Saturday, July 27, 2019

Passwordless SSH

Anyone doing it?

I'm sick of typing passwords. Even with "remember my password" features of SecureCRT, putty, etc. (which I refuse to use because I'm over-paranoid), it would still be a pain to update that thing.

I want to build a mini PKI environment, just for this purpose. I would put the root CA cert on all network devices, and issue my teammates and me a signed certificate from this CA. Then bam, passwordless!

I'm only curious from those already doing it -- is it worth the trouble? I intend to allow fallback to passwords in case someone dicks the PKI setup.



LTE Connection VPN Help

Hello all, I'm hoping to get some pointers.

I am trying to route a location that uses LTE as its only provider through a VPN. The device I'm using is a Mofi4500 (AT&T), which is obviously NAT'd. I'm bridging that to a Ubiquiti Security Gateway. I'm also using OpenVPN.

Essentially I will need a static public IP to access devices on this network (i.e. port forwarding, remote access, etc.). I was able to get the connection going on my USG device and am able to ping through the VPN. My problem is my IP is still showing as the AT&T-provided IP. Even if I use the OpenVPN client and route through that, it simply does not change. I can see the bandwidth of the server throttle, meaning a connection is established, but the IP does not change. I've used a DigitalOcean droplet to set it up, but I've also tried Astrill VPN with no luck.

I'm really new when it comes to VPNs, as I'm studying for my CCNA now. Any help or guidance is appreciated.



Will This Work? Site to Site + Reverse Proxying

Hi All,

So I want to go ahead and forward some subdomains to my homelab services so I can access things on the go.

The reason why I have this convoluted setup pretty much boils down to two reasons:

  • My ISP (because I have a consumer grade connection at home) disapproves hosting things from home.

  • My school employs DPI, so VPNing into my home network would require having to wrap traffic using SSL (I found the documentation for sTunnel to be sorely lacking though, and I'd rather not violate a school network use policy from a moral standpoint)

A picture is worth a thousand words, so here is what I have in mind: https://imgur.com/a/jfeJsA3

Will this work? I believe this should work on a fundamental/theoretical level, but I want to get a sanity check from some of the more seasoned experts on here before I dive into NGINX configuration. I have the site to site set up already, and the NGINX webserver can see all the VMs on the 10.2.0.0/16 network. Thanks in advance!



Remote desktop into co-working building

I recently set up our office router to Port forward 5900, and my PC running Ubuntu to enable desktop sharing. It's accessible on the same network, but not externally.

What do I do next to access it outside the office? Should I ask the co-working space managers to port forward and pray they know what the hell I'm talking about?



Python & CISCO

I didn't want to ever go into programming because I just couldn't sit there looking at code all day. I know Cisco is doing Python because of network automation. Can anyone give some examples of the things you can do with Python to automate tasks? Can you set Python to monitor network benchmarks to redirect traffic when it starts to bottleneck?



Cisco ASA - VTI IPSec Assistance

Hello,

I'm trying to set up an IPsec tunnel between two Cisco ASAs in a lab using VTI interfaces. I cannot, however, seem to get the tunnel interfaces to come up on the ASAs or the IPsec tunnel to work...

This is so that I can run dynamic routing protocols across the VTI interfaces.

The VTI interfaces just show as down/down and I cannot figure out why...

Any assistance would be greatly appreciated.

Here is the configuration:

Site A:

crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 14
 prf sha512
 lifetime seconds 86400
!
crypto ikev2 enable OUTSIDE
!
crypto ipsec ikev2 ipsec-proposal PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha512
!
crypto ipsec profile IPSECPROFILE
 set ikev2 ipsec-proposal PROPOSAL
!
group-policy 192.168.1.2 internal
group-policy 192.168.1.2 attributes
 vpn-tunnel-protocol ikev2
!
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 general-attributes
 default-group-policy 192.168.1.2
tunnel-group 192.186.1.2 ipsec-attributes
 ikev2 local-authentication pre-shared-key CISCO123
 ikev2 remote-authentication pre-shared-key CISCO456
!
interface tunnel 10
 nameif VTI
 ip address 172.16.2.1 255.255.255.0
 tunnel source interface OUTSIDE
 tunnel destination 192.168.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSECPROFILE
!

Site B:

crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 14
 prf sha512
 lifetime seconds 86400
!
crypto ikev2 enable OUTSIDE
!
crypto ipsec ikev2 ipsec-proposal PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha512
!
crypto ipsec profile IPSECPROFILE
 set ikev2 ipsec-proposal PROPOSAL
!
group-policy 192.168.1.1 internal
group-policy 192.168.1.1 attributes
 vpn-tunnel-protocol ikev2
!
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 general-attributes
 default-group-policy 192.168.1.1
tunnel-group 192.186.1.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key CISCO123
 ikev2 remote-authentication pre-shared-key CISCO456
!
interface tunnel 10
 nameif VTI
 ip address 172.16.2.2 255.255.255.0
 tunnel source interface OUTSIDE
 tunnel destination 192.168.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSECPROFILE
!

There is then a static route on both ASAs for the VTI interface to route from LAN subnet A <--> LAN subnet B.



SDN & Virtualisation - Proposal

Hello all,

I'm sitting an MSc in cloud computing, and currently trying to put a proposal together for my thesis. It started with security in multi-tenant (MT) virtualised cloud environments, and through reading related papers, led me onto software defined networking (SDN) as a potential solution to some of the current security issues with (MT) public cloud.

So basically I'm trying to get my head around FlowVisor and OpenFlow, probably using OpenStack, to see how using SDN can enhance security posture in MT (by means of isolation). This is purely theoretical, and needs to be fleshed out.

This stuff is way above my head, so I have a steep learning curve ahead :( But I'm open to the challenge.

Are there any SDN gurus out there that can advise if my approach and methodology is actually achievable?

Secondly, are there any good tutorials / LABs for setting something like this up?

Any steer would be very welcome.

Cheers, Dave.



How do applications receive and send data specific to their application?

Sorry if I've asked this before but I don't think it's getting across.

Ok, so ports are used to specify what application level protocol should be used when TCP data packets are sent - but say if you made a P2P game where both players had their own map loaded, and all they needed to know to play with one other player was their position relative to the map and update it, what would a programmer need to code in order to send his position on the map to the IP address of the other player, and receive the position of the other player - let's say in an integer list (x, y, z).

I really have no idea how this would be done. Protocols are just concepts, so would you have to code literally each protocol from scratch, and how would the computer, once the packets are received, know what to do with it (application layer protocol)? There is no port to specify immediately how the computer should deal with it, so how would you specify in the packet "once received, send the data to this application" - and how would you code that; like position = TCP.receive(x,y,z); or something?



The struggle of a color blind Network Admin

I am (mostly) red and green color blind. I had no idea I was color blind till a friend in college noticed that I kept mixing up the color red for green and vice versa, so I took the color blind test and apparently I failed miserably.

Fast forward a few years later, I became a network admin and I had to terminate Ethernet cables. It's fair to say I almost never get the cables right the first time, especially the striped ones (brown/green?). I am very grateful for the cable testers; they are pretty good at telling you which cables are off and you can easily fix it. For me, I either try to guess or I ask someone to verify the colors for me. The struggle is real.

For the most part, it's just frustrating to me that I cannot get the colors right the first time and I waste time trying to make it work, or I have to bother someone to verify it for me. However, I have never thought that being color blind makes me less of a network admin. I find comfort in the fact that I am not a chemist and if I mess up the colors, I will always know. And with the new influx of "the cloud", I might not have to terminate cables as often as I used to.

What are your thoughts?



What application layer protocol do multiplayer games use?

Say in pseudo code I wrote the code "packet.send(5)", where the data was 5, to a game server which at the same time is collecting this information from other players connected to it - and say 5 is the position of the player. What application layer protocol is being used here to send the request to TCP, and when the server gets it, identify what to do with the data? And how would my computer identify that the data being sent to me was for my game - what protocol?



I don't fully understand the application layer on TCP/IP model.

Hello, this is my first post on here - I need some help on understanding the application layer of the TCP/IP model, I understand the process of how data is sent from one system to another, but I don't understand what happens then. The TCP protocol splits the data into packets - IP is used for routing and Ethernet or whatever other physical method for sending the data. It seems that covers how data is sent between two systems - I don't understand the purpose of the application layer because of this - or why an application is required to send/receive data on a network. Help please, thanks.
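The three questions above (the P2P map-position game, "packet.send(5)", and the purpose of the application layer) all come down to the same thing: the application itself defines the message format carried inside the TCP byte stream, and the port only tells the operating system which process receives the bytes. The following is an added example, not code from any of the posts; the wire layout (a type byte, a 2-byte length, three int32 coordinates) and the 1 KiB payload cap are assumptions chosen for illustration.

```python
"""A minimal application-layer protocol for exchanging player positions over TCP.

Assumed wire format (constructed for this example):
  1 byte  message type      (0x01 = position update)
  2 bytes payload length    (big-endian, unsigned)
  N bytes payload           (for a position: three big-endian signed 32-bit ints)
"""
import socket
import struct

MSG_POSITION = 0x01
HEADER = struct.Struct("!BH")     # type, length
POSITION = struct.Struct("!iii")  # x, y, z
MAX_PAYLOAD = 1024                # cap so a bad peer cannot make us buffer forever


def encode_position(x, y, z):
    """Serialise one (x, y, z) update into the bytes that go on the socket."""
    payload = POSITION.pack(x, y, z)
    return HEADER.pack(MSG_POSITION, len(payload)) + payload


def decode_messages(buffer):
    """Parse every complete message in `buffer`.

    TCP delivers a byte stream, not packets, so a recv() may return half a
    message or two messages glued together. Returns (messages, leftover_bytes).
    """
    messages = []
    offset = 0
    while len(buffer) - offset >= HEADER.size:
        msg_type, length = HEADER.unpack_from(buffer, offset)
        if length > MAX_PAYLOAD:
            raise ValueError(f"payload length {length} exceeds cap of {MAX_PAYLOAD}")
        start = offset + HEADER.size
        if len(buffer) - start < length:
            break  # incomplete message: keep it buffered until more bytes arrive
        body = buffer[start:start + length]
        offset = start + length
        if msg_type == MSG_POSITION and length == POSITION.size:
            messages.append(("position",) + POSITION.unpack(body))
        else:
            messages.append(("unknown", msg_type, bytes(body)))
    return messages, buffer[offset:]


class PositionStream:
    """Receiver side: accumulate bytes from recv() and hand back whole messages."""

    def __init__(self):
        self.pending = b""

    def feed(self, data):
        self.pending += data
        messages, self.pending = decode_messages(self.pending)
        return messages


def demo():
    """Two updates arrive split at an awkward boundary; nothing is lost."""
    wire = encode_position(10, -5, 3) + encode_position(11, -5, 3)
    rx = PositionStream()
    first = rx.feed(wire[:4])   # only a header plus one payload byte so far
    rest = rx.feed(wire[4:])    # remainder completes both messages
    return first, rest


def roundtrip():
    """Send one update through a real connected socket pair and parse it."""
    a, b = socket.socketpair()
    try:
        a.sendall(encode_position(1, 2, 3))
        return PositionStream().feed(b.recv(4096))
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    print(demo())
    print(roundtrip())
```

The receiving program is whatever process bound the listening port; inside it, nothing but this parser knows that the bytes are coordinates.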



SSH setup on old Cisco3560 Switch

So this is a super noob question, sorry. I've hardly worked on Cisco switches but we have a few dated switches at work and my boss asked me to set up SSH on this 3560. I've searched different sites and I get mixed instructions. I was wondering if any of you kind Reddit folks would be able to point me in the right direction for this? I just need to be able to PuTTY into the switch. Currently, it already has a hostname and IP address. Thanks in advance! :)



Getting continuous NBNS broadcast msg..

On my Windows 7 laptop, when I open Wireshark I get continuous NBNS broadcast messages with different name queries from an IP, but that IP isn't used in my company. How do I identify the system transmitting the NBNS packets?

How do I resolve this?



Do Intel x520 cards work with Cisco SFP-H10GB DAC cables?

Hoping to connect two computers via SFP NIC to NIC on Windows 10 OS



Internet down every morning

Just got a new modem installed at my work. (Small restaurant) Every day since then the internet is down when I come in in the morning. Reset the modem and all is good. Works fine all day but somehow loses connection during the night. Any tips before I call my ISP?



How to copy detailed version information from Cisco switch to remote server?

Hello! r/networking!

Let's say I want to copy detailed version information from a Cisco switch to a remote server via TFTP. And I can only use the "copy" command.

What should I do?

Currently I am able to copy "system:running-config" to my TFTP server. However, the information I can get is just a fuzzy firmware version like "12.2", not "12.2(25)SE1".

I have some ideas:

  1. Find if some file preserves the version information so that "show version" command can print it. But I just can't find it. Maybe it was read from the running firmware and saved in memory?
  2. Can I execute multiple commands in one line? Is there some terminator in command shell?

Thank you!



Friday, July 26, 2019

ISP Throttling Internet Speeds Past 12?

Hey all!

I've just replaced a faulty AirPort Extreme with a Linksys AC1750 in my long chain of a Wi-Fi network I have (Airport >> Airport >> AC1750)

Because I've been up so late configuring everything, I started to notice after running speed tests every 30 mins or so that the down/up speeds get slower and slower, to the point where I get less than 1.5 Mbps download... Though, when I set it up around 10pm, I was getting an easy 30 Mbps. I know that the late hours usually have a high influx of Netflix streamers which causes ISPs to get overwhelmed, but I mean less than TWO Mbps??? It's pretty much unusable after 12. On Xbox I get 1.09 download.

Earthlink is my ISP, and I hate it but my parents haven't gotten around to changing anything (I'm a college student). Honestly, I'm looking for some hard evidence as to why this issue is happening and if Earthlink is to blame. Because if so, I might look into comparing prices of other ISPs.

Between Spectrum and Earthlink, my parents pay over $200/mo and if we are getting shortchanged, maybe it's time for a switch.

I know that some routers have "nighttimes" where they pretty much shut off during certain nighttime frames, but I don't think Apple AirPorts have that, nor did I find that with the AC1750.



Fiber capable of 1G but not 10G

I've encountered a strange issue with a fiber run. I was seeing CRC receive errors on one side, so I scheduled in downtime and swapped patch leads/cleaned/etc. The fiber never came back up. It was running on 10G SFPs; the only compatible spares I had were 1G, so I swapped at both ends and it came up straight away. Zero CRC errors too.

With limited spares I'm pretty certain the issue is a faulty SFP and have a replacement on the way; however, my question is: is it possible that there's a small amount of fiber damage (attenuation, whatever) that is enough to stop 10G working, but not enough to stop 1G working?



[Shitpost] When do we get Network Engineer Day?

Today was SysAdmin Day. NE Day could be... January 27... or, or.. 30? (get it?)

Anyway. Happy SysAdmin Day to those of you who do both. toasts glass of bourbon to you



SmartConsole R80.20 help needed with scripts and how to use them

Hey, I'm a junior FW admin and so far I've been doing FW rules in R80.20 and R77 due to some areas running on legacy walls and I would like to get into scripting because I would like to make my life easier.

I tried doing some research on my own but I've gotten nothing great out of it (info overload).

So I'm going to test my luck here and see if anyone can give a rather short, straight forward yet in-depth answer to how scripts can be used in R80.20, what languages can be used and some basic commands for collecting info to make a file that can be used for presenting reports or even creating or editing present rules.

Thank you in advance for taking the time to explain.



Any good ACI Network Centric Overview videos?

I saw the one from the ACI marketing department that was made by Cisco, but due to all of the questions they really only got to the contracts and filters between EPGs. I didn't hear anything about the fabric access policies, L2 or L3 out...

Video I am referencing: https://www.youtube.com/watch?v=_iQvoC9zQ_A



Port Forwarding. What am I doing wrong?

Any and all help is appreciated. I am literally being driven insane. Ports I am trying to open up are 27015, 27016, 7777 and 7778. I have a pass-through cable modem with a router. The pass-through cable modem is completely open by design and I use Plume Super Pods for my router/Ethernet distribution. I assigned a static lease/DHCP IP for my one device, which is 192.168.40.85. I added both the inbound and outbound rules to Windows Firewall and a port forward reservation for the IP stated above, 27015 inbound and outbound, same thing for 27016, 7777 and 7778. The ports are timing out. So I completely turned off Windows Firewall and now the ports are saying connection refused. What am I missing here? I called the ISP and they say they are not blocking the ports and the pass-through modem is completely open.



2 separate power line networks

I have one house and one router.

Would speeds be faster for each power line node if I separated the network into 2?

So there would be 2 power line nodes at the router directly connected by Ethernet and each power line node uses its own encryption.



Unified firewall policies - Do you use them?

As my organization grows and we're adding more sites, more complicated data center networking, and more data center firewalls, I sometimes find myself wondering whether I should look towards unifying firewall policies either at the geographic level or just for like-purpose sites globally, rather than have site-specific firewall policies. My firewall vendor (Check Point) always demos a single unified policy with inline layers for branch offices, and that approach seems to nicely abstract the underlying networking, but some consultants warn me against it due to complexity which I'm not sure I understand.

How do you folks handle unified firewall policies? Do you do it? If you do, how have you chosen to unify them? If you don't unify sites, why not?



Has anyone had any experience using fujitsu vSure for monitoring?

Just as the title says, sorry if this is the wrong place to ask this question. Just trying to get some insight.

Thanks.



Branch Office 2900 Router - QoS config example

I'm getting started on QoS configs for my branch office sites. These sites use Cisco 2900 series routers with 15.x software, and a downstream 2960X that is marking DSCP values and policing on 1 Gbps user access ports. Assume the trunk between the switch and router is a 1 Gbps link and DSCP values are trusted. The example below is for a site with a 30 Mbps WAN connected to a 1 Gbps interface on my router. My ISP will honor 4 DSCP values.

With the 2960X access switch I've previously configured, I was able to map certain DSCP values to certain drop thresholds within each queue. I believe the "bandwidth percent" commands allocate a portion of the interface's bandwidth to be reserved for a particular class, but should I also try to map specific DSCP values to certain drop thresholds like I did for my switch? Or are there any other best practices I should be looking at implementing? I know there are a ton of options and I'm trying to keep the QoS config simple but effective. I've found some command references and basic config examples that look like the one I posted below.

class-map match-any QOS-REALTIME-CLASS
 match ip dscp ef
 match ip dscp af41
 match ip dscp af42
 match ip dscp af43
!
class-map match-any QOS-SIGNALING-AND-CRITICAL-DATA-CLASS
 match ip dscp cs6
 match ip dscp cs3
 match ip dscp cs7
 match ip dscp af31
 match ip dscp af32
 match ip dscp af33
!
class-map match-any QOS-DEFAULT-CLASS
 match ip dscp default
 match ip dscp af11
 match ip dscp af12
 match ip dscp af13
 match ip dscp af21
 match ip dscp af22
 match ip dscp af23
!
class-map match-any QOS-SCAVENGER-CLASS
 match ip dscp cs1
!
policy-map QOS-WAN-OUTPUT-POLICY
 class QOS-REALTIME-CLASS
  priority percent 15
 class QOS-SIGNALING-AND-CRITICAL-DATA-CLASS
  bandwidth percent 30
 class QOS-DEFAULT-CLASS
  bandwidth percent 50
 class QOS-SCAVENGER-CLASS
  bandwidth percent 5
!
policy-map WAN-OUTPUT-SHAPING
 class class-default
  shape average 30000000
  service-policy QOS-WAN-OUTPUT-POLICY
!
interface Gi0/0
 description 30-Mbps-WAN
 ip address 1.1.1.1 255.255.255.255
 service-policy output WAN-OUTPUT-SHAPING



QoS Excel Sheet

Hi All,

I am about to install a new site and part of this work is redoing all the QoS across the other sites. I was wondering how do you guys keep a record of the current QoS settings?

I was thinking Excel but before I try and make one from scratch, I was wondering if anyone has a good template as a basis?

Thanks,



Need some guidance on AIR-CHNL-ADAPTER

Anyone ever used these before? We have a new building where these are required. I can figure out how they come apart to get onto the rail, but how do you attach the grid clip to it? The Cisco Access point mounting guide just shows the finished picture, with no instructions.

Am I missing something obvious here?



Cisco SD-WAN (Viptela)- Explain Like I'm 5

Hello!

Recently watched the Cisco Live SD WAN 1.5 hour talk. Still a little lost. I understand vManage is how you manage all of your devices and how they use their circuits but what happens in between there is just a blur. Could someone explain how SD-WAN works? We are doing a proof of concept within a month or so and I will have a little bit to do with that.



ELI5 Route Reflectors

Having a tough time understanding how these are used for reasons other than routing between VRFs?

Can anyone help?



What's your data centre disaster?

As many European people will know, we're experiencing some serious heat at the moment.

Yesterday two of our data centre air con units gave up, causing our data centre to go from a reasonable 18-22 degrees C to 60+ in just a couple of hours. The argon suppression units "exploded", causing much confusion, leaving people thinking something had literally blown up. "The floor lifted", I was told by some office workers. I, putting two and two together, figured the smell of burning plastic (actually the smell of argon) and the "explosion" was enough to evacuate the surrounding offices. Lives are far more important.

Eventually I learned there wasn't a fire or an explosion, in fact the suppression units literally blast out the good stuff and the smell is a bit like burning plastic.

Anyway this resulted in an attempt to gracefully shut down as many servers as possible then failing devices to an alternate data centre where required.

At this point I'd like to add, Nexus 7Ks literally just chill in that kind of temp. They reported "minor" temp alarms and happily continued to forward traffic. In fact, all of our networking equipment continued without a sweat. Some FortiGates were hitting near 80 °C. My part here was to shut down any slave devices with the hope of preserving a unit or two and reduce the contribution to "global warming".

We had electricians and engineers bringing all kinds of industrial fans to channel the hot air out. That helped drop 10 degrees or so.

Eventually the air con engineers turned up and sorted it promptly. The temperature was back to normal in 30 mins or so. A day later systems are almost back to normal. Some databases kicking off about something or other. Sensitive things, eh?

Oh and sadly we lost a FortiAnalyzer. God rest its connectionless body.

All in all, not something you'd expect, so it poses a couple of questions, how resilient is your network and how would you respond to such an event?

Finally, my dear networking redditors, what is your data centre disaster?



Trying to troubleshoot printer connectivity issue

How do I troubleshoot a printer remotely? They gave me the IP address (a private IP, btw); can I get the MAC address from it? I tried pinging the IP; it was not reachable before, but now I can ping it. Any help appreciated, noob here.



Open vSwitch is looped

Good morning,

I'm trying to set up a connection between an OpenDaylight controller and a router with an Open vSwitch switch between them. The switch connects successfully to the ODL, but the problem is that the two interfaces of the switch are looped, so I can't ping the switch from my router.

I seemed to find a solution for this here: http://docs.openvswitch.org/en/latest/faq/issues/ , but I wasn't able to solve the problem.

Any kind of help is well appreciated.

Thank you in advance,

Davide



Questions on external warehouse and network connection

Dear all, we need to connect an external warehouse to our main building and we'll probably be able to do that with a dedicated fiber connection. My main concern is about security: the warehouse is not managed by us and I would like to prevent any potential issue that could arise from that.

In the warehouse, external people will use our devices with a cabled LAN connection (we'll probably provide a dedicated switch for that) and with a wireless connection (the APs are provided and managed by the supplier's IT department). In our main building, instead, LAN, WLAN and WAN are managed by a SonicWall cluster that has many free interfaces available.

The number of devices will be <10 and my idea was to set up a dedicated /24 network for that, but what's the best way to connect this to our system? What kind of devices will we need?

Thank you



Managing an ASA from an interface not facing you

topology:

me - (asa gi1/1 172.16.1.1) ASA (asa gi1/2 172.17.1.1) - OUTSIDE

In the above I can only ever access the ASA from the interface IP facing me. If I am on the LAN then I can only access it via 172.16.1.1. If I am on the outside then I can only ever access it via 172.17.1.1. If I'm on the outside I can't even ping the inside interface, and if I'm on the inside I can't ping the outside interface.

We don't use the dedicated management interface.

Can I resolve this without using the mgmt interface?



FTOS 9: Show VLANs by port?

This seems like it should be such a simple question (or Google search), but I'm unable to find this information anywhere. All I want to do is show the VLANs to which a port is assigned by port. It's simple to show the ports assigned to a VLAN, but there has to be a way to do the reverse, right?

(Dell S3048-ON running FTOS 9.)



Need reading material to start a project

We are starting a project to redesign our network infrastructure moving from DMVPN to a SD-WAN solution and connecting our network to Azure with Express Route.

The network people I work with (I am a sysengineer) have sent me a lot of documentation (mostly diagrams) and there are a lot of network protocols and concepts I have heard of but need to understand so I can understand the design decisions.

Terms I mostly see all-around: ELAN, VPLS, ANY-2-ANY, MPLS, peering, BGP, EIGRP, NAT, sNAT,...

Could you recommend some material to train myself? I would prefer something that gives the big picture rather than 800 pages about BGP alone. Any recommendations are much appreciated.



Thursday, July 25, 2019

Cisco 2960c + ISE 2.4 - 802.1X authentication won't work

Trying to configure a 2960c switch to do port-based 802.1X for wired clients. Switch has the so-called 'lan lite' license.

Global configuration commands include:

aaa new-model
dot1x system-auth-control
radius server CiscoISE24
 address ipv4 10.X.XX.XX auth-port 1812 acct-port 1813
 key 0 XXXXXXXX
aaa group server radius 802.1X_Auth
 server name CiscoISE24
aaa authentication dot1x default group 802.1X_Auth

My ISE instance is configured to deliver a VLAN assignment if authentication succeeds. Test AAA group indicates a successful authentication from 2960c to ISE:

cisco2960c#test aaa group radius vpnuser@int.mydomian.net XXXXX new-code
User successfully authenticated

USER ATTRIBUTES
username             0   "vpnuser@int.mydomain.net"
tunnel-type          1   13 [vlan]
tunnel-medium-type   1   6 [ALL_802]
tunnel-private-group 1   "102"
security-group-tag   0   "0004-00"

And I can see the successful authentications in the ISE RADIUS Live Logs and the proper/desired Policy Set on ISE is triggering.

However, when trying to configure the interface on the 2960c something is going sideways. Here's the config:

interface FastEthernet0/3
 description 802.1XclientAccessToVLAN102
 switchport mode access
 access-session port-control auto
 dot1x pae authenticator

The switch is running SW Version 15.2(7)E. I'm trying to authenticate a macOS client via configuration profile for 'any ethernet' interface on the MacBook testing client.

dot1x all + radius + aaa authentication debugging tells me the following when I connect the cable to the port and then attempt to authenticate:

*Jan 23 13:13:41.832: dot1x-ev:[Fa0/3] Interface state changed to UP
*Jan 23 13:13:41.840: dot1x-ev:DOT1X Supplicant not enabled on FastEthernet0/3
*Jan 23 13:13:43.828: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
*Jan 23 13:13:44.835: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
*Jan 23 13:13:55.958: dot1x-packet:[d0a6.37e4.9581, Fa0/3] queuing an EAPOL pkt on Auth Q
*Jan 23 13:13:55.958: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
*Jan 23 13:13:55.958: dot1x-packet: length: 0x0000
*Jan 23 13:13:55.958: dot1x-ev:[Fa0/3] Dequeued pkt: Int Fa0/3 CODE= 0,TYPE= 0,LEN= 0
*Jan 23 13:13:55.958: dot1x-ev:[Fa0/3] Received pkt saddr =d0a6.37e4.9581 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
*Jan 23 13:13:55.958: dot1x-ev:[Fa0/3] Couldn't find the supplicant in the list
*Jan 23 13:13:55.958: dot1x-ev:[d0a6.37e4.9581, Fa0/3] New client detected, sending session start event for d0a6.37e4.9581
*Jan 23 13:14:00.958: dot1x-packet:[d0a6.37e4.9581, Fa0/3] queuing an EAPOL pkt on Auth Q
*Jan 23 13:14:00.966: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
*Jan 23 13:14:00.966: dot1x-packet: length: 0x0000
*Jan 23 13:14:00.966: dot1x-ev:[Fa0/3] Dequeued pkt: Int Fa0/3 CODE= 0,TYPE= 0,LEN= 0

Been scouring all the Cisco forums, trying to figure out the error of my ways. No minor config tweak seems to make a difference.

Q1) Am I limited by the license on the 2960c and therefore unable to do dot1x?

Q2) Or have I just configured the 2960c incorrectly?

Q3) Do I have to do additional config to get the switch to handle the returned VLAN ID from ISE?

I've tried explicitly assigning 'switchport vlan 102' on the interface as well. But the client obtains a DHCP address, can route traffic, and essentially doesn't appear to need the 802.1X authentication.

Thanks for having a look.



Where did I fuck up?

Ok this is driving me nuts

I wanted to set up a basic 2 subnetworks connection.

first sub: 192.168.1.0/29

second: 192.168.1.8/29

gave my router's interfaces 192.168.1.1/29 and 192.168.1.9 based on what subnetwork it's facing

PCs within a sub can ping each other fine but no machine can make it to the router and thus can't ping machines from the other subnetwork!

Screenshot of topology

I'm sure it's simple and I'm just being retarded xD

EDIT: there is a typo in the topology, it's 192.168.1.8/29



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.



Replaced a switch, uplink doesn't seem to be working now

I help manage a small testing environment, and we replaced an aging Cisco Catalyst 3750 with a Catalyst 2960-X today. This was a direct replacement, and we copied over the config as best we could on the upgraded firmware/ port reduction. However, I am unable to communicate from connected devices or even ping from the switch when the uplink (port 24) is connected. When I return the uplink cable to the old switch, I am able to ping from the switch outside. I am using 8.8.8.8 as my sample ping for both examples.

This is used as part of a training environment, and we have some new hires that are planning to access it soon. Ports are showing as active, and when I run a show interface. I do not have access to the uplink switch, but if I could point to something specific could probably find someone that does.

Am I missing something that is new since 12.2? Any ideas as to what might be going on?

Old Switch Config - https://pastebin.com/xnYUa063
Old Switch Show Interface - https://pastebin.com/xx6Q8LFr

New Switch Config - https://pastebin.com/eBG2U9ZC
New Switch Config - https://pastebin.com/yNwKBsJ3



The network off switch

We keep hearing about crypto-malware spreading and one of the last ones I heard, the report was that IT staff was actively shutting down devices and unplugging cables.

Obviously this is not a great strategy for preventing the spread of crypto-malware, but...what if we had an elegant mechanism for doing this?

I've got scripts that automatically walk through switches and figure out neighborships. I could write something that figures out if a port is: a) an access port, b) not a trunk port, c) not a port with 3+ MAC addresses on it (likely a switch), d) carrying a VMware MAC, in which case it is shut down, e) showing LLDP or CDP info that identifies a switch or router, f) not the port facing the default gateway, etc.

Assuming all those conditions are met, we might be able to have a network OFF switch. This is far more elegant than running around shutting down switches and pulling cables, and it allows admins to slowly restore service to the network as they proceed with cleaning systems.

So I can do this. But maybe someone else has done something already? Or maybe it is just a stupid idea and it isn't worth looking into.
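The decision logic behind such an off switch, written out as an added example (not the poster's script): each port's facts are evaluated against the conditions listed above, and the result is a shutdown list plus a keep list that can be reviewed before anything is pushed. The `PortFacts` fields, the sample inventory, and the rule ordering are assumptions.

```python
"""Decision logic for a 'network off switch': given facts gathered per switch
port, decide which ports are safe to shut during a crypto-malware containment
and which must stay up. Added example, not the poster's script; PortFacts, the
inventory below and the rule order are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Publicly registered VMware OUIs (first three octets, lowercase).
VMWARE_OUIS = {"00:0c:29", "00:50:56", "00:05:69", "00:1c:14"}


@dataclass
class PortFacts:
    name: str                      # interface name, e.g. "Gi1/0/7"
    mode: str                      # "access" or "trunk"
    macs: List[str] = field(default_factory=list)  # MACs learned on the port
    neighbor_caps: Optional[str] = None  # CDP/LLDP capability string, if any
    faces_gateway: bool = False    # the default gateway's MAC was learned here


def is_vmware_mac(mac: str) -> bool:
    """True when the MAC's OUI belongs to VMware (a VM or vmkernel interface)."""
    return mac.lower().replace("-", ":")[:8] in VMWARE_OUIS


def classify(port: PortFacts) -> Tuple[str, str]:
    """Apply the post's conditions in order of risk; returns (action, reason).

    action is "shutdown" (safe to isolate an end host) or "keep" (infrastructure,
    or too uncertain to cut without causing a wider outage)."""
    if port.faces_gateway:
        return "keep", "port faces the default gateway"
    if port.mode != "access":
        return "keep", "trunk port"
    caps = (port.neighbor_caps or "").lower()
    if any(word in caps for word in ("switch", "router", "bridge")):
        return "keep", f"CDP/LLDP neighbor is infrastructure ({port.neighbor_caps})"
    if any(is_vmware_mac(m) for m in port.macs):
        # A VMware host carries many VM MACs, so test this before the MAC-count rule.
        return "shutdown", "VMware MAC present, virtualization host"
    if len(port.macs) >= 3:
        return "keep", f"{len(port.macs)} MACs learned, probably an unmanaged switch"
    return "shutdown", "single-host access port"


def plan(inventory: List[PortFacts]) -> Dict[str, List[Tuple[str, str]]]:
    """Split an inventory into the ports to shut and the ports to leave alone."""
    result: Dict[str, List[Tuple[str, str]]] = {"shutdown": [], "keep": []}
    for port in inventory:
        action, reason = classify(port)
        result[action].append((port.name, reason))
    return result


def ios_commands(plan_result: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Render the shutdown list as Cisco IOS configuration lines. Dry run only:
    the lines are returned as text for review, never pushed to a device."""
    lines: List[str] = []
    for name, reason in plan_result["shutdown"]:
        lines += [f"interface {name}", f" description OFF-SWITCH: {reason}", " shutdown"]
    return lines


# Constructed sample inventory (fake MACs and interface names).
SAMPLE = [
    PortFacts("Gi1/0/1", "trunk", ["00:11:22:33:44:01"], "Switch IGMP"),
    PortFacts("Gi1/0/2", "access", ["00:11:22:33:44:02"], faces_gateway=True),
    PortFacts("Gi1/0/3", "access", ["00:11:22:33:44:03"]),
    PortFacts("Gi1/0/4", "access",
              ["00:50:56:aa:bb:01", "00:50:56:aa:bb:02", "00:0c:29:aa:bb:03"]),
    PortFacts("Gi1/0/5", "access",
              ["00:11:22:33:44:05", "00:11:22:33:44:06", "00:11:22:33:44:07"]),
    PortFacts("Gi1/0/6", "access", ["00:11:22:33:44:08"], "Router"),
]

if __name__ == "__main__":
    for action, ports in plan(SAMPLE).items():
        for name, reason in ports:
            print(f"{action:8} {name:10} {reason}")
    print("\n".join(ios_commands(plan(SAMPLE))))
```

Restoring service afterwards is the same list walked in reverse, which is why the plan keeps the reason next to every port.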



Redirect console traffic via PC through router

Hey guys,

just a basic networker here, so apologies if I get some terms wrong. By now, some of you must have heard of the region restriction on GTA, so I've been looking into that.

I'm currently leaning towards buying a new router and flashing DDWRT on it, and running a VPN.

But I was thinking maybe there is a (cheaper) way, one where I would run Xbox traffic to the PC and then from the PC to the router.

However, the tricky part here is that both devices are directly connected to the router.

So is it technically feasible to get the Xbox to run the traffic through the router to the PC and then have the PC running a VPN and send that traffic back to the router and out to the nets?

Or am I just better off buying a router, flashing it with custom firmware, and using that as a gateway between the Xbox and the router?

Thanks for your help!



Is this switch setup creating a network loop?

One of the sites we manage has a network that was set up by a contractor some time before I started here, and we haven't made a whole lot of changes to the network itself. I've been tasked with troubleshooting an issue that affects primarily the WiFi.

Our documentation for this site was very incomplete, and it's a remote site that we don't get to often. What we had done was upgrade the SonicWall with a more-or-less 1-to-1 swap of the configuration. After that switch-over we started to get more complaints about the WiFi. I don't know if that's because for a while they saw more of us or if they had an uptick in incidents, but I was going off of the idea that there must be a problem with the SonicWall.

Until today. I've realized that there seems to be a loop of some sort and my background knowledge with this setup and different switchport modes is causing me to use extra caution. Here's the basics:

There are 3 Cisco switches. Two (Switch1 and Switch2) are set up as access switches with STP running and have interconnected DAC cables between them; the last one has every port set to trunk. Switch2 and Switch3 are connected together via an Ethernet cable. Switch2 is supposed to have the only uplink to the WiFi APs. We have a Ubiquiti ToughSwitch that has all the WiFi APs plugged into it. I can see the MAC addresses for the WiFi APs off of separate ports on Switch2 and Switch3, neither port being the uplink port between the two of them.

So, it appears that we have an access port with STP facing the ToughSwitch, and a trunk port facing the ToughSwitch, on two different switches that are otherwise themselves connected.

Outages last 1-2 minutes on average, come seemingly at random, and only seem to affect WiFi users. Are these the types of conditions that would create a loop?



GNS3 without paying money and still run e.g. Cisco simulations?

Hi,

I was trying to do some network simulations with GNS3, but there seems to be a dead end where I have to download these images. Which as far as I know requires a Cisco Virtual Internet Routing Lab Personal Edition (VIRL PE) subscription of 200 dollars.

Is there a way to use GNS3 in a way where it's still authentic to 'real' network hardware (Cisco/Juniper) but without spending any money?



Cisco ASA 55XX - Two Interfaces on same subnet/L2 Interfaces

Hello,

I have a situation where I would possibly have the following setup:

VLAN 1 (192.168.1.0) <—> Cisco ASA <—> Cisco Router (192.168.1.254)

The ASA will be the gateway for VLAN 1 and then route via the Cisco router to the internet.

Is it possible to have: A) The two interfaces on the ASA within the same subnet?

Or

B) Have one of the interfaces act as an access port L2 interface?

I cannot think of a way to get the above working. Is there a solution to get the above working without re-IPing either VLAN 1 or the router?



Force10 S55 Firmware

Hello all,

I recently got a Dell Force10 S55 switch off of eBay for a budget job; however, I didn't realize that Dell only gives out firmware to those with a Dell account. Can anyone help?



Assistance with OSPF failover

Good afternoon, we are updating our core soon. We are currently relying on static routes on the core to push traffic bound for AWS to an ISR that handles the AWS Direct Connect circuit. We have VPNs on our firewall that stay inactive; however, in the event of a disaster we can manually turn the VPNs on and change the static route for the AWS network to the firewall instead of the ISR. This honestly sucks for failover. We have discussed rolling out OSPF when we do our refresh/update. I am just now dipping my toes into dynamic routing. Is it possible to configure OSPF to forward traffic out the VPN link instead of the ISR in the event of an outage? From my understanding, this can be done with BFD along with OSPF. In your opinion, what would be the preferred way of handling this?



Mobile Command Station Ideas

Hi All, my company is looking for me to build out a mobile command station, costs aside. Can you give some recommendations on what to throw out there? What type of wireless (this will need to connect to corporate)? What type of power, racks, routers, etc.? Any other network/infrastructure ideas for redundancy, again costs aside?

Thanks !



What's the difference between an IE3000 and an IE4000 switch?

Articles perhaps? Or general thoughts?

Thanks!



Stacked Dell Powerconnect firmware upgrade

I'm not sure if this is the right sub for this or not but I'm trying to get a question answered before I dive in to this.

We have two PowerConnect 6224s that are stacked and redundant. We need to update the firmware on the stack. From the documentation I can find, it just says to upgrade the master and it will upgrade the stack. What I can't find an answer to is whether it will fail over to the non-master switch while the master is upgrading, and then back once the second one starts upgrading.

I figure it should since the redundancy is why these are configured that way but this will kill the connection to our production SAN if both switches are down.



Best way to connect a server to 2 layer 3 switches?

I have servers with 4 NICs each, and 2 L3 switches, that's the entirety of my current network. What would be the best way to connect these?

Currently running 2 NICs to each switch (duh) with SVIs for all VLANs on each, running VRRP and a trunk between the 2 switches.

I haven't noticed any issues as of yet, just wondering if there's a better (more best practice-y way) to do it.



Help - Need to block port 389 - bandwidth is getting destroyed (W2016 Server & Sonicwall)

https://ift.tt/2YhtXOf

VOIP POE Phone brings down Data network

Hi All, Long time lurker here

I am a jack-of-all-trades sysadmin and use contractors to implement any projects as required.

I have a PoE stack (VoIP PoE telephone system) and a data stack (PCs/servers) which are connected to allow a "one line to the desk" option if required. This has been fine and working for years. On Wednesday I came into work and had to deal with "nothing is working!"

Looking at the network, all PC/server connections were intermittent or had high performance. I started at the Windows end looking at DNS, DHCP, domain controllers, AV, etc., but nothing resolved the issues, so I looked further into the switch/networking end.

I confirmed that nothing out of the normal was happening on the switch stacks' CPUs or logs, but finally disconnected the LAG from the PoE stack for the VoIP system to the data stack. This resolved the issue instantly, and reconnecting replicated the performance issue.

When I finally was able to chat to the network VoIP contractor that set up the system, he was able to confirm that all the PCs and servers wanted to connect to the network via what appears to be a single VoIP handset on a single port of a PoE switch. When I disconnected the phone and reconnected the LAG between the stacks, the performance was no longer an issue. When I tried to reconnect the phone in question to replicate the problem, it did not cause any performance issues, at least for the 5 minutes it was connected.

The phone in question was being used to connect a PC to the data network, which is now connected to the main data network without issue. The PC is completely locked down for non-admin users, so there should be no viral or malicious software.

I hope this makes sense

I am still confused about how a single VoIP phone can bring down an entire data network.

Any advice would be welcomed.



Question about Ekahau Pro/Sidekick

I've recently taken on the mantle of WiFi architect on top of my already toppling pile of responsibilities, and part of that is choosing what to buy for our site surveying/predictive surveys.

I've been told to go Ekahau, but am unsure about whether or not I need the sidekick. Ekahau Pro comes with a USB adapter that can do surveys, so having a sidekick seems a bit redundant.

Am I missing something? Should we be getting the Sidekick? If so, why?



Where is the industry going? What do you think?

As an interested observer of the industry I read claims of imminent convergence of routing and switching like https://www.nextplatform.com/2019/07/23/the-switch-router-war-is-over-and-hyperscalers-won/ and can't fail to notice the recent rise of bare-metal switches and open source network operating systems vs proprietary vendors -- but obviously lack the experience of professionals working in such environments to understand what is really going on.

Where do you think the industry is moving to in the next years? As far as a whole decade? What of this will trickle down to lower end environments, if at all?



Wednesday, July 24, 2019

Wireless AP Signal Survey Tool or Wireless AP Calculator Tool

I would like to find out whether there is any Wireless AP Calculator Tool to calculate/survey the following:

- How many AP we need to buy vs the area coverage in a Warehouse

- Interference check

- Frequency check

- and etc...

Thank You



L3 congestion and inter-VLAN performance with layer 2 switching

Disclaimer: I’m not an expert. I do networking on the side, so please correct me if I’m wrong about anything. I’ve also done quite some research but couldn’t find what I’m looking for other than the advice to get an L3 switch instead.

We have a small network containing a R210 II pfSense router/firewall, a UniFi switch, and UniFi APs feeding internet to both home and business.

The guest network has its own VLAN. However, VoIP, IPTV, game consoles, IP cams, IoT devices, etc reside on the very same untagged VLAN. This has always made me incredibly uneasy. Ideally, I’d add VLANs, isolate where possible, configure mDNS, and make everything tagged, but with our switches being layer 2, I’m afraid it will hurt inter-VLAN performance and unnecessarily congest the entire network on layer 3 (since the R210 II will be doing all the routing).

We’ve encountered serious bottleneck issues before which ultimately had us upgrade to the R210 II with pfSense. Our network has never been this stable, but I may be asking too much regarding VLANs. I can’t really test things freely as everything’s in production, so I’m here to ask for advice from the pros!

(I realise the layer 2 switch was a mistake. We could’ve got a layer 3 switch which cost just as much as the UniFi, but it is as it is now.)

To VLAN or not to VLAN?



Another printer story

I think printers are universally hated by IT, this is one of the weirder things I've seen.

A business with 9 HP printers, same model, all had them stop responding to the print server over VPN today. The printers were locally accessible, and PCs on the same network had no VPN issues. If I shut/no shut the printer port they would become accessible again over VPN; if I went to the printer's network setup page and simply clicked "apply", the printer would start responding again. I dropped the tunnel, bounced the switch/firewall, and the printers would come back up for a few minutes and then go dark across the VPN. Tonight, everything seems to be working perfectly fine across the VPN. At this point we're pointing to a solar flare, completely clueless.



Can NBASE-T-capable SFPs work in older 10G SFP+ Ports?

Right now my home server is a HPE ProLiant ML110 Gen10, and the onboard Broadcom NICs aren't working for my use case (I'm on FreeBSD and FBSD's Broadcom driver sucks). I am considering getting a 10G NIC.

On eBay, open box Mellanox NICs are going for $50-60 whereas new NBASE-T-capable Aquantia AQtion NICs are $80-100, so why not save the extra money for a server-grade NIC?

However, I am asking whether an NBASE-T-capable SFP would work on the Mellanox SFP+ cards made pre-NBASE-T standardization. Would they?

Currently, my LAN operates at a Gigabit and I'm not upgrading in the short term. However, if I'm looking at a new NIC anyways why not prepare for a 2.5/5/10 Gigabit LAN in the long term instead of just staying with Gigabit?



Forced to spend eternity encased in ISE

Just had an awful day. My company bought ISE before I was hired and the vendors really oversold them. The vendor actually gave them a two week plan to get to enforcement mode. No really.

Now they have decided that I "have to make it work" and everything is on hold until some random aspects of ISE are put in place to satisfy management.

I was too technical in describing ISE and was scolded for this. I agree. Simultaneously, I'm forced to walk a thin line when management says "we were told we would have visibility into the whole network, so why aren't there alerts?" How do I explain that to them when they were never told about actually profiling devices or even setting up dot1x? They think it was finished when the vendor went home.

I'm probably not the only person here who feels like management can't be trusted to make a decision for the company before their own careers. But the way this meeting went today, I feel like I need to learn how to communicate about the network better. My point never gets across.

I'm willing to do pretty much anything to change. Advice, books to read, anything productive is very welcome. Currently studying to pass CCNP exam before Feb. Feel like pure technical isn't the issue.



Cellular router

I'm looking for a low budget cellular router that works from a SIM, meaning, not a USB modem. In my day to day job we use hardened Digi routers for some of our mobile/remote installs and they work great, but I'm working a side job where the budget isn't all that high AND the primary connection doesn't always fail, but when it does, a backup cellular router would be great.

The two features I am looking for are:

  • SIM card slot not USB modem
  • IP Passthrough, where it sends the WAN IP to the downstream device's WAN interface (avoiding double NAT). Digi calls it IP passthrough, others will know it as Bridge Mode. This isn't a must have, but it would be nice.

I do plan on contacting my Digi distributor and asking them for pricing on their lower models, but just in case those are still up there in price, I'd like some recommendations.

I know about Cradlepoint, but I'm not sure if they are similar to Digi in terms of needing to deal with a distributor. I've used Proxicast, but the last time I used Proxicast they didn't have built-in SIM slots; their routers had USB slots for USB modems.

I've already spoken to the customer about a second internet connection, I've explained to them that the cost of downtime/their guests being inconvenienced and leaving/etc will cost more than the second ISP connection, while they do agree, they are also not able to get cable, at this time (they are currently running uverse). I know there are small business fiber packages I can get from AT&T (which is different from enterprise fiber), but those costs were a bit too high, at this time, for their budget.

Thanks.

Before submitting this post, I did a quick search for Digi on amazon just to see what is available...I'm going to look into this model a bit more, but this is very affordable especially if it has the same/similar functionality as my current Digi routers (IP Passthrough).

https://www.amazon.com/Digi-TransPort-WR11-XT-Cellular/dp/B07D436YXK/ref=sr_1_3?keywords=digi+gateway&qid=1564023947&s=gateway&sr=8-3



SMB router upgrade: do we need the security package subscription

Hi all, our local shop is suggesting a SonicWall TZ 300 upgrade for our small business router & VPN solution. We got a quote that includes a 2-year security suite package. Is this package really needed? It's $300 or $400 per year, depending on the length of subscription. We are a small team, without an IT department, and rely on this outside seller/shop to provide us with solutions. That being said, we also don't want to be up-sold on something we don't need. Thanks for your tips.



Azure Site-to-Site VPN to SonicWALL - Working at one site and not another with exact same config

This is driving me nuts so I hope someone can help...

We have a SonicWALL device at a remote location that has a site-to-site VPN connection to Azure. This works perfectly locally at the remote location and over SSLVPN. The connection has been up and running for almost 2 years now with little to no downtime. That remote location has asked us to set up a DR SonicWALL so that if their internet goes out in their office, they can connect to the SonicWALL in our office via SSLVPN and access all of their Azure resources.

I took a backup of the configuration on their SonicWALL and imported it into the new SonicWALL. All settings are the same aside from the LAN subnet which we changed to have an IP address on our local network for management purposes. I successfully added the new Local Network Gateway in Azure and added it to the same Virtual Network Gateway that the original Local Network Gateway uses. Since I used a backup file for the new SonicWALL, the VPN connection came alive instantly and I can see the connection is established in Azure on the Virtual Network Gateway and on the SonicWALL.

When I connect to the newly configured SSLVPN, I cannot access any of the Azure resources. We run a file share up there which I cannot access, and there are servers with RDP configured which I cannot connect to. There have been 2 or 3 times today where the RDP connection was successful the second I connected to the SSLVPN, and then every attempt after that failed.

VPN Configuration on both SonicWALLs = One gives access to an Address Group (local and SSLVPN subnets) and new SonicWALL just gives access to SSLVPN IP range

Firewall rules = Same

NAT Policies = None

Routing = Same

Azure NSG and Source IP Ranges configured properly in Azure

::Found this while making this post:: Found these logs being logged over and over and over. Every 2 seconds. I know this is the problem but how do I go about resolving this?

IKEv2 Send Dead Peer Detection Response
IKEv2 Received Dead Peer Detection Request

Any help would be appreciated!

(Another thing I noticed is that the protocol being used for the VPN to Azure is UDP port 500. Could my ISP be blocking UDP traffic?)



Technical Interview at Cisco - Part 4

So Cisco called me today and told me that I didn't get the job. I asked why, and they said that even though I did well on the technical interview, they think I don't have enough datacenter experience.

She said the transition from enterprise to datacenter is steep and they hired someone with more experience.

She also advised me to try to work for the enterprise TAC and then transition to datacenter later if that's what I want to do.

They are right though, I have no real datacenter experience at all. Almost all of my experience is in enterprise, and even then it's smaller ones. Maybe around 1k people, so really just larger SMB I guess. The only datacenter experience I have is using colos :) But I was still hoping they would make me a 1st line datacenter guy at least. I was really hoping to get into larger, more complex networks.



Cheap SSL certs?

Hi. I'm looking for some cheap SSL certs. The cheapest I could find was around $200 per year. Is that about the best I can do?



Aruba 2930F vlan Issues

Hi,

I have a pretty simple problem... I did this dozens of times and it just worked, but this time I fucked up somewhere and I really can't see the issue.

So this is the config:

vlan 82
   name "vlan82"
   untagged 3
   tagged 48
   ip address 192.168.13.254 255.255.255.0
   exit

Port 48 is tagged because all the VLANs come in from that port and get distributed further. I just wanted to test this part, so I untagged the VLAN on interface 3, plugged my notebook into interface 3, set the IP address 192.168.13.10/24 with the gateway .254, and tried to ping the gateway...

timeout.

I really don't get what I did wrong, after almost 50h straight looking into Aruba and H3C interfaces, the cisco guy in me just gave up... -.-



Outside->In with commercial connections

Hi All,

Trying to understand how to set up a site that has redundant commercial connections, like a Comcast router and a FiOS router in front of a Cisco router. If we have services that rely on using a public IP to connect outside->in on a few specific ports from a few specific sources, those sources would have to use a public IP from one of those two carriers. I don't think we have the ability here to advertise IP space to the carriers, so how can we make the site reachable when we fail from the IP of one provider to the IP of the other? Do we just give the provider both IPs? Is there a more elegant way to solve this? Some sort of VPN from the provider to a central point on the network? Any info on how that would be set up? How would we do this for multiple sites?

Thanks



DNS64 and dual stack hosts interaction

Good morning all,

I'm working on a plan for beginning to support IPv6 within our enterprise network. I know for sure that we will at some point have IPv6-only clients, and a large base of IPv4-only servers/clients. So I will need to utilize translation for some flows, using DNS64 to point to a NAT64 router. My concern is preventing the dual-stack clients from using the NAT64 router for unnecessary traffic. From what I have researched, for most operating systems, if there is an IPv6 interface available, when attempting to resolve a hostname the client will send both an AAAA request and an A request. Depending on the application, it may use the fastest connection (the Happy Eyeballs RFC), but I'm more worried about our in-house software that likely does not have that capability and will prefer the NAT64-prefixed IPv6 address, forcing traffic to the NAT64 router.

I am not the most well versed in DNS, but one potential option I have seen is to use "filter-aaaa-on-v4", which would filter AAAA resolution for IPv4-sourced requests. But at that point I am locking those dual-stack hosts out of IPv6 entirely until they transition off of IPv4. What would be ideal, I think, is to prevent DNS64 from creating a synthesized NAT64-prefix AAAA record for DNS requests sourced from IPv4 transport, but not block valid AAAA records from being returned. I'm not sure if this is possible or exactly how to do it; any assistance would be appreciated!

Also if anyone has run into any gotchas with a mixed environment of IPv6 only / dual stack clients, this will be my first production environment running IPv6 so I am trying to figure out all the entanglements ahead of time - any tips would be appreciated.
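The synthesis step and the resolver policy the post describes, as an added example (not a real resolver and not from any DNS64 implementation): an IPv4 address is embedded in a /96 NAT64 prefix the way DNS64 does it, genuine AAAA records are always returned untouched, and synthesis is skipped when the query arrived over IPv4 transport. The zone data and client addresses are constructed, and using the query's transport as the dual-stack signal is the post's heuristic, not part of the RFCs.

```python
"""Model DNS64 synthesis (RFC 6052 /96 embedding, RFC 6147 synthesis rules)
together with the policy the post is after: keep real AAAA answers, synthesize
NAT64 addresses only for IPv4-only names, and skip synthesis when the query
itself came in over IPv4. Added example; zone data and client addresses are
constructed, and 'IPv4 transport means dual stack' is an assumed heuristic."""
import ipaddress
from typing import Dict, List

# RFC 6052 well-known NAT64 prefix; with a /96 the IPv4 address sits in the low 32 bits.
WKP = ipaddress.IPv6Network("64:ff9b::/96")

Zone = Dict[str, Dict[str, List[str]]]   # qname -> rrtype -> rdata list


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = WKP) -> ipaddress.IPv6Address:
    """Build the AAAA record DNS64 would hand out for an A record."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def is_synthesized(addr: str, prefix: ipaddress.IPv6Network = WKP) -> bool:
    """True when an IPv6 address falls inside the NAT64 prefix (i.e. traffic to it
    will be steered through the NAT64 router)."""
    return ipaddress.IPv6Address(addr) in prefix


def extract_ipv4(addr: str, prefix: ipaddress.IPv6Network = WKP) -> ipaddress.IPv4Address:
    """Recover the embedded IPv4 address from a synthesized AAAA (the reverse mapping)."""
    if not is_synthesized(addr, prefix):
        raise ValueError(f"{addr} is not inside {prefix}")
    return ipaddress.IPv4Address(int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFF)


def dns64_answer(qname: str, zone: Zone, source_ip: str,
                 prefix: ipaddress.IPv6Network = WKP) -> List[str]:
    """Answer an AAAA query under the post's policy.

    1. A genuine AAAA RRset is returned as-is (RFC 6147 only synthesizes when
       no AAAA exists).
    2. If the query arrived over IPv4, assume a dual-stack host and return an
       empty answer so it falls back to the A record (assumed heuristic).
    3. Otherwise synthesize one AAAA per A record."""
    rrsets = zone.get(qname, {})
    if rrsets.get("AAAA"):
        return list(rrsets["AAAA"])
    if ipaddress.ip_address(source_ip).version == 4:
        return []
    return [str(synthesize_aaaa(a, prefix)) for a in rrsets.get("A", [])]


# Constructed zone data using documentation addresses.
ZONE: Zone = {
    "v4only.example": {"A": ["192.0.2.33"]},
    "dual.example": {"A": ["192.0.2.44"], "AAAA": ["2001:db8::44"]},
}

if __name__ == "__main__":
    for client in ("2001:db8:1::10", "198.51.100.7"):
        for name in ZONE:
            print(f"{client:16} {name:16} -> {dns64_answer(name, ZONE, client)}")
```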



WPA2-enterprise certificate settings / GPO configuration that will help filter out unwanted certs ?

Hi Everyone,

I have an annoyance issue with our WPA2-Enterprise WiFi setup. We have configured it with user certificate authentication, which checks that the user has the required PKI cert in order to authenticate.

The issue is when an end-user has more than 1 enrolled certificate (iTunes, MS Access, Duplicates) - Windows will ask the end-user to choose between the enrolled certs for the authentication instead of taking the PKI one automatically.

Has anyone seen this before, or does anyone know how to approach it?



BGP Fast External Failover & BGP Timers

I'm currently planning on reconfiguring some eBGP sessions in our network from using loopbacks to being directly connected.

One of the main drivers for this is to take advantage of 'BGP Fast External Failover' so that the BGP session will be terminated without waiting for the hold timer to expire. We currently have timers set to 30 keepalive and 90 hold time. This causes a blackhole during link failure until the hold time is reached and routes learned via another neighbor can be chosen as best path.

Another bonus is that we get to remove OSPF from the neighboring routers which is currently used to advertise loopbacks.

In a nutshell, I was wondering why the default for BGP timers is 60 180 anyway? 3 minutes seems a long time to wait in this day and age!



Authentication on the network with FreeRADIUS and LDAP

Hi everyone,

So in my company we are trying to restrict access to the network (Ethernet only) to known computers only. The configuration is pretty simple: n clients and 1 server which acts as a DHCP server and an LDAP server.

My plan so far is to set up FreeRADIUS to act as a DHCP server and assign an IP to a newly connected device only if it has the appropriate certificate.

What I'm wondering is, in the LDAP, should I put the certificate for each device, against which each device certificate will be compared. Or should I just publish the CA certificate, and then FreeRADIUS will check if the client certificate has been signed by the CA?

Also, is there any particular configuration to do aside from configuring the connection between FreeRADIUS and LDAP and setting up the certificates?

Thanks for your help.



Cisco ASA - from Standalone to HA

Does anyone know if adding an HA config to a standalone ASA causes any outage? Currently I have a single 5545 and I want to add another to create an HA pair. I have all the config ready to go on both units to set up a pair and kick off the config replication, but I wonder if this will generate a new MAC address for the pair or will it use the hardware MAC from the primary unit?



What is this Juniper SYSLOG entry?

One of my Juniper switches is throwing the below syslog messages:

dc-pfe: tvp_bcm84756_eeprom_read(1156): SFP 53, bus is busy:0. Going to reset the i2c master and slave reg_addr = 0x18000
fpc0 tvp_bcm84756_eeprom_read(1156): SFP 53, bus is busy:0. Going to reset the i2c master and slave reg_addr = 0x18000

I have of course googled this, but have come up with nothing.

Anyone able to advise?



Question about Aruba Mobility Controller Clustering?

Hi,

I am researching Aruba vMC 8.5 at the moment and I am a little confused about how failover works.

I was considering running Active-Active and load balanced with roughly 22 AP-315s across the two of them using two VRRP instances.

The part that is not really clear to me is whether the mobility controllers cluster to share configurations and allow the MCs to know which one has which APs, or whether they are stand-alone and you need to configure each one as an independent device.

I guess the configuration state clustering can only be achieved by having MC Masters, but I thought this was more suited for multi-site deployments, and we are currently a single site.

Any insight or experiences would be highly appreciated.

Thank you.



Best tools to perform mobile network testing

Hey, I'm planning on doing some in depth cellular network tests soon and I'm looking for the best tools to do so. I need to get some performance results across multiple mediums. I'm mainly going to be testing the new 5g network and I'm looking to see how in depth the performance testing I can do and what are the best networking tools/apps/software to do so. Any recommendations? Cheers



How do I enable PoE on an AR1200?

I have an AR1220V router and I want to turn on the PoE function. How do I enable it?



[Just a doubt] Subject for a thesis in security or network ?

I am doing a master's degree in computing and have always worked with firewalls and networks, and I have one year to choose a topic for a thesis, but I would like to pick one that allows me to apply for a doctorate in the future.

Any suggestions? Maybe something related to security or networking or both... or something that I could develop in Python... I don't know, I am confused. Thanks for any ideas.



Tuesday, July 23, 2019

Cisco Mobility Express Setup?

Hello

I have a few AP1832I-S-K9 APs. I can set up the Mobility Controller on one of the APs, but I can't get the AP to actually join the controller, which is odd. The controller is hosted on the AP, so why can't it join? I don't get it. My controller is configured with the 192.168.1.150 address.

Console Logs:

[*10/13/2015 00:54:08.5130] Capwap restart.

[*10/13/2015 00:54:08.5130] CAPWAP State: DTLS Teardown.

[*10/13/2015 00:54:08.5130]

[*10/13/2015 00:54:08.5230] [DP] Deleting capwap datapath

[*10/13/2015 00:54:08.5230] CAPWAP data tunnel delete from forwarding succeeded

[*10/13/2015 00:54:13.2615] DTLS session cleanup completed. Restarting capwap state machine.

[*10/13/2015 00:54:13.2615] Starting Discovery.

[*10/13/2015 00:54:13.2615] CAPWAP State: Discovery.

[*10/13/2015 00:54:13.2615]

[*10/13/2015 00:54:13.2615] Did not get log server settings from DHCP.

[*10/13/2015 00:54:13.2615] DNS Option IpAddr 192.168.1.1 SwitchName CISCO-CAPWAP-CONTROLLER.

[*10/13/2015 00:54:13.3015] DNS resolved CISCO-CAPWAP-CONTROLLER.

[*10/13/2015 00:54:13.3015] DNS discover addr: 23.217.138.107

[*10/13/2015 00:54:13.3015] DNS discover addr: 23.202.231.166

[*10/13/2015 00:54:13.3215] Discovery Request sent to 192.168.1.1 with discovery type set to 1

[*10/13/2015 00:54:13.3614] Discovery Request sent to 192.168.1.150 with discovery type set to 1

[*10/13/2015 00:54:13.3714] Discovery Request sent to 192.168.1.150 with discovery type set to 1

[*10/13/2015 00:54:13.3714]

[*10/13/2015 00:54:13.3714] SENDING DISCOVERY REQUEST wtpStartAcDiscovery:1433, Controller Suleman: IP Address 192.168.1.150

[*10/13/2015 00:54:13.3914] Discovery Request sent to 23.217.138.107 with discovery type set to 3

[*10/13/2015 00:54:13.4014] Discovery Request sent to 23.202.231.166 with discovery type set to 3

[*10/13/2015 00:54:13.4214] Discovery Request sent to 255.255.255.255 with discovery type set to 0

[*10/13/2015 00:54:13.4214] Discovery Response from 192.168.1.150

[*10/13/2015 00:54:13.4214] Discovery Response from 192.168.1.150

[*10/13/2015 00:54:22.7585] Selected MWAR 'sushahid' 192.168.1.150 (index 0).

[*10/13/2015 00:54:22.7585] Ap mgr count=1

[*10/13/2015 00:54:22.7585] Go join a capwap controller.

[*10/13/2015 00:54:22.7585] Choosing AP Mgr with index 0, IP = 192.168.1.150, load = 0..

[*10/13/2015 00:54:22.7585] CAPWAP State: DTLS Setup.

[*10/13/2015 00:54:22.7585]

[*10/13/2015 00:54:22.8185] Dtls Session Established with the AC 192.168.1.150, port= 5246

[*10/13/2015 00:54:22.8185] CAPWAP State: Join.

[*10/13/2015 00:54:22.8185]

[*10/13/2015 00:54:22.8285] PATH_MTU_PAYLOAD: encodelen = 273

[*10/13/2015 00:54:22.8285] PATH_MTU_PAYLOAD: slotId = 0

[*10/13/2015 00:54:22.8285] PATH_MTU_PAYLOAD: slotId = 0 pktlen 1485 capwap_size 1360 met->encodeLen 273 pmtu_size 1066 pktlen 1485 localLength 1071

[*10/13/2015 00:54:22.8285] PATH_MTU_PAYLOAD: slotId = 0 len 1485(1071)

[*10/13/2015 00:54:22.8285] Sending Join Request Path MTU payload, Length 1360

[*10/13/2015 00:54:22.8285]

[*10/13/2015 00:54:22.8285] Join Response from 192.168.1.150

[*10/13/2015 00:54:22.8285] AC accepted join request with result code: 0

[*10/13/2015 00:54:22.8285]

[*10/13/2015 00:54:22.8285] PMTU : Setting MTU to : 1485

[*10/13/2015 00:54:22.8285]

[*10/13/2015 00:54:22.8285] Starting Post Join timer

[*10/13/2015 00:54:22.8285] CAPWAP State: Image Data.

[*10/13/2015 00:54:22.8285]

[*10/13/2015 00:54:22.8385] AP current image version 8.1.122.0

[*10/13/2015 00:54:22.8385] Controller current image version 8.1.122.0

[*10/13/2015 00:54:22.8385] AP running image version 8.1.122.0

[*10/13/2015 00:54:22.8385] Version is the same, do not need update.

[*10/13/2015 00:54:22.8385] CAPWAP State: Configure.

[*10/13/2015 00:54:22.8385]

[*10/13/2015 00:54:22.8885] ethtool wired0

[*10/13/2015 00:54:22.8985] ethtool wired0

[*10/13/2015 00:54:22.9285] PATH_MTU_PAYLOAD: encodelen = 2586

[*10/13/2015 00:54:22.9285] PATH_MTU_PAYLOAD: slotId = 0

[*10/13/2015 00:54:22.9285] PATH_MTU_PAYLOAD: slotId = 0 len 1485(5)

[*10/13/2015 00:54:22.9385] Configuration Status sent to 192.168.1.150

[*10/13/2015 00:54:22.9485] Ignoring callback message Close alert received..

[*10/13/2015 00:54:22.9485] DTLS: Received packet caused DTLS to close connection

[*10/13/2015 00:54:22.9485]

[*10/13/2015 00:54:22.9485] Lost connection to the controller, going to restart CAPWAP...

[*10/13/2015 00:54:22.9485]

[*10/13/2015 00:54:22.9485] Capwap restart
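
The join sequence in that log is easier to read as a state trace than as raw lines, so here is an added example (not from the original post) that parses it: it picks out each CAPWAP State transition, the controllers that answered discovery, whether the AC accepted the join, and the first line explaining a teardown together with the state the AP was in at that moment. The sample input is a trimmed excerpt of the log above; the marker strings and the summary format are this example's own choices.

```python
"""Summarise a Cisco lightweight AP's CAPWAP join from its console log.

Added example, not from the original post. Lines look like
"[*MM/DD/YYYY HH:MM:SS.ffff] message"; blank messages and non-log lines are
skipped. SAMPLE_LOG is a trimmed excerpt of the posted log.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LINE_RE = re.compile(r"^\[\*(?P<ts>[\d/]+ [\d:.]+)\]\s*(?P<msg>.*)$")
STATE_RE = re.compile(r"CAPWAP State: (?P<state>[A-Za-z ]+)\.")

# Substrings that explain why the session went away (first one seen wins).
TEARDOWN_MARKERS = (
    "Close alert received",
    "caused DTLS to close connection",
    "Lost connection to the controller",
)


@dataclass
class JoinSummary:
    states: List[Tuple[str, str]] = field(default_factory=list)  # (timestamp, state)
    controllers: List[str] = field(default_factory=list)         # answered discovery
    joined: bool = False
    image_matches: Optional[bool] = None
    teardown_state: Optional[str] = None
    teardown_reason: Optional[str] = None


def parse_capwap_log(text: str) -> JoinSummary:
    s = JoinSummary()
    current = "unknown"
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # separators and non-log noise
        ts, msg = m.group("ts"), m.group("msg").strip()
        if not msg:
            continue                      # timestamp with an empty message
        sm = STATE_RE.search(msg)
        if sm:
            current = sm.group("state")
            s.states.append((ts, current))
        elif msg.startswith("Discovery Response from "):
            ip = msg.rsplit(" ", 1)[1]
            if ip not in s.controllers:
                s.controllers.append(ip)
        elif msg.startswith("AC accepted join request"):
            s.joined = True
        elif msg.startswith("Version is the same"):
            s.image_matches = True
        elif s.teardown_reason is None and any(k in msg for k in TEARDOWN_MARKERS):
            s.teardown_state, s.teardown_reason = current, msg
    return s


def describe(s: JoinSummary) -> str:
    path = " -> ".join(state for _, state in s.states) or "no state transitions seen"
    if s.teardown_reason is None:
        return f"{path}; joined={s.joined}; no teardown"
    return (f"{path}; joined={s.joined}; torn down in state '{s.teardown_state}': "
            f"{s.teardown_reason}")


SAMPLE_LOG = """\
[*10/13/2015 00:54:13.2615] CAPWAP State: Discovery.
[*10/13/2015 00:54:13.4214] Discovery Response from 192.168.1.150
[*10/13/2015 00:54:13.4214] Discovery Response from 192.168.1.150
[*10/13/2015 00:54:22.7585] CAPWAP State: DTLS Setup.
[*10/13/2015 00:54:22.8185] Dtls Session Established with the AC 192.168.1.150, port= 5246
[*10/13/2015 00:54:22.8185] CAPWAP State: Join.
[*10/13/2015 00:54:22.8285] AC accepted join request with result code: 0
[*10/13/2015 00:54:22.8285] CAPWAP State: Image Data.
[*10/13/2015 00:54:22.8385] Version is the same, do not need update.
[*10/13/2015 00:54:22.8385] CAPWAP State: Configure.
[*10/13/2015 00:54:22.8385]
[*10/13/2015 00:54:22.9385] Configuration Status sent to 192.168.1.150
[*10/13/2015 00:54:22.9485] Ignoring callback message Close alert received..
[*10/13/2015 00:54:22.9485] DTLS: Received packet caused DTLS to close connection
[*10/13/2015 00:54:22.9485] Lost connection to the controller, going to restart CAPWAP...
"""

if __name__ == "__main__":
    print(describe(parse_capwap_log(SAMPLE_LOG)))
```

For the excerpt above the trace is Discovery -> DTLS Setup -> Join -> Image Data -> Configure with the join accepted, and the close alert arrives in the Configure state right after the AP sends its Configuration Status. Discovery, DTLS setup and image checks are therefore not the problem; the DTLS close came from the controller's side of that configuration exchange, so the controller's own logs at that timestamp are the next place to look.
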



Weird ssh errors using putty

Ok so I’ve never seen this issue before and I’m a little stumped so I’m hoping maybe someone else has either seen this happen before or knows what could cause this.

I'm on my laptop, which is on DHCP (let's just say it's .65), and I'm using PuTTY to SSH into my Brocade switch, which is .5. I log in no problem and just check some things out. No issues; I'm running lots of commands, and when I'm done I log out.

Here's where it gets weird: I set my laptop to a static IP, .3 is what I set it to. I SSH back into the switch and within 15 seconds of being logged in PuTTY freezes up and drops the connection to the switch. I tested this 5 times and had persistent pings going to both 8.8.8.8 and .5, and each time my pings never failed to either Google or the switch. I set my laptop back to DHCP, SSH back into the switch, and it works just normally and I don't get kicked after 15 seconds.

I’m kinda scratching my head on this one as I don’t see what is causing this.



Looking for Help with Setting Up VLANs on TP-Link Smart Switch

Hi.

I've never set up VLANs before and I'm hoping to get some assistance with it. I think I'm good with the setup on the ERX, but how to set up the TP-Link TL-SG1024DE is confusing me.

Here's how I'd like to set things up:

EdgeRouter X VLAN setup:

- 192.168.1.1 VLAN 1 - Management

- 192.168.10.1 VLAN 10 - Home

- 192.168.20.1 VLAN 20 - Guest

- 192.168.30.1 VLAN 30 - IoT

So the SG1024DE smart switch is 802.1Q capable and I currently have port 1 connected to eth1 on the ERX, and I'd like to set up the ports as follows:

- 1: eth1 on ERX

- 2-13: Home

- 14-15: Guest

- 16-20: IoT

- 21-23: Unused

- 24: Management

I also have a Ubiquiti UniFi AP AC Pro that I'd like to use to provide wireless access on the Home, Guest, and IoT VLANs. I'm also not sure exactly which port I should use for that. Maybe one of the planned unused ports?

Basically, I'm baffled by the tagged/untagged/not a member stuff. Hopefully, I've provided all the necessary info. Any help is greatly appreciated.
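
The tagged/untagged/not-a-member question is really a table: every VLAN needs a list of tagged ports and a list of untagged ports, and every port needs exactly one PVID. Here is an added example (not part of the original post) that writes the plan above down as data, generates those two tables, and runs some consistency checks before anything is clicked in the TP-Link UI. Its assumptions: the UniFi AP goes on port 21 and needs management untagged with the three SSID VLANs tagged; the uplink on port 1 carries management untagged and VLANs 10/20/30 tagged, so the ERX keeps 192.168.1.1 on eth1 itself with eth1.10, eth1.20 and eth1.30 as VIFs; and unused ports 22-23 are parked untagged in an otherwise unused VLAN 999 so a stray cable lands nowhere.

```python
"""Turn a VLAN port plan into the tables a smart switch UI asks for, and check it.

Added example, not from the original post. Ports, VLAN IDs and addresses are the
poster's; the AP port (21), the parking VLAN (999) and the uplink layout are
assumptions for illustration.
"""
from typing import Dict, List

MGMT, HOME, GUEST, IOT = 1, 10, 20, 30
PARK = 999          # exists only on unused ports, carried nowhere else
UPLINK = 1          # port 1 -> EdgeRouter X eth1


def port(untagged: int, *tagged: int) -> dict:
    """A port carries exactly one VLAN untagged (this is also its PVID) and any
    number of VLANs tagged."""
    return {"untagged": untagged, "tagged": set(tagged)}


def build_plan() -> Dict[int, dict]:
    plan = {UPLINK: port(MGMT, HOME, GUEST, IOT)}        # mgmt native, rest tagged
    plan.update({p: port(HOME) for p in range(2, 14)})   # Home access ports
    plan.update({p: port(GUEST) for p in range(14, 16)}) # Guest access ports
    plan.update({p: port(IOT) for p in range(16, 21)})   # IoT access ports
    plan[21] = port(MGMT, HOME, GUEST, IOT)              # UniFi AP (assumed port):
                                                         # managed untagged, SSIDs tagged
    plan.update({p: port(PARK) for p in (22, 23)})       # unused: parked, nothing live
    plan[24] = port(MGMT)                                # management workstation
    return plan


def membership(plan: Dict[int, dict]) -> Dict[int, Dict[str, List[int]]]:
    """Per VLAN: tagged and untagged member ports (the '802.1Q VLAN' page)."""
    out: Dict[int, Dict[str, List[int]]] = {}
    for p in sorted(plan):
        for v in plan[p]["tagged"]:
            out.setdefault(v, {"tagged": [], "untagged": []})["tagged"].append(p)
        u = plan[p]["untagged"]
        out.setdefault(u, {"tagged": [], "untagged": []})["untagged"].append(p)
    return out


def pvids(plan: Dict[int, dict]) -> Dict[int, int]:
    """Per port PVID (the 'PVID Setting' page): untagged ingress lands here."""
    return {p: plan[p]["untagged"] for p in sorted(plan)}


def validate(plan: Dict[int, dict]) -> List[str]:
    """Consistency checks; an empty list means the plan hangs together."""
    problems: List[str] = []
    on_uplink = set(plan[UPLINK]["tagged"]) | {plan[UPLINK]["untagged"]}
    if PARK in on_uplink:
        problems.append(f"uplink carries parking VLAN {PARK}")
    for p, cfg in sorted(plan.items()):
        u, tagged = cfg["untagged"], cfg["tagged"]
        if u in tagged:
            problems.append(f"port {p}: VLAN {u} is both tagged and untagged")
        if u == PARK and tagged:
            problems.append(f"port {p}: parked port also carries live VLANs {sorted(tagged)}")
        for v in ({u} | set(tagged)) - {PARK}:
            if v not in on_uplink:
                problems.append(f"port {p}: VLAN {v} never reaches the router on port {UPLINK}")
    return problems


if __name__ == "__main__":
    plan = build_plan()
    for vlan, m in sorted(membership(plan).items()):
        print(f"VLAN {vlan:>4}: tagged {m['tagged']}  untagged {m['untagged']}")
    print("PVIDs:", pvids(plan))
    print("problems:", validate(plan) or "none")
```

Running it prints the per-VLAN membership rows and the PVID column in the order the switch pages want them. The checks catch the two mistakes that usually bite on these switches: a VLAN that is both tagged and untagged on one port, and an access VLAN that never reaches the uplink, which shows up as clients that get a link light but no DHCP lease.
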



Is there a PCPartPicker equivalent for networking?

Something which you can pick parts and stuff, and it gives the total price, compatibility and power usage etc.



Is it possible to confuse Straight Talk's system if you switch phones constantly throughout the day between 5 phones?



NetDevOps Test Environment Approaches

Wondering what people's thoughts are on how to go about building a test environment as part of a NetDevOps CI/CD pipeline? The real big player here of course is Cisco VIRL, but are there any open source ways to do it? I was thinking potentially a Kubernetes/Docker/vrnetlab combo, but it seems like it would be difficult to dynamically determine the topology needed between the pods/containers. Any thoughts on the area, specifically the test/emulation environment, would be great.



Cable packaging and how do we save the earth from single use plastic?

Consultant here, I do a lot of network refresh projects so I'm involved in the plugging in of cables quite a bit.

Every cable comes held down by a couple wire ties, in its own little plastic bag, and then ten of those are in bigger plastic bags. Sure maybe these bags have a little recycling symbol on them, but we all know that our municipalities are just shipping this shit to 3rd world countries for them to burn it or chop it into bits and feed it to the turtles. Whatever it takes to make us feel better about ourselves - yay we're recycling!

So what options do we have to order network patch cables that aren't over-packaged? Are any suppliers providing anything like this? Personally I think I'd be okay if my network cables were NOT hermetically sealed at the factory; it isn't like they're going to get cable herpes just from touching another cable.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Host VPN server for friends.

Just discovered this thread and learned a lot already. I have a small project I'd like to try out, but I'm not sure how to go about it. I'd like to host a VPN service for some of my online friends who live in Brazil, so they can connect to NA servers in games whenever they like. I know how to set up a VPN to my network, but I obviously would not like anyone to have access to my internal network or my router. I have an Asus router right now (waiting on RMA for a Netgate pfSense).

I'm planning on running a VPN host on a VM on my server, but the networking part to block it from my internal network I'm a bit lost on.

Thanks!



how much to charge

Network engineer here. Someone is contacting me because another guy installed a big rack in the middle of a room, so they want to eliminate the rack and buy another, but this time smaller. They also have some kind of horrible backup system with Windows: they basically copy everything onto a portable HDD and then copy it to the server (WTF!!!). Basically:

- need to install a new rack in the same place, just a little higher, and of course move the wires and connect everything to the server again.

- use a better backup service; I'm planning on configuring Nextcloud.

- optionally, offer the chance to configure a RAID.

How much can I charge for that? It's my first job of this kind and I'm a little lost.



DHCP/dns

I have two unconnected/non-routable networks on the same switch. One is a management VLAN, one is data traffic. For the management network I plan to use the switch as my DNS/DHCP server for sure.

Should I also use the switch as the DNS/DHCP server for the data network, or should I set up a VM to handle that network?



I'm not sure if I'm supposed to post this here or where. If anyone knows, please point me in the right direction.

So I am a 1st year university student; I just started networking Monday. We got a project to do but I have absolutely no idea where to start. Not asking for the answers, just some assistance or some advice.

The project aims to design a network for a casino. The casino has 10 floors including the ground floor. The ground floor has a lobby area. Each floor also has a lobby area. There are 40 rooms on each floor, each of which has a network point to which the guest PC is connected. The casino network has two servers which are used by the staff. A high-speed internet connection is available which is to be shared by the guest and staff networks. There is a total of 25 staff in the casino, based on the ground floor.

1. Network topology diagram.

2. Identify the hardware required, such as routers, switches, access points.

3. The network has to be segregated into guest and staff.

4. The guest network should not have access to the staff network.



4G LTE Router With External Antenna Setup

I need to buy a 4G directional antenna(with range up to 2.7 GHz), and also buy a modem that will receive the antenna's signal via a coaxial cable, and that modem has to have a sim card slot in it. I can buy the items from Amazon.com or AliExpress only.

How can I do it ?

The antenna looks like this



SilverPeak SD-WAN Tunnels

After about six months of meetings, decision matrices, PoCs, etc. we have narrowed down our SD-WAN choice to SilverPeak or VeloCloud. One factor that may make the final determination is how the tunnels are created (WANOP is considered a nice-to-have, but not a determining factor).

For Velocloud, tunnels are dynamic and most of our sites would have an appliance that supports 25 or 50 tunnels.

For SilverPeak, the tunnels are static, but most of their units support 2000 tunnels.

We have caught wind of a potential concern with the SilverPeak tunnels in that, the more sites that are deployed, the longer the SilverPeak units take to build all the tunnels.

My main question is - has anyone had any SilverPeak experience with 100+ sites? Do the turn-ups become unbearably long at any point (like, over 20 minutes)? Have any performance issues been encountered as more sites get added? Any limitations reached?



Mac flapping with wireless clients

Hi All,

I've noticed some logs on one of my switches related to MAC flap notifications. This looks to be caused by WiFi devices (we use a SonicWall firewall and SonicPoint APs) roaming between APs on different switches, causing the MAC to appear on different trunk ports at the core. Is there a known solution to this issue, or is it even a cause for concern?



Financial Firm Network Setup

So I've been put in charge of setting up the network /IT systems in my new office. My company is a private financial firm that will need to deal with confidential client data. We have around 20 staff. Office Space ~1,800 square feet. Personal Background: Not primarily IT based, but have dealt with home networking and computer stuff in general.

I've come up with a list of networking equipment that I think should be decent for my company, but before I painstakingly explain to my management why I recommend this setup, I thought I'd go through you guys first for some comments. My boss hasn't indicated to me what my budget is (definitely not unlimited), so I will need to convince him why I need to use more expensive equipment, if any. Setup as follows:

ISP: 1000M UP/DOWN

Router/Firewall: Fortinet 60E (with 360/Enterprise subscription) - I considered going with a USG Pro 4 since my setup revolves around Ubiquiti (see below), but I've heard that the protection offered by the USG Pro 4 is not as comprehensive as the Fortinet 60E's.

Switch: Ubiquiti UniFi US-48

Wireless AP: UniFi AP HD x 1 + PoE injector

Management Interface: UniFi Cloud Key Gen2 Plus

Surveillance Cameras: UniFi G3 Flex x 3

Network Storage Drive: Synology DiskStation DS218 (2 bays) x 2 - Need two for separate departments.

Would appreciate any feedback!

Sidenote: I've been put in touch with a couple of guys from Cisco. They've been recommending their Cloud Security Bundle to me, which includes Umbrella (DNS filtering), AMP for Endpoints (cloud-based SaaS endpoint security solution) & Email Security (since we are currently using Office 365 for email). This offering sounds pretty comprehensive, but I have yet to hear back from them on their pricing (I've heard that it's very expensive, so not sure if my boss would be sold on that). Would love to hear some experience from those who have used this solution before.



Help clustering two ISE servers

So I'd say I'm novice at best with ISE. I've done some management with it but nothing major. We're working on moving our physical ISE cluster to virtual. I've got them both installed, both with an FQDN that is reachable by both of them. They are in the same subnet and not firewalled.

I've set up one as primary and imported the default signed server certificate from the secondary (saw some guides mention to do this).

When I go to register the secondary node I get a warning that the node I'm registering has a self-signed certificate. I click to import and proceed and simply get: "Unable to authenticate ISE NME-ISEVIRTU-02.NETMAN.DEV. Please check certificate configuration. Make sure from "Primary Admin node", system certificate chain of registering node is present in the "Trusted certificates" and is enabled with "Trust for authentication with in ISE" option selected."

I'm not finding many answers as to what to do with this. I've seen it suggested to import all my Cisco services trusted certificates to the secondary (which I tried), but that's about it, aside from it being an FQDN issue, which doesn't appear to be happening.

Anyone have some insight on what might be wrong?



Can I use an SPA-1X10GE-L-V2 module on an ASR 1001 with the base licence?

Hi gang,

My team needs to upgrade our edge ASR routers to 10G, as our circuits will soon be upgraded from 1G to 10G.

We are currently running Cisco ASR 1001 (non-X) with License Level: advipservices.

I'm planning to purchase SPA-1X10GE-L-V2 10G modules to use with the ASR 1001.

Will I need any license on the existing ASR1001, or will the module itself allow 10Gbps throughput?



Completely unable to figure this out

Hi all

I have come to this subreddit because I am at my wits end. I feel like everything I know is wrong all because of one little 8 person network.

This is a new client of ours. The router is a MikroTik hAP lite (v6.45.1); the primary WAN is fibre with a PPPoE dial-up.

The router is the DHCP & DNS server; 8.8.8.8 is set as the secondary DNS server by DHCP. The MikroTik has static DNS servers (8.8.8.8 & 1.1.1.1) and responds to remote queries.

WiFi is provided by a UBNT UniFi AP AC LR; the network cable goes from the injector into the MikroTik (to rule out issues with the switch). The AP is running the latest firmware and is given a static IP.

Clients get a DHCP address; they can ping the router but cannot get out to the internet. If they are on cable they can.

The previous WiFi setup used two TP-Link extenders set up as APs and plugged into ethernet cable.

Clients will stay connected for a few hours before they are unable to get DNS queries resolved.

At first I thought it was the WiFi, so we installed the UniFi AP; then I thought it was the switch, so we plugged the AP into a port on the MikroTik. Earlier today I was battling with a user's laptop: I disabled the Windows firewall, and it started working again. 2 hours later... the client phones and no one on the WiFi can get internet access. I even completely wiped and reconfigured the MikroTik today, thinking I didn't do something correctly.

I honestly do not know what I have missed so I have come to this subreddit in the hopes that you might see something I don't.



VLAN translation on originating switch?

Good morning all. Possible stupid question incoming, but I've never used VLAN translation (mapping) before.

So I've got a Nexus switch, with devices in VLANs 10 and 78 connecting to an Arista (which I don't control or have access to), which connects to the internet. The link between the Arista and my Nexus only allows VLAN 78 across it. Can I translate VLANs on my end from 10 to 78 as it goes through my switch?

Reading, it sounds like VLAN translation works on ingress at trunk ports, which leads me to think it wouldn't work if I set mapping on my Nexus trunk port? But maybe (hopefully) I'm reading incorrectly?



L2 or L3 switching for 300 device network

Should I bother with L3 switching if I only have 300 devices? 50 are statically assigned.

My switches support it.

This is a data-only LAN. VoIP is on its own set of switches.



For research purpose (simulation), which random graph model should I use?

Can you suggest a random graph generation model for shortest-path problem simulation? A model that I can use for research purposes.

I tried the Waxman model, but I have a lot of problems with it; many times my device hangs.

Thank you very much.



Websmart switch and mac address table

Hello genius networkers of reddit. I am a sysadmin in need of assistance.

I have been given a job to document the entire network of one of our clients. It is a site where there are multiple cooks in the kitchen. One of those cooks used WebSmart switches to connect security cameras to the network (PoE cameras). I need to match the camera MAC addresses to the switch port that they are connected to. Unfortunately these switches do not show the MAC address or ARP tables in the web UI. They /might/ have a remote SPAN function I could leverage, but I only learnt about remote SPAN last night during CCNA studies. The switch model I'm currently viewing is the Allied Telesis AT-GS950/16PS, but there is a bit of a collection of others.

Does anyone know of an easier way I can match MAC addresses of connected clients to their switch port in this situation?

My best option right now seems to go back onsite, take a cisco switch along, and move plugs so I can use the cisco to document the mac addresses before moving the plugs back to the smart switch. I'd rather not cause that level of disruption if I can help it.



isolate single vlan from other vlans and internet but allow only single server/domain controller access

Here is the setup: a Cisco 3750 with inter-VLAN routing enabled and functioning, with 3 VLANs and SVIs. Everything can get to everything as of right now.

VLAN 10 - 10.0.10.1/24 - Management/servers (domain controller lives here)

VLAN 20 - 10.0.20.1/24 - Operations PCs

VLAN 30 - 10.0.30.1/24 - R&D PCs

I need to isolate VLAN 30 from EVERYTHING (internet, VLAN 10 and VLAN 20, etc.) EXCEPT the domain controller 10.0.10.50 on VLAN 10, so I can manage domain-joined workstations on VLAN 30.

I've been reading that my options are actually very limited in this scenario, if not impossible, due to the lack of reflexive ACL capabilities on these switches and stateless ACL rules that would allow me to permit traffic initiation on one side but then prevent the return. The other option I read about was introducing a router into the mix.

I understand the need and use-case scenarios for VLAN segmentation, but what am I missing here?

How else is this being used in environments where departments are VLANed for security reasons (HR, Finance, sales users/PCs) but still allow critical infrastructure servers/services (file shares, print servers, domain controllers, DNS/DHCP, etc.) to be accessible across all VLANs?

I feel like I'm missing a key piece to all this to make it click for me.
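
The policy in this post is symmetric: in both directions the only thing allowed across the VLAN 30 boundary is 10.0.10.50. That is the case where stateless ACLs are enough, because the permit for the return traffic is the same rule mirrored, so neither reflexive ACLs nor the TCP established keyword are needed. Here is an added example (not part of the original post) with the two IOS-style ACLs such a design would put on the Vlan30 SVI and a small evaluator that applies them the way a router ACL does (top down, first match, implicit deny) to a set of sample flows. Addresses are from the post; the ACL names, the protocols and ports in the sample flows, and the evaluator itself are this example's assumptions and a model, not the switch.

```python
"""Model two stateless SVI ACLs that fence off one VLAN except for one host.

Added example, not from the original post. The ACL text is IOS-style and is
what this example assumes would be applied to the Vlan30 SVI; the evaluator
is a model of router-ACL matching (top down, first match, implicit deny), not
the switch. Addresses are the poster's; ports and protocols are illustrative.
"""
import ipaddress
from typing import List, Optional, Tuple

# Assumed placement on the 3750:
#   interface Vlan30
#    ip access-group RD-IN in     <- packets from R&D hosts arriving at the SVI
#    ip access-group RD-OUT out   <- packets the SVI is about to send into VLAN 30
RD_IN = """
permit ip 10.0.30.0 0.0.0.255 host 10.0.10.50
deny ip any any
"""
RD_OUT = """
permit ip host 10.0.10.50 10.0.30.0 0.0.0.255
deny ip any any
"""

# (action, protocol, src_net, src_mask, dst_net, dst_mask, dst_port_or_None)
Rule = Tuple[str, str, int, int, int, int, Optional[int]]


def _addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tok[i]; returns
    (network, match mask, tokens consumed). IOS wildcard bits are the inverse
    of a netmask."""
    if tok[i] == "any":
        return 0, 0, 1
    if tok[i] == "host":
        return int(ipaddress.IPv4Address(tok[i + 1])), 0xFFFFFFFF, 2
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[i + 1]))
    return int(ipaddress.IPv4Address(tok[i])) & mask, mask, 2


def parse_acl(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[0], tok[1]
        snet, smask, n = _addr(tok, 2)
        dnet, dmask, m = _addr(tok, 2 + n)
        rest = tok[2 + n + m:]
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, snet, smask, dnet, dmask, dport))
    return rules


def evaluate(rules: List[Rule], src: str, dst: str, proto: str = "ip",
             dport: Optional[int] = None) -> Tuple[str, int]:
    """First matching entry wins; returns (action, 1-based entry number), with
    entry 0 standing for the implicit deny at the end of every IOS ACL."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for n, (action, rproto, snet, smask, dnet, dmask, rport) in enumerate(rules, 1):
        if rproto != "ip" and rproto != proto:
            continue
        if (s & smask) != snet or (d & dmask) != dnet:
            continue
        if rport is not None and rport != dport:
            continue
        return action, n
    return "deny", 0


def check_policy(rd_in: List[Rule], rd_out: List[Rule]) -> List[str]:
    """Sample flows with the verdict the policy requires; returns the mismatches."""
    cases = [  # direction, src, dst, proto, dport, expected
        ("in",  "10.0.30.5",  "10.0.10.50", "tcp",  445,  "permit"),  # PC -> DC (SMB, GPO)
        ("in",  "10.0.30.5",  "10.0.10.50", "udp",  53,   "permit"),  # PC -> DC (DNS)
        ("out", "10.0.10.50", "10.0.30.5",  "tcp",  5985, "permit"),  # DC -> PC (WinRM)
        ("in",  "10.0.30.5",  "10.0.10.20", "tcp",  443,  "deny"),    # other VLAN 10 server
        ("in",  "10.0.30.5",  "10.0.20.7",  "icmp", None, "deny"),    # operations VLAN
        ("in",  "10.0.30.5",  "8.8.8.8",    "udp",  53,   "deny"),    # internet
        ("out", "10.0.20.7",  "10.0.30.5",  "tcp",  22,   "deny"),    # operations -> R&D
        ("out", "10.0.10.20", "10.0.30.5",  "tcp",  80,   "deny"),    # non-DC server -> R&D
    ]
    mismatches = []
    for direction, src, dst, proto, dport, expected in cases:
        rules = rd_in if direction == "in" else rd_out
        action, entry = evaluate(rules, src, dst, proto, dport)
        if action != expected:
            mismatches.append(f"{direction} {src}->{dst} {proto}: {action} at entry {entry}, expected {expected}")
    return mismatches


if __name__ == "__main__":
    print(check_policy(parse_acl(RD_IN), parse_acl(RD_OUT)) or "policy holds for all sample flows")
```

check_policy returns an empty list when every sample flow gets the verdict the policy requires, and names the entry that produced a wrong one otherwise. Two things these ACLs do not do, which is worth keeping in mind: they say nothing about R&D hosts talking to each other, since that traffic never touches the SVI, and they make the domain controller the single pivot into VLAN 30, so that host needs to be hardened and watched accordingly. Tightening the permits from `ip` to the specific TCP/UDP ports the domain actually uses works the same way with this evaluator; the `eq` form is supported for that.
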



STP Issue between DELL and CISCO

Hi Team,

I came across an issue where STP increases the CPU on a Cisco switch which is connected to a Dell EMC core switch. To give more details about the topology, I have two Dell EMC core switches using VLT between them, and a stack of 2 Cisco switches with port-channel uplinks to the cores. The Cisco switches are running RPVST, but the Dell switches are running PVST. Now my question is whether the Cisco switches downgrade the version from rapid to normal PVST in order to be compatible with the Dell ones, and if so, could spanning tree cause high CPU because it is being used between 2 different vendors?

PS. Topology is 2 Dell core switches with VLT between them, and the Cisco ones are the access-layer switches pointing to the Dells. Root bridges are the Dells.

Many thanks in advance



Different Intel X520 cards

I'm trying to switch from standard 1GbE to 10GbE (using SFP+ cards and switch) and I'm looking at the Intel X520 cards, as they seem to be a good price and still have recent drivers.

My question is 'What is the difference between all the X520 cards?' I'm seeing X520-SR1, X520-DA1, X520-DA2, and the list goes on.

If anyone has a simple explanation (or chart) that would be great. I'm going to be using either the 5- or 8-port MikroTik switch and various servers/workstations running a combination of pfSense, FreeNAS, Win10, and Win Server 2016/2019.

From my own investigation it seems that the one I want is the X520-DA1?

Thanks for any help.



I just cant figure out what to do w/ this VPN

I know I shouldn't beg, but I sort of ran out of options.

I am working to get a VPN up. The edge on the network is a VeloCloud; I am not too experienced with preparing the service. I am more of a Meraki / SonicWall kind of guy.

Anyway, long story short, my boss told me to get this working, and I am stumped.

Regardless of what I do, the client will not connect to the server via Windows VPN. I just get a GRE error.

The server is receiving the connections (NAT tells us we have incoming connections), but I never get any outbound connections.

At this point neither server, edge, personal computer, nor personal router have their firewalls enabled.

I just want to ask for some help from someone who understands what is going on here.

Thank you in advance.



Monday, July 22, 2019

whitebox switch os help

Hey, I was talking with someone earlier today and they were telling me about a specific whitebox switch OS however I can't seem to recall the name and I didn't write it down. I remember they said it was like e- or evn or env and I remember it had a dash in it. I also remember they said it was linux based but I believe most or all of them are.

Is anyone here really familiar with whitebox switch OSes and could help me find it? I would really appreciate it!



My boss has been reading Gartner reports again...

OK, what do I do? A Gartner report came out, one of the "Magic Quadrant" thingies. And now my boss, the "Senior Director of Enterprise Infrastructure," is asking questions. My goal: keep doing what we're doing, because it mostly works and I know how to fix it when it breaks (which is rare).



Multiple routers off of one cable modem.

Cox business account, 5 static IPs. The current setup is: cable modem to the router and then to a switch. The client needs to utilize a second static IP for a webserver.

Can I place a network switch after the cable modem and plug two separate routers into the switch and give the routers the correct static IP?

Thank You.



Windows open source application for monitoring packet loss/downtime?

Can you recommend an open source Windows application that can monitor packet loss and internet down time?

Particularly if it can compile it into a report over a period of time.



How do I create a local non-internet wireless network for connecting three wifi devices?

Looking to build a WiFi network for my camper that will do two things..

1- boost WiFi signal when parked in a campground

2- use this system when no internet is available and “off grid”.



Static Routing Question

I am running a TP-Link WR840N router and have set up port forwarding for Xbox Live; however, I was advised to also set up static routing as well. The problem is the router doesn't like the IP address of my Xbox and won't do it. Any advice here?



Moving away from Cisco

Hey all, any thoughts on moving away from Cisco switches and routers? Recommendations? Arista cores? HPE edge switches? White box? I thought about white box but it really doesn't seem like there are any savings. For me, I don't like this forced licensing from Cisco, so I am looking at moving, but I do not want to lose my uptime/reliability. Any experience would be helpful.



Google Cloud VPN to Meraki MX

Hi,

I am trying to set up a GCP VPN to our internal Meraki MX network. I have created a Cloud VPN gateway and assigned a static public IP address to it.

I then created an IKEv1 tunnel in GCP to the Meraki MX. I have created the configuration on the Meraki side as well and used the following settings as per https://cloud.google.com/vpn/docs/concepts/supported-ike-ciphers

IKEv1

Phase 1 - AES128, SHA1, DH 2, Lifetime 36000

Phase 2 - AES128, SHA1, PFS 2, Lifetime 10800

The VPN tunnel turns to established on the GCP side, but the event logs on the Meraki show:

msg: failed to pre-process ph2 packet (side: 1, status: 1)

msg: failed to get sainfo.

The VPN tunnel on GCP then turns to First Handshake: Handshake with peer broken for unknown reason. Trying again soon.

I am a bit lost with this now, so wondered if anyone would have any guidance.

Has anyone managed to get Meraki talking to GCP VPN?



Sonicwall Blocking VPN traffic from firewall due to unknown Ether type.

I am currently facing an issue where a SonicWall device is blocking traffic that is coming into the network through an AnyConnect VPN session to a Cisco Firepower system. After a bit of digging, it looks like the SonicWall is dropping the traffic due to it not knowing what to do with the Cisco Metadata Ethertype (0x8909), but I can't seem to figure out where the rule in the SonicWall would be. If anyone knows where we can set the SonicWall to allow unknown Ethertypes, or how to permit this specific type through, it would be much appreciated.

Rough visualization of desired topology:

|VPN User | -> | FirePower | -> | SonicWall | -> | Target LAN |
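
To the SonicWall those frames are not IP at all: with inline SGT propagation enabled on the Firepower, the EtherType field holds 0x8909 and the IPv4 EtherType sits eight bytes further in, behind the Cisco MetaData (CMD) header. Here is an added example (not part of the original post) that recognises such frames in a capture, extracts the SGT, and rebuilds the frame without the CMD header. The header layout it assumes (version, length in 4-byte words, one option of type 1 carrying a 16-bit SGT, then the original EtherType) follows the public Wireshark dissector; the MAC addresses, SGT values and the minimal IPv4 header are constructed test data.

```python
"""Recognise Cisco MetaData (EtherType 0x8909) frames and strip the header.

Added example, not from the original post. The CMD layout assumed here follows
the public Wireshark dissector: version (1 byte), length in 4-byte words
(1 byte), one option of type 1 carrying a 16-bit SGT, then the EtherType of
the payload that follows. Sample frames are constructed.
"""
import struct
from typing import Dict, Optional

ETH_VLAN = 0x8100    # 802.1Q tag
ETH_CMD = 0x8909     # Cisco MetaData (inline SGT)
ETH_IPV4 = 0x0800
CMD_VERSION = 1
CMD_OPT_SGT = 1


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Walk the encapsulation after the MAC addresses until a payload EtherType
    is reached, collecting the 802.1Q tag and the SGT if present."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    info: Dict[str, object] = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
                               "tci": None, "vlan": None, "sgt": None}
    off = 12
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype == ETH_VLAN:
            (tci,) = struct.unpack_from("!H", frame, off)
            info["tci"], info["vlan"] = tci, tci & 0x0FFF
            off += 2
        elif etype == ETH_CMD:
            version, length = frame[off], frame[off + 1]
            opt_type, sgt = struct.unpack_from("!HH", frame, off + 2)
            if version != CMD_VERSION or opt_type != CMD_OPT_SGT:
                raise ValueError(f"unexpected CMD version {version} / option {opt_type}")
            info["sgt"] = sgt
            off += 2 + 4 * length          # version+length, then `length` option words
        else:
            info["ethertype"] = etype       # what a non-TrustSec device expected to see
            info["payload_offset"] = off
            return info


def strip_cmd(frame: bytes) -> bytes:
    """Rebuild the frame without the CMD header, keeping the 802.1Q tag if any,
    so tooling that only knows 0x8100/0x0800 can read it."""
    info = parse_frame(frame)
    head = frame[0:12]
    if info["tci"] is not None:
        head += struct.pack("!HH", ETH_VLAN, info["tci"])
    return head + struct.pack("!H", info["ethertype"]) + frame[info["payload_offset"]:]


def build_cmd_frame(sgt: int, payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Constructed test frame: MACs, optional 802.1Q tag, CMD header with one
    SGT option (length = 1 word), then an IPv4 payload."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")   # constructed MACs
    if vlan is not None:
        frame += struct.pack("!HH", ETH_VLAN, vlan)
    frame += struct.pack("!HBBHH", ETH_CMD, CMD_VERSION, 1, CMD_OPT_SGT, sgt)
    return frame + struct.pack("!H", ETH_IPV4) + payload


# Constructed minimal IPv4 header (20 bytes, no options): 10.0.0.1 -> 10.0.0.2, proto ICMP
FAKE_IPV4 = bytes.fromhex("45000014000100004001") + b"\x00\x00" + bytes([10, 0, 0, 1, 10, 0, 0, 2])

if __name__ == "__main__":
    f = build_cmd_frame(sgt=16, payload=FAKE_IPV4, vlan=78)
    print(parse_frame(f))
    print("stripped EtherType:", hex(struct.unpack_from("!H", strip_cmd(f), 16)[0]))
```

The practical consequence is that the fix normally belongs on the sender rather than on the SonicWall: turning off SGT propagation on the Firepower interface that faces a device which does not speak TrustSec makes the frames ordinary 0x0800 again. parse_frame is a quick way to confirm from a packet capture that this is really what is on the wire before changing anything.
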



Outdoor 4G routers

Afternoon all, looking for an outdoor 4G router to take with me to events. Budget of £300 or under; what recommendations do you have?



What are the best Mesh WiFi systems to buy?


H3C Cloud Labs Query (Comware Emulator)

I have successfully got H3C Cloud Labs 2.1.1.1 working with VirtualBox 5.2.x, but I haven't been able to get it running with VirtualBox 6.0.x. Specifically, I get an error from HCL on startup stating "Please check your installation of Virtualbox api".

Has anyone got this combination working successfully?

FZ.



Does anyone have problems with Cisco PnP with APIC-EM?

We are facing some strange problems with our wireless infrastructure. We are trying to achieve zero-touch deployment with Cisco APs (1852, 1532 and 2802 models) and APIC-EM. However, we have some strange problems.

Some APs (like 40-50%) fail to contact the APIC-EM while booting. It says PNP Timeout, meanwhile some APs do get the connection to the APIC-EM.

We already contacted Cisco six months ago, still no real answer.

All APs are brand new.

Do any of you have these kinds of problems?



Refurb Cisco 3650 vs Ubiquiti US-48-750W for remote sales office

I've held a variety of jobs in IT over the past several years. Currently I run support and deployment operations for a startup. My team and I also play internal IT on the side.

I'm looking to set up a remote sales office. The topology isn't that complex, just a few VLANs with inter-VLAN routing handled on the pfSense stack. They will have 10-15 employees, using softphones, connecting cell phones, etc.

I've always personally been a fan of refurb Cisco gear. Cisco gear runs like a tank. I've seen those switches running over ten years without reboots or problems. My theory with a refurb Cisco 3650 is I can get them for $150. God forbid if it blows up I can just have a hot spare on standby ready to go with a process describing how to swap over.

The other alternative is a Ubiquiti US-48-750W. I'm not the biggest fan of "cloud managed" switches (yes I get it's local). Also for what I need (VLANs and that's it) it's overkill. I think the benefit of the hot spare is more beneficial vs a new switch.

My question is performance given a ten year old switch. I mean as far as I'm aware the Cisco is overkill even for today's standards. Remember this is just switching and maybe L3 down the road.

I've covered all my bases as far as "what if shit hits the fan". I already got a racked PC spec'd which will hold a public IP connected to the consoles. In the event of a catastrophic failure I can have them turn on the PC.

Would like your take!

Edit: The Cisco is a WS-C3560G-48PS-S not a 3650. Typo...



How difficult is the Palo Alto PCNSE exam?

I've currently watched all of the CBT Nuggets videos for Palo Alto and I'm about to book a more in-depth training course; I'm a CCNP Security and am used to Firepower and ASAs, but my company is starting to support Palo Alto.

The videos give me the impression that the certification is quite simple. Is it really that easy? Everything seems to be GUI-driven and pretty well laid out. All the concepts of NGFWs are similar, but Palo Alto just seems to do it better.



ISR or Normal Router for Gaming Cafe

Dear all,

I would like to ask: can a normal high-end home router work for a gaming cafe with a 75 Mbit fiber-optic connection?

or we should consider ISR?

if ISR, any recommendations?

ISR4331 or ISR1100?

No. of PCs: ~60 computers.

Thanks!



EdgeRouter - Redirect All traffic to Private IP

Hello,

I want to redirect all incoming traffic on my EdgeRouter-A interface with a public IP address to another EdgeRouter-B that has a private IP address assigned via DHCP from EdgeRouter-A

I tried to add a static route but it is not selected

I tried to add a rule of DNAT but it does not work either

Thanks for your help,