Saturday, August 10, 2019

DHCP relay on Juniper EX4300 not sending response back to client

Juniper EX4300 - DHCP relay response dropped by switch

Hi,

I have a simple topology with a Juniper EX4300 as the access switch and a DHCP server running on a VM connected through an L3 interface (ge-0/0/12). A host connected to ge-0/0/0 is trying to get an IP using DHCP. I see (log at the end) that the request is being relayed to the server, a response comes back, the Juniper stack processes it, and then drops it with the following reason:

Aug 10 19:51:47.218568 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] jdhcpd_packet_handle: *** routing packet ***

Aug 10 19:51:47.218636 [NOTE] jdhcpd_io_route_packet: Failed to route packet, No route to host

Can you please have a look at the config, state, and logs, and comment on what config is wrong from my side?

Regards,

Ramesh

root> show version
fpc0:
--------------------------------------------------------------------------
Model: ex4300-48p
JUNOS EX Software Suite [13.2X51-D35.3]
JUNOS FIPS mode utilities [13.2X51-D35.3]
JUNOS Online Documentation [13.2X51-D35.3]
JUNOS EX 4300 Software Suite [13.2X51-D35.3]
JUNOS Web Management [13.2X51-D35.3]
JUNOS py-base-powerpc [13.2X51-D35.3]

## DHCP Relay configuration

root> show configuration forwarding-options
storm-control-profiles default {
    all;
}
dhcp-relay {
    server-group {
        ws-dhcp {
            10.10.5.0;
        }
    }
    active-server-group ws-dhcp;
    group all {
        interface irb.10;
    }
}

## Host interface

root> show configuration interfaces ge-0/0/0
unit 0 {
    family ethernet-switching {
        vlan {
            members VLAN0010;
        }
        storm-control default;
    }
}

## L3 uplink to connect to DHCP server

root> show configuration interfaces ge-0/0/12
unit 0 {
    family inet {
        address 10.10.2.3/24;
    }
}

## Static route to DHCP server towards uplink

root> show configuration routing-options
static {
    route 10.10.5.0/24 next-hop 10.10.2.2;
}

## SVI/BVI/IRB interface for VLAN 10

root> show configuration interfaces irb.10
family inet {
    address 10.10.30.1/24;
}

## VLAN 10 configuration

root> show configuration vlans VLAN0010
vlan-id 10;
l3-interface irb.10;

root> show vlans
Routing instance        VLAN name             Tag          Interfaces
default-switch          VLAN0010              10
                                                           ge-0/0/0.0*

root> show dhcp relay binding
IP address        Session Id  Hardware address   Expires     State      Interface
0.0.0.0           1           00:e0:4c:68:08:bc  0           SELECTING  irb.10

root> show ethernet-switching table brief
Ethernet switching table : 1 entries, 1 learned
Routing instance : default-switch
    Vlan                MAC                 MAC         Age          Logical
    name                address             flags                    interface
    VLAN0010            00:e0:4c:68:08:bc   D             -          ge-0/0/0.0

root> show log dhcp_logfile | last 100
Aug 10 19:51:47.214000 [INFO] [default:default-switch][RLY][INET][ge-0/0/0.0] --[ OPTION code 12, len 12, data 4d 61 64 68 61 76 61 73 2d 4d 42 50 ]--
Aug 10 19:51:47.214032 [INFO] [default:default-switch][RLY][INET][ge-0/0/0.0] --[ OPTION code 255, len 0 ]--
Aug 10 19:51:47.214058 security-packet-handle input bd VLAN0010
Aug 10 19:51:47.214091 [DEBUG] jdhcpd_security_client_key_compose: mac 0 e0 4c 68 8 bc subnet 0 key_type CK_TYPE_SECURITY_V4 8
Aug 10 19:51:47.214124 [INFO] jdhcpd_security_packet_handle: security-packet-handle client entry not found from client pdu
Aug 10 19:51:47.214162 [INFO] [default:default][RLY][INET][ge-0/0/0.0][SID=1] jdhcpd_packet_relay: *** relaying packet ***
Aug 10 19:51:47.214200 [DEBUG][default:default][RLY][INET][ge-0/0/0.0][SID=1] jdhcpd_packet_relay: Setting giaddr for non L3-wholesale client, interface ge-0/0/0.0, flags 2050, address 10.10.30.1
Aug 10 19:51:47.214236 [INFO] [default:default][RLY][INET][ge-0/0/0.0][SID=1] jdhcpd_packet_relay: added giaddr 10.10.30.1
Aug 10 19:51:47.214276 [INFO] [default:default][RLY][INET][ge-0/0/0.0][SID=1] jdhcpd_packet_relay: Using server group ws-dhcp, with 1 DHCP server(s)
Aug 10 19:51:47.214791 [INFO] [default:default][RLY][INET][ge-0/0/0.0] jdhcpd_io_send_packet: DHCP PDU from 10.10.30.1 to 10.10.5.0 port 67 out interface 568 len 300
Aug 10 19:51:47.216353 [INFO] jdhcpd_io_l2ng_pfe_reader: jdhcpd_pfe_pkt_hdr_t: len 328 L3ifindex = 602, L2ifindex = 0, dpi_rtbl=0
Aug 10 19:51:47.216420 rc_entry_sus_find_ipaddr: TYPE 0 for IP ADDR 10.10.30.1 in routing context LR default/RI default-switch
Aug 10 19:51:47.216467 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] jdhcpd_io_pfe_packet: SNOOP : recv sa 10.10.30.1 da 10.10.30.1, src_port 67, dst_port 67 if name ge-0/0/12.0 len 300
Aug 10 19:51:47.216507 [INFO] --[ DHCP/BOOTP from == 10.10.5.0, port == 67 ]--
Aug 10 19:51:47.216536 [INFO] --[ DHCP/BOOTP size == 300, op == 2 ]--
Aug 10 19:51:47.216563 [INFO] --[ DHCP/BOOTP flags == 0 ]--
Aug 10 19:51:47.216590 [INFO] --[ DHCP/BOOTP htype == 1, hlen == 6 ]--
Aug 10 19:51:47.216617 [INFO] --[ DHCP/BOOTP hops == 1, xid == 84d6e0b0 ]--
Aug 10 19:51:47.216644 [INFO] --[ DHCP/BOOTP secs == 4, flags == 0000 ]--
Aug 10 19:51:47.216672 [INFO] --[ DHCP/BOOTP ciaddr == 0.0.0.0 ]--
Aug 10 19:51:47.216700 [INFO] --[ DHCP/BOOTP yiaddr == 10.10.30.10 ]--
Aug 10 19:51:47.216729 [INFO] --[ DHCP/BOOTP siaddr == 10.10.5.0 ]--
Aug 10 19:51:47.216757 [INFO] --[ DHCP/BOOTP giaddr == 10.10.30.1 ]--
Aug 10 19:51:47.217117 [INFO] --[ DHCP/BOOTP chaddr == 00 e0 4c 68 08 bc 00 00 00 00 00 00 00 00 00 00 ]--
Aug 10 19:51:47.217151 [INFO] --[ DHCP/BOOTP sname == ]--
Aug 10 19:51:47.217178 [INFO] --[ DHCP/BOOTP file == ]--
Aug 10 19:51:47.217211 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 53, len 1, data DHCP-OFFER ]--
Aug 10 19:51:47.217246 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 54, len 4, data 0a 0a 05 00 ]--
Aug 10 19:51:47.217290 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 51, len 4, data 00 00 1c 20 ]--
Aug 10 19:51:47.217324 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 1, len 4, data ff ff ff 00 ]--
Aug 10 19:51:47.217359 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 3, len 4, data 0a 0a 1e 01 ]--
Aug 10 19:51:47.217397 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 15, len 11, data 65 78 61 6d 70 6c 65 2e 6f 72 67 ]--
Aug 10 19:51:47.217429 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 255, len 0 ]--
Aug 10 19:51:47.217481 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP from == 10.10.5.0, port == 67 ]--
Aug 10 19:51:47.217831 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP size == 300, op == 2 ]--
Aug 10 19:51:47.217869 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP flags == 0 ]--
Aug 10 19:51:47.217901 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP htype == 1, hlen == 6 ]--
Aug 10 19:51:47.217932 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP hops == 1, xid == 84d6e0b0 ]--
Aug 10 19:51:47.217963 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP secs == 4, flags == 0000 ]--
Aug 10 19:51:47.217997 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP ciaddr == 0.0.0.0 ]--
Aug 10 19:51:47.218030 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP yiaddr == 10.10.30.10 ]--
Aug 10 19:51:47.218136 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP siaddr == 10.10.5.0 ]--
Aug 10 19:51:47.218176 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP giaddr == 10.10.30.1 ]--
Aug 10 19:51:47.218220 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP chaddr == 00 e0 4c 68 08 bc 00 00 00 00 00 00 00 00 00 00 ]--
Aug 10 19:51:47.218251 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP sname == ]--
Aug 10 19:51:47.218290 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP file == ]--
Aug 10 19:51:47.218322 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 53, len 1, data DHCP-OFFER ]--
Aug 10 19:51:47.218360 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 54, len 4, data 0a 0a 05 00 ]--
Aug 10 19:51:47.218396 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 51, len 4, data 00 00 1c 20 ]--
Aug 10 19:51:47.218431 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 1, len 4, data ff ff ff 00 ]--
Aug 10 19:51:47.218465 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 3, len 4, data 0a 0a 1e 01 ]--
Aug 10 19:51:47.218503 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 15, len 11, data 65 78 61 6d 70 6c 65 2e 6f 72 67 ]--
Aug 10 19:51:47.218535 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 255, len 0 ]--
Aug 10 19:51:47.218568 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] jdhcpd_packet_handle: *** routing packet ***
Aug 10 19:51:47.218636 [NOTE] jdhcpd_io_route_packet: Failed to route packet, No route to host

{master:0}
root>
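A parser for the jdhcpd trace lines quoted above, added here as an example (not from the post or from Junos): it decodes the OFFER's BOOTP fields and options and checks them against the switch's own IRB addressing taken from the configuration above. The sample lines are copied from the trace and the checks are this example's own heuristics; for this OFFER they come back clean, which points at the relay's return path rather than at the packet contents.

```python
"""Decode jdhcpd relay trace lines for one DHCP OFFER and sanity-check it.

Added example, not from the original post or from Junos. The sample lines
are copied from the post's trace; the interface table mirrors the posted
configuration; the checks are this example's own heuristics.
"""
import ipaddress
import re

# Lines copied from the post's dhcp_logfile trace (OFFER seen on ge-0/0/12.0).
SAMPLE_LOG = """\
Aug 10 19:51:47.217481 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP from == 10.10.5.0, port == 67 ]--
Aug 10 19:51:47.217831 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP size == 300, op == 2 ]--
Aug 10 19:51:47.217932 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP hops == 1, xid == 84d6e0b0 ]--
Aug 10 19:51:47.218030 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP yiaddr == 10.10.30.10 ]--
Aug 10 19:51:47.218176 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP giaddr == 10.10.30.1 ]--
Aug 10 19:51:47.218220 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ DHCP/BOOTP chaddr == 00 e0 4c 68 08 bc 00 00 00 00 00 00 00 00 00 00 ]--
Aug 10 19:51:47.218322 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 53, len 1, data DHCP-OFFER ]--
Aug 10 19:51:47.218360 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 54, len 4, data 0a 0a 05 00 ]--
Aug 10 19:51:47.218396 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 51, len 4, data 00 00 1c 20 ]--
Aug 10 19:51:47.218431 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 1, len 4, data ff ff ff 00 ]--
Aug 10 19:51:47.218465 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 3, len 4, data 0a 0a 1e 01 ]--
Aug 10 19:51:47.218503 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 15, len 11, data 65 78 61 6d 70 6c 65 2e 6f 72 67 ]--
Aug 10 19:51:47.218535 [INFO] [default:default-switch][RLY][INET][ge-0/0/12.0] --[ OPTION code 255, len 0 ]--
"""

# The relay's own L3 addressing, from the posted configuration.
SWITCH_INTERFACES = {"irb.10": "10.10.30.1/24", "ge-0/0/12.0": "10.10.2.3/24"}

FIELD_RE = re.compile(r"--\[ DHCP/BOOTP (.*?) \]--")
OPTION_RE = re.compile(r"--\[ OPTION code (\d+), len \d+(?:, data (.*?))? \]--")

# Option names and decoders for the codes jdhcpd dumps as raw hex (RFC 2132).
IP_OPTIONS = {1: "subnet_mask", 3: "routers", 54: "server_id"}
TEXT_OPTIONS = {12: "hostname", 15: "domain_name"}
INT_OPTIONS = {51: "lease_time"}


def _decode_option(code, data):
    if code == 53:
        return data                       # jdhcpd prints the message type symbolically
    raw = bytes.fromhex(data or "")
    if code in IP_OPTIONS:
        addrs = [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]
        return addrs if code == 3 else addrs[0]      # option 3 may list several routers
    if code in TEXT_OPTIONS:
        return raw.decode("ascii", errors="replace")
    if code in INT_OPTIONS:
        return int.from_bytes(raw, "big")
    return raw.hex()


def parse_trace(text):
    """Collect BOOTP header fields and decoded options from jdhcpd trace lines."""
    names = {53: "message_type", **IP_OPTIONS, **TEXT_OPTIONS, **INT_OPTIONS}
    pkt = {"options": {}}
    for line in text.splitlines():
        field = FIELD_RE.search(line)
        if field:
            for part in field.group(1).split(", "):   # e.g. "hops == 1, xid == 84d6e0b0"
                key, _, value = part.partition("==")
                pkt[key.strip()] = value.strip()
            continue
        opt = OPTION_RE.search(line)
        if opt:
            code = int(opt.group(1))
            if code == 255:                            # end-of-options marker
                break
            pkt["options"][names.get(code, f"option_{code}")] = _decode_option(code, opt.group(2))
    return pkt


def check_offer(pkt, interfaces):
    """Return findings that would stop the relay delivering this OFFER; [] if it looks deliverable."""
    findings = []
    opts = pkt["options"]
    if pkt.get("op") != "2" or opts.get("message_type") != "DHCP-OFFER":
        findings.append("packet is not a server OFFER (op 2 / option 53)")
    giaddr = ipaddress.IPv4Address(pkt["giaddr"])
    local = {name: ipaddress.IPv4Interface(a) for name, a in interfaces.items()}
    relay_if = next((n for n, i in local.items() if i.ip == giaddr), None)
    if relay_if is None:
        findings.append(f"giaddr {giaddr} is not an address of this relay, so the reply has no local subnet")
        return findings
    subnet = local[relay_if].network
    yiaddr = ipaddress.IPv4Address(pkt["yiaddr"])
    if yiaddr not in subnet:
        findings.append(f"yiaddr {yiaddr} is outside {relay_if} subnet {subnet}")
    if "subnet_mask" in opts and ipaddress.IPv4Network(f"{giaddr}/{opts['subnet_mask']}", strict=False) != subnet:
        findings.append(f"server mask {opts['subnet_mask']} disagrees with {relay_if} {subnet}")
    for router in opts.get("routers", []):
        if ipaddress.IPv4Address(router) not in subnet:
            findings.append(f"router option {router} is outside {subnet}")
    if "server_id" in opts and opts["server_id"] != pkt.get("from"):
        findings.append(f"option 54 {opts['server_id']} differs from sender {pkt.get('from')}")
    return findings


if __name__ == "__main__":
    offer = parse_trace(SAMPLE_LOG)
    print(f"xid {offer['xid']} {offer['options']['message_type']} yiaddr {offer['yiaddr']} via giaddr {offer['giaddr']}")
    print("findings:", check_offer(offer, SWITCH_INTERFACES) or "none")
```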



Used Cisco update

It looks like buying used Cisco stuff is going to get a ton harder.

https://www.ifixit.com/News/cisco-is-making-it-more-difficult-to-use-pre-owned-hardware



PoE help

Hey everybody,

Been lurking for a while now. Finally making my first post. Anyway, I need some clarification on how exactly I'd use PoE on a device that supports it. For reference, this is the device I'm considering. It has a DC power input and PoE-in on the internet port.

What I'm wondering is: will it provide PoE out on ports 2-5 regardless of how I power it? (e.g. DC input vs PoE-in port)

And just to be clear, I'm more asking this in general, not just in the context of the mikrotik device. That just happens to be the device that sparked this question.

Thanks in advance for your help everybody.



VPN with lowest latency

Hi guys, between the following options:

  • remote L2TP user
  • site-to-site vpn
  • wireguard

which offers the lowest latency? Why?

I am trying to create the smoothest connections for users in site B to access resources in site A (both have 1000/1000 ISP).

Thanks for your time!



DMVPN - first config, hub doesn't learn EIGRP routes

Hi.

I'm making a DMVPN config for a customer for the first time and have some issues with EIGRP. The spoke (for now there's only one) learns EIGRP routes advertised by the hub, but not the other way around.

DMVPN is formed correctly (the hub sits in a DMZ, hence the "DN" status in "show dmvpn" - not sure if that's important), same for the EIGRP neighborship.

Hub (3945): Gi0/0 (LAN), Gi0/3 (WAN)

Spoke (3925): Gi0/0 (LAN), Gi0/2 (WAN)

Configs below:

***HUB***

interface Tunnel1
 description DMVPN-HUB
 ip address 10.255.141.254 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-KEY
 no ip split-horizon eigrp 1
 ip nhrp authentication NHRP_PASSWORD
 ip nhrp network-id 100
 ip nhrp redirect
 ip tcp adjust-mss 1360
 qos pre-classify
 keepalive 10 3
 tunnel source GigabitEthernet0/3
 tunnel mode gre multipoint
 tunnel key 111111111111111
 tunnel protection ipsec profile DMVPN_IPSEC_PROFILE shared

router eigrp 1
 network 10.255.141.0 0.0.0.255
 network 192.168.0.0
 passive-interface default
 no passive-interface Tunnel1
 eigrp router-id 10.255.141.254

***SPOKE***

interface Tunnel1
 ip address 10.255.141.77 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-KEY
 ip nhrp authentication NHRP_PASSWORD
 ip nhrp map multicast PUBLIC_IP_REDACTED
 ip nhrp map 10.255.141.254 PUBLIC_IP_REDACTED
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp nhs 10.255.141.254
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 if-state nhrp
 qos pre-classify
 keepalive 10 3
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key 111111111111111
 tunnel protection ipsec profile DMVPN_IPSEC_PROFILE shared

router eigrp 1
 network 10.255.141.0 0.0.0.255
 network 192.168.77.0
 passive-interface default
 no passive-interface Tunnel1
 eigrp router-id 192.168.254.77
 eigrp stub connected summary

Any ideas what's happening?

EDIT: IOS versions (I'm hesitant to update it because I had sooo many problems with AnyConnect on hub killing it...):

  • HUB: 15.7(3)M2

  • Spoke: 15.1(4)M4
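To see which connected prefixes each side would actually put into EIGRP, added here as an example (not from the post and not Cisco code): it applies the posted `router eigrp 1` blocks to a set of interface addresses, expanding a `network` statement without a wildcard to its classful mask the way IOS does, so the hub's `network 192.168.0.0` only covers 192.168.0.x interfaces. The tunnel addresses come from the post; the LAN and WAN addresses are assumptions, so swap in the real ones to reproduce a result.

```python
"""Which connected prefixes an IOS EIGRP process advertises, and on which
interfaces it forms adjacencies, given its `network` statements.

Added example, not from the original post. The `router eigrp 1` blocks are
the ones posted; the interface addresses other than the tunnel are assumed.
"""
import ipaddress

SPOKE_EIGRP = """\
router eigrp 1
 network 10.255.141.0 0.0.0.255
 network 192.168.77.0
 passive-interface default
 no passive-interface Tunnel1
 eigrp router-id 192.168.254.77
 eigrp stub connected summary
"""

HUB_EIGRP = """\
router eigrp 1
 network 10.255.141.0 0.0.0.255
 network 192.168.0.0
 passive-interface default
 no passive-interface Tunnel1
 eigrp router-id 10.255.141.254
"""

# Assumed addressing: Tunnel1 from the post, LAN guessed from the network
# statement, WAN from the 203.0.113.0/24 documentation range.
SPOKE_IFACES = {
    "Tunnel1": "10.255.141.77/24",
    "GigabitEthernet0/0": "192.168.77.1/24",
    "GigabitEthernet0/2": "203.0.113.77/30",
}


def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))


def classful_wildcard(network):
    """IOS expands a `network` statement without a wildcard to its classful mask."""
    first_octet = _as_int(network) >> 24
    if first_octet < 128:
        return 0x00FFFFFF   # class A -> /8
    if first_octet < 192:
        return 0x0000FFFF   # class B -> /16
    return 0x000000FF       # class C -> /24


def parse_eigrp(block):
    """Pull the statements that decide interface participation out of a router eigrp block."""
    cfg = {"networks": [], "passive_default": False, "passive": set(), "no_passive": set(), "stub": None}
    for raw in block.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "network":
            wildcard = _as_int(words[2]) if len(words) > 2 else classful_wildcard(words[1])
            cfg["networks"].append((_as_int(words[1]), wildcard))
        elif words[:2] == ["passive-interface", "default"]:
            cfg["passive_default"] = True
        elif words[0] == "passive-interface":
            cfg["passive"].add(words[1])
        elif words[:2] == ["no", "passive-interface"]:
            cfg["no_passive"].add(words[2])
        elif words[:2] == ["eigrp", "stub"]:
            cfg["stub"] = words[2:]
    return cfg


def evaluate(cfg, interfaces):
    """Return {interface: (eigrp_enabled, passive, connected_prefix)}."""
    result = {}
    for name, addr in interfaces.items():
        iface = ipaddress.IPv4Interface(addr)
        ip = int(iface.ip)
        # A wildcard bit of 0 means "must match"; compare only those bits.
        enabled = any((ip & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF) for net, wc in cfg["networks"])
        passive = (cfg["passive_default"] and name not in cfg["no_passive"]) or name in cfg["passive"]
        result[name] = (enabled, passive, str(iface.network))
    return result


def advertised_prefixes(cfg, interfaces):
    """Connected prefixes EIGRP will advertise (passive interfaces are still advertised)."""
    return sorted(prefix for enabled, _, prefix in evaluate(cfg, interfaces).values() if enabled)


def neighbor_interfaces(cfg, interfaces):
    """Interfaces that send hellos and can form an adjacency."""
    return sorted(n for n, (enabled, passive, _) in evaluate(cfg, interfaces).items() if enabled and not passive)


if __name__ == "__main__":
    spoke = parse_eigrp(SPOKE_EIGRP)
    print("spoke advertises:", advertised_prefixes(spoke, SPOKE_IFACES), "stub:", spoke["stub"])
    print("spoke adjacencies on:", neighbor_interfaces(spoke, SPOKE_IFACES))
```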



Upgrade to 802.11ax (WiFi 6) via firmware possible?

I want to upgrade my network equipment (because I want PoE for a Raspberry Pi cluster). With that upgrade I would like to include WiFi 6 and WPA3. MikroTik seems to be a brand that offers enterprise level software (includes network features such as QoS, VLAN, OpenVPN, but also MPLS) on decent hardware.

So I'm wondering, if I would buy this router, or any router that supports 802.11ac, would such a router be able to get an upgrade to support 802.11ax? Or are there special hardware requirements for 1024-QAM and the antennas? I really don't want to delay this purchase, so I'm interested if an upgrade to WiFi 6 would be possible through a firmware upgrade rather than a hardware upgrade. Most of the stuff I came across on the web points out that WiFi 6 routers are available and soon there will be more... But no details on existing routers.

I'm also open to other suggestions in terms of a fancy router with PoE, VLAN, QoS, and CLI. With preferably an open-source OS and active community that supports and helps develop it. MikroTik seems to be the one though...



Why is my upload so much slower than what it should be and how can i fix this?

I go to https://www.speedtest.net and it says my upload speed is 20 MBps but when I go to upload files to Google Drive and look in task manager it's only uploading 1.5 MBps. I tested with both the client and browser and both are the same upload speed.

I don't know anything at all about how upload works, so I'm hoping to find a way to increase the speed. I need to upload 800 GB of data ASAP but that is taking forever.



UDP packets dropped, resources to help a noob

Hello Guys,

Not sure if this is the right section: I work on a C# application (but the language is irrelevant here), and we happen to have a huge issue of dropped UDP packets recently.

I'm not an expert in networking, but I'm starting to get a grasp on this kind of issue (each time we get a network issue, I get to learn a bit more, or each time I discuss it with knowledgeable people).

But this time I want to have a more complete grasp on what is happening. Could you advise me on resources: books, blogs, YouTubers, to help me have a complete understanding of this kind of subject?

For example, how UDP packets are handled by the network card, what are the parameters (and Windows parameters) that can have an effect on it, or on the internal buffer of the card, how it interacts with Windows native sockets and internal buffers, what parameters can I use at this level. How to identify if the dropped packets come from my app or the network....

You get the idea (I hope)



What is the best home network management/ security suite?

Wondering if there's something free/opensource that will fit my needs. I have Linux VMs available but my host systems are Macs so I'm looking for something that will run on a Mac preferably. Any ideas?



Updating relevant bodies of IP range geo-location

We have a /21 and a /22 that we currently announce out of the UK. We are opening a new data centre in a different country in a few months time and want to trim what we announce in the UK and announce a /24 out of our new DC.

Who do we need to notify about the change of geo-location for this range so that users in that country who will come from behind those addresses are correctly geo-located by the relevant content providers?



What do you use for gathering Netflow data?

Hello,

We use Solarwinds to monitor our network equipment and Netflow data. We are 99% Cisco and our IT Director and Manager no longer like Solarwinds as they cost too much. I kind of agree and can see there are lots of open source products out there. I was just wondering what you use to monitor?

We also monitor our servers and Azure metrics.

Thanks



Cabling the office, router and switch are 1GB, same for ethernet ports on computer but speed is 100-200 at best

I have got a new office (one room dedicated to servers, 4 rooms for employees). I have got 1 switch for each room, with 4 Gb ports each, and one router with 4 GB ports, which acts as both wifi router and LAN, connected to a cable modem.

The issue is that I am getting pretty low speed all over the network. The person that sold me the place told me that they cabled the office with Cat6 cables a few years ago; although they are in the wall, so I have no way to check them.

Is there an easy way to verify the speed of each element on the network, to figure out if the problem is the cables in the wall? I am using the wall cabling from the modem to the router, and from the router to the wall plugs, which connect to the switches; I checked the cables that are not in the wall, and they are CAT6, so should support gigabit ethernet like the rest of the hardware.



Extending a domestic network

I have the router inside my property and I have run a CAT5e to an outbuilding where I want to have WiFi. My question is what piece of equipment do I need to give us WiFi access / coverage in the outbuilding? I have seen no end of WiFi extenders but I want more of a wired access point?



Friday, August 9, 2019

5g will change life of those who will find it

It often hits over 1 gigabit per second in speed tests — an incredible feat for a piece of technology that fits in your pocket. 4G LTE in the United States averages about 35 megabits per second. 5G, the fifth generation of cellular network technology, is nearly 30 times faster — and about 10 times faster than the average American home broadband speed.



5e termination problem

Yes, I’m the guy that just joined to ask a question... I am stumped by a simple 5e termination problem that I cannot solve and I have no one else to turn to..... so here goes.

My house has prewired Cat5e into a couple of locations and I have AT&T fiber professionally installed into one of those. I wanted to move the connection from the wall where it was to a different wall, so I cut the cable, pulled it out of the wall and ran it down into my new box. Nothing I do, though, will give me a connection. I’ve tried four different ways of connecting—RJ-45, Cat5e female connection, Cat6, and the original connector. Everything reports as a short on the tester I have. I’m an amateur at this but I’m pretty certain I’m punching down the connectors properly. I took pictures of the original termination and I’m certain I’ve replicated it properly.

I’m at a loss. Help???



Mikrotik LTE router setup - complete beginner

I, for some reason, have been tasked with the setup of a Mikrotik LTE router and I'm having some trouble (I have little to no networking exp. at all).

I've got an activated Verizon sim card entered in the device, I've visited the http://192.168.88.1 - set the country as US (as instructed) and applied the settings. I'm still unable to connect to any other webpages.

Roast me all you want! But some help would be GREATLY appreciated.



Bridging ethernet connections

Rookie network guy here

Could anyone tell me if bridging two 1G Ethernet ports on the server will be beneficial to the users on the network? I seem to get a lot better performance just using one cable without a bridge.

Gigabit LAN ports on server to gigabit PoE switch to gigabit port on DrayTek router.

Anyone who can clear this up would be appreciated.

Main reason the idea was brought up was improving network load on the rdp server.

Many thanks

Cheers



What OS 4 Python

I am a Windows guy and starting to look into Python. I was wondering what you guys use for Python. I was thinking of some lightweight Linux in a VM. Wanted to know what you guys use.

Also, is there a Python script which will read a CSV file and build access ports?



Multiple Untagged /24s within one VXLAN VNI?

I have an interesting situation I've never seen before-

Client has two sets of four EX2200s daisy chained, all ports are untagged. However they have three /24s in use on the hosts connected to these switches, and to make things interesting they are not contiguous.

There are devices in 192.168.1.x, 192.168.3.x, and 192.168.4.x subnets with KVM virtual machines that have untagged sub interfaces across all three of those subnets.

They did it a second time but with 10.1.1.x, 10.1.3.x, and 10.1.4.x networks, pretty much the exact same setup.

Before I got involved, they were looking to buy some EX4300s and just swap the 2200s one-for-one.

So obvious VLAN tagging nightmare aside, is my thinking correct that I could employ EVPN VXLAN to virtualize those untagged VLANs into VNIs and emulate their current physical infrastructure? Essentially something like VNI 1000 will be an L2 domain including 192.168.1, .3, .4 and VNI 2000 will be a separate L2 domain including 10.1.1, 10.1.3, and 10.1.4.

Obviously I would like to move them away from daisy chained switches and nearly pegged out inter-switch 1G links. So my thinking is EX4300-MP top-of-rack switches and two EX4600s to act as spines. I know the QFX line is better suited for EVPN VXLAN but I doubt they'll be using the more elegant features.



Cisco TrustSec?

Anyone here deploying TrustSec or currently running TrustSec? We are currently in the thick of it and shocker, it's a pain in the a$$. Currently attempting enforce on the existing tags we have with about 40K+ users. Any advice is welcome. What not to do, what you should be doing, etc.

From what we have gathered from Cisco, we are one of the largest and most aggressive companies when it comes to deployment strategy so if you need me, I'll be on the phone with TAC discussing what bug we are currently hitting :)

Edit: Please tell me someone else is implementing TrustSec and we aren't the only ones dumb enough...



E911 calling wireless

So we’re switching from hardphones to Jabber softphones. We just learned that for e911 calling with Jabber, it can only differentiate location using different subnets, as opposed to CDP, which our other phones used.

For wired devices, we can just create a different subnet per floor, so not a big deal. However, how are we supposed to do this with wireless? If we break each floor into its own subnet, we’ll have handoff issues and bleed-through issues, which I’m sure will cause all kinds of fun as folks walk around and between floors with their laptops.

How are you all solving these issues?



Wanted: Apple iOS ping app that does continuous ping and has audible alert for timeouts

I'm troubleshooting an issue on our network where devices seem to randomly disconnect.

Does anyone know of a good Apple iOS app (paid or free) that can do a continuous ping each second (instead of sending pings as fast as the network can handle), and has audible alerts when timeouts happen?

I'm thinking when I hear the alarm I can check the debugs to see what is going on.



Decent Softphone App for iOS/Android

So I used to use Bria and Softphone and neither are great. I really need to be able to send and receive calls from our 3 park lines and preferably see the BLFs so I can see who is on the phone or free. I am not cost sensitive unless it's going to be triple digits plus.



Need guidance as to where to start to advance my knowledge.

Sorry if this isn't the correct sub but I'm not sure where to get help.

I work for a telecom company in Canada and recently obtained a position with more networking involved. They deal with Cisco and Meraki switches, APs, security appliances etc etc.

All the fun internet stuff, static and dynamic IPs, DNS, subnet masks etc. All they have been teaching me is basically where to input the information but not necessarily LEARNING what I'm doing. This is my first time really having to know this stuff in order to do my job.

I've been trying to find courses online to try and help me better understand what I'm doing but I'm having a hard time figuring out where to essentially start looking. I guess what I'm looking for help with is somewhere to start. Is there any place you guys could recommend to give me a better understanding of how this stuff works?

Again I apologize if this isn't the correct place to ask this question, I'm just lost.



Papers on ML techniques applied on honeypot data ?

Can anyone post/link some of the latest research papers on the application of machine learning to data collected through various honeypots? I searched on the IEEE website but could not find the required papers.

Also, I am not sure if this should be posted here. So please pardon my negligence.



Filter Based Forwarding Load Balancing across multiple NextHops

Do Juniper EX4200/4300 series switches support PBR ECMP (or Filter Based Forwarding across multiple nexthops with load-balancing)?



Can I still connect to office VPN if I am already using personal VPN?

Here is my question: if I subscribe to a VPN service, they seem to require usage of their own software, or 3rd party VPN software, such as privateinternetaccess.com. How can I connect to our office VPN over these VPNs?

We use OpenVPN to connect to our office network so we can access our file directory, and in-house software, but if I am on privateinternetaccess.com VPN, how do I connect via OpenVPN?

Or do I have to disconnect one, and connect to other when I need to access office network?



Troubleshooting IP routing of connected interfaces when ACLs and NAT is in use - need debug and/or command guidance.

I have a router with 2 ISPs, one primary ISP and if it goes down, using IPSLA / Tracking, the route changes over to the backup (satellite). There's a bunch of NAT statements on the primary ISP that map ports on the outside to an inside server, but when it fails over, I just want outbound internet to work until the primary ISP comes back up.

That function above works but now I have added some dot1Q sub-interfaces on the inside, one for Guest WIFI which is ACL blocked from the other network (allowing the DNS servers only), one for security cameras, a testing subnet for misc future needs, a VoIP subnet, etc... This new sub-interface setup seems to be working in that all sub-interface networks can get out via NAT - but they aren't reliably talking internally between each other. E.g. 192.168.18.x/24 works but if I try to get to a security camera subnet 192.168.2.x/24, I'm getting limited traffic through - about 1-4% of PINGs work, but not 96+% of them... on all of them, some with no ACLs on the sub-interface.

So, not wanting to have to clean up a whole config of specific info and post it for help, I do want to learn to troubleshoot this myself... I am looking for debug assistance.

I have found that the way IOS handles routing with NAT is that: "Q. Does NAT occur before or after routing? A. The order in which the transactions are processed using NAT is based on whether a packet is going from the inside network to the outside network or from the outside network to the inside network. Inside to outside translation occurs after routing, and outside to inside translation occurs before routing. Refer to NAT Order of Operation for more information." (Source: https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html)

So I expect that my locally connected networks should route before looking at NAT statements, right? With the presumption that my statement is correct, and realizing that "show ip route" shows me locally connected routes that should be routing traffic, I am thinking that it's probably NAT that is muddying the waters here - is there a command that can show me not just the whole routing table but what decisions, including NAT and ACLs, the router will make to take from subnet X to reach destination Y? What debug commands can I use to help here? "debug ip routing" didn't help as I expect that is about routing protocols, not routing decisions... showing NAT translations is a HUGE table, and not sure it helps compare NAT to routing and leaves out ACLs... right?

Thanks in advance and to clarify - I'm basically looking for guidance on what to look at to understand how to fix my own issue... I don't want to be one of those "here's my whole config, what did I miss" types... :-)



PSA: Found solution to POAP deleting system image

I just wanted to post this solution here in case there is some other poor soul out there trying to get POAP to work on a Cisco Nexus switch and finding that the switch keeps deleting its own nxos .bin file.

A while back I posted here asking if anyone else had encountered this; nobody had, which is not surprising since I don't think POAP gets used that much, and Cisco even now recommends not using it for security reasons. Nonetheless, here is the solution:

If you are using this poap script from github look at lines 393 - 396 under the function init_globals().

# confirm image deletion
del_system_image = True
# confirm image deletion
del_kickstart_image = True

This is causing the deletion.

When POAP starts, it looks for a switch configuration file on the server specified in the DHCP lease. If it does not find the configuration file, POAP fails and loops again. When it fails, it runs some cleanup and in this process deletes its own system image.

Solution: set these values to False

We ran into this issue while setting up a workflow to allow our engineers to rack and stack switches, turn them on, and then later push config. The problem is, until the switch config exists, POAP fails, loops, then deletes its own system image unless you alter this bit of code in the poap.py script.

Hope this saves someone else some headache if they're also playing around with POAP



EAP-TLS - No Authentication

First and foremost, sorry for repost.
I seem to not be able to post to my original post.

Anyway, I've done some extensive investigation and find that the RADIUS packets are dropped over IPSEC.
The MTU for these packets is too big for the VPN.

I've verified that "ping -l 1400" is the maximum packet size I can send from the AP to the NPS server. (Over the VPN)

The Framed MTU is set to 1300 on the NPS, but this does not seem to have an effect, as RADIUS packets are still dropped.
Anyone got any idea as to why Framed MTU is still being sent with 1400 MTU?



Need advice for a free NMS

Hi /r/networking

Anyone care to share any free NMS software with me? I am more interested in Monitoring rather than Managing, although that's a welcome feature too.

My key needs are:

  • Topological Availability - Basically a MAP/Topology showing me the device's health signs/availability. Crucial as the MAP will represent the physical connectivity.
  • SNMP - Something that'll give me information for the node objects.
  • Basic "health signs" in cases where a device does not have SNMP, something that polls/pings the device through IP on a regular basis.

So far, my research uncovered more "Application Monitoring" systems, which have way too many features that I don't need, and unfortunately all the monitoring solutions seem to dedicate a lot of UI in that direction.

The last monitoring software I used was WhatsUp Gold, but it seems to have changed drastically. I remember using v14, which looks completely different to the current ones. I know it's not a free option, but anything that looks similar to that functionality would be fantastic.

I've looked at solutions like Nagios, Zenoss, Zabbix, but it looks like something none of my workers would dare to go for due to the complexity of adding a single node to an existing group.

EDIT: forgot to mention that the network consists of various brands.



Cisco 2960X ARP table issue - bad entry from remote network

I have (2) 2960X switches out of 47, all identical configs (version/model/subnet,etc).

Switches are on VLAN1, Cisco Prime server on VLAN2.

The switches are recording an ARP entry for the server, which is preventing the two from communicating properly.

Has anyone else experienced this before? I can't find any solid info on a bug report, but clearing the ARP cache fixed the problem for a while until the ARP table repopulates.

I don't even know why the switch is recording an ARP entry for a remote network....?

Sincerely,

Baffled in the Midwest

Switch Ports Model             SW Version  SW Image
------ ----- -----             ----------  ----------
*    1 52    WS-C2960X-48FPD-L 15.2(2)E3   C2960X-UNIVERSALK9-M



DDoS on AXTEL Mexico

I'm putting the name of the ISP just in case anyone knows the actual ISP and has more insight into it.

So, TL;DR: I was DDoSed at my small business and have no internet access, and I'm trying to find out if there's a permanent solution that doesn't involve tunneling my traffic through another ISP.

If mods think this doesn't belong in /r/networking I would appreciate it if you could help me find its correct location. Purpose of the post: get advice or a solution.

Here's the long story:

So, my setup: small business network with approximately 80~90 network nodes, with an HP DL 380 G6 server acting as a router with pfSense installed on it, and two incoming ISP providers, both with fiber optic. First, AXTEL, working with the ONT in Layer 2 so the server gets provisioned with a DHCP IP directly; second, TELMEX, working with the ONT as a router so the server is on a 2-IP private network with the router and with DMZ pointing towards the server.

A couple of weeks back I got DDoS'ed on the main connection (AXTEL) and for some reason the ISP's reaction to all the incoming traffic is to blacklist my IP in their network. So, I still get provisioned with an IP but I can't connect to the internet past what I'm assuming is one of the main gateways in my zone, but I can still connect to local IPs (like, up to 8km in radius from my location: if I have a neighbor who uses the same ISP and I ping his IP I have connectivity to it), but nothing on the "real" internet.

I use the secondary ISP to actually have internet on the site, but the second one has no fixed IP and it keeps changing, so reconfiguring DNS and cPanel and other stuff in our network every 10 or so hours that the IP changes is very impractical.

The attack I received was a flood of what I'm assuming was only network header data (like ACK or something like that) that used up all my 200mbps of internet, so, yeah, the firewall was OK dropping all of that stuff but it still blocked my internet.

My first solution was to create a VPN tunnel to another server I have in the US and pass all my network traffic through that server, so the incoming DDoS was mitigated by the datacenter's infrastructure and that server's firewall and never reached me. The problem with this is that my latency of 15~30ms to the internet goes to trash, all the way up to 95ms.

So, people from Networking, is there a way to protect myself against these attacks that doesn't require me to ask my ISP for help (since they have made it clear that they won't help) and preferably doesn't make me use a tunnel to some other host on the internet?



Do you use DNS as a control plane?

I'm currently following the discussion on DNS over HTTPS and its potential to make it harder for operators to block traffic to known C&C's or to implement local response policies. Based on this I was wondering how common these mechanisms are in your networks? Would DNS over HTTPS cause problems?



Thursday, August 8, 2019

SonicWall FW & Edge Router for Home Network Question

I've been using an Edge Router as my DHCP server and have an Ethernet cable in the WAN port from my ONT. I've recently got a SonicWall TZ400 from work. I'm still new to the FW concept and what not so I've decided to utilize the TZ400 in my house to learn it.

Here's where I'm stuck and can't seem to figure it out. I can't decide which device to use as the DNS and DHCP server. Since I can unplug the Ethernet cable from the Edge Router and plug it into the FW's WAN, I'm also not sure which device I should have the Internet go into. Should I continue to use the Edge Router as a DHCP/DNS server to not bog down the FW's CPU? Should I take the Edge Router out of the equation, or can I just turn it into a switch? If I were to use both devices (if it benefits the network), should I have the Internet go into the Edge Router first or the FW? If anyone can provide some insight or your thought process, it'd be appreciated. Thanks in advance!



Confirm my understanding of VLANS / TRUNKING / PVID

Hey all,

Been in the field for ~5 years for all of which I have been a Sysadmin for an MSP. Studied and passed CCNA R&S, but all of my professional experience has been with any vendor that isn't Cisco. Ubiquiti Unifi, EnGenius, Netgear, Ubiquiti Edgeswitch, and HP/Aruba.

Every once in a while I find myself in a situation where I think "Do I truly understand EVERYTHING about VLANs?" and I'm hoping you all can confirm my understanding or give me some guidance.

Untagged VLAN - This is the VLAN that traffic will get tagged with, if the traffic is not already tagged with a VLAN.

For example, I have cameras that should be in video VLAN 200, and I can't spec VLAN200 on the camera, so I untag VLAN 200 on the switch port which connects to the cameras. In my understanding, this is the same as an access port in the Cisco world. "switchport access vlan 200" is the same as untagged on 200.

Tagged VLAN - In my head, tagged is almost interchangeable with "allowed". Meaning frames tagged with this vlan are allowed to pass through the switch interface.

Example:

I have an access point which is on a management VLAN 99, and the trusted wifi is on VLAN 75. The switch is tagging its own management traffic, and the AP is tagging its frames for the trusted wifi, so on the switch interface I tag both VLAN99 and VLAN75.

Trunks in Cisco - All VLANs are tagged by default, but you can scope down which VLANs you want by using "allowed" and only adding those. No VLANs are untagged on the switch port unless you spec a native VLAN. Example... All uplinks and downlinks between networking devices. What is the point of the native vlan on a trunk anyway? To tag the management traffic of the downstream device if it's not managed on the VLAN you want? Any other good examples?

PVID - I don't have a clear understanding here at all. I was told to just think of PVID and untagged as outbound and inbound, but in doing some research and labbing earlier today, it seems that PVID is close to how I looked at untagged VLAN. As in, PVID is the VLAN that gets assigned to traffic which is not tagging its own frames? How would you put PVID in layman's terms?

I decided to make this post after a misunderstanding earlier. Management decided we are going to change our "stack" to be EnGenius switches and access points so I took a few switches into lab to make sure I knew how everything was done. I tried to get a phone on the voice VLAN by selecting UNTAGGED on that interface, but it did not get a voice VLAN IP. After changing the PVID to the voice VLAN, it got the correct address assigned.

I then was playing around with tagged/untagged for its switchport while keeping the PVID assigned to the voice VLAN, and those settings did not appear to matter. If the PVID was set to the voice VLAN, the phone would get DHCP in the voice VLAN regardless of the voice VLAN being tagged/untagged.

Thanks!
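To make the tagged/untagged/PVID rules in the post above concrete, here is an added Python model of a single switch port's ingress classification and egress tagging; it is an illustration written for this digest, not code from the post or from any vendor. The Port/Frame classes and the rules (untagged ingress always lands in the PVID, tagged ingress must match a member VLAN or is dropped, egress follows the membership type) are simplifying assumptions, and real switches differ in the corner cases.

```python
"""Added example (not from the post or any vendor): a minimal model of how an
802.1Q switch port classifies ingress frames and tags egress frames using the
three knobs discussed above: PVID, tagged membership and untagged membership.
Assumptions: untagged ingress frames always land in the PVID, tagged ingress
frames must match a member VLAN or are dropped, and egress follows the
membership type. Real switches differ in the corner cases."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass(frozen=True)
class Frame:
    vlan: Optional[int]          # None: no 802.1Q tag on the wire
    payload: str = ""


@dataclass
class Port:
    name: str
    pvid: int                    # VLAN assigned to frames that arrive untagged
    tagged: Set[int] = field(default_factory=set)    # members sent with a tag
    untagged: Set[int] = field(default_factory=set)  # members sent without one

    def members(self) -> Set[int]:
        return self.tagged | self.untagged

    def ingress(self, frame: Frame) -> Optional[int]:
        """VLAN the switch assigns to an arriving frame, or None if dropped."""
        if frame.vlan is None:
            return self.pvid             # the PVID rule: untagged -> PVID
        if frame.vlan in self.members():
            return frame.vlan            # tagged and allowed -> keep its VLAN
        return None                      # tagged with a non-member VLAN -> drop

    def egress(self, vid: int, payload: str = "") -> Optional[Frame]:
        """Frame put on the wire for a VLAN, or None if the port is not a member."""
        if vid in self.untagged:
            return Frame(None, payload)  # strip the tag
        if vid in self.tagged:
            return Frame(vid, payload)   # keep the tag
        return None


def forward(in_port: Port, out_port: Port, frame: Frame) -> Optional[Frame]:
    """Classify on the ingress port, then re-tag on the egress port."""
    vid = in_port.ingress(frame)
    return None if vid is None else out_port.egress(vid, frame.payload)


def access_port(name: str, vlan: int) -> Port:
    """Cisco 'switchport access vlan N' expressed in PVID/untagged terms."""
    return Port(name, pvid=vlan, untagged={vlan})


def trunk_port(name: str, allowed: Set[int], native: int = 1) -> Port:
    """Cisco trunk: allowed VLANs tagged, the native VLAN untagged and as PVID."""
    return Port(name, pvid=native, tagged=set(allowed) - {native}, untagged={native})


if __name__ == "__main__":
    # Camera on untagged VLAN 200 (the post's first example).
    cam = access_port("cam", 200)
    # AP port: VLANs 99 and 75 tagged, PVID 1 (the post's second example).
    ap = Port("ap", pvid=1, tagged={99, 75}, untagged={1})
    uplink = trunk_port("uplink", {1, 75, 99, 100, 200})

    print(forward(cam, uplink, Frame(None, "video")))     # tagged 200 on uplink
    print(forward(uplink, ap, Frame(99, "mgmt")))         # stays tagged 99
    print(forward(uplink, ap, Frame(200, "video")))       # None: ap not in 200

    # The phone experiment from the post: with PVID = voice VLAN, an untagged
    # DHCP discover lands in VLAN 100 whether 100 is tagged or untagged.
    phone_untagged = Port("p1", pvid=100, untagged={100})
    phone_tagged = Port("p2", pvid=100, tagged={100})
    print(phone_untagged.ingress(Frame(None)), phone_tagged.ingress(Frame(None)))
```

The native VLAN question maps onto the same model: on `trunk_port` it is the PVID, so any frame that arrives on the trunk without a tag is classified into it.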



Can’t figure out why Cisco switch keeps rebooting.

We have an SG300-52MP Cisco switch that keeps rebooting and I can’t seem to figure out why. Fans are not reporting any issues. Is there anything else I should be looking for? I am not seeing any errors that would signify an overload or power issue.



Dell N4000 route-map issues

I have 45 vlans with the same route map while I cut over a network. The issue is, on the 46th VLAN, the switch had issues applying the route map. It just said “can’t apply route map to this interface”. The vlan is configured exactly the same as all the other ones. I was able to get the route map to apply after taking off the IP address. Then I added the ip back. But the route map shows no hits.

Is this just dell hell?? I’ve never had these issues!!



What kind of network setup would do this

A customer uploads data daily via SFTP and I noticed their IP changes every couple of minutes or so. It seems like they use dozens of different IPs in the time it takes them to upload their data. They are all over the place in an x.x.50.1 - x.x.52.254 range although they are uploading from just one machine. They are having problems with flaky uploads so I wondered if that could be part of the problem. They obviously have a nat pool but I don't know if it's normal for it to bounce around so much.



Looking for advice on transition from operations to project work

Hi /r/networking,

I hope this doesn't violate the rules re career advice, as I consider this a close-to-senior-level (more intermediate) career question.

I have been in networking for about 4 years now, IT in general for about 6 years, working for an MSP in an exclusively operations-focused role.

I've been lucky to get some great experience and mentoring in my time at my current company, but for many reasons I think it's time for a change.

I am being offered a job at a much smaller (think more than 10x smaller), more focused (no VAR, slowly building managed services practice, lots of project/design/implementation work) consulting company. They are offering an appropriate pay bump that reflects the increase in the complexity of the day-to-day work.

Most people on their team of network consultants have much more experience (closer to 20 years just in networking), but they are all friendly and approachable people and from visiting with them it is clear they have a good culture going.

I guess my question is; at what point did you make the jump from operational 'keep the lights on' work to a design/implementation-centric role? What was the transition like? I see no opportunities to sharpen my skills in design and implementation in my current role, so I figure the best way to enter the next chapter of my career is to make the leap with this new company.

Any and all advice is appreciated.



PXE booting from a different network. Option issues, I think.

Picture this.

WDS Server = Windows, VM, 192.168.1.32 255.255.248.0

DHCP Server 1 = Windows, VM, 192.168.1.15 255.255.248.0, pool for the 192.168.0.0 network only

DHCP Server 2 = Cisco 4510, dhcp pool for a second network: 192.168.16.0 255.255.252.0

PXE booting on the 192.168.0.0 network is fine. But if I try it on the 192.168.16.0 network, its a no go.

DHCP server 2 config (I'm running off memory here as I am at home now)

ip dhcp pool new-network
 network 192.168.16.0 /22
 domain-name ourdomain.com
 dns-server 192.168.1.2 192.168.1.3
 default-router 192.168.16.1
 option 66 ip 192.168.1.32
 option 67 ascii path/to/file.efi

No go. PC PXE boots, gets a dhcp address in the 16 network, and then says TFTP.....

I've tried changing option 66 to ascii with the FQDN. Quotes, no quotes. Still nothing.

Before I get wireshark on this, is there something I am missing here?
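As an added example for the option 66/67 part of the post above (not the poster's config and not vendor code), here is a small encoder/decoder for that portion of a DHCP offer with a check on what a PXE client will see. Per RFC 2132 options 66 (TFTP server name) and 67 (bootfile name) are text strings; the sample values and the four-octet variant of option 66 are constructed here to contrast a text encoding with a raw-IP one.

```python
"""Added example, not the poster's switch config: encode and decode the PXE
part of a DHCP offer (options 66 and 67) and sanity-check what a client will
see. Per RFC 2132, option 66 (TFTP server name) and option 67 (bootfile name)
are both text strings; the sample values and the raw-IP variant are constructed
here to show the difference between a text and a four-octet encoding."""
import socket
import string

END = 255                                      # RFC 2132 end-of-options marker
PAD = 0
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def encode_option(code: int, value: bytes) -> bytes:
    """One DHCP option as code, length, value."""
    if not 0 < len(value) < 256:
        raise ValueError("DHCP option value must be 1..255 bytes")
    return bytes([code, len(value)]) + value


def encode_pxe_options(tftp_server: str, bootfile: str) -> bytes:
    """Options 66 and 67 as text strings, followed by the end marker."""
    return (encode_option(66, tftp_server.encode("ascii"))
            + encode_option(67, bootfile.encode("ascii"))
            + bytes([END]))


def decode_options(blob: bytes) -> dict:
    """Parse a code/length/value option list into {code: raw bytes}."""
    options, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d value" % code)
        options[code] = value
        i += 2 + length
    return options


def check_pxe_options(options: dict) -> list:
    """Report why a PXE client may fail to reach TFTP given these options."""
    problems = []
    for code, name in ((66, "TFTP server name"), (67, "bootfile name")):
        if code not in options:
            problems.append("option %d (%s) missing" % (code, name))
            continue
        text = options[code].decode("latin-1")
        if any(ch not in PRINTABLE for ch in text):
            problems.append("option %d (%s) is not printable text: %r"
                            % (code, name, options[code]))
    return problems


if __name__ == "__main__":
    good = decode_options(encode_pxe_options("192.168.1.32", "path/to/file.efi"))
    print(good, check_pxe_options(good))       # []: both options are text

    # What a four-octet ('ip'-typed) option 66 looks like on the wire: the
    # client reads the address bytes as a name, not as 192.168.1.32.
    raw = (encode_option(66, socket.inet_aton("192.168.1.32"))
           + encode_option(67, b"path/to/file.efi") + bytes([END]))
    print(check_pxe_options(decode_options(raw)))   # option 66 flagged
```

Running `check_pxe_options` over the options section of the offer captured on the 192.168.16.0 network shows which encoding the 4510 actually hands out.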



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Second level domain forwarding with a FortiGate 60D

First of all I have no idea what I'm doing.

I want to forward every connection received at git.*.com to a local Raspberry Pi for my own GitLab server. Idk what vocab terms to google or what questions to ask; how do I go about doing this?



Terminal Screen Color Change on Reboot via Console

This might be an easy question to answer, but basic googling did not yield an answer. Why does my screen color change in SecureCRT / Opengear when I reboot Cisco boxes via console?

Please share :-)



Virtualizing an Entire Enterprise Network

Was recommended I post here from r/virtualization

I'm a recently hired network technician at a university that has 8 different campuses across the state and I belong to a team of two: myself and my boss, the school network engineer. I'm pretty new to the field, so most of my tasks have involved troubleshooting/setting up IP phones and occasionally helping to troubleshoot a network issue. I plan to take my CCNA exam in the next couple of weeks and once I pass, I want to buckle down and become much more familiar with the entire network that we manage. I'm already starting by drawing it up in Visio with the limited access I have, but I thought a really interesting project would be to virtualize/emulate the entire network in GNS3. This would allow me to not only learn a lot more about our network, but the end product could potentially be used as a test environment for any changes we make in the future once up and running. I also plan to learn SDN with Python in this environment.

What hardware would be best for a project like this? Would I need something like a server with a hypervisor to run 8 different instances of GNS3, one for each campus? Or would I be better off clustering 8 Raspberry Pis with one instance of GNS3 each? We have around 180 total switches we manage and the most one campus has is 51 devices. If I'm posting this in the wrong subreddit, please let me know and I'll ask my question elsewhere.

Thanks!



Mpls P/PE alternatives to juniper mx5/80?

Our current MPLS/WAN network is pure Juniper MX80s. Last year we bought a bunch of MX5s, applied an upgrade-to-MX80 license to one of them and put it into production.

We are expanding our network and wanted to upgrade 2 spare MX5s we had to MX80s and deploy them, but it seems the price of the upgrade license has rocketed. The quote I received today was £32k for two upgrade licenses. We paid around £5k for an upgrade license last year.

I'm looking for alternatives to paying this upgrade license. The Mx range is appealing due to the number of 1g ports once fully populated, and the 4x10g ports.

Any recommendations for a product which will come in at less than £16k each (£32k for two)?

Ideally we would keep juniper throughout, but I don't think that's going to happen unless we bite the bullet and pay.

Anyone bought "used" but with reseller warranty/support?



Riverbed asymmetric routes detected

I have a riverbed question regarding asymmetric routes. First off, I do have a support contract with riverbed, but I'd like to talk this out, first, before calling them. This is probably a good learning opportunity.

For starters, this site connects to the internet through at&t enterprise fiber. We lease IP addresses from at&t, our electrical hand-off plugs directly into our firewall. We use sonicwalls (High Availability, please don't turn this into a sonicwall sucks discussion, for us it does what we need it to do).

Since there are two sonicwalls (HA) our hand-off from at&t plugs into an L2 'WAN Switch' (yes, single point of failure) and each sonicwall plugs into the WAN switch, respectively. Here is where riverbed comes into the picture.

X0 on our sonicwalls are LAN. Before the LAN connection hits the network switch, it plugs into the riverbed appliance. The riverbed appliance has 4 ports, WAN 0, WAN 1 and LAN 0, LAN 1.

WAN 0 (riverbed) plugs into sonicwall 1 X0
WAN 1 (riverbed) plugs into sonicwall 2 X0
LAN 0 (riverbed) plugs into network switch1 port 1
LAN 1 (riverbed) plugs into network switch1 port 2

STP is enabled on the switch (this environment has a single switch) and shuts down port 1 or port 2, depending on which sonicwall is active.

At this point, everything works fine. The riverbed is passing the traffic and optimizing traffic based on rules that were set.

My question....

When the 'primary' sonicwall is running, it seems that every day I'll see several 'Asymmetric Routes Detected' immediately followed by an 'Asymmetric Routes Cleared'. I can manually change the sonicwall to operate from primary to secondary, or if something causes the primary unit to go off-line the secondary will immediately take over. About 6 months ago there was a power outage and the UPS that was connected to the primary sonicwall didn't have as much battery as the UPS that the secondary sonicwall was connected to, which means the primary sonicwall shut off and the secondary took over. When power was restored (shortly after it went out) the secondary unit continued to function as the 'main' unit. When the secondary unit is running as primary I notice that I never (haven't yet) see the 'Asymmetric Routes Detected' immediately followed by an 'Asymmetric Routes Cleared' alerts.

I realize that the details of the alert email may be critical to help with my question, but before I get that much in depth, I'd like to see if others who use riverbed may be able to give some feedback based on what I've typed, above. From an infrastructure/connectivity perspective, I'm not sure why running on the primary sonicwall causes these alerts and when running on the secondary sonicwall I don't see these same alerts (at least, not yet).

I will say this, the WAN IP that was in this last routing alert received was '35.193.89.47' which appears to be Google Cloud.

Thanks.



NPS server for Radius with WLC

I'm in the process of setting up an NPS to do authentication for wireless, if we already have a CA on the network does the NPS server also need to be a CA?



Is anyone using Sophos XG?

I am looking for a simple to use but effective and powerful firewall. How is Sophos XG? We need to monitor usage and dummy-proof our network so users don't even see the phishing or virus emails. Or for that do we need sophos email protection as well?



Cisco WLC; Can connect to Guest network but no internet

Hi everyone,

Forgive the ignorance here, super new to networking, but I have been getting reports from users that our guest network is able to connect but with no internet. I logged into the web portal and the only thing I can see that looks weird is that no APs are listed...

There was maintenance done a couple of weeks back and it appeared as though some machines got flipped to a different VLAN, but I would think that within the last couple of weeks, someone would have complained that the guest network was down, so I'm not sure that's the issue. Thanks everyone!



Buying a Chassis switch vs a Stacking vs MLAG

We have a relatively fixed budget and need ~24x SFP+ ports.

The two techs I work with only know HPE Procurve/Aruba when it comes to switching, so there would have to be a great reason to not use it.

The minimums are:

6x for iSCSI storage

8x for servers iSCSI connections

8x for servers LAN connectivity

2x for connecting the LAN to the rest of the network

My main concern is whether to get:

Opt A. 1x chassis with 2x management modules and 4x line cards (5406r zl2)

Opt B. 2x fixed switches configured for backplane stacking (3810m)

Opt C. 2x fixed switches configured for MLAG with QSFP+ as cross connects (3810m)

My gut feeling is going with Option C followed by A with B just being a bad idea.

Coworker 1 wants A.

Coworker 2 wants B.

I am wanting C but am having a bad time articulating why.

Longer term we would be relegating the hardware to either just LAN or just SAN and buying another solution for what's left.

Anyone have some input on leaning one way or the other?

Thanks



LAN | ANY | ANY

What are the risks of a Firewall rule like such?

Source|Port|Destination

LAN | ANY | ANY



Setting up new office with Cisco wireless using flexconnect

I've done this kind of Deployment a few times now, and I am never sure that I'm doing it the right way. I tend to copy the setup of an existing office and amend interfaces/wlans/flexconnect groups etc in the wlc to make it work.

Then you have the whole thing of having to set a native vlan on the trunk in the office etc.

What I've been searching for using my google-fu is an idiot's guide on doing this from scratch, but I came up short.

Has anyone got a link to some guides or tutorials on how this SHOULD be done?



F5 APM and RSA Authentication Server for SMS OTP

Hello,

We are using a cluster of F5 BIG-IP version 13.1.1.4 with LTM + APM enabled as a SAML IdP role.

We have also installed a cluster of RSA Authentication Manager 8.4 (On premise) along with a cluster of SMS Eagle gateways.

Is it possible to do an APM policy that allows the user to request an SMS password and then log into the requested resource?

It looks like you can do it with the RSA Auth available as SaaS but not with the on-prem version.

Any thoughts?

Thanks.



Best Python script you've implemented

All,

I'm trying to do more with less. I've got a backlog of work that keeps growing by the day, so it's time to automate as much as I can! I've been using David Bombal's courses (LinkedIn Learning, INE, Udemy) to get some practical stuff under my belt without being too bogged down in terminology just yet. I've also tried Learn Python the Hard Way (lost interest so fast). I need to see tangible results; I'm drowning at work and I need to see something come to fruition that I can set up and not have to tweak constantly. Some of my day-to-day tasks are adding IPs into Palo address groups, building F5 configs (VS, pools, iRules, etc.) and moving switchports to different VLANs (Cat 4507RE, a few other XE devices). All this to ask: what's been your best script you've implemented that's saved you the most time? What were some of the resources you used to get the scripts perfected? Are there any Python networking related groups that have supported you? Has it opened any doors for you career-wise? I know it's going to be worth it; I suppose this is just a reaffirming post for myself and others.



Need help!

I did all the steps right, but WiFi still seems a step away for me. Here is what I did:

  1. Connected the router to the fiber optic to Ethernet converter module.
  2. Set up the router (SSID and password).
  3. Connected to the new SSID. Connected, secured, no internet.

Checked all adapter settings and even did a network reset. Also did a router reset, twice, but alas, haven't found a way to make it work. I'm wasting mobile data without any reason. Can anyone help?

Btw, my laptop works fine with my mobile hotspot.



Question about home routing and DOCSIS 3.0/3.1

Hi All,

Hoping someone can answer a question I have. I currently have an ARRIS SBG6900-AC that is a DOCSIS 3.0 modem/router combo. I just upgraded my Comcast (only option available. I know...it hurts me, too) to their Gig speed of 1000/35, up from 150/5. Prior to the upgrade, my upload capped right at about 5 and download about 150-200. After the upgrade, I'm getting about 350-400 down, but only 6 up. I'm fairly certain part of the issue, at the very least, is my DOCSIS 3.0 gateway.

My question is, if I were to grab a DOCSIS 3.1 modem and then put the SBG6900 into bridge mode to use it strictly as a router, will the 6900 continue to bottleneck speeds or will that then allow me to take advantage of the new connection? Common sense would dictate that a bottleneck is still a bottleneck, but I'm uncertain as to whether or not the bottleneck is limited to getting the outside WAN connectivity, or if that extends to it being used strictly as a LAN device inside of the modem.



I could use some wireless point to point hardware advice

Hi all,

I am looking to upgrade our network with UniFi devices and would appreciate your help on what is best to go for.

I inherited this setup and it's having all kinds of issues.

I want to upgrade to 5Ghz so was thinking of upgrading the main 200 Meter link with:

Ubiquiti NBE-5AC-Gen2 NanoBeam

I am not sure that the N Router is required and possibly slowing down the throughput. Maybe replace with an unmanaged L2 switch.

I wasn't sure what to replace the CPE210s with. We don't have a huge budget but figure Ubiquiti is the way to go.

The final piece is that I think the travel routers are unnecessary and was thinking of maybe upgrading to UAP AC Pro so there is just an access point without the router features we currently have but don't need.

Here is the current network topology:

https://imgur.com/ZorhwS1



Cisco ASA | Access-List Logging | Does it punt to the CPU?

Hi,

I am aware on a Cisco router if you use the keyword "log" at the end of an access list, any traffic passing through that access list is punted up to the CPU for processing which understandably can cause throughput issues if you're pushing enough traffic.

Is this the case with Cisco ASA's too?

I want to log my access list hits and export them to a syslog server, but I am also conscious if this behaves the same way as a Cisco router would this could be an issue.

Thank You



Dell and Ubiquiti CLI backup script.

Hello guys,

We use some Cisco switches and we use the following script for backup purposes:

alias exec backsc sh run | redirect ftp://x.y.z.w/cisco/name_and IP
!
ip ftp username random
ip ftp password xyzxyz
!
kron occurrence backupSchedule at 5:00 Sun recurring
 policy-list backup
!
kron policy-list backup
 cli backsc

We also use Dell and Ubiquiti switches. Is it possible to use the same syntax in the Dell or Ubiquiti CLI? If not, how would you write the same script for Dell or Ubiquiti?



Wednesday, August 7, 2019

How to keep IP from ISP

So I run a game server on an extra computer in my house. I was wondering, if I move out of this house, how can I keep my current IP at the new location?



Network Discovery /Inventory using Ansible

Is Ansible suitable for querying the network elements (as opposed to configuring them)? For example, if a discovery service needs to crawl the network using the output of LLDP neighbors, does Ansible provide equally powerful modules? Also, to have flexible steering through various tasks, is it better to use Python-based Ansible APIs instead of using Ansible CLI commands?



Deploy ASAv in the cloud

I am attempting to deploy an ASAv in a VPC using the C4large EC2 instance. I am using 3 interfaces on the instance: Eth0, Eth1, and Eth2. I have assigned the elastic IP to Eth2 (ethernet 0/1 on the ASA), but instead an IP from my inside management range gets assigned when I configure it for DHCP. Is there a way to assign a public IP to the outside interface (ethernet 0/1 on the ASA) in this case, and have my traffic be controlled by the ASAv using it in routed mode instead of using the Amazon router (IGW) to route out to the internet, as well as use it as a VPN concentrator?



LLDP Client for Android/iOS

I purchased a USB OtG adapter that successfully powers an Ethernet adapter. I was able to test it on my iPad Pro and a Samsung 10, got IP address and was able to detect devices on the network. Seeing this function, it would be an amazing tool for on the go field work when working on networks. Is there an LLDP client for either OS that can be used to see the VLAN, Switch, Port ID, etc. on the network, similar to Hanewin LLDP client for Windows?



What exactly does a Signal Refresh do on a cable modem?

So I'm having this weird issue with Spectrum where my modem starts dropping like 5% of packets. This is not enough to really show up if you have a single ping -t going, but if I get 4 of them going at the same time I can see them getting dropped every now and then.

This is a huge problem because I'm usually playing a game and using discord voice chat. In game this will cause me to rubberband every once in a while and also distort discord voice chat for a split second, enough to make me ask someone to repeat themselves.

What's weird is that power-cycling the modem doesn't help. But the two times that I called spectrum they did a "signal refresh" and it fixes the issue for the night (but it comes back the next day when I get off work). They said it's different than just power-cycling your modem. Neither tech was able to explain to me exactly what this is doing, so I am wondering if anyone knows. They also said I can do this if I get the phone app or something.



Can't ping static IP from core

I have a Juniper EX4600 for our core. I have had issues where I can't ping a static IP from the core but I can from the switches on the subnet. This has happened with more than 1 device at more than 1 location. I can ping the IP from any client machine on the subnet but not from any other subnet. The netmask has always been correct when looking into it. If I put the device on DHCP it pings fine. If I move it back to static it will ping fine for a few days, maybe. Then it will stop responding to ping from any other subnet or the core. Do you have any ideas what the problem might be?



SRX Firewall NAT rule with multiple route instances or zones in "from".

https://ift.tt/2GNLeJ1

Cumulus VRR too good to be true?

TL;DR: Cumulus Linux's VRR just seems so simple and easy? What am I missing? Why don't all networks work like this? Why bother with VRRP/HSRP/GLBP? What are its gotchas or limitations?

From my reading, instead of a protocol with dead timers, a master, etc., like VRRP or HSRP, VRR works on the anycast principle like this:

  • Both switches respond to every ARP request with an identical response
  • The host accepts either the first or second response (doesn't matter since they are identical)
  • The host (or downstream switch) sends traffic to either gateway depending on the L2 network (MLAG hashing, STP, etc.)
  • Whichever switch receives the traffic first accepts it and routes it on

My environment: I just got 2 new EdgeCore switches + Cumulus Linux, and am installing them as the core switches for my manufacturing campus and datacenter. I'm planning to do MLAG to each server (12 servers), MLAG to our Checkpoint firewall cluster, and MLAG to several of the IDF switches. Some other IDF switches will just have single uplinks for now.

The Cumulus switches will terminate L3 for all server and LAN VLANs and will route traffic onward to the firewalls (I'm using VRF-Lite for segmentation). Any issues with using VRR like this? Being a manufacturing plant we do have random flaky devices out there and it makes me wonder whether we'll have issues with devices choking on 2 ARP replies?



Juniper EX vs MX - why do they use MX as their core

Hello,

I see many people using MX series as their core switch instead of high-end EX switches, for example, EX9200 which is a modular solution as well.

Why is that?



Looking for some ideas on a switch install location.

We have a building outside that has no air conditioning. They want about 6 cameras around and wifi in building. I am tasked with putting a switch, cameras and new fiber. Cameras and fiber should not be a problem, however no ac for the switch. All open area. Switches are juniper ex3300 poe models.

Looking for options. Thanks



OPC UA

Hi,

I'm currently learning how to use the OPC UA protocol. I decided to learn the protocol by using wireshark. I'm trying to find wireshark captures since wireshark has the opcua filter. So far I've got nothing. Could any of you recommend a wireshark capture file with opcua in it?

Thanks in advance.



Meraki MS425 flexible stack over two devices in two separate locations.

Hi All,

Trying to establish if anyone has used the flexible stacking feature to connect 2 MS425 or similar Meraki switches together to form a core switch stack, but have the hardware in separate buildings.

The logic behind it is because we need a full Meraki solution, and the requirement is to have a primary switch and a DR switch in two separate buildings, as well as ensuring we can use port-channels and not have to have two separate uplinks with STP blocked links. To make matters more complicated, we need to have layer 2 between these two switches, so having them as two standalones with a layer 3 link is unfortunately not an option.

Essentially I was thinking of using the 40Gb on the front and forming a flexible stack by connecting the switches via a MM/SM fiber run. Realistically, I can't see why it shouldn't work, it just means a lot of cores to run 80Gb of SM/MM fibre.

I'm more concerned if it's a suitable design and if there are any potential gotchas with doing this. I for one think that it adds an element of risk to the switch backplane by having it run over fibre, should this fibre be cut. What would occur in this case, a split-brain type scenario?

I'm really seeing the limitations Meraki has, especially in a campus core environment.

Be interested to hear people's thoughts / suggestions.

Cheers.



Cisco WLC 802.11v and Management Frame Protection (MFP)

Cisco's documentation recommends the following:

When 802.11v feature is in use, it is recommended to disable the MFP infrastructure feature, as the combination can cause interoperability problems with some devices.

And right after this recommendation there is this restriction:

This should be used in most scenarios, unless the interoperability for the devices present in the network is tested.

Referring to this restriction, should Infrastructure MFP be used in most scenarios, or 802.11v? Instructions unclear.

If I disable Infrastructure MFP (Security -> Wireless Protection Policies -> AP Authentication), what AP Authentication Policy should I be using? Options are None or AP authentication. The documentation is not clear what these options do.



Tuesday, August 6, 2019

Using NAPALM for heterogeneous device configuration

Hi,

I am new to NAPALM and I just started looking at it.

From what I understand the show/get side has a lot of features, but for configuration can NAPALM be extended?

Also, is there any specific reason it's not done (is it because it's tough to abstract it across heterogeneous devices?).

Thanks,

Ramesh



If I have a modem/router combo from my ISP, if I plug in a new/better router to the modem, will the router portion of the modem be disabled to allow the new router to take over?


SD-WAN

So with all this talk of SD-WAN, how do some of these vendors address controlling the download at a branch?

If a branch has an appliance running tunnels to other sites I get being able to QoS or prioritize traffic in the tunnels, but what if the issue is at the DIA download from the internet at the branch? That's going to kill quality of service.

I know some carriers will backhaul all traffic back to their data center, but that isn't efficient and adds latency; why take an extra 10 hops if your DIA provider can get to the same in 5?

Is dual circuits at the branch with packet duplication the answer?



How to show a log of who (which IP address) logged in (with timestamp, failed or successful) to Cisco Prime Infrastructure, via GUI or CLI?

I want to know who (from what IP address) has logged in to the Cisco Prime Infrastructure appliance.

Please guide me on how to show a log of who (which IP address) logged in (including a timestamp and whether the attempt failed or succeeded) to Cisco Prime Infrastructure, via GUI or CLI.



Oracle/TNS Failures long after TCP handshake post firewall migration (ASA->PAN)

I am throwing some questions out into the wind on this one before we tap the paid experts...

We’re migrating away from Cisco ASA towards PAN... the ruleset is migrated closely to like for like, aka, we’re not allowing Apps, but rather service ports.

TCP/1521 has become an obstacle. This is an oracle database connection. Everything has worked except this.

We can ping the server, the full TCP handshake occurs, yet there’s a late failure in higher level transactions that results in a server side reset...

We actually see several higher level communications back and forth.

Flowing across the ASA this does not occur - everything is happy.

I am unfortunately ignorant of the specifics of Oracle/TNS - and Wireshark doesn’t provide much guidance either...

Unfortunately at the end of the day the connection works across the ASA, but does not across the PAN - even though we see no drops against the PAN...

We have a PAN engineer already engaged.

I am just wondering if others have had issues with Oracle DB across PAN firewalls so we can steer the conversation.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



rsyslog server (debian) for cisco catalyst

Has anyone done a setup for rsyslog server (debian) for cisco catalyst running IOS-XE? Cisco side config seems easy, any pointers for linux server side config? Should be recent, interwebs show quite dated info.



Mbps vs MBps

Today at work there was an argument about why bandwidth was measured in bits and not bytes. I suggested that it was measured in bits because each electrical signal sent over a cable is either a 1 or a 0, hence being measured in bits. My coworker suggested that it's a clever marketing scheme to make data rates seem faster. What are your opinions on this?



Verizon Samsung phones can't place/receive calls when on WiFi.

Weird problem that I can't seem to find an answer for. My work uses Verizon for company cell phones. All the iPhones work great on WiFi and with WiFi calling. Same goes for Pixel phones. Samsung Galaxy S8/S9/S10 have problems with WiFi calling, and a few S8/S9s also have an issue where when they are on WiFi they can't receive or place a phone call. As soon as WiFi is shut off the call comes through. Is there something I should look for on our Cisco WLC or something I should open up on our firewall? I kind of think it could be a Samsung issue since the Verizon iPhones work fine.



What's a Wyebot?

My CFO has been getting emails about a Wyebot and keeps asking me if we should use one to diagnose our network. I shrugged it off last year, but she's brought it back up again and I need to figure out if it's worth expending any effort on.

Has anyone here had any experience with the company or the device? Supposedly it conducts a wireless site survey and makes recommendations. We use TamoGraph (not the best) for this already.

Any advice or general wireless analysis discussion would be awesome.



Local Network, Users work off VPN < Printer

I have some users who work through a VPN in our office.

These are terminals, basic Dell. The issue is, they can't access the printer on our network due to them being on the VPN.

If they need to print they have to disconnect, and reconnecting takes a bit.

I'm about to set up a print station - before I go that route, any suggestions?



Question about Cisco Nexus vPC domain IDs

Hello

We have a Nexus core pair in vPC Domain 1 and will be adding multiple pairs of downstream Nexus access switches. I know that the vPC Domain ID needs to be different for the downstream pairs but do the downstream pairs also need to be in different Domain IDs to each other? For example should we put one pair in vPC Domain 2, another pair in vPC Domain 3....etc, or can we put all of the pairs in vPC Domain 2? We're planning on setting up double-sided vPC topology between the core pair and the access switch pairs so all four links in a connection will be in a single vPC and port-channel ID.

Thanks

AK



Troubleshooting cable infrastructure issues

Tried asking this question earlier and got downvoted to oblivion so I guess I’ll rephrase and try again. We’re experiencing multiple simultaneous link failures on ethernet links that are physically in proximity to each other but in no way connected to each other. These are separate, basically air-gapped networks, that share the same rack, but we are experiencing the same symptom across all networks. Haven’t checked the links with a cable certifier but my Fluke microscanner says the links are physically good and within length limits. Cable infrastructure is about 2 years old and we haven’t had any issues until recently. We tried swapping out the equipment on either end of the link and the links stay down. Even tried just plugging in a pair of known-good laptops on either end of the cable and the laptops don’t detect that a cable is plugged in. What I can’t figure out is that all the cable testers I have access to say the links are good.



Viptela WAN underlay recommendation

Hi All,

The organisation I work for is in the process of designing a new WAN using Cisco SD-WAN/Viptela. We currently have a microwave WAN which uses BGP. Hoping to get some recommendations for/against using BGP or OSPF for the underlay.

My preference would be to stick to BGP, but OSPF would be simpler. If OSPF were to be used, I would imagine we would have a number of areas to reduce recalculations etc.

What are your experiences?



TCP question

I have an application that is communicating cross-language (through localhost) via a TCP protocol. Is it bad practice for the server to build up a queue of requests in a background thread while the main thread dequeues and handles the leading request?



Open Server Root Servers, OpenNIC and ICANN

Could someone please further explain the working of open-source root servers like OpenNIC, and how they differ from the ICANN root? What are the benefits and disadvantages of using open-source root servers, e.g. OpenNIC, over ICANN? Why don't they stand the test of time? I also noticed you need to use different DNS from the ICANN DNS to access OpenNIC domain names, e.g. .oz, .neo, .o etc.



Layer 1 Head Scratcher

I've got a bit of a head scratcher on my hands. We have a portable equipment rack with a few network devices in it. Each device connects directly to a corresponding device, which are each located in other racks, so there's 6 racks about 100 feet apart and about a dozen device-to-device "crossover" connections between devices in different racks. There is no connectivity within the racks between devices. The only network connections are the device-to-device connections running between racks. We've never had any issues with this setup until yesterday, when not a single network connection would come up. No link lights, nothing. A dozen simultaneous failures, with no single point of failure. They aren't running the same OS, so we can rule out driver issues. I'm having trouble coming up with an explanation for how this could have happened. The only theory I have is that it could be power-related, maybe a ground loop? We set it up again today and it's all working again.



HP 1910-8G DHCP: Am I missing something or will this switch not work as a DHCP server?

We've been banging our heads. It looks like the only DHCP options are DHCP relay or DHCP snooping. Does this mean that I cannot set this up with different VLANs and have the VLANs provide DHCP IPs?



Nexus logs

Trying to find a way to limit the number of logs we keep on our Nexus devices and I cannot find it. When I do show logging I get about two years' worth of logs. If I remember, on the Catalyst you could set a limit for logs, but on Nexus I am not having the same luck.

Anyone have commands that are good outside of self truncating the logs when viewing?



Is my new career becoming obsolete?

27/M - I started off as a network engineer for a service provider in the UK after graduating Uni (usual Cisco/juniper/mpls/bgp relating projects) before being offered a new role which came with a very good pay rise.

Still within a service provider, I’m currently a tech lead overseeing changes on a transmission level. So now I’m basically specialising on a L1/L2 level, things like metro Ethernet/DWDM/fibre etc... however I’ve come to learn that my company may be shifting away from this in favour of Juniper/MPLS entirely.

Did I make a mistake shifting to this new role? Or are these transmission skills still sought after anywhere?



What is the difference between Rapid-PVST+ and RSTP?

Hoping some one here can explain it better or point me to better documentation than what I have found online.

Thanks!



Forcing Cisco Switches to use 3rd Party SFPs

We have an older Dell PowerConnect on its last leg, so I wanted to swap in a spare Cisco 2960S, and in preparation to do that I realize that Cisco does not like 3rd party SFPs (Dell in this case). We are going to order a few Cisco SFPs today but it'll be a few days before they come in, so I wanted to have the 2960S ready and working if the PowerConnect dies.

I found a few commands to stop the errdisable but they don't seem to be taking; it accepts the command but still downs the port with errdisable. I did 'end' and 'write' after the command but no dice. The other end of this is a Cisco 3570; there is an uplink/SFP setup already that is live to the PowerConnect, but in the mindset of testing before I swapped the switch I used a free SFP port on the 3750 and popped another Dell SFP in so that I can test the switch before swapping it, and ran into the same issue with the 2960 and the Dell SFP (errdisable even with the commands run).

SW1(config)#service unsupported-transceiver
Warning: When Cisco determines that a fault or defect can be traced to
the use of third-party transceivers installed by a customer or reseller,
then, at Cisco's discretion, Cisco may withhold support under warranty or
a Cisco support program. In the course of providing support for a Cisco
networking product Cisco may require that the end user install Cisco
transceivers if Cisco determines that removing third-party parts will
assist Cisco in diagnosing the cause of a support issue.
SW1(config)#no errdisable detect cause gbic-invalid
SW1(config)#

* Yes, I know this is not an ideal situation and one that I'd rather not implement, but if it's either an unsupported configuration or downtime for a handful of users I'll take the unsupported config (temporarily, until the new SFPs arrive). Ultimately I will swap in the Cisco SFPs in a downtime window once they arrive, but need a way to keep my users online.



802.1X MAC auth : Dell N2048 switch reject EAP Accept

Hello everyone,

I'm trying to set up MAC authorization (yes, I know it's not ideal, but it's a test) with 802.1X using FreeRADIUS, a Dell N2048 (DN OS 6.3.3.9) switch as the authenticator and an Ubuntu machine as the supplicant. I've followed this guide for configuring FreeRADIUS: https://wiki.freeradius.org/guide/Mac-Auth#plain-mac-auth

My FreeRADIUS config files look like this (MAC addresses have been replaced):

$ sudo cat /etc/freeradius/3.0/sites-available/default
listen {
    type = auth
    ipaddr = 10.0.180.100
    port = 0
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
authorize {
    preprocess
    rewrite_calling_station_id
    authorized_macs
    if (!ok) {
        reject
    }
    else {
        update control {
            Cleartext-Password := &Calling-Station-ID
            Auth-Type = Accept
        }
    }
}

$ sudo cat /etc/freeradius/3.0/mods-available/files
files authorized_macs {
    key = "%{Calling-Station-ID}"
    usersfile = ${confdir}/authorized_macs
}

$ sudo cat /etc/freeradius/3.0/authorized_macs
AA-BB-CC-DD-EE-FF    Cleartext-Password := "AA-BB-CC-DD-EE-FF"
    User-Name := "AA-BB-CC-DD-EE-FF",
    Service-Type = Framed-User,
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = 6,
    Tunnel-Private-Group-id = 150,
    Reply-Message = "Device %{Calling-Station-ID} authorized"

The wpa_supplicant.conf on the Ubuntu client:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=MD5
    identity="AA-BB-CC-DD-EE-FF"
    password="AA-BB-CC-DD-EE-FF"
    eapol_flags=0
}

The switch dot1x config:

!
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
radius-server host auth 10.0.180.100
 primary
 name "Default-RADIUS-Server"
 usage 802.1x
 key 7 "..."
exit
!
interface Gi1/0/1
 switchport mode general
 dot1x port-control mac-based
 dot1x mac-auth-bypass
exit
!

With this configuration everything is processed correctly, since the freeradius -X command displays that an Access-Accept message has been sent. The RADIUS server is authorizing the supplicant based on its MAC address. However, the switch refuses the EAP Access-Accept from the server. And I'm lost here. The only clue the switch gives me is that the EAP packet cannot be transmitted:

<189> Aug 2 10:28:08 dell-n2048p-users-1-1 DOT1X[dot1xTask]: dot1x_radius.c(654) 58882 %% EAP message not received from server.RADIUS server did not send required EAP message.
<189> Aug 2 10:27:08 dell-n2048p-users-1-1 DOT1X[dot1xTask]: dot1x_radius.c(654) 58879 %% EAP message not received from server.RADIUS server did not send required EAP message.
<190> Aug 2 10:27:08 dell-n2048p-users-1-1 RADIUS[dot1xTask]: radius_api.c(1002) 58878 %% RADIUS: radiusAccessRequestMsgSend(): Updated Global radius server entry with ipaddr 10.0.180.100'

On the supplicant (Ubuntu machine), Wireshark is showing a "Request, Notification[Malformed Packet]" where the correct "Reply-Message" attribute is present. So I deduced it's actually the EAP Access-Accept sent by the RADIUS server.

I've tried using the supplicant MAC address as username and password, and making it a Framed-User but it doesn't change anything. I've added the MAC address as a Cleartext-Password into the EAP response message (Cleartext-Password := &Calling-Station-ID) in case this would be accepted but it doesn't change anything either. Enabling MAB doesn't seem to do anything, even by tweaking the dot1x timeouts.

Am I missing something in the config? What could make the EAP response be rejected by the switch?

Thanks

Note: This is a repost of my topic at NetworkEngineering Stack Exchange.
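An added diagnostic (not part of the original post, FreeRADIUS or Dell OS): it decodes a RADIUS Access-Accept from a capture and lists which attributes it carries, so one can check directly whether the EAP-Message (attribute 79) that the switch log says it requires, and the Message-Authenticator (80) that normally accompanies it, are present. The sample packet is constructed here to mirror the reply items in the authorized_macs entry above; attribute numbers are from RFC 2865, RFC 2868 and RFC 3579.

```python
import struct

# RADIUS attribute numbers (RFC 2865, RFC 2868, RFC 3579)
ATTR_NAMES = {
    1: "User-Name",
    6: "Service-Type",
    18: "Reply-Message",
    64: "Tunnel-Type",
    65: "Tunnel-Medium-Type",
    79: "EAP-Message",
    80: "Message-Authenticator",
    81: "Tunnel-Private-Group-Id",
}
ACCESS_ACCEPT = 2


def parse_radius(packet: bytes) -> dict:
    """Decode the 20-byte RADIUS header and the attribute TLVs that follow it.

    Returns {"code", "identifier", "attributes": [(type, value), ...]} and
    raises ValueError when the length field or an attribute length is
    inconsistent with the bytes actually present (truncated capture etc.).
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError(f"length field {length} does not match {len(packet)} bytes")
    attrs = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has bad length {alen}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "identifier": ident, "attributes": attrs}


def summarize_accept(packet: bytes) -> dict:
    """Report what an 802.1X authenticator looks for in the server's reply:
    the attribute list, and whether EAP-Message / Message-Authenticator are there."""
    pkt = parse_radius(packet)
    types = [t for t, _ in pkt["attributes"]]
    return {
        "is_access_accept": pkt["code"] == ACCESS_ACCEPT,
        "attributes": [ATTR_NAMES.get(t, f"type-{t}") for t in types],
        "has_eap_message": 79 in types,
        "has_message_authenticator": 80 in types,
    }


def build_radius(code: int, ident: int, attrs: list) -> bytes:
    """Assemble a RADIUS packet from (type, value) pairs. The 16-byte
    authenticator is a zero placeholder, not a real response authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body


# Constructed sample: an Access-Accept carrying only the users-file reply items
# (Tunnel-* attributes with tag byte 0x00) and no EAP-Message at all.
SAMPLE_ACCEPT = build_radius(ACCESS_ACCEPT, 7, [
    (1, b"AA-BB-CC-DD-EE-FF"),
    (6, struct.pack("!I", 2)),                   # Service-Type = Framed-User
    (64, b"\x00" + struct.pack("!I", 13)[1:]),   # Tunnel-Type = VLAN (13)
    (65, b"\x00" + struct.pack("!I", 6)[1:]),    # Tunnel-Medium-Type = IEEE-802
    (81, b"\x00" + b"150"),                      # Tunnel-Private-Group-Id
    (18, b"Device AA-BB-CC-DD-EE-FF authorized"),
])

if __name__ == "__main__":
    print(summarize_accept(SAMPLE_ACCEPT))
```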



DHCP through MPLS problem and solution

Greetings,

There is MPLS provided by our ISP. We only manage and service CPE routers on endpoints. There are cable and NDSL connections, and certain NDSL connection endpoints have problems getting DHCP packets. We confirmed DHCP packets entering and leaving the CPE router at HQ, where the DHCP server is located, from/to that certain endpoint. We communicated this to the ISP and they told us it's their problem but won't do anything because it is some kind of new technology and they can't solve it.
We came up with 3 ideas to solve this:

  1. Blame ISP, throw this problem on their shoulders and make them figure it out. (We don't like this idea)
  2. Make the end point CPE routers local DHCP servers. We need agreement with the ISP and customer but that isn't a problem. (We like this idea and are currently working on it)
  3. Make GRE Tunnels between the CPE router at HQ and the CPE routers of endpoints to encapsulate the DHCP packet. (We also don't like this idea since it is a hassle with all the DSL endpoints and possible change in future)

Do you guys have different ideas or solutions?



Need some help with my Network

I need some help with my network on my PC. I've been getting under 1 MB/s on my computer but my phone is getting a solid 100 MB/s on the same network. I already tried reinstalling and updating my network driver and I'm starting to feel it's a router problem, because it's still giving me about the same speed on my PC and I can easily get 100 MB/s on my computer on other networks.



Management port / IP on a Cisco switch stack?

How does the management port and management IP work on a stack of switches?

This is the first time I've deployed a stack with the opportunity to use the management ports, usually we have a management vlan / svi.

In a stack of 3 switches, would each switch share the IP? Or is it a Mgmt IP per switch?



Translating HP Private-VLANing to Cisco Nexus

https://ift.tt/2M0d9cR

IDS python callback

Do you know any IDS (open source) that supports Python code execution as a callback for some rules? I want to parse the packets myself and return some value to the IDS that will indicate what to do with the packet.



Upgrade HPE 5130

Hi all,

I inherited a stack of 4 HP 5130 which are running quite old software.
HPE 5130-48G-4SFP+, running HPE Comware Software, Version 7.1.045, Release 3109P14

I downloaded the latest software CMW710-R3506 and saved the config. Is it safe to upgrade the software using the web dashboard, or do I need to install intermediate updates because the running software is almost four years old? Anything else I should consider? Thanks!



Cisco ISE - replacing Portal certificate

We have a two-node ISE deployment running 2.2. I've looked at the Cisco documentation for replacing certificates, and it leaves a lot to be desired. We currently use an internal certificate, and this means our guest portal doesn't work properly because clients without our internal root certificate cannot trust it, so we need to use a publicly signed certificate.

Has anyone done this before, and if so what SANs did you use, and what was the process for replacing the certificates on the ISE nodes?



Monday, August 5, 2019

Posted This Elsewhere But Didn't get Much in the Way of a Response

I posted this to both r/ITCareerQuestions and r/CompTIA, but no one answered my question. I was hoping that someone here might be able to. I'm currently studying for the Network+ exam, and I realized that I'm severely deficient in network security functions and protocols. I'd like to learn more about the various forms of cryptography, key pairs, general security standards and authentication (PPP, CHAP, RADIUS, Kerberos, TACACS+, etc.), and encryption procedures and methodologies. I'd prefer web sites that are interactive in the learning process, but books work well, too. Any suggestions and recommendations would be greatly appreciated. Thank you!



Do you Have 1Gbps Network?

I created a docker image for testing Network Bandwidth!

Install Docker and run the following commands!

1) docker pull openspeedtest/latest:speedtest
2) docker run --restart=unless-stopped --name=openspeedtest -d -p 80:8080 openspeedtest/latest:speedtest

Please run a few tests and send feedback!

Thanks



HPE Layer 3 Switches - Slow Routing?

I’m stumped. I’ve had two separate instances of this happening on two separate models of HP equipment.

My organization is a small business with 500-700 devices on premise, both Ethernet and wireless. We have four main Ethernet access VLANs, two voice VLANs, and separate VLANs for our secure wireless SSID and guest wireless SSID. We often have professional development sessions or conferences which can bring hundreds of guests on premise with their devices.

Previously, we had a single appliance serving as the gateway device for each VLAN, with two ROAS trunk links to it from our switches. This device is also our firewall/NAT device. We have two large layer 3 switches serving as the distribution switches for each side of our campus whose layer 3 functionality was not being utilized at all. So, I moved the gateway interfaces for each of our VLANs to the layer 3 switches and configured OSPF for learning routes. I have the firewall appliance serving as the core, routing between the two layer 3 switches. Seems like a more efficient architecture to me, rather than bridging VLANs across to the firewall, and hopefully reduces load on that device (we have more printers than staff members, which is insane, and some can be rather chatty on the network; I like the idea of limiting our broadcast domains as much as possible.)

As soon as this configuration change was made, users started complaining about web pages loading slowly. I have seen it myself. Web pages not cached take about 10 seconds loading, error out in the browser, then connect. They then respond totally normally for that client after the initial connection has been established. This behavior is only present when using the HP L3 switches as gateways. It totally disappears when using the firewall appliance.

Our department provides managed services for other organizations as well. In an organization of a similar size and with similar design and equipment (HP Aruba L3 switches), I have observed this exact same phenomenon. Using the switches for routing results in this latent web TCP connectivity. This organization has been suffering from this for some time (we started providing service only this year and “web pages sometimes loading slowly” was and still is the number one user complaint.)

Here is what I have ruled out:

  • DNS - name resolution works normally; some sites even move to a redirected URL or a CNAME alias BEFORE having the connection latency issue
  • Routing - the routing design is very simple - OSPF for internal subnets, then default routes on the L3 switches to the firewall appliance - ICMP shows no such latency, so why just web TCP?
  • Switching - nothing abnormal in the broadcast domains; we use rapid PVST+ in both networks and don't suffer from excess broadcast traffic (plus we have multiple VLANs for such a small client group)
  • Browsers - this is happening on multiple browsers; the issue does not appear to be related to browser caches as it is happening on uncached sites upon first connection attempt - clearing the browser cache and reconnecting does NOT suffer the same latency
  • Switch firmware/software - I have upgraded software on all the L3 switches involved without any change
  • QoS - I do not have a single shaping or policing policy or other QoS tool running on these switches at the moment

I don’t get why this is happening ONLY when using these L3 switches. The whole point of this change was to enhance routing performance by lessening the layer 2 load on the firewall. Has anyone experienced this with HPE and have any insight? What else can I check for? It’s difficult to get a good packet capture because the problem is so sporadic.



Comcast p2p WAN

I'm starting to see this more and more, but it is still new to me. We opened a new office and signed with Comcast for fiber Metro-E and a static IP block. Instead of just giving us a /28, they gave us a /30 and a /28. The /30 goes on the outside interface of my firewall and I can NAT the /28 however I want, but it has to be behind my firewall? I'd like to put some other devices on my WAN but connected to my external switch, so they are in the edge.... But I can't. The gateways for the /28 and /30 are the same but not in contiguous subnets.

Comcast documentation says that the traffic had to exit my network at the interface that had the p2p link (/30)... Why do they do this? I want to have my lab not behind NAT and in the edge. Can this be accomplished?



ACI without hypervisor integration

Been given a project for which the design has already been done and hardware purchased. We've committed to Cisco ACI and a virtualisation platform that is not VMware, Hyper-V, Red Hat KVM or any of the other supported ones.

I'm having a little bit of difficulty comprehending the documentation, at least on my first read through and am wondering what's lost without a supported hypervisor.



What is the recommended clearance between the SFP/GBIC and the inside of the door?

I can't find a good answer to this. TIA



Best way of getting full throughput on a bonded interface?

So I have a NAS I'm trying to move some data from. It's connected via 10G fiber. The server I'm moving it to has 4x 1g ethernet. I thought by bonding them I could maybe get 3-4g coming in from the NAS, but apparently since it's only one connection, it only uses 1 NIC to capacity and I get ~1g speeds.

It's configured in mode 4 with LACP configured on the switch. I tried issuing two separate rsync sessions, but it just splits the 1g. How can I get this to use the full bond speed?

I've tried changing the hash transmit layers to 2, 2+3, 3+4 and get the same results. I tried mode 0(maybe I didn't configure it right) but the performance was abysmal and I went back.

If I add additional IP(s) to the NAS, then mount the same NFS share via different IPs, will that accomplish what I'm trying to do?

Netgear GS728TXS, CentOS 7

** Also, I have ordered a fiber card for the server, but as a learning experience I'm curious how this would work.
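An added model (not from the original post, the kernel, or the switch vendor) of the slave-selection formulas the Linux bonding documentation gives for xmit_hash_policy layer2 and layer3+4, run over constructed flows between the server and the NAS, including a second NAS address as the post asks about. Two caveats hold regardless of the exact hash: a single flow always maps to one link, and xmit_hash_policy only decides which link the server transmits on; which link the NAS-to-server data arrives on is chosen by the switch's own LAG hash. Kernel versions differ in the final reduction step, so treat the numeric mapping as illustrative.

```python
import ipaddress
from collections import defaultdict

ETH_P_IP = 0x0800  # EtherType for IPv4: the "packet type ID" in the layer2 formula


def layer2_slave(src_mac: str, dst_mac: str, nslaves: int, ptype: int = ETH_P_IP) -> int:
    """layer2 policy as documented: (last source MAC byte XOR last destination
    MAC byte XOR packet type) modulo slave count. Same two hosts -> same link."""
    s = int(src_mac.split(":")[-1], 16)
    d = int(dst_mac.split(":")[-1], 16)
    return (s ^ d ^ ptype) % nslaves


def layer34_slave(src_ip: str, dst_ip: str, sport: int, dport: int, nslaves: int) -> int:
    """layer3+4 policy as documented: start from the 32-bit ports word, XOR both
    IPv4 addresses, fold the high bits down twice, then modulo slave count."""
    h = (sport << 16) | dport
    h ^= int(ipaddress.ip_address(src_ip)) ^ int(ipaddress.ip_address(dst_ip))
    h ^= h >> 16
    h ^= h >> 8
    return h % nslaves


def distribute(flows: list, nslaves: int, policy: str) -> dict:
    """Map each constructed flow to the slave index the policy would pick for the
    server's transmitted frames; returns {slave_index: [flow names]}."""
    by_slave = defaultdict(list)
    for f in flows:
        if policy == "layer2":
            idx = layer2_slave(f["src_mac"], f["dst_mac"], nslaves)
        elif policy == "layer3+4":
            idx = layer34_slave(f["src_ip"], f["dst_ip"], f["sport"], f["dport"], nslaves)
        else:
            raise ValueError(f"unknown policy {policy!r}")
        by_slave[idx].append(f["name"])
    return dict(by_slave)


# Constructed sample flows (addresses and ports are made up): the server's bond0
# talking NFS/rsync to the NAS's first address, then to a second address added
# on the same NAS. The MACs never change, so layer2 cannot spread them.
SERVER_MAC, NAS_MAC = "52:54:00:aa:bb:01", "52:54:00:aa:bb:02"
FLOWS = [
    {"name": "nfs-to-nas-ip1", "src_mac": SERVER_MAC, "dst_mac": NAS_MAC,
     "src_ip": "10.0.0.20", "dst_ip": "10.0.0.10", "sport": 40001, "dport": 2049},
    {"name": "rsync-2-to-nas-ip1", "src_mac": SERVER_MAC, "dst_mac": NAS_MAC,
     "src_ip": "10.0.0.20", "dst_ip": "10.0.0.10", "sport": 40002, "dport": 2049},
    {"name": "nfs-to-nas-ip2", "src_mac": SERVER_MAC, "dst_mac": NAS_MAC,
     "src_ip": "10.0.0.20", "dst_ip": "10.0.0.11", "sport": 40003, "dport": 2049},
]

if __name__ == "__main__":
    for policy in ("layer2", "layer3+4"):
        print(policy, distribute(FLOWS, 4, policy))
```

With four slaves the layer2 policy puts all three flows on one link, while layer3+4 separates the first two but still collides the second-IP flow with one of them, which is why adding an address does not by itself guarantee more throughput.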



Major Internet speed degradation over wavelength circuit.

Hello all,

First time posting on this sub-reddit (actually, posting on reddit at all). I've been banging my head on a bandwidth issue that we've been experiencing over a wavelength circuit here in the Seattle region. We're going on about 1.5 months of troubleshooting at this point (with our provider involved heavily, and they're starting to get stumped). Here's our situation and a brief overview: we have rack-space at a colocation provider in the Lynnwood area (location A). At this rack, we are delivered a 1Gb/s symmetrical IP Transit circuit over 1310nm fiber going into our Juniper EX3400-48T with a fiber store optic (coded for Juniper). Local speedtests from this point, plugged into an RJ-45 port on the Juniper, to various servers show 750-940Mb/s down and almost always 940Mb/s-1000Mb/s up (on-net with ISP and off-net with other servers / providers peered with ISP). Seattle server latency is around 1-2ms. Also plugged into the Juniper's SFP+ slots is a 1310nm 10Gb optic (also fiber store, coded for Juniper) which is one end of our 10Gb wavelength circuit. This wavelength circuit is basically dormant at this point and is dedicated to the IP Transit, so theoretically we have 9Gb/s of available headroom. This 1310nm fiber heads to the Westin in Seattle (Location B - approx. 17 miles south of location A) where it goes into the ISP DWDM equipment. From there, their DWDM bundle comes back up (~45 miles) to their other DWDM equipment which is about 13 miles from our HQ (Location C). This last leg of the wavelength circuit to our HQ is fed over 1550nm to another Juniper EX3400-48T. Plugging into that Juniper EX3400-48T at the HQ yields speedtests of approximately 200-400Mb/s down but occasionally, depending on server, reaching the max 940Mb/s of the IP Transit feed. Typical latency here is 4-5ms to Seattle servers. However, this gig speed is uncommon at HQ. Known facts and a diagram for visual interpretation are below.
I've looked up the bandwidth-delay product but I'm hesitant if that's what is playing a role in this situation since we are seeing conflicting results (some speeds are accurate at both locations despite latency). The ISP has been VERY helpful in helping us troubleshoot this but they're getting to their last straw of ideas. Any ideas or helpful points are GREATLY appreciated.

  • MTU on wavelength circuit is set to 9000 (have tried 1518).
  • Pings from HQ to the Juniper in our rack at colo is a steady 2ms.
  • We've completely swapped the Juniper switches at each end with Dell's (just for testing) with the same results.
  • We have NOT swapped the 1550nm optic at HQ but I'm hesitant that is the issue, still going to order one to test.
  • No framing errors on the switches for the corresponding ports in play.
  • The switches are doing pure layer 2 at this point. Very basic config, no QoS or anything. Two VLANs are involved but we removed them as being a possibility when we tested using the Dell switches (no VLANs on the Dell switch test).
  • Installed IIS (web server) on a server in our rack and tested downloads at HQ and consistently got ~90MB/s (720Mb/s).
  • ISP has validated the wavelength for 10Gb with an RFC test with various framing sizes.

Diagram:

https://imgur.com/hQ3pckc