Saturday, March 24, 2018

Multimode SFP works while Singlemode SFP does not

I hope this isn't too low level for you guys but I have been around trying to get this resolved and was hoping for a bit of input.

I have an HPE OfficeConnect 1920s and our CDW rep recommended "compatible" C2G Singlemode SFP Transceivers which were $50 vs the HP branded transceivers which were $500. I can't for the life of me get the transceivers to work. For the heck of it, I tested an Extreme Networks Multimode transceiver and it worked almost immediately.

Is there something special I need to do to get the Singlemode transceiver to work or are the C2G transceivers just too cheap to work with my switch?

I submitted a support request to HPE and their boilerplate answer was to make sure I have HP branded transceivers.



Was there any specific moment in your life where you realized, "hey, I think a career in computer networking would be a good idea"?

The reason I ask this is because I plan on transitioning into this field of work this year. I have a degree in CS, but it's been a while since I graduated and I'm currently relearning everything on my own so I can earn my certs. I've just hit a wall and I'm looking for some inspiration to move forward.



Extending WiFi

How can I extend Wi-Fi downstairs? I've been using extenders but they are so slow. Or should I just buy a more powerful router?



Any point in taking CCENT years before I'll actually be working?

I'm nearing my last year of school, where they give us a LOT of free time in the last year to revise for our exams. The thing is, everyone from the year above (final year) I've asked says they only need a fraction of the time to study.

I'm thinking of starting to work towards my CCENT and after that CCNA (the latter would probably be after leaving school) in the time I don't use to revise for exams, as well as working on it at home. My question is: is there any point in working towards either of these qualifications years (probably 4 or 5) before I'll actually use them, or do they change too much to be useful by the time I'll be working in a job that requires them?

Sorry if this is a stupid question but I'm new to this stuff.



User segment can't reach server zone interface.

Hi All,

I'm working with my lab right now and having some issues with the user segment reaching the server zone interface.

Devices

Fortigate: 100D

Switch: 3850

Fortigate Configuration details:

Network Interface Port 1 (Created interface and zone)

int port1.400 (Outside interface)

allow ping http https snmp

assigned under outside zone

int port1.200 (Server interface)

allow ping http https snmp

assigned under Server zone

Routes: Add a static route to destination 192.168.10.0/24 with next hop 172.1.1.2 (switch SVI)

Policy: Create a policy from src zone outside to dst zone server that allows all IPs and services.

Switch Configuration details:

ip routing

Created VLAN 400 (for the outside interface) and VLAN 10 (for the user segment)

Create an SVI for VLAN 400 with IP 172.1.1.2/24

Create a static route to 192.168.200.0/24 pointing to nexthop 172.1.1.1

No filtering configured on switch side.

What would be the possible issue? Attached the photo and ping test.

Ping result: From the source server interface (.200.254) I am able to reach the user segment.

From the user side (.10.1), it can only reach the switch SVI 172.1.1.2.

Diagram: https://forum.fortinet.com/tm.aspx?tree=true&m=159454&mpage=1

Thank you



Help identifying old fiber cable and using it for 10G

Can anyone tell me the specs of this cable? It's not labeled very well and I don't have the experience to say for sure. It runs underground a few hundred meters, has three pairs, and has multimode fiber and optics connected.

SEICOR OPTICAL CABLE 09 98 M (TELEPHONE SYMBOL)

I've been told that it might be possible to run 10G by using LRM2 optics and mode-conditioning cables. Is that crazy?



This cisco bundle from cracked.com looks too good to be true. Is it legit?

Found their post somewhere but you can check it here



DCI technologies

I have the following problem:

There are two separate DCs with a separate ACI fabric running in each DC. Any traffic (such as data, heartbeat, replication, etc.) between the two DCs goes over an SDH/DWDM via EoMPLS. Any congestion or failure on the local link can cause failures on heartbeat traffic which is very critical. I want to know how I can separate the data traffic from the critical heartbeat traffic - basically keeping the data traffic on the existing EoMPLS and having the heartbeat traffic go over a separate local link via the same DWDM. Can I utilize OTV or VXLAN? What about using ACI multi-pod or multi-site?

Looking for some help and recommendations to steer me in the right direction. Any links to documentation would be appreciated.



Need suggestions on how to map a folder to a remote computer ...

I don't know where to start with this but what I need to do is this. I have a computer at location A and it has a folder that I want location B to see, but it needs to be mapped as a network drive. I've been told I can do this with a VPN router but I don't know which one I need or how many. Would like to do this as cheaply as possible. Thanks in advance.



Making an impact to leaders

You probably work late and/or off hours building out new projects and putting out dumpster fires. You participate in on-call rotations, big projects and small. You've probably saved the day with a packet capture that found a weird packet flow that highlighted an application problem - that's "been like that for years". Anyway, what I'm saying is /r/networking gets a lot done.

Has anyone here found a way to gain visibility with leadership?

How does your CIO find out about all the great stuff you’re doing to ensure when you ask for more budget dollars you get them?

In other words how do you market your team in your organization? Prove those system and circuit upgrades are adding value...

Is this only a management concern and crappy manager = no visibility and good Manager = rockstar visibility?

Curious on your thoughts, thanks.



Cisco CSR1000V OTV with Virtualbox and GNS3 not working

I am trying to get OTV working between two CSR1000v VMs running in Virtualbox and GNS3. I have followed several guides, which are all pretty simple. The OTV adjacency between the two routers comes up just fine and everything looks good when I do a "show otv". The issue I am having is that the OTV routing table is not populated with the MAC addresses from the devices being trunked up to the router. I am just trying to trunk a single VLAN up and extend it between the routers.

I found some talk online about the CSR1000v having issues in Virtualbox and VMware with the subinterfaces not working properly. When I do a packet capture on the trunk from the switch going up to the router I am seeing the tagged frames going up just fine, but the MAC from that device does not show in the otv routing table or the ISIS database, which has me thinking it is the issue with the subinterfaces not working.

Any ideas?



Local status report for DNS/Ping

Hey guys,

I'm pretty weak in the programming/scripting department to say the least, but I have a need for a simple and graphical way for a user (non-technical) to tell if DNS/ping is working.

Here's the scenario: I'm a sysadmin for a company that deploys workers for service on a variety of manufacturing equipment. The equipment has software that connects back to a central server via SSL tunnel. The connectivity of the equipment is reliant on getting correct DNS information from our customers as well as ensuring we can navigate their proxy/firewall settings.

What I'd like is to be able to have a script or program to check a few URLs and verify the success/failure of some pings that the tech can run on his/her laptop. This would be for a non-technical end user, so it would be great if it was in the form of a web page or something that gave a simple read out based upon some DNS settings entered into it.

Does something like this exist? I've seen some server up/down stuff out there, but it requires the user to setup a lot and that's the biggest hurdle.

Am I over/under thinking this?

Thanks in advance for any advice.



Range on ethernet cable

Hey there, I'm soon going to be setting up a network on a rural piece of land with about 1000ft between buildings. I feel like this is too long to run an ethernet cable, and a P2P satellite seems a little expensive. Are there any other alternatives? Would converting to coax work?



Friday, March 23, 2018

Cloud based disaster recovery solution?

Hi all, my boss tasked me to find a cloud based disaster recovery solution. We're a small company and are looking to back up all of our servers. I am not an IT guy but he thinks I am. This is what he wants: a cloud based server that can be a domain controller, DNS, DHCP, file server, have a firewall and VPN access for 50 to 70 users. Is that something a cloud server can do? Do you know of any vendors that can do this? Please let me know. Thanks.



CAT6A terminations - cost?

Hey guys, a scenario for you.

You have an office with approximately 160 data and IP phone drops, all CAT6A. How much would you expect to pay for the termination of the drops and installation of wall plates, as well as terminating and dressing all of the wiring in the rack enclosure? It's a real mess where the equipment rack has to go. We already have procured the hardware for the technicians as well as the wall plates. They did not run the low voltage wire and are quite upset with the way things look in the planned server room right now with all of that spaghetti pouring out of the empty ceiling tile, and say it is also going to take them some time to fix it. They bid to run the wire for the GC but they thought their cost was too high at near $30k.



[RANT] Unicorn Solutions

I really don't understand why people build such complex and nonstandard solutions. The number of times I've walked into a business with several routing protocols redistributed into each other, or a bash script that triggers only when an IP SLA goes down to change a firewall rule that does NAT, or using hundreds of static routes in PBR to mess with the way traffic flows... Why? I mean, I get it if that's the way the network has evolved and it's temporary, but to be designed like this from scratch? I did some work for a vendor for a while and the feature requests they got were insane. "I know this is only supposed to be a wireless access point but say I want to run BGP on it for our DC..." ... Seriously? People who do this? Why? If it's pressure from management, just say no. If it's your own curiosity, save it for your lab. If it's to save money, it'll end up costing you more in support.



Subnet Mask noob question

I've been learning about networks and I have always been curious about this. Let's say I have 100 computers that are going to connect to a network, but I also might have people come through my business and let them connect to the network.

Why can't I just put my subnet mask to something like a class A, and allow thousands, or tens of thousands of IP addresses to be assigned by the DHCP server so that hey even if a thousand people were to walk into the lobby of my business they could all get an IP address.

I guess another way to put it. Why do we want to constrain our pool of IP addresses so that we only give out what we need?



Something better than Outlook Calendars for keeping track of circuit orders, install, and site readiness?

We have dozens of in-flight circuit orders at any given time. I'm having a difficult time keeping everything organized and was wondering if anyone knew of a software solution or organization tactic to keep track of all this information.

I need to keep track of building construction and site readiness to make sure the circuit doesn't get installed too early. I then need to coordinate this with on-site contacts who can facilitate access to the building.

After the install is done I need to coordinate with contractors to go out and extend wiring if necessary, patch our equipment in, and other misc tasks if necessary.

As I'm typing this, it doesn't sound all too complicated, but when we have ~25+ in-flight orders, and this is supposed to be a very small portion of my actual workload, I find dates slipping as I can't find a good way to stay organized with all the dates and statuses of each order.

Anyone have any tips for keeping up with all this?

tl;dr I suck at juggling 25+ timelines at once, how can I make my life easier?



Why exactly do people hate IWAN so much?

IWAN is the only SD-WAN offering I have experience with, so I really haven't seen a whole lot of what competitors have to offer.



Google Home WiFi and a Cisco switch

Howdy all, probably a dumb question here, but I've acquired an old 10/100 switch from the office (Cisco 2960, circa 2010) and wish to use it to hardwire a lot of my home devices.

It looks like the Google WiFi system (only one pod for now) does its own DHCP for my wireless devices, so my question is, can it hand out IPs to downstream hard wired devices if I plug the Cisco port 1 into the Google WiFi's LAN side port (WAN to fios)?

I've got the switch reset to factory with a few PWs where necessary, and no IP addressing thus far. Figured leave it unaddressed a la a DMZ, and the Google will hand out the IPs. Anything else I'd need to consider here? Planning on trying this out when I get home tonight.



UCCX licensing

On our UCCX it shows "Cisco Unified CCX Enhanced Seat(s): 10"

Does this include supervisor signons as well as agent desktop? We're using version 9 of UCCX currently.



Genexis HRG1000 wired connection issue

My modem/router only allows wired connection through port 1. It is not possible to connect to the router at all using port 2-4 (can't get an IP or access admin interface). Wifi works fine and allows multiple connections.

How do I enable port 2-4 to be used? I have browsed the entire admin interface and I can't seem to find anything that would allow it. Is it an ISP issue? I have changed to a static IP address, but I don't see how that would limit cable port connections when wifi works fine. (Are routers magical artifacts?)



Getting DHCP from Cisco 3650 loopback

I may not be understanding this correctly but can I run DHCP on a 3650 and use a loopback as the gateway? If so, how do I advertise DHCP as coming from the loopback?



RB2011UAIS compatible with UBNT SFP?

So I recently got a good deal on a MikroTik RB2011UAiS and I'm wondering if it's possible to use a Ubiquiti Networks SFP module in the RB2011UAiS. On the listing it says a MikroTik SFP module is recommended but I don't want to purchase more, as I have a bunch of UBNT ones. Thanks.



Looking for salary advice in the Philly area

My wife and I are trying to move into the Philadelphia area to be closer to family. I'm currently in Huntsville, AL working for a managed service company as a network engineer. What should be my target salary for an equivalent job in Philly? Thanks in advance.



Monitoring Meraki switches with Solarwinds, any gotchas?

We have around 20 Meraki sites (switches, not waps) that we monitor through Solarwinds via snmp polling.

Quite often Solarwinds will report that a device is down when Meraki says it is not. (I can ping the device, see that all is green on Meraki's dashboard, and reach devices sitting behind the device Solarwinds believes is down.)

This keeps happening across different sites and I'm a bit at a loss. Has anyone else run into a similar scenario or have any general gotchas I should be aware of with using Solarwinds SNMP polling in combination with Meraki switches?

Edit: It looks like Status & Response Time is being monitored by ICMP, not SNMP, even though polling is SNMP, so I'm trying to see if changing that to also be SNMP might resolve the issue.



Anyone used cleerline fibre?

I just went to a trade show and was given a demo of terminating this cleerline fibre. I was impressed, but wondering if anyone has any experience using it in the field they could relate? They claim it has a bend radius of 3mm, can be run over by an ewp and still work, and doesn't need certification to terminate. It's also cheaper than cat6. Anyone know how true this is?



Active Standby Config Guide 4150

Hi All,

Can someone link me to an active/standby configuration guide for a 4150 please. I can only find the active/active cluster guide, and it's not what I want.



Issue with processing multi label MPLS packets on Arista

I'm trying to set up a design where an Arista switches packets based on MPLS labels. I'm not using LDP and all MPLS rules are set statically. In the design the switch receives packets with 2 labels (i.e. 1000/2000), should pop the top one and route it via the appropriate interface to the next hop (so that the next hop switch will also MPLS switch it based on the underlying label, 2000). This should be achieved by the following command:

mpls static top-label 1000 Po1 10.0.0.1 pop payload-type mpls 

Problem is this doesn't work and Arista silently discards the packet, not sure why. On the other hand Arista can handle the packet just fine if it only contains a single label (label 1000 and the same command as above, but with the last option changed from payload-type mpls to payload-type ipv4).

The switch will also process swapping labels when the packet contains just one (label 1000). So the following command works just fine:

mpls static top-label 1000 Po1 10.0.0.1 swap 1111 

Couldn't find a debug command for MPLS, so not sure how to troubleshoot this one. Anyone run into a similar issue?



How do you guys handle active-active internet connections with different datacenters and firewalls?

Just curious how you guys handle active-active internet connections with different datacenters and firewalls? I have two datacenters in different locations, each with a link to the internet (same ISP). Currently we poison one link and it goes unused, but we're interested in an active-active design. However this causes issues with the firewalls being stateful. If traffic comes in on side A, and then hits the datacenter on side B, but the upstream router on side B prefers the default route on its internet link, then the firewall on side B will block the return traffic. Just curious how you handle that. Thanks.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Laptop tripod for a network engineer

Hi!

I'm looking for a good laptop tripod for our networking team. Do any of you use them frequently? Do you have any recommendations?

I'm looking for one that folds to a fairly small size so it could fit in a backpack or a tool bag and doesn't take too much time to set up.

Appreciate all of your advice.



Can anyone recommend a wireless (wifi) sip conference phone? or a decent wifi phone I can put on speaker?

Thanks in advance. This is for a non-profit so we are trying to avoid running wires.



Thursday, March 22, 2018

What's the secret to operating voip across cable/dsl links successfully?

How do call centers that have all work-at-home employees operate successfully? Usually they have residential grade Cable/Dsl connections, and a VPN router that tunnels back to the mother ship.

I can't comprehend how VoIP can function in an environment like that, where packets traversing these consumer grade broadband networks are highly, highly prone to out-of-order packets, high latency, high loss, high jitter.. you name it!

We also know that VoIP is one of those technologies where if you do have these problems, the users will always complain, and if your job is to take phone calls 24/7, not being able to hear the other person, or have them hear you--is a very big deal!

Yet lots and lots of these companies are doing this. What is their secret?

There's no QoS across the Internet...



Can't access facebook.. (routing??)

Hear me out :)

We have our own /24. This block has some security services on it, provided by the ISP, that make it be announced via that service instead of directly by ourselves. That security service exists in multiple places so that if one center gets overwhelmed we can be pushed via another.

For example we normally get announced out of our ISP's connection in City X, but if City X gets overwhelmed, we can be rerouted to be announced via Y.

We recently had a situation where we had to get shunted to City Y. Once things got cleared up we moved back to City X. Now nothing in our /24 can access FB.

My first thought is somehow stale routing exists in whatever ISP FB uses. We are going to test by switching back to City X briefly after-hours, but we can't stay that way. City X increases our latency and that degrades performance for certain key applications.

Our ISP isn't much help as we can't prove anything. Traceroutes don't help with as many IPs and differing paths traffic might take to get to FBs datacenters.

Any thoughts?



Securing large amount of very small networks

Before I begin, I would like to say that I am not trying to receive any sort of hand-outs or have my work done for me, but more as a discussion of topics/technologies and the like, since I have already done a bit of research.

I have started a new position and am tasked with ensuring that 50-200+ (I say this because it is growing exponentially) small networks are as secure as can be for a good cost. PCI compliance is the main pressure point at this time. Right now, the firewalls in place are not ideal, so this seems to be the biggest aspect requiring change. Each network really only has about 4 devices connecting to the network, plus a few IP cameras. No one really uses the internal Wifi, and there is no guest Wifi. It also MUST have the ability to run a failover seamlessly. I was looking into cloud security platforms that could bring Firewall as a Service to each location, but this does not seem ideal and I could not really find a good company that has this sort of thing for inbound traffic.

The main point of the post would be thinking about the benefits of just having singular small firewalls at every single location (I've been looking into a Watchguard T35 since it allows failover circuits) or if maybe an SD-WAN could be the way to go? Can an SD-WAN even replace a firewall as a whole? Would managed security services be worth recurring subscription costs?

I'm thinking a small firewall at each location is probably the best bet since it's what I'm used to, and each of the small networks doesn't need to interact with the others whatsoever. I do need to take into account implementation as well, since firewalls at each location would have me going all over the country for installs (this is why I was hoping cloud based network security would work).

Thanks in advance for any insight!



Best way to allow employees to access company resources from china

We currently have OpenVPN set up inside of AWS however this is blocked from China, we have a legacy system currently in our office that does work in China however this system has been unreliable (outside of China) and needs to be replaced. Our employees who regularly travel to China need access to our internal resources and Email (google), does anyone here have experience/recommendations on getting a VPN connection through the great firewall?



Guest access with ISE - DNS

For those using ISE for Guest user isolation, how are you approaching DNS resolution for your PSN?

To explain further, here is the general layout of the LAN:

  • Trusted versus Untrusted (Guest) networks are in separate VLANS.
  • Guest network is completely isolated behind a firewall, currently with absolutely no access to RFC1918 (outside of its own subnet).

We want any and all Guest users to be presented with a Hotspot portal via ISE. We plan on having a PSN at any given location, however, the problem is security with how we will handle DNS.

  • If we allow Guest users to talk DNS with our internal DNS servers, doesn't that open up a dangerous vector for leaking information for an attacker?

  • If we create a public DNS A-record with a private IP address, doesn't that expose internal information about our LAN; i.e. if it's 192.168.2.15, one can reasonably assume our gateway is .1, it's a /24, etc.

  • Creating a DNS server and putting it on the Guest network would be a lot of work for our server folks and generally doesn't sound like it would scale well. Less than 100 locations total, but still, our teams are very small (2 people) and have many other projects.

How does your organization handle this?



Cisco phone anyconnect sslvpn embedded client with 3rd party firewall instead of ASA? Does it work?



DMZ ACL questions

Lan 192.168.2.0 vlan 100

Dmz 172.20.1.0 vlan 200

I want to make an ACL so the DMZ cannot access the LAN VLAN, but I want the LAN to be able to access the DMZ VLAN.

What would that acl look like on the catalyst?
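As an added example (not from the post), the usual Catalyst answer is a stateless ACL applied inbound on the DMZ SVI. The interface names Vlan100/Vlan200, the ACL name and the `log` keyword are my assumptions; the subnets are the ones listed above.

```text
! Added example, not from the post. Assumes Vlan100 = LAN 192.168.2.0/24 and
! Vlan200 = DMZ 172.20.1.0/24; the ACL name and "log" are my choice.
!
! Catalyst ACLs are stateless. "established" matches only TCP segments with
! the ACK or RST bit set, which lets replies to LAN-initiated TCP sessions
! through while dropping new connections (SYN) that the DMZ tries to open.
ip access-list extended DMZ-IN
 remark replies to TCP sessions the LAN opened toward the DMZ
 permit tcp 172.20.1.0 0.0.0.255 192.168.2.0 0.0.0.255 established
 remark everything else from the DMZ toward the LAN is dropped (and logged)
 deny   ip  172.20.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log
 remark DMZ to anywhere else (e.g. the Internet) is still allowed
 permit ip  any any
!
interface Vlan200
 description DMZ 172.20.1.0/24
 ip access-group DMZ-IN in
!
! Caveats:
! - LAN-initiated UDP and ICMP (DNS lookups against a DMZ host, ping, ...)
!   have no "established" equivalent. Add explicit permits for the DMZ
!   source ports the LAN needs replies from, or put a stateful firewall
!   between the two VLANs.
! - Only the ACK/RST flags are inspected, so this is not stateful
!   inspection; treat it as a filter, not as a hard security boundary.
! - The ACL sees routed traffic only; hosts inside the DMZ VLAN still reach
!   each other at layer 2, and nothing is applied on the LAN side.
```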



Extend subnet on layer 3 connection without going through intermediary switch

So, I have this topology. I know I can plug the Primary ISP into the 3850 and then into the ASR router for its L3 connection and use a L2 VLAN to transport this. However, I would like to do the same thing without having to demarc in the 3850 first, and go straight into the ASR router. I am trying to think of a way to do this, but I think I might be SOL.

I was thinking about maybe being able to assign a vlan-ID to the port and then use a subinterface with dot1q down to the 3850. Any ideas?

Thanks!

https://imgur.com/a/p8sGR



Lab Ideas

Hopefully I'm not violating any rules by posting this here.

I'm trying to practice all of the CCNA stuff in a lab, ideally a few comprehensive labs that cover most of the CCNA curriculum. I've done a few myself but I still feel that I'm lacking a lot, and at the same time I can't really come up with things to test out.

Please note that I'm working on GNS3 and not real equipment. And also, I thought it would be cool if anyone has some Tshoot lab files on GNS3; I keep hearing that Tshoot is a really good way to learn and have a better understanding of things.



Why do you love what you do?

I work in Network Assurance for a large ISP - What does that mean? It means I fix things when they break. Little things like a PE router being offline, to big things like 50,000 people having no internet access or problems on a 400Gbps peering link with another ISP or CDN.

I love my job. At times it can be excruciatingly stressful, and I get downright angry at the corporate BS and some of the ways I have to do things.

But that moment when it 'clicks' and you figure out that problem you've been working on all day is the best feeling in the world. Or the fact that I'm the "go to" guy that people come to when they need help figuring something out. Or knowing that I help keep the world as we know it in operation.



Question: We pay our provider, provider pays the carrier, carrier pays ???. Who's at the top of the bandwidth pyramid?



Don't do this.

Saw this at a nursing home =/

https://imgur.com/a/OQHD8



PAC file for Cisco proxy

I am trying to figure out why this PAC file configuration is not working and it's driving me nuts. It's very straightforward:

function FindProxyForURL(url, host) {
    if (isInNet(myIPaddress(), "192.168.1.0", "255.255.255.0"))
        return "PROXY 192.168.1.1:80";
    else
        return "DIRECT";
}

However if I use the configuration below it works without any issues:

function FindProxyForURL(url, host) {
    return "PROXY 192.168.1.1:80";
}

Anyone have any ideas?
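As an added example (not from the post and not a Cisco tool), here is a small offline harness that evaluates a PAC script the way a browser would, with the standard PAC helpers re-implemented locally, so a script can be checked before it is pushed to users. Run against the snippet above it reports a ReferenceError, because the helper browsers expose is spelled `myIpAddress` (case-sensitive) rather than `myIPaddress`; the client addresses and URL/host pairs used are constructed test data.

```javascript
// Added example (not from the post, not a Cisco tool): an offline PAC harness
// with the standard PAC helpers re-implemented locally. The client address,
// URL/host pairs and the two PAC strings below are constructed test data.

// Convert a dotted-quad IPv4 string to an unsigned 32-bit number, or null.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Local stand-ins for the helpers a browser injects into PAC scripts.
// The names are case-sensitive: myIpAddress, not myIPaddress.
function makePacHelpers(clientIp) {
  const isInNet = (host, pattern, mask) => {
    const h = ipv4ToInt(host), p = ipv4ToInt(pattern), m = ipv4ToInt(mask);
    if (h === null || p === null || m === null) return false;
    return ((h & m) >>> 0) === ((p & m) >>> 0);
  };
  const shExpMatch = (str, shexp) => {
    const re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
  };
  return {
    myIpAddress: () => clientIp, // browsers may return a VPN/virtual NIC address here
    isInNet,
    shExpMatch,
    isPlainHostName: (host) => !String(host).includes("."),
    // Constructed: no real DNS offline, so only literal IPs "resolve".
    dnsResolve: (host) => (ipv4ToInt(host) !== null ? host : null),
  };
}

// Run FindProxyForURL from `pacSource` for one (url, host) pair.
// Returns { result, error }: an exception the script throws is reported
// here instead of being hidden behind a generic proxy failure in a browser.
function runPac(pacSource, url, host, clientIp) {
  const helpers = makePacHelpers(clientIp);
  const names = Object.keys(helpers);
  try {
    const factory = new Function(...names, pacSource + "\nreturn FindProxyForURL;");
    const find = factory(...names.map((n) => helpers[n]));
    if (typeof find !== "function") {
      return { result: null, error: "PAC does not define FindProxyForURL" };
    }
    return { result: find(url, host), error: null };
  } catch (e) {
    return { result: null, error: `${e.name}: ${e.message}` };
  }
}

// The PAC from the post, verbatim, and a copy with only the helper name fixed.
const POSTED_PAC =
  'function FindProxyForURL(url, host) { if (isInNet(myIPaddress(), ' +
  '"192.168.1.0", "255.255.255.0")) return "PROXY 192.168.1.1:80"; ' +
  'else return "DIRECT"; }';
const FIXED_PAC = POSTED_PAC.replace("myIPaddress", "myIpAddress");

// Exercise a PAC against several constructed client addresses and report
// the decision (or the error) for each.
function lintPac(pacSource, clientIps, url = "http://example.com/", host = "example.com") {
  return clientIps.map((ip) => ({ clientIp: ip, ...runPac(pacSource, url, host, ip) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const pac of [POSTED_PAC, FIXED_PAC]) {
    console.log(lintPac(pac, ["192.168.1.50", "10.0.0.5"]));
  }
}
```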



Handling Guest WiFi

Long time, first time. This is probably a better Moronic Monday question, but I'm having a hard time articulating my concerns.

My company is looking to provide "guest" wifi at our remote locations. The goal is to give employees and customers at these locations internet access for personal devices - kind of like a coffee shop. Management would like to set up a Cisco 3502i AP at each location. Guests would authenticate through a central 2504 WLC and then have the remote AP send guest data out an interface on the remote router. I have a quick mock-up for how I think it would work if we went this route:

High Quality Design!

I'm concerned this is either 1) overly complicated for what we're trying to provide or 2) not doable. I'm trying to push for wifi access on Comcast gateways at each site. I think it's the simplest way to do this, especially where we already have a Comcast connection at each site. The only drawback I can think of is we'd be unable to throw up a captive portal when users join the network - something management would like to have.

If the captive portal turns from "would like" to "must", doing centrally switched guest wifi was my next suggestion. Management is concerned about how this would affect bandwidth usage on our WAN. I thought we could apply QoS to the CAPWAP traffic to mitigate this issue. That seems to be a common way to handle guest wifi based on what I've read.

Am I wrong? Is locally switching the AP at each location possible? If so, is it a good idea or a bad idea? Could guest traffic cripple a WAN connection if it's centrally switched? Wireless isn't exactly my forte and any help would be great.



On an ASA we can capture the outside interface for packets before they are dropped, can we do this on an ISR with the packet capture utility?

On an ASA we can capture the outside interface for packets before they are dropped, can we do this on a router running IOS XE with the packet capture utility?

  • correction, please assume I am running IOS XE



Cisco wireless with IPv6: Privacy extension address keeps changing, connections dropped

We are running a fairly standard deployment of 8.3 code on our WLCs. I am testing IPv6 with SLAAC which resides on an SVI on a Catalyst 6840. Clients assign themselves addresses and life is good. However, instead of the privacy extension aging itself out gracefully, the client just generates a new address every 1800 seconds or so. Since the private address is used for outbound connections, these will drop. If I connect my laptop to the same VLAN over wired, I don't have these issues. Cisco says our config looks fine and that this is expected behavior, but that doesn't sound right at all. Anyone running Cisco wireless with SLAAC?

If I set ipv6 nd ra lifetime 9000 (max), I do maintain connectivity longer, but it still forcibly drops the connection which is less than ideal.



stumped, unsure how to track down.

SME environment, doing a Wireshark capture for another diagnostic and saw 1000s of STP packets originating from 788a.20b9.XXXX, which seems to be a UBNT device. Now, we did just recently deploy one at another site, NOT connected to this segment. However, when I MAC trace this back, it seems to go to a Brocade ICX switch, which is then pointing to our stack of VDX switches, and then the MAC seems to disappear.

Any suggestions on how to track this down? Is it possible that the ICX has somehow grabbed onto this MAC address and is sourcing the STP from it?

Forgive my ignorance in advance.



DNS filter cloud based

Was just curious.. since SSL inspection is more or less relegated to proprietary solutions, squid hacks to compile old versions, and L7 firewalls, etc.. I was considering a cloud based DNS filter service.. cheaper and I don't have the data privacy issue to worry about.

Seems super easy to implement as well.

My question is.. is it possible that despite my outbound traffic being nat'd to one external IP that certain internal clients can be exempted from the filter policy?

I imagine I could do it with an on premise list subscription but I was curious to get people's thoughts on the matter...

I was thinking of DNS filter.com as an example.

Cheers, M



Combine or separate edge and main router and firewall?

Historically we've had a router that both connected us to the upstream network and was the "main" router for some of our subnets. It also was our edge firewall. Over time it's been migrated to vyos, a seemingly dead fork of vyatta before it went closed source. So obviously, due to lack of security updates and the like, we need to migrate to something new.

We'd like to stay FLOSS, though maybe with commercial support or available consultants for back up. The reason is mostly financial - we're also looking to add more internal firewalls between subnets, and would like consistency on the firewall side. We don't really have a budget for this (of course)...

So we tried using pfsense, and failed pretty bad, mostly due to it not supporting outgoing rules, and the assumptions built into it that you have an "inside" and "outside" network as it's primarily a firewall. But we have 4 interfaces, of which 3 are "inside" in which there (currently) should be no rules applied, and 1 "Outside" which needed 2 way rules, i.e. block most coming in, but also block some going out from any of the 3 inside networks. This proved tricky to implement due to manual duplication of rules and the like. It didn't seem a good way to try and keep them in sync either over time.

Anyway, this background got me to thinking - "Is it actually a good idea to combine the firewall and router here?". The local pros are:

  1. FLOSS "transparent" firewalls don't work well (don't know if this is true currently)
  2. "Extra" hardware and configuration
  3. We've always done it combined (and I'm generally familiar with it combined, albeit with the more home Linksys style combinations, which again pfSense seems to be targeting also)

But really - this means your appliance or software combination or whatever has to both be a router and a firewall and the UI has to understand both and your configs are even more complicated (maybe)... I'm sure that pfSense would have been fine if it was ONE connection with WAN on one side and LAN on the other.

I'm thinking about comparing Untangle and Shorewall next, but I wonder if they'll have the same issues around the UI, and I don't want to consider straight iptables or pf, even though they both support outgoing and incoming rules.

So - before I go further down a potential "garden path" - is it reasonable to combine the functions? Do "transparent" floss firewalls work well? Am I missing a smart option (that isn't Fortinet cost, i.e. close to $0)? Am I being silly to try and keep firewalls consistent (I have options for edge firewalls that are "rented" from upstream, but could not use those internally, and host firewalls will generally be different anyway a la Windows firewall)...



Spanning-tree bouncing between PVST and PVRST on a single VLAN

I am having an issue on a ring I am working on. Topology is ASR9K -> 4900 -> 4500 -/- 4500 -> 4900 -> back to ASR9K on separate Ten Gig port. Currently I have the link between the 2 4500's shutdown.

All of the switches are running PVRST and the ASR9K is running MST. (Converting the ASR to PVRST next week)

My issue is with 1 single VLAN. I found a switch that hangs off of one of the 4900's was running PVST. I set it to rapid and now instead of showing P2P (Peer), it bounces between Peer and P2P about every 5 seconds on Po7. The same behavior is present on the other 4900 as well but all the switches off of there are also running PVRST. Po7 on this switch is the bundle-e back to the ASR.

4900#sho spanning-tree vlan 69

VLAN0069
  Spanning tree enabled protocol rstp
  Root ID    Priority    8261
             Address     78ba.f96c.bef6
             Cost        1
             Port        1287 (Port-channel7)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24645  (priority 24576 sys-id-ext 69)
             Address     a493.4c23.aec0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Te1/8               Desg FWD 2         128.8    P2p
Po1                 Desg FWD 3         128.1281 P2p
Po3                 Desg FWD 3         128.1283 P2p
Po7                 Root FWD 1         128.1287 P2p Peer(STP)

spanning-tree mode rapid-pvst
no spanning-tree etherchannel guard misconfig
spanning-tree extend system-id


Juniper vSRX on RHEV/oVirt

Hi All -

Just spent the last few weeks plugging away at this. Juniper documentation is good for standalone KVM but I really wanted to put it in to my oVirt cluster for a bunch of reasons. The documentation lacked a few things and completely doesn't cover some (like the KVM node needing to be able to spoof MAC and ARP).

Please let me know what you think - https://ckozler.net/vsrx-cluster-on-ovirtrhev/



Arguments to keep a firewall.

So, I'm trying to find reasons to keep a firewall in place at some locations right now, and seeing if anyone has an argument for it.

Right now we have a bunch of site locations that access some of our services. We run the network for those sites and generally have a Fortigate firewall attached to a few PCs, or a Fortigate attached to a Cisco switch.

We don't have any advanced services running on these firewalls. They just have routes and policy rules. So, security-wise, all they're really doing is running an ACL for us.

We've been looking into setting up ISE and Trustsec for a little bit now. What I'm trying to do is figure out after that if we need a firewall in place if we have that. When it's only being used to ACL specific IPs and Services, and we can do a DACL to do the same thing with ISE.

Is there anything I might be missing that a firewall is giving us in this situation that would compromise our security if just using a Cisco 3750 with DACLs?



White-listing from SSL Inspection

Forgive me if this is not appropriate for /r/networking

Starting to implement SSL Inspection (DPI-SSL With a SonicWall NSA 3600). Finding that Pandora music streaming is not playing nicely with the MITM attack. Songs randomly pause and play. Unfortunately white-listing pandora.com does not seem to work and my guess is because Pandora is reaching out to a CDN for the audio content. Question 1: Has anyone else dealt specifically with white-listing Pandora and have a list of URLs that need to be white-listed? Question 2: For those of you who implement SSL Inspection, how do you best troubleshoot these issues when a simple addition to a white-list isn't enough?



Wednesday, March 21, 2018

DDoS tcpdump analysis help

We are getting DDoS'ed with a very low volume but still consistent attack (thousands of IPs per minute, all over the world) on our SMTP server. The problem is that these connections look like a SYN flood but with two ACKs - I don't know how to describe it, but I have some tcpdump logs below. The first example is an actual attack on our port 465, the second one is a regular connection that connects properly.

Has anyone seen anything like this before?

DDOS CONNECTION:

17:40:36.197973 IP 177.239.76.125.62242 > my_local_server.465: Flags [S], seq 854619169, win 8192, options [mss 1412,nop,wscale 8,nop,nop,sackOK], length 0

17:40:36.198027 IP my_local_server.465 > 177.239.76.125.62242: Flags [S.], seq 3888728441, ack 854619170, win 65535, options [mss 1412,nop,wscale 6,sackOK,eol], length 0

17:40:36.354866 IP 177.239.76.125.62242 > my_local_server.465: Flags [.], ack 1, win 259, length 0

17:40:41.351841 IP my_local_server.465 > 177.239.76.125.62242: Flags [.], ack 1, win 1036, length 0

17:40:41.479040 IP 177.239.76.125.62242 > my_local_server.465: Flags [.], ack 1, win 259, length 0

REGULAR CONNECTION:

17:43:09.995356 IP good_client.34751 > my_local_server.465: Flags [S], seq 912247919, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 13408412 ecr 0], length 0

17:43:09.995434 IP my_local_server.465 > good_client.34751: Flags [S.], seq 2057029005, ack 912247920, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3231091032 ecr 13408412], length 0

17:43:09.995794 IP good_client.34751 > my_local_server.465: Flags [.], ack 1, win 1026, options [nop,nop,TS val 13408412 ecr 3231091032], length 0

17:43:09.996006 IP good_client.34751 > my_local_server.465: Flags [P.], seq 1:308, ack 1, win 1026, options [nop,nop,TS val 13408412 ecr 3231091032], length 307

17:43:09.997766 IP my_local_server.465 > good_client.34751: Flags [.], seq 1:1449, ack 308, win 1026, options [nop,nop,TS val 3231091032 ecr 13408412], length 1448

17:43:09.997780 IP my_local_server.465 > good_client.34751: Flags [.], seq 1449:2897, ack 308, win 1026, options [nop,nop,TS val 3231091032 ecr 13408412], length 1448

17:43:09.997790 IP my_local_server.465 > good_client.34751: Flags [P.], seq 2897:4097, ack 308, win 1026, options [nop,nop,TS val 3231091032 ecr 13408412], length 1200

17:43:09.997831 IP my_local_server.465 > good_client.34751: Flags [.], seq 4097:5545, ack 308, win 1026, options [nop,nop,TS val 3231091032 ecr 13408412], length 1448

17:43:09.998608 IP good_client.34751 > my_local_server.465: Flags [.], ack 2897, win 1003, options [nop,nop,TS val 13408412 ecr 3231091032], length 0

17:43:09.998876 IP good_client.34751 > my_local_server.465: Flags [.], ack 5545, win 1003, options [nop,nop,TS val 13408412 ecr 3231091032], length 0
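As an added example, not code from the post: a small Python parser for tcpdump text lines in the format above. It groups packets into connections and flags those that complete the three-way handshake and then sit with no client payload for a few seconds, which is the pattern the post shows on port 465. The capture lines are the post's own except the 203.0.113.7 flow, which is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# One tcpdump text line of the shape seen in the post (IPv4, TCP).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\],"
    r"(?: seq \d+(?::\d+)?,)?(?: ack \d+,)? win \d+,"
    r"(?: options \[[^\]]*\],)? length (?P<length>\d+)$"
)

FlowKey = Tuple[str, int, str, int]  # (client, client port, server, server port)


@dataclass
class Flow:
    syn_at: float
    synack_at: Optional[float] = None
    established_at: Optional[float] = None  # time of the client's handshake ACK
    client_bytes: int = 0                   # payload bytes the client sent after the handshake
    bare_acks: int = 0                      # zero-length client ACKs after the handshake
    last_seen: float = 0.0


def _seconds(ts: str) -> float:
    """HH:MM:SS.frac -> seconds since midnight (captures crossing midnight are not handled)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_flows(lines: Iterable[str], server_port: int = 465) -> Dict[FlowKey, Flow]:
    """Build per-connection state for every SYN seen towards server_port."""
    flows: Dict[FlowKey, Flow] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a TCP line in the expected format
        t = _seconds(m["ts"])
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        flags, length = m["flags"], int(m["length"])
        if "S" in flags and "." not in flags:        # bare SYN: the client side opens the flow
            if dport == server_port:
                flows[(src, sport, dst, dport)] = Flow(syn_at=t, last_seen=t)
            continue
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in flows:                              # client -> server
            f = flows[fwd]
            if f.synack_at is not None and f.established_at is None and "." in flags:
                f.established_at = t                  # third step of the handshake
            elif f.established_at is not None:
                f.client_bytes += length
                if length == 0 and "." in flags and not set(flags) & set("FR"):
                    f.bare_acks += 1
            f.last_seen = t
        elif rev in flows:                            # server -> client
            f = flows[rev]
            if "S" in flags and "." in flags:
                f.synack_at = t
            f.last_seen = t
    return flows


def idle_handshakes(flows: Dict[FlowKey, Flow], idle_seconds: float = 3.0) -> List[dict]:
    """Connections that completed the handshake but sent no client data for idle_seconds."""
    hits = []
    for (client, cport, _server, _sport), f in flows.items():
        if f.established_at is None or f.client_bytes > 0:
            continue
        idle = f.last_seen - f.established_at
        if idle >= idle_seconds:
            hits.append({"client": client, "port": cport, "idle": round(idle, 3),
                         "bare_acks": f.bare_acks})
    return hits


# Sample capture: the post's attack flow, a constructed second attacker (203.0.113.7),
# and a trimmed copy of the post's regular connection.
SAMPLE_CAPTURE = [
    "17:40:36.197973 IP 177.239.76.125.62242 > my_local_server.465: Flags [S], seq 854619169, win 8192, options [mss 1412,nop,wscale 8,nop,nop,sackOK], length 0",
    "17:40:36.198027 IP my_local_server.465 > 177.239.76.125.62242: Flags [S.], seq 3888728441, ack 854619170, win 65535, options [mss 1412,nop,wscale 6,sackOK,eol], length 0",
    "17:40:36.354866 IP 177.239.76.125.62242 > my_local_server.465: Flags [.], ack 1, win 259, length 0",
    "17:40:41.351841 IP my_local_server.465 > 177.239.76.125.62242: Flags [.], ack 1, win 1036, length 0",
    "17:40:41.479040 IP 177.239.76.125.62242 > my_local_server.465: Flags [.], ack 1, win 259, length 0",
    "17:40:37.001000 IP 203.0.113.7.40001 > my_local_server.465: Flags [S], seq 1, win 8192, options [mss 1412,nop,wscale 8,nop,nop,sackOK], length 0",
    "17:40:37.001100 IP my_local_server.465 > 203.0.113.7.40001: Flags [S.], seq 2, ack 2, win 65535, options [mss 1412,nop,wscale 6,sackOK,eol], length 0",
    "17:40:37.150000 IP 203.0.113.7.40001 > my_local_server.465: Flags [.], ack 1, win 259, length 0",
    "17:40:42.150000 IP 203.0.113.7.40001 > my_local_server.465: Flags [.], ack 1, win 259, length 0",
    "17:43:09.995356 IP good_client.34751 > my_local_server.465: Flags [S], seq 912247919, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 13408412 ecr 0], length 0",
    "17:43:09.995434 IP my_local_server.465 > good_client.34751: Flags [S.], seq 2057029005, ack 912247920, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3231091032 ecr 13408412], length 0",
    "17:43:09.995794 IP good_client.34751 > my_local_server.465: Flags [.], ack 1, win 1026, options [nop,nop,TS val 13408412 ecr 3231091032], length 0",
    "17:43:09.996006 IP good_client.34751 > my_local_server.465: Flags [P.], seq 1:308, ack 1, win 1026, options [nop,nop,TS val 13408412 ecr 3231091032], length 307",
    "17:43:09.997766 IP my_local_server.465 > good_client.34751: Flags [.], seq 1:1449, ack 308, win 1026, options [nop,nop,TS val 3231091032 ecr 13408412], length 1448",
    "17:43:09.998608 IP good_client.34751 > my_local_server.465: Flags [.], ack 2897, win 1003, options [nop,nop,TS val 13408412 ecr 3231091032], length 0",
]

if __name__ == "__main__":
    for hit in idle_handshakes(parse_flows(SAMPLE_CAPTURE)):
        print(f"{hit['client']}:{hit['port']} idle {hit['idle']}s after handshake, "
              f"{hit['bare_acks']} bare ACK(s), 0 bytes of client data")
```

Run over a real capture, the count of distinct flagged clients per minute is the number worth alerting on; a legitimate SMTPS client sends its TLS ClientHello immediately after the handshake and is never flagged.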



Meraki Mx84 vs Cisco 4300

Anyone played around with these two to give advice/advantages/preferences?



SIP command to see frequency of dial peer usage

Is there a Cisco command that will show the frequency or hits for a dial-peer? Just curious. I'm cleaning up our SIP router and we have 200 dial peers for around 20 or so offices. I kinda know the dial-peers to delete that belong to offices that have long since closed, but it would give me greater peace of mind if there was a command that would show how recently a certain dial peer has been used.



Sonicpoint routing issue on a Cisco 3750X (Cross-post from r/Cisco)

Looking for help with my setup. I recently picked up a 3750X to learn CLI with Cisco. Prior to that I was comfortable with SonicPoints and Netgear switches where the SonicWall was doing all the routing (ROS). I am trying to learn layer 3 routing with the switch and have been mostly successful up until trying to get the SonicPoints up with connectivity to the LAN on the admin SSID. I understand I need to start with baby steps so I am just trying to get it working with a single SSID. I have read multiple posts elsewhere about using a free port on the SonicWall and a separate switch; however, if possible, I would like to pass everything through the Cisco.

Switch config is below but a quick summary of my test bench:

  • VLAN 20 - Desktops
  • VLAN 30 - Servers
  • VLAN 40 - Phones
  • VLAN 50 - Access points (before it was a pvid for the management and IP addressing of the AP's with the actual traffic passing on the VLAN associated with the SSID)
  • VLAN 60 - Admin wifi
  • VLAN 70 - Guest wifi

Everything on VLANs 20/30/40 is all working and talking fine. Just stuck with the wireless. They come up and work fine with them built off the SOHO on a trunked port. Struggling with the routes necessary to allow LAN connectivity.

  • SW Port 1 - Dhcp Server for vlan 20/30/40
  • SW Port 2 - PBX
  • SW Port 3 - Voicemail Server
  • SW Port 10 - Test PC
  • SW Port 11 - Phone with PC Pass through (single drop simulation)
  • SW Port 21 - To X3 (wlan for Sonicpoints)
  • SW Port 22 - To Sonicpoint
  • SW Port 23 - To X0 on sonicwall (lan)

Config:

!
interface GigabitEthernet1/0/22
 switchport access vlan 50
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 50
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 switchport access vlan 30
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 30
 switchport mode trunk
 spanning-tree portfast
!
interface Vlan1
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip helper-address 10.1.30.3
!
interface Vlan30
 ip address 10.1.30.1 255.255.255.0
 ip helper-address 10.1.30.3
!
interface Vlan40
 ip address 10.1.40.1 255.255.255.0
 ip helper-address 10.1.30.3
!
interface Vlan50
 ip address 10.1.50.1 255.255.255.0
!
interface Vlan60
 no ip address
!
interface Vlan70
 no ip address
!
ip default-gateway 10.1.0.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.30.254
ip http server
ip http secure-server
!
!
!

I can post the SonicWall config if it is necessary, but I am hoping the community can point me in the right direction!



HP 1920S Switch - Creating LAG

Prelude:

(The "S" is important in the model number. I've done this multiple times with HP 1920 switches by editing a text configuration file and uploading it to the switch using TFTP, no problem. But the 1920S only allows web GUI configuration, no ssh, no telnet, no console port, etc. Also, it doesn't seem to allow downloading or uploading plain text config files. I get an error when I try to upload a config file from a plain 1920 (without the S) and when I download a backup copy of the running config, I get some 13MB non-plain text file that isn't helpful to me.

The other problem I have is the Web UI menu for the 1920S is very different from the 1920. So when I'm searching Google I get a lot of hits on how to configure LAG on the 1920 switches. On the 1920 switches you go to Network, then Link Aggregation. But the 1920s doesn't have those menu options. In fact, I can't find any LAG or link aggregation menu options anywhere on the 1920S. From what little information I have been able to find, it seems like HP was trying to make this model more "user friendly" but it's ended up confusing the hell out of me)


I have two HP 1920S switches and I'm trying to create a LAG connection between them on ports 47 and 48 on both. I've tried the following steps on both switches, but it ended up creating a network loop and broadcast storm, so it's good I was working on it in an isolated network.

  • VLAN -> Configuration -> Add
    • Create vlans 100 and 200
  • Trunks -> Configuration -> Select TRK1 -> Select "Edit"
  • VLAN -> Port Membership
    • Select VLAN 100 from drop-down menu
    • Select TRK1 and choose "Edit"
    • Change "Participation" to "Include"
    • Change "Tagging" to "Tagged"
    • Select VLAN 200 from drop-down menu
    • Select TRK1 and choose "Edit"
    • Change "Participation" to "Include"
    • Change "Tagging" to "Tagged"

I connected port 47 on switch 1 to port 47 on switch 2, and the same with ports 48. I plugged a workstation into each switch, configured the ports the workstations are plugged into to vlan 100, gave each workstation a unique 10.0.0.x address with 255.255.255.0 mask, and they can't ping each other.

I don't know if I'm missing a step, if I'm doing these steps in the wrong order, or something else. Obviously I'm mostly a novice with this, so I'll appreciate any help anyone can throw my way.

Thanks!



firewall / dns / other option to block game Fortnite on a network?

I've been asked to block a specific video game, Fortnite, by Epic Games, on a company segment.

Does anyone have any bright ideas about how I can shut down either this specific game or the game servers of this game manufacturer?

Thanks in advance for the help!



S4128-ON Linux documentation

It has Linux OS10, sadly it lacks documentation on how to set interface information without taking down full interfaces, or ways to store the changes between reboots.

I know how to use /etc/network/interfaces, but that means I have to take down interfaces to bring up the interfaces with the new settings.

Last login: Fri Mar 9 05:16:38 2018 from 192.168.0.149
ahernandez@OS10:~$ uname -a
Linux OS10 3.16.39 #1 SMP Debian 3.16.39-1+deb8u2 (2017-04-29) x86_64 GNU/Linux

My problem has been that I'm unable to even configure VLANs in /etc/network/interfaces.d/ without taking down the interfaces first and bringing them up. There's no test functionality or even validation that something will work or not.

Is there some sort of hidden documentation out there besides the getting started that comes with the switch which has allowed me to configure users, sudoers, ifconfig, etc? I'd like to know how to manage the vlans and trunks going from port to port from within /etc/network/interfaces. I don't need fancy ACLs, just need to manage access at the port level.



Should I get a CCNA certificate if I am unsure to pursue a networking career?

I am kind of undecided about the area of IT I'd like to get specialized in.

I'm interested in being a network administrator and a developer.

But I'd prefer to just stick with one path.

Do you think in this case I'm better off with just a Network+ certificate?



Setting up QoS for MPLS

While troubleshooting some voice issues our MPLS provider noticed all the traffic coming into the managed router was all marked best effort, I checked out the edge router and of course there is no QoS currently set up. I've really never dove into setting up QoS other than setting up auto qos on switches before. Our topology is pretty simple, Network Switch > Edge router > MPLS managed router. If we have QoS enabled on the network switch, do we need to configure QoS on the edge router as well? If we need to configure QoS on the router can anyone recommend a good reference document?



Two MPLS Sites with a P2P. How can one site handle MPLS failure at another?

Some BGP routing assistance requested.

Ultra High Level Topology: https://imgur.com/a/6LCbA Picked one network from each site for example.

I have two branch sites that send lots of site data to their sister site, so a P2P between them was purchased. L3 switches at each site act as gateways, peering OSPF with each other and their routers. Routers redistribute BGP to the L3 switches (there are other WAN connections at these branches for partnered companies). Switches are currently not licensed for BGP.

Right now the routers only advertise their site's networks into BGP. What's the best practice to have these routers advertise the other site's networks in case of an MPLS failure at one site? If I redistribute OSPF into BGP at each site, the router would send both sites' networks into BGP at the same cost, right?

Thanks!



VPNs with AWS. Using it as a single VPN point for redundancy into datacenters. My google-fu fails.

So I'm dealing with an environment where multiple clients VPN into my 5525-X ASA and dump data. Lots of data. In a few months I'm standing up a Direct Connect MPLS into AWS and I want to leverage the VGWs on AWS to point all my client VPNs to so they can fail over to my DR site if things go tits up. Is this going to be as simple as having them VPN into my AWS instance and have the routes pointing to the Direct Connect MPLS?

Anyone deal with this? How does AWS do with large chunks of data going over their networks via VPNs?

*for clarification, this is a different approach to having a type of HA for point to point VPNs that requires ISP intervention with getting ASNs and floating a public IP. Trying this way since data isn't punched through all the time, and being charged per GB is cheaper in the long run for this project.



Submarine Cable Map 2018



Question about wholesale PTP rates

We are being told that our wholesale rates are too high by prospective customers, specifically a large carrier that rhymes with mayo.

In order to see how far off the mark we are, would you guys be kind enough to provide what pricing you are seeing in the wholesale market for these two scenarios for a gigE and 500Mb?

  1. PTP to cell tower
  2. PTP from cell site to regional transport provider (psap)

Thanks!



What are some cool things I could do with a network switch?

I have access to a switch, patch and console cables and a computer. The switch has an OS in it and a client console via RS232. What can I do with it? Performance tests? load test etc... Or are these just bricks when used alone?

I'm not really into networking but I have this expensive switch and I want to "play" with it.



Allowing public IP through ASA

Hello all, what should my config look like for ASA 9.5 to allow one public IP to the inside of my network to ANY? Let's say the public IP is 9.9.9.9.



Shopping around for multiple 10G waves and IP transit

Howdy all. I'm shopping around for some additional waves and IP transit and rather than go straight to our usual providers I thought I'd start here this time. Specifically, I need a 10G wave from Mississippi to Dallas, another two 10G waves from Mississippi to NW Ohio, and up to three more 10G waves between two sites in Mississippi depending on pricing. On the IP transit side all I need for now is 10G commit in Dallas to replace one of our existing peers. Any brokers lurking or anyone care to offer any advice?



HSRP and return traffic

Let's see if I can explain this w/out resorting to a picture...

OSPF network.

Switch A is connected (L2) to Router1 and Router2 (which have no links between them). Router1 and 2 are in an hsrp pair with Router1 active. From there, Router1 and Router2 have separate paths (wan links) out, before converging back into the enterprise network at different points.

So my traffic from my switch is going to use the HSRP active link. From there it's going to make its way to the enterprise on its WAN link.

However, let's say on the return link, from some point in the network, it's actually faster to use Router2's path. I'm correct in that traffic will use that path (Router2), even though Router2 is the HSRP standby, right? The network knows that my fastest path back is via that router, and traffic will go that way and use the (standby) L2 link to get back to Switch A.

So in this configuration/scenario, I will wind up getting circular/asymmetrical traffic from/to switch A.



Experience with ZTE switches? Esp. the ZXR10 5900E and 8900E series?

They would be used for a rural (=broke) ISP to backhaul some small PON sites to their core routers over MPLS/EoMPLS, and likely do nothing else.



Network mapping tool that can export to a nice looking Visio or something similar?

What do you guys use for network mapping and creating as-builts? I am looking for something to discover routers and switches and then be able to import it into a nice looking Visio or something similar. I know there's nothing out there that will do this entirely, but I am mainly looking for something to do like 70% of the work (like importing the names, IPs, their neighbors etc...) without me inputting every little detail. So far I have only found things that go beyond what I need like monitoring, or that only export to text. Doesn't need to be free, any suggestions welcome. Thanks!



Switching from Networking to IT/SysAdmin work.. bad move?

I started off in the trenches like a lot of you.. I worked at Comcast doing Internet Tech Support, then transferred to their Network Abuse department, and later moved to an MSP where I did a handful of jobs like Deployments, Desktop Support, etc. I decided I was sick of fixing printers, windows machines, and phones, and so I got my CCNA. After that I worked in a NOC as a Tech II for about two years and it was awesome. I absolutely loved only being responsible for the first 3 layers and not having to worry about whatever stupid error Excel was giving the user or whatever.

However, my NOC shut down and I had to look for other work. I got my Security+ and toyed with the idea of really trying to get into infosec, but it's not going to happen overnight. I haven't had much luck with the Network Administrator jobs I applied for, and I don't feel quite qualified enough to be applying for Engineer level jobs (maybe if I started on the path towards my CCNP first). So I interviewed with an MSP and was offered an IT Consultant job (Tier 2). I've accepted the position and start next week. This place mostly supports smaller businesses, so it'll be more common to be working on workstation issues, Microsoft Server issues, AWS, etc., than straight up networking issues like I've been used to. I've heard nothing but great things about this particular company so I feel pretty good about that, but I'm just nervous about what I'm getting myself into. I look at r/sysadmin and I just panic. There's soooooo much stuff to learn it seems absolutely overwhelming. The networking world seems so much more manageable.. just keep moving up the chain with Cisco certs and you'll be good! (or so I've told myself..)

So I guess my question is, have any of you guys done something like this before? Was I just spoiled in my NOC position and I need to learn all this other shit anyway? Or do I listen to my gut and just start studying for my CCNP sooner rather than later and try to get an engineering position and try to stay warm and cozy in the nice, comfortable, familiar bottom layers of the OSI stack?



Updating firmware on HPE 5700 from non US to US version

Stupid question because I'm new to HPE switches...

Can I update a non TAA switch with a TAA (US) firmware? I see on the web site for the 5700 there's a -US version of the newest firmware so I'd like to install that on my switch even though it's running the non -US version now. Any issues?

Related to this: In the zip file I downloaded there's a packet-capture bin file, but in the documentation I found on the HPE web site on how to update the firmware I only see a command for the ipe file. What do I do with the bin? Just upload this bin file? Ignore it? Upload the new one and delete the old one?

Thanks



Find IP info via API

Someone posted this on a Python sub, figured it would be appreciated here. You can get the data via a webpage here: http://ip-api.com/#1.1.1.1

http://ip-api.com/#IP_HERE

But you can get the data in json here

http://ip-api.com/json/IP_HERE

http://ip-api.com/json/1.1.1.1



How do school networks work?

I realize the title is somewhat vague but I'm very curious and can't find an answer anywhere. More specifically, I'm wondering how a network is set up so that no matter where you log in it shows you the same background and files etc... Is it just a bunch of VMs or some type of more complex network? Because a few thousand VMs seem like a lot.



Allowing traffic from known outside host to inside host best practice

It seems to come up quite regularly that someone asks to access internal resources over the internet. Obviously this is a bad idea to expose internal hosts to the internet, but what about to specific hosts? Technically, I know this is very easy to implement. I'm just not sure if it's a good or bad idea.

For the most recent request, another company is asking to allow SSL traffic on a non-standard port from 2 AWS IPs they use to an inside host. They claim this is the only way their product works and an IPSec tunnel is out of the question.

How do you handle these types of requests, and is it even anything to be worried about?



Behold the future! Found this guy clogging the pipes

Had a user reporting some slow performance, nothing new. Checked the switch and port was negotiated at 10M, I figured no big deal, probably a bad cable.
And then I found this beauty, a true Ethernet hub.
I've been here 2 years. This has probably been deployed for 5 at the very minimum.



What to pursue after CCNP?

I've just gotten my CCNP and have my CCNA Security. I know if I go up the design path I just have to take two exams (Don't have CCDA) to get the CCDP. Which is the better route CCDP or CCNP Security? Both can be useful to be at my job.



Inter vlan communication under nexus 9k

Hello, I'm faced with a really specific use case for a cloud environment.

I need to bridge multiple VLANs under a Nexus 9k. I can get it working under Brocade CER/MLX like this:

router mpls
 vpls foo 100
  vlan 10
   tagged ethe 1/1 to 1/3
  vlan 11
   tagged ethe 1/1 to 1/3

Under Nexus 7k I can do something like this:

int eth 1/1
 service instance 10
  encapsulation dot1q 10
 service instance 11
  encapsulation dot1q 11
int eth 1/2
 service instance 10
  encapsulation dot1q 10
 service instance 11
  encapsulation dot1q 11
int eth 1/3
 service instance 10
  encapsulation dot1q 10
 service instance 11
  encapsulation dot1q 11
bridge-domain domain-id 100
 member eth1/1 service-instance 10
 member eth1/2 service-instance 10
 member eth1/3 service-instance 10
 member eth1/1 service-instance 11
 member eth1/2 service-instance 11
 member eth1/3 service-instance 11

Can I achieve something like this under Nexus 9k?



Cisco Nexus 9000v vxlan evpn

Does VXLAN EVPN inter-VXLAN routing work in data plane on Cisco Nexus 9000v? I followed steps documented, but the ping messages (as an example for data packets) don't pass between VXLANs. Intra-VXLAN traffic has no issue.



Firepower 4150 Licence Help for HA

Hi,

I have two 4150's that I want to run in active/standby. I'm trying to work out if I need to buy two identical licences, or if I just need one licence for my firepower features. So let's say I have a threat defense & base licence on one 4150, and the other just has a base licence. Will it work in a HA failover?



Bandwidth in School Network going extremely slow around 2.00 PM

So we just installed some new Monitoring software on our school network in one of the classrooms. The software is Impero Edu Pro.

We have used this program before with absolutely no problems. We recently upgraded our PCs from Windows 7 to Windows 8.

Ever since this change, at an exact specific time in the day (2.00 PM to be exact - every day) the network starts going EXTREMELY slow... To the point where browsers will hang and start throwing DNS errors etc... Then it will come back up.. couple minutes go back down... and repeat.

I opened up Resmon and noticed that around the time of the bandwidth spike, Impero is peaking at around 100Bps... Now multiply this by the 16 PCs we have in the room?

In the morning, Impero is only utilising about 4k Bps... So I think it might have something to do with this?

I checked the config, and there doesn't seem to be any setting in relation to Auto Update? We also rang them up and they assured us the only beaconing Impero does is to check for the license key... which is every 30 minutes or so?

Does anyone have any idea about what is going on?



Why put a switch between a router and a dedicated link?

My company will interconnect one of our DCs with our cloud in AWS. People at the DC said that we should put a switch in front of the router that will receive the link for protection. Why?



Re-Certified CCIE Using Continuing Education.

I was able to re-certify my CCIE taking the following courses:

https://learningnetworkstore.cisco.com/on-demand-e-learning/designing-and-implementing-cisco-network-programmability-npdesi-v-1-0-elt-npdesi-v1-0-020749

https://learningnetworkstore.cisco.com/on-demand-e-learning/developing-with-cisco-network-programmability-npdev-v4-0-elt-npdev-v4-0-020748

Big thanks to u/djdawson, he posted a few months ago and answered all of my questions. I was able to complete both courses in about 40 hours. While my background is in Datacenter and Routing and Switching, the change to programmability was a really nice change of pace. It cost a total of $1800, plus I also took the intro class which was an additional 400. I think you could do it with only the two I posted. I asked my boss if they would pay for it; it just so happened we had a 100k order and I just added learning credits to the order. It was essentially free for me.

If you have any questions for me just reply and I will get to them as soon as I can. Thanks for your help Reddit! This was a very low pressure way to renew my cert. For those of you who are on the fence and might have to pay for it out of pocket, you can add this to your taxes if you are filing itemized.



Peering with your ISP, Multipath or LACP?

Let's assume you have two upstream ISPs with two 10Gb circuits to each ISP. You want to load balance across both links. Do you use LACP or multipath BGP?



Question about fiber lines

I'm sorry, this is probably a really dumb question, but if I purchased fiber lines for a building, would I need to buy routers/switches/firewalls that are specifically designed for fiber cables?

Like, could I use a Cisco router in a building that uses fiber cables? Or are there specific routers for use with fiber cables?

Sorry again if the answer is obvious.



What's the difference between HS8546V and HG8245Q2

Hi, everyone! I'm looking to buy a Huawei ONT. I searched online and found that the Huawei HS8546V and HG8245Q2 can meet my need. It says their function is the same, with just a little bit of difference in their appearance. Is that so? Or are there other differences between them?



Tuesday, March 20, 2018

Jumbo frames

Hi, first post and looking for a bit of advice!

We have 6x 3650s stacked as our core switches in our data centre (I'm aware the 3650 isn't really designed to be a core switch, and we have experienced issues with the buffers becoming overloaded as a result, but it's what we have and we need to deal with it for now).

We're looking at implementing jumbo frames on the stack in an effort to boost the performance, primarily of iSCSI traffic.

As it's a global command for the entire stack, are we going to experience a degradation of performance for all the other devices connected directly to it (to name a few: some physical servers, a VPN server, the WLC and the Checkpoint firewalls)?

I'm after opinions from people who have implemented jumbo frames and seen benefits and also those who have had issues!

Many thanks

Rich



P & PE or just PE devices in enterprise MPLS?

We built our own MPLS network for our enterprise spanning a few cities and six DCs, and used a design where we have two different core rings and separate P and PE devices.

Somewhat similar as this design in the Cisco Live presentation: https://snag.gy/BUaK9P.jpg

It's been running well, but I've started to wonder why we need the P switches there at all (we built it with switches to get more 10G ports, and there aren't that many labels/routes in the network). The idea was to have redundancy etc., but if we didn't have those, everything would still be connected to at least two other switches.

And now that it seems our 2x10Gbps links aren't enough for a single use case and we'd need to upgrade, it'd be a lot nicer to upgrade to 40/100 gig if we didn't have to get line cards for those extra P switches too :) And of course our budget is on a bit low side currently so we could use those switches elsewhere...

Any ideas? Should we just go with PE switches or are those P switches useful for some reason I'm not seeing yet (we haven't had any major outages or anything, yet). Or maybe replace the P switches with cheaper 1U switches as they're only doing OSPF and not BGP/L3VPNs or anything.

Thanks!

Edit: we use MPLS in our campus core/distribution too. Everything is segmented in different VRFs that are terminated in the DC FW cluster and it all goes over our MPLS network, that's why the 2x10 seems a bit slow sometimes and we also have backup/replication traffic going to a third DR site over the same links



HP5406ZL and LACP

I have a question on using LACP trunks and can't seem to find a direct answer. If I have a switch with multiple trunks not currently utilizing LACP (TRK1, TRK2, TRK3...), and LACP is enabled for a specific trunk, are you forced to use LACP for all, or is it just trunk specific? Example:

trunk 1-2 trk1
trunk 3-4 trk2
trunk 5-6 trk3 lacp

would that scenario work or would it cause a lacp misconfiguration on the switch?

I hope the question is specific enough.



Weird speed issue

We have been trying to track down a weird speed issue at one of our locations. We have a 1Gb fiber circuit coming in and get the following speed results. Anyone have an idea on what might be causing it?

Router - Mikrotik CCR1009, no firewall or queues

Switch - Cisco 3560 10/100 with 1Gb uplinks

AP - Asus 5G, tested and works at other properties

Fiber--Router--AP, 800Mb down, 800Mb up

Fiber--Router--1Gb uplink to Switch--Laptop hardwired in 100Mb port, 95Mb down, 95Mb up

Fiber--Router--1Gb uplink to Switch--AP in 100Mb port, wireless 30Mb down, 95Mb up

Fiber--Router--100Mb uplink to Switch--Laptop hardwired in 100Mb port, 95Mb down, 95Mb up

Fiber--Router--100Mb uplink to Switch--AP in 100Mb port, wireless 95Mb down, 95Mb up

All speeds are as expected except when we use a 1Gb uplink from the router to the switch. For some reason that's the only time we get 30Mb down. This has been tested multiple times with the same result. We even tried swapping to a different switch with the same results. Any ideas?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Learning SDN vs AWS

As we all know, SDN and AWS are becoming/are hot topics in the current industry, but I wanted to know your thoughts on why someone should even bother learning SDN. Also, by SDN I mean having a central controller that is in charge of the control plane of the network devices. Not automation.

SDN is primarily used in the on-prem data center (I know SD-WAN is a thing), but a lot of companies are migrating their DC to the cloud (AWS), thus leaving the need to know SDN questionable. I don't see the use of the technology unless your company has a hybrid environment with on-prem and cloud, but even then what's the market for those types of companies? I could see the need to know it if somehow they made SDN work in a campus network.

Will AWS/Cloud technology make SDN useless in the data center field?



IIS Site Binding

I have two sub-domains (for example, test1.example.com & test2.example.com) for which I want to load the same site. I've created site bindings in IIS, with the same IP and Port (443). One of the sites loads just fine, but the second one just keeps spinning around and the page does not load.

I've configured the DNS for both sub-domains and everything resolves correctly. I'm not sure if it's a permissions issue with the application pool in IIS or if the web config file in IIS needs to allow access to the second sub-domain.

Any ideas would be appreciated. Thanks.
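A check worth running on a setup like this, added here as an example and not part of the post: with two HTTPS bindings sharing one IP:443, each hostname should be handed a certificate that is valid for that name (either per-binding SNI certificates, or one certificate carrying both names as SANs). The Python below performs a TLS handshake sending each hostname as SNI and reports what the server presents. The example.com names are the post's placeholders, the target IP is passed on the command line, and the sample certificate dict is constructed in the shape of getpeercert() output so the matching logic can be exercised offline.

```python
"""Check that each hostname bound on one IIS IP:443 is served a certificate valid for
that name (per-binding SNI certs, or one cert carrying both names as SANs)."""
import socket
import ssl

# Hostnames from the post; the IP is passed explicitly so the check does not depend on DNS.
BINDINGS = ["test1.example.com", "test2.example.com"]

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(): a cert issued for
# test1 only, which is what a second binding without its own cert would present.
SAMPLE_CERT = {
    "subject": ((("commonName", "test1.example.com"),),),
    "subjectAltName": (("DNS", "test1.example.com"),),
}


def cert_names(cert):
    """DNS names the certificate covers: SAN entries if present, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def match_cert_hostname(cert, hostname):
    """True if the cert covers hostname; a '*.' wildcard covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in cert_names(cert):
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def check_binding(hostname, ip=None, port=443, timeout=5):
    """TLS handshake sending hostname as SNI; returns (ok, detail). Verification stays
    on so a wrong certificate surfaces as an error instead of an empty cert dict."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip or hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"handshake failed: {exc}"
    ok = match_cert_hostname(cert, hostname)
    return ok, f"names={cert_names(cert)} matches={ok}"


def check_bindings(hostnames, ip=None):
    """Run check_binding for every bound hostname against the same server address."""
    return {h: check_binding(h, ip) for h in hostnames}


def demo():
    """Which of the bound names the constructed certificate would satisfy."""
    return {h: match_cert_hostname(SAMPLE_CERT, h) for h in BINDINGS}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python3 check_bindings.py <server-ip>
        for host, (ok, detail) in check_bindings(BINDINGS, sys.argv[1]).items():
            print("OK " if ok else "BAD", host, detail)
    else:
        print(demo())
```

A name that comes back as "certificate rejected: Hostname mismatch" is being answered by the other binding's certificate, which is the case to look at first when one of two same-port bindings misbehaves; a "handshake failed" on only one name means the server never completed TLS for that SNI at all.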



VSS'd 6807s: EtherChannel routed links using SVIs to dists. Any thoughts on design guides and pitfalls I may reveal in doing this?

I am considering rolling out a new core design where we have two 6800s in two geographical locations (1/4 mi. apart), and each major distribution switch is connected to a port on one physical unit and also the other. The current core design is using equal cost multipath EIGRP, but I feel like we can move toward another configuration design for the new core (NüCore).

My thinking was to LAG the interfaces at both ends and build routing across SVIs using EIGRP. So instead of a physical port acting as the routed link, it would be the port-channel. Is there a massive performance hit here or am I not fully thinking through the architecture in this idea? I'm open to suggestions and caveats on this.



How to prevent bandwidth hogging?

We have many site to site VPNs and other small offices using MPLS. We monitor the network and most of the times when people complain about network issues is when people upload/download to a cloud server. What can I do to prevent this? QoS?



History question

Long time ago (30 years) there were essentially 3 networks (that I can recall). Lantastic, which ran on coax and was very simple, inexpensive, and good for small offices. Then there were two "serious" networking concepts. To work them, it helped to be an MSCNE (Microsoft Certified Network Engineer) and another often offered at the same schools so that the student could be certified in both. I cannot, for the life of me, remember what the second networking standard was.

Any thoughts?



How do I convince my supervisor that we need to completely redo the network?

I currently work for a small company (less than 20 people) that is growing. They have asked me to set up a DNS server so that team members can remotely and securely work on their projects.

For some context, this is my first "real" networking job so I have no experience setting up and scaling enterprise networks.

I think it would be a lot easier to set up the DNS server if I had a better understanding of the network and set up the network the way that it needs to be. But when I tried telling this to my boss, he dismissed me and told me that we didn't have time to worry about it. My boss isn't a networking professional and I think he doesn't fully understand why this step is so important.

How do I convince him that documenting and re-designing the network is necessary?



Handling firewalling with VXLAN BGP EVPN L2 DCI

Let's say we have two DCs with VXLAN fabric like in this diagram:

https://snag.gy/EUVPc6.jpg

How would you configure the firewalls if you wanted to be able to do vMotion between DCs and have the VM still keep its original IP address? I could have anycast gateways to get out of the DC network, but how about the firewall? I guess I could use BGP on the firewalls, and of course copy rules between them, and just live with the fact that sessions drop after doing a migration. Or maybe running an active-active firewall cluster, I guess it might work too?

Thanks!



Need NetEng Salary Negotiation Advice

http://ift.tt/2prVhtH

Is possible for routers in EVE-NG to communicate to the internet?

Hi guys,

I have spent so many hours trying to get a router to communicate with the internet.

I use the NAT adapter (VMnet8) in VMware Player. In the environment I used Cloud 0 (Management) as the interface connected to my router. I'm able to ping from the router in the environment to the VM where EVE-NG is running. When I set a static route to the internet on the router in the environment, it still doesn't reach it.

My scheme:

a router in environment connected to cloud interface -> EVE-NG VM - > a host

From the EVE-NG VM I can ping the internet and the router in the virtual environment, but from the router I can ping only the EVE-NG VM, not the internet.

I don't know why I have so many Cloud options, but if someone uses EVE-NG and knows what I'm talking about, please help.

Basically I just want to get a connection out of the environment to the internet from a router in the virtual environment.

Thank you in advance.



Has anyone used a Ubiquiti ER-X-US EdgeRouter X as a SoHo firewall solution?

I'm using an older Fortigate 60C as a firewall, which connects to a 48-port switch, so I don't need port counts. I need features like 2 networks, IPsec VPN, NAT translation, port forwarding.

There aren't a lot of firewall rules, but things like regional IPs, object management, etc. do come in handy.

From those with experience, (I know the APs are great), are these worthwhile for a SOHO?



Maintenance & Support

Hi All, how do you all manage maintenance and support?

We currently have a supplier that provides us Cisco support for around 400+ switches and 100+ routers. This is Cisco SmartNet cover, so we get options for 24x7x4 or NBD with/without engineer... all the normal bits.

The problem we are having is when renewals are coming up... our devices are really badly inventoried, so we have to hunt through all these switches looking for serials on stacks to make sure everything is covered. We have SolarWinds, which monitors what people have added, but then we have missing devices, and to detect stacks that's a different report. We also have Cisco AI monitoring that does not pick up our whole estate either.

From the maintenance contract that we have coming through, we are working out that the last renewal only covered around 60% of all hardware.

We are UK based with European offices, and I am wondering if anyone knows of some sort of blanket coverage: if we say we have roughly 500 devices we want covered 24x7x4, with a flat price no matter what the device is.

anything like this around?



Can I install a VPN appliance on a network that already has a firewall?

Is it possible to have a firewall and still add a second VPN appliance to handle L2L traffic? We have an important vendor who already has a customer with our subnet. They tried NATing the VPN between their FW and our Sophos FW, but Sophos tech support could not do it and said it was impossible. I did give them an SSL VPN client, but they do not want to connect that way because of the number of employees and number of clients. I just don't understand how I can have a second appliance when all my servers have the Sophos as their default gateway. If we have to, we will end up replacing Sophos at both locations.

thanks!



Checkpoint - restore backup onto replacement device

I've run into an issue restoring a backup to a replacement security gateway.

I got the new device, restored backup from usb but am now unable to enter cpconfig as it is stating I need to run the first time wizard via gui.

Do I need to run the wizard even though I'm restoring from a backup or have I missed a step out?



Need to Route Guest Traffic Out Secondary ISP

Hello /r/networking. I have a question in regard to an ASA 5500 series that I'd like to get resolved.

Currently, we have dual ISPs connected to our head-end with IP SLA for redundancy. We also have a guest wireless subnet for visitors in our office to connect to in the event that they need internet access. There is an ACL in the way blocking traffic to get to resources it shouldn't be, but I'd like to expand this to a properly segmented guest network. This should include:

-Guest traffic leaving on the secondary ISP

-Proxying DNS and other services to something public, such as Google

-All traffic attempting to resolve to an internal host should go out the secondary circuit, resolve publicly, then come in on the primary w/ inspection to reach its destination

Where I'm having trouble is figuring out how to configure NAT/routing on the ASA to make this happen. We use PAT for internal hosts to get translated to a public IP on the primary circuit. How do I configure just the guest network VLAN to get NAT'd and routing out the secondary circuit at all times? It should be mentioned that the guest network VLAN's gateway resides on a downstream L3 switch. Would I also need to have the ASA seize the gateway to make that work? Are there any netsec benefits in doing so as well?

Thanks in advance.



Interop, you going?

Been to a couple Cisco Lives but this'll be my first Interop and first time in Vegas. Anyone have any recommendations on where to or not to go/do at the conference or otherwise?

Context for anyone wondering what the hell Interop is: https://www.interop.com/



What kind of an ISP employee can view one's internet history?

Logs are being kept in the UK. So, for example, if you phone up your ISP for technical help, can they even see your viewing history/habits? Without the use of a VPN.



PSA: Don't take Systems Engineer positions unless you want to not do actual networking

Four different gigs with four different titles all listing network engineering as the primary function, and all four lied.

Don't sell yourself short, and definitely get the company to tell you the position title before signing.

Statistics: 1/4 gov 3/4 private

2/4 hostile work environment of those one was isolationist tactics and belittlement from management (bad manager feared my depth and lashed out by doing highly illegal, but legal in this state things)

1/4 pushed extreme hours without legit 1.5x overtime (also only legal in this state for "exempt" roles)

3/4 reduced role or over managed constantly resulting in reduced work flow or trust issues within office and me.

2/4 didn't allow any network engineering to occur, and allowed a younger storage or electrical engineer to do the design work...

I could go on.

I'm tired of the chase, and just want a decent frigin gig.



Can I use a POE+ router and a passive splitter for an IP Camera?

Sorry lads, new to this. I bought a POE+ router to power some new IP cams I picked up. I currently have two IP cams using passive injectors/splitters. I'm wondering if I can keep the splitters on the end of the run or if I'll need to buy active ones? Thanks y'all



Keystone jacks or wall-mounted boxes

Hello guys, so I cannot go into details, but I need to "make it right" and cheap enough. So what do you think would be better to install in the rooms of a new office (those are not production rooms; they'll have keystones for sure): a box with keystone jacks, or ready-to-install wall-mounted boxes? A box with keystones costs about 30-40% more. At the old office no one ever replaced keystones. I'm kinda struggling between those two. If something fails I'd have to unscrew the box anyway to replace one keystone.

If you would decide what would you choose and why?



Benefits of centralized DHCP for a company's intranet vs DHCP servers running locally at each site?

I'm trying to understand why the company I work for has decided to forgo local DHCP servers at their ~2000 locations in favor of centralized DHCP with no local backup (run out of a data center). This seems ridiculous, as when there are network outages DHCP is just gone. Are there security benefits that could explain this?



Anybody using Comcast ENS?

Anybody using the Comcast EDI/ENS “metro-E” MPLS offering for your WAN? Have inherited it for the past 3 years and it’s been fantastic. But it’s also fantastically expensive. My contract is up for renewal and I’m curious what others are paying for equivalent service.

I have a 4 site WAN across 4 towns, 100/100 between locations and a 400/400 egress at HQ site. I’m paying ~$11K/month which does include a couple PRIs over fiber, but the bulk of the bill is EDI-ENS. This is the first multi site I’ve managed that wasn’t a simple IPSEC tunnel. So I have no cost comparison to base my opinions on.



Cisco Switch DHCP issue

Hello... I have a Cisco 2960X switch that's causing me some issues. I've assigned an IP, subnet and default gateway, and there's only the default VLAN 1 on the switch. I've assigned one trunk port for the SFP and added some STP config to the global config. My issue is that when I plug devices into the switch, some ports pass DHCP while others don't, and I can't find a reason, as there is no special configuration on the ports. As an example, I plug in a VoIP phone, the PoE powers the phone and I can see in IOS that the link is up, but there's no actual IP assigned. But if I move it one port over (as an example), it'll work without issue.

Does anything pop out as out of place?



Bad Mojo: Palo Alto Networks releases Linux VPN client, makes it an extra paid feature

In PAN-OS 8.1, there is now a Linux VPN client. This VPN client is apparently going to be an add-on feature, requiring the GlobalProtect subscription. Depending on the size of your firewalls, this could cost your organization $10,000s more annually.

Boo Palo Alto.



L2 or L3 between access and distribution/core layers

Hi All,

Due to rapid growth and limited budget, our LAN currently spans 3 floors in our building as a single /21 subnet. We are about to gain an additional 2 floors so I now have an opportunity to get this under control, but I need a little help.

Each floor has an IDF supplying approx. 300 ports. Each IDF is about to get a new stack of L3 switches (8x Netgear M4300-52G-PoE+). I will run each floor's LAN as its own L2 network, terminating on the switch stack and routing to a core/distribution layer.

We are small enough that we could use static routing, but the switches do support OSPF, so I'd like to use that.

Looking at several design guides, there appear to be two methods for connecting the access layer to the core/distribution layer:

  • Layer 2 - Each switch stack participates in a single OSPF area (broadcast)
  • Layer 3 - Point-to-point links between the core and each access switch stack

Layer 2 option: this seems like the easier option.

  • All uplinks from the access layer belong to the VLAN on the core and all participate in OSPF
  • Each switch has a full view of the network

Layer 3 option: this seems a little more complex.

  • each switch stack only needs to get a default route from the core
  • failures are more rapidly detected

Is there anything I have missed/mis-understood or should know before building this new network?

EDIT: Diagrams



LEC Network Professionals: What are common ways to deliver an Ethernet circuit from a PoP to the customer?

Do you guys like run your own L2 (or L2 overlay) networks and basically give each circuit a VLAN? Do you mux/demux using technologies like WDM and PONs? Is it a mix of both? Is it something else altogether? Or do you pretty much just patch fiber and call it a day?

Also, does TDM/SONET still come into play? If so, how?



Senior Network Engineer - Next Phase?

Hi all,

I am currently the head of the datacenter networking team in my company, about to get promoted in a few months and need to decide on where I want to go.

Diplomas-wise, I have a B.Sc in Telecommunications Engineering (which is in my university an upgraded software engineer so I know how to code well), got a CCNA (and decided to stop there for now, I don't think it'll be difficult for me to get to the CCIE except for the vast investment of time)

Experience-wise, my job as a team leader included SDN solutions (ACI/NSX/Neutron) which were part of our cloud infrastructure (we also wrote the automation for the cloud, and obviously I have knowledge in virtualisation), load balancers (mainly F5), classical networking (data center focused, but I am experienced as well in the WAN/LAN areas), and some video streaming (lots of multicast and Cisco DCM).

All of those required knowing JavaScript, Linux, Python, some ansible, and I have experience with C++, C#, Java, Android etc. from my degree and student jobs. Our network is mainly Cisco based so I don't really have any experience with Arista, Juniper etc.

I feel that I'm pretty done with the Network Engineering jobs and would like to advance into something that involves networking in some way (I love networking, after all) but less work with the physical infrastructure (who's not tired of designing those vPC networks with VLANs and all, ey?). Question is, what are the jobs you typically see in the industry coming after network engineer/architect (DevOps? BigData?)? What are the skills required for those jobs, what skills are hot in the market today?



Monday, March 19, 2018

Basic CSR 1000v Spec Question

I've never worked with CSR 1000v before and I've just got a basic question in terms of specs. I see that the device is licensed by throughput level and feature set. Since this is a virtual device with its actual potential performance based off of RAM/CPU availability, should I expect degraded performance when running certain types of traffic, encryption, NAT, etc.? Or to put it more directly:

If I license a CSR 1000v for 500mbps with Security feature set, should I expect real-world 500mbps IPSec throughput, since the "physical" limitation of the device is significantly higher than 500mbps (assuming I allocate appropriate RAM/CPU)?

I've been trying to dig around for actual real-world numbers, similar to these studies for the physical ISRs, but have not been able to find much useful info on this subject regarding CSR 1000v in particular:

ISR G2 Performance Overview
ISR 4000 Series Performance Overview

Any info is appreciated, even anecdotal. Thanks in advance to anyone who can provide some insight!



pull remote config of nx-os switch from linux

Like IOS switches, where you can do something like: scp user@switch:running-config backedupfile

I have not yet figured out how to do it with NX-OS; anyone got any tips?
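An added example, not part of the post: one Linux-side approach is to run show running-config as the SSH remote command and keep a normalized, timestamped copy so successive backups can be diffed for unauthorised change (a new username or a changed AAA line is exactly what such a diff should surface). The ssh invocation, the assumption that the switch accepts a remote command and that key-based login is configured for the user, and the host name are mine; the sample configs are constructed in the shape of NX-OS output so the normalize/diff part runs offline.

```python
"""Back up an NX-OS running-config from Linux over SSH and flag drift between backups."""
import difflib
import hashlib
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

# Header lines NX-OS prints ahead of the configuration; they change on every run
# and must not register as a configuration change.
VOLATILE_PREFIXES = ("!Command:", "!Running configuration last done at:", "!Time:")

# Constructed samples in the shape of 'show running-config' output (not from a real switch).
SAMPLE_PREVIOUS = """!Command: show running-config
!Time: Mon Mar 19 09:00:00 2018

version 7.0(3)I7(3)
hostname leaf-101
feature scp-server
username admin password 5 $5$redacted role network-admin
"""
SAMPLE_CURRENT = SAMPLE_PREVIOUS.replace("Mon Mar 19", "Tue Mar 20") + \
    "username svc-backup password 5 $5$redacted role network-admin\n"


def normalize(config_text):
    """Strip volatile header lines and trailing whitespace so equal configs hash equal."""
    kept = [line.rstrip() for line in config_text.splitlines()
            if not line.startswith(VOLATILE_PREFIXES)]
    return "\n".join(kept).strip("\n") + "\n"


def config_digest(config_text):
    """SHA-256 of the normalized config; stable across runs when nothing changed."""
    return hashlib.sha256(normalize(config_text).encode()).hexdigest()


def config_diff(old_text, new_text):
    """Unified diff after normalization; an empty list means no drift."""
    return list(difflib.unified_diff(normalize(old_text).splitlines(),
                                     normalize(new_text).splitlines(),
                                     fromfile="previous", tofile="current", lineterm=""))


def fetch_running_config(host, user="admin"):
    """Run 'show running-config' as the SSH remote command (assumes the switch accepts
    a remote command and key-based login is set up for the user; BatchMode prevents
    a password prompt from hanging an unattended run)."""
    result = subprocess.run(
        ["ssh", "-o", "BatchMode=yes", f"{user}@{host}", "show running-config"],
        capture_output=True, text=True, check=True, timeout=120)
    return result.stdout


def backup(host, backup_dir="backups"):
    """Store a timestamped copy and return the diff against the newest earlier backup."""
    target = Path(backup_dir) / host
    target.mkdir(parents=True, exist_ok=True)
    current = fetch_running_config(host)
    earlier = sorted(target.glob("*.cfg"))
    drift = config_diff(earlier[-1].read_text(), current) if earlier else []
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    (target / f"{stamp}.cfg").write_text(current)
    return drift


def demo():
    """Run the drift check on the constructed samples."""
    return config_diff(SAMPLE_PREVIOUS, SAMPLE_CURRENT)


if __name__ == "__main__":
    lines = backup(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("\n".join(lines) if lines else "no drift")
```

The backups contain password hashes and SNMP/TACACS secrets, so the backup directory needs the same access control as the switch itself.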



ACI APIC/switch firmware issues?

This all started when we upgraded the APIC to 3.1, then did a remove/re-register attempt on some spine and leaf switches before upgrading them to 13.1. This led to the switches coming back online as unsupported. We managed to upgrade them using the OOB management, but they still come back as unsupported. I've attempted to do some setup-clean-config.sh to get the switches back to the default state. Within the APIC fabric membership section I can see the wiped switches as blank registered switches waiting to be added to the fabric. On the switch itself, however, a few minutes after reload the switch seems to revert to its previous configuration (hostname changes from none to XXX-Leaf101, etc). It seems to be downloading this from the APIC, as I've reloaded the switch once after disconnecting its connection to the spine and it came up blank and stayed blank, only to suddenly rename itself once the spine connection was restored. Any ideas?



Firesight network destination list

I have users who will spin up temporary systems in Azure and make SQL calls to them. Since it's not HTTP/S related there's no SNI and therefore I can't filter on URL. Stuck with using only the IP it seems.

I'll need to allow the entire region to prevent issues? Any recommendations on how to tackle this? Rather not build 250+ network objects and continue to manage it.
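An added example, not from the post: Microsoft publishes the address prefixes of every Azure region and service as a "Service Tags" JSON file (the Azure IP Ranges and Service Tags - Public Cloud download), so the object list can be generated from the file and regenerated when it changes instead of hand-built. The Python below takes such a file, pulls the prefixes for one tag, collapses adjacent ranges and emits one object row per collapsed prefix. The embedded JSON is a constructed excerpt in that file's shape using documentation ranges, not Microsoft's data; the region, the object naming and the Firepower-side import step are assumptions.

```python
"""Build a collapsed prefix list for one Azure region/service tag from the Service Tags JSON."""
import ipaddress
import json
import sys

# Constructed excerpt in the published file's shape; the prefixes are RFC 5737/3849
# documentation ranges, not Azure's real addresses.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1, "cloud": "Public",
    "values": [
        {"name": "AzureCloud.eastus", "id": "AzureCloud.eastus",
         "properties": {"region": "eastus", "platform": "Azure", "systemService": "",
                        "addressPrefixes": ["198.51.100.0/25", "198.51.100.128/25",
                                            "203.0.113.0/24", "2001:db8:10::/48"]}},
        {"name": "Sql.eastus", "id": "Sql.eastus",
         "properties": {"region": "eastus", "platform": "Azure", "systemService": "AzureSQL",
                        "addressPrefixes": ["203.0.113.64/26"]}},
        {"name": "AzureCloud.westus", "id": "AzureCloud.westus",
         "properties": {"region": "westus", "platform": "Azure", "systemService": "",
                        "addressPrefixes": ["192.0.2.0/24"]}},
    ],
})


def _sort_key(net):
    # networks of different families cannot be compared directly
    return (net.version, int(net.network_address), net.prefixlen)


def collapse(nets):
    """Merge adjacent/overlapping networks, per address family."""
    nets = list(nets)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    merged = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return sorted(merged, key=_sort_key)


def tag_prefixes(service_tags_json, tag_name):
    """Collapsed networks for one tag, e.g. 'AzureCloud.eastus' (whole region) or 'Sql.eastus'."""
    for entry in json.loads(service_tags_json)["values"]:
        if entry["name"] == tag_name:
            return collapse(ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"])
    return []


def covers(nets, ip):
    """True if ip falls inside any of the networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets if n.version == addr.version)


def object_rows(tag_name, nets):
    """(object name, CIDR) pairs for bulk object creation, one per collapsed prefix."""
    return [(f"{tag_name.replace('.', '_')}_{i:03d}", str(n)) for i, n in enumerate(nets, 1)]


if __name__ == "__main__":
    # python3 azure_prefixes.py ServiceTags_Public.json Sql.eastus
    tag = sys.argv[2] if len(sys.argv) > 2 else "AzureCloud.eastus"
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVICE_TAGS
    nets = tag_prefixes(text, tag)
    for name, cidr in object_rows(tag, nets):
        print(name, cidr)
    print(f"{len(nets)} prefixes for {tag}")
```

Two points for the rule itself: the AzureCloud.<region> tag is every tenant's address space in that region, so an allow on it admits any Azure customer's VM there, and the narrower service tag (Sql.<region> for the SQL traffic in the post) is the better starting point; and the file changes regularly, so the generation should be re-run on a schedule and the resulting diff reviewed before it is pushed to the policy.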



Is Cisco Anyconnect the only way to do this?

I'm working on a project to implement user and machine authentication with ISE. Machines will be authenticated via their machine accounts, and users need to be authenticated via certificates on a smartcard. I know that it can be done with AnyConnect, although I understand it can be a bit finicky.

Almost all discussions I can find are several years old, and have stated that AC is the only supplicant that could do it then. Looking at the Windows supplicant (W10 home, 1709), I still don't see an option for user+machine authentication. I'm guessing both, via EAP chaining, still isn't available in the Windows supplicant at this time.

If that's true, are there any others out there?



Certain traffic over MPLS very slow

Our main office is connected to several smaller sites using MPLS circuits (1Gbps handoff here at the main office, shared with 9 smaller sites, each with a 1Gbps handoff). All network services come through the main office (voice, LAN, internet). On occasion we get complaints about slow internet at the sites. I have done iperf testing from our main office to the sites (and vice versa) and found the speed to be within an acceptable range. However, I recently found a repeatable way to show that there IS actually a problem. There is a 60MB file hosted on iCloud that is almost impossible to download at any of our MPLS-connected sites. I can download this file from our main office without issue; it takes only a moment to download the full 60MB file. With 100% consistency, when I attempt to download this file over the MPLS circuit it never completes or takes a LONG time. I have ruled out our content filter as the source of the problem.

Most other internet traffic seems to work just fine (certainly there must be more problem traffic I just have not identified it).

Any ideas? I used Wireshark to capture traffic, but I am not well versed in packet analysis. It looks terrible though, tons of black: TCP Out of order, TCP retransmission, TCP Dup Ack, TCP Spurious Retransmission. Filtered based on the IP of the host and of Apple 17.x.x.x, it's over 3 MB for 17 seconds of interesting traffic.
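One check to run on a capture like that, added here as an example and not part of the post: export the TCP segments with tshark and see whether the retransmissions cluster on the full-size segments while smaller segments get through, which points at a path MTU or fragmentation problem rather than plain congestion. The tshark command in the comment is the export format the script expects; the rows below are constructed sample output using documentation addresses, not the poster's capture, and the 50% threshold is an arbitrary assumption.

```python
"""Profile TCP retransmissions by segment size from a tshark field export."""
import csv
import io
import sys
from collections import Counter

# Export the capture with:
#   tshark -r capture.pcap -Y tcp -T fields -E separator=, -E header=y \
#     -e frame.number -e ip.src -e ip.dst -e tcp.len -e tcp.analysis.retransmission
# tshark prints "1" in the last column when the frame is flagged as a retransmission.
# The rows below are a constructed sample in that format (documentation addresses),
# not a real capture.
SAMPLE_EXPORT = """\
frame.number,ip.src,ip.dst,tcp.len,tcp.analysis.retransmission
1,203.0.113.10,192.0.2.50,0,
2,203.0.113.10,192.0.2.50,1448,
3,203.0.113.10,192.0.2.50,1448,1
4,203.0.113.10,192.0.2.50,536,
5,203.0.113.10,192.0.2.50,1448,1
6,203.0.113.10,192.0.2.50,536,
7,203.0.113.10,192.0.2.50,1448,1
8,203.0.113.10,192.0.2.50,536,
9,203.0.113.10,192.0.2.50,1448,1
10,203.0.113.10,192.0.2.50,536,
11,203.0.113.10,192.0.2.50,1448,
12,192.0.2.50,203.0.113.10,0,
"""


def retransmission_profile(export_text, src=None):
    """{segment_size: (frames_seen, frames_flagged_retransmitted)} for data-carrying
    segments, optionally restricted to one sender; pure ACKs (tcp.len 0) are skipped."""
    seen, retx = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        size = int(row["tcp.len"] or 0)
        if size == 0 or (src and row["ip.src"] != src):
            continue
        seen[size] += 1
        if row["tcp.analysis.retransmission"].strip():
            retx[size] += 1
    return {size: (seen[size], retx[size]) for size in sorted(seen)}


def mtu_suspect(profile, threshold=0.5):
    """True when the largest segment size is mostly retransmitted while smaller
    segments mostly are not: loss tied to size, not to congestion."""
    if not profile:
        return False
    largest = max(profile)
    big_seen, big_retx = profile[largest]
    small_seen = sum(s for size, (s, _) in profile.items() if size < largest)
    small_retx = sum(r for size, (_, r) in profile.items() if size < largest)
    big_rate = big_retx / big_seen
    small_rate = small_retx / small_seen if small_seen else 0.0
    return big_rate >= threshold and small_rate < threshold / 4


def report(export_text, src=None):
    """Human-readable summary of the profile plus the size-dependent-loss verdict."""
    profile = retransmission_profile(export_text, src)
    lines = [f"{size:5d} bytes: {seen} frames, {retx} retransmitted"
             for size, (seen, retx) in profile.items()]
    lines.append("size-dependent loss: " + ("YES, check path MTU" if mtu_suspect(profile) else "no"))
    return "\n".join(lines)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    print(report(text))
```

Only frames Wireshark flags as tcp.analysis.retransmission are counted; fast and spurious retransmissions are separate fields and are left out so the verdict is not skewed by reordering. If the verdict comes back YES, the next step is a DF-bit ping sweep across the MPLS path to find the largest size that passes.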



How many resources do your labs take in GNS3 and other related emulators?

Gonna upgrade my PC soon. At work I'm using EVE-NG, but the client-server solution won't last too long because of a sysadmin who will convert my ESXi lab into Hyper-V.

So I'll learn at home and want to know how strong a computer I need: how many cores and especially how much memory.

BTW, I'm still a beginner, but one day I'll be advanced too.



Disadvantages to using longer power cables for networking equipment?

I'm setting up a Catalyst 9300 stack (2 switches) that use two 350WAC PSUs per switch. The supplied power cables are 18 AWG.

I need to plug them into PDUs that are about 11 feet away from where they are racked. Will I face any noticeable electrical resistance by using 12ft 18 AWG power cables to these switches? Maybe go with a lower AWG like 14 AWG?



Help understanding Windows NAT Instances vs NAT Objects and their relationship to Internet Connection Sharing (ICS)

For context, we're exploring using Docker For Windows for developer machines, and I've been tasked with determining if things have matured enough on Windows to actually be of use to us.

There's a lot of networking behavior that Docker does on Windows that is...less than transparent. Without getting into the minutiae, my current hunch is that the Rosetta stone to this behavior has something to do with understanding "NetNat objects" versus "NetNat instances".

I know this is a long shot since I'm guessing most folks on this subreddit don't do Windows work, but here's hoping.

In short, after a Docker For Windows installation, there is definitely Network Address Translation happening as evidenced by the output of the Get-NetNatExternalAddress cmdlet (see my Git Gist for sample output: https://gist.github.com/pldmgg/3914df33e622f96179983bd9cc179ce9)

Given that there is NAT activity happening, I would expect to see NAT objects returned by the Get-NetNat cmdlet...but unfortunately, it doesn't return anything.

To add to the mystery, if I add NAT myself via some PowerShell:

$NATSubnet = "10.10.3.0/24"
$NATIP = "10.10.3.1"
$NATNetworkMask = 24

# NAT object covering the internal prefix
New-NetNat -Name LocalNAT -InternalIPInterfaceAddressPrefix $NATSubnet

# Internal vSwitch; its host-side vEthernet adapter gets the gateway address for the NAT subnet
New-VMSwitch -Name ForLocalNAT -SwitchType Internal
Get-NetAdapter "vEthernet (ForLocalNAT)" |
    New-NetIPAddress -IPAddress $NATIP -AddressFamily IPv4 -PrefixLength $NATNetworkMask

...the Get-NetNat cmdlet does, in fact, show a NAT object:

PS C:\Users\pdadmin> Get-NetNat

Name                             : LocalNAT
ExternalIPInterfaceAddressPrefix :
InternalIPInterfaceAddressPrefix : 10.10.3.1/24
IcmpQueryTimeout                 : 30
TcpEstablishedConnectionTimeout  : 1800
TcpTransientConnectionTimeout    : 120
TcpFilteringBehavior             : AddressDependentFiltering
UdpFilteringBehavior             : AddressDependentFiltering
UdpIdleSessionTimeout            : 120
UdpInboundRefresh                : False
Store                            : Local
Active                           : True

...and it works as expected.

(EDIT: To clarify, nothing is / was ever broken, I'm just trying to understand how docker can perform NAT without creating a NAT object like the above PowerShell does).

So my question boils down to - what is the difference between "NAT instances" that don't seem to need "NAT objects" to perform Network Address Translation and "NAT objects" (and their corresponding "NAT instances") that perform Network Address Translation?

Another related mystery that is bothering me. If you look at the output of Get-NetNatExternalAddress in my above Git Gist, you'll notice that some of the objects' NatName properties reference 'ICS', aka Internet Connection Sharing. I'd love to know what this means in this particular context (all ICS documentation that I could find doesn't really speak of ICS in this context).



Cisco UCS rack extension

So I have a cage full of racks but I did a poor job of future proofing my infrastructure rack. I have 4 UCS chassis and the Fabric interconnects in the first rack. It is filled up with storage devices as well. I need to expand to another rack but the next available one is about 20 ft away. The core switch (nexus 9k) is in the rack right next to it and I just have my uplinks from the FIC plugged into it. I believe I made a mistake by plugging storage devices into the FIC instead of the Nexus (will have to fix this later).

How do I extend my new rack that I plan on putting more storage and UCS chassis into back to the first rack? Do I just run my IO modules on the chassis back to the original FIC (thats a lot of cables)? Or do I need to buy another set of FICs? I am probably planning on buying like a nexus 2k to extend back to the core for the storage expansion devices in this new rack instead of plugging them into the FIC.

What is best practice to expand a UCS rack?

Edit 1 - I am using twinax cables for all data traffic and cat5 for mgmt ports. New rack would be too far away to keep using twinax.