Saturday, April 7, 2018

Learning how to route through a VPN connection...

I am learning how to use VPNs and route through them. I am failing at getting bidirectional ping working on my network and it's been bugging me for a bit.

My Network

Here is a diagram of my network made in MS Paint: https://i.imgur.com/EXueBr4.png

I'll outline the devices for you:

  • VyOS running on Vultr.com with a public IPv4 (/23) and OpenVPN Server running.
  • EdgeOS running on a Ubiquiti Networks Edge Router Pro 8 Port, behind a modem, utilising a public IPv4. Runs OpenVPN Server and has 3 VLANs individually using a LAN port per VLAN.
  • CentOS 6 running within Proxmox on a Supermicro server. Firewall open.

My Issue

I am able to ping and trace from Server to R1's 172.16.64.1/29 address. I am able to ping and trace from R2 to R1's 172.16.64.1/29 address. I am able to ping and trace from R1 to R2's 172.16.64.2/29 address. I am unable to ping and/or trace from R1 to R2's 10.0.102.1/24 address. I am unable to ping and/or trace from R1 to Server's 10.0.102.9/24 address.

Configuration

Below are parts of the configuration for R1 which I feel are important to share:

    interfaces {
        ethernet eth0 {
            ...public address config...
        }
        openvpn vtun0 {
            firewall {
                in {
                    name VPN
                }
                local {
                    name VPN
                }
                out {
                    name VPN
                }
            }
            mode server
            server {
                subnet 172.16.64.0/29
            }
            tls {
                ca-cert-file /config/auth/ovpn/ca.crt
                cert-file /config/auth/ovpn/server.crt
                dh-file /config/auth/ovpn/dh1024.pem
                key-file /config/auth/ovpn/server.key
            }
        }
    }
    nat {
        source {
            rule 1 {
                description "VPN to Home"
                destination {
                    address 10.0.0.0/8
                }
                outbound-interface vtun0
                protocol all
                translation {
                    address masquerade
                }
            }
        }
    }
    protocols {
        static {
            route 0.0.0.0/0 {
                next-hop 108.61.196.1 {
                }
            }
            route 10.0.0.0/8 {
                next-hop 172.16.64.2 {
                }
            }
        }
    }

Below are parts of the configuration for R2 which I feel are important to share:

    firewall {
        all-ping enable
        broadcast-ping disable
        group {
            address-group NetworkAdministrators {
                address 10.0.102.8
                address 10.0.102.7
                address 10.0.102.254
                address 10.0.102.14
                description "Network Administrators"
            }
            network-group OpenNetworks {
                description "Networks that can access WAN."
                network 10.0.101.0/24
                network 10.0.102.0/24
            }
        }
        ipv6-receive-redirects disable
        ipv6-src-route disable
        ip-src-route disable
        log-martians enable
        name Tenant {
            default-action accept
            description "Tenant network rules."
            rule 1 {
                action drop
                description "Block control panel."
                destination {
                    address 10.0.102.1/32
                    port 80,443,22
                }
                log disable
                protocol tcp
            }
        }
        name VPN {
            default-action accept
            description "Allow any VPN connection"
            rule 1 {
                action accept
                log disable
                protocol all
            }
        }
        receive-redirects disable
        send-redirects enable
        source-validation disable
        syn-cookies enable
    }
    interfaces {
        ethernet eth0 {
            ...other lan...
        }
        ethernet eth1 {
            ...other lan...
        }
        ethernet eth2 {
            address 10.0.102.1/24
            description Tenant
            duplex auto
            firewall {
                local {
                    name Tenant
                }
            }
            speed auto
        }
        ethernet eth7 {
            address dhcp
            address dhcpv6
            description WAN
            duplex auto
            firewall {
                local {
                    name WAN_LOCAL
                }
            }
            mac 00:24:81:82:d8:d5
            speed auto
        }
        openvpn vtun0 {
            mode client
            remote-host ...R1 public ip...
            tls {
                ca-cert-file /config/auth/ovpn/ca.crt
                cert-file /config/auth/ovpn/client.crt
                key-file /config/auth/ovpn/client.key
            }
        }
    }
    service {
        nat {
            rule 1 {
                destination {
                    address 10.0.102.0/24
                }
                inbound-interface vtun0
                inside-address {
                    address 10.0.102.0/24
                }
                protocol all
                type destination
            }
            rule 5003 {
                description "Tenant to VPN"
                destination {
                    address 172.16.64.0/29
                }
                log disable
                outbound-interface vtun0
                protocol all
                source {
                    address 10.0.102.0/24
                }
                type masquerade
            }
            rule 5004 {
                description "NetworkAdministrators to Management"
                destination {
                    address 10.0.100.0/24
                }
                log disable
                outbound-interface eth0
                protocol all
                source {
                    group {
                        address-group NetworkAdministrators
                    }
                }
                type masquerade
            }
            rule 5005 {
                description "Public Route"
                log disable
                outbound-interface eth7
                protocol all
                source {
                    group {
                        network-group OpenNetworks
                    }
                }
                type masquerade
            }
        }
    }

Routes for Devices

Here I'll document the routes for each device:

Routes for R1

    default via ...public gateway... dev eth0 proto zebra
    10.0.0.0/8 via 172.16.64.2 dev vtun0 proto zebra
    ...public network.../23 dev eth0 proto kernel scope link src ...public ip...
    127.0.0.0/8 dev lo proto kernel scope link src 127.0.0.1
    172.16.64.0/29 dev vtun0 proto kernel scope link src 172.16.64.1

Routes for R2

    0.0.0.0/29 dev vtun0 proto kernel scope link
    default via ...public gateway... dev eth7 proto zebra
    10.0.100.0/24 dev eth0 proto kernel scope link src 10.0.100.1
    10.0.101.0/24 dev eth1 proto kernel scope link src 10.0.101.1
    10.0.102.0/24 dev eth2 proto kernel scope link src 10.0.102.1
    ...public network.../24 dev eth7 proto kernel scope link src ...public ip...
    172.16.64.0/29 dev vtun0 proto kernel scope link src 172.16.64.2

Routes for Server

    10.0.102.0/24 dev eth2 proto kernel scope link src 10.0.102.9
    10.0.101.0/24 dev eth1 proto kernel scope link src 10.0.101.9
    10.0.100.0/24 dev eth0 proto kernel scope link src 10.0.100.9
    169.254.0.0/16 dev eth0 scope link metric 1002
    169.254.0.0/16 dev eth1 scope link metric 1003
    169.254.0.0/16 dev eth2 scope link metric 1004
    default via 10.0.102.1 dev eth2

Tests

Here I'll put a collection of traceroutes from each device.

Traceroutes from Server

    # traceroute 10.0.100.1
    traceroute to 10.0.100.1 (10.0.100.1), 30 hops max, 60 byte packets
     1  ...router hostname... (10.0.100.1)  0.197 ms  0.315 ms  0.293 ms
    # traceroute 172.16.64.2
    traceroute to 172.16.64.2 (172.16.64.2), 30 hops max, 60 byte packets
     1  172.16.64.2 (172.16.64.2)  0.248 ms  0.317 ms  0.305 ms
    # traceroute 172.16.64.1
    traceroute to 172.16.64.1 (172.16.64.1), 30 hops max, 60 byte packets
     1  ...router hostname... (10.0.102.1)  0.284 ms  0.342 ms  0.317 ms
     2  172.16.64.1 (172.16.64.1)  18.894 ms  24.621 ms  24.596 ms

This displays that Server is able to trace to my Vultr server and ping the OpenVPN router IP.

Traceroutes from R2

    # traceroute 172.16.64.1
    traceroute to 172.16.64.1 (172.16.64.1), 30 hops max, 38 byte packets
     1  172.16.64.1 (172.16.64.1)  18.031 ms  15.952 ms  14.631 ms

This displays that R2 is able to trace to my Vultr server and ping the OpenVPN router IP.

Traceroutes from R1

    # traceroute 172.16.64.2
    traceroute to 172.16.64.2 (172.16.64.2), 30 hops max, 60 byte packets
     1  172.16.64.2 (172.16.64.2)  27.038 ms  26.968 ms  26.940 ms
    # traceroute 10.0.102.1
    traceroute to 10.0.102.1 (10.0.102.1), 30 hops max, 60 byte packets
     1  * * *
     2  * * *
     3  * * *
     4  * * *
     5  * * *
    # traceroute 10.0.102.9
    traceroute to 10.0.102.9 (10.0.102.9), 30 hops max, 60 byte packets
     1  * * *
     2  * * *
     3  * * *
     4  * * *
     5  * * *

This displays that R1 is only able to ping the OpenVPN client IP of R2, but no further.

Help Appreciated

If anyone is able to offer some assistance with this, I'd greatly appreciate it. Thank you.



ACI clarification

I know that there are some very bright minds in here. I was wondering if anyone could clarify for me whether in ACI a local station table and global station table are tied to the leaf and spine switches respectively, or how they are positioned?



Day in the life for a network admin?

What's y'all's daily routine look like? I'm studying for my CCNA.



SSL DPI

What is the greatest level of inspection you can do on encrypted traffic without having to install certificates on client-side devices without creating client errors? I'm learning about deep packet inspection/AppID for things like content filtering, malware scanning, and application identification.

I understand the concept is essentially creating a MitM for yourself on your firewall/proxy and then publish the cert to the endpoints, but is there any compromise to where you can gain more insight into the datastream than just seeing it's HTTPS/TLS traffic without having to install a cert?
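As an added example (not part of the post above, and not any vendor's DPI code), the following Python shows the single most useful thing a passive device can read from a TLS session without a certificate on the client: the Server Name Indication in the ClientHello. The ClientHello bytes are constructed by `build_client_hello` for the test, not captured from a real client; `policy_for` and its blocked-domain list are an assumed toy policy to show how a content filter would use the name.

```python
import struct


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input,
    not a packet capture).  Only the fields a passive SNI extractor needs
    are populated: one cipher suite, null compression, optional SNI."""
    body = b"\x03\x03" + b"\x00" * 32             # client_version + random
    body += b"\x00"                                # session_id length 0
    body += b"\x00\x02" + b"\xc0\x2f"              # one cipher suite
    body += b"\x01\x00"                            # one compression method (null)
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += b"\x00\x00" + struct.pack("!H", len(name_list)) + name_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host name in a ClientHello's SNI extension, or None if the
    bytes are not a ClientHello, are truncated, or carry no SNI.  No key or
    certificate is involved: SNI is plaintext in TLS 1.2, and in TLS 1.3
    unless Encrypted ClientHello is in use."""
    try:
        if len(record) < 5 or record[0] != 0x16:            # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 0x01:              # truncated / not ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        hs = hs[4:4 + hs_len]
        if len(hs) < hs_len:
            return None
        pos = 2 + 32                                         # skip version + random
        pos += 1 + hs[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                                   # compression_methods
        if pos + 2 > len(hs):
            return None                                      # no extensions block
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(hs))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            edata = hs[pos:pos + elen]
            pos += elen
            if etype == 0 and len(edata) >= 5 and edata[2] == 0:   # server_name / host_name
                name_len = struct.unpack("!H", edata[3:5])[0]
                return edata[5:5 + name_len].decode("idna")
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


def policy_for(record, blocked=("blocked.example",)):
    """Toy filtering decision (assumed policy) based only on what is visible
    passively.  A session with no SNI cannot be classified by name and has
    to fall back to destination IP/port reputation or be logged for review."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"
    for domain in blocked:
        if sni == domain or sni.endswith("." + domain):
            return "block"
    return "allow"


if __name__ == "__main__":
    for name in ("example.com", "www.blocked.example", None):
        hello = build_client_hello(name)
        print(name, "->", extract_sni(hello), policy_for(hello))
```

What this does not give you is the content of the stream, the URL path, or anything after the handshake; in TLS 1.2 the server certificate is also readable passively, in TLS 1.3 it is encrypted. Name-based filtering on SNI is also trivially bypassed by a client that sets a false SNI, so treat it as classification, not enforcement.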



New to firewalls, facing some issues when communicating between firewalls

We have a small-scale on-premise DC, 20-30 servers. I have configured a network 192.168.0.0/18 using a FortiGate 100E firewall. The plan is to have one subnet for each service deployed on these servers.

Servers are using an Ubuntu Server 16.04 base image; I have configured static IP addresses by updating the interfaces file on each server.

Right now the problem is servers can't communicate with other servers in another subnet, e.g. services in 192.168.1.0/24 can't communicate with 192.168.2.0/24.

I haven't created any subnets; it's a flat network which I initially configured, so my assumption was all the servers should be able to communicate with each other without any issues.

Not sure where to debug. Some help on figuring out the issue would be a great help. I am more of a DevOps than a networking guy.



Routing loop?

Hello,

I'm thinking about a setup. There's something I don't like. Let's start with what we have:

  • 800 virtual machines sitting in subnet 10.70.0.0/22, each with its default gateway pointing to 10.70.0.70. There are multiple layer2 switches in 10.70.0.0/22, to which the physical hosts are connected.

  • The IP address 10.70.0.70 is configured on a layer3 switch. All mentioned layer2 switches are connected to it. On the layer3 switch the default route points to another layer3 switch with IP address 10.70.0.71.

  • The layer3 switch with IP address 10.70.0.71 is the actual gateway to other subnets.

  • So what is the actual traffic flow? A server starting a connection with an external subnet will push its traffic to 10.70.0.70, which will push it to 10.70.0.71. As 10.70.0.71 is in the same VLAN as the server, it will directly talk to the server after the first contact? But still there's the gateway actually sitting on the other/wrong switch...

What do you think?



Crypto SPI recovery

Why would I want to manually enable this if by default Cisco already performs the recovery functionality on the router? What will be the point of this? Any benefits?

crypto isakmp invalid-spi-recovery



VLANs and L3 switches

I've been racking my brain on this question for a few days now, in the standard L2 hierarchical LAN all VLANs are defined at the distribution layer and VLANs span access switches. In the Layer 3 access model, VLANs are defined in the access switches and cannot span other access switches. What confuses me is:

  1. If IP routing is enabled and each VLAN has a configured SVI, if the links between 2 switches are trunks (not configured with a "no switchport" and IPs on both ends) is it doing L2 switching or L3 routing?

  2. If switches are doing L3 routing (IP addresses assigned to connected switchports) how does it handle the "same" VLAN on both sides of the switch? At that point they are effectively different networks so my assumption of how it handles them is "not very efficiently"

Bonus question. Assuming there is 1 switch acting as a "Core switch" with VLAN 1 being the native VLAN for all switches, the default route of all other switches doing either L2 or L3 should be the core's VLAN 1 IP and not the IP of another VLAN defined at the core, correct?



With all the talk around SDN/Configuration management and automation. Back in the real world, what is your stack?

I've heard a lot of chatter for a long time about SDN and network automation. But for those living in the real world, could you describe your current stack of tools you use to both manage configuration and manage and monitor devices?



Would it cause problems to receive full tables from our ISP but just filter it all out?

We're getting transit from a few providers and eventually we will get full tables from both. Today, however, our router would not be able to support full tables.

Instead of opening change orders after we replace the router, I was going to have both send full tables, but then filter everything out so it won't hit the RIB or FIB. This will also allow us to demo some routers and immediately receive full tables during the evaluation without having to reach out to the ISP to constantly update their export policies towards us.

Would this cause any performance issues on the underpowered router or are there any caveats I should know about?



Lack of senior level work from home/travel jobs?

Is it just me or are there not many senior engineer or architect positions that allow either work from home or travel? I'm currently a traveling network consultant for a large Cisco partner but I'm getting pretty tired of them. I'm having a hard time finding other VARs or companies that allow you to live anywhere.



Friday, April 6, 2018

What's a reasonable expectation of quality of service in this high-volume scenario?

I work at a co-working space where the management has a contract with a local IT company; I'm convinced that they have no idea what they're doing at this point.

For some context there's a public and a private wireless network in the same open 5000 sq ft space. Each network probably sees around 200-250 connected devices at peak usage for a total of 500 clients at peak usage on the same infrastructure. I imagine they have 5+ wireless access points (Cisco Meraki) to serve everything and at least one dedicated, business-class 1Gbps line.

A few weeks ago the entirety of the user base had major issues connecting such that some people had no internet for an entire day; these issues persisted for a week. Many of these issues have since been remediated, but the network is still randomly latent. The current situation is that most people will be fine with the internet browsing experience they get, but my quality of connection drives me up the wall purely because I use a lot of command-line utilities that are atrociously sluggish at executing 100 different API requests when the network issues spike.

When I run ping tests against 9.9.9.9 I will sometimes get averages of 100ms with maxes and mins of 750ms and 15ms; at times packet loss can be as high as 50% during the random spikes, which do in all fairness happen less often now. Within a single 5-minute period I can get 140down/40up and shortly after 10down/20up in a speedtest.

I check my Linux syslogs to see if my Ubuntu 16.04 machine has been doing any switching between the various APs, and the answer is usually no. I've also seen scenarios where my laptop remains connected with good strength to the wireless network but has 99% packet loss for 19 mins and suddenly the network seems to self-correct. (Nothing occurs on my end as the syslogs would show AP or network switching).

Am I going crazy? I can see that most other people's internet access is not greatly affected by the shaky service, but I can't help but notice every single time that latency spikes or throughput decreases. What's the best way to demonstrate the issue to them? Perhaps the issue is with my laptop (it has a recent 802.11ac card from Intel and up-to-date drivers)? Is there even an issue? Are my expectations too high? Could it just be QoS between the public and private networks?
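One way to turn "the network feels slow" into evidence that can be handed to the IT company is to keep the raw ping output and reduce it to loss, median versus mean latency, and the windows in which loss clustered. The Python below is an added example, not something from the post; the ping output it parses is a constructed sample in Linux `ping` format with three lost probes and a latency spike, not a real capture.

```python
import re
import statistics

# Constructed sample of `ping 9.9.9.9` output: 20 probes, seq 6, 7 and 9
# lost, and a latency spike around them.  Not a real capture.
SAMPLE_PING = """PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.
64 bytes from 9.9.9.9: icmp_seq=1 ttl=57 time=15.1 ms
64 bytes from 9.9.9.9: icmp_seq=2 ttl=57 time=16.0 ms
64 bytes from 9.9.9.9: icmp_seq=3 ttl=57 time=14.8 ms
64 bytes from 9.9.9.9: icmp_seq=4 ttl=57 time=15.5 ms
64 bytes from 9.9.9.9: icmp_seq=5 ttl=57 time=120.3 ms
64 bytes from 9.9.9.9: icmp_seq=8 ttl=57 time=750.2 ms
64 bytes from 9.9.9.9: icmp_seq=10 ttl=57 time=300.1 ms
64 bytes from 9.9.9.9: icmp_seq=11 ttl=57 time=16.2 ms
64 bytes from 9.9.9.9: icmp_seq=12 ttl=57 time=15.9 ms
64 bytes from 9.9.9.9: icmp_seq=13 ttl=57 time=15.4 ms
64 bytes from 9.9.9.9: icmp_seq=14 ttl=57 time=15.0 ms
64 bytes from 9.9.9.9: icmp_seq=15 ttl=57 time=15.7 ms
64 bytes from 9.9.9.9: icmp_seq=16 ttl=57 time=16.1 ms
64 bytes from 9.9.9.9: icmp_seq=17 ttl=57 time=15.3 ms
64 bytes from 9.9.9.9: icmp_seq=18 ttl=57 time=15.6 ms
64 bytes from 9.9.9.9: icmp_seq=19 ttl=57 time=14.9 ms
64 bytes from 9.9.9.9: icmp_seq=20 ttl=57 time=15.2 ms

--- 9.9.9.9 ping statistics ---
20 packets transmitted, 17 received, 15% packet loss, time 19030ms
"""

REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=\d+ time=([\d.]+) ms")
SENT_RE = re.compile(r"(\d+) packets transmitted")


def parse_ping(text):
    """Map icmp_seq -> RTT in ms for each reply line; lost probes are absent."""
    replies = {}
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies[int(m.group(1))] = float(m.group(2))
    return replies


def probes_sent(text):
    """Number of probes sent, from the summary line; fall back to the highest seq."""
    m = SENT_RE.search(text)
    if m:
        return int(m.group(1))
    replies = parse_ping(text)
    return max(replies) if replies else 0


def summarize(text):
    """Loss and latency figures; median next to mean shows whether the
    average is dominated by a few spikes."""
    replies = parse_ping(text)
    sent = probes_sent(text)
    rtts = [replies[s] for s in sorted(replies)]
    if not rtts or not sent:
        return {"sent": sent, "received": 0}
    lost = sent - len(rtts)
    jitter = statistics.mean(abs(a - b) for a, b in zip(rtts, rtts[1:])) if len(rtts) > 1 else 0.0
    return {
        "sent": sent,
        "received": len(rtts),
        "loss_pct": round(100.0 * lost / sent, 1),
        "min_ms": min(rtts),
        "median_ms": statistics.median(rtts),
        "avg_ms": round(statistics.mean(rtts), 2),
        "max_ms": max(rtts),
        "jitter_ms": round(jitter, 2),
    }


def loss_bursts(replies, sent, window=5, threshold=0.4):
    """Slide a window over sequence numbers and merge the windows whose loss
    fraction reaches the threshold into (first_seq, last_seq) bursts, so a
    cluster of drops shows up as one event rather than an overall percentage."""
    bursts = []
    for start in range(1, sent - window + 2):
        lost = sum(1 for s in range(start, start + window) if s not in replies)
        if lost / window >= threshold:
            end = start + window - 1
            if bursts and start <= bursts[-1][1] + 1:
                bursts[-1] = (bursts[-1][0], max(bursts[-1][1], end))
            else:
                bursts.append((start, end))
    return bursts


if __name__ == "__main__":
    stats = summarize(SAMPLE_PING)
    print(stats)
    print("loss bursts (seq ranges):", loss_bursts(parse_ping(SAMPLE_PING), stats["sent"]))
```

Run it against real output saved with `ping -D 9.9.9.9 | tee ping.log` and the same script gives timestamps for the bursts; pairing that with a second laptop on the same AP running the same command at the same time is the quickest way to rule out the laptop.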



Need Advice on Running out of IP Addresses

Hey everyone,

I inherited a K12 network of about 850 users. We are moving toward a 1-1 environment where every student gets a device. The problem I'm having is that we are about to run out of ip addresses. We use a 255.255.252.0 subnet. When looking around for potential fixes I came across resubnetting and going to 255.255.248.0. But, I've heard that having a broadcast domain above 500 devices is a bad idea. So then I thought about VLAN between buildings. But then I'm worried about all users not having access to our file server.

I'm pretty green so any advice would be very helpful.



HPE Comware VPN Instances

Hello, /r/networking

Could someone fluent in Comware help me a bit?

I have a few building networks connected by HP A5800 switches running OSPF. Each building has a few VLANs and is linked to the others by L3-only links. Management recently got the idea to deliver guest WiFi to all the buildings.

Can I deliver some guest networks/VLANs to all buildings without connecting them at L2? I don't like the idea of firewalling everything from guest networks on all L3 switches. It seems that it is a task for VPN instances (aka VRF) but I do not fully understand yet how it works and if it is the correct tool for this. Will this allow me to have different, unconnected IP networks for LAN and guest traffic?



MSP: Network Devices - Upgrade Schedules for clients

Hey ladies and gentlemen,

This isn't a very technical post. I'm just looking to brainstorm with fellow nerds.

I'm tasked with creating a plan to schedule recurring upgrades to network equipment for clients. I'm thinking biannually sounds about right. This would be upgrades/patching to all switches, routers, firewalls, wireless, etc.

I'd write up instructions so eventually technical support can just do it.

If you had a large base of clients, let's say 100 how would you approach it?

Would you do them all at the same time or maybe 25 a month and just keep rotating? That would be 3 upgrades a year instead of 2. Would you do it quarterly?



IPSEC Quick Mode question

Any IPSEC experts out there?

Router A IPSEC SA expires (seconds or KB), and in doing so, sends Quick Mode packets to Router B, to which Router B does not reply. Since presumably Router A is changing the SPI, now Router B is sending traffic which is blackholed. Quick Mode works fine if done immediately after Main Mode (clearing the tunnel for example, or a hard reboot on Router B). But any time Router A lifetime (seconds or KB) expires, these Quick Mode messages get no response from Router B. Router B debug shows it is receiving QM packets, but also shows "quick mode failed."

Any idea why Quick Mode would fail in the context of a lifetime re-key, but work fine as part of the Main Mode Phase 1 --> Quick Mode Phase 2 transition?

I am also having a hard time finding "normal" behavior for this re-key - is it normal to just send QM packets as part of an IPSEC lifetime re-key? Or should it enter Main Mode again?



Cisco 2802 AP w/ Mobility Express

Older Cisco APs would allow me to put them in bridge mode and/or workgroup bridge mode. I do not see this in the Mobility Express GUI or anywhere in the CLI anymore. Does Cisco prevent you from using APs as bridges? Does anyone have some example configs or related links to share regarding this?

Thanks!



Durability GPON fiber PLC splitters

I help operate a GPON network based on fs.com PLC splitters. Works great. So far those splitters are all safely stored in cabinets. We're looking at extending service and one option to cut down on cost is putting smaller splitters underground in hand holes.

Here is the part we would use..

https://www.fs.com/products/11526.html

Right now our splitters are easy to service and replace, but these would be trickier being perm. burnt in.

Any thoughts on PLC splitter durability? I have many (50) splitters with 0 lost so far.



Suggestions on combo modem router

I think that the time to change router has arrived for me. I am not a big expert on routers or networking in general. I would like to buy a router that has a modem integrated without spending more than 100€. I've found this one https://www.amazon.it/gp/aw/d/B00Q2HYVJG/ref=mp_s_a_1_1?__mk_it_IT=ÅMÅŽÕÑ&qid=1523049353&sr=8-1&pi=AC_SX236_SY340_FMwebp_QL65&keywords=fritz+box+3490 The reviews are perfect but the fact that it came out years ago prevents me from buying it immediately. What do you think about it? Is it worth that money? Can you suggest a better one? Also, I would like to have one that has the possibility of setting static ARP entries to make wake on lan work remotely. Thanks



Is it bad to utilize proxy arp? is there a way to lock it down more while still utilizing it?

I have an interesting setup utilizing proxy arp and I was wondering if anyone has seen this before/there is a name for it. My firewall is an edgerouter and the server is a linux host.

I wanted to configure a host with a static external address but I wanted/needed the firewall to remain in place and not use NAT at all.

I already had the host working with an internal address so I just added the external IP address to the existing server interface (not its own/new interface) and added a route for the external address to the internal address on the edgerouter and to my surprise it started working. I removed all the NAT and replaced it with just a SNAT to rewrite the outgoing IP (which brings up another question, does using SNAT still require the firewall to maintain the connection table/state?). The firewall works beautifully on the edgerouter before the server now so no need for a firewall on the server.

I then realized I had proxy arp enabled on my WAN interface and disabled it. A few days later the connection stopped responding on the linux server external address, so I re-enabled proxy arp and it started working again. So I need proxy arp for this to work...

Is there anything wrong with this setup? I was also able to use this technique to route an external IP address across several wireless links all with internal addresses (of course needed to add route to each antenna but it works beautifully). What kind of problems could this cause? I am aiming to have everything routed only, no bridges (unless at edges) so I would like to use this to provide customer external address if needed, can I make this more secure/prevent abuse of the proxy arp? (I suspect I would need to add a route to firewall to even get this to work, but I wanted to ensure this technique could not be abused from the customer link)

Thanks for anyone's input! Your help is greatly appreciated



Cisco Anyconnect 4.6 the only maintained branch going forward

Cisco Anyconnect 4.6 just released yesterday, with one important note... from the release notes:

AnyConnect release 4.6.x will become the maintenance path for any 4.x bugs. AnyConnect 4.0, 4.1, 4.2, 4.3, 4.4, and 4.5 customers must upgrade to AnyConnect 4.6.x to benefit from future defect fixes. Any defects found in AnyConnect 4.0.x, 4.1.x, 4.2.x, 4.3.x, 4.4.x, and 4.5.x will be fixed in the AnyConnect 4.6.x maintenance releases only.

So anyone rolling out patches on any other 4.x branch will be forced to upgrade to 4.6 going forward, and we just rolled out 4.5 latest just a few weeks ago, ugh.

One great new feature though: 'AnyConnect WebLaunch' replaces the old web install page that used java, and they just present the download right away on login now, hooray!



Anyone work with UC / WebEx / Skype for business?

I have an interview next week for an outfit that specialises in building Cisco UC solutions such as Spark/WebEx and Skype for Business for clients.

I'm from a pure data background with not much grounding in these. The role is primarily supporting the Cisco/juniper corporate network and implementing data solutions for clients.

I don't have much knowledge of the Cisco UC suite so was looking for some brief pointers on these from knowledgeable folks here.

Apart from usual demands such as low latency etc what else do these solutions rely on from a network perspective?

Just want to be able to do a bit of homework to prep myself



IP SLA Probe integration with NMS

Hey /r/networking,

So I've found a lot of useful information in this post here:

https://www.reddit.com/r/networking/comments/3gmvyp/what_are_you_using_for_sla_monitoring/

I'm curious though: for those of you that are/have deployed NIDs and use them with "popular" NMS suites, can you share your experience with me? I'm curious about the prospect of deploying these probes with a product like Riverbed, or maybe an open source alternative, like Nagios (or any of the similar alternatives).

Any details on the setup process, how well it integrated with the monitoring suite...



VPN and Routing

I am failing at getting bidirectional ping working on my network and it's been bugging me for a bit. I posted here the other day but I was missing some key information so I'll try to present that this time.

My Network

Here is a diagram of my network made in MS Paint: https://i.imgur.com/EXueBr4.png

I'll outline the devices for you:

  • VyOS running on Vultr.com with a public IPv4 (/23) and OpenVPN Server running.
  • EdgeOS running on a Ubiquiti Networks Edge Router Pro 8 Port, behind a modem, utilising a public IPv4. Runs OpenVPN Server and has 3 VLANs individually using a LAN port per VLAN.
  • CentOS 6 running within Proxmox on a Supermicro server. Firewall open.

My Issue

I am able to ping and trace from Server to R1's 172.16.64.1/29 address. I am able to ping and trace from R2 to R1's 172.16.64.1/29 address. I am able to ping and trace from R1 to R2's 172.16.64.2/29 address. I am unable to ping and/or trace from R1 to R2's 10.0.102.1/24 address. I am unable to ping and/or trace from R1 to Server's 10.0.102.9/24 address.

Configuration

Below are parts of the configuration for R1 which I feel are important to share:

    interfaces {
        ethernet eth0 {
            ...public address config...
        }
        openvpn vtun0 {
            firewall {
                in {
                    name VPN
                }
                local {
                    name VPN
                }
                out {
                    name VPN
                }
            }
            mode server
            server {
                subnet 172.16.64.0/29
            }
            tls {
                ca-cert-file /config/auth/ovpn/ca.crt
                cert-file /config/auth/ovpn/server.crt
                dh-file /config/auth/ovpn/dh1024.pem
                key-file /config/auth/ovpn/server.key
            }
        }
    }
    nat {
        source {
            rule 1 {
                description "VPN to Home"
                destination {
                    address 10.0.0.0/8
                }
                outbound-interface vtun0
                protocol all
                translation {
                    address masquerade
                }
            }
        }
    }
    protocols {
        static {
            route 0.0.0.0/0 {
                next-hop 108.61.196.1 {
                }
            }
            route 10.0.0.0/8 {
                next-hop 172.16.64.2 {
                }
            }
        }
    }

Below are parts of the configuration for R2 which I feel are important to share:

    firewall {
        all-ping enable
        broadcast-ping disable
        group {
            address-group NetworkAdministrators {
                address 10.0.102.8
                address 10.0.102.7
                address 10.0.102.254
                address 10.0.102.14
                description "Network Administrators"
            }
            network-group OpenNetworks {
                description "Networks that can access WAN."
                network 10.0.101.0/24
                network 10.0.102.0/24
            }
        }
        ipv6-receive-redirects disable
        ipv6-src-route disable
        ip-src-route disable
        log-martians enable
        name Tenant {
            default-action accept
            description "Tenant network rules."
            rule 1 {
                action drop
                description "Block control panel."
                destination {
                    address 10.0.102.1/32
                    port 80,443,22
                }
                log disable
                protocol tcp
            }
        }
        name VPN {
            default-action accept
            description "Allow any VPN connection"
            rule 1 {
                action accept
                log disable
                protocol all
            }
        }
        receive-redirects disable
        send-redirects enable
        source-validation disable
        syn-cookies enable
    }
    interfaces {
        ethernet eth0 {
            ...other lan...
        }
        ethernet eth1 {
            ...other lan...
        }
        ethernet eth2 {
            address 10.0.102.1/24
            description Tenant
            duplex auto
            firewall {
                local {
                    name Tenant
                }
            }
            speed auto
        }
        ethernet eth7 {
            address dhcp
            address dhcpv6
            description WAN
            duplex auto
            firewall {
                local {
                    name WAN_LOCAL
                }
            }
            mac 00:24:81:82:d8:d5
            speed auto
        }
        openvpn vtun0 {
            mode client
            remote-host ...R1 public ip...
            tls {
                ca-cert-file /config/auth/ovpn/ca.crt
                cert-file /config/auth/ovpn/client.crt
                key-file /config/auth/ovpn/client.key
            }
        }
    }
    service {
        nat {
            rule 1 {
                destination {
                    address 10.0.102.0/24
                }
                inbound-interface vtun0
                inside-address {
                    address 10.0.102.0/24
                }
                protocol all
                type destination
            }
            rule 5003 {
                description "Tenant to VPN"
                destination {
                    address 172.16.64.0/29
                }
                log disable
                outbound-interface vtun0
                protocol all
                source {
                    address 10.0.102.0/24
                }
                type masquerade
            }
            rule 5004 {
                description "NetworkAdministrators to Management"
                destination {
                    address 10.0.100.0/24
                }
                log disable
                outbound-interface eth0
                protocol all
                source {
                    group {
                        address-group NetworkAdministrators
                    }
                }
                type masquerade
            }
            rule 5005 {
                description "Public Route"
                log disable
                outbound-interface eth7
                protocol all
                source {
                    group {
                        network-group OpenNetworks
                    }
                }
                type masquerade
            }
        }
    }

Routes for Devices

Here I'll document the routes for each device:

Routes for R1

    default via ...public gateway... dev eth0 proto zebra
    10.0.0.0/8 via 172.16.64.2 dev vtun0 proto zebra
    ...public network.../23 dev eth0 proto kernel scope link src ...public ip...
    127.0.0.0/8 dev lo proto kernel scope link src 127.0.0.1
    172.16.64.0/29 dev vtun0 proto kernel scope link src 172.16.64.1

Routes for R2

    0.0.0.0/29 dev vtun0 proto kernel scope link
    default via ...public gateway... dev eth7 proto zebra
    10.0.100.0/24 dev eth0 proto kernel scope link src 10.0.100.1
    10.0.101.0/24 dev eth1 proto kernel scope link src 10.0.101.1
    10.0.102.0/24 dev eth2 proto kernel scope link src 10.0.102.1
    ...public network.../24 dev eth7 proto kernel scope link src ...public ip...
    172.16.64.0/29 dev vtun0 proto kernel scope link src 172.16.64.2

Routes for Server

    10.0.102.0/24 dev eth2 proto kernel scope link src 10.0.102.9
    10.0.101.0/24 dev eth1 proto kernel scope link src 10.0.101.9
    10.0.100.0/24 dev eth0 proto kernel scope link src 10.0.100.9
    169.254.0.0/16 dev eth0 scope link metric 1002
    169.254.0.0/16 dev eth1 scope link metric 1003
    169.254.0.0/16 dev eth2 scope link metric 1004
    default via 10.0.102.1 dev eth2

Tests

Here I'll put a collection of traceroutes from each device.

Traceroutes from Server

    # traceroute 10.0.100.1
    traceroute to 10.0.100.1 (10.0.100.1), 30 hops max, 60 byte packets
     1  ...router hostname... (10.0.100.1)  0.197 ms  0.315 ms  0.293 ms
    # traceroute 172.16.64.2
    traceroute to 172.16.64.2 (172.16.64.2), 30 hops max, 60 byte packets
     1  172.16.64.2 (172.16.64.2)  0.248 ms  0.317 ms  0.305 ms
    # traceroute 172.16.64.1
    traceroute to 172.16.64.1 (172.16.64.1), 30 hops max, 60 byte packets
     1  ...router hostname... (10.0.102.1)  0.284 ms  0.342 ms  0.317 ms
     2  172.16.64.1 (172.16.64.1)  18.894 ms  24.621 ms  24.596 ms

This displays that Server is able to trace to my Vultr server and ping the OpenVPN router IP.

Traceroutes from R2

    # traceroute 172.16.64.1
    traceroute to 172.16.64.1 (172.16.64.1), 30 hops max, 38 byte packets
     1  172.16.64.1 (172.16.64.1)  18.031 ms  15.952 ms  14.631 ms

This displays that R2 is able to trace to my Vultr server and ping the OpenVPN router IP.

Traceroutes from R1

    # traceroute 172.16.64.2
    traceroute to 172.16.64.2 (172.16.64.2), 30 hops max, 60 byte packets
     1  172.16.64.2 (172.16.64.2)  27.038 ms  26.968 ms  26.940 ms
    # traceroute 10.0.102.1
    traceroute to 10.0.102.1 (10.0.102.1), 30 hops max, 60 byte packets
     1  * * *
     2  * * *
     3  * * *
     4  * * *
     5  * * *
    # traceroute 10.0.102.9
    traceroute to 10.0.102.9 (10.0.102.9), 30 hops max, 60 byte packets
     1  * * *
     2  * * *
     3  * * *
     4  * * *
     5  * * *

This displays that R1 is only able to ping the OpenVPN client IP of R2, but no further.

Help Appreciated

If anyone is able to offer some assistance with this, I'd greatly appreciate it. Thank you.
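An added example that is not part of this post or of the "Learning how to route through a VPN connection..." post above, and not the author's configuration: a small Python model of the two lookups a packet leaving R1 for 10.0.102.1 has to pass. The first is the kernel's longest-prefix match over the "Routes for R1" table, which sends the packet into vtun0 exactly as both posts show. The second is internal to the OpenVPN server daemon: in TUN server mode the daemon, not the kernel, decides which client session owns a destination, using the client's tunnel address plus any subnets declared for that client with OpenVPN's `iroute` directive (the assumption here is that on VyOS this is expressed as `server client <name> subnet <prefix>` under the vtun0 interface). A destination matching neither is dropped before it ever reaches R2, which would give exactly the working trace to 172.16.64.2 and the `* * *` trace to 10.0.102.1. The public /23 and gateway are placeholders because the posts elide them, and whether a missing iroute is the actual cause in the author's setup is an assumption to check on R1, not something the posts confirm; the OpenVPN log line `MULTI: bad source address from client` is the reverse-direction symptom of the same gap.

```python
import ipaddress

# R1's kernel routing table, transcribed from the "Routes for R1" listing.
# The public prefix and gateway are constructed placeholders (the post
# elides them); 198.51.100.0/24 is a documentation range.
R1_KERNEL_ROUTES = [
    ("0.0.0.0/0",       "198.51.100.1", "eth0"),   # default via placeholder gateway
    ("10.0.0.0/8",      "172.16.64.2",  "vtun0"),  # static route into the tunnel
    ("198.51.100.0/23", None,           "eth0"),   # placeholder public /23
    ("127.0.0.0/8",     None,           "lo"),
    ("172.16.64.0/29",  None,           "vtun0"),  # tunnel subnet
]


def kernel_lookup(routes, dst):
    """Longest-prefix match as the kernel FIB does it.
    Returns (network, next_hop, device) or None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, dev)
    return best


class OpenVPNServer:
    """Minimal model of the server daemon's per-client internal routing.
    Each connected client owns its tunnel address; further subnets are
    only known to the daemon if an iroute has been declared for them."""

    def __init__(self):
        self.clients = {}   # client name -> list of networks it owns

    def connect(self, name, tunnel_ip):
        self.clients[name] = [ipaddress.ip_network(tunnel_ip + "/32")]

    def iroute(self, name, prefix):
        """Equivalent of `iroute <prefix>` in that client's client-config-dir file."""
        self.clients[name].append(ipaddress.ip_network(prefix))

    def deliver(self, dst):
        """Return the client that owns dst, or None if the daemon drops the packet."""
        dst = ipaddress.ip_address(dst)
        owner, best_len = None, -1
        for name, nets in self.clients.items():
            for net in nets:
                if dst in net and net.prefixlen > best_len:
                    owner, best_len = name, net.prefixlen
        return owner


def trace_from_r1(server, dst):
    """Follow one packet from R1 through the kernel FIB and then the daemon."""
    route = kernel_lookup(R1_KERNEL_ROUTES, dst)
    if route is None:
        return "no route"
    _, _, dev = route
    if dev != "vtun0":
        return f"sent via {dev}"
    client = server.deliver(dst)
    return f"delivered to client {client}" if client else "dropped by openvpn daemon"


if __name__ == "__main__":
    srv = OpenVPNServer()
    srv.connect("r2", "172.16.64.2")          # R2's tunnel address from the post
    for dst in ("172.16.64.2", "10.0.102.1"):
        print(dst, "->", trace_from_r1(srv, dst))
    srv.iroute("r2", "10.0.0.0/8")            # the declaration the model says is missing
    print("10.0.102.1 after iroute ->", trace_from_r1(srv, "10.0.102.1"))
```

The model deliberately ignores NAT and firewall rules; if the iroute is present on R1 and the trace still dies, those are the next things to look at, starting with R2's `rule 1` destination NAT on vtun0, which rewrites 10.0.102.0/24 to itself and is a no-op at best.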



Is it possible to get ipv6 autoconfig to work over a trunked port?

Hi,

I'm working on a school assignment. We are setting up an enterprise network with several VLANs in Packet Tracer. The assignment wants us to set up the network with both IPv4 and IPv6. I have set up a DHCP server with ip helper-address to serve the LAN with IPv4 addresses. I have set up the different VLANs behind access switches, then onto a MultiLayer Switch. The issue I'm facing is that the MultiLayer switch is not able to forward the autoconfig of IPv6 addresses over the trunked ports going out to the access switches and then out to the clients.

I'm really stuck here and have been googling and reading up on this the last 5 hours without going anywhere. I'm quite a novice when it comes to networking (on my first year of a Bachelor), so if you have a solution for me, I would really appreciate a detailed description of how to get it to work.

Thank you in advance for your help :D



Juniper SRX300 Reliability

I am beginning to deploy Juniper SRX320 in packet-mode for use as PE routers on the edge of my MPLS backbone.

However, I am running into a problem where many of them are failing to boot. It looks like the primary AND alternate slice/partition are becoming corrupted on bad power cycles due to unstable power in my customers' offices.

Is this a known issue with the SRX300s? Should I be using the SRX220 instead since it appears to be a more mature product?



Has anyone found a good way to manage the Layer8 side of ansible automation

Within my network I have a VXLAN deployment with 80+ switches that I manage. The workload of managing the numerous VLANs and VRFs is becoming very time consuming, and I've been looking for automation solutions. I've been playing with Ansible, and have been able to automate a lot of the tasks that I do on a day-to-day basis, but I'm running into issues with ease of use. My Ansible variables file has become overwhelming with all of the VRF settings, descriptions and VLANs. Has anyone found a good way to manage the variables? Can I use a CSV file or something similar? Would Ansible Tower be the answer? Kinda lost on this one and looking for guidance.



Tuning MTU

I want to understand something about best practice with MTU. If you have a server connected in a network and enable jumbo frames between all the places that access that server, then obviously you get a higher MTU and transmission speed across the network. However, most web servers somewhere in the internet will be in a transit path that hits a standard 1500 MTU. Thus, somewhere in the transit path the packets will be fragmented down to a 1500-byte packet when the servers access the internet. Let's say that this point is your edge router connecting to your ISP, which will be burdened with this task, which gets worse the more servers are configured this way with jumbo frames.

My question is, how do you optimise your internal access between servers (i.e. use jumbo frames here), whilst not burdening your edge router with the fragmentation when the servers use the internet?



Bi-Di 10G SFP+ optics for Nexus 3100?

Hello /r/networking.

Have any of you attempted to use any Bi-Di optics in Nexus 3100 switches? More specifically N3K-3172PQ?

The Cisco 10G SFP matrix does not list SFP-10G-BXD-I / SFP-10G-BXU-I as supported in this platform.

I need a 10Gbps Bi-Di optic that will work in an N3K. Probably going to try some from fs.com but if someone has attempted this already it would be helpful to confirm.

Thanks!



questions about CISCO TRex traffic generator

I have never used TRex or any traffic generator before. total noob.

But I have been tasked with testing the throughput on a firewall with all services on, simulating traffic from multiple clients/servers. So I followed the TRex manual and connected 2 SFP+ ports (10G ports) to the firewall. I see a lot of scripts (.yaml), but which one would test throughput simulating multiple clients and services? Not sure if I'm making sense.



Blockchain as a Transport or Blockchain Define-WAN: I kid you not

Ok, apparently we can blockchain all the things, even networking. These peeps propose using a blockchain as a LAN and WAN control plane and VxLAN as the encaps. SMH



SFP+ cable for SR transceiver

I have a Catalyst 4948E with an SR transceiver and a server with an Intel X520-SR2 NIC. Is this cable good to connect the two directly?

https://www.fs.com/products/41728.html



Cisco WLC Logging Client Connections

Does anyone know of a way to log each time a client connects and disconnects to an AP that is managed by a WLC 5520?

I was leaning towards just having a python script that polled the WLC to see what clients were connected but figured there must be some sort of event log that tracks this on the WLC.

Thanks!



Is a mounting shelf needed with a MX480?

We're rack mounting a MX480 in a 4 post rack, I see the rack mount instructions refer to a mounting shelf: https://www.juniper.net/documentation/en_US/release-independent/junos/topics/task/installation/mx480-mounting-hardware.html

Is this needed? Have you mounted without it?



VyOS VM help within GNS3

Hello Reddit I am turning to you as always for a specific networking problem I am having with a project I am doing.

I am using GNS3 in conjunction with VMWare VM's to create a topology which involves -

-Windows Server 2012

-Windows 7

-VyOS

In this scenario all of these machines are on one internal network with the subnet 10.0.0.0/24, with the interfaces on the VyOS machine as 10.0.0.1, the Windows Server machine as 10.0.0.254, and the Windows 7 machine as 10.0.0.10. The topology is: the Windows Server and Windows 7 machines connect to an Ethernet switch on ports 1 and 2, and port 0 of the Ethernet switch is connected to eth0 on the VyOS machine.

I have the VyOS machine configured with ethernet 0 with the address of 10.0.0.1/24. And within the virtual machine settings all the network adapters are set to VMNet 2.

The problem I am having is that both machines can ping the VyOS router, but it cannot ping them back, thus there is no interconnectivity between the 2 Windows machines. If I could I would gladly use a Cisco router image within GNS3, but I do not have access to one so I am stuck with VyOS.

Can anyone help with this problem in any possible way. If needed I can post additional information on the scenario.

TL;DR VyOS cannot ping VM's that are directly connected, but they can ping it.



Enterprise Access Switch Monitoring Strategy

What is your access switch monitoring strategy with your network monitoring software? Do you monitor ALL ports on access switches or just uplink ports. Why or why not?

I'm testing out new monitoring software and trying to develop a strategy and standard going forward.



Hopefully basic network setup question

I am looking to separate my debit terminal from the rest of my network in the simplest possible way. I currently have a wireless router which does not support VLANs (Linksys EA 6400). The debit terminal is plugged directly into the router along with several other devices. I am a hairstylist and while I've built PCs in the past I'm a complete beginner when it comes to networking. I'm trying to understand if I can buy a smart switch, plug it into the router and run a single VLAN for the debit terminal. Also, if that is a viable option, should I plug the rest of the devices into the switch and configure a separate VLAN for the other devices and only have the switch plugged into the router? Or could I leave the rest of the devices plugged into the router? I would really appreciate any help anyone would be willing to give.



1.1.1.1 and Is my router borked?

I ran Google's namebench software to see if 1.1.1.1 was faster for me as a DNS. The results seem worse for the router itself than anything else. Can anyone advise me based on this graph?

https://imgur.com/a/Eqjvi



Routing from OpenVPN-Net to internal LAN

https://ift.tt/2qfZ3Hd



Draytek VPN Wireless problem...

Hi all,

apologies if this is the wrong place to post! I'm having an issue with a Draytek Vigor 3900 device, it's been working fine as our main VPN for 3 years now (or around that long!)

Recently a lot of our users are reporting that the Draytek VPN isn't working, however after troubleshooting, I seem to have diagnosed the problem...

  • On a wired connection, the VPN runs just fine, no problem at all.
  • On wireless, if using the Draytek Smart VPN Client on SSL connection (our choice of tool), if you have "Use default gateway on remote network" ticked, then the VPN doesn't work at all...

No settings or configurations have changed, it just appears to have completely stopped working.

Disabling the default gateway setting makes the VPN work on wireless (however you then can't access any of our network shares, programs etc)

Anybody ever had anything similar and know what could be causing this?

TL;DR: Draytek VPN has been fine for years, no changes to config, settings or hardware; it's suddenly stopped working for wireless users due to the default gateway setting.



Proper BGP multi-homing for ISP customers

I do work for a small regional ISP and am having some difficulties figuring out how to properly advertise a multi-homed customer's network to our peers. All routers are Juniper M/MX.

Customer X has their own ASN and IP addresses, say AS 65530.

Customer X has an internet connection from ISP A and advertises their prefix via BGP to ISP A

Customer X has an internet connection from ISP B and advertises their prefix, with a couple of prepends, via BGP to ISP B (ISP I am doing work for)

ISP B is BGP peered with several tier 1 & 2 carriers. Let's narrow it to 2 for this question: Level3 (AS3356) and Sprint (AS1239).

In order to properly route traffic to Customer X, ISP B has to accept their prefix via the direct connection to them, as well as from Level3 and Sprint. When ISP B receives Customer X's prefix with a shorter AS-path from Level3 or Sprint, ISP B's router does not advertise it back to the respective Tier1 (to prevent loops of course).

So how do I make sure the Tier1 ISPs know that ISP B is a valid path to Customer X's prefix with Customer X still advertising directly?

ISP B could filter Customer X's prefix from their Tier1 peers, then the routers would advertise the prefix learned directly from the customer. But then if the customers link to ISP B fails, ISP B would have no other route to Customer X, so ISP B's other customers could not communicate with Customer X.

I don't recall coming across such a scenario in any of my training.

Any advice? I hope I was clear enough in my description. I can add a drawing if necessary.



LoRaWAN curiosity

I have been looking into a side hobby and LoRaWAN has caught my eye. I am a network engineer with zero programming skills. Anyone played with LoRa and any advice on its applicability?



Just For Fun: HE's Global Network Map

Found this by mistake earlier. Really interesting. It's HE's 3D map of global connections.

http://he.net/3d-map/



Can you think of a valid use case for IPsec over GRE?

I am NOT talking about GRE over IPsec.



Help troubleshoot credit card terminal communication failures

I am struggling to troubleshoot credit/debit terminal communications to find the cause of the problem. I ran packet monitoring on the terminal today and found there are a lot of retransmissions. What are possible causes?

The linked image shows an example from today with two transactions. The first transaction timed out after 60 seconds, the second transaction succeeded. After the first transaction failed, the user tried the transaction again and it worked. They have to do this on about 35% of their payments. Reviewing the day, there are a lot of re-transmissions mostly from the server, but some from the terminal.

This has been going on for about 6 weeks, many conversations with the payment processor with no success.

The captures are of credit card payment transactions so I'm not able to post the cap file(s).

The credit card terminal is an Ingenico iCT250. The payment processor has replaced the unit twice.

All cabling has been tested with no change. Terminal was moved to another location, moved to server room connected directly to switch, connected directly to router (sonicwall), cable unplugged from working computer and plugged into terminal, etc.

Thanks.



In theory, how far could you repeat a wifi signal?

Is it possible to repeat a wifi signal continuously? Would it be possible to cover big distances with enterprise or consumer level equipment?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.



Thursday, April 5, 2018

Confused About Zentyal Default Route

See this routing table.

I'm used to seeing a route marked "default" and that's not the case here. How do packets get routed to the Internet?



Cisco Nexus-to-Nexus dual-VPC interconnect - topology help?

Since a picture speaks 1000 words...

https://i.imgur.com/bj2PvYy.png

Which of the two VPC configurations in that picture is best, blue or red?

I'm thinking Blue, since while a single switch failure in either option is bad, in the blue option only ~10Gb of traffic would have to transit the VPC peer-link (in theory). A single switch failure in Red would result in potentially 20Gb of traffic needing to transit the peer-link, right?

(No, this is not homework, this is an actual thing I'm doing at the office and just wanted to double-check myself.)



Raspberry pi as IPTV mcast stream monitor

Guys, does anyone over here have a working solution for a RasPi as an mcast probe?



PowerConnect 5448 Configuration.

So I have a PowerConnect switch, and I need to get into the command line interface without using a console, mainly because I don't have the cable. I'm looking for the default IP address for this switch so I can SSH into it. I looked around already but didn't seem to find any definitive answers, and yes, I did factory reset the switch. I appreciate the help. Thanks.



Stubborn WiFi user...continued

Hey all,

I posted a few days ago. Real quick overview: We have 5520 WLCs (HA) running 8.2 with 52 WAPs of the 1852 variety, spread out between 2.5 floors (fairly big space). We are working on upgrading the code to 8.3

Anyways, I see myself currently with a -46 dBm from the WAP I connect to. On my Mac, I see myself as having a -56 RSSI. All is fairly well. I believe whatever is bolded on the wireless diagnostics scan on Mac is what you are connected to - has to be the case.

Anyways, I am on Zoom with the guy testing this out and I have wireless issues as well. Connected to 5 GHz, no interference or noise going on from what is reported on the WLC, etc. No Bluetooth or anything. I noticed when I had the problem (frozen video, 2300 ms pings to 8.8.8.8), I did another scan on the wireless diagnostics on my Mac, and I was connected to an AP further away with an RSSI of -73. Why the hell did this happen? The AP I connected to is statically configured for a channel and TX power. The one I was connected to (and sit near) is configured to auto (I will change all to AUTO soon, then re-assess). Did I change channels perhaps? And drop? How can I tell if my AP is changing channels? Why would it happen 5-10 times within 15 minutes?

I know everyone here hates Apple, but I seriously do not understand what's happening. I had a third guy on Zoom and pinging 8.8.8.8 who was wired, and no issues. I'm just not understanding. I check the WLC, the dBm for me is fine. The channel utilization is fine. The interference is fine. I check wireless diagnostics on my Mac and it's all fine. We get into the video call and suddenly I start switching APs and my signal has gone to hell. I was only pushing a few Mbps per my MacBook reporting as well. Ugh. Ideas?



BPDUGuard Enabled and receiving BPDU from a host device, not a STP device.

We are experiencing a seemingly random event where a port will go errdisabled after receiving a BPDU from a Delta Controller.

Initially, I thought this was happening during commissioning of a new building, where they would power cycle these devices and move them from port to port. But, we are unable to reenact the issue while capturing packets to try and figure this out.

I was wondering if anyone else has seen this issue before?

We are running Cisco 3650X-48PD switches, IOS 03.06.06.E.152-2.E6. All ports are spanning-tree portfast and BPDU guard enabled.

Thanks,



Network Automation Scripts/API Interaction Suggestions

Hi /r/networking

Hopefully this doesn't break your posting rules, but I am looking for some suggestions on what you guys have automated network-wise using Python/Cisco APIs.

I am trying to learn Python and need a good project to work on. The issue I am having is I can come up with an idea but it's just not possible for one reason or another. For example, we make use of Cisco Prime to manage our wireless via templates and basic switch monitoring. So I thought I could script the creation of templates for new sites using the Prime API, but the API doesn't expose any template functionality except for clitemplates. OK, I look at doing something with Firepower, and yet again function x is not available via the API.

Anyone got any suggestions on something I could work on which might be useful? (We're looking at the APIC controller, so I have avoided config generation for devices.)

Thanks

Edit: In terms of our environment, we're a Cisco shop for anything networking. All switches and routers are manually configured (looking at APIC to automate that), and the Cisco WLC is managed via Prime. We have Firepower devices managed via FMC. We don't have any issues other than everything being done the old-fashioned way: SSH into the device and manually make changes as required, etc.



Incorrect SNMP Traffic Data on Subinterface

Howdy, I'm having a bit of an issue with our ASR1006, running IOS XE Version 03.16.02b.S, and bandwidth monitoring using PRTG

I have subinterface Te0/0/0.1201 with a 5 Gbps connection to another ISP. The physical interface only has this subinterface configured on it. Whenever traffic goes above 3.5 Gbps our PRTG traffic monitor flatlines as if our upstream ISP has some traffic policy in place that's stopping traffic. However, our sensor monitoring the physical interface (Te0/0/0) is showing the correct traffic utilization past 3.5 Gbps.

We've decided to just use the physical interface for our aggregate monitoring, but if we decide to use Te0/0/0 for any other traffic we'd like to have a more granular breakdown. Any ideas why PRTG is showing an incorrect flatline? We're using SNMP v2c.



L2 over L3? VPLS, L2TPv3?

Cat6k doesn't support L2TPv3? Currently have dual 6500s with a 10g port-channel to a lone 4948 over L3 running EIGRP between buildings for some dev/qa equipment. Have some vlans on the 6ks which may need to extend behind the 4948 as well. I think the only option would be to move those L3 interface IPs into a new vlan on each side and make that port-channel a trunk? Any other way to do this?



Can't connect to a Dec server 700

Hello /r/networking, how are you? Well, as for me, I am almost throwing this piece of junk to the seventh hell! I can't connect to this Dec server 700 using the console port, can someone help me before I freak out? I tried connecting to the port 1 of the Dec server with every single one of the cables we had here: straight, crossover, even some custom cables for Cisco switches, and nothing works. Tried connecting it to a switch, but it does not ask for an IP through DHCP.



Hello with guest anchor Cisco 2504/5508

This is driving me mad, I've got a 2504 WLC to use as a guest anchor controller for public WiFi (I work in healthcare).

The mobility anchor is up with our foreign controller and the SSID is broadcast fine on all of the required APs.

DHCP is being handled by a 3rd parties device, this device is also the gateway out, doing the fancy stuff like limiting Bandwidth use and taking login credentials etc.

The switch has an svi on the same vlan as the gateway/DHCP device, the WLC has an interface on the same vlan with the correct IP and gateway for the vlan.

The gateway device can ping the WLC and the switch. The switch can ping the other two devices.

The WLC however can only ping the other two devices when I do so via CLI. If I do it from the GUI I can only ping its own interface....huh?!?

I could live with this but devices aren't being issued an IP address. They are when directly connected to the switch. I think the two issues are related, but I can't figure out what's causing it.

Help!



Unifi Switch vs Alternative for SMB Storefront

Hey Networking Community,

As a tech who is a little rusty on current vendors and such I am again looking for some personal opinions.

I have a small business client (carryout restaurant, 3 tables for diners, multiple tablets) for whom I am adding a Ubiquiti USG and AP LR to their AT&T service. Their needs are very minimal, with a few tablets for online ordering and printers, and a credit card machine. Being able to set up a guest network for employees and guests, as well as having the ability to monitor bandwidth and manage remotely, is a major selling point. Also having the additional security in the USG is a plus; I am hyper-sensitive to security. I am stuck on the switch.

I have run 9 x Cat 6 ports with the ability to have up to 12. This is more than they will need for years to come. With the USG and AP, having a Unifi switch doesn't add much except for the ability to manage individual ports; from my research, the usage stats and management can be done from the USG. Since I will never need a 16-port switch, should I choose an alternative smart switch, such as D-Link, Luxul, or HPE, to get only 10 or 12 ports at a better cost? I originally planned and purchased an 8-port Unifi non-PoE but it's now too small. I can add a second and daisy-chain them together with a Cat 6 patch, but I am not convinced the cost is worth it.

I have never thought highly of D-Link and I am not familiar with Luxul. I have had luck with TRENDnet at home but not sure they are reliable for a small business. HPE has a great warranty and I have heard good things at the enterprise level, not sure about SMB. All the equipment is mounted in a Leviton Structured Media cabinet with a secured, vented door. I appreciate any personal input anyone is willing to share. Thank you in advance for the assistance!



natting an outside local subnet

Hello redditors!

I have little experience doing NAT on a Cisco ASA 5510 (yes, it's old). I have been able to NAT inside local, but in this particular situation I have not been successful, and so I have turned to you for help.

Scenario:
We have a VPN tunnel set up for a third party with a destination range 192.168.100.0/24. We are starting a new service with another party that has the exact same destination subnet, and I have been asked by the 3rd party to NAT their subnet. Can this be accomplished on my end or do I need to have the 3rd party NAT their subnet? This is what I have tried:

access-list policy-nat-test extended permit ip 192.168.100.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list policy-nat-test extended permit ip 192.168.100.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list policy-nat-test extended permit ip 192.168.100.0 255.255.255.0 10.2.1.0 255.255.255.0
static (OUTSIDE,INSIDE) 10.2.1.0 192.168.100.0 netmask 255.255.255.0

[edited]



In network programming, is there a way to download the MAC table from switches without login or it being a managed switch?

I am building a network mapping tool, and I want it to do more than scan for open ports and such; I also want it to be able to generate a topology of the network, and in order to do that I need to be able to see the MAC address tables to map what each port is connected to (whether it be a switch or a host). Another thing I need is to be able to do it without telnet or SSH enabled, since not all switches are going to be managed. I want to be able to map what is connected to dumb switches alongside the managed ones, and without user authentication if possible. I know Cisco has SNMP (I am not sure if this works on other brands of switches and routers) and I have no idea if that is going to be what I am looking for when it comes to using it to map hosts connected to dumb switches, since they are mostly embedded devices not running a full operating system.



Simple script to pull ipconfig and netstat output?

Before I attempt to reinvent the wheel, anyone know of a simple script that will interrogate a range of IP addresses and return the output of ipconfig (or ifconfig for nix) and netstat? We just need to obtain the system IP address and active connections. Preferably free. Thanks!



Comments on Cisco 829 Mobile routers?

We're going to be trialing some 829s as DMVPN spokes for a handful of firetrucks over the next few months. They're going to be classic phase 3 DMVPN hubs, dual sim, dual hub and probably just serve as autonomous APs. Anyone out there with comment on these routers in a mobile environment?



Best way to see what websites clients access

Hi all,

Not my favourite topic to discuss, but it has been suggested to me as something we need to implement. What's the best way to implement a way I can see what machines (IP/MAC), or even better AD accounts, are accessing what websites? I'm not interested in what they're sending to the site, just to see what sites they access.

Our DHCP/DNS is handled by Windows Server 2012; I'm sure there is a feature built into the server to do this, but wanted to get people's opinions first.

Thanks!



Old Ruckus APs

Hello everyone,

I want to help my friend rebuild a fairly large (in the sense of surface area) hotspot network in a hotel. Everything is set (captive portal, RADIUS) aside from APs.

I can buy, fairly cheap, old Ruckus hardware (Zoneflex 7363,7962,7942,7352 etc) and here is the question:

Will they work as simple dumb APs, just for spreading WiFi all over? All I need is a WiFi AP with PoE power. I have heard they have very good radios with decent antennas and are pretty solid in general.

I know there is a lot of old hardware, but usually it needs some sort of controller (Meru, Trapeze etc).

Best regards



Does using DNS such as 1.1.1.1 cause issues with CDNs?

Does using DNS such as 1.1.1.1 or 8.8.8.8 cause issues with CDNs? I'm quite sure it can cause issues with YouTube caching servers at home ISPs, but I think that is a different set of tech being used for that.



QoS Router for SDWAN

I have a 150/50Mbps Broadband connection that I need to split in a special way. I'm looking for a router that can take that 150 Mbps and put a guaranteed 50 through one LAN port and spread the remaining 100 over the rest of the ports. I only need 4 or 5 LAN ports in total. It also might prove helpful to be able to select which ports get DHCP (if that's even a thing....) Any recommendations on something with a good warranty and GUI?



Content hardware firewall suggestion?

About a company of 200 people, they are looking to do more logs filtering etc than the Meraki they have can do.

I know there are free build your own like Smoothwall..

What are some good ones that comes already together and installed. We want incoming and outgoing logs, ability to block websites etc



Quick Question - Deals with VPN on ASA

Had a power outage yesterday and everyone got sent home because the power company knew it was going to be out for hours. So I thought, that's fine, I'll VPN in and bring everything back up via HP iLO. I'm driving home, which takes over an hour and realize our VPN is using RADIUS. So... with literally everything being down, including AD, how am I going to authenticate? Called the MSP that set it up for documentation to try to get a local account on the ASA to use to log in. Long story short, it didn't work, and I'm trying to make sure I fix that moving forward.

In ASDM if I just check the box "Use LOCAL if Server Group fails" on the AnyConnect Connection Profile, will I be able to use a local admin account to connect? Or do I need to add a local user to a group?



Anyone use Tierpoint for hosted DNS? I've had 3 techs tell me they're removing the ability for customers to edit their DNS without opening a ticket.

As the title says, last night I had trouble editing a text record. Normally you just leave the 'name' blank, so it will apply to the root of the zone (example.com), and then you can add your text (verifying you own the domain, for example).

Tierpoint was suddenly saying the 'name' field is mandatory, so we can't add new records and any of our long existing entries are non-editable.

I opened a ticket to report the bug, and was told it's not a bug, but that Tierpoint has started using Infoblox and is migrating all customer zones into there. They said my domains were migrated already, and I will no longer have permission to modify DNS, and that all future DNS changes will require a ticket for support to do for me.

I've now spoken to 3 different support techs who all say that same thing, but they're trying to find a manager to clarify the policy to me.

Anyone experience this?



Has anybody here succeeded to setup Cisco WFO QM Call Recording solution ?

Hi /r/networking,

I'm here after searching almost everywhere to find a solution to a setup issue related to QM call recording but couldn't solve it yet

It seems that QM can't connect to the Call Manager through the JTAPI user (the same JTAPI user is working fine with UCCX, no issues, and QM recognizes the licenses and their number); the same goes for the AXL user (I don't have much experience with the AXL user, though). I really don't know what I'm missing and what my next step is to solve it.

The problem is in the "Telephony Group" but I don't know at which level exactly, when I try to test CTI services I have the following message : https://imgur.com/a/rdzCC

Tested what was suggested in here without any success https://supportforums.cisco.com/t5/contact-center/wfo-qm-aqm-refusing-cti-connection/td-p/2705293

So obviously I can't see the phones to record.

do you have any suggestions guys ?

Thanks in advance



I suck at VPN Routing.

I understand home networking is usually not allowed, but I'm considering this an educational/home lab thing which I think is allowed here.

I'm having an issue with my VPN (it's OpenVPN) between my home (the Client) and my Vultr router (the Server). Both are Vyatta-based (EdgeOS Client, VyOS Server). The Client has subnets 172.16.64.2/29 and 10.0.0.0/8 (subnetted). The Server has subnets 172.16.64.1/29 and a single public /23. Client can ping Server on common subnet, and vice versa. Server cannot ping 10.0.0.0/8 on Client.

As far as diagnostics go, I've checked that routing is there. My setup is all static routes since it's a very simple (2 router) topology. I set up some NAT on my Client for 172.16.64.0/29 to 10.0.100.0/24 and 10.0.102.0/24.

Below are my routes:

Vultr Router (the Server)

vyos@rt-edge-dc-vult-1:~$ ip route
default via <public net gw> dev eth0 proto zebra
10.0.0.0/8 via 172.16.64.2 dev vtun0 proto zebra
<public net>/23 dev eth0 proto kernel scope link src <public ip>
127.0.0.0/8 dev lo proto kernel scope link src 127.0.0.1
172.16.64.0/29 dev vtun0 proto kernel scope link src 172.16.64.1

Home Router (the Client)

anetworkengineer@rt-edge-ubnt-1:~$ ip route
0.0.0.0/29 dev vtun0 proto kernel scope link
default via <public net gw> dev eth7 proto zebra
10.0.100.0/24 dev eth0 proto kernel scope link src 10.0.100.1
10.0.101.0/24 dev eth1 proto kernel scope link src 10.0.101.1
10.0.102.0/24 dev eth2 proto kernel scope link src 10.0.102.1
<public net>/24 dev eth7 proto kernel scope link src <public ip>
172.16.64.0/29 dev vtun0 proto kernel scope link src 172.16.64.2

So for reference, rt-edge-ubnt-1 is a Ubiquiti EdgeRouter Pro 8 running EdgeOS. rt-edge-dc-vult-1 is a Vultr.com VPS running VyOS. 172.16.64.1 <-> 172.16.64.2 can ping each other. 172.16.64.1 cannot ping 10.0.0.0/8.

Any help is appreciated.
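An added editorial note with a worked configuration example; it is not part of this post or of the earlier "Learning how to route through a VPN connection" post, and it is not the poster's own configuration. Both posts describe the same gap. R1's kernel route "10.0.0.0/8 via 172.16.64.2 dev vtun0" only gets a packet as far as the OpenVPN daemon. In "mode server", the daemon keeps its own per-client routing table and will only hand a packet to a client whose pushed tunnel address or "iroute" subnet contains the destination. 172.16.64.2 is the client's own tunnel address, so it answers; 10.0.102.1 and 10.0.102.9 match no client entry, so the daemon drops the packet before it ever enters the tunnel, which is exactly why the traces show "* * *" from hop 1 rather than a reply from R2. The fix is an OpenVPN-level route on R1 in addition to the kernel route. The block assumes the certificate R2 presents has Common Name "rt-edge-ubnt-1" (an assumption; VyOS matches the client name against the certificate CN):

```vyos
# Added example, not from either post. Assumption: R2's client certificate
# has CN "rt-edge-ubnt-1"; the client name below must match that CN exactly.

# --- R1 (VyOS, OpenVPN server) ---

# 1. Kernel route: already present in the post. Gets packets for 10.0.0.0/8
#    from the kernel into vtun0, i.e. into the OpenVPN daemon.
set protocols static route 10.0.0.0/8 next-hop 172.16.64.2

# 2. OpenVPN-level route: the missing piece. Tells the server daemon which
#    connected client owns 10.0.0.0/8 so it can forward the packet to that
#    client instead of dropping it. The "ip" line is optional and only pins
#    R2's tunnel address to 172.16.64.2 (subnet topology, as the /29 on
#    vtun0 in the "ip route" output shows).
set interfaces openvpn vtun0 server client rt-edge-ubnt-1 ip 172.16.64.2
set interfaces openvpn vtun0 server client rt-edge-ubnt-1 subnet 10.0.0.0/8

commit
save

# Equivalent in a hand-written OpenVPN server.conf (same effect as above):
#   client-config-dir /etc/openvpn/ccd
# and in /etc/openvpn/ccd/rt-edge-ubnt-1:
#   ifconfig-push 172.16.64.2 255.255.255.248
#   iroute 10.0.0.0 255.0.0.0
#
# Check from R1 afterwards with the same commands the post uses:
#   traceroute 10.0.102.1      (expect a single hop answered by 10.0.102.1)
#   ping 10.0.102.9
```

Two points worth knowing. The "iroute" entry is also the server's only per-client source check: once 10.0.0.0/8 is tied to that client, the daemon drops tunnel packets from R2 whose source is neither 172.16.64.2 nor inside 10.0.0.0/8 (logged as "bad source address from client"), which matters here because the "VPN" rule set on R1 accepts everything that arrives on vtun0. And with a single fixed peer like this, VyOS's "mode site-to-site" avoids the per-client table entirely, at the cost of no longer being a multi-client server; whichever mode is used, the kernel route and the OpenVPN-level route must both exist for traffic to reach the LAN behind the client.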



Will EIGRP perform one to one load balancing across two paths with different end to end Bandwidths?

Without using the variance command and assuming switch A & B are purely layer two and do not participate in the EIGRP process.

+-----------------------------------------------------------+
| EIGRP AS 10                                               |
|                                                           |
|  +--------------+   1Gbps                                 |
|  |              +-----------------------+                 |
|  |   Router_A   | 10.2.2.1/30           |                 |
|  |              |                       |                 |
|  +--+-----------+                +------+-------+         |
|     | 10.1.1.1/30               |              |         |
|     |                           |   Switch_A   |         |
|     |                           |              |         |
|     |                           +---+----------+         |
|     |                               |                    |
|     | Path A 1Gbps                   | Path B 100Mbps     |
|     |                               |                    |
|     |                           +---+----------+         |
|     |                           |              |         |
|     |                           |   Switch_B   |         |
|     | 10.1.1.2/30               |              |         |
|  +--+-----------+                +------+-------+         |
|  |              |                       |                 |
|  |   Router_B   |                       |                 |
|  |              | 10.2.2.2/30           |                 |
|  |              +-----------------------+                 |
|  +--------------+   1Gbps                                 |
+-----------------------------------------------------------+


Old Telecom Professionals, why did you guys use 66-blocks and the like? Were RJ-11 patch panels not a thing? And if so, why not?

EDIT: Thank you guys for your responses! This is all very interesting stuff.



Anyone have any experience with Exscript?

I'm trying to learn some python and make little scripts to do some tasks at my job. I found Exscript and I've made some progress but I'm a little stuck! I'm hoping someone has some experience and can help me out.

Code

When I call get_Hostname in vlan_Connected_Ports, I want to be able to pass the connection I already have rather than having another connection made.

I'm not sure if this is the best place to post this but I figured I'd have the best luck here. If anyone knows a better sub to post please let me know!

Any help is appreciated.



Wednesday, April 4, 2018

Cabling Preferences/Best Practices - Keystone or RJ45 at IP Camera End?

About to embark on a project running 20 or so IP cameras in a warehouse environment. On the switch end I have a blank keystone patch panel where I'll terminate the runs to patch into the PoE switch, then the other end will go into a junction box (most likely an electrical work box) and onward into the camera. I'm curious about folks' preferences on whether I should put another keystone jack in the junction box and patch into the camera or terminate it into RJ45 and plug directly in.

Thanks!



I need some help.

Is there anyone here experienced in networking that would be willing to answer some questions I have via pming? Currently trying to self teach myself the basic concepts, and I have some questions. Thanks!



Our main WAN switch port randomly locks up every few weeks

We have a rack at the datacenter with a 1Gb fiber line running to it. That connects to a Dell 2024 switch SFP port, access mode vlan, then there's two copper ports on same access vlan going to two HA Sonicwalls. We also have a fiber P2P line that connects into the same switch, different access vlan, with two more ports going to the HA Sonicwalls.

Every few weeks our WAN port is seemingly locking up. Completely stops responding. I then haul my ass up to the datacenter and reset the switch, and everything comes back up. This is what we know so far:

  • Replaced the switch
  • Replaced the SFP module
  • Verified config
  • Do not believe it's a Sonicwall issue as the Sonicwall still seems up and fine during the outage
  • Bringing the port up/down again fixes the issue (unplugging and plugging the fiber into the SFP)
  • The P2P line plugged into the same switch continues to function, zero issues (it's from the same provider as well)

We've talked to the ISP and they want to have the datacenter check their fiber cross connect, clean it, replace jumpers, etc. I'd also like to have the ISP move us to another port on their end just in case that's the problem, but they're not wanting to do that, don't think it's necessary. I think it's necessary though. These outages are causing us major problems and they should do that simply out of good faith, IMO, NOW rather than after next time we have an outage.

Is there anything else I should be looking for here?? I'm no network engineer here so if there could be some advanced networking issue going on here I may not be aware of it.



BPDU Guard command that won't shutdown port

I thought I remembered reading a while back somewhere about a command that wouldn't shut down an entire port when a BPDU Guard violation occurred.

I think it would only block/shutdown the violated vlan on that port.

I can't seem to find it through googling, anyone know?



Network Assessment?

What software is recommended to automate this, if any?

I know LiveAction will check QoS and other issues.

I am really looking for a process to do an assessment.

Thank you for your suggestions.



Upgrading ISR 4331 running 3.x to Denali 16.3

I found this page that says ROMMON will be auto-upgraded during the reboot process.

Anyone have any real-world experiences they can share? Any gotchas?



Sophos XG Firewall experience - feedback wanted

I was hoping those who work with Sophos XG firewalls could provide some feedback.

We have a few in deployment, but on versions 16 and 17 of their firmware we have hit a number of issues; these include, but are not limited to:

  • NAT rules not working (version 17)

  • VPN connectivity issues - to other Sophos XG's (ver 16 to ver 17)

  • A lot of HA issues - mainly the cluster dying after a failover. (both ver16 and ver17)

  • Default administrator account locking out, no longer can use it after HA failure

I could go into a lot of detail about each of the issues if needed, and we've been in touch and working with Sophos on all of them. A lot of the issues were in version 16 of the firmware; we were assured these were all fixed in version 17, but we are still seeing various issues out in production.

I'd be grateful for feedback from those out there who either deploy or administer Sophos XG firewalls.



IPv6 ACL performance issue, no TCAM exhaustion.

https://ift.tt/2q58Pvs

Remotely Manageable Streaming Player?

I need a media streaming device (like Roku, Apple TV, etc.) that is remotely manageable and affords control over viewable content and permitted use hours.

Does such a thing exist? Surely there must be application/demand in the education sector.



Move from L2 to L3 adjacency - OSPF design sanity check?

We currently have an environment where our primary and secondary data centers are connected via 2x10GB L2 links (stretched VLANs) and I am working through a plan to move to a separate address space for workloads in our secondary data center. The locations are roughly 10 miles apart, so we typically see around 1ms latency between the sites.

Additionally, we currently use OSPF both within the data center (area 0) and between the data center and our various office locations (stub areas, hub and spoke configuration). We are given two VLAN handoffs from our provider (one in the 100 range, one in the 200 range), both of which have the same link cost and whose L3 interfaces exist on our primary datacenter core router.

Our current design looks like this: https://imgur.com/a/nAJiK

We have identified the following issues with the current design:

  • Layer 3 gateways for datacenter VLANs (and point-to-point links for OSPF to branch sites) only exist in one physical location and the loss of the primary data center would affect the secondary as well.

  • There is no DIA circuit or firewall in the secondary data center, so an outage that impacts Internet traffic in the primary datacenter would also affect the workloads in the secondary data center.

  • Traffic tromboning occurs for VMs in the secondary data center if they exist within the same data center but on different subnets

  • Datacenter Interconnect is single point of failure for connectivity between the data center sites.

I'd like to solve those issues with the following configuration changes:

  • Separate address space for both primary and secondary data centers - L3 gateways would exist on equipment local to each respective data center location

  • Move backup (2xx range) VLANs to secondary data center core router, using OSPF priorities to control traffic and DR/BDR election. The backup VLANs would then be routed through our provider's DR router to our secondary site.

  • Utilize BFD to more quickly respond to OSPF neighbor failures and speed up re-convergence

  • Deploy additional HA pair of firewalls in secondary data center

  • Install additional DIA circuit for Internet traffic to/from secondary data center

  • Set up IPSec VPN between primary and secondary firewalls as backup in the event that the data center interconnect fails

A poorly-done quick simplified diagram of what I'm thinking the proposed design would look like: https://imgur.com/a/775YZ

Now, some questions:

  • I've created the data center VLANs in the secondary data center - are there any caveats that anyone can see for just adding those L3 interfaces to the existing area 0 OSPF configuration, traversing the existing L2 link? OSPF is already configured for the secondary data center, but since there is L2 connectivity, direct routes have a lower metric.

  • I have worked with our provider to run an additional 10GB handoff so that we can migrate our backup stub area VLANs one at a time for testing. Since our existing connection is also a simple L2 link, what is to stop all traffic from traversing this L2 link instead of our existing 2x10 link once we turn up the new handoff? I feel like I might be over-thinking this one.

  • Am I missing any glaring failure scenarios or configuration changes in the proposed design?

Disclaimer: I'm a jack of all trades, and I don't consider multi-site OSPF design or networking in general to be my strong suit. We will likely be engaging a VAR to help us with final design and/or implementation of this plan, but I like to do as much of my own legwork as is practical and of course am looking to learn and grow from the experience. Thank you for the feedback, and please let me know if you need any additional context.



Running a local ISP 101?

I'm considering paying for a T1, and I have 2 close childhood friends who want to share this connection as well. So that's like $335.00 each a month. Then I figured, if I could provide a few other nearby folks a good connection then I can curb that cost down. This basically makes me an ISP. I work in the communications field, but my spectrum of IT stops at configuring an SSL VPN. I'm not clueless but I've never done this. Anyplace to get started?



Cisco IPSEC site-to-site between ASA & PIX going stale

Yes... I know... I still have a PIX in the field. It should be replaced with a new Check Point firewall this year but till then I have an issue I can't seem to resolve.

I'm able to get phase 1 and 2 up without issue, but unless there is activity in the tunnel it dies completely, including phase 1. The only way to bring it back is using packet-tracer. Looking everywhere Google brings me to, I've tried everything I can find with no resolution yet.

The office PIX in this scenario can ping the colo1 host 10.16.64.25 without issue, yet when I configure an SLA monitor to use the inside interface the timeout comes back as 'TRUE' when looking at the operational state of the SLA monitor. What am I missing?

Colo1 ASA configuration related to this tunnel

object-group network ogn-colo1-office-local
 network-object object on-10.16.64.0-19
object-group network ogn-colo1-office-remote
 network-object object on-10.50.13.0-24
 network-object object on-10.50.15.0-24
object-group network ogn-colo1-office-local-gp
 network-object object on-10.16.64.25
 network-object object on-10.16.94.0-23
access-list acl-colo1-office-cm extended permit ip object-group ogn-colo1-office-local object-group ogn-colo1-office-remote
access-list acl-colo1-office-gp extended permit ip object-group ogn-colo1-office-remote object-group ogn-colo1-office-local-gp
access-list acl-colo1-office-gp extended deny ip any4 any4
nat (any,any) source static ogn-colo1-office-local ogn-colo1-office-local destination static ogn-colo1-office-remote ogn-colo1-office-remote no-proxy-arp
crypto map outside_map 30 match address acl-colo1-office-cm
crypto map outside_map 30 set peer OFFICE.OUTSIDE.I.P
crypto map outside_map 30 set ikev1 transform-set ESP-AES-192-SHA-HMAC
crypto map outside_map 30 set security-association lifetime seconds 28800
crypto map outside_map 30 set security-association lifetime kilobytes 4608000
group-policy gp-colo1-office internal
group-policy gp-colo1-office attributes
 vpn-filter value acl-colo1-office-gp
tunnel-group OFFICE.OUTSIDE.I.P type ipsec-l2l
tunnel-group OFFICE.OUTSIDE.I.P general-attributes
 default-group-policy gp-colo1-office
tunnel-group OFFICE.OUTSIDE.I.P ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10

Office PIX configuration related to this tunnel

object-group network ogn-office-colo1-local
 group-object ogn-10.50.13.0-24
 group-object ogn-10.50.15.0-24
object-group network ogn-office-colo1-remote
 group-object ogn-10.16.64.0-19
object-group network ogn-office-colo1-remote-gp
 group-object ogn-10.16.64.25
 group-object ogn-10.16.94.0-23
access-list nonat extended permit ip object-group ogn-office-colo1-local object-group ogn-office-colo1-remote
access-list acl-office-colo1-cm extended permit ip object-group ogn-office-colo1-local object-group ogn-office-colo1-remote
access-list acl-office-colo1-gp extended permit ip object-group ogn-office-colo1-remote-gp object-group ogn-office-colo1-local
access-list acl-office-colo1-gp extended deny ip any any
crypto map newmap 30 match address acl-enn-colo1-cm
crypto map newmap 30 set peer COLO1.OUTSIDE.I.P
crypto map newmap 30 set transform-set ESP-AES-192-SHA-HMAC
group-policy gp-office-colo1 internal
group-policy gp-office-colo1 attributes
 vpn-filter value acl-office-colo1-gp
tunnel-group COLO1.OUTSIDE.I.P type ipsec-l2l
tunnel-group COLO1.OUTSIDE.I.P general-attributes
 default-group-policy gp-office-colo1
tunnel-group COLO1.OUTSIDE.I.P ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 10
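As an added consistency check (example code of mine, not from the post or from Cisco): a small parser over the crypto-map related lines of the two configs above that flags any ACL a `match address` or `vpn-filter` statement names but the excerpt never defines, and any crypto-map peer with no ipsec-l2l `tunnel-group`. It only sees the pasted lines, so object definitions kept elsewhere in the running config are not checked.

```python
import re

# Excerpts of the two configs pasted above, trimmed to the lines this check
# reads. The PIX side is kept exactly as posted, "match address" name included.
ASA_COLO1 = """\
access-list acl-colo1-office-cm extended permit ip object-group ogn-colo1-office-local object-group ogn-colo1-office-remote
access-list acl-colo1-office-gp extended permit ip object-group ogn-colo1-office-remote object-group ogn-colo1-office-local-gp
access-list acl-colo1-office-gp extended deny ip any4 any4
crypto map outside_map 30 match address acl-colo1-office-cm
crypto map outside_map 30 set peer OFFICE.OUTSIDE.I.P
crypto map outside_map 30 set ikev1 transform-set ESP-AES-192-SHA-HMAC
group-policy gp-colo1-office internal
group-policy gp-colo1-office attributes
 vpn-filter value acl-colo1-office-gp
tunnel-group OFFICE.OUTSIDE.I.P type ipsec-l2l
tunnel-group OFFICE.OUTSIDE.I.P general-attributes
 default-group-policy gp-colo1-office
"""

PIX_OFFICE = """\
access-list nonat extended permit ip object-group ogn-office-colo1-local object-group ogn-office-colo1-remote
access-list acl-office-colo1-cm extended permit ip object-group ogn-office-colo1-local object-group ogn-office-colo1-remote
access-list acl-office-colo1-gp extended permit ip object-group ogn-office-colo1-remote-gp object-group ogn-office-colo1-local
access-list acl-office-colo1-gp extended deny ip any any
crypto map newmap 30 match address acl-enn-colo1-cm
crypto map newmap 30 set peer COLO1.OUTSIDE.I.P
crypto map newmap 30 set transform-set ESP-AES-192-SHA-HMAC
group-policy gp-office-colo1 internal
group-policy gp-office-colo1 attributes
 vpn-filter value acl-office-colo1-gp
tunnel-group COLO1.OUTSIDE.I.P type ipsec-l2l
tunnel-group COLO1.OUTSIDE.I.P general-attributes
 default-group-policy gp-office-colo1
"""

ACL_DEF = re.compile(r"^access-list (\S+) ")
MATCH_ADDR = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
VPN_FILTER = re.compile(r"^\s*vpn-filter value (\S+)$")
SET_PEER = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
TUNNEL_GROUP = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")


def parse_vpn_config(text):
    """Collect defined ACL names, ACL references, crypto-map peers and
    ipsec-l2l tunnel-group names from an ASA/PIX-style config excerpt."""
    acls, acl_refs, peers, tunnel_groups = set(), [], set(), set()
    for line in text.splitlines():
        if m := ACL_DEF.match(line):
            acls.add(m.group(1))
        elif m := MATCH_ADDR.match(line):
            acl_refs.append(("crypto-map", m.group(3)))
        elif m := VPN_FILTER.match(line):
            acl_refs.append(("vpn-filter", m.group(1)))
        elif m := SET_PEER.match(line):
            peers.add(m.group(3))
        elif m := TUNNEL_GROUP.match(line):
            tunnel_groups.add(m.group(1))
    return acls, acl_refs, peers, tunnel_groups


def dangling_acl_references(text):
    """ACLs named by a crypto map or vpn-filter but not defined in the excerpt.
    A crypto map whose ACL does not exist has nothing to classify as
    interesting traffic, so that side cannot bring the tunnel up itself."""
    acls, acl_refs, _, _ = parse_vpn_config(text)
    return [(kind, name) for kind, name in acl_refs if name not in acls]


def peers_without_tunnel_group(text):
    """Crypto-map peers that have no ipsec-l2l tunnel-group (hence no PSK)."""
    _, _, peers, tunnel_groups = parse_vpn_config(text)
    return sorted(peers - tunnel_groups)


if __name__ == "__main__":
    for name, cfg in (("colo1 ASA", ASA_COLO1), ("office PIX", PIX_OFFICE)):
        print(name, "dangling ACL refs:", dangling_acl_references(cfg),
              "peers without tunnel-group:", peers_without_tunnel_group(cfg))
```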


'monitor capture' on trunk port: not just VLAN 1? (Cisco 4500-X)

Cisco 4500-X switch. Aiming to packet capture on a trunk port, using:

monitor capture mycap interface te2/1/5 out
monitor capture mycap match any
monitor capture mycap file location bootflash:mycap.cap
monitor capture mycap start

results in a capture including only VLAN 1 traffic. So just switch-to-switch chatter like STP. Not what I want. I need traffic from (in this case) VLAN 300.

However if I do:

monitor capture mycap interface te2/1/5 out vlan 300 both
monitor capture mycap match any
monitor capture mycap file location bootflash:mycap.cap
monitor capture mycap start

results in capture which includes all VLAN 300 traffic across the whole switch not just interface Te2/1/5. (This is way too much traffic to inspect, although it presumably includes what I want.)

Doing this results in similar, unwanted behaviour:

... interface te2/1/5 both vlan 300 both 

How can I capture just VLAN 300 traffic on interface Te2/1/5 ?

FWIW I'm looking to capture presumed-errant broadcast traffic (or possibly multicast) so I can't capture based on IP addresses.



Non video learning sites?

I do not learn well from watching videos and trying to replicate them on my own. I learn much better from sites like w3 schools and free code camp. However I can't find any sites in a similar vein for networking. I love how they give you a manageable amount of text to read and then a demonstration and have you demonstrate you comprehended the subjects covered in the text. I think the closest thing I saw was when I was in high school our class used a cisco like product that was similar to this but not very effective. Does anyone know any sites like this?



MMF vs SMF NIC. Issues with transmission over ~100 m.

First post in this community, so apologies if the question is extremely naive. We have a server with an Intel X520-SR2 MMF card with dual ports. We've noticed that we get many dropped packets and we think this is due to the distance over which we're transmitting.

We would like to exchange the card by a SMF NIC as I understand they do better over long distances. I would like to have a dual port SMF card, but I can't find any. Is the solution I'm proposing flawed in any obvious ways? Any input on this would be greatly appreciated.



SSH within a router: script in netmiko

Hi folks, so my connectivity is like this: we have an OSS switch, and from there all my networking devices get logged on to via SSH. So I first need to log in to the OSS switch and then to the other devices.

I have reached the login prompt of the OSS switch by using basic netmiko commands, but now how do I create a Python script using netmiko to achieve the desired target?

If somebody wants I can print whole script here.



Physical Network Documentation or Digital Only?

We're moving our server racks into a local DC soon, so I'm prepping plans, VLANs, equipment, etc. And I was re-thinking our documentation. We have kept everything in an on-prem Dokuwiki for a long time, but when I was on vacation a couple years ago we had a switching issue in-house and our techs couldn't get to the wiki to figure things out when re-programming. So to avoid this in the future I was considering prepping documentation that's printable, and keeping a hard copy in my office.

So the question, do you only keep your documentation digital and in what format? or do you keep a physical copy as well, and what formats do you use?

I'm considering MarkDown for my digital copy, then I can use Pandoc to make it a PDF for printing. But I'm also considering just straight HTML and CSS (because I'm a glutton for punishing myself) so I can draw the charts and keep everything in a single file without external dependencies, it would also be printable.



Guest WiFi not permitted to access DMZ. Any logic behind this?

I work in a 500 - 1000 employee environment. In our guest WiFi and our public facing LAN there are rules in place preventing clients from accessing our own DMZ servers (Public IPs) including our mail server. No one in my team seems to know why these rules were put there, and who put them there in the first place. What would be the logic behind this? In other words, should I leave things as they are?



Voice Readiness assessment software

Hey everyone, wanted to see what other people are using for this kind of thing. I work for a VAR that sells network and VoIP equipment and services. We are looking for a new tool to assess a network's voice readiness by simulating RTP traffic on the network before we implement a phone system. Ideally we could mark QoS, and generate simulated G.711 traffic between endpoints to measure MOS, latency, jitter, packet loss, discards etc. Generating reports off this data would be a must.

We had been using AppNeta with a lot of luck but new management would like to look into other tools to do this. Is there anything out there worth looking at? I have been looking around google without much luck, either getting freeware stuff that isn't going to get us the detail we need or companies that want to sell their assessment services. Any help would be greatly appreciated.



Followup Update regarding Fed up networking HW problem

Previous post for reference:

https://www.reddit.com/r/networking/comments/88o4ad/can_someone_explain_this_to_me_please/

The professor sent a message to all students. The "solution for routing problem now posted". Here it is:

https://imgur.com/a/5rPCF

I don't even know what to say. I'm just going to keep my head down and my mouth shut for the last few weeks of this "class".



QSFP <--> 4X 10G SFP+ breakout not working. Troubleshooting tips/ideas?

Hi.

I made a post recently about QSFP to 4X SFP+ breakout and purchased both AOC and DAC for the same need. Still unable to get the connection UP. Any ideas to troubleshoot this would be greatly appreciated, as I have already lost a month over this.

Lenovo NE1072T (QSFP) <--- 4 x SFP+ ---> Isilon NL410

I purchased custom coded breakout cables from fs.com specifying the same setup as above. I bought the AOC first, and then DAC in the hope that it would work, but neither did.

The connection state is DOWN on both ends after I connect the switch and Isilon with either of the cables.

@omg_the_humanity suggested that I set "system unsupported-transceiver" on the switch and I tried it already.

I made sure the 10G SFP+ ports on the Isilon nodes work by connecting a 10G SFP+ to 10G SFP+ cable to another spare server. Similarly, the 40G QSFP port on the switch works fine if I connect to a 40G QSFP port on a spare server. But the breakout cable won't work.

The Lenovo NE1072T Application guide does not even mention the word breakout. So no luck in official documentation.

The product specification guide of the Isilon NL410 states that they only certify a few transceivers and that the make of their NICs is Broadcom (page 45), if I understand it correctly, which fs.com says their breakout cable should be compatible with.

I'm at a loss here. The Isilon nodes only have 10G SFP+ ports and I only have 10GBase-T ports and QSFP ports. I'm stuck with using those expensive Isilon nodes on 1G interfaces, which frequently max out :-(

I cannot purchase a breakout cable from Lenovo because the other end is not Lenovo. I can't ask EMC because the other end is Lenovo. This optical cabling is a nightmare to me. I wish Isilon nodes came with simple old 10GBase-T ports.

If anybody could help me salvage this situation, I will be forever thankful.



DMVPN error

I got the error on at least 100 of my locations out of 230. These are ISR4321s. The connections came back up about 20 min later. This happened in the middle of the night. The reason why it took 20 min to restore might have been due to no traffic on the tunnel, since it happened at about 1am, or simply because of this error and its outage. What does this exactly mean? Anyone encountered this problem before?

This is the error I got on all 100 spokes:

CDT: %CRYPTO-4-IKMP_NO_SA: IKE message from 1.1.1.1 has no SA and is not an initialization offer
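An added detection example (mine, not the poster's logs or tooling) for the message above as it would arrive at a syslog collector: it parses IKMP_NO_SA lines, groups them by IKE peer and five-minute window, and reports windows where several distinct spokes complain about the same peer, so a fleet-wide burst like the one described is handled as one correlated incident rather than 100 separate alerts. The sample lines, the spoke hostnames and the ISO-timestamp-plus-hostname line shape are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of a syslog collector's feed (ISO timestamp,
# spoke hostname, then the IOS message text from the post). Not real logs.
SAMPLE_LOGS = """\
2018-04-04T00:03:09 spoke-017 %CRYPTO-4-IKMP_NO_SA: IKE message from 1.1.1.1 has no SA and is not an initialization offer
2018-04-04T01:02:11 spoke-001 %CRYPTO-4-IKMP_NO_SA: IKE message from 1.1.1.1 has no SA and is not an initialization offer
2018-04-04T01:02:14 spoke-045 %CRYPTO-4-IKMP_NO_SA: IKE message from 1.1.1.1 has no SA and is not an initialization offer
2018-04-04T01:02:20 spoke-045 %CRYPTO-4-IKMP_NO_SA: IKE message from 1.1.1.1 has no SA and is not an initialization offer
2018-04-04T01:03:02 spoke-112 %CRYPTO-4-IKMP_NO_SA: IKE message from 1.1.1.1 has no SA and is not an initialization offer
2018-04-04T01:03:40 spoke-200 %SYS-5-CONFIG_I: Configured from console by vty0
2018-04-04T01:04:15 spoke-200 %CRYPTO-4-IKMP_NO_SA: IKE message from 1.1.1.1 has no SA and is not an initialization offer
"""

NO_SA_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %CRYPTO-4-IKMP_NO_SA: IKE message from "
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}) has no SA and is not an initialization offer$")


def parse_no_sa_events(text):
    """(timestamp, reporting spoke, IKE peer) for every IKMP_NO_SA line."""
    events = []
    for line in text.splitlines():
        m = NO_SA_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"], m["peer"]))
    return events


def correlate(events, window_minutes=5, min_spokes=3):
    """Group events by (peer, time window) and count distinct spokes.

    One spoke complaining is that spoke's problem; many spokes complaining
    about the same peer in the same window is one event worth a single
    ticket. Returns (peer, window_start, spoke_count) for windows at or
    above min_spokes; the same spoke repeating the message counts once.
    """
    spokes_in_window = defaultdict(set)
    for ts, host, peer in events:
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                           second=0, microsecond=0)
        spokes_in_window[(peer, start.isoformat(timespec="minutes"))].add(host)
    return sorted((peer, start, len(hosts))
                  for (peer, start), hosts in spokes_in_window.items()
                  if len(hosts) >= min_spokes)


if __name__ == "__main__":
    for peer, start, n in correlate(parse_no_sa_events(SAMPLE_LOGS)):
        print(f"{n} spokes reported IKMP_NO_SA for peer {peer} in window {start}")
```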



Looking to use all LTE for branch wan. What kind of problems do you think we'd run in to?

My company is coming up on the end of our current service contract with our MPLS provider. While the way forward isn't paved yet (the team is split with 50% wanting to try an SD-WAN solution, and 50% vehemently opposed to doing so) one thing is clear, we're definitely leaving our current provider.

We might end up going MPLS with a different provider, at this point, or try something new. In the "something new" category we were thinking of using LTE instead of physical circuits.

I know the biggest challenge there is price. It's going to be hard to do so affordably. (Though I think even the worst case is going to end up costing a lot less than our MPLS)

By the way I'm a more junior member of the team, so the real decision makers are not me. But I'm part of the team and we're trying to do research.

A lot of us like the idea of using LTE, because it eliminates having to wait for circuit installs and build out times. We have about 50 branch offices and trying to coordinate installing brand new circuits in all 50 seems like an almost impossible task. With LTE we could order the SIM cards, slap them in a router, and ship them. "Look, ma! No Circuits!"

Then no matter if we use SD-WAN, or remain with Cisco ISRs, we can still just build VPN tunnels back to the mother ship.

What kind of issues do you think we'd have? I know LTE is supposed to perform fairly well and be fairly steady, as long as you have a good signal. If you don't have a good signal, then it'll be worse than the slowest T1 line...

Do you think it could support applications like VoIP and Interactive Video?

A few members of our team think it couldn't. They say we have to keep at least "some" mpls presence used just for VoIP because they think no other solution could possibly support VoIP.

What do you guys think?

We'd of course look for diversity so we'd probably have one AT&T and one Verizon SIM per branch if we go this route.



Upgrading JunOS

Can someone explain to me like I’m 5 why I need to use the “unlink” and “no-copy” options when upgrading Juniper devices?

I know the goal is to save space, but what is the disadvantage of adding these two options with “request system software add”?

As far as I know, the unlink will not save the package in /var/tmp/install. and no-copy will not save the packages in /var/sw/pkg.

I know I can install from /var/sw/pkg/<junos-package>, but what exactly is the purpose of this directory and of /var/tmp/install?

thanks



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



TACACS+ Failover

Hello! I recently set up a TACACS+ server for network devices at my company. I set a local user and pass on each device so they could be accessible if TACACS went down. But the local username and pass DO NOT work if TACACS is down. Here is my aaa config.....

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa session-id common

Any ideas?
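An added model (my example code, not IOS and not the poster's config beyond the aaa lines it parses) of how an IOS method list is walked: each method either answers PASS or FAIL, which ends the lookup, or returns ERROR when it cannot answer (every server timed out), which is the only case that moves on to the next method. Fed with the config above, it shows that `local` is consulted when TACACS+ is unreachable, but never when a reachable TACACS+ server rejects the login.

```python
import re

# The aaa lines from the post, used as the model's input.
AAA_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa session-id common
"""

LIST_RE = re.compile(
    r"^aaa (authentication|authorization) (login|enable|exec|commands \d+) (\S+) (.+)$")


def parse_method_lists(config):
    """Return {(service, list_name): [method, ...]}; 'group X' becomes one method 'X'."""
    lists = {}
    for line in config.splitlines():
        m = LIST_RE.match(line)
        if not m:
            continue  # aaa new-model, authorization console, accounting, session-id
        tokens = m.group(4).split()
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group":
                methods.append(tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[(f"{m.group(1)} {m.group(2)}", m.group(3))] = methods
    return lists


def evaluate(methods, responder):
    """Walk a method list the way IOS does.

    responder(method) returns 'PASS', 'FAIL' or 'ERROR'. PASS and FAIL are
    final; ERROR means "no usable answer", so the next method is tried. If
    every method errors, the request is refused.
    Returns (outcome, method_that_decided).
    """
    for method in methods:
        outcome = responder(method)
        if outcome in ("PASS", "FAIL"):
            return outcome, method
    return "FAIL", None


def login_outcome(tacacs_state, local_user_valid=True):
    """Outcome of the 'authentication login default' list for one login attempt.

    tacacs_state: 'accept' (server answers yes), 'reject' (server answers no),
    'unreachable' (no server answers at all).
    """
    methods = parse_method_lists(AAA_CONFIG)[("authentication login", "default")]

    def responder(method):
        if method == "tacacs+":
            return {"accept": "PASS", "reject": "FAIL", "unreachable": "ERROR"}[tacacs_state]
        if method == "local":
            return "PASS" if local_user_valid else "FAIL"
        return "ERROR"

    return evaluate(methods, responder)


if __name__ == "__main__":
    for state in ("accept", "reject", "unreachable"):
        print(f"tacacs+ {state:11s} -> {login_outcome(state)}")
```

The distinction matters when checking the failover: a TACACS+ daemon that is up but answering with rejects (wrong key, user not in its database) is not "down" to the method list, and the local account is never tried.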



VoIP Phone Confusion

High priority customer calls about a Cisco 7950 that was experiencing intermittent availability, one hour she could call, the next she could not. The work around she would use was to cycle the power of the phone, but she was getting tired of doing this and notified us about her situation.

When I show up on site, the phone is working. I check to see if the phone can place a call, and it can. I test the path from the phone to the patch panel to verify the L1 connectivity, and it looks a-okay. When I go to seat the cable back into the phone, I flip the phone over and notice that the connection from the switch to the phone was going into the PC port, while the PC was routed to the network port. I fix this issue and confirm that the phone can place a call. I notify the individual that I will call her front office to check if the phone is still functioning, and then I headed back to my shop.

Two hours after the visit, I place the promised call and confirm that the phone hasn't experienced an intermittent issue since.

My question is how the fuck was the phone able to place any phone calls? My limited understanding of detailed VoIP functionality thought that the link from the switch to the phone had to be in the proper port on the back of the phone. This idea is most obvious to me when PoE isn't supplied to the device if you do use the wrong port, but with this 7950 being supplied power through an injector it wasn't that obvious at first glance.

If I need to clarify anything please let me know. I appreciate any input!



CCNP Switch 300-115 Study Guide + ~280 Flashcards

Hey folks,

Last post went over well so here's my notes for CCNP SWITCH! I passed the exam earlier today and wanted to share.

CCNP SWITCH STUDY GUIDE

CCNP SWITCH FLASH CARDS

To use the flash cards, click on the flashcard section, then click option, and choose "Answer with definition".

Also, for those that missed the previous thread about CCNP ROUTE, here it is:

https://www.reddit.com/r/networking/comments/7ua4nb/ccnp_route_300101_study_guide_600_flash_cards/

As I won't be taking any kind of notes for CCNP TSHOOT, this is the last thread of this kind from me. Good luck on your studies!



Cisco 6506 SetUp

Is there any well written guide on how to set up a 6506 with IOS? The only guide I found was from Cisco, which is pretty confusing. I never worked with those chassis before, and I’m really confused how to set it up from ROMMON.



Network topology discovery

How do you discover your network's topology dynamically? I found a really neat tool after some research called Rocket NetCure - http://www.rocketsoftware.com/netcure-auto-discovery-technology

It supports a lot of protocols to discover your networks with, which is nice, and has an easy to read topology map. I was wondering if there are any alternative tools that do the same job as well? If there is any open source project for that kind of thing, that would be awesome.



Tuesday, April 3, 2018

Reading Comprehension in Network Engineering (everyone does a double take)

I can only speak for myself here when I talk about Cisco Press books, but it seems that it takes me multiple times to read a paragraph when first covering a topic to be able to retain anything more than a minute later.

Since we have many different types of people in this sub, I was hoping some of you could weigh in on your personal experiences as to how you best approach content to gain concept mastery in the least time possible. I may speak for just myself but I tend to like to spend more time on labbing and less on reading cert guides.

Any thoughts?



Deploying Wireless with Routed Access LAN Design.

Has there ever been a SRND, CVD or reference to specifically deploying Wireless LANs with Routed Access LAN design?

I'm looking for a resource to explain how to deploy a Wireless Network with the following characteristics:

  1. Cannot be a centralized deployment (i.e. CAPWAP tunnelled to WLC), due to my network having routine loss of connectivity to the DC (it's a maritime environment).
  2. Would need to support Cisco FlexConnect as per the above reasons to ensure clients can associate in a WAN down scenario, with local switching and a local RADIUS auth server available when ISE cube is unreachable.
  3. Two SSIDs - Corp and Guest
  4. VRF-aware - supporting path isolation at L2 and L3 for compliance purposes.

Roaming is one of the major issues that I want to overcome - support for BSS Fast Transition (and other MAC layer functions) is lost because that part of the Cisco Split-MAC architecture is handled by the Cisco 5520 WLC and not the APs. However, I don't want to extend a VLAN across the entire LAN to support L2 Roaming between APs that are connected to switch stacks in different racks. L3 Roaming via the WLC is not feasible because of the poor connectivity to the DC, which would time out anyway. Converged Access, on paper, looked like the kind of thing I could have used but it's EoL and was buggy anyway.

It's also undesirable to have traffic tromboning back and forth across a bandwidth-limited WAN link, so the Corp and Guest networks need to be able to securely reach local resources, whilst allowing for path isolation/segmentation with VLANs and VRF-Lite. Without moving an ISE Policy Node onto every single vessel (financially not feasible), I have to rely on a backup auth server to provide some enterprise authentication functions, but I'd like the onboard RADIUS server to be the backup auth server for client authentication onboard - when WAN connectivity is available, use the ISE Policy Nodes in the DC.

I feel like I've got pretty close to a conceptually valid network design that fits my rather obscure use case, but I cannot find a single resource that adequately covers implementing Wireless in a Routed Access LAN, as a reference point.

I've even considered running a vWLC onboard an ISR4K, but it would be an expensive option with relatively limited features when compared to a pair of 5520 WLCs in HA.

Any tips or advice would be much appreciated.