Saturday, April 21, 2018

Large network diagrams help and tips

I'm working on a large redesign project that includes 4 datacenters. My Visio diagram is getting rather complex and crammed with info. I'm sure this will make it very difficult for our NOC personnel to read while troubleshooting. This made me wonder: how do you organize your Visio diagram and make it easily readable? Any tricks and tips other than breaking the environment down into subsections?

For whatever it's worth, a single datacenter includes 8x IPsec headends, 6x aggregation switches, 2x firewalls and 2x WAN CE routers, all cross-connected.



Cisco 1841 Routing Question

Hello - I've been a bit of a lurker on this subreddit.

A bit of insight on what's going on:

I currently own a Cisco 1841, 1x Cisco 3750 48-port switch, 1x 2960 48-port & a Cisco 2811. At the moment, I use Spectrum (TWC) as my ISP and my own modem or 'media converter', bringing the coax signal into the box and out with Ethernet. The speed I currently pay for is 100/10. I hover around 116/10 depending on the day.

I already have my whole network planned out, using a whiteboard & markers // Packet Tracer.

I have the LAN side configured on my Cisco 1841. The WAN side is set to DHCP since I don't have a static IP address assigned by my ISP. (That costs extra)

Main question: I have my router set to a few protocols; at the moment I have RIP and OSPF set up. When I insert my ISP Ethernet cable into my WAN port (Fas0/1), it automatically obtains the IP, which is fantastic. However, do I need anything else configured on my Cisco 1841 to allow my network to go out to the interwebs? I just want to double check and get any advice if needed!

LAN side: completely pings, and works perfectly.



How to capture all east-west traffic?

As the title suggests, literally all. One example to give: if I ping Bob's computer, which is on the same VLAN as me, those packets won't leave our access switch at all. How does one go about making sure all traffic can be pulled into each of our tools and analyzers?

I don't think any switch really supports SPAN of literally every port on the switch. There will always be limitations. For example, if I SPAN a layer 2 VLAN, I only capture ingress traffic, etc.

Is it an impossible task? I was thinking one way might be “pvlan everything” every access port network wide is an Isolated Port, to force all their traffic up through the uplink where in-line network taps can nab it.

Thoughts?



Not allowed to change port link type

Trying to change VLAN 1 ports to access instead of bridge. The rules are being accepted but not applied on save.

system-view
interface ten-gigabitethernet 1/0/49
port link-type access
quit

It takes the command with no errors but does not apply it.

I am taking a guess that since it's for a single default VLAN they all have to change? I can't figure out how to globally apply this to all ports on VLAN 1. HP 5900.



Cisco 2960G won't boot from new IOS

I am trying to upgrade the IOS on my switch, and it won't let me. I altered the boot system to boot from a file in the flash. I have already tftp'd the new IOS to the switch's flash and saved the configuration, but still, the old IOS starts up... This is the show boot output:

https://gyazo.com/2b54b76404fba34fccf3fd19bbf643ee

EDIT: The IOS file is a .tar not .bin, is that why this doesn't work?



Company blocking

So in the past week or so my company installed new website blocking software. I also confirmed with my IT guy that they are heavily tracking our internet behaviors (I work for a large ISP).

He was kind enough to activate a DSL Modem under my desk that is unmonitored, but it's not on my company's network so I can't access certain websites and functions that I need for my work.

I COULD just wire to the DSL and VPN in, but the connection gets wonky and it's sort of cumbersome and I'm trying to avoid doing it.

In a perfect world I would have both Ethernet cables plugged into a hub, and then be able to hit a switch to pick which Ethernet cable to use. So I can switch back and forth during the day.

Sorry if this is a dumbass question but from what I can see a standard hub or switch won't work.

Thanks!



Multiple CCNA's?

So, I had a CCNA many years ago (when you took a test, and got a CCNA, there was no differentiation).

So, I've got 20+ years experience on all sorts of network gear (Racal Datacom, Bay Networks, HP, Cisco, Juniper, Extreme, Palo Alto, etc.). I left a job after 12 years, and wondering if having multiple CCNA certificates makes sense - CCNA R&S, Wireless, Security, Data Center and Cloud, specifically. I feel it would show that I am a generalist, and can drill down into any issue that comes up.

Thoughts?

I did recently achieve some HPE/Aruba certs, but spent more than 20 years working on Cisco gear.



Port mode question

Hi. Just curious as to what is better: setting all ports on a switch as 'access' or 'bridge'? It seems the HPE switch I have sets all 52 ports to bridge mode when I reset it to factory defaults, whereas a different HP switch sets all 48 to access. This is on a flat network, no VLANs.



Could I park a RADIUS server outside my private (home) network (say on the Internet) while performing user authentication for my private network?


Hit a wall with Nexus vPC keepalive over L3 port-channel

First off, I apologize; this is the first time I'm getting to try and configure a nexus vPC peerlink and kpa and I'm only asking here after having spent hours reading docs and trying different things. I can't seem to ping the ip in my kpa link and I can't bring the kpa link up.


I have two Nexus 7706's in the following configuration Eth1/23-24 & Eth2/23-24 are the peer-link and Eth5/48 & Eth6/48 are the KPA link, bundled in Layer 3 port-channel. (Everything is mirrored on the other N77k)


To add an additional layer of difficulty, I can typically only run 1 N77k at a time. The room they are in has BARELY enough power to support both without tripping breakers and the temp rises to 100 degrees F as soon as I power both N77ks on. (This is just a staging area, the final location is under construction and won't have these issues) These factors are outside of my control, so I can only run both for a limited time. Right now one is powered off while I work on this over the weekend. I realize this severely restricts troubleshooting a link that's supposed to have 2 sides, but I will have to wait until I'm back in the office to power the other one up.


Here is my config:

I've created an additional vdc and named it CORE. I have allocated all interfaces to this vdc.

From within the vdc CORE I have:

feature lacp
feature vpc

vrf context vpc-keepalive
  ip route 0.0.0.0/0 198.168.100.1

vpc domain 1
  role priority 1
  peer-keepalive destination 192.168.100.20 source 192.168.100.10 vrf vpc-keepalive
  no layer3 peer-router syslog
  peer-gateway
  layer3 peer-router
  ip arp synchronize

interface port-channel1
  description VPC-PEER-LINK
  switchport
  switchport mode trunk
  spanning-tree port type network
  storm-control broadcast level 10.00
  vpc peer-link
  ip arp inspection trust

interface port-channel100
  description VPC-PKA
  no switchport
  vrf member vpc-keepalive
  ip address 192.168.100.10/24

interface Ethernet1/23
  switchport
  switchport mode trunk
  storm-control broadcast level 10.00
  channel-group 1 mode active
  no shutdown

interface Ethernet1/24
  switchport
  switchport mode trunk
  storm-control broadcast level 10.00
  channel-group 1 mode active
  no shutdown

interface Ethernet2/23
  switchport
  switchport mode trunk
  storm-control broadcast level 10.00
  channel-group 1 mode active
  no shutdown

interface Ethernet2/24
  switchport
  switchport mode trunk
  storm-control broadcast level 10.00
  channel-group 1 mode active
  no shutdown

interface Ethernet5/48
  no switchport
  storm-control broadcast level 10.00
  channel-group 100 mode active
  no shutdown

interface Ethernet6/48
  no switchport
  storm-control broadcast level 10.00
  channel-group 100 mode active
  no shutdown

When I power both switches on, the po1 comes up just fine, but not po100.

N77k-CSW-01-CORE# show vpc peer-keepalive

vPC keep-alive status             : Suspended (Destination IP not reachable)
--Send status                     : Success
--Last send at                    : 2018.04.21 03:27:23 172 ms
--Sent on interface               :
--Receive status                  : Failed
--Last update from peer           : (106962) seconds, (834) msec

vPC Keep-alive parameters
--Destination                     : 192.168.100.20
--Keepalive interval              : 1000 msec
--Keepalive timeout               : 5 seconds
--Keepalive hold timeout          : 3 seconds
--Keepalive vrf                   : vpc-keepalive
--Keepalive udp port              : 3200
--Keepalive tos                   : 192

N77k-CSW-02-CORE# sh int po100 status

--------------------------------------------------------------------------------
Port          Name               Status    Vlan      Duplex  Speed   Type
--------------------------------------------------------------------------------
Po100         VPC-PKA            noOperMem routed    auto    auto    --

N77k-CSW-02-CORE# sh int po1 status

--------------------------------------------------------------------------------
Port          Name               Status    Vlan      Duplex  Speed   Type
--------------------------------------------------------------------------------
Po1           VPC-PEER-LINK      connected trunk     full    a-40G   --

N77k-CSW-01-CORE# sh ip route vrf vpc-keepalive
IP Route Table for VRF "vpc-keepalive"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

N77k-CSW-01-CORE#
N77k-CSW-01-CORE# ping 192.168.100.10 vrf vpc-keepalive
PING 192.168.100.10 (192.168.100.10): 56 data bytes
ping: sendto 192.168.100.10 64 chars, No route to host
Request 0 timed out
ping: sendto 192.168.100.10 64 chars, No route to host
Request 1 timed out
ping: sendto 192.168.100.10 64 chars, No route to host
Request 2 timed out
ping: sendto 192.168.100.10 64 chars, No route to host
Request 3 timed out
ping: sendto 192.168.100.10 64 chars, No route to host
Request 4 timed out

--- 192.168.100.10 ping statistics ---
5 packets transmitted, 0 packets received, 100.00% packet loss

I think the issue lies somewhere with the No route to host error when the pings drop, but I don't know how to resolve that. I specified a static route of 0.0.0.0/0 192.168.100.1 under the vrf context vpc-keepalive, but I don't think this gateway actually exists anywhere.

I thought, "Hey, maybe I need to create an SVI with a gateway of that 192.168.100.1," but that didn't work either.

N77k-CSW-01-CORE(config)# int vlan 100
N77k-CSW-01-CORE(config-if)# ip address 192.168.100.1/24
% IP address is configured/resolved as the next hop of a static route
N77k-CSW-01-CORE(config-if)# exit
N77k-CSW-01-CORE(config)# vrf context vpc-keepalive
N77k-CSW-01-CORE(config-vrf)# no ip route 0.0.0.0/0 192.168.100.1
N77k-CSW-01-CORE(config-vrf)# exit
N77k-CSW-01-CORE(config)# int vlan100
N77k-CSW-01-CORE(config-if)# ip address 192.168.100.1/24
% 192.168.100.1/24 overlaps with address configured on port-channel100

So that's where I'm at. I'm kinda at a standstill and still researching around. Right now the KPA port-channel is down because the 2nd N77k is powered off, but I had the same issue when it was powered on.

If anyone has any suggestions or can point out where I'm being a bonehead, I'd really appreciate it. Again, I apologize for asking, but I'm stuck and could use a little guidance.



Unable to traverse VLANs

Huge networking noob here. I've mainly been a SysAdmin most of my career but have recently had to run double duty so would appreciate any help/guidance you can provide for a novice.

I have an Aruba 5406R as my aggregation switch, which was recently replaced. Since then I'm unable to traverse VLANs or reach my default gateway (Fortigate firewall @ 10.3.0.10) from any VLAN other than VLAN 1.

This was recently refreshed from a ProCurve 5406zl to an Aruba 5406R zl2. The only thing that changed in the hardware replacement was the config. The IP of the switch & router ID changed from 10.3.0.3 to 10.3.1.1 to clean up some sloppy IP management. Here's a snippet of my config. I'm at a complete loss as to why VLAN 4 can't reach VLAN 1.

trunk B21-B22 trk1 lacp
trunk B23-B24 trk2 lacp
trunk D21-D22 trk3 lacp
trunk D19-D20 trk4 lacp
trunk B19-B20 trk5 lacp
logging facility syslog
logging severity warning
include-credentials
timesync sntp
time timezone -300
no web-management
ip default-gateway 10.3.0.10
ip route 0.0.0.0 0.0.0.0 10.3.0.10 distance 250
ip router-id 10.3.1.1
ip routing
router ospf
   area backbone
   redistribute connected
   enable
   exit
vlan 1
   name "Admin"
   no untagged A1-A24,B1-B18,D1-D5,D17
   untagged D6-D16,D18,D23-D24,Trk1-Trk5
   ip address 10.3.1.1 255.255.252.0
   ip ospf 10.3.1.1 area backbone
   exit
vlan 4
   name "Academic"
   untagged A1-A24,B1,B3,B5,B7,B9,B11,B15,B17-B18
   tagged Trk1-Trk5
   ip address 10.3.4.1 255.255.252.0
   ip helper-address 10.3.2.1
   ip helper-address 10.3.2.21
   ip forward-protocol udp 10.3.2.21 4011
   ip forward-protocol udp 10.3.2.21 tftp
   ip ospf 10.3.4.1 area backbone
   exit
vlan 10
   name "Voice"
   untagged D1-D5
   tagged A1-A24,B1-B18,D6-D18,D23-D24,Trk1-Trk5
   no ip address
   voice
   exit



How to enable Routing on 2960G(L3 Switch)?

I took this switch from work, and it in fact is capable of Static Routing. However, I believe the version required is 12.2(55) and up, and mine is 12.2(44). The switch also has LANBASE license.

Currently, the 'sdm prefer lan-base' command is not available.

I've never upgraded a Switch before, what's the process for it? Do you have to pay? This is just for lab purposes so I can expand my Networking knowledge.

Thanks



3850 Swap

Today we tried to replace a stacked set of 3850-12-S with a single 3850-48-E, however we couldn't get any network access to the users. We were able to see all the neighbors on the network and ping the device once we plugged it up. We verified the configs multiple times and even took a template from the same model and changed the IPs and trunks around to meet our needs. I think there might be an issue with the switch, we were unable to upgrade it to the newest version even after clearing up memory in the flash.

Anyone have any ideas what could be causing this issue? Thanks for the help!



Looking for advice setting up Solarwinds at work.

So I recently started my first networking based job as a NOC op. I love it. I'm learning a ton, and get to work on many different projects in the department. Today my supervisor said they want me to be in charge of setting up Solarwinds for our networks. We currently do not have a monitoring solution for the networking gear in our local facility, but we monitor solarwinds for other facilities.

This sounds like a pretty intensive project, and definitely more advanced than anything I've ever been assigned, but I'm very excited to take this on.

Anybody have experience setting up a network monitoring solution? Any advice would be awesome!



Are most enterprise customers stupid?

After watching this https://youtu.be/RGf3NelUsOs , I agree with this guy to a certain degree. I see a lot of enterprise IT people buying very expensive products to solve really basic problems. Sometimes these tools work well, but the cheaper alternatives work better, and still the IT managers buy the most expensive. Why do you think this is the case?



HP ProCurve One Services Modules

Hey All,

I have a 5406zl. I've read about the One Services Modules and Advanced Services Modules.

It sounds like these either come pre-installed with software (VMware, Hyper-V, Avaya SBC, etc), or you can choose a product from the cli.

My question is... Has anyone tried to install their own operating system on these? They are just compute modules with a CPU/memory/HDD... It should totally be possible to just install Windows Server 2016 on one?

Wondering if anyone has looked into this.

Thanks!



Friday, April 20, 2018

Cisco UC - Real Time Monitoring Tool and alerts

Hi folks,

I know Prime Collaboration Assurance is primarily the Cisco UC alerting tool. However, to save costs I want to look at RTMT. Can anyone tell me what alerting capabilities RTMT has? Disk usage? Server connectivity?



Learning Server Admin stuff as a Networking Guy

What are your thoughts on learning how the other half lives? I'm talking about learning how to set up physical servers, spin up VMs, learn about things like iWARP and RoCE, get your hands dirty on all this server stuff basically, until you're a wizard at Active Directory and can set up your own Domain Controller and generate certificates like a boss.

I find as a Networking Guy all of the above stuff is like black magic, and it makes me a little upset that I don't understand any of it to a high enough level where I could just walk in, set it all up, and have it all work.

Also part of me feels like if I ever wanted to set up my own network truly, I'd have to configure the servers too, not just the routers and switches.

Any thoughts? Is this kind of a useless thing to learn? I figured with Networking Guys branching out into automation, and software defined, why not branch out in that direction, too?

I've been reading /r/homelab off and on for a bit, and it kind of surprises me how a bunch of young professionals are setting up Linux boxes and spinning up ESXi just to play around, and I literally could not set up either of those things at all without Googling some kind of cheat sheet. Simply amazing.

Let me know your opinions on the matter!



ASA Help - Anyconnect VPN to Azure VPN routing (bgp)

Hey there.

We are spinning up an Azure instance for some application servers. I have successfully connected our internal network to Azure with routed VPN using BGP.

At some point in the very near future I will need to route our Anyconnect VPN clients to this network as well.

User connects with AnyConnect and receives a 10.1.1.x address.

Azure VTI address is 10.255.255.X

Internal network is 192.168.x.x (RIP)

router bgp 65500
 bgp log-neighbor-changes
 bgp graceful-restart
 bgp router-id 10.255.255.X
 address-family ipv4 unicast
  neighbor azure_gw remote-as 65515
  neighbor azure_gw ebgp-multihop 255
  neighbor azure_gw activate
  network 192.168.0.0
  network 10.255.255.0
  redistribute rip
  no auto-summary
  no synchronization
 exit-address-family

So I guess I need to get the routing information from the AnyConnect clients into the mix. How does one go about this? I know RIP isn't ideal, and I'm not averse to changing it, but our internal network is pretty simple...



Cisco CVE-2018-0171 Smart Install vulnerability

What are you all doing about the Cisco CVE-2018-0171 Smart Install vulnerability?

Just been tasked with getting no vstack onto about 400 devices... really should have got a Linux server set up for automation prior to this point.
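An added example (not from the original post) of the audit half of a rollout like this: it classifies each device's show vstack config output and emits the lines to push. The "Role: Client (SmartInstall enabled)" line format, the ACL name, the interface and the hostnames/outputs below are constructed assumptions.

```python
"""Audit 'show vstack config' output for Smart Install client status (CVE-2018-0171).

Standard library only. The output format is assumed from IOS 'show vstack
config' (the "Role: Client (SmartInstall enabled)" line); device names and
outputs are constructed sample data, not real devices.
"""
import re

ROLE_RE = re.compile(r"Role:\s*(\S+)\s*\(SmartInstall\s+(enabled|disabled)\)", re.IGNORECASE)
INVALID_RE = re.compile(r"Invalid input detected", re.IGNORECASE)


def smart_install_state(output):
    """Classify one device's 'show vstack config' output.

    Returns 'enabled', 'disabled', 'unsupported' (command rejected, so no
    Smart Install client to disable) or 'unknown' (unexpected output, needs a human).
    """
    m = ROLE_RE.search(output)
    if m:
        return m.group(2).lower()
    if INVALID_RE.search(output):
        return "unsupported"
    return "unknown"


def remediation_commands(state, fallback_acl=False):
    """Config lines to push for a given state.

    'no vstack' disables the Smart Install client. Where a release does not
    accept it, Cisco's advisory describes blocking TCP/4786 with an interface
    ACL instead; the ACL name and interface below are assumptions.
    """
    if state != "enabled":
        return []
    if not fallback_acl:
        return ["no vstack"]
    return [
        "ip access-list extended BLOCK-SMI",
        " deny tcp any any eq 4786",
        " permit ip any any",
        "interface GigabitEthernet1/0/1",  # uplink facing untrusted segments (assumption)
        " ip access-group BLOCK-SMI in",
    ]


def audit(outputs):
    """Map {hostname: output} to {hostname: state}. Gathering the outputs
    (SSH, an NMS export, ...) is left to whatever transport you already use."""
    return {host: smart_install_state(text) for host, text in outputs.items()}


def hosts_to_review(outputs):
    """Devices that still need 'no vstack' or a manual look."""
    return sorted(h for h, s in audit(outputs).items() if s in ("enabled", "unknown"))


# Constructed sample outputs (not real devices)
SAMPLE_OUTPUTS = {
    "sw-floor1": " Role: Client (SmartInstall enabled)\n Vstack Director IP address: 0.0.0.0\n",
    "sw-floor2": " Role: Client (SmartInstall disabled)\n Vstack Director IP address: 0.0.0.0\n",
    "rtr-edge": "                    ^\n% Invalid input detected at '^' marker.\n",
    "sw-lab": "some unexpected banner text\n",
}

if __name__ == "__main__":
    for host, state in audit(SAMPLE_OUTPUTS).items():
        fix = " / ".join(remediation_commands(state)) or "-"
        print(f"{host:12} {state:12} {fix}")
```

Re-run the audit after the push: a device whose output still reads "SmartInstall enabled" did not take the change.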



Seeking guidance on upgrading campus network

Hello everyone,

I recently became the decision maker for all things IT in my organization and have started looking into upgrading our campus switching equipment. My desire for focusing part of our limited resources on upgrading our network infrastructure is more or less a gut feeling that things could be better, and therefore I am seeking advice from those more experienced than myself about what to look for. Below is a little background information about our current situation.

Background:

  • We are a private school with multiple buildings spread throughout our campus and support around 1,000 users between students and staff
  • Older buildings are connected to the MDF through Cat5e and often daisy chain off of each other the further out they go.
  • Newer buildings are connected to the MDF through fiber
  • Current MDF switch is a Cisco Catalyst 4948 that is used to service IDFs and create three VLANs for different geographical areas of campus
  • Current IDF switches are mismatched brand and, for all intents and purposes, are unmanaged switches; most being 10/100 speed
  • Wifi is Aruba Instant APs, with a virtual controller in each VLAN
  • Purpose of the upgrade is to have a consistent and new network infrastructure that will sustain us for the foreseeable future; minimum 1G between switches with 10G possible.
  • We do not currently have any sort of network performance monitoring solutions or anything like that but I would like to in the future and have compatible equipment

With that in mind, I contacted CDW to discuss options and they ultimately suggested Aruba for our replacements. The core switch recommended was a 3810M (JL075A) and IDF switches were 2930F (JL256A#ABA) models. I have heard good things about Aruba and have been very happy with their wireless offerings but have no experience in their wired solutions. As far as other requirements, I am wanting PoE to power the access points and other equipment such as phones. Because of the budget and the equipment they are suggesting, this would be a phased replacement happening over the course of three to four years.

If anyone would be willing to share their opinion, I would be very grateful. I’ve tried to keep my post as concise yet detailed as possible but I recognize I may not have included a relevant piece of information, if that’s the case, I would be happy to further expand.

Thank you for your help.



Extreme/Zebra T3/T5 PowerBroadband VDSL Wireless System

So we have a site that we acquired last year. It is currently serviced via ~50x mc-802 802.11g access points, fed via a VDSL T3 PowerBroadband switch which we assumed. Obviously 802.11g sucks, speeds are not great, etc.

The issue is this site will be closing down at the end of next year for a full gut/renovation, with additional conduit/routes being installed as part of that scope. Lots of hard ceiling/etc makes it very hard to get cat6 around currently, which is why they had put this system in the first place. Obviously all of our other locations have Cat5e/Cat6 fed via POE with most having dual band 802.11 AC access points.

So what we are throwing around is possibly doing a replacement with upgraded equipment: tw-0511 units, which are single radio, but at least 802.11n, which would be many times better and help with much higher data rates and more efficient use of the 2.4 GHz spectrum. That would require the upgraded T5 PowerBroadband switch as well, which is supposed to offer better backhaul speeds.

Does anyone have any experience with this product line? Someone said at some point you may only get ~6-10 Mbps per AP, even though normally with 802.11g you can see a max of 20 Mbps, and the T3 broadband switch is supposed to do 75 Mbps down and 10 Mbps upload per AP. T5 is supposed to do 105 Mbps/50 Mbps, but all of those values are from the spec sheet.

I could probably be all in for around ~$6k to upgrade to the newer units/switches. Given all of the core drilling, wall cutting, conduit placement, wiring, and equipment, that would be required to do the ideal scenario, we could be talking 15x-20x that amount, which would be a very hard sell.



multi-tenancy vpn support with amazon using juniper vrf/vr

Hi Everyone - this is a continuation of my post on /r/juniper but some things have changed so starting a new one here..

I am trying to achieve multi-tenancy with Amazon VPNs. This usually means overlapping subnets between accounts (ex: two accounts can both have VPCs configured with 10.0.0.0/16 + I use 10.0.0.0/16 internally). It has been my understanding so far that ultimately I am going to have to NAT them to something that I can control, but my main issue right now is that I am trying to advertise routes on the VRF tunnels back to Amazon that I have received from my upstream SRX650.

Hopefully this graphic can shed some light: https://i.imgur.com/6UebBYo.png

My SRX650 is my main router. My SRX650 advertises routes to "APPNET" via BGP to my vSRX. I then use export policies for controlling which routes are advertised to which VRF and subsequently Amazon accounts; however, no matter what my export policy is, the routes are never re-advertised, even if I set an open accept. RIB groups and VRF export/import are new to me and I have tried hard at understanding and doing it, but the docs assume a higher level of knowledge than I currently have. I also realize I could use OSPF for local advertisement as well, but I know BGP more so I took the route I knew. I have tried routing-options instance-import MYNET-SVC-VR1, which didn't work; the error stated "cannot set instance-import on VPN VRF".

Can anyone tl;dr some config for what I am trying to achieve? tl;dr: I need an easy way to re-advertise received routes on inet.0 back through a VRF. I know I need rib groups or vrf-import/export but can't seem to figure out the logistics of the configuration. Config below:

routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.31.255.243;
        route 192.168.1.0/24 {
            discard;
            install;
        }
    }
    auto-export;
}
policy-options {
    prefix-list mynet-amazon-test {
        0.0.0.0/0;
        192.168.1.0/24;
    }
    prefix-list CLIENT-AMZ-ACCT1-BGP-MYNETPREFIX {
        10.98.39.96/28;
        10.98.39.112/28;
    }
    policy-statement CLIENT-AMZ-ACCT1-BGP-EXPORT-POLICY {
        term 1 {
            from {
                instance MYNET-SVC-VR1;
                prefix-list CLIENT-AMZ-ACCT1-BGP-MYNETPREFIX;
            }
            then accept;
        }
    }
    policy-statement MYNET-SRX650-BGP-POLICY {
        term 1 {
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    policy-statement mynet-amazon-bgp-policy {
        term 1 {
            inactive: from {
                protocol static;
                prefix-list mynet-amazon-test;
            }
            then accept;
        }
        inactive: term 2 {
            then reject;
        }
    }
}
routing-instances {
    CLIENT-AMZ-ACCT1-VR1 {
        instance-type vrf;
        interface st0.3;
        interface st0.4;
        route-distinguisher 1103:9999;
        vrf-target target:1103:9999;
        vrf-table-label;
        protocols {
            bgp {
                group CLIENT-AMZ-ACCT1-EBG {
                    type external;
                    advertise-inactive;
                    neighbor 169.254.47.121 {
                        hold-time 30;
                        export CLIENT-AMZ-ACCT1-BGP-EXPORT-POLICY;
                        peer-as 7224;
                        local-as 65000;
                    }
                    neighbor 169.254.45.45 {
                        hold-time 30;
                        export CLIENT-AMZ-ACCT1-BGP-EXPORT-POLICY;
                        peer-as 7224;
                        local-as 65000;
                    }
                }
            }
        }
    }
    MYNET-SVC-VR1 {
        instance-type virtual-router;
        interface reth1.0;
        routing-options {
            auto-export;
        }
        protocols {
            bgp {
                group MYNET-SRX650-BGP {
                    neighbor 172.28.255.243 {
                        hold-time 30;
                        export MYNET-SRX650-BGP-POLICY;
                        peer-as 65001;
                        local-as 65000;
                    }
                }
            }
        }
    }
    VR1 {
        instance-type vrf;
        inactive: interface reth0.0;
        interface st0.1;
        interface st0.2;
        route-distinguisher 7224:1000;
        vrf-target target:7224:1000;
        vrf-table-label;
        routing-options {
            static {
                route 192.168.1.0/24 discard;
                route 0.0.0.0/0 next-table inet.0;
            }
        }
        protocols {
            bgp {
                group ebgp {
                    type external;
                    advertise-inactive;
                    neighbor 169.254.46.225 {
                        hold-time 30;
                        export mynet-amazon-bgp-policy;
                        peer-as 7224;
                        local-as 65000;
                    }
                    neighbor 169.254.44.153 {
                        hold-time 30;
                        export mynet-amazon-bgp-policy;
                        peer-as 7224;
                        local-as 65000;
                    }
                }
            }
        }
    }
}


new IOS XR turnup

So we're looking at upgrading from our old RSP-4Gs on an ASR9010 to RSP440s. I'm doing pre-install upgrades on the new RSPs, got them upgraded to 5.3.4, and there is one thing conspicuously missing that I can't reconcile with the documentation.

I can't create SSH keys - the crypto key command doesn't exist (the crypto command only lists other subcommands). Forgot this was in exec mode, not config.

The http server command doesn't exist, only the http client command.

I have nearly every package installed (no BNG package or the 901 nV package) and I'm at a complete loss as to why these commands are straight up missing. Checking our existing router, I don't seem to be missing anything in configuration, but I'm not sure if I need to drop into the Linux shell to do keygen despite the command being documented for the XR environment.



Online Labs for Learning?

I'm looking for something like these Hera Virtual Labs to start learning more about cyber security. These are pretty pricey for very limited access. Is there something cheaper?

I want to learn during my downtime at my current job. Practicing on their systems is not exactly an option. This looked to be exactly what I was looking for.



Trying to remember a command for Cisco Switch to copy output to text file

Anyone know what command I can use for this?

Running a 'show mac-address table' on our 9500 series and want to know the command that will take that output and copy it into a text file so I can then convert it to an Excel document.
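The conversion half of the above, as an added example that is not from the original post or any Cisco tool: once the output is saved to a text file (for example with the IOS `| redirect` output modifier), this script turns the IOS/IOS-XE column layout into CSV that Excel opens directly. The sample table below is constructed; the column layout (Vlan, Mac Address, Type, Ports) is assumed from the IOS show mac address-table format.

```python
"""Convert 'show mac address-table' output to CSV (standard library only).

SAMPLE_OUTPUT is constructed in the IOS/IOS-XE layout; real output is read
from a file by convert_file().
"""
import csv
import io
import re

# One table row: VLAN (number or "All"), dotted-hex MAC, type, port(s).
ROW_RE = re.compile(
    r"^\s*(?P<vlan>All|\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<type>\S+)\s+"
    r"(?P<ports>\S+)\s*$"
)

FIELDS = ["vlan", "mac", "type", "port"]


def normalize_mac(cisco_mac):
    """'0011.2233.4455' -> '00:11:22:33:44:55' (the form most lookups expect)."""
    hexdigits = cisco_mac.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return the table rows as dicts; headers, separators and the trailing
    'Total Mac Addresses ...' line do not match ROW_RE and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "vlan": m.group("vlan"),
            "mac": normalize_mac(m.group("mac")),
            "type": m.group("type").upper(),
            "port": m.group("ports"),
        })
    return rows


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def convert_file(in_path, out_path):
    """Read saved CLI output, write CSV, return the number of rows converted."""
    with open(in_path) as f:
        rows = parse_mac_table(f.read())
    with open(out_path, "w", newline="") as f:
        f.write(to_csv(rows))
    return len(rows)


# Constructed sample output in the IOS/IOS-XE layout (not from a real switch)
SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  20    0050.56aa.bb01    DYNAMIC     Te1/1/1
Total Mac Addresses for this criterion: 4
"""

if __name__ == "__main__":
    print(to_csv(parse_mac_table(SAMPLE_OUTPUT)), end="")
```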



Multiple subnets on one switch

Hello fellow networkers! It's my first post here, related to an exercise I'm doing for university, and I would love to have some feedback on how I've done it and share some thoughts with you to get some clarification, if possible.

In short, the exercise is to build a Wi-Fi network for a town square, 40 m in length, with approximately 8k people living in that town. The network has to let approximately 1k people connect for every event held there. Yes, my teacher really loves a practical approach to networks.

The exercise breaks down into some points:

* rewriting the problem in technical language: check
* a small drawing of the placement of switches, routers, Wi-Fi APs etc.: check
* the kind of technology used, i.e. layer 2 or 3 switches, whether you need a router or not, why you are using a 2.4 or 5 GHz signal for Wi-Fi: (kinda) check
* subnetting: dear god help me

Basically, my problems come from the 3rd and 4th points of the exercise, propagating from the third to the fourth. So, I thought to place one layer 3 switch with four Gbps uplink ports all connected to a single layer 2 switch that would manage the 5 access points of the square (one in the center and one for each corner). Now, my main issue comes from the fact that if I use a subnet mask like 255.255.255.0, I can only cover 253 hosts, and this is not what I need; but if I use a different subnet for every access point, I can fulfill the needs of a much larger number of hosts. Now my main problem is: can I create those five different subnets on the same switch? Is it something I could do in real life, or do I need 5 different switches? How would you improve this solution, and above all, why in a particular way?

Final point, security of the network. Is it something I can achieve with just some common blocking rules, or do I need something more specific like a firewall?

Thanks in advance for your help! :)



Gigabit over CAT5?

We have several floors here and have just deployed cloud based VoIP. All floors are CAT6 and the VoIP mostly works correctly. On one floor, they have lots of quality problems, video stuttering etc... Their floor is all CAT5. Testing with a proper Fluke, the lines pass CAT5 testing, but fail CAT6.

All workstations are connecting at 1gbps.

Is it possible that the cause of our problems is related to the cabling? Would it be prudent to force the ports to 100 Mbps?



Are the copper ports shared with the SFP+ ports on the Cisco SG350X 10G?

Can't find a Cisco doc to say for sure, it appears to be the case, but before I spec these I want to be certain.



Best certs when you don't do implementation?

Hey guys -

In my new role I've stepped away from implementation and focus on architecture, business drivers etc.

I still need to stay very technical, just not to the point where I can turn the wrench. I have a CCNP in R&S and I'm thinking about taking CCIE R&S written... but where could I go from there.

CCDE maybe? Another vendor-agnostic certification that may offer less hands-on, configuration-oriented certificates?



How to progress from this current role.

My current job role is building IDF/MDF cabinets from scratch to complete units for enterprise clients. Having no formal networking qualifications, I was wondering what the next career step would be up the networking path, as I would like to develop my skills and career in networking.

Any ideas?



UDP file upload killing other traffic on SonicWall

So we just started using Signiant Media Shuttle to upload media to a remote site. It uses UDP to maximize the upload speeds. The problem is that when Media Shuttle is uploading a file, all other traffic is slowed to a crawl. Media Shuttle is capped around 90 Mbps, but our total upload capacity should be around 500 Mbps. We should have plenty of bandwidth to do other things, but even accessing web pages becomes very slow. We ran into this with another similar piece of software, but that client allowed me to set limits on bandwidth, and it only caused problems when the limit was set to "max", which I assume basically told the software to push the packets regardless of other traffic. Media Shuttle does not have options to control bandwidth on the client side. I've tried setting the priority of traffic on those ports to low, but it does not seem to make a difference. Any ideas?



ASA DHCP/VPN/Bridge-group Question

Hi All,

I'm trying to wrap my head around where specifically a configuration is failing in a lab scenario.

In short, I have an ASA which is set up for remote-user access. When users connect, they're given an IP address from the local pool 10.10.10.101/24 - 10.10.10.200/24. The ASA is set up with an additional DHCP pool for devices which connect to it on the bridge-group interfaces; these devices get an IP address of 10.10.10.10/24 - 10.10.10.100/24. The original intention was that users connected to the VPN would be able to access the devices which connect to the bridge-group on the ASA. What's happening is that the users get an IP address, but have no connectivity.

Configuration

My general understanding is that this is failing because these are two separate logical subnets, so the ASA is not routing traffic between them. The part that has me scratching my head is that if both subnets have a default gateway pointing to the ASA, and the ASA is set up to route traffic between same-security interfaces, where specifically is the communication failing between a user (e.g. 10.10.10.10/24) and a connected device (e.g. 10.10.10.100/24)?

Thanks in advance.



Business profit loss without having a backup internet provider

I remember seeing a graph estimating a business' profit loss when losing internet, but I can't seem to find it. It was a Cisco graph. If anyone could find it I would be extremely grateful.



cisco aironet active sensor

Has anyone purchased one of these to test wireless performance for their WLAN? Trying to determine whether I'm better off purchasing this to diagnose wireless network issues or setting up a RasPi to do this.



Looking for resources on programming SNMP?

I know I might be asking a lot, but I'm looking for some good resources on writing SNMP scripts/applications. I have mentioned in my previous posts that I'm working on a Raspberry Pi monitoring project. My goal is to attach dry contacts (door sensor, on battery, rectifier failure, etc.) to the Pi. When an event occurs and the dry contact closes/opens, I would like to send an SNMP trap to our NMS with the details of the event.

I made some progress yesterday by using pass-through within the snmpd.conf file but I'm looking for some good documentation and examples if possible.



Working for Cisco TAC

Alright I checked the sidebar so this seems a reasonable question considering I'm not early in my career.

Have any of you ever worked for Cisco TAC? I saw a job posting for customer support engineer (I'm assuming TAC since it's in Richardson, TX) and I'm curious what they really look for in a new hire. I have my CCIE in R/S and 6 years of networking experience, but have found so far that it can remove you from the long list of applicants due to the average salary expected by other CCIEs I'm guessing.

Would that position be considered a bad/lateral move? Would it even be possible to get at my "level"? I'm currently a senior networking engineer but tired of the operational aspect. I realize TAC would be purely operational, but it's a foot in the door as far as I'm concerned to other things. I've looked at other positions with them at the presale level but they all seem to require presale experience, so it's chicken and egg.

Thanks!



VLAN and Switches

I am fairly new to setting up VLANs but I get the premise and understanding of them.

Where I'm confused is on the switch side. We have an HP ProCurve switch and I am confused whether each VLAN needs a trunk port or if you just need one?



Changing IP Static Routes based on IP SLA - Cisco Nexus

Morning, Everyone - Looking to get some input on a project I'm working on and potential solutions.

Long story short, I'm trying to change a static route on a Nexus between two firewalls (10.10.10.1) and (10.10.10.2) if the internet becomes unreachable on one of them.

Trying to determine the best way to alter static routes in the following way ( writing in Pseudo-Code for simplicity)

If (Internet is reachable via 10.10.10.1)
    IP Route 0.0.0.0/0 10.10.10.1
Else
    IP Route 0.0.0.0/0 10.10.10.2

Currently no routing protocols are in place (OSPF or otherwise), and hoping to not implement one if I don't have to. Any ideas on this?

I'm considering using EEM to do this, but didn't know if there was an easier way?

Cheers, mates!
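One way to express that pseudocode in NX-OS, added here as an example rather than the poster's own configuration: an IP SLA probe with object tracking decides whether the primary default route stays installed, and a backup route with a worse preference takes over when it is withdrawn. The probe target 192.0.2.1 is a placeholder; the firewall addresses are the ones from the post.

```text
! Added example (not the original poster's config): track internet reachability
! through firewall 1 and fall back to firewall 2 when the probe fails.
feature sla sender

! Pin the probe to firewall 1 so it can never succeed via firewall 2.
! 192.0.2.1 is a placeholder; use a stable address that answers ICMP echo.
ip route 192.0.2.1/32 10.10.10.1

ip sla 1
  icmp-echo 192.0.2.1
  frequency 10
  threshold 500
ip sla schedule 1 life forever start-time now

! Dampen flaps: declare down after 10 s of failure, up after 30 s of success.
track 1 ip sla 1 reachability
  delay up 30 down 10

! Primary default route is only installed while track 1 is up; the backup
! via firewall 2 has preference 10 so it is used only when the primary is gone.
ip route 0.0.0.0/0 10.10.10.1 track 1
ip route 0.0.0.0/0 10.10.10.2 10
```

Because the switch only watches firewall 1's reachability, existing sessions will be dropped by firewall 2 on failover (it has no state for them), and the probe target should be a host that reliably answers ICMP echo.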



Replacing primary ASA in H/A pair (5585Xs)

Hey r/networking,

This weekend I will be replacing the primary ASA in my H/A pair of 5585Xs. What I mean by primary is, when I originally configured H/A, this unit was marked as the primary unit, and the other was the secondary. Is there anyone here who has done this that can give me a brief rundown of this process? I will post my strategy as of right now below, step by step. If I'm doing something wrong, or missing something, please let me know.

1- Receive the new RMA unit. Upgrade the image to match that of the current active unit. Install the same license as the current active unit. Install any flash images, such as Anyconnect, directly on the new RMA unit

2- Configure the same exact set of failover commands that is on the current (failing) primary to the new RMA unit.

3- In the datacenter, ensure that the Secondary unit is Active. Remove the failing unit. Remove all up-link and interface modules, and insert them in the new RMA unit. Also take the SSP hard drive out of the failing one and insert it in the new one??

4- Rack the new RMA unit and connect all of the connections. Lastly, connect the failover cable and pray that the 'Secondary-Active' unit takes its config and writes it to the newly added 'Primary-Standby Ready' unit, and not the opposite, like I've seen happen to people.

How does that look? My two huge follow up questions are below:

1- Is it necessary to, once I remove the failing unit from the H/A cluster, make the current 'Secondary-Active' unit the Primary, and then configure the new RMA unit as the secondary? I just want to avoid all possibilities of the new RMA unit with a blank config overwriting my production firewall when they detect each other.

2- In step 3, is it necessary to also install the SSP of the failing unit in the new RMA unit? From what I've researched, the SSP is mostly used for IPS/IDS services, which we are not running in our datacenter.

Thank you very much in advance for the feedback.



Need some help with our PFsense firewall.

Hello,

Recently replaced our firewall with a PFSense, or at least have it ready to.

Everything is in-line and ready to go; when we swap it out, devices can connect to the internet and everything looks fine internally. I sent out a test email, and it makes it out just fine, however I'm not getting my replies back into the email.

Our setup is an Exchange server, with a Barracuda email security gateway. I am seeing the emails coming into the gateway, but they are listed as deferred from there. So it looks like they just make it to that point, but not from there to the exchange server.

Some things I've noted:
I can access OWA via URL externally, but not internally.
I can access OWA if I type the local IP internally (https://#.#.#.#/owa/)
Pinging mail.ourdomain.com resolves the correct IP address.
Outlook connects to exchange just fine.

I'm not very good with firewall rules and I'm limited on my understanding. This is giving me a headache, so I'm reaching out to you guys. Any ideas here? Between all the options listed in the PFsense, and the 1:1 NAT/Port Forwarding/Firewall Rules inbound/outbound/source and destination ports and IPs I'm just confused on what should be set here. I feel like an idiot right now.

I appreciate the help, thanks in advance. We're currently swapped back to the old one, and everything works at that point. I don't think it's a DNS issue, as everything stays the same there and all IPs resolve the same now when pinging the domains.

Thanks!



Juniper Op Script Question

I’m currently in the middle of a migration from Cisco to Juniper. The more I play with Junos, the more I like certain aspects, but there is one thing that Cisco has that I have yet to find a satisfactory alternative to in Junos. Cisco IOS has a “Show Interface Trunk” command that will obviously display any ports configured as trunks. In all of my research Junos does not have this, you have to already know the trunk interface to find what vlans are on it.

In my googling, I ran across this forum board https://forums.juniper.net/t5/Ethernet-Switching/Simple-Trunking-Question/td-p/21857. The second answer contains an OP script that would do exactly what I want. The only problem is I have no idea how to use an OP script.

I’ve spent hours trying to learn all I could about it, but some things still don’t make sense. How do I load the script ON TO the switch? I understand how to load it into the config, but how do I get it on the switch in the first place. If anyone has detailed instructions or can point me in a direction to find them, I’d be super grateful.



Disabling TLS 1.0 on Windows SBS 2011 Breaks LDAP and OWA access

Hello!

I was hoping someone could shine some light on an issue we are experiencing. We need to disable TLS 1.0 and RC4 cipher suites on our SBS 2011 to be PCI compliant. When we turn off TLS 1.0 on the server, our LDAP connection from our firewall for our VPN users breaks and our OWA (Outlook Web Access) breaks. Does this come down to the browsers the users are using for OWA access? Our LDAP from our firewall for VPN users is set up to authenticate domain users. We use LDAP version 3 over TLS (SSL) on port 636. I have not been able to pinpoint why these 2 items break when turning off TLS 1.0 on the server. Any thoughts?



Ethernet runs, takes longer to connect.

Okay so I've wired my new house up with Ethernet cables. I've got internet and I'm trying to test out each run. So far I've tested eight, and I've run a speedtest on each. One in particular connects, but where the others connect to the network instantly, this one seems to take around 12-13 seconds to connect. But it seems okay once connected (not spent any considerable amount of time on it though, literally just ran a speedtest).

My testing isn't great, my new laptop doesn't have an ethernet port, so I've had to get my old laptop out (not very fast anymore), and it's currently installing about 200 windows updates.

Also, some of the runs were a little too short; I cut plenty off, but clearly not enough, so I've used some spare Cat5e keystone jacks to connect extra cable to them. The socket in question may be one of those, but as it stands I'm not 100% sure of that.

Anyway, is this a sign there may be an issue with stability? Is it likely it's just one of the cables that had to be patched up, or should I not worry?

Any software available to check line stability/speed? I normally run big files across my home network to my NAS, but I haven't moved in yet so that isn't here.



macsec encryption on DF links

Hello guys, I'm looking for solutions for encrypting Ethernet traffic (2x1 Gbps) over DF (xWDM) links. So far I've looked into the HPE and Cisco portfolios. HPE devices that support this feature are a bit expensive and kind of overkill. On the other hand, the Cisco 3560CX should do the job, but their documentation on this topic is inconsistent; supposedly, only downlink ports (switch to host) support MACsec.

I'm all open for your suggestions/thoughts on this matter!



Program for simulating subnet

Hey, I'm new to this subreddit so I don't know if this has been asked here, but is there a program that would simulate your home subnet?

I would like to get a clear image of what routers, computers, switches etc. are connected to my subnet and their IPs. Maybe even see all the devices that are connected to Wi-Fi, since it would help with security. So is there some program that would give a clear image of what devices are there and what devices are connected to what (if that would even be possible to do)? I know that for people experienced in subnetting this probably wouldn't be relevant, but for a newbie like me this would probably help to get a clear whole picture of the subnet. Also, if there is some other easy way to, for example, debug your subnet in case something doesn't work, please let me know.



What type of fiber connector is this?

If you look closely at the first picture you can see there are two fibers going to the connector. This made me think it's not some kind of weird variation of an LC connector. Maybe MT-RJ? But I have never seen nor used one before.

Link with two pictures, front and back https://imgur.com/a/qiTJaqH



Unable to connect using OpenConnect or Cisco AnyConnect VPN

I am using Ubuntu 16. I followed the steps here to get Cisco AnyConnect: https://uci.service-now.com/kb_view.do?sysparm_article=KB0010201

After I type /opt/cisco/anyconnect/bin/vpnui, the Cisco AnyConnect GUI pops up. Cisco AnyConnect on Windows works for me. But on Ubuntu, for "Connect to:", when I enter the same name I enter for Cisco AnyConnect on Windows, it gives the error

The VPN Connection failed due to unsucessful domain name resolution 

When I enter the Gateway my company provided, I get

connection attempt has failed due to server communication errrors. please retry the connection 

I then installed openconnect following the steps in this link: http://www.humans-enabled.com/2011/06/how-to-connect-ubuntu-linux-to-cisco.html

Under edit connections -> add -> Cisco AnyConnect VPN -> Create, I enter the company's gateway in Gateway and the DNS they provided in IPv4 Settings->Additional DNS servers

After I choose the VPN connection in VPN Connections, I get this:

SSL connection failure: The TLS connection was non-properly terminated. Failed to open HTTPS connection to [gateway] 

can anyone help with this?



Cisco 4900 switches at the core

Hi all. I was wondering if anyone here can provide some advice for my situation. Currently I have 2 Cisco 4900s at the core of my network doing HSRP for all the internal VLANs. The 2 4900s have 2 10-gigabit modules with 10 ports in each module. There are 9 stacks of 4 Cisco 2960s connecting to them at the access layer, 1 stack of 5 3750s, another 2 stacks of 2 2960s and 1 stack of 3 3850s. Now my issue is that we are expanding a part of our building and need to put in 2 additional stacks of 4 2960X switches to accommodate the new area. Will all of this be too much for the cores to handle, or do you guys think it should be fine? I know that without looking at the environment and how much traffic we get it's hard to just guess, but any insight will be appreciated. Thanks.



What DNS do you use & thoughts on quad9.net

I was wondering what DNS others are using and why

Also, for those who have used quad9.net (9.9.9.9) what do you think about it



state of the art: rogue APs, physical detection

I searched. Been a while.

I'm looking for a state of the union on rogue APs. I manage small Cisco shops and we use basic network sanitization and strict controls with open access to admins for approval. In short, we try to make it more work to shadow IT than it is to ping us to work with the situation. I'd like to think nobody is happy. That's compromise.

That said, I've got a friend working a project who is being tasked with a segment on physically tracking rogue APs and I've been accessed as a resource. My General Sanitation and Sanity response didn't go over well. Client is HIPAA.

I'm resistant to talking about specific tooling, so my question is this:

How do you deal with the threat of rogue APs? What have I missed? I have a friend who says she's got some beta Terminator shit for visualizing radio spectrums in VR/AR but admits it's kinda half gimmick. For now.

What's the cutting edge for finding a needle in a stack of needles? How do you find the rogue APs if your network tools are abolished-- and which do you use if they aren't?

Thanks folks.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Power Cycled my Meraki AP

From bed because my gf fell asleep next to me listening to Pandora and I don't like the choice of music...

Does this make me lazy?

I got some Angels and Airwaves playing so I can finally sleep. Nothing like a 13.5hr day. NEED SLEEP.



Thursday, April 19, 2018

Network Enclosure in X-Ray Room?

Would the x-rays interfere with the equipment? I can't seem to find solid advice one way or the other. I've seen PCs in the suites before, but those won't take down a whole wing if they crash.

We're looking at a wall-mount enclosure with patch panels and a few switches, and possibly a small NAS. The X-ray is a basic DR table - not anything high-output like a CT or fluoro C-arm.

The client wants the cabinet to live there so they don't sacrifice any other space, and they are worried about the noise putting it in office areas.



Very weird internet issue, beyond my ken.

Hi. We have a new internet circuit through Verizon (unsure of LEC), business class, 100/100. We get those speeds as long as we stay in the metro NYC area. Once we go out - to California, Chicago, etc - those speeds drop to 10/5.

Latency cross-coast seems normal, but we aren't used to this. I understand as latency goes up, our throughput goes down, but it shouldn't be like this.

My best guess is a BGP table entry error somewhere? duplicate paths once we get outside the LEC network? Or maybe a peering choke, but that shouldn't happen with such a small circuit on Verizon, right?

I have no idea how to troubleshoot this, and Verizon says "you're getting your 100mb, not our issue".

Thanks in advance. Scary

Edit: traceroutes. Latency is 72 ms.

NY to LA:

C:\Users\username>tracert -d 70.231.54.177

Tracing route to 70.231.54.177 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.1.3
2 2 ms 1 ms 1 ms 207.86.176.141
3 2 ms 2 ms 43 ms 216.156.16.212
4 2 ms 2 ms 2 ms 216.156.16.133
5 13 ms 3 ms 3 ms 206.111.13.246
6 79 ms 70 ms 71 ms 12.122.131.86
7 71 ms 71 ms 70 ms 12.122.1.2
8 73 ms 72 ms 70 ms 12.122.2.53
9 74 ms 71 ms 71 ms 12.122.28.77
10 74 ms 71 ms 71 ms 12.122.28.46
11 76 ms 71 ms 77 ms 12.122.1.185
12 72 ms 74 ms 71 ms 12.122.85.37
13 * * * Request timed out.
14 71 ms 70 ms 71 ms 75.20.1.78
15 * * * Request timed out.
16 73 ms 72 ms 72 ms 64.148.105.209
17 72 ms 72 ms 72 ms 104.191.67.108
18 73 ms 73 ms 72 ms 70.231.54.177
19 72 ms 72 ms 72 ms 70.231.54.177

Trace complete.

LA to NY:

C:\Users\username>tracert -d 207.86.176.142

Tracing route to 207.86.176.142 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.3.3
2 <1 ms 205 ms 79 ms 162.195.124.1
3 2 ms 1 ms 1 ms 64.148.105.208
4 * * * Request timed out.
5 4 ms 7 ms 7 ms 12.83.38.201
6 6 ms 7 ms 7 ms 12.122.128.101
7 4 ms 4 ms 4 ms 205.158.79.241
8 70 ms 70 ms 70 ms 207.88.13.10
9 70 ms 70 ms 70 ms 207.88.12.182
10 70 ms 70 ms 70 ms 216.156.16.179
11 72 ms 72 ms 72 ms 207.86.176.142
12 72 ms 72 ms 72 ms 207.86.176.142

Trace complete.

image of d/l test from various AWS points: https://imgur.com/a/ENNrJJn



Performance Issues on 10.0.0.0/8

I was called to help out a local church with some significant network stability problems; intermittent speed, timeouts, etc. Fairly large, they see around 800-1000 people in a service. Started digging around and discovered they were set up on a 10.0.0.0/8 subnet - I know this makes ARP attacks pretty easy, but could 16 million possible IPs be contributing to the network instability?



VPN for home devices?

Are there any good products to protect home devices like consoles etc.? Hardware or software, I'm not bothered.



Cisco CleanAir and CleanLink - no BS explanation

Hey Networkers, I come from a heavy Aruba background and am trying to get my head around the marketing terminology of a new wireless vendor. What exactly are CleanAir and CleanLink (in technical terms)? Can anyone provide an explanation or a good reference?



Implementing a printer VLAN

I've recently set up a new printer VLAN at each of our sites and was able to migrate the wireless printers over fairly easily with a bit of cheap labor to connect them to the new SSID. I'm now looking at tackling our existing wired printers and I'm wondering what would be the most efficient method of doing so? My current idea is to get a list of MAC addresses and find the ports via ARP. While this is still a fairly big task, I can't think of any other way to go about it.

Also, on a related note, do any of you group physical VLAN interfaces together, or is it just as effective to configure the VLAN on whatever port the device happens to be plugged into?



Blackhole device WiFi traffic from 1 Cisco WAP - Looking for suggestions

Hello -

I'm looking for suggestions and hoping to get some thoughts.

My problem is that we have employees spending far too long in the restroom, we believe on the internet on their phones. Only 4 stalls for 100+ employees has made this a bit of a challenge.

I've been asked to find a way to limit connectivity to the room, in hopes of limiting time people are spending in the stalls. We run a WLC 2504 with 3 access points covering ~12K sq ft (open floorplan). I was thinking about installing an additional access point into the room with the intention of forcing all WiFi connections onto that AP but am wondering how I could then just blackhole that traffic. I'm not looking to impact device connectivity throughout the rest of the space so changing routes/dns/etc. may not be feasible.

Short of building a Faraday cage or a signal jammer, does anyone have any thoughts or suggestions?

Thanks in advance!



What would be the best way to have close to 30 Ethernet connected IoT devices spread over a large area?

I cannot use any type of wireless technology for this project due to regulations. I'm thinking I'll have a Switch at the main data entry point and that will split off into the IoT devices. The problem is that many of them will be greater than 100m away from the Switch and there are no access points that far away. What would be an affordable solution to this? Some kind of ring structure where they are all connected with some kind of signal booster at certain points?



ACL to block networks from seeing each other

Hey All,

Have a question about ACLs. I have one setup on the SVI of vlan 502 that does the following

Extended IP access list DENY-NETWORKS-IN-ACL
3 deny icmp any 10.5.4.0 0.0.0.255 (133 matches)
4 deny icmp any 10.5.20.0 0.0.0.255 (54 matches)
5 deny icmp any 10.3.20.0 0.0.0.255
10 permit udp any any eq bootps (3726 matches)
20 deny ip any 10.5.4.0 0.0.0.255 (21572 matches)
30 deny ip any 10.5.20.0 0.0.0.255 (115978 matches)
40 deny ip any 10.3.20.0 0.0.0.255
50 permit ip any any (176199809 matches)

On my core switch I have vlan 504 configured with an address of 10.5.4.1, and on my access switch I have vlan 504 configured with an address of 10.5.4.11. These are both the DGs on their respective devices with vlan 504. So everything works great, except that when I do a port scan from the 10.5.2.0 network of the 10.5.4.0 network I get responses from both DGs saying that ports 22 and 443 are open. I would figure that they would be completely blocked, but they are responding to the scans. So my questions are...

- Is this normal behavior since they are gateways?

- Is there a way to create an ACL so that they aren't responding to scans from the 10.5.2.0 network on 22 and 443?



IPV4 /22 networks leasing to 3rd party

Has anyone here used one of the 3rd party brokers to lease out an unused /22 ipv4 network before? Looks like the going rate is $350USD/month for these. Any idea on the procedures for doing this (i.e. do I need to notify ARIN or do anything with it?)



Simple suggestion for wireless router/access point package for my church.

Hi! I need a suggestion for a wireless router (obviously needs a couple of hardware outs as well) and access point repeater combo that we can use at our church. I would typically just go to Amazon and search, but I want to make sure we get something high quality and I trust professionals more than I do Amazon's suggestions. Can someone point me in the right direction?

We will need pretty good speed as we will be using this to stream video.

I'd like to keep it around $130 (+-$20).

Thanks for your help, everyone!

EDIT: ARGH! I just looked up the difference between a repeater and access point and it looks like I need a REPEATER not an access point. Sorry for the confusion!



Documentation Request - Application dependency firewall template

Hey /r/networking,

One of the most frustrating things in my job is working with other teams (Dev, DevOps, Systems, etc.) and trying to pull firewall rules for how their new app works, especially during integration of a recent smaller company acquisition.

I know there are paid software/client tools as well as physical appliances that do this... however what I'm looking for is just a documentation template or similar that I can hand to the other side of these projects and help walk them through the 'firewall conversations' that happen in their app flow like DNS lookups, outbound internet access, web tier (internet facing) to DB and to App tiers, DB to App tiers, etc.

I did a few differently worded google searches but didn't find anything useful, if it doesn't exist maybe I'll try to make something and post it for consumption.

Give me your thoughts, feedback and if any documentation templates exist post em!



Aironet 1832i Mobility Express

Hi everyone, I've just bought an Aironet 1832i but I can't seem to be able to download the conversion file from CAPWAP to Mobility Express from the Cisco website... The file is IR-AP1830-K9-ME-8-3-141-0.zip

Can someone send it over?

thanks in advance



Networking asides telecommunications?

Hello everyone, I'm a student of networking & telecommunications. I love networking and all computer-related stuff from the major. However, I'm not really into electronics and telecommunication. Are the two subjects really meant to be together, or do I have to study both?



Anyone doing SD-WAN with multi-connectivity into CoLo/peering/exchange sites ...

... vs traditional MPLS & Internet, i.e. is anyone dual connecting remote offices, globally, into large exchanges, where they bring the MPLS, Internet, cloud connectivity (and consume security services)? Additional Q: are you also hosting in those locations (Co-Lo)?



NAT + Firewall question

Normal case: I host a Minecraft server on port 25565 on my PC, which is assigned 192.168.0.100 as a local IP.

If I want other users to join, I go into my router and port forward 192.168.0.100 & port 25565.

When I disable my firewall, however, people can still join my server, but how does my router know it has to forward the traffic to 192.168.0.100? Let's say 192.168.0.101 also has a Minecraft server running on port 25565. What would happen?

Isn't that the entire point of NAT?



What does everyone use to test LAN throughput?

I am testing a Wi-Fi AP. The datasheet says with link aggregation I can achieve speeds up to 2 Gbps, and I want to test that it will at least get above 1 Gbps as advertised. I have a 10G LAN. Thanks in advance for the advice.



network design help 1

Hi all,

I'm hoping for some help; full disclosure, this is for an assignment, so please steer me in the right direction if I'm way off. Appreciate any help that I can get, and try not to laugh at some of my questions :)

Task: Redesign a corporate network, key points:

  • All wired, no wireless permitted
  • VPN access is required for remote users
  • Currently uses public site-to-site VPN but would like a private WAN between offices
  • HQ needs a DMZ to provide a www server for public
  • Currently performance issues with the WAN, it's a slow 1 Mb link at the moment
  • WAN needs to be capable of voice and video to be added at a later date
  • Concerned about security
  • Unlimited budget
  • There is a domain controller at each site
  • Approx 60 users at Corporate
  • Approx 30 users per branch
  • Approx 15 remote access VPN users

Here is a picture of what i've designed (rough draft): https://imgur.com/a/zKEzTpu

Notes:

  • Use vlans: office, infrastructure, management
  • Use EIGRP for the routers
  • Use stack switches, one stack for servers and network and another for access
  • Connect stacks via etherchannel

Suggested hardware:

  • Cisco ASA 5555-X Firewalls. Why: clustering, VPN, FirePower

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html

  • Cisco 4431 ISR routers. Why: redundant PSUs, more ports, ZBFW and FirePower

https://www.cisco.com/c/en/us/products/routers/4000-series-integrated-services-routers-isr/models-comparison.html

  • Cisco 9300 48 port stacks. Why: stackable, lots of ports, 48 ports with PoE+, optional secondary PSU

https://www.cisco.com/c/en/us/products/switches/catalyst-9300-series-switches/index.html

Security notes:

  • EIGRP with MD5 passwords
  • Enable firewall on ISRs?
  • Use firepower?
  • Disable VTP
  • Shutdown unused ports
  • Enable port security sticky-mac
  • Multi factor auth for VPN users
  • Enable banners and domain authentication for all Cisco devices
  • Enable syslog
  • Enable snmp with password
  • Backup configs somewhere?

Questions:

  1. Private WAN: I had originally thought I would get the provider to connect the sites by providing an Ethernet cable and some IPs for the company. The routers would communicate routes via BGP and it would be some sort of 10 Mb link or thereabouts. But everywhere I keep seeing MPLS; from what I've read, it labels packets and sends them via the path on the ISP's network? I'm a little lost at what I need to do as the customer to make this work from my CE, at a high level?

  2. Firewalls: I have been going around in circles. The Cisco ISRs have firewalls built in, but I can't quite work out if it's a normal firewall or somehow limited. I would think it's better to have a separate firewall vs an integrated one, or possibly use both? Firewall placement has got me a little confused here; I would have thought the very outer edge to the ISP makes sense, but most designs are just inside the customer router.

  3. Security design: I'd like to go off some sort of best practice; as per my picture I'm heading towards the zoning design. Is this still current, or is there a new and improved design practice?

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

  4. Internet connection: would the ISP usually provide access to the internet via the one connection? Is it better to have one connection for the private WAN link and one for public internet? I'd like to push the traffic through some sort of filter first; I read the firewalls I've selected can do filtering, is that what others would normally do? As far as branch internet access, it would go via the WAN and back out the corporate internet connection.

  5. I've gone with a hierarchical design approach with collapsed core and distribution; considering there are no budget constraints, is it generally better to separate it out? Is this still the best approach, or is there another way?

http://study-ccna.com/cisco-three-layer-hierarchical-model/

  6. QoS: I'm still trying to get my head around QoS, but I'm thinking it should be used for at least the servers at this point and give them priority; when I think of QoS I usually think of IP phones. Would you give priority to servers over users in this design? Any other considerations?

Any links to best practices or designs welcome, i'm pretty green in this space. I'm just trying to get the high level stuff sorted and will drill down into further detail as i go.

Thanks in advance.



ISE Tacacs help!!

Morning guys, We have been testing tacacs using ISE. Got authentication working but when logging on at privilege level 15 it drops into user exec mode rather than privilege exec :(

Been through all the settings but can't seem to get it to work.

Any ideas would be much appreciated.



I'm paying $60/yr for Dyn Standard on an IP that might change once a year. Any alternatives?

I also pay them $75/5yrs for a .net domain name registration.

I like my domain name which I want to keep and maybe switch it to another registrar in a few years before it expires, preferably one with their own DDNS service.

Otherwise, the only part of the "dyn standard" package that I really use is the DDNS service. I'm sure there's another DDNS provider that has better pricing and would make it easy to switch to while maintaining the domain name I have registered for.

Any suggestions would be greatly appreciated. I don't have a lot of experience with domains and registrars; I used Dyn's free service with a subdomain for many years before I wanted to get my own proper domain name. I basically just use this for personal and friends' usage to access a couple of services on completely non-standard ports.



Native L2TP/IPsec not working after Windows 10 Spring Update

Regular L2TP/IPsec VPN with PSK in Windows 10 to a Cisco ASA 5506-X. After the update, the connection is terminated directly after connecting successfully (phase 2). Anyone experiencing the same or similar issues with the native Windows 10 VPN client?



Branch office PoE switches with little inter-switch traffic: 1x48 vs 2x24 port?

I'm debating 1x48 port vs 2x24 port PoE switch configuration for branch offices where I need more than a single 24 port switch. Space in rack, power outlets, and few ports lost going 2x24 would not be a concern. Switches will be HP 2530G.

If I uplink each switch through the firewall (one per switch), the only inter-switch traffic through the firewall's interface would be for printing, and that would only be for users on the switch not connected to the printer. No concern with traffic in terms of firewall load. All remaining traffic is out through the internet; there are no other local services. Even if I uplink the switches to each other and then a single GbE port out to the firewall, I honestly don't have concern about the inter-switch traffic, as the internet connection at these locations is generally a 150/20 Mbps connection or less, so there's just no way to max out a single uplink short of some local computer-to-computer transfer we may need to do for some random reason.

I like the redundancy aspect of 2x24 switches, so that should one switch fail, at least I can keep part of the office up. That being said, there would be a SPOF in many other areas (firewall, power, internet), so it's minimal redundancy gained. I also recognize that in offices that only need a single 24 port switch, I have a switch SPOF, and the majority of the offices are single switch.

Opinion on which way to go and why?



SolarWinds can see a device with UDT but the switch's CAM table can't. Am I missing something?

I was troubleshooting a client and used SolarWinds' User Device Tracking to locate the client's port. The UDT output stated that there was an active device with an IP on that interface, but pinging that IP yielded nothing. The UDT report also stated that two MACs were present and active on that port, and yet when I looked at the CAM table I saw nothing. Is there something I'm missing? SolarWinds documentation on UDT did not clarify this, nor did anything on Google. If there's anything more that I need to say, please let me know!

Thanks for anything that helps me understand this guys, I appreciate it!



Help! Mounting wifi antenna?

I'm considering trying to use a long distance directional antenna to try and get internet a couple KM away.

The problem is though... The trees surrounding my house are like 70-80 feet!

I've been looking at TV towers and they appear to cost like $15,000 or possibly more if I'm needing a 100 ft one.

Do you guys have any suggestions for something to mount to? One of the antennas I've seen appears to mount to poles. Wondering if that would be cheaper, but I have no idea where I could even buy ones that are 100 ft tall, or if I would have to get a bunch of smaller poles welded together or something.



Cat5e/6 Crosstalk At Patch Panel: Does it cause significant attenuation?

EDIT: Goofed on the title, should have said decreased SNR (signal to noise ratio) instead of attenuation. Apologies.

Twisted pairs are a critical part of any stranded cable. The cable's ability to operate at high speeds requires exact winding of each differential pair.

I found a Stack Exchange thread discussing whether an even or odd number of twists is better. One answer stood out:

The amount of magnetic interference is proportional to the area between the two wires. With a perfect even number of twists the area is effectively zero. With an odd number of twists it is essentially one twist area. That is still a vast improvement over no twist at all :)

I assume a patch panel is equivalent to the removal of several twists in a twisted pair. Even when artfully installed (with the specified 1/2" or less of exposed strands), at least one twist has to be removed. Also, there are the pins inside the port of the RJ45 jack, which run parallel to each other.

All of this must culminate in some measurable attenuation/decrease in SNR.

I'm wondering exactly how negligible this is. Say 3 patch panels are run in series, each placed a few feet apart. Would this have a measurable effect on the cable's ability to carry Gigabit traffic?

In optical networks we always have an optical budget (often topping out at about 3 dB of loss). I don't often hear talk of loss budgets in copper cabling, though.

How concerned should I be about splices, ports, or any interruption to the winding of each differential pair?



Network Admin looking for career advice

Hey all,

I'm currently working as a network administrator for a fairly large company in the Midwest. I've only been employed with this company for about 7 months and am already extremely frustrated on a daily basis. Let me just start off by saying that I have about 5 yrs experience going from desktop support to a jr net admin and now net admin (all with different companies). I have my CCNA R&S and am currently about 1/2 done with CCNP.

Now onto the frustrations.... we have about 5 people on the network/system team, 2 of which are Sr level, but they started out as PC techs that basically just stuck around long enough to get promoted to Sr level without any certifications or what I would call "official training". Also, they have not worked in IT for any other company.

So with that being said, I am in constant arguments about how the network "should be" based on my past experience with different lines of business and different areas of the IT spectrum. Since they both have the Sr title, I get shut down pretty fast with things like "that's not appropriate for us because of x, y, and z" or "How does that technology work? I'm not familiar with it" (which leads to massive delays due to them being uneducated in the subject matter). Our company requires any network or system changes to be reviewed by a Sr, so that means every time I do something without informing them first I get the "why didn't you consult with us first?" or "Yeah, we've been meaning to do this for a while, just haven't had the time" (but yet they are always having meaningless conversations ALL DAY!! and getting no real work done).

I've mentioned this to my supervisor multiple times, saying that I know what I'm talking about and that they are not as familiar with networking as I am (I know this makes me look bad, but hey, I try to be honest). Anyway, he refuses to do anything about it because they are his "golden boys", always brown-nosing when he's around and using big words to sound smarter than they actually are. I'm really considering leaving for another company, but have reservations on how it may look leaving my first network admin job after only 7 months.

I'm so close to having my CCNP that I'm considering just holding out and applying for more of a network engineer/architect type role. Has anyone else been in similar situations, and how were you able to overcome them?



Help understanding Palo Alto's NAT terminology

I'm the new/only network guy at a small company of 170 users. Two PA-3020 firewalls in HA, a primary and a backup ISP. I'm trying to understand how the NAT configuration works and what it means.

Screenshot of our NAT policies

Traffic always egresses from ISP-1, we're not doing load balancing to the backup ISP-2. Am I correct in reading this that after the packet is translated out to the internet, the source address could be any of the six of our public IPs on ISP-1 (we have a /29)?

If my Sysadmin wants a public address for one of our web servers, will I need to re-write these NAT rules to exclude that IP from being part of the NAT pool?

Am I even using the correct terminology here? My only experience with NAT is from my CCNA course; my prior job had an entire /16, so this is my first time working in a NATed environment.



Buy Juniper online? Legit resellers?

I've found plenty of legit online resellers for Cisco equipment, but I can't seem to find any for Juniper. When I use Juniper's "partner" locator, it requires a zip code, but I don't need a local reseller. I'm looking for a legit online reseller, in addition to the ones near me. Google searches yield online sites, but it's unclear if they are authorized resellers. This is for work, so it needs to be an authorized reseller/partner.



Chance that Cisco Press will get back to me?

I'm in the process of making an educational blog on topics in engineering. It will help me study and allow a chance for others to see what I'm doing, among other uses.

I have the Cert Guides for ICND1 and ICND2, and I want to make posts in my blog about information contained in these Cert Guides, so I filled out an online form on Cisco Press' website asking their permission to do so. I haven't heard back, and it was 3-4 days ago.

What do you think the chances are that they will email me in return, either granting me or denying me the ability to make the posts I want?



FreeRadius BYOD auth

Hi there,

My company asked me to implement BYOD for our employees throughout our main location + 36 branches. They would like something pretty "simple", like: employee creds OK > MAC known > connected to secure network, or employee creds OK > MAC not known > dump to BYOD network.

I was thinking about using FreeRADIUS to do so; however, I have very little knowledge about it, and I found that it is not very easy to find proper documentation online.

Do you guys have any recommendations?

Cheers!

Xzi.



Anyone remember the Microsoft Bluetooth alternative from 2000?

I remember seeing a demo back in 2000, developed at Microsoft Cambridge (UK) with collaboration from Microsoft Harvard (USA), where they had developed a network that was superior to Bluetooth. It was hugely faster, had a range 100s of times the distance, was more reliable, could even locate based on signal strength and was capable of establishing its own network. The demo I saw showed how stores would know you were outside that store and could message you with offers available in that store. It also showed two people private messaging each other from almost a mile apart just using this tech. I've searched everywhere and can't find any info on it. All I remember is the lead on it was called John and he attended Cambridge University.

What was this called and what happened to it? Can you imagine how advanced this would be now? This was almost 20 years ago; you don't just shelve this kind of tech. I've searched the Cambridge PhD papers too and can't find anything about it either.



Tip for documenting rack (rackdiagram)

Perhaps I'm late on this story, but I found out the other day that rackdiag (part of nwdiag, which is part of blockdiag, which is a Python package) is a great tool to document rack designs and wanted to share my finding with the community (assuming more people than me will sooner or later end up having to document stuff).

If you are on an Ubuntu/Debian installation you can do this to install the needed Python package:

sudo apt-get install python3-nwdiag 

and then this if you want to use more familiar fonts:

sudo apt-get install ttf-mscorefonts-installer 

Then you create a file with a filename of your choice (example.diag) which you fill with (for example):

rackdiag {
  // define height of rack
  42U;

  // define width of rack, 1RU to 19" ratio
  node_width = 434;

  // define description of rack
  description = "RACK 1";

  // define rack units
  42: PATCHPANEL SMF 48xLC
  41: PATCHPANEL MMF 48xLC
  40: R1
  39: N/A
  38: R2
  37: N/A
  36: N/A
  35: N/A
  34: N/A
  33: N/A
  32: N/A
  31: N/A
  30: N/A
  29: N/A
  28: N/A
  27: N/A
  26: N/A
  25: N/A
  24: N/A
  23: N/A
  22: N/A
  21: N/A
  20: KVM
  //19: N/A
  18: SERVER1 [2U]
  //17: N/A
  16: SERVER2 [2U]
  15: SW1
  15: SW2
  14: N/A
  13: N/A
  12: N/A
  11: N/A
  10: N/A
  9: N/A
  8: N/A
  7: N/A
  6: N/A
  5: N/A
  4: N/A
  3: N/A
  2: N/A
  1: N/A
}

Then to compile the above example.diag into a PDF file you can use this on your command line:

rackdiag3 -T pdf -a -f /usr/share/fonts/truetype/msttcorefonts/verdana.ttf example.diag 

You can also output PNG or SVG by changing "-T pdf" into "-T svg" or such.

The above will look like this:

http://interactive.blockdiag.com/rackdiag/?compression=deflate&src=eJxVkEFrg0AQhe_7KwbPBTPjNjWWHEQshcQQtKaHEkKIJi4FLcbSQul_7wafaTw9dt_M995uuz-8F2Z_oh-lXJeK8mjqkqrSnKqOmiO11lda8sdb-8sUXTW4d8RpTl1DPHPsRWcaVTdFueuH5qQ9PVouyvOhNR92rr4G3N7NyUnDaEHsjNYuc_RZm-5s6wS0Dl-i53W4ipeUJU-k_e9lpDSPjOTfmASUsvJmAa3cUHm-PYryHnCcQu-hGupBBcrQSa8CnPhQ8AQ8AU_AE_AEPAFPLG-xSexjGUS2xCxON3HK9Cb59mIBztPBkt5im5K9MlQUI42RxkhjpDHaIwrdQUdzFB_-ATWx34v6VX9aHoiE

Documentation is available at http://blockdiag.com/en/



Tools to create maintainable network diagrams?

I have over the years used Visio and/or Dia to create my network diagrams (mainly for documentation), but the graphical tools tend to take more and more time to deal with when you need to rearrange diagrams because you suddenly added another device, or for that matter when you end up with complex networks with plenty of network connections (that is, physical network diagrams) or plenty of link aggregations; quickly it becomes hard to see which cable goes where (or I'm just lacking the skills to properly use Visio/Dia ;-)

Using something like Graphviz is something I'm looking forward to, but I haven't managed to get any good output from it.

Anyone in here using Graphviz (or similar, that is, a text-based tool where you define the connections and then "compile" into a PDF or such) successfully and can share good examples?

I recently stumbled upon the diagrams made by Cumulus on their documentation pages, but I don't know if the Graphviz reference is purely programmatic (that is, they cheated by creating the diagram in Visio anyway) or if the picture shown at "Basic Topology Example" (https://docs.cumulusnetworks.com/display/DOCS/Prescriptive+Topology+Manager+-+PTM) actually is rendered/compiled through Graphviz?

If not (that is, they cheated), the picture of the topology example is what I would define as a good-looking and easy to understand physical network diagram. Do any of you know if it's possible to use Graphviz to create such?

It doesn't necessarily need to have all the coloring (I'm happy with black/white rectangular boxes as devices).
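As an added example (not from the post above or from Cumulus): the text-based workflow the poster is after is a link list that a script turns into Graphviz DOT, so adding a device or a cable is a one-line edit and the layout is recomputed. The script below is illustrative code written for this page; the device and port names in LINKS and TIERS are invented. It also validates the link list before rendering, since the most common defect in a hand-maintained physical diagram is the same port appearing on two cables.

```python
# Constructed physical link list for a small site: each entry is
# (device A, port on A, device B, port on B, speed). Invented names.
LINKS = [
    ("core1", "Te1/1", "agg1", "Te1/49", "10G"),
    ("core1", "Te1/2", "agg2", "Te1/49", "10G"),
    ("core2", "Te1/1", "agg1", "Te1/50", "10G"),
    ("core2", "Te1/2", "agg2", "Te1/50", "10G"),
    ("agg1", "Te1/51", "agg2", "Te1/51", "10G"),   # peer link between aggregation switches
    ("agg1", "Gi1/1", "access1", "Gi1/48", "1G"),
    ("agg2", "Gi1/1", "access1", "Gi1/47", "1G"),
]

# Tier membership drives the top-to-bottom placement in the rendered diagram.
TIERS = {
    "core": ["core1", "core2"],
    "aggregation": ["agg1", "agg2"],
    "access": ["access1"],
}


def check_ports(links):
    """Return the (device, port) pairs used by more than one link. A physical
    port carries one cable, so any hit is an error in the documentation."""
    seen, duplicates = set(), []
    for a, a_port, b, b_port, _speed in links:
        for key in ((a, a_port), (b, b_port)):
            if key in seen:
                duplicates.append(key)
            seen.add(key)
    return duplicates


def to_dot(links, tiers):
    """Render the link list as Graphviz DOT: one box per device, each tier
    forced onto its own rank, every edge labelled with both port names."""
    out = [
        "graph physical {",
        "  rankdir=TB; splines=line; nodesep=0.8; ranksep=1.2;",
        '  node [shape=box, style=filled, fillcolor=white, fontname="Helvetica"];',
        '  edge [fontsize=8, fontname="Helvetica"];',
    ]
    for name, devices in tiers.items():
        members = " ".join(f'"{d}";' for d in devices)
        out.append(f"  // {name}\n  {{ rank=same; {members} }}")
    for a, a_port, b, b_port, speed in links:
        # taillabel/headlabel put the port name at the end of the edge it belongs to
        out.append(
            f'  "{a}" -- "{b}" [taillabel="{a_port}", headlabel="{b_port}", label="{speed}"];'
        )
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    problems = check_ports(LINKS)
    if problems:
        raise SystemExit(f"port used twice: {problems}")
    with open("topo.dot", "w") as fh:
        fh.write(to_dot(LINKS, TIERS))
```

Render the result with the Graphviz command-line tool, for example `dot -Tpdf topo.dot -o topo.pdf`; `-Tsvg` and `-Tpng` work the same way. Keeping the link list in a file that is also fed to monitoring or LLDP checks means the diagram and the cabling cannot silently drift apart.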



FreeZTP: Zero-Touch Provisioning for Cisco IOS

I finally got around to publishing this project I have been working on for a while.

It is an open-source zero-touch provisioning system for Cisco IOS which allows you to create unique configs for your switches by serial number. The GitHub page has all the info, as well as a link to the install demo video.

Check out the GitHub Page



Access points installed in elevators

Recently visited a customer that has APs physically installed in moving elevators. Now, I never thought about it and, to be honest, it is the first time that I've seen this. The rationale behind it was to ensure signal coverage for people inside the elevator, but I think it is actually going to create more problems than it solves, because you have continuous movement of APs up and down. Any experience? Thanks



Cisco IP SLA setup

We have some IP SLAs to detect that the internet connection is down in order to fail over to 4G. Currently the SLAs just ping 8.8.8.8 or 8.8.4.4. I was just wondering if there was an alternative? I know that the event manager can trigger off interface down, but these pings also have the added benefit of failing over when there is packet loss or high latency. I was trying to figure out a way to ping the next-hop interface without knowing the IP, as I assume this may change.

Thoughts?



Wednesday, April 18, 2018

eBGP With Two ISPs

We have two datacenters in two different states. Each has one ISP at the moment. We are already doing eBGP with one of them and will be changing to BGP (from static) with the other when we get the second ISP. Let's assume for simplicity's sake that each datacenter has an ISP1 and ISP2. We want mission-critical traffic (to our core platform) to route in/out of the internet using ISP1, while all other traffic should route in/out over ISP2.

Let's focus on datacenter1. At datacenter1 we have a public address space with a size of /24, and at datacenter2 we have a /26. I was thinking to myself, yeah, we could advertise a /32 out ISP1 so that this is more preferred from the internet's perspective and would win. This would allow traffic into our org from the internet to take ISP1. I have a feeling that the ISP won't allow this, though.

My next way of accomplishing the desired behavior would be to get a second block of addresses at each location and, out ISP1, make them preferred via the BGP selection process (local pref or AS-path prepending). The new block of addresses would also be advertised out ISP2, but less preferred. For the reverse (traffic out of the org), I suppose I'd have to find out what IPs our mission-critical app connects to and have the ISP1 provider advertise those blocks to us. This is what I'm thinking of doing, but how would you accomplish it?



Unetlab + CSR1000v performance

I've been using the following lab hardware for Unetlab for quite some time:

  • Intel(R) Xeon(R) CPU X5675 @ 3.07GHz (12 logical processors)

  • 96GB of ECC RAM

  • VMware ESXI 6.0.0 with vCenter 6.5 to manage things via the vSphere Web Client

  • Unetlab with images for IOL, CSR1000v, XRv, with all 12 cores dedicated to the VM, as well as 64GB of memory. Images used: csr1000v-universalk9.03.17.00.S.156-1.S and xrv-k9-6.0.1

I had been using 10 x IOL for most lab material, but decided to build out a 10 x CSR1000v + 4 x XRv lab recently.

When utilizing this lab topology, carefully allowing everything to start and settle, I seem to get near 100% CPU utilization when doing just about anything on the CSR1000vs (memory never exceeds 60% utilization, and I have the page allocation for guests turned off as recommended):

  • Config replace can take 2 - 5 minutes per node. I get CPU watchdog log messages on each CSR1000v. The XRvs either don't complain or are fine.

  • Any kind of multi-console input to the CSR1000vs drives CPU to 100% (hitting enter on the console and having it sent to all nodes, for instance).

I've read quite a few entries from fellow labbers that they can run a 10 x CSR1000v + 4 x XRv lab without much trouble with far less of a hardware footprint (people using 2009 Nehalem architecture, as opposed to my beefier 2011 CPUs). The versions of code I'm running for the CSR1000v and XRv are in alignment with claims of a smooth experience.

Is there something I'm doing incorrectly, or is it really that the CSR1000vs can't run in tandem without blowing up the CPU? I don't want to upgrade Unetlab to EVE-NG just to find out that what I'm doing is folly to begin with.

As an addition, is there much value to running the CSR1000v's IOS-XE versus IOL from a critical feature standpoint?



Should I buy a separate Router or utilize routing functionality on Fortinet 60E's for small business Network Upgrade

So I am about to pull the trigger on some 60E's for our small business, but I wasn't sure if I should buy some stand alone router (such as Edgerouter or USG) or utilize the routing functionality built into the units. I asked this question on Spiceworks and am getting conflicting advice.

Some background information: two locations. Corporate office: seven users. Plant: six users. Will be buying four Ubiquiti APs and two PoE switches.

Let me know if you need any additional information.



Open networking engineer position. Must have 5 years of TCP/IP experience as well as...

  • Proficiency with Microsoft enterprise solutions including Windows Server 2012 and higher, Active Directory, and SCCM required. Linux and other UNIX operating systems a plus.
  • Windows Domain / Active Directory
  • Knowledge of VMware NSX and vSAN
  • Working Knowledge of Microsoft Exchange Server 2013/2016, Office 365
  • Working Knowledge of Microsoft Azure and/or Amazon Web Services (AWS)
  • Some actual fucking networking experience is not mandatory but preferred

On a serious note though, I really have found a lot of "network" job postings say this... I'm a networking guy. I have no knowledge of anything systems related. My job doesn't do anything systems related. Will I need to know these things just to even land a job?



Decrypting SSL packets through tshark

I've been having an issue at work where packets are being dropped somewhere between our server and an outside host that we are using across the state. I installed tshark on the server and did a packet capture. Only problem is, the packets are encrypted over SSL, so I can't decipher where the packets are being dropped.

Does anyone know how to decrypt the packet capture from tshark on the server?
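Two things worth knowing before decrypting, added here as an example and not part of the post. First, tshark decrypts TLS when it is given the session secrets: a client or server that honours the SSLKEYLOGFILE environment variable writes an NSS key log, which you pass with `-o tls.keylog_file:/path/to/keys.log` (`ssl.keylog_file` in Wireshark releases before 3.0); a server RSA private key only helps when the cipher suite uses RSA key exchange, not (EC)DHE. Second, loss does not need decryption to be located: TCP sequence numbers and segment lengths stay in the clear, and a capture taken on the server shows a gap in inbound sequence numbers when a segment was lost before it reached the server, and a repeat of outbound bytes when the server's own data (or its ACK) was lost beyond it. The code below implements that sequence-number bookkeeping; SAMPLE_SEGMENTS is constructed data shaped like the output of `tshark -T fields -e frame.time_relative -e tcp.seq -e tcp.len` for one direction of a flow (with relative sequence numbers, as tshark prints by default), not a real capture.

```python
# Constructed packet summaries for one direction of a TCP flow, in capture
# order: (relative time, tcp.seq, tcp.len). Invented values, not a capture.
SAMPLE_SEGMENTS = [
    (0.000, 1000, 1460),
    (0.001, 2460, 1460),
    (0.002, 5380, 1460),   # seq jumps past 3920: bytes 3920-5379 never reached this capture point
    (0.205, 3920, 1460),   # sender fills the hole: the loss was between sender and capture point
    (0.206, 6840, 1460),
    (0.410, 6840, 1460),   # re-send of bytes already seen here: lost beyond the capture point (or its ACK was)
]


def analyse_direction(segments):
    """Classify each data segment of one flow direction using only sequence
    numbers and lengths, which TLS does not hide.

    Returns (events, holes). events is a list of (time, seq, label):
      'new'      extends the highest byte seen so far
      'gap'      starts beyond the next expected byte; the bytes in between
                 never passed this capture point (loss upstream of the capture)
      'fill'     supplies bytes from an earlier gap
      'retrans'  re-sends bytes already seen here (loss downstream of the
                 capture, or the ACK for them was lost on the way back)
    holes is the list of (start, end) byte ranges still unfilled at the end.
    """
    highest_end = None
    holes = []
    events = []
    for t, seq, length in segments:
        if length == 0:
            continue                           # pure ACKs carry no data
        end = seq + length
        if highest_end is None or seq == highest_end:
            label = "new"
            highest_end = end
        elif seq > highest_end:
            label = "gap"
            holes.append((highest_end, seq))
            highest_end = end
        else:
            hole = next((h for h in holes if h[0] <= seq and end <= h[1]), None)
            if hole is None:
                label = "retrans"
            else:
                label = "fill"
                holes.remove(hole)
                if hole[0] < seq:
                    holes.append((hole[0], seq))   # unfilled head of the hole
                if end < hole[1]:
                    holes.append((end, hole[1]))   # unfilled tail of the hole
            highest_end = max(highest_end, end)
        events.append((t, seq, label))
    return events, holes


def loss_summary(events, holes):
    """Reduce the per-segment labels to the numbers you act on: how many
    loss episodes happened on each side of the capture point."""
    counts = {"new": 0, "gap": 0, "fill": 0, "retrans": 0}
    for _t, _seq, label in events:
        counts[label] += 1
    return {
        "lost_before_capture_point": counts["gap"],
        "lost_after_capture_point": counts["retrans"],
        "still_missing_ranges": list(holes),
    }


if __name__ == "__main__":
    ev, holes = analyse_direction(SAMPLE_SEGMENTS)
    for t, seq, label in ev:
        print(f"{t:7.3f}  seq={seq:<6d} {label}")
    print(loss_summary(ev, holes))
```

Run it against the client-to-server and server-to-client directions separately (filter on `ip.src` when exporting). Gaps in what the server receives point at the path in front of the server; retransmissions of what the server sends point at the path behind it, which is the half of the state you cannot see from the server's own logs.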



F5 vpn client showing self-ip instead of ip from VPN pool

I'm not as familiar with the F5 as I am with Cisco. We have a virtual server configured that we use for the F5 SSL VPN. Actually we have 2, each one pointing to its own separate subnet to use for VPN. One of them is showing the self-IP address instead of the VPN address. I think this is causing some issues for them. I'm comparing the 2 configurations and I can't spot the difference on why one of them shows the VPN client address and one shows the self-IP of the F5. Hoping someone can point me in the right direction. :)



Palo Alto GlobalProtect MFA question

I have GlobalProtect working with Duo Security and users are getting the push via the app. However, I cannot find any documentation on how to give users the option for phone call verification or SMS. Anyone know how to enable this? Thank you in advance for any assistance.



Tell us about networking monitoring!

Hello, I've been in the industry for 15+ years, but mostly small shops. Currently using Veeam One, and I'm about to set up PRTG software.

Anyhow, for whatever reason, we never talked much about network monitoring where I've worked. For those of you with more experience in this area, I would like to pick your brain!

You don't have to answer all three questions, just pick whichever questions for which you feel like you have a valuable answer.

  1. What is one curious or interesting thing you have learned about network monitoring?
  2. What is one basic and essential thing every tech should know about network monitoring?
  3. What is one more sophisticated / advanced piece of wisdom you can share about network monitoring, that most techs often don't know about.

Cheers!

Josh

Please note I have a copy of this post also at reddit.com/r/sysadmin, and I made copy here based on another contributor's recommendation.



OpenBSD router/firewall?

From what I've been reading recently, OpenBSD sounds like it has a very strong security- and stability-focused development process, and I'm reading a lot of good things about its pf firewall. At first blush this seems like the ideal platform to deploy a router or firewall. Is it a common/good choice?

My understanding is that router focused OSes like VyOS, etc., are just management shells on top of Linux. Is there an advantage to using these besides insulating idiots like myself from the underlying Linux commands?



Possible NAT issue with Netgear R6700v2 / 3560G (xpost from /r/homenetworking)

Not sure if anyone can provide feedback, but there may be more experience with this type of setup here than in /r/HomeNetworking

Basically having routing issues between my lab networks and the Internet. Could be something NAT related. The Netgear has non-existent troubleshooting utilities.

https://www.reddit.com/r/HomeNetworking/comments/8d6w80/possible_nat_issue_with_netgear_r6700v2/



Anyone else seeing HPE Aruba switch prices skyrocket with the latest generation?

Has anyone else noticed the new low-end ArubaOS-Switching being significantly more expensive than the last generation? Looking at historical pricing, our pricing for the last gen compared to the new gen:

Old gen: HP 2920 48G POE+ 370W (J9729A) for around $3000.

New gen: HP Aruba 2930M 48G POE+ (JL322A ) for around $5400

CDW and MSRP also show roughly the same price increase between generations. The layer 2 series (old 2530, new 2540) show the same price hike.

If you wanted to make a stack of two new-gen switches you'd need:

Two switches: JL322A, $5400 x 2 = $10,800

Two stacking modules: JL325A, $850 x 2 = $1,700

Two stacking cables: J9734A , $120 x 2 = $240

Total = $12,740.

For a stack of two basic gigabit L3 switches. Without redundant PSU option. Without 10G uplinks. Can that be right?



I give up - toss in the towel

I have tried every configuration on the net, every suggestion from here. It still does not work in the network. Only works if it's off the LAN. So obviously I am an idiot who cannot get this for whatever reason. Are any of you tech guys in Toronto? With HPE switch experience? I will pay for assistance and instruction on what I kept doing incorrectly. The server and switch work. It launches machines diskless if it's standalone. PM me if interested. Help me Obi-Wan, you are my only hope.



McAfee Firewall Certificate Issue via SMC 5.8.3

I am having an issue trying to renew the certificate for my firewall(s) inside of Security Management Center v5.8.3. When I try to update them I get the below image; does anyone know how to remedy this? I tried to find some more information on this, but no luck. https://i.redd.it/xg1tig0s0ps01.png



Shower thought - what is going to happen to DNS based URL filtering services like OpenDNS (Cisco Umbrella) now that DNS over TLS/HTTPS is coming

Right now it is trivial to block outbound DNS to non-authorized resolvers, but it seems to me that it will be a lot harder to block TLS/HTTP resolvers because it'll be mixed up in the rest of the traffic.

Any thoughts? Does this kill DNS URL filtering?
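As an added example (not part of the post): once resolvers speak TLS, port-based blocking keeps working for DNS over TLS (TCP/853 is dedicated to it), while DNS over HTTPS on TCP/443 leaves a middlebox only the fields that are still plaintext in the TLS ClientHello, chiefly the server_name (SNI). The parser below pulls the SNI out of a raw ClientHello and classifies a flow; the ClientHello bytes it runs on are constructed by the block itself, and KNOWN_DOH_HOSTS is an illustrative list of real public resolver hostnames, not a complete inventory. Caveats a practitioner should keep in mind: this breaks the day SNI is encrypted, it misses any DoH endpoint not on the list (including one you stand up yourself), and a resolver contacted by bare IP shows no name at all, so IP reputation has to back it up.

```python
import struct

# Hostnames of some public DoH endpoints. Illustrative subset, not an
# inventory; a real deployment would maintain this as a feed.
KNOWN_DOH_HOSTS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI
    extension. Constructed test input for this example, not a capture."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name (0)
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # extension type server_name (0)
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"               # client_version: TLS 1.2
        + b"\x11" * 32            # random (fixed for reproducibility)
        + b"\x00"                 # session_id length 0
        + b"\x00\x02\x13\x01"     # cipher_suites: one suite
        + b"\x01\x00"             # compression_methods: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a TLS ClientHello record, or None if the
    bytes are not a complete ClientHello carrying an SNI extension."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                         # not a Handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                         # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                    # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                    # compression_methods
    if pos + 2 > len(body):
        return None                                         # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None                                         # truncated record
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000:
            continue
        i = 2                                               # skip ServerNameList length
        while i + 3 <= len(data):
            name_type = data[i]
            name_len = struct.unpack("!H", data[i + 1:i + 3])[0]
            if name_type == 0:
                return data[i + 3:i + 3 + name_len].decode("ascii", "replace")
            i += 3 + name_len
    return None


def classify_flow(dst_port: int, first_payload: bytes) -> str:
    """Label a client flow by what a middlebox can still see in the clear.
    'plain-dns' and 'dot' are identifiable by port alone; 'doh' needs the SNI."""
    if dst_port == 53:
        return "plain-dns"
    if dst_port == 853:
        return "dot"
    sni = extract_sni(first_payload)
    if sni is not None and sni.lower().rstrip(".") in KNOWN_DOH_HOSTS:
        return "doh"
    return "other"


if __name__ == "__main__":
    for port, host in [(443, "dns.google"), (443, "www.example.com"), (853, "")]:
        payload = build_client_hello(host) if host else b""
        print(port, host or "-", "->", classify_flow(port, payload))
```

On a real sensor the payload handed to `classify_flow` is the first client-to-server segment of each TCP/443 flow; everything after the ClientHello is opaque, so nothing in the HTTP request (the `/dns-query` path, the `application/dns-message` content type) is available to a network device that does not terminate TLS.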



i tried to make some network engineering shirts that don't suck

Most of the network engineering shirts/swag I've seen online are pretty bad, so I thought I'd design some of my own. So far I've taken my inspiration from streetwear and other famous designs/logos.

The number of designs is a bit sparse but I'll be adding more soon. The goal was to make stuff that is subtle enough to actually be wearable, but still get a laugh if you are walking down the street and happen across another neteng.

You can check out the rest of the designs here: https://www.debug-all.net/collections/all

If you are into this kinda stuff you should also definitely check out the store at ine.com, they have some really clever designs too (the designated router one might be my favorite).

If anybody has any links to any other places to buy network engineer stuff that is actually decent, please share it as well!



DHCP server not handing out full range of IP addresses. 172.16.20.10-172.16.21.254 /23 only works with a reservation.

I am stumped at the moment. I have been through 2 different DHCP servers, Server 2008 and now Server 2016. I moved to Server 2016 because of the same issue. I have manually configured the scopes and we have a flat network of Cisco 3800s, some connected via fiber, which can do L3 but we are doing L2 and no routing. Approximately 325 devices on the network.
The DHCP server is handing out anything in 172.16.20.x but not 172.16.21.x, even though it is part of the scope. Users are calling me saying their PC is not getting a network connection, and I am seeing that they are not getting a DHCP address unless I create a reservation in any range (inc. 172.16.21.x) or delete a lease in the 172.16.20.x range. I am going to connect a PC to the same switch as the DHCP VM and see if it can get an address, and then I will go to other areas. I also have Wireshark. No errors in the DHCP or server logs. I know I need a relay agent if there are different subnets, but this is one subnet with a 255.255.254.0 /23 mask.

I would appreciate any ideas or suggestions. Thanks
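An added example, not from the post: the symptom "only the first /24 of a /23 scope gets handed out" is usually a disagreement between three masks that all have to say /23, namely the scope itself, the NIC the DHCP server listens on (a broadcast DISCOVER is matched to a scope by the subnet of the receiving interface, and the server can only ARP for clients it believes are on-link), and the mask the clients actually apply. The checker below cross-checks those against each other and counts what is left of the range after exclusions. The addresses in the usage block are the poster's; the server NIC configuration and the exclusion range are assumptions made up for the example.

```python
import ipaddress


def audit_scope(scope_cidr, range_start, range_end, server_interface,
                client_mask, exclusions=()):
    """Cross-check the pieces that must agree for a DHCP scope to hand out its
    whole range.

    Returns (findings, usable): findings is a list of human-readable
    mismatches (empty means consistent), usable is the number of addresses in
    the range that are not excluded. Arguments are strings: scope_cidr like
    '172.16.20.0/23', range bounds as addresses, server_interface as
    'address/prefix' or 'address/dotted-mask' for the NIC the server answers
    on, client_mask as a dotted mask, exclusions as (start, end) pairs.
    """
    findings = []
    scope = ipaddress.ip_network(scope_cidr, strict=True)
    lo = ipaddress.ip_address(range_start)
    hi = ipaddress.ip_address(range_end)

    if lo not in scope or hi not in scope or lo > hi:
        findings.append(f"range {lo}-{hi} is not a valid range inside {scope}")

    # The server selects the scope by the subnet of the interface the request
    # arrived on and treats anything outside that subnet as off-link, so a NIC
    # configured /24 effectively halves a /23 scope.
    nic = ipaddress.ip_interface(server_interface)
    if nic.network != scope:
        findings.append(
            f"server NIC {nic} sits on {nic.network}, not {scope}: "
            f"addresses outside {nic.network} look off-link to the server"
        )

    # Clients applying a different mask than the scope cannot reach the half
    # of the /23 they consider remote, and will show the same symptoms.
    mask_len = ipaddress.ip_network(f"0.0.0.0/{client_mask}").prefixlen
    if mask_len != scope.prefixlen:
        findings.append(
            f"client mask {client_mask} is /{mask_len} but the scope is /{scope.prefixlen}"
        )

    # Count what remains of the range once exclusion ranges are subtracted.
    usable = int(hi) - int(lo) + 1
    for ex_start, ex_end in exclusions:
        es = int(ipaddress.ip_address(ex_start))
        ee = int(ipaddress.ip_address(ex_end))
        overlap_lo, overlap_hi = max(es, int(lo)), min(ee, int(hi))
        if overlap_lo <= overlap_hi:
            usable -= overlap_hi - overlap_lo + 1
    return findings, usable


if __name__ == "__main__":
    # Scope and range from the post; NIC mask and exclusion are assumed values.
    findings, usable = audit_scope(
        "172.16.20.0/23", "172.16.20.10", "172.16.21.254",
        server_interface="172.16.20.5/255.255.255.0",
        client_mask="255.255.254.0",
        exclusions=[("172.16.20.1", "172.16.20.50")],
    )
    for f in findings:
        print("MISMATCH:", f)
    print("addresses available for lease:", usable)
```

If the audit comes back clean, the next thing to look at with the Wireshark capture the poster already has is whether a DISCOVER from a failing client reaches the server at all and what the server replies, since a server that sees the request and stays silent is a scope-selection problem, while one that never sees it is a switch or helper-address problem.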