Saturday, April 14, 2018

Unifi APs won't work on Cisco trunk ports

I'm a mostly Cisco guy but for cost-saving measures with this client I'm using Ubiquiti APs. They work fine on access ports, but don't work on trunk ports. Can't access them, can't pass any traffic to them, they won't query the DHCP server, nothing. As soon as I flip the port back to a normal access port, they're fine.

Port config is:

interface GigabitEthernet1/0/19
 description Access Points
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport trunk allowed vlan 20,30,40
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast trunk

VLAN 2 is my management VLAN, it works fine. VLANs 20, 30 & 40 will be VLANs for different SSIDs.

Switch is a brand new 2960-X, APs are UAP-AC-Pros.

I appreciate your input, because in my mind they should be perfectly happy on trunk ports and get their management DHCP leases from VLAN 2.

Show interface trunk
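Interface blocks like the one above can be checked mechanically before a port is flipped between access and trunk. The following is an added example, not code from the post: a small Python linter for IOS switchport blocks. Run on the pasted block it reports two things, that "switchport mode access" leaves the "switchport trunk" lines without effect, and that native VLAN 2 is absent from the allowed list 20,30,40 (on IOS, untagged frames are only forwarded on a trunk when the native VLAN is in the allowed list). The finding texts and the assumed defaults (native VLAN 1 when none is set) are the example's own.

```python
import re

# The interface block from the post, one command per line.
POSTED_CONFIG = """\
interface GigabitEthernet1/0/19
 description Access Points
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport trunk allowed vlan 20,30,40
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast trunk
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '20,30,40' or '2,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config):
    """Split an IOS running-config into {interface_name: [indented command, ...]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # left the interface section
    return interfaces


def check_interface(name, cmds):
    """Return a list of findings for one interface's switchport commands."""
    findings = []
    mode = next((c.split()[-1] for c in cmds if c.startswith("switchport mode ")), None)
    # IOS default native VLAN is 1 when no 'switchport trunk native vlan' is present.
    native = next((int(c.split()[-1]) for c in cmds
                   if c.startswith("switchport trunk native vlan ")), 1)
    allowed_spec = next((c[len("switchport trunk allowed vlan "):].strip()
                         for c in cmds if c.startswith("switchport trunk allowed vlan ")), "all")
    trunk_cmds = [c for c in cmds if c.startswith("switchport trunk ")]

    if mode == "access" and trunk_cmds:
        findings.append(f"{name}: 'switchport mode access' leaves the {len(trunk_cmds)} "
                        f"'switchport trunk' lines without effect; only the access VLAN is carried")
    # Only plain lists are evaluated; 'add'/'remove'/'except' forms depend on prior state.
    if allowed_spec not in ("all", "none") and allowed_spec.split()[0] not in ("add", "remove", "except"):
        allowed = expand_vlan_list(allowed_spec)
        if native not in allowed:
            findings.append(f"{name}: native VLAN {native} is not in the allowed list {sorted(allowed)}; "
                            f"untagged frames would not be forwarded when the port trunks")
    if mode == "trunk" and "switchport nonegotiate" not in cmds:
        findings.append(f"{name}: trunk without 'switchport nonegotiate' still sends DTP frames")
    return findings


def lint_config(config):
    """Lint every interface block in a config and return all findings."""
    results = []
    for name, cmds in parse_interfaces(config).items():
        results.extend(check_interface(name, cmds))
    return results


if __name__ == "__main__":
    for finding in lint_config(POSTED_CONFIG):
        print(finding)
```

The parser only understands the indented command style IOS uses in "show running-config"; feed it the interface sections of a saved config and it checks every port in one pass.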



Cisco Prime - Suppress Alarm for all non Infrastructure Links

Salute,

i need your advice for the following scenario: I have Cisco Prime creating Alarms for all Link Down events across all switches we have.

What i want to achieve: Having Cisco Prime creating Alarm only for Link Down events for ports in a specific port-group (Infrastructure Links).

What i tried to do: Create an Alarm Policy and suppress the alarms for Link Down events for ALL port-groups except one specific (Infrastructure Links).

My Problem: Obviously Prime does not support negation of a selected port group (match all others except the one I selected).

We dynamically assign Infrastructure links to a port-group by a specific pattern in the description. But due to the System Defined port-groups they are assigned as well to other groups too.

How do you achieve getting alarms only for Infrastructure Links without disabling the logging event itself at interface level on the switches?



Juniper Command Guide

So my work is in the process of switching from Cisco to Juniper. I'm still relatively new to networking, so I would often consult this book from Cisco in case I forgot how to configure something. I was wondering if there is something like that for Juniper or what documents, pdfs, or books all you Junos experts use.



Is Google WiFi a solution to my issue?

xpost: https://www.reddit.com/r/GoogleWiFi/comments/8c905n/is_google_wifi_a_solution_to_my_issue/

I have an ASUS AC68U router running the Merlin firmware and it's working great. However, the router has to be placed at one end of the apartment, and devices on the other end sometimes have issues connecting to the WiFi (these are small "smart home" devices).

Would adding the Google WiFi to my setup, using it as a range extender, work? Or is it overkill? It's $10 off right now (deal ends today).

Actually, reading on SmallNetBuilder there appear to be much better performing devices for not a lot more (for example the Tenda MW6 Nova Whole Home Mesh WiFi System for $50 more).



MAC dependent port configuration

Hey r/networking, I take over and refresh network equipment on networks I did not previously manage several times a year. We spend a LOT of time trying to map existing patch panels and switch configs to new equipment.

It seems to me, we already know which vlan each of the MAC addresses belong in via DHCP/ARP and CAM tables. It seems surprising to me that I might be the first person to have this issue. Is there a protocol or software suite out there, that I'm unaware of, that can do this? I've got ideas about how to develop it, if I have to go that route, but we'd pay for and/or learn an existing solution.

I've done some due diligence and found VMPS, and we're not working with Cisco equipment. I also need to configure more than just the vlan. Each vlan usually has a slightly different configuration.

Any thoughts out there?



Question. What is the purpose of serial encapsulation?

Basically what the title says. I've got a test in the coming days where this will very likely be one of the questions. Now, I didn't manage to find the general definition, only the different types. can somebody help?



Ansible and fortigates

Hey guys,

I don't know if I should post this here or in r/ansible, but I've been toying around lately with ansible to automate certain repetitive tasks I do in 140+ small fortigates. I know ansible has a fortinet module but I think it is for fortigates with API (FOS 5.2+) and many of these have FOS 4.0. Is it possible to send arbitrary or ad-hoc commands with it? I can't for the life of me find anything about it and I've tried with several different modules with no luck.



anyone know an online tool to find frequencies in ip addresses?

I want to pull unique ip addresses from a netflow log, anyone know of an online tool that also lists the frequencies of the ip addresses?
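A local script does the same job as an online tool without uploading the flow export anywhere. The following is an added example, not code from the post: it pulls every IPv4 address out of a netflow-style text export and lists the unique addresses with the number of records each appears in. The sample records are constructed, and their field layout (timestamp, protocol, src:port -> dst:port, packets, bytes) is an assumption; real exporters use their own columns, but the extraction is regex-based so the column order does not matter.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample of flow records (not from the original post). Assumed layout:
# timestamp, protocol, src[:port] -> dst[:port], packets, bytes.
SAMPLE_FLOWS = """\
2018-04-14 10:00:01 TCP 192.168.10.5:51234 -> 93.184.216.34:443 12 8400
2018-04-14 10:00:02 TCP 192.168.10.5:51235 -> 93.184.216.34:443 9 6100
2018-04-14 10:00:03 UDP 192.168.10.7:53122 -> 192.168.10.1:53 1 78
2018-04-14 10:00:04 TCP 10.0.0.23:44021 -> 93.184.216.34:80 4 1200
2018-04-14 10:00:05 ICMP 10.0.0.23 -> 192.168.10.1 1 84
2018-04-14 10:00:06 TCP 192.168.10.5:51236 -> 198.51.100.9:22 30 9000
"""

# Dotted quad surrounded by word boundaries; the port after ':' is left out by the boundary.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_ips(text):
    """Return every valid IPv4 address in text, in order, duplicates kept."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            found.append(str(ip_address(candidate)))
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
    return found


def ip_frequencies(text):
    """Map each unique IP to the number of times it appears in the export."""
    return Counter(extract_ips(text))


def top_talkers(text, n=5):
    """The n most frequent addresses as (ip, count) pairs."""
    return ip_frequencies(text).most_common(n)


def frequencies_from_file(path):
    """Same as ip_frequencies, reading the export from a file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return ip_frequencies(fh.read())


def report(text):
    """Frequency table sorted by count descending, then by address."""
    rows = sorted(ip_frequencies(text).items(), key=lambda kv: (-kv[1], kv[0]))
    return "\n".join(f"{count:6d}  {ip}" for ip, count in rows)


if __name__ == "__main__":
    print(report(SAMPLE_FLOWS))
```

Counting source and destination together answers "how often does this address show up"; to split the two, run extract_ips on each side of the arrow separately.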



Friday, April 13, 2018

Some questions about Cellular and Signal Boosting

So I have no background in Cellular technologies, or RF in general. I've been given the dubious task of "boosting the signal" in the basement of a medium office building. So I've been doing my research and have picked up a test set. One thing confuses me.

I found on the FCC's website where I can look up the different band and frequency ranges of different wireless carriers in the area. But each carrier has multiple frequency ranges in multiple bands. How can I know what particular band/frequency range I'd be looking at to boost for specific users? Is it just a broad thing?

For example AT&T and Verizon for this zipcode all have at least one frequency range in the low 700s band, the high 700s band, the 800s band, and the 1900s band and the AWS band, etc.

What if I find the AT&T signal, for example, is really good in the one band but really bad in the other band?

It just seems like a nightmare of complexity and way outside of my wheelhouse. Any advice would be helpful.

We paid for a high end test set, so it should be fairly accurate.

But then figuring out what kind of boosting is needed is only the first hurdle. Then there's the whole realm of figuring out outside antenna type and placement (omni-directional vs directional?) and interior antenna type and placement (panel antenna vs dome antenna) and the media to hook it all up with, the settings on the Booster and how to figure out it's all working.

Any advice? Reading materials?

Thanks for any help guys 'n gals!



Tool For Monitoring What Websites Your Users Are Visiting

Have a client, 300 person shop, that is looking for a solution to monitor what websites their folks are visiting when on their network. Apparently there have been issues recently (compliance) that are pushing this.

Right now they are on basic, entry level, Sonicwall firewalls and no proxy system (that I am aware of).

Any solutions/providers to suggest for review?

Thanks.



1000+ new RF devices introduced to enterprise network and possible risks involved

This may be a bit low level for this sub, but I have looked everywhere and don't know where else to turn. If you have a better suggestion where to put this question, please tell me!

I work for a large call center and we are debating making the switch to wireless headsets - but some of the other leadership is concerned it would affect internet quality. I understand where they are coming from because it would introduce about 1000 new RF signals between the 2.4 GHz non-Bluetooth dongle and the headset, but all of the computers are hard-wired by ethernet; so in my mind, it shouldn't make any difference in the VOIP call quality.

The only issue I could possibly foresee is MAYBE a slight drop in internet quality for the leadership that has laptops, but very, very minimal impact. I mean, all of our agents have their cell phones in the building and are connected to it (albeit it's a guest network, but still) and there was no drop in quality when that rolled out. I just don't see how it would be an issue with the new headsets as far as the internet quality on the hardwired desktops, which is the other leadership's concern.

My question: As networking professionals, would these headsets even make a difference? Or does that radio frequency from the headsets even bother a strong wifi signal, or better yet a strong ethernet signal?

Please let me know your thoughts!



Migration question from Checkpoint to Palo Alto

Hi, I need to migrate from CP r77 to Palo Alto 7.x. The CP has Application based policies which the PA migration tool does not migrate (i.e. HR users can access Facebook Messenger).

What would be the simplest way to migrate those Application based rules to the Palo Alto?

Thanks in advance.



Too cheap to pay for inflight Wifi. What should I download to watch/read beforehand?

Specifically looking for networking-related things, not just "your favorite movie" etc. Most open to downloadable movies or pdfs. (As an example, for my first flight, I read Aruba's High Density planning guide. Good stuff!) Thanks!



Application Hosting on Cisco Catalyst 9000 Switches

Can someone please shed more light on this? It sounds convincing but I have zero knowledge on it. https://www.youtube.com/watch?v=kYxfTWN4nZI



HP/Cisco Fiasco

I started on cable management of user ports on our central HP (not core) switch and after getting through a/b modules, 3/4 of the attached Cisco switches are error disabling due to STP. All affected trunk ports are on g/h modules and no other configuration changes. HP switch shows nothing wrong.

I need assistance looking for the next step.



Question about CAT6 wiring for an apartment complex

Ok, so I am wondering if this fits spec or not. Switch - patch panel - patch panel - patch panel - PC. The switch and first patch panel would be in a wiring closet on the floor, and the other 2 patch panels would be used as an interconnect in a residents unit. I suspect that would work, but I wanted to check on this before accepting it, as this idea is being pitched to me as a solution to allow residents to patch whatever jacks they actually want by interconnecting the 2 patch panels in their space.



Routing between two customer's networks

We manage the DCs for some of our customers including B, and customer A has a router in the same DC so we have BGP peering with them. "A" wants to access the internal server in B's network so we provide the connectivity (and yes, due to some regulatory issues we seem to like firewalling stuff :)

https://snag.gy/EhSqtj.jpg

However they have a Skype server in the DMZ and now when we advertise the customer B's full network towards A, the traffic towards Skype comes from "internal" interface to customer's B network. And it makes life difficult when we'd have to add the rules on our own firewalls and in the customer's firewalls.

Do you see a better way to do this? Or should I just bite my tongue and configure all the rules :) We've also had problems when some customer's Exchange for example has an internal address, and can see other customer's mail server via direct peering but the other customers Exchange knows only the MX record that has a public IP address (NATted on the other customer's network) and tries to send packets back over the internet.

I'd like to advertise full networks to benefit from the faster inter-DC link instead of going over the internet. Maybe I should take the routes from different customers to internet VRF and then just have all the customers use our internet connectivity to go out? We're not really an ISP per se for we haven't had much experience with this... so far we've managed this by not routing the "public IPs" via those direct peerings but it's difficult to manage and also slower.

Thanks for any ideas!



Live ASA Replacement?

So the scenario that I am mulling over right now is that we have a remote AnyConnect setup running off of an out of date ASA (legacy device), and so the company has agreed to purchase two X-series ASAs to use an up to date code version, and we will upgrade to AnyConnect 4.5 at that time too.

In my mind, the ideal situation would be to have the new setup already running under a test.vpn.company.com address, select specific users to log in and test that VPN and report back any issues, and once we are confident in the setup just point our DNS at the new device and everything is smooth and efficient.

However, we do have a small caveat that I'm not sure if it will be a problem, several of our vpn users have static ip addresses given to them through ACS. If those users use the testvpn, how would we know to route the traffic back to the new asa instead of the old asa?

Maybe I don't understand routing enough to know if it would be a problem or not, so I wanted to check here and see if anyone had done something like this, or they had a solution that would work. If we built the configuration exactly like the current one, could we test this side by side with the existing ASA or would routing not work? Is there a way to make the route work in this scenario?



HELP - UC540 Cisco 8.6.2

Does anyone know where I could find the following without having a support contract through CISCO, this product is end of life and I was previously able to obtain these files from the file exchange... Anyone with any information on this, I am looking to try to reload my UC540 with this version, as I have run into some configuration issues with the version running on my hardware. Thanks in advance.

https://software.cisco.com/download/release.html?mdfid=282819521&catid=278875240&softwareid=282762907&release=8.6(2)&relind=AVAILABLE&rellifecycle=&reltype=latest



Patch Panels, Why do I need them?

Pretty good discussion in this thread.

https://community.spiceworks.com/topic/2127837-why-don-t-home-runs-terminate-directly-to-the-switch

Personally, I'm always looking to play devil's advocate about best-practices, but this makes me want to go out of my way to fix the home runs in my network that go directly into a switch here-and-there.



Nexus equivalent of Archive Config functionality in IOS?

Afternoon, everyone - On all of my IOS devices, I use the

Archive config 

functionality to be able to very easily send the current configuration off to a TFTP server before making changes on a switch.

I'm trying to configure that on an NX-OS device at the moment, and realizing the command doesn't exist.

Is there an equivalent function on the Nexus line?

If not, can I create some sort of a Macro named Archive Config, that I can then specify to execute:

copy running config tftp://192.168.0.1/Cisco 

Thanks in advance.



Trunk between Dell 6024F and Cisco C3560 assistance.

This seemingly simple task has been a challenge for me over the past few weeks and I'm hoping you guys and gals can help.

I have a guest wireless network that is flat and using vlan1. The aggregation switch is a Dell 6024 and the closets are Cisco c3560. I have been tasked with creating a second vlan that will be stretched to all closets. The Layer 3 exists on the firewall. I'm trying to create a trunk between the Dell and Ciscos. For the life of me I can't get it working. The ports that should be trunk are up and passing traffic, they just aren't passing my new vlan I created or even showing as a trunk. Here is my config below.

Cisco

int gi0/1
 switchport trunk encapsulation dot1Q
 switchport mode trunk
end

show int status
Port    Name    Status      Vlan    Duplex    Speed     Type
Gi0/1           connected   1       a-full    a-1000    1000BaseSX SFP

Dell

interface ethernet g2
 switchport mode general

interface ethernet g2
 switchport general allowed vlan add 402


Nexus 5500 VLAN hopping with ping - Is this expected?

I have the following setup

Topology (the original ASCII diagram, rendered as text):

HOSTA, in VLAN 5: IP address 5.5.5.5
Nexus 5500, VLAN 5 SVI: 5.5.5.1/24, MAC 5555.5555.5555
Nexus 5500, VLAN 10 SVI: 10.10.10.1/24, MAC 1010.1010.1010
BLACK BOX, in VLAN 10: IP address 5.5.5.5, static ARP entry 5.5.5.1 -> 5555.5555.5555

#1 Ping: BLACK BOX sends "ping 5.5.5.1" into VLAN 10
#2 Reply: the Nexus sends the reply to HOSTA in VLAN 5

Pings from VLAN 10 are generating replies to HOSTA in VLAN 5. This doesn't seem like the greatest security concern in my naive mind but doesn't this break separation of VLANs?



Advertising a /28 as a /29 over BGP. Possible?

Bear with me :)

I'm setting up VRRP on two routers. The customer has a public /29 and instead of eating away at 3 of these IP addresses for VRRP, instead I want to increase the router interfaces with VRRP on to a /28 but I need to advertise it out as a /29 as this is what the customer owns.

Example : Customer owns 8.8.8.8/29

VRRP Router1 : 8.8.8.1/28
VRRP Router2 : 8.8.8.2/28
Standby IP : 8.8.8.9 (falls within their actual prefix)

Customer can then use between 8.8.8.10 to 8.8.8.14 on the inside of this as a /29.

A static route to null 0 for the 8.8.8.8/29 and then re-advertising that won't work as it would get preference over the connected interface due to it being a more specific prefix.

Is there any way this is possible? I know BGP won't advertise something it doesn't see in its routing table. It will see the /28 of course but I can't have that advertised as a /28.

The alternative is using a completely different (private) range for the VRRP but it gets a bit messy for the customer this way.

Thanks



SNMP delay for queue drain

I am running into an issue where SNMP traps on a non-resil setup are being drained but not received on my end.

Could this be a result of the queue draining too fast after reestablishing connection?



Need help ! My college will drive me crazy

My college is total shit; they have blocked even educational websites in the name of blocking porn. My college uses a Fortinet firewall; please suggest me a step by step process to bypass it. They have even slowed down the internet, saying students don't need that much speed. WTF, we can't watch YouTube videos without buffering; they say we should study instead of using the internet. What the hell are they thinking? Please suggest me some way to bypass it, I can't stand this tyranny. Edit 1: I have used VPNs of all sorts, nothing works.



Need a recommendation for a bunch of 12-port workgroup switches

Hoping someone can provide a switch recommendation for a one-off scenario.

Due to wiring limitations, I need to provide an inexpensive 12-port gigabit switch for a large number of tables that seat 10 users. The switch must be very quiet and support management access over SSH. Support for LACP would be nice as well. All the switches will be uplinked with one or two cat6 cables to a Cisco 2960X switch. Thanks



Cisco PVLAN to Juniper PVLAN interoperability

Will keep this short. I have issues setting up a Cisco 3850 pvlan trunk that can act as both a regular pvlan trunk and carry standard vlans to a Juniper EX series switch. I've tried the pvlan port mode promiscuous on the Cisco and then set the vlan on the Juniper side to pvlan trunk but no success.

any tips are welcome



Did anyone else here prefer WCS's UI to Prime's?

I've lately been working with a company that has a bunch of old shit deployed, including WCS... And you know what, I like it so much better than Prime.

Fuck you Cisco, for ruining a perfectly functional and snappy application. :(



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Can you order additional Apex Licenses?

I don't know the exact user count in my network of anyconnect users. I want to order say, a 999 user apex license which falls into the group user range of 500-999 apex users. My question is, if I install this, and then find I need to add an additional license, would I then need to buy 1000 more licenses because I've hit my limit within that group (i.e. I would need to move up a group to the 1000-2499 bracket)?

Furthermore, if I ordered 1000 users (which falls into the 1000-2499 group user range) and I needed 1 additional license, could I actually just order 1 license and get this added to my smart account?

I am just confirming what options I have to add more users, so I can include some scalability as the user count increases.



Thursday, April 12, 2018

Fastest way to accomplish Cat 9300 provisioning?

Are there any suggestions that can be given to a guy who needs to do 68 code upgrades and config uploads in the least amount of time possible?

I would like to do this in a call home/POAP method similar to Nexus but I am not sure if that is a possibility on Cat 9K's. Any suggestions?



FortiAP Wireless Issues

I have been noticing some odd behavior with my Fortinet wireless network and some of my clients. I am wondering if it's specific to my setup or a more common problem.

I have several laptops that refuse to connect to the wireless. They all say password incorrect when trying to connect. I initially thought that the users were just typing in the password wrong, but it's something that I have come across myself and can easily replicate.

Things I've noticed:

1. Even when the password is entered correctly, Windows refuses to connect.
2. These machines have no problem connecting to the guest SSID which has a similar configuration.
3. Windows logs are not great.

Here are some of the logs I picked up:

WLAN AutoConfig service failed to connect to a wireless network.

Network Adapter: Killer Wireless-n/a/ac 1435 Wireless Network Adapter
Interface GUID: {c1dd714a-1244-4de3-8938-affb7d4e09b6}
Connection Mode: Connection to a secure network without a profile
Profile Name: NCVC-Mobile
SSID: NCVC-Mobile
BSS Type: Infrastructure
Failure Reason: The operation was cancelled.
RSSI: -67

Has anyone else experienced issues like this?
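When several clients fail the same way, the WLAN-AutoConfig events are easier to compare once they are parsed into fields and grouped by SSID and failure reason, which separates a coverage problem (failures clustered at weak RSSI) from an authentication or profile problem (failures at a usable signal such as the -67 dBm above). The following is an added example, not code from the post: a parser for the flattened event text as pasted, plus a per-SSID summary. The first sample event is the one from the post; the other two are constructed, and the -75 dBm "weak signal" threshold is the example's own assumption.

```python
import re
from collections import Counter, defaultdict

# Field labels as they appear in the Windows WLAN-AutoConfig failure event.
FIELDS = ["Network Adapter", "Interface GUID", "Connection Mode", "Profile Name",
          "SSID", "BSS Type", "Failure Reason", "RSSI"]
_SPLITTER = re.compile(r"(" + "|".join(re.escape(f) for f in FIELDS) + r"):\s*")

SAMPLE_EVENTS = [
    # The event text from the post, re-joined onto one line.
    "WLAN AutoConfig service failed to connect to a wireless network. "
    "Network Adapter: Killer Wireless-n/a/ac 1435 Wireless Network Adapter "
    "Interface GUID: {c1dd714a-1244-4de3-8938-affb7d4e09b6} "
    "Connection Mode: Connection to a secure network without a profile "
    "Profile Name: NCVC-Mobile SSID: NCVC-Mobile BSS Type: Infrastructure "
    "Failure Reason:The operation was cancelled. RSSI: -67",
    # Constructed: same SSID, different adapter, weak signal, different reason.
    "WLAN AutoConfig service failed to connect to a wireless network. "
    "Network Adapter: Constructed Wireless-AC Adapter "
    "Interface GUID: {00000000-0000-0000-0000-000000000001} "
    "Connection Mode: Connection to a secure network using a profile "
    "Profile Name: NCVC-Mobile SSID: NCVC-Mobile BSS Type: Infrastructure "
    "Failure Reason:The specific network is not available. RSSI: -82",
    # Constructed: guest SSID failure at a good signal.
    "WLAN AutoConfig service failed to connect to a wireless network. "
    "Network Adapter: Constructed Wireless-AC Adapter "
    "Interface GUID: {00000000-0000-0000-0000-000000000002} "
    "Connection Mode: Connection to a secure network using a profile "
    "Profile Name: NCVC-Guest SSID: NCVC-Guest BSS Type: Infrastructure "
    "Failure Reason:The operation was cancelled. RSSI: -65",
]


def parse_event(text):
    """Split one flattened WLAN-AutoConfig failure event into a dict of its fields."""
    parts = _SPLITTER.split(text)  # [preamble, label, value, label, value, ...]
    record = {"Message": parts[0].strip()}
    for label, value in zip(parts[1::2], parts[2::2]):
        record[label] = value.strip()
    if "RSSI" in record:
        record["RSSI"] = int(record["RSSI"])  # dBm, negative
    return record


def summarize(events, weak_dbm=-75):
    """Per SSID: failure count, failure reasons, and how many failures were below weak_dbm."""
    summary = defaultdict(lambda: {"failures": 0, "reasons": Counter(), "weak_signal": 0})
    for ev in (parse_event(e) for e in events):
        entry = summary[ev.get("SSID", "<unknown>")]
        entry["failures"] += 1
        entry["reasons"][ev.get("Failure Reason", "<none>")] += 1
        if ev.get("RSSI", 0) < weak_dbm:
            entry["weak_signal"] += 1
    return dict(summary)


if __name__ == "__main__":
    for ssid, entry in summarize(SAMPLE_EVENTS).items():
        print(f"{ssid}: {entry['failures']} failures, {entry['weak_signal']} at weak signal")
        for reason, count in entry["reasons"].most_common():
            print(f"    {count} x {reason}")
```

Exporting the events from Event Viewer (Microsoft-Windows-WLAN-AutoConfig/Operational) as text and feeding each event's message body to parse_event gives the same grouping across all affected machines.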



Cisco Meraki..... I am disappoint

I should have posted this yesterday for Rant Wednesday, but I am still dealing with this issue and just got this email today.

"You would also need to place an order for 12 more licenses and make sure the customer knows to claim these as a renewal when they enter them into the dashboard. New licenses and renewal licenses are the same sku. They just need to claim them as a renewal to avoid this issue."

TLDR I needed 12 renewal keys for Cisco Meraki and purchased them through an authorized retailer. Missed the drop-down and added as new hardware rather than renewal... I feel like Cisco has a bad UI and clearly admits it uses the same SKU for renewal as adding hardware. I think this is personally ridiculous... any one else make this mistake?



Small business looking to downgrade server

I work for a small business that only has 15 employees but occupies a huge building.

Our IT support is 100% outsourced and none of the staff other than myself are particularly tech savvy.

I feel like we're being massively overcharged for our server and that it is simultaneously both underpowered AND surplus to requirements, so I'm looking for advice on how we could possibly reduce reliance on it and also move to something cheaper.

Current setup:

  • £12,000 per year for the leased server (on-site)
  • 15 networked Win7 PCs spread over 3 floors

Server is handling:

  • Active directory
  • Accounting software (cloud version is available)
  • Building/diary management software (cloud version is available)
  • 3x networked printers across 3 floors
  • 30ish phones (possibly...). Our separate telecoms provider logs in to a management portal by accessing a local IP on our network but don't know to what extent this uses server resources
  • Wired & wireless internet access throughout the building for sublet office spaces (devices not part of our network) for maybe an additional 40 users
  • Storage of 500 GB of shared files regularly accessed, e.g. our marketing dept often works on large Photoshop files that are stored on the server instead of the local machine. I once had an Excel file that was connected to several other Excel files for automatically importing data into a master file, all of which were stored on the server instead of locally. IT told me this was slowing down the network and to stop doing it...

Proposed changes:

  • Move all software packages to cloud based versions
  • Move file storage to cloud (is something like OneDrive / SharePoint actually viable/user friendly when it comes to opening/working on files that aren't saved locally, or would there be other alternatives if not? Or is it exactly like Dropbox where files are saved on the local machine but immediately synced when saved?)

A cheaper server would then only handle:

  • Active directory (would Azure AD be a viable cloud alternative also? Is this more difficult to manage for IT providers?)
  • Printers
  • Internet access
  • Phones (again, possibly... telecoms are beyond me)

Just looking for ball park figures for how much an adequate server should cost for the above. Is £12,000/yr as high as I think it is?

Management seem averse to buying any hardware when they can rent it for a manageable but hugely inflated monthly cost.



Ebgp-multihop...why not just 255 all the time?

I was teaching some basic BGP to some people today, sourcing off a loopback, ebgp-multihop 2, yada yada, when one of them asked "well why don't we just always set it to 255 to avoid wrong hop counts?". I wasn't able to answer that question. Researching it, I found someone that said you shouldn't do that, but he didn't even explain why. Most other articles just explained the basics of the command. So, why do you all think we shouldn't set it to 255? It's good enough for an IPv4 packet, so why not for BGP?



fwBuilder: alternatives? Command-line based?

I've been using the (apparently abandoned) fwBuilder to manage the ACLs on a core switch which supports 50+ VLANs, so it's fairly complex. fwBuilder is pretty and certainly works very well, but it's laborious when adding new VLANs because there's a lot of repetitive point-and-click.

http://web.archive.org/web/20170928231335/http://www.fwbuilder.org:80/4.0/how_it_works.shtml

We have lots of VLANs because each research group gets their own VLAN and we're 'onboarding' a lot of new groups right now. I'm trying to automate this part of the process even more.

Something using only command-line tools, build/make, perhaps?

How do you manage large numbers of ACLs or firewall rules using 'builder' utilities?
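One command-line answer to the repetitive point-and-click is to keep the per-group facts in a small data file and generate the ACLs from them, so onboarding a group means adding one record and regenerating. The following is an added example, not from the post or from fwBuilder: a Python generator that emits one IOS extended ACL per research VLAN (permit shared DNS/NTP, permit only the TCP services other groups explicitly expose, deny the rest of the research VLANs, permit everything else) and the "ip access-group ... in" line for its SVI. The inventory, the shared-service addresses and the policy shape are constructed assumptions; swap in your own addressing and rules.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import List


@dataclass
class ResearchVlan:
    vlan_id: int
    name: str
    subnet: IPv4Network
    exposed_tcp: List[int] = field(default_factory=list)  # TCP services other groups may reach


# Constructed inventory and shared services (placeholder addressing, not from the post).
SHARED_DNS = ["10.0.0.53", "10.0.0.54"]
SHARED_NTP = "10.0.0.123"

INVENTORY = [
    ResearchVlan(101, "genomics", IPv4Network("10.101.0.0/24"), exposed_tcp=[443]),
    ResearchVlan(102, "robotics", IPv4Network("10.102.0.0/24")),
    ResearchVlan(103, "climate", IPv4Network("10.103.0.0/24"), exposed_tcp=[22, 443]),
]


def _net(v):
    """IOS 'network wildcard' form of a VLAN's subnet."""
    return f"{v.subnet.network_address} {v.subnet.hostmask}"


def acl_for_vlan(v, inventory):
    """Inbound ACL for one research VLAN's SVI (filters traffic sourced by the group)."""
    others = [o for o in inventory if o.vlan_id != v.vlan_id]
    lines = [f"ip access-list extended VLAN{v.vlan_id}-IN",
             f" remark generated policy for {v.name}"]
    for dns in SHARED_DNS:
        lines.append(f" permit udp {_net(v)} host {dns} eq 53")
    lines.append(f" permit udp {_net(v)} host {SHARED_NTP} eq 123")
    # Explicitly exposed services of other groups come before the blanket deny.
    for o in others:
        for port in o.exposed_tcp:
            lines.append(f" permit tcp {_net(v)} {_net(o)} eq {port}")
    for o in others:
        lines.append(f" deny ip {_net(v)} {_net(o)}")
    lines.append(f" permit ip {_net(v)} any")   # everything not research-to-research
    lines.append(" deny ip any any log")        # catches spoofed sources on the VLAN
    return lines


def render_all(inventory):
    """Full IOS snippet: every ACL plus its application to the matching SVI."""
    out = []
    for v in inventory:
        out.extend(acl_for_vlan(v, inventory))
        out.append(f"interface Vlan{v.vlan_id}")
        out.append(f" ip access-group VLAN{v.vlan_id}-IN in")
        out.append("!")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_all(INVENTORY))
```

Because the generator rebuilds every ACL, adding a VLAN also updates the deny lines in all existing groups' ACLs, which is the part that is easy to miss when editing by hand. Keep the inventory in version control and diff the rendered output before pushing it.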



802.1x, Radius, and LDAP/AD

The money people at the top shot down the budget request for ISE, so I am going to throw on some 802.1x through a RADIUS server that will auth users by client side certs and/or AD via LDAP. It's a pretty simple except for one little caveat maybe. I have a meeting next week with the SysAdmins to flesh it all out, but I wanted to check and see if anyone else has been in my edge case so I can kind of know what to expect from them.

We are in the midst of an AD migration, and roughly half the users are on the old domain and half on the new. We have 2 different sets of RADIUS servers. And there is no pattern to how they are migrating users and workstations, so each site has a mix of both.

Are there any "gotchas" or shenanigans I may run in to? Would it even be worth doing this, or should I press for them to speed up their migration?



SSH Server

For those of you in large enterprise environments, what do you use for a centralized SSH server to lock down your infrastructure's SSH access?

Looking at a few different options, and I would appreciate your input.


A few requirements:

-Multiple concurrent logged in users

-Preferably a clean UI for SSH



Single-Number voice and fax

My organization has been configured to allow a user to receive faxes and voice calls at their desk number from the outside. However after replacing one of our remote site's router with an ISR4K, and a number of calls with TAC we've been informed that our configuration is no longer supported on the ISR line (using their fax_detect TCL script on the voice gateway). Luckily this only affects the remote site for now, but the remaining sites will be replaced with ISR4ks in the future.

According to my conversations with TAC, using fax on-ramping on the ISR4k line is not supported. My research has pointed back at just setting up dedicated fax numbers and just retraining users, but I'm sure there are avenues I have not explored yet.

Does anyone have their environment configured to allow receiving of faxes and voice calls on end user DIDs, or is this just an unreasonable expectation?

Bonus Info: We have Cisco UCM and an Xmedius Fax server



Rack mounting hardware kit suggestions?

Anyone have a go-to kit for rack mounting hardware? There are at least 3 sizes of screws that I've run across, and that doesn't even get into the cage nuts. I'm having trouble locating an all-inclusive kit that will work with any rack. I'd love to have one box in the toolbag that would work in any situation.



Best practice? Removing ~150 unused cables from 2x 6500s

I've cleaned up closet switches before, but never this many cables at once. It's not a complete rat's nest of cables, but I don't have to salvage the cables if I don't want to, so it's likely I will be chopping off the switch side plug. Since I don't know where they are going on the patch panel I'll have to start from the switch and trace it over.

Is it better to do it one by one, blade by blade, or just unplug them all from the switch and work as much through at once to the patch so I can unplug from there?

Just looking to see what others have run into when cleaning up a large closet switch that still has a bunch of active ports.



MPLS to SD-WAN?

Anyone who made this switch? Good, bad, ugly? We are going through a POC right now and having some pains of not having complete insight into the ANAP and the environment as a whole. Obviously relying on vendor support to tell us why something isn't working or is broken. Departure from what I am used to but looking for opinions from people who went all in on SD-WAN.



ID this AP?

Hey guys - this may be a long shot, but was wondering if someone here can ID the AP they're using (second picture): https://techcrunch.com/2018/04/11/droneshield-is-keeping-hostile-uavs-away-from-nascar-events/



DAS engineer wanting to learn networks

Hello. I am a DAS (distributed antenna system) engineer who does work for enterprise level clients to provide coverage for commercial carriers (VZW, ATT, T-MOBILE, etc.) among other things. With the advent of HETNET and roll-out of 5G, my career is seeing a lot of overlap with the broader networking fields.

I would like to become more knowledgeable in networking at large as well as on specific topics like VPN/IPSec, firewalls, switching/routing. I completed a networking class in college as part of a BSEE; so, I am familiar with some basics.

Anyway, I am looking for a good starting point — maybe a couple books, certifications to pursue, or websites to bookmark. Thank you for the help.



ACI - Migration scenario

Hello People,

So we basically are going to move from a NX-OS network to an ACI Fabric. Now i've been through the stuff about ACI and have done a lot of reading and poc labbing.

But I have forgotten a few parts of the lab that are very crucial (silly me). Chief amongst these is the migration from the old network to the ACI fabric. Now Cisco has written a very formal document on this:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/migration_guides/migrating_existing_networks_to_aci.html

And everything looks clear and concise but i still linger with a few questions:

Let me tell you first that I work in a shared team, but I'm dedicated to a project. The goal of this project is to migrate the customer resources of the shared fabric (NX-OS) to their own dedicated network (Cisco ACI).

This means that i have to involve other people that manage the shared NX-OS Fabric and they have expressed concerns that we should not connect the Cisco ACI fabric L2 to the NX-OS network as it may cause a loop in the network. I do agree on this but i think steps can be taken to minimize this risk. (I know that the ACI does not actually talk spanning-tree, it doesn't even respond to the BPDU's i think, but it can bridge a BPDU)

Is my assumption correct to say that if we define the L2 links towards the ACI as type edge and leave them out of the STP calculations, we cannot cause a loop because ACI won't send a BPDU towards the legacy network? However it won't drop the BPDU either, so what's there to stop the BPDU going across the ACI and back into the legacy network? I would assume proper cabling and connection thinking goes into that.

Also, has anyone done a migration of this with an ESXi host? Loads of scenarios describe that we can connect an ESXi host to the ACI fabric and migrate the servers like this; this would require that the ESXi host has spare ports to be configured in the ACI fabric and the VLANs only have port level significance. Did anyone perform a migration like this? How fluent is it? What were the caveats you ran into?

Thanks in advance, I hope that people can share their real life migration story here so I can get an idea of how it all works.



Cannot get TFTP to work across Management Interface

I'm configuring a 4300 ISR that I want to update but I can't get TFTP working across the management interface/VRF.

I've seen multiple posts about setting the TFTP source interface to the management interface but that hasn't done anything for me. The TFTP connection fails with:

%Error opening tftp://172.16.0.79/isr4300-universalk9.03.16.07.S.155-3.S7-ext.SPA (No such file or directory) 

I've used this TFTP server for multiple updates this week so I know it's not a problem with the TFTP server/firewall. Is there anything else I can try besides removing the management port from its VRF?

Here's the config, this is an out of the box 4331 ISR.

vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 172.16.0.167 255.255.255.0
 negotiation auto
ip tftp source-interface GigabitEthernet0
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 172.16.0.1

Here's the Mgmt-intf routing table

Routing Table: Mgmt-intf
Gateway of last resort is 172.16.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.0.1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/24 is directly connected, GigabitEthernet0
L        172.16.0.167/32 is directly connected, GigabitEthernet0


How do I redirect a TCP packet to a proxy without losing the destination IP?

Over the TCP connection TLS is being used, no HTTP/S.
Do I need to add some sort of a header, or how does a proxy find out what the original destination IP was so it can start a connection?
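Added example, not from the post: the "some sort of a header" approach is what the HAProxy PROXY protocol does, and this is a strict parser for its v1 text header, which a redirector prepends to the TCP stream so the proxy learns the original source and destination before the first TLS byte (the other common approach, a transparent redirect where the proxy asks the kernel for the original destination, needs no header at all). The addresses and ports in the sample are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not from the original post: a strict parser for the HAProxy
# PROXY protocol v1 header. A redirecting device in front of the proxy prepends
# this single text line to the TCP stream, so the proxy learns the client's
# original destination before the first TLS byte and never has to look inside
# the TLS payload.

# The spec caps a v1 line at 107 bytes including CRLF. Anything longer without a
# CRLF is not a PROXY header and is rejected instead of being buffered forever.
MAX_V1_LINE = 107


class ProxyHeaderError(ValueError):
    """Raised for anything that is not a well-formed PROXY v1 line."""


@dataclass(frozen=True)
class ProxyInfo:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _parse_port(token: bytes) -> int:
    # Decimal digits only: no sign, no whitespace, no leading zeros.
    if not token.isdigit() or (len(token) > 1 and token.startswith(b"0")):
        raise ProxyHeaderError(f"bad port {token!r}")
    port = int(token)
    if port > 65535:
        raise ProxyHeaderError(f"port out of range: {port}")
    return port


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Parse a PROXY v1 line at the start of `data`.

    Returns (info, remainder). `remainder` is everything after the CRLF, i.e.
    the first bytes of the real client stream (here, the TLS ClientHello).
    `info` is None for the UNKNOWN family, which the spec allows but which
    carries no addresses the proxy may use.
    """
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    line, remainder = data[:end], data[end + 2:]
    # Single spaces are the only separator; split(b" ") keeps empty tokens, so a
    # doubled space fails the field-count check below instead of being ignored.
    fields = line.split(b" ")
    if fields[0] != b"PROXY" or len(fields) < 2:
        raise ProxyHeaderError("missing PROXY signature")
    if fields[1] == b"UNKNOWN":
        return None, remainder
    if len(fields) != 6:
        raise ProxyHeaderError(f"expected 6 fields, got {len(fields)}")
    _, family, src, dst, sport, dport = fields
    want_version = {b"TCP4": 4, b"TCP6": 6}.get(family)
    if want_version is None:
        raise ProxyHeaderError(f"unsupported family {family!r}")
    try:
        src_ip = ipaddress.ip_address(src.decode("ascii"))
        dst_ip = ipaddress.ip_address(dst.decode("ascii"))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ProxyHeaderError(f"bad address: {exc}") from None
    if src_ip.version != want_version or dst_ip.version != want_version:
        raise ProxyHeaderError("address family does not match declared protocol")
    info = ProxyInfo(str(src_ip), str(dst_ip), _parse_port(sport), _parse_port(dport))
    return info, remainder


def is_valid_proxy_v1(data: bytes) -> bool:
    """Convenience wrapper for callers that only need accept/reject."""
    try:
        parse_proxy_v1(data)
        return True
    except ProxyHeaderError:
        return False


if __name__ == "__main__":
    # Constructed sample: header from a redirector, then the start of a TLS
    # ClientHello record (0x16 0x03 0x01 ...). Addresses are documentation ranges.
    sample = b"PROXY TCP4 192.0.2.10 198.51.100.7 51234 443\r\n\x16\x03\x01\x00\xc8"
    info, tls = parse_proxy_v1(sample)
    print(f"connect to {info.dst_ip}:{info.dst_port} on behalf of {info.src_ip}:{info.src_port}")
    print(f"forward {len(tls)} buffered TLS bytes unchanged")
```

The proxy opens its upstream connection to `dst_ip:dst_port` and forwards `remainder` unchanged, so the TLS handshake is never touched; the strictness matters because the header is unauthenticated and only a trusted redirector should be allowed to send it.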



Need help for small office network

Hello everyone.

I've been tasked to build a network for a small office. No one here is experienced with computers, let alone networking. I told them I'm able to build computers and suddenly they tasked me to fix the chaotic network we have here because they're too cheap to get a pro to do it.

So our office has multiple CAT6 LAN ports where we can access our internet. For years people at our office have installed 4 wifi modem+routers that are independent of each other. As a result, we don't have a unified local network and even had to resort to connecting our printer to a global network. The NAS we have is only accessible by connecting to the modem+router it's connected to.

Our office is quite large, not sure about the exact size. Everyone here uses a wireless connection, and there is a maximum of about 150 devices connected to multiple wireless routers. Question is, how do I go about building an appropriate network for something like this?

My first (naive) idea is to just buy a consumer-grade modem+wifi router like the Nighthawk X8, connect it to the wall LAN port, connect the NAS, and other wifi routers to it. We will probably install an unRAID machine later on for cloud storage accessible locally and from outside the local network as well. My boss is worried about security, as our campus recently got hacked from an unknown outside source.

Would something like this be possible and at least adequate? Sorry if the answer to this question is obvious to you pros, thanks!



Default route via OSPF - MPLS

I have labbed up a small MPLS environment and wish now to redistribute a default route which is present on CE-3 to the other CE routers, with the purpose of funnelling all internet traffic through one site. It's present in the routing table for CE-2, but not CE-1.

Please see image below: https://imgur.com/a/88R2p

CE-3 Config:

router ospf 1
 redistribute static
 network 6.6.6.6 0.0.0.0 area 0
 network 192.168.46.0 0.0.0.255 area 0
 default-information originate
ip route 0.0.0.0 0.0.0.0 192.168.67.7

PE-2 Config:

ip vrf CustA
 rd 1:1
 route-target export 1:1
 route-target import 1:1
interface FastEthernet1/0
 ip vrf forwarding CustA
 ip address 192.168.45.4 255.255.255.0
 speed auto
 duplex auto
!
router ospf 2 vrf CustA
 redistribute bgp 234 subnets
 network 192.168.45.0 0.0.0.255 area 0
 network 192.168.46.0 0.0.0.255 area 0
!
router ospf 1
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.34.0 0.0.0.255 area 0
 mpls ldp autoconfig
!
router bgp 234
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 234
 neighbor 2.2.2.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CustA
  redistribute ospf 2
 exit-address-family

CE-3 is showing the route in its table:

Gateway of last resort is 192.168.67.7 to network 0.0.0.0 

PE-2 Is showing the route in the associated VRF:

PE-2#sh ip ro vrf CustA
Gateway of last resort is 192.168.46.6 to network 0.0.0.0

CE-2 has the route in its table:

Gateway of last resort is 192.168.45.4 to network 0.0.0.0 

But CE-1 is not (this is 2 hops away over MPLS to the PE which is adjoining the router originating the default route):

Gateway of last resort is not set 

What am I missing?

What I think is the issue is that the default route is not getting into the MPLS:

PE-2#show bgp vpnv4 unicast vrf CustA
BGP table version is 9, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CustA)
 *>i 1.1.1.1/32       2.2.2.2                  2    100      0 ?
 *>  5.5.5.5/32       192.168.45.5             2         32768 ?
 *>  6.6.6.6/32       192.168.46.6             2         32768 ?
 *>i 192.168.12.0     2.2.2.2                  0    100      0 ?
 *>  192.168.45.0     0.0.0.0                  0         32768 ?
 *>  192.168.46.0     0.0.0.0                  0         32768 ?


Dell Networking OS VLAN Interface Speed

Hi all,

We recently started getting alerts from our S4048T-ON saying we had gone over 90% utilisation for a VLAN interface. I hopped on the switch and found that the VLAN interface speed is 100Mbps. Is this configurable?

I assumed since it's a virtual interface then interface speed is linked to the processor speed? Is the interface "capped" at 100Mbps or is it just a placeholder? Thanks!



Bandwidth throttling at the source, or in a network device?

I got a little dilemma. We got this new device that needs to sync a sizable amount of data every day to an Azure Blob Storage. Apparently it will use some "Azure Blob Storage Sync Agent" to perform this action. This Sync Agent has a way of limiting the bandwidth directly at the source.

We could also tell the source to go through the proxy and limit the bandwidth there. We also have the option of sending it to the Firewall; but instead of limiting through the Sync Agent, we do it in the Firewall.

So we have three options of where we could limit the bandwidth usage.

I say we limit it at the source, i.e. through the Sync Agent, and create an ACL that lets the source bypass the proxy and go through the Firewall to its destination.

However we have some people pushing for the Proxy being the one throttling, and some pushing for the ASA having the throttling role.

What do you think?



So I plugged two switches together

Hey guys, I should really know this, but I'm not actually 100% sure what I did that fixed it...

I wanted to cascade a port on one switch out to another switch (allowing multiple devices to the one port)...

It was a 300 series Cisco switch, to a 2960 (the 1 port)....

Every time I connected them at first, the port would fail on the 2960... so the first thing I looked into was spanning tree and, as it's a PoE switch (the 300), whether power is still on... I found associated settings for these via the GUI and tried again (the spanning tree setting I disabled was RSTP).

So I connect again, and they seem fine, then the port fails after a minute, stays failed, then recovers for a minute or two, then repeats...

So I go searching the logs on the 300 ....it comes up with CDP errors before the failure...so back I go to the config... this time I turn off CDP, LLDP, I also found STP enable in another settings tab so I disabled that...

So now I have a happy connection of switches, but I don't know which setting fixed it and why... I'm presuming it was the spanning tree and the 300 was set as a root bridge, and the port I was connecting to on the 2960 saw this as a loop (FYI there were no loops at all created)... but any other theories?



ArubaOS - guest per SSID

Hi Aruba guys,

Is it possible to make a guest per SSID? I've got 4 SSIDs on the AP but the customer's network must be strict. I created a user in the internal database of a controller but I can log on to every SSID, which is logical because I haven't seen an option to make it per SSID yet. I think it might be possible but it'd probably be a premium feature if I'm not mistaken.

Thanks in advance.



What makes you hate your network

Opposite end of the spectrum, why does your network suck?



network automation career questions

Have a few questions related to automation in networking and thought it could start some good conversations.

  • What separates a network engineer that can code/automate tasks vs a true network automation engineer? Both in mindset and skills?
  • How important is really understanding how a scripting language works to being an automation engineer? Do you need to understand OOP or is that just a nice to have kind of thing?
  • When would a network engineer need to use classes in scripts? I can see how in certain situations in software it can be helpful, but I've written countless network automation/verification type scripts without the usage of classes, and since I've started digging deeper into OOP, I can't for the life of me see how classes would benefit/improve any of the scripts I've written.
  • Anyone that is currently a network automation engineer, how did you make that leap from being a network engineer who writes code to an automation engineer? And what is your day to day like?


Cisco configuration mind map quick reference document

This is a mind map I created of nearly every topic covered on the current CCIE RSv5 lab exam. Includes configurations along with occasional explanations and examples. Great for both CCIE and CCNP, and for general quick-reference.

While this mind map was created in general for studying for the current CCIE R&S, I thought the general (Cisco) networking community might get use out of it as a quick-reference document as well. Topics are arranged in a hierarchy, and it's pretty easy to search through the document to find what you're looking for. If you know about a particular topic, but forgot how to configure it offhand, this might be able to help you out.

https://neckercube.com/index.php/2018/04/11/mind-map-for-ccie-ccnp-routing-switching/



What do you guys think about Cisco ISE? Is it widely accepted in enterprises?


QOS on Metro Ethernet

The company I currently work for has Centurylink L2 Metro E at all of our locations. Our setup is quite a few years old and we are looking at upgrading capacity which will force us to their latest hardware platform. It is sounding like they no longer offer the same QOS secondary VLAN that we currently utilize in their new infrastructure. Currently they have a 100mbps line going into their on site switch and one of the ports on the switch is a dedicated voice VLAN that is limited to between 10-15mbps (depending on what we are paying for) which leaves the other 85-90 for data on another port, 3 total ports in use.

With this voice network, which their marketing dept calls "Ethernet Quality of Svc Gold" we have had absolutely 0 voice issues over the last 6 years I have been here and it has moderately heavy use, 80+ calls at peak. If we upgrade our connections and are unable to utilize this service any more, I am assuming we could achieve mostly the same quality with our own configurations. (and save $1k/mo in QOS Gold fees)

We run our voice network completely separate with dedicated voice VLANs at each site that are all routed separately from data across the Metro E network. Our routers at each location are a mix of older Cisco tech, namely 3845 routers, 3750 and 6500 L3 switches depending on the location.

My thoughts on setup:

  • Combine the voice and data onto a single gigabit port from CL to these routers/switches
  • Use separate Voice/Data VLANs on the WAN/LAN (4 total)
  • VRF for splitting the routing

Since the 3750 switches don't support subinterfaces on L3 ports, will throttling on the WAN VLAN interfaces work?

Should I be able to duplicate the current QOS by limiting the data VLAN to the speed of the pipe minus the speed we want to dedicate to voice? Would the routers/L3 switches we have be able to accomplish this?

How would you approach this requirement?



Does Traffic Shaping & Policing take into account L2 overhead? (Cisco IOS)

I thought I read somewhere modern Cisco routers take the L2 overhead into account when you configure traffic shaping, but our AT&T sales engineer is telling me that you have to configure traffic shaping to something lower than the CIR to compensate for the L2 overhead.

Is this true? Or is AT&T just trying to cheat me out of 10% of my bandwidth...
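The "10%" in this question can be put in numbers. Added example, not from the thread: it computes how far below the carrier's CIR a shaper must be set so that the bytes on the wire, Ethernet header, FCS, preamble and inter-frame gap included, still fit under the CIR, under the stated assumption that the shaper meters only IP bytes (or only frame bytes) while the carrier meters everything; which bytes a given IOS release and a given contract actually count is what the poster has to confirm with the vendor, and the "Simple IMIX" packet mix is a commonly cited reference mix, not a measurement.

```python
from fractions import Fraction

# Added example, not from the thread. Ethernet costs per frame beyond the IP
# packet, in bytes. The assumption being tested: the carrier meters full wire
# bytes (preamble and IFG included) while the shaper counts only what its
# platform counts. Which bytes a given IOS release and contract count is an
# assumption here, not a fact established by the thread.
ETH_HEADER = 14        # dst MAC + src MAC + EtherType
ETH_FCS = 4
DOT1Q_TAG = 4
ETH_MIN_FRAME = 64     # header..FCS; shorter frames are padded on the wire
PREAMBLE_SFD_IFG = 20  # 8 bytes preamble/SFD + 12 bytes inter-frame gap

# A packet mix is a list of (ip_packet_bytes, relative_weight). The classic
# "Simple IMIX" uses 7 x 40-byte, 4 x 576-byte and 1 x 1500-byte IP packets.
SIMPLE_IMIX = [(40, 7), (576, 4), (1500, 1)]


def frame_bytes(ip_len: int, tagged: bool = False) -> int:
    """Ethernet frame size (header through FCS) carrying an IP packet, after padding."""
    frame = ip_len + ETH_HEADER + ETH_FCS + (DOT1Q_TAG if tagged else 0)
    return max(frame, ETH_MIN_FRAME)  # a 40-byte packet still costs a 64-byte frame


def wire_bytes(ip_len: int, tagged: bool = False) -> int:
    """Bytes of line time the frame actually occupies, preamble and gap included."""
    return frame_bytes(ip_len, tagged) + PREAMBLE_SFD_IFG


def counted_fraction(mix, counted: str = "ip", tagged: bool = False) -> Fraction:
    """Share of the wire bytes that the shaper actually sees for a packet mix.

    counted="ip"    -> shaper meters IP bytes only
    counted="frame" -> shaper meters Ethernet header..FCS but not preamble/IFG
    """
    seen = on_wire = 0
    for ip_len, weight in mix:
        if counted == "ip":
            seen += weight * ip_len
        elif counted == "frame":
            seen += weight * frame_bytes(ip_len, tagged)
        else:
            raise ValueError(f"unknown counting mode {counted!r}")
        on_wire += weight * wire_bytes(ip_len, tagged)
    return Fraction(seen, on_wire)


def required_shaper_rate(cir_bps: int, mix, counted: str = "ip", tagged: bool = False) -> int:
    """Largest shaper rate (bps) whose traffic still fits under the carrier's CIR on the wire."""
    frac = counted_fraction(mix, counted, tagged)
    return cir_bps * frac.numerator // frac.denominator


if __name__ == "__main__":
    cir = 100_000_000
    for label, mix in (("1500-byte packets", [(1500, 1)]), ("Simple IMIX", SIMPLE_IMIX)):
        for mode in ("ip", "frame"):
            f = counted_fraction(mix, mode)
            print(f"{label:18s} shaper counts {mode:5s}: set shaper to "
                  f"{required_shaper_rate(cir, mix, mode):>10d} bps "
                  f"({100 - float(f) * 100:.1f}% below CIR)")
```

For full-size packets the gap between "IP bytes only" and the wire is about 2.5%; for the small-packet-heavy Simple IMIX it is close to 11%, which is where a blanket "10%" figure comes from, and why the answer depends on the traffic mix as much as on the platform.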



Wednesday, April 11, 2018

Alcatel-Lucent OmniSwitch 6400-48 | Console Connection Question

Hey all,

We recently got an older ALU OmniSwitch and I'm having trouble connecting to the console. After reading the documentation and configuring the terminal information I'm still not getting anything on my terminal screen. I'm using the included RJ45 - DB9 adapter and then connecting it as such:

PuTTY connection info: COM3, speed 9600, data bits 8, stop bits 1, parity NONE, flow control XON/XOFF

Diagram of the connection being made:

Switch - RJ45 Patch Cable - RJ45 ALU Adapter DB9 - USB - Computer (COM3)



Just a shot in the dark...

I know y'all don't work much with home networking, but there doesn't seem to be anyone on home networking with the knowledge that I need. So... I'm giving it a shot in here.

Basically, I have 3 goals, in this order:

  1. Adult Content filtering
  2. Security
  3. Privacy

I'm not hiding from the FBI or anything, so by privacy I just mean that when I log in to Starbucks wifi, no one is able to see who I am or what I'm doing, or obviously, see my passwords.

By security, I mean phishing/antivirus/malware/etc. A lot like the protection that OpenDNS or Untangle offers.

The "kicker" here is that I'd like to have that on all my family's devices, whether we are home or away. So.... My thoughts so far would be:

  1. pfsense router
  2. OpenDNS? Untangle? Sophos UTM?
  3. VPN

What I'm not sure of (I'm really not sure of any of this) is if any of that would be redundant? I'm not concerned about paying several hundred dollars for business equipment/licenses. I just want to accomplish this.

Assuming my question can make the cut, I'll be monitoring this closely to answer any questions so I can clarify things... I'd really appreciate any advice I can get!



Open vSwitch Configuration Help

I'm working on a project that involves hosting VMs on a server using ProxMox. I was able to install Open vSwitch in order to connect the inside VMs to different VLANs and then trunk them to the physical switch. I've never used Open vSwitch so I'm having trouble understanding it. From what I understand, I need to make a bridge and then connect it to the physical port? And I can create VLANs with the tag command.

What I need to do is be able to make virtual ports for the VMs to connect to on different VLANs and then have the 1 physical connection going to the switch be trunked with 802.1q. Does anyone have a beginner guide on how to do this with Open vSwitch? Thanks.



[Troubleshooting] Networked PDUs become intermittently unreachable. (xpost /r/datacenter)

disclaimer: please forgive if this post is questionable, I think this is a network issue, but I'm not sure, trying to get to the bottom of the issue...

I have a couple of crypto mining "datacenters", each one consists of about 50 servers in a shipping container.

For power machines are plugged into TrippLite networked PDUs (these ones: http://www.provantage.com/tripp-lite-pdumv30hvnet~7TRP904L.htm).

Everything (servers, PDUs, a couple raspberry pi devices) is on the same flat network. There's a router I bought from pfsense.org in each container which is more than sufficient to the task, it handles DHCP, and things are generally speaking fine.

The physical topology of the network looks like

WAN <- pfsense (gateway & DHCP) <- ethernet switch #1 <- ethernet switch #2

Everything that becomes a DHCP client is plugged into switch #1 or #2. Switch #2 is also plugged into switch #1. (These are just unmanaged gigabit ethernet switches.)

The issue that I run into is that occasionally one or more of my TrippLite PDUs become unreachable.

They show up fine if you've just plugged in the PDU, they get an address and respond normally on the network, all of them work as expected at first. However, after a day or so, PDUs randomly become unreachable.

I can't ssh into them, can't ping them, they don't even show up with arp -a, they're just not present on the network. Nevertheless, the unit is powered up and the servers plugged into its outlets are running just fine.

I can work around the issue by physically shutting off the breaker that powers the PDU, then turning it back on again. The PDU comes back, finds the network and is normally responsive.

However, this defeats the whole purpose of networked PDUs when I have to actually go there to get the PDU back online.

Has anybody else seen a similar issue with this brand of PDU? Have you seen this very thing? How did you solve it?

I'm considering writing a little process that runs on one of my rpi's that just fires a tcp ping at each PDU every other minute, see if that possibly keeps them active or whatever. But I'm not hopeful about that honestly, and it's a shitty little hack even if it does work.

Any help you can provide much appreciated!

[Edit] I have some PDUs with their network plugged into switch #1 and some into switch #2, doesn't seem to be any correlation as to which ones go offline eventually

[Edit] FWIW the PDUs get a statically configured lease with assigned IP address based on MAC address (they are the only things that do, all other devices just ask for a lease and get a random address).
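The "TCP ping from a Raspberry Pi" idea from the post, written up as an added example (not the poster's code): a small monitor that probes each PDU's management port and records only state changes, so a PDU that silently drops off the network produces one clear event per outage and one per recovery instead of a stream of probe results. Target names, ports and the alarm threshold are placeholders chosen for this example; the demo uses constructed local sockets in place of real PDUs.

```python
import socket
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added example, not from the original post: a reachability monitor for the
# networked PDUs. A TCP handshake to the management port (SSH was mentioned in
# the post, so port 22 is the natural choice) is used as the probe; nothing is
# sent on the connection. Only transitions are reported, after a configurable
# number of consecutive misses, so a single dropped probe does not raise an alarm.


@dataclass
class PduMonitor:
    targets: Dict[str, Tuple[str, int]]          # name -> (host, tcp_port)
    timeout: float = 3.0                          # seconds per connection attempt
    failures_to_alarm: int = 2                    # consecutive misses before calling it down
    reachable: Dict[str, bool] = field(default_factory=dict)
    fail_count: Dict[str, int] = field(default_factory=dict)

    @staticmethod
    def probe(host: str, port: int, timeout: float) -> bool:
        """True if a TCP handshake to host:port completes; the socket is closed at once."""
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:
            return False

    def sweep(self) -> List[str]:
        """Probe every target once and return the state transitions since the last sweep."""
        events = []
        for name, (host, port) in self.targets.items():
            ok = self.probe(host, port, self.timeout)
            self.fail_count[name] = 0 if ok else self.fail_count.get(name, 0) + 1
            prev = self.reachable.get(name)        # None until the target is first classified
            if ok and prev is not True:
                self.reachable[name] = True
                events.append(f"{name} recovered" if prev is False else f"{name} up (baseline)")
            elif not ok and prev is not False and self.fail_count[name] >= self.failures_to_alarm:
                self.reachable[name] = False
                events.append(f"{name} unreachable after {self.fail_count[name]} consecutive failed probes")
        return events


def local_demo() -> List[List[str]]:
    """Run three sweeps against constructed local targets and return the events per sweep.

    A listening socket on 127.0.0.1 stands in for a healthy PDU; a port that was
    bound and then closed stands in for one that has dropped off the network.
    """
    healthy = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    healthy.bind(("127.0.0.1", 0))
    healthy.listen(5)
    good_port = healthy.getsockname()[1]
    scratch = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    scratch.bind(("127.0.0.1", 0))
    dead_port = scratch.getsockname()[1]
    scratch.close()                                 # nothing listens here now -> connection refused

    mon = PduMonitor({"pdu-a": ("127.0.0.1", good_port), "pdu-b": ("127.0.0.1", dead_port)},
                     timeout=1.0, failures_to_alarm=2)
    history = [mon.sweep(), mon.sweep()]            # sweep 1: baseline; sweep 2: pdu-b declared down
    mon.targets["pdu-b"] = ("127.0.0.1", good_port)  # simulate the PDU coming back after a power cycle
    history.append(mon.sweep())
    healthy.close()
    return history


if __name__ == "__main__":
    for i, events in enumerate(local_demo(), 1):
        print(f"sweep {i}: {events or 'no change'}")
```

Run `sweep()` from a cron job or a loop every minute or two and log the returned events with a timestamp; the timeline of when each PDU went quiet (and whether the ones on switch #1 and switch #2 fail together) is the evidence needed to decide between a PDU firmware problem and a network one.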



Network Stand-Alone switch with 100Gb GBIC uplink

Hey guys.

I was wondering if anyone had any leads on network switches that have a 100Gb GBIC (or SFP) fiber uplink, that aren't part of the Cisco Nexus cage solution. There is a very specific use case I have in which I will need to daisy chain multiple switches together, and I need this throughput.

A majority of the switches I've come across only carry a 10Gb interface.



Warning about too many STP entries. Should I care?

I'm new at a facility and I keep getting warnings about too many STP entries on Cisco switches. Is this important to deal with? How should I handle it? There are a lot of VLANs but not too many physical paths or loops.



Quitting ISP to be network admin in a mid-size business

Hi,

I've been working as a network analyst for a big ISP for two years now and the work has been boring as hell, and my growth was super slow (I'd say I've shrunk). I've been sent as a consultant to a mid size company to help them with their network. They are looking to hire a CCNA/CCNP level guy. I've learned so much here in the few months that I've been working that I'm thinking about quitting the large ISP and asking them if I can stay here. Is that a smart move? I only have a CCNA (working to pass my CCNP Switch in 3 weeks). I'm afraid that this can be risky because if they fire me after 1 or 2 months, I'll have a hard time finding a job with a CCNA. Should I stay with the ISP?

I'm also afraid that since my knowledge isn't so great, I won't know the new technologies and won't know what nice upgrades the network can have. So the work here will also become boring.



DIN power connector

I never deal with industrial networking, but I know some here have a good amount of experience. I bought a switch to handle hot temperature environments, but it is made for a DIN rail mount. I don't actually need to mount anything else, so I don't need a full DIN setup... just need to power the switch. So I have two questions.

First, it looks like it's just a regular DC powered switch that can accept anywhere from 12-48V and it has a max consumption of 24 watts. All the DIN power supplies look really beefy and frankly like overkill for what I'm doing.... am I okay with just using a typical transformer that is rated for >24 watts within 12-48 VDC?

Second, the connector isn't something I'm used to seeing. Even if I go with a DIN power supply I don't think it comes with this connector. My problem is that when I search for anything DIN related, I come back with the actual DIN connector type... not what I'm looking for. Is this a standardized connector? Anyone know where I could just get them online?

https://imgur.com/a/o6N9R



Comcast Business - IPv6: DHCPv6-PD workarounds?

Hey all, so Comcast’s current IPv6 solution for business and residential is to run DHCPv6-PD to allocate prefixes...

I have a PAN attached to my business connection - which doesn’t do that...

Does anyone know: 1- if Comcast has done a true static routed allocation for v6 for anyone?

2- If I spin up a pfSense VM which can do PD Client stuff: can I create a route for the remainder of my prefix onto my PAN (and my other downstream layer 3 devices)? Or does DHCPv6-PD require all first hops to be attached to the original PD client?

PD is still new to me. Option 1 would of course be the least “patchy”, but that requires “the Comcast” to budge.



FHX vs FHD + MPO/MPT cassettes for a new fiber installation

I had spec'd out a fiber deployment for one of my datacenters using the following products from fiberstore:

https://www.fs.com/products/57342.html

Our sales rep comes along and suggests their FHX product instead.

https://www.fs.com/products/68916.html

I've never used the FHX product, has anyone in the subreddit used them? How are they? Any "gotchas" I need to worry about, other than the obvious polarity stuff?



MPLS and routing to other BGP ASN's?

I've been labbing MPLS recently - OSPF internal, PE devices peering via iBGP, with VRF on PE devices connecting to CE devices (these 2 forming L3 neighbours).

What I'm struggling to work out though is how from this MPLS I would break out to another ISP via BGP.

Anyone have some pointers for what i need to be researching to learn this stuff or any tips for me to follow?



Having trouble using an ATA for faxing.

Hello, I recently switched over to Verizon's VoIP service (OneTalk) for my small business and our secretary insists on keeping our fax machine because (?), so it is up to me to figure out how to get it to work.

Called Verizon and they sent me a MiFi 4G module which will not work because we don't have a good enough 4G signal, and that is as far as they will go along with me. Getting an antenna isn't an option in this case as the signal doesn't improve enough anywhere it is mountable (they require 3-4 bars and we get 2-3 :-|).

So after trying that, I looked into ATAs, did some research and purchased an SPA 112 by Cisco and plugged it into my network switch. I went through the configuration process and succeeded in getting it connected to the network/internet (confirmed through the router access webpage or whatever it's called). I sent a test fax to the HP test fax line (1-888-473-2963) and it came back as busy/no response. The light for the phone line lit up on the SPA 112 indicating that it was receiving a signal, so the Fax -> ATA -> Switch -> Router -> Modem connection was good, but still, no dice.

Router is a WNR 2020 netgear if it matters.

Any thoughts on what the issue could be would be appreciated. Thanks in advance.



Weird DHCP issue

Hey guys,  

I require a little help with a matter. We currently use a Windows server which acts as a DHCP server and hands out IP addresses to our clients connected via ethernet, all good.

We would like to get rid of this server and configure DHCP on the router. I've configured the DHCP pool (dns server, def gw, domain-name, network etc.) with the necessary settings, but when I shut down the Windows DHCP server and try to get an IP address from the router, which is also the default gw of the machines in that particular VLAN, I get APIPA.

ip dhcp pool Stations
 network 192.168.0.0 255.255.254.0
 default-router 192.168.1.254
 dns-server 192.168.100.1
 domain-name xx.yy.org

The DHCP is configured on the default router 192.168.1.254, and the currently used one is on the same VLAN as the workstations with the IP 192.168.1.1 (excluded from 0.1 to 0.100 and from 1.100 to 1.254).

Any ideas ?

 

L.E. Should I try and run service dhcp on the router? I can't seem to find a show command that shows me if it's enabled.



BGP SDN controller for routed CLOS data center

I am currently in the planning stages of an eBGP routed leaf/spine CLOS data center deployment. I have been reading up on the work that Petr Lapukhov did on creating a BGP SDN controller for data center topologies such as this. It looks like he implemented this controller at both Microsoft and Facebook.

I would like to investigate implementing this BGP SDN controller for my deployment, but I can't actually find the controller itself. In a podcast Petr mentions using exaBGP and 2k lines of python and said he would be releasing his source code, but I can't seem to find it anywhere. Does anyone know where I can find the controller or source code? Petr if you happen to be lurking, I would love to hear from you on this topic. :)

https://www.janog.gr.jp/meeting/janog33/doc/janog33-bgp-nkposong-1-en.pdf

https://www.ietf.org/archive/id/draft-lapukhov-bgp-sdn-00.txt

https://github.com/exa-networks/exabgp

https://www.nanog.org/sites/default/files/wed.general.brainslug.lapukhov.20.pdf

http://packetpushers.net/podcast/podcasts/show-164-cool-or-hot-lapukhov-nkposongs-bgp-sdn/



Issues with antenna

My business network configuration is Modem -> Router (Netgear WNR2020) -> Switch (Linksys 16 port) -> Antenna (Ubiquiti omnidirectional, featured in pictures).

At my small business, the antenna in question is about 7 years old and when I do a wifi speed test from one meter away, I get about 30mbps and really poor connectivity. A test from 15 meters away through a thin plastic sheet is unusable (.1mbps). Connectivity is very intermittent and unreliable. I have changed out all of the wiring to the antenna and still have an issue. Should I just replace the antenna or are there settings I can look into or other things I should check? I already posted in r/homenetworking but this is a more appropriate subreddit as it is a business network.

Thanks in advance.



DCI / Stretch L2 / Failover

I am more of a systems guy, trying to design a high availability deployment. The requirements I was given are two datacenters in close proximity with separate fault domains, but close enough for synchronous replication (sub 5ms).

I can easily get multiple 10Gig fiber runs between the two primary sites. It's only going to be maybe two or three cabinets of equipment on each side, so I could easily have a network stack at each site LACP'd to each other and have little to no risk of loops.

Without any direct experience I was thinking of stretched vlans as I'm in a regulated industry and L3 switching is doable but a little problematic with audits, but was reading up and I am seeing a lot of hate for DCIs and Stretch L2.

If the stretched VLAN was only for an isolated network like storage or cluster replication (no default gateway needed, no routing to/from other networks), is it going to be as much of a long term headache as some of the other posts here make it out to be?

What else should I be looking into instead?

Thanks for the advice.



Cisco FTD certificates & enrollment

Hi;

I've integrated FTD 6.2.2 with ISE 2.2 using pxGrid and the required certificates. What I don't understand and cannot find on the Internet is certificate enrollment on FTD. Actually I'm studying remote access VPNs on FTD and want to deploy a scenario like below:

  • Remote clients should be authenticated with both certificates (supposing they don't have any cert installed on their devices yet) and AD username/password, to be sure they are connecting to the corporate network using their legitimate devices.
  • Remote clients should be authorized based on the AD settings.

Does certificate enrollment on FTD mean generating a CSR to get a node certificate from the internal CA and then trying to authenticate remote users based on that certificate on behalf of the root CA? Is it like the procedure we do on ISE (importing the CA root certificate into the ISE trusted root CA database and then generating a CSR to get a node certificate for the ISE device itself)?

If the answer to the question above is positive, then why don't we use the "openssl" tool or "Object Management > PKI > Internal Certs" to generate a CSR and import the received certs into the FTD database? While integrating FTD with ISE I used the "openssl" command to generate a CSR on FTD.

I'm really confused and appreciate any help on this.



AutoQoS Error while generating commands

When trying to configure auto qos trust on a WS-C4506-E with WS-X45-SUP7L-E, the command is not accepted on any ports on WS-X4748-UPOE+E line cards. On WS-X4748-RJ45V+E line cards it's working fine.

Software Version is Version 03.04.03.SG RELEASE.

The error looks as follows:

(config-if)#auto qos trust
AutoQoS Error: the following generated command was not properly applied:
service-policy input AutoQos-4.0-Input-Policy
AutoQoS Error while generating commands on Gi5/1.

Anyone got an idea why this could be?



Checkpoint - clearing partition/hotfixes

Hi all,
Checkpoint noob here. Literally first time touching one so bear with me.

I have an alert for a checkpoint appliance which is reporting that the partition is nearly full.

Cut to the chase, I can see that filepath /var/log/cpupgrade has a number of hotfix files that are taking up significant space.

I've tried cpinfo -y all to determine which hotfixes are actually installed but the command doesn't work:

cpinfo -y all

cpinfo: invalid option -- y

So I've tried running cpinfo without any flags and it takes forever parsing every entry when it reaches the ARP section. I've also tried https:// and no single browser loads - tried all compatibility settings etc etc.

Version: This is Check Point SecurePlatform R70.40 Build 001 (I know there will be at least 5 D*ckheads asking me to upgrade, but only suggest this if it is the ONLY option)

So what are my options here for determining what hotfixes are actually in use? (if any)

Thank you



Firepower access-rule with NAT?

I am new to Firepower. I have a couple of 4150s in act/stby attached to an FMC. I am mimicking config from an old ASA box onto these 4150s manually, and it got me thinking about Firepower rules. In the ASA code, when you have a static NAT for a server to the internet (say for https), you used to have to make an ACL permit rule on the outside interface (inbound direction) destined to the original, un-NATted IP. I am just wondering if Firepower does the same. Do you permit NAT rules from the outside zone to the server zone, from ANY to "original IP"? Or do they use the NAT'd IP now?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



SRX secure DNS?

I use an SRX 210 in my home and am interested in 1.1.1.1 or other secure DNS. I was asked about this at work, and I always try it at home first so I don't look like a dufus. I really didn't see anything on the googles for this.

Is it possible to use the SRX and do this?



SD-wan deployment 3 months in - Discussion, Ideas and experience sharing inside

There have been some ups and downs, but so far I am impressed with how it is working, at cost savings of 40% (after hardware purchase and all that), and everything at the remote branches is faster.

Must follow best practice for sure, like 2 different vendors; we ran into this already, and a 3rd connection of LTE solved this.

Currently deploying Silverpeak and running on the bleeding edge of their code releases; we were the first customer to install 8.1.7.3. This release has been stable with only a few minor issues.

We caught up to the circuits getting installed, so our deployment has slowed. Anyone else deploying, getting ready to, or already deployed some SD-WAN?

I couldn't find much SD-WAN stuff so I started this thread hoping to help people searching Google.... since I have found so much help, I wanted to give back a little!!!

Biggest disadvantage? Upload speeds. Some of our sites went from 10/10 MPLS to 200/40, but some are 20/2 and some are 200/14.

Luckily this does not matter as much; for sites that had a need for upload speed we did DIA fiber to the site with cable/LTE backup.



Juniper SRX QOS - reserve ISP bandwidth for VoIP

Hi. We have about 50 different office ISP lines all together. Each has its own max speed.

The goal would be to have X Mbps incoming bandwidth always available for VoIP servers that are in the Internet.

Can anyone suggest a universal config that can accomplish this?

Thanks



I think I have a misconfiguration. I'm trying to explain to myself how that could be true, yet I'm still able to telnet into a misconfigured router (BGP, PPP)

Here's a link to a crudely drawn topology (with shortened subnets) that will be helpful to look over before reading the rest of my post: https://imgur.com/a/isrKF

tl;dr: I can telnet from 16.1 to 100.2. I'm trying to explain why this is possible, if this misconfiguration or accidental cable swap actually exists. And I'm almost 100% certain it exists.

Does this make any sense to you guys? I left work troubled with this problem because so much didn't make sense when I was working on it. I might be trying to fit a square peg into a round hole, but after thinking about this for hours, I'm almost certain that the misconfiguration depicted in my topology is the current layout of the network. And I'm trying to explain to myself why I am able to telnet into R1 if this misconfiguration exists.

I have shortened and sanitized the IPs (to 2 octets) in the topology I provided to make it easier to look at. There are 3 "subnets", 100.0/8, 200.0/8 and 16.0/8.

The 16.1 host can telnet into 100.2 host when clearly there is a misconfiguration.

I discovered this when I tried to bounce the 200.1 port thinking I was safe from disconnecting my telnet session. When I bounced it, I lost my telnet session. That's when (I think) I realized that the 200.1 port was actually the edge port, despite fully expecting 100.2 to be the edge IP. Luckily I had a tech onsite to power cycle the router and reload the startup config. Thinking I made a mistake and losing remote access, I did not pursue that any further (until I left work and thought about it more).

But after thinking about all of the other troubleshooting I did, I have come to the conclusion that either the port configuration is ass backwards inside the router, or the LAN/WAN cables got swapped somehow. Now I just need to explain to myself how, if that is the case, that I am able to telnet into the device. (see topology for my explanation and tell me if it makes sense to you)

BTW, I did extensive troubleshooting with the tech onsite. I was in R1 and unable to ping the tech's laptop connected directly to interface 0/1. I had the tech statically configure his laptop to the 200.0 network, as it would normally be supposed to be configured in this scenario. Looking back, I wish I would have had him configure his laptop to the 100.0 network.

tl;dr: I can telnet from 16.1 to 100.2. I'm trying to explain why this is possible, if this misconfiguration or accidental cable swap actually exists. And I'm almost 100% certain it exists.



Tuesday, April 10, 2018

Windows Static Route Question

I've been curious about this for a while and was hoping somebody could shed some insight.

We have multi-homed servers so one of the interfaces uses a static route configured within Windows. The network is 172.16.0.0/17. When I came into this current job, they had two static routes configured. 172.16.0.0/17 AND 172.16.128.0/17 both pointing to the same gateway.

This seems redundant to me. I feel like I should be able to assign a static route of 172.16.0.0/24 -> gateway. I would think the subnet is irrelevant to the route. Any IP within that /24 should go to the gateway anyway, so why have two routes?
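A longest-prefix-match lookup makes the question above concrete. This is an added example, not part of the post: it models the two static routes 172.16.0.0/17 and 172.16.128.0/17 pointing at one gateway, shows that together they collapse to exactly 172.16.0.0/16, and shows what a narrower prefix such as 172.16.0.0/24 would and would not cover. The gateway addresses and sample hosts are constructed values; the matching logic is plain longest-prefix matching, which is how any IP stack, Windows included, resolves its routing table.

```python
"""Longest-prefix-match lookup for the two-route question above.

Added example, not from the post.  Gateway addresses and sample hosts
are constructed; the logic is standard longest-prefix matching.
"""
import ipaddress

GATEWAY = "10.1.1.1"        # constructed: gateway of the multi-homed interface
DEFAULT_GW = "10.1.1.254"   # constructed: default route via the other NIC


def build_table(routes):
    """routes: iterable of (prefix, gateway) strings.

    Returns entries sorted most-specific first so the first containing
    entry that lookup() finds is the longest-prefix match."""
    table = [(ipaddress.ip_network(p), ipaddress.ip_address(g)) for p, g in routes]
    return sorted(table, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(table, dst):
    """Return (network, gateway) for the longest prefix containing dst,
    or None when nothing (not even a default route) matches."""
    addr = ipaddress.ip_address(dst)
    for net, gw in table:
        if addr in net:
            return net, gw
    return None


def summarize(prefixes):
    """Collapse adjacent or overlapping prefixes into the minimal covering
    set, e.g. two adjacent /17s become a single /16."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def next_hops(table, hosts):
    """Gateway chosen for each sample host, as {host: gateway}."""
    return {h: str(lookup(table, h)[1]) for h in hosts}


if __name__ == "__main__":
    two_halves = build_table([("172.16.0.0/17", GATEWAY),
                              ("172.16.128.0/17", GATEWAY),
                              ("0.0.0.0/0", DEFAULT_GW)])
    one_summary = build_table([("172.16.0.0/16", GATEWAY),
                               ("0.0.0.0/0", DEFAULT_GW)])
    too_narrow = build_table([("172.16.0.0/24", GATEWAY),
                              ("0.0.0.0/0", DEFAULT_GW)])
    samples = ["172.16.0.77", "172.16.5.5", "172.16.200.5", "192.0.2.9"]
    print("two /17s  :", next_hops(two_halves, samples))
    print("one /16   :", next_hops(one_summary, samples))
    print("single /24:", next_hops(too_narrow, samples))
    print("collapsed :", summarize(["172.16.0.0/17", "172.16.128.0/17"]))
```

The two /17 entries and the single /16 return the same next hop for every sample host, which is the sense in which the pair is redundant; a /24 only covers 172.16.0.0 to 172.16.0.255, so 172.16.5.5 would fall through to the default route.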



What does SIDR not protect against?


Campus environment firewalling

Hi all,

I'm curious to see how campuses perform firewalling and segmentation within their environments. I know campuses can be much different from enterprise environments in the fact that there may be multiple IT departments which then utilize a central campus networking service.

In addition to border firewalling how do you handle departmental firewalling?

Do you use a centralized model with large central firewalls?
Or do you have firewalls at each building on campus?
What pros and cons do you see with the method you use (e.g. maintaining, cost, etc.)?
What hardware choices do you use?



What are the current top end remote desktop options?

I'm digging into the idea of using remote desktop for VFX work on after effects. I was reading about HP's RGS supposedly being a good option. But I have just setup a remote PC at the studio and attempted to run it from home with pretty garbage results. I guess HP's demos are all running on local networks and not actually running "remotely"? Is there a better solution than HP's RGS for this type of application? Or is remote desktop simply not fast enough/light enough for current average internet speeds?



Slow connection from isr4321

Trying to figure out why my connection from the ISR4321 is sooo slow. I tested first with plugging my laptop directly into the modem. From the modem directly, I'm hitting speed of up to mid to high 90's. When I plug my 4321 into the modem and use the 2nd interface to the laptop, I go down to mid or high 18's. How can I go from 90's to 18's? I posted my config. License should push 50 in and 50 out. No idea what is causing this. My g0/0/0 is inside and g0/0/1 outside. Any help?  


version 16.6
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname RTE
!
boot-start-marker
boot system flash bootflash:isr4300-universalk9.16.06.02.SPA.bin
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered warnings
no logging console
no logging monitor
enable secret 5 $1$7vG5$PIahg9O40FxoTHfozgtXW/
!
aaa new-model
!
aaa group server tacacs+ ISETACACS
 server name alcise01
 server name alcise02
!
aaa authentication password-prompt "Password: "
aaa authentication username-prompt "Username_: "
aaa authentication login default group tacacs+ local
aaa authentication login VTY group ISE_TACACS local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec VTY group ISE_TACACS local if-authenticated
aaa authorization commands 1 VTY group ISE_TACACS local if-authenticated
aaa authorization commands 15 VTY group ISE_TACACS local if-authenticated
aaa accounting update periodic 15
aaa accounting exec default start-stop group ISE_TACACS
aaa accounting commands 1 default start-stop group ISE_TACACS
aaa accounting commands 15 default start-stop group ISE_TACACS
!
aaa session-id common
process cpu threshold type total rising 80 interval 60 falling 40 interval 60
clock timezone CDT -5 0
clock summer-time CDT recurring
no ip source-route
ip options drop
!
ip name-server 10.255.0.190 10.255.0.191
ip domain list *****
ip domain lookup source-interface GigabitEthernet0/0/0
ip domain name *****
no ip dhcp use vrf connected
ip dhcp excluded-address 10.50.10.1 10.50.10.70
ip dhcp excluded-address 10.50.10.100 10.50.10.254
!
ip dhcp pool CLIENT
 network 10.50.10.0 255.255.255.0
 default-router 10.50.10.254
 dns-server 10.255.0.190 10.255.0.191
 netbios-name-server 10.255.0.190 10.255.0.191
 domain-name *****
 lease 2
!
ip dhcp pool Pinicon-1
 host 10.50.10.101 255.255.255.0
 client-identifier 0180.9b20.b576.b8
 dns-server 10.255.0.190 10.255.0.191
 default-router 10.50.10.254
 domain-name *****
 netbios-name-server 10.255.0.190 10.255.0.191
 lease 2
!
ip dhcp pool Pinicon-2
 host 10.50.10.102 255.255.255.0
 client-identifier 0180.9b20.b848.54
 dns-server 10.255.0.190 10.255.0.191
 default-router 10.50.10.254
 domain-name *****
 netbios-name-server 10.255.0.190 10.255.0.191
 lease 2
!
ip dhcp pool Pinicon-3
 host 10.50.10.103 255.255.255.0
 client-identifier 0144.8a5b.e917.45
 dns-server 10.255.0.190 10.255.0.191
 default-router 10.50.10.254
 domain-name *****
 netbios-name-server 10.255.0.190 10.255.0.191
 lease 2
!
ip dhcp pool Pinicon-4
 host 10.50.10.104 255.255.255.0
 client-identifier 01b8.8a60.3e6d.9c
 dns-server 10.255.0.190 10.255.0.191
 default-router 10.50.10.254
 domain-name *****
 lease 2
!
license udi pid ISR4321/K9 sn FDO19490H76
license boot level securityk9
diagnostic bootup level minimal
spanning-tree extend system-id
!
username ***** privilege 15 password 7 *****
!
redundancy
 mode none
!
crypto keyring keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key *****
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set *****
 mode transport
!
crypto ipsec profile AES-SHA
 set transform-set AES-SHA
!
interface Tunnel0
 description DMVPN
 ip address 10.255.14.60 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication enlivant
 ip nhrp map 10.255.14.1 38.69.52.4
 ip nhrp map multicast 38.69.52.4
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 10.255.14.1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 keepalive 5 3
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile AES-SHA shared
 ip virtual-reassembly
!
interface GigabitEthernet0/0/0
 description LAN-INSIDE
 ip address 10.50.10.254 255.255.255.0
 ip mtu 1460
 ip nat inside
 ip tcp adjust-mss 1350
 ip policy route-map PBR
 negotiation auto
 hold-queue 32 in
 hold-queue 100 out
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 description INTERNET-OUTSIDE
 ip address dhcp
 ip nat outside
 negotiation auto
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
router eigrp 2
 distribute-list prefix BLOCK-EIGRP-DEFAULT in
 network 10.0.0.0
 passive-interface default
 no passive-interface Tunnel0
 eigrp stub connected
!
ip nat inside source list NAT interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip http server
no ip http secure-server
ip http secure-trustpoint TP-self-signed-3430957644
ip http client secure-trustpoint TP-self-signed-3430957644
ip tftp source-interface GigabitEthernet0/0/0
ip tacacs source-interface GigabitEthernet0/0/0
!
ip ssh version 2
!
ip prefix-list BLOCK-EIGRP-DEFAULT seq 5 deny 0.0.0.0/0
ip prefix-list BLOCK-EIGRP-DEFAULT seq 10 permit 0.0.0.0/0 le 32
!
ip access-list extended NAT
 permit ip 10.50.10.224 0.0.0.15 any
ip access-list extended PBR
 deny   ip 10.50.10.224 0.0.0.15 any
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 any
!
logging trap warnings
logging host 10.255.0.150
access-list 2 permit 10.6.0.0 0.0.255.255
access-list 2 permit 10.20.0.0 0.0.255.255
access-list 2 permit 10.40.0.0 0.0.255.255
access-list 2 permit 10.50.0.0 0.0.255.255
access-list 2 permit 10.90.0.0 0.0.255.255
access-list 2 permit 10.255.0.0 0.0.255.255
access-list 2 permit ***** 0.0.0.63
access-list 2 permit ***** 0.0.0.7
access-list 2 deny   any
!
route-map PBR permit 10
 match ip address PBR
 set ip next-hop 10.255.14.1
!
snmp-server community ALCpub RO
snmp-server community 177h@ouses RW
snmp-server enable traps snmp coldstart
snmp-server enable traps tty
snmp-server enable traps memory bufferpeak
snmp-server enable traps cpu threshold
snmp-server host 10.255.8.158 ALCpub
tacacs-server timeout 10
tacacs-server directed-request
tacacs server alcise01
 address ipv4 10.255.0.30
 key 7 *****
tacacs server alcise02
 address ipv4 10.255.0.31
 key 7 *****
!
control-plane
!
banner motd CCC
********************* ATTENTION!! ***********************
*                                                       *
*  STATE AND FEDERAL STATUTES MAKE IT A CRIME TO        *
*  GAIN UNAUTHORIZED ACCESS INTO THIS SYSTEM.VIOLATORS  *
*  WILL BE PROSECUTED TO THE FULLEST EXTENT OF THE LAW.c*
*                                                       *
*********************************************************
Your session is being monitored by Enlivant network admins.
C
!
line con 0
 session-timeout 40
 exec-timeout 120 0
 logging synchronous
 transport input none
 stopbits 1
line aux 0
 modem InOut
 no exec
 stopbits 1
 speed 115200
 flowcontrol hardware
line vty 0 4
 session-timeout 40
 access-class 2 in
 exec-timeout 120 0
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 logging synchronous
 login authentication VTY
 length 0
 transport input ssh
line vty 5 15
 session-timeout 40
 access-class 2 in
 exec-timeout 120 0
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 logging synchronous
 login authentication VTY
 transport input ssh
!
scheduler max-task-time 5000
ntp source Tunnel0
ntp server 10.255.0.1
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
end


RTE#sh ip int g0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
  Internet address is 10.50.10.254/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1460 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing Common access list is not set
  Outgoing access list is not set
  Inbound Common access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  Associated unicast routing topologies:
        Topology "base", operation state is UP
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is enabled, using route map PBR
  Network address translation is enabled, interface in domain inside
  BGP Policy Mapping is disabled
  Input features: Virtual Fragment Reassembly, Policy Routing, MCI Check, TCP Adjust MSS
  Output features: NAT Inside, TCP Adjust MSS
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled


RTE#sh int g0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
  Hardware is ISR4321-2x1GE, address is 00f2.8b29.2400 (bia 00f2.8b29.2400)
  Description: LAN-INSIDE
  Internet address is 10.50.10.254/24
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  Full Duplex, 1000Mbps, link type is auto, media type is RJ45
  output flow-control is off, input flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:03, output hang never
  Last clearing of "show interface" counters 00:18:46
  Input queue: 0/32/0/0 (size/max/drops/flushes); Total output drops: 175
  Queueing strategy: fifo
  Output queue: 0/100 (size/max)
  5 minute input rate 28000 bits/sec, 14 packets/sec
  5 minute output rate 135000 bits/sec, 9 packets/sec
     40418 packets input, 9560526 bytes, 0 no buffer
     Received 2108 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 4419 multicast, 0 pause input
     43948 packets output, 31662276 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     38 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out


RTE#sh ip int g0/0/1
GigabitEthernet0/0/1 is up, line protocol is up
  Internet address is *******/23
  Broadcast address is 255.255.255.255
  Address determined by DHCP
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing Common access list is not set
  Outgoing access list is not set
  Inbound Common access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  Associated unicast routing topologies:
        Topology "base", operation state is UP
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
  Input features: Virtual Fragment Reassembly, NAT Outside, MCI Check
  Output features: Post-routing NAT Outside
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled


RTE#sh int g0/0/1
GigabitEthernet0/0/1 is up, line protocol is up
  Hardware is ISR4321-2x1GE, address is 00f2.8b29.2401 (bia 00f2.8b29.2401)
  Description: INTERNET-OUTSIDE
  Internet address is *******/23
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  Full Duplex, 1000Mbps, link type is auto, media type is RJ45
  output flow-control is off, input flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:37:59, output hang never
  Last clearing of "show interface" counters 00:19:48
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 145000 bits/sec, 61 packets/sec
  5 minute output rate 35000 bits/sec, 12 packets/sec
     99094 packets input, 36172421 bytes, 0 no buffer
     Received 52087 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 129 multicast, 0 pause input
     36886 packets output, 9840593 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out


RTE#sh ver
Cisco IOS XE Software, Version 16.06.02
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Wed 01-Nov-17 07:09 by mcpre

ROM: IOS-XE ROMMON

Pinicon_Place uptime is 6 hours, 23 minutes
Uptime for this control processor is 6 hours, 26 minutes
System returned to ROM by PowerOn at 23:59:00 CDT Sat Mar 24 2018
System restarted at 10:10:32 CDT Tue Apr 10 2018
System image file is "bootflash:isr4300-universalk9.16.06.02.SPA.bin"
Last reload reason: PowerOn

Suite License Information for Module:'esg'

Suite                 Suite Current         Type           Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9     None                  None           None
 securityk9
 appxk9

AdvUCSuiteK9          None                  None           None
 uck9
 cme-srst
 cube

Technology Package License Information:

Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
appxk9           None             None             None
uck9             None             None             None
securityk9       securityk9       EvalRightToUse   securityk9
ipbase           ipbasek9         Permanent        ipbasek9

cisco ISR4321/K9 (1RU) processor with 1796760K/6147K bytes of memory.
Processor board ID FLM1951W070
2 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
3223551K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102
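The running-config pasted above still carries several statement types that hold credentials (enable secret, SNMP communities including the RW one, NHRP authentication string, the public NHS address), although the poster redacted others with *****. The following is an added example, not part of the post or any Cisco tool: a small sanitizer that a practitioner can run over an IOS/IOS-XE config before sharing it. The sample config it processes is constructed in the shape of the one above, with made-up secrets and addresses; the pattern list covers the credential-bearing statements that appear in that config.

```python
"""Redact credentials and public addresses from an IOS/IOS-XE config
before pasting it into a forum post.

Added example, not part of the post or any Cisco tool.  SAMPLE_CONFIG
is constructed in the shape of the config above with made-up values.
"""
import ipaddress
import re

# (pattern, replacement): group 1 keeps the statement, the secret is dropped.
REDACTIONS = [
    (re.compile(r"^(\s*enable (?:secret|password)(?: \d)?) \S+"), r"\1 <REDACTED>"),
    (re.compile(r"^(\s*snmp-server community) \S+"), r"\1 <REDACTED>"),
    (re.compile(r"^(\s*snmp-server host \S+(?: version \S+)?) \S+"), r"\1 <REDACTED>"),
    (re.compile(r"^(\s*username \S+ .*?(?:password|secret)(?: \d)?) \S+"), r"\1 <REDACTED>"),
    (re.compile(r"^(\s*pre-shared-key .*\bkey(?: \d)?) \S+"), r"\1 <REDACTED>"),
    (re.compile(r"^(\s*key(?: \d)?) \S+"), r"\1 <REDACTED>"),   # tacacs/radius server key
    (re.compile(r"^(\s*ip nhrp authentication) \S+"), r"\1 <REDACTED>"),
]

# Ranges left in place: RFC 1918, 0.0.0.0/8 (where wildcard masks such as
# 0.0.0.255 fall), loopback, link-local, multicast, and 240.0.0.0/4
# (which covers subnet masks such as 255.255.255.0).
KEEP_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]
DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def redact_secrets(text):
    """Apply the first matching redaction to each line; returns (text, hits)."""
    out, hits = [], 0
    for line in text.splitlines():
        for pat, repl in REDACTIONS:
            new, n = pat.subn(repl, line, count=1)
            if n:
                line, hits = new, hits + 1
                break
        out.append(line)
    return "\n".join(out), hits


def _keep(addr_text):
    try:
        addr = ipaddress.IPv4Address(addr_text)
    except ValueError:          # e.g. 999.1.1.1 is not an address at all
        return True
    return any(addr in net for net in KEEP_RANGES)


def mask_public_ips(text):
    """Replace every dotted quad outside KEEP_RANGES with a placeholder."""
    return DOTTED_QUAD.sub(
        lambda m: m.group(0) if _keep(m.group(0)) else "<PUBLIC-IP>", text)


def sanitize(text):
    """Secrets first, then public addresses; returns the shareable config."""
    redacted, _ = redact_secrets(text)
    return mask_public_ips(redacted)


# Constructed sample in the shape of the running-config above.
SAMPLE_CONFIG = """\
hostname RTE-SAMPLE
enable secret 5 $1$abcd$NotARealHashJustASample0
username admin privilege 15 password 7 0123456789ABCDEF
snmp-server community publicRO RO
snmp-server community writeME RW
snmp-server host 10.255.8.158 publicRO
crypto keyring keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key Sup3rS3cret
interface Tunnel0
 ip nhrp authentication s3cret
 ip nhrp map 10.255.14.1 198.51.100.7
interface GigabitEthernet0/0/0
 ip address 10.50.10.254 255.255.255.0
tacacs server alcise01
 address ipv4 10.255.0.30
 key 7 FEDCBA9876543210
"""

if __name__ == "__main__":
    print(sanitize(SAMPLE_CONFIG))
```

The statement keywords survive, so readers can still reason about the AAA, SNMP and DMVPN setup, while the values that would let someone log in or write via SNMP are gone. Anything the pattern list does not know about is left untouched, so the output is still worth a read-through before posting.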



Are all cables built the same when it comes to POE?

I did a quick search on Google to see if you can send PoE on a Cat5e cable. The answer I found was yes.

I was looking for a spool of cable and found this one on Amazon for $40. VIVO 1,000 ft bulk Cat5e Ethernet Cable / Wire UTP Pull Box 1,000ft Cat-5e Style Grey (CABLE-V001) https://www.amazon.com/dp/B0092TG310/ref=cm_sw_r_cp_apa_XjuZAb1FA6SC6

While watching the video I noticed that it said not recommended for PoE. Is there a special 5e cable for PoE?



Idle curiosity, what exactly might have caused this failure? (physical layer)

Dropped a brand new laptop (HP) off to an end user in a pod group, plugged into the switch, immediately discovered that the laptop only had network on WiFi, the cabled connection was dead.

Root cause: the cable running from the 5 port gigabit switch to the wall was incompatible with this laptop.

Two different switches were tried, different cables from the switch to the laptop were tried, other machines plugged into either switch worked, plugged the wall/switch cable into other machines and it worked fine, just that one specific cable if used from wall --> laptop, wall --> switch or switch --> laptop killed the ethernet connection.

I'm just curious what theoretically might have been going on to cause the failure? What made that specific cable incompatible with that specific laptop but no others?



Testing on a Fluke TS44 Butt Set

Hey guys, new to this subreddit but hoping I could get some advice. I've been doing Freelance IT for about 5 years now, and have just recently started dealing with some telephone type stuff. I found a used Fluke TS44 Deluxe Butt Set in a surplus sale, and picked it up for pretty cheap. Telephony-wise all I need it for is checking dial tone at a 66-block, etc. nothing too complicated.

Anyway, to my question: Does anyone have any suggestions for how to test it at home (no phone line), before taking it out on a job where it'll be too late to find out it doesn't work? I've replaced the battery and looked through the manual, but can't come up with any ideas on testing without access to a phone line.

Thanks for your help!



What makes you like your network

Name something you like about your network.



Could you please participate in my survey?

I am a student currently doing research on "The Impact on Software Maintainability from the use of Agile Software Development Methodologies". I hope to get your response on my survey for this research.

Please find the survey link as below: https://lancasteruni.eu.qualtrics.com/jfe/form/SV_57oT3d5hIfu3VT7



Pushing VLAN configuration via DHCP Option on Allied Telesis X230 switches.

Hi! Does anyone here have any experience with pushing out configuration via DHCP option on AT switches? I know Cisco can do this but after searching a bit on google I have not found a definitive answer for this.



Sufficient for 41 iSCSI clients?

Alright. Everything is ordered for the upgrade following advice and research. Expected delivery this upcoming Monday. I have looked at a couple hundred diagrams and layouts online and read some best practices papers for iSCSI and VMx. I think this is right but would appreciate a yes or no so I can move forward or go back to reading.

Present layout is ISP to pFsense (firewall DHCP) to an HP v1910 with LAN to 41 clients that are all hosting their own OS but use one iSCSI game drive called CCDisk. The CCDisk server connects to the HP v1910 through an unteamed Intel QUAD pro 1000 NIC and RJ45. So partially virtualized?

Upcoming configuration when the switch and SFPs arrive will be the ISP to the pFsense (firewall DHCP) to an HP 5900 48 10G with LAN out to 41 clients that diskless boot from iSCSI OS and iSCSI game drive called CCBoot. The CCBoot server will connect to the HP 5900 through Intel 10G SFP+.

Seems all sites say to disable all MS stuff on the NIC and CCBoot says to disable all off loading and flow control on the NIC.

From my inelegant description, do I have this correct? And will I need to disable the same protocols in the HP 5900 switch?

Thanks



SPAN Aggregation question - using spare switch vs. Gigamon, Ixia, etc.

For basic SPAN aggregation needs, why would someone opt for a Gigamon, Ixia or similar when you can use a spare switch to ingest SPANs from multiple switches and then feed those source interfaces to a destination port which contains your monitoring tool? I realize Gigamon, Ixia, etc. have advanced filtering options such as only feed http to Tool-1, ftp to Tool-2, and the config options of "one to many", "many to one", etc., but if you just have basic needs and want to consolidate and send all data from multiple feeds to a single tool, is there any reason not to use a spare switch?



HP/Aruba 2920 - Isolate Specific VLAN

Hello All,

I have a question: we have two switches in our rack for our main office (adding a third soon and stacking them all). The VLANs are handled by the switches, configured by the previous tech. I am looking to isolate the wireless guest VLAN and re-configure anything else if needed. The problem is that I cannot seem to find the routes for inter-VLAN routing. I've added the config from SW1 below; we are also running a SonicWall firewall.

hostname "HP-2920-48pt-G sw1"
module 1 type j9729a
trunk 5-6 trk1 lacp
trunk 7-8 trk2 lacp
trunk 1-2 trk4 lacp
ip access-list extended "100"
   10 deny ip 192.168.60.0 0.255.255.255 192.168.40.0 0.255.255.255
   20 deny ip 192.168.60.0 0.255.255.255 192.168.50.0 0.255.255.255
   30 permit ip 192.168.60.0 0.255.255.255 192.168.10.254 0.0.0.0
   35 permit ip 192.168.60.0 0.255.255.255 192.168.10.1 0.0.0.0
   40 permit ip 192.168.60.0 0.255.255.255 192.168.20.14 0.0.0.0
   50 permit ip 192.168.60.0 0.255.255.255 192.168.20.15 0.0.0.0
   60 deny ip 192.168.60.0 0.255.255.255 192.168.10.0 0.255.255.255
   70 deny ip 192.168.60.0 0.255.255.255 192.168.20.0 0.255.255.255
   80 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
ip access-list extended "Wireless_Guest"
   exit
ip default-gateway 192.168.10.1
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip routing
interface 1
   name "SW2 Prt 1 Uplink"
   no power-over-ethernet
   exit
interface 2
   name "SW2 Prt 3 Uplink"
   no power-over-ethernet
   exit
interface 3
   name "SonicWall_LAN"
   no power-over-ethernet
   exit
snmp-server community "public" unrestricted
snmp-server contact "Bob"
oobm
   no ip address
   exit
vlan 1
   name "Default_Management"
   no untagged 3-4,9-22,25-36,39-48,Trk1-Trk2,Trk4
   untagged 23-24,37-38,A1-A2
   ip address 192.168.1.254 255.255.255.0
   ip address 192.168.100.254 255.255.255.0
   exit
vlan 10
   name "Transport"
   untagged 3,13,46-48
   ip address 192.168.10.254 255.255.255.0
   ip helper-address 192.168.20.14
   ip helper-address 192.168.20.15
   exit
vlan 20
   name "Server"
   untagged 4,9-12,Trk1-Trk2
   tagged 23,25,Trk4
   ip address 192.168.20.254 255.255.255.0
   ip helper-address 192.168.20.14
   ip helper-address 192.168.20.15
   exit
vlan 30
   name "Phone"
   untagged 21
   tagged 23,25,Trk4
   ip address 192.168.30.254 255.255.255.0
   ip helper-address 192.168.20.15
   ip helper-address 192.168.20.14
   voice
   exit
vlan 40
   name "Workstation"
   untagged 16-19,35,41-45,Trk4
   tagged 14,40
   ip address 192.168.40.254 255.255.255.0
   ip helper-address 192.168.20.14
   ip helper-address 192.168.20.15
   exit
vlan 50
   name "Wireless_Internal"
   tagged 14
   ip address 192.168.50.254 255.255.255.0
   ip helper-address 192.168.20.14
   ip helper-address 192.168.20.15
   exit
vlan 60
   name "Wireless_Guest"
   tagged 15
   ip address 192.168.60.254 255.255.255.0
   ip helper-address 192.168.20.14
   ip helper-address 192.168.20.15
   exit
vlan 70
   name "Security"
   untagged 20,22,25-34,36,39
   tagged Trk4
   ip address 192.168.70.254 255.255.255.0
   ip helper-address 192.168.20.14
   ip helper-address 192.168.20.15
   exit
vlan 1500
   name "Internet"
   no ip address
   exit
spanning-tree
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk4 priority 4
spanning-tree priority 0
no autorun
no dhcp config-file-update
no dhcp image-file-update
device-profile name "default-ap-profile"
   cos 0
   exit
activate provision disable
password manager

Edit: Code formatting
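The extended ACL "100" in the config above is where the guest isolation is meant to live, and wildcard-mask semantics decide what it really matches: a 0 bit in the wildcard must match, a 1 bit is ignored, so 0.255.255.255 pins only the first octet, while 0.0.0.255 is the wildcard for a /24. The block below is an added example, not part of the post: a small evaluator that parses those entries, walks them first-match, and reports which entries an earlier entry shadows. With the masks as written, entry 10 already matches any 192.x.x.x source to any 192.x.x.x destination, so the later permits for 192.168.10.254, 192.168.10.1, 192.168.20.14 and .15 are never reached; ACL_100_FIXED is a constructed variant with 0.0.0.255 wildcards to show the difference. The sample flows are constructed, and whether ACL 100 is applied to an interface is not shown in the excerpt.

```python
"""Evaluate HP/Cisco-style extended ACL entries with wildcard masks.

Added example, not from the post.  ACL_100 is copied from the config
above; ACL_100_FIXED and the sample flows are constructed here.
"""
import ipaddress
import re

ACL_100 = """\
10 deny ip 192.168.60.0 0.255.255.255 192.168.40.0 0.255.255.255
20 deny ip 192.168.60.0 0.255.255.255 192.168.50.0 0.255.255.255
30 permit ip 192.168.60.0 0.255.255.255 192.168.10.254 0.0.0.0
35 permit ip 192.168.60.0 0.255.255.255 192.168.10.1 0.0.0.0
40 permit ip 192.168.60.0 0.255.255.255 192.168.20.14 0.0.0.0
50 permit ip 192.168.60.0 0.255.255.255 192.168.20.15 0.0.0.0
60 deny ip 192.168.60.0 0.255.255.255 192.168.10.0 0.255.255.255
70 deny ip 192.168.60.0 0.255.255.255 192.168.20.0 0.255.255.255
80 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""
# Constructed variant: the same entries with the wildcard a /24 needs.
ACL_100_FIXED = ACL_100.replace("0.255.255.255", "0.0.0.255")

ENTRY = re.compile(r"^(\d+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_acl(text):
    """Return [(seq, action, src, src_wc, dst, dst_wc)] as ints, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            seq, action, src, swc, dst, dwc = m.groups()
            entries.append((int(seq), action, _ip(src), _ip(swc), _ip(dst), _ip(dwc)))
    return entries


def wildcard_match(addr, base, wildcard):
    """True when every bit the wildcard marks as 'must match' (0) agrees."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(entries, src, dst):
    """First-match walk; returns (seq, action), or (None, 'deny') for the
    implicit deny at the end of every ACL."""
    s, d = _ip(src), _ip(dst)
    for seq, action, bs, ws, bd, wd in entries:
        if wildcard_match(s, bs, ws) and wildcard_match(d, bd, wd):
            return seq, action
    return None, "deny"


def covered_hosts(wildcard):
    """Number of addresses a wildcard mask lets through: 2 ** (set bits)."""
    return 2 ** bin(_ip(wildcard)).count("1")


def shadowed_entries(entries):
    """Sequence numbers whose own base src/dst pair is caught by an earlier
    entry, i.e. entries that cannot be the first match even for the hosts
    they name."""
    shadowed = []
    for seq, _action, bs, _ws, bd, _wd in entries:
        hit, _ = evaluate(entries, str(ipaddress.IPv4Address(bs)),
                          str(ipaddress.IPv4Address(bd)))
        if hit != seq:
            shadowed.append(seq)
    return shadowed


if __name__ == "__main__":
    for label, text in (("as written", ACL_100), ("with 0.0.0.255", ACL_100_FIXED)):
        acl = parse_acl(text)
        print(label, "guest -> DHCP server:", evaluate(acl, "192.168.60.50", "192.168.20.14"))
        print(label, "VLAN 70 -> workstation:", evaluate(acl, "192.168.70.9", "192.168.40.10"))
        print(label, "shadowed entries:", shadowed_entries(acl))
    print("hosts matched by 0.255.255.255:", covered_hosts("0.255.255.255"))
```

Run as written, a guest host to the DHCP server on 192.168.20.14 is denied at entry 10, and a Security-VLAN host (192.168.70.x) to a workstation is denied there too, because both are 192.x to 192.x; with /24 wildcards the same flows hit entries 40 and 80 respectively and nothing is shadowed. The shadowing check only probes each entry's own base pair, so an empty result means "not obviously shadowed", not a proof of reachability.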