Saturday, April 27, 2019

What happens if a RIP update packet is lost?

Hello,

I am currently studying for an exam. One topic is the routing protocol RIP.

This is my question:

Suppose a RIP router wants to advertise 30 routes. Two datagrams are required for transmission: one datagram with 25 routes and a second datagram with the remaining 5 routes. Assume that the first datagram does not reach its destination. What happens?

Well, my understanding is that the network is wrongly advertised to the next router until the next periodic update comes in after 30 seconds. So that means the network is inconsistent for a short time. Is that correct, or am I missing something?



ELAN/EPLAN Latency

So we have several sites with Spectrum/Charter using their EPLAN product, basically any to any WAN product. Not that it necessarily matters, but it is VPLS/Bridge Domain on the back end from my understanding.

Our choice in using them is primarily based on the bulk of our branch office locations being in their service area, with the largest number in the Midwest.

We have a DR site in the Phoenix area, where they happen to have a POP at 120 E Van Buren. They were able to offer us a 5gbps circuit there, and it finally went live 2 weeks ago.

I started doing some testing and noticed latency around 103ms to 110ms, depending on which site on our ELAN I tested from. For comparison, via internet/transit routes between these sites, we are in the 60ms-65ms range.

I started looking for comparison points: I checked out the he.net transport mapping tool, and it lists the path at 35ms. I checked the AT&T latency POP tool and it lists 36ms.

I have been working with the NOC and my account team, and have not made any progress in 2 weeks. First the NOC blamed the design, which they sent me. It is very inefficient; it actually goes west to LA before heading back east (you would think it would go straight from PHX to Dallas like everyone else), which obviously adds some latency. It does have a primary and backup path, but even mapping both routes, I can't come up with more than mid-60s ms. Given that, it almost seems like some sort of configuration issue rather than a problem with the design itself. I have asked multiple times if anyone has taken the time to map the circuit as configured and test POP-to-POP latency to see if there are any discrepancies, and I've never gotten a clear answer as to whether this has been done or not.

Certainly I am not in need of some super low latency route like I'm doing HFT or anything, and even the latency itself is not my largest concern; it's where the hell this circuit is bouncing around their network for the end result to be this sort of latency. Hell, coast to coast isn't more than 70ms!

I have provided all of this information and they have not disputed anything and have not really provided anything for counter-discussion. It really is pretty frustrating and disappointing. Obviously in hindsight I should have asked for the full design and expected latency upfront.

Has anyone had any experience with anything like this?



Wifi signal into local network ?

How can I get an 802.11 b/g/n wifi signal from a device into my local network, through my router or by Network Address Translation?



Cisco WLC 3504 recommended firmware

Hello guys,

I'm designing the network for an event where about 300 people are going to use my wifi through a captive portal.

I have a couple of brand new 3504s in SSO. They are not going to do anything fancy, but which version would you recommend? There is so much firmware available on cisco.com that I'm a bit confused...

Thanks !

Edit: I have 25 3700e APs ;)



vyos/vyatta/edgeos inverse-mask matching

I'm messing around with some routing policies in VyOS. My goal is to have OSPF only originate a default route if a certain route is present in the routing table. The use case for this would be failover if an upstream link dies. Something similar to this: https://community.cisco.com/t5/networking-documents/conditional-default-route-advertisement-in-ospf/ta-p/3145600

However, of course it's not working quite as expected; I suppose that is typical when learning new things. :)

Here are the relevant parts of the config:

access-list 1 {
    rule 1 {
        action permit
        source {
            inverse-mask 0.0.0.255
            network 33.33.33.0
        }
    }
}
route-map conditional {
    rule 1 {
        action permit
        match {
            ip {
                address {
                    access-list 1
                }
            }
        }
    }
}
ospf {
    area 0 {
        network 10.10.10.0/30
    }
    default-information {
        originate {
            always
            metric 10
            metric-type 2
            route-map conditional
        }
    }
    log-adjacency-changes {
    }
    parameters {
        abr-type cisco
        router-id 10.10.10.2
    }
}
static {
    route 33.33.33.0/24 {
        blackhole {
        }
    }
}

Here's the routing table, which shows that 33.33.33.0/24 is present:

10.10.10.0/30 dev eth1 proto kernel scope link src 10.10.10.2
blackhole 33.33.33.0/24 proto static metric 20
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.61

I would expect this to match 33.33.33.0/24, but it does not appear to:

inverse-mask 0.0.0.0 network 33.33.33.0 

Nor does this:

inverse-mask 0.0.0.255 network 33.33.33.0 

... And the neighbor doesn't receive the default route:

(Neighbor)
10.10.10.0/30 dev eth1 proto kernel scope link src 10.10.10.1
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.28

Strangely, the inverse-mask 63.63.63.255 does match 33.33.33.0/24:

inverse-mask 63.63.63.255 network 33.33.33.0 

And the neighbor receives the default route:

(Neighbor)
default via 10.10.10.2 dev eth1 proto ospf metric 20
10.10.10.0/30 dev eth1 proto kernel scope link src 10.10.10.1
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.28

That could be the result of some funky bitmath, but I'm still stumped on it.

Am I missing something on how inverse masks work in this situation? Ideally, I want to learn how to match a single entry, 33.33.33.0/24.
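An added Python example (not from the post) that works through the wildcard-mask bit math: a 1 bit in the inverse mask is ignored, so 63.63.63.255 compares only the top two bits of each of the first three octets, which are zero in 33.33.33.0 and in 0.0.0.0 alike. It checks each of the post's three masks against both 33.33.33.0/24 and the default route 0.0.0.0/0; that the route-map on "originate always" is applied to the default prefix itself, as in Quagga-derived OSPF daemons, is an assumption made here to read the result.

```python
import ipaddress


def wildcard_matches(entry, wildcard, prefix):
    """Standard access-list test with a Cisco-style wildcard (inverse) mask.

    A wildcard bit set to 1 means "don't care": the route's network address
    and the access-list entry are compared only on the bits where the
    wildcard is 0. A standard list looks at the network address alone, not
    at the prefix length.
    """
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    net = int(ipaddress.IPv4Network(prefix, strict=False).network_address)
    ent = int(ipaddress.IPv4Address(entry))
    return (net & care) == (ent & care)


def compared_bits(wildcard):
    """How many of the 32 address bits the entry actually compares."""
    return 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def matching_table(entry, wildcards, prefixes):
    """{wildcard: {prefix: matched?}} for every combination."""
    return {w: {p: wildcard_matches(entry, w, p) for p in prefixes}
            for w in wildcards}


# The post's entry and the three masks it tried, checked against both the
# blackhole route and the default route 0.0.0.0/0 (constructed inputs).
ENTRY = "33.33.33.0"
WILDCARDS = ["0.0.0.0", "0.0.0.255", "63.63.63.255"]
PREFIXES = ["33.33.33.0/24", "0.0.0.0/0"]

if __name__ == "__main__":
    for wildcard, row in matching_table(ENTRY, WILDCARDS, PREFIXES).items():
        print(f"{wildcard:>14} compares {compared_bits(wildcard):2d} bits:",
              {p: "match" if ok else "no" for p, ok in row.items()})
```

Under this model the only mask that also matches 0.0.0.0/0 is 63.63.63.255, the one that made the neighbor receive the default route; 0.0.0.0 matches exactly one network address and is the tightest way to name 33.33.33.0 alone.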



ASA asymmetry problem

Hi all,

I've encountered an interesting issue while setting up a new site today; maybe someone can point me to a solution.

Topology is like this: https://pastebin.com/iPM89YNS

Problem:

There is an ASA that peers with the core switch (SW1) and also has an interface in a VLAN where unknown* devices are. If I try to ping from this subnet using the core switch as the default gateway, the pings fail.

My initial idea was that the issue is caused by the fact that the ASA has an interface in the source subnet but the packet is coming in on a different interface, so I checked packet-tracer: https://pastebin.com/XGs7htKV

There is also a debug icmp output that says my packet is translated in both directions, but packets don't get back to the test device. Based on this, I shut the questionable interface on the ASA and, as expected, it started working. I also changed the default gateway to the ASA; again, it started working.

Setup:

There are more subnets and devices in the topology, but I don't think they are relevant for now. The ASA acts as the default gateway for the core; they are peering through a subnet, running EIGRP. The ASA is NATting the local subnets out to its external interface, and there is a "permit ip any" access-list applied to the interfaces to avoid filtering problems, as well as "icmp permit any...". Other subnets which are not present directly on the ASA are working fine.

*Background:

If anyone is wondering why that client-facing interface exists when the ASA is not their default gateway: an old office was moved, this interface was present and was migrated to the new setup. There are devices in this subnet which are not managed by us (possibly not managed by anyone) and we are not even sure what they are; changing anything on them is practically impossible.

Possible solutions:

1. One workaround that comes to mind is moving the IP from the ASA to the core and shutting that interface, therefore forcing every device on that subnet to use the core to go anywhere, independently of their individual default gateway setting. Not sure what issues this would cause; can't think of any right now.

2. Reconfigure devices on the subnet to use the ASA as the default gateway. This is not really possible as we don't have access, and it would possibly introduce other routing issues.

3. ??

Question:

Does anyone know what exactly causes the issue? I still think the problem is asymmetry, but packet-tracer tells me otherwise. Is there a third, easier way to solve this that I didn't think of?



How heavily are scripts utilized in your environment

What are the most complicated scripts that you had to write or modify at work? I work as a tier 1 network engineer at a power company. I proactively address network issues found in SolarWinds and Cisco BCI, and assist upper-tier network engineers. I made some slight modifications to one of David Bombal's scripts that configures multiple devices and runs the commands from a text file.

The modification I made added the ability to save a list of devices that it couldn't connect to and the reasons, e.g. timeouts, authentication failure, or SSH not being enabled. It saved me days of work when I ran one command on 1000+ devices. Only a handful of the networking people at my employer use Python scripts; I'm surprised that only a few tier 3 engineers use scripts (they configure APICs only using the GUI). Does anyone here work for an employer where scripts are rarely used? If so, what industry is it? The company just hired someone with an extensive background in scripting who will teach other engineers scripting (they'll start next week). Is there a high possibility of downsizing? Lastly, is being able to create scripts only slightly more complicated than those in David Bombal's course sufficient for most network jobs that require scripting?



a good network programming project?

Hey, does anyone have an idea for a new and fun networking graduation project with coding involved?



Netscout firmware/software on Fluke Devices?

Just came across an older Fluke LRAT 2000 and picked it up based on a lot of praise on the 'net. The only concern I have is that the fw/sw version on it is very old - 1.0.6 - and it looks like Netscout is currently at 2.5.4. I have no idea what Fluke Networks' last fw/sw update release was prior to selling to Netscout. And now with the recent news of Netscout selling to another company, I have no idea how long the 2.5.4 download will remain available should I choose to purchase Gold Support, which will likely be ending in the near future anyway... Is there any way to download the non-latest and greatest firmware for free? Thanks.

tl;dr Is it possible to flash Netscout fw/sw on older Fluke devices (Netscout LRAT2000 fw/sw to Fluke LRAT2000?)



ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

There's a proposal to make BGP hijacking a policy violation. The real question is whether a "policy violation" has teeth and is more than a slap on the wrist. Looking at the ARIN Agreement, it looks like this might fall under 2(d), Prohibited Conduct By Holder.



What exactly could happen that would stump "multiple engineering firms"?

https://www.heraldmailmedia.com/news/local/antietam-still-reporting-internet-phone-trouble/article_31ff8e00-3306-520b-83e4-e9fbba407005.html

Antietam still reporting internet, phone trouble

External influences have been confirmed as the reason behind the disruption of Antietam Broadband internet and phone services, according to Brian Lynch, president of Antietam Cable.

Lynch declined to specify the number of customers, but said that as of 5 p.m. Friday, Antietam Broadband was still reporting that 18 percent of its customers were affected. The outage started at about 7:30 p.m. Wednesday. Cable TV service has not seen any disruption.

"There's no common pattern at all" to the outages, Lynch said Friday morning. In some instances, for example, one customer might have service while another nearby does not. Residential and business customers have been affected, he said, as have multiple types of devices.

"If it was a normal outage, it would have been fixed yesterday. ... There's a lot of redundancies built into our system, but all of those are affected," he said.

Redundancies are put in place so companies like Antietam can continue service when part of the system is disrupted.

Multiple engineering firms have been called in to work on the problem, Lynch said.

"They've never seen anything like this, either," he said.

At 7:52 a.m., Antietam posted another update to its website at https://myactv.net/network-status/.

That update reported, "We continue to experience an outage with Internet and Phone services. This outage is still creating an overload of our phones and other response systems, so you may not be able to get through or may experience long wait times.

"Our Engineering team along with other Engineers from around the country continue to work on this issue. This has obviously proven to be a very complex and difficult issue to resolve, but all involved are working around the clock to resolve (it)."

The company said it will offer credit to affected customers once the situation has been resolved. On Thursday, the company said some customers found that a local reset of their modem and a power cycle temporarily may bring their service back.



Test new config in IOS - timer to revert changes

I have inherited a couple of routers but I am a sysadmin and I have a very basic knowledge of configs.

I have to stop spam calls reaching our PABX system so I have been given a bunch of IPs to allow and block everything else.

I have the ACLs ready, but before I paste them in conf mode I was wondering if I could set a kind of timer on the router to revert to the startup-config, so that what I set in the running-config can be tested. I am asking because I think I saw a colleague do that once.



Friday, April 26, 2019

Fair price for laying conduit for fiber install in Canada?

http://bit.ly/2L3YmOJ

Cisco CCDP

Anyone here hold CCDP? If so how did you study for it?

I'm booked onto a 5-day residential course for the beginning of May, paid for by my employer, but I want to get started with my studies now to make the most of it.

I have CBT Nuggets and the official cert guide. Will that suffice in conjunction with the course? I hold CCNP R&S, so it's just the ARCH exam to take.

I don't have CCDA yet but the plan is to double back on the cert path and take that on my own dime.



How do you downgrade firmware on a Ruckus 7150 switch?

I have several Ruckus ICX-7150-C12P switches, and I'm having some issues with ports disappearing, or general stability:

https://www.reddit.com/r/networking/comments/bfxsd6/ruckus_7150_port_always_goes_down_2_minutes_after/

It's currently running 08.0.90a, but somebody pointed out that the recommended current release is 08.0.70d, so I thought perhaps downgrading to that version might help.

However, I can't seem to downgrade via USB. Copying over the primary flash works:

ICX7150-C12 Router#copy disk0 flash SPR08070d.bin primary
ICX7150-C12 Router#Load to buffer (8192 bytes per dot)
....................[...]....................
SYNCING IMAGE TO FLASH. DO NOT SWITCH OVER OR POWER DOWN THE UNIT(65536 bytes per dot)...
....................[...].................... Copy Done.

However, when I then try to copy the bootloader, I get an error:

ICX7150-C12 Router#copy disk0 flash mnz10114.bin bootrom 

Invalid input -> bootrom Type ? for a list

It would seem bootrom is no longer a valid option?

ICX7150-C12 Router#copy disk0 flash mnz10114.bin
  client-certificate        client RSA certificate
  client-private-key        client RSA private key
  file                      Copy file to flash
  fips-primary-sig          Primary signature file
  fips-secondary-sig        Secondary signature file
  fips-ufi-primary-sig      Primary ufi signature file
  fips-ufi-secondary-sig    Secondary ufi signature file
  local-pri                 Primary code image on the local unit
  local-sec                 Secondary code image on the local unit
  primary                   Primary code image
  secondary                 Secondary code image
  trust-certificate         SSL Trust certificate

Is this related to my moving to a UFI firmware image?

If so, how can I safely downgrade to 08.0.70d?



What's your opinion of people who are only in it for the money, after a certain point in their career?

Like some people IRL I've talked to keep saying "the only people who are making the big bucks are the ones who are really passionate. If they didn't love IT they wouldn't be that far and wouldn't be making that much."

What do you all think of this? Is passion really that important for your experience? How many of your supervisors and managers (I'm talking about the ones who are competent and not morons) do you think got their position because of passion and love?

Are you a person who says "Fuck passion, this is a job that pays the bills, and I'm reasonably competent, all that other stuff is just extra."



What's Your Backup Plan for Automation?

I was curious. All you guys doing network automation for entire sites: what do you have in place to recover from a bad configuration taking down your WAN access to that site? Are you using an out-of-band connection to push these configs?

Currently none of our sites have a true OOBM network. We do have a console server that connects to all of our devices, but if the WAN router at that site lost connection then we wouldn't be able to access it.



EEM script to execute on switch reload NX-OS

Hi All

I was wondering whether anyone has some information on how to execute an EEM script on a switch reload before the ports can start forwarding. Effectively the problem is that the host ports start forwarding before the BGP session is established, and I would like the script to shut down the ports immediately, before they can start forwarding. Only when the BGP session is established can the host ports be unshut.

Any advice on this please?

event manager applet interface_Shutdown
  event syslog pattern " VDC_MGR-2-VDC_ONLINE: vdc 1 has come online"
  action 1.0 cli command "config t"
  action 2.0 cli command "interface eth1/1-10"
  action 3.0 cli command "shutdown"
  action 4.0 cli command "end"

I don't know how EEM will be able to execute this in time before the reload is completed.

Any help would be much appreciated.



Anyone work with FS.com?

I recently ordered some 7M Customized LC/SC/FC/ST/LSH 4-24 Fibers OM4 Multimode Fiber Optic Pigtail #21236 in a cable type of bunch, fiber count 24 fibers, LC connector UPC, LSZH cable jacket, and 2.0mm diameter. I just received half of them today and one end has LC connectors on it and the other end looks like someone just cut the end off the cable (no jacks or anything). Surely this isn't right, is it? I was pretty sure I was ordering a cable with 24 LC connectors on both ends to hook up to a 12x LC Duplex 24-fibers OM4 Multimode FHD Fiber Adapter #41998 in two different racks landed in a fiber patch panel.

https://www.fs.com/products/21236.html

https://www.fs.com/products/41998.html

https://www.fs.com/products/34684.html



Why can I connect to other clients of my ISP's routers?

So I recently discovered that I can connect to other people's routers that use my ISP. I could log in like I can log in to mine and change passwords etc. This was not possible with my old ISP. How does something like this happen? I could also connect to a FreeACS server, a monitoring server, the staff's printer and some security cameras.



Implementing QOS for a particular protocol

Hi all,

I'm looking at implementing QOS on a medium sized network comprised of around 10 switches. All switches are Cisco and there are a pair of L3 switches that handle the routing using VRRP.

My plan was hopefully quite simple: there is just a particular protocol (CIP, for industrial network traffic) that I want to give maximum priority to; the rest of the traffic on the network I would just want to be processed using the standard queue.

What is the best way for me to achieve this? It's worth noting that this type of traffic (CIP) could come from any of the switches and from various ports; it's not really feasible for me to try to determine which ports are connected to industrial devices that utilise CIP, so I was hoping to configure something globally that would be relevant for any switch port.

Have I missed anything? Am I going about this completely the wrong way? I'd welcome any guidance and advice at all.

Thanks in advance



A Bit Over-My-Head Creating a Bridge

Apologies up front if this is painfully 100-level, but I'm at a point where I need to toss to folks with more experience.

I'm a mostly-not-network-focused IT / AV / webdev guy working for a high school. Most networking stuff is handled by a dedicated team, but they're a) overstretched and b) partly created the mess I'm trying to fix, so I'm trying to handle this myself.

Here's the scenario: we have an HVAC-type device that has remote-monitoring capability through a wired Ethernet connection. It's in a very inaccessible location with no Ethernet ports. We contacted our Network team, and they installed a wifi repeater instead of an Ethernet jack in the room. The device does NOT have wifi capability.

So, trying to be clever, I am trying to use an OpenWRT-loaded router to bridge the connection. I have the first steps working: the router connects to our WiFi, and if I plug a PC into the router, I have internet access and can ping local static IP devices on the wired network.

What I need is to assign a static IP that another PC on the network can use to reach the HVAC controller. I can't figure out quite how I manage that. The router itself is receiving an IP from DHCP, and I can ping that from a computer on our main network. But I can't communicate to the PC behind the router.

I'm at the point, obviously, where my knowledge of even the terms to search for is running dry. Any help would be appreciated.



Looking for help with Radius on HPE Comware

Hey All

We have a challenge where we need to set up RADIUS-backed authentication on our HPE FF 5940. It's just so drastically different from Cisco and even their other HP Aruba devices that we are facing a challenge. We need to have local auth as the failback if RADIUS is not available.

Does anybody have experience doing this who can assist?

Software Version

HPE Comware Software, Version 7.1.070, Release 2508

Copyright (c) 2010-2016 Hewlett Packard Enterprise Development LP

HPE FF 5940



CISCO SW temperature

Please shed a little light on this problem I'm having. We have some Cisco switches that get this reading for: sh env temp

Switch 1: SYSTEM TEMPERATURE is OK
Inlet Temperature Value: 51 Degree Celsius
Temperature State: YELLOW
Yellow Threshold : 46 Degree Celsius
Red Threshold    : 56 Degree Celsius

Hotspot Temperature Value: 69 Degree Celsius
Temperature State: GREEN
Yellow Threshold : 105 Degree Celsius
Red Threshold    : 125 Degree Celsius

The inlet is halfway into YELLOW territory, but the hotspot value is not near the YELLOW threshold. Should I be worried?

I do not get SNMP traps, although they are configured.

CISCO data sheet has this:

Operating temperature

Normal operating temperature* and altitudes:

● -5°C to +45°C, up to 5000 feet (1500m)
● -5°C to +40°C, up to 10,000 feet (3000m)

Anyone have experience with this? Thanks



HLD's and LLD's Documentation Templates/Examples

Hey all!

I've been asked to create HLD and LLD documentation, but does anyone know of any good templates or examples giving ideas of what should be in each and how they should be formatted? This is a completely new thing for me!



Am I crazy to think this should work?

First the disclaimer: I am a software (Linux, OpenStack, etc.) person not a networking person. Perhaps that's causing me to miss something that's incredibly obvious to folks that are more immersed in this field.

Anyway, I have recently taken over responsibility for my team's small lab - 2 blade chassis with 16 blades, 2 pizza-box servers, and 3 switches. To date, we've used the classic lab "security" technique of a single, shared root/admin password. Changing this is my current project.

I've set up LDAP authentication for our servers, CMCs, and BMCs, and I've also got the switches authenticating SSH logins via FreeRADIUS. One of the switches is a Juniper EX4600, and I've been able to set the "class" of RADIUS-authenticated users by configuring FreeRADIUS to send an appropriate Juniper-Local-User-Name VSA.

The other two switches are stacked Dell S3048-ONs. According to Dell's documentation, I should be able to set the privilege level of a RADIUS-authenticated user by sending a Force10-avpair VSA. Note, however, that the numeric ID of that VSA is not documented anywhere. I've tried using 1, which is used for both Cisco-avpair and DellEMC-avpair (the latter according to Wireshark); using ID 1, the VSA has no effect.

Dell support has thus far proven to be utterly clueless. They've tried to pawn me off by claiming that they don't support FreeRADIUS (what RADIUS server do they support?), and they've referred me to documentation for an ancient Powerconnect switch that uses a totally different NOS. (The Service-Type RADIUS attribute in that document didn't work either.)

This whole situation leads me back to my original question - Am I just crazy to expect this to work?

And some corollaries:

  • Is centralized authentication not normally used in the networking world?
  • Does anyone actually use Dell/Force 10 gear? (I know it's not the most common brand out there, but they keep making it, so someone must be buying it, right?)
  • Is Dell/Force 10 gear really just hot garbage?

Thoughts, rants, shared pain, etc. all appreciated ...



WiFi site survey company in NYC

Anyone know of a good company that will come to our office in lower Manhattan to run proper WiFi scans and site surveys and do it right? I’m talking true analysis of the spectrum over multiple days, etc. We have TONS of issues where we are. Very densely packed area with lots of radar interference from nearby heliport and boats. Fun times overall. We’ve tried different manufacturers for WAPs even and still really inconsistent and spotty results. It’s day by day.

Thanks



Getting IPv6 address with an IPv4 address?

Hi. I am working on an application that pulls the client IP address, and checks Wi-Fi RF health against our wireless controllers based on the client. I am able to get the client's IPv4 address, but the issue is that sometimes only an IPv6 address shows up in the controller, so I am having a bit of trouble searching the controller for the client since I only know the IPv4 address. I am able to ping the IP and get the MAC address via arp, but haven't been able to figure out how to go from IPv4/MAC to discover their IPv6 address. Could anyone point me in the right direction for that? I've tried a few tools like ping/fping, arp/ndp, dig, nslookup, etc, but nothing seems to give the info I need. Thanks in advance for any assistance!!



Linux Networking Tutorial?

Does anyone have a good Linux networking tutorial that I could read through? I'm currently in a position where a lot of Linux networking is being applied via Red Hat, and it is taking me so much time to troubleshoot problems that are quite simple once you know the right commands.



Encoding information in IPv6 addresses (I did it)

Just wanted to follow up on a post that I submitted a few months back.

I ended up doing it, because I couldn't really see a reason not to. So I wanted to get something visible out there in case anybody else has a similar question in the future.

Now, I want to clarify a few things that people brought up in the last thread.

1) I did this to ease automation. Basically to create a unique host portion of the address. So, essentially the same idea as EUI-64. Why not just use EUI-64? Well, because I would have had to program the command to assign an EUI-64 address and segment prefix anyway, and putting the logic in there to create a unique static address with a bit of meaning encoded in it was just a tiny bit more work. And also the addresses are shorter, not that that matters much.

2) I didn't mess with subnet length or anything like that. The only portion of the address I used was the host portion. All subnets stayed /64s.

3) I didn't do this as some weird way of getting around using meaningful DNS. I still have the addresses in DNS and I rely on DNS for virtually everything.

4) I only did this for network devices. Hosts and servers still use SLAAC.

I ended up encoding the information into the last field of the host portion of the address instead of the first one like I had initially planned. What I got out of this is simply a way of automating IP assignment for network devices without having to make arbitrary decisions like which device takes the first address on a point-to-point segment. It also avoids the issue of having to keep track of incrementing numbers for things like access switches.

We use a naming scheme like [site_code][zone][device_type][number] for our network devices. Zone describes whether it's internal, external, transport, WAN-facing, etc. Device type is basically rtr, sw, or fw. So I picked a hex digit for each zone type and another hex digit for each device type and then kept the number as the final two digits of the last hextet. So a device like sfo3wrtr02 (WAN router #2 at a site called SFO3) would get an address like 2001:db8:3::2302. Another device, zrh1isw14 (internal switch #14 at a site called ZRH1), would get an address like 2001:db8:2a::1214. The zone mappings I used are pretty much arbitrary, but the device types are 2 and 3 for layer two and layer three devices, respectively. You could use whatever fits with your naming scheme though.

So anyway, it seems to work just fine, and I have the added (very marginal) benefit of knowing what sort of device it is in the (rare) situations where I only have an IP address to work with. It's also kind of nice that every interface of a single device has the same last hextet.
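The scheme described above, carried through as an added example (not the poster's own automation): parse the device name, build the last hextet from the zone digit, the device-type digit and the two-digit unit number, place it in a /64, and decode it back for the "only have an IP" case. The zone table beyond i/w, the firewall digit and the exact name pattern are assumptions.

```python
"""Encode a network device's role into the last hextet of its IPv6 address.

Added example following the post's scheme: [site_code][zone][device_type][number]
-> one hex digit for the zone, one for the device type, and the two-digit unit
number, all in the last hextet of a /64 segment. Anyone who sees the address can
decode it, so treat this as a convenience, not as any kind of protection.
"""
import ipaddress
import re

# Zone letter -> hex digit. Only 'w' (WAN-facing -> 2) and 'i' (internal -> 1) can
# be read off the post's two examples; the other entries are constructed here.
ZONE_DIGITS = {"i": 0x1, "w": 0x2, "e": 0x3, "t": 0x4}
# Device type -> hex digit: 2 for layer-two and 3 for layer-three devices, as in
# the post. The firewall digit is an assumption.
TYPE_DIGITS = {"sw": 0x2, "rtr": 0x3, "fw": 0x4}
# Assumed name shape: three-letter site code plus a digit, one zone letter, a
# device type, and a two-digit unit number (e.g. sfo3wrtr02, zrh1isw14).
NAME_RE = re.compile(
    r"^(?P<site>[a-z]{3}\d)(?P<zone>[a-z])(?P<dtype>rtr|sw|fw)(?P<num>\d{2})$"
)


def parse_name(name):
    """Split a device name into (site, zone, device_type, number_as_text)."""
    m = NAME_RE.match(name.lower())
    if not m:
        raise ValueError("device name does not follow the naming scheme: %r" % name)
    return m.group("site"), m.group("zone"), m.group("dtype"), m.group("num")


def host_hextet(name):
    """16-bit host value for a device name, e.g. sfo3wrtr02 -> 0x2302.

    Layout of the last hextet: [zone digit][type digit][two digits of the number].
    The unit number keeps its literal digits ('14' -> 0x14) so it stays readable
    in the address instead of being converted to hex.
    """
    _, zone, dtype, num = parse_name(name)
    return (ZONE_DIGITS[zone] << 12) | (TYPE_DIGITS[dtype] << 8) | int(num, 16)


def device_address(name, prefix):
    """Address for `name` on the /64 `prefix`; every interface of one device gets
    the same last hextet on its own segment."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("scheme assumes /64 segments, got /%d" % net.prefixlen)
    return str(net.network_address + host_hextet(name))


def decode_address(address):
    """Reverse mapping: (zone, device_type, number), with None for a field that
    does not decode under the tables above."""
    last = int(ipaddress.IPv6Address(address)) & 0xFFFF
    zone = {v: k for k, v in ZONE_DIGITS.items()}.get(last >> 12)
    dtype = {v: k for k, v in TYPE_DIGITS.items()}.get((last >> 8) & 0xF)
    try:
        num = int("%02x" % (last & 0xFF))  # 0x14 -> '14' -> 14
    except ValueError:                      # hex a-f never occurs in a unit number
        num = None
    return zone, dtype, num


if __name__ == "__main__":
    for name, prefix in (("sfo3wrtr02", "2001:db8:3::/64"),
                         ("zrh1isw14", "2001:db8:2a::/64")):
        addr = device_address(name, prefix)
        print(name, "->", addr, "->", decode_address(addr))
```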



Can't connect to device on another subnet

I have a device on one subnet / VLAN that is reachable by everything on its own local network, but not by computers on another subnet / VLAN. Even though these computers can reach everything else on the other subnet / VLAN, just not this one thing.

I was able to connect to the problem device and change the default gateway, which was wrong, so I thought that would fix it - but it did not fix the issue. I can't even ping the device from another network (but can from local).

Is there something obvious I'm missing? At this point I'm wondering if the gateway changes saved like they should have. This device is pretty simple (and ancient) so it wouldn't have a firewall or IP restrictions or anything, I wouldn't think.

Thanks for any insight you might have.



Providing Wifi as a service - Design and configuration understanding

Hello /r/networking people, I really need your opinion!

While preparing to build a multi-tenant Wi-Fi platform (for a service provider), I would like to understand the configuration and design aspects well before getting into all the advanced steps. I hope you guys can help me understand this very well.

As you guys may know, managing such a service is a nightmare if not well designed, so, as far as I know, we can follow the following logic:
each client (restaurant, shop, etc.) asking for Wi-Fi as a service can have multiple APs grouped in the same AP group at the controller level. Those APs only need the public IP address of the controller to reach it; the controller will identify each AP based on its MAC address and AP group to send the appropriate configuration for that client.

In my opinion we can use the same DHCP scope for all the clients (or make it larger if the client count is really high).

WLAN interfaces will be used to identify clients locally (controller side) and include the AP group and SSID dedicated to that client.

We use Cisco platforms so the controller used in this solution may be, for example, a 5840.

Well, I know all of this may look simplistic to most of you; I'm just sharing my thoughts and want to be corrected and put on the right path.

Sorry for my bad wording

Thanks guys



OOB Management gear for remote sites

So I'm looking for a way to centralize OOB management, and am looking at gear. We've got some very remote sites and I don't want to have someone fly out there if the connection goes down. These sites belong to multiple different customers, so ideally I'd want some kind of centrally managed multitenant capable environment.

I've been looking at OpenGear, which looks nice, but I was wondering if anyone here has any suggestions as to alternatives and/or share some experiences.

tnx



Read only Friday: Some love to AppDevs. What's your fav app-tool & WHY?


ASA PCAP and Voip woes

We have an office which has intermittent outbound voice issues. Users within the office make a call and randomly the external recipient cannot hear the internal user - it will be OK, then drop, then come back, during the call.

I carried out a capture on the firewall on the inside and outside leg. Internal was fine, but external capture showed the momentary silence from the inside user.

Does this mean it's not leaving the firewall? Or is there another explanation? Can it leave the firewall but not get caught in the packet capture?



Setting up viptela lab, issues with vbond

I've been working at this for a while now, and I cannot get the vBond device to work. I've been following this guide: https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Viptela_Overlay_Network_Bringup/04Deploy_the_vBond_Orchestrator/04Add_Additional_vBond_Orchestrators

I go to devices > controllers and add the vBond. That part seems to work; it's obviously able to contact it since it can pull the UUID. I also see via CLI on the vBond that it has configured an organization name. So I go on to attaching a template to it; I get to the end of that process and just get "scheduled, device is offline". vManage and vBond can ping each other, but I can't figure out why vManage thinks vBond is offline.
The guide I've been following seems a bit out of date so I've gotta be missing something. Any ideas?



List of IPs for a domain

Question: (How) can I find out a full up to date list of IP addresses for a particular domain?

Detail: I know about ASNs and how they translate to a list of IPs. But for example the published ASNs for Ebay which are here https://bgp.he.net/search?search%5Bsearch%5D=ebay&commit=Search don't provide a comprehensive list. For example I can do an nslookup on ebay and get the first 2 hits of: 66.135.209.52 & 66.211.185.25, neither of which are covered by the ASNs. So I'd really like an up to date list of Ebay's (or anyone's) IPs.

If you're interested, this is for firewall blocking.



NetBox and Napalm Integration

I've been trying to get my NetBox deployment up and running with the intent of using the device features (status, LLDP neighbors, etc.). Every time I attempt to use them I get an error message saying the device cannot be reached.

I made sure to include the Napalm arguments in the netbox config - napalm_username, napalm_password, allow_agent, and secret.

I've read over documentation for both Napalm and NetBox multiple times, but I'm still missing something. Does anyone here have any insight or pointers?



Please help with VLAN and modem issue

Hi guys,

I am a bit stuck with the setup and wondering if you could point out where I went wrong in this.

Basically, I have a Linksys switch split into two VLANs. Both VLANs are connected to one router but only VLAN 1 is working. VLAN 2 is absolutely not seeing the modem at all. I cannot even ping the modem from VLAN 2.

Cable is working just fine.

This network layout is temporary only. Usually each VLAN has its own modem/router so it does not share the same modem. It was working fine until two modems failed today, so I switched to the backup modem.

I know it's not the best set up but that's how my boss wants it. No argument to that. :/

You can see the diagram in the link.

https://imgur.com/s8TTMWJ

Thanks a lot for your help guys



Thursday, April 25, 2019

I really want to love Pockethernet

It seems so damn cool, I like innovative techy shit like this. Same reason I like Unifi so much. But the whole idea is based around using an app, and the app looks like it's from Web 1.0 and even gives an error message that it was built for an older version of Android. It hasn't been updated since 2017.

I know the point of network troubleshooting isn't to have pretty UIs but I just wish they put a little more effort into UX and keeping the app updated.



Routing for Satellite constellations

So has anyone seen any good papers on any new routing protocols for constellation networks. With all the movement it seems standard routing protocols won’t cut it anymore and something new may need to be developed.



VLAN tagging / untagging

I’m trying to set up a VLAN but am confused on the whole tagging / untagging. The endpoints seem easy - it’s the middle I’m confused with.

At the furthest edge of my network I have an Ubiquiti AP which will tag packets from a specific SSID as VLAN 3 and the other SSIDs will be VLAN1.

The other end is an Ubiquiti router with a VLAN 3 interface with different firewall rules from VLAN1.

The middle is where I get confused. The router is plugged into Switch A port 1 which is uplinked from port 2 to Switch B port 3 which connects to the AP on port 4. Both switches are TP-Links which support VLAN / 802.1Q VLAN.

So basically:
Router to A1 to A2 - uplink - B3 to B4 to AP

I want VLAN3 to only work on the ports above - but how do I allow VLAN3 and VLAN1 traffic to arrive and leave with the same VLAN number? Tag/untag makes no sense here. What am I missing?

I just want all the other ports to reject VLAN3 traffic... Here’s the tplink doc on this.

Thanks!



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Power/SCADA Eng here looking for HSR mesh ring advice.

Feel free to delete if this is a bad forum for this.
Our client has a large substation, +60 devices, 50 of which are protection IEDs. They want to do HSR mesh rings. I've heard only about 10 devices on a single ring (100MB ports). Can I use Quadboxes to create two independent LANs. For example, two QB, QB-A, QB-B, on each IED ring and then ring the A and B Quadboxes into separate LANs?



Juniper link lights on the computer but down on the switch

So it's a fiber NIC. Fiber looks good and passing light. I have link lights on the device but it's not showing on the switch. I'm a Cisco guy working a Juniper switch and I'm utterly stumped. It shows physical link down. The link lights will disappear after about 5 mins. Thoughts?



ACLs with fragments

How does traffic get filtered in regards to fragmented packets? Since the SRC and DST tcp/udp port is only a part of one of the packets that are fragmented, how are the others allowed? Do firewalls with inspection deal with this differently than standard ACLs on a router?



Business Network Project Inquiry

I was asked to extend the network of my company so we can get access to our Wi-Fi network. We are small and only have 1 wireless AP currently. After some research I believe that we could add another access point with the same SSID and security settings as the first AP; then it should look like one network as a whole, switching from one AP to the other seamlessly.

My question is: Am I understanding the above correctly? Does it matter if the network is hidden (not broadcasting the SSID)? Does it also matter if the security is WPA2-Enterprise?

Just trying to learn on the fly and confirm what I suspect to be correct. Any advice would be awesome. Thank you!



DNS U-Turn Issues

Greetings,

I have two data centers with different public ip blocks. When users in DCA try accessing public resources in DCB (public ip static nats to private dmz servers) there are no issues. When users in DCA try accessing public resources hosted in DCA, connectivity fails. The reason we want DCA resources accessed publicly instead of internally is a long story, but security-related.

To me, it sounds like I have a DNS U-Turn problem. Is DNS doctoring the right solution? Also, will I need to allow my access policies to access the private address or the public?

Thanks!



MPLS over DSL on Cisco C1117

I was recently tasked to upgrade 14 CPE routers from old C800 series to C1117s as the older devices could no longer keep up with circuit bandwidth upgrades.

Me being naive, I thought it was going well after the first 5 circuits, till I came across upgrading the first of the FTTC circuits, that is.

The setup we have for this particular client is using multi vrf on the CPE with MPLS integrated into our core using iBGP as a routing protocol.

The first thing I noticed after the upgrade was that the router was not learning BGP routes. After lots of staring, swearing and playing around, my colleague realised that the only way to bring up BGP and LDP on the CPE was to remove the static /32 to the MPLS first hop.

Once removed routes and labels were learnt as normal. However, without the route, MPLS cannot be forwarded to the first hop.

This brings me to a chicken and egg scenario I just cannot get my head around.

The only difference we can actually see is a dialler layer 2 MTU reduction of 8 bytes between the models that cannot be increased.

The router config is almost a direct port from the C880 to the C1117 and has worked perfectly for all the EAD circuits.

Does anyone have any ideas what may be happening here that would affect the newer routers? Are we just blindly missing something?

This has effectively brought all our upgrade projects to a halt as the new devices are not fit for purpose till we can fix whatever is happening here.

I know I have probably not explained this very well but I am more than happy to answer questions.

Thanks all!



Virtual router options

Need to virtualize OpenWRT to support SQM for a 250/250 Mbit connection - here's more info about how to run OpenWrt on x86 hardware: https://openwrt.org/docs/guide-user/installation/openwrt_x86

Gadgets at my disposal:

  • 1x Intel I219V as part of Asus Z390-F (virtualization host)
  • Intel E139761 D33025 Dual Port PCI E Network Card
  • Netgear Prosafe GS105 (dumb switch)
  • Ubiquiti ER-X (router / ?)

Software:

  • Proxmox w/ KVM virtualization

Option #1 - Pass-through of Dual Port PCI E Network card to VM

Connect the cable from the internet to one of the ports of the passed-through NIC. The other passed-through port is connected to the Netgear GS105 switch, which is also connected to the Intel I219V and the rest of the LAN.

Pass-through is tagged as "experimental" in Proxmox even though there's GUI support. How reliable is it?

Option #2 Bridge w/ virtio-net drivers

Don't know if OpenWRT supports this option since it puts requirements on the kernel in the guest, or if this is even an option at all, but the idea is something like: connect the Internet to one of the NICs, and use a virtual bridge for the other two NICs to connect the NIC used for the LAN VLAN in the virtual router with the last NIC.

Option #3 - physical install

I actually have access to a physical server as well. A quad core L5440 with 6 GB of DDR2 RAM. Should I simply install the router in this setup instead?

Better options?

Virtual Router General Do's and Don'ts

  • The host will boot faster than the virtual router, and to prevent a dependence on DHCP assignments, good practice is to use static IPs for important hosts - such as the virtualization host
  • More..?

EDIT #1: Added physical option



Which link does a frame/packet go on in link aggregation (Extreme/Enterasys)

Is it possible to see which link a frame traverses in a link aggregation? I have an Enterasys S8 that has two aggregated links that lead to two extreme X670-G2 stacks. They are interconnected and the links to the S8 are an MLAG on the extreme side.

It seems that I lose packets that traverse the LAGG between the S8 and the Extreme X670-G2. To further pinpoint the problem it would be helpful to understand which physical path the frames take.

If that isn’t possible I would have to deactivate ports in the LAGG. I try to avoid that as it could be interruptive.



Cisco from online marketplaces.

If I buy Cisco refurbished devices online for training purposes and build my lab, is that OK or not?

I mean, will there be an issue with the Cisco Service Team because I did not register the devices, or what is the deal?

I do not want to invest in the equipment and then all of a sudden Cisco blocks the IOS or something like that happens.

Please advise!



TextFSM and Netmiko outputting to CSV file

Hey guys,

First, bear in mind that I'm still learning Python and by no means am I in my comfort zone, but I'm hoping to learn and move forward.

I've decided to work on some of my needs by having a script that performs various checks. One of them is to report "show cdp neigh detail" and document the IP + MAC + type of device connected to it (mainly APs, running on Aruba and HP devices). I've got my TextFSM template working.

I already have a Python script that reads the output from a file, runs TextFSM on it and returns a CSV file, which is pretty handy; however I'm aiming for an all-in-one script and want to eliminate the need to save the output of the switch to a .txt file.

So far I have this def() created, however I'm unable to get it working:

    def cdp():
        # use_textfsm=True makes netmiko apply the template itself and return a
        # list of dicts, not the raw text (see the printed output below)
        out = conn.send_command("show cdp neighbors detail", use_textfsm=True)
        print(out)
        input_file = out
        raw_text_data = input_file
        template = open("/root/ntc-templates/templates/hp_procurve_show_cdp_multiple.template")
        re_table = textfsm.TextFSM(template)
        # parsing the already-parsed list a second time is where the traceback comes from
        fsm_results = re_table.ParseText(raw_text_data)
        outfile_name = open("outfile.csv", "w+")
        outfile = outfile_name
        print(re_table.header)
        for s in re_table.header:
            outfile.write("%s;" % s)
        outfile.write("\n")
        counter = 0
        for row in fsm_results:
            print(row)
            for s in row:
                outfile.write("%s;" % s)
            outfile.write("\n")
            counter += 1
        print("Write %d records" % counter)

but the script return:

    [{'plateform': 'Cisco IOS', 'hostname': '', 'ipaddress': '172.27.254.210', 'port': '48', 'address': ''}, {'plateform': 'Cisco IOS', 'hostname': '', 'ipaddress': '172.27.254.210', 'port': '48', 'address': '24 e9 b3 a0 c8 80'}]
    [{'plateform': 'Cisco IOS', 'hostname': '', 'ipaddress': '172.27.254.210', 'port': '48', 'address': ''}, {'plateform': 'Cisco IOS', 'hostname': '', 'ipaddress': '172.27.254.210', 'port': '48', 'address': '24 e9 b3 a0 c8 80'}]
    Traceback (most recent call last):
      File "netpy.py", line 209, in <module>
        cdp()
      File "netpy.py", line 80, in cdp
        fsm_results = re_table.ParseText(raw_text_data)
      File "/usr/local/lib/python2.7/site-packages/textfsm.py", line 882, in ParseText
        lines = text.splitlines()
    AttributeError: 'list' object has no attribute 'splitlines'

Notice at the top that Netmiko returns the output formatted using my TextFSM template, but it fails on fsm_results it seems.

Not sure if anyone could help me figure out what could be wrong.

thanks guys
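What the traceback above shows is that `send_command(..., use_textfsm=True)` already returns a list of dicts, so feeding it to `ParseText()` a second time fails. The following is an added example, not the poster's script, of writing that structured output straight to CSV; the sample rows are constructed from the post's printed output, and `conn` is assumed to be a connected netmiko `ConnectHandler`.

```python
"""Write netmiko's TextFSM-structured 'show cdp neighbors detail' to CSV.

Added example. With use_textfsm=True, netmiko applies the template itself and
returns a list of dicts (one per neighbour); parse the raw text with textfsm
yourself OR let netmiko do it, never both.
"""
import csv
import io

# Constructed sample: the list that conn.send_command(..., use_textfsm=True)
# printed in the post.
SAMPLE_ROWS = [
    {"plateform": "Cisco IOS", "hostname": "", "ipaddress": "172.27.254.210",
     "port": "48", "address": ""},
    {"plateform": "Cisco IOS", "hostname": "", "ipaddress": "172.27.254.210",
     "port": "48", "address": "24 e9 b3 a0 c8 80"},
]


def rows_to_csv_text(rows, delimiter=";"):
    """Render structured rows as CSV text; the header is the first row's keys."""
    if isinstance(rows, str):
        # netmiko falls back to the raw text when no template matches the
        # command/platform; fail loudly instead of writing one garbage line.
        raise TypeError("expected structured rows, got raw text (no template matched)")
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()),
                            delimiter=delimiter, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def write_csv(rows, path, delimiter=";"):
    """Write rows to `path` and return the number of records written."""
    text = rows_to_csv_text(rows, delimiter)
    with open(path, "w", newline="") as fh:
        fh.write(text)
    return len(rows)


def parse_with_template(raw_text, template_path):
    """Alternative for a template netmiko does not find on its own: run textfsm
    on the RAW output (send_command called without use_textfsm)."""
    import textfsm  # assumed installed; only needed on this path
    with open(template_path) as fh:
        table = textfsm.TextFSM(fh)
    return [dict(zip(table.header, row)) for row in table.ParseText(raw_text)]


def cdp_to_csv(conn, path, template_path=None):
    """The poster's cdp() without the second parse. `conn` is an assumed
    connected netmiko ConnectHandler."""
    if template_path:
        raw = conn.send_command("show cdp neighbors detail")
        rows = parse_with_template(raw, template_path)
    else:
        rows = conn.send_command("show cdp neighbors detail", use_textfsm=True)
    return write_csv(rows, path)


if __name__ == "__main__":
    print(rows_to_csv_text(SAMPLE_ROWS), end="")
    print("Wrote %d records" % write_csv(SAMPLE_ROWS, "outfile.csv"))
```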



What do people use traceroute/tracert for a regular basis?

I attended an academic research workshop where a lot of talks used traceroute as part of their investigations. I don't use traceroute that much, mostly relying on other tools.

It got me thinking that maybe I could do more with traceroute to help diagnose problems either inside or outside of our network. Anyone who uses traceroute regularly, what types of things do you use it for?



Intermittent network issues reported

I have a client who is reporting intermittent network slowness on a metro ethernet connection and I'm at a loss as to what the issue may be. They have 2 satellite offices that primarily send traffic into their central office, and both sites report slowness at the same time, so my guess is whatever is going on is affecting the central office. The ISP says they're not seeing any issues. I don't see any issues. Interface details all look good: there are no dropped packets, no fragments, no errors. Wireshark between nodes during testing doesn't show anything that stands out, but we haven't been able to test during times the issues are present. There were a couple things I noticed while testing that I don't think would cause an issue, but I'm not sure.

1) we're running Jumbo frames at the central site, it was originally configured for the iSCSI VLAN and due to some issues with our fiber SFPs, we swapped ports between VLANs and thus everything eventually ended up with jumbo frames enabled - and stayed that way. My question with this is, since the metro ethernet connection doesn't have jumbo frames enabled could that cause intermittent speed/latency issues? I assume if there are fragmented packets causing problems it would not be intermittent.

2) Sort of related to #1, while using iperf to test nodes across the metro ethernet connection TCP traffic on a single connection was limited to 100mbps but running parallel connections would get up to their advertised 300mbps. Any ideas as to why this would be? UDP testing showed significant jitter >1200ms and I was unable to run parallel UDP connections - I presume it was just timing out because the test just never started despite letting it sit for 10+ minutes. Ideas as to why?

3) I ran an extended iperf (5 minutes) and saw that connections would average around 25mbps but would randomly drop to single digits for short periods of time. I assume this is due to other traffic on the connection but it isn't what I would expect across a dedicated circuit.

Are there any troubleshooting steps I have overlooked? My next step is to setup PRTG to monitor the switch port metro ethernet is connected to and see if we can capture data from times there are issues.



TP Link archer c1200 c5 v1 can't change channel width

As the title says, I have no option to change the channel width on my router. I would want to change to a channel higher than 48 as all the neighbors' routers are within the 36-48 channel range.

For some strange reason I can only select a small channel range...

I'm attaching screenshots of the Wi-Fi setup page and advanced settings.

https://imgur.com/a/svHLGMw



Time of Day Bandwidth Shaping

Trying to sort out how (or if) I can do something.

Basically at my ISP peering router I want to shape the traffic for various public NATs at my firewall, which sits one hop behind this device. Each NAT would get a percentage of bandwidth during office hours, but then change those values at night.

I could go the route of swapping policies on the interfaces using configuration management, but wanted to know if I could achieve this on the device itself. I'm trying to work through using time-range ACLs with policies but cannot find a way to achieve this.

Wondering if anyone could nudge me in the right direction with some pointers?



[Help] Troubleshooting wireless slowness -- interference problem?

I'm trying to troubleshoot poor wireless performance in an office area. I have a copy of Metageek Chanalyzer and captured some data. Clients are really struggling on the 5 GHz channel (on which Chanalyzer appears to be showing really high utilization), but also on 2.4 GHz. I thought perhaps we had too much signal in the area so I disabled a nearby WAP, but we're still having issues (multiple client platforms).

I have over 1000 of these devices (Aruba AP-225s) and this is the only place showing an issue with connectivity. We've tried replacing the AP as well as checking the switch interface and cable.

I'm somewhat new to troubleshooting density/interference issues so would love some assistance (I've watched all the Metageek videos but still could use some help).

Here's a link to the .wsx I captured

Thanks in advance, everyone!



Display firewall rule name that is allowing traffic on port

I can't figure this out for the life of me. I'm trying to figure out which firewall rule is allowing traffic on a certain port. Is there something I can run or a tool I could use that would display any firewall rules allowing traffic through a specific port?



End of Day/Week/Month Routines

Hi all,

I'm looking to improve my workflow, as currently I'm just juggling lots of tasks and doing a poor job of staying on top of everything. I'm curious, what routines you have at the end of each day, week, and or month to assist with your overall productivity, and organization?



Paramiko double SSH

I'm writing a python script that goes through our various networks and logs their information. I've been using paramiko so far and haven't had any trouble ssh'ing into most of our networks, but there's one network that has been a pain (network B). It hangs directly off of network A, so you can only SSH into B after SSH'ing into A. Pinging B is simple enough doing something like:

ssh.connect('aa.aaa.aa.aa', port=22, username='usr', password='pass')

stdin, stdout, stderr = ssh.exec_command("ping bb.bbb.bb.bb")

but doing a straight

ssh.connect('bb.bbb.bb.bb', port=22, username='usr', password='pass') to get into B doesn't work and after doing something like...

stdin, stdout, stderr = ssh.exec_command("ssh usr@bb.bbb.bb.bb")

requires me to later enter the password. I've been trying to find sources, like the client API http://docs.paramiko.org/en/2.4/api/client.html , but so far have been a bit stuck. Any help would be greatly appreciated. Thank you!
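The approach behind this, as an added example rather than the poster's script: open a direct-tcpip channel on the first hop's transport and hand it to a second SSHClient as its sock=, so the login to B runs inside the session to A and no interactive password prompt is involved. It generalizes to any number of hops; the addresses, usernames and the password lookup are placeholders.

```python
"""Reach network B through network A by chaining paramiko sessions.

Added example (not the poster's code). paramiko has no 'double ssh' call; the
standard way is Transport.open_channel('direct-tcpip', ...) on the first hop and
SSHClient.connect(..., sock=channel) for the next one. Hosts are placeholders.
"""


def parse_hop(spec, default_port=22):
    """Split 'user@host[:port]' into (user, host, port)."""
    user, _, rest = spec.rpartition("@")
    if not user or not rest:
        raise ValueError("hop must look like user@host[:port]: %r" % spec)
    host, _, port = rest.partition(":")
    return user, host, int(port) if port else default_port


def connect_through_jumps(hops, password_for, timeout=10):
    """Connect to the last hop, tunnelling through every earlier hop in order.

    hops: list of 'user@host[:port]' strings; the first one is directly reachable.
    password_for: callable(user, host) -> password, so secrets stay out of the
    script (a prompt, a vault lookup, ...). Returns all connected clients; close
    them in reverse order when done.
    """
    import paramiko  # imported here so parse_hop stays importable without it

    clients, sock = [], None
    for i, spec in enumerate(hops):
        user, host, port = parse_hop(spec)
        client = paramiko.SSHClient()
        # Check every hop's host key against known_hosts rather than auto-adding
        # it; each inner host's key must already be recorded there.
        client.load_system_host_keys()
        client.set_missing_host_key_policy(paramiko.RejectPolicy())
        client.connect(host, port=port, username=user,
                       password=password_for(user, host), sock=sock, timeout=timeout)
        clients.append(client)
        if i + 1 < len(hops):
            # Tunnel for the next hop: a TCP channel from this hop to the next host.
            _, nxt_host, nxt_port = parse_hop(hops[i + 1])
            sock = client.get_transport().open_channel(
                "direct-tcpip", (nxt_host, nxt_port), ("", 0))
    return clients


def run_on_last_hop(hops, command, password_for):
    """Run one command on the final hop and return (stdout, stderr) as text."""
    clients = connect_through_jumps(hops, password_for)
    try:
        _, out, err = clients[-1].exec_command(command)
        return out.read().decode(), err.read().decode()
    finally:
        for c in reversed(clients):
            c.close()


if __name__ == "__main__":
    import getpass
    # Placeholder addresses taken from the post.
    hops = ["usr@aa.aaa.aa.aa", "usr@bb.bbb.bb.bb"]
    out, err = run_on_last_hop(hops, "show version",
                               lambda u, h: getpass.getpass("%s@%s password: " % (u, h)))
    print(out or err)
```

OpenSSH's ProxyJump (`ssh -J usr@aa.aaa.aa.aa usr@bb.bbb.bb.bb`) does the same thing from the command line.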



Meraki IDS/IPS

I am curious what people think about Meraki MX for IDS / IPS. We have their APs and we generally like them. The L4/L7 app identification seems to work pretty well for our purposes. I know it's no Palo Alto, but I'm curious to hear if people think the data is actually useful?



ASA Woes - NAT

This is an extension of the post yesterday, here:

https://www.reddit.com/r/networking/comments/bgirkd/vpn_site_to_site_tunnel_acl_woes/

While the tunnel itself is up, I found another fun problem. The remote network can ping my device, but there is zero response.

Here is a map with fake ip's:

<Host 10.10.10.1>--[Switch]--(CORE)--[Switch]--{ASA 10.20.1.0}--&Cloud&--{RemoteFirewall 10.30.1.0}--[Remote Network 172.16.1.0]

The portion that is currently functioning is marked bold. I think that what I am missing is a route from the host ip address to the ASA. I resolved the reverse. There is a route on the ASA to the host, and since there is a route on the core to the host, it works.

Problem: The remote network that I need to route to, exists on the local network. I am at a total loss as to what to do. I know that I need a route from the core to the ASA for my host to reach back, but that has nothing to do with my host.

The remote network, we'll call it 172.16.1.0, since it is on my network as well, I need a dummy. I assumed that meant using NAT somehow....?

On a Fortigate, you put a range and the mapped IP. I'm not sure how that carries over if you're trying to set it on the inside interface and not the outside.



USG Pro with Untangle passthrough

http://bit.ly/2PtheVS

Will an Ethernet surge protector do anything if it's not grounded?

Usually a behind-the-desk kind of network guy, but doing my first full build out for a friend's new business. Running cable outside for cameras. I got a few Ubiquiti Ethernet surge protectors but didn't ground them yet.

Another dumb question, I mounted the protectors in the ceiling near their respective wall penetrations, should they be mounted closer to the switch?



Set a bad default gateway--how hosed am I?

I also posted this in r/Azure but thought you all might have some input as well.

I was rushing through configuring one of my Azure VMs and set the default gateway to an invalid IP address. Here's the config I set:

IP address: 10.0.0.5

Subnet mask: 255.255.255.0

Default gateway: 192.168.1.1

My intention was to set the DNS server to 192.168.1.1, not the default gateway. Now I can't connect to the VM through RDP or SSH, likely because the networking is all messed up. Is there any way to fix this? I've tried a reboot to see if that would magically reconfigure things, but no luck. I've reached out to Microsoft support but they haven't gotten back to me yet. Any thoughts on how to access this VM? Thanks in advance.



BGP peering with multiple ISPs and routing preference best practices questions.

Hello all.

We currently have BGP peering setup with an Internet provider and we are advertising a couple of networks we own. We recently procured a second Internet circuit and are working to setup peering with them for redundancy and I have some best practice questions about how to handle ISP preference and failover.

We are only getting a default route from both ISPs. My question is how should I setup peering and advertisement to always prefer ISP1 unless there is a BGP peering issue or routing issue further upstream?

It's my understanding that I would want to advertise my networks to both ISPs at the same time and use local preference to prefer the BGP peers for our default route, but what about the ISPs routing back to my advertised networks? How do I ensure that ISP1 will always be chosen unless that is not an option and then routing through ISP2? Would AS path prepend be best for that or specify certain meds with ISP2 which is part of the BGP form I'm being asked to complete (Level3/CenturyLink if it matters)?

I also plan to implement an SLA tracker for ISP1 to test Internet routing in case the BGP peers remain up, but there is a routing failure which could then fail over to ISP2.

Thank you.

Sample configs and diagram

    RTR
    router bgp 65555
     bgp log-neighbor-changes
     neighbor 2.2.2.2 remote-as YYYY   #ISP2
     neighbor 2.2.2.2 timers 15 45
     neighbor 1.1.1.1 remote-as XXXX   #ISP1
     neighbor 1.1.1.1 timers 15 45
     neighbor 1.1.1.2 remote-as XXXX   #ISP1
     neighbor 1.1.1.2 timers 15 45
     !
     address-family ipv4
      network x.x.x.x   #My network1
      network y.y.y.y   #My network2
      neighbor 2.2.2.2 activate
      neighbor 1.1.1.1 activate
      neighbor 1.1.1.1 route-map SET-LOCAL-PREF-300 in
      neighbor 1.1.1.2 activate
      neighbor 1.1.1.2 route-map SET-LOCAL-PREF-200 in
     exit-address-family
    !
    route-map SET-LOCAL-PREF-300 permit 10
     set local-preference 300
    !
    route-map SET-LOCAL-PREF-200 permit 10
     set local-preference 200
    !

    ISP1-BGP1
    router bgp XXXX
     bgp log-neighbor-changes
     neighbor 1.1.1.3 remote-as 65555
     neighbor 1.1.1.3 default-originate

    ISP1-BGP2
    router bgp XXXX
     bgp log-neighbor-changes
     neighbor 1.1.1.3 remote-as 65555
     neighbor 1.1.1.3 default-originate

    ISP2-BGP1
    router bgp YYYY
     bgp log-neighbor-changes
     neighbor 2.2.2.1 remote-as 65555
     neighbor 2.2.2.1 default-originate


Question About Patch Cables

Hi everyone! I had a couple of simple questions regarding patch cables and if the ones I'm looking at are any good. I'm installing brand new Meraki MR53s for a new school we're building, and having installed plenty of Meraki APs in the past, I know that the position of the port on the AP along with the back plate mount make for a sharp, awkward turn for the patch cable. As these new APs are MR53s, there will now be two patch cables connected to them; one cat6, the other cat6a. The area behind the AP is going to be quite crowded, so I was looking at these cat6 and cat6a patch cables. They are quite small and would fit very well in that cramped space behind the AP. Have you guys had any experience with these cables? Are they reliable, both in carrying data at cat6a standards, and at PoE? I'd really love for these cables to work, but I'm not married to them, so any suggestions are welcome. Thank you all in advance!



Question about 2960-L switches

Hi all, we have a new customer that has a bunch of these throughout their network. After going through the Cisco website and Google, I still can't figure out if these are full-on enterprise grade switches or some kind of hybrid with the small business line. Anybody using these, how are they? The client currently has a flat layer 2 across 7 buildings in a town. Looking to see if these are capable of supporting and handling multiple VLANs, SNMP and CLI access.



Router passing traffic, but unpingable and sometimes not passing ICMP

I have an odd situation, that so far I haven't been able to find a solution to. Perhaps I am googling the wrong terms?

I have two campuses linked by an inter-office bridge, using a Cisco RV130 VPN/Firewall. In this example, the bridge is 192.168.2.253 on one side and 192.168.1.253 on the other. I've been having inter-office connectivity issues, manifesting in two weird behaviors:

1) ICMP packets, for the most part (see behavior 2) seem to pass over the bridge just fine. Tracert from 192.168.2.11 -> 192.168.1.15 shows packets hopping at 192.168.2.253 and complete as normal. If I try to ping 192.168.2.253, it times out. This behavior is seen on multiple devices on the 192.168.2.0 subnet. Pinging 192.168.1.253 from the 192.168.1.0 subnet completes without issue.

2) When passing over the bridge, I am not able to ping some devices, but I am able to access the device's web interface. Ping requests work as expected on all other devices within the same subnet as the target. So for example, from 192.168.2.1 I can ping 192.168.1.1 and 192.168.1.10, but not 192.168.1.20. I AM able to ping 192.168.1.20 from 192.168.1.10, so I know that the host is responsive to ICMP.

Checking the router, there are no ACLs that should be affecting ICMP packets.

Has anyone ever seen similar behavior?



Sonicwall TZ400 throughput

Hi All,

I'm seeing an issue with some of our Sonicwall TZ400's. Based on the spec sheet they should have no trouble with throughput of 100+mbps with security features turned on, but we're lucky to get 50mbps out of a 200mbps circuit. I've disabled every security feature, turned off DPI and verified all interfaces are 1000/full. Testing from the modem I get 240; as soon as I plug the firewall in and go behind it I'm around 50 max. We have other locations that seem to get 100mbps with no problem, running an identical firewall config with security services turned on.

Anyone have experience with Sonicwalls?



Getting Cisco SmartNet to help me with vlans/layer 3 config

Does anyone know if I can use smartnet this way, to get design and configuration help?

I plan to learn and do as much as I can on my own, but when I get stuck or possibly before I actually start, I'd like to know if I can call them and have them assist me.

thanks



How can I troubleshoot or monitor for network congestion or excessive broadcasts? Also seeing lots of TCP retransmissions.

I am seeing some general slowness when transferring to or from our NAS at our core. A wireshark capture shows a lot of tcp retransmissions and duplicate acks. I sometimes run into little things like this and I am looking for a way to rule out the network. Is there anything that captures like wireshark but does an analysis of the data and can point out potential issues? I have played around with the graphing in wireshark and I do see some broadcasts, but nothing that ever hinders a connected user. A speed test out to the internet will come back with its expected speed. It seems like data transfers between two different points on the network are just not at the speed we would expect.

For this exact issue, it could be the cause is the NAS. But other than digging through wireshark and looking for an issue, what other tools could I utilize to insure my network is running optimally?
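As an added illustration of what Wireshark's TCP analysis flags actually mean (this is not code from the post), the following Python script applies a simplified version of the two heuristics to a constructed packet list: a data segment whose sequence number falls below the highest next-expected sequence already seen in that direction is counted as a retransmission, and a pure ACK that repeats the previous ACK number in the same direction is counted as a duplicate ACK. The host and NAS addresses, ports and sequence numbers are constructed sample values, not captured traffic.

```python
"""Count TCP retransmissions and duplicate ACKs in a packet list.

Simplified form of the heuristics behind Wireshark's
tcp.analysis.retransmission and tcp.analysis.duplicate_ack flags.
The packet records below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float          # capture timestamp in seconds
    src: str           # "ip:port"
    dst: str           # "ip:port"
    seq: int           # relative sequence number
    ack: int           # relative acknowledgement number
    length: int        # TCP payload bytes
    flags: str = "A"   # subset of "SAFRP"


def analyze(packets):
    """Return {(src, dst): {"data", "retrans", "dup_ack"}} per direction.

    Retransmission: data segment with seq below the next-expected seq
    already observed for that direction.
    Duplicate ACK: pure ACK (no payload, no SYN/FIN) repeating the ACK
    number of the previous segment sent in the same direction.
    """
    next_seq = {}   # direction -> highest seq + length seen so far
    last_ack = {}   # direction -> ACK number of the previous segment
    stats = defaultdict(lambda: {"data": 0, "retrans": 0, "dup_ack": 0})
    for p in sorted(packets, key=lambda pk: pk.ts):
        d = (p.src, p.dst)
        if p.length > 0:
            stats[d]["data"] += 1
            expected = next_seq.get(d)
            if expected is not None and p.seq < expected:
                stats[d]["retrans"] += 1
            else:
                next_seq[d] = p.seq + p.length
        elif "A" in p.flags and "S" not in p.flags and "F" not in p.flags:
            if last_ack.get(d) == p.ack:
                stats[d]["dup_ack"] += 1
        last_ack[d] = p.ack
    return dict(stats)


def retransmission_rate(stats, src, dst):
    """Percentage of data segments from src to dst that were retransmissions."""
    s = stats.get((src, dst), {"data": 0, "retrans": 0})
    return 0.0 if not s["data"] else round(100.0 * s["retrans"] / s["data"], 1)


# Constructed sample: a host pushing data to the NAS. The segment at seq 2001
# is lost, the NAS answers with duplicate ACKs, the host retransmits it.
HOST, NAS = "10.0.0.5:51000", "10.0.0.20:445"
SAMPLE = [
    Pkt(0.000, HOST, NAS, seq=1,    ack=1,    length=1000),
    Pkt(0.001, HOST, NAS, seq=1001, ack=1,    length=1000),
    Pkt(0.002, NAS,  HOST, seq=1,   ack=2001, length=0),
    Pkt(0.003, HOST, NAS, seq=3001, ack=1,    length=1000),  # seq 2001 never arrived
    Pkt(0.004, NAS,  HOST, seq=1,   ack=2001, length=0),     # duplicate ACK 1
    Pkt(0.005, HOST, NAS, seq=4001, ack=1,    length=1000),
    Pkt(0.006, NAS,  HOST, seq=1,   ack=2001, length=0),     # duplicate ACK 2
    Pkt(0.250, HOST, NAS, seq=2001, ack=1,    length=1000),  # retransmission
    Pkt(0.251, NAS,  HOST, seq=1,   ack=5001, length=0),
]

if __name__ == "__main__":
    st = analyze(SAMPLE)
    for (src, dst), s in st.items():
        print(f"{src} -> {dst}: {s}")
    print("retransmission rate host->NAS:", retransmission_rate(st, HOST, NAS), "%")
```

On a real capture the same counts come straight from Wireshark with the display filters `tcp.analysis.retransmission` and `tcp.analysis.duplicate_ack`, or from Analyze > Expert Information; the useful part of doing it by hand is seeing that the duplicate ACKs come from the receiver and the retransmissions from the sender, which tells you which direction of the path to suspect.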



Useful techniques for NAC testing?

I'm looking to add to my toolkit for NAC testing. Right now, it's basically limited to crafting RADIUS requests via text files and piping them to radclient, but that only works for simple authentications. We sometimes ship a small kit to the end location with a server which normally just runs a Linux distro or ESXI. I see some folks additionally doing iPad wireless testing on some of the videos I've looked at. Do you have a test harness for this that you really like and can you share what you use for 802.1X testing or in your home ISE lab? The key thing for us is that harness needs to be entirely remote - no local intervention other than initial cabling.



Cisco Nexus 9K - vPC Peer KeepAlive link won't come up

Good Morning, everyone -

Hoping to get some insight on some weird behavior I'm seeing on a couple of virtual Nexus 9K switches I am configuring in VIRL.

I have configured the vPC domain (and associated interfaces) with the same config I use on my production N9K's. The only difference is my production switches are on NXOS 7 and these virtual switches are on NXOS 9.

Unfortunately, I can't seem to get the KeepAlive link to come online. It is showing suspended, and both switches show peer unreachable. I've included some configs and outputs below for reference.

If anyone has a suggestion or idea, it would be much appreciated!

Switch#1 -

Relevant Configs

Relevant Status

Switch #2 -

Relevant Configs

Relevant Status


Edit #1 - Added VPC domain configs

Edit #2 - Post getting too long, moving configs/statuses to pastebin



How to measure UDP and HTTP package loss?

My internet isn't working as expected and even though I sent my ISP proof of 50% package loss, they sent me the answer their provider gave them: they say that even though there is a 95% package loss, it's because internet routers do not prioritize ICMP packages, thus they time out and that is why I see 50-95% package loss.

So, I'm no network expert, but I know HTTP is for webpages (guaranteed response), UDP for streaming and games (speed is prioritized over getting all the packages), and UDP for getting information of the network.

Can anyone tell me how I can measure UDP and HTTP package loss? My speed is good if I measure with speedtest, but sometimes I have to refresh the page a couple of times until it gets working. This seems to me like a problem of packages being lost, but it seems regular pingplotter tests are not enough to provide enough evidence to my ISP.

Is there a way to test HTTP and UDP % of packages lost?
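The way UDP loss is measured without relying on ICMP is to number each probe and count which numbers never come back from an echo endpoint; the following Python script is an added example (not from the post) of that technique. A lossy echo server on 127.0.0.1 is a constructed stand-in for a far-end UDP echo or iperf3 server and drops every k-th datagram so the expected loss figure is known; against a real remote endpoint only the client half applies. The `measure_http_failures` function is the HTTP equivalent (repeat a GET with a timeout and count failures) and needs network access, so it is not exercised here.

```python
"""Measure UDP loss with sequence-numbered probes against an echo endpoint.

Added example. The echo server is a constructed lossy stand-in running on
127.0.0.1; with a real far-end echo service the client half is what you
would point at it.
"""
import socket
import threading
import urllib.error
import urllib.request


def lossy_echo_server(sock, drop_every, stop):
    """Echo datagrams back; drop every drop_every-th one (0 = drop none)."""
    count = 0
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(64)
        except socket.timeout:
            continue
        count += 1
        if drop_every and count % drop_every == 0:
            continue  # constructed loss
        sock.sendto(data, peer)


def measure_udp_loss(count=20, drop_every=0, timeout=0.3):
    """Send `count` numbered probes one at a time; returns (sent, received, loss_pct)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    stop = threading.Event()
    worker = threading.Thread(target=lossy_echo_server,
                              args=(srv, drop_every, stop), daemon=True)
    worker.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(timeout)
    received = set()
    try:
        for seq in range(count):
            cli.sendto(seq.to_bytes(4, "big"), srv.getsockname())
            try:
                data, _ = cli.recvfrom(64)
                # the reply carries its own sequence number, so a late reply
                # is still credited to the probe it belongs to
                received.add(int.from_bytes(data[:4], "big"))
            except socket.timeout:
                pass  # this probe or its echo was lost
    finally:
        stop.set()
        worker.join()
        cli.close()
        srv.close()
    lost = count - len(received)
    return count, len(received), round(100.0 * lost / count, 1)


def measure_http_failures(url, attempts=20, timeout=5.0):
    """HTTP equivalent: repeat a GET and count timeouts/errors (needs network)."""
    failures = 0
    for _ in range(attempts):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                resp.read(1)
        except (urllib.error.URLError, OSError):
            failures += 1
    return attempts, failures, round(100.0 * failures / attempts, 1)


if __name__ == "__main__":
    print("udp:", measure_udp_loss(count=20, drop_every=4))   # 25% constructed loss
```

In practice `iperf3 -u` against a server the ISP cannot dismiss as "ICMP" does the same thing with a continuous stream and reports lost/total datagrams and jitter, which is the kind of evidence a provider's NOC will act on.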



pfSense VLAN Configuration

Hi peeps, looking for some guidance with my pfSense setup at work please. The problem I'm facing is that I cannot get a device onto the correct VLAN, presumably because of the way the network switch ports are configured. server1 is only getting an IP from 10.0.0.0/24 whereas I'd like it to get an IP on VLAN 10 (10.0.10.0/24). Here's the configuration:

pfSense SG-3100

VLANs
PUBLIC (wan)       -> mvneta2    -> v4/DHCP4: 1.2.3.4/21
MGMT (opt1)        -> mvneta0    -> v4: 5.6.7.8/21
LAB (lan)          -> mvneta1    -> v4: 10.0.0.1/24
V10SERVERS (opt2)  -> mvneta1.10 -> v4: 10.0.10.1/24
V20DESKTOPS (opt3) -> mvneta1.20 -> v4: 10.0.20.1/24

Dell N1524

VLANs on running-config:
configure
vlan 10
name "10.0.10.0-pfsense"
exit
interface vlan 10
exit

Interfaces status:
Gi1/0/21  server1       Full  1000  Auto  Up  On   A  10 [..]
Gi1/0/23  pfsense-lan1  Full  1000  Auto  Up  Off  T  (10),1-9,11-4096

I have tried numerous combinations of Access/Trunk/General modes with the native VLAN or PVID set as 10. Example:
interface Gi1/0/23
description "pfsense-lan1"
spanning-tree portfast
switchport mode trunk
switchport trunk native vlan 10
switchport trunk allowed vlan all

Any ideas? Thanks in advance.



High CPU spikes on HP 2920(J9728A) stack

We've been having some trouble with our HP 2920 switch stack throwing up high CPU utilization throughout the day, so I'm hoping someone here can help. CPU on the Commander spikes up to 70-80% consistently, then falls back down to 4-10%.

show cpu displays the following results:

 % CPU | Description
-------+--------------------------
  27.0 | Idle
   4.3 | Sessions & I/O
   3.5 | Hardware Mgmt
   1.4 | System Services
  36.2 | HTTP
  27.0 | IPsec
   0.5 | TFTP

Firmware is WB 16.08.0002 which is the latest from HP's website. I've tried updating the firmware, rolling back the firmware to 15.11, and removing SNMP. Any assistance would be appreciated, thanks.



Trying to gently approach my Network Admins and tell them that the DMZ has quite a lot of problems. Any advice on how to argue?

Hey folks, I discovered that many of your VoIP problems might be related to the timeouts and latency in our voice DMZ. The network admins already had to fix some firewall rules and disable features that caused similar problems, so they are naturally defensive.

I now analyzed the pings to certain devices in the DMZ and to one IP on the web to use as a reference: https://plot.ly/~perskes/22/#/

One of the devices makes incredible trouble (SBC01, most timeouts), tracert shows that the hop that takes the longest to respond is the firewall, behind the firewall the response time drops to normal levels.

Besides the timeouts we also have a lot of delay in the ping (or latency) and I was wondering how to approach the team (as I said, they are defensive as hell right now). I am trying to take as little of their time as possible and give them as much info as possible as well. What else can I check before I jump to conclusions?

Edit to clarify: Timeouts are marked with a 1000ms ping; a timeout does not respond with a time, so I took a high value to show the spikes.



IOT router 4G failover ideas

Developing our own IOT router based on Linux. Will use wlan0 as primary with a 4G/LTE (wwan0) interface as secondary. We want 4G to take over in the event of low wireless signal and/or loss of internet over wlan0.

I’m interested to see the different methods or suggestions the folks here may have on how to handle the failover mechanism. We can watch ping results to a destination (8.8.8.8/1.1.1.1) and failover when a number of pings fail. We also look at RSSI of currently associated AP and if it falls below a certain level for a few seconds, initiate failover. To initiate failover, we change route metric to favor 4G.

What other methods are folks using to do something similar?
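As an added example of the decision logic described above (ping failures, an RSSI threshold, and a route-metric swap), not code from the poster's router, here is a small Python state machine with the two properties a failover monitor usually lacks at first: hysteresis (the RSSI level required to fail back is higher than the one that triggers failover, and a hold-down keeps the router on LTE for a minimum time) and a clear separation between deciding and acting, so the `ip route` commands are returned rather than executed. The interface names are from the post; the thresholds, gateway address and metrics are assumptions to tune. One caveat worth building in: the liveness probe must be forced out of wlan0 (for example `ping -I wlan0`), because once the default route prefers wwan0 an unbound ping tests the LTE path instead of the one you are trying to watch.

```python
"""Failover decision engine for a Linux router with wlan0 (primary) and wwan0 (LTE).

Added example. Assumes both interfaces keep a default route installed and
that the route metric is the only knob; thresholds and the Wi-Fi gateway
address are assumed/constructed values.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed: wlan0 needs a next-hop, the LTE link is point-to-point.
GATEWAYS = {"wlan0": "192.0.2.1", "wwan0": None}


@dataclass
class Policy:
    fail_pings: int = 3          # consecutive lost probes that trigger failover
    rssi_fail_dbm: int = -75     # RSSI at or below this is "weak"
    rssi_fail_secs: float = 5.0  # weak RSSI must persist this long
    ok_pings: int = 10           # consecutive good probes required to fail back
    rssi_ok_dbm: int = -65       # RSSI must recover above this (hysteresis gap)
    holddown_secs: float = 60.0  # minimum time on LTE before failing back


class Failover:
    def __init__(self, policy: Optional[Policy] = None):
        self.p = policy or Policy()
        self.active = "wlan0"
        self.fail_streak = 0
        self.ok_streak = 0
        self.weak_since: Optional[float] = None
        self.switched_at: Optional[float] = None

    @staticmethod
    def route_cmds(preferred: str) -> List[str]:
        """Both defaults stay installed; the preferred one gets the lower metric."""
        metrics = {"wlan0": 100, "wwan0": 200}
        if preferred == "wwan0":
            metrics = {"wlan0": 200, "wwan0": 100}
        cmds = []
        for dev, metric in metrics.items():
            via = f"via {GATEWAYS[dev]} " if GATEWAYS[dev] else ""
            cmds.append(f"ip route replace default {via}dev {dev} metric {metric}")
        return cmds

    def observe(self, now: float, ping_ok: bool, rssi_dbm: int) -> List[str]:
        """Feed one probe result (ping sent out of wlan0); returns commands to run."""
        if ping_ok:
            self.ok_streak += 1
            self.fail_streak = 0
        else:
            self.fail_streak += 1
            self.ok_streak = 0
        if rssi_dbm <= self.p.rssi_fail_dbm:
            if self.weak_since is None:
                self.weak_since = now
        else:
            self.weak_since = None

        if self.active == "wlan0":
            weak_too_long = (self.weak_since is not None
                             and now - self.weak_since >= self.p.rssi_fail_secs)
            if self.fail_streak >= self.p.fail_pings or weak_too_long:
                self.active, self.switched_at, self.ok_streak = "wwan0", now, 0
                return self.route_cmds("wwan0")
        else:
            held = now - self.switched_at >= self.p.holddown_secs
            if (held and self.ok_streak >= self.p.ok_pings
                    and rssi_dbm >= self.p.rssi_ok_dbm):
                self.active, self.switched_at = "wlan0", now
                return self.route_cmds("wlan0")
        return []


if __name__ == "__main__":
    fo = Failover(Policy(holddown_secs=10))
    for t, (ok, rssi) in enumerate([(True, -50), (False, -50), (False, -50), (False, -50)]):
        print(t, fo.observe(t, ok, rssi) or "no change")
```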



NX-OS 9.2(3) and vPC Fabric Peering feature

Anybody try NX-OS 9.2(3) and vPC Fabric Peering feature?

Any issues?



Hiding 12 Port Network Faceplate

I'm getting ready to install a 12 port faceplate, and I'm trying to figure out how to hide it to improve the aesthetics. Currently, I have this type of faceplate, but I have been asked to hide it or somehow make it look better. My only other option is to run a bundle of 12 cords into the wall straight to the patch panel (really trying to avoid it).

Any suggestions would be greatly appreciated.

TIA!



Where to put a VPN gateway

I've installed a Sophos XG firewall (VM) that unfortunately does not support to connect to OpenVPN servers, so I've additionally installed pfSense (VM) that I use to connect to a couple of VPN servers.

Where should I put the pfSense? WAN or LAN?



Same subnet or different for wifi devices roaming between offices

I have an office with 4 floors and 4 separate networks, all running their own separate DCHP servers.

All of these networks have the same Guest Wifi SSID allowing people to move up and down as needed.

Does it make any difference if they are all on the same subnet or should I do a different subnet per network?

Thanks for any tips, I have the wifi working well but want to check I have the networks setup correctly.



Hey guys, Facebook reports that they are in the process of turning IPv4 off within their data centers. Can anyone explain to me the possible reasons behind this decision?

Other companies also like this idea and are probably going to do this soon as well.

The source of information: https://nfware.com/blog-migration-to-ipv6

For example, Comcast IPv6 deployment is at approximately 66%. British Sky Broadcasting IPv6 deployment is above 86%, Deutsche Telekom has 56%, XS4ALL has 71%, VOO has 73% and Telenet has 63%.

In terms of mobile wireless, Reliance Jio and Verizon Wireless report that about 90% of its traffic uses IPv6. The percent of smartphones in the US on the major cellular network operators (AT&T, Sprint, T-Mobile and Verizon) that use IPv6 has increased from 40% to 80% within the past three years. Furthermore, T-Mobile is going to turn IPv4 off and use only IPv6 within their mobile network. Other major wireless providers are intending to do the same thing as T-Mobile.



Cisco CLI - weird issue with character being added to end of line

I have seen this a few times in the past on several different Cisco switch models and versions, both old and new, and I cannot for the life of me figure out what I am doing wrong.

A good example of this is the below command, which I was running on a few switches yesterday:

snmp-server group example v3 priv access ACL_EX_SNMPv3​

When I enter this, in bulk with a few other commands such as creating ACLs, adding ACEs, and removing old redundant SNMPv2 config and SNMP traps, the below always happens and therefore doesn't create the group, meaning the following SNMP user creation and association to the group doesn't work:

switch(config)#snmp-server group example v3 priv access ACL_EX_SNMPv3b^@

When I then press the up arrow on my keyboard, I see the below:

switch(config)#snmp-server group example v3 priv access ACL_EX_SNMPv3b

I am copying my config from Notepad++, so there aren't any weird characters at the end that would be causing this (no spaces, or anything else weird). It has also done the above with the following config:

no ip access-list standard 10

Does anyone have any ideas why this is happening?



DNA Licensing and SmartNet - Catalyst 9000

So I just learned that support for some features that lie in the "Network Advantage" or "Network Essentials" perpetual license that comes with your switch when you purchase either a -A or -E SKU Catalyst 9000 switch lies within DNA.

Say you pay for SmartNet on your newly acquired Catalyst 9300 switch and your 3 year mandatory DNA license has expired. You want support for OSPF not behaving as expected. You are now on your own... You now have to have both DNA licensing AND SmartNet to get support....

How does this make you feel?



Weird Issue between Ubiquiti Nanobridge M5 wireless bridging from building to security gate

So I have a strange issue and I was able to get it working again, but the reason why doesn't make sense to me. Basically we have it set up so an interface on the firewall is directly plugged in to a POE injector that goes to the Nanobridge M5 and is bridged to another NanoBridge which goes in to a switch. It stopped working one day without any changes made. I plugged in to a switch on the far end of the bridge and I was not getting an IP address. When I set the IP manually on my laptop I could reach both of the dishes but not the default gateway. The strange thing is, back on the near side with the firewall, I added a switch so that it goes firewall > switch > POE injector instead of just straight to the POE injector. When I did this both sides began working appropriately again without any changes. I thought maybe it was fixed so I removed the switch and went back to straight to the POE injector and then it stopped working again. Tested this multiple times to verify I am not crazy. I'm definitely not as smart as some of you guys, but I cannot think of a logical reason why this would be and it's left me pretty confused. Can anyone shed some light on this maybe? I probably left out important details so just ask me if you want any other information.



Wireless LAN Simulator

I am looking to build my technical hands-on experience, and I need your advice for a simulator (affordable) to start doing some basic Cisco wireless configuration and troubleshooting.

Jeff Rensink from Network Dojo is an awesome person who does have different videos on YouTube, but I would like to find something small and as a startup to begin with and by the time I can expand/build till I reach with a full setup on my lab physically.
Right now, I need a simulator for Wireless solutions/scenarios.



Wednesday, April 24, 2019

Best way to learn Layer 2

Hello Networking,

As a learning network engineer who likes to dig deep into everything I’m learning.. I’m trying to find the best way to learn layer 2 concepts / protocols at a very complex level. When I’m learning any Layer 3 protocol I always start with the RFC and read it cover to cover until I feel I have a strong grasp on exactly what is going on at a packet level. What’s the best RFC equivalent, or strategy you have used, to learn layer 2 at this level. My understanding currently is that you must pay for the IEEE paperwork and their site is also far more difficult to navigate / find data than the RFC structure.



Pretty good videos on net automation for free from Cisco



Wireless LAN Absorption.

For Wireless Access Point (WAP) installation, I noticed when you put the WAP on top of the ceiling you might lose some of the signal, and this is what we call Wireless Signal Absorption. The recommendation is to put the WAP after the ceiling, and in this case it will be visible to everyone on the site (for example a hospital).

For me, I do not like the access point or the antennas to be visible to the public, and from a security point of view I would prefer them to be on top of the ceiling (i.e., hidden), but will the absorption issue come up?

What is the solution do you think?

Visible to the public -> more questions either from the people or from the employees -> more time wastage



Industry Trends and Research

Hi I'm completing a research project on the cybersecurity industry and more specifically on Palo Alto Networks, CheckPoint, and Cisco. Wall St. research analysts who have no idea what they are talking about throw around market share projections and lines like "best in class product portfolio" all the time, so I'd like to bypass that and ask you all for insight on the industry and where you think it's headed. Apologies in advance if this isn't the best place to post this.

My main questions are:

1) Is there a significant difference between the comprehensiveness and quality of product lines between Palo Alto, CheckPoint and Cisco?

2) When dealing with salespeople from these companies does anyone stand out in a good or bad way?

3) Has your enterprise recently switched from one of these companies to the other and if so why?

4) What are better questions I should be asking to compare these companies?

Thanks for your help in advance and if you'd be willing to be a source for my project (anonymous or otherwise) please message me!



Windows 10 Issues Moving to New AP Vendor

Hello all,

We are recently making the switch from Cisco to Aruba access points after a year of success with their Clearpass product. But I recently have run into an issue with our managed Windows devices being able to connect to the Aruba APs that are broadcasting the same SSID as the Cisco APs were.

I chose a single isolated building to serve as the “pilot” of sorts for this project. Long story short: when I turn off the Cisco access points in this building and have just the Aruba APs running (broadcasting all the same SSIDs as the Cisco APs), Windows will not connect. We do have a wireless profile pushed out via GPO that is set to connect to that SSID, and it will only connect when a signal from the Cisco APs is present. It completely fails to connect otherwise.

Unmanaged devices are able to connect just fine, as long as I forget the network and rejoin it. But since I’m using a GPO on the managed assets, I can not just forget the network.

So far I have tried to:

Push out a new network profile.
Verified the SSIDs are using the same encryption and auth methods.
Certs are handled by Clearpass, so there are no issues there.
Tried to collect packets with Wireshark but it doesn’t collect anything. It’s almost as if Windows just flat out refuses.

I really don’t want to have to remove the auto connect to SSID feature for users. I'm starting to get desperate.

Has anyone run into issues like this before?

Other notes:

Aruba APs are the new 515 models
Clearpass 8.7
Aruba 7200 Series Controller running 8.4



Sanity Check. DNS Delegation and NS Records? Who is querying who?

Let's say we have a hypothetical DNS server (at 10.10.10.1) with these records and is authoritative for bar.com.

foo.bar.com.      IN NS  ns1.foo.bar.com.
ns1.foo.bar.com.  IN A   10.20.20.1

We have the other server (at 10.20.20.1) with these records and is authoritative for foo.bar.com

myhost.foo.bar.com IN A 10.20.20.5 

If a client queries 10.10.10.1 for myhost.foo.bar.com, does the DNS server 10.10.10.1 query 10.20.20.1 or does the client have to perform two queries...once to get the NS record for foo.bar.com and then a second query to 10.20.20.1 to get the A record for myhost.foo.bar.com?
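The answer hinges on whether 10.10.10.1 has recursion enabled, and the following Python model (an added example, not from the post) shows both cases with the exact records above. An authoritative-only server that holds the `NS` and glue records for `foo.bar.com` answers the `myhost.foo.bar.com` query with a referral (the `NS` record in the authority section plus the glue `A` record in the additional section), and whoever asked must send a second query to 10.20.20.1; a server with recursion enabled chases that referral itself and returns the final `A` record in one round trip. The `AuthServer`, `RecursiveServer` and `resolve` names are this example's own, not a library API.

```python
"""Toy model of DNS delegation: who follows the NS referral?

Added example. Two authoritative servers hold the zones from the
question; resolve() is the iterative algorithm that either the client
or a recursive resolver must run to get past the referral.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RR = Tuple[str, str, str]  # (owner name, type, rdata)


@dataclass
class Response:
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)   # NS records of the child zone
    additional: List[RR] = field(default_factory=list)  # glue A records for those NS


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


class AuthServer:
    """Authoritative-only server (recursion disabled) for one zone."""

    def __init__(self, ip: str, zone: str, records: List[RR]):
        self.ip, self.zone = ip, _norm(zone)
        self.records = [(_norm(n), t, r) for n, t, r in records]

    def query(self, name: str, rtype: str = "A") -> Response:
        name = _norm(name)
        exact = [rr for rr in self.records if rr[0] == name and rr[1] == rtype]
        if exact:
            return Response(answer=exact)
        # No data here: walk the name towards the zone apex looking for a
        # delegation point (NS records owned by a name below the apex).
        labels = name.split(".")
        for i in range(len(labels)):
            cut = ".".join(labels[i:])
            if cut == self.zone:
                break
            ns = [rr for rr in self.records if rr[0] == cut and rr[1] == "NS"]
            if ns:
                targets = {_norm(rr[2]) for rr in ns}
                glue = [rr for rr in self.records if rr[1] == "A" and rr[0] in targets]
                return Response(authority=ns, additional=glue)  # a referral
        return Response()  # NXDOMAIN / NODATA


def resolve(servers: Dict[str, AuthServer], start_ip: str, name: str,
            rtype: str = "A", max_hops: int = 8):
    """Iterative resolution from start_ip; returns (rdata list, servers asked)."""
    asked, ip = [], start_ip
    for _ in range(max_hops):
        asked.append(ip)
        resp = servers[ip].query(name, rtype)
        if resp.answer:
            return [rr[2] for rr in resp.answer], asked
        if not resp.authority:
            return [], asked
        ns_name = _norm(resp.authority[0][2])
        glue = [rr[2] for rr in resp.additional if rr[0] == ns_name]
        if not glue:
            raise RuntimeError(f"referral to {ns_name} without glue")
        ip = glue[0]  # second query goes to the delegated server
    raise RuntimeError("too many referrals")


class RecursiveServer(AuthServer):
    """Same zone data, recursion enabled: chases the referral on the
    client's behalf and returns a final answer in one round trip."""

    def __init__(self, ip, zone, records, servers: Dict[str, AuthServer]):
        super().__init__(ip, zone, records)
        self.servers = servers

    def query(self, name: str, rtype: str = "A") -> Response:
        local = super().query(name, rtype)
        if local.answer or not local.authority:
            return local
        ns_name = _norm(local.authority[0][2])
        glue = [rr[2] for rr in local.additional if rr[0] == ns_name]
        rdata, _ = resolve(self.servers, glue[0], name, rtype)
        return Response(answer=[(_norm(name), rtype, r) for r in rdata])


# The two servers from the question.
SERVERS: Dict[str, AuthServer] = {}
SERVERS["10.10.10.1"] = AuthServer("10.10.10.1", "bar.com", [
    ("foo.bar.com.", "NS", "ns1.foo.bar.com."),
    ("ns1.foo.bar.com.", "A", "10.20.20.1"),
])
SERVERS["10.20.20.1"] = AuthServer("10.20.20.1", "foo.bar.com", [
    ("myhost.foo.bar.com.", "A", "10.20.20.5"),
])

if __name__ == "__main__":
    print("authoritative-only 10.10.10.1 says:", SERVERS["10.10.10.1"].query("myhost.foo.bar.com"))
    print("iterative resolution:", resolve(SERVERS, "10.10.10.1", "myhost.foo.bar.com"))
    rec = RecursiveServer("10.10.10.1", "bar.com", SERVERS["10.10.10.1"].records, SERVERS)
    print("recursive 10.10.10.1 says:", rec.query("myhost.foo.bar.com"))
```

Running it shows the two behaviours side by side: the authoritative-only server returns an empty answer section with the referral, the iterative path records both 10.10.10.1 and 10.20.20.1 as queried, and the recursive variant returns `10.20.20.5` directly. Which one a real server does is a configuration choice, which is why an authoritative server that is also reachable by clients is usually run with recursion disabled and a separate recursive resolver does the chasing.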



PaloAlto Remote Access VPN - X-Auth Windows 10

Hello guys !

Today I finished the configuration for PaloAlto VPN remote access (WITHOUT GlobalProtect Subscription).

Now I'm in a kind of awkward situation because I can't connect to the VPN using the based Windows 10 VPN client because that doesn't let me input the Group name from X-Auth, only the pre-shared key.

Do you guys use any client on Windows 10 that can bypass that ??

Thanks !!




Help with troubleshooting overlapping Subnets - The bane of Ipsec VPNS

Hey everyone, I have an issue and Im kinda stuck finding the solution.

The scenario is the following, I have a router (Cisco 2811) who has two IPSec VPNs established with SiteA and SiteB.

The thing is, the network address of SiteA overlaps with SiteB. I got 172.16.0.0/12 on SiteA and 172.21.226.0/23 on SiteB. The problem is that none of the remote sites is willing to make any change on their devices, therefore my router has to manage everything.

Im using the following configuration:

Crypto Maps:

crypto map rtp 2 ipsec-isakmp
 set peer B.B.B.B (SITE B)
 set transform-set TSASA
 match address CISCO_TO_ASA
crypto map rtp 4 ipsec-isakmp
 set peer A.A.A.A (SITE A)
 set transform-set 3des-sha
 match address LAN-UOL-vpn

ACLs for interesting traffic:

Used by site A:

ip access-list extended LAN-UOL-vpn
 permit ip 10.233.0.0 0.0.255.255 172.16.0.0 0.15.255.255

Used by site B:

ip access-list extended CISCO_TO_ASA
 permit ip 10.233.18.0 0.0.1.255 172.21.226.0 0.0.1.255
 permit ip 10.233.22.0 0.0.0.255 172.21.226.0 0.0.1.255

Both VPNs are using the same crypto map. I tried changing the sequence number in order to use the site B address first (since it's smaller than site A) and then site A. However, when I try to send traffic meant for site B it's routed to site A because the network address overlaps both segments.

Any suggestions are appreciated. Let me know If you would like any other information that might be relevant to fulfill the objective.
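Crypto map entries are evaluated in ascending sequence order and the first ACL that permits the packet selects the peer, so the two ACLs above can be checked flow by flow before touching the router. The following Python script is an added illustration of that first-match model with the ACLs and sequence numbers exactly as posted (the peer placeholders `A.A.A.A` and `B.B.B.B` are the post's own); the sample source and destination addresses are constructed. The `select_peer` and `wildcard_match` names are this example's, not an IOS feature.

```python
"""First-match evaluation of crypto map entries, using the ACLs from the post.

Added illustration of the Cisco rule that a packet is compared against
crypto map entries in ascending sequence order and the first ACL permit
wins. Sample flows below are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: bits set in the wildcard are don't-care bits."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


# ACLs as posted: (action, src, src_wildcard, dst, dst_wildcard)
ACLS = {
    "LAN-UOL-vpn": [
        ("permit", "10.233.0.0", "0.0.255.255", "172.16.0.0", "0.15.255.255"),
    ],
    "CISCO_TO_ASA": [
        ("permit", "10.233.18.0", "0.0.1.255", "172.21.226.0", "0.0.1.255"),
        ("permit", "10.233.22.0", "0.0.0.255", "172.21.226.0", "0.0.1.255"),
    ],
}

# crypto map rtp: (sequence, peer, ACL name)
CRYPTO_MAP = [
    (2, "B.B.B.B", "CISCO_TO_ASA"),   # site B, the more specific /23
    (4, "A.A.A.A", "LAN-UOL-vpn"),    # site A, the /12 that contains it
]


def acl_permits(acl: List[Tuple[str, str, str, str, str]], src: str, dst: str) -> bool:
    """Evaluate ACEs top-down; the first matching ACE decides (permit or deny)."""
    for action, snet, swild, dnet, dwild in acl:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action == "permit"
    return False  # implicit deny: not interesting traffic for this entry


def select_peer(src: str, dst: str, crypto_map=CRYPTO_MAP, acls=ACLS) -> Optional[Tuple[int, str]]:
    """Return (sequence, peer) of the first crypto map entry whose ACL permits the flow."""
    for seq, peer, acl_name in sorted(crypto_map):
        if acl_permits(acls[acl_name], src, dst):
            return seq, peer
    return None  # no entry matched: sent in the clear or dropped by other policy


if __name__ == "__main__":
    for src, dst in [("10.233.18.5", "172.21.226.10"),   # inside the site B ACL
                     ("10.233.5.5", "172.16.1.1"),        # only site A matches
                     ("10.233.5.5", "172.21.226.10"),     # site B range, source not in ACL
                     ("10.233.18.5", "192.0.2.1")]:       # not interesting to either
        print(f"{src} -> {dst}: {select_peer(src, dst)}")
```

The third sample flow is the one to look at: its destination is inside site B's /23, but because its source is outside the two source ranges in `CISCO_TO_ASA`, sequence 2 does not match and the packet falls through to sequence 4 and site A. Checking the actual source addresses of the traffic that ends up at site A against the ACL, and `show crypto map` for the order the router really has, is a quick way to confirm whether the ordering or the ACL coverage is what needs adjusting.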



Company Acquisition - New Network Approach

Howdy!

The company I work for recently acquired another company of equal size. I've been spending time on their network over the past few weeks and have been in awe with just how scattered and cobblestoned together their network is. They are a small office with 150 employees.

For equipment they've got a Fortigate firewall, C3650 for a core, and a handful of SG-300s for access. After seeing some spanning tree issues I requested some new network gear to replace theirs, and while my firewall suggestion was shot down, I got everything else I requested, so I feel good about that; FTD 2100s for firewall, Silver Peak Edge Connects for SD-WAN, 2 Catalyst 9500s for cores, and catalyst 3850s for access.

Looking through some of cisco's validated designs I felt this set us up in a pretty good spot for future expansion. Is there a deeper look at the device configs that they are referencing in the CVD guides? I see a lot of big picture things, and a few interface settings, but would really like a little more meat with these potatoes.

Lastly, my plan is to setup all the new network gear in parallel and establish connectivity through their current network, and migrate 1 system at a time over to the new gear while re-addressing and physically cabling (I'm also having their IP scheme re-done as it is all over the map currently). This is the part that has me stressed the most. I haven't done a cutover like this before, so I wanted some input from anyone who has and could provide guidance. My systems guys seem pretty confident on their part, but this is the only part of my plan that I'm not nearly as confident about.

Thanks in advance!



Applying for a new position. What are some ways that you prepare for interviews?

Looking to be prepared to the best of my ability while applying for a Director position. What are some preparations that you recommend?



Recommended sub-ms HSRP timers?

Are there any recommendations on how long to go with hsrp timers?

We have two ASR's connected to same switch being used as the gateway for a VoIP solution which needs to have as fast gateway failover as possible to prevent audio loss during a service event.

EDIT:: I've just read that you can now enable bfd with hsrp - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-15-mt-book/fhp-hsrp-bfd.html

Anyone done that? How low can I go with BFD in this situation? I currently use 3x300ms on my WAN links with BGP, so surely I can go much lower on a directly connected LAN setup?



Quad Sup VSS 4507 Upgrade

I'll be upgrading our pair of 4507R+E running Sup7L-E for the first time. These guys are running as a VSS pair with Quad sups. I'm going from 3.4 to 3.8.7. I'm looking to stay away from ISSU cause frankly I'm too scared of it. I convinced management that I need a window and thankfully I got it. Does anyone have any procedures for this type of upgrade? Is it as simple as setting my bootvariables and reloading? I found a document on cisco but they mention the use of RPR which is not something we are running. Anyone have any good docs for this?



10 Gig Cisco Catalyst Switch Recommendation

I have a client who needs their back-end storage segregated from their main network, and we'd like to accomplish this by implementing two redundant switches that have 10x 10gb ports per switch. I looked at the Cisco SG350XG-2F10, but my higher-ups want to recommend Catalyst switches, as that's the line our client currently has.

What would be comparable to the SG350XG's in the Catalyst line?



Testing fiber optic media converter

I know this setup is dumb but I'm giving you the TLDR. I'm trying to send data in a loop via a media converter. I have a media converter hooked into my computer via RJ45 and then a single mode fiber optic cable in both the RX and TX (it just loops back into itself). It doesn't seem like the converter has its own MAC or IP address, so is there a way I can ping my own computer so it just sends that data to the converter, through the fiber and back?



Difference between Enterprise vs Consumer router and their routing capabilities.

I'm really trying to learn this stuff so sorry if this question is essentially basic 101 stuff. Here are 2 scenarios:

At work, we use a Cisco ASA with multiple interfaces, each connected to different VLANs. Essentially, each VLAN has their own DHCP server (combo of Linux and Windows). I even had to rebuild the DHCP on one of the networks and got it working with no issues. The Cisco router is able to easily route traffic from one network to another. For example, I can ssh to a machine on 192.168.100.0/24 from a machine on 100.0.100.0/24 or any of the other networks. I can also edit rules to forward ports from the WAN to any of the IP addresses.

At home, I have an EdgeRouter X. If I were to set up two different networks, each with their own DHCP (not being done by the ERX), then the traffic will not route to each other. I can not ssh from one network to another because of what I understand as double NAT issues. For example, I used the EdgeRouter's DHCP for one interface and on the other, a WiFi router using its own DHCP, creating a double NAT issue. I was able to create masquerade rules to allow the WiFi network to ping anything on the ERX's network, but not the other way around. I also could not forward ports from the WAN to anything behind the WiFi router.

Conceptually to me, these two scenarios are the same but obviously the Cisco Router has no issues routing the networks. Yes, one is a >$1000 and the other is $50, but what word should I be Googling to understand this black magic?



Intro to WAN Technologies

I have a new job where I'm dealing more with WAN technologies which I previously was not exposed to: VPNs, BGP, MPLS, CoS, etc.

Anyone have any good book or video tutorials on general knowledge in those topics?

Doesn't have to be specific to any vendor since it's a multi-vendor environment.



Wireless Networking Recommendation - Grandstream vs. Ubiquiti

Good Morning!

I work in a rather large public library that has 4 floors and is about half a block long. Most of the building is concrete and there is a lot of metal due to the bookshelves. We currently use Open-Mesh products, but lately we've been having issues, mainly because we have more users than the AP can handle (60+ on each AP). We also use Asterisk PBX and Grandstream phones. With our current Open-Mesh setup, the Wi-Fi phones refuse to roam and end up disconnecting each time they leave an AP's range. We currently have 16 APs in our building for coverage. Our coverage itself is good; the phones just refuse to roam between APs and lose connection, even if you are directly under an AP.

Because of this, we are looking into getting a new access point system. Currently, we are testing out Grandstream's access points as well as Ubiquiti's AP systems. Has anyone ever used Grandstream in a large deployment before? They seem to be good access points and work well with their other equipment, but I know they are newer to the market and are trying to directly compete with Ubiquiti. I like their interface; it's easy to use and has some advanced features, such as 802.11r, k, and v. I have used Ubiquiti products in the past and enjoy them as well. Grandstream just has a really good price point for similar products to Ubiquiti.

Does anyone have any recommendations that would work well in our setup? Ability to successfully roam is a must as well as statistics on usage. We also do not have a super large budget, so products like Cisco are out of our range.

Any recommendations would be greatly appreciated.

Thanks for your time!