Saturday, August 17, 2019

Nexus 9000v VXLAN EVPN Multi-Site - Duplicate + Looped Packets

Hi All

Has anyone labbed VXLAN EVPN multi-site on the Nexus 9000v?

I have a test topology in EVE-NG, with two sites. One site has two BGWs (also acting as a spine), the other has one. Each site has a VTEP leaf.

When sending unicast layer 2 traffic from the single BGW site to the multi-BGW site, in a capture on the DCI interface of the source BGW I see...

1 packet to the VIP
1 packet to the designated forwarder PIP
1 packet looped back from the designated forwarder PIP

All the packets make it down to the host on the multi-BGW site.

The l2fwder output from the single BGW site's BGW indicates that the unicast traffic should be tunnelled to the VIP of the other, multi-BGW site, but for some reason this is ignored and it also seems to be forwarded as BUM traffic too.

NXOS9# show system internal l2fwder mac
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False, C - ControlPlane MAC
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
*    10     000c.291a.cfcf   static   -        F      F    nve-peer1 192.168.101.3
G   101     5000.0009.0007   static   -        F      F    sup-eth1(R)
G    20     5000.0009.0007   static   -        F      F    sup-eth1(R)
G    10     5000.0009.0007   static   -        F      F    sup-eth1(R)
*    10     b862.1f11.5641   static   -        F      F    nve-peer1 192.168.101.3
*    10     000c.29ec.ccd2   static   -        F      F    nve-peer3 192.168.88.1    <-- other site VIP
G     -     0200:c0a8:5802   static   -        F      F    sup-eth1(R)
 1 1 -00:01:00:01:00:10 - 1

Does anyone else get the same duplicate traffic? I just want to check if this is a limitation of the l2fwder module of the VM (like maybe it's not storing the learned MACs correctly, causing the BUM treatment and split horizon being ignored), rather than an error in my config.



Is it possible to combine Dante, HiQnet, Art-Net, and Video over IP with a Multilayer Switch?

The concept would be applied to temporary AV event setups. Essentially I would like to try to combine all AV signals (audio, lighting, video, and component control) with their respective protocols over fiber so that a single line can be run up to an MLS on the truss hanging from the ceiling and then split off to projectors, speakers, and lights using their various receivers/adapters.

I'm familiar with the networking involved within each discipline but I've never seen anyone attempt to combine it all under one massive managed network, and as a result I can't find a definitive answer as to whether or not it can technically be done on this scale. Most of my research has brought me to sites talking about permanent AV installations for offices and campuses, however in my opinion this is a whole different kind of AV.

I'm hoping that this kind of query fits in with this sub, if not then I'll remove it and post it elsewhere. Any advice that people can give would be greatly appreciated!



Best Layer 7 WAF for Reverse Proxy? Automatic string modeling and analytics?

Looking for recommendations for a Layer 7 filter that I can run as a reverse proxy, that actually makes it easy to exclude patterns without writing regexes. I want to go to some sort of graphical interface, select a pattern with a mouse, and then just choose exclude or rewrite. Even better, I really want to run analytics on data such as sentiment analysis, so that I can rewrite or block packets based on a model, rather than the exact string.

Any suggestions? It doesn't need to be entirely on premise. If I could use an ipsec tunnel to a service and then manipulate egress, that would be ok (perhaps even ideal).

Only needing to handle about 10 MBps.

Edit:
I have used Palo Alto and Juniper boxes to accomplish this and they're not very smart. They're still essentially regex pattern matching. If they don't provide the signature then I spend a lot of time building the string patterns. They take a lot of continuous work. I'm hoping to find something more automated or intelligent that can learn my traffic and develop new patterns on its own.



Nornir Python Automation framework Introduction with Cisco and Arista Device examples

I have created a video explaining the Nornir automation framework with Cisco device configuration, as part of my Python Learning Series for Network Engineers. Please have a look and share your feedback.

https://www.youtube.com/watch?v=5sW1xpNoju8&list=PLOocymQm7YWakdZkBfCRIC06fv7xQE85N&index=37

I am in the process of adding more videos about Nornir.

Thank you



A subnetting rant

I've gone over it twice now. I have yet to memorize the math, because I'm still grappling with the concept.

Why do we need to subnet like this? Why? Why?!

If our Domain Host is whatever.whatever.whatever.0, and we know that it broadcasts through that and unicasts direct to machines with matching MAC addies and IPs on that, what is the point of the /whatever system?!?!

Why is it insufficient to just assign IPs from .2 - .255 and just keep a chart? In most SOHO situations you have like 4 or 5 things connected...Why do we need all this headache of subnetting? Just give printer .2, dhcp the phone and the ipad, and you've got from .5 to .255 to assign to anything you want.
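Added example for the rant above (not part of the original post): the prefix length is what a host uses to decide whether a peer is on the same wire (ARP directly) or behind the default gateway, and it also fixes which addresses are the network and broadcast addresses, which is why ".2 to .255" is one short. The code below uses only the standard library; every address in it is a constructed private-range sample, not from any real network.

```python
"""Worked subnetting example (added here; not part of the original post).

Uses only the standard library. All addresses are constructed sample values
from the RFC 1918 private range; they are not from any real network.
"""
import ipaddress
from typing import List, Optional


def describe(cidr: str) -> dict:
    """Return the numbers a prefix length actually decides for an IPv4 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    has_hosts = net.num_addresses > 2
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),
        "first_host": str(net[1]) if has_hosts else None,
        "last_host": str(net[-2]) if has_hosts else None,
    }


def same_subnet(ip_a: str, ip_b: str, prefixlen: int) -> bool:
    """True when two hosts would ARP for each other directly (no router needed).

    A host decides this by ANDing both addresses with the mask: if the
    network parts match, the peer is on-link; otherwise traffic goes to the
    default gateway. That AND is the whole reason the /prefix exists.
    """
    a = ipaddress.ip_interface(f"{ip_a}/{prefixlen}").network
    b = ipaddress.ip_interface(f"{ip_b}/{prefixlen}").network
    return a == b


def split(cidr: str, new_prefixlen: int) -> List[str]:
    """Carve one block into equal smaller blocks (e.g. a /24 into four /26s)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(sub) for sub in net.subnets(new_prefix=new_prefixlen)]


if __name__ == "__main__":
    # A SOHO /24: the "just use .2 to .254 and keep a chart" case.
    print(describe("192.168.1.0/24"))
    # The same two addresses under a /27: now .2 and .40 are on different subnets.
    print(same_subnet("192.168.1.2", "192.168.1.40", 24))   # True
    print(same_subnet("192.168.1.2", "192.168.1.40", 27))   # False
    # One /24 split into four /26 blocks (printers / phones / guests / servers).
    for sub in split("192.168.1.0/24", 26):
        print(sub, describe(sub)["usable_hosts"])
```

Running it shows that .255 in a /24 is the broadcast address, that two hosts which share a /24 stop being on-link once the block is cut to /27s, and how many usable addresses each smaller block leaves.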



Firewalls - Need your input

Good afternoon/evening,

I am currently looking at multiple Firewalls for the district I work for (K-12 education) and was wanting some input from you guys! Basically looking to see what your experience is using or what you have sold to a school/business similar to my size and I am looking for pros and cons of each. We currently have a content filter (iBoss physical appliance) but if the Firewall can be granular enough to take its spot that is a plus. It would have to support offsite filtering somehow if that is the case. I have heard it being done with a Palo Alto but have not seen how granular it gets.

These are the current Firewalls that are being spec'd for us by the company's engineer. This would be for a small 5A school with 5-6,000 users. Basically, I just want to hear your input on what firewall you are using and why/how it has been since you owned it.
Currently, have 2 ISPs both are providing 1Gbps each. We would like to future proof for 10Gbps even tho the max we will ever use will be 2Gbps. Also only have about 5-10 VPN users total. We are also an iPad school 1:1.

  • Barracuda F900 (I like barracuda but have not heard of a school using it)
  • Fortinet 1100E (Heard several schools use Fortinet, but no experience with it)
  • SonicWall 6650 (Heard some schools using it, but no experience with it)
  • Watchguard M5600 (Can't find a K-12 school using it, I liked the stats/interface but very little K12 programs using it)
  • Palo Alto (Has not been spec'd this but was looking at 5220 but also very pricey)


Question regarding ISP and Ubiquiti

Hi Guys! Sorry for the noob question, yes I tried googling and didn't really find the information I was looking for. If you're gonna say "google it" then I don't really understand why even take the time to respond this question, just move on! Haha.

Anyways, for my internet purposes, I really need high speed internet (fiber most likely). I'm trying to sign up for these 1,000 Mbps down and up internet plans. My bill went up to 70 bucks a month for 150 Mbps. I saw several offers for 60 bucks a month (internet only) for 1,000 Mbps down, but after calling, they don't have any more room for customers to use that fiber service in my area (only 10 Mbps was available). Does Ubiquiti allow me to bypass this bandwidth limit, or am I still at the mercy of Charter and SOL? If not, are there any ways around this, or any internet-only companies that are more lowkey that would offer these speeds? I'm afraid only Charter and AT&T might be in my area and it doesn't seem I can obtain the speeds I need.

Also wondering if I speak to charter and mention other providers are offering Gigabit internet for less than I'm paying them, if it's technically possible for them to offer a Gigabit internet package, even if it costs a little more, to keep a customer or if it doesn't work that way.

Thank you in advance, and I really do appreciate your help, especially on this type of question. And excuse the noobness!



TIL about MS Office Protocol Discovery

I was looking at some logs, when I found some HEAD requests to an internal server, with User-Agent "Microsoft Office Excel". I was like: WTF?

Turns out, when you click on a hyperlink in a spreadsheet, Excel first sends 2/3 HEAD requests in order to... find out stuff.

Didn't know that.

What other weird, obscure protocols have you accidentally discovered?



Connecting PA Subnet between data center

Hello

Currently, I have a server in a data center with an associated PA subnet. I would now like to create a tunnel to another data center to use the same PA subnet. I already tried to do this with an OpenVPN point-to-point configuration with TAP interfaces. This seems to work quite well.

So did I already find the perfect way to solve this issue? Or is there maybe a better solution to this problem?



Wanna learn networking

I work as the tech guy at our local cinema - not a very hard job - also it's voluntary. I wanna learn more about networking in general, and was wondering if you guys knew some good sources on how to go about this?

Hit me up! Cheers

PS. I know the very basics of how it works, but not why it works or what more advanced stuff to do.



Buying some items for my toolkit. Need guidance.

Ordering another USB serial adapter and want to make sure I have the right type of DB9 cables to go with it.

Do I need a straight through cable or null modem (crossover) to connect to a switch? (I.e. mikrotik, Dell, Cisco SG)

I have the Cisco db9 to rj45 already for switches that use that type of console.

Edit: looks like it's a mixed bag depending on manufacturer. So I'm thinking an M/F and F/F straight through and a null modem M/F adapter. That should cover all 4 possible combos.



Friday, August 16, 2019

Is anyone using SolarWinds with single-subnet HA?

I am having one hell of a time getting NCM to connect to Cisco switches via SSH for config backup. It's not a problem with the credentials I entered in NCM. It's not a problem with the Cisco switches - I can access them via SSH (SecureCRT) with no issues.

I've been running packet captures on our 3850 switches and using the NCM connection to that comes with SolarWinds. I'm stumped by the problems with ssh connecting to switches. SNMP polling of those switches seems to work fine.

I'm starting to suspect our SolarWinds HA setup is the root cause of the issues. When I read the SolarWinds article that describes how the poller chooses which IP address to use (own physical IP vs. a VIP), I almost soiled myself. I've never seen software use "which of my IP addresses is closer to the address of the gateway of the subnet I'm on? I'll use the closer IP as the source for traffic leaving the poller." How much ganja was consumed when that SolarWinds code was written?

Anyway, SolarWinds folks running single-subnet HA for pollers, throw me a line. How did you get it to work reliably?



My website is under DOS attack, what to do?

Hi there, so for the past 3 days my website has been heavily attacked. My hosting company isn't doing much 😔 I have Cloudflare activated, I have activated "I'm Under Attack" mode, WAF, firewall rules applied, but this is most likely not enough... How to proceed, as this cannot continue? According to the attack it is around 150 Gb/s. Any ideas or recommendations would be great.



Procurve 3800 "show run" from operator role

We still have a few of these ProCurve 3800s and I'm trying to see if it's possible to show the config from an operator role. We have a read-only user configured via RADIUS for config backups, and I'd like for it to be able to issue the "show run" command as a non-manager user, but I can't seem to figure out how. The switch software version is KA.16.04.0016, and it doesn't appear to support the command-privilege command. Anybody have any ideas?



Proxy to alter web content?

Hey everyone, I am not a networker but I need to create a NON-TRANSPARENT proxy that will alter web content. How do I go about learning this? Any online resources that someone like me can understand? I know python and some JavaScript as well as html and css if that helps. Thanks!



Help me understand why this worked

I'm an IT generalist in a medium sized business. Networking is not my strong point. I was Network+ certified some years ago, but our infrastructure is really small so my skill has atrophied somewhat.

Recently we started allowing a number of our employees to work remotely. They quickly started opening helpdesk tickets about VPN issues trying to connect to resources in Azure.

While connected to the VPN, web browsing (80/443) would work. But any services that used a non-web port (RDP/3389, SQL/1433) would fail if they were connecting to a resource on the internet. Accessing Azure resources while directly connected in the office was working.

The VPN is hosted on our firewall/gateway in the office. It's a Sophos SG310 UTM.

Ultimately I fixed the problem by enabling NAT masquerading for the SSL VPN subnet to the WAN. It was already enabled for the directly connected subnets.

My question is - why did web traffic work even if NAT was not configured? I would have expected that all return traffic from the internet, regardless of the port, should not have had a route to the clients.



Routing VLANs over different WAN connections?

This is the scenario... https://imgur.com/a/erdNSyQ

Forgive my crazy Visio, I tried to get what was in my brain, out of my brain...if I am totally headed in the wrong direction please let me know. But this is how I envision this working simplistically.

A branch office needs both public and private wifi access. I want to have one access point with both public and private VLANs, but the public should route out the local Comcast connection and the private should route out the main WAN connection like the rest of the branch.

The branch router doesn't have any available ports, so I would create a sub-interface and a VLAN on the switch connected to it.

Anyway, would this be policy based routing? Does anyone know a good resource that I could start with to get this working? I don't have any experience with PBR. I think it is a fairly common scenario, but we are moving from physically separated public/private wifi to this. It's cumbersome having two APs at every location. (It was an auditor thing.)



Really weird request to my LOCAL development server

So basically I'm running a simple local development server (started with the command python3 -m http.server), only serving one single index.html file. It is a compiled Elm app, if it matters.

Whenever a client makes a request, I see in the terminal a message of the following sort:
127.0.0.1 - - [16/Aug/2019 19:17:27] "GET / HTTP/1.1" 304 -

I'm expecting I'd be the only one making requests, but then I see this:
51.38.36.213 - - [16/Aug/2019 18:53:00] code 400, message Bad HTTP/0.9 request type ('\x00\x00\x00')
51.38.36.213 - - [16/Aug/2019 18:53:00] " c" 400 -

What does it mean? How can I be seeing this message if it's on localhost? Should I be concerned?
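Added example for the post above (not part of the original post): a small parser for the two line formats `python3 -m http.server` prints (the normal `"request" status size` line and the `code NNN, message ...` error line), with a triage pass that flags what a local-only dev server should never log, namely a client that is not a loopback address, or a 4xx caused by non-HTTP bytes. The sample log is constructed to match the lines quoted in the post; the client address 51.38.36.213 is the one shown there, and the two loopback lines are made up.

```python
"""Triage of python3 -m http.server log lines (added example, not from the
original post). SAMPLE_LOG is constructed to match the two formats quoted in
the post; only the 51.38.36.213 lines are taken from it."""
import ipaddress
import re
from typing import List, Optional

# Normal request line: client - - [date time] "request" status size
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) - - \[(?P<when>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Error line from http.server's log_error(): client - - [date time] code NNN, message ...
ERROR_RE = re.compile(
    r'^(?P<client>\S+) - - \[(?P<when>[^\]]+)\] code (?P<status>\d{3}), message (?P<message>.*)$'
)

SAMPLE_LOG = r"""127.0.0.1 - - [16/Aug/2019 19:17:27] "GET / HTTP/1.1" 304 -
51.38.36.213 - - [16/Aug/2019 18:53:00] code 400, message Bad HTTP/0.9 request type ('\x00\x00\x00')
51.38.36.213 - - [16/Aug/2019 18:53:00] " c" 400 -
127.0.0.1 - - [16/Aug/2019 19:18:02] "GET /index.html HTTP/1.1" 200 -
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it matches neither format."""
    for kind, rx in (("request", REQUEST_RE), ("error", ERROR_RE)):
        m = rx.match(line)
        if m:
            rec = m.groupdict()
            rec["kind"] = kind
            rec["status"] = int(rec["status"])
            return rec
    return None


def is_loopback(client: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything else or unparsable text."""
    try:
        return ipaddress.ip_address(client).is_loopback
    except ValueError:
        return False


def triage(log_text: str) -> List[dict]:
    """Return the lines a local-dev server should never see: a request from a
    non-loopback client, or a 4xx (malformed / non-HTTP bytes on the socket)."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        reasons = []
        if not is_loopback(rec["client"]):
            reasons.append("non-loopback client")
        if 400 <= rec["status"] < 500:
            reasons.append("malformed or non-HTTP request")
        if reasons:
            findings.append({"client": rec["client"], "status": rec["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A non-loopback client in this log means the socket was reachable from outside the machine. `http.server` listens on all interfaces unless told otherwise; `python3 -m http.server --bind 127.0.0.1` restricts it to loopback, which is the appropriate setting for a development server that only the local browser should reach.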



VPN cuts off local LAN

We have a lot of businesses we work with that utilize VPNs (like Cisco AnyConnect or Palo Alto, for example) where they have disabled local LAN functionality. This is a bummer because we have a ton of local server data over SMB that is needed to be accessed while on these VPNs. Is there any way I can implement a work-around? I've tried forcing routable paths on my workstation but that doesn't work.

The current work-around I have is that I created a VM that I connect to the VPN with a remote HTTPS service (like TeamViewer, ScreenConnect, etc.), then after establishing a connection I can open the virtual console to "directly connect" to the VM, as I cannot RDP to it since it cuts off all local traffic.

Being on the client-side of course I cannot tweak the VPN to my liking.

Thanks for any suggestions.



Troubleshooting best practice literature

Networking folks!

What websites or literature can you recommend for best practices in troubleshooting? Like different troubleshooting approaches/philosophies, things to consider, biases, fallacies, etc.

Thx



WatchGuard vs Fortigate

We are getting quotes to replace an old Cisco ASA firewall.

Our preferred vendor has proposed a Fortigate 500E or WatchGuard M570. They are kinda pushing the WatchGuard as a better fit for us, but I have seen some negative comments out here about that brand - wondering about specifics?

Good remote user vpn, reporting/logging, web filtering, app blocking are things important to us. Thanks



How to store switch/router details?

Hi,

Is there any open source software to store network device details? Currently we are using an Excel file, secured with a commonly known password (yup, secure as ...)

each row is filled with:

  • Device Name, IP, localization
  • Vendor/Model
  • Type (switch, router, access device, console, etc.)
  • Local account (with enable credentials)
  • snmp communities
  • console/OOB connectivity

I'm aware that best option is to use some DCIM software (eg. netbox). My company is working on it, but it will take some time to decide which DCIM software we are going to use.



Using Anyconnect Client Failover

I have two Cisco ASA firewalls in disparate locations across my campus. They were purchased before I started and do not have SFP interfaces. I am trying to get some sort of HA established for VPN.

Here are my thoughts thus far:

  1. I could use media converters (but kind of a failure point in my view).
  2. I could do HA interfaces over a switch (concern is a switch failure in the middle causing a split brain scenario).
  3. I did some reading and saw you could have two firewalls in the any connect client config. I was thinking that could be a good way to perform a software fail over. I was curious if anyone has deployed a setup in this manner and if they have had good experience with it?


Passed ICND1 but feels like I still need to study?

I passed my ICND1 yesterday with a ~893 score.

But I feel like I had a lot of questions on the exam which I couldn't answer and had to guess.

Is this normal?



How does identity based web filtering work with multiple users on a machine

How do technologies like Fortigate FSSO, Checkpoint Identity Awareness and even BlueCOAT's BCAAA work in general steps, when using a multiuser server (like TS or Citrix)?

In the case of one user per server I find that easy: the user signs in to the server, the agent identifies that the user is logged in and relays this info to the firewall, and now the firewall will apply the specific policy for traffic sourced from that IP.

However in the case of multiple users, there has to be more granularity, as the users may have different access privileges so you can't apply a policy to an IP, that just won't work. So how does it actually work?

My general idea is that the agent would match each user's applications by their PID, and then (through something like a netstat command) see the source ports used by those applications, and with that info (user ID, AD group membership, source IP, destination IP, source port, destination port, and maybe URL) the firewall can identify the connections and decide whether or not to allow them. However this seems like a lot of work. I'm doing some tests with a VM and I'm trying some websites and seeing that each takes a few tens of TCP connections, granted these are probably very short lived. But given a few dozen users on the server, each of them with a few websites open in different tabs/browsers, I feel these would add up quite fast and be very dynamic. Seems a lot for the agent to relay and the firewall to go through.



windows port mapping/forwarding

I wrote a port mapping/forwarding tool for Windows. Hope it's helpful :)

https://github.com/xitongsys/wpt



Cisco 9800 WLC VM

I'm looking at the 9800-CL as a replacement for our existing 2504 controllers.

As I understand it the VM is free but each AP needs a DNA Essentials license at a minimum. Is this correct?

Has anyone here deployed the 9800 WLCs?



Can someone ELI5 SIP ALG?

I recently had a site that was basically a test environment for a specific type of business. They were testing out the phone install process and actual service from different VoIP providers, so they had a few different systems running on their equipment. This wasn't a typical site: I had no MDF access, just a switch where I was to do my work. Other providers were provided with the same, a Cisco 2960-X with an uplink to their network. The topology was explained to me as CenturyLink fiber with different broadband providers feeding to a Cisco router to a Cisco 2960-X switch which then fed to our test install switches. They did not share much more information about the network setup, and upon connecting to the switch I had a DHCP IP but no internet connection; I could ping the gateway but no outside traffic. They made some changes and proceeded to provide me internet access.

Now, before the phone installation a readiness test is run to make sure the network is good; the specifics of this are not available to me but I know it checks bandwidth as well as possible network incompatibilities. SIP ALG came up but support was unsure how it'd affect our install; the readiness test just flagged it. The phones were Obihai VoIP phones and almost everything worked properly, except for call parking and transferring. Configurations were checked and working configs were used to no success. SIP ALG could not be disabled due to another provider requiring it, but it was determined that it was most likely causing the issues we experienced. My question is, what exactly is SIP ALG and does anyone have similar experiences? I've done my basic read-up on it and I understand the big picture of it, but I've never encountered it in the field and am not network-knowledgeable enough to understand why this might've only caused issues with these features. There was no other equipment installed; the VoIP phones were wired directly to the switch and were PoE, if that makes any difference. No device in between, and AFAIK it went from switch to switch to router, though from my experience there would usually be a firewall somewhere along the line. I know this is a rather broad question with little info, but this case piqued my interest.



Can Auto MDI-X swap each pin individually or pairs only?

I always wondered if modern devices can fix cables with random wiring on each end. Or is there another protocol in case someone messes the wiring up? I know about EMI on mixed twisted pairs but on short distances that could work fine I guess.



How do you provide network access to external consultants?

We currently provide our own laptops to external consultants and connect to our network.

However, this is a unique case because the consultant has a few tools and software packages which can't be installed on our laptop (licensing issue) and he needs to access our internal network. So is VPN the only option?

How else would you recommend segregating network access?



Thursday, August 15, 2019

10G internet router for multi-homed colo site - maybe not Cisco.

Looking for a pair of routers that can support a full public BGP table and 10G throughput. For similar projects in the past, I've usually gone with Cisco ASRs but the costs are pretty steep compared to some of the alternatives.

I'm thinking about trying Huawei or Juniper this time. Any thoughts about these or other brands? I'd appreciate any recommendations for models.



Transparent firewalls

Are firewalls commonly used in transparent mode in large networks? In which scenarios? Would a transparent firewall between a site router and the various networks (a typical corporate LAN and a plant/production network) at a small branch office be a normal deployment? I have a coworker that is very much against firewalls doing any routing and it feels like a bad idea to me but I wouldn't be able to articulate why that is.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Looking for a Network Tech/NOC Tech

Any ideas on finding a qualified Network Technician in rural Illinois? Trying to find someone with Calix/Adtran experience in the middle of nowhere seems impossible.



SSL Decrypt; to tell users or not, that is the question

Hey everyone, currently in the middle of an SSL decrypt project for our enterprise. Executives and management do not believe it is necessary to inform the users and would rather keep it quiet.

Have you deployed SSL decrypt in your organization? If so, did you circulate information to existing users and update your computer usage policy for future employees?



eBGP Manipulation

Hey everyone, I have a BGP related question. Let's say Site A (me) has two eBGP links with Site B, via two different ISP providers (ISP 1 and 2). The same prefixes are advertised out of both links from the client (Site B). Traffic will be initiated from my side, Site A to Site B. I'm looking to manipulate the traffic outbound to prefer ISP 1 over 2 (primary and secondary).

  1. Plan is to set a higher local preference on the primary ISP link. Create a route map/prefix list and apply the RM on the BGP neighbour, "IN" direction so it's received by our site.
  2. Here is my question. Is it advisable to also create a route map/prefix list and apply it in the "OUT" direction on the same BGP neighbour to ensure the return traffic also follows via the primary ISP 1 link? For example, I can prepend on the neighbourship link on ISP 2 to make it longer so ISP 1 appears shorter and more desirable. Is this advisable or not at all required?

Any other feedback is more than welcome, besides my question

Thanks!
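Added example for the two-step plan in the post above (not from the original post, and not a vendor's code): a simplified model of BGP best-path selection covering only the local-preference and AS-path-length steps, applied once from Site A's point of view (the inbound local-preference route-map deciding outbound traffic) and once from Site B's (the outbound AS-path prepend deciding return traffic). The AS numbers are constructed private ASNs and the prefixes are documentation ranges; none of them are from the post.

```python
"""Simplified BGP best-path comparison for the two-ISP scenario in the post
(added example, not from the original post). Only the local-preference and
AS-path-length steps of the decision process are modelled; the AS numbers
and prefixes below are constructed placeholders."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed private ASNs standing in for the four parties in the post.
SITE_A, SITE_B, ISP1, ISP2 = 64512, 64513, 64514, 64515


@dataclass
class Route:
    prefix: str
    neighbor: str            # link the route was learned on ("ISP1" / "ISP2")
    as_path: List[int]       # leftmost entry = most recently traversed AS
    local_pref: int = 100    # default local preference


def best_path(routes: List[Route]) -> Optional[Route]:
    """Pick the best of several paths to one prefix.

    Steps modelled, in order: highest local preference, then shortest AS path.
    A remaining tie goes to the first-listed route, standing in for the later
    tie-breakers (origin, MED, eBGP vs iBGP, IGP metric, router-id) that this
    example deliberately leaves out.
    """
    if not routes:
        return None
    return min(routes, key=lambda r: (-r.local_pref, len(r.as_path)))


def apply_inbound_policy(route: Route, prefer_neighbor: str, pref: int = 200) -> Route:
    """Step 1 of the post: the 'IN' route-map raising local preference on the
    primary link. Returns a copy so the received route is left untouched."""
    new_pref = pref if route.neighbor == prefer_neighbor else route.local_pref
    return Route(route.prefix, route.neighbor, list(route.as_path), new_pref)


def apply_outbound_prepend(route: Route, own_as: int, times: int) -> Route:
    """Step 2 of the post: the 'OUT' route-map prepending our own AS on the
    secondary link so that path looks longer to whoever receives it."""
    return Route(route.prefix, route.neighbor, [own_as] * times + list(route.as_path), route.local_pref)


def site_a_outbound_choice() -> str:
    """Traffic Site A -> Site B: both ISPs hand Site A the same Site B prefix."""
    received = [
        Route("198.51.100.0/24", "ISP1", [ISP1, SITE_B]),
        Route("198.51.100.0/24", "ISP2", [ISP2, SITE_B]),
    ]
    after_policy = [apply_inbound_policy(r, prefer_neighbor="ISP1") for r in received]
    return best_path(after_policy).neighbor


def site_b_return_choice(prepend_times: int) -> str:
    """Return traffic Site B -> Site A: Site A's prefix as Site B sees it.
    Each ISP puts its own AS in front of whatever Site A advertised to it."""
    via_isp1 = Route("203.0.113.0/24", "ISP1", [SITE_A])
    via_isp2 = apply_outbound_prepend(Route("203.0.113.0/24", "ISP2", [SITE_A]), SITE_A, prepend_times)
    seen_at_b = [
        Route(via_isp1.prefix, "ISP1", [ISP1] + via_isp1.as_path),
        Route(via_isp2.prefix, "ISP2", [ISP2] + via_isp2.as_path),
    ]
    return best_path(seen_at_b).neighbor


if __name__ == "__main__":
    print("Site A sends via:", site_a_outbound_choice())          # ISP1
    print("Site B returns via (no prepend):", site_b_return_choice(0))
    print("Site B returns via (prepend x2):", site_b_return_choice(2))  # ISP1
```

Two things the model makes visible: without the prepend, the two paths Site B sees are the same length and the choice falls to tie-breakers Site A does not control; and because local preference is evaluated before AS-path length, a local preference set by Site B or its ISP overrides the prepend entirely, so the outbound prepend steers return traffic only as far as the far side lets AS-path length decide.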



Anybody know how to "break" a long-running command (e.g. ping with high repeat count) on Cisco Small Business switches?

Title says most of it...

I have a bunch of Cisco SG300, SG500, and SG350X all over the place. I know that on "real" Ciscos, Ctrl + Shift + 6 is usually the break sequence, e.g. to terminate a long-running ping command.

Ctrl+shift+6 does nothing on the Small Business series CLIs.

I've also tried:

  • ctrl + break
  • shift + break
  • ctrl + shift + break
  • ctrl + alt + shift + break
  • sending "break" from the telnet client itself (and before anyone starts with "reeee telnet isn't secure," I'm fully aware, and I only use telnet if I know the network itself is secure e.g. I'm plugged straight into the switch with nothing else between. The way these switches handle SSH sucks [they ignore whatever username you send over SSH and make you manually input it again], so telnet is mildly more convenient.)

Anybody have a clue?



Is configuring LACP server side only a thing?

Is there any legit reason for a Linux server admin to configure LACP on their NICs without getting the network team to put complementary LACP config on their side?



Cisco config verification: VLAN settings for ESXi management/vMotion

I've got some new ESXi hosts coming in and I'm prepping the network config. Admittedly networking is one of my weaker points, but I'm working on it!

Can someone take a look at my config and tell me if I'm on the right track?

Most of this is copying from pre-existing configs elsewhere on our network, but I have no idea if the people who set it up did it right either. It just happens to work.

General Info.

  • ESXi Management and vMotion on VLAN 101.
    • We don't use vMotion much (because we're on vCenter Essentials and don't get live migration...) so I'm OK with it sharing the Management network.
  • Data VLANS: 1 (hardwire), 17 (wireless)
  • Cisco Catalyst 4948, IOS v12.2(52)

Switch config:

interface GigabitEthernet1/38
 description p-esxi-02 Mgmt and vMotion
 switchport access vlan 101
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet1/41
 description p-esxi-03 Mgmt and vMotion
 switchport access vlan 101
 switchport mode access
 spanning-tree portfast
interface Vlan101
 ip address 192.168.101.1 255.255.255.0
 ip helper-address 192.168.11.2

Current Status

  • Two dummy hosts connected: one on g1/38, the other on g1/41
  • Both hosts get a DHCP address from 192.168.11.2 (in prod each host will have a static non-DHCP address).
  • Both hosts can ping 192.168.101.1 and each other.
  • Neither host can ping anything outside the 101.0/24 subnet.
  • No host outside the 101.0/24 subnet can see or ping these hosts.

Questions

1. Is the above config sufficient?

I believe that this config is sufficient for when the ESXi hosts arrive, since it ticks all the boxes (inter-VLAN communication, no external communication). Would people agree?

Or do I need to provide more information?

2. Ping one of the dummy hosts from a PC on VLAN 1 or 17?

For testing, I want to be able to ping the one of the dummy hosts from a PC on VLAN 1 or 17. How would I enable that?

My initial thought was putting switchport trunk allowed vlan 1,17,101 on the interfaces, but that doesn't make sense to me. My understanding is that:

  1. trunk is used for switch-to-switch connections, and access is used for a single host (Source)
  2. setting switchport trunk <foo> and switchport mode access at the same time seems... wrong. With mode access, won't the trunk settings have no effect? Eg: trunk settings only apply with mode trunk?

Basically I'd end up with:

interface GigabitEthernet1/38
 description p-esxi-02 Mgmt and vMotion
 switchport access vlan 101
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 101
 switchport trunk allowed vlan 1,17,101
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet1/41
 description p-esxi-03 Mgmt and vMotion
 switchport access vlan 101
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 101
 switchport trunk allowed vlan 1,17,101
 switchport mode access
 spanning-tree portfast

3. What best practices, if any, am I missing?

Any tips?



Bulk Patch Cables

Where does everyone order their bulk CAT6 patch cables? I need to order cables by the thousands and would like them not to be individually bagged and twist tied.



Updating IP, DNS, and Subnet through Service Account

Is it possible to update the IP address, DNS and subnet through a service account without elevating the access of a user or using an administrative account?

Background:

The reason why we would have to be able to do it this way (instead of doing it one of many easier ways) is that our leadership says they do not want to elevate users with any administrative access because of security requirements. One of the ways he said he would allow would be if we could change this information through a "System Account". Our normal users only have to do one thing: update the IP address, DNS, and subnet mask to be able to talk to their PLCs.

I was reading up about things that were possible, such as putting them in a network group and removing that group from the administrator group. They then would be able to update the networking information while also limiting their rights to do other administrative things. They seemed opposed to this idea since they are no longer considered a "normal user". 

Other ways would be through netsh, however, that would also have to be in an elevated command prompt. 

I use WSUS daily, and was using it as a comparison since that creates a temporary administrator account (or service account) to push/install the updates.



Are you purchasing SDA or DNA Center type of products? Trying to gauge the market. I don't think there is one.

Post sales consultant here. I've been knee deep in ACI for the past few years and here lately have seen quite a push for DNA center and SDA products in the access layer. However I continue to feel like it won't take off for a few different reasons.

  1. Licensing. I deal with a lot of K-12 customers who really ride their gear off into the sunset, as they only get budget money for refreshes during bond elections every 5-10 years. So paying for yearly renewals just to keep things running does not seem to align with their current budgeting practices. I previously watched them purchase SmartNet contracts on only the most high priority equipment (core/distro switches, voice gateways, edge routers).

  2. The learning curve required for those who typically work in the access layer is too steep for what is typically being paid in this arena.

  3. With SDA, are we solving a problem that cannot be solved today with the current sets of gear and tools available? Is this not just locking you into a complicated design that's incompatible with other vendors? It feels mainframe like when everything I purchase needs to be of the same vendor and phone home to the mothership for instructions.



Network Meltdown

Alright guys, I need some help understanding what on earth went wrong with my network last night.

The school I work at is about to do a full upgrade to its network, so after hours I plugged various objects into the network (Meraki MX64 firewall, Ubiquiti Cloud Key, Ubiquiti 500W 48-port switch, Ubiquiti AP), but then when I disconnected all of these objects I was unable to get the network back online.

The network configuration is as follows: Cox internet comes into the modem, and the modem then has a single wire that runs to the router, which connects the clients to wireless, attaches to the switches, runs the printer, etc. I thought I would be safe if I disconnected the router from the modem and then connected the new equipment. This isolates the new equipment from all of the equipment on the network, except for the modem. However, after disconnecting all new equipment and plugging the router back in, I was dismayed to find that only the direct connection to the modem provided connectivity. I rebooted both the modem and the router multiple times with no result. Finally I attached the router to the modem and direct connected into the router, at which point the router acted as though it had never been on the network. There was no configuration on the device whatsoever, the password and username were both defaults, and I had to completely rebuild the network. Is this device failure or did I have a massive oversight?

If anyone requires any further detail I am happy to provide it, I am incredibly annoyed that things went so poorly and am very interested in better understanding what happened.



Problem running GNS3 in Linux Mint 19.2

Hello guys,

I am trying to use GNS3. I just installed it, but when I try to open it I get the error below.

"CRITICAL setup_wizard.py:319 Could not find local server gns3server"

Screenshot of the error

I checked the port, but it is not in use. I checked the firewall of my Linux and it is disabled, and I tried to run as root without success. I also tried to use "Host binding" for my localhost IP...

Any idea what I can do to solve this ? 

Thanks a lot



RFC 6598 - Carrier Grade NAT. How to Automate?

I'm in the process of building out a project for work and need some input since I've never worked at this type of level. We connect customers to different services, and the IPs assigned from those services are all over the 10.0.0.0/8 subnet and almost randomly assigned to us. Using the 10.0.0.0/8 space has proven difficult with conflicts on our customers' end and we need a fix. We plan to use the 100.64.0.0/10 identified in RFC 6598 to allow our customers to use a more friendly 100.64.0.0 IP address which is NAT'd to a 10.0.0.0/8 address with NAT44, or even possibly NAT46 in the future. This needs to scale to about 500,000 translations.

I've built this out in a PoC and know that, technically, it works, but I need to figure out how to automate the process 100%. There are several triggers from our business processes that would require appends, drops, and edits to the iptables rules.

I'm asking here to see if there are any CGN tools that help manage this level of NAT at this type of scale. I know it has to exist for some of the big providers, but I'm not able to find anything. Anyone able to identify some tools that could help with this?
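The automation problem described above (appends, drops and edits driven by business events) is usually solved by treating the mapping table as desired state and reconciling it against what the box currently has. Below is an added example of that pattern, not code from the original post; the chain name CGN-DNAT, the mappings and the iptables-save snippet are constructed for illustration. It validates that each mapping stays inside RFC 6598 space on the customer side and 10/8 on the service side, parses the current nat table, and emits only the commands needed to converge.

```python
import ipaddress

# Address ranges from the post: RFC 6598 shared space on the customer side,
# RFC 1918 10/8 on the service side.
SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")
SERVICE_SPACE = ipaddress.ip_network("10.0.0.0/8")
CHAIN = "CGN-DNAT"   # assumed name of a custom chain hung off nat/PREROUTING


def validate_mapping(shared_ip, service_ip):
    """Refuse mappings that fall outside the two ranges the design allows."""
    s = ipaddress.ip_address(shared_ip)
    p = ipaddress.ip_address(service_ip)
    if s not in SHARED_SPACE:
        raise ValueError(f"{s} is not in RFC 6598 space {SHARED_SPACE}")
    if p not in SERVICE_SPACE:
        raise ValueError(f"{p} is not in service space {SERVICE_SPACE}")
    return s, p


def rule_body(shared_ip, service_ip, chain=CHAIN):
    """The part of an iptables rule after -A/-D, in the form iptables-save prints it."""
    s, p = validate_mapping(shared_ip, service_ip)
    return f"{chain} -d {s}/32 -j DNAT --to-destination {p}"


def current_rules(iptables_save_text, chain=CHAIN):
    """Extract the bodies of the rules currently in `chain` from 'iptables-save -t nat' output."""
    prefix = f"-A {chain} "
    return {line[3:] for line in iptables_save_text.splitlines() if line.startswith(prefix)}


def reconcile(desired, current, chain=CHAIN):
    """Commands that move the router from `current` (set of rule bodies) to `desired`
    ({shared_ip: service_ip}). An edited mapping shows up as one delete plus one add."""
    wanted = {rule_body(s, p, chain) for s, p in desired.items()}
    adds = [f"iptables -t nat -A {body}" for body in sorted(wanted - current)]
    dels = [f"iptables -t nat -D {body}" for body in sorted(current - wanted)]
    return adds, dels


# Constructed sample of what 'iptables-save -t nat' might print on the PoC box.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:CGN-DNAT - [0:0]
-A PREROUTING -j CGN-DNAT
-A CGN-DNAT -d 100.64.0.5/32 -j DNAT --to-destination 10.1.2.3
-A CGN-DNAT -d 100.64.0.6/32 -j DNAT --to-destination 10.9.9.9
COMMIT
"""

# Constructed desired state: one unchanged customer, one new, one dropped.
DESIRED = {
    "100.64.0.5": "10.1.2.3",
    "100.64.0.7": "10.2.2.2",
}

if __name__ == "__main__":
    adds, dels = reconcile(DESIRED, current_rules(SAMPLE_IPTABLES_SAVE))
    print("\n".join(dels + adds))
```

Only the forward DNAT rule is generated because netfilter's connection tracking already un-translates the replies; at the 500k-translation mark the thing to size is the conntrack table (net.netfilter.nf_conntrack_max and its hash size), and batches of changes are better pushed through iptables-restore than one command at a time so a half-applied batch never leaves a customer with a dangling mapping.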



10 Gbps Ethernet/Coax Internet

I just moved into my dorm room for uni in Mexico and being on the fourth floor of a concrete building, I can't connect to the Wi-Fi, period.

There are however two hardline connections in the room: one is coaxial and the other is straight up ethernet. My roommate, being a fourth-year, knew to take the ethernet the first day leaving me with the inconvenient coax connection.

I'm trying to connect my laptop (MacBook Air, mid-2011) directly to the coax to achieve gigabit speeds. I've done a lot of research and I know that this is possible through the lightning port (up to 10 Gbps), but I can't find the right coax-to-ethernet adapter, Cat 6 ethernet cable, or coaxial cable (at least one that handles this speed for sure).

I don't need and probably can't use MoCa because the coax line is already dedicated to ethernet.

Anyone know where I can find any of the above?



SMF/MMF optics modules

As a general rule, should it be possible to use 10Gbase-LRM transceiver modules with single mode fiber? I see some vendors listing these modules as compatible with both SMF and MMF, while others only mention use with MMF.

Are there any downsides to using these modules with SMF?



PIM operation with unicast

I'm fairly new to multicast, apart from some music-on-hold configurations ages ago, so I could use a bit of guidance.

I have a multicast source connected to a router (BGP peer) and I have a client which is connected to another internal router several hops away. Each router is configured with pim rp settings to link the multicast group to the IP of the source via next hops.

Do I need to have end-to-end unicast connectivity between the client and source to allow multicast to operate properly?



How does the application layer identify communication partners, quality of service, etc. in the OSI model?

Almost every book describes the application layer in the OSI model and says it "identifies communication partners, identifies quality of service, considers user authentication and privacy and determines if adequate resources are present."

And they mention a couple of protocols in this layer like FTP, SMB, etc.

How does the application layer identify communication partners? Consider user authentication and privacy? Determine if adequate resources are present? How does this exactly happen? If someone would elaborate I would appreciate this a lot.



Is network engineering getting kinda old?

I'm not calling you guys old, just experienced. This isn't intended to be discriminatory in any way.

I feel like I started in IT rather early (20), and for the past 7 years I've consistently been the youngest person on any of my network teams. The majority of my seniors are usually 38+, and I've scarcely run into any younger folks getting into networking; everyone is DevOps, programming and virtualization/cloud.

Like, I've heard of age discrimination in programming and software dev, but never once in NetEng. I feel like because networking is such a slow-moving piece of IT infrastructure (older protocols, manual input, limited autonomy, etc.) it doesn't really attract a lot of youth since it isn't "sexy" per se. I kinda see us as civil engineers or road construction, building the bridges/roads that keep everything running smoothly, but that takes months to complete.

Sometimes I wonder how this will affect the field in the future. Will we see a mass retiring of NetEng in 10-20 years and companies having trouble because everyone knows abstraction but not the fundamentals?

Once again, this is an observation I've personally made, and I'd like to see if anyone else has similar experiences. This could also be related to my employers.



Cisco Switching Question

We are moving one of our servers to another branch, and in order to do this we need to know the bandwidth consumed by this server. The server is connected to one of our switches on a Fast Ethernet port; is there a command where I can get the full details of the bandwidth being consumed by the server on that switch port? We need to do this because we need to decide whether we will need to go for a bandwidth upgrade when moving the server to the other branch or not.



What causes ping abruption?

I need some brainstorming for my network issue. I have like 10 perfect pings, then 1 timeout, again 13 perfect pings, then 1 timeout, etc. etc.

What could be the problem?



Bypassing Wifi.

My college WiFi has blocked some websites like Netflix and Hotstar. Even the apps don't work. A senior at my college managed to bypass the college WiFi using his router to unblock sites. He used this - https://github.com/Netis/packet-agent

He already left the college for his job. I don't know how to use this software. I installed it on my Ubuntu.



Sanity check for looking at jobs requiring certs.

Just need a small sanity check. I’ve been working in IT for about 10 years now. No formal education, have a bachelor's in something else. Was lucky enough to move from help desk out of college to a better job via a recommendation (sysadmin of a state university, 5000+ people). Was recommended by a friend after that to a start up (great timing, great series C funding, 100 mil+ and now, as things go, slowly tanking) and have been there for four years as a network engineer. Watched it grow from 20 employees to 160.

Looking to finally jump ship by my own free will (before I’m laid off and forced to) and find a stable career path that could support a future family if I were to have one. I’m very happy with my current salary (~100k) but wonder if the general nature of a start up has inflated this. My stock is vested and very cheap if we were to get bought out.. so not worried on missing on that.. just looking for stability in the future.

All the jobs I’ve been looking at have required at the bare minimum a CCNA. I’ve been so busy working I’ve never thought to go down the cert path but it seems it’s time I might need to do that. I’m very comfortable with routing protocols, managing multi site VPNs, automation (python) etc. Great with Juniper stuff. Physically I’ve built out / designed server rooms / data closets etc (don’t want to give away too much what I do to coworkers that lurk this subreddit). My only fear is that I don’t have the time to study before the layoffs will happen. I’m digging in now just to get started regardless and it’s all going fast, but it does take a few months to get the memorization of all the rote stuff down again.

I only ask because I’ve never gone into a job search not already having networked myself in there. A lot of my coworkers seem to have ideas about jumping as well, but it’s hard to work with them for connections as it’s very sensitive with our current work culture to talk about it.. don’t want to show my hand and risk getting let go early.

I'm totally ready to start at the bottom again.. but have gotten spoiled by a salary that has always felt too much to me. Probably fakers syndrome.. but can't shake the worry.

I assume job experience and recommendations will get me over the hurdle, but is it commonly cut and dry.. if you don’t have the certs you’re passed over? I’m 30 now but don’t have the experience of the actual dreaded “job search” to call on.

This might need to go to another sub but I’ve always had good luck with advice given by you guys.



Wednesday, August 14, 2019

Hotel WiFi Recommendations

Hello,

I have an opportunity with a customer who needs to overhaul 30 access points. Normally, we use Ubiquiti APs or, when the budget allows, Cisco.

In this scenario, the customer already has a program with Oviss. Upon further research, it appears that with Oviss they pay only $3/mo per room and the customer had approximately 130 rooms.

I believe there are currently 30 access points.

This seems like a decent system, and even boasts about compliance.

What systems would be an alternative?

Ideally it would be nice to have WiFi passwords change automatically for room number on check in if the cost is not too much more than the alternative: manually changing a Guest WiFi password on a frequent basis.

Here is some info on Oviss: https://oviss.co/public-wifi/



Discord or chat for troubleshooting

Is there a discord or chat for troubleshooting with fellow network engineers?



Ruckus T610 and T710 Flush Mount Options

Hey All,

First time using these external Ruckus APs and it looks like the mounting options are totally different than the internal units.

Does anyone have suggestions for mounting these directly to a wall\ceiling flush like you would with the R510\710\720 and the security bracket?

I am only seeing the official option as a big arm bracket.

Thanks



Shadowserver - good intentions ?

Hello,

I just noticed that my L2TP config was tested by shadowserver dot org ("The Shadowserver Foundation is currently undertaking a project to search for publicly accessible devices that have services running that should not be exposed because they are trivial to exploit or abuse. The goal of this project is to identify hosts that have these types of services exposed and report them back to the network owners for remediation.")

Has anyone encountered this before? Do they truly have good intentions?

Thanks



Which is better: large app image or small app image?

I am on a team working on a hybrid cloud platform for networking apps. This platform is based on k8s and its purpose is to provide the foundation for customer-facing apps which provide various network management functions.

One of the issues I am looking into is how to distribute this platform. The idea is a user downloads it and installs it on a Linux system(s). Now there are basically two ways to support this: 1) a single large image containing all container images, apps, etc. that will be needed to complete an install; 2) a smaller download which acts as a seed, which then gets installed. This seed app will download all the other container images and resources needed for an install.

We will support offline install via #1.

My question is which is preferred by an end user for online installs - a large single image (2-20GB range) or a smaller seed image (few MBs) which will download the rest (2-20GB)?

My boss seems to think the smaller seed image #2 is best. I see advantages here, but I also think there are advantages with a single large image - namely getting things upfront and not worrying about download issues during install, and/or corruptions.

The size range is large because what the platform ends up being is up in the air.

Thoughts??



Why would a modem/router have blocked Ethernet ports?

Ran into this today and have never seen that before. Why would it come from the isp with the ports blocked?



Is StealthWatch useful?

Do any of you have StealthWatch in production? If so do you actually use it and/or get any value from it?

I've seen it in production in two places and in both instances it just sat there collecting dust.



Research Project: An Analysis of SDN.

Hey everyone,

As part of my final year of University, I am working on a project based on the implementation and security in SDN and would like to carry out a questionnaire. About 17 open-based questions, if you have a little time and could help me out that would be amazing.

Here's the link: https://www.esurveycreator.com/s/ad88d0b

If you can't be bothered doing that but would like to share it to colleagues, feel free. Also any questions would be welcome.

Thanks in advance guys.

for tl;dr Need help for research project on SDN , filling out questionnaire would help a bunch. https://www.esurveycreator.com/s/ad88d0b



Cisco SD-access with 9200L?

Wondering if you can use / get anything like extra monitoring from Cisco DNA Center with just 9200L switches? Can you configure "VLANs" when in fabric mode, or is the security tag thingie same as VLAN in a fabric installation?

We're looking to upgrade 500 switches and if we decide the full SD-access isn't worth the 9200L -> 9300L price difference, is there a reason to use DNA center still. DNA center doesn't really cost anything and nowadays you're forced to get the DNA licenses anyway for the switches.



Quick super amateur DHCP question.

So, a quickie here. I am a sys admin, but have rarely touched anything networking related in past.

We are decommissioning the servers that have our existing DHCP services.

I have backed up and imported into a new DHCP server, but have not yet authorized it.

Is it safe to authorize the second DHCP server assuming I do not point my ip helpers at both active DHCP servers at the same time, and replace the ip helpers as I am ready to migrate?

I know that if I add the IP helpers I'll get conflicts galore, but I'm not sure of anything else I may be neglecting.

Thanks!



Juniper mx960 port 111

Hi

Port scan shows that port 111 is open. I am trying to identify what service/application is using this port.

I have tried the below netstat and fstat but no joy.

% netstat -Aa | grep 111
cbfd9000 tcp4 0 0 ge-0-0-8-51..111 <*** deleted ***> ESTABLISHED
c8b5e000 tcp4 0 0 *.111 *.* LISTEN
!
% fstat | grep cbfd9000
fstat: kinfo_getfile(): No such process

Hope someone can help.

Thanks



Determine BGP Peers of a Specific IP at a Specific Location?

Is there a way to determine direct peers for an IP at a specific location, rather than at the ASN level?

For example, I'd like to determine who Cloudflare directly peers with in a specific datacenter, but tools like bgp.he.net give me a listing of all peers for their entire ASN.



static ARP entry on Dell OS10E with VLT

Hi, has anyone managed to configure static ARP entries on Dell OS10 Enterprise while also utilising VLT?

I have two switches that run VLT and a web server cluster. I am trying to add a static entry for the web server cluster MAC to the VLAN to allow routing from other subnets; however, the command runs but doesn't show in the route table.

I will run this code

config t

interface vlan 200

ip arp xx.xx.xx.xx 00:00:00:00:00:00

The command takes fine, then I run a show ip arp interface vlan 200; however, the IP address / MAC address is not present.

I presume it's because of VLT, as this is quite a common scenario. Any help is appreciated!



Is Cisco's EIGRP proprietary or not?

Hi folks,

Short question: is EIGRP proprietary or not?

FRRouting has implemented EIGRP: http://docs.frrouting.org/en/latest/eigrpd.html

RFC 7868 describes EIGRP: https://tools.ietf.org/html/rfc7868

Where is the difference between FRRouting EIGRP and EIGRP as implemented in Cisco's hardware/software?

Does anyone have experience with that?

Best regards



Dynamic Routing between Palo Alto and WatchGuard?

Hello networking!

Does anyone have any practical experience with multiple IPsec tunnels between a Palo Alto cluster and a WatchGuard cluster with OSPF over the redundant tunnels for ECMP? Going to be a hub and spoke design with the several WatchGuard sites connecting back to the datacenter Palos.

Need to connect two segmented parts of a client's network (they purchased a company), and do not have the means to try this in a lab environment. Would rather not POC this in production, and spending money to re-architect their WAN/rip out the WatchGuard for Palo Alto does not appear like an option right now.

Thanks!



automated provider maintenance email parsing

Hey /r/networking, I'm open sourcing a flask app I wrote called janitor that automatically parses incoming emails from providers, organizes them all in a single website, and notifies you via slack at the start and end of each maintenance window. You can also extend it to take other actions like drain/undrain traffic, etc.

Right now the supported providers are NTT, PacketFabric, EUNetworks, Zayo, and GTT (special thanks to /u/Osiris_S13, whose regex I used for the GTT parser when he made this post here). The only supported email server is Gmail, though it can be extended to support Outlook and others. Here are a few screencaps.

Let me know your feedback and/or if you need help setting it up.
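For anyone wanting to see what the parsing side of a tool like this looks like before cloning it, here is an added example (mine, not code from the janitor project) of the core loop: pull the fields out of a provider notice with anchored regexes, normalise the window to UTC, and compute whether the window is pending, active or ended so a scheduler can fire the start/end notifications. The notice, provider domain, ticket and circuit IDs below are constructed; real provider templates differ and each needs its own pattern set.

```python
import re
from datetime import datetime, timezone
from email import message_from_string

# Constructed sample notice; the provider, ticket and circuit IDs are made up.
SAMPLE_NOTICE = """\
From: NOC <noc@example-carrier.test>
To: ops@example.test
Subject: Planned Maintenance Notification - Ticket MT-12345
Content-Type: text/plain; charset=utf-8

Dear Customer,

Please be advised of the following planned work.

Maintenance ID: MT-12345
Start: 2019-08-20 02:00 UTC
End:   2019-08-20 06:00 UTC
Impact: Up to 30 minutes loss of service
Affected circuits:
  CIRC-0001 (Ashburn, VA)
  CIRC-0002 (Frankfurt, DE)

Regards,
Example Carrier NOC
"""

# One pattern per required field, anchored to line starts so a stray mention
# elsewhere in the body cannot satisfy it.
FIELD_RE = {
    "maintenance_id": re.compile(r"^Maintenance ID:\s*(\S+)", re.M),
    "start": re.compile(r"^Start:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) UTC", re.M),
    "end": re.compile(r"^End:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) UTC", re.M),
    "impact": re.compile(r"^Impact:\s*(.+)$", re.M),
}
CIRCUIT_RE = re.compile(r"^\s+(CIRC-\d+)\s+\(([^)]+)\)", re.M)


def _utc(text):
    """'YYYY-MM-DD HH:MM' (already in UTC) -> aware datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def parse_notice(raw):
    """Turn one raw RFC 822 message into a maintenance record; raise if a field is missing."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    fields = {}
    for key, rx in FIELD_RE.items():
        m = rx.search(body)
        if not m:
            raise ValueError(f"notice is missing the {key} field")
        fields[key] = m.group(1).strip()
    provider = re.search(r"@([\w.-]+)", msg["From"]).group(1)   # sender domain names the provider
    return {
        "provider": provider,
        "maintenance_id": fields["maintenance_id"],
        "start": _utc(fields["start"]),
        "end": _utc(fields["end"]),
        "impact": fields["impact"],
        "circuits": [{"id": cid, "location": loc} for cid, loc in CIRCUIT_RE.findall(body)],
    }


def window_state(notice, now):
    """'pending' | 'active' | 'ended' relative to `now` (aware datetime or 'YYYY-MM-DD HH:MM' UTC)."""
    if isinstance(now, str):
        now = _utc(now)
    if notice["end"] <= notice["start"]:
        raise ValueError("maintenance end precedes start")
    if now < notice["start"]:
        return "pending"
    if now < notice["end"]:
        return "active"
    return "ended"


if __name__ == "__main__":
    n = parse_notice(SAMPLE_NOTICE)
    print(n["provider"], n["maintenance_id"], [c["id"] for c in n["circuits"]])
    print(window_state(n, "2019-08-20 03:00"))
```

The missing-field check matters more than it looks: a provider changing its template silently is how a maintenance window gets missed, so a parse failure should page someone rather than produce a half-filled record.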



Does anyone actually use ACLs over firewalls in the real world?

I recently set up an L3 switch to handle interVLAN routing but, after doing so, am really beginning to question my choice. I had originally chosen to go the L3 route because I assumed that the stateless nature (and minimal inspection) of ACLs would reduce latency whenever traffic needed to cross VLANs. I had also read that routing locally on the switch was just plain faster and that in general, routing closest to the traffic was preferred (though no exact reason was given). First of all, is this actually true?

Second, I originally failed to account for the return traffic that can’t make it back through the ACL without additional configuration. I can think of very few situations where I would ever want to reach out to one VLAN from another but not be interested in the response. It seems Cisco has even abandoned traditional ACLs in favor of Context-Based Access Controls (CBAC) which essentially turn the stateless ACL behavior into a stateful one. So with that, in all but the most extreme situations where ACLs are set up to totally isolate VLANs, are ACLs commonly used any more or is it more common/preferred to use a router-on-a-stick configuration in conjunction with a stateful firewall? The maintenance seems to be far more easily managed that way.

What are some considerations for one over the other? I imagine that if you don’t anticipate a high level of interVLAN routing, then that’s another vote in favor of the router-on-a-stick/firewall route.
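The return-traffic problem in the second paragraph is easiest to see side by side, so here is an added example (not from any post above) that simulates the three options on one constructed scenario: a plain stateless ACL, a stateless ACL with a Cisco-style "established" permit for the reverse direction, and a stateful filter that keeps a flow table. The VLAN ranges, ports and packets are made up.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False      # TCP ACK bit; clear only on the very first SYN of a connection


@dataclass(frozen=True)
class Rule:
    permit: bool
    src: str                       # CIDR
    dst: str                       # CIDR
    dport: Optional[int] = None    # None = any port
    established: bool = False      # Cisco-style 'established': match only if ACK is set


def stateless_filter(rules, pkt):
    """Classic ACL: first matching rule wins, implicit deny at the end, no memory of flows."""
    for r in rules:
        if ip_address(pkt.src) not in ip_network(r.src):
            continue
        if ip_address(pkt.dst) not in ip_network(r.dst):
            continue
        if r.dport is not None and pkt.dport != r.dport:
            continue
        if r.established and not pkt.ack:
            continue
        return r.permit
    return False


class StatefulFilter:
    """Policy is consulted only for the first packet of a flow; replies ride on the state entry."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()          # (src, sport, dst, dport) of admitted flows

    def filter(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.flows or reverse in self.flows:
            return True                      # part of a flow we already admitted
        if not pkt.ack and stateless_filter(self.rules, pkt):
            self.flows.add(forward)          # new connection allowed by policy
            return True
        return False                         # unsolicited, or not allowed by policy


# Constructed scenario: the clients VLAN may open HTTPS to the servers VLAN, nothing else.
CLIENTS, SERVERS = "10.0.10.0/24", "10.0.20.0/24"
POLICY = [Rule(True, CLIENTS, SERVERS, dport=443)]
POLICY_WITH_ESTABLISHED = POLICY + [Rule(True, SERVERS, CLIENTS, established=True)]

REQUEST = Packet("10.0.10.5", "10.0.20.8", 51000, 443)                 # client SYN
REPLY = Packet("10.0.20.8", "10.0.10.5", 443, 51000, ack=True)         # server SYN/ACK
UNSOLICITED = Packet("10.0.20.8", "10.0.10.5", 443, 40000, ack=True)   # ACK set, but no request preceded it


def compare():
    """Verdicts (request, reply[, unsolicited]) for each of the three approaches."""
    stateful = StatefulFilter(POLICY)
    return {
        "stateless": (stateless_filter(POLICY, REQUEST),
                      stateless_filter(POLICY, REPLY)),
        "stateless_established": (stateless_filter(POLICY_WITH_ESTABLISHED, REQUEST),
                                  stateless_filter(POLICY_WITH_ESTABLISHED, REPLY),
                                  stateless_filter(POLICY_WITH_ESTABLISHED, UNSOLICITED)),
        "stateful": (stateful.filter(REQUEST),
                     stateful.filter(REPLY),
                     stateful.filter(UNSOLICITED)),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:22s} {verdicts}")
```

The middle row is the one to look at: "established" fixes the reply problem, but it does so by trusting a header bit, so any packet from the server VLAN with ACK set is let through whether or not a client asked for it. Only the stateful filter distinguishes a genuine reply from an unsolicited packet, which is the maintenance and security argument for the firewall route when the inter-VLAN policy is anything beyond full isolation.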



Radio based networking devices, input needed

Hey everyone,

I am helping at a small non-profit association with all things IT, including their network. They got a very basic setup that was implemented by a number of people. Documentation was never written and even passwords are mostly lost. I need some input / ideas / suggestions for this problem:

They got two offices, about 30m apart across a courtyard. There is no clear line of sight between the offices due to a smaller building structure in the courtyard. Both offices are on street level or thereabouts. The obstructing structure is two storeys high with a flat roof.

Currently they use TP-Link Pharos devices to connect the networks of the offices which works OK, but network connection issues are frequent. The NAS is situated in one office and needs to be accessed by both offices. I would normally setup a VPN between the LAN of the offices, but connection speeds make this solution not feasible (at least not preferable). The simplest solution of this may be pulling a cable or fibre across, but I understand this to be not possible.

I lack experience with radio-based networking devices and need your help. I understand devices like Ubiquiti airFiber require an unobstructed view between two connected devices. Are there solutions able to provide reliable connections across this relatively short distance but with an obstructed view, via radio or anything else? Obviously the price of the solution needs to be affordable, but I would be happy to invest in some reliable gear.

Any suggestion would be greatly appreciated. Thanks everyone.

Cheers



Traffic generator - how complex do they get on the high-end?

Hi guys, pleb here: Can high-end traffic generators create packets in multiple protocols and applications? I don't know anything about packet generators but I thought most of them are pretty basic in what they can deliver - maybe a few different protocols, maybe initiate and tear down a TCP session - but application layer would be dummy data.

Anyone have a good high-level resource that breaks it down?



24 dsl modems in 1ru

Hello, I'm looking for a device which is basically 24 ADSL modems with an Ethernet trunk output (each VLAN is a PVC/PVI circuit).

It's a small building and I know I can run DSL over a pair of cables, but I need to deliver Ethernet.

Of course it can be a lower number of modems.

Any idea of such a device?



directly connected links - one side not learning MAC Address, wireshark shows "malformed packets"

I've installed an L3 switch (C9300) with two uplinks into different routers (Juniper MX80). One link has come up fine and I can ping across; the other link is behaving strangely. It shows as "up", but I am unable to ping across. These are 10G interfaces on both sides, with multimode fibre.

show arp on the Cisco switch lists the MAC address of the Juniper device, but show arp on the Juniper side does not show the MAC of the Cisco device.

On top of that, I have carried out a Wireshark capture. When pinging from the MX80, I can see the Juniper ARP request, and the Cisco device responds to it with no issues. When pinging from the Cisco switch I just see echo requests, as obviously it has the MAC, but I don't get a response (not even an ARP request from the Juniper side).

On top of that, if I clear the ARP entries on the Cisco side and then ping across, I do not get a response from the Juniper side, so I don't get an ARP entry. If I then ping from the Juniper side I get an ARP entry in the Cisco switch.

Any tips on fault finding this issue?



Network diagram automation

Hi!

I'm looking for a way to automatically generate network diagrams. Right now we do it all manually but this can take quite a lot of time. I work for a company that builds and manages networks for clients. Some of these networks are up to 300 networking devices. These devices are routers, switches, access points, wireless bridges,...

All these devices are routed to a central datacenter. For IPAM we use netbox.

Do any of you use a tool to automatically generate network diagrams?



Tuesday, August 13, 2019

Are Puma 6 based modems still flawed?

I recently (ignorantly) purchased a Netgear CM700 about 7 days ago from Best Buy, as the sales rep explained the specs and it seemed sufficient for my needs (I didn't think I needed DOCSIS 3.1 and this one was the cheapest one offering 32x8 channels). Well, just today I finally got a real router set up, which performs much better than my laptop running as a hotspot, but I was curious about whether the modem has a built-in NAT and whether it can be disabled.

The very first reply to that thread mentioned that I should return the unit because the Intel Puma 6 SoC ASIC has well-known problems. Sure enough, I looked into it more and I see that the chipset has some DoS vulnerabilities and latency spikes, and there were even rumors that a class action lawsuit would be filed against Arris a couple of years back...

Personally I have not noticed any problems other than the modem getting very warm during operation. I had 2 terminals open for several minutes pinging the DNS servers 1.1.1.1 and 8.8.8.8 and latency was well within tolerable limits (about 9 to 13 milliseconds) I didn't notice any problems playing slither.io for extended periods either (besides poor graphical performance and frame drops on my old desktop)

I have not found definitive sources explaining the exact issue, although one site mentioned that it may be due to an under-powered x86 CPU that is running some (RTOS presumably) which has too many higher priority processes/daemons running on it, causing occasional latency spikes (?). Have there finally been patches released for this architecture that have addressed and hopefully fixed the latency issue?

TL;DR:

I recently purchased a Netgear CM700. The very first reply to that thread mentioned that I should return the unit because the Intel Puma 6 SoC ASIC has well-known problems. Have there finally been patches released for this architecture that have addressed and hopefully fixed the latency issue?



Layer 7 Inspection to sniff DNS traffic

I work for a dedicated server hosting company and we have a number of customers who lease dedicated machines from us and some of them run DNS servers. I have a goal to provide with my employer as complete a list as possible of domains we are hosting and I know I am missing a large portion of them because we cannot access the records stored on these private DNS servers.

My idea was to sniff traffic on port 53 and capture the domains that are being resolved then finally compare that with the list of IP addresses that are ours. Is this something I can actually accomplish using some sort of layer seven inspections? If yes, I'd love to hear some suggested techniques. If no, maybe an alternative idea?

thanks!
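The inventory the post describes comes down to two pieces: decoding DNS messages off the wire and keeping only the answers that point into your own address space. Below is an added example of both, written for this thread rather than taken from any tool; the owned prefix and the three responses are constructed with the builder in the same block (TEST-NET addresses and .test names), so it runs without a capture. The parser handles the label compression real responses use, which is the part a naive "regex the hostname out of the payload" approach gets wrong.

```python
import ipaddress
import struct

# Constructed "our" range (TEST-NET-3); replace with the real allocations.
OWNED_PREFIXES = ["203.0.113.0/24"]


def encode_name(name):
    """Encode a dotted name into DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname, addrs, txid=0x1234, ttl=300):
    """Build a minimal DNS response (QR=1, RD=1, RA=1) with one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN
    answers = b""
    for addr in addrs:
        # 0xC00C is a compression pointer back to the name at offset 12 (the question).
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        answers += ipaddress.IPv4Address(addr).packed
    return header + question + answers


def parse_name(buf, off):
    """Decode a (possibly compressed) name at buf[off]; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                           # resume after the pointer, not the target
            jumped, off, hops = True, ptr, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_dns(buf):
    """Parse header, question and answer sections; A records come back as dotted IPs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = parse_name(buf, off)
        qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(an):
        name, off = parse_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", str(ipaddress.IPv4Address(rdata))))
        else:
            answers.append((name, rtype, rdata))     # other types kept raw
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def hosted_domains(packets, owned_prefixes):
    """Map each answered name to the addresses it resolves to inside our own prefixes."""
    nets = [ipaddress.ip_network(p) for p in owned_prefixes]
    found = {}
    for pkt in packets:
        msg = parse_dns(pkt)
        if not msg["is_response"]:
            continue
        for name, rtype, value in msg["answers"]:
            if rtype == "A" and any(ipaddress.ip_address(value) in n for n in nets):
                found.setdefault(name, set()).add(value)
    return found


# Constructed responses standing in for UDP/53 payloads from a capture.
SAMPLE_RESPONSES = [
    build_a_response("shop.example.test", ["203.0.113.10"]),
    build_a_response("mail.example.test", ["198.51.100.5"]),          # hosted elsewhere
    build_a_response("cdn.example.test", ["203.0.113.20", "203.0.113.21"]),
]

if __name__ == "__main__":
    for name, ips in sorted(hosted_domains(SAMPLE_RESPONSES, OWNED_PREFIXES).items()):
        print(name, sorted(ips))
```

Two caveats a real deployment hits: this only sees names that are actually queried while you are listening, so run it over weeks rather than hours, and DNS over TCP/53 carries a two-byte length prefix in front of each message that has to be stripped before calling parse_dns. Encrypted resolver traffic (DoT/DoH) is invisible to it entirely.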



Business case example

Double post delete



Multi Locale Access Points into a single controller?

I will try to make this short. We use Ruckus. We are deploying Access points at remote locations in Europe and the Middle East (Kuwait), and management is wondering if we can manage them all with a single controller? I have no experience in this regard, but I know wireless certifications for the EU, and North America are different. I have reached out to Ruckus, and am awaiting a call back...but I am always suspicious of front line sales people.

Does anyone have any experience with such a scenario under any wireless vendor? I am wondering if we should just have two separate controllers to properly manage the different bands and frequencies. Thanks in advance!



Could someone explain Cisco RTU licensing method or Honor system?

My company only uses Cisco for Wireless Controllers, we have been using 2504s which are now EOS.

As you know 2504s came with 5 AP licenses (pre-loaded) and then you purchase and upload additional AP licenses as needed.

We are moving to 3504 and can't seem to understand this RTU licensing method.

I still need to still buy licenses and upload them, correct?

It seems there is a way to add APs without actually buying licenses (Honor System), but what is stopping dishonorable people from never buying licenses?

Please ELI5 if needed.

Thanks



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Is it legal to decrypt signals that are passively receivable?

First I'd like to point out I'm not certain if this is the right place for this question, I couldn't find a better place to ask.

My question is - if Alice were to send an encrypted message to Bob over the air (let's just say using WiFi), would MaliciousMan be breaking any U.S. laws by also receiving the data and decrypting it? MaliciousMan would have absolutely no active involvement, simply receive the message and use something locally to decrypt it. (Of course we are being theoretical, assuming MaliciousMan has somehow managed to procure the ability to decrypt AES, SSL and/or whatever else within a reasonable time frame.) Imagine Alice and Bob to be, for example, your grandma logging into her online banking.



Disappointed about new Checkpoint 23900 Firewalls HPP

We bought new Check Point 23900 FWs and already had two big problems.

  1. We were not able to receive the actual R80.20 GA take. Neither online nor offline was successful. We just received a strange error message.

We contacted Check Point Support and they told us "yeah, this bug has already happened for other customers, please just reinstall R80.20 with isomorphic and you are fine." -> Nothing was documented about this known bug.

Problem was solved with this "workaround"

  2. During our migration period we had to shut down one of our bond interfaces. A shutdown caused a core dump / crash and rebooted the system. After two reboots our RAID1 was corrupted and we had to wait to re-establish the RAID.

Currenty I am rully frustrated about this new 23900 model. Also the lack of documentation and bugs with the Firewall is really frustrating, if you think about the 6-digit price tag. I expected a much more stable and less buggy system to be honest.

Has somebody same experiences with this model or with Checkpoint overall ?

My experiences with Fortigate the last two years were much more positiv.



ASA v SRX

Looking for a good LAN firewall no FWNG crap, need redundancy, need to be able to direct terminate VPNs.



Network Design - help needed!!

Hello,

I hope you're all doing well!

I'd like to ask you guys for a favour.

I have been given a synoptic project for my Network Engineer apprenticeship, which I need to complete within the next few days.

Any help would be much appreciated. I've only started it this afternoon and got a bit stuck. To be honest, I don't have enough on-the-job experience to complete this without thorough research.

They're asking for an additional 60 servers, but I'm not sure if they mean physical devices or VMs.

Should I include the setup of DHCP and DNS as well?

I assume I need to consider the airflow and power output for the new racks/devices?

I wonder what steps you would take in this scenario?

If anyone wouldn't mind having a quick look and giving me some clues, that would be much appreciated.

Please see below the provided details. I also have 3 PDFs with the images of existing data centre layout, which unfortunately I'm unable to attach here.

Thank you so much in advance! :)

A.

Project Overview and Objectives

Your company, Magenta Inc, provides hosted IT services from its own data centres to clients over a network available 24/7 and you are the Network Engineer responsible for one of the data centres. You are required to design, configure, test and implement a connectivity network to allow for the expansion of services provided by the company into their SME client base.

You will need to:

• Design, specify and implement a hosting and connectivity network for the expansion

• Expand the data center by adding 60 new servers

• Ensuring compatibility with virtualised servers.

To complete this project, you will need to review all the information specified in the appendices. This will support you to deliver the key outputs and deliverables for this project detailed in the tasks.

• Background information

• Business requirements

• Key diagrams - data hall diagram, rackface layout template, main and zone schematic and Acme equipment data sheet extracts

• Test template

Note: To provide evidence on network connectivity between devices within your virtual environment, you will not be required to connect them to the internet at any stage.

Appendix A - Background Information

• The business was originally built to deliver a mix of high-end and volume broad spectrum business applications, for instance, Customer Relationship Management (CRM). Our growth strategy has been to steadily expand the range of specialist services we offer to include services for human resources and credit card payments.

• Your existing data hall contains data cabinets aligned in six rows containing servers, switches, and a storage area network.

• The company is expanding the range of services it offers from your data centre and the services will be offered using virtualised servers.

• It has been estimated that the expansion will initially require 60 additional servers and that demand is expected to increase by 100% in the first two years.

• Many of the legacy services operate like traditional client-server applications, which require individual customer servers and storage. Some of the services are web enabled and accessed via a browser but others require client software to be installed on the users’ PCs. This has led to a review of strategy because there have been some issues including:

  1. lack of scalability to customers.

  2. lack of data aggregation.

  3. support is difficult because of too much customisation between different customers.

  4. performance data for the data centre is difficult to collect and analyse.

  5. difficult to grow revenue per server.

• Magenta Inc. has now developed a software suite of its own, which will provide a range of business applications including office and messaging, accounting and invoicing, Human Resource Management (HRM) and CRM using a SaaS model multi-tenancy architecture allowing the use of shared resources and infrastructure.

• It has been decided that, due to the mix of applications, the high levels of availability required by the customers and our relative inexperience to initially limit the virtualisation ratio to four virtual machines per server host.

• The estimated demand for services is expected to increase by 100%in the first two years

Appendix B - Acme Equipment Datasheets.

Acme Series 2016 Server
Dimensions - 87.5 H x 445 W x 610 D (mm)
Weight - 17kg
Power supply - 230V, 550W
Operating Temperature - 10C min, 35C max
Operating humidity - 8 - 90% (non-condensing)
Noise - 39dBA
Ethernet ports - 2 x Gigabit

Acme 48 port non-blocking managed switch
Dimensions - 43 H x 445 W x 260 D (mm)
Weight - 3.5kg
Power supply - 230V, 300W
Operating Temperature - 0C min, 40C max
Operating humidity - 10 - 90% (non-condensing)
Ports - 48 x 10/100/1000 + 2 Gigabit SFP

Acme 16Gb, 24 channel Fibre Channel managed switch
Dimensions - 43 H x 445 W x 260 D (mm)
Weight - 4.5kg
Power supply - 230V, 60W
Operating Temperature - 0C min, 40C max
Operating humidity - 10 - 85% (non-condensing)
Ports - 24 x universal (E, F, M, FL)

Acme series 3000 tape libraries
Dimensions - 220 H x 445 W x 8000 D (mm)
Weight - 40kg
Power supply - 230V, 500W
Operating Temperature - 10C min, 35C max
Operating humidity - 10 - 80% (non-condensing)
Ports - 1 x 8Gb FC (expansion slot for second interface card)

Acme series 6000 disk arrays
Dimensions - 87 H x 445 W x 560 D (mm)
Weight - 13kg
Power supply - 230V, 350W
Operating Temperature - 10C min, 35C max
Operating humidity - 20 - 80% (non-condensing)
Ports - 4 x 8Gb FC, 2 x 1000Base-T Ethernet (management)

4 x Acme Integrated Services firewall routers
Dimensions - 89 H x 440 W x 450 D (mm)
Weight - 14kg
Power supply - 230V, 650W
Operating Temperature - 0C min, 40C max
Operating humidity - 5 - 80% (non-condensing)
Ports - 3 x 10/100/1000 Ethernet WAN ports, 24 x 10/100/1000 Ethernet LAN ports

Acme 42U, 600x1000mm cabinets
Dimensions - 2050 H x 600 W x 1000 D (mm)
Loading - up to 500kg static load

Task 1 Evidence:

• Design a hosting and connectivity network for an additional 60 servers. Use the below box to

Task 2 Evidence:

• Demonstrate how you might install and configure a Rack layout for cabinets with new servers. Use the below box to capture the file name and type of file that you intend to submit as evidence of completion of this task

Task 3 Evidence:

• Demonstrate virtualisation running on test network by testing the connectivity of the 4 virtual machines to the server. Use the below box to capture the file name and type of file that you intend to submit as evidence of completion of this task.

Task 4 Evidence:

Provide a:

• Updated connectivity plan for the data hall.

• Virtualisation plan for new servers.



Any thoughts on HPE Aruba??

Hello guys!

I'm a Looong time Cisco Classic user who is now in the process of upgrading. I've heard a lot about HPE Aruba but have not looked much into it.

Anyone here have any general experience with them?



Cabling an office without a raised floor

Our last office had a raised floor so we could run all the cabling under the floor and have it pop out in a box under the desk.

Our latest office has cabling run all the walls in trunking, and rows of wall ports near the desks.

This has worked, but obviously means all desks need to be touching the walls otherwise you have cabling running over the carpet.

We have another office build due in October and I want to look at other options such as running cabling down poles or something.

What are you all doing in an office space without raised flooring?



Why does some telecoms equipment we install, use -48Vdc? What’s the relevance for the negative voltage?


tshark.dev: Capture Lifecycle on the CLI

tshark.dev is your complete guide to working with packet captures on the CLI. I made this site for the networking community. Let me know what you think.




WIFI Heatmap/Planning Software?

What is everyone using to do WIFI planning/heatmapping?



HP5130 console ports dead?

Hi,

a few days ago you guys were very helpful regarding my question about upgrading my HP5310 stack. I wanted to make sure everything is ready for the scheduled downtime on Thursday, but I'm unable to access the console ports of any of the stacked switches.

I used the original cable (ethernet to serial) and a serial to usb dongle and used the following parameters in putty:

Serial line to connect to: COM1 (this is correct)
Speed: 9600
Data bits: 8
Stop bits: 1
Parity: none
Flow control: none
Putty then tries to connect but nothing happens, window stays blank. Same thing happens when I try to connect directly with another server which has an onboard serial port.

The indicator lights of the console ports are off the whole time. The dashboard in webgui doesn't even show the console ports.

I tried to enable ssh in the web gui which seemed to work but if I connect, I get "Server unexpectedly closed network connection" after entering the password.

I was planning to upgrade the software with the web gui but am a bit concerned now because without console or ssh access there is no second option in case of failure. Any thoughts? Thanks in advance!



Hey! Does anybody know what QUIC over TCP means in the context of graphs? Does it mean that QUIC was running over a TCP overlay or something? Or just that it is the result of an A/B test of QUIC versus TCP? https://eng.uber.com/employing-quic-protocol/ https://ift.tt/30UWJ8W



ASR1004 VS ASR1006

Hello everyone,

Since I recently started my first job as (co-)infrastructure engineer, I want to make a good first decision.

I'm looking at ASR1004, ASR1006 and ASR1006-X for my company backbone. We are a B2B internet provider.

And I would like to know pros and cons of these routers, and understand the difference between 1006 and 1006-X.

I have been looking at 9000 series too and I'd like someone to give personal feedback.

Thank you in advance!!



Novice/silly question - Need a hub but only have a Cisco switch

Working on a home project and not a network guy so sorry for the dumb question.

Typically I'd use a hub for what I want to do. I want to sniff packets, then interrogate a device for open ports.
Now I know how to do all this with a nice dumb hub, but I only have a Cisco switch (2960) to hand.

I was about to set up a monitor port on my Cisco switch to have a look at traffic going between two units using Wireshark, but then I realised that I can only listen (thus not be able to interrogate). I've started googling about and my guessing is leading me towards bridging, but I thought that it knows who and what it's sending to (like a switch). Am I on the right track here or should I be looking at something else?



Pinging from router works, but not from the client under the same router

Good morning,

I have a problem with this topology:

https://imgur.com/a/k4PqASj (Upper part and lower part attached).

Basically, if I ping from CE1A (172.16.0.1/32) to CE2A (172.16.0.2/32) everything's ok, but if I ping CE2A from Ubuntu-1 it stops at LER1 (10.0.1.1/30).

  • Ping from CE1A to CE2A:

CE1A#traceroute 172.16.0.2
Tracing the route to 172.16.0.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.1.1 11 msec 4 msec 5 msec
  2 10.0.9.5 [MPLS: Labels 18/22 Exp 0] 12 msec 9 msec 10 msec
  3 10.0.9.2 [MPLS: Labels 18/22 Exp 0] 8 msec 10 msec 8 msec
  4 10.0.2.1 [MPLS: Label 22 Exp 0] 9 msec 8 msec 9 msec
  5 10.0.2.2 13 msec 8 msec 9 msec

  • Ping from Ubuntu-1 to CE2A:

root@Ubuntu-1:~# traceroute 172.16.0.2
traceroute to 172.16.0.2 (172.16.0.2), 30 hops max, 60 byte packets
 1  193.246.121.33 (193.246.121.33)  16.047 ms  26.029 ms  27.279 ms
 2  10.0.1.1 (10.0.1.1)  31.465 ms  32.350 ms  37.331 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  *^C
root@Ubuntu-1:~#

  • LER1 configuration:

LER1#sh run
Building configuration...

IOMEM size set to 53477376 bytes.
Current configuration : 4370 bytes
!
! Last configuration change at 09:24:44 UTC Tue Aug 13 2019
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname LER1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ethernet lmi ce
!
no process cpu autoprofile hog
memory-size iomem 5
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip icmp rate-limit unreachable
!
ip vrf Customer_A
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
ip vrf Customer_B
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
redundancy
!
no cdp log mismatch duplex
no cdp run
!
ip tcp synwait-time 5
!
interface Loopback0
 ip address 10.0.0.3 255.255.255.255
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface GigabitEthernet0/0
 ip address 10.0.9.6 255.255.255.252
 ip ospf 1 area 0
 duplex auto
 speed auto
 media-type rj45
 mpls ip
 no cdp enable
!
interface GigabitEthernet0/1
 ip vrf forwarding Customer_A
 ip address 10.0.1.1 255.255.255.252
 ip ospf 2 area 0
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/2
 ip vrf forwarding Customer_B
 ip address 10.0.1.5 255.255.255.252
 ip ospf 3 area 0
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
router ospf 2 vrf Customer_A
 router-id 10.0.1.1
 redistribute bgp 65000 subnets
!
router ospf 3 vrf Customer_B
 router-id 10.0.1.5
 redistribute bgp 65000 subnets
!
router ospf 1
 router-id 10.0.0.3
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 10.0.0.4 remote-as 65000
 neighbor 10.0.0.4 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.0.0.4 activate
  neighbor 10.0.0.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf Customer_A
  redistribute ospf 2
 exit-address-family
 !
 address-family ipv4 vrf Customer_B
  redistribute ospf 3
 exit-address-family
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 escape-character 3
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

I don't understand why this happens. I set the default gateway of the Ubuntu-1 client to 193.246.121.33, so is it correct to say that the packet which arrives at LER1 comes from CE1A? Why isn't the ping from Ubuntu-1 treated as if it started from CE1A?

Thank you in advance.

David

EDIT: The final goal would be to ping Ubuntu-2 from Ubuntu-1, using the MPLS network I already built. The packet must enter into CE1A and exit from CE2A. If anyone has any ideas that would be awesome. In particular I don't know if I'm using the right approach to do so (creating VLANs for example).

Thank you.



Multiple Providers out in my area. What is up?

Was in office doing a server upgrade when Comcast Business went out about 1:15am and went home and my Armstrong internet is also out. My Verizon Wireless hotspot is working. Something is going on across providers.



BT Homehub 5, flashing OpenWrt using Arduino as USB->Serial?

I recently got a BT Smart Hub as part of my new BT package and was looking into replacing it right away, as it has heehaw control over DNS and DHCP, and no matter what I do, there's always some issue with OpenVPN.

I'm broke as hell this month, so I can't afford to buy a £20-30 USB->Serial cable. What I do have though, is a dozen or so Arduinos in various flavours and this older hub I can maybe repurpose.

Is it possible to flash OpenWrt using the Arduino as a USB->Serial converter? I quickly Googled it and am getting mixed results and frankly, I'm not up to scratch enough to know what to look for, or which keywords to type for issues that may arise. Basically I have no idea how on earth serial connections work :).



Monday, August 12, 2019

Asking for an advice between Linksys MR8300 vs EA8300

Hello,

I am trying to buy new router for my home.

Looks like mr8300 and ea8300 are similar.

I don't know what is the difference.

I believe those are both gigabit for wired and wireless, correct me if I am wrong.

MR8300 seems newer with better features, but the price is lower than the EA8300.

Looking for a help to decide which one to go with..

Thanks



Cisco ISE allow certain internal web access and block .......

We have ISE v2.2 for wireless authentication tied in with AD LDAP. Our goal is to allow only certain individuals (wirelessly) to reach internal confidential websites and block the rest. Not too familiar with ISE; what is the easiest way to approach this? Is there a way using the tied-up LDAP and ISE? I had ACLs in mind on the routers and switches, but certain machines are DHCP clients and that seems to be a bigger task.



A handful of sites are not accessible but only when accessed via IPv6 (or possibly IPv6 + SSL)

I came across an issue the other day with updating a Raspberry Pi. No matter what I fiddled with on my network, that specific node could not hit the Raspbian download mirrors. Eventually I was able to make it work by disabling IPv6.

Meanwhile, just for the past week or so, a handful of other sites don’t load on my Mac, but inconsistently. None of them have really been important, so I’ve just closed the tab and moved on. In the one case where it mattered, my phone was able to connect when the Mac could not. (My phone also appears to have an IPv6 address.)

Finally, this evening, I was once again fiddling with a Pi and attempted to download an OS image on my laptop. The browser connection either gave me an SSL error or a Timed Out error. OpenSSL’s s_client was able to connect just fine but wget hung the same as the browser. Eventually I discovered that disabling IPv6 at the WiFi configuration level allowed that laptop access to those sites.

The Raspberry Pi / Raspbian sites appear to be the primary affected endpoints but as I said, there are others that I haven’t been as affected by so haven’t kept track of...

What am I missing here? Is this my network? My ISP? It’s driving me crazy.



ASA - natting multiple non consecutive VLANs - Am I doing it right?

I need to nat multiple non consecutive VLANs to a public IP address.

I am currently planning on doing it this way:

object network VLAN200-network
 nat (inside,outside) dynamic 1.2.3.4
object network VLAN202-network
 nat (inside,outside) dynamic 1.2.3.4
object network VLAN200-network
 subnet 10.1.1.0 255.255.255.0
object network VLAN202-network
 subnet 10.1.6.0 255.255.255.0

But I am getting this warning:

WARNING: Pool (1.2.3.4) overlap with existing pool.

Will this work as planned or will there be a conflict?



Critique my networking workshop outline?

I've been asked to conduct a networking workshop to teach basic networking to some members of our IT department. They also wanted some hands on stuff, so I dug out an old 8-port Cisco switch and a smaller router (1900 series) from storage.

I've been thinking of how to structure the class, and I think I've come up with a rough lesson outline, but I wanted to bounce some ideas off all of you.

Anyway, here goes...

  • First part of the class starts with some slides, before we jump right into labbing.

  • Start by showing the OSI Model and confirming that everyone's seen this and knows what it is.

  • Tell them to forget that and then bring in the TCP/IP model (which I feel better represents what you actually see in real life.)

  • Work up from the bottom of the stack

  • Physical layer stuff explaining basic concepts like sending pulses on the line in a specific timing window to create "symbols". (Make obvious reference to telegraphs, and explain how it's like that only faster and machines read the symbols instead of humans.) (Spend no more than 5 minutes on this part, this isn't electrical engineering it's basic networking)

  • Explain concepts like half vs full duplex, Auto-Negotiate and a few standards like 100base-T, 1000base-T, 1000base-sx, etc. (Again spend no more than 3-5 minutes on this part maybe just 1 slide to show a few basic pinouts and connectors.)

  • Delve into layer 2 and give an explanation on the Ethernet standard and the structure of a frame. Explain about MAC Addresses, and broadcast vs unicast.

  • Explain about how switches build a layer 2 forwarding table, explain mac learning, and Broadcast & Unknown Unicast flooding.

  • First lab, everyone plugs a laptop into the switch and I have them all IP their machines based on seat number, and ping each other with no default gateway configured. I run wireshark on my machine, and show off all the ARP broadcasts as their machines seek out which layer 2 address they should send these packets to. (I'm hoping this part blows them away.)

  • Taking a short break, we'll be moving on to layer 3 when we return.

  • More slides when they come back. I'll explain about layer 3 and how the layer 2 frames carry layer 3 packets in them when it needs to be written on the wire. I'll show them the IPv4 Packet Header and explain some of the basic concepts.

  • I'll load a new configuration on the switch that puts every 2 ports in a separate VLAN. I'll have the class re-IP their laptop based on flipping their index card over and seeing their new address, subnet mask, and gateway.

  • Confirm that they can still ping each other in the same VLAN but they can't ping the laptops in the other VLANs any more.

  • I'll introduce the concept of routing and how it's used to get between different networks. At this point I'll hook up the 1900 to the switch and make them watch while I configure a basic Router on a Stick configuration. I'll then make them watch while I put together a quick trunk port on the switch.

  • Everyone will set their default gateway based on the previous configuration.

  • Everyone will confirm they can now ping each other. The Router is routing their packets between the different VLANs.

  • Now at this point I'll ask various people around the room questions and toss them a piece of candy if they get it right. Review questions like "what does a switch do if you send it a frame to a destination MAC Address that isn't in its forwarding table?" and "how do hosts determine where they should send their layer 2 frames when they want to talk to a specific IP Address?"

  • After that section we finish up with the Transport Layer and Application layer. Briefly explain about source port, destination port, show a TCP header and a UDP header.

  • Obligatory explanation of "TCP vs UDP" lol (every networking class should always mention this, right?)

  • Show a wireshark capture of me SSH'ing to the switch from my laptop or something so we can see the ports in the packets, and sequence numbers and ACK's etc, also they can see the crypto handshake

  • By then it will probably be around lunch time, so class dismissed.

What do you all think? I know it sounds kinda lame right now, I've been thinking of ways to make it more interactive like making them "be a switch" and write out "frames" on index cards and build a mac table, but some of that could possibly take up too much time or be a little difficult to orchestrate.

Also I'm kinda not happy with not having at least a 2-hop routing scenario. I was originally wanting to make a 3-router network and have everyone talking via static routes, and show how many static routes they need, and then configure like a super basic "router ospf 1, network 10.0.0.0" configuration to show how easy that made it, or heck even just "router rip" and done... but I think it would take too much time and the fan noise from the 3 routers would make it difficult for people to stay focused.

EDIT: Another big concern is that it doesn't touch subnetting or binary, which seem staples in all beginner level courses. Do I dare skip this?

Any thoughts?
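The layer 2 labs in this outline (source MAC learning, flooding of broadcast and unknown-unicast frames, and the loss of reachability once every pair of ports sits in its own VLAN), simulated in Python as an added example that is not part of the original post; the seat-to-MAC roster, port numbers and VLAN ids are constructed for illustration.

```python
"""Learning-switch simulator for the workshop's layer 2 labs (constructed example).

It models what the slides describe: source-MAC learning, flooding of broadcast
and unknown-unicast frames, known-unicast forwarding out of a single port, and
the per-VLAN isolation seen when every two ports are moved into their own VLAN.
The hosts, MAC addresses, port numbers and VLAN ids below are made up.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """True for broadcast and multicast MACs (I/G bit set in the first octet)."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    note: str = ""  # e.g. "ARP request"; descriptive only, not used for forwarding


@dataclass
class LearningSwitch:
    port_vlan: dict                                   # access port -> VLAN id
    mac_table: dict = field(default_factory=dict)     # (vlan, mac) -> port
    log: list = field(default_factory=list)           # per-frame forwarding decisions

    def receive(self, in_port: int, frame: Frame) -> list:
        """Handle one frame arriving on in_port and return the list of egress ports."""
        vlan = self.port_vlan[in_port]
        # Step 1: source learning. The switch notes "MAC src lives behind in_port in this VLAN".
        self.mac_table[(vlan, frame.src)] = in_port
        # Step 2: destination lookup, scoped to the ingress VLAN.
        if is_group_address(frame.dst) or (vlan, frame.dst) not in self.mac_table:
            # Broadcast/multicast or unknown unicast: flood to every other port in the VLAN.
            reason = "broadcast" if is_group_address(frame.dst) else "unknown-unicast"
            out = sorted(p for p, v in self.port_vlan.items() if v == vlan and p != in_port)
        else:
            reason = "known-unicast"
            port = self.mac_table[(vlan, frame.dst)]
            out = [] if port == in_port else [port]  # never send a frame back out its ingress port
        self.log.append((in_port, frame.src, frame.dst, reason, tuple(out)))
        return out


# Constructed roster: seat number -> laptop MAC (locally administered addresses).
HOSTS = {1: "02:00:00:00:00:01", 2: "02:00:00:00:00:02",
         3: "02:00:00:00:00:03", 4: "02:00:00:00:00:04"}


def run_arp_lab() -> LearningSwitch:
    """Lab 1: four laptops in one VLAN; seat 1 ARPs for seat 2, seat 2 answers, then they ping."""
    sw = LearningSwitch(port_vlan={p: 1 for p in HOSTS})
    sw.receive(1, Frame(HOSTS[1], BROADCAST, "ARP request: who has seat 2's IP?"))
    sw.receive(2, Frame(HOSTS[2], HOSTS[1], "ARP reply"))
    sw.receive(1, Frame(HOSTS[1], HOSTS[2], "ICMP echo request"))
    sw.receive(1, Frame(HOSTS[1], HOSTS[3], "unicast to a MAC the switch has not learned yet"))
    return sw


def run_vlan_lab() -> LearningSwitch:
    """Lab 2: every two ports in their own VLAN; seat 1 can no longer reach seat 3."""
    sw = LearningSwitch(port_vlan={1: 10, 2: 10, 3: 20, 4: 20})
    sw.receive(3, Frame(HOSTS[3], BROADCAST, "seat 3 ARPs inside VLAN 20"))
    sw.receive(1, Frame(HOSTS[1], BROADCAST, "seat 1 ARPs inside VLAN 10"))
    # Seat 3's MAC is known, but only in VLAN 20: from VLAN 10 it is unknown and
    # the frame is flooded within VLAN 10 only, so ports 3 and 4 never see it.
    sw.receive(1, Frame(HOSTS[1], HOSTS[3], "seat 1 -> seat 3 across VLANs"))
    return sw


def main() -> None:
    for title, sw in (("ARP lab", run_arp_lab()), ("VLAN lab", run_vlan_lab())):
        print(f"== {title} ==")
        for in_port, src, dst, reason, out in sw.log:
            print(f"port {in_port}: {src} -> {dst}: {reason}, egress {list(out)}")
        print("MAC table:", {f"vlan{v} {m}": p for (v, m), p in sw.mac_table.items()})


if __name__ == "__main__":
    main()
```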



Access speed vs Port Speed.

Hi all, apology if this is a dumb question. I don't have any background in network engineering. I am a business analyst who had been handed a big collection of circuit contracts for analysis. I don't understand why there are so many contracts with Access speed significantly higher than the port speed. For example, if you are buying a port at 50MB, why are you paying for a 1Gbps access to go with it? Isn't your overall speed limited by your port speed in this case, so buying a 50MB for both access and port makes more sense?



How much Layer 2 traffic is there on an average subnet?

Many years ago I worked for an ISP where we learned a lot more MAC addresses than you'd expect from a non-insignificant number of our commercial customers. In the office we'd chuckle amongst ourselves that these companies clearly didn't know routing from switching.

I know in some odd cases you might need to have a subnet stretch across a private line, but we saw some extreme cases. There were internet circuits where we were learning two thousand MACs from a school district. There were private VPLS networks with hundreds of MACs. Etc.

I always wondered how much money these companies were probably wasting each month by needing a larger bandwidth pipe for all that L2 traffic. At $1k/mo even a 10% reduction could save a company $1,200 a year.

This question has been bugging me for years. I really need to set up Wireshark to do a test on my own subnet at work but I keep forgetting to. Maybe the responses from this post will remind me to. Even then, I'm not sure the traffic on our subnet will be average compared to other companies.

What's your experience with these things been?



IPv4 Public Address Space

Hey, I work for a company that back in 1991 bought 13 /24 public IPv4 address blocks. Just recently, I've had to update all our information with ARIN and update the ownership of our ASN. (Legal name changes, buyout, etc....)

Our company has no reason to have 3,302 public IPv4 addresses. So my question is, how do we go about selling the /24 networks? Is it worth it?

Thanks in advance.



Not sure if this is the right sub to post this in, but does anyone here have experience with Adva fibre switches?

We've had Openreach (BT in the UK) rock up and install a fibre line that terminates in an Adva FSP150CP fibre access switch, which apparently is one built specifically for Openreach so I'm struggling to get a manual for it.

It looks like we've got the option to use either ethernet or fibre to go from this to our router, but according to our provider only the fibre will work "because the connection is too fast" for ethernet. This is only a 100mb line and lets just say the provider hasn't been 100% accurate with their advice so far.

Anyone here run into this kit before and if so did you get it running using ethernet?

edit: It's one of these - https://www.itinstock.com/adva-fsp150cp-optical-fibre-access-switch-f150bt-cpgig2ac-0078993005-42179-p.asp - nice to see British Telecom sparing no expense :)



standard BGP has faster convergence than OSPF??

I am currently performing convergence tests, and just found out that BGP convergence time is around 2 seconds, which is way less than expected. My OSPF times are 8 seconds. I am not modifying the protocol in any way. This seems ridiculous; would anyone have an explanation as to why BGP is so fast, just like EIGRP? I hesitate to continue the testing because of this. Any advice or reasoning welcome, thanks!



File Server Vs Web Server

I was just wondering what the main difference is between a File Server and Web Server.

Talking with some friends, they describe the difference as one having access to more features (Web Server) and being able to host, for example, a website. But does that mean you can use a web server as a file server over the internet for remote access? Sorry, this may seem like a very dumb question.



Network monitor without backdating?

Are there any network monitor tools out there that don't practice backdating on support renewals?

We are currently a few years behind on support and would like to renew with our current vendor; however, they want to backdate our support contract to the day our support ended. This means we would essentially be paying the full cost of the product we originally paid a perpetual license for.

I understand paying for the software update portion, however, it seems rather unfair to pay for the time when we had no access to support. I have spoken to two other companies and it seems they also follow in this vile practice.

Essentially they bundle software updates in with support in order to extort software update pricing to the tune of 25% per year. It seems that while this practice may be widespread, it should be illegal.

TIA



RADIUS questions

Cisco radius questions...
1) How do I enable that all radius over ssh authenticated users have level 15 enable privileges? Even better if it directly drops them into the exec shell? We use freeradius with LDAP.

2) I have used aaa authentication login default group radius local on vty 0 4 or aaa authentication login default local group radius on the same vty 0 4. But I have never been able to log in as local or vice versa as radius on the same vty via SSH. My idea was that in case I ever forgot my radius user's password I could use a local user as a fallback. So imagine I have applied aaa authentication login default radius local to the vty 0 4 where ssh is, but I have forgotten my radius password and now I want to ssh with ssh localuser@ciscodevice? I mean, I tried that but for some reason it never fell back to the local database; am I missing something?



Is it possible to redirect a user's folder navigation from IP address to FQDN?

We have some older corporate software with the IP address hardcoded (e.g., software checks files on share \\192.168.0.100\files), however our newer security software requires users to use the server FQDN for file shares (e.g., \\fileserver\files) and this is breaking some of the software reports.

Unfortunately the software is no longer supported so getting the hardcoding updated is not an option.

What I'm trying to find is a way (such as Windows hosts file) to redirect the IP address to the FQDN so software share lookup will function as needed.

Is this possible?



Cisco FMC / FTD Remote management over Internet

Hey! Has anyone done this before?

I have purchased three Cisco FTD 1010 for a customer and a 10 license FMC appliance.

They have three sites.

Site A (Main site, FMC and one FTD here)

Site B: Another Country

Site C: Yet another Country.

So what I want to do is add site B & C in the FMC via Internet.

AFAIK there's no official solution to this from Cisco.

But I talked to colleague and he said that it would be possible to do.

So what I'm thinking is.

• Publish FMC on site A on the Internet

• Set the MGNT-interface on site B & C on a public address, and then do some form of NAT.

Has anyone tried this successfully?