Saturday, October 20, 2018

Network Engineering Salary

I have 5 years experience as a Network Engineer, holding a CCNP. I have recently begun to travel heavily for work. On average I'm gone Monday through Friday, 75% of the year, if not more. I'm up for a raise at the end of the year and was wondering if anyone else does a lot of travel and what you may feel is fair? Thanks in advance!



I hate ASA - weird route issue

I really don't care for ASA firewalls, being a diehard Palo gal and having pulled out more Ciscos than I can count; I usually end up just keeping them running until they are replaced at jobs.

Tonight I have a window that should be super easy, and I hit a snag before I even got to the tricky bit. Sadly, TAC has expired, so they are no help.

My ASA had a default gateway of X.X.X.132, which pointed over to a load balancer. The LB's gateway was x.x.x.129 on the same public circuit.

I am replacing the LB with another piece of equipment that needs to be configured differently, I can't use same design.

Step 1 was to change the DGW of the ASA to the GW of the circuit, X.X.X.129.

I did this. The ASA shows 0.0.0.0/0 x.x.x.129 as the route and gateway of last resort; no routing protocols.

.129 pings, no problems.

I do a trace to a public IP from the ASA and I get x.x.x.132.

I delete the 0.0.0.0 route, re-enter it, reboot. Same thing.

I scour the config to see if there are ANY .132 entries; there is an object, but it isn't being used.

*headscratch*

Coming up empty on Google, or getting "how to set up ASA with DHCP" things.

Would be most appreciative of any help. *grumble grumble palos... *



CCNA or Network+

Hey guys, so I'm basically a self-taught white hat/cybersec professional wannabe. I've learned a lot over the course of the last couple of years in many areas, including coding (C, C++, Python, HTML, CSS, JS), OSes, electronics and some networking too, but I feel like I still don't know enough about the latter subject, and I wanted to take a serious course to get certified in the networking field. So I'm in need of advice in terms of which cert I should get, CCNA or Network+, always aiming to gain knowledge that's useful in the cybersec/hacking field.

I know both could be really useful at some point, but I want to know which one relates more to, or has a greater impact on, the hacking field.

Thanks a lot.



Shopping!

Where is your favorite place to buy gear? I just switched jobs and I can get gear from any supplier. So far fs.com and monoprice.com are really cheap.



Fiber - multimode vs singlemode?

Hi,

We ran Remee fiber - it is 6 strand, 50 micron.

Remee - 11-006-12S-AANOOF, 6 Fiber OM3, Indoor/Outdoor Riser Rated Type Buffer.

This was run in 2012 - we never terminated it and I am getting ready to start using it.

To confirm with a multimode fiber, one fiber is for TX & one is RX?

So with a 6 strand fiber, we would have 3 usable connections for our SFPs on a Cisco switch?

Also - this fiber is limited to 1GB (is this correct)?

The fiber was pulled with a number of Cat6, Coax, etc so pulling another fiber cable between buildings might not be workable without repulling the entire bundle.

Any information would be great.

Thanks, Rich



Cheap easy to configure router for setting up WAN/LAN from Comcast EDI handoff?

Anyone have a suggestion of a cheap router I could pick up to handle the WAN (/30) / LAN handoff from Comcast Business Class EDI? ref: https://business.comcast.com/help-and-support/ethernet/comcast-business-ethernet-equipment-configuration/

I'd like to not re-use our core and break off into its own VLAN, and would rather have a one-off piece of equipment that handles the WAN/LAN routing for each ISP we are bringing in.



Issue Connecting Devices (Wifi and Hard-wire connection issue)

My network has had zero issues for the last 3 years I've lived at my residence. This week I moved the physical location of my router & modem from one side of my office to the other. Ever since I moved the hardware I've been having an issue with phones, tablet, Xbox and PC not being able to connect to the internet when the device powers up, as well as the connection being lost and not being able to re-establish until I restart the router or modem, which ends up with me having to reset the router & modem to connect the device. This is happening with both hard-wired connections & WiFi and it's extremely inconvenient, especially when other people in the house are using the internet and their device is currently working. I'm not sure if it's just time for a new router or what's going on. It doesn't make sense that just moving the networking hardware 10 feet across the room should cause so many problems.



Routing Problem Between ASA's

I've got a routing problem between two ASAs. All the details are in the link below, with a diagram.

All devices are using static routing. The problem is that ASA1 routes 200.0.0.0/24 towards ASA2. But every single IP in 200.0.0.0/24 isn't necessarily in use yet, and traffic is actually going to some of the addresses not in use (e.g. 200.0.0.65). This causes a routing loop between the ASAs: ASA2 ends up default routing back to ASA1, and ASA1 believes 200.0.0.65 exists via ASA2 because of the routed /24. The TTL doesn't expire and this traffic eventually blows the CPU. I need a way to blackhole traffic to destinations that don't exist on ASA2.

https://ibb.co/e7Y0mL
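The loop described in the post, simulated as an added example (this is not the poster's configuration and not ASA code): two routers with longest-prefix-match tables, a /24 pointing from ASA1 to ASA2 and a default route pointing back. The live server addresses 200.0.0.1 and 200.0.0.2, the 64-hop TTL and the ASA CLI form quoted in the comment are assumptions. With a discard route for the /24 added on ASA2, an unused address is dropped on the first pass instead of bouncing between the two boxes until the TTL runs out, while the more specific routes for real hosts still win.

```python
import ipaddress


class Router:
    """Tiny static-routing FIB: longest-prefix match; a next hop is another
    Router, the string "local" (directly attached, deliver) or "null0" (discard)."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # list of (ip_network, next_hop)

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def forward(start, dst_ip, ttl=64):
    """Walk a packet hop by hop; returns (outcome, list of router names visited)."""
    dst = ipaddress.ip_address(dst_ip)
    hop, path = start, []
    while ttl > 0:
        path.append(hop.name)
        match = hop.lookup(dst)
        if match is None:
            return "no-route", path
        nh = match[1]
        if nh == "local":
            return "delivered", path
        if nh == "null0":
            return "discarded", path
        ttl -= 1  # each router decrements TTL before handing the packet on
        hop = nh
    return "ttl-expired", path


def simulate(dst_ip, blackhole):
    """Topology from the post: ASA1 routes 200.0.0.0/24 to ASA2, ASA2 defaults
    back to ASA1. Only 200.0.0.1 and 200.0.0.2 exist behind ASA2 (constructed)."""
    asa1, asa2 = Router("ASA1"), Router("ASA2")
    asa1.add_route("200.0.0.0/24", asa2)
    for host in ("200.0.0.1/32", "200.0.0.2/32"):
        asa2.add_route(host, "local")
    asa2.add_route("0.0.0.0/0", asa1)
    if blackhole:
        # Discard route: less specific than the live /32s, more specific than
        # the default, so only unused addresses inside the /24 land here.
        # Assumed ASA equivalent (check your release): route Null0 200.0.0.0 255.255.255.0
        asa2.add_route("200.0.0.0/24", "null0")
    return forward(asa1, dst_ip)


if __name__ == "__main__":
    for bh in (False, True):
        outcome, path = simulate("200.0.0.65", bh)
        print(f"blackhole={bh}: {outcome} after {len(path)} hops")
    print(simulate("200.0.0.1", True))
```

The order of preference is the whole point: a /32 for a host that exists beats the /24 discard, and the /24 discard beats the /0 default, so the blackhole only ever catches addresses that nothing else claims.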



Cellular network impact from sudden influxes of new devices?

So, I've read a lot about how cell carriers deal with traffic during large sporting events. However, I had a shower thought this morning about the recent influx of IoT devices with cellular connectivity.

For example, thanks to the recent dockless scooter craze, my city has had somewhere around 3,000 scooters with cellular connectivity dropped on it. Another example would be something like how Samsung now sells a SmartThings tracker that has built-in cellular. Or perhaps all the new cellular-connected vehicles rolling around out there.

Obviously carriers have spent a lot of time and money deploying microcells. Is there a looming issue with the overall RF environment being saturated with the constant pings / re-auths of these devices?

This is just one of those things that really intrigues me and I'd like to learn more about the deep technical inter-workings of how it's all managed to keep the cell networks working. If anyone has an interesting article to read about this, I'd love to see it!

Thanks!



Help me setting up RIPv2 lab (self Packet Tracer lab)

I recently started to learn Cisco networking. I was able to follow along for the Switch section, but setting up the lab for the Router section got exponentially difficult.

https://imgur.com/a/pqM2M4O

To the left is my current packet tracer set up and the right image is how I want to set up.

How exactly would you set up the subnets (in red text) between the routers?

Thank you for the help!



Asus AX 11000 router?

Any idea when Asus will be releasing their new ax 11000 router? It is the updated version of the GT 5300.

I'm currently using Google Wi-Fi, which works fine wired for my gigabit connection, but the Wi-Fi speeds with the mesh system obviously dropped, so I wanted to get one beefy router. I was looking into the GT 5300, but the new AX routers seem to be pretty close to being released as well.



Traveling Engineers - Whats it like?

I've always been interested in landing a job that was based in the US but required travel around Europe/Asia. Typically these positions are for consultants and require a lot of experience. Anyone want to share their experience doing one of these jobs? How much time do you actually have off while on travel? How's pay compared to a regular M-F position? How did you land your gig there, and any recommendations on how to position yourself into one of these jobs?



Migrating servers across datacenters keeping their IP address.

Good practice dictates servers should be addressed by their domain name; this would make them immune to IP address changes. Good practice also dictates that one should document an application's architecture so one knows which servers communicate with each other. In practice, this can be very different, resulting in a constraint that one needs to keep the servers' IP addresses even during the migration of the datacenter environment from one location to the other. Impossible, difficult? Here's a method on how to get this done.

The starting point is that all our servers are in datacenter A, in a server VLAN with network range 10.10.10.0/24. There's the network WAN access router, the core switch and the access switch where the servers are connected. The goal is to move all servers towards datacenter B, where they will be part of the identical network range and will keep their same IP address. Of course, due to operational requirements, availability demands etc., we are talking about a virtual server environment, where we have the initial servers active and operational in datacenter A, and an identical virtual server environment instantiated in datacenter B. Server storage is being replicated and kept synchronized across the datacenters via a separate network range. This is different from the 10.10.10.0/24 network range via which the servers are addressed by clients, or use to communicate between themselves.

Let us first describe our initial situation. All servers are part of 10.10.10.0/24, connected to the access switches, which themselves are connected to the core switch in datacenter A. The server VLAN is terminated on the core switch. Egress to the WAN is via the access router, which also advertises the network 10.10.10.0/24 inside the WAN, so all participants know the 10.10.10.0/24 servers reside in datacenter A. The MAC address of VLAN 10.10.10.0/24 on the core switch is aaaa.aaaa.aaaa and the unique core switch IP address in the VLAN is 10.10.10.a/24. The core switch default GW is the access router LAN IP in datacenter A (e.g. 10.10.20.254/24). This is unrelated to the server VLAN.

The access router in datacenter B does not advertise any route related to 10.10.10.0/24 itself, but knows the range resides in datacenter A. The server VLAN, network 10.10.100.0/24, is already created and terminated at the core switch. The core switch IP address in the server VLAN is unique and not in use in datacenter A. The MAC address of VLAN 10.10.10.0/24 on the core switch is aaaa.bbbb.bbbb and the unique core switch IP address in the VLAN is 10.10.10.z/24. The core switch default GW is the access router LAN IP in datacenter B (e.g. 10.10.30.254/24). This is unrelated to the server VLAN.

To prepare for the migration, the following actions are needed. The first one is to prepare layer 2 at both ends. As server-to-server communication within the same VLAN or network is initiated via an ARP broadcast request that will never leave the local VLAN, server-to-server communication would be impossible if one server resides in network range 10.10.10.0/24 in datacenter A and the other server has already moved to network range 10.10.10.0/24 in datacenter B. There would be no ARP reply. This is true irrespective of any routing in place. As initially all servers reside in datacenter A, layer 2 on the core switch in datacenter B needs to be prepared as follows, for each active server IP address x residing in datacenter A:

  • ip route 10.10.100.x 255.255.255.255 10.10.30.254

This is a static route to the remote server with the local access router as next hop, as it knows the route to datacenter A.

  • arp 10.10.10.x aaaa.bbbb.bbbb arpa alias

This is called a proxy ARP. The core switch interface in the server VLAN will reply with its IP address. And because a static route is also present, traffic will be forwarded to the access router and reach the server in datacenter A. So if you have 20 active servers in datacenter A, you add 20 static routes and 20 proxy ARP entries.

Let's start moving a server from datacenter A to B. At this point in time, our access router in datacenter A advertises the complete 10.10.10.0/24 network inside the WAN.

First, we verify server data/storage is in sync and up to date at both sides. The server in datacenter A is then shut down. In datacenter B we now execute the following changes, for this server x, and only for this one we now remove the static route and the proxy ARP on the core switch.

  • no ip route 10.10.10.x 255.255.255.255 10.10.30.254

This removes the static route to the remote server, as the server is now local in datacenter B.

  • no arp 10.10.10.x aaaa.bbbb.bbbb arpa alias

This removes the proxy ARP, as the active server will now reply locally.

In datacenter A, we now execute the following changes, for this server x, and only for this one we add the static route and the proxy ARP on the core switch.

  • clear ip arp 10.10.10.x

Housekeeping.

  • ip route 10.10.10.x 255.255.255.255 10.10.20.254

This adds the static route to the remote server, as the server is now local in datacenter B.

  • no arp 10.10.10.x aaaa.aaaa.aaaa arpa alias

This adds the proxy ARP, and the core switch VLAN interface will reply to the ARP request.

As the last part of the migration, we now start advertising a more specific route 10.10.10.x/24, x being the IP address of the moved server, from our access router in datacenter B. That's it, one server moved. With all servers moved, one can do the cleanup: remove the 10.10.10.0/24 route advertisement from the datacenter A access router, replace all more specific route advertisements from the datacenter B access router with the full range advertisement, and remove the specific routes and proxy ARPs that have been added to the core switch in datacenter A.
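The per-server procedure above (prepare B, then for each server: remove the alias and host route in B, add them in A) is easy to get out of step when done by hand for twenty servers. As an added example, not part of the post, the state machine below generates the command batches in the post's IOS-style syntax and checks the invariant that, at every step, each server is local in exactly one datacenter and proxied (host route plus proxy-ARP alias) only in the other. Assumptions: the host routes use 10.10.10.x throughout, the alias is added (not removed) in datacenter A at cut-over, the server IPs are constructed, and the WAN advertisement line is a placeholder because that step is platform specific.

```python
from dataclasses import dataclass, field


@dataclass
class Datacenter:
    name: str
    core_mac: str       # MAC of the core switch interface in the server VLAN
    router_lan_ip: str  # access router LAN IP, next hop for servers in the other DC
    local: set = field(default_factory=set)    # servers actually running here
    proxied: set = field(default_factory=set)  # host route + proxy-ARP alias present


def proxy_cmds(dc, ip, add):
    """Static host route plus proxy-ARP alias (or their removal), as in the post."""
    p = "" if add else "no "
    return [f"{p}ip route {ip} 255.255.255.255 {dc.router_lan_ip}",
            f"{p}arp {ip} {dc.core_mac} arpa alias"]


def prepare(dc_b, servers):
    """Before any move, datacenter B answers ARP for every server still in A."""
    cmds = []
    for ip in sorted(servers):
        dc_b.proxied.add(ip)
        cmds += proxy_cmds(dc_b, ip, add=True)
    return cmds


def move_server(dc_a, dc_b, ip):
    """Cut one server over from A to B; returns the per-site command batches."""
    if ip not in dc_a.local:
        raise ValueError(f"{ip} is not active in {dc_a.name}")
    dc_a.local.remove(ip)
    dc_b.local.add(ip)
    dc_b.proxied.discard(ip)
    dc_a.proxied.add(ip)
    return {
        dc_b.name: proxy_cmds(dc_b, ip, add=False),
        dc_a.name: [f"clear ip arp {ip}"] + proxy_cmds(dc_a, ip, add=True),
        # Placeholder, not a real command: advertising the moved host as a
        # /32 from B's access router depends on the routing platform.
        "wan": [f"<advertise {ip}/32 from {dc_b.name} access router>"],
    }


def consistent(dc_a, dc_b, servers):
    """Invariant: each server is local in exactly one DC and proxied only in the other."""
    for ip in servers:
        where_local = {d.name for d in (dc_a, dc_b) if ip in d.local}
        where_proxied = {d.name for d in (dc_a, dc_b) if ip in d.proxied}
        if len(where_local) != 1 or len(where_proxied) != 1 or where_local == where_proxied:
            return False
    return True


def run_migration(servers):
    """Drive the whole procedure; returns (command batches, invariant held throughout)."""
    a = Datacenter("A", "aaaa.aaaa.aaaa", "10.10.20.254", local=set(servers))
    b = Datacenter("B", "aaaa.bbbb.bbbb", "10.10.30.254")
    batches = [{"B": prepare(b, servers)}]
    ok = consistent(a, b, servers)
    for ip in sorted(servers):
        batches.append(move_server(a, b, ip))
        ok = ok and consistent(a, b, servers)
    return batches, ok


if __name__ == "__main__":
    batches, ok = run_migration({"10.10.10.5", "10.10.10.6"})  # constructed addresses
    for batch in batches:
        for site, cmds in batch.items():
            print(site, cmds)
    print("invariant held:", ok)
```

The invariant is what protects against the failure mode the post warns about: a server that is proxied in both datacenters (or in neither) is exactly the state in which ARP is answered by the wrong box, or not at all.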



Foundry FastIron GS 648P switch reset?

A friend of mine just bought this switch used and already configured. How can he reset and manage it?

Thanks.



Python and JunOS

For those who work in a Juniper shop, how do you change your local password?

I was using the netmiko module and a for loop to change my local account password. For Cisco and Brocade, this works, but with JunOS it does not. Not exactly sure what to do with this one.

from netmiko import ConnectHandler

# junos_list, username, password, local_username and local_password are
# defined earlier in the poster's script; they are placeholders here.
for i in junos_list:
    userssh = ConnectHandler(device_type='juniper_junos', ip=i, port=22,
                             username=username, password=password)
    la_login_cred = ('set system login user ' + local_username
                     + ' authentication plain-text-password')
    # plain-text-password prompts "New password:" and "Retype new password:",
    # so the password is sent twice inside the same configuration session.
    userssh.send_config_set([la_login_cred, local_password, local_password],
                            exit_config_mode=False)
    # Junos only applies the candidate configuration on commit; without this
    # the change is discarded when the session leaves configuration mode.
    userssh.commit()
    userssh.exit_config_mode()
    userssh.disconnect()
    print("\n\tPassword has been updated for", i)



ASR 1001-x crypto command doesn't exist

Cisco IOS XE Software, Version 03.16.02.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSAL-M), Version 15.5(3)S2, RELEASE SOFTWARE (fc2)
License Level: advipservices

Does anyone know how I can get the crypto commands enabled so I can create an ipsec tunnel?

From googling, it sounds like I need a different version of the IOS installed? Is that right and can someone tell me which version?



ICANN, RIPE, AFRINIC, ... Why non-profit organizations (NPOs)?

Hello everyone,

I would like to know why ICANN, RIPE, AFRINIC, ... "companies" can be categorized as non-profit organizations.

I ask this because, to get your TLD on ICANN, you need to pay 200.000$ (180.000$ + a value annually).
And on RIPE, for example, to get your IP range you need to pay something around 2.800€ (around ~2950$) just to get your private IP range.

The real question is not why you pay (obviously, people are working on their side) but why they are categorized as non-profit organizations.

Rgds,
>CyberIdea

I have many other questions I would like to ask, like: can ICANN delete a domain name if they are forced to by authorities? That is just an example.

About the price to create a TLD (e.g. .int, .cup, .tax, ...):

Source: https://theaudacitytopodcast.com/afilias-explains-how-to-get-your-own-top-level-domain-tld/

Non profit organization (1st line on wikipedia, desktop version)
Source: https://en.wikipedia.org/wiki/ICANN

Looks like a stupid question, but I just would like to know why they categorize these companies as NPOs.



Friday, October 19, 2018

What prevents someone from advertising ip addresses they don't own?

Doing some CCNA studying and got to BGP, and this popped into my head. Let's say you already own a /24 and have a BGP neighborship with your ISP. What stops you from just typing in another network command and start advertising a /24 you do not own as well?



802.1x with Open Encryption?

I have a project; I'm going to leave some pieces obscure, not because I think the people who would get enflamed won't immediately recognize it, but because I want the people who are unlikely to get enflamed to stay engaged to the end... Please don't just redirect me to r/AmateurRadio; They can't help me.

I want to set up a wide area, high speed wireless network; It's really a LAN, in the sense that it's a (Relatively) small number of users, connected directly to each other, sharing a small set of local (To the network) resources... But it's geographically dispersed among nodes across, say, a county. High RF power limits and custom engineered antennas are allowed by our regulatory licensing, so I'm thinking an access point on a pole on a hilltop... Ubiquiti Networks and the like have radios that seem to meet the performance requirements I seek... But, really, any hardware provider that gets the really obscure combination of protocols I need would be amazing:

However, while regulatory licensing allows high power and fancy antennas, it prohibits Codes and ciphers for the purpose of obscuring the meaning of the message... In other words, we are prohibited from protecting ourselves from eavesdropping.

However, access control is important for a number of reasons, primarily in the form of preventing the Access Point from transmitting packets on the behalf of unauthorized users. In other words, ANYONE can LISTEN to our network... But only authorized users can TRANSMIT.

Other attempts at solving my problem have either argued that the PURPOSE isn't to obscure the meaning, the PURPOSE is to control access to the network, therefore encryption IS allowed - Use WEP, publish the encryption key publicly, that way anyone can fire up Promiscuous mode and have their fun... But that really doesn't prevent transmitting even in the best case scenario.

Others argue that we have a regulatory obligation to prevent unauthorized access, that such a requirement mandates best security practice, and since it's "Not the purpose to obscure the meaning," fire up WPA2...

BUT, it's NOT the PURPOSE of encryption to authenticate the users in the first place... That's 802.1X's job. Once authenticated, we really don't need anything more than some sort of ability to hold the authorized port open...

SO, long ass background out of the way: Is it possible to use 802.1x to authenticate users and authorize access to the WiFi port, WITHOUT using any form of Layer 2 encryption, on any standards-compliant wifi hardware?



How does traceroute -a get its data?

Where or how does traceroute -a get the ASN? For example:

traceroute to cnet.com (64.30.228.118), 64 hops max, 52 byte packets
1 [AS198949] 192.168.1.1 (192.168.1.1) 2.931 ms 2.353 ms 2.399 ms
2 [AS0] 100.64.1.1 (100.64.1.1) 3.814 ms 2.975 ms 3.399 ms
3 [AS0] 100.64.0.3 (100.64.0.3) 3.443 ms 3.704 ms 3.563 ms
4 [AS20299] 186.176.192.57 (186.176.192.57) 5.403 ms 6.128 ms 4.100 ms
5 [AS20299] 186.32.0.217 (186.32.0.217) 4.345 ms 4.127 ms 2.770 ms
6 [AS23243] 190.106.192.237 (190.106.192.237) 42.834 ms
  [AS23243] 190.106.192.240 (190.106.192.240) 42.314 ms
  [AS23243] 190.106.192.237 (190.106.192.237) 43.004 ms
7 [AS0] 198.32.125.207 (198.32.125.207) 43.445 ms 45.915 ms 45.521 ms
8 [AS32787] po110.bs-b.sech-mia4.netarch.akamai.com (23.57.103.245) 53.836 ms 53.614 ms 54.332 ms
9 [AS32787] ae120.access-a.sech-mia4.netarch.akamai.com (23.57.103.249) 43.512 ms 46.006 ms 44.719 ms
10 [AS32787] 93.191.173.237 (93.191.173.237) 182.281 ms 125.422 ms 121.380 ms
11 [AS32787] a209-200-160-232.deploy.static.akamaitechnologies.com (209.200.160.232) 124.063 ms 124.289 ms 123.992 ms

This seems to happen almost instantly; how does it get the ASN so fast?



LDAP DDoSes on the rise?

Just curious if anyone else had noticed an uptick in the number of DDoSes over UDP 389 (LDAP), about half of the packets are malformed (port 0). I don't see many DDoS attacks anymore since Minecraft is less popular than it once was, but I've had two DCs hit (different customers) just this week.
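As an added illustration, not from the post: the kind of check a defender could run over flow records to spot what the post describes, a burst of UDP traffic to port 389 where a large share of the packets carry port 0. The flow records below are constructed, and the record layout, the thresholds and the reading of "port 0" as the source port are all assumptions; the code flags per-destination, per-window bursts rather than single packets so that ordinary LDAP traffic to the same DC does not trip it.

```python
from collections import defaultdict

# Constructed sample flow records (not taken from the post):
# (timestamp_s, proto, src_ip, src_port, dst_ip, dst_port, packets)
SAMPLE_FLOWS = [
    (0, "udp", "203.0.113.10", 389, "192.0.2.5", 52134, 40),    # ordinary LDAP reply flow
    (1, "udp", "198.51.100.7", 0, "192.0.2.5", 389, 900),       # burst, source port 0
    (2, "udp", "198.51.100.8", 0, "192.0.2.5", 389, 700),       # burst, source port 0
    (3, "udp", "198.51.100.9", 4444, "192.0.2.5", 389, 600),    # burst, normal source port
    (5, "tcp", "10.0.0.12", 51000, "192.0.2.5", 389, 30),       # normal TCP LDAP, ignored
    (8, "udp", "10.0.0.13", 51001, "192.0.2.6", 389, 12),       # benign UDP to a second DC
]


def detect_ldap_flood(flows, window=60, pkt_threshold=1000, malformed_ratio=0.3):
    """Return alerts for destinations that receive at least pkt_threshold UDP/389
    packets inside one window where at least malformed_ratio of them have
    source port 0. Thresholds are assumptions; tune them to the site baseline."""
    buckets = defaultdict(lambda: [0, 0])  # (dst, window index) -> [total, port0]
    for ts, proto, _src, sport, dst, dport, pkts in flows:
        if proto != "udp" or dport != 389:
            continue
        bucket = buckets[(dst, ts // window)]
        bucket[0] += pkts
        if sport == 0:
            bucket[1] += pkts

    alerts = []
    for (dst, idx), (total, port0) in sorted(buckets.items()):
        ratio = port0 / total if total else 0.0
        if total >= pkt_threshold and ratio >= malformed_ratio:
            alerts.append({"dst": dst, "window": idx, "packets": total,
                           "port0_ratio": round(ratio, 2)})
    return alerts


if __name__ == "__main__":
    for alert in detect_ldap_flood(SAMPLE_FLOWS):
        print(alert)
```

An alert of this shape is also a reasonable trigger for the usual mitigations (blocking UDP/389 from the internet at the edge where the DC has no reason to serve it), which is simpler than chasing the individual spoofed sources.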



What type of connection are SFPs? UPC or APC?

Isn't it best to have an APC connector plugged into an SFP since APC has the lowest amount of reflection and SFP is a transceiver?



Here's a question for y'all...

I know that there are three types of messages in VTP; the summary, the request, and the subset.

My question is, do all switches periodically send summaries, or just the VTP server?

My theory is this: the only device in the VTP domain that can increment the revision number is the VTP server, because it alone can make changes. If all switches periodically send summaries, they mostly get ignored, because the revision number would always be the same until the server comes along with a higher one. At that point, the clients all send a request to the tune of, "Hey, man, what changed?"

Is this theory of mine on the right track, or do I need to go back and read the chapter again?



Networking and Scripting

Hello admins/engineers.

I am a network engineer at one of the biggest ISPs in my country. I started learning Python 3 years ago and I code a lot of network scripts in Python, Flask and MySQL. It is really handy and it helps a lot day to day.

How many of you use scripting languages, which do you prefer and what libraries do you use?

Also if we can have a discussion about networking and scripting, we can share our source code and learn more from this community.



Participating in a TCP session... without actually being on the network.

Hey all, I got a weird one for you. We have a case where we need to transmit some data to an airgapped server. This server must remain airgapped, and cannot be connected to our production network.

We have a second server, that needs to send data to that airgapped server. It uses SFTP, so TCP. The airgapped server does not necessarily need to respond (it is receiving data only), but since it's TCP... if it never responds, TCP won't connect.

If it were a UDP session, I'd just connect the airgapped server to a SPAN port, and be done with it. Maybe a static ARP entry on the transmitting server, or some other trickery.

Since it's TCP though.... my only thought is to have some other server that will terminate the TCP session, and send traffic via UDP to the airgapped server. Potentially also having a companion device that would receive the UDP traffic, and initiate a TCP session with the airgapped server.

Figured I'd ask if anyone has any other ideas.



job hopping

Had another interview today; it seems like they didn't like that I am job hopping again after 2+ years. I usually leave a company after two years. Should I stop doing this? I can stick in my role right now, but I'm honestly bored now and can do this pretty quickly, so I need another challenge.

Is it wrong to job hop like this?



WiFi analyzer recommendations

I'm a long time SysAdmin now running double duty as Sys & Net Admin. Looking for some recommendations on your favorite WiFi Analyzer. I've been using WiFi Explorer on MacOS. It's OK for basics, but looking for something a little more "pro." Anybody using Netspot? InSSIDer? Or any other recommendations? Would prefer a platform that supports MacOS natively, but not a deal breaker. Can break out to Parallels when need be.



Network Setup Questions for 60 PC Commercial LAN Center Gaming Network

Looking into getting someone to set up a commercial 60 pc network for gaming. I have a few questions I was asked and I don't have much experience so I thought I would ask you guys. Thanks in advance for anyone that can help

- commercial location; main use will be online gaming

- Boston area (if important; I don't know if the ISP will impact answers)

Do I want Cat5 or Cat6 lines?

What's the best way to set it up from a security perspective?

How much bandwidth up/down would you suggest?

Managed or unmanaged switches?

Is upload/download speed the same or is one more important for online gaming?

Any opensource program similar to c_c_b00t?

(I want to avoid c_c_b00t if possible so any other suggested alternatives even paid alternatives would be appreciated)



Cisco Vulnerability: libssh Authentication Bypass

So far this vulnerability is being investigated in Cisco's ASAs, Unified Call Manager, Nexus 9000 series switches, and WebEx meeting servers.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181019-libssh



Reasonable rx/tx/session limitations on a network of around 120 people?

Hey guys,

I'm on a shared network and I've noticed that lately the internet has been strangely slow at certain times for all of my devices.

I checked the bandwidth usage on the router and there are one or two hosts hogging most of the bandwidth. One of them in particular has had up to 17,000 concurrent active sessions on the network. I'm assuming he's using some serious P2P software.

I ran some tests with an excess of programs on my own laptop and ran it up to around 500 sessions. So to combat the excessive amount of bandwidth he's taking up, I've put a session limit of 700 on the network.

My main questions are:

  • Is this a reasonable session limit?
  • What are reasonable rx/tx limitations to place on the entire network to stop this type of behaviour?

I essentially want good internet for everyone. I just don't think it's fair for someone to move in to my building and use 90% of the capacity of our network.



virtual wifi adapter to control machine & surf web?

I have a sciencey machine that is operated from a windows laptop over an ethernet cable. In attempt to break this physical tether, I stuck an old router on the machine, and connected to the router's wifi from my laptop, then told the windows program to send the commands through the wifi adapter instead of ethernet. Somehow, against all odds, it actually worked. Don't ask me how, I'm sure you know better than me.

Anyway, now I would like to surf the web with my wifi adapter, and also send commands to the machine. I think I can do this by adding a USB wifi adapter to the laptop, but I was wondering if it was possible to do this from just the built-in wifi card. Let me know if I'm making any sense. :)



Terminal access tools like SecureCRT

I am a big fan of SecureCRT and have been using it all my life. The easy access to having multiple tabs open with login scripts, and scripts to auto-save all my line configurations, make it very handy to use. That being said, they have now made it licensed software. Does anyone have any suggestions of free software that can do all the functions mentioned above? Thanks in advance.



Help validate a consultant's design

Hello, We have been working with a vendor to deploy new switches in our primary production datacenter. We are a Dell Force10 shop.

We have a stack of two older Force10 switches connected to a VLT group of two newer 10 Gbps switches via a fiber module that I think Dell said was 40 G. Everything has worked great with that setup.

We are replacing all of those switches with new Force10. Our consultant created a new VLT group of two switches and created a port channel from them to our older Force 10 stack and our newer 10 Gbps Force10 VLT group.

Every time the new switches reboot most of our servers seem to lose connectivity briefly. Our consultant has said there is absolutely no way rebooting our new switches would cause this but it's now happened on two separate occasions.

I am more of a systems guy than networking. I've never connected switches like this and wanted to see what any experts would think with this configuration because Dell seems confused as well.

Here is a rough diagram I made https://imgur.com/lQks9Px



Question on Palo Alto QOS tags

tl;dr - Isn't higher number = more priority with Layer 2/CoS QoS? Or is Palo Alto different?

I inherited a Palo Alto setup from the prior guy who inherited it from the prior guy who was (supposedly) a firewall expert. I noticed something weird with regards to the QoS config, and I'm wondering if I'm wrong or if maybe this guy wasn't the expert that I'm told he was.

Screenshot!

This is a flat L2 network, no routing anywhere, so I understand that CoS tags are appropriate. But . . . in CoS, isn't higher number = better? I thought the standard for 802.1p was 5 for Voice and 4 for Video.

Does Palo Alto do L2 QoS tagging differently, or did "that guy" have his wires crossed?



Cisco's remote root exploit of the week - libssh auth bypass - affects ASA, IOS XR, many others

Have a good Friday guys :\

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181019-libssh

Trimmed report below. Cisco has not confirmed yet which devices are vulnerable.

Summary

A vulnerability in libssh could allow an unauthenticated, remote attacker to bypass authentication on a targeted system.

The vulnerability is due to improper authentication operations by the server-side state machine of the affected software. An attacker could exploit this vulnerability by presenting an SSH2_MSG_USERAUTH_SUCCESS message to a targeted system. A successful exploit could allow the attacker to bypass authentication and gain unauthorized access to a targeted system.



Shout out to @selfuryon's Python Library netdev

I just wanted to give a shout out to @selfuryon for creating a nice easy to use library that fully leverages python's async capabilities. One of the many things I like about netdev is that it is modeled off of Netmiko which is another really easy to use library for interacting with multi-vendor devices. If you are already used to using Netmiko that familiarity will be there.

I developed a script using Netmiko that I ran the other day; this took about four and a half hours. I rewrote the script leveraging netdev and it was able to do the same amount of work in three minutes eighteen seconds. So you can obviously see the benefit of utilizing asynchronous operations in your code.

I have only touched the surface of async and look forward to learning more about it and utilizing it more often.

-LongBeachHXC



Cisco ASA and OPENDNS DNSCrypt

Hi,

Recently we tried to implement the Cisco Umbrella (OpenDNS) virtual appliances, and one of the requirements is to use DNSCrypt. They have a guide that shows you how to disable DNS packet inspection for the VA's specifically and inspect everything else.

We followed their guide on their website, but now our remote offices that need to connect to the DNS servers behind this ASA are getting timeouts. OpenDNS says that DNSCrypt is still working fine; however, nothing else which uses normal DNS is.

We followed this guide:

https://support.umbrella.com/hc/en-us/articles/230562207-Cisco-ASA-Firewall-blocks-DNSCrypt

So to get normal DNS to work, we kept everything but removed the following:

access-list dns_inspect extended permit udp any any eq domain

access-list dns_inspect extended permit tcp any any eq domain

We're trying to understand how removing those two lines makes any difference security wise, or how removing them fixed it.

Thanks.

Edit:

We added

access-list dns_inspect extended permit udp any any eq domain

again and it's still working, but it breaks when we add the same rule with TCP. Any ideas why?



Python Webex Teams Bot - can grab down devices in Solarwinds, ping, traceroute, get BGP info

A little something I wrote that maybe some of you can find helpful. It's not really the best written thing nor is it feature complete. Plus it relies partially on screen scraping (ping, traceroute, tshoot). As is, it's heavily sanitized so before you can use it, you'll have to put your relevant info in it as well as setting it up w/ Cisco.

Anyway, here it is: https://github.com/naonder/python_webex_teams_route_bot

Crappy screenshots w/ a poor attempt at masking data are in the readme.

Oh, one more thing: this was really made w/ desktop support personnel in mind. Perhaps also other infrastructure teams that don't readily have access to ways to tshoot a device or access to route information. As is, network personnel can use it (thinking middle-of-the-night alerts for a thing going down, do a quick tshoot to the device... I dunno).



Attempting to get wifi calling working.

I've beaten my head on this for a little bit now, and just need an extra set of brain cells.

I'm trying to get Wi-Fi calling working, so that associates in more basement-y locations can use their phones. However, I can't get the IPsec tunnel it uses to establish. I've grabbed a capture at the router, see the IKE_AUTH exchange, and then the mobile phone sends a Next Payload: Delete.

Firewall is FTD running 6.2.3.4. These source wifi networks have a prefilter fastpass to the /16 I've identified belonging to Verizon with a destination port of UDP 500 or UDP 4500.

When I connect through my Meraki lab (on a business Comcast connection), there's no issue here. This leads me to believe there's either a PAT issue, or possibly an MTU issue with the enterprise Cisco Wifi/WLC encapsulation. In the prod network, I do see more fragments than I do with the Meraki lab.

(For the purposes of this conversation, I'm only working on Verizon at this time, as that encompasses most of our phones)



Apple TV and channels 149 and 153 on the 5GHz wireless (x-post from /r/wireless)

Sorry if this is the wrong place to post this. We've been having wireless troubles at multiple sites for a while, and the cause seems to be excessive multicast traffic. We've disabled IPv6 on the network, which helped a little, but my boss decided today to disable channels 149 and 153 on our 5GHz AP radios, the reason being those are the channels ATVs multicast on.

I'm no wireless guru so I have to ask, that's not how wireless works, is it? Devices don't pick which radio channels to work on do they? I thought it was the AP that picked the channel.

Thanks in advance.



EnGenius ENS202 & Cloud management

Morning gents.

Preface: I'm a corporate network engineer. We're a Cisco shop; my familiarity with other platforms is passing at best. I've been voluntold by one of my bosses to help out with a new facility being set up by one of the non-profits we occasionally partner with. They apparently got a donation of EnGenius hardware, so I don't get to make recommendations, just work with it. So, this is going to be a fairly basic question for anyone who may have messed with this equipment before:

The EnGenius ENS202 access point brochure mentions creating an account with a "Cloud Captive" provider. Does that mean these are in reality lightweight APs with cloud controller/management, or can they be set up as a fully standalone solution, without an absolute need for the cloud solution?

Thanks in advance!



S2S VPN Issue

Good Morning Fellas!

Hope everyone is doing well this Friday! I have a weird thing going on with one of my site-to-sites and I can't seem to figure out what is going on.

I have a S2S between our Dallas office and Miami office. The hardware I am using is a Fortigate 60D in Miami and a SonicWall NSA 4200 in Dallas. The network setup in Miami is simple: they have a single subnet, we'll call it 192.168.1.0/24, and in Dallas we have three: 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24.

Now I did this same setup between Dallas and our New York office and everything is working correctly. But for some odd reason Miami can only establish a link to 10.1.1.0/24 and 10.1.2.0/24; it does not establish a link to 10.1.3.0/24.

If I look at the active tunnels in the SonicWall I can see that ALL of our other remote locations that we have S2Ss with have all 3 tunnels active. But Miami is the only location where I can't get all 3 networks to activate. Only the first 2.

So yeah... This is a basic setup, maybe I am missing something easy, but I went over everything and, like I said, I was able to get it to work at our remote offices. Anyway, any help or insight you all could provide would be greatly appreciated. Thank you!



Help me Identify this Fiber Connector

Can you guys confirm my thought that this is a Single-Mode Fiber SC/APC connection?

https://imgur.com/a/BELvgmf

Thanks for the help!



UK assistance needed locating a piece of hardware

Who might be able to assist me here?

I've got a commercial venue that gets OpenReach G.Fast service.

The modem that is needed for this in the UK appears to be the Huawei MT992

I can get these from Huawei, but the minimum order is 500 units. None of my usual distis carry this item.

The customer site had power outages yesterday and we think the existing supplied modem might be toast.

Who might have stock / where can I buy one? My Google-fu is not getting me anywhere useful.

suggestions very welcome...

many thanks

(I'm aware that this isn't the usual type of post for here - but it's not home networking and I hope it doesn't violate any of the other rules)



Anyone know of a good spot for recent Cisco ISE training?

Almost everything I find, whether it's YouTube, INE, CBT Nuggets, or a handful of online guides, is pre-version 2.0. Udemy had one course, but the reviews are not very kind on it. I know my way around some of it, but if you have used ISE before I'm sure most people would agree it's not the easiest thing to navigate, and the menus totally changing in the newer versions makes guides sometimes not usable without knowing exactly what you're looking for.

Anyone know of somewhere that has up-to-date training that isn't a $3000 course I have to convince my company to pay for?



DHCP - central and not Windows

Boss wants to get DHCP off Windows Server, and while I've done DHCP off switches, SD-WAN, firewalls, etc., I haven't had the greatest experience with them being as responsive, and I want everything in a central place like Windows DHCP would do.

Smallish company (well, like 600 people and soon 10 offices, vs. my last with 5k and 350 offices, where I supported network and systems by myself - for perspective).

I need a single /24 for each of the remote sites and like 4x /24 for HQ.

I've really only ever used Windows, and DHCP off network gear in a pinch, temporarily.

Anyone have suggestions on what they use/like to fill similar role?



[Question] Documenting fiber splicing

So I work for an Argentine carrier, and we've been using spreadsheets and ArcGIS to document our fiber network (network trace, splice closures and such). But still, I think there should be another way of doing this. Do you guys know any software to document the fiber splicing process? Thank you!



Restrict VPN in bridged mode (tap) to access only local LAN devices

We are using OpenVPN in bridged mode

    server-bridge 172.20.20.10 255.255.255.0 172.20.20.100 172.20.20.150
    verb 3
    key /etc/openvpn/pki/private/xxxx.key
    ca /etc/openvpn/pki/ca.crt
    cert /etc/openvpn/pki/issued/xxxx.crt
    dh /etc/openvpn/pki/dh.pem
    tls-auth /etc/openvpn/pki/ta.key
    key-direction 0
    keepalive 10 60
    persist-key
    persist-tun
    proto udp
    port 1194
    dev tap0
    status /tmp/openvpn-status.log
    user nobody
    group nogroup
    comp-lzo no
    ### Push Configurations Below
    push "block-outside-dns"
    push "dhcp-option DOMAIN xxx.ltd"
    push "dhcp-option DNS 172.20.20.4"
    push "comp-lzo no"
    ### Extra Configurations Below
    client-to-client
    topology subnet

As you can see, we are not using the redirect-gateway option, so clients are not pushed the gateway route. Anyway, this can easily be bypassed by client configuration. How can we use iptables to allow VPN clients to communicate only with local LAN devices (in the 172.20.20.x network)?

I suppose we have to change our iptables rules, which currently are as follows:

    iptables -A INPUT -i tap0 -j ACCEPT
    iptables -A INPUT -i br0 -j ACCEPT
    iptables -A FORWARD -i br0 -j ACCEPT



Best way to nail down ports and protocols used between subnets

Hello, what are some ways to accomplish this? Looking to verify the protocols and ports that are used between a DMZ and internal network off of a Cisco ASA 5525. I've done a couple of packet captures on the ASA, but the 33 MB buffer fills up in about 30 min, so it's not a great representation of all the traffic. Should I be looking into something like port mirroring?

I did just find out that asa captures can be saved as pcaps and then viewed in wireshark which is nice.
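Since the ASA captures come out as standard pcap files, the port/protocol matrix the post is after can be built offline from however many of those files you manage to collect. The following is an added example, not code from the original post: a classic-libpcap reader using only the Python standard library that reduces a capture to (source zone, destination zone, protocol, destination port) counts. TCP is counted only on the initiating SYN, so the matrix records which side opens sessions rather than the return traffic, which is what you want when writing the ACL. The two zone prefixes, the sample packets and the checksum-less headers are constructed for the demo.

```python
"""Tally the protocols/ports that actually cross a DMZ <-> inside boundary.

Classic-libpcap reader (what "copy /pcap capture:<name> ..." produces) using
only the standard library. Zone prefixes and sample packets are constructed.
"""
import ipaddress
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4           # value read with "<I" from a little-endian file
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1   # same magic written by a big-endian host
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
ZONES = {ipaddress.ip_network("10.10.10.0/24"): "dmz",      # assumed prefixes
         ipaddress.ip_network("10.20.0.0/16"): "inside"}


def zone_of(packed: bytes) -> str:
    ip = ipaddress.ip_address(packed)
    return next((name for net, name in ZONES.items() if ip in net), "other")


def iter_frames(pcap: bytes):
    """Yield link-layer frames from a classic pcap, honouring its byte order."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == PCAP_MAGIC:
        e = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        e = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack(e + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(e + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tally(pcap: bytes) -> Counter:
    """Count (src_zone, dst_zone, proto, dst_port) across the capture."""
    counts = Counter()
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != struct.pack("!H", ETHERTYPE_IPV4):
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto, l4 = ip[9], ip[ihl:]
        dport = 0
        if proto == 6 and len(l4) >= 14:
            flags = l4[13]
            if not (flags & 0x02) or (flags & 0x10):   # keep only the bare SYN
                continue
            dport = struct.unpack("!H", l4[2:4])[0]
        elif proto == 17 and len(l4) >= 4:
            dport = struct.unpack("!H", l4[2:4])[0]
        key = (zone_of(ip[12:16]), zone_of(ip[16:20]), PROTO_NAMES.get(proto, str(proto)), dport)
        counts[key] += 1
    return counts


def summarize(counts: Counter) -> list:
    """One line per observed (zones, proto, port), busiest first."""
    return [f"{s} -> {d} {p}/{port}: {n} flows"
            for (s, d, p, port), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


# --- constructed sample capture (checksums left zero; fine for parsing) --------
def _ipv4(src, dst, proto, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\x02" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + hdr + l4

def _tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def _udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _pcap(frames):
    head = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = _pcap([
    _ipv4("10.10.10.5", "10.20.1.10", 6, _tcp(51000, 1433, 0x02)),   # DMZ web -> inside DB, SYN
    _ipv4("10.20.1.10", "10.10.10.5", 6, _tcp(1433, 51000, 0x12)),   # SYN/ACK back: not counted
    _ipv4("10.10.10.5", "10.20.1.10", 6, _tcp(51001, 1433, 0x02)),
    _ipv4("10.20.1.50", "10.10.10.5", 6, _tcp(40000, 443, 0x02)),    # inside -> DMZ https
    _ipv4("10.10.10.5", "10.20.1.53", 17, _udp(53001, 53)),          # DMZ -> inside DNS
    _ipv4("10.10.10.5", "10.20.1.53", 17, _udp(53002, 53)),
])

if __name__ == "__main__":
    for line in summarize(tally(SAMPLE_PCAP)):
        print(line)
```

For real captures, read each saved file with `open(path, "rb").read()` and add the resulting Counters together; the 33 MB buffer limit then only determines how many files you collect, not what you can learn from them. Anything that shows up as "other" is traffic from a prefix you did not expect on that interface and deserves a look before the ACL is written.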



wifi for a B&B, switch and PoE Access points or mesh wifi?

Need a connection for eight small apartments to be used as a small residence.

It's a rectangular construction (steel structure with aluminium frames for drywall and mineral wool) measuring almost 400 square meters, and will be used by presumably a max of 30 people with smartphones, tablets, notebooks and so on.

I'll need the connection mostly for my guests, and I'll provide a gigabit one; will a simple setup with 2 or 3 Wi-Fi mesh routers suit my needs, or do you think that it's better to stay with a traditional setup with a PoE switch and PoE access points?

Note that I'll need to place the APs in the central hallway. I was thinking about 2 or 3, each of those serving a couple of suites.

Last thing, the management: from what I've understood, with the mesh it should be something like set and forget, while the switch should require some tinkering. Will it be "makeable"?

Any hints or thoughts about advantages or drawbacks, or which technology I should use, will be appreciated.

Thanks in advance for any help.

Fuca



SD-Wan to Handle a throttled connection

https://ift.tt/2AideSk



Documenting IPsec tunnels

Hey all,

I'm looking at documenting all of my IPsec tunnels into some fancy document but I'd love some advice as to what information to keep in that document (and what kind of document? A simple .txt file or an Excel spreadsheet?). One thing I know I want is contact information to whoever runs the tunnel on the other side.

Do any of you have something like this already and would be willing to share it with me?

Thanks!



one wavelength mentioned on a Single mode SFP optical transceiver.

I have a Cisco optical SFP transceiver which supports single-mode fibre. It is written that it supports a 1550nm wavelength, but that confuses me because it was my understanding that single-mode fibres have bidirectional channels on the same fibre and each channel has a different wavelength, like 1550nm Tx and 1490nm Rx, and those SFP transceivers come in pairs, that is:

  1. TX: 1550nm, RX: 1490nm
  2. TX: 1490nm, RX:1550nm

What does the single wavelength mean on the transceiver ?



Thursday, October 18, 2018

Transfers from 10Gb nodes across VPN MUCH slower than 1Gb nodes

I'm having an issue with file transfers between two sites across a 1Gbps Site-to-Site IPsec VPN. If I initiate a file transfer from a node in Site 1 that is connected to the network at 10Gb, I get about 1/3 the speed compared to transfers from clients connected at 1Gbps. This is only an issue across the VPN as connections between 10Gb and 1Gb nodes on the LAN are at line speed. It also only happens when going from Site 1 to Site 2. Site 2 to Site 1 has no issues. However, Site 2 has no node connected at 10Gb.

I've done a packet capture when doing one of these transfers from a 10Gb node in Site 1 to Site 2. I'm seeing dropped packets, lots of TCP re-transmissions, and the TCP window size remains small since the TCP protocol is clearly not reading the connection as "smooth." The question is...Why?

** FYI, it's not an MTU or QoS issue, as I'm using standard MTU (no jumbo packets anywhere) on all devices/NICs along the path and no QoS is configured.



Ruckus ZoneDirector question?

Question for guys with experience with Ruckus ZD: so we're setting one up with a bunch of APs for a client. I really haven't touched Ruckus before and I'm at the junior level. I'm in the very initial phase of setup. I see that there's a built-in guest network feature, and I'm confused whether this guest network does everything itself, as in the VLANing, DHCP, etc., because I don't see a DHCP feature. I'm confused on how it'll assign an IP address if it isn't allowed to touch the regular network traffic.

Can anyone attempt to clear this up for me? Do we still need to create VLANs on the switches and a firewall interface, etc.? Need to set up a 2nd DHCP for this network? Or does this guest feature do it all? Trying to get by this without asking the engineers too many questions. Appreciate any answers, thanks.



Question about switch and 2 internet lines redundancy

I've got a question about switches and BCP: switch + 2 incoming internet lines = redundancy and no interruption if one fails?

Hello

I am early in my IT career. Most of my knowledge and experience is on the software side. I am working on something. I have never worked with a switch. I am trying to decipher their network diagrams. They have 2 incoming internet lines (from the same company, though) and they have many different devices. Internet 1 goes to items A, B, C and Internet 2 goes to items D, E, F. If Internet 1 goes down, does that mean A, B, C will automatically jump onto Internet 2, by way of the automated feature of the switch (hence the name "switch")?



Do ISPs specifically de-prioritize SDWAN traffic?

Stumbled on this as I did some diving in wireshark today:

Inbound Internet traffic, directly from the Comcast cable modem, to one of our VeloCloud boxes, is marked DSCP8/CS1 scavenger.

Got me wondering: is Comcast intentionally de-prioritizing SDWAN traffic as a competitive tactic?

The CS1 traffic was all 2426/udp, which is an IANA-registered port for VeloCloud's Multipath protocol.



Cisco FXOS and NX-OS Software Link Layer Discovery Protocol Denial of Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-fxnx-os-dos

Vulnerability on FXOS and NX-OS platforms where LLDP packets with certain TLV values can cause the system to crash.



wifi

Does using the same frequency (like 20 MHz or 40 MHz) on different radios (5 GHz or 2.4 GHz) change data throughput? Which is better, for example: using 20 MHz on 2.4 GHz vs. using 20 MHz on 5 GHz?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Command line BGP Trace tool?

Anyone know of a command line tool that will do a BGP Traceroute that can also convert IPs to ASNs? I am aware of traceroute -a, but I can't just give it an IP and get an ASN out of it.

Thanks!



Employer pushing to use training budget. Considering Python classes... Recommended courses or should I use the budget for other things?

My employer has a $2500 training budget that I can utilize for anything pertinent to my position. I have been doing the free version of /u/ktbyers' automation course and, while it is good, I haven't been sticking with it as much as I want to for a variety of reasons (new job, moved cross-country, etc., etc.). I know that he is doing a ~$900 course... well, evidently today. Not sure if I'd make the deadline, nor what difference there is between the free and the paid training.

Are there any other Python classes that this sub recommends? Outside of Python, certification-wise the only way for me to go would be something in Palo Alto or on F5s. I already have my NP R/S and don't want to go for NP:Sec based on the current exam state. My org is currently pretty weak on F5 experience, so it'd be cool to learn, but they're also at square one for automation (hardware config deployments are still Notepad docs).

Cheers



DNS and VPN

I take care of a small office where some staff need to VPN from home. Right now the SonicWall firewall is taking care of VPN access server duty.

Now, what hostname should I use for public/private dns? I'd like to choose the best combo for least conflict in the future.

Public DNS is company.com (points to website)
Local and Active Directory DNS is hq.company.com (points to domain controller)

should my public hostname (pointing to WAN address) be:

vpn.company.com
vpn.hq.company.com
or
hq.company.com



Questions about DCF.

Hi,

So I have a general understanding of DCF, mostly from the book 802.11 Wireless Networks: The Definitive Guide. I have a couple of questions, though; I've looked them up on the internet but couldn't find anything.

  1. What differences does DCF have in 5 GHz vs. 2.4 GHz networks?
  2. What differences does DCF have in 802.11ac vs. 802.11n networks?

Please note that I am not asking anyone to explain the two above. Any sources leading to anything related to what I'm looking for are appreciated. That said, I'll also appreciate an explanation; there's no discrimination. (Had to clarify the last bit.)

Thanks,



Comcast ENS - 4 Site setup

I am being tasked with a Comcast MAN/ENS setup for our network. I understand it is pretty much a big L2 connection, but what do you think is the best way to set this up? I am thinking dynamic with OSPF would be best, but wanted to hear if anyone had any different opinions. Currently it's pretty much 4 offices that have ASAs ranging from 5506s to 5545s at each site that hand off into switches -- other than at the main office, which is L3 switch to ASA.

Comcast ENS --

Site A - 172.20.10.1

Site B - 172.20.10.2

Site C - 172.20.10.3

Site D - 172.20.10.4

and the internals for this office would range from 10.1.x.x to 192.168.x.x's

Kind of stepping into this setup, as I have dealt with MPLS with OSPF internally before, but was wondering: should this OSPF be dropped in at the ASA level, just exchanging those Comcast ENS IPs across and talking that way, or is there another way? Documentation on configurations for ENS looks few and far between. Appreciate any input.



Getting Android and iOS to prioritize DNS 1 before trying DNS 2 on local network

Hello!

I have a home server with an SSL cert. I have a few web applications that I leave publicly accessible, but a good amount are internal only. As such, I set up a DNS server on my router to handle local connections for my server.

So going to example.com is given my public IP over the internet but at home it translates to my private IP.

For DNS advertising, my router has its own IP as DNS 1 and a public one for DNS 2.

This solution seems to be working just fine on my computers. My Android and iPad are not using DNS 1 most of the time and seem to flip-flop. Sometimes, when I load the internal web app, it works fine, but even on reloads it can fail because it used DNS 2. Even when manually specifying in the settings, it doesn't necessarily try DNS 1 before attempting DNS 2.

I also have a VPN set up. When I VPN into my network, the internal pages load properly 100% of the time.

How could I force my mobile devices to try a specific DNS first while it is on the local network?



R2CP/DLEP Vendor Support

Howdy All!

Have any of you ever run across microwave radios that actually support R2CP or DLEP? I have a lot of fiber connectivity with microwave secondary links in my various networks, and it seems like something that could be used to really fine-tune our IGP on those links... I am also curious if any of you have used these before, and if they are actually as helpful as they sound.

I have run across a few pages for feature requests on both Ubiquiti's and Mimosa's web pages, but not much more.

Thanks!



Python to crawl through HP switch and set description of interfaces with LLDP switch neighbor names and if the port is a Wireless AP

https://github.com/thewozza/configDescriptions_HP

You could do this by hand but that is super boring.

This script goes through a switch and figures out if the LLDP neighbors are switches, and if they are it writes the neighbor name in the interface description.

If it is an AP, it just sets the description to "WirelessAP". This customer has a mix of Meraki and Ubiquiti APs. Meraki APs speak LLDP, so that's easy. The UniFi APs do NOT speak LLDP, so I pull the MAC table, do a manufacturer lookup for anything that says "Ubiquiti", and then mark those ports as "WirelessAP".

Once all the relevant ports have useful descriptions on them, when I add them to the NMS we'll know what is actually happening on the network.

This particular customer has 150+ Procurve APs of varying vintage, and no network management. They're all in one big VLAN on every site, it's kind of a mess but it is a fun project bringing them through the decades of network design one small iteration at a time. I think right now they're in the 90s because we got IP addresses on all the switches, and STP enabled. Whee!
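The logic described above (LLDP bridge neighbours get the peer's name, ports with a Ubiquiti OUI in the MAC table get "WirelessAP") is short enough to show in full. The following is an added example, not the linked repository's code. It works on already-parsed records, which you would gather with Netmiko or similar, rather than on raw switch output, so the CLI format is not assumed; the three Ubiquiti OUIs, the sample records and the ProCurve-style `interface`/`name` command syntax are assumptions for the demo, and for real use you would load the full IEEE OUI list. One point the post does not mention and that matters once this runs unattended: the LLDP system name is whatever the neighbour chose to send, so any host on an access port can put arbitrary text there. The name is therefore reduced to a safe character set and length before it is spliced into a configuration command.

```python
"""Derive interface descriptions from LLDP neighbours and MAC-table OUIs.

Works on parsed records; sample data and the OUI subset are constructed.
"""
import re

# Constructed subset of Ubiquiti OUIs; load the IEEE registry for real use.
AP_OUIS = {"dc9fdb": "Ubiquiti", "f09fc2": "Ubiquiti", "24a43c": "Ubiquiti"}
UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def oui(mac: str) -> str:
    """Normalise any MAC notation (aa:bb:cc..., aabb.ccdd..., AA-BB-...) to its
    first six hex digits, lower-case."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())[:6]


def sanitise(name: str, limit: int = 32) -> str:
    """Make a neighbour-supplied name safe to place in a CLI line: drop quotes,
    spaces, semicolons, newlines and anything else outside alnum/._-, and cap
    the length the switch accepts. An LLDP peer controls this string."""
    return UNSAFE.sub("", name)[:limit] or "unknown"


def plan_descriptions(lldp, mac_table) -> dict:
    """lldp: [{"port", "sysname", "caps"}], mac_table: [(port, mac)].
    Returns {port: description}. LLDP wins; OUI lookup only fills ports
    that have no LLDP-derived name."""
    desc = {}
    for n in lldp:
        if "bridge" in n["caps"]:
            desc[n["port"]] = sanitise(n["sysname"])
        elif "wlan-ap" in n["caps"]:          # APs that do speak LLDP
            desc[n["port"]] = "WirelessAP"
    for port, mac in mac_table:
        if port not in desc and oui(mac) in AP_OUIS:
            desc[port] = "WirelessAP"
    return desc


def to_commands(desc: dict) -> list:
    """ProCurve-style port naming commands (assumed syntax)."""
    cmds = []
    for port in sorted(desc):
        cmds += [f"interface {port}", f'   name "{desc[port]}"', "   exit"]
    return cmds


# Constructed sample input: one hostile sysname to show the sanitiser at work.
LLDP_SAMPLE = [
    {"port": "1", "sysname": "core-sw-01", "caps": {"bridge", "router"}},
    {"port": "2", "sysname": 'evil"; reload; "', "caps": {"bridge"}},
    {"port": "3", "sysname": "meraki-ap-12", "caps": {"wlan-ap"}},
]
MAC_SAMPLE = [
    ("4", "dc:9f:db:12:34:56"),   # UniFi AP, no LLDP
    ("4", "00:11:22:33:44:55"),   # wireless client bridged behind that AP
    ("5", "0011.2233.4466"),      # plain workstation, left alone
    ("1", "f0:9f:c2:00:00:01"),   # AP behind the core switch: port already named
]

if __name__ == "__main__":
    print("\n".join(to_commands(plan_descriptions(LLDP_SAMPLE, MAC_SAMPLE))))
```

Only the planned `{port: description}` map should ever reach the device, and generating the commands separately from applying them makes it easy to diff the plan against the running config before pushing anything to 150 switches.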



Monitor CUCM without using RTMT

We are a two-man shop for a school district, and any way we can work smarter makes our lives way better. I have 8 dashboards and systems to monitor and often don't get to them every day. I would love to watch CUCM data with other systems in Nagios, Grafana or something similar. I probably will end up looking at a filtered syslog. I tried using SNMP and only got a few IO stats. A buddy at a Cisco partner and Google both gave nothing encouraging on getting the meat of RTMT into any NMS. Before I give up, I was hoping to pull at one last straw. Have any of you monitored CUCM (in detail) with anything other than RTMT?



Packet loss occurs only with sizes over 100?

Hi, has anyone here encountered this issue?

Packet loss occurs only with sizes over 150 or 200, while pinging with a size of 100 works perfectly?

Here's the simple scenario:

VLAN10,20,30 (RTR1) ----TRUNK-------(PROVIDER)--------(RTR2)VLAN30

VLANs were assigned in different locations. Now the only issue is with VLAN 30 specifically, which excludes troubleshooting between RTR1 and the local loop provider. Tshooting should be done between the provider and RTR2.

What would be the issue with this ping size?

  1. No congestion seen on RTR2
  2. Running hardcoded 100/full
  3. No rate limit
  4. CPU normal

Thanks



Help verifying proper MTU/MSS config on both sides of a Cisco to PA IPsec tunnel

I want to verify that both ends of our VPN tunnels properly account for IPsec overhead, to avoid fragmentation.

Our branch offices tunnel all traffic via IPsec, from a Cisco ISR, to our central PA-5050 appliance.

I don't see any MTU- or MSS-related config on either end (Cisco ISR or PA). I've dug into configuration guides for both vendors, and I don't see anything that clearly states one should explicitly account for encapsulation overhead in my specific use-case. But my doc-fu is still strengthening, so I could have easily missed something.

I think the Cisco end accounts for the overhead automatically, without the need of explicit mtu or ip tcp adjust-mss interface config. Notice "plaintext MTU" is 1446, accounting for the 54-byte IPsec header:

    interface: GigabitEthernet8
        Crypto map tag: VPN, local addr 96.XX.XX.XX

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       current_peer 205.XXX.XXX.XXX port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 220891623, #pkts encrypt: 220891623, #pkts digest: 220891623
        #pkts decaps: 332790940, #pkts decrypt: 332790940, #pkts verify: 332790940
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 3096

         local crypto endpt.: 96.XXX.XXX.XXX, remote crypto endpt.: 205.XXX.XXX.XXX
         plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet8
         current outbound spi: 0xFF506E00(4283461120)
         PFS (Y/N): N, DH group: none

The PA side, however, looks like it has totally default MTU/MSS settings on the respective tunnel interface:

    austindcc@PA-5050> show interface tunnel.3
    --------------------------------------------------------------------------------
    Name: tunnel.3, ID: 261
    Operation mode: layer3
    Virtual router vr1
    Interface MTU 1500
    Interface IP address: 172.XX.XX.XX/32
    Interface management profile: Management Profile
      ping: yes  telnet: no  ssh: no  http: no  https: no
      snmp: no  response-pages: yes  userid-service: no
    Service configured:
    Zone: vpn, virtual system: vsys1
    Adjust TCP MSS: no
    Tunnels associated:
      MyVPNTunnelObject
    --------------------------------------------------------------------------------

If I had to guess, I would say I should set the PA's tunnel.3 interface's MTU to 1446.

But this PA KB article says "For IPSec traffic, the Palo Alto Networks firewall will automatically adjust the TCP MSS in the three-way handshake. This will happen irrespective of the Adjust TCP MSS option enabled on the VPN external interface."

But the article goes on to explain how to manually adjust MTU "if...the firewall was not adjusting MSS as per ESP overhead."

So I'm confused. Is the PA accounting for ESP overhead? If so, how can I know for sure? If not, what should I do about it?
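The "54-byte IPsec header" in the post is really 1500 minus the 1446 the router reports, and the true figure depends on the transform set: the IV length, the cipher's padding alignment and the ICV length all change it, and NAT-T adds an 8-byte UDP header on top. The following is an added example, not from the original post or from either vendor's documentation. It applies the ESP tunnel-mode framing rules (outer IPv4 header, SPI and sequence number, explicit IV, padding, 2-byte trailer, ICV) to compute the largest inner packet that fits a given path MTU, and the TCP MSS that follows from it. The Cisco-style transform names are used only as labels; the per-transform sizes are the standard ones. Running it shows that 1446 is what a 1500-byte path yields for both 3DES/SHA1 and AES-GCM with a 16-byte ICV, while AES-CBC/SHA1 gives 1438 and NAT-T lowers each figure further, so the number to check against the firewall is the one for the suite actually negotiated, not a fixed constant.

```python
"""IPsec tunnel-mode overhead, plaintext MTU and TCP MSS per transform set.

ESP framing per RFC 4303; transform names are labels, sizes are standard.
"""
from dataclasses import dataclass

IP4_HDR, TCP_HDR, UDP_HDR = 20, 20, 8
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header


@dataclass(frozen=True)
class Transform:
    iv_len: int    # explicit IV bytes carried in the ESP payload
    align: int     # encrypted region (inner packet + pad + trailer) is a multiple of this
    icv_len: int   # integrity check value bytes


TRANSFORMS = {
    "esp-3des esp-sha-hmac":     Transform(iv_len=8,  align=8,  icv_len=12),
    "esp-aes esp-sha-hmac":      Transform(iv_len=16, align=16, icv_len=12),
    "esp-aes esp-sha256-hmac":   Transform(iv_len=16, align=16, icv_len=16),
    "esp-gcm (16-byte ICV)":     Transform(iv_len=8,  align=4,  icv_len=16),
}


def esp_len(inner_len: int, t: Transform, nat_t: bool = False) -> int:
    """Bytes on the wire for a tunnel-mode ESP packet carrying inner_len bytes."""
    enc = inner_len + ESP_TRAILER
    pad = (-enc) % t.align
    return IP4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + t.iv_len + enc + pad + t.icv_len


def plaintext_mtu(path_mtu: int, t: Transform, nat_t: bool = False) -> int:
    """Largest inner packet that still fits path_mtu after encapsulation.
    Padding makes the overhead depend on the inner length, so search downward."""
    inner = path_mtu
    while esp_len(inner, t, nat_t) > path_mtu:
        inner -= 1
    return inner


def tcp_mss(inner_mtu: int) -> int:
    """MSS to clamp so an inner IPv4/TCP segment never exceeds the inner MTU."""
    return inner_mtu - IP4_HDR - TCP_HDR


def report(path_mtu: int = 1500) -> dict:
    """{(transform, nat_t): (plaintext MTU, MSS)} for every transform."""
    out = {}
    for name, t in TRANSFORMS.items():
        for nat_t in (False, True):
            mtu = plaintext_mtu(path_mtu, t, nat_t)
            out[(name, nat_t)] = (mtu, tcp_mss(mtu))
    return out


if __name__ == "__main__":
    for (name, nat_t), (mtu, mss) in report().items():
        nat = "yes" if nat_t else "no"
        print(f"{name:<27} NAT-T={nat:<3}  plaintext mtu {mtu}  tcp mss {mss}")
```

To use the result: compare the router's `plaintext mtu` with the value for the negotiated transform (shown by `show crypto ipsec sa` on the Cisco side), and if the far end does not clamp MSS itself, the MSS figure is what to configure on the tunnel interface so TCP never produces packets that need fragmenting after encapsulation.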



Purchase More Bandwidth vs. Implementing SD-WAN

It seems that, perhaps as a response to the proliferation of SD-WAN solutions, ISPs have substantially reduced their prices or started offering substantially more bandwidth for the same price as what one is currently paying. Have other people noticed this?

I bring this up because, in getting pricing for a variety of different SD-WAN solutions, the cost savings seem to be almost entirely on the basis that one can cancel/reduce the expensive bandwidth (MPLS, DIA, etc.) and replace it with inexpensive bandwidth such as cable/DSL. In addition, you will supposedly get better or the same overall performance through bonding/load balancing as you would with the more expensive options.

However, in some recent price quotes I have obtained for both DIA connections and SD-WAN solutions, I have noticed that when you compare some ISPs' pricing options to the SD-WAN hardware and ongoing subscription fees, one doesn't appear to be saving much money. In some instances it might actually be more costly to go with an SD-WAN solution.

Aside from this, the SD-WAN solutions seem to always be licensed by throughput. In a few different vendor quotes that I have seen, 100Mbps might be around a $2,000-$3,000 annual license/subscription fee. For that amount of money, is it even a better return on one's investment than simply purchasing or increasing the speed on an MPLS/DIA circuit? I think it is reasonable to ask that question, especially considering one would have substantially more bandwidth than 100Mbps in many cases.

I have seen quotes recently for 100Mbps DIA for as low as around $500/month. One could pair that with a broadband connection of 300Mbps/20Mbps for around $250/month. That would seem to be a pretty good or arguably better value than an SD-WAN option that is capped at 100Mbps.

What does everyone else think?



multiplexing an incoming stream to a secondary network

I have a closed caption system that will send out captions over an IP address and UDP port to a single location, but I would like to multiplex it to other locations. Right now I have the caption hardware sending it to my Ubuntu server on port 10010, but I would like to send this along to a secondary address off network.

Currently I grab it using:

    socat -lf /dev/null udp4-listen:10010,reuseaddr,fork stdout >> captions.txt

So... my question is, how can I take the incoming packets, record them to a text file and then send them out of my Ubuntu server to another network solution on the same or a different port?
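One way to do both things the post asks for, receive once, append to a file and re-send to any number of other receivers, is a small relay in place of the socat listener. The following is an added example, not code from the original post. It also does one thing socat's listener does not: it only accepts datagrams from the caption encoder's address, because a UDP port open on the server will happily take input from any host that can reach it, and whatever arrives would otherwise be written into the caption log and fanned out downstream. The source IP, sink addresses and the sample datagrams are placeholders constructed for the demo; note that UDP source addresses can be spoofed, so this is a sanity filter to pair with a firewall rule, not a substitute for one.

```python
"""Receive a UDP caption feed, append it to a file, fan it out to other receivers.

Addresses are placeholders; demo() runs the handling path offline.
"""
import os
import socket
import tempfile
from pathlib import Path


class CaptionRelay:
    """Log every datagram from the caption source and forward it to each sink."""

    def __init__(self, allowed_src: str, sinks, logfile):
        self.allowed_src = allowed_src             # IP the caption encoder sends from
        self.sinks = [tuple(s) for s in sinks]     # [(host, port), ...]
        self.logfile = Path(logfile)

    def handle(self, data: bytes, src_ip: str) -> list:
        """Return the (destination, payload) pairs to send for one datagram.
        Datagrams from any other source are dropped and not logged."""
        if src_ip != self.allowed_src:
            return []
        with self.logfile.open("ab") as fh:        # raw bytes: captions may carry control codes
            fh.write(data if data.endswith(b"\n") else data + b"\n")
        return [(sink, data) for sink in self.sinks]

    def serve(self, listen=("0.0.0.0", 10010)):
        """Blocking receive loop: one listener, one outbound copy per sink."""
        rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        rx.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        rx.bind(listen)
        tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        while True:
            data, (src_ip, _port) = rx.recvfrom(65535)
            for dest, payload in self.handle(data, src_ip):
                tx.sendto(payload, dest)


def demo() -> dict:
    """Exercise handle() with constructed datagrams and a temporary log file;
    returns how much was forwarded, how much was dropped, and the log bytes."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    os.close(fd)
    try:
        relay = CaptionRelay("192.0.2.10",
                             [("203.0.113.5", 10010), ("198.51.100.7", 20010)], path)
        sent = relay.handle(b"CC1: caption line one", "192.0.2.10")
        dropped = relay.handle(b"bogus", "192.0.2.99")      # not the encoder
        sent += relay.handle(b"CC1: line two\n", "192.0.2.10")
        log = Path(path).read_bytes()
    finally:
        os.unlink(path)
    return {"sent": len(sent), "dropped": len(dropped),
            "destinations": sorted({d for d, _ in sent}), "log": log}


if __name__ == "__main__":
    print(demo())
    # Live use (replace addresses):
    # CaptionRelay("192.0.2.10", [("203.0.113.5", 10010)], "captions.txt").serve()
```

Because the source check happens before the write, a flood from an unexpected host costs one comparison per datagram and never touches the disk or the downstream receivers. Adding or removing destinations is a change to the `sinks` list only.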



Spanning tree re-convergence on LACP links

Hi,

I am currently in the process of bringing up a backup link that broke before but is now fixed.

We currently have two LACP trunks, see below example

Primary Link

Core 1 Core 2

C10 ------------>C10 TRUNK 15

D10 ------------> D10

Backup Link

Core 1 Core 2

E10 ------------>E10 TRUNK 25

F10 ------------>F10

Now the primary link is obviously the active link right now, and what I want to know is, if I now input the command to bring up the LACP trunks, will this force a re-convergence of both trunks / bring down the current primary while it does so?

Thanks

EDIT: The spanning tree priority for both trunks that run over this is 4

Core 1

spanning-tree trk15 priority 4

spanning-tree trk25 priority 4

spanning-tree priority 0

Core 2

spanning-tree trk15 priority 4

spanning-tree trk25 priority 4

spanning-tree priority 14



Alternative IPSec VPN service in AWS

Hello,

I was wanting to use the AWS managed VPN service to interconnect our partners/providers to our VPC resources through IPsec tunnels, but there are some annoying limitations:

- AWS VPN is a responder only VPN

- AWS VPN doesn't support IKEv2

- AWS VPN cannot establish outbound NAT rules, as requested per some partners

Do you have good experience with a custom-made IPsec VPN service that, in addition to the above prerequisites:

- is easy to operate (e.g. creation of new tunnels via a web interface)

- can be used in a multi-AZ deployment, possibly with clustering options

- is fairly cheap :)

Thanks for your feedback :)



Ansible for Ruckus ICX

Anyone have any custom connection modules for Ruckus ICX? Looking for something like ios_command and ios_config, and to be able to parse output and use Jinja templates.

My boss tried to contract a developer to write the module, but they were not well suited for this kind of work and were incapable of doing it. I know Netmiko has "limited testing" with ICX/FastIron devices, but I was hoping maybe someone out there adapted it into Ansible. To add, there is an older, unfinished GitHub repo from Kirk Byers to bring Netmiko to Ansible, but due to its age I suspect it is incomplete/incompatible.

If anyone has one to share, it would be appreciated. Otherwise, is there anyone out there who is capable of writing such a module for my employer? If so, please PM what you think it would cost, we have an approval for some funds already.

Thanks



Do I need a POTS line for 911 service for shared facilities?

More specific:

I've got two facilities about 10 miles from each other, connected directly to each other with fiber. Basically set up to be a long Ethernet cable.

The phone systems at each facility can communicate to each other freely. More or less, when a phone call goes out from facility 2, it's routed back to facility 1 and then hits the outside world.

Is there a way to have the address information at facility 2 populate if someone dials 911? Or will it only display the information for facility 1? I've been told that I need a POTS line at facility 2, but I've also been told I didn't. Not sure who's right.

Thanks folks.



Velocloud and Solarwinds NTA

Happy Thursday Networking Peeps,

Has anyone had success in getting NetFlow from a VeloCloud device into SolarWinds NTA? There is very little documentation on this, and given the lack of CLI access to the VCE device, we cannot apply the typical SolarWinds NTA config. We also noticed that SNMPv3 on VeloCloud only supports AES/DES, while SolarWinds' SNMPv3 options are MD5/SHA1.

Thanks for your attention!



Solution to wireless problems

Good day. I have problems with the wireless infrastructure in the company I work at. They have a "wireless controller" which consists of squid, dhcpd and firewalld. As you can see, it is a "handmade" WLC and not very effective. I am not very good with wireless, but AFAIK it is used to unify the wireless infrastructure.

Currently, thousands of MAC flaps occur daily. I think it is because roaming isn't functioning properly or something. We use TP-Link and Cisco access points throughout the 5-story building.

I am not really good with wireless, so any help from /r/networking would be useful. If there's an effective and easy-to-use open source WLC, please let me know. I've heard of OpenWISP and some other lesser known alternatives, but I'm not sure if they'll help solve the problem.



Which is the WAN interface?

Trying to get our thresholds configured properly in Nagios, I need to know which interface on a router is typically the WAN interface. We use Cisco and Fortigate firewalls/ASAs.

https://i.imgur.com/9LvAZJu.png



Going nuts with a network loop issue

Hi everyone!

Sorry to bother you guys, but I'm having a network loop issue that is driving me crazy, since it's also happening while I have to help deploy a new application for my company.

It's a small office network (20 workstations, 3 ip phones), with the ISP router (locked up to all hells), unmanaged 24 port TP-Link switch (TL-SG1024), and 5 unmanaged 2 port TP link switches connected to the bigger switch, that connect to the workstations.

Around the same time every day, the cabled network crashes with what is apparently a network loop, due to the link lights blinking rapidly and at the same time. Since I can't access either the router or the switch, I've tried to unplug every cable from the switch and plug them back one by one to find out which one was causing the loop, and, to my surprise, after plugging them all in again, waiting 5 minutes between each cable in case the loop took a while to happen, the loop still did not happen until the next day at around the same time.
I've also checked that no cable in the network is plugged on both sides in any switch or ethernet port.

Is there anything else that I'm forgetting to check? I'll welcome any suggestions! Thank you all!



Can't come up with a thesis title.

Hey guys, I'm a final year student at MDX University and am having trouble coming up with a title for my thesis. I'm studying BSc. Computer Networking and need to come up with a thesis title by next Friday, everything I find online is too vague and not specific enough. If anyone here could suggest some interesting thesis titles it would be great, thanks :)



POTS line monitoring solution?

https://ift.tt/2CpRDZm

Help please! Openvpn to socks5, how to setup server?

To the mods: I posted here yesterday, but it has not yet passed moderation because my account is too young. So I read "You are welcome to resubmit your thread or comment in ~24 hrs or so" and am trying to resubmit now.

Here is my post (slightly modified)

Hello guys! Can you help me?

I have multiple VPS: SERVER1 with openvpn , SERVER2 - just ssh, SERVER3 - socks5, etc

I want to connect to OpenVPN with the same client config (without any edits on the client side), but get my exit IP from SERVER2/SERVER3/etc. and be able to change it quickly.

I think that I must set up a transparent proxy that redirects all traffic through a local socks5 (SSH tunnel from SERVER1 to SERVER2) or a remote socks5 (SERVER3).

CLIENT (permanent openvpn config) - SERVER1 (VPN tun0) - SERVER1 (LOCAL TRANSPARENT SOCKS5) - SERVER2 (SSH TUNNEL) - INTERNET

or

CLIENT (permanent openvpn config) - SERVER1 (VPN tun0) - SERVER1 (LOCAL TRANSPARENT SOCKS5) - SERVER3 (REMOTE SOCKS5) - INTERNET

Is there any way of redirecting UDP, or just TCP, available? I read that it may be possible to use shadowsocks-libev as a transparent UDP proxy - https://github.com/shadowsocks/shadowsocks-libev / https://hub.docker.com/r/gists/shadowsocks-libev/ , but I can't understand how to set up the routing properly.

I found this

    #!/bin/sh
    _trans_port="9040"   # port the local transparent proxy listens on
    _int_if="tun0"       # interface the VPN clients arrive on
    # DNS from the VPN clients is sent to the local resolver on port 53
    iptables -t nat -A PREROUTING -i $_int_if -p udp --dport 53 -j REDIRECT --to-ports 53
    # every other new TCP connection from the VPN clients goes to the transparent proxy
    iptables -t nat -A PREROUTING -i $_int_if -p tcp --syn -j REDIRECT --to-ports $_trans_port

"By the way, remember this code. This is a universal way to redirect all traffic from a given network card through a transparent proxy" (r)

How can I do this? What port number do I need to set up?

Can you post practical examples?

Thank you.
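As an added example, not part of the original post and not code from shadowsocks-libev: the following script generates the nat-table rules for the "SERVER1 (VPN tun0) - SERVER1 (LOCAL TRANSPARENT SOCKS5)" leg that both layouts above share. The interface name tun0, the proxy port 9040, the DNS listener port 53 and the VPN subnet 10.8.0.0/24 are assumptions passed in as arguments. It also assumes a transparent TCP proxy (ss-redir, redsocks or similar) is already listening on the proxy port: REDIRECT only rewrites the destination, the proxy itself has to recover the original destination from the socket (SO_ORIGINAL_DST) and forward it over the SSH tunnel or to the remote socks5.

```shell
#!/bin/sh
# Added example (not from the post): build the iptables rules that turn SERVER1
# into a transparent proxy for everything arriving on the OpenVPN interface.
# Arguments: IFACE TCP_PROXY_PORT DNS_PORT VPN_SUBNET (all placeholders, e.g.
# tun0 9040 53 10.8.0.0/24). With DRY_RUN=1 (the default) the rules are printed
# instead of applied, so the output can be reviewed without root or iptables.

DRY_RUN="${DRY_RUN:-1}"

# Print or execute one iptables command.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# redirect_rules IFACE TCP_PORT DNS_PORT VPN_SUBNET
# Rule order matters: the RETURN rules must precede the REDIRECT rules, or
# traffic that should stay inside the VPN (or go to other private space) would
# also be bounced into the proxy.
redirect_rules() {
    iface="$1"; tport="$2"; dport="$3"; subnet="$4"

    # Own chain, so it can be flushed without touching other NAT rules.
    ipt -t nat -N VPN_REDIRECT
    ipt -t nat -F VPN_REDIRECT

    # Client-to-server and client-to-client traffic on the VPN is not proxied.
    ipt -t nat -A VPN_REDIRECT -d "$subnet" -j RETURN
    # Neither is anything aimed at private address space (assumption: the
    # clients should not reach RFC1918 destinations through the exit hop).
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -t nat -A VPN_REDIRECT -d "$net" -j RETURN
    done

    # DNS over UDP and TCP goes to the local resolver that answers through the
    # proxy, so names are not leaked via SERVER1's own uplink.
    ipt -t nat -A VPN_REDIRECT -p udp --dport 53 -j REDIRECT --to-ports "$dport"
    ipt -t nat -A VPN_REDIRECT -p tcp --dport 53 -j REDIRECT --to-ports "$dport"

    # All remaining TCP goes to the transparent proxy. --syn limits the rule to
    # connection setup; established flows already have a conntrack entry.
    ipt -t nat -A VPN_REDIRECT -p tcp --syn -j REDIRECT --to-ports "$tport"

    # Hook the chain onto packets entering from the VPN interface.
    ipt -t nat -A PREROUTING -i "$iface" -j VPN_REDIRECT
}

# Usage: DRY_RUN=0 sh transparent-proxy.sh tun0 9040 53 10.8.0.0/24
if [ "$#" -eq 4 ]; then
    redirect_rules "$@"
fi
```

Other UDP is deliberately left alone: a nat REDIRECT does not give the proxy enough to recover the original destination of a UDP datagram, which is why the shadowsocks-libev ss-redir UDP mode relies on TPROXY rules in the mangle table instead; that is a separate rule set from the one above.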



Pairing FPGA with a QSFP range extender

I am trying to connect the FPGA with a QSFP Range Extender from 10Gtek (http://www.10gtek.com/qsfp-extender) (CVT-OEO-Q/4S1C)... basically the QSFP port from the FPGA goes into the range extender and the SFP ports from the extender can be collected at the destination.

In this setup I am seeing very inconsistent results, that is, sometimes the links come up but sometimes they don't.

If I try to connect the FPGA to the destination using a DAC QSFP splitter cable, then things work just fine.

Also I have tested the Range Extender with an Arista switch. That is, the SFP from the Arista goes into the QSFP of the extender box and its output goes back into the Arista. This setup works fine as well.

Only the FPGA + QSFP extender setup is flaky. Please help with this issue.



Women in Networking

When I took the R&S NetAcad courses (up to the CCNP level) and then passed my CCENT with a 960, I was told that there are only about 2% women in Networking. Is this really true? There are some disadvantages and advantages of being a woman in a male-dominated field, and I'm trying to get a feel for what it's going to be like as I embark on my journey :-) I'm also getting close to taking my CCNA and Net+, and work as an IT break/fix person right now to round out my knowledge. I thought about posting this in the itcareers subreddit, but this question is specifically about Networking ... Thank you :-)



Active Directory and Firewalls

I'll try not to make this ranty as I actually want advice, but from a network PoV. The senior server guy has said that Microsoft now states that they only support an open network in both directions to every domain controller from any Windows server, as there are too many ports required. We are currently working towards micro-segmentation and securing our data center, including renewing our perimeter firewalls. For reference, although all our Windows servers are behind the firewall on private IPv4 addresses, there are no upstream firewalls or IDS/IPS in front of our perimeter firewall. Straight onto the Internet.

With the view of everything allowed access to and from the domain controllers, I feel like we're opening a big hole to one of the most important components of our infrastructure internally, especially if one of the machines is compromised, and I'm finding it hard to see what the point of even being involved in the micro-segmentation project is if we just have permit any any rules to large pieces of the network.

So my question is, what do you currently do to restrict access to DCs (if at all) and is the server guy correct with his statement about open access to and from DCs?
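As an added illustration, not from the post or any reply to it: this is what a least-privilege member-server-to-DC policy looks like when written as iptables rules on a Linux filtering router sitting between a member-server segment and the DC segment. The two subnets are placeholders passed as arguments. The port list is the set Microsoft documents for AD DS clients (DNS, Kerberos, RPC endpoint mapper, LDAP/LDAPS, global catalog, SMB, kpasswd, NTP and the dynamic RPC range); verify it against your Windows version and any extra roles your DCs carry, and note that DC-to-DC replication needs its own rules between DCs, which this example does not cover.

```shell
#!/bin/sh
# Added example (not from the post): member-server -> domain-controller
# allowlist as iptables FORWARD rules. Arguments: MEMBER_NET DC_NET, both
# placeholders (e.g. 10.20.0.0/24 10.10.0.0/24). DRY_RUN=1 (the default)
# prints the rules instead of applying them.

DRY_RUN="${DRY_RUN:-1}"

# Print or execute one iptables command.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# allow PROTO PORTSPEC SRC DST
# Stateful: only NEW connections from SRC to DST match here; replies ride on
# the ESTABLISHED rule below, so the DC -> member direction stays closed. If a
# DC-initiated flow shows up in the log, add it explicitly instead of opening
# the whole direction.
allow() {
    ipt -A DC_ACCESS -p "$1" -s "$3" -d "$4" --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
}

# dc_rules MEMBER_NET DC_NET
dc_rules() {
    members="$1"; dcs="$2"

    ipt -N DC_ACCESS
    ipt -F DC_ACCESS

    # Return traffic for anything already allowed, in both directions.
    ipt -A DC_ACCESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Member -> DC, documented AD DS ports.
    for p in 53 88 389 464; do          # DNS, Kerberos, LDAP, kpasswd: TCP and UDP
        allow tcp "$p" "$members" "$dcs"
        allow udp "$p" "$members" "$dcs"
    done
    for p in 135 445 636 3268 3269; do  # RPC endpoint mapper, SMB, LDAPS, global catalog
        allow tcp "$p" "$members" "$dcs"
    done
    allow udp 123 "$members" "$dcs"     # NTP (W32Time)
    # RPC dynamic range on Server 2008 and later. Narrow it further by pinning
    # the NTDS and Netlogon RPC ports on the DCs if your server team agrees.
    allow tcp 49152:65535 "$members" "$dcs"

    # Everything else between the two segments, either direction: log, then drop.
    ipt -A DC_ACCESS -j LOG --log-prefix "DC_ACCESS drop: "
    ipt -A DC_ACCESS -j DROP

    # Only traffic between the two segments enters the chain.
    ipt -A FORWARD -s "$members" -d "$dcs" -j DC_ACCESS
    ipt -A FORWARD -s "$dcs" -d "$members" -j DC_ACCESS
}

# Usage: DRY_RUN=0 sh dc-allowlist.sh 10.20.0.0/24 10.10.0.0/24
if [ "$#" -eq 2 ]; then
    dc_rules "$@"
fi
```

Running it with DRY_RUN=1 first lets the server team review the exact list; once applied, the LOG line at the end of the chain is what shows which flows the "open both ways" stance was really hiding.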



Network Interface Cards depend on range (length) of optical link ?

I know that transceivers depend on ranges. Different transceivers support different lengths of optical link. For example Cisco GLC-BX-D20 SMF transceiver support 20 km of optical link.

I am not sure that NICs also depend on range/length of optical link.



rancid - show password in configs

Hello there,

We have been using rancid to back up our switches, but the issue is that anywhere a password or an SNMP community appears, it shows as "<removed>". Is there any way to show the actual password in plain text?



IPSEC Tunnel between two clouds while DirectConnect is already there?

Hi All,

I'm currently facing an issue that I'm trying to solve, and I'm kind of stuck on how to fix it. So maybe you guys have a great idea.
Situation is as follows :

We have a dual-cloud setup, AWS & Azure, connected to each other with a DirectConnect/ExpressRoute connection for internal traffic, working fine. But the DirectConnect is limited to only 200Mbps and is used for some critical internal communication that we don't want to disturb. For a project we need to transfer some pretty massive files between the 2 clouds, so we want to set up a new connection between the 2 clouds, but with IPsec this time.

So I created 2 machines, one on either side. The strongSwan IPsec tunnel is up and running fine, but the routing is a pretty massive issue, because both sides can route all the traffic. Example: if I'm on a machine in Azure and I ping test.internal it will resolve to 172.0.0.x, but if I do the same on an AWS machine it will also resolve to that IP.

So the question is : How do we get the routing through the tunnel setup correctly now? Any ideas or tips?



Wednesday, October 17, 2018

Has anyone else been as screwed by ARP suppression and windows clusters as hard as I am right now?

Windows cluster won’t failover because arp suppression replies to arps causing windows to detect duplicate IP and not failover. Even if you just shutdown one of the machines it won’t failover until arp times out in the switch which stops the vxlan network from being able to do arp suppression. This clears windows thinking there is a duplicate IP and it will finally failover.

This can also be reproduced by simply trying to move an IP from behind one VTEP to a secondary IP on a Windows box behind some other VTEP. Windows will mark it as a duplicate but NEVER install it, even after ARP clears out.

PS Arista doesn’t have a way to turn it off yet.

Edit: Bit more details on topology.

Arista EVPN fabric MLAG shared VTEPs Symmetric IRB (with the routing VNI)

To temporarily resolve this until Arista has a way to disable ARP suppression, I've moved these gateways back out of EVPN IRB and bridge the traffic over the fabric to a pair of switches that hold the GW for these few VLANs.



Which cloud computing/networking path to take?

I work in a system integrator. The powers that be have decided all PMs should have at least 1 technical certification.

I am thinking of CCNA + something cloudy. Most of the time I do network infra (Cisco, F5 etc) project management.

Any recommendation for which path to take as an intro to cloud computing/networks?

AWS, Azure, Google or Akamai etc



anycast

What are some disadvantages of anycast? also speak specifically to connections

I got asked this in an interview. I know that one of the reasons is that a stream can change mid-connection, but I want to make sure I understand the underlying issue here. In unicast addressing, if an address is pulled for whatever reason, the route to that destination is revoked from the BGP routing tables and essentially disappears, so you'll never end up elsewhere accidentally. Your packet won't make it to the destination and will time out and get dropped. But in anycast, because several "destinations" are all advertising the same address, if any one of those destinations pulls its announcement, the packets will change direction mid-connection to the next "closest" anycast-announcing destination, and since that destination doesn't have a connection established for that particular flow, it could be detrimental to an uninterrupted connection. TCP retransmissions would increase, for example.

Is that an acceptable answer/ explanation or did I miss something important in why this issue is worse in some ways than in unicast addressing



Preparing to build a Deploy-able Music Festival WiFi Network - Give me your thoughts!

I work as a SysAd in the USAF and frequently travel to help my brother produce music festivals.

Most of the time I don't help him with IT work, (I do bar/site logistics, equipment operation) until last year when he lost his normal IT guy. I offered to step in and assist (Point of Sale tablets, WiFi/3G+4G Uplinks) - that was when I found out just how absurd the prices he was paying for everything. I won't get into that, but I decided to propose a site plan for a deploy-able WiFi solution that I will pre-configure and manage at any show that I work, but can remotely manage for shows that I am not/make it straight forward for him to hire someone in my stead.

- I apologize in advance, as brevity is not my strong suit. (Will throw some TL:DRs in where I can)

Here are the requirements:

  • Handle 20-80 Clients (75% of them being Point-of-Sale tablets that are each intermittently performing transactions).
  • There will only be 15-25 Clients using any meaningful bandwidth at any given time - but the P.O.S. tablets do add up.
  • Must work on Either Local ISP connection that is minimum 1000ft away (without cable) or 4G LTE as a primary/backup.
  • Minimal Cat5/6 runs, mainly due to the limitations of cable protection at a music festival site that primarily operates in the winter time. (p2p links for backhaul are what I'm primarily focusing on)
  • Expandable for larger sites, but not a PIA to setup for a smaller venue.
  • Weatherproof (Snow and Rain common), Durable, Reliable
  • Portability (within reason) - I will have to stow all of this in hard-cases (ie Pelican) in between shows and possibly fly with some of it cross-country from time to time. Otherwise it will be thrown into a crate - put on a truck - and wait for the next festival or sit in storage for +/- 6 months.
  • Cost is a factor, as I will likely be funding most / all of this initially and have them lease it from me in addition to paying me for the work of setting it up / maintaining it. Eventually we might talk about them purchasing it from me.
  • My primary concern is interference from 4-7k worth of festival goers each with a cell phone in their pocket. Previous solutions for their mobile internet have been atrocious (the hardware the company sent was trash though).
  • Budget $1500-$2000
**TL:DR - # 1 : Bandwidth needs are not high for 20-80 clients, mostly Point-of-Sale. Must work largely cable-less (p2p+mesh). ISP not guaranteed at any site, 4G LTE will be primary or backup. Weatherproof, Portable (ish), Good at handling interference.

Aside from my basic Wi-Fi experience, I have read probably a hundred posts on r/msp, r/networking, r/Ubiquiti and perused many different sites regarding product specs, cost, use cases etc. So I have a rudimentary knowledge of Wireless / RF / Site-planning. From what I've gathered, Ruckus, Aruba, Meraki are out of my price range overall. I have to cover too wide of an area to buy so many APs from them. Ubiquiti is the direction I am currently pointed, until something presents itself that makes sense for my implementation.

**TL:DR - # 2 : I are not the smarts. I did a read. Many Reddits. Little Monies. Ubiquiti seem gud.

This is what I have thus far:

(Progression of my brainstorming for several months) - In the words of Doc Brown, "I apologize for the crudity of this model..."

Site Map A - Layout #1 : https://imgur.com/pZkUC0F
Site Map A - Layout #2 : https://imgur.com/3ti7DIA
Site Map B (Blank): https://imgur.com/C6x1XLu
Site Map B - Heat map #1 (2.4 Ghz): https://imgur.com/en1GiAo -(Unify Legacy Map)
Site Map B - Heat Map #2 (5 Ghz): https://imgur.com/0TltSyT -(Unify Legacy Map)
Site Map B - Heat Map #3 (2.4 Ghz): https://imgur.com/jfjRQim -(Unify Designer Map w/Walls)

Parts Breakdown

QUANTITY  ITEM                                                                    COST PER  TOTAL
2         Ubiquiti UAP-AC-M-PRO                                                   $175      $300
1         Ubiquiti UniFi Security Gateway (USG)                                   $113      $113
8         Ubiquiti UAP-AC-M Mesh AP                                               $92       $736
1         Ubiquiti Cloud Key (UC-CK)                                              $78       $78
2         Ubiquiti EdgeRouter X 5 port                                            $50       $100
-- P2P Solution --
2         Ubiquiti NanoBeam ac19, airMAX Bridge 19dBi                             $100      $200
1         Ubiquiti LiteBeam AC 5GHz 802.11ac 120 Degree 16dBi MIMO                $100      $100
-- 4G LTE Solution --
1         MOFI4500-4GXELTE-SIM4_COMBO                                             $314.99   $314.99
-- Extras --
1         (Extra for Mesh PRO) Ubiquiti POE-48-24W 48VDC 0.5A PoE Adapter         $18       $18
2         (Extra for Mesh / Beam) Ubiquiti POE-24vdc 24W 1Amp                     $16       $32
3         NCElec Weatherproof Flat Cat6 RJ45, 32AWG, 1.0 Gbps (50 Foot, White)    $10       $30
12        Net_Cafe Weatherproof Flat Cat6 RJ45, 32AWG, 1.0 Gbps (15 Foot, White)  $7        $84
                                                                                  TOTAL     $2105.99

**TL:DR - # 3 : (2ea) AC Mesh PRO AP , (1ea) Security Gateway, (8ea) AC Mesh AP, (1ea) Cloud Key, (2ea) Edge 5 port Router, (2ea) Nanobeam AirMAX Bridge, (1ea) LiteBeam 120 deg MiMo, (1ea) MoFi 4G LTE Router, a Few extra PoE, and a smattering of Cat6 weatherproof. (in WHITE!)

*Phew* - I think that's as far as I've made it--I'm sure my numbers are off in places and the maps don't accurately portray this list yet.

All through Amazon may not be the best route (it's mostly for reference).

I have also wondered if it would make sense / if it's possible to just do p2p wireless bridges all over the place. But I think that might be overkill. I think the number of access points I have might be overkill as it is.

-- -- --

Thanks for reading and I'm open to thoughts / suggestions / criticisms!



IPSEC (IKEv2) Anyconnect VPN

Does anyone have a good resource for setting this up successfully in a lab environment? I'm able to do SSL VPN, and get an inside IP assigned (as expected), but I can't seem to do it with IKEv2.

Most guides and videos I'm finding on IKEv2 are referencing site to site, and not Anyconnect. My attempts so far end up with me getting an error of "login failed" or another one I can't quite remember at the moment, but was something like "login method unauthorized" or something similar.

I really need to get this working, as I need to deploy it in production in a couple of weeks.

Relevant info:

Cisco ASAv with latest code

Latest Anyconnect package (device and client machine)

If anyone has a decent guide or other resource, I'd love to dig in. I've been digging through everything I can find for the last couple of days with not much for results.



Anycast / BGP friendly dedicated hosting data centers?

Hello all,

I asked last year around this time and found 6 great hosts that we continue to work with; I hope this isn't considered spam, so I'll ask again. Does anyone know any data centers that offer dedicated boxes with BGP sessions? The purpose is our anycast-based DNS service.

I will already say thank you to the folks who will link to the articles from greater than a year ago, often these articles are out of date with respect to this type of service. It seems many DC's change their opinions on offering this type of service on a whim.

Thanks

D



OSPF route issue with 2 isp's

I am using the track feature for the intelligence on when a circuit goes down. When circuit 1 goes down it inserts the route for circuit 2 properly. However, when circuit 1 comes back online it does not reinsert that route. So I am stuck with asymmetrical routing. I manually clear the route and it will then insert the route for circuit 1 and traffic will flow properly.



Random slowdowns caused by cloudflare?

We have a vendor running a special event for us. They have done this for others before and all has been well, but this time they just added Cloudflare.

We are seeing random slowdowns of page loads, like pages taking 30 seconds or more, and these issues last for a few minutes then go away.

The vendor is seeing everything as fine on their servers.

Also there are basically no 502 pages, just really slow.

I don't have access, but the vendor is so so. So I am trying to troubleshoot from outside.

Has anyone seen things like this with cloudflare? I know I'm not giving much to go on.



Any Ruckus Customers Having Issues With Captive Portal Not Popping Up On iOS or OSX?

Two SSID's on Ruckus controller that have captive portal logins. Login browser opens automatically on Windows, ChromeOS, and Android but not on OSX or iOS. Anyone else have this issue? I have a ticket open with support and they had me send packet captures from an OSX machine to see if they can figure out what's going on but I wondered if anyone else had seen this.



Firepower Tasks Stuck in 'Running' for 70 days

Anybody ever run into this? I've got two policy applies apparently stuck running for 70 days... but they've actually completed. The person who pushed them out said he checked at the time and they had applied successfully.

Before I buy a bunch of beer and call TAC, was wondering if anyone might have a quick fix.

https://i.imgur.com/YwJCnbW.png



Multi layer switch Cisco Packet Tracer Help

This is the network topology for reference: image

I'm having an issue with this lab assignment I have been given. What I have successfully done is:

  • Configure MS0 as a dhcp pool for all the devices
  • All devices connected to MS0 are able to get addresses
  • Configure all the host ports to their appropriate vlan segments
  • Gig0/1 of both MS0 and MS1 are configured as trunk ports

What I am not able to accomplish that is required:

  • The devices on MS1 are supposed to get an address from MS0, but I am unable to figure out how to configure ip helper in this scenario. Gig0/1 is not supposed to have an address and therefore I don't have a clue how the DHCP packets are supposed to be forwarded to MS0.

  • The devices in MS0 are not able to ping the devices in MS1. In the lab instructions we are not supposed to put any routing protocols between them. There was no further instruction on how to get the pings across with no routing protocol

All PCs are supposed to be able to ping each other and the internet.

Any help with how to configure the problems above would be greatly appreciated.

Thanks!



Older switches vs newer switches. Any substantial benefits for a small, niche company?

I'm wondering what are the downsides of buying older networking switches, compared to newer ones.

We have minimal needs, maybe 10 devices per switch, 1Gbps links, with the option to upgrade to fiber at some point. The only real feature I care about are VLANs.

What benefits will I see investing in new equipment, as opposed to buying a HP ProCurve 2824 off eBay?

For just a bit more information, we only create LANs for small clusters of computers, no internet, no VOIP, only a couple VLANs to segregate some hardware specific protocols.



802.1x CoA with MDA (PC behind a phone) and remediation/mitigation VLAN.

Hi, trying to find a proper solution to a problem I came across when deploying the following topology: PC -> phone -> switch, both endpoints authorized using 802.1x EAP-TLS. During posture evaluation for PCs it is sometimes necessary to send a CoA to the authenticating port in order to bounce the port, hence moving the PC to the mitigation VLAN. My problem is that the CoA action only flaps the port, causing both the phone and the PC to reauthenticate, BUT the PC stays with the same address. The phone itself is powered by PoE and therefore my PC can't sense the port bounce command. Now my PC is stuck on the remediation VLAN without any connectivity :/

Can you think of some workaround for that?