Saturday, June 16, 2018

Can't ping the internal network of our organization

Below is the firewall config (with all the company info removed) that I'm trying to deploy in our environment.

The firewall is in the internal 10.68.48.0/20 subnet. I cannot ping the other internal subnets of the organization (e.g. the 10.7.0.0/20 subnet) from the firewall. Can someone please have a look at the below config and tell me what I'm missing?

I have no experience working with firewalls and I'm not sure what I need to add further.

Edit : OneDrive link of the config text file - https://1drv.ms/t/s!AjSYQDbgQrcVZwnFFDs3D73VRhA

FW001# sh run
: Saved
:
: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.4(4)17
!
terminal width 200
hostname FW001
domain-name corporate.net
names
!
interface GigabitEthernet1/1
 description *** To Internet ***
 shutdown
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet1/2
 description *** To Switch ***
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 description *** To Switch ***
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 description *** To YP Router ***
 nameif DMZ-YP
 security-level 80
 ip address 1x.0.2.x1 255.255.255.248
!
interface GigabitEthernet1/5
 description << To 100M Internet Line >>
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 description <<Fiber_400>>
 nameif outside-2
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface Port-channel1
 lacp max-bundle 8
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.100
 vlan 100
 nameif Server_LAN
 security-level 100
 ip address 10.68.54.251 255.255.255.0
!
interface Port-channel1.101
 vlan 101
 nameif User-LAN
 security-level 100
 ip address 10.68.55.251 255.255.255.0
!
interface Port-channel1.999
 vlan 999
 nameif Management
 security-level 100
 ip address 10.68.48.251 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 4.2.2.2
 domain-name corporate.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 10.200.0.0
 subnet 10.200.0.0 255.248.0.0
object network 10.208.0.0
 subnet 10.208.0.0 255.254.0.0
object network 10.0.0.0
 subnet 10.0.0.0 255.255.0.0
object network 10.21.0.0
 subnet 10.21.0.0 255.255.0.0
object network 10.31.16.0
 subnet 10.31.16.0 255.255.255.128
object network 10.40.0.0
 subnet 10.40.0.0 255.254.0.0
object network 10.7.0.0
 subnet 10.7.0.0 255.255.0.0
object network 10.8.0.0
 subnet 10.8.0.0 255.254.0.0
object network 10.20.110.0
 subnet 10.20.110.0 255.255.255.0
object network 10.64.0.0
 subnet 10.64.0.0 255.224.0.0
object network 10.204.106.0
 subnet 10.204.106.0 255.255.255.0
object service TCP-4000
 service tcp destination eq 4000
object service TCP-22
 service tcp destination eq ssh
object network INSIDE_10.68.48.0_20
 subnet 10.68.48.0 255.255.240.0
object network DMZ-YP-Subnet
 subnet 192.0.x.xx 255.255.255.248
object network YP-Remacc1
 host 1xx.1xx.167.34
object network YP-Remacc2
 host 1xx.1xx.240.3
object network YP
 host 1xx.0.x.xx
object service SSH-YP
 service tcp source eq ssh
object service SSH-YP-OUT
 service tcp source eq 4000
object-group network xxx-Remote-Subnet
 network-object object 10.0.0.0
 network-object object 10.20.110.0
 network-object object 10.200.0.0
 network-object object 10.208.0.0
 network-object object 10.21.0.0
 network-object object 10.31.16.0
 network-object object 10.40.0.0
 network-object object 10.7.0.0
 network-object object 10.8.0.0
 network-object object 10.64.0.0
 network-object 10.66.0.0 255.254.0.0
 network-object object 10.204.106.0
object-group network YP-Remote
 network-object object YP-Remacc1
 network-object object YP-Remacc2
object-group network YPSSH
 network-object host 1xx.59.xx4.xx4
 network-object host 15x.10x.2xx.32
access-list DMZ-YP_ACCESS_IN extended permit ip object DMZ-YP-Subnet any
access-list DMZ-YP_ACCESS_IN extended permit ip object-group xkx-Remote-Subnet any
access-list DMZ-YP_ACCESS_IN extended permit icmp any any time-exceeded
access-list DMZ-YP_ACCESS_IN extended permit icmp any any unreachable
access-list DMZ-YP_ACCESS_IN extended permit icmp any any traceroute
access-list OUTSIDE-2_ACCESS_IN extended permit icmp any any
access-list OUTSIDE-2_ACCESS_IN extended permit tcp object-group YPSSH object YP eq ssh
access-list OUTSIDE-2_ACCESS_IN extended permit tcp object-group YP-Remote object YP eq ssh
pager lines 24
logging enable
logging asdm informational
logging host Management 10.202.10.232 17/1514
logging class session trap informational
mtu outside 1500
mtu DMZ-YP 1500
mtu outside-2 1500
mtu Server_LAN 1500
mtu User-LAN 1500
mtu Management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any User-LAN
icmp permit any Management
asdm image disk0:/asdm-791-151.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (DMZ-YP,outside-2) source static YP interface service SSH-YP SSH-YP-OUT
nat (DMZ-YP,outside-2) source dynamic DMZ-YP-Subnet interface
nat (Server_LAN,outside-2) source dynamic INSIDE_10.68.48.0_20 interface
nat (User-LAN,outside-2) source dynamic INSIDE_10.68.48.0_20 interface
nat (Management,outside-2) source dynamic INSIDE_10.68.48.0_20 interface
!
object network obj_any
 nat (any,outside-2) dynamic interface
access-group DMZ-YP_ACCESS_IN in interface DMZ-YP
access-group OUTSIDE-2_ACCESS_IN in interface outside-2
router rip
 network 1xx.0.x.0
 version 2
!
route outside-2 0.0.0.0 0.0.0.0 x.xx.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 DMZ-YP
http 0.0.0.0 0.0.0.0 outside-2
snmp-server host DMZ-YP 10.202.10.232 community ***** version 2c
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh scopy enable
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 DMZ-YP
ssh 0.0.0.0 0.0.0.0 outside-2
ssh 10.68.54.0 255.255.255.0 Server_LAN
ssh 10.68.55.42 255.255.255.255 User-LAN
ssh 10.68.55.0 255.255.255.0 User-LAN
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Management
dhcprelay server 10.68.54.12 Server_LAN
dhcprelay enable User-LAN
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.202.100.1 source Management prefer
dynamic-access-policy-record DfltAccessPolicy
username Temporary password .s86pxc3Jm62lZTh encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
: end
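An added example, not part of the post above and not the poster's config: a small Python reader that rebuilds the ASA's routing decision from a constructed excerpt modelled on the posted config. It collects the connected networks from each nameif / ip address pair and the static route lines, then does a longest-prefix match. In the posted config the only static route is the default via outside-2, so a destination such as 10.7.0.1 matches nothing more specific than 0.0.0.0/0 and is sent toward the internet uplink; the next hop toward the other internal subnets does not appear in the posted text, so the code does not guess it. The masked outside-2 address and default next hop are replaced here with 203.0.113.2 and 203.0.113.1 (an assumption). A second function flags ssh/http lines that allow 0.0.0.0/0 on a security-level 0 interface, which the posted config has for outside-2.

```python
import ipaddress
import re

# Constructed excerpt modelled on the posted config (not the poster's file).
# Assumption: the masked outside-2 address and next hop are shown as the
# documentation addresses 203.0.113.2 / 203.0.113.1.
SAMPLE_CONFIG = """
interface GigabitEthernet1/6
 nameif outside-2
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface Port-channel1.100
 nameif Server_LAN
 security-level 100
 ip address 10.68.54.251 255.255.255.0
interface Port-channel1.101
 nameif User-LAN
 security-level 100
 ip address 10.68.55.251 255.255.255.0
interface Port-channel1.999
 nameif Management
 security-level 100
 ip address 10.68.48.251 255.255.255.0
route outside-2 0.0.0.0 0.0.0.0 203.0.113.1 1
http 0.0.0.0 0.0.0.0 outside-2
ssh 0.0.0.0 0.0.0.0 outside-2
ssh 10.68.54.0 255.255.255.0 Server_LAN
"""


def parse_config(config):
    """Return (interfaces, routes).

    interfaces: nameif -> {"network": IPv4Network, "security_level": int}
    routes: list of (IPv4Network, nameif, next_hop); next_hop is None for the
    connected routes derived from 'ip address' lines.
    """
    interfaces, routes = {}, []
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
            interfaces[nameif] = {"network": None, "security_level": None}
        elif line.startswith("security-level ") and nameif:
            interfaces[nameif]["security_level"] = int(line.split()[1])
        elif line.startswith("ip address ") and nameif:
            _, _, addr, mask = line.split()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            interfaces[nameif]["network"] = net
            routes.append((net, nameif, None))
        else:
            m = re.match(r"route (\S+) (\S+) (\S+) (\S+)", line)
            if m:
                iface, dst, mask, nh = m.groups()
                net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
                routes.append((net, iface, nh))
    return interfaces, routes


def lookup(routes, dst):
    """Longest-prefix match over the parsed table; None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, iface, nh in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    return best


def egress_interface(config, dst):
    """Interface the ASA would use to reach dst, given only what the config says."""
    _, routes = parse_config(config)
    hit = lookup(routes, dst)
    return hit[1] if hit else None


def exposed_management(config):
    """(service, interface) pairs where ssh or http is allowed from 0.0.0.0/0
    on a security-level 0 interface, i.e. reachable from the untrusted side."""
    interfaces, _ = parse_config(config)
    findings = []
    for raw in config.splitlines():
        m = re.match(r"(ssh|http) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", raw.strip())
        if m and interfaces.get(m.group(2), {}).get("security_level") == 0:
            findings.append((m.group(1), m.group(2)))
    return findings
```

Running egress_interface on 10.7.0.1 returns outside-2 with a /0 match, which is the routing half of the symptom in the post: the other internal subnets are reachable only if a more specific route toward the internal core is present.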


How inefficient would using an old android phone as a wifi Hotspot be?

I'm temporarily living in an apartment without any internet access so I bought a contract free sim card with a month of unlimited internet (speed should be 30/6 mbit optimally). I wanted to buy an LTE wifi router but they were pretty expensive for me to buy for just a month or so. So I'm thinking of using an old Note 4 as a mobile hotspot, but I'm not sure how good that would be for streaming and some light gaming and I can't find any info online. If it's really inefficient regarding speeds and ping then I'll order an LTE wifi router online, but I can't find any info comparing the two online. Anyone got some experience with this?



EVE-NG Web Question?

Hi,

Just want to ask how to enable the http service on EVE-NG. Based on the docs, when they do the setup it's already enabled and the URL is visible on the login page. In my case there's no URL provided; does that mean the http service is not properly set up?

Note: the default page is the Apache one. Anyone encountered this issue?

Thanks



Force10 VLT between two MXL's doesn't seem to be passing traffic

These last two weekends we've been doing maintenance to get our new Dell blade chassis onto the network, and we're having a ton of problems getting this set up - thinking I might be in a bit over my head networking wise. Basically the setup is: in the back of the Dell M1000e chassis we have two Force10 MXL switches. Then we have two Dell N4032 core switches that we're connecting them to. So we're trying to set up an MLAG between the N4032 switches, a VLT to connect the two MXL switches together, and then another MLAG/VLT between the MXLs and N4032s using two 40GbE links per MLAG.

We're PRETTY sure the issue we're having is that the VLT between the two MXL's isn't passing traffic. Something we plug into MXL1 isn't able to communicate with a device we plug into MXL2 - and this traffic should be flowing across the VLT link - yet it's not. If I do a show vlt brief, I get:

VLT Domain Brief
------------------
Domain ID: 1
Role: Secondary
Role Priority: 8000
ICL Link Status: Up
HeartBeat Status: Up
VLT Peer Status: Up
Version: 6(8)
Local System MAC address: e4:f0:04:76:6f:7c
Remote System MAC address: e4:f0:04:76:6e:90
Remote system version: 6(8)
Delay-Restore timer: 90 seconds
Delay-Restore Abort Threshold: 60 seconds
Peer-Routing : Disabled
Peer-Routing-Timeout timer: 0 seconds
Multicast peer-routing timeout: 150 seconds
MXL-Switch2#

Which LOOKS like it's up at least. But I don't know WTF we're missing. This is the config we have for the VLT:

MXL1:

protocol lldp
 advertise management-tlv system-description system-name
!
protocol spanning-tree rstp
 no disable
 bridge-priority 0
!
vlt domain 1
 peer-link port-channel 127
 back-up destination 10.10.100.209
 primary-priority 1
!
interface fortyGigE 0/33
 no ip address
 no shutdown
!
interface fortyGigE 0/37
 no ip address
 no shutdown
!
interface Port-channel 127
 description VLT
 no ip address
 channel-member fortyGigE 0/33,37
 no shutdown

MXL2:

protocol lldp
 advertise management-tlv system-description system-name
!
protocol spanning-tree rstp
 no disable
 bridge-priority 4096
!
vlt domain 1
 peer-link port-channel 127
 back-up destination 10.10.100.208
 primary-priority 8000
!
interface fortyGigE 0/33
 no ip address
 no shutdown
!
interface fortyGigE 0/37
 no ip address
 no shutdown
!
interface Port-channel 127
 description VLT
 no ip address
 channel-member fortyGigE 0/33,37
 no shutdown

Is anyone familiar with Force10 VLT and can determine if I have something messed up here or not? I'm kind of at wit's end here. We're going to call Dell and have them take a look at it as well. Doing these maintenance windows is a pain because one wrong command and we drop all our iSCSI traffic, so it's a pain in the ass because we have to shut down over 300 VMs every time, as well as do a site failover on our Exchange DAG so email stays up. I've pulled two all-nighters in the past week so at this point I'm probably so sleep deprived I'm missing something stupid.

Might not even be the VLT at all, maybe MLAG issue, but I don't think so as the MLAG traffic going to the core switches shouldn't affect the problem we're having with traffic flowing in between the two MXL's.



Public hot-spot not providing IP when connecting

I am trying to access the internet by connecting to a public "xfinitywifi" hot-spot. I can connect, but it doesn't give me an IP address. I have tried 2 different computers and my phone. (My phone gets as far as "Obtaining IP address..." and then it disconnects.) I have 3-4 bar signal strength.

Here's the relevant information from my laptop:

Screenshots of Network and Sharing Center, Wireless Network Connection Status, and Network Connection Details windows.

ipconfig:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Stretch>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : StretchsLappy
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Atheros AR8152/8158 PCI-E Fast Ethernet Controller (NDIS 6.20)
   Physical Address. . . . . . . . . : **-**-**-**-**-9A
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom 802.11n Network Adapter
   Physical Address. . . . . . . . . : **-**-**-**-**-F1
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::d42f:27bb:bfe:68bd%11(Preferred)
   Autoconfiguration IPv4 Address. . : 169.254.104.189(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 238574073
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-62-2C-A6-38-59-F9-C1-19-F1
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{249E9D16-2CB8-4CED-B707-65C74318B56E}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\Stretch>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

If there is any more information that would be helpful let me know. Thanks for any help.



Issues with performance between an SSH SOCKS5 Proxy and a normal SOCKS5 Proxy

Hello everyone! I'm new to this sub and I apologize if this does not belong here. I saw "No advanced gaming latency issues" but at the same time I don't feel like this belongs in r/HomeNetworking. Please correct me if it's wrong and I'll move this post asap! Thank you.

I've been encountering this issue for the past few months and have not been able to identify the issue. I only work on this in my spare time with my other friend. Our goal was to create what people call a "GPN" or "Ping booster". We successfully were able to get our "socksifier" working, where we would inject our DLL and it would change the destination of the connect command from the game to that of our proxy servers. It works fine and the traffic gets sent through the routes we want it to. But the issue comes down to performance (This is where it becomes more gaming latency related).

When we direct the traffic straight through our proxy servers (hosted in Singapore / Hong Kong / Taiwan), we get latency spikes (with it continually rising..) if we input multiple commands in the game, i.e. attacking + moving.. almost as if there were too many packets being sent and it was bottlenecking somewhere. If we don't input too many commands, i.e. attacking + NOT moving, the latency stays low and smooth. We tried to identify the issue for a long period but could not come to an answer. So we tried using PuTTY/Plink to create an SSH SOCKS tunnel (-D) through to our proxy servers and instead set the destination to 127.0.0.1. This completely alleviated the issue of our latency spikes, and is why we're confused.

Finally we decided to test some actual proxification programs that are available on the market. We tried Proxifier and ProxyCap. When we used ProxyCap, with both their SOCKS5 and SSH method, the issue once again did not occur, ever. But using Proxifier, it would still happen. I tried ticketing the ProxyCap support staff to ask if they were doing anything different and they told me they simply set "TCP_NODELAY" remotely to the servers, which we already do. What we did discover though, is that with PLink and ProxyCap, they redirect the traffic to localhost first, whereas Proxifier did not. Because of this, we hosted a local socks proxy with chaining setup to route the traffic to the other proxy where we initially wanted it to go.. but the problem still persisted.

About the servers: We purchased multiple Linux VPSs in specific locations and hosted SOCKS proxies on them. We tried a multitude of different proxy programs, all with the same results. Every proxy has TCP_NODELAY set on its socket. TCP_NODELAY is also set on the game's socket on the client's end. We tried testing multiple SNDBUF and RCVBUF values as well as messing around with TCP_QUICKACK rather than NODELAY, but nothing has solved this issue. We also tried testing running the game between Windows 7-10, 32-bit and 64-bit. The game is Blade and Soul (Taiwan) and it unfortunately only uses TCP..

I apologize for the long post and if there's any more information that could help, please comment and ask!

Thank you.

EDIT: In a post I made on SuperUser, someone suggested it could be the VPS Providers having higher priority for SSH traffic. But in that case, ProxyCap (using their SOCKS method) would perform just as bad, but it doesn't.
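An added example, not the poster's socksifier or any of the tools named above: the SOCKS5 CONNECT exchange (RFC 1928) with both sides' messages, which is what the rewritten connect() has to complete before any game traffic flows through the proxy. The encoders and decoders below are complete for the no-authentication method and the CONNECT command with IPv4 and domain-name targets; the `allowed` ruleset hook and the target addresses are illustrative assumptions, not anything from the post.

```python
import ipaddress
import struct

VER, NO_AUTH, NO_ACCEPTABLE, CMD_CONNECT = 0x05, 0x00, 0xFF, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


# --- client side -----------------------------------------------------------
def client_greeting():
    """VER, NMETHODS, METHODS: offer only 'no authentication required'."""
    return bytes([VER, 1, NO_AUTH])


def connect_request(host, port):
    """CONNECT request: an IPv4 literal goes as ATYP 1, anything else as a
    domain name (ATYP 3) so the proxy does the DNS lookup, not the client."""
    try:
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def _decode_address(buf):
    """Shared ATYP/ADDR/PORT decoding for requests and replies."""
    atyp = buf[0]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(buf[1:5])), buf[5:]
    elif atyp == ATYP_DOMAIN:
        n = buf[1]
        host, rest = buf[2:2 + n].decode("idna"), buf[2 + n:]
    else:
        raise ValueError(f"unsupported ATYP {atyp}")
    return host, struct.unpack("!H", rest[:2])[0]


def parse_reply(reply):
    """Return (rep_code, bound_host, bound_port) from the server's CONNECT reply."""
    if len(reply) < 4 or reply[0] != VER:
        raise ValueError("not a SOCKS5 reply")
    host, port = _decode_address(reply[3:])
    return reply[1], host, port


# --- server side -----------------------------------------------------------
def server_choose_method(greeting):
    """Pick 'no auth' if the client offered it, otherwise refuse (0xFF)."""
    methods = greeting[2:2 + greeting[1]]
    return bytes([VER, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE])


def server_handle_connect(request, bound=("0.0.0.0", 0), allowed=lambda host, port: True):
    """Decode a CONNECT request and build the reply.  Returns ((host, port), reply);
    the target is None when the request is rejected before any connect happens.
    'allowed' is a hypothetical ruleset hook (reply code 2 when it refuses)."""
    empty_bnd = bytes([ATYP_IPV4]) + b"\0" * 6
    if request[0] != VER or request[1] != CMD_CONNECT:
        return None, bytes([VER, 7, 0]) + empty_bnd
    try:
        host, port = _decode_address(request[3:])
    except ValueError:
        return None, bytes([VER, 8, 0]) + empty_bnd
    rep = 0 if allowed(host, port) else 2
    bnd = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(bound[0]).packed + struct.pack("!H", bound[1])
    return (host, port), bytes([VER, rep, 0]) + bnd
```

The handshake is two round trips per TCP connection and is over before the game's first byte; everything the post measures afterwards is plain relayed TCP, which is why the socket options on both sides, not the SOCKS framing, are where the latency comparison belongs.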



Network problem on phone

Hi... I'm using an ASUS phone. When I got my new wifi the connection worked fine, but one day the connection started to become worse... the connection runs slower on my phone while my connection on my laptop is fast? Any solution???



Extending a wireless signal through a Shipping Container

Hello,

I run an outdoor ice rink and our POS runs off of a private wifi in the area. Unfortunately, our admission booth is a repurposed shipping container, and we can barely get a signal to penetrate the steel walls of the unit.

I'm essentially looking for a way to hard wire a tablet (ethernet jack already built into the dock) into a router that can connect to the existing wireless network. I assume there is some sort of outdoor rated equipment that I can mount to the outside of the unit that will receive the signal better.

Unfortunately, the IT guy for the organization that controls the networks in the area doesn't seem to care much if the hardware issue isn't his hardware. So sadly, the internet is my next affordable hope. Any basic suggestions on how to solve this would be awesome.

Thanks



Friday, June 15, 2018

How do I generate a splash page when connecting to free WiFi?

My father has a small business and I would like to create a splash page similar to what hotels have for him. There will be no ad attached to it, just agree/disagree. And if I can, without a DB and extra servers, a credit system to pay for WiFi.

I work in IT but I don't know much about networking infrastructure that involves this, but am confident if someone just points me in the direction I can handle it.

My father's set up is very similar to a home network set up for his home business there isn't a server anywhere. If there is a SaaS product that'd be awesome, or a physical router meant for this.



Accessing a subnet on a different VLAN over OpenVPN on macOS?

Networks:

  • 10.11.0.0/24 VLAN 0
  • 10.11.1.0/24 VLAN 10
  • 10.11.2.0/24 VLAN 20

I have a ClearOS router that is attached to the three networks above, and I have OpenVPN running on the router. On my macOS client (Tunnelblick) I'm able to access everything on 10.11.0.0 network. However, I can't access anything on the 10.11.1.0 or 10.11.2.0 networks, and I'm presuming the reason I can't access these networks is because they are on a different VLAN. Tunnelblick is configuring the OpenVPN connection with a tun device.

Is there a way to configure the macOS client so that it can support VLAN tagging over an OpenVPN connection?

Edit: I'm able to ping the router from the macOS client on 10.11.1.1 and 10.11.2.1. I can't ping other hosts on those networks though, so traffic is reaching the router but not passing through it.



Microsoft whitelist office 365, block personal email systems.

Sophos system - So we want to upgrade to Office 365, and it seems we will need to whitelist *.live.com; however I'm trying to avoid allowing employees access to personal Outlook/Hotmail/etc. accounts. Does anyone have any experience or advice on this?



3rd Party SIP failing to register over UDP, registers fine with TCP

Hello All,

I am using Commend intercoms as 3rd party SIP devices here on my site. The challenge I am facing is they will only register to CUCM if set as TCP only. When I set them for UDP on Call Manager and on the Commend side, it unregisters and never comes back. Does anyone have any experience with this?

Thanks



[Help?] DHCP Relay to DHCP Server on different VLAN.

Running into a bit of a snag here, despite my best efforts. Wondering if anyone had some insight as to what I may have missed.

Current network topology:

  • Sonicwall serving DHCP for:
    • a workstation VLAN(110) 10.0.42.0 (interface X0:V110)
    • a server VLAN(1) 10.0.41.0 (interface X0)
    • other VLANs that don't factor into this equation
  • Stack of SG300s handling switching for multiple VLANs

Desired network topology:

  • Sonicwall serving DHCP for all VLANS except for 110.
  • SG300s forwarding DHCP traffic for VLAN 110 to AD Domain Controllers on the 10.0.41.0 network

I have configured DHCP server roles, scopes and failover on the DCs, and enabled the scopes. Everything on the DC end is configured as expected.

Process:

  1. disabled DHCP on the Sonicwall for VLAN110
  2. on the SG300s:
  • IP Configuration -> DHCP Relay -> Properties -> Enabled DHCP relay, and added the DCs to the relay server table.
  • IP configuration -> DHCP Relay -> Interface Settings -> enabled DHCP relay for VLAN110

In my mind, this should be configured correctly and working as of now. Unfortunately, it looks like the DCs are not seeing any network traffic related to DHCP.

I set up a monitor port on the switch, and looked at traffic for VLAN110 via wireshark:

  • I can see DHCP requests being sent

Moved the monitor port over to VLAN1:

  • I can still see DHCP traffic

Running wireshark directly on the DC itself:

  • no DHCP traffic.

Verified no ACLs on the switch are preventing this. No Windows firewall is preventing this. I can ping directly from the switch stack to the DCs, so routing is in place.

Appreciate any thoughts or comments on something I may have missed.
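An added example serving both the xfinitywifi post above (the client never received an OFFER and fell back to 169.254.104.189) and this DHCP relay post (the DCs see no DHCP traffic). It is not code from either poster. It builds a client DISCOVER, applies what a relay agent does to it before unicasting it to the server (set giaddr, increment hops), builds the server's OFFER, and works out where the server sends that OFFER: to giaddr on UDP 67 when it is set, otherwise as a broadcast on the server's own segment. The relay and server addresses (10.0.42.1 on VLAN 110, a DC at 10.0.41.10) are assumptions chosen to match the subnets in the post.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header (RFC 2131)
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER = 1, 2

# Assumed addresses for the example (not from either post): the relay's own
# address on the client VLAN and the DHCP server (DC) on the server VLAN.
RELAY_IP = "10.0.42.1"
SERVER_IP = "10.0.41.10"


def _options(msg_type, extra=()):
    """Option 53 (message type) first, then any (code, data) pairs, then END."""
    out = bytes([53, 1, msg_type])
    for code, data in extra:
        out += bytes([code, len(data)]) + data
    return out + b"\xff"


def build_discover(mac, xid):
    """Client DHCPDISCOVER: BOOTREQUEST from 0.0.0.0 with the broadcast flag set."""
    hdr = struct.pack(HEADER, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac, b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + _options(DISCOVER)


def parse(pkt):
    """Decode header fields and options into a dict."""
    f = struct.unpack(HEADER, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:            # pad option
            i += 1
            continue
        code, n = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + n]
        i += 2 + n
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
            "yiaddr": socket.inet_ntoa(f[8]), "siaddr": socket.inet_ntoa(f[9]),
            "giaddr": socket.inet_ntoa(f[10]), "chaddr": f[11][:f[2]],
            "msg_type": opts[53][0], "options": opts}


def relay(pkt, relay_ip):
    """What a relay agent does to the client's broadcast before forwarding it
    as a unicast UDP datagram to (server, 67): fill giaddr with its own address
    on the client's VLAN (only if still zero) and increment hops."""
    p = bytearray(pkt)
    if p[24:28] == b"\0\0\0\0":
        p[24:28] = socket.inet_aton(relay_ip)
    p[3] += 1
    return bytes(p)


def build_offer(discover, yiaddr, server_ip, netmask, router, lease=3600):
    """Server DHCPOFFER: echoes xid, flags, giaddr and chaddr from the request."""
    d = parse(discover)
    hdr = struct.pack(HEADER, BOOTREPLY, 1, 6, 0, d["xid"], 0, d["flags"],
                      b"\0" * 4, socket.inet_aton(yiaddr), socket.inet_aton(server_ip),
                      socket.inet_aton(d["giaddr"]), discover[28:44],
                      b"\0" * 64, b"\0" * 128)
    opts = [(1, socket.inet_aton(netmask)), (3, socket.inet_aton(router)),
            (51, struct.pack("!I", lease)), (54, socket.inet_aton(server_ip))]
    return hdr + MAGIC_COOKIE + _options(OFFER, opts)


def reply_destination(reply):
    """Where the server sends its reply (RFC 2131 section 4.1): to the relay
    agent if giaddr is set, else broadcast if the client asked for it, else to
    the offered address."""
    r = parse(reply)
    if r["giaddr"] != "0.0.0.0":
        return r["giaddr"], 67
    if r["flags"] & 0x8000:
        return "255.255.255.255", 68
    return r["yiaddr"], 68
```

Two things follow for the captures in this post. A correctly relayed DISCOVER arrives on the DC as a unicast UDP/67 datagram from the switch with giaddr set to the VLAN 110 address, so a capture on the DC filtered on udp port 67 should show exactly that; and an OFFER whose giaddr is zero never leaves the server's own VLAN, which is the case the hotspot client in the earlier post ends up in when it times out and self-assigns 169.254.x.x.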



Senior Project Ideas

Hello! I am a senior in college, and will be completing a senior project in this upcoming semester. This being said, I would love to hear some ideas.

I want my project to be networking related, but I am having issues coming up with something. The project has to be "original," and can be either a development project, or it can include hardware; IE Raspberry pi's or routers, etc. As long as the project is complex enough, it should work fine. If you have any ideas, let me know. I would greatly appreciate the help!



Is it possible to limit wifi network access to one specific app like chrome?

Hi,

Looking to offer free wifi to customers if they use "our app" which will be a browser like chrome.

They will be able to access to facebook.com and etc from our app but not from chrome.

I was thinking I can use whitelist system, and append a parameter to all outgoing urls from our app and detect whether the network is from our app or etc.

Is there better way?

Thanks.



Thursday, June 14, 2018

Stress Testing Network

https://imgur.com/a/hb5agVR

This is the most traffic our little network has ever seen.

Built our network way over kill for what was needed a year ago. Doing a SAN migration during business hours and not having any issues. Not best practice, but boss said get it done... /shrug



Management IP routinely goes up/down on Catalyst 3560 connected to LAN over Meraki mesh link

Hello, everybody. I've been trying to figure out why a Catalyst 3560 in my environment stops responding to ping/SSH regularly, then comes back online. Any tips are much appreciated if anyone has any suggestions.

I inherited a network at one of our branch sites where a Meraki mesh link is used to connect a small building to the rest of the LAN instead of conduit/cabling. A Meraki MR72 is getting its uplink connectivity from the mesh network; the MR72's only LAN port is connected to a Catalyst 3560 (the MR72 gets PoE from the 3560). The mesh link reports as strong, per Meraki.

Until recently, only one device was connected to the 3560. It was not being used, so I'm not sure if the devices on the switch were getting network access or not. Contractors ran another 10 drops in the remote building which terminate into the 3560. It was at this point that I realized the 3560 was not being monitored, so I started monitoring it. Solarwinds tries to ping the device every couple of minutes; I started getting spammed with alerts that the switch went down, then it came back up, etc. The duration of how long it's up or down doesn't look to be consistent.

That being said, I can still communicate with nodes on that switch even when the IP for the switch itself is not responding. It's mostly just annoying that I can't reach the switch regularly and noise from alerting. For now, I'm going to change the alerting for this switch to require the pings to fail for an hour before sending out an e-mail. I'd prefer to fix whatever is wrong, but I haven't figured it out.

  • 3560 has three VLANs configured with corresponding SVI's. Only one of the VLANs is actually in use and its SVI is what I'm monitoring.

  • Meraki mesh acts as a layer 2 bridge. VLAN info is dropped once traffic travels over the mesh from the LAN port on the wireless access point.

  • Logging on the 3560 doesn't show any ports going down or power issues that I can see.

  • The port on the 3560 connecting to the Meraki is set up as a dot1q trunk with a native vlan (the native vlan includes the monitored IP address) set to "nonegotiate" and cdp is disabled.

This is more of an annoyance than anything, but if anyone can help save my sanity I'd be quite grateful.

(ASCII topology diagram, flattened by extraction: Rtr 2911 at the top, Sw1 3560 and Sw2 3560 below it, AP MX74 and AP MX72 hanging off the switches with the MESH link drawn between the two APs.)


OSPF drops

Hey Guys,

I have a network problem which I am hoping you can shed some light on.

I work for an ISP and I have a strange issue with one of the routers that we manage. From this router we run OSPF to our upstream PE and run LDP as well. The issue we are seeing is that OSPF keeps going from Loading to Full on the CPE:

GigabitEthernet0/0.100 from LOADING to FULL, Loading Done

On the upstream PE we see the following:

GigabitEthernet0/1.100 from FULL to DOWN, Neighbor Down: Dead timer expired

The CPU on the router does spike occasionally, but not at the time of the drop. I am thinking that it may be due to a sudden burst of traffic causing saturation of the link, causing the OSPF to drop. Saying this however, the LDP neighbor doesn't/hasn't dropped and this forms via the same physical link as the OSPF does.

I have configured an EEM script on the router to try and give me a bit more info, but nothing has been generated yet. I'm just wondering if it's possible for me to QoS the OSPF packets generated from the router. Also if you have any troubleshooting tips they would be much appreciated.

Thanks



Deploy a DHCP server with no IP address on the NIC serving DHCP requests? (Raspberry Pi?)

I have a fringe case. Don't know how to do this. Hope you can help point me in the right direction.

I have a VPN appliance that needs a DHCP-provided internet connection to connect and call home. (Kinda like Meraki stuff.)
The device needs to be able to pull an IP, DNS and GW info from a DHCP server to operate.

BUT I have a location where the only kind of reliable internet can only be had with a single static IP, and the ISP will not provide DHCP for the connection.
Right now I have made a MacGyver solution, and just plugged in the first available home-grade router I could find at the office. Plugged this in between the ISP connection and the VPN box, just to be able to provide the VPN appliance with a DHCP-issued IP and GW + DNS, so it can connect home to our main firewalls.

Since I don't trust this home-grade router to keep running without nursing, I need something better to replace it.

I could spend an arm and a leg to put in a quality router to take its place. But as the router is absolutely just another route that is entirely unneeded, I would rather find a way to hand out those DHCP requests instead.

So now I am getting out of my comfort zone on this.
All DHCP servers I have ever set up (Windows, BSD, Linux, FW appliances) all had an IP address on an interface to be able to set them up as DHCP servers.

Is there any way I can just set up a Raspberry Pi on the same switch to hand out the one IP address I need, without it having to have an IP on the same network?

The network on the public IP is a /30 (255.255.255.252) network, where my device has one IP, the GW has another, one is for broadcast, and one defines the net. So there is (to me) no way to place a DHCP server in this address space.

I have no network training or education. So if all of this sounds just silly/crazy to any of you, I apologize, and just ignore me.



Need help with router

Hello I need to connect this to netgear n600 wireless router which doesn't have port for this type of cable. Is there a simple adapter I can buy? https://i.imgur.com/S9wkaix.jpg



Difficult Problem on Firepower 4150

I'm trying to troubleshoot a problem where a database server is failing to send transaction logs from one server to another. Basically two devices were connected to a 5580 on different interfaces, and permitted to speak to each other with relevant rules. I've replaced this 5580 with a 4150 pair, and the only issue I've run into is that some transaction logs are not being sent between those two servers. To try and isolate the issue, I temporarily put a permit any [interfaces] any [src] any [dst] everywhere. However the 4150 STILL shows that the packets are being blocked in the connection events log for tcp 1521 between the two servers. I can't get my head around this: how can anything be blocked if my first rule in the list is permit any any? Can someone try to explain to me how that is even possible?

PS: There is absolutely no asymmetric routing going off here.



Any tools to easily view Sonicwall configs?

Looking to start fresh on a Sonicwall instead of re-importing the same config that has been around for many generations. Does anyone know of a tool that will allow me to easily view the Sonicwall config files in an easily readable format?

I was able to convert the exp file to a text readable format, but the names and structure of the file is so convoluted that it's impossible to use as a reference as I re-build.



Remind me of some well-known source MAC addresses?

I've got a project that will benefit from having a list of MAC addresses which are likely to show up in the L2 filter list on any given network.

Put another way, if I challenged you to type a command of the form show mac address-table address <value> on an unfamiliar network and get a hit, what value would you guess with?

So far, I've only thought of the addresses used by HSRP and VRRP.

Are there other well known addresses I should consider?

Making hundreds/thousands of attempts (even walking 4000+ HSRP addresses) is probably going to be okay for my use case, but I'm not interested in blindly groping through Cisco/Juniper/HP/Dell OUIs hoping for a hit.
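The addresses the post is after are the published first-hop-redundancy virtual MACs (HSRP v1 and v2, VRRP for IPv4 and IPv6, GLBP). Below is an added example, not code from the original post, that classifies a MAC against those ranges and picks them out of a MAC table dump; the sample table and its addresses are constructed, not captured from any network.

```python
"""Classify MAC addresses against the published first-hop-redundancy virtual MAC
ranges (HSRP v1/v2, VRRP for IPv4/IPv6, GLBP) and pick them out of a MAC table.
Added example, not from the original post; the sample table is constructed."""
import re

def _mac_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco aabb.ccdd.eeff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)

def classify_virtual_mac(mac: str):
    """Return (protocol, group) for a well-known virtual MAC, else None."""
    b = _mac_bytes(mac)
    if b[:5] == bytes.fromhex("00000c07ac"):            # HSRP v1: 0000.0c07.acXX
        return ("HSRPv1", b[5])                          # XX = group 0-255
    if b[:4] == bytes.fromhex("00000c9f") and (b[4] & 0xF0) == 0xF0:
        return ("HSRPv2", ((b[4] & 0x0F) << 8) | b[5])   # 0000.0c9f.fXXX, group 0-4095
    if b[:5] == bytes.fromhex("00005e0001"):            # VRRP IPv4: 0000.5e00.01XX
        return ("VRRP-IPv4", b[5])                       # XX = VRID (CARP uses the same range)
    if b[:5] == bytes.fromhex("00005e0002"):            # VRRP IPv6: 0000.5e00.02XX
        return ("VRRP-IPv6", b[5])
    if b[:4] == bytes.fromhex("0007b400"):              # GLBP: 0007.b400.XXYY
        return ("GLBP", (b[4], b[5]))                    # XX = group, YY = forwarder
    return None

_CISCO_MAC = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b", re.I)

def find_virtual_macs(mac_table: str) -> dict:
    """Scan 'show mac address-table' text and return {mac: classification} for
    every address that falls in one of the ranges above."""
    hits = {}
    for m in _CISCO_MAC.finditer(mac_table):
        c = classify_virtual_mac(m.group(0))
        if c is not None:
            hits[m.group(0).lower()] = c
    return hits

# Constructed sample output; the addresses are illustrative, not captured.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c07.ac0a    DYNAMIC     Gi1/0/1
  10    0000.5e00.0105    DYNAMIC     Gi1/0/2
  20    0007.b400.0301    DYNAMIC     Gi1/0/3
  20    0000.0c9f.f014    DYNAMIC     Gi1/0/1
  30    d4be.d96a.1122    DYNAMIC     Gi1/0/5
"""

if __name__ == "__main__":
    for mac, what in find_virtual_macs(SAMPLE_MAC_TABLE).items():
        print(mac, "->", what)
```

Feeding a real table dump to `find_virtual_macs` gives an inventory of which ports carry a redundancy-group gateway and which group, which is the hit the post is looking for without walking thousands of candidate addresses.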



Help diagnosing strange networking issue.

We have two switches connected via fibre. Both ends appear to be up and the config is correct. Port is tagged on the correct VLANs on both sides.

Looking at the counters on the interface I can see broadcast traffic but no unicast traffic. Also doing a "show mac-address" doesn't show any MAC addresses on the port. Switches have been working fine for 6 months and no config change from what I can tell.

Assuming possible SFP fault or fibre patch is damaged. Any other troubleshooting steps to diagnose?



FTDv - is IPS feature managed?

Hello, we are looking into using the FTDv on the edge of our Azure network. Is the IPS feature-set managed by Cisco? Will the definitions be automatically updated? If not, would it be better to use an ASAv and then purchase a separate virtual appliance outsourced to another company?



Learning BGP

Hello, I am learning BGP, to make sure I can understand how BGP is configured in the real world. I have a few questions to start with:

  1. Can BGP advertise routes that are learned exclusively through an IGP, like redistribution from OSPF or EIGRP, without network statements or an aggregate network address under router BGP? With auto-summary disabled?
  2. Can BGP learn routes through the local routing table on the router without manually redistributing?
  3. On sh ip bgp output:

What is the difference between the routes *i and *>i?

Is *>i when we specifically configure a valid internal route with AS number details using the additional command "as-set"?

Say we configured network 10.2.0.0/16 as *i on "router A", which has BGP peer "router B". On router A's sh ip bgp output, there is no AS path information next to network 10.2.0.0/16.

When this network 10.2.0.0/16 is learnt on Router B, don't *i routes by default get advertised to neighbor Router B and then propagate the network statement along with the AS number as *> in the neighbor Router B's sh ip bgp routing table?

Below is a general question

Those who work for an ISP, and in general: what is the most common issue you see on BGP networks? What basic troubleshooting steps do you do, with the knowledge of CCNA and CCNP? I am only asking the most basic ones (not how you design BGP, which I will not understand at this stage), since I might use those steps to properly understand my upcoming lab, comparing them to real-time scenarios and building my concepts.



BGP on Cisco ASA?

So I've recently taken over a datacentre infrastructure which has a multihomed internet edge (eBGP, transit, peering, full tables etc.), feeding into Cisco ASAs which in turn have Nexus 9k switches inside connected to servers running VMware.

The switching is using BGP EVPN for the VXLAN control plane. Currently there are static routes on the Internet edge routers for our aggregate public ranges pointing to the ASAs. In turn the ASAs have aggregate routes for these towards the Nexus switches, which are operating at layer 3 and have an internet VRF where the aggregates route into. The switches then have more specific routes pointing to particular end systems, some static, some BGP from other network devices.

We're in the process of building another datacentre location and I was wondering if I should stick with the static routes on the border routers and ASA? My gut feeling is to run eBGP between internet edge and ASA, and again between ASA and the switching. This would allow me to originate our public aggregates from the switches, and in theory save all the hassle of static routes.

A colleague who just left was wary of running BGP on the ASAs (running 9.4 btw). But he never explained why. My own thinking is we have BGP everywhere apart from these statics, so why not remove them and make our lives easier?

Any thoughts welcome.



A little help for our final exam

Hello all! Hope you're having a nice day

For our exam we have to set up some computers and a network; I won't get into detail about the specific requirements. We have done everything required so far, except the VPN.

It's a company setting which has 2 offices, 1 in two different cities. We need to make a VPN for the file server, which should be possible to access from away, i.e. a worker's laptop from home. We know that we could use the Windows VPN solution, but we want to make it better. One of us has a Cisco ASA 5505 switch/router, which we want to use for the VPN connection. It will kind of act like a gateway to the server.

We've tried this: https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/ezvpn505.html#wp1019263

But that didn't seem to be totally relevant to our situation.

This: https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/vpnrmote.html

Didn't seem to work, but was in the right alley, we suppose.

We already have a set IP address, which is the school IP.

Do you guys have any ideas/thoughts/possible solutions?

Would love to hear from you!

Have a good day

Edit: a guy who has years of experience working with Cisco systems, and also a colleague of one in my group, will remote control his computer to fix the config. Maybe that'll work.



Running into a career rock wall, and not in the traditional sense, need some advice if possible.

So I have been a network engineer for about 2 years and network experience before that, and I have spent approximately anywhere from 60 - 85 hours a week for the past year, studying and learning as much as I can about data center technology as it seems to be the more interesting/complex aspect of the industry, at least to me.

But with the realm of network engineering, everything seems very critical thinking based, and being someone who is multifaceted (might be the wrong word to use) in the sense where I like to be a visionary/be creative and address things in ways that have never been done before, I see myself at a slight impasse. I guess in a sense it is somewhat ego-based, but it more comes down to a sense of accomplishment internally. So I can say like "wow I addressed something that hasn't been looked at from that perspective before" and then get pleasure if I see that it helps accomplish something new/increase productivity.

To that end, since I am only in my mid 20's I feel like there is very little for me to accomplish because I have had 40 - 60 years of previous brilliant engineers in front of me addressing issues across the globe. I have had a lot of feedback from other people around me, who don't seem to understand why I am so anxious to go a different route than most people take in their careers as network engineers when I am so young in the industry. I love understanding how networking works at an engineering level unlike anything else, and I don't know why, but it's just how it is, which is why I invest so much time into it.

Does anyone have any suggestions, for those of you who have felt the same in the past or who have the same passion towards network engineering?

I think this needs to be somehow redirected towards something else as it seemingly is causing some people at work to give me grief about being too inquisitive almost to the point where I feel like they feel threatened in the job security sense despite having no intention to cause them any problems. I could be incorrect in that assumption, but I know the work world is full of politics and this is something that can't be avoided, unfortunately.

Anyways, thank you to everyone who has read through this post and especially those of you who provide some helpful feedback.



Is there any truth to the trend of putting networking into Linux being the future of networking?

I am following the trend of Linux-based networking, open networking, disaggregation, web-scale... whatever you call it, and I wonder if this is a real disruptive change or not? Soliciting the wisdom of folks here on the impact of putting “Networking into Linux” on the future of networking. Does anyone see merit(s) in having native integration of the network router/switch base operating system with Linux, or the integration of the Linux community (people) and data networking folks (CCIEs), reserved earlier for Cisco, Juniper and the like?



WIS-Q5300 subnet problems | subnet not seen

Hi guys,

I'm already pulling my hair out.

Device Name : WIS-Q5300 Software Version : 1.0.0338.20161115_Release BusyBox v1.15.3 

I have 2 of the same device, which basically I want to use to make a Wi-Fi bridge between 2 places.

Both devices are in bridge mode, but the SOHO router doesn't change a thing.

One is in AP mode, the other one in station/client mode.

One device after configuration can ping subnet 192.168.x.x and 10.2.x.x.

The other one, on the other hand, can ping 192.168 but not the 10.2.

I tried reinstalling firmware, factory reset, adding a route, iptables are flushed, importing config from one device to another.

NOTHING helps, what the hell am I missing?

routes on working device

 ~ # route
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 192.168.1.0     *               255.255.255.0   U     0      0        0 vbr1
 169.254.0.0     *               255.255.0.0     U     0      0        0 vbr1
 default         192.168.1.1     0.0.0.0         UG    0      0        0 vbr1

ARPS on working device

 ~ # arp
 ? (192.168.1.2) at 0c:68:03:9f:d4:82 [ether] on vbr1
 ? (192.168.1.1) at 00:8e:73:be:6d:a8 [ether] on vbr1
 ? (192.168.1.210) at ac:22:0b:7e:0a:db [ether] on vbr1   <- me

iptables on working device

 ~ # iptables -L
 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination

 Chain FORWARD (policy ACCEPT)
 target     prot opt source               destination

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination

Non working device routes

 ~ # route
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 10.2.1.0        *               255.255.255.0   U     0      0        0 vbr1   <- added / deleting it changes nothing
 192.168.0.0     *               255.255.252.0   U     0      0        0 vbr1
 169.254.0.0     *               255.255.0.0     U     0      0        0 vbr1
 default         192.168.1.1     0.0.0.0         UG    0      0        0 vbr1

non-working device arps

? (192.168.1.210) at ac:22:0b:7e:0a:db [ether] on vbr1 

^

Didn't ARP to the gateway?!!!

non-working device iptables

 ~ # iptables -L
 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination

 Chain FORWARD (policy ACCEPT)
 target     prot opt source               destination

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination
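The two route tables above decide which address each device ARPs for when it sends to a 10.2.1.x host, so it is worth tracing that lookup explicitly. The following is an added example, not code from the original post: the two tables are copied from the post as they appear above, while the parser, the lookup and the test destination (10.2.1.5, constructed) are my own.

```python
"""Longest-prefix-match over the two 'route' tables from the post, to show which
next hop (and therefore which ARP target) each device picks for a 10.2.1.x host.
Added example, not part of the original post: the tables are copied from the
post, the parser and the test destinations are constructed."""
import ipaddress

# Copied from the post (working device).
WORKING_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 vbr1
169.254.0.0     *               255.255.0.0     U     0      0        0 vbr1
default         192.168.1.1     0.0.0.0         UG    0      0        0 vbr1
"""

# Copied from the post (non-working device), including the manually added /24.
BROKEN_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.2.1.0        *               255.255.255.0   U     0      0        0 vbr1   <- added
192.168.0.0     *               255.255.252.0   U     0      0        0 vbr1
169.254.0.0     *               255.255.0.0     U     0      0        0 vbr1
default         192.168.1.1     0.0.0.0         UG    0      0        0 vbr1
"""

def parse_route_table(text: str):
    """Parse BusyBox/net-tools 'route' output into (network, gateway, iface) tuples.
    A '*' gateway means the prefix is directly connected on that interface."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "Destination":
            continue                      # skip headers and trailing annotations
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        if dest == "default":
            dest = "0.0.0.0"
        prefixlen = bin(int(ipaddress.IPv4Address(mask))).count("1")
        net = ipaddress.IPv4Network(f"{dest}/{prefixlen}", strict=False)
        routes.append((net, None if gw == "*" else ipaddress.IPv4Address(gw), iface))
    return routes

def lookup(routes, dst: str):
    """Longest-prefix match. Returns the chosen prefix, egress interface, next hop
    (None when directly connected) and the address the kernel will ARP for."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    net, gw, iface = best
    return {"prefix": str(net), "iface": iface,
            "next_hop": str(gw) if gw else None,
            "arp_for": str(gw) if gw else str(dst)}

if __name__ == "__main__":
    for name, table in (("working", WORKING_ROUTES), ("non-working", BROKEN_ROUTES)):
        print(name, lookup(parse_route_table(table), "10.2.1.5"))
```

Run against the two tables, the working device sends 10.2.1.5 to the default route and ARPs for 192.168.1.1, while the non-working device, with the /24 present, treats 10.2.1.5 as directly connected on vbr1 and ARPs for the host itself; the same lookup also shows which prefix claims the gateway address on each box, which is what the empty ARP entry above is about.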


What's the difference between these 2 TCP streams?

Hello fellow packet sleuths;

I am in a predicament writing firewall software that's supposed to middleman an HTTP connection.

Here is the TCP stream of the non-middleman'd connection: https://i.imgur.com/slD6Ke2.png

Here is the TCP stream of the middleman'd connection: https://i.imgur.com/33rDBJo.png

My problem begins once an HTTP request is made across more than 1 packet. Once a request is split across 2 or more packets it never seems to get recreated on the initiating side properly.

The unexpected behavior begins after the 404 page is sent back. Instead of acknowledging receipt and terminating the connection, the client sends a "TCP Spurious Retransmission" of supposedly non-acknowledged data.

The data that is retransmitted is equal to the 2nd packet's length offset from the start of the request. Meaning for some reason the client thinks only the first couple hundred bytes have been received, and re-transmits the 1460 it thinks is missing from the end of the request.

So if packet 67 has an HTTP payload length of 400 bytes, the retransmit will contain information starting from payload byte 400 in packet 66 and go all the way up through information sent in packet 67, totaling 1460 bytes.

What can be causing this retransmit of already acknowledged information? Why doesn't the middleman'd connection acknowledge receipt and terminate the connection like the non-middleman'd one?

I've spent too many hours banging my head on this, any assistance would be greatly appreciated.
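The retransmission pattern described in this post (1460 bytes resent starting at byte 400 of the request) is what a TCP sender does when the highest cumulative ACK it has seen stops at byte 400, however many bytes the other side actually buffered. The following is an added example, not code from the post or from its firewall: a minimal model of sender and receiver sequence accounting. The 1460 + 400 byte split is taken from the post; the faulty ACK policy is constructed so that it reproduces the described symptom, and is not a claim about what the poster's software does.

```python
"""A minimal model of TCP cumulative acknowledgement, to show why a client
retransmits the tail of a request that was split across two segments when the
box in the middle ACKs fewer bytes than it actually received. Added example, not
code from the original post; the segment sizes (1460 + 400) are taken from the
post, the faulty ACK policy is constructed to reproduce the symptom described."""
from dataclasses import dataclass

MSS = 1460

@dataclass
class Segment:
    seq: int
    payload: bytes

    @property
    def end(self) -> int:
        return self.seq + len(self.payload)

class Sender:
    """Client side: snd_una is the oldest unacknowledged byte, snd_nxt the next
    byte to send. Everything in [snd_una, snd_nxt) is still 'in flight'."""
    def __init__(self, isn: int):
        self.isn = self.snd_una = self.snd_nxt = isn

    def send(self, data: bytes):
        segs = []
        for off in range(0, len(data), MSS):
            seg = Segment(self.snd_nxt, data[off:off + MSS])
            self.snd_nxt = seg.end
            segs.append(seg)
        return segs

    def receive_ack(self, ack: int):
        # An ACK never moves snd_una backwards; a stale or bogus ACK is ignored.
        if self.snd_una < ack <= self.snd_nxt:
            self.snd_una = ack

    def unacked(self) -> int:
        """Bytes a retransmission timer would resend, starting at snd_una."""
        return self.snd_nxt - self.snd_una

class Receiver:
    """Server/middlebox side: rcv_nxt is the next in-order byte expected; a
    correct ACK carries exactly this value (cumulative acknowledgement)."""
    def __init__(self, irs: int):
        self.irs = self.rcv_nxt = irs
        self.data = b""

    def receive(self, seg: Segment):
        if seg.seq == self.rcv_nxt:          # in-order: append and advance
            self.data += seg.payload
            self.rcv_nxt = seg.end

def cumulative_ack(rx: Receiver, last: Segment) -> int:
    """What a correct stack does: acknowledge up to the next expected byte."""
    return rx.rcv_nxt

def ack_from_last_segment_length(rx: Receiver, last: Segment) -> int:
    """Constructed fault: the ACK is derived from the size of the most recent
    segment counted from the start of the stream instead of from rcv_nxt."""
    return rx.irs + len(last.payload)

def run(request: bytes, ack_policy, isn: int = 1000) -> dict:
    """Deliver one request, then return a single delayed ACK chosen by ack_policy
    and report what the client still believes is outstanding."""
    tx, rx = Sender(isn), Receiver(isn)
    segs = tx.send(request)
    for seg in segs:
        rx.receive(seg)
    tx.receive_ack(ack_policy(rx, segs[-1]))
    return {
        "reassembled": rx.data == request,          # receiver has every byte
        "unacked_bytes": tx.unacked(),              # what the client would resend
        "unacked_from_offset": tx.snd_una - tx.isn, # where the resend starts
    }

if __name__ == "__main__":
    REQUEST = b"G" * (MSS + 400)    # constructed 1860-byte request, two segments
    print("correct  :", run(REQUEST, cumulative_ack))
    print("faulty   :", run(REQUEST, ack_from_last_segment_length))
```

With the faulty policy the receiver has reassembled the whole request, yet the client is told only 400 bytes arrived and will resend 1460 bytes from offset 400, which is exactly the capture described above; the thing to inspect in a middlebox is therefore the ACK number it emits relative to the peer's initial sequence number, not whether its reassembly buffer is complete.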



Wednesday, June 13, 2018

Large Verizon outage in Great Plains (OK,Tx,KS, MS)

One of the main paths for Verizon is being reported in Tulsa that the two main fiber feeds coming into that area were cut simultaneously. They come from different services and totally different directions. Impacts phone and data.

Sounds like someone is upset about NetNeutrality.

There is also starting to be some spikes about T-Mobile outages in OKC as well.



networking a modem and standalone router for static

I got a modem (Arris) and standalone router (Sagemcom) from the ISP and they provided me with static info to plug into the RIPv2 section of the router. I got it entered in and the connection works, but I'm just curious: if the router is what handles the static info and the modem is just dynamically bridged, are the private IPs (192.x) going to be from the dynamic or the static connection?



What are some advanced tools that you guys use? (software only)

Hi, I study networking and we were asked to find an important tool for professional network admins and study it and then make a presentation about it.

Yes, I could google it, but hearing from actual net admins is obviously better.

Thanks in advance.



How do you guys diagram multi-context firewalls and VRF's?

Title. I've always just drawn separate routers/firewalls and labeled them with each VRF/context but I'd like to be able to make it a little cleaner and evident that it's the same physical device but just separate routing instances.



Installing a RapidSSL certificate on a new Cisco ASA 5516

Hello,

I am on a contract, and my manager/supervisor asked me to install the SSL certificate. We are replacing the old Cisco ASA with this new one. The problem that I am having is that I don't have the rapidssl certificate hash. The website gives clear instructions, and we're still going to be using that old firewall until we have everything set.

I spoke with technical support, and they said you have to reissue the certificate in order to install the csr on the new ASA. My manager is giving me the run around, I've asked him repeatedly to help me get into the rapidssl security center account. He'll respond in like 3 hours with unhelpful information. I don't think he knows the credentials. Am I missing something here?



Trying to set up a 75,000 sq ft facility hardware stack after the network admin quit; looking for feedback.

I'm not setting up any of the addressing but the following hardware is what we are considering:

Wireless as primary, wired as a fallback.

Be as critical as possible, I am not a network admin.

  • Redundant fiber into the "server" room
  • Two Cisco Meraki MX100 connected by VRRP
  • Both MX100's feed into a Cisco Cat 9300 24 port
  • Cat 9300 feeds two Cisco 3504 Wireless controllers (redundancy)
  • Run redundant lines to each floor core using ceiling rails
  • Cisco 9300 Network Modules at each core (total of 8)
  • Cisco Aironet 4000 access points for a mesh network
  • Cisco VOIP phones (no model picked yet) with pass-through

Thanks!

Edit: 25,000 Sq ft



learning networking mostly the coding part

Basically, I'd like to focus more on the coding part of the network, like establishing connections, how packets are transmitted, sort of like a hacker who has enough knowledge to exploit current properties of the network hardware and software protocols to build something new. I could learn hardware, but being self-taught, getting all the different types of resources to experiment with is not very feasible.

To be honest, I'm not really sure what sort of grade in networking I am aiming for. For me hackers are superheroes, all the filmic and theatrical hackers that seem to be really smart. I wanted to reach that goal of becoming such a hacker, but reality really isn't like that; you gotta aim for something, like pentester, white hat, forensics or something. So, I really have this fuzzy goal, that I hope can be sharpened by more experienced people of the community.

Most people I know suggest taking the CCNA course, or something like that, but I don't like the idea of being very specific with one sort of technology, though I know it's a reputed one. I'd like to know it from the ground up, understanding the core and expressing it in code. Only on these grounds could I build or create new technologies or implement my OWN ideas, and not just implement something that was invented and eased up by someone else for the rest of time. So, how do I start?



Networking as it pertains to the video game industry

Recently obtained my CCNA and have been curious as to what the science is behind the video game industry as it pertains to the Networking world. What's the proprietary technology or maybe the niche concepts as it relates to multiplayer game sessions and networking? Or what infrastructure might be required? I have been trying to find some information but I'm not sure what to search for or keywords to use , as I am finding very little information on the web.



PSA: recent Windows updates disabling SMB1

Windows April/May updates are disabling SMB1 protocol on computers / servers.

This can cause various communication issues between workstations and servers. Examples are credit card readers communicating with host software and browsing file shares via VPN.

This is detectable during a packet capture, there will be a reset packet immediately after a protocol negotiation.

Please see link for PowerShell commands for checking, enabling, and disabling various SMB versions.

https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and



DrayTek Vigor2860 Port 443/80 Shows Open?

Hi guys/gals,

We run DrayTek Vigor2860 routers here and when you port scan our IP Address from an outside network it shows that Port 80/443 are both open. There's no service running on these ports, remote management is disabled etc... However it is false flagging some issues with a company we use. I've looked through the configuration page but I can't seem to find anywhere where these ports are enabled. If I go to our IP Address from an outside network it doesn't resolve, but a port scanner will find these ports to be open. Anybody know how I can close them?



OSPFv2/v3 & BGP

Hi redditors.

So, I'm going for my first year exam on Monday, where we made a report on the different protocols and standards. I've got a 20 min presentation about OSPF, BGP and a bit of IPv6 since OSPFv3. Do you have any key "tips" that I absolutely need to point out?

Sorry if this is not the right subreddit.



how does multipoint GRE work?

the pluralsight article that pops up when googlin' just shows how to configure it. that's cool -- I want to understand what happens to the packets. how does it work?



What Is Dark Fiber?

The term dark fiber (often spelled dark fibre or called unlit fibre) most commonly refers to installed fiber optic cabling that is not currently being used. It sometimes also refers to privately operated fiber installations.



L2TP VPN?

We are setting up an L2TP VPN between an IP phone and our FortiGate FW. I have enabled PSK and XAUTH as well on our FortiGate device, but upon running diagnostic logs, my proposal and the IP phone's are matching but values are not matching:

 incoming val=PRESHARED_KEY_XAUTH_I my proposal = PRESHARED_KEY 

which is causing the VPN to fail. Any pointers on where I am wrong?



mid-market firewall/security appliance recommendations

I currently operate a 23 branch office business with one main "HQ" that houses almost all of our internal applications in our data center.

We are an HP/Aruba shop but utilize WatchGuard firewalls for our policy-based security appliances. Our licenses are set to expire in the next year and I am looking for something slightly more enterprise-worthy and scalable.

I know this is pretty vague but just looking to see what is favored among those who manage more than just a handful of firewalls and if there is newer technology I should consider.



Tuesday, June 12, 2018

EMC subreddit

Is there an official EMC subreddit? Our company came into possession of a VNX system. I am a complete newbie and I need to learn / set it up. Anyone know where I can go to ask a few questions?



Edge using different DNS?

Some quick background. My developers are trying to test using all the browsers. All of them work except Edge for these sites which are hosted on a server locally on the network. NSLOOKUP shows the right IP and when I set up a test binding using just the IP and a non-standard port it still doesn't work. I'm at a loss on how to fix an issue that only resides in Edge. Any ideas? (Oh, and Edge works just fine on my machine, just not on anyone else's, so yeah, that's weird too.)



ospf default route selection

Hello network forum.

From my understanding of the RFC, OSPF route selection works like this: I > I OA > E1 > E2 > N1 > N2

Pretty basic.

I have an OSPF area 0 connected to an NSSA. The backbone area is getting a default E2 route from an edge router connected to the internet. The NSSA is setting a default N2 route via its connection to the Internet.

My ABR selects the N2 default over the E2 default when I send the default route in from the ASBR within the NSSA.

Thoughts on why?

I was expecting that area 0 will use its default route and the NSSA will have the default within its area but would use the area 0 default to go everywhere.



Remote Access VPN to secure Office LAN?

My boss has put the idea across to me that he wants to implement a remote access vpn for all users at all remote sites as a means of protecting the office LAN. Reasoning behind this is that not all sites have a firewall and there is a fortigate cluster in a DC doing nothing. He says that sending all traffic to the UTM would offer security without having to spend on more equipment.

Anyone implemented something similar or seen this kind of solution before?



Performance monitoring

I am looking for a way to monitor throughput and performance from various remote sites on the cheap. Most of the sites have GRE or ipsec (various vendors) and are moving to SD wan (Citrix netscaler with GRE). I would like to be able to test with more than just ipsla. I'd like to see bandwidth for downloads and speedtests, throughput, etc. Any ideas? I'm not opposed to something like raspberry pi but need to know packages etc.

Thanks!



IPv6 and WiFi routers

Hello,

I have been trying to deploy IPv6 for a few months now, to all our direct clients. The first problem I have faced is that 99.999999% of them use WiFi routers that don't have IPv6 support. Those that do support IPv6 have it disabled, and clients would much rather be on a private IP (that is masqueraded) than have a public IP.

Is it the case everywhere? Meaning, do WiFi routers in Europe, Australia, the United States have that function by default or not?

I have been trying to get a few vendors to talk to their supplier in China to enable v6 on the cheaper routers (all they need to do is upgrade the firmware) but China doesn't care much for v6.

I know that most places will have minimum requirements for equipment to be imported and IPv6 is one of them.

IPv6 has certain security functions over IPv4; would that be a reason why Chinese companies won't include it? Allegedly it blocks their access?

Those who connect directly to a PC are fine though, but that number is really small.

I'm doing it through PPPoE though, by assigning a /64 per access router; clients are meant to get a private IPv4 and an IPv6. How are the rest of you doing it? Why is DHCP better? Or is it?



The Power of Innovative Customers

Imagine this. You have 650 buildings distributed across a state, a campus that really is a small city with all of the IoT endpoints required to run smart energy, water, fire, safety, lighting, and cooling among many other IoT elements. Imagine all of these distributed IoT endpoints running on a flat L2 network – the same network used by all of the students, faculty, administrators, and personnel within the Penn State system. Now imagine having a team of only four people to connect and protect those endpoints – there were just too many sleepless nights for Tom Walker and his team. Tom and his team knew they needed to do something different and it started with wanting to be able to segment his systems from all of the other chaos on the shared network. He looked at the traditional IT alternatives like next-gen firewalls and VPNs and using a combination of ACLs, VLANs, and NAC with port lockdown. But the complexity and administrative overhead was just too high, not to mention they can never accomplish true segmentation.

https://zerotrust.temperednetworks.com/the-power-of-innovative-customers/



I wrote a Python script to automate the actioning of those annoying, unstructured carrier maintenance notification emails

We get dozens of these a week, and previously each of them had to be read, checked against a database, and then have an Outlook event created manually. After doing this long enough I finally cracked the shits and automated it.

The workflow is fairly specific to my organization, but I'm sure with a little work it could be adapted for anyone. Similarly, if you get notifications from a carrier that is not included, please write a function that can extract the information required and submit a pull request.

Check it out on GitHub, and I welcome any feedback positive or negative.

https://github.com/OsirisS13/Carrier-Maintenance-Notification-Automation



Static on phones after hardware upgrade

So one of my clients upgraded their MPLS from 100Mb to 200Mb; the only problem is that the device that the carrier was handing off to only had 10/100Mb ports. So I removed the old 2800 router that was in place and moved the connection down to the core 6500 switch to take advantage of the new circuit speed. Everything went well the day of the cutover until Monday morning. They called me saying that they are now getting static on the phone lines when making calls from office to office and office to the outside. I copied all of the QoS config bits from the old 2800 to the 6500 but that did not fix the issue. To add, it's the branch offices that are having this issue, not the main campus facility where I made the upgrade. Any help on this issue would be awesome because I do not have any background in VoIP. I can also upload a diagram of the changes I made if that is needed.



What options are there for Company A to access data from Company B network (same physical location). Best practises? Worst?

Hi All,

I'm looking for the best way to allow access to another company's server from within our network (We are both located on same physical site). At the moment Company B have limited infrastructure and the setup is below.

Current Setup

They have an application server that grabs some info from vehicles at one or two points.

Company A has a much larger network and we are looking to assist them in grabbing the necessary data and piping it through to their application server. Future setup will be something along the lines of this.

Future Setup

I'm fairly fresh into the networking space, coming from a sysadmin role, and would like to know if there are any recommended solutions for achieving this.

Some points below

According to Company B this application\server does not have the ability for us to just pipe their data through the cloud and grab it from there. We are a remote site, with each company having their own internet connectivity. This is not the fastest and we would prefer to not have to rely on WAN links and to keep this data local. Their IT Dept has asked us if it would be possible to open up a trunk port to our network. I know this can technically be done, and even secured by limiting certain VLANs/traffic etc etc.

I feel like although this is possible there are most likely better options available that would not directly connect our network to another company's that we have zero control over.

Is there a best practice for this type of activity?

VPN device on each end ?? (even though both companies are at same location) Firewall that we control and have company B connect to that? (layer 2? ) Any other option?

Cheers



Can someone help me with the wiring of this ethernet wall port?

So I was trying to get ethernet into my room via a cat 5e ethernet wall port.

However I opened it up and found this green wire just hanging out, not connected to anything.

Any help?

http://imgur.com/0U4Ux2w



Local interfaces on SRX cluster

This page and others seem to suggest that it's perfectly valid to use local interfaces within an SRX cluster to connect to 2 routers on the external side and a reth on the internal side.

This page, however, seems to contradict this:

When using SRX Series devices in chassis cluster mode, we recommend that you do not configure any local interfaces (or combination of local interfaces) along with redundant Ethernet interfaces

I've used a reth previously on the external side with an L2 bridge between the routers, but using local interfaces seems a more straightforward setup.



5506-X AnyConnect termination behind Meraki MX

As the title states, I have a customer I'm doing some work for and need to migrate their older 5505 and 3900 series router to a Meraki MX appliance. Due to Meraki not currently supporting AnyConnect VPN and the customer wanting that functionality, a 5506-X was purchased to handle that role exclusively.

So here's where I would either like some experience from someone who has done this in the past or to bounce some knowledge around to help me understand, or better understand, what I'm going to attempt to do and know if it works or not.

The customer's VPN has a hostname for clients to connect to in some sort of "vpn.abc.com" format which their employees already use. Now to my knowledge, when you typically try to connect to the VPN using the FQDN it would perform the DNS functions for you and automatically connect to the port facing outside for allowing the SSL VPN to establish a connection. Here's where my question comes into play, as the 5506-X is not the outside-facing device but is sitting behind the MX in a subnet of its own.

If I am to have the network as Internet > MX > 5506-X, all I would need to do is the following:
1. Assign an IP to the outside interface of the 5506-X which falls into a private IP subnet assigned by the MX. (example 192.168.1.1 = MX, 192.168.1.2 = 5506-X)
2. Perform a 1:1 NAT translation on the MX stating that 192.168.1.2 will use a specified external IP with specified ports for SSL VPN to connect.

I guess where my biggest question comes into play will be: where is the DNS name assigned? As this is my first time standing up AnyConnect on an ASA, would the FQDN be applied to the 5506-X in the cert? Or would I have to place the hostname up on the MX so it will translate and direct the clients to the 5506-X to complete the connection? As opposed to someone having to put in something like 20.154.1.30 every time they want to connect to the VPN.

Thanks!



IP KVM with no data transfer? (x-post from /r/homelab)

Does anyone know of an IP-based KVM that does not have the capability of passing data to the remote user through the KVM? Only video and keyboard / mouse?

I have a project where I have a server in another room that has to be on a separate network. There will be dedicated routers and switches for this network. I would like to control the server from my existing computers in the office.

The only other option that I have been able to find is to buy another computer for this separate network to put in the office so I can remote into the server.



HTTPS redirect on WLC

Hi all,

First post here...

We have had 7-10 users in the past week or two explain that they can't connect to our guest wireless network anymore. We have a web authentication page that pops up when they try to connect and just asks them to accept the terms and conditions. Since Google updated Chrome to version 67 Chrome only uses HTTPS which has caused issues. Our web authentication page uses HTTP so the page times out. Cisco TAC said that I should turn on HTTPS redirect and that would fix my issue. However, there is a major flaw with implementing this that would affect all users connecting to our guest wireless SSID.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118826-config-https-webauth-00.html

"The warning message "certificate is not issued by a trusted certificate authority." appears on the browser after you configure the https-redirect feature. This is seen even if you have a valid root or chained certificate on the controller as shown in Figure 1 and Figure 2. The reason is that the certificate you installed on the controller is issued to your virtual IP address."

So if I enable HTTPS redirect all users will receive the security alert whenever they try to connect. Cisco TAC also gave me another option of using a different browser than Chrome (which I know won't sit well with users and isn't an option for others who have Google phones).

Does anyone have any ideas for me?
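As background on why the warning quoted from the Cisco document above cannot be avoided by installing a "better" certificate, here is an added example (not from the post or from Cisco) that models the hostname check a browser performs on the certificate it receives. With https-redirect the controller answers the TLS handshake for whatever site the client originally requested, so the certificate is compared against that site's name, not against the controller's own. All names and addresses below are constructed for the example.

```python
import ipaddress


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match in the spirit of RFC 6125 section 6.4.3:
    a wildcard is honoured only as the entire left-most label and it
    matches exactly one label ("*.corp.example" matches "a.corp.example",
    not "a.b.corp.example" and not "corp.example")."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p[0] != "*":
        return p == h
    return len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def cert_matches(requested: str, san_dns=(), san_ip=()) -> bool:
    """Would a browser accept this certificate for the host it asked for?

    requested: the host the user typed into the address bar.
    san_dns / san_ip: the certificate's subjectAltName DNS and IP entries.
    An IP literal in the address bar is only satisfied by an IP SAN entry,
    never by a DNS entry that merely looks like an address."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        return any(_dns_match(name, requested) for name in san_dns)
    return any(ipaddress.ip_address(entry) == ip for entry in san_ip)


def https_redirect_warns(original_host: str, controller_san_dns, controller_san_ip=()) -> bool:
    """True when the controller's certificate (issued for its virtual IP
    hostname) is presented for a site the client actually asked for and the
    browser will therefore show a certificate warning."""
    return not cert_matches(original_host, controller_san_dns, controller_san_ip)


if __name__ == "__main__":
    # Constructed example: the controller's certificate is valid for its own
    # virtual-IP hostname, but a guest opened https://www.example.org first.
    wlc_san = ["wlc-guest.corp.example"]
    print(https_redirect_warns("www.example.org", wlc_san))          # True
    print(https_redirect_warns("wlc-guest.corp.example", wlc_san))   # False
```

The warning is the browser doing its job: an HTTPS session answered by a device other than the site's real server is indistinguishable from an interception attack, so no certificate you can legitimately obtain will be accepted for arbitrary third-party hostnames. The durable fix is to rely on the operating systems' and browsers' own captive-portal detection (they probe a plain-HTTP URL before the user opens anything) so the portal is reached over HTTP, rather than intercepting HTTPS.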



How to debug L1 Auto negotiation issues?

One of our Linux hosts has started switching its gears recently. While checking the interface speed, I could see that the interface had switched down to 10Mbps. I would like to debug to the root cause of the issue. We are planning to perform the below mentioned actions.

  1. Perform the cable test to check on the sanity of the cable
  2. Double check on the switch configurations.

Given that tcpdump works from L2 and up, there is no point in getting a tcpdump. Do you guys have any other pointers? Perhaps syslog/dmesg? How do you approach issues and collect stats on issues at the L1/PHY layer?
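One place the PHY layer is visible from the host is the negotiation state that `ethtool <iface>` reports. The following added example (not from the post) parses that output and classifies the result the way a first-pass triage would: what this NIC can do, what the link partner advertised, and what was actually negotiated. The output text below is constructed for the example, in the layout ethtool uses; it is not from the poster's host.

```python
import re

# Constructed sample in ethtool's layout: a gigabit NIC whose partner only
# advertised 10 Mb/s modes, so the link came up at 10 Mb/s half duplex.
SAMPLE_ETHTOOL = """\
Settings for eth0:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised auto-negotiation: Yes
        Link partner advertised link modes:  10baseT/Half 10baseT/Full
        Speed: 10Mb/s
        Duplex: Half
        Port: Twisted Pair
        Auto-negotiation: on
        Link detected: yes
"""

LIST_KEYS = ("Supported link modes", "Advertised link modes",
             "Link partner advertised link modes")
_MODE_RE = re.compile(r"^(\d+)base")      # "1000baseT/Full" -> 1000


def parse_ethtool(text: str) -> dict:
    """Turn `ethtool <iface>` output into the fields that matter for L1 triage."""
    scalars, lists, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line:
            key, _, val = line.partition(":")
            key, val = key.strip(), val.strip()
            if key in LIST_KEYS:          # multi-line mode lists
                current = key
                lists[key] = val.split()
            else:
                current = None
                scalars[key] = val
        elif current:                     # continuation line of a mode list
            lists[current].extend(line.split())

    def max_mode(key):
        speeds = [int(m.group(1)) for t in lists.get(key, []) if (m := _MODE_RE.match(t))]
        return max(speeds) if speeds else None

    m = re.match(r"(\d+)Mb/s", scalars.get("Speed", ""))
    return {
        "speed_mbps": int(m.group(1)) if m else None,   # None for "Unknown!"
        "duplex": scalars.get("Duplex"),
        "autoneg": scalars.get("Auto-negotiation") == "on",
        "link": scalars.get("Link detected") == "yes",
        "local_max_mbps": max_mode("Supported link modes"),
        "advertised_max_mbps": max_mode("Advertised link modes"),
        "partner_max_mbps": max_mode("Link partner advertised link modes"),
    }


def assess(info: dict) -> list:
    """First-pass findings from the parsed settings; each string names where to look next."""
    if not info["link"]:
        return ["no link: start with the cable and the switch port state"]
    findings = []
    if info["duplex"] == "Half":
        findings.append("half duplex negotiated: expect collisions and late collisions in the counters")
    spd, local, partner = info["speed_mbps"], info["local_max_mbps"], info["partner_max_mbps"]
    if spd and local and spd < local:
        findings.append(f"downshift: running {spd} Mb/s, NIC supports {local} Mb/s")
        if partner is not None and partner <= spd:
            findings.append(f"link partner advertises at most {partner} Mb/s: check the switch port "
                            "configuration and the switch-side port counters")
        elif partner and partner > spd:
            findings.append("both ends advertise faster modes yet negotiated slower: suspect the cable "
                            "(gigabit needs all four pairs) or the connectors")
    if not info["autoneg"]:
        findings.append("auto-negotiation off: a forced speed/duplex must match the switch exactly")
    return findings


if __name__ == "__main__":
    for line in assess(parse_ethtool(SAMPLE_ETHTOOL)):
        print(line)
```

To feed it real data, pipe `ethtool eth0` into `parse_ethtool`. Pair it with `ethtool -S eth0` (driver error counters such as CRC and alignment errors, which are the L1 symptoms visible to software) and with the kernel log, since NIC drivers log every link up/down and speed change there; a timeline of those messages usually tells you whether the port is flapping or renegotiated once.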



DSL anomaly


IT hardware availability in Adelaide/SA?

I've put this in r/Adelaide as well.

I am working in SA for a couple weeks, and I need to get ahold of some business-grade network equipment (PDUs, rack shelf, cabling, etc). Is there anywhere that I might be able to walk in and buy this equipment? Google is coming up fairly dry except for mail order or a place in NSW. I'm 2.5 hours from Adelaide so I could make that work. At this point, even the cheap stuff I see at Fry's in the US would work.



Monday, June 11, 2018

Local Switching on ASR 1k

Hi Guyz,

I have configured local switching on CSRV1k (GNS3). But I'm having an issue connecting the 2 routers' interconnection via local switching. Simple diagram is (RTR)<->(CSRV1)<->.

RTR's configuration:

RTR01: int vlan 10 / 192.168.10.200

RTR02: int vlan 10 / 192.168.10.250

CSRV1 Configuration:

Method 1:

  interface g1
   no ip address
   service instance 10 ethernet
    encapsulation dot1q 10
    bridge-domain 10
   no shut
  interface g2
   no ip address
   service instance 10 ethernet
    encapsulation dot1q 10
    bridge-domain 10
   no shut

Method 2: (removed bridge-domain)

  interface g1
   no ip address
   service instance 10 ethernet
    encapsulation dot1q 10
   no shut
  interface g2
   no ip address
   service instance 10 ethernet
    encapsulation dot1q 10
   no shut

  l2vpn xconnect context LOC
   member Gi1 service-instance 10
   member Gi2 service-instance 10

Note: as per checking using "show l2vpn service all", all details are up/up, local and remote, and in method 1 local bridging has the correct interface.

Any idea if there's an incorrect configuration, or if this setup is not supported by GNS3?

Thank you



Are there any proxy vendors that support UDP of SOCKS5?

I have already tried 5 vendors and none of them support UDP feature of SOCKS5. They either return relay ip 0.0.0.0, port 0, or no response after UDP ASSOCIATE request, or just don't send UDP packets to server. I know my implementation is fine because I tested it with a custom SOCKS5 proxy server that supports it.



OSPF/BGP in High Availability Environment

Hi guys,

How do OSPF and BGP behave in HA? When we have 2 routers acting as active/standby and the active one goes down, how will the routing protocol know to use the secondary path?

Also where can I find case studies or study material on the subject?



Cisco catalyst 3560e won't pass anything other than management frames

My laptop can't see anything else connected to the switch; however, I can see the switch is green (physically) and the switch shows the laptop's MAC address on the port (I'm serial connected now).

The laptop shows its connected to a network in windows.

Lastly, the router on the other side has the laptop mac address in its arp table. Thoughts?



Low on IP, Windows Domain

I've been "given" a network on 10.0.0.0/24 which is low on IPs. It was a small office before; now there is a forest with 3 domain controllers (my IP problem is on the main one). What are my options?
I thought about changing it to 10.0.0.0/16 but I'm afraid of what it can do to the forest.

OTOH a superscope on DHCP seems simple (worked great on a quick lab setup), but I was not able to find an answer to this question: in this scenario the router will be my IP helper. In case some users try to transfer a few gigabit files at the same time, will the router be used (which will slow everyone down), or is the router only translating, and the transfer still going from machine to machine, even on different subnets? (And in this scenario, an IP helper is needed, right?)

Any other options?



Set up one machine access to IP address

Hello everyone,

I have been trying to find this answer, and I am new to networking, so my search skills may be off.

I have an access rule configured in my router to allow specific port access to a specific IP within our network. This allows users to access the internal database through this host computer.

I set the host up with a static IP, but it had a power surge and another machine jumped onto its IP thus making the database unreachable.

I put the host on a battery backup, but is there a way to only allow a certain machine to connect to the IP? I checked in the router configuration, searched online, and searched here. I haven't found this yet. Also, everything is running Windows 7 or Windows 10.



Moronic Monday question regarding Cisco's NGFWv

Is Cisco's NGFWv for Azure a capable replacement for an on-prem 5525 ASA? I like the fact that it has IPS/AMP built-in but I'm wondering if it can replace our ASA entirely. I see that it does support AnyConnect, but not sure if it supports site to site IPSEC through VTI's or by setting up crypto-maps... does anyone know if this is possible or if there's any documentation on it specifically?



What's the best way to sync client/server folders?

I'd like to sync a folder "John" from a user profile on the server to a duplicate folder "John" on the client desktop, as a form of redundancy.



Switch configuration - Client gets IP lease from previous VLAN

Hi all,

We have 5x Dell S3048 switches, combined into a cluster. I created our new VLANs / subnets and their DHCP scopes where needed.

To explain the main problem, here are 2 of them:

  • Normal User-VLAN/Subnet: 172.16.103.0/24 (DHCP scope from .11 to .230)
  • Finance User-VLAN/Subnet: 172.16.112.0/24 (DHCP scope from .11 to .30)

I configured two ports untagged. One in vlan 103, the other one with vlan 112. DHCP-Server is configured in both vlans.

Notebook #1 is plugged into Port 1 and gets IP 172.16.103.11. Unplug it, delete its DHCP lease, plug it into Port 2, and it gets the same IP again with a fresh lease. After it got the wrong IP, the notebook is not able to communicate anymore.

Notebook #2, plugged into VLAN 112, gets IP .112.11; unplug, delete the lease in DHCP, plug into VLAN 103, and it gets a fresh lease from the previous VLAN, 103.

I have no idea why this happens :(

I hope someone can help me out. Thanks in advance
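As background for this kind of problem, here is an added example (not from the post and not vendor code) of the rule a DHCP server uses to choose a scope for a relayed request: RFC 2131 section 4.3.1 says the subnet is taken from the giaddr field, which the relay agent (ip helper) fills with the address of the interface the broadcast arrived on, and only when giaddr is zero from the interface the server itself received the packet on. The packet builder and the two scopes below are constructed for the example using the subnets from the post; the MAC address and transaction id are placeholders.

```python
import ipaddress
import struct

# BOOTP fixed header up to and including chaddr (44 bytes):
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_END, OPT_PAD = 53, 0xFF, 0x00
DHCPDISCOVER = 1

# Constructed scopes matching the subnets in the post.
SCOPES = {"users": "172.16.103.0/24", "finance": "172.16.112.0/24"}


def build_discover(mac: str, xid: int, giaddr: str = "0.0.0.0", hops: int = 0) -> bytes:
    """Constructed DHCPDISCOVER. A relay agent that forwards the client's
    broadcast sets giaddr to its own interface address and increments hops."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    zero = b"\x00" * 4
    hdr = BOOTP_HDR.pack(1, 1, 6, hops, xid, 0, 0, zero, zero, zero,
                         ipaddress.IPv4Address(giaddr).packed, chaddr)
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])
    return hdr + b"\x00" * 64 + b"\x00" * 128 + MAGIC_COOKIE + options   # sname, file


def parse_dhcp(pkt: bytes) -> dict:
    """Pull the fields a scope decision depends on out of a DHCP packet."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _, hlen, hops, xid, _, _, _, _, _, giaddr, chaddr = BOOTP_HDR.unpack(pkt[:44])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "hops": hops,
        "xid": xid,
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": chaddr[:hlen].hex(":"),
        "msg_type": opts.get(OPT_MSG_TYPE, b"\x00")[0],
    }


def select_scope(giaddr: str, ingress_subnet: str, scopes: dict):
    """Scope selection per RFC 2131 section 4.3.1: anchor on giaddr when the
    request was relayed, otherwise on the subnet of the receiving interface."""
    if giaddr != "0.0.0.0":
        anchor = ipaddress.IPv4Address(giaddr)
    else:
        anchor = ipaddress.ip_network(ingress_subnet).network_address
    for name, net in scopes.items():
        if anchor in ipaddress.ip_network(net):
            return name
    return None


if __name__ == "__main__":
    # Relayed from the finance VLAN's SVI (placeholder .1 address) -> finance scope.
    pkt = build_discover("00:11:22:33:44:55", 0x1234, giaddr="172.16.112.1", hops=1)
    info = parse_dhcp(pkt)
    print(info["giaddr"], "->", select_scope(info["giaddr"], "10.0.0.0/24", SCOPES))
```

The practical use is as a checklist for the capture you would take on the server: the giaddr in the DHCPDISCOVER/DHCPREQUEST that reaches the server decides the scope, so if a client on the VLAN 112 port receives a VLAN 103 address, the packet either arrived with a giaddr from 172.16.103.0/24 (look at which SVI or helper relayed it) or arrived unrelayed on a server interface in that subnet. The same section of the RFC also requires the server to answer a DHCPREQUEST for a previous address with DHCPNAK when that address is not on the subnet indicated by giaddr, which is how a correctly relayed client is forced off its stale lease.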



[Question] VLAN multiple IPs

Is it possible to assign the same IP address twice without problems?

For example: Client1: 192.168.1.10/24 nothing special.
Client2: 192.168.1.10/24 in a VLAN (static/port-based) Both Clients are connected to the same switch and the VLAN is not routed.

What do you guys think will there be conflicts?



How do I connect a pair of switches in a Stack with a pair connected by VLT?

I have a pair of Dell 7048s in a stack, with SFP+ expansion cards in each. Then a pair of 4048s, connected by a VLT. I would usually stack and just port channel between the stacks. But the nature of the tech on the 4048s (Storage Spaces Direct) it is not recommended. So Dell advised the VLT, I have set it up but the switch ports haven’t 'combined' or anything to let me create a port channel. Do I just connect 1 of the 7048s (SFP+ card) to a port on one of the 4048s, and then the same on the other 2? I am worried about getting myself a loop. Any advice on connecting these?



Sunday, June 10, 2018

Setting up a Dell S50N for Iscsi, question on the management config and iscsi traffic.

We retired a few of these from our data-center a while ago and I snagged one for my homelab. So I'm going to move all my ISCSI connections to this S50N and put them on their own separate physical network. I'm running 8.4.2.6, which I assume is FTOS and not SFTOS. Since there isn't a "Interface management" command, do I need to tie it to a specific port so I can ssh into it? And I'm assuming as well that I'll need to put it on a separate vlan (like vlan2 or something) and then my iscsi ports on vlan3 or something?



Why Python for Network Programming

Hey folks. I’ve been spending some time playing around with Python with a focus on network programmability, automation and SDN.

But the one thing I can’t understand is why Python?

I have experience with NodeJS and Ruby. But everywhere you look, Python is predominantly used for network automation and SDN.

Why not NodeJS or Ruby or any other programming language for that matter? Is it just preference or am I missing something?



Cisco Live is starting!

Who is in Orlando this week?



What the hell is untagged traffic?

I have been trying to understand this for weeks, and I just can't find a satisfying answer to this. Why do we have to configure a native VLAN in the first place? What kind of traffic is going through this damn VLAN??

Can someone please give me a detailed example of what untagged traffic might be, and why it is so important to specify a native vlan in a trunk port?



DCI - VPC vs VXLAN

Hi All,

I'm doing a bit of design work and I need to make a call on a technology for a DCI between 2 DCs <100km apart. I've been reading through white papers on the technologies but wanted to get input from those who have used them in the field. Neither are designed specifically for DCI but I have seen validated designs that use them. I know stretched L2 is the devil and I understand I'm spreading the fault domain even with taking STP out of the equation. This design takes into consideration a single availability zone spread across 2 sites.

  • Each site utilises UCS and TOR Fabric Interconnects for running VMs. Some of these are virtual firewalls in Active/Standby
  • Active Virtual firewalls need to peer with SVIs on L3 core switches at each site (otherwise L3 Cores may not be needed as IP WAN could come into an aggregation switch at each site but I don't want to deal with routing protocol peering over VPC. No idea if this even works with anycast gateways in VXLAN).
  • Aggregation switches are purely L2 (except for VXLAN underlay in Design 1.)

Design 1: Use VXLAN with MP-BGP EVPN control plane to span L2 between sites. https://imgur.com/6ZdErEH

  • DCI Links are L3 P2P between Nexus 9ks
  • Don't require the scale of a full on spine/leaf architecture. Only need 2 VTEPs at each site.

Pros:

  • Routed L3 links between sites. Get rid of STP
  • Can use routing protocols for load balancing.
  • BFD for speedier convergence over DCI.
  • VXLAN EVPN is an industry standard

Cons:

  • More complex to setup, make changes and to troubleshoot (arguably)
  • Potentially issues with HA keepalives for firewalls over VXLAN (no experience just some of the stories I've heard. Keen to get feedback from other's with this kind of setup)

Design 2: Back to back VPC with separate STP Domains to span L2 between site https://imgur.com/NgrUjqJ

Pros:

  • Easier for initial setup and to make day to day configuration changes.

Cons:

  • Potentially more failure scenarios and load balancing strangeness when dealing with VPC
  • Need to be careful of physical medium of DCI, no BFD so need to look at fast LACP timers etc.
  • Potentially issue with port-channels and out of order packets if physical path lengths are different (DCI medium will be physically diverse)

Any gotchas that pros in the enterprise networking space can see with either of these designs?

I'm used to working with Nexus 5000s and 7000s. How does the 9300 platform stack up against these? Never had any issues with VPCs on the 5500s or MPLS/VRFs/large L3 tables on the 7000s. The 93180YC-EX and FX2 switches have piqued my interest. Keen to get away from big chassis switches as soon as possible.

Regarding VXLAN:

  • Is it still recommended to run multicast even with EVPN for BUM traffic?
  • Most whitepapers and examples I've seen are built around the leaf spine architecture. In this design would it better to use iBGP or eBGP between aggregation switch pairs?
  • There seems to be a lot of documentation and whitepapers ranging back from 2014 on VXLAN. If anyone has some favourite up to date documentation on VXLAN EVPN deployment on the 9300 platform that would be most appreciated.


Problems matching dialpeers, inbound SIP to FXS port

Hi,

I'm working on a CUCM deployment with an ISR4331 CUBE gateway. The CUBE terminates the telco SIP trunk and also has FXS ports (for fax machines) and an FXO port for an incoming POTS line.

Calls in and out of the SIP trunk to CUCM work perfectly fine. Calls outbound from the FXS ports work perfectly fine. Calls inbound on the FXO port work fine. The FXO port has a PLAR on it.

The problem is when ringing one of the numbers assigned to the FXS ports, it ends up matching a dialpeer and sending the call to the FXO port (and, thus rings the PLAR). I cannot get the calls to match the DP for the relevant FXS voice-port.

I tried shutting down the dialpeers for the FXO ports, yet, calls still somehow end up ringing the PLAR.

I'm stumped and an engineer I work with (who has a wealth of CM experience) is also stumped.

Here's a link to the relevant parts of the config; https://pastebin.com/hvP4rHtA

And, here's a link to the output of debug voice dialpeers inout; https://pastebin.com/BPQ3Cu0b

Really hoping someone here can see where I am stuffing up the config. This router is also running SRST, so I have a lot of the SIP stuff in voice class tenant (for the ITSP). I only have the one tenant setup for DP's to the telco. I didn't set up a second tenant for DP's to CUCM. I also didn't setup Dial-Peer Groups as per the SRST guide I was reading, not sure if that could be causing me grief.

Thanks ...