Saturday, January 19, 2019

How could an EIGRP Stuck In Active event ever happen in real life?

So a route goes down, there's no feasible successor, and the router queries its neighbours, who in turn query their neighbours, and so on until it reaches every EIGRP router in the domain. During this time, the routers will be running timers counting down from 3 minutes, and if they don't hear a response in that time, they'll tear down their neighborships.

What I don't understand is... how could this ever happen in real life? I mean, in what world would it take more than 3 minutes for a query to reach the end of an EIGRP domain? Is there some very important factor that I'm not taking into consideration here, something that could explain how this could ever be something to worry about?



Firewall - B2B VPNs

Hi guys, so I'm evaluating some firewalls for B2B connections. Primarily Cisco ASA, Fortinet and Palo Alto. Are all of these firewalls equal in their capabilities for offering B2B connections? I'm not really interested in Next Gen features at this point in time. Thanks in advance.



Where is the Control plane located in SDN solution?

One of the key selling points of SDN is decoupling the management, control and data planes.

Just using the Cisco solutions (DNA and ACI) as an example, the controllers (DNA Center and APIC) are where the policies are defined and pushed out to devices. So the controller is mostly management plane, and the devices are doing the heavy lifting of compiling the policies to forward traffic accordingly as the data plane... So where is the control plane? I think the control plane is still on the device/fabric. If we think about OSPF, it is still the devices doing the OSPF calculations and populating the RIB, not DNA Center or APIC... (the SD-WAN controller actually does do the control plane job, though). So am I wrong?



Some of our company PCs' link speed limited to 10 Mbps and 100 Mbps

Hello all, we are using HP and some Cisco switches for our company, and we face this problem: all switch ports are 1 Gbps and auto-negotiation, all PCs are also auto-negotiation, but sometimes the link speed is limited to 100 or 10 Mbps. What I have already tried:

  1. Forcibly made all PCs run at 1 Gbps (did not work), and some of them don't even have a 1 Gbps option in their link speed; I added it via the Windows registry but it still did not work.
  2. Tried a different cable (did not work).
  3. Tried the same port with another PC that had 1 Gbps speed, but it still did not work.

My question: what could be the reason for this problem?



How is it that HPE switches are able to use CDP and PVST when those both are Cisco-proprietary protocols?


Help setting up a router as an access point

I don't even know if this is possible, but here is my situation: my main router is downstairs by the TV and the Wi-Fi doesn't work reliably in my bedroom upstairs, but it does work in my office upstairs. I have successfully in the past been able to share my wireless connection over Ethernet from the back of my PC into another PC without Wi-Fi, but never a router. My question is: if I share my wireless connection over the wired connection on my PC, can I connect that wired connection into an old router to turn it into another access point? Hope this makes sense.

If this isn't possible I'll go get a powerline adapter and use that.



Questions about FTTH and the PON light on the ONT

So, I've recently subscribed to a 500 Mb/s connection, and for a while things worked just fine. Then, one day, for no apparent reason, the PON light that had remained solid green for the last few weeks started to blink, and I've suffered a constant cycle of disconnections as the light gains stability for a few moments before blinking again.

Now, what I'd like to know is exactly what variety of issues could cause something like this to occur?



Title change - going from senior to non-senior

At my current employer I was brought on as a Network Engineer 3. I'd say when I started I was mid-level and have certainly gained a lot of experience. In the time I was there, the Senior Network Engineer on our team left, so I was promoted. I feel it was mostly due to me being on the team the longest in tenure more than being a "Senior" level employee, though I am by far the most technical on the team right now.

Times have changed and I am now looking for a new company to work for. I've found a company that I really would like to transition to, however the title would be back to a normal old "Network Engineer". I'm fine with this, but I've seen others see this as a backslide.

Is this change in title a bad mark on a resume? Do titles really matter in the long run? Or do titles mean different things to different companies?

edit: I have about 6 years of networking experience I can put on a resume, if that helps at all.



Are public IP addresses in internal networks really bad? Is it a good reason to nuke a network?

So I got a call from a friend yesterday. He needed advice and here is the issue:

  1. He is the network admin (new company) and someone used public IP space internally. They don't know who the IP addresses belong to and it does not affect how the network works. They used, say, 192.20.x.x.
  2. The DHCP server's available addresses are already exhausted, so they are constantly using Angry IP to identify dormant machines and delete them. The whole network is not in good shape.

I suggested starting over (slowly migrate everything to a new network), but I wanted to hear what others say about this whole situation.
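A quick way to put numbers on the first point, as an added example that is not part of the post: the script below classifies every subnet in an inventory as RFC 1918, globally routable ("public", i.e. allocated to someone else) or special-purpose, and also reports overlapping blocks, using only the standard library. The inventory is constructed for the example; 192.20.0.0/16 stands in for the "192.20.x.x" the poster mentions, and the other blocks are there to exercise each branch.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory: subnets a new network admin might find
# configured internally.  192.20.0.0/16 stands in for the poster's
# "192.20.x.x"; the others exercise each classification.
SAMPLE_SUBNETS = [
    "10.10.0.0/16",
    "10.10.5.0/24",       # overlaps the /16 above (a separate problem)
    "192.20.0.0/16",      # looks private at a glance, but is allocated public space
    "192.168.50.0/24",
    "100.64.0.0/10",      # RFC 6598 shared (CGNAT) space: not RFC 1918, not routable
    "203.0.113.0/24",     # RFC 5737 documentation space
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(cidr):
    """'rfc1918', 'public' (globally routable, i.e. someone else's allocation)
    or 'special' (loopback, link-local, CGNAT, documentation, reserved).
    ipaddress.is_private is not used on its own because it also returns True
    for documentation and benchmarking ranges, which are not RFC 1918."""
    net = ipaddress.ip_network(cidr, strict=False)
    if any(net.subnet_of(block) for block in RFC1918):
        return "rfc1918"
    if net.is_global:
        return "public"
    return "special"

def audit(subnets):
    return {cidr: classify(cidr) for cidr in subnets}

def public_blocks(subnets):
    """Blocks squatting on public space: hosts inside them can never reach the
    real owners of those addresses, and a leaked route would hijack them."""
    return [cidr for cidr, kind in audit(subnets).items() if kind == "public"]

def overlapping_pairs(subnets):
    nets = [ipaddress.ip_network(c, strict=False) for c in subnets]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]

if __name__ == "__main__":
    for cidr, kind in audit(SAMPLE_SUBNETS).items():
        print(f"{cidr:18} {kind}")
    print("public space used internally:", public_blocks(SAMPLE_SUBNETS))
    print("overlapping blocks:", overlapping_pairs(SAMPLE_SUBNETS))
```

Feed it the subnets from the routers' interface configs or the DHCP scopes; anything that comes back "public" is the list of ranges that have to be renumbered before the network can be trusted to reach the real internet owners of those addresses.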



Modem pair for Nighthawk r6700

I currently have a Netgear Nighthawk R6700 and the modem/router that came with Cox. What modem should I get that won't bottleneck my router and will stay under $120?

My ISP is Cox; not 100% sure on the plan, but with this setup I get at least 150 down and 32 up over Wi-Fi.

I have some concerns about Intel Puma modems, though I'm not completely brushed up on the subject.



Slow Internet From ISP

My ISP is a company called Manx Telecom, and I live on a smaller island, so there is not much else I can do in terms of ISP. Manx Telecom is the main provider for the island and, from what I've heard, owns all the lines to provide people with broadband (I don't know much about it). I'm writing this because the internet they can provide us in the area is slower than 2 Mbps, and is terrible. I want to play online games, and I was wondering if 2 Mbps is enough for doing that + Discord or any other program like it. Currently I have a 4G router they've provided us with (not free of course), but it does the job for general browsing or watching YouTube. The 4G router has a speed of no more than 15 Mbps. The problem is the instability in games, or latency. I can get upwards of 400 ping in any game I play for over 5 minutes, and then suddenly it'll go back down to around 30-40 ping, and we've tried different 4G routers, SIM cards, etc. I know it's not the servers, as I have friends also on Manx Telecom who live in a populated area and have 11-20 ping.

I was wondering if there was an alternative, or if 2 Mbps is enough for gaming + Discord. I live on the Isle of Man and can't find any other solution that's not upwards of £25,000 just for the setup fees. I have also contacted Manx Telecom about an "upgrade package", and they said we live too far away for anything other than the standard and cheapest ADSL2+, if you know what that means (I don't).

Any help would be amazing. Thanks.



How to do proper path selection with 3 route options?

Please let me know if I need more detail:

I have a network (let's call it 192.168.100.0/24).

I have a router with 3 possible paths to this network.

My preferred path is "eigrp fast route". Next choice would be an eBGP route. Third choice would be "eigrp slow route".

How do I make this happen, how can I configure the router to have it failover properly between these 3 routes in that order?

I'm open to changes. Right now the 2 eigrp routes are in the same AS, but that could change if needed.



Wireshark on Windows - remote capture from a Linux machine

Hi guys

Is anybody around here familiar with capturing packets from a remote Linux machine using Wireshark's sshdump on a Windows machine?

I have tried everything I could but no luck. I am asking about this:

https://www.wireshark.org/docs/man-pages/sshdump.html

Note: I am using Npcap, not WinPcap, locally on the Windows 10 machine, but I don't think it should matter.



Not able to see a printer on the network unless...

I currently have a setup of 2 routers in my home.

One main router from my ISP that everything is connected to (other computers, Wi-Fi printer, etc.) and a TP-Link router that is connected via an Ethernet cable running from the main router into the second TP-Link router, which I have my PC connected to. The second router is located in my room.

I have this setup just because the Wi-Fi signal in the house is quite bad and I wanted a Wi-Fi repeater, but knew it would require a cable switch to split the Ethernet cable I have in my room between the repeater and the PC.

Looking back, maybe I should've invested in those two, because my knowledge of networking is insufficient and handling 2 routers is not easy. It took me ages just to understand how to open ports, because there is a process that needs to be done in both routers.

So back to the question... there is a printer in my home, but I cannot access it when I'm connected through the second router; only if I unplug the Ethernet cable that comes to my room from the main router into the second router and plug it directly into my PC will it find the printer (obviously)...

So what is the solution? Is there a way to combine those two routers? A process that should've been done ages ago? Obviously I'm expecting a technical solution and not a physical one; I could've just gone to the store and bought a cable switch and a Wi-Fi repeater, but this second router thingy is working just fine for me, besides the connectivity between the two routers part.



How exactly does a VPN protect me from an ISP? From what I know, all of my traffic passes through the ISP and into the VPN server. The ISP is in between us. Or have I understood incorrectly?

From what I've read on the internet, a VPN creates a "tunnel". I don't really understand the tunnel analogy. Does it mean that the data is encrypted? If it is encrypted, where does the encryption occur? Is it done locally on my device? Do the VPN apps perform this encryption?

Also, what books would you recommend to a guy who wants to start learning about computer networks and how they work? Are there any prerequisites to this topic?



Using SALT for Event Driven Network Automation

Noob here with SALT, and I am currently going through the SALT documentation on Juniper automation (Day One: Automating Junos with Salt). Outside of that literature, is there anything someone could recommend?

Also, for the purpose of this conversation, I will also need to configure an SNMP trap collector. Can SALT meet that requirement as well, or will I need to install a collector compatible with SALT?



Need help with cloud infrastructure

I've a school case study to be done and I am kinda stuck. http://imgur.com/iwJBiC9 (this is the setup given). I am supposed to revise the infrastructure with the following requirements: recommend a high-availability DAS that is capable of recovery in a very short amount of time; recommend suitable links that are low cost and also allow mobile workers to log in to the US and HK offices. The recommendation should cover the network, CPU processing power and storage requirements.

Currently it's using T1 leased lines, which cost 50k per month. The routers are configured statically. Routers can be managed from any location via telnet. A tape drive is used for daily backup. End users from the bank use their laptops to access these applications over RDP through the internet.

These are my tasks:

  1. Identify underlying issues.
  2. Design and propose an improved architecture.
  3. Justify the proposed solution.

I've identified some of the issues, like the use of a tape drive instead of HDD, RDP instead of VPN, and the lack of firewalls. There's no high availability of the DAS; thinking of adding NAS instead. Doesn't have antivirus. The T1 leased line is too expensive; thinking of optic fiber. I wanna do a full mesh topology, but I've no idea how to set it up.



Friday, January 18, 2019

Palo Alto 3020 - aged out sessions when traffic is allowed all outbound. ISP failover with path monitoring.

I'm attempting path monitoring on a virtual router's static route that goes out via ISP1. I can force the path monitoring setting to trigger and go to the next VR if I put in a phantom IP to ping, which will fail.
However, when my test computer then tries to get any traffic out, it's giving an "aged-out" session end reason. I see the From zone is the same and the To zone is now the "backup external" zone.
This ISP2 I'm trying to fail over to is an active, working connection, as it is the active "Guest network" as well and works just fine. So I'm curious if anyone's implemented this; maybe I'm missing an important setting to make it work.



Home Wi-Fi router with good QoS settings, specifically setting upload & download speed limits per device?

Hey, looking for a decent home ADSL2+ Wi-Fi router that offers QoS per connected device. Specifically, I need to limit upload & download bandwidth per device. The shitty one that was supplied by our ISP only allows download limiting, but devices syncing with iCloud and other 3rd-party services flood our upload bandwidth & we start dropping incoming packets like crazy.

Edit: I've found the Netgear XR500, which offers the QoS features I want but is way outside my budget.



Industrial PoE Switch with port-based DHCP?

I need an industrial DIN rail switch with 4-8 PoE ports that can do port-based IP addressing.

I would like a maintenance crew to be able to swap security cameras without needing to mess with IP addressing. These cameras are used for hot work, and when they die I need to be able to just plug in a new camera (AXIS, works with DHCP) and immediately have it display on my RTSP stream.

I found this, but it's a little more than I need:

https://www.lantechcom.tw/global/eng/IPGS-5408DFT.html

I also found this; it says port-based DHCP server, but it's not PoE:

https://www.phoenixcontact.com/online/portal/us?uri=pxc-oc-itemdetail:pid=2702175&library=usen&tab=1

Anyone have any ideas?



Colour network cables?

I would like to use different colour network cables for such things as uplinks/AP/console cables etc., but hate the idea of buying loads and loads of different cables.

I was wondering if there was a product like heat wrap sleeves for network cables: buy a reel and use it on cables when I know the right length?

Or what do people use instead of buying loads of different cables?



What's the deal with HPE routers?

I'm trying to plan out our network for a retail store and HP seems to check all the boxes on their routers and switches. User feedback on their switches seems okay, but I can't find any anecdotal stories about their routers (actually having a hard time trying to find reference manuals for the OS). Can anyone shed some light on this? (I'm guessing maybe the HP routers are relabeled from an acquisition?)



New Cisco NCS 2006 shelf and CTC disconnects over and over

Hey guys,

Not sure what is going on here. Trying to turn up a new NCS 2006 with TNCS cards, directly connected to the shelf with my laptop, and I can't get it to stay connected long enough to even put the XML config on. The chassis stays pingable, but I keep getting the disconnected message; I can reseat the card and reboot and connect again for a short while, and then it disconnects, all the while still pingable from my machine. Thought it was my laptop, so I brought another one in today, and it's still doing the same thing after a fresh OS and Java 1.8 setup on that machine.

I’m missing something silly, but hoping you guys can give me a missing clue as it’s proving hard to troubleshoot when my only course of action is rebooting the chassis to get connectivity again.



AT&T Flexware SD-WAN

Hey everybody! Has anyone deployed any FlexWare appliances from AT&T? If so, can anyone tell me if these devices have or support dual power supplies? I can't get straight answers from our rep, nor does anything meaningful appear in Google/Bing/DuckDuckGo/searx/whatever.

Thanks in advance! Shout out to all those engineers on call this weekend.



traceroute and ping related questions

I understand traceroute uses the ICMP TTL field & ping generally uses echo-request and echo-reply.

  1. I am wondering if traceroute and ping would still work if I did not permit an 'icmp any any' rule or similar ICMP-related rule in an access list but did permit an 'ip any any' rule. I notice this happening on some devices, though I can't understand the rationale for this.
  2. I have been told traceroute & ping do not work when they are initiated from one interface of an ASA firewall & the packet crosses over & passes through another interface of the firewall (even if a 'permit icmp any any' rule is there in this case). What is the rationale behind this behaviour?
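The mechanism behind question 1, as an added Python example (not from the post, and not anyone's production traceroute): it builds the probes a traceroute sends (UDP with a rising TTL, as on Unix, or ICMP echo, as Windows tracert does), simulates each router decrementing the TTL and, on expiry, dropping the packet and answering with ICMP Time Exceeded that quotes the original IP header plus 8 bytes, and then parses those answers back to the probe they belong to. The point it makes visible is that every answer is ICMP regardless of what the probe was, so an inbound filter has to admit ICMP types 11 and 3 (and 0 for echo probes) or the trace shows only stars. All addresses, the router path and the port numbers are made up for the simulation; nothing is put on the wire.

```python
import socket
import struct

ICMP, UDP = 1, 17
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
BASE_PORT = 33434                      # classic UDP traceroute starting port

def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (IPv4 and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src, dst, ttl, proto, payload):
    """20-byte IPv4 header without options; the TTL lives here, not in ICMP."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def icmp(kind, code, rest, data=b""):
    """ICMP message: type, code, checksum, 4-byte 'rest of header', then body."""
    msg = struct.pack("!BBH", kind, code, 0) + rest + data
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

def probe(src, dst, ttl, seq, udp=True):
    """Unix traceroute sends UDP to BASE_PORT+seq; Windows tracert sends ICMP echo."""
    if udp:
        return ipv4(src, dst, ttl, UDP, struct.pack("!HHHH", 40000, BASE_PORT + seq, 8, 0))
    return ipv4(src, dst, ttl, ICMP, icmp(ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, seq)))

def router(addr, pkt):
    """One forwarding hop: decrement TTL, or on expiry drop the packet and send
    ICMP Time Exceeded quoting its IP header plus 8 bytes of payload (RFC 792).
    Returns (forwarded_packet, reply); exactly one of the two is None."""
    ttl = pkt[8]
    if ttl <= 1:
        reply = ipv4(addr, socket.inet_ntoa(pkt[12:16]), 64, ICMP,
                     icmp(TIME_EXCEEDED, 0, b"\0\0\0\0", pkt[:28]))
        return None, reply
    hdr = pkt[:8] + bytes([ttl - 1]) + pkt[9:10] + b"\0\0" + pkt[12:20]
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + pkt[20:], None

def destination(addr, pkt):
    """Final host: closed UDP port -> ICMP Port Unreachable (quotes the probe);
    ICMP echo request -> echo reply carrying the same id/seq."""
    src = socket.inet_ntoa(pkt[12:16])
    if pkt[9] == UDP:
        return ipv4(addr, src, 64, ICMP, icmp(DEST_UNREACH, 3, b"\0\0\0\0", pkt[:28]))
    return ipv4(addr, src, 64, ICMP, icmp(ECHO_REPLY, 0, pkt[24:28]))

def parse_reply(pkt):
    """Return (hop address, ICMP type, probe sequence).  The reply is ICMP no
    matter what the probe was; the sequence is recovered from the quoted
    UDP destination port or the quoted/echoed ICMP sequence number."""
    ihl = (pkt[0] & 0x0F) * 4
    hop, msg = socket.inet_ntoa(pkt[12:16]), pkt[ihl:]
    if msg[0] == ECHO_REPLY:
        return hop, ECHO_REPLY, struct.unpack("!H", msg[6:8])[0]
    quoted = msg[8:]                                 # our own IP header + 8 bytes
    l4 = quoted[(quoted[0] & 0x0F) * 4:][:8]
    if quoted[9] == UDP:
        seq = struct.unpack("!H", l4[2:4])[0] - BASE_PORT
    else:
        seq = struct.unpack("!H", l4[6:8])[0]
    return hop, msg[0], seq

def traceroute(src, dst, path, udp=True, max_hops=30):
    """Simulated run through `path` (ordered router addresses) to `dst`."""
    hops = []
    for seq in range(1, max_hops + 1):
        pkt, reply = probe(src, dst, seq, seq, udp), None
        for addr in path:
            pkt, reply = router(addr, pkt)
            if reply is not None:
                break
        if reply is None:
            reply = destination(dst, pkt)
        hop, kind, echoed = parse_reply(reply)
        if echoed != seq:
            raise ValueError("reply does not quote our probe")
        hops.append(hop)
        if kind in (DEST_UNREACH, ECHO_REPLY):
            break
    return hops

if __name__ == "__main__":
    path = ["10.1.0.1", "10.1.1.1", "192.0.2.1"]          # made-up routers
    print("udp :", traceroute("10.1.0.20", "198.51.100.7", path))
    print("icmp:", traceroute("10.1.0.20", "198.51.100.7", path, udp=False))
```

The ACL consequence follows directly from the packet formats: a 'permit ip any any' admits the ICMP replies because ICMP is carried in IP, whereas an inbound list that only permits the probe protocol (or only echo/echo-reply) drops the Time Exceeded and Port Unreachable messages, which is what makes a trace show stars even though the probes themselves left fine.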


EnGenius ENS202EXT HELP!

Hey geniuses of Reddit,

I need help setting up an EnGenius ENS202EXT.

I followed the manual guide on setting it up, but I cannot seem to access the extender UI itself.

Things to note:

- PWR light is off

- Both LAN lights are off

- WLAN light is blinking

- Signal lights are all off

I have tried holding the reset button for 10 seconds; it doesn't seem to do anything.

I have set my IP address to 192.168.1.10 and subnet mask to 255.255.0.0 and tried to connect to the extender using Chrome. 192.168.1.1 (default) doesn't work.

I have tried connecting it straight to my computer, still nothing.

I'm not entirely sure what is going on with this extender, so maybe someone out there can help me! Thanks!



Trying to configure NetFlow on ASR 1001-X

I need some help,

I have been working away at this for far too long.

I'm setting it up so I can monitor all traffic coming into and leaving the router.

I'm just trying to configure NetFlow to export data to my NetScout sniffer.

This is my current config; did I miss something?

flow exporter NETFLOW_EXPORTER
 destination (Netscout_Sniffer_IP-Address)
 transport udp 2055
!
flow monitor NETFLOW_MONITOR
 record netflow ipv4 original-input
 exporter NETFLOW_EXPORTER
!
! MPLS
interface GigabitEthernet0/0/0.30
 ip flow monitor NETFLOW_MONITOR input
 ip flow monitor NETFLOW_MONITOR output
!
! MPLS
interface GigabitEthernet0/0/0.40
 ip flow monitor NETFLOW_MONITOR input
 ip flow monitor NETFLOW_MONITOR output
!
! downstream switch
interface GigabitEthernet0/0/1
 ip flow monitor NETFLOW_MONITOR input
 ip flow monitor NETFLOW_MONITOR output
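What the collector on UDP 2055 has to do with the packets that config produces, as an added Python example (not the poster's configuration, not Cisco's or NetScout's code): a minimal NetFlow v9 decoder. Version 9 is template driven, so the exporter periodically sends a template FlowSet (ID 0) describing the record layout, and data FlowSets (ID 256 and up) can only be decoded once that template has been cached per source ID; data that arrives before its template is undecodable and is dropped. The template here is a constructed seven-field subset, not the full `netflow ipv4 original-input` record (which also carries ToS, masks, next hop, AS numbers and timestamps), and the three sample flows are invented; the parser itself is generic and would decode a real export with whatever fields its template declares. A small watch-list at the end shows the kind of check a security team runs over decoded flows.

```python
import struct

# NetFlow v9 field types (RFC 3954) used by the constructed sample template.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}
SAMPLE_TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]

def decode(ftype, raw):
    return ".".join(map(str, raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")

def encode(ftype, flen, value):
    return bytes(map(int, value.split("."))) if ftype in (8, 12) else int(value).to_bytes(flen, "big")

class NetflowV9Collector:
    """Stateful decoder: templates arrive in FlowSet 0 and are remembered per
    (source_id, template_id); data FlowSets are decoded against that cache."""

    def __init__(self):
        self.templates = {}

    def feed(self, packet):
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        records, off = [], 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
            if fs_len < 4:
                raise ValueError("malformed FlowSet length")
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:
                self._learn(source_id, body)
            elif fs_id >= 256:                      # 1 = options template, 2..255 reserved
                records += self._records(source_id, fs_id, body)
            off += fs_len
        return records

    def _learn(self, source_id, body):
        p = 0
        while p + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[p:p + 4])
            p += 4
            fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
            p += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _records(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if not fields:
            return []                              # data before its template: drop
        rec_len, out, p = sum(l for _, l in fields), [], 0
        while p + rec_len <= len(body):            # trailing bytes are padding
            rec = {}
            for ftype, flen in fields:
                rec[FIELD_NAMES.get(ftype, "field_%d" % ftype)] = decode(ftype, body[p:p + flen])
                p += flen
            out.append(rec)
        return out

def build_packet(rows, source_id=0, template_id=256, with_template=True, seq=1):
    """Constructed v9 export of `rows` (dicts keyed like FIELD_NAMES), optionally
    preceded by the template FlowSet an exporter resends periodically."""
    fields = SAMPLE_TEMPLATE
    data = b"".join(encode(t, l, row[FIELD_NAMES[t]]) for row in rows for t, l in fields)
    pad = (-len(data)) % 4
    flowsets = struct.pack("!HH", template_id, 4 + len(data) + pad) + data + b"\0" * pad
    if with_template:
        tmpl = struct.pack("!HH", template_id, len(fields)) + b"".join(
            struct.pack("!HH", t, l) for t, l in fields)
        flowsets = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + flowsets
    header = struct.pack("!HHIIII", 9, len(rows) + int(with_template), 123456, 1547856000, seq, source_id)
    return header + flowsets

# Invented flows: one HTTPS session, one telnet session, one DNS query.
SAMPLE_FLOWS = [
    dict(src_addr="10.30.1.15", dst_addr="93.184.216.34", src_port=51234, dst_port=443, protocol=6, in_bytes=5120, in_pkts=12),
    dict(src_addr="10.30.1.15", dst_addr="10.0.1.5", src_port=51240, dst_port=23, protocol=6, in_bytes=900, in_pkts=14),
    dict(src_addr="10.30.2.7", dst_addr="10.0.1.10", src_port=40000, dst_port=53, protocol=17, in_bytes=120, in_pkts=1),
]
WATCHED_PORTS = {23: "telnet", 445: "smb", 3389: "rdp"}

def suspicious(records):
    """Flows worth a second look: cleartext or lateral-movement ports over TCP."""
    return [(r["src_addr"], r["dst_addr"], WATCHED_PORTS[r["dst_port"]])
            for r in records if r["protocol"] == 6 and r["dst_port"] in WATCHED_PORTS]

if __name__ == "__main__":
    collector = NetflowV9Collector()
    for rec in collector.feed(build_packet(SAMPLE_FLOWS)):
        print(rec)
    print("flagged:", suspicious(collector.feed(build_packet(SAMPLE_FLOWS, with_template=False, seq=2))))
```

The template-before-data rule is also the usual reason a freshly pointed collector shows nothing for the first minute or two: it has to wait for the exporter's next template refresh before any data FlowSet it receives is decodable.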



IP Addresses and VLANs

Is there any way I could see what IP addresses are using a specific VLAN? I want to make a database for our phones, and we use a VLAN for each port a phone is plugged into.

(Still very new to networking)

Thanks in advance.
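One way to answer this from a packet capture rather than from the switch CLI, as an added Python example that is not part of the post: capture on a trunk or SPAN port with tcpdump (`-e` is not needed; the 802.1Q tag is in the frame) and map each VLAN ID to the source IPs seen in it. The parser reads the 802.1Q/802.1ad tag (or a stacked pair, reporting the innermost VID), then pulls the source address from an IPv4 header or the sender address from an ARP packet, which is handy because a phone that has just booted announces itself with ARP before it sends much IP traffic. The MAC addresses, VLAN numbers and IPs in the sample frames are constructed for the example; `read_pcap` is included so the same function can be pointed at a real classic-format capture.

```python
import socket
import struct
from collections import defaultdict

def parse_frame(frame):
    """Return (vlan_id, src_ip) for one Ethernet frame.  vlan_id is None for an
    untagged (native VLAN) frame; with stacked tags the innermost (customer)
    tag is reported.  src_ip is None when the payload is neither IPv4 nor ARP."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vid = 14, None
    while ethertype in (0x8100, 0x88A8, 0x9100):    # 802.1Q, 802.1ad, old QinQ
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        vid, off = tci & 0x0FFF, off + 4
    if ethertype == 0x0800:
        return vid, socket.inet_ntoa(frame[off + 12:off + 16])   # IPv4 source
    if ethertype == 0x0806:
        return vid, socket.inet_ntoa(frame[off + 14:off + 18])   # ARP sender IP
    return vid, None

def inventory(frames):
    """VLAN id -> set of source IPs seen in it (None = untagged)."""
    seen = defaultdict(set)
    for frame in frames:
        vid, ip = parse_frame(frame)
        if ip is not None:
            seen[vid].add(ip)
    return dict(seen)

def read_pcap(path):
    """Frames from a classic (non-pcapng) pcap file; only Ethernet link type 1."""
    with open(path, "rb") as f:
        data = f.read()
    endian = "<" if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("not an Ethernet capture")
    off, frames = 24, []
    while off + 16 <= len(data):
        _ts, _us, caplen, _wirelen = struct.unpack(endian + "IIII", data[off:off + 16])
        frames.append(data[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return frames

# --- constructed sample frames (no real devices behind these) ---
def make_frame(src_mac, vlan, ethertype, payload, dst_mac=b"\xff" * 6):
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)   # PCP 0, DEI 0
    return dst_mac + src_mac + tag + struct.pack("!H", ethertype) + payload

def ipv4_stub(src, dst):
    """Just enough IPv4 header for the parser: version/IHL and addresses."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def arp_request(src_mac, src_ip, target_ip):
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, src_mac,
                       socket.inet_aton(src_ip), b"\0" * 6, socket.inet_aton(target_ip))

PHONE1, PHONE2, PC, WLC = (bytes.fromhex(m) for m in
                           ("001122aa0001", "001122aa0002", "00aabbcc0005", "00deadbeef01"))
SAMPLE_FRAMES = [
    make_frame(PHONE1, 30, 0x0806, arp_request(PHONE1, "10.30.0.11", "10.30.0.1")),
    make_frame(PHONE2, 30, 0x0800, ipv4_stub("10.30.0.12", "10.0.1.20")),
    make_frame(PC, 40, 0x0800, ipv4_stub("10.40.0.5", "93.184.216.34")),
    make_frame(WLC, None, 0x0800, ipv4_stub("10.0.1.249", "10.0.1.1")),
]

if __name__ == "__main__":
    for vid, ips in sorted(inventory(SAMPLE_FRAMES).items(), key=lambda kv: (kv[0] is None, kv[0])):
        print("VLAN", "untagged" if vid is None else vid, "->", sorted(ips))
```

Capturing on an access port only ever shows one VLAN untagged, so for a per-VLAN inventory the capture point has to be a trunk, a SPAN session that preserves tags, or a mirror on the router's trunk interface; the switch's MAC/ARP tables give the same mapping without a capture if the CLI is available.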



What was your biggest IT mistake?

I once crashed an AD server, which tombstoned and then replicated to the other DCs at all sites. No users could log in and the enterprise was down before I realized what I did. It only took about 2 hours to get back up... but 2 days' worth of paperwork. Haha.



Complete Network Failure When Cisco 3800 Series AP Joins Cisco 3500 Series WLC.

I have 2 WLCs on my network, a 3504 and a 2504 (for older APs slowly being upgraded). Recently we purchased two new AIR-AP3802I-B-K9 APs, and life has been swell. I unboxed them, plugged them into a switch in the proper VLAN, and look at that... wireless. It's beautiful when it works. That said, we also ordered some spare APs just in case (same model). I made sure these spare APs could join the controller and registered properly with the correct software version; they did. They were named SPARE-AP-01 and SPARE-AP-02 and placed back in their original box until they need to be called into service.

Fast forward: I go to install 2 new APs, as 2 new lines were recently pulled, tested and certified. I install the first AP, and it joins as expected. I name it, etc., and move on to the next AP. I see the lights start flashing and then the blue beacon of happiness saying it's downloading the controller software, awesome. The light turns green, it associates... and I have no LAN communication. I can't ping out, I can't hit internal servers, nothing. I unplug the AP that just joined the network, and everything IMMEDIATELY comes back. I can ping out, hit servers, etc.

I proceeded to unplug the PoE to the other new AP just installed, and plug in the second one; it joins without problem, now I can configure it, name it, etc., cool. I plug in the AP that had previously JUST JOINED the controller, and the same thing happens: all LAN traffic ceases. I unplug the AP and traffic starts flowing again.

OK, did we get 2 bad APs? I plugged in SPARE-AP-01, it joined as expected, and then I plugged in SPARE-AP-02 and again... all LAN traffic completely halts. I'm thoroughly at a loss for what could be causing this. I've tried different switch ports, made sure all connections are identical to functioning APs, and everything matches.

I can provide some basic details below and provide more as needed (I don't want to dump out too much irrelevant info):

Hardware In Play:

3504 Controller: 10.0.1.249 (SW: 8.5.131.0)

  • Currently supporting 6 3802 APs and 6 2602 APs

  • New APs are configured to connect to this WLC first, and then join the older controller if this one is unavailable

  • Hands out 10.30.0.0-10.35.0.255 IPs via internal DHCP server

  • Existing APs' DHCP leases converted to static

2504 Controller: 10.0.1.248 (SW: 8.3.143.0)

  • Currently supports 13 1261 APs

  • Has supported the 3800 series APs in the past

  • Hands out 10.30.0.0-10.35.0.255 IPs via internal DHCP server

  • Existing APs' DHCP leases converted to static

Switches Powering AP's via PoE:

  • Juniper EX3300-48P - powers all of our APs without prior issues

  • All switches carrying APs are configured identically; the working APs are configured the same way as the ones not working and causing the LAN drop

Troubleshooting:

  • Replaced the 2 new APs causing issues with 2 known good spares

  • Verified all physical connections

  • Verified switch configurations

  • Verified controller configurations

  • Verified DHCP/address leases

  • Tried 1 new AP - works (independent of one vs. the other, it's the same result)

  • Tried both new APs - network fail (if 2 new APs are on, the network fails; it does not matter which one is up and which one is down)

Myself, as well as my escalation support, are completely at a loss, as none of this makes any sense (at least to us), and neither one of us has ever even heard of something like this. I'm hoping maybe one of you more seasoned guys or gals can help out and think of something we might be missing.

Thanks to all!

Edit 0: Formatting.



Troubleshooting Windows Server 2016 RRAS: Clients not consistently able to hit resources on the network

I have a Server 2016 VM set up with RRAS and a handful of clients connecting to it via SSTP. What I've been seeing is that those clients cannot hit resources within the VPN consistently. Sometimes it can take four or five reconnections to the VPN before they can reach resources there. The VPN server is always reachable after they connect, but it then behaves like it cannot find things on the same subnet until the client disconnects/reconnects a few times. Not even sure where to begin troubleshooting it, and would like some suggestions.



Network Admin Role transition

I submitted my notice to move on to another company. Being the lone network admin at my org has been very taxing for the last year. No vacation and lots of work during off time. I've asked numerous times for help/a 2nd admin. The new org seems much more laid back, smaller, pays more and will have a team of admins. A week after submitting my notice, my manager has been piling on work and requesting long-term projects be completed in 4 days due to not having anyone to perform my duties. I've been working to make sure everything is documented as much as possible. I don't want to leave a mess of unfinished projects, but I can't delay a good opportunity to finish them. I was curious as to how some of you in this community have handled this type of situation, or if you have any advice?



I need to explain to other senior engineers why it's bad to cluster across data centers

Monday, I'm going to be asked to explain to 25 other network engineers, including 6 or 7 other senior engineers, why it is bad to create a cluster across data centers, as opposed to having a cluster at each DC and failing over between them. And if I cannot sufficiently explain why, then "the way it's always been" will take precedence over our 99.999% service availability SLA.

I really wish I could say that I'm joking. But I'm not. I'm sitting here right now, just... Stunned. I feel like I'm being asked to explain why it's painful to cut off your left foot with a hack saw. All I can think of is, "because it hurts like hell!"

One of the senior engineers is deploying a firewall cluster to upgrade his aging firewalls. For years, the way we've always done it has been to buy two firewalls (or storage nodes, or VPN termination points, or anchor controllers, etc etc etc) and put one at each of our data centers in an active-active or active-hot-standby type of design. Stretch those VLANs and call it a day. No, we do not bother reading vendor best practice design documents. When someone points out that such documents generally discourage this type of design, it is literally ignored. I gave up trying to intervene many years ago, but have recently been put in a position where the expectation is that I'm to intervene and to not give up.

What would you say in this situation? Any links to hard facts that I could maybe provide? I can't really give links and say "Go read this" because it will be ignored. But if I can throw out some facts and possibly even specific examples, I may have a chance.

Thoughts?



10Gbps Uplink Switches

We have a school of about 500 students and 36 staff. Internet speed is 400/25. Overall about 40 staff PCs, 20 VoIP phones, 50 lab PCs, 200 wireless computing devices. We have a separate wireless controller with Aruba stuff already and a new WatchGuard firewall (10 Gbps module upgradable), and the need to segment security camera devices. We have 1x 1 Gbps main switch and 5x 24-port HP 10/100 switches. We'd like to replace those with cost-effective but functional models so that we may have the option to go 10 Gbps in the future. Obviously, budget is of concern here.

Overall, network traffic at the school is not that intensive. No one really file shares across to other devices, email is in the cloud with local server backups, school mgmt. system in the cloud. Basically, the majority of traffic going to PCs and devices is Windows infrastructure services and internet activity.

Someone said the support is best on the HPs, medium on the Netgears and not that great on Ubiquiti.

Ubiquiti 48 port (1 Gb Ethernet, 10 Gbps fiber uplinks) $870

https://www.bhphotovideo.com/c/product/1267264-REG/ubiquiti_networks_us_48_48_port_unifi.html
https://www.ui.com/unifi-switching/unifi-switch-2448/

Netgear (1 Gb Ethernet, 10 Gbps fiber uplinks) $687

https://www.netgear.com/business/products/switches/smart/s3300-gigabit-stackable-smart-switch-10g-uplinks.aspx#tab-overview

https://www.amazon.com/NETGEAR-Stackable-10GBASE-T-Lifetime-Protection/dp/B00OZCFVVC/ref=sr_1_3?ie=UTF8&qid=1547834637&sr=8-3&keywords=S3300-28X



Networking Field Laptop Recommendation

Lenovo has just released the X280, but sadly they removed the on-board NIC. Anyone have a recommendation for a good field laptop that has an on-board NIC and AC Wi-Fi, SSD, and is under 12.5 inches? A few years back I posted this question, got a great response and ended up getting the X260. Another team member needs a new system, and I wanted to see what everyone else is using these days...



Best Linux Tools/Programs For Network Issues Diagnosis

A few months ago I permanently switched to Linux (Mint) and I'm using it for work as network support.

I optimized my Linux setup so it will be easier for me to diagnose network-related issues,

but I want to check with the network community what the best tools are that you're using every day that work on Linux.

The programs I'm using so far: MTR, tcpdump, Angry IP Scanner, Nmap, Wireshark, Ettercap, yEd Graph Editor, ntopng, netstat, nslookup, Nutty.



Global outage info source

Hello gentlemen,

Any good sources (www, mailing lists, subreddits) where global network outages are displayed?

Thanks,



Slow Wi-Fi and probably RF interference

Hi everyone. We have 5 APs in our office (Aerohive AP122) that show high congestion on the 2.4 GHz band.

I tried to lower the signal strength down to 1 dB without success. I also tried to change channels. They still show "high congestion".

I get ridiculously low transfer speeds with high pings (like 2 MBps) between our laptops and our local NAS.

I don't know what else I can do. Maybe I can change them to a superior model? Like the Ubiquiti ones?

What's the best way to check if there is any external interference?



Forward DHCP requests to ip helper when using a local ip dhcp pool on a Cisco router

Wondering if anyone else has come across this: deploying an OOB NAC solution, and it's helpful to have the NAC receive DHCP requests (it doesn't respond); there can be some good info in there. Works fine for subnets where the DHCP server is reachable through the helper address, e.g.:

 ip helper-address ipofwindowsDHCPserver
 ip helper-address ipofNAC

Both the DHCP server and the NAC receive the request, the DHCP server replies, and all is well in the world.

However, on subnets that have a local "ip dhcp pool" configured, I add "ip helper-address ipofNAC" but the NAC never receives the packet. The Cisco 6500 serves up the address itself from the local pool (as expected) but ignores the ip helper and won't forward the request on.

Question: Short of serving the IP from a different DHCP server, has anyone come up with a solution for this?



Anyone know how to enable SSH on a Sonus/Ribbon SBC1K?

Support documentation assumes SSH is already enabled, with no mention of how to get it working.

Thanks in advance!



A10 Load Balancer - "Expert" Shell?

Hi guys,

I look after a bunch of A10 load balancers within our estate and I've got a particular issue with one of them: I changed the management IP address and there's a static route in the mgmt routing table we can't remove.

I'm told in the first instance I should reboot the thing, but the static route isn't affecting production, just management, so I'm not a fan of this approach. The other option is we've scheduled a WebEx with A10 next week, where the engineer suggests they're going to use the "support shell" to remove the route for us.

Now I assume these A10s are just a Linux/BSD box with A10's proprietary shell over the top. The routing config on them feels exactly like Quagga/FRR, so that's where most of my assumption is coming from.

On a lot of kit, such as their biggest competitor F5, you can just drop out of tmsh and into the Linux shell and I can break all the shit I want, but it's also widely advertised that you can do this.

Does anyone know of this "support shell" on A10s, or if it's possible to drop into the base OS I assume it's built on?



Suggestions for Organizing a "Networking Shelf"

I've been brought into a small medical office to help set up a Mac file server. But you know, there's always little overlooked details. In this case, that would be "where is the server going to go?"

So this is the area where it needs to go, and where I also need to clean things up a bit. ( https://i.imgur.com/16Q7Dsu.jpg )

The server is going to be a Mac mini with a Mediasonic 4 bay HDD enclosure. I'll most likely get some kind of stand for the mini so it can be vertical, to avoid things getting stacked on top of it.

Going down the list of items:

  1. This is their PC server. I don't know what it does and I have nothing to do with it
  2. Some piece of non-computer related electronics. I'm not sure if it's something we can remove or not.
  3. This appears to be a DSL modem, which doesn't make sense because I don't think they are on DSL. It would take weeks for a single software update if that were the case.
  4. This is a Linksys router, they probably use its wifi.
  5. This appears to be a FIOS router, but it has no coax input, instead it has ethernet input that is connected to the DSL modem looking thing. Also I'm sure both of these routers are broadcasting wifi on the same channels right next to each other.

So in addition to adding a mini and a drive stack, all of the ethernet ports in both routers are full. There is talk of hardwiring many of the workstations in the office, since shared server and backups over wifi will be painfully slow. So given both of those facts, I'm just going to install a 24 port ethernet switch NOW even if we're only using 1/3 of the ports.

One thing I know very little about is IP based phone systems. If they are using one of those, will moving things to an unmanaged switch that is connected to the router (as opposed to being plugged directly into the router) cause any issues?

What I'm looking for suggestions for the most, though, is physically getting everything in here. In such a way that everything breathes and nothing overheats. So I don't want to stack things on top of the switch, and on top of the mini. Originally I was thinking of getting 2' zip ties and zipping the switch to the bottom of the shelf, but it has that weird bar in the middle that would interfere with that. So now I'm thinking, if I could find some kind of wire-rack mini shelf system i could stand up on these shelves, then I could stack all of the smaller stuff with even spacing and plenty of air flow.

I assume I can probably get rid of #5 but not anything else. In an ideal world, I'd have them put a big piece of plywood on an empty wall and I'd wall mount everything to that nice and clean.



As in the Circuit Image attached, I cannot access NAS from Parent Router

https://files.mycloud.com/home.php?seuuid=4105c8b4593fda5c308bc681f1d58268&name=IMG_1453

As in the circuit diagram, I cannot access the NAS (2.1.1.210), which is connected to the Asus router (2.1.1.1, DHCP mode), from the Cisco (PPPoE mode, 192.168.3.1).

The requirement for connecting to the NAS from the Cisco is: when I am not in range of the Asus (5 GHz) zone I connect to the Cisco (2.4 GHz), and then the NAS becomes unreachable.

The surprising thing is I can access it remotely via mycloud.com from the same network diagram, but local reachability is the issue.

Any guide to solve this?



Point-to-Point fiber connection - Can see CDP neighbor, but cannot ping across links

Disclaimer: I don't have console access to the remote side of this connection yet. Someone is in transit now, so my visibility is limited.

Here's the deal. Setting up a new P2P L2 fiber between our office and a data center. We see the fiber links as green on both sides. I can see the remote switch via sh cdp neighbor, but I'm unable to ping it.

This is how it's set up: 4 x 3172 Cisco Nexus switches

172.16.222.1 - HSRP - Office

172.16.222.2 - Switch A - Office

172.16.222.3 - Switch B - Office

172.16.222.4 - HSRP - Data Center

172.16.222.5 - Switch A - Data Center

172.16.222.6 - Switch B - Data Center

I have static routes on the office side to route DC traffic to 172.16.222.4 and routes on the DC side to route office traffic to 172.16.222.1. (However, I'm just trying to get the 172.16.222.x network to ping across first)

Also, I had this working with both sets of switches connected via copper in the office before they were shipped out.

If I do a sh cdp neigh detail, I can see the detail of the remote switch, along with the correct VLAN (222) and the IP address of the switch that is directly connected to it.

Looking for ideas on what I might be missing....

This is the CDP output from the Switch B - Office (connected through fiber to Switch B - Data Center)

-----------------------------------------
Device ID:XXXXXXXXXXXXXXXXXXX
System Name: Switch-3172B
VTP Management Domain Name: XXXXXX
Interface address(es):
IPv4 Address: 172.16.220.6
Platform: N3K-C3172PQ-10GE, Capabilities: Router Switch IGMP Filtering Supports-STP-Dispute
Interface: Ethernet1/2, Port ID (outgoing port): Ethernet1/1
Holdtime: 177 sec
Version:
Cisco Nexus Operating System (NX-OS) Software, Version 7.0(3)I7(3)
Advertisement Version: 2
Native VLAN: 222
Duplex: full
MTU: 1500
Mgmt address(es):
IPv4 Address: 172.16.220.6
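
CDP only proves Layer 2 adjacency, so the usual next step is to compare what the neighbour advertises (native VLAN, MTU, interface address) against what the local side expects. The following is an added example written for this page, not code from the post: it parses the CDP block quoted above and reports mismatches. The expected subnet is an assumption (the post lists 172.16.222.x addresses; a /24 is assumed here), and the VLAN and MTU values are the ones the post shows.

```python
import ipaddress
import re

# The "show cdp neighbors detail" block quoted in the post, used as sample input.
CDP_DETAIL = """\
Device ID:XXXXXXXXXXXXXXXXXXX
System Name: Switch-3172B
VTP Management Domain Name: XXXXXX
Interface address(es):
IPv4 Address: 172.16.220.6
Platform: N3K-C3172PQ-10GE, Capabilities: Router Switch IGMP Filtering Supports-STP-Dispute
Interface: Ethernet1/2, Port ID (outgoing port): Ethernet1/1
Holdtime: 177 sec
Version:
Cisco Nexus Operating System (NX-OS) Software, Version 7.0(3)I7(3)
Advertisement Version: 2
Native VLAN: 222
Duplex: full
MTU: 1500
Mgmt address(es):
IPv4 Address: 172.16.220.6
"""

def parse_cdp_detail(text):
    """Pull the fields a Layer 2/3 sanity check needs out of one CDP neighbour entry."""
    entry = {"addresses": []}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"IPv4 Address:\s*(\S+)", line)
        if m:
            entry["addresses"].append(ipaddress.ip_address(m.group(1)))
            continue
        for key, pat in (("system_name", r"System Name:\s*(\S+)"),
                         ("native_vlan", r"Native VLAN:\s*(\d+)"),
                         ("mtu", r"MTU:\s*(\d+)"),
                         ("duplex", r"Duplex:\s*(\S+)")):
            m = re.match(pat, line)
            if m:
                entry[key] = int(m.group(1)) if key in ("native_vlan", "mtu") else m.group(1)
    return entry

def check_neighbor(entry, expected_subnet, local_native_vlan, local_mtu=1500):
    """Return the list of mismatches that would explain 'CDP up, ping dead'.
    expected_subnet is an assumption supplied by the caller (e.g. '172.16.222.0/24')."""
    problems = []
    subnet = ipaddress.ip_network(expected_subnet)
    if entry.get("native_vlan") != local_native_vlan:
        problems.append(f"native VLAN {entry.get('native_vlan')} != local {local_native_vlan}")
    if entry.get("mtu") != local_mtu:
        problems.append(f"MTU {entry.get('mtu')} != local {local_mtu}")
    if not any(a in subnet for a in entry["addresses"]):
        problems.append(f"no advertised address inside {subnet}: "
                        f"{[str(a) for a in entry['addresses']]}")
    return problems

if __name__ == "__main__":
    neighbour = parse_cdp_detail(CDP_DETAIL)
    print(neighbour["system_name"], check_neighbor(neighbour, "172.16.222.0/24", 222))
```

Run against the quoted output with 172.16.222.0/24 as the expected subnet, the only finding is that the advertised interface address 172.16.220.6 is outside it; native VLAN and MTU agree with the local side.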



Win Server 2016, DNS/IP Trouble - Resolving public IPv6 Address - Destination Network unreachable

Hi,

I'm having a little trouble with my network here. I'm hosting 2 Windows Server 2016 instances, one at the HQ and one as a branch, some 60 km away from there. I have set up an Active Directory Domain, DHCP Servers and DNS Server successfully. Between the HQ and the branch office, I have set up a persistent Dial-Up Connection with RRAS to connect the two networks. Communication via IPv4 works flawlessly; I can Remote Desktop from HQ into the "offsite" Server.

Now I also wanted to set-up IPv6 Support on both sites. I have given out static IP-addresses to both Servers and created an IPv6 DHCP Scope on both servers and added Static Routes in RRAS. The DNS gets updated properly with both local and public IPv6 addresses.

Now to the problem: When pinging (for example) the branch server from the HQ, I get "Destination Network unreachable" - Tracert works fine for 7-8 hops before it aborts with the same error. DNS correctly resolves the FQDN to their public ipv6 addresses on both sides.

It looks to me as if every device knew where to go with the public IPv6 Address, but can't reach the destination. Why do the devices even try to go via the public address? I'd rather have them use the tunnel from the dial-up connection.

Strange enough, I just realized while writing this that Remote Desktop works, using the FQDN. But things like AD Replication, DNS Management Console, DHCP Management Console, all don't work when using the FQDN.

Help? :)
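
The ordering a host applies when a name resolves to several addresses is the default address selection policy of RFC 6724, which Windows implements (`netsh interface ipv6 show prefixpolicies` displays the table). The block below is an added example written for this page, not code from the post: it sorts a set of resolved addresses the way a default host would, using a simplified subset of the destination rules (1, 5, 6 and 8) and a simplified source selection. The addresses are constructed documentation ranges, not the poster's.

```python
import ipaddress

# Default policy table from RFC 6724 section 2.1: (prefix, precedence, label).
POLICY_TABLE = [(ipaddress.ip_network(p), prec, label) for p, prec, label in (
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
)]

# Constructed sample (documentation ranges, not the poster's addresses).
RESOLVED = ["2001:db8:b::5", "fd00:b::5", "192.0.2.5"]   # public v6, ULA v6, IPv4 from DNS
LOCAL_WITH_GLOBAL_V6 = ["2001:db8:a::1", "fd00:a::1", "10.0.0.1"]
LOCAL_WITHOUT_GLOBAL_V6 = ["fd00:a::1", "10.0.0.1"]

def to_v6(addr):
    """Treat every address as IPv6; IPv4 becomes IPv4-mapped (::ffff:a.b.c.d) as the RFC does."""
    a = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + str(a)) if a.version == 4 else a

def policy(addr):
    """Longest-prefix lookup in the policy table -> (precedence, label)."""
    best = None
    for net, prec, label in POLICY_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, prec, label)
    return best[1], best[2]

def common_prefix_len(a, b):
    """Shared leading bits, capped at 64 as RFC 6724 section 2.2 specifies."""
    return min(64, 128 - (int(a) ^ int(b)).bit_length())

def pick_source(dest, sources):
    """Simplified source selection: same family only, prefer a matching label,
    then the longest common prefix. None means nothing on the host can reach dest."""
    same_family = [s for s in sources if (s.ipv4_mapped is None) == (dest.ipv4_mapped is None)]
    if not same_family:
        return None
    dlabel = policy(dest)[1]
    return max(same_family, key=lambda s: (policy(s)[1] == dlabel, common_prefix_len(s, dest)))

def order_destinations(resolved, local_addrs):
    """Order resolved addresses the way a default RFC 6724 host would try them."""
    sources = [to_v6(s) for s in local_addrs]

    def sort_key(d):
        src = pick_source(d, sources)
        prec, dlabel = policy(d)
        if src is None:                       # rule 1: unreachable family sorts last
            return (1, 1, 0, 0)
        label_match = policy(src)[1] == dlabel
        # rule 5 (matching label), rule 6 (higher precedence), rule 8 (longer common prefix)
        return (0, 0 if label_match else 1, -prec, -common_prefix_len(src, d))

    ordered = sorted((to_v6(d) for d in resolved), key=sort_key)
    return [str(d.ipv4_mapped or d) for d in ordered]

if __name__ == "__main__":
    print(order_destinations(RESOLVED, LOCAL_WITH_GLOBAL_V6))
    print(order_destinations(RESOLVED, LOCAL_WITHOUT_GLOBAL_V6))
```

With a global IPv6 source configured on the host, the global IPv6 destination sorts ahead of IPv4 (precedence 40 against 35) and a ULA destination sorts behind both (precedence 3), so publishing a "local" IPv6 address in DNS does not make it the first one tried. Without a global IPv6 source the label no longer matches and the public address drops to last.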



Windows Server 2016 Direct Connect Connection Error Message

I am successfully able to implement Direct Connect for maybe a couple of minutes/hours, when all of a sudden no one is able to connect. As I run through the configuration wizard out of curiosity, I receive the following error message on the Remote Access Server Setup part (Step 2).

"A connection cannot be established to server ..... Verify network connectivity."

What's strange about this error message is I simply close out of Remote Access Management and relaunch it and I am able to see all of the info I have put in.

Anyone seen this issue before? I'm thinking either this is a Microsoft Framework issue or somehow the Ethernet Adapter isn't being read correct. I have an image available if asked for.

Also going over the basics..

  • I have internet connection
  • Able to ping out anywhere connections established
  • Dashboard shows all green lights and configuration distributed successfully.


Source of shielded Cat6 without spline?

I know this exists, but I'm having a hard time finding a source. I've been looking for the past day. Hoping to get 1k feet in white, non-plenum. If anyone could point me in the right direction, I'd be grateful.



WAP selection

Which would be a better choice for wireless, the EAP1750H or EWS330AP? The EAP1750H is 3x3 and claims to have very long range. But I'm guessing it's wave 1 wireless? Then there's the EWS330AP (3 pack) for significantly cheaper. This one is wave 2; it claims to be 30% faster than 3x3 wave 1 devices. If that is true, why does the EWS330AP cost less, as it provides a supposedly faster speed?



Remote access (i.e. "client VPN"-like, vs "Citrix VDI"-like) - what are you using or planning to use?

We're at the point where our legacy Cisco AnyConnect version and supporting appliances are due for dismantling, and I'm looking for new options for what I would call a new "remote access solution".

The obvious needs are remote access for troubleshooting infrastructure and security, thus access to the lower tiers of the stack (vs. published apps or entire desktop a-la Citrix), security visibility for monitoring the usage (e.g. today the version of AnyConnect obfuscates the source MAC), and ability to accommodate the booming cloud hosting solutions (IaaS mostly, of course), be it Azure, AWS, Google, etc.

From the camp of traditional VPN client family I am planning to include in an evaluation some for which I already have platforms available to expand or knowledge to operate:

  • the incumbent - Cisco - with whatever they have new in the space

  • F5

  • Palo Alto

  • Citrix (for their VPN client)

  • the new Microsoft announced VPN solution (apparently comes with the level of licensing we presently have - this is a desktop group push for us to consider)

I am also planning to look at Zscaler ZPA, as a possible use case, but still not clear on whether it could address our needs (work in progress).

What are your remote access solutions nowadays? Care to share reasons, pros and cons?



MSS segment

Does MSS mean payload? "MSS = payload"??



Are all three main LFA conditions mandatory?

I've started reading about LFA, and I got the gist of it, but I can't quite get how strict the inequalities are. My understanding is that an implementation of LFA in the very least MUST consider Inequality 1, but it also MAY use other inequalities. Or maybe it's something configurable?
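
The three inequalities of RFC 5286 section 3 are: Inequality 1, the loop-free criterion, which is what makes a neighbour a usable alternate at all; Inequality 2, the downstream path criterion; and Inequality 3, the node-protecting criterion, the latter two describing stronger alternates a router may prefer. The block below is an added example written for this page, not code from the post or from any vendor implementation: it computes all three over a small constructed topology so the difference between them is visible.

```python
import heapq

# Constructed topology (not from the post): undirected links with IGP metrics.
# S is the router computing alternates, D the destination, E will be S's primary next hop.
LINKS = [
    ("S", "E", 10), ("E", "D", 10),
    ("S", "N1", 10), ("N1", "D", 12),
    ("S", "N2", 10), ("N2", "E", 5),
    ("S", "N3", 10), ("N3", "D", 25),
    ("S", "N4", 10), ("N4", "D", 35),
]

def build_graph(links):
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph

def dijkstra(graph, src):
    """Shortest-path cost from src to every node."""
    dist = {src: 0}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in graph[u].items():
            if d + w < dist.get(v, float("inf")):
                dist[v] = d + w
                heapq.heappush(heap, (d + w, v))
    return dist

def lfa_candidates(graph, s, d):
    """Evaluate RFC 5286 inequalities 1-3 for every neighbour of s except the primary
    next hop e. Returns (e, {neighbour: (loop_free, downstream, node_protecting)})."""
    dist = {n: dijkstra(graph, n) for n in graph}
    opt = lambda a, b: dist[a][b]
    e = min(graph[s], key=lambda n: graph[s][n] + opt(n, d))   # primary next hop
    verdict = {}
    for n in graph[s]:
        if n == e:
            continue
        loop_free = opt(n, d) < opt(n, s) + opt(s, d)     # ineq 1: N will not hand traffic back to S
        downstream = opt(n, d) < opt(s, d)                 # ineq 2: N is strictly closer to D than S is
        node_prot = opt(n, d) < opt(n, e) + opt(e, d)      # ineq 3: N's best path to D avoids E
        verdict[n] = (loop_free, downstream, node_prot)
    return e, verdict

if __name__ == "__main__":
    e, verdict = lfa_candidates(build_graph(LINKS), "S", "D")
    print("primary next hop:", e)
    for n, (lf, ds, npr) in sorted(verdict.items()):
        print(f"{n}: loop-free={lf} downstream={ds} node-protecting={npr}")
```

On this topology N1 satisfies all three, N2 is loop-free and downstream but its path runs through E so it gives link protection only, N3 is loop-free and node-protecting but not downstream, and N4 fails Inequality 1 because its shortest path to D goes back through S.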



Network layout for two private networks on one Internet subnet

I have a subnet with 5 usable IP addresses. I would like to configure it so I have two private networks. One for home and one for business. The home network is for connecting the tv, playstation, etc. The business network will have a proxy for connecting to some of my applications.

My idea is that I should make NAT networks behind two of the IP addresses.

What is the best way to do this? How many routers would I need?

Do I need a router for the bridge? And two more for the two NAT networks? Or could one router do this?

Currently the setup has one router that functions as a bridge (authentication through PPPoE) and one behind that doing NAT for the home network.



Thursday, January 17, 2019

Meraki proxy arp

While troubleshooting a remote Z1 that is losing connectivity to a specific host at consistent intervals (20 sec up then down for about 35, problem exclusive to this host/site - if anyone has any ideas there) I bumped into this pcap...

5363 297.110712 CiscoMer Broadcast ARP 60 Who has 8.8.8.8? Tell 1.1.1.1

It's spamming this broadcast.. I'm failing to understand why it's doing this. The Meraki isn't the edge router at the remote site, so I believe it should be set to IP tracking instead of MAC tracking, but if I'm understanding what's happening it's proxy ARPing on behalf of 1.1.1.1? Why would one DNS ARP for another DNS? And how is that even making it past the edge router into the local network? So confused..

FYI: It's probably a regular comcast router at that end, but I'm not sure

Edit: the Z1 is on a S2S vpn to a MX64 at our DC



Netbox in Azure

Hey guys,

Is it possible to run NetBox on a Linux machine in Azure?

I know the LAN Tamer has a guide but I was wondering if my sys admins could spin up a ubuntu VM and install netbox from that.



Connecting Dell S4048T-ON switch to cisco network

So I posted something about this to the Dell community, so far no reply. Hope reddit can help me with this.

https://www.dell.com/community/Networking-General/Connecting-S4048T-ON-to-cisco-network/m-p/7188889

So we have these new Dell switches for our vxrail cluster, separated from our current network. Everything worked fine after setting up the switches (as followed on the manual); the next thing I did was plug in a cable from our network so we can manage the servers we're going to set up in the vxrail cluster. A simple trunk cable, with specified allowed VLANs, connecting to the Dell switch, also configured as trunk with specified VLANs. As a Cisco guy, supposedly this will work just like that. But I'm not sure why I can't ping the other host in the Dell network from our Cisco network; perhaps there's something I'm missing to configure on both devices. Hope that there's someone here who's familiar with Dell networking.

The Cisco device I'm using on the Cisco network is a C2960.



Help understanding L1 issues on new SMF

Turning up a new network segment on a newly installed/certified SMF plant, I had the option to either aggregate a couple switches at an intermediate switch, or home-run all of them directly to the site's core router. I opted for the latter.

One of the three switches home-runs directly to the core on a 24-strand SMF. No problems.

The other two, however, follow cabling paths that jump one or two intermediate fiber runs, before joining that same 24-strand back to the core.

Link lights came right up. CDP/LLDP shows neighbors. CAM tables populated. Looks normal so far.

Then ping gateway from switch: first 5 succeed, then intermittent failures, like this: !.!..! or !.... and finally ..... And, not just ping: snmp, ssh, etc. all fail as well.

ARP/CAM looks good on both ends. Links are stable--not flapping. No incrementing interface errors on either end. No errors in logs. sh int transceiver detail shows tx/rx power within spec, on both ends.

Finally I decide to aggregate the two problematic switches through the one that worked. This eliminated one fiber jump for both problematic switches. They came up without issue. Ping/ssh/snmp all succeed, everything's normal.

I'm calling the cable installer to re-certify the pairs in question. But I'm wondering if I missed something.

I know about insertion loss, and that for every fiber connection I lose some dB of signal. But I would have expected a problem like that to show up as a flapping interface, or low tx/rx power, or incrementing interface error counters, or something. I saw none of the usual suspects for a L1 problem. Is there a limit to the number of passive jumpers between active nodes?

This is on Cisco 3850/3650 kit with Cisco SMF-LR optics on both ends.



Why so much Invalid State traffic outside my firewall?

I'm trying to learn more about networking and watching the inbound traffic to my network. I know various villains are pounding on my router, but I'm curious what leads to so much Invalid State traffic from "reputable" sources. Specifically, companies like Apple, Google, Microsoft, Amazon. I see a lot of this dropped by my firewall rule for invalid state?

For example... these log excerpts include the above companies' IPs.

SRC=18.204.32.98 DST=69.143.98.96 LEN=291 TOS=0x00 PREC=0x20 TTL=236 ID=38022 DF PROTO=TCP SPT=443 DPT=61865 WINDOW=770 RES=0x00 ACK PSH FIN URGP=0

SRC=17.167.195.42 DST=69.143.98.96 LEN=40 TOS=0x00 PREC=0x20 TTL=242 ID=63083 DF PROTO=TCP SPT=443 DPT=65133 WINDOW=8201 RES=0x00 RST URGP=0
SRC=216.239.36.21 DST=69.143.98.96 LEN=115 TOS=0x00 PREC=0x20 TTL=120 ID=4214 PROTO=TCP SPT=443 DPT=65364 WINDOW=244 RES=0x00 ACK PSH FIN URGP=0
SRC=216.239.36.21 DST=69.143.98.96 LEN=115 TOS=0x00 PREC=0x20 TTL=120 ID=11769 PROTO=TCP SPT=443 DPT=65364 WINDOW=244 RES=0x00 ACK PSH FIN URGP=0
SRC=172.217.3.35 DST=69.143.98.96 LEN=40 TOS=0x00 PREC=0x20 TTL=121 ID=62627 PROTO=TCP SPT=443 DPT=49675 WINDOW=0 RES=0x00 RST URGP=0
SRC=172.217.15.110 DST=69.143.98.96 LEN=40 TOS=0x00 PREC=0x20 TTL=121 ID=26225 PROTO=TCP SPT=443 DPT=49669 WINDOW=0 RES=0x00 RST URGP=0
SRC=172.217.15.110 DST=69.143.98.96 LEN=40 TOS=0x00 PREC=0x20 TTL=120 ID=52978 PROTO=TCP SPT=443 DPT=49670 WINDOW=0 RES=0x00 RST URGP=0
SRC=13.59.223.206 DST=69.143.98.96 LEN=40 TOS=0x00 PREC=0x20 TTL=44 ID=52732 DF PROTO=TCP SPT=443 DPT=58190 WINDOW=0 RES=0x00 RST URGP=0
SRC=52.3.34.252 DST=69.143.98.96 LEN=40 TOS=0x00 PREC=0x20 TTL=238 ID=48058 DF PROTO=TCP SPT=443 DPT=62040 WINDOW=0 RES=0x00 RST URGP=0
SRC=52.3.34.252 DST=69.143.98.96 LEN=40 TOS=0x00 PREC=0x20 TTL=238 ID=48059 DF PROTO=TCP SPT=443 DPT=62040 WINDOW=0 RES=0x00 RST URGP=0
SRC=52.200.223.135 DST=69.143.98.96 LEN=83 TOS=0x00 PREC=0x20 TTL=238 ID=18159 DF PROTO=TCP SPT=443 DPT=62065 WINDOW=123 RES=0x00 ACK PSH FIN URGP=0
SRC=40.97.124.194 DST=PUBLIC-IP LEN=40 TOS=0x00 PREC=0x20 TTL=113 ID=96 DF PROTO=TCP SPT=443 DPT=50271 WINDOW=0 RES=0x00 ACK RST URGP=0

Is it that a device on my LAN has already closed the connection, but answering packets are already on the way? Appreciate any help understanding this.
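
Every line in the post's excerpt has source port 443 and an ephemeral destination port, and none carries a bare SYN, which is the signature of the tail end of connections the LAN itself opened rather than of unsolicited probes. The block below is an added example written for this page, not code from the post: it parses netfilter LOG lines of this shape and sorts them into late RSTs, late FIN/data segments, and genuinely unsolicited SYNs. The first four sample lines are taken from the post; the fifth (a SYN to port 22 from a documentation address) is constructed for contrast.

```python
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "CWR", "ECE"}

# First four lines are from the post's firewall log; the last is a constructed
# unsolicited SYN (documentation address 198.51.100.7) added for contrast.
SAMPLE_LOG = """\
SRC=18.204.32.98 DST=69.143.98.96 LEN=291 TOS=0x00 PREC=0x20 TTL=236 ID=38022 DF PROTO=TCP SPT=443 DPT=61865 WINDOW=770 RES=0x00 ACK PSH FIN URGP=0
SRC=17.167.195.42 DST=69.143.98.96 LEN=40 TOS=0x00 PREC=0x20 TTL=242 ID=63083 DF PROTO=TCP SPT=443 DPT=65133 WINDOW=8201 RES=0x00 RST URGP=0
SRC=172.217.3.35 DST=69.143.98.96 LEN=40 TOS=0x00 PREC=0x20 TTL=121 ID=62627 PROTO=TCP SPT=443 DPT=49675 WINDOW=0 RES=0x00 RST URGP=0
SRC=40.97.124.194 DST=PUBLIC-IP LEN=40 TOS=0x00 PREC=0x20 TTL=113 ID=96 DF PROTO=TCP SPT=443 DPT=50271 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=198.51.100.7 DST=69.143.98.96 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

def parse_line(line):
    """Split a netfilter LOG line into key=value fields plus the set of TCP flag tokens."""
    rec, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    rec["FLAGS"] = flags
    return rec

def classify(rec):
    """Why would a stateful firewall mark this packet INVALID?"""
    flags = rec["FLAGS"]
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    if "SYN" in flags and "ACK" not in flags:
        return "unsolicited-syn"        # new connection attempt: a scan or a probe
    if "RST" in flags:
        return "late-rst"               # peer resetting a flow the firewall no longer tracks
    if "FIN" in flags or "ACK" in flags:
        return "late-data-or-fin"       # trailing segment after the conntrack entry expired
    return "other"

def summarize(log_text):
    """Count (kind, direction) pairs. 'reply-from-server' means a well-known source port
    towards an ephemeral destination port, i.e. the tail of a flow our side opened."""
    counts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        from_server = int(rec["SPT"]) < 1024 <= int(rec["DPT"])
        key = (classify(rec), "reply-from-server" if from_server else "client-initiated")
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, key)
```

The "late" classes are the ones the question is about: the client side has already torn the connection down (or the conntrack entry timed out), so the server's final FIN, retransmitted data, or RST arrives with no matching state and is logged as INVALID. Only the "unsolicited-syn" class is worth treating as hostile.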



What happens when the TCP segment counter limit is reached?

I have three theories.

  1. The connection just dies.

  2. The counter resets and starts over again.

  3. The 32 bit counter is just too big and nobody ever gets there.

These are all problematic so I don't think any are correct.
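
TCP sequence numbers are defined over a 32-bit space that wraps: arithmetic on them is done modulo 2^32, and "earlier" versus "later" is decided by interpreting the difference as a signed 32-bit value (the same serial-number arithmetic RFC 1982 formalises), so a segment whose bytes straddle the boundary is accepted like any other. The block below is an added example written for this page, not from the post or from any TCP stack: it implements the wrap-safe comparison and the RFC 793 acceptability test, then walks a constructed transfer across the boundary.

```python
MOD = 1 << 32          # sequence numbers live in a 32-bit space; they wrap rather than run out

def seq_add(seq, n):
    """Advance a sequence number modulo 2^32."""
    return (seq + n) % MOD

def seq_diff(a, b):
    """a - b read as a signed 32-bit value: how TCP decides which number is 'later'."""
    d = (a - b) % MOD
    return d - MOD if d >= (1 << 31) else d

def seq_lt(a, b):
    return seq_diff(a, b) < 0

def in_receive_window(seg_seq, seg_len, rcv_nxt, rcv_wnd):
    """RFC 793 segment acceptability test, using wrap-safe comparisons."""
    if rcv_wnd == 0:
        return seg_len == 0 and seg_seq == rcv_nxt
    wnd_end = seq_add(rcv_nxt, rcv_wnd)          # first sequence number beyond the window
    inside = lambda x: not seq_lt(x, rcv_nxt) and seq_lt(x, wnd_end)
    if seg_len == 0:
        return inside(seg_seq)
    return inside(seg_seq) or inside(seq_add(seg_seq, seg_len - 1))

def simulate_transfer(start_seq, chunk_sizes, rcv_wnd=65535):
    """Send consecutive segments from start_seq (here chosen just below 2^32) and let a
    receiver test each one. Returns ([(seq, accepted), ...], final rcv_nxt)."""
    snd_nxt = rcv_nxt = start_seq
    log = []
    for size in chunk_sizes:
        ok = in_receive_window(snd_nxt, size, rcv_nxt, rcv_wnd)
        log.append((snd_nxt, ok))
        if ok:
            rcv_nxt = seq_add(rcv_nxt, size)
        snd_nxt = seq_add(snd_nxt, size)
    return log, rcv_nxt

if __name__ == "__main__":
    # Constructed sample: start 256 bytes before the wrap and send three 100-byte segments.
    log, nxt = simulate_transfer(0xFFFFFF00, [100, 100, 100])
    for seq, ok in log:
        print(f"seq=0x{seq:08x} accepted={ok}")
    print(f"receiver now expects 0x{nxt:08x}")
```

The third segment starts at 0xFFFFFFC8 and ends at 0x2B, and the receiver accepts it and moves its expected sequence number to 44; a stale copy of the first segment offered afterwards is rejected as old. The residual problem wrapping leaves, an old segment from a previous wrap being mistaken for a new one on a fast link, is what the PAWS timestamp check in RFC 7323 addresses.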



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts

Feel free to submit your blog post and as well a nice description to this thread.



How do/would you generate scripts for various network elements

Originally posted on /r/learnpython and was directed here. I have searched but couldn't really find an answer; any help much appreciated!

So in my role I am a faux developer with a bit of vba and a bit of python skill.

I support a team whose function is to generate scripts of different types for different platforms, from routers to much more complex NEs in the telco space. We have a variety of inputs that we take and post-process into scripts that load into the gear, and most of this data comes from Excel spreadsheets.

Previous developers built a large number of Excel tools with VBA to perform data visualisation (checking data being imported with colours to show good or bad, asking the user questions or filling in fields manually) and then generate the scripts.

This works well enough but I am hoping to move away from this to something hopefully with some python and some sort of ui.

Any suggestions on how you would tackle this or how we can do it better?

Thanks in advance!
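
The part of the Excel tooling that matters most when the output is device configuration is the "good or bad" check: a cell that reaches the template unvalidated becomes a line in a running config, so a stray semicolon or newline in a spreadsheet can inject commands. The block below is an added example written for this page, not code from the poster's team: it reads a CSV export (constructed here, with hypothetical column names), rejects rows whose fields fail a strict per-field pattern, and renders a snippet only for the rows that pass, using only the standard library.

```python
import csv
import io
import re
from string import Template

# Constructed sample of a spreadsheet export; column names are hypothetical.
# Row 3 has an out-of-range VLAN, row 4 carries a CLI injection attempt in the interface cell.
CSV_INPUT = """\
hostname,interface,vlan,description
edge-01,GigabitEthernet0/1,100,uplink to core
edge-02,GigabitEthernet0/2,4096,bad vlan
edge-03,Gi0/3; enable secret pwned,200,injection attempt
"""

# Allow-list patterns: anything that is not plainly valid is rejected, never "cleaned up".
FIELD_RULES = {
    "hostname": re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,62}"),
    "interface": re.compile(r"[A-Za-z]+\d+(/\d+){0,2}"),
    "vlan": re.compile(r"\d{1,4}"),
    "description": re.compile(r"[A-Za-z0-9 _.-]{0,64}"),
}

TEMPLATE = Template("""\
interface $interface
 description $description
 switchport access vlan $vlan
!""")

def validate_row(row):
    """Return a list of (field, reason); an empty list means the row is safe to render."""
    problems = []
    for field, rule in FIELD_RULES.items():
        value = row.get(field, "")
        if not rule.fullmatch(value):
            problems.append((field, f"value {value!r} fails pattern"))
    if not problems and not 1 <= int(row["vlan"]) <= 4094:
        problems.append(("vlan", "outside 1-4094"))
    return problems

def generate(csv_text):
    """Render a snippet per valid row; collect rejected rows by CSV line number."""
    rendered, rejected = {}, {}
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        problems = validate_row(row)
        if problems:
            rejected[lineno] = problems
        else:
            rendered[row["hostname"]] = TEMPLATE.substitute(row)
    return rendered, rejected

if __name__ == "__main__":
    rendered, rejected = generate(CSV_INPUT)
    for host, snippet in rendered.items():
        print(f"# {host}\n{snippet}")
    for lineno, problems in rejected.items():
        print(f"# line {lineno} rejected: {problems}")
```

Keeping the rules as allow-lists (what a valid interface name looks like) rather than deny-lists (strip semicolons) is the design choice that matters; the same validation layer can sit behind a web UI or a Python CLI once the VBA is retired.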



CA Network QoS Net Flow Analysis API?

Does anyone here use Net QoS and have any ideas for working with the data programmatically? I have a database of our circuits and I'd like to throw up some charts on the database, even an iFrame would work, but I'm not sure how I could query by store number or circuit ID to get the appropriate URL. Any ideas?



Thomson TG588v2 16.2 firmware - cannot disable sip alg

Hi all,

I am trying to disable the sip alg on this unit - the previous method was to put /?debug=1 on the end of the URL, and then you'd see a "nat helper" panel onscreen.

However with the firmware update, adding the above to the URL doesn't give any more options.

Does anyone know how I might be able to achieve this please?

Thanks in advance!



Anybody interested in Check Point appliances? MA/RI

I have 2 1100's, a 4800, and a 1430 that we are no longer using since we switched to Palo Alto. I'm going to toss these, but if someone has good use for them, please take them off my hands. :)

The 1430 is brand new, it was purchased before the change was made to go to Palo Alto.



VLAN Config on a Cisco Catalyst

I'd like to preface this by saying I'm not an IT professional - I work in industrial automation. There is a lack of automation people who know networking and vice versa. It is a common problem in the industry.

Anyways:

I have a Catalyst switch that I'll be using to isolate a laboratory network from a corporate network. Underneath this switch, I have:

  • VLAN A that can communicate through the corporate network to the internet (needs port 443 access). Our IT department is responsible for anything "upstream" of the switch at the IDF/MDF, and setting up the site firewall.

  • VLAN B for equipment that need to communicate with each other but does NOT need access to the corporate network.

Now, in the future, equipment on VLAN B and VLAN A may need to speak with one another, but I still need to isolate VLAN B from the corporate network (security purposes). Can I do this as described or do I need additional VLANs?

The equipment does not support dual NICs.

Thanks

Edit: this is more for my own understanding so I can inform myself prior to engaging IT further.



Could I get some advice with this intermittent drop? I'm banging my head on my desk and need a fresh opinion please.

Here's the scenario:

I am periodically losing WAN connection to a publicly routed device at random times, and it's always down for about 20 minutes.

We have a FirstComm Juniper ISP gateway that plugs into a 3750G switch. Off that switch, we have several devices (all in the same public IP block and on the same VLAN):

  • Our main ASA firewall, behind this is our main LAN
  • A third party ASA that connects to a server
  • A Juniper Oracle VPN device, which people in the LAN connect to and go send work over to a third party site.

Facts:

  • I work in a different location and monitor these devices remotely.
  • I never lose connection to the main ASA in either direction.
  • Periodically, we lose WAN connections to both the Oracle device and 3rd party secondary ASA, but never at the same time, and always in blocks of about 20 minutes. Sometimes closer to 15, sometimes 25, but always in that window.
  • When I lose connection to these devices from the WAN, the connection from the main LAN ASA never drops, and they are pinging the same public IP as we are from the LAN. I have a constant ICMP test to these devices from both the WAN and main LAN, and it drops from the WAN, but never from the LAN.

I have wireshark capturing the interfaces of two ports: the ISP port to FirstComm, and the Oracle device. When it drops, I see the ICMP traffic entering the ISP port on the 3750G, and I see it leaving the Oracle port. I see the Oracle device reply, but the ISP port never sees the reply. The ICMP reply gets lost after it enters the 3750 from the Oracle device.

I have verified that the MAC address isn't changing when I lose connection, and I know that the ISP ARP isn't getting hijacked because I never lose connection to the main LAN. And to state it again, when the Oracle device becomes unreachable from the WAN, the LAN can ping the same public IP and it never drops.

My first inclination was to replace the switch, which I did. It's the same model, but a completely different version of the firmware (went from IOS 15 to stable 12) and it made no difference. My second was that something was taking over the ARP, but the MAC addresses aren't changing in Wireshark, and some devices can always reach them anyway.

I don't think it's the ISP, as the traffic is coming in from their gateway, and the Oracle device is replying. I'm not seeing anything that correlates to the drops, like increased CPU, increased traffic, etc.

I know there is a logical explanation, but maybe I've been staring at this for too long to see it. :(



High-reliability tunneling - any FECing idea?

I have a particular TCP application that is very low-bandwidth but sensitive to jitter and especially packet loss, which needs to run over great geographic distances; this seems like a perfect use case for Forward Error Correction, and I've just spent a few hours going down the rabbit hole of looking at media streaming protocols like SRT, UDT, and algorithms like Reed-Solomon and such...

As far as I can tell, some of the SD-WAN solutions I've looked at might use this for last-mile reliability, though some of them also mentioned a need for two ISPs and double-bandwidth which leads me to think they're doing something a lot more naive than like a RAID 5-style parity system on the data stream (like Reed-Solomon would do).

I found one random library, UDPSpeeder, which does precisely this and can be used with OpenVPN to compensate for large amounts of packet loss with minimal jitter. Pretty cool, but also a pretty niche hobbyist program from the looks of it - same developer also wrote a lightweight VPN with integrated UDPSpeeder, which again, very cool technically, but I'd hardly say 'enterprise ready'. NetMotion's Mobility product also apparently uses a form of FEC in their proprietary VPN implementation, as does Speedify, and I've seen offhand remarks that 'many WAN accelerators use FEC'.

What I'm asking is, have you ever seen this particular use case and found a product that uses an efficient FEC algorithm (turbo codes or LDPC code) for the sake of site-to-site reliable transport, generic enough to use non-media-streaming protocols over it (i.e. TCP)? Is it really just a handful of relatively niche vendors and hobbyists doing this, or do some high-end Cisco products support something like IKE/IPsec over UDT with FEC enabled or SRTP or something? Most info I can find on the topic is just university research papers of people doing exactly what I'm looking for and having fantastic results, as far back as 2001, and this IETF draft: https://tools.ietf.org/html/draft-ietf-fecframe-framework-15.
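
The "RAID 5-style parity" the post contrasts with duplicating traffic over two ISPs is the simplest FEC scheme: one XOR parity packet per group of k data packets, costing 1/k extra bandwidth and repairing any single loss within the group. The block below is an added example written for this page, not code from the post or from any of the products it names: a sender-side encoder and receiver-side decoder for such groups over constructed sample payloads. Reed-Solomon and LDPC generalise this to more than one loss per group; the XOR code is the k+1 special case.

```python
import struct

HDR = struct.Struct("!IBB")   # group id, packet index (index == k marks the parity packet), k

# Constructed sample payloads for one FEC group (not from the post).
SAMPLE = [b"seq=1 hello", b"seq=2 world!", b"seq=3 x"]

def xor_bytes(blocks):
    """Bytewise XOR of equal-length blocks."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)

def make_block(payload, size):
    """Length-prefix and zero-pad so every block in the group is the same size;
    the length travels inside the XOR so a lost packet's length is recovered too."""
    return struct.pack("!H", len(payload)) + payload.ljust(size, b"\x00")

def encode_group(group_id, payloads):
    """k data packets plus one XOR parity packet: any single loss in the group is recoverable."""
    k = len(payloads)
    size = max(len(p) for p in payloads)
    blocks = [make_block(p, size) for p in payloads]
    packets = [HDR.pack(group_id, i, k) + blk for i, blk in enumerate(blocks)]
    packets.append(HDR.pack(group_id, k, k) + xor_bytes(blocks))
    return packets

def decode_group(packets):
    """Return the k payloads in order, or None when more than one packet was lost."""
    blocks, k = {}, None
    for pkt in packets:
        _gid, idx, k = HDR.unpack_from(pkt)
        blocks[idx] = pkt[HDR.size:]
    missing = [i for i in range(k) if i not in blocks]
    if len(missing) > 1 or (missing and k not in blocks):
        return None
    if missing:   # XOR of everything else that arrived, parity included, rebuilds the lost block
        blocks[missing[0]] = xor_bytes([blocks[i] for i in range(k + 1) if i != missing[0]])
    out = []
    for i in range(k):
        (n,) = struct.unpack_from("!H", blocks[i])
        out.append(blocks[i][2:2 + n])
    return out

if __name__ == "__main__":
    pkts = encode_group(7, SAMPLE)
    print("all arrive:      ", decode_group(pkts))
    print("packet 1 lost:   ", decode_group(pkts[:1] + pkts[2:]))
    print("two lost:        ", decode_group(pkts[2:]))
```

The trade-off the post is circling is visible here: recovery waits until the whole group (or the parity) has arrived, so larger k means less overhead but more added latency and jitter, which is why streaming-oriented implementations keep groups small and interleave them.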



Question regarding ASA Cryptomaps

We have an external company we have a S2S VPN with, and they have announced they are changing over to a new ISP with a new public IP block assigned to them by ARIN. Because of this, I have been advised to add the new peer address to our VPN configuration but keep the remaining peers in the configuration. Because of this, I thought it might be better to add a whole new connection profile with the new peer IP address and new cryptomaps for the new public IP addresses that will reference public facing servers.

My question is the following:

  1. Can I add a new connection profile in the ASA and new cryptomaps for this profile without it interfering with the existing S2S connection that we are utilizing now?

The reason I ask this is to be prepared for the cut over but I don't want to add anything to the running config until I know for sure it won't interfere with our existing S2S connection.

EDIT: Sorry, I realize my title doesn't line up with my question.



Question about FTD upgrades.

I have a set of 5525-X running FTD via SFR that are on the 6.2.0 level of code and I'm looking to upgrade them to 6.2.3. I can't seem to find a road map telling me if I can just jump to 6.2.3 or if I should jump right up to 6.2.3.9. Calling Cisco up they would just tell me to go right to 6.2.3.9, but I'm not sure if I want to go right to that and I'm gun shy of going all the way to 6.3.x.

I know everyone hates FirePOWER (shit, I do), but I can't dodge this bullet. The powers that be want to upgrade the things while they are in our possession. They don't really want to spend money on anything beyond the 5525-X firewalls FTD is running on right now.



Cisco switch problem - port shuts down due to loopback.

I have a bizarre problem. I have a Cisco 2960X switch that started shutting its uplink port down due to loopbacks being received.

I can console into the switch and shut all 48 ports down, but when I bring the uplink port up, 10 seconds later I see a loopback error message and the port goes into err-disabled.

I have swapped uplink ports on both the affected switch and the upstream switch. I've swapped cables. Same thing.

If I do a "no loopback" on the 2960X uplink port, the problem goes away.

Last night I updated the 2960X and the 2960S to the latest starred IOS. The problem went away for a few hours but came back.

Here's the topology

S2 (2960X) <-> S1 (2960S) <-> S0 (2960G)

The S2 - S1 link is a single 1000Base-T connection, and the S1 - S0 link is a single 1Gb MM fiber.

This setup has been in place, mostly untouched for about two years. The problem started yesterday and the local IT guy swears he made no topology changes or switch config changes. The local IT guy has verified there's no device between S2 and S1 - it is a cat6 patch cable.

If I understand this correctly, the loopback error message is telling me that S2 is sending S1 its own loopback packets back to it. What could make a switch do that?

The switch configs are pretty simple. Layer two only. A handful of VLANs. No QoS or inter-VLAN ACLs. One SVI for switch management.

Any ideas on how to troubleshoot this? Notions on what causes it?



Resetting SuperMicro BMC without BIOS access? (VGA failed)

I cannot tell if the motherboard I picked up is toast or not... and this might be the wrong place for this post but I suspect there are some SuperMicro people here...

VGA doesn't work. BMC loads and has a static IP (found through ARP requests) and appears to also have LDAP configured (found also through Wireshark).

Default login of ADMIN/ADMIN did not work; BIOS reset hasn't restored VGA. Jumpers for VGA disable/enable are set to enable. The JPRST jumper for supposedly resetting the BMC does nothing.

I'm at a loss for ideas on how to get this to work. I have even tested continuity on the VGA pins to see if something there broke but it was all clear.

[Edit] X8DTU-F is the model board.



Jack of all trades, but master of none. Why is there so much scope creep with my role at work?

Ok, longtime lurker here. Have some background:

I am in my early 30's and have been at my current job as a Network Admin for almost 2 years now. I got this job during my last semester of community college when I was working on finishing a Network Tech degree and a Programming Tech degree. Prior to my enrollment in community college, I worked as a music teacher and musician for many years. I studied music during my attempt at a bachelor degree in the mid 2000's. Throughout my life, I have always been interested in technology, web dev, programming, and networking to a lesser degree. I'm sharing this to let you know that I am new to the field but have always been an enthusiast.

To the meat of this post:

I was hired to fill a Network Admin role in a ~400 employee company with the understanding that I am very new to the IT professional world and would finish my CC degrees (I did btw, woot!). As staff has turned over since I began working here, my responsibilities have grown from networking/help desk to include administering the company websites, implementing a huge Service Desk Application (Ivanti/HEAT), and implementing a huge document management system (OnBase).

Folks, I am overwhelmed. Honestly, just the Network side of things involving maintenance, upgrades, implementing SD-WAN & WAN-OP, interfacing with our VOIP provider, automating fail-over, office remodels, company acquisition, etc. is enough to keep me more than busy. I'm overseeing the move/make-over of our websites from a crappy provider to a VPS setup, setting up dev environments to properly test content changes and upgrades, and troubleshooting issues with it as they arise. I am also stuck in Help Desk hell with password resets, answering calls about setting up email on smart phones, and the like. To top it all off, I made the mistake of staying awake during a training meeting and was tasked with taking over the document management software implementation for the whole company. The list seems to go on forever when I think about the upcoming EOL for my network gear and VOIP contracts (never ever going to work with our current VOIP provider after this contract, so migrating to a new one in a year or two).

I'm not only here to complain though, I am also looking for advice. I am drowning in a sea of stress, and I just can't imagine that everyone hired as a Network Admin branches out into so many different and varied roles in a company. Am I being taken advantage of? I don't make more than $40k annually, yet I feel like I have a big role or at least a hand in almost everything going on around here (with 8 other IT employees). Even if I made double that, I don't know if it would be worth it.

Should I be looking for another job with a more narrow scope? Am I likely to run into this same problem at another company?

TL;DR: Was hired in Community College to fill a Network Admin role. The scope of my work has greatly exceeded the role I was hired for, and I wonder if this is typical in the IT world. Am I being taken advantage of?



SMB L3 Switch Recommend

I may have the task of overhauling another branch office that is actually made up of 4 buildings. Connections between the buildings are wireless P2MP. I'm tasked with redesigning the IP scheme and segmenting the buildings into 4, and housing the L3 switch in the main building.

I plan to implement VLANs for each building, so I'm looking for a suitable L3 switch. So far, I'm leaning towards Aruba 2930F, 2530 and Cisco 9300 and 3850s (48G).

Traffic is basically:

  • IP cameras (video and some audio)
  • SQL database connectivity for multiple POS software.
  • Main building has 30 users, 15 printers and back machines and 55 cameras. The other 3 sites are primarily cameras with 5 to 6 users.
  • VNC to remotely access each individual host to close daily batches.

Of those 4 switches, can anyone recommend which is more suited? I've chosen those 4 based on cost and performance. I've worked with Cisco switches, but those Aruba seem to be similar in performance and quality.

Thanks!



Does anyone know how to locally access a CALIX ONT; serial console maybe; the Ethernet appears to be disabled and I need to get into it to enable

There is a local connection between two buildings; NO ISP. It appears that the Ethernet interfaces are disabled (no link lights). I would like to console in but have no clue how. The other end is connected and Ethernet works; maybe I can go in through the IP of that one and then to the fiber interface via IP on the other one. I have no clue where to start, and the manuals talk about all this software with no simple, logical explanation of how to connect or where to get the software outside of logging in through their system. This is an isolated system.



Win16 LACP team to vPC on 9k dropping under SQL load

We have a few Windows 2016 hosts (FX2s) clustered, running SQL 2016, and using Windows NIC Teaming to a pair of Nexus 9ks.

The servers are 16G fibre backends to the SAN on dedicated OOB 9k fibre switches.

When we run heavy SQL IO operations on the nodes, they are getting disconnects on the network IO according to the SQL logs, and this is causing cluster shuffle.

We tried with both CSV and non-CSV disks and experienced the same issue.


Windows Setup:

Team: 10G NIC 1 and 10G NIC 2
LACP Timer: Fast (Windows default)
Method: MAC ADDRESS
MTU: 9000
One virtual team per VLAN:
  • 100 - LAN
  • 200 - Private Heartbeat
  • 210 - Private Heartbeat
  • 220 - Private CSV Communication


Nexus vPC Setup example:

int po 531
  desc SQL Node 1
  switchport mode trunk
  spanning-tree port type edge trunk
  mtu 912
  vpc 531

int e1/53/1
  desc SQL Node 1 NIC 1
  lacp rate fast
  switchport mode trunk
  spanning-tree port type edge trunk
  mtu 9126
  channel-group 531 mode active


This setup works well when testing as follows:

Allows full 20Gb/s throughput, both inbound and outbound.

Unplugging a link drops to 10Gb/s with no dropped traffic/pings in application.

Plugging a link back in to the port returns to 20Gb/s in/out within 10 to 15 seconds.


However when the SQL servers run reindexing jobs, which are a fairly heavy load, we are getting errors that the operation failed due to a TCP/IP error, the network name isn't reachable, and the nodes are moving to a new host.

We have also run this test after removing one nic on each system to eliminate the teaming and it still fails.

When we removed the vPC config and changed Windows to use switch independent teaming, we did not get this failure.

What could be the cause of the issue that we might be able to address in the vPC setup?

We would prefer to use the vPC to have the full aggregate bandwidth inbound and outbound if possible.

Thanks for any help on this!



Cisco IR829 question about wifi capabilities.

I was reading through the configuration guide for the 829 and it says that the router can become an access point via another piece that's integrated into the system. My question is: can the 829 become a Wi-Fi CLIENT, so that if it comes into range of an access point carrying the Wi-Fi it needs, it connects to transmit data? Thanks.



Can you set up an authoritative DNS for subdomains if the domain uses DDNS?

Let's say I have a No-ip DDNS that's pointing to my computer with the URL of exampledomain.ddns.net. Can I set up Bind9 or another DNS server on my computer that will point to subdomains like subdomain1.exampledomain.ddns.net?



Learning JunOS - Juniper to Cisco S2S IPSec VPN

Hi all,

I've been given the task of setting up some SRX300's in multiple remote sites to replace Cisco 891's. I've only ever worked with Cisco gear before, and I've spent the last week reading the Day One books Juniper offers and experimenting with some EX2300's.

I'll be setting up S2S VPN's between every office in a mesh from SRX300's to an ASA5512-X. I've been bouncing between Juniper Day One material, KB's, and JWeb to learn the syntax and commands.

I'm a little stumped on the st0 (secure tunnel interfaces) that Juniper uses. They seem to be configured as a normal L3 logical interface and require an IP address. Traffic destined for the tunnel is then routed to this IP and interface.

In comparison, for Cisco you just map the VPN to the external interface/public IP, no special/separate VPN interface required. The tunnel is recognized as the destination when the route table is checked.

My question(s):

If I'm setting up multiple S2S VPNs with different destination "address books", do I need to configure multiple st0.* interfaces, each with their own IP address? Can I use the same interface, e.g. st0.0, for all VPNs?

Lastly, any insight on why it's required to be this way? Why is a separate L3 interface required?

I'm brand new to Junos so I apologize ahead of time for any mistakes or misunderstanding on my part. Appreciate any insight!



High latency inbound to Azure

https://imgur.com/a/31FuSLe

Looking for some assistance in determining what the possible cause is of the linked picture.

These are 2 ATT MIS DIA circuits essentially about a mile away from each other. Both destined for the same Azure Virtual Network Gateway. Responses from the left MTR hop number 9 correspond with responses down the tunnel to local resources in our Azure tenant.

The right MTR has had no issues until this point, and the tunnel is performing as expected; the hop in question is hop 7 in the photo.

The only thing I can think of is Source Destination hash has us on a bad link in an etherchannel that is possibly taking errors or over saturated somewhere downstream? This has been occurring since yesterday around 9AM, we currently have the tunnel pointed to a Coax circuit that is performing adequately to get them by for now.

We currently have no Azure support; kind of messed up that they don't even let you open a ticket with them.

Any ideas y'all have would be most appreciated.



HPE FlexFabric ACLs

Hi

I've been reading through the Config Guide for our FlexFabric 5940s in order to start implementing some ACLs. I'm fairly new to these switches and the guide doesn't mention whether ACLs on them have an implicit "deny any" as Cisco ACLs do.

Would anyone be able to enlighten me on this?



HALP! < 3M reach with 25G on Cisco Nexus 9200

We're moving some servers to a rack further down and the SFP-H25GB-CU3M cables we use are too short.

The switch is a 92160YC-X. EDIT: The switch is not in ACI mode, the ports are just Ethernet trunk ports.

I assumed we would be able to use either SFP-25G-SR modules with fibres, or SFP-25G-AOC10M AOC cables, but Cisco's datasheet says that: The switch has FC-FEC enabled for 25Gbps, and supports up to 3m in DAC connectivity.

The compatibility matrix at https://tmgmatrix.cisco.com/ claims that the switch ONLY supports copper DACs up to three meters, AOCs also considered.

Has anyone been able to use a 25G port for longer than 3m stretches on a Nexus 9200 switch?



ce L3 switch design question

I have a design question I need some guidance on.

Here's basically a quick diagram of what I want to achieve: https://imgur.com/a/89V47Cl

We provide internet service to a specialized market sector and I am in the process of adding a second customer edge switch. I want it to uplink to both of our cores, which uplink to a redundant-chassis PE router.

I had designed it so that each CE would connect to each core over a 20gig LAG, and then I connected the CEs together over a 40gig QSFP link. They are all on one public /29 on a shared VLAN. When I added the second CE switch and tagged the communication VLAN between core-1 and the CE switches, I believe it created a loop because I was seeing a ton of packet loss. When I disabled the QSFP link between the two CEs, the packet loss stopped. I didn't enable the link between the CEs and core-2 because I was afraid the same issue would happen.

I was thinking that the best way to achieve this redundancy and not have any loops is to enable spanning tree. It's currently not enabled (anywhere in the network... I inherited this).

Is enabling spanning tree the best way to solve this? Is there a better way? Maybe I need them to be on different VLANs, not all on a shared one? Maybe I only need ce-1 to connect to core-1 and ce-2 to connect to core-2?

How would you design this?

Thanks!



[Discussion] Opinions on 10gig switches from the Cisco SMB line (SG350 or SG550)

I normally only work with enterprise switching solutions (Cisco/Juniper/HP/Meraki/Dell) but I was asked to advise a small business customer with a network overhaul. They work with high-rez video so they're looking at 10gig solutions. I've not been on prem yet but I know they have a few Cisco SMB switches right now. So I'm anticipating the question about these.

I'm curious if anyone has any recent experience with 10gig SG-models. I know the old ones used to be Linksys and people don't like those, but I want to know about the new lineup anno 2019.

Are they any good?

What are the limitations? (specifically when it comes to performance)



How do you guys restrict / allow network traffic

Hi guys, I work at a medium office ~ 250 users and around 80 servers mix of physical / virtual. I am mainly a sys admin so I am looking for some advice on how people secure their networks.

We are currently planning a large project to migrate to a completely upgraded network, and as part of this I am looking to drastically increase the security on our VLANs etc.

I want to restrict access across the network on an as-needed basis. So my two user subnets / VLANs would need rules for things like AD, printing, file access, web access, SQL, RDP etc.

Looking at the switches I have now (Dell N3000 series) I would need to create an access rule for each of these, as there is no way to add multiple ports to rules unless they are in the same range. Which none of them are.

So by the time I have added all the rules for my Users, Dev network, Front end / back end servers etc I could be looking at well over 120 different ACLs. Is this normal? It would be very secure but a pain to manage across 11+ switches that I don't plan on stacking.

We do have a UTM device to secure internet access etc., which we could also use to route / secure traffic. But as this is directly connected to the internet, I would presume it would not be recommended / as secure?

Would it be better to have a UTM to connect to the internet, that then routes to another UTM which performs routing / firewall for my internal network? However I would then be essentially doubling / tripling my network traffic, as my switches would have to send from my Access layer, to my communication layer, to the UTM to allow / deny traffic, then back down to the communication layer and back to an access layer switch instead of the traffic just moving across VLANs on the same switch.

Any info / pointing in the right direction would be greatly appreciated. I do have some money available to buy any extra hardware that may be required but not loads.



Multicast UDP sent to a regular MAC address

I'm investigating networking issues on a Cisco fabric where multicast traffic originating from a streaming server is being flooded on all ports and the mcast groups aren't listed in the IGMP table. Investigating packet captures, it turns out that the frames use the MAC address of the host's gateway instead of the 'official' 01-00-5E MAC address. I'm a dev with streaming knowledge and not a network engineer, so I'm a bit puzzled how exactly this would happen and why this happens. With a simple Python script from here on an Ubuntu 18 box I observe the same behaviour:

tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes 12:51:46.280081 00:50:56:89:ab:8e > 64:9e:f3:aa:16:7f, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 32, id 46040, offset 0, flags [DF], proto UDP (17), length 44) 10.15.254.133.36047 > 232.192.192.192.49410: [bad udp cksum 0xb23f -> 0x7d61!] UDP, length 1 

so I would like to ask

  • Why does this occur? As far as I can find online it's mentioned that multicast de facto uses the 01-00-5E addresses. In reality it doesn't, at least not by default. Is this maybe deprecated?
  • How to fix this? Should this be fixed at the hosts, so somehow check the OS layer (the affected host uses Win 2k8 sadly enough)? Or, what I found so far, change the igmp lookup method to ip on the affected network nodes?
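The mapping the post calls the 'official' 01-00-5E address is the RFC 1112 rule (low 23 bits of the group address behind the 01:00:5e prefix). As an added example that is not part of the original post, the following checks captured frames against that mapping; the tcpdump lines are constructed, the first one reproducing the one quoted above.

```python
"""Verify that IPv4 multicast frames carry the mapped 01:00:5e MAC.
Added example, not from the original post. SAMPLE_LINES are constructed
tcpdump -e lines (the first reproduces the one quoted in the post)."""
import ipaddress
import re

# "src-mac > dst-mac" and "src-ip.sport > dst-ip.dport" as tcpdump -e prints them
MAC_RE = re.compile(r"([0-9a-f]{2}(?::[0-9a-f]{2}){5}) > ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\.\d+ > (\d{1,3}(?:\.\d{1,3}){3})\.\d+")


def multicast_mac(group: str) -> str:
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the group.
    Only 23 of the 28 group bits survive, so 32 groups share one MAC."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def check_frame(line: str):
    """For a frame addressed to an IPv4 multicast group return
    (group, expected_mac, actual_mac, ok); None for unicast or unparsable lines."""
    macs = MAC_RE.search(line)
    ips = IP_RE.search(line)
    if not macs or not ips:
        return None
    group = ips.group(2)
    if not ipaddress.IPv4Address(group).is_multicast:
        return None
    expected = multicast_mac(group)
    actual = macs.group(2).lower()
    return group, expected, actual, actual == expected


def audit(lines):
    """Frames whose destination MAC does not match their multicast group:
    at layer 2 these do not look like multicast at all, which is the
    mismatch the post is chasing."""
    return [r for r in map(check_frame, lines) if r is not None and not r[3]]


SAMPLE_LINES = [  # constructed
    "12:51:46.280081 00:50:56:89:ab:8e > 64:9e:f3:aa:16:7f, ethertype IPv4 (0x0800), "
    "length 58: 10.15.254.133.36047 > 232.192.192.192.49410: UDP, length 1",
    "12:51:46.300000 00:50:56:89:ab:8e > 01:00:5e:40:c0:c0, ethertype IPv4 (0x0800), "
    "length 58: 10.15.254.133.36047 > 232.192.192.192.49410: UDP, length 1",
    "12:51:46.310000 00:50:56:89:ab:8e > 64:9e:f3:aa:16:7f, ethertype IPv4 (0x0800), "
    "length 74: 10.15.254.133.40001 > 10.15.254.1.53: UDP, length 32",
]

if __name__ == "__main__":
    for group, expected, actual, _ in audit(SAMPLE_LINES):
        print(f"group {group}: expected {expected}, frame carried {actual}")
```

Running it on the quoted frame reports that 232.192.192.192 should have gone to 01:00:5e:40:c0:c0 rather than the gateway MAC.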


Why does the switch appear to be replying to my arp requests instead of the actual devices?

Recently I have been learning about networks and protocols such as ARP. The other day at school I sent ARP requests to all the IP addresses on the subnet (I was connected to the school's BYOD wireless AP) and the same device (which I assume to be a switch based on its MAC address) replied to the requests. Why would a network be set up to do this?
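One MAC answering ARP for every address is what proxy ARP on a gateway, or a wireless controller doing client isolation, looks like from a client. The following is an added example, not part of the original post, that flags that pattern in a constructed list of ARP replies; the threshold of three addresses is an assumption.

```python
"""Flag a single MAC answering ARP for many IP addresses, the signature of
proxy ARP / client isolation seen from a client that swept its subnet.
Added example, not from the original post; ARP_REPLIES are constructed."""
from collections import defaultdict

# Constructed replies to a sweep of 192.168.10.0/24: (sender IP, sender MAC)
ARP_REPLIES = [
    ("192.168.10.1", "00:11:22:33:44:01"),
    ("192.168.10.20", "00:11:22:33:44:01"),
    ("192.168.10.21", "00:11:22:33:44:01"),
    ("192.168.10.22", "00:11:22:33:44:01"),
    ("192.168.10.50", "f0:de:f1:00:00:50"),  # a host answering only for itself
    ("192.168.10.20", "00:11:22:33:44:01"),  # duplicate reply, counted once
]


def ips_per_mac(replies):
    """Map each answering MAC to the set of IPs it claimed to own."""
    table = defaultdict(set)
    for ip, mac in replies:
        table[mac.lower()].add(ip)
    return table


def proxy_arp_candidates(replies, min_ips=3):
    """MACs that answered for at least `min_ips` distinct addresses, largest
    first, as [(mac, sorted_ips)]. min_ips=3 is an assumption: a host with
    several secondary addresses can also trip a low threshold."""
    hits = [(mac, sorted(ips)) for mac, ips in ips_per_mac(replies).items()
            if len(ips) >= min_ips]
    return sorted(hits, key=lambda hit: -len(hit[1]))


def proxied_addresses(replies, gateway_mac):
    """Addresses other than the gateway's own that its MAC answered for: on a
    client-isolated network every other client shows up here."""
    table = ips_per_mac(replies)
    return sorted(table.get(gateway_mac.lower(), set()))


if __name__ == "__main__":
    for mac, ips in proxy_arp_candidates(ARP_REPLIES):
        print(f"{mac} answered for {len(ips)} addresses: {', '.join(ips)}")
```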



AWS: On-prem to cloud using Transit VPC or Transit Gateway, difference?

Hi!

I want to deep-dive into two products from AWS - coming from only using their regular Virtual Private Gateway with lots of IPSec VPN tunnels, per AWS region. With BGP routing.
I'm very familiar with Google Cloud's "Cloud Router" and what it can do, and their shared VPC (old name XPN) with the option of using Global Dynamic Routing.

In late November 2018, Amazon released a feature called "Transit Gateway":
https://aws.amazon.com/blogs/aws/new-use-an-aws-transit-gateway-to-simplify-your-network-architecture/

Which is currently not available in all regions, and it does not support Direct Connect at the moment.
The article does say "Direct Connect – We are working on support for AWS Direct Connect" though.

Then there's the "standard" way called "Transit VPC":
https://aws.amazon.com/answers/networking/aws-global-transit-network/

Which is available everywhere AFAIK, and does support Direct Connect.

This is my current understanding of the two:
- Transit Gateway is a new, easier option for smaller businesses who might want to connect a datacenter and a couple of branch offices. There may not be a dedicated network team in-house.
It has limitations such as 1.25 Gbit/s per VPN tunnel (scaled through ECMP, more tunnels) - but keep in mind that a single flow will always be limited to 1.25 Gbit/s. I'm wondering if this is dedicated capacity per Transit Gateway though, or shared with other customers?
Another limitation is 10 000 routes.

- Transit VPC is a more scalable and advanced option, involving Cisco CSR1000V (virtual) routers.
Multiple datacenters with production traffic between on-prem and cloud, multiple branch offices. Probably only dynamic routing. Definitely has a dedicated network team in-house.
In terms of limitations, the CSR1000V performance depends on what instance size you deploy it on.
For IPSec VPN, it for example mentions "c4.4xlarge for up to 4.5Gbps".
The instance is controlled, and dedicated to, the customer.
Not sure of route limits.

Do you think this is a good understanding?
When should a customer choose the new Transit Gateway over traditional Transit VPC? Or possibly even combine them?
Another thought is that Google Cloud has come much further in terms of connecting on-prem to their cloud.

For anyone reading this, I found that this existing thread is also interesting:
https://www.reddit.com/r/aws/comments/71nl8p/thoughts_on_transit_vpcs/



VRRP master doesn't retake master after restarting interface

I have VRRP set up on two Centos servers in a vm, when I turn off the eth0 interface on server 1, server 2 becomes master. But when I turn the server 1 interface back on it doesn't become master even though server 2 becomes the backup.

Edit: Only when I fully restart server 1 does it become master again



How to compare parallel packet captures?

I often have situations where I need to compare packet captures taken simultaneously from multiple interfaces. Suppose, for instance, you have a set up like this and you want to compare captures taken at A,B,C, and D:

[pc](A)----------(B)[router1](C)----------{internet}--------[router3]------------(D)[server] 

The problem is that the captures were not started exactly at the same time (they were initiated by four different people) so the four capture files do not line up, and the packets that are supposed to match between the files are found at different locations in each file. So, for example, packet #1 at (A) might be found at #231 at (B) and #17 at (C) and #843 at (D), but I don't know these diff values in advance so the matching packets can be found pretty much anywhere. To make matters worse, there is a lot of traffic generated and the captures are unfiltered so there is a lot of data which makes it harder to try to find the matching packets.

What can I do to make it easier to find the matching packets in the files?
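Frame numbers and timestamps differ per capture, but the packet itself carries fields that survive forwarding (IP ID, ports, length, and the addresses unless a router NATs between the capture points). The following added example, not part of the original post, indexes captures by such a key and also estimates the clock offset between two capture hosts; the captures A, B and C (C taken past a NAT) are constructed.

```python
"""Line up captures taken at different points by a per-packet key that
survives forwarding, instead of by frame number or timestamp.
Added example, not from the original post; CAPTURES are constructed."""
from collections import defaultdict
from statistics import median


def packet_key(pkt, nat=False):
    """Fields that do not change between capture points: IP ID, ports, length.
    Addresses are part of the key too unless the path NATs between the points."""
    key = (pkt["ip_id"], pkt["sport"], pkt["dport"], pkt["len"])
    return key if nat else (pkt["src"], pkt["dst"]) + key


def index_capture(packets, nat=False):
    """key -> frame numbers carrying it (a key can repeat: retransmissions,
    IP ID wrap-around), so matches are lists rather than single frames."""
    idx = defaultdict(list)
    for p in packets:
        idx[packet_key(p, nat)].append(p["no"])
    return idx


def find_matches(captures, ref_name, frame_no, nat=False):
    """Frame numbers in every other capture that carry the same packet as frame
    `frame_no` of capture `ref_name`; an empty list means it was not seen there."""
    ref = next(p for p in captures[ref_name] if p["no"] == frame_no)
    key = packet_key(ref, nat)
    return {name: index_capture(pkts, nat).get(key, [])
            for name, pkts in captures.items() if name != ref_name}


def clock_offset(captures, a, b, nat=False):
    """Median (b.ts - a.ts) over packets seen in both captures: add it to a's
    timestamps to put both on one clock. None if they share no packet."""
    def first_seen(pkts):
        return {packet_key(p, nat): p["ts"] for p in reversed(pkts)}
    ta, tb = first_seen(captures[a]), first_seen(captures[b])
    deltas = [tb[k] - ta[k] for k in ta.keys() & tb.keys()]
    return median(deltas) if deltas else None


def _pkt(no, ts, src, dst, sport, dport, ip_id, length):
    return {"no": no, "ts": ts, "src": src, "dst": dst, "sport": sport,
            "dport": dport, "ip_id": ip_id, "len": length}


CAPTURES = {  # constructed; each point has its own frame counter and clock
    "A": [_pkt(1, 10.000, "10.0.0.5", "203.0.113.9", 51000, 443, 4001, 60),
          _pkt(2, 10.010, "10.0.0.5", "203.0.113.9", 51000, 443, 4002, 52),
          _pkt(3, 10.050, "10.0.0.5", "203.0.113.9", 51000, 443, 4003, 1500)],
    "B": [_pkt(230, 33.190, "10.0.0.9", "10.0.0.1", 40000, 53, 17, 74),  # noise
          _pkt(231, 33.201, "10.0.0.5", "203.0.113.9", 51000, 443, 4001, 60),
          _pkt(232, 33.211, "10.0.0.5", "203.0.113.9", 51000, 443, 4002, 52),
          _pkt(233, 33.251, "10.0.0.5", "203.0.113.9", 51000, 443, 4003, 1500),
          _pkt(234, 33.260, "10.0.0.9", "10.0.0.1", 40001, 53, 18, 74)],  # noise
    # C sits past a NAT: source address rewritten, IP ID and ports kept
    "C": [_pkt(17, 5.400, "198.51.100.7", "203.0.113.9", 51000, 443, 4001, 60),
          _pkt(18, 5.410, "198.51.100.7", "203.0.113.9", 51000, 443, 4002, 52)],
}

if __name__ == "__main__":
    print("A#1 seen as", find_matches(CAPTURES, "A", 1, nat=True))
    print("clock B - A:", clock_offset(CAPTURES, "A", "B"))
```

Real captures can be loaded into the same dict shape from `tshark -T fields` output; the key fields are what matters, not the loader.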



Google reCAPTCHA issue on my network

Hi everyone! Running into a little problem on my network. So, basically, for the past week I'm observing Google reCAPTCHA for all users in my network. Done a little research on the Google forum; seems like Google has no informative solution. Has anybody faced this issue? This is very frustrating for users. Any feedback would be much appreciated. Thanks!

PS : We have internet connection from 2 ISPs.



Wednesday, January 16, 2019

Need router suggestions for ~100 simultaneous connections

We run a medium-sized business. Right now the entire thing is running off a relatively cheap router, and I'd like to upgrade. We have about 50 wired connections and about that many wireless connections (most of the wireless connections are coming from a wireless router that is chained to the main router). We have a Cisco switch that has 48 ports plugged into the router (that's where most of the wires are plugged in).

We don't need a VPN or advanced security. Can anyone recommend a router for our business?



Linking two Cisco SG300-10 switches

Hello,

Some background: This is my first foray into the world of Cisco networking gear and I've got a couple of questions. I purchased two Cisco SG300-10 switches and an SFP each, and we have pre-existing fiber running to two buildings that works; I get a link on both sides according to the management console. It's just one pair, however, and we don't have a budget to run a second fiber cable right now nor purchase two more SFPs, so we won't be able to do LACP at the moment. That may change in the future.

First of all, I understand basic network concepts, but this Cisco gear is defeating me and seems much more challenging than other gear I've used. I really want to learn how to do it, though. I have managed to update the firmware to the most recent version and I've got three VLANs created, but I haven't yet successfully configured them the way I'd like (no DHCP based on port, I don't think I've got gateways configured either).

Second, on the two buildings I need to connect. Both buildings need internet access and I'd like to break up devices into separate VLANs so we can separate back office and personal devices. Ideally, I'd like three VLANs present in both buildings. Internet comes into building one and also has a wireless access point. Building two will just have copper connections but may get wireless in the future. On two VLANs, I'd like to have DHCP enabled. I'd like to keep a third VLAN separate to manage the switches, but it does not need DHCP. Figure VLAN 1 for management, VLAN 2 for back office, and VLAN 3 for wireless/personal devices. Would I need a fourth VLAN for network traffic between the two buildings? I think I need to have one switch set in layer 3 mode and set up the VLAN configurations there and the other switch in layer 2 mode, but I'm not sure where to go from there. I figure I need to have the internet connection in building 1 with the layer 3 switch that has all of the VLAN configurations. Where would I find a guide that could help me create this configuration?

I'd like to use the fiber connection to connect both switches. I'd like for devices on each side to see one another if they are on the same VLAN. I'd also like for all devices on the network to have internet no matter which VLAN they are on (except VLAN 1). How can I achieve this with what I have?

I greatly appreciate any help. Thank you!



Netflow Recommendations

Anyone have any good free NetFlow collectors? The SolarWinds one does not save any data. It's real-time watch or nothing.



Weird traffic coming from 127.0.0.2 on router

I was doing some debugging on an Adtran router and saw lots of ICMP traffic outbound to a lot of dodgy IPs in other countries (Russia, China etc.). The source is 127.0.0.2 which I presume is a local interface on the router. Debug shows the traffic is not being permitted but I'd like to figure out what is causing it. There may be other traffic that is getting out that I don't know about yet.

Any idea what might be going on? I'm wondering if the router is compromised.



How many customers can be on SFPs?

For example, can one 10 Gigabit SFP handle 32 customers that are paying for 1 Gbps internet speeds?



What's a good place to get 7' Cat 5e patch cables?

Looking for inexpensive, fully functional and preferably without the no-snag jackets. I'd rather my cables snag than have to deal with trying to remove those from various devices.



Anyone who can help a non Cisco speaking redditor?

Hey guys, anyone who is fluent in Cisco mind lending me a hand? I'm helping a friend set up a new office; budget is very limited so everything she has for networking has been gifts, and she got a couple of Aironet 2600s in autonomous mode.

I'm trying to get the AP to broadcast two SSIDs (public and private) on both radios, but I keep getting the error "SSID needs to be assigned to a specific VLAN".

Can anyone help me out.....



Virtual Edge Devices for Branch Offices

Does anyone have any experience with virtual edge devices that run virtual routers to connect to MPLS/Internet providers? Dell has a Virtual Edge Platform that looks like it might be worth a look? How about a Cisco CSR1000v in an ESXi host terminating an Ethernet handoff circuit?

Any other vendors you can recommend that may do this as well?

Edit: And, Cisco has the Enterprise Network Compute System (ENCS).



How to test signal degradation?

Not sure if this is the right place to post this, but it seems to be the closest to community for what I'm looking for.

For work I am testing the connectivity between 2 computers via ethernet cable. A guy on my team created a small circuit board (just a prototype) which splits the 4 pairs into 2 paths -- one path for 100Mb/s ethernet and the other to NULL. These have 2 RJ45 ports on them so they can be daisy chained together. I know that the max length of cat5 is 100 meters.

Is there a way to tell how good the quality of the signal is after n circuit boards? We want to know how many we could theoretically daisy chain together before needing a repeater.

We've played around with iPerf3, and while it seems like a neat little tool, I'm not sure it can accomplish what we're looking for.



SonicWall loses LAN when PC shuts down

Hi All -

Weird issue. Customer called and said when a particular PC shuts down, the Internet goes out. Get on-site and see that SonicWall TZ300 is sitting on top of PC in question. PC is powered off, LAN LED on SonicWall goes out, power PC back on, LED lights up and network connectivity restored. I disconnected everything from PC but the power; no connection to the network. Power PC down, LAN LED goes out. I've never come across something like this. My next step is to try get another SonicWall out there and apply backup to see what happens. Anyone got any other ideas?



Port Activity

Currently I am going through switches to see what ports are active/inactive and what can be shut down. Simple question: what do you use to best determine if a port is not being used? I've been using a combination of show interfaces status and show interfaces counters.

Cisco Switches, mostly 3750's running 12.2.

Anyone do anything different or more efficient?

Thank you!



[Question] CSMA/CD / CSMA/CA backoff algorithm question.

Hello there,
I'm a high school student studying networking and I'm finding it a little hard to get some (to me understandable) resources about CSMA/CA/CD.
What I can't understand from Wikipedia (and other resources) is how a host behaves based on the backoff algorithm when you have, in the "/CA" case, a timeout after an RTS request and, in the "/CD" case, a collision.

From what I understand, in the first case the host waits a set amount of time based on the algorithm and then proceeds to send an RTS (can't figure out how this time is calculated), and in the second case I still don't get how the time is calculated and why the jamming signal is needed before waiting said time.

Thanks in advance to everyone!
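The waiting time in the CSMA/CD case is truncated binary exponential backoff: after the n-th collision of a frame the station draws a whole number of slot times from 0 to 2^min(n,10)-1, and gives up after 16 attempts; 802.11's CSMA/CA uses the same doubling idea with its contention window after a failed RTS. The following is an added example, not part of the original post, that implements the draw and runs a small constructed simulation of stations resolving a collision.

```python
"""Truncated binary exponential backoff as Ethernet CSMA/CD (IEEE 802.3)
uses it after a collision, plus a small constructed simulation of several
stations contending. Added example, not from the original post."""
import random

SLOT_TIME_BITS = 512   # 802.3 slot time at 10/100 Mb/s: 512 bit times (64 bytes)
JAM_BITS = 32          # jam pattern sent on detecting a collision
MAX_ATTEMPTS = 16      # the frame is discarded after the 16th failed attempt
BACKOFF_LIMIT = 10     # the window stops doubling after 10 collisions


def backoff_slots(attempt, rng=random):
    """After the attempt-th collision of one frame, wait k slot times with k
    drawn uniformly from 0 .. 2^min(attempt, 10) - 1. Doubling the window
    each time spreads more contenders over more slots."""
    if not 1 <= attempt <= MAX_ATTEMPTS:
        raise ValueError("attempt must be in 1..16")
    return rng.randrange(2 ** min(attempt, BACKOFF_LIMIT))


def backoff_seconds(slots, bitrate_bps):
    """Slot count to wall time, e.g. 3 slots at 10 Mb/s is 153.6 microseconds."""
    return slots * SLOT_TIME_BITS / bitrate_bps


def resolve_collision(n_stations, rng):
    """Simulate n stations that all start transmitting at the same instant.
    Every round the pending stations draw a backoff; the one(s) with the
    smallest draw transmit first. A single winner succeeds; several in the
    same slot collide again: each sends the jam (so every station, not only
    the ones whose signals overlapped, sees a collision that lasts at least
    the minimum frame time), counts another collision and draws from a wider
    window. Simplification: losers redraw each round instead of keeping their
    slot. Returns {station: collisions suffered, or None if it gave up}."""
    collisions = {s: 0 for s in range(n_stations)}
    pending = set(collisions)
    outcome = {}
    if len(pending) > 1:            # everybody starts at once: first collision
        for s in pending:
            collisions[s] += 1
    while pending:
        if len(pending) == 1:       # alone on the wire: goes straight through
            s = pending.pop()
            outcome[s] = collisions[s]
            break
        draws = {s: backoff_slots(collisions[s], rng) for s in pending}
        first = min(draws.values())
        winners = [s for s, k in draws.items() if k == first]
        if len(winners) == 1:
            s = winners[0]
            pending.remove(s)
            outcome[s] = collisions[s]
            continue
        for s in winners:           # same slot again: jam, back off wider
            collisions[s] += 1
            if collisions[s] >= MAX_ATTEMPTS:
                pending.remove(s)
                outcome[s] = None   # excessive collisions, frame dropped
    return outcome


if __name__ == "__main__":
    rng = random.Random(2019)
    for n in (1, 2, 4, 8):
        print(n, "stations:", resolve_collision(n, rng))
```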



Network cables over 130m long????

Ok so here's the deal: My employer wants us to connect two small offices with nine twisted pair cables that should be pulled through a pipe running in the ground underneath the parking lot.

The length of the cables will be around 130-140m (from the patch panel to the wall network sockets)

My question is this - is there ANY way that I can make this happen so I can get at least 100Mb/s links on the PC's on the other end? As far as my knowledge and experience goes, this will NOT work...

And yes I know optical fiber would do the job perfectly but that is out of the question because reasons..



Open source tool for logging MAC addresses?

There was some tool someone posted here that looked promising. It was an open source tool that would log into all of your switches and record MAC addresses on ports. I can't think of the name right now, but I want to play with it. Any guesses?



WiFi’s on a Plane

What’s up Networking Crew?

I hope this is an ok place to post this.

Also Hope all is well for everyone on this fine Hump-Day!

I was just on a United Airlines flight which had WiFi available. You connect to their WiFi network and purchase a plan if you want.

I did not purchase a plan, however I was able to receive email notifications and messages from others on Facebook.

When I tried to open the emails I couldn’t though, and they didn’t show up in my inbox, but I could read snippets from the notification.

Also could not connect to my home OpenVPN, but the logs listed my domain as “resolved”. So it seems I partially made it out but not all the way. It seems like I was also able to receive and deliver iMessages.

Any idea why this is? Obviously it’s in the config of their equipment but I’m curious how anything could make it in to my device. Is this a tactic to encourage the purchase of a plan?

Also is signal to the plane provided via satellite?



How to check my office's ethernet bandwidth / speed?

I am in a WeWork office and I am trying to figure out how to verify my Ethernet speed. I have been googling unsuccessfully.



Is it safe to buy a used firewall appliance?

I found a Check Point 730 with a 3-year licence selling for $271; when I called the local shop, they asked $783 for the same model with a 3-year licence.

Do you think it is safe to buy a used firewall appliance?

My main concern is that they tampered with the hardware or software of the firewall appliance.

What are the chances of that?

Or can I just reset the router and sleep well at night knowing that, for this kind of product, it's very hard to implant a backdoor in hardware or software alike? Is that true?



Basic PacketFence lab scenario... RADIUS Enforcement + MAB + Role-based VLAN Assignment

I'm just getting my feet wet with Packetfence.

As a "first level", I would like to use PacketFence to assign VLANs based on the role assigned to a particular node.

  1. I have created several test roles.
  2. On the switch definition, I have set a RADIUS secret and defined Role-based VLAN IDs.
  3. The switch is configured for MAB on the access port with a "fallback" network and the other VLANs to be assigned are tagged on the port.

I have manually registered my nodes. So, do I need an authentication source?



Recommended firmware branch for ArubaOS switches

I first would like to warn anyone here running Aruba switches NOT to upgrade to the 16.08.zzzz branch with its first patch. We had a 2920 acting as a core switch dropping traffic randomly across the whole switch, 2530s with a consistent 25-30% Tx utilization obviously causing issues with dropped VoIP calls, etc.

Having said that, I'm wondering what branch of firmware the community here recommends staying on or a rule of thumb you follow. I see from their software download page that they're actively maintaining the last four major revisions (16.05.zzzz to 16.08.zzzz). For instance on the FortiGates we run, I usually wait until the third or fourth patch before moving to a new major revision.

Generally, I'm aware that older branches with more patches will be more stable and newer branches are going to have the latest and greatest features deployed to them. I guess I'm more fishing for arguments to use with my co-workers that just run around upgrading firmware because it's the newest version with the highest numbers. Bonus points for official documentation from the manufacturer. :)