Saturday, October 27, 2018

BGP VPNv4 Route Reflectors and Next Hops

So I know in VPNv4 peerings the next-hop (in iBGP) is automatically set. I also know that if you throw in RRs that the code is smart enough to know the RR clients shouldn't receive VPNv4 routes with their NHs changed. Obviously we don't want traffic going through the RRs. Now here is what I don't get.

If I have 2 RRs (redundancy yay) and they peer only via VPNv4 (regular iBGP VPNv4) why is their NH not modified when they share routes? I know it's working out of the box because I didn't need to do it in my lab. I just want to know the mechanisms as to why or how they know they are RRs and between each other. Is it because they are passing routes with originator IDs and they do some type of internal check (wild guess)?

Also, bonus question :D I've found some documentation stating that the RR should have LDP enabled, but I've found that you don't need it as long as the RR is out of the data plane/path. Can someone confirm?



IPMI is Dope

When building a homelab, don't underestimate the usefulness of IPMI.

Just ended up needing to make a quick network interfaces change, and instead of going to the basement, digging out a VGA cable and keyboard, hooking up the monitor, and camping down there for 10 minutes, I popped open IPMIView and it was done in a few minutes from my desk.

Not critical, but quite nice.



(ESXi 6.5) Can someone please help me? I forcefully added a datastore (partition?) onto my local ATA disk and now I cannot access my computer other than through VMware. I can pay $5 for any kind of solution (college student)

I'm a college student and just started getting into networking. I messed up badly while trying to forcefully create a datastore, and I did it on my local ATA SanDisk (I think my hard drive?). I'm a complete noob, and I was very dumb to do this.

Now my partition diagram shows 232.38 GB on VMFS and 63 KB free space. I have no idea what I did.

When I try "Clear Partition Table" so I can get my free space back and access my actual computer again, it gives me "Failed, cannot change the host configuration" and "Failed to clear local ATA Disk".

Now, when I boot up my computer it goes directly into VMware, and when I try to boot manually it says it cannot boot and restarts my computer.

Did I just throw away my computer? If anyone can help, thank you so much.



Got myself and anyone else kicked out of a customer switch.

I've managed to screw the AAA by removing the authentication statement, had to raise an emergency change and reload the switch to get back to square one. 👏🤬



The right setup for a comm rack

Hello everyone, I'm about to set up a comm rack with switches, organizers, servers and a SAN. Which is the right setup for this in your experience?

Please advise.



Monoprice CAT6

Anyone used these cables before? I have a crap ton of patch cables I need to buy for between the edge switches and patch panel. I am suspicious about the quality at that price, but can't overlook it as an option. https://www.monoprice.com/product?c_id=102&cp_id=10232&cs_id=1023201&p_id=2115&seq=1&format=2



Anybody using BGP-LS for monitoring links?

Hi everyone. My network consists of a large number of microwave links forming IS-IS adjacencies between routers (Juniper ACX)

I am currently using netconf to monitor the state of all of these adjacencies - but it's slow and puts a somewhat heavy load on the CPU of the routers.

I'm thinking about using BGP-LS at a few points in my network and writing some software to parse the data. This way I am not actively polling every router to get adjacency state.

Is anyone doing this? Any gotchas to using BGP-LS for monitoring?



Anyone using VXLAN in campus environment?

We're planning a refresh for a somewhat large campus network, and were thinking about whether we could/should do it with VXLAN.

There would be quite a few different segments that are terminated on the central firewall (for security and compliance reasons), so having ACLs on switches or doing VRF-lite doesn't seem very feasible. Compared to running MPLS, it would make addressing easier as all the addresses in the same segment could come from the same IP subnet.

Not really sure if we should include remote sites in the fabric, as most sites have only a couple of different segments. Originally we had plans to use small remote-site FWs, but we could of course just do a remote-site VNI and connect it to the FW in the central site. Remote sites would have 100-1000 Mbps connectivity to the main site. We're using MPLS connections from two different ISPs and they support an MTU of around 1638 or something. (Here private MPLS lines are cheaper than internet connectivity, so SD-WAN wouldn't help us.)

Any thoughts? Thanks



Which basic services should (or should not) an ISP provide in 2018?

Besides the obvious IPv4/IPv6 connectivity and local DNS servers, what basic services do you think an ISP should provide as part and parcel of Internet service?

ISP email service used to be a thing, but it's become superfluous as people get their email from an online service provider, host their domains or run a mail server.

Things that should not be part of the required basic services are:

  • content filtering (Hello Utah!)
  • customer firewalls
  • ...

How proactively should ISPs protect their network and counteract known bad actors? For example use drop lists for spammers, botnets, malware and trojans to curtail connectivity?

For the sake of discussion we can ignore legally mandated services (CALEA, etc.) as this differs depending on jurisdiction and normal business services (billing, customer service, etc.).



In case you missed it, Juniper have put out the SRX4600: A 100Gbps single RU firewall

Pretty insane if you ask me. No word yet on whether it's x86 vSRX-powered like the 4200 architecture, but I wouldn't be surprised.

https://www.juniper.net/us/en/products-services/security/srx-series/srx4600/

That 1RU form-factor, so hot right now.



802.11N/AC Broadcast channelization

Troubleshooting some multicast video related issues. I saw someone mention that multicast is only sent on the 20 MHz primary for 802.11n or 802.11ac. I cannot find anywhere that dictates this in IEEE or CWNA documents. Is anyone aware of this? It makes sense to me, as if a broadcast/multicast got sent and the client wasn't 40 or 80 MHz capable they would never see it.



Odd slowness on 6506-E with Sup720-3BXL - post 10G upgrade

This really has me stumped... But here goes. I have a Sup720 6506-E with a few BGP peers. Everything was fine, then I decided to upgrade one of my 1G peers to 10G. So I bought a 4-port Xenpak module, WS-X6704-10GE, with DFC, so it shows up as CEF720, the rest looks like this:

    router#sh module
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      1     8 8 port 1000mb ethernet                 WS-X6408-GBIC      SAD03432184
      2     8 8 port 1000mb GBIC Enhanced QoS        WS-X6408A-GBIC     SAD042102V9
      3    48 48-port 10/100 mb RJ45                 WS-X6148-RJ-45     SAL0752RE8Q
      4     4 CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAL13442VZ2
      5     2 Supervisor Engine 720 (Hot)            WS-SUP720-3BXL     SAL12330437
      6     2 Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAD0951034L

Cogent is on module 4, my other 1G peers are on modules 1 and 2. We take partial routes, so well within the 512k default limit, but close like 390k IPv4 and 55k IPv6.

As soon as we upgraded the Cogent link to 10G, we noticed that on any given test session we can only reliably do about 20 Mbps outbound. When I say test session I mean I grab a server here that's not doing anything and upload a 100 MB file to a random server I have in the cloud; the cloud server is also barely loaded, with a good network. The upload maxes out at 20 Mbps. Here's the kicker: if I open, say, 4 SSH terminals and do the upload-to-cloud test 4 times concurrently, each upload still maxes out at 20 Mbps, but because I have 4 going at once my net throughput is 80 Mbps.

Inbound traffic to my router is unaffected; inbound tests maxed out close to 100 Mbps.

What the hell could be going on? This router is a very basic edge router setup with BGP, has been running for years. Literally, only thing changed was adding the 10G card and turning up my 10G Cogent peer.

Any ideas?



Logger Product

We are developing two new products: 1. Data Logger, 2. Log Manager.

Data Logger:

  1. Monitoring RS485 (RTU, TCP/IP) [e.g. monitoring a weighing system]
  2. Monitoring Serial Port
  3. Collecting and storing IOT Data and Visualise

Log Manager:

  1. Monitoring Windows Active Directory, SQL, printers
    1. login success/failure events, account creation/deletion
    2. table, database, schema creation/deletion/update
    3. who printed, number of pages printed
  2. Monitoring disk space and sending notification
  3. Monitoring Printer status
    1. paper availability
    2. low toner
    3. jammed
    4. door open

Here is our question: what are the requirements for a sysadmin/admin/network admin in a Data Logger/Log Manager?

Is this helpful to you? Based on your inputs we will add features to our products.

Thanks



Options for Multicast and Encryption over WAN (L3VPN and VPLS)

Looking for someone to confirm my thought process on the options below.

  1. L3VPN w/ DMVPN - Multicast (replicated unicast) and encryption possible.
  2. L3VPN w/ GETVPN - Multicast not supported, unless provider has multicast enabled core. Original header preserved; provider can't forward multicast destination. Encryption/auth possible.
  3. VPLS w/ DMVPN - Multicast (replicated unicast) and encryption possible.
  4. VPLS w/ GETVPN - Multicast (replicated unicast) possible and encryption possible natively with GETVPN independent of service provider multicast core.



Unknown forwarded ports: Teredo, Demonware

Under the port forwarding option on my router, well, there's money for these two specific names, Teredo and Demonware, and I don't know what these are for, and I feel like they may be viruses. Does anybody know what these programs are?



Best 2-post rack with wire management

We are moving sites, and have the opportunity for a greenfield redo for our network equipment racks. The current racks at our old site are 2-post Chatsworth with no vertical wire management channels between them, and some bolt-on horizontal wire management. When we build out the new site, I’d like to do a much better job on the racks. What do folks like in 2-post racks with wire channels between them? I need one rack for network equipment, and 2-3 for 48-port patch panels.

I also have a Cat4510 with 6 48-port 1G modules and two empty slots in this site; was thinking of pre-wiring 8x48-port patch panels to the switch so that the cables into the switch are all pre-wired and neatly bundled, and they never have to be messed with when we make moves/adds (did this in another site, and greatly helped to alleviate the typical wire mess into the chassis switch.) This would take another patch panel rack to implement, then switch port interconnects to the floor jacks would be patch panel to patch panel. Good idea, or a waste of rack and panels? (I just can’t seem to make my co-workers run cables neatly...)



BGP site of origin - seems unnecessary

Here's the topology:

https://www.cisco.com/c/dam/en/us/td/i/200001-300000/230001-240000/230001-231000/230446.ps/_jcr_content/renditions/230446.jpg

Can someone show me a topology where this is actually required? Everything I look at seems like it's just not necessary, even when using AS-OVERRIDE because eventually the loop is prevented. I can see it being helpful in a case where EIGRP is the backdoor link routing protocol but then the SOO needs to be maintained. If you configure an SOO with the same ID at both sites you end up losing redundancy. Configuring a different one works but loop prevention should kick in too.



WS-C3560E-24TD-S with SFP uplink

I have a very simple question for Cisco people.

Have a WS-C3560E-24TD-S switch. My ISP in the colocation is upgrading my link to 200 Mb from 100 Mb. For some weird reason, anything above 100 Mb requires fiber optics (multimode or single mode).

To be able to connect it to my WS-C3560E-24TD-S, what do I need?

CVR-X2-SFP + X2-10GB-SR

There are so many options here that it confuses me: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3560-e-series-switches/prod_bulletin0900aecd805bac33.html

Thanks.



How knowledgeable are you guys as sysadmins? Can you do advanced Windows Server and Linux stuff? And at which point does it become irrelevant for a sysadmin to learn Cisco (CCNP, CCIE)?

Do you guys think that SDN could hurt Cisco or replace it inside the datacenter (private or public cloud too, etc.)?



Google Cloud is now supporting private DNS zones



Friday, October 26, 2018

I wrote a custom youtube-dl extractor for Cisco Live videos

u/m1xed0s asked about how to download Cisco Live videos. Nobody had a great answer, and it turns out I was wrong-- youtube-dl couldn't download anything from https://ciscolive.cisco.com/on-demand-library/

So I took it as a challenge to write some Python. Submitted the pull request to the main repo, but I expect it to take time before the code is merged.

It's not as feature-rich as other extractors, but it gets the job done.

You do NOT have to log in to your Cisco account :)

You can wait for the merge, or run my branch directly:

    $ git clone -b ciscolive git@github.com:austind/youtube-dl.git
    Cloning into 'youtube-dl'...
    remote: Enumerating objects: 32, done.
    remote: Counting objects: 100% (32/32), done.
    remote: Compressing objects: 100% (21/21), done.
    remote: Total 91088 (delta 17), reused 23 (delta 11), pack-reused 91056
    Receiving objects: 100% (91088/91088), 51.35 MiB | 22.15 MiB/s, done.
    Resolving deltas: 100% (67022/67022), done.
    Checking connectivity... done.
    Checking out files: 100% (917/917), done.
    $ cd youtube-dl/
    $ python -m youtube_dl https://ciscolive.cisco.com/on-demand-library/?search.event=ciscoliveus2018#/session/1509501642762001PaDs
    [ciscolive] 1509501642762001PaDs: Downloading JSON metadata
    [brightcove:new] 5803751938001: Downloading webpage
    [brightcove:new] 5803751938001: Downloading JSON metadata
    [brightcove:new] 5803751938001: Downloading m3u8 information
    [brightcove:new] 5803751938001: Downloading m3u8 information
    [brightcove:new] 5803751938001: Downloading m3u8 information
    [brightcove:new] 5803751938001: Downloading m3u8 information
    [brightcove:new] 5803751938001: Downloading MPD manifest
    [brightcove:new] 5803751938001: Downloading MPD manifest
    [hlsnative] Downloading m3u8 manifest
    [hlsnative] Total fragments: 662
    [download] Destination: 1 Video Delivery Technology to Rule Them All; Adaptive Bitrate Streaming-5803751938001.fhls-487-3.mp4
    [download]   4.5% of ~278.70MiB at 17.32MiB/s ETA 01:04


Ethernet Cable Stripper?

What happens when two ethernet cable strippers are dancing together at the gentleman's club?

Cross Talk!



DHCP renewal issues

I work for a small ISP and recently have been noticing people reporting their internet going down until they reboot their modems. When the modems are unresponsive they have a red light. We have two different vendors of modems with two models each. This red light indicates no IP address on the WAN.

That is just to sum up the issue. So I dug into the issue and the DHCP server. After some captures I was able to find that the DHCP requests are hitting the server and getting a valid IP on boot. OK, good so far. The problem lies with the lease renewal. The request is sent to the server, the server processes it and sends out the ACK. The problem is that the host is not getting the ACK. So it keeps sending until the lease expires and boom, modem is down.

A few notes

- ip helper is configured for private IP on 1 server interface

- no DHCP snooping

- Relay is setup on access platforms

- DHCP server has a private and a public interface, and the gateway is off the public interface.

I am stumped why the initial lease goes through but the renewal does not, as both are able to route to the DHCP server. My only thought is related to the modem's firewall, as the renewal is going through the private IP but leaves via its public. But then again the tcpdumps on the access platforms don't even show the ACK returning. Also, go easy on me as I didn't set this up originally and am a CCNA noob.
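The initial exchange and the renewal in the post above take different paths by design, and that difference can be checked from a capture. Per RFC 2131, a DISCOVER from a modem arrives through the relay with giaddr set, so the server answers the relay; a REQUEST in the RENEWING state is unicast by the client straight to the server with ciaddr filled in and giaddr zero, so the server unicasts the ACK to ciaddr and the reply follows the server's own routing table rather than the relay path. The following is an added example (not code from the post): it decodes a DHCP message and applies the section 4.1 reply-addressing rules to it. The two sample packets are constructed in the block itself, using documentation address ranges; the MAC address is made up.

```python
import struct
import ipaddress
from typing import Dict, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"
BROADCAST_FLAG = 0x8000
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_dhcp(payload: bytes) -> Dict[str, object]:
    """Decode the fixed BOOTP header (RFC 2131 section 2) and the TLV option area."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    # ciaddr, yiaddr, siaddr, giaddr sit at fixed offsets after the 12-byte prologue
    addrs = [str(ipaddress.IPv4Address(payload[o:o + 4])) for o in (12, 16, 20, 24)]
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "hops": hops, "xid": xid,
        "broadcast_flag": bool(flags & BROADCAST_FLAG),
        "ciaddr": addrs[0], "yiaddr": addrs[1], "siaddr": addrs[2], "giaddr": addrs[3],
        "chaddr": payload[28:28 + hlen].hex(":"),
        "type": MESSAGE_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN"),
        "options": options,
    }


def reply_destination(msg: Dict[str, object]) -> Tuple[str, str, int]:
    """Where a server sends OFFER/ACK for this client message (RFC 2131 section 4.1)."""
    if msg["giaddr"] != "0.0.0.0":
        return ("via-relay", str(msg["giaddr"]), 67)         # relay forwards to client
    if msg["ciaddr"] != "0.0.0.0":
        return ("unicast", str(msg["ciaddr"]), 68)           # RENEWING/REBINDING case
    if msg["broadcast_flag"]:
        return ("broadcast", "255.255.255.255", 68)
    return ("unicast-to-chaddr", str(msg["chaddr"]), 68)     # L2 unicast to yiaddr/chaddr


def build_request(xid: int, msg_type: int, mac: str, ciaddr: str = "0.0.0.0",
                  giaddr: str = "0.0.0.0", broadcast: bool = False) -> bytes:
    """Construct a minimal client message; used here only to fabricate sample captures."""
    hops = 1 if giaddr != "0.0.0.0" else 0
    flags = BROADCAST_FLAG if broadcast else 0
    pkt = struct.pack("!BBBBIHH", 1, 1, 6, hops, xid, 0, flags)
    pkt += ipaddress.IPv4Address(ciaddr).packed + bytes(8)   # ciaddr, yiaddr, siaddr
    pkt += ipaddress.IPv4Address(giaddr).packed
    pkt += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")   # chaddr
    pkt += bytes(64 + 128)                                   # sname, file
    return pkt + DHCP_MAGIC + bytes([53, 1, msg_type]) + b"\xff"


# Constructed samples (documentation ranges): a relayed DISCOVER at boot, and the
# REQUEST a modem unicasts at T1 while renewing its public lease.
DISCOVER_VIA_RELAY = build_request(0x3903F326, 1, "52:54:00:12:34:56",
                                   giaddr="10.20.0.1", broadcast=True)
RENEW_REQUEST = build_request(0x3903F327, 3, "52:54:00:12:34:56",
                              ciaddr="203.0.113.45")
```

Run `reply_destination(parse_dhcp(...))` on both samples: the DISCOVER resolves to the relay at 10.20.0.1 port 67, the renewal to a plain unicast to 203.0.113.45 port 68. If the server's route to that public address leaves a different interface, or a firewall between server and modem only expects replies sourced from the relay path, this is the packet that goes missing.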



Urgent help needed on IOS XR 6.1.3

I'm not really a networking person, but for a task I'm running an IOS XR 6.1.3 device on GNS3. I have set up a BVI interface and linked it with an interface on the device. However, if I try to ping the BVI interface IP from the parent device, all the packets are dropped. It cannot ping its own interface. Can anyone help me solve this problem? I'm linking my running configuration here:

https://pastebin.com/X5fbqcvA



Running TinyDNS in front of "slower DNS" server?

Hello all,

Anyone ever run TinyDNS in front of your slower DNS server? We use a slightly custom-built DNS server for a handful of reasons. Anyhow, the custom DNS server our company uses is a bit slow, or really just doesn't handle high volume very well. Does the idea of putting TinyDNS in front of it to cache the results make any sense?

P.S. I know a lot of people will say "replace your custom DNS" but that is not my question, so thanks in advance (;

Thanks!



China Hijacking BGP routes - incompetence or malice?

Just ran across this story - definitely is interesting! BGP hijacking has always been an issue, but never really thought about a nation state doing it consistently on purpose!

https://www.zdnet.com/article/china-has-been-hijacking-the-vital-internet-backbone-of-western-countries/

Thoughts from the other network engineers around here?
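The check operators run against announcements like the ones in that article is RPKI route origin validation (RFC 6811); the linked story does not cover it, so this is an added example rather than anything from the post. Each ROA says which AS may originate a prefix and how specific it may get (maxLength). An announcement is Valid if some covering ROA names its origin AS and permits its length, Invalid if covering ROAs exist but none do (wrong origin, or a more-specific carved out of a legitimately held block), and NotFound if nothing covers it. The ROA set and announcements below are constructed from documentation prefixes and the 64496-64511 documentation ASN range.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Roa:
    """A validated ROA: the holder of `prefix` authorises `asn` to originate it,
    and any more-specific of it down to `max_length`."""
    prefix: IPNetwork
    max_length: int
    asn: int


def roa(prefix: str, max_length: int, asn: int) -> Roa:
    net = ipaddress.ip_network(prefix)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {prefix}")
    return Roa(net, max_length, asn)


# Constructed ROA set (documentation prefixes and ASNs, not real registry data).
SAMPLE_ROAS: List[Roa] = [
    roa("192.0.2.0/24", 24, 64496),       # no more-specifics allowed
    roa("2001:db8::/32", 48, 64496),      # /33 .. /48 allowed
    roa("198.51.100.0/24", 25, 64497),
]


def validate_origin(roas: Iterable[Roa], prefix: str, origin_asn: int) -> str:
    """RFC 6811 route origin validation; returns 'Valid', 'Invalid' or 'NotFound'.

    Covering ROAs are those whose prefix contains the announcement (equal counts).
    Without any, the result is NotFound.  If any covering ROA names the origin AS
    and its maxLength admits this prefix length, the route is Valid; otherwise it is
    Invalid.  A wrong-origin hijack and a too-specific hijack both end up Invalid.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def flag_invalid(roas: Iterable[Roa],
                 announcements: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Return the (prefix, origin AS) pairs a route monitor should alert on."""
    roas = list(roas)
    return [(p, a) for p, a in announcements if validate_origin(roas, p, a) == "Invalid"]
```

NotFound is deliberately separate from Invalid: most of the table still has no ROA, so a monitor that alerts on NotFound drowns in noise, while one that drops Invalid at the edge is implementing the policy the RFC intends.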



Maximum cable length questions?

I wanted to make sure I have all my facts before starting this.

Task:
- I need to run approx. 130 ft of Cat5/6 directly to a trailer on the property, which will end with a WAP (an AC Cisco router I set as a WAP, I forget the model).
- Purpose of the trailer network connection: gaming/Plex streaming from the house server.

Hardware:
- Current: I have an Asus RT-AC66U doing the routing in the house (starting point).
- Spare: I also have a Linksys WRT1900AC on hand (I do not know which is better).
- WAP: AC Cisco router in pass-through.

TL;DR questions:
- Do I need some kind of outdoor-grade cable? The ends will be inside/dry of course. The majority will be going through the attic, down the house, across the ground, then to the trailer.
- Cat5e/6/6a? (HD streaming/gaming/etc.) Not trying to save money, just want to be safe/comfortable.
- At 130/150 ft do I need a booster or additional hardware?

Thank you for your time/help/suggestions



Aerohive AP245x antenna direction

We have a bunch of Aerohive AP245X's mounted about 22' high in an auditorium. Currently the antennas are vertical - pointed at the floor.

We also have some AP230's without the external antennas, and it seems that the clients gravitate to connecting to the AP230's vs. the AP245X's. This leads me to suspect that we need to address the antenna situation on the AP245X APs.

I'm just wondering what the optimal direction is to point these? There doesn't seem to be a clear answer when googling this. I suspect that with the APs so high, we should have the antennas horizontal to the floor. Am I right in this thinking? I would love some insight in to this. Thanks!



Please explain Cisco's firewall releases

We have 5508-X firewalls at all of our locations. We are currently running version 9.8(2)28. I just logged on to Cisco as we want to do some maintenance this weekend and here are my options. Interim 9.6.4, Interim 9.8.3, Interim 9.9.2. They all say Interim. Should I jump directly to 9.9.2-27?



Out of band console connection without analog phone line?

We've been using US Robotics modems and analog phone lines and DB25 to console cables to provide out-of-band access to our routers for years, but the cost of the analog lines keeps going up. I got my hands on a Verizon Wireless NOVT2000 (wireless home phone) device that works for basic phone line and fax service. I dial into it, then my US Robotics modem is connected to the 'box' instead of a wall jack. It works and I can connect, but I get tons of line noise / data corruption across it even though I've got great LTE signal. The device is supposed to provide "G3" fax functionality, but it is not working well with terminal mode from our dialer and I'll be sending it back.

Are any of you using any kind of LTE based device for out-of-band console access? I'd be ok w/ something where I could set up a static IP w/ the carrier and SSH into it, but I'd really prefer something that presents a phone number I could dial into for access since we have a vendor/partner that needs dial-in access for first-response monitoring of the devices.

Any recommendations that you've actually used?

Thanks in advance.



Monitoring Network Devices Outside Firewall

Hi guys! We have several devices outside of our firewall that we are currently not monitoring (other than ping). Some of these items are BGP routers and internet switches. What is the best/safest method to expose these to the internal management network so we can fully monitor them, take config backups, etc.? Is out-of-band management really safe to be plugged into an internal network? Should we just create ACLs that allow our internal monitoring software to reach these devices and enable SSH, etc. from those specific IPs? Thanks!



Min-Links

Stupid question.

Does changing the min-links value on a port-channel with LACP enabled flap the PO?



IP address rate limiting on Windows?

I've been looking for a tool that allows the user to limit the amount of requests/packets that specific IP addresses can send to a server, but I haven't been able to find anything. Can someone point me in the right direction or possibly even link me a tool/program that can do what I've described above?

Thanks in advance.



[Recommendation] WAP with built-in/stand alone client management

A small non-profit is currently using a residential router/WAP. This is mostly working, but some people have trouble with the connection. I would like to recommend ceiling mounted WAP that will fit their budget and have the ability to manage multiple users (no WPA-PSK with one password for everyone). There are around 25 users and all the apps are in the cloud. The only onsite equipment they have besides the router/WAP is a network switch.

From the research I have done, it looks like either Ubiquiti or TP-Link WAPs would fit their budget and needs. I have been looking through the user guides and have downloaded/installed the controller software for both products. Unfortunately, without hardware, I have not been able to determine how easy it would be to manage users.

I would appreciate any feedback on these products or recommendations for other products that might be better.



Question about HP 5120 using Cisco BiDi 1G optics: will it work?

Hello,

Before you jump in with the obvious (why not buy a Cisco switch, or HP switch, or the right optics, etc.): it's not my hardware or money. It is for a client and I do not have much say in what they do. I just need to know if it will work.

The switch is running 5.20.99 possibly; this is the info I was given, and not necessarily the actual version, however it may be HPE at the least.

Most of my Googling has told me that the Cisco GLC-BX-U/D is IEEE MSA compliant, as are the HP BiDi JD098C/JD099C SFPs. The module for the HP switch, HPE 500/4800 2-port GbE mod (JS367A), supposedly accepts all IEEE MSA SFPs and this should include the BiDi ones.

We plan to try the command "transceiver phony alarm disable" (if it's even compatible) on the HP 5120 to allow third-party SFPs.



Cisco ACI and VMware NSX

What is the concern around organizations using Cisco ACI and NSX Together? It seems like the Networking Team fights against an NSX Implementation every time we start talking about it.



TPlink Smart Switch answering for devices IP, randomly.

This will come back to me, but a former customer has another IT guy who put in a TP-Link Smart Switch with some L3-ish capabilities. Randomly, when accessing an internal website or the router for the internet via IP (single-subnet LAN with no VLANs), the web page bounces to the switch's web GUI after a few seconds. I have never seen this in 20 years. I am not sure how such a feature could be used. Any TP-Link experts? This is likely bleeding over to any device like server shares etc., as we are seeing clients' access to anything go off and on randomly. I can understand why, as it would likely hand the MAC address of the switch to the requested IP, to be cached on a PC until it expires.



25G - the future-ish next step

So we just got a pair of c9500-48Y4C switches, an interesting and very new platform allowing for 48 ports of SFP+/SFP28 1G, 10G, 25G with 100G links between them, for our Nutanix installation using 25G adapters.

The sad part is that these don't support StackWise Virtual yet. I'm just ranting here, but I'm wondering if 10G would have been better because they support SWV, or if going this route is best because SWV should be supported in 16.10 in Q2 2019.

We also just picked up a pair of c9300-48UXM (copper), which are cool; they are the replacement for the 3850 and are stackable. They also have an interesting port setup: 36 ports @ 100M, 1G, 2.5G; 12 ports @ 100M, 1G, 2.5G, 5G, and 10G, with 25G uplinks to the c9500s.

We basically used campus switches as our data center switches rather than going the Nexus route.

Currently using 2 6509-e (OLD) and moving toward c9K, which technically is going from 42ru used down to 4ru.

We are also consolidating a 40ru Cisco UCS and NetApp down to 2 2ru nutanix servers.

All in all I think we are saving a good 74ru using High Performance switches and HCI.

*Edit, I forgot about the 100M connections on the 9300.



Ruckus ICX7150-C12P woes

I'm wondering if anyone else has experienced issues with these switches?

I have around 50 of these deployed for an out-of-band network, and I've been experiencing a fairly high rate of failures with their power supplies...

I was just curious if we were the only ones who had these deployed, or if we had stumbled onto a bad batch.

These are rack mounted, generally in climate-controlled rooms, connected to a UPS.

I have 24-port and 48-port switches (6610s, 6450s, 7150s) in many of these IDFs that aren't experiencing the same failure rate.

It feels like I'm going to be riding the support/RMA bandwagon until the fine folks at Ruckus stop supporting these switches?



Network Scanner ( Suggestions )

Hello guys, I just got into a new company where nothing is documented or has a policy. I'm actually looking for a good network scanner. I'm currently trying Zabbix (too poor on info), PRTG (very well populated but paid) and Lansweeper (very good for inventory but paid).

Does anybody have suggestions about open-source solutions that work the same way as PRTG or Lansweeper?

Thank you ALL.



Is it possible to measure throughput speed to a IP address using ping?

I just need to get a rough estimate. For example:

1) I have a synchronous Internet connection.
2) A standard 60-byte ping packet takes, on average over a ton of pings, 23.732 ms round trip.
3) A 15,000-byte packet (using the -l option) takes 30.525 ms.
4) So, 15,000 bytes took an extra 6.793 ms round trip.
5) That 'should' mean it took an extra 3.393 ms to get there (half the round trip).
6) 15,000 bytes / 3.393 ms = 35,366,932 bits/s = ~35 Mb/s

Am I looking at this completely wrong?

And in case anyone is wondering, we have someone complaining of slow offsite backups (6 Mbps on a 100 Mbps link), and they did a traceroute. The traceroute shows the destination having no packets dropped, but it shows that 2 hops in the middle are dropping 99% of the pings to them. I have explained that this is most likely not the issue since they are sending the packets to the next hops just fine.

Our ISP has said that everything is checking out fine. So I would like to be able to show that we are capable of much higher speeds all the way from source to destination. Is this a valid way to do that?
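The two-size subtraction in the post is one instance of a general method: RTT grows linearly with payload size, and the slope (not the absolute RTT) carries the rate information. Fitting a line through several sizes makes the estimate less sensitive to one noisy average, and anything constant per packet (propagation delay, ICMP/IP header bytes, host processing) lands in the intercept and drops out, so it does not matter whether -l counts payload or whole packet. The following is an added example, not from the post. The first sample set is the post's two figures; the second is a constructed five-point set lying on one line, purely to exercise the fit. It assumes a symmetric path so that half the slope belongs to each direction. Two caveats are worth keeping in mind: every store-and-forward hop adds its own bytes/rate term to the slope, so 1/slope is a lower bound on the slowest link rather than its exact rate, and routers commonly rate-limit or deprioritise ICMP, so large pings can understate what TCP would get.

```python
from typing import Sequence, Tuple

# Constructed RTT samples as (payload bytes, mean round-trip ms); not real captures.
TWO_POINT = [(60, 23.732), (15000, 30.525)]            # the post's two measurements
MULTI_POINT = [(60, 23.727), (1000, 24.150), (5000, 25.950),
               (10000, 28.200), (15000, 30.450)]        # synthetic, exactly linear


def fit_rtt_slope(samples: Sequence[Tuple[int, float]]) -> Tuple[float, float]:
    """Least-squares fit of RTT (ms) against payload size (bytes).

    Returns (slope in ms/byte, intercept in ms).  The intercept absorbs every cost
    that does not scale with size; only the slope is used for the rate estimate.
    """
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    mean_x = sum(size for size, _ in samples) / n
    mean_y = sum(rtt for _, rtt in samples) / n
    sxx = sum((size - mean_x) ** 2 for size, _ in samples)
    if sxx == 0:
        raise ValueError("need at least two distinct payload sizes")
    sxy = sum((size - mean_x) * (rtt - mean_y) for size, rtt in samples)
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def estimate_path_rate_mbps(samples: Sequence[Tuple[int, float]]) -> float:
    """Serialization-rate estimate in Mbit/s for a symmetric path.

    Each store-and-forward hop adds bytes/rate_i to the one-way delay, so the
    round-trip slope is 2 * sum(1/rate_i).  Halving it gives the one-way per-byte
    cost, and 1/cost is a lower bound on the bottleneck rate (equal to it only if
    every other hop were infinitely fast).
    """
    slope_ms_per_byte, _ = fit_rtt_slope(samples)
    if slope_ms_per_byte <= 0:
        raise ValueError("RTT did not grow with payload size; noise dominates")
    one_way_s_per_byte = (slope_ms_per_byte / 2) * 1e-3
    return 8 / one_way_s_per_byte / 1e6
```

With the post's two numbers the fit gives roughly 35.2 Mbit/s; the synthetic set gives about 35.6 Mbit/s. To reproduce the approach for real, collect the mean RTT at five or six sizes between 64 bytes and the largest the path will carry, preferably at the same time of day as the slow backups.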



Is there still a way to download CiscoLive recordings?

There was a way to download Cisco Live recordings by finding the video source link, but since they made a change, that way does not work anymore...

Wonder if anyone still can download from their site?



Switch experts, need this explained.

Client just updated their FiOS to 300/300. Out of the ONT their feed goes into a Cisco SG250-08 (as the phone system needs to be pre-firewall; yeah, I don't get it either, but the Toshiba installer did it this way.)

Once the FiOS speed increased, the traffic to the servers dropped from 150/150 to 13/88. Did the usual checks, rebooted the usual stuff (ONT, WatchGuard). Nothing made the speed increase.

On a lark, we rebooted the switch and bam(!), 300/300 server side.

Why would the switch, working at 150/150 for a year, slow down the traffic to 13 Mbps incoming when the outside edge speed increased, and what happened internally during a reboot that suddenly allowed it to flow at 300?



Best network mapper

Hello, I'm looking for advice on the best network tool to create maps that would integrate into Solarwinds Orion instance.

What do y'all think?

The Solarwinds Network Topology Mapper is a bit rough around the edges.



Need help setting up guest Wifi network on Ubiquiti

I'm trying to get an open guest network working alongside my secure company network. My company wifi is currently up and running with no issues, but I've tried adding the guest network several times with no luck.

HERE is a poor man's topology of what I'm trying to do. I want to have a secondary internet connection come into the closet of my core switch, then go to a router, then to my switch. From there I want it to ride the same ports to another switch/closet where my AP is.

Here's the hardware I have:

  • Core switch: HP ProCurve 3500

  • SWITCH A & B: HP ProCurve 2920

  • Access point: Ubiquiti AC Pro

  • Guest router: Either a spare ASA 5505 or Comcast router (depending on what I end up with)

I'm just getting Ubiquiti products in my environment, so I'm not 100% on the capabilities of them in Unifi yet. I am aware of pre/post rules for wifi clients (so they can't access devices either by IP range or name) but I'm really looking for as close to air gapping this network as possible, without actually airgapping. I want all traffic for the guest SSID to enter/exit out of the guest internet connection without ever touching my dhcp servers or connection.

My thoughts are to just add a new VLAN to the core switch (let's use 172), untag the port that connects to my Comcast router as VLAN 172, then tag 172 on the uplink of the core switch that connects to switch A. On switch A, add VLAN 172 then tag VLAN 172 on the uplink connected to the core switch. But on the port that goes to the AP, do I tag or untag VLANs 10 and 40 so that both SSIDs can use their own VLAN?

FYI: I do have firewalls and other devices in line of this topology map, but I didn't list them in order to clean up the diagram.



Any legit way to do mass scripted whois queries?

We have a database of public IPs exported from our SD-WAN implementation, that represents the circuits we have at every branch.

Basically people got tired of manually updating the spreadsheet to reflect who the ISP is, as we transition between two different resellers, the moves/adds/changes of our branch circuits are crazy right now.

Our SD-WAN lets us export a list of all the IP information for every branch circuit, but it doesn't give us the name of the carrier.

For that we've been relying on whois lookups, and manually hand jamming the carrier name into the spreadsheet.

Now that this list has grown from around 300 or so to 1500 and is steadily growing beyond that, it's too much work to do so.

I think I can write a script that pretty easily automates doing the whois command, but there is one problem that concerns me. This ominous warning from ICANN:

  1. Uses of WHOIS. WHOIS is used for many purposes. Under ICANN organization's agreements, WHOIS may be used for any lawful purposes except to enable marketing or spam, or to enable high volume, automated processes to query a registrar or registry's systems, except to manage domain names. In addition to identifying domain name registrants, WHOIS data also allows network administrators and others to find and fix system problems and to maintain Internet stability. With it, they can determine the availability of domain names, combat spam or fraud, identify trademark infringement and enhance accountability of domain name registrants. WHOIS data is sometimes used to track down and identify domain name registrants who may be posting illegal content or engaging in phishing scams. These are just a few examples of how WHOIS helps maintain a healthy Internet ecosystem.

Damn. We're not supposed to automate a script to hit their database like that? So where does one turn then to do this legitly?



Ethernet Cabling

Are Cat7 ethernet cables worth it at this moment in time?



Where to locate server/provider for overland internet route from London to Japan? (If possible)

Sorry the title should say overland route from Siberia/Russia to Japan (not London -- London works fine and the server is not there). Hello so we have this service that arbitrates between London and Tokyo. I was trying to put a server in the middle so I created a VPS in Novosibirsk, Russia (Siberia) (I tried servers in India and Singapore and the latency seemed very bad.) It seems to have a fast ping to London, but the Tokyo ping is very slow and the traceroute mentions the Netherlands, New York, San Jose. So it seems to be going the opposite way around the world.

I was hoping that this Transit Europe-Asia fiber link that I read about, or another similar one, would connect overland between Siberia and Japan. But at least with the provider I have tried (it is called adelinahost), this does not seem to be the case.

Is there no such route on the internet? Or if there is, how can I get a server with a provider that will allow me to do that... ideally it would just be a VPS, but if there is no other option besides some kind of co-locate or whatever then maybe we will do that, if it really is a faster route.

Thanks for any ideas or information.



dot1x Wired Authentication

I'm labbing up a wired 802.1x config - initially using a Ruckus ICX7450 and Aruba 335 AP.

I'm using NPS as a RADIUS server. Authenticating wireless clients via 802.1x isn't a problem.

The AP switch port is enabled for 802.1x in multi-host mode, and correctly authenticates - allowing wired & wireless traffic to pass.

I was wondering how session-timeouts and re-auth periods etc are handled normally? By default, the NPS server sends the switch a 30s session timeout parameter which seems a little short but I can override this easily if required.

The problem with the re-auth process at the end of the session timeout is that it puts the switch port in an unauthorised state in a different VLAN for a very short time. Some packets will drop from wired clients (and the AP on the management VLAN) while the re-auth process takes place which means I can't roll it out in this state.

Do people generally set long session-timeout values? That doesn't seem like the best solution as it could still result in some disruption unless we are careful and ensure sessions timeout after hours.

I have an active support contract so will see what Ruckus have to say but I'd be interested in your thoughts as well.



Visual Representation of Global IP to Private IP (NAT)

Below is a chart based off of arbitrary numbers for the sake of providing an example. This example can help some to more easily visualize an overview of the IP assignment. Please note that RIRs do not play a role in deciding who receives specific IP address pools; however, RIRs are still the recipients of the IPs provisioned by IANA. The decision process of where the RIRs' IPs are allocated belongs to the IETF.

https://imgur.com/a/4nep0ck

(/educational topic - for the purpose of education and understanding through visual examples)



Thursday, October 25, 2018

What am I doing wrong? I can't run these commands

Hello all, I am supposed to be creating a policy map to increase queue buffer. Here are the commands I am supposed to follow:

policy-map Test_Policy
 class Testclass
  priority level 1 percent 10
 class class-default
  bandwidth percent 90
  queue-buffers ratio 50

However, I get this error when following the commands:

3850Switch(config)#policy-map Test_Policy
3850Switch(config-pmap)#class Testclass
class map Testclass not configured

So I created a class-map Testclass, but then I don't see where I can configure priority?

3850Switch(config)#class-map ControlTraffic
3850Switch(config-cmap)#?
Class-map configuration commands:
  description  Class-Map description
  exit         Exit from class-map configuration mode
  match        classification criteria
  no           Negate or set default values of a command

Any help is appreciated!!



Any smart software to analyze 2 ACLs and tell the difference? Not a diff checker type!

I work for a big telecom company. Myself and another guy maintain 2 million lines of ACLs for 300 million subscribers + internal traffic. Everything was cool until we migrated to Pronghorn to make life easier. But it turned into hell... There is no way to compare an ACL after a change. We used to use kdiff which was showing all the differences nicely. Pronghorn is a Cisco company and working on NSO. When it generates an ACL, it does summarization and randomizes all the IPs if you set up a pool of IPs that belong to the same ACL rule. It could probably work OK if we did a line by line translation and created an IP for every single pool, but that would have taken forever to migrate the size of ACLs we have. We have ACLs as big as 25000 lines or even more. So we had to create a pool of IPs if there was a common rule from or to the same source, destination IP or port. This won't be fixed until the next phase of the software development which will take at least 1.5-2 years. With the speed they have completed things thus far, I am not even hopeful for 3 years.

So is there anything out there to analyze 2 ACLs and display the difference? I am not looking for a diff checker type of program. Something that does line by line analysis and sees if the current line is covered by any of the lines in the other ACL. It needs to detect summarization, changes in the line order, etc... Maybe something even paid; if worth it, I can convince my boss to pay for it. I thought about developing one myself, but it would take years since I have to re-teach myself Python since I didn't touch programming for years, and do it slowly when I have free time at home or work.



VxLAN with multiple IP/MAC

Hi, Has anyone configured a VxLAN with multiple IP Addresses (each in their own subnet) and each IP having its own MAC address? Using standard Linux networking. Thanks!



Do all DMZ servers have their own public IP?

Where I work, all DMZ servers have a public IP. Wondering if this is the case in all big enterprises. I thought one would assign private IPs and NAT them?



Cisco CSR 1000v memory usage on ESXi

Hello all,

Recently we deployed some CSRs on ESXi 6.5 u2, they run fine.

I have noticed that vSphere is reporting that the VMs are triggering the "Virtual Machine memory usage" alert.

2 different CSRs on different hosts, dedicated to these routers.

4 vCPUs and 8GB of ram per CSR.

The hosts have nothing else on them and have 32GB RAM, so I'm lost as to why these VMs are reporting high memory usage.

Vsphere shows that they are using the full 8GB.

8192 MB, 8192 MB memory active

The kicker is that the actual routers are functioning just fine, I've had Cisco confirm what I see, the memory usage looks fine.

sh proc mem

Processor Pool Total: 2450272320 Used: 334367648 Free: 2115904672

lsmpi_io Pool Total: 3149400 Used: 3148568 Free: 832

Has anyone seen this before ?

Thanks peoples!



Existing Cisco vs Sophos UTM

A potential client is moving into an office with the following kit which can be had for $4k AUD:

Qty Equipment

1 Cisco ASA 5506-X firewall with FirePOWER services

2 Cisco Catalyst 2960-X 24 port Gigabit PoE switches

2 Catalyst 2960 Stacking Module

1 Meraki MR18 Cloud managed wireless access point

10 HP Elite desk 400 G2 (PC including Monitor)

1 HP Colour LaserJet Printer/Scanner/Copier

I would normally use a Sophos UTM sg135 for this sized office of 10 people with a 400/400 Mbps pipe.

I don't know Cisco so I'd need to partner with a Cisco Engineer to maintain it.

We also need to set up a voip system as well.

Should I keep the Cisco or stick with the Sophos I'm used to?



cisco 3650 radius auth -and- ssh pubkey?

Got a bunch of cisco 3650 version 16.3.5b. These are set up for radius auth, and that works. All of my old boxes are set up for ssh pubkey auth, and that all works. Can I also use ssh pubkeys for auth as well on boxes that are set up to use radius? If so, can some kind soul point me to how to get the two auth methods to coexist? I can get one or the other to work on a given box, but not both.

thanks.



When did OpenGear become such a bad company?

I am heading up a pretty sizable network project for a fortune 100 company, that requires we network large geographic areas. Seeing how I didn’t want to drive/fly hundreds of miles, I purchased about two dozen OpenGear console switches and they have been a pretty big disaster. Had a lot of luck with them a few years ago, and they used to have a reputation for good service.

Basically, there is a pretty obvious bug when using SFP uplinks where upon reboot, they just don't come up. If you console into them and issue an IFCONFIG there is no IP under the interface or bond. The only fix is multiple hard reboots or, even weirder, removing and reinserting the fiber. Shut/No shut on the Cisco uplink side has about a 10% chance of working. If you bond the interfaces it's even worse. We replicated this issue on six different devices.

It took us seriously 6-7 tickets, three RMAs, and dozens of emails before their support would even admit the issue. I was told it was everything from us purchasing suspicious SFPs, which were genuine OpenGear and Cisco, to that we needed to wipe the switches with an unpublished command. Their tech support refuses to do any sort of troubleshooting except "run the show command" and then we wait for several days. This has been going on for months.

I find it pretty hard to believe I’m the first guy ever who rebooted a console switch with an SFP and had this issue. I’ve reached out to their sales begging for help and have gotten zero replies. Our reseller is frankly shocked at how they are acting.

On top of this we had two dead RMAs. Also, their central management software, LightHouse, won’t take the license we received, but I don’t have the energy right now for that one. I’m sure their support will be right on that.

I really want to like this product, but I’m at my wits end. Any advice? Also a fair warning, stay away from their product for a bit.



QoS for transferring database files

Hello network friends,

We have this 10gig metro-e circuit that is a backup connecting our 2 sites - site A and site B. This circuit also gets used for copying large DB files between these 2 sites. So my point is that this 10gig circuit never really gets used unless the primary circuit goes down or we need to copy a large file between the 2 sites. Coming up soon is the latter - they would like to copy a 2TB DB file using this 10 gig circuit between the 2 sites. I'm being told that last time the speeds were very slow, so put QoS on it. Now I'm wondering, is there any point of even putting QoS policies in place, if it's only being used to copy this DB file?

I can't see the point of prioritizing these DB files over general traffic when the circuit is not being used for anything else. Is anyone here in a similar situation? Thank you for your feedback.

btw, these are nexus 9ks connecting the circuit at each site if that makes a difference.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.



Network tuning to the ? level

How far do you all go in your network tuning? Turn all the knobs, default only, sometimes in a blue moon?

I know I've had to adjust firewall timeouts, jumbo frames (not always a great idea), flow-control, MTU/MSS, tried various window sizes in iperf, etc. Does anyone go so far as to adjust TCP directly on a host? If so, how do you go about that process and how do you deploy it? How does one find out which TCP algorithm is best suited for a flow?

Low-latency seems really interesting but I have no idea where to start.



Public Wifi Setup Help

Hi All, I am a small business owner (restaurant) trying to get my public wifi whipped into shape. I'm currently running off a 150/150 verizon fios connection through their G1100 AC router. The router isn't very reliable when it comes to the wifi, it just doesn't have the specs to accommodate my needs. The wifi connection typically loses internet connection, however it has good enough range. I need 2 wired connections (1 for a credit processing terminal and 1 for an office pc) and about 4 other wireless connections for business needs and I also need to be able to support another ~20 wireless connections for public wifi for customers. I feel like I'm stuck in a weird place where consumer grade probably isn't enough and commercial may be overkill. I could really use suggestions on what product would suit my needs. I'd like to keep my budget in the ~$200 range if possible.



ISP Saying They Can Put Me on a /32?

I have been seeing malicious local broadcast traffic on the internet-facing interface of a few of our firewalls that appears to be coming from MikroTik routers that are infected with the Coinhive mining script that are looking for other MikroTik routers to infect (CVE-2018-14847). The traffic is broadcast traffic over UDP port 5678 (MikroTik Neighbor Discovery Protocol). Because we do not have any MikroTik routers in deployment we are not vulnerable to these attacks, however in the last three days there have been over 1.2 million session attempts against our firewalls. If this is left unaddressed we could potentially see degraded performance on these circuits.

I requested the following actions from our ISP at these sites:

  • Patch any hardware on their network that is vulnerable to CVE-2018-14847.
  • Get our connections at these sites converted to a /30 that will isolate us from these broadcasts.

Today I got a reply from one of the ISPs saying that they could put me on a /32, but not a /30... Here's their reply:

"On the option of a /30 we may be able to get you guys on a /32 but it would need to be on a different address range(we rarely use /30 due to how we have our sub nets split up. To make put your current address on a /32 we would have to break the current sub net and in turn would break multiple customers which is something I would avoid. If a /32 is something that you are interested in I can see what I can get approval on for you guys to get things in the works on that."

Huh? Is there something I don't understand about subnetting that is different for ISP's? My understanding of subnetting is that the smallest segment for a direct connection is a /30, which leaves two available IP addresses after you subtract one for the network address and one for the broadcast address. Someone please either blow my mind, or tell me that my ISP is high as a kite.



Looking for Incognito (Address Commander) REST/API help...

This is for those unlucky few stuck with Incognito Address Commander...

So, I'm thumbing my way through the terrible documentation on AC's API, in the hope of writing a simple web-based front-end for IP lookups for my subpoena/technical-support team.

While I can get responses working in the form of returning a subnet, I can't get searching within subnets to work.

In other words, if the search term is the IP that correlates to a subnet, it'll return data.

If the search term is an IP within a subnet, the query returns zero data. This occurs regardless whether I specify CIDR boundaries or not.

I appreciate any information anybody can provide. And I'm totally willing to share code, once it's working.



How do I get my wisp network to connect to a fiber ISP which is 100km away from my wisp?

So I am a newbie but very interested in setting up a wisp business. I am having a hard time understanding something. The community where I live and intend to start the wisp is 100km away from the major ISPs that can provide fibre bandwidth. How do I get my wisp network to connect to the internet? Sorry, I don't know much about networking. I am in a developing country. Just be kind and present things in an ELI5 if possible.



What is a better website or program to test my internet speeds than ookla speedtest


Better solution than whitelisting ips for VPN access

We have people working remote on some stuff and they are using att hotspot devices and use OpenVPN to get on the network. I’ve been whitelisting IPs as people need and as the IPs change, but it’s annoying to do.

The only solution I can come up with is whitelisting the IP space that ATT uses for their LTE devices, but I'm not sure what that IP space is or how to find it.

Is there an alternative to this?



Question: Virtual FW and Router inline - How to isolate multiple vlan trunks on one dSwitch

Hello Reddit,

Posted in /r/vmware and received a negative answer so I'd like to have your opinion about this:

I'm learning vmware networking with my lab at home.

I want to use a virtual Check Point security gateway in L2 mode to filter inter-vlan traffic before it reaches a virtual VyOS router.

Basically:

VMs <---> dSwitch <---(vlan trunk)---> Check Point FW (L2 mode) <---(vlan trunk)---> dSwitch <---(vlan trunk)---> Vyos Router <---> dSwitch <---> Internet

With this configuration, I use 3 dSwitches and a minimum of 3 uplinks.

I guess that's because I can't find a way to isolate multiple vlan trunks on only 1 dswitch and force the traffic coming from the VMs to enter the firewall first and proceed to the router.

Any ideas if it's possible to use only one dswitch ?

In a previous exercise, I was able to achieve this with physical equipment. Check Point was running on a DL380 and I bridged the built-in nics.



Opinions on contract to hire positions?

After a couple years of IT experience I'm looking to move into an admin/junior engineer position. I've seen a lot of contract to hire positions and get calls from recruiters about these types of positions as well. What's your all's thoughts on these? Are they good jobs? Seems to me like if the company wants you full time, they would just use direct placement instead of contract to hire.



book/resource suggestion for Networking

https://ift.tt/2Arr1WE

Juniper announces cross-track recertification, my biggest gripe

Juniper finally jumped on the cross recertification bandwagon. That's one of the things I really liked about Juniper: if you wanted to recertify you had to do the actual track you certified in initially.

I don't know about the rest of you, but personally I don't like it. The whole point of a certification is to validate your skill set in routing/switching, cloud, security etc. Say for example, you haven't done security in 5 years or so and only focussed on routing/switching: there's no value in re-certifying in security. Now it's just an excuse to say "hey look at me, I'm a 4x JNCIA, CCNA" or whatever; it just becomes a numbers game. I get there are engineers out there who are multi-disciplined, so getting recertified in that sense makes life a whole lot easier in terms of study time and finances.

What are your thoughts on cross recertification? Do you feel it devalues certifications more?



Loading a new image to Cisco ASA 5506 and 5505

Bought a new FW off Ebay and it had the no service password-recovery command. So I had to wipe it, I think I used 1 out of 1-7 no idea if that is a complete wipe. Anyway, I need to load the new image for both the 5506 and 5505. I tried looking for it on Cisco's website but got a bit confused on which image to download? Is it the IOS or ASDM? I believe I have to set up a tftp server probably using SolarWinds one but if there's a better way to do this via the console please let me know. Thanks!



Symbol errors on both ends of Huawei switch fibre link.

Am I right in thinking symbol errors are usually related to layer one? Assuming issue is with the fibre run as it’s quite old.



Intercept files uploaded to my HTTPS site to send them to an AV

I have a website where different providers upload files (PDF, Word, etc.). I would like a way to intercept those files, even if it is done in parallel, and send them to an AV engine to be scanned.

The files are stored in a SAP database and the specific AV that integrates with the SAP API (Netweaver) is quite expensive, therefore I'm asking for this alternative to intercept the files uploaded.

Is there a way commercial or custom to do this?

Thanks in advance



Why would a device respond to an arp request not meant for it?

So.. something weird's happening:

I just deployed a new L2 switch with a mgmt vlan12. This vlan is trunked to an uplink switch, which is the default-gateway svi for the subnet.

The issue is: all devices connected to this vlan on the new switch cannot be pinged or accessed from either the new switch, default gateway (on uplink switch) or anywhere else on the network.

Gets even weirder: I did a capture on the new switch, I see the ping requests and responses, but looking further into it, my new device on vlan12 is sending the reply ping to the wrong MAC address.

Why would this happen?

Test device: 10.0.0.59

DG: 10.0.0.1

New SW mgt SVI: 10.0.0.15 <-- I can SSH into this fine.

new-switch#sh monitor capture test buffer

Starting the packet display ........ Press Ctrl + Shift + 6 to exit

1 0.000000 10.0.0.1 -> 10.0.0.59 ICMP 118 Echo (ping) request id=0x0149, seq=0/0, ttl=255 <-- request from uplink switch

2 0.000005 10.0.0.59 -> 10.0.0.1 ICMP 114 Echo (ping) reply id=0x0149, seq=0/0, ttl=64 (request in 1) <-- reply from new device

new-switch#sh monitor capture test buffer detailed

Starting the packet display ........ Press Ctrl + Shift + 6 to exit

--Omitted--

Ethernet II, Src: ac:bb:6b:12:3f:35 (ac:bb:6b:12:3f:35), Dst: aa:36:bb:00:a1:b7 (aa:36:bb:00:a1:b7) <-- This MAC belongs to 10.0.0.40, not 10.0.0.1

--Omitted--

Source: 10.0.0.59

Destination: 10.0.0.1

Internet Control Message Protocol

Type: 0 (Echo (ping) reply) <-- this packet is an ICMP response from my new device

Code: 0

--Omitted--

Before you ask: Yes, I checked the subnet mask and default gateway configuration on all the new devices, they match what's on the SVIs.

TL;DR

New devices in a certain vlan seem to be arping for the default-gateway, but getting the mac address of another node on the same vlan connected to the uplink switch (which unfortunately I don't have access to), so no one is able to connect to the new devices on that vlan on the new switch. Other vlans work fine.



VPN Issues ASA <--> AWS - Transmits but no Receives

I've just configured an AWS VPN with our Cisco ASA. I'm a bit unsure about the NAT exemption rule and think this might be the issue, only because it was the only part of the AWS ASA config they gave me that I wasn't really confident with. Looks like the tunnel is up, but I'm not getting any RX: https://imgur.com/xHiVRIT When I ping a remote node in the VPC from the ASA it just times out. I have static routes set up on the AWS side with all our subnets. Some info: It's a Cisco ASA 5525. Here is a Show Crypto IPSEC: https://cloud.healthydirections.com:5001/sharing/ttMdyxlPu Here is the config: https://cloud.healthydirections.com:5001/sharing/DnoyQtqnx . Also I'm sure I'm not including some obvious piece of information. Please ask away, I'll try and respond ASAP with whatever info I can provide. Thanks for any help at all.



OSPF advertisement

Hello guys,

I've run into a CCNA question that's giving me a headache and I hope you can help me figure this out.

I have to include the following interfaces in my OSPF

E0 192.168.12.65

S1 192.168.12.125

S2 192.168.12.121

While leaving out the interfaces

E1 192.168.12.129

S0 192.168.12.187.

Possible options are

A) #network 192.168.12.64 0.0.0.127 area 0

B) #network 192.168.12.64 0.0.0.63 area 0

and 3 more that I won't include because they are obviously wrong and not worth considering.

I did my math and I chose A, but the test says that the right answer is B because with a 0.0.0.127 I would have a range from 192.168.12.64 to 192.168.12.191, including interfaces I don't want in my OSPF.

I tried to calculate network ranges over and over but I'm just getting lost. I'm not getting the same results, and from what I did, option A looks fine too.

For sure I'm being dumb and I'm missing some obvious details.

Can someone give me a step by step procedure of the solution of this question?

I thought I was very good with network range and subnet calculation...

Please help me out guys, my head is exploding :)

Thanks a lot!

Ciao
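
As an added example (not part of the post above), the following applies the IOS matching rule for a "network <address> <wildcard>" statement to the five interfaces listed in the question. A wildcard bit of 1 means "don't care", so the router ANDs the configured address with the inverse of the wildcard before comparing, which is why the range a statement covers does not always start at the address typed in. The interface names, addresses and the two options are taken from the question; the rest is constructed here.

```python
# Added example: evaluate OSPF "network" statements against the interfaces
# from the CCNA question. Not code from the original post.
import ipaddress

# Interfaces exactly as listed in the question.
INTERFACES = {
    "E0": "192.168.12.65",
    "S1": "192.168.12.125",
    "S2": "192.168.12.121",
    "E1": "192.168.12.129",
    "S0": "192.168.12.187",
}

# The two answer options under discussion (network address, wildcard mask).
OPTIONS = {
    "A": ("192.168.12.64", "0.0.0.127"),
    "B": ("192.168.12.64", "0.0.0.63"),
}


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def network_statement_range(network: str, wildcard: str) -> tuple:
    """Return (first, last) address covered by 'network <network> <wildcard>'.

    The router clears every 'don't care' bit of the configured address, so
    the first address is (network AND NOT wildcard) and the last address is
    that value with all wildcard bits set.
    """
    net, wc = _to_int(network), _to_int(wildcard)
    base = net & ~wc & 0xFFFFFFFF
    return _to_str(base), _to_str(base | wc)


def matches(address: str, network: str, wildcard: str) -> bool:
    """True if an interface address is selected by the network statement."""
    wc = _to_int(wildcard)
    return (_to_int(address) & ~wc) == (_to_int(network) & ~wc)


def covered_interfaces(network: str, wildcard: str, interfaces=INTERFACES) -> list:
    """Names of the interfaces the statement would put into the OSPF process."""
    return sorted(name for name, addr in interfaces.items()
                  if matches(addr, network, wildcard))


def evaluate(options=OPTIONS, wanted=("E0", "S1", "S2"), excluded=("E1", "S0")) -> dict:
    """For each option: the address range it covers, the interfaces it
    selects, and whether it includes all wanted and none of the excluded ones."""
    result = {}
    for label, (net, wc) in options.items():
        covered = covered_interfaces(net, wc)
        ok = all(i in covered for i in wanted) and not any(i in covered for i in excluded)
        result[label] = {
            "range": network_statement_range(net, wc),
            "covers": covered,
            "ok": ok,
        }
    return result


if __name__ == "__main__":
    for label, info in evaluate().items():
        first, last = info["range"]
        print(f"Option {label}: covers {first} - {last}, "
              f"selects {info['covers']}, acceptable={info['ok']}")
```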



Network security monitoring / SIEM

Just had a bit of a breach here at work. Thankfully the attacker seems to have been interrupted and didn’t have enough time to cause any issues (as far as I’ve been able to detect). When going through the logs it seems that someone has potentially gotten access prior to this event as well.

So it would seem I need to keep better track of what’s going on on our network. I googled around a bit and found quite a few different solutions.

We’re a small company with maybe 15-20 computers and a few servers. What solution would you recommend for a company our size? Ideally, I’d like something that can analyze network data from our main Mikrotik router + collect and monitor event logs from all our computers (that part might be off topic for this subreddit, if so I apologize).



Cat6509-E replacement (cat 9500 or nexus?)

Hey everyone,

So I'm faced with replacing our current very traditional environment with a collapsed core/distribution switch, a C6509-E with the Sup2T (VS-S2T-10G). We have two identical chassis running in VSS mode. It's contractual so I can't replace modules or anything like that. The new core will be running for 5 years.

The whole chassis and all modules have to go.

Besides the Sup, we have the following modules:

16 x 10GE using 11 of these for connections to main firewall, wireless controllers, server farm, WAN

24 x 1000mb SFP (using 10 of these for headquarter multimode fiber to the main building switches)

48 x 10/100/1000 mb Rj45 mostly for management to other devices. will move to an oob mgmt switch

We have a layer 2 WAN, 50 sites with 130 L2 switches, 400 APs.

Obviously Cisco told us the whole DNA story and want us to replace it with Cat9500, the C9500-48Y4C (48 x 1/10/25 gig + 4 x 40/100 gig)

To build the DNA campus fabric we would need:

  • Cisco Wireless (which we don't have now, and are not planning to change)
  • Layer 3 access switches (which is not realistic, we have around 100 sites with all layer 2 switches)
  • Cisco ISE - not planning on buying this, we have another solution.

So, basically switching out most of our current environment. Which is out of the question :)

The Cat 9500 does seem like an ok switch though, but if I compare it with the Nexus 93108YC-EX I would get a lot more bang for the buck. Basically Cat9500 with 1.6 Tbps compared to Nexus 3.6 Tbps.

I don't really need any fancy stuff, just pure L2/L3 and VRF support.

Cat 6800 is out of the question, oversubscribed ports and does not seem future proof.

Also, it almost seems like a downgrade to go from Sup2T to Cat9500: fewer routes, fewer MAC addresses, etc. (I do understand that the comparison is not that easy, I'm comparing a chassis switch with a 1 RU unit).

The plan is to implement WAN routers in order to move the L2 to L3 termination point and then run pure layer 3 between Core and WAN routers. Right now the Core is very vulnerable to loops in the WAN.

I cannot run anything else than Cisco for this solution unfortunately.

Any experience with the Nexus model above? Found some caveats? (I know, no IP SLA or NetFlow.) Happy with your C9500? Which model?

Have you regretted going from a chassis switch to a fixed core?

I would get around 25 free 1/10/25 gig ports, and 4 or 6 (depending on the choice) 40/100 gig.

Would love to hear your thoughts on this.



FirstNet/Band 14

Wondering if there are any network engineers working in the government space here and if you have had any experience with this service and the networking requirements that go along with it. AT&T is basically telling me we have to completely redesign our existing APNs for mobile data users and they are asking us to peer with a private AS using BGP on our core routers, and I'm hesitant at this point to commit to that.

Hoping someone here has dealt with this and can talk about how you’ve designed the connectivity based on the requirements they have given. Not a lot of information online that I have been able to find on this topic. Any insight would be greatly appreciated!



Telecom professionals, what fiber optic monitoring systems do you use?

I have a client that has developed a solution to localize faults/cuts on fiber and copper cables. I know that this technology is not new. I am helping them define a go-to-market strategy. The solution is already installed and operating at one customer (mid-size in EU scale), monitoring about 10 000 km of copper and fiber.

In this context, I would like to ask telecoms professionals who have encountered such technology the following questions:

- What solution do you use?

- What drove the need to find it? How important is remote monitoring of cables?

- What selection criteria did you use when deciding to buy it? Why?

- What operational and cost benefits do you get from using the solution, if any?



Wednesday, October 24, 2018

Cisco Python multithreading script

Hey all,

I am pretty new to reddit, so I am not sure if this is the right way to cross post. But I just created a post on r/learnpython that includes my most recent accomplishment in Python. I have a script that utilizes textfsm/ntc-templates to gather information on the network and store that information in a MySQL database. The best part imho is the threading. When I first started my Python journey I could not find many examples to work with on threading netmiko connections. So I figured I would share what I have and hopefully save someone hours if not days pouring through docs for this same info. Hopefully y'all find this helpful or useful!

https://www.reddit.com/r/learnpython/comments/9qzw7g/python_script_for_network_engineers/



Office Expansion (adding Distribution layer) and Layer2/3 topology

Hello there.

Our main office building is currently composed of a pair of 4500-X (32 port + 8 port expansion) in VSS functioning as a collapsed core/distribution. We have about 15 stacks of 2960X-s hanging off it. LAN is Layer 2 to the edge, WAN is BGP + some local sites using OSPF.

We are now running out of ports on the 4500-Xs and need to add a dedicated distribution layer. Any thoughts on keeping the Layer 2 topology or converting to Layer 3 to distribution layer (or all the way to access?). Also any thoughts of which type of switch for distribution or follow the CVD (https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Campus-LAN-WLAN-Design-Guide-2018JAN.pdf) ?

Regards



help me set up policy-map to alleviate congestion

Hello experts!

I have a 3850x as my core for all the routing to my sites (all sites are using 3750s). Any traffic that's coming from the internet side comes in on a 10gb interface and goes out to my sites on a 1gb interface. This has caused a bottleneck and I am seeing tons of drops on my 1gb interfaces (on my core, facing the sites). Many of you have suggested I either upgrade my links or upgrade my 3850x; at the moment something like this is out of my reach as I don't make these kinds of decisions (tho I wish I did..). Right now I have no qos or policy map set up. After long hours of research and planning I came up with this plan to set up qos on the interface that's having the most drops. I was following this cisco document when planning out my service policy: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3850-series-switches/200594-Catalyst-3850-Troubleshooting-Output-dr.html

Please tell me if I'm doing this wrong, because this is the first time I've worked with qos and policy maps. This is the action plan I came up with. Please let me know if my configuration will do the job and if I'm applying this policy map in the right place.

1. Create a policy map and apply it under the interfaces with the highest drops

   a. policy-map Buffer_Policy
       class ControlTraffic
        priority level 1 percent 10
       class class-default
        bandwidth percent 90
        queue-buffers ratio 50

      Apply the policy at the 1gb interface facing the sites:

   b. interface Gi1/0/4
       service-policy output Buffer_Policy

2. Increase the softmax multiplier

   a. "qos queue-softmax-multiplier 1200" command

If you guys have any experience in setting up QoS for a situation similar to mine and have a better idea, please let me know!! Thanks in advance!



Switches with "stream processing module" ?

Bit of an odd question here.

I was reading a networking related patent, US 7,142,509 B1, which describes adding a "stream processing module" to a switch to help reduce the amount of client traffic that needs to be sent directly to the server offering up the stream.

As of yet I can not find any implementation of this idea in the wild. The invention is a bit before my time in networking so I may just be missing something obvious but from googling I can not find any products that ever made use of a module like the one in the patent.

Has anyone ever seen a device with something like that inside it or did ExtremeNetworks just invent and patent something they never actually used?



Determining voice vlan information

Scenario for you;

Let's say I have a Cisco 2960x with a switch port that has switchport access vlan 10 and switchport voice vlan 10. I plug a voice-vlan-capable IP phone in. Are there any commands I can run on the switch to determine if the phone joined the VOICE domain or the DATA domain?



Cisco firepower reporting woes

Trying to grab some basic info on a user. I can see all this info through the connection events, but that's just a ridiculous amount of pdf pages all bundled up with a lot of scrolling.

In the reports section I can't figure out how to put this info in a simple-to-read report.

date/time

username

url category and or site (adult, music)

action (allow/block)

access rule (which rule if possible)



VTI vs DMVPN vs FlexVPN?

A SMB with ~75 branches is migrating from policy-based to route-based VPNs to support dynamic routing. Would you recommend moving to VTI's, DMVPN, or FlexVPN if there isn't a need for spoke-to-spoke tunnels? VTI's are attractive because they have less protocol overhead, but DMVPN appears to be the popular choice. Thoughts on ease of management/monitoring?



Has anyone successfully used any 3rd party SFPs with Cisco Catalyst 9300 switches?

Generic SFP-10G-SR modules cost 75% less than Cisco branded ones. But, I'd like to know whether they work before buying them. I've used non-Cisco SFPs with Nexus and 3850 switches, but not the newer C9300s.



Mapping a route to server?

Hi guys, I am currently trying to map a route to a server. I am using early CCENT-level skills to find the route. I tracerouted to see the last hop before the server IP. Then I telnetted to the router and looked at the ARP table to get the MAC address. Also, for some reason I have trouble using the pipe or tab to help me filter my sh commands; it just tabs like a regular tab. Third, I used CDP and sh run to check what the router is connected to and started going from there. Also I am running into things like this: when I get to one of the switches, the MAC table tells me the server is on a Po1 port, so I checked and yes, a port channel, which I researched (what it is and does), and checked the port summary and saw the interfaces. Next I arrived at another switch and found the MAC I'm looking for in the MAC table, but the interface it shows me is listed several times, int TenGi 9/1/1. Server MACs on the same interface to me means something similar to port or EtherChannel aggregation. After that I'm stuck as to where to go next. Any advice on what I can use to help me map this route? I know how to read CDP outputs etc. I don't have a network mentor or anyone; I'm self-taught and testing for CCENT soon. Thank you in advance.



Looking for advice on my ISE BYOD setup

Not sure if we have any ISE experts on here, but I’m looking for confirmation that my design is workable. I work in healthcare IT and we have ISE, Prime, MSE and HA paired 5520 WLCs. We currently have too many active SSIDs (6). The design I’m working on would be one SSID (to rule them all). If the device MAC is known by ISE as an enterprise owned device, it would just connect them to an internal vlan based on the location it is assigned to. If not, it would present a page asking if you are a guest or employee. If you choose guest, it brings up a page to enter some information then pushes you over to a guest vlan. If you choose BYOD it would push you to sign up for MDM (XenMobile or AirWatch. We’re deciding between the two now). I’m still in the design/learning phase of this and will probably employ professional services to help out, but I want to make sure I’m going the right direction here. Thanks everyone.



Urgent help needed : Mapping IP on local PC to another local IP

I'm demoing my game at PAX on a PC and have a build of my game that connects to the local multiplayer server with an ip of 192.168.1.10. The problem is now that I'm in another country and have connected with mobile tethering, so the IP of the local multiplayer server has changed to 192.168.42.39 and the multiplayer server software has thus changed this.

Is there any way I can route any connections to 192.168.1.10 to point to this new IP?

I tried setting a hosts file entry of 192.168.1.10 localhost, hoping that would work, but it doesn't.

Any ideas? Please, this is quite urgent; I can't demo my game if I don't get this sorted :(



Favorite centrally managed/single pane of glass networking?

Hi Network Gurus!
It's hardware refresh time and we're looking for an expandable centrally managed network infrastructure to allow us to remove the scattering of Cisco SG switches that are slogging through the day.

Yes, Ubiquiti is on the list and is one of my favorite systems to work with, but we're not committed or required to use it.
What are the other comparable centrally managed brands for about $600/switch? (Number is flexible, but hoping to be sub $1000/per)

Nice to haves would be switch models that have 10gig uplinks for future proofing in the core.



Crimper tool? Cat6a

Hi

I'm looking for a good cable crimper tool. I have one but it sometimes strips too much so it breaks my cable!

What are you guys using? What are the better brands?

Thanks



10G firewall for filter intervlan traffic

Hi!

We are looking for a redundant, cost-feasible firewall just to filter inter-VLAN routing traffic. I want to only allow some traffic from the user VLAN to some critical server VLANs. Similarly, development users can reach all servers, whereas other normal users can only reach some specific subnets.

We will not use this firewall as edge firewall as we already have Fortigate 100E in place for that.

Please guide in this scenario.

Thanks



Script for mass download of Packet Pushers Podcast?

Hi all,

I stopped listening to the PPP around episode 200. Now I see they are up to 400, and have spawned a whole bunch of other sub-topic podcasts. Does anyone have a script to do a mass download (preferably tagging with the release date)?

If not, who's up for some collaboration to get this done?

I recall hearing/reading that they weren't keen on people downloading and sharing as it would affect their download numbers which they use to find sponsors.



10Gb over 62.5/125 OM1

Looks like I can get 10Gb over OM1 (62.5) up to 220m, using 1310nm optics and mode conditioning patch cables [source]

Does this BoM look correct?

Anything else I should consider, other than SMF on refresh?



How would you do routing/crypto to 100,000 WWAN spokes?

Scenario: You want to design a central solution to connect 100,000 WWAN devices into something topologically resembling Dual Hub DMVPN.

  • All of the devices are uniform in that they all have only a single /30 IPv4 LAN behind them that needs to be routed to the hub(s).
  • Dynamic spoke-to-spoke tunnels are not needed since all traffic will go Hub<->Spoke.
  • The spokes only need a default route from the hub.
  • All of these spokes are on the same WISP on a "private" APN carried over redundant leased lines into the hub sites.
  • End-to-end encryption is a given because you don't trust anyone ever.
  • Spokes are authenticated to join the network using RADIUS.

I guess this could be done using BGP over IPsec+mGRE, but I guess the overhead alone would probably saturate the leased lines to the WISP. The WWAN connection's nature of jumping up and down every now and then, especially at scale, would probably make the hub routers sweat.

What's a good solution here? Am I too stuck in my old DMVPN thinking in that I might as well forgo mGRE completely and just go straight IPsec tunnels? Would I reach a better scalability/price if I used a couple separate IPsec Concentrator instead of terminating IPsec on a router? Is a traditional routing protocol even needed? Could one perhaps do some magic with the RADIUS attribute Framed-Route? Should I just give up and start using NAT on all the spokes?



PingPlotter help please

Hey everyone, I've lately felt like something is wrong with my internet, so I downloaded pingplotter, could anyone help me read the results please?

https://gyazo.com/925859fb60e13e273782354dec027cdb

Thanks in advance



Simple/free 802.1x solution?

I'm looking to find a simple 802.1x solution. The intent is to possibly replace (or augment) the need for Port Security and for the client devices to authenticate with a RADIUS server before being given access to the network. What I'd like to avoid is some sort of big software suite that provides not just 802.1x but a bunch of other features that I won't use. My understanding is that Cisco ISE is more than just a simple 802.1x solution.

I was also told once that 802.1x can reconfigure the VLAN that the port is a member of based on which devices (identified by MAC Address?) get plugged into it. I'd like to know if this is true.

For example, if some person decided to switch desks and they disconnect their PC and VoIP phone from their current port and move to a different location and the guy plugs the VoIP phone into a port that would normally be defined on a different VLAN, 802.1x would authenticate the phone and then change the VLAN membership of the port to remain in the voice VLAN. Is that a typical feature of 802.1x? Is this something that FreeRADIUS can provide?

I'm already using TACACS+ (free tac_plus solution) for AAA of network hardware (switches and routers) but it doesn't have any 802.1x capabilities. Thanks for any comments.



Looking for a ping tool

I need this ping tool to run a constant ping, but only pop up when a ping *doesn't* work.

Something I can run locally from a windows command prompt maybe?

So instead of:

Reply from 10.0.0.1 : bytes=32 time=15ms TTL=127

Reply from 10.0.0.1 : bytes=32 time=15ms TTL=127

request timed out to 10.0.0.1 at Forsday 25:11:09oclock February 31st 2092

Reply from 10.0.0.1 : bytes=32 time=15ms TTL=127

Reply from 10.0.0.1 : bytes=32 time=15ms TTL=127

request timed out to 10.0.0.1 at Forsday 25:11:12oclock February 31st 2092

I get

request timed out to 10.0.0.1 at Forsday 25:11:09oclock February 31st 2092

request timed out to 10.0.0.1 at Forsday 25:11:12oclock February 31st 2092

Is this a thing, somewhere?
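The behaviour asked for above, as an added example that is not part of the original post: wrap the system ping, stay silent while replies arrive, and print a timestamped line only for lost probes (plus a recovery line so an outage's length is visible). Hostnames, the sample transcript and the DOWN/UP wording are my own assumptions; the ping flags are the real ones for each platform.

```python
import platform
import re
import subprocess
import sys
from datetime import datetime
from typing import Callable, Iterable, List, Optional

# Reply lines from Windows ("time=15ms"), Linux/macOS ("time=0.45 ms") and sub-millisecond ("time<1ms").
REPLY_RE = re.compile(r"\btime[=<]\s*\d+(?:\.\d+)?\s*ms", re.IGNORECASE)
# Lost-probe lines: Windows "Request timed out.", macOS "Request timeout for icmp_seq 3",
# Linux iputils with -O "no answer yet for icmp_seq=3", plus the usual unreachable/expired errors.
FAILURE_RE = re.compile(
    r"request timed out|request timeout|no answer yet|destination (?:host|net) unreachable"
    r"|ttl expired in transit|general failure",
    re.IGNORECASE,
)


def classify(line: str) -> Optional[str]:
    """'ok' for an answered probe, 'fail' for a lost one, None for chatter (banner, statistics)."""
    if REPLY_RE.search(line):
        return "ok"
    if FAILURE_RE.search(line):
        return "fail"
    return None


def stamp(when: datetime) -> str:
    return when.strftime("%Y-%m-%d %H:%M:%S")


class OutageTracker:
    """Turn a stream of ping lines into DOWN / still down / UP events, staying silent while replies flow."""

    def __init__(self, host: str, now: Callable[[], datetime] = datetime.now) -> None:
        self.host = host
        self.now = now  # injectable clock so replayed transcripts get deterministic stamps
        self.lost = 0   # consecutive lost probes in the current outage, 0 while the host answers

    def feed(self, line: str) -> Optional[str]:
        """Return an event string for this line, or None when nothing worth reporting happened."""
        state = classify(line)
        if state == "fail":
            self.lost += 1
            label = "DOWN" if self.lost == 1 else f"still down ({self.lost} lost)"
            return f"{stamp(self.now())}  {self.host} {label}: {line.strip()}"
        if state == "ok" and self.lost:
            lost, self.lost = self.lost, 0
            return f"{stamp(self.now())}  {self.host} UP again after {lost} lost probe(s)"
        return None


def replay(lines: Iterable[str], host: str, now: Callable[[], datetime] = datetime.now) -> List[str]:
    """Run a saved ping transcript through the tracker and return only the events."""
    tracker = OutageTracker(host, now)
    return [event for event in (tracker.feed(line) for line in lines) if event]


def ping_command(host: str) -> List[str]:
    """Continuous ping for the local platform; Linux needs -O to print a line for each unanswered probe."""
    system = platform.system()
    if system == "Windows":
        return ["ping", "-t", host]
    if system == "Linux":
        return ["ping", "-O", host]
    return ["ping", host]  # macOS/BSD ping runs forever and reports timeouts by default


def monitor(host: str) -> None:
    """Spawn the system ping and print only the failure/recovery events to the console."""
    with subprocess.Popen(ping_command(host), stdout=subprocess.PIPE, text=True, bufsize=1) as proc:
        tracker = OutageTracker(host)
        for line in proc.stdout:
            event = tracker.feed(line)
            if event:
                print(event, flush=True)


# Constructed sample transcript in the Windows ping format (not captured from a real host).
SAMPLE_TRANSCRIPT = [
    "Pinging 10.0.0.1 with 32 bytes of data:",
    "Reply from 10.0.0.1: bytes=32 time=15ms TTL=127",
    "Request timed out.",
    "Request timed out.",
    "Reply from 10.0.0.1: bytes=32 time=15ms TTL=127",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        monitor(sys.argv[1])  # e.g. python pingwatch.py 10.0.0.1
    else:
        for event in replay(SAMPLE_TRANSCRIPT, "10.0.0.1"):
            print(event)
```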



arp-on-stp

Anyone using arp-on-stp for particular use cases in production?

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/arp-on-stp-edit-protocols.html

We have a number of RVIs that are OSPF enabled, which support next-hop reachability for iBGP sessions running on lo0. We are seeing some instances of iBGP flapping if we have an RSTP TCN. I believe it is due to all the MAC learning going on; the routing engines on the ToR switches end up losing the BGP keepalive packets from the upstream peer.

I'm thinking I can use arp-on-stp to help minimize the impact of this. Although the documentation is pretty sparse: it says you must have RVIs to take advantage of this (which we do), but the docs are totally silent on whether we have to enable this feature on all physical interfaces that carry the VLANs where the RVIs live.

I'd love to get rid of the RVIs and just have fixed layer 3 boundaries between ToR/Core, but we have a number of folks that need to span VLANs between switches, in a very heterogeneous environment (multi-tenant, some physical, variety of virtual). But alas, I can't figure out the config to make it work on EX series switches we are running as ToR.



Network Scans displaying IP addresses that do not exist

Using IP scanning software or a monitoring tool (nmap, Angry IP Scanner, Darktrace, BeyondTrust, etc.) will display IP addresses that do not exist within the network. What is strange is that it displays all IP addresses in the range of the scan. For instance, if we scanned 172.16.1.1 - 172.16.1.254, it will display all IPs from 1-254 as active.

Our network is sort of a hub and spoke network with SD-WAN (from VeloCloud) implemented at all of our locations. Our main headquarters houses all the servers, so the other remote sites will be coming through to our main site. Since our ISP (TPx) doesn't allow us to control what is on the SD-WAN, we have a Fortigate firewall installed behind the SD-WAN at our HQ. The other remote sites do not have a firewall in place, just SD-WAN. If we do a network scan from one remote location to another remote location, the scan works perfectly. However, the issue only arises when scanning between HQ and a remote site (both HQ to remote and remote to HQ).

Our Fortigate simply has an allow-all rule permitting all other remote sites into the HQ network. There is no special configuration at the other remote SD-WAN sites, other than having a static route at the HQ site for our main IP address (10.10.x.x) so that the other remote sites know how to communicate with our main site.



Cisco dhcp on vlan issue

Some months ago I set this up as a test for a client to use when ready. It worked when last tested. I went to hook up clients today and they do not receive DHCP on this wired VLAN. Wireless clients on the same VLAN work just fine. It's possible that the access switch that they are connected to might have had its config messed with by another person, but I can't confirm and I can't see what's wrong.

I have a particular vlan 30 that I set up for its own dhcp pool. The clients on this vlan all connect via an access switch that has this vlan configured on it. They receive dhcp from another switch that has the pool configured on it.

This is the switchport config:

interface TwoGigabitEthernet3/0/14
 description *** TEST ***
 switchport access vlan 30
 switchport voice vlan 10
 trust device cisco-phone
 storm-control broadcast level 10.00
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy
end

This is the part of the config that might have been messed with, but I can't see what it's missing. The DHCP pool works as wireless clients are using it on the same vlan through a wlc 5520.

If I set a static IP, the network operates correctly.

Wireshark shows DHCP discover broadcasts sent, but there is no reply.

There is an ip helper-address set on the VLAN interface on the switch that runs the DHCP server.

can anyone see what I'm missing? Can share more config if someone wants. Everything is pretty standard.

Thanks!



Minimal Packet loss exist on Ping Plotter?

Hi, here's the story: the customer keeps raising this packet loss issue using their PingPlotter, and upon checking they do have packet loss, but it's only "0.3%".

I have provided the necessary details from the switch interfaces etc.

What would be the cause of this 0.3% loss? Is this because of the hardware on which PingPlotter was installed? Upon looking up their MACs, it seems the source is HP and the destination is VMware. Any technical explanation... Though I'm still searching for how to answer this, maybe someone here has encountered this?

Thanks



CISCO - how do jumbo frames work on point to point links? Fragmentation?

Quick question for you all,

I'm wondering how to properly implement jumbo frames on my network. My team is looking to start off by implementing jumbo frames on our Cisco L3 switches from our access layer to our distribution/core layers on point-to-point links.

My question is:

Say I have 5 x L3 VLANs (with respective L2 VLAN mapping) where all switch ports are configured for the standard 1500 MTU. I then configure another SVI point-to-point link to my distribution layer, both sides configured for jumbo MTU (let's say 9000).

Would fragmentation not occur from the distribution layer to the access layer during the conversion from jumbo MTU to the standard 1500 to reach my access VLANs? If not, how exactly do the switches perform this?

By doing this, am I just increasing CPU use due to fragmentation with no real traffic optimization benefit?

Thanks



Do MANs exist today? What are they used for? Why not just use a VPN?

Sorry for my ignorance



Anybody using an ASA with FTD?

Decided to set up an ASA in this, and while the interface makes a ton more sense than the crazy ASDM/Firepower separation that it had before, I keep running into things that bewilder me. For instance, as far as I can tell, you can't make any config changes through the CLI; however, you can only make more CLI users and not any more GUI users.

Then comes to the spot where it came with 20 lines of AOL instant messenger objects, that are freaking unremovable. They just sit there at the top of my objects list every time I click it, taunting me.

Now I don't have it planned for an important connection, but is the FTD just too beta right now or have people been using it successfully? The interface makes sense and functions great I just keep running into things that make me feel like I'm testing pre-launch software.



Cisco fpr appliances in asa mode any good?

You don’t have to look far to find all the fmc/firepower horror stories. Is anyone running the fpr 2100s or 4100s in asa mode? Any problems or painful experiences? I think you still have to manage the underlying fxos which can be an operational challenge but aside from that I have heard much good or bad.



Do most organizations have well-documented troubleshooting playbooks?

Asking this question to get a sense of what documentation everyone here has available when they run into an outage or slowness. Things that have worked in the past or new tech deployed by someone else might provide helpful clues. Do you have this info easily available?



Cisco Port-Security

I have Cisco port-security enabled (MAC address sticky). An unauthorized device shut down the port and further investigation revealed a MAC address 0000.3600.10ab which comes up as an Atari device. Obviously the user in question says nothing was plugged into his workstation or jack.

MAC address spoofing is in the back of my head but, does anyone know what type of Atari mobile type console I should keep an eye out for in the office area?

This has happened twice in the past two weeks



Juniper Config Recommendations - EX Series

Hi Everyone,

I am stepping over from the Cisco world to the EX series. While I am reading up on them, I was wondering if anyone has tips or go-to configs for their setups, especially for the access layer / device-side ports.

My setup would be:

  • Green field deployment
  • voip phones
  • VC Chassis with the EX4300 (all QSFP interfaces to be used)
  • Multiple VC stacks in separate wiring closets.
  • multi user vlans (around 10)
  • trunk via the SFP+ modules to a spine pair (Arista) with lacp with mlag.
  • Looking to use 802.1x with NAC to authenticate network access.

Some things I found that were quite interesting are:

  • dhcp snooping to reject rogue dhcp servers on the network
  • enabling arp inspection (DAI) to prevent spoofing
  • QSFP at the rear cannot breakout to 4x10GbE :(

Any points or tips would be appreciated. Thank you!



First job in a NOC

Hi all,

I've landed a job as an ops engineer in a NOC. This isn't my first role in IT as I've done a couple of service desk jobs over the last few years.

I'll be doing shift work as it's a massive company that needs things running 24/7, they've said there is lots of scope for moving up (I've spoken to people that work there and I believe this is accurate)

Any advice for someone new to this line of work? I'm studying for CCNA R&S in my own time, is there anything else you would recommend?



Tuesday, October 23, 2018

Calculate number of subnets

2^(CIDR-Classy bits) = 2^(22-32) = 2^-10? I'm not understanding how to get the number of subnets.
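A worked version of this calculation, added here as an example and not part of the post: the subnet count is 2 raised to the number of bits borrowed beyond the classful (A=/8, B=/16, C=/24) length, so a /22 cut from a class B /16 gives 2^(22-16) = 64 subnets of 1022 usable hosts each; the ipaddress cross-check enumerates the subnets to confirm the formula. The sample networks are constructed, not from the post.

```python
import ipaddress


def classful_prefix(network: str) -> int:
    """Prefix length of the old classful block the address falls in: A=/8, B=/16, C=/24."""
    first_octet = ipaddress.ip_network(network, strict=False).network_address.packed[0]
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError("class D/E addresses are not subnetted")


def subnet_count(network: str) -> int:
    """Subnets carved out of the classful block: 2^borrowed, borrowed = CIDR length - classful length."""
    net = ipaddress.ip_network(network, strict=False)
    classful = classful_prefix(network)
    borrowed = net.prefixlen - classful
    if borrowed < 0:
        # A negative exponent is the sign the two lengths were swapped (or this is a supernet).
        raise ValueError(f"/{net.prefixlen} is shorter than the classful /{classful}: a supernet, not a subnet")
    return 2 ** borrowed


def usable_hosts(network: str) -> int:
    """Hosts per subnet: 2^(32 - CIDR length) minus network and broadcast (/31 and /32 are special cases)."""
    net = ipaddress.ip_network(network, strict=False)
    return max(net.num_addresses - 2, 0)


def subnet_count_by_enumeration(network: str) -> int:
    """Cross-check the formula by letting the ipaddress module enumerate the subnets of the classful block."""
    net = ipaddress.ip_network(network, strict=False)
    block = ipaddress.ip_network(f"{net.network_address}/{classful_prefix(network)}", strict=False)
    return sum(1 for _ in block.subnets(new_prefix=net.prefixlen))


if __name__ == "__main__":
    # Constructed sample networks: class B, class A and class C examples.
    for example in ("172.16.8.0/22", "10.20.0.0/22", "192.168.1.64/26"):
        print(f"{example}: classful /{classful_prefix(example)}, "
              f"{subnet_count(example)} subnets, {usable_hosts(example)} usable hosts each")
```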



Cisco FireSIGHT 5.4 to 6.2.3 Upgrade

I'm looking to get some help on upgrading our FireSIGHT and FirePOWER devices from 5.4 to 6.2.3.

Here's my current state:

FireSIGHT VM: 5.4.1.11

3D7030: 5.4.0.10

2x ASA5516-X with FirePOWER: 5.4.1.10

I've heard the horror stories about upgrades. I inherited these devices when they were at 5.3, so I've done my share of upgrades and seen the failures. I attempted the 6.0 upgrade on FMC and it failed horribly (thank you VM snapshot).

So I'd like to build a new FMC at either 6.1 or 6.2.

My question is how do I import all my configs and licenses into the new FMC? Can I just take a backup on 5.4.1.11 and import it straight into 6.1 or 6.2?

And my next question, how do I manage the sensor upgrades? Because 6.2 can't manage 5.4 devices. So should I go to FMC 6.1, import my sensors and then re-image them? Or go straight to 6.2.3, re-image my sensors and then add the sensors to FMC?

I've done some Googling and read the Cisco forums but I can't find a straight answer for this scenario. I'm sure I'm not the first person to go through this. Everyone just says build a new FMC and re-image the sensors but I can't find these specific steps.

Anyone else go through this FirePOWER nonsense!?

And I guess, what version should I land on? I just saw the post that said 6.2.3.6 is buggy. Cisco recommends 6.2.3.5. Or should I stay on 6.2.3?



Why isn't this VLAN interface being added to the routing tables on a Cisco 9300 stack?

I’ve configured VLAN 100 on my soon-to-be core 9300 stack for a routed transit network to my edge firewalls. It’s configured similarly to all of the Access VLANs on the stack:

!
interface Vlan100
 description EDGE_TRANSIT
 ip address 10.1.100.101 255.255.255.252
!

However the network isn’t showing up in the routing table, and even though the command “ip default-network 10.1.100.102” is in the running-config it’s still not showing up in the routing table as having a gateway of last resort:

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 26 subnets, 2 masks
C        10.1.12.0/24 is directly connected, Vlan12
L        10.1.12.1/32 is directly connected, Vlan12
C        10.1.13.0/24 is directly connected, Vlan13
L        10.1.13.1/32 is directly connected, Vlan13
C        10.1.14.0/24 is directly connected, Vlan14
L        10.1.14.1/32 is directly connected, Vlan14
C        10.1.15.0/24 is directly connected, Vlan15
L        10.1.15.1/32 is directly connected, Vlan15
C        10.1.16.0/24 is directly connected, Vlan16
L        10.1.16.1/32 is directly connected, Vlan16
C        10.1.17.0/24 is directly connected, Vlan17
L        10.1.17.1/32 is directly connected, Vlan17
C        10.1.18.0/24 is directly connected, Vlan18
L        10.1.18.1/32 is directly connected, Vlan18
C        10.1.19.0/24 is directly connected, Vlan19
L        10.1.19.1/32 is directly connected, Vlan19
C        10.1.20.0/24 is directly connected, Vlan20
L        10.1.20.1/32 is directly connected, Vlan20
C        10.1.28.0/24 is directly connected, Vlan28
L        10.1.28.1/32 is directly connected, Vlan28
C        10.1.60.0/24 is directly connected, Vlan60
L        10.1.60.6/32 is directly connected, Vlan60
C        10.1.70.0/24 is directly connected, Vlan70
L        10.1.70.1/32 is directly connected, Vlan70
C        10.1.200.0/24 is directly connected, Vlan200
L        10.1.200.1/32 is directly connected, Vlan200

Why isn’t that network for VLAN 100 showing up in the routing table, and why isn’t it taking the default-network command?



2 NAT statements for the same public IP address - fundamental network question

This might be a strange question but let's say I have a webserver that hosts a website.

Internally this website is 172.28.250.2, and let's say I have a NAT statement on my firewall to translate this to some public IP address of 67.x.x.67 for customers to hit from the outside.

Let's say the URL to this website is www.abcd.com and now I want to add a second URL that goes to this same website as well, let's say www.dcab.com (I guess they would call this an ALIAS in DNS), so they would both go to the same website. Let's also say that these 2 URLs internally resolve to the same IP address of 172.28.250.2 as mentioned above, but the second URL has a different public IP address, let's say 68.x.x.68.

Let's say I didn't have access to DNS to make the 2nd one resolve to the same IP address for customers on the outside to hit. As a backup plan, is there a way that I could make a NAT statement on the ASA to take this new URL's outside IP address and also NAT it against the 172.28.250.2 address? I believe that this is a fundamental problem, since now you probably can't have 2 different outside IPs resolve to the same internal IP... but maybe there is a trick here that I'm not aware of?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



ASA VPN Issues with default NO ACCESS policy

I have setup an ASA to authenticate to the AD server in conjunction with VPN access. Everything works except for two things:

  1. When assigning a default "NO ACCESS" policy to the AnyConnect profile, I am unable to access the VPN using an account that has access. Once I change the default policy back to a policy that grants access, I can sign in without issues.

  2. Upon successful connection and access to the VPN, I cannot access any servers or shares on the internal network. Secured routes include the network that the servers are residing on.

I am using the anyconnect fat client downloaded to the laptop that I am testing this out with.

If more information is needed I can provide more but I figure this might be enough to help me figure out where the issue may be.