Saturday, April 28, 2018

Issue connecting to SQL server.

I'm having an issue connecting to a MySQL database hosted on Amazon AWS via MySQL Workbench.

I can connect fine when I use my mobile network tethered to my PC. However, when I try to connect via any PC in my house, I get error 10060. I've temporarily disabled both the firewall on my PC and the firewall on my router. I've also temporarily forwarded every port (TCP/UDP from 1-65535) in my router. On top of this, I have set my PC to the DMZ.

In MySQL Workbench I'm connecting via Standard (TCP/IP). This works on my friend's computer in his house (he is using the same model of router and the same ISP), and I am able to connect via my mobile network tether. Is there anything that I can still try?



Packet Loss using Ethernet Cable

Hello everyone. I have a gaming desktop directly connected to the router with an Ethernet cable, and recently I've been experiencing severe packet loss in games like Fortnite and Counter-Strike, which in practical terms is equivalent to lag spikes even though my ping is stable (around 40 ms).

Also, I use communication apps like Discord or Skype at the same time, but these seem unaffected by the packet loss. Furthermore, I've run speed tests every day and everything seems fine. I should also add that this packet loss isn't constant, as there are times of the day when the games work just fine.

Any ideas on what might be causing this issue? Thanks in advance!



DHCP unable to give IP address to Ubuntu virtual machine after switching physical locations

I have recently moved and now my virtual machines are not able to get IP addresses consistently (it fails the majority of the time). I have not changed any settings in my VM configurations.

My VM is set up on VirtualBox with Ubuntu Server 16.04 LTS. I am using a bridged network. In ifconfig, the interface does not show the inet address. I have tried creating a fresh new install of Ubuntu Server to no avail.

I have tried changing the MAC address but was still unable to get an IP address. After some digging around, I found that if I manually add an IP address, then I am able to connect to the internet, but on reboot it fails again. I have recently purchased a new laptop and it works fine on my laptop.

Luckily, for some reason, today it started to work and my VMs are now able to get an IP address.

I am afraid to shut down my computer and risk it not working again. Does anyone have any clue what is going on?



Learning network automation - best place for help?

I've been digging pretty deep into network automation over the past months. I went through David Bombal's course on Udemy along with Kirk Byers' free 8-week course shortly after. Now I've moved on to a book called "Mastering Python Networking".

I'm at a point where I'm digging into Ansible for the first time and I've hit a snag that I can't figure out. I realize this subreddit is more for enterprise technology, so this isn't the best place. There are both /r/learnpython/ and /r/ansible, but it doesn't seem like either of those is appropriate to post in for, say, a niche issue I'm having with Ansible communicating with an NX-OSv switch.

I'm all about doing some digging before I just needlessly post but I'm truly at a point where I'm just scratching my head. I'm posting here for direction to hopefully find a good community but I'll provide my issue for context.

I'm using GNS3 with NX-OSv and the network automation Docker container with all required packages and such installed. I'm just following along in the book, where I'm using a YAML template with Jinja2 variables to connect to the NX-OSv device and configure the SNMP contact. When trying to do so I get the following output...

    root@NetworkAutomation-1:~/ansible# ansible-playbook cisco_2.yml

    PLAY [Configure SNMP Contact] **************************************************

    TASK [configure snmp contact] **************************************************
    fatal: [switch1]: FAILED! => {"msg": "from_buffer() cannot return the address of the raw string within a str or unicode or bytearray object"}
        to retry, use: --limit @/root/ansible/cisco_2.retry

    PLAY RECAP *********************************************************************
    switch1                    : ok=0    changed=0    unreachable=0    failed=1


DHCP Timeout/Renewal Question

TL;DR version: When a client boots (any OS), do DHCP standards tell it to make a DHCP request, and will it accept a new IP address from the server if it is different from its current IP? I know it SHOULD take the new IP, but sometimes Windows machines like to keep their old address until I manually /release and /renew them from within the OS.

Additionally, when a client reaches its DHCP lease timeout and the server is not available, I know it will assign a 164.255.0.0 address to itself, but how often does it check for the DHCP server to come back online, and how fast will it acquire a DHCP-assigned IP?

I realize it may be different for different OSes, but I am dealing with a proprietary Linux distro and I believe/hope it sticks to the normal standards for these processes. I am trying to figure out what steps will happen if a power-cycle outage on the clients and DHCP server occurs, the DHCP server takes longer to come back up than the clients, and the clients have very short DHCP timeouts.



Suggestions: Enterprise Network Monitoring

I'm taking a new Network Admin position for a large network (9 buildings, each segmented on its own subnet), and I'm looking at different monitoring software. Any recommendations?

I'm playing with Cacti for hardware monitoring. Any other recommendations, or IDS recommendations?

It's important to note that this is a school district. We have little hacker kids we have to allow on the network. So I need to figure out how to allow people on a network and monitor for nefarious activities.



Why use routers instead of switches?

In an enterprise network, where/why would you buy routers when you can get switches a lot cheaper? I can get a switch with 4x10G + 24x1G ports, MPLS/BGP/OSPF, and a 1M FIB for 1/3 of what a router with a similar number of ports would cost. And of course, when you need lots of 10G ports the price difference is going to be a lot larger in favor of a switch.

Maybe if you get multiple full BGP tables from different ISPs, a couple of routers there would make some sense.

We operate our own MPLS network in a few different cities, and we've built everything with 1U or chassis switches. Just wondering what we're missing :)



service provider MPLS VPN

I'm a little confused by this given I've never done it, but when procuring a private MPLS VPN, would the provider give you the internal IP addressing configuration, or would this still be designed and configured by the client?



Dual WAN with VLANs

In our environment we have a dual-WAN setup with a VLAN for servers and a VLAN for workstations.

Right now we are running Untangle with WAN Balancer, but the issue we find is that the balancing doesn't really work that well.

Would it be possible, with extra hardware or something within Untangle, to bind a WAN connection to a VLAN, so that one WAN is sending traffic to one VLAN and the other WAN is sending data to the other VLAN?



STP and MAC learning

So I was thinking about a project I’ve been working on while folding laundry (exciting right?), and I ran across a spanning tree question I didn’t have an answer to. So here it goes:

If a parallel link has a port in STP blocking mode, does the switch still learn MAC address locations for that port? I could see the argument for it to learn the binding, since you want the fastest possible recovery when moving a port from blocking to forwarding. However, that could also pose a resource problem for the switch and potentially make FIB lookups slower since one could find multiple valid exit interfaces and then need to check for STP forwarding state before making a decision.

How does this work? Or do different vendors implement it differently?



Friday, April 27, 2018

Redundant firewalls for internet connectivity between two datacenters - How to?

Hello, I'm just curious what others are doing in a multi-datacenter design. We have two datacenters each with their own internet connection (and same shared IP space). The distance is too far for HA, so we will have a stateful HA pair at each datacenter. How are you routing your traffic? Do you prefer one location over the other? Also, how are you synchronizing your rules? Any insight would be much appreciated.



What (if anything) does a partially-lit link LED on a ProCurve 2810-24G mean?

We have a subtenant moving in to a vacant floor this weekend, and the company told them they could use the existing networking and telephone equipment, which would be fine if there were any to begin with, other than a couple of abandoned and unlicensed Meraki access points and a bunch of ancient ShoreTel phones.

I have pulled a ProCurve 2810-24G out of storage and I am finding that the link LEDs on ports 3 and 5 are barely illuminated.

Searching for information online has proven nearly impossible because other ProCurves have the DIM status LED. Reading the documentation, I don't see any failure mode reflected by a partially lit link LED, and I can't find a console cable around here.

I have tested the ports and they're negotiating a gigabit link, and there were no errors in the time I had it plugged in. There are no trouble tickets for this switch, but there have been so many layoffs that IT just ceased to function in any organized manner, so I wouldn't draw any conclusions from the absence of a trouble ticket.

Does anyone know if the poorly illuminated link LEDs either reflect or foreshadow a future hardware failure?

Thanks



Why am I seeing traffic generated on my NIC as loopback: lo0 when looking at Wireshark?

First off, I hold my hands up: I'm not familiar with Wireshark. In fact, today at work was the first time I used it, and I am now sat watching a tutorial (I work in first-line support). I can see all my network interfaces and there appears to be one called loopback: lo0. What is this, and why is traffic being generated on it? I can't really find a simple answer to this from researching online.



Arista EOS Help

Hey folks,

I'm learning Arista (on my own dime) and was able to get my hands on a pair of Arista DCS-7050T-52 switches. I want to MLAG these together and treat them as a single logical switch, with LACP across them for my hypervisors, similar to how I do it with my Cisco switches.

The issue is that one of the switches has EOS 4.10 and the other has EOS 4.17.

After a bit of reading, I couldn't find the answer to a few things... 1) Can I copy the firmware from one switch to the other? 2) Could I break things by trying to MLAG these with such different versions? 3) Is there a way to get the latest 4.18.x EOS for these to make them match and have the latest supported by this EOL gear?

My preferred option would be to get the newest EOS for these so that I can test all of the latest features and have all of the latest bug fixes.

But that would require a good Samaritan who already has this downloaded, or a valid subscription to download it.

Any assistance is much appreciated.

Thanks!

Cody



ISP and Sonicwall each blaming the other for dropped link

One of my managed service clients uses a local fiber ISP for their primary internet access. My company uses Sonicwall at all our client sites, generally with no issues.

Sometime near the beginning of this year, the fiber link stopped routing traffic. The link to the Sonicwall TZ400 was live, and an IP address was pulled, but none of our traffic reached beyond the ISP's gateway. This of course caused the Sonicwall to switch to the backup link from another (much slower) ISP, where it stayed until I manually disabled the failover configuration and tried sending pings and traceroutes across the problem connection. Suddenly they started going through and everything was fine, so I switched everything back and wrote it off as an ISP hiccup.

3 days later, the same thing happened again. Same fix again.

At this point, I contacted the ISP, who (predictably) blamed our equipment, despite the fact that we can ping their gateway. After some back and forth with them, we got the link back up and running.

Over the next weekend, same thing happened again.

Long story short, the ISP finally did some troubleshooting, and is absolutely adamant that the problem is NOT on their end. Their rationale is "we have hundreds of clients on this same equipment, same configuration, and you're the only one experiencing this issue." The issue persists to this day, recurring about every 3 days or so, though sometimes it runs as long as a week and sometimes as short as 1 day.

Here's what has NOT permanently fixed the issue so far:

  • Disconnecting or rebooting the Sonicwall doesn't even bring the link back up.
  • Getting a new static IP from the ISP, or a sticky DHCP address brought the link up, but it drops again after a few days.
  • Replacing the Sonicwall with another model changed nothing.
  • Factory resetting and redoing the Sonicwall configuration from scratch changed nothing.
  • Following the recommendations in this article, as recommended by the ISP, changed nothing.

Here's what brings the link back up (for a few days):

  • Changing the MAC of the Sonicwall so it acquires a new address via DHCP. The new IP routes traffic just fine, after which I can switch back to the old IP and it will work fine, too.
  • Sending pings or traceroutes across the problem connection. They'll fail to reach beyond the ISP's gateway, but a few minutes afterwards the link will start routing traffic again.

When I arrived to replace the Sonicwall for troubleshooting, the link was down, and remained down after I physically replaced the device. Only when I started sending pings across the link did it come back up.

I brought Sonicwall support into this during one of the outages. After spending a good hour capturing ARP traffic and verifying that they could, in fact, reach the ISP's gateway, they said they'd need to work with the ISP to figure out what's happening to the traffic on their end. They confirmed that my config is good, and that there's nothing on the Sonicwall that they're aware of that could be causing this issue.

The ISP continues to insist it's not their end, but is willing to talk to Sonicwall directly about this to try and get to the bottom of it. Right now I'm just waiting for the link to fail again before I get everyone on the phone.

I'm not new at this, and everything I can see tells me that the issue is 100% on the ISP side, but they have a good point; if it's their end, why are we the only ones with a problem?

I'm out of ideas. Has anyone else run into an issue like this before?



ipv4 checksum recalculation after ip change.

Hi,

RFC 1624 https://tools.ietf.org/html/rfc1624 defines a method to update the checksum after a change in the IP header. However, it is for 16-bit field changes. So if I modify a 16-bit IP header field (total length, identification, etc.) I can follow this RFC. But what about an IP address change, which is 32 bits? Do I need to run this update twice, once for the "lower half" and once for the "upper half" of the new IP address?

Thanks.
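A worked check of the question above, added here as an example (it is not part of the post): RFC 1624's formula HC' = ~(~HC + ~m + m') is applied once per 16-bit half of the 32-bit source address, and the result is compared with a full recomputation of the header checksum. The 20-byte header and the addresses (10.0.0.1, 192.0.2.10 and 203.0.113.5, from the documentation ranges) are constructed sample values.

```python
import struct

def ones_complement_sum(words):
    """Ones' complement sum of 16-bit words, end-around carry folded in."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def header_checksum(header: bytes) -> int:
    """Full IPv4 header checksum (RFC 791), computed with the checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    words = struct.unpack("!%dH" % (len(zeroed) // 2), zeroed)
    return (~ones_complement_sum(words)) & 0xFFFF

def update16(hc: int, m: int, m_new: int) -> int:
    """RFC 1624 eq. 3 for one 16-bit field: HC' = ~(~HC + ~m + m')."""
    return (~ones_complement_sum([(~hc) & 0xFFFF, (~m) & 0xFFFF, m_new])) & 0xFFFF

def update32(hc: int, old: int, new: int) -> int:
    """To the checksum a 32-bit field is just two 16-bit words: update once per half."""
    hc = update16(hc, old >> 16, new >> 16)          # upper half
    return update16(hc, old & 0xFFFF, new & 0xFFFF)  # lower half

def ip2int(addr: str) -> int:
    return struct.unpack("!I", bytes(int(o) for o in addr.split(".")))[0]

def ipv4_header(src: str, dst: str) -> bytes:
    """Constructed 20-byte header: IHL 5, length 40, ID 0x1234, DF, TTL 64, TCP, checksum filled in."""
    hdr = struct.pack("!BBHHHBBHII", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                      ip2int(src), ip2int(dst))
    return hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]

def rewrite_source(header: bytes, new_src: str) -> bytes:
    """Source-NAT style rewrite: swap the source address and patch the checksum incrementally."""
    hc = struct.unpack("!H", header[10:12])[0]
    old_src = struct.unpack("!I", header[12:16])[0]
    new = ip2int(new_src)
    return header[:10] + struct.pack("!HI", update32(hc, old_src, new), new) + header[16:]

def checksums_agree(src: str, dst: str, new_src: str):
    """(True, checksum) when the incremental update matches a full recomputation."""
    patched = rewrite_source(ipv4_header(src, dst), new_src)
    incremental = struct.unpack("!H", patched[10:12])[0]
    return incremental == header_checksum(patched), incremental

if __name__ == "__main__":
    print(checksums_agree("10.0.0.1", "192.0.2.10", "203.0.113.5"))
```

Running only one of the two `update16` calls leaves the checksum wrong, which is the failure mode a middlebox hits when it treats an address as a single field; running both (in either order) lands on the same value a from-scratch recomputation gives.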



Looking for input on IGP implementation

So I have recently inherited a network that is much larger than what I have previously built. Once again I am the sole proprietor of said network, and I have some plans to "fix" what the previous person did and did not do. I have identified the potential of an IGP on a certain closed network to make general configuration and maintenance easier, so on to my question.

In a previous role, when we used OSPF, one of my senior network guys told me, when adding a new MLS to the network, to simply add the supernet of a network that was broken into something like 20 subnets, i.e. 192.168.0.0 0.0.255.255, as opposed to actually adding the subnet that was on the OSPF interface, something smaller like 192.168.1.0 0.0.0.255.

Everything always worked, but this seemed like bad practice, to "overscope" a network like that, and since I have not had the pleasure of working with many experienced networking people, I was wondering if any of you have thoughts on the topic.



Cat IOS 16.5+ ZTP via Guestshell

Anyone ever have issues with configure commands?

    from cli import configure, cli
    configure()


AWS and MPLS L3VPN

So I'm part of the transport team for our company and we have started looking into AWS. We have an MPLS core providing L3VPN connectivity to our customers. We are looking at using a carrier for Direct Connect to a transit VPC. I want to extend MPLS to a router in the transit VPC (CSR1000v or vMX) via a GRE tunnel. The goal is to make that router in the transit VPC a PE, and each customer VRF in that PE will have IPsec connectivity to the customer's VPC, basically making a VPC part of a customer's L3VPN. I don't see any reason why I can't do this, but I'm pretty new to AWS and have not seen this done in any documentation I've researched.

For those experienced with AWS infrastructure, is there anything that I'm missing that could prevent me from doing this? Is there a better way to accomplish what I'm trying to do?



Networking / Cisco games?

Are there any decent quality and up to date networking or Cisco based games? Preferably web based and free but I will take whatever.

I know of these: https://learningnetwork.cisco.com/community/learning_center/games



Are there any security concerns with OSPF packets?

My company is about to get a security audit next week and I'm trying to tighten up my network. I'm not sure if it's normal, but I am getting OSPF hello packets on all of my VLAN interfaces. I only use OSPF on the main switch that talks to our core router. We usually do static routes at all of our locations, so these packets only show up on this one network that uses OSPF. We only do static routes to adjacent IDFs in our buildings.

The switch is an HP 5820 running Comware 5 plugging into a Cisco 6880.

(Cisco)

    !
    interface TenGigabitEthernet5/6
     description te1/0/24
     ip address 128.66.0.1 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip pim sparse-mode
     ip policy route-map voip
    !
    router ospf 100
     router-id 128.66.0.10
     redistribute connected subnets
     redistribute static subnets
     network 0.0.0.0 255.255.255.255 area 0
     default-information originate

(HP)

    #
    interface Vlan-interface1
     description Default VLAN
     ip address 10.27.0.1 255.255.0.0
     dhcp select relay
     dhcp relay server-select 1
    #
    interface Vlan-interface100
     description Apple TV
     ip address 10.28.100.1 255.255.255.0
     dhcp select relay
     dhcp relay server-select 1
    #
    interface Ten-GigabitEthernet1/0/24
     port link-mode route
     description Uplink to Cisco6880 Te5/6 ip 128.66.0.1
     ip address 128.66.0.2 255.255.255.252
     sflow sampling-rate 1000
     sflow flow collector 1
     sflow counter interval 20
     sflow counter collector 1
    #
    ospf 100 router-id 128.66.0.2
     description external routing
     area 0.0.0.0
      network 0.0.0.0 255.255.255.255

I'm thinking the hello packet isn't that big of a deal. I was thinking of adding

ospf network-type p2p 

to the interface ten 1/0/24 on the HP 5820. I'm going to wait until after hours though before I try that.

The Cisco is owned by my ISP, so I don't like making changes on it, but I can if I have to. I'm more comfortable with HP Comware anyway.
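An added example (not from either post, and not vendor code) of what the `network` statement in the configs above actually does. A `network <address> <wildcard> area <n>` statement enables OSPF on every interface whose address matches the wildcard, so `network 0.0.0.0 255.255.255.255` puts every VLAN interface into OSPF and the hellos seen on the user VLANs follow from that; the same matching is why the supernet statement `network 192.168.0.0 0.0.255.255` from the earlier IGP post enables OSPF on every interface in 192.168.0.0/16 rather than on one subnet. The function below reproduces the wildcard match and IOS `passive-interface default` / `no passive-interface X` handling (Comware's equivalent is `silent-interface`), assuming statements are listed most specific first; the interface table is constructed from the addresses in the HP config above, and the interface names are assumptions.

```python
import ipaddress

# Constructed from the HP 5820 config in the post: interface name -> address.
HP_INTERFACES = {
    "Vlan-interface1": "10.27.0.1",
    "Vlan-interface100": "10.28.100.1",
    "Ten-GigabitEthernet1/0/24": "128.66.0.2",
}

# network statements as (address, wildcard, area)
AS_POSTED = [("0.0.0.0", "255.255.255.255", 0)]   # matches every interface
UPLINK_ONLY = [("128.66.0.0", "0.0.0.3", 0)]     # matches only the /30 to the Cisco

def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    i, n, w = (int(ipaddress.IPv4Address(x)) for x in (ip, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (i & care) == (n & care)

def ospf_enabled_interfaces(interfaces, network_statements):
    """{interface: area} for every interface whose address matches a network statement.
    First match wins; statements are assumed to be listed most specific first."""
    enabled = {}
    for name, ip in interfaces.items():
        for network, wildcard, area in network_statements:
            if wildcard_match(ip, network, wildcard):
                enabled[name] = area
                break
    return enabled

def hello_senders(interfaces, network_statements, passive_default=False, overrides=()):
    """Interfaces that actually send hellos: OSPF-enabled and not passive.
    passive_default=False: overrides are 'passive-interface X' lines (those go quiet).
    passive_default=True:  overrides are 'no passive-interface X' lines (only those talk)."""
    enabled = ospf_enabled_interfaces(interfaces, network_statements)
    return sorted(name for name in enabled if (name in overrides) == passive_default)

if __name__ == "__main__":
    print("as posted:", hello_senders(HP_INTERFACES, AS_POSTED))
    print("passive default, uplink active:",
          hello_senders(HP_INTERFACES, AS_POSTED, True, {"Ten-GigabitEthernet1/0/24"}))
    print("uplink-only network statement:", hello_senders(HP_INTERFACES, UPLINK_ONLY))
```

Either narrowing the network statement to the uplink /30 or making interfaces passive by default leaves hellos only on the link to the core router, which is what an auditor checking for unauthenticated routing protocols on user segments expects to see.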



Staff network wired and wireless same subnet.

We have laptop users who dock their laptops and connect via Ethernet into the LAN. When they undock, they are on wireless and need the same access to network resources.

What's the best practice for wired and wireless trusted networks: should they be separate subnets or not? Pros and cons, please.

IP depletion is not an issue.



Stupid routing question (/31 from ISP and then routed /30)

After posting about the ancient router that an ISP reseller has sent us for our shiny new 1Gbps line, I may be in the market for a new router.

I thought it was worth making sure I understand this fully. This is how things would fit together if I don't change anything:

The fibre will be terminated on an ISP-supplied switch, which will then connect to a Cisco router. The 'WAN' side of the Cisco is x.x.x.129/31. The 'LAN' side of the Cisco is x.x.x.133/30 and will serve as our GW. The one usable IP is x.x.x.134/30, which I can assign to our pfSense firewall.

So, I get how all this works. However the supplied Cisco clearly isn't suitable for the job. Either they replace it, or I'll have to.

If I replace it, I could get a Cisco (expensive), so I'm currently thinking more along the lines of a Ubiquiti EdgeRouter 4.

Or... is there a way to just skip the separate router and go straight from the ISP switch to pfSense? I guess I could put the pfSense WAN interface on .129/31 and ignore the rest? Or maybe treat the WAN side of pfSense as a /29? Not sure that would work, as presumably the ISP is using a /31 mask on their side. Is there a way to use both the /31 and the /30 on the WAN side of pfSense and avoid having the router in between? Am I mad to consider it? I'm happy having a Cisco or EdgeRouter in between, but it just feels like it's a bit of a waste.



Some duplicate packets on PortChannel

This was a weird one, and I'm still not sure what happened. I'm going to try to run some more tests, but I won't be able to until next week. Knowing my luck, it'll be something totally obvious...

Scenario is the following:

  • Unix machines, running two i40e-driver cards
  • Cisco 6509E VSS
  • one interface from each card in a multichassis EtherChannel
  • Each EtherChannel interface is configured with a native VLAN plus three dot1q VLANs
  • Cisco side example config is:

    interface Po42
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 500,600,700
     switchport mode trunk
     switchport nonegotiate

  • Server side config matches, interfaces come up on both sides, traffic passes fine between the server and other similarly configured servers, etc

Now here's the fun part... some UDP packets, sent by only a couple of the other machines, are received twice on this server, with some delay (a few microseconds), once on each physical interface of the EtherChannel. After I removed "switchport nonegotiate", there were no more duplicates.

I've looked at pretty much any PortChannel 'show' command I could think of and/or find before and after the change, nothing looked wrong on either side (switch & server). I genuinely cannot figure out why the duplication was happening... Has anyone seen this before?

(to be continued, once I manage to run some more tests!)



Torn between using OSPF or EIGRP

We are in the planning/testing phase of moving from a collapsed-core layer-2 design to a layer-3 hub-and-spoke topology, given the current network equipment and limitations. There are future plans to eventually connect some of the other spokes to one another, creating a partial mesh topology. Each spoke is a different site throughout our county-wide network. We will be readdressing each site as we move along, with route summarization being the driving force for the IP address changes. Each site is rather small in size; we will be using a /27 mask for every site, which will contain multiple subnets. This gives every site the potential to be summarized with one single route.

To make the transition from the layer-2 trunk links, we are going to create layer-3 point-to-point links over fiber between the core and each site's distribution switch. The core is a Cisco 6500 and the distribution switches are a mix of Cisco 3650 and 3560. To give an idea of the amount of routing involved, there are roughly 15 distribution switches, with the expected addition of multiple sites each year for years to come.

Here is where I’ve run into a dilemma so to speak. At the moment I’m torn between using OSPF or EIGRP due to licensing issues and current network layout. I know that may sound kind of silly but hear me out.

Originally the intention was to use OSPF for reasons such as being vendor neutral and OSPF scalability with future growth expected. We would be using a single area 0 design throughout the network given the current size and had plans to add additional areas as the network size increased. Each link between the core and distribution switch would be setup as OSPF network point-to-point with hub and spoke and then eventually some links would be configured as OSPF point to multipoint for the partial mesh.

Realizing that our distribution switches all have the IP Base license, this would currently limit the network to a maximum of 200 OSPF routes for a single OSPF AS. Certainly this wouldn't be a problem if we created additional areas, but as it stands, we have no ABRs between the core and distribution switches which we could use to summarize our routes. With no summarization we end up with about 5-7 OSPF routes per site. Unless I'm missing something here, we would either have to purchase an additional router to use as an ABR for summarization or purchase an IP Services license for each distribution switch to remove the route limit.

We have considered EIGRP as we are currently all Cisco, but we would like to stay vendor neutral as we could potentially have non-Cisco gear down the road.

Using EIGRP we would be able to summarize at each distribution switch without additional equipment which is nice due to our situation but obviously there are still problems with using EIGRP. The drawbacks of EIGRP are that with our licensing all distribution switches would be in stub mode so we couldn’t pass the routes beyond that switch which is fine for now but later down the road when we want to take advantage of the mesh topology we will run into problems passing the routes between the stub routers, unless I am mistaken. Again, we could purchase licenses and use EIGRP without limitations.

On a side note, purchasing additional equipment and licensing is a possibility in the future but not at the moment.

Obviously, this is a decision that I have to sit down with my supervisor and thoroughly discuss but it would be great to get some outside opinions on the matter. I’m always open to suggestions as well, like I mentioned I could be missing something. Thanks for reading if you made it this far.



How do you handle prefix lists between customers?

We've been building an MPLS network that connects a few customers to each other and then to our datacenter. Customers also want their networks to be segmented and all the traffic to go via firewalls (because of the nature of the customers and some regulatory stuff).

We run BGP between the VRFs and firewalls, and try to route the networks everywhere we can to avoid NAT, and then limit the traffic with firewalls and routes with prefix lists. As it's a lot of legacy stuff and private IP address networks from here and there, we can't really do summarization like "Customer A: 10.128.0.0/14, Customer B: 10.132.0.0/14", etc.

The actual question is: how do you manage such prefix lists between networks? Do you only allow the actual subnets being used, or allow a larger prefix and hope that there are no collisions? (For example, if a customer has 10.128.0.0/24, 10.128.5.0/24 and 10.128.11.0/24 in use, do you just add 10.128.0.0/20 to the prefix list?)

I know ISPs can use DBs that have routes added by every party, but as these are private networks I'm not really sure if we can do this.

Or should we still try to have a centralized database where every subnet is added, and then prefix lists would be generated automatically based on that data? Our IPAM is a bit of a mess, but if we fixed all the networks there to the correct VRFs and so on, we might be able to pull the data from there...

Also, the decisions about when to advertise which network where are a bit problematic, as the customers also host their own servers and might provide some connections to our other customers.

Any other ideas for doing this kind of larger network that connects multiple organizations running different subnets with private IP addresses?

Thanks!
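An added example, not from the post, of the IPAM-driven approach it floats: a constructed export of (VRF, prefix) records (sample data, not real customers) is turned into exact prefix-list entries, overlapping prefixes between different VRFs are reported, and a proposed loose summary such as the 10.128.0.0/20 from the post is checked for the other customers' prefixes it would silently admit. The prefix-list lines use IOS `ip prefix-list` syntax; the VRF names and sequence numbering are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed IPAM export: (VRF, prefix). Sample data only.
IPAM = [
    ("CustomerA", "10.128.0.0/24"),
    ("CustomerA", "10.128.1.0/24"),     # adjacent to the line above: collapses to 10.128.0.0/23
    ("CustomerA", "10.128.5.0/24"),
    ("CustomerA", "10.128.11.0/24"),
    ("CustomerB", "10.128.5.128/25"),   # collides with CustomerA's 10.128.5.0/24
    ("CustomerB", "10.128.8.0/24"),     # inside 10.128.0.0/20, but not CustomerA's
    ("CustomerB", "172.16.40.0/22"),
]

def prefixes_by_vrf(records):
    """Group the export by VRF; strict=True rejects host bits set in a prefix (mis-entered data)."""
    out = defaultdict(list)
    for vrf, prefix in records:
        out[vrf].append(ipaddress.ip_network(prefix, strict=True))
    return out

def find_collisions(by_vrf):
    """Prefix pairs from different VRFs that overlap: address reuse that routing cannot separate."""
    items = [(vrf, p) for vrf, prefixes in by_vrf.items() for p in prefixes]
    hits = []
    for i, (vrf1, p1) in enumerate(items):
        for vrf2, p2 in items[i + 1:]:
            if vrf1 != vrf2 and p1.overlaps(p2):
                hits.append((vrf1, str(p1), vrf2, str(p2)))
    return hits

def exact_prefix_list(name, prefixes, step=10):
    """ip prefix-list lines permitting exactly the registered subnets (adjacent ones collapsed)."""
    lines = []
    for seq, p in enumerate(ipaddress.collapse_addresses(sorted(prefixes)), start=1):
        lines.append(f"ip prefix-list {name} seq {seq * step} permit {p}")
    return lines

def summary_leaks(by_vrf, vrf, summary):
    """Other VRFs' prefixes that a loose summary for `vrf` would also admit through the filter."""
    s = ipaddress.ip_network(summary)
    return sorted(
        (other, str(p))
        for other, prefixes in by_vrf.items() if other != vrf
        for p in prefixes if p.subnet_of(s)
    )

if __name__ == "__main__":
    by_vrf = prefixes_by_vrf(IPAM)
    print("collisions:", find_collisions(by_vrf))
    print("\n".join(exact_prefix_list("CustomerA-in", by_vrf["CustomerA"])))
    print("10.128.0.0/20 would also admit:", summary_leaks(by_vrf, "CustomerA", "10.128.0.0/20"))
```

Generating the lists from the database keeps the filter as tight as the data, and the two checks are what make the database trustworthy: a collision means two customers cannot be routed to each other without NAT regardless of the prefix list, and a non-empty leak list is the concrete risk in "add the /20 and hope".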



Where are your favorite Visio stencils?

I do a lot of graphic design on the side and I just accepted a role that will require me to spend more time designing networks than configuring or troubleshooting (Senior Network Analyst, woop woop!). I typically use the defaults in Visio 2016, but they are so bland to me now. I am wondering if any of you have stencils that are both aesthetically pleasing and very functional for your drawings!



High OutDiscard Count throughout campus

Welp! I'm at my wits' end. I've amplified all my LACP trunks to my 3750X distribution switch to at least 3 interfaces. I'm baffled; should I (being a one-man team) implement QoS (with no experience) throughout the campus, consisting of a pair of 6509s, a 3750X and various 2960X switch stacks? The network is heavily segmented and bandwidth is policed with a new pair of 500E firewalls. I've exhausted, and therefore AM exhausted over, user complaints of intermittent connectivity drops to the outside and within. The only clue I have is all of these OutDiscards throughout all the switches. I read someone had a similar issue with the 2960Xs where the frames weren't being processed by the appropriate ASIC. I'm between a rock and a hard place. I'm alone, with no Cisco support and inexperienced with QoS. I hope it's not saturation but some feature I'm missing. Help? Please? :( https://paste.ee/p/DTxiK



ISP Policing causing issues for egress traffic, how can I fix this?

We have a 100M DIA on GigE and have been having issues with Internet performance ever since we turned it up a few weeks ago. The carrier claims that everything is great on the circuit and has provided an RFC 2544 report that confirms it.

I'm pretty sure the problem now is the difference in circuit speed vs. CIR. We're using an ASR1001X and I've tried to put a very basic traffic-shaping policy on the egress interface, and that didn't work.

    policy-map fair-queue
     class class-default
      fair-queue
    policy-map shape-100m
     class class-default
      shape average 100000000
      service-policy fair-queue
    interface GigabitEthernet0/0/5
     bandwidth 100000
     ip address x.x.x.x 255.255.255.252
     load-interval 30
     no negotiation auto
     service-policy output shape-100m

I've also attempted to tune the shaping bandwidth down as low as 50M and still had issues.

Symptoms are reasonable download speed (80-100M) but upload speed is 0-10M at best and generally starts out around 10M and by the end of the test is in the Kbps range.

What am I doing wrong here? Are there questions I should be asking the carrier about their policing config that would help with setting up the shaping?

This connection is basically only used for a couple of small web servers and office users to browse the web.

So far I've mitigated the problems slightly by forcing the LAN side of the router to 100/Full, but that's not a solution.

Any help on this would be greatly appreciated.



In light of recent BGP hijacking I became curious, what are your thoughts on BGPSec or other alternatives?

Hey everyone,

After reading about a couple more BGP hijacks this week, I was wondering what everyone is thinking about BGPSec, or just the future of BGP in terms of internet routing in general. I read that one of the BGPSec RFC authors apparently said he's not sure if it will ever actually get implemented, but I've also read that up to 5% of the Internet has begun acquiring cryptographic keys for securing BGP (doesn't sound like much, but some areas appear better than others; Latin America is up to 24%).

Do you guys think BGPSec is the future or a different alternative? Or do you think BGP will continue in its current state without needing/wanting to be changed?



DR solution

I have 2 remote sites and need to build a tunnel between them to pass all the user traffic in case one of them goes down. I have an ASA 5525-X and a 4500-X at each site. I was planning to build a GRE tunnel between the 4500-Xs and encrypt the traffic using the ASAs. Is this a feasible solution, am I missing anything, or is there a better way to do this? If one site goes down, I need the user traffic to be terminated on the 4500-X on the other side, to be routed properly to the internet.



Question Friday (is that a thing yet?)

So, I am currently designing and building out a new 90000 sq ft, 3 floor, 450 person, corporate headquarters.

ASRs on the WAN

Cisco NGFW running asa code for firewalls

Cat 9Ks

Layer 3 to the access switches

MPLS

Separate AV network (all layer 3 to the TOR and core switches)

I got a free DNA appliance from Cisco

The question is as follows.

For everyone that deployed corporate networks in the last year — what are some lessons learned that I want to look out for? What are some things that you did that you wish you didn’t and vice versa

For everyone that is building a corporate network now or just finished in the last month — what worked and didn’t work? Pain points?

For everyone else — what do you wish was around or was cheaper so you could deploy?

Talk to you all soon and happy networking!!



How do I get router top speed upstairs?

Hi,

Quite a newbie post here, but struggling to sort it myself.

I have a 350mb broadband package with Virgin Media (UK). I get these speeds wired and wirelessly downstairs, but can't get a solid or fast connection upstairs. This is a common problem, I'm sure.

Anyway, I'm wondering how best to deal with this. Would powerlines and a second router upstairs be better?

I'm really quite clueless, so any ideas would be great.



Should I be worried that our ISP just sent us this router?

Cisco 3845

I joked with a colleague that all Cisco stuff looks 10 years out of date even when new. But from looking at it, it looks like this thing is 10 years out of date...

What are the chances of this being able to handle our new 1Gbps internet connection? Just literally to route between the ISP and us with (presumably) one static route. Everything I've read suggests there's no chance. I'm beginning to wonder if they literally drop-shipped the damn thing to us from eBay!



Anyone willing to share their Computer Use IT policy?

Hello, I was wondering if anyone would like to share their computer use policy and internet use policies with me? Working on renewing ours and would benefit from seeing different implementations.

Thanks.



P2P and NAT - How do I get through?

Hi. I'm building a P2P network and wondering how I get through NAT, to be more precise how to connect a peer that is behind NAT to another peer that is also behind NAT. My network will also have peers that have public addresses and I want to use them (don't know how it is possible) to establish connections between NATed peers.

What I know: How to establish connection between NATed and non-NATed peer (NATed peer ---> non-NATed peer)

What I do not know: How to establish connection between non-NATed and NATed peer (non-NATed peer ---> NATed peer). How to establish connection between NATed peers (NATed peer ---> NATed peer)

Thank you in advance. :)
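The three cases in the post (NATed to public, public to NATed, NATed to NATed) can be played through with a small simulation. This is an added example, not code from the original post: it models a common consumer NAT (in RFC 4787 terms, endpoint-independent mapping with address-and-port-dependent filtering), which is an assumption, and every address, port and peer name below is a constructed sample. It shows why a publicly reachable peer is needed as a rendezvous point, and how the "hole punching" exchange through it lets two NATed peers talk directly.

```python
"""Why two peers behind NATs cannot reach each other directly, and how a
publicly reachable peer lets them "hole punch" a UDP path.  Added example,
not from the original post.  The NAT model is an assumption about a common
consumer NAT (RFC 4787 terms: endpoint-independent mapping, address-and-
port-dependent filtering); every address below is a constructed sample."""


class Nat:
    """A NAT with one public IP.  Outbound packets create a mapping (private
    endpoint -> public port) and a filter entry (remote endpoint allowed back
    in on that port).  Inbound packets without a matching filter are dropped."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.mapping = {}      # (private_ip, private_port) -> public_port
        self.filters = set()   # (public_port, remote_ip, remote_port)
        self.hosts = {}        # (private_ip, private_port) -> Peer

    def outbound(self, src, dst):
        """Translate src on the way out; returns the public (ip, port)."""
        if src not in self.mapping:              # endpoint-independent mapping:
            self.mapping[src] = self.next_port   # one port per private endpoint,
            self.next_port += 1                  # whatever the destination is
        public_port = self.mapping[src]
        self.filters.add((public_port, dst[0], dst[1]))
        return (self.public_ip, public_port)

    def inbound(self, src, public_port):
        """Return the private endpoint for an inbound packet, or None if filtered."""
        if (public_port, src[0], src[1]) not in self.filters:
            return None
        for private, port in self.mapping.items():
            if port == public_port:
                return private
        return None


class Peer:
    def __init__(self, name, addr, nat=None):
        self.name, self.addr, self.nat = name, addr, nat
        self.inbox = []                    # (source endpoint, payload)
        if nat is not None:
            nat.hosts[addr] = self


def send(world, sender, dst, payload):
    """Deliver one UDP datagram.  `world` maps a public IP to either a Nat or a
    publicly addressed Peer (one peer per public IP, for simplicity).
    Returns True if the datagram reached a peer, False if a NAT dropped it."""
    src = sender.nat.outbound(sender.addr, dst) if sender.nat else sender.addr
    target = world[dst[0]]
    if isinstance(target, Nat):
        private = target.inbound(src, dst[1])
        if private is None:
            return False
        receiver = target.hosts[private]
    else:
        receiver = target
    receiver.inbox.append((src, payload))
    return True


def run_scenario():
    """Play through the three cases from the post and return what happened."""
    nat_a, nat_b = Nat('198.51.100.1'), Nat('192.0.2.1')
    a = Peer('A', ('10.0.0.2', 7000), nat_a)        # NATed peer
    b = Peer('B', ('192.168.1.2', 7000), nat_b)     # NATed peer
    r = Peer('R', ('203.0.113.10', 5000))           # public rendezvous peer
    p = Peer('P', ('203.0.113.20', 6000))           # another public peer
    world = {nat_a.public_ip: nat_a, nat_b.public_ip: nat_b,
             r.addr[0]: r, p.addr[0]: p}
    out = {}

    # Case 0 (known to work): NATed -> public.  R learns each peer's mapping.
    send(world, a, r.addr, 'register')
    send(world, b, r.addr, 'register')
    a_mapped, b_mapped = r.inbox[0][0], r.inbox[1][0]
    out['a_mapped'], out['b_mapped'] = a_mapped, b_mapped

    # Case 1: public -> NATed.  Unsolicited traffic is dropped by A's NAT until
    # A itself has sent something to P (R can ask A to do that).
    out['p_to_a_unsolicited'] = send(world, p, a_mapped, 'hello')
    send(world, a, p.addr, 'hello')
    out['p_to_a_after_a_sends'] = send(world, p, a_mapped, 'hello again')

    # Case 2: NATed -> NATed.  R hands each side the other's public mapping
    # (done out of band here); both send to it.  Whichever packet arrives first
    # is dropped, but it opens the sender's own NAT, so the reply gets through.
    out['a_first_punch'] = send(world, a, b_mapped, 'punch')
    out['b_punch'] = send(world, b, a_mapped, 'punch')
    out['a_after_punch'] = send(world, a, b_mapped, 'data')
    out['a_inbox'] = [payload for _, payload in a.inbox]
    out['b_inbox'] = [payload for _, payload in b.inbox]
    return out


if __name__ == '__main__':
    for key, value in run_scenario().items():
        print(f'{key}: {value}')
```

The first punch packet being lost is normal; real implementations retransmit for a short while. NATs that allocate a different public port per destination (address-dependent mapping) defeat this simple exchange, which is why P2P stacks also keep a relay through a public peer as a fallback.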



Alternative to Cisco for PE and CE?

Hello, we currently use C6500/Sup720 as PE for our MPLS backbone. Our CEs are simple C2960 layer 2 switches (default gateways are hosted directly on the PE).

We have to rebuild our network, and I would like to know the alternatives to Cisco:
  • for the backbone (I need chassis doing MPLS, with quite a lot of ports, around 200 per chassis);
  • for the PE that I would like to transform into an L3 CE doing MPLS (at a reasonable cost, which is difficult to find with Cisco).

Thanks!



Is there any portable version of Cisco Packet Tracer?

?



Looking to replace 40 Watchguard APs throughout 20 sites

We have a Meraki demo, and a few Fortinets thrown our way. Looking for something cost efficient, manageable without too much headache. Right now we cannot do a captive portal, our Watchguard controller cannot be upgraded and another needs to be updated. Thoughts on the FortiAPs, if anyone has used them? I know this sub has a lot of love for Ubiquiti; I have one in my home. Anyone use Open Mesh? At this point the wifi is unreliable, ports configured wrong.



Open source web proxy recommendations?

Hi, I'm planning on making a lot of proxies for automation software using Google Cloud as my provider with my instances being on Linux. My main goal is to achieve the lowest latency possible. For this purpose, would Squid or 3proxy be better? Or anything else?

Thanks



Restricting IKE traffic to ASA

Hey everyone,

I'm looking to restrict traffic to an ASA by only allowing specific IP addresses to be able to establish an IKE connection to my ASA's public IP address. I thought about adding an ACL to the outside interface of the ASA, but after doing some research, I hear that an ACL on the interface will only block traffic going THROUGH the ASA and not to the device itself. I only want my verified devices to have the ability to establish a VPN connection.

Verified Public IP > IKE Traffic to Build Tunnel > Public IP of ASA

I was able to do this on a SonicWall by adding an ACL rule between my WAN zones. Does anyone know how this can be done on the ASA?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



End-to-end campus QoS help

I am trying to implement an end-to-end QoS solution for a three-tier hierarchical campus network and am rightly stumped. I'm confused as to which interfaces require a queuing service-policy and whether it should be ingress, egress or both. I also need help with marking classification (typical TCP/UDP ports so I can create the access-lists for marking) for a 2p6q3t configuration.

I have access to Safari; can anyone recommend a book which goes through QoS in a practical, easy-to-follow sense, which I can then translate to this network type?



Thursday, April 26, 2018

Netflow for specific SVIs?

Haven't had much luck googling this because I'm not even sure this is possible or I'm wording it incorrectly. Is there a way, with a Cisco 6500 series switch with several SVIs configured, to export NetFlow for those specific VLAN interfaces and only send source/dest information regarding that specific SVI?

Scenario:

Customer A has SVI VLAN 20.

Customer B has SVI VLAN 30.

so on and so forth

Each has a dedicated link directly to the Cisco 6500 connected to a switch on their side (basic layer 2 connection passing their vlan ID). They are routed upstream after 6500 to internet. Simple hub n spoke topology.

The goal here is to export NetFlow to a parser (a LogicMonitor collector in this case). These collectors have a cap of 1000 top flows. I want to break this out and have separate collectors for each customer so as to capture as much data per collector as possible. Is this possible? Or does NetFlow not work like that?



How do you set up your MDF/IDF cabinets?

At my previous job the IDFs would have a patch panel/switch/patch panel/switch stacking. This allowed us to use 6-inch patch cables and everything looked pretty clean.

At my present employer, they put all the patch panels on top of the IDFs and switch stacks below. Then they run like 7ft cables to patch everything in and it looks like a cluster!

Recently, we had a vendor ask about angled patch panels but suggested the same setup as they have here, patch panels on top and run cable down the sides to connect the switches.

I prefer the way my former employer set up everything. Is that the wrong way? Is there best practice I should be following?



Status LED is Blinking fast RED on Cisco C6880-X. Is it dead?

Woke up to find the status light on the 16-port 10/1GbE supervisor on the C6880-X blinking red rapidly. No response when I tried connecting via console. Turned it off. Took out the fan module and supervisor, cleaned them out thoroughly too. But still nothing. Is this device officially dead? It's out of contract, so no Cisco support for this.

Anyone who has had a similar experience? Thanks



Looking for vendors for small deployments

Hi, This is my first post on reddit, please be kind ;-)

I'm a network engineer working with Cisco and Juniper gear. I know what you can (and cannot) do with particular boxes and software.

From time to time I am asked to help with a small deployment where there is no budget for Cisco or Juniper. However, this is justified by very limited feature (and performance) requirements.

I don't have much experience with other vendors (my home network is built on Juniper, Cisco and one MikroTik for LTE backup).

I am looking for some advice - can you recommend something between soho and Cisco/Juniper for L2 switching? Features I am looking for are mostly:

  • DHCP Snooping
  • BPDU Guard
  • MAC limiting
  • LACP
  • SNMP :)
  • RSTP

Also, anything for routing which can PAT up to 300-600Mbps of IMIX traffic? I was looking at the MikroTik RB3011UiAS-RM, which looks promising. And a stateful firewall is a plus here.

I would really appreciate any hint or advice. Cheers!



ISE and TACACS+ on the same Cisco ISE box?

Hi, I can't find much info on this but I know someone may help here. I'm planning a deployment of about 20,000 endpoints with ISE (most functionality, using Base/Plus/Apex/AnyConnect licenses), and would certainly use a 3595 server for it, which should support the endpoints with no issues, but I also want to enable the Device Admin license to configure a number of devices (let's say 2000). How should I decide whether the almost maxed-out 3595 will support a number of TACACS+ sessions (say 1000; don't fixate on my numbers, I know that 1000 sessions for 2000 devices is way off)? How can I know if the device can handle all the traffic? From Cisco I can find comparison tables with the number of simultaneous devices for RADIUS sessions (NAC), and TACACS+ sessions per second, but I can't find the limit for TACACS+ sessions. I'm pretty sure that I can mix them, but the main thing is that we want to find a technical reason NOT to mix the two.

Thanks for your time.



Strange network issue with one VM - Help Needed..

I have a strange issue with a Windows 2012 R2 VM.. Apps team said they were having an issue transferring a file. They did a running ping from the server doing the transfer to the server receiving the file.. When they specified a byte size of 5000 it would randomly drop pings but the latency was fine.. This is all over the WAN..

To troubleshoot I have done the following:

  • When I do a running ping with a packet size of 5000 on another VM on the same host I get no drops from two different WAN core switches.
  • Moved VM to another host (even though host not suspected to be issue) - issue persisted.
  • Rebooted VM
  • Removed VMNIC (was VMXNET3) and Added New VMXNET3 - issue persisted.
  • I can ping local LAN physical and virtual servers without issue on the problem VM.

I'm out of ideas of things to try.. If the server can ping local LAN nodes with no issue that would point to it being the WAN, no? But then why are other VMs on the same vmware cluster (and same esxi host) not having the issue??

Thanks for any ideas!



OTV too expensive - Using VXLAN for L2 Extension via DCI instead?

Afternoon everyone. Working on a project to bring online a second datacenter and a DCI back to our primary site. We are going to have an L2 pseudowire between the two sites, and I was originally hoping to terminate that connection into N7Ks on both ends and use OTV for the L2 extension.

Unfortunately, even refurb'd N7K's will be north of $60K, which won't be possible for this project.

So I'm now looking into using VXLAN on some N9K's to accomplish the same goals. Has anyone had success with this?



RADIUS doesn't work with management vlan for first switch only

I have a RADIUS server which works for 3 of my 4 switches and I don't understand why.

192.168.18.1

192.168.18.2

192.168.18.3

192.168.18.4

18.2, 18.3 and 18.4 work fine: the RADIUS server sees them and the auth is OK, but for 18.1 it doesn't work. The error message on the RADIUS server is coming from the IP 192.168.15.3, which is the management IP for the MPSL of the main switch there. I don't understand why the RADIUS server can't pick up the management IPs of the first switch.



Create pinhole (port forwarding) in Palo Alto 3020

I am having issues with a NAT on a Palo Alto. I am trying to do what is in the diagram below. It works from our IP address and a few others, but the majority of the internet cannot get to the site after the NAT statement is created.

The first link is the current NAT translation that works from our site (not in the same subnet as the server we are trying to static NAT for, nor do we have a VPN to this colocation space): https://imgur.com/7BCCAzp The second image is what I am trying to do: https://imgur.com/a/GEdUSlP



I have set up a VPN and am trying to allow/deny traffic for certain networks with UFW

I have been trying to allow/deny traffic to certain networks with UFW. I have several others, but the one in the picture is the one I am working on first. I have tried many things so far; we are probably on hour 4 of this. I can't figure out why UFW is still blocking the traffic in the picture.

https://i.imgur.com/WpJdEqf.png

Any input would be greatly appreciated. Thanks!



Mellanox Connectx3 40gbe - Can't get past 20gbps from Windows VM to Windows VM

Scenario: Two Windows Server 2012 R2 virtual machines, one on each of 2 ESXi hosts. Hosts are directly attached to each other via ConnectX-3 InfiniBand cables (card models and cables confirmed to be compatible by Mellanox). I have spent hours with VMware & Mellanox support. EsxiHost1 to EsxiHost2, via SSH, DOES achieve 40Gbps using iperf directly in the CLI of the ESXi host, so I know the drivers should be good. I have tried the following:

  • I have tried PCI passthrough, allowing me to achieve 20Gbps

  • When using VMXNET3 I can't push past 17 or 18Gbps

  • I have tried many small tweaks in Windows including jumbo packets/TCP offload/etc. under the "configure" section of the network adapter

Help me achieve 40gbps throughput (please)!



Ciena 3930 SFP module part numbers?

Can anyone tell me what part number a Ciena 3930 uses for SFP modules? I called fs.com and they weren't sure, but were going to have an engineer check. I've heard that they will work with ProLabs XCVR-000CRJ, but I really would like to find an SFP module that will work with what we need... The scenario is an AT&T circuit to a Ciena 3930 with fiber handoff to us; the Sophos XG125 firewall doesn't have an SFP port so we're using a media converter... I know, I know... media converters... but it's what I've got in this situation.

Anyone have any insight into this? Anyone have a specific media converter/sfp module they know works with a 3930? I found an old thread with this same issue, but, I need LC to LC sfp modules, no SC...

( https://www.reddit.com/r/networking/comments/5feduk/fiber_converter_question/ )

I tried this media converter:

https://www.amazon.com/Converter-SFP-Transceiver-20KM-ipolex/dp/B0716XT1QT/ref=sr_1_7_sspa?ie=UTF8&qid=1524763716&sr=8-7-spons&keywords=10gtek%2Bmedia%2Bconverter&th=1

but, going from the SFP module that came with the Ciena to the SFP module that came with the media converter, no luck. Do you think if I had matching SFP modules that would help?

I'm thinking about getting this media converter:

https://www.amazon.com/StarTech-com-Gigabit-Ethernet-Fiber-Converter/dp/B011KH1TTC/ref=sr_1_3?s=electronics&ie=UTF8&qid=1524763639&sr=1-3&keywords=startech+media+converter

My reasoning being that the startech one in the thread I mentioned earlier seemed to work for the OP of that thread...but he was using SC sfp modules that weren't multimode...

I wish I could just change the handoff from the Ciena to us from fiber to cat5/6 but AT&T basically said to do that we need to cancel and reorder the circuit... even though the Ciena 3930 can do it by simply changing a setting... such BS...

Any insight is greatly appreciated.



Easy most likely dumb network question

Hello everyone, I have a small problem with some of the PCs at my small company. I'm using a single "server" PC to store all the installation files necessary to update our accountability programs.

The issue:

Some of the PCs are not connecting to the "primary?" wifi, they're connecting to "accountability 2". Is this caused by reaching the limit amount of computers in "accountability 1?"? I don't even know if that is possible and it only happens to wireless connected PCs/laptops. Most devices are connected to "accountability".

A quick glimpse at the subreddit rules shows no rule breaking with this post.



Help iptables

Hello, Having those few lines.. Would you say that is a machine acting as a server or as a client? Do you detect any error on the configuration?

iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
lan = "192.168.1.0/24"
www = "eth0"
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -s $lan -o $www --dport 80 -j ACCEPT
iptables -A OUTPUT -p udp -s $lan -o $www --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -s $lan -o $www -j ACCEPT
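The server-or-client question and the "any error?" question can both be answered mechanically by reading the rules rather than running them. Below is an added example, not code from the original post: a small linter in Python that parses an iptables shell script, records the default policies, decides whether any INPUT rule can admit a NEW connection (server) or only replies and loopback (client), and flags two common mistakes that appear in the posted lines: shell variable assignments written with spaces around `=` (the shell then tries to run `lan` as a command, and `$lan` expands to nothing) and a narrow rule that a later, broader rule with the same target already covers. `SAMPLE` is the posted ruleset reproduced as a constructed script; the `lint_script` and `parse_rule` names are the example's own.

```python
"""Lint a small iptables shell script: extract the default policies, decide
whether the ruleset behaves like a server (accepts new inbound connections)
or a client (only replies get in), and flag common mistakes.  Added example,
not from the original post; SAMPLE is the post's ruleset reproduced as a
constructed script, with the two variable lines kept exactly as posted."""
import re
import shlex

SAMPLE = """
iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
lan = "192.168.1.0/24"
www = "eth0"
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -s $lan -o $www --dport 80 -j ACCEPT
iptables -A OUTPUT -p udp -s $lan -o $www --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -s $lan -o $www -j ACCEPT
"""

ASSIGN = re.compile(r'^([A-Za-z_]\w*)(\s*)=(\s*)(.*)$')
CURLY = '\u201c\u201d\u2018\u2019'          # smart quotes pasted from a document
MATCH_KEYS = ('-p', '-s', '-d', '-i', '-o', '--dport', '--sport', '--state')


def parse_rule(tokens, variables):
    """Turn 'iptables ...' tokens into {'chain':..., '-p':..., '-j':...} or,
    for '-P', {'policy': (chain, target)}; None for flush/delete lines."""
    rule, i = {}, 1                          # tokens[0] is the word 'iptables'
    while i < len(tokens):
        tok = tokens[i]
        if tok in ('-F', '-X'):
            return None
        if tok == '-P':
            return {'policy': (tokens[i + 1], tokens[i + 2])}
        if tok == '-A':
            rule['chain'] = tokens[i + 1]
            i += 2
        elif tok in ('-j',) + MATCH_KEYS:
            value = tokens[i + 1]
            if value.startswith('$'):                     # expand $lan, $www
                value = variables.get(value[1:], value)
            rule[tok] = value
            i += 2
        elif tok in ('-t', '-m'):                         # table / match module
            i += 2
        else:
            i += 1
    return rule


def admits_new(rule):
    """True if the rule can accept a NEW connection (no conntrack restriction)."""
    state = rule.get('--state')
    return state is None or 'NEW' in state


def lint_script(text):
    variables, policies, rules, problems = {}, {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if any(c in line for c in CURLY):
            problems.append(f'line {lineno}: curly quotes are not shell quotes')
            line = ''.join('"' if c in CURLY else c for c in line)
        assign = ASSIGN.match(line)
        if assign:
            name, before, after, value = assign.groups()
            if before or after:
                problems.append(f'line {lineno}: spaces around "=" make the shell '
                                f'run {name!r} as a command instead of assigning it')
            variables[name] = value.strip('"\'')
            continue
        tokens = shlex.split(line)
        if not tokens or tokens[0] != 'iptables':
            continue
        parsed = parse_rule(tokens, variables)
        if parsed is None:
            continue
        if 'policy' in parsed:
            chain, target = parsed['policy']
            policies[chain] = target
        else:
            rules.append(parsed)

    # A rule is redundant when a later rule in the same chain with the same
    # target matches a superset of its traffic: every constraint of the broad
    # rule is also present, with the same value, in the narrow one.
    for idx, narrow in enumerate(rules):
        for broad in rules[idx + 1:]:
            if broad['chain'] != narrow['chain'] or broad.get('-j') != narrow.get('-j'):
                continue
            broad_keys = [k for k in MATCH_KEYS if k in broad]
            narrow_keys = [k for k in MATCH_KEYS if k in narrow]
            if (len(broad_keys) < len(narrow_keys)
                    and all(narrow.get(k) == broad[k] for k in broad_keys)):
                problems.append(f'redundant: {narrow} is already covered by {broad}')

    inbound_new = [r for r in rules if r['chain'] == 'INPUT' and r.get('-j') == 'ACCEPT'
                   and r.get('-i') != 'lo' and admits_new(r)]
    return {
        'policies': policies,
        'rule_count': len(rules),
        'role': 'server' if inbound_new else 'client',
        'problems': problems,
    }


if __name__ == '__main__':
    report = lint_script(SAMPLE)
    print('policies:', report['policies'])
    print('role:', report['role'])
    for problem in report['problems']:
        print('-', problem)
```

On the posted ruleset the linter reports all three chains defaulting to DROP, classifies the host as a client (INPUT admits only loopback and conntrack replies, so nothing listens from the outside), and flags both assignments plus the `--dport 80` rule, which the final `-p tcp -s $lan -o $www -j ACCEPT` line makes unnecessary.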



Throughput limited by Cisco 2960 switch

I have a 300x300 fiber internet circuit. When testing directly to the ISP’s CPE using Speedtest.net and iPerf to HE’s public server using 40 parallel streams to saturate the link, I’m able to get 300M up and down.

I have a EdgeRouter Lite as my router. Eth0 is the WAN and Eth1 is my LAN. When testing directly to the LAN interface, I’m also able to achieve 300M.

Now on the Cisco 2960 switch, there are 2x 1G copper interfaces. When I connect Gi0/1 to Eth1 on the ERL and Gi0/2 to my test machine, I can now only get around 150M up and down when testing with Speedtest.net and iPerf.

My Speedtest latency is only about 2ms and the iPerf latency is about 18ms.

Obviously my switch is the bottleneck. I have a few more things to test such as a local iPerf test with two machines connected to each Gi interface on the 2960.

I won’t have a chance to do this for a few more days, but I was wondering what may be causing this? My interfaces on the 2960 are negotiating to 1000 full, and there are no errors incrementing on the counters. There’s no special configuration on these interfaces.

Am I missing something?



Looking to build and manage a public lab anyone interested?

Hey all, I'm looking to assemble a rough public lab for remote and local learning.

Give me a up/down if you'd be willing to subscribe to such a service, and the equipment you'd like to see.

I'll be posting a similar link on sysadmin.

May end up doing a GoFundMe or kickstart, but I do take crypto too.....

Give me your thoughts!

Depending on if I do open a fund we'll have support brackets. I've already got a sole proprietor company ready to go that I can wrap the lab in, and if funds are high enough I'd migrate the environment to a dedicated colo facility. Hands-on training would be allowed at a second site away from the service infrastructure. Cable requests would take a day or two at present due to existing gig work, but if this got big enough we could have it under 5 min on requests.

The lab would be for anything you could think of that's legal.

Mining would not be allowed. Tor would not be allowed.



AWS MPLS vs MPLS -> Direct Connect

Just wondering if anyone is currently utilizing an MPLS connection directly into AWS? We are developing a new product that is going to be located in the Virginia Region (primary) and the Oregon Region (backup).

Our business partner is going to basically be the PE and we are going to be the CE. They do not want to do AWS Direct Connect because apparently it is too hard for them; they would rather do MPLS.

We have a primary data center on the east coast and a backup (DR) in the midwest. We were going to take the MPLS into both data centers and on the back end have 4 Direct Connects (one into each region from each data center). I would then just route traffic back into MPLS to complete the connection.

Then my VP was wondering if we could just do MPLS directly into AWS and bypass Direct Connect entirely. I imagine we would just have a VPC that goes into either a CSR1000v or a vSRX. I have not done this before so I'm curious to see if anyone else has. I know AWS does it because I have a few PDFs, but I'm looking for people who are actually doing this in prod.



Link Aggregation for Video Editing (?)

Skip below to TL;DR if you don't care about the background.

Hi all, looking for some help to understand what's going on with my link aggregation. I'm the de facto IT guy at a small public access TV station (with my background more in video and audio engineering).

For those who aren't familiar, public access is basically the library for video: anyone can come in and check out cameras/equipment, use the studio, and/or edit in our community editing room - all free of charge. For that community editing room, patrons are currently logging into network accounts and storing archived files on our NAS. As of now, all the editing needs to be done locally on a SAN connected device (we use 2TB LaCie Rugged Thunderbolt bus powered drives). When someone comes into edit, they check out "their drive", which is shared among 4-6 people.

To avoid the scheduling nightmare of people sharing these drives, we've decided to take the step towards folks storing their edit on the NAS. The speed theoretically works, but rendering is a bit slow.

TL;DR

I'm looking to create a link aggregation from each computer to the NAS using the physical ethernet port and a thunderbolt ethernet adaptor. For some reason, I'm getting the same speed whether I'm using either of these connections or both of these connections (roughly 500/500Mbps for read/write). Why does creating a link aggregation not double my speed?

Late 2013 iMac running macOS 10.13

  • Gigabit Ethernet port

  • Thunderbolt Gigabit Ethernet adaptor

  • ^ bonded to theoretically create 2G connection

Late 2012 Mac Mini Server running macOS 10.12.6

  • 10G fiber connection to switch

  • Thunderbolt connection to RAID
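The reason a bond does not double one editing session's throughput is that LACP/802.3ad bonds place each flow on one member link, chosen by a hash of the packet headers; a single SMB or NFS session is one TCP connection, so every packet of it hashes to the same link. The following is an added example, not from the original post, that models this: the hash used by a real bond is implementation specific (a layer-3+4 5-tuple hash is assumed here), and all addresses, ports and the 1000 Mbit/s link rate are constructed sample values.

```python
"""Why bonding two 1 Gbit/s links does not give one file transfer 2 Gbit/s.
Added example, not from the original post.  LACP/802.3ad bonds pick one
member link per flow with a hash; the exact hash is implementation specific,
so the layer-3+4 hash below is an assumption, and all flows are constructed."""
import hashlib

LINK_RATE_MBPS = 1000          # constructed: one gigabit member link


def pick_link(flow, n_links):
    """Choose the member link for a flow (src_ip, dst_ip, proto, sport, dport).
    The same 5-tuple always lands on the same link, which is what keeps the
    packets of one connection in order; it is also what caps one flow at
    the rate of one link."""
    key = '|'.join(str(field) for field in flow).encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], 'big') % n_links


def simulate(flows, n_links):
    """Return (flows per link, rate per flow in Mbit/s), assuming each link's
    capacity is shared equally among the flows hashed onto it."""
    assignment = {flow: pick_link(flow, n_links) for flow in flows}
    per_link = [0] * n_links
    for link in assignment.values():
        per_link[link] += 1
    rates = {flow: LINK_RATE_MBPS / per_link[link]
             for flow, link in assignment.items()}
    return per_link, rates


def single_transfer_rate(n_links):
    """One workstation-to-NAS file copy is one TCP connection, i.e. one flow,
    however many links are bonded: its ceiling is one link's rate."""
    flow = ('10.0.0.21', '10.0.0.5', 'tcp', 52000, 445)   # constructed sample
    _, rates = simulate([flow], n_links)
    return rates[flow]


def links_used_by_clients(n_clients, n_links):
    """Many workstations (distinct source addresses and ports) do spread out,
    so a bond helps the NAS side serve several editors at once."""
    flows = [(f'10.0.0.{20 + i}', '10.0.0.5', 'tcp', 50000 + i, 445)
             for i in range(n_clients)]
    per_link, _ = simulate(flows, n_links)
    return sum(1 for count in per_link if count > 0)


if __name__ == '__main__':
    for n in (1, 2):
        print(f'{n} link(s): one transfer tops out at {single_transfer_rate(n):.0f} Mbit/s')
    print(f'40 clients over 2 links use {links_used_by_clients(40, 2)} link(s)')
```

The usual consequences follow from this: a bond raises aggregate capacity for many concurrent clients, while one client's transfer needs a faster single link (for example 10 GbE) to go beyond 1 Gbit/s.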



At what rate does the efficiency of the network drop when using hubs?

I am creating a network topology for a class and have to provide multiple scenarios in regard to the economic impact of the whole network. In the first scenario I was using switches to switch between the 8 hosts, but for the second one I need to use a hub for the same purpose. What is the efficiency drop and how can I measure it in terms of congestion, dropped packets etc. when switches are replaced with hubs?



Suggestions for phone system refresh?

Our organization currently runs Cisco voice for everything (CM, CCX, ER, UC). Our phones are 79xx and are failing at exponential rates.

Current environment:
- 500 7961G-GE
- 10 7962
- 25 7936
- Most phones use Line 1 and possibly Lines 4-6 for organization speed dials
- 30 or so phones use Extension Mobility
- All phones are PoE (except 7936)
- Skype for Business Hybrid configuration (not currently integrated with CM, but there is future opportunity)

I am hoping the community can offer feedback or suggestions on the following:
1. Cloud PBX/PSTN? Our organization has been slowly transitioning to more Microsoft cloud services and I am wondering if we should position ourselves for cloud voice services.
2. Cisco or Other? #1 might dictate whether we stay with Cisco or move to other vendors. Exchange might be able to replace Unity Connection (voicemail) and Skype for Business might be able to replace Contact Center Express (call queues, auto attendants).
3. New or Refurbished? I see a $1,000 new phone on CDW that is only $300 refurbished on third-party sites. If we stay with Cisco, should we purchase new or refurbished phones? We will not be adding the phones to SmartNet coverage, so is there a practical difference between new and refurbished?

Cost is the most important factor. SmartNet coverage is not cheap, by any means, and my general feeling towards Cisco is that they try to lock you in wherever possible. User acceptance could be a hurdle if we migrate to another system, but if the cost savings are significant enough I'm sure this could be tolerated.

I appreciate any and all feedback.



Simple render farm for Macs

Hi, apologies if this isn't the right place for this question. I have some Macs located near each other in an office. I want to connect them together via ethernet to share files quickly and form a small render farm. I also want the Macs to connect to the internet via a WiFi router. But the file sharing must not take place over WiFi. What is the simplest way to achieve this? Thank you!



catching loops on non-managed switches

https://imgur.com/a/ZzfmxD5

Hello,

I wonder if someone can help me out with a HP Procurve -> layer2 switch situation.

I have to put up with some users plugging cheap layer 2 switches into our network. Ideally I would just stop them right there and disable the port, but I'm not allowed to.

If a loop is created on the cheap non-managed switch, loop-protect doesn't stop it.

Do you guys know of any HP procurve commands that can detect the downstream loop and disable the port?

PS: in the case of a loop, I am OK with shutting down that segment of the net.

TIA



WLC 5508 Load Balancing

We use a 5508 controller in our network environment. My question is about load balancing policies on the controller. I see where load balancing is set, and ours is at a default Client Window Size of 5 and a Maximum Denial Count of 3. My question, which I can't seem to find in Cisco documentation, is: is this setting turned on globally, or does it have to be enabled per WLAN? We have 3 WLANs and none of them have load balancing turned on. Any help would be appreciated! Thanks!



Shaping yourself for the future of network engineering

I have been a network engineer for a few years and work at a large company that has many different silos for different technologies. For example my department deals with engineering anything networking below firewalls. Those are handled by a dedicated IPS department that I work very closely with. My question for anyone willing to answer would be, how should I be shaping my expertise in order to stay valuable in the job market? I have a couple years prior experience as a systems administrator at a very small company where I did everything, so I at least have working knowledge of all other technologies. Should I be going outside my current job description to master firewalls? Polish up my scripting abilities? concentrate on server infrastructure, and virtual networking? I am very happy at the job I am at now, but you never know what would happen, and I want to keep myself current and viable. Thoughts? Experiences?



Different Port QoS on C6.5K VS-S720-10G Module with VSL

Hello,

I've got a question regarding different QoS policies on a VS-S720-10G Module which also hosts a VSL.

Setup:
  • 2 x Catalyst WS-C6509-E (IOS 12.2(17r)SX7) with a VS-S720-10G Supervisor Engine and a VS-F6K-PFC3C submodule as VSS
  • The Te2 interface is used as a Virtual Switch Link (the other is located on a WS-X6708-10GE module), Te3 is used as an L3 interface.
  • Gi1 is used for Fast Hello Dual-Active Detection in the VSS
  • Gi2 and Gi3 are not in use.

I would like to use Gi2 as an L3 interface with a set of QoS rules (WRR). From my understanding a special QoS is needed for the VSL ("no mls qos channel-consistency") and the Cisco documentation states that "Port-based queue types are determined by the ASICs that control the ports"[1]. The only thing I could find out is that "The Supervisor Engine 720 features the PFC3, which is equipped with a high-performance ASIC complex"[2].

I'd like to know if the Gi2 interface is served by another ASIC and therefore can be configured with different QoS rules from the VSL interface Te1.

One more thing I found: "12.2(33)SXHI will allow diverse QOS configuration on the unused 10G port of Sup720-10G".[3] So would maybe upgrading to 12.2(33) help? Or does this only affect the 10G ports?

Thanks for any advice!

Sam

[1] https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/qos.html
[2] https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/product_data_sheet09186a0080159856.html
[3] https://www.cisco.com/c/dam/global/da_dk/assets/docs/presentations/VSS_0109.pdf



What’s the best way to distribute the bandwidth & client connections (in my scenario) on our network?

Our setup:

There is a coaxial line to a basic Arris modem. That Arris modem is connected to a board of coaxial that then has a main line feeding into the wall where Spectrum comes from.

As well, there is a 2nd coaxial that comes from the board of coaxial and goes to an Arris Surfboard. It's like a data modem to allow phones and internet to work once connected via the WAN Ethernet. So that Arris Surfboard has a single Ethernet WAN port, with an Ethernet cable that plugs into the Nighthawk router's WAN port, which allows the Nighthawk to provide WiFi and internet. Then the Nighthawk router has an Ethernet LAN cable that runs from it to the Cisco switch, and the Cisco switch then gets all the wired computers and phones working.

What I want to do:

is to somehow make that nighthawk router the one for the Cisco switch so that only the wired phones and computers use it. The nighthawk is securely passworded for connectivity and for the router login too. Then have a separate router, (I have a Mac airport express) that will be open without a password to be a public WiFi for everyone to get on.

I want to be able to distribute the network load equally without having too many clients on one router, so that it doesn't mess up and reboot, because today there were 60 connections on the Nighthawk at lunch and it had to be rebooted. Would I be able to get a Surfboard with 2 WAN ports and wire up the 2 routers from that? Because the Surfboard now has only 1 WAN port.

Or should I just upgrade the nighthawk router to something much better to help handle the traffic and client connections? Cause the connection is business standards and is 1 internal in and 1 external out. Right.



I'm trying to learn MPLS and have a basic question.

I have read through this: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l3_vpns/configuration/15-mt/mp-l3-vpns-15-mt-book/mp-cfg-layer3-vpn.html

Looking at the topology, how would routing/switching a private network over it work? Where are the IPs encapsulated? I'm confused because to me it looks like you'd have to send private IPs to the first hop off the customer premises.



nat loopback/hairpinning router list?

How am I supposed to know which routers support NAT loopback/hairpinning before buying one?

Any tips or routers that support NAT loopback would be greatly appreciated.



Any Catalyst 9x00 labs for writing/testing apps?

I have one or two ideas for IOS-XE hosted apps on Catalyst 9000 series that I want to try out. However I am a freelancer without access to devices. Anyone know if there are any labs out there that I can use for development purposes?

dcloud.cisco.com doesn't appear to have any Catalyst 9000s labs.



What exactly is a MIM? How do they work compared to a SIM?

As the title goes, I want to check whether any of the telecom vendors support MIM in my country. But I'm interested to know how exactly they are programmed by the telecom and whether there is any difference in operation.



Fiber VS Copper: racks interconnection in a pre-existing environment

Hi everybody, I run out of ports in an office room (solid cat6 from the main rack) , so I have to add some more... I have at least two different way to add them: - run 6-10 new cat6 cables for 65 meters each from the main rack to the room; - buy a new little wall rack (60€) for the room, run two cables (fiber or copper?) from the main rack to the new little rack of the room one and connect old and new room ports using the "old" cat6 pulled from the tubes (it's only 4 years old, perfect status).

I think that the solution with the satellite rack would be cleaner (there are already too many cables in the main rack with servers etc) and future-proof, and the cost would be similar: 300m of cat6 costs ~90€ vs 40€ for pre-terminated 4-strand SMF + 60€ for the little rack. I also think that running the backbone between racks in SMF would be much more future proof (both for bandwidth and diameter) than another pair of copper... what do you think about it?



Wednesday, April 25, 2018

Cisco 350x48 10GB ports

We recently added one of these switches on one of our floors. It has two 10GB Ethernet ports labeled XG1 and XG2 at the end of the switch next to the four SFP ports. Image here:

https://imgur.com/a/EWe0DXc

Is one of these suitable to use as the uplink back to the core switches? I assume they (or the SFP ports) were intended to be used as stacking ports. I can find no answers in the Cisco literature.

I tried it and it seems to work OK but I want to make sure I'm not heading for unseen consequences.

Thanks



ASA 5525-X SNMP not responding

Hey all. For full transparency, I posted this same question over on the Cisco firewalling forums earlier but haven't had a response yet. I figured I'd give /r/networking a shot too. Thanks in advance for any replies.

I'm trying to set up SNMPv3 on one of my production ASA 5525-Xs. From what I'm seeing, the ASA is never responding to the SNMP GET requests being sent from my NMS. I've also tried configuring SNMPv2c and have gotten the same result.

I am running ASA version 9.2(2)4 and ASDM version 7.3(1)101 on this device currently.

On this particular ASA, my network management subnet is associated with an interface called "P-Config". It is not using the "Management" port, but a regular gigabit Ethernet port. This interface is separate from my "Inside" interface. Additionally, the "Inside" interface is designated as the "Management Access Interface" in ASDM under "Management Access > Management Interface". As part of my testing, I have configured hosts in the "SNMP Host Access List" section of the SNMP config to use the "Inside" interface and the issue occurred on that interface as well. I am normally trying to set up the SNMP Host Access List entries using the P-Config interface. Both the "P-Config" and the "Inside" interface are security level 100.

On the P-Config interface, I have rules allowing UDP ports 161 and 162 from the network management subnet to my NMS and vice versa. I have also added a "permit ip any any" rule at the top of the ACL for the P-Config interface as part of testing. Unfortunately, none of these rules make a difference. Just in case it wasn't clear - the P-Config interface and my NMS are on the same subnet.

I have another ASA - a 5510 - that I use for testing purposes. It is running a similar code base, 9.1(5), and I was able to get SNMPv3 up and running for that device. It is communicating on my network management subnet and is using the same SNMPv3 credentials that I am entering into my production ASA. Same USM, same SNMP user, same SNMP user group.

Doing a wireshark packet trace from the NMS to the ASA shows SNMP GET packets getting to the P-Config interface on the ASA, but I never receive a response. And yes, I have turned on SNMP on the ASA. Using the Packet Trace tool in ASDM and from the CLI, when I trace with the Source IP set as the IP of the P-Config interface to the IP of the NMS, I get an ACL-drop response due to the "Implicit Deny" rule... even when I have the "permit ip any any" rule enabled at the top of my P-Config ACL.

Here is a sanitized version of my SNMP config (not including location, traps, etc):

snmp-server group snmp-asa v3 priv
snmp-server user nms snmp-asa v3 encrypted auth md5 HASH priv des HASH
snmp-server user-list snmp-grp-asa username nms
snmp-server host P-Config 172.x.x.x version 3 nms

At this point, I'm stumped. I've been through all the documentation, forums, blog posts, etc, I can find. I have an open case with Cisco TAC as well and so far they've been unable to find the problem.

Any assistance is appreciated.



Multi-homed routes took a new path to Level3 yesterday, preferring Century Link now.

We are multi-homed to Century Link and Cogent, both sides are burstable to 10GB, typically we would see a daily peak of about 1GB on Century Link and 1.7GB on Cogent. Currently billed at a base of 1GB on CL and 2GB on Cogent, so that has actually worked out very well for us as far as not seeing overage charges etc.

Yesterday, something changed.

Cogent was essentially carrying all of our Level3 traffic and CL was carrying a significant portion of everything else; as of 4:15 UTC yesterday AS209 took over as the path to all of AS3356 (Level3). Using the Level3 looking glass, AS174 doesn't even appear as an available path anymore. We are now seeing about 2GB on CL and 800MB on Cogent, so we are going to get hammered in overages from CL every month unless this changes back.

Not sure if this is related to the CL/LVL3 merger or if there is a peering issue with Cogent/LVL3 (which would not surprise).

We are connected to POPs in Pittsburgh. Not really looking for anything specifically here, just a bit of a gripe, although I would love to hear any thoughts if anybody knows why this happened or any information about the situation. Going to have to explain to management why our Internet costs just went up $20k/year if this maintains.

Edit - We are in Western PA and we connect to POPs in Pittsburgh for both CL and Cogent.



Sooooooooooooooooooooooo Level 3 issues?

Outages distro feed is buzzing with chatter on Level 3 outage(s) in Southern California, SLC area and NC. Ya'll see anything?



How do private Internets work if the main lines and the inbound/outbound switching centers are owned by big corporations losing ground to private internet?

Many of the undersea cables are owned by large corporations like Samsung, Vodafone etc. These days many communities & cities are creating their own wireless internet, but for the data to access something on the other continent it has to go through these cables eventually, so what's stopping these big corporations from stopping such data? Of course encrypted data can't be, but the end points of the packet are specified by the IP, so how do these small private community grids plan to operate?



Warehouse & Office Network

My company has been looking at me for upgrading their network infrastructure, but I've never done too much networking. A lot of the networking here has been done by someone who has moved to a different position, and they now have me as the dedicated IT person. Anything you guys think I should do or any recommendations would be awesome; I'm looking to improve my skills and become a better overall sysadmin.

Important Stuff:

  • 80,400 sqft Warehouse Building
  • 20,000 sqft Office.
  • About 10-15 Metal Racks - WiFi will need to be accessible from within racks.
  • 3 Zebra TC 1700 - For picking orders.
  • 15 Computers in Warehouse - Half of these are wired, half are on wireless.
  • 10 Computers in the Office
  • 5 Access Points - 1 in Office and 4 in the Warehouse. AC-Lite Access Point
  • Patch Panel runs about half of the office.
  • 16 Channel 1080 Camera System.

The main issue at the moment is the connectivity to the access points with the Zebra mobile scanners. The access points are right where they would be doing anything with network connectivity.

Switching and Routing Equipment:

  • Main Switch HP 1920-24G Networking Switch
  • Netgear Prosafe 16 Port 10/100 Switch - Server is connected to the main switch so we are already limited right there.
  • Netgear Gigabit Switch GS108
  • We have two other switches that are 100 that are only connected to a couple of those access points and 5 of the computers.

Heres my issues:

  1. The internet coming into the building is coming in over copper and we have the max twisted pairs coming into the building. We have another building that we are paying over $800/month for so that Frontier has a dedicated line going over to the other building. I'm going to be looking at a VPN solution for the other building to connect to this building. Unless there is something else I can do? Our internet connection is capped out at 20MB with the twisted pairs. I'm currently looking at upgrading or switching to cable; please advise on this?
  2. I also have an issue with the connectivity to the access points with the Zebra Mobile scanners they get random drops to the access points.

Please advise me on if there are any good upgrades to the system. I have a call with Frontier today about upgrading our internet. We are looking at upgrading switches if there are some good recommendations for 48 Port Switch to replace two in one room.



Configuring new brocade switches on a new c7000 bladesystem enclosure?

We are getting a new c7000 bladesystem with virtual connect and embedded brocade switches. The enclosure and virtual connect modules will be configured by someone else but I've been tasked with configuring the brocade switches. This will be a brand new switch config. I've configured new brocade switches before but this will be my first time doing it on a blade enclosure.

I assume the process is the same? Or are there a few differences?



How is ping actually measured?

So I have researched all I can find on ping and I cannot seem to find the level of detail I am looking for.

Basically I want to know if ping relies on NTP and system clocks on a network being in sync and just measures the difference between time sent and received, or if there is a specific method to how the ICMP echo requests and replies are measured so that a ping can be measured even if NTP is not working correctly and the times are not in sync?
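As an added illustration (not part of the original post): the sender writes its own clock reading into the Echo Request payload and, when the reply comes back, subtracts that value from the same local clock; the far end only copies the bytes back, so neither NTP nor the remote host's clock enters into the RTT (iputils ping on Linux embeds a timestamp like this; implementations that instead keep a send-time table keyed by sequence number get the same property). The ICMP header layout and RFC 1071 checksum are the real ones; `echo_reply` stands in for the remote kernel, and all sample values are constructed.

```python
"""How an ICMP echo round-trip time is measured without any clock sync.

Only the sender's clock is ever read: once when the Echo Request leaves,
once when the matching Echo Reply arrives. The responder never interprets
the payload, so its clock (synced or not) cannot change the result.
One-way latency, by contrast, WOULD need both clocks in sync.
"""
import struct
import time

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
HEADER_FMT = "!BBHHH"  # type, code, checksum, identifier, sequence number


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words.

    Over a packet whose checksum field is already filled in, the result is 0
    if and only if the packet is intact, which is how replies are validated.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, send_time_ns: int) -> bytes:
    """Echo Request whose 8-byte payload carries the sender's own clock reading."""
    payload = struct.pack("!Q", send_time_ns)
    header = struct.pack(HEADER_FMT, ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack(HEADER_FMT, ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def echo_reply(request: bytes) -> bytes:
    """Constructed stand-in for the remote host's ICMP stack.

    It changes the type to Echo Reply, keeps identifier, sequence and payload
    byte-for-byte, and recomputes the checksum. It never reads its own clock.
    """
    _, code, _, ident, seq = struct.unpack(HEADER_FMT, request[:8])
    payload = request[8:]
    header = struct.pack(HEADER_FMT, ICMP_ECHO_REPLY, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack(HEADER_FMT, ICMP_ECHO_REPLY, code, csum, ident, seq) + payload


def is_valid_reply(reply: bytes, ident: int, seq: int) -> bool:
    """True when the reply is intact and matches the request we are waiting for."""
    if len(reply) < 16 or icmp_checksum(reply) != 0:
        return False
    typ, _, _, r_ident, r_seq = struct.unpack(HEADER_FMT, reply[:8])
    return typ == ICMP_ECHO_REPLY and r_ident == ident and r_seq == seq


def rtt_ms(reply: bytes, ident: int, seq: int, recv_time_ns: int) -> float:
    """RTT in milliseconds: local receive time minus the echoed local send time."""
    if not is_valid_reply(reply, ident, seq):
        raise ValueError("corrupted or unexpected ICMP reply")
    (send_time_ns,) = struct.unpack("!Q", reply[8:16])
    return (recv_time_ns - send_time_ns) / 1_000_000


def simulated_ping(ident: int = 0x1234, seq: int = 1) -> float:
    """One full round trip using the local monotonic clock (also immune to NTP steps)."""
    t_send = time.monotonic_ns()
    request = build_echo_request(ident, seq, t_send)
    reply = echo_reply(request)  # the 'remote' side: no clock involved
    t_recv = time.monotonic_ns()
    return rtt_ms(reply, ident, seq, t_recv)


if __name__ == "__main__":
    print(f"simulated RTT: {simulated_ping():.3f} ms")
```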



What tech magazines are you reading??

I am currently working on a CCNA and wanted to keep up with the latest developments in IT, especially networking. I am aware of many publications that address technology developments but wanted to know which you guys thought were the most worthwhile.



Cisco IWAN DIA with CWS - Is Cloud Web Security replaced with Umbrella?

Trying to work out if the CWS integration for DIA with IWAN is to be replaced with Umbrella branch since CWS has been EoL for a while.

My client is going to need to migrate from Webroot DWP by October but I wasn't aware of the EoL notice on CWS until recently. Yet, as far as I can see, CWS and Umbrella are not working at the same layers or solving the same problems.

Does anyone know the path for IWAN DIA for customers who already implemented CWS on ISRs for centralised security policy management?



SFP+ to Laptop

I found this post from a few years ago.

Besides using something like a JDSU tester, has anybody used a laptop with thunderbolt and maybe an external PCI enclosure with a 10G SFP+ adapter?

I need something somewhat portable for testing 10G connectivity to the Internet as well as iperf to a server in my core. (We are a service provider)

Any recommendations on hardware for this?



Need a network visual aid

Everything I can find actually makes VMs for all the network devices, unless I'm overthinking things, that doesn't sound like what I want.

Trying to set up a visual aid for a new network setup so I can better plan things. I don't even need simulated traffic flow, although it would be cool. I literally just want something where I can say "generic firewall" connects to "generic/cisco switch 1" and visualize how the network is physically connected.

TL;DR I want something (preferably free) that visually looks like the cisco network simulator but I don't need anything crazy like vm's to truly simulate the traffic.



Cisco ACI - Spine - IPN Connectivity

Hi Guys,

I know there are quite some ACI experts here. I am in the process of putting the final touches on the multi-pod design.

I have a question about the connections from the spines towards the IPN devices. Every Cisco example uses single connections or a 7K with separate VDCs.

I would want to use redundant connections, because i will have 2 IPN devices per data center.

So this means Spine 1 and Spine 2 will have 4 physical cables towards the 2 IPN devices. But since the spines will have to peer OSPF to the IPNs, I presume I can configure all those 4 physical ports as 1 route peering to the IPN, or how does that work? Because from the IPN devices (not in the fabric) that would be a L3 port-channel per IPN back towards the Spine.

And since the IPN devices will be Nexus 9Ks in NX-OS mode, can we configure a vPC towards the ACI for IPN to Spine connectivity? Last time I read something that peering L3 across a vPC can sometimes lead to mistakes in the hashing of the traffic.

That's a bit fuzzy to me.



ASA 5525 - is it possible to specify multiple NPS servers for VPN access?

As title says. Does ASA 5525 allow for this, or is it just one IP? I'm planning a cutover to a new NPS server, and wondered if I can configure it to work in tandem for VPN access.



How many IPS hits do you see?

I am relatively new to the Network Admin role and I am curious about IPS events hitting our firewall. We have 2 physical sites with a watchguard M series firewall at the edge of each. In the daily summary reports for both I am noticing between 3 and 10 IPS detections listed. This has been consistent over the past couple days. The report states they have been stopped but I am curious if this is something that I should be panicking over. How many IPS events do you normally see on a weekly basis?



Layer 2 Fiber link having odd issues with VLAN 1 from Service Provider

Hoping you guys might be able to provide some insight on what the ISP is doing in this case that might be causing my problem.

So we use Cisco and have VLAN 1 as our native VLAN (I know shitty practice). We recently got a Layer 2 Fiber Uplink to a remote office. We realized DHCP isn't working across the link but routing works fine and all the correct IP Helpers on the SVI are added.

We have a redundant (different provider) link that works normally at this site and is also Layer 2 fiber up link. The only difference is that it is a direct fiber hand off and the link that is giving us trouble is using a fiber to Ethernet hand off.

After some troubleshooting with the provider and running a packet capture on the trunk link, I discovered any kind of broadcast would come up with "Ethernet Frame Checksum Errors". If you google this you get a lot of generic responses saying it's just a Wireshark error and to filter it out. As I dug deeper into the issue I noticed that STP is not working for VLAN 1 as well, but for other VLANs it works normally (pointing to our core switches as the root); VLAN 1 seems to point to itself as the root. In the packet capture all the STP frames for VLAN 1 are bigger (94 bytes vs 64 bytes for the other VLANs) and they also come up with the Ethernet Checksum Error. I noticed that a lot of the broadcasts are VLAN 1 related or somehow leverage it in some capacity. I worked with the SP on this and sent them all the packet captures and they did some monitoring on their end, but they have not been helpful at all and tried some meaningless tests. I feel like they are doing some kind of extra tagging or filtering out VLAN 1 in some way, but they keep denying this and saying tagged and untagged traffic should pass normally. Q-in-Q is not needed per the ISP. I requested they remove the Ethernet hand off and just use direct fiber and also open a case with their equipment provider, because somewhere along the line this is not working properly on their end.

Anyone ever experience something like this or have an idea what the SP is doing? I feel like they are not giving me the full story. They are a small SP and after speaking with some of their onsite techs it seems this fiber to Ethernet hand off thing is new for them and they are apparently trying to not do fiber-only hand offs.

In the meantime I am looking into other SPs for this service. Their support has been really unhelpful.



Multiple VMs across different segments in one VM box

Hi all. Noob question here.

My DC has an internet-facing Tier 1 firewall and an internal-facing Tier 2 firewall. Each firewall is the gateway to certain segments. As part of the DC transformation, lots of the servers are being consolidated into VM boxes.

My worry is that VMs in one box are coming out of 1 NIC card going to a segment where the Tier 1 firewall is the gateway and another NIC card which goes to the segment where the Tier 2 firewall is the gateway.

Is there any risk to putting Tier 1 and Tier 2 segments in 1 box? Are individual NIC cards like individual PCs on their own network that will never interfere within the box? Will VMs interact with each other in the same box?

Thank you reddit in advance.



Cisco port forwarding issue

Greetings,

When I open a port on a Cisco router C892FSP-K9 with

ip nat inside source static tcp 192.168.1.100 22 interface Loopback0 22

Loopback0 is public IP

I have management interface that is not part of the port forwarding and even in different VRF.

But still, if I connect to the router on the management IP that is on that different interface on the router, I will get forwarded to 192.168.1.100.

So pretty much by forwarding port 22, I have disabled my ability to connect to the router with SSH.... anyone know how to avoid this?



How do you manage SNMP traps

What do you use (and like) to display and manage the important, and filter out the not so important snmp traps?



Dhcp snooping problem with Avaya IP phone

Turning up a new site with a 2960x stack of 4. 10G uplink back to core switch. Decided to enable Dhcp snooping for the users vlan and tested my pc but it couldn't communicate to the core so I did the no ip dhcp snooping information option and that did the trick.

However, Avaya phone boots and picks up the voice vlan but returns a -1 when downloading the settings then goes into discover.

Turning off dhcp snooping fixes it. Anything I'm overlooking for the phones to work with dhcp snooping?

EDIT: Trunk is a trusted port.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Do you feel there’s a trend towards moving complexity off of the network and onto the hosts?

To me it seems that making a medium to large enterprise network work requires a lot of different features. In the past most of these features lived on the switches and routers, and hosts were dumber, and we made the magic happen.

But I’ve kind of felt like there’s a trend to move those features and complexity onto the hosts until we’re left with a simple network.

Just some small examples: I remember a time when our systems guys always wanted LACP port channels. Now they just want stand-alone ports and they do NIC teaming that's independent of our switch.

Also I read in another thread here that the OP's sysadmin guys want to run Hyper-V network virtualization, which is basically switch-independent VXLAN... not sure how that works, but it seems to move the complexity of VXLAN completely off the routers/switches and onto the hosts.

Another good example is multicast. You used to have to configure PIM for stuff like iptv, media conferencing, and music on hold. Now you can easily run all of those with zero multicast routing... because vendors started coming out with media servers that basically act like rendezvous point and abstract multicast into the application layer.

It seems like after a point networks won't have rich features and complex configuration to make stuff work any more. Or it's like the server guys said screw you to the network team and can do most of their stuff on the hosts without our help anymore.

Anyone else notice this, or is it just me?



Help? Trying to figure out a project

Let me start off with, I am not a networking guy by trade, but I do work in the IT realm. I know enough to get into trouble, and that's where I'm currently at.

I am part of a statewide emergency communications team. One of our duties is providing internet and VOIP services to public safety agencies during disasters. We have multiple vehicles and trailers that currently have separate small office type networks on their own (non-standardized) /24. As we add more server type services to our units, I thought it would be a good idea to start standardizing some of these networks so we could tie into the servers from other units while we are deployed together.

My original plan was to set up a /16 across all the units, with each unit utilizing the space of a /24 (but still set to a /16). Then, if we bridged any two or more networks with a switch, clients on one unit would see the servers on the other, and vice versa. The downside to this is there would be two or more DHCP servers that may answer. Their address space would not overlap, though. It's still not a very elegant solution.

Someone then suggested RIP. But looking at it, I can only configure it on one of the WAN ports on our router. Because of NAT, I don't think this, by itself, would help us. Clients on network A could see the router of B, but not the clients on B's subnet (assuming I'm understanding RIP and how it works with NAT correctly).

I was then thinking I could combine RIP with a static route, but again, I know just enough to get myself in trouble with static routes. My understanding is I could set 10.10.1.1 255.255.0.0 with a gateway of 0.0.0.0 pointed at the WAN port RIP is on. If my local subnet is 10.10.1.0 and I wanted to go to 10.10.2.2, it would route it out through my specified WAN port which, with RIP, would be set up to deliver the packet to a router at 10.10.2.1, and then to 10.10.2.2 that sits behind it.

Would this work, or should I stick to the kludge of putting all the units on 10.10.0.0/16 and deal with the multiple DHCP server issue? My biggest hurdle is this network needs to be adaptable, because we don't know in advance what other units will be there, and the routers we have won't allow enough static routes for one for each unit.



Question on network bandwidth

We are an office of 8 people. Almost all of the people working at the office listen to music (even from YouTube videos) with earbuds while working. Company policy allows listening to music.

However, we have a problem. With all this music activity on the network, our Nextcloud, installed on an unRAID server, gets pretty slow, which is unacceptable. When I test Nextcloud when people are not at the office it is pretty snappy.

Some info on basic components:

  • Gigabit switch (3com Baseline Switch 2928-SFP Plus) and gigabit network
  • An old OpenWRT router (Netgear WNDR3700)
  • A PoE switch for 8 IP cameras. This switch and the recording device are connected to the 3com switch.

Do you think employing QoS for unRAID at the router level will help? Or is QoS just for sharing the internet, not for LAN bandwidth? Could this problem be due to the weak router we use? If so, does installing pfSense help? Or any other advice?

Thanks for your support.



Tuesday, April 24, 2018

What does this WCCP do and is it fully configured on my router? I can only see being part of DMVPN.

The below is my full config on WCCP.

interface Tunnel0
description DMVPN
ip address 10.255.14.1 255.255.254.0
no ip redirects
ip mtu 1400
ip wccp 62 redirect in

sh access-l WAAS-REDIRECT-LIST
Extended IP access list WAAS-REDIRECT-LIST
10 deny tcp any eq telnet any
20 deny tcp any any eq telnet
30 deny tcp any eq tacacs any
40 deny tcp any any eq tacacs
50 deny tcp any eq bgp any
60 deny tcp any any eq bgp
70 deny tcp any any eq 123
80 deny tcp any eq 123 any

#sh run | i wccp
ip wccp 61 redirect-list WAAS-REDIRECT-LIST
ip wccp 62 redirect-list WAAS-REDIRECT-LIST
ip wccp 62 redirect in



LDAP and SMTP from DMZ to LAN

Is this safe? My boss wants to enable AD user authentication and email generation from public facing FTP server in DMZ to LAN. I could just open up those specific ports to specific ip address but I'm not sure from a security standpoint if that is best practice.



UPDATE: Do iBGP speakers advertise their update source to neighbors?

Link to previous post.

Quick refresher: iBGP neighbors peered loopback-to-loopback in the usual fashion aren't advertising their own loopback address (their update-source) to their neighbors. Is this normal?

The consensus in that thread was:

  • Wanting the update-source advertised to peers is a reasonable thing to want.
  • Other platforms don't surprise in this regard.
  • Maybe it's a bug.
  • Call Palo Alto TAC.

The answer (drumroll please)...

It's a feature.

Transparently dropping your own peering address[1] from BGP advertisements was added to PAN OS around version 6.1. This was added to the code to prevent tunnel recursion problems[2].

So that's... Weird. Without revised software I'll need to provision extra loopback IPs on each box, just for BGP to use. Then do all of my normal management stuff using other addresses.

This should be fun for the next guy to figure out.

[1] This may only apply to loopback interfaces and iBGP peers. The wording in the internal writeup wasn't clear about exactly how to trigger the feature.

[2] Fixing a recursion problem this way is a super weird choice IMO. I'd much rather have all the rope required to hang myself, plus the tooling to protect myself.



DCI and MPLS Question

This might be a really stupid question but for whatever reason, I cannot find a straightforward answer. Do DCI solutions like EVPN require MPLS or can it be done over regular IP connections? I always see the layer 2 over layer 3 solutions referenced alongside MPLS. The DCI side is a bit new to me so I'm just looking for some clarification.



Layer 2 Filter Outbound

Running into a problem where an AP needs to broadcast a message on a segment to communicate with its controller. However, I want this broadcast message filtered out on that segment to the devices it's not supposed to go to. It's a bit dirty doing some sort of outbound layer 2 filtering, but since it's a broadcast frame, I can't filter based on some sort of inbound mac-acl where the AP is connected. However there doesn't appear to be an option to do outbound mac-acl filtering. What other options do I have?



Cisco SG350X-48P stacking question

I am having a hard time finding how the stack works on the SG350X series of switches

The SG350X-48P has 4 x 10G SFP+ ports. The last 2 can be used for stacking

Does that mean I can stack 2 x SG350X-48P’s together, and then have 6 x SFP+ Ports left over for devices? That would make the stack link 10GB

I would assume so, however I could also see them being reserved for stacking once it's in a stack.

So, does that then mean that I would connect both of them, giving me a 20G stack link and have 4 x SFP+ ports left over total?

The Cisco documentation for the SG series seems a bit lacking...



Packet analysis

Greetings everyone! I am looking for suggestions on which vendor to look at when it comes to packet capturing and analysis. I am working with a financial organization that moves traffic at 10Gbps at a minimum and 100Gbps as a max. I need the ability to gather historical data for at least a few days to analyze packet drops and do capacity planning. NetScout has some offerings but I'm looking to compare.



HyperV Network Virtualisation - VXLAN

I've recently started working at an MSP and the systems architect wants us to implement Microsoft Hyper-V Network Virtualisation as per Microsoft's design guide below on a new platform:

https://docs.microsoft.com/en-us/windows-server/networking/sdn/plan/plan-a-software-defined-network-infrastructure

I'm not experienced with VXLAN but this solution seems to involve running the HyperV hosts as the 'VTEPs' rather than running the VTEPs on the network equipment, using BGP as an underlay. It seems to have a software based controller that determines if the frame needs to be encapsulated and sent to another VTEP (via the HNV VLAN) or if it's external traffic that should be forwarded directly to the (transit network) gateway with no VXLAN encapsulation.

If this is the case, what are the benefits of running VXLAN on our network equipment, or is there something fundamental that I am misunderstanding here? I can see how Microsoft's solution may work within one DC but don't see how this would be scalable across two or more DCs. It would also need to communicate into a VMware environment so I'm concerned about interop there.

I'm trying to put together a justification for buying VXLAN-capable network equipment, which is proving difficult as the systems architect is stating that it's too expensive and not worth the cost when we can run it on the hosts. Has anyone else run into these kinds of arguments, and how did you justify the expensive network kit to management?



Cisco Stratix Switches

Does anyone have any experience with Stratix switches? Looking at a config, it looks like they just run IOS. I'm curious if anyone has some feedback, good/bad/neutral, best practices, etc.



Are there any copper sfps that can handle 10g over a distance of 200 feet?


Cisco IOS MAB - How exactly does it learn the MAC addresses?

I know, the question sounds dumb - of course it learns the MAC addresses from the source MAC of the frames it receives. That's not quite what I'm asking.

I know that when the switch receives a frame, it records the source MAC address into the CAM table, for that port/VLAN. Got it.

When the MAB process is executing, it uses the known MAC address to authenticate. What source does MAB use to determine the MAC address? Does it look in the CAM table for the MAC addresses on that port? Or does it require an actual frame to enter the switch before it can begin the MAB process?


Consider this scenario:

  • 802.1x/MAB reauthentication timer is 1 hour.
  • MAC address inactivity timer is the default of 5 minutes.
  • MAB passed successfully at 4:00:00.
  • The device sends its last frame at 4:56:00, then goes to sleep for ten minutes
  • At 5:00:00, the switch begins reauthentication.

If the switch uses the CAM table, it still has an entry for the device, and can authenticate the device, and it will reauthenticate at 5:00:00 (+/- some seconds)

If the switch requires an actual frame, the port will unauthenticate at 5:00:00, and remain unauthenticated until 5:06:00 when the device sends its next frame. This means the device was 'down' for six minutes.


Thoughts?



Hijack of Amazon’s internet domain service used to reroute web traffic for two hours unnoticed

This originally looked like a DNS issue, then a route leak, and now it's thought to have been a man in the middle attack mounted from within an Equinix data center in Chicago. We had a lot of customers with issues this morning.

Here's an article on it with more information.