Saturday, February 3, 2018

Strange Latency Issue

Sorry for the wall of text. I'm a cable technician, and for the last couple of days, I've been working with a commercial customer troubleshooting a latency issue. I can be fairly certain that the issue is not RF or plant related. When troubleshooting, I connect my laptop to the modem (a gateway device with multiple ethernet ports) and ping Google. My ping times would be in the 100-300 ms range, until I disconnect the customer's network from our modem. Then my ping times drop to normal, 30-40 ms. So, customer network issue, right? I figured case closed after that. They're an IT company, after all; they can just fix whatever is eating up their bandwidth. But upon further troubleshooting, we left their network disconnected, and hooked up the customer's laptop in addition to mine, and the customer starts downloading a file at maybe 10mbps. They have 50 meg service. The ping times shoot up again. The customer is also running a traceroute utility, and it's showing the ping times jump to the high levels between the first hop and the second hop (10.1.10.1: modem, and 96.etc.etc.etc.: our CMTS). This is a MacBook Pro, by the way. We do the same thing on a different MacBook Pro, with the same results. It seems that with any minor activity on their network, ping times go crazy.

It's very doubtful that this is an issue with our cable plant, as our line techs and head end have looked at any possible RF issues in the area, as well as potential capacity problems, and neither is currently a likelihood. Also, the cable drop and outlet were bypassed with a test drop straight to the tap, all with the same results. I even had their 50/10 meg plan bumped to 100/20 temporarily to see if that alleviated the issue, with no luck.

However, I removed the customer laptop, left their network equipment disconnected, and simply had my laptop, my work phone (iPhone 7) and my personal phone (galaxy s8) connected to the wifi on the modem. I ran a Netflix stream on the laptop and YouTube videos on the phones, and ping times stayed quite low and steady, only jumping a bit when things were buffering. I also did a hangouts video chat between the phones to try and tax the upstream as much as possible, but still no significant blips in ping times.

It only seems to be when the customer's Apple computers are connected (most of the rest of the machines in their office are Apple computers, and no, I'm not an Apple hater) that ping times go haywire. I've asked them if they have anything running that might cause this, such as iCloud backups or anything else, but they swear they don't. I'm not entirely certain what's going on here, and if anyone has any ideas of something else to try, I'm all ears.

Thanks!



Dumb NSX question

Hi (please don't crucify me for talking about SDN). I am really new to all this NSX/SDN stuff, anyway here is my question: when you have an NSX Edge VM installed, does it act as a router for the whole VM infrastructure only internally? Meaning that it only works for the VMs on the overlay? Or can physical servers use the Edge as a router too? If so, do I ditch my L3 network hardware and go full L2 and let the Edge do everything? I have seen that it does some NAT but I don't get how that would work painlessly behind some L3 device. But if I ditch the L3, how do I handle the management network?

Thanks!



iBGP as an IGP - Static routes between the peers?

Hey All,

We are beginning to lab/test using iBGP as our only IGP and we're having a split opinion on how to get the routes for the peers themselves around.

We're a fairly typical enterprise, and the largest site has something like 4 routers that will need to be part of the mesh. One part of the design (partly technical, partly political) is that some of the routers must transit L3 through another to get to some of their peers, so I can't just stick everything in the same L2 /24 and have every next hop be connected.

The portion we have a split opinion on, is do we just set "redistribute connected" everywhere, and let the recursive lookups figure it out, or do we set /32 static routes pointing at the (known) L3 next hop for all of the peers. We will never scale past ~5 routers, so the overhead of /32 routes and needing a full mesh isn't a big deal. Nothing as complicated as wanting/needing to set up a Route reflector.

We see pros/cons to both and curious what others might be doing.



To core switch or not to core switch?

Hi,

The diagram: https://snag.gy/uXD8Cg.jpg

The question: should we have core switches or core routers connecting everything?

We're refreshing our campus network. New network is new, in a new building. All the access switches are cabled to distribution switches and everything is new there (or going to be in a while; it's still being built). Then we have the old access network where all the bad habits live. Like chaining access switches to each other and old 100Mbps switches and everything...

In the new building we also have a new DC. The older data center is managed by outsourced company, their contract is ending in a year or so. They basically run a single virtualized environment for us, they have Juniper ex/qfx or something as the core thingies. New DC is managed by us.

How would you connect everything? Ring between 'coreish' switches? Full mesh? Adding core switches/routers to the picture?

I'm thinking of just connecting fibres semi-randomly between the 'core' stuff (depending where we have fibers available) and then running OSPF & BGP in the core (BGP towards the old DC network that's not managed by us). We also have few VPN tunnels & MPLS links coming in to the datacenter... currently to our old FW from the ISPs router.

New network and new DC are in the same building, old DC network is spread across two different buildings and the old network spans 5-10 buildings all in the same campus area. Old network has two core switches currently.

Thanks!



Where do I sign up for a network security course?

Hi guys, total newbie in this subreddit. Can anyone suggest a good online course where I can study network security?



Someone is advertising my IP space with BGP

I have a /22 and had agreed to allow someone to use a /23 for a period of time that ended on January 31, 2018. They have not stopped advertising the IP space and have not responded to my inquiries. What should I do?



Remote access question

I have 3 home based businesses (group homes). I’m constantly getting calls with minor computer issues. We have 1 computer in each home which the staff uses to log in client meds etc. I would like to have remote access to those computers so I can fix from any location out of network.



Friday, February 2, 2018

Determining the gateway IP from a /29 question

Hi everyone,

I'm trying to configure a router for a customer and just trying to get some info in advance. The customer has a cable modem in bridge mode with a /29 connected to their current firewall. They told me the /29 range but not the gateway when I asked by email. Before I go back and ask for it I wanted to check if maybe it's always a certain one, like the first IP or something in a /29, or something obvious. This is not their range, just a made-up one, but if it was something like 208.163.16.244/29, is there a particular one used by the modem/gateway, and what would the one for the router be? Thanks!
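The block boundaries can be worked out from the range alone; only the choice of gateway inside the block cannot. As an added example (not part of the post), this script uses Python's standard ipaddress module to report the network, broadcast and usable addresses of any IPv4 prefix, then checks whether a candidate gateway is actually assignable. The range 208.163.16.244/29 is the made-up one from the question, and the gateway address passed in at the end is an assumption for illustration.

```python
import ipaddress


def subnet_layout(cidr):
    """Describe the assignable addresses in an IPv4 block.

    Works for any prefix length, not only the /29 in the question. The
    network address and the broadcast address are never assignable;
    everything between them is usable. Which usable address the provider
    put on the modem/gateway is not derivable from the range alone, so
    the function only reports the candidates. strict=False lets a host
    address such as 208.163.16.244/29 be passed in and still resolves to
    the block it belongs to.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "usable": [str(h) for h in hosts],
        "usable_count": len(hosts),
    }


def is_assignable(address, cidr):
    """True if `address` is inside the block and is neither the network
    nor the broadcast address, i.e. it could be the gateway or the router."""
    net = ipaddress.ip_network(cidr, strict=False)
    addr = ipaddress.ip_address(address)
    return addr in net and addr not in (net.network_address, net.broadcast_address)


def router_candidates(cidr, gateway):
    """Usable addresses left for the customer's router once the provider's
    gateway address is known (the gateway must itself be assignable)."""
    if not is_assignable(gateway, cidr):
        raise ValueError("%s cannot be a gateway in %s" % (gateway, cidr))
    return [h for h in subnet_layout(cidr)["usable"] if h != gateway]


if __name__ == "__main__":
    made_up_range = "208.163.16.244/29"          # the example range from the question
    print(subnet_layout(made_up_range))
    # Assumed gateway for illustration: providers commonly use the first or
    # the last usable address, but it has to be confirmed, not guessed.
    print(router_candidates(made_up_range, "208.163.16.241"))
```

For a /29 the script reports 208.163.16.240 as the network address, .247 as broadcast and .241 through .246 as the six usable addresses; one of those six is the modem/gateway and any of the remaining five can go on the router.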



Noob question, we switched routers, IP addresses now all different, can't find Linux server anymore. Please help?

Normally I'd ask my IT guy, but he's unreachable.

He built a Linux server that acted as a proxy server and also hosted our local wiki, which is just a simple wordpress site. Users here at work could just type wiki into the address bar and it would appear at http://wiki. It was great.

If it ever went down, he would access it through something called proxmox if it ever needed restarting. The instructions I have to access proxmox are to just type the old IP address into the address bar of his computer, and it was one of the options. However, we had to change routers and all the IP addresses are different, and now the server is no longer at the old IP address, so of course that saved address doesn't work. I can't figure out how to find the server on the network, and to even be able to view any web pages at all, I had to turn off the "use a proxy server" option in the browser like I had to on all the other computers, which means I assume the proxy server is not functioning.

Where would we start in terms of figuring out how to access that server or figure out its new IP address? Honestly, I just want to get the WordPress site off of it, it's our wiki, and we could likely figure out how to host it another way. I just don't know where to start. Thanks in advance.



Separate Campus LAN and DC Cores

Hey,

This is sort of a follow up to my previous post (I'm trying to learn more about the factors that go into designing a data center).

I've read in Cisco Documentation (CCDA material) that it is a best practice to have separate LAN and Data Center Core Switches - however, I've not known this to be the case at the two previous companies I've worked for (one was a Fortune 500 with a pretty large Campus and Data Center). So I'm wondering, is this an antiquated guideline / unrealistic expectation?



People of Networking, I'll be travelling to Colombia with a group of university students to volunteer and teach impoverished kids about networking and web development, among other things. What are some cool and interesting things we should show them?

We want to keep things fun. What are some good topics, websites or games that are fun and informative that we could show them?



Does anyone here use Big Switch Networks on DC/OS?

Does anyone here use Big Switch Networks on DC/OS? If so, what is one thing you get by using the two together vs just using them alone?



NX-OSV 9000 7.0.3.I7.2 VPC fully working?

I have the latest image in GNS3, and I can get the peer-link and keepalive working, however I can never get a LAG to form. I tried LACP from an IOSv L2 to N9Kv and from a 2012 R2 VM to N9Kv. I see the LACP PDUs going across but it's like they don't see each other. Specifically it's like they are listening for LACP PDUs on different multicast addresses, strange.



External ACLs - How do you stay organized?

I'm in the middle of rewriting our firewall's external ACL to get rid of legacy crap, eliminate IP any rules, etc. I basically have the opportunity to burn the whole thing down and rebuild it from scratch the "right" way so I want to make sure I do it in a way that is scalable and easy to manage.

This ACL controls external access to ~150 servers in our DMZ through an ASA firewall. The vast majority of these are web servers, ftp servers, and email servers for various business units. We don't foresee significant expansion here, but nothing is impossible. The way my boss and I see it, there are two ways to go about this:

  1. Have a few object groups that serve as a "catch-most" group, such as a group for web servers, one for ftp servers, etc. This will allow us to consolidate most of our servers into ~5 lines, and then another ~40 lines for all of the other one-off ports that need to be open.

  2. Have each server in its own object group with its own line. This will obviously be much longer, but it seems like it would be easier to make changes such as adding ports, decommissioning servers, etc. when we know there is only one place to look.

So my question is - what would you do? I can see pros and cons for both approaches, and I really think consistency is important so we need to pick one and stick with it. My boss is leaning toward approach 1, but he's made it clear he can be convinced either way.



Maintenance Windows

I'm curious what your company's policy is in regards to maintenance windows. The last couple of companies I've worked for didn't have a rigid policy. It was really anytime after 5 or 6pm. When I started in IT, I learned real fast that it's best to not do anything on a Thursday or Friday since I didn't want to risk ruining my weekend. So I usually chose Tuesday or Wednesday to make changes.

My current employer has a philosophy that changes should only be made on Friday, usually at 8 or 9 pm or later. That way if there are issues, you have all weekend to work on it.

I realize my philosophy is probably selfish since it favors me not having to deal with something on the weekend and I see my CIO's point of making sure there aren't problems during the week since he's the one who is the face of IT and has to answer for it.

I'm just curious what other companies have as their maintenance window policies.



Best way to monitor for issues with hosted VoIP and Skype issues.

Hello r/networking,

My company recently opened a smaller satellite office (20 users, mostly execs) and it had a bit of a rocky start with the network. We originally had an issue with our Fortigate firewall's SIP helper, which we disabled, and that fixed issues with calls dropping etc.

The above incident unfortunately killed the faith of some of our users and they typically assume any static on a conference call is an issue with our network. I have noticed a legitimate trend, albeit small, of people reporting issues calling into our office or to another of our offices. Here is our setup:

- Skype for Business/Audio conferencing (this is where a lot of meetings are hosted and issues are often reported)
- Hosted VoIP with OnSIP (people using their VoIP phones to dial into meetings frequently)
- Hosted conference bridge lines through GlobalConference (some meetings are hosted here but not nearly as much as Skype due to no video capability)

What I would like to do is monitor the network traffic involved closely to try and understand when and where we might be having issues. I've previously done some packet loss tests between our network and the hosted VoIP servers and ensured there isn't anything causing EMI in our office, for example. I also have our VoIP subnet and VLAN removed from any security policies that should cause problems. Are there any tools or guides to troubleshooting the traffic involved with VoIP? Since all of our services are hosted, I'm assuming there is a way I can look for packet loss or latency issues from user>server>user?

Essentially my goal is to do my due diligence in ensuring QoS. I'm not asking for anyone to hold my hand or give step by step instructions, although I appreciate anyone pointing me in the right direction!



Prevent cisco switch from forming a connection with another switch

This may be a silly question. And I'm probably going to be redoing the network at this location but I thought I would just ask. Once I redo the network the question probably won't be relevant.

We have 3 offices connected via wireless bridge. There are a bunch of Netonix switches up there connecting the wireless bridges together. I'm installing an industrial Cisco switch in the mix. The issue is that one of the switches at the physical office is configured as an access port instead of trunk. When I bring up the Cisco switch that connects to a Netonix, it doesn't really see the Netonix switch and attempts to make a connection to this switch that's configured as an access port - I get a port mismatch on both switches. Right now I can't configure both switches as trunk ports because at the physical office there is also an untagged VLAN on the router. We're planning a trip up to this site and I plan to tag the traffic in the office so I can trunk both ports.

But I got to thinking: is there a way on the Cisco switches to somehow just deny a connection being formed but allow all other connections? Port security?



[Troubleshooting Post-Mortem] 5 port old switch causing unrelated ports on a 2960 to drop 50%+ of outgoing packets?

Junior tech here, working for an MSP. At a client today, and was working on an issue with poor application performance. Noticed pings dropping like crazy from users' desktops to the SQL and App servers.

Checked the 2960 they have in the main closet and after clearing counters and watching output drops for a bit, 8 ports were dropping 50, even 75%+ of outgoing traffic. I'll admit there were probably other stats I could have checked, but I found the MAC addresses of the users' PCs who were complaining, and they all came up under one port. Assuming correctly, there was a switch buried between their desks. Old 5-port Linksys 10/100.

Removed, swapped with a 5 port gig dumb switch, and when I checked the counters they sat at 0, and still sit at 0 for all ports.

Users across the company report way better performance for their applications. Is there a reason I'm not thinking of that the removal of a switch like this would fix? I doubt it was messing with STP, right?



NX-OS headaches

Hey gents, I've only worked in Cisco IOS before and so far NX-OS is kicking my ass. I have a pair of nexus 3000 switches, the rest of my network is Meraki gear. I have to use these Nexus switches to implement PTP on a small segment of my network.

The problem I'm running into right now is that I can't get the switchports to route traffic.

It's quite possible that I've forgotten a simple step somewhere.

I've set up my ports as follows:

Eth1/46   20   eth   access   down   Link not connected   auto(D)   --
Eth1/47   20   eth   access   up     none                 100(D)    --
Eth1/48   20   eth   trunk    up     none                 1000(D)   --

I go into config mode and enter in my ip route:

ip route x.x.x.x/x y.y.y.y/y

hit enter, no errors

then I run sh ip route and my route isn't there.

pastebin of sh run: https://pastebin.com/DjMEK2WS

can anyone see why traffic isn't being routed?

TIA



CGNAT Accounting Radius

I have been reading a bit about Carrier Grade NAT and the ability to use the same IP for multiple customers. I have seen many small WISPs using this, presumably to save money on buying IP blocks. The vast majority seem to use a RADIUS system and I would suspect that the IP recorded would be the same for all the users sharing the IP at that time. As I understand it, it is important to keep strict records of IP usage in the event that law enforcement requires this information. If this information was required, though, how would it be possible to determine the user?



Anyone using Juniper QFX series in the Data Center?

It's hard to find reviews on this stuff, sometimes. We're thinking of making the leap from an all-Cisco environment to running Juniper QFX-5200s. Most of our team has Juniper EX series experience but haven't touched the QFX series ever. Any casual reviews? We're just looking to hear some experiences from others.

I can't really find many reviews other than on gartner, where the reviews kinda read like advertisements.



JunOS virtual-router dns issues

Hi,

I have a virtual-router instance and I set all the hosts within this virtual-router instance to use the gateway 10.0.70.1 for dns.

set system services dns dns-proxy interface irb.70
set system services dns dns-proxy default-domain * forwarders 10.0.9.11

This is the security-zone:

set security zones security-zone LAB-VR-ZONE interfaces irb.70 host-inbound-traffic system-services dns

The routing-instance is this:

set routing-instances LAB-VR instance-type virtual-router
set routing-instances LAB-VR system services dhcp-local-server group LAB-VR-MAN-GROUP interface irb.70
set routing-instances LAB-VR access address-assignment pool LAB-VR-MAN-POOL family inet network 10.0.70.0/24
set routing-instances LAB-VR access address-assignment pool LAB-VR-MAN-POOL family inet range LAB-VR-MAN-IP-SCOPE low 10.0.70.100
set routing-instances LAB-VR access address-assignment pool LAB-VR-MAN-POOL family inet range LAB-VR-MAN-IP-SCOPE high 10.0.70.254
set routing-instances LAB-VR access address-assignment pool LAB-VR-MAN-POOL family inet dhcp-attributes name-server 10.0.70.1
set routing-instances LAB-VR access address-assignment pool LAB-VR-MAN-POOL family inet dhcp-attributes router 10.0.70.1
set routing-instances LAB-VR interface irb.70
set routing-instances LAB-VR routing-options interface-routes rib-group inet LAB-VR_TO_inet.0
set routing-instances LAB-VR routing-options static route 0.0.0.0/0 next-table inet.0

The problem now is I could not resolve any FQDN. I could ping all the way to the Internet, but I could not resolve any FQDN.



connect modem to my asus RT-AC88U

Hi Guys,

I need to have a failover internet connection. I've bought the new Asus RT-AC88U router and I saw that it has a USB port available. My question is, can I connect a modem with a SIM card to my router via USB and get the internet from it? If the answer is yes, can I somehow make it automatically switch to the modem when the WAN connection is offline?

Many thanks!



MSS and options length

Hello, I thought that by disabling certain options that I don't need, like window scaling, I could increase the MSS I am advertising to the peer, but this doesn't seem to be the case when looking at the first SYN header: the MSS is always fixed at 1460. Is there some clear explanation on MTU, MSS and their relationship with the header length? Also, is the size of the TCP payload received from the peer related to its MSS? I am confused looking at the Wireshark trace, as the payload I receive is less than 1260 bytes, which is the peer MSS. Thank you for any clarification.
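The two observations in the question have one explanation: the MSS value is derived from the link MTU (1500 minus a 20-byte IP header and a 20-byte TCP header gives 1460) and does not change when options are removed, because options live in the TCP header and show up in its Data Offset field, not in the MSS. On data segments the sender then has to subtract any options it still uses (the timestamps option plus two NOP bytes is 12 bytes) from the MSS it received, which is why the payload arriving from a peer that advertised 1260 is smaller than 1260 (RFC 6691). As an added example, not from the post, the script below builds two raw TCP SYN headers, one with only the MSS option and one with the usual full option set, parses both back, and shows that the MSS is identical while the header length differs; the port numbers, sequence number and timestamp values are made up.

```python
import struct

# TCP option kinds (RFC 793 / RFC 7323 / RFC 2018).
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_TS = 0, 1, 2, 3, 4, 8
NOP = bytes([OPT_NOP])


def opt_mss(mss):
    return struct.pack("!BBH", OPT_MSS, 4, mss)


def opt_wscale(shift):
    return struct.pack("!BBB", OPT_WSCALE, 3, shift)


def opt_sack_permitted():
    return bytes([OPT_SACK_PERM, 2])


def opt_timestamps(tsval, tsecr):
    return struct.pack("!BBII", OPT_TS, 10, tsval, tsecr)


def build_syn(src_port, dst_port, seq, options):
    """Raw TCP header for a SYN (no IP header; checksum left at zero).

    Options are padded to a multiple of 4 bytes and the Data Offset field
    is set to the total header length in 32-bit words. That is where an
    option's bytes go: into the header, never into the MSS value.
    """
    opts = b"".join(options)
    opts += b"\x00" * (-len(opts) % 4)
    data_offset = (20 + len(opts)) // 4
    syn_flag = 0x02
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                        data_offset << 4, syn_flag, 65535, 0, 0)
    return fixed + opts


def parse_tcp_options(segment):
    """Return (header_length, options) decoded from a raw TCP header."""
    header_len = (segment[12] >> 4) * 4
    opts = segment[20:header_len]
    found = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d truncated" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed option length %d" % length)
        body = opts[i + 2:i + length]
        if kind == OPT_MSS:
            found["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE:
            found["wscale"] = body[0]
        elif kind == OPT_SACK_PERM:
            found["sack_permitted"] = True
        elif kind == OPT_TS:
            found["timestamps"] = struct.unpack("!II", body)
        else:
            found["kind_%d" % kind] = body
        i += length
    return header_len, found


def mss_for_mtu(mtu, ip_header=20, tcp_header=20):
    """MSS = link MTU minus the fixed IP and TCP headers (1500 -> 1460).
    Options are deliberately not subtracted here; see max_payload()."""
    return mtu - ip_header - tcp_header


def max_payload(peer_mss, option_bytes_on_data_segments):
    """Largest payload one data segment may carry towards the peer.

    RFC 6691: the MSS counts data only, so a sender that keeps options on
    data segments (timestamps = 10 bytes plus 2 NOPs) must shrink the
    payload by that many bytes. A peer MSS of 1260 thus gives 1248-byte
    segments, i.e. a payload smaller than the advertised MSS.
    """
    return peer_mss - option_bytes_on_data_segments


if __name__ == "__main__":
    bare = build_syn(40000, 443, 1, [opt_mss(1460)])
    full = build_syn(40000, 443, 1, [opt_mss(1460), opt_sack_permitted(),
                                     opt_timestamps(100, 0), NOP, opt_wscale(7)])
    print(parse_tcp_options(bare))   # header 24 bytes, mss 1460
    print(parse_tcp_options(full))   # header 40 bytes, mss still 1460
    print(max_payload(1260, 12))     # 1248
```

Dropping window scaling therefore shortens the SYN by 4 bytes (3 for the option plus its NOP pad) and buys nothing in MSS; the only way to raise the advertised MSS is a larger path MTU.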



Broadcast Domains in the Data Center

Hey guys,

I'm really trying to educate myself about all the factors that go into designing networks, specifically data centers in this case. I seem to hear a lot of talk about expanding L2 domains in the data center, and this has me thinking... at what point does a VLAN become too large in a DC environment?

Obviously broadcasts can take a toll on server resources, but at what point would a VLAN become big enough for that to be a legitimate concern? Or is the real concern actually that a larger VLAN would equal a larger failure domain (in the event that a host gets compromised and/or its NIC malfunctions)?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.



Change MPLS with which technology

Hello all, we connect to our central offices with an MPLS connection and we want to change it. Which one is suitable in these circumstances? Thanks a lot.



Thursday, February 1, 2018

Enterprise vs Government

First 4-5 years of my career, I started out working in small and medium business networks. For the last 4-5 years, I have been a govt contractor.

I'm starting to wonder what it would be like working in a large enterprise network outside of the gov't. It feels like being a government contractor earns more money with the demand for clearances, but I have been on contracts where there are incompetent teammates but they just hang around forever no matter what. They're just seats to fill.

What are the benefits of working in a large private company vs working as a contractor in the government? I would think in the government technology is a few years behind, projects move at a much slower pace, but you get paid much more. Also, being a contractor (depending on the contract), you don't work overtime or get paid for working overtime.



A merry tune, the story of IPv4

Off topic, but I wrote this poem after a rant with a co-worker and thought some people here might like it.

so once upon a time there was a really smart guy,

he said "We'll run out of v4!", it wasn't a lie.

decades snuck past, like a bear in a den,

no thinking ahead, companies prefer CGN!

new hardware deployed supports Carrier-Grade-Nat,

what a joke; could you please take it back?

disaster ensues, ip blocks being shuffled,

the screams of v4 routing tables silently muffled.

hilarity ensues, wikipedia bans a nation -

apologies were given, possibly carnations.

how you might ask? a group of users you see,

the entire country of Qatar sharing a single IP.



Mellanox SN2100 help

Hey all,

We are new to Mellanox networking. We are looking to get some SN2100s, but for the short term I need to connect them to some Dell switches that only run at 10GB over SFP+.

Does anyone know what direct attach cable I can get to plug into the QSFP28 ports? I am under the belief that the 40gb to 4x 10gb cables should work?

Cheers



Powerline Adapter TL-PA4010 KIT

http://www.tp-link.com/latam/products/details/cat-5034_TL-PA4010-KIT.html

Will this work with aluminum wiring... is it dangerous with aluminum wiring???

My friend seems to think this will be effective in my house.... I am not quite sure why.



wlc upgrade caution

At some point we will be upgrading from 8.2. Spoke with Cisco TAC and the engineer said to not upgrade to 8.5 as they were getting calls by the day from those who had. Just thought I would post. thx



vPC Issue between 3 N5K switches

So in summary we just got 2 new 5624Q to use as core switches and I'm trying to set up vPC to a 56128 TOR switch. It looks like the 2 core switches see the port-channel up if I'm reading it correctly but the TOR switch isn't seeing the same (SD).

Any help would be much appreciated!

Here are the outputs for the 3 switches:

CORE SWITCH 1

SES-CORE-SW-01(config-if)# sh vpc brief
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                     : 1000
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is alive
Configuration consistency status  : success
Per-vlan consistency status       : success
Type-2 consistency status         : success
vPC role                          : primary, operational secondary
Number of vPCs configured         : 1
Peer Gateway                      : Disabled
Dual-active excluded VLANs        : -
Graceful Consistency Check        : Enabled
Auto-recovery status              : Enabled (timeout = 240 seconds)

vPC Peer-link status
id   Port   Status   Active vlans
1    Po1    up       1

vPC status
id     Port   Status   Consistency   Reason    Active vlans
1000   Po21   up       success       success   1

SES-CORE-SW-01(config-if)# sh port-channel summary
Flags:  D - Down        P - Up in port-channel (members)
        I - Individual  H - Hot-standby (LACP only)
        s - Suspended   r - Module-removed
        S - Switched    R - Routed
        U - Up (port-channel)
        M - Not in use. Min-links not met

Group   Port-Channel   Type   Protocol   Member Ports
1       Po1(SU)        Eth    LACP       Eth2/11(P)   Eth2/12(P)
21      Po21(SU)       Eth    NONE       Eth2/1(P)

CORE SWITCH 2

SES-CORE-SW-02(config-if)# sh vpc brief
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                     : 1000
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is alive
Configuration consistency status  : success
Per-vlan consistency status       : success
Type-2 consistency status         : success
vPC role                          : secondary, operational primary
Number of vPCs configured         : 1
Peer Gateway                      : Disabled
Dual-active excluded VLANs        : -
Graceful Consistency Check        : Enabled
Auto-recovery status              : Enabled (timeout = 240 seconds)

vPC Peer-link status
id   Port   Status   Active vlans
1    Po1    up       1

vPC status
id     Port   Status   Consistency   Reason    Active vlans
1000   Po21   up       success       success   1

SES-CORE-SW-02(config-if)# sh port-channel summary
Flags:  D - Down        P - Up in port-channel (members)
        I - Individual  H - Hot-standby (LACP only)
        s - Suspended   r - Module-removed
        S - Switched    R - Routed
        U - Up (port-channel)
        M - Not in use. Min-links not met

Group   Port-Channel   Type   Protocol   Member Ports
1       Po1(SU)        Eth    LACP       Eth2/11(P)   Eth2/12(P)
21      Po21(SU)       Eth    NONE       Eth2/1(P)

TOR SWITCH

SES-TOR-SW-F10(config-if)# sh port-channel summary
Flags:  D - Down        P - Up in port-channel (members)
        I - Individual  H - Hot-standby (LACP only)
        s - Suspended   r - Module-removed
        S - Switched    R - Routed
        U - Up (port-channel)
        M - Not in use. Min-links not met

Group   Port-Channel   Type   Protocol   Member Ports
10      Po10(SD)       Eth    NONE       --
21      Po21(SD)       Eth    LACP       Eth1/49(I)   Eth1/50(I)



Netflow analysis and anomaly detection

I am currently using the ELK Stack for NetFlow analysis, but couldn't find a way to detect anomalies and threat issues. Could anyone suggest software to accomplish this? Or anything that could help me.
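Two of the simplest anomaly checks on flow data can be scripted directly against the records ELK stores, before reaching for a dedicated product: a per-source volume baseline that flags a flow far larger than that source's usual sessions, and a fan-out count that flags one source touching many distinct ports on one destination. As an added example, not from the post and not tied to any ELK plugin, the script below runs both over a constructed set of flow records with the src/dst/dport/bytes fields a NetFlow pipeline produces; the addresses and byte counts are made up, and the thresholds are assumptions to tune per network.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records (not real traffic), shaped like the fields a
# NetFlow pipeline emits after flattening: one dict per flow.
FLOWS = []
for i in range(20):                       # 10.1.1.10: steady ~50 KB sessions
    FLOWS.append({"src": "10.1.1.10", "dst": "10.2.0.5", "dport": 443, "bytes": 50_000 + i * 100})
FLOWS.append({"src": "10.1.1.10", "dst": "198.51.100.9", "dport": 443, "bytes": 5_000_000})  # outlier
for port in range(1, 31):                 # 10.1.1.20: touches 30 ports on one host
    FLOWS.append({"src": "10.1.1.20", "dst": "10.2.0.9", "dport": port, "bytes": 60 + port % 5})
for i in range(5):                        # 10.1.1.30: too few flows for a baseline
    FLOWS.append({"src": "10.1.1.30", "dst": "10.2.0.5", "dport": 443, "bytes": 40_000})


def robust_zscores(values):
    """Modified z-scores (median/MAD): one huge flow cannot drag the
    baseline the way a mean/standard-deviation baseline would."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0   # avoid divide-by-zero on flat data
    return [0.6745 * (v - med) / mad for v in values]


def volume_outliers(flows, threshold=3.5, min_flows=10):
    """Flows whose byte count is far above the sending host's own baseline."""
    per_src = defaultdict(list)
    for flow in flows:
        per_src[flow["src"]].append(flow)
    alerts = []
    for src, src_flows in per_src.items():
        if len(src_flows) < min_flows:
            continue                      # not enough history to call anything unusual
        scores = robust_zscores([fl["bytes"] for fl in src_flows])
        for flow, z in zip(src_flows, scores):
            if z > threshold:
                alerts.append({"type": "volume", "src": src, "dst": flow["dst"],
                               "bytes": flow["bytes"], "z": round(z, 1)})
    return alerts


def port_fanout(flows, min_ports=20):
    """Sources that reach many distinct destination ports on a single host."""
    ports = defaultdict(set)
    for flow in flows:
        ports[(flow["src"], flow["dst"])].add(flow["dport"])
    return [{"type": "fanout", "src": s, "dst": d, "ports": len(p)}
            for (s, d), p in ports.items() if len(p) >= min_ports]


def analyze(flows):
    return volume_outliers(flows) + port_fanout(flows)


if __name__ == "__main__":
    for alert in analyze(FLOWS):
        print(alert)
```

On the sample data this yields exactly two alerts: the 5 MB transfer from 10.1.1.10, and 10.1.1.20 touching 30 ports on 10.2.0.9. The same two functions could be fed by an Elasticsearch aggregation query over a time window instead of the inline list, with the threshold and window size tuned against a few days of known-good traffic first.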



Does Juniper have anything like the CiscoLive library from where I can download slides and watch videos?

Hi guys

I am learning Juniper and I wanted to know if they have anything (that is available to anyone with an account @juniper.net) similar to the CiscoLive Library.

Some of you were saying that Juniper's docs are much better than Cisco's so how are they in the above respect?



Is VMware Horizon/PCoIP protocol "secure" over the internet?

I'm reviewing Horizon client traffic on the outside interface of the firewall.

On the outside interface it's a mix of tcp/443 and tcp/4172. The tcp/4172 gets classified as PCoIP client on the outside interface.

On the DMZ the broker(?) makes tcp/4172 connections that the firewall classifies as either PCoIP or SSL over tcp/4172.

I'm suspicious of the Horizon PCoIP tcp/4172 client traffic going over the internet - is it 100% encrypted or not?



Load Balancing

We're currently running a Fatpipe with 2 ISPs and smart DNS. Device is 3 years old and I'm looking to replace it.

Is F5 still the gold standard? Anyone using the Cisco RVs or TP-Links (they look a little anemic on options)?



Small Business Network, Office 365 won't download error code 30068-39

Little background on me I just started working in Helpdesk role at a new company with a very small IT team consisting of me and a sys admin (Who I'm not confident knows anything about sys admining lol)

I'm looking for some advice or tips on how to solve a problem where windows 365 will not download w/error code 30068-39. I know that if we take these systems off the network and use our own personal networks, the software suite downloads just fine. I think it's a porting issue but I don't know where to start. I'm not interested in taking anybody's ideas and passing them off as my own. I just simply want to understand what could cause this and fix it.

We do run an antivirus software which I have temporarily disabled on this workstation just to see if that could be causing it. But I doubt it for reasons I mentioned above.

Does Microsoft use a specific port for downloading software that may be closed?



Ddns on ASA?

Anyone ever set this up? I've got a business network with a dynamic IP (static NOT available) and would like my host name to auto update with a 3rd party hostname provider for consistent VPN connection. I've seen the Cisco white paper on this but none of the options seem to work properly with what I'm trying to achieve.



FBNet-Command-Runner (FCR)

FBNet Command Runner (FCR)

A thrift service to run commands on heterogeneous Network devices with configurable parameters. It scales to a large number of devices.

It hides most of the device-specific details like: prompt processing, IP address lookup. The base implementation only supports SSH, but other types of connections can be easily added. Clients can use any language of choice to communicate with the server using thrift calls.

I have been trying to get this to work, but have no clues being a Python Novice.

Any directions on how to set this up would be much appreciated if one of you have tried this before.

https://github.com/facebookincubator/FCR

NANOG Slides: https://pc.nanog.org/static/published/meetings/NANOG71/1454/20171004_Singh_Command_Execution_In_v1.pdf

Video: https://www.youtube.com/watch?v=E462j9XLbgY



Do you make notes while troubleshooting?

I have recently been trying to narrow down a registration bug with our SIP phones and eventually sorted the problem out.

After a few other failed attempts of the same thing I decided this time to make a note of every change/attempt I made at fixing the problem in chronological order. This made it easy to see what I'd already tried, but also to tie in my changes with the remote server log should I need to ask the provider.

The problem is, once I started making progress I completely forgot about the manual logging. My question is, do you make logs as you go, and if so, do you have a set structure?

As an example, here are some of my logs from the fix attempt:

20:34 - Enabled SIP ALG on gateway via system -> conntrack -> modules -> sip -> disable.
20:38 - Tested session kill from AAISP end, phones d/c and aren't re-registering.
20:41 - Re-enable SIP ALG and reboot router
20:47 - Reboot PoE switch (192.168.1.23)
20:50 - CORE-SW-001 uplinks appear to be p39, p41, p47, p48
20:50 - Add VLAN 999 'VoIPDMZ' to CORE-SW-001 uplink ports and port 11 untagged (to firebrick)
20:55 - Add tagged VLAN 999 to test port 13
20:57 - Change tagged VLAN 999 on port 13 to UNtagged VLAN 999 on port 13 because no IP address was assigned when tagged
21:04 - Add VLAN 999 to HP PoE switch as tagged VLAN on p50 and untagged on test port 27 (Brew Room phone), rebooted brew room phone
21:11 - Change port 27 to tagged VLAN 999 and tagged VLAN 40 (original VoIP VLAN)
21:12 - Factory reset test Brew room phone
21:16 - Add p21 on HP PoE switch to UNtagged VLAN 999 to test laptop DHCP lease
21:18 - Laptop not getting DHCP lease on test port - checking new VLAN is traversing switches
21:19 - First checking if laptop gets DHCP lease on CORE-SW-001 p13 which is still UNtagged VLAN 999
21:21 - Laptop gets DHCP lease and public IP of PUBLICIP on p13 of CORE-SW-001
21:22 - Hardcode brew room test phone to use VLAN 999 tag
21:23 - Added tagged VLAN 999 on CORE-SW-001 to p43, brew room phone got DHCP lease PUBLICIP
21:33 - Manually configured test brew room phone with SIP account, registered successfully.
21:33 - Killing AAISP session to test new connection method
21:37 - Brew room phone failed to re-register
21:38 - Change brew room phone to TCP from UDP and kill session at AAISP
21:41 - Brew room phone failed to re-register
21:42 - Revert brew room phone to UDP and enable STUN
21:42 - Brew room phone re-registers, killing session at AAISP again to see if it re-registers
21:44 - Session killed, no re-register from test phone yet
21:47 - Disabled STUN and switch to IP rather than FQDN on brew room phone
22:00 - Switch brew room phone to TCP while on IP without DNS and force re-register, trying kill session at AAISP
22:17 - Lowered all SIP session timers on brew room phone, tested UDP and TCP and killed session - still no re-register
22:17 - Found useful forum post with similar issue (https://www.3cx.com/community/threads/periodically-phones-lose-registration.47666/)
22:17 - Found newer version of Yealink firmware for T19P E2 models, trying now
22:23 - Upgraded brew room phone to firmware v. 53.82.0.20, set STUN and TCP, trying kill session at AAISP
22:45 - Brew room phone back to original VLAN 40 (tagged) - testing on Drug Right with new settings didn't work so updating firmware


Question about modem/router/telephone link

Today I stumbled on a "forum 5008" and I literally have no clue what this is. Picture is underneath.. I'd also like to know what the different lights mean.. my search on the web led to literally nothing...

Picture: https://imgur.com/d9p6Uht



Do Cisco certs still carry any value other than a resume boost?

I've met some heavily decorated techs/engineers that can't even answer a simple BGP question. Then there's guys with real hands on experience and no certs, who can outpace certed guys any day of the week. Dumps really have devalued certs and they're pretty much false advertising on your resume. Thoughts?

edit: Outside of CCIE, which is an actual test of knowledge. This is mostly about NA/NP



Dumb question... what kind of access list is this?

access-list 1 permit 192.168.1.254 

That's all it is. No mask, no ip host, nothing but just that. Does that mean it's applied to just an explicable, unwritten host, or? Also I can't find where that access list is applied in my config (I didn't write it myself) so I'm a little confused on its usage.



Actel 6850-U2X firmware

I have tried reaching out to vendors and not one could help me, but I really need help finding firmware 6.4.3.893.R01 or newer. We had a couple of these switches get corrupted in our datacenter and we're trying to reload the firmware to see if we can bring the switches back online. Any help you guys have would be awesome; I've tried everything I can think of.



Cisco asa 5506-x in a datacenter having trouble configuring vlans & subnetting

OK, let's get this out of the way: yes, I'm 100% underqualified for this. Yes, my boss should hire someone else to do it, but sadly he can't, because things are a bit tight money-wise at the firm and they cannot afford someone else to do it. I'm the sole IT guy of the firm (Linux admin) and that's why this has landed on my table.

So we got a Cisco ASA 5506-X for our rack. We have been assigned one IPv4 /28 by our ISP and one IPv6 /48.

The primary scope is: "Have the ASA act as a firewall to protect internal servers, and separate internal servers and external services on different VLANs. The external servers should be assigned their own external IP from the /28."

Ipv6 is a plus but not strictly needed.

Everything is configured using the ASDM graphical interface.

From now on let's use the following faked subnet as an example: 211.51.112.140/28

I have done the following:

  • set the ASA IP to 211.51.112.142 with a subnet mask of 255.255.255.240
  • set up the internal interface with 192.168.1.0 as an IP, with DHCP ranging from 192.168.1.5 - 192.168.1.128; subnet mask is 255.255.255.0
  • set up the external_servers interface with 192.168.2.0 as an IP, with DHCP ranging from 192.168.2.5 - 192.168.2.128; subnet mask is 255.255.255.0
  • set up a static route from any4 to the gateway 211.51.112.141

Now I want to assign 211.51.112.143 to a server hosting a test website on port 80/tcp. The way I tried to do that was going to Configuration > Firewall > Public Server > Add:

  • Private interface: external_servers
  • Private IP address: 192.168.2.5
  • Private service: tcp/http
  • Public interface: outside
  • Public IP address: 211.51.112.143

Am I doing this right? How can I prevent the servers on 192.168.2.* from accessing 192.168.1.*? Any best practices I need to think about?

Also a bonus question: how would I do this with IPv6? Is it the same way as with IPv4? As you can see I'm not really good with subnetting etc.

Any help would be appreciated. I'm certainly interested in best practices so i can learn it the right way from the start.
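As an added example (editor's code, not part of the original post), the script below uses Python's standard ipaddress module to check the addressing plan above before it is typed into ASDM. A block written as 211.51.112.140/28 normalises to 211.51.112.128/28, so its assignable addresses are .129 through .142 and .143 is the broadcast address; likewise 192.168.1.0 is the network address of 192.168.1.0/24, not an address an interface can carry. The role names, the DHCP-pool check and the /64 carved from the /48 are illustrative choices of mine, not from the post.

```python
"""Sanity-check an IPv4/IPv6 addressing plan against its prefix using only
the standard library. Added example for this thread, not code from the
original post; the addresses are the poster's own hypothetical
211.51.112.140/28 and 192.168.x.0/24 values."""
import ipaddress
from itertools import islice


def check_plan(prefix: str, roles: dict) -> dict:
    """Return {role: verdict} for each planned address in `roles`.

    `prefix` may be written from any address inside the block (the post
    wrote 211.51.112.140/28); strict=False normalises it to the network.
    'ok' means a usable host address; anything else names the problem.
    Network/broadcast checks apply to IPv4 only (IPv6 has no broadcast).
    """
    net = ipaddress.ip_network(prefix, strict=False)
    verdicts = {}
    for role, addr in roles.items():
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            verdicts[role] = "bad syntax"
            continue
        if ip.version != net.version or ip not in net:
            verdicts[role] = f"outside {net}"
        elif ip.version == 4 and ip == net.network_address:
            verdicts[role] = "network address, not assignable"
        elif ip.version == 4 and ip == net.broadcast_address:
            verdicts[role] = "broadcast address, not assignable"
        else:
            verdicts[role] = "ok"
    return verdicts


def usable_hosts(prefix: str) -> list:
    """Assignable host addresses of an IPv4 block (excludes network and
    broadcast), as strings."""
    net = ipaddress.ip_network(prefix, strict=False)
    return [str(h) for h in net.hosts()]


def dhcp_pool_ok(prefix: str, first: str, last: str, reserved=()) -> bool:
    """True if first..last lies inside the block's host range and avoids
    every reserved address (interface IP, static servers, ...)."""
    net = ipaddress.ip_network(prefix, strict=False)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if not (net.network_address < lo <= hi < net.broadcast_address):
        return False
    return not any(lo <= ipaddress.ip_address(r) <= hi for r in reserved)


def nth_subnet(prefix: str, new_prefix: int, n: int) -> str:
    """The n-th (0-based) /new_prefix carved from prefix, e.g. a /64 from a /48."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(next(islice(net.subnets(new_prefix=new_prefix), n, None)))


if __name__ == "__main__":
    # Hypothetical plan taken from the post above.
    plan = {"asa outside": "211.51.112.142",
            "isp gateway": "211.51.112.141",
            "web server": "211.51.112.143"}
    for role, verdict in check_plan("211.51.112.140/28", plan).items():
        print(f"{role:12} {plan[role]:16} {verdict}")
    print("usable:", usable_hosts("211.51.112.140/28"))
    print(check_plan("192.168.1.0/24", {"inside svi": "192.168.1.0"}))
    print("pool ok:", dhcp_pool_ok("192.168.1.0/24", "192.168.1.5",
                                   "192.168.1.128", ["192.168.1.1"]))
    print("second /64 of the /48:", nth_subnet("2001:db8::/48", 64, 1))
```

The checker only validates addresses; it says nothing about the NAT or access rules. Putting the ASA on a real host address of each inside network (for example .1 rather than .0) and keeping that address out of the DHCP pool is the first thing it will make you fix.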



Introducing an Internet Gateway into existing LAN

Hi, I am trying to introduce a firewall in the form of pfSense computer into my Network. I first will describe what kind of setup I have and what I want to end with.

Existing setup: a computer I will call DHCP-Server. It is connected to my local network on one card and to the internet on another card. The DHCP-Server thereby also acts as a gateway for all computers in the network to the internet.

What I am going for: I now want to relieve the DHCP-Server of being the gateway to the WWW. The task should be given to the firewall, which is basically a computer with pfSense, as I said. So I connected the firewall's WAN to the WWW, and its LAN is basically a DHCP client. The DHCP-Server is setting the default route to the IP of the LAN. The client also changes its default route to the IP of the firewall. Now for some reason this doesn't work. What works is setting pfSense to be the DHCP server for the LAN. In that case, clients have access to the internet.

Do you good people have any idea where I went wrong or missed something? I am not even sure if my problem is the config of pfSense or DHCP-Server.

Cheers Jan



IBGP injecting global routes from EBGP

Hi,

I have two edge routers R1 and R2. Each has EBGP sessions to upstream providers and receives full routes.

To exchange these routes, R1 and R2 have an IBGP session established between themselves.

These routes are placed in a GLOBAL table (or VRF if you will; I am using Linux and Bird for BGP).

R1 and R2 are also configured as route reflectors for my internal routes (using an INTERNAL table to store them).

To exchange these routes between themselves I have another IBGP session between R1 and R2. To make it work, I am using a different IP address to establish this session.

I have other routers R3, R4, R5 ... that establish IBGP sessions to R1 and R2 (route reflectors) to exchange my internal routes.

I leak some routes from the INTERNAL table to the GLOBAL table that are meant to be routable on the edge routers (e.g. non-RFC 1918 addresses).

Problem:

I would like to pass some/all global routes to select routers (R3, R4). What is the best way of achieving it?

Option 1 (utilizing the existing route reflector IBGP sessions):

1) On the route reflectors, leak routes from the GLOBAL table to the INTERNAL table and tag them with some BGP community.

2) On the route reflectors, for each IBGP RR client session to R3 and R4, filter the outgoing routes based on the community tag to let them pass. For other IBGP RR client sessions I would reject these routes.

pros:

  • using the existing single IBGP session

cons:

  • I will pollute the INTERNAL table with GLOBAL routes on the route reflectors
  • I will need to be careful with route filtering on the route reflectors, otherwise I can accidentally push full routes to other routers. This is additional work.

Option 2 (establishing a second IBGP session):

1) Slap a different IP address (e.g. on a loopback interface) on R3 and R4.

2) Establish a second IBGP session to R1 and R2 from R3 and R4.

pros:

  • this will work
  • I don't need to touch other route reflector IBGP sessions (to update filters).
  • I can export the routes I want inside the newly established IBGP sessions.
  • I won't pollute the INTERNAL table on the route reflectors with routes from the GLOBAL table.

cons:

  • second IBGP session

What would be the better thing to do? I am leaning towards option 2.

Thank you.



ASA webvpn vulnerability upgrade

If I have to upgrade an ASA to mitigate the latest and greatest webvpn vulnerability, do I also have to upgrade the AnyConnect client? I've upgraded ASAs before but never with webvpn enabled. I've read through the Cisco guides below but they are both silent on the matter. They talk about ASDM compatibility and the Sourcefire compatibility module but nothing about AnyConnect compatibility. The only AnyConnect compatibility document I found lists compatibility with client OS (Windows, Mac, Linux, what have you) but nothing about ASA firmware:

Planning your upgrade: https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/planning.html

Upgrade the ASA: https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/asa-appliance-asav.html#concept_F0701C3A86854801958757CEF1E4D999

What will the end user experience be? Will they have to download a new client? Does it happen automatically or do I have to send it to them through a side channel? I'm guessing I may have trouble with users that don't have admin privileges on their stations.



Netgear GS728TP SFP RJ-45

Hi, long time lurker. Hope it's not too nooby. I have some Netgear GS728TP's and would like to have some RJ-45 on the SFP Ports. Netgear HP says that the AGM734 modules are not for the GS728. Has anybody tried a RJ-45 SFP Module on the GS728?

Thanks ahead.



~3500 Flash Cards for CCIE R&S v5.1

http://ift.tt/2E7YY0U

Best Training center to learn new growing technology


Moving from a huge enterprise network to a company managing multiple clients with small networks and a wider range of vendors: how did you adjust, and any advice?

As the title says, I'm a bit nervous about leaving my giant enterprise Cisco shop network and joining a service provider managing lots of clients with lots of different vendors, many of which I have never logged into. Just seeing who else has made this type of transition, and any advice or things you wish you knew when you began?



Hey guys, how can I pull from a DHCP server from two separate VLANs on two separate networks?

I have two client networks pointing to one DHCP server.

DHCP Server
    |
  L3Sw1
    |
  L3Sw2 — VLAN 2 (192.168.2.1)
    |
  L3Sw3 — VLAN 3 (192.168.3.1)

In between Sw2 and Sw3 is OSPF, in between Sw2 and Sw1 is a static route with both client networks pointing back to Sw2.

Sw2 has an SVI for VLAN 2, and Sw3 for VLAN 3. They both have helper-addresses for the single DHCP server.

Currently: clients on Sw2 can pull DHCP while clients on Sw3 can't; clients on Sw3 with a static route can ping the server.

I can’t access my lab right now and I’m stuck with packet tracer, but I recreated my problem.

How would it be possible to pull the same DHCP scope to clients on vlan 3 in Sw3? Would it even be possible?

Apologies as I did ask this question a few days ago, but I was drunk and could not figure out how to word it.

Thanks for any help

Edit: Some formatting/IP errors.



Need suggestions: 48 port PoE switch

Hey guys, I'm looking for suggestions on what switches you would recommend. I need the switch to be managed, PoE capable, supporting 400+ VLANs, and with at least 500 watts of PoE power. We plan to hook up Ubiquiti AC Pros to the switches and have all 48 ports used for the AC Pros. Does anyone have an idea of what I could get? Is this possible for ~$1000 per switch or ~$1500 per switch?



Is there a way to collapse all rules in ASDM?

On some contexts we have like 15 interfaces, and it's really annoying it doesn't have a collapse/expand all rules button (or i just can't find it). We have version 7.6(1)



Cisco netflow - possible to include packet size?

We are currently setting up NetFlow v5 on our switches, and we are not able to get the packet size via NetFlow v5.

We get the following error: https://image.ibb.co/itzD16/error.png



Cisco ECCN for router 2921

Hello reddit,

I need some help regarding ECCN for CISCO 2921. The confusion I have is what is ECCN for this product if I use npe (no payload encryption) image. If I go to cisco eccn page, and use the product ID CISCO2921/K9 I get the 5A002.A.1 ECCN number for the router.

For IOS, selecting Cisco IOS Universal 15.0(1)M Image for 2901-2921 or Cisco IOS Univ. Image 15.0(1)M (No Payload Encryption) for 2901-2921, they both have the same ECCN 5D002.C.1

As we would like to export the product to Russia, I have a problem with selecting the correct image, as it seems that both have the same ECCN. Is it possible to go with the "normal" universal image in this case?

Thank you.



Win L2TP with Cisco ASA

So we migrated to a new firewall ASA 5516-X. Previously we were using Windows L2TP remote access VPN but since changing to the ASA we are having issues using it.

Some people can connect, some cannot. Some people can connect from one ISP and then not from another. It doesn't make any sense to me. I have engaged TAC and they are telling me the ASA is configured correctly and it is not the cause. I am getting a lot of grief since it stopped working after the firewall migration. The error we get is 789. Google tells me some things to check but that is for issues connecting full stop, not for intermittent connection issues.

Anyone got any pointer for me to look into? I will be very grateful.



Unifi Routers

I have been asked to troubleshoot an issue where a certain SIP ACK packet is not making it through the firewall across an IPsec VPN from a 3CX PBX to a 3CX softphone. This makes calls drop when they go on hold.

With Cisco devices I could probably get to the bottom of it but this set up is using a Unifi router which I am somehow administrating from a centralised cloud controller. Even if I could SSH into a command line I wouldn't know whether to SSH into the box or into the cloud controller. I don't have the luxury of access lists or any decent logs.

Any Unifi guys out there with any tips? I am prepared to learn a little bit of the CLI as my boss (an MSP) has deployed these things everywhere.



Wednesday, January 31, 2018

Wired ports security

I'd like to know how you guys handle these type of things. The goal is to block people (or at least alert) from random connecting their stuff into network ports they find in the office.
We don't have public areas, and all access is restricted or at least someone has to let you in to be able to access the premises. But we had an instance where a printer maintenance guy plugged in his laptop on the printer port and caused an outage because he set his laptop with the same IP as the default gateway of the network, without telling anybody that he was doing so.
Now the obvious answers are:
- port security (i.e. lock down ports by MAC). Easy to implement, but relatively easy to spoof and it is a pain in the ass for the staff, we have hundreds of endpoints.
- 802.1x with NPS or ClearPass: increases complexity a lot, requires NPS / ClearPass HA configs, very expensive, and i have the feeling that it will create a lot more problems that it is trying to fix.
I was thinking of something like Snort, but this would require to set all port in mirroring which will kill the switch CPU.
What i am trying to achieve at the end of the day is to receive an alert (at least) that an "uncommon" device (i.e. a MAC address the switch never saw) accessed the network.
Thanks in advance.
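As an added example (editor's code, not part of the post above): the alert the poster asks for at the end, a MAC address the switch has never seen, can be produced from the MAC address table alone, with no port mirroring and no IDS. The script parses IOS-style `show mac address-table` text (the sample table and baseline below are constructed for the example), skips uplink ports, which carry every MAC behind them, and reports MACs that are new or that moved to another access port. As the post already notes, MACs are spoofable, so this is an alert and not a control; Catalyst switches can raise the same events natively with `mac address-table notification`, and DHCP snooping plus Dynamic ARP Inspection are the switch-side controls that would have dropped the ARP replies of a laptop that claimed the gateway's IP address.

```python
"""Alert on MAC addresses a switch has not seen before, and on known MACs
that moved port. Added example, not from the original post. Parses the
plain-text output of an IOS-style `show mac address-table`; the sample
output and baseline below are constructed. In practice the baseline would
be persisted between runs (e.g. a JSON file per switch)."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "vlan mac port")

# One learned row, e.g. "  10    0011.2233.4455    DYNAMIC     Gi1/0/12".
# Header, separator and "All ... STATIC CPU" rows do not match (no numeric VLAN).
_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text: str) -> list:
    """Return an Entry per learned row, MACs normalised to lower-case."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            vlan, mac, _kind, port = m.groups()
            entries.append(Entry(int(vlan), mac.lower(), port))
    return entries


def diff_against_baseline(entries: list, baseline: dict,
                          uplinks: frozenset = frozenset()) -> dict:
    """Compare the current table with a {mac: port} baseline.

    'new'   : MACs never seen on an access port before (the alert wanted here)
    'moved' : known MACs now on a different access port (possible spoof or
              someone re-patching), reported with the old port
    Uplink/trunk ports are ignored because every MAC behind them shows up there.
    """
    new, moved = [], []
    for e in entries:
        if e.port in uplinks:
            continue
        if e.mac not in baseline:
            new.append(e)
        elif baseline[e.mac] != e.port:
            moved.append((e, baseline[e.mac]))
    return {"new": new, "moved": moved}


def update_baseline(baseline: dict, entries: list,
                    uplinks: frozenset = frozenset()) -> dict:
    """Accept the current table as the new known-good state (after review)."""
    nb = dict(baseline)
    for e in entries:
        if e.port not in uplinks:
            nb[e.mac] = e.port
    return nb


# Constructed sample output; Gi1/0/24 is the uplink in this example.
SAMPLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    00aa.bbcc.ddee    DYNAMIC     Gi1/0/2
  20    0050.56aa.0001    DYNAMIC     Gi1/0/24
  20    00de.adbe.ef01    DYNAMIC     Gi1/0/7
"""

# Constructed baseline: 00aa... was last seen on Gi1/0/3, 00de... never seen.
BASELINE = {"0011.2233.4455": "Gi1/0/1", "00aa.bbcc.ddee": "Gi1/0/3"}
UPLINKS = frozenset({"Gi1/0/24"})

if __name__ == "__main__":
    report = diff_against_baseline(parse_mac_table(SAMPLE), BASELINE, UPLINKS)
    for e in report["new"]:
        print(f"NEW   vlan {e.vlan} {e.mac} on {e.port}")
    for e, old in report["moved"]:
        print(f"MOVED vlan {e.vlan} {e.mac} {old} -> {e.port}")
```

Feed it the table collected over SSH or SNMP on a schedule, alert on anything in `new` or `moved`, and only call `update_baseline` once a human has confirmed the device. Static entries and the CPU's own MACs are excluded by the numeric-VLAN requirement in the regex, which is what you want for this purpose.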



HPE OfficeConnect 1950 Firmware Update Question

Hello r/networking, I've been a long-time lurker, however never have posted here. Forgive me if this post is not worthy of this sub.

I've been assigned to configure some HPE OfficeConnect 1950s for a client to replace some non-managed D-Link trash. I have quite a bit of experience with the HPE OfficeConnect 1920, however this is my first encounter with the 1950s. I'm aware these are H3C switches running Comware, which is different from ArubaOS and such.

I've had some time to login and poke around the UI and familiarize myself with the available options, and am currently in the process of reading through some manuals to clarify a few questions I have.

My issue today is regarding upgrading the firmware on these units. I have a few of each of these models: HPE 1950 24G 2SFP+ 2XGT PoE+ Switch (JG962A) HPE 1950 48G 2SFP+ 2XGT PoE+ Switch (JG963A)

I've downloaded the latest software: Software Release 1950_7.10.R3116 Build date: 07-Jun-2017

On the JG963A 48-port units, I had no problem navigating the UI via the default IP Address of the switch, uploading the 1950-CMW710-R3116.ipe file and rebooting the unit. Firmware was applied and all was well.

My issue is with the 3x JG962A 24-port units -- I can log in to the UI via the default IP, browse and select the same .ipe file to upload. However the switch UI just sits at "Uploading" and eventually gives me a timeout error after 20-25 minutes. I've connected via console, restored the default config and re-tried the upgrade with the same results. I've tried this on 2 of the 3 units that I have. If I reboot the unit during the upload, it simply reloads its stock boot image and functions normally. I'm not applying the update for a bug fix or feature enhancement; however, I do not like deploying units with firmware that isn't current.

Has anyone encountered a similar issue, or have a recommendation that I might try? It's after hours for me, but a TAC ticket will be my first step in the AM.



Dual ISP's at spokes with HPE Comware 7 ADVPN.

I recently moved jobs from a DMVPN environment to a Comware MPLS ADVPN environment. I have been looking into the idea of adding a secondary connection at all of the spokes and I'm having trouble coming up with the correct way to implement this setup. I've been searching through HP documentation and the one thing that seems consistent with all HP documentation is that it is rarely good. Having combined that with Juniper and Fortinet documentation for ADVPN, I'm thinking the idea is to use a separate tunnel per internet connection as well as a separate ADVPN number per tunnel. You would then specify the tunnel to use by changing the OSPF metrics to favor the primary connection. Has anyone implemented such a configuration, or does anyone know if I'm approaching this the wrong way?



Software to remote into multiple stations and send them all the same inputs?

I know I've seen it once but can't find a name for it. Basically I had to do something to a lab of computers today so I connected remotely to each one and did what I had to do one by one. The process was exactly the same on all of them. Is there some software where I can connect to all of them and have my inputs send to all the computers? Example: I click browser icon, all computers click browser icon.



Real simple monitoring tool?

Hey all,

I want to monitor whether a remote server or ip address is accessible or not. All I want is it for to email/text/call/notify me somehow if it's not available after x tries/minutes etc.

Either my Google fu is garbage or there is no easy basic tool for this task. Everything I see seems like overkill for this type of task.

Do you have any recommendations?

Thanks!



Interview Write-Up, Network Professional

Hello r/networking, I have a tiny request if you have a moment to spare. I'm a freshman in college and I have this interview write-up assignment that I'm working on. The point is to interview a person in an career field you wish to join. The interview includes questions regarding problems within your industry and how essential writing may be to your position. There are just ten questions I would have you answer. I'm asking here because I don't know any networking professionals personally. It's a lot easier to interview a nurse or policeman, but not so easy with a networking professional. I would cite you as my source and send you the finished product. It would be a huge help if anyone could share their expertise.

  1. Was your employer interested in evaluating your writing skills before hiring you?

  2. Do you find yourself recalling writing techniques you learned in college to assist you with your writing?

  3. Are you able to apply those techniques to the forms of writing required by your position?

  4. Hypothetically, if you were unable to write at all how severely would your job performance be impacted?

  5. How much of your writing is done in Microsoft Outlook and PowerPoint as opposed to Word?

  6. What do you think is the most significant problem facing your industry or workplace today?

  7. Do you believe your industry leaders are making an effort to fix this problem?

  8. How do you believe this problem can be solved or its impact limited?

  9. How would your industry benefit from this solution?

  10. What advice would you have for newcomers to avoid or prepare for this problem?

If this post is against the rules I apologize. I read the rules and a post like this didn't seem to be in violation.



[RANT]New Network Administrator here...

Hello /r/networking!

I have recently been promoted to being a Network Administrator within my company. I've been doing a bit of training with the company doing basic tasks such as subnet transfer requests..IP block assignments etc.

Recently, I have been moved up to Network Administrator for more extensive training. Turns out that the guy training me told me the day of that I am to be taking over for him since he is putting in his two weeks immediately.

I was not prepared for this. As of today he is on his last day. I've been trying to train hard and learn as much about the job as I can but I just don't feel ready for the role. This is a fairly large network with a relatively small supporting crew, with me being probably the main guy to figure things out etc.

My questions are: what do you recommend as far as prepping myself as best I can within the coming days/weeks? There is a lot I still do not know about networking and even things like troubleshooting etc. BGP is very involved here as well. We have multiple switch brands such as Cisco, Brocade and Juniper. Even some Edgecore stuff...

Any tips or tricks of the trade on getting up to speed now that my trainer is gone? Was tough to cram everything within the past two weeks..

Thanks for your words and advice..I'm really in a bind and am especially nervous about all this haha.



Network Mapping Software - Which is This? (pic)

https://imgur.com/a/qukWI

Curious does anyone know as to what networking software could be used to draw up this? Sorry for all the blackouts, tried to just show the symbols.

Thanks.



Cisco Prime to monitor and alert on down APs

Inherited Cisco Prime at my new gig since nobody here knows it well or has time to learn. I have very limited exposure to Prime and the doco seems very vague and ponderous. Manager and Wireless guys want to use Prime to monitor APs that are in the system and on maps, and send out alerts when they unregister or go down.

I am not sure that is the best solution, I had previously just used SolarWinds to monitor these and send out alerts, but since monitoring is a different team here nobody wants to go that route. Is what they want even really feasible? I see how to configure SMTP alerts, but not seeing how I would monitor APs specifically or configure the alerting logic. The alarms and events I see are all over the place, and not very intuitive at all.

Can anyone offer a 1000ft view of how this would fit together?



SG300 ACL to allow Internet Access

Hey,

Learning how to configure ACLs. On my VLAN60 the default action is deny any. I'm trying to allow internet access from VLAN 60 but having some difficulties.

I have it setup but whenever I enable the ACL, any device on the VLAN is unable to access the internet.

ip access-list extended VLAN60_OUT

permit tcp 10.240.60.0 0.0.0.255 any any 80 ace-priority 11

permit tcp 10.240.60.0 0.0.0.255 any any 443 ace-priority 11

deny ip 10.240.60.0 0.0.0.255 10.240.1.0 0.0.0.255 ace-priority 90

deny ip 10.240.1.0 0.0.0.255 10.240.60.0 0.0.0.255 ace-priority 100

Not sure what I'm doing wrong?

80/443 are set on the destination port and source port is set to any.

SG300 is connected to our ASA 5512 which doesn't have anything being blocked from the inside to outside. It has a Ikev2 site-site VPN connection to our datacenter which hosts our AD/DNS server.
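As an added example (editor's code, not from either post), the script below evaluates Cisco-style ACLs the way the device does, first match wins and an implicit deny at the end, and runs two ACLs quoted on this page through it: the one-line standard ACL `access-list 1 permit 192.168.1.254` from the "Dumb question" post above and the SG300 extended ACL VLAN60_OUT from this post. It assumes that a standard-ACL address with no wildcard means that single host (wildcard 0.0.0.0), that SG300 extended entries read as protocol, source, source port, destination, destination port (ports only for tcp/udp), and that entries are evaluated in ace-priority order, lowest first. The sample flows are constructed. Under those assumptions it shows two things about VLAN60_OUT: DNS (udp/53) never matches a permit and hits the implicit deny, so name resolution from VLAN 60 fails before any web request is made, and the deny to 10.240.1.0/24 at priority 90 is shadowed for ports 80 and 443 by the priority-11 permits to any.

```python
"""Evaluate Cisco-style ACLs: first match wins, implicit deny at the end.
Added example covering two ACLs quoted on this page (the standard ACL
`access-list 1 permit 192.168.1.254` and the SG300 extended ACL
VLAN60_OUT); not code from either post. Assumptions: a standard-ACL
address without a wildcard is a single host; SG300 entries are read as
<proto> <src> [<sport>] <dst> [<dport>] [ace-priority N] with ports only
for tcp/udp, evaluated by ace-priority, lowest first, line order on ties."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str          # 'permit' or 'deny'
    proto: str           # 'ip', 'tcp' or 'udp'
    src: str             # CIDR text
    sport: str           # 'any' or a port number as text
    dst: str
    dport: str
    priority: int = 0    # ace-priority; line order breaks ties


def _cidr(addr: str, wildcard: str = "0.0.0.0") -> str:
    """Cisco address + wildcard -> CIDR (contiguous wildcards only)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    plen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def _addr(tokens: list, i: int):
    """Parse 'any' | 'host A' | 'A wildcard' at tokens[i]; return (cidr, next_i)."""
    if tokens[i] == "any":
        return "0.0.0.0/0", i + 1
    if tokens[i] == "host":
        return _cidr(tokens[i + 1]), i + 2
    return _cidr(tokens[i], tokens[i + 1]), i + 2


def parse_standard(line: str) -> Ace:
    """access-list <n> {permit|deny} {any | host A | A [wildcard]}"""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(line)
    rest = t[3:]
    if rest[0] in ("any", "host") or len(rest) > 1:
        src, _ = _addr(rest, 0)
    else:
        src = _cidr(rest[0])          # bare address: single host (assumed)
    return Ace(t[2], "ip", src, "any", "0.0.0.0/0", "any")


def parse_extended(line: str) -> Ace:
    """SG300-style: {permit|deny} <proto> <src> [<sport>] <dst> [<dport>] [ace-priority N]"""
    t = line.split()
    action, proto = t[0], t[1]
    has_ports = proto in ("tcp", "udp")
    src, i = _addr(t, 2)
    sport = t[i] if has_ports else "any"
    i += 1 if has_ports else 0
    dst, i = _addr(t, i)
    dport = t[i] if has_ports else "any"
    prio = int(t[t.index("ace-priority") + 1]) if "ace-priority" in t else 0
    return Ace(action, proto, src, sport, dst, dport, prio)


def evaluate(aces: list, proto: str, src: str, sport: int, dst: str, dport: int):
    """Return (action, matching_ace); matching_ace is None for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in sorted(aces, key=lambda a: a.priority):   # stable: keeps line order
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ipaddress.ip_network(ace.src) or d not in ipaddress.ip_network(ace.dst):
            continue
        if ace.sport != "any" and ace.sport != str(sport):
            continue
        if ace.dport != "any" and ace.dport != str(dport):
            continue
        return ace.action, ace
    return "deny", None


STANDARD_1 = [parse_standard("access-list 1 permit 192.168.1.254")]

VLAN60_OUT = [parse_extended(l) for l in (
    "permit tcp 10.240.60.0 0.0.0.255 any any 80 ace-priority 11",
    "permit tcp 10.240.60.0 0.0.0.255 any any 443 ace-priority 11",
    "deny ip 10.240.60.0 0.0.0.255 10.240.1.0 0.0.0.255 ace-priority 90",
    "deny ip 10.240.1.0 0.0.0.255 10.240.60.0 0.0.0.255 ace-priority 100",
)]

if __name__ == "__main__":
    print("access-list 1 matches only", STANDARD_1[0].src)   # 192.168.1.254/32
    # Constructed flows from a VLAN 60 client (documentation addresses).
    flows = [("udp", "10.240.60.10", 51000, "192.0.2.53", 53),      # DNS
             ("tcp", "10.240.60.10", 51000, "198.51.100.7", 443),   # HTTPS
             ("tcp", "10.240.60.10", 51000, "10.240.1.5", 80),      # web to 10.240.1.0/24
             ("tcp", "10.240.60.10", 51000, "10.240.1.5", 22)]      # SSH to 10.240.1.0/24
    for f in flows:
        action, ace = evaluate(VLAN60_OUT, *f)
        where = "implicit deny" if ace is None else f"ace-priority {ace.priority}"
        print(f"{f[0]} {f[1]} -> {f[3]}:{f[4]}  {action}  ({where})")
```

For the standard ACL, the evaluator only tells you what it matches; where it is applied has to come from the running config. On IOS, ACL numbers are referenced by `access-class` on VTY lines, `ip access-group` on interfaces, `snmp-server community`, `match ip address` in route-maps and `ip nat inside source list`, so `show running-config | include access-list 1 |access-class 1|access-group 1|snmp-server community|match ip address 1|source list 1` is the quickest way to find the consumer.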



Cables -- Do you buy pre-made or make them yourselves?

I am going through my cold room cabling right now. I won't describe to you how bad it was, so I'll let your imaginations wander.

It's been cleaned up quite a bit but I am maybe 50% done. I have been getting premade cables mostly for time consumption and ease, but also because I am color coding my VLANs and the cables to match so people know what is what by looking at them.

Buying premade is quick and easy, but needing that exact size that varies from connection to connection can be annoying, was curious if I am alone in this or if everyone is custom making their cables and I am a derp?



Cisco CAP Stories

I’m wondering if anyone has any knowledge of any interesting Cisco customer assurance stories or Cisco disaster response services.

I have read the story titled ‘All Systems Down’ many times because I find it fascinating.

I will probably continue reading it repeatedly but I am curious if there are any other stories out there.

Thanks!



switched rack PDU's...What do you use to control them?

I have roughly 10 switched rack PDUs from APC (APC7920s) on my network. APC produces software that costs over $1000 to control them all from one place. Is there another way I can control the outputs from a single place, or will I need to log into the web GUI of each specific one every time I want to change something?

I have looked into PRTG but will only monitor the outputs and won't let me control them (very well)



DDoS protection via iBGP

Hello,

We are receiving TCP attacks that our switch firewall is not capable of blocking. After some research it seems that the best course of action would be to route attack traffic through a DDoS filtration server that would then pass 'clean' traffic back into the switch and have it route this traffic normally once cleaned.

In attempts to do this I've setup 2 iBGP sessions between the filtration server and the switch, one of them has the filtration server advertising the under attack /32 prefix (this sessions goal is to route traffic into the scrubbing box and it does), and the other has the switch advertising the under attack /32 prefix (this sessions goal is to route traffic out from the scrubbing box and it does not).

The main problem seems to be routing traffic seamlessly from an under-attack subnet to the scrubber server and back into the switch again. I can accomplish this in half-duplex by establishing an iBGP session and routing a single /32 prefix through it; this will cause traffic from the switch to route into the filtration server, but it does not exit the filtration server. Instead it seems to be processing the traffic as if the IP was assigned on the server itself.

I believe this is because the routing is fundamentally flawed, connectivity from the internet reaches this IP from a single homed ISP default route advertising a /24 prefix in BGP, trying to re-advertise an IP within this prefix as a /32 to the filtration server in iBGP will not work because it is being advertised already to our ISP, so either the switch doesn't export the route to the iBGP peer, or the iBGP peer rejects it. There's probably some whole other issue about routing loops in here that I've yet to get to.

So what can I do to either force BGP to route this subnet, or somehow get traffic out of the box and back into my switches regular routing table to be processed normally and sent into the end device assigned with the under attack IP?



Looking to replace MPLS, is SD-WAN the answer? Concerned about VoIP Services.

Is anyone using VoIP in an SD-Wan situation to their branch locations?

We only have 5-15 phones at each branch location, we are worried about call quality/jitter/etc etc. We have 100mbps down at each branch.

Thanks!



ELI5 - What is a “Dry” vlan?

Please and thank you!



CCNP Route 300-101 Study Guide + ~600 Flash Cards

Hey folks,

It's been a while since my last post about automation. I'm currently stuck in study hell but since I've recently taken and passed the CCNP Route, I wanted to share my notes and flashcards. Heavy inspiration from another post on /r/sysadmin here.

CCNP ROUTE STUDY GUIDE

CCNP ROUTE FLASH CARDS

To use the flash cards, click on the flashcard section, then click option, and choose "Answer with definition".

Mods, not sure if this is relevant to enterprise, so feel free to remove this post if it doesn't fit in with the rules.



Arista 7280R (MPLS LSR)

Guys,

Has anyone got any experience running the Arista 7280R as an MPLS LSR, and if so, in a multivendor environment too (Cisco / Juniper)?

I'm currently looking at some short term options for a light replacement P core, and this and the QFX are looking like good options for 10GB/40GB (PE facing) and 10/100GB (Core facing) from a cost point of view. Not got a huge label stack (max of 3 label depth) and they will simply be switching labels.



IPFIX collector?

Hey all,

I am looking for an open source IPFIX collector with decent documentation. I looked at ELK with the netflow codec, but it doesn't look like IPFIX is quite there yet with Juniper gear, and I'm really not trying to spend a month forcing this to do what I want it to do.

I also rolled across vflow but the documentation is sparse to say the least. The idea that I'd have to roll out zookeeper/kafka/InfluxDB along with vflow, figure out how to get them all talking in a meaningful way (sans documentation of any sort on the vflow side), then work out something for dashboards seems like a bit much.

The budget I was given for a paid solution was 2k for the year... and that seems a bit unrealistic after looking around some.

Anybody got a suggestion that works decently without all the headache? I have a decent bit on my plate, and I'd rather not have to dedicate too much time to something that should be so simple. v9 flows aren't an option for me unfortunately, or this would be done in a day.

If I have to invest all the time, then I guess I have to do that - just seeing what's out here and reliable first before I begin the trench digging.

Thanks!



Software issues: the final frontier, and the bane of my networking existence currently.

So I am working on a project where we have to convert Webex arf files into mp4. There is currently, to my knowledge, only one means of doing that, and it is via the Network Recording Player offered by Cisco. We have an archive of 15 min - 75 hour (don't ask on the latter, I don't have an answer) sound files that need to be converted. Some of these conversions are taking a super long time, but the catch is the CPU is only maxing out at 4% for the conversion process.

I have submitted a Tier 2 TAC case, to which Cisco responded with the typical "the application is operating as it should, and the issue is caused by the length of recording". I don't understand how an application can't utilize the CPU more or use parallel computing techniques to distribute loads of the audio file to different VMs.

Has anyone run into this issue? Any suggestions?



Do you think Cisco has a backdoor in their products like Intel and other vendors?

Hi,

I just don't believe that Cisco is 100% free of companies like the NSA, which like to put backdoors possibly everywhere.

The thought of Intel Management Engine is enough.

Generally, the thought of the NSA wanting access everywhere is unacceptable.

I think there are two possibilities. Either Cisco allowed a backdoor in their products, or the NSA has a hidden agent working at Cisco as a very good engineer.

What do you think?



ASA SSL VPN enabled?

Quick question, how can you tell via the Cisco ASA GUI if SSL VPN is enabled? Does the outside interface in the access interface tab of connection profiles need to be ticked or does there just have to be connection profiles created?

Thank you



What do you pay per month for Gigabit Internet?

Just got a quote from Century Kink for $2000, I was wondering what you pay.



Is 802.3af different from 802.3af/A? UBNT AP-AC-Lite and a Cisco 2960C-8PC-L aren't playing nicely together.

I have some Ubiquiti AP-AC-Lite WAPs and a Cisco Catalyst 2960C-8PC-L PoE switch that I'm trying to get working.

The datasheet for the AP says that it supports 802.3af/A and the switch supports 802.3af (source: table 5). Are these two different specs? I haven't been able to find anything on the /A in the Googles. According to the Ubiquiti live chat peeps, "it should work".

Plugging in the AP to the switch results in nothing - not even an attempt to power on from what I can tell.

The switch itself is known to be working - it has 3 other non-UBNT APs connected and powered up.

The UBNT APs are working as well, as they power on just fine with the included PoE injector. The problem is, I only have 1 injector and 6 APs (I thought the Cisco switch would work and wasn't able to test it.)

Some Debugging Info

poe002#show power inline
Available:124.0(w)  Used:46.2(w)  Remaining:77.8(w)

Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Fa0/1     auto   on         15.4    Ieee PD             0     15.4
Fa0/2     auto   off        0.0     n/a                 n/a   15.4
Fa0/3     auto   on         15.4    Ieee PD             0     15.4
Fa0/4     auto   off        0.0     n/a                 n/a   15.4
Fa0/5     auto   on         15.4    Ieee PD             0     15.4
Fa0/6     auto   off        0.0     n/a                 n/a   15.4
Fa0/7     auto   off        0.0     n/a                 n/a   15.4
Fa0/8     auto   off        0.0     n/a                 n/a   15.4

poe002#show power inline police
Available:124.0(w)  Used:46.2(w)  Remaining:77.8(w)

Interface Admin  Oper       Admin      Oper       Cutoff Oper
          State  State      Police     Police     Power  Power
--------- ------ ---------- ---------- ---------- ------ -----
Fa0/1     auto   on         none       n/a        n/a    2.3
Fa0/2     auto   off        none       n/a        n/a    0.0
Fa0/3     auto   on         none       n/a        n/a    2.2
Fa0/4     auto   off        none       n/a        n/a    0.0
Fa0/5     auto   on         none       n/a        n/a    3.4
Fa0/6     auto   off        none       n/a        n/a    0.0
Fa0/7     auto   off        none       n/a        n/a    0.0
Fa0/8     auto   off        none       n/a        n/a    0.0
--------- ------ ---------- ---------- ---------- ------ -----
Totals:                                                  6.6


Claimed Meraki MR26

I salvaged a Meraki MR26 from a demo, the company that owned it is long gone. The serial number says the device is still claimed. Is it totally useless? Thanks!



Anyone familiar with router-switch.com?

They seem to have just about everything and reasonable prices. Almost seems too good to be true.



IP Netflow tool - Cisco Network IOS/NX-OS

Hi Guys,

Just wondering about a NetFlow tool, and I thought to myself: why don't I just ask fellow colleagues what they are using?

So we are in the process of reviewing some tools to do IP NetFlow and maybe sniffing if it's included in the tool. We have a running tool which is called TruView, it's from Netscout. I think it could also prove very powerful.

But what is your tool of preference? How easy was it to setup? Did it require special configuration on the switches? We are running a production Cisco NX-OS network for multi tenancy and some F5/IOS/Juniper/Palo Alto, pretty mixed environment.



Tuesday, January 30, 2018

Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Android Device and Cisco Wifi

I've been running into an issue that might only be affecting Android devices (still need to test on some iDevices) that may be related to our Cisco WLC config. I'm leaning towards this because I don't see the same behavior on my home network.

The issue is, when I unlock my device and start getting on Facebook or another app I'll notice things are loading. Usually, at some point, my wifi symbol on my Galaxy S7 gets the exclamation mark. Usually within 5 or 10 seconds after this, it clears up and I can start browsing.

We're using RADIUS with MAC filtering, AAA Override, and ISE set as the NAC State on the WLAN. I don't believe this is related to our NAC setup though, since I saw this behavior before we re-enabled our NAC setup.

I originally thought my device was trying to get to Google DNS, which we block. It is trying to get to 8.8.8.8 and 8.8.4.4 despite receiving DNS settings from DHCP pointing to our internal DNS servers, but even allowing that traffic through the firewall for my device doesn't resolve it.

At some point I considered our DNS servers themselves since I had evidence that even my Windows desktop was getting timeouts on nslookups to our primary DNS server, however, we've moved our wireless networks over to two brand new Infoblox appliances.

I'm curious if anyone else has encountered this and might know what the issue is or where I should look next. It certainly isn't the end of the world, but it can be very annoying to try to look something up and have it end up being faster to just turn wifi off and use my cell connection. This is driving me nuts since an Android phone isn't the easiest thing to do network troubleshooting on.

Thanks!



Getting a bunch of deauth packets from Ruckus gear

Our Ubiquiti antennas seem to be getting bumped from over eager Ruckus gear looking for 'rogue APs'.

Anyone have a good contact at Ruckus to contact about the FCC's ban on deauth?

+----------------+----------------------------------------+---------------------+
| Times Deauthed | Log                                    | Last Deauth         |
+----------------+----------------------------------------+---------------------+
| 1              | Received deauth from 24:c9:a1:12:96:ac | 2018-01-30 12:14:56 |
| 60             | Received deauth from 24:c9:a1:12:98:1c | 2018-01-30 16:59:01 |
| 3              | Received deauth from 24:c9:a1:12:9d:dc | 2018-01-30 16:22:53 |
| 394            | Received deauth from 24:c9:a1:1d:e6:5c | 2018-01-30 17:03:27 |
| 68             | Received deauth from 24:c9:a1:1f:49:4c | 2018-01-30 16:49:05 |
| 70             | Received deauth from 24:c9:a1:50:c6:07 | 2018-01-30 16:59:38 |
| 115            | Received deauth from 24:c9:a1:5d:e6:5c | 2018-01-30 17:03:51 |
| 1              | Received deauth from 24:c9:a1:5f:49:4c | 2018-01-30 15:08:58 |
| 62             | Received deauth from 24:c9:a1:9d:e6:5c | 2018-01-30 17:03:52 |
| 45             | Received deauth from 24:c9:a1:9f:49:4c | 2018-01-30 17:03:43 |
| 18             | Received deauth from 24:c9:a1:a7:cc:cc | 2018-01-30 16:40:53 |
| 490            | Received deauth from 2c:5d:93:31:89:6c | 2018-01-30 17:05:30 |
| 12             | Received deauth from 2c:5d:93:31:93:ec | 2018-01-30 14:25:06 |
| 85             | Received deauth from 54:3d:37:81:c2:bc | 2018-01-30 17:05:59 |
| 51             | Received deauth from 84:18:3a:22:3c:1c | 2018-01-30 16:50:02 |
| 62             | Received deauth from 84:18:3a:a2:3c:1c | 2018-01-30 16:44:29 |
| 29             | Received deauth from 8c:0c:90:39:c5:4c | 2018-01-30 16:57:30 |
| 19             | Received deauth from f0:b0:52:14:d8:2c | 2018-01-30 16:48:12 |
+----------------+----------------------------------------+---------------------+

Cute Ruckus dog pissing on a network



Other than troubleshooting, is there much else to do with packet data collected with Wireshark?

Other than troubleshooting specific issues, is there anything else I can do with this data that would be beneficial, such as monitoring network performance or detecting other issues automatically?

I'm helping a vendor troubleshoot issues and using wireshark to collect data on several of my controller networks. I'm only minimally involved with networking, but it feels like with hundreds of gigs of network data there would be something cool you could do with it.

I've asked our IT manager and he basically said it's really only for troubleshooting issues.



Looking for advice, impending DC and staff move

Hello everyone,

We recently received notice that the company plans to sell the building we've been in for a few years. This building has a data center inside of it that houses our Internet edge, core switching, and server infrastructure, and we rent colo space from a provider for DR.

With the move, staff will move into a new building and we will need to find a colo provider for our server infrastructure. There are a lot of moving parts, like we just (within the past 3 months) added an additional ISP for dual Internet connectivity and bought new ASA 5525Xs for this building and colo. I just migrated to the 5525Xs at this building today, as a matter of fact.

Currently, we plan on moving our phone system to the new staff building but eventually might plan to try a cloud-based solution. Also, we do have users who will be using VDI at the staff building provided by servers located at the new DC location. What would you guys be thinking as far as connectivity and equipment from new staff building to DC colo? VPN over DIA? MPLS? SD-WAN? If I go the MPLS route, should I have a DIA as a backup? Do I need to buy more additional equipment like routers or will the 5525Xs suffice?

Thanks in advance for any feedback and let me know if any additional info is needed.



cable labeling database

Does anyone have a commercially available cable labeling database they like? I was talking with my colleagues today - we were imagining a system where we could print barcodes for all our cable ends, and then look up/update the entries with our smartphone cameras.

Any ideas? What do you use?



SFP-10G-SR - how much headroom on distances?

The spec sheet says "up to 400m" - is that best possible conditions or what?

I have some runs that are about 350m total but have to go through several patch panels so will lose a bunch to connection losses. I'm trying to get a definitive idea before I buy a bunch of SFPs.

Wondering what people's experience is?



Lantronix PremierWave XC HSPA+ Out-of-Band Management

I have this cellular device connected at a remote office in order to do out-of-band management. I cannot for the life of me get it to VPN back to our firewall in the office in order to have access to manage the device. Has anyone used this device before for this purpose and successfully created a VPN connection from this device to their corporate firewall? I've been engaged with their support; but they haven't been a lot of help.



Packet Capture in a ring network

Hi all,

Looking for some advice on how one would go about doing a network traffic analysis on a ringed network.

Essentially I want to capture all network traffic in a 24 hour period for a network. I was going to use Wireshark and just capture a pcap file to disk. I'm happy configuring port mirroring on an uplink port, which I'd mirror to an access port and connect my capturing laptop into.

What I'm wondering is, what's the best approach in a ring network, let's say of 4 switches, where each switch has access devices connected and I want to capture all the traffic for the network? Is there an easy way of doing this without having to have a capture device plugged into each switch?

Thanks!



Should I upgrade my Catalyst 3850 firmware?

I have a pair of 3850s that are managing BGP for our primary datacenter and was curious as to whether I should upgrade off of 03.07.05E?

I know that this was asked about 2 months back and the general consensus at the time was that you shouldn't move towards the 16.x code base just yet. Is this still how people are handling their 3850s at this point? I noticed that Cisco now lists 16.3.5b as a starred release suggesting that it is considered stable, but I figure I would ask the masses here what their feedback has been as I know that several people here manage some 3850s.

For reference the last time I know that this was asked:

https://www.reddit.com/r/networking/comments/7dfqlz/new_cisco_wsc385012xse_what_version_of_iosxe/



Weird Fiber/Speed Issue

I have a customer who is on rather slow internet as it is at their main office, which has fiber run from that office to 3 buildings about 500-600 yards away. The 3 buildings are close to each other, so we have fiber coming into the first building plugged into a switch and then outdoor cat6 run to the other 2 buildings.

The first building that has the fiber uplink is insanely slow BUT the other 2 buildings run at the speed I would expect from their ISP.

How could this be? I would think the switch that has the shortest route to the host building would at least be the same speed as the others.

Tried different switches, gbics, etc... I have no clue.



Spanning tree issues between Dell Force 10 (RSTP) and Cisco (Rapid PVST)

hi there,

I've hit a bit of a block when setting up spanning tree on a new set of Force 10 switches. The F10s are set up to use RSTP and that can't be changed as they're using VLT, and the Cisco 2960s are using PVST. When I do a show spanning-tree on the Ciscos, the VLANs are coming up as blocked (although VLAN 1 is forwarding). Is there anything I'm missing to get this working? The Cisco is set up as a trunk port and the Dell is set up as a hybrid port with VLANs tagged accordingly. I've looked online and it says that PVST should revert back to STP when this configuration is set, however VLANs are still being blocked.



Cisco Quad Supervisor ISSU

I was wondering if anyone had any positive experience with a quad supervisor upgrade. We performed one last Saturday on our 6807 from 15.2(1)sy1a to 15.2(1)sy4 and it turned into a bit of a mess.

The first problem was one of the line cards went into an FRU-Power error and won't load after the "issu commitversion" step requiring an RMA.

The second problem was that the 2 ports on the standby hot supervisor on the formerly active, now standby chassis weren't joining the VSL port channel. So they are also going to RMA that supervisor.

VSL Connections: Yellow and green link will now not join the VSL port-channel. https://imgur.com/a/pn7jO

In the end we have 2 slots that have to be RMA'd, and I'm hesitant to do another ISSU upgrade (and actually can't until the VSL links get repaired).

Is this par for the course with ISSU or did we hit the lotto?

Thanks in advance.



Smartnet-Specific resellers

About 5-8 years ago, I came across a reseller that does nothing but smartnet, supposedly very well. I've ransacked my business card folder and my email... no joy.

At the moment we are using CDW... they're co-terming everything onto specific contracts, moving stuff that doesn't need to be 4-hour off onto NBD etc... it's actually not terrible, but we're always looking for percentage points.

Who do you manage SmartNet with and how's the experience?



SSH client like SecureCRT or MobaX that lets you create a network diagram and access your devices via that diagram?

Long shot, but just wondering if anyone knows of an SSH client like SecureCRT or MobaX that lets you create a network diagram and access your devices via that diagram?



Neighbors internet...

Hi, my neighbor gave me access to his WiFi router. Now I want all of my devices and computers to have internet.

Configuration: Router from Neighbor (((-))) Raspberry Pi — My Router (bridge Mode) — All devices.

Is there a way to encapsulate all of my devices, so that my neighbor does not see my devices?

Would there be a conflict if I set my Raspberry Pi to DHCP mode?

Thx.



Tool to grab output

Hi everyone

Does anyone know of a tool, be it SolarWinds or open source, that will allow me to, say, grab output before a change and grab output after a change and run a diff?

Say I'm about to perform a system reboot; I want to grab 'sh ip route', 'show interface status', 'show lldp nei', put up a diff after the reboot, and report what's changed, if anything.
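One way to do the compare-and-report step in Python, as an added example that is not part of the original post or of any vendor tool. It assumes the show-command output has already been collected, and the sample outputs and the choice of route age as the volatile field to ignore are constructed assumptions:

```python
"""Pre/post change snapshot diff for show-command output.

Added example, not from the original post or from SolarWinds. It assumes
the show-command output has already been collected (with whatever SSH
client you use) and covers only the part the post asks for: normalising
the text and reporting what changed. The outputs below are constructed
samples, not taken from a real device.
"""
from __future__ import annotations

import difflib
import re

# Route ages in "show ip route" ("02:11:05", "3d02h", "2w1d") change on
# every snapshot; strip them so an unchanged table does not diff as changed.
_ROUTE_AGE = re.compile(r",\s+(?:\d{2}:\d{2}:\d{2}|\d+[dw]\d{2}[hd])")


def normalise(output: str) -> list[str]:
    """Drop blank lines, trailing whitespace and volatile route ages."""
    lines = []
    for line in output.splitlines():
        line = _ROUTE_AGE.sub("", line.rstrip())
        if line:
            lines.append(line)
    return lines


def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Return {command: [+/- lines]} for every command whose output changed.

    An empty dict means the post-change state matches the pre-change state.
    A command missing from `after` is treated as having produced no output.
    """
    changes: dict[str, list[str]] = {}
    for cmd, pre in before.items():
        diff = difflib.unified_diff(
            normalise(pre), normalise(after.get(cmd, "")),
            fromfile=f"{cmd} (before)", tofile=f"{cmd} (after)", lineterm="", n=0,
        )
        delta = [l for l in diff
                 if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]
        if delta:
            changes[cmd] = delta
    return changes


# Constructed sample snapshots: the reboot took Gi1/0/2 down, and the OSPF
# route age changed (which must NOT be reported as a change).
BEFORE = {
    "show ip route": (
        "O     10.20.0.0/24 [110/20] via 10.1.1.2, 02:11:05, GigabitEthernet1/0/1\n"
        "C     10.1.1.0/30 is directly connected, GigabitEthernet1/0/1\n"
    ),
    "show interface status": (
        "Port      Name      Status       Vlan   Duplex  Speed  Type\n"
        "Gi1/0/1   uplink    connected    trunk  a-full  a-1000 10/100/1000BaseTX\n"
        "Gi1/0/2   server-a  connected    10     a-full  a-1000 10/100/1000BaseTX\n"
    ),
    "show lldp neighbors": (
        "Device ID   Local Intf   Hold-time  Capability  Port ID\n"
        "core-sw1    Gi1/0/1      120        B,R         Gi0/1\n"
    ),
}
AFTER = {
    "show ip route": (
        "O     10.20.0.0/24 [110/20] via 10.1.1.2, 00:00:41, GigabitEthernet1/0/1\n"
        "C     10.1.1.0/30 is directly connected, GigabitEthernet1/0/1\n"
    ),
    "show interface status": (
        "Port      Name      Status       Vlan   Duplex  Speed  Type\n"
        "Gi1/0/1   uplink    connected    trunk  a-full  a-1000 10/100/1000BaseTX\n"
        "Gi1/0/2   server-a  notconnect   10     auto    auto   10/100/1000BaseTX\n"
    ),
    "show lldp neighbors": BEFORE["show lldp neighbors"],
}


if __name__ == "__main__":
    changes = diff_snapshots(BEFORE, AFTER)
    if not changes:
        print("no changes after reboot")
    for cmd, lines in changes.items():
        print(f"== {cmd} ==")
        print("\n".join(lines))
```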



Managed Network Services assistance

Hi All,

I work for a consultancy - while on the bench, I have been tasked with creating a managed network services training presentation. I don't know too much about telecom and would like some assistance, particularly with providing an overview on routers, switches, WAPs, WAP controllers, and load balancers. If anyone has the time or can point me in the right direction to do the research on my own, I would like to know about the typical pricing structure (e.g., s, m, l), scope of services (e.g., monitor and notify, physical management, full management, etc.), key differences in functionality (e.g., for switches PoE support is required for VoIP 911), and requirements for service to function effectively (e.g., cabling of cat5 or greater). Thanks for your help.



Need help finding a portable wifi hotspot router with SIM card slot

Hi there, so sorry if this isn't the area to post this, but I'd like to know if there are any good recommendations for a portable hotspot router with a SIM card slot? I'm headed overseas for a bit, would like to prep!

Again if this doesn't belong here, then apologies to mods!



I've a problem with Squid Cache IPv6

Hi, I've a problem with Squid. My Squid is configured to manage multiple ISPs with tcp_outbound_ip rules.

Example:

acl tasty3128 myportname 3128 src 24.xxx.210.0/24
http_access allow tasty3128
tcp_outgoing_address 67.xxx.108.128 tasty3128

Next I've set dns_v4_first on, but Squid sometimes uses IPv6... why? I need IPv4 only. I am using Squid for Windows so I can't compile with "--disable-ipv6".

I hope you help me, thanks.



Problem configuring EAPS+MAC-in-MAC with Extreme Networks devices.

Hi,

I'm trying to set up a lab environment where there are 2 EAPS rings connected together with a LACP link between 2 MetroCore devices. They transmit customer traffic from Workgroups 1 and 3 (WG-1 and WG-3). This is done entirely as L2 traffic. EAPS rings are done with Q-in-Q and the MetroCore link is done as MAC-in-MAC (a 3rd tag, sometimes referred to as PBB).

Problems arise when I'm trying to configure ports 1:3 and 1:4 at MetroCore1 to untagged state. That breaks my EAPS ring, but I have to have those ports untagged in order to apply the 3rd tag to the packets in the MAC-in-MAC phase.

Extreme's manuals are very, very unclear and uninformative and googling hasn't helped me either. I could say you are my last hope.

Here is the network topology:

https://imgur.com/6cYm1Ng



Help bypassing network filter (for educational purposes)

Our school blocked VPNs on Android but not Apple phones; browsers work, but sometimes I get the error "sec unknown issuer" on Firefox. The Play Store works, as do the Android services. I do not have root atm but am happy to root if necessary.

I was wondering if it is possible to disguise traffic from one app as another.

I also tried installing the certificate and couldn't figure out how, as it only had a public key and was a .txt.



Looking for case studies of LTE w/802.11 enterprise deployments

I have heard of a few businesses that have done one or the other but no hybrid schemes. I would be very interested in the architectural deployments of a hybrid solution. I'd even take theoretical models if I had to. I am currently thinking of a LWA scenario, but it doesn't have to be in principle. Any best practices out there?



Switch and router telemetry in the modern age

I've been thinking what the future of router/switch monitoring looks like and am looking for enlightened opinions. The classical approach is to poll devices over SNMP and aggregate, but that is not scalable (fine to poll 100 devices every fifteen seconds, but 10000?)

You could invert the model and have devices report interesting flows to some collector, and I see some work in this area dating back to NetFlow, plus new things like the ELK stack and some of the ideas that folks like AT&T are doing (with Apache Avro data serialization) in ONAP.

Of course, at scale the volumes of data would be immense. Maybe that's enough to sink the deal. (Would you need a whole new network just to handle flow reporting? Have you just doubled your traffic?).

I can't shake the feeling that polling is just wrong in 2018. But I don't know what the cool kids are doing.

Idle side note: this was prompted by my VoIP supplier showing me one of their tools where every signaling flow from any of their network elements is recorded in a database with a web gui. That's obviously much higher in the stack but a neat idea.



CISCO ASA5515X IPSEC VPN HA

We are working on an IPsec VPN LAN-to-LAN HA design. Our network environment has 2 HQ sites (forming an IPsec VPN between them, using 2 ASA5515Xs for that), and the HQ needs to communicate with a lot of remote sites (each one using 1 ASA 5505).

-Each remote site has 2 crypto map entries, 1 for each 5515X at HQ.

-Both 5515x HQ ASAs have 1 crypto map entry for each remote site.

Under normal conditions, with both HQ sites up, everything works fine; indeed we have an "active-active" IPsec VPN from each ASA5505 remote site to the ASA5515 HQs.

-If we lose 1 HQ site, the remote ASA 5505 is not able to use the second crypto map to reach the remaining HQ site.

I will attach the crypto-map configs here; could you please help with how to fix this issue?



Juniper COS

If you have 4 queues.

1- high priority

2- med-high priority

3- med priority

4- low priority

Let's say queue 1 has been allocated 30% of the bandwidth. And utilizes the full 30%. Will subsequent packets be dropped/buffered and serviced after queue 2 is fully serviced ? Or will the higher priority not let them be dropped ?



Monday, January 29, 2018

GPON hardware recommendations?

Hello.

The company I work for is going to start its first GPON contract. We do have all the passives considered (fiber optic, splitters, etc.).

On the equipment we are thinking mainly doing it with Huawei since they already gave us a proposal.

I would like to know any thoughts about Huawei and my other options, which are Zhone and Calix, for the OLT and ONT.

It is one OLT and 300 ONTs with TVRF and 4x RJ45. WiFi will be provided with Ruckus APs connected to these ONTs' ports by cat6.

So, any thoughts about these brands? Thanks.



Trunking - How is this passing traffic?

interface GigabitEthernet4/33
 description trunktestport
 switchport
 switchport trunk allowed vlan x,y,z
 switchport mode trunk
 shutdown
 no mab
 snmp trap link-status

Note... its SHUT DOWN.

But here is a router connected to it, vlans y,z, through the trunk. With a computer attached to the router, and the computer is browsing the internet.

Perhaps I'm missing something from CCNA1&2.

Are trunks not affected by shut/no shut or something?



Having a multicast problem - can't figure it out.

Hey Guys!

So out of the gate, I'm super weak on multicast. Never really had to mess with it. Let me explain what's going on.

We have two devices that need to keep a constant link to each other. Device 1 reads incoming data, and Device 2 Reads outgoing data. They constantly keep an active link between each other to pass an identifier. When Device 1 has incoming data, it tags that specific data with an identifier, so when it hits Device 2, it knows whats leaving.

Before, the devices were connected directly to each other, and everything worked fine. Now, we want to be able to run reports out of these devices, which requires them to either be internet facing, or, we can manually log into them and run the report ourselves.

When we moved the devices over to our internal LAN, the devices fail to stay connected to each other. They will connect for about 8 seconds, then drop off. I did a port mirror on each of their ports, and found that I'm getting hundreds of ICMP failures coming from all of our local devices on the LAN. I'm assuming this is essentially a DoS attack - all the devices on the LAN are replying all at once, and it's overloading the two devices.

To test this, I moved them over to their own VLAN, and they connected fine. I would normally just leave them on their own VLAN, but I have about 15 different (vendor) switches in between (recently took over this network), so I would like to avoid having to put it on its own VLAN.

So - is there a way I can configure the switch they're plugged into to only pass multicast traffic on two ports? Anything else I could do to try to fix this?

I do have IGMP enabled on the switch the devices are plugged into, but not the other switches.

The switch they're plugged into is a HP 2530G - it's a fully managed layer 2 switch.

Thanks for the help!!!



Compromised CCTV hardware

Was upgrading our scrutinizer install to the newest build today and decided to run a few reports on our CCTV vlans.

Found multiple attempts by an alarm integration module to bring up an l2vpn (UDP 1701) with an IP address in Shanghai.

Needless to say I'm not very happy about it and have a few calls to make with the manufacturer tomorrow. They are supposedly high-end devices and certainly not cheap.

Anyone seen similar behaviour with other CCTV/security kit?
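As an added detection example, not from the post or from Scrutinizer: a check over exported flow records that flags CCTV hosts opening L2TP (UDP 1701, the case the post describes) or other tunnel-type connections to off-site addresses. The record layout, the CCTV subnet and the port list are assumptions, and the remote IP is a documentation-range placeholder since the post does not give the real one.

```python
"""Flag tunnel set-up attempts from a CCTV segment in flow records.

Added example, not part of the original post or of Scrutinizer. Flow
records are constructed here as plain dicts in the shape a NetFlow/IPFIX
collector would export (field names are assumed); the remote address is
a documentation-range placeholder, since the post does not give the
real one.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Destination ports whose appearance from a camera/alarm VLAN warrants a
# closer look. The post's case is L2TP (UDP/1701); the other tunnel
# set-up ports are added so the check generalises beyond that one.
TUNNEL_PORTS = {
    ("udp", 1701): "L2TP",
    ("udp", 500): "IKE",
    ("udp", 4500): "IPsec NAT-T",
    ("udp", 1194): "OpenVPN",
    ("tcp", 1723): "PPTP",
}

# Address space a CCTV device may legitimately talk to; anything else is
# "off-site". ipaddress.is_private is deliberately not used, because it
# also classes the documentation ranges used in the sample as private.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]


@dataclass(frozen=True, order=True)
class Finding:
    src: str
    dst: str
    proto: str
    dport: int
    label: str
    flows: int  # number of matching flow records


def is_external(ip: str) -> bool:
    """True when the address is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in _INTERNAL)


def find_tunnel_attempts(flows, cctv_nets) -> list[Finding]:
    """Return one Finding per (CCTV host, off-site peer, tunnel port).

    flows: iterable of dicts with keys src, dst, proto ('udp'/'tcp'), dport.
    cctv_nets: CIDR strings for the CCTV VLANs.
    """
    nets = [ipaddress.ip_network(n) for n in cctv_nets]
    counts: dict[tuple, int] = {}
    for rec in flows:
        src = ipaddress.ip_address(rec["src"])
        if not any(src in net for net in nets):
            continue  # not a CCTV host; out of scope for this check
        proto, dport = rec["proto"].lower(), int(rec["dport"])
        label = TUNNEL_PORTS.get((proto, dport))
        if label is None or not is_external(rec["dst"]):
            continue  # ordinary port, or a peer inside our own address space
        key = (rec["src"], rec["dst"], proto, dport, label)
        counts[key] = counts.get(key, 0) + 1
    return sorted(Finding(*key, flows=n) for key, n in counts.items())


# Constructed flow records: an NTP sync, three L2TP attempts from an alarm
# module (mixed-case proto and a string port, as exporters vary), ordinary
# HTTPS from a camera, IKE to an internal peer, and L2TP from a non-CCTV host.
SAMPLE_FLOWS = [
    {"src": "10.50.1.40", "dst": "10.50.0.1",    "proto": "udp", "dport": 123},
    {"src": "10.50.1.40", "dst": "203.0.113.7",  "proto": "udp", "dport": 1701},
    {"src": "10.50.1.40", "dst": "203.0.113.7",  "proto": "UDP", "dport": 1701},
    {"src": "10.50.1.40", "dst": "203.0.113.7",  "proto": "udp", "dport": "1701"},
    {"src": "10.50.0.12", "dst": "198.51.100.9", "proto": "tcp", "dport": 443},
    {"src": "10.50.0.12", "dst": "10.8.0.1",     "proto": "udp", "dport": 500},
    {"src": "10.10.0.5",  "dst": "203.0.113.7",  "proto": "udp", "dport": 1701},
]
CCTV_NETS = ["10.50.0.0/22"]  # assumed CCTV VLAN range


if __name__ == "__main__":
    for f in find_tunnel_attempts(SAMPLE_FLOWS, CCTV_NETS):
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport} ({f.label}): {f.flows} flows")
```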



New critical Cisco ASA remote code exec vulnerability



Filtered traffic report for SonicWalls?

Hey I was wondering if anyone knows of a way to pull up a report of all of the traffic that is filtered out by SonicWalls. As an MSP, I deploy SonicWalls to a lot of my customers and frequently get asked "What am I paying for with this?" I would like to be able to show them a tangible report of all the things the SonicWall is protecting them against.



Networking Tools for Linux (or other)

I have been presented with a very rare opportunity. I have been placed in a situation where there is a current network, but not much documentation/automation going on. So far I have implemented tacacs+ and netbox for my company which have met with great reception from management.

I was wondering if you guys knew of any other tools that you have found invaluable during your employment that I could employ?



OSPF link question

http://ift.tt/2FoiseP

Changing Split Tunnel VPN to Tunnel All Traffic

Consider the following network diagram: https://imgur.com/PCMu1cX

We are considering the removal of our .PAC files on our Branch Office computers and tunneling all Branch traffic through our Datacenter, rather than the current split-tunnel design. I think that tunneling all traffic over the VPN connection between the two ASAs should be fairly simple. My dilemma is how do I then get that traffic destined for the internet and sourced from the Branch office to flow through the Cisco 3560-G at the datacenter so that it can be transparently redirected through our Web Proxy for filtering purposes, since the datacenter ASA would normally just route this traffic straight out to the internet?



Cisco router that can handle 1gb internet connection

Looking for a router that won't bottleneck our 1 Gbps internet connection. So far it looks like a 4431 (upgraded), 4451, or ASR series? I don't need any advanced features or anything... just doing routing with static routes, but it needs to handle 1 Gbps download and upload speeds. Any others I need to be looking at for a more budget friendly option?



Cisco 5508 Upgrade path from 7.2

Hi guys,

I just found a maintenance window to update one of our WLCs to address the KRACK issue. The firmware/software are quite old:

Software: 7.2.110 FUS: 1-7-0-0

Target:

Software: 8.2.166.0 FUS: 1-9-0-0

I've never done an update from this version to this one. I searched on the net but I didn't find exactly what I was looking for, and I also found some kind of "confusing" answers.

On "random" website : "7.2.x releases You can upgrade directly to 8.3.133.0."

On Cisco website I didn't find any precise information but some comments refer to possible issue/bug by upgrading to 8.2.X from prior to release 7.4.

Did any of you experience such an upgrade? Is it safe to do it "directly" or should I go for an interim version 7.4 or 7.6 before pushing the final one?



ISP Engineers: How do you receive a DSL/Cable tail handoff?

Not entirely sure if I'm using the correct terminology here. Say I want to start reselling cable services in my area, I want to do all the layer 3 (or at least doing the handoff to upstream peers). What will my local last mile providers give me? Say I have 500 customers on the end of DSL/Cable services? Will I just get a single piece of fiber into a data center of my choosing and all my subscribers packets will be routed down it or?



Training with HP/Aruba Switches

I'm starting work with HP / Aruba switches and Aruba routers. I would like to work on them virtually (something similar to Packet Tracer). I found GNS3 but I can not find an IOS anywhere on the HP / Aruba switch. Are you able to help me with this? Maybe you know where I can find IOS.



Looking for books and videos to learn Juniper SRX firewalls

Hi guys

What would you recommend me to watch for a zero to hero trip on Juniper SRX firewalls?

I have seen the following:
-Juniper SRX series 2013
-Junos Security -2012
-Junos for Dummies 2012 (seems to be good to familiarize yourself with the CLI)
-Juniper Networks Warrior 2013

Are there any videos?
Are there any other good books that I should be looking for ?
In what order would you read the above books in order to get from zero to hero?

thanks
R



Spirent help needed: stream block with range of TCP ports!!

Hi all,

Not sure if this is the right place but I believe many of us may be using Spirent Test Center to test their networks.

I am trying to test NAT44 functionality and for that am trying to create a stream block with flows having a range of TCP ports. Now we can add a TCP header in Spirent and configure the port, but I want to do this for 65k ports, unique for every stream. But I cannot find an easy way or a wizard where one can go and select a range of TCP ports for the same IP header that creates the streams. Has anyone else tried this? Maybe someone testing NAT actively.

This was easy on Agilent N2X, but alas I only have Spirent currently.