Saturday, August 11, 2018

Recommendation/Advice on Small Office Set Up

I am looking for some advice on setting up networking for a new space. Originally our business (2 employees) was very small and piggybacked on our old landlord's internet, so we never set up our own. We just moved in last week, and are temporarily running everything through a Netgear AC1900. Ideally, I wanted to do Modem--->Router-->Switch, but we got no ports :(

Our new space is on the 2nd floor of a 5-floor office building; the internet connection is 500 Mbps down/25 Mbps up. We now have 6 staff. At this new location, we also switched our phone service to Ring Central (VoIP). We have four medium-sized offices and one conference room. The hardware in our office is: 3 desktop computers, 3 laptops, one smart TV for the conference room, 6-7 cell phones, and two printers.

Unfortunately, none of the rooms have ethernet ports. The modem is set up in my office right now, and we have the router in this room as well. We have only had this set up for two days, but generally speaking we haven't had many problems with our staff running everything on wifi.

The only issue is the quality of our VoIP. My phone is connected by ethernet to the Netgear router, but everyone else uses the Ring Central app on their cell phones. Speed tests show that the phones are getting pretty good speeds, but for whatever reason everyone gets occasional dropped calls for a few seconds.

Should I invest in new wiring on our floor so everyone gets an ethernet port in their office, and set up my office like a server room? Can I get by with just using powerline for the VoIP phones (we have the physical Cisco phones, we just couldn't use them since we don't have ethernet ports)?

Thanks! Very appreciative of any response.



Hardware needed for a LAN-Party

Hi. Some friends and I are planning on hosting a LAN party for the youth of my hometown. Based on the numbers from previous years, the total number of attendees will be around 120. Does anyone here have any experience hosting LAN parties, and which equipment would you suggest we use (switches, routers, servers, etc.)?

We will rent a local community center for the occasion.



10Gb Intercity Transport

Looking at options for 10Gb wave transport between STL (Walnut) and PHX (PNAP). Both are PoPs for lots of carriers; I have relationships with several, some direct and some through the channel:

  • CenturyLink
  • Telia
  • Zayo

Cogent and HE.net both do Ethernet transport, which would be an option as well, and wouldn't be taken down by a single fiber cut.

3-year pricing for HE.net Ethernet transport and the wave cost from Zayo are pretty close, at right around ~$18xx.

I hear Telia can be super competitive on waves; waiting to hear back on that.

Anyone have price comparisons for long haul? Experiences with any providers listed (or others?)? Any thoughts on wave vs Ethernet? Obviously wave is guaranteed capacity and Ethernet could technically not be.



Possible DNS and/or DHCP issue?

Hello,

I have an environment where I have around 30 devices connected at times, mostly wireless, but a few devices are wired into the router, such as a Windows Server 2016 box, which acts as a file server and RDP server. The router is a new Asus RT-AC88U.

I'm encountering a strange issue that seems to only affect some devices, but at different times...

For example, I have an HP MFP M477fdw which some computers will lose connectivity to every now and then. If I do a constant ping to the printer, sometimes it will say "destination host unreachable", but then after a while it will respond.

If I do the same ping from the server to the printer, it always responds.

I can have two computers both ping the printer at the same time, sometimes one computer will show a response while the other shows destination host unreachable, but after a while they both can ping it fine. It's one of those inconsistent issues that is driving me nuts!

All devices are using the router (192.168.1.1) for DNS.

The Windows Server 2016 box has the router in its DNS forwarding config.

There are no special settings, such as firewall rules, routing paths, etc.

This happens with 2 other printers on the network as well...

I've tried things such as turning off IPv6 on the router, disabling roaming assistant, and some other options. The router has the latest Merlin firmware.

Thanks for any help!

Also posted in TechSupport: https://www.reddit.com/r/techsupport/comments/96kx3s/dns_andor_dhcp_issue/



Fast high quality cable labeler recommendation

I need to label a large set of cables (Ethernet and fiber, 1000+) and was wondering, for those of you who have cable labelers, what you would recommend that prints and cuts various custom labels fast, is readable, cost effective and easy to maintain.



Need software recommendation

My connection drops sometimes at home. I suspect the Netgear switch the provider has in my garage. It's old. Really old. My gaming router especially does drop pings. So, I want a tool to continually ping somewhere on the internet and track statistics on dropped pings and latency spikes. Then I can show this small provider: hey, it might be worth changing out this little old switch.

Suggestions?



Dialing 911 if cloud based phone system goes down

Hey guys, some of you may have seen my post the other day about moving to a cloud-based phone system from a Cisco on-prem system.

I was wondering how you handle things like dialing 911 if your system or ISP is down? We are running SD-WAN with multiple connections so that should never happen, but what if?



Is it possible to match the TLS SNI field on a Cisco ASA without Firepower?

Just curious if this is possible; it might make for very effective on/off SSL filtering without Firepower.

This is purely hypothetical so no tangents on design please...



If you could be THE perfect/ideal Networking B.S course for a university, how would you do it?

Here's a scenario: you've been tasked by a university to completely and utterly revamp their CS division entirely to your liking. You have unlimited funds and the ONLY stipulation is this: create a CS/Networking course (or courses) SPECIFICALLY designed for its graduates to be prepared for real-world networking/IT problems literally from the moment they walk across the stage after getting their degree. In other words, if an employer sees that your student graduated from your program, they'd immediately count it as experience or want to hire him/her immediately because of your program's reputation for cutting through the bullshit.

What do you do?



TP-Link Archer AC1200 USB Sharing Server Setup

Hey guys, I'm trying to set up my TP-Link for a small media server and use it as a place to store documents for my devices.

I am doing a test run by hooking up an 8GB flash drive. Currently the USB can share over the network (quite slowly because it's a pretty sad old USB stick). I am able to connect to it using my laptop and exchange files, but my desktop CANNOT access the service for putting files onto the server. It can, however, browse and open files.

Why is it that my laptop can access it while my desktop cannot? Also, is it possible to set up a login to edit but free rein to browse?



Half Duplex issue

Hi,

While I am not CCNA certified, I've been messing around and configuring Cisco switches for the past 6-7 years, so I know my way around. I've been having an issue for the past few weeks that I can't figure out, and I hope I can get some replies here that will help me out.

We recently moved our main distribution switch (previously a Cisco 4510R) to a new distribution switch (a stack of 4x 3850s). The duplex issue began after the migration. Some of the trunks to some buildings have been negotiating at half duplex since we switched over to the new stack. Previously, these buildings were connected to the 4510R with fixed MT-RJ connectors running at 100Mbps. At the building's end, some buildings are connected with Wireweks transceivers to Cisco 2960 switches, while other buildings are connected with GLC-GE-100FX into Cisco 2960-X. For the migration to the stack of 3850s, we bought some Cisco GLC-GE-100FX to replace the fixed MT-RJ connectors and thought it would work. It doesn't. The buildings are negotiating at half duplex with the GLC-GE-100FX. This happens whether there's a transceiver or an SFP at the building's end. There is no "duplex half" in the config of the trunk; everything is negotiated auto. Forcing "duplex full" results in no connection.

We are now thinking the fibers might be the issue. We tried switching to other pairs, but are still running into the same issue. Those fibers are multi-mode and probably 15+ years old. Could it be the fiber quality? Could it be that the MT-RJ connectors in the previous 4510R were more "powerful" than the new SFPs?

Thanks for any comments.

Neo.



Making a distributed downloading system

So, I stay in my college hostel. There is a speed cap on individual connections to the wifi, so I wanted to build software that would allow me to download different chunks of a file in parallel with more than one laptop cooperating with each other, then transfer all the downloaded chunks to one of the laptops and merge them. This would let us download files way faster. I have a fair bit of knowledge of networking basics, but I have no idea how to do this.

If someone could give me a general framework for how this can be done, I'd appreciate it. Let's assume it's a legal torrent file I'm downloading, to be more specific. Thanks :)

P.S This is not a college project, it's just something that I want to do out of my interest. :)



Switches as AP controllers

I have come once again to seek the wisdom and knowledge of this sub.

My next project requires deploying some access points, and I have zero knowledge about wireless. I've been looking at what kind of switches to deploy and I've been wondering if there are any switches that can also function as AP controllers.

I've been looking at Aruba 2930M and it says it can support APs but it's unclear if it can actually work as a controller. If it does, then is there something like it in Cisco's arsenal?



TLS1.3 final RFC published.



Friday, August 10, 2018

I have been working in the networking domain for almost 8 years. Did not clear CCIE R&S. I still feel I am not up to the mark in terms of being an expert. Am I the only one feeling this way? What do I do to get to that level?

Back to back VPC, spanning-tree port type normal

So I know that in a back-to-back vPC the port type (of the ports facing the other pair) is supposed to be type normal, and not network for bridge assurance. I've even had this cause major issues. I just don't understand why it would.



Need help creating Access Point (via Pi's WiFi adapter) and connecting to a router via external WiFi adapter

Hi guys, I need help with something I'm working on. Sorry if this is not the right sub to post this in. Also, this is my second post on Reddit (the first one is in /r/raspberry_pi, so this is a duplicate of that one).

I have a Raspberry Pi 3 Model B running the latest Kali image (kali-linux-2018.2-rpi3-nexmon.img), and I would like to create an AP using the Pi's internal WiFi adapter (wlan0) and then connect to a router using an external USB adapter (Alfa AWUS036NH, wlan1).

I have attached a scheme of how exactly I want to do this. I've been trying to find articles and how-to's, but they're either outdated or they are for different OS versions (Raspbian, Jessie, etc).

https://imgur.com/a/c9Xzfwz (Visual Scheme of what I'm trying to accomplish)

So, basically, I want to connect from my Laptop or Smartphone to my RPi running in AP mode (hostapd and dnsmasq) via SSH (wlan0) and then connect to the router via the WiFi adapter (wlan1) and be able to see and communicate with all the clients in the network (Internet Access is a plus, but not mandatory). The AP on the internal adapter would be configured to run on startup automatically when the RPi is powered on and I would manually connect to the router once I'm logged into the AP (I'm guessing by providing the BSSID and the Passphrase of the router in the wpa_supplicant file).

Is something like this possible? If so, can someone point me in the right direction or help me set this up? Any kind of help is very much appreciated!

Thank you!



Want cat6 for IP video cameras in an elevator

I am a PM for an elevator maintenance company and I have the task of getting Cat 6 into an elevator for IP security cameras. Due to US elevator and electrical code, true Cat 6 is not used in elevator traveling cables because the minimum wire gauge is 22. I hoped to use 4 sets of 22 ga twisted/shielded pairs connected to terminal strips at each end and reduced to 24 ga Cat 6. Will the increased wire size and/or the terminal strips negatively affect the video signal? Without going fiber optic, is there another way I should approach this?



Outdoor ethernet termination box or patch panel?

Hi,

They're about to redo the siding where I work and I was notified I need to "fix the wiring situation" at several locations around our building... over the years, everyone (security camera installers, telephony, alarm/access control, WISP, etc.) has been drilling holes to pass individual wires through our outdoor walls, usually doing a terrible job of plugging them with caulking, and in some places there's a dozen+ wires sticking out of the wall like it's growing hair. It looks like crap. And management doesn't want the new siding to have a ton of holes drilled through it. The siding company has no recommendations. Our wiring people just want to drill new holes for each cable again like it currently is...

I was thinking of having something like a short PVC pipe passed through the wall, ending inside of a junction box mounted outdoors on the wall, and having some sort of weatherproof connector (screw on gland style? M12? Neutrik?) for each network port/cable. Ideally, I'd like something premade as I have at least ~10 spots where I would need termination enclosures, and I would rather not have to drill/machine each box by hand... I've found a bunch of NEMA/IP6x enclosures, some with knockouts for pipes/etc, but many of them don't have a knockout facing the wall to allow a pipe with wiring into the building...

Anyone got any thoughts or recommendations? Is there some other way of doing this I should be looking at? Thanks!



8C8P plug recommendation

Hi!

Can someone recommend which 8C8P plug would be best to use with the GMP Modular Plug Presser with #8 die? I need to make some Ethernet connections. I'll be using solid cable, UTP.



Dead Vlan with SVI but no IP Address vs No SVI

Specifically working with Dell N-Series Switches.

Is there effectively any difference, security-wise, between an interface with no IP address and no interface at all?

I'm using this vlan to park ports that are not in use.

The difference it makes to me is I will get an interface up/down log if the interface exists.

Sample output.

_______________________
configure
vlan 999
exit
slot 1/0 4 ! Dell EMC Networking N2048P
stack
member 1 4 ! N2048P
exit
logging console informational
logging monitor informational
interface vlan 1
exit
!

VS.

________________
configure
vlan 999
exit
slot 1/0 4 ! Dell EMC Networking N2048P
stack
member 1 4 ! N2048P
exit
logging console informational
logging monitor informational
interface vlan 1
exit
interface vlan 999
exit
!



Do I spend the extra to get MacBook Pro?

I am shopping for a new laptop with 32GB of memory (I need the RAM to run virtual machines). Looking at the ThinkPad T480, Dell XPS 15 and MacBook Pro 15 inch. Currently the ThinkPad T480 is the "cheapest", with the XPS 15 a little bit more expensive when I try to spec out the three similarly. The MacBook Pro is about 1k more...

From what I use daily as a consultant, I am not sure how I can justify the extra spending on the MacBook Pro. Performance? A recent PC Mag video on YouTube showed the MacBook Pro is not the best performing laptop in their testing. So I want to come here and ask your opinion (whether you are a network engineer, consultant or SE): why would you choose the MacBook Pro over the Windows laptops? Do any particular applications you use work better on the MacBook Pro?

Frankly speaking, the only reason I am even considering MacBook Pro is because I kinda like macOS and integration with iPhone. But I am not sure if that is enough to spend the extra money.

Thanks,



What are the likely causes of high latency in an enterprise environment?

I know it's a general question. Just trying to troubleshoot this whole "my internet is slow" ticket. When I do a traceroute to the internet, I noticed the hop that goes to the internet/public is at 100ms over the rest of the other hops. Any general tips are greatly appreciated.



Juniper vSRX - AWS Only?

Hi guys, as the title already says, this is more of a licensing question than one of networking knowledge:

Is it not possible to get the vSRX license outside of AWS in Europe? Specifically in Germany, if it makes any difference.

Spent a few hours now looking around and called a retailer but their answer was pretty much "Uh yeah... I'll have to ask around, not sure if we even sell that still".

Found a few US sites that say they sell the licenses but all of them only ship to US, which is interesting with a virtual appliance.

Does AWS have an exclusive on the vSRX, or what's going on? How come it's so difficult to find?



Are there any network/security engineer focused news sites like HackerNews?

The title says it all, here is a link for reference https://news.ycombinator.com/news



Can you help me?

So I think my internet speed is capped. On my PC when I do a speed test it shows 10Mbps, but when I plug the cable into my laptop it shows 90Mbps. I'm paying for 100Mbps. I did everything that's shown in this video https://www.youtube.com/watch?v=bAke9R-k3so&t=73s, but it didn't work. Can you help me?



The "golf induced recommendations" and subsequent Q: has anyone deployed Azure Stack alongside an SDN solution, in their data center?

As a "normal" business practice, someone plays golf with someone else, and subsequently we are supposed to look into bringing Azure Stack in our data centers (already users of some Azure public cloud services), as PoC, while in the process of deploying Cisco ACI and some small NSX footprint.

Of course the most immediate reaction is to read more about it and make sense of the technology (BTW, TIL that Cisco tops other vendors in this solution offering!!), but I would appreciate your feedback on real-life usage and integration, pros and cons.



Would you still deploy IWAN?

We have been POCing a few SD-WAN vendors (Silver Peak and VeloCloud). They've been pretty good, but I don't exactly get the warm fuzzies with their software. Both POCs have had their software bugs. Their devices feel more like a software platform than an appliance I can rely on, like the switches and routers of old.

I know IWAN isn't exactly the new hotness anymore, but is it still worth looking at? Viptela is nice to look at, but the Cisco tax on that thing is nuts.

I don't believe IWAN has subscription fees, so that is kind of attractive. I'm pretty sure management of 77 WAN sites would be hell, though.



Cloud Based VoIP Solution with a Contact Center

To all my Collaboration guys: we're on the hunt for a cloud-based phone system for our company of about 150 users in one building plus remote employees.

A few key features we need:

  • Contact Center with some features to design call routing to our needs (not very complicated routing)
  • Reporting capabilities. The more the better, for our managers to view hold times and things of that nature.
  • Soft phones. We want to be a fully soft-phone-based environment.
  • Of course, voicemail

We are currently using an on prem Cisco system but would like to migrate to a cloud based system.

Let me know what you guys are using and how you feel about it.



Sending a huge file to many receivers simultaneously at a fixed speed would be most efficient if most receivers don't get the first part first

Everyone gets the same part at the same fixed speed. The sender reads the file continuously from beginning to end in a loop, sending the part it reads to 10 or 100 receivers. When a new receiver starts a download, a random part comes first, then every part in order, until the loop is complete when the part before the first-received part arrives.

If the server is sending only one file, then a spinning drive seeks only at the end of the file. Even when sending 100 files to 1000 users, seeking is reduced.

If the receiver's speed is not enough, every nth part is received and the loop is repeated n times. The file gets fragmented unless a big write buffer is used.

Multiple senders streaming different parts of the file at different speeds would help.

This has a distant resemblance to the BitTorrent protocol.

This is easier on CPU, RAM and disks.

The OS could help make this more efficient on both sides.
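As an added simulation of the carousel scheme described above (example code, not from the post), assuming one chunk per time slot and a slow receiver that can only take every n-th chunk: it shows that a receiver joining at any point completes in one loop, that a slow receiver completes in about n loops only when n and the chunk count share no common factor (otherwise it keeps seeing the same chunks), and how out-of-order arrival fragments the file unless writes are buffered.

```python
"""Simulate cyclic ('carousel') file delivery: the sender streams chunks 0..N-1 in an
endless loop at a fixed rate; receivers join whenever they like.  Constructed example."""
from math import gcd


def carousel_chunk(n_chunks, slot):
    """Chunk index the sender is broadcasting in time slot `slot` (slot 0 carries chunk 0)."""
    return slot % n_chunks


def receive(n_chunks, join_slot, every=1):
    """Model one receiver that joins at `join_slot` and can accept only every `every`-th
    slot (every=1 is a full-speed receiver).  Returns (slots_used, chunks_in_arrival_order);
    slots_used is None when the receiver can never complete, which happens when
    gcd(every, n_chunks) > 1 because it only ever sees one residue class of chunks."""
    have = set()
    order = []
    # Upper bound on slots: after every*n_chunks slots the pattern repeats exactly.
    limit = every * n_chunks + 1
    used = 0
    slot = join_slot
    while len(have) < n_chunks and used < limit:
        if (slot - join_slot) % every == 0:        # this receiver can take this slot
            c = carousel_chunk(n_chunks, slot)
            if c not in have:
                have.add(c)
                order.append(c)
        slot += 1
        used += 1
    if len(have) < n_chunks:
        return None, order
    return used, order


def can_complete(n_chunks, every):
    """True iff a receiver taking every `every`-th chunk eventually sees every chunk."""
    return gcd(every, n_chunks) == 1


def contiguous_runs(order):
    """Number of maximal runs of consecutive chunk indices in arrival order.  Each run
    boundary is a seek on a spinning disk unless writes are buffered and reordered, which
    is the fragmentation the post mentions."""
    runs = 0
    prev = None
    for c in order:
        if prev is None or c != prev + 1:
            runs += 1
        prev = c
    return runs


if __name__ == "__main__":
    n = 8
    for every in (1, 3, 2):
        used, order = receive(n, join_slot=3, every=every)
        print(f"every={every}: slots={used} order={order} runs={contiguous_runs(order)} "
              f"completes={can_complete(n, every)}")
```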



Preserving NAT (and other issues) across multiple, varied DC interconnects

Hello networking friends!

The long and short of this is that my organization is moving from on-premises servers to a colocated data center. My job is to engineer the primary connection, failover, and DR connection.

The primary connection is a wave product from an ISP. The backup to that is an IPsec VPN terminated at an NSX virtual appliance. The DR connection, as planned, is an IPsec VPN.

Over the primary connection we have OSPF in place. At the data center end, there is a static route with a high metric to initiate failover if the primary connection were lost. This works. Failing back, when the routes become available over OSPF again, does not work so well. But we're working through that.

The IP space at the DR and Primary DC sites is different. So, an issue I see looming is preserving the NAT address during a DR test/failover event.

Another issue, since the VPN is terminated on the firewall, any traffic destined for either data center from the outside will likely be forwarded through the VPN instead of downstream.

Simple diagram

So, how do you guys combat these issues?



Balancing QoS

I've started working at a company that has a very simple VLAN-priority QoS setup. We are implementing a teleconferencing solution, and I'm working to fix the QoS. Currently, we have VoIP and IP cameras on separate VLANs, but with the same QoS priority. I want to change the priority queues and implement GMB on them to keep things simple. I have HP switches, if that matters to anyone.

Question, how would you rank priority? I'm going to prioritize the teleconference, voice, then camera vlans. Would anyone disagree with that priority? I'm not sure if I want the teleconference to have a higher priority than the voice, but it won't be used all that much comparatively.



Cisco WLC centrally switched SSID takes a couple of times before joining

Got a weird issue on the WLC. We have a new SSID that is configured WPA2, centrally switched, using a PSK, that takes 2 tries before joining. My Linux laptop only took one try. I thought maybe it was the SSID, but I tried some other SSIDs that are centrally switched and they also seem to have the same issue.

I ran some debugs and this is what they show. If I remove the pre-shared key they connect right away. Maybe it's a timeout issue? None of our FlexConnect SSIDs have this issue.

apfReceiveTask: Aug 10 08:49:56.491: 9c:f4:8e:25:24:71 Setting active key cache index 0 ---> 8
*apfReceiveTask: Aug 10 08:49:56.491: 9c:f4:8e:25:24:71 Deleting the PMK cache when de-authenticating the client.
*apfReceiveTask: Aug 10 08:49:56.491: 9c:f4:8e:25:24:71 Global PMK Cache deletion failed.
*apfReceiveTask: Aug 10 08:49:56.491: 9c:f4:8e:25:24:71 apfMsAssoStateDec
*apfReceiveTask: Aug 10 08:49:56.491: 9c:f4:8e:25:24:71 apfMsWepPskStateDec
*apfReceiveTask: Aug 10 08:49:56.491: 9c:f4:8e:25:24:71 apfMsExpireMobileStation (apf_ms.c:7818) Changing state for mobile 9c:f4:8e:25:24:71 on AP a0:23:9f:f4:d0:a0 from Disassociated to Idle
*apfReceiveTask: Aug 10 08:49:56.491: 9c:f4:8e:25:24:71 10.2.10.191 START (0) Deleted mobile LWAPP rule on AP [a0:23:9f:f4:d0:a0]
*apfReceiveTask: Aug 10 08:49:56.491: 9c:f4:8e:25:24:71 Deleting mobile on AP a0:23:9f:f4:d0:a0(0)
*spamApTask6: Aug 10 08:49:56.499: 9c:f4:8e:25:24:71 apfUpdateDeleteAckInMscb (apf_api.c:51664) Expiring Mobile!
*spamApTask6: Aug 10 08:50:00.811: 9c:f4:8e:25:24:71 Received DELETE mobile, reason MN_REASSOC_TIMEOUT, from AP a0:23:9f:f4:d0:a0, slot 0 ...cleaning up mscb
*apfOpenDtlSocket: Aug 10 08:50:12.936: 9c:f4:8e:25:24:71 Recevied management frame ASSOCIATION REQUEST on BSSID a0:23:9f:f4:d0:a0 destination addr a0:23:9f:f4:d0:a5
*apfMsConnTask_0: Aug 10 08:50:12.936: 9c:f4:8e:25:24:71 Updating 11r vendor IE



What networking related topics would students be interested in?

Hello r/networking, I'm a student in my final year of college. We have a student run group where we organize talks and workshops by experts or the students from the group themselves talk about any topic related to CS. What do you think would be an interesting topic? We have CS students ranging from sophomores to final years.

One of our seniors gave a demonstration using Bro, showing us how to sift through logs and identify a malicious payload and its source with some common Flash vulnerabilities. That was well received.

I thought of talking about IPv6 deployment and what it brings to the table, but I couldn't think of any content that would last for more than 15 minutes.
What about SDNs? I figured I could spin up a network using Mininet and POX and show them how to programmatically configure a switch.

Or how about automation using Ansible?

Thanks



Tracing Ping Requests Through Hubs, Switches

Diagram: https://i.stack.imgur.com/ZxFWd.png

Am I correct in my assumptions:

  • If PC1 pings PC3, PC1, PC3, PC4 and PC5 would see the ping request but only PC3 would respond
  • If PC4 sends a ping request to PC5, then PC4 and PC5 would see the ping request but only PC5 would respond
  • If PC2 sends a ping request to PC5, PC2, PC3, PC4 and PC5 would see the ping request but only PC5 would respond
  • If PC1 sends a ping request to PC3, then PC1 and PC3 would see the ping request but only PC3 would respond
  • If PC2 pings PC5 then PC2, PC3, PC4, PC5 would see the ping request but only PC5 would respond

and

  • In all the above ping requests, the ARP would be seen by all computers on the network

I tried to set up two virtual machines to be able to test this, but I haven't had the chance to do so due to an error with the networking interface I'm trying to configure, and I need to understand these for an exam.

Thanks
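The frame-visibility reasoning in the post above, as an added simulation that is not part of the post and does not reproduce its diagram: it assumes a topology of a learning switch (PC1 and PC2 on it) uplinked to a hub (PC3, PC4, PC5 on it) and reports which NICs receive the ARP broadcast, the echo request once the switch has learned the destination MAC, and an unknown-unicast flood before it has. The host names and MACs are constructed.

```python
"""Model which hosts see a frame on a LAN built from hubs and learning switches.
Constructed example; the topology is a tree (no loops), so no spanning tree is modelled."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Lan:
    def __init__(self):
        self.kind = {}                     # node name -> "host" | "hub" | "switch"
        self.links = defaultdict(set)      # node -> neighbouring nodes
        self.mac = {}                      # host name -> MAC address
        self.cam = defaultdict(dict)       # switch -> {MAC: neighbour the MAC was learned on}

    def add(self, name, kind, mac=None):
        self.kind[name] = kind
        if mac:
            self.mac[name] = mac

    def link(self, a, b):
        self.links[a].add(b)
        self.links[b].add(a)

    def send(self, src_host, dst_mac):
        """Return the set of hosts (other than the sender) whose NIC receives the frame."""
        seen = set()
        for nb in self.links[src_host]:
            self._deliver(nb, src_host, self.mac[src_host], dst_mac, seen)
        return seen

    def _deliver(self, node, came_from, src_mac, dst_mac, seen):
        kind = self.kind[node]
        if kind == "host":
            seen.add(node)        # the NIC sees it; only the addressed host processes it
            return
        if kind == "hub":
            out = self.links[node] - {came_from}             # a hub repeats to every port
        else:
            self.cam[node][src_mac] = came_from              # switch learns source MAC
            port = self.cam[node].get(dst_mac)
            if dst_mac != BROADCAST and port is not None:
                out = {port} - {came_from}                   # known unicast: one port only
            else:
                out = self.links[node] - {came_from}         # broadcast / unknown unicast: flood
        for nb in out:
            self._deliver(nb, node, src_mac, dst_mac, seen)


def build_lan():
    """Assumed topology: PC1, PC2 and HUB1 hang off switch SW1; PC3-PC5 hang off HUB1."""
    lan = Lan()
    for i in range(1, 6):
        lan.add(f"PC{i}", "host", mac=f"00:00:00:00:00:0{i}")
    lan.add("SW1", "switch")
    lan.add("HUB1", "hub")
    for pc in ("PC1", "PC2"):
        lan.link(pc, "SW1")
    lan.link("SW1", "HUB1")
    for pc in ("PC3", "PC4", "PC5"):
        lan.link(pc, "HUB1")
    return lan


def ping(lan, src, dst):
    """Model one ping: ARP request (broadcast), ARP reply (unicast back, which teaches the
    switch where dst is), then the ICMP echo request (unicast).
    Returns (hosts that saw the ARP request, hosts that saw the echo request)."""
    arp_request_seen = lan.send(src, BROADCAST)
    lan.send(dst, lan.mac[src])
    echo_seen = lan.send(src, lan.mac[dst])
    return arp_request_seen, echo_seen


if __name__ == "__main__":
    lan = build_lan()
    for src, dst in (("PC1", "PC3"), ("PC4", "PC5"), ("PC2", "PC5")):
        arp, echo = ping(lan, src, dst)
        print(f"{src}->{dst}: ARP request seen by {sorted(arp)}, echo seen by {sorted(echo)}")
    fresh = build_lan()
    print("unknown unicast before any learning:", sorted(fresh.send("PC1", fresh.mac["PC3"])))
```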



Anyone else taking Kirk Byers' Python course right now? Can we get a discussion thread?

Network Engineer first time learning Python. Started with the "Learn Python the Hard Way" course, and am now in the first week of Kirk Byers' course right now.

Figured if other people are in the same boat, we could discuss and bounce ideas/questions off each other?

  • Matt


ER-8-Pro port forwarding through LAN masquerade

Hey there,

I'm sitting in front of a network with some difficulties. My solution is somewhat documented here. However, there's a few twists. I'm gonna refer to the network structure of that link.

Imagine the WAN interface being a LAN interface and WAN being somewhere else. So no firewall rules, just masquerading. I want to forward a port and also translate it.

Example: someone in the network of eth0 calls the interface address on port 8080 which then gets forwarded to 192.168.1.10:80

I did this like described in the article, skipping the firewall thing (because there is none) and have not tried doing it via CLI (maybe I'm foolish to think it wouldn't do the exact same thing)

Problem: when I try to access, I get a timeout

Question: is there anything I'm missing completely or maybe just an edge because of the different setup of WAN/LAN?

I can confirm that the firewall is working (or not working) as intended, as enabling it does lead to the connection being refused instead of dropped (depending on the setting).

Any hints (apart from "route it properly") are appreciated.



Cisco learning store - worth the $1000?

Hi team,

Has anyone tried the online training with labs offered by Cisco, like for example CCNP Security?

It costs $1000, which is a lot for the average central European salary, but it looks very promising, offering web-based pre-configured labs (Screenshot).

Any opinions?

Thanks!



Thursday, August 9, 2018

Could someone explain the differences between 'managerpriv' and 'operatornoauth' for Aruba's SNMPv3

Specifically which group should I use to give an application read-only access to all objects?

Thanks



Brocade ICX 6610 10G SFP issue

Hi networking,

I need some help figuring out why I can't get my 10g fiber connections to come up. Some background:

I recently did a 10G fiber install between my MDF and IDF; the fiber installers tested the connections and were getting near 10G speeds. I have Brocade switches and am specifically trying to connect a Brocade ICX 6610 to a Brocade ICX 6450; these are both 48-port models. Here is what I have done so far to troubleshoot:

  1. Purchased the required 10G Brocade licenses and applied them to both switches. I then rebooted these switches to make sure the licenses were applied.
  2. Tried to use multiple SFPs to rule out a module issue. I confirmed that both switches are able to see the SFPs and have thus far been able to see all of the modules I've tried. I have used:
    1. https://www.amazon.com/gp/product/B079TGFVN8/ref=oh_aui_detailpage_o03_s00?ie=UTF8&psc=1
    2. https://www.amazon.com/gp/product/B01HOBLREU/ref=oh_aui_detailpage_o04_s00?ie=UTF8&psc=1
    3. https://www.amazon.com/gp/product/B01CSC3TQ4/ref=oh_aui_detailpage_o04_s01?ie=UTF8&psc=1
    4. https://www.amazon.com/gp/product/B072FVV4CM/ref=oh_aui_detailpage_o00_s00?ie=UTF8&psc=1
    5. All of these SFPs match what the fiber installers actually installed, and this is confirmed on my purchase order form.
  3. I replaced the fiber jumpers going to both switches.
  4. I tried flipping the fiber jumper connections to see if they were crossed. Again, I did this on both switches and only one side at a time.
  5. I configured the ports for the correct speed using speed-duplex 10G full and confirmed this on both switches. I also issued the enable command.
  6. I added the ports to the appropriate VLANs to match the current 1G ports they will be taking the place of.

Currently, the 6450 shows the port state as up, however, the 6610 is still down and shows a state of BLOCKING. I tried to do some STP troubleshooting that I read on some forums because that was the only lead I could find regarding this issue and the blocking port state. I rebooted the switch again to undo those changes and did not save the running-config. I then reissued the commands mentioned above.

I am at a loss for what the problem is and I am having difficulty finding much information about Brocade. I do not have support on these switches, but would be willing to purchase it if all else fails. I will supply any outputs needed to solve this issue.

Please Help!



Are VLANs enough for separating open WiFi and business networks?

Is it considered good practice to have an open wifi network run through the same switches and routers your business network is going through? The open WiFi is on a separate VLAN; however, I am concerned that denial-of-service attacks can still be carried out on the wifi VLAN and used to target the switch interface or even the router interface, bringing down the business connection as well.



X not working. what do?

Say something goes wrong with a router, or a switch, or anything else really. Do you have some standard procedure that you follow to find out what went wrong? Or just whatever comes to mind for me its: - ping IF no ping check cables else - check services status - check logs - tail -f logs and try connecting again - google error codes

I have literally been using Linux for like 3 months, and my job is to manage a 50-router system. What commands do you use the most to monitor health/debug the network? Thanks!



Hi, is there a way to track data usage from a desktop/laptop of the entire network?

So we have dsl and the network slows down every once in a while, and everyone always says nobody is downloading anything. Is there a way to view the data usage of all the private ip addresses without messing with the router? Like just a program or even an Android app? Thanks.



Reverse Proxy (End of my rope) I'll buy you lunch! (or drinks)

Hey folks - I'm having a heck of an issue here - I've managed to work through this and get it working before, but something along the way seems to have broken my ability to establish communication with a reverse proxy. I'm able to share certain things - I had a Blue Iris server that was forwarded out which has since broken - I'm at a total loss lol. Anyone willing to take a quick look at a pfSense instance for a Drizly order or me buying you a dinner via Favor/Uber Eats? At this point, I'm sure it's something stupid that I've failed to see due to looking things over so many times, but I'd really just like to drill this down.

ESXi > vSwitch with no external link > pfSense hosted on server with VLAN providing DHCP/DNS to that segment. The machines within can connect to the web just fine, but for some reason my Caddy and nginx instances won't let me get a certificate for my domains, even with 80 and 443 forwarded to the specific IP. I had it working for 24 hours, but then it just... stopped, and I can't recert now. Thanks for your time guys - I'm at the end of my rope.



Can't plug computer into cable modem

Hey everybody. Before I discuss this issue, I am going to try to prevent the flame war before it happens. I work for a major cable company that provides internet service. My job exists at the PHYSICAL LAYER. I get sent out to homes to install coax in a way that it will work. I also verify the integrity of those cables. In case it isn't clear, I operate at the physical layer. So with that being the case, please don't bitch at me because I work for a major cable operator and am asking questions beyond the scope of my job. Sorry for the rant, but the last time I posted here, it was a nightmare. Just needed to get that out of the way.

Ok! I have had issues connecting a computer to a cable modem at my house. I was trying to see what my speed was when bypassing my POS router. Easy enough, plug in the computer and you're online, worst case scenario a reset might be needed, right? Well typically yes, but not now. I have tried multiple computers and ethernet cables, but the computers can't connect to the modem if the modem is online. If the modem is offline however, the computers have no issue at all connecting to the modem and going into the GUI, but as soon as the modem finishes synching up with our central office, it disconnects the computer from the WAN port. Plugging a router into the modem works just fine, and you can plug the computer into the router and it works just fine. But not directly to the modem. Interestingly enough, the modems are also reporting T4 timeouts, which is not the case. T4 timeouts are characteristic of signal issues, of which there are none. Typically when connected to a modem directly, the computer will receive a public address. What's happening now though is the computer is receiving a private address that is in the same subnet as the address used to reach the modem GUI page (can't remember what that's called, internal address maybe? Anyway, it's not important) and it's not receiving DNS servers either.

I suppose my question is, what's different about the router that it can connect without issue, but a computer will reset the modem? I tried changing the MAC address of the computer to be identical to the one used by the router; that's not it.

Thanks guys! Like I said in the beginning, and I can't stress this enough, please don't berate me for asking this question. I understand that I work for one of the most hated industries in the nation, and they should make sure I can do my job effectively. My job is at the physical layer, which is confirmed as being a non-issue. The issue has been escalated to somebody whose problem it is, but this is going to keep me up at night and I need to know.

Thanks!

Edit: forgot to mention a couple things. This issue isn't just at one location. It's been happening more and more throughout the city and seems to have no correlation of variables between affected modems.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



What are you guys using for OOBM in your DCs?

I've been looking at OpenGear. I think it'll do what I want, but their sales stuff is just leaving me with questions because it's so high level.

What I want is a device I can remote into, in the event that someone makes a bad commit on our core switch or firewall in our datacenter, that will have console access to these devices. Ideally console to switches, firewalls, and server (by this I mean iLo/DRAC, etc).

OpenGear is confusing me because it seems like it's supposed to act as an internet failover for my datacenter... unless I'm reading it wrong. I just want a cell line I can dial into if things go south in the DC which is remote.



Can OSI layers bottleneck a big UDP stream?

If all my CPU cores are handling and sending UDP datagrams at high rates, do the data link/physical layers of the OSI model act as a bottleneck, making the use of concurrent processing inefficient? Are there any good reads on this matter?

Thanks in advance.



How to prove it's not the network

As we all know, the network gets blamed first every time something bad happens. In an enterprise network (30k users, 30 locations), what do you think would be needed in 9/10 cases to prove it's not the network?

At least for us, first thing people ask is what has changed in the network. For that we're starting to use LibreNMS with Oxidized pushing configs to git. We could then quickly show what config changes have been made. I'm wondering if I should also get routing tables to Oxidized? Or is there a better way to monitor routing tables in the network?

Besides config auditing it's probably all about monitoring the network? Some things I think would be useful to alert on and have on higher priority monitoring: (besides of course device availability)

  • BGP sessions in our network (we run our own MPLS network)
  • Bandwidth usage on core and uplinks (core <-> distribution)
  • Errors on core and uplink interfaces
  • something else?

We're also implementing NetFlow monitoring to understand the traffic patterns, and maybe see the situations where the client did send the traffic but the server didn't respond?

Wondering though how we could monitor application latencies? We've tried installing Raspberry Pis at our remote locations and having them do connection tests to see if some location suddenly has worse response times than the others. But it's quite hard to manage those if you have lots of services. On the DC side we could probably have everything behind our F5s and use their monitoring tools to get some data, at least on whether it's the client or the server.

Thanks for any ideas!
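The per-location probe idea above, as an added example that is not part of the original post: each site records TCP connect times to a service, and a robust median/MAD comparison across sites flags the one that is suddenly worse than the rest (the sample measurements and site names are constructed).

```python
"""Per-site latency probe with cross-site outlier detection.

Added example, not from the original post. The probe mirrors the
Raspberry Pi connection tests described above; the analysis step answers
"is one location suddenly worse than the others?" with a median / MAD
comparison so a single bad sample does not raise an alert.
"""
import socket
import statistics
import time
from typing import Dict, List


def probe_tcp_connect_ms(host: str, port: int, timeout: float = 2.0) -> float:
    """Time one TCP handshake to host:port in milliseconds.

    Returns float('inf') on failure or timeout, so a dead service shows up
    as "worst possible latency" instead of crashing the probe loop.
    """
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except OSError:
        return float("inf")
    return (time.perf_counter() - start) * 1000.0


def site_medians(samples: Dict[str, List[float]]) -> Dict[str, float]:
    """Collapse each site's sample list to its median, ignoring failed probes."""
    out: Dict[str, float] = {}
    for site, values in samples.items():
        good = [v for v in values if v != float("inf")]
        out[site] = statistics.median(good) if good else float("inf")
    return out


def flag_slow_sites(samples: Dict[str, List[float]], k: float = 3.0,
                    floor_ms: float = 5.0) -> List[str]:
    """Return the sites whose median latency is an outlier versus the fleet.

    A site is flagged when its median exceeds fleet_median + k * MAD, where
    MAD is the median absolute deviation of the site medians. floor_ms stops
    alerts on sub-millisecond jitter when all sites are nearly identical.
    Sites with no successful sample at all are always flagged.
    """
    medians = site_medians(samples)
    flagged = [s for s, m in medians.items() if m == float("inf")]
    finite = [m for m in medians.values() if m != float("inf")]
    if len(finite) < 3:          # too few healthy sites for a fleet baseline
        return sorted(flagged)
    fleet_median = statistics.median(finite)
    mad = statistics.median(abs(m - fleet_median) for m in finite)
    threshold = fleet_median + k * max(mad, floor_ms)
    flagged += [s for s, m in medians.items()
                if m != float("inf") and m > threshold]
    return sorted(flagged)


# Constructed sample: five probes per site, in ms. "west-2" is degraded and
# "branch-9" never completed a handshake.
SAMPLE_PROBES: Dict[str, List[float]] = {
    "hq":       [12.0, 13.0, 11.0, 12.0, 14.0],
    "east-1":   [15.0, 14.0, 16.0, 15.0, 13.0],
    "east-2":   [11.0, 12.0, 12.0, 13.0, 11.0],
    "west-1":   [14.0, 15.0, 13.0, 15.0, 14.0],
    "west-2":   [95.0, 110.0, 102.0, 98.0, 120.0],
    "branch-9": [float("inf"), float("inf"), float("inf")],
}

if __name__ == "__main__":
    for site, median in sorted(site_medians(SAMPLE_PROBES).items()):
        print(f"{site:10s} median {median:8.1f} ms")
    print("flagged:", flag_slow_sites(SAMPLE_PROBES))
```

To run it live, replace SAMPLE_PROBES with a dict built from repeated probe_tcp_connect_ms() calls on each site's probe host.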



What kind of Internet services do content providers like Netflix buy? And how does this differ from the kind of service a consumer buys?

I'm going to try and answer the question myself a little bit, so please point out any flaws in what I think the answer to this question is if you see them :)

Also let me know if this is the wrong subreddit to post this question in, thanks!

I'm an EECS college student interested in networking. I have been learning about how the internet works and its history, as well as the protocols, hardware, and companies that make the internet work. I think I understand a lot about networking from a consumer perspective: I pay an ISP that is probably a tier 3 provider and they probably own the last mile of internet connection from my house to a Point of Presence (POP) in a city near me. That tier 3 provider only charges me for the data sent between that POP and my home, no matter where that data is coming from. Even if data came from a far away server and had to go through many intermediate networks, peering agreements, and interconnection points (that might cost these in-between companies money to maintain), I still only pay for the data from the POP near me to my house. This seems like a great system for my local ISP since it probably costs more to calculate my bill depending on where I am getting traffic from than the minuscule amount of traffic I am actually sending or requesting from outside my local network (due to things like CDNs putting content much closer to my local ISP's network).

If this is the case, then if I wanted to be Netflix, I could serve traffic from my home to anyone around the world, up to the max speed of the internet package I purchased, and my bill would still be the same, even if all of my customers were based around the world from me. However, my traffic would then be susceptible to being slowed down due to congestion in any of the hops in between through interconnection points in ISPs and things like that. Also my ISP might have a max speed available to me, and if I wanted to provide more content than that bandwidth allows, I would probably have to negotiate a deal with my ISP to get an uplink of appropriate speed and at some agreed bandwidth usage. I can see this agreement charging me based on where my content is going since the ISP might have to pay a lot more if I am sending substantial traffic to somewhere far away on another network. Alternatively, I could pay a CDN like Akamai to serve my traffic from edge servers put closer to my customers, reducing the effects that spontaneous congestion might have on my traffic. I would then pay my local ISP for enough bandwidth to connect to Akamai servers that are close to me, and probably not have to pay much extra since I am not going through lots of interconnections. Akamai would probably have to pay for internet service that has lots of interconnections and agree to peering agreements however.

I heard that Netflix was trying to make its own CDN, and that means it could potentially have to start paying for interconnection points where it couldn't get a free peering agreement. This means Netflix had to pay Comcast for example since Comcast didn't want to peer for free (side note - why would companies not want to charge Netflix for peering agreements for Netflix's CDN traffic? Netflix only really needs to send data in one direction so wouldn't there be an imbalance in traffic at the peering point?). Then I read that Netflix had to buy a direct connection to Comcast. But this doesn't make that much sense to me. Shouldn't Netflix just be able to make an agreement with a local ISP for some amount of traffic, and then pay that ISP based on how much the ISP has to pay for sending all of this traffic (which means paying for additional interconnection fees that ISPs might need to pay if Netflix has a lot of traffic leaving the local network)?

I think I am getting kind of lost and confused even trying to explain this. But my main question is: What kind of internet service is Netflix (or a similar content provider) paying for? Who are they paying? And how does this differ from how a consumer level internet connection is paid for? Why can't Netflix just buy a 10 GBps up/down connection for each of its datacenters/CDN boxes?



Looking to replace our wireless over an MPLS network

Looking at Meraki; IT director is not a fan of Cisco however. Might look at Extreme, Fortinet and Ubiquiti. What are you fine chaps using these days?



Odd devices on my home network

Hello Reddit. I had a question for you. I noticed today some odd devices on my network while doing a LAN scan. They have bizarre names like 09ab01ac521702hg.surewest.net or amazon-07b4a2663.surewest.net. Yes I know surewest/consolidated sucks donkey balls and dong when it comes to service. The house was bought with internet and phone bundled into the price and the building courtesy of surewest and the real estate agency, so sigh. Anyway, the devices are static, not pingable, no network interface, no protocols, no nothing; just a name. What the arf are they? Should I be worried about them? In terms of network performance.



Creating a Site-To-Site AND Remote User VPN using Ubiquiti Unifi Security Gateway? Extensive details inside

I am a non-expert that provides most of the IT services to my 30 person company. We keep everything very simple and use mostly Apple hardware and cloud services. We have never had a VPN and never had any need for it because we do everything in the cloud. We use a cloud provider for shared storage, cloud hosted email and calendaring, cloud hosted password management, etc.

My office network uses Ubiquiti Unifi APs and switches. Historically we had a router running RouterOS that I know is very adaptable, but when that router broke and when my preferred IT contractor that set it up wasn't available to help, I ended up purchasing the Ubiquiti Unifi Security Gateway as a replacement. Setting it up was super simple and it's nice to have some of the router analytics coming through the Unifi dashboard, so overall I am a big fan.

Fast forward to today, and one of our clients is asking us to set up a site-to-site VPN so that they can share some of their databases with us. Additionally, my company's employees that need access to those databases often work remotely, so I need to be able to "daisy chain VPN connections": I need to set up remote user VPN's for my colleagues here to VPN into my office network so that they can access the client database through the site-to-site VPN with the client's office. Right now I am trying to figure out how best to achieve this VPN/network configuration.

In the short term I have asked the client to provide my colleagues with VPN credentials for their network, but in the medium term I would like to move to the site-to-site solution because it's better for my company to be able to grant and revoke VPN credentials without having to notify the client. For example, every time we hire a new employee, or every time an employee leaves, I don't want to have to make urgent requests to my client to grant/revoke VPN credentials.

Reviewing the Unifi Security Gateway documentation and online information, it appears that this router does support both site-to-site and remote-user. Only remote-user is documented in the User Manual but Ubiquiti has additional info about site-to-site on their website. I am wondering if even though the Unifi technically supports these features, whether it would be best to use a different device. I could either swap out this Unifi Security Gateway for a different router or I could add an additional piece of hardware just to enable the VPN configuration if that is a good option.

This is what the site-to-site VPN configuration page on the Unifi dashboard looks like

For the task of setting up the site-to-site VPN, my client sent over a "questionnaire" where they ask for the parameters of our VPN. Comparing to the Ubiquiti site-to-site VPN setup page, most of the line items that the client sent seem to relate directly to Ubiquiti settings, but there are some things that are missing and some things that I have other questions on. I definitely don't want to make this client a guinea pig to test the (possibly) limited VPN capabilities of Ubiquiti so if achieving this setup with my current router is sketchy then I want to take a different route. The client's VPN document is separated into 3 relevant sections: (1) VPN Tunnel Configuration Requirements, (2) IPSec Parameters (IKE Phase 1 Proposal):ISAKMP MAIN MODE NEGOTIATION, and (3) IPSec Parameters (IKE Phase 2) IPSEC QUICK MODE NEGOTIATION. The first section seems to be related to overall settings, whereas sections (2) and (3) seem to be different types of VPN connections. I am not sure if I need to set up for both types or if I only need to set up for one type. The Unifi has a section called "Key Exchange Version" that allows you to select "IKEv1" or "IKEv2", possibly those relate. I have separated the different sections below.

In any case, I have already written up an extensive comparison between the options that the Unifi router provides and the options that my client's questionnaire provides, but before I triple the size of this post, I was wondering whether anyone has experience with Ubiquiti routers and knows whether it is advisable to go with that route.

If anyone wants to read a writeup of all the options available in the Ubiquiti compared to the options that my client's IT department provides, I can post it immediately!



Followup: UDP Broadcast forwarding

I originally asked a question about a month ago regarding forwarding broadcast traffic across a firewall and it was determined that this was not a feasible or recommended option.

https://www.reddit.com/r/networking/comments/8xggdi/udp_broadcast_forwarding_through_an_asa_firewall/

Because the hardware/software involved in this project is proprietary and ancient, we are trying another route that I hope will be successful, but I would like some advice regarding this configuration.

We have 3 VLANs, let's call them VLAN 101, 102, and 103. VLANs 101 and 102 are considered more critical and are on the "inside" of our firewall with no direct outside access. VLAN 103 is a DMZ on the "outside" of our firewall. All three have direct connections to the firewall. We have broadcast traffic on VLAN 101 that needs to get to a computer on VLAN 103. As a proof of concept, we installed a Cisco router between VLAN 101 and VLAN 103 and used the ip helper command to convert the broadcast stream into a unicast stream. This was successful, but by doing this we have now made our router an access point into our critical networks.

I would like to move the router behind the firewall and use ACLs on the firewall to direct traffic to this 103 VLAN. What I wanted to propose was putting a router between VLANs 101 and 102, use ip helper to send a unicast stream to a VLAN 102 address, and then use a NAT and an access rule to get that traffic across the firewall. So in summary,

VLAN 101 broadcast --> VLAN 102 unicast --> VLAN 103 nat to 102 --> udp ACL.

Is this possible? Thanks



Can you set a static IP to a client machine from the router end?

I overheard a co-worker mention a vendor had set a static IP on the router for a client machine. It caught me off guard and made me think about it, but the only thing I can think of where you could do something like that would be to assign an IP based off of the MAC address.

Is something like this possible or even best practice if the client is set to DHCP?

I honestly feel dumb for asking this, but I can't recall ever doing something like this before. I've always set the static on the client end, never the router end.

edit: Clearly I answered my own question :( Back to feeling dumb

Thanks everyone!



New deployment. AC / AC Wave 2 / AX?

I am not seeing many clients with ac wave 2 chips nevermind ax. What is everyone else doing today in terms of new deployments? ac? ac wave 2? ax?



How Many People are Using White boxes?

Really curious whether this is now a mainstream effort or still fringe. Please share your experiences with white boxes and software-defined networking.



Can you use 10g SR SFPs with SMF patch cables or short runs (less than 100ft)?

I ask because I got a new 9300 and a stack of 2960Xs with 10G SR SFPs on both ends and the link is up using SMF patch cables. Granted, this is with them sitting right next to each other, but I just assumed the link wouldn't come up at all.

NAME: "TenGigabitEthernet2/0/1", DESCR: "SFP-10GBase-SR"
PID: SFP-10G-SR-S , VID: V01 , SN:

NAME: "TenGigabitEthernet1/0/1", DESCR: "SFP-10GBase-SR"
PID: SFP-10G-SR-S , VID: V01 , SN:

NAME: "Te1/1/5", DESCR: "SFP-10GBase-SR"
PID: SFP-10G-SR-S , VID: V01 , SN:

NAME: "Te1/1/6", DESCR: "SFP-10GBase-SR"
PID: SFP-10G-SR-S , VID: V01 , SN:

#show cdp neighbors
switch02344    Ten 1/1/6    146    S I    WS-C2960X    Ten 1/0/1
switch02344    Ten 1/1/5    155    S I    WS-C2960X    Ten 2/0/1


Took server offline, yet I can still ping its IP, is there any other explanation than a duplicate IP?

What is the best way to find a duplicate IP out there if so? On Zenmap I only find one host with this IP. What other possibility could there be if I physically unplugged this server from the network, yet still got ping replies from its static IP?



Mobile App Test Environment

So we have one PC set up as a server and that PC must talk to 6 others. That PC must also be available for HTTP requests from a cellphone. I was hoping there is a way to use a single router for this. I would like to do this without plugging the router into any network at all. Is this possible?



Toner/probe question: Why does the tone stop at the patch panel and not continue to the switch?

I'm new to this and recently got a Fluke Intellitone Pro 200. I noticed if I tone from the wall jack to the IDF/MDF the tone stops at the patch panel. I'm wondering why it doesn't continue down the cable from the patch panel to the switch. Also if I connect a cable straight from the tone generator to the switch, I don't hear a tone on the cable. The switches are PoE. Just wondering how it all works.



Does the degree matter when trying to enter the networking field?

I am close to graduating with an associate's degree in computer information systems, but I'm considering transferring and getting my degree in computer networking. The classes for both are similar, but I'm wondering whether, with CompTIA certifications and getting my CCNA, a CIS degree would be well warranted.



Anyone use a Cradlepoint for failover with a Juniper SRX?

Got a few questions if you wouldn't mind assisting. I plan to use the Cradlepoint for cellular failover; however, I'm trying to get a clear understanding of its "IP Passthrough mode".

I'm assigned a static IP from my ISP through my cable modem. I set a static default route to the gateway on my SRX (all fine and dandy).

Now, according to Cradlepoint's tech website, their IP Passthrough mode would allow me to use the cellular WAN IP mimicked onto my SRX (so I can use RPM/IP monitoring to fail over).

However, I'm getting competing info on whether I set my interface to DHCP or manually assign myself the Static IP cellular info. Anybody have any thoughts?



Problems with some Cisco 1850 Mobility Express APs

Hi there! At my workplace we have 2x Cisco AP1852 (Mobility Express) and 3x Cisco CAP3602 as CAPWAPs connected to the virtual controller provided by the 1850s (so no dedicated appliance controller here).

Problem: when there are more people in the office (about 70 distributed across all the APs), the clients connected to the 1850 lose connectivity multiple times per day :( The clients drop and then reconnect to the closest AP. I can't find the reason... Halp!

Here are the Logs from when it happened just now:

Controller:

*spamApTask0: Aug 09 17:08:56.559: %LWAPP-3-REPLAY_ERR: spam_lrad.c:44908 The system has received replay error on slot 0, WLAN ID 1, count 2 from AP 20:3a:07:48:32:30

*apfMsConnTask_0: Aug 09 17:06:56.945: %APF-3-ASSOC_REQ_FAILED: apf_80211.c:9606 Ignoring 802.11 assoc request from mobile 60:36:dd:b9:6b:12 Since Dot11Radio 0 is not Enabled for AP:APPTL101 MAC:dc:ce:c1:23:3d:c0

*apfMsConnTask_0: Aug 09 17:06:56.934: %APF-3-ASSOC_REQ_FAILED: apf_80211.c:9606 Ignoring 802.11 assoc request from mobile e4:a7:a0:7d:a0:9b Since Dot11Radio 1 is not Enabled for AP:APPTL102 MAC:dc:ce:c1:23:48:a0

AP:

Aug 9 17:06:56 kernel: [*08/09/2018 16:06:56.5066] DOT11_DRV[0]: Stop Radio0

Aug 9 17:06:56 kernel: [*08/09/2018 16:06:56.5966] DOT11_DRV[1]: Stop Radio1

Aug 9 17:06:56 kernel: [*08/09/2018 16:06:56.6866] DOT11_DRV[0]: Start Radio0

Aug 9 17:06:56 kernel: [*08/09/2018 16:06:56.8165] DOT11_DRV[1]: Start Radio1

Aug 9 17:06:56 kernel: [*08/09/2018 16:06:56.8565] ol_if_dfs_enable: called

Aug 9 17:06:56 kernel: [*08/09/2018 16:06:56.8565] ieee80211_dfs_cac_start CAC Still Valid. Skip CAC

Aug 9 17:06:56 kernel: [*08/09/2018 16:06:56.9065] ol_if_dfs_enable: called

Aug 9 17:06:57 kernel: [*08/09/2018 16:06:57.1564] ol_if_dfs_enable: called

Controller Version: 8.5.131.0

Regards, John
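A small parser for exactly the controller and AP lines quoted above, as an added example that is not part of the original post: it pulls the structured fields out of each message, counts association rejections per AP and radio, and pairs each "Stop RadioN" with its "Start RadioN" to measure how long the radio was actually down (the embedded sample lines are copied from the post; nothing else is assumed).

```python
"""Parse Cisco WLC / AP syslog lines and correlate radio restarts with
association failures.

Added example, not from the original post. Input is the controller and AP
output quoted above, embedded here as sample data.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Controller line: "*task: Mon DD HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: text"
WLC_RE = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+): "
    r"%(?P<msg>[A-Z0-9]+-\d-[A-Z_]+): (?P<text>.*)$"
)
# Detail of an APF-3-ASSOC_REQ_FAILED message.
ASSOC_RE = re.compile(
    r"assoc request from mobile (?P<client>[0-9a-f:]{17}) Since Dot11Radio "
    r"(?P<radio>\d) is not Enabled for AP:(?P<ap>\S+) MAC:(?P<apmac>[0-9a-f:]{17})"
)
# AP kernel line: "... kernel: [*MM/DD/YYYY HH:MM:SS.ffff] DOT11_DRV[n]: Stop Radion"
AP_RADIO_RE = re.compile(
    r"kernel: \[\*(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+)\] "
    r"DOT11_DRV\[\d\]: (?P<action>Stop|Start) Radio(?P<radio>\d)$"
)


def parse_wlc_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one controller line, or None if it does not match."""
    m = WLC_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    detail = ASSOC_RE.search(rec["text"])
    if detail:                      # add client / AP / radio for assoc failures
        rec.update(detail.groupdict())
    return rec


def assoc_failures_by_ap(lines: List[str]) -> Counter:
    """Count APF-3-ASSOC_REQ_FAILED events per (AP name, radio slot)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_wlc_line(line)
        if rec and rec["msg"] == "APF-3-ASSOC_REQ_FAILED" and "ap" in rec:
            counts[(rec["ap"], int(rec["radio"]))] += 1
    return counts


def radio_restart_windows(lines: List[str]) -> List[Tuple[int, float]]:
    """Pair each 'Stop RadioN' with the next 'Start RadioN' on the same radio.

    Returns (radio, downtime_ms) per restart. A Stop that never sees a Start
    is reported with downtime -1.0 so a radio that stayed down is not lost.
    """
    pending: Dict[int, datetime] = {}
    windows: List[Tuple[int, float]] = []
    for line in lines:
        m = AP_RADIO_RE.search(line.strip())
        if not m:
            continue
        radio = int(m["radio"])
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f")
        if m["action"] == "Stop":
            pending[radio] = ts
        elif radio in pending:
            micros = (ts - pending.pop(radio)) // timedelta(microseconds=1)
            windows.append((radio, micros / 1000))
    windows += [(r, -1.0) for r in sorted(pending)]
    return windows


# Sample input copied from the post above.
SAMPLE_WLC = [
    "*spamApTask0: Aug 09 17:08:56.559: %LWAPP-3-REPLAY_ERR: spam_lrad.c:44908 The system has received replay error on slot 0, WLAN ID 1, count 2 from AP 20:3a:07:48:32:30",
    "*apfMsConnTask_0: Aug 09 17:06:56.945: %APF-3-ASSOC_REQ_FAILED: apf_80211.c:9606 Ignoring 802.11 assoc request from mobile 60:36:dd:b9:6b:12 Since Dot11Radio 0 is not Enabled for AP:APPTL101 MAC:dc:ce:c1:23:3d:c0",
    "*apfMsConnTask_0: Aug 09 17:06:56.934: %APF-3-ASSOC_REQ_FAILED: apf_80211.c:9606 Ignoring 802.11 assoc request from mobile e4:a7:a0:7d:a0:9b Since Dot11Radio 1 is not Enabled for AP:APPTL102 MAC:dc:ce:c1:23:48:a0",
]
SAMPLE_AP = [
    "Aug 9 17:06:56 kernel: [*08/09/2018 16:06:56.5066] DOT11_DRV[0]: Stop Radio0",
    "Aug 9 17:06:56 kernel: [*08/09/2018 16:06:56.5966] DOT11_DRV[1]: Stop Radio1",
    "Aug 9 17:06:56 kernel: [*08/09/2018 16:06:56.6866] DOT11_DRV[0]: Start Radio0",
    "Aug 9 17:06:56 kernel: [*08/09/2018 16:06:56.8165] DOT11_DRV[1]: Start Radio1",
    "Aug 9 17:06:56 kernel: [*08/09/2018 16:06:56.8565] ol_if_dfs_enable: called",
]

if __name__ == "__main__":
    for (ap, radio), n in sorted(assoc_failures_by_ap(SAMPLE_WLC).items()):
        print(f"{ap} radio {radio}: {n} assoc request(s) rejected while radio down")
    for radio, ms in radio_restart_windows(SAMPLE_AP):
        print(f"radio {radio} restarted, down for {ms} ms")
```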



Cisco & Arista VLAN / Config help

TL;DR: Hosts don't communicate at 10gb speed when on the same VLAN and connected to a 10gb switch. Arista has to be set to dot1q-tunnel for Cisco VLANs to work.

Forgive my basic level of networking - still learning, but I'm having problems with my lab's switch setup. As my L3 switch I've got a 3750E; my VLANs are defined here and shared to a second 3750E in my primary rack (via VTP). This 3750E is connected to an Arista 7050QX-32 which provides 10gb (and some 40gb) uplinks to my servers. My upstream router is a Ubiquiti EdgeRouter.

Problems:

  • Hosts don't seem to be able to talk to each other at anything more than 1gb speeds when on the same VLAN (verified using iperf3). I would assume that as the traffic doesn't need to be routed out of its subnet (by the L3 3750E) it should 'stay within the Arista' at its native speed?
  • The Arista has to be configured with the ports as 'dot1q-tunnel'; from my limited knowledge this is wrong? When setting them to 'switchport mode tunnel' my hosts are unable to access my LANs.

I've checked the network & interface assignments in ESXi and that is all correct, so I'm at a loss as to why I can't get more than 1gb speed.

Any help would be greatly appreciated.

Here are the configs for each switch (trimmed so I don't take up your entire screen):

Core L3: (I'm aware a few VLANs are missing IP addresses, but that shouldn't cause my issue.. should it?!)

version 15.0
switch 2 provision ws-c3750e-24td
system mtu routing 1500
ip routing
!
!
ip domain-name a.domain.com
cluster enable name-here 0
!
license boot level ipservices
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 no ip address
 no ip route-cache
 shutdown
!
interface GigabitEthernet2/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface TenGigabitEthernet2/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 10.11.0.2 255.255.255.0
!
interface Vlan22
 ip address 10.22.0.2 255.255.255.0
!
interface Vlan24
 no ip address
!
interface Vlan32
 ip address 10.32.0.2 255.255.255.0
!
interface Vlan33
 ip address 10.33.0.2 255.255.255.0
!
interface Vlan34
 description Lab
 no ip address
!
interface Vlan35
 description ASA_BUILD
 no ip address
!
interface Vlan36
 ip address 10.36.0.2 255.255.255.0
!
interface Vlan44
 ip address 10.44.0.2 255.255.255.0
!
interface Vlan55
 ip address 10.55.0.2 255.255.255.0
!
interface Vlan56
 ip address 10.56.0.2 255.255.255.0
!
interface Vlan66
 ip address 10.66.0.2 255.255.255.0
!
interface Vlan77
 ip address 10.77.0.2 255.255.255.0
!
interface Vlan88
 ip address 10.88.0.2 255.255.255.0
!
interface Vlan99
 ip address 10.99.0.2 255.255.255.0
!
ip default-gateway 10.11.0.1
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.11.0.1

Rack 3750E:

version 12.2
!
switch 3 provision ws-c3750e-48td
system mtu routing 1500
ip subnet-zero
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet3/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet3/0/14
 switchport access vlan 66
!
interface TenGigabitEthernet3/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 10.11.0.3 255.255.255.0
!

Arista:

! device: rack-40gb (DCS-7050QX-32, EOS-4.18.5M)
!
! boot system flash:/EOS-4.18.5M.swi
!
transceiver qsfp default-mode 4x10G
!
hostname rack-40gb
ip name-server vrf default 10.88.0.10
ip name-server vrf default 10.88.0.11
!
spanning-tree mode mstp
!
no aaa root
!
environment fan-speed override 50
!
clock timezone Europe/London
!
vlan 1
   name Native
!
vlan 22
   name vlan-22
!
vlan 32
   name vlan-32
!
vlan 33
   name UserLand
!
vlan 34
   name Lab
!
vlan 35
   name ASA_BUILD
!
vlan 36
   name vlan-36
!
vlan 44
   name vlan-44
!
vlan 55
   name Storage
!
vlan 56
   name Storage-SAN
!
vlan 66
   name OOB-Management
!
vlan 77
   name vlan-77
!
vlan 88
   name vlan-88
   trunk group 88
!
vlan 99
   name vlan-99
!
interface Ethernet1/1
   switchport trunk allowed vlan 1-100
   switchport mode dot1q-tunnel
   switchport trunk group 88
!
interface Ethernet25
   speed forced 40gfull
   switchport trunk allowed vlan 1-100
   switchport mode dot1q-tunnel
!
interface Management1
   ip address 10.11.0.4/24
!
ip route 0.0.0.0/0 10.11.0.1
!
no ip routing
!
end


How to use Route Maps to get traffic to the Internet

Diagram: https://imgur.com/a/J6qNYnN

Red text is default routes on those layer 3 switches, and blue text is vlan identifier.

We are evaluating a Palo Alto instead of our ASAs. I'm currently using a tap port to see our current traffic but I want to see some real traffic going through it as well. I have a network called IT Test hanging off to the right. Instead of the IT Test internet traffic going to the ASA, I'd like it to flow through the PAN but I'm having a hard time coming up with how to do that.

I don't want to prevent that network from talking to the rest of my internal network, but I do want 'any' destination traffic to head out to the internet via the palo alto. The only ways I can think of doing this is via Route Maps or VRFs and I'm not sure how to configure this properly.

4500-x

Int Vlan 272
 desc IT Test Network
 IP address 10.1.72.1 255.255.255.0
 ip policy route-map Send-To-Pan

Route-Map Send-To-Pan
 match ip address ITTest-To-Pan-Traffic
 set ip next-hop 10.40.0.163

ip access-list extended ITTest-To-Pan-Traffic
 10 deny 10.1.72.0 0.0.0.255 10.0.0.0 0.255.255.255
 20 deny 10.17.72.0 0.0.0.255 172.16.0.0 0.15.255.255
 30 deny 10.17.72.0 0.0.0.255 192.168.0.0 0.0.255.255
 40 permit 10.17.72.0 0.0.0.255 any

There are several issues I see with this.

  1. Putting a next hop like that skips the 6513, and it's not directly connected, so that might not work.
  2. I don't know that using a 'deny' statement on the route map actually fixes continuing to allow that network to talk to the rest of the internal network (especially 10.x.x.x).

Do I need to put the route map on the 6513 even though the SVI for that network lives on the 4500?

I don't even know if route maps are the right way to do this. Is a VRF a better/cleaner way? If I did a VRF for this network, would I have to run a new cable from the 6513 over to the 4500 to assign the VRF to a new interface?



ASA 5506 As Router Vs Managed Switch

Hey,

I'm trying to convince our company to get a managed switch for our locations vs having the ASA 5506 do all the routing.

Though - I'm having difficulty finding the benefits of a managed switch vs the ASA aside from the fact that the switch will be able to do PoE.

We're going to be running VoIP/IP cameras soon at the locations and I have no ports available on the firewall, so they want to run unmanaged dummy PoE switches :/ (think neat gear etc..)

ASA & Managed Switch can do both of the below:

  • QoS
  • "VLANs"

Switch Benefits:

  • Possible bandwidth priority to certain VLANs
  • Limiting bandwidth on certain ports
  • PoE



Juniper: BFD logging to remote syslog server

I am currently setting up BFD (for IS-IS) on select links in my network. I'm using ACX1100 routers.

We would like to receive syslog messages on my syslog server when a BFD state transition occurs, but I am having a hard time getting BFD state transitions sent to my syslog server.

I am currently doing the below:

system {
    ...
    syslog {
        ...
        host 172.x.x.x {
            authorization info;
            daemon any;
            source-address 10.x.x.x;
        }
    }
}
protocols {
    ...
    bfd {
        traceoptions {
            flag state;
        }
    }
}

I am receiving normal syslog messages (such as authorization attempts) at my syslog server, but nothing pertaining to BFD. I also tried logging BFD to a file just to see if messages are being logged at all, and I do see messages in the file.

Is anyone currently doing this? What am I doing wrong?



Improving performance of latency sensitive internet hosted application

The main LOB app my company uses is a client/server type application where the developer of said application provides all hosting of the back end in their datacenters, where we are hosted out of Chicago. They spin up a VM for each customer and size accordingly. We then install a client on our machine (a very fat .NET client) that makes calls over the internet to our instance in their datacenter. No data is cached locally in the client, everything is a request to the datacenter, from opening a full record, to changing screens within a record that load different field data.

Latency is the #1 enemy of this application, and I have offices all over the USA. My corporate office is in the Chicagoland area and average latency to the hosting DC is around 5ms, can't be more than 40-50 miles of fiber distance in this instance. My offices in California are generally 45-50ms depending on provider.

To give you an example on impact of more latency, the Chicago area office takes about 14s to open application, 4s to open a data record, and 2-4s to flip between different screens within the record. The west coast office times are 30s to open application, 13s to open a data record, and 2-6s to flip between different screens within the record.

I've been asked to "find a way to make the experience faster for the slower offices". I understand that I can't make light move faster, and that distance is always a factor. I can explore alternate internet providers for a given location to see if latency would go down due to better routing, reduced hop count, etc., but I would expect this to yield no more than a 5 ms improvement on average, maybe 10 ms if I was lucky. Would you concur?

Another thought is an MPLS/PNT type connection between west coast offices and my corporate office in Chicagoland, routing them over this link and out to the hosted DC. But, I don't know if this would yield any substantial performance improvement or not.

Next thought is an SD-WAN provider, to see if one of them can do some magic in their black boxes to reduce latency once traffic hits their cloud. Zero experience with any of these whatsoever though.

Last thought is standalone WAN optimization/acceleration gear (as opposed to SD-WAN offering it).

SD-WAN/WAN optimization seem like they could offer the most potential benefit, assuming this application proves friendly to that kind of optimization. Easy enough (relatively speaking) to vet that out I suppose.

Looking for feedback from those of you more experienced than me to suggest where I focus my efforts and prioritize my options.



Cleaning Up Mess - Subnet/VLAN question (X-POST /r/PFSENSE)

(X-POST on /r/PFSENSE - here )

I am fairly new to pfSense and have some questions.

Anyways here is my issue: someone didn't plan things well and I am trying to cleanup behind them. I am racking an environment and cleaning up a huge mess. Current setup looks like this:

Dedicated Fiber <-> Copper Handoff <-> 5 port switch (eth0)

5 Port Switch (eth1) >> Sonicwall >> Public IP xxx.xxx.xxx.146 / Private 192.168.1.1/24 >> LOCAL LAN

5 Port Switch (eth2) >> Netgear Home Router >> Public IP xxx.xxx.xxx.147 / Private 192.168.1.1/24 >> Forwarding 2 ports to 2 addresses for PBX

5 Port Switch (eth3) >> Linksys e1200 Home Router >> Public IP xxx.xxx.xxx.148 / Private 192.168.3.1/24 >> Forwarding various ports to NVR System

My problem as it appears to me is that the PBX and LAN are on the same private networks. I am waiting to hear back from the phone provider to see if they can push an update to the phones and move them to a different network and my life would be great. From others who have dealt with them I am told that they will want to come out and update every phone manually when I imagine they could push an update and I then just change the private network address. If this isn't an option am I stuck readdressing the entire LAN?

I am currently switching out the Sonicwall & home routers for a Supermicro 5018D-FN8T Xeon D, 16GB DDR4, and 256GB NVMe running pfSense; it has (6) 1 GbE & (2) 10 GbE SFP+ ports. Possibly getting rid of the copper hand off also, but that is another issue to be dealt with later. I will also have a Cisco SG300-52 (Layer 3 Managed Switch).

Would it be possible to have 2 identical subnets with different VLAN tags on different interfaces with pfSense?

Place on same subnet/vlan and 1:1NAT or Virtual IP map ports to internal PBX IP?

Readdressing the LAN won't be an option until the following weekend as this is a warehouse/retail and downtime is not an option.





IP Migration

We have 500-600 hosts in the HQ divided into 3 subnets. We are running out of IPs on one of the subnets. The bosses are urging a migration from 192.168.XX.XX/24 to 10.0.0.0. We also have 53 branch sites. Note that in HQ and branches, the computers are on static IPs.

I'm making a migration plan. Any tips on what to do first or anything? thanks

I'm the new guy in my company



For ITs working for Gambling Sites, how do you protect your sites? How do you Optimize the website loading speed in different countries? How do you reach countries from the other side of the world?

Basically, how do you run a gambling site successfully, on the networking side?

I know about Cloudflare, Incapsula, cloudfront, akamai. So for a gambling site, all you need is a good CDN, and ddos protection? Any more services needed?

Thanks guys!



Wednesday, August 8, 2018

Everybody wants to play *Rant Warning*

I'm in a team of 4 network admins. I'm the most senior network admin there with only 6 years in the field. I've been working for this company for all of my 6 years.

Size is around 3000 users + Public web services to somewhat large audience

70 remote sites

We have a large inventory of products to cover:

Fortigate

ASA

Pulse Secure

Nexus

load balancers

Catalyst switch

ISE

MSE

WLC

Physical infrastructure

I've inherited a clean network originally built by people who knew what they were doing. The network was much smaller at the time and had a lot fewer features. Now, it feels like it's slowly getting worse every day.

I've always told management we needed to split the work so each of us is responsible for certain types of equipment. This way I believe there would be a sense of responsibility and I wouldn't be responsible for other people's fuck-ups.

I've often been responsible for cleaning up other people's fuck-ups.

When shit hits the fan, they know who's going to solve the issue quickly. It takes quite some time to know all these different platforms well, and honestly it's very hard, almost impossible, to keep up to date with all of them.

Newcomers are often against the idea of being constrained to a certain area of work or expertise; they like to get their hands on everything. This tends to create a messy environment, lack of care, and yes... problems.

New admins get the keys to the kingdom really early on. Management thinks we should all be able to solve the issues efficiently on all this equipment (so they have redundancy if somebody leaves). In reality this dream never gets achieved.

We've never found someone in the job market that had experience other than Cisco Catalyst and routers. Newbies just want to learn, but they often are not very productive, and most often do not follow internal documented guidelines (this creates havoc in the firewall). I always feel like I've got to clean up behind them, because I'm going to be the one that gets asked to tshoot when things go sideways.

One of the guys has been practicing for his CCNP doing GNS3 75% of his job shift for the last year and a half. After the dude got told he wasn't hired to do GNS3 and saw his admin rights to his computer removed, he proceeded to do his labs on the production environment. Recently, he crashed all VPNs doing some kind of lab on the production environment. The guy still has trouble configuring an access switch properly...

I told management I wanted him gone, I wasn't going to deal with his shit again. But the guy is still there after a week. They seem to think there's a way they'll be able to recoup this guy.

FYI we have a full physical lab he didn't use, and there are plenty of jobs to be done. It's just that it seems like nobody wants to do what needs to get done; they just want to learn for their personal knowledge.

When there's a project like replacing a core switch, everybody wants to get their hands on the device; nobody wants to do the cabling inventory, physical planning, upgrade planning and documentation.

I've recently seen one of the big projects I've initiated, and done all the justifications and administrative work for, being pulled from under me by a newcomer without anyone letting me know. I'm making a decent pay there, and I'm not sure I could find something similar if I went somewhere else, but the environment I'm working in is very frustrating.

Management is quite deaf. I've spoken with them many times about this; they might tell me they are going to change things to keep me from leaving, but I doubt they will execute.

I've always been a team player, I've been in the army, people who were not pulling their own weight would get smoked. But at this place, very often, it seems like it's only going one way, no consequences, no hierarchy outside of management.

I plan on finalizing a couple of projects and start looking for something else, I'd like to avoid this type of environment in the future.

Any advice? Have you lived through something similar?



Hardware Firewall to block Traffic to IP Addresses of Porn Websites

Hello,

I've been tasked to set up our firewall to block based off IP addresses/ports. DNS (OpenDNS, Norton DNS) is not applicable, because the goal is to block the IP addresses of porn websites for our users.

I noticed that neither OpenDNS nor Norton provide a copy of the IP address list to download so that you can block via those, so I'm thinking I have to do:

nslookup pornwebsite1.com

nslookup pornwebsite2.com

and so forth on every porn website in order to build a list of IP Addresses.

Does anyone know if there is an IP address listing (NOT a domain name or DNS listing, but rather raw IP addresses) for all porn websites? This is a tough scenario, but the only way I know is to do name server lookups for every single IP address in the porn list.

Ideas?

The only crappy Idea I can think of is:

  1. Download the Badhosts list of porn from: http://www.hostsfile.org/hosts.html (actually the best and safest hosts file list, which includes i-porn, is this one: https://n0where.net/the-ultimate-hosts-blacklist ).
  2. Nslookup each domain name of the webserver list in that file
  3. Save and block each ip address manually as a firewall rule

Help?
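An added Python sketch of the three-step procedure above (not the poster's code): parse a hosts-style list, map each resolved address back to the domains behind it, and emit rules, with a check for addresses that also serve sites that must stay reachable. The hosts lines, DNS answers and site names are constructed stand-ins for the real list and for nslookup; iptables is just one possible rule syntax.

```python
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional, Set

SINKHOLES = {"0.0.0.0", "127.0.0.1"}

# Constructed sample in hosts-file format; the real lists linked above are far longer.
SAMPLE_HOSTS_FILE = """\
# hosts-style blocklist (constructed sample)
127.0.0.1 localhost
0.0.0.0 site-a.blocked.test
0.0.0.0 img.site-a.blocked.test   # trailing comment
0.0.0.0 site-b.blocked.test
0.0.0.0 site-a.blocked.test
"""

def parse_hosts_blocklist(text: str) -> Set[str]:
    """Step 1: domains the hosts file sinkholes (address 0.0.0.0 or 127.0.0.1),
    de-duplicated, ignoring comments, blank lines and 'localhost' itself."""
    domains: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] in SINKHOLES:
            domains.update(d.lower() for d in parts[1:] if d.lower() != "localhost")
    return domains

# Stand-in for the nslookup step. A real run would call socket.getaddrinfo, and
# the answers change over time (CDNs rotate addresses), so the output has to be
# regenerated regularly to stay accurate.
FAKE_DNS: Dict[str, List[str]] = {
    "site-a.blocked.test": ["203.0.113.10"],
    "img.site-a.blocked.test": ["198.51.100.7", "198.51.100.8"],
    "site-b.blocked.test": ["198.51.100.7"],
}
# Sites the business relies on, resolved the same way (constructed).
MUST_STAY_REACHABLE: Dict[str, List[str]] = {
    "vendor-portal.example.test": ["198.51.100.7"],   # shares a CDN address with a blocked site
    "payroll.example.test": ["192.0.2.44"],
}

def resolve_all(domains: Iterable[str],
                resolve: Callable[[str], Optional[List[str]]]) -> Dict[str, Set[str]]:
    """Step 2: resolve every domain and index the answers by address."""
    ip_to_domains: Dict[str, Set[str]] = defaultdict(set)
    for d in sorted(domains):
        for ip in resolve(d) or []:
            ip_to_domains[ip].add(d)
    return dict(ip_to_domains)

def collateral(ip_to_domains: Dict[str, Set[str]], keep: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Addresses that also serve something you must keep: an IP-level block there
    takes the legitimate site down as well."""
    shared: Dict[str, Set[str]] = defaultdict(set)
    for site, ips in keep.items():
        for ip in ips:
            if ip in ip_to_domains:
                shared[ip].add(site)
    return dict(shared)

def render_iptables(ip_to_domains: Dict[str, Set[str]], shared: Dict[str, Set[str]]) -> List[str]:
    """Step 3 as iptables rules, skipping shared addresses and recording the
    domains that justified each rule in the rule comment."""
    rules: List[str] = []
    for ip in sorted(ip_to_domains):
        if ip in shared:
            rules.append(f"# SKIPPED {ip}: also serves {', '.join(sorted(shared[ip]))}")
            continue
        why = ",".join(sorted(ip_to_domains[ip]))
        rules.append(f'iptables -A FORWARD -d {ip} -m comment --comment "{why}" -j DROP')
    return rules

if __name__ == "__main__":
    domains = parse_hosts_blocklist(SAMPLE_HOSTS_FILE)
    index = resolve_all(domains, FAKE_DNS.get)
    for rule in render_iptables(index, collateral(index, MUST_STAY_REACHABLE)):
        print(rule)
```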



Quick DHCP Snooping Question

I am studying for my CCNA Sec for my WGU Bachelor's program.

Anyway, I am using both CBT Nuggets and Chris Bryant's Udemy course to study but am confused about 1 aspect of DHCP snooping.

Do I have client ports as trusted? Keith and the Cisco whitepapers say no, however Chris' video says yes and he even does a lab wherein he shows that not having the client port trusted doesn't work.

It makes common sense to not have it trusted, otherwise the purpose seems to be defeated.
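An added Python model (not from the post or the courses it mentions) of the two snooping decisions behind the question: server-to-client DHCP messages are only accepted on trusted ports, and client-side sanity checks apply on untrusted ones. Port names, MACs and addresses are constructed; the second scenario shows what happens when nothing at all, not even the server-facing uplink, is trusted.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}

@dataclass
class DhcpMsg:
    in_port: str      # switch port the frame arrived on
    src_mac: str      # Ethernet source MAC of the frame
    chaddr: str       # client hardware address inside the DHCP payload
    kind: str         # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, ...
    yiaddr: str = ""  # address handed out (OFFER/ACK)
    vlan: int = 1

@dataclass
class SnoopingSwitch:
    """Simplified DHCP snooping: trusted ports face the real DHCP server
    (uplinks); client/access ports stay untrusted."""
    trusted: Set[str]
    bindings: Dict[str, Tuple[str, int, str]] = field(default_factory=dict)  # mac -> (ip, vlan, port)
    pending: Dict[str, Tuple[str, int]] = field(default_factory=dict)        # mac -> (port, vlan)
    log: List[str] = field(default_factory=list)

    def handle(self, m: DhcpMsg) -> str:
        untrusted = m.in_port not in self.trusted
        # 1. Server replies are only legal on trusted ports: a DHCP server
        #    (rogue or misplaced) on an access port is silenced here.
        if m.kind in SERVER_MSGS and untrusted:
            return self._drop(f"{m.kind} on untrusted {m.in_port}: server message from client side")
        # 2. On untrusted ports the DHCP chaddr must equal the frame's source MAC
        #    (a client spoofing many chaddr values cannot exhaust the pool).
        if untrusted and m.kind in CLIENT_MSGS and m.chaddr != m.src_mac:
            return self._drop(f"{m.kind} on {m.in_port}: chaddr {m.chaddr} != source {m.src_mac}")
        # 3. RELEASE/DECLINE from an untrusted port must come from the port that
        #    owns the binding, or one client could release a neighbour's lease.
        if untrusted and m.kind in {"RELEASE", "DECLINE"}:
            b = self.bindings.get(m.chaddr)
            if b is None or b[2] != m.in_port:
                return self._drop(f"{m.kind} on {m.in_port}: no matching binding")
        # Book-keeping: remember which port a client asked from; bind on ACK.
        if m.kind in {"DISCOVER", "REQUEST"} and untrusted:
            self.pending[m.chaddr] = (m.in_port, m.vlan)
        if m.kind == "ACK" and m.chaddr in self.pending:
            port, vlan = self.pending.pop(m.chaddr)
            self.bindings[m.chaddr] = (m.yiaddr, vlan, port)
        if m.kind == "RELEASE":
            self.bindings.pop(m.chaddr, None)
        self.log.append(f"FORWARD {m.kind} on {m.in_port}")
        return "forward"

    def _drop(self, why: str) -> str:
        self.log.append("DROP " + why)
        return "drop"

# Constructed addresses for the scenarios below.
CLIENT = "00:11:22:33:44:55"
SERVER = "aa:bb:cc:dd:ee:01"
ROGUE = "de:ad:be:ef:00:02"

def lease_exchange(sw: SnoopingSwitch, uplink: str, client_port: str) -> List[str]:
    """Normal DORA exchange, plus a rogue OFFER arriving from another access port."""
    return [
        sw.handle(DhcpMsg(client_port, CLIENT, CLIENT, "DISCOVER")),
        sw.handle(DhcpMsg("Gi0/2", ROGUE, CLIENT, "OFFER", yiaddr="192.168.99.9")),  # rogue server
        sw.handle(DhcpMsg(uplink, SERVER, CLIENT, "OFFER", yiaddr="192.168.1.50")),
        sw.handle(DhcpMsg(client_port, CLIENT, CLIENT, "REQUEST")),
        sw.handle(DhcpMsg(uplink, SERVER, CLIENT, "ACK", yiaddr="192.168.1.50")),
    ]

def scenario_uplink_trusted() -> Tuple[List[str], dict]:
    """Intended design: only the server-facing uplink is trusted, client ports are not."""
    sw = SnoopingSwitch(trusted={"Gi0/24"})
    return lease_exchange(sw, "Gi0/24", "Gi0/1"), sw.bindings

def scenario_nothing_trusted() -> Tuple[List[str], dict]:
    """Misconfiguration: no trusted port at all, so even the real server's
    OFFER/ACK are dropped and the client never completes a lease."""
    sw = SnoopingSwitch(trusted=set())
    return lease_exchange(sw, "Gi0/24", "Gi0/1"), sw.bindings

if __name__ == "__main__":
    for name, scenario in (("uplink trusted", scenario_uplink_trusted),
                           ("nothing trusted", scenario_nothing_trusted)):
        results, bindings = scenario()
        print(name, results, bindings)
```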



Testing ports on remote hardware

So there is this industrial widget connected to a computer.

The widget is assigned to 192.168.1.2. I want to attempt to see if communication is being blocked to it. Wireshark right now on a 3rd computer is not an option.

It is assigned to port ******. I forget if the port uses TCP, UDP or both.

The computer and the widget have a direct connection and no additional networking.

Ideally I'd run a script from the computer to test the port when I have a communication failure.

https://code.google.com/archive/p/paping/

Or could I use wireshark without the need of additional hardware.

The widget translates data from the computer to other devices. We are losing communication with all devices. Wiring, power supply, widget, devices and cabling have been replaced.

I suspect something else but have been tasked with testing the network to it. I'm by no means a network professional.
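An added, offline-runnable Python checker in the spirit of the paping link above (not something from the post): it reports whether a TCP handshake to the widget's port completes and classifies the UDP case separately, because UDP silence is inconclusive on its own. The host 192.168.1.2 is the poster's; the port is taken from the command line because the post masks it, and the 127.0.0.1 listener exists only so the checker can be exercised without the widget present.

```python
import socket
import sys
import threading
import time

def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a full TCP handshake to host:port completes within timeout.
    False separates 'no listener / path blocked' from an application-level
    problem on the widget, which would still accept the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:           # refused, timed out, unreachable, ...
        return False

def udp_probe(host: str, port: int, payload: bytes = b"\x00", timeout: float = 2.0) -> str:
    """UDP has no handshake, so classify instead of answering yes/no:
    'response'    - the service answered our datagram
    'refused'     - the OS surfaced an ICMP port unreachable (nothing listening)
    'no-response' - silence: open but quiet, filtered, or ICMP suppressed (inconclusive)"""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(payload)
            s.recv(2048)
            return "response"
        except (ConnectionRefusedError, ConnectionResetError):
            return "refused"
        except socket.timeout:
            return "no-response"

def probe_line(host: str, port: int, timeout: float = 2.0) -> str:
    """One timestamped result line, suitable for appending to a log file each
    time the widget's communication fails."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S")
    tcp = "open" if tcp_port_open(host, port, timeout) else "closed/blocked"
    return f"{stamp} {host}:{port} tcp={tcp} udp={udp_probe(host, port, timeout=timeout)}"

# --- constructed self-test helpers: let the checker run with no widget present ---
def start_local_listener() -> int:
    """Throwaway TCP listener on 127.0.0.1 (OS-chosen port); returns that port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def reserve_closed_port() -> int:
    """A port with no listener: bind to port 0 to learn a free port, then release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    # Real use on the computer wired to the widget:  python probe.py 192.168.1.2 <widget-port>
    if len(sys.argv) == 3:
        print(probe_line(sys.argv[1], int(sys.argv[2])))
    else:
        print(probe_line("127.0.0.1", start_local_listener(), timeout=1.0))
        print(probe_line("127.0.0.1", reserve_closed_port(), timeout=1.0))
```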



Datacenter Layer 1 - do you do TOR switches or patch panels to a big fuckin switch?

This is the first time I've worked at a place that doesn't use TOR switches. Goddamn it is annoying.



Oddball question - Take home network box

OK, I've done this at a job before and just chucked everything into a cardboard box, but the person setting it up was familiar with the install procedure.

My boss and I are talking about setting up a portable box (akin to the loaner laptops of the old days) that has a silverpeak SD-wan box that would build tunnels and route automagically once it pulls a DHCP ip off the person's home network (I've done THIS bit about 300x....so I know it works well) and either a small POE switch and an aerohive AP connected to it, OR possibly one of the new Aerohive Atoms that plug into a wall socket - they are seriously pretty cool looking...

In my ideal world I'd have everything cabled and just have a "plug power here, plug network cable there" and bingo....corp wifi being broadcast at person's home.

We have lots of small remote offices where users are on VPN or since we are primarily cloud don't even need that much, and also have on-call or medical reasons working from home for extended periods and it would be nice to hand them a box with easy to follow "plug in here" directions. Executive easy :D

My issue is.... I need to find something easy and portable but won't invite mucking with cables. I wondered if anyone had ever set anything like this up or had suggestions?

I wanna buy a dremel and some old school metal lunchboxes, but boss is worried about wifi signal ;)



[Question] C9500-48Y4C-A StackWise Virtual?

Here is a simplified drawing of my current layout: https://imgur.com/a/KkZeyhh

We're upgrading our 2960-S access switches to 10G 2960-X switches in the coming months. We have a pair of 3850-12XS in a stack for our collapsed core. Unfortunately, the 3850s do not have the port density I need for all of the new 2960-Xs to have 10G uplinks. I could stack another 3850 in place, but we are growing to a point where we've decided to move to an actual aggregation switch model: the C9500. This would remove the old 3750-X from the picture entirely, and move all of our access switches directly to the 10G core.

Proposed setup: https://imgur.com/a/PmiPfjN

Our VAR informed us that the C9500 is equivalent to the 4500-X and did not stack like the old 3850. Instead they use a newer version of VSS: Stackwise Virtual. They also gave us a great deal on a pair of C9500-48Y4Cs -- they were even cheaper than the C9500-40X that I was originally looking at. UADP 3.0, more port density, 25G and 40/100G capable--so we have much more flexibility in the coming years... It all sounded great.

Let's jump to today. I've discovered that the high performance version of these C9500s are not currently capable of Stackwise Virtual. I read the datasheet on this switch and I must have just missed that the particular model we bought doesn't support it. So I've got a pair of these suckers soon to be shipped to our location that will not be capable of hardware stacking or Stackwise Virtual.

My question: Has anyone heard when we might be getting Stackwise Virtual on the high performance series of 9500? I have to imagine it's on the roadmap for these since the current versions already support it. Secondly, I would assume the only way I could hope to achieve ECMP on these 2960-Xs would be to use static routes on each of them? I'm just trying to come up with some way that I can have some hardware redundancy in our core until we get Stackwise Virtual on this model.



Nornir - a pure Python, pluggable, multi-threaded inventory management framework in the same vein as Ansible and Salt, written by David Barroso (NAPALM co-founder) and Kirk Byers (netmiko author)

Have yet to try it out, but looks promising!

https://github.com/nornir-automation/nornir

(disclosure: I am not affiliated with the project)



IPv6 Secondary address?

Hi,

Anyone here tried configuring a Secondary ipv6?

I'm using XR and there's no secondary command on IPv6.

(config-if)#ipv6 address 21:1:1:1::1/56 ?
  eui-64     Use eui-64 interface identifier
  route-tag  Route-tag to be associated with this address
  <cr>

Thanks



Junos port security

I have qfx and ex switches. I have port security configured for my access ports.

I configured it in the switch-port stanza. Basically just a sticky MAC and the action is shutdown.

The problem now is on xe-0/0/0, I'm not seeing any MAC entries. I have a server plugged into xe-0/0/0 and the interface terse shows up/down, but show interface xe-0/0/0 shows it is up. Even show ethernet-switching interface xe-0/0/0 states it is forwarding. I ran monitor traffic on xe-0/0/0 and I see an ARP from my server requesting the MAC for another device. But somehow, the switch is not reporting anything on the port and the interface terse shows it is up/down.

Any idea? Is this a bug in the switch firmware?



Local VLAN traffic

I have been troubleshooting this issue between our main VLAN (we'll call V1) and V4 which is the native. The 2 host devices (1 on V1 and 1 on V4) are not able to establish a TCP handshake.

This network is running on a Fortigate and the policies exist to allow all traffic over any port from V1 to V4. There is also a separate, but identical policy for V1 to V3 and the connectivity when testing the hosts from V1 to V3 works just fine.

Upon doing a pcap from the successful connectivity of the hosts from V1>V3 I am able to see a series of syn/psh/fin and their corresponding ack packets. The pcap from the failed handshake only shows a long list of syn packets sourced from both hosts to each other without any corresponding acks. So the conclusion I've come to is that the host on V4 is receiving the packets from the V1 host, but just not establishing a handshake and acknowledgments.

I'm sensing it might have something to do with V4 being the native or some other policy I am not catching somewhere. There are also no policies that allow any traffic into V1 initiated from any other VLAN, but as mentioned, traffic sourced from V1 to elsewhere allows bidirectional traffic once the handshake is established.

Thanks in advance for any suggestions!
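An added Python example (not from the post) that runs the same kind of analysis over constructed packet records shaped like a pcap export: it separates flows that completed a handshake from flows where SYNs were sent and nothing ever came back the other way, and counts SYN retransmissions. Hosts and ports are made up.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed packet records in the shape of a pcap export:
# (time, src, sport, dst, dport, tcp_flags) with flags as letters S/A/P/F/R.
V1_HOST, V3_HOST, V4_HOST = "10.1.1.10", "10.3.3.10", "10.4.4.10"

GOOD_FLOW = [  # V1 -> V3: handshake, data, teardown
    (0.000, V1_HOST, 50001, V3_HOST, 443, "S"),
    (0.001, V3_HOST, 443, V1_HOST, 50001, "SA"),
    (0.002, V1_HOST, 50001, V3_HOST, 443, "A"),
    (0.003, V1_HOST, 50001, V3_HOST, 443, "PA"),
    (0.004, V3_HOST, 443, V1_HOST, 50001, "A"),
    (0.010, V1_HOST, 50001, V3_HOST, 443, "FA"),
    (0.011, V3_HOST, 443, V1_HOST, 50001, "FA"),
    (0.012, V1_HOST, 50001, V3_HOST, 443, "A"),
]
BAD_FLOWS = [  # V1 <-> V4: both hosts keep retransmitting SYNs, neither is ever answered
    (0.000, V1_HOST, 50002, V4_HOST, 445, "S"),
    (1.000, V1_HOST, 50002, V4_HOST, 445, "S"),
    (3.000, V1_HOST, 50002, V4_HOST, 445, "S"),
    (0.500, V4_HOST, 50777, V1_HOST, 445, "S"),
    (1.500, V4_HOST, 50777, V1_HOST, 445, "S"),
]

def flow_key(src: str, sport: int, dst: str, dport: int) -> tuple:
    """Direction-agnostic key so both halves of a conversation land in one flow."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def classify_flows(packets: List[tuple]) -> Dict[tuple, dict]:
    """Per flow: counts of SYN / SYN-ACK / other ACK packets, whether any packet
    travelled in the reverse direction, and a verdict."""
    st = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0,
                              "initiator": None, "other_dir": False})
    for _, src, sport, dst, dport, flags in packets:
        s = st[flow_key(src, sport, dst, dport)]
        if s["initiator"] is None:
            s["initiator"] = (src, sport)
        elif (src, sport) != s["initiator"]:
            s["other_dir"] = True
        if "S" in flags and "A" in flags:
            s["synack"] += 1
        elif "S" in flags:
            s["syn"] += 1
        elif "A" in flags:
            s["ack"] += 1
    out = {}
    for k, s in st.items():
        if s["synack"] and s["ack"]:
            verdict = "handshake-completed"
        elif s["syn"] and not s["other_dir"]:
            verdict = "syn-only-no-reply"   # peer silent: not reached, or its reply never came back
        else:
            verdict = "partial"
        out[k] = {"verdict": verdict, "syn_retransmits": max(s["syn"] - 1, 0), **s}
    return out

def one_way_flows(packets: List[tuple]) -> List[tuple]:
    """Flows seen in only one direction: the symptom described in the post."""
    return sorted(k for k, v in classify_flows(packets).items() if not v["other_dir"])

if __name__ == "__main__":
    for key, info in classify_flows(GOOD_FLOW + BAD_FLOWS).items():
        print(key, info["verdict"], "syn retransmits:", info["syn_retransmits"])
```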



New WPA2 crack

I have not seen anyone post about this but this looks to be a big deal to me.

https://hashcat.net/forum/thread-7717.html



Fiber vs Copper uplink

Setting aside distance, why do most setups have fiber uplinks between switches rather than copper? Is there somehow better throughput via fiber? Fiber and SFPs are more expensive and I just don't understand the rationale there.

Assume uplinks are all 1G



New attack on wpa /wpa2 makes it even easier to crack



BGP, two Cisco routers, two Cisco Meraki firewalls, and two separate lines from our ISP. Could use help.

You guys have helped me a lot in the past, but I'm on a difficult task now that I could really use some help on. This is a fun one.

To start this off, I'll provide a brief history with what my company is trying to do for link and device failover.

A long time ago we had two Cisco 1921 routers. We deprecated those and got a single Cisco Meraki MX100. We later bought a second MX100 that we were hoping to configure in a warm spare configuration. This is somewhat easy with one line and enough private IP addresses in a subnet (one IP for each router and one IP for the virtual link). And if the main MX100 fails, we could just plug in the line from our ISP into the second MX100. (I think)

But we now have two completely separate lines from our ISP that go to two different places in the state. Effectively, it's like having two different ISPs.

For maximum load balancing, this is the path we'll most likely go on:

First, configuring our two Cisco 1921 routers, each with its own line from the different locations. Our ISP wants us to use BGP on each router so if one link goes down, it'll automatically switch to the other link.

From there, we'll configure the two 1921 routers to connect to each other via iBGP. Then we'll use three IP addresses for the two routers. Two for the routers, and one for the virtual link.

We go on to naturally connect those 1921 routers to our two Cisco Merakis in a warm spare configuration. In theory, if one 1921 router goes down, we have an extra. If a Meraki goes down we have spare. If a link goes down, we have another. This is all for making sure we have little down time if a device or link goes down.

So here's what I think we need: 6 IP addresses from our ISP (3 on 2 different subnets. 3 for the 2 Cisco 1921 routers and 3 for 2 Cisco Meraki firewalls), and AS numbers for each BGP connection (including the iBGP connection).

This is all theory-crafting at the time, but does all this make sense? This is my first time configuring anything quite like this or working with BGP (or really any dynamic routing protocol for that matter), so sometimes it's difficult to wrap my head around.

Does anyone have suggestions on what we could do? Would this even work? Do I theoretically have everything I need? Could just use some help theory-crafting and getting ideas from people who are much more experienced than myself. Any help is appreciated.

tl;dr I have two Cisco routers, two Cisco Meraki firewalls, and two separate lines from our ISP. The two lines each need to have BGP configured. I need to configure all of this into a failover setup so if one single thing fails, it will all still work with minimal down time.



Force10 MXL 10/40GbE management IP external access unstable

Hi,

We're using a stack of Force10 MXL 10/40GbE mezzanines on a Dell PowerEdge M1000E blade enclosure, which are linked to a stack of Dell N3024 managed switches.

In this setup, the N3024 stack is linked to both the M1000E CMC controllers via Ethernet and with the MXL stack using the N3024 10 GbE rear IO cards.

The MXL stack works great with the N3024 stack, but we're having an issue related to the MXL management interface since the initial setup, in 2015.

When we try to connect to the MXL management IP using SSH, it works one third of the time... and the connection is not stable and does not work for more than 30 seconds... It's not a big issue, since we can connect to it using the CMC internal bridge whenever we need it, which works great.

SNMP is configured on the MXL stack and, you guessed it, it does respond one third of the time... which isn't very practical for monitoring purposes...

The three components (CMC controllers, MXL switches, N3024 switches) have the latest firmware installed (as of August 3rd 2018).

Earlier this week, I investigated the issue and noticed that when I log in to the MXL using the CMC bridge, and then ping an IP address, the management IP responds correctly and remains stable for minutes... until the ping stops...

Here's our MXL configuration for the management interface:

interface ManagementEthernet 0/0
 ip address 10.255.254.31/23
 no shutdown
!
management route 0.0.0.0/0 10.255.254.1
!

In addition, if we connect using SSH to the Dell N3024 switches, the MXL can always be pinged/SSH connected/SNMP probed without issues.

We don't know where to begin searching...



Router recommendation for simultaneous Client Mode and Access Point

Hi,

I'm looking for a router which has the capability of acting as a wireless client to one SSID and also broadcasting its own SSID with its own DHCP subnet.

The one router I have is currently doing this as it has 2 radios, 2.4 GHz and 5 GHz. It uses 1 radio as a client and the other for the AP, but it can then only connect as a client to a 2.4 GHz network and distribute a 5 GHz AP.

Are there any routers out there anyone can recommend that have this functionality? Are dual radios required and can I get around the frequency band limitation?

The reason I want to do this is because I want the devices connected wirelessly to the router (acting as client and AP) to be hidden from the main router - hence the need for separate subnet, but via a wireless connection.

Thanks for any help.



Policy maps and TCP traffic - limiting ACKs?

I need a sanity check on this. Update- platform is Cisco ASA

  • ACL: permit tcp any any
  • Class Map: match ACL
  • Policy Map: use class map, police outbound traffic to 2Mbps
  • Service Policy: use policy map, applied to outside interface

This should limit all outbound TCP traffic on that interface to 2Mbps, which it is doing successfully. Problem is that somehow it's also limiting inbound traffic to 2Mbps. Vendor told me that this is happening because inbound TCP ACKs are being limited. If that's the case, I would expect that 2Mbps worth of inbound ACKs would equal a larger amount of overall outbound traffic. I don't have any data/numbers to support this, just my gut.

Curious to see everyone's thoughts.



loss of bidirectional communication?

Hi Guys,

I just want to hear your thoughts about this.

Issue: I cannot ping the next-hop address but I can learn the MAC address of the next hop.

Topology:

Provider(PE)-----(Partner)-----(CE)Customer

PE# show arp
10.2.2.1   -          e0ac.f163.bb5e  Interface  ARPA  TenGigE0/0/2/2.8
10.2.2.6   00:00:18   ecbd.1d8b.aca1  Dynamic    ARPA  TenGigE0/0/2/2.8   <-- CE MAC address/IP

So if I can learn its MAC address, this means "RX" is working (I know how to reach the next hop),

PE TX---------------X------------- RX CE

RX------------------------------ TX CE

Now, is there any possibility that the reply from the CE has an issue? In this case do you think they can or cannot resolve our MAC/IP from the CE side?

In case of a UDLD issue, should both sides be able to learn its MAC address?

Let's exclude the filtering/acl/fw on this scenario because there is none.

Thank you



jperf/iperf representative file

So basically what I'm trying to understand is how the representative file works and what the differences are between using jperf to test throughput speed for a file and using network sharing over two Windows machines, i.e. will it show any huge difference and if so what are they and why?

If someone has experience with this please share with me I can't seem to wrap my head around it.

https://github.com/esnet/iperf/blob/master/docs/faq.rst

The bottom of the page has a tiny bit of info, and I know it works over the link layer but not much more than that.

edit: spelling



Dell EMC N1548 Switch stack and ShoreTel VoIP issues

Hi all

I've wasted hours trying to configure our Dell EMC N1548 Switch stack (sw ver. 6.5.1.3) to work with ShoreTel 230 handsets, so I'm hoping someone out there can help. Basically, handsets don't switch to the Voice VLAN, despite the config looking ok to me.

Setup:

Switch version:

stack_1#show ver

Switch version:
Machine Description............... Dell EMC Networking Switch
System Model ID................... N1548P
Machine Type...................... Dell EMC Networking N1548P
Serial Number..................... CN0MVV1J1111111R1111A00
Manufacturer...................... 0xbc00
Burned In MAC Address............. 1418.77F5.64B2
System Object ID.................. 1.3.6.1.4.1.674.10895.3066
SOC Version....................... BCM56150_A0
HW Version........................ 2
CPLD Version...................... 16
Image File........................ N1500v6.5.1.3
Software Capability............... Stack Limit = 4, VLAN Limit = 512

Our switches are fairly simple, in that we only have 2 VLANs: the Default (VLAN 1) and Voice (VLAN 2).

We have global voice vlan enabled:

switchport voice vlan 

Auto VoIP mode is not used:

stack_1#show switchport voice gigabitethernet 2/0/19

Interface   Auto VoIP Mode   Traffic Class
---------   --------------   -------------
Gi2/0/19    Disabled         6

(all other ports are the same)

IP Helper is configured globally and in the voice vlan:

ip helper-address 192.168.32.51
ip helper-address 192.168.32.52
...
interface vlan 2
 ip address 192.168.40.20 255.255.255.0
 ip helper-address 192.168.32.51
 ip helper-address 192.168.32.52
exit

Port config: (note that vlan 1 untagged and pvid vlan 1 does not show in the config as these are default)

switchport mode general
switchport general allowed vlan add 2 tagged
switchport voice vlan 2

DHCP is configured on Windows Server 2012r2 - each scope has this configured: (Data, Voice and TestData as mentioned below)

Option 156 "IP Phone Boot Server"

ftpservers=10.100.0.1, country=7, language=4, layer2tagging=1, vlanid=2 

The phone model I'm testing is the ShoreTel 230 (various handsets tried)

Symptoms:

The phone starts up, gets an IP in the VLAN1 range, then "Reconfigures" (meaning it tries to switch to VLAN2) and then it just sits waiting for DHCP forever.

I've noticed that the mac address table has two entries for this handset at this stage:

stack_1#show mac address-table interface gigabitethernet 2/0/19

Aging time is 300 Sec

Vlan   Mac Address       Type      Port
-----  ----------------  --------  ---------
1      0010.4946.196E    Dynamic   Gi2/0/19
2      0010.4946.196E    Dynamic   Gi2/0/19

Attempts:

At first I thought there might be an issue with the fact that we use the default (1) VLAN for data, so I created another VLAN (100), configured it to use the same ip-helpers and also created a new scope for the new VLAN.

The new config looks like this for the switchport (which brings it in-line with Dell's documentation):

stack_1#show running-config interface gi2/0/19
switchport mode general
switchport general pvid 100
switchport general allowed vlan add 100
switchport general allowed vlan add 2 tagged
switchport voice vlan 2

So, I reset the phone and tried again, but the same symptoms persist. The mac address table looks similar again (it gets an IP in vlan 100, then tries to switch to VLAN 2):

stack_1#show mac address-table interface gigabitethernet 2/0/19

Aging time is 300 Sec

Vlan   Mac Address       Type      Port
-----  ----------------  --------  ---------
2      0010.4946.196E    Dynamic   Gi2/0/19
100    0010.4946.196E    Dynamic   Gi2/0/19

So, please!

Is there any kind soul out there that can help me out of this problem, please? (Replacing these switches with Cisco or HP switches is not an option, just saying!)

edit: typo - Option 156 not 158; option configured for all scopes



Help newbie with routing issue

I'm testing a new setup.

Cisco Router interface 192.1.1.14

hp 2920 stack 172.16.1.253 (plugged into the Cisco router)

New hp 2920 switch 192.1.2.200 (plugged into the switch stack)

cisco router config:

interface GigabitEthernet0/0/1.1
 description DATA
 encapsulation dot1Q 1 native
 vrf forwarding 58
 ip address 192.1.1.14 255.255.255.0
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1.35
 encapsulation dot1Q 35
 vrf forwarding 58
 ip address 192.1.2.203 255.255.255.0
!
interface GigabitEthernet0/0/1.200
 description IP SIMPLE PHONE LAN
 encapsulation dot1Q 200
 vrf forwarding 58
 ip address 172.16.1.1 255.255.255.0
 ip virtual-reassembly

I can't seem to ping the new switch at 192.1.2.200.

Traceroute shows first hop at 192.1.1.14 and time out.