Saturday, October 6, 2018

Any recommendations for SOHO WiFi AP's?

I'm in a work-from-home office.

My house is wired with cat5, but I still need WiFi throughout a large property, for certain things.

I'm currently using 3 Apple Airports, which have provided coverage until now. But one Airport recently died, and whilst I would have bought another, it turns out Apple have ceased production.

So my next stop was to look at Google WiFi hubs, but after asking around in the GoogleWiFi subreddit, I've come to the conclusion these aren't best suited to my needs, for various reasons.

What else is there?

  • I'm a software developer, and I run a lot of servers on my LAN (both physical and virtual on VMWare ESXi server), my own DNS and DHCP etc.

  • Main edge router is a NetGate pfSense device, which I really like so far. I guess I'm kinda sitting somewhere between consumer and enterprise requirements.

  • I want to avoid Cisco devices, at least ones which don't have a web gui. I did have a Cisco enterprise router/firewall at one point using Cisco IOS, but it was just far too time consuming for me to get to grips with.

  • It's been suggested I look into Pakedge and Araknis devices, which I'm doing now and the Araknis gear looks useful. Any thoughts?

  • Finally, cost is not a deciding factor, but I'd like something not too cryptic to configure, and something which is pretty robust, performant, and with a well defined maintenance lifecycle. I.e. I don't mind splashing out a bit so long as it will do me for a good few years.

Any other recommendations (I'm UK if it matters)?

Thanks



How can I transfer data from one or several sensors connected to an Ethernet switch using DNSMasq rather than connecting directly to a computer?

Hopefully this is the right sub for this question as it deals with my work and will directly impact the design of our network. This sensor is normally plugged directly into the Ethernet port of a computer to transfer data. Here is a screenshot of the instructions that were included.

Usually I start DNSMasq and get the IP address of the sensor. So far I have attached 1 sensor to the port of my unmanaged Ethernet switch while the computer was attached to a different one. I took the address that was assigned to the PC and made it static. I then followed the instructions and made the dhcp-range variable reflect the range of the IP I was using (if that makes sense). After running the program I am not getting data.

I think my issue is that the IP I am grabbing is for eno1 which is the Ethernet NIC on my PC when what I really need is the IP of the sensor but I am not sure how I could find that.



Inter-vlan throughput question. 10GiG traffic between vlans. Diagram in comments

I'm trying to expand my routing knowledge. If I were to separate dissimilar services into different vlans I'm curious what the downside of throughput would be.

For example, if I were to separate storage from a vmware stack into different vlans.

Here is a diagram depicting a VMware stack on the right and a SAN on the left. VMs are stored on the SAN.

https://imgur.com/HywoKpc.png

Question: Would the throughput between the vmware stack and SAN still utilize the 10GiG data ports, or would the traffic bottleneck at the router?



Looking for a new network stack

Hey /r/networking,

I'm a sole admin for a 50 person development shop. We are currently running Cisco SG300s as our switches, with one of them in router mode doing all of our VLAN routing.

I've been finding them a bit of a bear to manage, especially as we start looking at implementing 802.1x. We also just had one die on us.

I'm also interested in building a pretty basic 10G backbone for interconnecting the access switches to the core, and 10G on our 6 or so hypervisors.

Additionally, we're soon replacing our sonicwall firewall and WAPs.

I've been researching Ubiquiti Unifi Switches and wondered what the professional networking folks take on them were. I've used their WAPs with success, but never their switches.

I'm looking for something with some central management, with 802.1x capability and easy to manage firewalling of the VLANs on the core switch. The only other brand I know well is Cisco, but I'm not up to date on the latest catalyst generation and whether it is a good fit for our use.

Is there a brand I'm not tracking that we should investigate?



Windows 10 VPN help

Hello to all. I'm attempting to create a VPN using Windows 10. I have it operating successfully between 2 desktops on my LAN. I am using a Cisco RV130W router. I have enabled all VPN passthrough. I got the WAN IP by typing "what's my IP" into Microsoft Edge, and then am attempting to use that to connect my laptop over a different internet connection.

My problem is when I attempt to log in from my laptop on a different network it won't connect. It keeps coming up with the error message:

"The network connection between your computer and the VPN server was interrupted. This can be caused by a problem in the VPN transmission and is commonly the result of internet latency or simply that your VPN has reached capacity. Please try to reconnect to this VPN server. If this problem persists, contact the VPN administrator and analyse the quality of connectivity."

I have signed out of the desktop client in case the issue was the username already being in use, but it is still the same.

Any help is appreciated thanks



Building a Network Troubleshooting Flow for upcoming interview. How do you expert troubleshooters do it? Best practices?

I applied for a new Network Support Engineer job where troubleshooting is a huge part of the interviews.

I need to look at this from a expert troubleshooter's eyes.

It will be heavily Cisco based.

I'm trying to close all the gaps and make sure I don't miss any holes.

Usually how I go about troubleshooting a potential connection issue with a network, I:

  • Check other websites to see if it's isolated or widespread.

  • Ping gateway(this points out if it's in your LAN) -> ping 8.8.8.8(this points out if it's your WAN) -> ping google.com(this points out that your DNS is not resolving)

  • Check nslookup if it's resolving properly.

  • ipconfig /all to see configs are correct.

  • To figure out the network, I tracert -d 8.8.8.8

Am I missing anything?

Now the problem will likely be in the LAN since it's Cisco based and a router or a switch will probably be misconfigured in Layer 2/3.

I'm not sure the proper flow for this, what I would do is:

  • tracert to gateway oops silly mistake here

  • Plug into console and log into switch/router

  • show running config/ip int brief and see anything suspicious such as a shut down port or misconfigured protocol, mismatched speeds/vpn keys

What else should I do to cover all my bases?

Thanks a lot! I really want this job and I don't want to look foolish in front of a panel of network engineers so I thought to ask.



How do you connect DC networks to a firewall?

For a while we've done a VRF on the DC (L3) switches, bound the VLAN interface in that VRF and then had a different VLAN&subnet that connects the VRF to firewall. We also use BGP between DC switches and FW.

However for smaller subnets this seems quite a lot of config, how do you do it? Assuming there is a need to firewall stuff. Just have the default gateway address on the firewall? Have static routes from server VRF to FW?



Best router under $1000 - unpopular opinion

I have purchased a Ubiquiti EdgeRouter 4 and have had a horrible experience with it for the past 2-3 months. I work in the network industry and had been looking for a router that does 1gb+ throughput, and I decided to go with the ER4 based on research, collective conversations and public opinion. I bought the full stack: 2 AC Pros, 1 48-port switch, 1 24-port PoE switch and 1 ER4 router.

Straight out of the box with no customization it was very fluid and easy to use; when I started using it in a more aggressive environment it just flopped. I thought maybe I was being a cynic due to working with Cisco equipment and its ease of use.

My buddy also bought one... sure enough he had problems with the ER4 straight out of the box: clunky GUI, wouldn't take a simple DHCP server config. After a few reboots he ended up bricking his router. He exchanged it for another one and had a little better luck, albeit the CLI was the best way to achieve any type of customization. We could have the exact same configs and it would work with one router and not the other.

That being said, I'm looking for 1gb+ throughput, hardware heavy, and full customization with OpenVPN, high bandwidth, 4 ports minimum, RADIUS capable, SD-WAN capable with bandwidth aggregation.



I need SFP cables. But I can't find any in my country. Will SFP+ cables work from an SFP+ port to an SFP port?

I'm in denmark



How do I switch between hosts in a switch?

Sorry if I'm posting in the wrong area. I'm watching a tutorial and he switches between Host 1 and Host 2 without explaining how he does it inside the switch.

Inside the switch he goes from Host 1 and tries to ping Host 2 but it won't, so he moves to Host 2 and tries to ping Host 1, but since they are in different VLANs they can't ping each other.



Trouble with S3 speed - what am I missing?

My org has a 1 Gb/s Internet circuit but for some reason when we use the AWS CLI to try to copy data to S3, the most we ever see is 4-5 MB/s. This seems really slow, so I'm trying to figure out what the deal is.

I've connected a PC as close to the WAN as possible to eliminate firewall limitations, etc and I get the same result.

The only thing between the ISP and my test PC is a Cisco 3945E router. The ISP delivers our circuit as single mode fiber, which is connected directly to a gig port on the 3945E, which advertises our /24 via BGP. Our /24 is addressed on another gig port on the router, which is connected to a switch and that switch is where I've connected my test PC. The router is the only layer 3 device between the test PC and the Internet.

I've looked at every port (router WAN, router LAN, switch port facing router, switch port facing test PC) and none are showing any errors or meaningful utilization. I've also looked at router and switch CPU / memory utilization and all are fine. The router is just doing straight routing, it's not doing NAT or any other services.

If I go to speedtest.net on the test PC, I'm seeing ~600 Mb/s up/down which is a little less than I'd expect, but is still way more than what I'm seeing to S3.

A traceroute to the S3 endpoint I'm hitting seems "normal" - there are 6 hops in my ISP's network before traffic is getting to AWS.

By way of comparison, from my home PC which has 1 Gb/s service through AT&T GigaPower, I'm seeing about 25 MB/s, which again is slower than I'd expect but still faster than what I'm seeing at work.

Is there anything else I should be checking to try to determine why our throughput to S3 is so slow?



Lag spikes

So we just got fibre, 50mbs up and down, and it works perfectly. We have a dual band router and I play through an extender on the 2.4 GHz network. I will jump (while playing on a Europe server) from 130ms to 300ms and then back. It causes a sudden freeze and resume which is really annoying. Any advice would be appreciated. Ethernet is not an option atm.



Looking for someone to interview

Hello /r/networking!

For one of my school assignments I am required to do an informational interview. I am looking to interview a networking tech. If you're interested please DM me. Thanks!



QoS bandwidth constraints on ingress

I understand I have no control over the ingress queue at the WAN edge, as packets arrive serially in whatever order (probably FIFO) my ISP sends them.

But surely I can mark and shape traffic on ingress, right? Right now I have a service-policy that sets various bandwidth percent values for classes of traffic. Of course this applies to WAN egress now.

If I applied it to ingress, would it have the same effect on bandwidth management, even without the benefits of queue management?



Network Addresses help

I'm getting a bit confused with the different addresses. So I get that IP address is for the internet protocol to locate the network and arp is used to translate it for the MAC address of an individual computer. So then what is the network and host address? Aren't they the same? Also what is the point of the subnet mask?(just to find network address?) Thanks for any help.



How are your test/QA setups network-wise?

With test I mean test as in "crash bang" test for new software on firewalls/switches and so on. We have kind of a debate when we are designing our new network. In one way we want the test environment to just have OOB mgmt access to the rest of the network, so we are able to copy/paste the config direct from the production firewall/network and run upgrade tests on them after changing the IP mgmt settings.

The problem with that is that it's getting a bit hard to test stuff that needs traffic (cut-over time during upgrades with traffic, L7 functions etc.); it's of course possible with some kind of NATing.

How are you handling this?



Gigabit Modem for VDSL Link (UK)

Hi all,

Deploying a Fortigate 30e to a remote office, office has a VDSL2+ connection at the 78mbps down rate. I have a 100mbps Netgear DM200 modem that worked just fine when they had the 36mbps connection. Now looking for a gigabit modem, don't need any other features at all, past the Draytek Vigor 130 I'm struggling to find anything suitable that isn't a business class internet gateway/hub/router. Or an older OpenReach modem that would need 'cracking' to get new VDSL credentials into it.

Thanks

CCL



Random thought

20 years in IT. One thing I love about networking as a career: it's one of the only IT jobs that still involves a tool belt. Not every day, but at least once a month.



Friday, October 5, 2018

Recursive Routing Next Hop Best Practices

Hi All, I recently learned about recursive static routing in my internetworking class at college. I understand that nowadays it is essentially a moot technology thanks to the wonders of dynamic routing, however I am curious as to a couple of things:

  1. Why is it against standards to set network addresses (as opposed to host addresses) as the next hop address in recursive routes? For example, if I have a fully defined route to 10.0.0.0/28 and the router for that subnet knows how to reach the 10.0.0.16/28 subnet; why is it standard practice to point a recursive route's next hop to the IP address of an interface on that router, and not to the .0/28 network address itself? I understand that the resolution process ends up with the network address anyway, but to me it just seems cleaner (from a routing table perspective) to point the next hop at the network address and let the fully defined route handle the rest.

  2. What is the best practice for defining multiple routes given the above assumption? Using the same example, if the 10.0.0.0/28 router also has a route to 10.0.0.32/28, is it preferred to point the next hop for the route to that subnet straight at the route to 10.0.0.0/28, or can the routes be chained together such that the route to .32/28 is pointed towards the route to .16/28 etc...? Again, to me this feels like a cleaner solution (albeit a slower one, which may be the answer to my own question), but as it breaks the rule I questioned before I am unsure as to which case should prevail.

I understand that these are exceptionally rudimentary questions, so I accept if this post is deleted for that; but I was intrigued as to why this was the standard explained to us by our professor as opposed to handling the routes in other ways.

Thanks!
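As an added illustration (not from the post or from the course it mentions), the following Python models how a router resolves a recursive static route: look the destination up, and if the matching route's next hop is not on a connected interface, look that up too, repeating until a connected route is reached. The tables are constructed from the post's example subnets; 10.0.0.2 is an assumed neighbour address, and the rule that a next hop must be a host address on the connected segment is the model's own, so the different ways of pointing the next hop can be compared side by side.

```python
import ipaddress

# Constructed routing tables for the scenario in the post (not the post's own
# config): this router sits on 10.0.0.0/28 via Gi0/0; 10.0.0.2 is the assumed
# neighbouring router that reaches 10.0.0.16/28 and 10.0.0.32/28. Entries are
# (prefix, next_hop, interface); interface is set only on connected routes.
CONNECTED = ("10.0.0.0/28", None, "Gi0/0")


def longest_match(table, addr):
    """Classic longest-prefix match over a list of (prefix, next_hop, iface)."""
    addr = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for prefix, nh, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, nh, iface), net.prefixlen
    return best


def resolve(table, dest, max_depth=8):
    """Resolve dest the way a router resolves a recursive route: look it up, and
    if the route's next hop is not on a connected interface, look the next hop
    up, until a connected route is reached.
    Returns (iface, adjacency_ip, lookups) or (None, reason, lookups)."""
    target, last_nh, seen, lookups = dest, None, set(), 0
    while lookups < max_depth:
        route = longest_match(table, target)
        lookups += 1
        if route is None:
            return None, "no route to %s" % target, lookups
        prefix, nh, iface = route
        if prefix in seen:
            return None, "recursion loop at %s" % prefix, lookups
        seen.add(prefix)
        if iface is not None:
            adj = ipaddress.ip_address(last_nh if last_nh is not None else target)
            net = ipaddress.ip_network(prefix)
            # Model rule: the adjacency must be a host on the connected segment;
            # the network or broadcast address is nothing the router can ARP for.
            if adj in (net.network_address, net.broadcast_address):
                return None, "next hop %s is not a host address" % adj, lookups
            return iface, str(adj), lookups
        last_nh, target = nh, nh
    return None, "depth %d exceeded" % max_depth, lookups


# 1. Next hops pointed at the neighbour's interface address (usual practice).
HOST_NH = [CONNECTED,
           ("10.0.0.16/28", "10.0.0.2", None),
           ("10.0.0.32/28", "10.0.0.2", None)]

# 2. The alternative from the post: next hop set to the .0/28 network address.
NET_NH = [CONNECTED,
          ("10.0.0.16/28", "10.0.0.0", None)]

# 3. Routes chained together: .32/28 points at the .16/28 network address,
#    whose route in turn points at the neighbour.
CHAINED = [CONNECTED,
           ("10.0.0.16/28", "10.0.0.2", None),
           ("10.0.0.32/28", "10.0.0.16", None)]

# 4. A route whose next hop lies inside its own prefix never terminates.
SELF_REF = [CONNECTED,
            ("10.0.0.16/28", "10.0.0.16", None)]

if __name__ == "__main__":
    for name, table in (("host next hop", HOST_NH), ("network next hop", NET_NH),
                        ("chained", CHAINED), ("self-referencing", SELF_REF)):
        print("%-18s %s %s" % (name, resolve(table, "10.0.0.20"),
                                resolve(table, "10.0.0.40")))
```

Running it shows the host-address form resolving in two lookups, the chained form needing three, the .0/28 network-address form ending at an address the router cannot ARP for, and the self-referencing route looping.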



Charter outage / bonding question

Most of today there was some sort of Charter/Spectrum outage around Atlanta, but the symptoms are kind of baffling.

Site J only has Charter, and has IPSec VPNs to sites D, C, and V. J is running pfSense - we upgraded it through several versions. The other sites are a mixture of pfSense versions and SRX versions. Until about 4AM this morning everything has worked for at least a year.

VPN from J to D was not interrupted at all.

VPN from J to V passed data until it needed to re-key, and then died. Packet captures show that IKE sent from V was not arriving at J.

VPN from J to C passed IKE and was able to re-key, but no data would flow. Packet captures show that ESP sent from C was not arriving at J, but IKE was.

So basically it was like Charter was filtering inbound traffic, in a random but consistent way - like some sort of header-based hash. Pings and tests from various other locations behaved similarly - some would work, some would not, but the same test always passed or always failed.

Is there some sort of LACP-like WAN link used at ISPs that can't recover if one of its paths has failed? At the end of the day there's nothing to do but wait for Charter to fix it, but I'd like to understand what's happening.
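Added example, not from the post: a toy model of per-flow hashing on a bundled link, to show the symptom described. A bundle (LACP or an ECMP pair) sends each flow down the member picked by a hash of its headers. ESP has no L4 ports, so IKE (UDP/500) and ESP between the same two addresses hash as different flows and can land on different members; if one member black-holes traffic without the bundle noticing, flows that hash to it always fail and the others always work. The hash (byte sum modulo member count) is a transparent stand-in for a vendor hash, and the addresses are documentation-range values chosen so the toy reproduces the pattern in the post; whether Charter's network actually did this is not something the post establishes.

```python
import struct
import ipaddress

# Toy model of per-flow load sharing over a bundled link. Every packet is sent on
# the member chosen by a hash of its header fields, so a flow always rides the
# same member. The hash (byte sum modulo member count) is a deliberately
# transparent stand-in for the vendor-specific function real hardware uses; the
# property shown does not depend on the exact function.

MEMBERS = 4


def flow_key(src, dst, proto, sport=None, dport=None):
    """The header fields a hash sees. ESP (IP protocol 50) carries no L4 ports,
    so only addresses and the protocol number contribute for it."""
    key = struct.pack("!4s4sB", ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed, proto)
    if sport is not None and dport is not None:
        key += struct.pack("!HH", sport, dport)
    return key


def member_for(key, n_members=MEMBERS):
    return sum(key) % n_members


def simulate(flows, dead, n_members=MEMBERS):
    """Return {name: (member, delivered)} when the members in `dead` silently
    black-hole traffic (no failure detection, so no rehash onto the others)."""
    result = {}
    for name, key in flows.items():
        member = member_for(key, n_members)
        result[name] = (member, member not in dead)
    return result


# Constructed addresses (documentation ranges, not the poster's real ones):
# J is the site behind the suspect link; D, V and C are its VPN peers.
J, D, V, C = "203.0.113.10", "198.51.100.39", "198.51.100.21", "192.0.2.33"

INBOUND_TO_J = {
    "D->J IKE": flow_key(D, J, 17, 500, 500),
    "D->J ESP": flow_key(D, J, 50),
    "V->J IKE": flow_key(V, J, 17, 500, 500),
    "V->J ESP": flow_key(V, J, 50),
    "C->J IKE": flow_key(C, J, 17, 500, 500),
    "C->J ESP": flow_key(C, J, 50),
}

if __name__ == "__main__":
    # Member 3 is the one that is dead without the bundle knowing.
    for name, (member, ok) in simulate(INBOUND_TO_J, dead={3}).items():
        print("%-9s member %d  %s" % (name, member, "delivered" if ok else "LOST"))
```

With member 3 dead the toy gives exactly the post's picture: both of D's flows pass, V's IKE is lost while its ESP passes, and C's IKE passes while its ESP is lost, each outcome being stable for as long as the member stays dead.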



Datacenter Structured Cabling Recommendations?

Are there any datacenter people here that can recommend fiber enclosures and MPO cassettes? We've played with some Corning, and while the quality is fantastic, the fact that the internal strands of their MPO cassettes are purposely crossed to avoid brand mix-match is a huge deal-breaker for us. We've also played with a little bit of fiberstore enclosures and while they attempt to mimic Corning design, the quality leaves much to be desired. What other brands are out there that do high-density structured cabling like this?

Decent price is always a factor, but the straight-forward patching of strands within MPO/MTP cassettes is a huge must.



Issue with downloading backup configs from 2 Cisco SG200-50s

Hey everyone,

I'm trying to download a copy of our startup config from 2 SG200-50 switches.

In the web interface, I go to do the backup via Administration > File Management > Download/backup configuration/log. I pick http/https, and the screen says copy finished, but the actual download fails.


I've tried it with IE and Chrome, and get the same thing.

Any ideas?



YouTube access now available!!

After almost 2 years of debate, I was finally assigned the ticket to allow YouTube access to all internal users!!!! The justification finally was accepted by management. Apparently, users kept saying "we need YouTube to do our job". Now to start monitoring traffic in SolarWinds. I'm getting ready to call CenturyLink for a circuit upgrade LOL

My coworker just popped a bottle of champagne

Didn't mean to waste space with this post, but just felt it was a good day for a lot of people.



ATTN: Chicago Networking Community - Pre-Sales Engineering opportunities

Hey Networking community -

I am on the Support team at Cisco Meraki and we are hiring for our teams! If anyone in the Chicago region is interested in making their way into the IT space, we are looking for a bilingual (Spanish/English) person with CCENT level knowledge - cert not required - to join Meraki as a Free Trial Adoption Engineer.

We are developing cutting edge, cloud networking technologies and our Chicago office just opened last month.

If you don't fit the description above, but love networking and want to know more about opportunities here, I am happy to help out - feel free to DM me.



Pingable IP address for full mesh VTI tunnels

Hello,

I'm trying to decide the best way to establish an address/subnet a customer can ping to ensure our virtual routers are available. This will be over a full mesh BGP set up between 2 of their sites with 2 of ours. I suggested the VTI interface on our side but they require an address beyond the tunnel interface. My current thought is creating a loopback and advertising a /32 on each router.

Thoughts/opinions?



VLAN sanity check (Meraki firewall to Netgear switch)

Hi all, first post here.

Just want a quick sanity check to make sure this will work (going to implement tomorrow).

What I want to achieve:

PCs piggybacking on the VoIP phones' uplink, operating on separate VLANs (I know the easy answer is run more cables or question why it wasn't scoped properly in the first place).

How I'm planning on achieving this:

  1. Create 2 separate VLANs (1 for data, 2 for VoIP) on the Meraki, trunk them both to the Netgear.
  2. Setup DHCP scope for VLAN 2 on the Meraki (VLAN 1's DHCP is handled by one of the DC's on that network).
  3. Allow untagged traffic on all ports via VLAN 1 and tag all ports to allow traffic via VLAN 2 (on Netgear)
  4. Setup VoIP phones to listen on VLAN 2
  5. Plugin PC to VoIP handset and pray it works.

Before you ask, the phones are all gigabit passthrough, so there shouldn't be any bandwidth issues. QoS/traffic shaping rules will be added in after, assuming the above works.

EDIT: Forgot to mention, leave PVID as 1.



How do I add an additional security group to a network interface in AWS?


Signage of broken console port, Cisco 2950

Good afternoon redditors,

So I've been having an issue with a switch I recently acquired; it would not give me a console output via a USB to console cable. So I tried different things like triple checking settings, making sure it was set correctly. Tried different baud rates and rebooted about a million times.

And eventually I got a console output for a bit, I was so happy!

Until... it turned into the following:

https://kanersps.pw/i/bbb7da91df

Just great...

After that it didn't give any more output, or anything at all, once I tried rebooting it.

Any tips, or just say the console port is broken?

Friendly greetings

Kane



Resetting HP Switch Passwords

I have a network of 7 x various HP ProCurve and HPE 1920 24 & 48 port switches throughout a building with static IPs set on them. I have their IP and MAC addresses and am able to access their web interfaces. Problem is they were all configured by a previous IT company and the information about their purchase and login information is lost.

I have found there is no reset or any kind of physical buttons or pins on the devices, just an RJ45 console port. I read an article on HP's website referencing a call-in line where you give them the MAC address and are able to get a one-time-use password; however HP support said they would not help me unless I knew who the authorized reseller of these switches was.

There are VLANs configured on these switches, which is why my goal is to reset the password without resetting the configuration. The way it looks I'm going to have to use PuTTY to connect via serial and run some commands; however nothing I've read is certain about what the process is for simply clearing the passwords.

Any tips are appreciated.



Sonicwall Firewall Rules

I have not worked much with SonicWalls and just inherited two of them at my new job. Can someone tell me if I am missing something, or does this firewall not restrict any outbound traffic generated on the LAN side? The rules on the LAN to WAN tab all say any source to any destination is allowed and there are no deny rules. Even if this thing had an implicit deny it would never be hit.

There isn't anything about SonicWalls that I am missing, is there, that would mean there are more restrictive rules somewhere else?

I just wanted to check in with you all before I go and ask WTF the vendor is doing.



TCP vs UDP ????

There are two types of Internet Protocol (IP) traffic. They are TCP or Transmission Control Protocol and UDP or User Datagram Protocol. TCP is connection oriented – once a connection is established, data can be sent bidirectionally. UDP is a simpler, connectionless Internet protocol. Multiple messages are sent as packets in chunks using UDP.

TCP vs UDP full details here



Monitor hits on specific ACL on ASA

I am trying to figure out what is hitting an acl on this ASA that we just took on. I am cleaning it up and there is one allow any any to any any on all IP rule at the bottom of inside int list that keeps getting a lot of hits. (it was at the top and I moved it to the bottom and it is still getting hits)

I have added in more specific rules for everything we believe we need so it should not be necessary.

I can see that it has an identifier similar to "0xa92XXXX" however I do not see it any of the logs nor others like it mentioned.

I have logging set to debug and capture while watching the hits go up on the acl.

I want to get rid of it and I would just take it out but my director wants me to verify what is hitting it first.

Any suggestions?
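As an added example (not from the post and not Cisco's code), here is a Python parser for %ASA-6-106100 messages, run over constructed sample lines. Two things matter when hunting for an ACE by its hash: 106100 is only generated for ACEs that carry the log keyword (an ACE without it just increments its hit counter silently), and the first value of the bracketed pair at the end of a 106100 line is the same hash that show access-list prints beside the ACE, so filtering on it isolates the flows that matched that line. The sample lines, addresses and ACL name below are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the %ASA-6-106100 format (not from the
# poster's ASA). The trailing bracketed pair is the ACE hash pair; the first
# value is the hash that `show access-list` prints beside each ACE. The final
# 106023 line is there only to show that other message IDs are ignored.
SAMPLE_LOG = """\
%ASA-6-106100: access-list inside_in permitted tcp inside/10.20.30.5(51234) -> outside/203.0.113.7(443) hit-cnt 1 first hit [0xa9212345, 0x0]
%ASA-6-106100: access-list inside_in permitted udp inside/10.20.30.9(40123) -> outside/198.51.100.53(53) hit-cnt 14 300-second interval [0xa9212345, 0x0]
%ASA-6-106100: access-list inside_in permitted tcp inside/10.20.30.5(51300) -> outside/203.0.113.7(443) hit-cnt 3 300-second interval [0xa9212345, 0x0]
%ASA-6-106100: access-list inside_in permitted tcp inside/10.20.30.77(60001) -> dmz/172.16.5.10(8443) hit-cnt 1 first hit [0x1f0e2d3c, 0x0]
%ASA-6-106100: access-list inside_in denied tcp inside/10.20.30.5(51400) -> outside/192.0.2.9(23) hit-cnt 1 first hit [0xa9212345, 0x0]
%ASA-4-106023: Deny tcp src inside:10.20.30.8/50222 dst outside:192.0.2.9/23 by access-group "inside_in" [0x0, 0x0]
"""

LINE_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<sif>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+) "
    r"(?P<when>first hit|\d+-second interval) "
    r"\[(?P<hash1>0x[0-9a-fA-F]+), (?P<hash2>0x[0-9a-fA-F]+)\]"
)


def parse_106100(text):
    """Parse every 106100 line into a dict; lines with other message IDs are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["hits"] = int(rec["hits"])
        rec["dport"] = int(rec["dport"])
        # Compare hashes as integers so 0x0a92... and 0xa92... are the same ACE.
        rec["ace_hash"] = int(rec["hash1"], 16)
        records.append(rec)
    return records


def flows_for_ace(records, ace_hash):
    """Hits per (action, proto, src, dst, dport) for one ACE, identified by the
    hash shown in `show access-list` (a string like '0xa9212345' or an int)."""
    wanted = int(ace_hash, 16) if isinstance(ace_hash, str) else ace_hash
    flows = Counter()
    for rec in records:
        if rec["ace_hash"] == wanted:
            key = (rec["action"], rec["proto"], rec["src"], rec["dst"], rec["dport"])
            flows[key] += rec["hits"]
    return flows


if __name__ == "__main__":
    recs = parse_106100(SAMPLE_LOG)
    for flow, hits in flows_for_ace(recs, "0xa9212345").most_common():
        print("%4d  %s" % (hits, " ".join(str(f) for f in flow)))
```

Feed it the output of `show logging` (or the syslog collector's file) and the hash from `show access-list` and the result is the list of flows, with hit counts, that the any/any line is still catching; those are the flows that the more specific rules above it do not yet cover.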



FreeRADIUS 2.1.1 and MAB, possible?

We're in the process of getting ISE configured to be our RADIUS server, but that project won't wrap up until next year sometime. In the meantime, we have another project rolling out new IP phones, but we don't truly have a good way to secure the ports.

Our PCs check in via EAP to our FreeRADIUS server, and then once they authenticate, they're allowed on the network. I was looking into somehow getting our FreeRADIUS server configured w/ MAB for the new IP phones. I have the switch config (Cisco) ready to implement, but I have nothing able to respond currently.

Ultimately, I'm trying to have FreeRADIUS see the first octet of a MAC and authorize it as a stopgap until we can get our ISE licensing and servers configured to handle these authentication requests.



Anyone use Infoblox for IPAM? How do you handle loopback IP assignment?

We're working on setting up Infoblox to do discovery and handle IPAM. So far, it's working great for managing /31s and larger, but I can't get my head around how to manage loopbacks. We assign all our router loopbacks from a single /24 chunk of addresses. At first, I added individual /32 networks to the IPAM database and created a container for the /24, but Network Insight wasn't populating newly discovered "unmanaged" /32 addresses in this container, even though if I went over to the Devices tab, I saw both managed and unmanaged devices listed there by their loopbacks. What is the best practice for loopback management/assignment on Infoblox? I don't want to add them manually and have no feedback mechanism through Network Insight to make sure they're still in use.



Network monitoring - what should I use?

Hey,

Looking for a network monitoring solution to scale to around 1000+ devices, so enterprise grade.

Needs to be distributed and run on linux. (not PRTG or Solarwinds)

Does not have to be open-source.

Specifically to monitor a mixture of Network devices. (Cisco, Checkpoint, Fortinet, Palo)

We have already a vast mixture of tools we use, i am interested to find out what people use mostly and prefer.

Any input appreciated



Are 1Gb Fiber SFP's worth a hassle vs. copper?

We're in the middle of a campus expansion. New buildings are going up and fiber runs are being made to connect the buildings due to distance. I haven't worked with fiber,

Our Procurve switches only have the front 1 gig SFP ports (no 10 gig expansions on back). While we intend to connect the new building fiber to our switches, our consultant wanted to upgrade the rest of our uplinks (different floors in main building) from Cat5e to fiber.

Should we need this, if cost and performance are the focus points? I can configure my switches either way, but I can't see how a 1Gb fiber could help any more than a 1Gb copper...correct?



Stacking HP 2940F's

I have a noobie question. We are looking to replace our aging Cisco 4507R with 4 HP 2930F's stacked using 10GB SFP. Our VAR is indicating that we will need transceivers to stack them in this way; is this correct? The switches will be literally right on top of each other, so distance is not a problem. I assumed we could use 1 meter SFP to SFP direct attach copper cables.



Best Practices for connecting Cisco ASA FW to Cisco L3 Switch

Hey Guys,

Question for you. When connecting a Cisco ASA to a Cisco L3 Switch what is the preferred method? I've seen it done two ways and I was wondering what was best practices. The first method I've seen is with a routed port on the switch connected to the FW via a /30 transit network. I've also seen where it's just a regular switch port and connected to the network on that interface.

I was curious about which method would be better or recommended. I've also read they can be connected via a trunk port from the L3 switch to the FW, but I've never worked with VLANs on an ASA except for a 5505, so other than that I'm not familiar with what that would be used for.

Appreciate any clarification.



TACACS+ is authenticating but can't enable priv exec

X-post from CCNA

I'm working in my lab and I finally got to the point where I can successfully login to a router using TACACS but there's something in my authorization config (either on the router or the server, I'm leaning toward server config) that is preventing me from being able to elevate out of user exec mode. No matter what I try it just always says access denied.

My suspicion is that I'm missing something in the authorization.xml file. I've read through the documentation on the tacacs.net site and also on the Cisco site and I can't find an answer.

I'm using the free version from tacacs.net running on a Windows 10 laptop with the IP address 10.10.2.10. The router that I've configured for TACACS has an IP of 10.10.3.1.

Here is (I believe) my relevant config:

Router:

aaa new-model
aaa authentication login default local
aaa authentication login AUTHEN_via_TACACS group tacacs+ local
aaa authorization console
aaa authorization exec Author-Exec_via_TACACS group tacacs+ local
!
tacacs-server host 10.10.2.10 key tacacs
!
line vty 0 4
 exec-timeout 0 0
 authorization exec Author-Exec_via_TACACS
 login authentication AUTHEN_via_TACACS

Server - authentication.xml

<UserGroup>
  <Name>Network Engineering</Name>
  <AuthenticationType>File</AuthenticationType>
  <Users>
    <User>
      <Name>test</Name>
      <LoginPassword ClearText="password" DES=""> </LoginPassword>
      <EnablePassword ClearText="password" DES=""></EnablePassword>
      <CHAPPassword ClearText="" DES=""> </CHAPPassword>
      <OutboundPassword ClearText="" DES=""> </OutboundPassword>
    </User>
  </Users>
</UserGroup>

Server - authorization.xml

<Authorizations>
  <Authorization>
    <!--This entry will only be processed in the times given below-->
    <!--<Time>MTWRFSN,04:00-21:00</Time>-->
    <!--This authorization section applies to the following user groups. In case of conflicting authorization entries for the same group, the entry which appears first in the file is used.-->
    <UserGroups>
      <UserGroup>Network Engineering</UserGroup>
    </UserGroups>
    <ClientGroups>
      <ClientGroup>Routers</ClientGroup>
    </ClientGroups>
    <AutoExec>
      <!--<Set>acl=7</Set>-->
      <!--<Set>autocmd=telnet 10.1.1.1</Set>-->
      <Set>priv-lvl=15</Set>
    </AutoExec>
    <Shell>
      <!--<Permit>configure</Permit>-->
      <!--<Deny>show running-config</Deny>-->
      <Permit>enable</Permit>
      <!--<Deny>show bgp all</Deny>-->
      <!--<Permit>show bgp .*</Permit>-->
      <Permit>.*show.*</Permit>
      <Permit>.*</Permit>
    </Shell>
    <Services>
      <!-- <Service> <Set>service=ppp</Set> <Set>protocol=ip </Set> -->
      <!--<Set>addr=10.1.1.1</Set>-->
      <!--mandatory argument-->
      <!--Their mandatory input access list number is 5-->
      <!--<Set>inacl=5</Set>-->
      <!--<SetOptional>outacl=10</SetOptional>-->
      <!--These are examples of vendor specific attributes(VSAs)-->
      <!--<Set>foundry-privlvl=5</Set>-->
      <!-- </Service> -->
    </Services>
  </Authorization>

Server - clients.xml

<ClientGroup Name="Routers">
  <Secret ClearText="tacacs" DES=""> </Secret>
  <Clients>
    <Client>10.10.*</Client>
    <Client>192.168.*</Client>
  </Clients>
</ClientGroup>



Issue with trunking configuration

We have a routing switch in our DC which is connected to a new switch, but I can see the switchport as both access vlan and trunk.
I believe it is a trunk, but when I checked the interface switchport details, I can see an access mode vlan also defined.
I think if encapsulation and mode are defined then the switchport becomes a trunk, but why are we seeing an access mode vlan also?
Will vlan 200 be untagged, and what will be the behavior of the port for trunk allowed vlans?

SW04-NEW : cisco Nexus5548

RS01 : cisco WS-C6504-E

RS01#show run int Te2/2/1
Building configuration...

Current configuration : 285 bytes
!
interface TenGigabitEthernet2/2/1
 description SW04-NEW - E1/26
 switchport
 switchport access vlan 200
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-399,599,900-990
 switchport mode trunk
 switchport nonegotiate
 channel-group 27 mode active
end

RS01#show int Te2/2/1 switchport
Name: Te2/2/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po27)
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Operational Dot1q Ethertype: 0x8100
Negotiation of Trunking: Off
Access Mode VLAN: 200
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Operational Native VLAN tagging: disabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: 1-399,599,900-990
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled



How many of you are dealing with SuperMicro Servers in this fraternity? (Supermicro servers compromised by Chinese hardware backdoors)



Thursday, October 4, 2018

All flash vsan - what switches are you running?

I'm running Arista 7050SX2 with 10G to each vsan host. I'm observing some output discards and have been trying to adjust the buffer queues, but I can't seem to become discard free. Arista is of course recommending a deeper buffer model.

So.. what are you guys running? Do you regularly see discards on your vsan interfaces?



Best way to provide internet to my dad's workshop?

First of all, sorry if this is the wrong place to post this (and please let me know a better place to post).

My dad has a welding/pipefitting business and he has his shop on the same property as his house. A very large portion of his job is looking at different prospective jobs' blueprints and doing research on them. Normally he gets full printouts and does his work on a blueprint table up in his shop that's worked pretty well, but now that technology is becoming more and more of a thing in his industry, he has switched to primarily doing this work on computer with digital versions of the blueprints. The problem is that his work computer is in the house, because that's where the internet is. He really wants to have a computer up in his shop so that he doesn't have to constantly go back and forth while working. This has been a problem for years for him and he's finally willing to invest in a solution to get a computer and internet up at his shop. Now, we live in Maine (so lots of snow/ice/elements) and his shop is about 600-700 feet away from the house, so the wifi doesn't reach, and with a computer setup and the large blueprint files, he would really need to have a decent download speed. His solution was to just buy a 2nd internet line from our ISP to the shop, but I feel there's a much more cost effective way to get internet up there than buying a whole new line. I'm not super versed in networking, but I feel that we could somehow figure out how to split the coaxial cable line that goes into the house modem and run one up there (could easily bury the small portion that would have to cross the lawn, the rest would lie in the woods so we could probably just leave it exposed I think) and connect it to a 2nd modem in his shop. Would this work? Are there any better solutions? If this would work, what would we need to buy (other than the cable) to do this?

TL;DR: need to provide internet to a workshop that's 600-700 feet from nearest internet source, need to know best way to do this



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Weird VOIP issue

Hey everyone, hopefully you can help me out with this... I am at a loss for what else to troubleshoot here.

So I have two sites (HQ & Remote) which are connected using a S2S VPN connection. I am able to pass data traffic through with no issue. I can ping both sides from either side just fine. The issue is that I am not able to get voice traffic to flow at all.

HQ has a Cisco 5525 (9.1) and the Remote site is using an older 5510 (8.4). I was able to connect the VPN with no issue. At the remote site I am plugging into an older 3560 which has a DHCP scope and Option 150 setup for the phone network, which is a Cisco CUCM system.

I am able to register the phones at the remote site, they see the CUCM servers just fine. They pull the configs, get a DHCP address, etc. I am also able to call any phone within the remote site and have no issues at all. When I try to dial out from the remote site to an extension at the HQ site, the call is established but I am not able to hear anything. The same goes if I try to call from HQ to the remote site. The handsets ring, the call is established... but no voice. When I or a user terminates the call by putting the handset back in its cradle, the call ends with no issues either. If I call out of the remote site to my personal cell, it does the same thing. The call will establish on either end, but I am not able to hear the voice at all.

What am I missing here? Any advice would be greatly appreciated.



Apple-sourced mDNS traffic spike this month

Hi everyone,

First time poster to this subreddit. I'm a manager within the Client Services department of an undisclosed networking company :)

We've noticed in the last 30 days a significant increase in the number of our customers complaining about excessive mDNS/bonjour traffic from Apple-heavy networks. This has tons of side effects, including but not limited to performance reduction and CPU contention on edge devices.

We've not yet had any luck identifying whether it relates to a change in OSX or iOS, but both were updated last month and are suspect. We can't seem to find any explanation for the perceived increase in traffic, but we are using mitigation options for our customers to simply throttle the traffic.

Has anyone else who manages a corporate network noticed an increase in mDNS or general multicast traffic volume from Apple clients in the last month? Am I missing something obvious here?



Blogging nowadays - What do you think?

So I have been longing to do some blog posts, but recently, for the past 3 years or so, I've seen a significant decline in it, esp. in the quality ones.

I have in mind packetlife.net, but he has decided to no longer continue it due to some blogs plagiarizing content from his site, which I thought was a real bummer.

So the thought of that is hindering me as well from proceeding to establish a blog.

Apparently, that issue is not appetizing to anyone but I just want to know your thoughts about it.



User Network Move L3 from Core to Firewall

I manage a medium sized network where all networks are hanging off a Nexus core. The computers don't need low latency, high throughput to the servers, so to beef up security we are pondering moving the user network from the core to the firewall for better visibility and port filtering into the infrastructure. Is this a common topology out there?



ASA REST API doc

I keep reading everywhere that the Cisco ASA has built-in interactive documentation for the API. Every article I find says use https://ASAIP/doc . When I do this I get the login prompt and then the standard "this site is unsafe...." click continue anyway, and then the page doesn't come back with anything. When I use https://ASAIP/api/objects/networkobjects it works perfectly and gives me a readout on all my objects.

What am I doing wrong to not get the doc to load? Do I even need this doc site to work? I'm trying to learn the basics of automation. Long term is to apply access lists.



Firepower: blocked Facebook breaks other websites

I manage an ASA with Firepower services and my company has had me block Facebook and other social media sites. The problem is all of the various sites on the internet with links to Facebook data / Facebook buttons will regularly freeze up or load extremely slow because of my filter. Any ideas of how to fix the frozen websites without unblocking Facebook entirely?



SNMP monitoring of all switches in a stack setup

Hi All, I am in the process of pulling all of my network systems and hardware into being monitored. Presently I'm leveraging Zabbix to do this monitoring. I'm pulling in my switches and have a question about using SNMP to monitor some switches (Dell Force10) that are in a stacked setup. I've enabled the main switch with the correct community string. That switch is seen by Zabbix. My issue is: do I need to configure the other switches individually, or since I am able to walk the main switch, will that walk pull info on all of the stacked switches? If I have to manually configure all the stacked switches, will there be any specific steps for this? I'm asking because when I ssh into one of the stacked switches I am looking at a "standby" prompt.



IP SLA for packet loss on IPSEC tunnel

I was wondering if people think this is possible. I will attempt labbing this when I have a chance.

There is this design where we have 2 ipsec tunnels going to the same place from the same place. We have 2 because the 2nd one is a backup. Let's say a situation arises where there is packet loss or degraded performance on one of these tunnels, to where it either resets the tunnel a bunch of times or just sits there and has bad performance. Is there a way to set up an SLA to monitor from our end to the other end of the IPSEC tunnel to make a switchover in case the tunnel's performance is bad?



Cisco Network assistant and level 15 access

Help me out with what I'm missing here. HTTP enabled on router. Router responds to login request from CNA, but when I put in my root user and password, which is higher than level 15, it still won't let me in. Not really ever used this software but it seems pretty straightforward.



Continued network issue causing hiccup with a software, can you help me do a reset?

Sorry for the lame title, hopefully you guys can help. A client of mine uses software QB Premier 16 Pro on 3 workstations and 1 "pc as a server". I am constantly deployed to fix qb/networking issues.

Resolutions provided by QB work for a day or two and then the issue comes back.

They are using a Nighthawk router, Windows 10 on all ws. Not ideal but it's what it is.

The server pc is reachable via //server but it is never populating in Network Explorer.

How do I go about an entire reset of the network so that Windows and thus QB will be on an entirely new relationship?

Sorry, I can run fiber drops and drop cat6a racks in place all day but this damn windows networking has me stumped.

Any pointing in the right direction would be helpful.

Thanks



Wireshark not picking up udp, tcp, dns or http protocols

So my Wireshark isn't picking up any of the packets I need on wifi. But when I plug in an ethernet cable it works. I don't know what's wrong. I'm using a MacBook Pro 2012, OS Sierra.



Juniper switch interface up/down state

Has anyone encountered this: The command "show interfaces ge-0/0/47" shows the interface is up/up. However, the command "show interface terse ge-0/0/47" shows up/down.

If you have, how did you fix this? Lldp shows it is directly connected to the router.
STP is disabled.
No routing, but a default route.
Can't reach the gateway.
No arp to the gateway.
Monitor traffic mode only shows the switch is trying to arp the gateway but no reply.



How do I go about blocking daily port scans

I recently set up a Sonicwall firewall at a small business, and I've been getting daily port scans from random IP addresses throughout Europe scanning random ports.

I'm getting around 5-10 scans per day, and I was wondering what I should do.
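As an added example (not from the post; the Sonicwall's actual log format is not on the page, so the lines below are constructed in a generic `timestamp src dst dport action` form and the parser would need adapting to the real syslog), the detection logic that separates a scan from ordinary dropped traffic: many distinct destination ports from one source inside a short window. Flagging on that threshold, rather than on every dropped packet, is what keeps a block list from filling with one-off noise.

```python
"""Flag sources that probe many distinct ports within a short window (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <src> <dst> <dport> <action>".
# Not Sonicwall syslog; the parser is the only part that would change for a real format.
SAMPLE_LOG = """\
2018-10-05T02:10:01 198.51.100.7 203.0.113.10 22 drop
2018-10-05T02:10:02 198.51.100.7 203.0.113.10 23 drop
2018-10-05T02:10:02 198.51.100.7 203.0.113.10 80 drop
2018-10-05T02:10:03 198.51.100.7 203.0.113.10 443 drop
2018-10-05T02:10:03 198.51.100.7 203.0.113.10 3389 drop
2018-10-05T02:10:04 198.51.100.7 203.0.113.10 8080 drop
2018-10-05T02:11:30 192.0.2.44 203.0.113.10 443 allow
2018-10-05T02:11:31 192.0.2.44 203.0.113.10 443 allow
2018-10-05T09:00:00 198.51.100.7 203.0.113.10 25 drop
"""


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, dport, action) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def detect_scanners(events, window=timedelta(minutes=5), min_ports=5):
    """Return {src: distinct_ports} for every source that hits >= min_ports distinct
    destination ports inside any window-length span. The reported count is the
    largest such span seen for that source."""
    by_src = defaultdict(list)
    for ts, src, _dst, dport, _action in events:
        by_src[src].append((ts, dport))

    flagged = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological; tuples sort by timestamp first
        best = 0
        for i, (start, _port) in enumerate(hits):
            ports = set()
            for ts, port in hits[i:]:
                if ts - start > window:  # slide the window forward from each event
                    break
                ports.add(port)
            best = max(best, len(ports))
        if best >= min_ports:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, count in detect_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {count} distinct ports within one window")
```

Tune `window` and `min_ports` to the site: the 09:00 probe from the same source in the sample does not join the 02:10 burst, so a single straggler never trips the rule on its own, which is the behaviour you want before wiring a result like this into an automated block.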



VSS vs vPC

Hey All,

I was reading some older posts on this topic, and it raised some additional questions that I was hoping I could get further insight on.

The general consensus was that the disadvantage for VSS is the single active supervisor for the control plane. People were mentioning this could get "locked up" which would basically eliminate all methods of redundancy. I am trying to understand this a bit more. I was under the impression that in SSO mode, if the active supervisor failed, the standby would take over in a VSS.

Does getting locked up specifically mean that the standby could potentially not detect anything wrong on the active supervisor? Am I understanding this correctly?

I know VSS had its issues when it first came out, but these days I would think it's pretty solid, even with ISSU. What are your thoughts on this?

Thanks,



Why does Cisco AnyConnect create duplicate routes of other VPN clients?

I connect to a Palo Alto GlobalProtect VPN using split tunnel, and see this via the Windows "route print" command:

10.10.0.0 255.255.0.0 On-link 10.20.206.201 1
10.20.0.0 255.255.0.0 On-link 10.20.206.201 1

Perfect. Those are the two split tunnel routes and 10.20.206.201 is the tunnel interface on the Palo Alto.

Then I connect to a Cisco AnyConnect VPN using split tunnel, sending a 10.0.0.0/8 route. Now I see this:

10.0.0.0 255.0.0.0 10.8.192.1 10.8.192.30 2
10.10.0.0 255.255.0.0 On-link 10.20.206.201 1
10.10.0.0 255.255.0.0 10.8.192.1 10.8.192.30 2
10.20.0.0 255.255.0.0 On-link 10.20.206.201 1
10.20.0.0 255.255.0.0 10.8.192.1 10.8.192.30 2

What the heck is up with the 3rd and 5th routes? 10.10.0.0/16 and 10.20.0.0/16 are NOT in the AnyConnect split tunnel. I realize it's not being followed since the metric (2) is higher, but why did it get created in the first place?

I'm on Windows 10. GlobalProtect 4.1.5, AnyConnect 4.6.03049
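Added example, not from the post: a small Python model of how Windows chooses among the entries in the `route print` table above (longest prefix first, then lowest metric, taking the metric column as printed), fed with a constructed copy of the five routes. It groups the duplicated prefixes so the two entries per /16 sit side by side, and confirms that traffic to a 10.10.x.x or 10.20.x.x address still leaves via the GlobalProtect interface while anything else in 10.0.0.0/8 goes to AnyConnect.

```python
"""Parse a Windows route table and show which entry wins for a destination (added example)."""
import ipaddress
from collections import defaultdict

# Constructed copy of the five routes quoted in the post: dest mask gateway interface metric.
ROUTE_PRINT = """\
10.0.0.0 255.0.0.0 10.8.192.1 10.8.192.30 2
10.10.0.0 255.255.0.0 On-link 10.20.206.201 1
10.10.0.0 255.255.0.0 10.8.192.1 10.8.192.30 2
10.20.0.0 255.255.0.0 On-link 10.20.206.201 1
10.20.0.0 255.255.0.0 10.8.192.1 10.8.192.30 2
"""


def parse_routes(text):
    """Return a list of route dicts; lines that are not five whitespace-separated fields are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        routes.append({
            "network": ipaddress.IPv4Network(f"{dest}/{mask}"),
            "gateway": gateway,          # "On-link" means directly attached
            "interface": iface,
            "metric": int(metric),
        })
    return routes


def duplicate_prefixes(routes):
    """Map each prefix that appears more than once to its (metric, interface, gateway) entries, lowest metric first."""
    by_net = defaultdict(list)
    for r in routes:
        by_net[r["network"]].append((r["metric"], r["interface"], r["gateway"]))
    return {str(net): sorted(entries) for net, entries in by_net.items() if len(entries) > 1}


def select_route(routes, address):
    """Longest-prefix match, ties broken by lowest metric, as Windows does for a unicast destination."""
    addr = ipaddress.IPv4Address(address)
    candidates = [r for r in routes if addr in r["network"]]
    return min(candidates, key=lambda r: (-r["network"].prefixlen, r["metric"]))


if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    for prefix, entries in duplicate_prefixes(routes).items():
        print(prefix, entries)
    for dest in ("10.10.5.5", "10.99.1.1"):
        print(dest, "->", select_route(routes, dest)["interface"])
```

Running it against a live `route print` is a quick way to confirm, after both clients connect, that no destination inside the GlobalProtect split-tunnel prefixes has been pulled onto the AnyConnect interface; if a /16 ever shows the AnyConnect entry with the lower metric, the duplicate has stopped being harmless.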



Attending RIPE77?

Who all is planning to attend? If you're there Monday, come to my tutorial on the P4 language!

If you're not attending but have a LIR registration code or two that isn't being put to use, I know two presenters from a young startup that would be very appreciative. I'll be happy to buy you/your colleagues a beverage or three of their choice!

Anyway, come to RIPE and come to my tutorial. P4 is the rapidly approaching future. I will "fight" you on that :-)



Unable to create HSRP channel between Cisco Catalyst 2970G and Cisco Catalyst 3850

I am trying to create an HSRP channel between a Cisco Catalyst 2970G and a Cisco Catalyst 3850. The port (Gi0/10) on the 2970G is shown as suspended (LEDs are amber). The port (Te1/0/14) on the 3850 is shown as not connected (though the LEDs are green).

For both the 3850 and the 2970G, I have included the output of sh vtp status, the port configuration, and the output of the interface status (sh int te1/0/14). On the 2970G, I have also included the output of sh log, which reflects a VTP domain mismatch.

Cisco 3850

US04SW21(config-if)#do sh vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name : US04SW21
VTP Pruning Mode : Disabled
VTP Traps Generation : Enabled
Device ID : 00a2.89ac.ff00
Configuration last modified by 172.18.0.21 at 0-0-00 00:00:00

Feature VLAN:
--------------
VTP Operating Mode : Transparent
Maximum VLANs supported locally : 1005
Number of existing VLANs : 16
Configuration Revision : 0
MD5 digest : 0xC3 0xB5 0xAD 0x04 0xF4 0x5A 0x96 0xC4
 0x7D 0xE0 0x0C 0x4F 0x0E 0xA5 0xBB 0x48

interface TenGigabitEthernet1/0/14
 switchport mode trunk
 speed 1000
 duplex full
 channel-group 1 mode active
end

US04SW21(config)#do sh int te1/0/14
TenGigabitEthernet1/0/14 is down, line protocol is down (notconnect)
 Hardware is Ten Gigabit Ethernet, address is 00a2.89ac.ff0e (bia 00a2.89ac.ff0e)
 MTU 1500 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
 reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation ARPA, loopback not set
 Keepalive not set
 Full-duplex, 1000Mb/s, link type is auto, media type is unknown
 input flow-control is off, output flow-control is unsupported
 ARP type: ARPA, ARP Timeout 04:00:00
 Last input never, output never, output hang never
 Last clearing of "show interface" counters never
 Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
 Queueing strategy: fifo
 Output queue: 0/40 (size/max)
 5 minute input rate 0 bits/sec, 0 packets/sec
 5 minute output rate 0 bits/sec, 0 packets/sec
 0 packets input, 0 bytes, 0 no buffer
 Received 0 broadcasts (0 multicasts)
 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 watchdog, 0 multicast, 0 pause input
 0 input packets with dribble condition detected
 0 packets output, 0 bytes, 0 underruns
 0 output errors, 0 collisions, 5 interface resets
 0 unknown protocol drops
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier, 0 pause output
 0 output buffer failures, 0 output buffers swapped out

Cisco Catalyst 2970G

rlmdcswitch2#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 12
VTP Operating Mode : Transparent
VTP Domain Name : RLMDCSWITCH2
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Enabled
MD5 digest : 0x97 0x4A 0x5D 0x4D 0xCE 0x5A 0xD8 0x87
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

interface GigabitEthernet0/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex full
 speed 1000
 channel-group 1 mode active
end

GigabitEthernet0/10 is up, line protocol is down (suspended)
 Hardware is Gigabit Ethernet, address is 0018.736f.f90a (bia 0018.736f.f90a)
 MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
 reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation ARPA, loopback not set
 Keepalive set (10 sec)
 Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
 input flow-control is off, output flow-control is unsupported
 ARP type: ARPA, ARP Timeout 04:00:00
 Last input 00:00:00, output 00:00:13, output hang never
 Last clearing of "show interface" counters never
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
 Queueing strategy: fifo
 Output queue: 0/40 (size/max)
 5 minute input rate 0 bits/sec, 0 packets/sec
 5 minute output rate 0 bits/sec, 0 packets/sec
 41435 packets input, 3311470 bytes, 0 no buffer
 Received 41435 broadcasts (0 multicast)
 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 watchdog, 41400 multicast, 0 pause input
 0 input packets with dribble condition detected
 446306 packets output, 31636314 bytes, 0 underruns
 0 output errors, 0 collisions, 9 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier, 0 PAUSE output
 0 output buffer failures, 0 output buffers swapped out

Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
 Console logging: disabled
 Monitor logging: disabled
 Buffer logging: level debugging, 126 messages logged, xml disabled,
 filtering disabled
 Exception Logging: size (4096 bytes)
 Count and timestamp logging messages: disabled
 File logging: disabled
 Trap logging: level informational, 129 message lines logged
 Logging to 172.18.4.98, 129 message lines logged, xml disabled,
 filtering disabled

Log Buffer (4096 bytes):

000093: *Mar 1 19:04:29.487 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/11, changed state to up
000094: *Mar 1 19:04:37.808 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/10, changed state to up
000095: *Mar 1 19:04:40.023 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to up
000096: *Mar 1 19:04:55.189 UTC: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Gi0/10 because of VTP domain mismatch.
000097: *Mar 1 19:04:58.083 UTC: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Gi0/11 because of VTP domain mismatch.
000098: *Mar 1 19:05:07.823 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
000099: *Mar 1 19:05:49.120 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to down
000100: *Mar 1 19:05:50.151 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/11, changed state to down
000101: *Mar 1 19:05:51.133 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/10, changed state to down
000102: *Mar 1 19:05:51.150 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
000103: *Mar 1 19:05:52.156 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/10, changed state to down
000104: *Mar 1 19:06:20.904 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/10, changed state to up
000105: *Mar 1 19:06:28.370 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/11, changed state to up
000106: *Mar 1 19:06:32.740 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/10, changed state to up
000107: *Mar 1 19:06:39.619 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to up
000108: *Mar 1 19:06:49.660 UTC: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Gi0/10 because of VTP domain mismatch.
000109: *Mar 1 19:06:57.009 UTC: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Gi0/11 because of VTP domain mismatch.
000110: *Mar 1 19:07:02.755 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
000111: *Mar 1 19:11:11.494 UTC: %PHY-4-EXCESSIVE_ERRORS: Excessive FCS, data, or idle word errors found on interface Gi0/10
000112: *Mar 1 19:24:24.091 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/10, changed state to administratively down
000113: *Mar 1 19:24:25.098 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/10, changed state to down
000114: *Mar 1 19:24:27.220 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
000115: *Mar 1 19:24:28.202 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/11, changed state to administratively down
000116: *Mar 1 19:24:29.208 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to down
000117: *Mar 1 19:24:45.189 UTC: %EC-5-ERRPROT: Channel protocol mismatch for interface Gi0/10 in group 1: the interface can not be added to the channel group
000118: *Mar 1 19:25:49.622 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/10, changed state to down
000119: *Mar 1 19:25:52.012 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/11, changed state to down
000120: *Mar 1 19:25:52.021 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/10, changed state to up
000121: *Mar 1 19:25:54.454 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/11, changed state to up
000122: *Mar 1 19:26:01.584 UTC: %EC-5-L3DONTBNDL2: Gi0/10 suspended: LACP currently not enabled on the remote port.
000123: *Mar 1 19:26:04.100 UTC: %EC-5-L3DONTBNDL2: Gi0/11 suspended: LACP currently not enabled on the remote port.
000124: *Mar 1 19:26:20.685 UTC: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Gi0/10 because of VTP domain mismatch.
000125: *Mar 1 19:26:22.983 UTC: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Gi0/11 because of VTP domain mismatch.
000126: *Mar 1 19:28:39.206 UTC: %SYS-5-CONFIG_I: Configured from console by rlmdcswitch2 on console

From the output of sh vtp status, I see that there are different VTP versions between the switches. I also see that from the output of the log, the 3850 does not have LACP enabled.

Any assistance is greatly appreciated.



Renewing CCNA:R&S via ICND2 vs CCNA:Security

My CCNA:RS is expiring in 9 months. I like the idea of expanding my number of certifications by getting CCNA:Security, but I'm worried about the difficulty of the test relative to just taking ICND2 to re-certify. Is there a consensus as to whether CCNA:Sec is harder or easier than ICND2?



Replacing VTP Server (and updating vlans). Are all vlan IDs created equal?

I will be replacing all of my L3 switches (VTP Servers) at the same time. They currently have vlan databases that need some serious pruning (1000+ unused vlans etc). What is the best way to replace these and still have my access switches work? I'm running VTP v1.

My current plan is:

  1. Create new VTP domain on each L3 switch
  2. Create only the needed vlans on each
  3. On every access switch, change VTP Domain to new domain
  4. Replace L3 switch.

Would I need to also change my access switch VTP modes to Transparent before step 4, and then back to client after the replacement?

Will this plan even work? I don't have what I need to really test/simulate this at the moment but it also seems like there might be an easier way?

For clarity, all access switches are Cisco 3850s, old L3s are Cisco Nexus 5ks, new L3s are Cisco 9300/9500s.

Thanks in advance!



S2S VPN - PFS Acceptable Security Level

Hi Gents,

I'm in the process of moving some S2S VPNs on an ASA 5525, which involves changing one peer public IP, and I think it's a good idea to harden the security a little bit in the process by configuring more secure cryptos.

I've already read what Cisco say on the topic:

https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html

And I think I'm going to use IKEv2, AES-CBC, SHA 256, DH 14.

My question is... how to configure PFS?

Should I use DH14 also on PFS? Is this well supported from Cisco and other vendors?

Or can I just go with the default DH2 without lowering the security level too much?



Redundancy at the edge for DMVPN and BGP

Hello,

I'm working on a design to provide redundancy for both DMVPN and BGP in a co-location where we will receive two circuits from our ISP - MPLS & Internet. The Internet circuit is used for DMVPN and the MPLS is what we will BGP peer with our ISP over.

This will support around 100 sites at 300Mbps throughput. We are a Cisco shop.

The problem I'm having is figuring out how to provide physical redundancy for all services. The hand-off is layer 2, so I'll have a stack of Cisco switches using Flex-stack that I run the hand-off to and VLAN out the MPLS and Internet services. The firewalls will be in an HA pair where the Internet will terminate. However, I'm not sure how to do this with routers (physical redundancy). I've looked at using HSRP and BGP peering with the VIP (that seems to work fine in GNS3, but I'll need a /29 instead of a /30 from the ISP). I've looked at using HSRP and using the VIP for DMVPN (public IP NAT'd to the VIP from the firewalls), but I don't know what is best practice here. Lastly, I've also looked at something like SSO, but getting a router that supports two route processors seems overkill for this (ASR-1004).

How have you guys achieved redundancy with routers at the edge of your network?



Requesting Explanation about vlan tagging/architecture

Hello,

I recently started a new job. I noticed on the part of the network where the ISP hands off the connection to us that it's set up a little oddly, or I'm just not used to seeing this. The layout is as such:

ISP Cisco 4000 series Router > Data Center Cisco 3550 switch > My Cisco Switch in my locker at the data center.

On the Data Center switch, the vlan on the local interface and the interface on my cisco switch are 50

On my Cisco switch, the vlan on the local interface is 50, and on the downstream switch that comes back to my server room the interface is on vlan 20. Vlan 20 is the ISP vlan we have designated on my internal network to bring those public IPs to the firewalls.

My question is, is this a normal way to hand off/trade vlans from 1 carrier to another or from 1 carrier to an internal network? Is there a better way of doing this? Would this cause any issues?

Let me know if you need more details. Thanks!



Vlan's and Virtual Servers

So my sysadmin told me there are not enough usable IPs in VLAN 209 for about 40 virtual servers. The host machine is in Vlan 209. Vlan 210 is empty, so he wants me to put Vlan 210 on the same access port so he can have more IPs to use.

If I put another Vlan on the same port, wouldn't that make it a trunk port? Is there a better way to accomplish this goal? I'm still fairly new to networking.



Configure Unique SSID per band with Sonicwall/Sonicpoints

Hello all, I would like to know if it is possible to create different SSIDs per band using sonicpoints. (I know you could configure band steering, already have, but I have been tasked with this specifically).

So what I have currently is two SSIDs with two respective VLANs, a "Staff" and "Guest". All is well, except I would like to have a "Staff" using 5Ghz only and a "Staff-2.4" on 2.4 only. (Guest unchanged.)

I have tried to do this by creating a new VAP profile "Staff-2.4" and a second VAP group. The 1st group contains "VAP-Staff" and "VAP-Guest" with their respective SSIDs. The 2nd group contains "VAP-Staff-2.4" and "VAP-Guest" and their respective SSIDs. My idea was to (under base settings > SonicPoint / SonicWave Provisioning Profiles) configure Radio 0 Virtual AP group (ie 5ghz) to use the first VAP group and Radio 1 Virtual AP group (ie 2.4ghz) to use the second VAP group (there are drop-down choices for each).

However when applying the change I get a warning stating that "same vap groups should be used in dual band" and the change does not apply.

Does this mean that the configuration I am trying to achieve is not possible/allowed by the Sonicwall? Or am I just going about it the wrong way?

If any Sonicwall pros could confirm/deny, I would be most appreciative.

[Using Sonicpoint ACi's and an NSA 2600 running 6.5]



Any way to get a "range of IPs" from a list of random IPs?

So I have a CSV of computer IPs (5000 or so computers), and from that list of IPs I want to get IP ranges like 11.27.154.0/19

21.21.222.0/23 (example), any software maybe...

The reason I don't know the ranges is that I'm a different vendor that wants to deploy apps; the network is run by a vendor too, but they have a very slow response.
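An added example, not from the post, that does the aggregation with Python's standard library: it reads a constructed CSV (the column name `ip` is an assumption), sorts the addresses, clusters those separated by at most `max_gap` addresses, and returns the smallest prefix that covers each cluster. The result is a covering summary rather than the network's actual subnet plan, so treat it as a set of candidate ranges to confirm with whoever runs the network before deploying against them.

```python
"""Summarise a list of host addresses into covering CIDR prefixes (added example)."""
import csv
import io
import ipaddress

# Constructed sample CSV; real input would be the 5000-row export with an "ip" column.
SAMPLE_CSV = """hostname,ip
ws-001,11.27.154.10
ws-002,11.27.155.200
ws-003,11.27.160.5
ws-004,11.27.170.99
ws-005,21.21.222.7
ws-006,21.21.223.250
ws-007,198.51.100.23
"""


def load_ips(csv_text, column="ip"):
    """Return the distinct addresses in the named CSV column, sorted numerically."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return sorted({ipaddress.IPv4Address(row[column]) for row in reader})


def common_supernet(first, last):
    """Smallest CIDR block that contains both addresses (first <= last)."""
    net = ipaddress.IPv4Network(f"{first}/32")
    while last not in net:
        net = net.supernet()  # widen one bit at a time until the block covers 'last'
    return net


def covering_prefixes(ips, max_gap=4096):
    """Cluster sorted addresses whose neighbours are at most max_gap apart, then
    return the minimal supernet per cluster. Larger max_gap merges more clusters
    into coarser prefixes; smaller max_gap keeps isolated hosts as /32s."""
    if not ips:
        return []
    prefixes = []
    cluster = [ips[0]]
    for addr in ips[1:]:
        if int(addr) - int(cluster[-1]) <= max_gap:
            cluster.append(addr)
        else:
            prefixes.append(common_supernet(cluster[0], cluster[-1]))
            cluster = [addr]
    prefixes.append(common_supernet(cluster[0], cluster[-1]))
    return prefixes


if __name__ == "__main__":
    for prefix in covering_prefixes(load_ips(SAMPLE_CSV)):
        print(prefix)
```

On the sample this yields 11.27.128.0/18, 21.21.222.0/23 and 198.51.100.23/32: the 11.27.x.x hosts span two /19 boundaries, so the smallest single block covering them is a /18, which is exactly the kind of over-approximation to be aware of when the output feeds an allow list.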



Anyone got an up-to-date OS overview about HP/Aruba switches series?

Hello,

I'm wondering if anyone around here is experienced with the HP/Aruba switch line. Because as far as I can remember they went from pure 3COM to some bastard child of 3COM to something barely related to 3COM to something almost entirely not 3COM at all.

Then Aruba "christened" all over the place.

I don't have an HP Consultant at hand to torture about this info.

Thanks



PXE Boot slow, transfer speeds okay?

Hi all,

I'm the sys admin at a computer manufacturing place. We're having a problem where our two deployment servers are PXE booting a 650MB boot.wim incredibly slowly. The servers are both Server 2016 x64. I'm not sure where else to look to find out where this problem is happening, so here's what I know so far:

  • The problem only occurs on physical hardware, not virtual. Virtual machines are fine for deployment
  • Transferring files from network shares is unaffected
  • Changed the TFTP Block Size to different values, no difference made
  • Power cycling the switches & servers & router had no effect
  • Replacing switches had no effect
  • Checked the link speed, it's 1gbps
  • Tried a different boot.wim file, no change
  • Restarted the WDS Service, no change
  • Recreated the NIC teams, no change
  • RAID array is fine

The only error I have found is "The following client failed TFTP Download, error code 1460". As far as I know error code 1460 is a timeout error where the server has cut the connection.

I have a feeling the problem is hardware related, as the deployment servers can serve virtual hosts fine. Not sure where else to look for a solution?



Wednesday, October 3, 2018

HP Comware 5 - Community Private VLANs

I was wondering how you implement community private VLANs on a switch (HPE FlexFabric A5800) running Comware 5?

The current configuration looks like:

HP A5800 g1/0/1 <-> g1/0/25 Cisco Catalyst 3750E <-> VMware vSphere Virtual Distributed Switch 

Cisco config:

vlan 50
 name Internet_Promiscuous
 private-vlan primary
 private-vlan association 51-52
!
vlan 51
 name Internet_Isolated
 private-vlan isolated
!
vlan 52
 name Internet_Exchange
 private-vlan community
!
interface GigabitEthernet1/0/25
 description HP_A5800_Uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk

Comware config:

vlan 50
 description Internet_Promiscuous
 isolate-user-vlan enable
#
vlan 51
 description Internet_Isolated
#
vlan 52
 description Internet_Exchange
#
interface GigabitEthernet1/0/1
 description Catalyst_3750E_Uplink
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
#
interface GigabitEthernet1/0/2
 description Internet_Promiscuous
 port link-mode bridge
 port isolate-user-vlan 50 promiscuous
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 50 to 52 untagged
 port hybrid pvid vlan 50
#
isolate-user-vlan 50 secondary 51 to 52

Comware: display isolate-user-vlan

Isolate-user-VLAN VLAN ID : 50
Secondary VLAN ID : 51-52

VLAN ID: 50
VLAN Type: static
Isolate-user-VLAN type: isolate-user-VLAN
Route Interface: not configured
Description: Internet_Promiscuous
Name: VLAN 0050
Tagged Ports:
  GigabitEthernet1/0/1
Untagged Ports:
  GigabitEthernet1/0/2

VLAN ID: 51
VLAN Type: static
Isolate-user-VLAN type: secondary
Route Interface: not configured
Description: Internet_Isolated
Name: VLAN 0051
Tagged Ports:
  GigabitEthernet1/0/1
Untagged Ports:
  GigabitEthernet1/0/2

VLAN ID: 52
VLAN Type: static
Isolate-user-VLAN type: secondary
Route Interface: not configured
Description: Internet_Exchange
Name: VLAN 0052
Tagged Ports:
  GigabitEthernet1/0/1
Untagged Ports:
  GigabitEthernet1/0/2

The 5800s are new and everything has been confirmed as working on the Cisco and vSphere side for a long time. When I hook my laptop to g1/0/2 on the HP, I can talk to VMs in VLANs 50 and 51 but not 52; I can also talk to VMs in other (non-PVLAN) VLANs/subnets. So my question would be, why aren't community PVLANs working on the Comware side? Obviously I'm missing some sort of config, but I've tried googling and I can find references to promiscuous and isolated PVLANs in Comware but nothing about community PVLANs. Does Comware 5 just not support community PVLANs?



iperf3 tests for packet loss udp

Hello, I'm trying to measure packet loss on a T1 circuit. I'm doing iPerf3 tests, version 3.1.3. A noob at iperf.

I enter the following commands for client and server:

iperf3 -c 172.28.28.2 -i 1 -V -u -b 1.4M

iperf3 -s -V

One time I do the test it gives me 10% packet loss, another time 60% packet loss. No matter what T1 circuit I do it on, it always gives me wonky answers for packet loss that vary all over the place. Is my syntax correct here? Do I need to add more to get more accurate results? I'm trying to get the tests right so I can use this on a regular basis to measure packet loss on our T1s.
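An added example, not from the post: a Python helper that reads the client-side JSON that `iperf3 -c ... -u -J` prints, recomputes loss per run, and aggregates several runs so that the run-to-run spread and the offered load relative to the circuit's payload rate are visible side by side. The field names follow iperf3's `end.sum` section; the three result fragments are constructed to mirror the 10% / 60% swings described above and contain only the keys the script uses.

```python
import json
import statistics

# A T1 carries 24 x 64 kbit/s of payload; the 1.544 Mbit/s line rate includes framing.
T1_PAYLOAD_BPS = 1_536_000

# Constructed stand-ins for the "end" -> "sum" section of `iperf3 -c ... -u -J`
# output (field names as in iperf3's JSON). Real output carries many more keys.
SAMPLE_RUNS = [
    '{"end": {"sum": {"bits_per_second": 1400123.0, "jitter_ms": 1.9, "lost_packets": 92, "packets": 920}}}',
    '{"end": {"sum": {"bits_per_second": 1399870.0, "jitter_ms": 8.4, "lost_packets": 552, "packets": 920}}}',
    '{"end": {"sum": {"bits_per_second": 1400004.0, "jitter_ms": 0.7, "lost_packets": 0, "packets": 920}}}',
]


def parse_udp_run(json_text):
    """Pull the loss figures out of one client-side JSON result."""
    s = json.loads(json_text)["end"]["sum"]
    packets, lost = s["packets"], s["lost_packets"]
    return {
        "offered_bps": float(s["bits_per_second"]),
        "jitter_ms": float(s["jitter_ms"]),
        "packets": packets,
        "lost": lost,
        # recompute from the counters rather than trusting a rounded percentage
        "loss_pct": 100.0 * lost / packets if packets else 0.0,
    }


def assess(runs, link_bps=T1_PAYLOAD_BPS, max_spread_pct=5.0):
    """Aggregate several runs and flag the two things that make a single UDP
    loss number hard to trust: run-to-run spread, and an offered load that
    sits close to the link's payload rate."""
    parsed = [parse_udp_run(r) for r in runs]
    losses = [p["loss_pct"] for p in parsed]
    offered = max(p["offered_bps"] for p in parsed)
    spread = max(losses) - min(losses)
    return {
        "runs": len(parsed),
        "loss_mean_pct": statistics.mean(losses),
        "loss_min_pct": min(losses),
        "loss_max_pct": max(losses),
        "loss_spread_pct": spread,
        "offered_share_of_link": offered / link_bps,
        "consistent": spread <= max_spread_pct,
        "near_link_rate": offered / link_bps > 0.8,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_RUNS).items():
        print(f"{key:24} {value}")
```

`-b` sets the application payload rate, so 1.4M is already about 91% of a T1's 1.536M payload capacity before IP, UDP and link headers are added per datagram. Loss measured that close to line rate can come from the sending router's own queue rather than the circuit, which is why the report flags `near_link_rate`; runs at a clearly lower rate, repeated and compared for spread, separate the two.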



How has your career evolved over the past 10-20 years?

For the OGs in the subreddit. What has changed in the networking world over the course of your career? What trends have you seen? What advice would you give someone with a couple of years' experience? What to focus on - what is going the way of the dinosaurs?



Letting My Clearance Expire

Decided I no longer want to work for DoD contracting companies. The pay is great (100k) especially compared to the amount of actual experience I have, but man is it boring. Most of the time I'm sitting on my a$$ in my office. I get a ticket once a week.

I did take this down time to study and I'm close to wrapping up my CCNP and have been practicing python on the side.. not going to lie I'm kinda scared of not being able to land a job and getting paid significantly less, but it's a risk I'm willing to take to better my career.. I don't want to end up being one of those "engineers" getting paid 150k a year just to change a vlan on a port.

Rant's over.. how big of a mistake am I making lol



site-to-site vpn

Noob here. When you set up a VPN site to site does the LAN target address that you provide to the 'other side' need to point to an active IP on your local network?



Any resources that touch on how to gauge the appropriate connection speed for a business?

Hey all,

I've spent the past few hours trying to get a better sense of how to estimate/gauge the ISP download/upload speed. I'd like to be a bit more informed than falling back on "faster is better!". Do you have any recommendations on where to go to find better details on this?



DMZ design

Hello Gents and ladies

This topic has probably been done to death, but I'm curious as to how a "typical" DMZ design is done. When I say typical I mean the standard way across enterprises with minor deviation.

For background, my current org does it in a way I haven't seen in some time.

Hosts sit in the DMZ zone with one NIC. Default gateway is the firewall. If these hosts want to talk to inside hosts then they connect to a DMZ-NAT IP address. Which ok...is fine,

So every time these DMZ'd hosts want to connect to any inside IP (for ntp, syslog, ftp..) we need to create a DMZ NAT so the hosts appear to be just targeting another host within the same DMZ.

I'm just used to a dual-NIC DMZ machine protected on each NIC by a firewall.

What are your designs?



Keep Mikrotik CCR or change to Vyos and/or OPN Sense

My office network is using 2 ISPs, each 200 Mbps. One of the ISPs is using BGP for public IPs. Currently I use 2 CCRs, 1 for each ISP. The BGP-CCR is connected to the DMZ. The non-BGP-CCR has NAT and firewall configured and is connected directly to one of the ISPs, to the BGP-CCR and to the local network (around 2k wireless and wired clients). Well, the theme here is "as cheap as possible". Before using CCRs, we'd been using a pfsense box as router GW until we added BGP to the mix and the hardware couldn't handle it (I think it was around 80% CPU usage and a slow network).

I've been trying to add site-to-site VPN to the mix and maximize the firewall. When I tried it on the CCR, somehow the network felt a bit sluggish. Tried the L7 layer filter on the CCR, and the whole network slowed down. I've been looking for alternatives that can be used with existing spare hardware.

I tried VyOS on spare hardware and combined those 2 CCR roles into one box in a test network with 4 network interfaces (WAN, BGP, LAN, DMZ). I haven't tried to replace the CCRs directly on the main network though, so I have no idea if it will be able to handle the load. I have some setups that I have been considering.

  • BGP, NAT, routing, firewall, VPN in VyOS
  • BGP, NAT, routing, VPN in VyOS then add OPNSense for firewall
  • BGP, NAT, routing in VyOS, OPNSense for firewall and VPN
  • Other Idea?

What do you think is the best sane option?



wlc5508 licensing

I searched the sub and google, opened up a TAC case, and talked to my reseller and can't get a straight answer.

Do adder licenses for the 5508 need to have smartnet software renewed every year? My understanding is these are one time license purchases that are additive and permanent. However, each adder license is showing up as a line item in my smartnet renewal quote.

Even if they are renewed every year...is it really necessary to have each on as a line item? Couldn't I eliminate all of them except for one to keep the software support?



"Micro segmentation" with a firewall

In DC, what do you think about small IP subnets like /28-/31 and having the firewall do all the routing between subnets? That way you could do sort of micro segmentation with a physical (well or a virtual but anyway separate from the VM platform) firewall.

Does it cause much latency? I think it wouldn't, as the firewall could use the ASICs for the simpler rules.



BGP dual-homing & NAT'ing everything

Diagram: https://snag.gy/2CRojL.jpg

We have two locations and would like to use the local ISP towards the internet in each location. So the plan is to NAT anything that goes out from city 1 to 192.0.2.0/24 and everything from city 2 to 198.51.100.0/24. This way the return traffic would also come back correctly, hopefully. We would advertise the routes to our two ISPs with the AS path set accordingly. And if one ISP fails, the traffic gets routed between our internet routers and everything is fine.

How do you see this design? We would also NAT all the servers going out to this subnet, maybe have /26 for users and /26 for server NATs per location. Plan is also to have all the web traffic from internet to our servers going to the load balancers first, so we'd slice a /25 for those from each city's block. We'd also duplicate the LB config and use NAT towards the inside network so that it wouldn't matter much if we had to fail over the connection.

Any ideas? Thanks!



fs.com Fusion Splicer

Has anyone purchased or used fiberstore's fusion splicer?

The price seems too good to be true, so I'm a bit concerned about the quality of it. However, I have been using other fs.com products for quite some time and they've been working great (SFP/QSFP modules, patch cables)

We aren't doing any long distance terminations, just within our buildings. We currently use Corning Unicam, but the cost per connector is pretty high and we've been having some reliability issues with the terminations (could be due to a number of other factors...)



WiFi 6?

What's your thought on the new naming convention? Will it help the not techy people understand the differences?

https://www.androidcentral.com/wi-fi-6-next-big-upgrade-wireless-networks



Entire broadband industry sues California to stop net neutrality law



Campus grade access switches?

Who is everyone using? I've usually gone with Cisco. Access at the current job is on Ruckus, but the product line we're on just went End of Sale. I'm going to investigate the Ruckus line that is replacing it, but I feel like now is a good time to check out other options.

Had a lot of issues with stacked switches through Ruckus. Random DHCP forwarding issues, SSH issues that required us to locally zeroize keys often, and even just basic forwarding plane issues.

I'm going to check out:

  • Cisco - 2960x (I'm guessing, haven't used them in a minute)
  • Ruckus - ICX7150/ICX7250 (currently on ICX6450/ICX6610)
  • Arista - they may have a low end offering with POE soon, after acquiring Mojo
  • HPE/Aruba - worth considering?

Important features for our environment:

  • 1Gb access, 10Gb uplink
  • L3/Routing/Ability to add BGP (in certain cases, even if it requires a slightly beefier model)
  • POE
  • Mid to low price point
  • Support included a plus, but not a deal-breaker
  • API access/SDN support/some kind of automation support would be a plus (we can obviously just use ansible for most things)


Steelhead Mobile + Palo Alto VPN

We've got Riverbed SteelHead Mobile deployed, but haven't really been using it for the last year or two. We switched from ASA to Palo Alto and have fully embraced L7 filtering. However the PA can't identify the applications tunneled by the Riverbed optimization, so we can't filter traffic based on application for users using Steelhead Mobile. I'm wondering if anyone else is in this boat and if/how you solved it?



Anyone using 10Gtek (or other 3rd party) SFPs?

Hi all,

Just curious if anyone here is also using the 10Gtek SFP and SFP+ transceivers available direct or on Amazon. They are generally under $30 each and so far, I haven't had any problems. I am curious what the enterprise consensus is considering some of the OEM versions of the same thing are over $1,000 each. I realize some manufacturer specific units may have diagnostics or light metering capabilities.

What am I missing? I guess it's the difference between a $3 HDMI cable and a $100 HDMI cable.



Public Wi-Fi Guest Network, Separate 2.4 and 5 Ghz?

Hi,

We've got a "public" guest network where customers have problems with more demanding services such as videoconferencing, where their connections get dropped and they lose connection for a brief moment. However this only appears to be happening to those on older HW enforcing the 2.4 GHz band only. The others on 5 GHz don't seem to be affected.

So my question is, if it's advisable to create 2 SSIDs, one for 2.4 and the other for 5, in a way to clearly show that if they can only see the 2.4 then they won't get maximum performance. HTTP, TCP connections at their basic level sure, but maybe not more demanding traffic patterns.

I've seen similar articles but they focus on either home networks or maybe corporate, however this is something in between. It's a public network where customers pay by the hour, however they bring their own devices which we of course don't manage.

What do you guys think? Anyone had any experiences of similar situations with "public" wi-fi networks?

// David



What is the Impact of Client Upload Speed on Remote Access VPN Download Speed

User A has 250 down and 10 up. User B has 100/100. After connecting VPN and checking in chrome dev tools user A has a 4-5 times slower download speed than user B. My thinking is that the slow upload speed on user A has a negative impact on their download speed over VPN. Am I correct in this thinking or am I way off base?

Would love a solid answer on this as we have a lot of remote users and our application is primarily download-only for remote access users.



What happens to phone firmware when upgrading CUCM?

When upgrading CUCM, does it keep the same firmware device defaults for the phones? And if not, are the phone firmware files still on CUCM so that I could manually change them back after the upgrade, so we don't have 1000 phones upgrading their firmware?



Reconvergence issue

So I have a peculiar but very impacting issue. We have dual L3 MPLS clouds for redundancy and very low BGP timers for fast failure detection. We started to see that whenever our primary MPLS circuit went down at any site, our CE would flush the routes and fail over to the other MPLS cloud in about 10-15 secs, but our other sites kept sending traffic to the downed circuit. Basically sending traffic to a black hole. 3-5 minutes later the rest of the sites would eventually flush the routes from the site and use the backup MPLS to reach the site. This also affects any routing update: if I remove a route from being advertised, it would also take 3-5 minutes to update everywhere else.

We did some after-hours tshoot and eventually saw that the local PE/CE flushed the routes right away when the BGP hold timer expired; now our SP was extremely skeptical on who was to blame. But they saw that the site route was not being removed on any of their PEs in a timely manner. Now their "solution" was to implement BFD to improve convergence. But now I am the one skeptical, because BFD does not help to assure BGP routing updates get propagated. Or am I wrong?

Has anyone dealt with this issue before?

siteX ------------CE<-bgp->PE--- (MPLS Cloud) ----PE<-bgp->CE------------DC.site

10.x.x.x/24........failure.......................................(still sees route)



How do you organize your backpack?

I'm having a hard time finding anything on this. For the amount of stuff I like to have on hand, there's no backpack that has a 100% perfect solution, so my new thought is to have some sort of container system inside the main compartment of my backpack.

What I'm thinking is organizing into several smaller containers/bags within my backpack, IE:

  • 1 bag/box for patch and console cables
  • 1 bag/box for basic tools (multi tool, cable crimps, etc)
  • 1 bag/box for misc laptop accessories (bluetooth headset+charger, laptop charger, and in my case, my USB-C ethernet adapter)
  • 1 bag/box for other misc stuff (headphones, portable battery packs, etc)

Anyone have a good solution for this, or good type of container/bag solution?



Patch panels: Where should and shouldn't you put them?

Hi all,

I'm far from experienced in enterprise networking; however I'm 18 and currently going to school where we've started to move on to this topic. There's a question I'd like an answer to regarding patch panels and where it'd be wise to put them in a network of about 7 servers, a switch, about 30 outlets i.a.:

Would you recommend a patch panel between the server(s) and the switch, in addition to between the switch and the various outlets? (Servers > Patch Panel > Switch > Patch panel > TO). Or would you connect the servers directly to the switch? (Servers > Switch > Patch panel > TO). The switch would be placed in the same rack as the servers or in a rack just next to them; does this make the patch panel unnecessary due to the short length of the cable? What about a router/firewall, how would you patch this?

Thank you for your answers, and for understanding my level of knowledge and experience!



Am I crazy or what? Networking: creating a network diagram.

A little background on our company. I am CCENT R&S certified. And my coworker is MCSA certified. My boss is CCNA and CCNP certified.

Current time: I just got hired 2 months ago. And we are an MSP. My boss wants me to create a network diagram for all sites. I said "sure, can't be that hard".

I look into the notes for each client, and there is a terrible network diagram for each client that my boss created. The diagram didn't use Cisco networking icons, it looked like it was images pulled from Google Images.... No notes for interfaces, no notes for DHCP range, very few notes on IP addresses for servers and router. You can't even tell which device is which in his diagram.

Keep in mind that he has a CCNP and doesn't even know when and where or why to use a /30 IP address. He most likely bought the cert.

Most of the networks on the client sites are ROAS, and no redundancy whatsoever.

So I started drawing the diagram in draw.io. I focused on my diagram being simple and super easy to read. Following the ROAS style. Firewall/router at the top, switch at the bottom and the rest below and to the side of the switch.

He comes over to me and says my diagram looks ugly....

I told him it's supposed to be easy to read and understand, not look pretty.

Then my coworker comes over and tells me not to use Cisco device icons (idk what they are called) but to use pictures of the actual devices so he can understand it. I told him that my way is easier to understand because it's a standard. But he said we don't have Cisco devices on sites, so I should not use Cisco icons to represent each device based on the job it performs.

I don't even know what to say.

Am I wrong?

Did I study my CCENT wrong???

I am starting to question if what I know is right or wrong....



Favorite multi-gig (802.3bz) switches and AP's

We're looking at doing some significant upgrades to the network and I'd like to hear about your favorite brands of multi-gig/NBASE-T/IEEE 802.3bz switches.

Centrally managed is preferred, we are not brand-loyal or dependent, so all we need is the business justification (no more slowdowns and random dropouts with the wifi)

We will probably need some multi-gig PoE-powered switches/AP's - if the switch exists, it will help with some distribution of internet to interesting areas without needing an extra power cable.



Anyone experienced with CCNP Switch (300-115)? Need help with my topology

I desperately need someone who is more experienced than me to write the configuration for the basic topology which I made. I am a slow learner and it is easier for me to learn and get inspiration from other people's configurations and get a grasp on things instead of trying to tackle the entire thing on my own, because I'm inexperienced and clueless. I know that everyone starts somewhere, but I'm basically "that guy" if you know what I mean. This sounds like a homework assignment, and I understand why, so I don't mind donating a beer, pizza or whatever. I'm going to take the 300-115 exam 4 weeks from now, so if anyone wants to help me, please PM me.



Company planning to move from Cisco ASA 5545's with Firepower services to Cisco Firepower 2140 security appliances. Does anyone have any experience of these devices and can give me their opinion on them ?

Hi Engineers,

Next year the company I work for has plans to move from Cisco ASA 5545s with Firepower services to these Cisco Firepower 2140s. The 2140s basically consolidate your firewall and the Sourcefire into one box. At the moment we have a Sourcefire physical appliance and an HA pair of firewalls which connect into that.

I have always worked with ASAs so I am very comfortable with them, however this new solution sounds like it will be mostly GUI based, which I don't usually like, especially when it's Cisco. I just want to get some feedback from engineers that have deployed and managed these Firepower service devices and find out if they are any good.

Appreciate any feedback you can provide

SW



Monitoring - SNMP OID Juniper list of instances

Title says it all.. I can't find the MIB / OID for returning all routing instances on a SRX.

Problem is that the internet is full of guides explaining how to check specific data inside a routing instance (instance-name@community-string). However I need the output of all configured routing instances.

Thanks in advance.



Streaming Telemetry + Flow data: Is there any such product/solution that collects both?

From my limited understanding of network telemetry technology, I'm beginning to see how this is totally different from xflow (netflow, jflow, sflow, etc.), not just in the push model but also in the data it collects, where it seems that the flow details aren't present in telemetry. Can anybody confirm if this is accurate?

TIA



aws vpn - phase2 subnet question

Hi

Say I have a VPC with a subnet of 172.20.30.0/24

I then want to create a VPN tunnel to my on-prem stuff. I have lots of subnets on-prem that are constantly changing, so ideally I'd just want to make a phase 2 that says 172.16.0.0/12 - and then make firewall rules after that.

Will this work?
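An added example, not from the post: two checks a practitioner would run on a broad phase-2 selector before committing it, written in Python against the standard library. The VPC subnet and the 172.16.0.0/12 selector are the values from the post; the on-prem subnet list is constructed, since the real (changing) list is not on the page. The first check asks whether the remote selector swallows the VPC's own subnet and whether it actually covers every on-prem subnet that must ride the tunnel; the second shows how to keep a broad selector while carving the VPC subnet out of it.

```python
import ipaddress

VPC_SUBNET = ipaddress.ip_network("172.20.30.0/24")       # the VPC subnet from the post
REMOTE_SELECTOR = ipaddress.ip_network("172.16.0.0/12")   # the proposed phase-2 remote side
# Constructed on-prem subnets; the real, changing list is not on the page.
ONPREM_SUBNETS = [ipaddress.ip_network(s) for s in
                  ("172.16.10.0/24", "172.31.200.0/22", "10.50.0.0/16")]


def check_phase2(local, remote, onprem):
    """Does the remote selector overlap the local side, and does it cover
    every on-prem subnet that is supposed to use the tunnel?"""
    return {
        "remote_overlaps_local": remote.overlaps(local),
        "onprem_not_in_selector": [str(n) for n in onprem if not n.subnet_of(remote)],
    }


def carve_out(remote, local):
    """Split `remote` into the largest blocks that avoid `local`, so the
    selector can stay broad without containing the VPC's own subnet."""
    if not remote.overlaps(local):
        return [remote]
    return sorted(remote.address_exclude(local))


if __name__ == "__main__":
    print(check_phase2(VPC_SUBNET, REMOTE_SELECTOR, ONPREM_SUBNETS))
    for block in carve_out(REMOTE_SELECTOR, VPC_SUBNET):
        print(block)
```

With the values from the post the first check fires: 172.20.30.0/24 sits inside 172.16.0.0/12, so the remote selector would contain the VPC's own subnet, which is worth resolving before the tunnel is built. Excluding a /24 from a /12 yields twelve blocks (one at each prefix length from /13 to /24); the check also lists any on-prem subnet, such as a 10.x range, that a 172.16.0.0/12 selector would not carry at all.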



Network Telemetry - How is it different from NetFlow?

So I'm working on a project on deploying a network telemetry solution as indicated by management.

Can anybody here share their experiences with it: what it is, how it is different from NetFlow, and what building blocks are used for the solution?

I'm working for a small ISP using Juniper MX Routers on an MPLS-based core.

TIA for your answers



Tuesday, October 2, 2018

Deeper information in Netflow

I’m pretty new to Netflow and have inherited an existing Netflow monitoring setup. We are running all Cisco switches with monitoring on our cores which are Cisco 4500’s to Solarwinds NTA. I was looking at the traffic trying to figure out what traffic is causing some heavy bandwidth usage at some of my sites and I noticed that a lot of traffic is coming from Amazon Web Services and that is all it lists. I have been able to conclude that it may be YouTube but can’t really take that to my supervisor who isn’t really “techy”. My question is, is there something I can change to make my Netflow data more meaningful. I know that tons of sites are cloud hosted now, so is that just how it will be with Netflow data?



Which way to go

So in the next month or so I'll be sitting my CCNA (again, as it expired) and after that I'm going to be hitting wireless hard. My question to everyone is, which way do I go? Cisco wireless track or the CWNP track. Aside from "if you work with Cisco go Cisco" responses, what is everyone's view? Pros and cons of each track. Which will more likely get me a wireless job quicker? Which will make me a better wireless engineer? Lay it all out please. I am a senior network engineer now but my job focuses more on the DC. Trying to figure this out before I get CCNA certified again so I don't lose time deciding then. Thanks in advance everyone



WLC/AP reachability issue on same subnet

I am working on a very small network that has a standalone ISE appliance, a WLC 2504, a 2960 switch, and 2 2800 APs. The default gateway is a FW. Everything is on the same /24 subnet. Basically a lab network. Simple, right? Apparently not.

The WLC, ISE, and FW are directly connected to the 2960. After upgrading the WLC to 8.5.150 (I think), the APs took the new image, and promptly disappeared (couldn't rejoin the WLC). Neither of the APs (previously configured with static CAPWAP IPs) can ping anything else on the subnet, and nothing can ping them. All the other devices can still ping each other.

I tried rolling back the WLC to the previous image (8.2), and that seemed to take fine, but the APs are in the same state. I took one down and consoled into it, and it refuses to take any CAPWAP command, saying "Capwap process not ready yet. Try after few moments." I have tried several solutions from Cisco forums and none have worked. A new AP from the box acts like it is only going to DHCP, saying it is waiting for an IPV4 address and uplink (to the best of my memory).

I'm at the point now of considering just factory resetting the WLC and APs, and starting from scratch. Am I doing something painfully stupid, that I should know better about, or is this just another thorn Cisco is sticking in my ass?



Can someone help me understand QoS

So I recently passed my CCNA for R&S and one topic I constantly struggle with is QoS.

I have been told to think about it as a congestion-only management solution. If you have a 1 Gb link all the way out to the internet and you never even saturate that link, is QoS even needed or even utilized? Essentially FIFO because nothing is ever saturated.

I have always thought that if you have the bandwidth, the device will never queue packets, it will just send them out because it has the available bandwidth. Or they will just leave the queue as soon as they've entered it. I have always thought that QoS is only utilized when you have more data than what a link can hold, at which point it will start queuing the packets and sending out higher priority first.

If my thinking is correct, then are consumer or "gaming" routers that advertise gaming priority first through QoS even doing anything as long as you are not saturating your internet bandwidth?

Or is my thinking totally wrong, and if so, can someone help me understand.

Thanks
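An added illustration, not from the post or its replies: a toy single-link queue simulator in Python (standard library only) run once with FIFO and once with strict priority scheduling. The two constructed scenarios back up the reasoning above and show where it stops: with the link under-utilized both policies give every packet zero queueing delay, but a momentary burst that exceeds the link for about a millisecond is enough for the two policies to diverge, even though the average load in that scenario is tiny.

```python
import heapq

# A packet is (arrival_s, size_bytes, class); class 0 is the priority traffic
# (game/voice), class 1 is bulk. Both scenarios are constructed, not measured.
LINK_BPS = 1_000_000_000  # the 1 Gb link from the post


def simulate(packets, link_bps, policy):
    """Serve packets over one link; return the worst queueing delay per class.
    policy: "fifo" (arrival order) or "priority" (class 0 always first)."""
    pending = sorted(packets, key=lambda p: p[0])  # by arrival time only
    queue, worst = [], {}
    i = seq = 0
    t = 0.0
    while i < len(pending) or queue:
        while i < len(pending) and pending[i][0] <= t:  # admit arrivals up to t
            pkt = pending[i]
            key = (pkt[2], pkt[0]) if policy == "priority" else (pkt[0],)
            heapq.heappush(queue, (key, seq, pkt))  # seq keeps ties in arrival order
            seq += 1
            i += 1
        if not queue:                      # link idle: jump to the next arrival
            t = pending[i][0]
            continue
        _, _, pkt = heapq.heappop(queue)   # link free: choose per policy
        worst[pkt[2]] = max(worst.get(pkt[2], 0.0), t - pkt[0])
        t += pkt[1] * 8 / link_bps         # serialization time on the wire
    return worst


def unsaturated_scenario():
    """1500-byte packets every 100 us, alternating classes: about 12% link load."""
    return [(i * 100e-6, 1500, i % 2) for i in range(200)]


def burst_scenario():
    """100 bulk packets and one priority packet all land at t=0: a microburst
    that overruns the link for 1.2 ms although the average load is tiny."""
    return [(0.0, 1500, 1) for _ in range(100)] + [(0.0, 1500, 0)]


def compare(packets, link_bps=LINK_BPS):
    """Worst per-class queueing delay under each policy, for side-by-side reading."""
    return {
        "fifo": simulate(packets, link_bps, "fifo"),
        "priority": simulate(packets, link_bps, "priority"),
    }


if __name__ == "__main__":
    print("unsaturated:", compare(unsaturated_scenario()))
    print("burst:      ", compare(burst_scenario()))
```

In the unsaturated run the scheduler never has two packets to choose between, so the policy cannot matter. In the burst run FIFO makes the priority packet wait behind 100 bulk packets (1.2 ms at 1 Gb/s) while strict priority sends it immediately; the price is that the last bulk packet waits one packet longer. The caveat for "we never saturate the link" is therefore the timescale: an interface counter averaged over seconds can read 12% while the queue still fills for a millisecond at a time.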



Excessive ARP broadcasts.

Hi All,

I am having an issue with multiple Samsung panels and continuous ARP broadcasts. (100+ panels)
Firmware has been upgraded on most panels and has resolved issues although some panels cannot be updated.
Is there any way I can limit the ARP broadcasts without putting the switch-ports into an err-disabled state (Assuming an ACL)?
Already attempted storm-control broadcast level 0.01 / level bps 1 with no luck.

Thanks
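An added example, not from the post: detection logic in Python (standard library only) that ranks ARP-request senders by broadcast rate from capture text in the shape `tcpdump -e -n arp` prints, so the panels that still flood the segment can be identified by MAC before deciding what to do with them. The capture lines are constructed: one chatty panel re-asking for the same address, one normal host, and one unicast reply that is correctly ignored. The 5 requests-per-second threshold is an assumption to tune per environment.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of `tcpdump -e -n arp` output: 20 broadcasts
# from one panel inside two seconds, two from a normal host, one unicast reply.
SAMPLE_LINES = [
    f"10:00:{i * 0.1:06.3f} aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
    f"length 60: Request who-has 10.1.1.1 tell 10.1.1.50, length 46"
    for i in range(20)
] + [
    "10:00:00.500 aa:bb:cc:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
    "length 60: Request who-has 10.1.1.7 tell 10.1.1.60, length 46",
    "10:00:01.200 aa:bb:cc:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
    "length 60: Request who-has 10.1.1.9 tell 10.1.1.60, length 46",
    "10:00:01.210 aa:bb:cc:00:00:09 > aa:bb:cc:00:00:02, ethertype ARP (0x0806), "
    "length 60: Reply 10.1.1.9 is-at aa:bb:cc:00:00:09, length 46",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype ARP .*?: Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)"
)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _seconds(ts):
    """hh:mm:ss.frac -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def arp_talkers(lines, threshold_pps=5.0):
    """Rank ARP-request senders by broadcast rate and flag those above
    `threshold_pps`. Only broadcast requests count; unicast frames are ignored."""
    times = defaultdict(list)
    targets = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["dst"] != BROADCAST:
            continue
        times[m["src"]].append(_seconds(m["ts"]))
        targets[m["src"]][m["target"]] += 1
    if not times:
        return []
    all_ts = [t for ts in times.values() for t in ts]
    window = max(max(all_ts) - min(all_ts), 1.0)  # at least one second; avoids /0
    report = []
    for src, ts in times.items():
        rate = len(ts) / window
        target, hits = targets[src].most_common(1)[0]
        report.append({
            "src": src,
            "count": len(ts),
            "rate_pps": rate,
            "top_target": target,            # a panel asking for one address over
            "top_target_share": hits / len(ts),  # and over never gets/keeps a reply
            "flagged": rate > threshold_pps,
        })
    return sorted(report, key=lambda r: r["rate_pps"], reverse=True)


if __name__ == "__main__":
    for row in arp_talkers(SAMPLE_LINES):
        print(row)
```

Fed with a real capture from a SPAN or the panel VLAN, the output gives the MACs to chase for firmware and a per-sender rate to compare against whatever storm-control threshold is in play; a `top_target_share` near 1.0 says the panel keeps asking for the same address, which is a different problem from a panel that is merely noisy.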



QoS sanity check

I'm following the Campus QoS Case Study in the End-to-End QoS book (Chapter 17). So far I'm clear on the 8 queue model, except I don't see any marking or queue mapping for network control CS6/CS7, even on the core 4500/6500 config. Is there some kind of implicit default behavior I'm overlooking, or should I explicitly map CS6/CS7 to the realtime or signaling queues?



How do you tackle “unsolvable” oddball issues?

I’m talking about issues that are invisible to all troubleshooting and monitoring tools and methods, that everything looks fine, and vendor is blaming the network, and network is blaming the vendor, and back and forth it goes, with no end in sight. All the while, the users suffer, and don’t understand why the issue isn’t being fixed, and don’t know or care who to blame, they just want things to work.

I’m wondering if maybe some of you don’t ever find yourselves in this situation, if in your environment “no means no” when you say it’s not the network, and that word stands as law.

But what about environments where you just plain can’t say “it’s not the network,” and management keeps coming back and pestering you over and over again to “have another look” or get on daily calls with the vendor until it’s resolved?

What then? What do you do when packet captures look clean enough to eat off of, and nothing looks wrong at all?

How do you guys/gals approach that?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!