Saturday, September 7, 2019

10G home lab experiment - iperf3 how many retries is of concern

I've been learning on my home lab for a while, and use iperf to try to make sure the network is functioning properly. I never really noticed the "retr" column as long as the speeds looked good, but someone recently told me that "with that many retries you should check your cables". Does anyone have a rule of thumb? If I move a 10G file at 9.4 Gbps, are 2,737 retries of concern, for example?

I've tried looking in Google for an answer or rule of thumb but haven't found anything that seemed well-reasoned.

root@svr-03:~# iperf3 -c 192.168.100.11
Connecting to host 192.168.100.11, port 5201
[  5] local 192.168.100.13 port 41870 connected to 192.168.100.11 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  1.10 GBytes  9.43 Gbits/sec    0   1.39 MBytes
[  5]   1.00-2.00   sec  1.09 GBytes  9.40 Gbits/sec  548   1.20 MBytes
[  5]   2.00-3.00   sec  1.09 GBytes  9.39 Gbits/sec  628    576 KBytes
[  5]   3.00-4.00   sec  1.09 GBytes  9.39 Gbits/sec 1201   1.16 MBytes
[  5]   4.00-5.00   sec  1.09 GBytes  9.40 Gbits/sec  360   1.17 MBytes
[  5]   5.00-6.00   sec  1.10 GBytes  9.42 Gbits/sec    0   1.20 MBytes
[  5]   6.00-7.00   sec  1.10 GBytes  9.41 Gbits/sec    0   1.24 MBytes
[  5]   7.00-8.00   sec  1.09 GBytes  9.41 Gbits/sec    0   1.26 MBytes
[  5]   8.00-9.00   sec  1.10 GBytes  9.42 Gbits/sec    0   1.27 MBytes
[  5]   9.00-10.00  sec  1.10 GBytes  9.42 Gbits/sec    0   1.28 MBytes


[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  11.0 GBytes  9.41 Gbits/sec  2737             sender
[  5]   0.00-10.04  sec  10.9 GBytes  9.37 Gbits/sec                  receiver
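One way to put the Retr column in proportion, as an added example that is not part of the original post: iperf3 counts retransmitted segments but never tells you how many segments were sent, so the script below estimates that from bytes / MSS (the 1448-byte MSS is an assumption) and reports retransmits as a fraction of segments, per interval and overall, from iperf3's JSON output (`iperf3 -J`). The sample JSON is constructed from the run quoted above; the 0.1 % flag threshold is a placeholder to make outliers visible, not a rule of thumb.

```python
import json

# Constructed iperf3 -J output, cut down to the fields read below. The numbers
# come from the run quoted above (1.09-1.10 GBytes per second, the per-second
# Retr counts, 11.0 GBytes and 2737 retransmits over 10 s); iperf3 reports raw
# bytes, so the GByte figures are converted at 2^30.
SAMPLE_IPERF3_JSON = json.dumps({
    "intervals": [
        {"sum": {"start": 0, "end": 1, "bytes": 1181116006, "retransmits": 0}},
        {"sum": {"start": 1, "end": 2, "bytes": 1170378588, "retransmits": 548}},
        {"sum": {"start": 2, "end": 3, "bytes": 1170378588, "retransmits": 628}},
        {"sum": {"start": 3, "end": 4, "bytes": 1170378588, "retransmits": 1201}},
        {"sum": {"start": 4, "end": 5, "bytes": 1170378588, "retransmits": 360}},
        {"sum": {"start": 5, "end": 6, "bytes": 1181116006, "retransmits": 0}},
    ],
    "end": {"sum_sent": {"bytes": 11811160064, "retransmits": 2737, "seconds": 10.0}},
})

# Assumption: ~1448 bytes of payload per segment (1500-byte MTU, TCP timestamps on).
# iperf3 does not report a segment count, so bytes/MSS approximates it.
DEFAULT_MSS = 1448


def retransmit_ratio(bytes_sent, retransmits, mss=DEFAULT_MSS):
    """Retransmitted segments as a fraction of segments sent (approximated as bytes/mss)."""
    segments = bytes_sent / mss
    return retransmits / segments if segments else 0.0


def analyse(iperf_json, mss=DEFAULT_MSS, warn_ratio=1e-3):
    """Per-interval and overall retransmit ratios from 'iperf3 -J' output.

    warn_ratio is a placeholder (0.1 % of segments), not a rule of thumb: use it to
    find the intervals that stand out, then compare those against the NIC's own
    error counters (ethtool -S <iface>: rx_crc_errors and friends), which is where
    a bad cable or optic actually shows up.
    """
    data = json.loads(iperf_json)
    intervals = []
    for item in data["intervals"]:
        s = item["sum"]
        ratio = retransmit_ratio(s["bytes"], s["retransmits"], mss)
        intervals.append({
            "interval": (s["start"], s["end"]),
            "retransmits": s["retransmits"],
            "ratio": ratio,
            "flagged": ratio > warn_ratio,
        })
    total = data["end"]["sum_sent"]
    return {
        "intervals": intervals,
        "overall_ratio": retransmit_ratio(total["bytes"], total["retransmits"], mss),
        "flagged": [i["interval"] for i in intervals if i["flagged"]],
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_IPERF3_JSON)
    for i in report["intervals"]:
        print("{:>2}-{:<2}s retr={:5d} ratio={:.2e}{}".format(
            i["interval"][0], i["interval"][1], i["retransmits"], i["ratio"],
            "  <- above threshold" if i["flagged"] else ""))
    print("overall: {:.2e} of segments retransmitted".format(report["overall_ratio"]))
```

On the quoted run this comes out at roughly 3 retransmits per 10,000 segments overall, concentrated in seconds 1-5 and absent afterwards. Retransmits are TCP's reaction to loss, wherever it happens (a full switch buffer or a receive queue that could not keep up looks the same as a flaky cable), so the NIC error counters are the check that separates the two.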



Looking to get a high-level, vendor-neutral overview of UCC. What books/resources would you recommend?

I'm a pre-sales engineer looking to gain a high-level understanding of UCC/Voice, but I'm not really sure how best to proceed here. I know there are a ton of resources out there, but they all seem really low level & vendor specific. Are there any vendor-neutral books/resources that you'd recommend? Some resource that dives into the general principles of designing & operating UCC environments without going too far into the weeds.



Security camera and browser won’t connect but all apps do?

This happens too often: every time I lose power at the business, the cameras won’t connect. When I’m physically at the business on its WiFi everything works; all the apps and the cameras work, except the internet browser.



Localhost, Docker, addresses and VPN

Hey there,

Recently I've started using a VPN on my private computer. Meanwhile I've found a few issues that I didn't encounter while working on my work PC, which also has a VPN enabled:

  • No longer localhost is working
  • I cannot start Docker

I googled a little about it, but I still can't figure out how it works. I'm not good at networking; even basics like this are a problem for me. Could you guys try to explain to me how a VPN affects localhost? What may differ in the configuration of my private PC (where neither localhost nor Docker works) and the company PC with VPN, where everything works just fine?

Thanks in advance!



Transparent Failure NICs

So I think I have seen these before, but I can't seem to find them now.

I'm looking to build a traffic shaping box with ntopng. We use a traffic shaper in monitor-only mode 90% of the time, but we sometimes get situations across our internet peering circuits where we need to throttle specific applications. We've used PacketShapers from Blue Coat before, but they are asking for north of $80k each for the upgraded models we need in the performance band we need.

So ntopng looks like it will do what we need. I've done some lab work with it and the proof-of-concept tests are good so far. What I'm looking for, though, is a dual NIC that I can put in the server which will run ntopng, and when/if the application or box fails it would fail through to a passive wire.

Does anyone have a good lead for me? I think I just don't know what the right search terms are.



Packet loss over GRE tunnels

I am messing about with GNS3, and what I've done is built a topology with four routers running IPv6 with OSPFv3; two routers are connected to all.

On one of the routers connected to two of the IPv6 routers, I've connected another router running IPv4 with OSPF, and to the other IPv6 router with 2 connections, I've connected another router running IPv4 with OSPF. It effectively looks like a diamond.

I've then built two tunnels on these routers, one on each of the interfaces, and used an IPv4 address as the IP address on the tunnel. OSPF formed adjacencies between the two tunnel interfaces, and the routers just running IPv4 and OSPF can successfully ping each other. However, every fourth packet is dropped.

I guess some of you may turn around to me and ask "what on earth are you doing", but honestly, I'm just playing around and seeing if I could achieve what I created in my mind. What I would like to know is what is causing every fourth packet to be dropped? Where should my efforts focus?

I have pasted one of the tunnel interfaces configs below, along with a show interface of the same tunnel:

interface Tunnel1
 ip address 172.20.10.10 255.255.255.252
 tunnel source Ethernet0/2
 tunnel mode ipv6
 tunnel destination 2001:AA00:FB01:3DA1:A8BB:CCFF:FE00:C00
end

Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 172.20.10.10/30
  MTU 1460 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 2001:EEEE:1A5D:CE56:A8BB:CCFF:FE00:1020 (Ethernet0/2), destination 2001:AA00:FB01:3DA1:A8BB:CCFF:FE00:C00
   Tunnel Subblocks:
      src-track:
         Tunnel1 source tracking subblock associated with Ethernet0/2
          Set of tunnels with source Ethernet0/2, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport IPv6
  Tunnel TTL 255
  Tunnel transport MTU 1460 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 00:00:00, output 00:00:04, output hang never
  Last clearing of "show interface" counters 00:41:07
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1382 packets input, 184164 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     326 packets output, 40748 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

If I do a ping from the router with the tunnel to a router beyond the tunnel, no packets are dropped. If I do a ping from a router beyond the tunnel to a router beyond the tunnel, I get packet loss on what appears to be Tunnel1 above:

R8#traceroute 172.20.10.1
Type escape sequence to abort.
Tracing the route to 172.20.10.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.50.1.1 5 msec 4 msec 5 msec
  2 10.30.1.1 9 msec 10 msec 9 msec
  3 10.10.1.18 10 msec 9 msec 10 msec
  4  *  172.20.10.10 10 msec  *
  5 172.20.10.1 16 msec 15 msec 15 msec

What's really confusing is the Tunnel says there are no drops or any other errors.



Security difference between connecting to a public wifi, private hotspot and VPN?

Sorry, but I can't wrap my head around this. I do understand that in some instances even just letting your ISP record a piracy website might be a problem, while other times it'd be a malicious access point forcing HTTP over HTTPS; however, I can't understand who can see what, assuming a non-compromised device.

For example, would a VPN hide visited websites and content to ISP? Would a mobile data hotspot hide only content?

Thank you



Social Wi-Fi

Hi! I wanted to make a social wifi with a TP-Link WR741ND router. When I imported the update file it said the file was not compatible or something like that. Btw, I used the hotspotsystem website for this. Can anyone help me with this? David



How problematic are small cat6 cables?

What is the smallest length a Cat 6 ethernet cable can be? I see some on eBay that are as short as 12cm.

I have heard that even at 1m, you have connectivity problems. In the event of a connectivity problem, would packets get re-sent until they reach the other end successfully? Is there a risk of any data corruption if you are performing backups from a server and you start having connectivity issues?



Setting up a router to run off another router

Hello all,

I’m in a bit of a pickle. I tried running a router off of another router last night and got internet for all of 30 minutes until it ultimately stopped receiving internet. The second router is run from a 300 ft. Cat 6 cable going from the first router. I gave the 2nd router a new IP and disabled DHCP in order to prevent IP conflicts in case they crossed paths. I need some help to determine if it’s an issue with the length of the Cat 6 cable and that it just ultimately won’t send the internet speeds I need, or if there are some settings on the 1st and/or 2nd router I can change in order to keep a constant connection on the 2nd router. Any help would be greatly appreciated. Sorry, kinda noob at this stuff.



What do I need to do to get my first job?

Hey guys, I’m new here and I was wondering if you could give me any tips to get me started. I’m a sophomore in college and decided to change my major to IT. I recently took an introduction to networking course and was interested. Would love your advice.



Friday, September 6, 2019

Setting Up a Second DHCP Scope (Windows Server 2012)

When all of the IPs in the initial scope get taken up, how would you go about setting up a second scope under a superscope? We have a 192.168.100.X scope and we want to set up a 192.168.200.X scope. Are the subnets allowed to be the same?



Netmiko Threading assistance requested

I am getting started with Python in general and trying to use netmiko. My first project with it is grabbing configurations automatically from our various switches and saving them to files for upload into a git repo for version control.

So far I have that all working but am looking to speed up the script, as it takes 5 mins for about 20 switches and I will be adding many more. My first thought was to try and use threading based off of this gist https://gist.github.com/ktbyers/8005564c5d3711a0e5476dbfd18d8acf

Unfortunately, while my script still works and runs, it still seems to be running in series and I am a bit lost as to why currently. Any thoughts would be very much appreciated.

import os
import threading
import logging
from queue import Queue

from netmiko import Netmiko
from netmiko import ConnectHandler
from devices import *  # provides the 'switches' dict

logging.basicConfig(filename='/SwitchConfigs/config.log', level=logging.DEBUG)
logger = logging.getLogger("netmiko")

configpath = '/SwitchConfigs'


def save_config(name, output):
    # Write the captured running config to <configpath>/<name>.config
    filename = os.path.join(configpath, "{}.config".format(name))
    with open(filename, "w") as f:
        f.write(output)


def ssh_session(key, value, output_q):
    if value['model'] == 'hp1920':
        net_conn = Netmiko(**value['device'])
        net_conn.send_command("_cmdline-mode on\nY\nJinhua1920unauthorized\nscreen-length disable")
        output = net_conn.send_command("display current-configuration")
        net_conn.disconnect()
        save_config(value['name'], output)
        output_q.put({value['name']: output})
    if value['model'] == 'hp2930':
        net_conn = Netmiko(**value['device'])
        net_conn.send_command("screen-length 1000")
        output = net_conn.send_command("display current-configuration")
        net_conn.disconnect()
        save_config(value['name'], output)
        output_q.put({value['name']: output})


if __name__ == "__main__":
    output_q = Queue()
    for key, value in switches.items():
        # Pass the callable and its arguments separately. The original
        # target=ssh_session(key, value) called ssh_session right here, in the
        # main thread, one switch at a time, and handed the thread its return
        # value (None) as the target; that is why the script ran in series.
        my_thread = threading.Thread(target=ssh_session, args=(key, value, output_q))
        my_thread.start()

    main_thread = threading.current_thread()
    for some_thread in threading.enumerate():
        if some_thread != main_thread:
            some_thread.join()

    while not output_q.empty():
        my_dict = output_q.get()
        for k, val in my_dict.items():  # dict.iteritems() is Python 2 only
            print(k)
            print(val)
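The same fan-out done with a thread pool, as an added example that is not the poster's script: the collector function is passed in so the block runs offline against a simulated session (sleeping instead of logging in), the pool is handed the callable and its argument separately, results come back through futures instead of a queue that never gets filled, and one unreachable switch is recorded without aborting the run. The inventory, the 0.2 s session time and the `flaky_fetch` failure on `sw03` are all constructed.

```python
import os
import time
import tempfile
from concurrent.futures import ThreadPoolExecutor, as_completed

# Constructed inventory in the same shape as the post's 'switches' dict (hosts are
# placeholders; nothing here opens a network connection).
SWITCHES = {
    "sw%02d" % i: {
        "name": "sw%02d" % i,
        "model": "hp2930",
        "device": {"host": "10.0.0.%d" % i, "device_type": "hp_procurve"},
    }
    for i in range(1, 6)
}

SESSION_SECONDS = 0.2  # how long each simulated SSH session takes


def simulated_fetch(value):
    """Stand-in for the Netmiko session: sleeps like an SSH login would, returns a config."""
    time.sleep(SESSION_SECONDS)
    return "# running config of {} ({})\n".format(value["name"], value["model"])


def flaky_fetch(value):
    """Same, but one switch is unreachable, as happens on a real run."""
    if value["name"] == "sw03":
        raise OSError("connection refused")
    return simulated_fetch(value)


def collect_configs(switches, fetch, outdir, workers=10):
    """Run fetch(value) for every switch on a thread pool and write each result to outdir.

    Returns (written, failed): {name: path} and {name: error text}. A failure on one
    switch is recorded and the rest of the run continues.
    """
    written, failed = {}, {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        # submit(fn, arg) hands the pool the callable and its argument separately;
        # submit(fn(arg)) would run fn here, on this thread, one switch at a time.
        futures = {pool.submit(fetch, value): value["name"] for value in switches.values()}
        for fut in as_completed(futures):
            name = futures[fut]
            try:
                output = fut.result()
            except Exception as exc:
                failed[name] = repr(exc)
                continue
            path = os.path.join(outdir, name + ".config")
            with open(path, "w") as fh:
                fh.write(output)
            written[name] = path
    return written, failed


def timed_run(switches, fetch, workers):
    """Collect into a scratch directory; returns (written count, failed count, seconds)."""
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as outdir:
        written, failed = collect_configs(switches, fetch, outdir, workers)
    return len(written), len(failed), time.monotonic() - start


if __name__ == "__main__":
    for workers in (1, 10):
        ok, bad, secs = timed_run(SWITCHES, simulated_fetch, workers)
        print("workers={:2d}: {} written, {} failed, {:.2f}s".format(workers, ok, bad, secs))
```

To use it for real, replace `simulated_fetch` with a function that opens the Netmiko session for `value["device"]`, runs the model-specific commands and returns the config text; everything else stays the same. Keep `workers` modest (ten or so): the limit is how many concurrent SSH logins the switches and any TACACS/RADIUS server in front of them will accept, not the laptop running the script.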


Cisco Topology Icons for Visio

I guess this is probably asked a lot so sorry in advance, but are there any up to date Cisco icons out there? The ones on the Cisco website were last updated in 2011. I need ones for newer technologies & devices like ISE, DNA, Stealthwatch, Firepower etc.



local area service discovery with SSDP or mDNS

I am trying to write a mobile installation app for a networking device. To find the devices I was planning to use SSDP; however, I am told that SSDP may not be suitable and to use mDNS instead. Having checked, I could not assure that both the iOS and Android versions in the field support it.

Technically and practically, is mDNS a better solution compared to SSDP? Any feedback is greatly appreciated.



RSPAN setup help

Hello, my company is testing out the Darktrace packet inspection tool. I have been trying to get Cisco SPAN up and running to allow for testing.

At our home office we have two C2960s set up with SPAN and RSPAN respectively:

monitor session 1 source vlan  x , y , z
monitor session 1 destination interface g1/0/1

monitor session 1 source vlan  x , y
monitor session 1 destination remote vlan z 

This configuration works for our home office. My issue is setting up RSPAN at our remote offices. I initially set up RSPAN at a remote site and immediately lost management access to the remote switch. All devices behind the switch were still up and active; we only lost management access to the switch, and rebooting the switch resolved the issue.

So I now have a test environment setup in my office to see what went wrong. My current test bench is:
c2960 -> SonicWall TZ 205 <> SonicWall TZ 205 <- c2960

The problems I'm having:

1. RSPAN traffic does not appear to be passing across my firewalls. Since this is a test environment, I have a policy set on both firewalls to allow WAN to LAN any any, and in reverse LAN to WAN any any. And I can ping between my switches.

2. I have RSPAN set up on SWITCH2 connected to SW2. When I add the remote VLAN to SW2, x0:901, I lose management access to the SonicWall; disabling VLAN 901 resolves the issue.

I have rebuilt this setup from scratch a few times in the past 2 days and I still get the same results. RSPAN from switch to switch works like it is supposed to but not across L3.

Does anyone have any experience in setting this up? Could I get some pointers as to where to go from here? Since RSPAN is only VLAN-tagged traffic with no real destination, am I just missing something in the setup to allow VLAN 901 traffic to be forwarded correctly?

We only have C2960s in use, so we cannot use ERSPAN.



Turn Internet Access QoS On with Dlink?

Turn Internet Access QoS on with D-Link? I went to 192.168.1.1 but couldn't find the option to turn it on.



Getting Public IPs for a Project?

Hello all. I am currently working on a project that will need a few public IP addresses. I am wanting to get them via ARIN under a free request. Is there any way I can get them without having to be an ISP or an ORG?



Simple IPAM for quickly see reserved/available IP blocks

Hello guys,

At my current client, we are using a simple Excel spreadsheet to see our used/unused subnets. We started with a single line, our /8, that we split into 2 lines of /9, etc., etc. We just split what we need, and put the rest in grey to indicate unused blocks. We have a tab for each VRF.

Now, even though this is pretty rare, we do make mistakes. Splitting, let's say, a /22 into /25s might end up with a disappearing subnet, or miscalculated and overlapping subnets...

I've looked at multiple IPAM solutions. It looks like they do a thousand things, but not what I want. I don't want a 100K$/y clusterf*ck solution that I will use at 5%. I don't want to link it to my DHCP, nor my DNS, nor whatever. I just want multiple tabs for each of my VRFs with what I've used so far from my /8, and what is free.

If my Excel could pop an error for overlapping networks or do the splitting for me, that would be enough for me.

Do you guys have good solutions for that?

Thanks!
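The two checks the spreadsheet cannot do, overlap detection and "what is still free in this /8", plus a best-fit splitter, as an added example that is not part of the post and uses only Python's standard `ipaddress` module. The allocation table is constructed: one entry deliberately sits inside another, and the /25s carved from 10.2.0.0/22 skip one so the "disappearing subnet" from the post turns up again as a free block.

```python
import ipaddress

# Constructed allocation table for one VRF: the parent block and the prefixes
# marked as used in the spreadsheet. Two entries deliberately overlap, and the
# /25s carved from 10.2.0.0/22 skip one, which is the "disappearing subnet".
PARENT = "10.0.0.0/8"
USED = [
    "10.0.0.0/16",
    "10.1.0.0/17",
    "10.1.64.0/18",                                   # inside 10.1.0.0/17: overlap
    "10.2.0.0/25", "10.2.0.128/25", "10.2.1.128/25",  # 10.2.1.0/25 is missing
]


def bad_prefixes(prefixes):
    """Entries with host bits set (e.g. 10.2.1.128/24), the usual miscalculation."""
    bad = []
    for p in prefixes:
        try:
            ipaddress.ip_network(p, strict=True)
        except ValueError:
            bad.append(p)
    return bad


def parse(prefixes):
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def find_overlaps(nets):
    """Pairs of allocated prefixes that share addresses (the error Excel never raises)."""
    nets = sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))
    return [(str(a), str(b))
            for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def free_blocks(parent, nets):
    """Largest aligned prefixes inside parent not covered by any allocation."""
    free = [ipaddress.ip_network(parent)]
    for used in nets:
        remaining = []
        for blk in free:
            if used.subnet_of(blk):
                remaining.extend(blk.address_exclude(used))  # empty when used == blk
            elif blk.overlaps(used):
                continue                                     # used swallows blk entirely
            else:
                remaining.append(blk)
        free = remaining
    return sorted(free, key=lambda n: (int(n.network_address), n.prefixlen))


def allocate(parent, nets, prefixlen):
    """Best fit: the lowest /prefixlen inside the smallest free block that holds one."""
    candidates = [b for b in free_blocks(parent, nets) if b.prefixlen <= prefixlen]
    if not candidates:
        return None
    blk = min(candidates, key=lambda n: (-n.prefixlen, int(n.network_address)))
    return blk if blk.prefixlen == prefixlen else next(blk.subnets(new_prefix=prefixlen))


if __name__ == "__main__":
    print("malformed:", bad_prefixes(USED))
    nets = parse(USED)
    print("overlaps:", find_overlaps(nets))
    print("free:", [str(n) for n in free_blocks(PARENT, nets)])
    print("next /25:", allocate(PARENT, nets, 25))
```

Read one tab per VRF into `USED` (a CSV export is enough), run `bad_prefixes` and `find_overlaps` before anything else, and let `allocate` hand out the next block: on this table it returns 10.2.1.0/25, the subnet the manual split lost, before touching any larger free space.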



Windows 10 LAN/WLAN Auto switching

Hello r/Networking.

I’m running into an issue with Windows 10 (1903) and auto LAN/WLAN switching.

I have a group of non-domain laptops that I’m upgrading to Windows 10 that require both a wired and a wireless connection (two separate networks). This was working fine with Windows 7. LAN/WLAN switching was disabled in the BIOS.

I migrated to Windows 10 and as soon as I insert the Ethernet cable, it disables the Wireless.

I went into Group Policy, enabled ‘Minimize Network Connections’ and set it to 0, rebooted and it is still disabling it.

The network adapter (Intel AC-7290) does not have a configuration option to disable switching.

I’m kind of at a loss here.

Does anyone have any idea if there is some other configuration option to disable this?

Thanks.



10G SFP+ Copper SFP transceiver compatibility

Hello All,

I've recently purchased a number of Aruba 2930F series switches, specifically the JL254A, with the intent of using the SFP+ ports in order to allow me to have some 10G links in my network. My plan was to connect my network edge (i.e. servers) to these switches using ethernet cables by purchasing copper SFP+ transceivers. However, according to the HP/Aruba switch transceiver compatibility guide [1] the 2930F series does not offer support for 10G SFP+ copper transceivers, instead it only supports 10G SFP+ optical transceivers.

Is anyone aware of a reason why the 2930F series does not offer support for 10G SFP+ copper transceivers? And is there a way to circumvent the lack of official HP/Aruba support? (i.e. purchasing generic or third party copper SFP+ transceivers)

Any insight is appreciated.

References

[1] https://support.hpe.com/hpsc/doc/public/display?docId=a00028947en_us



Best Open Source Network Bandwidth Analyzer?

As the title states, I am looking for an open source network bandwidth analyzer to be able to actively see what devices are consuming the most bandwidth. I have looked at a few but found them to either be too cluttered with crap or just didn't even do a job of getting real measurements.

Was wondering what some of you use out there. I am preferring to stay with Open Source programs unless you can suggest a paid one that is fantastic.



QoS for Layer 3 switch?

This is a question coming from someone who isn't an engineer, but I do have a CCNA, so I know some stuff. Basically I'm working on a project for work where we're creating a network backbone using L3 switches to form the ring for the backbone; there are multiple stub networks attached to the backbone, and I'd like to know if there's a way that traffic can be prioritized on the L3 switch depending on the subnet/VLAN it's coming from. The switches are industrial grade, Stratix 8300 made by Allen-Bradley, but they use Cisco IOS.



L3 lite, L3 native, L2

Hello,

I have some confusion about these terms. Is it really worth having a full L3 layer or native L3 vs an L3 lite? Also, what is the difference between them?

I hope someone could help me.

Regards,



GNS3 Frame-Relay switch

Dumb question, but I had set up a frame relay switch with mapping 1:102 2:201 1:103 3:301, with R1 at 1, R2 at 2 and R3 at 3 of FRS.

Why can I not ping between the spokes R2 and R3? Even after adding 2:203 3:302 to FRS. All interfaces are on the same subnet.



Passing one vlan traffic through another vlan

I am looking for a way that would allow users on VLAN 3 (10.88.3.0/24) to look like they are in VLAN 4 (10.88.4.0/24) when connecting to a remote site hosting a web server with the IP 10.34.45.1.

The reason being that the remote site has a firewall rule that only allows access to their web server IP from traffic coming from VLAN 4 and refuses to open traffic to it coming from VLAN 3 because of a certain security policy. All network devices are Cisco based.

I tried routing VLAN 3 traffic through VLAN 4, but it’s getting blocked by the firewall since the source IP still shows up as being from VLAN 3.

Any help would be greatly appreciated.



VRRP priority question

Hi,

I had some issues after installing new switches behind a firewall cluster recently. Previously the site had 1 main fiber router and 1 backup 4G router connected to an unmanaged switch, talking VRRP.

For some reason I seemed to get loops in my MC-LAG topology after connecting cables from both switches, and after this I simply connected the devices in a simpler manner, with cables connected from only 1 switch to the 2 routers (no LAGs involved). Still, internet seemed flaky, and I checked packet captures for VRRP, which seem to show both routers are advertising a priority of 100. I read in some Juniper KB article that the higher device IP address should take precedence after this. I disconnected the backup router and everything has worked fine since.

I think maybe the ISP that installed these forgot to save a priority change on the master fiber router, causing the 4G router to become active (and that router probably has a crappy internet connection from the basement). Or are equal VRRP priorities normal for such an ISP HA router setup? The routers on the site are Huawei. Any ideas?



Assign Public-IPs to Customers

Hi fellow networkers, what's your take on the following scenario?
We're running our own BGP routers/AS number with our own IP space.

Requirements

  • Customers in our datacenter have their own firewalls and need 1-n public IPs
  • Customers may need more public IPs in the future
  • Customers may control/configure their own firewalls and change IP-configuration
  • Customers are connected directly to our Core-Switches by 1G/10G Ethernet (Access-Port)
  • CustomerA should not be able to interfere with CustomerB (e.g. duplicate IP)
  • CustomerA should not be able to bring up default-gw and mess with ARP
  • Waste as little IPs as possible by subnetting

Idea 1: Create one Subnet/Vlan per Customer

  • Pro: Each customer is isolated properly
  • Con: Wastes IPs by subnetting; does not scale if a customer needs more IPs

Idea 2: Create bigger Subnets with multiple Customers

  • Pro: Most IPs can be used; fewer problems if a customer needs more IPs
  • Con: Multiple customers in same layer2/layer3 network, config-mistakes could impact other customers

Any other Ideas to properly set this up? Port-Security?
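What the "waste IPs by subnetting" con costs in numbers, as an added example that is not part of the post: a best-fit allocator carves one subnet per customer out of a pool (Idea 1) and the result is compared with the single aligned block one shared subnet would take (Idea 2). The customer demand and the pool (a documentation prefix standing in for your own space) are constructed; the three-address overhead per subnet (network, broadcast, your gateway) is an assumption. It only covers the address-consumption side: the isolation Idea 2 gives up is not something this code models.

```python
import ipaddress
import math

# Constructed customer demand (usable public IPs each one needs) and a documentation
# prefix standing in for our own address space.
DEMAND = {"custA": 1, "custB": 3, "custC": 6, "custD": 14, "custE": 2}
POOL = "203.0.113.0/24"

# Assumption: each customer subnet burns three addresses on network, broadcast and
# our gateway before the customer gets any.
OVERHEAD = 3


def prefixlen_for(hosts, overhead=OVERHEAD):
    """Prefix length of the smallest block that holds hosts + overhead addresses."""
    return 32 - math.ceil(math.log2(hosts + overhead))


def per_customer_plan(pool, demand):
    """Idea 1: a subnet per customer, carved best-fit from the pool, largest first.

    Returns ({customer: network}, addresses consumed).
    """
    free = [ipaddress.ip_network(pool)]
    plan = {}
    for name, hosts in sorted(demand.items(), key=lambda kv: (-kv[1], kv[0])):
        plen = prefixlen_for(hosts)
        free.sort(key=lambda n: (-n.prefixlen, int(n.network_address)))  # smallest block first
        blk = next((b for b in free if b.prefixlen <= plen), None)
        if blk is None:
            raise ValueError("pool exhausted before " + name)
        free.remove(blk)
        sub = blk if blk.prefixlen == plen else next(blk.subnets(new_prefix=plen))
        if sub != blk:
            free.extend(blk.address_exclude(sub))  # keep the leftover pieces
        plan[name] = sub
    return plan, sum(n.num_addresses for n in plan.values())


def shared_plan(demand):
    """Idea 2: all customers in one subnet. Returns (prefix length, addresses consumed)."""
    plen = prefixlen_for(sum(demand.values()))
    return plen, 2 ** (32 - plen)


def compare(pool, demand):
    """Addresses consumed by each idea against what the customers actually asked for."""
    _, per_customer = per_customer_plan(pool, demand)
    _, shared = shared_plan(demand)
    return {"requested": sum(demand.values()), "per_customer": per_customer, "shared": shared}


if __name__ == "__main__":
    plan, used = per_customer_plan(POOL, DEMAND)
    for name, net in sorted(plan.items()):
        print("{}: {} ({} usable after gateway)".format(name, net, net.num_addresses - OVERHEAD))
    print(compare(POOL, DEMAND))
```

For the constructed demand of 26 addresses, Idea 1 consumes 68 and Idea 2 consumes 32; the gap grows with the number of small customers, since every /30 and /29 pays the same three-address overhead, and a customer who outgrows a /29 has to renumber into a new block rather than just take the next address.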



Juniper MX150 IPsec

Hello!

Our company recently bought an MX150 for testing and I've been fiddling with it since then. Despite reading all the way through official guides I can't seem to find an answer to one question:

Does MX150 support IPsec tunnels?

It seems we need to have the MX150-R license (or model) to do so, and we bought exactly that. Still, I can't find how to do the tunnels properly; every online tech guide suggests using es-0/0/0 tunnel interfaces, which seems to imply using ES PICs, but the MX150 doesn't even have a slot for one. Official datasheets list IPsec support, so I'm kinda confused...

Any experience with configuring those, anyone?

Tips are greatly appreciated!



Has anyone passed the Open Networking Foundation Software-Defined Networking Associate exam?

After CCIE I want to learn new stuff which will help me in building a career in consulting.

https://www.opennetworking.org/certification/sdn-skills-certification-associate/

I thought this course would help; however, I couldn't find a clear path or source to pursue this course.

Any guidance will be highly appreciated.

Thanks in advance.



Do fiber "plugs" exist?

Hello all,

The title is kind of misleading, but I don't know what to call what I'm looking for. Imagine that I have to run a 10km fiber. 9.9km of this fiber is super safe and dandy, but the last 100m may be subject to fiber cuts as it's in a more exposed place. Do termination "plugs" exist (without any apparatus needed) to just plug/unplug the last part of the fiber?

The goal is, if someone cuts the last 100m, to be able to just unplug the 100m piece and plug in a new one, instead of laying the whole 10km fiber again. I suppose it could be possible to patch it, but the idea was to waste no time and simply take a spare 100m out of the closet and substitute it.

Just imagine a kind of extension cord.

Do such terminations exist, and what are they called if they do? Or what would be the correct approach to tackle this?

Thanks!



Need to delete 4 /16 nets to any FW rules. Best way to generate new rules?

The platform where this needs to be done is NSX if it matters. I know about the "Application Rule Manager", but I think it's not powerful enough for the number of flows we have.

I suppose I'm not the first one who has to do this, so I am asking you: how did you do it? My first thought is ELK because of its engine, but I couldn't yet find anything like this on Google; I might ask on their forum. I could also just send the logs to a syslog server and hope to find a script that generates the rules. Is there a script for this?

Any piece of advice is really welcomed.
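The script the post is hoping exists, in outline, as an added example that is not part of the post: read the flow log, keep only the flows that the broad "/16 to any" allow rules were actually letting through (drops must not become allows, and flows from other sources belong to other rules), aggregate them to source-segment, destination, protocol and port, and print candidate rules with hit counts so the rarely used ones can be reviewed before the /16 rules are removed. The log format here is constructed and is not NSX's export format; the four /16 prefixes are placeholders. Only `parse_flows()` should need changing for a real syslog feed.

```python
import ipaddress
from collections import Counter

# Constructed flow log, not NSX's real export format: one flow per line as
# "<src-ip> <dst-ip> <proto> <dst-port> <action>". Adapt parse_flows() to whatever
# your syslog collector actually receives.
SAMPLE_FLOW_LOG = """\
10.10.5.23 10.20.1.10 tcp 443 PASS
10.10.5.23 10.20.1.10 tcp 443 PASS
10.10.7.9 10.20.1.10 tcp 443 PASS
10.10.7.9 10.20.2.15 tcp 1433 PASS
10.11.3.4 10.20.2.15 tcp 1433 PASS
10.12.200.1 10.20.1.10 tcp 443 PASS
192.168.9.9 10.20.1.10 tcp 443 PASS
10.10.5.23 10.20.1.10 udp 53 DROP
"""

# The four "/16 to any" sources whose rules are to be retired (placeholder prefixes).
BROAD_SOURCES = [ipaddress.ip_network(p) for p in
                 ("10.10.0.0/16", "10.11.0.0/16", "10.12.0.0/16", "10.13.0.0/16")]


def parse_flows(text):
    """Yield (src, dst, proto, dport, action) tuples; skips blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, proto, dport, action = parts
        yield (ipaddress.ip_address(src), ipaddress.ip_address(dst),
               proto.lower(), int(dport), action.upper())


def covered_by(addr, networks):
    return any(addr in net for net in networks)


def derive_rules(text, broad_sources, src_prefixlen=24):
    """Aggregate PASS flows from the broad sources into (src/24, dst, proto, port) rules.

    Only flows the broad rules let through are counted: DROPs must not turn into
    allows, and flows from other sources are somebody else's rule. Sources are
    summarised to src_prefixlen so one rule covers a segment instead of a host.
    """
    hits = Counter()
    for src, dst, proto, dport, action in parse_flows(text):
        if action != "PASS" or not covered_by(src, broad_sources):
            continue
        src_net = ipaddress.ip_network("{}/{}".format(src, src_prefixlen), strict=False)
        hits[(src_net, dst, proto, dport)] += 1
    rules = [{"src": str(k[0]), "dst": str(k[1]), "proto": k[2], "dport": k[3], "flows": n}
             for k, n in hits.items()]
    rules.sort(key=lambda r: (-r["flows"], r["src"], r["dst"], r["dport"]))
    return rules


def render(rules):
    return ["allow {proto}/{dport} from {src} to {dst}  # {flows} flow(s)".format(**r)
            for r in rules]


if __name__ == "__main__":
    for line in render(derive_rules(SAMPLE_FLOW_LOG, BROAD_SOURCES)):
        print(line)
```

Collect over a full business cycle (month-end and batch windows included) before trusting the list, and treat single-flow rules as review items rather than something to apply blindly; the hit counts are there to make that triage possible.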



Thursday, September 5, 2019

Need advice for HPE Switch for testing

Hello all, I'd like to get more familiar with HPE switches. The company is using 5130s with firmware v07-1309 (I believe it's the Comware flavor). I'm curious what is the cheapest/smallest HPE model switch I can buy that would run the same firmware? Kind of difficult to search for this kind of info online, so I'd very much appreciate any input. Thank you!



Zscaler proxy service conundrum

So guys and girls and folks and people. The company I work with uses Zscaler's proxy service, with just a PAC file. The thing is, I noticed that whenever going to any Microsoft-related website there's always a bit of latency; on most first loads you'd error out with a DNS error and then have to reload once or twice before it loads; typically after that it's good.

I recently (today), after months of troubleshooting, realized that most computers (laptops/desktops) that were left out were not configured for this and only some were, mine included. So I pushed out the proxy address via GPO.

The question I really have, though, is this: we are using Meraki APs with their cloud service, and logging into any Microsoft site is a no-go for us; it will let you open up Outlook, but once you get to the sign-in stage you will always get an error after clicking the sign-in button.

Has this happened to anyone? Is this something that can be fixed? Is this something I am not doing correctly? Are there things I am not including in this post?



CloudGenix ION deployments

Short: Has anyone ever worked with CloudGenix ION gear? I could use a design review from someone experienced with the product line, because I think I have a vendor trying to blow smoke up my ass.

Long answer: Since our team lead was laid off, I've been taking over one of our clients' CloudGenix deployments. There are some caveats to our DC environment, and knowledge that he took with him, that make this a little rougher than normal.

Connections from remote sites are hitting these boxes in our DC via Internet and our own MPLS network. It's a bog standard deployment on the face of it.

For the DC ION pair, they have two sets of uplinks: one to our chassis switch fronting our MPLS network and peered with the client VRF further downstream, as well as a dedicated pair to an ASA HA pair for public internet access. The connection to the ASA uses private IP space on the uplink, with all the NAT/egress routing handled by the ASAs themselves.

They're telling me that "The IONs are not a transit device and we need to route through the core." I think that's bullshit, because there were a brief few moments where that was functioning fine before they changed things. I'm convinced they have their internal routing rules wrong.

All I suppose I'm looking for is an answer to this: can those uplinks to the ASA be used for egressing to the Internet under those circumstances? They're trying to tell me it's exclusively for VPN traffic, which seems like uninformed bullshit.

I can make a sanitized document available upon request.



Cisco ASA denying SSH connection but Allowing Ping

I added a new network object to the DMZ so users can connect to the service from VPN, but it's being blocked over VPN.

But on the LAN I can access the host from any network.

I have a packet-tracer below; I'm not sure what I have configured wrong.

Thanks!

wpnetfw02# packet-tracer input vlan6 tcp 10.251.250.1 22 10.200.6.15 22 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaada9538a0, priority=1, domain=permit, deny=false
        hits=22087, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Vlan6, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.200.6.15 using egress ifc Vlan6

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface Vlan6
access-list DMZ_access_in extended permit ip object-group VPNCorpPool object net-dmz
object-group network VPNCorpPool
 network-object 10.251.250.0 255.255.255.0
 network-object 10.251.252.0 255.255.255.0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaadb36cc60, priority=13, domain=permit, deny=false
        hits=0, user_data=0x2aaace355200, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.251.250.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=10.200.6.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=Vlan6, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Vlan6,any) source static net-dmz net-dmz destination static Natexception Natexception no-proxy-arp route-lookup
Additional Information:
Static translate 10.251.250.1/22 to 10.251.250.1/22
 Forward Flow based lookup yields rule:
 in  id=0x2aaadb27bac0, priority=6, domain=nat, deny=false
        hits=0, user_data=0x2aaadb272370, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.251.250.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=10.200.6.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=Vlan6

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaada919240, priority=1, domain=nat-per-session, deny=false
        hits=26065, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaada95c8a0, priority=0, domain=inspect-ip-options, deny=true
        hits=4411, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=Vlan6, output_ifc=any

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaadaf038e0, priority=20, domain=lu, deny=false
        hits=1749, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=Vlan6, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Vlan6,any) source static net-dmz net-dmz destination static Natexception Natexception no-proxy-arp route-lookup
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x2aaadb27bea0, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0x2aaadb272260, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.251.250.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=10.200.6.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=Vlan6

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x2aaada919240, priority=1, domain=nat-per-session, deny=false
        hits=26067, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x2aaada95c8a0, priority=0, domain=inspect-ip-options, deny=true
        hits=4413, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=Vlan6, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 35592, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 12
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.200.6.15 using egress ifc Vlan6

Phase: 13
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 000c.294f.df54 hits 1 reference 2

Result:
input-interface: Vlan6
input-status: up
input-line-status: up
output-interface: Vlan6
output-status: up
output-line-status: up


Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Submarine Cable Maps 2013-2019

Hi,

Each year Telegeography makes some awesome submarine cable maps. They've been doing this for some time now, and the versions for the years 2013 through 2019 are available here:

During the last few years, I've stitched these together as high-resolution pictures (.png). The initial method was provided by /u/mcgroarty (thanks!). They are listed below in cut versions (letterboxes at the top and bottom removed), but uncut versions are also available at the bottom.

My personal favourite is the 2015 version. I made a custom version of it that has some minor edits to be better suited for print: I removed the year ("2015") so that it won't be "obsolete", and also made the "sponsored by" logo less intrusive (made it greyscale and removed the ®).

Uncut versions:



How does a router know which client to route an incoming packet to when it is performing NAT?

I’m an IT professional with a working knowledge of networks, but I just realized that I don’t fully understand NAT. Here’s a purely hypothetical question.

If two devices on a multi-client LAN with one WAN IP send out a request for reddit.com and both currently have open TCP connections with the same IP address, how do they accurately receive different responses? Would the Reddit server somehow include the client’s internal IP in the response for the router to read when it decapsulates the packet?
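The mechanism the question is about, as an added worked example (illustration code written for this page, not from the original post or from any router vendor; the addresses, the 40000+ translated port range and the table layout are assumptions): a NAPT device keeps a per-flow translation table, rewrites each outbound packet's source to its single WAN address plus a port it picks, and uses the destination port of the returning packet to find the inside host again. The remote server never learns or carries the private address; if two inside hosts happen to pick the same local source port, the router simply allocates different translated ports. The same table is why an unsolicited inbound packet is dropped: nothing maps it to an inside host.

```python
from dataclasses import dataclass, field
from itertools import count

# Constructed example: a minimal NAPT (port address translation) table, as a
# home router or firewall keeps it. Illustration code added for this page, not
# from the original post. All addresses below are made up.

WAN_IP = "203.0.113.10"        # the router's single public address (assumed)
EPHEMERAL_START = 40000        # first translated source port (assumed)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Napt:
    wan_ip: str = WAN_IP
    # outbound key: (proto, inside ip, inside port, remote ip, remote port) -> translated port
    outbound: dict = field(default_factory=dict)
    # inbound key: (proto, translated port, remote ip, remote port) -> (inside ip, inside port)
    inbound: dict = field(default_factory=dict)
    _ports: count = field(default_factory=lambda: count(EPHEMERAL_START))

    def translate_out(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source to the WAN IP and a unique port; record the mapping."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        tport = self.outbound.get(key)
        if tport is None:
            tport = next(self._ports)
            self.outbound[key] = tport
            self.inbound[(pkt.proto, tport, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.wan_ip, tport, pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt: Packet):
        """WAN -> LAN: the reply's destination port (plus peer) is what identifies the client.
        A tuple with no mapping is dropped, which is why an unsolicited inbound packet
        never reaches an inside host."""
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        inside = self.inbound.get(key)
        if inside is None:
            return None
        in_ip, in_port = inside
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, in_ip, in_port)


def demo():
    """Two inside clients, same local source port, same remote server and port."""
    nat = Napt()
    server = "198.51.100.7"   # made-up stand-in for the remote web server
    a_out = nat.translate_out(Packet("tcp", "192.168.1.10", 51000, server, 443))
    b_out = nat.translate_out(Packet("tcp", "192.168.1.11", 51000, server, 443))
    # The server replies to whatever it saw as the source: WAN_IP plus the translated port.
    reply_to_a = nat.translate_in(Packet("tcp", server, 443, WAN_IP, a_out.src_port))
    reply_to_b = nat.translate_in(Packet("tcp", server, 443, WAN_IP, b_out.src_port))
    # An unsolicited packet to a port nobody mapped is dropped.
    stray = nat.translate_in(Packet("tcp", server, 443, WAN_IP, 12345))
    return a_out, b_out, reply_to_a, reply_to_b, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Real devices also key on the protocol and on the remote endpoint (as here) and age entries out on a timer, so the table is what an inside host's "connection" looks like from the WAN side; a stateful firewall is the same lookup with a verdict attached.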



Network Engineer Interview Questions

I have to imagine this has been asked before, but we have a couple positions opening up in the near future and I was curious to hear what everyone's "go to" interview question(s) is for Network Engineer positions...



Questions on redistribution (eigrp)

I'm mainly a voip guy but have been getting thrown more and more into R&S things lately.

Inside a router eigrp section, I find this:

1> router eigrp 25
2>  !
3>  address-family ipv4 vrf GOOFY autonomous-system 25
4>   ...
5>   redistribute eigrp 12 route-map MICKEY
6>   redistribute connected route-map DAFFY
7>   network ...
8>  !

Names changed to protect the innocent.

Google-fu is giving me conflicting results so I wanted to ask humans -

Does line 5 mean it's taking the routes from eigrp 12 and injecting them into eigrp 25, filtered by the route-map, or the other way around?

Does line 6 mean it's redistributing its own routes that are "Connected", filtered through the route-map?

Is there a way to see exactly which routes I am advertising from a router?



Routing inbound network from both authenticated and open networks to the same VLAN? (HP Switches)

https://ift.tt/2LnTAti

BGP questions. Have statements under BGP xxx and neighbor family.

Hi, I have to stop advertising some routes to a BGP neighbor and was wondering about the best method given the following config. Given that I want to stop advertising to neighbor 169.254.255.1, what should I do?

Remove both the statements in router bgp 65005 and the address-family ipv4, or just one, or? Could I keep the BGP session established and then edit the ccc2aws prefix list to have a deny any at the top? Just looking for some ideas. Thanks.

router bgp 65005

bgp log-neighbor-changes

neighbor 10.2.20.102 remote-as 65005

neighbor 169.254.255.1 remote-as 7224

neighbor 169.254.255.1 timers 10 30 30

neighbor 169.254.255.5 remote-as 7224

neighbor 169.254.255.5 timers 10 30 30

!

address-family ipv4

network 0.0.0.0

network 10.0.2.0 mask 255.255.255.0

network 10.0.20.0 mask 255.255.255.0

network 10.1.0.0 mask 255.255.0.0

network 10.2.0.0 mask 255.255.0.0

network 10.2.52.0 mask 255.255.252.0

network 10.4.0.0 mask 255.255.0.0

network 10.6.0.0 mask 255.255.0.0

network 10.20.0.0 mask 255.255.0.0

network 10.23.0.0 mask 255.255.0.0

network 10.30.0.0 mask 255.255.0.0

network 10.101.2.0 mask 255.255.255.0

network 10.102.2.0 mask 255.255.255.0

network 10.103.0.0 mask 255.255.0.0

network 10.104.0.0 mask 255.255.0.0

neighbor 10.2.20.102 activate

neighbor 10.2.20.102 next-hop-self

neighbor 169.254.255.1 activate

neighbor 169.254.255.1 default-originate

neighbor 169.254.255.1 soft-reconfiguration inbound

neighbor 169.254.255.1 prefix-list aws2ccc in

neighbor 169.254.255.1 prefix-list ccc2aws out

neighbor 169.254.255.5 activate

neighbor 169.254.255.5 default-originate

neighbor 169.254.255.5 soft-reconfiguration inbound

neighbor 169.254.255.5 prefix-list aws2ccc in

neighbor 169.254.255.5 prefix-list ccc2aws out

exit-address-family



Cost effective firewall solution for small hotel.

Small hotel - 37 Rooms.

Looking for a new firewall solution due to P2P infringement notices. Have considered PFSense, Zyxel, Ubiquiti. Currently the hotel is utilizing the following hardware:

TP-Link TL-ER6020 Router

Rosewill RGS-108P POE Switch (Guest PC+Conference/Meeting Room+AP)

4 x Zyxel NWA1123-NI AP

TP-Link TL-SG1016 Switch (Handles Office PC+Printers)

I'm looking for an effective yet cost-effective solution to the problem and was looking for recommendations. I'm leaning toward Ubiquiti and pfSense, as Zyxel, Sophos, etc. require subscription services going forward.



Testing a layer 2 change to Layer 3

Hi fellow networking colleagues

I have a question.

Our interconnect between the data centers is currently layer 2, but the new design tells us to change it to layer 3.
Fortunately there are only 3 ICs travelling over this line, so this is fairly simple to rebuild. Before I write this implementation plan,
I want to test it in GNS3. So I have created 2 core switches (HP VSR1000) and built the configuration as close as possible to
our production environment.

Config on site A:
#
interface Route-Aggregation1
description To-->SiteB
link-aggregation mode dynamic
#
interface Route-Aggregation1.50
description Production-CustA
ip binding vpn-instance Customer-A
ip address xx.xx.xx.xx xx.xx.xx.xx
#
interface Route-Aggregation1.60
description Production-CustB
ip binding vpn-instance Customer-B
ip address xx.xx.xx.xx xx.xx.xx.xx
#
interface Ten-GigabitEthernet1/0/1
port link-mode route
port link-aggregation group 1
#
interface Ten-GigabitEthernet1/0/2
port link-mode route
port link-aggregation group 1
#

Config on site B:
#
interface Route-Aggregation2
description To-->SiteB
link-aggregation mode dynamic
#
interface Route-Aggregation2.50
description Production-CustA
ip binding vpn-instance Customer-A
ip address xx.xx.xx.xx xx.xx.xx.xx
#
interface Route-Aggregation2.60
description Production-CustB
ip binding vpn-instance Customer-B
ip address xx.xx.xx.xx xx.xx.xx.xx
#
interface Ten-GigabitEthernet1/0/2
port link-mode route
port link-aggregation group 1
#
interface Ten-GigabitEthernet1/0/3
port link-mode route
port link-aggregation group 1
#

Ragg 1, 1.50 and 1.60 are all in the up state, but I cannot ping the other side.
I've read all the documentation on this software but could not find the restriction of this software.
Am I doing something wrong?

I hope someone can help me.

Greetings

Palermo



Interesting Routing Issue I've Noticed on IOS-XR

Hey All.

This is the second time I've seen this, and I'm not sure why it's happening, so I'm hoping someone else has come across this. And I don't know if it's specific to just IOS-XR (9010 platform, for what it's worth); I'm sure it's not.

In short, I have a prefix that, when you do a show route ipv6 <prefix>, shows the proper exit interface along with where it's learning it from. When you do a traceroute, though, it goes out a completely different interface... like, that interface is a totally different environment. That prefix, or even the aggregate it belongs to, has no bearing within this segregated network. The way we fixed it before was that we shut down that interface, brought it back up, and routing was fine after that (about 3 months ago).

This is happening on a different router, so the first issue is still resolved, but I'd like to know HOW to fix this properly and WHY it's happening. I suspect something in the FIB, but I don't know how to look that up currently on the ASR. I will google that right now, but if anyone has any info, by all means please share.

Thanks.



WAN QoS - Cisco IOS Question

Morning all,

Without going into too much detail, I have 2 Cisco IOS devices with a site-to-site IPsec tunnel between them. At HQ I have a PBX; at the S/O I have a handful of IP phones.

All traffic traverses the IPsec tunnel: web, WSUS, Citrix, and phones. Needless to say, when the users start hammering Citrix/YouTube/etc., the phones begin to sound robotic.

I'm not familiar enough with Cisco IOS QoS, but inbound QoS doesn't make sense to me which leaves outbound.

Is there a way for me to say:

  1. Where would I need to apply a policy? HQ external interface? S/O external interface?

  2. Do I need to specify the entire available bandwidth of each link for QoS to function, or could I just say "if the following source/destination IP addresses generate traffic -- give them X kb/s" using the "priority" command?

  3. How would this policy apply given it's traversing a VPN -- does anything special need to happen so IOS can actually read the packet prior to encapsulation?

Thanks!

EDIT: This was the walk-through I used to build the IPSec tunnel in the first place - http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html



Visio Connector Default Style

It frustrates me to no end that the default connector for a network diagram in Visio has an arrow on one end. I know how to turn this off in the document stencil but that process is cumbersome. Is there a way to turn that off as a default? I'm surprised this isn't a hotter topic on the 'net because I can't be the only one frustrated with this... OR it's a super easy thing to change and I'm just a dummkopf!

TIA



Wireless recommendation

We have a small area that has no cable drops. Looking for recommended hardware to help with below scenario.

Existing wireless: Cisco 3802. Need a device that can provide up to 5 Ethernet ports that can do VLANs. This device should act as a wireless client/bridge that connects to the existing wireless network.



Restarting network switch to solve network issues

Just to share my personal experiences here: I am a systems integrator focusing heavily on the transportation industry. I consider myself pretty proficient in networking knowledge and cross-vendor network integration.

I try to troubleshoot network design issues, sudden network failures, etc. with proper procedures: checking logs, looking at port/CPU utilisation, studying the routing table, show mac-address table, etc.

However, restarting the switches where the network fault is reported seems to have solved most of the problems throughout my networking career, which is pretty weird! Sometimes I find it difficult to explain to my clients as well, simply because the root causes are not found. But the network runs fine until today.

Share your experiences here as well!



What after CCNP R&S?

I got my CCNP R&S certification about a year ago. Now I want to study something else, but I don't know what to study, tbh. There are a lot of things and I don't know what to choose: Security, Service Provider, Data Center, Cloud, Virtualization, VMware, AWS, etc.

Can anyone help me with any suggestions?



Vlans vs router on small network

Hi guys

I am designing a network for a fictional IT college in Packet Tracer as part of my assignment. I have most of the design done and functional; however, I'm hesitant on one thing: routers vs VLANs.

I have a router connected to the main core switch, which distributes the network across the LAN and the other switches in each department. I have created VLANs with the idea of securing the network based on user access, such as staff, student, guest and IT management; however, I'm wondering if those 4 VLANs are enough or whether I should also add routers in each department.

VLANs do the job for me already, as I'm able to route specific traffic where I want to. What would be the benefit if I also added a router in each department?

Is there a point in doing this?



Open vSwitch NATed bridge

Hi, I'm trying to recreate the default libvirt/KVM switch (usually called virbr0) using OVS.

I run OpenNebula for hardware management and I'd like to have a "private LAN" for each client's VMs, if that makes sense.

I managed to get NAT working but have no idea how to get an internet connection through it like the Linux bridge does.

Any help or resource appreciated



CISCO: Allow show running in Privilege 1?

Hi. We have a router which currently authenticates to a TACACS server, but the issue is that one of the accounts can execute show running (limited output) and the other account is not allowed to run/execute the command. Here's the configuration and result:

Config:

aaa authentication login default group AUTH local
aaa authorization exec default group AUTH if-authenticated
aaa authorization commands 1 default group AUTH if-authenticated
aaa authorization commands 15 default group AUTH local if-authenticated
aaa accounting commands 15 default stop-only group AUTH

ROUTER#sh run | i privi
privilege exec level 1 show spanning-tree
privilege exec level 1 show logging
privilege exec level 1 show startup-config
privilege exec level 1 show running-config

Acct 1 - Successful but limited output

ROUTER>sh pri
Current privilege level is 1
ROUTER>sh running-config
Building configuration...

Current configuration : 195 bytes
!
! Last configuration change at 07:17:43 GMT Thu Sep 5 2019 by robelar
! NVRAM config last updated at 07:18:23 GMT Thu Sep 5 2019 by robelar
!
boot-start-marker
boot-end-marker
!
!
!
!
!
!
end

Question:

  1. For the limited output from the show run command, is this because of the current privilege level, which is 1?

A: This is by design and is part of the command security mechanisms in IOS. Even though you lower the required privilege level for the show running-config command, the output will never include commands that are above the user's privilege level. Since configuration commands are level 15 by default, the output will appear blank. If you lower specific commands to level 7, these will appear in the running-config when the command is issued by the privilege level 7 user.

Acct 2 - Not successful, Authorization failed

ROUTER>sh running-config
Command authorization failed.

Question:

  1. For this one, why can't Acct 2 even execute this "show run" command?

Thanks



Wednesday, September 4, 2019

Help with subnetting question

I am trying to understand how to subnet better, as well as learning how to do it all in my head. I ran into these two questions, and I did the parts in red, but I was confused about something. For number 4, it says "what's the 3rd subnet after this", and question 4 says "which subnet is that IP address in". Could someone explain to me what this means?

Also, I know that these questions did not ask me to write all that down; I did it so I can get more used to knowing these things by heart.
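As an added worked example (not from the original post, whose questions were in an image, so the networks and addresses below are constructed): the two question types, "the 3rd subnet after this one" and "which subnet is this address in", done with Python's ipaddress module and then the way you do it in your head, by block size in the octet where the mask ends.

```python
import ipaddress

# Illustration code added for this page, not from the original post.
# All networks and addresses are constructed.


def subnet_after(subnet: str, n: int) -> str:
    """The n-th subnet of the same size after `subnet` (n=1 is the next one)."""
    net = ipaddress.ip_network(subnet, strict=True)
    start = int(net.network_address) + n * net.num_addresses
    return str(ipaddress.ip_network(f"{ipaddress.ip_address(start)}/{net.prefixlen}"))


def containing_subnet(address: str, prefixlen: int) -> str:
    """The /prefixlen block that contains `address` (strict=False masks the host bits off)."""
    return str(ipaddress.ip_network(f"{address}/{prefixlen}", strict=False))


def block_size(prefixlen: int) -> int:
    """Mental-arithmetic view: the increment between subnets in the 'interesting' octet,
    i.e. 2 to the number of host bits that fall inside that octet."""
    host_bits = 32 - prefixlen
    return 2 ** (host_bits % 8)


def by_hand(address: str, prefixlen: int) -> str:
    """Same answer as containing_subnet, computed the way you do it in your head:
    find the octet where the mask ends, round it down to a multiple of the block size,
    zero everything after it."""
    if not 1 <= prefixlen <= 32:
        raise ValueError("prefix length must be 1..32")
    octets = [int(o) for o in address.split(".")]
    idx = (prefixlen - 1) // 8            # octet the mask ends in
    size = block_size(prefixlen)
    octets[idx] -= octets[idx] % size
    for i in range(idx + 1, 4):
        octets[i] = 0
    return ".".join(map(str, octets)) + f"/{prefixlen}"


if __name__ == "__main__":
    print(subnet_after("192.168.1.64/26", 3))        # 192.168.2.0/26
    print(containing_subnet("172.16.45.200", 26))   # 172.16.45.192/26
    print(by_hand("10.1.37.9", 20))                 # 10.1.32.0/20
```

Working a /20 by hand: 32 - 20 = 12 host bits, 12 mod 8 = 4 bits in the third octet, so the block size is 16 and 10.1.37.9 rounds down to 10.1.32.0/20; the same arithmetic gives 64 for a /26 in the fourth octet.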



Cheap but good Cisco switch for practice

Hi! I'm studying for my CCNA to take the next step and learn networking. With that being said, does anyone recommend a cheap but good Cisco switch to practice with? I don't want to spend more than $200 if that's possible. Thanks for any insight!



Constant network packets ageing out. Users lose internet access.

I am a bit confused by this one. For about a month now, users at a remote site have been complaining that at various times of the day they cannot connect to the internet. It's honestly incredibly frustrating to work through.

To start, this issue never hits everyone at once. It's a group of users here, an hour later it's an access point, then an execs computer. It's been frustrating to troubleshoot.

What has been verified so far:

  • My lead network engineer verified the firewall was working properly. And I have to agree with his assessment.

  • Worked with Cisco Tac to troubleshoot our network switches. They were unable to find any issues with switch ports or the switch itself.

  • Users are still connected to the network on the LAN side. When the issue crops up I can ping the user's machine from the firewall/switches' LAN side.

  • The DHCP pool is on the firewall, and it has no issues giving out leases to users. We're nowhere near capacity with our IP address leases, and even when the users have internet issues the firewall will still assign a DHCP address to them.

  • Access points are Meraki cloud-managed. They also lose access to the cloud and are usually reported as down. I should mention that they aren't actually down, and users can connect to the LAN side; users just cannot access the internet.

  • During the time these issues are reported I can still log into the switches to manage them, and from the switch I can ping our local DNS/AD server.

At this point the only thing I haven't done is speak with the ISP (which is next). But I was hoping I could get some insight from /r/networking. This one is slightly driving me up a wall.

Thank you for your help/advice.



Python for networking online training course?

Hi, I would like to ask if there's any recommended Python training course for networking. I tried Udemy and took a Python course, but it was not really related to networking. I started creating scripts for our network almost a year ago, but I want to enhance my skills, so that's why I'm asking.

I'm interested in topics like building SSH tunnels, CGI (web), and other stuff/methods for networking.

Thanks



Need an advice with mesh wifi for my company small office

Hi everyone,

The story is my boss wanted to replace the whole wifi system in the office with newer gear. They've been using the old Linksys WRT54G for this purpose for a long time (I only started working here recently), and they're slow and becoming unstable now. Plus, it's just a small office but we have like 5 different SSIDs; it's annoying when you have to go upstairs and then downstairs and then have to manually reconnect the wifi. So I recommended my boss use a mesh wifi system and he agreed. The problem is I know about these systems but never really had a chance to build a network with one, and I'm kind of lost between a lot of manufacturers and brands: UniFi AP, Linksys Velop, Netgear Orbi, ... so I need your advice.

My company office has two floors, about 405 square meters (27m x 15m, about 4300 square feet), 20 cm brick walls, 3.5m (11.5ft) from floor to ceiling. The blueprints of the floors are below. I'm thinking about using 4 Linksys Velop units, 2 on the ground floor and two on the 1st floor. Is that enough to cover the whole office?

ground floor blueprint: https://imgur.com/nX3MdSh

1st floor floor blueprint: https://imgur.com/EjtxWyj

I appreciate any advice, thanks.

P.S. English is not my native language, so sorry for any mistakes :D



Zscaler + Velocloud + Managed Services

I am looking for a partner in the US (preferably the Chicago area) that provides implementation and managed services for Zscaler + VeloCloud. Good ol' Google got me nowhere.



This doesn't seem right

pfSense IP (routing mode): 192.168.1.1

Cable modem: 192.168.100.1

Will this cause problems?



WAN QoS: Shape vs. Police

DC-A is replicating storage traffic to DC-B over a 1 Gbps WAN link. Latency is about 30 ms. The nature of the traffic is VMware/Zerto, which appears to be using TCP.

The goal is to limit traffic to 650 Mbps. Is it best to shape or police? I think policing is better, so as to let the server-side TCP take care of control. But maybe shaping is better; I don't know without trial and error. The result in either case should be maximum speed and performance for the replication traffic at 650M.

For the sake of focusing on this particular type of traffic, I left out other stuff like voice, video, Internet, etc.
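Added illustration, not from the original post: one token bucket run over the same burst of packets, first acting as a policer (a packet that finds too few tokens is dropped) and then as a shaper (it waits in a FIFO until the tokens accrue). Link rate, packet size and bucket depth are constructed numbers. It models only the bucket, not TCP's reaction, which is the point of the comparison: the drops a policer produces are what make a TCP flow back off and saw-tooth below the configured rate over a 30 ms path, while the shaper turns the same excess into queueing delay that TCP's window simply absorbs. The usual rule of thumb follows from that: shape on your own egress, where you control the queue and the traffic is TCP; police where you are enforcing a contract and do not want to buffer.

```python
# Illustration code added for this page, not from the original post.
# Rates, sizes and the bucket depth below are constructed.

LINE_RATE_BPS = 1_000_000_000   # packets arrive back-to-back at 1 Gbps line rate
LIMIT_BPS = 650_000_000         # the 650 Mbps target from the post
PKT_BYTES = 1500
BUCKET_BYTES = 15_000           # burst allowance: 10 full-size packets (constructed)


def burst(n_packets: int, size: int = PKT_BYTES, rate_bps: int = LINE_RATE_BPS):
    """n back-to-back packets at line rate, as (arrival_time_s, size_bytes)."""
    gap = size * 8 / rate_bps
    return [(i * gap, size) for i in range(n_packets)]


def token_bucket(arrivals, rate_bps: float, bucket_bytes: int, shape: bool):
    """Run one token bucket (tokens are bytes, refilled at rate_bps) over the arrivals.

    shape=False (police): a packet that finds too few tokens is dropped.
    shape=True  (shape):  it waits, in order, until enough tokens have accrued.
    Returns (delivered, dropped, max_delay_s).
    """
    tokens = float(bucket_bytes)
    refilled_at = 0.0      # time up to which tokens have been credited
    next_free = 0.0        # shaper: departure time of the packet ahead in the FIFO
    delivered = dropped = 0
    max_delay = 0.0
    for t, size in arrivals:
        start = max(t, next_free) if shape else t
        tokens = min(bucket_bytes, tokens + (start - refilled_at) * rate_bps / 8)
        refilled_at = start
        if tokens >= size:
            tokens -= size
        elif shape:
            start += (size - tokens) * 8 / rate_bps   # wait out the deficit
            tokens = 0.0
            refilled_at = start
        else:
            dropped += 1                              # policer: excess is discarded
            continue
        delivered += 1
        max_delay = max(max_delay, start - t)
        next_free = start
    return delivered, dropped, max_delay


def compare(n_packets: int = 1000):
    """Same burst through the policer and the shaper, for side-by-side numbers."""
    arr = burst(n_packets)
    return {
        "police": token_bucket(arr, LIMIT_BPS, BUCKET_BYTES, shape=False),
        "shape": token_bucket(arr, LIMIT_BPS, BUCKET_BYTES, shape=True),
    }


if __name__ == "__main__":
    for mode, (ok, lost, delay) in compare().items():
        print(f"{mode:6s} delivered={ok:4d} dropped={lost:4d} max_delay={delay * 1000:.2f} ms")
```

For a 1000-packet burst at 1 Gbps the policer passes roughly 65% and discards the rest once the 15 kB allowance is gone, while the shaper delivers everything and the last packet leaves about 6 ms late; whether that delay is acceptable is a question of the shaper's queue depth, which on a real box is the other knob to size.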



Network latency monitoring

Has anyone come across network latency monitoring as a hosted service? Something along the lines of Pingdom, I guess, but not for monitoring outages; rather, to alert if latency goes outside of acceptable limits.

I've been looking for something like a hosted SmokePing but with alerting capability, and whilst I could fire up a VM somewhere and run a copy, I just wasn't sure if I'm overlooking an obvious service that's already out there.

Any thoughts?



Need recommendations for multi-site AD and file sharing

I've been out of the IT game for a few years, but recent layoffs have me taking on some private clients.

A new one has multiple offices that share many SaaS resources and needs user management and basic file sharing/data backups.

What's best practice in this case? A single domain with a DC in each office and a single file storage location? Is there a simpler and more cost-effective solution than buying a server for each office?

Also, to get the servers to connect to each other, does one have to be running web services or public DNS services?



Port Forward Question /?

I'm trying to connect to a remote desktop session on network Two from network One. There is no problem connecting to the remote desktop from the internet. The only time I can't connect is when the laptop is on network One.

ISP has issued me two WAN addresses. ISP is saying the two IP's are on the same Vlan.

One is WAN network x.x.42.30 (fake numbers), to Router One.

Two is WAN network x.x.42.37 (we have a port open on x.x.42.37:3558), to Router Two.

Sites are a couple miles apart.

I can ping both the IP and the port from remote and it works perfectly.

I can ping Two from One, But I can't ping the port 3558.

Am I missing something?



Trouble with Nomanclature of ACI

Edit: Sorry for the incorrect title spelling (spelling was never my strong suit).

I am looking at an INE diagram describing the object workflow of ACI. A logical construct called the switch selector is referenced under the switch profile. I have found this concept confusing, so I tried to google it and found nothing by that name.

I finally put 2 and 2 together (derp) and matched the official nomenclature of "leaf selector" with the switch selector logical construct being referenced in the object workflow.

Can someone please confirm that their simplification of terminology is what is confusing me here?

Or am I just completely lost at sea?

https://images.app.goo.gl/8d6fkGYopQDcyjGS6



Clientless VPN ASA - .jsp not working

I've googled quite a bit and can't find anything definite. I'm trying to get Oracle access working through the ASA clientless VPN. It's a Java web page. Users can log in. I have the home page of the clientless VPN set to the Oracle web page they need to access. They can log in fine and get to the right Oracle web page. However, none of the buttons on the Oracle page, which is .jsp, work, like the login button for example. I opened up the HTTP debugger in IE and can't see that the web page is doing anything. Any ideas?



Has anyone gotten SolarWinds SAML authentication to work with Keycloak? Is it even possible?

I've been trying to get it to work for the past couple of days; Keycloak seems pretty straightforward and intuitive, but I keep running into problems.

For example, SolarWinds doesn't sign its SAML request, forcing you to disable "client signature required".

When I use the test button from SW, the error I'm getting now is quite cryptic: "an item with the same key has already been added."

TL;DR: I would like to know if it actually can work with Keycloak before I invest any more time.



adding network module to stacked 3850?

Hey guys, quick question. I'm going to add a 10G network module to one of my stacked 3850s for an additional uplink trunk. Should I just pull the power from the switch, install the card and power it back up? I know you can reload a stack member, but I don't want it coming right back up, obviously. (Not worried about an outage on the affected switch's ports.)

Edit: Sweet, thanks guys. I will just hot-swap them then. I thought I remembered trying this before on another 3850 and it didn't show up till after a power cycle. I'm definitely in favor of not taking an outage!



C9300 - Can't Get Into WebUI

I have tried accessing the WebUI on a fresh out-of-the-box C9300-48T-A, with no luck: not getting addresses from the on-board DHCP. Per Cisco's (and everyone else's) instructions, you have to:

  • Set your PC to receive DHCP - done
  • Boot up the switch with nothing connected - done
  • Don't enter anything at initial config prompt - done (connected via console to ensure the prompt is still there)
  • Connect your PC to any port on the active supervisor (used straight-through and crossover cables, just to verify) - done (tried multiple interfaces)
  • Wait 3 minutes - done
  • DHCP should assign an IP of 192.168.1.1 to your PC - This is where it fails. I'm just getting a 169 APIPA every time. I've also tried on a MacBook and different PCs, just in case.

I've tried setting the port to a static 192.168.1.1, in case DHCP isn't doing its thing for whatever reason, but no such luck.

I've tried entering https://192.168.1.1 into many different browsers, cleared cache, but no luck.

The only extras we have on this switch are that it shipped with a 4X module and 2 PSUs; I don't think any of that should matter.

EDIT: We went ahead with the base config, and after configuring our management VLAN IP we're able to get into the WebUI via that IP, so it seems the out-of-the-box DHCP just wasn't configured and wasn't assigning the IP to the host. Not really a solution, since this was "supposed" to be automatically assigned without any CLI config, but oh well, it's a result. Will test the WebUI on the remaining 4 we have, just to see if they behave any differently.



3Com 4226T Replacement Fan

As the topic says, I need to replace the fans on a client's 3Com switch, model 4226T. I have no experience with this switch, so I was hoping for some insight. Anyone here know what kind of fan I would need to replace it with? Will any old 60mm fan do, or would 40mm fit better?

I can't seem to find much info online....



Blocking/Kill-Switch internet if Openvpn-UDP drops?

Hiya :)

Q1) I'm looking for a script that can be applied to a DD-WRT router with the latest firmware (v3.0) that blocks internet access (kill switch) if OpenVPN-UDP drops. I found this, but I'm not sure whether I need to enable the setting below (the SPI firewall) or not:

{DD-WRT}>Security>Firewall>Security>SPI Firewall [ Enable x Disable]

I mean I'm not sure about this, which I applied at the location below:

{DD-WRT}>Administration>Commands> Firewall:

iptables -I FORWARD -i br0 -o eth1 -j DROP

WAN_IF="$(ip route | awk '/^default/{print $NF}')"

iptables -I FORWARD -i br0 -o $WAN_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited

iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -m state --state NEW -j REJECT --reject-with tcp-reset

-----------------------------------------------------

Q2) Can someone tell me what this line does?

iptables -I FORWARD -i br0 -o eth1 -j DROP

Thanks and best of luck <3



Why can SSTP get though firewall?

My university has recently deployed a firewall with DPI that filters OpenVPN TCP traffic over port 443. I then tried connecting to a VPN server using SSTP, and for some reason the SSTP traffic is not filtered by the firewall.

How are they able to filter OpenVPN traffic, and not SSTP traffic?



How do you automate in your business?

Hi -

We are looking to automate some elements relating to the provisioning of new services into our data centre. Currently it is very, very manual.

I have been experimenting with the UCS XML API on the UCS-PE and seem to have a pretty good grasp of it now. I can't see myself having any issues with programmatically deploying elements into UCS for new services; however, my question relates to the end-to-end workflow of the overall process.

Let's take a new VLAN deployment, for example...

We plan to have a service portal in ServiceNow (our ticketing system) for something like "new DC VLAN/service". This takes the mandatory fields from the user (server team) required to create the VLAN (name, tag, etc.) and creates a request for service...

I was then thinking we wait until the service request is manually sanity-checked by a network engineer; the engineer runs the relevant script from an automation host (probably some Linux distro) and references the service request ID to populate the required templates (by interrogating the ServiceNow API), and the VLAN is then programmatically created on the UCS platforms.

To me the manual running of scripts seems a bit clunky. This is our first run at automating elements of network service provisioning, and we don't really have any reference deployments, or have seen the inner workings of any, to take inspiration from.

Are there any other components in terms of overall process workflow we could look at?

Thanks guys :)



IBM Proventia detecting traffic from a blocked IP

A SOC nobody trying to get some insight into a network architecture.

So one of our clients has IBM Proventia as their IDS and Check Point as their perimeter FW.

So we have blocked an IP due to an offense that was triggered. After that, the traffic, even though it is getting dropped on the firewall, is still getting detected at the IDS.

Does CP send or perform a behavior something akin to SPAN?

What are the possible architectures that could be causing this behavior?



Netalyzr alternative?

Netalyzr was a powerful tool for identifying problems with network connections, run by a research team at Berkeley. Earlier this year the project (and the server) got shut down without the release of the source code.

As far as I can tell there's nothing even a quarter as effective around; what has everyone else been using?



Finding owned & forgotten IP addresses

I'm just investigating how a person would verify whether, back in the day, the company they are working for bought a block of IP addresses. I found out that sister companies do own several /24 blocks, and it seems likely that this organization would have as well... but there are no records onsite that I can find. Anyone know where to start looking for this? Thanks!



Any ISP DSL PPPoE experts?

I am just looking for someone to help me put this issue to an ISP.

Basically I see an issue all the time with an ISP where the line is DSL using PPPoE.

The topology is this: ISP -> bridged DSL/VDSL ISP modem -> edge FW PPPoE client

The issue arises when the PPPoE session goes down and needs to be rebuilt, mostly after a reboot of the FW.

When the FW comes back online and the PPPoE client on the WAN interface comes up, internet connectivity is restored, but site-to-site IPsec VPN tunnels frequently are not.

I have narrowed the issue down to the frames coming into the FW PPPoE interface via the bridged modem, from the VPN peer, having the wrong PPPoE session ID and getting dropped by the FW.

All other frames have the correct PPPoE session ID and connectivity is good.

I can get things back working by rebooting the ISP bridged dsl modem, leaving it powered off for a minute or so.

I am guessing the issue is probably related to some PPPoE server load balancing on the ISP end, but in order to ease the pain explaining this to the ISP... does anyone with experience on the ISP end or indeed with a better understanding of PPPoE than me have any suggestions?

The issue only affects VPNs which were established before the PPPoE session goes down (and UDP traffic in general, I am pretty sure). I can successfully build a new VPN to a new peer (one which was not established before the PPPoE session died) while the issue is present.

Cheers
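To confirm the diagnosis above from a capture on the firewall's WAN interface, here is an added Python example (not from the original post) that parses PPPoE session frames and tallies any whose session ID differs from the one the PPPoE client currently holds; the MAC addresses, session IDs and frames are constructed test data.

```python
"""Audit PPPoE session frames on a bridged DSL link for stale session IDs.

Added example, not from the original post. On a real link you would feed
raw Ethernet frames captured on the firewall's WAN/PPPoE interface; here the
frames, MAC addresses and session IDs are constructed test data.
"""
import struct
from collections import Counter

ETHERTYPE_PPPOE_SESSION = 0x8864  # RFC 2516 session-stage EtherType
PPPOE_VER_TYPE = 0x11             # version 1, type 1
PPPOE_CODE_SESSION = 0x00         # code 0x00 = session data
PPP_PROTO_IPV4 = 0x0021


def parse_pppoe_session(frame: bytes):
    """Return header fields of a PPPoE session frame, or None for anything else."""
    if len(frame) < 22:  # 14 Ethernet + 6 PPPoE + 2 PPP protocol
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_PPPOE_SESSION:
        return None
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE or code != PPPOE_CODE_SESSION:
        return None
    ppp_proto = struct.unpack("!H", frame[20:22])[0]
    return {
        "dst_mac": frame[0:6].hex(":"),
        "src_mac": frame[6:12].hex(":"),
        "session_id": session_id,
        "length": length,
        "ppp_proto": ppp_proto,
    }


def audit_session_ids(frames, active_session_id):
    """Classify frames against the session ID the PPPoE client currently holds.

    Returns (accepted, stale, other): accepted counts frames for the live
    session, stale maps each wrong session ID to its frame count (these are
    the frames the firewall would drop), other counts non-PPPoE-session frames.
    """
    accepted, other = 0, 0
    stale = Counter()
    for frame in frames:
        hdr = parse_pppoe_session(frame)
        if hdr is None:
            other += 1
        elif hdr["session_id"] == active_session_id:
            accepted += 1
        else:
            stale[hdr["session_id"]] += 1
    return accepted, stale, other


# --- constructed test data (hypothetical MACs and session IDs) ---
BRAS_MAC = bytes.fromhex("0200aa000001")   # ISP-side access concentrator
FW_MAC = bytes.fromhex("0200bb000002")     # firewall's PPPoE client
ACTIVE_SESSION_ID = 0x0012                 # session after the FW reboot
OLD_SESSION_ID = 0x0007                    # session before the reboot


def build_session_frame(session_id, ppp_payload=b"\x45\x00\x00\x14"):
    """Build a PPPoE session frame from the BRAS to the FW carrying IPv4 over PPP."""
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ppp_payload
    pppoe = struct.pack("!BBHH", PPPOE_VER_TYPE, PPPOE_CODE_SESSION, session_id, len(ppp))
    return FW_MAC + BRAS_MAC + struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + pppoe + ppp


ARP_FRAME = FW_MAC + BRAS_MAC + struct.pack("!H", 0x0806) + bytes(28)

SAMPLE_FRAMES = [
    build_session_frame(ACTIVE_SESSION_ID),   # ordinary traffic after reboot
    build_session_frame(OLD_SESSION_ID),      # VPN peer traffic, stale session
    build_session_frame(ACTIVE_SESSION_ID),
    build_session_frame(OLD_SESSION_ID),
    ARP_FRAME,                                # not PPPoE, ignored
    build_session_frame(ACTIVE_SESSION_ID),
]

if __name__ == "__main__":
    ok, stale, other = audit_session_ids(SAMPLE_FRAMES, ACTIVE_SESSION_ID)
    print(f"accepted={ok} other={other}")
    for sid, n in stale.items():
        print(f"stale session id 0x{sid:04x}: {n} frames (would be dropped)")
```

If the stale counter is non-empty only for the VPN peer's frames, that supports the ISP-side explanation rather than a local firewall fault.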



Filtering ICMP on Cisco ASR ACL.

So I have IN and OUT ACLs on the WAN interface of a Cisco ASR.

I want to allow an IP from the internet to ping and traceroute to an IP inside my network (public IP, no NAT).

Will the below configuration work?

Internet to my network

permit icmp host A host B echo

Network to Internet

permit icmp host B host A

When I checked on the router, it does not let me configure

permit icmp host A echo-reply host B

but it does allow

permit icmp host A host B echo-reply

Will this allow the reply back for a ping from A to B?

Can I just use the icmp command? I just don't want to use echo-reply, time-exceeded, unreachable etc...



Junos SRX software not validating

Hi,

I'm unable to validate the latest Junos image; the SHA and MD5 hashes are valid and working. But I'm unable to validate any recent versions of the software.

> request system software validate /var/tmp/junos-srxsme-15.1X49-D180.2-domestic.tgz
Sep 04 10:47:42
Checking compatibility with configuration
Initializing...
Using /var/tmp/junos-srxsme-15.1X49-D180.2-domestic.tgz
chroot: /bin/sh: No such file or directory
ERROR: validate-config: junos/+REQUIRE fails
ERROR: Configuration validation failed with /var/tmp/junos-srxsme-15.1X49-D180.2-domestic.tgz



Tuesday, September 3, 2019

Using three different IPs for an ASAv c4.large instance?

Hello all, just a question that is probably easy for you guys to answer but not so clear to me. I am running an ASAv; we are currently in a testing phase and at the moment I am using the ASAv c4.large instance from the Amazon Marketplace. At the moment I am using two ENIs that are assigned to two different subnets (using these as an inside and an outside address). I can see that the ASAv can have up to 3 ENIs on the c4.large image, however when I add the additional interface it just pulls an IP from the inside interface subnet (which is the default subnet it was created in). Is this the expected behaviour or am I doing something wrong? I thought I could assign this 3rd ENI (the management ENI) to its own subnet? It let me do this with the outside interface when the instance was created. Am I missing something?



Would you use 4506-E w/7E supervisor as a distribution switch?

I know these are meant for access layer, however after closing down a small campus these are sitting around and I'd like to get some use out of them. I have a pair of 6509-E w/Sup720-3B supervisors (not using DFC line cards) that I'd like to replace. Budget is small so unfortunately I can't replace the 6509s with cat9K right now, and I'm just wondering if using the 4506s is the wrong idea. This would be the aggregation point for 6 access stacks, 3-4 esxi hosts, a wireless controller, and a few misc. servers. Let's say around 1000 users primarily on wifi and mostly web traffic. Any input is appreciated, thanks.



Virtual machines unable to ping host server

I recently replaced my small business's old Cisco switch with a managed FortiSwitch. I did the requisite rejigging of network interfaces on our gateway (FortiGate) to set things up as "one big switch" - as was the case with the Cisco.

All physical hosts can talk to each other without issue, including communicating with a number of virtual machines I have hosted on our Primary and Secondary (Windows Server 2016) domain controllers. My issue is that the (Hyper-V) VMs themselves can't ping their host servers (they can ping each other though). Interestingly, one VM on one host can ping the other host (of the other vm's).

I feel like this would have to do with how the Virtual Switch is configured, however, I haven't changed it from default external setup.

Windows firewall has been turned off on host servers and virtual machines.

What am I missing here? Any help would be massively appreciated.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Virtual switch configuration

Hi everyone, an I.T. noob here. I want to know how to check the MAC table, VLAN configuration, etc. in a virtual switch.

Is there a way to get CLI output from a virtual switch showing how it's configured?

I wanted to know if we can configure a virtual switch the way we would configure a Cisco switch, and learn more about it with a view to configuring it securely without data leaking to neighbouring virtual machines.



More Windows vs. Linux / MacOS window scaling throughput differences

Following on from https://www.reddit.com/r/networking/comments/alf8h2/tcp_window_scaling_windows_vs_linux_crazy/ (now archived), for the last few months I've been spending far too many hours comparing and contrasting Windows machines with Linux and Mac machines on a superfast symmetric LFN (residential gigabit fibre).

Fundamentally, the same symptoms /u/gandalf8110 observed are what I'm also seeing - throughput performance is utterly terrible on the Windows machines, almost irrespective of what I modify/change on the NIC or Windows.

The PCs are powerful, easily capable of steady gigabit in a LAN scenario. With either machine booted to Linux, they're also easily capable of sustained maximum throughput in either direction to public or private iperf servers. A Mac running on the same network under same conditions is also fine on both LAN and WAN; the same tests performed under Windows (Windows 10 1908 or Windows 7 Pro) give awful results by comparison. Nowhere near the maximum available bandwidth utilisation in identical conditions.

The only thing I've not tried yet is testing over a 10 gig NIC or with a non-Intel chipset NIC, but I doubt it will make any difference. I have a laundry list of variables I've checked, disabled, tried or tuned.

The only conclusion I've come to so far is that Windows' TCP windowing behaviour seems erratic at best, horribly implemented at worst. What have they done with their CUBIC implementation combined with how Windows manages the TCP stack which is causing such a huge deterioration in performance? Is there any solution to this at all?



Issues with management server not seeing a host.

Hi all.

Please excuse what I am sure is a novice question. I just got a new job at a manufacturing facility doing IT work, and am very green when it comes to troubleshooting. I have done as much homework as I can on this issue based on my level of knowledge and will post below.

We have a server at work connected to 5 hosts. These are all connected on a private management network it seems (a 10.net), and all of them also have a secondary NIC connected to the main company network. Somehow this server no longer sees one of the hosts, even though it is up and running, so I am getting critical alerts every 5 minutes for no reason (there is a monitoring software set up on the server as well as it serving a few other purposes).

The host that can no longer be pinged apparently is "blueapp" (private IP: 10.0.2.5) and monitoring server is "monitor" (10.0.2.16). I can ping monitor's management IP from 'blueapp' no problem, but cannot ping the other way around. From blueapp, I can also ping greenapp (10.0.2.4). It is on the same company VLAN (162) as well. I have verified in the network settings that these all share the same subnet mask, etc.

However, from greenapp, I cannot ping blueapp's private IP for whatever reason. If I do a tracert they all time out. I can ping the regular network IP though (XXX.XXX.50.142) and get a response back immediately.

I am thinking this is a firewall issue. Blueapp's firewall is on, domain profile, yet greenapp's firewall is off for the domain profile. However, what I do not understand is, should this restrict communications on the private IP network? I can understand how this would affect communications via the public IP. From what I have researched if a computer can ping "one way" then it is a firewall issue.

There is one other guy who works here and did maintenance over the weekend, so I am almost confident that something may have gotten changed inadvertently, such as firewall rules. The firewall is ON/domain profile/for Blueapp but OFF/domain profile/for Greenapp. However since it is not critical and all systems are functioning I really would like to figure this issue out without his help, to prove to myself I can do it.

If I have missed anything to look at or if my logic is off, please let me know.



Cisco ACI L3Out - Cat9500 Router OSPF

Hello fellow network gents,

I’m running into a peculiar problem using Cisco ACI L3Out.

So the setup is a multi-pod with 2 physical separated sites. We have built an L3Out for each Tenant. So every L3Out has a separate VRF in a separate user Tenant.

When we establish a neighbourship with our router at the other end (OSPF), something very odd happens. The router at the other end is a Catalyst 9500 running IOS-XE. All routes that the 9500 has learned from ACI, from totally different Tenants, are withdrawn. They remain withdrawn for at least 12 minutes; after that the Cat9500 relearns them as type-5 routes.

So I am establishing a neighbour from 1 tenant and when it's done, it withdraws all the learned routes from other L3Outs in separate VRFs and separate Tenants.

I've tested removing the neighbour and nothing happens, but when I re-add it, I can't ping any gateways (Bridge Domains) inside of ACI anymore and the route is removed from the OSPF database on my Cat9500.

We are using a redundant vPC connection to the Cat9500 to peer the L3Outs on, using sub interfaces. The OSPF configuration is on the sub interface.



Cisco ASA VTI IKEv1 VPN with NAT.

Hello guys, I'm trying to set up a site to site VPN using VTI IKEv1 and it's working well.

Traffic can go from network 10.10.3.0/24 to network 192.168.1.0/24

But I don't quite understand how to NAT IP addresses to hide the real network range that sits behind.

What I want is traffic that comes from 10.10.3.0/24 to be NAT'd to a made-up IP say 10.10.10.1/32 and then that then NAT'd to 192.168.1.0/24 on the other side.

I've done this loads of times with NAT rules using encryption domains, but it appears this method does not work with VTI interfaces. Can someone point me in the right direction?

My configs are below. I have a very basic config..

Site1

# Public IP 5.5.5.5
# Network 192.168.1.0/24
# VTI IP 15.15.15.6/24
# Steps
# Can you ping peer?
# ping 6.6.6.6
conf t
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 20
 authentication pre-share
 hash sha
 group 5
 encryption aes-256
 lifetime 86400
 exit
tunnel-group 6.6.6.6 type ipsec-l2l
tunnel-group 6.6.6.6 ipsec-attributes
 ikev1 pre-shared-key cisco*123
 exit
crypto ipsec ikev1 transform-set SITE1-TRANSFORM esp-aes-256 esp-sha-hmac
crypto ipsec profile SITE1-IPSEC-PROFILE
 set ikev1 transform-set SITE1-TRANSFORM
 set pfs group5
 exit
interface tunnel 10
 nameif TO_SITE1
 tunnel source interface OUTSIDE
 tunnel destination 6.6.6.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SITE1-IPSEC-PROFILE
 ip address 15.15.15.6 255.255.255.0
 exit
route TO_SITE1 10.10.3.0 255.255.255.0 15.15.15.5

Site 2

# Public IP 6.6.6.6
# Network 10.10.3.0/24
# VTI IP 15.15.15.5/24
# Steps
# Can you ping peer?
# ping 5.5.5.5
conf t
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 30
 authentication pre-share
 hash sha
 group 5
 encryption aes-256
 lifetime 86400
 exit
tunnel-group 5.5.5.5 type ipsec-l2l
tunnel-group 5.5.5.5 ipsec-attributes
 ikev1 pre-shared-key cisco*123
 exit
crypto ipsec ikev1 transform-set SITE2-TRANSFORM esp-aes-256 esp-sha-hmac
crypto ipsec profile SITE2-IPSEC-PROFILE
 set ikev1 transform-set SITE2-TRANSFORM
 set pfs group5
 exit
interface tunnel 20
 nameif TO_SITE2
 ip address 15.15.15.5 255.255.255.0
 tunnel source interface OUTSIDE
 tunnel destination 5.5.5.5
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SITE2-IPSEC-PROFILE
 exit
route TO_SITE2 192.168.1.0 255.255.255.0 15.15.15.6


Watchguard BOVPN basic questions

I apologize if these are basic questions, but I wear many hats at my company and some fit better than others.

We have a rack of co-located web and db servers at a remote location. We use an M270 as a firewall to protect those assets as the web sites are publicly available. The WAN is a /30 from the co-location company and the LAN is a /28 of public IPs.

I added a T55 to our office and want to create a BOVPN between our office and our colo so that when files are transferred between office and web/db servers, or our web administration is accessed, or RDP is used the connection is encrypted.

My questions are these. Is only traffic between A and B routed through the tunnel? In other words, I don't want ALL traffic from our office (T55) sent through the BOVPN, just traffic to and from the M270's /28 network. And vice versa: I don't want thousands of daily web site visitors routed through the T55. Watchguard support suggested that I set it up so that the config is <=====>.

My second question is what happens if the BOVPN is down? Do we (T55) lose connectivity to our assets (M270), or will the Watchguards detect that it's down and route traffic normally through the public internet? When I apply the config locally to the T55, will I lose all connectivity to the M270 (so I must configure the M270 first and then trust that when I save changes to the T55 it will work)?



High ping response time every 3 minutes (HP ProCurve 1810-24GE)

Our three HP ProCurve 1810-24GE switches are kinda weird. First I noticed in Zabbix that we have high ping spikes (up to max. 200ms) on all three switches every 3 minutes. An example:
At exactly 1:00:40 the spike starts. The peak is nearly always exactly one minute later (1:01:40). Exactly another minute later it's back to normal again (1:02:40), and after another EXACTLY 2 minutes it all starts again (1:04:40).

So there has to be some task or so that is blocking my pings or something like that, right? Any idea what it could be? Exactly these three switches are also the same ones that do not provide any data to my Zabbix graphs besides the "Ping" and the "Ping response time".



NFX250 JDM Management Port eth0 not reachable

I have an NFX250 running version:

root@jdm# show version
## Last changed: 2019-09-03 21:03:43 UTC
version "15.1X53-D40.3.secure [dc-builder]";

I want to upgrade the software via the JDM, so I know I need to upload the package via WinSCP and run a couple of commands. However, first I need connectivity to the JDM out-of-band port, which is eth0 in this version, as shown below:

root@jdm# show
## Last changed: 2019-09-03 21:03:43 UTC
version "15.1X53-D40.3.secure [dc-builder]";
system {
    root-authentication {
        encrypted-password "$6$H7r8x$jlt3bvJpAt24bj8EyeZwADCuAHZ6gCiw5KymN.r6XWcPRSTmhRr8GS5MWT5MwjSQhZC0O1hX5YA8M.3OMV4nY0"; ## SECRET-DATA
    }
    services {
        ssh;
        netconf {
            ssh;
            rfc-compliant;
        }
    }
    phone-home {
        server https://redirect.juniper.net;
        upgrade-image-before-configuration;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.10.10.254;
    }
}
interface eth0 {
    vlan-id 0 {
        family {
            inet {
                address 10.10.10.11/24;
            }
        }
    }
    vlan-id 1 {
        family {
            inet {
                address 10.10.10.20/24;
            }
        }
    }
}

If I connect my PC to the management port of the NFX250, I should be able to ping the eth0 IP 10.10.10.20/24. However, I'm not able to ping it or connect to it via WinSCP. If I ping this IP from inside the NFX, it responds.

Can someone help me with this?



Best place to start switch APIs ?

I'm attempting to automate some switch configuration and I'm not sure where to start, or which switch OS would be the easiest to do a POC with. Any suggestions?



Best tool to monitor WAN connection?

Hey! Bring me some good suggestions. What would be the best tool to monitor current usage of a WAN connection via a Cisco 2130 HA pair? Our customer wants to be able to see real-time usage on the WAN connection. Are there any good tools for this? Preferably one that could be displayed on a nice dashboard.



Are car radios 0G or 1G?

I'm having a hard time understanding the actual difference. Both are analog, but 0G is half-duplex, which seems to fit the car radio. But 0G is also so old (1940s old), and the devices were bigger in nature. Can anybody give me examples of both and tell me what car radios are? Which communication generation do they use?



How do I connect to the management interface of a dell n3000 switch with just an ethernet cable

I'm pretty sure this is a very silly question but please I need someone to point me in the right direction.

I need to set up the switch for remote access so someone else can do the config. I have the documentation but still can't figure out how to access the console. I've tried plugging it into my PC and setting the default IP (192.168.0.1) but no dice.

Pleaseeeeee anyone

Thank You!!



Is there a way to see based on a MAC Address, if it's a LAN or WiFi Adapter?

Basically what's written in the title.

Didn't really know which subreddit would fit for this, but I guess this one should be right?!

I got some MAC addresses, and I want to find out which are from a WiFi card and which are from a LAN connector.

Is there any way to find out?

THX in advance :)



Which tool could add delays in HTTP request body to Test our HTTP server timeouts configuration ?

Hi, I'm currently working on configuring an httpd WebDAV server and its different "Request Timeouts", and we want to test it (triggering the timeouts) using an HTTP client. Do you know a tool/application/library that can add delay to the HTTP request body? Thanks



Export access rules from Checkpoint SmartConsole

So I have 'inherited' some Checkpoint FWs. As I'm only used to ASAs I'm still a bit lost. Can someone help with exporting the access rules to a html file? There must be a way as we have one in our documentation but it's outdated.
We're running version 77.30 (don't ask)...



Monday, September 2, 2019

Weird configuration that I'm not familiar with, but need to write a report about.

Hey everyone,

So we have a vendor that does the networking for our projects, and they have always been flat networks. Recently we started doing VLANs, and the vendor was tasked with creating a multi-VLAN network for projects moving forward. We've noticed that some of the projects just have random issues of outages, or WiFi not working properly, things taking too long to connect, and so on.

I was tasked with looking over their config to find any issues and I've noticed that they do things a little differently than what I'm used to.

These are Brocade switches (I'm a Cisco guy, and Brocade does things differently, if I understand correctly, with their tags and trunks; that's why I mention it) and here's how they are configured:

All ports are tagged with all vlans, we have 5-7 different vlans, and then a dual mode is set to allow only the traffic that should be on that port.

This configuration is clearly working, because the network DOES work, but I can't help but think it is improperly configured due to the issues they experience.

I took it upon myself to redo one of their networks using untagging and only allowing the specified vlan on the port that it needs to be on, and so far, everything works fine and things just seem 'snappier'. Devices get IPs faster, services respond quicker, outages resolve in less time, etc.

Am I wrong to say they are doing it incorrectly and there are better practices?



Best Practices for VLANing small network (sub 15 PCs)

So for small, individual sites (think less than 15 PCs) is it really a benefit to VLAN the Network other than for VoIP phones?

I see lots of people VLANing off Printers, Servers, and Workstations in like a 10 user network. What is the primary benefit? All the workstations have to talk to the server and printers. Isn’t this just causing more management on the IT end without providing much of a benefit?



subscription question

Has anyone purchased the pfSense subscription? If so, what has your experience been thus far?

I use my environment for production with multiple clients and wan IPs. I'd like to make the network more secure, but require additional assistance from support, but is it really worth getting?



Microsoft and Google NTP servers as tools for collecting personal data


Help understanding "Lightning Grade Protection" for switches?

Greetings!

Sorry if this is a noob question, I've searched around and can't seem to find any answers or information that's helping to bring me clarity. I'm an electrical noob.

I'm looking at some HIKVision (shudders) PoE switches, and one model in particular mentions Lightning Grade Protection, 4kva for ports and 6kva for power supplies. But I don't see that mentioned on much of their other gear. Here is the particular switch in question: https://www.hikvision.com/mtsc/uploads/product/accessory/Datasheet_of_Web-managed_PoE_Switch_20190424.pdf

I don't see many switches from other brands mention a rated lightning protection either, but I'm not a networking pro, so I thought I'd come to the hivemind to ask. :D . Wasn't sure if this was just odd vernacular or not?



Network Tracking Database (NETDB) install

Hi all

Does anyone have proper instructions on installing NetDB with VMware?



What is it like working for Cisco finance department?

Hey all! For those of you who have worked for Cisco (as a financial analyst or in other roles in the same department) before, what was it like? Pros? Cons?

I know this company has been pushing hard for that cloud strategy. While Cisco makes numerous acquisitions to better its product and service offerings, I also wonder if these IoT and cloud innovations improve the way internal teams such as finance complete their responsibilities.... I also wonder if there are any internal challenges.



How to set up a DMZ in this case?

Hello redditors, finally I got fiber and a public static IP in my house. Now I need some servers but due to security reasons I need first a DMZ.

This is my situation: https://imgur.com/a/vtotZJd (the DMZ is not yet configured)

Basically the ISP router is useless; I can only forward ports, assign static IP addresses and little more. Then I have an old, fully configurable router running OpenWRT.

I know in a proper DMZ my servers should be in the middle, between internet and my LAN but unfortunately this is the only way to go I can think about.

How should I configure my firewall and a subnet in order to be as secure as possible?



Access to Cisco 3702I Autonomous Firmware

Does anyone know how I would be able to get the autonomous firmware for the Cisco 3702I access point? I work for a non-profit charity and, after hiring a security contractor, was advised to upgrade the firmware due to "a bunch of vulnerabilities" in their current firmware. These access points were incorrectly ordered several years back (before me), not realizing they needed the controller; they were going to send them back but our supplier got us the autonomous firmware.

As expected, without a current valid service contract we don't have access to any autonomous firmware, especially whatever is the newest. Worst case is we are going to yank the Ciscos and put in some Ubiquiti gear due to cost, not my preferred method. Can anyone help? Thanks!



ChromeCast cross VLAN, Blocking other MDNS Devices

Hi all
Got my first Chromecast today and went to set it up, but then remembered it uses mDNS for network discovery.

I was going to install it on my IoT network (I have a few VLANs to keep devices separated) but hit a roadblock with the cross-VLAN mDNS issues.

I know I can enable a few things on my router (Unifi USG) and get cross-VLAN working (quite a few forums online tell you how).

The problem is I don't want to turn on cross-VLAN for everything, as I have other devices I want to keep separate (cameras, printers etc.).

Is there some way (firewall rules, ideally?) that I can allow the Chromecast (IoT VLAN) to be accessible from my main and guest VLANs, while stopping everything else (printer, for example) from being discovered on the guest VLAN?

I know there are options like mDNS repeater servers which I can use if needed; I just wanted to try to avoid having to run another VM just to route traffic.

Thanks in advance.



Gold standard open source host discovery?

Hey all, I'm looking for a solid host discovery tool. I know and have used a lot of the standalone tools out there, but I need something a bit specific. Not only should it do on-demand/scheduled scans, but I need something real-time. For instance, Forescout eyeSight receives a copy of client segment DHCP traffic (via ip-helper). This triggers an automatic response of WMI/nmap/switch SNMP data discovery right when a host comes online. With retention and alerting of this data it could be a workable tool for my SOC. I'm tackling BYOD, but real NAC is a looong-term project. Ideally my SOC will use this tool to track down and take action on unmanaged hosts. My heart would sing if LibreNMS had integration support for something like this... or maybe I feed it to Splunk. Thanks for reading, and for any inspiration.