Saturday, July 28, 2018

Wireshark Network Boundaries

This might be a stupid question but I have a capture file and need to identify the network boundary between a private LAN and public IP addresses.

Does Wireshark display the conversations in a way that the private source address is a gateway when communicating with a public IP address, or is the source address potentially a host address within the private network that just doesn't show the gateway address?

I believe the gateway address to be 192.168.1.200 as it is the only IP address listed as having conversations with public IP addresses.

Is this a logical conclusion, or should I be considering 192.168.1.254 as the gateway because DNS requests are sent there and it is a more logical address for the gateway of a private LAN?

Regards

Ad
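An added example, not part of the post or any reply, showing the distinction the question turns on: on a LAN-side capture NAT has not happened yet, so the IP-layer conversations show each host's own address, and the gateway is visible only as the destination MAC of frames bound for public addresses. The frames, MACs and addresses below are constructed to mirror the question, not taken from the poster's capture; running the same check over a real export is what tells the two hypotheses apart.

```python
import ipaddress
from collections import Counter, defaultdict

# RFC 1918 plus link-local. Used instead of ipaddress's is_private, which also
# flags documentation ranges such as 203.0.113.0/24 as private.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_RANGES)


# Constructed sample frames: (src_mac, dst_mac, src_ip, dst_ip). Not real data.
# 203.0.113.5 stands in for an arbitrary public host. The gateway MAC is an
# assumption for the example; on a real capture it comes from the frames.
GW_MAC = "02:00:00:00:00:fe"
FRAMES = [
    ("02:00:00:00:00:01", GW_MAC, "192.168.1.200", "203.0.113.5"),     # host -> internet
    (GW_MAC, "02:00:00:00:00:01", "203.0.113.5", "192.168.1.200"),     # reply via gateway
    ("02:00:00:00:00:01", GW_MAC, "192.168.1.200", "192.168.1.254"),   # DNS query to .254
    (GW_MAC, "02:00:00:00:00:01", "192.168.1.254", "192.168.1.200"),   # DNS answer
    ("02:00:00:00:00:02", "02:00:00:00:00:01", "192.168.1.10", "192.168.1.200"),
    ("02:00:00:00:00:01", "02:00:00:00:00:02", "192.168.1.200", "192.168.1.10"),
]


def boundary_conversations(frames):
    """(private_ip, public_ip) pairs: the IP-layer view Wireshark's Conversations
    window gives you. The private side is the originating host, not the gateway,
    because the capture was taken before NAT."""
    pairs = set()
    for _, _, sip, dip in frames:
        if is_private(sip) != is_private(dip):
            pairs.add((sip, dip) if is_private(sip) else (dip, sip))
    return pairs


def gateway_candidates(frames):
    """The MAC that private hosts address when the IP destination is public is the
    default gateway. Return that MAC together with every private IP it sources
    frames from (its own LAN address, if it ever speaks at the IP layer)."""
    mac_hits = Counter()
    mac_to_ips = defaultdict(set)
    for smac, dmac, sip, dip in frames:
        if is_private(sip) and not is_private(dip):
            mac_hits[dmac] += 1
        if is_private(sip):
            mac_to_ips[smac].add(sip)
    if not mac_hits:
        return None, set()
    gw_mac = mac_hits.most_common(1)[0][0]
    return gw_mac, mac_to_ips[gw_mac]


if __name__ == "__main__":
    print("boundary conversations:", boundary_conversations(FRAMES))
    print("gateway MAC and its LAN IPs:", gateway_candidates(FRAMES))
```

If the capture had been taken on the outside of the NAT device instead, the private addresses would not appear at all and the source would be the gateway's public address.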



Brain-fart atm. Patch panel question.

Hey there guys and gals.

So I am organizing my server rack atm, and basically I have a PFSense firewall. So what I want to do is make everything look neat, I don't want cables going over my patch panel.

So I drew a picture:

https://i.imgur.com/EQ0VI0W.png

So I want port 4 (green cable) to be connected directly into my switch, port 3 the other red/blue cable is the WAN OUT of the PFSense router/firewall. The red cable on the back of the patch panel would be T568B-T568B.

My current setup is:

PFSense

Patch Panel

Switch

So basically my question is: is my logic correct?

Thank you for your time and help! :D



BFD; How much is too much?

Is there any reason not to crank up BFD across as many links as possible? Most of my links are private P2P/VPLS/MPLS. Any kind of practical limit to the number of peers you can or should have?

Only thing I can think of is # of PPS and/or CPU; 50ms intervals makes 20pps per peer. In an environment with hundreds of peers (i.e. VPN aggregation, multiple and redundant WAN links, etc), that starts looking like real numbers.



What is the best router to throttle bandwidth for specific devices?

What is the best router to throttle bandwidth for specific devices?

I have a Netgear R7000 and it says you can only throttle everyone to a certain mbps vs specific users... I want to throttle everyone on my network to like 3 mbps, except for a select few devices.



Cheap 48p + 2SFP+ for iSCSI?

I'm currently using a TL SG2452 to host a virtual 12TB HDD via an iSCSI program called ccboot for 30 clients.

Apparently it's not good enough; clients are experiencing long loading times, freezing, etc. on large games.

I've been thinking of going 10G (the current server is using a quad NIC), but the price difference is not reasonable yet in my country.

So I'm going to try a 10G uplink. I heard switches with a high buffer size would help a lot, but their price is insane.

I've been having a pretty positive experience with the Linksys LGS552 (2*8 Mb buffer), but it's for lower-spec'd clients.

The clients on the LGS552 don't access large files all the time, unlike the ones on the TL SG2452,

so I'm not sure if it'll do the job.

Any recommendations for a cheaper switch with a high buffer?

Also, what is the consensus on buffer needs for iSCSI? I read a high buffer could be a bad thing too.

Currently looking at Arista / Cisco;

Arista has 768 buffer.

The Dell Force10 S60 interests me as well (1.25GB buffer), but I read some people have had trouble configuring it.



Mesh Networking with Raspberry Pis

Want to create a mesh network using Raspberry Pi Zero Ws. I only need them to communicate with each other and don't need to connect to the internet. Any ideas on what OS to use and what mesh implementation to use that will work with the Zero W?



HP 5412zl - module to module traffic not working

Hi everyone,

Has anyone ever run into issues with traffic not passing between modules in a multi-module ProCurve chassis?

I have a 5412zl where VLAN traffic within a single module works fine, but between 2 modules the traffic doesn't pass at all.

Config:

vlan 201
   untagged D19-D24,H18
   tagged H20-H24
   ip address 10.90.x.x 255.255.255.0
   exit

In this example, traffic between H18 and H20 works fine.
But traffic between D21 and H20 doesn't work at all.

This is what show module looks like:

Slot Module
---- ---------
A    HP J8702A
B    HP J8702A
C    HP J8702A
D    HP J8702A
E    HP J8702A
F    HP J8702A
G    HP J8702A
H    HP J8705A

Any insight into this would be much appreciated.



RV Network Questions

Good morning all. First - I am a complete novice when it comes to networking. I am slowly building my network at my home with Unifi gear and am on a steep learning curve there.

This question, however, is about creating a network in my trailer. Let me explain what I am looking for:

I would like to create a network that can be utilized for linking devices together without actually having Internet access. If I download some movies from Netflix/Vudu/Amazon on my phone, I would like to be able to cast them onto my TV utilizing an Apple TV. I could additionally use that network for wireless speakers if needed (Heos).

Additionally, if the campground has decent wifi (which most won't), I could then use my network to help facilitate the traffic on my devices.

I am open to whatever you have. IF you happen to talk over my head (which won't be hard), I may follow up with a question. If it is a silly question, please understand that I am learning! I want to expand my knowledge of networking as it will increase my knowledge here at the house.

Thanks in advance!



MAC Flapping and NIC teaming - How bad?

Got a user who insists on running active/active teaming in switch independent mode with members of the teams on separate switches in a switch stack. There are three hosts configured this way.

The switch stack gets upset, because it's seeing source MACs coming in on different ports, so MAC flapping logs are being constantly generated for the involved ports as the switches fight over the CAM table entries.

Since the links are on separate switches, no port-channels. Since they're 2960s, no VPC or VSS.

My opinion is that to stop the flapping, the teams need to be active/passive.

User says this won't work for them because failover won't be totally seamless and some of their critical flows will be interrupted in the event of one of the NICs failing.

Here's the question - how bad is the constant ARP traffic on the VLAN? Assuming about 50 or so hosts on the stack total and only these three teams (six physical ports) doing the MAC flapping.

I'm thinking that the flapping could eventually cause larger problems than a non-seamless failover considering all of the hosts are on the same VLAN that contains the ARP broadcasts.

I'm not sure there's been a day of typical usage yet since the teams were configured recently, and wondering if we may not see the negative effects of the MAC flapping until all the users are working and generating much more traffic.

What do you guys think? Ignore the flapping or push as hard as possible to get the teams into active/passive? Any other possible solutions I've overlooked, you think?



Study network performance analysis

Hi,

I have recently taken an interest in the "performance evaluation" side of computer networks, and am currently looking for bibliographical references/video courses/lecture notes teaching this stuff. I am particularly interested in IP traffic analysis and ATM network performance evaluation.

For info, I come from a compsci background and would appreciate if the material deals, to some degree, with graph/probability theory. However, it doesn't have to be "theoretical-only": some practice in the form of study cases or other would be very welcome (using, for example, packet analysis and network simulation tools).

Thank you very much!



Got a noob question about dns and reverse dns

My company changed providers and got all new IP space. Everything's working on our new IP space, but I noticed something odd by chance yesterday. The reverse DNS for all our new IPs does not match the forward entry.

For example, if you do nslookup mycompany.com you get back our correct IP address.

But if you do nslookup x.x.x.x (our new IP) it shows something like ispsname-static-bunchofotherjunk.

Basically forward and reverse don’t match. What problems can that cause? The migration happened months ago, and nothing is broken far as I can tell.

Basically if this causes no problems I’d like to leave well enough alone.
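An added example, not part of the post or any reply: the forward-confirmed reverse DNS (FCrDNS) check that mail receivers and some abuse filters apply, which is where a generic ISP PTR usually matters. The resolver is injected and the records are constructed (the hostnames and 203.0.113.x addresses are assumptions), so it runs offline; for live use swap in a real lookup such as socket.gethostbyaddr.

```python
import ipaddress

# Constructed sample records, not real DNS data. PTR answers are keyed by the
# reverse name, A answers by hostname.
SAMPLE_PTR = {
    "5.113.0.203.in-addr.arpa": ["ispname-static-203-0-113-5.example.net"],
    "6.113.0.203.in-addr.arpa": ["mail.mycompany.example"],
    "8.113.0.203.in-addr.arpa": ["stale.mycompany.example"],
}
SAMPLE_A = {
    "ispname-static-203-0-113-5.example.net": ["203.0.113.5"],  # ISP's generic name
    "mycompany.example": ["203.0.113.5"],                        # forward entry
    "mail.mycompany.example": ["203.0.113.6"],
    "stale.mycompany.example": ["203.0.113.9"],                  # PTR left behind after a move
}


def sample_resolver(name, rrtype):
    """Offline stand-in for a DNS lookup; returns a list of answer strings."""
    table = SAMPLE_PTR if rrtype == "PTR" else SAMPLE_A
    return table.get(name.rstrip(".").lower(), [])


def reverse_name(ip):
    # 203.0.113.5 -> 5.113.0.203.in-addr.arpa (works for IPv6 too)
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip, resolve=sample_resolver):
    """Forward-confirmed reverse DNS: fetch the PTR for ip, then require that at
    least one returned name resolves back to ip.
    Returns (status, ptr_names), status in {"confirmed", "mismatch", "no-ptr"}."""
    ptrs = resolve(reverse_name(ip), "PTR")
    if not ptrs:
        return "no-ptr", ptrs
    for name in ptrs:
        if ip in resolve(name, "A"):
            return "confirmed", ptrs
    return "mismatch", ptrs


def ptr_matches_hostname(hostname, ip, resolve=sample_resolver):
    """Stricter check: is the name you publish forward also what the PTR says?
    This is the test the poster ran by hand; FCrDNS can pass while it fails."""
    wanted = hostname.rstrip(".").lower()
    return wanted in {p.rstrip(".").lower() for p in resolve(reverse_name(ip), "PTR")}


if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.6", "203.0.113.7", "203.0.113.8"):
        print(ip, fcrdns(ip))
    print("PTR equals forward name:", ptr_matches_hostname("mycompany.example", "203.0.113.5"))
```

The first address is the poster's situation: the ISP's generic PTR still resolves back to the address, so FCrDNS is satisfied even though the names differ; only a PTR that points at a name whose A record has moved fails outright.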



RADIUS Issue When Attempting to Test 802.1x

I am having a problem with RADIUS on a Cisco 4510. This is the first switch I am configuring with RADIUS. On my NPS the switch is added as a RADIUS client, my switch has the RADIUS and dot1x configs, but nothing is getting through to RADIUS. No firewall on my NPS. I turned on aaa authentication and radius debugging but I am getting no messages logged. Here is the config for the RADIUS part...

aaa new-model
!
!
aaa authentication dot1x default group radius
!
aaa session-id common
!
dot1x system-auth-control
errdisable recovery cause security-violation
!
radius-server host 172.x.x.x key 7 03160E19070B28595D0C0A06
!
interface GigabitEthernet8/27
 switchport mode access
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast

Anyone got any ideas what I have wrong here?



Friday, July 27, 2018

Website loads slowly only for certain geographic regions

(Apologies if this is the wrong place to post)

I am very confused trying to troubleshoot a website connection speed. The site loads fine (<10 seconds) for some and super slowly (60+ seconds, but does load eventually) for others.

There are optimizations I could make to the page to make it load faster, but I'm not worried about tenths of seconds here, I'm trying to solve why it takes 45+ more seconds for some than others.

From my testing, I've concluded it is somehow related to the geographic position of the client that is accessing the site.

Test results (with waterfall of loading times):

Location                Speed (seconds)   Link
New York, NY, USA       60+               https://tools.pingdom.com/#!/cMAMbm/http://uprightbuilders.com/
San Jose, CA, USA       60+               https://tools.pingdom.com/#!/cY3P1R/http://uprightbuilders.com/
Melbourne, Australia    6.64              https://tools.pingdom.com/#!/cLTnbB/http://uprightbuilders.com/
Stockholm, Sweden       3.94              https://tools.pingdom.com/#!/bwms50/http://uprightbuilders.com/
Dulles, Virginia, USA   4.15              https://www.webpagetest.org/result/180728_CK_94920eb047002fcfc101e0a64a073889/
Chicago, Illinois, USA  4.35              https://www.webpagetest.org/result/180728_AD_113233dbe98a58b4ccf7967f1cbc9061/
New York, NY, USA       120+ (timeout)    https://www.webpagetest.org/result/180728_SX_105a83765373a6b73070292217f6ec63/

The site is being hosted on AT&T web hosting. It may be tangentially related, but I tried moving nameservers to Cloudflare to see if that would help, and if anything it just caused it to be slow in more regions.

Does anyone have any ideas that I should try? Has anyone seen anything like this before? My next step is to move hosting providers because AT&T says they don't see anything wrong from their point of view.



How does multihop BGP get traffic to the intended destination?

Say I'm advertising a /24 of 18.0.0.0 to a peer 3 hops away, and my AS number is unique and I have no other peers. I just have a connection out to the Internet from an ISP. I peer with the remote router and advertise my network of 18.0.0.0/24 to that peer, while getting a default route from that peer to send traffic out. No problem so far.

But how does any traffic get to my network? If the remote peer receives traffic to 18.0.0.3, then sends it out using the next hop it uses to establish the BGP peering, the intermediate router between him and me will drop it, because that router has no route to get 18.0.0.3 to its destination at my network.

Does the peer advertise my router's IP as the router to receive the traffic? In that case, the BGP peering is merely for propagation? How would the cost be calculated on the 2 hops that presumably aren't in the BGP table?

Am I missing something here? If not, why would anyone ever peer with anyone that's not directly connected? Johnny Cochran says it does not. Make. Sense!



Free tool to view detailed wireless statistics (RX/TX MCS, retries, drops, etc.) on Windows?

I'm looking for a free or cheap Windows tool that can report on useful things like RX & TX rate, drop, retries, noise etc.

The plethora of available free Windows tools to do this do not seem to include these useful statistics, and instead only reveal the significantly less useful stats such as RSSI, SNR, and "signal strength". There seems to be lots of Linux options such as wavemon, but the Windows tools rarely show this much detail. I'm starting to wonder if this information is simply more obscured by the Windows OS or something.

Is there anything free/cheap like this that I can run on Windows and can report these statistics off of a generic NIC?



Combine Multiple Modems to Form Faster Internet

So at our small business we have 3 AT&T U-verse modems. The IT person that we hired attached all three to a MikroTik RB1100AHx2, then has one Ethernet cable coming out of that connecting to a switch which has multiple Unifi APs.

Is it possible to combine multiple modems to form 1 fast internet line? How do IP addresses work in that case?

Thanks



Catalyst 3750 to ASA5505 Expansion of Network XPOST from r/ccna



By default, why does DSCP-based WRED drop DF 0 sooner than DF 8 (scavenger)?

By default, why does DSCP-based WRED drop DF 0 sooner than DF 8 (scavenger)?



Critique on my first rack job...Picture linked inside

Did my first cabling and rack (small network rack for a lab) job, and I'd like some critique on the work that I did. I did my best with what I had, but I look at this picture often and think I could've done better.

https://i.imgur.com/EmLRyQV.jpg



Close to ripping out a Palo Alto 220 and putting the old ASA 5505 back

This is a small remote office but their SIP phones have been down for over a week now after replacing the ASA with the Palo Alto.

I've spent hours on the phone with Palo Alto, Cisco TAC, and the provider but no solution. I'm pretty close to throwing in the towel at this point.

I'm pretty sure the problem is with Palo Alto's shitty SIP ALG. Our Cisco CME is behind the Palo with the Palo doing the NATting.

I've tried all the usual, like doing an application override, bi-directional NAT, ALG off and on, etc., and nothing works.

Where we are at the moment:

With ALG disabled:

  • Outbound calls working fine
  • Inbound calls fail as the SIP PRACK packet the provider sends is being sent to the Call Manager's internal/Pre-NAT address - so the packets never reach our firewall interface

With ALG enabled:

  • Outbound calls fail
  • Inbound calls fail - this time the SIP PRACK packets are hitting the Palo Alto - but for some reason the Palo is dropping them.

Anyone come across something similar before?



Xrio ubm400

Has anyone configured one, or got a basic manual on the setup of one?

I need to set up 3 ports: one LAN and two WAN, with load balancing.



Using VLANs to further segment and control physical LANs?!?

So I have a SoHo network with 3 subnets and 3 routers doing different things (VPN, streaming, storage, etc.). Is it possible, or even worthwhile, to make the additional subnets VLAN 2 and 3 on the primary router for better security and control, such as more directed QoS settings, etc.? And, if so, would or could this be done based on the other routers' static IPs?



Connecting to Internet wired through a Coax?

Can I connect to the internet via ethernet/coax?

I have a desktop PC in my office that struggles to pick up the wifi from our Surfboard modem/router in the living room. The modem/router in the living room is connected to a coax and there is another coax in the office.

I had the modem/router connected to the coax in my office initially which worked, but then our TV struggled to connect consistently, so we moved it.

Any solutions for a wired connection in the office?



Fiber Patch Cable Resilience

We are getting ready to move from copper to fiber between our ASA and core. The issue that I am seeing is that the cabinet in which the ASAs are mounted is rather tight. When closing the door, the fiber cables would bend slightly. We could secure them so that the door wouldn't touch them, but it would result in a slight bend (maybe around 25 or 30 degrees). I don't know much about fiber cables, but I don't figure having a door hit them repeatedly is good for them. We don't really have an option to get a different cabinet at this time.

Is the fiber resilient enough to handle a constant, slight bend?



Grafana status for Cisco interface with Status Panel plugin?

I'm trying to find the best way to get a status for when a Cisco switch is offline from the network. I'm trying to use the ifOperStatus field so that when the interface is offline it goes red, and green when it's online.

I'm using Grafana/InfluxDB/Telegraf for my stack. Anyone else doing this and can share how to get it working? Below is my conf file in the telegraf.d folder.

[[inputs.snmp]]
  agents = [ "10.10.10.10" ]
  version = 2
  community = "SNMP-READ"
  interval = "60s"
  timeout = "10s"
  retries = 3

  [[inputs.snmp.field]]
    name = "hostname"
    oid = "RFC1213-MIB::sysName.0"
    is_tag = true

  [[inputs.snmp.field]]
    name = "uptime"
    oid = "DISMAN-EXPRESSION-MIB::sysUpTimeInstance"

  # IF-MIB::ifTable contains counters on input and output traffic as well as errors and discards.
  [[inputs.snmp.table]]
    name = "interface"
    inherit_tags = [ "hostname" ]
    oid = "IF-MIB::ifTable"

    # Interface tag - used to identify interface in metrics database
    [[inputs.snmp.table.field]]
      name = "ifDescr"
      oid = "IF-MIB::ifDescr"
      is_tag = true

  # IF-MIB::ifXTable contains newer High Capacity (HC) counters that do not overflow as fast for a few of the ifTable counters
  [[inputs.snmp.table]]
    name = "interface"
    inherit_tags = [ "hostname" ]
    oid = "IF-MIB::ifXTable"

    # Interface tag - used to identify interface in metrics database
    [[inputs.snmp.table.field]]
      name = "ifDescr"
      oid = "IF-MIB::ifDescr"
      is_tag = true

  # EtherLike-MIB::dot3StatsTable contains detailed ethernet-level information about what kind of errors have been logged on an interface (such as FCS error, frame too long, etc)
  [[inputs.snmp.table]]
    name = "interface"
    inherit_tags = [ "hostname" ]
    oid = "EtherLike-MIB::dot3StatsTable"

    # Interface tag - used to identify interface in metrics database
    [[inputs.snmp.table.field]]
      name = "ifDescr"
      oid = "IF-MIB::ifDescr"
      is_tag = true



ospf redistribution and route maps help

I'm reading up on this and I THINK I know what it does, but I'm not quite sure how to implement it.

So here's my scenario: I have an old core with a new core (HP) hooked up for testing. They're sharing routes via OSPF through one Ethernet port. The old core has a default/internet route of 172.16.1.1, which the new core is not picking up.

I create the default static route, do 'router ospf', do 'redistribute static', then nothing changes. Can anyone help? From the examples I've seen I think I need to put in a route-map and a prefix-list.

Thanks again for your help. I've been posting a lot lately and you've all been very helpful. It sure is a lot better than reading articles, old forums, etc. I know I'm not great at this networking stuff, but I'm trying.



Home router (ZyXEL EMG2926) listens on TCP port 263. Any tips to help me find out why?

I'm currently playing with Python network coding and I created a very simple script to port scan my home router.

I noticed TCP/263 is open (LAN side) and I can telnet to it. When I hit enter the router sends me back some bytes... I have to evolve my script a bit to read those bytes.

Searching the web, I found out TCP/263 is used by HDAP (High-Availability Directory Access Protocol), which is odd. I suspect a backdoor or something suspicious is going on.

Are there any tools or guidelines that could help me investigate this mysterious open port?



Configuring a 10Gb switch via LAG to 1Gb switch

Hello. Our business has a Netgear XS716T 10Gb switch and a Ubiquiti 150W PoE 1Gb switch. I need to connect 4 ports via LAG between them for the CEO. On the GUI for the XS716T there are (3) options per the documentation: 100Mb, 10Gb, Auto. I think the documentation could be missing the 1Gb option (you have to manually type it in on the GUI, not select the speed from a dropdown)... but it's definitely not in there.
I know I can only link similar-speed ports via LAG, so I need to manually enter 1Gb for the Netgear side.
Is it possible that I can keep it on Auto even when configuring them as part of a LAG? Would it sense that the fastest speed on the other side is set to 1Gb??? The lack of documentation about the 1Gb manual setting is making me cautious. Just wondering if ANY manufacturer can be set to Auto for such purposes or does it ALWAYS have to be inputted manually.
I appreciate any help. I just know enough to be dangerous.



Router(HSRP) -> Redundant Firewall Connection

We are currently evaluating a design which will implement two redundant routers (A - Primary & B - Backup) that are currently using HSRP with two redundant firewalls (FA - Primary & FB - Backup). So the design is roughly the following:

A -> FA
B -> FB
A & B are interconnected
FA & FB are interconnected

The firewalls are going to be in routing mode and will be sitting between 3 different subnets. After a lot of research it sounds like it's best practice to have an L2 switch between the firewalls and routers.

My question is if this design is practical or achievable. I'm worried that having two directly connected L3 devices (routers and firewalls) will have adverse consequences while using HSRP. However, I don't have enough networking expertise to dissect this and I haven't been able to find enough information on this specific design. Any help would be appreciated. Thank you



VPN/database in Spain is slower than the government

Hey friends, my background is BSEE and I work with an American company; I also have a fundamental understanding of how networking systems behave. We have a primary office in Spain that we must obtain historical documents (PDFs) from in order to do a lot of our work. The documents originated in Spain many years ago. We use a laptop here in the US which the IT team in Spain must set up as if someone working in Spain is using it, so it's on Spain time, and uses their OS enterprise licenses, etc., with their VPN.

When we connect to their database it's absurd how long everything takes to do anything. Is this normal behavior for an overseas VPN? Is Spain a particularly poorly connected country? What could we do to improve the system? Sometimes searching their database can take 4 hours to find parts or download small to medium size PDFs, with the added problem of an automatic 4 hour timeout, making some tasks to find documents nearly 2 days' worth of work. We have fiber to the building and 50u/50d connections per computer here in the US at my office.



Network discovery tool

Does anyone have a recommendation for a good network discovery tool? We'd like it to produce a network diagram and run various commands along the lines of show run, show clock, show cdp etc.

We've tried Solarwinds network topology mapper which was pretty decent, but before I go ahead and bite the bullet, i'd like to test some alternatives.



ARP Broadcast Flood

I have a bit of a unique issue on our network that is starting to stretch beyond my skill set to diagnose further. Wondering if anyone has any ideas?

We have two stacks of Cisco 3500 switches on both ends of our manufacturing plant. We have several VLANs configured, but the two primary VLANs that get used are called OFFICE and PLC. OFFICE has around 60 WYSE thin clients and label printers working on it and PLC has around 70 various makes of PLCs connected to individual pieces of manufacturing equipment. This configuration has been working fine over the last year that it has been in place, and network utilization is extremely low. Over the last month we have had a peculiar issue pop up with five pieces of manufacturing equipment that have Rockwell 5500 PLCs in them. Every 7-10 days an event is occurring that is impacting the communication from PLC to PLC within each of these 5 machines, forcing them to crash. The equipment as a whole does not drop from the network, but the communication internal to the machine is impacted. What is further interesting is that it impacts all 5 of these pieces of equipment at the same time but nothing else running on the floor. There is no disruption whatsoever to other pieces of manufacturing equipment with PLCs or the PCs/printers. These issues also do not occur if these 5 pieces of equipment are disconnected from the primary network.

I was able to catch the last crash with Wireshark and saw that in a 2 second stretch before the crash our Cisco switch sent out a storm of thousands of ARP broadcasts looking for 3 IP addresses on the PLC VLAN. During normal traffic patterns we are seeing 5-6 ARP requests per 3 seconds. This flood of requests seems to be enough to impact these particular PLCs, throwing them out of sync with each other and crashing the machine. Thus far I have tried:

  1. Enabling Storm Control on the Ethernet port these devices are plugged into.
     a. I set the threshold at 5% and the event didn't trip it.
  2. I searched the floor and found that two of the pieces of equipment had been plugged into ports configured for the OFFICE VLAN instead of the PLC VLAN.
     a. Can this generate the flood of ARP requests we saw?
        i. Our plant floor is fairly dynamic, so pieces of equipment move in and out of lines at any time 24/7.
     b. There hasn't been a crash since making this change, but it has only been a couple of days. I have Wireshark still running and am hoping to catch another event when it occurs.

Does anyone have any other thoughts on what might be going on or where I could look next?
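An added example, not part of the post or any reply: a windowed ARP request counter of the kind you would run over a Wireshark/tshark export to catch the next storm automatically, with the burst broken down by target so the 3 looked-for addresses fall out of the alert. The input lines are constructed to resemble tshark field output (epoch time and target IP per request, an assumed format), and the 5x baseline threshold is an assumption based on the post's 5-6 requests per 3 seconds.

```python
from collections import Counter

# Constructed sample lines in the shape of, for instance,
#   tshark -r capture.pcapng -Y "arp.opcode == 1" -T fields \
#          -e frame.time_epoch -e arp.dst.proto_ipv4
# i.e. "<epoch seconds>\t<target IP>" per ARP request. Not the poster's data.
def make_sample_lines():
    lines, t = [], 1532700000.0
    for i in range(20):                     # quiet baseline: one request every 0.5 s
        lines.append(f"{t:.6f}\t10.0.0.{i % 7 + 1}")
        t += 0.5
    storm = ["10.0.0.50", "10.0.0.51", "10.0.0.52"]
    for i in range(3000):                   # then 3000 requests for 3 hosts in ~2 s
        lines.append(f"{t:.6f}\t{storm[i % 3]}")
        t += 2.0 / 3000
    return lines


def parse_lines(lines):
    """Turn tab-separated '<epoch>\t<target>' lines into (float, str) records."""
    records = []
    for line in lines:
        ts, target = line.rstrip("\n").split("\t")
        records.append((float(ts), target))
    return records


def arp_storms(records, window=3.0, threshold=30):
    """Bucket ARP requests into fixed windows of `window` seconds and flag every
    bucket whose request count exceeds `threshold`.
    Returns [(window_start, count, top_three_targets)] in time order.
    threshold=30 is roughly 5x the post's normal 5-6 per 3 s (assumption)."""
    buckets = {}
    for ts, target in records:
        start = (ts // window) * window
        buckets.setdefault(start, Counter())[target] += 1
    alerts = []
    for start in sorted(buckets):
        count = sum(buckets[start].values())
        if count > threshold:
            alerts.append((start, count, buckets[start].most_common(3)))
    return alerts


if __name__ == "__main__":
    for start, count, top in arp_storms(parse_lines(make_sample_lines())):
        print(f"ARP storm in window starting {start:.0f}: {count} requests, top targets {top}")
```

Running the same counter over the quiet baseline alone returns no alerts, so it can be left watching a rotating export between events; the top-target list is what you would then cross-check against the port and VLAN each address lives on.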


Timestamps

I have network devices all around the world. We use different time zones for each, which seems to make troubleshooting difficult. I'm tempted to switch everything to UTC to simplify troubleshooting so I don't have to constantly try do time zone math in my head.

What does your organization do when it comes to timestamps, and do you do a single timestamp worldwide?



System to send ISP notifications

We provide regional ISP services to school districts. Looking to set up a notification listserv/notification system to notify clients of maintenance/downtime/etc. We have a few backup links from which we could send notifications in the event of emergency downtime. Is a plain listserv configured to use backup links still the go-to for this? Something else?



Not sure if stupidity or genius

I discovered that a customer's entire network camera system is using the IP scheme 169.254.x.y.

It's a big site with probably over 100 cameras plus the video servers. I'm assuming that the installer used the default no-connection IP when they connected the server since there's no DHCP. Even the cameras have a default 192 IP, so they would have hardcoded each camera that way too.

Sure, if someone plugs into the network, they're not going to realize that they could potentially connect to and access any of the cameras or servers but I would think this could potentially cause random network issues for the cameras. If a device is connected, it could assign itself to any of the used IP addresses and cause a dupe IP issue.

I've never seen this assignment anywhere else, so surely this can't be something that's regularly done.



How my workday is going.

A difference between Network Engineers and Project Managers:

Project Manager: I only plan for when things go right.

Network Engineer: I plan for when things go wrong.



Migrating Terminal Servers from 2801 to 4331

Hi all,

We are planning to migrate our terminal servers from model 2801 to 4331 - can you advise please if there is anything configuration-wise that we need to take care of?

Thank you.



Guest Wi-Fi Puzzle at Work

We're a small MSP that services small and medium sized businesses, so we're not necessarily pushing out the high-end enterprise grade hardware. I mean we do deploy Cisco ASAs, PoE managed switches, APs, etc. but at the same time we also typically just use the ISP Gateway or a SOHO Router as the main router for our customers' networks.

My coworker has given me an interesting Networking puzzle that I'm not quite sure how to resolve.

So typically we deploy something like this:

ISP Modem/Router/Gateway > Cisco ASA > Switches and WAPs > Workstations and VoIP phones

However we're wanting to implement a Guest Network functionality. With the typical SOHO router, you can just turn on Guest Network functionality and it's no problem, works fine. However the problem is that, most of the time, A) The SOHO router is too far away to be effective as the Guest WiFi WAP and B) The Cisco WAPs we deploy don't segregate Guest clients from the rest of the LAN, so theoretically anyone who's on the Guest WiFi has full access to the LAN, which we don't want.

The Cisco WAPs do have a Guest Portal where guest users would have to log in, but this still doesn't actually segregate users from the rest of the LAN. AFAIK this is because the WAPs are just APs not routers, which is what we need.

So the idea was to add a second SOHO router to the existing aforementioned config, connected to one of the switches, which would function as the "Guest WiFi router", which we could then connect more WAPs to if needed. However the problem here is that, even if we put this Guest WiFi Router on a different subnet than the LAN, Guest clients still have access to the LAN because the WAN Port on the router is just connected to the LAN switch and not the ISP Modem/Gateway.

So is there a way that we can have a separate Guest WiFi Router that will allow traffic to pass through to the Internet, but will restrict access to the company's LAN?

I was thinking it would have to be done via some sort of firewall rules or maybe VLANs, but neither my coworker nor I am quite sure if that would work.

If anyone has any suggestions in this regard it would be much appreciated :)



QUIC

QUIC uses UDP 80/443.
What do you guys think about this protocol? I checked that this behaviour is invoked once a user is using Chrome and goes into any service that belongs to Google.
The same on IE: it then runs on TCP via the normal handshakes and data transmission..

I wonder how Google measures that traffic on their peer links and steers away once they detect traffic is deteriorating.
Any thoughts?



Router setup for network with more than 255 devices?

Howdy! We're setting up a network for an Ethernet-enabled art installation and are running into issues. We've got 300+ devices connected to our router, and each of them asks for an IP via DHCP. However, our router will only let us assign IPs in the 192.168.1.1 to 192.168.1.255 range (and not, say, 192.168.1.1 to 192.168.5.255), and so we're running out of IPs.

We're artists, not network engineers, but we know that it's possible to have a network with more than 255 devices. Duh! How might we go about this? Thank you!



Let's talk VoIP phones

Hey r/networking! Those of you with VoIP experience, VoIP phones themselves: who do you love and who do you hate in terms of manufacturers? The good, the bad, and the ugly; what makes you hate/love certain brands?



Thursday, July 26, 2018

Nanog.org / blocked - down?

https://www.nanog.org/

I get a basic auth popup. Very strange.



Cisco 899 LTE to Fortigate FD200 - MPLS Primary and 4G backup

Hi guys,

Looking for some help. I want to use a Cisco 899 at remote branches with a MPLS connection as Primary and Cellular 4G with (GRE over IPSEC) as Backup to Fortigate FD200 at the Head Office

Was just going to use gateway of last resort for Cellular interface?

Is it possible to create IPSec gateways between the Cisco 899 and the Fortigate or should I be doing this another way?

Any help is appreciated.

Cheers



Need to analyse URL

Hi guys, can I know where you guys go to get things like files and URLs analyzed?

I have a url which needs to be analysed to check whether it is dropping something or performing any malicious activity.



Draytek Vigor 120 - Bridge Mode Issue

Hello - I've got a Draytek 2862 and Vigor 120 configured for active/active; the Vigor is connected to the WAN2 port of the 2862 and through testing with the ISP, I can see that both circuits are in sync, however the secondary Vigor won't pass PPP traffic. I've checked the RADIUS logs for any authentication rejections (i.e. incorrect username/password) and nothing shows up. Both interfaces are set to 'Always On' and both ports are enabled. I've confirmed with the end user that both devices are connected into the NTE securely and are using the correct lines, but so far nothing. The ISP can't see a fault with the service so at this point, all I can think is that either the config's incorrect, or the hardware's faulty but before I write that off, I wanted to check whether the community might have any suggestions as to what might be going on (i.e. is there a config trick I'm missing, like the auto-detect FTTC config Drayteks seem to suffer from). As far as I can tell, the only logical option for the Vigor 120 config on the 2862 would be for me to set it as PPPoE, as Static/Dynamic/PPTP/L2TP or IPv6 seems pointless. I've also confirmed the RADIUS details (as mentioned above) - apart from that, I can't really think of what else I might be missing?



I need a help with a very weird problem..

Hello, I am having a really weird problem with my internet from 2 years ago, and I still couldn't find a solution. I tried contacting everybody until I found this subreddit, so I hope some expert can help me ;P It's literally the only thing I need in this life, for it to be fixed.

Okay, I don't wanna make it long. I play video games, and I am quite good at it, but since 2016 something happened to my internet; most of my commands are delayed-ish, I believe, so the game feels so slow for me! There is just something fucked about it, and I couldn't compete from that day till now :( I tried changing everything in my setup, nothing comes out. I believe it's from my internet, so I hope someone can help me with it please! I don't even mind paying for it. Thank you very much, and excuse my English.



unable to ping SVI interface

What am I missing here? I'm trying to set up a port-channel to an existing 6800 VSS switch for a VMware server: created VLAN 99, SVI interface 99, port-channel 99 and added the interfaces to the port-channel, but still I can't ping 10.1.99.1.

Is it an EIGRP routing issue? It almost seems like the 99.1 range doesn't go into the routing protocol? All the other VLANs work fine (77.1, 88.1, etc.)

Show commands below.

Current config:

router eigrp 100
 network 10.0.0.0

vlan 99
 name DATA

interface Port-channel99
 switchport
 switchport mode trunk
 switchport nonegotiate
end

interface TenGigabitEthernet2/1/14
 description DATA
 switchport
 switchport mode trunk
 switchport nonegotiate
 channel-group 99 mode on

interface TenGigabitEthernet1/1/14
 description DATA
 switchport
 switchport mode trunk
 switchport nonegotiate
 channel-group 99 mode on

interface vlan99
 description Data
 ip address 10.1.99.1 255.255.255.0
 no ip redirects
 ip directed-broadcast
 ip pim sparse-dense-mode
end

My outputs:

sh ip route 10.1.99.1
% Subnet not in table

show etherchannel 9
Po99(SD) - Te1/1/14(D) Te2/1/14(D)

Port-channel99   unassigned   YES unset   down   down
Te1/1/14         unassigned   YES unset   down   down
Te2/1/14         unassigned   YES unset   down   down

show arp
Internet  10.1.99.1   -   00c1.64a0.00c0   ARPA   Vlan99



Recommendations for a solid gateway router with no VoIP challenges for use at a datacenter colo?

Posting the following for a friend since the automod squash'd his new account post, thanks guys!:


I'm setting up a 4-host hyperconverged hypervisor platform and I need a solid gateway router for use at a datacenter colo. I currently have an ASA5540 and it's old and cumbersome and way past its shelf life, which makes it difficult to do things. Planning on running OpenShift Origin or another k8s variant on the stack, as well as some telecom VMs that need solid SIP+RTP [no ALG nonsense], and I need some traffic shaping.

I have 2 pairs of redundant 3750s [one for storage network, one for management and world-traffic]. I'm used to the ASA->redundant 3750->bonded eth setups.

I've been directed towards the Ubiquiti EdgeMAX 8 series, also the Cisco Meraki MX84. Any recommendations in the <$1000 budget range? Thanks in advance!



Modem change and loss of MX connectivity

We are a super small rural school district and I am super green. We changed modems from Comcast to Century Link. It cut off our Meraki firewall. This is a screenshot from my test office network. If I leave NAT and DHCP on, on the modem then the Meraki works. If I turn off NAT and DHCP at the modem, since the MX does that, the internet dies. I tried putting the modem in transparency mode with a variety of VLANs. I was hoping to get away with the default vlan. I would be super grateful for any advice or help you have to offer.

https://imgur.com/a/nNwmZdK

https://imgur.com/a/Q2MmJga



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Volunteering for political parties/campaigns?

Has anyone had any experience volunteering for political parties/campaigns? I realize networking per se, particularly remotely, might be difficult to transfer, but perhaps sys admin or netsec skills? Would appreciate anyone's thoughts, particularly in the US. In light of recent hacks and the inevitable shit show that is likely to be the US 2018 election season, thought I might ask now...



Having an issue connecting one of our warehouse scanners to our network

I’m hoping someone can help with this:

The warehouse I work at uses Intermec scanners, and we have one that is stuck on what we call a "host" screen, which contains the following.

IntermTE V1.43.01.356 Session: 1

VT340 Host:

Myself and our other staff cannot figure out how to fix this issue and we don’t want to spend money to send it out if it’s something super simple to take care of. I’ve tried looking at some manuals online but I couldn’t really find anything on it. Any help I get is greatly appreciated!



Upgrading to Cat9k

Hello everyone! I help administer a fairly large local network (Cisco only). We are currently using 3850, 3750 and 2960 switches for our access layer and are looking to upgrade a large number of them to the new 9k series.

My question for you all, cost aside, what benefits could you see with using 9407/9410 switches vs stacked 9300's in closets? We currently mostly use stacked switches with a few others scattered in. I need to present a solution to upper management with the best way forward for our network, and I was leaning more toward the chassis switches where possible.



Got Gigiabit - But No One Can Tell. (Aerohive Configuration Help?)

Background: New IT guy of ~6 months, took over all IT ops for a company that was contracting out to an ITSP, company uses exclusively Aerohive APs which can be nice as we're a construction company with lots of job sites and I can configure them all from the manager if changes need to be made, but they're overly complicated imo.

We got our brand new gigabit circuit from AT&T turned up today, only seen it go up to around 900Mbps but apparently that's normal (ripoff in my book as we're paying $2100+ a month for this)

Hard-wire works fine both before and after the firewall, servers are getting 600 minimum at peak traffic.

My APs are struggling though. The most I've gotten out of one is 250, but they're averaging less than 30 which is almost as bad as we had before this with a 50Mb circuit.

Broadcasting at 5 GHz with an 80 MHz channel width; not sure what else to do to try and get this thing faster. Put in a ticket with Aerohive but not expecting much help. If anyone here has experience configuring these things I sure would appreciate some pointers. We have an AP250 and an AP230 in the office, one for each floor; they should be able to output this no problem.

Originally thought it was the firewall (Fortigate 100E), but servers behind it are fine. Set the MTU packet size to try and speed things up via removing fragmentation but it didn't seem to change much.

Thanks for any help you guys can offer, let me know if you need any more info.



SPA-1x10GE-L2 card

A 1001X was purchased with this card, but apparently it's not a routed port but a layer 2 port. Question is, what is it used for primarily? Is there a workaround to make use of it as a routed port?



Modem that support DSL, ADSL, VDSL, etc.

Does anyone know of a modem that supports DSL, ADSL, VDSL, etc., and may also incorporate a TR-069 client (not required)?



POTS --> ethernet (LAN) --> POTS

I am needing a solution to convert 2 or more incoming POTS lines to Ethernet and back again. The network was changed to fiber, and before I port their numbers over I need to be able to get the lines out to a building that is on the same LAN. I only need 2 lines, but if I could set it up for 4 then it would give expandability.



Authenticating using NPS on Server 2012R2 (RADIUS)

I'm having a hard time authenticating using NPS on Server 2012R2. We're using Aruba IAPs currently with Cisco ACS, but it goes end of life next month, so we're trying to migrate to NPS. I have added my RADIUS clients and configured a Connection Request Policy (Access Client IPv4 - allow) and Network Policy (Domain Users group - allow), but I'm still getting authentication errors. We'll be using PEAP w/ MSCHAPv2 and no certificates. I've verified the connection attempts are reaching the server, but I'm getting Error 6273: "The RADIUS request did not match any of the configured connection request policy." Is there anything I'm missing?



Combining Lan/Wan switches

Hi all,

I've been tasked with setting up an HA pair for a couple of SonicWalls and dual ISPs. One of the ways I've thought to implement it is by creating 2 new VLANs on our core/distribution switch (one for each ISP) with 3 ports each, then connecting the modem to 1 port and the SonicWalls to 1 port each. Our switch stack is a couple of 3750s. I'm sure this would work, but I'm not sure if this is a best practice. One of our issues is that one ISP modem only has 1 port, so this is a workaround for that.



Time management

This is probably the wrong sub for this. Question for those who have a full-time job, a family, and are going to school: how do you manage your time?

I'm planning to take two general education courses from StraighterLine, trying to get the AWS CSA and Juniper JNCIP-RS this year, and trying to learn Python on the side. I think I can do this before 2019, but the lack of motivation is killing me.



dynamic client vpn endpoint address? route53?

So right now I have a few sites that can host client VPNs, and I try to hand out the address according to location: people on the west coast get my SF firewall, people in the east get my NY firewall, and so on and so forth.

What I want to do is give all users the same address, vpn.network.com, have users connect to that, and then have it dynamically send them to east or west or UK or wherever their nearest VPN endpoint is, or if one is down, route to the next best.

I've seen some stuff in Route 53 that looks like it can sort of do that, but I would have to create a record for every state to send half to east and half to west.

Just looking for the best/least painful way to set this up.

Thanks



UTM / Firewall for < 250 users single site

Hi guys, we are looking to replace our older SonicWall NSA2600s as we have outgrown the throughput on them.

Currently I am looking at the NSA3650s; however, I am tempted to look elsewhere. I only have experience with SonicWalls, however I am a quick learner.

Looking for some suggestions / recommendations on what would be a better replacement and why. All our switches are currently Dell, but we could be changing them in the next few years if that will make integrating with any UTM better.

Thanks in advance for any advice / feedback. There is only so much you can get from watching some videos and reading the manuals, and with dozens of offerings out there it's good to get another person's perspective.



Replacing ASA5550 with a PA-3020, thoughts?

I’m thinking about replacing an ASA5550 with a PA-3020. Any thoughts about if this is a good move?



Downgrade Cisco 2504

I have a Cisco 2504 WLC on version 8.4.1. This version has had some issues and is not even available on Cisco's website. Is there anything I need besides flashing the .aes for version 8.3.143 to downgrade it?

EDIT: Clarifying it's a wireless controller.



Cisco 9300+ISE - IoT Security

I'm testing out Cisco Cat9300 switches and ISE functionality. One requirement is to configure and test AAA, and determine how secure the configuration is. For IoT devices, we're utilizing DHCP profiling to identify them and place them in a VLAN with a DACL. One thing that bothers me about using DHCP profiling alone for authentication is that it would be very trivial to spoof the MAC/IP of the device and connect to the network, assuming there is no way of enforcing the device to use DHCP. The DACLs will be very restrictive, but I still wonder if I shouldn't take it further than just DHCP profiling, or even bother with DHCP profiling. I'm trying to find a reasonable compromise between security and ease of access/management. Any thoughts?



IPv4 vs IPv6 IPSEC performance

I apparently suck at googling but I cannot find any comparison of IPSEC performance between IPv4 and IPv6. My head says that IPv6 should be faster but my gut feeling is that IPv6 IPSEC headers are not properly implemented on most gear, negating any benefit.

Anyone have any data on this? Preferably Juniper but I take anything.



Non AD computers no longer updating DNS

I know this is more of a sysadmin thing but was wondering if someone in this community had any ideas.

Our inventory program works off DNS. It was working perfectly till today. The entries were getting updated by the DHCP server through the DnsUpdateProxy group. All of a sudden it stopped working. Now the PTR records show System as the owner, if that is any help. I'm at a loss on what to even check or where to look. Event Viewer doesn't offer any ideas?

After messing with it a ton I had it working again, but it worked for about 20 minutes and stopped again. Not sure what the hell is happening.



Doing my first Network install for a client!

Hi friends! Thank you for reading and for any advice. I am quoting my very first network cabling job for a client.

I have done cabling at home before, but I'll admit it was not any professional job and it wasn't always pretty.

For a client I will only do quality work with a professional appearance, so I need advice on the best procedures. It's a small office needing 3-6 100 ft runs. They want Ethernet and phone. I was reading I can run phone and Fast Ethernet down 1 cable since Ethernet only uses 2 pairs. Is this a viable route? Should I just run 6 separate cables?

I will need to buy cabling, keystones, wall plates and a punch-down tool. Is there a good place to buy these things affordably?

Lastly, I have never dealt with phones. I can run the cable well, but there are these wall panels for the phones and I don't know how to punch that stuff down. I think it's called a 66 block. Anything special I need to know about those?



Cause of exceeding packet in policy-map?

Hi,

Just want to ask your thoughts about this. Even though traffic usage doesn't exceed/reach the allocated BW of 5Mbps, there is a minimal increase in "Exceeded packets". What would be the cause of this increase?

Class class-default
  police cir 5000000 bc 156250
    conform-action set-mpls-exp-imposition-transmit 0
    exceed-action drop

Class class-default
  police cir 5000000 bc 156250
    conform-action transmit
    exceed-action drop

Service-policy output: POL-IN

  Class-map: class-default (match-any)
    44633733 packets, 12625980741 bytes
    30 second offered rate 11000 bps, drop rate 0 bps
    Match: any
    police:
        cir 5000000 bps, bc 156250 bytes
      conformed 44584741 packets, 12599151611 bytes; actions:
        set-mpls-exp-imposition-transmit 0
      exceeded 13422 packets, 19648851 bytes; actions:   <-------
        drop
      conformed 11000 bps, exceed 0 bps

Service-policy output: POL-OUT

  Class-map: class-default (match-any)
    61074304 packets, 57584593170 bytes
    30 second offered rate 11000 bps, drop rate 0 bps
    Match: any
    police:
        cir 5000000 bps, bc 156250 bytes
      conformed 60389018 packets, 56586377242 bytes; actions:
        transmit
      exceeded 685096 packets, 998203914 bytes; actions:   <-------
        drop

Thank you
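An added example, not output from the post, that simulates a single-rate token-bucket policer with the post's own parameters (cir 5000000 bps, bc 156250 bytes). It shows how a short burst can be counted as exceeded while the 30-second offered rate stays far below the CIR: conformance is decided per packet against the bucket, not against the averaged counter. The packet size, burst size and 1 Gbps line rate are constructed assumptions.

```python
from typing import Iterable, List, Optional, Tuple

# Added example, not from the post: simplified single-rate token-bucket policer
# using the post's parameters. Packet sizes, burst size and line rate are assumptions.
CIR_BPS = 5_000_000     # cir from the post
BC_BYTES = 156_250      # bc from the post: 0.25 s worth of CIR

Packet = Tuple[float, int]  # (arrival time in seconds, size in bytes)


def police(packets: Iterable[Packet], cir_bps: int = CIR_BPS,
           bc_bytes: int = BC_BYTES) -> Tuple[int, int]:
    """Return (conformed, exceeded) counts for packets given in arrival order.

    Tokens (bytes) accrue at cir_bps / 8 per second and are capped at bc_bytes;
    a packet conforms only if the bucket holds at least its size when it
    arrives. The decision is per packet, so the averaged "offered rate"
    counter never enters into it.
    """
    tokens = float(bc_bytes)  # bucket starts full
    last: Optional[float] = None
    conformed = exceeded = 0
    for arrival, size in packets:
        if last is not None:
            tokens = min(float(bc_bytes), tokens + (arrival - last) * cir_bps / 8)
        last = arrival
        if size <= tokens:
            tokens -= size
            conformed += 1
        else:
            exceeded += 1
    return conformed, exceeded


def average_rate_bps(packets: List[Packet], window_s: float) -> float:
    """The kind of number 'offered rate' reports: bytes over a window, not per packet."""
    return sum(size for _, size in packets) * 8 / window_s


def steady_stream(rate_bps: float, size: int = 1500, duration: float = 30.0) -> List[Packet]:
    """Evenly spaced packets at a constant rate."""
    gap = size * 8 / rate_bps
    return [(i * gap, size) for i in range(int(duration / gap))]


def microburst(nbytes: int, at: float, size: int = 1500,
               line_rate_bps: float = 1_000_000_000) -> List[Packet]:
    """nbytes arriving back-to-back at line rate, starting at time `at`."""
    gap = size * 8 / line_rate_bps
    return [(at + i * gap, size) for i in range(nbytes // size)]


def demo(window_s: float = 30.0) -> dict:
    """Quiet 11000 bps stream vs the same stream plus one 300 kB burst (> bc)."""
    quiet = steady_stream(11_000, duration=window_s)  # 11000 bps, the post's offered rate
    bursty = sorted(quiet + microburst(300_000, at=window_s / 2))
    return {
        "quiet": police(quiet),
        "quiet_rate_bps": average_rate_bps(quiet, window_s),
        "bursty": police(bursty),
        "bursty_rate_bps": average_rate_bps(bursty, window_s),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both scenarios report an averaged rate far below 5 Mbps, but the bursty one counts exceeded packets because 300 kB arriving at line rate drains the 156250-byte bucket faster than it refills. That is the mechanism behind a slowly growing exceeded counter on a link whose 30-second rate looks idle: bursts much shorter than the averaging window.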



How to create a gigabit local network that's connected to fast Ethernet router ?

So basically I have 2 PCs with gigabit Ethernet ports, but my local network is only 100 Mbps. My actual internet speed is 10 Mbps. The router I'm using is a TP-Link TL-WR845N, which has 100 Mbps Ethernet ports instead of gigabit ports. When I try to use the OBS NDI plugin to stream over the network, OBS alone uses up 100 Mbps of network, so I'm bottlenecked by the router. I don't need a gigabit router, but I need gigabit speeds over the local network between the 2 PCs. How do I do it? Will a network switch with gigabit ports help? I don't really need the wireless router I have. I just need a gigabit local network that's connected to the internet at megabit speeds.



HPE 5700 need help with basic port settings (Layer 2)

I have an HPE 5700 switch I need to configure for a SAN. I have the fans set right, SSH/Management, etc. I have left the default VLAN 1 alone and created vlan2 for production. None of the servers or my storage array can ping/talk with one another on vlan 2.

I need to setup flow control and a few more options which I have found the parameters for in my HPE manuals but I would like to just get basic connectivity going before I start flipping more switches. All of the ports that need to talk with one another look like this:

interface Ten-GigabitEthernet1/0/*

Port access VLAN 2

That's all I have so far, I know with Cisco you need to set the switchport mode but I don't see any commands like that in my documentation. I'm assuming I'm missing a parameter.



Cisco IP Phones without a PBX server.

Can Cisco IP phones work as standalone phones, connecting to a SIP service from the phone itself via the config files?

I'm going to be deploying these and I am fairly new to the whole VOIP scene.

Thanks in advance for any help!



Cisco Cat 9k series for our user net (not DNA) -- some questions

We are planning to buy 9300 series (with mGig and stacking) for L2 access and 9500 (StackWise Virtual ) as the routed aggregation layer for our offices. We are running: 802.1X, PoE for APs, NEAT for our 2960cx table switches, DHCP Snooping, and some other port security. We are aware of the problem with mGig and Cat5, so we are in the process of upgrading the cable infrastructure to CAT6A in the office.

I am still a bit worried about stability in the code of 16.x and the hardware itself. Currently we are running 3750x and in that deployment we have had some bugs in DHCP snooping and memory leaks with 802.1X. We do not wanna go back to those kinds of headaches. We need 24/7, 365 days of stability. As of now we are happy with the 3750x except for their buffers.


1.) Anyone of you guys that are running the 9000 series that can say anything about the stability in the hardware?

2.) Anyone that is running 16.x IOS XE that can say anything about its stability?

3.) Is it worth paying for the mGig ports? We are planning to run the switches for 7-8 years (or as long we have support on them). The switches are going to provide access for APs, and wired access to the researchers that demand high capacity user network. Is there any chance that we will see clients with support for mGig, or is this purely for APs?

4.) Running 9500 in StackWise Virtual -- is it buggy?


We have a good budget, but we do not want to waste money unnecessarily. We are not in a position to look outside Cisco products. We are going to have a meeting with our VAR, but I would like to get some honest answers before that!

Thanks!



python - netmiko

Hello,

I hope somebody can help me.
I'd like to write a script where I get output into a text file. One command's output should be saved for all switches in a network, if possible in one text file per switch.

At the moment I have written the following:

from netmiko import ConnectHandler

# First switch
ip1 = {
    "device_type": "hp_procurve",
    "ip": "192.168.48.254",
    "username": "Hendrik",
    "password": "test",
}

print("Wait please")
print("sh tech all will be printed in file")

net_connect = ConnectHandler(**ip1)
sh_tech = net_connect.send_command("sh tech all")
net_connect.disconnect()

# output to file sh_tech.txt (written directly instead of redirecting sys.stdout)
with open("sh_tech.txt", "w") as f:
    f.write(sh_tech)

# Second switch: a new connection is needed here, otherwise the command
# still runs on the first switch
ip2 = {
    "device_type": "hp_procurve",
    "ip": "192.168.48.2",
    "username": "Hendrik",
    "password": "test",
}

print("Wait please")
print("sh tech all will be printed in file")

net_connect = ConnectHandler(**ip2)
sh_tech = net_connect.send_command("sh tech all")
net_connect.disconnect()

# output to file sh_tech_192_168_48_2.txt
with open("sh_tech_192_168_48_2.txt", "w") as f:
    f.write(sh_tech)

It would be better if I could enter the network, for example 192.168.48.0/24,
and a separate text file would be created for every switch.
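One way to do the /24 sweep, as an added example rather than the poster's script: it assumes netmiko's ConnectHandler and the poster's device_type "hp_procurve"; the credentials are placeholders. Every usable address in the network gets a connection attempt, hosts that do not answer are recorded instead of aborting the run, and each switch's output goes to its own file named after its IP. The runner is injectable, and an offline stand-in with constructed output is included so the file-writing logic can be exercised without any switches.

```python
import ipaddress
import os
from typing import Callable, Dict, List

# Added example (not the poster's script). It assumes netmiko's ConnectHandler
# and the poster's device_type "hp_procurve"; the credentials are placeholders.
CREDENTIALS = {
    "device_type": "hp_procurve",
    "username": "REPLACE_ME",
    "password": "REPLACE_ME",
}
COMMAND = "sh tech all"

Runner = Callable[[Dict[str, str], str], str]


def build_device_dicts(network: str, creds: Dict[str, str] = CREDENTIALS) -> List[Dict[str, str]]:
    """One netmiko-style device dict per usable host address in `network`.

    ip_network(...).hosts() skips the network and broadcast addresses, so a
    /24 yields 254 candidates.
    """
    net = ipaddress.ip_network(network, strict=False)
    return [dict(creds, ip=str(host)) for host in net.hosts()]


def output_filename(ip: str, prefix: str = "sh_tech") -> str:
    """Per-switch file name, e.g. 192.168.48.2 -> sh_tech_192_168_48_2.txt."""
    return f"{prefix}_{ip.replace('.', '_')}.txt"


def netmiko_runner(device: Dict[str, str], command: str) -> str:
    """Connect with netmiko, run one command, return its output.

    Imported lazily so the rest of the module works without netmiko installed.
    """
    from netmiko import ConnectHandler

    conn = ConnectHandler(**device)
    try:
        return conn.send_command(command)
    finally:
        conn.disconnect()


# Constructed stand-in for offline dry runs: canned output for one address,
# connection refused for everything else (as most addresses in a /24 would be).
CANNED_OUTPUT = {"192.168.48.1": "Software revision : constructed-sample\n"}


def offline_runner(device: Dict[str, str], command: str) -> str:
    ip = device["ip"]
    if ip not in CANNED_OUTPUT:
        raise ConnectionRefusedError(f"{ip}: no SSH listener")
    return f"{command}\n{CANNED_OUTPUT[ip]}"


def collect_outputs(devices: List[Dict[str, str]], out_dir: str,
                    runner: Runner = netmiko_runner, command: str = COMMAND) -> Dict[str, str]:
    """Run `command` on every device and write one file per switch.

    Returns a map of ip -> output path, or ip -> "ERROR: ..." for hosts that
    failed (no SSH listener, wrong platform, bad credentials), so one dead
    address does not abort the whole sweep.
    """
    os.makedirs(out_dir, exist_ok=True)
    results: Dict[str, str] = {}
    for device in devices:
        ip = device["ip"]
        try:
            output = runner(device, command)
        except Exception as exc:  # the sweep must survive unreachable hosts
            results[ip] = f"ERROR: {exc}"
            continue
        path = os.path.join(out_dir, output_filename(ip))
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(output)
        results[ip] = path
    return results


if __name__ == "__main__":
    # Sweep the poster's network; every reachable switch gets its own file.
    collect_outputs(build_device_dicts("192.168.48.0/24"), out_dir="sh_tech_output")
```

Trying SSH logins against every address in a /24 also knocks on servers and workstations in that range and shows up as failed logins in their logs, so feeding collect_outputs a list of known switch addresses (an inventory export) is usually the better input once one exists.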



Cisco FPR4100 backup Management Center config via SSH

So the Firepower Management Center does have an integrated backup solution, where you can choose to either download the file or specify a server where the backup will be uploaded via SCP, FTP, etc...

I however would like to back up this file via SSH.

Is there a way to generate the file and store it on the FPR via SSH? I could then open the file and read it that way. Or is there even a command like "show run" that will print the config in the SSH window?

The only backup solution I can find is the way over the GUI and a job to upload it via SFTP etc..

Help is appreciated



PacketPushers PREMIUM Ignition Membership ?

Just checking if anyone here has signed up for premium membership so far on PP ? Have enjoyed the free content thus far.



Any vendors purchasing surplus APs? Cisco AIR-LAP1131AG-A-K9 & AIR-LAP1142N-A-K9

Our organization has hundreds of surplus 1131AG and 1142N access points. Are there any vendors still purchasing these devices? Feel free to PM. Thanks!



Is SonicWALL still a worthy competitor?

First off, I don't mean to offend any sonicwall lovers out there :).

Reason I'm asking is I have a smaller client looking to replace their firewall. Currently they have a very old TZ-205 I think. It's got no warranty or support.

I'm used to dealing with the likes of Palo Alto and Meraki. I haven't dealt with SonicWall a lot in the past several years, but they seem to be having a rough go the past 5 years... or am I just disillusioned?

The client is small, only about 4-5 seats in the office. I could go Meraki MX64, but I'm not a fan of the Meraki licensing model. I could go with a PA-220, but that price might shock them. Looking at SonicWALL's offerings, they have a TZ400 and that's about $800. I'm also unsure of what their licensing landscape looks like these days.

Of course, I'm always open to alternatives if anyone has any great ideas. I would like them to have some level of application aware firewall capability and they must have client-VPN.



Looking for a little guidance on a simple Palo Alto firewall setup

For clarity let me preface with a diagram:

WAN -> ONT -> PA-220 eth1/1 -> eth1/2 -> Switch

I'm using a PA-200 in L3 configuration. I have a static IP range from the local admin of the building we are leasing in. My subnet mask is /29. The IP range is 130.x.x.250-254.

Current config:

Interfaces

  • eth1/1, L3, netmask: 130.x.x.250/29
  • eth1/2, L3, netmask: 192.168.2.0/29

Policies:

  • eth1/1 untrusted
  • eth1/2 trusted

Virtual Routers:

  • default, eth1/1, destination: 0.0.0.0/0, next hop: IP, 100.0.0.1

Virtual Wire:

  • deleted

I'm not able to identify the network from the test machine off the switch. I'm no network admin by trade (am a software architect), but we needed to spin up a remote office quicker than we could hire out.



Implementing a wireless network to connect cranes in a harbour.

Good morning guys, I'm currently working on a project to connect several cranes (16) to the network. The main obstacle here is that I cannot use any wiring.

The closest location to the cranes that is connected to the company LAN is 350m away. I was thinking of interconnecting the cranes to each other and then connecting the closest one to the LAN.

My issue here is that I do not know how much the metallic cranes will attenuate the signal, and whether it's possible to simply cover a radius of 500m using a big antenna.

The data rate isn't an issue since this whole setup is simply to be able to collect sensor information from the cranes' controllers (instead of having to go all the way up to every individual crane to monitor it). I would have used a simpler network with a LoRa implementation getting data directly from the sensors, but the company already invested in a PC + software setup for the cranes.

Is my solution good enough? Are there any modifications you guys would suggest?

Here is the plan of the site. https://i.imgur.com/hjfONcn.png

I'm planning on connecting everything to the DEL offices, since it's the closest spot connected to the LAN.



Strange Address, extra colon and number.

What does the additional colon and number :0 in the following address indicate?

192.168.1.108:8080:0

I have never seen this before.



Equipment we need to set up a mesh network.

My home village, a rural setting, has many people using smartphones and PCs now. My colleagues and I were thinking of setting up a mesh network for everyone to get connected, share files and socialize through custom platforms we will develop. All ideas will be well received.



Security of DHCP relay - where do you draw the line on isolated vlans?

This came up in a meeting today. Getting ready for a forklift network upgrade across a dozen small sites. All have private WAN links back to a central datacenter. Onsite old IOS routers are being replaced by Sophos UTMs, on which I despise the DHCP management. So I've been replicating the utterly ridiculous list of pools on each router in the DHCP cluster and cutting the interfaces over to DHCP relay. DAI, dhcp snooping, and 802.1x are all going live when the switches arrive.

Now I'm getting some blowback on the phone and printer networks pulling DHCP from the servers being a "security risk". The concern is more what the auditors will say than anything, but I'm curious what you guys think. Does relaying DHCP traffic from a device to a server present a security risk to the server? Do you deploy independent DHCP solutions for each vlan you're supposed to isolate? Personally, I believe centralizing DHCP represents a security boon. IPAM beats the crusty spreadsheets any day.

In this specific case, all vlans hit the same firewall, travel the same tunnel, and use the same remote firewall to hit the outside or interior networks as needed.

I know Cisco has CVE-2017-12240 relay vulnerabilities, but A) that's the relay, not the server, and B) we're not going to be using a Cisco implementation.
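What a relayed request actually carries, as an added example with a constructed packet (nothing here is from the post or a real capture): a BOOTP/DHCP header parser that pulls out the relay-written giaddr and hops fields and the option 82 sub-options, plus the sanity checks a server-side policy can apply to them (an allowlist of relay addresses and a hop limit). The relay address, client MAC and circuit ID are constructed values, and the max_hops default of 4 is an assumption.

```python
import ipaddress
import struct
from typing import Dict, List, Optional

# Added example with constructed data; not from the post or any real capture.
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"  # 236 bytes of RFC 2131 fixed fields
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_relayed_discover(client_mac: bytes, relay_ip: str, hops: int = 1,
                           circuit_id: bytes = b"") -> bytes:
    """Constructed sample: a client DHCPDISCOVER as a relay forwards it to the server.

    The relay writes its own interface address into giaddr (the server selects
    the pool from it) and increments hops; option 82 is present only if the
    relay inserts it.
    """
    header = struct.pack(
        BOOTP_HEADER,
        1, 1, 6, hops,                          # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x12345678, 0, 0x8000,                  # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,        # ciaddr, yiaddr, siaddr
        ipaddress.ip_address(relay_ip).packed,  # giaddr, set by the relay
        client_mac.ljust(16, b"\0"),            # chaddr
        b"\0" * 64, b"\0" * 128,                # sname, file
    )
    options = bytes([OPT_MSG_TYPE, 1, 1])       # message type = DISCOVER
    if circuit_id:
        sub = bytes([1, len(circuit_id)]) + circuit_id     # sub-option 1: Circuit ID
        options += bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def _parse_tlv(blob: bytes) -> Dict[int, bytes]:
    """Parse code/length/value triples (the option list, or option 82's sub-options)."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = blob[i + 1]
        out[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return out


def parse_dhcp(packet: bytes) -> Dict[str, object]:
    """Decode the fields a DHCP server sees when a request arrives through a relay."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    f = struct.unpack(BOOTP_HEADER, packet[:236])
    options = _parse_tlv(packet[240:])
    relay_info: Optional[bytes] = options.get(OPT_RELAY_AGENT)
    return {
        "op": f[0],
        "hops": f[3],
        "xid": f[4],
        "giaddr": str(ipaddress.ip_address(f[10])),
        "chaddr": f[11][: f[2]].hex(":"),
        "msg_type": MSG_TYPES.get(options.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN"),
        "relay_agent_info": _parse_tlv(relay_info) if relay_info is not None else None,
    }


def check_relayed_request(packet: bytes, known_relays: List[str], max_hops: int = 4) -> List[str]:
    """Server-side sanity checks; an empty list means the request looks as expected.

    known_relays is the allowlist of relay (giaddr) addresses this server is
    meant to serve; max_hops = 4 is an assumed limit, not a value from the post.
    """
    msg = parse_dhcp(packet)
    findings: List[str] = []
    if msg["giaddr"] == "0.0.0.0":
        findings.append("direct (non-relayed) request on a relay-only server")
    elif msg["giaddr"] not in known_relays:
        findings.append(f"giaddr {msg['giaddr']} is not a configured relay")
    if msg["hops"] > max_hops:
        findings.append(f"hops={msg['hops']} exceeds max_hops={max_hops}")
    return findings
```

The point for the meeting: the server receives a small fixed-format datagram in which the only relay-supplied fields are giaddr, hops and (optionally) option 82; everything else is the client's own request, which the server would also receive on a directly attached VLAN. Pinning giaddr to the list of relay interfaces the firewalls actually own keeps a stray relay from pulling leases out of the wrong pool.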



Wednesday, July 25, 2018

HTTPS issue while installing SQL server 16 on AWS Windows Server 16 instance

I have 3 servers that I am using for this particular task: one will host SQL Server 16 and the other 2 will host applications that query and store data on the DB. To facilitate the traffic, one of the requirements was to create self-signed SSL certificates. That was completed, but there is an error when trying to navigate to https://<server address> or https://localhost

So I know we have to fix the certs. My question is - would the bad certificates cause port 443 to be blocked?

I ran the following command from powershell:

Test-NetConnection <remote server ip> -port 443,80 

Port 80 connects fine but I get a failure on port 443.

I've completely turned off all firewalls, verified the security groups in AWS allow all traffic between the servers, and no network ACLs exist to prohibit traffic. These are routing between private subnets so the NAT instance IPTables should not be involved.



Are there "levels" to Network Engineer positions?

I got cold called by a recruiter today who is trying to fill a position that I actually find interesting. I would be developing a test environment for integrating new systems onto the existing networks on Navy ships. I meet most if not all of the mandatory requirements (CCNA, Sec+, security clearance, college degree), but very few of the preferred items (CCNP, a lot of the specific experience related to documentation processes). I spent 8 years in the Navy working on IT systems, and have since spent a year contracting in a systems engineer role on Navy ships, none of which was strictly networking.

The title of the position is "Network Engineer III". I'm not familiar with the "grade" of III... is there some standardized scale, or required bullet points? I'd rather not accept an interview only to get blown out because they're expecting a ton of in-depth routing/switching knowledge, I don't need the ego hit.



NX-OS v9 out finally for cisco 9Ks and 3Ks

Just noticed that the Cisco ninjas released v9 of NX-OS on July 18th, for anyone waiting. Way overdue for me at least; I've been waiting for NX-OS MACsec support for a long time (93180YC-FX and 93108TC-FX).

9k release notes: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/9-x/release/notes/921_9000_nxos_rn.html



Printing between Vlans

I have a task that is a bit perplexing to my beginner Cisco mindset.

I have to configure a VLAN in such a way that I can add a new set of computers and allow them to print to a printer on another VLAN, albeit on a different subnet. My core is a Cisco Catalyst 6509, IP 10.10.4.1; it is also my default gateway. I need to allow printing to [vlan 10, router: 10.10.8.1/22, (10.10.4.20-10.10.7.254) from Cisco 3560, vlan 50, router: 10.10.20.1/22, (10.10.20.20-10.10.23.254)]. This runs across to another building over an 8G fiber trunk. I can ping across these, so I am wondering why I wouldn't be able to print to a machine on VLAN 10 from VLAN 50. If this isn't enough info I can provide more. Is it possible to just bridge from VLAN 50 to 10 without completely screwing up the current config, and to reset back after this is no longer needed? I am normally the server guy and I have taken on this new role, so I am slowly learning; sorry for my learning curve.



Are you a member of a network user group?

I'm curious how much interest is out there for network oriented user groups? My city doesn't have one geared towards networking yet it does for unix, vmware, net, etc. I'm thinking about starting one but not sure if there's much interest in the community for one.



Core switch selection

I have a client that is looking to do a network refresh, replacing predominantly 8-year-old ProCurve at the edge and layer 3 core, and also trickling down some H3C 10Gb switches we were using for HQ storage networking to the DR site. Note, we are only considering Cisco for this deployment.

The environment is roughly 250 users, but is a mission critical professional services organization, and so fault tolerance is critical. Probably a total of about 1500-2000 hosts on the network, counting the infrastructure devices, IP cameras, IP phones, printers, VMs, hypervisors, storage devices, etc. We also have no need for FC or FCoE - all storage traffic is and will likely stay IP.

We have four IDFs, which will each get a stack of between 3 and 6 48-port 9300s. I'll plan on two 10G uplinks from different stack members, one to each core. I'm also going to have a horizontal IDF-IDF connection for additional redundancy.

I'll need to have a total of about 40 ports of 10gbe in the MDF for my uplinks to closets, as well as SAN and hypervisor connectivity. Will also need a handful of 1gb SFP ports for various other circuits and devices. My 10gb needs do not necessarily need to occur on the same switches I use for my layer 3 core. Before the newest generation, I likely would have used a pair of 3850 stacks with HSRP with some 48 port copper stacked with the 12xs 10gb SFP+ switches to meet both my redundant layer 3 device need, with the redundant uplink connectivity need to IDF and hosts\SANs alike. I need to be able to patch and bounce cores without taking down storage traffic, closet connectivity, etc. Use of things like VPC or virtual stacking for cross-stack etherchannel is a nice perk, but not purely necessary.

I'm looking at either the Cat 9500 platform, or the Nexus 9300. I have extensive experience with IOS-XE and IOS, less so with the NX-OS. We need policy based routing, OSPF - not planning on any vxlan or OTV\TRILL\ or any of that jazz. Therefore, I was debating on a pair of either of the aforementioned switch with a 24-48 port SFP+ configuration, a pair of cat9300 stacks for my 1gb copper requirements in the MDF.

So, my question - if it were you, what would you select for the core functionality?



How much of your week is "paperwork?"

By "paperwork" I mean stuff like formal emails to clients/execs, RCAs, ticket details, work logs, notes, documentation, RFPs, contracts, etc.

I suspect about 10-20% of my week is paperwork of some kind, curious to see what's typical.



Networking gear advice

Hey,

I have 3 Cisco Meraki MR34 and one MR18, 1 Cisco 2960G 48 port, and 1 Cisco c2960 48 port. How much should I value my equipment? I'm wanting to upgrade but considering I'm a DevOps engineer networking isn't my speciality so I'm unsure at the current rates.

Thanks!



Patch panel to switch - without cable manager?

I am installing some cabling and switches soon. They are very straightforward installs with either a 24p patch panel and switch, or a 48p patch panel and switch, inside rack mount cabinets.

I usually favor installing a NeatPatch NP2 between the patch panel and switch, but I have heard of people buying short and slim cables to do away with cable management.

Anybody do this? What are the options? The 24 port seems impossible due to the 24 ports on the switch being offset.

THANKS!

--Dan



"Interesting" VPN idea

Hello all, first post. I had what a few of my friends have called an "interesting" idea. My home lab is currently in its beginning stages I will outline its components below. Ultimately, I want to VLAN off my network and have a VLAN that all traffic goes through a VPN running on my server. I'm looking for advice, experience, ideas, similar setups, anything to get me started on this. I think it should be a fun project.

What I have in my home lab:

Arris Surfboard sb6141 modem

Fortigate 60-E

Dell R-610 (12 core Xeon X5680, 48 gb ram)

Ubiquiti Unifi LR-AC Pro AP

(Open to suggestions of new equipment as well)



LACP on HP and Alcatel?

Is it possible? I have an HP/Aruba 5420 zl and a ton of Alcatel 6850Es. The documentation for LACP between the 2 brands is a bit sparse. Any help would be appreciated.



Visio for Mac

I know this was asked not too long ago. What is the best option for Visio on MacBook? I am running a VMFusion with Windows but it just seems clunky to drag around a full virtual PC for one app. Any suggestions are greatly appreciated.



MOXA NPort 5000 Series Issues - How to send commands?

Hi,

How can a MOXA NPort 5000 series serial server be configured to allow the PC to send commands to the serial device? TCP Client or Server both seem to prevent any passing of commands to the device.

Does anyone have any experience with this? I'd greatly appreciate some advice.

Thanks in advance!



AT&T 100gb Ciena to Ruckus/Brocade link issues

Hello /r/networking,

I'm helping spin up a client's new AT&T 20gb ASE circuit, that for some reason AT&T said it had to be terminated in 100GB, not 40gb.

We are having link issues to our Ruckus (Brocade) ICX 7650-48F. We have 100GB-LR4 QSFP28 optics, and we're able to link via loopback, and to other 7650's. (not stacking) so I know our configuration works.

AT&T is also able to link via fiber loopback, and swapping the uplink on their optics. Their gear is a Ciena 8700.

During troubleshooting I pulled their optic out, and it's a Ciena 160-9113-900, 4x25G DWM CFP. It doesn't specifically say 100GB-LR4, but according to AT&T (that keeps saying it's my issue) their software shows it as a 100GB-LR4. I also found some sites calling it an OTU3.

Does anyone have familiarity with Ciena, and can provide some insight into what may be happening?

Thanks!



Service providers reporting issues with Espial's Elevate platform (MOCA boxes)

Hi all.

Trying to dig into this a little bit today.

Any of you by chance work with any cable companies that employ all in one cable boxes that use this platform that are having problems?

The only thing I'm aware of that Espial is asking our cable providers to do is verify whether or not our DNS propagates, which it doesn't:

204.16.99.200 204.16.98.200

None of our internal DNS, nor Google's DNS gives me anything other than "Non-existant domain".

I'm getting about the same when using dnschecker.org...



Advice Wanted - Next cert to help progression

During college I studied Cisco: Routing and Switching as well as getting a BTEC Diploma in IT (worth 3 A levels) and achieved D*D*D* in that. Straight after completing the course I joined my college's IT department where I've worked for the past 3-4 years (1st year 1st Line, now 2nd Line Support). To further certify myself in IT instead of going to uni I went for the CompTIA A+ cert, studying it in my own time, which I have now finished this week. The great part of my current college workplace is that I've had access to all of the network, be that SCCM, Cisco switches, Aruba Wifi and Citrix etc, and all your normal tools i.e. AD, DHCP, RDP etc. I'm now looking at my next steps as I'm a little over comfortable in my job currently and don't want to regret spending too many years in one place and then not having progressed far from my start point.

I'm interested in cloud technologies / MS Azure / virtualization / wifi but not sure what certifications to take next to have a better understanding whether or not it's the right IT path for me. Looked at CCENT (would I skip as I've had an introduction with the CCNA R&S?), CCNA Cloud, VCP, CompTIA Network+ then CompTIA Cloud+, MCSA

So many choices >.< Any advice? Let me know your thoughts to help me form a well-informed conclusion on this predicament! :D

PS: Was going to name this post 'Advice Wanted: Cloud Engineer ' but i'd rather not let that sway ur opinions off the bat ;)



Kali for network people

Do any of you use Kali as your everyday OS? Specifically, do any of the penetration testing tools make your life easier? I understand that Linux is better; I'm really just curious if nmap/armitage could make things go faster when installing a new network.



Looking for advice on a PoE surveillance setup

Even though the title says this is regarding a surveillance setup, the majority of my questions definitely revolve around the networking specific part of it.

I've been tasked with setting up from scratch a network for PoE surveillance cameras for a new business. I'll start off by saying that I'm not green at surveillance or networking, but I'm also not extremely well versed in either beyond a certain point. I have a good bit of experience in smaller projects, but this is one of the larger projects that I have ever been approached with, and it's something that has to be done right the first time so I'd like to get some input from you all if possible. It is pretty straight forward for the most part, with a couple of exceptions compared to what I am experienced with.

The questions I have are in order below as follows, related to:

  • Ethernet/PoE distance
  • Physically protecting the cable
  • Hardware/physical interaction triggered recording (This one may be a surveillance specific question, I'm not sure but I wanted to throw it in here anyways if there is someone who reads this that has knowledge of making this happen regardless)

•Ethernet/PoE Distance:

This installation is going to require 16 cameras, and 9 of those cameras are estimated to be on cable runs of 270FT-400FT from the main PoE switch that everything will originate from. I've never been tasked to run ethernet beyond 300FT ever before, so I've never had to use any type of additional PoE injector/switch in the middle to boost it to that distance, and therefore I'm not exactly sure what is proper to use in the middle of those runs to achieve that required distance.

In my picture here: https://i.imgur.com/9xGe2L0.png you'll see a purple star that dictates a 2nd switch. That switch is not there, none of the listed equipment is, I just put that there as a potential location for example. Cameras 4, 5, 6, 7, 9, 10, 11, 12, and 13 are the cameras that will be on cable runs of 270FT+ distance, and all of those are on that same side of the property. The cable run from the proposed main switch and proposed 2nd switch is estimated at roughly 200FT. From that proposed 2nd switch location, to each of the 9 cameras on that side of the property that are in question, is roughly another 200FT cable run to the furthest away cameras from that point.

I plan on using Cat6 STP, unless otherwise suggested. There are other cable-type related questions in the "•Physically protecting the cable" section below, so I'm not certain exactly what type of cable I will be, or should be, using just yet. I do not believe there will be much, if any, interference with any other type of electrical lines, or anything else that I should have to cross paths on, but I am not 100% certain on that just yet, in case that matters.

•Physically protecting the cable

I plan on burying the cable from the office building where the main switch will be, under the roadway and up to warehouse 2 where the 2nd switch is proposed, and I plan on enclosing it in some type of PVC or metal conduit. Do I need to use direct burial UV/Water proof cable if it is going to be enclosed in conduit? I had planned on it, but when I looked at prices of Cat6 STP direct burial cable, I wanted to double check before spending a ton of extra money for no added benefit.

Also related to the protection and grade of cable, regardless of what I do or don't use related to the previous question, is there a need to use direct burial UV/Waterproof or any type of reinforced cable inside of the warehouses for any extra durability and protection? The cable would not be directly exposed to the outdoor elements, but the warehouses are not climate controlled, they are fairly open the majority of the day with large doors that may allow some rain and dust/debris inside, and the cables would be run along the metal building structure. Would there be a need to use direct burial or any type of reinforced cable in those conditions? Should I enclose all of the cable in conduit, even the cable inside the warehouses? If I do run conduit inside the warehouses, would I also need direct burial or reinforced cable as well?

•Hardware/physical interaction triggered recording

This may or may not be a surveillance specific question and not networking but I wanted to throw it in anyways in case anyone does have some experience with anything like this. Another thing that is required that I have not had any experience with is, there is the need for some type of trigger mechanism on camera 14 facing the "Future Fuel Depot", to trigger that camera to record at that moment that it is triggered. What is needed is some type of mechanism that would be tied to the Fuel Depot, possibly the fuel nozzle at the actual pump, to where when someone picks up the fuel nozzle it triggers the camera to start recording. It doesn't have to be a trigger on the fuel nozzle, but it does have to be some type of hardware/physical trigger somehow. Whether that be a weight sensor buried in the ground to detect when a vehicle parks there, etc, something hardware of that nature to trigger the camera. What ever is most efficient and most practical of that nature. Neither motion detection or continuous recording are acceptable in this situation.

Those are my immediate questions, and I know the distance and cable grade questions are probably the most basic questions ever but I want to make sure I'm 100% on all of this because I've never done an installation with these requirements before. The other question regarding the triggered camera may be very basic too, but I've never seen that done before so I don't know what that would involve.

I am also open to any and all suggestions, questions, or comments, regardless if they're related to these specific things directly or not.

I definitely appreciate any and all responses I can get from this.



VPN Server for High Throughput Video Streaming 1gbps+

https://ift.tt/2AgT10S

Troubleshooting network performance bottleneck

Generally, I work in the server world - but have an odd network performance issue I'm trying to track down.

I have part of my network on an HPE 1920S 24G 2SFP/JL381A switch, and part on a Unifi USW-8/PoE (Wireless APs power source, and a couple desktop PCs). The two switches are connected with CAT5e, gigabit port uplink. The HPE switch is pretty much stock HPE config - No LACP, trunks, qos, routing enabled. Unifi is pretty stock as well.

When I copy a large file (example: MKV encoded video - 5gb) from one Windows PC to another that are both on the same switch, speed approaches 100MB/sec. However, copying across the Unifi switch to the HPE (either direction), it's generally around 20MB/sec. OCCASIONALLY I see speeds start at 20, and ramp up to 80+. Occasionally, I get near 100 right off the bat, sustained for the entire file copy.

Things I've tried: turned on flow control on one or the other switch, or on both. I've disabled SMB 1 handshaking between the Windows PCs. I've uninstalled the Remote Differential Compression feature on all Windows machines. I've made sure the network is "quiet" when doing these tests (keeping the kids off the streaming sites, all other devices blocked other than the test machines). I've tried different Cat5e and 6 patch cables - no difference...

One thing I haven't tried yet due to not having spare hardware around, is swapping out other switches.

Any ideas on how to figure out what/why I'm seeing this slowdown? (other than trying a different switch - it's on my list of to-dos)

(And if it matters, the Unifi controller is running on a Windows VM connected to the HPE switch)



Cisco 2960-X Stacking Issue

I currently have 5 WS-C2960X-48LPD-L switches in a stack and have worked great without issue for nearly 3 years. I wanted to add another switch to the stack so I bought the same model. I upgraded my current stack to 15.2(6)E1 as well as the new switch. Once they were the same I added the new switch into the chain.

Everything seemed to go great as it auto-provisioned the switch and showed in the stack list as ready. I started to add ports to the new switch when I noticed that a number of devices were offline. If I went to a different computer (connected to a different switch) I could reach them, but couldn't access other points.

One that was really strange was I couldn't ping 192.168.1.21 from switch #1 (elected master) which .21 was connected to. PCs connected to switch #1 and other switches COULD talk to it (ping/ssh).

I disconnected the switch and deprovisioned it and everything returned to normal. It's been 24 hours and the original 5 is working normally. I'm at a loss to what could have caused this. I'm nervous to try attaching it again without having an idea of what caused the issue.

Any ideas?



Which PANOS train do you run?

Considering jumping from 7.1 to 8.1 on our PA-5050 during our next maintenance window. Any issues with 8.1 or other input?



Going from 10Gbit to 40Gbit

I'm using Lenovo / IBM G8264 switches. I have a LC fiber connection between buildings - Probably around 1000 feet. We had been using SFP+ 10Gbit with LC connections and "single mode" fiber.

We wanted to test 40Gbit so got some Fiber Store 40Gbit QSFP+ adapters and copied the switch VLAN configs from the 10Gbit port to the 40Gbit port. Plugged it in and it seemed to work.

Overnight, we started having issues with the port going up and down on its own. It would go down every so often, ending up flapping every 10 minutes or so.

We found a LOT of FCS errors on Switch A, but not on Switch B.

We decided to swap the QSFP+ adapter on Switch A with a spare. Everything seemed like yesterday with the initial switch - all good. This time however, we checked the FCS error counters, and after a couple minutes they started ticking up again on Switch A. However, 3 hours and no port down event... Will see what happens tomorrow.

Anyway - does any of this lead to additional troubleshooting steps? I was thinking if we do start having the port go down again, we just move the QSFP+ adapter on Switch A to a new Switch port. But I'm also wondering if the fiber might just not handle 40Gbit?



advertising a single IP address through multiple providers

Hello, we have a /24 ARIN space we own. We have 2 different circuits with 2 different ISPs. I was wondering, is it possible to make a route-map to only advertise a single IP address from that /24 to play around with and test? I would like to move it around between the 2 service providers and play with pre-pending, doing speed tests etc. I obviously want to keep the /24 the same and not mess with that since it would take down our website. I'm wondering if it's possible to just pull a single IP that's not being used from out of that /24 and just play around with it by advertising it out between the 2 circuits whenever for testing purposes?

Thank you



Need Help - Cisco router nat wan port 80 and 443 to lan server.

I also posted this in r/cisco, but haven't had any luck yet.

This is just a home lab. I'm trying to allow traffic hitting my WAN IP on port 80 and 443 to be forwarded to my LAN server @ 10.0.1.5. Internally on the LAN hitting the server via LAN ip works without issue. I thought I may have a config issue on the server itself - but I've run tcpdump and verified it's not receiving any traffic from WAN.

Output of show ip nat trans:

router01#show ip nat translations
Pro Inside global            Inside local         Outside local        Outside global
tcp my.wan.ip.addr:80        10.0.1.5:80          ---                  ---
tcp my.wan.ip.addr:443       10.0.1.5:443         ---                  ---
udp my.wan.ip.addr:37236     10.0.1.5:37236       8.8.4.4:53           8.8.4.4:53
... and this goes on for a while .. etc..

Relevant bits from the running config:

interface GigabitEthernet0/0
 description WAN
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description LAN
 no ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.1
 description MGMT
 encapsulation dot1Q 1 native
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip nat inside source list autoNAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.1.5 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 10.0.1.5 443 interface GigabitEthernet0/0 443
!
ip access-list standard autoNAT
 permit 10.0.1.0 0.0.0.255
 permit 10.0.10.0 0.0.0.255
 permit 10.0.20.0 0.0.0.255
 permit 10.0.30.0 0.0.0.255
 permit 10.0.40.0 0.0.0.255
!

Here is a sanitized copy of my full running config:

router01#show run
Building configuration...

Current configuration : 3615 bytes
!
! Last configuration change at 07:30:54 CDT Wed Jul 25 2018 by [user]
! NVRAM config last updated at 00:50:26 CDT Sun Jul 22 2018 by [user]
! NVRAM config last updated at 00:50:26 CDT Sun Jul 22 2018 by [user]
version 15.1
service timestamps debug datetime msec
service timestamps log datetime show-timezone year
no service password-encryption
!
hostname router01
!
boot-start-marker
boot-end-marker
!
!
!
card type command needed for slot/vwic-slot 0/0
enable password [enpass]
!
no aaa new-model
clock timezone CST -6 0
clock summer-time CDT recurring
clock calendar-valid
!
dot11 syslog
ip source-route
!
ip cef
!
!
ip dhcp excluded-address 10.0.1.1 10.0.1.99
ip dhcp excluded-address 10.0.10.1 10.0.10.99
ip dhcp excluded-address 10.0.20.1 10.0.20.99
ip dhcp excluded-address 10.0.30.1 10.0.30.99
ip dhcp excluded-address 10.0.40.1 10.0.40.99
!
ip dhcp pool MGMT
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.1
 dns-server 10.0.1.5 8.8.8.8
 domain-name [domain.local]
!
ip dhcp pool WORK
 network 10.0.10.0 255.255.255.0
 default-router 10.0.10.1
 dns-server 10.0.1.5 8.8.8.8
!
ip dhcp pool HOME
 network 10.0.20.0 255.255.255.0
 default-router 10.0.20.1
 dns-server 10.0.1.5 8.8.8.8
 domain-name [domain.local]
!
ip dhcp pool DMZ
 network 10.0.30.0 255.255.255.0
 default-router 10.0.30.1
 dns-server 10.0.1.5 8.8.8.8
 domain-name [domain.local]
!
ip dhcp pool WLAN
 network 10.0.40.0 255.255.255.0
 default-router 10.0.40.1
 dns-server 10.0.1.5 8.8.8.8
!
!
ip domain name [domain.local]
ip name-server 10.0.1.5
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 208.67.222.222
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
username [user] privilege 15 password 0 [userpass]
!
!
ip ssh version 2
!
!
!
!
interface GigabitEthernet0/0
 description WAN
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description LAN
 no ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.1
 description MGMT
 encapsulation dot1Q 1 native
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.10
 description WORK
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.20
 description HOME
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.30
 description DMZ
 encapsulation dot1Q 30
 ip address 10.0.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.40
 description WLAN
 encapsulation dot1Q 40
 ip address 10.0.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list autoNAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.1.5 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 10.0.1.5 443 interface GigabitEthernet0/0 443
!
ip access-list standard autoNAT
 permit 10.0.1.0 0.0.0.255
 permit 10.0.10.0 0.0.0.255
 permit 10.0.20.0 0.0.0.255
 permit 10.0.30.0 0.0.0.255
 permit 10.0.40.0 0.0.0.255
!
logging 10.0.1.6
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp master
ntp server 216.239.35.0 source GigabitEthernet0/0
ntp server pool.ntp.org
end
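When a static port-forward like the two `ip nat inside source static` lines above does not pass traffic, the first things to verify mechanically are that the inside host really sits behind an interface marked `ip nat inside` and that the interface named in the translation is marked `ip nat outside`. The script below is an added example, not code from the post or from Cisco: it parses a constructed IOS-style config modeled on router01 (the config is embedded inline and is deliberately built with one subinterface missing `ip nat inside` and one translation pointing at a nonexistent interface, so the checks have something to report) and, as a defender would, also flags the plaintext-credential settings visible in the posted config (`no service password-encryption`, `enable password`, `password 0`).

```python
"""Audit a Cisco IOS running-config for NAT port-forward prerequisites.

Added example, not from the post or from Cisco. The config below is a
constructed sample in the shape of the post's router01; two defects are
built in on purpose so the checks produce findings.
"""
import ipaddress
import re

# Constructed sample config (not the poster's real config).
SAMPLE_CONFIG = """\
version 15.1
no service password-encryption
hostname router01
enable password [enpass]
username [user] privilege 15 password 0 [userpass]
!
interface GigabitEthernet0/0
 description WAN
 ip address dhcp
 ip nat outside
!
interface GigabitEthernet0/1.1
 description MGMT
 encapsulation dot1Q 1 native
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.30
 description DMZ (constructed: 'ip nat inside' left out on purpose)
 encapsulation dot1Q 30
 ip address 10.0.30.1 255.255.255.0
!
ip nat inside source list autoNAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.1.5 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 10.0.1.5 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 10.0.30.5 22 interface GigabitEthernet0/0 2222
ip nat inside source static tcp 10.0.1.5 3389 interface GigabitEthernet0/9 3389
!
no ip http server
line vty 0 4
 login local
 transport input ssh
end
"""

STATIC_RE = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")


def parse_interfaces(config):
    """Map interface name -> {'network': IPv4Network or None, 'nat': 'inside'/'outside'/None}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"network": None, "nat": None}
        elif line.startswith(" ") and current:
            body = line.strip()
            m = re.match(r"ip address (\S+) (\S+)$", body)  # 'ip address dhcp' has no mask
            if m:
                interfaces[current]["network"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}").network
            elif body in ("ip nat inside", "ip nat outside"):
                interfaces[current]["nat"] = body.split()[-1]
        else:
            current = None  # '!' or any global line ends the interface block
    return interfaces


def parse_static_nat(config):
    """Extract the static port translations as dicts."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            entries.append({"proto": m[1], "inside_ip": ipaddress.IPv4Address(m[2]),
                            "inside_port": int(m[3]), "outside_if": m[4],
                            "outside_port": int(m[5])})
    return entries


def check_port_forwards(config):
    """Return [(label, [problems])] for every static translation; empty list = prerequisites met."""
    interfaces = parse_interfaces(config)
    results = []
    for e in parse_static_nat(config):
        problems = []
        inside_ifs = [n for n, i in interfaces.items()
                      if i["network"] and e["inside_ip"] in i["network"]]
        if not inside_ifs:
            problems.append("no interface has a subnet containing the inside host")
        elif not any(interfaces[n]["nat"] == "inside" for n in inside_ifs):
            problems.append(f"{inside_ifs[0]} lacks 'ip nat inside'")
        out = interfaces.get(e["outside_if"])
        if out is None:
            problems.append(f"outside interface {e['outside_if']} not configured")
        elif out["nat"] != "outside":
            problems.append(f"{e['outside_if']} lacks 'ip nat outside'")
        results.append((f"{e['proto']}/{e['outside_port']} -> {e['inside_ip']}:{e['inside_port']}", problems))
    return results


def credential_findings(config):
    """Defender-side findings about how secrets and management access are stored."""
    findings, lines = [], [l.strip() for l in config.splitlines()]
    if "no service password-encryption" in lines:
        findings.append("password-encryption disabled: type 0 passwords appear in 'show run'")
    for l in lines:
        if l.startswith("enable password "):
            findings.append("enable password in use; 'enable secret' stores a hash instead")
        if re.match(r"username \S+ .*password 0 ", l):
            findings.append(f"plaintext password for user {l.split()[1]}; prefer 'username ... secret'")
    if "transport input ssh" not in lines:
        findings.append("vty lines do not restrict transport to ssh")
    return findings


if __name__ == "__main__":
    for label, problems in check_port_forwards(SAMPLE_CONFIG):
        print(label, "OK" if not problems else "; ".join(problems))
    for f in credential_findings(SAMPLE_CONFIG):
        print("finding:", f)
```

Run against a real `show run` capture, the port-forward check is a quick way to rule out the interface-role mistakes before moving on to upstream causes (an ISP filtering inbound 80/443, or the host replying with a different source), and the credential findings are the items to fix once the forward works.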


Uplink between Dell N4032 and HP L2 switch not working

2 X Dell N4032 (head switch)
HP Switch is V1905-24 (Management switch for my SAN and other device in VLAN 10)

So after a reboot (probably I didn't save the config on the HP) I can't ping the HP IP (VLAN 1 - 192.168.0.23)

Here is the config:
HP Port 25 (uplink to unit 1) - Untag VLAN 10, TAG VLAN 1
HP Port 26 (uplink to unit 2) - Untag VLAN 10, TAG VLAN 1-7

Dell (Unit 1) Port 10 - Trunk, PVID 10
Dell (Unit 2) Port 10 - Access, PVID 10

If I plug a laptop with IP (192.168.0.X) in port 2 (Untag VLAN 1) I can manage the HP switch. If I plug with IP (192.168.10.X) in port 20 (Untag VLAN 10) I can ping my SAN that is in port 21 (Untag VLAN 10); the SAN IP is 192.168.10.50.

I just don't know what is not working. I have tried different configurations. I think it is the VLAN membership on the Dell switch that I don't understand.

I need help !

Edit : Visio https://imgur.com/a/9TbKfcj



MPLS latency - is this correct?

I was just told that MPLS links start to experience a spike in latency once they hit 60%+ utilization, is this correct? I've never heard of this before.



Add Cisco 2960 to stack

I have a Cisco 2960 that I am wanting to add to an existing stack. The switch I want to add to the stack has already been configured to be a master in another IDF. I have to backfill this switch because we don't have time to wait for a new switch to arrive. My question is, can I just factory reset the switch that has already been configured and add it to the stack and label it the next switch in the stack like switch 4 or should I copy the config from another switch and load it in the switch in question? Thank you for your help!



Blocking international IPs to One Client in Multi-Tenant app Question Fortigate

Like the title says. Our prod app is behind the same IPv4. Using Fortigates. Customers get to their app like prod.us.com/<customer>. We promised to block all international IPs for one client. It's looking like maybe we can filter traffic by the destination URL, and apply this policy to only traffic targeting that URL?

Just looking for some insight and ideas!

Thanks :)



802.1x, VLANs, and jumping headfirst into a space you're not familiar with

Hi everyone,

I'm starting to look into 802.1x for wired and wireless and I want to make sure I understand at least the basics before I go implementing things:

                    Internet
                       |
                       |
                   ASA 5516-x
                       |
                       |
        Cisco Catalyst 29xx (handles the VLANs)
          |              |              |
          |              |              |
     M. Switch 1    M. Switch 2    M. Switch 3
          |              |              |
         PCs            PCs            PCs

Now-

VLANs and port authentication- is this normally dealt with by the closest managed switch? Or is this dealt with from the main backplane switch?

Port security best practice is setting specific ports to only be used by a set MAC address (and other auth methods) and also used in addition to RADIUS (NPS) for authenticating the user/machine as well.

I am just confused as to how we need to set this up and where I need to get started. If someone had a map of an example network so I could see it, I think I'd be much better off understanding what is going on.

My biggest hanging up points are understanding proper port security and where VLANs are assigned. (subnets are another story for another day)

Any help would be amazing.

Thanks!



Router or Switch on a link towards a DC

Hello Redditors,

Basically this is the situation, we're about to get a circuit towards a new data center from the data center we're currently in. We want to be in this new DC not to put servers in there we just want to be able to BGP peer with 1 - 2 carriers that are in there directly.

So here comes the question, we've got to put either a router or a switch in that DC and terminate the circuit in there, and those carriers would then xconnect to this router or switch. The thing is, we've not decided which one we should get.

First, if we go with the switch route, we would terminate each carrier in a VLAN and then peer directly with our edge-router located in main DC, we'd use this L2 circuit as a trunk basically.

If we go with the router, then we would make those carriers peer with this device and then a route back towards our main DC.

So the debate is due to the pros and cons, if we go with the switch:

  • Would in theory be cheaper (regular L2 switch only)
  • We keep things as they currently are, keeping the peerings in our already designated edge
  • less configuration to maintain (the switch would be kind of fire-and-forget)
  • plenty of ports so we can keep adding peering links if we wanted (not that it'll happen in the near future)
  • However there's the concern related to QoS, on the router would be easier to do this (mainly priority to control traffic in case links saturates)

If we go with the router

  • Would have better QoS
  • We would have a direct view of that DC, in the sense, if the transport link fails, we can use the public peering IPs to tshoot from that side as well (this wouldn't be possible with the switch, since it'd have a private IP only visible from our main DC)
  • Would have more config to do, although I hate L2, so I'm ok with this (rather everything routed)
  • Carriers would peer directly with this router, this allows us to tshoot peering from the perspective of the direct connection (and offload our current edge from applying policies, filtering, etc. Although current edge can work with this easily)
  • We could do filtering directly in there so we optimize the use of the link towards of our main DC, if we were to filter in main DC the bandwidth of that link would still be used
  • Would be more expensive since we'd need a router BGP capable full tables

This is a debate I currently have, if you were in this position what would you do?



Network troubleshooting practice

Hi fellow nerds !

I'm a networking beginner and thought it could be fun to do some networking practice at home.

I'm looking for a site with challenges. Does anybody know a fun site to practice troubleshooting in GNS3 or Packet Tracer? Currently I do not have access to Cisco's courses.

Thank you in advance :)



Firepower Inspection Scope

Hello all,

I have tried posting on various forums and have read a large volume of Cisco documentation, but can't seem to find the scope of Firepower inspection to ASA "self" when it is running in an ASA as a virtual module. Specifically, I know that traffic going into one interface and leaving another can be fed through the Firepower module for inspection, but what if traffic is being delivered to ASA self?

For example, if an attacker is hitting the ASA's AnyConnect web portal that traffic would go to ASA self, not through the ASA, so would it be inspected by the embedded Firepower module? This would also apply to management traffic such as SSH.

Another use case would be, can Firepower throw an alert that the ASA is being scanned by Qualys or similar? Most of the scan would be filtered by the ASA's reflexive ACL and dropped before being processed by Firepower, but for services open to the public like the AnyConnect web portal, what would I see, if anything?

Cisco describes redirecting traffic to the Firepower module onsite of an ASA here under the "Redirect Traffic to the SFR Module" header: https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html#anc12

Thanks in advance.