Saturday, June 2, 2018

Getting FIN,ACK outside of a connection on Amazon Dot devices but not other devices.

I have used iptables to log the number of FIN,ACK's outside an existing connection. The FIN,ACK's only occur on my Amazon Dots and not on my Harmony Hubs or other devices.

Before I show the iptables -nvL FORWARD output I would like to mention that I am using a Raspberry Pi as a repeater for my home automation (HA) devices. In other words, all of my HA devices are Wi-Fi attached to the Raspberry Pi, running Raspbian Stretch, and the Pi is Ethernet port connected (i.e., hard wired) to my home router.

Here is a link to the iptables -nvL FORWARD list output:
https://drive.google.com/open?id=16w5U2_BkCapyf5aKO22hva7L2wS-PRNN
or
https://pastebin.com/fLuP1msU

Now, what I am going to say should NOT be assumed to be 100% correct because,... well.... I make mistakes. I contend that the FIN,ACK's are outside of a valid connection because they are not picked up by previous rules in the iptables setup. The rule I contend that picks up the connection-less FIN,ACK's is nearly the last rule and starts with
3870 155K ACCEPT tcp -- wlan0 eth0

You will notice that, in this rule, I limit the rule to the address range of my Amazon Dot's which are defined in the first few rules.

So, am I interpreting correctly that my Amazon Dot's are attempting to respond with a FIN,ACK over a non-existent connection? If so, is there an issue with the Amazon servers or the Amazon Dot TCP stack? Also note that I do not see any of this connectionless FIN,ACK on the other devices on the same Raspberry Pi.

Thanks



Running Data Center replication and storage traffic across a stateful/IPS firewall

Having trouble finding case studies on this. I’m sure most are going to say “don’t” but I’m trying to do due diligence to find case studies or example of why not, or how bad it would be to do so.

The preamble is trying to eliminate private links and use the Internet as the sole inter-dc transport.



Any other Specifications Optimizing for 100G singlemode optical transceivers to fit data center requirement ?

100G single-mode transceivers are typically produced in lower volumes for the telecommunications market, which has a demanding set of performance requirements, from utoptic.com:

Link lengths of 10 km and over.

DWDM and LAN-WDM require active cooling.

Support for a wide range of case temperature ranges

Service lifetimes, sometimes in excess of 20 years, that require hermetic packaging to withstand potential prolonged harsh environmental conditions.

Deeply analyzing these factors, the specification is optimized to fit data center requirements by reducing the reach and link budget and decreasing the temperature range and lifetime warranty.

Any other Specifications Optimizing for 100G singlemode optical transceivers to fit data center requirement ?

Any insight will be appreciated !



Private address in trace to google DNS?

Hey all,

I'm pretty green, but I thought it was weird to see a private class A hop half way through my trace route.



Recommend

If you want to buy Cisco products, I recommend you choose 10gtek, which is a professional company established many years ago. I always buy fiber optics there; not only is it cheaper, but the service is good.



Friday, June 1, 2018

Is it breaking a rule to have RFC1918 IP addresses visible to the Internet? Here's a traceroute to a public IP address...

C:\Users\tomdzu>tracert 162.245.240.129

Tracing route to h240129.basinbroadband.ca [162.245.240.129] over a maximum of 30 hops:

1 2 ms 7 ms 3 ms 10.0.28.254

2 * * * Request timed out.

3 1 ms 1 ms 1 ms h72-2-59-114.columbiawireless.ca [72.2.59.114]

4 24 ms 6 ms 7 ms 172.27.15.138

5 8 ms 8 ms 7 ms 172.27.15.25

6 24 ms 24 ms 24 ms 172.27.9.186

7 24 ms 24 ms 24 ms 172.27.9.194

8 24 ms 24 ms 24 ms 172.27.9.202

9 24 ms 26 ms 24 ms 172.27.9.210

10 27 ms 27 ms 31 ms 172.27.9.218

11 24 ms 24 ms 29 ms 172.27.9.226

12 24 ms 24 ms 24 ms h240129.basinbroadband.ca [162.245.240.129]

Trace complete.

C:\Users\tomdzu>
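As an added example (not part of the post above), here is a small Python parser that walks Windows tracert output like the one quoted and flags the hops that answered from RFC1918 space; the sample text is the post's own trace, embedded as constructed input. An RFC1918 address on a transit hop is just the source address of that router's ICMP time-exceeded reply, which providers often take from private space for internal links, so the parser reports such hops without treating them as an error.

```python
import ipaddress
import re

# Constructed input: the tracert output quoted in the post above.
TRACERT_OUTPUT = """
Tracing route to h240129.basinbroadband.ca [162.245.240.129] over a maximum of 30 hops:

1 2 ms 7 ms 3 ms 10.0.28.254
2 * * * Request timed out.
3 1 ms 1 ms 1 ms h72-2-59-114.columbiawireless.ca [72.2.59.114]
4 24 ms 6 ms 7 ms 172.27.15.138
5 8 ms 8 ms 7 ms 172.27.15.25
6 24 ms 24 ms 24 ms 172.27.9.186
7 24 ms 24 ms 24 ms 172.27.9.194
8 24 ms 24 ms 24 ms 172.27.9.202
9 24 ms 26 ms 24 ms 172.27.9.210
10 27 ms 27 ms 31 ms 172.27.9.218
11 24 ms 24 ms 29 ms 172.27.9.226
12 24 ms 24 ms 24 ms h240129.basinbroadband.ca [162.245.240.129]

Trace complete.
"""

# The three RFC 1918 private ranges, checked explicitly rather than via
# ipaddress.is_private (which also covers loopback, link-local, TEST-NETs, etc.).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A hop line starts with the hop number; the rest is the RTT columns plus the responder.
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")
BRACKET_IP = re.compile(r"\[([0-9a-fA-F.:]+)\]\s*$")


def parse_hops(text):
    """Return [(hop_number, responder_ip_or_None)] from Windows tracert output.

    The responder is the address in trailing [brackets] when a hostname resolved,
    otherwise the last token if it parses as an IP address; timeouts yield None.
    """
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # header, footer or blank line
        hop, rest = int(m.group(1)), m.group(2)
        br = BRACKET_IP.search(rest)
        if br:
            ip = br.group(1)
        else:
            last = rest.split()[-1]
            try:
                ipaddress.ip_address(last)
                ip = last
            except ValueError:
                ip = None  # e.g. "Request timed out."
        hops.append((hop, ip))
    return hops


def is_rfc1918(ip):
    """True if ip is an IPv4 address inside 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def private_hops(text):
    """Hops whose responder address is RFC1918 space."""
    return [(hop, ip) for hop, ip in parse_hops(text) if ip is not None and is_rfc1918(ip)]


def summarize(text):
    """Count hops by category: private, public, no-reply."""
    counts = {"private": 0, "public": 0, "no-reply": 0}
    for _, ip in parse_hops(text):
        if ip is None:
            counts["no-reply"] += 1
        elif is_rfc1918(ip):
            counts["private"] += 1
        else:
            counts["public"] += 1
    return counts


if __name__ == "__main__":
    for hop, ip in private_hops(TRACERT_OUTPUT):
        print(f"hop {hop:2d}: {ip} is RFC1918 space")
    print(summarize(TRACERT_OUTPUT))
```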



/22 that bad for production networks?

We've traditionally used /23 subnets for our production networks and I see us needing a little more growth options moving into the coming years. I've split out many of our networks into additional /23 subnets, but am seriously contemplating bumping them to /22's as well. That would make things so much easier, but I'm a little hesitant as I've read you shouldn't go larger than a /23 or /22 in some circumstances.

If I use a /22 subnet in production, is it really the end of the world?



3 routers, 3 subnets with shortest path

I was trying to decide if this fit more in the home networking section, but the point of my experiment is to have a model of a more complex enterprise environment.

Here's a simple diagram: https://imgur.com/a/4vzL8JE

What I'm trying to set up is a network that consists of 3 routers on 3 different subnets. I've picked up 3 WRT54GL v1.1 routers to try and do this on a budget. I have no problems getting devices on the 192.168.2.0 network to talk to the 192.168.3.0 devices via the 192.168.1.0 router. However, I can't figure out how to create the direct route between the 2 without going through 192.168.1.0. I was also hoping to find a way to make it resilient to a cable being disconnected, but maybe that's asking way too much from this consumer grade hardware?

Is this a limitation of using consumer level WRT54GL hardware? I was able to achieve the existing configuration by connecting the WAN ports on the 2 lower routers to the LAN ports on the upper one, and adding the routes to the routing table on 192.168.1.0. For that to work, routers 2 and 3 are both addressable on the 1 network. However, when connecting between the 2 LAN ports, I don't see a way to assign them the 2 IP addresses necessary for them to communicate directly.

If this isn't possible, what hardware should I be using? I feel like it's a simple scenario. I do have a few Cisco 3550s available if they would be better to use, but I'm not familiar with configuring them.

Sorry if this was too simple. I'm mostly trying to figure out if I need to go back to the drawing board or if it would be possible to use the 3550s to not have to buy new hardware.

Thank you!



Help me diagnose: some devices on wireless network have internet access while others don't

I'm stumped. My Archer C7 wireless is super-stable for my laptop, but my phone (a Pixel 2) sometimes has internet access, and sometimes doesn't. If I reboot the router, it'll get internet for a while, but eventually it stops. My wife's Pixel 2 *never* has internet access on this wireless network. All these devices can connect to the wireless network without any trouble at all, they just show as having no internet access.

Can anyone find a moment to offer me some troubleshooting steps to check out?



What is the aggregate time lost to IOS ip domain-lookup?

How old is this feature and at what point did Cisco Marketing's intent switch from benevolence to malevolence?



Using NAT for web server redirection w/ certificate?

So basically we have 1 external IP and a webserver running on that IP. There is also a certificate server that users must authenticate with (via a smartcard) when connecting.

My question is, I'm trying to set up NAT so that we have another webserver that doesn't use the certificate server, it's just running Apache Tomcat -- so I'm kind of wondering, where does the certificate check take place, is it after the user enters the external IP (or website name) or before it even gets there?

I'm trying to forward all requests on port 3295 to our other webserver that's on the internal network via our Cisco firewall. I basically just configured it so requests to the external IP on port 3295 are sent to this internal webserver, and the other regular 443/80 requests are sent to the main webserver. Is this possible if I have one server that requires a certificate? When I enter www.websitename.com:3295 in IE it just times out.

thanks



Fiber Media Converter works between router and switch, but not NID and router? HELP PLZ

Usually I'm pretty good at finding answers on the internet to problems I can't solve myself, but there seems to be a distinct lack of documentation floating around regarding this type of setup. If anyone has any knowledge about these devices, or about fiber in general (as I have little experience with fiber media outside of basic troubleshooting and connectivity), please chime in.

Current setup:

---Short version: NID > router > switch, with 2 FMCs between the router and switch due to distance

  • internet from provider (Verizon) > NID: via fiber
  • NID > router: via CAT6
  • router > fiber media converter 1: via CAT6
  • fiber media converter 1 (Building 1) > fiber media converter 2 (Building 2): via fiber
  • fiber media converter 2 > switch: via CAT6

Hardware list:

  • NID: Canoga Perkins 9145E-104
  • Router: Cisco 2911
  • Fiber media converter 1: TrendNet TFC-1000MSC
  • Fiber media converter 2: D-Link DMC-700SC
  • Switch: Netgear GS748Tv5

Reasoning:

  • We have 2 buildings physically connected to each other. Only Building 1 has a demarc in its telecom room.
  • We have 2 internet connections from Verizon that come into Building 1's telecom room via fiber.
  • Each building uses one of these internet connections. In this setup, we are only discussing the internet connection for Building 2.
  • Building 2's telecom room is a quarter mile away from Building 1's telecom room, thus the need for the fiber media converters and fiber line between them.
  • The NID, router, and fiber media converter 1 are all in Building 1's telecom room.
  • Fiber media converter 2 and the switch are in Building 2's telecom room.

Task: move the router from Building 1 to Building 2.

Problem: the fiber media converters will not pass through the signal from the NID to the router. They will only pass through the signal from the router to the switch. I have absolutely no idea why.

Explanation and notes: we have a backup internet connection (Comcast) installed in Building 2's telecom room that needs to connect to the router. The easiest solution is to move the router from Building 1 to Building 2, but even though the FMCs work fine to extend the connection from the router to the switch, I get no link light or activity whatsoever when connecting the NID to the router instead.


Does anyone have any clue where to start? Do I need different FMCs that are able to pass through communication from the NID to the router? The existing ones are pretty much plug'n'play. I'd be happy to answer any questions that might help get me towards a resolution that doesn't involve spending countless dollars having our backup internet connection re-run. It also makes more sense to just have the router in the building it serves.

Thanks in advance.



VLAN Mapping on Arista DCS-7052S 52R

Hi guys,

The Arista guide says that EOS supports VLAN mapping using:

interface x switchport vlan mapping xxx yyy 

But I can't find that command on my switch.

This is what the switch says:

arista.sslocal(config)#int eth10
arista.sslocal(config-if-Et10)#swit
arista.sslocal(config-if-Et10)#switchport ?
  access         Set access mode characteristics of the interface
  backup         Specify a backup interface
  mac            Configure MAC learning on this interface
  mode           Set trunking mode of the interface
  port-security  Configure MAC-address-based port security
  trunk          Set trunking characteristics of the interface
  <cr>

I'm running EOS 4.9.8

Arista supported features guide says that my model supports it. I can't find anything on Google.

Maybe I'm doing something wrong? I'm new to these switches.

Thanks, and sorry for my bad English.

EDIT: Formatting



Ruckus R500 VLAN-s

Hi

Quite new to Ruckus WiFi systems and I am experiencing an interesting issue with VLANs.

I have configured two SSID-s:

  • Internal - VLAN 1 (untagged)
  • Guest - VLAN 2 (tagged)

Internal WLAN is working fine, no issues with it. But I am having issues with Guest WLAN. I can't get IP and 0 traffic goes to router in VLAN 2.

I have tried following packet forward settings:

  • Bridge to WAN
  • Local Subnet NAT and Route to WAN

Network topology:

CCR1009-7G-1C-1S+ -> R500

DHCP server is configured for both VLAN-s at CCR.

Is there some kind of special sauce needed to get VLANs working in Ruckus?



Deploying new firewall in a business environment...

Hey everyone. We are looking at deploying a pfSense firewall into a business environment within the next couple weeks. We had a firewall a while back but, at this point, it is best to start from scratch.

Our goal is to just block the outside world from getting in. A couple of questions I have are:

  • Is there any software I should consider that would give me a general overview of what ports to open to the WAN? We don't care too much about blocking anything on our LAN (right now at least) but want to make sure everything can go out that needs to.

  • Is this mostly a "deploy and pray" situation where we just have to put it into service and then open up ports as needed?

Thanks!



Cisco SD WAN DNA

Long-time visitor, first-time poster here. I just wanted to get some feedback and thoughts on Cisco's new DNA licensing model that they are continuing to roll out.

I briefly came across it when attempting to put together a BOM of VEdge Routers and the more I looked into it, the more it seems to resemble the Meraki licensing model. Where you pay the licensing and manage the devices from the "cloud" or you spend $80,0000 on their DNA Appliance so that you may manage them through "on-premise".

Any thoughts? or has anyone rolled out a deployment using this model?



Is it true that every device on a LAN will see/record the MAC address of every other device on that LAN?

Greetings all,

I had a quick cyber-security fact that I wanted to validate as accurate. Is it true that every device on a LAN will see/record the MAC address of every other device on that LAN even if there is no direct communication between devices? So if I connect to WiFi then the MAC address of my device is being seen/recorded by all the other devices that are connected to that WiFi network, and all the MAC addresses of those other devices are being seen/recorded by my device?

Thanks in advance for any replies.



ISP Ring & Power Issues

So we have around 140 locations with many different providers, including Zayo, Centurylink, Level3(Legacy twtc), AT&T, Comcast, Charter, Legacy TWC, Uniti(Legacy Southern Light) and a few others.

The majority of these are serviced by a single lateral, to a CPE, normally Ciena, Adva, or Cisco, with typically a standard duplex fiber uplink, though some use BiDi. Most of those, to my knowledge, are serviced directly out of a headend or central office, meaning as long as our site has power then we should be good, because the headend or CO would have generator backup so in the event of power issues all we have to worry about is our site itself. The obvious downside of this design is if there is a fiber cut along this single path then our circuit will go down.

Several sites, including all of the legacy Level3/TWTC sites are on a ring setup. Single lateral to a CPE, but the CPE has dual fiber uplinks, meaning we could take a fiber cut on either side of the ring and still have service. They have DC batteries and a rectifier for a pretty solid uptime.

Finally we have just a few sites serviced by a decent sized independent provider, and the issue happened this week where a storm came through the city and caused many power outages. Our service went down, yet we still had local power. What we ended up finding out was multiple customers on our ring had lost power (the right combination I suppose, on both "sides" of us) and that is why we lost service.

So obviously this has posed some questions. I know they do not use DC batteries/rectifier, but did not recall if they provided a UPS to all customer sites, what the size of it was, and what the minimum uptime was. Basically they are reliant on customers' power reliability and capability for the stability of their rings.

So as a customer, no matter what preparations or capacity we have (generator, etc.) we could still be offline due to power issues in the area and other customers' lack of said preparations, which is a bit of a downer and opens up some questions I didn't necessarily think to ask before. Luckily we had LTE backup so critical services remained functional.

So if anyone can speak from the ISP side, and other folks in a similar case from the customer side, what are your thoughts on this and what questions would you want to ask during the bidding/provider selection process to have the best comfort level with what you are purchasing?



Children's Home In Serious Need of Internet Update (x-post: r/TechSupport Sent Me Your Way, Any Ideas?)

https://ift.tt/2smzm9K

How to connect a buttset to a 66 block to test a phone line.

I need to connect a buttset to a 66 block to dial out and find the phone number of the line. How do I physically connect the buttset to the block? I have the vampire clamps; do those need to physically pierce the insulation of the line to touch copper, or do I need to just clamp onto the block where the line is punched down?



Weird networking behavior with a gateway between a switch and CMC module, on Dell VRTX equipment. Am I doing something wrong?

Diagram:

https://tinyurl.com/ycb4dxgb


Here's the simplest way I know how to explain how the internal networking of this Dell VRTX works.

So, you have your 4 blades and your network switch module that have integrated remote management controllers, for the blades it's iDRAC and for the switch it's an internal OOB port that I can't actually physically plug into anything else.

According to Dell documentation these ports communicate with the CMC module of the enclosure. So technically the CMC is like a really dumb switch in some sense.

On my RT-N66U, I created 2 separate VLANs to segment the management interfaces and the rest of the interfaces of the switch and gave said interfaces 10.1.0.0 /24 addresses for management and a simple 169.254.255.1-2 /30 address set just to bridge the router and the switch module.

In the diagram I have the management interfaces set on the range from .2 to .7, with a default gateway of 10.1.0.1. These all work fine.

However, the weird behavior is when I try to do static routes on the switch module.

The switch module supports layer 3 static routing. One primary issue is that in the Dell VRTX CMC, to access the web GUI I can set the IP for the OOB interface on the switch module. In this instance, it would show as 10.1.0.3 with a default gateway of 10.1.0.1. The odd thing is that for the switch, it sets the "ip default-gateway" property to this value and all of the traffic ends up defaulting to this route, which I don't necessarily want.

What I've tried:

  • I remove the default-gateway and I add my own static routes. Problem is, 10.1.0.3 should technically be a directly connected interface so I can't really route back to 10.1.0.0 with any gateway that makes sense.
  • If I do a default route of 0.0.0.0 0.0.0.0 10.1.0.1 which is the equivalent of a default gateway AND I add my other static routes for my VMs to get back out to my other networks, I am unable to access the web interface of the switch module for some reason. So here's a quick sample of what some configs look like and the behavior:

Able to access web GUI but cannot ping/access devices in 10.2.0.0 subnet


show run
...
ip default-gateway 10.1.0.1
...
show ip route
...
S 0.0.0.0/0 [1/1] via 10.1.0.1, 00:01:15, oob
C 10.1.0.0/24 is directly connected, oob
C 10.2.0.0/24 is directly connected, vlan 3
C 169.254.255.0/30 is directly connected, gi0/1
...

Add in a static route, lose access to web GUI but can ping/access devices in 10.2.0.0 subnet


show run
...
ip default-gateway 10.1.0.1
ip route 192.168.1.0 /24 169.254.255.1
...
show ip route
...
S 0.0.0.0/0 [1/1] via 10.1.0.1, 00:04:32, oob
C 10.1.0.0/24 is directly connected, oob
C 10.2.0.0/24 is directly connected, vlan 3
C 169.254.255.0/30 is directly connected, gi0/1
S 192.168.1.0/24 [1/1] via 169.254.255.1, 00:01:32, gi0/1
...

Lastly, if I remove the ip default-gateway and add my own static routes, the behavior is essentially the same as the first one above.

This embedded / internal port sharing setup is weird to me and I'm just wondering if I'm missing something stupid simple here. I've done a similar setup on a Cisco 3560E and Quanta LB6M and had no issues at all.

Thanks.



Help identifying the current HP switch nomenclature

Which models are what used to be ProCurve? What would be the 24 port with SFP like HP 1920S 24G 2SFP (JL381A) but that has full ssh management, MSTP, VLAN and LLDP etc support? Many of the "basic" HP switches end up having a difficult to use Web only management, and the naming is all over the place now IMHO.



Graceful BGP Shutdown

Hi,

We have two routers which peer to our two ISPs using BGP. These routers then peer between each other to work out the best route out etc. The kit is Cisco ASRs.

I was wondering how you guys would shut the peering down to one ISP for maintenance?

I have been reading about graceful shutdown command - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-xe-3s-book/irg-grace-shut.html

Thanks, Matt



iSCSI round robin across two Nexus 3064 with nxos 7.0

I'm trying to get a SAN configured on a set of Nexus 3064s. Initially this was configured on a single switch with round robin working; however, now that each host in the system is split between two, VMs on the ESXi host aren't able to boot. This is resolved by resetting the path type to Fixed or last used.

Neither of the SAN units, nor the ESXi host are connected to the switch using a port channel in the vPC domain, however vPC is configured with 2 40G uplinks in the peer-link. vPC is functioning particularly to synchronize the cam tables, but there is an in domain port channel to another switch that is functional. Also, the SAN nodes bond their links using the balance-alb algorithm, but are not lacp.

All of the SAN traffic is on the same VLAN to simplify this, and I'm trying to achieve redundancy on the physical layer while not losing throughput. Is there a configuration I'm missing that will allow these switches to act as 1 unit?



BCP38 (reverse path filtering) Linux IPv6

Hello,

Implementing BCP38 for IPv4 on Linux is very easy: just flip the switch in "/proc/sys/net/ipv4/conf/*/rp_filter". Unfortunately this is, to my knowledge, not possible for IPv6. The only solution I could find is the "rpfilter" extension for ip(6)tables.[2]

My use case is a Debian x86 router which is CPU-wise underpowered. I'm not doing any firewalling so far, hoping that as long as it doesn't have to do connection tracking or look at anything above Layer 3, as much hardware offloading as possible is done by the NIC (Mellanox ConnectX-3).

My questions now are:

  • Is there any other way to achieve BCP38 for IPv6 on linux (apart from individual firewall rules :) )?

  • Using iptables, rpfilter is in the raw table, so no connection tracking is done. Will enabling this have a great impact on CPU usage?

  • Would there be any difference (especially in regards to cpu load and therefore throughput) between implementing reverse path filter for IPv4 via "/proc/sys/net/ipv4/conf/*/rp_filter" vs. "iptables -t raw -A RPFILTER -m rpfilter --invert -j DROP"?

Thanks for your help!

[1] http://www.bcp38.info

[2] http://ipset.netfilter.org/iptables-extensions.man.html
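To make the reverse-path check concrete, here is an added Python model (not code from the post, from the kernel or from netfilter) of what rp_filter and the rpfilter match decide: a longest-prefix lookup on the packet's source address and then, in strict mode, a comparison of that route's egress interface with the interface the packet arrived on. The routing table, interface names and packets are constructed for this example; the rule quoted in the post drops exactly the packets this check rejects, since --invert makes the match fire on failure.

```python
import ipaddress

# Constructed routing table for a small edge router: (prefix, egress interface).
# eth0 faces the upstream provider, eth1 faces the customer LAN. Prefixes are
# documentation ranges (RFC 5737 / RFC 3849) plus one RFC 1918 LAN.
ROUTING_TABLE = [
    ("0.0.0.0/0", "eth0"),          # IPv4 default route towards upstream
    ("::/0", "eth0"),               # IPv6 default route towards upstream
    ("203.0.113.0/24", "eth0"),     # upstream transit link
    ("192.168.10.0/24", "eth1"),    # customer LAN, IPv4
    ("2001:db8:10::/48", "eth1"),   # customer LAN, IPv6
]


def build_table(entries):
    """Parse (prefix, iface) pairs and order them most-specific first."""
    table = [(ipaddress.ip_network(prefix), iface) for prefix, iface in entries]
    return sorted(table, key=lambda route: route[0].prefixlen, reverse=True)


def lookup(table, addr):
    """Longest-prefix match: egress interface of the best route to addr, or None."""
    for net, iface in table:
        if net.version == addr.version and addr in net:
            return iface
    return None


def reverse_path_ok(table, src, ingress, strict=True):
    """Reverse-path check as performed by rp_filter / the rpfilter match.

    strict (rp_filter=1, rpfilter default): the best route back to src must
    leave through the interface the packet arrived on.
    loose  (rp_filter=2, rpfilter --loose): any route back to src is enough.
    """
    best = lookup(table, ipaddress.ip_address(src))
    if best is None:
        return False  # no route back at all: fails in both modes
    return best == ingress if strict else True


def filter_packets(table, packets, strict=True):
    """Apply the check to (src, ingress) pairs; mirrors '-m rpfilter --invert -j DROP'."""
    verdicts = []
    for src, ingress in packets:
        verdict = "ACCEPT" if reverse_path_ok(table, src, ingress, strict) else "DROP"
        verdicts.append((src, ingress, verdict))
    return verdicts


TABLE = build_table(ROUTING_TABLE)

# Constructed packets: (source address, interface it arrived on).
SAMPLE_PACKETS = [
    ("192.168.10.5", "eth1"),     # customer host from the LAN: legitimate
    ("192.168.10.5", "eth0"),     # customer address arriving from upstream: spoofed
    ("198.51.100.7", "eth1"),     # outside address arriving from the LAN: spoofed (the BCP38 case)
    ("203.0.113.9", "eth0"),      # upstream link address from upstream: legitimate
    ("2001:db8:10::42", "eth1"),  # IPv6 customer host from the LAN: legitimate
    ("2001:db8:10::42", "eth0"),  # IPv6 customer address from upstream: spoofed
]

if __name__ == "__main__":
    for src, ingress, verdict in filter_packets(TABLE, SAMPLE_PACKETS):
        print(f"{verdict:6s} src={src:18s} in={ingress}")
```

Note that with a default route installed, loose mode accepts every source that is not unroutable, so only strict mode gives the BCP38 behaviour of dropping a LAN host's packet that carries an outside source address.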



RSTP Root port

Hi!

I want to ask: RSTP is enabled and I don't configure any STP settings. Then RSTP chooses a root port, and it automatically chooses an access port to the client device. What will happen?



Thursday, May 31, 2018

Ruckus(brocade) vs Aruba switches

Hey there guys

Looking for any insight or something to push me over the edge for either switch purchase at the moment.

Comparing Ruckus ICX 7650-48 and the Aruba 8320-581A switch.

Needs 10Gbe Base-T ports -- although will not need all 48 to be 10Gbe or POE. However, the ICX model in Base-T option comes with PoE Regardless.

Usages; ToR switches for racks and also for Storage iSCSI Traffic..

The Ruckus ICX switches are coming in quite a bit cheaper than the Aruba - quieter, and a few inches shorter in depth. They also appear to be more flexible due to the port density/options.

However, I'm uncertain of the Ruckus support/warranty as well as the IOS-like syntax....

I've historically used Cisco, Extreme and HPE (3com and HP)



OSPF hello packets on outside interface

I happened to be looking at the Real-Time Log Viewer on a Cisco ASA and noticed we are getting OSPF Hello packets advertised to us on our outside interface.

We are not using OSPF externally or internally, so I was wondering if this is an unusual occurrence?

All the IPs that are sending the OSPF hellos belong to the ISP. Some private addresses and some public.

We aren't experiencing any issues, just more of a curiosity question. Is there a configuration mistake on the ISP's side?



What workflow does everyone follow when rolling out new network?

To elaborate, I am in charge of changing out an aging infrastructure. I have the hardware here and ideas of how I want to handle it, but I keep finding myself scatter-brained. Just looking for advice from the experienced on how everyone else handles rollout/programming. I did some Excel work to make sure my VLANs are assigned to ports correctly, but every time I come back to the project I find myself spending more time trying to figure out where to go next or where I left off. My lack of workflow sucks; looking for advice on what has worked for you guys in the past. This is my first real project, just trying not to cock it up.

Thanks!



Meraki Wireless vlan tagging and communication issues

Hello Everyone,

I am trying to set up a wireless network that is tagged as VLAN 50 and make it so that devices on that wireless network can communicate with devices on VLAN 1.

Here is some background information about my setup

MX64 firewall --> MS320-48FP --> MR18 Access Point

vlan 1 CIDR 10.11.100.0/24 MX IP 10.11.100.1

vlan 50 CIDR 10.50.100.0/24 MX IP 10.50.100.1

All ports on the firewall and switch are set to trunk with a native VLAN of 1. Aside from this I have done nothing with the switch.

When a device joins the wireless network tagged with VLAN 50 it gets an IP address from the right pool and it has internet access; however, whenever I try to ping anything on VLAN 1 or even the MX IP on VLAN 50 I get this response:

"Reply from 10.128.128.128: Destination net unreachable"

I have no idea where this 10.128.128.128 is coming from as it doesn't exist in any of my configurations.

I suspect I'm missing something in configuring the switch; however, I'm not really all that sure about what I'm doing to begin with.

Any advice would be appreciated.

Thank you.

EDIT: /u/nappy1515 had my answer; I completely forgot that the wireless section had its own firewall & traffic shaping section.



Found this gem on "black Cisco guy".

While looking through some documentation I was greeted for the umpteenth time by the familiar face of black cisco guy. So I decided to google him and stumbled upon this funny blogpost.

https://keepingitclassless.net/2011/10/i-am-cisco-man/

I hope this isn't considered too low effort or meaningless. I had a good laugh and I hope you might too.



Recent CCENT with a 963 score, interested in learning more about the SDN side of things but not sure which college courses to take ...

Good morning all :-) After spending the summer studying for, and hopefully passing the ICND2 exam, I really would like to use my electives to take a few courses that could give me an edge with the latest trend in virtualization of routing, etc. I have heard that Python is the language that is being used in SDN, but my school doesn't offer any classes in Python :-( A professor recommended taking either Server Side Scripting or C++ to become familiar with the processes, but my IT knowledge is a bit lopsided and I don't know enough about either of them to know which would be the better choice. Any feedback or insight from any of you would be greatly appreciated ... :-)



Stuck in > prompt on Aruba switch

Good morning,

How do I get out of this prompt? I searched Google but wasn't able to find anything.

Thanks!

EDIT
Issue resolved! I entered ":" and received this message:

"Only 16 lines allowed in multi-line input - command not executed: :"



Checkpoint Firewall - Hints?

Hi guys, I'll get right down to business. We're a medium-sized company; we're currently looking to replace our ASAs and have a few partners courting us.

Checkpoint came to us with a project using their 15000 series; the thing is, I've been reading horror stories about them here since searching for them.

Is the situation still so dire? We do daily policing on the ASAs; interruption of traffic on policy change would be a substantial setback, as would an appliance that drops traffic without reporting, and so on.

So, here to ask your experience on the matter! Other vendors are at play here too, but obviously, they all talk about how awesome they are.



Family Small Business Network Overhaul Advice

Background information: I'm a 21-year old student with good computer knowledge and limited networking knowledge (revamped my home network). I understand the basic principles of networking but was looking for some sort of sanity check or advice on the plans that I have been setting up over the past week. I've been asked by my family to have a look at their networking and get it into shape; it's currently a dismal mess. They've had a quote of £590 to do some rudimentary rewiring, installation of a networking switch and of a new router from a local firm, but I thought that was quite expensive. Currently they have the ISP-provided modem-router-AP connected to an 8 port gigabit networking switch. They have a couple of NASs connected to the switch which handle some database backups as well as some CCTV recording. Most of the other ports are connected to a patch panel which runs up from the basement (where the networking is located) to the other 3 floors of the property. The patch panel is installed correctly with 24 Cat5e cables which feed up to outlets, so that is not of a concern. The wiring in the networking cabinet is a complete mess, with only the patch panel installed correctly and the rest of the components on a box next to the cabinet with a mess of wires connecting them.

Requirements

  • Organisation and wiring of the cabinet - inc. installation of new gigabit switch
  • Gigabit LAN throughout - currently only 6 of the 16 ports on the office floors are usable; the quick fix has been daisy-chaining network switches at the workstations
  • 4-fixed workstations connected
  • New router - ISP provided speeds are currently 18Mbps down and 1Mbps up; upgrading to fibre soon so this will likely double soon - the issue is that the router is not sufficient for the number of users and is easily getting saturated when the users are mostly browsing the web.
  • Wifi covering the entire property for work, guest, and employee personal use. Usually 4 employees on the property with a usual 10 devices connected to the internet at any one time.
  • Future Plans: Server upgrade; POE cctv; expansion for more employees; UPS installation;

Proposed Equipment/Changes

  • ISP-provided modem in Bridge mode
  • Ubiquiti EdgeRouter X 5-port Router - small-business class performance for a fair cost, including gigabit ethernet
  • Netgear Prosafe GS724TP 24-port POE gigabit switch - Can be found locally for £100 (refurbished); POE for future plans; sufficient for patch panel and all outlets; future workstation expansion
  • Ubiquiti UAP Lite WAP x2 - Researched Unifi and it seems to cover all our needs; POE powered for convenience/wire-management (close to outlets); do these plug into the POE switch or should I get a POE router and plug directly into that?; current setup not providing sufficient coverage so 2nd and 3rd floors w/o wifi, temp secondary WAP installed to cover area.
  • Maybe (cost-dependent) Cyberpower 600VA/360W UPS - Currently there is a small 8-way power outlet with built in battery? - not sure about quality, capacity, and reliability.

Proposed Network Topology Diagram

Questions

  • The ISP bandwidth is 17Mbps down and 1Mbps up yet the internet is patchy and sometimes takes a long time to load when in use by multiple people - this seems to be an issue with the routing and not with the saturation of the bandwidth as most are just browsing the internet, does this seem correct? If so, much of this should be solved when we install the EdgeRouter, correct? Anyway, I am looking into upgrading to fibre anyway as our ISP has quoted us a cheaper monthly bill for an upgraded service but that won't be installed for a couple of weeks.
  • When I will be rewiring the cabinet I will be making my own ethernet cables and cable managing it all; this is my first time taking on a project of this size so are there any tips that you would recommend?
  • I've never configured this router and these WAPs before, looking online the initial setup wizard seems to cover all of the bases and it's mostly specific requirements which require manual delving into the settings beyond this. Is this correct or is there any specific guides I should checkout beyond the manufacturers?
  • I have the WAPs connected to the POE switch, is this best practice or should I be looking at a POE router and wiring them directly?
  • I'm estimating that it will take me the best part of the day to get it fully configured and up and running, does that seem reasonable?
  • Have I selected appropriate hardware for the intended use? Is there anything that would improve performance or where I can pick a more budget-friendly option?
  • I know this isn't the place but have I provided myself with sufficient breathing space to allow extra expansion to an improved server and some POE cameras or is there anything I could do to allow this?

(btw, this is laid out in a similar post to mine with different requirements Link) Edit: Formatting



BFD Authentication on Juniper Firefly / vSRX

I'm trying to configure BFD authentication between a Cisco CSR1000v and a Juniper Firefly or vSRX, but I can't locate the proper config on the Juniper side.

On the Juniper side I'm trying both:

Model: firefly-perimeter JUNOS Software Release [12.1X46-D20.5]

and

Model: vsrx JUNOS Software Release [17.3.R1.10]

I was going along with https://www.juniper.net/documentation/en_US/junos/topics/example/policy-static-routes-bfd-authentication.html . When I get to the point of "set security authentication-key-chains", I find that config is not available.

I've read that authentication-key-chains are not available on vSRX(s), is that true? Is there any way to do BFD authentication between these two virtual platforms?



PVST to Rapid-PVST Migration - Downtime

Hello,

I am a junior network engineer and I recently started a new job working in a data center environment with hundreds of VMs with applications at very high availability; I cannot allow a loss of connection at any time of the day. Moreover, the system team works with Hyper-V and they told me if they lose the network for more than 20 seconds at a node, they lose all the VMs in that node. So I have to be careful at every change.

We have two Nexus 5000 running VPC and 6 Cisco 3750 connected to each Nexus (So logically there is no loop)

The Nexus are already running Rapid-PVST but the 3750 are running PVST. I want to migrate the 3750 to Rapid-PVST.

I don't know how much time the network will be down (or if it will be noticeable or not). My problem is with the 20 seconds limit fixed by the Hyper-V infrastructure.

How should I proceed?

Did anyone encounter this case before?



Reference architecture libraries?

Is anyone aware of decent resources for reference architectures?

I'm aware of the AWS Quickstarts, the Azure Reference Architectures and Cisco's Validated Designs Program.

Can anyone recommend any other sites or books on the subject?



hp procurves in ring topology

Hey guys

This might seem a bit trivial but for whatever reason I'm a bit unsure if this will just work out of the box.

I have a set of ~10 2920's installed at a customer site. We have been working on creating a ring topology for a while and now the last fiber has been put in place.. So I want to connect the ends to create the ring.

How do I make sure that the traffic is blocked in the right place? - I would want it to be blocked at the place I now connect the new fiber to. So my ring is completed physically, but use STP to keep the looping out.



Question about VPC loops

Hi guys,

We are planning to implement the linked topology. As you can see on the picture below, there will be 3 N5K pairs in separate VPC domains, connecting to both 6500s.
Our concern is whether there will be an L2 loop in our topology or not (without using STP or FabricPath!)?
Can anyone advise on this design? We'd like to avoid using STP or FabricPath!

Our design plan

Thanks



Monitoring with Nagios if UDP ports can be accessed?

I'm trying to monitor UDP ports with Nagios to see if they can be accessed. My issue is that it asks me for a string to send and it also expects a string back. AFAIK, this is not UDP standard.

What is the best way to monitor UDP ports, from a networking standpoint?
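A minimal protocol-aware UDP reachability check, added here as an example; it is not from the post above and is not Nagios code. It sends one datagram on a connected UDP socket so that an ICMP port-unreachable surfaces as ConnectionRefusedError, and classifies the port as open (a reply came back), closed (ICMP unreachable), or filtered (silence). The local echo server is a constructed stand-in for a real UDP service, and the function and port names are this example's own.

```python
import socket
import threading


def probe_udp(host, port, payload, timeout=2.0):
    """Send one datagram and classify the port.

    'open'     - a reply datagram came back
    'closed'   - the kernel delivered an ICMP port-unreachable (ConnectionRefusedError)
    'filtered' - nothing came back before the timeout: a silent service or a firewall drop
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # A connected UDP socket lets the OS map ICMP errors onto this socket.
        s.connect((host, port))
        try:
            s.send(payload)
            data = s.recv(4096)
            return "open" if data else "filtered"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"


def start_echo_server():
    """Constructed stand-in for a UDP service that answers requests (echoes them)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free port
    port = srv.getsockname()[1]

    def loop():
        while True:
            try:
                data, addr = srv.recvfrom(4096)
            except OSError:             # socket closed by the caller
                return
            srv.sendto(data, addr)

    threading.Thread(target=loop, daemon=True).start()
    return srv, port


def demo():
    """Probe the constructed echo service; expected classification is 'open'."""
    srv, port = start_echo_server()
    result = probe_udp("127.0.0.1", port, b"ping")
    srv.close()
    return result


def probe_closed_port():
    """Bind a throwaway socket to learn a free port, release it, then probe it.

    On Linux the ICMP port-unreachable makes this 'closed'; where the host or a
    local firewall suppresses the ICMP, the same probe reports 'filtered'.
    """
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return probe_udp("127.0.0.1", port, b"ping", timeout=1.0)


if __name__ == "__main__":
    print("echo service:", demo())
    print("unused port: ", probe_closed_port())
```

The check only yields "open" because the constructed service answers; a real DNS, NTP or SNMP listener answers only a valid request for its protocol, and a service that never replies looks identical to a firewall dropping the datagram. That is why a UDP check such as Nagios's check_udp asks for a send string and an expected response: with UDP there is no handshake to observe, so application-layer evidence is the only positive signal available.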



Wednesday, May 30, 2018

Can someone recommend how to set up “pay as you go” WiFi?

I work for a small hotel company in the Caribbean. There is limited internet, and what they do have is LTE boxes scattered around the property. The owner wants to install a more robust system that charges people for internet WiFi. Any thoughts on how I should proceed? I was looking at a product called antamedia.



Nexus keeps resending ARP

Hello, working on a weird issue where a Nexus 5K keeps showing this in the log: Sending ARP request for local IP address x.x.x.x on VlanXX, request from pid: 3874

The IP is for a VIP on the box. I have checked to make sure it's not related to a static route but the only static is for an IP not associated with the VIP or the physical IPs for the HSRP interfaces.

This one really has me stumped as even google is not helping other than saying it might be a bug in the code. Nexus 5612 system: version 7.0(8)N1(1)



Meraki Question RE: ARP

Seeing Meraki send ARP requests exactly every 16 seconds. No loss of connectivity as measured by ICMP, but that seems very frequent for any device? Is that a standard setting on Meraki, or even adjustable? Not sure if it's worth pursuing or not. Thoughts from the networking brain trust?



Anyone have opinions on Aruba Central for switches?

Hi! We have about 20 ProCurves in our environment, and I just learned about Aruba Central, does anyone have opinions about it?

I'm looking for it to report to me about devices attached to the switches and traffic used within a set time range. Also, firmware management and alerting would be great.

The costs aren't too high for it, and it would be easier on me (only IT guy) to make sure devices were up to date instead of individually updating....



R.I.P. - Finally putting down our MDS 9509s

Hardware cisco MDS 9509 (9 Slot) Chassis ("Supervisor/Fabric-2") Motorola, 7447A, altivec with 1033100 kB of memory.

Kernel uptime is 2233 day(s), 23 hour(s), 3 minute(s), 29 second(s) (6 years, 1 month)



Looking for a small form factor (deck of cards size) router that can do IPSec tunnels.

Hey guys, without getting into too much detail here I have a need that I haven't been able to fill.

I need to connect to an ASA over the internet via IPsec tunnel from all over the world. This is currently doable with a 2901 no problem, however, my boss is looking for a small form factor solution. We have attempted it with Edge Routers, however, they do not have IPsec capabilities.

Currently the smallest router I can find that does it is the Cisco 819GW-4G router. This router comes with a lot of options that we don't really need and I don't feel comfortable spending the money on this beast when we need something that does much less.

Any suggestions? Thanks!



Hey, I got this idea that I would like to have some help to flesh it out the details.

I don't think that the government should become an ISP in order to create competition, but rather entrench a fiber optic line on both sides of the road, and then allow ISPs new & old to use the Gov. fiber to provide a service.

The idea would be to not create an ISP but to lower the cost of entry for new ISPs immensely to enter the scene to create competition.

What sort of fees should ISPs pay to utilize this government fiber infrastructure?

Should the government focus its effort on rural America first as there would be fewer streets & sidewalks to dig up compared to cities, there are fewer underground utilities you would have to worry about, and that segment of the population has been greatly neglected when it comes to internet service?

How many men would you need to wire up your typical rural or small township completely within 1-2 weeks?



cisco prime as mpls aware netflow collector

I could not find any information about this topic.

Does anyone have experience with Prime as a NetFlow collector, and is it MPLS-aware?



Free CCNA Classes in New York

https://ift.tt/2H3Bl7g

Best practice for replacing EOL network equipment in a live environment?

I'm curious to know what people's best practices are for replacing EOL switches in the field. We have 100+ access layer switches which are coming to EOL this year, looking to swap these out with new switches during periods of downtime... is there an easy way to automate the config on these switches so that they are the exact same as the switch they are replacing?

What methods does your company use for roll out of new switches/replacement of EOL network equipment?



The principles in network monitoring

I'm kind of new here, so first and foremost: Hi everyone!

The size of the network in our company has recently exceeded the limit to manage it in a simple way, so we are faced with the choice of an appropriate monitoring system. It's all about effective monitoring of devices (switches, printers, etc.), servers (Windows and Linux), some services and applications, etc. - a total of about 250 devices (this number probably will increase).

Wanting to choose wisely, I would like to ask you, what is the most important from your POV in network monitoring and monitoring of what parameters in your networks brings you the most benefits? (please attach the size of your net).



Network management and troubleshooting/analysis tools for a large network

I've worked with Wireshark for troubleshooting small issues, RANCID for auto-backups of our infrastructure and Cacti to monitor network usage but we're a relatively small shop. I may have an opportunity as a network engineer for a much larger company and wanted to get an idea what would be most useful to manage a large network (mostly Cisco). Any software and tool recommendations that would help with network management, troubleshooting/analysis, SLA monitoring, etc would be appreciated.



[28~ showing up randomly when using SecureCRT, can't figure out why

I use SecureCRT to telnet into devices at work. Lately it's been acting very odd. It'll randomly input the characters (Not all at once)

28~

8~

[2

[28~

and I can't figure out why. Nothing in the settings seems to explain this and it's happening across several different Cisco Devices.



HPE/Aruba chassis vs stacked switches

I work at an MSP, and we have always used HP switches as our standard stack (ProCurve based is preferred, but for really simple/small customers the low end Comware switches work okay). Anyways, we have done both the chassis deployments (5406 and 5412) and the modular stacked switches (2920 with the stacking module). My question is - which one is "better"? Does anyone here have a personal preference? Has anyone done a cost analysis to see which one is cheaper per port (for 1 GbE access ports)? Looking for opinions and others' experiences here. Thanks.



Preventing network loops with secondary core switch

Good Morning, Everyone -

Working on a project to add a secondary network core to our infrastructure, to eliminate our current network core as a single point of failure - see diagram here.

Currently, I'm trying to figure out the best way to prevent network loops in this topology. I know I could leave it to spanning tree, but that doesn't seem like an ideal solution.

My two current core switches, and my DR core switch will be Nexus 9000's with L3 functionality, but my distribution switches are Catalyst 2960's with L2 only.

Any input is appreciated!



How would you configure spanning-tree in this scenario?

I would like some advice on the best way to configure STP in this scenario - see diagram here.

Two wifi controllers are attached to core switches DC1 and DC2. The core switches run MSTP, using SID 0, 1 & 2. All the VLANs passed to the WCs are in SID 0. (There are other DC switches participating in MSTP)

In order to support a new guest wifi service that doesn't use our normal ISP, VLAN 99 is supplied via a third party switch and needs to be supplied to the WCs.

As it was seen as undesirable to attach the third party switch to the core datacentre network, it is attached to a different switch - R1. R1 also runs MSTP by default.

VLAN 99 doesn't exist on DC 1 or 2, and all the links are configured only to egress the VLANs we specify, with all VLANs tagged, and with ingress filtering enabled.

The WCs support RSTP or Rapid PVST. They're currently running RSTP with default settings.

When making the connections between R1 and the WCs, we got STP blocking on R1s port leading to WC2. Currently we've disabled STP on this port, but I don't think that's the best solution. I don't think there's an actual risk of a broadcast storm here, but we would prefer STP to be enabled in case of malfunctions / misconfigurations.

How would you make this topology work?



VPN routes not showing up in ASA

I have a weird issue I don't understand, and I really want to. Familiar with IPSec, just not on ASAs.

I have 3 sites. Two satellite offices, and a colo. This colo has tunnels to all the branch offices, and the branch offices have an independent tunnel to each other as well.

I received a notice that satellite office 1 and 2 could not reach each other for some reason. I thought it was a tunnel dropping and I think I am right. But when checking the routing table on the ASA, I do not see any routes for the tunneled subnets, only the locally connected subnets, and the outside public set which is set as the last resort.

While it's working now, why am I not seeing any of the far subnets that are reachable in the table? If I look at the table logically it seems they get sent out through the ISP and are magically routed even though they are private addresses.

I can submit an anonymous example if needed.



Upgrading WLC 5508 HA setup

Hello Networking! I have 2x Cisco WLC 5508 in an HA setup. Those will be upgraded next week, and I'm a bit worried about upgrading them. Not only do I have to upgrade the IOS but also the FUS image. I've read around on the Cisco forum and other forums as well, to find the best method to upgrade. Most documents are without the HA setup. What should I upgrade first, FUS or image? Will I just upload the FUS and IOS to the primary WLC, and start the upgrade? Will it auto upgrade the standby WLC? Should I be afraid that the old APs connected won't be supported on the newest IOS release? Got some old APs called AIR-LAP1142N-E-K9 and newer ones called AIR-AP3802I-E-K9

Right now it is running 8.2.151.0 it will be upgraded to 8.3.141.0 it seems this image is the newest on Cisco download page.

About FUS, will I be able to go directly to 1.9 from what below tells?

Product Version.................................. 8.2.151.0

Bootloader Version............................... 1.0.1

Field Recovery Image Version..................... 6.0.182.0

Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27

Build Type....................................... DATA + WPS

Any words/tips to calm me down would be cool, haha =). First time I'm upgrading WLCs. Upgraded a lot of firewalls and routers/switches.

Greetings from Denmark!



Looking for a router that can support gigabit speeds over VPN.

Even 1/4 of 1 gig per second over vpn would be fine. Looking for AES and OpenVPN, as well as the usual PPTP, L2TP. Willing to make sacrifices to keep it cost effective. Use will be fiber, with no failover needed, so only 1 WAN. 2 is okay too. 1 transmission a day from several sources, call it 3 terabytes over a gigabit fiber line.



IPv6 growth is slowing and no one knows why.

"We are willing to bet that at corporations with large IPv6 uptake there was either an individual or group that felt strongly about the issue and were in a position to persuade those at the top."

https://www.theregister.co.uk/2018/05/21/ipv6_growth_is_slowing_and_no_one_knows_why/



Captive portal for remote IP.

I want to set up a captive portal but for a specific IP hosted on a remote server. Devices connected to the network won't have to go through the captive portal but will instead be tethered around that one website. Like the way ISPs let one explore only their website if one hasn't recharged their bill. This is a client based project btw and if I demonstrate it's possible then they'll give us the greenlight to proceed.



[Discussion/Question] OSPF and default route advertisement with multiple DHCP WAN connections.

Hello /r/Networking, you may have remembered me from my plea for advice about 8 months ago. Thank you for all the wonderful advice; this project has been a fantastic exercise in network design and architecture! One of the suggestions in my previous post was to route between the buildings instead of spreading VLANs. So I decided to study OSPF. Today I have a few OSPF questions and discussions about default routes.

If this post is not suitable for this sub for any reason, my apologies.

Disclaimer; I am rather new to OSPF. If I got any of the terms wrong please let me know.

I have created a diagram to help demonstrate my design questions

Situation: A small campus with interconnected buildings, some with independent WANs, no static IPs on the WAN links. Devices are Ubiquiti unless stated otherwise.

Goals:

  • Allow use of any wan link by any building/User subnet.

  • Minimize time to resolve issue during a connection outage if another connection is available.

Additional goal: Minimize use of backbone between buildings


Situation 1 (Fig 1.)

Assume the following.

  • Each building has its own subnet for its users.
  • Each subnet has its own VLAN that does not cross the backbone.
  • Each user subnet has its default gateway at 192.168.X.1, that building's router.
  • Each router has an interface attached to the Backbone VLAN, Which is shared between buildings.
  • Each Wan connected router (ASBR) is advertising a default route with a default metric of 2.
  • Each router is set to perform dynamic nat for all subnet (192.168.0.0/16)

My Understanding

My understanding is that each building user subnet will default to its router; that router will default to using its connected default route, so WAN usage stays in the building if it has its own WAN. If it does not have a connected WAN (either lost connection or simply does not have one), it will use the WAN of the nearest-hop WAN-enabled router.

Things I do not fully understand

  • Because all routers are sharing the same subnet and VLAN on the backbone, will the distance metric for all the other routes be the same?
  • If one building's WAN connection dies, will all connections die until they time out because NAT cannot translate to the old IP?
  • During intermittent issues, is it possible to have hanging TCP sessions due to using different NATed IPs during the time it takes for the issue to sort itself out for a longer period of time?

Additional comments

  • If I needed to connect to a building while a backbone link for that building is wrong, it might be a good idea to set up a few IPSEC tunnels to compensate.

Situation 2 (Fig 2.)

Assume the following.

  • Each building has its own subnet for its users.
  • Each subnet has its own VLAN that does cross the backbone.
  • All VLANS are shared over the backbone.
  • There is a router/VM That has an interface on all VLANS, and is the default route for all VLANS.
  • All ASBRs are only connected to the backbone VLAN.
  • All routers with a WAN (ASBR) Are advertising a default route with a default metric of 2.

My Understanding

  • All user devices will traverse the backbone to connect to the "core" router.
  • OSPF would be overzealous on this topology. It may be more efficient to encapsulate all WAN links into a VLAN foreach and attach the VLANs to the core router to perform load balancing.
  • If any backbone connection is lost. all internet is lost for any devices beyond that backbone's daisy chain.

My Questions

  • Is there a best practice for connecting routers across buildings?
  • Is connecting multiple OSPF routers to the same VLAN possible, or not recommended for any reason?
  • Is there a best practice for configuring OSPF to use the WAN from either the building that subnet is in or the closest building over a single VLAN backbone.

Thank you in advance for any input. I understand that this is the kind of stuff people may put "Sr." next to their title for :)



Tuesday, May 29, 2018

People who work at mobile carriers, how does your company monitor the security of mobile networks?


Any Talari SD-WAN customers? Anyone doing SD-WAN in general?

My work has about 40 branch offices around the USA. We currently use dual MPLS links for each office (speeds vary widely from about 3 Mbps to over 200 Mbps).

We are considering a move to SD-WAN, with one of my co-workers very interested in Talari.

Interested in hearing any stories of organizations that have looked at similar setups. VOIP for us is hosted out of two data centers (one in the Midwest, one in NY) so that is a factor for us as well.



Recommended way of receiving syslog messages after an outage

We primarily use Cisco ISR routers which send syslog messages to a centralized collector. The issue of course is we never "see" the interface or BGP flap messages because, well, the single WAN connection is offline when those messages trigger.

Does anyone know of a solution to this that doesn't involve setting up a local syslog collector? Even something as small and cheap as a Raspberry Pi would pose challenges for us. We have buffered syslog messages configured so a show log will produce the missing output, but it can't reach us during the outage.

Is there a way to re-send buffered syslog output once the WAN connection comes back online? Would using TCP syslog instead of UDP syslog help at all?

Any ideas or solutions would be appreciated.

Thanks



Router has a public IP address, but no internet access

I have a FIOS Quantum Gateway Router G110. I followed this guide to put it into bridged mode: https://www.dslreports.com/forum/r31057540-Networking-HOW-TO-Bridge-G1100-So-your-Router-becomes-Primary

I purchased this Ubiquiti Edge Router X along with a Ubiquiti AP. Once I have followed all these steps, VOD works fine and my Edge Router X has a public IP. However, I cannot access the internet and I don't know why. I have tried various things to try and fix this issue. It's not a problem with DNS. Here are some links to screenshots:

1.) WebGUI showing public IP on ERX: https://gyazo.com/4883f6b103da60db09110c97a4b21777

2.) The ERX's routing table. I noticed that the next hop is the .1 of the /24 network. That strikes me as weird. My actual public IP is in the 100-150 range meaning that the netmask is /24. I thought it would be /29 or /30: https://gyazo.com/d2706c922bef77a7f5949f90b7aec2e1

3.) Traceroute. Now the LAN default gateway is 192.168.1.3(ERX). I am able to ping the router public IP which is the 72.x.x.x.

I had a similar problem on my Quantum Gateway router, but I was able to make some configurations on it. It also had a public IP with no internet access. I am not sure what to do in this case.

I know I can call Verizon and activate the ethernet instead of coax, but I rather have the Quantum router act as a modem. I have VOD. Thanks in advance!



Assistance with a Website issue

Company website is hosted offsite, by a third party.

Recently we have been unable to access the site on our Network - website loads slow, if at all, links fail to load. External customers are experiencing similar issues.

I have tried three separate web browsers - slowness, if loading at all.

I can access the website with zero issues when browsing from a proxy - hidemyass (it is still a little slow, but not as bad).

Our router admin confirmed that nothing in the logs show the site being blocked.

Our ISP (comcast) experienced slowness when attempting to access the website, but believes it is a breakdown with the Host. Tracert reveals an issue at hop 7.

The host says its a DNS issue with the ISP.

At this point I am stumped - can anyone offer any insight? Thank you.

6 15 ms 15 ms 18 ms lag-5.bear2.baltimore1.level3.net [4.68.71.117]
7 * * * Request timed out.
8 13 ms 14 ms 13 ms lumos-netwo.bear1.washington111.level3.net [4.53.115.2]



Feedback on Network of 9 Machine Vision Cameras at Remote Locations

I've recently installed a single GigE-Power Over Ethernet machine vision camera at a client's location and they are now interested in expanding to 3 locations on site with 3 cameras per location. The locations are distant enough (>100m) from both the control room and each other that we want to run fiber instead of ethernet cable as much as possible. So I've come up with the arrangement in the linked drawing as a potential solution. A switch at each location capable of PoE and at least 1000Base-T capacity to each PoE/GigE vision camera, and 10G SFP+ connection that will leave the location to the control room. At the control room a 10G SFP+ switch to bring the 3 fiber runs from the distant locations to a single computer (which is the ideal we'd like to test/implement, but it may turn out necessary to expand to more computers due to CPU limits).

Looking for feedback on any issues with the arrangement or equipment selection. I've not set this up before, and being made aware of any pitfalls I might run into or information you can point me towards would be greatly appreciated. Thank you.

Camera Network Diagram

Location Switch - D-Link Systems 28-Port SmartPro Stackable PoE/PoE+ Switch & 2 Gigabit SFP Ports and 2 10GbE SFP+ Ports (DGS-1510-28P) - Will also search for a model that has fewer ethernet ports but still has PoE.

Control Room Switch? - Chatting with Cisco rep now to spec this and other switches.

Desktop NIC - StarTech.com PCI Express 10 Gigabit Ethernet Fiber Network Card w/ Open SFP+ - PCIe x4 10GB NIC SFP+ Adapter

FLIR Blackfly Camera

edit: added camera link



Netflow 9 and Cisco 3850

I am trying to configure netflow 9 on a cisco 3850, the issue that I keep running into is when I apply the monitor on the layer two VLAN interface, I get an error message that reads "Flexable Nfetflow not supported on layer 2 interfaces".

The monitor also does not work on switchport interfaces. Currently I have it configured and working on another 3850, applied to a "routed" interface.

Is there a work around to have it setup on a layer 2 switch?

Also note, the switch only supports Netflow 9 and IPFIX

Any assistance is appreciated.



Cloudflare 1.1.1.0/24 subnet BGP hijack

Cloudflare subnet 1.1.1.0/24 is currently being BGP hijacked by a company in Shanghai.
Details on BGPStream

Edit: Formatting



Bandwidth utilization monitoring?

Hello! My hospital has been plagued with super slow download speeds for the past few days (1-2Mbps from a 100Mbps circuit). I'm looking at reports from our ISP and it shows the circuit being saturated however when looking at our LAN side with Whatsup (network monitoring software), nothing seems to be using that traffic up. Likewise when checking our Checkpoint (layer 7 firewall) for which device(s) are using up all the bandwidth, it shows about 40-70Mbps INCLUDING the LAN traffic at any given moment.

Does anyone know of any way I can pinpoint which device is eating up all the bandwidth?



ospf route path visualization tool?

Is there a program/tool that will allow one to visualize medium to large ospf networks and their preferred and secondary paths.

Ideally a tool that would scrape my existing ptp's and their bandwidths and put together a map of routes.

Something where I can add in new nodes and ptp's to existing nodes and have it show me where the paths to the core are.

I'm thinking of a weathermap for ospf.

Something more automated than my whiteboard and a marker.



Recommend me a new IPAM

I've been given a task to find a new IPAM (DDI?) solution. Today we use NetDot, which is more than OK, but lacks updates and development. We use LibreNMS for alerting and monitoring. We use some other tool for DCIM. We're a MSP with about 25 employees.

What we must have:

- IPAM functionality

- API

Good to have:

- vRealize integration

- Enterprise support

- DNS management/plugin

- Physical cable topology.

Nice to have:

- DHCP management

- Auto discover (an IPAM should be desired state. But auto discover arp/fdb would be nice)

Physical cabling topology is almost must have for me personally since I'm doing all the basic network support and need to map out fiber circuit and strands.

I have tested NetBox, which is really nice and seem to have good development, although they need to fix issues/20! phpIPAM also seem like a good alternative people here praise a lot. None of them have paid support though.

I've read some about EfficientIP which also has been praised in this subreddit, and doesn't have astronomical license costs as some of the others have?



New info about SpaceX StarLink - sat-to-sat FSO links, 25ms

https://www.zdnet.com/article/spacexs-starlink-takes-a-big-step-forward-in-delivering-internet-from-the-sky/

A tweet from Musk the other day confirmed some early test results they're seeing from the first 2 test satellites. 25ms round-trip latency!

Also interesting was the info around using inter-sat links. I did a bit of looking around and there's several players offering 10Gbps for inter-sat links over hundreds of kms:

https://mynaric.com/



What are some important things that are overlooked when initially configuring networking devices (switches for example) .. which can open up problems and cause risk to your networking environment? (If it were to ever come into contact or become a victim of an attack).

Currently setting up a homelab to practice and work on some security related research projects on the configuration of networking devices and how crucial the initial process is.



Any Online Store selling AOC and DAC cable without shipping fee and paypal handing fee ?

I bought 1pc AOC cable and 1pc DAC cable on an eBay store before; I had spent a lot of time selecting the best seller, but it looks like I have to pay double shipping fees if I find the right products from different sellers.

My question is: is there any online store selling AOC and DAC cables without shipping fees and PayPal handling fees?

Any tips/suggestions would be greatly appreciated! 😆



Monday, May 28, 2018

Podcasts for beginners?

Hey guys first time posting in this sub

For about a month or so I’ve been studying networking through online videos.

They're quite helpful, but I'm wondering if anyone could point me in the right direction for podcasts to check out for learning networking?

I'm able to listen to music at work, so I have about 5/6 hours of time to learn, plus one hour travelling home after, so loads of time for podcasts.



Moronic Monday!

It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.



command to verify received vpnv4 routes from specific route-target?

How to verify routes imported to the BGP vpnv4 table? Ex. rt import 1111:1111 <--- how to know the routes received from this RT w/out inspecting each prefix's extended-community.

tried show ip bgp vpnv4 vrf name extended-community RT:1111:1111

But there is no display, or a "no vrf" display error.

Thank you
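The post above asks how to see which routes carry a given route-target without reading each prefix's extended community by hand. When the platform offers no direct filter, the practical fallback is to save the detailed vpnv4 output to a file and filter it offline. The following Python is an added example, not code from the post or from any vendor; the sample text is constructed and only loosely modelled on IOS "show ip bgp vpnv4 all" detail output, so the regular expressions are assumptions to adjust to the real format of the platform in use.

```python
"""Filter VPNv4 routes by route-target from saved 'show' output (added example)."""
import re
import sys

# Constructed sample, loosely modelled on IOS detail output; not a verbatim format.
SAMPLE_OUTPUT = """\
Route Distinguisher: 65000:1 (default for vrf CUST-A)
BGP routing table entry for 65000:1:10.1.1.0/24, version 12
Paths: (1 available, best #1)
  65001
    192.0.2.1 (metric 20) from 192.0.2.1 (192.0.2.1)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:1111:1111 RT:2222:2222
BGP routing table entry for 65000:1:10.1.2.0/24, version 13
Paths: (1 available, best #1)
  65001
    192.0.2.1 (metric 20) from 192.0.2.1 (192.0.2.1)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:2222:2222
Route Distinguisher: 65000:2 (default for vrf CUST-B)
BGP routing table entry for 65000:2:172.16.0.0/16, version 9
Paths: (1 available, best #1)
  65002
    192.0.2.2 (metric 20) from 192.0.2.2 (192.0.2.2)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:1111:1111
"""

# Assumed line shapes; the RD header optionally names the VRF it is the default for.
RD_RE = re.compile(r"^Route Distinguisher: (\S+)(?: \(default for vrf (\S+)\))?")
# Greedy first group stops at the last colon, so "RD:prefix" splits cleanly for IPv4.
ENTRY_RE = re.compile(r"^BGP routing table entry for (\S+):(\S+), version")
# Route targets in either ASN:nn or A.B.C.D:nn form.
RT_RE = re.compile(r"\bRT:([\d.]+:\d+)\b")


def parse_vpnv4_routes(text):
    """Return one dict per table entry: vrf, rd, prefix and the set of RTs it carries."""
    routes, vrf, entry = [], None, None
    for line in text.splitlines():
        m = RD_RE.match(line)
        if m:
            vrf = m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entry = {"vrf": vrf, "rd": m.group(1), "prefix": m.group(2), "rts": set()}
            routes.append(entry)
            continue
        if entry is not None and "Extended Community:" in line:
            entry["rts"].update(RT_RE.findall(line))
    return routes


def routes_with_rt(text, rt):
    """Return (vrf, prefix) pairs for every entry carrying the given route-target."""
    return [(r["vrf"], r["prefix"]) for r in parse_vpnv4_routes(text) if rt in r["rts"]]


if __name__ == "__main__":
    # Usage: python rt_filter.py 1111:1111 < saved_show_output.txt
    wanted = sys.argv[1] if len(sys.argv) > 1 else "1111:1111"
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for vrf, prefix in routes_with_rt(source, wanted):
        print(f"{vrf or '-'}\t{prefix}")
```

Because the filter works on the RTs attached to each entry rather than on the VRF's import statement, it also reveals prefixes that carry the RT but land in an unexpected VRF, which is the thing a per-prefix manual inspection tends to miss.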



Difference between Huawei S5720-52X-LI-AC and other Switches

I need to decide on a switch for an extension of our campus network. The plan is to connect switches at two locations with 10Gb/s uplink and have them spit out 1Gb/s via the normal ports.

I have now found several switches that seem to comply with my intention:

  • The Aruba 2930F-48G w/ 4SFP+
  • Huawei S5720-52X-LI-AC
  • Netgear GS752TXS
  • ...

Apart from the Huawei they all cost ~1500 €; the Huawei can be bought for ~600 €. Being in danger of judging a product by its price tag, I wonder why the Huawei is so much cheaper. Is there a wager in the design that I missed? Because on paper, I can't see any difference from the other products.



Question... how do those of you who use Linux replace SecureCRT?

I had the bright idea of wiping my Windows install and going full Linux a few weeks ago, and so far everything is going great except the damn session manager. How do real Linux people do this?

SecureCRT did several very important things for me that I haven't found a replacement for:

  1. It managed my sessions and allowed me to organize them into groups. With 700 sessions there's no way I could manually remember every one of those.

  2. It allowed copy and paste, easily moving config between sessions or a text editor.

  3. It saved a CYA log.

  4. It had a "chat" window where it could send commands simultaneously to more than one session.

  5. It saved credentials, saving loads of time not having to retype the password each time I needed to log in.

  6. And it made it super easy to write and run scripts.

So, #6 is easy, I'll just go full on Ansible and not script in the terminal. I haven't found an equivalent solution for #5. I read (but haven't tried yet) that tmux can do #4. The big thing will be finding a way to do the equivalent of right-click the folder, boom 15 sessions open, instantly send the same command to all of them at once. SSH can do #3 but again, I just wish it happened automatically and I didn't have to remember to do it every time I connect. I haven't found a solution for #2 yet. And #1 can be solved by recording everything in a text file. Basically, so far, my Linux workflow works but really really sucks.

I know SecureCRT does have a Linux version, but I had trouble installing it on my distro (Arch) and besides, it just doesn't seem right to have an amazing 100% open source desktop, and then the one thing that has to be a proprietary blob is the terminal emulator.

I also tried Remmina, which is kind of the right direction but still has some serious limitations (missing #2, 3, 4 and 6, and no telnet or com ports).



Do you have startup config for new labs?

Hi,

I'm getting bored lately with setting up a new lab and assigning IP addresses with no sh commands. It takes some time and I do it so often that it bothers me.

Do you create one big lab which you copy and apply another config on it or do you export startup config?

I don't think that copying labs from videos is a good idea; it's better to understand what a person did and apply it to your own topology, right?

I appreciate every tip.



VPN connection - IP addressing

I'm having trouble understanding VPN addressing. If I am connecting multiple sites, do I need static IPs on the end points (routers), or can I use DHCP with FQDN?

Is it a safe solution, or am I better off with static IPs?



PSA: Internet Edge Router FIB Growth

I've recently been doing some work on scoping internet routers that need to take full BGP tables.

There are various platforms out there that can install up to 1 million IPv4/IPv6 routes in the FIB.

Problem is, there's a pretty decent chance that 1 million FIB entries will be too small in as little as 18-24 months. The risk is high for anything that will have a >4 year asset life. Here's a decent article:

http://bgphelp.com/2017/01/01/bgpsize/

The TL;DR is that if you are looking to buy internet routers with a 4-6 year asset life, you should probably be looking for 1.5 million FIB entries as a minimum.



Network Planning / feedback

Some of you may remember my post a few days ago where my boss wants a big flat network.

First, thanks to everyone who replied and gave advice. I think I've convinced him that we need to bring in an MSP/consultant on this. I'm also pretty sure the consultant will agree that a big, flat layer 2 network is a bad idea.

In anticipation of that - I'm trying to plan for two scenarios:

  1. One big /8
  2. A logically separated network w/ routers per site

I think my layout would work for both. I've never done any network design (without an engineer) and was looking for feedback as to how bad this layout would be in either scenario.

I realize none of you are obligated to even look at this - so I want to say I appreciate everyone here.

https://i.imgur.com/tsXgo8v.png



Ultimate DHCP Server. Xpost from /r/ProgrammerHumor



vPC peer-link sizing recommendation

vPC best practices indicate to use a minimum of 2 x 10GE ports for the peer-link. I am trying to determine if I should use the minimum (2x 10GE ports) or use more ports for my design.

I have about 50 access switches separated into about 10 stacks. Each stack has 4 x 10GE uplinks to the Nexus 7700 VPC domain (2x 10GE links to each nexus switch). If the access switch uplink bandwidth is 40 GE then would having only 2 x 10GE for the peer-link be considered okay? What is the best practice in terms of uplink bandwidth to peer-link bandwidth (2:1, 1:1 or 1:2)? I have done VSS before and used 1:2 access switch uplink to vss bandwidth.



Can someone confirm - Is the PAN-OS 8.1 Stable enough for production?

One of my clients has been bugging me for weeks, asking if he can upgrade to the latest firmware.



Sunday, May 27, 2018

Is DMVPN Phase 3 functionality hindered if the routes don't point to the hub?

I understand how the redirect from the hub triggers the spoke to do an NHRP resolution request for the other spoke. I also understand the scalability it brings to the control plane if we do this. However what I am trying to understand is do the resolution requests still get CEF switched and sent to other spokes without having this setup? For example assume we have Phase 3 setup with EIGRP but we don't modify the next-hop. Routing table aside, does this increase the load on the hub or spokes? I ask because in production I see topologies like this all the time.



Looking for an odd part

Anybody know where I can find slot covers / blank plates for the back of an HP ProCurve 1U switch? I have a need to remove an expansion module and don't want to leave the slot open for dust and air ingress.

I couldn't attach an image, but if you search "hp procurve 10-gbe interconnect al module" you'll see what slot I need to cover.



Where to buy IT eBook these days

I stopped buying physical books and have been buying Kindle ebooks, but I would like to have my own eBook local library.

I have been reading on my phone, and recently discovered CalibreWeb, which is a nice interface for my library. So far what I have are the ePub, mobi, and pdf files that I got from CiscoPress, Apress, Packt, and InformIT.

Where do you get yours?



Is Frame Relay included in CCNA Certificate exams?

Hello guys, I'm getting ready for the CCNA exams, and I am curious if Frame Relay is included in the CCNA certificate exams. I saw a similar question on forums but I want to make sure that it's 100%.

Thanks in advance.



Billion BiPAC 8800NL Known Compromise(s)? (VDSL2 Router)

So there was a wave of issues with Draytek routers a little while ago, but I've seen nothing about Billion routers. The reason I mention this is that I encountered this issue today (crossposted from the Billion forums):


So I recently had to have the modem take over DHCP duties as my home server is currently offline. It was fine for a few days, but then suddenly sites stopped working (or responded with an invalid certificate). I checked the DNS resolvers on one of my machines and they were wrong, so I checked the router and it seems the DNS resolvers set on the DHCP server page had been changed to two malicious ones.

This is incredibly concerning for a few reasons: remote management was already turned off (and had never been turned on) and the admin password had been changed to something cryptic (which only I have access to).

Is there some sort of remote exploit available for the 8800NL routers? I'm already running the latest version of the firmware (2.32e) so there's not much more I can do here.


So yeah, the question stands: is there a known exploit for these routers? A Google search finds nothing, so either it's not widely disclosed yet or something else screwy is going on.
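The symptom in the post (sites failing or presenting invalid certificates because the router's DHCP server began handing out resolvers the owner never configured) is easy to catch early if a client periodically compares what it actually received against an allowlist. The following Python is an added example, not from the post or from Billion; the resolv.conf text, the dhclient-style lease and the allowlist values are constructed, and the 203.0.113.x documentation addresses stand in for arbitrary Internet resolvers a tampered router might advertise.

```python
"""Compare DHCP-learned DNS resolvers against the ones you configured (added example)."""
import ipaddress
import re

# Resolvers the operator actually set on the router (assumed values).
EXPECTED_RESOLVERS = {"192.168.1.1", "192.0.2.53"}
LAN = ipaddress.ip_network("192.168.1.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample resolv.conf, as a DHCP client might write it after the change.
SAMPLE_RESOLV_CONF = """\
# Constructed sample
nameserver 203.0.113.7
nameserver 203.0.113.8
search lan
"""

# Constructed sample lease in dhclient's format; option 6 is domain-name-servers.
SAMPLE_DHCLIENT_LEASE = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.20;
  option routers 192.168.1.1;
  option domain-name-servers 203.0.113.7,203.0.113.8;
  option dhcp-server-identifier 192.168.1.1;
}
"""


def resolvers_from_resolv_conf(text):
    """Nameserver addresses in resolv.conf order."""
    return re.findall(r"^nameserver\s+(\S+)", text, re.MULTILINE)


def resolvers_from_dhclient_lease(text):
    """Addresses from the lease's domain-name-servers option, in the order offered."""
    m = re.search(r"option domain-name-servers\s+([^;]+);", text)
    return [s.strip() for s in m.group(1).split(",")] if m else []


def classify(addr):
    """Label a resolver that is not on the allowlist by where it lives."""
    ip = ipaddress.ip_address(addr)
    if ip in LAN:
        return "unexpected-lan-host"   # another device on the LAN answering DNS
    if any(ip in n for n in RFC1918):
        return "unexpected-private"    # private space that is not this LAN
    return "unexpected-public"         # an Internet resolver you did not choose


def check_resolvers(observed, expected=EXPECTED_RESOLVERS):
    """Return (resolver, verdict) for every observed resolver missing from the allowlist."""
    return [(r, classify(r)) for r in observed if r not in expected]


def sources_agree(resolv_conf, lease):
    """True when resolv.conf matches the lease; False means something on the
    host itself rewrote resolv.conf, which points away from the router."""
    return set(resolvers_from_resolv_conf(resolv_conf)) == set(resolvers_from_dhclient_lease(lease))
```

Run it from cron or a login hook against the live files; an empty list from check_resolvers is the healthy state, and a non-empty one with sources_agree still True is the pattern described in the post, where the DHCP server itself is the source of the bad resolvers.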



BT Wholesale Broadband Connect

Anyone in the UK able to provide info on how this service would be handed off to a small ISP?

I'm starting with a small ISP end of next week and would like to turn up with a modicum of info if possible.

I know they are using Juniper for their backbone, hosted in a couple of co-los in London, but I have no idea how they get their clients handed off to them via BT.

All my prior experience has been in DC networking, so this ISP world is pretty new to me.