Saturday, June 1, 2019

I'd like to set up some network monitoring, but I need some guidance.

I have a large physical area, but not a very advanced network. However, we are getting more advanced, like adding VLANs and a branch in the not-too-distant future. Ideally I would like to create a "page" with a typographical layout of ISP > switches > switch node etc. Something that at a glance could help me see where issues are coming up.

Any suggestion on what would best allow me to monitor traffic and devices? Much of the network gear is Meraki, but some is leftover Netgear. For pricing, I'd like to stay away from recurring costs if at all possible. We are a nonprofit.
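An added illustration in Python, not from the post or from any product named in it, of the at-a-glance logic such a page needs: each device records the device a probe has to pass through to reach it (its "parent", seen from the monitoring host), so a device that fails its probe while its parent still answers is flagged as the fault, and everything behind it is shown as merely unreachable instead of raising its own alarm. The device names and the poll results are constructed; the `icmp_probe` helper assumes a Linux-style `ping -c 1 -W` and is not used by the canned demo.

```python
"""Parent-aware status classification for a small network map.
Constructed example: names, topology and poll results are made up."""
import subprocess

# Constructed topology: device -> the device a probe passes through to reach it,
# seen from the monitoring host (None = the monitor's own switch).
# In practice this map would come from LLDP/CDP neighbour data or a hand-drawn diagram.
TOPOLOGY = {
    "core-sw": None,
    "isp-router": "core-sw",
    "idf-a-sw": "core-sw",
    "idf-b-sw": "core-sw",
    "ap-a1": "idf-a-sw",
    "ap-a2": "idf-a-sw",
    "printer-b1": "idf-b-sw",
}


def classify(topology, reachable):
    """Map every device to 'up', 'down' (the likely fault point) or
    'unreachable' (behind a fault, only a symptom).
    `reachable` is {device: bool} from whatever probe you use (ICMP, SNMP, HTTP)."""
    status = {}

    def walk(node):
        if node in status:
            return status[node]
        if reachable.get(node, False):
            status[node] = "up"
        else:
            parent = topology[node]
            # Down only counts as a root cause when the path up to it still works.
            status[node] = "down" if parent is None or walk(parent) == "up" else "unreachable"
        return status[node]

    for device in topology:
        walk(device)
    return status


def root_causes(topology, reachable):
    """The devices actually worth alerting on."""
    return sorted(d for d, s in classify(topology, reachable).items() if s == "down")


def render_tree(topology, reachable):
    """Text version of the 'page': core > switches > endpoints, one status per line."""
    status = classify(topology, reachable)
    children = {}
    for child, parent in topology.items():
        children.setdefault(parent, []).append(child)
    lines = []

    def emit(node, depth):
        marker = {"up": "OK  ", "down": "DOWN", "unreachable": "----"}[status[node]]
        lines.append(f"{'  ' * depth}[{marker}] {node}")
        for child in sorted(children.get(node, [])):
            emit(child, depth + 1)

    for root in sorted(children.get(None, [])):
        emit(root, 0)
    return "\n".join(lines)


def icmp_probe(host, timeout_s=1):
    """Real probe for hosts that answer ICMP. Assumption: an iputils-style
    `ping -c 1 -W <sec>` binary is on PATH (Linux); adjust for other platforms."""
    result = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed poll: the IDF A switch stopped answering, so its APs vanished too.
    poll = {d: True for d in TOPOLOGY}
    poll.update({"idf-a-sw": False, "ap-a1": False, "ap-a2": False})
    print(render_tree(TOPOLOGY, poll))
    print("root causes:", root_causes(TOPOLOGY, poll))
```

The parent direction is defined from where the probes originate, not from the ISP: if the monitor sits on the core switch, the ISP router is a child of the core, because losing the core also takes the ISP probe with it and that loss should not be reported as an ISP outage.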



DDNS + ASA Outside

https://www.reddit.com/r/networking/comments/bbaqto/need_a_working_model/

I started with this, and things happened and I never got back to it.

I have a 5520 ASA, and I need to set the outside interface up as DDNS

I have reviewed the documentation here: https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/dhcp.html#wp1091527

And though those settings are not the problem, I have an issue with:

ping 8.8.8.8
no route to host 8.8.8.8

I'm about ready to chunk this thing out the window :)

Doing an ASA on a stick here, with a switch on the other end, trunked through L2 interfaces (which I have working, apparently).

!
hostname domain
domain-name domain.net
names
ddns update method ddns-2
 ddns both
!
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.86
 vlan 86
 nameif outside
 security-level 0
 ddns update hostname ser.ver.com
 ddns update ddns-2
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif Base
 security-level 0
 ip address 172.20.10.250 255.255.255.0
!
interface GigabitEthernet0/1.15
 vlan 15
 nameif Extra
 security-level 0
 ip address 172.20.15.250 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif ManagementStuff
 security-level 0
 ip address 172.20.20.250 255.255.255.0
!
interface GigabitEthernet0/2
 description future-use
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description guest-wireless-future
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa917-32-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.net
no pager
logging asdm informational
mtu outside 1500
mtu LOCAL 1500
mtu MGMT 1500
mtu Printer 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-781-150.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 0.0.0.0 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end



I created a free application that has some useful network tools.

I'm a network engineer by trade, but I created an application called Igloo to facilitate learning Python for SDN and whatnot. It has some granular commands for TCP settings on Windows boxes, as well as simplified IP route/address configs and a built-in TCP port scanner. There are also simple command sets available for configuring Windows client VPNs, creating/deleting local firewall rules, and lots of other neat things.

My upcoming additions for the app will be automated server configurations and more network-related tools, like automated crypto configurations for the ASA. I'm also working on SSH client capabilities.

Igloo definitely has kinks to work out, but I'm working on it continually to make it better. Feel free to lambast it or offer your suggestions. I hope that someone finds it useful.



Cannot send commands via PuTTY to Cisco 3750 Switch. Please Help!

Hi All

I am studying for my CCENT and am practicing with the C3750 switch, using PuTTY 0.71 as my terminal emulator of choice. I am connected via serial; I am resetting the switch to factory settings by unplugging it and plugging it back in while holding the "MODE" button. I can't for the life of me figure out a way to send the command "flash_init" to the switch. Every time I press the "enter" key on my keyboard, it just gives me a new line but never actually sends the command to the switch. Below are some screenshots of my settings for PuTTY and my issue. As you can see in PuTTY, after I input the "flash_init" command and press "enter", it just jumps to a new line. Please help!

Thank you guys so much in advance. I've been googling this for the past few hours and absolutely cannot figure this out.

https://ibb.co/xGX81Rx

https://ibb.co/drX0rnV

https://ibb.co/J2X0YFz

https://ibb.co/jvkstYt



To those who've asked me how to prepare for networking interviews...

...and to those who've been blindsided by interviews in the past:

Every time someone asks me how to prepare for a networking interview, I'm at a loss for where to start. There are so many factors that can affect what you'd expect to see in an interview.

That said, there are some common bits, but giving people the same pieces of advice over and over again makes me feel like this. I decided to update my YouTube channel with actual content for the first time in...geez, six years? Wow. We've gone through two revisions of the CCNA since then, I think!

In any case, here's a video on networking interviews. It definitely doesn't cover everything, but it certainly covers the most common pieces of advice I give. This is the result of years of in-person interviews and phone screens, and from a slide deck assembled by /u/HoorayInternetDrama. (That's right, I didn't forget about that slideshow you sent me almost a year ago!)

I'm definitely open to feedback on the content (production quality sucks, I know, working on that). Feel free to chip in with other morsels you think would be useful to the community, too!

Mods: I'm 99% sure this doesn't break Rule #5, but I don't want to break rule #3 either. My primary goal here is to have a post to reference when folks ask about networking interviews - not just at an entry level, because I see lots of engineers who should know better make the mistakes I mention. Hopefully the comment discussion can add more context than my video alone. That's the idea, anyway. :P



ASAv + AnyConnect on AWS AGAIN!!!!!

I have ASAv running on AWS, nothing complex, standard interfaces (inside, outside, management). However, when a user connects with the AnyConnect client they can't reach my internal network (btw, the internal network is connected to AWS over a DXGW, direct connect). I can of course reach the internal network from the ASAv inside interface, just not from the AnyConnect address pool. I figure it's routing. I have an AWS route table associated with the inside interface that points to the VGW to get to the internal network (btw, it is already associated with the DXGW). I'm thinking the issue I'm running into is how my network knows where to reach my AnyConnect address pool. The AnyConnect pool subnet is pulled from the supernet block of the VPC, so I cannot add a more specific route than the default local route of the VPC. If I were to use a subnet outside the VPC supernet, that subnet isn't advertised from our CSP to our internal network (since it's only configured on the ASAv). I need to allow my AnyConnect network to talk to my internal network. I feel like I've worked through the basics (SGs, ASAv static routes, etc.) but with no success. Has anyone ever done this? I would greatly appreciate the help.



Whonix like system

Not sure If I'm on the correct sub. If not, sorry.

I'm trying, as a hobby, to create a system like Whonix where virtual machine [A] connects to virtual machine [B] (using an internal network) and virtual machine [B] connects to the internet (like a router) using the host.

I don't know what to search for on Google to find a tutorial. Any idea?



Router on a stick (ASA) with dhcp pools on 3750 L3 Switch?

Happy that I have things running as far as I do...

ASA

interface gig 0/1
 desc TRUNK
 no nameif
 no sec-level
 no ip address
interface gig 0/1.10
 vlan 10
 nameif LOCAL
 sec-lev 99
 ip address 172.20.10.250 255.255.255.0
interface gig 0/1.20
 vlan 20
 nameif MGMT
 sec-lev 100
 ip address 172.20.20.250 255.255.255.0
interface gig 0/1.40
 vlan 40
 nameif Printer
 sec-lev 99
 ip address 172.20.40.250 255.255.255.0

Switch 3750

ip dhcp excluded-address 172.20.10.200 172.20.10.254
ip dhcp excluded-address 172.20.20.200 172.20.20.254
ip dhcp excluded-address 172.20.40.200 172.20.40.254
ip dhcp pool VLAN10
 network 172.20.10.0 255.255.255.0
 default-router 172.20.10.250
 dns-server 1.1.1.1
 domain-name Local.com
 lease 30
ip dhcp pool VLAN20
 network 172.20.20.0 255.255.255.0
 default-router 172.20.20.250
 dns-server 1.1.1.1
 domain-name Local.com
 lease 30
ip dhcp pool VLAN40
 network 172.20.40.0 255.255.255.0
 default-router 172.20.40.250
 dns-server 1.1.1.1
 domain-name Local.com
 lease 30

I set up gig 1/0/1 as:

 switchport access vlan 10
 switchport mode access
 spanning-tree bpduguard enable

The link between the laptop and g1/0/1 is green.

The DHCP server is on; I have debugging on and am not seeing anything.

The laptop connected to 1/0/1 is getting a 169.254.x.x address.

I know it's a bad idea to set up an ASA as a DHCP server, which is why I'm attempting this.

I'm wondering if I'm doing this all incorrectly. I'd rather not have to set up everything as static IP's. I do have an old server running 2008 but I don't want to fight it and get it running again, and there are not many devices to be concerned with.



Hub and Spoke w/dual WAN BGP Design Question

Hi all,

I'm not a BGP expert by any means, so I wanted to know if there's any BGP config I can use to solve my problem.

I have a hub-and-spoke IPsec network. Each spoke has two WAN ports, each of which has an IPsec tunnel to redundant hubs (two IPsec tunnels per WAN port). Traffic originating from the spoke is routed through its WAN1 IPsec tunnel, while the hub has WAN2 in its route table. The hub is a firewall which, by default, denies asynchronous routing.

Is there any BGP setting (except changing the weight for specific interfaces) that would allow the hub and spoke to negotiate a preferred interface, or tunnel, when they peer? Not sure if this is relevant, but the hub is seeing both of the spoke's interfaces as a BGP neighbor.

Thanks in advance



Help with Patch Panel Legend

I'm not sure if this is the right configuration for the patch panel wiring legend; can anyone verify?

Trying to set up the B wiring configuration, and asking if the picture seems right and if the next one up would be the same as the one I started...

Thanks in advance!

patch panel draft picture



Fan Swap on a Noisy HP 1910-24-PoE+ Switch

I was given an HP 1910-24-PoE+ switch that my work was tossing out after it was replaced. Super excited to convert my IoT RPis over to PoE, I rushed home and plugged it in, but to my dismay I could hear the switch's fans from two rooms over! After a quick Amazon search I found a couple of Noctua NF-A4x20s that seemed like a perfect fit. Today I finally got around to swapping them out, and I decided to take some before/after decibel readings with an Android app called "Sound Meter." I know it wasn't a super scientific test given that I was in a shed, with mild ambient noise levels, using a cellphone, but what the hell. I placed the phone parallel to the fan exhaust side of the switch, at a distance of two inches, and averaged the reading over one minute. Despite being outdoors (in my shed) I compared the levels and the transformation was incredible to me. Before the swap I had an average reading of 59 dB, and after it averaged 46.3 dB! Wow! RPi PoE, here I come!

TL;DR - I swapped the fans of my HP 1910-24-PoE+ switch out for two Noctua NF-A4x20s and quieted the switch by almost 13 dB!



Looking to get a cabling certification

I am wondering which certification would be the best at the most affordable price. I have been looking at BICSI and obtaining a level 1 cert.



Weird network behavior when connecting hypervisor

So here's the deal. Yesterday, I transferred my ESXi host into another case that has more 3.5-inch bays. Everything worked great, network and all. I also have a Proxmox host that is connected exactly the way it was before the ESXi rebuild.

The weird thing is: when I connect my Proxmox host to my only HP switch, it now indicates a 100Mb/s link (instead of Gb) and my whole network becomes "spotty" when the Proxmox host is connected. By "spotty" I mean:

- I can SOMETIMES ping the ESXi host. One minute I can, the next I can't. Seems totally random.

- Meaning that I can also access it via the web GUI, SOMETIMES.

- Same behavior with other devices on the network, although it seems like my VMware VM VLAN (the VLAN with all my VMs) is accessible all the time and not affected by the problem.

- I'm by no means a network expert and I could be using the wrong terminology here, but doesn't this look like packets can't find their way to the right hosts? Like a broadcast storm or something?

- Can't ping the Proxmox host, not even directly from my router.

- When I unplug the Proxmox host from the switch, everything works like normal.

- Also, I wanted to install a second NIC in the Proxmox host. I did that, and that's when the problem began. Not sure if that's the cause though, because now I'm back to just the one onboard NIC and the problem persists.

- Could be that the second NIC was not working because it's not configured in Proxmox, and I can't get to the GUI since I can't access it via the network.

Can someone diagnose my problem? Did my onboard NIC die? Switch settings are the same as before, as far as I know.



Friday, May 31, 2019

Software to practice non-Cisco CLI?

First post here. I am currently pursuing a career in network administration. Right now I am hoping to get my CCENT Routing and Switching certification soon, when my voucher comes in. Anyway, I've become very familiar with Cisco and its CLI through the use of Packet Tracer and real equipment. Is there any other free software like Packet Tracer to practice/learn the CLI of any other network equipment vendor? Anything helps.



Confused about Mellanox switch?

I'm a bit confused about the Mellanox line of switches when it comes to Ethernet interoperability.

The Mellanox SX6036 switch is listed as an "InfiniBand/VPI Switch System". Since VPI = Virtual Port Interconnect and, in regards to NICs, means it supports both InfiniBand and Ethernet, does that mean the Mellanox SX6036 switch can also be used to switch regular Ethernet traffic?

Or does it only switch Ethernet traffic if you buy some unaffordable license for the switch?

If it matters, there's also a Mellanox SX6036G variant which is an "InfiniBand to Ethernet gateway".

Links to product Info:
Product Brief PDF: http://www.mellanox.com/page/products_dyn?product_family=132&mtag=sx6025_sx6036
General Info: http://www.mellanox.com/page/products_dyn?product_family=132&mtag=sx6025_sx6036



ZTP and initial setup dialog

Hey,

I'm playing around with ZTP on the CSR 1000v and it seems to only run when the initial setup dialog pops up.

The issue is I can't get the initial setup dialog to consistently pop up. It seems it only pops up the first time the router boots, even with no startup configuration.

Any tips on how to factory reset? Is there more to it than just write erase?

Thanks :)



Site to Site VPN/ASA issue

I have a strange issue that I cannot seem to figure out. At work, we are deploying a site-to-site VPN with a Cisco ASA 5508 and a stack of two Cisco 9300s. Our point-to-point fiber circuit is not ready yet, so we need to use the existing connection. Before I connect the ASA to the demarc I can ping from the switch to the ASA without an issue. When connected, the ASA builds the tunnel just fine. The ASA can ping anything at the main site, but pings between the switch and ASA fail about half of the time, making the connection unusable.

We are just passing one subnet over the tunnel, and it does not appear anywhere else in our network. The firewall can still reach everything just fine, both on the internet and at the main site, but anything on the switch cannot.

I will be back on site tomorrow to work on it further, as it is not a downtime-tolerant site through the week. I was wondering if somebody had any suggestions? I have tried different ports and cables. I'm not seeing any issues with the config, and NAT appears to be working as intended.

Thanks in advance!



Traffic Management for PLCs

The manufacturer I work for is on a path of connecting its production equipment/industrial controls to the network to start collecting data. Today, we have a VLAN dedicated to industrial controls, and a variety of different PLCs and automation devices plug into it. Some of these devices plug right into our Cisco 3850 IDF and others are connected through Allen-Bradley lightly managed switches that then hit the 3850. Many of these devices are older and can be sensitive to excess network broadcast traffic, which can cause delays in transmission or response, or in some cases crash the equipment.

I am looking for ways to further shield these devices from the general network chatter. Would storm control be a viable option with a level of 1% of traffic? I would like to be able to add additional VLANs to further segment the network/broadcast domain, but our manufacturing equipment can get moved around the production floor to different lines, so there isn't an easy way to create more networks without the burden of needing to change IPs on the control equipment as it shifts lines.



Router for site to site VPN?

I am not sure if this is the place to ask or not, but I'll give it a shot. I am tasked with setting up a site-to-site VPN for a medium-sized business: ~30 users over 4 sites. The internet speed they have is 50 up, 50 down per site. I have not set up something like this before, so I am looking for some guidance on what router(s) I should use. I am thinking a Cisco RV325 or Linksys LRT224 for each site. I want SMB share traffic to be sent over the VPN and regular internet traffic to be routed as normal.



Monitoring cascade ports on a Avaya switch

I've been trying to check the operational status of the cascade ports of an Avaya switch (Avaya 3549GTS-PWR+ running firmware 5.3.0.8), but even though I've been executing the snmpwalk command on it, I cannot find such ports (50 and 51). It is a cascaded switch (one master and five slaves) with a little over 290 ports (each has 48 ports, 1 to 49).

Only the master has an IP configured and we are able to monitor all but those two ports (50 and 51) in each switch. Unsure if there's a web interface where we could configure an alert to be generated if one of those ports, or both, goes down.

Has anyone ever tried to monitor such a thing? Here's the link to the picture of the ports: IMGUR - Ports 50 and 51



Confusion about tagged and untagged vlans

Hi everyone, please, I need the most simplistic explanation of tagged and untagged packets. Are all access ports untagged? And all trunk ports tagged? I am so confused about this.
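An added illustration, not from the post, in Python: what an 802.1Q tag is on the wire and how a switch treats tagged and untagged frames on access and trunk ports. The frames are constructed rather than captured; the access-port handling of tagged frames follows the common Cisco default (dropped), which other vendors vary, and that choice is marked in the code.

```python
"""802.1Q tag on the wire and ingress/egress handling per port mode.
Constructed example: the MAC addresses and payload are made up, not captured."""
import struct

TPID_8021Q = 0x8100            # EtherType value announcing "a VLAN tag follows"
ETHERTYPE_ARP = 0x0806
DST_MAC = bytes.fromhex("ffffffffffff")   # constructed broadcast destination
SRC_MAC = bytes.fromhex("005056000001")   # constructed source MAC
PAYLOAD = b"\x00" * 28                    # dummy payload; content is irrelevant here


def build_frame(vlan_id=None, pcp=0, ethertype=ETHERTYPE_ARP, payload=PAYLOAD):
    """Build an Ethernet II frame. With vlan_id set, insert the 4-byte 802.1Q tag
    (TPID + TCI) between the source MAC and the EtherType, as a trunk port does."""
    frame = DST_MAC + SRC_MAC
    if vlan_id is not None:
        tci = (pcp & 0x7) << 13 | (vlan_id & 0x0FFF)   # 3-bit PCP, 1-bit DEI, 12-bit VID
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Tell whether a frame is tagged, which VLAN it carries (None if untagged)
    and what the real EtherType behind the optional tag is."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return {"tagged": False, "vlan": None, "pcp": None, "ethertype": etype}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_etype = struct.unpack("!HH", frame[14:18])
    return {"tagged": True, "vlan": tci & 0x0FFF, "pcp": tci >> 13, "ethertype": inner_etype}


def ingress_vlan(frame, port_mode, access_vlan=1, native_vlan=1, allowed_vlans=None):
    """Which VLAN a switch assigns an incoming frame to; None means it is dropped.
    access port: untagged -> access VLAN; tagged -> dropped (Cisco-style default,
                 other vendors differ at this edge)
    trunk port:  untagged -> native VLAN; tagged -> its own VID if allowed"""
    info = parse_frame(frame)
    if port_mode == "access":
        return None if info["tagged"] else access_vlan
    if port_mode == "trunk":
        if not info["tagged"]:
            return native_vlan
        if allowed_vlans is None or info["vlan"] in allowed_vlans:
            return info["vlan"]
        return None
    raise ValueError(f"unknown port mode {port_mode!r}")


def egress_frame(vlan, port_mode, access_vlan=1, native_vlan=1):
    """What leaves a port for a frame that belongs to `vlan`; None = not forwarded.
    Access ports always send untagged; a trunk tags everything except its native VLAN."""
    if port_mode == "access":
        return build_frame(None) if vlan == access_vlan else None
    if port_mode == "trunk":
        return build_frame(None if vlan == native_vlan else vlan)
    raise ValueError(f"unknown port mode {port_mode!r}")


if __name__ == "__main__":
    pc_frame = build_frame()                                   # a PC sends untagged
    vid = ingress_vlan(pc_frame, "access", access_vlan=20)     # switch files it under VLAN 20
    uplink = egress_frame(vid, "trunk", native_vlan=1)         # and tags it on the trunk
    print("access ingress ->", vid, "| on trunk:", parse_frame(uplink))
```

The practical reading: a tag is just four bytes between the source MAC and the EtherType; an access port never expects one and adds or strips it on the way to the trunk, while a trunk port expects one on every VLAN except its native VLAN, which is the one place an untagged frame is legal on a trunk.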



RSPAN over VPN

I have two sites, and I want to be able to send my voice data from my second site back to a recording server at the main site. This requires spanning at the main site, but I'm not sure how, or if, it is possible to do remotely. I have two Dell 6248 switches (older, I know) connected by a site-to-site VPN through two SonicWalls. From Dell's docs I'm supposed to create a new RSPAN VLAN and send all traffic through that. Does anyone have any experience setting up RSPAN on Dell switches? I have a question in particular about the reflector port: can it be the same as the egress port? Can you send RSPAN traffic over a VPN? I read some esoteric Cisco blog where they set up an L2TP tunnel to make it work. Any input would help.



What jobs can you get with just N+ and no experience?


Polycom cannot call some numbers

Not really a networking question but I cannot think of a better sub...

We have an office based in Canada and we have been having problems with the conference room phone there. It’s an old Polycom VTX1000.

It seems that some phone numbers based in the US cannot be dialed. Same numbers can be dialed from desk VOIP phones located in the same office.

The conference phone numbers in Canada do not seem to be an issue.

Any ideas?

Thanks



Cisco Live San Diego 2018 - Who's going?

We are days away from the commencement of CLUS'19 San Diego, and I haven't seen anything posted about a Reddit meetup. Who is going from r/networking, and would you guys like to meet up? Also, anyone from Cisco willing to donate a meetup space?




802.1X Fail Open

I'm working through an 802.1X PoC and so far everything looks good, with the exception of one thing I'm stuck on. In the event the RADIUS server goes down, I would like the switch to fail open. The commands I found for my Cisco switch look something like this:

authentication event server dead action authorize vlan 100
authentication event server alive action reinitialize

However, my voice VLAN is 200 and I'm not sure how I would configure the switch port to ensure my voice and data devices fall in the appropriate VLANs. VLAN 100 is my data VLAN, and with the above config it would seem that my phone would be put in that VLAN as well. Am I missing something?



Good set of Networking tools?

Hey guys, I'm looking for a good set of general crimper/punchdown/tester/etc stuff to replace my crappy Chinese stuff. I was thinking about getting one of Greenlee's kits but wanted to see if you guys had any recommendations first.



TCP Retransmissions and Stalled File Downloads

Howdy,

For some reason, file downloads stop and don't complete when I go to a particular HTTP website, and I'm trying to figure out why. My Palo Alto firewall is allowing the traffic (although the web application shows 'incomplete'). It only seems to happen when users are on VPN, and not at all internally. I'm not a captures expert, but I'm seeing a lot of retransmissions from server to client. Any suggestions on what I should be looking at in them to figure this out? Thanks



Firepower /w ASA Failover issue

Hello,

For two days now our failover LAN interface has gone down/down. I fixed it yesterday by changing the interface from e1/12 to e1/10 on both members. Has anyone experienced this before? Below is a partial output of my config:

Primary:

Test-Cluster# show run failover
failover
failover lan unit primary
failover lan interface LAN_Failover Ethernet1/10
failover key *****
failover replication http
failover link State_Failover Ethernet1/11
failover interface ip LAN_Failover 192.168.195.1 255.255.255.252 standby 192.168.195.2
failover interface ip State_Failover 192.168.195.5 255.255.255.252 standby 192.168.195.6

Test-Cluster# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN_Failover Ethernet1/10 (Failed - No Switchover)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 1043 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.8(4), Mate 9.8(4)
Last Failover at: 11:40:53 EDT May 30 2019
        This host: Primary - Active
                Active time: 83122 (sec)
                slot 0: FPR-2140 hw/sw rev (49.46/9.8(4)) status (Up Sys)
                  Interface TestASA (10.55.58.1): Normal (Waiting)
                  Interface outside (omitted): Normal (Waiting)
                  Interface inside (192.168.1.1): Link Down (Shutdown)
                  Interface management (192.168.45.1): Link Down (Shutdown)
        Other host: Secondary - Failed
                Active time: 2660 (sec)
                slot 0: FPR-2140 hw/sw rev (49.46/9.8(4)) status (Unknown/Unknown)
                  Interface TestASA (10.55.58.2): Unknown (Monitored)
                  Interface outside (omitted): Unknown (Monitored)
                  Interface inside (0.0.0.0): Unknown (Waiting)
                  Interface management (0.0.0.0): Unknown (Waiting)

Secondary:

Test-Cluster# show run failover
failover
failover lan unit secondary
failover lan interface LAN_Failover Ethernet1/10
failover key *****
failover replication http
failover link State_Failover Ethernet1/11
failover interface ip LAN_Failover 192.168.195.1 255.255.255.252 standby 192.168.195.2
failover interface ip State_Failover 192.168.195.5 255.255.255.252 standby 192.168.195.6

Test-Cluster# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: LAN_Failover Ethernet1/10 (Failed - No Switchover)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 1043 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.8(4), Mate 9.8(4)
Last Failover at: 09:56:15 EDT May 31 2019
        This host: Secondary - Active
                Active time: 335 (sec)
                slot 0: FPR-2140 hw/sw rev (49.46/9.8(4)) status (Up Sys)
                  Interface TestASA (10.55.58.1): Normal (Waiting)
                  Interface outside (omitted): Normal (Waiting)
                  Interface inside (192.168.1.1): Link Down (Shutdown)
                  Interface management (192.168.45.1): Link Down (Shutdown)
        Other host: Primary - Standby Ready
                Active time: 29152 (sec)
                slot 0: FPR-2140 hw/sw rev (49.46/9.8(4)) status (Unknown/Unknown)
                  Interface TestASA (10.55.58.2): Unknown (Monitored)
                  Interface outside (omitted): Unknown (Monitored)
                  Interface inside (0.0.0.0): Link Down (Shutdown)
                  Interface management (0.0.0.0): Link Down (Shutdown)



SNMP OID for the RAM usage and total of Stormshield SN3000

Hi everyone, I'm currently writing some scripts to monitor both my firewalls with Nagios, but I can't find the right OID for RAM usage and total. Do you have any link or OID?

Thank you in advance, best regards, ssoflashy



Datacenter edge router redundancy

For a customer I need to extend the current single edge-router setup to a redundant one. The router used is, and will be, a Cisco ASR 1001-X with 16GB memory. The customer does eBGP for transit and iBGP for DMVPN, running on the same router. VRFs and NAT are used as well.

The picture below represents the current setup (left) and the planned setup (right).

https://i.imgur.com/GptS6Ek.png

IMO I have 3 options:

1) Run iBGP (AS12) between the ASRs, and both ASRs open an eBGP session to AS10 and AS11. This is probably the most robust/vendor-neutral setup.

2) Run iBGP (AS12) between the ASRs, while each router only holds one eBGP session to one transit AS. So the left ASR may open an eBGP session to AS10, while the right one opens an eBGP session to AS11. (I don't see any real benefit in this setup currently; listing it just for the sake of completeness.)

3) Use Cisco stateful switchover (SSO) [1] on both ASRs. Configure only one to be 'active' while the other router stays in hot-standby mode. TBH I don't have any experience with Cisco SSO yet. However, I expect this setup to be more robust to human failures (changing configuration on just 1 router), since the configuration should be synchronized by Cisco and the routers are configurable (more or less) as 'one' device.

Currently I'm testing option 3 in a lab environment. If the config of the router were simpler I'd probably opt for option 1; however, with a bunch of different VRFs, DMVPN and NAT rules, human failure may be a larger threat than a proprietary HA protocol.

My question is: am I missing something? Should Cisco SSO be used for such a scenario?

[1] https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ha/configuration/xe-2/ha-xe-book/Configuring_Stateful_Switchover.html



ssh'ing through a Citrix Receiver

Hey Folks,

Just wondering if anyone could help with something. I started a new job this week, and the engineers use Windows with lots of GUI software, including Citrix Receiver as a portal to get access to all of the network (switches/routers). I'm used to using the CLI, and this approach is very cumbersome and slow. I'm wondering if anyone has ever connected through a Citrix Receiver using the CLI on a Linux OS? I plan on doing some research, but thought I would try here in case anyone has been successful already.

Thanks!



SNMP trap on single interface threshold bandwidth usage on ASA5555

Good morning all,

Is there any way to configure an SNMP trap for a single interface if the used bandwidth is xxx Mb or 60%?

My ASA 5555 software is 9.8(3)21



Cat6a wall outlet with shallow depth

Hi folks

I'm installing Cat6a but am having trouble with room wall outlets. Due to construction I am limited to 35mm back boxes. I am attempting to find a solution that allows a flush-face install, but am not quite there yet, and wanted some input to see if anyone has any ideas before giving up and having to settle for surface mounts.

The current plan is to use 35mm double-gang back boxes with Euromod-style plates, and I have two possible ideas so far:

Using a 270-degree keystone such as this one from Metz Connect https://www.metz-connect.com/en/products/130b12-e, which fits nicely, and since the cable enters from the bottom there is no worry about curving 90 degrees downward when exiting the keystone. Trouble is I can't find Euromod plates to finish them with. I've asked Metz Connect about this but have had no reply yet. I've tried other keystone plates but they don't fit. Does anyone know of a similar style in another brand that does have flat Euromod plates?

The second idea was to use an IDC module like you have for unshielded Cat. Connectix do one: https://www.connectixcablingsystems.com/cat6a-modules-outlets/9163-cat6a-ftp-rj45-module-euromod-size-5056045700264.html However, the issue with this so far is that it only seems to be Connectix doing this style instead of straight-up keystones, and I am unfamiliar with the brand or its reliability. Their bumf does say it's rated to standard and capable of 10GBASE-T, but I am dubious with no one else doing a similar module.

Any thoughts or suggestions greatly received!



Configure vendor specific LLDP on Cisco

I`m trying to configure a Cisco c3560 to send specific config to Avaya IPT phones.

I have found some information for Extreme Networks

https://gtacknowledge.extremenetworks.com/articles/Q_A/What-LLDP-commands-are-needed-for-an-Avaya-phone-configuration

But I think the Cisco does not support vendor specifics.



Thursday, May 30, 2019

Looking to get rid of my 3700 INE tokens for cheap

As per the title, I don't need them anymore, so I'm happy to sell them for cheap. Please PM me if interested.



Conntrack timeout explanation

Background: I have a DNAT rule configured on a firewall which works fine until the source is turned off over night, and then the next morning the traffic does not seem to be matching to the rule. Running tcpdump shows packets with a [S] flag, but these are not forwarded on as they should be, until the firewall is restarted.

I have had the vendor looking into the issue, and they have come back to me saying that the conntrack timeout only being 3 hours is the cause of the issue. They have increased this timeout and are assuring me that this is the fix - this is not a fix in my eyes.

Question: Am I right in thinking that even when the timeout of that connection is reached, it should simply create a new connection when receiving traffic again? To my knowledge, increasing the timeout is putting a band-aid on the real issue.



redirecting specific url requests, via server or network?

I'm looking for a way to redirect traffic - to particular URLs, at that - and to do so via POST requests. I thought I had an idea of how to do this, although now I think I've concluded my first attempt has failed and could use some help coming up with another.

Scenario: requests to URL 1.2.3.4/modelA I want to redirect to 5.6.7.8/modelX

I thought I could turn off the webserver on 1.2.3.4 and run something else to do redirects, like a simple Python webserver. However, this has a couple of problems.

  1. Redirects are actually executed by the requestor; usually a browser will see the 301 then go to the new URL. I thought 1.2.3.4 would just forward the traffic on. However it does not; it just returns the code and the new address to go to.
  2. A payload of data is sent to be worked on (with a result returned); all the 3xx codes turn into a GET. 307 retains the original type, so it can push through a POST. However, if I use this, it still leaves problem #1; the requestor in this case doesn't care, as it is not a browser. It's just going to bork on a 307.

My initial hope is that I could construct something here which would not require any change on the requestor side. I'm having trouble even if I try to put something simple in front. I.e. maybe I can spin up a load balancer 10.10.10.10 and have them update requests to go to it? However, that would only route traffic among 1.2.3.4 and 5.6.7.8 and not do the additional path mapping I require.

I could do a load balancer and write something to live at 5.6.7.8/modelA - although I'm unclear exactly what to put at modelA - I need it to internally, on the server, pass that POST into 5.6.7.8/modelX. Maybe that is kind of simply writing an API thing that does that? I'm not an API developer so I am unclear on that, and just trying to get away with redirecting request traffic at the moment.

I assume part of the reason I'm struggling to do this easily is that it would seem rather man-in-the-middle-attack-like. In any case, I'm hoping you guys have some good ideas for a solution that will do what I would like.
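The usual answer to the two problems listed above is to stop redirecting and forward server-side instead: the box at 1.2.3.4 accepts the POST, replays it against 5.6.7.8/modelX itself and hands the upstream reply back, so the requestor never sees a 3xx. The following is an added example, not the poster's code; the path map, the upstream host and the `stub_upstream` stand-in for 5.6.7.8 are assumptions so that it runs offline.

```python
"""Server-side POST forwarding for the /modelA -> /modelX case (added example)."""
import json
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical upstream and path map; hosts and paths are those named in the post.
UPSTREAM_BASE = "http://5.6.7.8"
PATH_MAP = {"/modelA": "/modelX"}

# Hop-by-hop and framing headers are regenerated per hop and must not be relayed.
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding", "te", "trailer",
              "upgrade", "proxy-authorization", "proxy-authenticate",
              "host", "content-length"}


def map_target(path):
    """Map a client path to its upstream URL, keeping any query string; None if unmapped."""
    base, sep, query = path.partition("?")
    if base not in PATH_MAP:
        return None
    return UPSTREAM_BASE + PATH_MAP[base] + sep + query


def forward(method, path, headers, body, opener=urllib.request.urlopen):
    """Replay the request against the upstream and return (status, headers, body).

    The requestor never sees a 3xx: this server makes the second request itself,
    so the method (POST) and the payload survive. `opener` is injectable so the
    logic can be exercised without network access.
    """
    target = map_target(path)
    if target is None:
        return 404, {}, f"no mapping for {path}".encode()
    fwd_headers = {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}
    req = urllib.request.Request(target, data=body, method=method, headers=fwd_headers)
    try:
        with opener(req, timeout=10) as resp:
            return resp.status, dict(resp.getheaders()), resp.read()
    except urllib.error.HTTPError as err:  # upstream 4xx/5xx: relay it unchanged
        return err.code, dict(err.headers), err.read()
    except urllib.error.URLError:
        return 502, {}, b"upstream unreachable"


class ForwardingHandler(BaseHTTPRequestHandler):
    """Listener that would sit on 1.2.3.4: every request is forwarded server-side."""

    def _relay(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        status, hdrs, data = forward(self.command, self.path, dict(self.headers), body)
        self.send_response(status)
        for k, v in hdrs.items():
            if k.lower() not in HOP_BY_HOP:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_POST = _relay
    do_GET = _relay


def serve(port=8080):
    """Run the forwarder for real (uses the default urllib opener)."""
    HTTPServer(("0.0.0.0", port), ForwardingHandler).serve_forever()


class _StubResponse:
    """Constructed stand-in for 5.6.7.8 that echoes what it received (offline demo only)."""

    def __init__(self, req):
        self.status = 200
        self._body = json.dumps({
            "seen_method": req.get_method(),
            "seen_url": req.full_url,
            "seen_content_type": req.get_header("Content-type"),
            "echo": (req.data or b"").decode(),
        }).encode()

    def getheaders(self):
        return [("Content-Type", "application/json")]

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def stub_upstream(req, timeout=None):
    """Opener that answers from _StubResponse instead of the network."""
    return _StubResponse(req)


if __name__ == "__main__":
    # Offline demonstration; call serve() instead to listen on a port.
    print(forward("POST", "/modelA?job=7",
                  {"Content-Type": "application/x-www-form-urlencoded"},
                  b"payload=1", opener=stub_upstream))
```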



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.



Trying to setup 10G SFP From PC to Switch

Hi everyone.

I have an HP Z800 with an Intel X520-DA2 and am trying to connect it to my Cisco 2960-S 10G with a 17-05405-01 direct attach copper cable. I am having some issues; firstly, this SFP cable is only rated to 4G, which is obviously a limitation, but I want to see if I can get this to work before I buy a 10G cable.

The cable is detected on windows in the Intel Drivers: https://i.gyazo.com/e2a71ea9b62ef9d321bccdf26132e531.png

But the issue seems to be the switch. I already did no shutdown on Te1/0/1 but now I get:

Mar 30 01:28:36.573: %GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC in port Te1/0/1 has bad crc
Mar 30 01:28:36.578: %PHY-4-SFP_PLUS_NOT_SUPPORTED: The SFP PLUS in Te1/0/1 is not supported

If anyone has any idea how to make the switch work with this setup please let me know! Thanks



Opinion on contract jobs

Maybe my search skills aren't the best but I was looking for the group's opinion on contract jobs. How do you view short term contracts or those with a finite end and their impact on your career? I tend to be a slow and steady person who prefers being a regular full time employee, but the ability to earn much more as a contractor is appealing.

I know IT/networking is in demand in my area but I am still concerned about how things would go in 11 months, how it would look on my resume, and how it would affect my professional contacts.

Does anyone have insight they would like to share?



Connection Limiting - Automated IP Prioritization

We have 20 separate devices that have a concurrent user limit of 5 each. These devices do not have any type of administrative features that allow the management of incoming connections. Therefore the first 5 users to connect, get in and could stay logged in indefinitely. We have over 40 users that need access to each device at different times. Some with higher priority than others.

Our current solution: Implemented an ASA-5506 with separate rules/groups of IP's. One small group, say "Priority 1" contains a handful of high priority IP's. The rest of the users/IP's are in a second group "Priority 2". If at a given time a device is full with 5 connections and someone from Priority 1 needs access, the second rule is disabled and one unlucky IP from the lower priority group is manually disconnected via console command to make room.

Is it possible to automate this in any way? Such as automatically disconnecting and temporarily blocking IP(s) from Priority 2 to allow users from Priority 1 to connect. And then automatically unblocking them once Priority 1 disconnects?



PuTTY Excel List Suggestions

I'm just looking for suggestions or to see what other people use to manage/organize their PuTTY connection list.

What I Have: An Excel file that contains all the switches and routers, with their IP, hostname, IOS version, model number, building location number, what distro pair it belongs to, and whether it's an access, distro, or core switch. It's easy to sort and filter based on my needs. I can double click the IP and it opens a PuTTY session to that switch's IP.

The only problem is sometimes Excel is slow or it locks up, and it's hard to open other Excel files while that file is open. Just seeing if people do something similar but with something else. I really like to be able to see what model the switch is, where it's located and what it's running.



Malicious behaviour from our IP addresses used by a customer

We own a /21 and /22. Depending on the services a customer takes we will provide them with a slice to do with as they see fit.

Recently one of our addresses, assigned to a customer, has been the source of repeated login attempts to a couple of routers used by our other customers.

We've locked things down more by using ACL's, but I'm wondering who is ultimately responsible for this behaviour? Is it us as the legal owner of the address space, or the customer as we have given them those addresses?

We haven't assigned directly to the customer via RIPE, as to be honest the RIPE site kills me every time I log into it.

Would we have recourse to pull these addresses from the customer if the activity continued?



Little help requested about iptables

Had to repost here, the Linux forum apparently doesn't like you to ask for help ;)

So I'm changing a few things here, but here's my setup... I have a small embedded Linux SBC with two network interfaces. Neither is assigned an IP address; in fact they are bridged together. Here's where it gets funky... one side has a server on a subnet (these are changed from the real thing, btw) 192.168.1.x/24. The other side has a router on a subnet 172.16.1.x/24. The iptables rules are set up to allow only SNMP (161 and 162) and echo request/reply through - and it is working fine. What I can't understand is how in the world the two subnets are talking to each other. Probably overlooking something easy, but I'm not that strong with iptables, and wondering if the FORWARDING in that table from chain to chain is performing the "routing" function for me.

I can't post the configuration, I know that would help. But other than creating a few user-defined chains, it seems pretty straight forward, just don't know how these two subnets are talking to each other on a bridged connection. TIA



Should the client use the same signature method for 301 redirects

We have a customer who is using one of our REST services. The resource they are requesting has moved to a new location. We are responding with a 301 redirect, but when the client attempts to access the new location provided in the redirect response, they get an invalid authorization error. It was root caused to be that the required signature method for the authorization is not being used when accessing the new location.

The customer is arguing that we need to change our service since the request for their original resource is failing. Is there any clear specification about how the httpclient is expected to respond to the 301 redirect? Should they be using the same signature method for accessing the newly provided URL in the 301 redirect?

I've been reading the specification, but it doesn't seem to be clear. Am I missing anything in the specification or is there a defined industry standard best practice on how this is handled?



How to control broadcast/unicast/multicast in datacenter?

Folks, I need some guidance about how and what people use in the datacenter to control storms. Let me give my example: we have almost 180 Cisco Nexus 9K/3K/5K switches and all of the switches are configured in vPC. At present I have ~2500 physical servers/virtual servers in multiple VLANs (not a single L2 broadcast domain). At present we don't have any specific configuration on the switches to control any kind of storm (I am not sure if they are default ON). The following is the common configuration I have on all switch ports connected to hosts. You can see I don't have any kind of storm-control command at the interface level. (I am not sure what level I should use and what the best practices are.)

interface port-channel121
 description ### host www.foo.example.com ###
 switchport mode trunk
 switchport trunk native vlan 40
 switchport trunk allowed vlan 10,20,30,40,50,60
 spanning-tree port type edge trunk
 spanning-tree bpduguard enable
 speed 10000
 vpc 121

storm-control

# show int po121 counters storm-control
[Action] S - Shut (Err Disable), T - Trap
--------------------------------------------------------------------------------
Port      UcastSupp %   McastSupp %   BcastSupp %   TotalSuppDiscards   Action
--------------------------------------------------------------------------------
Po121     100.00        100.00        100.00        0                   [--]

- What are other folks using in the datacenter to monitor any kind of storm, or what methods to prevent or protect the network?

- How big can my L2 domain be, per best practice? (For example, is 1000 hosts in a single L2 domain safe, or can it handle more than that?)



Troubleshooting layer 1 Cat5/Cat6 connectivity

Hello folks,

What are people using nowadays for equipment when testing layer 1 connectivity or certifying lines? Our team previously used this big honkin' Fluke DTX but it has seen better days. Looking to invest in something new, just not sure what people are doing since it has been 10 years since I've had to worry about this.

I'd prefer to not have to walk around with this massive suitcase that the DTX came in!



general load balancer protocol resources?

I have an interview coming up that may cover various load balancing approaches so I'm looking for resources on general load balancing approaches...

I don't need resources on proprietary protocols written by Cisco, et al.; I doubt any of that will come up.

But in the 5 years or so that I've been working fairly regularly with (at least application load balancers) I've only ever seen two protocols: round-robin and uh...one other one that I cannot remember right now (but I think AWS classic lb's offer it iirc).

Anyway if anyone has a link to a good primer on load balancing protocol _basics_ or load balancing best practices I'd appreciate it!

- imp



[Cisco] I wrote a script to easily convert DHCP leases to reservations

Hey, everyone!

As the title indicates, I wrote a Python script that allows you to easily convert a DHCP lease to a reservation on a Cisco IOS device.

I created this script because the manual process of having to create an entirely new DHCP pool for a single host is a little inconvenient.

The script is available on my github page.

Here's how it works:


1. Open a command prompt/terminal and run cisco-dhcp-res.py

2. Enter the IP of the device hosting the DHCP pool and credentials to SSH to it.

Enter IP of device hosting DHCP: 10.6.1.1
Username: admin
Password: ******

3. Select the existing DHCP pool of the target lease to be converted:

Current DHCP pools:
Workstations
Servers
Access_Points
Select the DHCP pool for the target lease to convert (case-sensitive): Servers

Note: This step of selecting the existing DHCP pool is to obtain settings (default-router, domain-name, DHCP options) that will be applied to the reservation pool.

4. Select a lease to convert from a list of current leases.

IP address          Client-ID/              Lease expiration        Type
                    Hardware address
10.1.1.16           0100.1234.ed33.c4       May 29 2019 05:32 PM    Automatic
10.1.1.17           0100.1234.d620.de       May 28 2019 09:16 PM    Automatic
10.1.1.18           0100.1234.a67f.80       May 29 2019 04:38 PM    Automatic
Enter the IP of the lease to convert to reservation: 10.1.1.18

The script will then confirm the creation of your DHCP reservation.

Your DHCP reservation has been created:
10.1.1.68           0140.017a.7072.e4       Infinite                Manual

Please let me know what you think. I hope this is useful to at least one person :)

Thanks!
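The core of the procedure above (read the binding, inherit the parent pool's options, emit a host pool) as an added example in Python; this is not the poster's script. The `show ip dhcp binding` rows and the `Servers` pool stanza are constructed sample input, and the `RES_<ip>` pool name is an assumption.

```python
"""Convert an IOS DHCP lease into a host-reservation pool (added example)."""
import re

# Constructed sample of `show ip dhcp binding`; the rows mirror the post above.
SAMPLE_BINDINGS = """\
IP address          Client-ID/              Lease expiration        Type
                    Hardware address
10.1.1.16           0100.1234.ed33.c4       May 29 2019 05:32 PM    Automatic
10.1.1.17           0100.1234.d620.de       May 28 2019 09:16 PM    Automatic
10.1.1.18           0100.1234.a67f.80       May 29 2019 04:38 PM    Automatic
10.1.1.68           0140.017a.7072.e4       Infinite                Manual
"""

# Constructed sample of the source pool as it appears in `show running-config`.
SAMPLE_POOL = """\
ip dhcp pool Servers
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.1
 dns-server 10.1.1.5 10.1.1.6
 domain-name lab.example
 option 150 ip 10.1.1.9
 lease 7
"""

BINDING_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<client_id>[0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{2,4})+)\s+"
    r"(?P<expiry>Infinite|[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2} [AP]M)\s+"
    r"(?P<type>Automatic|Manual)\s*$"
)

# Pool lines that describe a dynamic range or another host; they must not be
# copied into the host pool (IOS rejects `network` together with `host`).
POOL_SKIP = ("network ", "host ", "client-identifier ", "hardware-address ", "lease ")


def parse_bindings(text):
    """Return {ip: {client_id, expiry, type}} from `show ip dhcp binding` output."""
    bindings = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:  # header and continuation lines fail the match and are skipped
            d = m.groupdict()
            bindings[d.pop("ip")] = d
    return bindings


def parse_pool(text):
    """Return (pool_name, subnet_mask, [settings to inherit]) from one pool stanza."""
    name, mask, settings = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ip dhcp pool "):
            name = line.split(None, 3)[3]
        elif line.startswith("network "):
            mask = line.split()[2]  # `network <prefix> <mask>`
        elif line and not line.startswith(POOL_SKIP):
            settings.append(line)  # default-router, dns-server, domain-name, options
    if name is None or mask is None:
        raise ValueError("pool stanza lacks a name or a network statement")
    return name, mask, settings


def reservation_config(ip, client_id, mask, settings):
    """Build the IOS stanza that pins `ip` to `client_id` with the parent pool's options."""
    lines = [f"ip dhcp pool RES_{ip.replace('.', '_')}",  # assumed naming scheme
             f" host {ip} {mask}",
             f" client-identifier {client_id}"]
    lines += [f" {s}" for s in settings]
    return "\n".join(lines) + "\n"


def convert(bindings_text, pool_text, target_ip):
    """Lease -> reservation for one IP; refuses leases that are already manual."""
    bindings = parse_bindings(bindings_text)
    if target_ip not in bindings:
        raise ValueError(f"{target_ip} has no current lease")
    if bindings[target_ip]["type"] == "Manual":
        raise ValueError(f"{target_ip} is already a reservation")
    _, mask, settings = parse_pool(pool_text)
    return reservation_config(target_ip, bindings[target_ip]["client_id"], mask, settings)


if __name__ == "__main__":
    print(convert(SAMPLE_BINDINGS, SAMPLE_POOL, "10.1.1.18"))
```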



Packet Tracer

I'm doing a Cisco Packet Tracer activity and when I click PC wireless, this appears: "a wmp300n or wpc300n wireless interface is required to connect". What do I do?



SecureCRT Beta now has support for Windows Local Shell (CMD and PowerShell)



SUP-720 mpls is disabled but using 2048 cef routes

We're using a couple of 7600s with SUP-720 as border routers; I've noticed that MPLS is using 2048 route entries from the CEF table. MPLS is unconfigured, and there is no BGP VPN either.

All labels are marked as drop:

brd02#sh mls cef sum
Total routes:             817065
IPv4 unicast routes:      747548
IPv4 Multicast routes:    4
MPLS routes:              2048
IPv6 unicast routes:      67465
IPv6 multicast routes:    3
EoM routes:               0

brd02#sh mls cef mpls
Codes: + - Push label, - - Pop Label
       * - Swap Label, E - exp1
Index  Local Label  Out i/f  Label Op
64     524288       drop
65     524289       drop
66     524290       drop
67     524291       drop

I've been looking at how those entries were generated, and how to free them, without luck.

How can I free those MPLS routes? How were they added to the CEF?



Confusion about F5 internal networking

Hi All,

I have some confusion around how the F5 Big-IP software is making routing decisions internally. I hope r/networking can help alleviate this frustration.

I have a Big-IP set up in HA - everything appeared to be working. I had created nodes, with health checks that passed, and pools with those nodes with health checks that passed.

I then created a virtual server referencing that pool and again the f5 health checks passed.

However, if I tried to navigate to the IP of the virtual server I wouldn't get a web page response.

I believe this is because I had no routes in "Network > Routes" and so it was taking mgmt interface by default for the health checks. After adding routes suddenly all the health checks fail (and I still cannot resolve the web page by virtual server IP).

Trying ping -I mgmt <node_address> works, but as soon as I try to use either of the other "vlans" it fails; ping -I internal <node_address>.

Curl-ing over management I get the correct html: curl <node_address> --interface mgmt

But again, I don't get the html if I try the internal interface: curl <node_address> --interface internal

I have both floating IPs and non-floating self-ips on "interface" and "external" vlans.

I have put a VM on the same subnet where the internal vlan exists (and tagged its traffic in VMWare) and from there I can ping/curl the web servers so I don't think it is a "real" networking problem - it seems to be me not understanding how to get the F5 working.

Of note, all the self-ips I created on external/internal are ping-able from my desktop so again I think it's not a reconfiguration of the "real" networking in VMware/switches.

I have followed the documentation pretty closely but I think I must not be understanding how the F5 handles itself internally...

Any help or pointers or links to enlightening documentation is very much welcome!

Cheers!



Microsoft Teams QOS Feedback

I created this QOS for teams and need some feedback.

ip access-list EXTENDED TEAMS-PORTS

20 permit udp any any range 50000 50059

30 permit tcp any any range 50000 50059

exit

class-map match-all TEAMS

match access-group name TEAMS-PORTS

class-map match-all AUDIO

match ip dscp ef

class-map match-all INTERACTIVE-VIDEO

match ip dscp af41

class-map match-all APP-SHARE

match ip dscp af21

class-map match-all BEST-EFFORT

match ip dscp default

exit

policy-map PER-DEVICE-TEAMS

class TEAMS

trust dscp

exit

class AUDIO

set dscp ef

exit

class INTERACTIVE-VIDEO

set dscp af41

exit

class APP-SHARE

set dscp af21

exit

class BEST-EFFORT

set dscp default

Interface configuration:

service-policy input PER-DEVICE-TEAMS



ISE default authorization policy with DACL.

Hello, networking,

Hope I can get some insight from any ISE experts out there. Currently we're running DOT1X with EAP-TLS and AD integration and it is working just fine.

One problem that we're having is with the last "default" rule under policy sets for authorization. For the default rule, with no condition, we configured a profile that has a DACL attached to it. The idea is that whenever there's a failure for any reason whatsoever, it'll hit the default rule and download the ACL. However, this isn't working.

When a computer fails, it just says unauth with no access to the network; however, we'd like for it to have access to certain resources. Kind of like if a machine fails, it'll get a DACL with access to certain services only; those services offer remediation so they can successfully pass authentication.

We're already running C3PL with an event to put an ACL on the machine if it fails authentication; however, the problem is that we don't want to maintain ACLs scattered across hundreds of switches. If the systems team decides to add a new server or change an IP on an existing server (which they have before), then we'd have to go to every switch and update each ACL. This is why it's preferable to run it from ISE, where it can be updated and deployed to every switch at once.

Any insight or help would be greatly appreciated.



What does a Layer 3 only network look like?

Is it just Layer 3 switches like Nexus and 65xxs that have IPs on every SVI, all running an IGP, for instance?

What differs a "Layer 3 only" network from a Layer2/3 network when it comes to deployment, exactly?

To be clear, if I logged onto a random switch in a DC, what would be the giveaway that it's a layer 3 only network? I was having a meeting today and someone mentioned getting rid of STP and replacing it with MPLS to create a Layer 3 only network and it got me thinking what exactly that would look like. Since MAC addresses are clearly still in use for local node access.



Netgear switch w/ VLAN static route issues

Devices are:

  • 192.168.1.1/24 - Windows Laptop #1
  • 192.168.2.2/24 - Windows Laptop #2
  • 192.168.2.3/24 - MacBook
  • 192.168.2.4/24 - iPad

Windows Laptop #1 has 192.168.1.254 as its gateway while all other devices have 192.168.2.254.

Laptop #2, the MacBook and the iPad are all connected to a MikroTik OmniTik AP on VLAN 2. Laptop #1 is connected to VLAN 1. The switch is a Netgear GS724T with the two following static VLAN routes:

  • VLAN 1 - 192.168.1.254/24
  • VLAN 2 - 192.168.2.254/24

My issue is that Windows Laptop #2 can ping both 192.168.1.254 and 192.168.1.1 however the MacBook cannot ping either of these IP’s. The iPad can't access 192.168.1.254 or laptop 1 either. Laptop #1 can reach laptop #2.

Any ideas?



War scenario - Networking world.

How will the networking world be rocked if there is a war between the US and China?

Let's take 3 scenarios:

1. Conventional war:
The US attacks China, China strikes back, mass DDoS attacks between both countries, they throw all the conventional weapons on. The USA wins by a large margin due to superior military power.

2. Mild Nuclear war.
The US attacks China, they both throw a nuke, they have peace after they see the damage done. China will lose more infrastructure due to American Superiority in terms of military power.

3. All-in annihilation.
Full nuclear war, both countries deplete the nuke stock. Both countries go into the stone age from an industrial point of view.

What are your predictions in terms of how the internet will behave, and the Networking world as a whole?



Content Filtering Options

Hey everybody.

Does anybody know of a good content filtering solution for Windows 10 laptops with inbuilt LTE? We've already got something in place for the corporate network; however, when accessing while using the LTE network we're a bit stuck....

We're already using Meraki Systems Manager for the mobile fleet however this doesn't seem to do too much for Windows 10 OS, neither does Microsoft Intune. All we're trying to do is stop streaming services to protect against excessive data usage.

Any ideas are welcome - cheers.



Wednesday, May 29, 2019

PSA: Viasat is aggressively blacklisting Digitalocean IP addresses

I just talked with the NOC at Viasat and confirmed that they block a huge amount of Digitalocean IP addresses due to malware. I don't think their normal support agents are even aware they have IP blacklists so requests for unblocks have to be escalated to their security team.

They seem to be blacklisting entire /24 subnets even if only some of the IP's are sending malicious traffic. I've found this to be the cause of many websites not working including some of my own.

The best way I've come up with to test if Viasat is blacklisting an IP from a non-Viasat connection is to try and ping one of the core routers such as 64.125.54.230.

Their blocking is also implemented in a very strange way: if you try and connect to a blocked IP address from a Viasat connection, every TCP port will accept your connection but do nothing other than accept whatever you write to it and eventually time out after no activity (I assume some box on Viasat's network is intercepting and responding to all TCP connections going to blacklisted IPs).



I help you with networking, you help me with English

Hi! I have got 7 years of experience in several ISPs and a CCIE RS, but my English is a little bit weird. I study it online with a teacher and I need more practice.

We could chat about any topic. I would like to help you with any networking/Cisco/MikroTik/Juniper (a little) topic, but I'm waiting for you to point out my mistakes and typos during our conversations. I hope to see you soon!

My contacts:

https://t.me/infery

Skype: nemo77rus



Cisco Phone VPN

It has taken way too much effort to get 8800 series phones to connect to my new FTD based 2110 firewalls. Apparently the order of the SSL cipher list is important to the 8800, but not the 7900. Finally figured it out but now I have a dilemma.

If I allow any TLS cipher better than DHE-RSA-AES256-SHA, an SSL tunnel is established using that cipher, AES256-GCM-SHA384 to be exact, but no DTLS tunnel is established. If I restrict my TLS1.2 cipher list to AES256-SHA, both an SSL tunnel and DTLS tunnel are established using that cipher.

My question is: does anyone have recommendations on what to do? Limit the cipher list to get a DTLS tunnel, or allow better ciphers to be used and sacrifice DTLS for it?

I am about to go to bed, sorry if I don't respond timely.



Automating the Data Center

Just wanting to know what is being used out there for specifically monitoring and automating their port density in the data centers. I want to know when a server is being unplugged and that switch port is no longer in use.



Secure CRT login_script with node import

I created a script to import multiple nodes in different locations and I see that I can add "login_script" at the end of the first line for the list following. Thing is, we use a set pass plus token code here and I'm wondering if it's possible to set this up to put my pass in automatically and await the token code? The password field would be "set pass+token".

If so, what would I use for the "login_script" please?



Help me to build an office network

Hi guys! Unfortunately, I don't have experience in network stuff, but now I should build some robust system for my office :)

We have 4 rooms, approx 20 wireless clients and 20 servers. We need to restrict access to servers, only admin can log in/ use network resources (through samba), etc. Our servers should go to the internet using proxies (VPN servers) and we don't want to setup VPN clients on every server, it should be done on the router by static IP rules.

Now we have only one Linksys EA8500 router with OpenWRT on it. We're using Wireguard VPN and routing is done using vpn-policy-routing package (https://github.com/stangri/openwrt_packages/blob/master/vpn-policy-routing/files/README.md). Anyway, there are no access restrictions for servers. Linksys on OpenWRT sometimes drops connections, restarts interfaces, it's a bit annoying.

So I'm asking for your advice on how to build a robust network for our purposes. What devices do we need? Should we use some server as a router with Kerio or pfSense? Should we place another router between the Linksys and the servers?

Thanks and sorry for so fuzzy topic!



Any thoughts on gip.sh?

http://bit.ly/2Qu4ejc

K-12 large network set up help

Hi!

I'm a junior sysadmin and am still very much learning. I'm trying to set up a complex network and learn along the process.

Our network has the following topology:

- ISP Fiber comes into building A - symmetric 50/50 that is handed over to us over ethernet

- MikroTik RouterBOARD that currently has the IP 10.0.1.1.

- From here the internet forks into a Ubiquiti Rocket that has three remote locations connected to it that all rely on my network for internet - their IPs are statically set to 10.0.1.x

School A has a dell Sonicwall and a Unifi Security Gateway that I'd like to set up.

Our DHCP server is currently the main Windows server (running Server 2012 R2) located at 10.1.1.1. Our switches are all Unifi 48 port switches.

We have 4 wifi networks:

Guest, Students, Faculty, and Admin. I'd like to set up VLANs and make it so students cannot access Admin and Faculty devices.

Issues:

  1. We've had a recurrent issue for months where my UniFi Access Point dashboard constantly tells me there are DHCP authentication errors. This is backed up by our Chromebooks and other devices consistently being unable to connect to the Wi-Fi.

To resolve this issue I'd like to rebuild the network from scratch.

Questions:

  1. I would like to use PFsense on an old windows server for content filtering. Should I ditch the Sonicwall?
  2. Out of the devices we currently have, what is the best to use as a DHCP server?

I was hoping to set up the following ranges:

  1. Admin - 10.1.10.1-254
  2. Faculty - 10.1.20.1-254
  3. Printers - 10.1.30.1-254
  4. Students - 10.1.40.1-254
  5. Guests - 10.1.50.1-254

Does this sound like the best way to do it? I have the ability to recreate everything from scratch and set it up in the most efficient way possible.



Cisco WAPs and Cellular modules

Let me preface, I know that these products are discontinued.

But.

Wifi calling sucks. In an environment where I have to support every model of cell phone ever made for both data and voice (for those that do wifi calling anyway), it is a lose-lose situation.

I have about 300 corporate issued phones that all work just fine on our specially tuned wireless network - set up just to support wifi calling on iphones. that's not the problem.

It's all the other models that are out there that I need to find a way to make work.

Cisco had a great idea - an AP that you could add cellular repeater modules right onto. And then discontinued it.

Does anyone have these? Have experience with them?

I'm starting to feel like it might be worth jumping on Ebay and buying a few to deal with my worst problem areas - rather than spending 8k per antenna to do specialty cell repeaters.

Thoughts?



subnet expansion without downtime

Because I haven't done this in a while, I want to make sure I'm remembering correctly. In our datacenter, I have an ASA with a /29 on the outside interface that connects to a Cisco 4508 that is its default gateway. We need to expand our subnet to a /28. If I remember right, the DC should be able to change their switch SVI to a /28 first without interrupting traffic, then I should be able to change the subnet on the ASA without interrupting traffic. Is this correct?



root DNS servers supporting DNS over TLS/HTTPS?

I'm not seeing anything like that yet, anyone aware of movement on this front?



NAT + SQL Server Instance

We've got a relatively simple web app hosted on an EC2 instance on AWS running on IIS/.NET that talks to an on-prem SQL Server. I realize it would be a lot better if the SQL database could be hosted on AWS, but it can't. Anyway, we've got the SQL Server NAT'd in our on-prem ASA with a public IP address that is restricted to only the EC2 instance's IP address.

If the database is on the default instance on SQL using port 1433, everything is great. If we move it to a non-default instance with a different port, it times out and never connects. It appears to be a problem with the NAT translation, but heck if we can find the problem. We installed SQL Management Studio on the EC2 VM and it does the same thing. Connects to the default instance, but not the named instance.

On-prem, you can connect to the SQL Server just fine with both a test install of the app as well as Management Studio on either SQL instance. The software vendor says "What's AWS?" and pretty much stops there, never mind that as far as the application goes it's just a VM. It's GOT to be the ASA. As it stands right now, it is configured as:

On-prem SQL ->NAT'd to the public IP with "any" port open for traffic to/from the EC2 IP.

The EC2 instance has an AWS firewall (not the Windows Firewall) that is configured to allow all traffic to/from the SQL Server's NAT'd public IP.

Still won't work. Logs from the ASA aren't helpful. Wireshark on the web server instance isn't helpful either. We opened up all ports for troubleshooting; it won't stay that way once we get this issue resolved. Any ideas?



WAN circuit flapping / L1 errors incrementing. Carrier claims clean line and blames our hardware. What next?

Small rural school served by a single T1 circuit. Years of mostly-OK operation. Recently, link quality diminished. Monitoring shows input errors, CRC errors, and aborts on both sides of the circuit. Logs show link flaps several times a day.

Several intrusive tests by AT&T show a "clean" link and blame our CSU. Our gear is older Cisco ISRs, but show no sign of trouble that I can see.

Where do I go from here?



Nexus C6509 VXLAN Compatibility and Learning

I inherited an enterprise network and now I need to understand how to manage it. We have Nexus 9ks at the distribution layer with a C6509 as the core layer. It looks like we are utilizing VXLAN between the Nexus VTEPs, but I haven't seen any documentation that says it is possible to do this. It must be possible, or we have a connection that isn't documented and doesn't come up when I try to use CDP Neighbors. Is it possible to run VXLAN over a C6509?

I am leaning towards replacing the C6509 with two Nexus switches to form a spine and leaf topology but if I can use the C6509 as the core with VXLAN riding on top of it I will have trouble justifying it to management. I inherited the network in mid migration from having access layer switches moved from the core to the Nexus stacks and I am about to double my access switch count for another project. I want to make sure I have the proper core topology before I try to complete these projects.

My background is not in networking, I know more about virtualization and end devices, but I am moving more towards an enterprise architect role and the network is a major part of that so I am trying to learn more about the network. I have been learning a lot on the job and a bit from studying to get my CCNA, but what resources should I look at to learn more about this level of networking? I am doing my own research, but I want to make sure I am not missing critical knowledge. The CCNA doesn't really cover it, would resources for the CCNP teach me what I need to know or is there a better certification I can find resources to teach me?



Remote Desktop solution

Hey guys,

I am far from a networking pro, hence why I am asking here (you guys have always given me excellent advice). We are moving offices across town and will need to temporarily set up 3 offices while leaving the current offices where they are. These 3 new offices will need to access the 3 PCs at the original office through some sort of remote desktop software. The thing is we do lots of AutoCAD drawings and the license for the software we use is outrageously expensive. Ideally I would like to be able to remote in to the original office PC and be able to change or update drawings and print them at the new office. I was hoping you guys could point me in the direction of the best solution. There will be Gigabit Fiber internet at both locations so I don't think bandwidth will be an issue. Any suggestions on remote access software for 3-5 simultaneous users?



NSO in a container - help

Hi folks,

I know most people don't really do this, but I need some help with NSO:

I am running NSO in a container and it runs well on my local machine. However, when I deploy this on a server, it's not letting me log in.

Below are the logs (which confirm I am getting authenticated successfully):

2019-05-29T13:46:33.346556919Z <INFO> 29-May-2019::13:46:33.343 9d0650a7fccc ncs[31]: audit user: admin/0 logged in via webui from 172.16.4.1:47430 with http using local authentication

2019-05-29T13:46:33.346580619Z <INFO> 29-May-2019::13:46:33.343 9d0650a7fccc ncs[31]: audit user: admin/38 assigned to groups: admin

2019-05-29T13:46:34.390037550Z <DEBUG> 29-May-2019::13:46:34.389 9d0650a7fccc ncs[31]: devel webui_appmod_jsonrpc

2019-05-29T13:46:34.390065250Z REQUEST sessionid_80=sessJdQpNsilHi786gfUUe8nww==; path=/; HttpOnly: ?

2019-05-29T13:46:34.390079350Z RESPONSE sessionid_80=sessJdQpNsilHi786gfUUe8nww==; path=/; HttpOnly: {"jsonrpc":"2.0","result":{},"id":1}

2019-05-29T13:46:34.390085350Z

2019-05-29T13:51:45.170997747Z <INFO> 29-May-2019::13:51:45.170 9d0650a7fccc ncs[31]: - The NCS Smart Licensing Java VM terminated

2019-05-29T13:51:45.751884942Z <INFO> 29-May-2019::13:51:45.751 9d0650a7fccc ncs[31]: - Starting the NCS Smart Licensing Java VM

2019-05-29T13:51:46.369217525Z <INFO> 29-May-2019::13:51:46.368 9d0650a7fccc ncs[31]: - The NCS Smart Licensing Java VM failed starting - needs to be corrected!

Am thinking it's something to do with the licensing, but am not sure exactly what I need to install to get it going. Also, from other mac

Anyone been through this?



HP6120xg FCS rx drop increasing

I have two Cisco Nexus 3064PQ running in a vPC domain for multi-chassis LAG; these switches are connected to my HP 6120XG (c7000 blade center). Life was good for the last week and everything was working fine, but today I noticed vPC is down, so when I started looking I noticed the following.

LACP lost all partners and I am seeing FCS RX errors. This is not in production yet so there is almost zero traffic, but where are these drops coming from? Also I am seeing the same behavior on both HP 6120XG switches in the c7000; how can both switches go bad at the same time?

Duplex is auto and I have many other blades running with the same config and they are all happy.

# show lacp

                        LACP

   PORT   LACP      TRUNK     PORT      LACP      LACP
   NUMB   ENABLED   GROUP     STATUS    PARTNER   STATUS
   ----   -------   -------   -------   -------   -------
   18     Active    Trk1      Up        No        Success
   19     Active    Trk1      Up        No        Success
   20     Active    Trk1      Up        No        Success
   21     Active    Trk1      Up        No        Success
   23     Active    23        Down      No        Success
   24     Active    24        Down      No        Success

# sh interfaces

 Status and Counters - Port Counters

                                                                     Flow  Bcast
  Port      Total Bytes      Total Frames     Errors Rx   Drops Rx    Ctrl  Limit
  -------   --------------   --------------   ---------   ---------   ----  -----
  1         0                0                0           0           off   0
  2         0                0                0           0           off   0
  3         0                0                0           0           off   0
  4         0                0                0           0           off   0
  5         0                0                0           0           off   0
  6         0                0                0           0           off   0
  7         0                0                0           0           off   0
  8         1,326,944        2925             0           0           on    0
  9         1,326,944        2925             0           0           on    0
  10        1,327,200        2927             0           0           off   0
  11        327,772,440      72,212,498       0           0           on    0
  12        2,316,131,200    36,189,550       0           0           on    0
  13        0                0                0           0           off   0
  14        0                0                0           0           off   0
  15        1,327,355        2929             0           0           on    0
  16        0                0                0           0           off   0
  17        0                0                0           0           off   0
  18-Trk1   5,602,138        78,160           0           78,122      off   0
  19-Trk1   449,983,864      4,448,422        0           4,447,415   off   0
  20-Trk1   374,766,828      4,193,334        0           4,192,785   off   0
  21-Trk1   455,331,402      4,298,985        0           4,298,115   off   0
  22        0                0                0           0           off   0
  23        0                0                0           0           off   0
  24        0                0                0           0           off   0
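
To make the pattern in the counters above explicit, here is an added parser (written for this page, not from the original post or HP) that reads the ProCurve "show interfaces" counter table and flags ports whose Drops Rx approaches Total Frames. On the four Trk1 members in the post more than 99.9% of received frames are dropped while Errors Rx is zero, and the non-trunk blade ports show no drops at all; that per-port comparison is what you want in hand before chasing the vPC side. The embedded table is a subset of the post's numbers, retyped, and the flag threshold is a chosen default.

```python
import re

# One data row of the ProCurve "show interfaces" counter table; numbers may contain commas.
ROW_RE = re.compile(
    r"^\s*(?P<port>\d+(?:-Trk\d+)?)\s+(?P<bytes>[\d,]+)\s+(?P<frames>[\d,]+)\s+"
    r"(?P<errors>[\d,]+)\s+(?P<drops>[\d,]+)\s+(?P<flow>on|off)\s+(?P<bcast>\d+)\s*$"
)


def _num(text: str) -> int:
    return int(text.replace(",", ""))


def parse_port_counters(text: str) -> list:
    """Return one dict per data row; headers, separators and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "port": m["port"],
            "bytes": _num(m["bytes"]),
            "frames": _num(m["frames"]),
            "errors": _num(m["errors"]),
            "drops": _num(m["drops"]),
            "flow_ctrl": m["flow"] == "on",
        })
    return rows


def drop_ratio(row: dict) -> float:
    """Fraction of received frames the port discarded (0.0 for idle ports)."""
    return row["drops"] / row["frames"] if row["frames"] else 0.0


def flag_ports(rows: list, max_ratio: float = 0.001) -> list:
    """Ports dropping more than max_ratio of received frames, worst first."""
    bad = [(drop_ratio(r), r["port"]) for r in rows if drop_ratio(r) > max_ratio]
    return [port for _, port in sorted(bad, reverse=True)]


# Subset of the post's table, retyped for the example.
SAMPLE = """\
  Port      Total Bytes      Total Frames     Errors Rx   Drops Rx    Ctrl  Limit
  -------   --------------   --------------   ---------   ---------   ----  -----
  8         1,326,944        2925             0           0           on    0
  11        327,772,440      72,212,498       0           0           on    0
  12        2,316,131,200    36,189,550       0           0           on    0
  18-Trk1   5,602,138        78,160           0           78,122      off   0
  19-Trk1   449,983,864      4,448,422        0           4,447,415   off   0
  20-Trk1   374,766,828      4,193,334        0           4,192,785   off   0
  21-Trk1   455,331,402      4,298,985        0           4,298,115   off   0
  23        0                0                0           0           off   0
"""

if __name__ == "__main__":
    rows = parse_port_counters(SAMPLE)
    for r in rows:
        print(f"{r['port']:8} frames={r['frames']:>10} drops={r['drops']:>10} "
              f"ratio={drop_ratio(r):.4f}")
    print("flagged:", flag_ports(rows))
```

Run it against the saved output of both 6120XG modules and against the Nexus side's per-member error counters; if only the trunk members on both blades show this, the common element is what they share (the interconnect, transceivers and the vPC configuration), not the blade switches themselves.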



Need Advice for a good VPN Client for my company (1000 users)

My company currently purchased Meraki across the board, for Switches, and Firewalls in every site (China, Australia, UK, US) . 6 Buildings in total across the world. They were using non-standard sub-par equipment until they standardized each building.

Now that we have Meraki's we are trying to upgrade our VPN clients for people to work remotely and still access resources into our main buildings. Each building that needs access to each other has a P2P Tunnel already, so inside our network there's no issues.

However, Outside the network it's still anybody's guess. We're using Pulse (a very old crappy version, no one likes it) to access the UK and US, and have nothing implemented for the rest of the networks.

Now when we went to setup the Meraki's for VPN client access we noticed that Meraki doesn't have a software client to create its own VPN adapter. You have to go to Windows or Mac and create a connection using the native OS settings. This brought up a very bad issue with our clients not split-tunneling traffic. While there IS technically a way around this and you can run a script to add these split tunnel fixes, my boss is looking for a piece of software that will work with the Meraki VPN settings.

The Software he wants should do the following.

Have multiple profiles that we can import in order to setup different building configs easily.

Allow Split-Tunneling (obviously, standard practice here)

Officially supports Meraki hardware.

Works and looks the same on both Mac and PC.

We are aware that Meraki supports ASAs. And while that is a solution, that will tend to be a very expensive solution, as you need to buy licenses for each user that will be connecting to each building. So if you have 1000 users and all of them are connecting to each building (not a realistic example, I know, but this is for the sake of numbers), you will need 6000 licenses in total, which will get very expensive as you have to update your license support every year. So we're looking for alternatives.

If anyone has any suggestions I'm all ears. I've already been suggested PfSense, and am frankly turned off by the fact that it's freeware with the option to buy support. But if their support is good I would be open to that.

Thanks for everyone's help and your time!!



Is a very high end switch a viable replacement to a low end (feature wise) router?

Hi All,

So - I have equipment in a DC and we offer various services to clients - The primary services are VDI/Hosted infrastructure and to a much lower extent, we offer colo.

This started as a side business ~7 years ago when I worked at an ISP (with a huge budget and proper core routers) and figured out "why am I not doing this myself" and grew rapidly, and, I'm struggling on the next steps.

At our core is an Ubiquiti Edgerouter Pro - and it has served us VERY well, but, with some specialist ISPs giving 1Gb/s links, we have had one occasion where we reached capacity and it has given us a few problems as you can imagine. We currently upgraded that link to 10Gb/s (but, using at 1Gb/s until we can find new equipment).

I know I can upgrade to a Ubiquiti Edgerouter Infinity, however, that can't LAG/aggregate, so, I feel like I'm just delaying the capacity problem. I really want to invest in more carrier grade equipment - what I don't like however is that whilst I am more than willing to spend a lot/have what I thought was a reasonable budget, the jump to anything above 10Gb isn't a little jump... it's mortgage worthy expensive!

It was always the plan to get multiple upstream providers - however, we are in the main hub of our current provider and we have had ~20 seconds of downtime in 7 years... They have also just offered us a second feed from a redundant router.

I have been doing a bit of research lately, and I have read some posts (e.g. https://www.reddit.com/r/networking/comments/bpag4v/whos_using_cumulus_on_an_onie_or_whitebox_switch/ ) that have actually made me question pretty much everything.

After reviewing our setup, we currently don't use BGP (other than for some of our clients that announce to us), and we have relatively simple firewall policies that I believe could be replicated with switch filter polices. We have numerous VLANs and various bandwidth policies - but again, nothing that a high end switch can't do.

I am hoping to get a second 10Gb/s feed (for redundancy, not LAG/capacity) shortly, and, we are just going through RIR registration to get our own ASN. The dream is to also get peering at an IX, however, whilst preferred this is not essential.

The cost of a ~40Gb+ Router is a minimum of ~40x the price of a 40Gb switch (with a few 100Gb ports) and I can't help but think I'm over thinking things.

I just wondered if I am being silly to think about dumping a router in favour of a very high end switch and/or has anyone done this? Am I asking for trouble, or, could this work?



What names or naming conventions do you use for your networking equipment ?

I have recently moved to an organisation where they seem to use wacky names for each device.

For instance a small branch site (about 10 users) has a Cisco 2960x labeled as the site core switch.

So we apparently have like 300 core switches ranging from 2960x to 9Ks, which seems stupid to me.

Personally I would like to just call them by vendor and item number and label the device production or test.

Then rely on our network documentation to depict what roles each device play.

What do you guys use ?



SNMPv3

When using SNMPv3 with both authentication and encryption, is there a huge need for ACLing it down as compared to v1/v2/v2c? Wanting to get some input from a security-minded individual. Obviously the more security the better, but at least you have to have 3 pieces of info in SNMPv3: username, password, encryption key.

Thanks!
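
As added context for the ACL question (example code written for this page, not from the original post): the three pieces of information are not three independent secrets. USM derives both the authentication key and the privacy key from a password with the RFC 3414 key-localization algorithm, and the two values it mixes in, the username and the agent's snmpEngineID, travel in cleartext in every SNMPv3 message. Anyone who can reach UDP 161 can learn the engine ID with an unauthenticated discovery request, and one captured authenticated message (a trap, or a poll seen on the wire) yields an HMAC they can test candidate passwords against offline, without sending the agent another packet. The script implements the derivation (checked against the RFC 3414 Appendix A test vector), the 12-byte truncated HMAC that USM places in msgAuthenticationParameters, and the offline guess, run over a constructed stand-in for a captured message rather than a real BER-encoded packet. An ACL on who may reach the agent is what removes the capture and discovery opportunity; the cryptography itself holds up when the passphrase is strong.

```python
import hashlib
import hmac

MEGABYTE = 1048576  # RFC 3414 A.2: the password is expanded to exactly 1,048,576 octets


def password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2.1/A.2.2: Ku = H(password repeated to 1 MiB)."""
    h = hashlib.new(algo)
    reps, rem = divmod(MEGABYTE, len(password))
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku), binding the key to one agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_parameters(kul: bytes, whole_msg: bytes, algo: str = "sha1") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96 (RFC 3414 6.3, 7.3): HMAC over the whole message
    with msgAuthenticationParameters set to 12 zero octets, truncated to 12 bytes."""
    return hmac.new(kul, whole_msg, algo).digest()[:12]


def guess_password(engine_id: bytes, msg_zeroed: bytes, observed: bytes,
                   candidates, algo: str = "sha1"):
    """Offline dictionary attack: everything needed is in the captured message."""
    for pw in candidates:
        kul = localize_key(password_to_key(pw, algo), engine_id, algo)
        if hmac.compare_digest(auth_parameters(kul, msg_zeroed, algo), observed):
            return pw
    return None


# RFC 3414 Appendix A.3 test vector (password and engine ID are the RFC's).
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Constructed stand-in for a captured authenticated message with the 12-byte
# msgAuthenticationParameters field already zeroed. A real message is the full
# BER-encoded SNMPv3 packet; the procedure is identical.
CAPTURED_MSG_ZEROED = (b"SNMPv3 msg engineID=" + RFC_ENGINE_ID
                       + b" user=monitor authParams=" + bytes(12))
OBSERVED_PARAMS = auth_parameters(
    localize_key(password_to_key(RFC_PASSWORD), RFC_ENGINE_ID), CAPTURED_MSG_ZEROED)

if __name__ == "__main__":
    kul = localize_key(password_to_key(RFC_PASSWORD), RFC_ENGINE_ID)
    print("localized SHA-1 key:", kul.hex())
    wordlist = [b"public", b"Monitor2019", b"maplesyrup"]
    print("recovered:", guess_password(RFC_ENGINE_ID, CAPTURED_MSG_ZEROED,
                                       OBSERVED_PARAMS, wordlist))
```

Each candidate costs one 1 MiB hash plus two short ones, so this is slower per guess than most password hashes but fully parallel and entirely offline; the ACL, together with a long passphrase, is what keeps the attacker from collecting the input in the first place.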



FIN sent immediately after 3-way handshake

We have a PulseSecure WebVPN appliance which uses rewriting to publish some internal web applications to the outside (WebVPN). When we secure the backend connection (from the VPN appliance to the internal application) using HTTPS, sometimes, randomly, an individual component of the website does not load (the HTML itself, or maybe only an image, a CSS file or a JS file...)

Looking at the packet capture of both the internal server as well as the VPN appliance, we see that the appliance sends a FIN immediately after the TCP handshake.

Now, support is getting on my nerves requesting packet captures from all intermediate devices (firewalls, routers) but they don't say why. Am I missing something here? Since we have already established at both endpoints that there is a FIN packet being sent by the appliance and that there is nothing else between the end of the handshake and FIN what is it that they would be looking for?



Are There Any CEF Differences Between Catalyst and Nexus?

We experienced an issue after migrating from a 3750 to an N9k where the ESXi hosts connected downstream were no longer able to reach their local gateway. The hosts were connected via access ports, and used Lo0 on the switch as their gateway. After the cutover to the N9K, the hosts were no longer able to ping Lo0. Nor was Lo0 able to ping the hosts. source-interface Vl100 needed to be specifically appended to the ping command in order for ICMP to work. After changing the hosts' DG from the loopback to the SVI, traffic started flowing.

Can anyone elaborate exactly why we experienced this behavior with Nexus, but not with Catalyst? My guess is that Nexus uses a different switching mechanism than CEF on Catalyst. Perhaps CEF on Nexus doesn't forward frames based on existing L2 adjacencies? It seems to me that the Nexus wasn't internally routing traffic from VLAN to loopback. But the Nexus is routing. It has RIB entries and running EIGRP.



First job in networking field

Dunno if I'm breaking the rules of the sub (I've read them but still dunno), hope I'm not.

So, I got an offer for a job in networking as tech support (doing some networking support for small/medium businesses), for minimum wage in my country (my country's minimum wage, not minimum wage in the field).

I don't have prior experience and I still don't have my CCNA, nor a college degree. I'm part of a study group that's on the third part of the courses (there are 4 parts), with live and online courses over NetAcad. I'm the best student in the group (got the job offer because of that).

My question is, would you accept that job offer for your country's bare minimum if you were in my position (would you value yourself more?) or would you wait for something better?

Just want to mention, I started learning Python (via Learn Python the Hard Way), and network automation in Python via a free course that was offered a few days ago here (dunno if it's too early for me to learn that but yeah, I'm all over the place). I started learning CCNA VPN too with Chris Andersen's free Udemy course.



We're a small business and need a router upgrade - what should we look for?

Hi Reddit! I hope this is posted the correct place.

I'm from a small business and am the most tech-savvy guy there (which doesn't say a lot, we're an art book publishing company) and we need a router upgrade. Our router (or the ability to connect to it) has constant failures. Our ISP says their connection to the router works fine, so the problem is with our local connection. We called the router company and went through a long list of fixes, none of them seeming to work. We've both moved it physically around and done a bunch of technical attempts until they couldn't help us anymore. The problem, according to the company, seems to be the amount of traffic in our vicinity. I believe them, I can literally see 62 connections atm. They know our model and believe upgrading to something with a bit more power would work. (Our router is pretty cheap.) We need to keep the connection wireless as we constantly have guests, contacts, authors etc. passing by and we need that stuff to run as smoothly as possible.

(Also before you ask, our internet connection speed is not the problem, we're just 5 people in the office on a large day and it's 100 dollars a month)

So here's the problem. I don't know how router power works, so I'm not sure what I'm looking for. This seems to be a good list https://www.techradar.com/news/best-small-business-routers but I want to be sure whether any or all of these would be appropriate.

Best regards, some incidental IT guy :^)

(Also I'm Danish so if some sentences are nonsensical or unclear, don't be afraid to ask.)



Get VRF from reachable IP address (or MAC)

Hi,

I'm working on a Nexus 9K. I have a list of IP addresses and I need to find which VRF they are in. How could I do this? I can do this in two steps :

"show ip arp vrf all" to get the VLAN of an IP

"show run | sec 'interface vlanXX' | inc 'vrf'" to get the VRF.

Is there an easier way to do this?

Thank you.
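
An added script for the two-step lookup above (written for this page, not from the original post or Cisco): it joins the ARP table with the running config so a list of IPs comes back as (IP, interface, VRF) in one pass instead of one manual pair of commands per address. The two text blocks are constructed stand-ins for "show ip arp vrf all" and the interface section of "show running-config" on NX-OS, trimmed to the columns this needs; the column order of the ARP rows and the "vrf member" line under the SVI are the only things it relies on. An interface with no "vrf member" line is reported as the default VRF, and an address with no ARP entry comes back with None so it is not silently dropped.

```python
import re

# Address, Age, MAC (or INCOMPLETE), Interface, optional Flags
ARP_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|INCOMPLETE)\s+(?P<intf>\S+)",
    re.I,
)


def arp_table(arp_text: str) -> dict:
    """ip -> interface, from 'show ip arp vrf all'."""
    table = {}
    for line in arp_text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["intf"]
    return table


def vrf_by_interface(run_text: str) -> dict:
    """interface -> vrf, from the running config; no 'vrf member' means 'default'."""
    vrfs, current = {}, None
    for line in run_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            vrfs[current] = "default"
        elif current and line.strip().startswith("vrf member "):
            vrfs[current] = line.split()[2]
        elif current and line and not line[0].isspace():
            current = None          # left the interface block
    return vrfs


def locate(ips, arp_text: str, run_text: str) -> list:
    """[(ip, interface or None, vrf or None)] for each requested address."""
    arp = arp_table(arp_text)
    vrfs = vrf_by_interface(run_text)
    out = []
    for ip in ips:
        intf = arp.get(ip)
        out.append((ip, intf, vrfs.get(intf) if intf else None))
    return out


# Constructed sample outputs (abbreviated; not from a real switch).
ARP_SAMPLE = """\
IP ARP Table for all contexts
Total number of entries: 4
Address         Age       MAC Address     Interface       Flags
10.10.10.20     00:05:12  0050.56b3.1a2b  Vlan10
10.20.20.5      00:00:43  0050.56b3.9c8d  Vlan20
10.30.30.9      00:12:01  0050.56b3.77ee  Vlan30
10.20.20.77     00:00:02  INCOMPLETE      Vlan20
"""

RUN_SAMPLE = """\
interface Vlan10
  no shutdown
  vrf member PROD
  ip address 10.10.10.1/24
interface Vlan20
  no shutdown
  vrf member DMZ
  ip address 10.20.20.1/24
interface Vlan30
  no shutdown
  ip address 10.30.30.1/24
router ospf 1
  router-id 1.1.1.1
"""

if __name__ == "__main__":
    for ip, intf, vrf in locate(["10.10.10.20", "10.30.30.9", "10.99.99.1"],
                                ARP_SAMPLE, RUN_SAMPLE):
        print(f"{ip:16} {intf or '-':10} {vrf or 'not in ARP'}")
```

Feed it the saved output of the two commands (or wire the same functions to whatever you use to collect show output) and the list of addresses; anything that comes back as not in ARP has not been seen on this switch and needs to be looked up elsewhere.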



Meetup in Manchester UK, Cisco/Networking/Wifi workshop. Wed 29th May

Hi all, long time lurker here, if anyone is in the North West of England I am holding a meetup for Networking related discussions for Small Businesses and startups. It will be a non-sales event, an opportunity to meet some of your peers working in other small businesses and discuss all things networking and cloud related.

A bit about myself: I am a technical architect working for a Cisco partner, currently studying towards my CCIE Route Switch, so I am happy to share my experiences regarding my studies. I will also be offering free advice around design and implementation of network infrastructure, netdevops, Cloud, Unified communications etc. to those that need it, and happy to chew the fat with others in similar roles to myself.

It will be held at ziferblat in the northern quarter, starting at 6:30pm, more details below.

http://meetu.ps/e/GJ9Qm/GZVvh/f



Need help building a server to test 100Gb/s, 400Gb/s and a stretch goal of 1000Gb/s

Hi there,

I've run out of things to google for and I'm looking for help/guidance. I need help building a server.

**Background**

I've been asked to help out with a university project (and I think it's because I know what IT stands for)

Effectively the bat s**t insane idea is to test a 1000Gb/s (1Tb/s) network. Fastest I've ever gotten is 10 Gb/s with a home lab.

Now they've agreed to start 'small' with 100Gb/s and push up to 400Gb/s, either by 'NIC team' as soon as possible or by buying the currently-in-development 400Gb/s fibre when it releases in 3-4 years' time.

(Hopefully I can get out of this place before they think of something else that's balls to the wall extreme).

Effectively, I've been asked to spec up the testing pc/server(s) to send test data and analyse the data throughput.

** My thinking **

Software:

I'm assuming Wireshark is laughable if I tried to use that to capture traffic. And I honestly can't think of a way to generate that insane amount of traffic other than copying my whole steam library (I've calculated it at about 19s).

I'm also open to the idea of using Linux over Windows (I'll just have to run a training class I guess for everyone).

Hardware:

I'm hoping they won't want to store the data, just test the speed. Either a RAID or a RAMdisk will be suitable.
So maybe 10x1TB SSDs in RAID 0 and as much DDR4-4800 RAM as I can fit in a motherboard. Prioritising a high clock speed CPU over cores/threads. Oh and of course 2 x dual 100Gb/s Mellanox network cards.

** The question(s) **

Network speed is assumed at min 100Gb/s, pref 400Gb/s and total max of 1000Gb/s.

Software:

Packet/traffic generator, what would/could generate data for that network speed?
Packet capture, what software would be able to log/analyse that much data at that speed?
Operating system for this?

Hardware:

Let's pretend money grows on trees here...
What kinda hardware would I need to generate and capture this data through put?
Would a RAMdisk be better than a RAID 0 for serving data to a network?

Testing method:

I'm open to ideas on what the best way to test this network.

Any help or ideas or just things to google is a major help! Even if it's just a stop gap solution, i.e. "This would be okay to about 400Gb/s for now".



GLBP with 3 routers but only 2 of them to be active and the 3rd as hot standby

Hi Team,

I have been tasked with a project to implement a design to provide load balancing with 2 routers and once both of them are down then a 3rd one will take over the traffic.

I have tried a few scenarios and designs but it seems that I am not able to have 3 routers in the same GLBP group with only 2 of them operating as active forwarders.

I think the key here is to play with the weighting but I'm not sure what parameters to apply on the 3rd to take over the traffic when the other 2 are off.

Thanks in advance



Career advice

Hello folks! I just completed my Engineering in Electronics & Telecommunication and I have Red Hat and CompTIA networking certifications. I wanted a bit of career advice on where I can go from here. Thanks in advance.



Tuesday, May 28, 2019

Why convergence time in Unidirectional Traffic & Bidirectional Traffic are different?

Hi everybody,

My question may have insufficient information.

I think that unidirectional traffic can cause BUM traffic.

Traffics

1.UP_to_Down (Unidirectional, Bi-directional)

2.Down_to_UP (Unidirectional, Bi-directional)

When SW-3 is restarted,

Bi-directional -> 3s convergence time for both traffic

Uni-directional -> 1s for Down_to_UP & 5s for UP_to_Down

UP

SW-1______________SW-2
 |                  |
SW-3______________SW-4
 |                  |
SW-5______________SW-6
 |_______SW-7_______|

DOWN



OSPF Recommendation

I'm looking at setting up OSPF between two switches, and am thinking about putting the point-to-point OSPF link *inside* the /24 that is being advertised by the edge switch.

So:

192.168.1.0/24 is the range I want to advertise from the edge switch up to the "core".

I want to use 192.168.1.248/30 as the OSPF point-to-point link IPs. With 192.168.1.249 on the uplink switch, and .250 on the edge switch. 192.168.1.0/24 is VLAN 10, and I'm going to make 192.168.1.248/30 VLAN 15.

I can't find anything that would suggest this would be a bad idea, but does anyone see any problems with this? I'm trying to avoid dedicating another public IP range just for OSPF point-to-point links, and I want to keep the "core" switch out of the 192.168.1.0/24 VLAN / IP range.



SSH session logging on Linux

Hello guys,

I recently started to use Manjaro Linux. On Windows, I was using XShell for my SSH sessions to access network devices. Now I'm trying to replace it with OpenSSH on my Linux. I've created several aliases for ssh access in bashrc, and it's working fine. Also I'm using the "tee" command to save my session logs. But I've faced some issues with control characters in my log files. There were too many control characters written to my log file, such as backspace, space (Ctrl+W etc.). And I couldn't find any solution for this issue.

Do you have any other suggestion for such kind of logging? or Is it possible to ignore control characters for the tee command?

Linux OS: Manjaro Linux with KDE

Kernel version: 5.1.4

Alias Command Format for ssh access: alias device1="ssh user@XXX.XXX.XXX.XXX | tee -i DEVICE1_$(date '+%Y-%m-%d-%H:%M').log"
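
An added post-processor for the tee'd logs above (written for this page, not from the original post): the control characters are the remote device echoing its own line editing, so rather than trying to make tee drop them, keep the raw log and render it the way a terminal would. The function replays backspaces, carriage returns and the "erase to end of line" escape onto a line buffer, discards colour and cursor-movement escape sequences and bells, and returns the text a person saw on screen. The sample log bytes are constructed, in the style of an IOS prompt where a mistyped command is corrected by backspacing; logs from other platforms may use cursor-movement sequences this minimal model ignores.

```python
import re
import sys

# ESC-sequences: CSI (ESC [ params final), OSC (ESC ] ... BEL or ST), or a
# two-byte ESC x; anything else is a single character fed to the line model.
TOKEN_RE = re.compile(
    r"\x1b\[(?P<csi>[0-?]*[ -/]*[@-~])"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[@-Z\\-_]"
    r"|(?P<ch>.)",
    re.S,
)


def clean_terminal_log(raw: bytes) -> str:
    """Render a raw terminal log into the text a human saw on screen."""
    text = raw.decode("utf-8", errors="replace")
    lines, line, cursor = [], [], 0
    for m in TOKEN_RE.finditer(text):
        csi, ch = m.group("csi"), m.group("ch")
        if csi is not None:
            if csi in ("K", "0K"):           # erase from cursor to end of line
                del line[cursor:]
            continue                         # colours, cursor moves etc.: dropped
        if ch is None:
            continue                         # OSC and other ESC sequences
        if ch == "\n":
            lines.append("".join(line).rstrip())
            line, cursor = [], 0
        elif ch == "\r":
            cursor = 0                       # next characters overwrite the line
        elif ch == "\b":
            cursor = max(0, cursor - 1)      # device echoes "\b \b" to delete
        elif ch != "\t" and (ord(ch) < 0x20 or ch == "\x7f"):
            continue                         # BEL, DEL and other C0 controls
        else:
            if cursor < len(line):
                line[cursor] = ch
            else:
                line.append(ch)
            cursor += 1
    if line:
        lines.append("".join(line).rstrip())
    return "\n".join(lines)


# Constructed sample: a command redrawn with ESC[K, then "shwo" corrected to "show".
SAMPLE_LOG = (
    b"R1#sh ip int bri\x1b[K\r\n"
    b"Interface   IP-Address   Status\r\n"
    b"Gi0/0       10.0.0.1     up\r\n"
    b"R1#shwo\x08 \x08\x08 \x08ow ver\r\n"
    b"R1#\x07"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:    # e.g. DEVICE1_2019-05-28-10:15.log
            print(clean_terminal_log(f.read()))
    else:
        print(clean_terminal_log(SAMPLE_LOG))
```

Keeping the raw file and cleaning a copy preserves the evidence of what was actually typed, including mistakes, which matters if the session log is ever used to reconstruct a change.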



Port Forwarding on Two Routers

Today, a contractor told us that they need a specific port to be open for port forwarding. But we can't log in to our ISP router to set up the port forwarding due to "Security Measures" of the ISP, as stated on their support page. Right now we can't proceed with the implementation because we need port forwarding. Is there any way to do port forwarding on the second router while we are trying to reach our ISP to configure their router into Bridge Mode, so that we can use our own router, which is the second router behind the ISP router?



Mitel 5624 DECT VoWifi No Audio

http://bit.ly/2wtoCrq

Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!