Saturday, December 16, 2017

Best home router

Hi all, I've got six 4K TVs, 6 iPads, 6 iPhones, all streaming media under very heavy usage. What would be the best router on the market to handle such a load with zero hiccups? Thanks



What are some signs to watch out for when interviewing?

Hello fellow networkers,

So I have decided to look for new work after 2 years at my current job, and in my recent jobs I have had a bad series of luck. To explain a bit, the last job was not a bad job at all, then all of a sudden my boss kept pulling me aside and telling me that networking was a dead career and I should consider generalizing a bit.

The job before that I worked at an MSP for 4 years, and the job wasn't bad except for low pay and that they worked me to death.

My current job I joined and they needed help splitting their company apart into multiple companies. Seemed like a good challenge and I would get experience with Palo Alto, I would be in charge of standardizing the new company, etc. They offered to pay for my school, certs, the whole 9 yards. We split about 4 months later. The new company I was assigned to in the split refused to pay for my schooling, my certs, and feels the security and networking budget is not of high importance. (So I am looking to leave.) However, I did standardize them, better secured them, etc., and am trying to learn scripting better while I look.

So I've been at this about 8-9 years now and I was wondering, what are some things those of us interviewing should look out for, or some good questions we could ask? I'd love to end up at a place to be for 5+ years instead of 2-3.



1 DSL MODEM + 4G BACKUP ---> 2 CISCO 48 PoE switches

I was setting up a network that has a DSL connection. I want to have a Verizon 4G backup that automatically switches over if the DSL connection goes down, and then goes back to the DSL connection once it comes back online. Is it possible to do that?

I will link the picture of the diagram along with the eBay ad for the switches I was looking at buying.

Thanks



Determining Devices on a router.

Hello. I am trying to determine what devices are which on my network when I run an IP scan. Is there a way, from my computer, to determine which is the router and which are other clients. Thanks.
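One way to answer this from the scanning machine without sending anything extra onto the network is to use what the host already knows: its default route names the router, its neighbour (ARP) table maps the scanned addresses to MAC addresses, and the `src` field on its connected route is its own address. This is an added example, not code from the post; the `ip route show` / `ip neigh show` text is constructed in the iproute2 format, and all addresses and MACs are made up.

```python
"""Pick the router out of an IP-scan result using the host's own routing and ARP tables."""
import re

# Constructed sample output (not from the post): what `ip route show` and `ip neigh show`
# print on a Linux laptop. Addresses and MAC addresses are made up.
IP_ROUTE = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""
IP_NEIGH = """192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev wlan0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.31 dev wlan0 lladdr cc:dd:ee:ff:00:11 REACHABLE
"""
# Constructed list of hosts that answered an IP scan
SCAN_RESULTS = ["192.168.1.1", "192.168.1.20", "192.168.1.31", "192.168.1.42"]


def default_gateways(route_output: str) -> set:
    """Every 'default via X' next hop; a host may have more than one default route."""
    return set(re.findall(r"^default via (\S+)", route_output, re.M))


def own_addresses(route_output: str) -> set:
    """The 'src' address on a connected route is one of this machine's own IPs."""
    return set(re.findall(r"\bsrc (\S+)", route_output))


def neighbour_macs(neigh_output: str) -> dict:
    """IP -> MAC from the neighbour table (only entries that carry an lladdr)."""
    return dict(re.findall(r"^(\S+) dev \S+ lladdr (\S+)", neigh_output, re.M))


def classify(scan, route_output=IP_ROUTE, neigh_output=IP_NEIGH) -> dict:
    """Map each scanned IP to (role, mac). Hosts absent from the ARP table get mac=None."""
    gateways = default_gateways(route_output)
    mine = own_addresses(route_output)
    macs = neighbour_macs(neigh_output)
    # A router often answers on more than one address; the shared MAC gives it away.
    gateway_macs = {macs[g] for g in gateways if g in macs}
    result = {}
    for ip in scan:
        mac = macs.get(ip)
        if ip in gateways:
            role = "router (default gateway)"
        elif ip in mine:
            role = "this host"
        elif mac is not None and mac in gateway_macs:
            role = "router (same MAC as the gateway, extra address)"
        else:
            role = "other client"
        result[ip] = (role, mac)
    return result


if __name__ == "__main__":
    for ip, (role, mac) in classify(SCAN_RESULTS).items():
        print(f"{ip:15} {mac or '-':18} {role}")
```

A scan only tells you who replied; the routing table tells you who forwards your traffic off the local network, which is the property that actually defines the router. The whole check is passive: it reads tables the host already has, so nothing new is sent to the network.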



802.1q Tag VLANs on single WiFi SSID

Is it possible to have a single SSID that passes multiple VLANs? (One native/untagged + 1 or more tagged VLANs)

Scenario: I'm running virtual machines for a portable lab on my laptop, sometimes I need to connect a VM to a specific VLAN (DMZ, Test, etc.). Currently I do this by connecting wired to a trunk/tagged port. Sometimes this isn't convenient as I'm in a conference room or far from a network drop, so I was wondering if there's any way to create an SSID that would pass as a wireless "trunk" port.

Edit: while still keeping the host laptop in the regular client access WiFi VLAN.



What is the purpose of subnetting, and how in layman's terms does it work?

So I understand the basics of how to conjure up these subnets and the absolute basics of what they are. Class A, B, C subnets signify the number of octets that are given to the network part of the address.

But I don't understand fully why they exist. Say we have a subnet for your house of 255.255.255.0. What is the significance of this thing and what exactly does it do for you? As I understand it, the first three octets are the network portion. The last portion is the host address. 192.168.1.11, 192.168.1.12 and those are apparently two computers on the exact same network, with different host numbers 11 and 12. But I'm having trouble understanding what the point of subnetting is or what it actually does.
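The mask is a bit pattern the host ANDs with addresses to split them into network and host parts, and the reason it exists is the forwarding decision the host makes with it: an address on the same network is delivered directly on the link, anything else is handed to the gateway. The following is an added worked example (not from the post) that carries the question's own addresses, 192.168.1.11 and 192.168.1.12 with mask 255.255.255.0, through that arithmetic; the gateway address 192.168.1.1 and the outside address 8.8.8.8 are assumptions for illustration.

```python
"""Subnet-mask arithmetic and the forwarding decision it exists for."""
import socket
import struct


def ip_to_int(ip: str) -> int:
    """Dotted quad -> 32-bit integer (network byte order)."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n & 0xFFFFFFFF))


def prefix_len(mask: str) -> int:
    """255.255.255.0 -> 24; rejects masks whose one-bits are not contiguous."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a valid contiguous subnet mask")
    return ones


def network_address(ip: str, mask: str) -> str:
    """The network part: the bits the mask keeps (address AND mask)."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def host_number(ip: str, mask: str) -> int:
    """The host part: the bits the mask zeroes out (address AND NOT mask)."""
    return ip_to_int(ip) & ~ip_to_int(mask) & 0xFFFFFFFF


def broadcast_address(ip: str, mask: str) -> str:
    """All host bits set: the address that reaches every host on the subnet."""
    return int_to_ip(ip_to_int(ip) | (~ip_to_int(mask) & 0xFFFFFFFF))


def same_subnet(a: str, b: str, mask: str) -> bool:
    return network_address(a, mask) == network_address(b, mask)


def usable_hosts(mask: str) -> int:
    p = prefix_len(mask)
    if p >= 31:              # RFC 3021 point-to-point /31, or a single-host /32
        return 2 if p == 31 else 1
    return 2 ** (32 - p) - 2  # minus the network and broadcast addresses


def next_hop(src: str, dst: str, mask: str, gateway: str) -> str:
    """The host's forwarding decision: on-link destinations are sent directly
    (the host ARPs for them), everything else goes to the default gateway."""
    return dst if same_subnet(src, dst, mask) else gateway


if __name__ == "__main__":
    mask = "255.255.255.0"
    for ip in ("192.168.1.11", "192.168.1.12"):
        print(ip, "-> network", network_address(ip, mask), "host", host_number(ip, mask))
    print("to 192.168.1.12 via", next_hop("192.168.1.11", "192.168.1.12", mask, "192.168.1.1"))
    print("to 8.8.8.8 via", next_hop("192.168.1.11", "8.8.8.8", mask, "192.168.1.1"))
    print("usable hosts in a /%d:" % prefix_len(mask), usable_hosts(mask))
```

With a /24 the two computers share the network part 192.168.1.0 and differ only in host numbers 11 and 12, so the first sends to the second directly; 8.8.8.8 fails the comparison and is sent to the gateway. The same comparison also bounds the broadcast domain (ARP, DHCP discovery) to the 254 usable hosts of that /24, and changing the mask to 255.255.255.128 is enough to put 192.168.1.11 and 192.168.1.200 on different networks so that traffic between them must be routed.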



Network Admin Toolbox

Hi guys,

I've been looking around and talking to some neteng's about some of the tools/tricks they have up their sleeves. In an IRC channel I was in, a few people told me to look into RANCID, which I did. I was just about to set it up when someone told me about Oxidized, which I looked into and set up. I searched around here and see a handful of posts about this stuff I intend to read.

For monitoring/graphing purposes, I've always liked Cacti and used it, but recently I've also discovered LibreNMS + Observium (yes, I know that they are separate projects etc. and one is based off of the other). I'm familiar with PRTG too.

What are some other must haves you have that might be useful to others? Like your swiss army knife, but of software. I'm just starting to get into the network side of things and loving it.

I see that there is a link on the wiki to: http://ift.tt/2BjDNVS

However, I'm not looking for recommendations of what you use or what's better than the other, I just am looking for a comprehensive list so I can look into all of them.


TL;DR

Looking for building list of tools, for my own reference. Please contribute what you can!

Graphing/Monitoring

  • Observium
  • PRTG
  • MRTG
  • Cacti
  • LibreNMS

Config management

  • RANCID
  • Oxidized
  • Homebrew git system


Factchecking a debate about Net Neutrality on FB

Came across this debate between a conservative and a liberal about net neutrality. I'm a bit lost as to which one was getting his facts straight, so I'd appreciate a critique of their statements from somebody knowledgeable about NN.

TL;DR: was the internet de facto neutral from 1994 until a couple of ISPs started doing some things in the ~2010s? Then Obama had to step in to maintain the status quo of NN? Or was the internet decidedly un-neutral for most of its history, with ISPs putting their hands on the traffic with impunity until Obama put that to a stop?

Did ISPs' prices for their services go up faster than normal when NN was enforced?

Did NN, after it was enforced in 2015, make any aspect of the internet objectively worse?


The debate

Mr. Conservative: After the repeal, the internet companies will be able to compete once again and investors will be flocking back into technology based innovative programs. Before this dumb law was enacted by Obama there were no shortage of investors for internet provider companies. When it became a law it took away the incentive from investors which made it difficult for internet companies to develop new ideas and new technology. It also prevented them from being competitive, in search for customers who might want to choose their own package / price options. Actually the price of internet went up on most everybody since the law was enacted. Why? Because it discouraged competition. Without this law they can now compete for customers and offer different packages / prices. Believe it or not, it will lower the price of internet. The scare tactic of higher internet is a myth.

Mr. Liberal: Right wing propaganda. The only companies that are against NN are ISPs which don't add much value beyond providing internet connection.

Mr. Conservative: what you just said is left wing propaganda. Countless companies besides ISPs are against NN. You can google it up.

Mr. Liberal: I'm a web developer who deals with the internet on an everyday basis - it's my lifeblood. So I can say with certainty that things have NOT worsened since NN was enacted. What you said was nonsense.

Mr. Conservative: so is my brother. He is against NN.

Mr. Liberal: My point is not that web developers should support NN, it's that things haven't worsened even a bit in the past 2 years.

Mr. Liberal: The internet was NN by default until an ISP held Netflix hostage, demanding ransom to resume streaming its video at normal speed. There were further plans from ISPs to control the internet until Obama stepped in.

Mr. Conservative: Clearly you’ve forgotten what it was like before Obama enacted this silly law.

Mr. Conservative: Before net neutrality I didn’t have to pay for hotmail account. I didn’t have to pay for a lot of things. With Net Neutrality I seem to pay more. I am paying more for access to internet. My internet is higher now with Net Neutrality. I checked my old budget book from 1990’s and 2000’s. And it was $20 monthly to $40 monthly. Now I pay a little over $80. So much for net neutrality because it destroyed competition.

Mr. Liberal: lol NN is only two years old. You'll have to look at the trajectory from the 1990s till 2015

Mr. Liberal: Actually, you may not realize it but you proved my point when you said you liked things the way they were "before NN". From the beginning, the internet was NN by default, as ISPs didn't interfere with internet traffic. It was only when a couple of companies started to encroach on the traffic that NN was formally enforced. Since NN was all what we've experienced up to date, and you liked what you experienced, you like NN. A large majority of the public like it. So the burden is on you to prove that we're better off with this recent change.

Mr. Conservative: no, don't lie and twist what I said... that's what liberals do very well. Lying becomes them and you just demonstrated that. If there was an ounce of truth to what you claimed, that of NN being the default of the Internet, then why did Obama enact NN in the first place? Sounds like a bunch of hogwash. Quite typical of liberals. Shameful. Pathetic



Good open source projects you can contribute to?

What are good networking open source projects we can work on and contribute to, with a skillset of good networking knowledge, limited Python and programming knowledge, and being good with documentation?



Service Provider multi-customer monitoring

Hello All,

How can a Service Provider monitor multiple Enterprise customer devices from one centralized appliance? I mean monitoring, for example, using SNMP.

What are the currently existing techniques and best practices that Service Providers follow?



Cisco PVST Simulation, why?

Refer to this document: http://ift.tt/2ClLGtg

I would like to understand why Cisco implemented this feature, because I don't see any problem if an MST switch just ignores all PVST BPDUs. I think that loops are prevented in all cases because PVST crosses the MST domain transparently.
Can you point to a scenario where the absence of PVST simulation would cause a loop or issue?



Best practices: which is better for your edge device? A firewall or a router?

Just as the title says... I was wondering if you could eli5 what you thought was best practice for your devices connecting to the ISP.

Would it be better to have the ISP - Router - Firewall - L2/L3 switch - LAN topology, or ISP - Firewall - Router, etc.? Does best practice depend on the size of the company? I haven't been exposed to many environments, so I was wondering what you all thought since most of you do this every day.

Thanks



Friday, December 15, 2017

Is there a way I can find a smaller, open-internet isp in my area?

No text found

Symantec DLP Discover Scan to Linux share via NFS

After enabling NFS on our Windows 2008 server as we were told to do, when we try to scan the Linux share, it doesn’t even generate a packet for wireshark to see on the Windows machine. Has anyone run into this issue?

We cannot use SMB or SFTP at this time for the scan.

We have received a system 53 error and an unknown error. We know our path is correct.



Wireless channel width

Hi All,

Just hoping I could get some advice on an issue I have. We currently have a Cisco 5508 WLC hosting a number of APs for our sites (running 8.3.x). At one of our sites, we are experiencing wireless voice issues due to radar interfering with the APs, as DCA was putting the APs onto DFS channels (802.11h is enabled but does not seem to be doing much). The APs at the site are 2802 APs, with 160MHz channel width enabled (the WLC is set to "best" channel width).

Anyway, we have manually set these APs to avoid DFS channels, which has caused the APs to use channels 36 to 48 (due to the WLC choosing the "best" channel width). This has helped but we are still having issues.

At this site, there is a large number of APs due to the amount of clients. I now think the issue is because all the APs are on the same channel. What would your recommendation on channel width be: 20, 40 or 80? At this moment in time, as there's only a limited number of channels we can use outside of DFS, we will have to go 20MHz to allow DCA to calculate correctly. We do have clients on the 5GHz range which would benefit from high throughput, but the priority will be stability.

Thanks



Network and systems engineers, how much do you make and how many years of experience do you have?

Trying to see if being in IT is worth it or not.

How much do you make?

Years of experience?

Education and certs?

Where do you work?

***This is meant for those in networking and systems administration

I am checking Glassdoor but I'm looking for more information



Anyone know any Risc Networks alternatives?

Hi, I am part of a consulting group that uses a product made by Risc Networks called IT Healthcheck. It has some analytics that help point out the bigger pain points on the network, server and VM infrastructure as well. The best part about it is the automated report it creates at the end of the assessment. Does anyone know of an alternative for this or worked with something similar?



Small, lower power WiFi to WiFi gateway anyone?

I'm trying to get multiple devices to communicate over the internet from a public WiFi. Does anyone know a portable (ish) commercial product that is able to do this? I've normally used VPN routers in the past (for security reasons) and there are plenty of APs/Gateways that give you wired connections, but I need WiFi to the endpoints. Any ideas?



Fortinet VPN Licensing?

Can anyone confirm if there is any licensing other than just buy the box that's the size you need in terms of throughput and concurrent client connections please?

I can see some prices here http://ift.tt/2AOVAaq which is so cheap as to not care but I'm unclear at what point I need to pay for anything at all other than the box.



Outbound Discards

I have a 2920-24G (J9726A) that is reporting Outbound Discards on its uplink port (#2) to our core switch, a 2910al-48G (J9148A).

The 2920-24G is used for storage, and our three ESXi boxes are connected to it as well. The NAS is connected with two 10G, while the ESXi boxes have only 1G connections.

We do have a Veeam VM with a NIC on the storage network and it does a backup copy job to a machine offsite on a different subnet.

I ran this a few seconds apart:

2920-24G# show interface 2

 Status and Counters - Port Counters for port 2

  Name  : Core: 2910al-48G [1Gbps]
  MAC Address      : d4c9ef-bbf13e
  Link Status      : Up
  Port Enabled     : Yes
  Totals (Since boot or last clear) :
   Bytes Rx        : 386,799,269          Bytes Tx        : 3,096,011,716
   Unicast Rx      : 2,951,957,285        Unicast Tx      : 3,249,931,476
   Bcast/Mcast Rx  : 141,823,075          Bcast/Mcast Tx  : 3,492,270
  Errors (Since boot or last clear) :
   FCS Rx          : 0                    Drops Tx        : 39,625,576
   Alignment Rx    : 0                    Collisions Tx   : 0
   Runts Rx        : 0                    Late Colln Tx   : 0
   Giants Rx       : 0                    Excessive Colln : 0
   Total Rx Errors : 0                    Deferred Tx     : 0
  Others (Since boot or last clear) :
   Discard Rx      : 0                    Out Queue Len   : 0
   Unknown Protos  : 0
  Rates (5 minute weighted average) :
   Total Rx (bps)  : 51,379,816           Total Tx (bps)  : 39,966,440
   Unicast Rx (Pkts/sec) : 1,375          Unicast Tx (Pkts/sec) : 1,213
   B/Mcast Rx (Pkts/sec) : 14             B/Mcast Tx (Pkts/sec) : 0
   Utilization Rx  : 05.13 %              Utilization Tx  : 03.99 %

2920-24G# show interface 2

 Status and Counters - Port Counters for port 2

  Name  : Core: 2910al-48G [1Gbps]
  MAC Address      : d4c9ef-bbf13e
  Link Status      : Up
  Port Enabled     : Yes
  Totals (Since boot or last clear) :
   Bytes Rx        : 737,207,313          Bytes Tx        : 3,536,445,140
   Unicast Rx      : 2,952,049,801        Unicast Tx      : 3,250,023,646
   Bcast/Mcast Rx  : 141,824,075          Bcast/Mcast Tx  : 3,492,300
  Errors (Since boot or last clear) :
   FCS Rx          : 0                    Drops Tx        : 39,626,479
   Alignment Rx    : 0                    Collisions Tx   : 0
   Runts Rx        : 0                    Late Colln Tx   : 0
   Giants Rx       : 0                    Excessive Colln : 0
   Total Rx Errors : 0                    Deferred Tx     : 0
  Others (Since boot or last clear) :
   Discard Rx      : 0                    Out Queue Len   : 0
   Unknown Protos  : 0
  Rates (5 minute weighted average) :
   Total Rx (bps)  : 48,984,592           Total Tx (bps)  : 41,587,720
   Unicast Rx (Pkts/sec) : 1,354          Unicast Tx (Pkts/sec) : 1,223
   B/Mcast Rx (Pkts/sec) : 12             B/Mcast Tx (Pkts/sec) : 0
   Utilization Rx  : 04.89 %              Utilization Tx  : 04.15 %

2920-24G# show interface 2

 Status and Counters - Port Counters for port 2

  Name  : Core: 2910al-48G [1Gbps]
  MAC Address      : d4c9ef-bbf13e
  Link Status      : Up
  Port Enabled     : Yes
  Totals (Since boot or last clear) :
   Bytes Rx        : 824,037,067          Bytes Tx        : 3,556,387,893
   Unicast Rx      : 2,952,064,081        Unicast Tx      : 3,250,034,877
   Bcast/Mcast Rx  : 141,824,184          Bcast/Mcast Tx  : 3,492,302
  Errors (Since boot or last clear) :
   FCS Rx          : 0                    Drops Tx        : 39,626,532
   Alignment Rx    : 0                    Collisions Tx   : 0
   Runts Rx        : 0                    Late Colln Tx   : 0
   Giants Rx       : 0                    Excessive Colln : 0
   Total Rx Errors : 0                    Deferred Tx     : 0
  Others (Since boot or last clear) :
   Discard Rx      : 0                    Out Queue Len   : 0
   Unknown Protos  : 0
  Rates (5 minute weighted average) :
   Total Rx (bps)  : 49,881,600           Total Tx (bps)  : 41,049,888
   Unicast Rx (Pkts/sec) : 1,363          Unicast Tx (Pkts/sec) : 1,227
   B/Mcast Rx (Pkts/sec) : 12             B/Mcast Tx (Pkts/sec) : 0
   Utilization Rx  : 04.98 %              Utilization Tx  : 04.10 %

I'll be the first to admit that I am not great at networking, so please excuse me if something is wildly misconfigured. I'm willing to show our config (censored a bit) if that will help troubleshoot this.

Thank you for any help!
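The lifetime Drops Tx total says little on its own; what matters is how fast it climbs relative to the frames the port actually sends between two readings. The following added example (not from the post) parses the two-column `show interface` counter format above and computes that per-interval drop share. The snapshot text is a constructed replica of the post's output with its numbers copied in; the second and third snapshots are trimmed to the sections the calculation needs.

```python
"""Parse HP/Aruba 'show interface' port counters and rate Drops Tx between snapshots."""
import re

# Constructed replica of the post's output (numbers copied from it). The first snapshot is
# complete; the other two are trimmed to the Totals and Errors sections.
SNAPSHOTS = [
    """2920-24G# show interface 2

 Status and Counters - Port Counters for port 2

  Name  : Core: 2910al-48G [1Gbps]
  MAC Address      : d4c9ef-bbf13e
  Link Status      : Up
  Port Enabled     : Yes
  Totals (Since boot or last clear) :
   Bytes Rx        : 386,799,269          Bytes Tx        : 3,096,011,716
   Unicast Rx      : 2,951,957,285        Unicast Tx      : 3,249,931,476
   Bcast/Mcast Rx  : 141,823,075          Bcast/Mcast Tx  : 3,492,270
  Errors (Since boot or last clear) :
   FCS Rx          : 0                    Drops Tx        : 39,625,576
   Alignment Rx    : 0                    Collisions Tx   : 0
   Runts Rx        : 0                    Late Colln Tx   : 0
   Giants Rx       : 0                    Excessive Colln : 0
   Total Rx Errors : 0                    Deferred Tx     : 0
  Others (Since boot or last clear) :
   Discard Rx      : 0                    Out Queue Len   : 0
   Unknown Protos  : 0
  Rates (5 minute weighted average) :
   Total Rx (bps)  : 51,379,816           Total Tx (bps)  : 39,966,440
   Unicast Rx (Pkts/sec) : 1,375          Unicast Tx (Pkts/sec) : 1,213
   B/Mcast Rx (Pkts/sec) : 14             B/Mcast Tx (Pkts/sec) : 0
   Utilization Rx  : 05.13 %              Utilization Tx  : 03.99 %
""",
    """  Totals (Since boot or last clear) :
   Bytes Rx        : 737,207,313          Bytes Tx        : 3,536,445,140
   Unicast Rx      : 2,952,049,801        Unicast Tx      : 3,250,023,646
   Bcast/Mcast Rx  : 141,824,075          Bcast/Mcast Tx  : 3,492,300
  Errors (Since boot or last clear) :
   FCS Rx          : 0                    Drops Tx        : 39,626,479
""",
    """  Totals (Since boot or last clear) :
   Bytes Rx        : 824,037,067          Bytes Tx        : 3,556,387,893
   Unicast Rx      : 2,952,064,081        Unicast Tx      : 3,250,034,877
   Bcast/Mcast Rx  : 141,824,184          Bcast/Mcast Tx  : 3,492,302
  Errors (Since boot or last clear) :
   FCS Rx          : 0                    Drops Tx        : 39,626,532
""",
]

# "<label> : <number>" pairs; the lookahead keeps "Core: 2910al-48G" from being read as a counter,
# and the lazy label lets two pairs share one line.
COUNTER_RE = re.compile(r"([A-Za-z/ ()]+?)\s*:\s*([\d,.]+)(?=\s|$)")


def parse_counters(text: str) -> dict:
    """{'Bytes Rx': 386799269, ..., 'Utilization Tx': 3.99} from one snapshot."""
    counters = {}
    for label, value in COUNTER_RE.findall(text):
        v = value.replace(",", "")
        counters[label.strip()] = float(v) if "." in v else int(v)
    return counters


def interval_stats(prev: dict, cur: dict) -> dict:
    """Egress counter growth between two snapshots and the share of frames dropped."""
    drops = cur["Drops Tx"] - prev["Drops Tx"]
    frames = (cur["Unicast Tx"] - prev["Unicast Tx"]) + (cur["Bcast/Mcast Tx"] - prev["Bcast/Mcast Tx"])
    return {"drops_tx": drops, "frames_tx": frames, "drop_ratio": drops / frames if frames else 0.0}


def summarize(snapshots) -> list:
    parsed = [parse_counters(s) for s in snapshots]
    return [interval_stats(a, b) for a, b in zip(parsed, parsed[1:])]


if __name__ == "__main__":
    for i, s in enumerate(summarize(SNAPSHOTS), 1):
        print(f"interval {i}: {s['drops_tx']} drops in {s['frames_tx']} frames "
              f"({s['drop_ratio']:.2%})")
```

Between the first two readings 903 of 92,200 transmitted frames were dropped (about 1%), and 53 of 11,233 between the next two, while the 5-minute utilisation stays around 4%. A drop counter that keeps climbing at that average load is the signature of short bursts overrunning the port's egress buffer, which is what a 10G-attached NAS feeding a 1G uplink produces; sampling the counter over time like this, rather than reading the lifetime total, is how you tell current drops from an old accumulated count.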



How to use pfsense to limit traffic to servers?

I've just upgraded my work internet connection and I need to limit bandwidth available to my 4 public ip servers.

I really love pfsense and I use it for openvpn site to site, nat and firewall but I need some advice.

The request is to leave the public IPs for the servers in the same class as the pfsense box, but at the same time limit the available traffic to them.

Thanks and sorry for my English..



Nexus 5K shows No Operational Members in Port Channel with 4 Up/Up interfaces ... wtf

So I had my day ruined yesterday because of this shit.
Doing some housekeeping on our N5K's, I inherited a poorly maintained network.
I decided I would remove all unused Port Channels. Any Port Channel that had a status of "noOperMem" was getting deleted. Seemed like a simple task.
I was mistaken.
Deleting away, and all of a sudden tickets start flying in and phones start ringing. Users can't access the servers.
Turns out I deleted Port Channels that WERE being used in our Server farm.
Took me 3 hours to rebuild all the damage.
Fuck you Cisco.
I wanted to save this for Wednesday but nah.

Is this a thing, showing noOperMem on active channels???

I know I should have been more diligent before just deleting shit, but showing noOperMem when there are clearly up/up interfaces attached is complete bullshit.



[Junos srx100h2] limiting traffic speeds for everything except connections to 1.2.3.4/0

Hey /r/networking

I'm trying to configure one of our customers' SRX100H2 to only use 1/3 of their bandwidth unless they are connecting to our services (in this example 1.2.3.4/24).

I've tried the following, but it does not exclude 1.2.3.4/24 from the limiting rule.


set interfaces fe-0/0/0 unit 0 family inet filter output Traffic-Shape
set interfaces fe-0/0/0 unit 0 family inet filter input Traffic-Shape
set firewall filter Traffic-Shape term 60m from destination-address 1.2.3.4/24
set firewall filter Traffic-Shape term 60m then policer police60m
set firewall filter Traffic-Shape term 60m then accept
set firewall filter Traffic-Shape term 20m from destination-address 0.0.0.0/0
set firewall filter Traffic-Shape term 20m then policer police20m
set firewall filter Traffic-Shape term 20m then accept
set firewall filter Traffic-Shape term last then accept
set firewall policer police20m if-exceeding bandwidth-limit 20m
set firewall policer police20m if-exceeding burst-size-limit 625k
set firewall policer police20m then discard
set firewall policer police60m if-exceeding bandwidth-limit 60m
set firewall policer police60m if-exceeding burst-size-limit 625k
set firewall policer police60m then discard


Any ideas?

Thanks



'Hacker' Christmas Tree shows live firewall activity

We randomly chose a firewall and redirected the blocked traffic logs towards our hacker tree. Each time a colored light goes on, someone is trying to do something he isn't allowed to do. #funproject!

http://ift.tt/2AFCROy



cat 4500 oob mgmt port fa1 1000Mb/s, how come?

Hi guys,

I'm trying to figure out one thing today: whether it is some kind of bug or feature.

Somebody from our monitoring team approached me to check port fa1 on our cat4500 switch, because they're getting some port utilization abnormalities.

I checked the port, and it is an out-of-band management port; it's labeled as FastEthernet but it really shows 1000Mb/s speed.

How is this possible? :)

FastEthernet1 is up, line protocol is up
  Hardware is Fast Ethernet for out of band management, address is
  Description:
  Internet address is
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, 100BaseTX/FX

BTW there are no errors seen on the port itself :)

Thanks for help ;)



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.



What is the best practice to run a continuous packet capture on a server to detect intermittently occurring issues?

No text found

Why RSTP only works on point-to-point link type?

No text found

Thursday, December 14, 2017

Ethernet Ring Protection on Arista?

Hi all,

Anyone with any experience with Arista know if Ethernet Ring Protection (G.8032) feature is supported on Arista switches? From the EOS supported features I can only find loop-protection which is a similar thing to STP but not so much for a ring.



Data Center vs AWS

I was wondering what you guys' thoughts were on people certifying in Cisco's data center track. With the rise of AWS and more companies moving their data centers to the cloud, will this eventually make the cert obsolete/less popular since fewer companies will be running Nexus? I still see tons of people certifying in data center. Maybe I'm missing something here.



Theoretically, could a virtual circuit be set up to make traffic flow over the same link twice before reaching its destination?

This is also assuming you have complete control over what is in the routing tables. Could this be possible? How could it be accomplished?



Making a tunnel from one business to another?

Working with a business that needs their POS system in one shop to appear as though it is residing in their other business down the road. What is the best way to create the tunnel?



Secure management network designs for critical/monitoring equipment

For background, I have been asked to implement a monitoring/management network for a small service provider. Basically it would provide out of band access to things like management ports and console servers (for serial ports,) and various monitoring equipment. The higher ups are obsessed with security (rightfully so) but I think they are being paranoid beyond reason. I don't think they will be satisfied with anything less than a completely airgapped network with swivel seat workstations (I don't know who floated that idea, but I'm shaking my fist.) How do I get them to back off on that idea and implement a more reasonable (cheaper, less complicated, more user-friendly) solution?

I don't see what we can't accomplish with a combination of ACLs and a firewall gate-keeping "outside" from "monitoring." Maybe require a client-based VPN to get into the management network from outside. I would like to also be able to implement a backup connection for each site through a third party internet connection (because this is critical monitoring equipment,) but that would require exposing the firewall to the internet for IPSec. I don't get why exposing just IPSec/Client VPN to the internet is so unacceptable. Even just VPN from the inside corporate network is a hard sell for them. If even the best designed firewalls are unacceptable, what is?

I have worked with other, much larger providers and none of them have been this paranoid. They all have just used simple ACLs/firewalls to protect their management network, and some even do everything in-band, only with ACLs.

I'm mostly just venting because of how gross some of the proposed solutions are and I probably won't be able to convince them of anything, but if anyone has some good talking points to pull them towards something less frustrating, I'm all ears.



Dell PC 2724 replacement switch recommendation.

Heyo! I'm the IT guy at a small business currently going through some hardware consolidation/refresh. Gooood tiiiimes!

We've ruled out going 10Gb with this refresh, but it does look like a good time to replace our aging PowerConnect 2724 switch, and I was wondering if anyone had any recommendations?

The only feature we'd like that 2724 doesn't have is dynamic LACP support as we will also be upgrading our wireless router to 802.11ac wave2 which supports 2-port aggregation and NAS backup which supports 4 ports.

Thanks for any suggestions!

edit: added dynamic LACP as 2724 only supports static.



Question About WANs

Hello r/networking.

So, I'm about to take the Net+ exam and feel 95% confident I will pass. This post isn't asking for advice in that regard (yes, I read the sidebar).

What I have is a more theoretical or abstract question that every single study resource I've used doesn't seem to address -- or I'm just not understanding the text.

Here It Is: When we talk about Wide Area Networks, are we talking about a) a dedicated and private connection between, e.g., Office A in LA and Office B in NYC; b) the whole of the internetwork that exists on the other side of every private network; c) a combination / something in between / something else entirely.

None of my study resources give any context whatsoever to their discussion of WANs. And I have no real IT experience. So context would be so, so helpful in helping me get my head around this one aspect.

Thanks!



Best Cat (Ethernet) cables and switches for large video files.

So at work we download a lot of high frame rate video on a constant basis. We'll probably download about 50-150GB of video at a time and we need faster speed.

Right now we have CAT5 cable running on old 10/100Mbps switches. I'm assuming that to get better speeds all we'll need to do is upgrade to CAT 6 or 7 and to 100/1000 Mbps switches (for the computers as well). Is this correct?



1RU Front to Back Horizontal Cable Management for Cabinet

Anyone have good suggestions on this topic? It needs to be 1RU horizontal and used for front to back cable management in a cabinet. Obviously needs to be able to fit in the cabinet with doors closed. Any help would be appreciated.



Aruba 5400 ACL Configuration

I'm working on configuring ACLs on my 5412zl to increase security. This is probably basic stuff. I'm confused about the best way to configure the ACL.

Here's the idea:

  • VLAN 60 = Security Camera VLAN
  • VLAN 2 = Server VLAN
  • VLAN 8 = Data VLAN
  • Then there are other VLANs that never need access to security

Here's what I want:

  1. Anything in VLAN 60 should NOT be able to contact anything in the other vlans (e.g. a security camera cannot ping/access something in the server VLAN).
  2. Two servers in VLAN 2 need to access everything in VLAN 60
  3. One workstation in VLAN 8 needs to access one device on port 80 in VLAN 60.
  4. Nothing else needs access to VLAN 60

Here's a drawing

Here's my config:

ip access-list extended "Security-Out"
   10 permit ip 10.1.2.10 0.0.0.0 10.1.60.0 0.0.3.255
   15 permit ip 10.1.2.20 0.0.0.0 10.1.60.0 0.0.3.255
   100 permit tcp 10.1.8.10 0.0.0.0 10.1.60.10 0.0.0.0 eq 80
   200 deny ip 0.0.0.0 255.255.255.255 10.1.60.0 0.0.3.255
   exit
vlan 60
   name "Security"
   untagged E19,F20
   tagged B1,B3-B24,E16-E18,E21,E23,I12,I17
   ip access-group "Security-Out" out
   ip address 10.1.60.1 255.255.252.0
   exit
vlan 8
   name "Data"
   untagged E19,F20
   tagged B1,B3-B24,E16-E18,E21,E23,I12,I17
   ip address 10.1.8.1 255.255.252.0
   exit
vlan 2
   name "Server"
   ip address 10.1.0.1 255.255.252.0
   tagged e1
   exit
(plus about 15 other VLANs that don't have access to VLAN 60)

Okay, this works as intended. But I'm not sure if it's best practice. My biggest worry is that something in VLAN 60 could still potentially do a DoS or something, since I THINK traffic can go from 60 to X, but not back (that's why pings fail).

Guidance or suggestions are very much welcome.

Edit: Should comment that simply applying the "ip access-group 'Security-Out' out" in VLAN 60 is how I apply the ACL.

For my GUEST wireless network, I used the opposite process and did "ip access-group 'Guest' in", to stop the traffic in GUEST going to production VLANs.
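The worry in the post is exactly what an ACL applied with `out` on VLAN 60 does: it is checked against routed traffic leaving the switch onto VLAN 60, so a camera's own packets toward another VLAN are forwarded and only the replies are blocked. The following added example (not the switch's code, not from the post) models the first-match, implicit-deny evaluation of the "Security-Out" list above for both the request and the reply of a flow, and then adds a hypothetical "Security-In" list for VLAN 60, in the same spirit as the GUEST `in` ACL the post mentions, that stops camera-originated traffic at the source. The model covers routed traffic between VLANs only; the ephemeral reply port and the host addresses 10.1.60.50 and 10.1.8.50 are constructed.

```python
"""Model of how the VLAN 60 ACL in the post is evaluated, request and reply."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional


def ip2int(ip: str) -> int:
    return struct.unpack("!I", socket.inet_aton(ip))[0]


@dataclass
class Entry:
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None   # "eq <port>" on the destination


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def wc_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are 'don't care'; 0.0.3.255 therefore means a /22."""
    care = ~ip2int(wildcard) & 0xFFFFFFFF
    return ip2int(addr) & care == ip2int(base) & care


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return wc_match(p.src, e.src, e.src_wc) and wc_match(p.dst, e.dst, e.dst_wc)


def evaluate(acl, p: Packet) -> str:
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for e in sorted(acl, key=lambda e: e.seq):
        if entry_matches(e, p):
            return e.action
    return "deny"


# "Security-Out" exactly as in the post
SECURITY_OUT = [
    Entry(10, "permit", "ip", "10.1.2.10", "0.0.0.0", "10.1.60.0", "0.0.3.255"),
    Entry(15, "permit", "ip", "10.1.2.20", "0.0.0.0", "10.1.60.0", "0.0.3.255"),
    Entry(100, "permit", "tcp", "10.1.8.10", "0.0.0.0", "10.1.60.10", "0.0.0.0", 80),
    Entry(200, "deny", "ip", "0.0.0.0", "255.255.255.255", "10.1.60.0", "0.0.3.255"),
]

# VLAN subnets from the post's config; all /22, hence the 0.0.3.255 wildcards
VLAN_NETS = {60: "10.1.60.0", 8: "10.1.8.0", 2: "10.1.0.0"}


def vlan_of(ip: str) -> Optional[int]:
    for vlan, net in VLAN_NETS.items():
        if wc_match(ip, net, "0.0.3.255"):
            return vlan
    return None


# An "in" ACL is checked as routed traffic enters the switch from that VLAN,
# an "out" ACL as routed traffic leaves the switch onto that VLAN.
CURRENT = {60: {"out": SECURITY_OUT}}


def forward(p: Packet, vlan_acls=CURRENT) -> str:
    src_vlan, dst_vlan = vlan_of(p.src), vlan_of(p.dst)
    if src_vlan == dst_vlan:
        raise ValueError("model covers routed inter-VLAN traffic only")
    for vlan, direction in ((src_vlan, "in"), (dst_vlan, "out")):
        acl = vlan_acls.get(vlan, {}).get(direction)
        if acl is not None and evaluate(acl, p) == "deny":
            return "deny"
    return "permit"


def flow(client: str, server: str, proto: str, dport: Optional[int], vlan_acls=CURRENT):
    """Forwarding verdict for the request and for the server's reply."""
    request = Packet(client, server, proto, dport)
    reply_port = 49152 if proto in ("tcp", "udp") else None   # constructed ephemeral port
    reply = Packet(server, client, proto, reply_port)
    return forward(request, vlan_acls), forward(reply, vlan_acls)


# Hypothetical "Security-In" for VLAN 60 (not from the post): cameras may only send to the
# hosts that are allowed to reach them; anything else they originate is dropped at the source.
SECURITY_IN = [
    Entry(10, "permit", "ip", "10.1.60.0", "0.0.3.255", "10.1.2.10", "0.0.0.0"),
    Entry(15, "permit", "ip", "10.1.60.0", "0.0.3.255", "10.1.2.20", "0.0.0.0"),
    Entry(100, "permit", "tcp", "10.1.60.10", "0.0.0.0", "10.1.8.10", "0.0.0.0"),
    Entry(200, "deny", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
HARDENED = {60: {"in": SECURITY_IN, "out": SECURITY_OUT}}

if __name__ == "__main__":
    for args in [("10.1.2.10", "10.1.60.50", "icmp", None),      # server -> camera
                 ("10.1.60.50", "10.1.8.50", "udp", 514),        # camera -> data host
                 ("10.1.8.10", "10.1.60.10", "tcp", 80)]:        # workstation -> camera:80
        print(args, "current:", flow(*args), "hardened:", flow(*args, HARDENED))
```

Under the current config the camera-to-data-host flow comes back as `("permit", "deny")`: the request is delivered and only the answer is dropped, so a camera can still push unsolicited traffic (including a flood) at any host on the other VLANs. With the `in` list added, the same flow is `("deny", "deny")` while the three intended flows are unchanged. Before copying the `in` idea, check the switch's ACL guide for which traffic an inbound ACL on this firmware sees, since the model says nothing about traffic switched within VLAN 60 itself.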



EAP-TLS

Hey guys!

I'm a bit lost here trying to set up EAP-TLS

I'd love to have this so we can lock our corporate wifi down to just computers on the domain. This stops people from bringing in their phones and laptops and connecting when they have AD access on their normal account.

I did get PEAP set up and working, which is half the fight here.

Equipment:

Radius - Microsoft NPS server
WLC - Cisco 2500 Wireless Controller
Client - Windows 7

Does anyone have screen shots of how they set this up? I've created a server cert and placed it on the radius server. Taking this off breaks PEAP so I know this part is working. I guess where I'm getting confused is how to implement the client certificate and finish EAP-TLS. How do I link the client cert into the NPS policy or combine it with the server cert?

Here is how I have peap set up

http://ift.tt/2o3ATSd

I tried this guide:

http://ift.tt/2Ci82wy

but it never told me what I need to do to link the client CA.... help! I'm trying to get our company wifi for the first time in their existence. I have the user CA set up so only certain groups can request enrollment as well. I feel like I'm close



Advice request for small design studio LAN setup (multiple rooms)

Hi guys, first time posting here! I was hoping you wouldn't mind advising me on the best way to go from an unreliable Wi-Fi to LAN setup, with the constraints listed below.

I run a small design studio which is part of an old refurbished factory (old walls, not really future-proofed). Our studio has five rooms; four of these feed off the main entrance reception. In one corner of the overall unit is our broadband router/phone line.

We initially got by on the Wifi from that router, but it wasn't strong enough to reach the other end of the unit (about 30ft?). We're on business fibre with Plusnet (UK).

Temporary solution was to use a couple of PowerLAN units which are also wifi boosters, but long story short, it's not good enough for the wifi, and we're not getting the most out of our fibre even via cable (they are tri-port TP-Link 500mbps models). Our cables are almost all old as well. If I remember correctly, they need to be at least Cat5A for gigabit LAN, and some of these cables are from 2001...

I want to invest in a decent LAN solution. At our busiest, we will have up to 8-10 computers plus about as many mobile devices on top of that. Naturally, my plan is to hook everyone up via cable, and leave the wifi to the mobile devices or guests.

We will also be looking to install CCTV soon (4 cameras), but not sure if it's worth doing PoE instead of BNC (BNC currently makes more sense for this scale). I gather I just need to hook up the DVR to the router or switch, but the cameras have options and PoE is one of them, but it means a bigger switch(?).

So, I started looking into 24 port switches with PoE, long term needs and expandability in mind. Thought might as well aim for something I can put in a rack unit. Now thinking it might be a bit overkill, and don't really want a ton of cables going around the place or creating too much work for ourselves.

Would a 5 port switch suffice in the room with the most computers, and just one cable running from the router in the corner to the other end? Maybe another 5 port for the main room with similarly another cable running between that and the router? My room is in the middle, so should I run a main switch from here? Have my own single cable running around? I honestly don't know what the most sensible solution is.

I'd appreciate any advice, and will try my best to answer any questions! Thanks



QoS, Shaping vs. Policing and TCP

I must have some misunderstanding of TCP as when I implement a policer on a port, it breaks TCP (but UDP works just fine.) When I change the policer on ingress to a shaper on egress, it works just fine.

I get 30Mbps for a 100Mbps policer (on a 1G port) with the max burst available in the equipment, but when I implement a shaper, everything smooths out just fine to ~92Mbps for a 100Mbps shaper.

I am running an IPerf to measure speeds and when I limit the bandwidth to ~70Mbps, it works fine on both the policer and shaper (I suppose because congestion control is not triggered.) When I bump it up to 80Mbps, it drops down to ~30 on the policer. Normally IPerf tries to send close to line speed / 1G, so I know there will be drops through both the shaper and policer. Shouldn't TCP congestion control detect the packet loss and adjust the congestion window to compensate? Since in either case I'm sending more than can go through, I know that at some point there will be drops, so why does it work in one case, but not the other? This happens both with IPerf and a file transfer (the initial problem I received.)

For some additional context, I have tried this through both an ME3400 and an Adtran device, both getting the same results with the policer. I am not going to use the Adtran because the model I'm using can't shape per EVC (and Adtran TAC has been very annoying to me lately,) but I can implement a hierarchical shaper on the Cisco and it seems to get the job done.

Can anyone tell me what I'm missing? Is there anything else I can be doing to get a policer to work?
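The behaviour described in the post (a policer collapsing TCP to a fraction of its rate while a shaper at the same rate runs close to line) can be reproduced in a small model. The Python below is an added example, not code from the post or from Cisco or Adtran: a token-bucket policer and a FIFO shaper, each driven by a crude window-based TCP sender that emits its whole window as one line-rate burst per RTT. The 100 Mbit/s rate, 20 ms RTT, 20 kB bucket and 1000-packet queue are assumptions; ACK clocking and queueing delay are not modelled, so the policer figure is pessimistic and the exact numbers are not the poster's 30 and 92 Mbit/s.

```python
"""Token-bucket policer vs FIFO shaper in front of a bursty TCP-like sender.
Added example; the rates, RTT, burst and queue sizes below are assumptions."""

LINE_RATE = 1_000_000_000      # bit/s: the 1G access port the post mentions
RATE = 100_000_000             # bit/s: policer / shaper rate
MTU = 1500                     # bytes per packet
RTT = 0.020                    # seconds (assumed)
BDP_PKTS = int(RATE * RTT / 8 / MTU)          # packets that fit in one RTT at RATE (166)
REFILL_PER_PKT = RATE * MTU // LINE_RATE      # token bytes earned per line-rate packet slot (150)


def police_burst(window_pkts, burst_bytes):
    """Apply a token bucket to `window_pkts` packets arriving back-to-back at line rate.
    The bucket is full when the burst begins (it refills during the idle rest of the RTT).
    Returns the number of packets that conform; the rest are dropped on the spot."""
    tokens = burst_bytes
    passed = 0
    for _ in range(window_pkts):
        tokens = min(burst_bytes, tokens + REFILL_PER_PKT)
        if tokens >= MTU:
            tokens -= MTU
            passed += 1
    return passed


def make_policer(burst_bytes):
    """Wrap police_burst in the (delivered, dropped) interface run_tcp expects."""
    def offer(window_pkts):
        passed = police_burst(window_pkts, burst_bytes)
        return passed, window_pkts - passed
    return offer


class Shaper:
    """FIFO shaper: excess is queued and released at RATE; only queue overflow is dropped."""

    def __init__(self, queue_pkts):
        self.queue_pkts = queue_pkts
        self.backlog = 0

    def offer(self, window_pkts):
        accepted = min(window_pkts, self.queue_pkts - self.backlog)
        self.backlog += accepted
        drained = min(self.backlog, BDP_PKTS)     # one RTT's worth leaves at the shaped rate
        self.backlog -= drained
        return drained, window_pkts - accepted


def run_tcp(offer, rtts=200):
    """Crude window-based TCP: every RTT the sender emits cwnd packets as one line-rate burst.
    A handful of losses is handled by fast retransmit (window halves); many losses in one
    window are treated as a retransmission timeout (window collapses to 1). Returns the
    average goodput in Mbit/s over the run."""
    cwnd, ssthresh, delivered_total = 1, 1 << 30, 0
    for _ in range(rtts):
        delivered, dropped = offer(cwnd)
        delivered_total += delivered
        if dropped == 0:
            cwnd = cwnd * 2 if cwnd < ssthresh else cwnd + 1   # slow start / congestion avoidance
        elif dropped <= 3:
            ssthresh = max(cwnd // 2, 2)
            cwnd = ssthresh
        else:
            ssthresh = max(cwnd // 2, 2)
            cwnd = 1
    return delivered_total * MTU * 8 / (rtts * RTT) / 1e6


if __name__ == "__main__":
    bdp_bytes = int(RATE * RTT / 8)
    print(f"one {BDP_PKTS}-packet burst through a 20 kB policer bucket: "
          f"{police_burst(BDP_PKTS, 20_000)} packets pass")
    print(f"policer, 20 kB burst  : {run_tcp(make_policer(20_000)):6.1f} Mbit/s")
    print(f"policer, BDP burst    : {run_tcp(make_policer(bdp_bytes)):6.1f} Mbit/s")
    print(f"shaper, 1000-pkt queue: {run_tcp(Shaper(1000).offer):6.1f} Mbit/s")
```

police_burst(166, 20_000) shows the mechanism: of a 166-packet window arriving at 1 Gbit/s, only the bucket's worth plus about one packet in ten conforms, so dozens of losses land in a single window and the sender treats it as a timeout rather than a single-loss halving. The shaper queues the same burst and releases it at 100 Mbit/s, so the sender mostly sees delay, not loss. The third run, with the bucket sized to the bandwidth-delay product, is the policer-side fix: a burst allowance at least one BDP deep, which is why "max burst available" on a given box may still be too small.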



EVE-NG, Virtualbox, and Mac OSX: Can't communicate outside of the lab

Apologies in advance if this isn't the place to ask, but I figure this is where the most users of Eve-NG are going to be hanging out...

I am running Eve-NG on VirtualBox on my iMac running OSX Sierra. I have constant frustration getting the Cisco 3725/7206 to communicate outside of the virtual environment.

VirtualBox is bridging two LAN adaptors to either my wired or wireless connection on the iMac, depending on what I'm using at the time. I have an external network set up on EVE-NG that I bridge to either the Cloud0 or Cloud1 interfaces. (Both Cloud0 and Cloud1 are bridged to the local active network adaptor.)

Initially, the emulated IOS images do not get an IP if I set an interface to get one from DHCP, but after some finagling (changing the adaptor that the external network is bridged to, restarting the router image, toggling the "cable connected" setting on the bridged adaptor in VirtualBox) I can get some communication working. In that I can sometimes get a DHCP address, but I cannot ping the gateway (which is also the DHCP server). ARP entries show for the gateway on the router, but that's it. I can't get an ARP entry to show for any other hosts on the network if I ping from the router.

However - if I ping from the external network to the configured interface on the emulated router, I can get an ARP entry and ping replies on the host OS (i.e. pinging from OSX directly to the emulated router.) Even after OSX pings the device and an ARP entry is now in the router's ARP table, I can't ping from the router to the Mac.

It's driving me nuts and I'm hoping someone has run into this previously and can provide some advice.



[Noob Q] How do game servers resolve incoming frames/packet collision

Started studying for the net+ a few weeks ago and have learned a ton.

But I've been wondering... if we take a fighting game and we have two players fighting each other from across the globe and both are inputting commands how would a game server resolve which frames came in first e.g. who landed the first punch, if both players punch at the same time?

More in depth look @Forhonor

How does a fighting game with animations and on reaction counter attacks determine which player scores a hit and which one doesn't?



Cat6k DNAT - Filter on source?

Hi Everyone,

I'm not incredibly familiar with NAT on Cisco IOS, but I have a config I'm struggling with.

Currently, the config is:

ip nat inside source static tcp 4.4.2.3 4466 5.1.8.9 4466 extendable 

Which works great, DNATing 5.1.8.9:4466 to 4.4.2.3:4466. What I need to do, however, is NAT differently based on source.

If coming from 4.1.1.6, DNAT 5.1.8.9:4466 -> 192.168.6.6:4466

If coming from anywhere else, DNAT 5.1.8.9:4466 -> 4.4.2.3:4466

I think this is possible with an ACL, but when I tried to configure it, it wanted a NAT pool as well and that's where I got lost. I have done many NATs on firewalls, but not on IOS. Is anyone able to lend a hand?

Thanks,

Gary



Firewall blocks connection via IP, but hostname works

So I have a problem that I cannot connect to a device's web configuration page using its IP address, but I can with its hostname. With the firewall killed, both work. Firewall logs show blocked entries about netbios and uoipservice.exe, so I think it might have something to do with them. Any ideas? Google helps only with the exact opposite situation.

I can ping both with firewall on. And pinging hostname reveals same IP

Also, if I disable internet connection (wifi) completely, or connect using my personal hotspot, then everything works.



Converted Cisco Firepower 2130 from FXOS to ASA code 9.8.2(15) - Then built a VPN to Azure with route-based VPN (VTI)

(I'll try to fix formatting after I post this. I suck at Reddit formatting)

I recently picked up a Cisco Firepower 2130 appliance to replace my aging Cisco ASAs. I was excited over the new platform and ready to dive in head first into what was the "future". My hopes and dreams were quickly destroyed when I realized the new OS is not ready for production use. To make sure, I fired off some questions to Cisco TAC:

  • Does the Firepower 2130 support route-based VPNs? ----> Not yet

  • Does 6.2.2 support BGP? Can I do BGP with a policy-based or route-based VPN configuration? ----> 6.2.2 supports BGP as a protocol but not over policy based VPN.

  • If these features are not supported (route-based VPN and BGP) are they on a future road-map? If so, what is the timeframe for implementation? ----> These features are not in place for the next release and I cannot see these in the roadmap for a couple of future releases. Right now it is difficult to get a timeframe for this particular VPN feature.

  • Is it possible to configure TACACS management access on a Firepower 2130 with 6.2.2 code? ----> Not yet. It is on the roadmap, but not committed to any particular release.

  • If the feature set is limited in 6.2.2 code would moving to the ASA code support these features? ----> Yes.

  • What is the long-term roadmap for ASA support on the Firepower 2130 appliance? Will support for ASA code eventually go away in favor of the FTD/FXOS native code? ----> They have recently launched the support for ASA on FP2100s. It will be just like using a normal ASA, just the hardware is different, so it should not have many issues or bugs. The goal is to eventually migrate to the FTD image as it is a combination of ASA and Sourcefire images which gives us next generation firewalls, but the support for ASA will still be there for a long time.

  • And finally, do you have any configuration examples of building a VPN from Microsoft Azure route-based VPN to Cisco Firepower 2130 FTD 6.2.2 series of code? ----> Not supported yet

So I went ahead and wiped my Firepower 2130 and put on Cisco ASA code. The process wasn't that bad. You follow an online document, wipe the box, load the new code via TFTP and you're on your way. I did run into some issues with licensing. The Firepower appliance uses Smart Licensing, but when you convert to ASA code it requires 2 additional licenses to be added to your Smart License. You need:

  • Firepower 2100 ASA Standard

  • Firepower 2k Series ASA strong encryption

Without these license features (strong encryption) the ASDM manager will not launch. So make sure you get these licenses set up online and you configure your ASA to use Smart License before attempting to use ASDM.

How do you set up Smart License on ASA? I followed the online tutorial for ASAv smart licensing setup to get things working (oh, and set your DNS on the appliance so it can look up URLs to hit the Smart License web sites).

So let's get back to what we came here for: Route-Based VPN with Azure!

After looking around online and piecing code from different blogs, here is the configuration I came up with that works with Azure VPN and BGP. Hopefully this helps someone.

    license smart
     feature tier standard
     feature strong-encryption
    names
    !
    interface Ethernet1/1
     nameif outside
     security-level 0
     ip address 199.x.x.x 255.255.255.0
    !
    interface Ethernet1/2
     nameif inside
     security-level 100
     ip address 10.30.1.x 255.255.255.0
    !
    interface Tunnel1
     nameif VPN-AZURE-USEAST2
     ip address 192.168.1.1 255.255.255.0
     tunnel source interface outside
     tunnel destination 52.x.x.x
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile AZURE_PROFILE
    !
    router bgp 10001
     bgp log-neighbor-changes
     bgp graceful-restart
     address-family ipv4 unicast
      neighbor 10.50.0.254 remote-as 10000
      neighbor 10.50.0.254 description Azure VPN Gateway BGP Address
      neighbor 10.50.0.254 ebgp-multihop 255
      neighbor 10.50.0.254 activate
      neighbor 10.50.0.254 next-hop-self
      network 10.0.0.0
      network 172.16.0.0 mask 255.248.0.0
      network 192.168.1.0
      no auto-summary
      no synchronization
     exit-address-family
    !
    route outside 0.0.0.0 0.0.0.0 199.x.x.1 1
    route inside 10.0.0.0 255.0.0.0 10.30.1.1 1
    route VPN-AZURE-USEAST2 10.50.0.254 255.255.255.255 52.x.x.x 1
    route inside 172.16.0.0 255.248.0.0 10.30.1.1 1
    crypto ipsec ikev2 ipsec-proposal AZURE_PROP
     protocol esp encryption aes-256
     protocol esp integrity sha-1
    crypto ipsec profile AZURE_PROFILE
     set ikev2 ipsec-proposal AZURE_PROP
     set pfs group24
     set security-association lifetime kilobytes 102400000
     set security-association lifetime seconds 27000
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 3
     encryption aes-256
     integrity sha
     group 2
     prf sha
     lifetime seconds 28000
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    group-policy SITE_AZURE_USEAST2 internal
    group-policy SITE_AZURE_USEAST2 attributes
     vpn-tunnel-protocol ikev2
    tunnel-group 52.x.x.x type ipsec-l2l
    tunnel-group 52.x.x.x general-attributes
     default-group-policy SITE_AZURE_USEAST2
    tunnel-group 52.x.x.x ipsec-attributes
     ikev1 pre-shared-key YOUR-PSK-HERE
     ikev2 remote-authentication pre-shared-key YOUR-PSK-HERE
     ikev2 local-authentication pre-shared-key YOUR-PSK-HERE

You can create your Azure VPN via script, but this time around I created it via the GUI so I don't have any examples.

  • I set up a VPN3 gateway, pointed it to a VNET (10.50.0.0/16).

  • It created the Gateway Subnet for me (10.50.0.0/24) and placed the VPN gateway at 10.50.0.254.

  • I activated BGP and created an ASN (for example: 10000). I wrote down the public IP it presented to me, and I also wrote down the BGP Peer IP (you'll need this for the ASA configuration).

  • I then set up a connection on my VPN gateway. Set up BGP inside of that connection with my ASA BGP ASN (example: 10001 - has to be different from the Azure BGP ASN).

  • On my Cisco Firepower I set the tunnel interface to 192.168.1.1. On the Azure side of the connection 192.168.1.1 was my BGP peer IP. I don't use 192.168's in my data center so this network only lives on the ASA. Its only purpose is to exchange routes with Azure.

  • Then the final thing that got it all to work was to enable BGP on the Azure connection. There is this little button to click on the connection that says Enable BGP. But you can only enable this button once BGP is configured on your connection.

At this point you should be able to ping from the ASA to the Azure VPN gateway IP (10.50.0.254 in this example).

NOTE: On your ASA you will need a route to the Azure VPN gateway IP (10.50.0.254). This route will point to the Azure VPN gateway public IP.

Lessons Learned:

  • Make sure you enable ebgp-multihop in your BGP configuration

Links Used:

  • http://ift.tt/2ArKWC8

Hopefully this helps -Motavar
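The posted configuration offers six IKEv2 policies, and the ASA proposes every configured policy (lowest number first), so the DES, 3DES, SHA-1 and group 2/5 entries are still negotiable even though policy 1 comes first. The Python below is an added example, not code from the post or from Cisco: it parses the `crypto ikev2 policy` and `crypto ipsec ikev2 ipsec-proposal` blocks of an ASA config dump and reports the legacy values. SAMPLE_CONFIG is a constructed excerpt modelled on the policies above, and the table of what counts as weak is this example's own judgement, not a Cisco recommendation.

```python
"""Flag legacy algorithms in the IKEv2 policies and IPsec proposal of an ASA config.
Added example; SAMPLE_CONFIG is a constructed excerpt modelled on the post above and
the WEAK table is this example's own assumption about what not to offer on a new tunnel."""

WEAK = {
    "encryption": {"des": "56-bit DES", "3des": "3DES (64-bit block, Sweet32)", "null": "no encryption"},
    "integrity": {"md5": "MD5", "sha": "SHA-1", "sha-1": "SHA-1"},
    "prf": {"md5": "MD5", "sha": "SHA-1"},
    "group": {"1": "768-bit MODP", "2": "1024-bit MODP", "5": "1536-bit MODP"},
}

AUDITED_BLOCKS = ("crypto ikev2 policy ", "crypto ipsec ikev2 ipsec-proposal ")

# Constructed sample: three of the posted policies plus the ESP proposal.
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AZURE_PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
"""


def parse_blocks(config):
    """Split Cisco-style config into (header, [subcommands]) using leading-space nesting."""
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit(config):
    """Return (block header, finding) pairs for every weak value in the audited blocks."""
    findings = []
    for header, subcommands in parse_blocks(config):
        if not header.startswith(AUDITED_BLOCKS):
            continue
        for cmd in subcommands:
            words = cmd.split()
            if words[:2] == ["protocol", "esp"]:      # proposal lines: 'protocol esp integrity sha-1'
                words = words[2:]
            key, values = words[0], words[1:]
            for value in values:                      # 'group 5 2' lists several groups on one line
                if value in WEAK.get(key, {}):
                    findings.append((header, f"{key} {value}: {WEAK[key][value]}"))
    return findings


def weak_blocks(config):
    """Headers of the blocks that carry at least one finding, in config order."""
    seen = []
    for header, _ in audit(config):
        if header not in seen:
            seen.append(header)
    return seen


if __name__ == "__main__":
    for header, finding in audit(SAMPLE_CONFIG):
        print(f"{header:45s} {finding}")
    print("blocks to revisit:", weak_blocks(SAMPLE_CONFIG))
```

Run against the full posted config the report would list policies 1 through 40 for SHA-1 and groups 2/5, and policies 30 and 40 additionally for 3DES and DES; a clean policy (for example aes-256, sha256, group 14, prf sha256) produces no findings. Removing the unused policies, rather than just adding a stronger one in front, is what shrinks what the peer can negotiate.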



What security is lost with an "Open" SSID for a wireless network?

We have Aruba wireless and I have been working on configuring a SSID that will perform Mac Authentication for our staff devices. I know Mac Auth is not completely secure, we have ClearPass on the roadmap but this is just to tide us over.

What am I losing but not also adding a WPA2 password to the SSID? From searching around Aruba says that "all" traffic would be unencrypted, but I assume https etc.. would still work, so i'm just trying to get a better idea of what types of traffic would lose encryption without the password.

Thanks.



Cisco ASA Remote access VPN Load Balancing questions

Hi, I have 3 5545 devices which will be used for SSL load balancing, however without encryption enabled the load balancing works fine.

With the encryption I am getting duplicate address in SYSlog and also can see that its joining the cluster and dropping out.

The configuration guides on the Cisco site don't give many of the commands that are required for the setup:

http://ift.tt/2AZxLJK

But I don't see anywhere that crypto maps are required to be set up etc.? I can see my cluster joining but dropping out, with syslogs saying duplicate address for the cluster address.



Asking for advice to senior for a small/med business network topology (i'm introducing sophos xg devices)

Hello, I'm a little sysadmin/netadmin for a small/med company (100 users) and I'm here to ask for advice.

I have a small datacenter with 3 ESXi hosts at work, about 30 VMs in total. Actually I have 5 VLANs (1 server / 1 workstation / 1 wifi / 1 guest and 1 VoIP phones) with about 100 devices (printers, AP, workstations etc.) and all VLAN routing is done via an HP 2920 48 port Layer 3 switch (no ACL rules). As firewall/router for internet connection and VPN we use a virtual appliance called Kerio Control in router-on-a-stick configuration (the HP switch sends everything except VLAN traffic to the Kerio VM via a dedicated VLAN trunk isolated from all other VLANs; I have simply disabled layer 3 routing on that trunk VLAN).

I have this question: now we are replacing Kerio with a Sophos XG 210. I'm thinking of redesigning it because our Sophos vendor told me that a router-on-a-stick design could limit the Sophos XG's capability to intercept and block malicious traffic on the LAN network, so the Sophos should be in charge of the routing.

I'm a little afraid to leave all the routing to the XG 210 because in case of update/reboot/change in internet configuration I will lose all routing capabilities, as opposed to having them managed by a switch that I update every year or so, so I can consider it an always-on system. And with this configuration I've resolved also the traffic problem: on the trunk to Kerio I have only the internet traffic and nothing else. We don't have SFP+ modules so the best I could do is to create a LAG of 5 ethernet ports between the XG 210 and the switch to increase bandwidth (I don't have this problem now because all the routing is done by the HP 2920 internally). We transfer pretty large CAD files (from 5 MB to 500 MB) from a PDM archive VM to 20 workstations (3D CAD, SolidWorks).

We also have on an ESXi host Exchange 2013 and other appliances that rely on some iSCSI mapped drives, so if I lose routing I will lose those drives, and if I forget to dismount for example some Exchange DBs that are on those iSCSI volumes before rebooting the XG 210, bad things could happen...

Any idea or advice or else? thank you!



Destination net unreachable from destination host

Does anyone know what would cause the destination host to reply with a net unreachable message?

    Pinging 10.129.20.3 with 32 bytes of data:
    Reply from 10.129.20.3: Destination net unreachable.
    Reply from 10.129.20.3: Destination net unreachable.
    Reply from 10.129.20.3: Destination net unreachable.
    Reply from 10.129.20.3: Destination net unreachable.

    Ping statistics for 10.129.20.3:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),


“Suspicious” event routes traffic for big-name sites through Russia

Unfortunately, for many networks the topic of routing security becomes a priority, only after they've suffered the consequences of an incident.

In the long term, the best way to protect against this type of BGP hijacking is to require your connectivity suppliers to implement relevant security measures. Also request full incident reports after BGP hijacks through your provider have been observed.

In other words: vote with your wallet. The moment it becomes socially unacceptable to operate an Internet network without adequate protections in place, there is economic incentive to view routing security efforts as a competitive advantage rather than a nuisance.

http://ift.tt/2AUr3oH



Wednesday, December 13, 2017

Need help designing a unified network for a student housing building

I recently became the manager for a large student housing building and the first thing that needs to be done is overhaul the wireless network for the building. The building is a 4 story (including basement) housing built in the 1980s with about 35 residential rooms and 45 residents. There is Cat5e running to each of the rooms and a central networking closet that contains a 48 port gig switch for all the Cat5e ports in the rooms. Currently there are 3 networks in the house: an old outdated Meraki setup that covers half of one floor, another separate Meraki system consisting of 3 MR32's and 2 MR18's that covers most of the 1st, 2nd, and third floor, and another separate Google WiFi setup that covers the basement, 1st, and 2nd floor (we have 6 pucks, although none of them talk to each other, they are all just broadcasting their own network). All the access points are just connected to the ethernet ports in residents' rooms. The problem is there are dead spots in the house and poor connection in a lot of rooms.

Our Meraki license is about to expire and I am looking into replacing all the networks in the house with one unified Ubiquiti network. Our budget is $3-4k. Based on my research my plan currently is to hire a recent college grad to come in and do a wireless survey, then buy a Ubiquiti 24 port PoE switch to add to the one in the networking closet and a number of UAP-AC-PROs to cover the entire space. These access points would be installed in the residents' rooms using the ethernet that is already run. My goal is to have one network that covers everywhere and allows people to roam through the space without having to disconnect and reconnect. I would also like basic management tools like per-device rate limiting.

My question is, is this the best way to achieve the result I want? Are there any tips or things I should look out for? Would this be within my budget? I have a basic understanding of networking but nothing special, and this is my first large scale networking project.



Traditional Phone over IP?

I have a small photography studio with a pair of Ubiquiti Nanostations connecting it to my home. I have a "traditional" phone line coming into the studio, and would like to be able to answer the phone at home as well. I haven't come up with a good solution yet; anybody have an idea of where to start? I have a few computers that could act as a server up at the studio.



Why is there 2% more IPv6 usage on weekends?

at least by google. http://ift.tt/1vNFanw and joom enough.



Thoughts on Cape Networks

Would you guys use the company cape networks? (http://ift.tt/2jY6qBv) Seems like a pretty easy solution and wondering if there are any alternatives as well.



NAT to Public IPs from behind 2 different routers.

We've got a block of public IPs: x.x.28.0/23. Our ISP routes these IPs to our dedicated Internet service, which has another small block of public IPs: y.y.y.8/29.

The ISP gateway has customer facing interface y.y.y.9, which is connected to a switch. Our Production firewall Outside interface is y.y.y.12, and is also connected to same switch. The ISP gateway has a static ip route x.x.28.0 255.255.254.0 y.y.y.12. I am able to NAT to Class B Public IPs from the Production firewall OK.

We want to setup a small, separate lab network, using a second firewall, and NAT to a small portion of the same x.x.28.0/23 IP block. Obviously, that static route on the ISP gateway is preventing that from working, so I need to ask my ISP to change the static routes. My question is:

  • Should I ask the ISP to change that static route to use only the customer facing interface as the destination?

  • Is there some combination of static routes that my ISP could configure to allow my lab firewall to NAT to a small subset of that x.x.28.0/23 block? Around 8 public IPs should suffice, but I just can't wrap my head around the subnetting.
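The second question is a longest-prefix-match problem: the ISP keeps its route for the whole /23 towards the production firewall and adds one more specific route, a /29 carved out of that /23, towards the lab firewall; the more specific prefix wins for those 8 addresses and nothing else changes. The Python below is an added example, not from the post or any vendor, using the standard library ipaddress module. The addresses are constructed stand-ins: 198.51.100.0/23 plays x.x.28.0/23, 203.0.113.12 plays y.y.y.12, and 203.0.113.13 is an assumed outside address for the lab firewall on the same /29 link.

```python
"""Carving a lab /29 out of a routed /23 and the two ISP static routes that make it work.
Added example; all addresses are constructed stand-ins for the x.x/y.y values in the post."""
import ipaddress

CUSTOMER_BLOCK = ipaddress.ip_network("198.51.100.0/23")   # stand-in for x.x.28.0/23
PROD_FW_OUTSIDE = ipaddress.ip_address("203.0.113.12")     # stand-in for y.y.y.12
LAB_FW_OUTSIDE = ipaddress.ip_address("203.0.113.13")      # assumed: lab firewall on the same /29


def carve(block, new_prefix=29, position=-1):
    """Pick one sub-block (by default the last /29, 8 addresses) out of `block`."""
    return list(block.subnets(new_prefix=new_prefix))[position]


def isp_routes(block, lab_block):
    """Static routes for the ISP gateway: the whole /23 to production plus the lab's /29
    to the lab firewall. The /29 is more specific, so it wins for its 8 addresses only."""
    return {block: PROD_FW_OUTSIDE, lab_block: LAB_FW_OUTSIDE}


def next_hop(routes, dst):
    """Longest-prefix-match lookup, the rule every router's forwarding table applies."""
    dst = ipaddress.ip_address(dst)
    candidates = [prefix for prefix in routes if dst in prefix]
    if not candidates:
        return None
    return routes[max(candidates, key=lambda p: p.prefixlen)]


def remaining_for_production(block, lab_block):
    """The /23 minus the lab /29, as the prefixes production may still NAT to.
    Keeping the lab addresses out of the production NAT pool avoids two boxes
    answering for the same public address."""
    return list(block.address_exclude(lab_block))


if __name__ == "__main__":
    lab = carve(CUSTOMER_BLOCK)
    routes = isp_routes(CUSTOMER_BLOCK, lab)
    print("lab block:", lab, "-> next hop", next_hop(routes, lab[2]))
    print("a production address:", next_hop(routes, "198.51.100.40"))
    print("production keeps:", [str(p) for p in remaining_for_production(CUSTOMER_BLOCK, lab)])
```

carve() takes the last /29 so the lab range does not sit in the middle of the addresses production already uses; any of the 64 possible /29s works the same way as long as the ISP's second route names exactly that block.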



Reading about DNS servers and was hoping to get some clarification.

As the title says, I've been reading about DNS servers, and I'm just not sure I grasp what the authoritative server is. My book says it's "the authority on computer names and their IP addresses for computers in their domains".

Who does this server belong to?

Is it just a server with the specifics of what domains match with what ip addresses?

Does that mean TLD servers just hold info about which authoritative servers have the specific information that is being requested?

Sorry if this was a really dumb question and thanks in advance to anyone who can assist
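The three questions map onto the three kinds of reply a resolver gets while walking the tree: the root and the TLD servers do not hold the record, they hand out referrals (NS records saying which servers to ask next), and only the server run by, or for, the domain's owner answers with the record itself and marks the answer authoritative. The Python below is an added example, not from the post or any textbook, that walks constructed delegation data for an invented example.com; the server names and 192.0.2.x addresses are stand-ins, not real infrastructure.

```python
"""Toy iterative resolution over constructed delegation data: root and TLD servers answer
with referrals (NS records); only the zone's authoritative server returns the address.
Added example; server names and addresses are invented stand-ins."""

# Each server knows one zone: the child zones it delegates (zone -> name servers) and the
# records it is authoritative for. Constructed data for an invented example.com.
SERVERS = {
    "root-server": {"zone": ".", "delegations": {"com.": ["tld-server"]}, "records": {}},
    "tld-server": {"zone": "com.", "delegations": {"example.com.": ["ns1.example.com."]}, "records": {}},
    "ns1.example.com.": {
        "zone": "example.com.",
        "delegations": {},
        "records": {"www.example.com.": "192.0.2.10", "mail.example.com.": "192.0.2.25"},
    },
}


def in_zone(name, zone):
    """True if `name` is at or below `zone` (both absolute, dot-terminated)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def query(server, name):
    """What one server replies: ('answer', ip) if it is authoritative for the name,
    ('referral', [servers]) if the name lies in a delegated child zone, else ('nxdomain', None)."""
    data = SERVERS[server]
    if name in data["records"]:
        return "answer", data["records"][name]
    children = [zone for zone in data["delegations"] if in_zone(name, zone)]
    if children:
        closest = max(children, key=len)             # the most specific delegation applies
        return "referral", data["delegations"][closest]
    return "nxdomain", None


def resolve(name, start="root-server"):
    """Iterative resolver: follow referrals from the root until an authoritative answer.
    Returns (ip_or_None, trace) where trace lists (server, reply kind) so you can see
    which tier said what."""
    trace, server = [], start
    while True:
        kind, payload = query(server, name)
        trace.append((server, kind))
        if kind == "answer":
            return payload, trace
        if kind == "nxdomain":
            return None, trace
        server = payload[0]                           # ask the first server in the referral next


if __name__ == "__main__":
    for name in ("www.example.com.", "www.nope.com."):
        ip, trace = resolve(name)
        print(name, "->", ip)
        for server, kind in trace:
            print("   ", server, "replied:", kind)
```

In the trace for www.example.com. the root and tld-server entries are both referrals, which is the TLD server's whole job; the answer comes only from ns1.example.com., the server the domain owner (or their DNS host) operates. For a name nobody delegated, the walk stops at the TLD with nxdomain because no authoritative server exists for it.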



Best way to study for CCENT?

I am currently reading the CCENT/CCNA ICND 1 official cert guide. I just finished the first semester of cisco routing and switching at my cc with an A. I don't know how prepared I am, I don't feel that prepared, but I want to do well on the ccent and then move on to ccna r&s. What are good ways to go about studying?



Same IP range on two different circuits?

Is it possible to advertise same /24 IP range on two different internet circuits, just use different IP's on each circuit from this range?



New to managing Cisco ASAs at branch sites - Advice/explanations for some concepts?

I recently started at a company that has several branch sites around the country, each with an ASA that connects back to the HQ using a Site-to-Site VPN tunnel. Prior to this, I've spent most of my time in switches and routers, so I'm not very experienced with ASAs.

I have a CCNA R&S cert that I received earlier this year. While studying, the curriculum for the CCNA was really heavy on routing protocols, indicating you could use GRE tunnels and dynamic routing protocols to connect to branch sites.

However, connecting each site with a Site-to-Site VPN tunnel seems like a much different kind of setup than what I was expecting. Is this a typical setup? From inside the HQ network, I'm unable to reach most networks behind the ASAs at remote locations. I don't see them in the routing table on the firewall here at HQ either, but they are in the Crypto Maps.

I guess I'm really struggling to understand Site-to-Site VPNs, Crypto Maps, the purpose of NAT statements that don't translate addresses, Access Rules vs the ACL Manager, and how all of that fits together.

Any advice would be much appreciated.



Palo Alto FW - Remote Root Code Exec

CVE-2017-15944

http://ift.tt/2BiN8jk

Patch early, patch often. Though no one here is exposing their management interface to the internet right?

Seems a few folk are:

http://ift.tt/2CciBkB



The Denver market for networking jobs is completely saturated.

It's been 5 months now that I've been looking for work here in Denver. I'm from Denver, I have my CCNP and have 10 years of networking experience and I can't even find a job!

This is completely out of control; I've never in my entire career had so much trouble finding work. Apparently everybody moving here is a CCIE with 20 years exp. I keep getting turned down due to "we have selected another candidate with more experience".

You do the math. There are 100k people moving here on a yearly basis with only 60k jobs per year being added. So if you're thinking of moving here, DON'T; there are simply not enough jobs for everyone.



Standard SVI Config

I've been going through our SVIs in our network that I inherited and am trying to make things more consistent, but it's hard to tell what stuff is done on purpose or not. These are the commands that appear throughout:

  • description
  • mac-address
  • ip address
  • secondary ip addresses as needed
  • no ip proxy-arp
  • no ip redirects
  • no ip unreachables
  • ip access-group <in/out>
  • ip helper-address
  • ip pim sparse-dense-mode
  • ip route-cache same-interface
  • ip irdp
  • ip mask-reply

The problem is that not all of the SVIs have each of these commands. ip irdp will be on for half, but missing from the other half. ip mask-reply will be on for all but a handful. It's hard to tell if this was simply user error when creating them or if they weren't added for a specific purpose (which of course isn't documented). I hate to simply apply all the commands across all SVIs.

What do you all tend to do with your SVI configs? I can't seem to find a good "Here's the recommended config" for this sort of thing, so I figured I'd ask the rest of you for your best practices and why you do it that way.
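Before deciding on a baseline, it helps to see exactly which commands are inconsistent across the inherited SVIs rather than eyeballing each one. The Python below is an added example, not code from the post or from Cisco: it parses the `interface VlanN` blocks of an IOS config dump, strips the per-interface values (address, description, helper) so only the keyword is compared, and reports every command that appears on some SVIs but not all. SAMPLE_CONFIG is constructed, and the list of value-carrying commands is an assumption to extend for your own config.

```python
"""Report which per-SVI commands are present on some SVIs but missing on others.
Added example; SAMPLE_CONFIG is constructed and VALUED is an assumption about which
commands take a per-interface argument that should not be compared."""

# Commands whose argument legitimately differs per SVI; compare only the keyword part.
VALUED = ("description", "mac-address", "ip address", "ip helper-address", "ip access-group")

SAMPLE_CONFIG = """\
interface Vlan10
 description Users
 ip address 10.1.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip helper-address 10.1.1.5
 ip irdp
 ip mask-reply
interface Vlan20
 description Servers
 ip address 10.1.20.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip mask-reply
interface Vlan30
 description Printers
 ip address 10.1.30.1 255.255.255.0
 no ip redirects
 ip helper-address 10.1.1.5
 ip irdp
interface GigabitEthernet1/0/1
 switchport access vlan 10
"""


def normalize(cmd):
    """'ip helper-address 10.1.1.5' -> 'ip helper-address'; other commands unchanged."""
    for prefix in VALUED:
        if cmd == prefix or cmd.startswith(prefix + " "):
            return prefix
    return cmd


def svi_commands(config):
    """Map each 'interface VlanN' block to the set of its normalized subcommands.
    Physical interfaces are skipped."""
    svis, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            header = line.strip()
            current = header[len("interface "):] if header.startswith("interface Vlan") else None
            if current:
                svis[current] = set()
        elif current:
            svis[current].add(normalize(line.strip()))
    return svis


def inconsistencies(config):
    """Commands on at least one SVI but not all of them: command -> sorted SVIs missing it."""
    svis = svi_commands(config)
    every = set().union(*svis.values()) if svis else set()
    report = {}
    for cmd in sorted(every):
        missing = sorted(name for name, cmds in svis.items() if cmd not in cmds)
        if missing:
            report[cmd] = missing
    return report


if __name__ == "__main__":
    for cmd, missing in inconsistencies(SAMPLE_CONFIG).items():
        print(f"{cmd:22s} missing on {', '.join(missing)}")
```

The output is the list to take to whoever might remember why a given SVI differs; commands present everywhere (here `no ip redirects`) drop out of the report automatically. For the ICMP-related ones in particular (`ip irdp`, `ip mask-reply`, `ip unreachables`), "off unless documented" is the conservative baseline, since each of them makes the switch answer probes with information about itself and its networks.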



SIP issue with Sonicwall - Sanity check?

First time ever requesting advice here, mostly lurk. Just looking for port/session behavior clarification.

I'm working on a VOIP issue whereby user A makes a call, then completes the call/hangs up. If they pick up the phone to make another call within ~10 seconds of hanging up, they can dial but get dead air before the line goes dead after about 30 seconds.

From a packet side of things, a successful call seems to look like:

  • Device handling SIP trunk at client site sends SIP invite with a destination of the public ip of voip provider.
  • Sonicwall takes it, NAT's it so that the source IP is the sonicwall's WAN IP and the source port is 53XXX, destination port 5060
  • All sip communication for the call from that point on uses source and destination ports of 5060, until the session ends.

If we pick up the phone and try to dial out in the next 10 seconds, the only difference I can see is that the Sonicwall no longer gives the first SIP invite a dynamic source port. It continues to use 5060/5060 as if the previous session didn't end. The SIP device on the client's end continues trying to send invites for about 30 seconds and gives up.

If we wait over 10 seconds, we can usually make a call with the same success behavior.

I'll be very frank, I'm a mid-tier MSP tech trying to figure this out on my own on principle at the moment. Just trying to see if I'm missing something about SIP/NAT behavior.

Weirder still is that the VOIP provider claims they would rather have every packet use 5060/5060. I can force that, so that no invites or sip packets ever get a dynamic port/mapping, but then no calls can be made at all.



My Electronics got stolen, Thief sitting behind NAT IP address

My Post on r/RBI with the Context: Here.

Hello r/Networking, I have got a bit of a situation going on right now and wondered if you can help me. My home was broken into last week and a few things were stolen like Laptop and TV. I've written my story in the post above. So this person is still using my Netflix account on his TV and he is still watching his series. I have followed his activity on Netflix and this guy has used these IP-addresses:
212.88.15.26. Today it changed to: 192.164.122.13. The police told me he is using dynamic NAT IP address. I don't know if it is correct, my police contact was not very tech savvy. If someone could tell me if it is possible to figure out who this guy actually is, I would be so happy! I also have the timestamps when he used Netflix if that helps anything.
Thank you!



A switch that has three root ports....

... Have you guys ever seen this before? We have a switch that has three root ports in an MST instance. MST0 looks fine, but our other three MST instances are showing some wonky stuff.

The switch has three root ports. The CORRECT root bridge is on Te1/1/1. However, the switch is showing Te1/1/1, G2/0/39, and G4/0/10 all as root ports, and the root bridge MAC address shown in the display is hanging off of G2/0/39.

If I shut G2/0/39 and G4/0/10, now the switch becomes the root - yet has a root port. It has a root port, Te1/1/1 - which is the CORRECT root port.

Rebooting all switches downstream from this didn't fix it. We can't reboot this one during the day, we have a reload scheduled for tonight.

You guys ever seen this? Have any suggestions if a reboot doesn't fix it?



Benefits of stacking HP 2610 switches

My client has 4x HP 2610-48G-PWR switches in their network, and they would like to stack them together. They also have some other HP switches in their rack, and at the worst point, some network connections have to hop through 6 switch uplinks to reach the "core switch", which is really just an access switch at the edge of the network.

Reading about this particular model(2610), it seems that there is no stack module for them and only stack via network connections, creating a "virtual stack" that allows you to manage multiple switches from one IP/commander switch.

My knowledge of switch stacking is limited, so I have some questions regarding the benefits of this.

  1. Will stacking these switches help improve their network throughput at all?

  2. In, say, a Cisco switch stack(that uses stacking modules), does the stacking configuration allow for better network throughput? As in, does network traffic still have to 'hop' through switch uplinks, or does it go through the stack connections?



ISRG2 overloaded crypto engine - Does this look right?

I've got an un-flow controlled application that bursts small UDP packets with about 30usec gap between. Yes, it's crap. Working on that...

It's traversing a GRE in IPSec tunnel.

The application sees occasional large gaps in the stream. 50-ish consecutive packets go missing. Looks like tail drop to me.

The sites with problem have the old-style 881 routers. I think I've found the problem, wonder if this makes sense?

The show crypto engine accelerator statistic command includes packets in and packets decrypted counters.

I assume that these values should be moving together under normal circumstances?

These numbers are diverging at a rate of about 100pps.

I've confirmed that the following are working correctly:

  • All application packets are getting encrypted and leaving the source site.
  • All ESP packets are getting delivered to the destination site.

But the decrypted application stream is lossy.

So, what say you? Am I overrunning the crypto engine's input queue?

Is there some other value I should be looking at?



25g and 40G under [CD]WDM network

Hello, I have multiple questions about a WDM network with 40G and 25G.

I can't get a proper response to a bunch of questions:

  • First, can we find colored 25G optics?
  • Do they provide these kinds of optics in colored form for the ER and ZR ranges?
  • Can we find 40G colored optics (with the use of a proper MUX, given that 40G uses 4 colors)?
  • Can we use 2 breakout cables and 4 WDM optics and have a 40G uplink (and not 4×10G)?
  • Does active transmission equipment exist that can shift gray 25G or gray 40G to colored?


Proper CIDR Notation

I architect storage labs for our training organization at work, and when referencing general networks, I tend to use CIDR Notation.

Recently, I stated that the lab's private network is on the 192.168.1/24 subnet. In review, a colleague states that this is improper, and it should read 192.168.1.0/24.

Personally, I find the 0 octet redundant, inefficient and pointless. I can find several references to my preferred reference (dropping blank octets) in Linux and BSD configuration files, but nothing authoritative.

Can anyone provide an authoritative reference about what the proper CIDR notation is? Yes, I've googled, but perhaps I mis-googled.

Any help/input would be appreciated.

Thanks! StorageFreak Dave
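An added example (not from the post) showing how common parsers treat the two spellings: Python's ipaddress module only accepts the four-octet form, while the C inet_aton() family reads "192.168.1" as 192.168.0.1 rather than 192.168.1.0, so the shorthand is ambiguous across tools. The helper below expands the shorthand by appending zero octets and rejects prefixes with host bits set; the function names are mine.

```python
"""Normalize and validate IPv4 CIDR prefixes, including the abbreviated
'192.168.1/24' shorthand from the post (added example; inputs are constructed)."""
import ipaddress
import socket


def expand_shorthand(prefix: str) -> str:
    """Expand a prefix with fewer than four dotted octets by appending zero
    octets: '192.168.1/24' -> '192.168.1.0/24'.  Four-octet input is returned
    unchanged.  Only the 'trailing octets omitted' reading is implemented."""
    addr, sep, plen = prefix.partition("/")
    if not sep:
        raise ValueError(f"missing prefix length: {prefix!r}")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"malformed address: {addr!r}")
    octets += ["0"] * (4 - len(octets))
    return ".".join(octets) + "/" + plen


def normalize_cidr(prefix: str) -> str:
    """Return the canonical 'network/len' string.

    strict=True makes ipaddress reject a prefix whose host bits are set
    (e.g. '192.168.1.5/24'), which is how a typo in a route or firewall rule
    usually shows up; ipaddress itself refuses the three-octet shorthand.
    """
    network = ipaddress.ip_network(expand_shorthand(prefix), strict=True)
    return str(network)


def inet_aton_reading(addr: str) -> str:
    """Show how inet_aton() interprets an abbreviated address: the final
    part fills all remaining bytes, so '192.168.1' becomes 192.168.0.1."""
    packed = socket.inet_aton(addr)
    return str(ipaddress.IPv4Address(packed))


if __name__ == "__main__":
    for text in ("192.168.1/24", "192.168.1.0/24", "10/8"):
        print(f"{text:16} -> {normalize_cidr(text)}")
    print("inet_aton('192.168.1') ->", inet_aton_reading("192.168.1"))
    try:
        normalize_cidr("192.168.1.5/24")
    except ValueError as exc:
        print("rejected:", exc)
```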



Setting up MAC Filtering on ASA 5506-X bridged virtual interface

I am building a lab for my company's future ASA 5506-X [9.8(2)] deployments [Replacing the 881 router] to run Easy VPN back to our campus. We will have a couple of clients in the 'Inside' bridged ports that will reach out back to our main campus. A huge security flaw with EZVPN is that any Joe can take the firewall home and connect to our remote network, so we use MAC Filtering. A problem I have seen is that I don't see how MAC filtering can be applied to the BVI. The Cisco rep I have been emailing with has not been that helpful, either.

Is there some network magicks for this? The easy solution would be to not use a BVI and use a switch, but we want to replace switches with the free ports on the 5506-X.

Thanks in advance!



ACL deny statement troubleshooting techniques on Cisco WLC?

I have an ACL which is supposed to deny all traffic except what's required for the client provisioning process. I can see the counter on the deny ACE increment when my client fails to connect, but I'm having trouble identifying exactly which IP/port it's trying to connect to.

What I've tried so far:

I did a packet capture on the DNS server and watched for its DNS requests. But I think there must be some connections that don't show up in there (maybe some statically configured IPs).

Then I tried:

  debug packet logging acl eth 1 permit any <mac-addr>
  debug packet logging acl eth 2 permit <mac-addr> any
  debug packet logging enable all

But, this doesn't seem to show what I want. I think it's only showing packets sent to the CPU (I'm only seeing DHCP packets), and regular packets hitting the ACL must not be included here? Maybe I'm using it wrong?

Any good ideas of how to do this?



Has anyone taken the NPDESI or NPDEV Network Programmability exams from Cisco?

For those who have taken them, what were your thoughts?

Do the courses on the Cisco Learning Network do a good job prepping you for the exam?



Island Cubicles and dropping communication cables

Hello everyone,

I have a question as an electrical designer for you networking people that deal with the aftermath of decisions made by people like me. I like to do this right, so the IT people are happy and clients are happy.

When it comes to cubicle style office spaces, what do you like to see? In a normal office (standalone with walls) we'll just have regular phone/data outlets with 2xCAT6. Normally when I think of a work station, I think two cables.

With a cubicle style of workstations and dropping from the ceiling it seems like many drop poles can't handle the capacity with this philosophy. For example, 6 cubicles sitting in the middle of the room, that's 12 cables. I realize cables could be dropped at two points, but I want to make sure I'm thinking about this properly.

I realize for data, one could technically drop 1 cable, have a switch lying around the cubicles and go from the switch to each computer. This doesn't seem ideal and depending on client need, 6 computers sharing the total speed of 1 cable may not work.

I'm also aware that one could drop 6 cables for 6 workstations, and you can go cable into telephone, out telephone to computer. (I don't know if that's a specific type of phone system).

So I'm curious. What is ideal for this sort of scenario? Is 2xCAT6 for each cubicle workstation getting excessive? Is there a product I'm unaware of that makes this work a little better?



SonicWALL EAP WLAN Broken Throughout Enterprise

We have been running SonicWALL VAPs for years with EAP against Windows Server NPS. This week, for no apparent reason, wireless clients are no longer able to connect. The NPS server sees the authentication request from the SonicWALL, grants access, and packet captures show successful communication in both directions. There have been no changes. Started to suspect a Windows Update, or some mitigation pushed for the KRACK vulnerability, but the problem also affects Android & iOS devices. WPA2-PSK wireless networks are fine. We feel that we can't be the only customer suddenly experiencing this issue. Can anyone relate or provide thoughts? Thanks in advance!



Workstations in switchports that have a voice VLAN configured are getting addresses from the voice DHCP server

As the title suggests, I have workstations that get network connectivity through an Ethernet passthrough on Mitel 5330e phones. The switchports are regular access ports on our data VLAN, and we have the voice vlan configured with our voice VLAN. We have a helper address pointing to our workstation DHCP server on the workstation VLAN, the voice VLAN does not use a helper / relay as the phone controller serves out DHCP on broadcasts.

2 nights ago, we got calls from a handful of people in the building about not having network connectivity. We found out that those workstations had IP addresses from our voice subnet as opposed to our workstation subnet. If you do a release and renew, it will continue to grab a voice subnet address. The only way to get a workstation address is to remove the voice vlan from the affected port. Alternatively, if you give the workstation a static IP from the workstation subnet you will get connectivity, although not right away in most cases. I've had to do continuous pings to the gateway or some other network address for about 5 to 10 minutes before I'll start getting replies and connectivity will be restored.

There were no topology or configuration changes made to my knowledge. The only thing I discovered that I had thought was causing the issue was a device that was absolutely flooding the network with DHCP Discover messages. After removing the offending device I was hoping the issue would be resolved, but we're still seeing it.

For added background, we've been operating with the same configuration for 3 years and never had an issue. I feel like something had to have changed but I've run out of places to look in an attempt to track this down. I have Wireshark captures available in case anyone wants to look at them.
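As an added example (not from the post), a script that scans a constructed DHCP message summary taken on the data VLAN for OFFER/ACK messages that hand a client an address from another server or subnet, and for clients flooding DISCOVER. The subnets, the authorized server address and the CSV column names are assumptions, not a capture tool's export format.

```python
"""Scan a DHCP message summary for leases that land a client in the wrong
subnet and for clients flooding DISCOVER (added example; the CSV rows and
column names below are constructed, not a capture tool's export format)."""
import csv
import io
import ipaddress

# Assumed addressing: the workstation VLAN and the one DHCP server that the
# helper-address on that VLAN points at.  Replace with your own values.
DATA_SUBNET = ipaddress.ip_network("192.168.10.0/24")
AUTHORIZED_SERVERS = {ipaddress.ip_address("192.168.10.5")}

# Constructed summary of DHCP traffic seen on the data VLAN (untagged frames).
DHCP_CSV = """\
time,msg_type,server,client_mac,yiaddr
1.000,DISCOVER,,aa:bb:cc:00:00:01,
1.020,OFFER,192.168.10.5,aa:bb:cc:00:00:01,192.168.10.77
1.030,OFFER,192.168.50.2,aa:bb:cc:00:00:01,192.168.50.43
1.050,REQUEST,,aa:bb:cc:00:00:01,
1.060,ACK,192.168.50.2,aa:bb:cc:00:00:01,192.168.50.43
2.000,DISCOVER,,aa:bb:cc:00:00:09,
2.050,DISCOVER,,aa:bb:cc:00:00:09,
2.100,DISCOVER,,aa:bb:cc:00:00:09,
2.150,DISCOVER,,aa:bb:cc:00:00:09,
2.200,DISCOVER,,aa:bb:cc:00:00:09,
2.250,DISCOVER,,aa:bb:cc:00:00:09,
3.000,DISCOVER,,aa:bb:cc:00:00:02,
3.020,OFFER,192.168.10.5,aa:bb:cc:00:00:02,192.168.10.78
"""


def parse_messages(text):
    """Parse the CSV summary into dicts, converting 'time' to a float."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = float(row["time"])
    return rows


def misplaced_leases(rows, expected=DATA_SUBNET, authorized=AUTHORIZED_SERVERS):
    """Return (time, server, client_mac, yiaddr, reasons) for every OFFER/ACK
    that comes from a server other than the authorized one or hands out an
    address outside the expected subnet.  Either condition on the data VLAN
    means a second DHCP scope is reachable from it."""
    findings = []
    for row in rows:
        if row["msg_type"] not in ("OFFER", "ACK"):
            continue
        server = ipaddress.ip_address(row["server"])
        lease = ipaddress.ip_address(row["yiaddr"])
        reasons = []
        if server not in authorized:
            reasons.append("unauthorized server")
        if lease not in expected:
            reasons.append(f"lease outside {expected}")
        if reasons:
            findings.append((row["time"], str(server), row["client_mac"],
                             str(lease), reasons))
    return findings


def discover_flooders(rows, threshold=5, window=1.0):
    """Return client MACs that sent more than `threshold` DISCOVERs within
    any `window`-second span (a broken client can exhaust a scope)."""
    times = {}
    for row in rows:
        if row["msg_type"] == "DISCOVER":
            times.setdefault(row["client_mac"], []).append(row["time"])
    flooders = []
    for mac, stamps in times.items():
        stamps.sort()
        start = 0                      # sliding window over sorted stamps
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flooders.append(mac)
                break
    return flooders


if __name__ == "__main__":
    messages = parse_messages(DHCP_CSV)
    for finding in misplaced_leases(messages):
        print("misplaced lease:", finding)
    print("DISCOVER flooders:", discover_flooders(messages))
```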



Assistance w/ Meraki & Ubiquiti L3

Hey everyone.. Just wanted to see if people could take a look and sanity check my proposed setup...

Moving offices and absorbing a few smaller satellite offices at the new location, thus our current flat /24 will not be enough..

On the edge we have a Meraki MX100, internally I have a Ubiquiti ES-16-XG acting as an aggregator ToR switch, cascaded down to 2 ES-48-Lite and 2 ES-48-500W.

Currently our main setup is on 192.168.2.0/24... Which I have to leave intact as the previous admin has all sorts of gotchas and landmines, e.g. specifying server connections like ODBC by IP instead of DNS name.

I also want to break out the WiFi and VoIP into their own VLANs for the sake of housekeeping and organization, possible future traffic shaping.

If I leave 192.168.2.0/24 as the default VLAN but make it L3 routed. Add for instance 192.168.3.0/24 for VoIP and 192.168.4.0/24 for WiFi.

I'm pretty sure I can get the Ubiquiti stack up and playing nice... I am just concerned with the Meraki.. Do I just have to create and specify the same VLANs on it as I do the Ubiquiti gear, or do I have to do something like a /30 private network link between the Ubiquiti stack and the Meraki?

Any tips or tricks to ensure I can get something like this working without too much issue and hair pulling?

Thanks in advance everyone.



Flow logging

I'm looking for some open source software that can be used to log flows via a spanned port. I already have traffic graphs for my interfaces but I want to get a little more granular in some specific places. I would like to be able to log sources, destinations, and amount of traffic transferred.

Does anyone know of any open source software that can accomplish this? I haven't been able to find anything, maybe SNORT or Bro can but I haven't been able to figure out how.
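An added example (not from the post) of the core computation a span-port flow logger performs: folding packets into bidirectional five-tuple flows with per-direction packet and byte counts, an idle timeout, and a top-talkers summary. The packet records are constructed inline; the function names are mine.

```python
"""Five-tuple flow aggregation of the kind a span-port flow logger keeps
(added example; the packet records below are constructed, not captured)."""
from dataclasses import dataclass


@dataclass
class Flow:
    first_seen: float
    last_seen: float
    packets_fwd: int = 0
    bytes_fwd: int = 0
    packets_rev: int = 0
    bytes_rev: int = 0


# Constructed sample: (timestamp_s, proto, src, sport, dst, dport, frame_bytes)
PACKETS = [
    (0.000, "tcp", "192.168.2.10", 51234, "10.0.0.5", 443, 78),
    (0.010, "tcp", "10.0.0.5", 443, "192.168.2.10", 51234, 74),
    (0.020, "tcp", "192.168.2.10", 51234, "10.0.0.5", 443, 66),
    (0.500, "tcp", "10.0.0.5", 443, "192.168.2.10", 51234, 1514),
    (0.510, "tcp", "10.0.0.5", 443, "192.168.2.10", 51234, 1514),
    (1.000, "udp", "192.168.2.11", 53000, "192.168.2.1", 53, 70),
    (1.005, "udp", "192.168.2.1", 53, "192.168.2.11", 53000, 150),
    (40.00, "tcp", "192.168.2.10", 51234, "10.0.0.5", 443, 66),  # idle > timeout
]


def aggregate(packets, idle_timeout=30.0):
    """Fold packets into bidirectional flows.

    The key is the 5-tuple as first seen (initiator -> responder), so a
    reply is matched to the same flow as 'reverse' traffic.  A record idle
    longer than idle_timeout is closed, and a later packet for the same
    tuple opens a fresh record, as a NetFlow-style exporter would do.
    Returns a list of (key, Flow) in the order records were closed.
    """
    active = {}
    closed = []
    for ts, proto, src, sport, dst, dport, size in sorted(packets):
        fwd_key = (proto, src, sport, dst, dport)
        rev_key = (proto, dst, dport, src, sport)
        for key in (fwd_key, rev_key):          # expire stale records first
            if key in active and ts - active[key].last_seen > idle_timeout:
                closed.append((key, active.pop(key)))
        if fwd_key in active:
            key, forward = fwd_key, True
        elif rev_key in active:
            key, forward = rev_key, False
        else:
            key, forward = fwd_key, True
            active[key] = Flow(first_seen=ts, last_seen=ts)
        flow = active[key]
        flow.last_seen = ts
        if forward:
            flow.packets_fwd += 1
            flow.bytes_fwd += size
        else:
            flow.packets_rev += 1
            flow.bytes_rev += size
    closed.extend(active.items())               # flush at end of capture
    return closed


def flow_line(key, flow):
    """Render one record the way a flow log would print it."""
    proto, src, sport, dst, dport = key
    return (f"{proto} {src}:{sport} -> {dst}:{dport} "
            f"pkts={flow.packets_fwd}/{flow.packets_rev} "
            f"bytes={flow.bytes_fwd}/{flow.bytes_rev} "
            f"dur={flow.last_seen - flow.first_seen:.3f}s")


def top_talkers(records, n=3):
    """Total bytes sent per address (both directions), largest first."""
    totals = {}
    for (proto, src, sport, dst, dport), flow in records:
        totals[src] = totals.get(src, 0) + flow.bytes_fwd
        totals[dst] = totals.get(dst, 0) + flow.bytes_rev
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    records = aggregate(PACKETS)
    for key, flow in records:
        print(flow_line(key, flow))
    print("top talkers:", top_talkers(records))
```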



It's official - ADSL works over wet string

"It has always been said that ADSL will work over a bit of wet string."

Full article... http://ift.tt/2AMHzXJ



Multicast packets through Draytek Vigor 3220

We are trying to get a timesync server through a Vigor 3220 router for synchronization of video. We can see the packets being broadcast (Wireshark) and know the router is receiving them as ICMP snooping is enabled, but the client sitting in the DMZ can't see the master time sync server.

I believe I've explained that correctly.

Any help would be greatly appreciated.



Chromebook Admins of /r/Networking, Is there a Solution for Monitoring Chromebooks Remotely?

We are trying to be able to see what students are doing on their chromebooks remotely without them being prompted to "allow" us into viewing their screen.

We have heard of Go Guardian however they priced us at 50k a year which just isn't feasible for our small-ish school district.

Are there any alternatives that you use that can compete?

Thanks in advance for any insight.

EDIT: Also, we use google admin/gsuite.



How Do I Build a Wired LAN Network for 15+ Machines?

At the moment at college we have been learning about all the components that build a network (router, switch, computers, wireless access point etc..) & the various network topologies (star, mesh, bus, tree etc...). We have also done lots of test network builds in Cisco PacketTracer without fail but one of my tasks is to write what components would be needed to build a LAN Network & the instructions to set it up. The hypothetical LAN would consist of 15 machines (Windows 10) & would be used for general file sharing between machines & printing.

Would the process of building a LAN network be the same in terms of components (router, switch, WAP etc...)? How would the IP addresses be assigned to the machines? I have only done this so far in PacketTracer so I'm unsure if my answer would still be correct. Could anyone help me understand or point me towards a good piece of information for setting up a LAN for a beginner, since all the sites I go to seem to give different answers regarding the components & steps.



Watchguard Inter-VLAN Routing

Hi, I've got a Watchguard T10 at home for labbing. I have created 2 VLANs, VLAN 1 and VLAN 2. Using System Manager or the Web UI, how do I get the VLANs to talk to each other? This sounds silly I know.



Setting up VPN from FortiGate 80D to Cyberoam Cr25 with Dynamic IP on Cyberoam Side

Hello all, need advice on setting this up: I have to set up a VPN tunnel between 2 sites. Site A (HQ) has FortiGate 80D and Static WAN IP, Site B (Branch) has Cyberoam Cr25 with Dynamic WAN IP.

It is planned to acquire for the Branch a static IP from the ISP with a dedicated leased line reserved for VPN later, but in the mean time the HQ requires VPN access to the Branch.

I have been looking online into solutions and found Dynamic DNS as a possible workaround: subscribe to the service on the Cr25 side, and use the DDNS address as a "Peer ID" when setting up the VPN on the FortiGate.

Apart from that, what I would be doing is set up the vpn normally with WAN IPs and manually update the IP addresses on each side whenever it changes, which is simply not sustainable...

Any feedback or advice on this setup is welcome.



Private vs Public IP subnets

What would be the advantages of using Public IP's over Private to create subnetworks within an organization/company?



Netgear FVS336Gv3 - Ipsec VPN + NAT

I just got off of a call with corporate. They want us to establish a VPN between here and there, and then NAT all of the internal IP Addresses to come from one single IP address when necessary to cross the VPN.

We spent over an hour and a half trying to get this figured out on the FVS336Gv3. I'm reaching out to Netgear too, but thought by asking here I may find someone a bit more familiar with this hardware.

Googling the issue resulted in similar use-cases, but they were different enough to really be of no help. I'm a System Administrator, so this is already a bit out of my wheelhouse.



Network monitoring software like Total Network Monitor

I'd like to find software (free or paid) that is as simple and user friendly as TNM2. I've tested a few, including PRTG (a little overkill for what I want). My company wants software where we can see what is up and running, that sends an email when something goes down and another when it comes back up. The problem with TNM is that when I tested it, the email function didn't work that well: it sends emails randomly even after a host stays up, and it crashes a lot.



Tuesday, December 12, 2017

Ethernet is showing my computer to be connected to wrong network?

Hello guys,

I was hoping someone could give me some insight into this slight issue I've been having with regards to my networking.

Here is my layout:

-My main Verizon router is located upstairs in my computer room. This router is wired to another Asus router for wireless coverage in the basement. This router is also wired to a series of switches.

The issue I'm having is that the devices which are wired to the Fios router via the switches are for some reason, being connected to the Asus network, instead of directly connecting to the original Fios router network.

This is causing some strange symptoms. I have already configured the Asus router to be in Access Point mode, but I don't understand how the devices upstairs are somehow being forced to go through the router in the basement.

My ideal setup is having only devices on each floor to be regulated by the respective router, or even better, have ALL DEVICES regulated only by the Fios router, and have the Asus router simply act as a wireless and wired access point. Any insight at all would be helpful. I apologize if my logic is flawed, I am not very experienced.

TL;DR: Main router is connected to secondary basement router and upstairs network switch. For some reason, devices connected to upstairs switch are showing up on downstairs secondary router.



Phone number is now a cesspool of spam, I need some help.

I get a very high amount of spam calls on my number, from a wide range of numbers. Some just selling stuff, others going as far as to tell me I have (several) warrants out for my arrest. The latest though, is I've been having random people call me up, saying with little variation, and I paraphrase: "I've been texting a guy about duct cleaning services, was calling to inquire." They're usually calling a 701 number, mine is 906, so not even in the same state.

These have all been honest regular people who are just on the other end of the scam, and are just as confused. One guy said he was sent a Google Verification code, and was told it was the access code to a house, is what I think he said, but either way. Is there a way to make this stop? I bought this number and put it on a ton of stuff for my business, so I'd be out majorly at this point if I had to change numbers.

Should I call Verizon? Can they do anything? Next guy that calls I'm going to get the 701 number in full, but I'm not sure it would help, it's probably just some call center like most of them I'm guessing.

But people say they've been texting with the 701 number, and I never see any of these, then I'm guessing they call to set up an appointment or such, and it rings my phone. Does anyone know what my next steps should be, or am I just up shit creek without a paddle? I ask to be on the DNC list for as many as I can but they just keep coming!!



Ballpark figures for a large school bid?

Sort of a non-traditional request, but I'm hoping to at least come away with a number.

I'm currently on staff with a school rebuilding after a flood-- no insurance, so every bit we can save helps. I've installed fairly small to medium networks (100-150 computers, multiple buildings, etc), but always on my own time and as a full time salaried worker.

They've asked me to wire and install 4 networks into the new school building. The walls are gutted and the roof is open as well (the main building is two story), and it's a 4 building campus.

  • 1 data network (including 4 VLANs and controlled access)
  • 1 security camera network (60+ cameras)
  • 1 intercom system (over Cat5e)
  • 1 lecture capture system (so 1 drop per classroom)

All told, likely close to 200 drops, covering roughly 50,000 square feet of building. Wifi, computer labs, the works--

What would be a typical bid on just the labor of running the wiring/jacks, installing the network gear and configuring the system? Is it per drop on a new install? Do I do it per hour, and what's a reasonable hourly rate? I'd love to just give one price, and I'd love to do it for them at 1/4 the cost of a company, but I just can't put a number to it. I also think it would be unfair (and unethical) to have a local company come out and bid a project they won't receive.

Any help in figuring out a way to price this would be greatly appreciated. Really looking forward to any advice you guys can give.



Help! Forgot password to ip camera

I have a FLIR IP camera and forgot the password. There is no forgot password option.



Question about configuring a 2950 with 802.1x

I could find this information on google or in the search so I came here. I need to configure some sort of 802.1x configuration for a lab and all I have is a Catalyst 2950, what are my options for authentication servers?

I have a registered 2012 R2 server but I don't want to spend money; Also, will NAP work here? I'm very capable in Linux and can spin something up if you point me in the direction here as well.

My preference would be using a certificate to authenticate but whatever works here really.

Thnx



ISP Telling Me I Have to Sign New 3-Year Contract In Order To Increase Bandwidth

I am currently about 17 months into a 3-year contract with a regional ISP that services 5 of our locations with dedicated Internet access over fiber. 4 out of our 5 current locations are not directly in our ISPs fiber footprint thus requiring us to have 3rd party last mile providers at these locations. One of the locations has Spectrum, one has AT&T and the other two have local carriers who also own a stake in our ISP (i.e. our ISP is owned by many local carriers and these two locations utilize these carriers for last mile services). Our current services are all 10x10 with the exception of the Spectrum office which is 5x5 (don't judge, I know these are all sad). We don't have any services beyond dedicated Internet and some SIP trunks. No MPLS or other VPN technologies, nothing complicated.

Our company recently purchased property to build a new branch and I have started getting quotes for the telecom services. I first called up our current ISP and got a quote but, upon taking it over to /r/sysadmin's Am I Getting F**ked Friday I realized that the pricing was outrageous so I found a broker and started looking at other pricing. In the meantime, I realized that the price per megabit we pay in our other offices is now extremely overpriced (it wasn't when we first signed up) so, I went to our current ISP asking for quotes to upgrade stating that I felt like we could get more bandwidth without raising our bill too much as it appeared pricing within the industry had come down. Well, my Account Manager shot back at me and has now firmly stood her ground on the claim that we can't make any upgrades without signing a new 3-year contract because they would have to sign a new contract with the last mile providers. This all sounded very fishy to me. I could understand requiring a new 3-year if they were going to have to build-out more infrastructure but to simply add 10mbps to an existing installation and the overall bandwidth remain under 100mbps, it seems absurd to require a new contract.

I briefly ran this by the broker I am working with for the new office and he said it sounded like she was just trying to make year-end quotas. I really wanted to see what y'all thought about this claim, is it common or is it just a sales tactic to pressure me into signing another contract?



Router for Small Business

Hi all,

I will start off by saying I am nowhere near a networking expert or claim to know what I am doing. I can set up a home network but that's pretty well where I draw the line. I tried to do some research but all the Cisco results are above my head.

My family's small business is really just starting to get into the internet age. Therefore, what they have right now is a home router - D-Link DIR-615 from about 10 years ago.

This device is running a network of ~30 devices day to day.

The old router has never really given too much grief, but the ISP recently did some upgrades and now the internet will cut out every few hours and will stay out until the router is reset.

So I was wondering if there is a mostly plug and play small business router out there.

The only requirements I have (or know I need) would be port forwarding and being able to reserve IPs throughout the network.

I apologize if this is a very noob question which I am sure it is, but I would appreciate any support. If you have any questions, please let me know.

The network itself is a rat's nest full of switches to workstations but I plan on running new Cat5e runs to every device from the router/switch. (I also have a 24 port switch I plan to hook up with the new router)

Thank you in advance!



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Setting up a Palo Alto PA-200 with static IP from ISP

What's up everyone, I am looking into setting up a Palo Alto security appliance with a static IP address provided by my ISP. I don't have too much experience dealing with these firewalls overall, at least not for setting up a static IP from an ISP for internet. Does anyone have any tips? I have taken a look over the documentation they provide, just want to make sure I am not missing anything.

Just configured the security appliance by my ISP so it is set to IP passthrough, so I can have it act as a modem and connect it to my main firewall that has all of my routing policies etc.



IP SLA for redundant internet route

Afternoon networkers,

I have a few branches that have local internet connections along with their WAN connection. Here is the Topology

I have been trying to figure out how to setup SLA so if the local internet goes down, it will automatically route Internet requests over the WAN connection so users can still reach the Internet.

  • Internet IPs are DHCP on the local ASAs
  • The routing is handled at the 3560 for hosts; the default route goes to the ASA

I have dabbled with IP SLA and tracking on the switch, but not sure if I should be using path-echo or icmp-echo nor am I sure what to target. If I target the gateway of the ISP or google dns then the track will come back 'up' when the route is switched to the WAN link, because those are public.

Some of the examples online and in training videos don't have the topology setup as I do, so I am reaching out to this forum for thoughts.

Thanks



Five years ago I retired from a position as an enterprise IT generalist. What is the biggest change I should anticipate in networking when I start my new job in about six weeks?

I'll be going back to work after taking several years off, playing with the idea of retirement. I'll be a "pinch hitter" deploying equipment and providing support. I don't know much about the infrastructure.

Is anything going to be wildly different? Is IP6 making a huge difference day to day? Any equipment manufacturers in common use now that were barely on the horizon five years back? Have there been innovations in layers 1-3?



Wireless networking performance question

I am currently using a Cisco Small Business 4410N WAP, uplinked via Spectrum's 60mb cable service. In my house I have a total of 9 devices associated at any one time:

  • Laptop
  • 2 x Desktops
  • 2 x Roku Sticks
  • 3 x cell phones
  • Kindle Fire

The Rokus feel the pain more than anything else.. video quality takes a dive from 1080p to around 480p randomly.

None of my devices are 802.11AC compliant; however, I feel as though the WAP is my weak link. I'm looking for advice on this. I am currently planning on upgrading the WAP to AC, however I have about a month to go before that will happen.

I 'believe' that all my devices are N compatible.. if so would disabling B/G support help any?

This is not a critical issue, but having been in IT for quite a while I am now more curious than anything to figure this out.



NAT Translation

Hi Team

My ISP has given me the static address x.x.x.17 on their side and x.x.x.18/31 on mine, and Google DNS 8.8.8.8. I can ping the ISP x.x.x.17 from my router; when I source from my LAN on 172.16.x.x/24 I could not. They don't route back to my LAN and said to use NAT overload, so I did: ip nat source list 172.16.x.x x.x.x.18 overload. The good thing is I can source from my LAN to the WAN side of the ISP, x.x.x.17, but my switches cannot ping the WAN link on the ISP side. I do have ip default-gateway on the switches pointing to my LAN interface on the router. NEED HELP



Meraki and cisco

Hi all,

I am a bit confused and hoping someone might be able to explain.

We opened a new office in LA and installed a Meraki MX65W. We created a tunnel to NYC where we have a Cisco 5516-X.

The LA office has 75mb FiOS and NYC has 100mb Cogent.

The throughput speeds were very slow, and neither Cisco nor Meraki could figure out why.

Once we got an ASA 5506-X, speeds improved greatly.

Does anyone know why?

Thanks.



Anybody know how to get Cisco ISE to use AD OUs instead of AD Security Groups?

I'm working on that solo ISE deployment for our corporation and had what I thought was a working dot1x setup, since dot1x was passing authentication and successfully applying the appropriate dACL and all that jazz.

Trouble is, I discovered along the way that ISE, by default, only uses security groups out of Active Directory for user group assignments, but our AD is structured using Organizational Units. I found a rather unhelpful article from 2012 that suggests using regex to search for distinguishedName to find a user in an OU, but it isn't well written, the syntax in the article doesn't match the referenced syntax in the sample screenshot, etc.

Is there an actual useful guide for using OUs in ISE, or is this simply not supported at all?

Any help is appreciated



Is there more of an automation/programmability use case in ServerEng vs NetEng?

Pretty much the title.

  • Certifications/education: The current flagship certification (CCIE) consists entirely of learning a proprietary operating system with no education about writing your own modules or writing any code at all. On the other hand, certain MCSE tracks include the basics of PowerShell. The RHCE also includes some basic shell scripting. I'm choosing these certifications to try my best at making equivalents but please correct me if I'm wrong.

  • Coding: Most NetEng I've worked with do not know any coding at all. Their automation is limited to column highlighting with N++ and find/replace. Sometimes extremely basic regex. Certainly no config management, automated provisioning, orchestration, etc. But maybe that's because this use case doesn't exist or isn't as strong in networking? I'd love to hear from some of you on this.

  • Proximity to developers: SysEng is way closer to developers (people who only code and do little to no Ops). So they feel more pressure to automate QA build-outs (VMs, DBs, LB configs, etc.) because the business puts pressure on SysEng to not delay Dev as that directly impacts profits.

To frame the question another way, if someone knows they love automation/coding but also knows they don't want to do development and would rather do operations, would they have more opportunity to code/automate if they went the NetEng route or the SysEng route?

These are some of the comparisons I've tried to make but I'd love to hear from people who have had more exposure to this in their career. Is there more of a use case for automation/coding in ServerEng than NetEng?



Wireless planning for unfinished buildings

Hello community. I've been given a project to design and implement the data infrastructure for an in-construction, 4,000 seat "mega"church. The structure will be a three level amphitheater-like design with a few adjacent rooms for office/study. MDF and IDF locations are set.

We were not involved in the initial design of the building. The original plans call for AP location rimming the back wall of each level with a horizontal cone. Since the plans were drawn, the original electrician has been let go, and the new electrical contractor is itching for us to give them new drop locations. They somehow determined 50 APs total, but just guessed at this number from what I can see, as well as original drop points.

My question is this: the building is only ~60% complete. In a typical project, we'll use carts for a site survey in an existing space. Any advice or experience on how to best figure this out using only floor plans and a partially completed space we can't have unfettered access to?



ASA Authentication using RADIUS?

Hi folks, hoping this will be an easy one. I'm trying to configure my ASA to use RADIUS authentication with a Microsoft NPS server. I want to use this identity source for both VPN users and admins. What I don't want is to have admin/CLI users to be able to hit the VPN and vice versa. Currently, admins can authenticate using AnyConnect so there seems to be a policy conflict. Has anyone set up the ASA AAA in this scenario or similar? I can provide configs as needed. Thanks in advance.



Fortigate 200E issues when replacing a Cisco ISR 4331.... Help?

I attempted to replace our ISR 4331 last night, but ran into some issues, and was hoping someone out there can help me out. I'll buy you reddit gold! Think of the possibilities ;)

We currently have:

ISR / Cisco Core Switch / Cisco Workstation Switch

Essentially, I want to replace the ISR4331, with a FortiGate 200E. Here is the information I can give you - let me know if you need more:

Port Config on Cisco ISR:

interface GigabitEthernet0/0/0
 description Interface to Internet
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip nbar protocol-discovery
 zone-member security OUTSIDE
 negotiation auto
!
interface GigabitEthernet0/0/1
 description Po1 to Core Switch
 no ip address
 ip nbar protocol-discovery
 negotiation auto
 channel-group 1 mode active
!
interface GigabitEthernet0/1/0
 switchport mode access

Other config on Cisco ISR:

interface Vlan20
 no ip address
 ip helper-address 192.168.2.20
!
ip access-list extended NAT_LIST
 deny ip any host 67.226.181.231
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip 192.168.5.0 0.0.0.255 any
 permit ip 192.168.8.0 0.0.0.127 any
 permit ip 192.168.9.0 0.0.0.255 any
 permit icmp any any echo
 permit icmp any any echo-reply
!
interface Port-channel1
 description Po0 to Core Switch Po4
 no ip address
 no negotiation auto
!
interface Port-channel1.20
 description Production VLAN20 Subinterface
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface Port-channel1.30
 description DMZ VLAN30 Subinterface
 encapsulation dot1Q 30
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface Port-channel1.50
 description DTE VLAN 50 Subinterface
 encapsulation dot1Q 50
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface Port-channel1.80
 description Management 80 Subinterface
 encapsulation dot1Q 80
 ip address 192.168.8.1 255.255.255.128
 ip nat inside
 zone-member security INSIDE
!
interface Port-channel1.90
 description Storage 90 Subinterface
 encapsulation dot1Q 90
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
---------------

Cisco Workstation Switch Config for port TO Cisco Core Switch:

interface GigabitEthernet0/48
 description Uplink trunk to server switches
 switchport access vlan 20
 switchport trunk native vlan 20
 switchport trunk allowed vlan 20
 switchport mode access
 spanning-tree portfast
 channel-group 1 mode passive
---------------

Port config on Cisco Core switch for the port FROM Cisco ISR (Future FortiGate200E):

interface GigabitEthernet1/0/10
 description to Cisco4331 Gi0/0/1 (Po1)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-group 4 mode active
---------------

Config on new Fortigate 200E (Replacing Cisco ISR)

Interfaces:
  port1 (Plugs into the same port the Cisco ISR plugged into on the Cisco core switch)
    IP/Mask -> 192.168.2.1 255.255.255.0 (no way to assign the default VLAN ID as 20??)
    L___VLAN 30 Subnet 192.168.3.1 255.255.255.0
    L___VLAN 50 Subnet 192.168.5.1 255.255.255.0
    L___VLAN 80 Subnet 192.168.8.1 255.255.255.128
  wan1 (Plugs into the same port the ISR plugged into for the internet)
    IP/Mask -> xxx.xxx.xxx.xxx 255.255.255.248

Static Routes: I don't believe static routes are required, as they are all on the same port (port1) on the Fortigate... but I have tried with them as well, with no luck.

Policies: I've tried setting a policy where all traffic to and from 2.x, 3.x, 5.x, and 8.x is allowed, and I tried with and without NAT enabled.
---------------

Now, what happens when I plug in the 200E and turn off the ISR, is that internet works great.... traffic from within the 2.x (VLAN20) seems to work flawlessly.

Servers, computers, printers, anything on the 2.x (VLAN20) subnet seem to work just fine; VLAN 30, 50, and 80, however, do not.

I have a feeling it's because the core switch configuration may be causing the issue here, however I don't know for sure.

Is there something I can do to make the Cisco Core & Workstation switch play friendly with the 200E? Could trunk encapsulation be causing this?

Perhaps there is no 'default VLAN' set on the 200E? (I don't know where to set this for some reason... I only know how to add them. However, I want the default IP to be 192.168.2.1, and the 200E won't let me set a VLAN 20 with 2.x, because the 'default' subnet is currently using that subnet.)

Thanks in advance for your help!
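As an added example (not from the post, and not Cisco or Fortinet tooling), the script below parses the ISR subinterface config exactly as it was pasted above, flattened with "!" between blocks, and compares its VLAN-to-subnet layout against the FortiGate interface plan the post describes; the FGT_IFACES dict is hand-built from that description, so the only input assumed beyond the post is that port1's address is untagged.

```python
import re

# Constructed excerpt: the ISR subinterface config as pasted in the post (flattened, '!' separated).
ISR_CONFIG = (
    "interface Port-channel1.20 description Production VLAN20 Subinterface encapsulation dot1Q 20 "
    "ip address 192.168.2.1 255.255.255.0 ip nat inside zone-member security INSIDE ! "
    "interface Port-channel1.30 description DMZ VLAN30 Subinterface encapsulation dot1Q 30 "
    "ip address 192.168.3.1 255.255.255.0 ip nat inside zone-member security INSIDE ! "
    "interface Port-channel1.50 description DTE VLAN 50 Subinterface encapsulation dot1Q 50 "
    "ip address 192.168.5.1 255.255.255.0 ip nat inside zone-member security INSIDE ! "
    "interface Port-channel1.80 description Management 80 Subinterface encapsulation dot1Q 80 "
    "ip address 192.168.8.1 255.255.255.128 ip nat inside zone-member security INSIDE ! "
    "interface Port-channel1.90 description Storage 90 Subinterface encapsulation dot1Q 90 "
    "ip address 192.168.9.1 255.255.255.0 ip nat inside zone-member security INSIDE"
)

# FortiGate plan as described in the post, hand-built here (not FortiOS output):
# name -> (ip, mask, 802.1Q tag); tag None means the interface carries untagged frames.
FGT_IFACES = {
    "port1": ("192.168.2.1", "255.255.255.0", None),
    "vlan30": ("192.168.3.1", "255.255.255.0", 30),
    "vlan50": ("192.168.5.1", "255.255.255.0", 50),
    "vlan80": ("192.168.8.1", "255.255.255.128", 80),
}

def parse_ios_subinterfaces(text):
    """Map VLAN id -> (ip, mask, tagged) for each dot1Q subinterface block; '!' separates blocks."""
    found = {}
    for block in " ".join(text.split()).split("!"):
        enc = re.search(r"encapsulation dot1[qQ] (\d+)( native)?", block)
        addr = re.search(r"ip address (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})", block)
        if enc and addr:
            found[int(enc.group(1))] = (addr.group(1), addr.group(2), enc.group(2) is None)
    return found

def compare_migration(isr, fgt):
    """List every ISR VLAN whose FortiGate interface is missing or tagged differently."""
    by_ip = {ip: (name, tag) for name, (ip, _mask, tag) in fgt.items()}
    findings = []
    for vid, (ip, mask, tagged) in sorted(isr.items()):
        if ip not in by_ip:
            findings.append(f"VLAN {vid}: {ip} {mask} on the ISR has no FortiGate interface")
            continue
        name, tag = by_ip[ip]
        if tagged and tag is None:
            findings.append(f"VLAN {vid}: tagged on the ISR but untagged on FortiGate {name}")
        elif tag is not None and tag != vid:
            findings.append(f"VLAN {vid}: FortiGate {name} is tagged VLAN {tag} instead")
    return findings
```

Run against the posted configs it reports two differences: VLAN 20 is a tagged subinterface on the ISR but untagged on port1, and VLAN 90 (Storage) has no FortiGate interface at all.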