Saturday, March 9, 2019

Back Again with more investment with Cisco and Networking Certifications.

I left IT solutions and networking in 2014 due to immigrating to the U.S., and you know you need to find any job once you land here, and this is what happened.

In Q4 2014, I started with an employer in the eCommerce business, and now I have ended up as the sales and marketing director.

Today, and during the weekend, I don't know, I just had a feeling that I need to reinvest more of my time and money to get back my expired Cisco certifications, and honestly I still have that nostalgia to be the Presales Engineer who managed more than $53M of complex IT projects in Wireless, LAN, WAN, IPT, and Data Centers.

I do not like to start studying again alone, but I would love it if there is some sort of group or online education (I hope free :-) ) to get back into the Cisco, networking and IT back-end systems world.

I love to do indoor and outdoor wireless solutions and designs for small-medium networks up to complex level.

Do you recommend starting from the Wireless path, or just starting with something generic?

Thanks!



Understanding DHCP

Trying to understand how DHCP works

First case:

I had a static IP assigned to two host machines (172.x.x.x), with one being the AP and the other the station. Once the AP starts as a hotspot, it creates its virtual interface, and sometimes it assigns a dynamic IP (192.x.x.x) to it (overrides the static IP), and sometimes it wouldn't. Perhaps it has more to do with how the Windows drivers are written (I suspect our drivers team may have modified the source code), but I'd been under the assumption that a static IP can't get overridden.

Second case:
AP is running linux and a static IP is assigned to it (172.x.x.x). DHCP client is set on the STA, and I see a dynamic IP (172.x.x.x) is assigned to it. In a case where both machines were running windows, AP was assigned 192.x.x.x and when DHCP client was set on the STA, 192.x.x.x was assigned to it -- same subnet. Is it expected? How do both the IPs happen to be in the same subnet?



2M Optics too hot?

We recently started to swap out our 1Gb copper for 10Gb optical SFPs for our uplinks and I am worried they may be running too hot. The cables we are using are 2m OM1 MM jumpers paired with SFP-10G-SR. The current looks alright, running at around 8, but both the TX and RX are at 0.55/0.58. I have never run cables this short or used SR optics before, but I know with the LR optics I have used in the past that was definitely a bit too hot.

Having said all that my questions are: Will these levels be problematic, and if so, how long of a cable do you think I would need to lower that to a better level?



Crash Course In Configuring Layer 2, 3 Switches (HPE 1920 JG926A)?

Hi, I got a Hewlett Packard 1920 JG926A switch running version 1120 of the Comware firmware for a great price, but have very little knowledge of what I can do with it. I have an HP J8177C RJ45 SFP module I can use in it, but I was hoping someone would be able to help me figure out why it can't resolve DNS on say, pings to www.google.com, and why I can't seem to designate an uplink port.

The sole routing device upstream, and gateway, is a TP-Link wireless router I'm using as a VPN server and for providing 2.4 and 5 GHz wireless access. All endpoints are currently uplinking to this via LAN port 1, using a 16-port 1000BASE-T switch. The HP switch is uplinking on the 16-port switch as well.

Topology is:

DMARC - Linksys CM3024 Cable Modem eth port 1 - TP-Link AD7200 port WAN

TP-Link AD7200 port LAN1 - 16 port Switch - HP 1920 port 24

IP's:

Cable Modem:

192.168.100.1

TP-Link Router:

192.168.1.1

HP Switch:

192.168.1.2

Endpoints:

All addressing on 192.168.1.x

HP SWITCH CONFIGURATION:

IPv4 Routes:

Destination   Mask             Protocol  Priority  Next Hop     Interface
127.0.0.0     255.0.0.0        Direct    0         127.0.0.1    InLoopBack0
127.0.0.1     255.255.255.255  Direct    0         127.0.0.1    InLoopBack0
192.168.1.0   255.255.255.0    Direct    0         192.168.1.2  Vlan-interface1
192.168.1.2   255.255.255.255  Direct    0         127.0.0.1    InLoopBack0

Endpoints can access the HTTP UI of the switch, but without more knowledge, I'm at a loss as to whether I'm on the LAN or WAN side, as I don't feel like I understand the wording and layout of the UI. If there's some better place for me to ask these "Wave a magic wand and make me great at this" questions, I'd appreciate advice. My goal is simply to configure one or a range of aggregated uplink ports, and pass traffic from the remaining ports through these uplinks. All this with zero experience using an HP switch. I was also told to buy a serial to RJ45 cable, and warned that I would thank them later if I ended up configuring myself out of access to the device.



PXE Boot and DHCP

Hello,

In my SOHO lab I have a UniFi USG that handles DHCP allocation and is used as Gateway.

Still, I would like to PXE boot - which requires DHCP as well.

I can't have two DHCP servers on the same net. At the same time I need to access the USG because it provides Internet access.

What's the best scenario/solution?

Thank you!



Running IPv4 and IPv6 on the same network - performance impacts

As the title says, are there any performance impacts running, let's say, dual stack or 6to4, compared to just standalone IPv4 or IPv6? I can't seem to find any tests or any evidence on the internet on this. Thanks



Any way to get unlicensed Meraki equipment working again?

I want to use a Meraki switch in my homelab and I don’t need it to pass any outside network traffic but I don’t believe it will work without a connection to Meraki’s cloud and a valid license. Is there any way to get around that?



aaxads.com is on my blocked domains but i still get their ads

Self-explanatory title. I put that, as well as many other variants of that domain, in my blocked sites, but it isn't stopping the ads from showing on websites. Is there something specific that I have to do for this domain, or are they just that sneaky and get around it somehow?



Using UniFi - two PPPOE providers on the same USG?

Hello,

My SOHO is "fully UniFi". I have a USG (3 ports), switches and APs.

Right now I have two providers, both offering PPPoE access.

I'm trying to use one WAN port for one ISP, the second WAN/LAN port for the other ISP, and the third LAN port to connect the switch.

The problem is that I couldn't find any way to achieve this. When setting up the second WAN, the only option is Failover or LoadBalancing. There's no option/selector to use it as a "normal WAN", or at least I couldn't find one.

What I'm trying to achieve is simple: route some equipment through ISP1/WAN1 and some other equipment through ISP2/WAN2.

Can you give me some hints?

Thanks!



MAC address exist but unable to resolve it on ARP?

Hi, I would like to ask: what is the reason why I'm able to learn the MAC address from the interface but unable to resolve it in ARP?

Topology:

1.1.1.1/30 SW(SVI 10) ---------TRUNK-------RTR(sub int 10). 1.1.1.2/30

SW# show mac address dynamic vlan 10
aaaa.aaaa.aaaa (SVI)
bbbb.bbbb.bbbb (from Trunk link)

SW#show arp vlan 10
Protocol  Address  Age (min)  Hardware Addr  Type  Interface
Internet  1.1.1.1  -          aaaa.aaaa.aaa  ARPA  Vlan10
Internet  1.1.1.2  0          Incomplete     ARPA

Thank you



Cisco to HP/Aruba

Title is basically what I am asking.

We have all Cisco switches currently and looking to replace a few aging ones in edge closets. (Mostly 3750X's and 2960S's)

Some of the vendors I have spoken with have pushed HP/Aruba. Personally, I haven't worked with them before but have heard good things. I have worked with Extreme and like their products and support.

I am OK with Cisco, however the price difference is significant. We are working on establishing a cycle of renew and replace roughly every 4-5 years. Thinking about replacing 25% of our switches every year to keep them all up to date. The cost savings over the years add up pretty fast.

For what it's worth, we're a K12 institute, and we have a pretty simple network. Voice VLAN, Guest SSID VLAN, a couple other VLAN's for security/HVAC, etc.

Anyone have thoughts on going HP/Aruba instead of Cisco? Any reason I should stay with Cisco? Any potential compatibility issues over the next 3-4 years as we phase out the Cisco hardware?

Thanks in advance for any and all advice!



Sysadmin student with Networking problem.

Hello! I just want some enlightenment and knowledge about networking. We are given 1 switch (Netgear) and 1 router (Realtek), both with 4 ports. We need to have 4 different sites under 4 different subnets. And so we have configured our switch with 4 different subnets, e.g.: 192.168.0.10, 192.168.32.11, 192.168.65.12

Our problem is we cannot ping computers, because we do not know how to set up/point out our addresses.

I hope I made sense....



Cisco ASA aaa-server, and ssl ciphers

I have a Cisco FP9300 running on code 9.1.7.4. I am having some issues getting ldap over ssl working to my aaa-servers. I've verified certain ciphers work in my lab, but I'm not sure what is best practice as far as what should be used. If I just set all cipher levels to medium it will not negotiate ssl with the aaa-server, and test authentications fail. I have to use custom ciphers to get it to work.

Below is the ssl config, and this currently works. I feel it's secure based on reading, but I'd like to also make sure I'm offering compatibility. There are other combos that work as well. I've found the default cipher setting causes auth to fail if that's not configured to something that the aaa-server supports.

show run ssl
ssl server-version tlsv1.2
ssl cipher default custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256"
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256"
ssl dh-group group24
ssl ecdh-group group20

show ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater
Start connections using TLSv1 and negotiate to TLSv1 or greater
SSL DH Group: group24 (2048-bit modulus, 256-bit prime order subgroup, FIPS)
SSL ECDH Group: group20 (384-bit EC)

show ssl ciphers
Current cipher configuration:
default (custom): ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256
tlsv1 (medium): DHE-RSA-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA AES128-SHA
tlsv1.1 (medium): DHE-RSA-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA AES128-SHA
tlsv1.2 (custom): ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256
dtlsv1 (medium): DHE-RSA-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA AES128-SHA



Can I see my mobile's network traffic using Wireshark on my PC, if both are connected to same WiFi network? Why/Why not?

If wireshark can capture all packets on the network, can it capture data being sent from my mobile to the router?



How am I able to connect without VPN?

I have a server in my lab which I can only connect to using VPN (I use FortiClient for the connection, if that's important). I am on macOS. I used to SSH using Terminal and used FileZilla for SFTP. Everything used to work as expected, i.e., I was only able to connect to the server (on both Terminal and FileZilla) while I was using the VPN. Then I installed Termius today. I connected to the VPN, SSHed to the server using Termius, logged out after some time and then disconnected the VPN. Here's where the weird behavior starts. Now I am able to log in to the server without connecting to the VPN (both on Termius and the macOS Terminal). FileZilla, however, performs as expected -- it does not connect without VPN.

I don't understand how terminal and termius are now able to connect without the VPN. How do I go back to the old behavior?



Aruba Beacons

Hi!

Can you use Aruba Beacons as iBeacons/Altbeacons?



I'm learning about Subnets. Please help me with an answer.

I want to get the broadcast address of 26.220.145.227/19. I know that the answer is 26.220.159.255.

From the courses I have read until now I know how to calculate masks and hosts for /32 - /24, using the formula: Mask nr. - 32 = x, which results in 2^x = hosts nr.

I also read a tutorial about transforming everything into bits (10111001), but I want to know if there is a method to get that answer (26.220.159.255) using the formula that I already use.

Thank you.
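A worked version of the /19 calculation from the question above, added here as an example and not part of the original post. It shows the full 32-bit mask arithmetic (where x = 32 - prefix is the host-bit count the poster's 2^x formula uses) and, more generally than the post, the per-octet shortcut that extends the /24../32 method to any prefix length; all function names are my own.

```python
"""Network and broadcast address for an IPv4 address/prefix, two ways:
  subnet_info():       32-bit mask arithmetic, x = 32 - prefix host bits
  interesting_octet(): per-octet shortcut, only the octet the prefix ends in
                       needs any arithmetic (generalises the /24../32 case)
"""


def ip_to_int(ip: str) -> int:
    """Pack dotted-quad text into a 32-bit integer, validating each octet."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad text."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def split_cidr(cidr: str):
    """'a.b.c.d/n' -> ('a.b.c.d', n) with the prefix length range-checked."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: /{prefix}")
    return ip, prefix


def subnet_info(cidr: str) -> dict:
    """Network, broadcast, mask and host counts via 32-bit mask arithmetic."""
    ip, prefix = split_cidr(cidr)
    host_bits = 32 - prefix                        # x: bits left for hosts
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF  # prefix ones, then x zeros
    network = ip_to_int(ip) & mask                 # clear every host bit
    broadcast = network | (~mask & 0xFFFFFFFF)     # set every host bit
    total = 2 ** host_bits                         # the 2^x from the question
    # /31 and /32 have no separate network/broadcast address to subtract.
    usable = total - 2 if host_bits >= 2 else total
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "mask": int_to_ip(mask),
        "total_addresses": total,
        "usable_hosts": usable,
    }


def interesting_octet(cidr: str):
    """Per-octet shortcut, returning (network, broadcast).

    For /19 the mask boundary falls in the third octet with 3 mask bits there,
    so the block size in that octet is 2^(8-3) = 32: 145 rounds down to 128
    (network) and the block ends at 128 + 32 - 1 = 159 (broadcast); every
    later octet is 0 in the network address and 255 in the broadcast address.
    """
    ip, prefix = split_cidr(cidr)
    ip_to_int(ip)                      # validates the octets
    octets = [int(o) for o in ip.split(".")]
    if prefix == 0:
        return "0.0.0.0", "255.255.255.255"
    idx = (prefix - 1) // 8            # octet (0..3) containing the boundary
    bits_here = prefix - 8 * idx       # mask bits inside that octet, 1..8
    block = 2 ** (8 - bits_here)       # subnet block size within that octet
    net = octets[:idx] + [octets[idx] // block * block] + [0] * (3 - idx)
    bc = octets[:idx] + [net[idx] + block - 1] + [255] * (3 - idx)
    return ".".join(map(str, net)), ".".join(map(str, bc))


if __name__ == "__main__":
    print(subnet_info("26.220.145.227/19"))
    print(interesting_octet("26.220.145.227/19"))
```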



Roll out of Unifi full portfolio

Hi, I am a network guy who usually deals with PA, Cisco and HP. Right now I have been asked to roll out UniFi (60+ sites), from their APs to switches to the USG series routers.

I have honestly said I might not be the right guy as I am more effective with other gear. But I got the job anyway as I am already familiar with the environment. In this case I don’t have to do any BGP or OSPF. Some IGMP, QoS at most and a ton of VPN’s or preferably VTI’s.

My question is what are the biggest do’s and don’ts with Unifi AP’s, Switches and firewalls. My WAN connections are all fiber from 100 to 1G.

I have some on-prem stuff not exceeding 10G. We are in the process to private cloud that anyway by end of the year.

Any help is welcome.



Reverse Proxy and egress traffic

I have a Nextcloud server running at my home. My ISP blocks ports 80 and 443, so I'm planning to use a VPS as a reverse proxy to my Nextcloud. So, if I download files from my Nextcloud, will the download consume the egress traffic of the VPS? I should also mention that I would be using tinc VPN to connect my VPS and my home server.



I would like to learn more about the Internet

Specifically, how ISPs handle data, and how they connect with other ISPs, how they physically transmit data, etc. I know Google is my friend but I was hoping you fine folks could point me in the right direction with some keywords at least.



802.11r - who decides if the client roams?

Hello everybody! Just a short question about 802.11r (roaming). Who decides if the client will roam and to which AP? Is it the client itself or the Access Points?

Getting different results when looking it up on the internet... The guys at /r/wireless seem to be just for consumer-grade questions, so I'd be happy if you could help me out here. Thank you!



L2TP/IPSec: Linux can not connect to Cisco ASA (but Windows can)

Our partner provides a service that is available only through the L2TP/IPSec tunnel. We successfully connect to it from Windows, but the connection hangs dead a couple of times a week. Therefore, I decided to set up L2TP/IPSec connection from Linux. But after weeks of trying, I never managed to do it. The connection establishes, but once it breaks: on the side of Cisco there appears an error "IKE lost contact with remote peer, deleting connection", and on the side of the client "received DELETE for ESP CHILD_SA with SPI".

I tried CentOS and FreeBSD, StrongSwan, LibreSwan and Racoon, XL2TPD and MPD5 - the same result! I tried to set up a connection on a machine with a public IP-address without firewalls and NATs - the same result! I asked in different forums, even in Cisco community, but they could not help.

Interestingly, the rupture of an IPsec connection occurs only after the establishment of an L2TP connection. If L2TP is not launched, then the IPSec connection remains valid (this can be seen from the "setkey -D" command).

The Windows machine with which we successfully connect is on the same network, which means our Internet provider is not to blame. Please help! The service provider has Cisco ASA 5550.

Client side logs

Cisco log

ipsec.conf

mpd.conf



Setting up Link Failover SG250X-24

I am trying to set up a failover link on an SG250X-24 so that if the 10G uplink goes down it will fail over to Linkagg 1. I am not entirely sure how to set that up on this device. Would anybody be able to help me set that up?



Friday, March 8, 2019

Linux 6rd Relay Software

Hey all,

I'm the network manager for a small ISP. I was trying to lab out a 6rd deployment, but I can't track down any linux software that will do the stateless encapsulation and decapsulation of 6rd traffic as it receives traffic from our customers and from the internet. We have juniper gear, but the MS-MICs we have don't appear to support the 6rd relay function. If someone has code to implement a legacy 6to4 (RFC 3056) relay on linux, I'd be very happy since I know I could hack that to add the 6rd changes.



Ciena 3904 Bank Status not validated?

I just upgraded a 3904 and it shows the new version correctly, but now the Bank status shows Not Validated when before it was validated. Does anyone know if I am missing a command after running the update to validate it?



ASA 5520 with SSM-20, module visible, but cannot configure?

Device shows up as Module 1, a 5500 Series Security Services Module-20 ASA-SSM-20

HW Vs 1.0 Fw Vs 1.0(11)2 Sw Vs 7.1(7)E4

Module 1 Application Name IPS, Status UP

Yet...

According to the cisco guides, I should be able to

a) Create a virtual sensor using "virtual-sensor name" command

in configuration mode, I only have the option to do a virtual http hostname or ip while in enable mode virtual anything is not an option in show ?

b) After creating this virtual sensor, I should be able to do a conf t, then service analysis-engine then virtual-sensor vs1 and then set up the options from there.



Is this a good way to plan a server move?

The Dungeons and Dragons online MMORPG had to do a server move from one room to another in the same data center due to a change of contract (apparently the new contract required that the machines be in a different room).

The server machines are owned by them, so they had to use their own guys to move the machines as the data center wouldn't touch them. Their tech team obviously does not do server moves on any regular basis as that's way outside their job scope.

They have no backup machines, so their website, game servers and everything had to go offline for the duration of the move, which was estimated to take 22 hours.

Something went wrong during the move and now the downtime has been extended to at least 70 hours for unspecified "hardware issues" which they won't elaborate on.

(You can see their downtime extensions on their official twitter : https://twitter.com/DDOUnlimited)

So to recap :

-Have to use your own tech team to do this as the server machines are owned by your company

-Said tech team does not do this on any regular basis

-There are no backup machines available so the website and everything has to go offline for the duration of the move

What would be the typical way to handle a situation like this to avoid extended downtime? I'm pretty sure the "cross your fingers and hope nothing goes wrong" plan isn't standard in any industry...



Cisco 3850-12XS unable to see uplink

Calling all my Cisco heroes,

I recently implemented a Cisco 3850-12XS to be our core switch in our environment. We receive our uplink from another department in the building over fiber and currently the configuration is working on our 2960x switches.

Tonight I attempted to switch over to our 3850 switch, which should have been straightforward: unplug the fiber from the 2960X and plug it into port 1 on the 3850. However, whenever I do that the 3850 is not seeing any connection. It does recognize the SFP module and I confirmed that the port is not in an err-disabled state.

I then attempted to plug the 3850 directly into the 2960 using the exact same sfp module, port and fiber patch cable. It recognizes the connection and I am then able to access the 3850 anywhere on my network. Plug the 2960x back into the uplink port and it immediately sees the uplink and I have my full network again.

Move the uplink back into the 3850 gi1/0/1 again. However, it does not recognize the connection at all. I verified that the fiber TX and RX are not swapped and even intentionally crossed them to try to get an err-disabled message on that port, but to no avail. I replaced the SFP module and fiber cable. At this point I'm a little confused about what would even cause this. The configuration is working on the 2960 in the exact same room. However, the 3850 is acting like it can't see anything coming from the uplink at all. It acts like the fiber is not connected, but as soon as I plug into the 2960 it communicates as it should.



Advantages of NX-API over SSH (use with Ansible)

I'm starting to get into working with Nexus 9k devices and managing them via Ansible and I'm trying to understand what the advantage of using the NX-API over purely issuing commands over SSH.

In about every case I can accomplish the same thing by just using the ios_command module and sending a cli command over ssh.

The only advantage I can immediately see is that I can get the results of API calls back in JSON. That makes it easier working with key/value pairs if I'm then going to process the data further. (But even then, I've accomplished parsing the results of SSH with regex or conditional searching with Python.)

Am I missing something obvious? I just don't see the allure of the NX-API as opposed to programmatically sending SSH CLI commands.



Looking for a Huawei Switch expert. SOS

We recently acquired some Huawei S5352C switches from a liquidation (K-mart).

I've successfully factory reset 3 of them, however the final 2 have both system-view and bootrom passwords (none of the defaults work).

Anyone out there know of a trick to force a factory reset? I've read about 100 articles now and they all just run in circles: "log into system-view to reset bootrom", "log into bootrom to reset system-view".

SOS.



FEX vs Dedicated Switches

We currently operate a multi-tenant datacenter network and are looking at options to expand our 1G TOR switching. Currently, we are using Nexus 93180YC-FX's as 10G aggregation and have a few 2248TP-E FEXes for current 1G needs. Most devices will be CPEs (firewalls, SD-WAN devices, etc) and most of their traffic will be to/from devices hanging off the host 9ks. The FEXes we have now are single homed as the downstream devices are generally HA and have cluster members split between the FEXes.

We're at a point where we can easily change paths, so we've looked at other options and came up with the Nexus 9348GC-FXP as a possibility. It gives us some additional design options (ie. VXLAN) that we don't currently have and is potentially more flexible. A downside is that we lose our current "single pane of glass" for management from the host switch.

So... I come to the hive mind for an opinion. If you had a choice, would you prefer the simplicity and single management plane of the FEX, or implement independent switches in this situation?



Help me out of SIP ALG hell

See below for a TL:DR.

Some time back, we acquired a business that uses a cloud hosted PBX and Polycom VVX handsets. Those handsets don't support STUN, making NAT more challenging. The business previously used an Edgemarc 4550 as their edge device / SIP ALG which worked well. Through the infinite wisdom of management, the decision was made to standardize the network without touching their voice solution. So, standard, but not. We don't support any other sites with a cloud PBX.

The network edge device is now a Cisco 4331 with two DMVPN WAN tunnels and two GRE tunnels to ZScaler for Internet access. The transport interfaces are in separate front door VRFs. We do not NAT Internet traffic on the way to ZScaler. They handle NAT and have some sort of SIP ALG that appears to function.

TL:DR: We are having problems with jitter and poor voice quality for a site using a cloud hosted PBX. I've narrowed the jitter down to ZScaler, so I've started testing a ZScaler bypass for voice using PBR + ZBF + NAT + SIP ALG on the 4331. The router is currently running 03.16.07b.S.155-3.S7b which will get updated soon. I can get one phone to boot, provision from the cloud ftp server and register with the cloud PBX, but subsequent test phones fail to register. I can place and take calls on the registered phone, but not from any others. I'm not sure if my issue is configuration, a bug, general SIP ALG shittiness, or some combination of those. Any help or suggestions appreciated.

Here's a sanitized configuration:

vrf definition INET1
 !
 address-family ipv4
 exit-address-family

class-map type inspect match-any outside-to-self-class
 match access-group name outside-self-acl
class-map type inspect match-any self-to-outside-class
 match access-group name outside-self-acl
class-map type inspect match-any fw-class
 match protocol sip
 match protocol ftp
 match protocol udp
 match protocol tcp
 match protocol icmp

policy-map type inspect inside-to-outside-policy
 class type inspect fw-class
  inspect
 class class-default
  drop log
policy-map type inspect self-to-outside-policy
 class type inspect self-to-outside-class
  pass
 class class-default
  drop log
policy-map type inspect outside-to-self-policy
 class type inspect outside-to-self-class
  pass
 class class-default
  drop log

zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect inside-to-outside-policy
zone-pair security outside-to-self source outside destination self
 service-policy type inspect outside-to-self-policy
zone-pair security self-to-outside source self destination outside
 service-policy type inspect self-to-outside-policy

interface GigabitEthernet0/0/0
 description LAN
 ip address 10.4.0.1 255.255.255.0
 ip nat inside
 zone-member security inside
 ip policy route-map voice-test

interface GigabitEthernet0/0/1
 description ISP1
 vrf forwarding INET1
 ip address 1.1.1.2 255.255.255.248
 ip nat outside
 zone-member security outside

interface Tunnel100
 description ZScaler DC1
 ip address 172.16.2.2 255.255.255.252
 zone-member security inside
 ip tcp adjust-mss 1300
 tunnel source GigabitEthernet0/0/1
 tunnel destination 1.2.3.4
 tunnel vrf INET1

ip nat inside source list voice-test-acl interface GigabitEthernet0/0/1 overload

ip access-list extended voice-test-acl
 remark Deny to Internal
 deny ip 10.4.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 10.4.0.0 0.0.0.255 172.16.0.0 0.15.255.255
 remark Test Phones
 permit ip host 10.4.0.131 any
 permit ip host 10.4.0.17 any
ip access-list extended outside-self-acl
 remark Permit IPSEC
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 remark Permit GRE
 permit gre any any
 remark Permit ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any ttl-exceeded

route-map voice-test permit 5
 match ip address voice-test-acl
 set vrf INET1



Citrix discloses security breach of internal network

Ouch that one is gonna hurt.



AWS NAT loopback

Can an internal host in an AWS VPC send and receive a packet destined to its public IP from itself?



FTD Static NAT Question

Does anyone know how to create multiple static PAT entries in a firepower appliance? I am unable to make multiple of the entries below in FMC.

nat (LAN-Side,ISP-Side) static interface service tcp ssh ssh



Network Refresh

So we are just beginning the process of reviewing and looking at solutions for a host of network refreshes for about 30 locations. I'm fairly green to the networking world and am trying to get myself acclimated as quickly as possible.

SD-WAN vs traditional firewall/IPSec tunnel configuration:

I understand SD-WAN is an evolution of the traditional IPsec tunnel setup many businesses use today. We do not have any MPLS circuits in play and likely won't be going back that route for cost reasons. Most of our locations are 50M DIA connections.

What I'm trying to get some more insight into is exactly where SD-WAN fits in the network infrastructure of the building. Can I drop in an appliance on the edge (connecting to the ISP modem) and set up my tunnel to any other device on our WAN? Are there solutions that play nice with switches in the infrastructure to give a single pane of glass for management?

With a traditional setup we are looking at something like Cisco ISR4431 units with an IPSec tunnel back to our datacenter. We would replace switches with something like a Catalyst 2960. We generally have 6-8 switches per location and would have two routers for redundancy and failover. Does it make sense to get a firewall license or appliance in this setup?

Goals:

One of the goals is to refresh with relevant hardware. Most of our equipment is years out of date but still trucking along. Think Catalyst 2901 for IPSec tunnel and traffic routing. Our individual locations do not have a firewall, but have a router sending traffic over an IPSec tunnel to our datacenter.

We would also like to enhance security around the facility. Some of that pertains to physical network security (guest internet for physical devices not approved or ports being disabled) and some of it is for traffic segmentation and QoS. I would like to be able to go into one interface or use a single tool to push out updates to multiple routers or switches at the same time. Today I have to log in to each switch when a change is made. This is extremely tedious and time consuming. We don't have a massive network, but as we grow these tasks take longer and longer.

So I am asking what some of the differences are, what is standard practice for remote locations and what some people's experiences are. I've been doing some reading and there is so much data out there that my eyes are starting to roll back. For reference, most remote locations are 150-200 devices.



Experience with ultra-low-latency switch / network?

Hello all,

trying to learn about low-latency switches - we have a need for a specific setup, but it seems not many people have know-how or day-to-day experience with this type of hardware.

We mostly use Arista hardware (in the range of 350ns - 380ns latency) but it seems there are specific switches that can do way less, in the range of 4-5ns (This is not a typo)

Arista has the 7130 series with this specification, but it seems this is hardware they got by buying the metamako.com company a few months back (Links below).

I would welcome any feedback (bugs, issues, problems) on this type of hardware as well any alternative that you guys maybe know from other Vendors (Cisco, Juniper etc).



CPE Options for Carrier Services

Hey, what are the current favorites for various carrier services? I hate having a box for every type of service and speed. I would like to narrow the choices.

Enterprise guys.. what do you expect to pay for this type of gear when you order a service? Carrier guys--what are you charging for the equipment?

Need something for:

transparent L2 services

-to be terminated on PE router into VPLS/martini circuit

-customer should be able to pass multiple tagged/labeled traffic.. no restrictions

-being able to loop/reflect a customer port would be nice for RFC2544 testing

-one box for all speeds from 10M to 1G

-nice CLI

-I see lots of NIDs for sub $1000. Should fit this price range

L3VPN CE equipment:

-seamless MPLS would be nice (and be cheap? hah, doubt it)

-has to be "name-brand", Cisco, Juniper (preferred), etc

-something that can do 1G at wirespeed and maybe a different box for 100M and less

-what a reasonable cost for the CE router?



Fortigate/Arista VRRP Question. Looking to get information from anyone who's implemented this before.

We are currently migrating our datacenter to two separate datacenters for DR reasons. We are going to stretch multiple VLANs across a Layer 2 connection provided by the datacenter and will implement VRRP on the Arista L3 switches and Fortigate Firewalls for failover. One VLAN terminates on the Arista switches and the rest terminate on the Fortigates. I'm not sure where to implement VRRP virtual routers... would I turn that on for each VLAN Interface on the Fortigates and the Arista? If anyone could provide any info or suggestions as to how you have implemented this, it would be greatly appreciated. Just trying to get as much info as I can before we test the cutover. Please see Visio with changed IPs and VLANs. Thank you.
https://imgur.com/a/IWF6Nl4

Edit: Allow me to clarify. Traffic would only be routed to one datacenter at a time. We plan to fail over MPLS and Internet traffic by setting community preferences on the BGP AS community. So if one site goes down, we'll use rapid-dr to move the VMs over to the DR site and VRRP will allow the DR site's equipment to become primary.



Found 3 Raspberry Pi Zero devices uploading something on our network (large family entertainment center). Is there any way to pin them down / physically find them?

We have located the AP these devices are connected to, and looked around, but can't find a thing. How can I figure out where these devices are, if there even is a way to do so, and if not, what can I do besides block their access to our network?



How to identify IPs in use that don't respond to ping?

Is there a utility out there like Angry IP Scanner that will do a ping sweep, then report if a MAC address is bound to that IP, indicating it is behind a software firewall? Right now I do a ping sweep, then run "ARP -A" from the command prompt to see if any MAC addresses are bound to IPs that are not responding to ping.

EDIT: Obviously only scanning the local subnet, as the router will respond with its MAC for all addresses on remote networks.
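
As an added example (not code from the original post), here is the correlation the poster does by hand, in Python: parse the table that `arp -a` prints on Windows, keep only dynamic unicast entries, and list the hosts that have a learned MAC but never answered the ping sweep. The ARP output and the set of ping replies are constructed sample data, and the subnet is an assumption.

```python
import ipaddress
import re

# Constructed sample output of `arp -a` on Windows (not captured from a real host).
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.21          aa-bb-cc-dd-ee-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""

# Constructed result of a ping sweep of the same subnet: only the hosts that replied.
SAMPLE_PING_REPLIES = {"192.168.1.1", "192.168.1.20"}

# One ARP table row: IP, MAC (dash or colon separated), entry type.
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)",
    re.M,
)


def parse_arp_table(text):
    """Return {ip: mac} for dynamic unicast entries; broadcast, multicast and static rows are dropped."""
    entries = {}
    for ip, mac, kind in ARP_LINE.findall(text):
        addr = ipaddress.IPv4Address(ip)
        mac_norm = mac.lower().replace(":", "-")
        if kind.lower() != "dynamic":
            continue
        if addr.is_multicast or mac_norm == "ff-ff-ff-ff-ff-ff" or mac_norm.startswith("01-00-5e"):
            continue
        entries[ip] = mac_norm
    return entries


def silent_hosts(arp_text, ping_replies, subnet):
    """Hosts inside `subnet` that have a learned MAC but did not answer ICMP echo."""
    net = ipaddress.IPv4Network(subnet)
    return sorted(
        (ip, mac)
        for ip, mac in parse_arp_table(arp_text).items()
        if ipaddress.IPv4Address(ip) in net and ip not in ping_replies
    )


if __name__ == "__main__":
    for ip, mac in silent_hosts(SAMPLE_ARP_OUTPUT, SAMPLE_PING_REPLIES, "192.168.1.0/24"):
        print(f"{ip} is up ({mac}) but does not answer ping")
```

The ARP cache only holds addresses this host recently tried to reach, so run the sweep first and read the table straight afterwards, before entries age out. `nmap -sn` run with privileges against a directly connected subnet does the same job in one step, because it uses ARP requests rather than ICMP for local targets, and `arp-scan` does it without ICMP at all; as the poster notes, none of this works across a router.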



Aruba IAP-305 vs OfficeConnect OC20

Hi guys, Which AP would you prefer of the two in the title?

Thanks!



IPv6 Hop by hop option

Investigating why some computers on the network could ping and tracert over IPv6 and other computers on the same network could not, I discovered that any packet sent with the hop-by-hop option was discarded by the ISP router.
Is this normal?



One-way or two-way redistribution?

I was told by my tutor that one-way is generally the better way of doing things and that two-way is not so good. Could anyone explain to me why? I can't find any information about this on the web.

Cheers



100MBps Internet Over Cat-3 Cable, Can I Do It, What Are The Drawbacks.

Hello All,

I'm not sure if this is the correct place to ask this; if not, can you point me in the right direction?

Now I know Cat-5e is the current "standard" for high-speed internet, so the only reason I ask this is because.....

I'm building an office/studio in one of my spare bedrooms on the 2nd floor. I would like to move my PC into this space; my current internet speed is around 150MBps. My home was built in 2004 and all the rooms are wired with a phone jack. I would like to keep the clean appearance of these wall jacks, so I have 2 options, I think. The wire within the wall is CAT-3 (4 twisted pairs); I have checked at the wall outlet and in the basement. I have read that I can cut off the RJ11, install an RJ45 and use the Cat-3 wire for high-speed internet.

Option 2 would be to try and pull CAT5e through the wall into the basement by attaching it to the end of the Cat-3, which may work, but I only get one shot.

Option 1 is preferred; however, I'm not a networking expert, so can someone more knowledgeable let me know if this will or won't work and any possible issues that may come up?



Unable to ssh into cisco router

So a colleague of mine is unable to SSH via PuTTY into a Cisco router from his PC. Everyone else is able to log in though.
We were able to narrow it down to his PC's IP address. If he uses my IP on his PC NIC he is able to log in; if I use his IP I can't log in.

Error is: Connection is reset by peer



Dumb question, just want to confirm if I'm correct

If I have a Cisco 5506 ASA with an Aruba 2930 L3 switch

Network: 172.25.43.0/24

Firewall IP: 172.25.43.1

Switch: 172.25.43.254

If I get the switch to do DHCP/routing instead of the firewall, and I want it to be just a FLAT network, and I created a VLAN of 172.25.43.0 in the switch:

On the firewall I don't have to do any routing for 172.25.43.0 correct?

Like if I created VLAN 20 in the switch 172.25.20.0/24

On the firewall I would have to route 172.25.20.0 255.255.255.0 172.25.43.254

Or would I have to put the firewall and switch into a different network? IE firewall: 172.25.44.1 Switch 172.25.44.254 and then create the VLAN of 172.25.43.0 and then set the route on the firewall 172.25.43.0 255.255.255.0 to 172.25.43.254

Sorry (not a networking expert) (I would just test it myself but not in the office today and this question is eating at me haha)



Out of band SMS hardware

Over the past 12 years, we've used Nagios to monitor our small ISP network and some hosted datacenter services. We have a single physical CentOS box (that's monitored via a separate cloud-based service) running the Nagios instance. Notifications are primarily sent via Slack webhooks via our production IP network, but we also have a Sierra Wireless 340U USB 4G dongle attached via USB to the Nagios host. This sends SMS to phones using Gammu, which is integrated with Nagios. Slack is the easy/convenient notification system, SMS is the "works when things are really bad" system. Since we're an ISP with our own AS and physical network facilities, I value the direct-to-SMS hardware attached straight to the monitoring host. The backing carrier is AT&T, which also provides our corporate wireless service, so these messages should theoretically never touch the Internet or have any transport outside of AT&T's network.

Problem is, the 340U hardware has begun to misbehave and require a reset every now and then. I'm not entirely sure whether it's bad hardware, a carrier firmware update, or something else. What is everyone else using for sending SMS out of band these days? I like the current architecture but don't really like this consumer-grade modem.



TIL: you need GRE to have dynamic routing over an IPsec v1/v2 VPN

It might sound dumb to a lot of redditors in this community, but today I learned something and I want to share it with you.

A bit of context: a colleague told me yesterday that some network team plans to use a GRE tunnel between two LANs of the company. I had already used GRE in the past, but I was not aware it was still used in 2019. We were both surprised and we tried to understand the need for a GRE tunnel in our case.

After a short dig through the docs/Google, I managed to understand the true reason:

- Routing protocols like OSPF or EIGRP use multicast addresses to discover each other (example: the address of all OSPF routers is 224.0.0.5)

- IPsec is, by design, unicast only; it does not support multicast or broadcast. (See RFC 4301: "The SPD [Security Policy Database] does not include support for multicast address entries.")

- GRE means "Generic Routing Encapsulation" (pretty clear, isn't it?) and is aimed at encapsulating multicast in a unicast header.

That's why you need GRE over IPsec v1 and v2. :)

Since 2011, however, it seems that IPsec v3 introduced some evolutions that allow multicast:

- "More detailed descriptions of IPsec processing, both unicast and multicast, and the interactions among the various IPsec databases"

- "More flexible SPD (Security Policy Database) selectors, including ranges of values and ICMP message types as selectors"

Source: https://tools.ietf.org/html/rfc6071

One question left: did anyone here already try OSPF/EIGRP over IPsec and can share some feedback on performance?

Hope this was useful. ;)
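
To make the post's point concrete, here is an added example in Python (not from the original post or from any vendor documentation): it builds a minimal IPv4 packet addressed to 224.0.0.5, wraps it in GRE with a unicast outer header, and checks both packets against a toy model of a unicast host-to-host IPsec SPD selector. The tunnel endpoints are documentation addresses chosen for the example, the OSPF payload is a placeholder string rather than a real Hello, and the selector model is a simplification of RFC 4301.

```python
import ipaddress
import struct

PROTO_GRE = 47
PROTO_OSPF = 89
ETHERTYPE_IPV4 = 0x0800
OSPF_ALL_SPF_ROUTERS = "224.0.0.5"   # AllSPFRouters, the address quoted in the post


def ip_checksum(data: bytes) -> int:
    """Standard ones-complement checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) + payload, with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Pull the fields a policy engine looks at; the payload is whatever follows the header."""
    ihl = (pkt[0] & 0x0F) * 4
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "proto": pkt[9],
        "payload": pkt[ihl:],
    }


def gre_encap(tunnel_src: str, tunnel_dst: str, inner: bytes) -> bytes:
    """Plain GRE (RFC 2784): 4-byte header, no checksum/key/sequence, protocol type IPv4."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_packet(tunnel_src, tunnel_dst, PROTO_GRE, gre_hdr + inner)


def gre_decap(outer: bytes) -> bytes:
    """Return the inner packet; rejects anything but plain GRE carrying IPv4 (assumption for this example)."""
    p = parse_ipv4(outer)
    if p["proto"] != PROTO_GRE:
        raise ValueError("not GRE")
    flags, ptype = struct.unpack("!HH", p["payload"][:4])
    if flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return p["payload"][4:]


def unicast_spd_matches(pkt: bytes, local: str, remote: str) -> bool:
    """Toy model of an RFC 4301 host-to-host selector: the SPD has no multicast entries,
    so a multicast destination can never match, and otherwise src/dst must equal the peers."""
    p = parse_ipv4(pkt)
    if ipaddress.IPv4Address(p["dst"]).is_multicast:
        return False
    return p["src"] == local and p["dst"] == remote


# Constructed OSPF Hello carrier: the payload is a placeholder, not a real OSPF PDU.
HELLO = ipv4_packet("10.0.0.1", OSPF_ALL_SPF_ROUTERS, PROTO_OSPF, b"OSPF HELLO PLACEHOLDER", ttl=1)
# Same Hello, GRE-encapsulated between two assumed tunnel endpoints (documentation addresses).
TUNNEL = gre_encap("203.0.113.1", "198.51.100.1", HELLO)

if __name__ == "__main__":
    print("bare Hello matches unicast SPD:", unicast_spd_matches(HELLO, "203.0.113.1", "198.51.100.1"))
    print("GRE-wrapped Hello matches unicast SPD:", unicast_spd_matches(TUNNEL, "203.0.113.1", "198.51.100.1"))
    print("inner destination after decap:", parse_ipv4(gre_decap(TUNNEL))["dst"])
```

The bare Hello fails the selector because its destination is multicast; the GRE packet passes because the selector only ever sees the unicast outer header, and decapsulating it hands back the multicast packet untouched. On Cisco IOS that is what `tunnel protection ipsec profile` on a GRE tunnel interface arranges: the crypto policy matches GRE between the two tunnel endpoints and never has to mention 224.0.0.5.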



Palo Alto - Q1) default trusted certificate authorities? Q2) SSL decryption broker...

Hi Guys,

Long-time lurker here... just wanted to ask a couple of questions.

1) Palo Alto's list of trusted certificate authorities on the firewalls. A client has asked me how often they "update", but from my own googling, if I read the articles correctly, this is only updated manually when you update the OS. I would like this confirmed please. Does anyone actually know if they update automatically, or is it only what's contained within the OS updates?

2) I'm going to configure the SSL decryption broker on the PA to hand all the SSL-decrypted data off to another system. But can this then be used to control what is allowed to pass through? How would it come back to the PA? The way I'd imagine this working (I've never configured this before) would be that it decrypts the SSL traffic on the PA, hands it off to this other system, then somehow it comes back to the PA (or the PA communicates with this system somehow) and decides if it's allowed through or not? I'm just a bit lost. I only got my PCNSE recently and think I'm in over my head, to be honest. I'm the only PA guy in my firm and would really appreciate any help you could offer.

3) The client has said they're using something called Cisco Eye??? which is apparently some kind of IPS system on the network. They would like the traffic passed from the firewall back to this system to do its IPS, then back to the PA as the final gateway.... I don't actually get this one or why they would want to do this, but wondering if it's possible? They said the same with URL filtering... they don't want to use the PA URL filter but instead want to use this Cisco Eye (whatever that is) and Cisco's Umbrella. Anyone know if this would cause any issues with the PA?

Please feel free to call me an idiot or clueless, because that's how I feel after being in front of this client for half an hour!! I have tried to read up on all this but am starting to get lost in it all and not sure I fully understand it. I have a PCNSE which I obtained recently and have about 2 years of troubleshooting and 1.5 years of implementation experience. Any help would be greatly appreciated!!! Thank you in advance. Am I just a crap engineer!? Or is this actually quite complicated?



New firewall/router

I am a volunteer system administrator at my university's Computer Science labs. Currently we are using an old PC as gateway/router/firewall, DHCP and DNS; all of this is deployed on Debian. Because we want to change the local network, we have to rebuild the above server and update it. So I read about pfSense, which is a complete solution, and I have installed it for tests, but it is not yet in production and I am not yet convinced that it is better than what we already have. Can anyone suggest why I should use Debian or pfSense?



How long will it take me to pass the Cisco CCNA exam?

For someone with a basic networking background and two hours a day to dedicate to studying, how many days would I need to pass the CCNA exam comfortably?



SIP E-SRST Configuration Help !

Hello Networking buddies,

I'm overwhelmed with the amount of information I'm gathering when looking for E-SRST configuration examples, and still not sure about what's mandatory and what's optional to make a solid working configuration.

My goal is to make an SRST router retrieve real-time information from CUCM, and use it when the WAN link is down between the main site and the branch site.

Based on what's said in a Cisco Press article http://www.ciscopress.com/articles/article.asp?p=2492950&seqNum=4

the mandatory configuration should include, for example:

    voice register global
     mode srst
     source-address X.X.X.X port 5060
     max-dn 6
     max-pool 10
     system message SRST Mode

There's no voice register pool included there, so I thought that once the WAN is down, the SRST router will use the same addresses used when the WAN link was up. At the same time I see other people in Cisco forums using the same configuration with voice register pool and saying it is a mandatory command. I'M CONFUSED.

My goal is: make every phone work with CUCM when the WAN is up; once it's down, use the same settings as when it was up and use the POTS lines in the SRST router.

Can someone enlighten me on that please?

Thank you guys



Question about Ethernet cables?

Is rollover, crossover and straight-through still a relevant thing? In my 2 years of working in tech I have never heard anyone mention one or the other; they just say Ethernet cable. So I'm curious, is this still a thing, or are all Ethernet cables compatible with anything now?

Sorry if this is a silly question, but its always confused me.



Small 10G switch for storage

Hello everyone,

We'll be moving our office to a fresh new location later this year, which means a new "datacenter" (a very small one) and an opportunity to renew most of the network equipment. Servers will have 1GB access links, but we thought of having 10GB ones for the storage since we're dealing with a pretty big amount of storage load (data science). We're looking for a 10GB switch with both copper and SFP+ ports. We currently have two NASes (mirrored) and we aren't planning to expand in the short term (maybe a proper SAN one day), so a max 16-port switch would be fine. The budget is constrained to a maximum of 2k€; it would be easier to justify the need in front of management.

We found these switches for now :

  • Cisco SG550XG-8F8T-K9 : 8 RJ45 + 8 SFP+, seems to be a cheap version of the Catalyst series with doubtful reliability (based on other people reviews)
  • HPE Officeconnect 1950 12XGT : 12 RJ45 + 4 SFP+, cut-down 2xxx series OS but looks like a pretty solid switch
  • Ubiquiti US-16-XG : 12 RJ45 + 4 SFP+, cheapest of all but we're satisfied with our Ubnt APs, so we're confident about reliability

I must add that we don't need advanced L3 capabilities.

I know the budget is probably too tight for what we want, that's why I'm asking you your opinion.

Thank you in advance :)



What Do You Do ? POETS Day Boredom in the NOC

Hi, little thread around what we do within the networking world...

I'm a network engineer; I work for a company called Switchshop based near Luton airport. We are project-based engineers, so we move from site to site helping network managers and the like with new deployments and config issues with their current kit.

I specialise in routing and switching, firewalls, wireless and voice with accreditations and certification in all those categories.

Happy Friday people!

CCL



BGP Route Filtering

Hi everyone,

We're using Juniper, but I doubt that matters at all for this question. I will add that both ISPs only offer default or full table; neither offers customer routes. We currently have two connections: one is BIG-ISP, one is SMALL-ISP. Very self-explanatory. Small-ISP we've had for a year, and it was the first connection we enabled BGP on; we took the full table. Some weeks later we turned up Big-ISP and took default. Our static route is primary via Big-ISP and secondary via Small-ISP.

We're mostly inbound so really it doesn't matter very much, but if I am going to do this I want to do it right. We're also running 90% full on memory with 1 full table so taking 2 full tables is out of the question without buying hardware.

My plan was to look up all prefixes from Small-ISP and create a route filter that allows all those prefixes, then drop everything else. This means we will use Small-ISP for their routes (which is essentially this country, which they have very well covered), and everything else will use Big-ISP. If either goes down we still have an internet connection.

Does this sound sane? My only problem with this is that it obviously won't auto-update. This led me to think there is a better way of doing this, to only accept customer routes from Small-ISP; however, my knowledge of BGP breaks down at this point.

Thanks

*re-posted due to title typo*
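
An added example (my code, not the poster's) of the auto-updating alternative the poster is reaching for: instead of a static prefix list, accept only routes whose AS path starts at SMALL-ISP and is at most a couple of hops long, which approximates "their own and their customers' routes" when the ISP offers no customer community. The RIB entries are constructed, private-range ASNs stand in for real ones, and SMALL-ISP's ASN is an assumption.

```python
import re

SMALL_ISP_ASN = 64500   # assumed ASN for SMALL-ISP (private range, stand-in for the real one)

# Constructed excerpt of the Adj-RIB-In from the SMALL-ISP session: (prefix, AS path). Not real data.
SAMPLE_RIB = [
    ("192.0.2.0/24",      [64500]),                         # SMALL-ISP's own prefix
    ("198.51.100.0/24",   [64500, 64501]),                  # a direct customer of SMALL-ISP
    ("198.51.100.128/25", [64500, 64501, 64502]),           # customer of a customer
    ("203.0.113.0/24",    [64500, 64510, 64520, 64600]),    # transit path, clearly not a customer
    ("100.64.0.0/10",     [64500, 64509, 64600]),           # short path via a large transit AS
]


def as_path_regex(asn: int, max_depth: int) -> re.Pattern:
    """Match paths that start at `asn` and carry at most `max_depth` further ASes.
    Depth 0 = the ISP's own routes, depth 1 = its direct customers, and so on."""
    return re.compile(rf"^{asn}( \d+){{0,{max_depth}}}$")


def filter_customer_routes(rib, asn: int, max_depth: int = 1):
    """Prefixes whose AS path passes the depth filter; everything else is rejected on import,
    which is what keeps the table (and the router's memory) small."""
    pattern = as_path_regex(asn, max_depth)
    return [prefix for prefix, path in rib
            if pattern.match(" ".join(str(a) for a in path))]


def rejected_routes(rib, asn: int, max_depth: int = 1):
    """The complement, handy for eyeballing what a given depth throws away."""
    accepted = set(filter_customer_routes(rib, asn, max_depth))
    return [prefix for prefix, _ in rib if prefix not in accepted]


if __name__ == "__main__":
    for depth in (0, 1, 2):
        print(f"depth {depth}: accept {filter_customer_routes(SAMPLE_RIB, SMALL_ISP_ASN, depth)}")
```

The depth heuristic has a failure mode the sample shows: a short path through a large transit AS looks exactly like a small customer, so at depth 2 the 100.64.0.0/10 route is accepted even though it belongs to the rest of the Internet. Keep the depth at 1 unless you know SMALL-ISP's customers re-sell transit, and if the ISP will not give you a customer community, a match on their own ASN plus a few hand-added customer ASNs is the honest middle ground. Junos `as-path` regexes use the same space-separated form, so the expression ports over directly.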



Export two static routes - one with higher local pref

Hi, I currently have one server with dual connections to two PE routers. Each server is using a loopback address which is reachable via a static route on PE1 using the default metric 5 (primary route) and via PE2 using metric 254 (backup route). My intention is to export these static routes to all other PE routers (MP-BGP) with the PE1-originated route tagged with local pref 150 and the backup via PE2 tagged with 100. Problem is, I don't see the backup route via PE2 on any other devices and only see the primary route via PE1. Anybody know any reason for this? (Note all of these routes are contained inside their own VRF.) #BGP #MPLS



replacing our old network

We have a bunch of Cisco switches (3560, 2960), all more than 10 years old, in the office. No PoE, the majority running at 100Mb, which is fine with me, until our core switch broke. Good thing we still have an extra switch of the same model and a backup config saved somewhere else.

I requested a C9300-48P in Q4 last year to replace our core, which surprisingly they ordered and is on its way next month. So I'm thinking of breaking all our old switches and proposing replacement of all of them, for "upgrading reasons" obviously lol.

Any recommended L2 switch to partner with our C9300 core?



Thursday, March 7, 2019

Licensing Question | Cisco ASR

We have a Cisco router that was installed with a boot-level license statement left in the config. We needed it to have a lower license level, but due to the statement, it went into eval mode for the higher license level that it doesn't need. We missed it until after our outage.

We seem to have two options:

  1. Take another outage & reboot the router to put it into the correct license level, since it doesn't need the higher level license.
  2. Purchase the existing license that is in eval mode, so we can avoid any reboots. This would come at a pretty significant cost and would throw away the reason we planned to put the router in (we wanted to replace a similar router on the premises that was overkill in licensing with one that had a lower license).

We are curious & haven't been able to find an answer on whether or not we could just let the evaluation period expire and the license would revert back to the lower level. We are nervous that it would disable the router all together instead of just reverting back to the lower license.

Any thoughts?

Let me know if you need any more info to help out!



Research on security practices on ships

Are there any policies, standards, or implementations in the 6 security areas (Confidentiality, Integrity, Availability, Authentication, Authorization, Non-repudiation) for marine communication? I'm currently working on a project, so I'm curious to see any mechanism or training/guide book that has been officially documented (with references). All help is appreciated.



Bulk shielded Cat6 without filler... does this exist?

I'm trying to make shielded patch cables, but want the cable to be flexible. Is there a bulk roll of solid copper cables under $200?



Any danger in touching damaged fiber optic internet cable

The fiber cable that runs from a house to the utility pole has been cut somehow leaving the cable on the ground. Is there any danger in touching the cable to move it out of the way until the ISP can come fix it?



Collapsed Core or Layer 3 to the Access Layer?

There's a bit of backstory to this, so bear with me. I work in a small IT department where we are in the process of replacing all of our network hardware (due to it being 10 years old or more). We have a hub-and-spoke topology with one central building and 13 outlying buildings, with fiber running from each outlying building back to the central building. We have a mix of SFPs and converter boxes.

Currently, we have a flat layer 2 network across the entire network. Before anyone decries this, the network was put in close to 15-20 years ago, and hasn't seen any significant changes in topology or significant increase in users since then. We only have about a hundred users in the largest building, with only 5-20 users in each of the outlying building. Obviously, networking best practices have changed a lot in the last decade, but for now we have what we have. I started working there about two years ago, and with us needing to replace our network hardware, I suggested to my boss that we look into moving away from a flat topology and VLAN out the network. He liked the idea, and assigned me to spearhead the project since I am in school, working through my CCNA, and have the most recent networking knowledge.

I have two ideas floating around my head. First is a collapsed core design with layer 2 access switches at each of the outlying buildings going back to a layer 3 core switch (fiber uplinks go directly from access switch to core switch using SFP+s) in the central building, with the core switch handling all of the routing between VLANs. My second option is to put layer 3 access switches at the outlying buildings, let them handle the inter-vlan routing, and have layer 3 between the outlying buildings and the core switch at the central building. I've endeavored to do as much research as I can on the subject, and I'm still actively looking, but I am having a tough time finding what the current best practice is. I've searched the subreddit extensively, and found a lot of relevant but older threads with various opinions on the subject. One of the resources that I have been studying is the Cisco CVD Campus LAN design guide, and as best I can tell either of these two options that I'm thinking about are feasible. I'm leaning towards the second option with the layer 3 access switches, but can anyone give me some feedback on this and what current best practice is? We are actually going to be completely redoing our subnetting scheme from scratch (for multiple reasons, too long to get into), so the current IP addressing scheme doesn't really play a factor in the design process.

The equipment I currently have in mind is an HPE Aruba 5406R for the core switch, and either Aruba 2540s (layer 2 access) or Aruba 2930Fs (layer 3 access). These are pretty much set due to budget limits, but if anyone has comparable alternatives I'm certainly willing to listen.

Thanks and I appreciate any feedback that anyone might have!



Brute force from these IP Addresses...

I'm under a barrage of brute force SMTP auth attempts from these IPs. Is there anything I should do about it besides just add them to the blacklist?

51.75.255.69

193.169.254.67

185.211.245.195

185.234.217.221

45.125.66.37

45.125.66.184

45.125.66.191

45.125.66.193

45.125.66.161

45.125.66.83

45.125.66.133

45.125.66.62
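
A small detection and blocklist helper, added here as an example and not part of the original post: it parses Postfix-style `smtpd` SASL failure lines, flags addresses that exceed a failure threshold inside a sliding window, and groups sources by /24 so a cluster like the 45.125.66.x addresses above is blocked as a prefix rather than host by host. The log lines are constructed, the year, threshold and window are assumptions, and the line format follows Postfix's default syslog layout.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Postfix-style SASL failure lines (not taken from the poster's server).
SAMPLE_LOG = """\
Mar  7 10:15:02 mx postfix/smtpd[2231]: warning: unknown[45.125.66.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  7 10:15:03 mx postfix/smtpd[2231]: warning: unknown[45.125.66.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  7 10:15:05 mx postfix/smtpd[2232]: warning: unknown[45.125.66.184]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  7 10:15:06 mx postfix/smtpd[2231]: warning: unknown[45.125.66.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  7 10:15:09 mx postfix/smtpd[2233]: warning: unknown[51.75.255.69]: SASL PLAIN authentication failed:
Mar  7 10:15:10 mx postfix/smtpd[2231]: warning: unknown[45.125.66.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  7 10:15:11 mx postfix/smtpd[2231]: warning: unknown[45.125.66.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  7 10:15:12 mx postfix/smtpd[2234]: warning: unknown[45.125.66.191]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  7 10:15:14 mx postfix/smtpd[2235]: warning: unknown[45.125.66.193]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  7 10:16:40 mx postfix/smtpd[2236]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  7 10:17:01 mx postfix/smtpd[2237]: connect from mail.example.net[198.51.100.4]
"""

# syslog timestamp, host, smtpd pid, then the SASL warning with the client address in brackets.
SASL_FAIL = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(\d+\.\d+\.\d+\.\d+)\]: SASL \w+ authentication failed"
)


def parse_failures(log_text: str, year: int = 2019):
    """Return [(timestamp, ip)] for every SASL auth failure; syslog lines carry no year, so it is assumed."""
    events = []
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events


def offenders(events, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """Addresses with at least `threshold` failures inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    bad = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bad.add(ip)
                break
    return bad


def aggregate_prefixes(events, min_hosts: int = 3, prefixlen: int = 24):
    """Source prefixes with at least `min_hosts` distinct failing addresses: ban the block, not each host."""
    hosts = defaultdict(set)
    for _, ip in events:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        hosts[net].add(ip)
    return sorted(str(net) for net, h in hosts.items() if len(h) >= min_hosts)


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("ban hosts:   ", sorted(offenders(ev)))
    print("ban prefixes:", aggregate_prefixes(ev))
```

Blocking by address is whack-a-mole; the settings that actually shrink the attack surface are to allow AUTH only on the submission port over TLS (Postfix `smtpd_tls_auth_only = yes`) and to rate-limit or ban repeat offenders automatically, for instance with a fail2ban jail fed by the same log lines this parser matches.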



Certifying new service provider circuits using netbeez?

Ran into Netbeez today and heard some other service providers were using it to provide unofficial certifications to customers on new circuits.

I’m looking for input from other SPs on how, if at all, you’re certifying new circuits.



Corporate Network Speeds Slow

Hey guys,

I am looking for some direction on nailing down a slow network connection for users. We have 150Mbps incoming line and Gig switches throughout. Occasionally I'll get asked why the network is so slow which I know is always something users complain about. I don't have too much networking experience and have been overseeing our outsourced MSP. They claim they need more information which would obviously be helpful but all I can provide is that a speed test showed 60Mbps, connection to external sites was slow to load, and the exact time. The network is all new hardware (all good stuff) and the building is new so its only about 20% occupied. In a few months we will be going live and be adding more cloud apps.

I need to know how I can put a stress test/load on the network and pinpoint the issue once and for all. I have been back and forth with our MSP and they suggested putting in wireless policies that prevent streaming, which I know needs to be done, but without identifying the real problem now, it's like shooting in the dark. They have only told me that the connection has been steady at 80-100Mbps all afternoon and Microsoft had a very high download size over a few hours.

That is great but without knowing what machine is doing the downloads, it doesn't help. What are some ways to put a load on the network and perform other tests to get this resolved before we go live. Any suggestions on where to start or what I can tell them they need to do to get more details?



Kid Passes CCIE at age 16

10 years ago when he was 16! Soon to be CCIE Emeritus!

http://ageekfromafrica.com/index.php/2015/09/28/finally-a-list-of-the-youngest-ever-cisco-certified-internetwork-experts-ccie/

Well, it's me actually lol... I was 16.45 years old to be precise. I just did it for fun lmao I was just annoyed to see other self-claimed 'youngest CCIE' duahhhh. Like this: https://learningnetwork.cisco.com/blogs/certifications/2015/05/22/ccna-age-13-ccnp-age-14-ccie-age-19-bam or like this from India: https://www.youtube.com/watch?v=NPFPkxtIf-Q

It looks like both of them got it way later than me and when they were older than me. So, I found them annoying lol



Network setup / router problems

Alright, so I pay for gigabit download speed with Comcast over copper.

Directly connected through my Arris docsis 3.0 surfboard modem, I get about that speed, minus usual overhead. However when I add in my tp-link c1200 wifi router (just because I want wifi), I end up getting only about 500mbps down. I've spoken to tplink support and they swear that this router's gigabit ethernet ports should be able to handle the speed without issue, but that's looking like not the case.

What I want to do is this; put a managed switch on my modem, then have my desktop connected to that switch. Also have the c1200 connected to the switch as an ap.

My question; which type of managed switch would work for this? Obviously an unmanaged switch wouldn't work, but there are multiple types of "managed" switches so I'm not really sure which one is necessary. Do I just need one that can tag vlans? Does it need to be able to handle dhcp leasing?

Someone help me please.



Dell Networking X1000 Stack features

I am looking at the datasheet and I don't see any comments regarding a stack feature.

I am reading the user guide and still I don't see any procedure to make a stack using these models.

So can you confirm that this feature is available in these switches, or should I move to the N1100 series for the stack option?



Guest captive portal

I have an issue with guests hitting our guest WiFi captive portal. We use ClearPass as the guest auth server and we also use the ClearPass guest sponsor feature, where an employee must accept a guest WiFi request so we can guarantee "safer or restricted access". I tested this portal on my personal laptop, work laptop, a bunch of phones and other random PCs and it works perfectly. However, our visitors keep finding ways to break the drop-down list that contains approved sponsors, which is populated by AD group membership. I know IE works 50% of the time, and since Microsoft called it quits on IE and Edge I've been telling users to use Chrome or Firefox, and that is now becoming an issue. Does anyone know if drop-down lists in ClearPass guest self-registration are reliable, or is this just policies on other companies' assets breaking the drop-down list? I don't think I have enough experience to say whether it's our guests' PC configuration's fault or ours because ClearPass has a bug or something.



Anyone on here do any peering with Limelight?

Does anyone else on here do any peering with Limelight Networks? If so what has been your experience with them?



Can you fly with server equipment as checked bag from Africa into the US? I am a US citizen.


Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Pulse Secure > SAML > HTML5 RDP Client SSO - HALP!

Hello Sub!

Question: Does anyone have Pulse Secure and utilize the HTML5 RDP Resources and pass authentication via SSO? I'm having an issue where users sign in via SAML through our IdP to Pulse Secure, then when they go to login to the resource, I cannot get it to pass a password other than via plaintext passing it from the IdP. Obviously this isn't secure and would prefer not to do it this way. I would like to do it in a more secure way. Any ideas or pointers? Any help would be greatly appreciated. Thanks!



NAT Question - One to multiple inbound

Would there be any issue if you have an external IP translate to multiple inside hosts? (for example a published website or mail server) We typically do static NAT for our systems we publish outside of the firewall, but we have a request to have a new server that is built with the same public address NATed as the old server. They want this turned on before the old server is turned off meaning they want this public address to translate to two different internal IPs.

Is this possible or would it break something? I know for outbound traffic you can use PAT, but I am unsure how something ingress would understand which host to go to.



Avaya Firmware Nightmare 4850

I've recently purchased a used Avaya Ethernet Routing Switch 4850GTS-PWR+ to upgrade a current network setup. I was looking to upgrade the firmware to the latest version; however, the firmware must be upgraded in steps. There is no access to the Avaya website to download any images. As you may know, Extreme Networks bought out Avaya. Extreme Networks provides updates for the said switch; however, the firmware offered by them starts with version 5.9 and above. The problem is, to get to 5.9 you have to be running 5.65 or 5.7. The switch I purchased comes with version 5.63. The old Avaya site said you should have downloaded all the old copies and kept them safe, but it's now too late for me. Extreme Networks won't allow me access to 5.65 or 5.7. What do I do, or has anyone updated theirs higher from 5.63?

I'm currently running HW:12 FW:5.6.0.18 SW:v5.6.3.024 BN:24

And to get to 5.9 I would need software image 5.6.5 or 5.7 and diagnostic image 5.8.0.01 or 5.8.0.03. Been looking for a solution for days but may have to look at another switch.



Ideas for SolarWinds map usability for large networks?

So I'm currently working on getting SolarWinds designed for a network I work on. We've got upwards of a couple hundred separate sites we're going to be monitoring from it. Looking at the map section, though, sticking all the sites separately on there doesn't seem feasible considering the size of the map background they give (or any alternatives); even then it would be a terrible time placing all of those.

Along with that, there are usually a few sites that will be down at times for one reason or another, so large groups would most likely just result in everything being yellow at some point.

Is the best idea for something like this to just avoid the map altogether, or is there maybe a way to design it that I might not know about?



Layer-1 Services Appliance

So I'm looking for an appliance that acts as a layer-1 services box, basically allowing you to plug a bunch of network appliances into it, and it acts just like a virtual conduit to connect all the devices together. The application I'm looking at is basically setting up some lab gear. We plug everything into this appliance and would thus allow people to remotely configure the topology they want for the lab. This definitely needs to act at layer-1 so we don't run into errata doing experiments with things like MAC-SEC and MPLS.

I know these boxes exist because I've seen them before, but I can't for the life of me remember what they're called or who makes them.



Brain fart, I'm stuck over a dumb item

This will probably take the cake for the dumbest question that you have read all day. But I'm just at a blank at the moment.

I'm trying to console into a Cisco SG500 that I lost the password to, so I can't access it via SSH or through the GUI.

On the back of the SG500 there isn't your standard console port. It has the serial end of the cable, NOT the RJ-45 we're accustomed to seeing.

I have a serial-to-USB adapter that I normally use when the RJ-45 jack is on the Cisco equipment side.

But do I have to get a serial cable with RS232 on both ends and then have two adapters? Or is there a way I can run the RJ-45 into my laptop and connect to it that way?

I don't know why I'm stuck on this. But I am. Anything helps.



First time using fiber - Having problems

We're trying to set up some IP cameras at my work, and we have some that are 500 to 1500 feet away, so we are running fiber out to them. I've got everything set up but I can't see anything on the network that is connected via fiber. Was wondering if anyone had any pointers. Not sure if the switch requires any special setup or if it should be all plug and play.

I attached a NETGEAR GS728TP-100NAS to my existing network. I have a CAT6 cord running into port 1.

I'm using Cisco GLC-LH-SM 1000BASE-LX/LH SFP transceiver modules

I'm running this singlemode fiber: https://www.fs.com/products/29608.html 167meters, SC UPC Simplex connectors

I'm running these adapters to hook the fiber to the transceiver modules: 1ft Fiber Optic Adapter Cable LC (Male) to SC (Female) Singlemode 9/125 Duplex https://www.amazon.com/gp/product/B004W8B906/ref=oh_aui_search_asin_title?ie=UTF8&psc=1

At the other end, I'm running this switch: Amcrest Gigabit Uplink 9-Port POE+ Ethernet Switch with Metal Housing, 8-Ports POE+ (Plus) 802.3at 96w SFP Optical (AGPS9E8P-AT-96) https://www.amazon.com/gp/product/B073V4QRXQ/ref=oh_aui_search_asin_title?ie=UTF8&psc=1

And after that switch, I have my POE IP Cameras hooked up

The LED for the SFP port on the netgear is not lighting up when I plug anything into it. The LEDs on the front left of the switch are not lighting up either (Power, Fan, POE etc) but the #1 Port LED lights up and shows activity.

I can also log in to the web manager for the Netgear switch, but it also shows the SFP port as being Link Down, like nothing is connected to it.

I've tried swapping different fiber pairs on the fiber cable and swapping transceiver modules and trying different SFP ports on the switch with no difference.

I'm not running anything fancy on my network. I just have standard Windows 10 PCs on it with a couple POE switches running IP Cameras, all using 192.168.1.x IP addresses.

Any help would be greatly appreciated.

********EDIT************

Thanks to the fast replies below, we got it up and running!



AWS VPN IPSEC to aws vs Third party software VPN appliance in cloud

Hey, just wondering what most are doing to connect their network to AWS. Do you run a VM in your VPC and then tunnel that way, or do you just do the BGP IPsec to AWS? Thanks!



Let's say all you have is an IP address for something on your network - how do you figure out where the device is and what it's for

Have to narrow down info for a few devices, and all I have to go on is the IP address.
What do you do in this situation?
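One answer to that question is the routine a network engineer runs by hand: look the IP up in the ARP table of the gateway (giving the MAC and the SVI), then look the MAC up in the switch's MAC address table (giving the VLAN and the physical port), then check the OUI for a vendor hint. The script below automates that join. It is an added example and not from the post; the ARP and MAC table text is constructed in the style of Cisco IOS `show ip arp` and `show mac address-table` output, not captured from a real device, and the single-entry OUI table is a stand-in for the full IEEE list (00:50:56 really is VMware's OUI). The `shared_port` flag is the check people forget: if the port has learned several MACs, another switch or AP sits behind it and the search has to continue on that device.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the style of Cisco IOS "show ip arp" output
# (not captured from any real device).
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.1              -   0011.2233.4455  ARPA   Vlan110
Internet  10.10.10.25            12   0050.56a1.0c0f  ARPA   Vlan110
Internet  10.10.10.77             3   f4ce.4600.1a2b  ARPA   Vlan110
Internet  10.10.10.78             7   f4ce.4600.1a2c  ARPA   Vlan110
"""

# Constructed sample in the style of "show mac address-table" output.
SAMPLE_MAC = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 110    0011.2233.4455    STATIC      CPU
 110    0050.56a1.0c0f    DYNAMIC     Gi1/0/12
 110    f4ce.4600.1a2b    DYNAMIC     Gi1/0/48
 110    f4ce.4600.1a2c    DYNAMIC     Gi1/0/48
"""

# Stand-in for a full IEEE OUI database: 00:50:56 is VMware's well-known OUI,
# everything else resolves to "unknown".
OUI_VENDORS = {"00:50:56": "VMware"}

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<iface>\S+)",
    re.MULTILINE,
)
MAC_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\w+)\s+(?P<port>\S+)",
    re.MULTILINE,
)


def normalize_mac(cisco_mac: str) -> str:
    """Convert '0050.56a1.0c0f' to the colon form '00:50:56:a1:0c:0f'."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text: str) -> Dict[str, Tuple[str, str]]:
    """ip -> (mac, layer-3 interface the entry was learned on)."""
    return {m["ip"]: (normalize_mac(m["mac"]), m["iface"]) for m in ARP_LINE.finditer(text)}


def parse_mac_table(text: str) -> Dict[str, Tuple[int, str]]:
    """mac -> (vlan, switch port)."""
    return {normalize_mac(m["mac"]): (int(m["vlan"]), m["port"]) for m in MAC_LINE.finditer(text)}


def locate_ip(ip: str, arp_text: str, mac_text: str) -> Optional[dict]:
    """Join the ARP table to the MAC table to find which port an IP lives behind."""
    arp = parse_arp(arp_text)
    if ip not in arp:
        return None  # no ARP entry: host is silent, off-subnet, or the entry aged out
    mac, svi = arp[ip]
    table = parse_mac_table(mac_text)
    vlan, port = table.get(mac, (None, None))
    # How many MACs the switch has learned on that port. More than one means another
    # switch, hub or AP sits behind it and the search has to continue on that device.
    macs_on_port = sum(1 for _, p in table.values() if p == port) if port else 0
    return {
        "ip": ip,
        "mac": mac,
        "svi": svi,
        "vlan": vlan,
        "port": port,
        "vendor": OUI_VENDORS.get(mac[:8], "unknown"),
        "shared_port": macs_on_port > 1,
    }


if __name__ == "__main__":
    for target in ("10.10.10.25", "10.10.10.77", "10.10.10.99"):
        print(target, locate_ip(target, SAMPLE_ARP, SAMPLE_MAC))
```

On a real network the two text blobs come from the gateway and the access switch (or from an NMS export); with several switches in the path, repeat the MAC lookup on the device behind any port flagged `shared_port` until a port with a single MAC is reached.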



Switchport dark, cabling is good... what is going on?

So we are trying to connect a dumb/unmanaged switch (TrendNet) to our 2960x (for reasons), and the port flashes green briefly then goes dark, and stays dark. The interface says down/down (notconnect).

No indication in the logs that the interface is even coming up at all. If we take the Trendnet switch out of the equation the network device comes up right away.

The only configuration is 'switchport mode access' and a description. I've tried trunking, I've tried turning off mdix auto, I've tried turning off PoE, all sorts of stuff.

I've checked port security, spanning tree, using a crossover cable, not using a crossover cable... no blocked or err-disabled ports, just nothing.

Tested the run end to end, no cabling errors. You can plug a laptop in and get local connectivity. I think the port lights up on a spare Cisco 3750 that we tested that's out of production so we can't just throw it online.

Do you have any idea what is going on? It's frustrating and I feel like I'm missing something really stupid. Is there something with the 2960x's that does not want an unmanaged switch attached?



nslookup returning an odd result for an AD/DNS server

I have an AD server on my network that returns two addresses with nslookup. One is correct, the other is Google's DNS (8.8.8.8).

I am help desk, and have brought this up with management a couple of times and they don't seem to care. We have been using LMHOSTS files to point to most servers as well. I am guessing because the DNS is returning incorrect results.

  1. Is this correct/fine as management says?
  2. What should I do next?


High Availability with Aggregation Implementation

In an effort to better understand high availability I have a question. It's clear that high availability, specifically high availability clustering is a means to ensure the capable devices in question are always available with virtually no down time ever being noticed.

With that being said, what about at the port level or the WAN level? I am aware of port aggregation and link aggregation, but I guess the real question here is that it seems High Availability is mostly geared towards the specific availability of the hardware as a whole, not necessarily the specific availability of, say, a port or a routing protocol.

If this is indeed the case, theoretically speaking, what would be the "most available" configuration possible? Most likely it would include some type of: clustering, load balancing, port and link aggregation, cloud/hybrid environments, multiple sites/data centers, etc. What am I missing? Trying to get the overall concept correctly. Thanks.



Solarwinds replacement options?

So, pretty simple question. I opened a support case yesterday, about this time, and after the initial auto response email from support my ticket is still not assigned to anyone. I have also received about 10 marketing emails. I'm a little irked.

So I need to replace:

Network Performance Monitor

Network Configuration Manager

IPAM

Network Traffic Analyzer

User Device Tracker

I'm pretty sure that one tool won't do it all, but give me some options to explore please!



Recommendations on network TAP

I’m interested in getting a TAP for experimenting and learning a bit, plus it would be useful for troubleshooting etc.

I’ve seen this one: https://shop.hak5.org/collections/sale/products/bug

However it is only 100Mbps, and it’s from the US (I’m based in the U.K.).

Does anyone have any recommendations on 1Gbps TAPs that are around the £100 mark?



Cat2960xr vs Cat9200?

Anyone made the switch? Looking for L3/switch w/48 ports + POE for smaller remote offices. Would need to do EIGRP and prefer one without a lot of bugs. Have been using the 2960s but was pointed to the 9200s as an alternative.



MRTG replacement for our agency

Hello All

I have been forced volunteered to find a replacement for MRTG. I have been going through multiple recommendations and researching it and now I find I am in analysis paralysis. Some of the limits I have been constrained to are:
1. Windows based (there goes Nagios/Cacti). My agency is bucking the trend and moving from open source to Microsoft.
2. No cloud based NMS. The upper level management doesn't believe it is secure enough.
3. Should be free or low cost.
4. Should be relatively easy to implement and configure.

Of course as soon as I find options they are shot down. Currently I am looking at the following:
1. Solarwinds: expensive, and a tad overkill since I am dealing with less than 1000 core network devices
2. PRTG
3. ManageEngine OpManager
4. Observium
5. Whatsup Gold
6. Entuity Network Analytics

Honorable mentions:

LibreNMS - Open source so had to ditch

Zabbix - See above

LogicMonitor - Cloud Based so it's a no go.

I was hoping to pick the collective hive mind and see people's thoughts about their options and experiences with any of the above or what solution they went with. Thank you in advance for reading this.



Anyone here upgraded CPPM?

We're currently running 6.6.2.86786. Need to upgrade to 6.7 and frankly, I'm fucking terrified. We just have two servers in a cluster. CP-HW-25K, one pub and one subscriber.

We have custom footers and headers with PHP in our Guest module for a customized captive portal and obviously a shitton of configuration in CPPM. I'm going to backup everything we have in Guest in terms of customized code first and foremost but other than that, I've never done a CPPM upgrade. Any tips from those of you that have done it?

Is there a good rollback mechanism if things go pear shaped?

Thoughts and prayers?



What would you do (seeking opinions)

I have a sysadmin/pc repair shop/end user support background. Very hands on, busy all day etc...

Last year I landed my first network support role. (I've got CCNA R&S and Security).

It's a 3rd line network support role for a newly created "MSP".

We rarely get any calls (very slow paced). We don't manage the customers' networks directly, nor do we have documentation, and when an issue arises, they can be ANYTHING from a BGP peer down, to Firepower configurations, licensing issues (we're a Cisco Gold Partner), Nexus switches, WLAN controllers, IPT, etc... and the customer asking you to figure out an immediate solution for a network you don't even know on a device you're not familiar with.

I'm trying to gain experience here, but I don't get enough hands-on time in one particular field or set of devices to be effective at it when a P1 call comes through.

What sort of role would you recommend for a 22 year old that wants to do as much hands on as possible, have a solid understanding of networks from a practical point of view, and become very good at it?

Thanks in advance for any inputs.



AVI Network Experience?

Hi /networking, it has been about 6 months since the last AVI thread so I figured I would try to get a discussion going.

As AVI will be quick to tell you, they are developed from the ground up to support a modern DevOps model with cloud support, built on a fully API driven platform. They run on pretty much anything with an Intel chipset and aim to be flexible enough to do pretty much anything.

That is the marketing hype at least. I cut my teeth on F5, and a lot of what AVI mentioned is "you don't have an appliance refresh cycle" any longer, which I call BS on because on-prem it still runs on someone's compute. I am not blind to F5 though, and AVI's offering of being able to scale intelligently is interesting from a consumption perspective.

My other hangup, because I know less about ASICs than I should, is AVI's statement that ASICs have stagnated horribly while Intel chipsets have been catching up. The short is that if you are doing heavy SSL encrypt/decrypt, the cost of throwing more cores at the AVI box still comes out under the F5 price because 1) a UCS/CSP/server is cheaper than an F5 appliance, and 2) you can scale the AVI intelligently to reduce waste while the F5 A/P method means at most 50% utilization.

AVI aims to be a disruptor and there isn't a lot out there regarding them. I am hoping to get others' input. We aren't a particularly DevOps/automated shop and have a very diverse skill set in the networking field. Supportability is a key factor and AVI is so small, with such interest from Cisco, that I would hate to pull the trigger on them, Cisco acquire them, and Cisco quickly ruin whatever we would love about them.



Outside access point?

My Wi-Fi isn't reaching my driveway with a strong enough signal and I need an outside access point.

Can folks recommend good ones and what are they called and where can I get one?



Is UTM really needed for a small (ecommerce) business?

We have an office with ~17 employees. We all use PCs (mainly web browsing to our CMS, ticket system and some personal stuff) and VoIP telephones. The telephones are key because sales/support is our main business (at any given moment at least 5 people are in a call). There are also some other devices plugged into the network, such as printers, a camera system, a pin for visiting customers and a Wi-Fi access point so people can connect their smartphones.

Right now we use a SonicWall TZ 215, but it's dying and we need to replace it. I'm not an IT guy, but I am the most technical person in the company (I'm a web developer), so it is my task to find a replacement. Since we've had much trouble with VoIP call quality in the past, I'm looking for a router that handles VoIP well. Our VoIP provider swears by MikroTik (and can give me some tips to optimally configure it for their service), so I'm looking at something along the lines of https://mikrotik.com/product/CCR1016-12G. As I'd rather have an over-powered router than deal with network difficulties when we grow, my budget is around 1500 EUR.

Now somebody suggested I ditch the MikroTik idea and stick to SonicWall or Fortinet because it's much more secure because of UTM. I've looked into this UTM and it doesn't sound like this will improve our VoIP call quality. Is UTM really needed for our business? Isn't the normal firewall in the MikroTik + virus scans on our computers enough? What real risk do we face when we go with the MikroTik?



Multicast Troubleshooting

Hi, I am completely new to Multicast troubleshooting, I am aware of what Multicast is and how it works but I am having an issue troubleshooting multicast. I have 2 windows machines on VLAN 95, that communicate over the 239.0.38.0/24 multicast range. Their non multicast IPs are 10.99.1.56 (Transmitter) and 10.99.1.44 (Receiver). I have a L3 address on the VLAN 95 SVI on both L3 switches closest to the Transmitter (Arista) and Receiver (Cisco). I am using Sparse Mode. I also have a RP address setup on the L3 switch closest to the Transmitter and I have told the L3 switch closest to the Receiver what the RP address is. I am happy to provide more information if needed.
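A first check before looking at PIM state on either switch: the group range 239.0.38.0/24 is admin-scoped (so an RP is required in sparse mode, as set up above), and the receiver-side switch learns multicast at layer 2 by the MAC that the group maps to, not by the IP. The functions below, an added example and not part of the post, compute that mapping (RFC 1112: 01:00:5e plus the low 23 bits of the group), list the 32 IPv4 groups that collide on the same MAC, and classify the scope of a group. They use only the standard library and take the addresses from the post; nothing here talks to a switch.

```python
import ipaddress
from typing import List

# 01:00:5e:00:00:00, the fixed IPv4 multicast MAC prefix (RFC 1112).
MCAST_MAC_PREFIX = 0x01005E000000


def multicast_mac(group: str) -> str:
    """MAC a receiver's NIC and the switch's multicast MAC table use for this group:
    the 01:00:5e prefix followed by the low 23 bits of the IPv4 address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac_int = MCAST_MAC_PREFIX | (int(addr) & 0x7FFFFF)
    return ":".join(f"{(mac_int >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def colliding_groups(group: str) -> List[str]:
    """All 32 IPv4 groups that share this group's MAC. The 4-bit 1110 prefix is fixed,
    so 5 bits (bits 23..27) are dropped in the mapping and 2**5 groups collide."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (dropped << 23) | low23)) for dropped in range(32)]


def l2_collides(group_a: str, group_b: str) -> bool:
    """True when two groups are indistinguishable at layer 2 (same MAC), which makes
    IGMP snooping forward both to a host that joined only one of them."""
    return multicast_mac(group_a) == multicast_mac(group_b)


def describe_scope(group: str) -> str:
    """Where a group can travel: link-local groups never cross a router, so PIM and
    the RP are irrelevant for them; 239/8 is organization-scoped and does get routed."""
    addr = ipaddress.IPv4Address(group)
    if addr in ipaddress.ip_network("224.0.0.0/24"):
        return "link-local control group: not forwarded by routers, no PIM/RP involved"
    if addr in ipaddress.ip_network("239.0.0.0/8"):
        return "administratively scoped (RFC 2365): routed inside the organization, RP required in sparse mode"
    return "globally scoped group"


if __name__ == "__main__":
    for g in ("239.0.38.0", "239.0.38.200", "224.0.0.5"):
        print(g, multicast_mac(g), "-", describe_scope(g))
    print("groups sharing the MAC of 239.0.38.1:", colliding_groups("239.0.38.1"))
```

With the MAC in hand, the receiver-side switch's multicast MAC table (and the IGMP snooping table) can be checked for an entry on the receiver's port; if the group shows up at layer 3 on the SVI but no layer 2 entry exists, the problem is in IGMP/snooping rather than in PIM or the RP.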



Help with designing a network please!

So, I've been tasked with expanding from our flat network at work to one that is segmented. Right now we have right around 150 hosts in a single /24 with a single vlan at our datacenter which encompasses literally every device and VM. Then at the office everything is on a second /24 and vlan and connected to the datacenter via s2s vpn. We are looking into standing up a Colo2 on the opposite coast and I'm trying to get our network in order before doing that. Here is my plan:

Supernet 10.<Site ID>.<VLAN##>.X /8

Datacenter 1 - 10.10.0.0/16
  Production Servers - 10.10.10.0/24 VLAN 110
  Test Servers - 10.10.20.0/24 VLAN 120
  Network Devices - 10.10.30.0/24 VLAN 130
  DMZ - 10.10.40.0/24 VLAN 140

Datacenter 2 - 10.20.0.0/16
  Production Servers - 10.20.10.0/24 VLAN 210
  Test Servers - 10.20.20.0/24 VLAN 220
  Network devices - 10.20.30.0/24 VLAN 230
  DMZ - 10.20.40.0/24 VLAN 240

Office - 10.30.0.0/16
  LAN - 10.30.10.0/24 VLAN 10
  WiFi - 10.30.20.0/24 VLAN 20

Does this look right? I can't imagine I'll ever need more than 250 IPs for each VLAN. Also each site will have two stacked 5515-X Cisco ASAs to do all the routing.
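An addressing plan like this is easiest to review as data, because the mistakes that hurt later (two sites overlapping, a subnet outside its site block, a VLAN id reused at one site) are mechanical to check. The script below is an added example and not from the post: it transcribes the plan above into a list, validates it with the standard `ipaddress` module, and also tests the `10.<site>.<vlan>` convention the post names. The convention check follows the pattern the two datacenters use (site octet 10 gives VLANs 1xx, 20 gives 2xx, third octet as the low digits) and reports where the plan departs from it, which in this plan is the two office VLANs; whether that matters is the author's call, the script only makes it visible.

```python
import ipaddress
from typing import Dict, List, Tuple

# The plan from the post, transcribed as data: (site, role, prefix, vlan).
PLAN: List[Tuple[str, str, str, int]] = [
    ("Datacenter 1", "Production Servers", "10.10.10.0/24", 110),
    ("Datacenter 1", "Test Servers", "10.10.20.0/24", 120),
    ("Datacenter 1", "Network Devices", "10.10.30.0/24", 130),
    ("Datacenter 1", "DMZ", "10.10.40.0/24", 140),
    ("Datacenter 2", "Production Servers", "10.20.10.0/24", 210),
    ("Datacenter 2", "Test Servers", "10.20.20.0/24", 220),
    ("Datacenter 2", "Network Devices", "10.20.30.0/24", 230),
    ("Datacenter 2", "DMZ", "10.20.40.0/24", 240),
    ("Office", "LAN", "10.30.10.0/24", 10),
    ("Office", "WiFi", "10.30.20.0/24", 20),
]
SITES: Dict[str, str] = {
    "Datacenter 1": "10.10.0.0/16",
    "Datacenter 2": "10.20.0.0/16",
    "Office": "10.30.0.0/16",
}
SUPERNET = "10.0.0.0/8"


def usable_hosts(prefix: str) -> int:
    """Host addresses left after the network and broadcast addresses (254 for a /24)."""
    return ipaddress.ip_network(prefix).num_addresses - 2


def pattern_vlan(prefix: str) -> int:
    """VLAN implied by the 10.<site>.<vlan>.x convention as the datacenters apply it:
    site octet 10 -> 1xx, 20 -> 2xx, with the third octet supplying the low digits."""
    octets = ipaddress.ip_network(prefix).network_address.packed
    return (octets[1] // 10) * 100 + octets[2]


def check_plan(plan, sites, supernet) -> List[str]:
    """Return a list of human-readable findings; an empty list means the plan is clean."""
    findings: List[str] = []
    top = ipaddress.ip_network(supernet)
    rows = [(site, role, ipaddress.ip_network(prefix), vlan) for site, role, prefix, vlan in plan]

    # VLAN ids only need to be unique within one layer-2 domain, i.e. per site.
    seen: Dict[Tuple[str, int], str] = {}
    for site, role, net, vlan in rows:
        label = f"{site} / {role} ({net}, VLAN {vlan})"
        if not net.subnet_of(top):
            findings.append(f"{label}: outside supernet {top}")
        if site not in sites or not net.subnet_of(ipaddress.ip_network(sites[site])):
            findings.append(f"{label}: not inside the site block {sites.get(site)}")
        if not 1 <= vlan <= 4094:
            findings.append(f"{label}: VLAN id outside the 802.1Q range")
        if (site, vlan) in seen:
            findings.append(f"{label}: VLAN id already used by {seen[(site, vlan)]}")
        seen[(site, vlan)] = label
        expected = pattern_vlan(str(net))
        if expected != vlan:
            findings.append(f"{label}: does not follow the 10.<site>.<vlan> pattern (pattern gives {expected})")

    # Overlap is checked across sites as well: routes between sites collide otherwise.
    for i, (site_a, role_a, net_a, _) in enumerate(rows):
        for site_b, role_b, net_b, _ in rows[i + 1:]:
            if net_a.overlaps(net_b):
                findings.append(f"overlap: {site_a} / {role_a} {net_a} with {site_b} / {role_b} {net_b}")
    return findings


if __name__ == "__main__":
    for line in check_plan(PLAN, SITES, SUPERNET) or ["no findings"]:
        print(line)
    print("hosts per /24:", usable_hosts("10.10.10.0/24"))
```

Adding a future Colo2 block or a new VLAN is then a one-line change to `PLAN`, and re-running the check catches an overlap before it reaches the ASA configs.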



SDN in use

I studied SDN briefly as part of my literature review, I understand the concept and how it can enable a new frontier for networking in general.

However this is where the learning stops, all I ever fucking see is videos explaining the concept, never any videos showing how to implement in reality beyond a sales pitch. Can anyone post some videos showing SDN in use or someone setting them up?



21-year old Silicon Valley chapter of Cisco Users Group shuts down

I received the following email:

Hello SVCUG Members,

In case you haven't kept track of time, or are relatively new to the group, the SVCUG has been around for nearly 21 years.  Over these 21 years, it's been an honor watching and helping many of you achieve your learning and certification goals.  Beyond that, we've also had some amazing presentations by leaders in the networking industry, both inside and outside of Cisco.

That said, it's with great sorrow to tell you that we've decided that the time has come to shut down the SVCUG.  It has truly been one heck of a ride, and I thank you for being a part of the journey.  By no means have I done this alone, so I'd like to thank my co-founder David Powers, along with Dan Segovia, Lorin Thompson, Akil Taylor, Chris Donovan, Chris Verges, Gary Sanders, David Dai, Ray Brewer, and of course, Martin Winter, to name just a few.  It's been so rewarding seeing many of you grow in not only your knowledge, but also professional careers.

As for the www.svcug.net website, we have some great recorded TechTalks on the site, so I encourage you to watch them while they are still there.  The current plan is to keep the website operational into 2020, until the current hosting plan expires.  We are still looking at various options regarding the SVCUG List Server, and I will send out an e-mail update about that in the future.

As for the biweekly Saturday labs, they will also cease.  I'll be updating the SVCUG website Events Calendar in the near future to reflect that.

Finally, I just want to say thank you to all of you for being a part of this group for so many years.  I've made many friends through this group, and I look forward to crossing paths with many of you in the years to come.

Sincerely,

Luis Chanu

Co-Founder

Silicon Valley Cisco Users Group (SVCUG)

Like many of you I'm sure, some of my earliest and most developmental exposure to this industry was via a local Cisco users group. At that time, they seemed to receive a lot of support from Cisco but over time, it seems to have declined. I am very surprised to see the chapter local to Cisco's headquarters shutting down.

Is this because Cisco sees these groups as competition for its own paid educational products?

My old group, the Colorado Springs Cisco Users Group was absorbed into the RMCUG https://www.meetup.com/RockyMountainCiscoUsersGroup/events/ but it doesn't seem so active these days either.

Are conferences and online forums the only options nowadays?

I enjoyed some of the Palo Alto FUEL meetups in the Bay Area - They reminded me of the heyday of the Cisco groups.



When will IPv4 die?

and we will end up with a clean IPv6 stack?



OLT Wireless Bridge/Small OLT Unit for Dead Zones

I have seen the issue many times where there is a cluster of apartment buildings and it is not possible to feed them via fiber as a trunk is not placed between two sides of a street or the trunk has since been destroyed by road works or similar. Getting permission to fix the trunk is near impossible and this becomes a dead zone.

I am currently thinking of two solutions:

  1. Place a radio/laser point-to-point link from one side of the street to the other. On the opposite side put an OLT and cable off from here to the other buildings, the downside being that OLTs are not the cheapest and it would be severely underutilised. If we imagine 5 buildings with 20 flats in each, i.e. 100 connections, we don't need anything too powerful.
  2. Place a radio/laser bridge between the two premises and continue cabling from here so that all traffic flows back to the OLT in the DC.

I would certainly prefer the second option as I would not have to manage multiple OLTs and it seems a lot cleaner.

Does anyone know any equipment that can be used to bridge a fiber cable wirelessly, so that you can continue splitting the cable on the opposite side of the road, would not interrupt the general data flow, and would allow the ONU info to flow back to the OLT for authentication? Alternatively, does anyone know of a small OLT? If we consider 100 connections and that an OLT GPON port can be split to approx. 64 connections per port, it would only need to be a two port device.

I have heard talk of fiber bridges using a laser link but other than this site I don't find a great deal of info. Ideally I just want to keep things simple and use a simple bridging device. Any thoughts, advice or links would be greatly appreciated.



Job Application Advice

Hey guys, not sure if this is the correct subreddit, but I thought I’ll give it a shot.

I work for a large ISP as a tier3 data engineer. One of my colleagues I've gotten friendly with lately has requested that I apply for his team's open position as a Core Level data engineer.

Now this is a huge milestone, but I am super realistic and know my knowledge isn’t near theirs.

In terms of troubleshooting and basic config on a customer equipment level I’m one of the best on the team. On our core equipment I’m a total noob wrt configs.

One thing I do have going is I learn super fast.

What should I expect here when applying and should I make the interview?



Slim Cat6A Cables

https://www.primecables.ca/en/p-362780-pc-s950-c6aslim-allbk-slim-cat6a-28awg-utp-ethernet-network-cable-goslim-black-primecables

Any experience with these cables? They’ll just be used in single cabinets between servers and 10GBASE-T switches. Longest run would be 6ft.



Wednesday, March 6, 2019

[Request] Looking for a good RJ45 connector with color coded strain reliefs.

I'm not sure if this is the appropriate subreddit as most of the content seems to be above the physical layer. Feel free to point me to a more appropriate subreddit.

tl;dr - I'm trying to find an EZ RJ45 connector and strain relief system with as many colors for strain reliefs as possible (CAT6 UTP).

Background: I implement a product/service that lives down on a lower layer, below a typical layer 3 or 4, with multiple subnets and various nodes. Usually we provide one or two cabinets and I do all of the internal cabinet cabling and tipping myself. I like the cables to be laid out in a specific manner and organized a specific way. I have used white CAT6 UTP and EZ RJ45 connector and strain relief (both clear) in the past and differentiated the cabling for the subnets with a little color coded shrink wrap at the ends, along with labels.

Next project: My architecture for the next project is nearly identical to every other one I've done prior, but it is for a mission critical facility. I want the cabling to look a little more professional, but I'd still like to do it myself. I'll still be using CAT6 UTP and EZ RJ45 connectors, but I would like to get color coded strain reliefs.

I do not want standard boots for a couple of reasons: they look and feel cheap, they are impossible to unlatch when the boot gets under the latch or the NIC is too close to the server housing, and they never stay on the connector. I've been many places where the cabling is too taut and the boot isn't providing strain relief because it's fallen down the cable 4-6". Having to use a key or screwdriver to unlatch a stuck connector due to the boot is the other common problem I come across. I like the security of the EZ RJ45 connectors and strain reliefs, where the strain reliefs get crimped into the connector itself.

Problem: I count at least eight subnets for this next implementation (still in the planning and design phase). I expect to realistically need ten color combinations after the design is approved and everything is accounted for. The only 'system' I can find with color strain reliefs is the EZ RJ45 line from Platinum Tools (Connectors and Strain Reliefs). That only leaves me seven colors when you include 'clear.'

Does anybody have suggestions for another color coded tipping system with more variety and preferably still pass-thru?

My other thought was to buy another spool of CAT6 UTP in a different color, which would allow me 14 variations. I like having all the cable the same color though, but that may be my only option. I'm not overly concerned about the budget and a spool of UTP is relatively inexpensive, but bear in mind I'm typically using 250ft or less for each project since it's all within the same cabinet.

Thanks



Proper Orientation for Racking Routers

I need a reality check folks, because apparently I'm racking my networking wrong according to my employer's CTO and CEO.

A pair of switches are in each server cabinet, on the hot row side, in the middle of the rack for neat even wiring. This is only approved for the sake of neater wiring apparently.

The network cab has a Juniper MX240 (with a set of Gruber rails underneath as a failsafe), Juniper EX4500 (four post racked), Mikrotik CCR (for flexible tunneling, wasn't my choice). These are all racked at the top, with the front/ports facing into the hot row like our switches. There are also client servers racked in the same cabinet (also not my choice).

I feel that the hot/cold side doesn't matter temperature wise as long as the fans are pointing in the right direction, and for the fans on the sides like the MX240, it won't matter either way. As for cabling, as long as it's managed properly, I don't see any issue with that.

Please let me know your thoughts. Thanks!



WatchGuard, Fortinet, and Zyxel, which one provides the best SD-WAN solution?

I'm a tech guy for my mid-sized company and we're thinking about trying to replace our traditional MPLS setup with SD-WAN. I have these 3 options to choose from, and with limited time and budget, which one is the best choice?



Slowness after moving to Port-Channel?

The setup was, internet line-> router<>switch<>firewall<>proxy.

Earlier, there was only a single interface between the router and switch and this had sub-interfaces.

I used 2 new interfaces to create a port-channel and recreated the sub-interfaces here. (Basically moved everything from the single interface to new Po)

Both old and new interfaces are Gigabit interfaces.

This happened some weeks ago. Now I have users complaining of slowness when connecting to the internet, and they say it started around the same time as the move. I checked the port-channel and individual interfaces and don't see any errors or drops.

Any clue as to what else I need to check?



Job Change After Promotion

I know this could be submitted under Careers however I feel this group better grasps the situation given relatable experiences.

Long story short, joined current company in 2010. Been promoted along the way from network administrator, to engineer, to security manager, earned CISSP, left the company in 2015 for a contractor position, hated it and returned as security manager 9 months later. (This company and I really enjoy working together.) 3 years in the same position and then transitioned to network security director 4 months ago with an understanding I'd be around another 2-4 years.

Now comes the fun. I wasn’t actively looking for a job but I kept my ear to the ground in case something I would really love to do comes around. I get a call from a company seeking employment as a security director but paying 30k more. It’s close by, great benefits, national company, and with good work life balance.

The pay would be a game changer for me, my family, our finances etc...

Do I make the bold risky move knowing there is no turning back? I like what I do. I like the people. I like where I am for now and just like all of us faced with career decisions, I’m in the middle of a dozen projects that I care about. One being a datacenter build.

The current company would be crushed and I’m morally torn about my 2-4 year commitment I offered when taking this last promotion. No contracts or non-compete were signed about length of employment.

All responses and shared experiences are appreciated!



What are some easy to understand TCP protocols that I can experiment with?

Hi, I'm a software developer and am taking on a project that communicates over a custom TCP protocol. So far there's not much to it and I'm not having too much trouble communicating over the protocol.

I'd like to experiment with others like VNC but I certainly don't want to get in over my head right off the bat. What are some protocols that I can dive into that aren't too complicated?

Thanks!
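Whatever protocol is picked next, the part that trips up most first custom TCP protocols is framing: TCP hands the receiver a byte stream, so one `recv()` can return half a message or two messages glued together, and the receiver must find the boundaries itself. The example below is added here and is not from the post; it is a minimal length-prefixed request/response protocol with a JSON body, and the client deliberately writes several requests in one `sendall()` so the server has to split them. The op names (`add`, `upper`) and the 1 MiB frame limit are arbitrary choices for the demo. A `socketpair` stands in for a real connection so it runs without opening a listening port.

```python
import json
import socket
import struct
import threading
from typing import Callable, Dict, List

HEADER = struct.Struct("!I")   # 4-byte big-endian payload length
MAX_FRAME = 1 << 20            # reject absurd lengths before allocating a buffer (demo value)


def recv_exactly(sock: socket.socket, n: int) -> bytes:
    """Loop until n bytes have arrived: recv() may return fewer bytes than asked for."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-frame")
        buf.extend(chunk)
    return bytes(buf)


def send_frame(sock: socket.socket, payload: bytes) -> None:
    sock.sendall(HEADER.pack(len(payload)) + payload)


def recv_frame(sock: socket.socket) -> bytes:
    (length,) = HEADER.unpack(recv_exactly(sock, HEADER.size))
    if length > MAX_FRAME:
        raise ValueError(f"frame length {length} exceeds {MAX_FRAME}")
    return recv_exactly(sock, length)


def serve(sock: socket.socket, handlers: Dict[str, Callable], max_requests: int) -> None:
    """Toy server: each frame carries a JSON object {"op": ..., "args": [...]}.
    A malformed or unknown request gets an error reply instead of ending the session."""
    for _ in range(max_requests):
        try:
            request = json.loads(recv_frame(sock).decode("utf-8"))
            result = handlers[request["op"]](*request.get("args", []))
            reply = {"ok": True, "result": result}
        except ConnectionError:
            break
        except (ValueError, KeyError, TypeError) as exc:
            reply = {"ok": False, "error": type(exc).__name__}
        send_frame(sock, json.dumps(reply).encode("utf-8"))


# Demo operations; a real protocol would define these in its spec.
HANDLERS: Dict[str, Callable] = {"add": lambda a, b: a + b, "upper": lambda s: s.upper()}


def run_session(requests: List[dict]) -> List[dict]:
    """Run client and server over a socketpair. All requests go out in a single sendall()
    so the server receives them as one byte blob and must find the frame boundaries."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=serve, args=(server, HANDLERS, len(requests)))
    worker.start()
    encoded = [json.dumps(r).encode("utf-8") for r in requests]
    client.sendall(b"".join(HEADER.pack(len(p)) + p for p in encoded))
    replies = [json.loads(recv_frame(client).decode("utf-8")) for _ in requests]
    client.close()
    worker.join()
    server.close()
    return replies


def rejects_oversized_frame() -> bool:
    """The length guard in action: a header announcing 2 GiB is refused before allocation."""
    a, b = socket.socketpair()
    try:
        a.sendall(HEADER.pack(1 << 31))
        recv_frame(b)
        return False
    except ValueError:
        return True
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    demo = [{"op": "add", "args": [2, 3]}, {"op": "upper", "args": ["abc"]}, {"op": "nope"}]
    for req, rep in zip(demo, run_session(demo)):
        print(req, "->", rep)
    print("oversized header rejected:", rejects_oversized_frame())
```

The same two habits carry over to reading an existing protocol such as VNC: find its framing rule first (fixed header, length prefix, or delimiter), and treat every length field from the wire as untrusted input to be bounds-checked before it is used.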



Project ideas

I’m graduating this semester, and I need some ideas for my graduation project. Unfortunately, my instructor refused almost every single idea I came up with, and wants the project to have a hardware component to it. I suggested I monitor the lab for him; my idea was: card readers to know who got in, a security camera to count how many got in and how many left, and finally a web access point to perform a couple more tasks. And then use an API to pull data from all I mentioned, and show it on my own webpage. He didn’t go for it. He says, “it needs more meat”!!! Any ideas, folks?



Is it possible/advisable to announce a prefix from two different ASes, or one prefix from two eBGP speakers that aren't connected together?

My organization is expanding to a new DC with a new, independent transit connection to ISP "C" (for the sake of argument). They've also offered to give us a /24 that we could do with as we please. I don't know if it's portable (if they'd allow us to announce it from our own AS) or not at this point, but initially, they said they'd announce it via their AS and just give us a single static route to get the machines at the new DC on the net.

During the build-out and eventual linking of this new DC to our existing DC (where we announce our three existing prefixes via ISPs "A" and "B" with our own ASN), we plan to run a metro-ether link between the two locations and start announcing all our old and newly-assigned prefixes out through both locations. Would it be desirable to let ISP "C" at the new DC announce the prefix they're giving us from the start, and then plan to migrate it to our AS when we get the DC-to-DC link up? Or better to set up our own edge router at the new DC to announce the new prefix from our own AS? Would this even be possible from a BGP routing perspective, to have one router announce a prefix from our AS in one location, and another router announce our other prefixes (mutually exclusive of the prefix announced at the new DC) at another location, and not have those two locations linked internally?

What are the limitations of announcing one prefix via two ASes and having two eBGP speakers (that aren't connected via an IGP) using the same AS announce different sets of prefixes?