Saturday, January 5, 2019

dhcp-snooping nuisance - unauthorized server 0.0.0.0

Hi

I am battling a nuisance on an HP core switch with dhcp snooping syslog messages indicating an unauthorized server 0.0.0.0

00854 dhcp-snoop: backplane: Unauthorized server 0.0.0.0 detected on port ...

I believe it's linked to a Windows 7 client problem described here: https://community.extremenetworks.com/extremeswitching-exos-223284/dhcp-snooping-false-positives-5899530 - basically a client is sending an offer packet rather than an acknowledgement/request.

There is no impact on the network as far as I can tell as no issues with IP assignment were reported.

Still it is my task to get it ironed out.

Now the complication is that the only information in the syslog is what port these packets are coming in on - and these are trunks to distribution switches which have no dhcp snooping enabled, so the trail stops there.

If that was on an access switch - the port information would allow me to identify the machines or some such. Sadly, as it is, it seems I need a "creative" solution to be able to track down the machines which are doing this, so I can get IT to slap on a hotfix or some such. Hoping I'll find it here :-)

Cheers
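One way to get the source MAC the syslog does not give you is to mirror the trunk the messages arrive on and look for DHCP server-type messages (OFFER/ACK/NAK) whose source is not a real DHCP server. The following is an added example, not code from the original post: a pure-Python decoder of Ethernet/IPv4/UDP/BOOTP that runs on constructed frames here; in practice you would feed it frames from a SPAN session or a pcap. The trusted server address and the sample MAC addresses are assumptions. The MAC it reports is what you then look up in the distribution switch's MAC address table to find the access port.

```python
"""Flag DHCP server-type messages sent by hosts that are not DHCP servers.

Added example, not from the original post.  Parses Ethernet/IPv4/UDP/BOOTP
without any third-party library so it runs offline on the constructed
frames below; checksums are not verified.
"""
import struct
from typing import Dict, Iterable, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_dhcp_frame(frame: bytes) -> Optional[dict]:
    """Return src_mac/src_ip/msg_type/server_id for a DHCP frame, else None."""
    if len(frame) < 14:
        return None
    _dst, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:                  # IPv4 only
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[9] != 17:          # protocol 17 = UDP
        return None
    ihl = (ip[0] & 0x0F) * 4
    udp = ip[ihl:]
    if len(udp) < 8:
        return None
    sport, dport = struct.unpack("!HH", udp[:4])
    if {sport, dport} != {67, 68}:           # bootps/bootpc in either direction
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    msg_type = server_id = None
    opts, i = bootp[240:], 0
    while i < len(opts):
        code = opts[i]
        if code == 255:                      # end option
            break
        if code == 0:                        # pad
            i += 1
            continue
        length = opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == 53 and length == 1:       # DHCP message type
            msg_type = value[0]
        elif code == 54 and length == 4:     # server identifier
            server_id = _ip_str(value)
        i += 2 + length
    return {
        "src_mac": src_mac.hex(":"),
        "src_ip": _ip_str(ip[12:16]),
        "msg_type": DHCP_MSG_TYPES.get(msg_type, msg_type),
        "server_id": server_id,
    }


def rogue_offer_sources(frames: Iterable[bytes], trusted_servers: Iterable[str]) -> Dict[str, int]:
    """Count OFFER/ACK/NAK messages per source MAC not sent from a trusted server IP."""
    trusted = set(trusted_servers)
    hits: Dict[str, int] = {}
    for frame in frames:
        d = parse_dhcp_frame(frame)
        if d and d["msg_type"] in ("OFFER", "ACK", "NAK") and d["src_ip"] not in trusted:
            hits[d["src_mac"]] = hits.get(d["src_mac"], 0) + 1
    return hits


def build_dhcp_frame(src_mac: str, src_ip: str, sport: int, dport: int,
                     msg_type: int, server_id: Optional[str] = None) -> bytes:
    """Constructed test frame (no checksums; the parser does not check them)."""
    options = bytes([53, 1, msg_type])
    if server_id is not None:
        options += bytes([54, 4]) + bytes(int(x) for x in server_id.split("."))
    options += b"\xff"
    op = 2 if msg_type in (2, 5, 6) else 1   # BOOTREPLY for server-type messages
    bootp = bytes([op, 1, 6, 0]) + b"\x00" * 232 + DHCP_MAGIC + options
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(x) for x in src_ip.split(".")), b"\xff\xff\xff\xff") + udp
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip


# Constructed sample traffic (assumed addresses): a real server's OFFER, a client's
# DISCOVER, and a client that emits OFFERs from 0.0.0.0 like the bug the post links to.
SAMPLE_FRAMES = [
    build_dhcp_frame("00:11:22:33:44:55", "10.0.0.1", 67, 68, 2, "10.0.0.1"),
    build_dhcp_frame("aa:bb:cc:dd:ee:01", "0.0.0.0", 68, 67, 1),
    build_dhcp_frame("aa:bb:cc:dd:ee:01", "0.0.0.0", 68, 67, 2, "0.0.0.0"),
    build_dhcp_frame("aa:bb:cc:dd:ee:01", "0.0.0.0", 68, 67, 2, "0.0.0.0"),
]

if __name__ == "__main__":
    for mac, n in rogue_offer_sources(SAMPLE_FRAMES, ["10.0.0.1"]).items():
        print(f"{mac}: {n} server-type DHCP message(s) from an untrusted source")
```

Because the offending host has no lease yet, its source IP is 0.0.0.0, which is why the switch reports "Unauthorized server 0.0.0.0": the MAC, not the IP, is the useful identifier here.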



Is ROAS/Hairpinning really a 50% performance cut?

I'll cut straight to it. We have a firewall in our environment that I call the "Spiderwall." I call it this because it has 8 physical interfaces on the box that each represent different subnets (internal, external, dmz, vpn, etc.)

I was told at one point, each of those physical connections went to different dedicated switches. But over time, those switches were retired and replaced with a single switch stack that (properly, imo) separates the different subnets via VLAN. So in other words, it all collapsed down and went VLAN (the way it should, again, imo.)

So the Spiderwall sits above this stack in the rack, and connects to the stack 8 different times on 8 different cables, each of those cables going to a different VLAN.

Physically, it looks a little absurd.

I have been arguing that we need to replace those 8 cables with a pair of connections between the firewall and the stack, LAG them up, and configure it as a trunk. The Firewall then configures the LAG interface with sub interfaces, one for each subnet.

At that point the spider is no more, and the firewall basically would be a Router on a Stick (ROAS). This will clean everything up imo. No more 8 separate legs all connecting to the same switch.

The firewall guy absolutely refuses to do this. He says that "Hairpinning" traffic like that will reduce the performance of the firewall by 50% for every vlan we add to the trunk. I reminded him that our monitoring tool shows we never have high utilization on any of the connections, but he kept insisting that "you are doubling the traffic on the line every time it has to go in and come back out the same physical port." He also said the "best practice" is to always use a different physical port.

What he is saying can't really be true right?



Custom router (VyOS or pfsense) - offloading?

Hi there, I’m currently running an ERX router and am thinking about setting up a custom router (would be a VM on my unraid server). There’s one thing I don’t get yet. The ERX benefits from offloading, especially hwnat. But what about a custom router (VyOS or pfsense), would it also use some kind of hardware acceleration and which hardware would I have to use? If it's not using any kind of offloading I would probably need a lot more CPU power than the ERX to get the same results? Probably needless to say, I’m pretty much at the beginning of understanding all this router stuff...



EAP Type? PEAP, EAP-TLS, or EAP-TTLS?

I’m curious as to what type of “secure” EAP the following configuration would be classified as.

I used a test lab to try out some ideas I have been reading on. The lab has about 5 machines (laptops) and a single hypervisor running several Windows Server VMs.

I have configured a PKI for an Active Directory domain using an offline root CA and an online intermediate CA. All domain-joined clients automatically enroll a CSR to the intermediate CA and have it signed. Also, all domain-joined clients are configured to trust the root CA certificate. So, all domain clients have a trusted machine certificate to present to one another.

I created a test SSID on our wireless infrastructure which uses 802.1X authentication to a Windows Network Policy Server in the test lab. The NPS server has a server certificate in the domain’s PKI to present to clients to establish TLS. It also authenticates the clients based on whether their machine certificate is trusted.

I used a GPO to configure client computers to auto-join the wireless network, setting the clients to only attempt to authenticate if the authenticator (and thus, RADIUS server behind the authenticator) presents a trusted certificate (and specifically in the chain of trust of my root CA, not any CA).

So, clients attempt to authenticate with the RADIUS server, establish a TLS tunnel to the server, and are authenticated based on their certificates.

It seems to me that this would be an example of Protected EAP (PEAP) which just so happens to authenticate based on client certificates. I don’t think this is EAP-TLS exactly since I don’t see any evidence that the TLS tunnel for authentication requires the client certificate in order to be established; rather, the certificate is used after the TLS tunnel is established simply as an EAP authentication mechanism. EAP-TLS would require both sides to have trusted certificates to establish the TLS tunnel, and then would pass on an authentication mechanism, right? Also, I suppose that this could be an example of EAP-TTLS? Still a bit confused on how to tell the difference between PEAP and EAP-TTLS.

Anyway, how would you all classify this kind of configuration? And would you consider such a network secure?
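The method is not something you have to infer from the certificate behaviour: the EAP-Request the RADIUS server sends in its first Access-Challenge carries an EAP type code that names it (13 = EAP-TLS, 21 = EAP-TTLS, 25 = PEAP). The following is an added example, not code from the original post or from NPS: it parses a RADIUS packet, reassembles the EAP-Message attributes (type 79) and reports the code, method and TLS start flag. The packets are constructed here; on a real network you would feed it the Access-Challenge captured between the controller and NPS. The client identity and the exchange shown are assumptions.

```python
"""Identify the EAP method (PEAP / EAP-TLS / EAP-TTLS) from RADIUS packets.

Added example, not from the original post.  RADIUS header is 20 bytes
(code, id, length, 16-byte authenticator) followed by type/length/value
attributes; EAP-Message (79) fragments are concatenated in order (RFC 3579).
"""
import struct
from typing import Dict, Iterator, Tuple

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
ATTR_EAP_MESSAGE = 79
TLS_METHODS = (13, 21, 25)


def radius_attributes(pkt: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) for each attribute after the RADIUS header."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    i = 20
    while i + 2 <= min(length, len(pkt)):
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2:
            break                               # malformed; do not loop forever
        yield atype, pkt[i + 2:i + alen]
        i += alen


def eap_message(pkt: bytes) -> bytes:
    return b"".join(v for t, v in radius_attributes(pkt) if t == ATTR_EAP_MESSAGE)


def classify(pkt: bytes) -> Dict[str, object]:
    """Report RADIUS code, EAP code/id and, for Request/Response, the EAP method."""
    result: Dict[str, object] = {"radius": RADIUS_CODES.get(pkt[0], pkt[0])}
    eap = eap_message(pkt)
    if len(eap) < 4:
        return result
    ecode, eid, elen = struct.unpack("!BBH", eap[:4])
    result.update(eap_code=EAP_CODES.get(ecode, ecode), eap_id=eid)
    if ecode in (1, 2) and elen >= 5 and len(eap) >= 5:
        etype = eap[4]
        result["method"] = EAP_TYPES.get(etype, f"type-{etype}")
        if etype in TLS_METHODS and len(eap) >= 6:
            flags = eap[5]                      # L, M, S flags in the top bits
            result["tls_start"] = bool(flags & 0x20)
            if etype in (21, 25):               # TTLS and PEAP carry a version in the low 3 bits
                result["version"] = flags & 0x07
        elif etype == 1:
            result["identity"] = eap[5:elen].decode("utf-8", "replace")
        elif etype == 3:                        # Nak lists the methods the peer would accept
            result["nak_wants"] = [EAP_TYPES.get(b, b) for b in eap[5:elen]]
    return result


def build_eap(code: int, ident: int, etype: int, data: bytes) -> bytes:
    return struct.pack("!BBHB", code, ident, 5 + len(data), etype) + data


def build_radius(code: int, ident: int, eap: bytes, chunk: int = 253) -> bytes:
    """Constructed packet: zeroed authenticator, EAP split into 253-byte EAP-Message attributes."""
    attrs = b"".join(struct.pack("!BB", ATTR_EAP_MESSAGE, 2 + len(eap[i:i + chunk])) + eap[i:i + chunk]
                     for i in range(0, len(eap), chunk))
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs


# Constructed exchange (assumed identity): the client identifies itself, the server
# offers PEAP, the client NAKs asking for EAP-TLS, the server starts EAP-TLS.
SAMPLE_EXCHANGE = [
    build_radius(1, 1, build_eap(2, 1, 1, b"host/lab-pc01.example.test")),
    build_radius(11, 1, build_eap(1, 2, 25, bytes([0x20]))),   # PEAP start, version 0
    build_radius(1, 2, build_eap(2, 2, 3, bytes([13]))),
    build_radius(11, 2, build_eap(1, 3, 13, bytes([0x20]))),   # EAP-TLS start
]

if __name__ == "__main__":
    for pkt in SAMPLE_EXCHANGE:
        print(classify(pkt))
```

Whether the client certificate is used inside the tunnel (PEAP or EAP-TTLS with an inner method) or to establish it (EAP-TLS) is decided by this type code, so reading it from the capture is quicker than reasoning from the GPO settings.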



Disaster recovery networking / HA

Hi all,

We’re currently building out our disaster recovery (DR) facility which is offsite from my main building.

At our main site we have a Meraki MX100 Firewall connected to 2 ISPs and at the DR we have a Meraki MX84 Firewall connected to 2 ISPs. These appliances are set up in a Meraki hub and spoke model - the hub is our main facility and the spoke is the DR facility.

I’m going to be locating several mission critical servers at the DR facility. We want these offsite servers to connect to our main building’s MX100/Cisco switches for regular daily operation. We run a lot of file transfers to these servers and I don’t want to have to use the site to site VPN for file transfers between the buildings.

Also, our main building and the DR facility have dark fiber between them and we’ve already setup a 10G network between the buildings which gives us great file transfer speeds and access to our main buildings switches/network.

All of that said, if our main building goes offline for whatever reason my DR servers will not have a router or connectivity since they are fed through the dark fiber by our main building’s network.

What are the best options for allowing my main facility to go offline and for the DR facility’s gear to “take over”? Basically we want to be able to operate independently from our DR facility with no reliance on the main site should it go down.

Some thoughts I had (whether good or bad)...

  1. Dual NICs into each offsite server, 1 from our main building’s network and 1 from our DR facility’s network. I know, not a pretty solution.

  2. Set up a Meraki High Availability pair and locate a backup MX100 in our DR facility. If the main building goes down the backup Meraki will take over?

EDIT: The servers I'm placing at the DR facility are not the primary servers, they are clones of the primary servers we have at our main site.

Thanks so much



A nightmare for network engineers or a good challenge?

http://bit.ly/2AyiwZl

Any gotchas before changing Supervisor card on Cisco 4510?

Hello guys,

I am a fresh network administrator. I manage a Cisco 4510 and need to change the Supervisor card in it. It has 2 in it and 1 of them went bad; the replacement part comes in next week. I don't know if there is anything special that needs to be done before putting it in.

Could you please let me know if the replacement is simple as it is, or are there any things I should be cautious about?



Handling ephemerals

IANA's ephemeral port range seems to be more of a suggestion than a standard, so I'm curious about how folks might craft input control-plane filters on their network gear in light of that.

If it doesn't already, you can't force gear you don't control (i.e. EBGP neighbours) to behave.

So, do you make your ephemeral range as wide as possible, i.e. 1023 - 65535?

Or, assuming the following:

term SERVER {
    from {
        source-prefix-list { AP:BGP:VRF:V4; }
        destination-prefix-list { AP:PHY:GLOBAL:V4; }
        protocol tcp;
        destination-port bgp;
    }
    then { count ACCEPT:BGP-VRF:SERVER; accept; }
}
term CLIENT {
    from {
        source-prefix-list { AP:BGP:VRF:V4; }
        destination-prefix-list { AP:PHY:GLOBAL:V4; }
        protocol tcp;
        source-port bgp;
        tcp-established;
    }
    then { count ACCEPT:BGP-VRF:CLIENT; accept; }
}
term DISCARD {
    from { protocol tcp; port bgp; }
    then { count DISCARD:BGP-VRF:UNKNOWN; log; discard; }
}

What's the security implication of not filtering ephemerals at all?
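To see what the CLIENT term lets through, it helps to run sample packets through the filter rather than reason about it in the abstract. The following is an added example, not code from the original post or from Junos: a small evaluator that models first-match term semantics and the implicit discard Junos applies when no term matches, with constructed prefix lists standing in for AP:BGP:VRF:V4 and AP:PHY:GLOBAL:V4 and constructed peer/local addresses. It compares the filter as posted against two variants: one without tcp-established and one that adds an explicit ephemeral destination-port range to the CLIENT term.

```python
"""Evaluate a Junos-style control-plane filter against sample BGP packets.

Added example, not from the original post.  Prefix lists and addresses
below are constructed stand-ins; 'tcp-established' is modelled as Junos
does it (ACK or RST bit set), and a packet matching no term hits the
implicit discard at the end of every Junos filter.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BGP = 179

# Constructed stand-ins for the prefix lists named in the post.
PREFIX_LISTS = {
    "AP:BGP:VRF:V4": [ipaddress.ip_network("192.0.2.0/24")],        # eBGP peers
    "AP:PHY:GLOBAL:V4": [ipaddress.ip_network("198.51.100.0/24")],  # our interfaces
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: Set[str] = field(default_factory=set)


@dataclass
class Term:
    name: str
    action: str                                  # "accept" or "discard"
    src_list: Optional[str] = None               # source-prefix-list
    dst_list: Optional[str] = None               # destination-prefix-list
    proto: Optional[str] = None
    sport: Optional[int] = None                  # source-port
    dport: Optional[int] = None                  # destination-port
    dport_range: Optional[Tuple[int, int]] = None
    port: Optional[int] = None                   # port (matches either direction)
    tcp_established: bool = False                # ACK or RST set


def _in_list(addr: str, name: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in PREFIX_LISTS[name])


def term_matches(t: Term, p: Packet) -> bool:
    if t.src_list and not _in_list(p.src, t.src_list):
        return False
    if t.dst_list and not _in_list(p.dst, t.dst_list):
        return False
    if t.proto and p.proto != t.proto:
        return False
    if t.sport is not None and p.sport != t.sport:
        return False
    if t.dport is not None and p.dport != t.dport:
        return False
    if t.dport_range and not (t.dport_range[0] <= p.dport <= t.dport_range[1]):
        return False
    if t.port is not None and t.port not in (p.sport, p.dport):
        return False
    if t.tcp_established and not (p.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(terms: List[Term], p: Packet) -> str:
    """First matching term wins; no match is the implicit discard."""
    for t in terms:
        if term_matches(t, p):
            return f"{t.name}:{t.action}"
    return "implicit:discard"


def bgp_filter(established: bool = True,
               ephemeral: Optional[Tuple[int, int]] = None) -> List[Term]:
    """The three terms from the post, with two knobs for comparison."""
    return [
        Term("SERVER", "accept", "AP:BGP:VRF:V4", "AP:PHY:GLOBAL:V4", "tcp", dport=BGP),
        Term("CLIENT", "accept", "AP:BGP:VRF:V4", "AP:PHY:GLOBAL:V4", "tcp",
             sport=BGP, dport_range=ephemeral, tcp_established=established),
        Term("DISCARD", "discard", proto="tcp", port=BGP),
    ]


PEER, ME = "192.0.2.7", "198.51.100.1"        # constructed addresses
SAMPLES: Dict[str, Packet] = {
    "peer opens session": Packet(PEER, ME, "tcp", 51234, BGP, {"SYN"}),
    "reply to our session": Packet(PEER, ME, "tcp", BGP, 49152, {"ACK"}),
    "SYN from sport 179 to ssh": Packet(PEER, ME, "tcp", BGP, 22, {"SYN"}),
    "ACK from sport 179 to ssh": Packet(PEER, ME, "tcp", BGP, 22, {"ACK"}),
}


def compare(samples: Dict[str, Packet]) -> Dict[str, Dict[str, str]]:
    variants = {
        "as posted": bgp_filter(),
        "no tcp-established": bgp_filter(established=False),
        "ephemeral 1024-65535": bgp_filter(ephemeral=(1024, 65535)),
    }
    return {name: {v: evaluate(f, p) for v, f in variants.items()}
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdicts in compare(SAMPLES).items():
        print(f"{name:28s} " + "  ".join(f"{v}={r}" for v, r in verdicts.items()))
```

The third and fourth samples are the answer to the question: without tcp-established, anything the peer (or anyone spoofing the peer's address) sends from source port 179 is accepted to any local port, and even with it, an ACK-flagged segment from port 179 to port 22 still passes the filter as posted. Restricting the CLIENT term's destination port to the ephemeral range is what closes that, which is why the width of the range matters.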



IPv6 and cyber crime.

http://bit.ly/2CShJnL

High ping on all games

So I'm from West Bengal, India and I have a Hathway 50Mbps up and down connection. The speeds are fine but my ping to SEA servers (Singapore) is always >200ms. Once in a blue moon, I get like 70-80ms ping, then it's back to >200ms ping again. I'm kind of talking specifically about Fortnite but it still remains true for other games. I play on PS4 via ethernet from my Netgear R6120 router which is using PPPoE to connect me to the internet. I tried port forwarding using the ports for PS4 from portforward.com but I still get high ping (I forwarded them to a static IP for my PS4). Any help would be appreciated. Thank you.



Issue with Guest SSID behind a VPN

I have almost figured this out, but am running into a very annoying issue.

My goal is to have a guest SSID that is behind a VPN (I followed this guide) and a default SSID that will have a normal ISP connection.

As it is currently, I can have both the guest/ default SSID's behind the VPN, or both behind the normal ISP connection, but I am having issues separating them. I've tried tinkering with my forwarding rules, and I think this may be the culprit.

When I start the router with the configuration listed below, my default SSID will have no connection, and my guest SSID will be connected behind the VPN.

Once I stop the NORDVPN interface, my default SSID gains connection to the ISP, and the guest SSID loses network connectivity.

If I change the forwarding rules in /etc/config/firewall, to forward both lan and guest to vpnfirewall, they will both have a VPN connection, if I change them both to forward to wan they will both have an ISP connection. It is only when I try forwarding to different destinations that I encounter a problem.

If anyone is experienced with this type of thing and can give me some pointers, I would be very grateful.

/etc/config/firewall

/etc/config/network

/etc/config/dhcp



Friday, January 4, 2019

New Sublime Text 3 User... Suggestions?

Hey everyone,

I've been working as a network engineer for about a year full time now in enterprise environments and trying out various utilities and learning what I like to use the most. Today I decided to give Sublime 3 a go and purchased the license for it. Are there any suggestions out there for plugins, tools, snippets, etc that you find invaluable in your every day work?

For context, I run macOS as my primary OS (hence the need for Sublime vs Notepad++) and I'm just looking for tips and tricks if you have any!

Thanks!

Edit: Enterprise Cisco* Environments



HP 1810-24G V2 cant upgrade firmware to 2.08 or 2.10

Hello reddit Forums

When I try to upgrade my 1810-24G V2 J9803A switch to the latest firmware 2.10 I get an error. It says that the file is too large to be uploaded with http. I have noticed that firmware versions 2.08 and 2.10 are both .bin files and previous versions of the firmware are .img files. I upgraded to version 2.07, which is the last version on your site to be uploaded as a .img file, without a problem. How do I resolve this issue?

Firmware download page:

https://h10145.www1.hpe.com/downloads/SoftwareReleases.aspx?ProductNumber=J9803A&lang=en&cc=uk&prodSeriesId=3963985



Any interesting reads on IGP technologies?

Looking for information regarding IGPs and the acceptance of the different choices within the industry.

Books, research papers, podcasts and any other sources all welcome, just wanting some material to read during my time out of education.



VeloCloud Price

Folks, I was looking into the VeloCloud offerings but got confused: do they now have two tiers (Enterprise, Premium) or three tiers (Standard, Advanced and Enterprise) now? Also, where can I find the list price? Seems not available on their website. Thanks!



Why are thresholds for energy detection and preamble detection different in 802.11 standard ?

Assuming a 20 MHz band, it is -62 dBm for the data and -82 dBm for the preamble.

Source: August 2013 doc.: IEEE 802.11-13/0994r0



Splitting a Network on an older Allied Telesis x908 for Web Filtering

Good Afternoon Everyone,

I am reaching out to you all today in need of assistance with our Allied Telesis x908 (outdated, I know). We are looking to split the traffic to route internet traffic through to our Web Filter Appliance, and all other traffic to its local destination. We tried implementing a route-map using both access lists and prefix lists with no dice. We have three private networks (10, 172, 198) that we are looking to filter.

I can expand on what we tried, or answer any questions, but any assistance would be greatly appreciated!



Timeout to SAP over VPN

Hi all,

We're having a problem with transfers to an SAP system timing out. We have 5 locations, all connected to a DC via L2 WAN except one, which is over an internet VPN tunnel. The connection to SAP is from the DC over a VPN tunnel as well; all sites can send fine except the one on the public ISP circuit. My thinking is the extra overhead of 2 VPN tunnels is causing so much fragmentation when SAP is running its process that it's getting too many timeouts. Does anyone have any experience with SAP to know if it's sensitive to fragmented packets, or does the double VPN and too much overhead seem plausible?

Edit: left out info. The transfers to SAP from the impacted site DO work, they just go very slowly and we get occasional timeouts. This also occurs if we use mobile VPN to transfer to SAP as well.



Help with fault tolerant topology choices for an exceptionally budget-conscious manufacturing plant

I am rolling out a new wireless network to one of our sites, a 490,000 sq.ft. manufacturing facility. The existing network is a hot mess that the company has no interest in fixing, with no fault tolerance at all between the core and edge switches. All edge switches connect to one core via either a single pair of OM1 fiber or via copper, and several of those edge switches have other switches or even hubs downstream from them. Don't get me started, it's not getting fixed.

The existing edge switches do not have the open ports to accommodate the ~64 access points being installed. The wireless, once operational, will be for our ERP solution and therefore business critical, so a degree of fault-tolerance is required. Not getting crazy with it, but just anything other than having four switches in a daisy-chain would be an improvement, so I want to build a disparate edge network for the wireless equipment.

What I've planned for is to run four-strand armored OM3 MM 10gb fiber to each of four new IDF cabinets, and to have the switch at each of those cabinets connect via an LACP/dynamic LAG group back to a fiber aggregation switch stack, one landing in the top ag switch and one in the bottom. Those ag switches will be subsequently cross-connected to the core. This is a pretty standard Core-Aggregation-Access model.

I'm getting some resistance from my well-meaning manager (who is probably reading this) that this is overbuilt and too expensive for the site. It is a fairly small operation. He has suggested that a more cost effective solution would be to build a ring (Core 1 --> IDF1 --> IDF2 --> IDF3 --> IDF4 --> Core 2), which will provide comparable fault tolerance for a switch failure or a severed fiber. We would use EAPS/ERPS instead of STP, so convergence times are very minimal were the ring to be compromised.

I feel like my preferred design offers more scalability and better theoretical performance, but I'm having a hard time convincing him/the company to spend the extra money to buy the ag switches (a whopping $4500, wherever will a $3bn company find that money?).

Is he right? Is the cost not worth the difference in performance which I imagine will be completely unnoticed? Are there other architectures I'm not considering that would work better?

I appreciate your thoughts and feedback.

Here is a very quick-and-dirty drawing of each option I've talked of here:

https://imgur.com/a/dBaWSMA



Please help with Guest VLAN with Cisco Router and Huawei Switch.

Configuration Details:

Gateway Cisco 2800: 192.168.20.1

Core Switch Huawei S5700: 192.168.20.10 (VLAN1) and 192.168.22.10 (VLAN2 - Guest)

VLAN1 has proper connection to local network and internet.

VLAN2 can ping 192.168.20.1, 192.168.20.10 and 192.168.22.10 but for some reason can't get past the Gateway.

Tracert to 1.1.1.1 from VLAN2:

  1     4 ms     5 ms     4 ms  192.168.22.10
  2     1 ms     1 ms     1 ms  192.168.20.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

What am I missing in this Cisco router configuration?

Cisco Router Config

Thanks!



Experiences with FPGA based NICs and Server Compatibility?

I've been tasked with trying to find programmable FPGA based NICs for interfacing to 100G (and maybe beyond) speed networks for my research group. Another group here at Cornell had a lot of problems getting some FPGA based NICs to work in servers due to what appears to be PCIe bus issues - they would only work with certain Intel PCIe chipsets.

Does anybody have any experience (good or bad) in this space?

Thank you for your time.



Calculating protocol overhead of a single HTTP response using Wireshark

I'm a newbie when it comes to networking and Wireshark so go easy on me :)

I have an assignment for school, where we are instructed to capture HTTP requests and responses of a VM with wireshark, calculate how much (in bytes), the different protocols (ethernet, IP, TCP, HTTP) used and then calculate the protocol overhead.

The teacher's example solution was this

Ethernet: 14 bytes

IP: 20 bytes

TCP: 32 bytes

HTTP payload: 291 bytes

Trailer: 4 bytes

Protocol overhead: (14 bytes (ethernet) + 4 bytes (trailer)) + (20 bytes (IP)) + (32 bytes (TCP)) = 70 bytes

I can find everything else using Wireshark, except for the trailer. Where can I find this in the interface?



Theoretical: SoHo/Small Business 5ghz Spectrum

In your personal experience, and in theoretical "best case" scenarios, which is preferred:

a) 5-6 clients on 5ghz with high-bandwidth use connecting to a 5ghz AP through an ethernet switch to the AP via a single 5ghz router/wifi bridge. Assuming the router is of high quality.

b) Those same 5-6 clients on 5ghz directly connecting to the AP using whatever adapters they have on-board.

Now scale a) and b) from 5-6 clients to 15-20 clients. Same result?

There will only be a single 5ghz AP in this scenario.

(I'm trying to figure out cost/benefit for an upgrade I have coming up.)



Seeking recommendation of cheap 1G TOR switch for management ports

We are going to be needing a lot of 1G management ports in our lab, each rack will need to have at least 1, possibly 2 management switches to supply 1G connections to all of the servers in that rack. Can someone recommend cheap switches that we could use for this purpose?



Ports per employee

So had a question come up in a meeting today: we, on average, have 5000 ports per network engineer. We were looking for any info on average ports per engineer. Granted, I know each business location etc. has different requirements and uses, but was curious of an average. Anyone care to weigh in?

Thanks!



Network Scanner Tool Configuration on Server

I've installed Network Scanner Tool on a server (Server 2012) that I'm trying to get everyone in my work environment setup to scan through. I'm having issues with users being removed when I add a new user. I create the user in Network Scanner tool, point the scans to the appropriate folder and associate the user with the appropriate scanner. I also verify that no other users are selected when selecting Apply & OK. For some reason, it is still removing users. Not all of them. Any suggestions?



Thursday, January 3, 2019

srx-240 dhcpv6 client and dhcp client issues.

I am trying to use the new dhcp-service on my srx-240b but I am not receiving any dhcp from comcast when using the new way. I will update the post tomorrow after work with my configuration.



Does Remote Desktop Protocol retain entries on the host computer registry, or anywhere?

I'm just wondering if RDP retains any history of RDP entries anywhere in the registry or files? or does it only save history in the RDP app?



Why is it required that if we choose auto negotiation then it has to be both Auto/Auto and cannot be Auto/ 100 Base TX?

I would like to understand why we cannot mix Auto and Manual configurations. Please help.



delete current bin file for software in use 3850 to free up flash

I'm planning on doing an upgrade of my 3850 stack and just don't have the space when doing the installation(expansion of flash to install file)

The current version I'm on is 3.6.4 and if I remove the 3.6.4 bin file from flash, I'll have enough space to upgrade to 16.3.7. Is it ok if I remove that file?

Switch Ports Model SW Version SW Image Mode

------ ----- ----- ---------- ---------- ----

* 1 56 WS-C3850-48U 03.06.04.E cat3k_caa-universalk9 INSTALL

2 56 WS-C3850-48U 03.06.04.E cat3k_caa-universalk9 INSTALL

3 56 WS-C3850-48U 03.06.04.E cat3k_caa-universalk9 INSTALL

sw6#dir flash:

Directory of flash:/

80811 -rw- 2097152 Jan 3 2019 19:14:17 -08:00 nvram_config

80803 -rw- 302988468 May 26 2016 22:54:28 -07:00 cat3k_caa-universalk9.SPA.03.06.04.E.152-2.E4.bin

80806 -rw- 82665136 May 26 2016 22:55:20 -07:00 cat3k_caa-base.SPA.03.06.04.E.pkg

80807 -rw- 4913852 May 26 2016 22:55:20 -07:00 cat3k_caa-drivers.SPA.03.06.04.E.pkg

80808 -rw- 33784816 May 26 2016 22:55:20 -07:00 cat3k_caa-infra.SPA.03.06.04.E.pkg

80809 -rw- 43021636 May 26 2016 22:55:20 -07:00 cat3k_caa-iosd-universalk9.SPA.152-2.E4.pkg

11 drwx 4096 Dec 14 2014 23:40:59 -08:00 dc_profile_dir

80802 -rw- 5376 Oct 12 2018 11:34:33 -07:00 vlan.dat

80810 -rw- 27417488 May 26 2016 22:55:21 -07:00 cat3k_caa-platform.SPA.03.06.04.E.pkg

80812 -rw- 2147728 May 25 2016 16:23:23 -07:00 show_tech_5-25-2016.log

80813 -rw- 111180608 May 26 2016 22:55:21 -07:00 cat3k_caa-wcm.SPA.10.2.140.0.pkg

80805 -rw- 1244 May 26 2016 22:55:38 -07:00 packages.conf

80804 -rw- 537489817 Jan 3 2019 19:22:40 -08:00 cat3k_caa-universalk9.16.03.07.SPA.bin

As you can see line item #2 is the bin file for installing the old version 3.6.4. Is it ok if I delete that so I can install 16.3.7? I'm scared because I don't want to break the stack before doing the software upgrade to 16.3.7. I can't seem to find any documentation on the software release notes to mention if you can delete the bin file of the current software version that your stack is running.



How to restrict traffic from internal to data centre network?

Hi all

Hoping for some solution suggestions here...

We have a data centre environment connected to our internal user network via a 10G port between two Nexus 9Ks. Currently when a user is connected to our internal network they can access the Data Centre resources. Our goal is to only allow port 80 and 443 traffic from internal to DC and block everything else EXCEPT for 5 admin users who should be allowed to access all IP ports across the link. We've considered Cisco ISE with SGTs but it seems overkill for the scale of what we're trying to do and we don't want to change our whole authentication architecture. We can't base it on IP addresses because the 5 users need to be able to access DC resources when on wireless too, so static wired IPs isn't enough. Also considered sticky MAC address port-security, which would be fine if we didn't need to allow all users on ports 80 and 443. Ideally the control would be based on usernames but separate to Windows AD. Perhaps we could implement a small next-gen firewall to control the traffic? Any other ideas on how we can achieve this?

Thanks



Layer 1 Design

How do you all handle planning the layer 1 aspect of a new greenfield build out (physical placement in the racks, cabling, patch panels, etc.)

Are there any good guides or reference material specifically for physical layout and cabling in the data center environment, or especially for a collocation space?

I was more or less thinking after designing the “logical topology,” i.e. the layer 2/layer 3 connectivity, that the physical layout and cabling would sort of just fall into place. However, I can see many ways to do it, and it could either end up absolutely pristine or a hot mess. Especially since our design foregoes such as “inside/outside switches” in favor of vlan segmentation, which is kind of abstracting the layer 1 choices and making it all a little jumbled.



Working smart not hard. (help needed)

Working on Cisco and HP equipment

I was wondering if you guys know of any python script that might solve the current dilemma that I'm facing:

cue super long story in which the network admin ends up doing all the work ...

So basically I need to create access lists on each of the ports of 600+ switches for the devices that are currently connected there (could be just a PC, or a phone and PC, or a printer)

So, here is my process right now:

  • Sh mac-address table | inc Fa0/
    • [I get the entire list of mac addresses that i learn from the ports]
  • Cross reference that with a list that an onsite tech gathered a few weeks ago
    • [+50% of the information is Incorrect]
  • Start pinging the entire segment from the switch, one IP at a time
    • [This gets better by the minute]
  • once the ARP table has been populated
  • cross reference the IP and mac address to find the port where the access list will be created
  • create the access list
  • apply the access list via CLI on the switch

So far this has taken me over 2 hours per switch and i feel that 600 switches it's going to drive me nutz (deez nuts)

If somebody has gone through this, how did you solve it? and if so, where do i send a r/RandomActofpizza?

Thanks!
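The cross-referencing steps above are the part that scripts well. The following is an added example, not code from the original post: it parses Cisco IOS "show mac address-table" and "show ip arp" text (constructed samples below, with assumed VLANs, MACs and addresses), maps each access port to the IP addresses learned behind it, and emits a per-port ACL plus the interface command to apply it. MACs that have no ARP entry are returned separately, since those are the hosts that still need the ping sweep from the post before an ACL can be written. Collecting the command output from the 600 switches (over SSH, with whatever library you already use) is outside the example.

```python
"""Turn MAC-table and ARP output into per-port access lists.

Added example, not from the original post.  Parses constructed Cisco IOS
'show mac address-table' and 'show ip arp' text; the ACL names, the DHCP
permit and the use of 'ip access-group ... in' on access ports are
design choices shown here, not something the post specifies.
"""
import re
from typing import Dict, List, Tuple

MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
MAC_ROW_RE = re.compile(rf"^\s*(?P<vlan>\d+)\s+(?P<mac>{MAC_RE})\s+\S+\s+(?P<port>\S+)\s*$", re.I)
ARP_ROW_RE = re.compile(rf"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+(?P<mac>{MAC_RE})\s+ARPA", re.I)

# Constructed samples (assumed VLANs, MACs and IPs); Fa0/3 has a host the ARP
# table has not learned yet and Gi0/1 is the uplink.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/2
  20    0011.2233.4477    DYNAMIC     Fa0/2
  10    0011.2233.4499    DYNAMIC     Fa0/3
  10    0011.2233.4488    DYNAMIC     Gi0/1
"""
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.10.11              5   0011.2233.4455  ARPA   Vlan10
Internet  10.1.10.12              3   0011.2233.4466  ARPA   Vlan10
Internet  10.1.20.13              0   0011.2233.4477  ARPA   Vlan20
Internet  10.1.10.88              1   0011.2233.4488  ARPA   Vlan10
"""


def parse_mac_table(text: str, port_prefix: str = "Fa0/") -> Dict[str, List[str]]:
    """Map access port -> MACs learned on it (the 'inc Fa0/' filter from the post)."""
    by_port: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = MAC_ROW_RE.match(line)
        if m and m["port"].startswith(port_prefix):
            by_port.setdefault(m["port"], []).append(m["mac"].lower())
    return by_port


def parse_arp(text: str) -> Dict[str, str]:
    """Map MAC -> IP from the ARP table."""
    return {m["mac"].lower(): m["ip"] for m in map(ARP_ROW_RE.match, text.splitlines()) if m}


def build_port_acls(by_port: Dict[str, List[str]],
                    ip_by_mac: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (IOS config text, MACs with no ARP entry).

    A port is skipped entirely until every MAC behind it resolves to an IP,
    so a phone+PC port is not locked down with only one of its two hosts.
    """
    config: List[str] = []
    unresolved: List[str] = []
    for port in sorted(by_port):
        hosts = [ip_by_mac[mac] for mac in by_port[port] if mac in ip_by_mac]
        missing = [mac for mac in by_port[port] if mac not in ip_by_mac]
        unresolved.extend(missing)
        if missing:
            continue
        name = "PORT-" + re.sub(r"[^A-Za-z0-9]", "-", port)
        config.append(f"ip access-list extended {name}")
        # Hosts with no lease yet send DHCP from 0.0.0.0; keep that working.
        config.append(" permit udp any eq bootpc any eq bootps")
        config.extend(f" permit ip host {ip} any" for ip in hosts)
        config.append(" deny ip any any")
        config.append(f"interface {port}")
        config.append(f" ip access-group {name} in")
    return "\n".join(config) + "\n", unresolved


if __name__ == "__main__":
    cfg, todo = build_port_acls(parse_mac_table(SAMPLE_MAC_TABLE), parse_arp(SAMPLE_ARP))
    print(cfg)
    print("# still need a ping sweep / ARP entry:", ", ".join(todo))
```

Run the two show commands first, then the sweep only for the unresolved MACs, then the show commands again: that replaces the "ping the whole segment one IP at a time" step with a targeted one.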



if you qualify - get a free meraki switch - 'watch their latest offering'

Sadly - I've never qualified - even though I've installed hundreds of their devices...

https://meraki.cisco.com/videos/switch

" Qualified viewers of the recording will receive a free Cisco Meraki MS220-8P switch with a 3-year cloud management license. Please see meraki.cisco.com/freeswitch for eligibility details. "

and I don't work for Meraki, I did work for a large ISP as a contractor (installing APs, switches, firewalls, phones and more) -unemployed at this moment-



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Fibre/leased line from Boston USA to UK?

Our main data centre is in London and we have an office in Boston USA that needs a fibre connection back to our core, previously they have had plain internet connection but now they need connectivity to some hardware in London - management don't want to do this over VPN.

Anyone had a circuit of this length in the past and have an idea of cost? I've contacted our COLT contact but he's currently on holiday.

Ideally we would be able to buy this through one of our existing UK suppliers who can deliver via an existing QinQ circuit we have in place.



anyone know what could cause 10g link flapping between cisco 6807XL's

Got complaints from remote users that their SSH sessions were disconnecting mid jobs and I decided to investigate and noticed the 10g L3 link between our core switch (Te7/1) and our distribution switch (Te7/3) was flapping for a millisecond and OSPF adjacency between them as a result was flapping as well.

Both are cisco 6807XL, there is a tap between this link though.

looking at the logs on the link on the dist switch, it goes down and up for a millisecond.

Jan 3 08:47:42.661 pst: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet7/3, changed state to down

Jan 3 08:47:43.797 pst: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet7/3, changed state to up

Jan 3 08:52:45.627 pst: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet7/3, changed state to down

Jan 3 08:52:46.703 pst: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet7/3, changed state to up

Jan 3 09:04:58.480 pst: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet7/3, changed state to down

Jan 3 09:04:59.588 pst: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet7/3, changed state to up

but this millisecond is enough to bring down the OSPF adjacency between them, as shown in the logs from the core below...

Jan 3 08:47:45.805 pst: %OSPFv3-5-ADJCHG: Process 10343, Nbr 12.9.2.24 on TenGigabitEthernet7/1 from LOADING to FULL, Loading Done

Jan 3 08:47:48.409 pst: %OSPF-5-ADJCHG: Process 10343, Nbr 12.9.2.24 on TenGigabitEthernet7/1 from LOADING to FULL, Loading Done

Jan 3 08:52:46.707 pst: %OSPF-5-ADJCHG: Process 10343, Nbr 12.9.2.24 on TenGigabitEthernet7/1 from LOADING to FULL, Loading Done

Jan 3 08:52:48.791 pst: %OSPFv3-5-ADJCHG: Process 10343, Nbr 12.9.2.24 on TenGigabitEthernet7/1 from LOADING to FULL, Loading Done

Jan 3 09:04:59.592 pst: %OSPF-5-ADJCHG: Process 10343, Nbr 12.9.2.24 on TenGigabitEthernet7/1 from LOADING to FULL, Loading Done

Jan 3 09:05:01.592 pst: %OSPFv3-5-ADJCHG: Process 10343, Nbr 12.9.2.24 on TenGigabitEthernet7/1 from LOADING to FULL, Loading Done

I'm trying to figure out why it's flapping. I have checked the physical links and did a "sh int te7/1 transceiver" to see the optical Tx/Rx power and they are within normal range.

on the dist switch(Te7/3):

Temp (celsius) 34.8

Volt (v) N/A

Current (mA) 35.5

Optical Tx Power (dBm) -0.2

Optical Rx Power (dBm)-5.5

on the core(te7/1):

Temp (celsius) 29.4

Volt (v) 3.29

Current (mA) 34.4

Optical Tx Power (dBm) -0.6

Optical Rx Power (dBm)-3.6

or could this be caused by the tap that is in the middle?

thanks



(Cisco) L2 Multicast Traffic not being properly forwarded

We are experiencing an issue where video intercoms need to multicast information across a L2 network. The data is not getting end to end. We have two endpoints on the same network/subnet/gateway but on separated switches.

To my understanding this type of traffic should be forwarded without issue as long as it was L2.

Traffic flow is 3750x-->Nexus7000-->9300

When both endpoints are put on the same switch, it works. They are both still on the same VLAN as they were on when they were on two separate switches.

Any suggestions on what I should look at next?



Small office network - Database server

Hey guys!

We have around 4-5 computers; so far they are accessing the internet through a switch and a router. File exchange is done by sync.com.

I have written a small database which I would like to introduce; it's tiny, around 50Mb.
And from here I would like to hear your suggestions on how to "connect everything together" in a professional way.

Thank you!



Cisco SD-WAN Experiences (Former Viptela Solution)

Is anyone running Cisco SD-WAN (Viptela) on newer versions of the platform 18.x+ and using the ISR 1K/4K routers successfully?

I have been working on staging a new environment for over 2 months with a mix of vEdge 2Ks and ISR 1Ks (specifically C1111-8PLTEEA). I have been through all the different 18.x software versions and am currently bleeding edge on 18.4.0 (wouldn't recommend it at the moment). I have been hitting constant bugs and quirks while working through this deployment and can't understand how this is release (not beta) software.

I'm just curious what other people's experiences have been?



Now that Netscout has sold off their network tester business - what are alternatives to LRAT-2000/OneTouch AT 10G?

I just found out (yes, sorry, I know I'm slow....lol) that Netscout apparently sold all their handheld tester portfolio to a private equity firm:

https://www.cablinginstall.com/articles/2018/09/stonecalibre-acquires-netscout-linkrunner-handheld-network-test.html

I have a Fluke LRAT-2000 (from before Fluke sold it to Netscout) - but it only takes SFP optics.

I'm getting into SFP+, and it might be nice to upgrade to something that can test our 10Gb networks.

What are some alternatives that people can recommend?



Can I run a Zyxel GS1920-24HP fanless?

Hi, I just got this switch, and even with the slow fan speed it's quite noisy. I've unplugged the 3 fans in the unit, temps so far are cool, not even warm to the touch. The use for it is just a PoE access point and 3-4 devices more, not much.

Can I leave it like this? Is it safe? Temps at the moment are under 50° at the MAC probe (room temp around 21°). What is the highest safe operating temperature?

Thanks!



Sonicwall NSA 2650 VPN (GVC) to LAN access

I have set up the Global VPN (IPSEC) on the Sonicwall 2650, the clients are given DHCP addresses from the DHCP server I configured under 'Networking' on the Sonicwall itself.

The clients are able to successfully connect via the VPN but they don't have access to any LAN resources, despite the users having access to 'LAN Subnets'. I am, however, able to ping the LAN interface of the Sonicwall when connected via VPN. If I do a 'route print' on the client, I am able to see a route for the LAN subnet.

I'm thinking that I'm possibly missing a NAT rule or something along those lines, although I couldn't find any mention of one in any of the guides I have looked at.



Former CCNA+S needs help with new IOS-XE (Cisco ISR 1111-9P-LTE)

Hi !

I used to be certified CCNA+S back in 2010. I have been running the company I work for since then with gear that I was able to configure and troubleshoot, but now I have introduced a new device running IOS-XE and I need to get back to the basics.

Can someone post a configuration template for a branch office directly connected to the internet?

The official configuration guide (cisco_1100_series_swcfg_xe_16_7_x.pdf) isn't helping a lot for now.

Thank you.



Eigrp over the top - opinions

We're in the process of redesigning our routing between our 2 datacenters and our clients and I'm looking at EIGRP over the top.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/xe-3s/ire-xe-3s-book/ire-eigrp-over-the-top.html

Has anyone used this in production? Does it cause issues or is it well supported?

A little background. We provide data center services as well as internet connectivity to about 100 clients around the US. Each client is anywhere from 1-20 locations. A typical client will have either MPLS or Metro E between their branches and our 2 data centers, and then DMVPN backup over a separate internet connection to each DC as well. We also have a pair of DCI links between the 2 DCs that traffic can traverse for the client as a last ditch effort kind of thing if their connectivity directly to the particular DC goes down.

MPLS means we BGP peer with the carrier, and then currently do some redistribution into EIGRP for the rest of the network. This adds some obvious complexity. It also means some differences in configuration between clients who use MPLS and those that use Metro E (where we run EIGRP) or, god forbid, T1 lines (rare, but point to point Metro E links to a head office with MPLS or other connectivity to branches off the head office is not).

We're exploring SD-WAN options later this year, but that probably won't be a thing until at least 2020 for a POC at the earliest. We're also exploring just doing all this connectivity via BGP. But I'm curious about using an overlay of some sort so we don't have to do BGP beyond the carrier edge, and came across EIGRP over the top.

Tunnels are an option, but that would mean some new hardware as well to support something like DMVPN over the MPLS (we would want separate equipment for the hubs from the failover), and brings up some other questions about certain types of outages and their effect.

So, yeah, thoughts on EIGRP over the top?



Where to find failed logins for Windows SSH server?

I just managed to get an SSH server running at home with Windows 10. I can already tell it's going to be different from Linux, but in trying to keep this server secure, where would I find the auth.log file (or any config files for that matter)?



Need an alternative wireless Mini-PCI card...

Currently using MikroTik R52HnD Mini-PCI cards in multiple outdoor locations. TX power/RX sensitivity drove us to this particular card (26dBm/-100).

Due to a few supply chain issues I went looking for alternatives and was somewhat surprised at how few results I'm seeing.

Without changing the main router itself I cannot use Mini-PCIe or M2 (unless someone knows of a way to adapt those to the Mini-PCI bus). USB would be additional work but not impossible.

It must have external antenna capability. I'd prefer to stay on MMCX but beggars can't be choosers.



Management VLAN on a switch without a management VLAN setting

I have a Zyxel GS1200-5 with 3 VLANs configured, 1 (Used to undo stuff that locks me out of other ports), 5 (Management VLAN), and 10 (The one I want to use for ports 3-5, as access ports). FYI: Port 1 is a trunk port to a router. My current config:

PVID:           5          1           10          10          10

VLAN ID / PORT: 1          2           3           4           5
1               Tagged     Untagged    Non-member  Non-member  Non-member
5               Tagged     Non-member  Non-member  Non-member  Non-member
10              Tagged     Non-member  Untagged    Untagged    Untagged

The switch (GUI) is showing up on VLAN 10, not 5. How can I make the switch use VLAN 5 without messing up ports 3-5? I thought you could just punch in a VLAN ID somewhere else and, regardless of the VLAN config, the switch would use that VLAN for management, but this setting isn't available on the switch. Any help is greatly appreciated; I'm still new to VLANs.



Mesh Network or Multiple PowerLINEs?

I have a client who owns and runs a Bed & Breakfast inside a house built in 1888. The structure consists of a restaurant of large open rooms downstairs, along with a centrally located modem and single access point. Downstairs WiFi is not really a concern, as it's an upscale restaurant so there aren't any users for it other than staff. Upstairs towards the front of the building has several bedrooms. At the top of the stairs (and central entry for virtually every bedroom) is a single Netgear EX6100 extender. A couple of the bedrooms have very thick walls between them (literally 6"-14" thick). Therefore, walking through the doorway of some bedrooms will near immediately lose ALL signal from the extender. In some rooms, even if there is the slightest signal, it's completely unusable.

Because of the age of the structure, running additional wiring is not an option. I don't have personal experience with mesh networking, but I also fear issues with trying a mesh system considering the thick walls in the building already causing issues. But, I also thought of using a few of Netgear's PowerLINE products that have WiFi output and setting up several of those in each of the bedrooms. Which of these options would be a more feasible solution, or is there another one I'm not aware of?



Extend Fax Line over LAN

I'm looking for a way to extend a single POTS line over IP to a remote site. ATT is unable to move the number to the destination site and I'd rather not use fax forwarding. The new facility has new POTS numbers; however, the department that is moving is focused on tax preparation and they've already registered with the IRS and have pre-printed this number on thousands of forms. I need a way to bridge the gap through 2019 until they reregister and reprint 2019 forms next winter with their new number.

I've seen some posts regarding ATAs; does anyone have experience forwarding a fax signal over IP to a remote receiver?

Thanks in advance



Pair of Nexus 9ks as core, VPC to Palo firewall, things break when 1/2 the VPC goes down

Hi y'all, I'm hoping someone here can sanity check me, cause I think I'm missing something pretty obvious and I'm going crazy after staring at all 50,000 of Cisco's diagrams of Nexus>VPC>Router/Firewall/L3 device configurations.

Here's a brief diagram of what I have setup. I can add more if I'm missing pieces. https://drive.google.com/file/d/17KCigIwe9pSAWCgQSHXkuWYYNlufsvSC/view

Diagram doesn't include any routing -- it's all static. There's a /29 shared between the 3 devices. .1 is fw, nexus hsrp locals are .4 and .5 with hsrp of .6. Default route on core 0.0.0.0/0 points to the .1. This svi is only used for routing traffic between firewall and core. Palo has a static route back pointing at the .6.



Expected International Performance

OK - I have a few years of networking experience, but I may have run into a fundamental "TIFU".

Months ago, we noticed poor performance downloading files from S3 (us-east-1) to our office (based overseas); we were getting just about 1-2 Mbps. After messing with MTU, MSS, and other knobs, I decided to take the big-hammer approach and we ordered a 50Mbps DirectConnect with a "Public" interface - Basically, AWS advertises all of their IP space (using BGP) down a 50Mbps L2 connection to my router. The L2 connection terminates inside an AWS rack.

...Well, I got it up-and-running, but we're still seeing only 8Mbps on single HTTP requests. Our DirectConnect partner is telling me that 8Mbps is to be expected with 100Mbps (temporarily upgraded) and 130ms ping times.

Is he right? Is this the first time that "ping time" should have meant more to me than "time-to-first-packet"? Did I just send my company down an expensive rabbit hole that doesn't fix our problem?

EDIT:

I should add another "slow" use-case - We chose a "Public ViF" because we required increased performance of S3 traffic. As a side-effect, we thought our AWS VPN connections would go faster, as those VPN endpoints are also advertised through the DirectConnect L2. Because these are IPSec VPNs, all traffic through the tunnel is effectively _one flow_ - As such, our VPNs are _also_ limited to the same ~8Mbps.

Yes, a Private ViF may perform better.



(Question) How does a SOCKS proxy chain work?

After looking online for a little while on how to create a proxychain, I was disappointed with how little information there is. Does anyone understand it well enough to explain how we could write a small script that chains SOCKS5?

I have done some SSH reverse tunneling before and was able to chain proxies that way. What I'm looking for is automating the process (but not using shell commands)! Thanks
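The per-hop exchange a SOCKS5 chain needs (RFC 1928), as an added example that is not part of the original post: each hop receives a greeting and a CONNECT for the next hop, sent through the tunnel built so far, so hop N only ever sees hop N-1 and hop N+1. It assumes every proxy accepts the no-authentication method; username/password authentication (method 0x02) is not implemented.

```python
"""SOCKS5 (RFC 1928) client handshake encoding/decoding plus a CONNECT chain
builder, added as an example for the post above; not the poster's code."""
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def greeting(methods=(METHOD_NO_AUTH,)):
    """Client hello: VER, NMETHODS, METHODS[]."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_method_select(data):
    """Server reply to the greeting: VER, METHOD. Raises if the proxy rejects us."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method selection: %r" % (data,))
    if data[1] == METHOD_NONE_ACCEPTABLE:
        raise ConnectionError("proxy accepted none of the offered auth methods")
    return data[1]


def connect_request(host, port):
    """CONNECT request: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT. Literal IPs go
    as IPv4/IPv6; any other host is sent as DOMAINNAME so the proxy (not this
    machine) resolves it, which keeps DNS lookups inside the tunnel."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            addr = bytes([atyp]) + socket.inet_pton(family, host)
            break
        except OSError:
            continue
    else:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data):
    """Server reply to CONNECT: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT.
    Returns (rep, bound_host, bound_port, bytes_consumed)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp, off = data[1], data[3], 4
    if atyp == ATYP_IPV4:
        host, off = socket.inet_ntop(socket.AF_INET, data[off:off + 4]), off + 4
    elif atyp == ATYP_IPV6:
        host, off = socket.inet_ntop(socket.AF_INET6, data[off:off + 16]), off + 16
    elif atyp == ATYP_DOMAIN:
        n = data[off]
        host, off = data[off + 1:off + 1 + n].decode("idna"), off + 1 + n
    else:
        raise ValueError("unknown ATYP 0x%02x" % atyp)
    if len(data) < off + 2:
        raise ValueError("truncated SOCKS5 reply")
    return rep, host, struct.unpack("!H", data[off:off + 2])[0], off + 2


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def _read_reply(sock):
    """Read exactly one CONNECT reply off the socket (length depends on ATYP)."""
    head = _recv_exact(sock, 4)
    if head[3] == ATYP_IPV4:
        rest = _recv_exact(sock, 4)
    elif head[3] == ATYP_IPV6:
        rest = _recv_exact(sock, 16)
    elif head[3] == ATYP_DOMAIN:
        n = _recv_exact(sock, 1)
        rest = n + _recv_exact(sock, n[0])
    else:
        raise ValueError("unknown ATYP 0x%02x" % head[3])
    return parse_reply(head + rest + _recv_exact(sock, 2))


def chain_connect(proxies, target, timeout=10.0):
    """proxies: [(host, port), ...] SOCKS5 hops in order; target: (host, port).
    Connect to the first hop, then have each hop CONNECT to the next, and the
    last hop CONNECT to target. Returns a socket speaking end-to-end to target."""
    sock = socket.create_connection(proxies[0], timeout)
    for hop in list(proxies[1:]) + [target]:
        sock.sendall(greeting())
        parse_method_select(_recv_exact(sock, 2))
        sock.sendall(connect_request(*hop))
        rep = _read_reply(sock)[0]
        if rep != 0x00:
            sock.close()
            raise ConnectionError("CONNECT to %s:%d failed: %s"
                                  % (hop[0], hop[1], REPLY_TEXT.get(rep, hex(rep))))
    return sock
```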



WiFi Bottleneck Issues

Hi Everyone --

We currently have this setup, managed by a hospitality WiFi company:

1G Internet <-> Peplink Balance 305 (w/ Internet Failover) <-> HP ProCurve MSM760 <-> Ruckus ZoneDirector 3000 <-> Gigabit Switches (Aruba 2530s) <-> Ruckus R500/R600 APs

We have a ton of transient guests (as we operate like a hotel) with on average 150-200 devices on the entire network. However, I can barely stream YouTube TV on the device when the traffic is relatively light and it's driving me nuts.

I had a few other WiFi companies give RFPs but they are all over the place from no changes to a complete hardware overhaul. I personally don't think the coverage is an issue but I have a feeling there's a bottleneck somewhere (MSM?).

Does the sub have any thoughts?



Spirent vs. Ixia

New to networking, I am an investor.

Anyone here made a purchase decision between Ixia and Spirent? What went into the decision? If you are in telecom - will 5G change any of your reqs/purchases?



Aruba IAP Dynamic VLAN Assignment

Hello Networking Community

I'm trying to set up Dynamic VLAN Assignment on an Aruba IAP-215. My goal is one SSID and, based on the user that connects to the SSID, he should get a VLAN assigned.

I'm using ClearPass with Local Users as a RADIUS server.

From ClearPass I'm sending the attribute "Aruba-User-Vlan".

In the SSID I've set the VLAN Assignment to dynamic and set a rule that:

Aruba-User-Vlan = vlan

My problem is that the client always gets the default VLAN (1) and not the Aruba-User-Vlan.

https://imgur.com/a/kLFPy6K

Thanks for your help.



Ethernet MITM Security / IPSec on APs

While 802.1X is available in both wireless and wired networks, only wireless networks commonly use encryption.

Using WPA2-Enterprise the communication channel is encrypted with a per-client key¹, so no other clients (authenticated or not) can take over the channel. With Ethernet on the other hand, the port is authenticated once and then traffic flows unencrypted and unsecured. This is also widely known. If you have untrusted parts of wiring this is bad.

Which leads to my problem: Wireless APs in an enterprise network will commonly be connected to a VLAN trunk port and assign VLAN tags to client packets via RADIUS / LDAP attributes. This is pretty much the most access a network device can have. Increasingly we see outdoor APs deployed on poles, in trees or whatever, on semi-open spaces like university campuses, so there is zero physical security involved. Yet I don't see IPSec on APs. So what am I missing? Are there other options I overlooked or hasn't this become a problem yet?

tl;dr: Why is there no support for IPSec on wireless APs?

¹ "If an 802.1X EAP exchange was carried out, the PMK is derived from the EAP parameters provided by the authentication server." Wikipedia



Strange connection stop

Hello guys,

First, Happy New Year to you all!

Now about the question I would like to ask you.

I got some strange problem at work. To be precise, network connection problems. I'll try to explain the situation to you.

We have two infrastructures in the same city but in different datacenters. Each infrastructure consists of a main router, switches, a hypervisor and VMs. Let's say both of them are almost identical. There is a task to migrate VMs from one location to another without changing IPs.

For that reason, I have created a GRE tunnel from one router, which is a Juniper MX960, to another, which is a Juniper SRX3400. GRE tunnel purpose: the link for a BGP connection, and the link to transmit traffic from already migrated VMs.

The BGP connection is used for advertising already migrated IPs to the old location. In the diagram below you can see that the GRE tunnel is actually set between the Juniper routers' routing instances (for isolation purposes).

So in short main route that we are interested in is VM 1 <--> Hypervisor A <--> MX960(VM-PUB routing instance) <--> SRX3400(RT-PUB2 routing instance) <--> Uplink C

Also, I should mention that GRE tunnel is established like this: MX960(VM-PUB routing instance <--> RT-PUB1 routing instance) <--> Uplink A <--> Uplink C <--> SRX3400(RT-PUB2 routing instance)

Now about the problem. At first, all seemed to be fine, but a few days ago we encountered a problem. When the migrated VM (the one that goes via GRE) sends a bigger amount of traffic, its connection stalls. Examples are SSH, HTTP, SCP and so on. With an SCP test I see that it always stops at exactly 2112 KB. Meanwhile, when the migrated VM receives data there's no problem - it could go for gigabytes and all is fine.

I've already checked the MTU and all seems good; on the GRE tunnel it is 1476, and on the hypervisor-to-router route it also matches.

I'm thinking that this may be some kind of limitation on the SRX3400. We already had problems with it because of asymmetric connections before and had to do a workaround.

Maybe any of you guys have any idea why the connection could work like that? Everything is working perfectly, but as soon as VM 1 (migrated) sends traffic outside, that connection stops working.

[ASCII diagram, garbled in extraction: Uplink A, Uplink B and Uplink C at the top; MX 960 with routing instances RT-PUB1 and VM-PUB joined by an lt tunnel; SRX 3400 with routing instance RT-PUB2; a GRE tunnel between VM-PUB and RT-PUB2; Hypervisor A hosting VM 1 (migrated) and Hypervisor B hosting VM 2 below the routers]


Cisco SG300 Configure Inter VLAN Routing

I'm trying to configure inter-VLAN routing on my Cisco SG300 switch which is set to layer 3 mode. Right now the only ports that are able to connect to the internet are those that are set to VLAN 20, as I set the default gateway IP to 192.168.20.254 which is my pfSense LAN IP. How can I set VLAN 10 and 30's default gateway IP to the same LAN IP so all VLANs are able to access the internet?

Currently my IPV4 Routes: https://i.imgur.com/6GHxHD7.png

My pfsense interfaces: https://i.imgur.com/ty7OfD8.png



Trace Route and Hop Count: Seeing multiple "CPE-...rr.com" devices in results - is this normal behavior? (re: "CPE")

Spectrum ISP giving me Dynamic public IP on 24.168.192.0/19 network. Now I know that CPE=Customer Premise Equipment and that my public interface would show up as "CPE-MY-IP.XX.res.rr.com." It's hops 2-3 that have me puzzled. The 2nd hop (default gateway) as well as 3rd hop show up as "CPE-IPaddress xx.res.rr.com."

Is it common to see other hops with the "CPE" prefix?



Wednesday, January 2, 2019

ASR920 help - Metro Ethernet and EVC

So I'm hoping someone on here can potentially help me with configuring an ASR920. The ASR920 does not have sub-interfaces. All dot1Q trunk features are implemented with service instances and BDIs.

Scenario:

I've got multiple links at an NNI coming in on a single port (different VLANS) and I'd like to route the traffic to either the next-hop/VRF/another port.

Right now, I can see the tagged packets show up at the port but nothing is being seen by the service instance / at the BDI.

Can't ping the BDI but get replies from a loopback.

Outputs

# sh run int eth0/0
interface Ethernet0/0
 no ip address
 no keepalive
 service instance 10 ethernet
  encapsulation dot1q 10
  bridge-domain 10
 !
end

# sh run int bdi10
interface BDI10
 ip address 10.0.0.1 255.255.255.0
end

# sh ethernet service instance id 10 interface eth0/0
Identifier  Type    Interface    State  CE-Vlans
10          Static  Ethernet0/0  Up

# sh ip int br | in up
Interface    IP-Address  OK? Method Status Protocol
Ethernet0/0  unassigned  YES unset  up     up
BDI10        10.0.0.1    YES manual up     up
Loopback0    10.255.0.1  YES manual up     up

# ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)

# ping 10.0.0.1 source bdi 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
...
Success rate is 0 percent (0/3)

# ping 10.255.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.255.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms

Let me know if you have any ideas or if there is any more info I can provide to make this easier. I can also get eve-ng lab exports mocking this up if you want to test any scenarios.



CIR and CBS?

Hi,

I'm trying to set up bandwidth limitations for each port on a Cisco SG500X-24 switch. Each port needs to be locked down to 128MB up and down. Under QOS -> Bandwidth it's asking for CIR in Kbytes (which I set to 128000) and CBS in bytes (which I set to 2500000 based on googling some information about CIR/CBS).

Is this correct for a 128MB speed/bandwidth limit? If not, how do I get the correct numbers? I'm getting some weird traffic issues with those numbers, i.e. slow page loads, etc. If I turn the limitations off, pages load like normal. Any help would greatly be appreciated.

Thanks!



Help with Dell 3548P

So long story short, our Network Admin quit half a month ago and we currently don't have a replacement, and I just got an alert on SolarWinds that the switch is acting up. My boss now wants me to replace the device as we have spare Dell 3548s lying around. I also have the configs for the device but I have zero idea of what I'm doing. Could someone give me a crash course on it? Or a how-to?



Considering a Cradlepoint IBR1100LP6 CAT6 with optional modem dock...

I have run around the world of 4G LTE failover solutions several times now, but I still cannot commit to a single solution.
Model: https://www.streakwave.com/itemdesc.asp?ic=IBR1100LP6-NA

This is the closest I have come to deciding, but my big hang up is with how much I see the words
"NetCloud Manager requires a subscription" + "Requires an Extended Enterprise License"

My big question is, with this device - do I actually REQUIRE a subscription to operate all the features, aside from "remote access" and some web-interface features? I ask this because we would be using it for very infrequent events for a pop-up network with 5-7 days of heavy use out of a month... and then maybe several months of no use. So these companies asking for hundreds of dollars a year for their services related to their appliances do not make sense.

Suffice it to say, I require multi-modem load balancing capabilities in a rugged format with all the antenna ports it can muster as well as 2.4GHz and 5GHz a/b/g/n/ac support with a CAT6 or greater modem throughput.

I would ask the company directly, but of course they're going to sell me on the subscription all day...

For my folks that use Cradlepoint, whatcha got?



3850 PoE issue

I have a vendor trying to install some Door Access Panels that for whatever reason are not able to get power from my 3850 stack. Plugging them into an old 3750 has no issue. The vendor contacted the manufacturer of the door panels and it is a known issue with the 3850s. Their recommendation is to set the switch to "Capacitance Mode for PoE handshake". I am not quite sure what they are referring to and I can't find any information for this mode for any switch. I was hoping someone has maybe come across this or knows of it.

I have tried forcing the port power to its recommended max (PoE+ 27.4w), disabled LLDP and CDP as well as enabled power inline port 2x-mode with no luck.



Fiber Optic test equipment for beginner - budget of $2000-2500?

I'm just getting into fiber optics for a small deployment, and I figured I should get some test equipment to make sure things are actually working.

(On the CAT6 side - I have a LRAT-2000 - and that device has been an absolute timesaver - so looking for something similar in the fiber optics world if possible).

I did read the awesome thread, but I'm still trying to wrap my head around VFL (Visual Fault Locators), Power Meter and Light Source, Fault Locator, Certifier, OTDR etc.

However, assuming I have $2000-2500 to spend - these are some options I've seen:

  • Fluke Simplifiber Pro + Fluke OneShot Pro - I've seen these floating around for USD 1000-1500 used.
  • OWL 7 - I spoke to OWL, and they recommended OWL7 test kit #9 - RRP is USD 2305 new.
  • Noyes OFL280 - I saw this mentioned elsewhere on r/networking - I can get second-hand versions of this for around USD 2500-3000. I'm not sure if it's this specific model I should get - so open to correction here.

For now, it will simply be testing short fiber optic patch cables (from the store starting with fs we're not meant to name), but later it may be longer lengths run throughout a building.



How to login to a chunkhost.com cloud server without using Putty?

Is there any way to login to a cloud server without using Putty?

I have the server ip, username and password.

Host is W10 and cloud is ubuntu.



Win10 machine won't access a network device after rebooting computer. Running ipconfig /release -> /renew makes it work again... need help, please.

So, this may be slightly convoluted, but I will do my best to be as concise as possible. There's a Win10 machine that is connected to the company network which should be connected to a USRP device, also connected to the network, but that connection doesn't work after the computer has been restarted. The workaround we've found is that if we connect the device to the computer via a gigabit to USB 2.0 adapter and run ipconfig /release and then /renew, the device works. It gets weirder... If the USRP is then unplugged and connected to the network again, it works. But if I restart the computer, back to square 1 we go. It is definitely not a device issue as it has been running on other computers for over a year and has been retested on them with no such issues. I have tried resetting the network settings in Windows. We've scoured the AV logs to see if it is getting blocked, and nothing. Another weird artifact that may be a clue is, in the IPv4 settings in the network adapter for the computer, even though the settings are set to configure automatically, the default gateway still has an address in it. I've tried deleting it, and running netsh winsock reset catalog to no avail. Any ideas what is happening? Thanks for your time!



A major shift in a production network, what am I missing?

I wrote a big story. Then I wrote an even longer TL;DR. You guys don't care. Here is an image of a Visio file. Thoughts?

Assume physical redundancy has been factored in. I'm shifting a production network from a /16 with a Cisco 5512X doing all the heavy lifting to the outside and internal traffic. The physical part is done and planned for, I'm looking for general advice on what I might have missed or could improve on logically.

This is a pretty small network, less than 500 users. However, for its size, I think there is a wide variety of needs. It's not a sales/marketing network with 90% of the users doing the same thing and R&D guys get to sit in a bubble.

Maybe some VLANs are overkill. Some of the vendors are competitors, and I actually worry they'll try to steal information from each other. It's easier to trust them if I limit their scope. Plus I figure Wireshark will be easier to manage when I'm troubleshooting. Yes/No? Am I dumb?

Also if the Visio file is dumb/bad, sorry, it's my first time building a network map in Visio. I'm also pretty dyslexic and I didn't print this while proofreading so I am sorry about spelling/grammar in advance. I like to think I'm smart, so I don't really know what I'm asking for other than I think most of you are smarter than me. I don't want this network to fail or need another overhaul in 3 years, so please tell me anything I might be missing. Obviously, a lot of information has been pared down. If this is out of the scope of this sub (not enough detail w/e) I'm sorry. Happy New Year!



Can an AmpliFi Instant Router be used as a physical access point?

Currently have an Amplifi HD Mesh in the house, but new configuration means we need to find a way to get a physical connection upstairs (VPN through work gear requires it).

We either need to run 100ft of CAT-6 through the walls & attic or I can just set up an AP to plug into at the new location - I'm opting for the latter.

Normally the old routers I always set up could be repurposed into APs easily, so I'm hoping to do the same if I purchase a second AmpliFi unit (but the cheaper Instant version for $100). Can I still do this with the AmpliFi? Want to stick with Ubiquiti because I was planning on adding in some MeshPoints later on so might as well keep it all in the same ecosystem.

This is in my mother's house so I won't have physical access until this weekend to check, but was hoping I could grab one on Amazon in advance.

Thanks for the input.



QSFP+ 40GbE Switchport, QSFP28 Mellanox Card - Which DAC?

I have a Cisco switch with surplus 40GbE ports (QSFP+). I am planning on getting Mellanox ConnectX-5 cards for some servers due to MLX ConnectX-3 cards going EOL for VMware. Is a QSFP+ 40GbE DAC supported between these devices? How about a QSFP28 DAC so we can future-proof the interconnect? I know that optics are generally backwards compatible (QSFP+ transceiver in QSFP28 port), but there isn't a lot of documentation on using copper.



CCNA Certified, looking for good resources for next steps

Hello folks! I see an "educational" thread in the FAQ that hasn't been updated in 4 years.

I've been CCNA certified for 2 years, worked in the industry for a total of 6 as a Network Engineer.

I'm currently looking for a good resource to study CCNA Wireless and the CCNP exams. I've used the Cisco examination guides but they're far too "thick" and usually don't provide a good use-case scenario for most configurations and technologies they explain. The CCNA level SYBEX books have been a fairly good resource in that regard however they do not have a CCNA Wireless book.



More questions about 802.1x/RADIUS

I'm hoping to just get some clarification about how the authentication process works. The documentation I'm reading from Cisco (found here, page 4) states that if the client is "802.1x capable" then it starts the 802.1x port-based authentication and, if the client identity is valid, then it assigns the port to a VLAN. I'm a little confused about what it means by "802.1x capable". In the event that the client has not been configured for 802.1x but is capable of sending 802.1x EAPOL messages, does that mean it'll still go down the path of 802.1x authentication, or will it instead go down the path of MAC based authentication?

In my limited understanding, this means to me that if the client is capable of sending EAPOL messages but has not been configured to do so it still means it's "802.1x capable" and that the authentication process will not attempt to authenticate based on MAC address.

In the end we're really trying to avoid having to fully implement 802.1x. In other words, we're not interested in setting up a Certificate Authority and implementing PEAP or EAP-TLS or even integrating with Active Directory. We'd like to simply define a pool of MAC addresses and corresponding VLAN numbers. When a machine gets plugged into the switch the port will be configured for the VLAN defined for the MAC address of the machine. If a machine gets plugged in that has a MAC address that is not found in the pool then the port goes into err-disable state. I've been trying to get this working in Microsoft Network Policy Server but it seems way overkill for what we're trying to achieve.

Is this possible?



Stupid question - creating a public interface on my core switch

I need to create a routing interface with a public IP for a backup ISP we have. My core switch is an HP5406zl running on newer firmware. This sounds horrific, but I'm asking in case my thinking is off. Should I create this routing interface on my core switch or should I get a small router to go between my core and this ISP? This will be passing traffic to a Cisco CUBE, so it won't really be doing any sort of traffic filtering.



Cisco 9300 Stacks and IP address

Good Afternoon,

I have two stacks ( one with 7 switches and one with 3 ) port channeled together. I have vlans with IPs on the 1st stack, and switchport access setup to workstations on the 2nd stack working. I have a Loopback ip address on the 2nd stack and I'm trying to figure out how to route to it so it'll connect through the port channel on the 1st stack for ssh vlan management of the 2nd stack. But it says I have to assign a L3 address as a route destination. Thoughts ?



MPLS users in 2019: Why haven't you moved to SD-WAN?

My experience with MPLS has been that MPLS is expensive to install, expensive to operate, slow to install, and difficult to get high quality support from ISPs.

SD-WAN gives multi-site organizations the ability to take back control, use multiple connections, access direct tools, and deliver business agility. SD-WAN does this all at a much lower all-in cost.

My question for the larger community: what is holding you back?



Anybody using ML in network operations?

I keep reading more and more articles such as (https://www.networkworld.com/article/3320978/data-center/network-operations-a-new-role-for-ai-and-ml.html) about ML being used in network operations. I haven't actually found one that isn't fluff though. Does anyone have any specific use cases and how has it provided a benefit?



Looking for advice on adding headers

Hi all,

I find myself in a situation where I would like to add / remove a header for every packet that passes through me in a bridge mode. (much like a GRE tunnel with a sequence number). The thing is that my GRE header would need to be a multicast destination.

So I know that I could write my packet socket code that would open a socket and process every packet coming in. I'm wondering though if I could do it with more advanced sysadmin tools/utilities vs. coding? Could I make this work with standard iptables, mangling, gre tunneling, etc modules?

I don't mind either approach really, just hoping I could get started on whichever path is the least cumbersome, if anyone has any thoughts having done something similar - would be most appreciated



Canada (Montreal) source for patch cables, etc

Hi guys,

I'm looking for a site or even a store (I'm in Montreal) in Canada that sells patch cables in whatever quantity you want, and other related networking accessory type items.

Also, what is the standard price for these cables (length dependent obviously) that you guys normally pay? I've seen varying prices on a few sites...

I saw primecables.ca, but they seem to stock a lot of slim only cables which seem to be quite expensive, and I really don't need slim ones.

Also, for such short distances (say under 24"), does it really matter if we use Cat5e or Cat6?



DNSApe - Simple, fast network tools

DNSApe has been released, a free network tool for anyone that deals with websites on a daily basis. We provide the following tools at launch.

  • DNS Records - list DNS records for a domain
  • DNS Traversal - show DNS records from root, TLD, and authoritative name servers
  • DNS Cache - show DNS records from popular DNS servers
  • HTTP Headers - get HTTP headers for a domain
  • Whois - Whois lookup (we never save any lookups)
  • IP Whois - just what it sounds like...
  • RBL - troubleshoot email deliverability by checking if domain is listed in email reverse block lists
  • Ping - a simple ping from our server

Future features include keyboard shortcuts, upload time calculator, subnet calculator, and other network-related tools. You can vote on features here.

We also released a large update to our primary srvAudit application. If you have a need to track logins and command history for Linux servers, check it out!

We're releasing this as open source under the MIT license here soon. We're looking for feedback and suggestions, and of course contributors are welcome!



Best Practices for Configuring Routes for a VPN Server with No Physical DMZ?

I work for a small company with no physical DMZ but we wanted to use a separate interface on our SonicWall connected directly to the VPN server as a sort of DMZ.

Everything appeared to work fine after configuring the rules except the VM can't route any traffic internally because the default gateway is the DMZ interface and that VLAN can't route any traffic internally. To fix this I manually added a route for our internal IP range to go out the internally facing interface using Route ADD. My Manager said he doesn't want it done that way, but also didn't say how it should be done.

I'm not a network admin, but my current understanding is that Windows only automatically adds routes for the networks that the NICs are on. So If I have 192.168.1.0, 192.168.2.0, 192.168.3.0, etc, networks internally, but my server has an externally facing default route as a DMZ, then it can't route to 192.168.2.0 or 192.168.3.0 without manually adding routes. If I ping 192.168.2.1 it will go out the DMZ interface unless I manually add a route.

Is there some other way Windows is supposed to identify what your internal networks are? Maybe from ADSS? Is using Route ADD bad practice?



H.323 vs. SIP calls?

Hi I’m an AV/Videoconference tech trying to get a deeper understanding of networking and how to manage backend stuff. I’ve been reading a lot about H.323 and SIP and am wondering why one would be preferable over the other. Our LifeSize systems allow you to make both types of calls (and ISDN) and we currently default to H.323. Can somebody simplify this in as lay terms as possible and help me understand the reasons one would be used over the other? Thanks!



VPN Monitoring CISCO ASA

Hey guys I'm new to Cisco ASA and vpn Monitoring. Right now we have a simple Perl script scraping the ASA data on our vpn access. But I feel like I could get way more comprehensive data out of the ASA reporting features or free tools that are out there.

Does the ASA provide features and reports such as login attempts , bandwidth used by users?

Thank you



QoS testing

I'm after a bit of help / advice, though I realise that QoS is one hell of a rabbit hole to fall down and I might be a bit out of my depth...!

I'm testing that the QoS values on a local switch are being trusted, so running a ping -v 184 from one PC to another. If I run wireshark from a desktop & look at the pings from that PC, I can see the DSCP value set to EF as I expected. However if I look at the pings from a different PC to mine with the same -v 184 value set I see a DSCP of CS0, i.e. nothing set 0x00

The switch has mls qos turned on and all the ports on it are set to mls qos trust dscp.

If I set an extended ping going with the ToS value set to 160 / 184 etc then I can see on the local desktop running wireshark that the DSCP value is set correctly.

I don't understand why the dscp value is being stripped out from the other desktop device though if the ports are set to trust dscp?

I was hoping that once I confirmed it's working locally I can start sending the pings from further afield and test the end to end QoS connectivity of all our sites.



QoS with multiple static IPs

Hello all,

I have been working away at this off and on and am not getting anywhere fast.

Overview:
We have 5 usable static IPs from Comcast. These come in to a Comcast BWG modem/router. We then have two different sonicwall firewalls connected and each is assigned one of the 5 static IPs from comcast. In this config, the comcast is transparent and all is well.

Then we introduced VoIP for external calls via flowroute. I assigned a third static IP for the PBX behind one of the sonicwalls. Then I found I needed to do some QoS work for the VoIP traffic. Since the comcast BWG does not expose QoS settings to me, I had to move all traffic through one of the sonicwalls and manage it there. I did that, and it works great. We now have all traffic coming to the BWG, then to one sonicwall (assigned 3 of the static IPs). From there, it is a 1-1 NAT to the other sonicwall (it has a ton of port forward rules that I didn't want to move to this main sonicwall). Then another 1-1 NAT for the PBX. Got this all done, and it works, but I don't like it. I am now having some issues with trying to get extensions outside the network to connect to the (asterisk based) PBX. My first intuition is that the NAT in the sonicwall is FUBAR'ing the SIP traffic. I also don't like the layout of the network.

I have tried finding a way to transparently assign the PBX a static IP from Comcast, but would still like a firewall appliance in front of it for reasons of sleeping better at night.

So I guess my question is this: Is there a way to transparently firewall 5 static IPs from comcast and still assign the public IP to an end device? Can this be done with a sonicwall (TZ 400)? If another box is required, what recommendations do you have?



I wrote an Ansible lookup plugin to listify vlan and interface ranges

Strings like "101-120,201-220,1021-1040" and "Te3/1-4,Gi3/1-48" are used often in networking, and I thought a lookup plugin that parses these strings would be useful in networking playbooks.

So I wrote csrange (for "comma separated ranges"), and it's on github. Usage, examples and legal/illegal syntax are documented in the repository.

Feedback/comments solicited.

EDIT: typo



Vulnerability in C-Data Technologies EPON CPE-WiFi devices firmware v2.0.4-x000

I recently signed up to receive emails from shadowserver regarding activity in my /19 and /20. Starting December 12, I started getting a lot of emails about IPs showing Mirai-like activity. After consolidating all of the reports and filtering for unique IPs I was able to take a closer look at the devices. I noticed that all of the affected IPs were using our AdNet (branded) CPE-WiFi EPON units, manufacturer is C-Data Technologies LTD.

I ran nessus against the devices to see if there were any current vulnerabilities, and none were reported back. I took a closer look at the devices myself and noticed that the login cookie was not unique to the device/login.

I was able to use Google Chrome developer console to send the following cookies on an un-logged in device:

document.cookie="cooLogin=1; path=/; expires=2018-12-28T12:03:02.000Z";

document.cookie="cooUser=admin; path=/; expires=2018-12-28T12:03:02.000Z";

document.cookie="timestamp=-1; path=/; expires=2018-12-28T12:03:02.000Z";

I then refreshed the login page and I was greeted with the Admin UI of the device.

I reached out to C-Data and AdNet but have yet to hear back from them since discovering the issue. I also requested a CVE for the issue, and it is currently reserved: CVE-2018-20512

I've never requested a CVE before, so not sure the process to move that out of "RESERVED".

Any who, just wanted to pass this bug along to /r/networking

My temp fix was just to ACL port 80 at our core going to the affected customers.
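The bypass above works because the device believes whatever `cooLogin`, `cooUser` and `timestamp` values the client presents; nothing ties the cookie to a session the device actually issued. The Python below is an added example, not the C-Data firmware (which is not on this page) and not the poster's code: it reconstructs that trust-the-cookie pattern next to a server-issued, HMAC-signed, expiring session cookie. Only the three cookie names come from the post; the hardened cookie layout, the secret, the TTL and the session store are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a request Cookie header ("a=1; b=2") into a dict."""
    out: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            out[name] = value
    return out


def is_logged_in_vulnerable(cookie_header: str) -> Optional[str]:
    """The pattern the post describes (a reconstruction, not the vendor's code):
    the device believes the client-supplied cooLogin/cooUser cookies, so anyone
    who can set cookies is "logged in" as whoever they name."""
    c = parse_cookie_header(cookie_header)
    if c.get("cooLogin") == "1" and c.get("cooUser"):
        return c["cooUser"]
    return None


class SessionStore:
    """Hardened replacement (assumed design): the server issues an opaque random
    session id, HMAC-binds it to the user and an expiry, and checks its own
    records on every request. Cookie names, secret and TTL are assumptions."""

    def __init__(self, secret: bytes, ttl_seconds: int = 900):
        self._secret = secret
        self._ttl = ttl_seconds
        self._sessions: Dict[str, Tuple[str, int]] = {}

    def _tag(self, sid: str, user: str, exp: int) -> str:
        msg = f"{sid}|{user}|{exp}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def login(self, user: str, now: Optional[float] = None) -> str:
        """Called only after the password check succeeded; returns the Cookie
        header value the client will send back on later requests."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)          # 256 bits, unguessable
        exp = int(now) + self._ttl
        self._sessions[sid] = (user, exp)
        return f"sid={sid}; user={user}; exp={exp}; tag={self._tag(sid, user, exp)}"

    def user_for(self, cookie_header: str, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated user, or None if the cookie is forged,
        tampered with, unknown to the server, or expired."""
        now = time.time() if now is None else now
        c = parse_cookie_header(cookie_header)
        try:
            sid, user, exp, tag = c["sid"], c["user"], int(c["exp"]), c["tag"]
        except (KeyError, ValueError):
            return None
        # 1. signature must verify (constant-time compare, no timing oracle)
        if not hmac.compare_digest(tag, self._tag(sid, user, exp)):
            return None
        # 2. the session must exist server-side and agree with the cookie
        if self._sessions.get(sid) != (user, exp):
            return None
        # 3. expiry is inside the signed data, so the client cannot extend it
        if now >= exp:
            self._sessions.pop(sid, None)
            return None
        return user

    def logout(self, cookie_header: str) -> None:
        self._sessions.pop(parse_cookie_header(cookie_header).get("sid", ""), None)


if __name__ == "__main__":
    # Constructed request: the three cookies from the post, set by hand.
    forged = "cooLogin=1; cooUser=admin; timestamp=-1"
    print("vulnerable check:", is_logged_in_vulnerable(forged))   # admin
    store = SessionStore(secrets.token_bytes(32))
    print("hardened check:  ", store.user_for(forged))            # None
```

The point of the hardened version is that every field the client can edit is covered by the HMAC, and even a valid-looking cookie is useless unless the server itself created that session id. Blocking TCP/80 at the core, as the poster did, is a reasonable stopgap until firmware with a real session check is available.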



SNMP reachability monitoring

Hello,

I am setting up librenms. About 40 devices so far, Huawei/HPE mix.

About half of them got big gaps in graphs -> librenms gives me snmp reading problem.

When device is snmp down from librenms point of view, I can ping it on snmp port, but snmpwalk is not working (connection timeout). After few minutes, it works again.

Is there some way/script how to check snmp reachability? I don't want to read whole snmp information, just to check that it responds to snmpwalk.

I would like to run this against all devices in my network from various places, so I have more info what is working, what not and troubleshoot it further.

My google-fu fails me for this one, I don't want to setup another big tool for this, just some script/small tool where I could see statistics of reachability

Thanks!
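An added example for the check asked about above (not LibreNMS code and not the poster's): the Python below hand-builds a single SNMPv2c GetRequest for sysUpTime.0 using only the standard library, sends it with a timeout and reports whether a well-formed GetResponse with the matching request-id came back. That is the same probe `snmpget` would make, so it exercises the agent rather than just the UDP port. The device list and the `public` community in the `__main__` block are assumptions; replace them with your inventory.

```python
import os
import socket
import time
from typing import Tuple

SYS_UPTIME_0 = (1, 3, 6, 1, 2, 1, 1, 3, 0)   # sysUpTime.0, present on every agent


def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(v: int) -> bytes:
    # shortest two's-complement form; +8 keeps a leading 0x00 when the top bit is set
    n = max(1, (v.bit_length() + 8) // 8)
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))


def _oid(arcs: Tuple[int, ...]) -> bytes:
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, request_id: int, oid=SYS_UPTIME_0) -> bytes:
    """SNMPv2c GetRequest for one OID, byte-for-byte what snmpget sends."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")                 # OID + NULL value
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0)           # GetRequest-PDU
               + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)  # version 1 = v2c


def _read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("truncated")
    return tag, buf[pos:pos + ln], pos + ln


def response_matches(data: bytes, request_id: int) -> bool:
    """True if data is a GetResponse-PDU (0xA2) carrying our request-id."""
    try:
        tag, msg, _ = _read_tlv(data, 0)
        if tag != 0x30:
            return False
        _, _, p = _read_tlv(msg, 0)          # version
        _, _, p = _read_tlv(msg, p)          # community
        tag, pdu, _ = _read_tlv(msg, p)
        if tag != 0xA2:
            return False
        tag, rid, _ = _read_tlv(pdu, 0)
        return tag == 0x02 and int.from_bytes(rid, "big", signed=True) == request_id
    except (IndexError, ValueError):
        return False


def probe(host: str, community: str, timeout: float = 2.0, port: int = 161) -> Tuple[str, float]:
    """One GetRequest; returns (status, seconds). A wrong community shows up as
    'timeout' because v2c agents silently drop those requests."""
    rid = int.from_bytes(os.urandom(4), "big") & 0x7FFFFFFF
    pkt = build_get_request(community, rid)
    t0 = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(pkt, (host, port))
            data, _ = s.recvfrom(1500)
        except socket.timeout:
            return "timeout", time.monotonic() - t0
        except OSError as e:
            return f"error:{e.errno}", time.monotonic() - t0
    status = "ok" if response_matches(data, rid) else "bad-reply"
    return status, time.monotonic() - t0


if __name__ == "__main__":
    # Assumed inventory and community; point these at your devices and run the
    # script from each vantage point (poller, another site) you want to compare.
    for host in ("192.0.2.10", "192.0.2.11"):
        status, rtt = probe(host, "public")
        print(f"{time.strftime('%H:%M:%S')} {host:15} {status:10} {rtt * 1000:6.0f} ms")
```

Run it from cron on the poller and on a host that sits elsewhere in the network, append the lines to a file, and the gaps in LibreNMS line up with either a device-side problem (both vantage points time out) or a path problem (only one does). Because the response check matches the request-id, a stray reply or a port scan answer is not counted as "ok".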



Best practices - site power down

Hello All,

My Company is doing a site power down (my first) in the next couple of weeks.

I have done some google searches for checklists and best practices for the networking side of things, e.g. start from the outside and work inwards (firewall > router > switches > wifi)

Does anyone have any tips, things to look out for, checklists, websites (or threads) that I should read?

Thanks in advance



What important linux commands do you find yourselves using regularly on the job

Sorry if I'm posting this in the wrong place.

Just got a software engineering job that will be heavy in networking and was told to "Refresh linux commands (networking related such as ipaddress config, netstat, interface up/down/config)"

Well, I've done little linux networking. Of course I've used ifconfig, and netstat, but I've never used interface up/down/config. Also, this sentence is super broad, and clearly implies that there are many more commands to "refresh" myself on.

That being said, what commands do you guys deem as the most important on the job? Things like ifconfig, telnet, netstat are obviously important, but there must be more. Also, if you have a favorite resource for linux commands I'd love to see it!

Thanks!



Tuesday, January 1, 2019

Multiple Public Static IPs for 1 Linux Server

Hello All,

We have a CentOS-7 linux box that is running a piece of web hosting software. We have three different ISPs and public static IP blocks from each of them. My linux box has 3 separate NICs. My goal is to be able to access the linux server from any of the 3 unique public static IP addresses (should one of the ISPs go down or fail).

I've gone ahead and assigned a Public Static IP from each ISP to a unique NIC port on the linux server. (NIC1 = Verizon, NIC2 = Crown Castle, NIC3= Cogent)

I'm having a problem getting connectivity working properly on NIC2/NIC3 and I believe this has something to do with routing tables not being configured correctly on the linux server.

Anyone have experience setting up something like this?

Apologies if this is trivial, I'm not very familiar with routing tables.

Thanks so much



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Twinax DAC vs Fiber for bend-radius and durability?

We're connecting up some servers (Mellanox ConnectX-3) and switches (Arista, Ubiquiti) for 10GbE (Proxmox and Ceph HA cluster). So this is all within a single rack - I've read the latency of DAC is slightly better, but probably not noticeable for us.

What are the pros/cons of Twinax DAC SFP+ vs Fiber (single-mode) in terms of durability?

I haven't worked much with fiber before - how delicate is it (in terms of say, snapping inside the sheath).

How tight of a bend-radius can you get for fiber versus DAC cables? For cable management, I'm worried about damaging fiber.



What exactly does a DNS show?

I've been trying to figure out what exactly happens when I use something like Google to search for anything.

Like if I search for "12345" on the search engine I know my ISP can see that I'm doing a search on Google and that Google itself tracks me but because of HTTPS it can't see that I am searching for "12345" (or can it? Correct me if I'm wrong).

But what does the DNS requests or whatever show exactly? Does it reveal anything more to the DNS provider aside from I'm using Google's search engine? I can't really find an answer that I understand enough to make sense of.



Advice for a Search and Rescue Command Center

A little bit about what I'm doing: I'm working on setting up the network system for a new mobile command unit for a local search and rescue team. Basically it's an enclosed trailer built out with computers and fancy equipment to act as a base for any search or rescue missions. I have some computer experience (building home computers and just tinkering) like most people on here, but never set up a network system.

So here is what I kinda have drawn up in my head. They will have a few ways of getting internet in the trailer. The first way will be via a mobile hotspot (either tethering off a phone or one of those Verizon hot spot devices). The second will be via another trailer. Basically it will just feed an ethernet cable to this trailer and receive internet this way. The third will be just picking up basic wifi while the trailer is in its storage location. My first question, is there a way to easily switch where the router in the trailer is picking up internet from? Can a normal "ethernet switch" accomplish this? Or will I have a hell of a time setting it up this way? Basically I want to use one central router that can be fed multiple ways if this makes any sense at all.

After it comes to a router it will just kind of act like a normal home system then. Being able to then access via the wifi and ethernet cable, have a storage system attached to it, and printers etc. I'm trying to keep it kind of basic for these guys, most of them are on the older side, and tech isn't necessarily their forte. They won't need super high speed efficiency, the only real thing would be accessing google earth for some of their topographical. Also looking for recommendations for routers that are available now.



Is it ok to buy HPE/Aruba switches off of Amazon.com?

I've seen many people on here recommend against buying Cisco switches on Amazon because of gray market or counterfeit hardware concern as well as lifetime warranty possibly not being honored, but what about HPE/Aruba? Should this also be a concern? I'm looking to buy a single 2930F and they are significantly cheaper than the last quote I got from our current HPE switch provider (like 1/2 price). HPE warranty has been great for me. They have even exchanged dead 3Com switches that we bought in 2010. So I have no fears about Aruba/HPE warranty coverage.



MTU vs Packet size

I am new in networking stuff and been learning most of it at the job. Recently I came across an issue where an MTU is set to 1500 bytes while the packet size is around 7000 bytes, and when the ping test is performed, 0 packets are received.
I did some research on my own but have a few queries: does MTU set the upper limit for how big the packet size should be? So setting MTU to 1500 would mean packet size of <=1500 would work and anything more than that may result in packet loss. Is this correct reasoning? I am trying to create an image of how MTU and packet size are related



ANNOUNCEMENT: FS.COM / Fiberstore Auto-Removal in effect

The r/networking ModTeam is seeing another uptick in focused, intentional mass-marketing efforts from Fiberstore Social Media Marketing representatives.

We've had this problem with them in the past, warned them extensively, banished a dozen or more accounts and here they are, back again for more.

As a result of the actions of the FS.COM marketing team, (or their contracted representatives) we are auto-removing any thread comment that makes reference to FS.COM in text or URL.


Fiberstore makes a good product.
Many members of the ModTeam use or advocate for their products.
This is not an attack on their company or their products.

This is a defensive action in response to their offensive and unwelcomed marketing tactics.


It's a new calendar year.
Lots of us are about to crack open major project efforts which require the "big checkbook".

Please feel free to make a mention to Fiberstore sales if you are making purchases from them about their social media marketing tactics or to advise them that whoever they are contracting to handle reddit.com on their behalf may be damaging their brand more than they are helping.



VPNs instead of segmentation with VLANs/VRFs

I've been hearing recently that some people have built their networks as a sort of "visitor network only", where you don't have access to anything else than the internet + VPN gateway. Then they'd install VPN clients to every PC in the network and have them create VPN tunnels to firewall, and do segmentation/rules towards internal services there. If you don't have company PC all you get is internet access. With this you wouldn't have to do for example VRFs at every distribution switch, just configure the "visitor network" everywhere and have company PCs do VPN if they need access to something else than just the internet. Also you wouldn't need 802.1x if you're doing open visitor network anyways.

Have you seen/built this kind of networks? How did you handle printers/surveillance cameras/APs/"IoT"/etc?



What is the first class of router hardware past SOHO?

Hi,

I've really been struggling to understand how a network is designed beyond the classical home office network. The typical model seems to very commonly include an IPv4/IPv6 capable router, which always performs NAT on packets received from the LAN interface destined for the Internet, and IPv6 of some sort. Lately it seems routers are working very well with doing an IA_NA and IA_PD for a /64 residential size, single IPv6 prefix to distribute amongst the LAN segment.

I have had a few people ask me if I am segregating my network into multiple LAN segments, to exclude IOT devices from snooping on the laptops/NAS, or to more fully segregate guest traffic into its own area.

My networking skills rather stop fully at the residential. The model above must be roughly identical to a local branch router with a few distinct office departments - let's instead of calling it LAN/IOT/Guest, simply as Finance/Sales/Engineering. With this in mind, what type of gear do you folks typically go for? Is there a "tried and true" way to design a small network with multiple L2 networks?

I don't know much about Cisco IOS, but it seems reasonable that it can provide NAT across multiple networks onto a single WAN address, and we have seen plainly it supports IPv6 in almost all of its various permutations so far. I would guess that other vendors compete in this space with Cisco.

So my question is hopefully not technical, but vague enough for a small discussion - what is the next form of router after the SOHO class is inadequate, for the smallest of business networks?

Thanks for any insights! This is obviously a thing I want to (eventually) do but I'm happy to keep the conversation high level so that it is more interesting.



Technical debt in networking?

Hello, I work on the image analysis side of remote sensing.

I got tasked with setting up a simple queueing messaging system. As such, in reading up and deepening my knowledge I started thinking about what technical debt there is accumulated in networking as a discipline. Such as IPv4 addresses running short. Most learning sources seem to show very graceful transition from early implementations (e.g. CSMA - CSMA/CD etc.). What do you foresee will be the biggest issues in the near future in terms of limiting current implementations?



Is it possible to write an arpccess list cisco ios-xe?

There’s a customer owned device (Cisco isr Router) connected to one of our 3850’s that’s constantly answering arp requests for other devices on the same lan segment and stealing their arp both from other hosts and our firewall.

The customer will not turn proxy arp off and will not tell us what subnet mask they have configured on the interface. Basically they’re being a rude tenant.

This has caused a lot of outages for us over the past 20 days, the worst one got me called in on a holiday just this week: at least 3/4 of the hosts on that segment had the tenant's MAC address for almost every arp entry in their table WTF!

So we put a layer 2 pacl on the port to block arp. Now this broke the tenant because our firewall somehow lost arp for their router and didn’t get it back, so I got called New Year’s Eve last night just before midnight to work a priority one for the tenant being down!

So my question is there a way to write a better pacl that allows their router to arp reply for itself but not for anyone else? Call it... an arpccess list?

I know DAI is a commonly used solution but my understanding is that DAI requires dhcp snooping to work. Well we don’t use dhcp on that particular segment, so no dhcp snooping.

Thanks all!
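The symptom in the post (one MAC behind most of the ARP entries on a segment) is easy to spot mechanically, and having that evidence per VLAN helps both the tenant conversation and deciding where enforcement belongs. Cisco DAI can validate against a static ARP ACL (`arp access-list` applied with `ip arp inspection filter ... static`) on segments that have no DHCP snooping, so it is not off the table here; the detector below is the complementary monitoring side. It is an added example, not the poster's code: it parses Cisco `show ip arp` output and flags any MAC answering for more IPs than it should, with an allowlist for MACs that legitimately own several addresses, and it can diff the table against an expected ip-to-MAC map. The sample table is constructed; the expected map, thresholds and allowlist are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# One line of Cisco IOS/IOS-XE "show ip arp" output:
# Internet  10.20.0.5     12   aabb.cc00.0100  ARPA   Vlan20
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)",
    re.IGNORECASE,
)


def parse_show_ip_arp(text: str) -> Dict[str, Set[str]]:
    """Map each MAC to the set of IPs the table currently resolves to it.
    The header line and 'Incomplete' entries do not match and are skipped."""
    by_mac: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            by_mac[m["mac"].lower()].add(m["ip"])
    return dict(by_mac)


def find_arp_hogs(by_mac: Dict[str, Set[str]], max_ips: int = 1,
                  allow: Iterable[str] = ()) -> Dict[str, List[str]]:
    """MACs answering for more IPs than expected. 'allow' holds MACs that
    legitimately own several addresses (a gateway with HSRP or secondary IPs)."""
    allowed = {a.lower() for a in allow}
    return {mac: sorted(ips) for mac, ips in by_mac.items()
            if mac not in allowed and len(ips) > max_ips}


def stolen_entries(by_mac: Dict[str, Set[str]], expected: Dict[str, str]) -> Dict[str, str]:
    """Given ip -> expected MAC (from inventory, static ARP, or leases), return
    ip -> MAC actually seen for every address where the two disagree."""
    seen = {ip: mac for mac, ips in by_mac.items() for ip in ips}
    return {ip: seen[ip] for ip, mac in expected.items()
            if ip in seen and seen[ip] != mac.lower()}


# Constructed sample, not real output: one host has taken over two neighbours.
SAMPLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.0.1               -   0000.0c07.ac14  ARPA   Vlan20
Internet  10.20.0.2               0   0011.2233.4455  ARPA   Vlan20
Internet  10.20.0.10              3   0011.2233.4455  ARPA   Vlan20
Internet  10.20.0.11              5   0011.2233.4455  ARPA   Vlan20
Internet  10.20.0.12             41   00aa.bbcc.dd01  ARPA   Vlan20
Internet  10.20.0.13              0   Incomplete      ARPA
"""

if __name__ == "__main__":
    table = parse_show_ip_arp(SAMPLE)
    # Assumed: 0000.0c07.ac14 is our HSRP gateway MAC and may own several IPs.
    for mac, ips in find_arp_hogs(table, allow=["0000.0c07.ac14"]).items():
        print(f"{mac} answers for {len(ips)} IPs: {', '.join(ips)}")
```

Feed it the switch's own ARP table (or `arp -a` converted to the same columns from affected hosts) on a schedule and alert when a MAC outside the allowlist grows past one address; on a static-addressed segment the expected map is stable, so `stolen_entries` gives you the exact list of victims to hand to the tenant.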



Cisco ASA with egress and ingress netflow

I have an ASA5510 running version 8.2.5 and has netflow configured. It only captures outbound traffic netflows, i.e. egress on the outside interface.

In newer versions of say 8.3 or 9.X does netflow support both egress and ingress?

I know that's the case for older versions of IOS of core routers, earlier versions only did ingress, then later versions supported both egress and ingress. Unlike the IOS on routers, the netflow on the ASA is not configured to a specific interface, its global.

Thanks

John



3750g-24t-8 replacement?

My Cisco home lab switch that has served its purpose went belly up in the new year. As this is for my home lab instead of enterprise I will need to find another budget friendly replacement. Looking on eBay I'm leaning towards the same model. I need the routing capabilities and gig. Is there another model I should look at?



Source IP Address on DNS Forwarding Servers

Design: LAN -> Router -> Public DNS Forwarder -> Public DNS Resolver/Recursive

On this design, there’s no internal DNS service. Apparently when a client from the LAN asks for DNS response, it will be sourced by a public address from the Router via NAT/PAT.

My question: When our Public DNS Forwarder forwards the recursive queries to the public DNS Recursive servers, what will the source IP Address be? I suppose it would be the public IP Address of our Public Forwarder?

If it’ll help, Unbound will be the choice of DNS server software in this project.

If yes, to those who know, can I confirm that the traffic will be something like below:

  1. Private Client to Public Forwarder: Source IP: PAT Address of Router; Destination IP: Public Forwarder

  2. Public Forwarder to Public Recursive: Source IP: Public IP Address of Forwarder; Destination IP: Public Recursive

  3. Public Recursive to Public Forwarder

  4. Public Forwarder to PAT'ed Address: Source: Public Forwarder; Destination: Router Public Address

  5. Router PAT traffic to internal DNS client on LAN

Would just like to confirm the traffic esp. the addressing portions.

TIA!



Monday, December 31, 2018

Understanding how a wireless bridge works help.

I get what it does... but I am a bit confused.

When we have a wireless bridge is everything on the same network. for example 192.168.1.0 /24?

or is this more like some kind of wireless routing? ie both routers would have to be on separate networks

ie 192.168.1.0 and 192.168.2.0 with information being routed between them?



Rural ISP's robbing customers blind.

So I live in a very rural part of CA and only have access to satellite or point to point wireless. We all know the data limited story with satellite and I am grateful that I have the point to point as a second option but the cost these ISP's charge for the throughput speeds you get is just outrageous. I pay $300 a month for an unlimited point to point 30Mb/s down and 10Mb/s up connection when people are able to get gigabit for around $100 a month 30-45 min away. Now I get that living in a lovely rural area like I am comes at a cost and I should not expect city luxuries in a rural environment. But 3x the cost of a gigabit connection 30 min away at 3% of the speeds is just driving me insane. Even if I lived right in town and had Comcast business I could get 80-100Mb/s for around $150 a month. Is there something I am missing that justifies wireless ISP's charging these outrageous prices for such slow speeds? I hate the thought of moving for internet but it is starting to come to that point. I work in IT, am a heavy gamer and I'm tired of having a car payment for slow internet. Unless something major changes in the rural wireless internet game I don't think the situation out here is going to get any better any time soon. I apologize if this isn't the right place for this but I wanted others opinions and thought I might find some insight here.



IPSec vs IKEv2

Hello,

I am a high school junior working on my submission for a network design competition (don't have any significant certs yet, only an MTA - hopefully I will have my CCNA by the end of high school as I have been teaching myself networking). Instead of going for an Ethernet Private Line or leased line to connect up sites for this project, I figured using IPSec would be much more practical, cost efficient, and scalable. When I was doing some research, I stumbled upon something called IKEv2. Could someone clarify how IKEv2 is different from IPSec and when to use one over the other?

Thanks!