Saturday, December 9, 2017

New Construction: Ethernet Cable Stapled to Studs?

Apologies if this is not the right place, but I figured it was worth an ask.

I have a low voltage electrician who just roughed in a bunch of cat6 cables in a new condo. When I went to check it, most of the cables were stapled to the studs as they were routed around the unit. I saw they had used regular staples to attach the cable along its route.

I was concerned because the staples appear to have pinched the cable at several points, and I told the contractor as much. Personally I would never allow a cable to be pinched.

He first tried to assure me that they were insulated staples, so any pinching was fine. I told him they did not look insulated, and he replied that the regular staples were probably just fine since cat6 is sturdier. I'm no pro electrician, but I feel like I am being given a smoke show. Can you guys reassure me that the cable is probably not compromised? I feel like doing a speed/integrity test once the ends are terminated will be too late.



Can I connect two CAT-5 cables together by twisting the corresponding wires and wrapping them in electrical tape?

I don't have an RJ45 female-female connector and I don't have any longer cables. The electrical tape connections would not be moved or messed with later on. Soldering is an option if needed.



Cisco Firepower FTD Transparent Bridge mode question

We're replacing an old Tipping Point transparent/bridge IPS. It has legs that sit in-line between our external firewall and LAN core, our WAN gateway and LAN core, and the DMZ and external firewall. It's for layered security.

We're looking at FTD (specifically 2100 series) as a replacement for this old unit, but I'm really confused about the behavior in Transparent/bridge mode.

The documentation says:

The BVI does not support traffic on secondary networks; only traffic on the same network as the BVI IP address is supported.

What exactly does it mean by secondary networks?

The diagram Figure 1 on page 2 of this document might help explain where I'm confused.

In our network, Network A is a /29 subnet with only two hosts: the core and firewall interfaces. Would traffic from Network B (or any of our access subnets/VLANs) routed to the external firewall/internet be inspected or supported?



Maximum spanning-tree instances on Force10 Dell (FTOS) switches

Anyone have a link to the specs or know the maximum spanning-tree instances the Force10 [FTOS] switches can run (specifically a 4810 and S55)?

Thanks!



Best practice for where to block/allow ports with DNAT/Firewall

I have a Comcast business connection with a /29 block and a Ubiquiti EdgeRouter.

I need to forward some ports (same ports for each server) to a few internal servers, and each server has its own public Static IP.

I seem to have two options:

  1. DNAT only the specific ports I need (and also allow only those ports through the firewall), or
  2. I can DNAT all ports for each IP address and just block everything except those ports on the firewall.

What is the best practice here? From a management perspective, DNATing everything is easier, as I can create a port group and I then need just one DNAT rule and one firewall rule per IP, whereas (at least with the EdgeRouter) I would otherwise need a separate DNAT rule for each port or port range.

But are there performance or security reasons not to DNAT everything and just block at the firewall? I know on the EdgeRouter that DNAT happens before the firewall, so I assume DNATing everything gives a slight performance hit, but is it enough to matter?

Thanks!



Which route to go with small business computer desktop access?

I am working on setting up a small office with computers for 4 employees. I want to implement a system where any employee can login on any computer, and access their windows account. I want to be able to have an admin account that can remotely access and control any of their accounts as well as set permissions. What would be the best route to go to fulfill these needs?



BGP configuration gotchas

I've taken over a small ISP with its own ASN and have taken it from being single-homed to multi-homed. I get what BGP is basically but missed a few important details for actually using it at the start.

One is that the "generic" case on our BGP software is actually IPv4 only and there is a completely separate section for IPv6 for almost every single setting. Based on what I've seen, I think this varies based on the router software and some explicitly call out IPv4 in their configuration.

Another is that changing a route-map requires explicitly issuing an outbound soft reset for it to take effect even though the router delays applying changes until they are explicitly committed. We aren't using Cisco, but the outbound soft reset came up in Cisco related documentation and I thought that was worth trying. I don't know if this is generally true to all routers.

Is the information about Cisco and BGP generally applicable enough that I should try some sort of Cisco course to pick up these sorts of details? Where else should I go to find out what I don't know about using BGP on a day to day basis?

If you have any personal tips to share that would also be appreciated.



Issues with switch (beginner)

So I am helping my wife with a business and there is prewired Cat6 throughout. The server closet is the culmination of this, with a hardwired switch whose outlets are labeled with the corresponding outlet designations, i.e. a4, e3 and so forth. We have a 48-link switch that I am to install to distribute the signal through the building. The switch definitely works; I have tested it and have hooked them up before.

However, when I hook into the wall, no signal goes through. I know that the last tenants definitely had internet in these jacks. Is this thing supposed to be powered like the switch? What would your steps be to troubleshoot? I am an idiot and sincerely appreciate any help.

Thank you



SANS SEC560 Network Penetration Testing and Ethical Hacking 2017

http://ift.tt/2AOXCpO



Hi guys quick networking questions.

I wanted to port forward a few ports. On my older routers I just put in the IP, start, end, protocol. On my Motorola modem/router combo it has...

  Local IP Address / Start Port / End Port

  External (Internet) IP Address / Start Port / End Port

  Protocol / Description

Do I just use 192.168.1.200 for both internal and external? Or do I leave the external stuff blank, or do I put in my actual IP?

Thanks guys in advance!



strange L2 issue on port-channel/ESXi

Replaced an ESXi server and plugged the patch cables in the same manner. vmnic0-3 are on a port-channel, and using CDP I verified they are in the correct ports on the switch. The port-channel comes up and I can ping the ESXi host from a different VLAN. I CANNOT ping the host from other ESXi hosts on the SAME VLAN. The problem host can only ping the gateway, nothing else on the VLAN.

Any ideas?? ESXi and port-channel config (which never changed) are correct.



Internet speed is 6% of what it should be

My ISP says we should have 8 Mbps down and 1 Mbps up.

When I go to fast.com (any device in the house) it reports speeds varying from 300Kbps-700Kbps.

I'm not sure what all this info means but here's a screenshot from my LEDE router's page:

Status: UP
Line State: showtime_tc_sync [0x801]
Line Mode: G.992.1 (ADSL)
Annex: A
Profile:
Data Rate: 8.096 Mb/s / 448 Kb/s
Max. Attainable Data Rate (ATTNDR): 8.912 Mb/s / 1.200 Mb/s
Latency: 8.0 ms / 8.0 ms
Line Attenuation (LATN): 32.3 dB / 19 dB
Signal Attenuation (SATN): 32.1 dB / 19 dB
Noise Margin (SNR): 11.7 dB / 29 dB
Aggregate Transmit Power(ACTATP): 19.9 dB / 12.3 dB
Forward Error Correction Seconds (FECS): 15647 / 224
Errored seconds (ES): 20 / 0
Severely Errored Seconds (SES): 3 / 0
Loss of Signal Seconds (LOSS): 3 / 0
Unavailable Seconds (UAS): 400 / 400
Header Error Code Errors (HEC): 291 / 1
Non Pre-emtive CRC errors (CRC_P): undefined / undefined
Pre-emtive CRC errors (CRCP_P): undefined / undefined
Line Uptime: 17d 9h 3m 43s
ATU-C System Vendor ID: Broadcom 163.167
Power Management Mode: L0 - Synchronized


STP and clients

Hello folks at networking. So far, thank you to everybody who has answered previous questions and helped. As you can guess, this one is regarding STP.

Now:

  1. Between two networks, each with its own root bridge, would you keep STP running at the point of intersection or just do "no spanning-tree"?

  2. Apart from using STP, how do you automatically maintain redundancy between three or more interconnected switches?

  3. What kind of incompatibility have you seen with Cisco and other devices and their STP?

  4. Is STP very important? Yes, yes it is.

  5. If STP isn't used (no spanning-tree) at an intersection point between two switches of two networks, how would root or loop guard work? Or do they work regardless?

The reason I ask is because we peer with a lot of people, some directly to routers and some to switches, and we find that peering with routers is the best, but that is usually 1 in 10. A different switch means a different network and a different kind of problem. Do you use any standard set of commands that go on every port, i.e. root guard, keepalive, MAC access group, storm control?

Thanks, Niamul



SonicWALL Slow SSL VPN.. even on new fiber internet connection.

Have a TZ600 and using NetExtender to connect remotely to office. Purpose is to access the file server. Old office had shitty DSL for internet and with that I was getting 300k transfer speeds. New office has 100MB up/down direct fiber and with that I'm getting 700K-1.5MB transfer speeds. I understand SSL is slow.. but damn.. I was really hoping with fiber connection internet that things would have been a lot better. Any thoughts?



Book Recommendations

Hi all! A friend gave me a book, Computer Networks (Third Edition) by Tanenbaum. I wanted to learn more and understand networking better. This book was written back in 1997; is it still relevant today? Or should I look for its latest edition? Also, do you have any more book recommendations?

Thanks!



VPN Decryption?

I am using NordVPN as my preferred client while browsing.. umm.. educational websites. I recently downloaded Fiddler 4 and ran it alongside my VPN client just for the fun of it. I found that even after my machine is connected to the client, Fiddler still picks up the websites I'm visiting and displays the URLs, which in my opinion, is concerning. Shouldn't VPN be encrypting my traffic? Is there something I'm missing?

I have HTTPS decryption enabled in my Fiddler client, I don't know if that helps answering this question.



Ports/Devices not picking up VLAN on Aruba switch

I am stumped at the moment and I feel like I'm missing something, especially since we have similar switch configs at other sites. Devices on untagged ports aren't picking up a connection. I'm going to post some of the relevant info.

Running configuration:

; hpStack_WB Configuration Editor; Created on release #WB.16.04.0008
; Ver #11:01.9b.3f.b3.b8.ee.34.79.3c.29.eb.9f.fc.f3.ff.37.ef:55
stacking
   member 1 type "J9728A" mac-address 1c98ec-7f6d00
   member 1 priority 255
   member 2 type "J9729A" mac-address 70106f-fc7c40
   exit
hostname "NER-CORE"
time timezone -360
ip route 0.0.0.0 0.0.0.0 10.38.254.254
ip routing
snmp-server community "public" unrestricted
oobm
   ip address dhcp-bootp
   member 1
      ip address dhcp-bootp
      exit
   member 2
      ip address dhcp-bootp
      exit
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1/1-1/48,1/A1-1/A2,1/B1-1/B2,2/1-2/48,2/A1-2/A2
   ip address dhcp-bootp
   exit
vlan 2
   name "vlan2.servers"
   untagged 2/2-2/3
   tagged 1/A1-1/A2,1/B1-1/B2,2/4,2/47,2/A1-2/A2
   ip address 10.38.1.1 255.255.255.0
   exit
vlan 5
   name "vlan5.voice"
   untagged 1/47,2/1,2/37
   tagged 1/1-1/46,1/48,1/A1-1/A2,1/B1-1/B2,2/4-2/30,2/46-2/47,2/A1-2/A2
   ip address 10.38.5.1 255.255.255.0
   ip helper-address 10.38.1.252
   voice
   exit
vlan 31
   name "vlan31.security"
   untagged 2/31-2/36
   tagged 1/A1-1/A2,1/B1-1/B2,2/4,2/47,2/A1-2/A2
   ip address 10.38.31.1 255.255.255.0
   exit
vlan 32
   name "vlan32.wireless.management"
   untagged 2/38-2/45
   tagged 1/A1-1/A2,1/B1-1/B2,2/4,2/47,2/A1-2/A2
   ip address 10.38.32.1 255.255.255.0
   ip helper-address 10.38.1.252
   exit

The two untagged ports in VLAN 2 work and the servers in it are reachable. However, none of the untagged ports in other VLANs work. A voice server in VLAN 5 with a static IP does not have a network connection, and neither do any of the cameras with static IPs in VLAN 31 or the Cisco APs that use DHCP in VLAN 32.

Clients on switches at the other side of the 10G ports seem to have a connection. It's like everything directly attached except for the two ports on VLAN 2 are not working.

Much thanks for any help!
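A membership check over the VLAN section of the config posted above, as an added example (not the poster's or the switch vendor's code): it parses the ProCurve/ArubaOS-Switch `vlan` / `untagged` / `tagged` / `no untagged` stanzas, expands port ranges, and lists the ports that belong to no VLAN untagged. That is normal for tagged uplinks, but an end device on such a port (here, for instance, 1/1-1/46, which appear only as tagged members of VLAN 5) has no untagged VLAN to land in. The embedded config text is the VLAN part of the posted running-config.

```python
import re
from collections import defaultdict

# VLAN stanzas copied from the posted running-config (the rest is not needed here).
ARUBA_CONFIG = """
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1/1-1/48,1/A1-1/A2,1/B1-1/B2,2/1-2/48,2/A1-2/A2
   ip address dhcp-bootp
   exit
vlan 2
   name "vlan2.servers"
   untagged 2/2-2/3
   tagged 1/A1-1/A2,1/B1-1/B2,2/4,2/47,2/A1-2/A2
   ip address 10.38.1.1 255.255.255.0
   exit
vlan 5
   name "vlan5.voice"
   untagged 1/47,2/1,2/37
   tagged 1/1-1/46,1/48,1/A1-1/A2,1/B1-1/B2,2/4-2/30,2/46-2/47,2/A1-2/A2
   ip address 10.38.5.1 255.255.255.0
   ip helper-address 10.38.1.252
   voice
   exit
vlan 31
   name "vlan31.security"
   untagged 2/31-2/36
   tagged 1/A1-1/A2,1/B1-1/B2,2/4,2/47,2/A1-2/A2
   ip address 10.38.31.1 255.255.255.0
   exit
vlan 32
   name "vlan32.wireless.management"
   untagged 2/38-2/45
   tagged 1/A1-1/A2,1/B1-1/B2,2/4,2/47,2/A1-2/A2
   ip address 10.38.32.1 255.255.255.0
   ip helper-address 10.38.1.252
   exit
"""

# Stacked port names look like "1/1", "2/48", "1/A1": member / optional letter prefix / number.
PORT_RE = re.compile(r"^(\d+)/([A-Z]*)(\d+)$")


def expand_ports(spec):
    """Expand '1/1-1/3,2/A1-2/A2,2/47' into ['1/1','1/2','1/3','2/A1','2/A2','2/47']."""
    ports = []
    for item in spec.split(","):
        if "-" in item:
            lo, hi = item.split("-", 1)
            m1, m2 = PORT_RE.match(lo), PORT_RE.match(hi)
            # A range must stay within one member and one port group (e.g. 1/A1-1/A2).
            if not (m1 and m2) or m1.group(1, 2) != m2.group(1, 2):
                raise ValueError(f"unsupported port range: {item}")
            member, prefix = m1.group(1), m1.group(2)
            for n in range(int(m1.group(3)), int(m2.group(3)) + 1):
                ports.append(f"{member}/{prefix}{n}")
        else:
            if not PORT_RE.match(item):
                raise ValueError(f"unsupported port: {item}")
            ports.append(item)
    return ports


def parse_vlan_membership(config):
    """Return {port: {'untagged': vlan_id or None, 'tagged': set(vlan_ids)}} from the vlan stanzas."""
    ports = defaultdict(lambda: {"untagged": None, "tagged": set()})
    vlan = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("vlan "):
            vlan = int(line.split()[1])
        elif line == "exit":
            vlan = None
        elif vlan is not None and line.startswith("untagged "):
            for p in expand_ports(line.split(None, 1)[1]):
                ports[p]["untagged"] = vlan
        elif vlan is not None and line.startswith("tagged "):
            for p in expand_ports(line.split(None, 1)[1]):
                ports[p]["tagged"].add(vlan)
        elif vlan is not None and line.startswith("no untagged "):
            # Ports removed from the default VLAN: record them so ports with no membership show up.
            for p in expand_ports(line.split(None, 2)[2]):
                _ = ports[p]
    return dict(ports)


def ports_without_untagged_vlan(config):
    """Ports present in the config that are untagged in no VLAN (fine for trunks, bad for end devices)."""
    return sorted(p for p, m in parse_vlan_membership(config).items() if m["untagged"] is None)


if __name__ == "__main__":
    membership = parse_vlan_membership(ARUBA_CONFIG)
    for port in ports_without_untagged_vlan(ARUBA_CONFIG):
        print(f"{port}: no untagged VLAN, tagged in {sorted(membership[port]['tagged']) or 'none'}")
```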



Friday, December 8, 2017

Big amount of data transferring with slow data rate between DC (10G)

Hi guys, I'm wondering about a situation with throughput between two data centers. The infrastructure looks like below:

server1 -(1G)- SW2 -(10G)- SW1 -----20 kilometers DWDM----- SW1 -(10G)- SW2 -(1G)- server2

When I'm testing throughput between the servers with iperf TCP/UDP I can achieve a pretty good amount of data per second, but when I try to copy files via rcp or scp, for example, it sucks. Our sys tech team has recently complained that they couldn't copy a backup from one server to another, and they have created a ticket. How can I prove that everything is OK with the network, or where should I look for the problem?

iperf -c 10.131.2.132 -u -b 200M -l 64 -t 10 -P 5
------------------------------------------------------------
Client connecting to 10.131.2.132, UDP port 5001
Sending 64 byte datagrams
UDP buffer size: 122 KByte (default)
------------------------------------------------------------
[  5] local 10.131.2.131 port 50497 connected with 10.131.2.132 port 5001
[  7] local 10.131.2.131 port 46880 connected with 10.131.2.132 port 5001
[  6] local 10.131.2.131 port 33046 connected with 10.131.2.132 port 5001
[  4] local 10.131.2.131 port 54935 connected with 10.131.2.132 port 5001
[  3] local 10.131.2.131 port 37081 connected with 10.131.2.132 port 5001
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-10.0 sec  64.1 MBytes  53.8 Mbits/sec
[  5] Sent 1050199 datagrams
[  7]  0.0-10.0 sec  64.1 MBytes  53.8 Mbits/sec
[  7] Sent 1050190 datagrams
[  6]  0.0-10.0 sec  65.5 MBytes  54.9 Mbits/sec
[  6] Sent 1072385 datagrams
[  4]  0.0-10.0 sec  63.4 MBytes  53.2 Mbits/sec
[  4] Sent 1038869 datagrams
[  3]  0.0-10.0 sec  65.0 MBytes  54.5 Mbits/sec
[  3] Sent 1064935 datagrams
[SUM]  0.0-10.0 sec   322 MBytes   270 Mbits/sec
[  4] Server Report:
[  4]  0.0-10.0 sec  29.2 MBytes  24.5 Mbits/sec   0.011 ms 560153/1038868 (54%)
[  4]  0.0-10.0 sec  54 datagrams received out-of-order
[  7] Server Report:
[  7]  0.0-10.0 sec  29.8 MBytes  25.0 Mbits/sec   0.210 ms 562634/1050189 (54%)
[  7]  0.0-10.0 sec  9 datagrams received out-of-order
[  6] Server Report:
[  6]  0.0-10.0 sec  30.5 MBytes  25.6 Mbits/sec   0.230 ms 572333/1072384 (53%)
[  6]  0.0-10.0 sec  1 datagrams received out-of-order
[  5] Server Report:
[  5]  0.0-10.0 sec  30.1 MBytes  25.2 Mbits/sec   0.171 ms 557419/1050198 (53%)
[  5]  0.0-10.0 sec  1 datagrams received out-of-order
[  3] Server Report:
[  3]  0.0-10.2 sec  30.2 MBytes  24.7 Mbits/sec  15.355 ms 570181/1064842 (54%)
[  3]  0.0-10.2 sec  1 datagrams received out-of-order

iperf -c 10.131.2.132
------------------------------------------------------------
Client connecting to 10.131.2.132, TCP port 5001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[  3] local 10.131.2.131 port 32911 connected with 10.131.2.132 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  1.09 GBytes   938 Mbits/sec

rcp 10.131.2.132:/mnt/test5gb ~/
test5gb                 100% 5120MB  13.5MB/s   06:18

scp 10.131.2.132:/home/users/user/test256mb ~/
test256mb               100%  256MB  28.4MB/s   00:09


Mode: Transport vs Tunnel. GRE w/IPsec.

So the setup is a GRE tunnel protected by IPsec using ESP. Under the IPsec transform-set is where I can set the mode to either transport or tunnel. While testing both modes and capturing traffic via Wireshark, I didn't see any difference. I tested by pinging from R1's loopback to R2's loopback.

I thought I understood the general theory and that Tunnel mode was more secure. Also, they say that the Tunnel mode adds at least an additional 20 bytes to the packets, but I didn't see a difference there either.

What am I missing here?
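A header-stack model of GRE over IPsec ESP in the two modes, as an added example (not from the post, and not Cisco's own numbers): it assumes IPv4 headers without options (20 bytes), GRE without checksum/key/sequence (4 bytes), and an ESP transform with AES-CBC (16-byte IV, 16-byte block padding) and HMAC-SHA1-96 (12-byte ICV). It shows that the extra delivery header of tunnel mode is 20 bytes before padding, but on the wire the ESP trailer padding turns that into a 16- or 32-byte difference depending on the inner packet size, and that in both modes the inner packet is inside the encrypted part.

```python
"""Size model for GRE over IPsec ESP, transport vs tunnel mode (assumed header sizes below)."""

IPV4_HDR = 20      # IPv4 header without options
GRE_HDR = 4        # GRE with no checksum/key/sequence fields
ESP_SPI_SEQ = 8    # ESP header: SPI (4) + sequence number (4)
ESP_IV = 16        # AES-CBC IV
ESP_BLOCK = 16     # AES-CBC cipher block: pad boundary for the encrypted part
ESP_ICV = 12       # HMAC-SHA1-96 integrity check value


def esp_padded_len(plaintext_len, block=ESP_BLOCK):
    """Plaintext + pad + pad-length byte + next-header byte, rounded up to a cipher block (RFC 4303 2.4)."""
    with_trailer = plaintext_len + 2
    return with_trailer + (-with_trailer) % block


def gre_ipsec_stack(mode, inner_packet_len):
    """Ordered [(field, bytes), ...] for one GRE-over-IPsec packet carrying an inner IP packet.

    transport: outer IP | ESP hdr | IV | [GRE | inner IP pkt | pad+trailer] | ICV
    tunnel:    new outer IP | ESP hdr | IV | [GRE delivery IP | GRE | inner IP pkt | pad+trailer] | ICV
    Brackets mark the encrypted part; the ICV covers everything from the ESP header on.
    """
    if mode == "transport":
        # ESP protects the GRE payload of the existing delivery header.
        protected = GRE_HDR + inner_packet_len
        stack = [("outer IP (GRE delivery header, reused)", IPV4_HDR)]
    elif mode == "tunnel":
        # ESP wraps the whole GRE delivery packet and adds a new outer IP header.
        protected = IPV4_HDR + GRE_HDR + inner_packet_len
        stack = [("new outer IP (crypto peers)", IPV4_HDR)]
    else:
        raise ValueError(f"unknown IPsec mode: {mode}")
    stack += [("ESP SPI+seq", ESP_SPI_SEQ), ("ESP IV", ESP_IV)]
    if mode == "tunnel":
        stack.append(("encrypted: GRE delivery IP", IPV4_HDR))
    stack += [
        ("encrypted: GRE", GRE_HDR),
        ("encrypted: inner IP packet", inner_packet_len),
        ("encrypted: pad + pad-len + next-header", esp_padded_len(protected) - protected),
        ("ESP ICV", ESP_ICV),
    ]
    return stack


def wire_len(mode, inner_packet_len):
    """Total bytes on the physical interface for one packet in the given mode."""
    return sum(n for _, n in gre_ipsec_stack(mode, inner_packet_len))


def tunnel_overhead_vs_transport(inner_packet_len):
    """Extra wire bytes of tunnel mode over transport mode for this inner packet (16 or 32, never 20)."""
    return wire_len("tunnel", inner_packet_len) - wire_len("transport", inner_packet_len)


if __name__ == "__main__":
    # A 100-byte inner IP packet is the IOS default ping size (20 IP + 8 ICMP + 72 data).
    for mode in ("transport", "tunnel"):
        print(f"{mode}: {wire_len(mode, 100)} bytes on the wire")
        for field, size in gre_ipsec_stack(mode, 100):
            print(f"  {size:4d}  {field}")
    print("difference:", tunnel_overhead_vs_transport(100))
```

A capture taken on the GRE tunnel interface sees the packet before ESP is applied, so both modes look identical there; compare captures on the physical interface and read the negotiated mode from `show crypto ipsec sa` (its `in use settings` line says Tunnel or Transport), because IOS uses tunnel mode when the GRE endpoints are not the crypto peers even if the transform set says transport.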



What's your attitude towards IoT stuff in your house?

I know this isn't enterprise-related, but there's a lot of people around here on the front lines of network security. I thought I'd ask, particularly with Christmas coming up.

Are you ok with port-forwarding at home for all the little gizmos available these days, like Nest thermometers, doorbells, lights, TVs, etc.? Do you set up a separate VLAN for them?

Personally, I don't trust the various manufacturers to make secure products and don't port forward anything, but sometimes it would be a nice-to-have. I also sometimes think about maybe getting a separate internet connection just for that stuff.

Mods: Delete if you think this is inappropriate for the sub.



Ruckus working PoE+ switch

Hi All,

My company has recently decided to move from an SMB WiFi solution to an enterprise one.

We've got a Ruckus R720 Unleashed from our reseller to test it out. I'm struggling to get it working properly in 802.3at mode. I have already read everything around and made sure LLDP is enabled and PoE mode is set to AT on the access point. Tried a Zyxel GS1900, then a Cisco SG300, but none of them seem to be able to provide power over MDI. Do you have any suggestions for a working switch, not Brocade if possible because it is out of budget?

Many thanks in advance



WLC 5508 Clients dropping when someone RDP's to them

We are using a WLC 5508 with 3602 APs, and when a client is on the corporate WiFi and someone tries to RDP to that wireless client, the wireless client gets kicked off the WiFi. We lose ping to them altogether and we have to manually put them back onto the network.

Our WLAN profile is pushed out through GPO and we do not broadcast our SSID.

Anybody have any ideas on how to troubleshoot this?

TIA



Dynamic Vlans (802.1x) in a routed campus. Sanity check.

I've been working on moving my (inherited) L2 campus to vrf-lite over the past year while deploying 802.1x at the same time. I had an idea that sounds good to me, but I'd like a sanity check on process.

Essentially I have several buildings that do L3 between them, with several segregated entities occupying all buildings concurrently. I've implemented 802.1x wired on all the switching, and I'd like to move to dynamic VLANing. I have users that move between entity areas or even buildings all the time, and I'd love to be able to lock them into the right VRF dynamically and not need to worry about notifying IS for network moves.

So, it seems like my cisco switching will allow me to tag dynamic vlans based on the vlan name, not just the vlan id. As I'm not managing the AD/NPS infra, I'd like to keep that side of things simple for that group... just 1 policy per entity.

My plan is to just keep the same VLAN name in different areas but keep the subnets and VLAN IDs different, and just let NPS assign them their VLAN based on name. I feel like I'm not describing this well... here's the crux:

Bldg 1
  entity 1: vrf bacon    vlan 10  name bacon    192.168.1.0/24
  entity 2: vrf cheddar  vlan 11  name cheddar  192.168.2.0/24
  entity 3: vrf ham      vlan 12  name ham      192.168.3.0/24

Bldg 2
  entity 1: vrf bacon    vlan 20  name bacon    192.168.4.0/24
  entity 2: vrf cheddar  vlan 21  name cheddar  192.168.5.0/24
  entity 3: vrf ham      vlan 22  name ham      192.168.6.0/24



Test pool member connectivity from F5?

Had an incident recently where a pool member was blocking https (port 8443). The VIP was up, but obviously we couldn't access the services on the server via that port.

Is there any way I could have checked connectivity from the F5 directly to the pool member on a specific port? You know how it is, the first finger-pointing is at the network, then the load balancer, because it's always comms and never wintel.

It would be good for future reference to have a way to directly pinpoint the server as being at fault (no direct access to servers for the network team, unfortunately).



Cisco Firepower Threat Defense 6.1 video tutorials

http://ift.tt/2BiLajc



What do you use for router/switch AAA ?

Our shop is Cisco wired, Aruba wireless. We have CPPM, but only using it for 802.1x atm.

Currently, all Cisco equipment is local; I'd like to transition to TACACS+, ideally. Recommendations? Is this something for which I should be leveraging CPPM, or do I go NPS/ACS on a Windows box? Any thoughts on tacacs.net?

Thanks!



Cisco 2500 - Issues visiting govt. website that requires cert

I have a user trying to access a govt. site that required him to install some special cert. He's able to access the site now on our wired network without issue, but our wireless network is behind a Cisco 2500 Series Wireless Network Controller. When we try to access the site on WiFi the site is unreachable (I get "can't reach this page" errors).
I suspect it is something to do with the security/certificate settings on the Cisco WLC, but my knowledge of these things is fairly limited.
Does anybody have any input as to what could be causing this? Also, here is a screenshot of some policy config I saw in the Cisco WLC about policy and certs. We're mostly a Fortinet shop, so Cisco products and terminology are very new to me. Any help is much appreciated!



Help me convince owner to virtualize

http://ift.tt/2A7SSbP

Trouble with VPN/network instability, various ideas, please have a look if you can

Hi, I have various ideas and questions about trying to resolve an important issue with our setup at the moment.

We are attempting to create a scenario where a script automatically selects an IP from an ovpn list of IPs, feeds it to openvpn gui, and then connects us so we can use the Internet.

We are performing this using a master machine that controls a number of virtual slave machines, powered by server hardware (excuse my lack of terminology). Our setup seems to work fine at first on new builds, but the stability of connectivity seems to decrease quickly over time for some reason. Sometimes we visibly see our network connection has dropped, and it reconnects almost immediately. This network instability seems to be affecting the rest of our system and making it break.

First thoughts:

  • The home router we are using is struggling due to the workload. I don't know if this is a possibility at all. If it is, how should we approach testing it? We have run the system on just a lone machine, or 2 machines, reducing the workload, but still having the issue.

  • We are on Windows 8, and have changed the Interface Metric in the adapter setting to 10

  • We haven't tried a different vpn other than OpenVPN Gui and addresses from HMA. We are using this combo because openvpn lets us pick which vpns/lists we want to use, whereas just using HMA doesn't let you. Therefore, we are wondering if the vpn addresses we are using may be unstable, and/or if openvpn is unstable. Are either of these a possibility? I'm thinking that we should just email them and ask.

  • Due to the fact that we are automating the connection procedure, we have encountered some bugs with Windows 8, or from somewhere. As OpenVPN allows a max of 50 files in its config folder, and we use more VPN lists than that, we are using a script to move things in and out of the slave/virtual machines' folders to control them. Apparently we need to elevate permissions to allow this to happen, and the fix is to open the Windows Network and Sharing Centre window. We just open it and it works. We got this fix off the internet and nobody there knew why it worked at the time, but it increases our initial connectivity rate. Manually connecting OpenVPN doesn't require this or seem to produce this issue. This issue is possibly unrelated to the ongoing connection stability issue, which is the main problem.

  • When we get successive/many network connection failures, it seems like it gives up altogether. We restore the problem host machine from a backup and it resolves for a while.

  • We are wondering if there is a system setting or ovpn setting that will help us fix or further tamper with these connection and stability issues. Is there something we could have a look into that you're aware of? Is there a workaround to having to elevate Windows permissions constantly by opening the Sharing Centre?

  • We are going to look at SoftEther vpn to see if using this instead of Openvpn will help, however we must find out if we can control it using command line so that we can incorporate it into our system

  • Computer clocks are OK I think and not dying/resetting

  • Again, could it be our home router that is causing any sort of issue related to being overloaded, overworked, anything? I don't think we are overworking it during most of our tests - we're just picking out a vpn from our list, connecting to it, and if it fails then we will pick out another one. Could a home router still get overloaded after a period from this?

Thank you so much for reading; any advice or direction whatsoever is appreciated immensely, including direction to a better or more appropriate place, reddit or otherwise, or even person - we would love to chat on Skype or something with someone bored who could help - to get this instability issue sorted.



I am a new tech at an MSP with no experience. My boss has dumped a huge (to me) Juniper project in my lap to be done by Monday at noon. Can anyone please help? I have no idea what I'm doing.

I didn't lie in my interview or anything. I have next to no networking experience, and I'm happy to learn by diving in, I'm just getting worried about the deadline. I know for someone who knows what they're doing this is pretty trivial, but figuring out which IPs to plug in is mostly where I'm getting hung up. I don't understand the protocols well enough, I guess.

The overview is that we have 11 SRX300 firewalls that need to be set up in a full mesh (due to outdated software the boxes behind the firewalls are using).

A list of things I need to do:

Set up interface 0 as WAN - done/easiest thing in the world

Set up destination NAT/port forwarding - I don't really know if I'm setting this up correctly. I also don't know how to test this in a lab environment. I have a list of ports that need to be set up, but I don't know how to tell if traffic is properly being forwarded through. How do I send traffic to, say, interface one, and know that it was forwarded properly? Also, I have more than eight ports that need to be forwarded, but the limit is eight. Do I just set up another ruleset for the extra ones?

Set up GRE tunnels between all the SRXs - so far I've gotten this configured between two and it's working fine. However, is there any way to...nest(?) tunnels under one gr-0/0/0 interface, or do I have to create a big list of them - e.g. gr-0/0/1, gr-0/0/2, etc. - and set static routes for all 10 of them?

Set interfaces 1-5 onto one VLAN that gets the port forwarded traffic - okay, so this one I don't know if I've set it up correctly. I have created a VLAN and stuck interfaces into it, but I don't know if I'm setting up the IRB part correctly. And then I'm wondering how the GRE tunnels will work. I had them set up before the VLAN was a requirement, so it was easy to plug in IPs and get them talking. Will I just reference the VLAN instead of IPs?

Also, unless I'm missing something - do the interfaces inside the VLANs get their own IPs, or does the VLAN treat it as though they were all (for example) 192.168.1.1? I don't see a step in any of the VLAN configuration tutorials where I set IPs for the interfaces I put into the VLAN.



30 iPads on a single hotspot?

http://ift.tt/2jc0lU4

How can I stop a static IP assignment from a user?

I work in a school district. While I was out, a student assigned their personal device, connected to our network port, the default gateway IP of the VLAN. This caused a lot of problems as there was now an IP conflict.

How can I prevent this from happening? We have used ClearPass for MAC auth on some of our campuses with Aruba edge, but I did not like it. It always seemed buggy. Currently we are rolling out Extreme Networks to our entire network and we have no authentication rules for the port. Essentially a student could plug into any Ethernet port and get an IP with whatever device they have. Is there a way to block users on the edge from assigning themselves a certain static IP? Maybe an ACL? I am by no means an expert!

Thanks



Interning at my local ISP?

Hey /r/networking, I'm currently in my sophomore year of my CIS networking degree. I need an internship to graduate, so I've been looking around in preparation for my junior year. The city I live in and commute from has a local ISP. They probably serve a few thousand users. Would they even be a good company to intern for? For those who work at ISPs, do you guys even take interns? If you do, what should I talk about when inquiring about it? I've never really applied for a job, let alone an internship. Thanks



Redirection based only on port

Hello,

I need some advice for a setup. We have one device A connected to a router and we need it to send 443 TCP requests to a destination B in another subnet as well as 80 TCP requests to destination C in again another subnet. The problem is that on the device A we can only use one destination IP, the filtering must be done only based on ports used.

Is this possible? With what kind of hardware?

I saw this post that would maybe correspond to our needs: http://ift.tt/2skPbQ9

Thanks a lot in advance!



Small business router? Upgrading from Cisco RV220W

We're looking at a new router for the office (digital agency). Currently we're using a Cisco RV220W which has started acting up. So we're looking for an upgrade.

The office and current setup:

RV220W

24 port switch

1 AP in the conference room

15 employees, each person has 2-3 devices.

100/100 connection.

We don't really have an advanced setup. We don't even VPN or anything. Two VLANs. We might upgrade to a 1 gbit connection in the future. The team is unlikely to grow by more than one or two people in the next few years. We really just want the internet to work.. and avoid dealing with it.

I've been looking at the Ubiquiti EdgeRouter Pro, Cisco 5506-X and the Cisco Meraki MX65.. but I feel like I'm just guessing. That's the kind of price range we'd be comfortable with though. I'm a product designer but I guess I'm the closest guy we have to an IT-guy. Would appreciate any insight from you guys!



Cisco 11500 - How does it work?

Ok, Cisco veterans, I've been tasked with going through the stacks and finding devices that aren't being used. I came across a pair of Cisco 11500s. They're linked to each other, and the CE router, but nothing else. I assume they should be linked like this:

(Web Server) -> (11500) -> (CE Router)

and not

(Web Server) -> (CE Router) <- (11500)

Anyone confirm?



Small VLAN question

So a client of ours is in a shared building, we receive dmz internet from their internal IT department. They use a shared printer with all other departments there.

Long story short, our firewall has 3 interfaces: 1 WAN (the DMZ), 1 LAN (internal use for my client), 1 LAN with the printer connected to it.

I plug everything in, add the routes and try to ping the printer. No go. Just to be sure, I give my laptop a static IP address (the same one my firewall had previously) and I can ping the printer. I start troubleshooting but can't really find the reason why this is not working. I called the other IT guy and he said yes, you need to add a VLAN to your interface for it to work. I was sceptical as to why, since my laptop with a static IP and no VLAN configured could just ping the printer without any hassle, with the same cable my firewall was using, so I would think it was untagged.

Anyone who can point me in the right direction to why?



How are SIP numbers routed at & between Telephony Service Providers

My googlfu has been failing me, and I'd really appreciate it if someone could point me in the right direction.

How are numbers for SIP really routed? And what I mean by this is, how is it learnt that 01234567890@mytelcom.com belongs to my telephony provider? If I am calling from Verizon UK, how do they know where to send that call?

I feel like I've missed the boat here a little as I worked at an ISP for a while, that was a SIP provider, & never took enough interest in it other than "we send the calls to Gamma, or BT's IP Exchange". But surely there are tables or similar that are updated that allow resolution of a number to a domain? I really don't know. And I do have recollections of problems with calls from specific providers, such as Vodafone, and reaching our lines sometimes; as in you can call from all providers except Vodafone. This was always something that was passed up to the upstream SP such as Gamma and BT to resolve. My understanding of the resolution was always that this was not an outage, or fault as such, more a mismanagement by someone in the chain.

If someone can point me at some recommended reading, or give a simple overview that would be appreciated.



Fortinet SSLVPN accessing two networks

Good Morning - I currently have a Fortinet in our office configured with SSLVPN access. Users are able to remote in and hit the desired internal network (192.168.81.0). We have added some additional services in a datacenter and have an IPSEC VPN tunnel between the office and datacenter configured, so when you are on the 81 network you can also access the 192.168.71.0 network. Internally this is seamless. Externally, I need to be able to add access to the datacenter network (71.0) on the SSLVPN and cannot for the life of me figure it out. If I create roles similar to the office's internal network (81), they don't work. In the end, once connected to the SSLVPN I need to be able to reach both the 71 and 81 networks. Can anyone point me in a direction?

Thank you!



Any NGFW for ~150 clients location

Hi

Our Sonicwall PRO2040 spits out nice traffic logs with dst/src IP, amount of rx/tx data, gets urls from http (host + arg), protocol etc to our logging infrastructure (graylog) through syslog protocol.

The regulations require us to log ALL of our internet traffic (in case of some abuse etc). Also the device is getting older and older; it's not inspecting encrypted traffic, so we can't block https traffic by host name. We also need to log https traffic too; right now we have only IP and port, and checking the IP in whois is a bit painful and just not enough.

Can anyone suggest some device with ssl inspection, able to block and log https (spdy? http/2?) traffic with amount of rx/tx data (optional) and syslog support?

Currently we're contemplating FortiGate 50E, can someone confirm it has features we're looking for?



Permanent connection between 20 buildings and a central server in remote location

Hello,

We have 20 buildings where we have a local HVAC installation. This installation needs to be reachable via a central server in another location. Every building has an internet modem installed about which I don't know the details. I don't know what subscription is attached to it etc., and I assume it has a dynamic IP.

My idea was to make a Site2Site VPN connection from every building to the remote server so the server can reach each installation locally. At the moment, there is no firewall or router in place in every building so I need to come up with a solution.

My idea was to buy an Ubiquiti EdgeRouter Lite X for every building and set up an S2S connection to the remote location. Are there any better solutions available? What should I pay attention to? Could I have a problem with the dynamic IP assigned?



3D network diagrams

I'd like to create 3D network diagrams. Are there any programs or software that help me to do that?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



IPv6 DHCP-pd flood!

Question: Know of an easy way to limit PD requests per client in IOS?

A client device flipped out and did thousands of DHCP-PD requests. It filled our static ipv6 routing table on a switch... OSPFv3 was OK as we aggregate on /44 for layer3 switches.

The routing table on the 2960XR had ~4k /56s routing to the same link local address:

S 2607:FFFF:D151:D400::/56 [1/0] via FE80::52C7:BFFF:FE1D:D0F9, Vlan252
S 2607:FFFF:D151:D500::/56 [1/0] via FE80::52C7:BFFF:FE1D:D0F9, Vlan252
S 2607:FFFF:D151:D600::/56 [1/0] via FE80::52C7:BFFF:FE1D:D0F9, Vlan252
... etc ...

Workaround: we blocked IPv6 for the one client, but want a better solution in place for the next TP-LINK router that blows up.

Only perk: made a really nice graph in our TCAM monitoring! sh platform tcam utilization is a great thing to graph. :)



Thursday, December 7, 2017

What are some sites that are similar to this subreddit and hacker news? Networking related.

I am interested in knowing if there are sites like this subreddit that you frequent. Sites that cover networking topics, current events, thoughts and concerns about the industry. Something like Hacker News?



Can't do this in VIRL

I extracted the vIOS images from my VIRL installation and threw them into EVE-NG on a baremetal ESXI server.

Currently have 90 vIOS routers running in one topology using 15 GB of RAM.

90 ROUTERS!!!

Memory consumption -- 15 GB

Sounds like a shill, but man, EVE-NG is the bee's knees. 10/10



QOS in multi-tenant facility recommendations

Situation: Building with ~80 tenants running on 100/100 fiber from Windstream. It hands off directly to a switch; tenants supply their own routers in suite and are then assigned one of our public IPs (/25). A new tenant works with HD video and is saturating the link uploading and downloading things to and from clients, causing everyone else to lose access. Called up Windstream (lol) to see if they could do any traffic shaping on their Cisco 3925 ISR; answer NO, they recommended we get a second circuit and sign up for their SDWAN service. Which doesn't even begin to make sense for this problem.

The easiest solution I can see is to put a box in between the tenants and the Windstream ISR and limit everyone to 25mbps up and down.

I am fairly sure I can accomplish this with a Sonicwall, but I want the opinion of the hive mind here because I have limited experience in multi-tenancy deployments.

Ultimately the client will need to upgrade its circuit, but that takes 6-18 months with Windstream, and this is a problem now.

TL;DR: What should I use for QoS in a multi-tenant building?



A (somewhat obsessive) deep-dive into methods of finding unused ports on Cisco switches, using only native IOS commands

tldr: scroll to bottom

It all started so innocently. I just wanted an unused port on a Cisco switch that was fully patched-in. I knew for sure most ports hadn't seen traffic in (potentially) years, but it was very possible some are still in use (but not currently online).

I found that the last output value in show interface output is what I'm after.

(Why not Last input? Turns out, that value is not incremented on L2 interfaces, or when CEF is enabled!) source1 source2

Let's get started:

sh int | i (line protocol|output never)

Interfaces directly preceding a Last input... line have never seen traffic since last counter reset. E.g.:

FastEthernet0/24 is down, line protocol is down (notconnect)
Last input never, output never, output hang never

If that command does not return at least one Last input... line, try this:

sh int | i (line protocol|Last input)

This may be hard to visually parse, however. It includes all interfaces, regardless of status, and their last input time.

Can we make our lives any easier?

sh int | i (line protocol|output [0-9]+[ywd])

This shows all interfaces, regardless of status, but then only lines with last output greater than 1 day.

This is because the output format follows 00:00:00 (HH:MM:SS) for timestamps less than 1 day. It follows y/w/d format thereafter (e.g., 34w4d)

Example output:

FastEthernet0/15 is administratively down, line protocol is down (disabled)
Last input never, output 47w1d, output hang never
FastEthernet0/16 is up, line protocol is up (connected)
FastEthernet0/17 is down, line protocol is down (notconnect)
Last input never, output 34w6d, output hang never
FastEthernet0/18 is down, line protocol is down (notconnect)
Last input never, output 8w6d, output hang never
FastEthernet0/19 is down, line protocol is down (notconnect)
Last input never, output 6w4d, output hang never
FastEthernet0/20 is down, line protocol is down (notconnect)
Last input never, output 6w4d, output hang never
FastEthernet0/21 is down, line protocol is down (notconnect)
Last input never, output 34w6d, output hang never
FastEthernet0/22 is up, line protocol is up (connected)
FastEthernet0/23 is down, line protocol is down (notconnect)
Last input never, output 34w6d, output hang never
FastEthernet0/24 is down, line protocol is down (notconnect)
FastEthernet0/25 is up, line protocol is up (connected)
FastEthernet0/26 is up, line protocol is up (connected)
FastEthernet0/27 is up, line protocol is up (connected)

This indeed makes it easier to see which interfaces might be unused.

Can we combine both into a one-liner?

sh int | i (line protocol|output never|output [0-9]+[ywd])

Example output:

FastEthernet0/28 is administratively down, line protocol is down (disabled)
Last input never, output never, output hang never
FastEthernet0/29 is up, line protocol is up (connected)
FastEthernet0/30 is down, line protocol is down (notconnect)
FastEthernet0/31 is down, line protocol is down (notconnect)
Last input never, output 34w6d, output hang never
FastEthernet0/32 is up, line protocol is up (connected)
FastEthernet0/33 is down, line protocol is down (notconnect)
Last input never, output 28w5d, output hang never
FastEthernet0/34 is down, line protocol is down (notconnect)
Last input never, output 34w6d, output hang never
FastEthernet0/35 is down, line protocol is down (notconnect)
FastEthernet0/36 is down, line protocol is down (notconnect)
FastEthernet0/37 is down, line protocol is down (notconnect)
FastEthernet0/38 is down, line protocol is down (notconnect)
FastEthernet0/39 is down, line protocol is down (notconnect)

Sure, this works! I still like running them separately, because never-used interfaces will be easier to spot.

We can take this a step further and only find interfaces that have been inactive for longer than one day:

  • sh int | i (line protocol|output [0-9]+[y]) — At least 1 year
  • sh int | i (line protocol|output [0-9]+[yw]) — At least 1 week
  • sh int | i (line protocol|output [0-9]+[y]|output ([4-9]|[1-9][0-9])[w]) — At least 4 weeks (~1 month)
  • sh int | i (line protocol|output [0-9]+[y]|output (1[2-9]|[2-9][0-9])[w]) — At least 12 weeks (~3 months)
  • sh int | i (line protocol|output [0-9]+[y]|output (2[6-9]|[3-9][0-9])[w]) — At least 26 weeks (~6 months)

Further down the rabbit hole:

sh int | i (down|output hang)

This is easy to remember, and reasonably semantic.

I like it less than above, because it will include results from connected interfaces, which may produce confusing results. E.g.:

FastEthernet0/24 is down, line protocol is down (notconnect)
Last input never, output 20:39:49, output hang never
Last input 8w5d, output 00:00:01, output hang never
Last input never, output 00:00:01, output hang never
Last input never, output 00:00:01, output hang never
Last input never, output never, output hang never
Last input never, output 00:00:01, output hang never

Fa0/24's last output line is only the one directly below it. Subsequent lines belong to ports that are not down, and must be ignored.

Another approach:

sh int | i (down|output never)

Example output:

(output omitted)
FastEthernet0/20 is down, line protocol is down (notconnect)
FastEthernet0/21 is down, line protocol is down (notconnect)
FastEthernet0/23 is down, line protocol is down (notconnect)
FastEthernet0/24 is down, line protocol is down (notconnect)
FastEthernet0/28 is administratively down, line protocol is down (disabled)
Last input never, output never, output hang never
FastEthernet0/30 is down, line protocol is down (notconnect)
FastEthernet0/31 is down, line protocol is down (notconnect)
FastEthernet0/33 is down, line protocol is down (notconnect)
FastEthernet0/34 is down, line protocol is down (notconnect)
(output omitted)

It's pretty easy to see Fa0/28 is a candidate!

Warning: this approach assumes that connected interfaces will never match output never

Depending on your environment, this may not be a safe assumption! Although it seems unlikely, it's possible a connected interface has output never. If this happens, you can't rely on the above output, because it's possible adjacent lines do not belong to the same interface.

Let's look at the converse to really illustrate the risk:

sh int | i (connected|output never)

Example output:

FastEthernet0/27 is up, line protocol is up (connected)
Last input never, output never, output hang never

Huh? Fa0/27 is connected, but has NEVER sent a frame? Very unlikely (unless I just reset counters for that int, which I didn't)

Switch# sh int f0/27
FastEthernet0/27 is up, line protocol is up (connected)
(omitted output)
Last input never, output 00:00:00, output hang never
(omitted output)

Yeah, that's what I thought. So what happened?

The Last input never, output never, output hang never line came after FastEthernet0/27, but actually belonged to a different connected interface.

Bottom line: Only one expression in parentheses can be conditional. If both are conditional, you run the (admittedly small) risk of getting unreliable output. In sh int | i (connected|output never), the term connected will not necessarily return results for every interface, and the same is true for output never. We cannot guarantee adjacent output lines belong to the same interface.

As long as at least one expression is unconditional (i.e., returns results for every interface), we get 100% reliable results.

Put another way: Native IOS offers no 100% reliable way to show only interfaces which are both down, and have not seen traffic recently.

Pulling it all together

When I need an available port on a switch:

  1. sh int | i (down|output never) — Interfaces directly preceding any Last input... lines are almost certainly* ports that are not in use. If you receive no Last input... line in the output, all ports have been used at some point since the last counter reset.
  2. sh int | i (down|output [0-9]+[y]|output (1[2-9]|[2-9][0-9])[w]) — Interfaces directly preceding any Last input... lines have not seen use for at least 12 weeks. In my case, that's good enough.
  3. If both of the above produce no Last input... lines, consider stepping down the threshold, or consider the possibility that all ports are actually in use.

* This assumes a negligible likelihood of a port being connected, yet having output never

Now I'm curious if there's a way to wrap all this into the napalm-ios module :}
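The post's bottom line is that an include-filter cannot reliably pair a "Last input" line with its interface when both regex terms are conditional. Parsing the full show interfaces output offline sidesteps that, because each "Last input" line is attached to the header that precedes it. The following is an added Python example, not code from the original post; the show interfaces sample is constructed (modelled on the lines quoted above) and the header/field layout is assumed to match the IOS output shown.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of "show interfaces" output, modelled on the lines quoted in the
# post (not a real capture). Each interface block starts with "<name> is <state>, line
# protocol is <state>" and carries a "Last input ..., output ..., output hang ..." line.
# Fa0/32 reproduces the risky case from the post: connected, yet "output never".
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/27 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0000.0c00.0001 (bia 0000.0c00.0001)
  Last input never, output 00:00:00, output hang never
  5 minute input rate 0 bits/sec, 0 packets/sec
FastEthernet0/28 is administratively down, line protocol is down (disabled)
  Hardware is Fast Ethernet, address is 0000.0c00.0002 (bia 0000.0c00.0002)
  Last input never, output never, output hang never
FastEthernet0/31 is down, line protocol is down (notconnect)
  Hardware is Fast Ethernet, address is 0000.0c00.0003 (bia 0000.0c00.0003)
  Last input never, output 34w6d, output hang never
FastEthernet0/32 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0000.0c00.0004 (bia 0000.0c00.0004)
  Last input never, output never, output hang never
FastEthernet0/33 is down, line protocol is down (notconnect)
  Hardware is Fast Ethernet, address is 0000.0c00.0005 (bia 0000.0c00.0005)
  Last input never, output 20:39:49, output hang never
FastEthernet0/34 is down, line protocol is down (notconnect)
  Hardware is Fast Ethernet, address is 0000.0c00.0006 (bia 0000.0c00.0006)
  Last input 8w5d, output 3d04h, output hang never
"""

HEADER_RE = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)")
LAST_RE = re.compile(r"^\s*Last input (\S+), output (\S+), output hang")
UPTIME_RE = re.compile(r"^(?:(\d+)y)?(?:(\d+)w)?(?:(\d+)d)?(?:(\d+)h)?$")
NEVER = float("inf")


def age_in_days(value: str) -> float:
    """Convert an IOS 'output' age field into days.

    'never' -> infinity; HH:MM:SS (under one day) -> fraction of a day;
    the y/w/d/h form used after one day (e.g. 34w6d, 3d04h, 1y2w) -> days.
    """
    if value == "never":
        return NEVER
    if ":" in value:
        hours, minutes, seconds = (int(x) for x in value.split(":"))
        return (hours * 3600 + minutes * 60 + seconds) / 86400
    match = UPTIME_RE.match(value)
    if not match or not any(match.groups()):
        raise ValueError(f"unrecognised uptime format: {value!r}")
    years, weeks, days, hours = (int(g) if g else 0 for g in match.groups())
    return years * 365 + weeks * 7 + days + hours / 24


@dataclass
class Interface:
    name: str
    admin_state: str            # "up", "down" or "administratively down"
    protocol: str               # line protocol state
    last_output: Optional[str] = None   # raw field; None if no Last input line seen

    @property
    def is_down(self) -> bool:
        return self.protocol == "down"


def parse_show_interfaces(text: str) -> List[Interface]:
    """Attach each 'Last input ... output ...' line to the header that precedes it.

    Unlike an include-filter, the pairing here never depends on which lines
    happened to survive filtering, so a connected port with 'output never'
    cannot be mistaken for the down port listed above it.
    """
    interfaces: List[Interface] = []
    for line in text.splitlines():
        hdr = HEADER_RE.match(line)
        if hdr:
            interfaces.append(Interface(hdr.group(1), hdr.group(2), hdr.group(3)))
            continue
        last = LAST_RE.match(line)
        if last and interfaces:
            interfaces[-1].last_output = last.group(2)
    return interfaces


def unused_candidates(text: str, min_idle_days: float) -> Dict[str, str]:
    """Interfaces that are down AND whose last output is at least min_idle_days
    old (or 'never'). Returns {interface name: raw last-output field}."""
    result: Dict[str, str] = {}
    for intf in parse_show_interfaces(text):
        if intf.is_down and intf.last_output is not None \
                and age_in_days(intf.last_output) >= min_idle_days:
            result[intf.name] = intf.last_output
    return result


if __name__ == "__main__":
    # Same threshold as step 2 of the post: idle for at least 12 weeks.
    for name, last in unused_candidates(SAMPLE_SHOW_INTERFACES, 12 * 7).items():
        print(f"{name}: down, last output {last}")
```

Feed it the saved output of "show interfaces" (or the output returned through napalm) instead of the constructed sample to get the list for a real switch.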



32 byte packets = drops & high latency 1500 byte packets = no drops and low latency

Cisco 2900 router on a T1

WIC was replaced at some point by AT&T sending one out and making the site replace it. Don't know about the smart jack.

We isolated our issues down to the WAN side by re-punching at the 66 block and re-terminating or re-punching every LAN jack and connector and replacing all patch cables. Plus we set up continuous pings to 15 LAN devices spread out across the facility and never dropped a packet.

Router is managed by AT&T who's been on-site twice. Tech clears the line and bolts. Fucking AT&T.

I saw this type of behavior before but, it was years ago and I don't remember what it was. It's pissing me off and I wanted to bounce it off other network people to get some ideas to go back at AT&T with.



Cisco DPC3941B (Comcast Business Gateway) Wall or Ceiling Mount Options

Not a genuine "networking" question, but I have a bunch of these gateways at various sites and find it a pain to figure out ways to mount them just so they're not in the way or being disturbed. We have no need for something super secure, but does anyone know if there's a prefab mount for attaching these to a wall, ceiling, desk, etc? A Comcast contractor informed me that they have them from time to time. Thanks!



How can I block access to Facebook using IPCop?

I put the site link in the block list but it didn't work. I have to do it on IPCop for a school project.



Let's talk SMB

So, I'm a medium sized business Jr. sysadmin who has found an interest in networking in the last few years. I've been lurking here for a while - and I've learned a little too.

What is interesting to me is the completely different attitude regarding networking from what I'm used to at work. And just the sheer size of things you folks are dealing with.
Just today there was a post describing a "non-prod lab environment, about 50 racks" while all of our prod servers fit in about five racks.
We have people talking about a 250 device network and discussing whether to use Nexus or Cat9300s as edge switches while I had just built a new 450 device network with two HP 2530Gs as cores (god I was happy I was able to source those) and flipping HP 2626 as edge switches.
We have people talking about terabit routing while our rented racks in a remote data center have a 250MB pipe.
We have people talking about getting rid of 3750Xs as edge switches because they're not supported for many years while I am constantly refurbishing, sending in and updating HP 2524s for re-use in prod as new edge switches.
We have people talking about running 40G to the edge devices because 10G is too slow while I am very happy if at least the interconnects are gigabit.
Y'all are talking about cool new things while I am happy I could successfully implement STP in the first branch.

I think you get my point by now, I'll stop complaining now.

Now I know my company is taking this to an extreme but this is just weird to me. I feel like I am the only one here not in a Fortune500 company where things like reliability, redundancy, support,... are valued highly. I am aware that most SMBs don't have dedicated network people and most general sysadmins don't frequent this sub, so SMB content isn't regular here.
Or are other SMBs just not as shit as the company I work at? Do other just not talk about it here?



Extreme Networks IPv6 inter-vlan routing

I have been testing the equipment (X460 summit) for v6-compatibility and I'm having a problem with the inter-vlan routing. Now the configuration should be right.

  1. The address space is allocated to both VLANs.

  2. The router [VLAN interfaces] has its own address (default gateway)

  3. Both vlans have the "enable ipforwarding ipv6 vlan x" command configured.

  4. Both hosts (windows PCs) have their ipv6 settings correct. (even the default gateway!)

Everything works perfectly inside a single VLAN. I can ping from host A to host B, no problem. However, when these two hosts are in different VLANs, the ping from host A (VLAN A) goes all the way through to the default gateway, i.e. the router's address on VLAN B, but it never reaches HOST B. I did a beautiful illustration of this with Paint in case the text is a bit unclear.

Also on the router side, both VLANs go tagged to the switch's port. The switch has both VLANs configured tagged on the uplink port, with VLAN_A going untagged to HOST_A and VLAN_B untagged to HOST_B. So no problem there either.

I understand it's a long shot but maybe someone has dealt with something similar. I didn't find the answer by googling so I thought I'd ask here. Thanks in advance.

e: formatting



TCP/IP solution to set up a server behind a proxy/forwarder which 'knows' their clients

Consider the following scenario in which a 'Client' connects to a 'Server' through a 'Proxy' as follows:

 203.0.113.1           198.51.100.1:7777            192.0.2.1:7777
+--------+              +-------+                  +--------+
| Client |------------->| Proxy |----------------->| Server |
+--------+              +-------+                  +--------+

As you can imagine, the 'Proxy' acts like a proxy/forwarder of any incoming connection from clients to 'Proxy' 7777 TCP port to this same port on 'Server'. As 'Proxy' is a Linux box, what I've done to get this working as described was setting 'Proxy' firewall as follows:

iptables -t nat -A PREROUTING -p tcp -d 198.51.100.1 --dport 7777 -j DNAT --to 192.0.2.1:7777
iptables -t nat -A POSTROUTING -d 192.0.2.1 -j MASQUERADE

This is essentially a NAT configuration. From a TCP/IP perspective, setting things up this way erases any footprint of the clients from the 'Server' point of view. That happens in such a way that any connection reaching 'Server' will seem to originate from 'Proxy' (a single IP address). I'm looking for a way to keep this 'Proxy' between clients and 'Server' but, from the 'Server' side and without relying on the application layer, preserve accountability of how many clients are coming through the 'Proxy'. Is this even possible? Which kind of technology/wizardry could do this?



Question about Comcast MetroE Routing

Just got a new MetroE ckt installed at my company and having trouble finding any information on the best practices with how they do their ip addressing.

The issue I have is that they gave me two usable subnets, a "WAN usable" subnet and a "customer usable" subnet. These subnets are two different ranges, where the WAN usable subnet has a gateway address already assigned to the Comcast equipment. The second subnet is a fully usable range, with no gateway assigned. I am unsure how to bridge these two networks so that the WAN gateway is the gateway for both, unless I disregard Comcast's subnet masks and use a larger inclusive mask that accommodates both ranges they gave me. I also have two exit connections that are on two different portions of my network, and while we usually prefer to bridge our customer layer 3 devices to the ISP WAN layer 3 devices using a layer 2 device, I am not sure how to route this traffic so that the second, separate usable subnet would ever route correctly to a gateway on a different subnet.

IP Range examples

1st usable - (50.223.230.176/29) ISP gateway .177, customer router .178
Second usable - (50.223.230.192/27) no assigned gateway

If anyone could help me out with this one on how I get these two networks to talk correctly using the subnet 1 gateway, it would be much appreciated.



On Cisco switches, why is robustness variable configured under ip igmp snooping, not just ip igmp?

IGMP snooping is just a process of creating a table of mac addresses that have requested multicast traffic. So why do I need to go to the igmp snooping configuration in order to configure an igmp querier timer?



Question regarding Meraki SD-WAN deployment.

I have a small Verizon MPLS that Verizon manages. We also have a layer 2 Comcast WAN for redundancy, and as a result I decided to test out Meraki SD-WAN for its PbR functionality and its "Dynamic Path Selection". After speaking a bit with Meraki it seems that the way I'm trying to deploy the solution isn't standard. Normally customers will terminate one private network (MPLS) and one public network (Internet) on the device at the remote location. In my case there is no direct internet access at our remote site and, as you can see from the crude network map I created, we are using two WAN transports.

My question is around the placement of the device at the remote location. Right now the Verizon MPLS router has a WAN interface and a LAN interface (192.168.20.1/24). That LAN interface is the default gateway of users at that location. I intend to plug the Comcast WAN handoff directly into one of the WAN ports on the Meraki and the LAN port of the Meraki into the switch on the 192.168.20.0/24 network. Now I'm a bit stumped as to what I would do with the VZ MPLS router. Do I plug its LAN port directly into the second WAN port of my MX84, essentially making that WAN port a 192.168.20.0/24 interface?

http://ift.tt/2AYDz8V

How have you guys approached this in your design?



New office design, Nexus core?

Moving offices soon and looking for opinions.

Currently have dual 6509s, some 4948s and stacks of 3750s at the access layer. All of this was done new roughly 4-5 years ago so it's not old, but given the chance to buy new (Cisco) equipment, what would you do? It would be a single building/floor, or two floors at most, with 2-300 users. Recently did a FlexPod design in our DC using 7Ks, 5Ks and UCS, but that would be overkill for an office this size. Read some opinions on 5Ks at the core, but people seem to love or hate that idea.



Curious on CMTS design

As my area is having a major Internet outage currently, I'm curious why a service provider's CMTS would deny connection to all cable modems connected to that node. Any cable ISP engineers here? Is it something like: if the CMTS loses upstream connectivity, it automatically unregisters and denies connection to all cable modems?



License Upgrade on 4500-X VSS

Hello Everyone!

Has anyone ever performed a license upgrade on a 4500-X in a VSS and would be able to share knowledge on the process? I need to upgrade from ipbase to entservices.

We have an eval entservices license on the switches that we will need to activate in order to complete some work, then install the permanent licenses once we get them at a later date.

Would anyone be able to share the steps for doing this? Is the process for activating the eval the same as installing the permanent license (break VSL, install license on primary, reboot, install license on secondary, reboot)?



Meraki - Naming VLANs. Possible? How do you manage it otherwise?

Hi all,

I've been trying out some Cisco Meraki kit (switch and AP). It all seems to work quite well. However, one thing I have noticed is that there doesn't appear to be any way to give meaningful names to VLANs anywhere in the dashboard.

e.g. On our existing HP switches, I can do a "show vlan" and it'll produce a list of all the defined VLANs on the switch, along with the names I have given them all (VOICE, IPTV, USER, NFS, etc.).

From what I can find in the dashboard, you can only really define and use VLANs by their ID. There's no nice way to identify what lives in a given VLAN. It would be nice to name them in order to reduce human error and the like, as I intend to let certain users manage port VLAN assignment who are by no means network engineers. The easier I make it for them, the less scope there is for things to go wrong.

This isn't necessarily a show-stopper, but I just find it a little bit odd that such a feature doesn't exist in there somewhere.

Would love to hear what others' experiences have been like in terms of managing VLANs on the Meraki platform.

I've done some googling, and I can't seem to find an answer, so my assumption is that it's not possible. I'll be grateful to be told otherwise!

Either way, thanks in advance.

Cheers,

Lachie.



Double NAT conundrum

I keep thinking I should be able to figure this out by sheer force of will, but I keep running into the fact that I just don't know.

Simply put, would routing traffic through a VPN (like PIA) sidestep the usual VoIP and streaming problems you get with a double NAT? Assuming that the double NAT doesn't break the VPN, that is.



Manual Layer 1 failover to second switch for single NIC device?

I've got a little question. Imagine you have a store. This store has several different devices and several different switch stacks. Imagine now that in one of these switch stacks, some very critical devices are connected, such as a cash till. This device only has one NIC, but you still want it to keep its network connection in case the switch it's connected to fails. So in its current state, if the member it's currently connected to fails for whatever reason, let's say it just dies, then we'll lose connectivity on our cash till. You step into the room where the switch stack is located and it's a mess. All the ports are full, VLANs are in no particular order, etc. It's just a mess unless the network engineer comes on site and does it him/herself.

So I want to solve this. An idea was if there's some type of smart "splitter" or such, that you place between the patch panel where the device comes in, and the switch port, that has some sort of manual failover. So you would have two stacks running. Each of these critical devices are connected to both stacks by running through this "splitter". One cable goes in (from the device > patch panel to the splitter) and two cables goes out (one to stack1, and one to stack2).

Are there any such "smart splitter panel" or whatnot that's enterprise level and somewhat "proven"?

If needed I can elaborate a bit more, but essentially what I'm trying to avoid is the actual downtime involved in having to wait however many hours the lead time would be to replace the entire switch with a cold standby. Of course, this would mean having to have double hardware as a "cold standby" that's readily available to take over in case a "switch is flipped".



Cisco Catalyst 3560 doesn't reload properly

Hi! (Sorry for bad English in advance.) May I ask you guys for some help with an issue I'm having with a switch? This beautiful piece of **** does not reload from the console; it only shuts down and then I have to unplug and replug the power cable... Does anyone have an idea why this is happening?

Thanks!



Describe the qualities of the best co-worker you've had the pleasure of working with

Everyone has worked with people from all ends of the spectrum. What are the qualities of those co-workers you really enjoyed working with or who you've unfortunately had to part ways with that you fondly remember? They could also be a customers employees/support worker or maybe just a contractor. Obvious answers are fine, but does anyone have any subtle non-obvious qualities that stand out?



Configuration works in Packet Tracer, but not on physical hardware?

Hi, me and my mate are having trouble solving an issue.

It's so basic that I'm getting so frustrated about it.

We have;

  • 1 Router

  • 2 Switches

  • 2 PC's

Here's the configuration:

Interface GigabitEthernet0/0 192.168.30.1 | 255.255.255.192

Interface GigabitEthernet0/1 192.168.1.29 | 255.255.255.128

PC1 192.168.30.30 255.255.255.192 (Default GW; 192.168.30.1)

PC2 192.168.1.29 255.255.255.128 (Default GW; 192.168.1.1)

SW1 FA 0/1 -> G 0/0 & FA 0/2 -> Client PC

SW2 FA0/1 -> G 0/1 & FA 0/2 -> Client PC

Important information;

  • There's no internet connection.

  • Router and Switches are both connected to a domain.

  • Clients are not connected to a domain.

  • PC1 can ping both G0/1 & G0/1

  • PC2 can ping both G0/1 & G0/1

  • PC's cannot ping each other (The request got timeout)



Wednesday, December 6, 2017

Just looking for possible wireless+vlan leaks.

So we are in the process of upgrading our wireless and I am debating if any other changes should be made to our existing settings, during the downtime. Just looking for any leaks.

Currently, this is what is configured using 3 SSIDS.

SSID: Staff (staff access to internal res)

  • network: bridged to a local_net_vlan, shares lan subnet
  • Intra-BSS: disabled
  • security: wpa2-enterprise (radius to win-ad, security group)

SSID: Factory (a separate vlan with access to a few secure internal res, no internet)

  • network: bridged to a factory_net_vlan, separate subnet
  • Intra-BSS: enabled
  • security: wpa2-personal passkey

SSID: Guest (a separate vlan with no access to internal res, only internet)

  • network: bridged to a Guest_net_vlan, separate subnet
  • Intra-BSS: enabled
  • security: wpa2-personal passkey

Network Config

  • Accesspoints are plugged into a trunk port, with port-isolation enabled.
  • Accesspoints have a separate vlan for management.
  • Guest/Factory uplink port is only the UTM Firewall. No isolation for staff vlan on same vlan.
  • UTM is configured to block communication guest-to-guest and factory-to-factory, to stop clients connecting to each other via the UTM itself.

So based on the above and strict ACL's on what each subnet can access, there shouldn't be any client-to-client leaks on factory and guest correct?



Cisco ISE 2FA

I'm trying to figure out how to assign two authentication policies to one Policy set.

I would like to have ISE check an AD account then if passed trigger a request to a radius server for authentication.

I have the AD check working but I do not see a way to configure the second authentication mechanism.

Any suggestions?



Our Christmas Tree at the office, v2



having trouble with wifi connectivity from upstairs to downstairs.

so we just moved into a basement apartment and the router is upstairs maybe 50-60ft away. i obviously expected some slower speeds, but im having trouble with my firestick and i wanted to ask a question.

so the firestick will only have enough connection to last maybe 20 minutes at a time, then i have to restart it. could this be a signal issue or has anyone else dealt with something similar. all my laptops work just fine down here.

also, is it possible to set up an unused router as an AP without running ethernet between the two? i've been looking into wifi extenders but i'd rather save the money if i can.



Going through SonicWall config trying to clean up, can't figure out why every address group is referenced by a single address object.

Maybe this is simple and I'm just missing something. Every address group, under "referenced by," has a line that reads "Address Objects Ref. count 1."

Of course many groups are also referenced by access rules, VPNs, etc. but how can groups be referenced by address objects?

Example



L3 switch ibgp, which ones support lots of routes

Small ISP here. Looking at running iBGP through our core site, connecting to an IX, etc. We're certainly not using our ASR to the fullest of its capacities, and I'm not exactly sure what a beefy L3 switch couldn't do that we're doing now.

1) Is there a reason not to use an L3 switch at the edge? I mean, isn't that really what the 7600/6500 is at its heart, and those things still power more networks than I can imagine.

2) The best L3 switch I can find that can take a half-decent amount of routes is a 4900M @ 256k. But I hate that it's rocking X2 ports; SFP is a pain to get and SFP+ requires an adapter. But I can't seem to find much else out there that comes even close to being as beastly as this switch. New is not a requirement, support is not a requirement. Used/grey is what we do.



AT&T Managed Internet Service (MIS) activation. How long does it take to have someone come out to activate your internet?

Hopefully someone who has used AT&T MIS can help me answer this. I forgot about scheduling to get our AT&T MIS activated today to get internet in our rack in our datacenter. So I'm planning on calling them first thing tomorrow morning, but I'm nervous that I won't be able to get someone to come out the same day, and I've never had to do this before. When you go to activate your AT&T MIS, do they usually come out the same day to activate the circuit? Or am I screwed?



IIS and Apache Interference? Port 80 and 8000 issues for localhost on Windows Server 2012

Hi,

I'm using Windows Server 2012.

I used localhost for testing something on port 80, and it worked. Then, I installed Active Directory and the DNS, and stuff went wrong. I configured Apache server for port 8000, and that works fine as well. I then changed the forward lookup zone on my DNS to something else in place of the localhost to "MySite.edu" and that works fine. The only issue now is, I can't access localhost:80 anymore. Is this normal when I change the name from localhost to MySite.edu? I thought I would be able to type either name and they'd reference the same index.html page.

Thanks for any help!

TLDR; Does configuring a domain controller (ex: myname.local) replace localhost on port 80?



Update on P2P Wireless with Ubiquiti NSL

A few weeks ago I posted on this networking subreddit asking about some clarification about a Cisco Wireless P2P solution. It was needed to provide "at least 40 Mbps" to a couple of construction trailers that sit about 550 feet from our hospital. After I suggested using a Ubiquiti solution, I was told no, get a Cisco solution, hence the original post. Well you nice folks on reddit convinced me not to give up on the Ubiquiti solution, so I didn't. I was able to order some NanoStation Loco M5's. The PoE converters worked excellently on our end.

These things never cease to impress me:

http://ift.tt/2B7TulU

This is only about 550 feet away. They are getting 85 Mbps and the construction workers are amazed that "those damn little things" are providing them with such a good connection. So THANKS everyone for the recommendations. Ubiquiti has won the day and is working OUTSTANDING!

Oh, and here's the line of sight from the shipping/receiving roof of our hospital:

http://ift.tt/2AeRUP8

You can see the trailers across the parking lot. The "Station" AP is mounted on the top right of the trailer.



Delay/Disruption Tolerant Networks: Anyone with experience designing/implementing DTN gateways as overlay on top of TCP/IP network?

Looking into DTN as a side project at work - assuming the current install base on IP devices is not going anywhere any time soon, I'm looking at the plausibility of using DTN as an overlay to protect certain parts of the network that are connected over highly unreliable WAN links or links that are only opportunistically available.

Would be interested in bouncing ideas off anyone who has deployed something like this.



Cisco Switch SG550X Issue

Has anyone experienced working with this Cisco switch?

I could not get SSH working on this switch at all. I dedicated g1/0/1 for management access and made the interface layer 3, but the uplink switch (Juniper) keeps disabling the edge port because it keeps receiving BPDUs from the Cisco g1/0/1. As far as I know, once the switchport becomes layer 3 (no switchport) it will no longer participate in STP.

    interface gigabitethernet1/0/1
     ip address 192.168.0.2 255.255.255.240
     no switchport

What is happening now is the port g1/0/1 is flapping.



Data cable Question

Do any of you know of a cat 6 armored & shielded cable where one of the shields is a mesh?



Why vlan.dat is saved in Flash Memory not in NVRAM in VTP Server Mode?

In VTP Server Mode, switch saves VLAN configuration information in a file named vlan.dat in Flash Memory.

In VTP Transparent Mode, switch saves VLAN configuration information in a file named vlan.dat in NVRAM.

In VTP Client Mode, switch saves VLAN information in RAM only.

I understand that switch can only save VLAN information in RAM only in VTP Client Mode. My question is why in VTP Server Mode, switch saves VLAN configuration information in Flash Memory not in NVRAM. My understanding is that compressed files such as IOSs are saved in Flash memory and uncompressed files such as startup-config files are saved in NVRAM; Startup-Config files are saved in NVRAM because NVRAM is faster than Flash Memory.

Can anyone explain to me why?



Switch/Router monitoring: What things do you monitor, what metrics should be collected?

With the perspective of a system engineer but with a pretty high interest in networking and routing I tried to learn more on what aspects should be considered worthy to monitor and what metrics to be collected. That is: From a more generic point of view, unrelated to the monitoring system or switch/router vendor.

After some reading (including this sub's wiki) I've tried to collect some aspects I'd try to monitor and collect metrics on, but what would you add and what would you consider critical to be monitored?

  • Hardware sensors like temperature, fan status (depending on what may be exposed, i.e. via SNMP)
  • Link status of relevant links (ifOperStatus, link speed)
  • SFP status (if exposed)
  • Availability of the management interfaces (SSH, HTTPS)
  • Resource monitoring (CPU load, memory usage), i.e. via SNMP get
  • PPS alerts (i.e. on import - i.e. uplinks - mostly SNMP based)
  • Graphing of interface usage
  • SNMP trap evaluation?
  • Remote syslog and feed into Logstash or alike, filter for patterns (auditing?)

If there is a pointer towards a book to consider or an article, then I'd appreciate that as well



Network Design Related Study

Hi guys, I'm looking for any related study on a school campus network design of at least 50 clients to 1 server computer. Thanks for the help.



Question about Bottlenecking vs. a Fat Pipe concept

Hey /r/networking,

This is a noob-ish question, but I'm trying to remember the names/terms of two networking concepts, and I'm hoping someone can help me out.

Essentially, when you have a 1gb link, you may never use all of the bandwidth for an application(s). It may be because something you have is fighting other applications for that bandwidth. It may be because you aren't generating 1gb of traffic. Either way, I can't remember what this name/concept is called.

The 2nd concept is essentially adding more links/bandwidth to a problem, yet how that may or may not help in any given situation. Let's say an app is generating 50mbps of traffic. Yet, for some reason, your organization only has a 25mbps link. There was a concept for handling this type of situation, but I can't remember its name, meaning I can't research the topic.

I apologize if this is a noobish question. I just can't remember the name of these 2 concepts.

  • bossrhino

edit:

The 2nd concept is saturation. That's what I was trying to remember. That does cover the 1st concept a little bit. But there was a specific term for the first (and I've seen it described here many times before). Again, thank you for any help you can provide.



Java Update Server URL

Can someone please tell me the URL that the Java update calls to? I cannot find it documented anywhere. I'm assuming port 80 as well? Thank you in advance.



Monitor and protect assets

My company is looking to monitor network traffic and protect critical computers on the network, and came up with a solution of segmenting critical computers and nodes onto one VLAN hosted on its own switch. I was wondering if this plan is a good idea or if there are better solutions that are used. These critical computers are also currently all on different switches.



Cisco AnyConnect Disconnects then Reconnects Consistently

My girlfriend and I work from home for the same company. We both need to VPN back into our company's network every day. We're both using work-issued Lenovo ThinkPads. However, when I connect to my home wifi, my laptop disconnects and immediately reconnects to Cisco AnyConnect at least once every hour. She has no issues. If I use an ethernet connection instead of wifi, I experience no issues. I've uninstalled and reinstalled Cisco and we're on the same version (4.4.00243). Is there anything I can look at on my laptop that could help, or is this something my company's IT team is going to need to fix? Thanks for the help!



Private Line Q

I saw a private line in my inventory that had an A and Z an IOC and an internet port. Is it possible that this is a billing error or is this configuration not possible?



Had 2 questions in an entry level networking job I was wondering if someone could help me with.

Not asking for advice as I was offered the job, just curious what would have been a better answer.

1.) What new and upcoming technologies are you aware of?

  • I wasn't sure how to answer this as I am not currently in the networking field, but I told them that it seems like fiber is the new and upcoming thing. Which I know fiber isn't anything new, but it seems like it is preference now over CAT6 so I just went with that.

2.) How would you troubleshoot a computer not connecting to the network?

  • I started answering this saying I would open up CMD, do an Ipconfig and see where I am at there. He came back then with "Well these computers don't have hard drives, so we are stuck at the BIOS, how would you troubleshoot that?" I was unsure how to answer this, so I said I would start with physical components then, meaning I would check the incoming network cable and make sure it is undamaged and lighting up when plugged in. So I was just curious if I missed something with that answer. Is there a better way to troubleshoot a computer not connecting to the network?


Access Server

Team

Is there any way I can use a Cisco switch as an access server? Back in the day there was something like a break-even switch or break switch that used to do a similar task.

Thanks



Verizon Backbone Outage

Does anyone else have Verizon for their ISP or SIP provider? We are currently experiencing a higher level outage within the Verizon backbone network. Does anyone have any additional information? Is it perhaps an attack due to the net neutrality debate going on?



Need to manage network for 4 buildings each 7000m2

Hey guys. I've just recently been handed a huge responsibility and opportunity. I've been tapped to manage pretty much everything that has to do with computers / networking in 4 hospitals that are currently being built. This is in a rather remote area in a developing country so not exactly overflowing with qualified candidates and the partners are concerned with the rampant graft and corrupt behavior so I've been chosen since I'm also an investor in the company.

My background is in computer science and I did programming in corporations, mostly with Java and Python. That said, all I remember about networking is a faint recollection of Tanenbaum's book and using DigitalOcean to test my builds before pushing them out.

Are there resources one can read to catch up with current standards on building enterprise networking? Best practices in cabling a building, picking switches, building a firewall and so on. Maybe an overview wiki with references for more details. Best if said resources don't require previous knowledge.

  • 2 floors
  • 7000m2
  • healthcare facility i.e. hospital


Weird issues with DF.

Hi all - quick question. To preface, I know the hardware is older and not great. It was purchased before I came to this company and I can't do much about it right now. We have plans to do better, but I have to work with what I've got for now.

We have two locations connected via a dedicated two strand dark fiber. On each end of this is a Cisco 6500 with a 4 port 10G blade and the circuit in question connects to ZR Xenpaks. Maybe 3 or 4 times a year, this circuit will randomly die around 3-5am in the morning. It's always during that window (which may or may not be related) and wasn't happening that often.

The last week, it has happened 3 or 4 times, and it really messes things up. Avoiding the details of why it's a problem, I'm trying to figure out what we can do to continue troubleshooting. The logs from the 6500s show different things. On the main side (the building I work in), you can see iBGP flap briefly and that's it. On the remote end (datacenter), you can see the link status go down and back up. This is usually in milliseconds, and sometimes happens 2 or 3 times back to back before it stops. You can then see iBGP reconverge.

So far, I've replaced an excessive length SMF patch on the remote end with a 1m patch. It was tightly coiled and zip tied and that's obviously not good for a fiber patch. This didn't change much as it was around 4 days before the problem happened again, but we're starting with the easiest things to swap that take the least amount of time.

Tonight, I'm headed up to replace the Xenpak module with a spare and move it to another open port on that blade (just to rule that out). The light levels I'm seeing are within tolerance, but vary from side to side. Noise floor is -24 on these modules and -7 is considered peak/high. The local end where I am usually shows 1.0 Tx power and -15 Rx power, whereas the datacenter (remote) end shows 2.0 Tx power and -18 Rx power. These tolerances aren't optimal, but within spec. Many folks say this range shows there may be a fault somewhere in the run, but there obviously isn't a lot I can do about that.

We're adding a second link and when we do, we're going to have the carrier for the DF I'm talking about do an OTDR on this run, but we can't do that quite yet.

Has anyone seen any issues like this before? One side obviously shows more issues than the other in terms of local logs, so it definitely seems like it could be a hardware issue, but I only have a couple more items I can replace before I'm at the end of my rope.

Thanks for any insight!
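An added example (not the poster's logs or code) that serves two posts above: the "remote syslog, filter for patterns" item in the monitoring post and the dark-fiber circuit that drops around 3-5am here. It parses constructed Cisco-style syslog lines, counts completed down/up cycles per interface from %LINK-3-UPDOWN, pairs each iBGP neighbor Down with the most recent physical link-down on any host within a few seconds, and tallies events in the 03:00-05:00 window. Hostnames HQ and DC, the interface, the neighbor address and the log year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-server lines (not the poster's real logs) in the Cisco IOS
# "service timestamps log datetime msec" form, with the hostname a collector prepends.
SAMPLE_LOGS = """\
Dec  5 04:12:31.112 DC: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1, changed state to down
Dec  5 04:12:31.340 DC: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/1, changed state to down
Dec  5 04:12:31.801 DC: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1, changed state to up
Dec  5 04:12:32.002 DC: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/1, changed state to up
Dec  5 04:12:32.450 HQ: %BGP-5-ADJCHANGE: neighbor 10.255.0.2 Down Interface flap
Dec  5 04:12:32.610 DC: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1, changed state to down
Dec  5 04:12:33.015 DC: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1, changed state to up
Dec  5 04:12:33.900 DC: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1, changed state to down
Dec  5 04:12:34.420 DC: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1, changed state to up
Dec  5 04:13:05.000 HQ: %BGP-5-ADJCHANGE: neighbor 10.255.0.2 Up
Dec  5 09:30:00.000 DC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.255.9.9)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d{3}) (?P<host>\S+): "
    r"%(?P<facility>[A-Z_0-9]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_0-9]+): (?P<msg>.*)$"
)
LINK_RE = re.compile(r"Interface (\S+), changed state to (up|down)$")
BGP_RE = re.compile(r"neighbor (\S+) (Up|Down)")
LOG_YEAR = 2017  # syslog lines carry no year; assumed for the constructed sample


def parse_line(line):
    """Parse one Cisco-style syslog line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S.%f").replace(year=LOG_YEAR)
    ev["sev"] = int(ev["sev"])
    return ev


def parse_logs(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def link_flaps(events):
    """Count completed down->up cycles per (host, interface) using only the physical
    %LINK-3-UPDOWN messages; %LINEPROTO follows them and would double-count."""
    state, flaps = {}, defaultdict(int)
    for ev in events:
        if ev["facility"] != "LINK" or ev["mnemonic"] != "UPDOWN":
            continue
        m = LINK_RE.search(ev["msg"])
        if not m:
            continue
        key, new = (ev["host"], m.group(1)), m.group(2)
        if state.get(key) == "down" and new == "up":
            flaps[key] += 1
        state[key] = new
    return dict(flaps)


def in_quiet_hours(ev, start_hour=3, end_hour=5):
    """True when the event falls inside the 03:00-05:00 window the post describes."""
    return start_hour <= ev["ts"].hour < end_hour


def bgp_down_causes(events, max_gap_s=5.0):
    """Pair each %BGP-5-ADJCHANGE neighbor Down with the most recent physical
    link-down on any host in the preceding max_gap_s seconds. Returns tuples
    (bgp_host, neighbor, link_host, interface); the last two are None when no
    link event explains the drop. A Down explained only by the far end's link
    log is exactly the asymmetry the post describes."""
    causes, link_downs = [], []
    for ev in events:
        if ev["facility"] == "LINK" and ev["msg"].endswith("to down"):
            link_downs.append(ev)
            continue
        m = BGP_RE.search(ev["msg"]) if ev["facility"] == "BGP" else None
        if not m or m.group(2) != "Down":
            continue
        recent = [d for d in link_downs
                  if 0 <= (ev["ts"] - d["ts"]).total_seconds() <= max_gap_s]
        if recent:
            d = recent[-1]
            causes.append((ev["host"], m.group(1), d["host"], LINK_RE.search(d["msg"]).group(1)))
        else:
            causes.append((ev["host"], m.group(1), None, None))
    return causes


def summarize(text):
    events = parse_logs(text)
    return {
        "flaps": link_flaps(events),
        "quiet_hour_events": sum(1 for ev in events if ev["facility"] != "SYS" and in_quiet_hours(ev)),
        "bgp_causes": bgp_down_causes(events),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOGS).items():
        print(k, v)
```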



Writing a 5000 word essay on encryption on the web, ideas needed.

For my A-Levels I'm writing an essay on whether or not encryption on the net is good and if there are alternatives for my EPQ. This counts as half an A-Level and offers UCAS points so I wanna do as well as possible in it.

Obviously it is ultimately a good thing but for the sake of having something to write I'm arguing both sides. At the moment I have the following things to talk about:

  • what is it & how does it work.
  • ways of cracking encryption.
  • laws in place to protect personal data and privacy on the web.
  • censorship and the role that encryption plays in it.
  • net neutrality.
  • pros of encryption.
  • cons of encryption.
  • example of encryption related stories making headlines.

Any ideas are strongly appreciated, thanks :)



Can't Access ADP site on users computer but server ok

http://ift.tt/2itZnyv

Is the networking humble bundle worth 15 bucks?

I'm a computer science student and I wanted to know if the professionals would recommend this month's Humble Bundle for learning about networks.



Cumulus/SDN as ISP Gear?

I'm currently evaluating using Cumulus or other SDN software on whitebox to use as parts of Layer 3 network components over traditional Cisco.

Going beyond four 10G ports gets expensive fast in Cisco land, and whitebox is a good alternative. I've been using Cumulus a bit, but it seems it and other SDN is more geared towards leaf/spine for datacenter and not doing carrier grade tasks of traditional rings.

Was curious of others' thoughts and experiences, be it Cumulus or otherwise, of using these new kids in their traditional ISP network.



Studying for certs: Read the entire book or just focus on exam objectives?

Curious to get people's opinions and experiences on this. The title question is meant generally but in my specific case I'm working on getting the CWNA cert. CWNA is the second cert I'm working on after getting a CCNA and graduating school a few years ago. I slowly read through the CWNA-106 Official study guide over the course of a few months near the start of 2017 and I started doing a dedicated re-read recently to prepare for the exam.

From looking at the exam objectives linked below though I'm noticing that certain information/chapters in the book(I'm aware of the version differences) don't appear anywhere in the exam objectives. It feels kind of pointless to bother reading and taking notes on 802.11 amendments and clauses and trivia about different frequency bands if none of the test questions actually require it. On the other hand, when I studied for the CCNA I did it over a tighter timeframe and took notes my first time through the book before really checking the exam objectives. I also feel slightly guilty like I'm cheating myself out of more comprehensive knowledge of a subject I'm interested in or shortcutting the learning process in a way where I could still pass but not have learned as much.

http://ift.tt/2jXQei2



TCP/UDP & Message Boundaries

How does UDP manage to preserve message boundaries? I am guessing that UDP can preserve message boundaries because UDP doesn't care about the RWND/CWND or congestion when it transmits the data, right?

Lastly, my understanding is that TCP data gets segmented at L4 within the buffer according to many variables such as RWND, CWND, additional mechanisms, etc. UDP data also gets segmented from the Hard. I am wondering according to which variables UDP data gets segmented and becomes a datagram?
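An added example (not from the post) that shows both behaviours on the loopback interface: UDP does not segment at all, one sendto() is one datagram and one recvfrom(), with the size chosen by the application (only IP fragments it if it exceeds the MTU); TCP delivers the same bytes in order but recv() returns whatever is buffered, so three sends typically come back fused. The length-prefix framing at the end is the usual application-layer way to put boundaries back on a TCP stream; the messages are constructed.

```python
import socket
import struct

MESSAGES = [b"alpha", b"bravo", b"charlie"]  # constructed sample messages


def udp_boundaries(messages):
    """Send each message as its own UDP datagram over loopback and return what each
    recvfrom() hands back: the datagram is exactly the buffer passed to sendto()."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        for m in messages:
            tx.sendto(m, rx.getsockname())
        return [rx.recvfrom(65535)[0] for _ in messages]
    finally:
        tx.close()
        rx.close()


def tcp_stream(messages):
    """Send the same messages with one send() each on a TCP connection and collect
    the chunks recv() returns. Bytes and order are preserved; boundaries are not,
    and on loopback the three messages usually arrive as a single chunk."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn = None
    try:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        cli.connect(srv.getsockname())
        conn, _ = srv.accept()
        conn.settimeout(2.0)
        for m in messages:
            cli.sendall(m)
        cli.shutdown(socket.SHUT_WR)  # FIN marks the end of the stream for the reader
        chunks = []
        while True:
            data = conn.recv(65535)
            if not data:
                break
            chunks.append(data)
        return chunks
    finally:
        if conn:
            conn.close()
        cli.close()
        srv.close()


def frame(message):
    """Length-prefix framing (2-byte big-endian length): the application-layer
    convention that restores message boundaries on top of a TCP stream."""
    return struct.pack("!H", len(message)) + message


def unframe(stream):
    """Split a framed byte stream back into messages. A trailing partial frame is
    returned as the remainder, because TCP may deliver its tail in the next recv()."""
    messages, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, pos)
        if pos + 2 + length > len(stream):
            break
        messages.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return messages, stream[pos:]


if __name__ == "__main__":
    print("UDP datagrams:", udp_boundaries(MESSAGES))
    print("TCP chunks:   ", tcp_stream(MESSAGES))
    print("reframed:     ", unframe(b"".join(frame(m) for m in MESSAGES)))
```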



Cisco Voice Certification

Guys,

Looking for some advice on places/courses or certifications to gain knowledge of Cisco Voice infrastructure administrations and troubleshooting - CUBE/CUCM/UNITY etc.

Is the CCNA Collaboration the best way to go (this seems to be what CCNA Voice has become)? I'm not really in a position where I need to know about video etc., but my company runs a Cisco voice estate and this is where my knowledge is lacking. My general networking, routing, switching etc. is sound; I just need to plug this gap :)

Has anyone taken the CCNA Collab recently? How voice heavy is it?



Tuesday, December 5, 2017

IPsec tunnel question, and DR link in case it fails (implemented on pfSense)

Hi all,

I have a question about implementing an IPsec tunnel on a pfSense box, and what would happen if the tunnel drops due to a transit network outage, etc.

BACKGROUND INFO: We have pfSense box acting as a firewall/router where the "LAN" side is our network, and the "WAN" side is the private network link to the parent company (which does not provide Internet access - we have our own Internet WAN link for that.) We route certain parent-co networks from our core towards the pfSense box, which has its default gw as the IP of the onsite parent-co router terminating the private WAN link (happens to be MPLS over bonded T-1s.) Also, our co's admin domain ends at the pfSense box; we have no admin (or other) access to the parent-co's equipment onsite. The parent co in turn has no admin/other access to our network, other than us allowing traffic destined to certain of our internal servers.

Now, management wants me to engineer an IPsec s2s tunnel for the traffic bound for parent-co that would route over our regular Internet connection, and keep the default route on the pfSense box as a backup link, in case the IPsec tunnel over the Internet fails. My manager thinks this IPsec tunnel could be done on the pfSense box, and have everything else stay the same. I am not a networking guru (jack of all trades, know what I know about networking but certainly not a CCIE-level fellow) but I'm pretty sure this would not work... I have the following questions about this:

1) I'd have to have a Phase 1 remote gw that is routed through the Internet, so I guess I'd need to drop a route on the pfSense box for at least that gateway IP, that next-hops our router out the pfSense LAN interface?

2) Then, when I define the remote networks for parent-co on multiple Phase 2 SAs, would the traffic from these tunnels be subject to firewall policy? (Or, how could this happen?)

3) (this is the big one in my mind) What would happen to traffic bound for parent-co if the IPsec tunnel fails? Would it revert to transit out the current default gateway, or just be dropped?

I have thought about this, and am thinking I could just implement another router connected to a second WAN port (opt1) of the pfSense box, which would implement an IPsec tunnel matching all traffic; then have two default routes on the pfSense firewall, main one pointing to the IPsec tunnel router, and a backup one to the current parent-co router (having the MPLS link.) But, that means buying another router... It would be great to be able to do this with what I have now (i.e., just use the pfSense box) unless that would be horrifically complex, or unachievable.

Thanks in advance to anyone who helps me think this through, and answer my questions... Definitely a bit more complexity than I've handled before, but also a great learning opportunity!



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



ubiquiti edgeswitch and wan access

I was configuring a Ubiquiti EdgeSwitch; everything was fine until I tried to access the internet. Here is my config:

http://ift.tt/2BMOTT2

I connected my notebook to port 24 and used 10.99.0.2 as its IP. No problem reaching 10.99.0.1 on the router, but internet was impossible.

Reaching the internet from the switch was fine.



PPPoE on ISP router vs own router

What would be better in terms of reliability?

My setup consists of PPPoE handled by ISP router then my Edge Router X connected to it.

It's working fine, but sometimes I need to reboot both routers.



Last week I shared screenshots of a GUI overlay I wrote for my non-API Cisco gear. It's now available on Github. I proudly present, NetConfig

I received such great feedback last week, so thank you all for the comments and inspiration. It took a little longer than anticipated, but it's now available on Github. Link can be found here: http://ift.tt/2jgbEra

NetConfig Concept

I have a number of Cisco Catalyst switches and routers that do not have any API access or easy way of managing them. I've been writing scripts for them for the past few years, and was wanting to make them more accessible via some sort of web app interface.

So I wrote NetConfig, from the ground up. You can see screenshots here: http://ift.tt/2zFVtxo

I'm currently using it to manage my Cisco Nexus and Catalyst switches, routers, and ASA's. (NX-OS, IOS, IOS-XE, and ASA). There are some minor bugs here and there, but it's still something I've been working on actively for 2-3 months now.

I am still very much interested in feedback and any help contributing to this. I intend to continue working on this project in my spare time, and will post updates to the GitHub page as I update the program.

NetConfig Building Blocks

NetConfig is built on Ubuntu 16.04 Server Edition. I haven't tested this on other OS's. Install instructions can be found in INSTALL.txt. I've run through these a few times from a fresh Ubuntu install, and it works well, so let me know if you run into issues.

What NetConfig is

This was originally written as a graphical overlay for my existing Python scripts, and just kept growing. It is built on Flask and Python 2.7, uses HTML and JavaScript on the front end, and Bootstrap for formatting.

It is built specifically for Cisco switches, routers, and firewalls which use the IOS, IOS-XE, NX-OS, or ASA platforms. It will work with any other systems. Since the devices I use do not have API support, all real-time data is pulled via SSH and Netmiko. As such, I'm sure there will be formatting bugs and layout issues with other devices. Feel free to post issues or fixes on GitHub.

What NetConfig is not

This is not an automation or error checking tool. It may evolve into one later on, but not yet.

I plan to work on documentation in the next couple of weeks, as right now there isn't any. In the meantime, please reference the README.txt to get started.

New Features since last week

  1. I had a few requests for Netbox support, since many people (myself included) use Netbox as their DCIM source of truth. NetConfig now supports using Netbox to pull device inventory.
    Note: please read the instructions in NETBOX-INTEGRATION.txt carefully, as there are some custom fields that need to be set in Netbox to work properly with NetConfig.
  2. NetConfig supports a local database file to store device names, IPs, and device types. NetConfig now supports importing multiple devices using CSV formatting.


This is why I hate Ubiquiti

Note I don't normally implement Ubnt stuff, but I have customers that already have it and are too cheap to replace it.

Besides my many other gripes with their products, like the constant product updates that become necessary (for out-of-the-box features that should work) and the requirement to load Java just to manage the stuff, I just had to drive 4 hours to replace a bad AP, when actually the AP wasn't bad; it's just that the power cord "fell out" of the injector, due to poor design: http://ift.tt/2A7410n

Anyone else feel like they're constantly helping Ubnt design their stuff right?



Proving the network Innocent: Please help me interpret iperf3/wireshark results.

We have a slow backup server. Intermittently, basic iperf3 results with no special command-line switches read 0.00 toward the beginning of a TCP session (see below). This doesn't happen to other servers on the network, and it doesn't happen on the loopback from the server (a case for why it is not the server). Physical cable and SFP modules were swapped without change.

    [ ID] Interval           Transfer     Bandwidth
    [  4]   0.00-1.00   sec  98.1 MBytes   823 Mbits/sec
    [  4]   1.00-2.00   sec  73.5 MBytes   617 Mbits/sec
    [  4]   2.00-3.00   sec  0.00 Bytes    0.00 bits/sec
    [  4]   3.00-4.00   sec  0.00 Bytes    0.00 bits/sec
    [  4]   4.00-5.00   sec  0.00 Bytes    0.00 bits/sec
    [  4]   5.00-6.00   sec  0.00 Bytes    0.00 bits/sec
    [  4]   6.00-7.01   sec  5.75 MBytes  48.0 Mbits/sec
    [  4]   7.01-8.01   sec   101 MBytes   850 Mbits/sec
    [  4]   8.01-9.00   sec  99.2 MBytes   838 Mbits/sec
    [  4]   9.00-10.01  sec  79.2 MBytes   662 Mbits/sec
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval           Transfer     Bandwidth
    [  4]   0.00-10.01  sec   457 MBytes   383 Mbits/sec    sender
    [  4]   0.00-10.01  sec   457 MBytes   383 Mbits/sec    receiver

There is a single interesting Wireshark message that states "TCP Window Full", implying that no response has been received from the server for a while. This appears to correspond.

Pings and UDP iperf3 tests appear to work fine so far but more testing is in order.

I am in the classic position of having to prove the network innocent. Any tips? Does this prove my case if there is a single network device between test targets and there is no drops on either involved interface?

P.S. The test above is to a slow device. This was to more easily capture all related packets. The backup server is capable of realizing 6gig/s TCP sessions and has the same intermittent 0.00 bit/sec behavior.

P.S.2. Sorry about the table spacing
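An added example (not the poster's code): a parser for the iperf3 interval output above that isolates the zero-throughput run, so the stall can be stated as a duration and a fraction of the test and the link's rate when it is not stalled can be compared with the 10-second average iperf3 reports. The output lines are copied from the post into a constructed string; the unit scaling is iperf3's (binary prefixes for bytes, decimal for bits/sec), which the post's own 98.1 MBytes to 823 Mbits/sec line confirms.

```python
import re

# iperf3 output as posted, copied into a constructed string.
IPERF_OUTPUT = """\
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  98.1 MBytes   823 Mbits/sec
[  4]   1.00-2.00   sec  73.5 MBytes   617 Mbits/sec
[  4]   2.00-3.00   sec  0.00 Bytes    0.00 bits/sec
[  4]   3.00-4.00   sec  0.00 Bytes    0.00 bits/sec
[  4]   4.00-5.00   sec  0.00 Bytes    0.00 bits/sec
[  4]   5.00-6.00   sec  0.00 Bytes    0.00 bits/sec
[  4]   6.00-7.01   sec  5.75 MBytes  48.0 Mbits/sec
[  4]   7.01-8.01   sec   101 MBytes   850 Mbits/sec
[  4]   8.01-9.00   sec  99.2 MBytes   838 Mbits/sec
[  4]   9.00-10.01  sec  79.2 MBytes   662 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.01  sec   457 MBytes   383 Mbits/sec                  sender
[  4]   0.00-10.01  sec   457 MBytes   383 Mbits/sec                  receiver
"""

INTERVAL_RE = re.compile(
    r"^\[\s*\d+\]\s+(?P<start>[\d.]+)-(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xunit>[KMG]?Bytes)\s+(?P<bw>[\d.]+)\s+(?P<bunit>[KMG]?bits/sec)"
    r"(?:\s+(?P<role>sender|receiver))?\s*$"
)
# iperf3 prints byte counts with binary prefixes (1 MByte = 2**20) and bit rates with
# decimal prefixes (1 Mbit/s = 10**6); 98.1 MBytes in 1 s -> 823 Mbits/sec checks out.
BYTE_SCALE = {"Bytes": 1, "KBytes": 1024, "MBytes": 1024 ** 2, "GBytes": 1024 ** 3}
BIT_SCALE = {"bits/sec": 1, "Kbits/sec": 1e3, "Mbits/sec": 1e6, "Gbits/sec": 1e9}


def parse_iperf3(text):
    """Return (intervals, summaries): per-interval samples and the sender/receiver totals."""
    intervals, summaries = [], []
    for line in text.splitlines():
        m = INTERVAL_RE.match(line)
        if not m:
            continue  # header and separator lines
        rec = {
            "start": float(m["start"]), "end": float(m["end"]),
            "bytes": float(m["xfer"]) * BYTE_SCALE[m["xunit"]],
            "bps": float(m["bw"]) * BIT_SCALE[m["bunit"]],
            "role": m["role"],
        }
        (summaries if m["role"] else intervals).append(rec)
    return intervals, summaries


def find_stalls(intervals):
    """Merge consecutive zero-throughput intervals into (start, end) stall periods."""
    stalls = []
    for iv in intervals:
        if iv["bps"] > 0:
            continue
        if stalls and abs(stalls[-1][1] - iv["start"]) < 1e-9:
            stalls[-1] = (stalls[-1][0], iv["end"])  # extends the current stall
        else:
            stalls.append((iv["start"], iv["end"]))
    return stalls


def stall_report(text):
    """Quantify the stall: how long the transfer sat at zero, what share of the test
    that was, and what the link carried when it was actually moving data."""
    intervals, summaries = parse_iperf3(text)
    stalls = find_stalls(intervals)
    stalled = sum(e - s for s, e in stalls)
    total = intervals[-1]["end"] - intervals[0]["start"]
    active = [iv for iv in intervals if iv["bps"] > 0]
    active_secs = sum(iv["end"] - iv["start"] for iv in active)
    active_mbps = sum(iv["bytes"] for iv in active) * 8 / active_secs / 1e6
    return {
        "stalls": stalls,
        "stalled_seconds": round(stalled, 2),
        "stalled_fraction": round(stalled / total, 3),
        "active_mbps": round(active_mbps),          # rate while not stalled
        "reported_mbps": summaries[0]["bps"] / 1e6 if summaries else None,  # 10 s average
    }


if __name__ == "__main__":
    for k, v in stall_report(IPERF_OUTPUT).items():
        print(f"{k}: {v}")
```

A stall that Wireshark marks "TCP Window Full" means the sender has filled the receiver's advertised window and is waiting on it, so check whether retransmissions are absent across the same seconds before attributing the gap to the path.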



Request for Recommendation - Wireless Device for monitoring remote wireless coverage, Ping & Latency, and maybe spectrum analysis?

Hey everyone, I think this is the right place to come. I'm looking for some sort of recommendation, or even a direction to be pointed. We have a need at our company to have the ability to monitor some criteria as a wireless client in a remote location (just not in our corporate office). Here's what I mean: we use a monitoring service called WhatsUp Gold that does a great job, but that's from the perspective of a server, which can monitor wireless access points or even end devices.

Lately we've been getting reports of some "bad wireless", but upon inspection we don't see any sort of poor coverage or any sort of slowness in the reported areas. The frequency that we are being brought into the conversation is enough to have me looking for something that can just stay over in that reported area. So what I'm hoping for is a small device that can just stay in the reported area and collect data for us such as ping history to a custom IP, latency to specific sites or servers, RSSI history in that location, and even any sort of spectrum analysis.

I found this company NetBeez that does almost exactly what I'm looking for, but their pricing is just absurd. For an on-prem virtual appliance, and 5 wireless devices (that you lease, not own) is up over 5k a year. Does anyone here have any other ideas besides throwing some sort of monitoring freeware on laptops and putting them around campus?

Thanks everyone!



CAP2702I-E-K9 autonomous configure problem

Best,

I have a problem making my config complete. I am still missing 2 things:

1 WPA2 on the SSID
2 BVI mapped to management VLAN 10

Can someone help me to realize the 2 things, thx. If you still see wrong config, I am free to learn.

no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname WIFI-AP
!
logging buffered informational
logging rate-limit console 9
no logging console

clock timezone GMT 1
clock summer-time cet-summertime recurring last Sun Mar 2:00 last Sun Oct 3:00
ip domain name S-N
!
!
dot11 mbssid
dot11 syslog
dot11 vlan-name SN-Home-00020000-24 vlan 15
dot11 vlan-name SN-Office-00025000-24 vlan 25
dot11 vlan-name SN-IOT-00030000-24 vlan 30
mbssid
!
dot11 ssid S-Guest
 vlan 15
 authentication open

 WPA2 Password 

 mbssid guest-mode
 dtim-period 90
 information-element ssidl advertisement
!
dot11 ssid S-OFFICE
 vlan 25
 authentication open

 WPA2 Password 

 mbssid guest-mode
 dtim-period 80
 information-element ssidl advertisement
!
dot11 ssid S-IOT
 vlan 30
 authentication open

 WPA2 Password 

 mbssid guest-mode
 dtim-period 90
 information-element ssidl advertisement
!
!
!
ip tcp synwait-time 10
ip ssh version 2
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 15 mode ciphers aes-ccm
 !
 encryption vlan 25 mode ciphers aes-ccm
 encryption vlan 30 mode ciphers aes-ccm
 !
 encryption mode ciphers aes-ccm
 !
 ssid S-Networks-Guest
 ssid S-Networks-OFFICE
 ssid S-Networks-IOT

interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 15 mode ciphers aes-ccm
 !
 encryption vlan 25 mode ciphers aes-ccm
 encryption vlan 30 mode ciphers aes-ccm
 !
 encryption mode ciphers aes-ccm
 !
 ssid S-Networks-Guest
 ssid S-Networks-OFFICE
 ssid S-Networks-IOT
!
interface Dot11Radio0.15
 encapsulation dot1Q 15
 no ip route-cache
 bridge-group 15
 bridge-group 15 subscriber-loop-control
 bridge-group 15 block-unknown-source
 no bridge-group 15 source-learning
 no bridge-group 15 unicast-flooding
 bridge-group 15 spanning-disabled

interface Dot11Radio0.25
 encapsulation dot1Q 25
 no ip route-cache
 bridge-group 25
 bridge-group 25 subscriber-loop-control
 bridge-group 25 block-unknown-source
 no bridge-group 25 source-learning
 no bridge-group 25 unicast-flooding
 bridge-group 25 spanning-disabled

interface Dot11Radio0.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
 bridge-group 30 subscriber-loop-control
 bridge-group 30 block-unknown-source
 no bridge-group 30 source-learning
 no bridge-group 30 unicast-flooding
 bridge-group 30 spanning-disabled

interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.15
 encapsulation dot1Q 15
 no ip route-cache
 bridge-group 15
 no bridge-group 15 source-learning
 bridge-group 15 spanning-disabled
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface GigabitEthernet0.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
 no bridge-group 30 source-learning
 bridge-group 30 spanning-disabled

interface Dot11Radio1.15
 encapsulation dot1Q 15
 no ip route-cache
 bridge-group 15
 bridge-group 15 subscriber-loop-control
 bridge-group 15 block-unknown-source
 no bridge-group 15 source-learning
 no bridge-group 15 unicast-flooding
 bridge-group 15 spanning-disabled

interface Dot11Radio1.25
 encapsulation dot1Q 25
 no ip route-cache
 bridge-group 25
 bridge-group 25 subscriber-loop-control
 bridge-group 25 block-unknown-source
 no bridge-group 25 source-learning
 no bridge-group 25 unicast-flooding
 bridge-group 25 spanning-disabled

interface Dot11Radio1.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
 bridge-group 30 subscriber-loop-control
 bridge-group 30 block-unknown-source
 no bridge-group 30 source-learning
 no bridge-group 30 unicast-flooding
 bridge-group 30 spanning-disabled

interface GigabitEthernet1
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet1.15
 encapsulation dot1Q 15
 no ip route-cache
 bridge-group 15
 no bridge-group 15 source-learning
 bridge-group 15 spanning-disabled
!
interface GigabitEthernet1.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface GigabitEthernet1.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
 no bridge-group 30 source-learning
 bridge-group 30 spanning-disabled

! BVI 1 to VLAN 10 MGM

interface BVI1
 ip address 10.0.10.20 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.0.10.10

no ip http server
ip http help-path http://ift.tt/1M5jmKo
bridge 1 route ip
!
!
!
line con 0
 session-timeout 5
 exec-timeout 5 0
line vty 0 4
 session-timeout 5
 access-class vty-acl in
 exec-timeout 5 0
 transport preferred ssh
 transport input ssh
 transport output none
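Added example (not the poster's config and not a Cisco reference sample) of how the two missing pieces are usually done on an autonomous IOS AP: WPA2-PSK on the S-Guest SSID, shown against the open SSID above, and the management BVI on VLAN 10. It assumes the switch trunk carries VLAN 10 as its native (untagged) VLAN and uses a placeholder PSK; the same SSID pattern applies to S-OFFICE and S-IOT with their own keys.

```cisco
! --- WPA2-PSK on the guest SSID (repeat for S-OFFICE and S-IOT, each with its own PSK) ---
dot11 ssid S-Guest
 vlan 15
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii GUEST-PSK-PLACEHOLDER
 mbssid guest-mode
 dtim-period 90
 information-element ssidl advertisement
!
interface Dot11Radio0
 encryption vlan 15 mode ciphers aes-ccm
 ! the name here must match the dot11 ssid block exactly (the posted config has S-Networks-Guest)
 ssid S-Guest
!
! --- management on VLAN 10: BVI1 lives in bridge-group 1, so VLAN 10 is carried
! --- into bridge-group 1 as the native (untagged) VLAN of the trunk (assumption)
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.0.10.20 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.0.10.10
```

Two other things in the posted config worth checking: the wired subinterfaces for the Office VLAN use dot1Q 20 / bridge-group 20 while the radio subinterfaces use 25, so that VLAN will not bridge to the wire; and GigabitEthernet1 needs the same .10 native subinterface if it is the uplink.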