Saturday, August 31, 2019

SPAN port on a N9K within a vPC domain

Hi all,

I am having a project which involves sending local SPAN traffic to a security system. The Nexus are all NX-OS. The customer's current system looks like:

N9K01 ---(SPAN dst)--- FireEye APT
  | ||
N9K02

The peer link allows all VLANs on the trunk.

As per my understanding, let's say if the traffic coming from a vPC, forwarded to another vPC is being mirrored:

  1. Are they losing the visibility of theoretically 50% of the traffic coming from the said vPC?
  2. If the traffic is sent through the peer link, it would not be forwarded out the other vPC member (loop avoidance). So does the traffic get mirrored first or does it get dropped immediately on ingress of the peer link? Is it ever actually forwarded across the peer link?

The questions above have the assumption that the system is under normal operation, and no orphan ports are involved. I also have no direct configuration of the devices, only giving thoughts and advice.

Thanks in advance.



Online student needs help!

Hey guys, I joined this sub today and am looking for help. I’m pretty tech savvy and know enough to be confident with networking. Anyways, I recently moved to Canada to play junior hockey, and I’m living in a dorm with terrible internet. We’re talking 500 kB/s and the wifi kicks me off every hour or so. I’m doing online high school and need some better stuff. I’ve looked into portable wifi/hotspot devices you can buy? I’m willing to spend a little money if it means I’ll get a better connection.

Basically I’m here to ask what my options are for getting a faster more reliable wifi with my current situation.

Thank you in advance.



OpenVPN for Android - can't reach local servers when "block connections without VPN" is enabled

Hi,

I hope this is the right place for this.
I created a VPN server on my pfSense a couple of days ago. It all worked fine on my gf's phone but on mine there were some problems when connected to the mobile network.
So I decided to tinker around and found that enabling the option "block connections without VPN" in Android prevents me from reaching my private servers.
I have a local DNS - Pi-hole - and that DNS server is picked in the OpenVPN server settings. It did actually work a couple of days ago. But now since tinkering around it has stopped working for both me and my gf no matter what I try.
There aren't really any logs on either the firewall or OpenVPN on pfSense. Nor are there logs saying anything that I can pick up on the Android client.

Anyone have any advice as to why this is happening?



Mikrotik POE-Out to power an IP phone

Hey, I'm wondering if it is possible to make my Routerboard's POE-Out (passive POE output) power an IP phone which only supports a normal DC input and 802.3af.

I searched a bit and found an adapter but I'm not sure if it supports Mikrotik's way of doing it, as they seem to be able to support 1Gbps along with power on one cable: https://www.amazon.fr/Injecteur-Adaptateur-Alimentation-Synth%C3%A9tiseur-S%C3%A9parateur/dp/B07TWL9F3H/ref=mp_s_a_1_1

Also seen Ubiquiti's 802.3af to passive POE converter, but it unfortunately only seems to support that direction.

Thanks in advance (and sorry if this is the wrong sub for this, please point me out to a better one if you know any!)



Need advice: I want to set up my own firewall and SIEM.

I want to set up my own firewall and SIEM. I am relatively young and almost all of my networking knowledge has come from working at a very large enterprise out of college, so I could use some help with home networking. I came into work and showed some coworkers a sketch network with 2 firewalls and they laughed at me. I've been at it for a few days and I really just need some advice.

Firewall:

My friends tell me to just use an old SFF dell optiplex or something for the firewall. [Pfsense or ipFire]

However, my research has led me down the path of Ubiquiti products. The EdgeRouter X and Lite are very popular. Why would I use those instead, just because I would have to get more NICs in the PC to use it as a router?

SIEM:

This should be separate and behind the router. I am looking at a used HP DL360 G7 or a Dell R710. 1 or 2u. 48gb x2 X5650 6 CORE 2.66GHz

Is this a good understanding of the hardware requirements I would need to set up this network? And as I understand it, the flow of traffic would be the following:

Internet -> Modem -> FW/Router [Optiplex] -> lan/wifi/SIEM



New to multicast

I'm currently running streams via an in-house utility that streams H.264, and I'm using that with unicast, and this is a giant pain.

Here are my questions.

Do I need to configure the ubuntu server ethernet port that I intend to stream the multicast from to enable multicast?

Do I need to configure the other ubuntu servers receiving the multicast?

Can I just use an arbitrary multicast address for my streams ? E.g., 239.255.37.1

Do I need to make any changes to my switches? 4 aruba switches connected via one cat5 between each switch. Port is set to auto.

IGMP snooping/ IGMP querier?



Newb here — I have a question about the differences between 5GHz and 2.4GHz

Is it true that A 5GHz router will provide faster data rates at a shorter distance while 2.4 GHz routers may improve coverage for farther distances at slower speeds?



Friday, August 30, 2019

Cisco ASR fail-over for multiple subinterfaces?

Hi All,

I'm setting up a network with 2 Cisco ASR's (2 for failover reasons).

I'm looking to find a way where I can have a primary and secondary router (configured with the exact same config), so if the primary goes down, the secondary takes over.

I've been looking into HSRP, however this looks like I will need to configure this on every sub-interface and use up a lot of IP address space.

Is there a better way to do this?



warranty tracking software recommendation

I have a whole bunch of network devices. 1000+. I'm looking for recommendations for warranty tracking software. It can be open source or paid. The spreadsheet this company uses is ridiculous. It's outdated and cumbersome. A nice little interface with reminder emails would be nice. What do you use?



Port question about VLANs

Are there commands to show what port numbers are open in a particular VLAN?



Probably an easy Question, need help as beginner

So in my homelab i have following setup:

WAN goes into EdgeRouterX on Physical Port(eth0):

On (eth1) it Creates the LAN 192.168.1.0/24.

The router gets the IP address 192.168.1.1 in this network. Also on this net there is my PC, with a DHCP address on the same network (192.168.1.38).

On one physical port on the switch (eth3) is an IPMI device (NAS - Supermicro board) 192.168.11.79

My goal is to connect from my PC to the IPMI device on the other network. What are ways to achieve this?

Static Routes?, IP Aliases ?.

Any help is very appreciated. If more info is needed, just comment :)

Main Reason is for WakeOnLan (My NAS has a LAGG interface, where i can't WOL for some reason, i haven't found out yet)



Cisco DNA opt-out?

I think the whole DNA thing is BS and a way for Cisco to make more MRR. I saw some opt-out SKUs for the 3800 series. Looks like they don't work in CCW though. Is there any way to opt out? (specifically for the Cat 9k line) I work at an MSP where a lot of the smaller clients only need layer 3 routing as far as licensing goes.



Time to train for CWDP cert

I'm about to start training for the CWDP cert. Anybody have advice on the easiest way to study/train?

I'm not real worried about passing since I've been very WiFi focused for about 10 years now, but I would love any advice you guys have. How does it compare to CWNA?



+10Gbps Speedtest

Hello everyone!

My current server configuration has a 40Gbps connection, but as most of the high quality speedtest servers on Ookla only support 10Gbps, I am not able to fully test it. The highest speed I get is 10/10. Do you have any advice about how to test it? I am not able to find any server that supports +10Gbps. Looking for your advice.



Python script to circumvent .tar file upgrades via ZTP of 2960S/X/XR switches

I made a script to circumvent .tar file upgrades while provisioning IOS switches that don't support .bin upgrades via autoinstall/poap/etc.

https://github.com/derek-shnosh/ztp-watcher

Ref: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Plug-and-Play/release/notes/pnp-release-notes16.html#pgfId-206873

For the Cisco Catalyst 2960X/2960XR/2960S Series switches, only image upgrade with tar file and configuration upgrade are supported.

This is my first Python project using classes and functions; constructive feedback is welcome as I am still learning. I do realize that it has a bit of a specific use-case, as I wrote it to supplement FreeZTP, which has a custom logging feature that logs switch configurations to a directory with custom variables as the file name (look for "custom logging" in FreeZTP's readme).



AS Prepend based on ip address match?

Working at a large community college ... We currently use a single router with two 1GB ISPs. We're using BGP to balance traffic, in an active-active ISP setup.

For a while, we were HEAVILY weighted to where most INCOMING traffic was coming in ISP1 and barely a hint of traffic was incoming via ISP2. After doing some looking glass lookups, noticed most AS Paths were favoring ISP1. So, in an attempt to balance the traffic a bit more, we did an AS Prepend on ISP1.

However, this has shifted much inbound traffic to ISP 2 now. Around lunch time, ISP 2 caps at the 1GB limit, while ISP 1 sits around 200-300 meg in. Many students on netflix , youtube, etc.

So the question is ... can I do an AS Prepend using a route policy where I match for certain IP blocks? (Maybe some of the big data hogs, like Netflix and Akamai servers). I don't want to split the traffic to where I deny certain IPs from coming in one ISP, because we have to maintain a failover environment.

Maybe something like this, where I prepend the AS # ONCE to ISP 2 if the IP matches a prefix list where I enter a range of IPs, to attempt to influence their INBOUND route to come in ISP 1:

    ! -- Prefix List (Match Netflix IP block) --
    ip prefix-list Netflix index 5 permit 108.175.32.0 20 less-equal 32
    ! -- Route Policy --
    route-policy Netflix_Pref permit node 10
     if-match ip address prefix-list Netflix
     apply as-path <AS # here>
    ! -- BGP Setup --
    address-family ipv4 unicast
     import-route static route-policy LOCAL-IMPORT
     network <our network>
     peer <ISP2 peer here> route-policy Netflix_Pref export

Thanks!



Closest Autonomous AP to Cisco that can be configured 100% in CLI

Hi All,

I have used Cisco Aironet exclusively for the past 12 years. I have a network of 413 APs spread across the globe, all in Autonomous mode. You may or may not know, but with the latest line of Cisco APs (1832/2802), Cisco has abandoned autonomous/standalone IOS. Now your only options are CAPWAP or Mobility Express, which causes headaches with existing networks. It seems Cisco has forgotten that not all of us manage a 3 building school district that can swap out their entire wireless infrastructure in a weekend, or that those of us managing large scale hub-n-spoke networks don't all do things properly and spare no expense when the budget or time is a problem.

So, at this point, I'm looking to abandon Cisco Aironet going forward, but I want to replace it with something that works/is configured almost identically to how Aironet autonomous/standalone IOS is configured on the CLI. Let me stress that last part - I HATE the GUI. Looking for something CLI based. I need to broadcast a staff wifi on vlan 1 and a guest wifi on vlan 22, so the radio and gigE interface needs to be capable of sub-interfacing.

Suggestions?



Help with 10Gb Switch Performance

I manage IT for an SMB company. Most of my background is Systems. I inherited the current setup and I have been cleaning it up slowly. I have two 10Gb switches being used for our Dell/EMC VxRail cluster (3 node). A few VLANs set up for vSAN, vMotion.

What I am trying to figure out is why two machines (not part of the cluster) with 10Gb NICs only get 115MB/s throughput when copying files. Backups to a NAS with a 10Gb NIC max out at 200MB/s. The two 10Gb switches do have uplinks to the existing 1Gb switches where workstations/printers/etc are connected. It almost seems as if the path of the data is leaving the 10Gb switch and going through the 1Gb switches and back. Any ideas would be appreciated. Thanks!



Correlating command formats with Cisco OSes and versions

Specifically, the format of the 'ip sla' commands have changed nearly as often as Cisco's OS feature trains. Anyone know of a tool that can either provide a lookup for when a particular command showed up in their OSes (general use), or just a nice summary of the various incarnations of the 'ip sla' formats per OS versions?



DNS Help needed

Assume:

- my WAN IP is xx.xx.xx.xx

- I have bought a domain mydomain.com

I have so far successfully set up dyndns on my home pfsense.

On pfsense I have got port forwarding configured for my plex server to be able to be reached over web at xx.xx.xx.xx:32400 and this is working fine when being accessed with PublicIP:port

Now I want to have a record added as plex.mydomain.com which should automatically point to port 32400 (probably it should automatically redirect to plex.mydomain.com:32400)

How to do that?

P.S. - DNS is being managed in Cloudflare.



Did Verizon just inject a bogus prefix?

Checking my logs I saw this:

    003456: Aug 30 09:04:00.153: %BGP-6-MSGDUMP_LIMIT: unsupported or mal-formatted message received from *.*.*.*
    FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0121 0200 0001 0340 0101 0240 02DE 0237
    0000 **** 0000 **** 0000 **** 0000 **** 0000 **** 0000 **** 0000 577A 0000 577A
    0000 577A 0000 577A 0000 577A 0000 577A 0000 577A 0000 577A 0000 577A 0000 577A
    0000 577A 0000 577A 0000 577A 0000 577A 0000 577A 0000 577A 0000 577A 0000 577A
    0000 577A 0000 577A 0000 577A 0000 577A 0000 577A 0000 577A 0000 577A 0000 577A
    0000 577A 0000 577A 0000 577A 0000 577A 0000 577A 0000 577A 0000 577A 0000 577A
    0000 577A 0000 577A 0000 577A 0000 577A 0000 577A 0000**MSG 00003 TRUNCATED**
    **MSG 00003 CONTINUATION #01** 577A 0000 577A 0000 577A

    003457: Aug 30 09:04:00.273: %BGP-6-ASPATH: Long AS path **** **** **** **** **** **** 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 22394 received from *.*.*.*: BGP(0) Prefixes: 72.105.136.0/21 174.215.0.0/16

More info:

https://imgur.com/a/yoFes7v

https://www.iana.org/assignments/bgp-parameters/bgp-parameters.xhtml
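As an added example (not from the post or its logs), a decoder for an UPDATE laid out like the MSGDUMP above (marker, length, type 02, ORIGIN, then one AS_SEQUENCE of 4-byte ASNs as in the `0000 577A` pairs), plus a parser for the `%BGP-6-ASPATH` line, so the longest prepend run can be measured before deciding on a `maxas-limit` style policy. The message, the peer 192.0.2.1 and every ASN other than 22394 are constructed; the two prefixes are the ones from the log.

```python
"""Decode a BGP UPDATE with 4-byte ASNs (RFC 6793) and flag long prepend runs.

Constructed example, not the poster's logs: 22394 and the two prefixes are from
the post, the other ASNs are documentation ASNs (RFC 5398).
"""
import re
import struct
from ipaddress import IPv4Address, IPv4Network

BGP_MARKER = b"\xff" * 16
UPDATE, ORIGIN, AS_PATH, AS_SEQUENCE = 2, 1, 2, 2


def encode_prefix(net: str) -> bytes:
    """NLRI encoding: one prefix-length byte, then only the significant address bytes."""
    n = IPv4Network(net)
    return bytes([n.prefixlen]) + n.network_address.packed[: (n.prefixlen + 7) // 8]


def decode_prefixes(buf: bytes) -> list:
    out, i = [], 0
    while i < len(buf):
        plen, nbytes = buf[i], (buf[i] + 7) // 8
        addr = IPv4Address(buf[i + 1 : i + 1 + nbytes].ljust(4, b"\x00"))
        out.append(str(IPv4Network(f"{addr}/{plen}", strict=False)))
        i += 1 + nbytes
    return out


def build_update(as_path, prefixes, origin=2):
    """Build an UPDATE carrying ORIGIN, a single AS_SEQUENCE segment and NLRI."""
    seg = bytes([AS_SEQUENCE, len(as_path)]) + b"".join(struct.pack("!I", a) for a in as_path)
    attrs = bytes([0x40, ORIGIN, 1, origin]) + bytes([0x40, AS_PATH, len(seg)]) + seg
    nlri = b"".join(encode_prefix(p) for p in prefixes)
    body = struct.pack("!HH", 0, len(attrs)) + attrs + nlri  # no withdrawn routes
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), UPDATE) + body


def parse_update(msg: bytes) -> dict:
    """Walk header, withdrawn routes, path attributes and NLRI; ASNs are taken as 4 bytes."""
    if msg[:16] != BGP_MARKER:
        raise ValueError("bad marker")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != UPDATE or length != len(msg):
        raise ValueError("not a complete UPDATE")
    body = msg[19:]
    (wlen,) = struct.unpack("!H", body[:2])
    i = 2 + wlen
    (alen,) = struct.unpack("!H", body[i : i + 2])
    i += 2
    attrs, nlri = body[i : i + alen], body[i + alen :]
    res = {"origin": None, "as_path": [], "prefixes": decode_prefixes(nlri)}
    j = 0
    while j < len(attrs):
        flags, code = attrs[j], attrs[j + 1]
        if flags & 0x10:  # extended-length bit: two length bytes
            (vlen,) = struct.unpack("!H", attrs[j + 2 : j + 4])
            j += 4
        else:
            vlen = attrs[j + 2]
            j += 3
        val = attrs[j : j + vlen]
        j += vlen
        if code == ORIGIN:
            res["origin"] = val[0]
        elif code == AS_PATH:
            k = 0
            while k < len(val):
                count = val[k + 1]  # segment type byte, then ASN count
                k += 2
                res["as_path"] += list(struct.unpack("!%dI" % count, val[k : k + 4 * count]))
                k += 4 * count
    return res


def longest_prepend_run(as_path) -> int:
    """Length of the longest run of one ASN repeated back to back."""
    best = run = 0
    prev = None
    for asn in as_path:
        run = run + 1 if asn == prev else 1
        best, prev = max(best, run), asn
    return best


LOG_RE = re.compile(r"%BGP-6-ASPATH: Long AS path (.+?) received from (\S+): .*Prefixes: (.+)$")


def parse_aspath_log(line: str):
    """Pull peer, AS path and prefixes out of an IOS %BGP-6-ASPATH line (masked '****' tokens are skipped)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    path = [int(t) for t in m.group(1).split() if t.isdigit()]
    return {"peer": m.group(2), "as_path": path, "prefixes": m.group(3).split()}


# Constructed sample: three transit ASNs, then the origin AS 22394 prepended 40 times.
SAMPLE_PATH = [64496, 64497, 64498] + [22394] * 40
SAMPLE_PREFIXES = ["72.105.136.0/21", "174.215.0.0/16"]
SAMPLE_LOG = ("003457: Aug 30 09:04:00.273: %BGP-6-ASPATH: Long AS path "
              + " ".join(str(a) for a in SAMPLE_PATH)
              + " received from 192.0.2.1: BGP(0) Prefixes: " + " ".join(SAMPLE_PREFIXES))

if __name__ == "__main__":
    msg = build_update(SAMPLE_PATH, SAMPLE_PREFIXES)
    print(msg.hex(" ", 2))  # same column layout as the IOS MSGDUMP: marker, length, type 02 ...
    dec = parse_update(msg)
    print(dec["prefixes"], "hops:", len(dec["as_path"]), "longest run:", longest_prepend_run(dec["as_path"]))
```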



VMWare Network Connectivity Issues in vSphere connected to Cisco ACI lab Environment (Stuck)

I was creating a VM in my company's non-production lab environment, but the device was unable to get a DHCP address from the scope. So I checked the vSwitch's VMkernel port and the IP address associated with vmk1 was not pingable. OK, simple enough, I find a different static address for that VMK and I should be good, right..... well, not exactly.

I changed the IP address on vmk1 and refreshed to hopefully allow my VM the ability to communicate with the outside world/DORA for a DHCP address, and I instantly knew something was wrong. Currently, I have a constantly pingable ESXi environment that hosts the VM, but SSH (which is turned on) and the web GUI are unable to be reached (aka no login prompt). The VLAN associated with the VMkernel port is being allowed across the trunk and is not being pruned; I ensured that.

I would think that the login page to get access to the ESXi host environment would be available if the ESXi host device is pingable. Also with our lab ACI environment, we currently are not enforcing contracts, but I think that ACI is where the issue may be. The configuration to the best of my knowledge goes like this: ESXi on Server -> 3750X -> N9K Leaf (there is no firewall). The login page can't be hosted on a sub VM inside ESXi connected to a vSwitch, otherwise you would never be able to initially set up the environment in the first place, and overall that makes no sense.

Anybody ever run into this?



How to get around WiFi throttling?

I live in a student residence, and there is an open WiFi with a limited bandwidth of 5/5 Mbyte up & down per connection.

I used two phones and my laptop, each with their own connection to the wifi. Then I shared my phones' connection with the laptop using Bluetooth/USB tethering. Then merged all 3 of them using https://speedify.com. It worked fine, and managed to get 15/15 up & down.

Being a broke college student, and having access to free VPS on google cloud / amazon. I was wondering if I could set up my own VPN and do the vpn bonding speedify does on my own to save some money. I currently have no idea how to do so, I didn't find anything on the internet.


However, i've read that using a VPN through port 53 might bypass any restrictions, is that true?

Thank you <3



Help with VLANs

Hello fellow redditors

Until two days ago I thought I was fairly OK with networking, but I realize I am still a big noob. Mostly I work with Cisco routers and Cisco switches.

Two days ago, I was assigned to create a network for a client with a VoIP server on it.

His network is simple; however, because I hadn't worked before with a Cisco router and HPE switch, it drives me crazy.

Somehow, I managed (easily) to create his network with telephony, but the only problem is that the two VLANs cannot speak with each other.

His network is:

Modem for Internet --> Cisco RV130W and from port 1 of Cisco it goes to port 1 of HPE 1820 Switch

Modem for Telephony --> UCM 6204 Grandstream server (configured as router) --> port 23 HPE 1820 Switch

I have two VLANs in Cisco Router:

VLAN 1 which has untagged the port 1 and VLAN 102 which has tagged the port 1

I have enabled inter-VLAN routing

The VLAN 1 is on 192.168.1.1/24 with DHCP enabled

The VLAN 102 is on 192.168.2.254/24 with DHCP disabled

I can ping from VLAN 1 to 192.168.2.254

I have two VLANs and one trunk? in HPE switch

VLAN 1 which has untagged the port 2-22

VLAN 102 which has untagged the port 23 and 24 and tagged the remaining ports

TRK1 (port 1) has untagged the VLAN 1 and tagged the VLAN 102

The Grandstream server has ip address 192.168.2.1/24 with DHCP enabled and default gateway 192.168.2.1

I configured the Grandstream telephones with VLAN tag 102 and they are working fine. Computers are on VLAN 1 and are working fine as well. However, I cannot ping from a computer to the Grandstream server or to any telephone (192.168.2.x).

The only way to connect to the 192.168.2.x network is to take my laptop and connect it to port 24, from which again I cannot ping computers on VLAN 1.

I'm breaking my head over how to correct this.

I have tried to change the default gateway of Grandstream server to 192.168.2.254 but it didn’t work.

I have tried to make other trunk from HPE to port 4 of Cisco with both of VLANs tagged this time but NO

Any ideas what to change?

I think the problem is the trunk. Should I try to change and make tagged the VLAN 1 and VLAN 102?



Thursday, August 29, 2019

TFTP Server Not Transferring Data

I am trying to flash firmware to a Yealink SIP-T46G IP phone using TFTPD32, which I’ve used a lot for Cisco phones and it’s worked well. So I point the phone to the IP of the TFTP server, and it starts trying to pull the first file. However, the progress bar on the window that pops up on TFTPD32 usually starts moving and doesn’t stay at “0 bytes”. I’ve tried rebooting the computer and stuff and Wiresharking it. It’s obviously communicating with the TFTP server trying to pull files, but it’s like it can’t make any progress. It just keeps trying with new ones over and over again. Here’s what Wireshark says:

    TFTP 81 Read Request, File: T46.rom, Transfer type: octet, timeout=5, blksize=1468
    TFTP 67 Option Acknowledgement, timeout=5, blksize=1468
    TFTP 67 Option Acknowledgement, timeout=5, blksize=1468

Some time passes

    TFTP 67 Error Code, Code: Not defined, Message: Undefined error code
    TFTP 67 Error Code, Code: Not defined, Message: Undefined error code

And this repeats infinitely. Thoughts? Thanks!



MSR 2003 JG411A End of Life/End of Support

I tried to find this on Google but their official site did not have any documents.



Accessing web servers with public IPs via S2S VPN

https://ift.tt/2ZAhANG

Is network engineering tougher and more stressful or software engineering?


DHCP Static Connection Question

Hello guys,

I want to ask you guys about setting a static IP for a NAS device.

I've read that getting a static IP costs you more money, but I've seen people saying that you can have a static IP and not pay for it using the DHCP connection settings in your router client and just setting a static one for your config.

I'm not enjoying the fact that my NAS changes its IP every few days or so.

I also don't want to pay extra just for a static IP.

Would that DHCP method work while not costing any money?

I would appreciate any help guys!

Thank You!



SFP+ is Only fiber?

A few days back I was talking to a network engineer and he asked for an L3 switch with all ports being SFP+ and 10 GBIC units together; he wanted to borrow it for a few days.

I replied asking if he wanted fiber or copper; he said again SFP+. After I insisted he told me he wanted all in fiber.

In my head SFP+ is the type of medium that supports 10 gigabit and can be fiber or copper.

Am I wrong?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Trouble Understanding ACI Switch Selector and Interface Selectors and how they are used?

Can anyone explain how these are used, my coworker was explaining a codependency between the two, but it didn't make a whole lot of sense. Is there any simple way of explaining it, I may just be getting too caught up in the details of things and getting confused.



HFC vs. FTTH

Hello - I'm trying to figure out whether there are significant operating expenses associated with HFC networks that are either insignificant or non-existent in FTTH networks. One major cable company, Altice, is overbuilding its own HFC network with FTTH. They expect to be break even on the overbuild within three years due to the significant cost saves. I'm wondering if this could be the early mark of a new trend. For those familiar with networks - what are the significant cost inputs between the two networks?

After the install process is a fiber network cheaper to operate? And if so what are the key line items?

Second, what do people think about the possibility of reaching "DOCSIS Escape Velocity," whereby general data consumption growth, powered by forces like Nielsen's Law, increases at a rate that DOCSIS innovations simply cannot keep pace with? In this instance, FTTH is a clear cut winner (forget about fixed 5G for the sake of the discussion) and legacy HFC networks begin to look more like the copper networks of the past when cable became the clear cut winner with differentiated technology.



How does your org maintain the local user db on routers/switches when using RADIUS for auth?

I'm a network analyst at a small-ish telco co-op. We've recently grown to the point that we're looking at using RADIUS for authentication management. RADIUS itself is easy enough to implement - we already use it for wireless authentication in the office, but a question my manager and I were pondering is maintaining the local database. Obviously everyone will no longer have a local login - that would defeat the point of RADIUS. It seems like there should probably be one local account, but then who knows it? Should the network analysts/engineers know it in case there's an emergency and the RADIUS server can't be contacted? Should it be restricted to the managers on the network team? Just interested in hearing what other orgs have done.



Is there a single thread limit on 40Gbps networking?

Hi there,

I just wanna quickly pick your brains, guys. I recently started doing some 40Gbps testing with some HP QSFP+ 544 (based on the ConnectX-3 chip from Mellanox).

Is there a reason or limitation on a single TCP thread, or am I doing something wrong (maybe some optimisation missing), since I cannot get more than 20-22Gbps on a single iperf2 TCP thread? I am able to achieve 39.8 Gbps on 4 threads. But on a single thread it maxes out at 20-22Gbps.

I saw that (https://community.mellanox.com/servlet/rtaImage?eid=ka21T000000k9yq&feoid=00N5000000AYucA&refid=0EM1T000000uNJf) on the Mellanox site, which seems to say that Mellanox itself states something about 25Gbps in a single thread.

Thanks for your advice guys

Regards Yves



Hard of Hearing Network Engineers

Hi Guys, Thanks for the great sub

TLDR; I am a hard of hearing network engineer, trying to look for jobs that don't require meetings and speaking with others over the phone. Any suggestions?

So I believe I am doing well in my SP company as an associate engineer. But one thing bothering me is meetings, especially when people are joining remotely via speakers that make the sound quality worse, to an extent that I could not decipher anything even after multiple repetitions. I feel like I am cheating my employer, although I can call after the meetings and get things straight. But I am looking for something more isolated. I wear hearing aids that cost two times my salary. Although they helped me with one-to-one conversations and local meetings, I am still having problems with remote meetings and phone calls.

Although my current job is more toward network project management, I am more into operational technical jobs. I have 2 years of experience and that is why I am aiming toward starting my technical career at jobs that require strong configuration skills and fewer human interaction skills.

Any idea or technical fields like this?



Nexus 3604 - iSCSI Host

Hello Guys,

I've been tasked to check a peculiar setup.

So the client has 2 Cisco Nexus 3604s that serve as their storage switching. They are connected to a SAN server via iSCSI.

The connection itself is fully on Ethernet ports; I do not see any special type of configuration for the iSCSI. I haven't really touched iSCSI all that often, so I'm guessing it's normal that they just connect to Ethernet ports.

So the 2 Cisco Nexus have a vPC domain configured between them, but the connections to the ISCSI servers are all orphan-ports, again in a normal setup you would tell them to look at this. The ports are just access ports in a single VLAN with no port-channel configuration (hence the orphan port).

Now my simple idea of the server access would be to hook both ISCSI1 and ISCSI2 into an LACP port-channel so we can have full vPC down to the host, but I'm not sure if the host will take this and if this how it should be. I've always remembered that SAN should be Path A and Path B and there should be no interferences, no idea if this is the same with ISCSI?

Problem Scenario:

Nexus 3K2 has been damaged in the front and is showing weird behaviour, spontaneous reboots. (I can't see the logs as they are flushed each time the chassis reboots.) In the below setup the iSCSI hosts should survive as the 3K1 has never rebooted. But they have to perform manual actions sometimes on their DB to set things correct.

I would propose to replace the faulty switch as well, just to avoid the reboots. But they are also asking if the below setup is ok, I would say no because having a vPC domain with orphan ports is just missing the point, but it's an ISCSI server and I have no experience with that.

So the setup is as follows (simple drawing):

    NEXUS 3K1. ---------------------- vPC Domain 100: VLAN Trunked: 100 ----------------------------- Nexus 3K2
    DB03 ------------------------------------------------------------------------------------------------------------------DB04

So DB03 is connected to Port 1 on 3K1 and 3K2

So DB04 is connected to Port 2 on 3K1 and 3K2

Ports 1 and 2 on 3K1 are marked as ISCSI1

Ports 1 and 2 on 3K2 are marked as ISCSI2 (Something I don't fully understand)

All ports are configured in access VLAN 100 and are orphan ports; there is no logical port-channel configuration anywhere. Only the vPC domain is configured and the ports.



Zonefirewall only with DNS Objects

Hi all,

I'm wondering if there are any disadvantages or recommendations against using only FQDN firewall objects on common firewalls like Fortigate/Palo Alto instead of static IP address objects. Especially also for LAN objects like internal firewall zone objects (servers etc.)

The advantages are clear. Much less effort, more dynamic handling etc.

But I'm wondering if there are some good reasons or maybe best practices against it?



Search for Network Management Tool

Hi,

For our little company we are searching for a network management tool which we can use to manage our switches, manage our IPs (like IPAM), make a topology of our network + something like RackTables. At this moment we're using all different kinds of applications but we want this to be one application. Maybe there's someone on this subreddit who knows an application like this.



Cisco alternatives for ISE and Stealthwatch

TL;DR: Is there an enterprise-grade network vendor who can provide a good alternative to Cisco's quality of wired and wireless networking along with ISE and Stealthwatch? And is it as well integrated?

We're a medium sized business (1-200 employees) based in the UK, and we're looking to do a complete refresh of wired and wireless networking at our head office. (We have branch offices but all users use VPN.)

One of our main concerns moving forward with this network refresh is security, and I've used ISE at previous employers with great success for securing the wired and wireless networks, and I'd like to deploy that again along with StealthWatch. DNA is also on our radar but is $$$$ and so we probably won't do it. We're working with a great Cisco partner on the proposal who have a proven track record of good ISE implementations, so I'm not worried that we'll end up with an expensive brick of a solution.

One of the things I'm conscious of is that I see a lot of posts on here discussing the great alternatives to Cisco, particularly in light of Cisco's relatively recent changes to the licensing models that means you are pretty much a slave to their licenses. I don't see this as necessarily being a bad thing for our business use case, but it has given me pause to think about other possible vendors, and I know that we'll be asked about it as part of due diligence anyway.

Security is the big requirement here, but we are also wanting to pass 10GbE iSCSI traffic for our servers and storage. There will be no FC or FCoE, so no need (necessarily) for Nexus. Ease of management is also an important thing for us.

So, with that in mind - is there an enterprise-grade network vendor who can provide a good alternative to Cisco's quality of wired and wireless networking along with ISE and Stealthwatch? And is it as well integrated?



DMVPN router crashed, trying to restore the config to a new one

So we inherited a couple of DMVPN routers in regional sites. One of them crashed, we received a replacement from Cisco, and we have been restoring a config, but it doesn't take the crypto isakmp key and we can't find a plain text version of it.

Any ideas?

Thanks



IPV6_ND-6-DUPLICATE_INFO for switches' own SVIs in the same VLAN

I'm getting strange log warnings on most of my Catalysts, both C3650 (16.3.6), C2960S (15.0.2) and one C4500-sup7l (03.06.08). vl50 is the Management-Interface.

The log entries show up exactly 5 minutes apart. Its almost as if the switches are detecting their own ND

Aug 29 07:03:02.454: %IPV6_ND-6-DUPLICATE_INFO: DAD attempt detected for FC00:0:0:1::29 on Vlan50
Aug 29 07:03:31.667: %IPV6_ND-6-DUPLICATE_INFO: DAD attempt detected for FE80::1A80:90FF:FE97:1A68 on Vlan50

This is the IPv6 interface of an SVI:

Vlan50 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1A80:90FF:FE97:1A68
  No Virtual link-local address(es):
  Description: MGMT
  Global unicast address(es):
    FC00:0:0:1::29, subnet is FC00:0:0:1::/64
  Joined group address(es):
    FF02::1
    FF02::1:FF00:29
    FF02::1:FF97:1A68
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND NS retransmit interval is 1000 milliseconds

I tried to SPAN at various points in the network but couldn't find anything weird.

Am I hitting some sort of bug, and can I discriminate that log entry?



Can anyone identify this cable?

Hello,

Apologies if this does not fit the purpose of the subreddit, but I could not think of a better place to ask.

I found a few of these in one of our very/overdue-to-be-tidied comms cabs, installed before my time. As far as I can tell they’re Cat.6 T568/B, but why do they have a different pair on ‘display’ either end? The pic is of one cable.

Help sate my curiosity!



Cisco: Low Optical Transmit Power

Does this point to an issue with an SFP?

We have a 4500-x vss stack, through which runs the heartbeat for a bunch of vrrp groups upstream, both routers have been going active due to loss of heartbeat.

One of the switch uplinks has a Tx power of -10 dBm on the switch, but the router upstream is showing a healthy Rx signal of -5 dBm.



Arista Switch configuration, subinterfaces + trunk?

Hi all,

I have an Arista 7050QX-32 configured to trunk up to our router via a port channel, and have got a few VLANs passing through. However, I'm trying to add an L3 subinterface to the existing (switchport mode trunk) port channel, but it seems that a prerequisite of doing so is "no switchport". I've been poring through the documentation but I can't seem to figure out a way of going about my specific problem.

Is there any better way to go about this, or am I missing something?



PVST from trunk to accessport

We are migrating to a new network setup. If I enable port 41 (port from Arista to Dell switch) on the Arista switch we get the following errors at the Cisco switch:

*Dec 11 13:26:58.742: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet1/0/1 on VLAN0001. Port consistency restored.

*Dec 11 13:34:53.722: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk GigabitEthernet1/0/1 VLAN1.

Is it not possible to trunk with PVST over the network and convert the trunk to a vlan access port?

Or is the reason that we use RSTP on the Dell switch, and the Dell switch doesn't see the PVST packets and forwards them dumbly to the access port?

Setup:

Arista switch <----> Dell switch <----> Cisco switch

Configs:

Arista switch:
  spanning-tree mode rapid-pvst
  spanning-tree mst 0 priority 8192
  vlan 134
  interface Ethernet41
     description linktoDellSwitch
     switchport mode trunk

Dell switch:
  vlan 134
  (RSTP configured, IEEE 802.1w)
  spanning-tree priority 4096
  interface Te1/0/2
     description "linktoArista"
     switchport mode general
     switchport general allowed vlan add 134 tagged
  interface Te1/0/21
     description "linktoCisco"
     switchport access vlan 134

Cisco switch:
  spanning-tree mode pvst
  spanning-tree extend system-id
  interface GigabitEthernet1/0/1
     description linktoDell

* Default VLAN 1 configured on all ports.



Wednesday, August 28, 2019

Hi, I am new to networking and I am seeking some tips to get into the industry.

Yeah, I am pursuing a career in IT and I am looking for some tips to get into it. My brother, who has a CCNP, suggested GNS3 for a virtual network to work on.

I am 18 and I am trying to get some more tips and tricks from people who've been doing this for a long time.

I am also currently pursuing my CCNA for a start. Any help would be awesome :)



I could never break the 300 Mbps barrier on the 5 GHz band even though I have a 500 Mbps subscription.

I have an Asus RT-AC1200G+ router that is capable of 867 Mbps on 802.11ac. I could only achieve 500 Mbps using a LAN cable attached to my laptop.

I've tried running speed tests on multiple devices but all of them give out the same results. Why is that?



Switch Security Best Practice

Any good links for best security practice for Dell Networking N1548P?



How do I get out of my Helpdesk job and grow if my company doesn’t let me touch anything?

I work for a company who basically keeps me at Helpdesk even though I am supposed to be configuring firewalls and networking equipment. I’ve worked on some of it before so I know what I am doing and can figure it out but I’ve been doing Helpdesk for a year and a half with a total of two years of experience from my old job as well. I want to be a network engineer and I am studying for my CCNA but I don’t have anything at my work to practice on and I don’t have a lot of time after work to learn either. Should I look for another job?



How do I go from Helpdesk to Network Engineer in 3 years?

I want to be a network engineer working with Cisco equipment but I work for a small MSP doing Helpdesk with no room for growth. What would be my next steps to reach that goal of becoming a Network Engineer in 3 years?



Long mesh wifi network

Hi. I'm working on a project to give connectivity to farmers in rural areas. The ranches are 1-2 km apart from each other. I want to create a mesh topology, but I'm not sure what equipment I should use. Any advice? TIA



Anyone heard of Blue Hexagon?

I had a customer call in using Blue Hexagon (seems to be an ai threat monitoring/mitigation platform) and was wondering if anyone had any exposure to it. This particular customer had mirrored all switch interfaces to a singular interface connected to Blue Hexagon (not sure if it's an appliance, a vm or something else). I was wondering if that is what they recommend or if this was as wrong as it felt to me.

So please, if you know about Blue Hexagon (beyond a google search) please share what you know.

Thanks



Coworker got fired, not going to back-fill. Ask for a raise?

So I've been at my company for just about 4 months. Two months into my job the other Network Engineer (who had a senior title) got fired for some undisclosed reason. For the last two months I've been doing the job alone, and apparently well enough that management decided that there isn't a reason to back-fill the old position.

My initial thought was to bust my ass for the rest of the year and then at the year end review ask for the senior title and a raise. My other coworkers (not network) and my wife seem to think I'd be an idiot if I didn't immediately ask for a raise since I now found out I'm going to be flying solo permanently.

How would you handle the situation? I want to keep in good graces because the company compensates well, I genuinely like the job and they have a pretty impressive end of year bonus structure. On the other hand, I probably have a lot of leverage if I want to push the issue.



WiFi positioning system?

Does WiFi positioning system work if the laptop has WiFi turned off?



Any recommendations for Active/Standby ASAs with a single provider ONT

Hi Guys,

First time poster, long time lurker, looking to see if anyone can provide a better idea or some advice for an upcoming network uplift.

For employee recreational WiFi we have a 100 Mb BTNET circuit in each of our sites (16 in the UK) hanging off a single ASA 5506 or 5508. I've been asked to increase the resilience of this service by implementing a standby for each ASA to allow maintenance and fault tolerance etc.

However, the line terminates on a single 21CN ONT which we can only have one copper presented connection from (as far as I'm aware anyway). Currently I've budgeted for a number of 8 port 2960CX compact switches. This will also be a single point of failure, but at least we can get site-hands to pull the cable from the switch and direct patch to the active ASA should it fail.

Does anyone have a better suggestion? As weird as it sounds, I've thought about those 2-into-1 RJ45 Y splitters that I've seen people use to turn a 1 Gig switchport into two 100 Meg switchports. But I'm not sure if the ONT will be completely confused by this...

Note, this is recreational WiFi for employees, so a second link is out of the question, we have SecurePlus lines for our MPLS but WiFi is not permitted to use this as it's non-critical traffic, seeing if anyone else has some low cost ingenious suggestions.

Thanks in advance Guys -Ludo



Code execution and admin login bypass in Cisco UCS Director and Cisco IMC


https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ucs-rce.txt

These guys found it: https://www.agileinfosec.co.uk/



Windstream ISP FYI

Just an FYI to all those using Windstream as your ISP: one of their techs was just at my office and told me I could not have access to the Cisco router of theirs because THEY ALL HAVE THE SAME PASSWORD.

I hope this was just an excuse to not give me access to it and not true but just an FYI in case it is



Nyansa Voyance Experience

We're a large (5000 devices/60000 clients) Cisco customer looking to get actionable feedback about the performance and user experience on our network. After walking the floor at Cisco Live, Voyance was the one product that really stood out to me. If you have positive or negative feedback about the product, it would be greatly appreciated. I know Cisco DNA Assurance has some similar features, but unfortunately we can't print our own money yet.



Hosting a Fortnite Tournament at my college. Worried about the network being able to handle the load of 20 consoles on the internet together.

So I was put in charge of figuring out the network requirements and equipment we may need. Of course, I know nothing about the topic so I am turning to trusty Reddit community for help.

The internet has a gig down but only about 35-40 up at the location.

My concern extends also to routers and switches. What would an ideal setup look like for a network to accommodate 20 consoles online together all at once?



SPAN configuration

Hello everyone,

Currently I am about to install network management software to capture network traffic and create a network map of the network at work. There are two core switches, one for the servers VLAN and one for users. Both of them are connected to the firewall. How do I connect one workstation to both core switches and configure SPAN in order to capture traffic from both core switches?



Is it possible to do that?

Was wondering, with the Plume mesh (xFi) system from Comcast: is it possible to use it with a different router than the Xfinity Gateway?

If so, how?



Does NAT really work with all applications, such as Youtube, Torrent, FTP, Skype, WhatsApp, Viber, Facebook Messenger, Slack, Facebook Web, VPN?

I tried to find information about how CGNAT impacts various applications. Found 2 sources. One of them was published in 2019, https://nfware.com/blog/nat-applications, and the other one is old (2003), https://tools.ietf.org/html/rfc7021.

Based on the table data from a new source (2019) and information from the old one (2003) everything works well. What do you think?



Zero trust browsing: How government entities can combat cyber threats

https://ift.tt/344j0nf

Meraki to UniFi

I need to replace my small Meraki network and UniFi seems like a good option. Just looking for feedback on the proposed UniFi devices. I'll host the controller myself on a Linux VM.

  • Current (Meraki): ISP - MX64 - MS220-8P - MR33 and MR16 (don't actually need two APs)
  • Proposed (UniFi): ISP - USG - 8-60W - UAP-AC-PRO or UAP-nanoHD

The requirements are pretty basic:

- Internet connection is 100/20 (PPPoE).

- Currently everything on the Merakis is on one VLAN and I use OPNsense on a VM to segregate some lab traffic. Ideally, I'd like to remove OPNsense and just use the USG.

- Don't need QoS but will need sub-interfaces/NAT/firewall rules on the USG.

- I've looked at EdgeRouter/EdgeSwitch and can't see any features which I need or would be worth sacrificing the single pane of glass for.

Cheers.



WAN link sizing

Hello,

I will start soon to renegotiate our MPLS contract (approx 20 sites all around the world).

I got the actual statistics of the bandwidth usage (with the usual drawbacks of that monitoring tool: precise data only for the last few days, sample rate of 1 minute...). Do you have engineering rules to determine the required bandwidth using the statistics?

I used to take the average bandwidth in business hours and order a link 5 times bigger (for example: 10 Mbps average bandwidth => 50 Mbps MPLS link). Anyway, that's only by experience. I would be curious if there are some engineering rules to calculate that.



Tuesday, August 27, 2019

How to decide when you need a network engineer?

Hi all,

Have a question for everyone here. The short version is: How would you decide whether or not a company needs a network engineer?

The longer version:

We're a small finance company, ~200 users, ~20 offices, 3 datacenters (2 physical, 1 in Azure), ~500 endpoints including servers. IT team is currently 4 technical people + management, but we're in discussions on expanding that and trying to figure out which role would be best to hire for. We currently have:

1 analyst

1 help desk

1 systems/network admin who is much stronger on the systems side

1 systems/network/security engineer who is primarily security

None of our technical staff are what I'd call strong in networking (we understand subnetting/VLANs/ACLs and etc. But not OSPF, BGP, or other higher-level networking concepts). We're currently on an MPLS network for all of our locations managed by our ISP, and looking at moving to SDWAN for better bandwidth/cost savings/availability.

If you were in this position, what metrics/infrastructure/etc would you be looking at when deciding if a network engineer is the best use of budget vs outsourcing that function?

I'm sorry if the question is vague, or if I'm leaving out what would be considered key details in that conversation. I'm happy to answer questions or add details that would be useful.



How do you guys/gals visualize packets as they're flowing through the network?

This is kind of a random question I had come to mind as I was studying for my last CCNP test. What do you all visualize when someone is explaining a problem or new environment to you? Do you imagine layer 3 links a certain way in your head vs layer 2 links? Do you actually see the MAC when you visualize the ethernet frame or maybe you represent different concepts as different colors. Perhaps an OSPF process is green in your head vs EIGRP which is blue... things like that. Thinking about this while studying made me realize that one could probably accelerate their own understanding of how all of the layers of networking function correctly by defining these things explicitly in their head. What do you all think?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Best way for per second BW monitoring?

We have a provider claiming that they are getting ingress policer hits at 2 Gb on their ingress from us. Neither their nor our BW monitoring shows us going outbound above 800 Mbps. So they are adamant that in between our 30 second poll interval we are getting 1.2 Gbps spikes triggering their policers. They really aren't adept at understanding how ridiculous this is from our viewpoint, as our services are broken up into 32 Mbps max individual flows. Typical is 8 Mbps. Basically we would need dozens of people standing by and triggering dozens of errant flows with several Mbps each in order to over-utilize this circuit by 1.2 Gbps more... making sure they detuned these errant flows within that 30 seconds as well. It's highly unlikely. So my goal is to capture per-second BW utilization to debunk their explanation. What is the best method? I'm aware of packet capture options (Cisco ASR 1000). Not sure how viable that is. Any other solutions?

Edit: Router is at a data center.



Fiber to ethernet converters

Looking for a brand recommendation for gigabit fiber to ethernet converters.

I’ve run into a situation where we have to use some. I’ve used several in the past but had numerous problems with speed/duplex settings I’d like to avoid



Getting Parse Errors/Failures with my VPN/Radius config on Cisco Router

Hi All,

I keep receiving these error messages, I can confirm that radius is authenticating correctly but then fails due to these parse errors.

Please see error messages below:

*Aug 28 00:53:53.630: VPDN Received L2TUN socket message <xCRQ - Session Incoming>
*Aug 28 00:53:53.634: AAA/BIND(0000B854): Bind i/f
*Aug 28 00:53:53.634: VPDN uid:96 L2TUN socket session accept requested
*Aug 28 00:53:53.634: VPDN uid:96 Setting up dataplane for L2-L2, no idb
*Aug 28 00:53:53.638: VPDN Received L2TUN socket message <xCCN - Session Connected>
*Aug 28 00:53:53.642: AAA/BIND(0000B854): Bind i/f Virtual-Template1
*Aug 28 00:53:53.642: VPDN uid:96 VPDN session up
*Aug 28 00:53:54.518: AAA/AUTHEN/PPP (0000B854): Pick method list 'default'
*Aug 28 00:53:54.522: RADIUS/ENCODE(0000B854):Orig. component type = VPDN
*Aug 28 00:53:54.522: RADIUS: AAA Unsupported Attr: interface [210] 14
*Aug 28 00:53:54.522: RADIUS: 55 6E 69 71 2D 53 65 73 73 2D 49 44 [ Uniq-Sess-ID]
*Aug 28 00:53:54.522: RADIUS(0000B854): Config NAS IP: 0.0.0.0
*Aug 28 00:53:54.522: RADIUS(0000B854): Config NAS IPv6: ::
*Aug 28 00:53:54.522: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
*Aug 28 00:53:54.522: RADIUS/ENCODE(0000B854): acct_session_id: 47096
*Aug 28 00:53:54.522: RADIUS(0000B854): sending
*Aug 28 00:53:54.522: RADIUS/ENCODE: Best Local IP-Address 10.10.10.2 for Radius-Server 10.10.10.50
*Aug 28 00:53:54.522: RADIUS(0000B854): Send Access-Request to 10.10.10.50:1812 id 1645/126, len 91
*Aug 28 00:53:54.522: RADIUS: authenticator 7A 78 B4 3E BF 2A 8B BB - CD C2 A0 B0 6A D5 DC 63
*Aug 28 00:53:54.522: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Aug 28 00:53:54.522: RADIUS: User-Name [1] 6 "Test"
*Aug 28 00:53:54.522: RADIUS: CHAP-Password [3] 19 *
*Aug 28 00:53:54.526: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Aug 28 00:53:54.526: RADIUS: NAS-Port [5] 6 96
*Aug 28 00:53:54.526: RADIUS: NAS-Port-Id [87] 16 "Uniq-Sess-ID96"
*Aug 28 00:53:54.526: RADIUS: Service-Type [6] 6 Framed [2]
*Aug 28 00:53:54.526: RADIUS: NAS-IP-Address [4] 6 10.10.10.2
*Aug 28 00:53:54.526: RADIUS(0000B854): Sending a IPv4 Radius Packet
*Aug 28 00:53:54.526: RADIUS(0000B854): Started 5 sec timeout
*Aug 28 00:53:54.530: RADIUS: Received from id 1645/126 10.10.10.50:1812, Access-Accept, len 117
*Aug 28 00:53:54.530: RADIUS: authenticator F9 47 7F B3 B0 AB F5 76 - 75 54 58 C8 CB CD A9 F0
*Aug 28 00:53:54.530: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Aug 28 00:53:54.530: RADIUS: Service-Type [6] 6 Framed [2]
*Aug 28 00:53:54.530: RADIUS: Framed-IP-Address [8] 6 10.10.10.10
*Aug 28 00:53:54.530: RADIUS: Class [25] 46
*Aug 28 00:53:54.530: RADIUS: 85 BD 07 B9 00 00 01 37 00 01 02 00 0A 0A 0A 32 00 00 00 00 BD 95 4C B8 5F 37 23 3C 01 D5 5D 39 64 F2 47 BC 00 00 00 00 00 00 00 1D [ 72L_7#<]9dG]
*Aug 28 00:53:54.530: RADIUS: Vendor, Cisco [26] 9
*Aug 28 00:53:54.530: RADIUS: Cisco AVpair [1] 3 "8"
*Aug 28 00:53:54.530: RADIUS: Vendor, Microsoft [26] 12
*Aug 28 00:53:54.530: RADIUS: MS-Link-Util-Thresh[14] 6
*Aug 28 00:53:54.530: RADIUS: 00 00 00 32 [ 2]
Core1.DC1(config)#
*Aug 28 00:53:54.530: RADIUS: Vendor, Microsoft [26] 12
*Aug 28 00:53:54.530: RADIUS: MS-Link-Drop-Time-L[15] 6
*Aug 28 00:53:54.530: RADIUS: 00 00 00 78 [ x]
*Aug 28 00:53:54.534: RADIUS(0000B854): Received from id 1645/126
*Aug 28 00:53:54.534: RADIUS/DECODE: parse VSA parts error
*Aug 28 00:53:54.534: RADIUS/DECODE: convert VSA string; FAIL
*Aug 28 00:53:54.534: RADIUS/DECODE: cisco VSA type 1; FAIL
*Aug 28 00:53:54.534: RADIUS/DECODE: VSA; FAIL
*Aug 28 00:53:54.534: RADIUS/DECODE: decoder; FAIL
*Aug 28 00:53:54.534: RADIUS/DECODE: attribute Vendor-Specific; FAIL
*Aug 28 00:53:54.534: RADIUS/DECODE: parse response op decode; FAIL
Core1.DC1(config)#
*Aug 28 00:53:56.534: VPDN uid:96 disconnect (AAA) IETF: 17/user-error Ascend: 26/PPP CHAP Fail
*Aug 28 00:53:56.534: VPDN uid:96 vpdn shutdown session, result=2, error=6, vendor_err=0, syslog_error_code=8, syslog_key_type=1
*Aug 28 00:53:56.534: VPDN uid:96 VPDN/AAA: accounting stop sent
*Aug 28 00:53:56.542: VPDN Received L2TUN socket message <CDN - Session Disconnected>
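In the debug above the Access-Accept carries three Vendor-Specific attributes, and the decoder fails exactly at "cisco VSA type 1", the Cisco AV pair whose value is printed as the 3-byte string "8". A cisco-avpair is expected to be of the form attribute=value (or protocol:attribute=value). The following is an added example, not code from the post or from Cisco: a strict parser for RFC 2865 Vendor-Specific attributes (type 26) that walks the vendor sub-attributes with bounds checks and flags an AV pair that has no "=". The byte strings are reconstructed from the type, length and value fields the debug prints (vendor 9 is Cisco, vendor 311 is Microsoft), not captured packets, and treating that AV pair as the cause of the "parse VSA parts error" is an assumption that should be confirmed against the RADIUS server's policy for this user.

```python
"""
Strict RADIUS Vendor-Specific (type 26) attribute parser plus a check for
malformed Cisco AV pairs.

Added example, not from the post. The VSA bytes below are reconstructed from
what the debug printed (type/length/value); they are not captured traffic.
"""
import struct
from typing import List, Optional, Tuple

VENDOR_CISCO = 9
VENDOR_MICROSOFT = 311
CISCO_AVPAIR = 1  # vendor type 1 under vendor id 9


def parse_vsa(attr: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Parse one Vendor-Specific attribute into (vendor_id, [(vendor_type, value), ...]).

    Every length is checked against the bytes actually present; a bad length
    raises ValueError instead of reading past the buffer, which is the classic
    RADIUS parser failure mode.
    """
    if len(attr) < 2 or attr[0] != 26:
        raise ValueError("not a Vendor-Specific attribute")
    length = attr[1]
    if length != len(attr) or length < 7:
        raise ValueError(f"bad attribute length {length}")
    (vendor_id,) = struct.unpack("!I", attr[2:6])
    body = attr[6:]
    subattrs: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = body[pos], body[pos + 1]
        if vlen < 2 or pos + vlen > len(body):
            raise ValueError(f"bad vendor sub-attribute length {vlen}")
        subattrs.append((vtype, body[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subattrs


def check_cisco_avpair(value: bytes) -> Optional[str]:
    """Describe why a cisco-avpair value is unusable, or return None if it is well formed."""
    try:
        text = value.decode("ascii")
    except UnicodeDecodeError:
        return "cisco-avpair is not ASCII"
    if "=" not in text:
        return f'cisco-avpair "{text}" is not of the form attr=value'
    attr, _, val = text.partition("=")
    if not attr.strip() or not val.strip():
        return f'cisco-avpair "{text}" has an empty attribute or value'
    return None


def audit_vsas(vsas: List[bytes]) -> List[str]:
    """Run the AV-pair check over every Cisco VSA found in an Access-Accept."""
    findings: List[str] = []
    for raw in vsas:
        vendor_id, subs = parse_vsa(raw)
        if vendor_id != VENDOR_CISCO:
            continue  # the Microsoft MS-Link-* attributes decoded fine in the debug
        for vtype, value in subs:
            if vtype == CISCO_AVPAIR:
                problem = check_cisco_avpair(value)
                if problem:
                    findings.append(problem)
    return findings


# Reconstructed from the debug lines in the post: type 26, length, vendor id,
# vendor type, vendor length, value. Not captured packet bytes.
ACCEPT_VSAS: List[bytes] = [
    bytes.fromhex("1a09" "00000009" "01" "03" "38"),        # Cisco AVpair [1] 3 "8"
    bytes.fromhex("1a0c" "00000137" "0e" "06" "00000032"),  # MS-Link-Util-Thresh [14] 6 = 50
    bytes.fromhex("1a0c" "00000137" "0f" "06" "00000078"),  # MS-Link-Drop-Time-Limit [15] 6 = 120
]

if __name__ == "__main__":
    for finding in audit_vsas(ACCEPT_VSAS):
        print("FAIL:", finding)
```

Run against the reconstructed attributes it reports only the Cisco AV pair; the Microsoft attributes parse cleanly. The practical next step is on the server side: look at the user or group policy that returns a cisco-avpair and fix it to a proper pair (for example shell:priv-lvl=15 or lcp:interface-config=...), since the router drops the whole Access-Accept when any VSA fails to decode.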



How do you do HA for network switches?

We're building a small cluster of VM servers (Proxmox KVM cluster).

On the switch side, we're using Arista DCS-7050SX-64 to connect all the servers, via 10Gbase-LR.

If the switch goes down, or we need to reboot it, that takes out all our network connectivity.

My question - what are some ways we can do HA at the switch level here?

I'm reading up about stacking and MLAG at the moment, and trying to understand how it'd be used.

So you can join N switches, and they appear as a single switch, right?

Can you use it for HA?

How does that work in terms of connections to servers?

We're using LACP at the moment for some servers, for more bandwidth - but would you span LACP across two stacked switches?



School PA system

Hi, I was wondering whether anyone would know how to patch a remote access point into an intercom system. More specifically, through a speaker contained in the system.



Need to add multiple ACLs to over 200 Nexus 3Ks but ACLs are duplicating.

Relatively new to the enterprise world, but I have a large DC full of devices that require mgmt, SSH, and SNMP ACLs. The devices aren't consistent: some have a few of the ACLs and some don't. Management doesn't want duplicate ACLs and I don't want to manually go through each existing ACL to determine which I should add and which I shouldn't.

Is there a command I can use to just add the ACLs and if the device has it it will ignore the line and if it doesn't it will add it? I feel like there should be an easy solution to this but can't seem to find one, thanks!

Example of commands:

  ip access-list snmp-only
    permit udp 10.29.101.0/20 any eq snmp
    permit udp 10.213.92.0/21 any eq snmp
  ip access-list ssh-only
    permit tcp 10.39.112.0/20 any eq 22
    permit tcp 10.201.96.0/21 any eq 22
  ip access-list mgmt-only
    permit tcp 10.90.112.0/20 any eq 22
    permit tcp 10.191.96.0/21 any eq 22
    permit tcp 10.87.128.0/19 any eq 22

Hardware:

  cisco Nexus 3132 Chassis ("32x40G Supervisor")
  Intel(R) Pentium(R) CPU @ 2.00GHz with 3793764 kB of memory.
  Reason: Disruptive upgrade
  System version: 6.0(2)U6(5c)
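NX-OS has no single command that adds an ACE only if it is absent; a line pushed without a sequence number is simply appended, so idempotency has to be computed before the push. The following is an added example, not the poster's code: it parses the ACL section of a device's running config (the output of show running-config aclmgr), compares it with the three ACLs from the post, and emits only the missing lines, so running it twice never duplicates anything. It also lists ACEs that exist on the box but are not in the desired set, which is the drift a security review cares about (a hand-added "permit tcp any any eq 22" in an SSH ACL is exactly the thing that should show up). SAMPLE_RUNNING is a constructed fragment, not real device output, and the port-name table is an assumption made so that "eq ssh" and "eq 22" compare equal.

```python
"""
Idempotent ACL push planning for NX-OS.

Added example, not code from the post. Given the desired ACLs and the text of
'show running-config aclmgr' from one device, emit only the ACEs that are
missing and report ACEs that are present but not wanted (drift).
SAMPLE_RUNNING is constructed, not real device output.
"""
import re
from typing import Dict, List, Tuple

# Desired state: ACL name -> ACEs exactly as typed at the CLI (no sequence numbers).
DESIRED: Dict[str, List[str]] = {
    "snmp-only": [
        "permit udp 10.29.101.0/20 any eq snmp",
        "permit udp 10.213.92.0/21 any eq snmp",
    ],
    "ssh-only": [
        "permit tcp 10.39.112.0/20 any eq 22",
        "permit tcp 10.201.96.0/21 any eq 22",
    ],
    "mgmt-only": [
        "permit tcp 10.90.112.0/20 any eq 22",
        "permit tcp 10.191.96.0/21 any eq 22",
        "permit tcp 10.87.128.0/19 any eq 22",
    ],
}

# Constructed sample of one device's ACL config: snmp-only is complete,
# ssh-only has one wanted line plus a hand-added over-broad line, and
# mgmt-only does not exist yet.
SAMPLE_RUNNING = """\
ip access-list snmp-only
  10 permit udp 10.29.101.0/20 any eq snmp
  20 permit udp 10.213.92.0/21 any eq snmp
ip access-list ssh-only
  10 permit tcp 10.39.112.0/20 any eq 22
  20 permit tcp any any eq ssh
"""

_ACL_HEADER = re.compile(r"^ip access-list (\S+)\s*$")
_ACE_LINE = re.compile(r"^\s+(?:\d+\s+)?((?:permit|deny)\s.*\S)\s*$")

# Assumption: the device may print a port by name or by number, so both sides
# are normalised to numbers before comparison.
_PORT_NAMES = {"ssh": "22", "snmp": "161", "snmptrap": "162", "www": "80"}


def normalize(ace: str) -> str:
    """Canonical form of an ACE: lowercase, single spaces, numeric ports."""
    return " ".join(_PORT_NAMES.get(t, t) for t in ace.lower().split())


def parse_running(text: str) -> Dict[str, List[str]]:
    """Parse 'ip access-list' stanzas into {name: [normalised ACE, ...]}."""
    acls: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        header = _ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls.setdefault(current, [])
            continue
        ace = _ACE_LINE.match(line)
        if ace and current is not None:
            acls[current].append(normalize(ace.group(1)))
        elif line and not line.startswith(" "):
            current = None  # some other top-level command: the stanza ended
    return acls


def plan(desired: Dict[str, List[str]],
         running: Dict[str, List[str]]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (commands to push, drift).

    commands contains only the ACL headers and ACEs that are absent on the
    device; drift maps ACL name -> ACEs on the device that are not desired.
    """
    commands: List[str] = []
    drift: Dict[str, List[str]] = {}
    for name, aces in desired.items():
        existing = running.get(name, [])
        wanted = [normalize(a) for a in aces]
        missing = [a for a, n in zip(aces, wanted) if n not in existing]
        if missing:
            commands.append(f"ip access-list {name}")
            commands.extend(f"  {a}" for a in missing)
        extra = [e for e in existing if e not in wanted]
        if extra:
            drift[name] = extra
    return commands, drift


if __name__ == "__main__":
    cmds, found_drift = plan(DESIRED, parse_running(SAMPLE_RUNNING))
    print("\n".join(cmds))
    for acl, extra in found_drift.items():
        print(f"! DRIFT in {acl}: {extra}")
```

Feed each device's show running-config aclmgr output through plan() and push the returned lines over NX-API or SSH; the drift list should be reviewed and removed deliberately, not auto-deleted. Two caveats: new ACEs append after whatever is already there, so if a device has an existing deny line the final order still needs a look, and adding an ACL does nothing until it is applied with ip access-group or under the vty and snmp-server community configuration, which this planner does not touch.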



Learning curve for networking is strange nowadays...

I never liked it

In college I had some basics of networking (DHCP, Gateway configuration, many terminal commands etc.), but as I was totally dev-oriented and the only thing I could ask for when hearing about routing tables was "Can I break them?", I kind of forgot everything.

A long time ago I used Vagrant as a dev environment and it was just a one-click VM environment, so I had nothing to configure about networking - it just worked; at this stage I had already forgotten what the hell a gateway is. Notice that even if it's a one-click dumb thing (in dev usage), it still has the word "environment" in it.

After that I touched some fancy stuff on AWS, on-premise instances etc., and everything in the network tabs was like "DON'T DARE TO TOUCH IT OR THE WORLD WILL BURN!!!" according to any web tutorial. Well, this worked for me as I still had less and less about networking in my head.

My next meeting with a "HELLO I AM A NETWORK THINGY THAT YOU ARE AWARE OF" was when I first met with Docker. I love docker, but I thought I could ignore the network aspect of it as many things were made automatically. This was a half-way truth, but the entry level was quite low so I could adapt to how it works and have some general understanding.

It helped me a little to configure things like Docker in Docker Jenkins agents, which I really like so I put more effort to learn about the whole concepts.

So then I decided to configure my own Kubernetes from scratch (yeah, like who ever heard of GKE etc.). Most things were quite clear until I reached the section about picking a network driver; I didn't even touch shared storage, didn't know what etcd replicas are, and I gave up on Kubernetes as it quickly blew up in my face. Still don't know how to configure something called a gateway.

https://i.imgflip.com/391g21.jpg

I took a step back to smaller tools like Docker Swarm and it was a bit easier, but I noticed that this product is losing support (right now as I type this it's more of a rumour), so lately I started to use HashiCorp Nomad. I simply could not connect 2 VPSes to each other because they were not in a private network (this is what I think, though).

Right now I am playing with configuring public cloud on a provider similar to AWS, stacking some servers that are paid per hour and creating virtual private networks. It's another attempt at HashiCorp Nomad and all those High Availability thingies.

Still do not understand the gateway.

The point is that I still feel like I know nothing about raw networking, but I know that I am closer to creating some fancy things like automatic environment provisioning in a datacenter once somebody buys a service on a web page, which itself does not sound that bad, and I am aiming for that.

Somehow this branch of networking (cloud, orchestration, containerization...) comes to be easier and easier to understand; the one cool part is that when something new comes to the market like GKE, Kubernetes, or CoreOS bought by Red Hat, it really means something.

In typical developer life a new language is "Yeah, whatever." unless made by Google (hype) like Go, which will be overridden by Rust once Rust gets better at async operations and networking (because of architecture decisions Go cannot get better; Rust can, and will be). Blah blah language wars mumbling...

Am I learning all of this the wrong way, or is this normal?



Hosted VoIP Implementation Issues - In Need of Suggestions

Had a site switch out an on-prem ShoreTel system for a cloud managed VoIP solution from 8x8. Since the cut-over there have been constant problems, from random phones showing "Line Unregistered", to very poor audio quality. The site isn't large, one router, two switches in a router-on-a-stick setup. I have the ACL configured to allow the phones access out to the IPs and ports I received from 8x8 all working, so I believe the router is good (Cisco 2911 on IOS 15.7).

The switch stack is two Cisco SG500-52P (ugh, I know). I updated these to the latest firmware to try and alleviate the errors. The auto voice VLAN is configured and uses the router as a DHCP server. This auto voice VLAN also triggers whichever port to run a macro to assign an IP phone to the voice VLAN and also pass the data VLAN to a PC connected to the phone's LAN port on the back. I was getting EEE multiple LLDP neighbour errors on the switch, so I tried disabling auto smart port and entering the port configuration manually, but that didn't help. I also disabled EEE (energy efficient ethernet) LLDP, but still got the errors.

I have a feeling that if the problem does lie in my configuration somewhere, then it is on these switches. The vendor, 8x8, suggested turning off SRTP on the phones, but apparently the portal they can access is a few versions behind and can't get that setting. I guess my question is, has anyone run into anything like this and what did they end up doing to resolve? I realize it could be a multitude of root causes, but I'm open for any suggestions. Thank You!



Network health dashboard - any good tools for it?

Hello,

I am being asked to create a dashboard that could relatively quickly identify whether there are any noticeable issues with the network. It could look something like this: https://i.paste.pics/00c549d150a718d5ea2b3b8a1dd0edbb.png

The data would come from all kind of different places (which is another huge problem, but it's a completely different conversation) and I will be collecting it with some kind of scripts, so the format and type of data received is 100% customizable.

Current idea is that data center icon would be displaying the health status of physical gear in the DC, individual services (like VPN, Infoblox, etc) will be showing health of those services - i.e. whether I can get DHCP address and resolve DNS or not, RTT and throughput will be figured out from netflow data, showing red/yellow/green depending on deviation from normal condition and external services like AWS or Office365 would be monitored by some other tools like Thousand Eyes.

So my question is - what would be the best tool to display all of this data in a format that's easy for non-technical people (read - managers) to understand? Doesn't have to look exactly like the mock up I made, but I definitely don't want it to be any more complicated than that.

We do have PowerBI which I believe I can make show things with streaming data, but I am not sure if it will be flexible enough. I could write something of my own, but that will be most likely replicating somebody else's work. Any suggestions for tools/projects that could help me create this kind of dashboard?

Thanks!



Question about unique IP ranges that are not showing up on what's my IP address

Hello! I recently ran into a situation where someone believes he is being hacked... long story short, I found SSH connection and ping records to IPs from these ranges: 192.168.27.xx, 192.168.17.xx, 192.168.123.xx, 192.168.66.xx and 192.168.77.xx. I am not a network expert by any means, but I'm inclined to believe any IP with 168 is just a local network range that is just not as common as 192.168.1.xx. Can I get some answers and direction, with sources if possible, please?



MPLS to ASA Fragmentation - MTU issue and where to place the blame

We have a client that manages their own MPLS network with many sites, one of which terminates at a Cisco router in our data center (owned/managed by the client). From there it connects to our ASA and then into a server environment. A few weeks ago we started receiving ICMP packets from one of their routers with the message text "Dest Unreach - Fragmentation Needed". They have stated that their MTU is set to 1400 all the way through; this interface on our ASA is (and always has been) configured with an MTU of 1500. The router that is sending the ICMP to us is the one at their site, not the LSR or LER. My assumption is that if we are receiving the fragmentation request at our edge then the issue has to be with the LSR or LER... is that correct, or could we be missing something in our infrastructure?



Help identifying this physical jack

I work in IT for a county and we have these all over our courthouse; they all run back to a huge wall panel with the same connectors all arranged in rows. I was in that closet helping another department with something else so didn't have a chance to ask about them. I've seen them with RJ45 adapters connected to them at the end points. I had forgotten about them until I saw this one while out in a department store and snapped this picture. Always wondered what they were called. Both buildings were built in the 90s.

https://i.imgur.com/nqvWLl0.jpg



Cisco ACI concerns

I work at a typical place that got pitched ACI. One high-up, non-technical manager started saying how much he loved it and the SDN buzzwords started trickling down to middle managers.

They want to convert sites consisting of modern Catalyst switches to 9K/ACI. Each site is 100-250 IPs with < 12 VLANs each. Very few changes are ever made to L2/L3.

They already bought the 9k's and the APIC's that have been sitting idle for years. The Cisco sales pitch included phrases like "it's so cheap to add ACI, even if you don't use it it's worth it for the option."

No one involved can state what exactly is so great about ACI, yet they claim it's great and "the future". Reading real-life deployments from non-Cisco employees has me thinking otherwise.

I went through the on-site Cisco technical sales meeting and was unimpressed with the entire thing. As an example, Cisco TSEs deflected for 5 minutes on whether the switch firewall capabilities were stateful or stateless.

None of my coworkers asked a critical question about the product.

All VM and network engineers have no ACI experience and plan to roll it out to production in 3 months without the help of Cisco or anyone else. They are talking application-centric at the start.

What can I do to make them see this is a horrible idea?



BGP AS PATH Distance Graph from Full Tables

I thought you all might be interested in some data visualization I'm working on. The graph is inspired by the heatmap created by bgpdump2, although the implementation is completely rewritten in python instead of C. I grabbed a copy of one of the RouteViews dumps, parsed out the BGP announcements for NTT, then plotted the AS PATH distance of each /24 on a Hilbert Curve. My company wants to pick up a new transit provider and this code will be the base of one way to compare the different options.

https://www.reddit.com/r/dataisbeautiful/comments/cvzmgv/oc_bgp_as_path_distance_to_every_24_via_as2914/



L3 Ubiquiti Switch vs pfSense Router on a Stick

Small business of 45 employees and roughly 10 servers. I'm using 3 Ubiquiti EdgeSwitches for internal switching and an old i3 Dell workstation running pfSense for firewall/VPN. Current setup includes 3 VLANs to isolate VoIP from the internal LAN, using one of the EdgeSwitches for inter-VLAN routing. I'd like to add another 3 VLANs for internal wifi, guest wifi and servers, and am considering trunking all the VLANs to the pfSense for routing. I realize the main disadvantage is that all traffic would go through a single gig interface, and even worse, local traffic would traverse it twice, in/out. How can I establish my requirements and compare whether I should keep using the EdgeSwitch with L3 routing (using limited access control lists) or set up the pfSense as a router on a stick? I want ease of management but I don't want to introduce a performance bottleneck. Does the EdgeSwitch do L3 at wire speed? pfSense is running on an i3-2120 3.3GHz with 4GB RAM and a 2-port Intel EXPI9402PT PRO/1000 PT.



Network Canary

OK, so I don't know if this is the best sub for this, or the best name for this.

What my problem is: I have an office with around 15-100 people using it at a time. We have a bunch of APs around, and a controller (all UniFi). Sometimes people tell me they're having problems with reception (like 2-3 people have complained, but nobody else has). Managing the network is what we (devops) do whenever something comes up, so no full-time network ops.

What I want: some sort of dashboard that will show network health. I'm thinking some kind of Raspberry Pi device I can just put in the network, with a publicly available dashboard that will show network quality.

I'd like to show basic stuff like DNS health, ping health to specific internal services, stuff like that.

That way when somebody complains, I can just make sure they check the Canary and they know maybe it's them. I'm even willing to make the Pi battery powered, so they can move it around the office to check spots.

Anybody do something like this?



Firewall TAC Team - Cisco

Hi all,

I am considering a role in Cisco TAC for the firewall team, and I wanted to ask if anyone has experience working there which they can share? It would be great to know about how it is working specifically in the Firewall team, with ASA/Firepower.

Thanks very much!



Best team event/outing - bonding/team building

Hey /r/networking friends and family!

My IT/Network team is growing along with our company. Because of new faces and just because it's awesome to spend time together outside the 4 walls of the office (not to mention our remote folks!) we are planning a Q3 team event.

Previously we have gone to the movies (nice theater, with gift cards for concessions, etc.) to see Avengers films (start at the bar ofc for mandatory scotch), we have gone to pickleball/bar locations, we have gone to escape rooms, fancy dinners with guests, etc.

Looking for a few fresh ideas on what we can do as a team in 2-3ish hours, preferably with adult beverages nearby.

Any personal favorites from your history or ideas you wish your team would consider?



Who hangs the plywood for the demarc?

In a commercial office building space, leased with an empty closet...

As the business owner do I hang the plywood or does the carrier?



Default IRB interface in SRX Role?

Default IRB interface in SRX Role?

The SRX comes by default with two interfaces (fxp0 and irb0) as shown below:

--------------------------------

fxp0 {
    unit 0 {
        family inet {
            address 192.168.1.1/24;
        }
    }
}
irb {
    unit 0 {
        family inet {
            address 192.168.2.1/24;
        }
    }
}

----------------------------------------------

The fxp0 is the OOB management port, but what is the use of the irb0? I really don't get it.



Network automation in Enterprise

I have a question about POAP (Power On Auto Provisioning) and ZTP (Zero Touch Provisioning). Both were implemented for auto provisioning, so why should one choose one over the other? And what are the requirements for a basic lab setup to test the environment?

Next, I also want to know about Cisco IOS XE, NX-OS and IOS XR: what are the differences, and where does each need to be deployed?



Top Six Best Cat 6 Ethernet Cables in 2019

A high-performing cable is what you need to own or plan to buy right now. This is because of the faster generation of newer technology that needs faster communication between offices. You don't have to take the risk of lagging behind, because that will mean that your business will also lag behind. Push ahead and plan on replacing all your cables with any of the ones that we have brought for you below and start a life of success and profits. You can share files faster and even do your printing in just a matter of seconds. Picking out a good Ethernet cable is actually fairly easy once you know what you need. Plenty of network cables offer high-speed data transmission across decent lengths, so you'll easily be able to get an affordable cable that will get the job done, whether you plan to wire up your home for future Internet speeds or just need to get a cable from your router to a device situated a couple of feet away.



Industrial Networking

Hoping to get some recommendations from the group. I'm looking for an industrial/rugged 4G wifi router such as this one; it is only a 4G Ethernet option. https://imly.co/DoOyJ

I need it for a food truck to connect 2 ipads through ethernet and then for the wifi to be able to connect to an Android KDS tablet for orders. It needs to be an industrial option to take into account when the food truck is parked in the open outdoor carpark where it gets pretty hot in summer and when the kitchen is running.



Monday, August 26, 2019

NBNS Flooding

Have a peculiar issue with NBNS (NetBIOS) flooding (X.X.X.255; ff:ff:ff:ff:ff:ff) which causes drastic performance issues in our network. We found that if we fail over our LTMs to a different Viprion chassis, the NBNS flooding stops. We've been able to replicate the same symptoms on our LAB LTM as well. On the "GREEN" chassis, it's about 20-30 pps. On the "BLUE" chassis it is about 2000 pps. These numbers are from our LAB, not from PROD, but I assume it is significantly higher in PROD. We saw significant increases in traffic (3-5 Gbps) after failing the LTM over in PROD. We weren't tracking NBNS prior and can't really fail back to get that data if it's going to cause impact.

Looking at a pcap from a device initiating some flooding, it looks like the only thing that happened before the flooding began was that the device did an nslookup, got a "no such name" reply, then tried LLMNR resolution, then started flooding NBNS. One thing that I notice is that the TTL of the NBNS packet starts at 128 and keeps flooding until it hits TTL 0, then rinse and repeat. This capture was done during a failover where the pps jumped significantly, so we tried to catch the beginning of the event. Our LTMs are the gateways for all of the affected VLANs. This occurs on every VLAN from what we can tell.

The obvious things to look for are the differences between chassis, switching, etc. We haven't found anything yet. Wondering if anyone has seen similar behavior in their networks? I can't share the capture. It doesn't feel like looping behavior because literally the only thing that jumps in the graph is NBNS.

https://ibb.co/LZdnZjk
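Two checks that are useful when sifting a capture like the one described above, as an added example rather than anything from the post: decoding the first-level NetBIOS name inside an NBNS query (RFC 1001 section 14.1), and flagging sources whose broadcast packets show the IP TTL dropping by exactly one per packet. A host stamps every packet it originates with its default TTL (128 on Windows), so a strictly decrementing run means the same datagram is being forwarded again rather than generated anew. The packet records, hosts and subnet below are constructed.

```python
from ipaddress import IPv4Network

NBNS_PORT = 137


def decode_nbns_name(encoded: str):
    """First-level encoding: each of the 16 name bytes is split into two nibbles
    and each nibble is written as chr(ord('A') + nibble), giving 32 characters.
    Returns (name, suffix byte); the 16th byte is the NetBIOS suffix (0x00, 0x1C...)."""
    if len(encoded) != 32 or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def find_ttl_countdowns(packets, subnet: str, min_run: int = 3):
    """Over NBNS packets sent to the subnet broadcast, report per source every
    maximal run in which each TTL is exactly one less than the previous one.
    Returns [(src, first_ttl, last_ttl, packets_in_run), ...]."""
    bcast = str(IPv4Network(subnet).broadcast_address)
    ttls = {}
    for p in packets:
        if p["dst"] == bcast and p["dport"] == NBNS_PORT:
            ttls.setdefault(p["src"], []).append(p["ttl"])
    runs = []
    for src, seq in ttls.items():
        start = 0
        for i in range(1, len(seq) + 1):
            # a run ends at the end of the sequence or where the -1 step breaks
            if i == len(seq) or seq[i] != seq[i - 1] - 1:
                if i - start >= min_run:
                    runs.append((src, seq[start], seq[i - 1], i - start))
                start = i
    return runs


def sample_packets():
    """Constructed records, not a real capture: .40's query reappears with the TTL
    counting down 128..120; .41 sends ordinary queries that always carry TTL 128."""
    pkts = [{"ts": i * 0.01, "src": "10.20.30.40", "dst": "10.20.30.255",
             "dport": NBNS_PORT, "ttl": 128 - i} for i in range(9)]
    pkts += [{"ts": i * 0.5, "src": "10.20.30.41", "dst": "10.20.30.255",
              "dport": NBNS_PORT, "ttl": 128} for i in range(5)]
    return sorted(pkts, key=lambda p: p["ts"])


if __name__ == "__main__":
    print(decode_nbns_name("FHEPFCELEHFCEPFFFACACACACACACAAA"))
    for src, first, last, n in find_ttl_countdowns(sample_packets(), "10.20.30.0/24"):
        print(f"{src}: TTL {first} -> {last} over {n} packets")
```

On a real capture, feed `find_ttl_countdowns` the IP source, destination, UDP destination port and TTL of each frame; a source that shows up with a 128-to-1 countdown is a candidate for the "something is re-forwarding this broadcast" hypothesis, and the source MAC of those later copies (which the function does not look at) tells you which device is doing it.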



Large environment and implementing printer vlan

Hi,

General environment is 30+ sites; each site has anywhere between 25-100+ printers. Currently set up on main data VLAN 1.

Currently set up via a VM print/DHCP server on each site. Plan is to centralize and possibly make a printer VLAN/centralized print server.

Coworker mentioned this isn't necessary and a DHCP reserve pool would work fine for printers without causing a massive change, because in the future each site is going to have a separate data VLAN which the printers can share (depending on the site it's like 30-100 printers).

I’m new at this level of networking, I know the general idea of setting up a device vlan, pointed only to the print server would be better security and segmentation of network, but at this scale I’m not sure who is right.

Any opinions?

Thanks



Brocade 6610 -Different default route for one IP?

Hey all,

Core switch doing the routing is a Brocade 6610. Is there a way to have one host be routed to a different next hop other than the default?

Thanks for any suggestions :)



Question Regarding FreeRADIUS and Simultaneous-Use With Meraki (Help)

Hello all,

I have a hell of a question for you, and hopefully this fits here (I might be pushing the line a bit). Has anyone here been able to get Meraki working with FreeRADIUS (+ DaloRADIUS) and been able to get Simultaneous-Use working?

What I have done:

FreeRADIUS

  • I imported the DB schemas provided by FreeRADIUS and DaloRADIUS
    • I later saw when running radiusd -X that the unix timestamp was too long for the sql column. So I modified the table and corrected that error.
  • I made sure to set mysql in the default config
  • I set in mods-enabled all the needed sql settings. I can confirm all the tables listed in the config below exist.
  • I have set the queries.conf file (I opted for the queries to use BINARY so usernames were caps sensitive)

MySQL/DaloRADIUS

  • I created a user (Test1)
    • The user is only set with a password and a profile (Single Login)
  • I created a profile (Single Login)
    • Fall-Through = 1
    • Simultaneous-Use := 1 (For testing I set it to one but will need to change that to two)
    • And a reply attribute Filter-Id = "Single Login"
  • I created a NAS group in DaloRADIUS
    • I confirmed they can all authenticate with FreeRADIUS

Conclusion

First, here's a radiusd -X PasteBin. I redacted IPs but other than that it's basically all there. What I find most interesting is you can see FreeRADIUS correctly finds the user's group and the attributes. Yet it never sends an access reject. However, you can force an access reject by simply typing in a bad password, and packet captures on the AP confirm the Filter-Id attribute makes it to the AP. I would really appreciate some guidance or discussion.
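What Simultaneous-Use actually does in FreeRADIUS's sql module is worth seeing in isolation: the session check runs the `simul_count_query` from `mods-config/sql/main/mysql/queries.conf`, which counts `radacct` rows for the user with `acctstoptime IS NULL`, and rejects when that count reaches the limit. It therefore depends entirely on the NAS sending RADIUS accounting (Start/Stop) to the same SQL backend. The following is an added example, not FreeRADIUS code, that reproduces the check against an in-memory SQLite stand-in for `radacct`; the username, NAS address, session IDs and timestamps are constructed.

```python
import sqlite3

# Same shape as the stock simul_count_query for MySQL; a bound parameter replaces
# the %{SQL-User-Name} expansion FreeRADIUS performs.
SIMUL_COUNT_QUERY = "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL"


def open_radacct():
    """Subset of the radacct table from FreeRADIUS's schema, enough for the check."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE radacct (
        radacctid     INTEGER PRIMARY KEY AUTOINCREMENT,
        acctsessionid TEXT NOT NULL,
        username      TEXT NOT NULL,
        nasipaddress  TEXT NOT NULL,
        acctstarttime TEXT,
        acctstoptime  TEXT)""")
    return con


def accounting_start(con, username, session_id, nas_ip, when):
    """The row an Accounting-Request(Start) from the NAS produces."""
    con.execute("INSERT INTO radacct (acctsessionid, username, nasipaddress, acctstarttime)"
                " VALUES (?, ?, ?, ?)", (session_id, username, nas_ip, when))


def accounting_stop(con, session_id, nas_ip, when):
    """Accounting-Request(Stop) closes the row. If the NAS never sends it, the
    session counts as live forever and the user is locked out once the limit is hit."""
    con.execute("UPDATE radacct SET acctstoptime = ? WHERE acctsessionid = ?"
                " AND nasipaddress = ? AND acctstoptime IS NULL", (when, session_id, nas_ip))


def live_session_count(con, username):
    return con.execute(SIMUL_COUNT_QUERY, (username,)).fetchone()[0]


def simultaneous_use_check(con, username, limit):
    """The decision the session section makes for an Access-Request:
    reject only when live accounting sessions >= Simultaneous-Use."""
    if limit is None:
        return "accept"
    return "reject" if live_session_count(con, username) >= limit else "accept"


def scenario(limit=1):
    """Walk through the post's situation and its fix. Returns the four decisions."""
    con = open_radacct()
    user = "Test1"
    decisions = [simultaneous_use_check(con, user, limit)]           # first login
    decisions.append(simultaneous_use_check(con, user, limit))       # second login, NAS sent no accounting
    accounting_start(con, user, "sess-0001", "192.0.2.10", "2019-08-26 09:00:00")
    decisions.append(simultaneous_use_check(con, user, limit))       # second login, Start was recorded
    accounting_stop(con, "sess-0001", "192.0.2.10", "2019-08-26 10:00:00")
    decisions.append(simultaneous_use_check(con, user, limit))       # session closed, login allowed again
    return decisions


if __name__ == "__main__":
    print(scenario())
```

The second decision is the symptom from the post: with nothing in `radacct` the count is zero, so Simultaneous-Use can never reject, no matter how correctly the group and its attributes are found. The check only becomes effective once the NAS has RADIUS accounting enabled toward the same server, and the Stop records matter as much as the Starts.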



Anyone else find that Comcast Business is throttling ESP traffic?

I have a site with 150/20 service from Comcast Business. When set up initially, IPsec throughput over this link was ~120/~15. Performance loss for IPsec was minimal, and acceptable. Recently, this slowed to ~3-5Mbps over IPsec. Turning off IPsec and NATing out the gateway resulted in the full 150/20. Then came time for experiments. Multiple times, switching between IPsec, OpenVPN, and just plain NAT, the results are: ESP/IPsec is 3-5Mbps, OpenVPN over UDP 1194 is 130-145Mbps, and plain NAT is 140-150Mbps.

Has anyone else found Comcast throttling ESP/IPSEC traffic? I mean, this is comcast business, we pay specifically for unmolested traffic.

edit: The other side of this link has 1G/1G service in a DC, and other IPSEC connections that remain fast.



Need advice from network guys: iSCSI vs FCoE vs FC

Hi guys, from a network management side, what is the easiest and the best way to implement, from your point of view, a SAN fabric?

Do you even manage FC fabric ? Or FCoE fabric ? How does it impact your LAN & WAN

Pretty wild question I know but I'm looking to open my chakra, as a computer/storage guy.

Thank you !



best practice for selling public IPv4 space.

We've been tasked with selling some of our public IP blocks. What are some best practices or even gotchas when it comes to selling IPv4 space?



Tricky NAT statement on Cisco ASA FW

Hello, I'm trying to figure out how to write a tricky NAT statement on my ASA firewall. This NAT statement must alter the source and destination of the packet and should work in both directions.

This NAT statement must look at specifically where the traffic is coming from and where it must go before it can make a decision to alter the packet with NAT. so it's source&destination specific..

Before entering firewall:

let's say a packet with an ip address from the network 10.1.1.0/24 wants to go to destination ip address of 192.168.1.50(website behind firewall):

Once inside the Firewall:

I need this packet to have its source address turned into 10.50.0.50 and the destination to be turned into 1.1.1.1 (public IP of the website).

to recap:

Source is 10.1.1.0/24 before the firewall and must be turned into 10.50.0.50 once in the firewall and headed to its dest website.

Destination is 192.168.1.50 before the firewall and must be turned into 1.1.1.1 on the firewall headed to its des website.

I need this NAT rule to work in both directions...so the return traffic must make sure it's back to how it is once it passes the firewall and re-enters our network.

Running 9.6 ASA

Help greatly appreciated.



Azure VNET 2 OnPrem with or without Firewall

I have a feeling my company is going to be dipping their toe in Azure within the next 12 - 24 months. I'm trying to get ahead of what I don't know by doing some beginner research. I'm also betting that on-prem will be connected to the VNET out in Azure in some sort of capacity. I have seen a few network diagrams and tutorials on how to build a VPN tunnel using an Azure gateway but nowhere do I ever see a firewall between the gateway and the VNET within these diagrams. Am I to treat these gateways as security devices as well?

Edit: Specifically I'm talking about a firewall between the Azure Gateway and the Azure VNET



VPN Connectivity problems

Greetings! This is my first post here, so I apologize if this isn't in the spirit of the community, but I'm looking for some assistance, as I'm not too experienced in VPNs. My apologies if this isn't the place for this sort of inquiry.

About two weeks ago, all the VPN users for one of my clients stopped being able to connect. This is a new client so I'm still getting up to speed with their environment. They have a Cisco ASA and appear to be using IPSec/L2TP with local authentication.

Most of the users try to connect and get a spinning wheel (Windows 10). Some try and are told their username/password don't work.

I've been working on it and been getting weird results. I tried connecting with my phone and was able to connect to a network server and see the resources. It worked just fine. But Windows is giving me nothing but problems for all users.

I tried a registry tweak I found somewhere that adds a DWORD value to the PolicyAgent key. That let my laptop connect successfully, I think, but when I try to connect to anything on the local network Windows acts like it can't even find it, whether through host name or IP.

What's going on? Why on earth does everything work fine on iOS but not Windows?

Thanks for any help.



PVID on avaya switches

Hey everyone

I'm working on converting some avaya switches to juniper, and I'm trying to wrap my head around the various PVID tags, and figure out what PVID is. I'm not clear if it's a native vlan, or just tags frames outbound.

Does anyone here with any background on this have any helpful insight?

Untagpvidall, tagpvidall, etc... I've tried researching but getting conflicting information

Edit: thanks for down voting someone who's trying to ask a question, much appreciated! 🙂



Cisco FPR1010

Has anyone had the opportunity to interact with one of the new Cisco FPR1010 next gen firewalls? My rep is trying to sell me on these over the ASA 5506 but they kind of sound like Meraki where it's all cloud controlled. I'm not sure I'm ok with that.



Did you know Linux can do static routing out of the box?

You have to enable it first, but it works! It can even pass tagged VLANs if you connect it to a trunk port!

I'm reading through Network Programmability and Automation: Skills for the Next-Generation Network Engineer and it's blowing my mind thinking about networking in these new ways.

Any other out there network concepts you can think of?



Isolating wireless access from trusted network on Watchguard T35-W

I am testing a T35-W that we want to replace our existing Sonicwall TZ unit with. I've gotten pretty much everything else figured out but the built-in wifi. While I had no problem getting Access Point 1 working within our trusted network as well as the internet, I am hitting a wall getting Access Point 2 configured for guests so as to block access to the trusted network while still giving it internet access. I enabled its DHCP server and assigned it an IP range on a different subnet than the wired trusted network. I left the default gateway setting as "Use the interface IP Address". I created a policy that denies access from Guest Wifi to Trusted on all ports. In the end I am able to get internet access to work fine, but I am unable to block it from the trusted network; even the IP of the Fireware login screen is still accessible. What am I missing?



Random sites, randomly trying to push POS traffic to our firewall

Scenario: we have a site that has a POS computer. It uses a program to complete transactions and sends it to a server internally in our network. We obviously use this for keeping track of sales and reporting, etc.

Randomly, the program goes down. Looking at our logs, our firewall is blocking the conversation between the POS and the server. The problem is that the conversation between the two should never be hitting the firewall to begin with.

This has happened 5 or 6 times in the last few months, and the only solution we’ve been able to remedy it with has been to change the IP address of the POS computer.

We’ve spoken to the people who make the program multiple times as well, and they’ve said repeatedly they don’t see anything wrong with the server as far as they can tell.

I’m just wondering if there’s something I’m missing here on a networking side of things. I can’t think of a reason for why seemingly random POS computers are trying to route through our firewall for an internal conversation.



Unable To Telnet/SSH Into ESXi Host/File Is Being Locked By a consumer on host.

I am unable to SSH or Telnet (Port 23). I can ping my ESXi host from my computer. The host is up and running. From Putty I am connecting to 192.168.125.xx using SSH. Port is set at 22. I get the error message: "Network Error: Connection Refused".

On the other question, I had an issue where I moved a VM from one datastore to another yesterday now I am not able to power it on. I get the error message: An error was received from the ESX host while powering on VM XXXX.

Failed to start the virtual machine.

Cannot open the disk '/vmfs/volumes/902099b8-c6eb93ef/ls3-odtdb02_1/ls3-odtdb02_3-000001.vmdk' or one of the snapshot disks it depends on.

Failed to lock the file

Cannot open the disk '/vmfs/volumes/902099b8-c6eb93ef/ls3-odtdb02_1/ls3-odtdb02_2-000001.vmdk' or one of the snapshot disks it depends on.

Failed to lock the file

File is being locked by a consumer on host _____________ with exclusive lock.

Any suggestions?

Thanks,



SD-WAN Scenario: One head-end with multiple "customers" connecting?

I'm trying to mentally process the feasibility of this scenario: One SD-WAN Head-end with multiple "customers" connecting to it.
(capacity may come into play such that I have multiple head-end devices, but there would still be multiple customers per head-end, so we'll keep the scenario one-to-many)

Hypothetical Backstory Context: I'm a device/service provider and my customers have their own networks but have to route my device/sensor data back to me from remote sites to be aggregated/processed. Currently all incoming customer data is whitelisted by IP (keeping it to only a few IPs per customer), meaning their multiple external-site data sources must be routed back to a central point before being sent my way.

Question at issue: Can I host a master head-end SD-WAN device(s) and have multiple customers' edge SD-WAN devices establish automagic dynamic VPN links back to it for the sensor data?
ie: Customers have the option to deploy edge devices of the same type as my selected head-end so they can talk directly to my head-end (for just the desired data) instead of having to route all that back through their own networks.

Security Concern: This must obviously not allow intra-customer traffic, but ACLs should cover that.



(Urgent) What is the job scope of a NTD-Wireless engineer?

Hey guys, I got an interview invitation for this position and honestly I can't find any info regarding what NTD actually is. Do any of you guys know what the job scope is, and perhaps have tips to ace this interview? Your help is much appreciated!



Tp-link CPE210 configuration

Hi, quick question: I've got a TP-Link CPE210 wifi antenna, and I'm trying to decide between two configurations, bridge and repeater. My question is, if it's set up as a bridge, can I access a server on my home local network by typing in its local IP (192.168...)?



Courses / certs that are SDN related?

exploring things such as controllers, SD-WAN etc.

How does one go about obtaining this knowledge / skills, and what are the prerequisites?



Assigning Broadcast as a DNS address

Hey Guys,

Sorry if I should not be posting this here. Just a query (my networking skills are very rusty). A work colleague of mine was tasked with updating the address of the DNS servers. He accidentally put 255 in the 4th octet of the IP address instead of 225.

I made him change them all there and then. However, I was told by other colleagues that I was overreacting and it could have waited.

What effect would this have had on a production network, if 50 servers were using a broadcast address to resolve DNS queries?

For clarification, its the DNS server setting when you configure IPv4 in Windows.



Bad quality peering from US to Netherlands?

A customer of ours is running Windows DFS and Veeam backups (Baremetal with the Veeam Agent) from five locations around the globe to our datacenter in the Netherlands.

DFS is used to synchronize company-wide information with every branch, the DFS namespace is only 14GB in size.

Every branch location has a Read-Only Domain Controller which is also the local Fileserver (DFS), there is a business-type Internet connection with usually 100Mbps up/down speeds. We use ASA 5506-X's to setup a full-mesh IPsec overlay over each location. In addition each location has a IPsec tunnel to our datacenter in the Netherlands which houses their central off-site backup server.

The data that is sent in day-to-day operations over the Branch to Branch IPsec overlay is Active Directory related traffic, and the DFS delta's, there doesn't need to be a lot of bandwidth available for this purpose.

The most important thing however is the IPsec tunnel for the Veeam Backup. The job contains the entire local filesystem that is differentially backed up over night and fully backed up every month.

The size of the dataset is around 1.5TB per location.

We are currently experiencing issues with the backup from a branch location in Portland, Oregon. Previously the branch had a Comcast Business connection (I believe Starter Internet with only 50/5Mbps bandwidth). Since then they have upgraded to an Allstream Business Fiber 100/100Mbps connection.

The full backup isn't able to finish in time before the 180 hour job runtime limit passes. The max bandwidth that we are able to achieve from the US to the Netherlands is about 500kB/s which equates to about 4Mbps, at this rate the backup would need 834 hours (1.5TB / 500kB / 3600sec = 833.333333333 hr) to finish. The minimum amount of average bandwidth we would need is around (1.5TB / 180hr / 3600sec * 8bits = 18.5185185 Mbps) 20Mb/s, we would think this is way less than should be available over the 100Mbps up/down Fiber Internet connection and thus should be achievable.

The datacenter upstream ISP has a full 1Gbps connection available and has more than enough bandwidth available when the backup runs.

Other branches (they are all in Europe) have no problems running the same type of backup job.

We have run multiple tests over the IPsec overlays and we are not able to achieve more than 25Mbps throughput from Portland, OR to Amsterdam, NL. Without the IPsec overlay we are not able to achieve more than 27Mbps throughput over the same path.

We have checked the traceroutes and the carrier's BGP looking glass and can't see an unnecessarily long path end-to-end. Our upstream ISP also cannot find an issue with the BGP path.

Could this be a bad peering issue? Are there other tests/things we could try? We have contacted Allstream but their support is useless, and the techs we spoke to are only able to troubleshoot last-mile issues (ISP handoff port issues).

TL;DR:

Customer has branches around the world connected with business ISPs. There is an off-site backup server in the Netherlands. The North American branch, connected via Allstream Business Fiber 100/100Mbps, is experiencing end-to-end bandwidth issues that compromise their backup operations (nightly differential, monthly full (1.5TB)). Other European branches have no issue running the backup job. Could this be a bad peering issue?



Protocol Authentication

Edit: SOLVED. Protocol authentication uses HMAC, not the plain hash function. HMAC-MD5 will of course be less secure than HMAC-SHA3 but to this date has no known attacks.

I'm a total beginner so please excuse my ignorance.

I'm currently participating in a basic LAN networking course and have a security question. It seems that network protocols like VTP and HSRP have a password option that is hashed with the message to authenticate that the sender is part of the VTP domain or HSRP group. Everywhere I've read that these authentications use MD5 or SHA1, including on Cisco's site, last updated in 2018: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/xe-3s/fhp-xe-3s-book/fhp-hsrp-md5.html. MD5 and SHA1 have been declared unsuitable for cryptographic use since 2012 and 2010 respectively. I couldn't find change-logs to the protocol that updated the hash function to an up-to-date cryptographic protocol. Are we still using these outdated hashing protocols? Is there a way to manually upgrade the protocol on my own private network?
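The distinction the edit above lands on, a keyed MAC versus "the password hashed with the message", is easiest to see with the construction written out. Below is an added example, not code from the post or from Cisco: HMAC built directly from the bare hash as RFC 2104 specifies (inner and outer pads), checked against Python's `hmac` module and the published RFC 2202 / RFC 4231 test vectors, next to the naive H(key || message) it is meant to replace, and a sign/verify pair with a constant-time tag comparison. The message and key are constructed and this is a generic message format, not the HSRP or VTP wire encoding.

```python
import hashlib
import hmac


def hmac_rfc2104(hash_name: str, key: bytes, message: bytes) -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), K' = key padded to
    the hash block size (hashed first if longer than the block)."""
    h = hashlib.new(hash_name)
    block = h.block_size                     # 64 bytes for MD5, SHA-1 and SHA-256
    if len(key) > block:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def naive_keyed_hash(hash_name: str, key: bytes, message: bytes) -> bytes:
    """H(key || message). With Merkle-Damgard hashes such as MD5 and SHA-1 an
    attacker holding one (message, tag) pair can append data and compute a valid
    tag for the longer message without knowing the key (length extension).
    HMAC's outer hash over the inner digest is what closes that hole."""
    return hashlib.new(hash_name, key + message).digest()


def matches_stdlib(hash_name: str, key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built HMAC against the standard library."""
    return hmac.compare_digest(hmac_rfc2104(hash_name, key, message),
                               hmac.new(key, message, hash_name).digest())


def sign_message(hash_name: str, key: bytes, payload: bytes) -> bytes:
    """Append the HMAC tag to the payload (tag length = digest size)."""
    return payload + hmac_rfc2104(hash_name, key, payload)


def verify_message(hash_name: str, key: bytes, signed: bytes):
    """Return (ok, payload). compare_digest avoids leaking where the tags differ
    through timing, which an early-exit byte comparison would do."""
    n = hashlib.new(hash_name).digest_size
    if len(signed) < n:
        return False, b""
    payload, tag = signed[:-n], signed[-n:]
    ok = hmac.compare_digest(tag, hmac_rfc2104(hash_name, key, payload))
    return ok, payload


if __name__ == "__main__":
    # RFC 2202 test case 1 for HMAC-MD5 and RFC 4231 test case 1 for HMAC-SHA-256
    print(hmac_rfc2104("md5", b"\x0b" * 16, b"Hi There").hex())
    print(hmac_rfc2104("sha256", b"\x0b" * 20, b"Hi There").hex())
    signed = sign_message("sha256", b"hsrp-group-secret", b"HELLO group=1 prio=110")
    print(verify_message("sha256", b"hsrp-group-secret", signed))
```

Note that "MD5 is broken" refers to collision attacks on the hash itself; HMAC-MD5's security argument rests on different properties of the compression function, which is why it is still regarded as unbroken even though plain MD5 should not be used for signatures or certificates. A protocol that moves to SHA-256 changes only the `hash_name` in this construction.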



Sunday, August 25, 2019

Keeping up

Hi all,

New to actually being in a network engineering position and was wondering if the subreddit might be able to help out. What are some good resources, blogs, YouTube channels, or other things that you all use to try and stay current? Any advice on keeping up with the ever-expanding technology?



Anycast IP plugin

Hi all,

I have been wondering for a while about the practicality of a software-solution I've developed - would appreciate your opinion and level of interest in this.

The issue is this: Active/Active load balancing is hard. Even if your service is a nice stateless UDP app, if you're using VRRP or similar solutions for high availability you're pretty limited, as it requires L2 adjacency between all participating servers. Distributing an anycast IP is not fun, as it mixes underlay (adding static routes or directing the network to point at some servers for the same address) and overlay (the usual configuration of loopbacks, configuring non-local bind, routing and a bunch of other stuff).

What I'm suggesting is a nice Ansible playbook (or installable software, it's really the same) which configures the following:

  1. The anycast address on the servers, some LB software plus its configuration towards backend servers
  2. ExaBGP/BIRD used to peer with the ToR switch/default gateway/whatever BGP-capable switch you choose (possible to use other routing protocols as well)
  3. An ACL/prefix-list on the switch which prevents the specific BGP peering from learning any IP address which is not the anycast address
  4. Keepalived used to monitor processes, status or whatever custom logic you want to apply and stop advertising the anycast IP as soon as the service is marked as down
  5. Basic monitoring showing the distribution of load across all servers, the status of BGP/LB/Keepalived services, configuration compliance etc.

What do you think? I've been looking for a solution which will do this all together; the closest I've found are Calico and MetalLB, but of course those are only a partial match and sort of overkill.

Cheers.
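Items 2 and 4 of the list above are the core of the design: a health check decides whether the anycast /32 is announced, and the BGP speaker on the host does the announcing. With ExaBGP that gating is a process whose stdout ExaBGP reads line by line, using commands of the form `announce route <prefix> next-hop self` and `withdraw route <prefix> next-hop self`. The following is an added example of such a process, not code from the post, Keepalived or ExaBGP; the prefix, the TCP check target, the rise/fall thresholds and the interval are assumptions, and the `process` stanza in exabgp.conf that launches it is not shown. The hysteresis (two consecutive results before a state change) keeps one dropped probe from flapping the route across the fabric.

```python
import socket
import sys
import time


def exabgp_line(prefix: str, announce: bool, next_hop: str = "self") -> str:
    """One command in the text API ExaBGP reads from a process's stdout."""
    return f"{'announce' if announce else 'withdraw'} route {prefix} next-hop {next_hop}"


def tcp_check(host: str, port: int, timeout: float = 1.0) -> bool:
    """Sample health check: can the service accept a TCP connection locally?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class AnycastAdvertiser:
    """Gate the announcement of `prefix` on `check()`. A command is emitted only on
    a state change, after `rise` consecutive successes or `fall` consecutive failures."""

    def __init__(self, prefix, check, rise=2, fall=2, out=sys.stdout):
        self.prefix, self.check = prefix, check
        self.rise, self.fall, self.out = rise, fall, out
        self.advertised = False
        self.ok_streak = self.fail_streak = 0

    def tick(self):
        """Run one check. Returns the command emitted, or None if nothing changed."""
        try:
            healthy = bool(self.check())
        except Exception:              # a crashing check is a failed check, never a free pass
            healthy = False
        if healthy:
            self.ok_streak, self.fail_streak = self.ok_streak + 1, 0
        else:
            self.fail_streak, self.ok_streak = self.fail_streak + 1, 0
        line = None
        if not self.advertised and self.ok_streak >= self.rise:
            self.advertised, line = True, exabgp_line(self.prefix, True)
        elif self.advertised and self.fail_streak >= self.fall:
            self.advertised, line = False, exabgp_line(self.prefix, False)
        if line and self.out is not None:
            self.out.write(line + "\n")
            self.out.flush()           # ExaBGP only sees the line once it leaves the buffer
        return line


def run_scripted(prefix, results, rise=2, fall=2):
    """Drive the advertiser with a scripted list of check outcomes (for tests and
    dry runs) and return the commands it would have sent, in order."""
    it = iter(results)
    adv = AnycastAdvertiser(prefix, lambda: next(it), rise=rise, fall=fall, out=None)
    return [line for line in (adv.tick() for _ in results) if line]


if __name__ == "__main__":
    # Assumed values: anycast DNS on 192.0.2.53/32, service listening on localhost:53.
    adv = AnycastAdvertiser("192.0.2.53/32", lambda: tcp_check("127.0.0.1", 53))
    while True:
        adv.tick()
        time.sleep(2)
```

On the switch side the prefix-list from item 3 still matters: this process can only withdraw what it announced, while a filter at the ToR is what stops a misconfigured host from announcing anything other than the anycast address.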