Saturday, December 8, 2018

Routing issue - overlapping subnets on two different L3 switches

Forgive the question, but I can not wrap my head around this.

On L3 switchA I have subnet 10.10.10.0/24 (no hosts beyond .240), whereas on switchB I have 10.10.10.248/29 (only 2 hosts placed here).

The network is running OSPF and the above SVIs are added to the OSPF process, so that each switch has the correct entries in its routing table (one entry with the shorter prefix and one with the longer one).

The problem is, even though the routing tables look good, including the less and more specific routes, hosts from one subnet are unable to reach the other subnet.

At the same time, either subnet's hosts are reachable from some other subnet lying outside the 10.10.10.0 range.

Is it an ARP issue? How can I make this work?

I know this design is far from desired, but I'd like to make it work for a few months before this overlap could be eliminated for good.

Thank you in advance.
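An added illustration, not from the original post, of why the switches' routing tables can be correct and the hosts still fail: a router does longest-prefix match, but a host only consults its own interface mask, so a /24 host treats 10.10.10.250 as on-link and ARPs for it on switch A's segment instead of sending it to its gateway. The gateway addresses below are assumptions.

```python
import ipaddress

# Constructed addressing mirroring the post: a /24 on switch A and a /29
# carved out of its top end on switch B. The SVI addresses are assumptions.
SUBNET_A = ipaddress.ip_network("10.10.10.0/24")
SUBNET_B = ipaddress.ip_network("10.10.10.248/29")
GATEWAY_A = "10.10.10.1"     # assumed SVI on switch A
GATEWAY_B = "10.10.10.249"   # assumed SVI on switch B


def host_decision(src_ip, prefixlen, dst_ip, gateway):
    """What a host does with a packet, based only on its own interface mask.

    Hosts do not run longest-prefix match against the network's routing
    table: if the destination falls inside their own prefix they ARP for it
    on the local segment and never involve the gateway.
    Returns ("on-link", target) or ("via-gateway", gateway).
    """
    iface = ipaddress.ip_interface(f"{src_ip}/{prefixlen}")
    dst = ipaddress.ip_address(dst_ip)
    if dst in iface.network:
        return ("on-link", str(dst))
    return ("via-gateway", gateway)


def router_lpm(table, dst_ip):
    """Longest-prefix match as the L3 switches do it; returns the winning prefix."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [net for net in table if dst in net]
    return max(candidates, key=lambda net: net.prefixlen) if candidates else None


def round_trip(host_a, prefix_a, gw_a, host_b, prefix_b, gw_b):
    """Where each side sends its packet for a request from host_a to host_b
    and the reply from host_b back to host_a."""
    return {
        "request": host_decision(host_a, prefix_a, host_b, gw_a),
        "reply": host_decision(host_b, prefix_b, host_a, gw_b),
    }


if __name__ == "__main__":
    print("switch LPM for .250:", router_lpm([SUBNET_A, SUBNET_B], "10.10.10.250"))
    print(round_trip("10.10.10.5", 24, GATEWAY_A, "10.10.10.250", 29, GATEWAY_B))
```

The /29 host's reply goes to its gateway and is routed correctly; the /24 host's request never leaves switch A's segment unless something there answers an ARP for 10.10.10.250. On Cisco IOS, proxy ARP is enabled by default on an SVI and answers such an ARP when the switch holds a route to the target out a different interface, which is the mechanism this design would be leaning on; `show ip interface vlan <n>` on switch A shows whether it is enabled, and a `show arp` on the /24 host tells you whether the entry it learned is the switch's MAC or nothing at all.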



Commercial Routers with Linux?

Besides Ubiquiti, what other commercial router brands feature a fully accessible Linux CLI?



Best Approach to Segmentation in User Endpoint Network

Interested in everybody's opinion on what the best approach to segmenting the user endpoint network is. User count in the thousands and locations in the dozens. Below are some suggestions that have been proffered. Curious what your thoughts are. A SurveyMonkey link is below also if you prefer to respond that way.

  1. Traditional Layer 3 Subnets With Firewalls or ACLs
  2. Virtual Routing Facilities
  3. Always On VPN for all workstations
  4. Microsegmentation with SDN

https://www.surveymonkey.com/r/X5Z85HR



In a three tier network architecture, where should the servers be placed?

Picture a three tier network architecture: two core switches, two distribution layer switches, and a couple of access layer switches. When I say servers, I'm mostly talking about servers used internally (DHCP, RADIUS, RDS, DNS, SNMP, NETFLOW). Are they directly plugged into the distribution layer?



Need an AP IOS Image

Hello,

I am in need of the autonomous image for the Cisco Aironet Air-CAP3602l-A-K9. If anyone has this image or can download it please comment on this post!

Thanks in advance!



Any good resources for automating backing up switches?

We have a few clients and we like to back up their switch configs every month. It's starting to become a bit of a time sink as we take on more customers, as it's more switches to back up.

Ideally I'd love to automate the process so I can grab the configs from a central location once a month and stick them in our documentation / config backup repository.

What's the easiest / quickest way to implement something like this? I'm potentially looking into Python as I know it's good for network automation, but I assume there are some scripts / free applications out there that will enable us to do this a bit more easily?

Just looking for some advice / guidance from those who have implemented similar solutions in the past. If it helps the majority of kit is HP and Huawei but ideally any solution would be vendor agnostic.

Edit: I also have limited Linux skills so anything that I can easily set up on a windows box would be helpful but I’m not against getting a Linux box set up should the benefits be there.
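An added example, not from the post, of the part such a script should get right once the configs have been pulled: scrub credentials before the text lands in a repository, and flag drift against the last stored copy so a changed config gets looked at rather than silently overwritten. The transport is injected as a function so the example runs offline against constructed sample configs; in practice that function would wrap an SSH library such as netmiko. The sample configs and the redaction patterns are illustrative assumptions, not a complete list for any vendor.

```python
import hashlib
import re
import tempfile
from datetime import date
from pathlib import Path
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed sample output standing in for what an SSH session would return
# (one HP/Comware-style fragment, one Cisco IOS-style fragment).
SAMPLE_CONFIGS = {
    "hp-edge-1": (
        "sysname hp-edge-1\n"
        "local-user admin\n"
        " password cipher $c$3$Zm9vYmFy\n"
        "snmp-agent community read c0mmun1ty\n"
        "vlan 10\n"
    ),
    "cisco-core-1": (
        "hostname cisco-core-1\n"
        "enable secret 5 $1$abcd$EFGHIJKLMNOPQRSTUVWXYZ\n"
        "username admin privilege 15 secret 5 $1$wxyz$0123456789ABCDEFGHIJKL\n"
        "snmp-server community s3cr3t RO\n"
        "interface Vlan10\n"
        " ip address 10.10.10.1 255.255.255.0\n"
    ),
}

# Credential-bearing lines to scrub before a config is committed anywhere.
# Illustrative patterns (an assumption); extend per platform you manage.
SECRET_PATTERNS = [
    (re.compile(r"^(\s*snmp-server community )\S+", re.M), r"\1<REDACTED>"),
    (re.compile(r"^(\s*snmp-agent community \S+ )\S+", re.M), r"\1<REDACTED>"),
    (re.compile(r"^(\s*enable secret (?:\d+ )?)\S+", re.M), r"\1<REDACTED>"),
    (re.compile(r"^(\s*username \S+.*?(?:password|secret) (?:\d+ )?)\S+", re.M), r"\1<REDACTED>"),
    (re.compile(r"^(\s*password (?:cipher |simple )?)\S+", re.M), r"\1<REDACTED>"),
]


def redact(config: str) -> str:
    """Replace the secret field of each matching line, keeping the line otherwise intact."""
    for pattern, replacement in SECRET_PATTERNS:
        config = pattern.sub(replacement, config)
    return config


def fetch_from_samples(host: str) -> str:
    """Stand-in transport: a real one would open SSH and return 'show running-config'."""
    return SAMPLE_CONFIGS[host]


def classify(previous: Optional[str], current: str) -> str:
    """'new' on first sight, 'unchanged' if the redacted text is identical, else 'changed'."""
    if previous is None:
        return "new"
    digest = lambda text: hashlib.sha256(text.encode()).hexdigest()
    return "unchanged" if digest(previous) == digest(current) else "changed"


def run_backup(hosts: Iterable[str], fetch: Callable[[str], str],
               repo_dir: Optional[Path] = None) -> Tuple[Path, Dict[str, str]]:
    """Pull, redact and store each host's config; return the repo path and per-host status.

    Layout: <repo>/<host>/latest.cfg plus a dated copy written only when something changed.
    """
    repo = Path(repo_dir) if repo_dir else Path(tempfile.mkdtemp(prefix="cfgbackup-"))
    statuses: Dict[str, str] = {}
    for host in hosts:
        clean = redact(fetch(host))
        host_dir = repo / host
        host_dir.mkdir(parents=True, exist_ok=True)
        latest = host_dir / "latest.cfg"
        previous = latest.read_text() if latest.exists() else None
        statuses[host] = classify(previous, clean)
        if statuses[host] != "unchanged":
            (host_dir / f"{date.today().isoformat()}.cfg").write_text(clean)
            latest.write_text(clean)
    return repo, statuses


if __name__ == "__main__":
    repo, report = run_backup(SAMPLE_CONFIGS, fetch_from_samples)
    print(repo, report)
```

Redaction is what makes the backup repository safe to hand to documentation tooling or a ticketing system; a "changed" status on a device nobody touched is also the cheapest configuration-drift alarm you will get, so it is worth surfacing rather than just writing the new file.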



I have my VPN and network using same public IP. Is it possible to connect to the VPN within the network ?

My VPN public IP and corporate network public IP are the same. We have internal host detection turned on, so that when a user tries to connect to the VPN it checks the internal host detection and allows users to access the internet through the network instead of the VPN. The initial connection is not happening and packets are getting dropped.



Timed SSID Broadcast

I have a Cisco 5520 wireless controller. We broadcast a business SSID for our laptops to connect to. We broadcast a "morale" SSID in the chow hall which is open for anybody to connect to. We have pruned VLANs to where the morale VLAN isn't on the business side of the building along with not broadcasting the morale network on the business side.

I'd like to know of a good solution to add the morale SSID and its VLAN on the business side only during the break hours and being removed after the break hour is done everyday. Besides doing it manually of course.



Learning multiple vendors.

Will try to be brief.

Obtained my CCNA R&S last month. While on a phone interview a company mentioned they use a lot of juniper.

Of course I decided to be an eager beaver before my next interview. I ordered some cheap Juniper equipment to lab on so I don't look foolish in the next round. I also watched some CBT Nuggets on Juniper. Overall I can navigate the modes well. Do some basic config of interfaces. Show commands are obviously simple enough. Commit all the time still throws me off.

I couldn’t get my Cisco router to form an OSPF neighbor relationship with my SRX-210 which made me feel pretty stupid. Considering I can slam out OSPF neighbors on Cisco like crazy. Granted I just went in blind to it. It’s nothing I won’t figure out with a little bit of YouTube, but still.

I know time and repetition is how you learn but damn I feel like I don’t know shit all over again.

Of all the vendors out there, how much variation is there from the way Cisco IOS works?

Also I’d like to hear feedback about the following.

What vendors are you comfortable with and how did you learn them. Work? Self study/lab?

Before CCNA: When I get my CCNA I’ll know so much.

After CCNA: There’s so much shit I don’t know.



UPS Diagraming for Networks

Hey guys,

I need to document our racks' UPS systems. Any tips/examples of how to do this? I've been looking around the internet but haven't found a way to diagram just the UPS with connections.

Also we are getting WhatsUp Gold to monitor our network; any ideas if I can use this to map?

I need to just map the power connections to the equipment (not sure if I can map a port from the APC to a Cisco power connection).



Juniper SRX monitoring similar to Cisco Meraki's?

I work for a smaller MSP and over the past year have managed the majority of our client Juniper SRX installs. We recently had a customer upgrade from a Cisco Meraki MX80 to a Juniper SRX340. The customer requested a similar way of monitoring network utilization like the Meraki (per website, per device) shown here. I've had a few people tell me I should be able to do this with the Juniper out of the box, but when I contact Juniper support, I keep getting the run around. As far as I can tell, the only thing that would meet his request is Junos Space or some other SNMP tool.



I have some questions regarding captive portals.

Hello, everyone! I don't know much about networking and I had some questions regarding captive portals. Complete novice. Any tutorials or suggestions are welcome.

Can I setup a captive portal on regular router?

How do I install and customize the page?

Is it possible to play video on a captive portal?

Thanks in Advance!



Having trouble port forwarding

Hi all, I’m having trouble port forwarding on my Arris DG3450 router to set up a server. Every time I fill out the information, it says “operation failed” with no further explanation. Why can’t I port forward?



Newbie question: routing protocol or vpn?

When should I use a routing protocol like OSPF instead of a site-to-site VPN to connect remote sites?



Wired and Wireless devices can't see each other

I have my router in the basement along with network mesh all over the house. We have the router using "homewifi 2.4g" and "homewifi 5g". When we installed the network mesh, we started using just one called "fullhomewifi". We also have ethernet cables in the walls going all over the house.

My issue is that, even before the mesh network, my ethernet connections and my wifi connections were unable to see each other's devices.

For example, if my chromecast is connected via wifi, my ethernet connected PC cannot cast to it.

Please help!



looking for something like bfd, but unidirectional for link monitoring...

Hi all. I'm looking for something like bfd, but only unidirectional. Basically, I have a VPN concentrator in EC2 and I want to use wireguard to tunnel from a remote site to EC2 and that site has a redundant internet connection.

I've tested various methods including pinging the WAN gateway or ISP DNS servers and then changing the default route but everything I've tested is too slow for VoIP and causes substantial gaps in audio.

I can get the performance I want with a multi-tunnel setup, BGP or OSPF, and BFD but this is kind of cumbersome.

What I'd like to do is have something on the server that the client can open a connection to and then receive a stream of numbered packets like BFD does, at a configurable increment. When the client side doesn't see x number of packets, switch the route for WireGuard's port. Then the client kills the connection and starts over, bringing the route back once it's received x number of packets * multiplier. It's just like BFD, but I only need the server sending the data stream and it needs to be over the internet instead of on a layer-3 link like BFD.

Does such a thing exist?
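The detector described above, written out as an added example (not the poster's code) so the state machine can be exercised without a network: the server only ever transmits numbered heartbeats, the client declares the path down after a configurable number of misses, whether seen as a sequence gap or as plain silence, and brings it back only after a longer run of clean heartbeats. The interval, threshold and multiplier values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class HeartbeatMonitor:
    """One-way liveness detector for a WAN path, borrowing BFD's detection
    multiplier idea but with only the far end transmitting.

    interval:           seconds between server heartbeats
    miss_threshold:     consecutive missed heartbeats before the path is declared down
    recover_multiplier: the path is declared up again only after
                        miss_threshold * recover_multiplier consecutive in-order heartbeats
    on_change:          called with True/False when the verdict flips; this is the
                        hook where the route for WireGuard's UDP port gets swapped
    """
    interval: float
    miss_threshold: int
    recover_multiplier: int
    on_change: Callable[[bool], None]
    up: bool = True
    last_seq: int = -1
    last_rx: float = 0.0
    streak: int = 0
    events: List[str] = field(default_factory=list)

    def _flip(self, up: bool, reason: str, now: float) -> None:
        """Record and announce a verdict change; no-op if the verdict is unchanged."""
        if up != self.up:
            self.up = up
            self.events.append(f"{now:.1f}s {'UP' if up else 'DOWN'}: {reason}")
            self.on_change(up)

    def on_packet(self, seq: int, now: float) -> bool:
        """Feed one received heartbeat (sequence number, monotonic receive time).
        Returns the current verdict."""
        if 0 <= seq <= self.last_seq:
            return self.up                 # duplicate or reordered: ignore
        gap = 0 if self.last_seq < 0 else seq - self.last_seq - 1
        self.last_seq, self.last_rx = seq, now
        if gap > 0:
            self.streak = 1                # this packet starts a fresh run
            if gap >= self.miss_threshold:
                self._flip(False, f"sequence gap of {gap} heartbeats", now)
        else:
            self.streak += 1
        if not self.up and self.streak >= self.miss_threshold * self.recover_multiplier:
            self._flip(True, f"{self.streak} consecutive heartbeats", now)
        return self.up

    def poll(self, now: float) -> bool:
        """Call at least once per interval: total silence never produces a
        sequence gap, so only the clock can catch it."""
        if self.last_seq >= 0 and now - self.last_rx > self.interval * self.miss_threshold:
            self.streak = 0
            self._flip(False, "heartbeat timeout", now)
        return self.up


if __name__ == "__main__":
    mon = HeartbeatMonitor(0.2, 3, 2, lambda up: print("route", "primary" if up else "backup"))
    for seq in range(5):
        mon.on_packet(seq, seq * 0.2)
    mon.poll(1.6)                          # silence for 4 intervals -> down
    for i, seq in enumerate(range(9, 15)):
        mon.on_packet(seq, 1.8 + i * 0.2)  # six clean heartbeats -> up
    print(mon.events)
```

On the wire this is a server loop sending `struct.pack("!Q", seq)` over UDP every `interval`, and a client that reads with a socket timeout of one interval, calling `on_packet` on data and `poll` on timeout. Two caveats for anything that moves a route: an unauthenticated heartbeat can be spoofed or replayed to force the failover, so either append an HMAC over the sequence number with a shared key (the `hmac` module) or send the heartbeat inside the WireGuard tunnel itself, which also proves the tunnel is forwarding rather than merely that the ISP path is up; and the asymmetric thresholds (quick down, slow up) are what keep a flapping link from bouncing the route on every packet.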



Using a Cisco 1921 and 3560G for home

So I have a spare 1921 and 3560G laying around and want to use it for my home network. My question is does anyone have any recommended security settings for the 1921 as it will be the only device between my network and the internet?



NAT overload on Cisco Router not working as expected

I'm standing up a small office that will have one switch and one router. Switch will have all the user VLANs/SVIs and the router will do basic IOS FW/NAT functions. When I staged this on my lab gear for testing, NAT doesn't work UNLESS I put an inbound ACL on the inside interface to allow the traffic that matches the NAT ACL.

This to me seems like odd behavior and should not be the case. Is there something I'm missing?

FYI

Topology: user - switch - router - ISP

! ACL 1: the inbound ACL on the inside interface without which NAT did not work in the lab
access-list 1 permit any log
! NAT source ACLs, one per inside address range
access-list 101 permit ip 172.16.0.0 0.15.255.255 any log
access-list 102 permit ip 10.0.0.0 0.255.255.255 any log
! single-address pools, each overloaded (PAT) for its own inside range
ip nat pool NAT-172 192.0.2.4 192.0.2.4 prefix-length 29
ip nat pool NAT-10 192.0.2.5 192.0.2.5 prefix-length 29
ip nat inside source list 101 pool NAT-172 overload
ip nat inside source list 102 pool NAT-10 overload
!
interface FastEthernet0/0
 ip address 172.16.1.254 255.255.255.0
 ip access-group 1 in
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1
 ip address 192.0.2.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly in



Receiving Pause Frames on Cisco SG300

Figured I'd ask around in case someone happens to know..

At my new workplace, our switch (Cisco SG300-52P in L2 mode) is receiving "Pause Frames" from every single AP and possibly other devices. From what I've read, this may happen when there are large amounts of traffic and the Rx/Tx buffers fill up. However, this is still happening even when there is no traffic or clients on the APs.

Any pointers on what I should be looking for?



"Wr mem" best practices?

Might be a dumb question, but I am fairly new to networking and am working in a large enterprise environment. We are currently in a freeze and anybody that makes a mistake is put on full blast.

I am wondering, is there ever any risk at all to "wr mem"? I'm talking weird bugs, etc. Is it silly to wait until the evening to write memory or can it be done during production with 0 risk?



Friday, December 7, 2018

Giving a "VLAN" an IP address vs SVIs

Hello good people of networking,

I often hear engineers talk about giving a "VLAN an IP address." Personally I find this terminology to be extremely confusing. It's my understanding that you can actually give an SVI an IP address, which is really an L3 router/gateway. The fact that a given SVI is routing traffic between one or more VLANs is what leads to the unfortunate phrase I reference above.

Is my understanding correct, or am I off?



ASR 1001-X SFP option

Hi. We are getting a new 500 Mbps circuit installed, burstable to 1G. The carrier is delivering the circuit via fiber, single-mode LC. I was looking at the SFP compatibility matrix for the 1001-X but I am unclear what SFP I should use.

Do I need to get more details from the carrier before I order an SFP?



Experiences with Junos Fusion

Anyone out there played with Junos Fusion? Especially Fusion Edge?

We're potentially looking to deploy some, and I'm curious to get some unvarnished comments, if folks have any.



Why can't I ping other SVIs on the same switch?

Have a L3 switch with 4 VLANs and inter-vlan routing enabled.

I am able to ping and route to connected devices, but why can't I ping the actual IP address assigned to a VLAN from another VLAN on the same switch?

For example, my laptop is connected to VLAN2, I can ping a device connected to VLAN 3, but cannot ping the IP address of VLAN3?

If I plug my laptop to a Trunk Port I can ping all the SVIs.

I am looking for a quick way to learn the basic VLAN and routing configuration on a switch.

Thanks



Ruckus ICX Port Configs

Hey folks,

Pretty simple question here for someone who configures Ruckus switches often but I’m a Cisco guy. My work has one site that’s all Ruckus ICX switches and the guy who maintained them has retired. Now I have been asked to move some VLAN assignments around.

I just want to confirm that when I issue the “untagged ether x/x/x” command to add an untagged port to the VLAN, it won’t overwrite the existing untagged statement with all the other assigned ports. In other words, do I have to re-specify all the untagged ports in the command just to add one?

Thanks



Oxidized - Not trying telnet?

I have a bunch of older Enterasys switches that Oxidized seems to support out of the box. I've been all over the web today from setting up Oxidized to debugging a few issues along the way. Somewhere, I read that Oxidized will try SSH then fall back to Telnet.

The switches do not have or do not support SSH login and send a TCP-RST when you try and SSH. Oxidized does not try telnet, it just tries to SSH 4 times in a row then gives up.

Is there something I have to do to get it to use Telnet, or is that supported on an individual model basis? I tried adding

cfg :telnet, :ssh do

to the enterasys.rb file, but that didn't help matters.

Any help appreciated!



ROBO Cable Modems - What do you use?

Just wondering for those of you with SD-WAN and even those without who are using Cable Modems at your branch offices or other small sites, what models do you use or recommend?

I've been reading up on issues with the Intel PUMA 6 chipset and so I wanted to see if there was a /r/networking favorite when it comes to Cable Modems.

This would be for a 300x20 Service in my particular example.



Should I replace my DELL 6248 switches?

I've got four 6248P's stacked together running my SMB network, around 70% of the ports being used. My VP wants to buy new switches because the 6248's are pretty old. I'm looking at some N2048P's to replace them, but I'm not sure if I'm really going to notice any difference between them in practice. I've got quite a few VOIP phones and run iSCSI for my SAN. I don't think the speed of the 6248's has been a bottleneck in the past but maybe there's security advancements or other reasons to get a new switch that I'm not thinking of.

I hope it's not too general to ask if in general workloads do you think it's worth spending 15K on N2048's to replace 6248's that as far as I can tell are doing just fine.



cisco nexus break out qsfp lacp SO close

Hey, so I'm trying to set up a C93108TC and I'm using 4 of the QSFP-to-SFP adapters and then creating LACP on 49 and 50, 51 and 52 @10G on each interface, and then 53-54 will be BiDi 40 gig LACP.

So far I've broken the 49 interface out to 10G sub-interfaces:

interface port-channel1
  description "MDC 1 LACP Team"
  switchport
  switchport access vlan 2
interface port-channel2
  description "MDC 2 LACP Team"
  switchport
interface port-channel3
  description "link too 1135 san switch"
  switchport

interfaces

interface Ethernet1/49/1
  switchport
  switchport access vlan 2
  channel-group 1
  no shutdown
interface Ethernet1/49/2
  switchport
  switchport access vlan 2
  no shutdown
interface Ethernet1/49/3
  switchport
  switchport access vlan 2
  no shutdown
interface Ethernet1/49/4
  switchport
  switchport access vlan 2
  no shutdown
interface Ethernet1/50/1
  switchport
  switchport access vlan 2
  channel-group 1
  no shutdown
interface Ethernet1/50/2
  switchport
  no shutdown
interface Ethernet1/50/3
  switchport
  no shutdown
interface Ethernet1/50/4
  switchport
  no shutdown

From here I've been able to get the ports to work on their own but not in a LAG.

But when I try and check the port channel I see my Po1 has no LACP protocol, and when I try and add it I get this error:

Eth1/48       1       eth  access down    Link not connected          auto(D) --
Eth1/49/1     2       eth  access down    Link not connected          auto(D) 1
Eth1/49/2     2       eth  access down    Link not connected          auto(D) --
Eth1/49/3     2       eth  access down    Link not connected          auto(D) --
Eth1/49/4     2       eth  access down    Link not connected          auto(D) --
Eth1/50/1     2       eth  access down    Link not connected          auto(D) 1
Eth1/50/2     1       eth  access down    Link not connected          auto(D) --
Eth1/50/3     1       eth  access down    Link not connected          auto(D) --
Eth1/50/4     1       eth  access down    Link not connected          auto(D) --
Eth1/51       1       eth  access down    XCVR not inserted           auto(D) 2
Eth1/52       1       eth  access down    Link not connected          auto(D) 2
Eth1/53       1       eth  access down    Link not connected          auto(D) 3
Eth1/54       1       eth  access down    Link not connected          auto(D) 3

--------------------------------------------------------------------------------
Port-channel VLAN    Type Mode   Status  Reason                  Speed    Protocol
Interface
--------------------------------------------------------------------------------
Po1          2       eth  access down    No operational members  auto(D)  none
Po2          1       eth  access down    No operational members  auto(D)  lacp
Po3          1       eth  access down    No operational members  auto(D)  lacp

--------------------------------------------------------------------------------
Interface     Status     Description
--------------------------------------------------------------------------------
Lo0           up         --

C93108TC-EX#
C93108TC-EX(config)# int eth 1/50/1
C93108TC-EX(config-if)# channel-group 1 mode active
Cannot add active-mode port to on-mode port-channel

Any help would be huge, thanks! I've been googling my butt off.

thanks!



Stealthwatch implementation

Has anyone on this sub deployed Stealthwatch in your environment? We are in the early stages and I'm curious to hear about your experiences. What are some pitfalls that you ran into while deploying this?



CUCM to CUBE to ITSP

Hey,

I am working on an internal project. Currently I have an ITSP that I am registered with on my CUBE. I have four dial peers configured, some translation rules configured, all listed below.

My internal interface is: Gi0/1.15

My external interface is: Gi0/0

The CUBE router is a Cisco 2911, code 15.7

The CUCM publisher is at IP 192.168.15.20

I have some DIDs with the ITSP, but I am currently just working on getting one internal phone working with inbound/outbound. Currently inbound dialing is working correctly but with one way audio, I will fix that later. I'm sure it has to do with the VoIP phone being on a DMVPN spoke router remotely. Outbound dialing I am getting your call cannot be completed as dialed.

On the CUCM side, it's very simple. I have a phone with extension 7575 on it that CUBE is translating calls to. For my route pattern, I have it set to strip the predot, so CUCM is sending 1xxxxxxxxxx to the CUBE. The CUBE should then send calls to the ITSP with the 1. It appears I am matching dial-peer 3 when going outbound from the phone. There is a CSS and partition that I am giving access to everything.

Any ideas where I went wrong with my dial peers?

Here's my relevant config:

voice translation-rule 1
 rule 1 /.*/ /***DID***/
!
voice translation-rule 2
 rule 1 /***DID***/ /7575/
!
voice translation-profile INCOMING_FROM_PSTN
 translate called 2
!
voice translation-profile outgoing_cid
 translate calling 1
!
dial-peer voice 1 voip
 description *** Outbound dial-peer to ITSP ***
 translation-profile outgoing outgoing_cid
 destination-pattern 1[2-9]..[2-9]......T
 session protocol sipv2
 session target sip-server
 voice-class sip early-offer forced
 voice-class sip bind control source-interface Gi0/0
 voice-class sip bind media source-interface Gi0/0
 dtmf-relay rtp-nte h245-alphanumeric
 codec g711ulaw
 no vad
!
dial-peer voice 2 voip
 description *** Incoming Dial-Peer from ITSP ***
 translation-profile incoming INCOMING_FROM_PSTN
 session protocol sipv2
 session target ipv4:192.168.15.20
 incoming called-number ***DID***
 voice-class sip early-offer forced
 voice-class sip bind control source-interface Gi0/1.15
 voice-class sip bind media source-interface Gi0/1.15
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
!
dial-peer voice 3 voip
 description *** TRUNK FROM CUCM ***
 session protocol sipv2
 session target sip-server
 incoming called-number .
 voice-class sip bind control source-interface Gi0/1.15
 voice-class sip bind media source-interface Gi0/1.15
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
!
dial-peer voice 4 voip
 description *** TRUNK TO CUCM ***
 destination-pattern ^7575$
 session protocol sipv2
 session target ipv4:192.168.15.20
 voice-class sip bind control source-interface Gi0/1.15
 voice-class sip bind media source-interface Gi0/1.15
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad

Here's some debugs:

https://pastebin.com/Cprz3Jy8

https://pastebin.com/KTQiwyb8

Edit:

Ran one more debug

https://pastebin.com/Chigwj5t

Looks like I'm not matching a dial peer outbound? Where am I missing?

Route Pattern screenshot:

https://imgur.com/a/NFWuSCh

Thanks!

Let me know if you need specific debugs, screencaps, etc.



Network working, but not working... but working!

Hey Guys!

Today has been a reaaaally weird day at work and I'd like to share what happened so you can shed some light on what could be the cause of the issue. TL;DR at the end. Please let me know about any misspelled words or bad wording.

Environment:

  • 1 Cisco 3924 Router, IOS version 15.5
  • 40+ Cisco 2960 Switches, Mixed IOS versions between 12 and 15
  • Router-on-a-Stick
  • All switches' SVIs are in the same VLAN
  • Multicast Routing enabled
  • 50+ FortiAPs

This morning, for some unknown reason, the WiFi stopped working for a few seconds. We didn't pay too much attention, but after a couple of hours we started to notice that 90% of the switches appeared as down in the network monitor (PRTG) and the APs were not working properly, but internet connectivity never failed on the end users' PCs connected via Ethernet.

After some troubleshooting we noticed that we could connect via SSH to the router and the switches that still appeared as up in PRTG. From the router we couldn't SSH to the switches that were down, but we could connect to those from one of the still "up" switches. After we connected to one of the "down" switches, it appeared as up in PRTG and then we could ping it and connect from any PC on a different VLAN.

We restarted the router and everything started working again, but after a couple of hours the issue came back.

This time, only one switch appeared as up. We could do the same process of connecting to that switch and then SSHing to the others for them to appear as up. We disabled multicast and the issue persisted, so I connected my laptop to the switches' VLAN to ping every device. The ping was successful, all devices are up and we can connect to them.

So, my question is:

WTF??? What could be making the switches appear as down when they are up? Why are they answering only to another switch? What does it have to do with multicasting? Why did the ping correct everything?

Any insight will be appreciated.

TL;DR: We couldn't connect to our switches from any VLAN and they appeared as down, but network connectivity was still working. After disabling multicasting on the router and pinging them from their VLAN, everything works.

Edit

Added Router and Switches models and IOS version



/32 or a /34? (best practice?)

If boobs were IP addressable, would they have a /32 (2 usable) or a /34 (point to point)?



New Startup Company: Network Design & Infrastructure Help

Good afternoon /networking* friends,

-- As the title stated, I'm about to write up a simple plan & map out a business network for a startup company that I've joined recently. The funding & private capital is a mixture of both internal funds & outside investment, so budget and cost should no longer be an issue; that being said, I would like to maintain a healthy goal of something like /long lasting, and fully-functional while still saving as much money as I can/, in regard to final cost(s).

The company is in the clean-water membrane industry, so it is a 30k sq ft. manufacturing facility warehouse mixed with a lab environment that is roughly 6k sq ft, with a handful of small offices eventually, and I will most likely want cat-5 or 6 ports in each office and work station(s) throughout the building, with secure wi-fi (Ubiquiti access points I suppose), for redundancy measures & ease of connectivity for staff and guests (separate guest network, etc.)

That all being said, I really want a basic layout and design model that most businesses / companies have at start-up phase, and maybe [hopefully] the ability to add another 24 or 48-port switch as we grow, like an /as needed/ type of model.

The warehouse is pre-wired for I believe cat-5 currently, and I'll be flying back out to the facility soon to actually /walk the entire grounds/, both outside as well as internally in all areas, to properly map out using most likely an Android wi-fi / network mapping app or something simple, and export it as an easy to view file extension -- which I'll be sharing with you all if needed. (as needed)

That all being said, could I please have whomever is able or bored enough and has read this far by now throw their 2 cents in and comment with what hardware / infrastructure you would install and maybe how you would set up and arrange a server rack, cooling methods, redundancies for power and net, etc. ALL ideas welcome, and if there is easy software to use for all of this, and or a website, please feel free to suggest!!

Thank you all in advance, and I hope without leaving a proper budget in mind, I haven't sounded too foolish.

** Please note, I have prior experience installing a few small to medium business networks myself in the past, around 20 users / staff being the largest. My Linux exp & Windows Server knowledge are both up to par, I hope -- and as far as user systems / workstations, a mixture of Windows & Mac is what I had planned, per the user/staff member request, and I am never opposed to OS / remote virtualization techniques, etc.

***Thank you in advance, and I will have no problem with paying and or 'tipping' for anyone's services and assistance if it gets detailed and timely in replies. Thanks again!



CCIE Security 802.1x virtual lab

I tested using the IOSvL2 image in EVE-NG for 802.1X and it seemed to work well actually. Originally I had a plan to purchase a 2960CX or 3650CX (not 3850)? They seem to support TRUSTSEC. 3650CX even does MACSEC. Anyway, my plan was to get usb NICs and usb WIFI nics and pass through to virtual machines. I saw a post on reddit where someone was doing that. Should I just stick with the IOSvL2 and just use pass through for the wifi nic?

Side question: Would anyone recommend I go for the 3850 instead because of trust sec?



What do you use for remote router provisioning?

We're a business ISP planning to expand to residential this year. We're comparing residential/small business router CPEs. Right now we're considering Cambium, Mikrotik, and Ubiquiti. We recently stumbled upon SmartRG which offers a remote management platform that can monitor, configure, and provision remotely. This is especially appealing because some of our locations can be a 3 hour drive. What platform do you use that does this? What do you think of it?



Choosing a brand and model of CAT6E cabling?

We're running a bunch of drops throughout the building and our electrician asked what brand and model of cabling I'd like to use. I've never actually been asked this before. They said they typically use Mohawk's CAT6E cable. The manufacturer claims it can handle up to 750 MHz, so it should be good for 10Gb.

Any issues with that? I'm only asking because he said the guy down the road at a similar facility uses some other cat6e that's twice the price. Never realized there was that wide of a price range.



Packet delay on local interface

Hi guys,

I am working on a very strange VoIP-related performance issue: I can see packets being delayed for 1-3 seconds on the local interface of my cloud PBX (Debian 9) ! before ! the generated packet leaves the interface towards my clients (doesn't matter if over a VPN or external).

I can also replicate this issue over iperf3 quite well; it looks exactly like on my RTP packets. It absolutely doesn't matter if the packet is routed directly over my WAN (to a D-NAT port mapping) or over the VPN tunnel.

This is what the delay looks like in Wireshark (right part is the Time Delta):

https://i.imgur.com/gkMgsPn.png

Doesn't matter if I capture this with tshark or tcpdump - always the same. Just to be clear once again: I can see this delay on generated packets at my PBX! These packets go directly from my PBX to my phones over the Internet or VPN. I should never see this kind of delay on my own interface while capturing those packets (yes, this delay also happens if I don't capture anything).

First I thought this might be a performance issue, but I can't see any of that on my VM: CPU is fine, RAM is fine, IO load is perfectly fine, there is nothing else running. The VM is bored.

This delay results in a bunch of packets (not only one) being delivered one second later. This doesn't mean jitter; this is complete silence in an RTP stream.

Have you guys seen anything like that before?

Of course I did the major things like reinstalling the OS, patching, etc.

Any Input is welcome!

Kind regards



Create multiple Icon for single node in HP NNMi monitoring?

Since we have multiple redundant links under a single node, our target is to create multiple icons that monitor multiple links under a single node.

Currently we monitor our node using the loopback address, and with multiple links we are totally blind if 1 link fails since these were configured to be redundant.

ex.

Icon01 - Node A  -Interface 1

Icon02 - Node A - Interface 2

Thanks



Nexus switch profile correct operation

How do you default an interface or remove a specific interface from the switch profile (config-sync) on Nexus 7.X? I haven't found any of these specifics in the Cisco documentation. Using default interface in "conf t" creates a mess when using config sync. What's the proper way?



Juniper EX3300 as edge router (w/ BGP)

Hi,

can I use a Juniper EX3300 as an edge router (BGP) for colocation? I have my own AS.

The idea is to use one of the 4 SFP+ ports for 10Gbps transit. I'd only import a default route. The only thing I'm not sure is if it has full support for IPv6.

Thanks



Communication between interfaces

Hello

I have an E60. I would like to achieve that clients from internal3 and internal2 can recognize each other by hostname.

Internal2 is the office network and clients inside can ping each other by IP address and hostname and can also ping internal3, but only by address.

Internal3 is the wifi network and clients can ping internal2 but cannot ping any hostname, not even clients on the same network by IP or hostname.

Thanks for help



Need some help with cisco SmartInstall

Keep getting errors, here are some screen shots....

https://imgur.com/a/OHdoTjN

I can't figure out what I am doing wrong. I keep getting the same errors. The DHCP part is working because I can ping the TFTP server from the client switch. Can anyone point me in the right direction?

Edit: So after messing around, I realized the config wasn't being pushed through because of a naming error. Fixed that and the config is now being pushed through. Still having issues with the IOS coming through though (same error in the pics). It looks like it is searching for some type of image list. Do I need to make some type of text file pointing to the image?

I also read that the IOS needs to be a TAR file and not a BIN file, is this true?



Rack Mounted UPS, Brand New, No Signal

I wasn't entirely sure where to post about this, but figured since it went in a rack this was the place.

Set up, connected battery, everything is tight and seemingly should work. It doesn't.

Has anyone had this issue? I'm fairly new to networking, but having googled it I'm under the impression it's either a faulty unit or it's been completely discharged and will require a period to charge.

I'm getting zero signal on the unit, including display and led at the back along with zero fan spin.

Thoughts?



Looking for budget gigabit switch for VLAN

I'm interested in learning about and setting up VLANs for my home network. Are there any cheap gigabit switches that allow VLANs, just for a small home network?



Problem with Juniper ACX during link failover in MPLS core

Here is a simplified architectural diagram

We operate an ISP-style backbone (comprised of Juniper ACX1100) where we run IS-IS over every link. We then run LDP over the links for label distribution.

We also run a BGP-free core where the PE routers are BGP peered back to the Core, and we have a VRF for transporting Internet traffic.

I am having a peculiar issue with a particular router, P2. When we disable the link (as depicted in the diagram), P2 cuts over to the working path (P2 -> P1 -> Core1).

The Internet (VRF) circuits at PE1 and PE2 continue to work perfectly fine (as expected). However, the VRF in P2 does not work properly, not forwarding Internet traffic correctly to the Core. Checking the logs on P2, I see a few of the below messages:

Dec 4 13:41:09 [redacted] feb0 ACX_NH::acx_nh_tag_hw_uninstall(),2326:acx_nh_tag_hw_uninstall: nh 815 egress uninstall failed: (-10:Operation still running)

Dec 4 13:41:09 [redacted] feb0 ACX_NH::acx_nh_ucast_uninstall(),2452:acx_nh_ucast_uninstall: tag uninstall failed, err: -10

It seems like the ACX is not able to remove the old next-hop from the forwarding table. Has anyone experienced this before? I am going to schedule a maintenance window to reboot the unit to see if that fixes the problem, but I would first like to understand why this is happening so that we can avoid future issues.

I am running Junos 15.1R6.7.



Junos CLI how to edit 'destination address' in firewall rule

Hey folks

Very new to Junos here and I am struggling to find how I edit the 'Destination Address' in a pre-existing rule.

I have been able to view the security policy for the rule in question, but that is it. I have been googling away and I can't find anything along the lines of - edit security policy policy number etc etc.

Any help would be massively appreciated

Vince



AMP for Endpoints heartbeat overloading our proxies.

Anyone have experience with AMP4E?

We've deployed thousands of connectors and we've set our heartbeat intervals to best practice (15 mins), but our proxies are getting hit really hard. Our Cisco rep has been no help. I'm not here to bash Cisco, I'm just looking for suggestions to lighten the load on our proxies.

Increase the intervals? Bypass the proxies?



Losing my mind over Apple Push Notification delays that appear network-related.

I'm really at the end of my rope trying to troubleshoot APNs delays in our network.

Situation: iPhones (iOS 12, model appears irrelevant) connected to Cisco lightweight access points, piped to the internet through a Meraki firewall. These phones are Wi-Fi only (no cellular sticks).

Problem: if the iPhone is idle for 5 minutes, push notifications stop coming into the phone, and are delayed by minutes/forever. This can be easily duplicated using iMessage - it's very repeatable. Join phone to Wi-Fi > send iMessage > message received immediately > wait 5 mins (phone can be awake or asleep) > send iMessage > phone will not receive the push.

This sounds immediately like it's either a wireless connection problem, or an iPhone problem. However: this absolutely never happens when connected to a home network. 3 developers have tried it, I've tried it. Connected to my home network, push notifications come in reliably, 100% of the time within a second or two of sending it. Bring my home Wi-Fi router into work, connect the phone to it while plugged into the network here... delays again.

What I've tried (some of these are nonsensical, but I'm out of logical options):

  • Logged all messages coming in and out of the wireless LAN controller. Looking for evidence that the device is somehow disassociating from the AP during this time. Definitely not happening - everything looks happy.
  • Setting up different authentications on WLANs (PSK/no auth instead of our stock 802.1x). No change.
  • Tried connecting devices to an autonomous AP instead of the lightweight APs. No change.
  • Ran constant pings from both the firewall and from other network devices to the phones. The goal was to both keep the radio(s) awake, and ensure that all the applicable address tables would be populated (God knows why that would affect this problem, but I'm desperate here). No change.
  • Ran a packet capture at the firewall looking at what the traffic looks like. I didn't really expect to find much here, but as expected, a "good" notification has the source device sending APNs up to a 17.0.0.0/8 network and the recipient device getting traffic from that network, and a missed notification has the source device sending the traffic and then... nothing on the recipient device.
  • Modified various timers to see if I could alter that 5 minute idle timeout - I changed the user idle timeout and the ARP timeout on the WLC, changed the MAC address aging time of the switch(es).

I'm honestly confused here. I'm struggling to determine why, at home, these devices never lose their APNs connection, but it just disappears on the work network. I'm wondering if it's the NAT possibly dropping the mapping, but unfortunately it looks like our Meraki firewall is rather opaque in its NAT processes.

I'd appreciate any insights/pointers that anyone has here. Thanks!



ASA PAT no translations in only one interface.

Hello there,

Only one interface is not being translated to the outside: (G1/2 - ESXi)------PAT---->(G1/1 - Dflt-Gw).

The other inside interfaces, HOME LAB and DNS, can get to the internet with no problem.

The ASA and hosts on other interfaces (pre-NAT) can be reached from the ESXi VMs.

When doing a packet tracer test on the ASA, it comes back with a successful message, but as we can see no hits are being translated.

No ACLs are configured on this device, only security levels and NAT/PAT to the outside.

Let me know if you'd like more info.

Thanks in advance for any comments on this.

5506-X# show nat

Auto NAT Policies (Section 2)
1 (DNS) to (outside) source dynamic DNS interface
    translate_hits = 4702, untranslate_hits = 637
2 (ESXi-1) to (outside) source dynamic ESXi-1-OBJ interface
    translate_hits = 0, untranslate_hits = 0
3 (HOME-LAN) to (outside) source dynamic HOME-LAN-OBJ interface
    translate_hits = 7757, untranslate_hits = 188

5506-X# show run nat
!
object network HOME-LAN-OBJ
 nat (HOME-LAN,outside) dynamic interface
object network ESXi-1-OBJ
 nat (ESXi-1,outside) dynamic interface
object network DNS
 nat (DNS,outside) dynamic interface

5506-X# show run object
object network HOME-LAN-OBJ
 subnet 192.168.5.128 255.255.255.240
object network ESXi-1-OBJ
 subnet 192.168.5.176 255.255.255.249
object network DNS
 host 192.168.5.190

5506-X# show run interface
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.5.186 255.255.255.252
!
interface GigabitEthernet1/2
 nameif ESXi-1
 security-level 100
 ip address 192.168.5.177 255.255.255.248
!
interface GigabitEthernet1/3
 nameif DNS
 security-level 100
 ip address 192.168.5.189 255.255.255.252
!
interface GigabitEthernet1/5
 nameif HOME-LAN
 security-level 100
 ip address 192.168.5.129 255.255.255.240
!

5506-X# show run route
route outside 0.0.0.0 0.0.0.0 192.168.5.185 1
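Two things in the posted output that the ASA will not flag for you in show nat are worth checking mechanically: whether every object's mask is a valid, contiguous mask, and whether each object actually covers the subnet of the interface its NAT rule names (a host whose source address falls outside the object never matches the rule, so translate_hits stays at 0). The script below is an added example, not the poster's or Cisco's code; it embeds the relevant lines of the posted output as its sample input and uses Python's ipaddress module to do the validation.

```python
import ipaddress
import re
from typing import Dict, Tuple

# Constructed sample: the object, nat and interface lines from the posted
# "show run" output, merged into one text (the ASA prints each nat line
# under the object that owns it).
ASA_CONFIG = """
object network HOME-LAN-OBJ
 subnet 192.168.5.128 255.255.255.240
 nat (HOME-LAN,outside) dynamic interface
object network ESXi-1-OBJ
 subnet 192.168.5.176 255.255.255.249
 nat (ESXi-1,outside) dynamic interface
object network DNS
 host 192.168.5.190
 nat (DNS,outside) dynamic interface
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.5.186 255.255.255.252
interface GigabitEthernet1/2
 nameif ESXi-1
 security-level 100
 ip address 192.168.5.177 255.255.255.248
interface GigabitEthernet1/3
 nameif DNS
 security-level 100
 ip address 192.168.5.189 255.255.255.252
interface GigabitEthernet1/5
 nameif HOME-LAN
 security-level 100
 ip address 192.168.5.129 255.255.255.240
"""


def parse_asa(text: str):
    """Minimal parser for the three ASA constructs the check needs: object
    network (subnet/host), nat lines nested in the object, and interface
    nameif / ip address. Returns (objects, interfaces, nat_rules)."""
    objects: Dict[str, dict] = {}
    interfaces: Dict[str, dict] = {}
    nat_rules: Dict[str, Tuple[str, str]] = {}
    cur_obj = cur_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"object network (\S+)$", line)
        if m:
            cur_obj, cur_if = m.group(1), None
            objects.setdefault(cur_obj, {})
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur_if, cur_obj = m.group(1), None
            interfaces.setdefault(cur_if, {})
            continue
        if cur_obj is not None:
            m = re.match(r"subnet (\S+) (\S+)$", line)
            if m:
                objects[cur_obj]["subnet"] = (m.group(1), m.group(2))
                continue
            m = re.match(r"host (\S+)$", line)
            if m:
                objects[cur_obj]["host"] = m.group(1)
                continue
            m = re.match(r"nat \(([^,]+),([^)]+)\) dynamic interface$", line)
            if m:
                nat_rules[cur_obj] = (m.group(1), m.group(2))
        elif cur_if is not None:
            m = re.match(r"nameif (\S+)$", line)
            if m:
                interfaces[cur_if]["nameif"] = m.group(1)
                continue
            m = re.match(r"ip address (\S+) (\S+)$", line)
            if m:
                interfaces[cur_if]["ip"] = (m.group(1), m.group(2))
    return objects, interfaces, nat_rules


def object_network(obj: dict) -> ipaddress.IPv4Network:
    """Network an object describes. ipaddress raises ValueError for a
    non-contiguous mask and, with strict=True, for host bits set in the address."""
    if "host" in obj:
        return ipaddress.ip_network(obj["host"] + "/32")
    addr, mask = obj["subnet"]
    return ipaddress.ip_network(f"{addr}/{mask}", strict=True)


def check_nat(text: str) -> Dict[str, str]:
    """For every auto-NAT object: 'ok', or why hosts behind the named source
    interface could never match it."""
    objects, interfaces, nat_rules = parse_asa(text)
    by_nameif = {i["nameif"]: i for i in interfaces.values() if "nameif" in i}
    results: Dict[str, str] = {}
    for name, (src_if, _dst_if) in nat_rules.items():
        try:
            net = object_network(objects[name])
        except ValueError as exc:
            results[name] = f"invalid address/mask in object: {exc}"
            continue
        iface = by_nameif.get(src_if)
        if iface is None or "ip" not in iface:
            results[name] = f"no interface with nameif {src_if}"
            continue
        if_net = ipaddress.ip_interface("%s/%s" % iface["ip"]).network
        if net.subnet_of(if_net):
            results[name] = "ok"
        else:
            results[name] = f"object {net} is not within the {src_if} subnet {if_net}"
    return results


if __name__ == "__main__":
    for obj, verdict in check_nat(ASA_CONFIG).items():
        print(f"{obj:14s} {verdict}")
```

Run as-is it reports HOME-LAN-OBJ and DNS as ok and rejects ESXi-1-OBJ's mask; with the ESXi object mask changed to 255.255.255.248 (the mask on GigabitEthernet1/2) the object covers the interface subnet and the check passes.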



Business class internet pricing?

Getting really damn tired of being tied to our current ISP using MPLS and dealing with all the service headaches they have caused.

It's made me start doing a deep dive into SD-WAN offerings again. But first I'm trying to find a good ballpark price for a 100M business class broadband internet connection. I know that the price will vary based on geographic location; we are spread out across the county in major cities.

Currently paying $1500/month for a 50M MPLS circuit. If I can get internet from 2 different providers pulled into our offices for a fraction of the cost, I will build a case for an SD-WAN deployment over the internet and do a proof of concept deployment.



Is there a safe alternative to cisco smart install?

I recently found out about Cisco Smart Install, after I just finished updating IOS images and configs on about 30-40 switches last week. I also read how vulnerable Smart Install is. Is there a safe alternative to this?



Agent VS Agentless monitoring

Hi everybody.

As you can read from the title, I'm looking at agent-based VS agentless monitoring.

We are planning to deploy a SIEM in the near future, and the solution we have chosen offers both agent-based and agentless monitoring.

Our office and datacenter are located in different cities. The solution we're looking at recommends one agent per 25 log devices.

We've already decided to use dedicated agents for each of our customers, but we're still on the fence about going agentless for our office.

Our office has around 50 workstations, a few servers and several routers and switches.

Here are the pros and cons of each (as far as I'm aware):

Agentless

Pros:

  1. Ease of installation (as there isn't any)
  2. Less resource intensive than agents
  3. Less configuration required

Cons:

  1. Potential security issues because of WMI
  2. Less information is logged when compared to using agents
  3. Clients might not support agentless monitoring
  4. No in-depth monitoring of metrics
  5. More vulnerable to downtime and network issues

Agent-based

Pros:

  1. More in-depth monitoring
  2. Capable of collecting data from multiple LANs
  3. Automatic capabilities to avoid performance issues and downtime
  4. Less vulnerable to downtime and network issues

Cons:

  1. Setting up agents takes time to deploy
  2. More resources are required
  3. Managing agents can get bothersome in the long run because of growth

What's your opinion on this topic? Did I miss any pros and cons?

(I know that agentless isn't actually agentless because it still relies on some type of agent embedded in the software/operating system)

Cheers!



Newbie double network adapter question

We have two separate networks in our school. One is used for the normal www. The other one is used for the private school system. What I want to do is VNC to the system via the www network, and when I'm in the VNC session I want to use the private network to do work in the school system. So port 5900 is gonna be used on network 1 and simultaneously network 2 will connect to the school apps.



Is there any proper collection/reference about vendor-independent VPN tunnels and how they're constructed (bonus if they talk a bit also about vendor gimmicks)

I'm talking about the components of a VPN and how they stack or get combined together.

What is, by RFC, a mandatory specification and what isn't (like lifetime)?

I've only been able to find vendor snippets that explain a bit more than the config, IETF drafts (of which there are dozens about each component), and things that make not much sense (Cisco VTI IPsec/GRE).

Basically, I'm really trying to find a dummies' guide that's comprehensive.



Can I detect sniffers in monitor mode on my Wi-Fi?

Attackers can sniff Wi-Fi networks in monitor mode to intercept the data without connecting to the router. Is it possible to check if somebody is sniffing my network?

Thanks!



Connect Cisco APs indirectly with the 3850 switch

The customer has a 3850 switch with an access point license, 14 access points and a 2960X switch.

I know that we must connect the access points directly to the 3850 switch for them to work properly, but the customer wants to connect the access points to the 2960 switch and I can't find any configuration example on Cisco for this implementation.

3850----2960-------APs

Any advice?



ISE 2.3 Guest CWA stuck in Redirect

Wandering down a rabbit hole here, anyone else see something like this?

I just upgraded to ISE 2.3 from 2.0, imported all the rulesets, setup lic, etc. I noticed however when Guest devices self-register via the CWA redirect, they get stuck in the portal and can never actually gain access to the www. I can see in the browser that it does get redirected to the url I configured, let's say google.com, but then redirected right back into the self-registration page as if the device never registered or went through the Guest Flow at all. The accounts get created, but the devices never get auto placed into the 'GuestEndpoints' identity group like it should, without manually disconnecting the device and reconnecting it. Now, if they put in their username and password they received from the self-registration portal, everything works well. Unfortunately, this is too complicated for the user base, but that's neither here nor there.

Now if I disconnect the device after going through the self-registration portal successfully, and leave it sit for about 5 minutes, the device works as intended and matches policy set rule 1 (seen below). It's almost as if the device doesn't get matched to rule 2 and instead gets stuck in rule 3 until manually disconnecting it. Once manually disconnecting the device and reconnecting it, it matches with rule 1. These are the exact same rules as on ISE 2.0 and the self-registration portal and redirect works fine. Thank you in advance for your input.

Here's what I have:

ISE Policy Sets:

  1. -Identity Group: GuestEndpoints, Match Airespace-Wlan-Id, Not domain Machine ----- result Guest-Internet
  2. -Wireless MAB, Match Airespace-Wlan-Id, Network Access UseCase EQUALS Guest Flow, Not domain Machine --- result Guest-Internet
  3. -Wireless MAB, Match Airespace-Wlan-Id, Not a domain machine ------- result CWA Redirect

Hardware:

-WLC 5508

-ISE 2.3 patch 2

Impact:

-All devices, all browsers



Troubleshooting Wi Fi Drop Outs

Hi,

I have recently started working as a Network Administrator after working on a help desk for 2 years. I am loving the job so far but am finding it difficult to provide answers for some problems. The main one would be "Why does our Wi-Fi randomly drop out at times during the day? / Why is our Wi-Fi connection sometimes weak?". I realise this is extremely vague and I need more information to go on - what would be the best questions to ask?

What is the best way to approach these scenarios? Should I be using monitoring software to determine what devices are using up the internet link? How do I isolate the root cause of the drop outs with certainty? I’m used to break fix scenarios like installing the correct printer driver so someone can print so in depth network troubleshooting is quite new to me.



Issue with create_child_sa job (first ikev2 "p2" rekey) from strongswan to fortigate and check point firewalls

Hi,

I've been trying to get rekey working between check point R80.10 and a mobile router running strongswan 5.5.3 for quite some time. I'm getting stuck on the first rekey which sometimes causes a few minutes of pause in traffic.

I later noticed I was having similar issues with a completely different strongSwan setup: a Linux server running strongSwan 5.5.1 connecting to a FortiGate running 6.0.3. I took pcaps on the FortiGate and noticed that it also seems not to respond to the create_child_sa rekeys coming from strongSwan.

I changed the rekey margin on the strongSwan side, and this seems to change the balance so that there is no break / a short break in traffic. It seems that when they end up in this rekey situation, where strongSwan sends create_child_sa jobs which seemingly time out on both peers (no error message is sent from the responder firewalls), the only thing that fixes it is a reinitiation of the connection.

It also seems that if I try to match the timers on both peers for the child_SA rekey, the break in traffic might be short/nonexistent, but this seems to only mask the underlying issue. Another option to work around this might be to try and make the child_SA rekey be initiated by the firewalls, but optimally I'd like to know what causes the job to time out.

I've also opened a ticket with Check Point about the issue and taken debug logs. The only thing I can decipher is that I see the job coming in, and that it times out. In pcaps I can see that the firewalls don't respond to the create_child_sa.

I've examined these create_child_sa packets and at least the selectors (TSr & TSi) seem to be what they should be, and the proposal is the same.

I'm maybe inclined to believe something changed on the firewall sides in more recent releases that has broken something. In particular I'm wondering about ikev2 reauthentication which seems to be a somewhat fuzzy concept and that maybe the firewalls are "requiring" a reauthentication without properly signalling it or making the strongswan understand, but then I'm not really seeing any SA deletes coming from the firewalls either.

Has anyone encountered silent failures/timeouts of create_child_sa jobs from strongswan -> firewalls?



Thursday, December 6, 2018

[Please Advice] Visio and Edraw Max, which one is better to create network diagrams?

I'm new to the network diagram design field, and I'm looking for handy offline software for network diagrams. So far, the two brands I have heard about the most are Visio and Edraw Max. Edraw has more built-in templates and shapes etc., but Visio seems to be more popular in the market.

So what are your opinions about these two? Feel free to let me know if you have more recommendations, thanks!



Cyber Security Proposal Engineer: Interview- Planning to spend the entire weekend on preparation: Need help.

HR has just confirmed the interview date for next week. I'm planning to spend the whole weekend preparing for the interview.

The role is more of a requirements analyst, engaging with the customer and the sales team to design the complete security suite for the clients.

I have already gone through 80% of the question list I have compiled: https://pastebin.com/a3EFUnTE . It would be great if I could get more technical documentation and materials to read through that are more relevant to cyber security.

Do you think it would be worth going through CISP trainings on Udemy? I have personally felt the content on Reddit has more information than Udemy. Please also share some informative YouTube sessions/talks on the relevant subject. I have learned good, quality content from Defcon videos in the past. (I'm basically looking for the latest trends: IDS, mitigation, HW defence, IoT security, DDoS mitigation etc.)



Recommendations for WiFi access point?

I'm helping a local organization with some wifi issues. They are currently using a Linksys RE6500 WiFi extender. The router is 50' away from the extender and there are 3 concrete walls between the two. When connecting to the WiFi extender it frequently cuts out.

I'm looking for a better access point that I can run a 50' Cat5e ethernet cable to. What should I look at getting? I've read Google WiFi is a good solution. What else should I look at?

The connection may have 10-15 devices connected at a time.

Thanks for the advice in advance.



Cat5E fully shielded max length 1000mbps full duplex problem.

Hi,

I have a setup with 2 gigabit switches a long distance from each other (about 70 meters). For cable routing purposes, I left it at 100 meters and put metal connectors (for grounding purposes) on the cable. I am unable to get a faster connection than 100mbps. I have tried shortening the cable to 80 meters with 2 metal connectors, and now it is at 80 meters with one metal and one plastic connector. Still to no avail.

I know the issue is probably that the shielding is saturating, which is blocking the passage of packets. What I don't get is that everywhere on the internet you read about the cables being able to reach 100 meters without an issue. But in my case this isn't working.

  • Is 100 meters shielded cable restricted to 100mbps?
  • If I would like to achieve 100 meters gigabit cat5e, should I use unshielded?

Thanks upfront for the help, I know it might be a stupid question but I'm just not figuring it out and it's my first time using such long cables.



Cisco SG500X and apple router

I have a weird issue with one of my clients dropping connection every 20 minutes for about 15-30 seconds. They are connected to a Cisco layer 3 SG500X switch, and the router is an Apple 100Mb device instead of gigabit. I don't see any errors on the port, nor does it flap. I do have RSTP active for spanning tree (if that makes a difference).

They are using a public static IP while connected to the switch. I manage the switch, and I do have things like Smartport turned off but do have PortFast turned on on all ports.

Any suggestions?

Edit: This switch only serves customer connections, and they all have Netgear or Apple routers connected. One or two have complained about this same issue, but I'm not sure if it's widespread and no more are complaining, or where to go with this.



Any risk in going from VTP server to transparent?

Is there any chance that migrating a switch from a VTP server to transparent mode will delete any vlans on the switch that may have been learned via VTP?



VPN arp timeout printer issues

Sorry the title is confusing, but I'll clarify.

I have 2 sites connected with an IPsec VPN between SonicWalls; the HQ has a print server that clients on the remote end use for local printing. Lately I've noticed on the print server we'll have ~5 of the 15 printers drop to offline state: they quit responding to ping from the HQ site while remaining active on the local site. It seems to take between 5-10 minutes for them to start responding to ping again, as if the SonicWall isn't able to ARP. I would chalk this up to crappy printer NIC drivers, except I saw this happen to our remote site core switch: suddenly I lost ICMP and TCP traffic to our .1 for about 5 minutes even though I had full connectivity to everything behind it.

Any thoughts, we're completely stumped on this.



Understanding IP fragmentation

I understand IP fragmentation is bad. I want to understand better how to prevent it.

  1. If all nodes on a given network share the same MTU, does IP fragmentation ever happen?
  2. Let's say PMTUD is broken. If I add encapsulation (say IPsec or GRE), does the router performing encapsulation also perform fragmentation for any frames received that will total more than its outbound interface's MTU with headers (and that don't have the DF bit set)?
  3. Let's say I set the router's outbound interface's MTU to 1400. PMTUD is still broken. Is the router still performing fragmentation? I assume so, because I don't know how any devices behind the router would know about the reduced MTU. So does reducing the MTU on the router even help prevent fragmentation? Surely I've missed something?
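A worked model of questions 2 and 3, added here as an example rather than anything from the post: it applies IPv4 fragmentation as a router performs it (payload chunks in multiples of 8 bytes, offsets carried in 8-byte units, DF honoured by dropping and reporting the next-hop MTU via ICMP type 3 code 4) to a 1500-byte packet that a router wraps in GRE and forwards over a 1500-byte and then a 1400-byte MTU link. Assumptions: the GRE overhead is 24 bytes (a 20-byte outer IPv4 header plus a 4-byte basic GRE header), and the outer header has DF clear, so the router fragments the outer datagram rather than the inner one.

```python
from dataclasses import dataclass
from typing import List, Optional

IPV4_HEADER = 20       # IPv4 header without options
GRE_OVERHEAD = 20 + 4  # assumed: outer IPv4 header + basic GRE header (no key/seq)


@dataclass
class Fragment:
    offset: int           # Fragment Offset field: position of this chunk in 8-byte units
    payload_len: int      # bytes of the original payload carried in this fragment
    more_fragments: bool  # MF flag: False only on the last fragment


class FragmentationNeeded(Exception):
    """DF was set and the datagram does not fit: the router drops it and sends
    ICMP type 3 code 4 carrying the next-hop MTU. PMTUD relies on that message
    reaching the sender; when it is filtered, 'PMTUD is broken'."""

    def __init__(self, next_hop_mtu: int):
        super().__init__(f"fragmentation needed, next-hop MTU {next_hop_mtu}")
        self.next_hop_mtu = next_hop_mtu


def fragment(total_len: int, mtu: int, df: bool = False,
             header_len: int = IPV4_HEADER) -> List[Fragment]:
    """What a router does with a datagram of total_len bytes (header included)
    on an outbound link of the given MTU: forward unchanged if it fits, refuse
    if DF is set, otherwise split the payload into chunks that are multiples of
    8 bytes (all but the last), each sent behind its own IPv4 header."""
    if total_len <= mtu:
        return [Fragment(0, total_len - header_len, False)]
    if df:
        raise FragmentationNeeded(mtu)
    max_payload = (mtu - header_len) // 8 * 8
    payload = total_len - header_len
    frags, sent = [], 0
    while sent < payload:
        chunk = min(max_payload, payload - sent)
        frags.append(Fragment(sent // 8, chunk, sent + chunk < payload))
        sent += chunk
    return frags


def reassembled_len(frags: List[Fragment], header_len: int = IPV4_HEADER) -> int:
    """Length the receiver rebuilds: one header plus all payload chunks."""
    return header_len + sum(f.payload_len for f in frags)


def forward_through_tunnel(inner_len: int, outbound_mtu: int,
                           overhead: int = GRE_OVERHEAD,
                           outer_df: bool = False) -> List[Fragment]:
    """Questions 2 and 3: the encapsulating router adds `overhead` bytes and then
    has to fit the outer datagram into its own outbound MTU. The hosts behind it
    still send inner_len-byte packets, so lowering the router's MTU changes where
    the split falls but does not remove it. Assumption: DF is clear on the outer
    header (the inner DF bit is not copied), so the router fragments."""
    return fragment(inner_len + overhead, outbound_mtu, df=outer_df)


def next_hop_mtu_reported(total_len: int, mtu: int) -> Optional[int]:
    """MTU a DF-set sender would learn from the ICMP error, or None if it fits."""
    try:
        fragment(total_len, mtu, df=True)
    except FragmentationNeeded as exc:
        return exc.next_hop_mtu
    return None


if __name__ == "__main__":
    # Question 1: every node at MTU 1500 and a 1500-byte packet: no fragments on
    # the wire (a host can still fragment its own oversized UDP datagram at source).
    print("plain 1500 over 1500:", fragment(1500, 1500))
    # Question 2: the same packet wrapped in GRE is 1524 bytes: two outer fragments.
    print("GRE over 1500:", forward_through_tunnel(1500, 1500))
    # Question 3: router MTU lowered to 1400, hosts unaware: still two fragments.
    print("GRE over 1400:", forward_through_tunnel(1500, 1400))
    print("ICMP next-hop MTU for DF traffic:", next_hop_mtu_reported(1524, 1400))
```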


Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Great Firewall of China breaking the threeway handshake?

So long time lurker but first time poster. And forgive the format, I am on mobile.

I work at an MSP and recently a customer's site was blocked in mainland China. I have researched how China normally blocks traffic with DNS poisoning and IP blocking, but that does not mesh with what we are seeing.

From China ICMP traffic passes, but when trying to complete the three-way handshake we see the SYN from China, we send the SYN-ACK, then the connection times out.

Is anyone familiar with China's use of this kind of blocking?



HPE Virtual Connect Manager 4.x

Hello. I work for a company that has some technical debt and is "upgrading" to already old technology, "Flex 10" with HPE Virtual Connect Manager.

I have physical Nexus switches connected to the Flex 10s. Both sides have and allow VLAN 999. However, a VMware VM tries to ping its default gateway but can't even get as far as the Nexus switches.

The vSphere Client shows the VLAN and that the VM is mapped to it, but I don't understand any of the layers of abstraction between the VMware hosts and the Flex 10s well enough to troubleshoot and correct the configuration to allow the VM to reach the default gateway.

Can anyone point me in the right direction? I downloaded the HPE Virtual Connect manuals but want to have a good idea of how things work instead of skimming the ToC to see if I find something. Any help would be greatly appreciated.



HSRP interface for superscoped VLAN

So, the last place I worked we did not use HSRP. We used VLAN interfaces on an L3 switch, with an IP address and a secondary, then a superscope in DHCP for VLANs with non-contiguous IP space. I don't know if this was the correct way to do it, but it worked.

Where I am now, we use HSRP interfaces on a Nexus 9k. I'm wondering if we use IP secondaries on those, would it work the same way?

I'm wondering because we're implementing MAB using VLAN names with a universal naming scheme (example (not real): user VLAN named USER, voice named VOIP across the board). So our options (I think?) are either that, because we have some switches with multiple user/VoIP VLANs, or re-IPing.

Alternatively, if there are other options, I'm all ears. Still very new to networking.



VRF Issues with trunks coming from VMware dvSwitch

I'm running into a bit of a conundrum with a new 3-node Nutanix cluster I'm setting up. I've got a vCenter installed on the hosts with a dvSwitch plugging into a pair of Cisco C6509Es in a VSS, 1 NIC per host to each physical chassis. Each interface and the port-channel are configured as trunks allowing my 2 management VLANs and the DMZ VLANs. My original issue cropped up while setting up a LAG in vCenter and the LACP port-channel for one host on the physical switch. After moving both the host's NICs to the LAG, traffic would flow up until both interfaces were up and established in the port-channel. Turn one interface off, everything flows. Have only one interface in the port-channel, it's all happy. Have both interfaces up and in the port-channel, management traffic gets dropped and I lose access to the ESX host. Same holds true for flipping which port you're playing with. At this point in time, there were only Nutanix management servers and the vCenter server on the cluster, all of which are in the same VLAN/portgroup as the ESX hosts vmkernels.

While waiting to hear from VMware for their take on this, I decided to migrate a test machine to a different host in the new cluster to test the other VLANs/portgroups. It's at this point that I find what I suppose is the VRF-centric issue, and may also be causing the LAG/LACP issue. For my test VM, if it's in one of my DMZ VLANs, all of which are associated with a DMZ VRF on the physical switch, traffic is all fine and dandy. If I move them into management VLANs (the same vlan as the Nutanix CVMs and vCenter, and one for backups) which uses the default route table on the physical switch, no traffic is passed.

Since VRFs are assigned to the VLANs, having VLANs using the default route table and the VRF shouldn't be an issue, right?

Relevant physical switch configs:

PrimColo_SW01#show etherchannel summ
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator

        M - not in use, no aggregation due to minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        d - default port
        w - waiting to be aggregated
Number of channel-groups in use: 8
Number of aggregators:           8

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
13     Po13(SU)        LACP      Gi1/4/14(P)    Gi2/4/14(P)

PrimColo_SW01#show etherchannel port-channel
[...]
Group: 13
----------
Port-channels in the group:
----------------------

Port-channel: Po13    (Primary Aggregator)
------------
Age of the Port-channel   = 16d:19h:05m:24s
Logical slot/port   = 46/8          Number of ports = 2
HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =   LACP
Fast-switchover     = disabled
Load share deferral = disabled

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------------+------------------+-----------
  1     FF     Gi1/4/14   Active             8
  0     FF     Gi2/4/14   Active             8

Time since last port bundled:    0d:00h:01m:07s    Gi1/4/14
Time since last port Un-bundled: 0d:16h:23m:52s    Gi1/4/14

PrimColo_SW01#show lacp neigh
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode
[...]
Channel group 13 neighbors

Partner's information:

          Partner  Partner  LACP Partner   Partner    Partner   Partner      Partner
Port      Flags    State    Port Priority  Admin Key  Oper Key  Port Number  Port State
Gi1/4/14  SA       bndl     255            0x0        0x9       0x8001       0x3D
Gi2/4/14  SA       bndl     255            0x0        0x9       0x8000       0x3D

PrimColo_SW01#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        src-dst-ip vlan included mpls label-ip

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination IP address
  IPv6: Source XOR Destination IP address
  MPLS: Label or IP

interface Port-channel13
 description *** NTX-ESX-DMZ03 ***
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 130,145,600,701,750,760,770,800,810,820
 switchport mode trunk
 speed 1000
 duplex full
 spanning-tree portfast edge trunk
end


Seeking Network Audit Companies

Looking for recommendations or experiences people have had with companies doing a network audit. Mainly some testing for security holes and best practices, we are an HPE/Aruba/Palo Alto shop primarily. Looking at hands-on configs, ACLs, policies and some penetration/port scanning. Located in Michigan, US.



Recommend a WIPS

Currently looking at WIPS and hoping others can share their experiences.

No one particular deployment in mind, I work in the channel so the solutions we offer can literally end up anywhere.

Would be good to know what has (and hasn't) been a good solution for you?



Connected to a work network, but unable to open files in software

Hi, I am not sure if this is the right subreddit for this, but it seems to be an issue of 3 different areas - the work server, my OS, and my software.

OS Specs:

Windows 10 Home

Server:

WD MyCloud PR4100

Software I have tried:

Adobe Premiere

MS Paint

WIFI is through a USB wireless adapter, I do not have a WIC.

What's happening:
I can open files using Windows Explorer. I cannot open files using any other software. The "Network" dropdown does not populate anything else on my network other than my computer. I have been on hold with Microsoft tech support for 2 hours on and off with SOME progress (the agent actually helping me hung up), I have also already called Adobe and Western Digital and they were no help.

What I've done:

-Disabled firewall

-Modified network settings from "public" to "private" and removed all access limitations for file sharing.

-Enabled a NUMBER of file sharing and network services under services.msc, and set a few to automatic (I forgot which ones, the Microsoft agent told me to)

-Added registry key EnableLinkedConnections

-Reset network settings



Dish NOC Contact info

I work for an ISP that's having some issues with our members using DISH On Demand. I'm trying to get in contact with the DISH NOC but I'm not having any luck getting their contact info from the internet or through their customer service. Anyone got this precious info???



Need advice on building a network for a co-working space

Need advice building a network on a co-working space

Hi, I'm starting a new venture, a co-working hub mainly for small start-ups, freelancers/hobbyists, and space for business meetings etc. I'm basically a newbie at technical networking stuff and am starting to get into setting up a network for the hub, with devices mostly being wireless (laptops, smartphones); there is basically just one wall outlet for LAN in the admin office. The internet speed currently is only 20mbps dl/up, but I might bump it up to 200mbps dl/up when the hub gets attention in the future. I want the hardware side to be able to handle 80+ users at full capacity. The space is around 4750 sq. ft, no ceiling, concrete walls, but all the rooms (turf, conference rooms, private pods) have glass sliding doors. Mostly open space, not many walls.

My plan/requirements:

  • Ubiquiti AC AP LR or PRO, not sure which suits my needs better?

  • Router, just for the APs ,that can do firewall to keep members a bit of security to separate each members on a separate network as the others for security (VLAN each members?)

  • Captive portal that can generate a username and password when logging in the internet.

  • One user can't take all the bandwidth that would cause slow downs on the network (without limiting bandwidth speeds)

  • There's one utility printer connected through wifi to the network for member's use (can be visible on the network who ever is in)

  • Can handle 20-80+users max (assuming 2 devices per user that be less than 200 devices)

  • Able to configure network connections to enforce session time limits

My initial plan was just running 2 access points in the space connected to a switch; I guess that's not a good idea security-wise. Any recommendations on what set-up and hardware I need?

Floor plan: Red= router placement Blue= planned APs placement

(https://i.imgur.com/TzsirHT.png)



Is it just me or is the Cisco website the slowest POS on the web?

I mean, who the hell had a bloody video playing on their front page? Having network issues? Lets play a ****ing video to help you out..

Why does it run like an absolute pig on IE, (yeah, I get that IE is crap anyway but a LOT of enterprises use it as their standard browser).

Even scrolling is slow and laggy on the forums / big searches making trying to find good info an extremely frustrating experience.

Trying to find the correct update? let's play guess the relevant section.

Please just strip out all the crap and make it a more nimble site, or at the very least make the support section like this please.

I don't need or care about custom fonts, css, flashy looks etc when I'm trying to fight a network issue and your site is a primary source of info.



Rogue Switch Detection

Looking for some suggestions.

My company's lab has an issue with user-installed rogue switches daisy-chained off of our access layer. Are there any tools that can detect this and shut them down? What makes it a little trickier is we have virtual machines also, so shutting down all ports with more than one MAC address on them is not really an option; it needs to be smart about it.

If anyone has suggestions or advice it would be greatly appreciated!



tcpdump filter Syn-Ack packets

Hello,

I want to filter all the Syn-Ack packets using tcpdump. I am using this filter:

krishnar:~ krishnar$ sudo tcpdump -c 25 ' tcp[tcpflags] & (tcp-ack & tcp-syn) !=0 ' -nnn
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes

This is not matching any traffic. Can anyone please tell me why this is not working?
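Added example, not part of the post above: the filter never matches because (tcp-ack & tcp-syn) is 0x10 & 0x02, which is 0, so tcpdump is ANDing the flags byte with a zero mask. The Python below builds a few constructed 20-byte TCP headers (all fields other than the flags are made up), reads the flags byte at offset 13 exactly as tcp[tcpflags] does, and applies both the posted mask and the corrected one, tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack), so you can see which segments each would select. Standard library only.

```python
import struct

# TCP flag bits in byte 13 of the TCP header, which is the byte that
# tcpdump's tcp[tcpflags] (alias for tcp[13]) reads. Fixed by the TCP spec.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def tcp_header(flags, sport=40000, dport=443, seq=1, ack=0):
    """Build a minimal 20-byte TCP header with no options (constructed sample).
    Ports, sequence and ack numbers are made up; only the flags matter here."""
    data_offset = 5 << 4          # 5 x 32-bit words, upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, 65535, 0, 0)


def tcpflags(hdr):
    """Equivalent of tcpdump's tcp[tcpflags]: the flags byte at offset 13."""
    return hdr[13]


def posted_filter(hdr):
    """The filter from the post: tcp[tcpflags] & (tcp-ack & tcp-syn) != 0.
    (tcp-ack & tcp-syn) == 0x10 & 0x02 == 0, so the mask is zero and the
    expression is false for every packet."""
    return (tcpflags(hdr) & (TCP_ACK & TCP_SYN)) != 0


def synack_filter(hdr):
    """Corrected filter: tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack).
    SYN and ACK must both be set; other bits (PSH, ECE, CWR) are ignored."""
    mask = TCP_SYN | TCP_ACK      # 0x12
    return (tcpflags(hdr) & mask) == mask


def pure_synack_filter(hdr):
    """Stricter variant: tcp[tcpflags] == (tcp-syn|tcp-ack), exactly SYN+ACK
    with nothing else set."""
    return tcpflags(hdr) == (TCP_SYN | TCP_ACK)


# Constructed sample segments: a handshake, a data segment and a reset.
SAMPLES = {
    "syn":     tcp_header(TCP_SYN),
    "syn-ack": tcp_header(TCP_SYN | TCP_ACK, sport=443, dport=40000, ack=2),
    "ack":     tcp_header(TCP_ACK, ack=2),
    "psh-ack": tcp_header(TCP_PSH | TCP_ACK, ack=2),
    "rst":     tcp_header(TCP_RST),
}


def evaluate(samples=SAMPLES):
    """Return {name: (posted_filter_matches, corrected_filter_matches)}."""
    return {n: (posted_filter(h), synack_filter(h)) for n, h in samples.items()}


if __name__ == "__main__":
    for name, (posted, fixed) in evaluate().items():
        print(f"{name:8s} flags=0x{tcpflags(SAMPLES[name]):02x} "
              f"posted={posted} corrected={fixed}")
```

The working command is: sudo tcpdump -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'. Use tcp[tcpflags] == (tcp-syn|tcp-ack) instead if you want to exclude SYN-ACKs that also carry ECN bits; the numeric form tcp[13] & 0x12 == 0x12 works on tcpdump builds that lack the tcp-syn/tcp-ack names.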



Could use some guidance - Enterprise Environment

Hey /r/networking!

I have recently taken over an environment that has a mix of Lenovo ThinkSystem switches and Arista switches, which for me was completely out of the ordinary, but I found that they can do almost everything I am used to, just with a different CLI and naming conventions. Here is the current infrastructure:

2x NE1072T - These serve two main functions, they have 48x 10GbE ports and 6x QSFP ports, they connect to the firewall (fortigate 500E) and all client nodes

1x NE1032T (24x 10GbE and 8x SFP+) - This connects to ~8-10 lab machines, 2x SuperMicro Nearline Storage Arrays (10GbE only) and a few old 1GbE Servers

2x Arista 7050CX3 (32x QSFP) - These are two 100GbE switches with 32x QSFP ports. These serve as the backbone for our primary storage (10x nodes w/40GbE ports); each node has a port connected to each switch. It also utilizes 40GbE to 10GbE breakout cables to connect to our vCenter cluster (3x Lenovo SR630 servers) as well as another data cluster (4x nodes).

I am thinking of getting 10GbE or 40GbE SFP+ cards for the two supermicro nearline storage arrays and connecting them direct to the arista switches. But I am still torn on how to properly configure the switch connections.

What I am seeking is the best HA configuration through a mixture of LACP Lag, vLAG(lenovo)/mLAG(Arista) to connect these switches together. Below is a screenshot of a quick and dirty Visio drawing.

https://i.imgur.com/1q90uHQ.jpg



Traceroute is different from regular ipv4 to mpls ipv4.

Scenario: I'm pinging a host outside the MPLS network and I'm getting different results between a regular IPv4 trace and an MPLS IPv4 trace.

Simple topology:

R9(9.9.9.9) --> R1(1.1.1.1) ----> (Partner provider) -----> 192.168.1.1

MPLS TRACE: PE-PE

traceroute mpls ipv4 1.1.1.1/32 source 9.9.9.9 exp 1
 Thu Dec  6 16:40:12.070 GMT
Tracing MPLS Label Switched Path to 
  0 x.x.x.x MRU 9202 [Labels: 34784/implicit-null Exp: 1/1]
L 1 xxxx MRU 9000 [Labels: 34714/implicit-null Exp: 1/1] 4 ms
L 2 xxxx MRU 9202 [Labels: 32607/implicit-null Exp: 1/1] 250 ms
L 3 x.x.x.x MRU 9202 [Labels: implicit-null/implicit-null Exp: 1/1] 266 ms
! 4 1.1.1.1 220 ms

IPV4 TRACE: PE-CE

1 x.x.x.x [MPLS: Labels 34784/22894 Exp 0] 291 msec 289 msec 288 msec
2 x.x.x.x [MPLS: Labels 34714/22894 Exp 0] 288 msec 287 msec 288 msec
3 x.x.x.x [MPLS: Labels 32607/22894 Exp 0] 289 msec 287 msec 288 msec
4 x.x.x.x [MPLS: Label 22894 Exp 0] 286 msec 287 msec 286 msec
5 x.x.x.x [MPLS: Label 21239 Exp 0] 287 msec 286 msec 286 msec
6 x.x.x.x msec 287 msec 286 msec

Comparing the latency, I just want to ask: with a regular trace, will the MPLS path use the destination's latency?

Thanks



Carrier vs. Network Service Provider (Terminology)

I hear people use these terms interchangeably, but do they actually refer to the same thing?

My best guess is that Network Service Providers own the underlying infrastructure, while carriers might just be reselling services. Is this accurate? And if not, what is the difference?

Thank you.



Upgrade from simple Q-in-Q to VXLAN failover setup

Hi,

right now we are running a SPOF DCI setup for customers in 2x datacenters via Q-in-Q (802.1ad). We now got a second layer2 connection between our DCs and want to set up a failover, non-SPOF Layer2 DCI for our customers. We are going to replace our old Brocade switches with whitebox switches and Pica8 PicOS as software. We thought about using VXLAN for this setup but are not sure if there is a better, cleaner and also less complex solution?

Setup now:

  • Q-in-Q between Agg switches
  • tagged VLANs (10,20,30 on customer switch01 to agg switch)
  • untagged port on agg switch to customer switch
  • customer Q-in-Q vlan 1000

        DC1                                                DC2
+---------------+     Q-in-Q via L2 (VLAN1000)     +---------------+
| Agg           +----------------------------------+ Agg           |
| Switch DC1-01 |                                  | Switch DC2-01 |
+-------+-------+                                  +-------+-------+
        |                                                  |
+-------+-----+   +-----------+                    +-------+-----+   +-----------+
| Customer    +---+ Customer  |                    | Customer    +---+ Customer  |
| Switch 01   |   | Switch 02 |                    | Switch 03   |   | Switch 04 |
+-------------+   +-----------+                    +-------------+   +-----------+
  VLANs 10,20,30                                     VLANs 10,20,30

Example setup with VXLAN (planned):

  • VXLAN between Agg switches
  • tagged VLANs (10,20,30 on customer switches to agg switches)
  • port-to-vxlan configuration on customer ports on Agg switches
  • vni1000 for customer vlans
  • let *STP block a port on the least favorite port

        DC1                                                     DC2
   +----------------------------- VXLAN via L3 (vni1000) ------------------------------+
   |                                                                                   |
   |                +------- VXLAN via L3 (vni1000) -------+                           |
   |                |                                      |                           |
+--+------------+ +-+-------------+                     +--+------------+ +------------+--+
| Agg           | | Agg           |                     | Agg           | | Agg           |
| Switch DC1-01 | | Switch DC1-02 |                     | Switch DC2-02 | | Switch DC2-01 |
+-------+-------+ +-------+-------+                     +-------+-------+ +-------+-------+
        |                 |                                     |                 |
+-------+-----+   +-------+---+                         +-------+-----+   +-------+---+
| Customer    +---+ Customer  |                         | Customer    +---+ Customer  |
| Switch 01   |   | Switch 02 |                         | Switch 04   |   | Switch 03 |
+-------------+   +-----------+                         +-------------+   +-----------+
  VLANs 10,20,30                                          VLANs 10,20,30

(STP blocks the least preferred of the two uplinks from each customer switch pair.)

Additional information:

  • customer switches are less expensive (no VXLAN, MPLS, whatsoever feature)
  • yes, customer needs layer2
  • MPLS should be possible on the Agg switches, but seems too complex for this simple setup

Thanks for reading up to this sentence :)



Specific version of Ericsson vMME found culprit of today’s 11 nation cellular crashes worldwide including O2 UK, SoftBank JP, Mobifone VN

https://www.ft.com/content/778469aa-f934-11e8-af46-2022a0b02a6c https://www.softbank.jp/corp/set/data/group/sbm/news/press/2018/20181206_02/pdf/20181206_02.pdf

vMME or Virtual Mobility Management Entity is an Ericsson product to provide MME functionality inside EPC or evolved packet core, virtualized.

The problematic vMME software caused outages in operators across 11 countries, according to Ericsson, cited by SoftBank. This version was 9 months old, and was rolled further back to resolve the issue.

TL;DR in classic 3G terms, HLR in Core crashed and MS couldn’t authenticate or BS couldn’t connect so everyone went no signal.



Does anyone know a MAC lookup site that will allow pasting in a list?

I know a few such as https://macvendors.com/ that will allow you to enter one MAC at a time, but is there a way to look up multiple MACs at a time?
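Added example serving both the rogue-switch question earlier on this page and the bulk MAC lookup question above; it is not code from either post. It normalizes MACs written in Cisco dotted, colon or dash form, looks each one up in a small constructed OUI table (a real run would load the IEEE OUI list into the same dict), parses constructed 'show mac address-table' style lines, and flags ports that carry two or more MACs from non-hypervisor OUIs. The hypervisor OUI set and the threshold are assumptions to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed OUI table for the example. A real run would load the IEEE OUI
# CSV into this same {prefix: vendor} shape.
OUI_TABLE = {
    "00:50:56": "VMware, Inc.",
    "00:0C:29": "VMware, Inc.",
    "00:15:5D": "Microsoft Corporation (Hyper-V)",
    "00:1B:21": "Intel Corporate",
    "F4:CF:E2": "Cisco Systems, Inc",
    "B8:27:EB": "Raspberry Pi Foundation",
}

# OUIs hypervisors hand to virtual NICs; many of these behind one port is
# normal. Assumption: extend this for your own virtualisation stack.
HYPERVISOR_OUIS = {"00:50:56", "00:0C:29", "00:15:5D"}

# Constructed 'show mac address-table dynamic' style output.
MAC_TABLE_SAMPLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.5601.aa01    DYNAMIC     Gi1/0/1
  10    0050.5601.aa02    DYNAMIC     Gi1/0/1
  20    000c.29ab.cd01    DYNAMIC     Gi1/0/1
  10    001b.2177.6655    DYNAMIC     Gi1/0/1
  10    001b.2133.4455    DYNAMIC     Gi1/0/2
  10    b827.eb11.2233    DYNAMIC     Gi1/0/7
  10    001b.2199.8877    DYNAMIC     Gi1/0/7
  30    f4cf.e2aa.bb01    DYNAMIC     Gi1/0/7
  10    0015.5d01.0203    DYNAMIC     Gi1/0/9
"""


def normalize_mac(raw):
    """Accept 0050.5601.aa01, 00:50:56:01:aa:01, 00-50-56-01-AA-01 or bare
    hex and return the canonical AA:BB:CC:DD:EE:FF form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def lookup_vendor(mac, table=OUI_TABLE):
    """OUI lookup: the first three octets index the table."""
    return table.get(normalize_mac(mac)[:8], "unknown")


def bulk_lookup(macs, table=OUI_TABLE):
    """The 'paste in a list' case: canonical MAC -> vendor for every entry."""
    return {normalize_mac(m): lookup_vendor(m, table) for m in macs}


def parse_mac_table(text):
    """Return {port: [canonical MACs]} from mac-address-table output,
    skipping header and separator lines (first column must be a VLAN number)."""
    by_port = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        _vlan, mac, _entry_type, port = parts[:4]
        by_port[port].append(normalize_mac(mac))
    return dict(by_port)


def suspect_ports(by_port, min_physical=2, hv_ouis=HYPERVISOR_OUIS):
    """Ports carrying at least `min_physical` MACs whose OUI is not a
    hypervisor OUI. A VM host shows its own NIC plus many vNIC MACs, so it
    stays under the threshold; a daisy-chained desktop switch shows several
    unrelated physical vendors."""
    suspects = {}
    for port, macs in by_port.items():
        physical = [m for m in macs if m[:8] not in hv_ouis]
        if len(physical) >= min_physical:
            suspects[port] = [(m, lookup_vendor(m)) for m in physical]
    return suspects


if __name__ == "__main__":
    for mac, vendor in bulk_lookup(["b827.eb11.2233", "de:ad:be:ef:00:01"]).items():
        print(mac, vendor)
    for port, macs in suspect_ports(parse_mac_table(MAC_TABLE_SAMPLE)).items():
        print(f"{port}: possible rogue switch, {len(macs)} physical MACs: {macs}")
```

Cross-check flagged ports against LLDP/CDP neighbours and an inventory allow-list before shutting anything, and pair this with BPDU guard on access ports: that catches managed rogue switches, which send BPDUs, but not unmanaged desktop switches, which is where the MAC-count heuristic helps.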



Dell Force 10 Default Gateway Object Tracking

Hi all,

I come from a Cisco background where I'd use an IP SLA to monitor the default gateway IP and if that went down switch to the backup address. I'm trying to achieve the same with Dell Force10 switches.

Current config:

ip route 0.0.0.0/0 172.16.3.246

track 101 ip route 0.0.0.0/0 reachability

What I don't get is how you fail over to a different route. In Cisco land you can configure which route gets tracking applied to it rather than a catch-all of 0.0.0.0/0. Is this possible with a Force10, or will I be forced to use VRRP or similar on our edge routers?

Thanks in advance!



Is this equipment too much for this building?

Hi there. I hope this isn't a shitpost. I am not normally a network guy. I have my CCENT but I still am unsure about some things.

I've been contracted out to help this building owner supply internet to his entire building and all the tenants. He has 96 cables run to the tenants and they all come back to a single patch panel. He wants each tenant to be in their own bubble (he's not a tech guy), so I assumed VLANs. He also wants a single wifi to cover the entire building (more on that later).

So far this is the equipment I think will work.

Router: Cisco 2901-V/K9

MultiLayer Switch: Cisco SG350-52p-k9

Layer 2 Switch(s): Cisco SGE2010 48p

Access Points: Aironet 1815i x10

Firewall: Cisco 5506-x

My boss has me in way over my head. I feel like I will be okay with the config and getting everything going for the most part. But are these the right devices to be using? Especially the router and the firewall. I do not have much experience there with device selection.

I also had some questions about the wifi and the "bubbles". He wants each tenant to have their own bubble (VLAN, I assume) per suite (some suites have 2-4 jacks run to them), so that if they plug two desktops in they can communicate, and if they have a network printer they can print to it. For the most part I think I've got this down with the VLANs. But how could someone connect to the wifi and access their respective VLAN? I saw somewhere that a RADIUS server could do this. Would those access points be able to do that? I looked into a third-party RADIUS like IronWifi. Would this work?

Lastly. I'm not too familiar with firewalls. Is the 5506-x a good choice. I looked at the cisco meraki but didn't quite understand how they work or how much it costs? Do these firewalls need some kind of license in addition to the hardware themselves?

I am in way over my head. But hey, I gotta learn some day. And at least I will learn from this.

Thank You Guys and Gals Very much! (Please yell at me in the comments if I forgot something)



NTP slowly going out of sync

We have an ASA-5525 pointed to an internal NTP server on our Windows domain controller and at first it will sync times correctly but after a couple days the time on the ASA will be behind by a couple minutes. Same behavior happens on other network devices as well (branch routers and switches, telepresence devices).

Was also wondering if its better to use internal or external NTP servers, or both? If a circuit goes down then devices could use a secondary internal NTP as a backup.. would like to hear how you guys have it set up on your network :)



Sinefa review?

Anyone have experience with new cloud based shaping solution provided by Sinefa?

We are looking to implement it on small branches to shape and QOS business critical traffic and VPN.

Our bandwidth is around 400-800M per branch.

Any experience with this product or success story?



Network Engineer Interview with a CCIE

So I had this interview with a company out in Chicago, needless to say I made it all the way to the last interview which was done by a CCIE R&S certified director of IT and three other people who were sitting in. (I'm a network engineer with, CCNA R&S) Needless to say I wasn't feeling too well that day and was coming down with a cold.

[Not to mention my current job had me pressed with setting up a RHEL 7.4 mail server most of the day. If you know anything about trying to get a Linux server to integrate with a predominantly Windows environment, it's a total pain in the ass! SMB, SDL, CUPS, Apache... so much fun...]

Anyway, the CCIE was kind of a dick; he didn't really give me time to answer questions and kind of rubbed it in my face if I got something wrong. For example, he asked me a question about VMware: "how do you move a VM client over to another server via vSphere?" So I in turn, just to clarify, said "Do you mean VM migration?" Which he in turn replied, "I don't know, is that migration? You're the one getting the questions here."

I guess my question is, how do you deal with people like that in interviews while keeping your cool and not totally bombing your interview?



Question regarding Nmap

First of all, i have no idea if this question is okay here. I guess the only way to know is to try. I completely understand if this is the wrong place, its more of an Nmap related question but i don't know where else to ask. r/Nmap is too quiet. Here we go:

In a project for a company I'm working on (I'm a student, it's my internship) I'm using Nmap for host discovery on the current network and some more things. It will be used in a product that customers will be working with.

Nmap uses a library, NPCap, and it can also use WinPCap. I know NPCap has a silent installer, but since it needs a license, i thought to use WinPCap and ask the user to install that. It's just a few next buttons. Some users will probably still not want it though, so in that case i wanted to do as much as possible with Nmap without having NPCap or WinPCap installed.

There's a --unprivileged command which makes Nmap run without either of these libs installed, but the behaviour is so strange, i can't even explain it.

When running Nmap WITH one of those libs using the command nmap -sn 192.168.20.1/24 I can see in Wireshark that it does a normal ARP ping scan, and it's done in a few seconds with good results. Just as expected, but when I run Nmap WITHOUT one of those libs using the command nmap -sn -unprivileged 192.168.20.1/24, in Wireshark I can see an ARP ping scan starting, but it just keeps going and keeps going. It takes up to 5 minutes to do the same thing as before, it pings every IP address multiple times, and then the results are completely off.

In my Wireshark log of Nmap without libs I have about 1600 entries of ARP pings over a period of 221s, and with libs I have about 500 entries over a period of 15s.

I can't explain this behaviour one bit. A simple ARP ping scan should be doable without those libs right? Why does it suddenly take so long? And why are the results completely off? Why does it suddenly ping every ip address multiple times while it didn't do that before? Can someone help me understand this?



Public and Private BGP

Hi fellow network engineers, I need to connect my site to our datacenter. But I have some challenges with this. Read: no clue how to start attacking this at all.

The ISP supplied us a redundant 1Gb internet connection (small site). They did this via BGP let’s say ASN1. I need to connect to our datacenter which is a managed colo with let’s say ASN64512 (Private range). We can fully manage the routers, switches (colo side). But the ASN is provided to us and that is it.

I cannot move to another colo and it was not my decision either to go there.

I have never dealt with this kind of setup and I am wondering what would actually be effective to do. Because my idea is BGP is a no show in this instance.



Add OCNOS to GNS3

Hi, has anyone that runs IPInfusion OCNOS OS tried to get it on a virtual router on GNS3 for testing ? is this even possible to add white box switches there and add the OS?

Please help!!



Impact of changing STP priority and bringing a redundant link online

There's two related network changes I'll be making soon and I want to understand if they'll cause any network disruption.

The first is just changing the STP priority on a switch (S1) running RSTP. It currently has a priority of 40960 and I need to change it to 61440. It's connected to a core switch/router (R1) running MSTP, with priority 12228, and all the core switches in the network have priorities in the range 0-32768.

As the priority value is higher than any upstream switch, and will remain so after I change it, am I right in thinking that this should be entirely non-disruptive, or might there be a STP recalculation or reconvergence with some associated disruption to forwarding?


The second change is to make a redundant link from S1 to a second switch (S2) which will in turn connect to a different core switch (R2) which is in another DC. S2 will be running MSTP with a priority of 40960, and again, all upstream core switches have a lower priority value.

The intention is that the redundant link will immediately be blocked on S1, coming online if S1 loses its connection to R1.

Would you expect any interruption to forwarding on S1 when the redundant link comes online, or any disruption upstream?



Impact of STP changes

There are two related network changes that I'll be making and I would like to check my understanding of the impact.

The first is just changing the STP priority of a production switch (S1). It's running RSTP with a priority of 40960 and has a 10Gb link to a core switch (R1), which is running MSTP with a priority of 32768. All other core switches upstream of S1 run MSTP with a priority between 0 & 32768. I'll be changing the priority on S1 to 61440.

Am I right in thinking that this should be entirely non-disruptive, or might there be some spanning-tree recalculation or reconvergence which might interrupt forwarding of traffic?


The second change is to create a redundant 10Gb link between S1 and a second switch (S2), which will in turn connect at 10Gb to a core switch (R2) in a different DC. S2 will be running MSTP with priority 40960, R2 has priority 0. R1 and R2 are directly connected via a 20Gb LAG.

The intention is that the new link will immediately be blocked and will remain so until S1 loses its connection with R1.

Would you expect any disruption to forwarding on S1 when the redundant link is made, or any disruption upstream?
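Added example for the two STP-priority posts above (not from either poster): bridge IDs compare as (priority, MAC) with the lowest winning, so the root only moves if the re-prioritised bridge ends up with a lower ID than the current root. The Python models that election with the second post's priorities and made-up MACs from the RFC 7042 documentation range, and also checks that a priority is a legal multiple of 4096, which IOS, for one, enforces.

```python
# 802.1D/802.1w/802.1s root election modelled in Python.
# Bridge ID = 16-bit priority field + 48-bit MAC; the lowest ID is root.
# On RSTP/MSTP the 16-bit field is a 4-bit configured priority (multiples of
# 4096) plus a 12-bit system-ID extension (VLAN or MST instance number).

def valid_priority(priority):
    """Configurable bridge priorities are 0..61440 in steps of 4096."""
    return 0 <= priority <= 61440 and priority % 4096 == 0


def bridge_id(priority, mac, sysid_ext=0):
    """Return the 64-bit bridge ID that BPDUs carry and bridges compare."""
    if not valid_priority(priority):
        raise ValueError(f"{priority} is not a multiple of 4096 in 0..61440")
    mac_int = int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)
    return ((priority + sysid_ext) << 48) | mac_int


def elect_root(bridges, sysid_ext=0):
    """bridges: {name: (priority, mac)} -> name of the bridge that wins."""
    return min(bridges, key=lambda n: bridge_id(*bridges[n], sysid_ext))


def root_changes_if(bridges, name, new_priority, sysid_ext=0):
    """Would re-prioritising `name` move the root for this set of bridges?"""
    changed = dict(bridges)
    changed[name] = (new_priority, bridges[name][1])
    return elect_root(bridges, sysid_ext) != elect_root(changed, sysid_ext)


# Constructed topology using the second post's priorities; the MACs are
# made up (RFC 7042 documentation range 00:00:5e:00:53:xx).
TOPOLOGY = {
    "R2": (0,     "00:00:5e:00:53:02"),
    "R1": (32768, "00:00:5e:00:53:01"),
    "S2": (40960, "00:00:5e:00:53:12"),
    "S1": (40960, "00:00:5e:00:53:11"),
}


if __name__ == "__main__":
    print("root now:", elect_root(TOPOLOGY))
    print("root moves if S1 -> 61440:", root_changes_if(TOPOLOGY, "S1", 61440))
    print("root moves if R1 -> 0:", root_changes_if(TOPOLOGY, "R1", 0))
    print("12228 is a legal priority:", valid_priority(12228))
```

Raising S1 from 40960 to 61440 only makes S1's own bridge ID worse; it cannot displace a root at priority 0 or 32768, and S1 still picks its root port by path cost, so the model reports no root change. The MAC tiebreak only matters between equal priorities, which is why R1 at priority 0 would beat R2 in the sample: its MAC is lower.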



OSPF LSAs received but routes not installed in routing tables. OSPF debug show all prefixes unreachable

Setting up an OSPF peer between a new DC and an existing DC for migration. Both DCs in the same rack essentially. The topology is like this and the info the customer has given me so far.

(Area 0)---Cisco L3 switch----(Area 1)----Huawei USG

The Cisco L3 is the ABR and ASBR (it's redistributing static routes to area 1), OSPF comes up fine and I'm receiving Type 3 and Type 5 LSAs but the routes are not being installed in the routing table. When I run an OSPF debug every prefix says

Route 10.x.x.x/x - Route Source (AdvRtrID: 10.0.x.x, Type: INTER, AreaId: 1) is ignored due to unreachable

From what I can gather after digging around, this sort of error occurs because the ABR/ASBR is unreachable from Area 1 and there's some discrepancies in the LSAs when OSPF tries to build the topology.

When I look at the ABR/ASBR info on the USG it says to reach the ABR/ASBR with the next hop of the Cisco L3 switch, so it knows how to get there, but I'm stumped what the issue could be.

During the test phase we did before all this work, we put the USG in Area 0 and all looked fine. So to me it sounds like there is something up with the OSPF config they have done.



Question on patching for final project

Hello there

I'm currently in the final stretch of my final project and I have one element I still have to write up in my report. It's about what core/backbone switches would be a good replacement in a school network (aka, low budget).

I got a drawing of the patching of the network from my mentor. When I asked him if the lay-out will stay the same after the new equipment, he told me that I should look into alternatives and other possibilities for this patching. Now, currently they are using a GBIC core switch and the new core switch will have SFP+. Is that what he means?

Or are there other options to patch a network or am I totally misunderstanding things here? Any advice, sources and things like that would be welcome. I have to finish this by next week...



Wednesday, December 5, 2018

What is the best cat7 cable brand out there for the money?

No text found

Business Broadband

My company is working to transition certain workloads to "the cloud". To start off with, I'm moving low-criticality workloads, but I am having trouble figuring out the type of connection we need. For testing and extremely low-criticality workloads, it seems overkill to have an optical connection for $1,200+ per month for 200mb at this point in time. All of the vendors I've talked to thus far only want to sell me a private and dedicated line, and no one seems to understand when I say "cheap business broadband" or a "shared broadband connection". I'm basically wanting to have a cheap and fast connection, and I'm okay if it fluctuates as this is for testing purposes. For example, I'd pay $400 a month for a 1gig shared connection, but it might fluctuate between 500mb and 1gig, and that's okay. Can anyone give me a general idea of what kinds of questions to ask to get what I'm looking for?



Starting over in career?

Hi all.

I graduated with a degree in software development a couple of years ago. Although I studied more programming than systems, my original goal was networking. I earned my A+ and CCNA, but ended up getting a really good job offer as a developer/administrator responsible for my company's ERP system and never really used either. I've been doing that for two years and I earn about 70k a year.

Thing is, I'm really regretting not doing something more networking related. As the administrator/developer for this system, I deal with end users on a daily basis, speak with business process owners about leveraging the platform for business process automation and improvement, and code pretty complex solutions for us, but I'm starting to become bored with what I do. I straddle the line heavily between business and IT, and am probably the only member of the IT heavily involved in operations and logistics, which is useful knowledge to learn, but has pulled me away from pure IT and my original goals.

I have a couple of questions.

- My main concern is giving up my salary. I obviously don't expect to make a ton since I have no networking experience. Obviously, I'd be willing to give up some to gain experience, but how much of a cut am I looking at?

- I don't want to go from a relatively important and integral position in IT/operations where I'm working now down to something like help desk. Will any of the experience I've gained so far give me any leg up or will I have to start at the complete beginning?



Looking for ideas for school project

I have a computer networks project due in a couple of days. The level of complexity of this course is very basic. I'm learning about packet layers, wifi frequency, ip subnetting and things of that level. I talked to a senior and he said he made a PiHole ad blocker for this class when he took it. I didn't want to buy a RP3 just for this class. If anyone has any ideas that does not require spending money and can be done on a windows computer that'd be greatly appreciated. Thanks in advance!



One way audio wired vs wireless?

So this is a strange one: some users in a remote office are complaining about one-way audio on the wired network. The issue doesn't exist on wireless. Wired and wireless are on separate /24s, but both take the same path out to the internet and have the same ACLs (/16) applied. If an end user changes (spoofs) his MAC, they report audio works on the wired network. The only recent change was a new primary ISP, but the voice provider doesn't filter on our source IPs so it should just work.

Colleague thinks it's maybe an L2 MAC issue but I can't understand why that would be. Using a cat9k (16.8.1r [FC4]) at the core and a pair of PA 3020s on the edge. Co-worker seems to believe it's a local issue to a switch stack as well (3 x 2960 connected back to the cat9k via a 3-gig port-channel). Packet captures show packets coming and going from the edge back to the client machine, but yet they still report one-way audio.

Any ideas?