Saturday, November 24, 2018

Hardware recommendations for sniffing WiFi traffic?

I'm doing IoT device development work and I don't have a good, reliable way to capture WiFi traffic. Wireshark doesn't show my WiFi network interface on my Windows development system, and sniffing WiFi traffic on my Ubuntu laptop causes the network connection to drop and sometimes also crashes Wireshark.

For now, at least, I'd be satisfied with capturing traffic off the wired side of the network. Ages ago, when I was a sysadmin for a 3000-user site, we had managed switches with monitor port capability - and before that, dumb hubs. What I have now is very little budget for extra hardware and an office with consumer-grade network gear - a Linksys E2500 and a handful of other access points, bridges, and unmanaged switches, none of which have any kind of port mirroring.

I'm really hoping to avoid standing up another Linux box that I have to maintain, and try to remember how to configure. Can someone recommend a reliable access point / router with port mirroring? Or a dedicated tap device?

There's also stuff I will need to capture off the air eventually, since the Silicon Labs WiFi modules we're using are full of weird quirks and bugs, so I'm open to recommendations for wireless capture hardware that works reliably with Wireshark.

I'm way out of date on some of this stuff, short on time, and the signal-to-noise ratio for all of the Google searches I can think of is awful. It's 2018 - there ought to be a cheap off-the-shelf solution that just works. Can someone point me in the right direction?

Thanks!



Networking Cash $$$

A couple of colleagues and I recently hit the local bar after being called in to deal with a rather bizarre issue with our company's network.

We had some drinks and got onto the conversation that 'we don't get paid enough for this', which I assume most if not all Network Engineers think at least once in their career. This got me thinking: who within the networking space really tops the pay scale?

We all agreed that the network architects seem to get paid more... either that or they just shop at nice suit stores.

I'd love to know what you think, r/networking: is it the CCIE or JNCIE in the company, or the Architect? Is it the sneaky Tier 2/3 Network Engineer who goes under the radar??



Home Network Administration. RDP/Folder Mapping

So I'm going to try to keep this within the rules.

I just bought a little project PC running windows 7 professional. My primary PC is windows 10.

I've found all of the RDP setups I can find, but I can't get RDP to behave the way I want.

I want to be able to RDP from my windows 10 PC into the windows 7 PC, as the current user logged in on the windows 7 machine. Similar to how teamviewer will just connect and allow control.

It looks like RDP will work, but I need a separate user/pass setup on the 7 PC... It doesn't seem like I can just take control of the 7 PC...

What steps am I missing? I can remote in, but not as the current user.



I just realized that IPv6 will eliminate the need for VRF/MPLS, or am I wrong?

Since every network can have unique addresses, does that mean we can have a flat SP network?



Looking for a guide or docs to start with OpenDayLight SDN controller with Cisco devices

Hi guys

I am reading that the ODL controller from Cisco is EOS, so this is not a product that Cisco markets anymore.

Is there any other SDN controller that is compatible with Cisco devices?

The other thing that I am looking for is what devices (if any) are compatible with OpenDaylight (the open source, community project I think).



Checking if I can make this happen for my routers!

Hi, I have a few routers here and there with dynamic IPs. Is there a way I could make the router run, for example, a cron job or something that uploads a text file with the current active dynamic IP every 25 minutes or so to a VPS, in an Excel or table-shaped view (time, IP, live since)?

Routers I have: D-Link, TP-Link!



OpenVPN TAP Server - Can't Access Bridged Subnet - But Can Access Other Subnets

https://ift.tt/2r3zxWr

Can someone explain the 32-bit CRC polynomial and how it is used?

I've been writing a program for raw packet networking and have had few issues until I arrived at the end of the Ethernet frame. I have not found any good explanations as to what the 32-bit CRC is and how the polynomial is applied. Thanks to anyone who can help.
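As an added example (not from the poster), the block below shows how the IEEE 802.3 CRC-32 polynomial is applied to an Ethernet frame to produce and verify the FCS, first bit by bit and then byte by byte; the frame contents (MAC addresses, payload) are constructed sample data.

```python
import struct
import zlib

# IEEE 802.3 generator polynomial G(x) = x^32 + x^26 + x^23 + x^22 + x^16 +
# x^12 + x^11 + x^10 + x^8 + x^7 + x^5 + x^4 + x^2 + x + 1. The x^32 term is
# implicit; the remaining coefficients form the 32-bit constant 0x04C11DB7.
POLY_NORMAL = 0x04C11DB7
# Ethernet transmits each byte least-significant bit first, so a right-shifting
# implementation uses the bit-reversed ("reflected") polynomial.
POLY_REFLECTED = 0xEDB88320

CRC32_INIT = 0xFFFFFFFF     # register preset: equivalent to complementing the first 32 message bits
CRC32_XOROUT = 0xFFFFFFFF   # the transmitted FCS is the one's complement of the remainder
CRC32_RESIDUE = 0x2144DF1C  # crc32(frame || fcs) of any intact frame, with the parameters above


def reflect32(value: int) -> int:
    """Bit-reverse a 32-bit integer (derives POLY_REFLECTED from POLY_NORMAL)."""
    return int(f"{value:032b}"[::-1], 2)


def crc32_bitwise(data: bytes) -> int:
    """CRC-32 as used for the Ethernet FCS, one bit at a time.

    This is long division of the message polynomial by G(x) over GF(2): whenever
    the bit shifted out of the register is 1, G(x) is subtracted (XORed) from it.
    """
    reg = CRC32_INIT
    for byte in data:
        reg ^= byte                  # fold the next 8 message bits into the low end
        for _ in range(8):
            if reg & 1:
                reg = (reg >> 1) ^ POLY_REFLECTED
            else:
                reg >>= 1
    return reg ^ CRC32_XOROUT


def build_crc_table() -> list:
    """Pre-compute the effect of each of the 256 byte values on the register."""
    table = []
    for n in range(256):
        reg = n
        for _ in range(8):
            reg = (reg >> 1) ^ POLY_REFLECTED if reg & 1 else reg >> 1
        table.append(reg)
    return table


CRC_TABLE = build_crc_table()


def crc32_table(data: bytes) -> int:
    """Same CRC, a byte at a time: what zlib.crc32 and NIC hardware effectively do."""
    reg = CRC32_INIT
    for byte in data:
        reg = (reg >> 8) ^ CRC_TABLE[(reg ^ byte) & 0xFF]
    return reg ^ CRC32_XOROUT


def matches_zlib(data: bytes) -> bool:
    """Cross-check our implementation against the standard library's CRC-32."""
    return crc32_table(data) == zlib.crc32(data)


def append_fcs(frame_without_fcs: bytes) -> bytes:
    """Append the 4-byte FCS. On the wire the CRC's least significant byte goes first."""
    return frame_without_fcs + struct.pack("<I", crc32_table(frame_without_fcs))


def fcs_is_valid(frame_with_fcs: bytes) -> bool:
    """Receiver-side check: the CRC over header + payload + FCS is a fixed constant."""
    return len(frame_with_fcs) > 4 and crc32_table(frame_with_fcs) == CRC32_RESIDUE


def constructed_frame() -> bytes:
    """A minimal constructed Ethernet II frame without FCS (sample data, not a capture)."""
    dst = bytes.fromhex("ffffffffffff")          # broadcast
    src = bytes.fromhex("020000000001")          # locally administered sample MAC
    ethertype = struct.pack(">H", 0x0800)        # IPv4
    payload = b"hello, wire".ljust(46, b"\x00")  # pad to the 46-byte minimum payload
    return dst + src + ethertype + payload


if __name__ == "__main__":
    frame = append_fcs(constructed_frame())
    print(f"frame length {len(frame)} bytes, FCS on the wire: {frame[-4:].hex()}")
    print("valid:", fcs_is_valid(frame))
    damaged = bytearray(frame)
    damaged[20] ^= 0x01                          # a single flipped payload bit
    print("valid after 1-bit error:", fcs_is_valid(bytes(damaged)))
```

A frame captured with its FCS intact should always satisfy fcs_is_valid; most NICs strip the FCS before handing the frame to software, so a capture tool usually never sees it.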



Troubleshooting Network Performance

I'm interested in troubleshooting wired network performance (Enterprise; we use Cisco). I've been in the field for 1 1/2 years as a NetOps Eng and have gone through numerous CCNA books. From them, I feel like I can fix stuff that is blatantly broken, but my main weakness is troubleshooting subtle performance-related issues.

I don't have a mentor. If you guys have any good reads/docs/tools/advice on this topic, could you provide them? I have been researching & googling this topic for 2 weeks, but I'm sifting through a lot of garbage and I'm not sure what to trust/not trust, so I'm asking for senior advice/direction on it.



[UPDATE] I shut down my company over thanksgiving to do a network migration and somehow it all worked.

I'm baffled as to the how and why, but it's all back up.

Interestingly, when I got to the office at ~8am on Thanksgiving day my first couple hours were spent dealing with a problem of actual tubes instead of metaphorical tubes. Our fizzy water machine had decided to start leaking sometime in the middle of the night. If I hadn't been doing this work today, no one would have seen this until Monday and the damage would have been MUCH worse.

So after shutting off the water, making the required phone calls and letting in the cleanup crews, I was able to get to work. Wearing my lucky shirt I took one last snapshot of all configs and a deep breath, and at 10:43am shut down all the interfaces on the edge firewalls.

By 11:30 I'd cleaned out enough of the old mess to be able to start building new security policies. We previously had ~180 rules, and almost all of them needed to be adjusted in some way and none of it was common enough to script. Once I was done with those I moved onto the NAT policies, then the Policy based forwarding, and by 1pm I was starting to re-patch everything.

The patching took a solid 4 hours, but it was some of the most fun I've had in my career. I knew what needed to be done and was so excited to finally be getting to clean up this mess after months of planning that I was jogging from IDF to IDF because walking was just too damn slow. I had my charts and diagrams printed out and I'd pre-staged most of the new cables beforehand, so much of the time was removing the old pile of spaghetti and installing new cable management.

At 5:15pm, I got OSPF neighbor relationships forming between the new core switch and the edge firewalls. At 7:15pm all of the IDFs were back online, and at 7:25 the DHCP relays were pointed back to the servers and I was greeted by the "Bloo-loo-loo-looop!" noises from around the office as all of our VoIP phones started regaining connectivity. At 9pm, after verifying that all of the VLANs had internet connectivity and I could get to our network drives and AWS VPC, I sent a status e-mail and went home.

Yesterday (Friday) I arrived at 9am to let in the next round of clean-up crews for the water damage, and got back to testing and documenting the changes. There have been some minor glitches that I've taken care of, but almost all of yesterday and today has simply been cleaning up the old switch configs, clearing out now-unused VLANs and labeling things both in the configs as well as with physical labels on the devices themselves (and almost completely depleting our stock of label maker tape). This cleaning up has taken a surprisingly long time in the Palo Altos because VLANs and interfaces are referenced in SO MANY DIFFERENT PLACES that you have to hunt through the entire system clearing everything out before you can actually delete them.

I only ran into one real roadblock that required a call to support. It turns out that when you're putting an Ether-channel pair through a Palo Alto firewall in Virtual Wire mode, you have to create two separate virtual wires instead of aggregating the ether-channel onto the firewall itself (as described in this article that the nice support lady linked me to: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHTCA0). Once I got that straightened out, it was mostly clear sailing and everything went according to plan. Which still kinda freaks me out . . .

Now I'm standing here looking at everything and it's all working. Quiet, happy little packets just humming along, getting where they're going in a much more logical way than before. But there's a very real part of me that is utterly perplexed that I was able to implement this whole thing and that it actually worked.

If there's a single most valuable lesson that I can take away from this, it's to ALWAYS MAKE A CHECKLIST. There were so many times that I was getting overly excited and flustered that I absolutely would have missed something major if I had not made a very long and detailed list beforehand when I was not quite so fizzy-brained. Every time I started to get ahead of myself, I could turn back to the list and just focus on the next step.

And now I'm going to spend the rest of the day relaxing by writing documentation, and then head home this evening to do some MORE obsessive planning and engineering. Because a transfer window to Jool is opening soon and I've got contracts to land my little green men on Laythe as well as do a rescue from Vall, and when you're playing with an unforgiving life support mod you need to plan your missions out in great detail if you're going to have a hope of getting home. ;)



NXOSv 9000 9.2.1 stuck on " Escape character is '^]' "

I downloaded the nxosv.9.2.2.qcow2 and imported it as a QEMU VM. Upon starting, it stays on " Escape character is '^]' ". How do I fix this? I'm running the GNS3 2.1.11 gui with GNS3 2.1.11 VM. The host is Ubuntu 18.04 KVM.



1GigE Copper RJ45 SFP modules

Hi,

I have a bunch of legacy servers that need connecting to a new switch fabric. The problem is that the switches are all 10GigE SFP+ and the servers only have 1GigE copper RJ45 NICs.

I'm looking at buying some copper SFP adapters from https://www.flexoptix.net/en/transceiver/sfp_-copper but I'm confused about whether I need SGMII or SerDes and also if I need NO_RX_LOS or RX_LOS or Preferred Master etc..

Can someone shed some light on the differences?

The switches I'll be using are Dell S4148F-ON and the NICs are Broadcom based.



scope vrf "name" vs address-family ipv4 vrf "name"

Hello,

Could someone be nice and explain to me the difference between both commands?

router bgp 1
 scope vrf "test"
  neighbor 1.1.1.1 activate

router bgp 1
 address-family ipv4 vrf "test"
  neighbor 1.1.1.1 activate



ZeroShell: it looks good, but nobody seems to be running it...

https://ift.tt/2PRtvqK

Sanity Check - BGP Multihoming with 2 ISPs and 2 Routers

I'm going to be turning up a secondary ISP connection in one of my data centers. I have little real-world experience with BGP, so I wanted to double check that nothing I was planning on doing is egregiously wrong.

Requirements

  • All inbound and outbound traffic routes through ISP-A by default
  • ISP B is only used in the event of a failure on Router 1, or if I lose routes from ISP-A
  • In the event that I do lose routes from ISP-A, I don't particularly mind if outbound traffic has an extra hop through Router 1 to reach Router 2 and ISP-B, so I'm not planning on tracking HSRP at all

Topology

https://imgur.com/a/RFsBu1l

BGP Configs

Router 1:

ip route 3.3.3.0 255.255.254.0 Null0 name BGP_SEED_ROUTE
ip prefix-list TO_ISP seq 10 permit 3.3.3.0/23
route-map SET_LOCALPREF permit 10
 set local-preference 150
route-map TO_ISP permit 10
 match ip address prefix-list TO_ISP
router bgp 3333
 network 3.3.3.0 mask 255.255.254.0
 neighbor 172.32.1.2 remote-as 3333
 neighbor 172.32.1.2 description iBGP Connection to Router 2
 neighbor 172.32.1.2 update-source Loopback0
 neighbor 172.32.1.2 soft-reconfiguration inbound
 neighbor 172.32.1.2 next-hop-self
 neighbor 1.1.1.1 remote-as 1111
 neighbor 1.1.1.1 description Connection to ISP A
 neighbor 1.1.1.1 soft-reconfiguration inbound
 neighbor 1.1.1.1 route-map SET_LOCALPREF in
 neighbor 1.1.1.1 route-map TO_ISP out

Router 2:

ip route 3.3.3.0 255.255.254.0 Null0 name BGP_SEED_ROUTE
ip prefix-list TO_ISP seq 10 permit 3.3.3.0/23
route-map TO_ISP permit 10
 match ip address prefix-list TO_ISP
 set as-path prepend 3333 3333 3333
router bgp 3333
 network 3.3.3.0 mask 255.255.254.0
 neighbor 172.32.1.1 remote-as 3333
 neighbor 172.32.1.1 description iBGP Connection to Router 1
 neighbor 172.32.1.1 update-source Loopback0
 neighbor 172.32.1.1 soft-reconfiguration inbound
 neighbor 172.32.1.1 next-hop-self
 neighbor 2.2.2.1 remote-as 2222
 neighbor 2.2.2.1 description Connection to ISP B
 neighbor 2.2.2.1 soft-reconfiguration inbound
 neighbor 2.2.2.1 route-map TO_ISP out


Looking for some quite specific software

First of all, I don't even know if this is the right sub for my question, but well, gotta give it a try.

I'm looking for software which can access a remote PC like TeamViewer does, but that gives me the option to bridge a virtual network adapter from my PC to a real adapter on the remote PC.

SoftEther VPN could do something like that, but I would only want it temporarily, for example for accessing a PLC that is connected to the remote PC.



Satellite Admin Connection ?

Well this is more a curiosity question:

How do admins from NASA or SpaceX connect to satellites to administer them? Do these satellites have normal computers running Windows and Linux? And so they connect over SSH and Terminal Services?

Since it's OTA I imagine they use a special protocol that is fault-tolerant!?

Can anyone throw some light on this or maybe point out some article!



MPLS-OSPF Redistribution Woes part 2

I posted a few days ago in regards to an issue redistributing routes from MPLS/BGP to OSPF and have returned with more concise info and the issue as I see it. Hoping for some more valued input!

Simplified topology is below:

image.png

MPLS/L3VPN running on the core routers, with a corp VRF we use. Between the CLL routers and R1 I want to use OSPF to redistribute the routes learnt from all core routers. The export policy on the core routers is as follows:

term 1 {
    then accept;
}

Pretty standard and simple. Redistribute all the routes it knows into OSPF. These routes are in the OSPF database on the core, but they are not going into the routing table of R1. Upon looking at the OSPF database on R1 I see the following:

Type-5 AS External Link States

Link ID      ADV Router   Age   Seq#        Checksum  Tag
0.0.0.0      10.2.50.2    2359  0x80000005  0x0044F8  3489681806
10.0.0.0     10.2.50.2    580   0x800000D0  0x00F6A4  0
10.2.50.0    10.2.50.2    545   0x800000D0  0x00C89B  0
10.2.60.0    10.2.50.2    510   0x800000D0  0x005AFF  0
10.2.70.0    10.2.50.2    475   0x800000D0  0x00EB64  0
10.2.80.0    10.2.50.2    440   0x800000D0  0x007DC8  0
10.20.0.0    10.2.50.2    2324  0x80000005  0x00D04E  3489681806
10.20.2.0    10.2.50.2    406   0x800000D0  0x000280  0
10.44.50.0   10.2.50.2    2290  0x80000005  0x00874D  3489681806
10.44.60.0   10.2.50.2    2255  0x80000005  0x0019B1  3489681806

The routes marked with a tag of 3489681806 are routes that are originating from a router which is not directly attached, and it is these routes that are not populating the routing table.

I have googled this and it seems to be an MPLS PE-CE OSPF loop prevention method as linked here:

https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/118800-configure-ospf-00.html

The thing is I want these routes in R1's table! R1 is running vrf-lite, and the corp RD is 20878:10; on the core routers the RD is 20878:101. I think I'm right in saying that the whole string should match for it to be recognised as a loop. Not really sure what is going on.

Anyone able to shed some light on this please?



Connect 3 sites to eachother, via OSPF?

Hi,

I have 3 sites, with 3 VyOS routers.

I currently have site 1 connected to site 2. Site 1 is also connected to site 3. This is all via site-to-site IPsec VPN.

However I would like to connect site 2 to site 3, so that if one fails, I still have a route via the other way. As far as my knowledge goes, site-to-site isn't the way to go, but I should use OSPF.

It's hard to find any good guides for VyOS, and my knowledge is very limited, so is anyone able to advise me if OSPF is the way to go?

Thank you in advance.



(clueless) Bought a router, thought it could give internet from inserting micro-sim card. Help

I don't have cable internet to the house I currently live in, I rely on the wifi - internet from my mobile. (micro-sim). I thought I could buy that product and insert the sim-card and it would give me better wifi connection.

Then I realised it has no place to insert the card so I started googling and now I know the difference between Router and Modem. Great.

Here is where I know nothing. If I buy a modem, will it work with a microsim or do I need cable internet to connect to it and the router only makes the cable internet into wifi. Or do I have to buy a router modem hybrid?

basically I'm just asking, is my router a completely wasted purchase if I don't have cable internet, or can I somehow utilize it with micro-sim wifi depending on which modem I buy?

Please help, I'm clueless about these things



Cheap whitebox 10GbE switch for non-profit? (x-post)

x-post from r/homelab

I'm a volunteer at two non-profits that share an office-space and server room.

We have several Dell servers running a Proxmox cluster, and we virtualise everything on top of this.

The servers have Mellanox ConnectX-3 cards in them, with SFP SR optics - but we can replace with DACs if needed.

I need a "cheap" 10GbE switch to tie it all together.

A second-hand Arista 7150S seemed like a good option - 24-ports, SFP+, and I assume one of the cheaper 10GbE options from Arista (and we have some other old Arista gear), and it supports VRF to help keep the tenants separated (they process credit card payments on-site, and also handle some sensitive personal info).

However, they're very keen to save pennies - and in this case, volunteer time is cheap/free - so a DIY switch came up. Basically, spending money on hardware isn't so great, but spending money on time is OK.

The first thing I thought of was to buy an x86 box, some more Mellanox ConnectX-3's, and load it with VyOS. This video seems like a good starting guide.

But then, what about an ONIE-compatible whitebox switch?

In terms of ready-to-go software it seems like there's Cumulus Linux and SoNiC, but Open Networking Linux requires you to build a lot of it yourself, and OpenSwitch isn't ready yet. Is that all correct?

I see that a Cumulus license costs money (and remember it's hard to get money around here) - but you can get Cumulus VX and run that in a VM - so we could conceivably virtualise that on an x86 box that had SFP+ cards, right? Any issues going down that route?

Also, seems like Cumulus might tie in nicely to our SaltStack infrastructure.

What are our other options in terms of hardware for running Cumulus?

I looked on Aliexpress, and I found things like this or this but I can't find any options with SFP+ ports? (I assume this will only run Cumulus VX).

What are our hardware options for running Cumulus on bare-metal? (I read that 8/16 port vs 48 port was about the same cost, due to ASICs, but still not sure what the cheapest option here is, hardware wise).



Friday, November 23, 2018

In search of....

Looking for a small PoE Gb switch (brand doesn't matter, as it's for my garage) that can connect to a wireless network.

Seems there is no viable path between the home and the garage for copper. My searches have been fruitless. Is there anything like this out there?

Mods please remove if this is the wrong place to ask.

Thanks in advance.



Networks for Software Engineers

Hi everyone. I'm a reasonably experienced software engineer (10+ yoe) and am trying to build up some Network chops.

I'm pretty comfortable with IP (v4), TCP, and the higher level protocols like TLS, HTTP, etc. because that's where I normally write software. I'm OK with iptables, and troubleshooting high level problems (things gleaned from ping or telnet or Wireshark).

Discussions of IPv6, routing tables, routers, switches, ICRs, BGP, etc. are over my head (at least the speed of these in verbal conversation is tough) but I need to learn these for work.

What are some good resources I can check out to fill in these gaps? A coworker suggested starting with the Network+ cert books - not to get a cert, but to learn some fundamentals.

I've also never logged into a router or hardware load balancer, but I need to for devops-type work. We have Citrix NetScalers, F5 BIG-IPs, and Arista and Juniper routers. What are good resources to learn these? Are there command-line emulators? Or cert paths to study?



40gbit Routers!

In the market for a new 40gbit router, considering using pfSense.

Anyone have any experience with the above or any other recommendations? Thanks.



How to check if a serial number is valid?

I'm writing a bunch of data import tools for our database. However, I need to make sure that the SNR which we got via CSV is valid. Is there any way (API) to check if a SNR is valid for Cisco, Juniper, etc...?

Does the Cisco SNR always have the same number of digits?

The ideal way would be to have a API where you can make a call, provide the SNR and get all the device information. That would make things much less complicated.

Thanks!



SD-WAN with LTE Support

Are there any SD-WAN providers that:

-Allow you to install their software / operating system on generic X86 or ARM systems.

-Support internal LTE Mini PCIe cards from guys like Sierra Wireless? These cards are supported by Linux.

Most SD-WAN providers all say they support LTE, but they want to use LTE-to-Ethernet bridge type devices, and say they are compatible with all Ethernet connections. We want an all-in-one device.

We already use Cradlepoint and Peplink, and are looking for more SD-WAN capabilities than what either of these two provide.



Wireless roaming

We have an Aruba 315-iap environment with half coverage around the building. In order to help roaming I would like to enable 802.11r. But I'm not sure about 802.11k/v. Should all three be enabled out the gate, or should only 1-2 of the three be used at a time?

I understand the three protocols as:

R - cache RADIUS results on a controller
V - improves throughput
K - help load balance roaming clients on other APs if the strongest signal has too many clients



Oxidized WebGUI for Adding/Editing/Deleting Nodes

Thought I'd share this; created this for our company in a couple of days.

Allows you to manage router.db and the config file via a simple web GUI. Useful for our network team to add switches/routers on the fly without requiring SSH access to the server.

https://i.imgur.com/7toCdQN.png

Will setup a demo when I get a chance.

https://github.com/naeemarsalan/Oxidized-Node-Managment

Let me know your thoughts and any bugs. I'm not a dev by any means. Just a sysadmin helping out.

Future plan: creating it in Sinatra and packaging it as a gem.

(Does contain some copy-and-pasted JS)



Best way to track down an ARP Storm

I have a Ubiquiti EdgeRouter 6, a WAN + 2 LANs. Each LAN is connected to a separate switch. One for private communication/VPN traffic, the other for public traffic. All the machines connected are public-facing LAMP stacks.

The Private Range and Switch act normally, but the public switch, all lights on all devices are constantly blinking in unison. It makes me think there is some sort of ARP packet storm going on.

What's the best way to go about tracking something like this down? Nothing seems really slow on the network or anything like that, but it's probably pretty under-utilized.



5506-x ASA connected wireless router cannot reach internet

I'm close to having a connection but I'm missing something. I ran a packet tracer from the ASDM and the test made it all the way to the end, where the traffic is denied with an error of (nat-xlate-failed) NAT Failed.

Wireless router is subnetted to 10.0.0.0/24

Below is the current config:

ASA Version 9.8(2)
!
hostname ciscoasa
enable password $sha512$5000$n86mPKCXeuoYgTcHuuQYDg==$/NMKr1heK0UVDsakFgB5Sg== pbkdf2
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.11.3 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network Wireless
 subnet 10.0.0.0 255.255.255.0
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
access-list ACL_IN extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
no failover
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside_1,outside) source dynamic Wireless interface
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
access-group ACL_IN in interface inside_1
access-group ACL_IN in interface inside
route inside 10.0.0.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.11.0 255.255.255.0 inside_1
http 192.168.11.0 255.255.255.0 inside_2
http 192.168.11.0 255.255.255.0 inside_3
http 192.168.11.0 255.255.255.0 inside_4
http 192.168.11.0 255.255.255.0 inside_5
http 192.168.11.0 255.255.255.0 inside_6
http 192.168.11.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.11.7-192.168.11.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable



I really need some help - I broke SSH access and I'm not exactly sure how

An application that the company I work for relies on uses SSH to poll configurations - it's essentially an added feature of this app. It hadn't been polling configs in about a month, and so I thought there may be something wrong with the SSH creds it uses. So here's what I did:

First off, we use AAA radius set up on a Windows box.

  1. I tried to log in from a local jump box using Putty with those creds to no avail - so I thought..I'll re-enter the exact same SSH creds into the configuration: username: example secret example2
  2. I'm an idiot, so I generated a new RSA key pair as well
  3. I could no longer SSH into this device
  4. It's a core switch in production (3850)

The problem here (I think) is that we use AAA and a RADIUS server, so I'm thinking I may have broken a trust between the switch and the RADIUS server (Windows box), but I'm not really sure. I raced down to the data center to try and console in, but could not - if you see the configs below, it appears even console access is tied into AAA..

If I didn't save the configuration, would a reboot help at all? I've read that crypto keys generated are stored in the private NVRAM section immediately, but I'm unsure if it's hard saved. I'm a relatively new/young professional and this is probably my first big screw up - I could really use some suggestions/advice here.

Here are some notable configurations from the last running config before I screwed around:

aaa new-model
aaa group server radius RADIUS_SERVER3
 server name X.X.X.X
 server name Y.Y.Y.Y
 ip radius source-interface VlanXX
aaa authentication login VTY_AAA group RADIUS_SERVER local
aaa authentication login CONSOLE_AAA group RADIUS_SERVER local
aaa authentication enable default group RADIUS_SERVER enable
aaa authorization exec default local if-authenticated
aaa authorization network default local
ip domain name XXXX.ca
crypto pki trustpoint TP-self-signed-3017148022
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3017148022
 revocation-check none
 rsakeypair TP-self-signed-3017148022
crypto pki certificate chain TP-self-signed-3017148022
 certificate self-signed 01
username XXX privilege 15 password 7
username XXX privilege 15 secret 5
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh rsa keypair-name 3850.companydomain.ca
ip ssh version 2
radius server Y.Y.Y.Y
 address ipv4 Y.Y.Y.Y auth-port 1645 acct-port 1646
 key 7
radius server X.X.X.X
 address ipv4 X.X.X.X auth-port 1645 acct-port 1646
 key 7
line con 0
 exec-timeout 15 0
 privilege level 15
 logging synchronous
 login authentication CONSOLE_AAA
 exec prompt timestamp
 transport preferred none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 15 0
 privilege level 15
 logging synchronous
 login authentication VTY_AAA
 exec prompt timestamp
 transport preferred none
 transport input ssh
line vty 5 15
 exec-timeout 15 0
 privilege level 15
 logging synchronous
 login authentication VTY_AAA
 transport preferred none
 transport input ssh

Thanks in advance all

EDIT: Password recovery is disabled on this device...*le sigh*
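The following is an added example and is not part of the original post or any Cisco tool: a small Python audit that reads an IOS running-config as text and reports the method-list conditions that produce exactly this kind of lockout (a console or VTY list with no local fallback, a fallback with no credentials behind it, a list that names a server group which is not defined). The sample configuration it runs over is constructed to resemble the posted one; X.X.X.X, Y.Y.Y.Y, the group, list and user names are placeholders, and it deliberately references a group name different from the one it defines so the audit has something to report. One caveat the audit also prints is worth knowing before relying on "group ... local": IOS only moves to the next method when the server group returns an error (no server answers); an explicit reject from a reachable RADIUS server is final and does not fall through to the local database.

```python
"""Audit a Cisco IOS AAA configuration for lockout risk before committing it.

Added example, not from the original post: a text-only heuristic check of
AAA method lists that never touches the switch.  The sample config is
constructed to resemble the posted one (X.X.X.X, Y.Y.Y.Y, the group, list
and user names are placeholders) and deliberately references a server group
name that is not the one defined, so the audit has something to report.
"""
import re

SAMPLE_CONFIG = """
aaa new-model
aaa group server radius RADIUS_SERVER3
 server name X.X.X.X
 server name Y.Y.Y.Y
aaa authentication login VTY_AAA group RADIUS_SERVER local
aaa authentication login CONSOLE_AAA group RADIUS_SERVER local
aaa authentication enable default group RADIUS_SERVER enable
username admin privilege 15 secret 5 $1$placeholder
line con 0
 login authentication CONSOLE_AAA
line vty 0 4
 login authentication VTY_AAA
 transport input ssh
"""

BUILTIN_GROUPS = {"radius", "tacacs+"}    # 'group radius' = every configured radius server


def parse_method_lists(cfg):
    """{(kind, name): [method, ...]} from 'aaa authentication login|enable' lines;
    'group NAME' is kept together as a single method token."""
    lists = {}
    for m in re.finditer(r"^aaa authentication (login|enable) (\S+) (.+)$", cfg, re.M):
        kind, name, rest = m.groups()
        toks, methods = rest.split(), []
        while toks:
            t = toks.pop(0)
            methods.append(f"group {toks.pop(0)}" if t == "group" and toks else t)
        lists[(kind, name)] = methods
    return lists


def parse_server_groups(cfg):
    return set(re.findall(r"^aaa group server (?:radius|tacacs\+) (\S+)", cfg, re.M))


def parse_line_login(cfg):
    """Map each 'line ...' block to the login list it names (None = default list)."""
    result, current = {}, None
    for raw in cfg.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            result[current] = None
        elif raw.startswith(" ") and current and raw.strip().startswith("login authentication "):
            result[current] = raw.split()[-1]
        elif not raw.startswith(" "):
            current = None                       # another top-level command ends the block
    return result


def check_list(where, name, methods, groups, fallback_ok):
    """Findings for one method list; fallback_ok says whether a 'local' or 'enable'
    fallback actually has credentials behind it."""
    out = []
    for m in methods:
        if m.startswith("group ") and m.split()[1] not in groups | BUILTIN_GROUPS:
            out.append(f"{where}: list {name} uses '{m}' but no 'aaa group server' "
                       f"named {m.split()[1]} is defined")
    last = methods[-1]
    if last in ("local", "enable"):
        if not fallback_ok[last]:
            need = "username" if last == "local" else "enable secret"
            out.append(f"{where}: list {name} falls back to '{last}' but no {need} is configured")
    elif last not in ("none", "line"):
        out.append(f"{where}: list {name} ends in '{last}': with the servers unreachable "
                   f"there is no fallback and this line locks out")
    if methods[0].startswith("group ") and "local" in methods:
        out.append(f"{where}: list {name} reaches 'local' only when no server in the group "
                   f"answers; an explicit reject from a reachable server does not fall through")
    return out


def audit(cfg):
    """Return a list of findings (empty list = nothing to report)."""
    if not re.search(r"^aaa new-model$", cfg, re.M):
        return ["aaa new-model is not set: line and enable passwords apply, method lists are inert"]
    lists, groups = parse_method_lists(cfg), parse_server_groups(cfg)
    fallback_ok = {
        "local": bool(re.search(r"^username \S+ .*\b(?:secret|password)\b", cfg, re.M)),
        "enable": bool(re.search(r"^enable (?:secret|password)\b", cfg, re.M)),
    }
    findings = []
    for line, name in parse_line_login(cfg).items():
        key = ("login", name or "default")
        if key not in lists:
            findings.append(f"line {line}: login list '{key[1]}' is not defined in this config")
            continue
        findings += check_list(f"line {line}", key[1], lists[key], groups, fallback_ok)
    if ("enable", "default") in lists:
        findings += check_list("enable", "default", lists[("enable", "default")], groups, fallback_ok)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against the output of show running-config before every AAA change; the point of the check is that a typo in a group name or a missing enable secret is caught while you still have a session, not after it.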



Wanting to fill gaps in my networking knowledge

Hi All,

I have been working in IT for just over 4 years now, which is crazy because a month before I started my first ever IT job I didn't even know what a server was. I can happily say I am glad to have come this far and know what I know now!

However, I must admit that my knowledge of networking isn't what I feel it should be, as I haven't been exposed to networking as much as I have other aspects of IT, e.g. AD, servers, data security, scripting, databases etc. I wanted to know how I can start learning and understanding networking better when it comes to corporate environments, how you guys got started, and what helped you understand and learn things along the way.

The more I learn about IT and network infrastructures as a whole, the more I understand the importance of networking. In my opinion it is the most important part of IT, and if you are a champion at configuring network equipment such as firewalls/switches/routers and understand DNS, for example, it will make troubleshooting any issue a whole lot easier.

I'm open to learning from any medium, be it books, courses, YouTube videos etc., so anything you guys can recommend is much appreciated. Thanks in advance!



Bulk cable supplier?

For those of you that order a bunch of cable in bulk, where do you order from? I'm on the market for a bunch of short power cords for Network racks and a dozen or two spools of Cat6 plenum. I know there's a couple local suppliers that sell it but I'm wondering if there's some online retailers I should be considering other than Monoprice.

If this post is inappropriate for this subreddit, please point me to the right one, I found one called cabling but there's no one there.



802.1x/MAB Inaccessible Authentication Bypass not identifying a domain

I'm implementing 802.1x/MAB on our access ports throughout the organisation, and have so far come across very few issues. However, I'm at a stage now where I'm preparing to apply inaccessible authentication bypass to our IT support ports, as well as other critical ports, and I'm hitting a brick wall.

I've created a new vlan for falling back to if our authentication servers fail, and when hosts are attached to that vlan without any 802.1x config applied, they can access the rest of the network as normal - all network resources are available, user profiles are logged into etc. Also, when the standard dot1x config is applied to the ports, hosts are authenticated, and again all resources are available.

But when the inaccessible config is applied, the assigned access port authenticates with no problem, but when I simulate the authentication servers going down, the fallback vlan does not authenticate properly.

Port config is:

interface GigabitEthernet3/14
 description dot1x-fail-test
 switchport access vlan 100
 switchport mode access
 switchport block multicast
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 authentication event server dead action authorize vlan 150
 authentication event server alive action reinitialize
 storm-control broadcast level 5.00
 no cdp enable
 spanning-tree portfast
end

Output from "show auth sessions" for the non-authenticated host on vlan 150 is:

Interface  MAC Address     Method  Domain   Status  Fg  Session ID
Gi3/14     feed.beef.cafe  mab     UNKNOWN  Auth        0A986401

On the first test, "radius-server deadtime" was set to one minute, and this caused a loop where the host would fail to authenticate on vlan 150, the radius server would be marked as up and the port would be assigned to vlan 100, the authentication would fail again and repeat. During this DHCP was failing. I adjusted the dead timer to five minutes and the loop stopped and DHCP was successful.

I've just removed the "authentication event server alive action reinitialize" command, and removed the vlan assignment from "authentication event server dead action authorize vlan 150" to "authentication event server dead action authorize", and now the same issue occurs but on vlan 100.

Has anyone come across this before, any advice?

(Using mab here as an example, because it's from our lab and we haven't configured a cert store. I've done the same test in our operational network with the same issue but with dot1x)

tldr:

  • 802.1x/MAB standard config works without issue
  • Both vlan 100 and vlan 150 have network access
  • Except when used in the Inaccessible Authentication Bypass config
  • When the authentication server is reachable, everything works as expected. When the server is unreachable, vlan 150 does not get authorised to the DATA domain.

Thanks for your time.



Understanding Security in a Data Center Environment

Hello,

I was hoping someone could clarify/explain, in more detail, security architecture as it relates to a Data Center environment for an enterprise hosting a business application for external customers, especially having to do with securing east-west traffic vs securing north-south traffic, and various deployments.

Obviously every business is different, and I realize that different businesses have different requirements for things like latency, availability and security, among others.

Typically I've just been exposed to the traditional Core/Distribution/Access layers with a firewall holding the gateway for all applications and services, and the firewall controlling via 5-tuple ACLs who can talk to what.

I've been learning more and more about modern Data Center architectures (i.e. VXLAN over MP-BGP EVPN), but one area that I haven't been able to understand fully, or haven't been able to get a good explanation for, is designing for security to protect east-west traffic.

For simplicities sake, lets assume topologies within this whitepaper by Cisco: https://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/white-paper-c11-735015.pdf

In my specific scenario (in my head), there are two tenants. Obviously in this case each tenant would be assigned their own VRF (A & B) and VNIs would be assigned to each tenant's VRF. By default, a Tenant's VNIs would be isolated from other Tenants in this architecture by the way of the VRF.

Moving on, protecting north-south traffic with a standard NGFW that is context aware seems to be a simple and effective solution (again disregarding other business requirements).

What about east-west traffic? Where and how do you protect various services/applications/databases from each other within the Data Center? I'm imagining that in my scenario the database would live on a separate subnet, a group of applications on another subnet, another group of related applications on another subnet, and lastly webservers/proxies in a DMZ.

I've read about deploying virtual firewalls on each host (seems expensive especially as you scale out), and passing through the NIC(s) directly to the firewall VM, then bridging the vSwitch to the LAN ports of the virtual firewall appliance (may have said that wrong). But I also have read about the bandwidth limitations these virtual firewalls have. Mostly that a lot of firewalls are limited in their throughput compared to their baremetal cousins.

I've read about deploying services like iptables on the servers themselves (using automation tools like Chef to set this up/manage it). However, this seems like a no-go, or very risky at the least, simply because if someone were to gain root access to the application (well, you have other problems then, but still), they could simply disable iptables.

Among other designs/scenarios.

What are some of the ways people go about properly protecting east-west traffic between services/applications/databases in the Data Center? Especially lets say if those services belong to the same tenant and reside on the same physical host, but are in two different subnets.



I want to hear this thread's stance on this one.

Yes, I know, I'm a Huawei employee. I'm also considering myself pretty much neutral.
I'm really interested in your stance about this. I'm expecting some extreme bashing.

U.S. officials have reached out to their government counterparts and telecom executives in friendly countries where Huawei equipment is already in wide use about what they see as cybersecurity risks, according to the WSJ report , which cited unnamed people familiar with the situation.

https://www.cnbc.com/2018/11/22/us-government-reportedly-asked-allies-to-avoid-using-huawei-equipment.html



Advice for studying

Sooo I am in a Networking 101 course for school, and I just am not getting it. One week I'm like fuck yes I can do this! and the very next week I'm so lost because I have no idea what's going on.

Does anyone have a good study guide or something that I can use besides my 300,000 flash cards and pages of notes it seems?



MPLS-TE : Moving traffic off a over utilised link?

I'm looking at the possibility of enabling MPLS-TE to start using links in our core which at the moment are only ever going to be used in the event of a failover.

We have 10Gb links which at busy times of day are hitting around 80% usage. What I would like to do, if possible, is to enable MPLS-TE on the core only, so that when a tunnel/link is seen to go over 75% it starts using another explicit path/tunnel over the network to the same destination.

When the usage again drops down to below 75% then traffic goes back to the regular (less hops) path.

Is this level of control possible with MPLS-TE? I know you can create tunnels with an amount of bandwidth allocated to that tunnel but can you set it up so that it only uses up to a predefined amount of bandwidth and then get it to either use another path or another tunnel?

Example

So in the example above traffic from S to D will normally take the R4/R5 route but if this is experiencing over 75% of usage then all new traffic will go via R1/R2/R3 until the traffic again drops on the shorter path.

In case it helps, it's a BGP-free core running OSPF. PE routers are in an iBGP/MPLS VPN mesh.

Thanks



Thursday, November 22, 2018

VeloCloud and PPPoE

I have about 30 sites with Velo running in production right now. Most are running pretty darn well and give us a lift over our old (emphasis on old) Cisco equipment. Cable and DSL in tandem seem to work well; however, some older PPPoE connections are causing me grief. I have 4 right now, and the ones on Bell work fine. However, the ones on Bell MTS in Manitoba have caused me nothing but headaches. Most never connect, and if they work it's for a very limited time. Has anyone run into trouble with PPPoE with some ISPs and Velo? Those who have had to deal with Velo support know a Reddit shot in the dark can be just as useful.



Why do nodes start-stop on Eve-NG

I followed the instructions here: http://www.eve-ng.net/documentation/howto-s/121-howto-add-images-from-virl.

Latest Eve-NG running on Ubuntu 18.04 KVM. I have no problems running other VMs.

cat /sys/module/kvm_intel/parameters/nested = Y



EVPN switches that don't require selling kidneys

Does anyone know of an N*10G switch that can:

1/ support independent customer VLAN domains (Cust A 1-4094, cust B 1-4094 etc)

2/ support this in conjunction with EVPN-VXLAN stitching

3/ support this in conjunction with rate limits per VLAN

4/ that isn't an ASR900 or Juniper ACX

The QFX can get close, but fails on points 1 and 3.



4500-X and multi-chassis EtherChannel

Hey Everyone,

Building a collapsed core network with about 6 access layer stacks and a core. I've run through several designs, and at this time I'm considering deploying 2960-XR at the access layer with 2x 4500-X in a VSS for the core.

My other deployments have typically been collapsed core with either 4500s/6500s in VSS acting as the core. I have never worked with the 4500-X.

This design requires all SM fibre between the access layer and core due to the campus size. I plan to run 2x links per switch stack in LACP/EtherChannel back to the core. I have two questions:

  1. Has anyone had any issues with using multi-chassis etherchannel on 4500-X?
  2. Has anyone had any issues with ISSU on the 4500-X? Business runs 24x7 so ISSU is essential.

Thanks for your help!



Matching QinQ on XR and Cisco Switch?

Hi, I'm working on a task where I need to ping/match traffic on an XR subinterface, passing through a switch with a QinQ-enabled interface.

Simple Topology:

XR(Sub-Interface.200) ---> Cisco Switch ---> Router(Sub-Int.100) .

Target Ping from XR to Router:

XR Router Config

interface g1/1.200

vrf test

ipv4 address 192.168.1.1 255.255.255.0

encapsulation dot1q 200 second-dot1q 100 <-- I'm matching this double tag.

Switch Config

switchport access vlan 200

switchport mode dot1q-tunnel

Router Config

interface g0/0.100

ipv4 address 192.168.1.2 255.255.255.0

Issue: I'm able to resolve the MAC address on both routers but I can't ping. The MTU supports jumbo frames and no filtering is applied.

Thanks
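To make the tag arithmetic in the topology above concrete, here is an added example (written for this page; it is not Cisco code and not part of the original post) that models, byte for byte, what a Catalyst port in "switchport mode dot1q-tunnel" on access VLAN 200 does to a frame in each direction, and what an XR subinterface configured with "encapsulation dot1q 200 second-dot1q 100" has to see for the frame to land on it. The MAC addresses and payload are constructed placeholders. One assumption is labelled in the code: the outer tag is built with TPID 0x8100, which is the Catalyst default unless "switchport dot1q ethertype" changes it; the model also shows the 4-byte growth that turns a 1518-byte frame into a 1522-byte one, which is why the switch and the router-facing ports need to accept those larger frames.

```python
"""Byte-level model of a dot1q-tunnel (QinQ) access port and a double-tag match.

Added example, not from the original post and not vendor code.  It models the
push/pop a Catalyst 'switchport mode dot1q-tunnel' port on access VLAN 200
performs, and the match an XR subinterface with
'encapsulation dot1q 200 second-dot1q 100' needs to see.  MAC addresses and
payload are constructed placeholders.  Assumption: the outer (service) tag is
built with TPID 0x8100, the Catalyst default unless 'switchport dot1q
ethertype' changes it.
"""
import struct

TPID_8100 = 0x8100
ETH_IPV4 = 0x0800

ROUTER_MAC = bytes.fromhex("0000aa000001")   # constructed placeholder
XR_MAC = bytes.fromhex("0000bb000001")       # constructed placeholder


def build_frame(dst, src, vids, ethertype=ETH_IPV4, payload=b"\x45" + b"\x00" * 27):
    """Ethernet frame with zero or more 802.1Q tags, outermost first (PCP/DEI = 0)."""
    tags = b"".join(struct.pack("!HH", TPID_8100, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (list of VIDs outermost-first, ethertype, payload)."""
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8100:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return vids, ethertype, frame[off + 2:]


def tunnel_port_ingress(frame, svlan):
    """Frame entering the switch on the dot1q-tunnel port: push the S-tag and keep
    whatever customer tag was already there (that is the point of the tunnel)."""
    return frame[:12] + struct.pack("!HH", TPID_8100, svlan) + frame[12:]


def tunnel_port_egress(frame, svlan):
    """Frame leaving the switch on the dot1q-tunnel port: pop the S-tag.  A frame
    whose outer tag is not the port's access VLAN is not forwarded out this port."""
    vids, _, _ = parse_tags(frame)
    if not vids or vids[0] != svlan:
        raise ValueError(f"outer tag {vids[:1]} is not S-VLAN {svlan}; not forwarded here")
    return frame[:12] + frame[16:]


def xr_subif_matches(frame, outer, inner):
    """'encapsulation dot1q OUTER second-dot1q INNER': the first two tags must match."""
    vids, _, _ = parse_tags(frame)
    return vids[:2] == [outer, inner]


def demo():
    """Router g0/0.100 -> tunnel port (access vlan 200) -> XR g1/1.200, and back."""
    from_router = build_frame(XR_MAC, ROUTER_MAC, [100])        # single C-tag 100
    on_trunk = tunnel_port_ingress(from_router, 200)             # now 200 / 100
    to_router = tunnel_port_egress(build_frame(ROUTER_MAC, XR_MAC, [200, 100]), 200)
    return {
        "xr_sees": parse_tags(on_trunk)[0],
        "xr_matches": xr_subif_matches(on_trunk, 200, 100),
        "router_sees": parse_tags(to_router)[0],
        "grew_by": len(on_trunk) - len(from_router),             # 1518 bytes become 1522
    }


if __name__ == "__main__":
    print(demo())
```

The model says nothing about why a given ping fails; it only fixes what each hop must see, so that a capture on the XR side can be compared against [200, 100] and a capture on the router side against [100].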



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Had To Explain Network Hardware To C Levels ***facepalm***

The higher ups wanted a presentation on what exactly switches and firewalls were used for. At the end of the presentation a C level said this to me: "sooooooo the firewall is like the bouncer of the network restricting who can come in and out? And a switch is the bartender serving everyone a connection to the party?" Time to freshen up the old resume!!!



About GNS3CA Certificate

Hello there,

I just found out that GNS3 Academy is offering GNS3 Certified Associate Official Course and its certificate for $9.

Should I enroll? What do you think guys?

If anyone has passed the certificate, was it worth it?

Thank you!



How to connect to DMZ

Wondering how I could get a pair of DMZ L2-only switches in a pair of datacenters to work with a FW implementation (Note: I don't have the DMZ switches, this is theoretical, as I am seeing how it would work before considering buying them). I've put a scenario in the link below.

https://imgur.com/a/n2J1IDJ

I'm guessing the way you would put these in is just by physically connecting them at layer 2 to the top-of-rack switches. Would this be normal practice, or how else would you do it without connecting these DMZ switches to the core? I just need a link between the firewalls for the outside interface to connect to the edge firewall, so a VLAN between the two is just fine. I have a public subnet used for this VLAN, so my outside FW has an IP of X and the edge FW has an IP of Y in the same subnet. There is another interface on this FW that needs similar access.

It feels straightforward, but I'm trying to see if anyone implements these DMZ switches in a different or better way for a larger scale of devices.



Playing with CSR1000 in the lab; Looking for a sample config showing VXLAN and EVPN using BGP as control plane

Assume I have 
(two lan interfaces)R1----R2---R3(two lan interfaces)

R1 has two LAN interfaces each one connected to a vlan (vlan 100 and vlan 200)

R3 has two LAN interfaces each one connected to a vlan (vlan 100 and vlan 200)

The target is to bridge the two VLANs 100 and 200 across R1, R2, R3.

Here is a similar config but using multicast for host reachability and only one VLAN:

https://www.packet-forwarding.net/?s=BGP+EVPN

If this were in the Data Center I know that I have to associate the VLANs to their VNIs and then associate the VNIs to the NVE.
Since VLANs can't be defined on the CSR I guess I have to create a bridge, but I can't figure out how to associate that with the NVE. I am getting an error like the one below:

bridge-domain 3
 member vni 6000
 member GigabitEthernet4 service-instance 3
 member GigabitEthernet5 service-instance 3
interface GigabitEthernet4
 no ip address
 negotiation auto
 no mop enabled
 no mop sysid
 cdp enable
 service instance 3 ethernet
  encapsulation dot1q 100
  rewrite ingress tag pop 1 symmetric
 !
!
interface GigabitEthernet5
 no ip address
 negotiation auto
 no mop enabled
 no mop sysid
 cdp enable
 service instance 3 ethernet
  encapsulation dot1q 200
  rewrite ingress tag pop 1 symmetric
interface nve1
 no ip address
 source-interface Loopback0
 host-reachability protocol bgp
 no mop enabled
 no mop sysid

CSR3(config)#int nve 1
CSR3(config-if)#member vni 6000
%Host-reachability protocol bgp is already enabled for the NVE interface,so not allowed to configure L2DP VNIs

This seems to be a SP topic and I am out of my domain here



2 Offices, 1 in Mexico and 1 in the US: Best method to create a private LAN

Hi /r/networking
There is a requirement for one of my clients, who has a call center in Mexico, to dial out through a US IP. Our head office is in the US, and we join both locations using 2 FortiGate 60Es. What is the best method to route all internal traffic through the site-to-site VPN and have all incoming and outgoing traffic go through one of the WAN interfaces of our US FortiGate 60E?

I have tested policy routing to force internal browsing traffic through the VPN tunnel, and deleting the static route between the WAN and 0.0.0.0/0. I have also created a couple of rules to direct all LAN traffic to the VPN's virtual interface and out through the US firewall. These tests have failed.

Please let me know if you can provide any direction on the setup, or if more info is needed to answer this question.

tldr: Have Mexico office using a US public IP when accessing the internet



Spine and Leaf with BGP for overlay and underlay: at the overlay level, can I peer with border leafs only instead of peering with the spines?

Hi guys

I am looking at the design options for spine and leaf using BGP for overlay and for underlay.
The spines are all in one AS and the leaves are all in one AS. We are using allowas-in and we peer all the leaves with the spines.
A colleague of mine told me that instead of peering with all the spines (let's say we have 4 of them at the moment) we could peer all the leaves with the border leaves and have dumb, inexpensive spines that don't have to support BGP EVPN.

Do you see any drawback with this design?



Happy Turkey Day to the oncalls

Saw a similar thread on /r/sysadmin and as a network monkey who just got off a bridge I thought it was relevant here, too.



Ways of learning/Playing with Palo Alto gear

We are going to be getting some new Palo Alto PA-5250s at work. This will be the first PA gear we will have, so I would like to get a little exposure to it. Is there any VM version of the OS I can play with, or even older, cheaper HW I could get off eBay to play with at home? The VM versions I found online won't let you use them without a license, from what I could find.

Any recommendations? Just out of curiosity, we just use the CLI on all of our Juniper gear; with the PA gear is that still the preference?



Rack Cable Management

I am about to start patching stuff in my new rack, and I'm wondering what the best method of cable management is for it.

If I follow suit with the existing method the company uses, it's usually something like this:

1U Fibre patch panel
1U Fibre patch panel
1U Cable management bar
1U Fibre patch panel
1U Fibre patch panel
1U Cable management bar
1U Switch/Firewall/router/whatever
1U Cable management bar
1U Switch/Firewall/router/whatever
1U Cable management bar
ETC until the rest of the rack is full

The fibre patch panels are just panels that go to another rack in the center of the comms room (the comms room has about 50 racks in it). In the center of the comms room there are a few racks that all other racks have fibre connected to. This way, I can easily patch any switch to the top of the rack it sits in, and then in the center racks jumper this lead over to the other rack it's destined for.

The reason there's a lot of fibre patch panels is because there is a core switch in the rack, so all of the distribution switches are connecting to this cab.

Is there a better way of managing cables, and if so, please share with me your method. Thanks!



Open source answer to Cacti for snmp graphing?

I've been exposed to Cacti and it's a process for me to graph devices via SNMP (memory, CPU, uptime, bandwidth).

I don't like its GUI, management doesn't understand the reports, and it looks outdated. Is there something better looking with graphs? I've done some searching and I see Zabbix mentioned a lot.



Cisco vs Fortigate

Hi Guys,

Being a newbie when it comes to firewalls, I am confused between buying a Cisco ASA 5545-X and a Fortigate 200E. I would like to buy this firewall with features like IPS, antivirus, antispam, web filtering and application control. Plus, obviously, 24x7 support.

If money isn't a concern, which firewall should I buy, and why?

PS: our company is 150 users and we have 6 sites (needs small FWs as well). We are dealing with a big company and they want to make sure our security is strong.

Thanks in advance.



Senior Network Admin -> Network Engineer trajectory

I've been debating for the past few months which route I want to take next in my career. I'm currently a "senior network administrator" with about 5 years of experience. At first I thought it was just a title, but I do think I'm doing that kind of work. I'm in charge of the infrastructure of a medium-sized local financial institution with 15 branches and about 250 employees. While I don't have anyone reporting to me officially, the help desk (two people) are pretty much under orders to take anything I delegate to them.

Currently, I'm doing a redesign of the network (it is completely flat, including voice) as well as some migrations to off site data centers. I'm also doing all the planning for that project as well as a couple others.

I was debating management vs more of an engineer/architect route. As much as I enjoy the challenge of leadership (I've been there before), I think I want to go more of the latter role.

Experience and what I know about myself: I have a background in Cisco, Dell, and now Juniper networking equipment (the former is my most extensive, but I'm currently rolling out Juniper equipment to replace really old Dell equipment). My experience includes everything from deploying to maintaining and includes wireless and VoIP. I also have a decent background in Linux, VMware (considering NV certification), firewalls, and SANs. I admit I am a "big picture" kind of person and love to see how everything interacts, but struggle more when it gets down to the finer details of things.

I'd like to go more of the network engineer/architect route. I absolutely love networking. What I'm wondering is what is the best thing I can do to prepare myself in order to merge into that lane from administration. I'm finishing up my bachelor's (IT related) and thinking of starting to go down the certificate route just to kind of bolster both the knowledge and for the resume padding for the future but am not sure what the best angle is to give me a shot into that field. There are several Fortune 500 companies in my city and I think I would love to jump into positions where there is more structure.

Anyway, any advice for me at this point (even if it's "Don't do it" because of where I'm at) would be much appreciated.



Ruckus Replacement

Hey all, just started a new position focused around leveling up an office with two floors. We have about 400-500 clients on a busy day.

Currently there's an EoL ZD1100 running the show and we're considering changing vendors; looking at FortiAPs as they'd integrate well with our on-prem firewall.

What's your experience with the FortiAP lineup? Would you recommend them over Ruckus or UBNT?

I've used Meraki in the past but it's a little out of our budget at the moment, any recommendations are appreciated!

Thanks!



What the juddering fuck just happened here?

So today I was busy trying out a route-map on our core switch stack of 6x 3650s.

It wasn't doing what I wanted it to do, so I deleted the access list that the route-map referenced. Within this ACL were a source and IP address for hosts with no relationship to the SSH connectivity to the device.

As soon as I hit enter I lost connectivity to the switch and the entire business lost access to all services, everyone lost connectivity to file servers etc etc. I couldn't ping any layer 3 interface on the switch from any source, but other switches with layer 2 connectivity could see it up and active via CDP.

Unfortunately our datacentre is remote, so after realising there was no way onto the switch despite quite a few redundant paths, I asked for the entire stack to be power cycled.

15 minutes later the stack had rebooted and access was restored.

Has anyone else had this from such a simple, innocuous command? It seems like the switch completely locked up for no apparent reason.



Switch stack query

I'm currently studying switch stacking but I have come across this:

https://s5.postimg.cc/sfjlydh7b/20171022_095221.jpg

I believe the cables on the left are the stack cables, but what are the ones on the right (the ones with green and yellow) used for?

Edit: It's used for power



Cisco VIC 1457 and Nexus 3524

I'm eyeing this VIC adapter for a couple of Cisco UCS C220 M5 servers. I like the mLOM form factor, and although I don't have 25 Gbps switching, I do have Cisco Nexus 3524 10 Gbps switches.

A bit odd that the Nexus 3524/2548 isn't on the support matrix. I deploy these switches a lot, but I usually don't build rack servers with VIC adapters. Is this just an omission in the support matrix, or should I beware of an actual incompatibility?



Cisco ASA behind Draytek Router

So, I thought I would try out an FTD image on a Cisco ASA 5506 firewall and boy oh boy... I wish I never had! Every time you make a change, you have to deploy it, and that can take anywhere between 5 and 15 minutes to take effect.

Anyway, it's up and running on BT fibre with a DrayTek router in front of it doing PPPoE, because Cisco has decided to disable this feature on FTD, god knows why! So now I am having to resort to having another router in front of it while we wait for a leased line to be installed. I will then remove that router to simplify things.

On the DrayTek router I see there is an option to enable the LAN for NATting or routing. Should I be selecting routing so it's just the ASA that does all the NATting in the meantime? I have also got AnyConnect set up and for now have just redirected port 443 to the ASA.

Has anyone else had any experience with the new FTD on a Cisco 5506?



Starting as a Network Engineer with a new company

I'm about to start a new position as a network engineer and want some tips on things you guys seek out when starting at a new company to add to a cheat sheet. Things like default gateways, VLANs and what they're servicing, subnets, protocols and topologies, these types of things.



What’s your favorite networking joke?


Women in Technology: Hollywood Workshop to Focus on Networking



Question regarding TCP sessions, TCP retransmissions and packet loss

Hello fellow networkers, I have a couple of questions about TCP.

Here is the scenario: one Siemens PLC connected on a switch is "chatting" with a machine connected on the same switch.

The PLC sends 2 packets/messages per second to an application on the machine; the machine sends 1 ACK confirming both packets. The PLC itself is meant to report real-time data, so retransmitted packets are ignored by the application due to them no longer being relevant.

So what ends up happening is that, during any one day, 3 to 9 packets fail to reach their destination and get retransmitted, however seeing as retransmitted data is not treated, they are considered as "lost" by the application.

There is little to no utilisation on the switch ports themselves, CPU is stable as well. No visible anomalies on the machine receiving the packets either.

The packets sent are 148 & 150 bytes in size.

In Wireshark I can see the packets correctly leaving the PLC's switch port; however, on the port to which the machine is connected I can see only one of the two messages reaching the device, and an ACK that acknowledges the last packet that successfully reached the machine. This is done 3 times, after which a Fast Retransmission is triggered, and the process of working correctly resumes until the next packet loss occurs.

My question is this: TCP is built for packet losses, complementing them with retransmissions and fast retransmissions, but is it normal to experience packet loss/retransmissions from time to time on a nearly 1 to 1 connection ?

Also, I'm relatively fresh to packet capture analysis; shouldn't I see the TCP Fast Retransmission on both ports? I can only see them on the receiver's end. Is it because those kinds of things are managed at a protocol level?

Thank you
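An added example, written for this page and not part of the original post or of Wireshark: a small analyzer that applies a simplified form of the heuristics Wireshark's TCP analysis uses (sequence gap, duplicate ACK counting, retransmission versus fast retransmission) to two constructed traces of the same exchange. The first trace is what the receiver's switch port would see, where the second segment never arrives; the second is what the sender's port would see, where that segment was transmitted. The 148- and 150-byte payload sizes follow the post; hosts, sequence numbers and the one-ACK-per-segment pattern are assumptions. The point the two runs make is that a "gap" can only be detected at a capture point downstream of where the loss happened, while the duplicate ACKs and the retransmission itself are visible at both.

```python
"""Classify gaps, duplicate ACKs and (fast) retransmissions in a TCP trace.

Added example, not from the original post.  Simplified version of the
heuristics Wireshark's TCP analysis uses, applied to two constructed traces
of the same exchange: one as captured on the receiving machine's port (where
the second segment never arrives) and one as captured on the sender's port
(where it was transmitted).  Segment sizes 148/150 follow the post; hosts,
sequence numbers and the ack pattern are assumptions.
Each packet is (sender, seq, payload_len, ack); payload_len 0 is a pure ack.
"""

# Constructed: capture on the receiver's port.  Segment seq=149 len=150 is absent.
RECEIVER_SIDE = [
    ("plc", 1, 148, 1),      # 0
    ("host", 1, 0, 149),     # 1  normal ack
    ("plc", 299, 148, 1),    # 2  seq jumps: 150 bytes never reached this port
    ("host", 1, 0, 149),     # 3  dup ack #1
    ("plc", 447, 150, 1),    # 4
    ("host", 1, 0, 149),     # 5  dup ack #2
    ("plc", 597, 148, 1),    # 6
    ("host", 1, 0, 149),     # 7  dup ack #3
    ("plc", 149, 150, 1),    # 8  the missing segment, retransmitted
    ("host", 1, 0, 745),     # 9  cumulative ack now covers everything
]

# Constructed: same exchange on the sender's port.  The segment was sent, so
# there is no gap, but the dup acks and the retransmission are still visible.
SENDER_SIDE = RECEIVER_SIDE[:2] + [("plc", 149, 150, 1)] + RECEIVER_SIDE[2:]


def peer(name):
    return "host" if name == "plc" else "plc"


def analyze(trace):
    """Return {packet_index: label} for every packet that deserves a label."""
    labels, next_seq, last_ack, dup_acks = {}, {}, {}, {}
    for i, (src, seq, length, ack) in enumerate(trace):
        if length == 0:                                   # pure ack
            if last_ack.get(src) == ack:
                dup_acks[src] = dup_acks.get(src, 0) + 1
                labels[i] = f"dup ack #{dup_acks[src]} for {ack}"
            else:
                dup_acks[src] = 0                         # ack advanced: hole filled
            last_ack[src] = ack
            continue
        expected = next_seq.get(src)
        if expected is not None and seq > expected:
            labels[i] = f"gap: {seq - expected} bytes not seen at this capture point"
        elif expected is not None and seq < expected:
            # Data below what this sender already sent: a retransmission.  After
            # three dup acks from the peer it is the fast-retransmit case.
            fast = dup_acks.get(peer(src), 0) >= 3
            labels[i] = "fast retransmission" if fast else "retransmission"
        next_seq[src] = max(expected or 0, seq + length)
    return labels


def lost_segments(labels):
    """Indices of packets at which data was found missing at the capture point."""
    return [i for i, label in labels.items() if label.startswith("gap")]


if __name__ == "__main__":
    for name, trace in (("receiver side", RECEIVER_SIDE), ("sender side", SENDER_SIDE)):
        print(name)
        for i, label in sorted(analyze(trace).items()):
            src, seq, _, ack = trace[i]
            print(f"  #{i} {src:>4} seq={seq} ack={ack}: {label}")
```

Feeding it the two captures side by side is the quickest way to localise a loss: if the sender-side capture shows no gap and the receiver-side capture does, the bytes went missing between the two capture points, which on a single switch means the switch itself or the receiving NIC.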



I failed my 1st CCNA exam

I tried my best and studied to the best of my ability.

I managed to get 750 out of 1000.

The passing score needed was 810.

To be honest, all the questions weren't hard and didn't take too much time to answer.

Though the lab questions took most of the exam time, so I was forced to skip them due to the very limited time I had, despite having studied them well.

Still, they came with some unexpected scenarios that I didn't see coming.

I talked to many experienced network people at my work and they said "you did really awesome for your 1st attempt and you were very close".

But I still feel very discouraged now and I don't know what to do.

I got the harshest responses from my family,

like "what were you doing all that time studying for 2 months and still not passing it?" and yes, they have zero idea what CCNA is, what networking is and how deep it goes.



Cisco ASA ASDM - Java license change

I'm no licensing expert, but as of January 2019 Oracle will change their licensing model for Java, which looks to be impacting enterprise customers. Essentially you will have to buy (at least) a software update subscription if you plan to use Java in the enterprise, which affects, amongst other things, Cisco ASDM and probably other software.

Tbh, I'm not 100%, not even 50%, sure whether you have to license Java in the enterprise if you're using ASDM, as I would think Cisco, as the software "vendor"/developer, should ship their software with the correct license.

Does anyone have a better understanding of this issue?



Test connectivity using local connection and not external servers

Hi,

I am trying to find a program, website, app or code that will allow me to test connectivity to a website using WiFi/3G/4G.

If you are using a PC with a good internet connection, the site works great, but on slower connections it times out, and it only happens for some of our customers. So I want something to give to our guys who go out to the field and do some testing for me. Maybe a simple tracert would find what I'm looking for, but I want as much data as possible.



Wednesday, November 21, 2018

10G SFP+ LACP between compute node and 2 shared storage nodes *help*

Hey everyone,

Here is what I would like to achieve:

I have a Proxmox node with a 2-port SFP+ PCI card and 2 OmniOS CE boxes with 2-port SFP+ PCI cards attached. My goal is to connect the Proxmox node to each storage node, and for the 2 SFP+ ports on each node to use one logical interface. I want to avoid having 2 separate 10G IPs on each node, and I also want to avoid buying a 10G switch. Eventually, I will have another Proxmox node with 4 10G SFP+ ports, and I will add another 2 to the original Proxmox host in order to create a Proxmox cluster. At that time, I can add 2 links to the aggregation group in my original Proxmox node and still have the same logical interface with one IP.

Here is what I have tried:

I configured the Proxmox node for LACP L3+L4 with both 10G SFP+ NICs as the slaves, and I did the same for my 2 storage nodes. The results were strange, as Proxmox could see one or the other but not both. I have just 2 cables: one goes from Proxmox SFP+ nic1 to storage node 1's nic1, and the other goes from Proxmox SFP+ nic1 to storage node 2's nic1. Yes, I have configured LACP on the 2 storage nodes even though I am only using one physical link at the moment. This should not matter, though, right?

What happens in this configuration is that Proxmox can see only 1 at a time. I can turn off 1 storage node and then reboot the other, and the other is now communicating with the Proxmox node.

Am I missing something? I have played with Active/Passive stuff, but I have not gotten better results. Can anyone make sense of this enough to assist me? I am very new to LACP stuff.
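A check worth running before changing anything: IEEE 802.3ad only aggregates links that terminate on the same partner system (same partner system MAC and priority), so a bond whose two slaves are cabled to two different storage nodes gets two aggregators, of which the Linux bonding driver activates one at a time. The script below is an added example, not from the original post or from Proxmox; it parses the text format of /proc/net/bonding/<bond> and groups slaves by the partner system they report. The interface names and MAC addresses in the embedded sample are constructed.

```python
"""Report which LACP partner system each slave of a Linux 802.3ad bond sees.

Added example, not taken from the original post. Two slaves that report two
different partner system MACs cannot share an aggregator, which is exactly
the "sees one or the other" symptom.
"""
import re
import sys
from collections import defaultdict

# Constructed sample in /proc/net/bonding format (not the poster's real output):
# one bond, two slaves, each cabled to a different partner system.
SAMPLE_BOND = """\
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer3+4 (1)
MII Status: up

802.3ad info
LACP rate: slow
Aggregator selection policy (ad_select): stable
System MAC address: 0c:c4:7a:aa:aa:01
Active Aggregator Info:
\tAggregator ID: 1
\tNumber of ports: 1
\tPartner Mac Address: 0c:c4:7a:bb:bb:01

Slave Interface: enp1s0f0
MII Status: up
Speed: 10000 Mbps
Aggregator ID: 1
details actor lacp pdu:
    system mac address: 0c:c4:7a:aa:aa:01
    port number: 1
details partner lacp pdu:
    system priority: 65535
    system mac address: 0c:c4:7a:bb:bb:01
    oper key: 15
    port number: 1

Slave Interface: enp1s0f1
MII Status: up
Speed: 10000 Mbps
Aggregator ID: 2
details actor lacp pdu:
    system mac address: 0c:c4:7a:aa:aa:01
    port number: 2
details partner lacp pdu:
    system priority: 65535
    system mac address: 0c:c4:7a:cc:cc:01
    oper key: 15
    port number: 1
"""

NO_PARTNER = "00:00:00:00:00:00"   # bonding prints this when no LACPDU has arrived


def parse_bond(text):
    """Return one dict per slave: name, aggregator id, partner system MAC."""
    slaves = []
    for chunk in re.split(r"(?m)^Slave Interface: ", text)[1:]:
        name = chunk.split("\n", 1)[0].strip()
        agg = re.search(r"(?m)^Aggregator ID: (\d+)", chunk)
        partner = None
        tail = chunk.split("details partner lacp pdu:", 1)
        if len(tail) == 2:
            m = re.search(r"system mac address: (\S+)", tail[1])
            partner = m.group(1) if m else None
        slaves.append({"slave": name,
                       "aggregator": int(agg.group(1)) if agg else None,
                       "partner_system": partner})
    return slaves


def diagnose(text):
    """Group slaves by partner system and say whether one LAG can form."""
    groups = defaultdict(list)
    for s in parse_bond(text):
        groups[s["partner_system"] or NO_PARTNER].append(s["slave"])
    no_partner = groups.pop(NO_PARTNER, [])
    return {
        "partner_systems": dict(groups),   # partner MAC -> slaves that see it
        "no_partner": no_partner,          # slaves with no LACP peer at all
        "single_lag": len(groups) == 1 and not no_partner,
    }


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path).read() if path else SAMPLE_BOND
    report = diagnose(data)
    for mac, names in report["partner_systems"].items():
        print(f"partner {mac}: {', '.join(names)}")
    if report["no_partner"]:
        print("no LACP partner on:", ", ".join(report["no_partner"]))
    print("all slaves can join one LAG:", report["single_lag"])
```

Run it as `python lacp_check.py /proc/net/bonding/bond0` on the Proxmox node. Two partner MACs in the output means the cabling, not the bond options, is what is limiting the bond to one link; an all-zero partner MAC on a slave means that link is not receiving LACPDUs at all.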



Cisco 6509 help getting config

So I've got an old 6509 sitting around in the network acting as an aggregation switch for a number of "mission-critical" services, but it seems that the enable secret has been lost.

Fortunately, we've still got SNMP-write access to the device, so, ccCopy, right?

Unfortunately, I'm getting an error when running the script that the MIB in question doesn't exist:

Reason: (noSuchName) There is no such variable name in this MIB.
Failed object: SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.14.26

IOS version: s72033_rp-ADVIPSERVICESK9_WAN-M Version 12.2(33)SXI

Cisco's MIB navigator seems to say that this should be working.

I've also tried the legacy .1.3.6.1.4.1.9.2.1.55.172.25.1.1 OID, but that's not supposed to work in 12 and above, and doesn't.

Any ideas? I'm pretty sure at least one of the SNMP strings I've got is the RW string, but I really don't know how to tell any other way than this TFTP file test.
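The failing object in the post, enterprises.9.9.96.1.1.1.1.14.26, is ccCopyEntryRowStatus for row 26 of CISCO-CONFIG-COPY-MIB, so the script was at least addressing the right table. One caveat worth knowing before blaming the MIB: an SNMPv1 agent answers a Set made with a read-only community (or against any variable outside the writable view) with the same noSuchName, because RFC 1157 has no other error for it; SNMPv2c reports those cases with distinct codes such as noAccess or notWritable instead. The script below is an added example, not from the original post and not a Cisco tool: it hand-encodes the SNMP v2c SET that creates the ccCopy row (protocol tftp, source runningConfig, destination networkFile, server address, file name, RowStatus createAndGo), reads the error-status of the reply, polls ccCopyState, and destroys the row. The row index 26, the request IDs, and the host/community/server arguments are assumptions; it uses the original ccCopyServerAddress column (5), which takes an IpAddress.

```python
"""Build and send the CISCO-CONFIG-COPY-MIB (ccCopy) SET that makes an IOS
device TFTP its running-config to a server, using hand-rolled SNMP v2c BER.

Added example, not from the original post and not a Cisco tool. No third-party
library is needed; the encoder covers exactly the types ccCopy uses.
"""
import socket
import sys

CCCOPY = "1.3.6.1.4.1.9.9.96.1.1.1.1"   # ccCopyEntry columns hang off here
V2C_ERRORS = {0: "noError", 2: "noSuchName", 5: "genErr", 6: "noAccess",
              16: "authorizationError", 17: "notWritable"}


# --- minimal BER encoder -------------------------------------------------
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def enc_int(v):
    n = (v.bit_length() + 8) // 8            # one extra bit for the sign
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def enc_octets(b):
    return tlv(0x04, b)


def enc_ipaddr(dotted):                      # SNMP IpAddress, [APPLICATION 0]
    return tlv(0x40, bytes(int(x) for x in dotted.split(".")))


def enc_null():
    return tlv(0x05, b"")


def enc_oid(oid):
    parts = [int(x) for x in oid.strip(".").split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:                      # base-128, high bit set on all but last byte
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def snmp_v2c(pdu_tag, community, varbinds, request_id):
    """pdu_tag 0xA0 = GetRequest, 0xA3 = SetRequest; varbinds = [(oid, encoded value)]."""
    vbl = b"".join(tlv(0x30, enc_oid(o) + v) for o, v in varbinds)
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, vbl))
    return tlv(0x30, enc_int(1) + enc_octets(community.encode()) + pdu)


# --- minimal BER decoder, enough to read a response ----------------------
def _read(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def decode_response(msg):
    """Return (error_status, tag of first varbind value, its raw bytes)."""
    _, body, _ = _read(msg, 0)               # Message SEQUENCE
    _, _, p = _read(body, 0)                 # version
    _, _, p = _read(body, p)                 # community
    _, pdu, _ = _read(body, p)               # PDU
    _, _, p = _read(pdu, 0)                  # request-id
    _, err, p = _read(pdu, p)                # error-status
    _, _, p = _read(pdu, p)                  # error-index
    _, vbl, _ = _read(pdu, p)                # VarBindList
    _, vb, _ = _read(vbl, 0)                 # first VarBind
    _, _, q = _read(vb, 0)                   # name
    vtag, val, _ = _read(vb, q)              # value
    return int.from_bytes(err, "big", signed=True), vtag, val


# --- ccCopy row ----------------------------------------------------------
def cccopy_varbinds(row, tftp_server, filename):
    col = lambda c: f"{CCCOPY}.{c}.{row}"
    return [
        (col(2), enc_int(1)),                      # ccCopyProtocol: tftp
        (col(3), enc_int(4)),                      # ccCopySourceFileType: runningConfig
        (col(4), enc_int(1)),                      # ccCopyDestFileType: networkFile
        (col(5), enc_ipaddr(tftp_server)),         # ccCopyServerAddress
        (col(6), enc_octets(filename.encode())),   # ccCopyFileName
        (col(14), enc_int(4)),                     # ccCopyEntryRowStatus: createAndGo
    ]


def exchange(host, msg, timeout=5.0):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.sendto(msg, (host, 161))
    try:
        return s.recv(4096)
    finally:
        s.close()


if __name__ == "__main__":
    host, community, tftp, fname = sys.argv[1:5]   # assumed CLI: host community tftp-server filename
    row = 26
    err, _, _ = decode_response(exchange(host, snmp_v2c(0xA3, community, cccopy_varbinds(row, tftp, fname), 1001)))
    print("SET:", V2C_ERRORS.get(err, err))
    if err == 0:
        # ccCopyState (column 10): 1 waiting, 2 running, 3 successful, 4 failed
        _, _, val = decode_response(exchange(host, snmp_v2c(0xA0, community, [(f"{CCCOPY}.10.{row}", enc_null())], 1002)))
        print("ccCopyState:", int.from_bytes(val, "big"))
        # destroy(6) the row so the index can be reused next time
        exchange(host, snmp_v2c(0xA3, community, [(f"{CCCOPY}.14.{row}", enc_int(6))], 1003))
```

Because it speaks v2c, the reply's error-status tells the RW question apart from the MIB question: noAccess or authorizationError means the community is not RW (or is bound to a restricted view), while a successful SET followed by a ccCopyState of 3 means the file is on the TFTP server. Try each community string in turn with the same row; the one that gets noError is the RW string. If the device only accepts SNMPv1 for that community, the same noSuchName will come back for a read-only string, so the distinction is lost and the TFTP test is the only evidence.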



How do you stop older folk from checking out?

So some background here; I came into my current position two and a half years ago and quickly made countless changes to the network and security practices in general. Relatively standard stuff that should have been implemented years ago: ACLs on the switches, restricted switch management access to jump hosts, a PA firewall that is actually configured in a way that limits traffic, a firewall that separates internal clients from the data center, device configurations controlled by config files on a Bitbucket server, etc. The network changed a lot in a relatively short amount of time. Through all of this I attempted to bring everyone involved along for the ride; one came willingly with a dedication to learn new things, and one is being dragged through the mud kicking and screaming.

The issue that I'm running into is an older engineer that is close to retiring (like 1.5-2 years, can't come soon enough) doesn't put any time or effort to keep up with changes. Every week I spend two hours going over the same information in a training session that never seems to move past the same material, because it isn't being retained. I've separated the training sessions because the other Network Administrator is so far ahead of this dude; maintaining the same session wasn't beneficial to anyone anymore. Even large changes where this guy by title should be taking the lead, he takes a complete hands off approach and never asks any questions. Even leaving out the automation stuff, he doesn't understand the basics of how the devices seem to function.

I wouldn't be upset if these were more difficult concepts to understand; if it was Git access or actually scripting things, I could work around that. Instead, the simple fact that the switches have ACLs on them seems like a foreign thing. The firewalls I can't give him read/write access to, because he doesn't even understand how the policies are analyzed (again, countless hours of training). The fact that he has to log into a jump host to access any of the switches is something we talk about on a weekly basis; every week it's "That's new".

I don't know what to do anymore. I can't find a way to train the dude, documentation is never looked at, conversations and hand-holding last a day but are promptly forgotten, and he just doesn't come to the board anymore. Everything I do is brought up, it's documented to a point where our manager and the other Admin can easily understand it, diagrams are constantly being modified, but he never looks at any of it. Basic concepts that should have been deployed even when everything wasn't automated or scripted just seem to go right over his head; I mean seriously, having to look at an ACL on the switch to see if the traffic is even allowed is something he just can't remember. The firewalls are a black box to him; he can't even reliably look at logs and interpret them correctly.

I don't know what to do to make this easier than simply forgetting he exists. I can't train the dude. Hand-holding doesn't work, documentation doesn't work, one-on-one training doesn't work, hands-on lab practice doesn't work. Weekly meetings with everyone that works on the Network and Security teams where every change is reviewed and talked about, and no questions ever come out of him. I can't find a way to engage him at all, and I can't get him to retain anything.

I don't know how to make this easier and kick him back into gear, or really if he ever even was in gear? Have any of you had to deal with someone like this, and what made it finally "click"?



VPN Tunnel bouncing, help me understand the debug output

I have a Cisco 819 with VPN tunnels going to my other lab router. I reloaded the device and started noticing the tunnel is bouncing. I tried to debug and google what I didn't understand, but that raised more questions than it answered. So I am seeking the experts' help to determine what's up with this VPN configuration. I am 100% sure my other router is configured correctly, but there are other VPN tunnels connecting to it and they are all fine, so I know the issue is with the 819.

debug cry isak===============
000271: Nov 22 04:00:38.075 UTC: ISAKMP:(2001):purging node -108306351
000272: Nov 22 04:00:40.775 UTC: ISAKMP:(2001):purging node -1984004343
000273: Nov 22 04:00:48.679 UTC: ISAKMP (2002): received packet from xxxx dport 4500 sport 4500 vpn(I) QM_IDLE
000274: Nov 22 04:00:48.679 UTC: ISAKMP: set new node 1824528058 to QM_IDLE
000275: Nov 22 04:00:48.679 UTC: ISAKMP:(2002): processing HASH payload. message ID = 1824528058
000276: Nov 22 04:00:48.679 UTC: ISAKMP:(2002): processing DELETE payload. message ID = 1824528058
000277: Nov 22 04:00:48.679 UTC: ISAKMP:(2002):peer does not do paranoid keepalives.
000278: Nov 22 04:00:48.679 UTC: ISAKMP:(2002):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0xABFD32EA)
000279: Nov 22 04:00:48.679 UTC: ISAKMP:(2002):deleting node 1824528058 error FALSE reason "Informational (in) state 1"
000280: Nov 22 04:00:48.679 UTC: ISAKMP: Failed to find peer index node to update peer_info_list
000281: Nov 22 04:00:48.679 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
000282: Nov 22 04:00:51.050 UTC: ISAKMP: set new node 0 to QM_IDLE
000283: Nov 22 04:00:51.050 UTC: SA has outstanding requests (local xxxxx port 4500, remote xxxxx port 4500)
000284: Nov 22 04:00:51.050 UTC: ISAKMP:(2002): sitting IDLE. Starting QM immediately (QM_IDLE )
000285: Nov 22 04:00:51.050 UTC: ISAKMP:(2002):beginning Quick Mode exchange, M-ID of 1875605379
000286: Nov 22 04:00:51.050 UTC: ISAKMP:(2002):QM Initiator gets spi
000287: Nov 22 04:00:51.050 UTC: ISAKMP:(2002): sending packet to xxxx my_port 4500 peer_port 4500 (I) QM_IDLE
000288: Nov 22 04:00:51.050 UTC: ISAKMP:(2002):Sending an IKE IPv4 Packet.
000289: Nov 22 04:00:51.050 UTC: ISAKMP:(2002):Node 1875605379, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
000290: Nov 22 04:00:51.050 UTC: ISAKMP:(2002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
000291: Nov 22 04:00:51.278 UTC: ISAKMP (2002): received packet from xxxxx dport 4500 sport 4500 vpn (I) QM_IDLE
000292: Nov 22 04:00:51.278 UTC: ISAKMP:(2002): processing HASH payload. message ID = 1875605379
000293: Nov 22 04:00:51.278 UTC: ISAKMP:(2002): processing SA payload. message ID = 1875605379
000294: Nov 22 04:00:51.278 UTC: ISAKMP:(2002):Checking IPSec proposal 1
000295: Nov 22 04:00:51.278 UTC: ISAKMP: transform 1, ESP_AES
000296: Nov 22 04:00:51.278 UTC: ISAKMP: attributes in transform:
000297: Nov 22 04:00:51.278 UTC: ISAKMP: encaps is 4 (Transport-UDP)
000298: Nov 22 04:00:51.278 UTC: ISAKMP: SA life type in seconds
000299: Nov 22 04:00:51.278 UTC: ISAKMP: SA life duration (basic) of 3600
000300: Nov 22 04:00:51.278 UTC: ISAKMP: SA life type in kilobytes
000301: Nov 22 04:00:51.278 UTC: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
000302: Nov 22 04:00:51.278 UTC: ISAKMP: authenticator is HMAC-SHA256
000303: Nov 22 04:00:51.278 UTC: ISAKMP: key length is 256
000304: Nov 22 04:00:51.278 UTC: ISAKMP:(2002):atts are acceptable.
000305: Nov 22 04:00:51.278 UTC: ISAKMP:(2002): processing NONCE payload. message ID = 1875605379
000306: Nov 22 04:00:51.278 UTC: ISAKMP:(2002): processing ID payload. message ID = 1875605379
000307: Nov 22 04:00:51.278 UTC: ISAKMP:(2002): processing ID payload. message ID = 1875605379
000308: Nov 22 04:00:51.278 UTC: ISAKMP:received payload type 21
000309: Nov 22 04:00:51.278 UTC: ISAKMP:received payload type 21
000310: Nov 22 04:00:51.278 UTC: ISAKMP:(2002):Node 1875605379, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
000311: Nov 22 04:00:51.278 UTC: ISAKMP:(2002):Old State = IKE_QM_I_QM1 New State = IKE_QM_IPSEC_INSTALL_AWAIT
000312: Nov 22 04:00:51.282 UTC: ISAKMP: Failed to find peer index node to update peer_info_list
000313: Nov 22 04:00:51.282 UTC: ISAKMP:(2002):Received IPSec Install callback... proceeding with the negotiation
000314: Nov 22 04:00:51.282 UTC: ISAKMP:(2002):Successfully installed IPSEC SA (SPI:0xE7461622) on Tunnel1
000315: Nov 22 04:00:51.282 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
000316: Nov 22 04:00:51.286 UTC: ISAKMP:(2002): sending packet to xxxx my_port 4500 peer_port 4500 (I) QM_IDLE
000317: Nov 22 04:00:51.286 UTC: ISAKMP:(2002):Sending an IKE IPv4 Packet.
000318: Nov 22 04:00:51.286 UTC: ISAKMP:(2002):deleting node 1875605379 error FALSE reason "No Error"
000319: Nov 22 04:00:51.286 UTC: ISAKMP:(2002):Node 1875605379, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
000320: Nov 22 04:00:51.286 UTC: ISAKMP:(2002):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_PHASE2_COMPLETE
000321: Nov 22 04:01:38.674 UTC: ISAKMP:(2002):purging node 1824528058
000322: Nov 22 04:01:41.282 UTC: ISAKMP:(2002):purging node 1875605379
000323: Nov 22 04:01:43.182 UTC: ISAKMP (2001): received packet from xxxx dport 4500 sport 4500 vpn (I) QM_IDLE
000324: Nov 22 04:01:43.182 UTC: ISAKMP: set new node -501181912 to QM_IDLE
000325: Nov 22 04:01:43.182 UTC: ISAKMP:(2001): processing HASH payload. message ID = 3793785384
000326: Nov 22 04:01:43.182 UTC: ISAKMP:(2001): processing DELETE payload. message ID = 3793785384
000327: Nov 22 04:01:43.182 UTC: ISAKMP:(2001):peer does not do paranoid keepalives.
000328: Nov 22 04:01:43.182 UTC: ISAKMP:(2001):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0xA91CA6B)
000329: Nov 22 04:01:43.182 UTC: ISAKMP:(2001):deleting node -501181912 error FALSE reason "Informational (in) state 1"
000330: Nov 22 04:01:43.182 UTC: ISAKMP: Failed to find peer index node to update peer_info_list
000331: Nov 22 04:01:43.182 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2103, changed state to down

debug cry ipse=============
000381: Nov 22 04:07:45.100 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
000382: Nov 22 04:07:45.100 UTC: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5059
000383: Nov 22 04:07:45.100 UTC: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
000384: Nov 22 04:07:45.100 UTC: IPSEC: still in use sa: 0x25081C4
000385: Nov 22 04:07:45.100 UTC: IPSEC(key_engine_delete_sas): delete SA with spi 0x5CB389E7 proto 50 for xxxx
000386: Nov 22 04:07:45.100 UTC: IPSEC(delete_sa): deleting SA,
    (sa) sa_dest= xxxx, sa_proto= 50,
    sa_spi= 0xFF76B8AF(4285970607),
    sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 167
    sa_lifetime(k/sec)= (4608000/3600),
    (identity) local= xxxx, remote= xxxxx,
    local_proxy= xxxx/xxxxx/47/0,
    remote_proxy= xxxxx/xxxxx/47/0
000387: Nov 22 04:07:45.104 UTC: IPSEC(delete_sa): deleting SA,
    (sa) sa_dest= xxxx, sa_proto= 50,
    sa_spi= 0x5CB389E7(1555270119),
    sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 168
    sa_lifetime(k/sec)= (4608000/3600),
    (identity) local= xxxx, remote= xxxxx,
    local_proxy= xxxxx/xxxx/47/0,
    remote_proxy= xxxx/xxxx/47/0
000388: Nov 22 04:07:45.104 UTC: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
000389: Nov 22 04:07:45.104 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
000390: Nov 22 04:07:45.108 UTC: IPSEC(ident_delete_notify_kmi): Failed to send KEY_ENG_DELETE_SAS
000391: Nov 22 04:07:45.108 UTC: IPSEC(ident_update_final_flow_stats): Collect Final Stats and update MIB
    IPSEC get IKMP peer index from peer 0x21DAEBD8 ikmp handle 0x80000002
    IPSEC IKMP peer index 0
    [ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x140000A7,peer index 0
000392: Nov 22 04:07:53.623 UTC: IPSEC(sa_request): ,
    (key eng. msg.) OUTBOUND local= xxxxx, remote= xxxxx,
    local_proxy= xxxx/xxxx/47/0,
    remote_proxy= xxxx/xxxx/47/0,
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
000393: Nov 22 04:07:53.807 UTC: IPSEC(validate_proposal_request): proposal part #1
000394: Nov 22 04:07:53.807 UTC: IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) INBOUND local= xxxx, remote= xxxxx,
    local_proxy= xxxxx/xxxx/47/0,
    remote_proxy= xxxx/xxxx/47/0,
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Transport-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
000395: Nov 22 04:07:53.807 UTC: Crypto mapdb : proxy_match
    src addr : xxxx
    dst addr : xxxx
    protocol : 47
    src port : 0
    dst port : 0
000396: Nov 22 04:07:53.807 UTC: (ipsec_process_proposal)Map Accepted: VPNList, 55555
000397: Nov 22 04:07:53.807 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
000398: Nov 22 04:07:53.807 UTC: Crypto mapdb : proxy_match
    src addr : xxxx
    dst addr : xxxx
    protocol : 47
    src port : 0
    dst port : 0
000399: Nov 22 04:07:53.807 UTC: IPSEC(crypto_ipsec_create_ipsec_sas): Map found VPNList, 55555
000400: Nov 22 04:07:53.807 UTC: IPSEC(create_sa): sa created,
    (sa) sa_dest= xxxx, sa_proto= 50,
    sa_spi= 0xC38C347E(3280745598),
    sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 171
    sa_lifetime(k/sec)= (4608000/3600),
    (identity) local= xxxx, remote= xxxxx,
    local_proxy= xxxx/xxxx/47/0,
    remote_proxy= xxxx/xxxx/47/0
000401: Nov 22 04:07:53.807 UTC: IPSEC(create_sa): sa created,
    (sa) sa_dest= xxxx, sa_proto= 50,
    sa_spi= 0x8C46F874(2353461364),
    sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 172
    sa_lifetime(k/sec)= (4608000/3600),
    (identity) local= xxxx, remote= xxxx,
    local_proxy= xxxxx/xxxxx/47/0,
    remote_proxy= xxxx/xxxx/47/0
000402: Nov 22 04:07:53.807 UTC: IPSEC: Expand action denied, notify RP
000403: Nov 22 04:07:53.811 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
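What the isakmp debug shows can be read off more easily as a timeline: each tear-down starts with a DELETE payload that arrives from the peer (an informational exchange the 819 processes, not one it initiates), the IPsec SA named in it is dropped, the tunnel line protocol goes down, and Quick Mode rebuilds a new SA within a few seconds, all well inside the negotiated 3600 s lifetime. The script below is an added example, not from the original post; it extracts those events from `debug crypto isakmp` output and measures each outage. The embedded sample is a trimmed copy of the lines quoted above (addresses were already masked in the post).

```python
"""Turn `debug crypto isakmp` output into a per-tunnel timeline.

Added example, not from the original post. It pulls out the events that
explain a bouncing tunnel: DELETE payloads received from the peer, IPsec SAs
installed or deleted (by SPI), the negotiated lifetime, and LINEPROTO up/down
transitions, then measures how long each tunnel stayed down.
"""
import re
from datetime import datetime

# Trimmed copy of the lines quoted in the post above.
SAMPLE = """\
000273: Nov 22 04:00:48.679 UTC: ISAKMP (2002): received packet from xxxx dport 4500 sport 4500 vpn(I) QM_IDLE
000276: Nov 22 04:00:48.679 UTC: ISAKMP:(2002): processing DELETE payload. message ID = 1824528058
000278: Nov 22 04:00:48.679 UTC: ISAKMP:(2002):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0xABFD32EA)
000281: Nov 22 04:00:48.679 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
000285: Nov 22 04:00:51.050 UTC: ISAKMP:(2002):beginning Quick Mode exchange, M-ID of 1875605379
000299: Nov 22 04:00:51.278 UTC: ISAKMP: SA life duration (basic) of 3600
000314: Nov 22 04:00:51.282 UTC: ISAKMP:(2002):Successfully installed IPSEC SA (SPI:0xE7461622) on Tunnel1
000315: Nov 22 04:00:51.282 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
000326: Nov 22 04:01:43.182 UTC: ISAKMP:(2001): processing DELETE payload. message ID = 3793785384
000328: Nov 22 04:01:43.182 UTC: ISAKMP:(2001):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0xA91CA6B)
000331: Nov 22 04:01:43.182 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2103, changed state to down
"""

LINE = re.compile(r"^\d+: (\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) UTC: (.*)$")
PATTERNS = [
    ("peer_delete", re.compile(r"ISAKMP:\((\d+)\): processing DELETE payload")),
    ("sa_deleted", re.compile(r"KEY_MGR_DELETE_SAS for IPSEC SA \(SPI:(0x[0-9A-Fa-f]+)\)")),
    ("sa_installed", re.compile(r"installed IPSEC SA \(SPI:(0x[0-9A-Fa-f]+)\) on (\S+)")),
    ("lifetime", re.compile(r"SA life duration \(basic\) of (\d+)")),
    ("lineproto", re.compile(r"Line protocol on Interface ([^,\s]+), changed state to (up|down)")),
]


def parse_isakmp(text):
    """Return (timestamp, kind, regex groups) for every recognised debug line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")   # year is irrelevant
        for kind, pat in PATTERNS:
            hit = pat.search(m.group(2))
            if hit:
                events.append((ts, kind, hit.groups()))
                break
    return events


def summarize(text):
    tunnels = {}
    summary = {"peer_deletes": 0, "sa_deleted": [], "sa_installed": [],
               "lifetime_s": None, "tunnels": tunnels}
    for ts, kind, g in parse_isakmp(text):
        if kind == "peer_delete":
            summary["peer_deletes"] += 1          # tear-down requested by the peer
        elif kind == "sa_deleted":
            summary["sa_deleted"].append(g[0])
        elif kind == "sa_installed":
            summary["sa_installed"].append((g[0], g[1]))
        elif kind == "lifetime":
            summary["lifetime_s"] = int(g[0])
        elif kind == "lineproto":
            t = tunnels.setdefault(g[0], {"down_at": None, "outages_s": []})
            if g[1] == "down":
                t["down_at"] = ts
            elif t["down_at"] is not None:
                t["outages_s"].append(round((ts - t["down_at"]).total_seconds(), 3))
                t["down_at"] = None
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"negotiated lifetime {s['lifetime_s']}s, peer-initiated deletes: {s['peer_deletes']}")
    for name, t in s["tunnels"].items():
        state = "still down" if t["down_at"] else "up"
        print(f"{name}: outages {t['outages_s']} ({state})")
```

Pipe a longer capture through `summarize()` (for example `summarize(open("isakmp.log").read())`) and the outage list per tunnel, together with the count of peer-initiated deletes, tells you whether the bounces are periodic and whether they always begin on the far side; if they do, the same debug on the other router, around the same timestamps, is where the reason for the DELETE will be.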



Can I get some SNMP help from those of you running Dell N series switches & OpenManage Enterprise 3?

I am trying to better manage several Dell N3048P switches and PowerEdge servers. I've just set up Dell OpenManage Enterprise 3 (which looks far better than the previous OM Essentials) and I've added my switches and some servers in order to gather data and monitor and get alerts, etc. I do have device data and some alerts coming in, so SNMP is set up at least partially correctly.

The issue I am having is that I don't seem to be getting all the data I would expect with the switches. For example, Dell OpenManage Enterprise is showing my switches with their IPs, MACs, and a few hostnames (not all) but there is other information that is missing. It's been hours, so I don't think it's a matter of waiting for the logs to come in.

Additionally, I have one switch added that is throwing hundreds of these critical alerts but I can't quite make sense of what it actually means:

"An authenticationFailure trap signifies that the SNMP entity has received a protocol message that is not properly authenticated. While all implementations of SNMP entities MAY be capable of generating this trap, the snmpEnableAuthenTraps object indicates whether this trap will be generated."

The servers I have in OME seem to be giving me full information, so there is no problem with them. I just connected OME to them via iDRAC username/password and it pulled in everything beautifully.

I'm not an expert at SNMP and I've had trouble wrapping my head around it and setting it up in the past, and this is like round 4 for me. I am hoping someone can take a look at what I have configured to see if I'm missing something or doing something I shouldn't. I have been reading through the Dell N series user manual and CLI guide, but it's still confusing. I don't really have support right now and I'm a bit stuck. Again, the SNMP seems to be working to a degree, but I am still missing a lot of information.

I am also hoping to be able to do firmware upgrades and pull configs on the switches through OME, so I'm really striving to get this working.

Can anyone help me with my config, if that's even the issue?

Here are the SNMP lines contained in two of my Dell switch configs:

Building 1 - Dell N3048P:

snmp-server engineid local 800003a202e4f00437f356
snmp-server community "catfood" rw
snmp-server host 192.168.1.95 "catfood"
snmp-server enable traps dvmrp
snmp-server enable traps pim
snmp-server enable traps captive-portal
snmp-server enable traps captive-portal client-auth-failure
snmp-server enable traps captive-portal client-connect
snmp-server enable traps captive-portal client-db-full
snmp-server enable traps captive-portal client-disconnect

Building 2 - Dell N3048P:

snmp-server engineid local 800003a233f3b156407df4
snmp-server community "catfood" rw
snmp-server host 192.168.1.95 "catfood"
snmp-server host 192.168.1.22 "catfood"
snmp-server enable traps dvmrp
snmp-server enable traps pim
snmp-server enable traps captive-portal
snmp-server enable traps captive-portal client-auth-failure
snmp-server enable traps captive-portal client-connect
snmp-server enable traps captive-portal client-db-full
snmp-server enable traps captive-portal client-disconnect


ISR 44xx vs ASR1xxx vs C9300

We have about 50 branch offices, none of which has more than a 1G internet connection. In fact, most are in the 50 Mbps to 100 Mbps range, which is anemic for the number of users we have (dozens to hundreds).

We currently have a topology where each office has an L3 router (usually a C3850 or 2960XR) and a stack or several stacks of L2 C3850s or 2960Xs. Offices are connected via MPLS to our main DCs, which are also our main internet access drains for all offices. Classic hub and spoke. In the offices, we use basic routes (some static) to our ISP. We also use QoS extensively.

One of my colleagues is suggesting that we start deploying ISRs, in both our DC as well as our branch offices. I am worried that the 100 Mbps to 2 Gbps speeds are going to be a problem. I am especially worried that once we turn on QoS the ISRs will choke. I'd rather invest in ASRs or maybe try to squeeze by with C9300s. At least the C9300s do more of the work in hardware. However, I can't tell if ACLs and QoS are done in hardware or in software/CPU by the C9300s. Also not sure about the ASRs. But from what I can tell the ISRs are basically all software/x86 CPU.

Thoughts?



I'm shutting down our company for the next three days to do my first network migration and I'm super excited but also freaking the fuck out

Earlier this year I got a job that I'm barely qualified for (I made a post about it here, you guys were great) and inherited an environment that was . . . messy. I told them it was going to cost half a million dollars to fix, and they were like "K" and now I'm looking at some new core switches and a big honkin' firewall that I'm bringing online during a three-day outage starting tomorrow.

And fucking hell I'm just a jangly ball of nerves. I'm taking the entire company offline to do this cut-over/migration, everything is going hard down. Everything. My checklist is like a hundred items long, I've got a preemptive case open with Palo Alto, I've got detailed visio diagrams for exactly what gets plugged into where, the commands are already written and ready to be pasted into the switches, I've got the fiber run and the SFPs are in place (just waiting for me to push them in and no shut the interfaces), I've got some pro services on standby in case anything goes wrong.

But fuck fuck fuck man there's still so much I don't know. Like I spent most of yesterday re-watching the OSPF lab videos from my old CCNA course, and I'm pretty sure it all should work the way I think it will, but maybe I missed some kind of really obscure command somewhere. There's a LOT of stuff going on in our edge firewalls (both set up by "that guy" three engineers ago who didn't document a single thing, and even Palo Alto has looked at the configs and been like "wow . . . he's doing some weird stuff with the Policy Based Forwarding") that I've only halfway got a handle on. I had to spend like a solid week going through the configs menu by menu, and every day I was finding something new that I was like "Oh, wow. Yeah, that would have fucked me if I didn't change that during the migration". Even today I was STILL finding things! Like the fact that our Service Route Configuration has the firewall getting updates through one of the other VLAN interfaces that I'm planning on removing (rather than the management interface like they usually do). Gotta remember to change that, add it to the list. Now there's 101 things on my checklist of things to do.

I don't know how I'll be able to sleep tonight. I've been obsessively planning every step of this process for the last three months and now it's just one day away and it's kinda like when you're a kid and Christmas is the next day? Like man, I just want to be hitting "go" on all this stuff already! But then it's tempered by the impending sense of dread that I'm going to reconfigure it all and get it all patched in and nothing's going to work and I'll be caught in a routing loop somewhere and I'll end up in the fetal position crying on the floor of the datacenter.

And this is only Phase 1! I get to do this again in May! :D

Fuck man this is gonna be awesome. I can't wait. But I'm so nervous.



WAN redesign, available options?

Hey guys,

I have been tasked to work on our WAN redesign. Currently we have remote offices all over the world with old school MPLS connection to head office. We're moving more and more services to Azure and we're working on re-designing our WAN.

I was thinking of implementing SD-WAN and removing MPLS all together or having it as backup.

I was reading below and Cisco SD-WAN seems to be a good solution:

https://www.cisco.com/c/en/us/solutions/enterprise-networks/sd-wan/index.html

From my understanding, SD-WAN is basically having VPN tunnels on remote offices routers via internet and then use PBR to determine what traffic goes through the tunnels right?

Has anyone had experience with replacing old school MPLS with SD-WAN? Are there any alternative options to re-design WAN to connect remote offices to the cloud? Any comments highly appreciated! thanks!

Cheers,

Hoomi



Help increasing Win10 UDP receive throughput

My company has a product that transmits large amounts of data over UDP. Some recent performance modifications have permitted us to generate more data, and thus in testing, it was observed that if the receiving end was running Linux, performance was perfectly fine, whereas under Windows, throughput suffered.

As a test, we set up 'iperf3' on a couple of machines connected to a switch. The packet sending side always ran Win10, and we dual-booted the receiver between Linux (Ubuntu 18.04) and Win10. (FWIW, the receiving device is a 4-core i5-7400, using the on-board Realtek gigabit NIC, with the latest drivers.)

With a linux receiver, I effectively get zero packet loss when iperf is instructed to send a flurry of 1400-byte UDP packets with a 2M window, and unlimited bandwidth ("-b 0"). The task manager reports the NIC is effectively saturated, and iperf displays throughput numbers in the high 900 Mbps. Everything's awesome -- no weird loss at the switch, no dodgy cabling.

Boot receiving device into Windows, repeat the same iperf test, and I get 70% packet loss reported at the application layer. Windows 'netstat -s' command shows the appropriate level of incoming packets such that there shouldn't be loss, but clearly something is underbuffered since those packets aren't making it to the iperf application to be decoded.

I have tried disabling power saving modes on the receiving NIC, adding 'DefaultReceiveWindow' and 'DefaultSendWindow' entries to the registry (set to 0x00200000), disabling the network throttling, disabling the firewall ... to no avail. I can't believe 'iperf' wouldn't itself have sufficient buffering via a 'setsockopt' call ... and I know our application has a large buffer for packets. Ultimately, I'm not getting much more than 300-350Mbps worth of UDP traffic into ANY application running on Win10, but the same code on Linux is quite happy. TCP flows do not seem to exhibit this issue, but that is not an option for us, so please don't ask :)

Thoughts? Things to tweak, features to enable/disable, settings to poke at?

If you're interested in more specific details, please ask away.

Many thanks for all suggestions!
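The symptom in the post (netstat sees the datagrams arrive, the application never gets them) is what happens when the socket's receive queue fills faster than the reader drains it; whatever does not fit is dropped in the kernel and counted under UDP Receive Errors on Windows (receive buffer errors on Linux), so no application-side buffer can recover it. The script below is an added example, not from the original post or from iperf: it sends a burst into a deliberately undrained socket with a small and then a large SO_RCVBUF request and reports what the kernel actually granted and how much survived. The buffer sizes and burst parameters are assumptions; it runs unchanged on Windows and Linux.

```python
"""Show how the socket receive buffer decides UDP loss when the reader lags.

Added example, not from the original post. A sender blasts datagrams over
loopback while the receiving socket is deliberately not being read; whatever
the kernel could not queue is gone before any application sees it.
"""
import socket


def udp_burst_survivors(rcvbuf_request, count=2000, size=1400):
    """Send `count` datagrams into an undrained socket; return what survived."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf_request)
    rx.bind(("127.0.0.1", 0))
    # What the kernel actually granted: Linux caps the request at
    # net.core.rmem_max and reports the value doubled; Windows grants it as-is.
    granted = rx.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)

    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    payload = b"\x55" * size
    for _ in range(count):
        tx.sendto(payload, rx.getsockname())
    tx.close()

    # Only now start reading: everything the queue could not hold was dropped.
    rx.settimeout(0.2)
    received = 0
    try:
        while True:
            rx.recv(65535)
            received += 1
    except socket.timeout:
        pass
    rx.close()
    return {"requested": rcvbuf_request, "granted": granted,
            "sent": count, "received": received}


def compare(small=64 * 1024, large=8 * 1024 * 1024, **kw):
    """Run the burst once with a small and once with a large buffer request."""
    return udp_burst_survivors(small, **kw), udp_burst_survivors(large, **kw)


if __name__ == "__main__":
    for r in compare():
        print(f"requested {r['requested']:>9}  granted {r['granted']:>9}  "
              f"received {r['received']}/{r['sent']}")
```

The number to look at is `granted`: if the receiving application asks for a large buffer but the kernel hands back something far smaller, the loss is decided there regardless of how much the application buffers afterwards. On Linux the cap is `net.core.rmem_max`; on Windows the per-socket request is honoured, which is why a receiver that never calls setsockopt(SO_RCVBUF) (or sets it too small) is the first thing to check in the product's own code, and `iperf3 -w` on the receiving side is the equivalent knob for the test.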