Some config:

ip dhcp pool manager
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.254
 dns-server x.x.x.x x.x.x.x
 lease 3
 class MANAGER
  address range 192.168.2.241 192.168.2.253

(This is what we expand it to. Typically the range starts at .245)

Config for the Vlan:

interface Vlan2
 ip vrf receive INET
 ip vrf receive INET-CELL
 ip address 192.168.2.254 255.255.255.0
 ip access-group 150 in
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache
 ip tcp adjust-mss 1300
 ip policy route-map LOCAL-INTERNET
 hold-queue 32 in

Extended IP access list 150
    10 deny ip any 10.0.0.0 0.255.255.255
    20 permit ip any any (1540064 matches)


Juniper SRX to Cisco PIX - VPN Phase 2 Issue

Hi Guys,

We are attempting to connect a VPN with a 3rd party. They are using a Cisco PIX (I know) and we are using a Juniper SRX 1500 cluster with Junos 15.

Phase 1 seems to be negotiating fine; however, I am seeing a weird issue with Phase 2 as below:

[Nov 29 17:12:09][OUR-IP <-> THEIR-IP] Authenticated Phase-2 notification `No proposal chosen' (14) data size 4 from THEIR-IP for protocol ESP with invalid spi[0...16]=59 f7 4c 6e 8f 6c c5 d3 54 44 41 63 77 d9 d7 da causes IKE

Google turns up very limited results for this log. All phase 2 parameters match; we have changed ESP from 256 to 192 to 128 and the same issue still persists.

Can anyone shed any light on this? Is this an incompatibility between Cisco and Juniper?



If I add an ACL on L2 port and and ACL on L3 interface, which one of them has a higher priority?

So let's say I do this

interface vlan 100
 ip add 1.1.1.1/24
 ip access-group 11
interface fa0/1
 description Host=1.1.1.2
 switchport access vlan 100
 ip access-group 22
access-list 11 10 deny 1.1.1.2
access-list 22 5 permit 1.1.1.2

Which one should work first and why?



PPPoE Gateway Issue with ISP

Ok, so I'm having a bit of an issue with my ISP.

They are setting the remote/gateway address as a private address instead of a public address, which conflicts with my own network.

My linux firewall has an IP address of 10.0.0.1

I have internet in my building, provided by ethernet.

When I connect, it shows the following in pppd

Nov 28 23:42:21 firewall pppd[19591]: local IP address 211.122.156.12
Nov 28 23:42:21 firewall pppd[19591]: remote IP address 10.0.0.1

(I have changed my external ip address in this post for security)

Note the remote IP address is also 10.0.0.1

So, my ISP is using 10.0.0.1 as the PtP address as shown here:

ppp0      Link encap:Point-to-Point Protocol
          inet addr:211.122.156.12  P-t-P:10.0.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1480  Metric:1
          RX packets:1669 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1479 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:681954 (665.9 KiB)  TX bytes:148840 (145.3 KiB)

Now, when I connect, it sets the default route on the firewall to 10.0.0.1, which conflicts with the LAN IP.

eg:

root@firewall:~# ip route show
10.0.0.1 dev ppp0  proto kernel  scope link  src 211.122.156.12
10.0.0.0/24 dev eth0  proto static  scope link
root@firewall:~# ping 8.8.8.8
connect: Network is unreachable

I currently get around this by using the following options in pppd:

nodefaultroute noreplacedefaultroute 

Then setting an interface route:

ip route add default dev ppp0 

So the routes look like this:

root@firewall:~# ip route show
10.0.0.0/24 dev eth0  proto static  scope link
default dev ppp0  proto static  scope link
root@firewall:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=60 time=11.1 ms

The issue is, I want to use different routing software, which doesn't do device routes and runs into the conflict.

How can I prove to my ISP that the issue is on their end? Am I missing something myself?
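A small check for the conflict described in this post, added here as an example and not part of the original post: it parses the pppd lines and the `ip route show` output quoted above (embedded below as constructed samples) and reports any directly connected LAN prefix that contains the ISP's peer address. The function names are this example's own.

```python
"""Detect a PPP peer (gateway) address that collides with a local LAN.

Added example, not part of the original post. The log lines and route
table below are constructed from the values quoted in the post; the
function names are this example's own.
"""
import ipaddress
import re

# Constructed sample: the two pppd lines and the route table from the post.
PPPD_LOG = """\
Nov 28 23:42:21 firewall pppd[19591]: local IP address 211.122.156.12
Nov 28 23:42:21 firewall pppd[19591]: remote IP address 10.0.0.1
"""

IP_ROUTE = """\
10.0.0.1 dev ppp0  proto kernel  scope link  src 211.122.156.12
10.0.0.0/24 dev eth0  proto static  scope link
"""

_PPPD_RE = re.compile(r"pppd\[\d+\]: (local|remote) IP address (\S+)")
_ROUTE_RE = re.compile(r"^(\S+) dev (\S+)")


def parse_pppd(log: str) -> dict:
    """Return {'local': addr, 'remote': addr} parsed from pppd syslog lines."""
    found = {}
    for line in log.splitlines():
        m = _PPPD_RE.search(line)
        if m:
            found[m.group(1)] = ipaddress.ip_address(m.group(2))
    return found


def lan_prefixes(route_output: str, ppp_dev: str = "ppp0") -> dict:
    """Map each non-PPP interface to its connected prefix from `ip route show`.

    The kernel's /32 route to the peer on the PPP device is skipped: that
    route is the point-to-point link itself, not a LAN.
    """
    prefixes = {}
    for line in route_output.splitlines():
        m = _ROUTE_RE.match(line)
        if not m or m.group(1) == "default":
            continue
        dst, dev = m.groups()
        if dev == ppp_dev:
            continue
        prefixes[dev] = ipaddress.ip_network(dst, strict=False)
    return prefixes


def find_gateway_conflicts(log: str, route_output: str) -> list:
    """Return (device, prefix) pairs whose connected LAN contains the PPP peer.

    A hit means the ISP's point-to-point gateway lies inside a locally
    connected subnet, so a plain `default via <peer>` route is ambiguous
    and only a device route (`default dev ppp0`) avoids the clash.
    """
    peer = parse_pppd(log).get("remote")
    if peer is None:
        return []
    return [(dev, str(net))
            for dev, net in lan_prefixes(route_output).items()
            if peer in net]


if __name__ == "__main__":
    for dev, net in find_gateway_conflicts(PPPD_LOG, IP_ROUTE):
        print(f"PPP peer address overlaps connected prefix {net} on {dev}")
```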



Multiple IKE tunnel endpoint

Hey everyone! Our org is working on some initiatives to tame our disparate infrastructure and implement some additional security for the management of our routing and switching gear, much of which is located in isolated networks with their own DIA connections.

One of the approaches we've considered is moving all management to private networks on their own VLAN so as to expose as little attack surface as possible. That's easy enough for the on net stuff, but we can't standardize on that unless we can bring those remote sites' management VLANs on net via secure tunnels.

So, we'd like to establish secure tunnels to each of these remote locations so as to bring those devices' management VLANs back to our core. Does anyone know of a good device for acting as a tunnel endpoint for these numerous sites? We're talking about potentially as many as 100 or so tunnels, so I imagine it would need to be pretty beefy or distributed across multiple devices. The traffic over those tunnels would be low, only SSH, smallish OSPF, and SNMP.

Does anyone have any suggestions, or perhaps even an alternative approach that achieves the same or similar desired result?



Inside the Technical Assistance Center: The TAC Experience

I thought this was a fairly good article on the Cisco TAC.

https://www.youtube.com/watch?v=uVMSbKKHYps



Tuesday, November 28, 2017

Help, CRC error occurs when connecting CAB-10GSFP-P3M 30 AWG to Cisco DCN switch.

I have a 10Gbps Direct Attach Cable (CAB-10GSFP-P3M 30 AWG) which is compatible with Cisco. But something went wrong when I tried to connect the cable to a Cisco switch (DCN BUN-CS6500-48-L3-D and DCN S5750E-52X-P-SI): it turned up a CRC error.
I got the cable from http://ift.tt/2Bwl09C and it's supposed to be compatible with Cisco.
Does anyone here know what was going on?




HAProxy stats question

In the HAProxy stats service(?) is it possible to restrict access to the stats page by source IP address? Here is the relevant config in haproxy.cfg:

listen stats
    bind *:1936
    stats enable
    stats uri /
    stats hide-version
    stats auth X:Y

I've tried using an ACL like this:

    mode tcp
    acl network_allowed src 192.168.1.1
    tcp-request connection reject if !network_allowed

but I can't connect to the stats page at all with the above. Is what I am attempting possible? I would like to keep the "security" of this configuration inside the haproxy config if possible, but if I have to I will restrict with iptables.



Hyper-collapsed core design?

We're designing a one-rack colo space that would basically be a data center in a box. The servers are going to be a hyper-converged cluster (apps, storage, etc. all on the same platform).

One thought I had was basically rack a pair of beefy datacenter switches in there, and collapse everything (access, core, distribution, dmz, etc) into that single layer, segment everything with vlans/private vlans, and vrf (for the external segment)

Then you'd basically have one big trunk going down to the server cluster, one big trunk going north to the firewall, and your links to external peers in their own vrf.

That way everything truly is handled by the core switches, so basically you have one cluster of servers, one pair of switches, and one pair of firewalls.

I know this may not meet any best practice design guide but it's kinda out of the box experimenting... what do you think? Even eliminates a separate box for edge routers too... most/all dc switches will do bgp peering and it won't be full tables... default only



Does a whitebox switch vendor exist that...

  • has an "access" switch (e.g. 48 x 1G-T, 2-4 x 10G-SFP+) that is under 1000USD
  • has an "aggregation" switch (e.g. 48 x 10G-SFP+, 2-6 x 40G-QSFP+) that is under 5000USD
  • has support for ONIE / Cumulus
  • has lower cost / lower density switches for laboratory testing (sub 500USD)
  • has some semblance of a reputation (e.g. fs.com satisfies the first two objectives, but they are new to the scene)

Also, this is a general request for vendor suggestions related to deploying with ONIE/ONL/Cumulus/etc. If you've had a good time and feel like your choice of vendor / software has not bitten you too hard, it'd be interesting to hear about it.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Warm Spare or One Stack - Meraki MS425

We are looking to replace our core switch (currently Cisco 6509-E) with 4 Meraki MS425s. I have gone back and forth with the topology and come up with two ideas, and want to get some feedback on each. We have multiple buildings using two fiber pairs to connect each back to our MDF. Here are my options:

1) Create two stacks with two switches each and configure one of the switches to be a warm spare. Each building would have a single fiber connection to each switch stack that would be connected to separate building switches.

2) Create one four switch stack and use LACP to connect to the buildings. Again, each building would have a fiber connection to different switches in the core stack and different building switches for redundancy.

The issues I see are that in scenario 2, if I lost the building switch that was connected to the primary core stack, I don't believe the warm spare would pass traffic; I think that only kicks in if the primary stack were offline. In scenario 1, the switch stack would need to reboot during upgrades and cause an outage. What am I missing and which way should I go? I am leaning toward option 2 but wanted a 2nd opinion. Thanks



Cisco industrial switches - 1000 series

Has anyone used these? We have a wifi project where we are deploying quite a few of these that will have APs attached. Apparently the config is web-based and I can't find too much online regarding a configuration guide, except some scant information regarding express setup. I usually configure my switchports for the access points with switchport trunk native and then allow the VLANs across the ports that pertain to the SSID client network. Can I do something similar in the GUI for the 1000 series, where I trunk a port but untag the VLAN the AP is on (switchport trunk native)?



Quick sanity check: ASA redundant interface configuration

Hey all, just a quick sanity check to make sure I understand the concept of redundant interfaces on ASAs. I've got a 5525-X connecting to two separate switches with the physical NICs a member of redundant1. The redundant interface is assigned an IP and if switch1 dies, then the ASA will continue to stay up thanks to switch2 kicking in. Is this an okay setup? My only concern is STP but if there is something else wrong, let me know. I have it all set up as follows:

SWITCH1:

interface Ethernet1/46
 description ASA1_gig0/1
 switchport
 switchport access vlan 255
 no shutdown

SWITCH2:

interface Ethernet1/46
 description ASA1_gig0/2
 switchport
 switchport access vlan 255
 no shutdown

ASA1:

interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.255.1 255.255.255.0



Diffie-Hellman groups to avoid

Some vendors have put out documentation suggesting we avoid DH groups 1/2/5 (keys with <2048 modulus).

I just watched this video on how DH key exchange works: https://www.youtube.com/watch?v=3QnD2c4Xovk&feature=player_embedded

Now I know how to mix red and blue to get blargh and stupid Eve can't see how I did it.

So where do we go from here? Is the problem that the prime numbers in groups 1/2/5 are too short, and people have created something like a rainbow table of them?

How serious of a problem is this? Are these tables easily mathematically computed, or are they publicly shared on the Dark Web? Is this real life?

I asked my Cisco SE and he said it is down to every organisation's security policy, but most of the people I work with don't have a security policy. And even if they did, they aren't technically competent enough to judge the risk of running DH 2 vs NG encryption.

All I keep telling people is that bigger is better and we always install the best encryption available at the time, but things change. VPN tunnels stay up at 3DES for years and years, and they get forgotten because they are working fine.

Am I being overly paranoid?
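An added example, not from the original post or any vendor: a small audit of IOS-style `crypto isakmp policy` blocks that flags the items the post worries about (DH groups 1/2/5, 3DES/DES, MD5), so forgotten tunnels can be found in a config dump rather than by memory. The config text is constructed, the function names are this example's own, and the classic IOS defaults (des, sha, group 1) are assumed for lines a policy omits.

```python
"""Flag weak IKE (ISAKMP) proposals in an IOS-style configuration.

Added example, not from the original post or Cisco documentation. The
config text is constructed; the DH group sizes are the MODP moduli from
RFC 2409 / RFC 3526 and the ECP curve sizes from RFC 5903.
"""
import re

# Modulus size in bits for the finite-field (MODP) Diffie-Hellman groups.
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
# Elliptic-curve groups are judged by curve size, not by a modulus.
ECP_BITS = {19: 256, 20: 384, 21: 521}
MIN_MODP_BITS = 2048          # the threshold the post quotes from vendor guidance
WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5"}

# Constructed sample: one legacy policy, one current policy, one ECC policy.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 30
 encr aes 128
 authentication pre-share
 group 19
"""


def parse_policies(config: str) -> dict:
    """Return {policy_number: {'encr': ..., 'hash': ..., 'group': ...}}."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        if current is None:
            continue
        m = re.match(r"(encr|encryption|hash|group)\s+(.+)$", line)
        if m:
            key = "encr" if m.group(1) == "encryption" else m.group(1)
            current[key] = m.group(2).strip()
    return policies


def audit_policy(policy: dict) -> list:
    """Return human-readable findings for one ISAKMP policy.

    Assumption: absent lines take the classic IOS defaults (encryption des,
    hash sha, group 1), which are exactly the values that should be flagged.
    """
    findings = []
    encr = policy.get("encr", "des").split()[0]   # 'aes 256' -> 'aes'
    hash_ = policy.get("hash", "sha")
    group = int(policy.get("group", "1"))
    if encr in WEAK_CIPHERS:
        findings.append(f"encryption {encr} is deprecated")
    if hash_ in WEAK_HASHES:
        findings.append(f"hash {hash_} is deprecated")
    if group in MODP_BITS and MODP_BITS[group] < MIN_MODP_BITS:
        findings.append(f"DH group {group} is a {MODP_BITS[group]}-bit MODP "
                        f"group (< {MIN_MODP_BITS})")
    elif group not in MODP_BITS and group not in ECP_BITS:
        findings.append(f"DH group {group} is not a known group")
    return findings


def audit_config(config: str) -> dict:
    """Audit every policy in a config; policies with no findings are omitted."""
    report = {}
    for number, policy in parse_policies(config).items():
        findings = audit_policy(policy)
        if findings:
            report[number] = findings
    return report


if __name__ == "__main__":
    for number, findings in sorted(audit_config(SAMPLE_CONFIG).items()):
        print(f"crypto isakmp policy {number}:")
        for finding in findings:
            print(f"  - {finding}")
```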



Got a call from "Sonicwall Renewals" stating I get a free NSA if I renew Security Suite for 3 years. Are they legit?

The caller ID said Sonicwall Renewals and they had the serial numbers of the NSAs that I have. They want me to renew our advanced security suite for 3 years and they will give me a free TZ 300/400 or 500.

Something sounds off and I'm wondering if they are even with Sonicwall at all.



What are some currently developing topics in network engineering/networking?

(I understand this post might violate rule #5, if so, I apologise)

I am currently a month away from having to start writing my bachelor thesis in my Network Security program. I am honestly more interested in the network part than the security one, so I would like to write about something in this field, but I don't have a topic yet.

Due to the nature of the program our main focus was on LANs and PANs, so I don't have a lot of insight into anything wider than that, but I'm very curious.

So getting back to my question, what would you say is a currently relevant topic in networking that is worth researching for me?



I can not seem to figure out how to connect these 2 routers.

http://ift.tt/2zNKzWs

I need to connect Router A to Router C. I was thinking about building a tunnel to them but none of them have public ip addresses. It is worth a note that I do not have access to Router edge A and router edge B. Is there any way I can connect them?



Different router id in vrf not working in BGP..what am I missing?

Hi Guys,

I am trying to set up L3VPN in my network. The requirement is that I have multiple OSPF processes with different router IDs.

While my BGP runs with router ID 100.1.1.1, I have an OSPF core for Segment Routing that runs with router ID 100.1.1.12. I want the L3VPN traffic to use the SR path.

I am trying to specify the router ID under the VRF as 100.1.1.12 so that the remote PE sees that routes are coming from neighbor 100.1.1.12 instead of 100.1.1.1, and then uses the OSPF path for 100.1.1.12 to route traffic in the SR core. But it doesn't seem to work, as VPNv4 routes are being learnt from 100.1.1.1 instead.

What am I doing wrong? Do VPNv4 routes always use the global router ID instead of the VRF one? Is there any other solution to this?

RP/0/RP0/CPU0:R101-PE1#sh run router bgp 4134 vrf SR_1
router bgp 4134
 vrf SR_1
  rd 4134:4067
  bgp router-id 100.1.1.12
  label mode per-vrf
  address-family ipv4 unicast
   label mode per-vrf
   redistribute connected
  !
  address-family ipv6 unicast
   label mode per-vrf
   redistribute connected
  !
 !
!

RP/0/RP0/CPU0:R101-PE1#show bgp vpnv4 unicast vrf SR_1
BGP router identifier 100.1.1.1, local AS number 4134
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0x0   RD version: 0
BGP main routing table version 127898
BGP NSR Initial initsync version 1216 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP scan interval 60 secs
Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 4134:4067 (default for vrf SR_1)
*> 103.1.67.40/30     0.0.0.0                  0         32768 ?
*>i103.2.67.44/30     100.2.1.1                0    100      0 ?
* i                   100.2.1.1                0    100      0 ?

Processed 2 prefixes, 3 paths


Can anyone recommend a coax/cable level service ISP in Melbourne, FL?

I am in the market for a coax/cable quality business Internet connection for an office located in Melbourne, FL. I am hoping to get about 150Mbps download and 10Mbps upload or better at around the $200-$300 price point. Normally I just google these things or go with Charter/Comcast/Cox but I am having no luck going that route with these. If anyone has any recommendations I would greatly appreciate it.



routed port connected to a trunk port

We have a 6814 w/ a routed port that is connected to a 3650 with a trunk port, and all works well.

Configs:

6814:

int x/y
 ip address x.y.z.2 255.255.255.0

3650:

int x/y
 switchport mode trunk

int vlan 1

ip address x.y.z.7 255.255.255.0 

From what I understand, this should work (and does) by default as vlan 1 is untagged. However when we try to put in a 3850 with same config/parameters, the link comes up but no traffic goes across. I'm going to have them try to add native vlan 1 to the port, but vlan 1 should be untagged by default, correct?



Bulk cat5e cable quality

I am finally almost out of my 1000' box of network cable. Looking on eBay I've noticed a range of pricing for bulk 1000' cat5e cable from $35 USD to $130. Is there a difference in quality between them? Why the price difference?



DDoS protection for 2 ISPs?

Would it be necessary to apply DDoS services to two instances from separate ISPs? One is a fiber line and the other is RJ45. My customer, I believe, is using the latter as a failover.

Thanks!



Is there any way that a Windows Active Directory/LDAP/Domain Controller (separate from a router) could share QoS information with Windows machines that would cause the machines to throttle themselves under network load - without any specific configuration done on the Windows machines?

I am on a network where there is a Windows Domain Controller that handles DNS and a Cisco router (Cisco ASA 5506) that does routing. On this network there are all types of clients: Windows, Mac, Linux, phones, tablets, etc.

A claim has been made that the Domain Controller is communicating with all the Windows machines on the network to handle QoS when the network is under load (people taking up a lot of bandwidth). No special configuration has been done to these Windows machines, as far as I know they aren't getting any Group Policy configuration from anywhere and don't have any special networking configuration.

Is it possible that the Domain Controller or any other LDAP protocol would be sharing QoS information with just the Windows machines that would cause the Windows machines to throttle themselves when the network is under load?



Any recommendations for a 802.11ac solution that won't break the bank?

Got a single pc in a weird part of the office so I don't think I need a whole access point. Doing some searching on Amazon revealed a ton of usb dongle adapters from no-name companies that quite obviously bought their reviews (fakespot scans).

What do you use for your own stuff? I just need it to have high throughput for a wireless connection and it needs to be cost effective. Thanks



MTU issue to server with two NICs

Dear Networkers, I have a strange problem. Our server team has a VM on Hyper-V with two NICs, each in a separate subnet. One NIC has a gateway and the other only has a route to the 192.168.0.0/16 subnet. The problem is that working on this device (Linux) is broken: listing a larger amount of data breaks the connection, or the connection hangs somewhere. When changing the MTU to 1400 everything seems to be normal. I did some pings with size 1500 and everything seems to be fine. Our offices are connected with MPLS from a provider; one last office without MPLS seems to be working correctly. What am I missing here? Only these servers with two NICs have problems. Thank you for any help provided.



NX-OS Radius

I am new to NX-OS. I need to add our Cisco MDS 9148s to allow RADIUS login.

The commands look very similar to Cisco IOS. After initial configuration I can ping to and from the server, but I am still not able to log in. Doing a little research I saw a mention of CFS distribution, but I am not sure if it is needed or not.

currently cfs distribution is not enabled.

my current config:

HQ-MDS-1(config)# radius-server host 10.1.1.1 key password
HQ-MDS-1(config)# radius-server host 10.1.1.1 auth-port 1645
HQ-MDS-1(config)# radius-server host 10.1.1.1 acct-port 1646
HQ-MDS-1(config)# radius-server host 10.1.1.1 accounting
HQ-MDS-1(config)# radius-server host 10.1.1.1 key 0 password
HQ-MDS-1(config)# radius-server host 10.1.1.1 key 7 password
HQ-MDS-1(config)# do sh radius-server
retransmission count:1
timeout value:5
deadtime value:0
total number of servers:1

following RADIUS servers are configured:
        10.1.1.1:
                available for authentication on port:1645
                available for accounting on port:1646
                RADIUS shared secret:********

HQ-MDS-1# ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
64 bytes from 10.1.1.1: icmp_seq=1 ttl=127 time=0.878 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=127 time=0.246 ms
64 bytes from 10.1.1.1: icmp_seq=3 ttl=127 time=0.213 ms
64 bytes from 10.1.1.1: icmp_seq=4 ttl=127 time=0.235 ms
64 bytes from 10.1.1.1: icmp_seq=5 ttl=127 time=0.213 ms



Found a serious bug in a HPE Office Connect 1820



Access switch that can handle MSTP and 20 VLANs?

I have a need to provide access switches at the edge of our network that are 8 to 24 port but aren't "data center loud". We've been using cheap "web managed" HP ProCurve switches, but the entire ProCurve line seems to now be some sort of sub-brand of Aruba?? or something on HP's site, and more problematically, they don't support enough VLANs or MSTP, so if they ever get into the wrong place, they break spanning tree.

For reference, all our core is Blade / IBM / Lenovo System Networking G8000, G8052 etc. switches, which are perfect in that they're reliable, cheap on eBay, and support lots of VLANs and MSTP. However, they're way too loud to be in offices, and are all 40+ ports.

I'm not loving HP Procurve (especially as I have no idea what the new name is) as much recently, mostly due to lack of "complicated" VLAN and MSTP features, so I'm trying to work out what I might replace it with. Any suggestions?

I've posted this to /r/sysadmin and gotten Ubiquiti and MikroTik, neither of which show MSTP support in their documentation, and at least for MikroTik it looks somewhat complicated for trunking VLANs also.

Given that I may be looking for a Unicorn here - would it be "safe" to just not have the edge switches handle MSTP and have our policy to not daisy chain them? This is what we've been doing with the HPs but it seemed like it would be best to standardize on MSTP on all switches as an end goal - but if it's not possible I need to know if the current model is a reasonable backup plan.

We cannot get away from 8-24 port switches at the edge to connect multiple computers or instruments over one cable back to the core. I.e. we can't run new cables to core switches.

Slightly OT - is there some reasonable direct replacement from anyone, including HP to the 1800-8G Procurves?



NEED HELP!

Can anybody please tell me how I can direct a specific program only to go through a VPN connection while maintaining a direct "unprotected" connection for all the other Windows 10 programs? I have read some articles that talk about split-tunneling. Is split tunneling the solution to my problem?

ANY HELP/GUIDANCE WOULD BE GREATLY APPRECIATED!!



Are there any influential books Network Engineers should read that are non-technical?

We get caught up in reading mountains of highly technical texts which tell us how to configure this and that. But are there any non-technical books you believe Juniors and Seniors alike would benefit from?



Options for a Single Sign-On service that would integrate Active Directory with a corporate Gmail account?

What is some software that would let me implement a single sign on, that would be used for a corporate gmail account that would integrate with the Active Directory and Sophos UTM VPN setup? This is for a small business that will be purchasing office space and hiring employees this spring. The owner of the business plans on hosting AD at the company office space. In addition, what redundancy options would be possible if the AD Domain Controller at their office goes down?

In addition, if this isn't the best subreddit for this post, what is a good subreddit?



How do you go about discerning device uptime within Meraki?

I've been looking all over and it appears there is currently no way to see the uptime of a device in Meraki. I get that a lot of people like Meraki for cookie cutter deployments and ease of use, but this is just fucking absurd. When a site goes down, one of the first things I want to figure out is if it is a power issue or an ISP issue. (Yes, UPSs is important, but that doesn't excuse the fact that it's ridiculous that you can't see something as simple as device uptime)

In the course of trying to research if it was possible, I found questions on cisco forums from 2+ years ago asking the same thing. The response? Open a ticket and click "make a wish" button....

Clearly Cisco has no interest in adding this feature, or they would have over the past few years, so I'm curious how other people who use Meraki figure out how long the device has been up, or other ways of ruling out a device crash.



Company wants a new core

So my company wants a new core for a remote office with about 900 people, they want me to use a pair of Nexus 3048 as the office core. I have worked with the Nexus line before and I am leery on using a top of the rack switch as an office core so I am asking for second opinions. Am I being paranoid or could this work and be stable for a site that does manufacturing work - thus the need for a lot of connections to our order/supplies database.



Fiber connectivity help

Disclaimer: I'm not a network engineer or a sysadmin but I'm the person in charge of it as well as my normal job at my company. This is a smallish business (50 people).

I'm trying to fix/update the network I've inherited (which is a mess). My current task is to run fiber from our downstairs network closet to our upstairs server closet (about 125 feet). Currently these are daisy chained together. I'd like to run 10g currently but of course leave room for upgrade. Based on my research, I was planning on running the following: MTP-12 MPO/MTP Cassette, 12-144 Fibers OS2 Single Mode 12 Strands MTP Trunk Cables, 30m give or take.

So is it really that simple? Get a pair of cassettes, slap them in a tray, buy the requisite amount of trunk cable, and plug it in? Is there anything missing I should be thinking about or am I completely missing anything else?

Thanks.



What exactly is throughput?

A user asked about the difference between data rate and throughput, and an answer was:

Bit rate refers to the number of bits per second that the physical medium can transfer. Throughput usually means how many bytes per second of useful data can be transferred through the link.

Does "useful data" mean payload?

My textbook says:

If you got a hub with three interfaces, each 100 Mbps of capacity, and two of them are trying to transmit 100 Mbps to the third, then the third would receive 200 Mbps, which is not possible. So the two hosts connected to the first two interfaces will have an effective data rate of 50 Mbps each.

For me, these 50 Mbps are not "useful" data. They're just data. The amount of data that is actually being transmitted.

Is my textbook wrong? If so, which concept would you use to describe these 50 Mbps?

Is there a difference between throughput and effective data rate? This article differentiates between the two. Though I've seen many times throughput = effective data rate.

Another definition of throughput:

Network throughput is the rate of successful message delivery over a communication channel.

Does that mean that if each packet has to be transmitted twice because of some failure, then the throughput would decrease?

Which concept would be "rate of (either successful or unsuccessful) message delivery over a communication channel"?



Downsizing level of network devices based on total users?

I’m looking into cost savings / efficiency improvements for a network I manage and I’m looking to get opinions from people that aren’t trying to sell me things. We’re a Cisco environment (that won’t change).

In an environment serving less than 1000 personnel, we utilize ASR1004s, 4506s, and 6509s for boundary & distribution. Remote access and VTC, VOIP are eventualities but still don’t permit this level of overkill I think. We do have a firewall controlling NAT and will also control remote access when implemented, so losing the ASR wouldn’t do much of anything.

MGMT is considering “the cloud” (naturally), so I’d like to get trunk links at 10G, which would mean I could easily do this by throwing a bunch of 3850s in L3 in place of the routing gear, but I’d like to get other suggestions as well.

Thanks!



ACL on interface not showing enough hits

I have a Cisco WS-C4506-E that my PC is connected directly to on port Gi2/24. On that interface, I put ip access-group tqos in. That access list has a specific permit for my pc, and a permit ip any any. For some reason, I barely see any hits on the ACL, despite throwing hundreds of packets per second at it. Can anyone explain why? I was hoping to use this to verify dscp tagging, but that won't work if it doesn't register hits properly.


Important Config

NLSW10#sh run int gig 2/24
Building configuration...

Current configuration : 408 bytes
!
interface GigabitEthernet2/24
 description END-USER
 switchport access vlan 110
 switchport mode access
 switchport voice vlan 41
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security aging time 3
 switchport port-security
 ip access-group tqos in
 ip access-group tqos out
 spanning-tree portfast
end

NLSW10#sh ip access-lists tqos
Extended IP access list tqos
    10 permit ip host 172.20.110.66 any dscp af41 log
    100 permit ip any any log (138 matches)

Mostly Full Config

Current configuration : 55370 bytes
!
version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service compress-config
!
hostname NLSW10
!
boot-start-marker
boot system flash bootflash:cat4500e-universalk9.SPA.03.06.03.E.152-2.E3.bin
boot-end-marker
!
vrf definition mgmtVrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging event trunk-status global
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CET recurring last Sat Mar 2:00 last Sat Oct 3:00
hw-module uplink select tengigabitethernet
!
no ip routing
!
ip vrf Liin-vrf
!
no ip domain-lookup
!
power redundancy-mode redundant
archive
 path bootflash:config-backup-
!
spanning-tree mode mst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
spanning-tree mst configuration
 name SPANS01
 revision 1
 instance 1 vlan 1-4094
!
vlan internal allocation policy ascending
!
ip tftp source-interface FastEthernet1
!
class-map match-all AutoQos-4.0-Scavenger-Classify
 match access-group name AutoQos-4.0-ACL-Scavenger
class-map match-all AutoQos-4.0-Signaling-Classify
 match access-group name AutoQos-4.0-ACL-Signaling
class-map match-any AutoQos-4.0-Priority-Queue
 match cos 5
 match dscp ef
 match dscp cs5
 match dscp cs4
class-map match-all AutoQos-4.0-VoIP-Data-Cos
 match cos 5
class-map match-any AutoQos-4.0-Multimedia-Stream-Queue
 match dscp af31
 match dscp af32
 match dscp af33
class-map match-all AutoQos-4.0-VoIP-Signal-Cos
 match cos 3
class-map match-any AutoQos-4.0-Multimedia-Conf-Queue
 match cos 4
 match dscp af41
 match dscp af42
 match dscp af43
 match access-group name AutoQos-4.0-ACL-Multimedia-Conf
class-map match-all AutoQos-4.0-Default-Classify
 match access-group name AutoQos-4.0-ACL-Default
class-map match-any AutoQos-4.0-Bulk-Data-Queue
 match cos 1
 match dscp af11
 match dscp af12
 match dscp af13
 match access-group name AutoQos-4.0-ACL-Bulk-Data
class-map match-all AutoQos-4.0-Transaction-Classify
 match access-group name AutoQos-4.0-ACL-Transactional-Data
class-map match-any AutoQos-4.0-Scavenger-Queue
 match dscp cs1
 match cos 1
 match access-group name AutoQos-4.0-ACL-Scavenger
class-map match-any AutoQos-4.0-Control-Mgmt-Queue
 match cos 3
 match dscp cs7
 match dscp cs6
 match dscp cs3
 match dscp cs2
 match access-group name AutoQos-4.0-ACL-Signaling
class-map match-all AutoQos-4.0-Bulk-Data-Classify
 match access-group name AutoQos-4.0-ACL-Bulk-Data
class-map match-any AutoQos-4.0-Trans-Data-Queue
 match cos 2
 match dscp af21
 match dscp af22
 match dscp af23
 match access-group name AutoQos-4.0-ACL-Transactional-Data
class-map match-any AutoQos-4.0-VoIP-Data
 match dscp ef
 match cos 5
class-map match-all AutoQos-4.0-Multimedia-Conf-Classify
 match access-group name AutoQos-4.0-ACL-Multimedia-Conf
class-map match-any AutoQos-4.0-VoIP-Signal
 match dscp cs3
 match cos 3
!
policy-map AutoQos-4.0-Output-Policy
 class AutoQos-4.0-Scavenger-Queue
  bandwidth remaining percent 1
 class AutoQos-4.0-Priority-Queue
  priority
  police cir percent 30 bc 33 ms
 class AutoQos-4.0-Control-Mgmt-Queue
  bandwidth remaining percent 10
 class AutoQos-4.0-Multimedia-Conf-Queue
  bandwidth remaining percent 10
 class AutoQos-4.0-Multimedia-Stream-Queue
  bandwidth remaining percent 10
 class AutoQos-4.0-Trans-Data-Queue
  bandwidth remaining percent 10
  dbl
 class AutoQos-4.0-Bulk-Data-Queue
  bandwidth remaining percent 4
  dbl
 class class-default
  bandwidth remaining percent 25
  dbl
policy-map AutoQos-4.0-Cisco-Phone-Input-Policy
 class AutoQos-4.0-VoIP-Data-Cos
  set dscp ef
  police cir 128000 bc 8000
   exceed-action set-dscp-transmit cs1
   exceed-action set-cos-transmit 1
 class AutoQos-4.0-VoIP-Signal-Cos
  set dscp cs3
  police cir 32000 bc 8000
   exceed-action set-dscp-transmit cs1
   exceed-action set-cos-transmit 1
 class class-default
  set dscp default
  set cos 0
!
interface Port-channel1
 description UPLINK CORESWITCH
 switchport
 switchport trunk native vlan 999
 switchport mode trunk
 storm-control broadcast level 20.00
!
interface FastEthernet1
 vrf forwarding mgmtVrf
 ip address 172.16.1.110 255.255.0.0
 no ip route-cache
 speed auto
 duplex auto
!
interface TenGigabitEthernet1/1
 description MER5-CORE1 Eth1/27 uplink
 switchport trunk native vlan 999
 switchport mode trunk
 flowcontrol receive off
 storm-control broadcast level 20.00
 channel-group 1 mode active
!
interface TenGigabitEthernet1/2
 description MER6-CORE2 Eth1/27 uplink
 switchport trunk native vlan 999
 switchport mode trunk
 flowcontrol receive off
 storm-control broadcast level 20.00
 channel-group 1 mode active
!
interface GigabitEthernet1/3
 shutdown
!
interface GigabitEthernet1/4
 shutdown
!
interface GigabitEthernet1/5
 shutdown
!
interface GigabitEthernet1/6
 shutdown
!
interface GigabitEthernet2/1 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/2 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/3 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/4 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/5 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! 
interface GigabitEthernet2/6 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/7 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/8 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/9 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/10 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! 
interface GigabitEthernet2/11 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/12 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/13 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/14 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/15 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! 
interface GigabitEthernet2/16 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/17 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/18 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/19 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/20 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! 
interface GigabitEthernet2/21 description END USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/22 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/23 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/24 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security ip access-group tqos in ip access-group tqos out spanning-tree portfast ! interface GigabitEthernet2/25 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! 
interface GigabitEthernet2/26 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/27 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/28 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/29 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/30 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! 
interface GigabitEthernet2/31 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/32 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/33 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/34 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/35 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! 
interface GigabitEthernet2/36 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/37 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/38 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/39 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/40 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! 
interface GigabitEthernet2/41 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/42 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/43 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/44 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/45 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! 
interface GigabitEthernet2/46 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/47 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface GigabitEthernet2/48 description END-USER switchport access vlan 110 switchport mode access switchport voice vlan 41 switchport port-security maximum 3 switchport port-security maximum 2 vlan access switchport port-security maximum 1 vlan voice switchport port-security aging time 3 switchport port-security spanning-tree portfast ! interface Vlan1 no ip address no ip route-cache shutdown ! interface Vlan18 description CISCO_MANAGEMENT ip address 172.20.18.110 255.255.255.0 no ip route-cache ! ip default-gateway 172.20.18.254 ip forward-protocol nd no ip http server no ip http secure-server ! ip access-list standard SNMPpoller permit 172.25.220.230 permit 172.16.8.126 permit 172.16.8.98 deny any log ip access-list standard sqos deny any ! 
ip access-list extended AutoQos-4.0-ACL-Bulk-Data permit tcp any any eq ftp permit tcp any any eq ftp-data permit tcp any any eq 22 permit tcp any any eq smtp permit tcp any any eq 465 permit tcp any any eq 143 permit tcp any any eq 993 permit tcp any any eq pop3 permit tcp any any eq 995 permit tcp any any eq 1914 ip access-list extended AutoQos-4.0-ACL-Default permit ip any any ip access-list extended AutoQos-4.0-ACL-Multimedia-Conf permit udp any any range 16384 32767 ip access-list extended AutoQos-4.0-ACL-Scavenger permit tcp any any eq 1214 permit udp any any eq 1214 permit tcp any any range 2300 2400 permit udp any any range 2300 2400 permit tcp any any eq 3689 permit udp any any eq 3689 permit tcp any any range 6881 6999 permit tcp any any eq 11999 permit tcp any any range 28800 29100 ip access-list extended AutoQos-4.0-ACL-Signaling permit tcp any any range 2000 2002 permit tcp any any range 5060 5061 permit udp any any range 5060 5061 ip access-list extended AutoQos-4.0-ACL-Transactional-Data permit tcp any any eq 443 permit tcp any any eq 1521 permit udp any any eq 1521 permit tcp any any eq 1526 permit udp any any eq 1526 permit tcp any any eq 1575 permit udp any any eq 1575 permit tcp any any eq 1630 permit udp any any eq 1630 ip access-list extended tqos permit ip host 172.20.110.66 any dscp af41 log permit ip any any log ! logging trap warnings logging source-interface Vlan18 logging host 172.25.152.27 logging host 10.211.1.241 ! ! ! ! 
line con 0 stopbits 1 line vty 0 4 exec-timeout 0 0 authorization commands 1 VTY authorization commands 15 VTY authorization exec VTY accounting commands 1 VTY accounting commands 15 VTY login authentication VTY length 0 transport input ssh transport output ssh line vty 5 15 exec-timeout 0 0 authorization commands 1 VTY authorization commands 15 VTY authorization exec VTY accounting commands 1 VTY accounting commands 15 VTY login authentication VTY length 0 transport input ssh transport output ssh line vty 16 transport input ssh transport output ssh ! ntp source Vlan18 ntp server 172.20.18.252 ntp server 172.20.18.253 end
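As an added example that is not part of the original post: a small Python script that evaluates the post's two tqos ACEs in software over raw IPv4 packets (for instance bytes read from a capture taken on the PC), so the DSCP af41 marking from 172.20.110.66 can be verified independently of the switch's hit counters. The sample packets and the second host address 172.20.110.67 are constructed.

```python
"""Evaluate the post's 'tqos' ACL in software over raw IPv4 packets.
Added example, not code from the original post: feed it the IPv4 packets
seen on the PC (e.g. bytes read from a capture) and it reports per-ACE
hits, so DSCP marking can be checked independently of the switch's hit
counters. The sample packets below are constructed.
"""
import ipaddress
import struct
from collections import Counter

# DSCP code points -> the per-hop-behaviour names IOS prints in the config
DSCP_NAMES = {0: "default", 8: "cs1", 10: "af11", 12: "af12", 14: "af13",
              16: "cs2", 18: "af21", 20: "af22", 22: "af23",
              24: "cs3", 26: "af31", 28: "af32", 30: "af33",
              32: "cs4", 34: "af41", 36: "af42", 38: "af43",
              40: "cs5", 46: "ef", 48: "cs6", 56: "cs7"}
DSCP_VALUES = {name: value for value, name in DSCP_NAMES.items()}

# The two ACEs of the post's ACL: (text, source host or None, dscp or None)
TQOS_ACL = [
    ("permit ip host 172.20.110.66 any dscp af41 log", "172.20.110.66", "af41"),
    ("permit ip any any log", None, None),
]


def parse_ipv4(pkt: bytes):
    """Return (src, dst, dscp_name) from a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    tos, src, dst = struct.unpack("!xB10x4s4s", pkt[:20])
    dscp = tos >> 2                       # DSCP is the upper six bits of TOS
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            DSCP_NAMES.get(dscp, f"dscp{dscp}"))


def match_ace(ace, src, dscp):
    """True when the packet matches this ACE (source host and DSCP)."""
    _text, ace_src, ace_dscp = ace
    return (ace_src is None or ace_src == src) and \
           (ace_dscp is None or ace_dscp == dscp)


def count_hits(packets):
    """First-match evaluation like an IOS ACL; returns hits per ACE text."""
    hits = Counter({ace[0]: 0 for ace in TQOS_ACL})
    for pkt in packets:
        src, _dst, dscp = parse_ipv4(pkt)
        for ace in TQOS_ACL:
            if match_ace(ace, src, dscp):
                hits[ace[0]] += 1
                break                     # later ACEs are not evaluated
    return hits


def build_ipv4(src, dst, dscp_name, payload=b""):
    """Constructed minimal IPv4 header (proto UDP, checksum left at 0)."""
    tos = DSCP_VALUES[dscp_name] << 2
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0,
                      64, 17, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


# Constructed samples: 172.20.110.67 is a made-up second host on VLAN 110
SAMPLE_PACKETS = [
    build_ipv4("172.20.110.66", "172.20.18.110", "af41"),     # PC, marked
    build_ipv4("172.20.110.66", "172.20.18.110", "af41"),
    build_ipv4("172.20.110.66", "172.20.18.110", "default"),  # PC, unmarked
    build_ipv4("172.20.110.67", "172.20.18.110", "af41"),     # other host
]

if __name__ == "__main__":
    for ace_text, n in count_hits(SAMPLE_PACKETS).items():
        print(f"{n:4d} matches  {ace_text}")
```

Run against real captured packets, a non-zero count on the first ACE confirms the PC's traffic arrives marked af41, whatever the switch's TCAM counters show.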