Saturday, July 21, 2018

Protecting your Network from Attackers / Clients

Hey guys, I got the following situation:

Every month or two we get a volumetric DDoS attack that overwhelms our network edge (a 10Gbps link to Cogent). While it doesn't last long, it's pretty pesky to be knocked offline for an hour at a time and to have to manually contact our provider to null route the IP (we have a backup 1Gbps link for monitoring and finding the affected IP).

In addition, we have some clients (not the brightest) that leave their servers open to various attack methods, or have improperly configured services. (We had someone use the number 4 as a password for root SSH.) After their machine gets taken over, they start sending out DoSes themselves, or start brute-forcing other IPs over SSH.

To combat this, we plan to set up a BGP session designated for blackholing to our provider to speed up the blackholing process. So here's my question: what do you guys use to automate blackholing an IP via BGP?

I've done some research and looked into the following solutions: https://www.andrisoft.com/software/wanguard and https://fastnetmon.com/

While we are a pretty small shop, I don't mind paying for a license if it's reasonable (FastNetMon for example is $115 a month, which is reasonable for our budget).

I'm looking for the following features:

  • Quick detection time (1-3 seconds)
  • Ability to monitor ingress / egress
  • IPV6 support (Finally got clients to start using it)
  • Blackhole an IP if they are transmitting a DOS attack (Would like support for as many attack types as possible)
  • Blackhole an IP based on PPS or Bps (egress / ingress)
  • Monitor total traffic of each individual IP (Or the top ten in total Bps / PPs)

Bonus Points If:

  • We can do traffic analysis (Monitor flows between ASs, see traffic information per IP, etc)
  • Can call a script on detection (Could use this to send alerts to us / the client)
  • Can see if the client's server is doing other bad things (brute-forcing, scanning, etc)

Basic Infrastructure Map: https://i.imgur.com/hWWRWRU.png
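As an added example (not code from the post or from either product named above), the detector below aggregates flow records into one-second buckets per IP, separately for ingress (a victim inside our prefixes) and egress (a compromised client inside our prefixes), and returns the host routes that crossed a PPS or bps threshold, which is what a detection script would hand to the blackhole BGP session or an alert hook. The prefixes, thresholds and flow records are constructed sample values.

```python
"""Per-IP rate detection feeding an automated blackhole decision (added example).

Flow records are constructed here; in practice they would come from
sFlow/NetFlow/IPFIX exported by the edge routers. One-second buckets mean a
sustained flood is flagged within the 1-3 second window asked for above.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the prefixes this network announces (IPv4 and IPv6).
OUR_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("2001:db8::/32")]


@dataclass(frozen=True)
class Thresholds:
    ingress_pps: int
    ingress_bps: int
    egress_pps: int
    egress_bps: int


# Constructed thresholds for a 10 Gbps edge: a host pulling > 1 Mpps or > 5 Gbps
# is treated as a volumetric attack; a client pushing > 100 kpps or > 1 Gbps as a
# DoS source. Tune these to the real baseline before trusting them.
DEFAULT_THRESHOLDS = Thresholds(1_000_000, 5_000_000_000, 100_000, 1_000_000_000)


@dataclass(frozen=True)
class Candidate:
    prefix: str      # host route to announce on the blackhole BGP session
    direction: str   # "ingress" (victim) or "egress" (attacking client)
    reason: str


def is_ours(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in OUR_PREFIXES)


def peak_rates(flows, window=1):
    """Aggregate (ts, src, dst, packets, bytes) records into per-IP, per-direction
    peak rates over `window`-second buckets. Returns {(ip, direction): (pps, bps)}."""
    buckets = defaultdict(lambda: [0, 0])
    for ts, src, dst, pkts, nbytes in flows:
        if is_ours(dst):
            key = (dst, "ingress", ts // window)
        elif is_ours(src):
            key = (src, "egress", ts // window)
        else:
            continue  # transit traffic: not ours to blackhole
        buckets[key][0] += pkts
        buckets[key][1] += nbytes
    peak = {}
    for (ip, direction, _), (pkts, nbytes) in buckets.items():
        pps, bps = pkts / window, nbytes * 8 / window
        cur_pps, cur_bps = peak.get((ip, direction), (0, 0))
        peak[(ip, direction)] = (max(cur_pps, pps), max(cur_bps, bps))
    return peak


def host_route(ip: str) -> str:
    """/32 for IPv4, /128 for IPv6: the most specific route the upstream will drop."""
    return f"{ip}/{128 if ip_address(ip).version == 6 else 32}"


def blackhole_candidates(flows, th: Thresholds = DEFAULT_THRESHOLDS, window=1):
    """Return the host routes whose peak rate exceeded a PPS or bps threshold."""
    out = []
    for (ip, direction), (pps, bps) in sorted(peak_rates(flows, window).items()):
        lim_pps = th.ingress_pps if direction == "ingress" else th.egress_pps
        lim_bps = th.ingress_bps if direction == "ingress" else th.egress_bps
        reasons = []
        if pps > lim_pps:
            reasons.append(f"{pps:,.0f} pps > {lim_pps:,}")
        if bps > lim_bps:
            reasons.append(f"{bps:,.0f} bps > {lim_bps:,}")
        if reasons:
            out.append(Candidate(host_route(ip), direction, "; ".join(reasons)))
    return out


# Constructed sample flows: (timestamp, src, dst, packets, bytes).
SAMPLE_FLOWS = [
    (100, "198.51.100.1", "203.0.113.10", 600_000, 38_400_000),  # 64-byte flood
    (100, "198.51.100.2", "203.0.113.10", 600_000, 38_400_000),  # ... from three
    (100, "198.51.100.3", "203.0.113.10", 600_000, 38_400_000),  # ... sources
    (100, "203.0.113.77", "198.51.100.9", 250_000, 16_000_000),  # client flooding out
    (101, "203.0.113.77", "198.51.100.9", 250_000, 16_000_000),
    (100, "198.51.100.5", "2001:db8::1", 1_000, 1_500_000),      # ordinary v6 traffic
]

if __name__ == "__main__":
    for c in blackhole_candidates(SAMPLE_FLOWS):
        print(f"blackhole {c.prefix} ({c.direction}): {c.reason}")
```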



Can you configure the UPS for me?

Should be easy. I'll just plug my regular console cable into the APC UPS in the RJ45 port that is clearly labelled as a serial port. Oh, the entire rack just rebooted... Turns out the console port is actually a headphone-jack-looking thing. You would think there would be a few more safeguards preventing noobs like me from doing this, but I guess the terrifying feeling of everything shutting off at once is a pretty good learning tool.



Unplugging booted ethernet cables

I suspect this is a pretty simple question. I apologize if it's kind of dumb.

I'm going to be plugging ethernet cables into two 48-port switches on top of each other. From top to bottom, that's 4 cables in only 2U height. That's a lot of cables in a very tight space; high density.

My fat fingers have a lot of trouble removing booted ethernet cables sometimes. And I would find it very difficult to do so in a tight space, between cable management. Does anyone have a suggestion for this?

Is there a tool for removing booted ethernet cables from a port easily? Is the answer simply to use needle-nose pliers? Or should I be looking at some other kind of cable end?

Thanks



Proper way to expand at the edge

We are in the process of upgrading some facilities infrastructure. The new gear has more network connected devices than the old gear. There are locations where demand exceeds available ports. Is it acceptable to expand at the edge with something like a Netgear pro safe switch, or should I insist on new cabling back to the IDF to connect each device individually to the switch stack?



Gaming Party calculate bandwidth needed

How much bandwidth does Xbox One or PS4 online gaming take up per second? Let's say I am playing Fortnite with 5 consoles, and another game on another console, maxing out what they can take up per second. I want to calculate the minimum speed I should have on my plan to not face lag. Where can I find this info? Also, does the LAN speed matter at this point?



Setup vm router and clients

So I know the basics of networking (finished a course in university, came 2nd in class) but when I'm trying to set up a basic 1 router (NAT, Internal Network) and 2 clients (same internal network) using VirtualBox, Ubuntu Server on each one, I'm starting to get confused.

My goal is to use the router as proxy/dhcp server and the clients must pass packets to the router for outside network connection.

My confusion is really how to set this up. What do I need? I understand the theory but am struggling to implement this sort of thing...



I make my own shielded Cat 7 cable with shielded crimp connectors --> test with cable tester: 1-8 blinks correctly. Ground (G) does not blink. What's wrong?


Traffic shaping requirements for Comcast Fiber/DIS using Palo Alto firewall?

tl;dr - Comcast's welcome kit says I should set our traffic shaping to their CIR. We don't have any traffic shaping equipment. What to do?

I set up a friend's small business of ~35 users, using a Palo Alto PA-820 for all network functions in a ROAS configuration. I just switched them from Comcast cable internet to Comcast Dedicated Internet Service (fiber) with a 200mbit CIR.

I'm going through Comcast's welcome kit/requirements, and they state that we should shape our traffic to their CIR or severely degraded TCP performance will result. But we're not doing any traffic shaping and I'm not even sure this little Palo Alto firewall is capable of that. I've used Riverbed and Silverpeak traffic shapers in the past when I was squeezing data over constantly congested satellite connections, but I would have thought hardware like that is well out of scope for a small organization like this.

Is this something I actually need to pay attention to, and how severe could the problems be if I don't?

(My background; junior engineer with a CCNA and no real WAN experience yet, feeling my way through these things slowly)



Trouble with Hyper-V Guest and VLAN networking - DHCP not working

I feel like I have tried everything and am still unable to get this guest VM on the network.

Background:

Running Hyper-V on a Windows Server 2016

Guest is also Windows Server 2016

This is connected to a Meraki MS320 Switch

Switch port is configured to VLAN 80 and set as an Access port (I tried Trunk as well)

Server has 4 NICs, 1 being used for the Host, 2 are teamed for my other guests, and the last one is being used for the virtual switch. I set the virtual switch to external, and set a VLAN ID of 80.

I set the VLAN ID for the Guest to 80 as well.

I confirmed that there was a helper/relay to the DHCP Server but the guest can never get an IP address from the DHCP server. I confirmed the DHCP server is running, I rebuilt the DHCP scope and failover. I packet captured the port and saw that the traffic is indeed tagged as VLAN 80, and was sending both DHCP Request and DHCP Discover to the Broadcast IP but never got an ACK.

What I've tried (no particular order):

  • Checking the Device Manager Adapter settings for the Nic to make sure VLAN is enabled and set VLAN ID to 1 to enable it.
  • Tried to set Device Manager nic adapter VLAN ID to 80 -- no luck
  • Tried the same in the guests device manager -- no luck
  • Rebuilt DHCP scope
  • Recreated virtual switch
  • Set a Static IP -- still unable to ping any other device so probably not a DHCP issue
  • rebooted a few times for good measure
  • I probably tried many other things as well as I've been working on this for well over 5 hours.

Any ideas?



Port Forwarding with two routers

Hi,

Not too long ago I've purchased a TP-LINK router in order to boost Wi-Fi signal in my room to act as an Access point and a cable switch instead of buying those separately.

Basically I've got a cable running from the ISP's router to the TP-LINK router in my room and another cable from there to my PC, So far so good and everyone has internet connection.

Now the problem is Port Forwarding: I can't freaking open any ports I'd wish to.

When I try opening a port in either of those devices the ports remain closed no matter what.

Beware that my previous IPv4 (before I connected the damn thing) was something like 192.168.1.X; now it's a little bit different at 192.168.0.X. I don't know if it has to do with it, my knowledge of networks isn't really great.

I've heard about something to do with DHCP or something; I've tried disabling that on either of those while the other one had this option on, but it didn't make a difference.

I'm desperate... thanks for any help in advance guys :/



Console port physical connector

I have a few Cisco 2960 switches where the console port is broken. I was thinking I would try to solder some new ports on the switches before I throw them in the bin. My question is, is the physical console port just a normal RJ45 port? Or do I have to look for something else (if it's even possible to do so)?



Need Help! Setting VPN Server at VYOS

Hi guys!

I am tasked to deploy a VPN server using VyOS; it's going to be my first time using VyOS and implementing a VPN.

I also need to implement it with pre-shared key authentication and certificates.

If you have videos or reading materials to share I would really appreciate it, thanks.

VPN clients will be implemented using OpenVPN on pfSense.



Next Steps for a Tier 1 tech to Troubleshoot a FUBAR network?

This situation is a bit over my head. The short and sweet of it is that I'm a Help Desk tech with 5 months of experience in IT and due to recent departures of our 2 most experienced techs, we're lacking people with the skills necessary to troubleshoot a complicated network setup.


The situation is complicated by a hybrid network management setup where the ISP handles some of the internal network while we manage some of the other parts of it such as the WiFi and Sonicwalls. Also there is no clear documentation for either side on what gets plugged into where.


If I had a wishlist it would probably be credentials to access all the managed switches on premises and use a tool like Auvik to at least get a logical map of the network for me. Although I'm not sure if every managed switch on premises makes use of SNMP, at the very least I doubt the $30-$40 TP-Link switches are capable of that.


The main complaints from the client are that 2 buildings have Point of Sale systems that will sporadically become disconnected from the LAN and will need to be switched over to WiFi (iPads, really). The network is spread between 3 buildings. Buildings 1 & 2 are on the same local network under Sonicwall A; Building 3 is under Sonicwall B, connected using a point-to-point VPN between the Sonicwalls, so basically using the internet to link the two networks (different subnets) under the same domain.


Building 3 might have some network issues but generally not considered huge since PoS systems are only in buildings 1 and 2. I've been using PingPlotter on a free trial basis to try to narrow down the issue. Thus far I would say Building 3 has the least issues as far as latency spikes are concerned. Although Building 3 had issues where web browsing was impossible until DNS was pointed to Google DNS for the workstations. The DC/DNS server is located in Building 1, suggesting that subnet B under Sonicwall B was having issues communicating with subnet A under Sonicwall A which is where the DC/DNS is.


I've also noted that when the POC calls to note that they're having network issues it generally takes quite a while to remotely connect to their servers.


Because of poor documentation I'm having issues differentiating between Building 1 resources and Building 2, but let's say the subnet of Sonicwall A is overall pretty bad with internal latency of 200-500ms max in any given 3-hour period whereas Building 3 under Sonicwall B subnet is very happy at about 23-40ms max latency at the same time scope.


The only notable thing I've seen is that the latency graph for TP-Link switch 1 & 2 mirror each other almost exactly. Switch 1 and 4 are located in the same building within 30 feet of each other, but switch 1 shows high latency whereas switch 4 has almost none.


Client POC wants to know what the long-term plan is and I don't have an answer for him with what I have to work with so far. I just figure we'll have to set aside a weekend to compile an actual map of their network and figure out what plugs into where. May have to ask the ISP to have us both there at the same time.


Kind of wondering if I overlooked anything in terms of remote data gathering. I've used iperf a few days ago to test internal network bandwidth to see if the router was a chokepoint for another different client site by running it from one computer to another and wanted to see if this might force symptoms to appear if I can narrow down the potential location of the problem, at least logically on the network?



Will HPE drop Comware (H3C) based switches?

Hello,

My HPE sales guy behaves kind of strangely when I talk about Comware based hardware. He always promotes Aruba and doesn't provide any hints about Comware based gear. Does anyone know whether HPE will drop Comware hardware within this year?



Bringing a router online caused an outage

I was tasked with swapping out a router in our core last night. When I powered it up it caused a 15-20 minute outage and I’m looking for some advice on finding the cause of this.

Think of our core as a 4 router core, with iBGP and MPLS running over it. Routers 1, 2, 3 and 4 all have independent eBGP sessions with internet carriers pulling in the full routing table. Remote sites come in via router 1. I replaced router 3.

When I brought the router down there were no issues. When I powered up the replacement router the remote sites immediately lost internet access, although a colleague working remotely was able to ping router 1's loopback over the internet (public IP, he was at home).

I’m a bit stumped as to why the remote sites connected to router 1 would face issues when router 1 has a direct feed to the internet.

I’ve pulled the logs off all 4 routers after the outage and will take a look at them on Monday, just looking for some advice or tips before I spend hours looking through lines and lines of logs



Friday, July 20, 2018

Vertical Cable Management in an enclosure....

Hello everyone. Good evening. Cabling newbie here...

I am getting ready to move our company to a new building. We will be punching down 240-ish cable runs into 5x 48port patch panels. Short cables will be jumped to Ubiquiti 48 port switches. And all of this will be going into a used 42U enclosure. The basic design is stacked below, if it makes any sense. Few basic questions though....

- How long of a jumper am I looking at? Six inches? One foot?

- What are the options for vertical management? For the fiber between the switches, if nothing else? Keeping in mind that it is in an enclosure.

- Any general suggestions for what we are doing? All thoughts are welcome.

- Fiber
- Firewall
- Core Switch
- Switch
- 1U Blank
- 2U Patch
- 2U Patch
- 1U Blank
- Switch
- Switch
- 1U Blank
- 2U Patch
- 2U Patch
- 1U Blank
- Switch
- Switch
- 1U Blank
- 2U Patch
- ESX Server


Dell s4048-on FTOS inter-VLAN routing

So I do basic switch configurations for some of my clients. We have one client that needed three switches configured. I think I'm 98% done, but I can't seem to get inter-VLAN routing working. We normally rely on the client IT team to route elsewhere, not on our supplied switches. I think this client relies on freelance IT that will not be managing these switches. Also, our supplied switches will be isolated, no uplink. It seems like the config should work. The VLANs have IPs and no shut is applied, but the VLANs aren't communicating. Does anyone know the basic config rules so I can get this working? The FTOS docs don't clearly show how it's done. Thanks!



FS 100 gbe switches in ISP core

Has anyone used anything like https://www.fs.com/products/69229.html?currency=USD&paid=google_shopping&gclid=CjwKCAjwkMbaBRBAEiwAlH5v_p9dQWxKrIdTa5x5kzsvuoC-2JXhHdScW-acKQgQepRvRrlu72wSJxoCybYQAvD_BwE for a service provider core, running ospf, about 8k IPv4 routes, bgp free. Wonder if it could replace a nokia 7950 or juniper ptx.



Opendaylight

Is anyone out there using Opendaylight? Cisco is really pushing hard now on CiscoDNA but I have been burned before with their new platforms (WaaS/Prime Infrastructure/iWan) and would like to find a more open solution to manage our network infrastructure. Any advice/flavors of choice that you are using that wouldn't mind sharing your opinion?



Should I Stay or Should I Go?

I just got an offer from a company for a 3 year contract that is also offering to give me a security clearance. I have always thought that the security clearance would be a great boon for my career. The only problem is that I like my current job and have become a very important member of the team. I have been working here for close to 5 years.

Would it be worth the risking of moving to a new job with a 3 year contract in order to get that security clearance?

For the sake of argument, let's say that the pay at both jobs is the same.



The Rambling Engineer episode 1 Granddad Noooooo!

Hey fellow engineers, I'm starting a podcast as therapy to release my inner frustration at the shenanigans I've witnessed over the years.

The podcast is just starting but I'll be looking into talks from all aspects of networks, systems, virtualization, military systems, SCADA, and more from my decade or so of experience in the world of all things connectivity.

The first one is a dough rage after my namesake decided to buy a dl850L from BIG CHINA BOX DOLLAR STORE and I just had to rage as he had put it inline with a brand spanking new COTS wireless build I had done for around 400-500.

Here's the links have a listen and comment at your leisure.

No Google play or Spotify yet, but the rest are loaded and ready to go.

I comment under a different account so reply here and I'll comment back later, or on my podcast site once I actually build a guest page....

Links! Main feed host (for now) https://www.buzzsprout.com/193567

Hot off the iTunes press: https://itunes.apple.com/us/podcast/the-rambling-engineer/id1414773350

Stitcher: https://www.stitcher.com/s?fid=212151&refid=stpr

Or Alexa with play "The Rambling Engineer" once Amazon approves it.

Twitter is @DCuplink

Follow me like or hate and comment, DM, or otherwise to get your spot on the show for a one on one, or story submission. Happy to read your story on it too anonymous or public either way!

May your weekend be uneventful, on call phone be silent, and your mug full of brew!



2 ways into the network

Hello friends. Let's say I have 2 datacenters I want to connect together. These 2 datacenters currently have a way into each other through our MPLS provider by a 1gig circuit at each datacenter. Let's say I want to connect up a 10gig metro-e circuit directly between the 2 datacenters as well now and do that through a couple of /30s with EIGRP (our IGP) to exchange routes between the 2. So now I'll have a 10gig metro-e circuit and an MPLS way to get back and forth between the 2 DCs.

As far as the BGP configs for our MPLS, we redistribute every route from EIGRP to BGP and vice versa. So any BGP learnt route like our branches will be advertised into EIGRP, and every EIGRP learnt route for stuff in the datacenter will be advertised into BGP. The second I connect up that 10gig circuit, will this cause problems? I feel like having 2 ways into the network is a little scary... and since we redistribute between our IGP and EGP so freely this might cause issues. I'm going to try to lab this on VIRL, but just wondering if anyone else has ever set up a config like this before?



Looking for a bandwidth/capacity calculation tool

It seems as though I’m in the right subreddit to ask this question but if not please guide me to the right one. I am currently in the military and have taken advantage of a program that allows me to intern for a local company 6 months prior to my retirement. I am learning the intricacies of being an RF Transport Engineer and am looking for some type of tool that would calculate network bandwidth across my microwave shots. The idea would be that if I increase bandwidth on a link I would like to know how it affects bandwidth on my other microwave links in succession so to know if I could add customers to the original link. Or better yet it could turn “yellow” or “red” to show that I am reaching capacity on my further links before reaching the drain. Any help would be appreciated. Thanks.
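As an added example (not a tool the post names), the script below models the planning question described above: each site has one microwave link toward the drain, so customer demand added at a site rides every link between it and the drain, and each link is coloured green/yellow/red against its capacity. The topology, capacities, demands and thresholds are constructed sample values.

```python
"""Cumulative load on a chain of microwave links toward the drain (added example).

Sites form a tree rooted at the drain. link_report() sums the demand behind each
link; can_add() asks whether N more Mbps at a site would push any downstream
link into red, which is the "can I add customers here?" check the post asks for.
"""
from dataclasses import dataclass

DRAIN = "Drain"  # constructed name for the fibre hand-off site

# Constructed topology: site -> (next hop toward the drain, link capacity in Mbps)
LINKS = {
    "TowerA": ("TowerB", 200),
    "TowerD": ("TowerB", 100),
    "TowerB": ("TowerC", 400),
    "TowerC": (DRAIN, 1000),
}

# Constructed customer demand terminating at each site, in Mbps.
DEMANDS = {"TowerA": 120, "TowerD": 40, "TowerB": 150, "TowerC": 300}


@dataclass
class LinkStatus:
    link: str
    load: float
    capacity: float
    status: str

    @property
    def utilisation(self) -> float:
        return self.load / self.capacity


def path_to_drain(links, site):
    """Yield the sites whose uplink carries traffic originating at `site`."""
    while site != DRAIN:
        if site not in links:
            raise ValueError(f"{site} has no link toward {DRAIN}")
        yield site
        site = links[site][0]


def link_report(links, demands, yellow=0.7, red=0.9):
    """Load every link with the demand behind it and colour it by utilisation."""
    load = {site: 0.0 for site in links}
    for site, mbps in demands.items():
        for hop in path_to_drain(links, site):
            load[hop] += mbps
    report = {}
    for site, (nexthop, cap) in links.items():
        util = load[site] / cap
        status = "red" if util >= red else "yellow" if util >= yellow else "green"
        report[site] = LinkStatus(f"{site}->{nexthop}", load[site], cap, status)
    return report


def can_add(links, demands, site, mbps, red=0.9):
    """Return (ok, first downstream link that would go red, or None)."""
    trial = dict(demands)
    trial[site] = trial.get(site, 0) + mbps
    trial_report = link_report(links, trial, red=red)
    for hop in path_to_drain(links, site):
        if trial_report[hop].status == "red":
            return False, trial_report[hop].link
    return True, None


if __name__ == "__main__":
    for st in link_report(LINKS, DEMANDS).values():
        print(f"{st.link:16} {st.load:7.1f}/{st.capacity:7.1f} Mbps "
              f"{st.utilisation:6.1%} {st.status}")
    print("add 60 Mbps at TowerA:", can_add(LINKS, DEMANDS, "TowerA", 60))
```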



Draytek Locked out of web GUI

I have tried to create a greeting page for a Draytek router, however after saving and re-logging the web interface does not take any button presses to login. I have already tried to edit the code on the login page in hopes it will allow me to login, tried using different browser and using auto-login option on password manager.

Does anyone know if there is a way to disable custom greeting through the command line? I only have remote access to the router, so I am not able to factory reset it.



Fellow NOC techs, I need some help.

Hello everyone. We are rearranging our NOC, but we aren't sure how we want to do it. I'm looking for some inspiration and was hoping that the other NOC techs in the sub might be able to help me out. Would some of you be able to maybe post some pics of your NOCs for some ideas? Here's a picture of ours currently (part of it that is) to show you why we are wanting to make more efficient use of our space.

Taken from my desk: http://imgur.com/v31jX9j

Thanks!!



Looking for a tool to monitor ISP packet loss and generate reports

I own an IT service company, but one of my weak points is advanced networking. I'm only saying that to express that I know a lot about IT in general, so you can use big boy terms with me. I'm fighting with my ISP right now over severe packet loss on their end. I could go into a huge spiel about how their techs on the ground are completely incompetent, not even knowing what a ping test or a packet is, much less troubleshooting packet loss, but I'll just leave it at that for now.

Finally after 3 trips of "finding nothing wrong", the local tech assigned to my case got some help from his advanced support and was told how to do packet testing with his equipment. Only at that point was he able to actually see my issue himself, even though he didn't understand what it meant, but at least that didn't matter as long as he could figure out how to fix it I guess.

Long story short is the packet loss is intermittent and random. When they did some repairs on their equipment and the packet loss cleared up, they thought they repaired the issue. It was unfortunately just coincidental timing and the packet loss came back in the same manner the next day. Now they are telling me that they need me to provide them with record keeping of what time(s) of the day packets are getting dropped, what percentage, etc... so that they can better troubleshoot the issue. I'm pretty annoyed that I'm being tasked with doing their job for them, but whatever, if this gets my internet fixed then so be it.

So here I am. I need some kind of software that can run a constant ping in the background to Google or anything, and generate some type of time-logged report showing dates, times, percentages, etc.. anything like that of relevance to help them out as much as possible. Are there any suggestions on software to achieve this type of thing? Thanks in advance.
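As an added example (not software the post names), the script below sends one echo request per second with the system ping (Linux iputils ping is assumed) and turns the results into the timestamped per-interval loss record the provider asked for. The probe results used for the check are constructed so the summary can be verified without a network.

```python
"""Timestamped packet-loss record for an ISP dispute (added example).

probe() sends one ICMP echo via the system `ping` binary (iputils flags
assumed); summarize() groups (epoch, ok) results into fixed intervals and
reports sent/lost/loss % per interval; write_report() dumps that as CSV.
"""
import csv
import subprocess
import time
from collections import OrderedDict
from datetime import datetime, timezone


def probe(host: str, timeout_s: int = 2) -> tuple[int, bool]:
    """Send one echo request; success is judged by ping's exit status only."""
    rc = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    ).returncode
    return int(time.time()), rc == 0


def summarize(samples, interval_s: int = 300):
    """Group (epoch, ok) samples into `interval_s`-second buckets and compute loss."""
    buckets = OrderedDict()
    for ts, ok in sorted(samples):
        start = ts - ts % interval_s
        sent, lost = buckets.get(start, (0, 0))
        buckets[start] = (sent + 1, lost + (0 if ok else 1))
    rows = []
    for start, (sent, lost) in buckets.items():
        rows.append({
            "start_utc": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
            "sent": sent,
            "lost": lost,
            "loss_pct": round(100 * lost / sent, 2),
        })
    return rows


def write_report(rows, path):
    with open(path, "w", newline="") as fh:
        w = csv.DictWriter(fh, fieldnames=["start_utc", "sent", "lost", "loss_pct"])
        w.writeheader()
        w.writerows(rows)


# Constructed sample: 60 probes per 5-minute interval; 3 lost in the first
# interval, 10 lost in the second.
SAMPLE = [(1_200 + 5 * i, i not in (3, 4, 5)) for i in range(60)] + \
         [(1_500 + 5 * i, i < 50) for i in range(60)]

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "8.8.8.8"  # example target
    results = []
    try:
        while True:
            results.append(probe(host))
            time.sleep(1)
    except KeyboardInterrupt:
        write_report(summarize(results), "packet_loss_report.csv")
```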



NTP on networking equipment

This is probably the newb in me posting, but NTP has always confused me meaning, why can't it be something simple such as (ignore syntax, trying to keep it obvious and neutral)...

set time source primary 'insert FQDN of ntp server 1 here' set time source secondary 'insert FQDN of ntp server 2 here' 

When I watch videos, read CLI manuals, etc almost all of them discuss summer time, offsets, etc. I get all that, but it seems that having a couple of master NTP devices, on the network, and have all your devices point to the NTP devices for time is much easier. If I change the time on either NTP device, all the devices that point to the NTP devices should instantly change to the new time.

In smaller networks that may not have the option to have a NTP server, simply pointing them to an internet based time server should be better than not configuring the time at all.



NETCONF and YANG support on Linux

Has anyone started working on NC/YANG for Linux?



New Network Engineer - Am I Being Undercut? UK vs USA

I’m trying to get some insight here. I’ve been reading through previous posts and I’m BLOWN away by the salaries of guys from the US. Being a network engineer seems to be making $60k-150k+

I’m from the UK, just out of uni and making £28k as a network engineer, which equates to around $38k in the US. So am I being undercut, or is the USA crazily more expensive,or is it just a better job market out there?

I kinda had the impression a senior network engineer in the UK would max out around 45k? Or am I way off.

Any insight would be appreciated!



When using point to point network products, are licensing involved?

Are there any licensing restrictions on utilizing a device such as the Ubiquiti AirFiber 24? Assuming you had the money and space.

To clarify, any need for FCC involvement?



WIFI Question

We currently are a Ruckus company but we're looking at overhauling our network for the 2019 calendar year. New switches, APC units, and upgrading or moving to another wireless solution.

When on a call with a vendor they mentioned moving to Aruba controllerless APs.

Our environment consists of our main facility, which has about 25 APs, and 3 remote sites that have 3-4 APs each. We currently run our Ruckus with two ZoneDirectors for HA. We're primarily an HP company: servers, switches, and now we're considering our WiFi.

Do any of you have all three under HP / Aruba? If so, is there some central management that would allow managing all three products under one application? I think the vendor was trying to explain how HPE Systems Insight Manager could be used for all 3 products.

Now, our Ruckus environment just works. I inherited it, but when we added WiFi to a new facility all I had to do was add the ZoneDirector's IP to the AP and approve the AP from the web interface and assign it. So setup was a breeze. With these controllerless APs I'm assuming... not so much. However, we're talking less than 40 APs total.



Monitoring

Greetings,

Looking to see what other engineers do when it comes to monitoring specific links. We currently have a SolarWinds deployment and my firm is monitoring SVIs and Tunnel interfaces. Does anyone typically monitor these? If so, why?



EAP-TLS Windows server 2016

Hello,

I’m having a lot of issues setting up RADIUS authentication using AD. I have added NPS and set it up for EAP and certificates. I have created a template off of Computer and issued a server cert and client cert. Both have the client and server auth EKU. The error I’m getting is “authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect”. I have a user created that matches the CN set in the cert. My client (for testing purposes) is an Android phone that has the root CA and the client cert. Any help would be greatly appreciated.



Is the Asus AC86U (running Merlin) the best consumer based router for maintaining high speed using a VPN with encryption enabled?

I love love my Asus AC68U router but your speed will be severely limited using a VPN connection with encryption enabled.

I have read that the AC86U will be able to achieve high speeds even when using an encrypted VPN.

Is there a better choice than the AC86U? Anything even faster that is supported and works as well as the AC68U running Merlin?

Or have there been any announcements from Asus to a successor to the AC86U that will run even faster?



Has anyone used Unifi AC Pro in an office?

It's time to renew our Meraki MR32s and we've decided to go with a cheaper solution. Has anyone ever used the Ubiquiti Unifi AC Pro in an office setup? I have a Unifi AP at home and love it. I assume this will work fine for our office, but I'd just like to know if anyone else has a similar experience.

We have 6 MR32s looking to go to 8 Unifi AC Pros. Maximum 160 clients over the last 30 days. Moved 811Gb over the last 30 days as well. Link for usage chart. https://imgur.com/a/fIORv3y



Having trouble setting up ospf on an hp switch 3800

Been trying to set up OSPF on three HP switches. Below I have attached the running configs for each router, one being in area 2 and the other two being in the backbone area (0). I can get the backbone area switches to build a neighbor table with each other but not with the switch in area 2. My only experience before this is working on Cisco switches at school. Would appreciate some guidance.

hostname "CHI-R1"
ip router-id 50.0.0.1
ip routing
interface loopback 1
   ip address 50.0.0.1
   exit
snmp-server community "public" unrestricted
oobm
   ip address dhcp-bootp
   member 1
      ip address dhcp-bootp
      exit
   exit
router ospf
   area 0.0.0.2
   area backbone
   enable
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1/1-1/3
   untagged 1/4-1/52
   ip address dhcp-bootp
   exit
vlan 10
   name "VLAN10"
   tagged 1/1
   ip address 10.10.39.129 255.255.255.128
   ip ospf 10.10.39.129 area backbone
   exit
vlan 20
   name "VLAN20"
   untagged 1/2
   ip address 10.10.39.1 255.255.255.252
   ip ospf 10.10.39.1 area 0.0.0.2
   exit
vlan 21
   name "VLAN21"
   untagged 1/3
   ip address 10.10.39.5 255.255.255.252
   ip ospf 10.10.39.5 area backbone
   exit
vlan 30
   name "VLAN30"
   no ip address
   exit

BEN-R2# show ip ospf neighbor

 OSPF Neighbor Information

  Router ID       Pri IP Address      NbIfState State    QLen  Events Status
  --------------- --- --------------- --------- -------- ----- ------ ------
  50.0.0.1        1   10.10.39.5      BDR       FULL     0     6      None

BEN-R2# show run

Running configuration:

stacking
   member 1 type "574A" mac-address xxxxxxx
   exit
hostname "BEN-R2"
no rest-interface
ip router-id 50.0.0.2
ip routing
interface loopback 1
   ip address 50.0.0.2
   exit
snmp-server community "public" unrestricted
oobm
   ip address dhcp-bootp
   member 1
      ip address dhcp-bootp
      exit
   exit
router ospf
   area 0.0.0.2
   area backbone
   enable
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1/2-1/3
   untagged 1/1,1/4-1/52
   ip address dhcp-bootp
   exit
vlan 10
   name "VLAN10"
   tagged 1/1
   ip address 20.20.39.129 255.255.255.128
   ip ospf 20.20.39.129 area backbone
   exit
vlan 21
   name "VLAN21"
   untagged 1/2
   ip address 10.10.39.6 255.255.255.252
   ip ospf 10.10.39.6 area backbone
   exit
vlan 22
   name "VLAN22"
   untagged 1/3
   ip address 10.10.39.9 255.255.255.252
   ip ospf 10.10.39.9 area 0.0.0.2
   exit

hostname "IND-R3"
no rest-interface
ip router-id 50.0.0.3
ip routing
interface loopback 1
   ip address 50.0.0.3
   exit
snmp-server community "public" unrestricted
oobm
   ip address dhcp-bootp
   member 1
      ip address dhcp-bootp
      exit
   exit
router ospf
   area 0.0.0.2
   area backbone
   enable
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1/2-1/3
   untagged 1/1,1/4-1/52
   ip address dhcp-bootp
   exit
vlan 10
   name "VLAN10"
   tagged 1/1
   ip address 20.20.20.1 255.255.255.128
   ip ospf 20.20.20.1 area 0.0.0.2
   exit
vlan 20
   name "VLAN20"
   untagged 1/2
   ip address 10.10.39.2 255.255.255.252
   ip ospf 10.10.39.2 area backbone
   exit
vlan 22
   name "VLAN22"
   untagged 1/3
   ip address 10.10.39.10 255.255.255.252
   ip ospf 10.10.39.10 area backbone
   exit

IND-R3# show ip ospf neighbor

 OSPF Neighbor Information

  Router ID       Pri IP Address      NbIfState State    QLen  Events Status
  --------------- --- --------------- --------- -------- ----- ------ ------
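As an added example (not from the post), the script below pulls the OSPF-enabled VLAN interfaces out of the three configs above and checks the two conditions a subnet must satisfy for an adjacency to form on it: both ends must be configured in the same area, and there must be a second end on that subnet at all. Only the vlan / ip address / ip ospf lines are copied in; everything else in the configs is omitted.

```python
"""OSPF area consistency check over the posted switch configs (added example).

For each 'ip ospf <addr> area <x>' under a VLAN we resolve the subnet from the
matching 'ip address' line, then group interfaces by subnet: a subnet with one
interface has no peer, and a subnet whose ends disagree on the area will never
form a neighbor.
"""
import re
from ipaddress import ip_interface

# Relevant lines copied from the three posted configs (other commands omitted).
CONFIGS = {
    "CHI-R1": """
vlan 10
 ip address 10.10.39.129 255.255.255.128
 ip ospf 10.10.39.129 area backbone
vlan 20
 ip address 10.10.39.1 255.255.255.252
 ip ospf 10.10.39.1 area 0.0.0.2
vlan 21
 ip address 10.10.39.5 255.255.255.252
 ip ospf 10.10.39.5 area backbone
""",
    "BEN-R2": """
vlan 10
 ip address 20.20.39.129 255.255.255.128
 ip ospf 20.20.39.129 area backbone
vlan 21
 ip address 10.10.39.6 255.255.255.252
 ip ospf 10.10.39.6 area backbone
vlan 22
 ip address 10.10.39.9 255.255.255.252
 ip ospf 10.10.39.9 area 0.0.0.2
""",
    "IND-R3": """
vlan 10
 ip address 20.20.20.1 255.255.255.128
 ip ospf 20.20.20.1 area 0.0.0.2
vlan 20
 ip address 10.10.39.2 255.255.255.252
 ip ospf 10.10.39.2 area backbone
vlan 22
 ip address 10.10.39.10 255.255.255.252
 ip ospf 10.10.39.10 area backbone
""",
}

ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$")
OSPF_RE = re.compile(r"^\s*ip ospf (\S+) area (\S+)\s*$")


def ospf_interfaces(device, text):
    """Yield (device, vlan, network, address, area) for each OSPF-enabled VLAN."""
    vlan, masks = None, {}
    for line in text.splitlines():
        if line.startswith("vlan "):
            vlan, masks = int(line.split()[1]), {}
        elif (m := ADDR_RE.match(line)):
            masks[m.group(1)] = m.group(2)          # address -> netmask
        elif (m := OSPF_RE.match(line)):
            addr, area = m.groups()
            net = ip_interface(f"{addr}/{masks[addr]}").network
            yield device, vlan, net, addr, area


def check(configs):
    """Return human-readable findings, ordered by subnet."""
    by_net = {}
    for device, text in configs.items():
        for dev, vlan, net, addr, area in ospf_interfaces(device, text):
            by_net.setdefault(net, []).append((dev, vlan, addr, area))
    findings = []
    for net, ends in sorted(by_net.items(), key=lambda kv: kv[0]):
        if len(ends) == 1:
            dev, vlan, addr, _ = ends[0]
            findings.append(f"{net}: only {dev} vlan {vlan} ({addr}) is on this subnet, no OSPF peer")
        elif len({area for *_, area in ends}) > 1:
            detail = ", ".join(f"{dev} vlan {vlan} area {area}" for dev, vlan, _, area in ends)
            findings.append(f"{net}: area mismatch, {detail}")
    return findings


if __name__ == "__main__":
    for finding in check(CONFIGS):
        print(finding)
```

Subnets that pass both checks (here 10.10.39.4/30 between CHI-R1 and BEN-R2) produce no output, matching the one FULL neighbor shown above.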



Has Anyone Used Unified Endpoint Management?

Hey, I am a journalist for an enterprise tech publication. I am writing an article about Unified Endpoint Management.

Has anyone here embraced UEM yet? Would you be willing to share your story?

And, if not, could you please tell me why?



Cisco Catalyst

I was told recently that the Cisco Catalyst 9300 series has a usb only console port. However, when I looked it up there was still an RJ-45 connector. Does anyone have any info on a Cisco switch with a USB only console port?

Also, Does anyone know about an upcoming 4 port switch?



Which countries are the best to work for?

I've heard that Dubai has good salaries for IT, ~400k per year with all expenses paid. Is that true?

Also, which other countries are good for people in IT? I'm quite young and considering travelling to the most profitable one to make some bucks and come back to my home country.



configuring network between two sites

Hi Guys,

Hope this post is suitable for this reddit.

In my company we have two departments that are physically located 5 km apart. We just switched to fiber internet and were offered by the provider to deliver direct internet access to one department and to the other something called data transfer. The provider claims that these two can be connected so we get access to the internet in both departments and don't have to pay for two internet lines.

So in department 1 - HQ we received from the provider a switch with 2 active ports. Port 1 is for internet and port 3 is for LAN. We connected our router to port 1 of the provider's switch and our local switch to the router, and everything works fine.

In department 2 we also received a switch, but with only port 3 active for LAN.

Now here is the troublesome part. The provider claims that we should connect our switch in HQ (department 1) to port 3 on the provider's switch and then connect a computer to port 3 on the other provider switch in department 2. As a result, the computer in department 2 should be able to access the internet. Well, it isn't.

The interesting part is that when I connect the computer to port 3 of the switch in department 2, the LEDs on the switch turn green and the computer claims that it cannot identify the network. However, on the other end, when I connect the local switch to port 3 on the provider's switch in HQ, the LEDs are dead. But when I directly connect a computer they turn green.

Can anybody help me? What am I doing wrong? Should I make some special settings?

The local switch is a Cisco SG200-26, the provider's switches are SG300-10

Thanks

Visual description-> https://imgur.com/a/1b6eOkk



Connectivity issues with Comcast

Scoured the webs for an answer but couldn't find one, so I'm posting here.

TLDR: If I have too many machines on my internal network trying to access the outside world, is there any reason that my modem should lose connectivity altogether? I would assume I would just see really long lags and some packet loss. But it appears that my entire connection to the ISP is completely lost.

My story: I have Comcast as an ISP. I've been having severe trouble maintaining connection to the outside world. I'm confident my internal routing is working fine. Every so often, my connection goes down and I get "Request timeout" or "Destination Net Unreachable" trying to ping 8.8.8.8. It seems to happen around noon time when it does occur, but that might just be a red herring.

I can verify that my internal network is working because I can ping my wireless router at 192.168.1.1 and I can ping the modem itself at 10.1.10.1. But, pinging any external address does not work. Also, when viewing the WAN admin page on the modem, it still has an assigned IP address.

Usually, the problem will just correct itself after a few minutes. Sometimes, I get impatient and power cycle the modem. Sometimes, I break down and call their tech support which ends up taking 30 minutes every time. After some checks the tech will always tell me that everything is working "fine", which is a lie.

Additionally, the tech will tell me that I should upgrade my service because it's only 25mb throughput. I cannot understand how this would solve the issue. If I'm running too many devices trying to get to the outside world, wouldn't I just experience a slow connection? It doesn't make sense that running too many devices would BREAK my connection altogether and I'd have to reboot my modem. When I pose this question to the tech, they kind of shrug their shoulders and dismiss it.

Please correct me if I'm wrong. But, I don't think that upgrading my service is the answer.



Cisco ASA 5520 Config

I recently picked up a Cisco ASA 5520 to replace a Cisco RV320 for my home lab, which I use for both testing and for personal connectivity. I am not much of a routing or firewall expert, not even close, but every project I have worked on over the years has had the Cisco ASA involved, just not config'd by me. I was able to get the CLI up and running and engage the ASDM. I was able to update the username and password and get logged into the ASA via the ASDM. However, that is about as much success as I have been able to have. I have a pretty complex network with four VLANs: Server, Wired Client, Wireless Client, and DMZ. I also have a static IP address through my internet provider. I started off by configuring the interfaces. 0/0 was configured with my static IP. I then created the four VLANs off the 0/1 interface. So now I have: 0/1.1 (192.168.79.X), 0/1.2 (192.168.80.X), 0/1.3 (192.168.1.X), and 0/1.4 (192.168.0.x). Each has been configured with an IP address from its respective subnet. Next I created a static route which pointed 0.0.0.0 to the gateway IP address for my internet provider. I guess this would be a good time to mention that my modem is in bridge mode. Next I set up the DHCP relays for each of the VLANs. At this point I figured I would start seeing my clients getting IP addresses from the DHCP servers in the Server VLAN; however, they are not. The servers in the Server VLAN are getting IP addresses as they should, since they are on the same subnet. I know I am missing a step somewhere. I thought it might be creating the NAT objects, but when I opened the NAT rules they were all already there for me.

Any ideas or suggestions are greatly appreciated.



Cisco support forums down until the 24th

Thanks for shutting down a good resource for finding help. You just killed all the top search results. Granted, I know this is a free resource. It just shows how much contempt for the community you have if you shut something like this down - https://supportforums.cisco.com/t5/custom/page/page-id/MaintenancePage



Rolling your own 10gig BGP router

Alright fellow networking nerds. We have an aging infrastructure of Cat 6506Es w/ VS-S720-10G PFC3CXL as our BGP routers. We take multiple full feeds. As you might have guessed, the memory and CPU of those sups are starting to struggle greatly. When a BGP link flaps, depending on the time of day, it will cause other routing processes to fail and even drop packets flowing through the device.

Now I know what you are saying: just buy a new router, and I agree something needs to be done, but I'm one of those people that sometimes likes to do things the hard way.

The Cats are still more than capable of doing just internal routing and switching, and in the ever-ongoing battle to reduce costs I'm open to the idea of rolling my own 10gig BGP router.

I know the FRR project seems to be the latest hotness but I wanted to ask if anyone has really put it through its paces.

What underlying hardware did you use to run the software on?

We have a lot of opensource software already within our network so that isn't a major concern.

So anyone here seen or done it before?

I'll most likely end up going with one of the major networking vendors, but it really grinds my gears the nickel-and-diming they do with features and support.

So feel free to tell me I'm an idiot for even considering it but tell me WHY I'm an idiot.

Hope everyone has a great day.



Any way to include a full block (U+2588) character in the login banner of a Cisco Catalyst 3560?

I am trying to do something silly and superfluous with a giant ascii art banner. Specifically it breaks for me when I attempt to include the full block character or a few others.

The full block is interpreted incorrectly and becomes circumflex+full block like so:

This:

"█████╗"

Becomes This:

"â█â█â█â█â█â•╗"

Any workarounds?



[AMA Request] AOL network engineers from the 90's and early 2000's

A lot of us grew up on the free floppy disk providing internet provider, but not a lot of us know what was going on in the background. What was it like working at the largest internet provider at the time? How did you manage the network? What was it like during the transition from dial-up to broadband? Where are the bodies buried?



Crazy IPSec VPN Issue

I was recently turning up a VPN with a new outside party and have been running into some issues (as you do). The tunnel would not come up on phase 2 between Cisco IOS and a Fortigate device. I didn't have PFS configured on my side, but it was configured on the remote side. My fault, whatever. However, this is where the weirdness starts.

They could initiate a ping and successfully ping a device (echo, echo reply) on my network, but I could not initiate phase 2 and send any traffic from the same interface on the same device. I would only get "send errors" on my phase 2 SA. This is with PFS enabled on their side, but not enabled on mine, which I would expect given the way it was configured. I verified they sent ping packets from their side to ours and saw the encaps and decaps on that specific SA.

Why is this?? What kind of black magic mess am I dealing with here?



How to explain to management what network requirements are?

A little background: I'm currently working for a company that has habitually neglected infrastructure to the point that the business started to fail because of it. The board rallied, fired the problem management, hired new people, and spent a boatload of money. One of those new people hired is myself. I've been tasked with constructing a brand new environment from the ground up, so naturally I scheduled a meeting with the CIO to determine the company's network requirements. Unfortunately, the CIO had no idea what I meant. I tried to explain that the network has to meet the requirements of the business and so I just need a list of objectives. The CIO didn't know what that list of objectives needs to entail, and I honestly don't know how to explain what I need at a company whose business objectives are still brand new to me. Does anyone know a way to prompt non-network people into understanding what I need to know so I can start designing the network?



Which SFP...

Howdy Reddit.

Exhausted all of my local options and navigating the maze that is cisco.com has not produced results that make me feel warm and fuzzy.

Long story short, I'm standing up a new WAN circuit. The provider is pitching me an optical signal, 1300nm, 100 Mbps MPLS. That is all the details I have on the circuit. Is it single-mode, multi-mode, I dunno. The provider is vague on those details and the patch panel/fanout tray jacketing is stripped clear into the wall. At 1300nm, I'm *assuming* SM. For all intents and purposes, courtesy of the MPLS, this is just an incredibly long wire for a point-to-point structure we're standing up. I've pushed 1300nm across MM fiber before, but I felt dirty about it. I'm really not worried about the cable type as much as I'm sweating the SFP.

I cannot seem to find a correct SFP that meets 100Mbps *AND* 1300nm. I'm feeling right stupid about it. It shouldn't be this hard.

My device I'm landing this on is an ISR 4431. I need an SFP with an LC jack. 100Mbps.

I bought this one in the blind:

https://www.cdwg.com/product/Proline-GLC-FE-100BX-D-Compatible-100Base-BX10-D-SMF-SFP-module/2456833, a GLC-FE-100BX-D. Based on specs, it matched wavelengths and speed, so I felt good buying it. Then it showed up and half the damn thing is half-shielded. Never seen an SFP like it. I need both tx and rx.

Because I was unsure about this SFP and we're cool with our budget people and RMAs, I also bought:

https://www.cdwg.com/product/Proline-GLC-FE-100BX-U-Compatible-100Base-BX10-U-SMF-SFP-module/2456832, a GLC-FE-100-BX-U. Same problem. Half-shielded.

I've run through the Cisco compatibility matrix, can't seem to find a winner. 100Mbps seems to be what's gumming up the works.

Open to suggestions if anyone has the time. All inputs are appreciated.

- A



looking into pocketethernet tool, anyone have any thoughts on it or anything better in that price range?



Internal firewalls, Palo Alto and Fortinet model comparison

Hello, I work in a midsize company in the production industry. We have 1000 employees, 300 of these are working in the office space; we host all of the servers/systems here in our own datacenter, about 200 virtual machines.

We are now starting to look at internal firewalls and have been in contact with both Palo Alto and Fortinet and have gotten price offerings and models that they want to sell us, that they think should be good in our environment.

Fortigate wants to sell us the 1500D and Palo Alto wants to sell us the 3220.

It's obvious that these are two different types of products, and the real question is about Palo Alto's counterpart for the 1500D and Fortinet's counterpart for the 3220. What models are comparable in price/performance?

We have tried to measure the throughput in our HP core switches that do the core routing at the moment. The bandwidth is low except for short bursts of backup jobs and data transfers that could be excluded from the internal firewall. It's hard for us to give an exact number for the bandwidth because of how the network infrastructure is built.

The problem is that we feel that we are given price offerings at two different places in the product ranges which makes it very hard to compare the prices and the performance.

Edit1: I removed some text, it just made the question more complicated than it needed to be.



Daisy chained switch right next to main trip switch.

I have a question. I am currently doing contract work in a factory where they have 3 kA of power running over the Cat 5 UV-shielded cable for less than 2 m. When you get close to the trip switch your arm hair stands up, and I also told them it's causing the phone interference. Is there a way to show them that amount of electricity is causing a lot of interference? The network switch that is feeding the phones' VoIP is also very close to the power board, and a lot of the ports have started to die in the past 2 weeks and I'm being blamed. Just looking for an explanation and advice.



Network Racks for cabling

Spec'ing out a whole new facility. What racks would you recommend for Cat6 and 72-strand or higher fiber coming in? These racks would basically be for switches, and Cat6 and fiber patch panels. Needs to be a 4-post enclosure. I feel like going with the standard 4-post server racks doesn't allow enough space on the sides.

What kind of network racks do you all use, brand-wise?



Cisco ISE "deployment trust"

Hey fellow networkers,

does anybody know which certificates are used to establish the trust in an ISE deployment? I just renewed the "admin usage" certs on two Administration Nodes because the self-signed certs are running out in a few days.

My guess is that the initial trust between the nodes was made with the said self-signed certificates, because I had to install the certs across the ISE nodes before I was able to join them. Will the new certificates from now on be used in the deployment trust? Or is it more like "trust an ISE node once and forever, I don't care about certificates anymore"? Or is there a mechanism which is independent of (installable) certificates because a hidden trust is established?

Thanks in advance



[Question] Does anyone know of a videostreaming protocol with following behaviour?

Hi! I have a drone which I would like to control from a PC. It can be controlled by an app, so it should be possible. If I connect via TCP, the drone sends a message of 20 bytes, and if the app doesn't answer with the correct 12 bytes, the drone closes the connection. Has anyone here seen something like this before? Sorry if this is not appropriate on this sub...

The 20 bytes are somewhat organized, with a counter and something like a pattern; the 12 bytes are completely random, the reverse-engineered code uses arc4random() functions.

Thanks in advance!



Cisco ASA 5520 Config

I recently picked up a Cisco ASA 5520 to replace a Cisco RV320. Now I am not much of a routing or firewall expert, not even close, but every project I have worked on over the years has had the Cisco ASA involved, just not config'd by me. I was able to get the CLI up and running and engage the ASDM. I was able to update the username and password and get logged into the ASA via the ASDM. However, that is about as much success as I have been able to have. I have a pretty complex network with four VLANs: Server, Wired Client, Wireless Client, and DMZ. I also have a static IP address through my internet provider. I started off by configuring the interfaces. 0/0 was configured with my static IP. I then created the four VLANs off the 0/1 interface. So now I have: 0/1.1 (192.168.79.X), 0/1.2 (192.168.80.X), 0/1.3 (192.168.1.X), and 0/1.4 (192.168.0.x). Each has been configured with an IP address from its respective subnet. Next I created a static route which pointed 0.0.0.0 to the gateway IP address for my internet provider. I guess this would be a good time to mention that my modem is in bridge mode. Next I set up the DHCP relays for each of the VLANs. At this point I figured I would start seeing my clients getting IP addresses from the DHCP servers in the Server VLAN; however, they are not. The servers in the Server VLAN are getting IP addresses as they should, since they are on the same subnet. I know I am missing a step somewhere. I thought it might be creating the NAT objects, but when I opened the NAT rules they were all already there for me.

Any ideas or suggestions are greatly appreciated.



Cant connect to anything via VPN?

It's DNS.

Clients were connecting fine via VPN. Successful authorization. However, they couldn't access anything in the network or access the internet. Turns out the DNS servers the clients were assigned after login were not responding. Me being the smartass, I sent a screenshot of telnet to port 53 timing out. Then one of the senior engineers reminded me that you can't use a TCP service to check a UDP port.

TIL: DNS works on UDP port 53, and TCP port 53 is used for zone transfers and other exotic stuff.
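
A TCP connect to port 53 proves nothing about whether UDP/53 answers, which is the check the post needed. The following is an added Python example, not code from the original post: it builds a DNS A query in RFC 1035 wire format, parses the reply, and includes a constructed stand-in responder (build_a_response) so the parser can be exercised offline; probe_udp is the function to run against the resolver address the VPN hands out. The name example.com and the address 192.0.2.10 used in the sample are assumptions for illustration. parse_response also reports the TC bit, the case where a resolver retries the same query over TCP/53, which is the other routine use of TCP besides zone transfers.

```python
import ipaddress
import socket
import struct


def _encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _read_name(buf, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | buf[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(name, qid=0x1234):
    """Standard recursive A query: 12-byte header + one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD set
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)  # A, IN


def build_a_response(query, ip, ttl=60):
    """Constructed stand-in for a resolver: echo the question, add one A record."""
    qid = struct.unpack("!H", query[:2])[0]
    _, qend = _read_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)       # name -> offset 12
    return header + question + rr + ipaddress.IPv4Address(ip).packed


def parse_response(buf):
    """Parse header, skip the question, collect A records from the answer section."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", buf[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):
        _, off = _read_name(buf, off)
        off += 4                                 # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
    return {"id": qid, "rcode": flags & 0xF,
            "truncated": bool(flags & 0x0200), "answers": answers}


def probe_udp(server, name="example.com", timeout=2.0):
    """Send a real query over UDP/53. Returns the parsed reply, or None on
    timeout, which is the symptom in the post. A TCP connect to port 53
    says nothing about this path."""
    qid = 0xBEEF
    query = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    reply = parse_response(data)
    if reply["id"] != qid:
        raise ValueError("transaction id mismatch")
    return reply
```

From the VPN client, `probe_udp("<assigned resolver>")` returning `None` reproduces the failure in a few lines; a reply with `truncated` set is the one case where a follow-up TCP/53 test is actually meaningful.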



Thursday, July 19, 2018

Need some resources

Hey there. I've been working in desktop support and help desk management for a few years, but networking has typically been one of my areas of opportunity. Every team I've worked on has had "the networking guy" that swoops in when any issues crop up, so I haven't had as much exposure to these topics as I'd like.

Anyway, I've got an interview for senior technician/supervisory position in a few days and part of the job description lists L2 networking, firewall configuration, and VPN deployment as desired skills. I have a basic understanding of these topics, but I'd love to brush up on them and round out my base of knowledge so that I'm confident and prepared going into the interview.

Can anyone suggest any resources, online courses, etc that would give me a strong foundation with which to answer questions about these topics? Any help is greatly appreciated!



Transfer AP licenses from Aruba

I have an Aruba 4704 which has an Alcatel skin on it. I want to move the AP licenses to a 7210 so we can finally decommission it. I called Aruba and they said I need Alcatel to do it. Sadly we don't have support with them anymore. Is there a way I can do this myself?



Factory reset switches in prod. network

Hello all,

I've been tasked with fixing an existing network that I don't know much about (config-wise); furthermore, the old technician kept everything in his head, so I have no passwords. All the switches are HPE and the clear button to clear passwords has been disabled. This is a production network with 4 servers (dual NICs) and about 200 static-IP'd devices split between 2 locations.

Building A has 6 switches which all connect back to a fiber switch that brings the connection to building B.

Building B has 6 switches. The main MDF has 3 switches and the fiber from building B along 2 pairs of unlabeled strands. The other 3 switches all have 2 pairs of fiber strands going back to I don't know where yet; still trying to hunt it down. I have no idea how everything is configured now, but there are two different IPs, VLANs I think, and this network does not have any outside access, just to its own devices.

We need to reset all the switches as we are finding ports have been disabled when trying to add new devices. So my plan is to factory reset all the switches and make a flat network; however, it seems that we are getting close to our IP limit, so I need to think about future-proofing the setup a bit. My new plan is to create a few new VLANs, some for the new IP range when we re-IP all the devices (at some point, since we don't know what device lands where) and some for the existing IP range so I get them back up and running as soon as possible. Just looking for some advice on the config. Also, VLANs can cross-communicate with one another, no segregation needed.

Should I create all the VLANs on all switches, trunk them on the fiber ports, and assign the ports to each specific VLAN at the switches?



Need Help Configuring an ASA 5506

We have a legacy machine (pre-Win 7) that needs to stay on the network, as it runs old software that pulls from devices. It was decided to put a firewall in front of it. It's been a while since I used a Cisco ASA (it's been Fortinet), so I just need the legacy device to access a few ports. It also still needs to retain its IP address.



Need Assistance with Cisco to Checkpoint Site to Site VPN issue

Hey guys,

I used CCP to setup a site-to-site vpn between a cisco router and a checkpoint firewall

Upon debugging I get the following phase 2 error:

https://imgur.com/a/mnxpVS4

Tunnel checks in CCP shows that the tunnel is down

running configs-https://pastebin.com/Y9PrVaJX

my local traffic is 10.192.0.0 remote is 172.16.54.0



Load balancing two different consumer grade internet connections?

I have one ADSL line and one fiber-over-coax connection. Through the power of cabling(tm), it means I'm able to present 2 live internet connections to a load balancer of some sort.

Also part of the setup will be a Bitdefender Box, probably located just before the load balancer on the inside of the network. I don't need a DMZ.

Is there a simple, generally accepted solution for something like that?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



At what point did you realize that you were a senior?


[meta] How would /r/networking feel about adding reddit's new chatroom feature?

I guess this is a poll so to speak, to see how the /r/networking community feels about adding the chat functionality to this sub. It is similar to what you would expect from an IRC channel or Discord.

There are many pros and cons. Pros I can think of are real-time support and a home to general chit chat that doesn't deserve its own post. Cons would be increased moderation load and distraction from the subreddit.

Also, if you have no idea what the hell I'm talking about, check out these links:

http://reddit.com/chat

https://www.reddit.com/r/community_chat/comments/8465bl/welcome_to_rcommunity_chat/



Spanning tree + Allows vlan question

Probably an obvious question...but with regards to spanning tree...

I have 2 access switches connected to the core (root). Each access switch is mostly dedicated to a particular VLAN, let's say VLAN100 and VLAN200 respectively, and they are limited to these VLANs through "allowed vlan" on the trunk.

Now I want to add a redundant link between the 2 access switches.

So now let's say the link to the core goes down for the switch with VLAN200 ports. Those ports now have to traverse the redundant link and ultimately the core link that is only allowing VLAN100. This effectively blocks VLAN200, am I right? So for this to work I would need to add all possible VLANs that might flow through those trunks to the core?
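
To make the question concrete, here is an added Python model of the three switches (a constructed topology, not code from the post): each trunk carries the set of VLANs allowed on it, and a breadth-first search reports whether a given VLAN can reach the core over the links that are up and allow it. Spanning tree only picks among links that exist for a VLAN; a VLAN pruned from a trunk's allowed list is simply absent on that link, so no reconvergence can carry it there. The Cisco `switchport trunk allowed vlan add` wording in a comment is the command that fixes a pruned trunk; the switch names are assumptions.

```python
from collections import deque


def build_trunks(core_sw1=(100,), core_sw2=(200,), sw1_sw2=(100, 200)):
    """Constructed topology: core is the STP root, sw1 serves VLAN 100,
    sw2 serves VLAN 200. Trunks are keyed by their two endpoints."""
    return {
        frozenset({"core", "sw1"}): set(core_sw1),
        frozenset({"core", "sw2"}): set(core_sw2),
        frozenset({"sw1", "sw2"}): set(sw1_sw2),   # the new redundant link
    }


def vlan_path(trunks, src, dst, vlan, down=()):
    """Return the list of switches a frame in `vlan` can traverse from src
    to dst using only trunks that are up and allow that VLAN, or None.
    `down` is an iterable of (a, b) pairs naming failed links."""
    down = {frozenset(pair) for pair in down}
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for link, allowed in trunks.items():
            if node not in link or link in down or vlan not in allowed:
                continue
            (nxt,) = link - {node}
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def blocking_trunks(trunks, vlan, down=()):
    """Trunks that are up but prune `vlan`: the ones to fix with
    'switchport trunk allowed vlan add <vlan>' (Cisco IOS syntax)."""
    down = {frozenset(pair) for pair in down}
    return sorted(
        tuple(sorted(link)) for link, allowed in trunks.items()
        if link not in down and vlan not in allowed
    )


if __name__ == "__main__":
    t = build_trunks()
    print("VLAN 200, core-sw2 down:", vlan_path(t, "sw2", "core", 200, down=[("core", "sw2")]))
    print("trunks pruning VLAN 200:", blocking_trunks(t, 200, down=[("core", "sw2")]))
    fixed = build_trunks(core_sw1=(100, 200), core_sw2=(100, 200))
    print("after fix:", vlan_path(fixed, "sw2", "core", 200, down=[("core", "sw2")]))
```

With the original allowed lists the failure case returns `None` and `blocking_trunks` names the core-sw1 trunk; once both core uplinks carry both VLANs, the detour sw2 -> sw1 -> core exists and STP can use it.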



Catalyst 9500-40x caveat with Stackwise Virtual and a block of serial numbers

A co-worker of mine ran into a fun issue last week where the stackwise virtual configuration would not come up between two brand new Catalyst 9500-40X switches, spending hours in diagnostics, and getting TAC to verify the configuration.

They discovered when issuing the "show version" command, the MAC address listed in that output showed the base ethernet switch mac as being 00:01:02:02:aa:bb, instead of the actual burned-in address of the switch. Both switches shared the same MAC address, no wonder Stackwise Virtual wouldn't work!

TAC had to guide my co-worker into the rommon bootloader, and the procedure they performed is as follows:

Once in rommon, run set command and check the MAC address of the switch listed there, it should match what is on the chassis, and not the aa:bb address. Also run the settlv command and verify that the MAC address - Base is also set to the MAC address in xxxx.xxxx.xxxx format.

Once you have collected the MAC address from the above commands, issue the set MAC_ADDR=xx:xx:xx:xx:xx:xx, make sure you take the MAC address you collected from settlv and convert it to the xx:xx:xx:xx:xx:xx format before using the set MAC_ADDR= command!

Once done, issue the reset command in rommon, and watch the system reboot. This should make the MAC address correct in show version, and consequently allow Stackwise Virtual to work correctly!

Apparently this affects some switches with serial numbers starting with FCW2146XXXX to FCW2217XXXX.

In case it helps this is in reference to bug number CSCvj43609.
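
A pre-flight check for the condition described above, added here as an example (not code from the post or from Cisco): it pulls the base MAC out of `show version` text, flags the placeholder value 00:01:02:02:aa:bb the post reports and any duplicate across the pair, and renders the rommon `set MAC_ADDR=` line from a settlv-style dotted MAC in the colon format the post says that command expects. The exact `Base Ethernet MAC Address :` line format in the sample outputs is an assumption, and the sample MACs are constructed.

```python
import re

# Placeholder base MAC reported in the post; both affected switches showed it.
PLACEHOLDER_MAC = "00:01:02:02:aa:bb"

_MAC_HEX = re.compile(r"[0-9a-f]{12}")
# Assumed 'show version' line format; adjust the label if your output differs.
_SHOW_VER_RE = re.compile(r"Base Ethernet MAC Address\s*:\s*([0-9A-Fa-f:.\-]+)", re.I)


def normalize_mac(raw):
    """Accept xxxx.xxxx.xxxx, xx:xx:xx:xx:xx:xx or xx-xx-...; return xx:xx:xx:xx:xx:xx."""
    digits = re.sub(r"[.:\-]", "", raw.strip()).lower()
    if not _MAC_HEX.fullmatch(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def to_dotted(mac):
    """settlv / show interface style: xxxx.xxxx.xxxx."""
    digits = normalize_mac(mac).replace(":", "")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def base_mac_from_show_version(text):
    """Return the normalized base MAC from 'show version' text, or None."""
    m = _SHOW_VER_RE.search(text)
    return normalize_mac(m.group(1)) if m else None


def rommon_fix_command(settlv_mac):
    """The rommon command from the post, with the colon format it expects."""
    return f"set MAC_ADDR={normalize_mac(settlv_mac)}"


def check_stackwise_pair(show_versions):
    """show_versions: {switch_name: 'show version' text}. Returns a list of
    findings; an empty list means no placeholder and no duplicate base MAC."""
    findings = []
    seen = {}
    for name, text in show_versions.items():
        mac = base_mac_from_show_version(text)
        if mac is None:
            findings.append(f"{name}: base MAC not found in show version")
            continue
        if mac == PLACEHOLDER_MAC:
            findings.append(f"{name}: base MAC is the placeholder {PLACEHOLDER_MAC}; fix in rommon")
        if mac in seen:
            findings.append(f"{name}: base MAC {mac} duplicates {seen[mac]}")
        else:
            seen[mac] = name
    return findings


# Constructed sample outputs (not real device output): only the one line
# the check relies on is reproduced.
SAMPLE_BAD = {
    "sw1": "Base Ethernet MAC Address          : 00:01:02:02:aa:bb\n",
    "sw2": "Base Ethernet MAC Address          : 00:01:02:02:aa:bb\n",
}
SAMPLE_GOOD = {
    "sw1": "Base Ethernet MAC Address          : 0012.3456.789a\n",
    "sw2": "Base Ethernet MAC Address          : 0012.3456.78ab\n",
}

if __name__ == "__main__":
    for finding in check_stackwise_pair(SAMPLE_BAD):
        print(finding)
    print(rommon_fix_command("0012.3456.789a"))
```

Run it against the two `show version` captures before attempting the pairing; the chassis label, `set` and `settlv` in rommon remain the source of truth for the value to program.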



I don't feel qualified, despite being 8+ years in the field.

Kindly ignore my writing skills. English is not my first language. I finished my bachelor's in electronics and communications a decade ago. The only subjects in my bachelor's that I scored an "A" in are wireless communications, network theory, digital communications, microwave theory, satellite communications and linear integrated circuits. I continued with a master's in electrical engineering with a major in computer network theory and advanced network theory. I built my very first router on FreeBSD that could function as a "router on a stick" with failover capability. I even created a script that could send SNMP alerts to my mail, which of course never worked. As I graduated, I passed the CCNA with the help of Packet Tracer, the internet and basic Cisco switch hardware. That is where my real struggle started: for 9 months after graduation I did nothing but study and practice on Packet Tracer to find my first job. It was a fairly well paid job but a short 3-month project. My task was to design and build a security NAC device that runs Linux with HA and single sign-on capability. I spent hours in the lab, building and testing the design, and even spent weekends trying to make simple configurations work. I passed the final pilot design to the full-time engineers and called it a day. It gave me enough thrust to push my career on to a second job, which was a "certified network engineer" role. The job was easy and simple, with enough scope to learn new environments and technologies. Level 3 engineers used to prepare the design and configuration for us (admins) to execute during weekends and off-production hours. This is where I first implemented routing/switching protocols in a real production environment. Here is where I learnt how PPP works, how WLC/LWAP and autonomous APs, mesh APs, data center switches like Nexus, WAAS and QoS work, and as I became senior I got hands on CSM and ACE, VGs and H.323 protocols etc., and I was laid off after 2 years because of budget.
Ever since, for the past 6 years, I have been purely working in a routing and switching environment, and recently decided I should try a new job that gives me the same hands-on experience in network security, wireless security, load balancers/application managers, cloud or SD-WAN. As I appear for interviews, I lose all my self-confidence, failing to answer some questions that are considered very basic by some. For example, in one interview the interviewer asked me how DHCP client-server requests are exchanged. I was able to answer how the multicasts are sent by the client, how IP helpers act as relays for DHCP packets, how option 43 is required for LWAP DHCP clients etc., but to the question about what the DHCP messages are (discover, offer, request, acknowledge), I had no answer. I can answer questions on how BPDUs are exchanged for STP etc., but when asked what is the lowest priority you can use for STP, my answer was 4096, which was in fact very wrong. And this happens with dynamic routing protocols like EIGRP and OSPF as well. While troubleshooting EIGRP, I have probably seen 6 to 7 scenarios in all my life, most of them being L2 loops, SIA and issues like unidirectional multicast, seen mostly while troubleshooting PPP telco links. When the interviewer goes a little out of my comfort zone and shoots a scenario that has a predefined answer, I simply can't answer him as if the answer is right in front of me. I start analyzing the scenario and I start the answer with multiple show command outputs, logs, recent config changes and debug output, then come up with a possible conclusion on where the issue probably originated, based on multiple possibilities. Whereas the interviewer expects me to give a "BINGO" right away, as if I work on that scenario every day! This makes me introspect: am I really worth it? Am I really poor with my skill set? How do you folks out there prepare beforehand for interviews? Is there a particular type of homework that I have to do beforehand?
Should I prepare upfront for more scenarios than those that I actually ever implemented and be ready to answer? And second, I would like to be a wireless security guy. I have wireless experience with a couple of certifications but no experience working with firewalls, proxy servers, ACS or ISE. I recently took CCNA Security and Palo Alto ACE. But with the level of confidence that I have at the moment, I feel terrible looking at how fast the network field is moving towards cloud/virtualization, and I am still here introspecting what I should do to present myself better during interviews. I am sad that I am not the same network engineer I was when I first graduated from university :'(



Need Help! Cisco 3850 48PoE switch

Hi All,

I'm a Help Desk Manager and we recently had to let go our network engineer and, I kid you not, the next day the internet goes down. I have just very, very basic knowledge of all things networking but managed to get a few people hardwired connections.

I know the Cisco 3850 is the problem because when I walked in, all the APs were off. I looked in the MDF and there's just a blinking green light over "SYST", which I think means it's failing POST?

We have a Cisco 3850 switch in both our MDF (1st floor) and IDF (2nd floor). The MDF 3850's port 48 was set up to be the port that accepts the incoming internet via Ethernet. The IDF 3850 was set up to accept internet via fiber, via fiber cards in the front.

  1. Would it be easier to just swap out the 3850s and change the IDF's port 48 to be the internet input? If so, how do I do this?! Really, I need to learn this

  2. Would it be easier to fix the blinking green light?



Utilizing two Fiber Channel Switches with one big zone

So, if I were to have two Brocade G620 switches. We have 2 NetApps with a total of 4 controllers. We would like to use the two FC switches in a way that would allow for one to crash but still keep the storage network up. Is there anything such as "stacking" to make this possible?

Thanks



802.1x Wired Security

I am thinking about implementing wired security on my network. We already have the RADIUS server and certificate server because we use 802.1x for wireless. I had a very limited time to see a wired implementation at my last job. And there, when a client was not authenticated, the port went into a VLAN with no access to anything. I've pulled up a bunch of articles on 802.1x today but haven't been able to find anything about assignment of a VLAN to a failed client.

What I would like to do is have it drop into a vlan with access to the internet only (guest setup) when it fails dot1x. I can't really contact anyone from my last job because all the people who did the configuration are in different countries and I'm just not finding what I need. Can anyone point me in the right direction? I can build out the vlan and acl just fine. But I'm lost on the dot1x configuration of it.



Which route should win

I'm troubleshooting a backup connection. Which should win if these routes are listed in this order?

ip route 0.0.0.0 0.0.0.0 192.168.58.253 250

ip route 10.22.6.0 255.255.255.0 192.168.58.251 250



Adva FSP 3000 U-Boot Issue

Hi there,

I have an Adva FSP 3000 R7 which is failing to boot, U-Boot shows the following error:

U-Boot 1.2.0 (rev. 34 - Sep 29 2009 - 17:19:58)
CPU: 8544_E, Version: 2.1, (0x803c0121)
Core: E500, Version: 2.3, (0x80210023)
Clocks: CPU: 799 MHz, CCB: 533 MHz, DDR: 266 MHz
L1: D-cache 32 kB enabled, I-cache 32 kB enabled
Board: NemiV3 PCB: 3 Assembly: 1 (2c0e) CA-ID: 3
LBC: 33 MHz
DRAM: 1024 MB
FLASH: 8 MB
SRAM: 4 MB
L2 cache 256KB: enabled
FPGA: Revision: 5 ID: 6
In: serial
Out: serial
Err: serial
Net: eTSEC1: PHY is generic PHY (221450)
eTSEC1
IDE: Bus 0: OK
Device 0: Model: SanDisk SDCFAA-004G Firm: HDX 6.02 Ser#: AIZ052711233519
Type: Removable Hard Disk
Capacity: 3815.0 MB = 3.7 GB (7813120 x 512)
Error (no IRQ) dev 0 blk 0: status 0x51
Autobooting in 3 seconds
## Booting image at 00400000 ...
Bad Magic Number
=>

Environment is as follows:

=> printenv
bootdelay=3
baudrate=19200
loads_echo=1
pppuse=no
resetpasswords=no
ethact=eTSEC1
SN=
ethaddr=xx:xx:xx:xx:xx:xx
eth1addr=xx:xx:xx:xx:xx:xx
ethbpaddr=xx:xx:xx:xx:xx:xx
bootcmd=diskboot 400000 0:2; diskboot 900000 0:2 2E0000; bootm 400000 - 900040
applarg=/dev/hda6
bootargs=root=/dev/hda7 idebus=66 hda=bswap rootflags=data=journal
FSPxx=ncuII
stdin=serial
stdout=serial
stderr=serial
Environment size: 396/3548 bytes
=>

I assume the firmware image is somehow corrupt, can anyone assist with recovery?

Many thanks,
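Added example (not part of the original post): what "Bad Magic Number" actually tests. `bootm` expects a 64-byte legacy uImage header at the load address, checks its magic (0x27051956), then the header CRC and the data CRC, and prints one of those three errors when a check fails. In the log above, `diskboot 400000 0:2` is supposed to place that image at 0x400000, but the IDE read error just before it (`status 0x51`, ATA status with the ERR bit set) means the CF card could not be read, so whatever was already in RAM gets handed to `bootm`. The Python below is a stand-alone parser that applies the same checks, plus a small builder used only to construct a valid test image; it is not ADVA or U-Boot code, and the field names are the standard uImage ones.

```python
import struct
import zlib

IH_MAGIC = 0x27051956          # legacy uImage magic, what bootm looks for first
IH_NMLEN = 32
# Header layout, all big-endian: magic, hcrc, time, size, load, ep, dcrc,
# os, arch, type, comp, name[32]  ->  64 bytes in total.
_HDR = ">IIIIIIIBBBB32s"
IH_HEADER_LEN = struct.calcsize(_HDR)


def parse_uimage_header(blob: bytes) -> dict:
    """Validate a uImage the way bootm does; raise ValueError with its message."""
    if len(blob) < IH_HEADER_LEN:
        raise ValueError("image too short for a uImage header")
    (magic, hcrc, _time, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(_HDR, blob[:IH_HEADER_LEN])
    if magic != IH_MAGIC:
        raise ValueError("Bad Magic Number")      # garbage at the load address
    # Header CRC is computed over the header with the hcrc field zeroed.
    zeroed = blob[:4] + b"\x00" * 4 + blob[8:IH_HEADER_LEN]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hcrc:
        raise ValueError("Bad Header Checksum")
    payload = blob[IH_HEADER_LEN:IH_HEADER_LEN + size]
    if len(payload) != size:
        raise ValueError("image truncated")
    if zlib.crc32(payload) & 0xFFFFFFFF != dcrc:
        raise ValueError("Bad Data CRC")          # what 'verify=y' would print
    return {
        "size": size, "load": load, "entry": ep,
        "os": os_, "arch": arch, "type": typ, "comp": comp,
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_uimage(payload: bytes, load: int, ep: int, name: str = "test") -> bytes:
    """Wrap payload in a valid header (only used here to construct sample input).

    os=5 (Linux), arch=7 (PowerPC, matching the e500 core above), type=2
    (kernel), comp=0 (uncompressed).
    """
    body = struct.pack(">IIIIIBBBB32s", 0, len(payload), load, ep,
                       zlib.crc32(payload) & 0xFFFFFFFF, 5, 7, 2, 0,
                       name.encode("ascii").ljust(IH_NMLEN, b"\x00"))
    hcrc = zlib.crc32(struct.pack(">II", IH_MAGIC, 0) + body) & 0xFFFFFFFF
    return struct.pack(">II", IH_MAGIC, hcrc) + body + payload


def check_image(blob: bytes) -> str:
    """Return 'OK' or the bootm-style error text for blob."""
    try:
        parse_uimage_header(blob)
        return "OK"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    good = build_uimage(b"\x00" * 64, load=0x0, ep=0x0)
    print(check_image(good))           # OK
    print(check_image(b"\xff" * 128))  # Bad Magic Number: unread CF leaves junk in RAM
    print(check_image(good[:-1]))      # image truncated
```

The practical reading for the post: a "Bad Magic Number" right after an IDE error points at the CF card (or its partition 2) not being readable at all, rather than at a subtly corrupt image; a corrupt image that still has its header would fail later with a checksum message instead.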



Intercom on network to allow communication between 4 people

Probably a bit hardware related but worth a shout. A medical centre wants to set up an intercom-type system. 3 rooms for Doctor, Dentist & Chiropractor all share 1 nurse/receptionist. They want the ability to talk to the nurse from the treatment room but not broadcast it to each of the other rooms. Ideally they would like the nurse to be able to talk back also. Phones are an option. I was thinking of an intercom like the Hosmart 1500FT LONG RANGE 7-Channel Digital FM Wireless Intercom System for Home and Office (4 Stations), but this does not have the ability for the nurse to reply without changing channel, and it will broadcast to everyone if not careful. Has anyone any ideas of a system that would do what I want? Have wifi in the building and 3 spare ethernet cables in each room. The main cabinet is in the reception beside the nurse. Thanks



Force authentication failure

On a network port we have a PoE phone and a PC connected together. Both devices authenticate successfully using 802.1x. I want to block the PC but keep the phone running. Is there a way to force the PC authentication to fail until we can retrieve it from a remote site? We still want the user to use their phone in the meantime. Is there a way to do it on the switch (Cisco 3850) or does it have to be done using ISE?



120v on 220 backup

We have our main network rack plugged into a 220V outlet with a 220V UPS. All our equipment is on it, with the exception of our cable modem and phone modem. They both list 115V on their boxes. How can I connect them to the UPS?



USG+edgeswitch+UAP=troubles

My configuration:

usg:

  • default IP (192.168.0.1/24)

  • create vlan_10 (teachers) as 10.0.10.1/24

  • create vlan_20 (students) as 10.0.20.1/24

edgeswitch:

  • vlan_1 default vlan
  • vlan_10
  • vlan_20

first:

interface 0/23
description 'trunk to USG'
vlan participation include 10,20
vlan tagging 1,10,20
exit

and:

interface 0/21
description 'UAP library'
vlan participation exclude 20
vlan participation include 10
vlan tagging 1,10
poe opmode passive24v
exit

also for testing purposes:

interface 0/16
vlan pvid 10
vlan participation exclude 20
vlan participation include 10
exit

UAP:

  • connected to 0/21

Currently, if I connect my laptop to 0/16 I get an IP in the 10.0.10.x range (works!!) and can also see the status of my USG (works!!!), but the UAP connected to 0/21 can't be adopted; I get an adoption failed. The UAP was already adopted and previously configured (same USG).

SOLVED!!!!

Updated the firmware from 1.0.1 to 1.8, got "switchport mode trunk", and now the damn thing is working.



anyconnect over wifi

Could anyone think of a reason why the same machine can use AnyConnect over the wired network just fine to VPN into us, but not over wireless?



Management Interface on Cisco 2960XR

I'm doing a new install at a customer site, utilizing the "routed access" design model with 2960XR switches in the Access Layer. We also have a complete out-of-band network for all network devices and use management ports instead of in-band VLANs for Management.

I am seeing that the 2960XR does not support VRF-lite which is used on other platforms to segregate management traffic. So I am having trouble managing these devices on the out-of-band port. (Because we are running ip-routing and EIGRP locally) I have been thinking about using a local route-map on the device to set the nexthop for traffic hitting (and originating from) the management port, but was curious if anyone else had any advice on a better way to use the out-of-band management port on the 2960XR.

Thanks in advance!



If you had to: Cisco vs Aruba Wired

I'm in the middle of a bake off between Cisco and Aruba wired solutions for an enterprise switch replacement project. Comparisons are focused on newer technologies - Aruba's dynamic segmentation/secure fabric, Cisco non-fabric/traditional, and fabric/SDA. While building my list of pros/cons, things that work and don't work, I'm sure there's things that will get missed or not tested, so I'd like to get some feedback from the community to help pad my pros/cons list. Out of these options, what do you like, not like, and what would you buy if cost was no issue?

1) Deploy Aruba dynamic segmentation

2) Deploy Cisco non-fabric, convert to SDA later

3) Deploy Cisco SDA now



L2vpn xconnect mac issue?

MAC address from SW02 can't be learned on SW01.

Setup: SW02--PE02--VC123--PE01--SW01

(XR920)sw02#sh bridge-domain 108
BD mac addr type ports
----------------------------------------------------------------------------------------------
108 609c.9fe3.6548 DYNAMIC Gi0/0/3.Efp108
108 88a2.5eb7.7a76 DYNAMIC Te0/0/24.tefp100 (MAC FROM SW01)

(IOS)sw01#sh mac address-table DY V 108
Unicast Entries
vlan mac address type protocols port
---------+---------------+--------+---------------------+-------------------------
108 88a2.5eb7.7a76 dynamic ip,ipx,assigned,other GigabitEthernet5/11 (RECEIVED FRM OUTSIDE)

Currently the VC status is up, since PE02 received the MAC address. On PE01 the statistics are increasing.

SW02

interface GigabitEthernet0/0/3 (Outside)
 mtu 2018
 no ip address
 load-interval 30
 negotiation auto
 service instance 108 ethernet
  encapsulation default
  bridge-domain 108

interface TenGigabitEthernet0/0/24 (TO PE02)
 mtu 9216
 encapsulation dot1q 108,500-501,822,920-921,2002-2003
 rewrite ingress tag pop 1 symmetric
 bridge-domain from-encapsulation

################################################

interface TenGigabitEthernet0/2/0.108 (PE02)
 encapsulation dot1Q 108
 no ip redirects
 no ip proxy-arp
 xconnect x.x.x.x 11111 encapsulation mpls
  mtu 1600

################################################

interface Bundle-Ether1.108 l2transport (PE01)
 encapsulation dot1q 108
 rewrite ingress tag pop 1 symmetric
 mtu 1618
 service-policy input INTEROUTE-BU1.108-IN

################################################

SW01# Trunk pointing outside and pointing PE01/

Tried creating a BDI and SVI on SW02 and SW01, and it's working: the MAC can be learned from both switches.

Have you encountered this issue?

Thanks



SNMP traps if I already gather syslog?

Should I get SNMP traps too somewhere if I already get all the syslog messages to ELK stack?

We're almost "every-vendor environment" with devices from basically everyone, so we'd like to consolidate all those vendor specific tools to a common open source platform we can manage. Currently we're running LibreNMS, Nagios and ELK stack for logs. Next step would be Elastiflow (or a really good commercial one but haven't really figured out how those are), though last time I tried it I ran into java heap overflow errors...

I'm wondering if we should also get SNMP traps? Right now I don't see why, but maybe I'm missing something? Nagios/LibreNMS polls devices every 5 minutes, so maybe to get info on something that's happening right now?

Also, any ideas what we should actually monitor? For access I'm thinking something like CPU, memory, link utilization, interface errors, uplink state (up or down), maybe temperatures too? For distribution I'd add OSPF/BGP peerings.

Thanks!



Anyone familiar with HoVPN? Is it any different than HVPLS?

My employer has a customer asking if our equipment supports HoVPN or HVPN. They're researching internally, but I thought I'd do some research on my own to see what the rest of the world is talking about in terms of these technologies... get myself up to speed on what the community's doing, then look at our internal implementation of it, if there is any.

My initial thought was that this was just another way to ask about HVPLS, but I wanted to research rather than assume. The first page I found was this one; however, nothing out of the ordinary there. To me that page just describes HVPLS with other terms, kind of like how MEF and Cisco use different terminology for some of the same basic concepts.

The second page I found was this one, which is a Huawei support page, which leads me to believe these are Huawei terms and our customer must be talking to them. That page goes a little deeper than the other page did, but still, this page only describes what I would call a Layer 3 HVPLS service with VRFs configured in multiple places so those VRFs could do route summarization ... unless I'm missing something? I see the page does also mention route reflection but I would presume that's in support of the overall network, not inside the customer's individual HVPLS services.

Then I found this IETF draft document but it only mentions the term HoVPN once and seems to be about MPLS stitching, which can be done with pseudowires as well as multiple VPLSs so I'm not sure if there's anything special there.

All the other pages I'm finding appear to be related to Huawei. Anyone else have any info they can share? TIA



Audible (or other audio book) recommendations for daily commuting?

Audible is my trusty co-pilot for my daily commute, and while there's plenty of good novels available, I was wondering if /r/networking had any recommendations for good non-fiction related to networking.

I've listened to and thoroughly enjoyed Where Wizards Stay Up Late, and Tubes was a mostly enjoyable read as well. Not so much network focused, I've listened to The Soul of a New Machine. I gave up on Hackers - Heroes of the Computer Revolution, although that may have partially been due to the narrator.

Beyond those, I'm mostly at a loss for anything worth getting through Audible for networking. I'm not opposed to using another platform of audio book, Audible just makes things easiest.



Openvswitch connectivity problem

Hey all,

I built the following environment:

both hosts:

Operating System: CentOS Linux 7 (Core)
Kernel: Linux 3.10.0-862.6.3.el7.x86_64
Architecture: x86-64

ovs-host 1 with the local IP of 10.1.247.123

2 physical ports: eth0 and eth1

- eth0 is connected to an IP network (the network is in a VLAN) with connectivity to the internet (ISP)

- eth1 is connected to a switch, and on this switch there is a device (CentOS 7 machine)

I installed OVS version 2.9.2 on the host to use VXLAN tunneling over the ISP network.

host1 interfaces:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 70:71:bc:62:d6:38 brd ff:ff:ff:ff:ff:ff
    inet 10.1.247.117/24 brd 10.1.247.255 scope global dynamic eth0
       valid_lft 1192219sec preferred_lft 1192219sec
    inet6 fe80::7271:bcff:fe62:d638/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master ovs-system state UP group default qlen 1000
    link/ether 00:10:18:2b:a7:90 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::210:18ff:fe2b:a790/64 scope link
       valid_lft forever preferred_lft forever
4: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether ea:ec:ff:79:00:8f brd ff:ff:ff:ff:ff:ff
5: bridge1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 00:10:18:2b:a7:90 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.35/24 brd 192.168.0.255 scope global bridge1
       valid_lft forever preferred_lft forever
    inet6 fe80::210:18ff:fe2b:a790/64 scope link
       valid_lft forever preferred_lft forever
6: vxlan_sys_4789: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN group default qlen 1000
    link/ether 46:ce:7a:80:34:e9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::44ce:7aff:fe80:34e9/64 scope link
       valid_lft forever preferred_lft forever

host 1 ovs-output:

# ovs-vsctl show
15b312e1-50d3-4670-9783-2ff89dd7645e
    Bridge "bridge1"
        Port "eth1"
            Interface "eth1"
        Port "bridge1"
            Interface "bridge1"
                type: internal
        Port "vxlan0"
            Interface "vxlan0"
                type: vxlan
                options: {local_ip="10.1.247.117", remote_ip="10.1.247.123"}
    ovs_version: "2.9.2"

This setup is mirrored on the other side of the ISP network.

host2 interfaces:

# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:1a:64:20:5f:b5 brd ff:ff:ff:ff:ff:ff
    inet 10.1.247.123/24 brd 10.1.247.255 scope global dynamic eth0
       valid_lft 1191064sec preferred_lft 1191064sec
    inet6 fe80::21a:64ff:fe20:5fb5/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master ovs-system state UP group default qlen 1000
    link/ether 00:1a:64:20:5f:b6 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::21a:64ff:fe20:5fb6/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 90:e2:ba:49:1c:cc brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 90:e2:ba:49:1c:cd brd ff:ff:ff:ff:ff:ff
6: eth4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 90:e2:ba:49:1c:ce brd ff:ff:ff:ff:ff:ff
7: eth5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 90:e2:ba:49:1c:cf brd ff:ff:ff:ff:ff:ff
8: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 12:ea:06:d9:3b:de brd ff:ff:ff:ff:ff:ff
9: bridge1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 00:1a:64:20:5f:b6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global bridge1
       valid_lft forever preferred_lft forever
    inet6 fe80::21a:64ff:fe20:5fb6/64 scope link
       valid_lft forever preferred_lft forever
11: vxlan_sys_4789: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN group default qlen 1000
    link/ether 5e:38:af:9a:f4:e2 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5c38:afff:fe9a:f4e2/64 scope link
       valid_lft forever preferred_lft forever

host2 ovs output:

# ovs-vsctl show
da282d04-5f50-43c5-89c4-19a7db4e99f7
    Bridge "bridge1"
        Port "vxlan0"
            Interface "vxlan0"
                type: vxlan
                options: {local_ip="10.1.247.123", remote_ip="10.1.247.117"}
        Port "eth1"
            Interface "eth1"
        Port "bridge1"
            Interface "bridge1"
                type: internal
    ovs_version: "2.9.2"

The issue:

Connectivity between host1 and host2 via the IP network is given:

PING 10.1.247.123 (10.1.247.123) 56(84) bytes of data.
64 bytes from 10.1.247.123: icmp_seq=1 ttl=64 time=0.285 ms
64 bytes from 10.1.247.123: icmp_seq=2 ttl=64 time=0.236 ms
64 bytes from 10.1.247.123: icmp_seq=3 ttl=64 time=0.234 ms

PING 10.1.247.117 (10.1.247.117) 56(84) bytes of data.
64 bytes from 10.1.247.117: icmp_seq=1 ttl=64 time=0.294 ms
64 bytes from 10.1.247.117: icmp_seq=2 ttl=64 time=0.244 ms
64 bytes from 10.1.247.117: icmp_seq=3 ttl=64 time=0.247 ms

Also, the connectivity from the bridge to the switch and to the device connected to the switch is given on each side:

PING 192.168.0.22 (192.168.0.22) 56(84) bytes of data.
64 bytes from 192.168.0.22: icmp_seq=1 ttl=64 time=1.06 ms
64 bytes from 192.168.0.22: icmp_seq=2 ttl=64 time=0.214 ms
64 bytes from 192.168.0.22: icmp_seq=3 ttl=64 time=0.217 ms

PING 192.168.0.40 (192.168.0.40) 56(84) bytes of data.
64 bytes from 192.168.0.40: icmp_seq=1 ttl=64 time=0.344 ms
64 bytes from 192.168.0.40: icmp_seq=2 ttl=64 time=0.168 ms
64 bytes from 192.168.0.40: icmp_seq=3 ttl=64 time=0.162 ms

So basically I created 2 separate VLANs, but somehow I can't connect them into one VXLAN, because if I try to reach any interface / device on the other side of the ISP network, the packets just get lost / network is unreachable.

Can anyone help me with this issue, because I really don't know what to try anymore!

Thanks in advance



Arista vs Juniper 2018

Hello, we are a colo/cloud/hosting provider looking to replace some older Juniper kit. We have some MX240s(MPC2), QFX5100, EX4300 and EX4200.

I know some items are not EOL, but we want to redesign to a full Layer 3 fabric with EVPN/VXLAN.

We have four transit providers at 10G each. We would need full tables at the edge with the basics: BGP, OSPF, line-rate filtering, Flowspec (which we know is coming in Q3 for Arista).

We are hearing lots of good things about Arista in the DC and now at the edge, and wondered what people with experience with both think. If we stayed Juniper we would likely do MX204 for edge, QFX10002 core, EX4650 for ToR.

We are also not against looking at Edgecore/Cumulus for everything but the edge.

Thoughts? / Experiences?



[Academic] Survey for B2B companies! Need your help!

Hi,

I am a graduate marketing student from Imperial College and am currently doing research on a B2B topic. Anyone who is an Account Executive/Sales Director/VP, or who has influence on purchasing decisions, is welcome!

It is my first post on this forum. I do not know how many people I can get, but I will really appreciate it if you participate in the following survey.

Just some questions about how B2B companies do business. It takes no more than 5 min. My teammates do not put any hope in this survey because it is hard to get respondents on a B2B topic, but I will give it a try anyway since I am personally interested in the survey result.

Thank you! :)

https://imperial.eu.qualtrics.com/jfe/form/SV_8FX1MV6IXYPRkaN



ipfix Barracuda FW and PRTG

I am working on an IPFIX setup to view flow statistics from our Barracuda firewalls in PRTG.

I did follow the very few manuals on how to set up IPFIX on Barracuda, but either the data is unreliable or totally incorrect.

Did anyone succeed in configuring the Barracuda to work with PRTG?



Juniper OAM LFM action Link-down

I've been asked to look at implementing OAM LFM on some point-to-point links on our network, so I have been reading up on the Juniper implementation.

When you set an action "link-down", does this shut down the interface or just notify the RE/PFE? If the PDUs were then to recover, would the status move to "up" automatically?



Eigrp flap issues, holding time expired.

My setup looks like this: Core 1 <-> layer 2 port-channel 1 & layer 3 port-channel 2 <-> Core 2.

A new cisco-edge switch was added to the core with its default gateway pointing to the new HSRP VLAN 340 on the core pair. There were a few native VLAN mismatches as I was still making changes. Long story short, while making changes for the native VLAN mismatch, layer 3 loops and layer 2 loops flapped EIGRP neighbors consistently. I am trying to find traces of loops but cannot find anything in the logs. I have never seen this happen before while configuring a new HSRP and layer 3 VLAN. There were no spanning tree loops as per sh spanning-tree summary. Also I observed that one of the downlinks, the primary switchport on the edge switch, went into err-disable state. I am trying to figure out if this is a case of layer 3 loops. **What are some design precautions and config design elements that I need to verify to make sure this doesn't happen again?**

Jul 19 12:10:57 utc: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet4/0/11 (999), with cisco-edge switch GigabitEthernet0/25 (240). (CISCO-CORE_switch)
Jul 19 12:12:16 utc: %SYS-5-CONFIG_I: Configured from console by areh on vty0 10.32.0.10
Jul 19 12:12:26 utc: %SW_MATM-4-MACFLAP_NOTIF: Host 0024.8088.8088 in vlan 340 is flapping between port Gi4/0/11 and port Po1
Jul 19 12:12:28 utc: %SW_MATM-4-MACFLAP_NOTIF: Host 0024.8088.8088 in vlan 340 is flapping between port Po1 and port Gi2/0/11
Jul 19 12:12:33 utc: %HSRP-5-STATECHANGE: Vlan922 Grp 0 state Standby -> Active
Jul 19 12:12:33 utc: %HSRP-5-STATECHANGE: Vlan326 Grp 0 state Standby -> Active
Jul 19 12:12:33 utc: %HSRP-5-STATECHANGE: Vlan901 Grp 0 state Standby -> Active
Jul 19 12:12:33 utc: %HSRP-5-STATECHANGE: Vlan222 Grp 0 state Standby -> Active
Jul 19 12:12:33 utc: %HSRP-5-STATECHANGE: Vlan600 Grp 0 state Standby -> Active
Jul 19 12:12:34 utc: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(100) 100: Neighbor 10.22.3.20 (Port-channel2) is down: holding time expired
Jul 19 12:12:36 utc: %HSRP-5-STATECHANGE: Vlan800 Grp 52 state Standby -> Active
Jul 19 12:12:36 utc: %HSRP-5-STATECHANGE: Vlan330 Grp 0 state Standby -> Active
Jul 19 12:12:41 utc: %HSRP-5-STATECHANGE: Vlan922 Grp 0 state Active -> Speak
Jul 19 12:12:41 utc: %HSRP-5-STATECHANGE: Vlan800 Grp 52 state Active -> Speak
Jul 19 12:12:41 utc: %HSRP-5-STATECHANGE: Vlan326 Grp 0 state Active -> Speak
Jul 19 12:12:41 utc: %HSRP-5-STATECHANGE: Vlan330 Grp 0 state Active -> Speak
Jul 19 12:12:41 utc: %HSRP-5-STATECHANGE: Vlan922 Grp 0 state Active -> Speak



question about multiple interfaces

Hi,

So I am currently working on a project which involves setting up a simulated Wi-Fi Direct network. This network is currently running the BATMAN routing protocol, so the interfaces were already set to the bat0 master interface. I have one node which has two interfaces (BATMAN (bat0) interface already set up). I have noticed that packets are only sent through one interface when testing with traceroute. I would like to have packets sent through both interfaces at the same time. I have tried using interface bonding, but get "operation not permitted" when trying "ip link set sta1-wlan0 master bond0". I think this is due to the active bat0 interface. Is it possible to have two master interfaces, or are there any work-arounds?

Thanks



Cisco WAAS Enterprise

Does anyone have any experience with using Cisco WAAS in the enterprise to decrypt and accelerate SSL traffic? How well did it go? Lessons learned?



SSH commands through bash

Hey all,

Long story short, I'm trying to chain together some commands with bash, but I can't seem to understand how to properly make this execute on a switch.

ssh -t 10.6.4.95 -l $myuser "conf" && "int vlan $vlanvar" && "name $vlannamevar" 

The first "conf" command is issued just fine, but I can't seem to make it issue any commands after that, and I get the following:

./autodeploy.sh: line 101: int vlan 1700: command not found 

I'm obviously doing something wrong, any advice?

Edit: Got it working. Thank you, wonderful people!
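Added example (not part of the original post, and not the fix the poster found): why the one-liner above fails, and one way to do it. Bash evaluates `&&` locally, so only "conf" is passed to ssh; "int vlan 1700" is then run by the local shell, which is exactly the "command not found" in the error. The usual remedy is to send the whole CLI script to a single ssh session on stdin, and, since whatever you send is simply typed into the switch CLI, to whitelist the variables first so that a value like `1700; reload` or a name containing a newline cannot become extra switch commands. The Python below assumes (not stated in the post) that the switch accepts CLI input on the stdin of an SSH session with a forced pty (`ssh -tt`), as HP/Aruba and Cisco boxes do; `build_vlan_script` and `push_to_switch` are names chosen for this example, and the host/user values are placeholders.

```python
import re
import subprocess
import sys

# Strict whitelists: a VLAN id is 1-4 digits, a name is a short alnum token.
_VLAN_ID_RE = re.compile(r"[0-9]{1,4}")
_VLAN_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def build_vlan_script(vlan_id, vlan_name: str) -> str:
    """Return the CLI lines to create/rename one VLAN, one command per line.

    Everything returned here is typed verbatim into the switch CLI, so the
    inputs are validated with fullmatch (not match/search, which would let a
    trailing newline and a second command slip through).
    """
    vid = str(vlan_id).strip()
    if not _VLAN_ID_RE.fullmatch(vid) or not 1 <= int(vid) <= 4094:
        raise ValueError(f"bad VLAN id: {vlan_id!r}")
    if not _VLAN_NAME_RE.fullmatch(vlan_name):
        raise ValueError(f"bad VLAN name: {vlan_name!r}")
    lines = ["conf", f"int vlan {vid}", f"name {vlan_name}", "exit", "exit"]
    return "\n".join(lines) + "\n"


def push_to_switch(host: str, user: str, vlan_id, vlan_name: str) -> int:
    """Send the script to the switch in ONE ssh session via stdin.

    Hypothetical helper for this example. -tt forces a pty so the switch CLI
    behaves as if a human were typing; an interactive password prompt, if
    any, is read by ssh from the terminal, not from the stdin we supply.
    """
    script = build_vlan_script(vlan_id, vlan_name)
    proc = subprocess.run(["ssh", "-tt", "-l", user, host],
                          input=script.encode(), check=False)
    return proc.returncode


if __name__ == "__main__":
    # usage: python3 add_vlan.py <switch-ip> <user> <vlan-id> <vlan-name>
    if len(sys.argv) != 5:
        sys.exit("usage: add_vlan.py <switch-ip> <user> <vlan-id> <vlan-name>")
    sys.exit(push_to_switch(*sys.argv[1:5]))
```

If the switch does not take commands on stdin at all, the same validated script can be fed to a proper CLI automation library instead; the point that survives either way is that the commands travel in one session and that the values interpolated into them are checked before they are sent.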



So I had a national provider tell me this was my RFO:

"Our Metro team reports a field technician was dispatched to our equipment and replaced the padding and cleaned the fibers and once the circuit was normalized the errors cleared"

This was their explanation for two separate days of issues. I'm willing to accept that >>>maaaaaybbbbeeeee<<< the end of a fiber cable was allowed to get dirty prior to installation because someone was eating peanut butter without a spoon or something.

But (1) how the hell does a connected fiber cable get dirty? And (2) WHAT THE F(#$ IS "PADDING"? I've honestly not heard this term before, and none of my fiber gear has anything looking like padding on it.