Saturday, December 29, 2018

Promiscuous Mode on Debian -- only receiving broadcast traffic (no tcp/udp)

Hi r/networking!

I have been having some trouble over the past few days in a network monitoring deployment with Alienvault OSSIM.

I am attempting to configure a spanning port that feeds traffic into a dedicated interface (eth1) on the server that is in promiscuous mode.

If I run tcpdump -i eth1 I receive a small amount of broadcast traffic. If I run tcpdump -i eth1 tcp or tcpdump -i eth1 udp I receive no traffic at all.

If I run netstat -i, eth1 does show BMPRU flags, which I believe confirms that the interface is in promiscuous mode. If I run ifconfig, eth1 shows UP BROADCAST RUNNING PROMISC MULTICAST.

The spanning port is configured on a Catalyst 3560 as follows:

monitor session 2 source interface Ge1/24 #This is the uplink to my firewall

monitor session 2 destination interface Ge1/20 #This is the Port that is connected directly to eth1

Other notes:

Machine in question is a VM on ESXi 6.0 - there is a separate vswitch configured which is bound to eth1 and the Alienvault VM is a member. (I have working deployments configured exactly the same and configure the servers with a powercli script)

Iptables is off

I'm stumped! Any help is appreciated.



Tips for Apartment Network

There are a lot of WiFi networks from other residents that are causing a lot of interference. Lots of slow downs and dropped connections. I have 200 Mbps down from Spectrum. I currently have an AirPort Extreme and I have tried every channel I could, but every one still had a lot of noise. Any advice? Is there a better router that handles this situation better?



PTP connection degradation.

I'm trying to troubleshoot a problem between two places. Router configs are all set to auto-negotiate and full-duplex for 1Gbps. The ports are also Gig ports. But the download speed is TOOOOOOOOO slow, like 6Mbps or lower. Only the upload speed is optimal. Any ideas on what the issue could be?



Mass Configuration Changes

Hello all. For anyone pushing mass configuration changes via Python, are you using Netmiko to SSH to devices? Is this effective when managing hundreds of network devices? I created my first python script today to deploy a VTY ACL to 10 devices. I quickly realized that if I had to do this to 200 switches, it would take quite a bit of time to create a definition for all 200 devices. Is there a better way to do this? I am just starting my journey in the network programmability realm so please forgive me if this is a stupid question.



Is Cisco Prime Collaboration just as bad as Prime Infrastructure?

I think the UI on Prime Infrastructure is clunky as fuck and the platform is buggy as hell. Is the same true of Prime Collaboration?



Backup Running Config HPE 1920S

How do you back up the running config of an HPE 1920s?

Running PD.02.06

When I go to Maintenance > Backup and update Manager, and click on backup via HTTP, I choose startup config. The file it gives me is not the running config. (I did save first). I also tried copying the running config to the startup config before backing up. Still getting the old config.

Seems like I have to reboot to make the saved config become the running config. Then when I download the startup config I get the config. However, this seems very odd to not be able to backup the current running config. Also impractical for a production environment.

Am I missing something?



Does Ethernet over twisted pair die with 40GBase-T?

I frequently try to field questions on /HomeNetworking from people about to install Ethernet wire in their homes who want to future-proof or know what they should install instead of CAT6a wire. I always recommend conduit, because we don't know what wire to use yet.

Based on the current standards we can get 40GBase-T on CAT8 cable for up to 30M, but there's no matching standard for 100GBase-T. Is this the fastest Ethernet over twisted pair wiring we are going to get? Ten years from now, will everything go to fiber for long-distance runs?



Ultimate Video editing NAS setup with offsite and cloud back up.

For the love of god can someone help me with this...

- Video Editing

- 2 studios - 200 miles apart

- 80TB Data

- Need a hard working copy in each + cloud storage

In the studio we have an 80TB QNAP TVS-1282 RAID SERVER which works great (850mbs) and currently it backs up via the internet to another 80TB Qnap TS-831 in my home. I'm setting up a new studio so would like to move the TS-831 there and start using it as a live drive. Very light use, maybe 1-2 users.

My question is what's the best way to sync the two drives and cloud? I have unlimited storage from my google business account although I'm not sure you can set the storage location to a network drive rather than the HD. Projects are generally about 300GB to 2TB so will take a while to sync over the internet when they are first copied onto the primary drive.

Is there a way to make this work seamlessly (like google team drives does) so I can copy only either drive with no data loss / overlap risk?



Am I better off continuing to buy IP transit or should I start looking into peering at IXPs?

Hello, I'm in charge of the network for a small ISP. Up to now we've been buying 10G waves as transport to peer directly with IP transit providers in Chicago, Atlanta, and Dallas. We're up to 70 Gbps of Internet capacity using this method now. For 2019 I've been thinking about changing my strategy a bit by trying to get a 100G wave to 56 Marietta in Atlanta and then colocating a switch and router there, using the wave as backhaul back to my network. Then I could join the IXP and peer with Google, Netflix, and anyone else who is willing. Plus, I could cross connect to IP transit providers there more easily (no more waiting six months for individual 10G waves to be delivered by our transport provider). Is this the direction I should start going, assuming the recurring costs for colocation and the 100G wave aren't significantly more than, say, two 10G waves + two 10G IP transit circuits? I'd really love to hear from anyone who can offer feedback about their experiences joining IXPs too. Is it worth it?



Calculating Throughput from cwnd

Hi y'all,

I have a simulation for which I need to calculate the throughput (by hand!), and I'm a bit confused.

I have plotted cwnd against RTT/time and am assuming the MTU is 1,500 bytes.

What calculation do I need to do to calculate the throughput?

Cheers in advance!



Service providers running Adtran TA5000 OLT + Adtran ONTs: Where do you do your SNMP polling?

Do you poll the ONTs directly over a management address or do you grab all your stats from only the TA5000? Ideally I want to start tracking ingress and egress traffic numbers for every ONT's ethernet port but it'd be cool to be able to graph other stuff like optical stats and CPU utilization. How are you other FTTH folks doing this today? Are counters updated fast enough to do brief sessions of real-time monitoring or are we limited to five minute intervals?



Best way to measure convergence?

I currently am undertaking my university project, in which I am planning on creating a number of virtual networks running the ISIS routing protocol, and want to measure the effects of modifying certain parameters within the protocol. I am struggling to find a good way in which I am able to measure the speed of convergence within the virtual networks. I also plan to measure CPU usage of certain nodes within the topology.

Can anyone share some tips on how I can achieve this?



Friday, December 28, 2018

Is my router a problem?

So I have a 200 mbps internet plan. I only have 2 devices that are hardwired to the router using cat6 cables. A tv, and a gaming console. The modem line is cat6 as well. I was running speed tests the other day and noticed this. Using my iPhone via WiFi I was pulling 230+ down and 1.3+ up. But when I login to my router, using a speed test in the software from speedtest, I was pulling 60 down and 1.5 up. The router in question is a Netgear Nighthawk R7000, has been updated per last available update. My Xbox had even worse numbers, clocking 1.5 down and 1.2 up, using the network diagnostics on the device.

Is my router robbing that much of my speed? From what I could find that’s extremely low on a wired device.

I tried contacting Netgear for troubleshooting some settings to see if this was something I could adjust with my router settings, but was only being sold a “package” to talk to someone about their product.

Something just doesn't seem right. And I don't have a laptop or desktop to do any other testing at the modem.



Do you need one horizontal cable manager under each patch panel/switch/server?

I'm re-doing a rack for a small office with two non-profits.

We have several 24-port 1U patch panels, but I'm consolidating it into 48-port 1U patch panels (Monoprice).

I've also bought several of these cable management bars (fs.com) .

This is what I'm planning:

https://i.imgur.com/9NXi6Db.png

My question:

  1. Do I need one horizontal cable manager under each patch panel?
  2. Do I also need one horizontal cable manager under each switch or server?
  3. Is there a neater way of doing the above?


Moving customers from /31 to /24 subnet? ISP wan addressing.

Greetings! My first post on Reddit, be kind.

I work for a small ISP who is growing. Today we are manually/statically assigning each customer to a /30 or /31 subnet, which still wastes a gateway address per customer. We wish to look at more modern solutions as we are running out of IPv4 addresses. I know my home ISP and a close-by data center is using /24 subnets for customers.

I believe through research the keywords are "private VLAN" and switch vs. routed ports. As far as I understand, private VLAN will make L3 traffic break between customers unless we implement proxy-ARP, which I haven't managed to grasp fully. And all documentation I find ignores the fact that customers need to be able to communicate on L3.

Can someone tell me what is industry preferred and maybe explain a good solution or refer me to some good documentation? I’d also love to see a hands on use of DHCP Option 82.

We are using Cisco Catalyst 6509e today, but are moving towards ASR920 and Metro in 2019. Customer edge is today a simple HP 2530 switch with an SVI or Ubiquiti GPON (uFiber+ONT).



Add a 10gb Switch or Replace Existing HPE gb Switch

Need advice if I should add a new standalone 10gb switch or replace my existing switch ( HP 1820-24g-poe+ J9983A ) with something that has 4x10gb ports, 24x1gb and is also poe. I will likely only have 4 devices running 10gb : 2 servers and maybe 2 workstations the other ~24 devices are gigabit.

I’m not a networking expert, so appreciate any advice (ie if the 1950 will be over my head to setup - the hpe 1820 was ok for me). This will mainly be used in a small business environment supporting 5 users and a handful of poe devices (ap’s and cameras), 2 vlans.

Switches I am considering:

Standalone 10gb:

HP 1850 6xgt JL169A

HPE JH295A

Unifi US-16-XG

Replacement Switch Considerations:

HPE 1950-24G-2SFP JG962A



LS work around on the missing features on EVE-NG Community Edition

What's a good software substitute for making your own basic NAT cloud node? Docker is only available on the paid version. Is it just a matter of configuring Docker on your server or is there a mechanism that will prevent you from making it work?



IOS Firmware consistency hundreds of remote sites?

Just started a project with the objective of having all of the company's remote devices keep consistent firmware, with the ability to do a mass update of firmware if need be.

Does anyone have a solution or know of a product that would be able to accomplish this?

Almost all of the remote devices are Cisco and we are pretty much 100% a Cisco shop in our DC.

I think we may be able to accomplish this with Cisco DNA, but not all of our Cisco devices are supported at this point, so I'm not sure it'll be the "best" solution at this time.

Any thoughts or advice???

Thanks!



Century Link outage discussion

I'm just curious to see what explanations people got from their account reps or whatever about what happened in this outage. So was it confirmed that this was a software upgrade failure....or a dwdm problem. I'm hearing so many different stories, I'm just wondering if we've reached a verdict here.



Question for Seattle/West Coast SEs

So I am a current SE who will soon be moving to Seattle. I am coming from a low COL Midwestern city so trying to get a feel for what kind of salary I should expect in Seattle. Right now I am planning on shifting within my current company but I will explore other opportunities if the potential salary increase is worth it.

Any SEs care to share their current roles (VAR or Vendor) and their OTE? I plan on also reaching out to some recruiters to get their feedback but I have found their numbers are always quite optimistic.



Internal vs External Network File Transfer Speeds

I have a somewhat theoretical and practical question about file transfers/downloads. If I have 100 megabit download speed from my ISP and I download MS Office, it will download at 100 megabits (as long as no one else is using bandwidth at the same time). Now, if I have a NAS connected on my internal network, in other words, my computer can talk with the NAS through my router without ever touching the internet, and I download MS Office again but from the drive this time, I only get 2.5 megabytes (which is about 20 megabits) download speed. (Both the router and NAS are capable of handling the equivalent 100 megabit speed, but it never does it no matter what computer/device I connect to the NAS and download it to.)

Any ideas why that would be? Is it something related to the smb 2.0 protocol that it isn't able to handle file transfer speeds at that rate? Or is it something strictly related to the router that would be limiting the file transfer speeds?

I know you would need more details, but this is all I have since it is a theoretical question.

Thanks!



responding to a purged thread on bandwidth

A thread on bandwidth usage was deleted by a mod. I had written out all of this, but before I could finish typing it and submit it, the thread was locked. I felt others here might get some value out of it, so i'm starting a new post with my response as the other thread is locked.

This was the original thread: https://www.reddit.com/r/networking/comments/aaapzi/how_much_reserve_bandwidth_for_videoconferencing/

I'm currently using a curved formula for estimating per-user internet connectivity average bandwidth requirements.

  • y = 0.0001x^2 + 1.4x + 30

https://i.imgur.com/kdQmmom.png

  • Users = 10, bandwidth ~= 44Mbps ~= 4Mbps/user
  • Users = 100, bandwidth ~= 171Mbps ~= 1.7Mbps/user
  • Users = 500, bandwidth ~= 755Mbps ~= 1.52Mbps/user
  • Users = 1000, bandwidth ~= 1530Mbps ~= 1.51Mbps/user
  • Users = 5000, bandwidth ~= 9530Mbps ~= 1.91Mbps/user
  • Users = 10000, bandwidth ~= 24030Mbps ~= 2.4Mbps/user

Explanation of my values:

1.4x: This is a basic Mbps per user estimate for concurrent usage. 1.4Mbps is higher than you probably need, but my formula is based around my network's observed usage and includes more than just VC and streaming.

0.0001x^2: This represents the "network effect" of multiple users all having the software installed, whether they are using it or not. I've estimated 10Kbps of network traffic per user, per user, for various "chatty" things like wireless printers or bonjour bullshit. At 100 users, this is negligible. At 1000 users it starts to have an effect, totaling about 100Mbps network wide. At 10,000 users, network-wide "background chatter" is a considerable portion of overall network throughput. Certainly not a majority, but a consideration.

In my environment, all users' machines are more-or-less talking to all users' machines, so it might make more sense for you to adjust this portion of the formula to:

0.0001x * min(x,254), because it's unlikely in most networks for any end-user machine to be trying to talk to more than 254 devices (subnet size, or devices at an individual site, or whatever).

30: This simply baselines the network circuit at 30Mbps.

1 users? 31Mbps per user. 2 users? 16Mbps per user. 3 users? 11Mbps per user. 4 users? 9Mbps per user. 5 users? 7Mbps per user.

However, with 5 users and 7Mbps per user, realistically, 3 users are working on word documents, 1 user is watching youtube (3Mbps) and 1 user is downloading a torrent from TPB (35Mbps).

So, I throw 30 in there as a basic buffer against people sizing circuits for "only a small branch office with 10 users, they only need 15Mbps, right? "

I would suggest for typical usage this formula:

  • $A = percentage of active users. (ex. 100 users, 15 max active, $A = 0.15)
  • $B = max theoretical bandwidth of single active user (say Netflix @ 4Mbps + video conf @ 8Mbps, $B = 12Mbps)
  • $C = bandwidth floor AKA peak download minimum (the smallest circuit you would want, or, the speed you need a single download to operate at. say 25Mbps? 50? 100? I use 30)
  • $D = amount of bandwidth of "chatty" applications. I'm looking at you, bonjour. if you have 3 devices and you measure 400kbps of chatter total, average, then there are 3 device-to-device paths, so $D = 400/3 = 133Kbps = 0.133Mbps. If you have 50 devices and you measure 5Mbps of chatter total, average, then there are [N*N-1]/2 = 1,225 device-to-device pairs, so 5Mbps/1225 = 4Kbps = 0.0004, so $D = 0.0004. I use 0.0001.
  • $E = number of devices that could possibly talk to each other per site. If you have 100,000,000 users, you don't have 1 site. This is the number of devices that could possibly talk to each other directly, through unicast. If you have 5000 users at a site, enter 5k. If you have 50 users at a site, enter 50.
  • y = $D * X * min( X , $E) + $A * $B * X + $C

So, for example:

if you have 20% active users at any given time (no more than 1/5 of your employees are actually "using" the bandwidth at the same point in time), 1 user maxes out at 7Mbps of video conferencing data usage, you never install less than 50Mbps per site, you observe 6Kbps per-user-per-user of "chatty" other bullshit traffic, your sites are limited to 1000 people, then you get this:

  • A = 0.2
  • B = 7
  • C = 50
  • D = 0.0006
  • E = 1000
  • Formula = y = $D * x * min( x , $E) + $A * $B * x + $C
  • substituted = Y = 0.0006 * x * min( X , 1000) + 0.2 * 7 * x+ 50
  • simplified = Y = 0.0006x * min( X , 1000) + 1.4x + 50

ok, so we get this formula based on those example constraints:

Bandwidth needed = 0.0006x * min( X , 1000) + 1.4x + 50, where X is the number of users at a site.

That looks like this:

https://i.imgur.com/YM4Tidt.png

  • Users = 1, bandwidth ~= 51Mbps ~= 51Mbps/user
  • Users = 10, bandwidth ~= 64Mbps ~= 6.4Mbps/user
  • Users = 100, bandwidth ~= 196Mbps ~= 2Mbps/user
  • Users = 1000, bandwidth ~= 2050Mbps ~= 2.05Mbps/user
  • Users = 5000, bandwidth ~= 10Gbps ~= 2Mbps/user
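Both sizing curves from the post above, carried through in code so the tables can be regenerated for any user count. This is an added example, not the original poster's code; the coefficients A, B, C, D and E are the ones the post gives, and `chatter_per_pair` is a hypothetical helper that derives D from a measured chatter total the way the post describes (total divided by the N*(N-1)/2 device pairs).

```python
from typing import Callable, List, Tuple


def original_curve(users: int) -> float:
    """First curve in the post: y = 0.0001x^2 + 1.4x + 30, in Mbps."""
    x = users
    return 0.0001 * x * x + 1.4 * x + 30.0


def chatter_per_pair(total_chatter_mbps: float, devices: int) -> float:
    """Turn a measured 'chatty' total (mDNS/Bonjour, printers, ...) into the
    per-device-pair coefficient D by dividing by the N*(N-1)/2 unicast pairs.
    Hypothetical helper, named here for the example."""
    if devices < 2:
        raise ValueError("need at least two devices to form a pair")
    pairs = devices * (devices - 1) // 2
    return total_chatter_mbps / pairs


def site_bandwidth(users: int, active_share: float, peak_per_user_mbps: float,
                   floor_mbps: float, chatter_per_pair_mbps: float,
                   site_devices: int) -> float:
    """General formula from the post: y = D*x*min(x, E) + A*B*x + C.

    The chatter term grows with x^2 only until x reaches E, the number of
    devices one machine can actually reach directly; past that it is linear."""
    x = users
    chatter = chatter_per_pair_mbps * x * min(x, site_devices)
    active = active_share * peak_per_user_mbps * x
    return chatter + active + floor_mbps


def example_curve(users: int) -> float:
    """The worked example in the post: A=0.2, B=7, C=50, D=0.0006, E=1000."""
    return site_bandwidth(users, 0.2, 7.0, 50.0, 0.0006, 1000)


def sizing_table(curve: Callable[[int], float],
                 user_counts: List[int]) -> List[Tuple[int, float, float]]:
    """Rows of (users, total Mbps, Mbps per user), like the post's tables."""
    rows = []
    for n in user_counts:
        total = curve(n)
        rows.append((n, round(total, 1), round(total / n, 2)))
    return rows


if __name__ == "__main__":
    counts = [1, 10, 100, 500, 1000, 5000, 10000]
    print("users  original(Mbps)  per-user   example(Mbps)  per-user")
    for (n, t1, p1), (_, t2, p2) in zip(sizing_table(original_curve, counts),
                                        sizing_table(example_curve, counts)):
        print(f"{n:>5}  {t1:>14.1f}  {p1:>8.2f}   {t2:>13.1f}  {p2:>8.2f}")
```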


Network Troubleshoot Questions!

I came across a couple of networking questions for troubleshooting and would like to get some feedback on what you would do in these situations. Let's get started...

  1. There is a stateful firewall between Host A and Host B. When the firewall allows all the traffic between Host A and Host B, Host A can correctly detect a closed UDP port on Host B, but when the firewall blocks all the traffic between Host A and Host B, Host A falsely indicates that the UDP port is open instead of being closed. Why?

  2. We have a web application being load balanced by an F5 LTM and it's been working fine for months. Today, users reported that sometimes the page displays an error but after hitting refresh, everything works fine again. It is happening intermittently. What seems to be causing this issue?

  3. A customer reports that they are experiencing intermittent loss of connectivity across a VPN tunnel. The tunnel is UP and ACTIVE and most of the connectivity works fine; sometimes a few of the hosts in the tunnel are unable to connect to hosts on the other side. How would you troubleshoot?


IP Phone - Home Ebay Business

Hey Community -

I am trying to start a new side hustle and wanted some information from the community! I have gained access to a continuous supply of Cisco/Nortel/Shortel/Mitel/Avaya IP Phones and Cisco/Aruba WAPs of different models and makes.

I want to use this to try and fund my IRA/Retirement but want to find out what customers are looking for when buying secondhand/refurbished pieces!

I want to be able to do the following initially - but would appreciate more input from you.

This could turn into a full time job as I think I would even be able to gain access to higher end computer units to strip and sell for parts...I AM VERY EXCITED ABOUT THIS OPPORTUNITY!!

Phones:

Test To Power On

Check for Cracks or Large scratches (All Units Will Be Cleaned)

Check Functionality of Buttons and LCD Screens

Check Functionality of Handsets

Perform Factory Resets

Label Phone as Tested etc. and What type of Phone (Sip/Sccy)

Access Points:

Test to Power On

Check for Scratches Damage (All Units Will Be Cleaned)

Check to See if Unit is Pushing Signal

Perform Factory Resets



802.1X MAB best practices?

We have some devices that don't support 802.1X, so first I was thinking of doing the authentication profile so that it tries 802.1X first and then falls back to MAC authentication. And if MAC authentication also fails then set the port to visitor network. Then apply this profile to every switch port whether there was a 802.1X capable client or not.

Would this cause problems for some devices, as they have to wait until the 802.1X authentication times out? Or would I be better off configuring three different profiles and, for a new switch, just configure most ports with 802.1X and then the rest with MAC authentication and visitor VLAN where needed?

Having the same profile in every port would be easier, but what are your experiences? Do you use 802.1X for wireless access points uplinks too?

Thanks for any ideas!



3650 Switch Stacking

Been building a switch stack and noticed a blinking "actv" light... which tells me that these switches are not a "stack." Rather, they are primary/secondary. It needs to be a stack. I'm not finding the command to make that a thing and Cisco documentation, as always, is not a help (or I am simply incapable of finding exactly what I am after on that site.)

I have another issue too... renumbering.

These switches are currently reversed in order, but the only option I get:

(config) switch 1 provision

There is no renumber or priority command, so I'm missing something else here.

That last stack I built DID have this, and there is no difference in firmware or model.



ADSL Near-End Crosstalk

Do you know why UPSTREAM is so much more affected by near-end crosstalk, while DOWNSTREAM is not?



Port forwarding

Hey, I don't know if this belongs here, but I would like to ask what I did wrong when port forwarding. I know that I got all the IPs right and the firewall was disabled, DMZ too. I have 4G WiFi running on an Orange duobox. Thanks



Arista MLAG - Configuration of LACP to hosts?

Hi folks,

I got started with my 7050S-52 switches. I got 2 of these. I am very interested in the MLAG features as I am coming from a Cisco stack environment.

I managed to configure MLAG between the 2 switches with a consistent configuration. Now I am looking at configuring LACP/Bonding to my various esxi and proxmox hosts. How does this work?

On Cisco you would create a port-channel of e.g. 1/0/1 and 2/0/1, but how does it work with MLAG? I can’t really seem to find any specific info on this, could perhaps also be that I am blind. :)

Would anyone be able to explain a little bit about how this is supposed to work?

Thanks! Chris



IKEv2 DDOS documentation for IOS XE

I've been going through the book "IKEv2 IPsec Virtual Private Networks" and they discuss IKEv2's ability to prevent DDOS. However they don't go into much detail.

I found this Cisco article that shows some good implementation and monitoring, but I couldn't find anything to reference IOS XE.

https://www.cisco.com/c/en/us/td/docs/wireless/asr_5000/21-2/IPSec/21-2-IPSec-Reference/21-2-IPSec-Reference_chapter_010011.pdf

Does anyone know of anything?

EDIT:

ANSWER -

https://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-1mt/Configuring_Internet_Key_Exchange_Version_2.html#GUID-8412F9B6-A3E2-4C28-A6E3-1A995FF71500

EDIT2 : All I had to do was keep reading as this is all addressed in page 200 something



Thursday, December 27, 2018

HPE Aruba 3810/5400 stubbornness with non-HP QSFP+ DAC cables

I've recently acquired a number of HPE Aruba 5400R ZL2 switches equipped with QSFP+ connectivity. I've also discovered (the hard way) just how finicky HP is with regards to non-HP branded SFP+ and QSFP+ devices, especially DACs.

Even with "allow-unsupported-transceiver" mode enabled, I've found that it'll still outright refuse to work with most non-HP DAC cables. I've got a few from FiberStore and a few from Cisco, but they're no go. It's been kinder with optics, thankfully.

I'm in need of some QSFP+ cables (JH235A), but I'll sooner rip and replace all this HP gear, forswear the brand for good, and plead mea culpa to the boss before I'll dare pay the current street price of $400 per 3-meter cable. That number needs to drop a zero.

Can anyone recommend any generic DACs that they've had better luck with on the 5400R series, or its smaller cousin, the 3810?



ELAM egress, N9K?

I am trying to validate that an N9K is tagging a specific frame on egress (like verifying the switch sends the frame to the end host with the correct tag). I haven't been able to see the frame with ethanalyzer or ERSPAN - the closest I've gotten is a monitor with a sup-eth destination but I still can't validate for sure that the switch is tagging the packet outbound. The Tahoe ASIC seems to only support "trigger init" not trigger init egress, and I've tried to just trigger using the dst_mac address as well as the outer IPv4 header. I am able to see the packet on ingress to the switch with just the IPv4 fields set.

SPAN is impractical in this particular case. I can't trust the host for a correct capture. I don't have a network tap. Do I have any other options?



Fiber noob in Asia: suggestions to testing the quality of outsourced fiber runs?

Greetings!

I'm redoing the network setup for some non-profits in Asia. I have a few buildings I need to network together, and I'm trying to avoid wireless bridges at all costs.

Fiber is inexpensive to have installed here, but I want to be able to confirm the quality of the install somehow, and to be able to diagnose problems in the future.

I'll be running the fiber directly into fiber modules on Unifi switches, so avoiding media converters at all costs. Are throughput tests enough?

Or is there some “entry” level fiber testing equipment that I’d actually be able to use in self diagnosing an issue? I know fiber can be complicated, so I’m not asking for the equivalent of an MRI to do brain surgery, just a simple way to check if it’s the fiber that’s the problem.

Thanks!



network automation testing tools? (Currently using Spirent iTest)

Hello guys,

So I do some code vetting for my company and most of it is by hand so far.

A lot of it is repeating the same steps over and over. Setting up the topology, breaking BGP, OSPF, pulling links etc. while pumping traffic through this lab network and then recording results and seeing whether a code is suitable for production or not.

We do have Spirent iTest thrown in for free and I'm gradually picking it up, but I was wondering if there are any other competing products you guys would recommend?

I've looked at Quali Test Shell and Ixia Test Conductor. I'm wondering if there are any other similar products or open source implementations of this testing software.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Help with small network / remote data access technologies

Hi,

I have a small network of 8 mobile 'nodes'. Each node is a self contained system with 6-10 computers, 2 WAN sources, and a router. WAN is through SAT coms or Cellular modem.

On each 'node' there is a server at 192.168.1.100. This server provides data that I need at the central location. I need to be able to query the server and automatically populate a database.

I have been using TeamViewer and RealVNC to access these nodes, but I need something different. I need to be able to make a connection with one node, collect data, close connection, move to the next 'node'.

I have not been able to get Windows VPN server to work, not even on my local network. I have had varying levels of success with BitVise and SoftEther, but never able to work over the internet, and I don't know if that software is even quite what I want.

I tried setting up NeoRouter, however the required port is blocked. This is over a cellular connection. Oh, and I set up DuckDNS and that seems to work, but I think my ISP might be blocking and I'm out of luck there.

I need something that works like TeamViewer, in the way it connects. Or I need to do what TeamViewer is doing in order to make the other software work.

ISP is ATT.

Thanks for any ideas!



Cisco ASA and second WAN link

Hoping someone is able to point me in the right direction on configuring a secondary WAN on my cisco ASA.

I believe my issue is security, but I'm not 100%.

The goal is that our internal networks (to the DC) go through the interface named "outside", and all other (i.e. internet) traffic goes through the "2ndWAN" interface. I've tested this link with a laptop and static IP, and can confirm it's working as expected.

2ndWAN is on gb eth 0/2. Port is enabled and given its static IP (as per ISP). In config terminal mode, from the interface, I can ping the default gateway.

Current setup has a route like "outside 0.0.0.0 0.0.0.0 {next hop}".

I deleted that route, and set up a route for internal data to go through that link (it's a private link), like this: "route outside 192.168.0.0 255.255.0.0 {next hop}". This works, I can still contact my other sites.

I then enter a route for all other traffic to go through the 2nd WAN: "route {2ndWAN} 0.0.0.0 0.0.0.0 {next hop}". From the interface, I can ping the internet fine.

Devices on my LAN can ping my 192.168.0.0 subnets, but cannot ping internet, packets not getting further than the ASA.

This leads me to think that it's security settings I need to change, but I can't copy the settings from the "outside" interface, because it's all open (private link to DC). The closest working config I have to copy from is the router in my DC, but it's got a LOT of extra stuff that I won't need for this branch's router, and I don't yet have the eye to pick what I do and don't need with certainty.

I'm a little confused about when, where and how to use access-lists and access-groups, and if this is even the correct direction to be heading in? Maybe I've made a mistake with the route?

I did try briefly "access-list {2ndWAN} extended permit ip any any" (copying the "outside" configuration) with the rationale being "open the firewall to check it's the firewall", but that didn't change anything.



Securing a Master Key

What plan do you have in place for storing master keys for things such as database encryption with sensitive information? We are opting to not use our HSM for this project, instead will use DPAPI software encryption.

There's been a proposal of having primary / backup of two different groups who come to the table with half the master password. Therefore no single individual would ever know the full password.

Thoughts? What's your plan?



CompanionCube, Ver. 1

Photo: https://imgur.com/gallery/DyJFolm

Nothing groundbreaking, but I thought I'd share because I'm actually quite proud of it. So I work for the second largest ambulance company in the US (second only to AMR), and as anyone who has had anything to do with EMS at any point in time knows, fast response times are of the utmost importance - whether we're talking about dispatch, ground operations, or support. Many companies offer this sort of "crash kit" that can be used to deploy networks at a moment's notice. In fact, for the past few years, we've actually been renting these from a local MSP. Two problems with that though. Although their iteration is very well engineered and fairly reliable, they are extremely expensive to lease, and they can't provide us AT&T FirstNet.

Enter the Companion Cube. This is a full-depth 4U ruggedized rack on wheels with a Cisco 891-24X ISR (running DMVPN back to our data centers), a Cradlepoint CBA850 with FirstNet LTE modem, and a Cisco 3702i wireless AP. Pictured is my first iteration, which was just shipped out to a new site yesterday. Her name is Eve (in keeping with our radio shop guys who have a Sierra Wireless LTE modem named R2D2, and another named Wall-E). Soon to be deployed are Johnny5, Rosie, DATA, and T-1000. And yes, you bet your ass that hearts will be stenciled onto each rack case, as well as their respective names. Future iterations will also include integrated connectors for the Cradlepoint antennas, and a 3702e AP so that the antennas can be mounted externally along with the LTE antennas. I'm also working with our fab shop on modifying shelves to more securely house IP phones. As you can see in the rear photo, we simply shipped a phone in its box just because it was more secure and convenient at the time. It looks like a lot of wasted space, but the goal is to be able to store a dozen or so of these complete with patch cables and a handful of phones to deploy either to new offices, or to send with strike teams during natural disasters where mobile command posts are needed. I've also configured the router with the ability to automatically prefer a broadband connection when provided one (say if we use a hotel conference center as a mobile command post).

If any of you guys have any suggestions, please feel free to drop them in. I'm always open to feedback.



IP Source Guard issue

I've configured IPSG on my switch, but once enabled all legitimate traffic is dropped instead of only filtering spoofed IPs.

After reviewing Cisco's documentation and a number of tutorials I seem to be following the configuration guidelines correctly. Can someone who has deployed this point me in the right direction?

I've confirmed my DHCP snooping bindings are present for the devices attempting to communicate.

The IPSG commands are just "ip verify source port-security" on each port, which then populates "show ip verify source" with the expected allowed addresses; however, legitimate traffic is still dropped.

When I debug IPSG with "debug ip verify source packet" it doesn't trigger anything so I don't have visibility on that front. Wireshark just shows ICMPs being requested but they don't make it past the switch.

Thanks in advance!



Having an issue with AWS Site to Site VPN to Sophos XG

Hi All, at my wits' end here. We typically don't use AWS or Sophos, but the customer isn't ready to migrate yet and I need to get this site-to-site working.

I have a customer with an XG Firewall on firmware 17. I've been going off of this guide https://community.sophos.com/kb/en-us/133057

The VPN tunnel connects, but I cannot reach any of the servers on AWS. I even created a brand new VPC and brand new micro instance per Sophos' guide for testing, but still nothing.

The internal network is 192.168.10.0/24 and the test network I put on AWS is 192.168.11.0/24. The test server on AWS is 192.168.11.10.

My routes look right to me. I set the security group to allow all traffic from 0.0.0.0/0 (again, just for testing). I cannot ping my AWS test server from the Sophos' tools menu. If I do a traceroute from the Sophos to 192.168.11.10, it correctly tries to send over the ipsec0 interface.

https://imgur.com/a/OAEv7SV is a link to some screenshots.

TIA



Proving network drops

Hi All,

We use a centralized application that remote branches access via RDP sessions over IPsec VPN tunnels. Occasionally some branches complain their RDP session will disconnect, sometimes reconnecting where they left off and other times kicking them completely out. This is obviously some loss of network connectivity isolated to the branch, otherwise the whole company would be screaming. How can I prove that these are typical public ISP network drops? We have monitoring on our firewalls, but these drops appear so brief that nothing is being tripped. Any tools or utilities that I could set up to constantly ping and report back with timestamps of missed pings?
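Worked example (added here, not from the post): a small Python monitor of the kind the question asks for. It pings a target on a fixed interval, appends every probe (not only the misses) to a CSV with a UTC timestamp, and collapses consecutive misses into outage windows with start, end and count, which is the evidence an ISP ticket needs. The `ping -c 1 -W <sec>` flags assume Linux iputils; the target host and output path are command-line arguments, and the probe function is injectable so the outage logic can be exercised without a network.

```python
import csv
import subprocess
import sys
import time
from datetime import datetime, timezone


def icmp_probe(host: str, timeout_s: int = 1) -> bool:
    """One ICMP echo via the system ping binary.

    Flags assume Linux iputils ping (-c count, -W timeout in seconds);
    adjust for other platforms.  Returns True if a reply came back.
    """
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False,
    )
    return result.returncode == 0


def find_outages(results):
    """Collapse a sequence of (timestamp, ok) probe results into outage windows.

    Each outage records the first and last missed probe and how many were
    missed, so a brief blip and a multi-minute drop are both reported with
    exact times rather than "it dropped sometime this afternoon".
    """
    outages, current = [], None
    for ts, ok in results:
        if not ok:
            if current is None:
                current = {"start": ts, "end": ts, "missed": 1}
            else:
                current["end"] = ts
                current["missed"] += 1
        elif current is not None:
            outages.append(current)
            current = None
    if current is not None:
        outages.append(current)
    return outages


def run_monitor(host, csv_path, interval_s=1.0, probe=icmp_probe, max_probes=None):
    """Probe `host` every `interval_s` seconds and append each result to a CSV.

    Logging every probe lets you show later that the monitor itself was
    alive across the gap.  Returns the outage windows seen (on Ctrl-C too).
    """
    results = []
    with open(csv_path, "a", newline="") as fh:
        writer = csv.writer(fh)
        try:
            while max_probes is None or len(results) < max_probes:
                ts = datetime.now(timezone.utc)
                ok = probe(host)
                writer.writerow([ts.isoformat(), host, "ok" if ok else "MISSED"])
                fh.flush()
                results.append((ts, ok))
                if not ok:
                    print(f"{ts.isoformat()} missed reply from {host}", file=sys.stderr)
                time.sleep(interval_s)
        except KeyboardInterrupt:
            pass
    return find_outages(results)


if __name__ == "__main__":
    # Usage: python ping_monitor.py <branch-vpn-peer-ip> <out.csv>
    target, out_path = sys.argv[1], sys.argv[2]
    for outage in run_monitor(target, out_path):
        print(outage)
```

Run one copy on each side of the tunnel (branch pinging the HQ VPN peer's public address, and HQ pinging the branch) so the two CSVs, compared on timestamp, show whether the gap is on the public path or inside the tunnel.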



Hardening Internet Facing Routers

What special precautions (if any) do you take to secure internet facing routers that go beyond what you do for internal devices? I'm mainly curious to see if there are any gaps in our current methods.

Things we do for all devices (Cisco):

  • Restrict SNMP access to our monitoring hosts

  • Restrict SSH access to our jumpbox subnets

  • Disable 'outbound' SSH from vty connections

  • Disable Telnet, HTTP, and HTTPS access

  • AAA via TACACS+ for vty and console connections

  • Secure physical access to the device

  • Syslogs, traps, and netflow data being sent to centralized servers

Additional steps on internet facing devices:

  • Inbound ACLs to filter traffic sourced from RFC 1918 and our own public blocks.

  • Disable CDP/LLDP

  • Change passwords for local fallback accounts monthly

  • Enable authentication for all eBGP sessions to our ISPs

  • Inbound filters for eBGP sessions to stop our own public blocks from being advertised back to us

  • Disable ICMP redirects and unreachables on internet facing interfaces
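Worked example (added here; not from the post and not a vendor tool): a small Python audit that checks a running-config text for the config-visible items in both lists above, so the hardening list becomes something you can run against every exported config rather than a checklist someone eyeballs. The IOS config it runs on is constructed for the demo (documentation address ranges, placeholder ACL names, community string and BGP password), and two items are deliberately left out so the audit has something to report. Items that are not visible in a config (physical access, monthly rotation of local passwords) are out of scope.

```python
import re

# Constructed IOS-style config for the demo.  "no lldp run" and
# "no ip unreachables" are deliberately missing.
SAMPLE_CONFIG = """\
aaa new-model
no cdp run
no ip http server
no ip http secure-server
snmp-server community MONITOR-RO RO 10
logging host 192.0.2.50
!
interface GigabitEthernet0/0
 description INTERNET uplink
 ip address 203.0.113.2 255.255.255.252
 ip access-group EDGE-IN in
 no ip redirects
!
interface GigabitEthernet0/1
 description inside
 ip address 10.0.0.1 255.255.255.0
!
router bgp 64496
 neighbor 203.0.113.1 remote-as 64500
 neighbor 203.0.113.1 password PLACEHOLDER-PSK
 neighbor 203.0.113.1 prefix-list FROM-ISP in
!
line vty 0 4
 access-class MGMT in
 transport input ssh
 transport output none
"""


def parse_sections(cfg):
    """Split a running-config into (header, [child lines]) using IOS's one-space indent."""
    sections, cur = [], None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and cur is not None:
            cur[1].append(raw.strip())
        else:
            cur = (raw.strip(), [])
            sections.append(cur)
    return sections


def audit(cfg, internet_ifaces):
    """Map each config-visible hardening item from the lists above to True/False."""
    sections = parse_sections(cfg)
    top = [h for h, _ in sections]
    vty = [c for h, c in sections if h.startswith("line vty")]
    ifaces = {h.split(None, 1)[1]: c for h, c in sections if h.startswith("interface ")}
    bgp = [l for h, c in sections if h.startswith("router bgp") for l in c]
    neighbors = sorted(set(re.findall(r"neighbor (\S+) remote-as", "\n".join(bgp))))

    f = {
        "cdp_disabled": "no cdp run" in top,
        "lldp_disabled": "no lldp run" in top,
        "http_disabled": "no ip http server" in top and "no ip http secure-server" in top,
        "aaa_enabled": "aaa new-model" in top,
        "syslog_target": any(re.match(r"logging (host )?\d", l) for l in top),
        # SNMP community lines must carry a trailing ACL: community <str> RO|RW <acl>
        "snmp_acl": all(len(l.split()) >= 5 for l in top if l.startswith("snmp-server community")),
        "vty_ssh_only": bool(vty) and all("transport input ssh" in c for c in vty),
        "vty_no_outbound": bool(vty) and all("transport output none" in c for c in vty),
        "vty_acl": bool(vty) and all(
            any(l.startswith("access-class") and l.endswith(" in") for l in c) for c in vty),
        "ebgp_auth": bool(neighbors) and all(
            any(l.startswith(f"neighbor {n} password") for l in bgp) for n in neighbors),
        "ebgp_inbound_filter": bool(neighbors) and all(
            any(l.startswith(f"neighbor {n} prefix-list") and l.endswith(" in") for l in bgp)
            for n in neighbors),
    }
    # Internet-facing interfaces get the extra checks from the second list.
    for name in internet_ifaces:
        c = ifaces.get(name, [])
        f[f"{name}:inbound_acl"] = any(l.startswith("ip access-group") and l.endswith(" in") for l in c)
        f[f"{name}:no_redirects"] = "no ip redirects" in c and "no ip unreachables" in c
    return f


def failing(findings):
    """Names of checks that did not pass, sorted for stable reporting."""
    return sorted(k for k, v in findings.items() if not v)


if __name__ == "__main__":
    for item in failing(audit(SAMPLE_CONFIG, ["GigabitEthernet0/0"])):
        print("FAIL:", item)
```

The inbound-ACL check only confirms that an ACL is applied inbound; whether that ACL actually drops RFC 1918 sources and your own public blocks still has to be checked against the ACL body.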



Show tech-support tanked Cisco 3650

We had an Avaya phone take down a Cisco 3650 switch stack last night. After disconnecting the bad phone I ran a show tech-support for the TAC case I was opening. My colleague also ran a show tech-support while mine was still running. This promptly maxed out the CPU and tanked that switch in the stack. It needed to be manually rebooted via the power cable.

We’re wondering if this was a bug or just a result of maxing out the CPU and tipping over the switch.

IOS version 3.06.06E

Happy holidays!



Interview questions for potential employer (feedback)

I'm in the process of interviewing for a Lead position as an audiovisual/videoconference technician. I understand the content of what I'm asking but am a little shaky on more advanced networking stuff; I wanted to ask questions that show that I'm engaged with what's happening on the backend (without overplaying my hand). Here is what I have so far. Can you tell me how this sounds and if I'm making sense here? Anything I should take away or additional questions you think would be good to add? Any terminology I'm using incorrectly or rewording? Thanks so much.

  1. Are your current video-on-demand and streaming services strictly cloud based or do you have on-prem deployment behind the firewall, or is it a hybrid? Is it the same for videoconferencing? Do you see this moving in one direction or the other?
  2. How many videoconference endpoints are currently deployed within the organization and are they all centrally managed? Are they cloud based or deployed behind the firewall?
  3. What is the kind of material that will be streamed (classes, executive addresses, training modules etc.) and who is the intended audience for this video material and will they be primarily inside or outside the company WAN and on what type of devices? Will it be viewed primarily in real-time or on-demand? What is the level of interaction?
  4. How many conference rooms and classrooms do you have onsite that will require A/V support? What kind of technology is deployed in these rooms?


Knowledge of Structured Networking

Hi!

If any of you can, could you please tell me the answer to each:

- What is the best way to gain more knowledge about networking?

- Which is the best course you could take for such knowledge (and is there one online)?

- In which country is networking valued most, and why?

- How could someone get knowledge of fiber cable production?

If it's a bad post please tell me why and how to make it better.

I am kind of new here and I am still learning.

Thank you in advance.



Checkpoint FW failing Network Scan Test. Please help with hardening

How do I harden my CP firewall? I have all sorts of ports open that I do not want open and I'm failing a scan test. I have UDP port 500 open, some other ports (18264, 264), and worst of all I'm unable to turn off SSL externally and it supports TLS 1.0.

I have worked with my other firewall and never had an issue like this. I had about 50 ports open, and their TAC had me make a stealth rule. This stealth rule blocked a lot of ports, but this CP still has open ports.

I have never had this issue on my SRX, Palo, Fortinet or ScreenOS. I'm more of a CLI jockey; CP and the way they do things are very counter-intuitive to me.



PIM Multicast

I saw an article saying PIM was old and not recommended. Is this true? If so, what replaces it?



Tplink tl wr840n 4mb flash openwrt mesh?

I just bought 2 TP-Link TL-WR840N routers for a good price and plan to use them in a mesh WiFi config with OpenWrt if possible. WAN comes in on a gigabit MikroTik router which distributes via Cat6e to each room of my house. However, I would still want a WiFi mesh for smart home devices.

I have already tried OpenWrt with the TL-WR840N, but due to low flash any additional package needed for mesh is not persistent after boot. 1. Any idea how to still use these devices in a mesh setup? 2. Other ideas for having cheap mesh? Google mesh, TP-Link mesh, etc. solutions are out of my budget.



CenturyLink Outage - West Coast?

Wondering if any of you have details on the CTL outage. It seems like it is affecting a lot of people out west, according to this: https://downdetector.com/status/centurylink

I have them as a residential (fiber) and I'm out west seeing the same problem.

I can hit their next hop address just can't seem to get out of the CTL network.



what is black ethernet and white ethernet cable?

No text found

DHCP Snooping help

Hi, I have tried to google this but not managed to get a concrete answer. I am seeing these messages on a Cisco switch with DHCP snooping enabled.

%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa:xxxx.xxxx.xxxx

The MAC address in the message varies, so I assume that is the MAC address of the client the DHCP server is attempting to make the offer to? Is there a way to track down the port that has got the 'DHCP server' connected to it?
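Worked example (added here; not from the post): a parser for the syslog line quoted above that groups the drops by the `MAC sa:` field (the source MAC of the dropped frame), counts them, and lists which DHCP message types each MAC sent. DHCPOFFER, DHCPACK and DHCPNAK are server-to-client messages, so a MAC sourcing them on an untrusted port is acting as a DHCP server, which is exactly what the switch is protecting against. The sample log lines are constructed for the demo (MACs and timestamps are made up).

```python
import re

# Constructed sample syslog lines in the format quoted in the post.
SAMPLE_LOG = """\
Dec 24 10:01:02.123: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa:0011.2233.4455
Dec 24 10:01:05.456: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa:0011.2233.4455
Dec 24 10:02:10.789: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa:0011.2233.4455
Dec 24 10:03:00.000: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa:aabb.ccdd.eeff
Dec 24 10:03:30.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# search() rather than match() so a leading sequence number or hostname
# (common when the line arrives via a syslog collector) does not break parsing.
DROP_RE = re.compile(
    r"(?P<ts>[A-Za-z]{3} +\d+ [\d:.]+): %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: "
    r".*message type: (?P<type>DHCP\w+), MAC sa:"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})",
    re.IGNORECASE,
)

# Message types only a DHCP server sends (RFC 2131).
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def summarize_snooping_drops(log_text):
    """Group untrusted-port drops by source MAC: count, message types, first/last seen."""
    summary = {}
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        mac = m["mac"].lower()
        entry = summary.setdefault(
            mac, {"count": 0, "types": set(), "first": m["ts"], "last": m["ts"]})
        entry["count"] += 1
        entry["types"].add(m["type"].upper())
        entry["last"] = m["ts"]
    for entry in summary.values():
        entry["types"] = sorted(entry["types"])
    return summary


def suspected_servers(log_text):
    """MACs that sourced server-only DHCP messages on an untrusted port."""
    return sorted(mac for mac, e in summarize_snooping_drops(log_text).items()
                  if SERVER_MESSAGES & set(e["types"]))


if __name__ == "__main__":
    for mac, e in summarize_snooping_drops(SAMPLE_LOG).items():
        print(f"{mac}: {e['count']} drops, {e['types']}, {e['first']} .. {e['last']}")
    print("acting as DHCP servers:", suspected_servers(SAMPLE_LOG))
```

With the source MACs in hand, the port is found by looking each one up in the switch's MAC address table (`show mac address-table address <mac>`); if the MAC is learned on an uplink, repeat on the downstream switch until it resolves to an access port.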



Fog computing

Can anyone describe a real-world example of fog computing and/or mist computing?



Wednesday, December 26, 2018

The New Year is Almost here. What are your study plans and goals?

So much going on in the world of networking; it's always good to have a plan, goals, and what to study next. Curious to see what everyone is up to.

Currently I will be reupping on my CCNP next month and dive deep into python and will be getting familiar with SilverPeak SD-WAN.



Powerline adapter problems

I dunno if this is the right place to ask, but I recently got a D-Link AV 1000 powerline adapter (and bear in mind I don't know anything about networking) so I could set up a wireless network in a room of my house that couldn't get wireless from my router. It appears to work, but the problem is when I go to configure it on the admin page through D-Link the two adapters don't connect to each other.



Odd DHCP Issue

So today I was working on an odd issue with a Meraki MX-64 firewall and two MS220 switches.

One network with two VLANs. One data VLAN and one voice VLAN. Pretty vanilla. The phones are all VoIP Broadsoft phones and are completely unaffected in their safe voice VLAN. Everything else in the data VLAN is pulling APIPA addresses if it didn't have a DHCP reservation. Also I learned that if I removed the reservation and cycled the interface it would not come back even if I added the reservation back.

Now here is what I did. I did packet captures on the switch uplink and I see the DHCP discover messages going through. But not on the interface on the firewall. Remember this is only for the data VLAN. The phones seem fine. So naturally I checked the DHCP settings and they were correct. I checked the VLAN settings and those were good too. I looked for a rogue DHCP server and found nothing.

Everyone had left the office for the day so I was free to troubleshoot as I pleased. I threw a hail Mary and rebooted everything. No change. I have a device on the network that runs CentOS for troubleshooting and runs network monitoring. It's on VLAN 100 and was fine because it had a reservation. It's the device that went offline as soon as I removed the reservation and cycled the interface. So I created a new VLAN and then added it to the interface. Boom goes the dynamite and it came online.

As far as I know there were no configuration changes or cabling changes. Everything is as it was when it was working. They already had the carrier out before they even called me. The whole network is up and fine. I'm at a total loss and even Meraki support was stumped.

Any thoughts? Ideas?



Need some Network engineering/business advice

Hey Guys Happy Holidays,

My company seems to want to go full cloud so we are planning on moving everything to cloud now, this includes domain controllers etc.

So far I decided to use Silverpeak for our SD-WAN and take 400 Mb business internet to cut DIA expansions to Azure.

For our LAN we have EX2200s and SG300s, which were installed this year (I want to get rid of all of them and go Cisco 9300; we were quoted 8,168.06 USD for one). Any idea if this would be a good 10G+ access switch? I want to run 10G back to the EX4300s.

Lastly our core is EX4300, but I'll replace those when they are EOL (I'm a Cisco guy now in a team leader role, so that's why I want to replace the Junos). We were quoted 3,580.16 USD for the EX2300.

Would it be better to go fully Cisco rather than Juniper, as I'm more Cisco and Cisco is easier to get than Juniper in my region?

My plan is to have full layer 3 across the access to our collapsed core using BFD/ECMP with OSPF and have our access as a totally stubby area (I'm also considering ISE for PCI compliance and agentless NAC).

Lastly, I want Cisco DNA, as my team is mainly system admins who are 50 years+, so I don't have much time to train them; also any new person I would just hire with a CCNA and have them use DNA to provision.

I need to present this to our board as this is across 5 companies within the sector. In the future I'll roll this out to 85 other companies across 8 sectors, so I need solid advice from the experts here because our board usually asks 1 million questions from a cost/business and a technology perspective.

Thanks



Multi-Tenant Network, 802.1x?

Had something come by my desk the other day that was interesting. I am no network guru, but in my office I am the closest thing to it.

We are looking at designing a network from the ground up for a shared work space. The initial idea we had was simple: each tenant or client has a VLAN specified for them on wall ports, and an individual SSID for wireless. But it turns out the scale we are looking at goes much beyond that. There are around 250 users, a mix of wired/wireless, and they don't stay in the same spots.

So we started looking at 802.1X authentication for both wired and wireless. We would spin up an Active Directory environment with a RADIUS server (NPS). Create user accounts for all tenants, all that good stuff. When people connect to the wired or wireless network, it will prompt them for a login. They use their user account, RADIUS authenticates, and the switch dynamically assigns that port to the VLAN that RADIUS specifies.

I've set up something basic like it in our lab, and it works, but it does have some quirks. We use a cheap netgear switch in our lab, which might have something to do with it. But my general question is has anyone done anything like this before? Does it work well? Any recommendations of other ways to accomplish the same thing?



Network Monitoring?

What are you guys using to monitor network devices? Basically I just want to get an alert if a switch or a network device has lost its connection to the network.



Network Firewall Engineer or Cyber Security Engineer

I have been working for the last 5 years in the Network and Security domain. But for the last 3 years, my primary focus has been on security, working on firewalls. I am working as a contractor and applied for 2 full-time positions listed on their website (for the same employer). Now I have 2 offers:

  1. Firewall Engineer - Operational, Supporting Customers, Working on Firewalls (Palo Alto), Working on Firewall related projects.

  2. CyberSecurity Engineer - Overall security for the organization, SIEM, Malware Detonation/Analysis, Machine Learning Systems, Insider Threat Solutions, Working with Cloud Security, Endpoint Security, Reviewing Threats.

I am currently working as a firewall engineer, and if I go with the CyberSecurity Engineer position it will be a big change for me. But I always wanted to learn new technologies and work on projects.

Just looking for opinions of redditors in this subreddit.

Thanks in advance.



Any podcasts or material I can listen to in the car to better understand networking concepts?

No text found

Anyone ever work with a NetApp cluster switch?

My storage guys came to me today because they are looking to hook up some NetApp nodes together. NetApp makes it seem like you have to use their specific switch, which are a few different Nexus switches that are loaded with NetApp-specific firmware.

Now my first thought is skepticism. From what I gathered it's just to be 100% sure you have the right hardware so you can't complain about data loss or anything.

However, I don't exactly see any reason I can't use some of the Nexus 5548s I have sitting in stock. I can't find any reasoning given by NetApp of what is different, and why you need their firmware etc. instead of just taking a 10Gb switch, set to jumbo, and just sticking them on there with open trunk ports.

Anyone have experience in this able to enlighten me?



VoIP & CCTV VLAN Best Practices

I am in the process of redesigning my network and have been trying to determine the best way to VLAN VoIP and IP CCTV. I will be putting the devices in a separate VLAN, but I am still trying to decide the best way to handle VLANs for the servers (VoIP PBX/NVR). As I see it, there are three options:

  1. Devices and the server in the same VLAN

             +--------------+
             |  Firewall/   |
             |   Router     |
             +----+---+-----+
                  |   |
            +-----+   +-----+
            |               |
     +------+------+ +------+------+
     | VoIP VLAN   | | CCTV VLAN   |
     | - PBX       | | - NVR       |
     | - Phones    | | - IP Cameras|
     +-------------+ +-------------+

  2. Devices and the server in separate VLANs

             +--------------+
             |  Firewall/   |
             |   Router     |
             +----+---+-----+
                  |   |
            +-----+   +-----+
            |               |
     +------+------+ +------+------+
     | PBX VLAN    | | NVR VLAN    |
     +------+------+ +------+------+
            |               |
     +------+------+ +------+------+
     | Phone VLAN  | | Camera VLAN |
     +-------------+ +-------------+

  3. Server in server VLAN

                 +--------------+
                 |  Firewall/   |
                 |   Router     |
                 +-+---+-----+--+
                   |   |     |
         +---------+   |     +----------------------+
         |             +--------+                   |
         |                      |                   |
     +---+-------------+ +------+-------+ +---------+---------+
     |  Server VLAN    | |  Phone VLAN  | |   Camera VLAN     |
     |  - PBX          | |              | |                   |
     |  - NVR          | +--------------+ +-------------------+
     |  - other servers|
     +-----------------+

In each case, router firewall & host firewall rules will limit connections to the minimum required for each device/server to perform its task and allow administration/monitoring.



Cisco ASR BVI Question?

Hi,

Anyone tried setting up a BVI under a physical interface converted to l2transport? Just want a quick check on whether anyone has experience with this or whether this setup is possible.

Simple topology: (1.1.1.1)CE------->PE1---l2vpn----PE2

PE1:

interface GigabitEthernet1
 desc facing CE
 load-interval 30
 l2transport
interface BVI10
 ipv4 address 1.1.1.2 255.255.255.0
l2vpn
 bridge group VLAN10
  bridge-domain VLAN10
   interface GigabitEthernet1
   routed interface bvi4

Since I want to test the reachability between PE1 and the CE router without breaking the l2vpn PW, I'm thinking of configuring a BVI if possible. But, for example, if I add the routed BVI on a bridge group/bridge-domain, does it affect or create an interruption on the pseudowire (l2vpn) circuit configured between PE1 and PE2?

Or is this setup not possible? Still checking the docs given by Cisco.

Thanks



I need suggestions concerning my MPLS VPN Thesis.

Hello everyone,

First, let me know if this post is misplaced. I have to start working on my master's thesis on the subject of MPLS VPN, and I need help to make something slightly different and better; how can I do that, lab and content wise? I thought about including some DevOps automation (Ansible); any insights on this?

My main aim is to master the subject and learn as many new technologies alongside by doing.



OAM or BFD in LSPs

Hey,

I want to collect some extra metrics from our LSPs around traffic quality.

I have been looking into BFD vs OAM in LSPs (JunOS house).

I'm leaning towards OAM since we run BFD in the underlay and I don't really want to test the path reachability, rather the LSP quality.

Anyone running OAM who has some gotchas, notes or comments?



Bridge Mode = no internet??

Here’s one that has me screaming....

Multiple Modems (VDSL2+)
ISP: MyRepublic (Australia), 50 up 20 down
Router: Dell Server running Sophos XG firewall
IP is static.

It appears that when our modem (we've tested this on multiple modems, but the main one is a Netgear DM200) is in bridge mode we either have no DSL connection at all, or we obtain DSL and are able to use the network before it drops out, reconnects and drops out again. Dropouts can happen minutes apart, hours apart or days apart and last from 2 minutes to hours.

We’ve resorted to a backup cellular service when the dropouts happen however this is expensive.

Naturally, our ISP has no clue what’s happening and their on call techs who have come out don’t know either. Even the fiber company who put down all the cable don’t know.

Is there anything which could be causing bridge mode to disconnect so often? It appears that when NOT in bridge mode our connection is a whole lot more stable and there’s nowhere near the disconnections compared to bridge mode. However that means our firewall isn’t able to run due to clashes with the inbuilt firewall of the DM200 which it seems isn’t able to be turned off...

Thank you in advance



Tuesday, December 25, 2018

Merry Christmas to me!



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



[QUESTION] How to set up an encrypted connection between two computers?

Hello,

I have a desktop and a laptop computer. I wish to have an encrypted remote connection from my laptop to my desktop computer. Both computers run on Windows 10 Pro v1809.

I know that I can use services like TeamViewer, Chrome Remote Desktop etc., but I would like to have more control and set up a "personal" VPN or some kind of secure connection. (Knowing that nothing is 100% secure xD)

Do you have some YT videos, tutorials, or blogs that explain how to do it?

Thank you,

K.



Does changing your default DNS enhance security/speed?

I've read many times before that changing your default DNS address to something like Cloudflare's DNS or Comodo's DNS could increase security, spam, and oftentimes speed.

My questions are, is this true, what benefits are there, and are there any drawbacks?



Need help with LAN and Networking.

I don't know much about LAN and networking stuff, but I am planning on upgrading the main computer at my business. Right now there is a really old Windows XP computer that communicates with the main system, which is used to adjust pricing and whatnot for my business. The main system is connected to the old PC using two LAN/Ethernet cables (input and output, I'm guessing). Most motherboards only have one LAN port now and I don't know how I'll connect the new PC with the main system and have an internet connection at the same time.

I’m guessing that I need to buy a network switch but I’m not sure.



LDP Session Hold time vs Discovery Hello

Hello,

Could one of you guys explain to me the difference between "Session hold time: 180; keep alive interval: 60" vs. "Discovery hello: holdtime 15 sec; interval: 5 sec"?

router#show mpls ldp parameters

Protocol version: 1
Session hold time: 180 sec; keep alive interval: 60 sec
Discovery hello: holdtime: 15 sec; interval: 5 sec
Discovery targeted hello: holdtime: 90 sec; interval: 10 sec
Downstream on Demand max hop count: 255
LDP for targeted sessions
LDP initial/maximum backoff: 15/120 sec
LDP loop detection: off



Question about EIA T568A/T568B

Hi everyone,

My question may have already been answered but I just wanted to know what the significant differences between both ANSI/EIA standards of terminating Cat5e/Cat6 cables based on T568A/T568B - other than the cable strands being a different order between the two. My question is more along the lines of... Why do two standards exist?

I'm becoming a junior technician at a company that deals with networking IP based cameras, and scalable networks and such, but that's another story for another day.

I understand how to terminate the cables; I just wanted to know which standard is most commonly used, and why. I seem to be hearing about how T568B was similar to AT&T's standard, which was something like 258A, but I don't quite understand the relevance.

Any information would be appreciated! I am still reading up on this as well but I'm willing to learn more if anyone is able to explain it!



Provisioning hundreds of VLANs for residential centralized routing

I am developing a system for a residential user-base where I am required to centralize routing for an MDU. I am planning on providing customers with their own VLAN. I need to choose a centralized router/firewall that will route their VLAN to the Internet.

I need to be able to handle at least 300 VLANs. Of course, each VLAN will need a DHCP pool. Each VLAN will source NAT to their own public IP.

I looked at pfSense a while ago, but had scaling issues with adding such a large number of VLANs. It was also difficult to manage at this scale. What are some recommended ways of handling this? I have never run into a situation with these specific requirements. I am also considering using a standard Juniper SRX firewall and using NETCONF to provision the VLANs/NAT/DHCP on demand. I am using 802.1X to dynamically assign customers into their proper VLAN (they can be connecting from multiple locations).

Any ideas?

Edit: I understand these requirements may sound weird - but I don’t have too much room to change them, it’s what we’re stuck with.

Edit 2: I am only looking for help with the routing portion of this project.



Is this a good router?

I recently built a new gaming PC. I just contacted my ISP; he said he'd come over tomorrow and give me a new connection. This will be the first time my family has Internet in our house. These are the plans he gave me to choose from: One Two. I'll be choosing TMT - PUMA from Picture 2, where I'll need to pay 600 Rupees for 500GB of data at a speed of 50 Mbps, and post-FUP is 1 Mbps.

Router model: DG-HR3300TA, for which I'll need to pay 1000 rupees.

So my questions are: is this router any good? Are there any good routers for the same price? The same router is 2000 rupees on Amazon.

For conversions: 600 rupees or 8.54 dollars for the monthly fee for internet. Company router price 1000 rupees or 14.23 dollars. Amazon price for the same router 28.47 dollars or 2000 rupees.

Use case: Game downloads, Gaming, will be used by 1 or 2 mobiles simultaneously. Thinking of getting into streaming. Will this work?

Thank you and merry Christmas all.



Monday, December 24, 2018

Juniper vWLC Config Questions

Is there anyone out there familiar with the Juniper WLCs? I'm struggling to find information on a few things. I'm familiar with Cisco and Aruba wireless, but not with Juniper and unfortunately I inherited this little problem child.

I have a vWLC at the HQ site, and some APs I'm trying to get configured at a remote site. There is an MPLS connection between the remote site and the HQ site with routing enabled (BGP). There is full reachability between this remote site and the HQ site. What I'm trying to figure out is how do I point the WLA532's I have to the Juniper controller at the HQ site. I can probably fumble my way through configuring the SSIDs and such based on other configurations already on the device.

Is there a DHCP option I need to set that points to the WLC? Option 43, perhaps? The DHCP server is at the HQ site with a DHCP helper address to the wireless VLAN at the remote site.



Ansible users: do you keep track of what playbooks you ran?

Do you maintain a historical record of what playbooks you executed? Maybe with columns like

    +-----------+----------+-------------+-----------------------+-------------------+--------+
    | Timestamp | Playbook | Git Version | Environment Variables | Command line args | Result |
    +-----------+----------+-------------+-----------------------+-------------------+--------+

If yes, how do you populate such a record?

If not, is it because you think it is overkill or unnecessary? I have a feeling that something like this may be a change-control/ISO/process requirement, but am curious about what others think.



Dynamic ip reset

Hi. I'm a networking noob and I have a question. If you have a dynamic IP, does it automatically change, and if so, how often? Do you have to do something in the router and modem settings if you want to do it manually, or do you just have to unplug the router and modem from the power source? (I have a cable modem/router + a separate router from Asus)



Where do ports exist on your computer? I know they're part of the Transport layer, but is there a less abstract way to think about them?

Not to say that thinking of the transport layer is overly abstract (it's very helpful actually), but is there any other way to describe a port, maybe in terms of things you can access on your machine?

Obviously a port is not a physical entity; it's strictly digital. But where might you "find" a port? Where do they exist? On your network card? Or is there some file that represents each socket (on a *nix machine)? Or a file that describes sockets in any way?

The context for this question is socket programming (using Python specifically). For example, I'm not understanding what exactly a program is connecting to when you give it an IP and a port number. I get that it's connecting to a certain port on a certain device, but that doesn't tell me much about what's actually going on. Where are the packets going to and coming from? I know that they're going to and coming from a port, but what is a port? Hence this question.

What may be another source of my confusion is how ports relate to sockets. I know (stream) sockets to be things that can transfer packets two-way between two ports using TCP. I don't know much else.

TLDR What is a port? Is it possible to view a port or its representation in any way?

I'm a beginner and just trying to get a better idea as to what a port is, as well as a better understanding of the big picture. Any help, whether it be directly or tangentially related to this topic, is welcome and greatly appreciated.



Network Design and Topology Questions (Update)

This is my new topology plan and this is what I would envision the expansion looking like. In the second diagram the yellow connections are the expansion devices connections to existing devices and the red connections are the ones that I think are questionable and I am not sure if they are necessary.

I really appreciate everyone's feedback on my original post and it has given me a lot to think about. I understand that fiber would be a much better option compared to cat6a, but it's not possible for this particular customer, at least not yet. If they were to wire the whole building it would be much easier to justify the cost of adding new conduit and at that point everything would be connected with fiber. However this does mean the distance used for the cat6a will be much shorter and will only be going to two floors.

One big change I made is that I decided to go with the SG550XG-8F8T because it would supply the needed throughput and IO. The EX4300 only has 4X 10GB SFP+ ports and the SG550XG-8F8T has 8 along with 8X 10GB copper ports. For now I only have one planned, but depending on what everything comes out to it may be possible to have two and for them to be wired for HA. After looking at the stacking guide for them I'm not sure if I wired them correctly; rather than having a connection for each switch, would it be better for everything to be plugged into the second core switch and the master just be connected to the backup?

Right now I still plan on going with mostly Juniper switches, but I'm curious what people think about going with the Cisco SG switches or even another brand such as HP, Dell, etc. If you do have a switch recommendation compared to Juniper I would love to know. Also if anyone has a core switch recommendation for under $3,000 that has at least 8 SFP+ ports and 10GB copper ports or has support for 10GB copper SFP+ optics I would love to hear those as well. Please keep the below pricing in mind when recommending a switch; if it goes over by much it won't be a viable option.

Device             Price       Notes
FG-80E-BDL-974-60  $3,792.99   FortiGate 80E - Enterprise Bundle - 5 Years
EX3400-24P         $1,839.99
EX2300-24P         $2,073.99   Includes Virtual Chassis Price
EX2300-24T         $751.99

I really appreciate people taking the time to look at this and give me advice.

This is a link to my original post.



Passive DWDM Multiplexer - Overdrive?

Merry Christmas everybody!

I ask myself if it's possible to damage passive optical equipment like a multiplexer by overdriving it, for example if the signal is too high or if we miss the attenuators for it.

That it's possible for active equipment like an SFP module I know. For example, with 10G-ER (40km) the damage threshold is 5dB.

So I wonder if this can also happen with passive equipment like a multiplexer?

thanks



Are networking concepts or scenario type questions asked more in interviews?

Have you been asked more of networking concepts related questions or scenario questions in interviews? In your experience, approximately what percentage of questions was related to networking concepts & what percentage was scenario based questions or some other questions?

I am a CCNA & CCNP Route certified L2 network engineer. I am somewhat strong when it comes to concepts covered in CCNA and part of CCNP but have not applied these concepts extensively in the workplace as I have worked only in maintenance projects. So I am hoping to clear interviews using my knowledge of networking concepts studied in certifications, as I am not sure how many scenario type questions I can handle. Your interview experience may give me insights on how to tweak my strategy further.



VPN on Linksys WRT54GS

Hi guys, so I have a VPN connection from my enterprise; I can connect through Check Point Mobile. As I'm always away from the company facilities I need to connect to the intranet to receive computer updates and work on multiple apps. I would like to know if it is possible to set up a router with this configuration so I don't need to always be logging in to Check Point Mobile.

The connection on CPM is done with user/password and the only setup in the app was with a server name like "servername.company.com"

i have a linksys wrt54gs with DD-WRT installed

ps: sorry for my English, it's not my native language



Modem -> Firewall -> L3 Switch -> VLAN no internet access

Hey,

First time configuring something like this. I can't seem to get internet access on the switch

Configuration

Modem -> ASA 5506 (Firewall) -> L3 Switch (Aruba 2930)

I can't seem to get internet through the switch but can on the firewall. Not sure what I'm doing wrong, any help would be appreciated!

L3 Switch Config:

ip default-gateway 172.25.1.254
snmp-server community "public" unrestricted
vlan 1
   name "DEFAULT_VLAN"
   no untagged 2
   untagged 3-28,Trk1
   ip address 172.25.63.1 255.255.255.0
   exit
vlan 64
   name "Data VLAN"
   untagged 2
   ip address 172.25.64.1 255.255.255.0
   dhcp-server

Firewall (ASA 5506)

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
interface BVI1
 nameif inside
 security-level 100
 ip address 172.25.1.254 255.255.255.0
!

Modem is connected to ASA 1/1 ASA 1/2 is connected to L3 switch Port # 1 L3 Switch Port # 2 is connected to a laptop

DHCP is setup on the L3 switch which works but internet access is the only thing not working. Internet works if I directly connect laptop to the firewall.
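As an added example (not the poster's configuration), the pieces this topology usually needs once the switch does the routing. Two things stand out in the posted config: the switch's VLAN 1 address 172.25.63.1/24 is not in the ASA's inside subnet 172.25.1.0/24, so the default gateway 172.25.1.254 is unreachable from the switch, and the ASA has neither a route back to 172.25.64.0/24 nor a NAT rule for it, so even if packets reach the outside, replies cannot come back. The switch address 172.25.1.1 and the object name are assumptions.

```text
# Aruba 2930: route between VLANs and point the default route at the ASA.
# With "ip routing" enabled the switch uses "ip route", not "ip default-gateway".
ip routing
no ip default-gateway
ip route 0.0.0.0 0.0.0.0 172.25.1.254
vlan 1
   ip address 172.25.1.1 255.255.255.0
   exit

# ASA 5506: return route for the VLAN behind the switch, and PAT for it.
route inside 172.25.64.0 255.255.255.0 172.25.1.1 1
object network VLAN64_NET
 subnet 172.25.64.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

Each VLAN added on the switch later needs its own route and NAT object on the ASA (or one object covering a summary such as 172.25.0.0/16, if that is how the addressing is planned). A quick check from the laptop is a traceroute to a public address: if it stops at 172.25.64.1, the switch has no default route; if it reaches 172.25.1.254 and dies, the ASA is missing the return route or NAT.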



When labbing and testing, what are your go-to services you setup as part of your mock network (e.g. SSH, FTP, HTTP, iperf, ?)

When setting up a test lab/homelab for networking what are you go to end host services you setup to test connectivity too to make the network feel more than solely a "network protocol" configuration lab?

Currently my lab does not have any type of services, it's all just mocking up with loopbacks or routed interfaces. Does anybody go further with things like Clusters, ESXi hosts or anything that would be deemed "exotic" for Network Engineers or is it enough what I have listed in the title of the post?

From the Network Engineer perspective is it good to dabble in a little bit more of the server side to understand the network from the "user side" as opposed to purely the network side? I find a lot of people in my team are really weak on ESXi and other "user applications" as they're mostly network heads and have no interest in what's attached.



Looking for benchmarks for wireguard on an APU1D board

Hello guys, I am a proud owner of an APU 1D board now. I want to run a wireguard VPN on it.

Has anyone of you seen benchmarks of WireGuard on a 1D board? I've only found benchmarks of the gen 2 boards with AES enabled, but my board doesn't have that.

I wish you all nice holidays, see ya.



Rollback and update on Cisco Catalyst 2960

Hi everybody, I have a Catalyst 2960 in my environment. I did the firmware upgrade through the web interface but I put the wrong firmware version on it, and right now I can't connect to the switch through the web interface; it works only by telnet. Does anybody have any idea about the best way to roll back the upgrade, or even upgrade with the right version of the software on it?

By the way, the model is:

Switch Ports Model              SW Version    SW Image
------ ----- -----              ----------    ----------
*    1 50    WS-C2960-48TC-S    12.2(50)SE5   C2960-LANLITEK9-M



Does this network design make sense?

I recently did an infrastructure build for a small company that wanted to break off their parent company’s network.

It goes 1Gig fiber modem, CAT6 uplink to sonicwall firewall, and then here’s where my question lies:

The consultant chose to use two Cisco SG small business smart switches. There are 24 active CAT5e ports. 12 of these ports go to switch one, 12 of them go to switch two, "for redundancy".

The switches are uplinked together and one of them obviously gets the feed from the firewall.

Why would he do this? Doesn’t it make more sense to use one switch as an access switch and another as a distribution switch?

Am I poisoned by Cisco enterprise studies?



NLA ports?

So big boss wanted all ports blocked to our “jumpboxes” except 3389 and ssh. No worries.

Get call at 5am, gee nobody can login! I allow SMB standard ports but keep getting NLA errors.

Anyone know what ports to allow for NLA to work correctly. It’s 6am and I haven’t had coffee yet and haven’t found much when searching.

I did an allow all until I can get coffee, pants, and big monitors :D

(This was wide open until yesterday. Asked to move jumps to a new zone and secure by only allowing 2 ports. So I did. Rather anticipated this issue, but NLA!)
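NLA (CredSSP) makes the RDP host validate the user against a domain controller before the session is created, so the firewall rules that matter are from the jump box out to the DCs, not the two inbound ports. As an added example, not something from the post, a small probe that checks the standard Active Directory port set from the jump host. The port list is the usual AD set and should be checked against your own DC configuration; the RPC dynamic range (49152-65535 by default) is not included because it cannot be tested as a single port, and Kerberos and DNS also use UDP, which a TCP probe does not exercise. The DC hostname in the usage line is an assumption.

```python
import socket
from typing import Dict, Iterable, Tuple

# Ports a domain-joined RDP host needs to reach on its domain controllers so that
# CredSSP/NLA can validate the user before the session starts.  Standard AD set;
# verify against your DC configuration.  RPC dynamic ports are not listed.
AD_PORTS: Dict[int, str] = {
    53: "DNS (TCP fallback; UDP too)",
    88: "Kerberos (TCP; UDP too)",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB / Netlogon",
    464: "Kerberos password change",
    636: "LDAPS",
    3268: "Global Catalog",
}


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, bool]:
    """Probe each port once; returns {port: reachable}."""
    return {p: tcp_open(host, p, timeout) for p in ports}


def blocked(results: Dict[int, bool]) -> Tuple[int, ...]:
    """Ports from results that did not answer, in ascending order."""
    return tuple(sorted(p for p, ok in results.items() if not ok))


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.internal"  # hostname assumed
    res = probe(dc, AD_PORTS)
    for port, ok in sorted(res.items()):
        print(f"{port:>5} {AD_PORTS[port]:<30} {'open' if ok else 'BLOCKED'}")
    print("blocked:", blocked(res) or "none")
```

Run it from the jump box against each DC it might authenticate to, not only the nearest one; a "BLOCKED" line for 88 or 445 is the usual cause of the NLA error on an otherwise reachable host.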



VPN Users and load balancing!

We have active active datacenters with LB web apps across the two. The DC's are in the UK and the office users are LB across to two using F5 GTMs.

The problem I now have is how do I ensure that my VPN users (Active/Active) get the local version of application?

All the clients (Office or VPN) use AD for DNS. Been racking my brains on this one for a while.



Is hosting DMZ VLANs on physically separated switches is no longer a good practice?

Hey guys, I was recently designing a network and I always suggested having DMZ VLANs hosted on separate switches, with only L3 termination on an internet-facing firewall. I thought it was important not to let DMZ VLANs span into the inside switching fabric. The risks I see are:

  1. VLAN-hopping attacks
  2. human errors (somebody connecting a host with a trunk to DMZ and INSIDE VLANs at the same time).

Until I tried to sell it to my customer and failed. He thinks DMZ, inside and any other VLANs are OK to span into the entire switching fabric, including DMZ, core and access switches. Based on this, I'm wondering about two things:

  1. Is it really risk free to span DMZ VLANs everywhere and am I imagining the risks?
  2. Is there any network design guides which outline how exactly DMZs and Internet-borders need to be built to be secure?
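The two risks listed above are both about what a trunk port will carry, so whether a shared fabric is acceptable comes down to whether trunks are pinned down. As an added example (not from the post, Cisco IOS syntax assumed since the switch vendor is not stated), an access port left at its default beside the hardened form, and a trunk toward the inside fabric that simply does not carry the DMZ VLAN. Interface names and VLAN numbers are illustrative.

```text
! Weak: DTP left enabled, so a host that speaks DTP can negotiate itself a trunk
! and then tag frames for any VLAN the switch carries.
interface GigabitEthernet1/0/10
 switchport mode dynamic auto

! Hardened access port: fixed VLAN, no DTP, no BPDUs accepted from the host.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 64
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable

! Hardened inter-switch trunk: explicit allowed list that leaves out the DMZ
! VLAN (90 here), an unused native VLAN, and the native VLAN tagged so a
! double-tagged frame has no untagged native VLAN to ride.
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,64
!
vlan dot1q tag native
```

With this in place the DMZ VLAN exists only on the switch ports and trunks that actually need it, which is the property the separate-switch design bought; the remaining argument for physical separation is the second risk, a mis-patched host or an operator adding the DMZ VLAN to the wrong allowed list, which configuration hygiene reduces but does not eliminate. Checking `show interfaces trunk` and `show dtp interface` periodically (or from a config-compliance job) catches drift.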



Squid: Local Traffic is Going Through the Proxy

Hi All,

I'm looking for some help please, I'm obviously missing something so obvious so would appreciate a fresh pair of eyes!

I've got a few servers in Azure that are using Squid for Windows (a proxy is baked into the code!) to allow whitelisting...

Some calls from these servers are for http://servername/service/service.wsc for example - the calls are for the hostname, not FQDN. However, Squid is proxying these...it feels like I have endlessly Googled and haven't found a solution...the most basic of setups is that I have the local DNS server in the squid.conf file...when I click http://servername.domain.com/service/service.wsc it works fine...I'm going mad!!!!!!!

Thanks for your time :-)
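Squid does its own name resolution with the resolvers in squid.conf, and a dotless name such as "servername" is not qualified with the site domain unless Squid is told to do so, which is why the FQDN works and the short name does not. As an added example, not the poster's squid.conf, the directives involved; the resolver address and the domain are assumptions.

```text
# Resolver Squid itself uses (address assumed)
dns_nameservers 10.0.0.10

# Append the site domain to hostnames that contain no dots before looking them
# up, so http://servername/ is resolved as servername.domain.com (domain assumed)
append_domain .domain.com

# Whitelist by destination domain; both forms are listed so a request matches
# whether the application sends the short name or the FQDN
acl allowed_sites dstdomain .domain.com servername
http_access allow allowed_sites
http_access deny all
```

After editing, `squid -k parse` checks the file and `squid -k reconfigure` applies it; a request for the short name should then appear in access.log with the same result as the FQDN.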



Punchdown Keystone modules vs Coupler Keystone modules?

I need to consolidate several 24-port 1U patch panels in high-density 48-port patch panels (our server rack is too small)

I saw this 1U 48-port voice patch panel going cheap:
https://www.thatcable.com/brackets-stands-racks/19-racks-accessories/austin-taylor-48-port-voice-patch-panel-over-cat5-cat6-1u-19-high-density

However, then I saw fs.com also has new empty 48-port patch panel:

https://www.fs.com/products/68554.html

Then you can get their coupler keystone modules - you just plug in RJ45 cables in each end:
https://www.fs.com/products/41486.html

What are the pros/cons of this, versus your normal keystone module that you punch down?



LAN routing design assistance

I’m blowing my brain up trying to figure out both a VLAN set up and LAN routing design for a new SIP service coming via a new 2nd ISP.

The equipment I manage is shared by two businesses and there are two VoIP telephone systems that I want to move to SIP.

The voice VLANs work aces and have done so for some time. All VLANs are routed via a HP switch (switch1). One VoIP telephone system is connected to another HP switch (switch2) and voice traffic for it (VLAN 17) is tagged through switch2.

The second VoIP telephone system is connected to a third HP switch (switch3) and it tags the traffic as VLAN 130.

I’ve recently signed up for a second ISP (for redundancy) with SIP connected via a Ubiquiti EdgeRouter which is connected to the third HP switch (switch3).

All of the switches are interconnected via fibre and are located in separate buildings.

The SIP service has an external IP address and I can ping it via the new service. I'm able to identify each SIP service with its own username and password.

My fundamental question is how do I design the internal routing so that SIP calls are routed to the telephone system/s and the EdgeRouter correctly? Do I assign an IP address from each voice VLAN on an interface on the EdgeRouter or does that occur at switch3?

Thanks!!



What is the cleanest way to deal with QSFP+ 10g breakout cables?

I'm curious if anyone has a good system for installing these guys while keeping the cabling clean and making efficient use of rack space. It just seems so... inelegant to leave them dangling, and impractical if you have more than a couple of these guys.



Best CCNA Course Training Institute in Indore


Sunday, December 23, 2018

Can packets be compressed?

Can packets be compressed before being sent over the internet to reduce the amount of data used? Is this being done already? What are some limitations if this were to be done?
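The two limitations that matter most can be measured rather than argued: payloads that are already compressed or encrypted (TLS, images, video) do not shrink and usually grow by the compressor's framing, and compressing each packet on its own, as a link-layer scheme must when packets can be lost or reordered, throws away the shared history that makes stream compression effective. As an added example, not from the post, a comparison using zlib on constructed inputs: repeated HTTP request text against pseudo-random bytes standing in for ciphertext.

```python
import random
import zlib
from typing import List


def compress_ratio(payload: bytes, level: int = 6) -> float:
    """Compressed size divided by original size (lower is better; > 1 means growth)."""
    return len(zlib.compress(payload, level)) / len(payload)


def packetize(payload: bytes, mtu_payload: int = 1400) -> List[bytes]:
    """Split a stream into per-packet chunks, the way a link sees it."""
    return [payload[i:i + mtu_payload] for i in range(0, len(payload), mtu_payload)]


def per_packet_compressed_size(payload: bytes, mtu_payload: int = 1400) -> int:
    """Bytes on the wire if every packet is compressed on its own (no shared history)."""
    return sum(len(zlib.compress(chunk)) for chunk in packetize(payload, mtu_payload))


def stream_compressed_size(payload: bytes) -> int:
    """Bytes on the wire if the whole stream is compressed once with shared history."""
    return len(zlib.compress(payload))


# Constructed inputs: repetitive text such as logs or HTML, and bytes that look
# like TLS ciphertext or an already-compressed image (seeded so runs repeat).
TEXT = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n" * 200
_rng = random.Random(1)
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(len(TEXT)))


if __name__ == "__main__":
    print(f"text        ratio {compress_ratio(TEXT):.3f}")
    print(f"ciphertext  ratio {compress_ratio(CIPHERTEXT_LIKE):.3f}")
    print("text per-packet:", per_packet_compressed_size(TEXT),
          "bytes; as one stream:", stream_compressed_size(TEXT), "bytes")
```

The same effect is why compression belongs at the application layer (HTTP content encoding, compressed file formats) rather than below TLS: once the payload is encrypted the link has nothing left to compress, and compressing secrets together with attacker-controlled data before encryption is the CRIME/BREACH class of problem.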



Enhance Firewall monitoring?

For the past few days I've been trying to come up with ideas to enhance our firewall monitoring services but unfortunately nothing that interesting came out of it. I've been thinking about monitoring VPNs (traffic, connections, user activity and such) because that would make it look more interesting, maybe more complete, but I didn't get into much details about it (yet).

After reading about (and understanding) the difference between SIEM and SOAR, I decided to look for some tools that would assist us in monitoring our firewall (currently we use SonicWall) by parsing our log files and separating what is deemed to be more important. Right now we can monitor many things at the hardware level (CPU, RAM, number of connections, bandwidth, etc.) and recently we were able to use SNMP traps to track some security events such as port scans and Christmas Tree scans (which is quite relevant for this time of the year), and even use Graylog to parse some of our log files to inform of incidents that occurred and couldn't be obtained by using, for example, SNMP, but it still feels like it is not good enough.

Aside from the VPN, which is still at the beginning, recently we've been working on trying to find a way to monitor the ACLs of our firewalls, since our clients have access to their own firewall (one in each company) and they can change the rules as they wish without informing us, which is not good. Whenever a change occurs we are not notified of it, so it requires us to look at each rule (especially the ones about SSH, HTTPS and SNMP) to determine if everything is OK or not.

So aside from what I mentioned my question is: how could we enhance our Firewall monitoring services? Is there anything in specific that you monitor at your company that you deem to be important?

We haven't had any complaints about our services but I look at it and still have this feeling something is missing that would actually make our service much better.



Local Internet breakout for SaaS (+++) only

Hi there

We can get really cheap high quality internet circuits locally on the west coast of Norway with the best peerings for low latency cloud access. Instead we transport our data to our main DC somewhere else through our expensive managed WAN and security boxes, doubling to quadrupling latency to, say, O365...

Wouldn't it be better to put one of those software defined-X appliances locally at this location and allow outbound access to certain SaaS, PaaS and even IaaS services locally while tunneling Reddit-traffic back to main DC? Had a look at Viptela with Cloud OnRamp, but it seems its not straightforward if your WAN isn't already on the "fabric".

Anyone have any experience with this kind of scenario? Better off with some other approach such as filtering BGP routes or doing routing based on app-ID on a PaloAlto?

Regards



CBTNuggets down?

I may be in the wrong sub, but is anyone else having issues accessing CBTNuggets at the moment? The times I can get into the site, it says my subscription is inactive. It definitely is not lol



What should an application designer plan for in terms of performance for an average datacenter network in 2018?

We are currently conceiving of a data processing system which would analyze large amounts of data (terabytes to petabytes at rest) whereby the storage and compute are separated. We would attempt to be smart about bringing the minimum amount of data over the wire, but network performance will still be a major factor. In AWS today, network performance is excellent and it is possible to move 40GBit/sec from S3 to an EC2 instance with high concurrency. There are now 100Gbit/sec instances and conceivably those could be saturated with data coming from S3.

I know there are lots of upgrades and 100GBit/sec top of rack is becoming common, but I'm out of touch with modern datacenters. What kind of performance could we nominally expect in the average enterprise datacenter today?



Is there a unified wiki for network related information?

Cisco's Docwiki is EOL in a month, and I'm not familiar with any networking wiki where our massive community can actually share information.



Looking to intercept and redirect communications from a WiFi power strip

Pretty much what it says on the tin. I recently purchased a WiFi enabled power strip with individual relays controlling each outlet. Right now I can operate it using the Android app the company provides, and it integrates with Alexa/Google home.

What I'd like to do is capture the traffic moving in and out of the strip so I can create some custom ifttt endpoints and allow myself slightly more control over the device.

Anyone willing to help point me in the right direction? I was thinking about Wireshark to capture traffic, triggering each possible command to try and intercept the API used by the strip, then blocking it from phoning home to China and writing my own interface. Does this sound like the right idea or am I actually making it more complicated than I need to?



How to handle link flapping with routing protocols?

So say you have a crappy link where every 10 min you lose IP reachability to your peer for ~6 seconds.

If you run OSPF / EIGRP it's going to flap back and forth all day long. BGP has dampening, but is there any way to basically set a 'backoff' timer for other routing protocols?

e.g. it must maintain its neighbor adjacency for ~5 min before you consider putting traffic back on it?

SD-WAN helps here in WAN scenarios, but I'm just wondering how others take on this challenge.
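The "backoff" the post asks for is exactly what exponential-decay dampening provides, and Cisco IOS applies the same model to interfaces (IP Event Dampening, the `dampening` command under the interface), which holds the interface's routes out of any IGP running on it. What the thresholds do for a once-every-10-minutes flap is easier to see in a simulation than in the documentation, so here is an added example, not from the post, of the BGP-style penalty model: each down event adds a penalty, the penalty halves every half-life, the path is suppressed above the suppress threshold and released below the reuse threshold or after max-suppress seconds. The parameter sets and the flap schedule are assumptions chosen to match the post.

```python
from typing import Iterable, Optional


class Dampener:
    """Exponential-decay flap dampening (the RFC 2439 route-flap model).

    Every down event adds flap_penalty; the penalty halves every half_life
    seconds; the path is suppressed once penalty >= suppress and released
    once it decays below reuse or max_suppress seconds have passed.
    """

    def __init__(self, half_life: float, reuse: float, suppress: float,
                 max_suppress: float, flap_penalty: float = 1000.0) -> None:
        self.half_life = half_life
        self.reuse = reuse
        self.suppress = suppress
        self.max_suppress = max_suppress
        self.flap_penalty = flap_penalty
        # Ceiling keeps a pathological link from being suppressed forever.
        self.max_penalty = reuse * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed_since: Optional[float] = None

    def _decay(self, now: float) -> None:
        self.penalty *= 0.5 ** ((now - self.last_update) / self.half_life)
        self.last_update = now

    def flap(self, now: float) -> None:
        """Record a down event at time now (seconds)."""
        self._decay(now)
        self.penalty = min(self.penalty + self.flap_penalty, self.max_penalty)
        if self.penalty >= self.suppress and self.suppressed_since is None:
            self.suppressed_since = now

    def usable(self, now: float) -> bool:
        """True if traffic may be put back on the path at time now."""
        self._decay(now)
        if self.suppressed_since is not None and (
            self.penalty < self.reuse or now - self.suppressed_since >= self.max_suppress
        ):
            self.suppressed_since = None
        return self.suppressed_since is None


def seconds_suppressed(d: Dampener, flap_times: Iterable[int], horizon: int) -> int:
    """Walk time in 1 s steps, apply the down events, count seconds the path is held out."""
    flaps = set(flap_times)
    held = 0
    for t in range(horizon):
        if t in flaps:
            d.flap(t)
        if not d.usable(t):
            held += 1
    return held


if __name__ == "__main__":
    # The poster's link: one outage every 10 minutes, watched for half an hour.
    flaps = [0, 600, 1200]
    # Short half-life in the spirit of interface dampening defaults: the penalty
    # is gone long before the next flap, so the path is never suppressed.
    print("short half-life:", seconds_suppressed(Dampener(5, 1000, 2000, 20), flaps, 1800))
    # 300 s half-life with the per-flap penalty equal to the suppress threshold:
    # each flap holds the path out for about five minutes, longer as penalty
    # accumulates across repeated flaps.
    print("5-minute hold:", seconds_suppressed(Dampener(300, 1000, 2000, 1200, 2000), flaps, 1800))
```

The second parameter set is the post's "must stay up ~5 min before traffic goes back on it" expressed in dampening terms; note that the hold grows on every repeat because the residual penalty adds up, which is the intended behaviour for a link that flaps on a schedule. Separately, whether the IGP even notices a 6-second loss depends on whether the interface itself goes down or only reachability does: with OSPF's default 40-second dead interval a 6-second hole in keepalives alone would not drop the adjacency, so BFD or aggressive hello timers on that link are what turn the outage into the flap in the first place.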



Build or buy 2 piece mesh?

Hi folks. My home network base is located on one side of my house, connected to my PC, a TV and a few consoles. On the other side of my house is another TV, and for most 1080p+ content via Plex, the coverage is spotty and playback suffers.

Currently I have an Asus RT-68U router. It’s a decent router, a few years old, but quick up close, it just has a bit of difficulty reaching the furthest parts of the house, which unfortunately is where the other TV is.

Should I:

  • Scrap the RT-68U and pick up a Netgear Orbi AC3000 mesh system with 1 base and 1 node. This seems to be a more plug and play option and it may save me some real headaches.

  • Buy an Asus RT-AX88u router and use Asus’s “AiMesh” technology with the old RT-68u to build a similar 2 piece mesh. This option gives WiFi 6/ax support, and it would be easier to add a 3rd router down the road if I have problems in the basement I intend to eventually finish in the future.

These are similarly priced where I live and the cost difference isn’t a factor. I just want the best performance all of the time.

Any input? Does anyone have any experience with Asus AiMesh?



Client-side Networking Primer?

Hello,

I'm trying to learn more about how networking works from the perspective of a host. I've got a CCNA in routing and switching, so I have a good understanding of networking from a switch/router perspective but I want to know more about how a packet is handled once it hits the NIC of a single host (not a switch or router).

I've seen the term "sockets" or "raw sockets" thrown around, but I'm fuzzy on how a running process within a host interfaces with the NIC of that machine and constructs packets to be transmitted on the wire. How does a service/protocol "open a port" and listen on that port? Is there an OS-level process that runs on Windows that handles interfacing between services that want to communicate on a network and the network itself? Is the Linux solution different?

Any sources for reading would be much appreciated! Google didn't have much on this specific topic, though maybe I wasn't searching for the right thing
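Both this post and the earlier "Where do ports exist on your computer?" ask the same thing from two sides, so here is one added example (not from either post) that answers it concretely on Linux. A port is a 16-bit number the kernel uses as a key into its per-protocol socket tables; a socket is a kernel object the process holds through a file descriptor; and a TCP connection is the 4-tuple (local address, local port, remote address, remote port). The script binds a listening socket on a kernel-chosen port, looks itself up in /proc/net/tcp (the table `ss -ltn` and `netstat` read), then connects to itself and shows both ends of the resulting 4-tuple. The /proc path and the IPv4-only parsing are assumptions; on a system without /proc/net/tcp the lookup is skipped and the rest still runs.

```python
import os
import socket
import sys
from typing import Dict, List, Optional, Tuple

# Linux /proc/net/tcp state codes (from the kernel's tcp_states.h).
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

Endpoint = Tuple[str, int]


def _decode_endpoint(field: str) -> Endpoint:
    """'0100007F:1F90' -> ('127.0.0.1', 8080); the address is printed in host byte order."""
    ip_hex, port_hex = field.split(":")
    raw = bytes.fromhex(ip_hex)
    if sys.byteorder == "little":
        raw = raw[::-1]
    return socket.inet_ntoa(raw), int(port_hex, 16)


def tcp_table(path: str = "/proc/net/tcp") -> Optional[List[Dict]]:
    """Parse the kernel's IPv4 TCP socket table; None where /proc is unavailable."""
    if not os.path.exists(path):
        return None
    rows = []
    with open(path) as fh:
        next(fh)                                   # column header line
        for line in fh:
            f = line.split()
            rows.append({"local": _decode_endpoint(f[1]), "remote": _decode_endpoint(f[2]),
                         "state": TCP_STATES.get(f[3], f[3]), "inode": int(f[9])})
    return rows


def demo() -> Dict:
    """Open a listening port, connect to it, and report where the kernel records both ends."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                     # port 0: the kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    # The socket's inode: the same number /proc/<pid>/fd/N -> socket:[inode] shows,
    # and the join key into /proc/net/tcp.
    inode = os.fstat(srv.fileno()).st_ino
    out = {"port": port, "listen_fd": srv.fileno(), "listen_inode": inode, "listen_entry": None}

    table = tcp_table()
    if table is not None:
        out["listen_entry"] = next((r for r in table if r["inode"] == inode), None)

    cli = socket.create_connection(("127.0.0.1", port))
    conn, _ = srv.accept()
    # A connection is the 4-tuple (local ip, local port, remote ip, remote port):
    # the client was given an ephemeral port, the server side reuses the listening port.
    out["client_4tuple"] = (cli.getsockname(), cli.getpeername())
    out["server_4tuple"] = (conn.getsockname(), conn.getpeername())
    cli.sendall(b"hello")
    out["echo"] = conn.recv(5)
    for s in (cli, conn, srv):
        s.close()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>14}: {value}")
```

So the answer to "where is a port": nowhere on the NIC, which only sees frames; it lives in the kernel's socket table, which is what `listen()` adds an entry to and what the kernel consults to decide which socket, and therefore which process, receives an arriving segment. Windows keeps the equivalent table in its TCP/IP driver (tcpip.sys), which is what `netstat -ano` and `Get-NetTCPConnection` display, and a raw socket is the same file-descriptor interface with the kernel handing over whole packets instead of a stream.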



20 And CCIE ?

Hey guys, I am currently 19 and preparing hard for CCIE; I might try for CCIE next year. Is this any good for my career? I mean of course it's good, but how good is my question. I've been with computers since I was just a kid, and when I hit 15 I became serious about cybersecurity and set it as my career goal, so let me know your suggestions or anything you want to say or share.

About me :-

preparing for CCIE security

Already know a lot of topics in networking

have some deep knowledge in security field

Python

love for Technology



Dynamic path decisions for multihomed WAN interconnect

Due to my lack of multihoming experience I'd like to ask for any advice/experiences. I have two sites and I would like to interconnect them with a site-to-site VPN. The VPN endpoints on both sites would be connected to two ISPs. Now I would like to dynamically send packets to the ISP which momentarily performs better (latency, jitter etc.). Are there any signaling protocols or other technologies which are designed for two endpoints (which communicate over a network which is out of our control) to communicate information about actual path behavior?



Subnetting an IPv6 /48 across multiple VLANs?

(x-post from pfsense as it's more general networking)

My ISP doesn't provide dual-stack IPv6.

Hence, I created a Hurricane Tunnelbroker IPv6 tunnel, and added it to my pfSense router (Netgate SG-3100) using this guide:

http://thirdinternet.com/wp-content/uploads/2017/11/Configure-6in4-Tunnel-in-pfSense.pdf

Most things work, I got the dancing Kame turtle etc. Only issue was some sites had higher latency - but I think this is due to the way HE routes traffic from me here in Australia, to the US etc.

I then found out that our ISP can provide an IPv6 tunnel (which I suspect goes over Hurricane anyhow), however, they only provide a single routed /64 - not a /48.

According to this answer on ServerFault, subnetting an IPv6 /64 is not recommended, and will break many things.

Currently, I have pfSense configured with IPv6 RA using the /64 from Hurricane - I've been told I should be using the /48 instead - which I will change it to.

However, how do I take the /48 from HE (2600:70ff:c097::/48), and allocate part of it to each VLAN in pfSense?

https://i.imgur.com/Pph5krs.png

https://i.imgur.com/ZeCwICR.png

Any other advice on the proper way to do this?
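A /48 is 65,536 /64s, and the usual practice is to give each VLAN one whole /64 (SLAAC and most RA-based autoconfiguration assume a 64-bit interface identifier, which is why splitting a /64 breaks things). The only design decision is which /64 each VLAN gets. As an added example, not from the post, a small allocator that uses the VLAN number written as if it were hex for the fourth hextet, so VLAN 10 becomes 2600:70ff:c097:10::/64 and VLAN 130 becomes 2600:70ff:c097:130::/64, which is easy to read in logs and firewall rules. The /48 is the one from the post; the VLAN ids and the ::1 gateway convention are assumptions.

```python
import ipaddress
from typing import Dict, Iterable


def vlan_prefix(site: str, vlan_id: int) -> ipaddress.IPv6Network:
    """Return the /64 for vlan_id inside the site /48.

    The fourth hextet is the VLAN number written as hex digits, so VLAN 10
    gets ...:0010::/64 and VLAN 130 gets ...:0130::/64.  That is a readability
    choice, not a requirement; any injective mapping into 0..65535 works.
    """
    net = ipaddress.ip_network(site, strict=True)
    if net.version != 6 or net.prefixlen != 48:
        raise ValueError(f"expected an IPv6 /48, got {net}")
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN id out of range: {vlan_id}")
    hextet = int(str(vlan_id), 16)            # 0x0010 for VLAN 10; 0x4094 at most, fits 16 bits
    base = int(net.network_address) + (hextet << 64)
    return ipaddress.ip_network((base, 64))


def plan(site: str, vlans: Iterable[int]) -> Dict[int, ipaddress.IPv6Network]:
    """Map each VLAN to its /64 and reject accidental overlaps."""
    out: Dict[int, ipaddress.IPv6Network] = {}
    for v in vlans:
        p = vlan_prefix(site, v)
        if any(p.overlaps(q) for q in out.values()):
            raise ValueError(f"{p} for VLAN {v} overlaps an existing allocation")
        out[v] = p
    return out


def router_address(prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Interface:
    """Conventional ::1 on each VLAN for the pfSense interface, with its prefix length."""
    return ipaddress.IPv6Interface((int(prefix.network_address) + 1, 64))


if __name__ == "__main__":
    # The /48 from the post; the VLAN ids are assumed for illustration.
    for vlan, pfx in plan("2600:70ff:c097::/48", [10, 20, 130, 500]).items():
        print(f"VLAN {vlan:>4}: {pfx}  gateway {router_address(pfx)}")
```

In pfSense each VLAN interface then gets its router address as a static IPv6 address with prefix length 64, and the RA service is enabled per interface; the tunnel interface keeps the /64 HE assigned to the tunnel itself, since that one is only the point-to-point link to HE, not something to hand out to clients.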



Understanding TCP, UDP and videoconferencing protocols

I am an AV and VTC technician and am trying to get a better handle on networking as it pertains to my role. I was hoping some of you on here could help me with a few questions I’ve found specific answers on elusive. Sorry if this is noob stuff.

1.) I understand the difference between UDP and TCP. I have all of my videoconference endpoints and live-streaming devices and servers set for UDP to minimize packet loss, but would it be better to have the Video on Demand transmitted over TCP since it isn't real-time? I'd assume yes but I just wanted to see if there was something I was missing.

2.) RTP, RTCP, RTSP, H.323, SIP...could anyone possibly give me the practical application where each of these protocols might be appropriate for VTC and AV in as lay terms as you can?

3.) For having multicast streams accessible to remote users on various branch offices. Would it be considered a best practice to have a designated edge server at each of those locations?

I’m really just trying to get a better foundation so I can communicate confidently with the networking engineers in my organization. Thanks so much for the help.