Saturday, September 28, 2019

Will VLANing 100% isolate traffic in this scenario?

So without getting too far off in the weeds here - I have two locations. Site A and Site B.

A switch at Site A has as a direct run of fiber 1 mile to Site B.

I’ll be introducing public WiFi at Site B. I’ll be using client isolation on the public WiFi SSID, as well as tagging all traffic on that SSID with say VLAN500.

The AP will be connected to the core switch. Port will be an access port on VLAN500.

The uplink port on Site B’s switch will obviously be a trunk port passing all VLANs. It will trunk all traffic back into Site A, where I will configure another port on Site A’s switch as an access port on VLAN500, which will then go to a separate firewall.

Is there any risk whatsoever of compromising the internal LAN? I’ll have some extremely sensitive data on the internal network that shares the same switch to get back to the internet at Site A.



Where to learn dynamic routing with BIRD?

I don't exactly have a specific question but rather am looking for help finding good resources that are specifically for learning dynamic routing with BIRD. Ideally, I was hoping to find something structured a bit like a course, or at least some problems to solve to guide my reading.

If this breaks rule 5 then I apologize. I've been working for an SDN company for a while now but I don't have a background in Net Dev.

Thank you in advance.



Hands on networking book?

Hello

I work for a rather large corporation and often have to troubleshoot networking problems for customer systems. Although I got a degree in computer science, my networking background is rather weak in my opinion. Often, I have to ask for help from a senior sys engineer regarding any complicated network problem (typically involving VLANs/tagging/etc.). Is there a book I can purchase that targets practical scenarios? I'd like to go buy a switch and tinker around with some exercises. I've read a Network+ certification book but it doesn't really get too much into the hands-on side of networking. Thank you very much and I'm sorry if I posted this in the wrong subreddit.



How do you survive in networking if you are colour blind?


Accessing camera NVR from external network through port forwarding or OpenVPN?

I apologize if this is the wrong sub to post this question. If it is, I would love suggestions for the appropriate sub.

Here's what I'm trying to figure out. I'm trying to set up an NVR camera system for somebody's office. I initially set it up for them through port forwarding from a TP-Link router that is connected to a static IP address from the ISP that isn't used by any other devices in this person's office. I did advise them to look into something else or ask an IT person for better solutions, as this is not a very secure way to access your cameras and these NVR boxes are not to be trusted, even though the company that sells it is from the US.

I've heard about setting up OpenVPN to access the cameras remotely. It seems like a pretty easy thing to set up. The TP-Link router is running DD-WRT and it should have the OpenVPN options for username and password. Then I guess I download the config file and install OpenVPN on the devices the person wants to remotely view the cameras from. Is that correct? The owner wants to access the camera viewing on his iPad, which works with port forwarding. Would OpenVPN work on iOS and is there a way to use the config file on iOS?

Here's where I'm getting a bit confused. I looked into this a bit further and found myself finding info about pfsense and how I shouldn't let IP cameras have access to the internet at all. I have no clue how to set any of this up. Is that necessary for this use case? I have fairly limited networking knowledge, but if this is doable by the average person with decent tech literacy, I can look into this if you think I should.

Essentially this is the current setup. The camera is connected to a TP-Link router that is connected to a static IP address from the ISP. Port forwarding is enabled to access the camera from a remote location on a Windows PC and iPad. All other devices this office uses are connected to firewall routers that were set up by IT professionals on the other static IP addresses. This business is a franchise, so the computers and business equipment are set up by the IT people sent by the franchise company. Only the NVR is connected to the TP-Link router (wi-fi disabled too). None of the other devices run off of it.



Edit&Commit Crontab Nokia

Hi Team,

Could anybody help me to edit & commit changes on an old Nokia IP400 (IPSO/clish) without breaking anything or losing the stability of the equipment in production? I need to remove some jobs (Tuesday midnight in particular). If anybody needs more information, please advise me. TIA

Software Release: 3.2.1-fcs1 Software Version: releng 849 11.24.1999-102644

DO NOT EDIT THIS FILE - edit the master and reinstall.

(/tmp/crontab.2674 installed on Thu Sep 1 10:48:03 2005)

(Cron version -- $Id: crontab.c,v 1.2 1997/11/11 00:25:18 kevin Exp $)

38 1 * * 3 tar -c -f /var/admin/CONF.tar /opt/pkg/FireWall-1-des.v4.0.SP-5.ipso3.2.1/conf
38 1 * * 3 tar -c -f /var/admin/DATABASE.tar /opt/pkg/FireWall-1-des.v4.0.SP-5.ipso3.2.1/database
39 1 * * 3 cp /config/db/initial /var/admin/INITIAL.txt
41 1 * * 3 ftp -p -i 2.2.2.2
0 0 * * 3 /opt/pkg/FireWall-1-des.v4.0.SP-5.ipso3.2.1/bin/fw logswitch
10 1 * * * /var/admin/collector
12 1 * * * /var/admin/monitor.sh
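An added example, not the poster's procedure and not IPSO/clish specific: a small crontab parser that expands each schedule field, reports which weekday (cron counts 0 or 7 as Sunday) and hour every job fires on, and rewrites the file with only the matching jobs removed, leaving every other line untouched. The sample crontab is reconstructed from the entries in the post.

```python
"""Parse a crontab, find jobs by weekday/hour, and drop only those."""
from dataclasses import dataclass
from typing import Callable, List, Set

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def expand_field(field: str, lo: int, hi: int) -> Set[int]:
    """Expand one cron field ('*', '1', '1-5', '*/2', '1,3,5/2') into a set."""
    values: Set[int] = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step_n = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            a, b = rng.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(rng)
            end = hi if step else start  # "5/2" means 5, 7, 9, ... up to hi
        values.update(range(start, end + 1, step_n))
    return values


@dataclass
class CronJob:
    lineno: int            # 1-based line in the original file
    minutes: Set[int]
    hours: Set[int]
    days_of_week: Set[int]  # 0 = Sunday ... 6 = Saturday
    command: str

    def runs_on(self, day: str) -> bool:
        return DAYS.index(day) in self.days_of_week


def parse_crontab(text: str) -> List[CronJob]:
    """Return the job entries; blank lines, comments and VAR=value lines are skipped."""
    jobs: List[CronJob] = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or "=" in s.split(None, 1)[0]:
            continue
        fields = s.split(None, 5)
        if len(fields) < 6:
            raise ValueError(f"line {n}: not a cron entry: {line!r}")
        minute, hour, _dom, _mon, dow, cmd = fields
        dows = {0 if d == 7 else d for d in expand_field(dow, 0, 7)}  # 7 is Sunday too
        jobs.append(CronJob(n, expand_field(minute, 0, 59),
                            expand_field(hour, 0, 23), dows, cmd))
    return jobs


def midnight_jobs(text: str, day: str) -> List[CronJob]:
    """Jobs that fire during the 00:xx hour on the given weekday name."""
    return [j for j in parse_crontab(text) if j.runs_on(day) and 0 in j.hours]


def remove_jobs(text: str, unwanted: Callable[[CronJob], bool]) -> str:
    """Crontab with matching entries dropped; all other lines are kept verbatim."""
    drop = {j.lineno for j in parse_crontab(text) if unwanted(j)}
    kept = [ln for n, ln in enumerate(text.splitlines(), 1) if n not in drop]
    return "\n".join(kept) + "\n"


# Reconstructed from the post (header lines given their usual '#' prefix).
NOKIA_CRONTAB = """\
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.2674 installed on Thu Sep 1 10:48:03 2005)
# (Cron version -- $Id: crontab.c,v 1.2 1997/11/11 00:25:18 kevin Exp $)
38 1 * * 3 tar -c -f /var/admin/CONF.tar /opt/pkg/FireWall-1-des.v4.0.SP-5.ipso3.2.1/conf
38 1 * * 3 tar -c -f /var/admin/DATABASE.tar /opt/pkg/FireWall-1-des.v4.0.SP-5.ipso3.2.1/database
39 1 * * 3 cp /config/db/initial /var/admin/INITIAL.txt
41 1 * * 3 ftp -p -i 2.2.2.2
0 0 * * 3 /opt/pkg/FireWall-1-des.v4.0.SP-5.ipso3.2.1/bin/fw logswitch
10 1 * * * /var/admin/collector
12 1 * * * /var/admin/monitor.sh
"""

if __name__ == "__main__":
    for j in parse_crontab(NOKIA_CRONTAB):
        days = ",".join(DAYS[d] for d in sorted(j.days_of_week))
        print(f"line {j.lineno}: {days} hours={sorted(j.hours)} {j.command}")
    print(remove_jobs(NOKIA_CRONTAB, lambda j: j.runs_on("Wed") and 0 in j.hours))
```

Review the printed schedule first, then apply the rewritten file through the vendor's own crontab install path rather than editing the generated copy in place.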



SSH Attempts from Public IP reaching TACACS Server, They Shouldn't!

Hello Network Folks,

I have an HPE MSR edge router that has an ACL on the VTY interface which permits only private IPs. However, today I got an alarm from the TACACS server that there are too many failed auth attempts. When I look at the logs on the router I see failed auth attempts from 182.61.163.252 (China), when, simply put, these attempts should be dropped by the router like many other IPs by virtue of the ACL.

Am I going crazy? What am I missing?



Help with ISE 2.4 and Guest SSL for Redirect page

I have my Guest Portal redirect page working great with a GoDaddy public cert for every platform except Android. The more I looked into it, it looks as though Android must have the intermediate bundled into the cert.

I concatenated them both into a cert in the Issued > Intermediate order and the file opens up and looks fine. I replaced the cert in ISE and it still doesn't work. I exported the cert from a Wireshark capture and a Windows client and the intermediate looks to be stripped out.

Not sure where I'm going wrong here.



What is MEU?

As in an NNI to an MEU.



ACI L3Out Routes Leaked Into All Tenants

I have a question about L3Outs... Pretty new to ACI. I understand basic MPLS L3VPNs decently. We are utilizing common tenant and default vrf for our 2x L3Outs. One L3Out is for default route and whatever networks live on the perimeter. The other L3Out is for the "rest of backbone" network. All tenants need access to both L3Outs. Today we are leaking all of our backbone routes into each tenant and are exceeding maximum number of routes and having issues programming routes into hardware.

My question is: if I leak only the default route to the tenants, the theory is that I will drain all traffic toward the common tenant, and then the common tenant has more specific routes to tell traffic where to go. As long as the contracts allow the traffic, will this work as desired? As I understand it we would export the default route with a target, then import that target into the tenants... And vice versa from tenant to common. The theory is that any tenant-to-tenant traffic (excluding common) will still be exported/imported on a per-tenant basis as needed and will still route directly between each other without traversing the border leafs.



Router with 2 LTE's and multiplying packets over both interfaces

Does anyone know a router where I could have two LTE connections active, and multiply packets over each interface? I feel like this is the only way to guarantee some kind of connectivity in a moving vehicle where the signal strengths etc. might change all the time. I've had situations where the mobile link is up, but you can only get the OSPF packets to go through and pretty much nothing else as it's so slow. From the router's perspective it sees the link as up and doesn't switch to another link.

And with routers that fail over to the second link after a certain period, it might already be too late. If the vehicle is moving there might be a blind spot for the first ISP for 3 seconds and then it is fixed. So this is why I thought multiplying packets over two interfaces could work. I would have a second router in the DC that receives the packets from both ISPs and replies to the first one and drops the second one if it ever comes to the router, as it's a duplicate.

As a non-profit situation this also would need to be budget friendly setup :) I'm also open to an idea of getting industrial grade mini-pc and fitting that with multiple LTE cards and then doing this all with software router/linux.

Thanks for any ideas!



WinSCP like app for Android

Hi, I have a few Linux servers that I use as storage boxes. These are old boxes which I access by SSH with WinSCP from a Windows PC, but sometimes I need to transfer files directly from Android to these boxes. Is there any Android app which can do that?

Note: I can't install NAS software on them and I use SCP.



Interesting presentations/talks from the networking industry

Recently, I stumbled upon a couple of presentations from Netflix where the engineers explain the Netflix architecture and the kind of interesting stuff they are doing at Netflix. What are your favorite talks from some of the best engineers in the networking world? Please share.

If anyone is interested in the Netflix video, This is the link



Shortel (Mitel) VOIP and Cisco QOS

We are working on setting up our QOS on the following catalyst switches

(Catalyst 3750x) (Layer 3 Site 1)

Catalyst (9410) (Layer 3 Site 2)

Catalyst 2960s/x (Layer 2 Edge)

According to the Mitel document https://bit.ly/2ntFiOi we can use auto qos and the phones use LLDP.

Do we need to configure access lists and policy maps/service policies on the 3750x and 9410? Or will auto qos be sufficient?

The commands suggested by mitel are below, any help is appreciated

2960s/x

mls qos
auto qos or auto qos srnd4
srr-queue bandwidth share 10 10 60 20
priority-queue out
mls qos trust dscp
auto qos voip trust
switchport mode access
switchport access vlan 10
switchport voice vlan 20
no cdp enable
spanning-tree portfast

3750x/9410

qos
auto qos voip trust or auto qos trust (first interface) <What does "first interface" mean?>
service-policy input AutoQos-4.0-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
switchport mode access
switchport access vlan 10
switchport access vlan 20
no cdp enable
spanning-tree portfast

ip access-list extended acl-qos-shoretel-RTP
 remark shoretel-voip-media
 permit udp any any range 10000 14500
ip access-list extended acl-qos-shoretel-voip
 remark shoretel-voip-call-and-system-control
 permit udp any any eq 2427
 permit udp any any eq 2727
 permit udp any any eq 5060
 permit udp any any range 5440 5443
 permit udp any any range 5445 5446
 permit udp any any eq 5450
 permit tcp any any range 5060 5061
 permit tcp any any eq 5430
 permit tcp any any range 5447 5448
 permit tcp any any eq 5452
 permit tcp any any eq 31453
 permit udp any any eq 31453

class-map match-any class-shoretel-media-input
 match access-group name acl-qos-shoretel-RTP
 match dscp ef
class-map match-any class-shoretel-signaling-input
 match access-group name acl-qos-shoretel-voip
 match ip dscp cs3
class-map match-any class-shoretel-media-output
 match access-group name acl-qos-shoretel-voip
 match ip dscp ef
class-map match-any class-shoretel-signaling-output
 match access-group name acl-qos-shoretel-voip
 match ip dscp cs3

policy-map shoretel-output-policy
 class class-shoretel-media-output
  set dscp ef
  priority
 class class-shoretel-signaling-output
  set dscp cs3
  bandwidth remaining percent 15
 class class-default
  set dscp default
  bandwidth remaining percent 60
policy-map shoretel-input-policy
 class class-shoretel-media-input
  set dscp ef
 class class-shoretel-signaling-input
  set dscp cs3
 class class-default
  set dscp default

service-policy input shoretel-input-policy
service-policy output shoretel-output-policy

interface TenGigabitEthernet1/0/1
 description trunk port
 switchport mode trunk
 qos trust dscp
 auto qos trust
 service-policy input shoretel-input-policy
 service-policy output shoretel-output-policy



Anybody using ACI with VMware integration

Anybody using ACI with VMware DVS integration? Any issues?

Bonus question. Has anyone successfully migrated from network centric mode to application centric mode. How did you map the dependencies and how long did the migration process take?



Friday, September 27, 2019

How do WiFi client devices switch between 2.4GHz and 5GHz

Not a wifi expert here and trying to understand how the wifi client switches between the 2.4 and 5GHz SSID...

Say I have a wifi network with multiple standalone APs and all the APs are capable for both 2.4 and 5Ghz bands. Clients’ wifi card/adapter supports both bands as well. I configured Corp-WIFI as the SSID name on both bands with WPA2 PSK. Would wifi client switch between the two bands automatically?

If so, what is/are the factors for clients to make the switch?

If not, why, and how should I design/set up the network to utilize both bands efficiently? Just use the “intelligent” band steering function in the AP?



Content filter blocking our MDM

Hello,

I'll try to keep this as short as possible. We use an MDM (Jamf Pro) that is cloud hosted. We also use iboss as our web content filter. There is a setting in it that blocks connections using non-standard ports. Problem is, Jamf operates on port 8443. Is there any way we can remedy this other than disabling that setting? I'm told completely turning it off is unsafe and I can get why. The problem is Jamf is hosted by AWS and their IPs change almost weekly.



Bizarre Network Issue

I’ve been fighting a weird network gremlin for 3 weeks. About 2-3 times a day, various parts of the network become unreachable. It seems to vary each time it happens. I have noticed that discards-in on many core switch ports seem to increase during these blips. I’ve also noticed that every time it happens, I end up with a ton of BAD ADDRESS in DHCP. It seems to only happen during the week when users are onsite. I don’t think it’s rogue DHCP.

I’ve enabled DHCP snooping on the edge and DHCP flood protection and MAC address checking on the core and it doesn’t seem to have helped. Any ideas?



What's your attitude towards Shodan scans?

Do you just let them do their thing or block them? They make my IPS bark but I don't worry about it too much at the moment. I'm wondering if I should.



2019 laptop with rj45 port?

Networking people, what laptop do you all use? Have you all switched to the dongle life already? I can't seem to find a laptop with an rj45 port, it seems the thing now is USB-C maybe usb a and hdmi. Any recommendations?



Cisco ASA 5525 Site-To-Site VPN Filter Odd Issue

Hey folks,

We were attempting to get LDAP traffic to pass to and from our remote site over a site-to-site VPN tunnel. The tunnel has been up for weeks, lots of other things work fine, but we were having issues with LDAP from the remote site to our site. Both sides have ASAs. We checked and troubleshot our ACLs on the VPN over and over, to no avail; we couldn’t get it working. All the correct ports were allowed on both sides, etc.

I created a top level access rule in the ACL that points to the VPN to just allow all IP traffic to and from the client at our remote site that was trying to use LDAP. This didn’t fix the issue. I said “ok, must be an issue on the remote side’s ACL.” I removed the access rule I added, saved config, and for some reason it reset the IPsec VPN. After the VPN reset, everything started working.

  1. Does changing ACLs associated with a VPN reset the VPN after you save the config? This is the first time I’ve seen this happen.

  2. Does anyone have any possible idea why the VPN reset would have fixed our issue? I’m at a loss here. There were ultimately no ACL changes made, and the VPN reset resolved the problem magically.

It’s worth noting, before it started working, I could only see LDAP UDP traffic coming from the remote site, and going back out. No TCP connection was being established. After the VPN reset, the TCP connection established and everything started flowing.

Appreciate you taking the time to read.



IPsec ikev1 and ikev2 run on same Cisco ASA?

We have multiple Cisco ASA IPsec tunnels running over IKEv1, but today one of our customers asked us to create an IKEv2 tunnel, and I am not sure whether we can run both IKEv1 and IKEv2 on the same Cisco ASA.

Is it possible to run both on same box?



iptables LOG implementation

I'm trying to forward traffic from one virtual interface (eth3) to a tun (tun0) interface within a container. I'm able to forward ping and iperf traffic by adding the following iptables rules:

iptables -t nat -A POSTROUTING -o connectify0 -j MASQUERADE

iptables -A FORWARD -i connectify0 -o eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth3 -o connectify0 -j ACCEPT

I'm unable to forward TRex-generated traffic. I see it on eth3 using tcpdump but it isn't getting forwarded to tun0.
I'm looking at ways to debug it using the iptables LOG option. How would I LOG the cause of eth3 not forwarding traffic to tun0?
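An added example (not from the post): LOG cannot name a drop reason, but logging the same flow at two points tells you which stage lost it. The script prints two rules (one in mangle/PREROUTING, which sees every packet arriving on eth3 before routing, and one at the end of FORWARD, which sees only packets that were routed toward tun0 and matched no earlier ACCEPT) and then summarises the resulting kernel log lines per stage. Interface names follow the post; the FWDDBG prefixes and the sample log lines are constructed here.

```shell
#!/bin/sh
# Two LOG points around the routing decision, plus a summariser for the
# resulting kernel log lines.  Rules are printed, not executed, so they
# can be reviewed before being pasted in.
fwlog_rules() {
  cat <<'EOF'
iptables -t mangle -I PREROUTING 1 -i eth3 -m limit --limit 10/min -j LOG --log-prefix "FWDDBG-pre " --log-level 4
iptables -A FORWARD -i eth3 -o tun0 -m limit --limit 10/min -j LOG --log-prefix "FWDDBG-fwd " --log-level 4
EOF
}

# stdin: kernel log lines (dmesg / journalctl -k)
# stdout: "<stage> <proto> <src>><dst> <packets>", sorted
fwlog_summary() {
  awk '
    /FWDDBG-/ {
      stage = ""; proto = "?"; src = "?"; dst = "?"
      for (i = 1; i <= NF; i++) {
        if (index($i, "FWDDBG-") == 1) stage = substr($i, 8)
        else if (index($i, "SRC=") == 1) src = substr($i, 5)
        else if (index($i, "DST=") == 1) dst = substr($i, 5)
        else if (index($i, "PROTO=") == 1) proto = substr($i, 7)
      }
      if (stage != "") count[stage " " proto " " src ">" dst]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# Constructed sample: an ICMP echo and two UDP test packets arrive on eth3
# (stage "pre"); only the ICMP packet is ever seen in FORWARD (stage "fwd"),
# so the UDP traffic was lost between PREROUTING and FORWARD, i.e. by the
# routing step (no route, rp_filter, or delivered locally), not by a
# FORWARD policy.
SAMPLE_LOG='Sep 28 10:00:01 host kernel: FWDDBG-pre IN=eth3 OUT= SRC=10.0.3.5 DST=10.8.0.2 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0
Sep 28 10:00:01 host kernel: FWDDBG-fwd IN=eth3 OUT=tun0 SRC=10.0.3.5 DST=10.8.0.2 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0
Sep 28 10:00:02 host kernel: FWDDBG-pre IN=eth3 OUT= SRC=10.0.3.5 DST=10.8.0.2 LEN=1514 TTL=64 PROTO=UDP SPT=1024 DPT=5001 LEN=1494
Sep 28 10:00:02 host kernel: FWDDBG-pre IN=eth3 OUT= SRC=10.0.3.5 DST=10.8.0.2 LEN=1514 TTL=64 PROTO=UDP SPT=1025 DPT=5001 LEN=1494'

demo_summary() {
  printf '%s\n' "$SAMPLE_LOG" | fwlog_summary
}

# Packets seen at one stage for one protocol, e.g. `stage_count pre UDP` -> 2
stage_count() {
  demo_summary | awk -v s="$1" -v p="$2" '$1 == s && $2 == p { n += $NF } END { print n + 0 }'
}

if [ "${1:-}" = "demo" ]; then
  fwlog_rules
  demo_summary
fi
```

When a flow shows up at "pre" but never at "fwd", check the routing step for that source and ingress interface, for example `ip route get 10.8.0.2 from 10.0.3.5 iif eth3`, and the `net.ipv4.ip_forward` and `net.ipv4.conf.eth3.rp_filter` sysctls.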



I hate SFP/SFP+ modules

What is up with the ridiculous amount of incompatible variations of SFP/SFP+ transceivers/modules in the networking world? Jesus it's so bad. I feel like the networking world just tries to be complex on purpose.



Backup Config Network devices With Python

Hi everyone,

I need to back up my network devices. I think it is possible with Python. I tried something and I can connect with SSH and send a command, but I didn't understand how I can back up the config. Has anyone done that?

Thanks for the help.
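An added example (not the poster's code): once the SSH session can run a command, a backup is just that command's output written to a dated file, so the routine below hashes the output with the volatile IOS header lines removed and keeps a new copy only when the config really changed. The SSH transport is pluggable; the default uses paramiko's exec_command, which assumes the device accepts single-command exec sessions (many IOS platforms need `terminal length 0` or an interactive shell, which libraries like netmiko handle), and credentials are read from the NET_USER/NET_PASS environment variables, names chosen here.

```python
"""Back up running configs over SSH, storing a dated copy only on change."""
from __future__ import annotations

import hashlib
import os
import re
from datetime import datetime, timezone
from pathlib import Path
from typing import Callable, Optional

# Lines that differ between two pulls of an otherwise identical IOS config.
VOLATILE = re.compile(
    r"^(! Last configuration change|! NVRAM config last updated|"
    r"! No configuration change since|ntp clock-period)\b"
)


def normalise(config: str) -> str:
    """Drop volatile and blank lines so identical configs hash identically."""
    lines = (ln.rstrip() for ln in config.splitlines())
    return "\n".join(ln for ln in lines if ln and not VOLATILE.match(ln)) + "\n"


def config_digest(config: str) -> str:
    return hashlib.sha256(normalise(config).encode()).hexdigest()


def latest_backup(dest: Path, hostname: str) -> Optional[Path]:
    """Newest backup for a host; file names sort by their UTC timestamp."""
    files = sorted(dest.glob(f"{hostname}_*.cfg"))
    return files[-1] if files else None


def save_if_changed(dest: Path, hostname: str, config: str,
                    now: Optional[datetime] = None) -> Optional[Path]:
    """Write <hostname>_<timestamp>.cfg (mode 0600, configs hold secrets)
    and return its path, or None when it matches the previous backup."""
    prev = latest_backup(dest, hostname)
    if prev is not None and config_digest(prev.read_text()) == config_digest(config):
        return None
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    path = dest / f"{hostname}_{stamp}.cfg"
    path.write_text(config)
    os.chmod(path, 0o600)
    return path


def paramiko_runner(host: str, username: str, password: str) -> Callable[[str], str]:
    """One command per SSH session via paramiko (third-party package).
    The host key must already be known: an unknown key aborts the run
    instead of being silently accepted."""
    import paramiko  # imported lazily so the rest of the module has no extra deps

    def run(command: str) -> str:
        client = paramiko.SSHClient()
        client.load_system_host_keys()
        client.set_missing_host_key_policy(paramiko.RejectPolicy())
        client.connect(host, username=username, password=password,
                       look_for_keys=False, allow_agent=False, timeout=15)
        try:
            _, stdout, _ = client.exec_command(command, timeout=60)
            return stdout.read().decode("utf-8", errors="replace")
        finally:
            client.close()
    return run


def backup_device(dest: Path, hostname: str,
                  run_command: Optional[Callable[[str], str]] = None) -> Optional[Path]:
    """Fetch 'show running-config' and store it if it changed."""
    if run_command is None:
        # Credentials come from the environment, never from the script itself.
        run_command = paramiko_runner(hostname, os.environ["NET_USER"], os.environ["NET_PASS"])
    config = run_command("show running-config")
    if "hostname" not in config:
        raise RuntimeError(f"{hostname}: output does not look like a running config")
    return save_if_changed(dest, hostname, config)


if __name__ == "__main__":
    import sys
    out = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("backups")
    out.mkdir(exist_ok=True)
    for host in sys.argv[2:]:
        print(host, backup_device(out, host) or "unchanged")
```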



Cisco warning: These routers running IOS have 9.9/10-severity security flaw


Cisco has disclosed over a dozen high-severity vulnerabilities affecting the widely deployed Cisco IOS and IOS XE network automation software, including a nasty one affecting its industrial routers and grid routers.

The company is also warning customers to disable an L2 traceroute feature in IOS for which there is public exploit code. 

The bug is due to an incorrect role-based access control (RBAC) evaluation for controlling access to the guest OS in IOS.

An attacker would need to be authenticated to exploit the bug. However, due to the RBAC issue, the bug allows a low-privilege user to request access to a guest OS – such as a Linux instance running on a VM within an affected device – that should be restricted to administrative accounts. These are defined in IOS as 'level 15' accounts. An attacker can exploit the bug to gain access to the OS as root user.

There are no workarounds, so customers will need to ensure they're running a fixed version of IOS. However, if an upgrade can't be done immediately, Cisco suggests that disabling the guest OS "eliminates the attack vector" and so may be a suitable mitigation. Cisco offers instructions for uninstalling guest OS in its advisory. 

Cisco has also published an informational advisory for an issue in the Layer 2 network traceroute utility in IOS and IOS XE. The feature is enabled by default on Cisco Catalyst switches. The company notes it is aware of public exploit code available for this issue.

Cisco is urging admins to review which versions of Cisco IOS and IOS XE their devices are running to ensure these have been updated to versions that address 13 separate flaws.

By design, Cisco notes, the L2 traceroute server doesn't require authentication and allows an attacker to collect a whole lot of information about an affected device, including the hostname, hardware model, configured interfaces and IP addresses, VLAN database, MAC address table, Layer 2 filtering table, and Cisco Discovery Protocol neighbor information. 

"Reading this information from multiple switches in the network could allow an attacker to build a complete L2 topology map of that network," Cisco warns. 

Cisco has provided information about how to secure the L2 traceroute server in the advisory. The advice includes, among other things, disabling the server or upgrading to a version of IOS or IOS XE that has it disabled by default. 

However, upgrading to a version with it disabled won't be possible until later this year. These versions include Cisco IOS 15.2(7)E1 December 2019, and later; Cisco IOS XE 3.11.1E December 2019, and later; and Cisco IOS XE 17.2.1 March 2020, and later. 

In the meantime, there are also options to restrict access through control-plane policing or access control lists.   



Easiest way to tell if our downed internet is us or the ISP?

I'm looking for a quick way to tell if our downed internet is us or our ISP. Should I be able to ping our internet-facing IP? Any other reliable way to tell quickly-ish?



Yet another Infiniband post | Ethernet mode

https://ift.tt/2lGsFz6

Multi-gig Juniper switches

Question for the Juniper peeps out there.

Does anybody have any experience with the new EX2300MP models yet? Is it just another EX, except with a few "special" ports, or are there specific considerations I should know about? I'm assuming they can be added to a virtual chassis with other EX2300 models, but haven't found any articles to corroborate that.

Love to hear your thoughts. Thanks.



Basic question about (M)STP with non-STP capable devices in path and link cost calculation

Hi, stupid question but if I have devices (wireless point-to-point microwave links in this instance I'm thinking of) that don't actively participate in STP but do forward BPDUs, this should be transparent to the switches processing STP BPDUs at different ends of the wireless link? So they simply see it as

switch1 <---BPDUs --> switch2

when it is in fact

switch 1 <-- BPDUs --> microwave link device 1 <-- BPDUs --> microwave link device 2 <-- BPDUs --> switch2

Even though there is a BPDU forwarding device that does not participate in STP between switch1 and switch2? I'm thinking about the way they calculate cost here, and which path would take precedence? My guess is that the switches would see it as 1 hop, even if it is 3 since they cannot know?



Cisco 3750x microcode update

hi r/networking!

I am trying to upgrade a Cisco 3750x stack running 12.2-55-SE3 to the current starred release 15.2-4-E8. Obviously I am trying to minimise the downtime and I am lucky enough to have a spare stack to practise on. I have tried the following commands:

archive download-sw /imageonly /overwrite /upgrade-ucode tftp://x.x.x.x/c3750e-universalk9-tar.152-4.E8.tar

archive download-sw /imageonly /overwrite /force-ucode-reload tftp://x.x.x.x/c3750e-universalk9-tar.152-4.E8.tar

Both upgrades succeeded, but the microcode upgrade was done after the reload resulting in 30 minutes downtime. I get the following error message during the upgrade:

Could not find UCODE image on switch 66254736. UCODE upgrade may occur after reload.

Switch 2 reloading...

Could not find UCODE image on switch 66254736. UCODE upgrade may occur after reload.

No UCODE upgrade. Reloading.

Then the stack proceeds to reload as normal. Anyone have any ideas? Can I use a different code version to stage the upgrade?



VMware ESXi and Protecting VMs with pfSense

Hi.

I'm migrating a physical web/mail server into VMware ESXi. The network has an existing physical firewall in place. I need to replace the physical server with two VMs. I was also hoping to install pfSense inside of VMware ESXi to logically make a DMZ network for the VMs to connect through.

Topology

Real firewall -> Real Switch -> VMware ESXi -> Virtual WAN -> pfSense VM -> Virtual DMZ -> web/mail VMs

My reasons for implementing it this way.

If the VMs are compromised the attacker can't get out of the VMware ESXi network, since with pfSense I'm filtering traffic outbound as well. Even if they managed to, they still have the physical network's security measures to deal with, as the real network is already segmented into OFFICE STAFF/DMZ/WAN.

I really need some guidance.

  1. Is this unnecessary work for a small benefit?

  2. Should I instead just run two VMs in ESXi while using the physical network to protect them?

Thanks for any help and have a nice day.



DMVPN

I've found myself a bit stuck with a DMVPN solution. Our current DMVPN on 2 routers (not in a cluster, but master and backup, also running HSRP) has reached its capacity and I need to extend it whilst keeping all the spokes connected. My initial thought was to just change the subnet mask and update the EIGRP, but when I labbed it, it dropped all the spokes because of a mismatch on the subnet. So then I thought I would run 2 hubs on the same router. That caused the same issue based on using the same external IP and a different EIGRP AS, so now I'm at a loss on how to increase it. Has anyone done this before? We currently have 500 spokes on our ASR 1002 and I need to at least double it. Any advice would be gratefully received.



Buy or Lease Ip Block

So currently this is going to be my first time buying an IP block for our company.

My boss wants to have our own IP blocks so we look more "professional".

Since I am currently banging my head against an empty server rack trying to figure out which is better:

Leasing a /24 IP block vs. buying a /24 IP block

And what are the pros and cons.

Thanks guys!



SoT for ISP Services?

Hey all

Something has been bugging me for quite some time now and I feel like I need to vent a bit... Hopefully someone has/is in a similar position and can relate.

Background:

I work as a Network Engineer for a smallish ISP (400k or so customers) and mostly do design/automation. Right now, most network related things are unfortunately being done manually which of course is quite time consuming and error prone.

Previously I have been focusing my efforts on simplifying/standardising network configs as well as automation of most tasks that haven't been related to a SoT (as we've never really had a functioning SoT for devices/services).

Lately I have begun to migrate all devices into Netbox (I know it's DC focused, but it's still 10x better than current device database we have) and now automation related to our devices is underway (automatic monitoring, backup, provisioning etc)

The issue:

But the devices themselves are just a small part for a service provider, of course. I have tons of ideas related to automation/provisioning of our services. The issue I'm facing is that our services are not documented in a way that a computer can interpret...

For example, a basic internet service in most cases just says which IP prefix the service is using, with no info on whether it is a route/next-hop IP info/BGP route/directly connected/which PE device/access device the service is connected to, etc. Most of the time if there is any additional info, it is written down in a freetext comments field..

Essentially it requires a human operator to log into the specific PE device in question to see what setup the customer actually has... The system we have in place for storing the above service data (an in-house built OSS/BSS system, essentially) also doesn't exactly have any good API functionality.

The current system in place is unfortunately so bad that people have begun to document services in Confluence (intranet). But as you can imagine, it is not a good SoT in any way when you want to automate things.. Only a human can interpret the data stored there.

So I'm starting to wonder what type of solutions are out there for these types of issues? For documenting SP services (HSIA, L3/L2 VPN etc). In what type of systems do you guys keep your data about the services you provide? In some form of OSS/BSS system?

I feel like it probably shouldn't entirely be the job of a Network Engineer to do this kind of work, but I'm starting to feel like my hands are tied and I can't do any work without there being a decent system in place where via API for example I can fetch data about services in order to provision/configure/monitor them etc.



Palo Alto M-100 upgrade

Has anyone encountered any problem upgrading an M-100 to version 8.1 with the stock 16 GB?



Block TOR exit nodes on Checkpoint VSX-Firewall

Hey guys, I hope you can help me. At the moment there are many attacks going on in our company. Every day we have to block external IP addresses on our external firewall. For me it is just stupid, because when an attacker finds out that he has no access anymore he just changes his IP... We activated the Geo protection (Checkpoint VSX cluster) but there is one more thing: TOR. Its exit nodes don't give a shit and avoid the geo protection, and the IPs are changing... Maybe some of you have experience with this. Thanks.



Thursday, September 26, 2019

Not New to Networking World, But Kids Love iOS Dilemma

Okay. So I've been in the industry, probably on the side of it frowned upon, for years but have since left. I've noticed iOS devices open and hold open such weird ports and I often wonder if there is even a purpose.

My question to you is, you brilliant minds 😊, is there a preferred switch or something else for specifically controlling iOS connections? I have had issues with my past catching up with me before, so I don't need Apple broadcasting extra information about us ever. Anyways, thanks guys!



DC requiring XC for BGP

This is a first for me, maybe it's more normal than I am used to. Just wondering what others experiences are.

One of the DCs we have equipment colocated at is being made our primary location soon. We requested a BGP session so we could move our IP over, and they came back saying that we would have to pay for a pretty expensive cross-connect just to get BGP working. Is that normal? That seems like bad network design to me since many other providers allow BGP without physical routing changes.

Edit: We already have a network drop from the DC that we have been using with their existing BGP blend. We would be peering with the DC.



Multicast question: How is this working?

We are undergoing a data center refresh at my company and are running multicast on one of the devices that's going to be decommissioned. This device is the rendezvous point (RP). As I've begun reading about PIM-DM, PIM-SM, and BIDIR-PIM in preparation for the multicast change, I've come to believe the current topology is either working by accident or b/c a half-baked BIDIR-PIM setup ends up behaving like PIM-SM.

Can any multicast pros corroborate this? I'm about to read RFC 5015 to see whether this is explicitly mentioned. This is a Cisco shop, in case the implementation matters. Some points below.

  1. The web-fw, web-sw, and cor-fw are all in the same subnet.
  2. The cor-sw is connected to the cor-fw only.
  3. The web-sw is the RP.
  4. As you see in the masked output, the two firewalls are configured for PIM BiDir but the switches are not, b/c BiDir PIM was enabled, but not configured.

When I do a show ip mroute on the RP, I see a lot of (S,G) entries rather than strictly (*,G) entries as would be expected of BIDIR-PIM (from what I understand).

Edit: We are doing BIDIR-PIM (or tried to, at least) b/c we have lots of senders/receivers.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Anybody here using Ruckus ICX 7750s? We just keep encountering stacking bugs, and I'm hoping it's not just me.


Anything pretty for monitoring Cisco switches?

What’s something cheap/free for monitoring bandwidth/throughput of a stack? I have a 3850 stack at work and a few other sites. Looking for something that I can use to monitor throughout of ports, laggs, overall throughput, port status etc. I know I can grab most through CLI but is Grafana capable of something like this?

Cheers



The Datacom DM984 destroying lives. Advice

Had to make my title interesting as it's my first time posting here.

I work for a small start-up company. We've got an apartment building with 5 flats that all have the Datacom DM984 GPON ONU in. The Datacom ONU essentially keeps becoming unreachable after about a week. Then the user has to power cycle it and it usually works.

I believe the config has been uploaded wrong but can’t find the correct one anywhere.

  • I have tried Datacom and distributors etc

Anyone had similar experience or any advice?



Vulnerabilities in Cisco routers/switches

There were a bunch of vulnerabilities announced yesterday, and they're not the usual "hardcoded credential in peripheral product nobody uses", but IOS/IOS-XE/NX-OS stuff that many of us might need to worry about.

So far, there's nothing that's leading me into emergency patch mode, but I'm curious if any of you have come to a different conclusion. Anybody freaking out? Seeing evidence of exploitation?

https://tools.cisco.com/security/center/publicationListing.x

https://www.zdnet.com/article/cisco-warning-these-routers-running-ios-have-9-910-severity-security-flaw/



Enterprise P2P to outbuildings

We have 3 small outbuildings that need connectivity for cameras and a handful of low-bandwidth devices, IoT shit, etc.

Cabling/trenching is not an option. They all have power and LOS to main campus. 5Ghz spectrum is clear. Max aggregate bandwidth <50Mbps. Looking for ~100Mbps goodput capacity.

We have a few Aruba AP-277s in production, but they are cost-prohibitive for this use-case.

Thoughts?



Multiple sites and tunnels - issues with identical VLAN and IP ranges? Recommendations on staying consistent and avoiding conflicts?

I'm sorry if this is too beginner for this sub but I'm not sure where to ask. I'm trying to collect ideas/suggestions/best-practices for scenarios where you have separate entities/companies that require tunnels to each other for certain networks at each of those buildings to be able to reach a server at one location.
For example, a security system with cameras. If you've got 2 separate buildings (A and B), and the server and cameras are at site A, but there are cameras at site B that need to link to the server at site A, and cameras require IP addresses, then what is the best practice for IP ranges at each site? Would a tunnel between the firewalls lead to IP conflicts if a camera at site A has the same IP as one at site B, like 10.105.1.8? Or is it best practice just to ensure ranges are unique and separate?
Right now it's a theoretical question, no specific hardware or software involved at this time.
Just curious if multiple sites can have same uniform VLAN and IP ranges to keep documentation easy and management consistent.



Mixed 10gig/25gig/100gig Network Speeds During Migration

Hi,

I'm currently running 10gig/40gig in the datacenter with 10gig to hosts, and am looking at upgrading to 100gig with 100gig to hosts via ConnectX6 PCIE 4.0 NICs.

The upgrade would likely happen in phases spread out over a few years. I'm wondering if I should be looking at breaking out 100gig ports to 4x10gig and use QSA / QSFP+-to-SFP+ adapters on the NICs to keep hosts at 10gig until everything is capable of 100gig. This would also include running some of the 100gig ports at 40gig for uplinks into the current infrastructure.

Are there any major downsides to allowing hosts to run at mixed 10gig / 100gig for an extended period? I imagine switch buffer overruns would be a problem, but most of our applications are TCP and it would handle retransmits. ASIC would be Trident 3 on the 100gig switches, Trident 2+ on 10/40gig switches.

For internet facing applications, how important would you say it is that you have matched speeds out to the internet edge? We drop to 1gig at our internet edge so I'm curious if that will present any issues.

Thanks!



I feel like this is a dumb question... (Cisco 3750/3850 Management as L2)

So - my Cisco experience is typically with a core L3 3750/3850 etc... spinning up L3 SVIs and then connecting trunks to L2 switches and tying an IP of a management VLAN to one of the L2 switches for remote ssh etc...

Now - here's my situation: Fortigate (handling L3 and VLAN interfaces). I have two UniFi switches currently, strictly as L2 devices... HOWEVER, they have IPs tied to a "mgmt vlan" on the FG. For instance, on the FG, VLAN 100 = 192.168.1.1/24, so on UniFi, I have the DEVICE mgmt VLAN as VLAN100, and an IP of 192.168.1.2 or w/e.

Now - here's where I'm confused in my logic. I am replacing these UniFis with a stack of 3750x's, primarily for StackPower and stacking capabilities. UniFi isn't going to cut it here... I don't need the L3 routing capabilities so I'll be using them without IP routing. BUT - in order for me to have SSH capabilities and an IP on these switches for management... How do I go about it? If I:

int vlan 100

ip address 192.168.1.2 255.255.255.0

That's basically saying ok this switch is the master of this INT and they'll clash, right?

How can I just add an IP for mgmt purposes and let the FG control the SVI?

I'm not used to doing Cisco deployments this way so I'm confusing myself.

Hope my explanation is clear!

Cheers



errdisable issues on 2960x

So we had a bad LAN controller to an HVAC system. One of the techs had issues with a port so they moved it twice to try and fix the issue of no connectivity to the HVAC system. I went in to check on this after the third attempt and I saw the three ports that were tested were in errdisabled state.

I've tried shut, no shut. Also tried to have errdisable recovery and errdisable recovery interval 300. After these few things the ports remain down and disabled.

Any ideas?

Port Name Status Reason Err-disabled Vlans
Gi2/0/38 err-disabled loopback
Gi2/0/42 err-disabled link-flap
Gi2/0/44 err-disabled link-flap

wnms-idfo-poe(config)#errdisable recovery cause psecure-violation
wnms-idfo-poe(config)#errdisable recovery interval 300
wnms-idfo-poe(config)#
wnms-idfo-poe(config)#end
wnms-idfo-poe#
wnms-idfo-poe#
wnms-idfo-poe#sh errdisable recovery
ErrDisable Reason Timer Status
----------------- --------------
arp-inspection Disabled
bpduguard Disabled
channel-misconfig (STP) Disabled
dhcp-rate-limit Disabled
dtp-flap Disabled
gbic-invalid Disabled
inline-power Disabled
link-flap Disabled
mac-limit Disabled
loopback Disabled
pagp-flap Disabled
port-mode-failure Disabled
pppoe-ia-rate-limit Disabled
psecure-violation Enabled
security-violation Disabled
sfp-config-mismatch Disabled
small-frame Disabled
storm-control Disabled
udld Disabled
vmps Disabled
psp Disabled
dual-active-recovery Disabled
evc-lite input mapping fa Disabled
Recovery command: "clear Disabled



Anyone have 4900M service contract? Switch flash got completely wiped, and Cisco doesn't have record of ours.

Overnight the bootflash somehow got completely wiped on a core switch at one of our schools, so it's just stuck in rommon mode. Somehow our service contract wasn't renewed, or Cisco doesn't have a record of it, so I can't download the image off their site.

Anyone able to download this image for me? cat4500e-ipbasek9-mz.152-1.E3.bin



Multipathing in Ekahau

Hi guys, this question is more related to Ekahau, but seeing how they don't have their own forums, I thought I'd try here.

So I've been doing a live survey using the Ekahau Sidekick in a warehouse setting due to reports of spotty connection in some of the racks. The signal looks okay all around; however, Ekahau showed me rapid fluctuations in signal strength while I was standing completely still. I'm not sure if this is just the way Ekahau measures the signal, or if I actually found hints of multipathing (which really wouldn't surprise me, since we're talking about tall, narrow rows of metallic racks).

Here's an example of what I'm seeing, although sometimes the fluctuation was more extreme (think -43 to -70).

In the event it is multipathing, beside lowering the data rates and transmit power, is there in your experience anything to be done? Seeing how the APs deployed are Meraki, lowering the maximum bitrate is not an option.



pfSense-CE-2.4.4 firewall rules good practices? open ports 80/443/etc - Need advices.

link to my firewall and NAT rules: https://imgur.com/a/qLmjPjg

Hi,

I've set up pfSense-CE-2.4.4 on a dedicated server with a public IP for my company network (small startup). All is working and fine (VPN, routing, basic firewall).

I did a small and simple network audit with nmap and the results show me that TCP ports 80 and 443 are open. Of course this is not a surprise if you see my port-forward and firewall rules; I need some services running on my LAN behind the pfSense firewall to be accessible from the Internet.

But I don't think having ports 80 and 443 wide open inbound on the WAN interface is a good idea.

Can anyone help me find a proper solution to this security issue?

Thanks a lot.



Subdivide Cisco Switch?

Is there a way to virtually subdivide one 48 port switch into 6x eight port switches? Our group builds out a software package that must be tested on different hardware sets. Each package has the exact same IPs, VLANS, and some MACs even; the package can not change. In order to avoid having 8 different switches I'd like to subdivide a single switch into multiple virtual switches that are completely isolated from each other. In a perfect world I'd also like to be able to connect to all eight software packages via NAT translation or something. I feel like I'm on the right path investigating VRF but I can't seem to get it to do exactly what I want. I have several Nexus 3172s and Cisco 9500s at my disposal. Thanks!



Anyone using a MacBook to configure Cisco devices through Terminal or iTerm?

Just started using a MacBook at my organization and running into weird issue when trying to copy portions of a config for a device into Terminal or iTerm. When I get to sections that are sub-commands and have leading spaces, a capital B will appear at the front of the line when pasting into Terminal or iTerm.

If I delete the leading spaces for the sub-commands, I have no problem. But a lot of times we will copy configs from switches to use as a template or replacement and removing the leading spaces does not feel like the best approach.

Edit: I am connecting to them via SSH, not console.

https://imgur.com/a/6PrUzWo



Breakout Super Core

So a lot of the 100Gig switches out there can do 40Gig mode w/ four 10Gig breakouts. Depending on the model of switch that allows for over 120 10Gig connections which is a huge port density in a 1U form factor!

If your datacenter has fewer connections than that to accommodate, what are the actual technical disadvantages to just connecting everything to a single pair of switches? Assuming everything has redundancy, i.e. each server connects to both switch A and B. How is it more risky than doing a traditional spine/leaf, since you still need two switches to physically fail before you lose connectivity?

Not trying to be a smart arse just genuinely trying to figure out what makes it a bad idea.

You basically just collapsed a data center network into literally two switches. Everything would live on those switches... the SVIs, the VLANs, and physical server connections, plus northbound connections, all on one switch due to the high port density. This eliminates the need to do any kind of overlay network.

Interestingly enough these 100Gig switches are also much cheaper than 48port 10Gig switches despite offering triple the port density. They can also be licensed to do full routing and bgp. You can set them up for redundancy any way you want like MLAG or virtual switch stack.

Thoughts?



Networks are like sewer systems - an explanation

When people blame the network a way to explain is that it’s the core infrastructure - like a sewage system - everyone’s shit gets taken away to somewhere else. If you’ve got a problem with your shit, it’s very unlikely that the infrastructure is to blame. It doesn’t care, it’ll still carry your shit where it needs to go. Whatever is in your shit.

Unless of course there’s too much shit and everything just backs up.



Oxidized Web Issue

Yay another Oxidized setup issue thread.

CentOS 7, oxidized 0.26.3, oxidized-web 0.13.1, puma 3.11.4, ruby 2.6.1

So I have been struggling with Oxidized for a couple of days now. I got it once to work with LibreNMS but could not get the service to work. After several tries I got it working with Ruby rvm and an unprivileged user. The problem I am now running into is that 127.0.0.1:8888 is not showing the web GUI and thus the config is not loading in the LibreNMS device config tab.

I checked the listeners and there is only 1 pid listening to 8888 which is the oxidized service.

[oxidized@UGRPLNMS01 oxidized]$ sudo lsof -i -P -n | grep LISTEN
<omitted>
ruby 2394 oxidized 6u IPv4 2009079 0t0 TCP 127.0.0.1:8888 (LISTEN)

telnet <ip>:8888 Could not open connection to the host, on port 8888: Connect failed

web: connection refused

palo alto in between: tcp rst server

I already added the port to the linux firewall:

firewall-cmd --zone=public --add-port=8888/tcp --permanent
firewall-cmd --reload

[oxidized@UGRPLNMS01 oxidized]$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: dhcpv6-client http https ssh
  ports: 8888/tcp 8888/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

oxidized config:

---
username: ------
password: ------
model: junos
interval: 3600
log: "~/.config/oxidized/log"
debug: false
threads: 30
timeout: 20
retries: 3
prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
groups: {}
rest: 127.0.0.1:8888
input:
  default: ssh, telnet
  debug: false
  ssh:
    secure: false
output:
  default: file
  file:
    directory: /home/oxidized/deviceconfigs
source:
  default: http
  debug: true
  http:
    url: http://ugrplnms01.-----.local/api/v0/oxidized
    map:
      name: hostname
      model: os
      group: group
    headers:
      X-Auth-Token: '--------'
  csv:
    file: "~/.config/oxidized/router.db"
    delimiter: !ruby/regexp /:/
    map:
      name: 0
      model: 1
      username: 2
      password: 3
    vars_map:
      enable: 4
model_map:
  cisco: ios
  juniper: junos

nginx config:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    root /usr/share/nginx/html;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

I am probably overlooking something as it has been 5 years since I worked with Linux. Anybody got some pointers?
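A first check for the symptom in this post (the REST interface bound to 127.0.0.1:8888 while the GUI is opened from a browser on another machine and the telnet from behind the Palo Alto fails): added example code, not part of the post or of Oxidized, that parses lsof LISTEN lines and reports whether a service's bind address can serve a remote client at all. The sample lsof output is constructed; only the ruby line mirrors the post.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of `sudo lsof -i -P -n | grep LISTEN`. The ruby/oxidized
# line mirrors the post; the other listeners are made up for illustration.
SAMPLE_LSOF = """\
ruby     2394 oxidized    6u  IPv4 2009079      0t0  TCP 127.0.0.1:8888 (LISTEN)
nginx    1100     root    6u  IPv4   21345      0t0  TCP *:80 (LISTEN)
nginx    1100     root    7u  IPv6   21346      0t0  TCP [::]:80 (LISTEN)
sshd      850     root    3u  IPv4   18877      0t0  TCP 10.10.5.20:22 (LISTEN)
"""

LISTEN_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+).*?"
    r"TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)"
)


def parse_listeners(lsof_text: str) -> List[Dict[str, str]]:
    """Parse lsof LISTEN lines into dicts with proc, pid, user, addr and port."""
    rows = []
    for line in lsof_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def bind_scope(addr: str) -> str:
    """Classify a socket's bind address as 'loopback', 'any' or 'specific'."""
    if addr == "*":
        return "any"
    ip = ipaddress.ip_address(addr.strip("[]"))  # lsof prints IPv6 as [::1]
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "any"
    return "specific"


def diagnose(lsof_text: str, port: int, remote_client: bool) -> Dict[str, str]:
    """Say whether the service on `port` can be reached the way it is used.

    remote_client=True means the consumer (a browser or LibreNMS on another
    host) is not on this box. A loopback-only bind then explains 'connection
    refused' or a firewall RST regardless of any firewall-cmd port opening.
    """
    socks = [s for s in parse_listeners(lsof_text) if int(s["port"]) == port]
    if not socks:
        return {"status": "not-listening", "detail": f"nothing listens on {port}"}
    scopes = {bind_scope(s["addr"]) for s in socks}
    who = f"{socks[0]['proc']} (pid {socks[0]['pid']})"
    if scopes == {"loopback"}:
        if remote_client:
            return {
                "status": "loopback-only",
                "detail": f"{who} binds {socks[0]['addr']}:{port}; remote hosts can "
                          f"never connect, so firewall rules for {port} are irrelevant",
            }
        return {"status": "reachable", "detail": f"{who} is loopback-only; fine for a local client"}
    if "any" in scopes:
        # Bound on every interface: reachability is now purely a firewall question,
        # which matters for a service that hands out device configurations.
        return {"status": "reachable", "detail": f"{who} listens on all interfaces; restrict it with the host firewall"}
    return {"status": "reachable", "detail": f"{who} listens on a specific address"}


if __name__ == "__main__":
    for port, remote in ((8888, True), (8888, False), (80, True)):
        print(port, remote, diagnose(SAMPLE_LSOF, port, remote))
```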



There are now 80 meter 10G RJ45 SFP+ modules, whats the tech behind those or downsides?

Its seems that several 3rd party optics providers (who also sell RJ45 SFP+ modules) recently started to sell 80 meters editions.

For a long time 30 meters was the upper limit due to the power budget of an SFP+ slot (there was not enough power to push a 10G signal 100 meters through a TP cable with an RJ45 interface, which a built-in 10GBASE-T RJ45 port can do).

Anyone in here who might have some info on how that suddenly happened tech-wise (what kind of chip or technology suddenly emerged to be able to increase the reach by 167% with the same power budget and standards as previously)?

Or for that matter, do the new 80M RJ45 10G SFP+ modules have some kind of drawback compared to the 30M editions?

Assuming that a 30M module will speak to an 80M module as long as the total cable length in between is less than 30 meters... same as a 30M module can speak to a built-in 10GBASE-T RJ45 port as long as the total length is less than 30 meters.



Wednesday, September 25, 2019

IPv6 Design Question

I think I may be confusing myself and confusing two different subjects.

I am just now trying to understand the use cases of IPv6. In the past we tried to limit the scope of broadcasts by making limited subnet sizes and VLANs (for example ARP broadcasts); however, broadcast is no longer available in IPv6, so is there any reason to limit the size of our subnets?



Tracing Gigabit SFP Connections on Cisco

Hi,

I've inherited an environment of old Cisco gear (35xx series) with an 8-port Gigabit (SFP) core router connected to various other 35xx switches over fiber. Is there a way to identify which fiber port on the core is connected to which switch via the CLI? All I can seem to find is info on the local SFP, not any information on the remote SFP.

All help appreciated!



Cannot access blocked websites even after using Cloudflare dns

Basically title.

I am trying to access a few website blocked in my country but can’t even when I changed my dns to Cloudflare’s on my router.

However when I tried using their app on my iPhone it installed a vpn configuration and I was able to access said websites. Why is changing the dns on my router not working?

(Dns caching on my phone shouldn’t be an issue as I checked my dns on a website through it and it says it’s correct).



NERC-CIP Standards

I've been investigating how much my environment will need to change in order to meet the current/future enforced standards and I'm curious what others (hopefully in this sub) have gone through.

CIP Standards



Why are you passionate about networking?

I was asked this in an interview that I was already extremely nervous in and it caught me off guard and I could not formulate a good response on the spot. I’ve been thinking about good answers to this question and I’m curious about why you guys are passionate about networking and how you’d answer the question.



USG pro 4 to Watchguard 510

I've been working on getting an ipsec tunnel from the USG to the watchguard for several weeks now but every time I turn it live, the home office with the 510 loses all internet function. Phase 1 is set at esp-sha1-aes(128) DH group 5 nat-t disabled IKE enabled 30 sec interval 5 fail attempts. All IPs are correct and the home and remote subnets are different. Can post more information if needed, just looking for a step I might have missed.

Edit 1: I reread this and felt noobish. Internet function meaning I can not resolve anything outside of the home subnet and the remote subnets.



Viptela ACL no protocol define?

Hi All,

I would like to ask if this command permits all protocols (TCP/UDP), or whether there are specific ports that will be allowed by default, or none, since there is no specified destination port or protocol.

sequence 30
 match
  source-ip      172.20.0.0/16
  destination-ip 10.168.0.0/16 192.168.0.0/16
 !
 action accept
  count seq30-counter

Currently checking the Viptela documentation about this. Thanks



Any ideas for a somewhat humorous one-liner about this topic (networking)? E.g. "there is no place like 127.0.0.1".

It's for a gift for my dad.



Acronis to back up PCs on a network?

Just got tasked to look into software that will allow us to back up hard drives for PCs on our network. Ideally if the computer crashes we would be able to plug a new computer in and push the image quickly.

Also heads up: I’m not a network technician, I fix radios in an environment that is becoming increasingly IT, so my terminology may be completely off and products probably exist that I have no clue about.

My manager mentioned Acronis and, sure, looks like it would do it, but he’s talking about going around to each individual computer and cloning the hard drive to sit on a shelf somewhere as a ready to go spare which sounds silly to me because we should be able to set up a server with a RAID and back them up over the network, right?

Can anyone point me in the right direction? I imagine something like this exists that would meet our needs but as a radio technician I have a hard time knowing where to look.

Thanks!



VPLS terminating on Nexus Core

Need help convincing boss that landing WAN VPLS into the Nexus Core is wrong and should terminate onto a WAN aggregation router. I am suggesting one WAN router per VPLS instance with redundant connections to the nexus cores. I am receiving heavy pushback to move VPLS directly into Data Center cores... any suggestions?



Ordering an SSL Cert Question

I have to ask this stupid question, and I apologize because I truly don't know. SSL is generally port 443. If I want to order a cert from a signed CA that needs to talk on a different SSL port like 8443. Do I need to inform the signed CA of this?

TYIA.



FO Patch Cable Slack Management

Can anyone recommend a good horizontal slack management for fiber optic patch cables?

I like this one: https://www.middleatlantic.com/products/accessories/horizontal-cable-management/pcs-series-horizontal-fiber-spools/pcs-3-2h.aspx but are there any that come with doors to hide the madness?



Help port forwarding

I am trying to port forward for my Rust server and I can't get it to work. What do I put in the external host and internal host boxes, and what do I put in the internal port and external port boxes?



1:1 NAT a VLAN to another network

I might be inventing the wheel here, help me understand if this makes any sense:

  • I've got many networks, all unique except two of which are both 192.168.1.0/24
  • I want to hook all of them up to be routable, using VLANs and a Layer 3 switch

Is it possible to "shift" the public side for the VLAN of the second 192.168.1.0/24 network to a completely different network, 192.168.2.0/24, using 1:1 NAT? I'm not wanting to NAT the network to "public" IPs on a larger network, but rather to "public" IPs on its own network. The routing table on the layer 3 switch would need a route that says "go to the gateway, i.e. 192.168.2.1, to get to 192.168.2.0/24", and then NAT handles the rest.

The things on these duplicate networks benefit from having the exact same network configuration, but external tools benefit from being able to directly talk to all the devices. I could 1:1 NAT them to some "larger" 10.x.x.x etc. network but I don't think I need that if they are all "public" and routable via the switch as the gateway.

Is this something any Layer 3 switch is capable of, or am I re-inventing the wheel and there is a different more common solution?



Netgear ProSafe XS 10Gb - cheap, but are they cheerful?

Anyone have any experience with Netgear's 10 gig switches? I'm going to need 10 or so ports' worth and the budget is not lavish, which led me to these. I mean... how bad can they be, really? I'm an HP fan usually but I'm not aware of anything they have for remotely those prices. You get what you pay for, sure, but surely the Netgears would, you know... switch some simple jumbo frame traffic without shenanigans?



Juniper Networking JNCIP-ENT Resources

Does anyone here know some quality resources for prepping for a JNCIP-ENT exam. I know juniper has their training portal. However, they are super expensive. I was curious if anyone knows some alternate resources.



Securing a network for beginners?

I've got a network with multiple web and game servers open to the internet. I haven't taken any steps regarding network security besides using pfSense. Where can I get good advice on properly securing the network, for beginners in this area?

What I already have:

  • pfSense (Firewall & Router; Dell R210 II)
  • Managed Switches (D-Link DGS-3000 & DGS-1510)
  • FreePBX-Server
  • Two VM-Servers, running websites and minor services
  • FreeNAS-Server with Nextcloud
  • Multiple Gameservers (Windows Server 2019)
  • Plex-Server
  • ReverseProxy (Caddy)
  • Private WiFi
  • Three external networks connected via VPN, only for PBX and management

What's the best place to start from here, without spending too much money on hardware but getting the most out of the security part?



Sane way to report guest wireless traffic? Cisco shop with ISE, Firepower, etc

Right now we have a report that details IP addresses on a guest subnet navigating to certain websites. Basically source IP is the guest device IP, then dest are the external IPs they touch. The report is pretty much completely useless because 1) the source IP gives us no indication of who did what, and 2) the destination isn't looked up in any meaningful way.

We use Cisco ISE for guest portal authentication, FirePower/ASA for firewalling, Cisco WSA for web filtering, Cisco AireOS for wireless, Windows Server DHCP, the works.

What is the best product/way to use these products to get my upper mgmt a report that basically has the source as the guest username from ISE, and then the destination as the resolved DNS name or some sort of AVC category for the traffic they're using?

I imagine Cisco has a product that costs a fortune to do this for me, but I'm wondering what it is :)



Can a problem with Sonicwall router cause latency problems with the actual cable modem

Client of mine has Optimum. Lately they have been having internet issues that I traced back to super high latency. Ping tests from the SonicWall's diagnostics to various domains including Google were in the mid triple digits. Optimum determined the problem was at the cable modem and required a reset, which they did from their end, and then everything was good. A week later same thing, and again they reset the modem and again everything was fine. It happened again today. I have requested they come out and swap out the modem, which they are doing later today. But I just wondered if somehow a problem with the SonicWall router itself could cause the connected cable modem to experience latency issues over the course of time?



Cisco 9300 TrustSec configuration help

Hi everyone,

I have (4) 9300 switches running dual stack and there is a trunk running between them, and I need to enable TrustSec on the trunk link.

This is a way to explain the topology:

S1+S2 <====Trunk====> S3+S4

I did this config:

  1. enable
  2. configure terminal
  3. interface type number
  4. switchport mode trunk
  5. cts manual
  6. no propagate sgt
  7. sap pmk key [mode-list mode1 [mode2 [mode3 [mode4]]]]
  8. end

But I can't get TrustSec to work; it's stuck on INIT. I even put the interfaces in the same VLANs across the trunk, but I can't even ping when cts manual is enabled.

Any help?



Palo Alto Panorama M100 memory

Has anyone taken the top off or replaced their M100 memory to go to 9.0? Wondering what the actual memory specifications are instead of paying $800+ to Palo Alto for their branded memory.



After pinging an address it does not show up in the ARP table. NAT/ARP stops working Cisco891f.

NAT stops working then ARP stops working until we remove and re-add the NAT command on Cisco 891f.

Notice below how after pinging an address it does not show up in the ARP table.

cisco891f#ping 10.193.189.216
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.193.189.216, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
cisco891f#ping 10.193.189.217
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.193.189.217, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
cisco891f#sh arp 10.193.189.217
cisco891f#sh arp 10.193.189.216
cisco891f#

Must remove and re-add the following command to make it work.... for a while.

ip nat outside source static 192.168.30.216 10.193.189.216 add-route

Rebooting the router also makes it start working.... for a while.

The problem always returns between 10 minutes and 10 days later.

Tried on both IOS versions but still have the problem:

c800-universalk9-mz.SPA.156-3.M5.bin

c800-universalk9-mz.SPA.157-3.M4a.bin



Help with a Legacy Enterasys Serial Pinout?

Hey folks, first time networking post here.

I have two Enterasys D2G124-12Ps I've been trying to reset and configure. Thing is, none of my Cisco/Juniper serial adaptors or cables work.

In the manual for the D2G124, they state to use a standard straight-through RJ45 cable with a DB9 adaptor into your terminal. Tried that with every adaptor, no luck. PuTTY shows a blank screen even when pressing Enter.

The pinout in the manual for RJ45 is this:

RJ45 to DB9
1 (rx)  to 2
4 (tx)  to 3
5 (gnd) to 5

I have no issues with 1 (rx) to 2, but on these DB9 adaptors I have, 4 and 5 are both pinned together (red and green), so I can't separate them without breaking the pin.

What am I missing here? Every other serial cable uses almost all of the DB-9 pins, but this is some weird standard I haven't seen. Thanks for any tips!



N5K-C5548UP vs N5K-C5548UP-FA

I have a question regarding the Nexus 5

N5K-C5548UP and N5K-C5548UP-FA

First of all I don’t really understand the difference between both.

Also as I’m looking through the matrix for Transceiver:

https://tmgmatrix.cisco.com/?si=N5K-C5548UP

It seems like the -FA version doesn't take SFP+, or am I wrong?

I’m a bit confused because when you look at the description of the FA it seems like it’s 32*10G built in.

Thanks in advance.



I'm Confused on IP domain-name command and IP domain-list for dns and dhcp.

I know that ip domain-name is used for SSH, but from there on I don't know what else it does.

Trying to configure a router as a DNS server, what's the point of putting ip domain-name and other names using ip domain-list? Why?



Dell PowerConnect 5548 automation

Our company uses a lot of old PowerConnect 5548 switches for servers. We have created a number of automation scripts in perl and python which are based on pexpect and netmiko. The issue that we encounter is that the switches occasionally freeze up when sending commands and then end up skipping a number of the following commands. So in ACL rule case, it would miss a few ACL rules. This happens with both telnet and ssh connections. The hangups are noticeable on manual command entering as well. The solution so far was to slow down command entering process as to give each command time in case of a freeze-up but it's not very efficient and slows down the whole process noticeably.

Has anyone dealt with these switches and found a way to manage them in an efficient way? Just curious how other people deal with them (if they actually do).
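An alternative to slowing every command down, added here as example code rather than anything from the post or from netmiko/pexpect: send each line, wait for its echo and a fresh prompt, and re-send it if the switch swallowed it. `FlakySwitch` is a constructed stand-in for the session (it drops chosen commands once, the way the post describes); on a real device the same loop would sit on netmiko's `write_channel`/`read_channel`, and it assumes the pushed lines are idempotent, as ACL rules are.

```python
import re
import time
from typing import Dict, List, Tuple

# Matches a PowerConnect-style prompt at the end of the received text,
# e.g. "pc5548#", "pc5548(config)#", "pc5548(config-ip-al)#".
PROMPT_RE = re.compile(r"[\w.-]+(?:\([\w-]+\))?[#>]\s*$")


class FlakySwitch:
    """Constructed stand-in for a PowerConnect CLI session (not a real device).

    The command at each send-index in `drop_at` is swallowed once: no echo,
    no new prompt, nothing applied. Everything else is echoed and applied.
    """

    def __init__(self, hostname: str = "pc5548", drop_at=()):
        self.hostname = hostname
        self._drop_at = set(drop_at)
        self._sent = 0
        self.applied: List[str] = []        # what the "switch" really executed
        self._buf = f"{hostname}#"          # initial prompt
        self._mode = ""

    def write_channel(self, data: str) -> None:
        cmd = data.rstrip("\n")
        idx, self._sent = self._sent, self._sent + 1
        if idx in self._drop_at:
            self._drop_at.discard(idx)      # freeze once, then recover
            return
        self.applied.append(cmd)
        if cmd.startswith("configure"):
            self._mode = "(config)"
        elif cmd.startswith(("ip access-list", "mac access-list")):
            self._mode = "(config-ip-al)"
        elif cmd == "exit":
            self._mode = "(config)" if self._mode.startswith("(config-") else ""
        self._buf += f"{cmd}\n{self.hostname}{self._mode}#"

    def read_channel(self) -> str:
        out, self._buf = self._buf, ""
        return out


def send_verified(conn, cmd: str, timeout: float = 2.0, retries: int = 3) -> Tuple[bool, int]:
    """Send `cmd`; wait until the switch echoed it AND printed a fresh prompt.

    If neither arrives before `timeout`, the line is treated as swallowed and
    re-sent, so a frozen switch costs a retry instead of a silently missing rule.
    Returns (ok, attempts_used).
    """
    for attempt in range(1, retries + 1):
        conn.write_channel(cmd + "\n")
        seen = ""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            seen += conn.read_channel()
            if cmd in seen and PROMPT_RE.search(seen):
                return True, attempt
            time.sleep(0.05)
    return False, retries


def push_config(conn, lines: List[str], **kw) -> Dict[str, object]:
    """Push config lines one at a time, verifying each; stop on a hard failure."""
    failed: List[str] = []
    attempts = 0
    for line in lines:
        ok, n = send_verified(conn, line, **kw)
        attempts += n
        if not ok:
            failed.append(line)
            break                           # don't pile more lines onto a dead session
    return {"sent": len(lines), "attempts": attempts, "failed": failed}


# Constructed illustrative ACL; check rule syntax against your firmware.
ACL_LINES = [
    "configure",
    "ip access-list extended mgmt-in",
    "permit tcp 10.0.0.0 0.0.0.255 any 22",
    "permit udp 10.0.0.0 0.0.0.255 any 161",
    "deny ip any any",
    "exit",
]

if __name__ == "__main__":
    sw = FlakySwitch(drop_at=(2, 4))        # two freezes during the push
    print(push_config(sw, ACL_LINES, timeout=0.2))
    print(sw.applied)                       # all six lines, in order, once each
```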



Tuesday, September 24, 2019

Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



WiFi troubleshooting: SSID not showing

Hello people! Thanks for reading my very first real post on reddit and any help that may come from it.

The other week I was at a conference center with conference wifi for everyone. I have an iPhone 8 and a Samsung gs7. The SSID being broadcast showed up fine on both mobile devices but not on a cheap tablet that I purchased for the occasion (Samsung Tab A?). I reasoned that it was my own fault for buying a cheap tablet and maybe it was something to do with their hardware since I made sure to apply all applicable updates.

Now I'm at another conference center with 2 (actually 6) laptops. They're all Dell Inspiron 15s: five running Windows 10 Home, the other running Windows Server 2016.

This time, I have the same problem. I see the SSID being broadcast and can access it from the Windows 10 Home laptops, but not from the machine running Windows Server.

I wish I could drop it and move on but this kind of tells me that my prior assumption, that maybe it was a problem of hardware, is not necessarily right.

I have been working all day and haven't really had a moment to stop and think this through or do any significant research on the topic (and on that note I might need to come back and make edits/clarify because I'm too tired to go back and re-read this). Google searches flood me with common troubleshooting techniques that were not helpful. I don't really care about getting this specific device onto that wifi network. What I want is to understand why some devices can't even see an SSID. Why would 2 Any advice on where to start looking for an answer would also be helpful if there is no one that can help answer my question. Thank you for any help.



Confused IP Range

I am currently pinging a Domain Controller at my school and I am confused by the IP address output. All of the other Domain Controllers I have pinged used the Class A range, but this DC in particular had an IP address of 129.219.4.9. Since this IP address does not fall in the range of non-routable IP addresses, how is it possible to use this IP address for DNS?



Subnetting

Hi, I'm currently a networking student in college. I'm so confused with subnetting. Can I get an ELI5, please?



Dell S4048 / N series / Core VLT questions

Hi Everyone,

We are having a few problems / issues with a large scale network put together with two dell S series 4048's at the core of the network (yes yes I know...)

So I've never come across VLT before, and I was wondering if someone who knows more than me can help.

The whole network is not performing as it should, generating a whole TON of arp traffic and giving us slow response times to our switches and devices, causing WiFi disconnects and all sorts. This is not a small network either - think 18,000 users 4500 desktops and countless BYOD devices.

I'm just trying to diagnose the problem, but could do with a few answers to questions so I know where to look.

Just for clarity - I have done the obvious - disconnecting buildings and services, wireshark etc etc but this problem seems to be difficult to find.

The system was installed by an IT vendor who made a huge muck up of the project and sadly we can't get them in to clean up their mess, so its down to us!

Current Config:

Core - two Dell S4048's running latest firmware, configured as a VLT pair. This forms the core switch at the centre of the network. These switches are doing all layer 3 routing for the system.

Linked to

Aggregation - two Dell N4000 series connected as VLT peer LAGs to both of the S4048's above. Most servers, and buildings plugged in here.

My questions:

  1. In a Dell VLT scenario as above, we have configured a vlan interface ip address for each vlan. On both sides of the VLT this is configured as the same IP address, and for the corresponding vlan this is the IP we are giving to clients as the default gateway - is this an accepted config?
  2. What should we have configured as our MAC aging times etc.? There are conflicting articles online (and Dell's documentation) about what this should be set to.
  3. Ping times: Currently we are experiencing absolutely appalling ping times to the core of the network, and outlying switches (think 50-600ms) - some network devices do not prioritise ping, but I think this is indicative of our problem. Even when the cores are isolated during down time, pinging them from just one device plugged in gives a 2ms response time which does not seem right.
  4. STP - Should we have per-VLAN spanning tree turned on? Documentation suggests we use RSTP on the links so that they are protected as they boot up. Which leads to..
  5. STP root. Should the S series above be the root bridge? some documentation seems to indicate that we use the aggregation layer below.
  6. Dell to HP - anyone have any issues connecting Dell switches to HP 5400 and older HP switches?
  7. Dell N series LACP trunks - do these normally have poor response times?

Happy to post config snippets etc. if anyone thinks they can help...

Thanks,

Robin



ASR1001-X - What does 1 million IPv4 routes translate to in terms of transit providers

In the below document it states that an ASR1001-X can hold 1m IPv4 routes if it has 8GB of RAM. I have an ASR1001-X in production with 8GB of RAM, it's taking full table from 2 providers and a further number of routes from peering sessions.

My routing table will only store each route once, the best route is chosen so I have 1 copy of full table in there, ~700k routes across both providers and peering. I can see in BGP I'm receiving a total of about 1.8m routes.

ASR Data sheet: https://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/data_sheet_c78-441072.html

My questions (more of an either-or):

  1. How can I be receiving 1.8m routes when the ASR1001-X with 8GB of RAM can only support 1m routes?

  2. If the above is because it only stores one copy in the routing table, why would you need 4m routes like you can get if you upgrade to 16GB of RAM?



BGP / JunOS question

We have datacenter A which is running MX104's and has a /22 subnet (2 of the /24s are in use here).

We have another datacenter B which is similar config, using one of the /24's from the above /22.

We're decommissioning datacenter B and bringing the hardware to the office to use in house. The problem is we no longer have our BGP guy. I know enough about JunOS to navigate and change/break things.

What am I looking at to make that /24 work at the office assuming we have internet with a static IP? Do I need to involve the office ISP to peer with them or anything? Or if I change the ip in the router to the new static ip of the office and update the neighbor AS, will it just magically work?



Wired 802.1X EAPoL supplicant on ISR WAN port

I'm looking for suggestions to enable 802.1X supplicant authentication on a Cisco ISR WAN port.

Scenario: My college residence provides unmetered internet access through ethernet ports in every room and requires users to authenticate using 802.1X-2010 EAPoL with EAP-PEAP-MSCHAPv2 (username/password) on the network. IEEE 802.1AE/"MACsec" security is not deployed. A Webauth failover is activated when no 802.1X credentials are provided in 5 seconds, but this is not desired as it puts the user in a VLAN with metered internet access. Their switch (a C2960X) only allows one (1) MAC address per switch port, and they recommend (and allow) a personal router when multiple devices in a room need internet access.

Problem: My previous router, a Ubiquiti EdgeRouter 4, didn't support 802.1X supplicant natively in EdgeOS 2.0 but would allow external Debian packages to be installed, so I deployed wpa_supplicant to authenticate the router using 802.1X. The current replacement device, a Cisco ISR1K router running IOS-XE version Fuji-16.09.04, also doesn't natively support 802.1X supplicant on the WAN port [1], and I'm stuck finding a simple and elegant method to enable 802.1X supplicant authentication on the Cisco ISR WAN port.

[1]. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-mt/sec-user-8021x-15-mt-book/config-ieee-802x-pba.html#GUID-2C674232-26A2-42DC-A214-DFDB3BB73FCC
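For reference, the wired PEAP/MSCHAPv2 supplicant the EdgeRouter workaround amounts to, written out as an added example (not from the post) with the server-certificate checks switched on. Assumed: the interface facing the residence switch is eth0, the RADIUS server's CA is at /etc/ssl/certs/residence-ca.pem, and the server certificate's subject ends in example.edu; the identity and password are placeholders.

```conf
# wpa_supplicant.conf for a wired 802.1X supplicant: PEAP outer, MSCHAPv2 inner.
# Added example; interface, CA path, domain and identity are assumptions.
ctrl_interface=/var/run/wpa_supplicant
# Wired: no scanning, just EAPOL on the interface.
ap_scan=0

network={
    key_mgmt=IEEE8021X
    eap=PEAP
    # Outer identity is sent in the clear; the real username only travels inside the TLS tunnel.
    anonymous_identity="anonymous@example.edu"
    identity="jdoe"
    password="change-me"
    # Without these two lines the supplicant will finish PEAP with any RADIUS
    # server the port points it at and hand over a crackable MSCHAPv2 response.
    ca_cert="/etc/ssl/certs/residence-ca.pem"
    domain_suffix_match="example.edu"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
```

Started with something like `wpa_supplicant -i eth0 -D wired -c /etc/wpa_supplicant/wired.conf -B`, and worth checking in the log that the server certificate was actually validated before the first successful EAP-Success, because a config that omits ca_cert still "works" and that is the whole problem.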



DHCP Relay forwarding address

Hi all,

Looking for some clarification on how this works. I always thought that the interface vlan that the helper was set on would be the forwarding address of the packet.

for example -

    interface vlan 1
     ip address 192.168.0.1 255.255.255.0
     ip helper 10.0.0.1
    interface vlan 2
     ip address 192.168.1.1 255.255.255.0
     ip helper 10.0.0.1

if a DHCP broadcast is seen on vlan 1, the packet to the dhcp server will have a source address of 192.168.0.1 and if a dhcp broadcast is seen on vlan 2 the source address will be 192.168.1.1.

The reason I ask is we use Meraki MXs with 3 interface VLANs assigned 10, 20, 30. VLAN 30 is a restricted VLAN that has firewall rules applied to it with a default deny at the end of these rules. This caused DHCP to stop working, as Meraki sends all DHCP unicasts from the highest VLAN/IP to the DHCP server.

Is this bad practice, just plain wrong or working as intended on Meraki's behalf? It seems crazy to me as I now can't fully lock down that VLAN. Do other vendors deal with DHCP in the same way? I had a look in the RFC but couldn't see anything about it.
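An added worked example (not from the post or from any vendor's relay code) of what the relay actually puts in the packet: it builds a minimal DHCPDISCOVER, relays it the way RFC 1542 and RFC 2131 describe (the first relay fills giaddr with the address of the interface the broadcast arrived on, every relay bumps hops), and shows the server choosing the scope and the reply destination from giaddr. The two SVI addresses come from the post; the MAC, xid, the extra second relay hop and the scope names are constructed.

```python
"""Which address does a DHCP server see from a relay? Added example, not from the post."""
import ipaddress
import struct
from typing import Dict

OP_BOOTREQUEST = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s")
HOPS, GIADDR = 3, 10            # field indexes in the unpacked header
ZERO4 = b"\0" * 4

# The post's two SVIs, as the server's scopes (scope names constructed).
SCOPES = {"192.168.0.0/24": "vlan1", "192.168.1.0/24": "vlan2"}


def build_discover(xid: int, mac: bytes) -> bytes:
    """DHCPDISCOVER as a client broadcasts it: giaddr 0, hops 0, broadcast flag set."""
    hdr = BOOTP_HDR.pack(OP_BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                         ZERO4, ZERO4, ZERO4, ZERO4, mac.ljust(16, b"\0"))
    sname_file = b"\0" * (64 + 128)
    options = bytes([53, 1, 1, 255])          # option 53 = message type DISCOVER, then end
    return hdr + sname_file + MAGIC_COOKIE + options


def parse(pkt: bytes) -> dict:
    f = BOOTP_HDR.unpack(pkt[:BOOTP_HDR.size])
    return {"hops": f[HOPS], "xid": f[4],
            "giaddr": str(ipaddress.IPv4Address(f[GIADDR])),
            "chaddr": f[11][:f[2]].hex(":")}


def relay(pkt: bytes, ingress_ip: str) -> bytes:
    """What an ip helper does: stamp giaddr on the first hop only, increment hops."""
    f = list(BOOTP_HDR.unpack(pkt[:BOOTP_HDR.size]))
    if f[GIADDR] == ZERO4:        # a second relay must not overwrite the first relay's giaddr
        f[GIADDR] = ipaddress.IPv4Address(ingress_ip).packed
    f[HOPS] += 1
    return BOOTP_HDR.pack(*f) + pkt[BOOTP_HDR.size:]


def select_scope(pkt: bytes, scopes: Dict[str, str]) -> str:
    """Server side: the scope comes from giaddr, never from the IP source of the unicast."""
    gi = ipaddress.IPv4Address(parse(pkt)["giaddr"])
    if int(gi) == 0:
        return "directly-attached"            # not relayed: server uses its receiving interface
    for cidr, name in scopes.items():
        if gi in ipaddress.IPv4Network(cidr):
            return name
    raise LookupError(f"no scope for giaddr {gi}")


def reply_destination(pkt: bytes) -> str:
    """RFC 2131 section 4.1: with giaddr set, the server sends the OFFER to giaddr, port 67."""
    return f"{parse(pkt)['giaddr']}:67"


if __name__ == "__main__":
    disc = build_discover(0x1234ABCD, bytes.fromhex("0011223344aa"))
    via_vlan1 = relay(disc, "192.168.0.1")
    print(parse(via_vlan1), select_scope(via_vlan1, SCOPES), reply_destination(via_vlan1))
```

What the example cannot show is the point that bit the poster: the IP source address of the relayed unicast is not part of the DHCP payload at all, so nothing in the packet the server (or a firewall) sees ties it to the SVI named in giaddr. A per-VLAN rule therefore has to permit whatever source the platform actually chooses, which is exactly what the "highest VLAN/IP" behaviour breaks.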



Airconsole alternatives?

Hi, I have a legacy AirConsole XL that's having issues that needs to be replaced. Curious if there are other alternatives in the market and particularly interested to find out if any of you carry small Mikrotiks, Bullet LTEs, or Opengears in your bag and how your experiences have been with these. My use case is the typical one, consoling in without having a direct cable between my laptop and device, and ideally doing so over 802.11 or reliable bluetooth. My only hesitation about buying another AirConsole is the lack of development on the firmware front and some mild kludgy behavior that has been reported in other threads.



I am not able to ping Radius Servers from WLC (Mobility Express)

Hi everybody,

I have the following question. I just installed and configured a WLC controller with 7 APs; the management interface has the IP address 192.168.10.90. I am able to ping the interface vlan 10 (internally this is the management VLAN) of switch 1 (192.168.10.22), and I am even able to ping from the WLC any IP address in the management VLAN on all the devices of my network. I tried to ping my RADIUS server 10.102.100.1 too, but in this case I am not able to.

On switch 1 I can ping the RADIUS IP address 10.102.100.1, and I also tried ping 10.102.100.1 source 192.168.10.22 and I can ping.

What could the problem be?

https://kxiwq67737.i.lithium.com/t5/image/serverpage/image-id/43594i6E1F966677ADB64A/image-size/large?v=1.0&px=999

    (Cisco Controller) >show interface detailed management

    Interface Name................................... management
    MAC Address...................................... 00:00:5e:00:01:01
    IP Address....................................... 192.168.10.90
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 192.168.10.22
    IP Address Type.................................. Static
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    Link Local IPv6 Address.......................... fe80::c6f7:d5ff:feb3:1a60/64
    STATE ........................................... NONE
    Primary IPv6 Address............................. ::/128
    STATE ........................................... NONE
    Primary IPv6 Gateway............................. ::
    Primary IPv6 Gateway Mac Address................. 00:00:00:00:00:00
    STATE ........................................... CREATING
    VLAN............................................. untagged
    Quarantine-vlan.................................. 0
    Physical Port.................................... 1
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured

Is there something wrong?

If I connect a laptop directly to the switch in vlan 10, I am able to ping anywhere.

The switchport configuration is the same as I put in the diagram.

I think the problem should be here:

    (Cisco Controller) >show system route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 srcr3
    7.0.0.0         0.0.0.0         255.255.255.0   U     0      0        0 srcr3
    192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 virtual

What is your opinion?

What should the command be to configure routes?

Kind regards.



Has anyone used the openspeedtest.com speed test server?

I'm looking to host a speed test server on my network that I can put on my website. I've seen a few options like Ookla, which costs a couple thousand a year or so. Then I stumbled across this one I'm not familiar with, http://openspeedtest.com/. Has anyone used it? Why is it free when others are charging hundreds or thousands for similar products? I see Missouri S&T is hosting it, but other than that I don't see it anywhere. Just seems a little sketchy.



took wireshark of AD server, and seeing some weird packets for traffic neither sourced or destined for AD server

For starters we have two 9k's as our Data center core. We have vlan 1 (i didn't design this shit) hosting a network 10.1.0.0/16 (again, I didn't design this shit)

we had to do a capture for other reasons, and I started to see traffic sourced and destined for things that are in VLAN 1, but not the AD server

AD Server = 10.1.1.94

The capture shows traffic on 1433 for 10.1.1.189 and 10.1.1.182 and various other IPs in vlan 1 that aren't the AD server.

What could cause this?
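One way to make a capture like this answer the question, as an added example that is not part of the post: a switch only forwards to an access port the frames for the MAC it learned there, plus broadcast, multicast and whatever it has to flood because it does not know where the destination is. So in a capture taken on the server itself, a unicast frame for somebody else's MAC can only be there because the switch flooded it (unknown or aged-out destination MAC, MAC table churn) or because the port is a SPAN/mirror destination. The check below sorts a constructed frame list on that basis; the MACs and most addresses are made up, loosely modelled on the post.

```python
"""Flag unicast frames that should not have reached this NIC. Added example, not from the post."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    src_ip: str
    dst_ip: str
    dport: int


def is_multicast(mac: str) -> bool:
    """Group bit (least significant bit of the first octet) set; covers broadcast too."""
    return int(mac.split(":")[0], 16) & 1 == 1


def unexpected_unicast(frames: Iterable[Frame], host_mac: str) -> List[Frame]:
    """Unicast frames addressed to some other station's MAC: flooded or mirrored."""
    host_mac = host_mac.lower()
    return [f for f in frames
            if f.dst_mac.lower() != host_mac and not is_multicast(f.dst_mac)]


def flooded_flows(frames: Iterable[Frame], host_mac: str) -> List[Tuple[Tuple[str, str, int], int]]:
    """Count stray frames per (src_ip, dst_ip, dport) so the offending flow stands out."""
    c = Counter((f.src_ip, f.dst_ip, f.dport) for f in unexpected_unicast(frames, host_mac))
    return c.most_common()


AD_SERVER_MAC = "02:00:00:00:00:94"       # constructed, locally administered
CAPTURE = [                               # constructed sample capture
    Frame(AD_SERVER_MAC, "10.1.1.50", "10.1.1.94", 389),             # LDAP to the AD server: expected
    Frame(AD_SERVER_MAC, "10.1.1.51", "10.1.1.94", 88),              # Kerberos: expected
    Frame(BROADCAST, "10.1.1.77", "10.1.255.255", 137),              # NetBIOS broadcast: expected on a /16
    Frame("01:00:5e:00:00:fc", "10.1.1.60", "224.0.0.252", 5355),    # LLMNR multicast: expected
    Frame("02:00:00:00:01:89", "10.1.1.40", "10.1.1.189", 1433),     # SQL for another host: flooded
    Frame("02:00:00:00:01:89", "10.1.1.40", "10.1.1.189", 1433),
    Frame("02:00:00:00:01:82", "10.1.1.41", "10.1.1.182", 1433),     # SQL for yet another host: flooded
]


if __name__ == "__main__":
    for (src, dst, port), n in flooded_flows(CAPTURE, AD_SERVER_MAC):
        print(f"{n} stray frame(s): {src} -> {dst}:{port}")
```

On a real pcap the same filter is `eth.dst != <host mac> && !(eth.dst[0] & 1)` in Wireshark; the flows it surfaces tell you whose MAC the switch keeps forgetting. A flat /16 in VLAN 1 with thousands of hosts makes that kind of flooding both more likely and more consequential, since every flooded SQL session is readable by every other port in the VLAN.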



Dept of Transportation Network Engineers

Forgive me, but this piqued my curiosity the other day driving home from vacation.

How does the infrastructure look in regards to all the cameras and other devices DOT uses on the interstates/highways? I'm sure you may or may not be able to share much, but worth a shot.

Do each of the camera poles have their own switches? L2 or L3?
How big are the networks you support?
Are each of the boxes interconnected? Fiber?
What vendors do you use?
What does a typical day look like for you?



VoIP QoS in routed network

I'm quite new to VoIP but I need to configure everything to deploy an IP PBX and phones in my network (simplified diagram). I more or less know how to set up QoS on the switches (ES1, DS1, DS2, HPE Comware) which are connected to the PBX and phones, but what to do with the routers (R1, R2, R3; those are also bigger HPE Comware switches with L3 routing enabled)?

Is it enough to enable qos trust dscp on the interfaces going to the switches and leave the rest at default values? I've checked packet dumps and it seems that packets which arrive at the PBX/phone have correct values in the DSCP field.



Juniper Policy Enforcer Use Case and Benefits

Hello,

I'm trying to understand when do we need to purchase the policy enforcer. As per my experience, if you want to control the security on firewalls to push policies and logs, you just get the security director and if you want to manage the routing of the firewalls and switches you get the network director.

1- Do we need it to push policies to third party devices only?

2- If we have the policy enforcer, do we need the security director or they have to be together

3- What's the best case to purchase it?



Upgrading IOS on Stacks

Hey Team,

I've got the job to upgrade IOS on a number of stacks for a client of ours. My question is this:

Once I start the upgrade on the master switch, what will happen to the other switches in the stack and more specifically what will happen to connections on the other switches in the stack? Does the IOS update take out the entire stack until all are upgraded to the same IOS or does it do them one by one?

I will be using the .tar not the .bin so I can do it all in one command.

I have tried to google this but not found much and I can't practice as we do not have any stacking switches in the lab.

Thank you.



Cheapest full stackable hp or cisco switches

Hi,

I'm searching for 2 cheap root switches; I want to stack those two into a virtual switch (full stack).

What are the cheapest series from HP or Cisco that have a full stack feature? They could be some years old and on the second-hand market.

Regards



Captive Portal Assistant - Says successful login before actually prompting to login?

Hi all,

I've got an unusual scenario whereby some users trying to authenticate to public/guest wifi at certain locations are getting issues with the Captive Portal Assistant we use at our organisation.

The issue seems to occur on public wifi that requires a user to click "Continue" on the first redirection page before actually getting to a login form.

Our laptops use a captive portal helper to sandbox this redirection for compatibility/security, and at these particular places it crops up saying "You are now connected to the internet. This app will close." at the very first page BEFORE you can type in your email and guest password etc.

This pop-up occurs straight away and stops the user from pressing the "Continue" button on the first page redirection, meaning they are unable to complete the registration form for the WiFi.

Does anyone have any idea how to fix this? And whether it is a networking issue or an issue with the captive portal helper application we use?

Cheers in advance! :)



Monday, September 23, 2019


Can we associate ACL with snmp-server location string | SNMPwalk?

Hi,

I'm just wondering if we can associate an ACL with the snmp-server location string. I'm currently reviewing a case and I'm seeing that hits/matches continue on an ACL, specifically ACL #77, but I can't locate where exactly this ACL was applied.

Logs:

    Router#sh ip access-lists 77 | i matches
        20 permit 192.168.45.0, wildcard bits 0.0.0.255 (377 matches)
        70 permit 10.170.226.0, wildcard bits 0.0.0.255 (1415 matches)
        80 permit 10.170.140.0, wildcard bits 0.0.1.255 (265562 matches)
    Router#sh ip access-lists 77 | i matches
        20 permit 192.168.45.0, wildcard bits 0.0.0.255 (377 matches)
        70 permit 10.170.226.0, wildcard bits 0.0.0.255 (1415 matches)
        80 permit 10.170.140.0, wildcard bits 0.0.1.255 (265591 matches)

seq 80 is increasing....

Configuration related to #77:

    Router#sh run | i 77
    access-list 77 permit 192.168.40.0 0.0.1.255
    access-list 77 permit 192.168.45.0 0.0.0.255
    access-list 77 permit 192.168.52.0 0.0.0.255
    access-list 77 permit 192.168.64.0 0.0.0.255
    access-list 77 permit 10.168.35.0 0.0.0.255
    access-list 77 permit 10.168.240.0 0.0.1.255
    access-list 77 permit 10.170.226.0 0.0.0.255
    access-list 77 permit 10.170.140.0 0.0.1.255
    snmp-server location xxuxxxxe2xxxxxxxv77v2

I'm not sure if this v77 means something or is related to the ACL, or related to snmpwalk?

Thanks



Routing not working as expected over VPC

I've hit a strange issue with routing in one part of my DC and I'm struggling to see what I've done wrong.

I can ping a device consistently with no issues but if I try to SSH to it from the same source it does not work. SSH from a different location that doesn't rely on the same path it works fine.

I apologise in advance for how crude my diagrams are, I have no access to reddit other than on my phone.

The network is not what I would like in this part of the DC as it is connected to an existing environment to allow for a migration that will take place soon. I had to fit the new network to connect with the existing as no major changes could be made on the existing. Otherwise everything is working beautifully. I have a spine and leaf network using 9Ks and eBGP following this rfc for guidance. https://tools.ietf.org/html/rfc7938#section-5.2 The section of the network I'm describing is intended for external connections that could be presented in a number of different ways. I designed the external environment to be as redundant as possible but also flexible.

Topologies Layer 2 connection to existing network

ASR1002X-1 --VPC-- NEXUS3K-1 --VPC-- 4500X-VSS

ASR1002X-2 --VPC-- NEXUS3K-2 --VPC-- 4500X-VSS

Layer 2 connection to new network.

ASR1002X-1 --VPC-- NEXUS3K-1--P2P--Palo Alto FW

ASR1002X-2 --VPC-- NEXUS3K-2--P2P--Palo Alto FW

The ASRs have one cable to each 3K in a port-channel. On the 3K side these are configured as port-channel with VPC. Between the 3Ks and the 4500X there is a VPC port-channel again. The 3Ks are connected to each other with 2 cables. Between the 3Ks and the FW each switch has a link to each FW with P2P routing. The FWs then connect to the rest of the new network.

Layer 3 ASR1002X --OSPF-- 4500X-VSS --- I would have preferred BGP here but I couldn't implement it.

ASR1002X --BGP-- NEXUS3K --BGP-- FW

Each ASR is connected to the 4500X using OSPF. The 4500X is sharing the existing network routes with the ASR, then those are redistributed into BGP and shared with the 3Ks, which then share them with the FW.

The problem

When I ping the 3Ks from a device connected to the 4500 I have no issue. However if I SSH to one of the 3Ks, number 2 on the diagram, my request times out and using a debug I can see the request never reaches the switch.

The other 3K has no issues and I can reach both from the new network without any problems.

When I run a trace from the 4500 to the 3K that isn't working the path is not what I expect or what the routing table tells me it should take.

Path seen in trace 4500X -- ASR-1 -- 3K-1 -- FW -- 3K-2

But it should take this path and when I check the routing table it agrees with me. 4500X -- ASR-1 -- 3K-2

I'm a bit lost at this point and am hoping someone has some more experience with VPC to help me out.

I was dropped into the deep end a bit with the new network build, it's much much bigger than anything I've ever been responsible for. I'm pretty happy with how most of it turned out but this one issue is really bugging me.

The one thing I am thinking of trying next is to implement a layer 3 connection between the 3Ks and peer with IBGP. The issue with this is I only have the one set of cables currently running between them which is used for the VPC peer link and Cisco documentation says to not run layer 3 over this.

https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/118997-technote-nexus-00.html



Should I stick with hub and spoke topology in my situation?

Admittedly not a networking professional, but a sysadmin with networking duties.

Currently our enterprise is using a hub and spoke topology, for most things. All (8) remote sites are rural on DSL or satellite connections. They all have usable download speed, but minimal upload speed. The hub is in a metro area with a gigabit connection. I don't even think all sites combined could saturate the hub connection.

Would there be any benefit or drawback to allowing the sites to talk to each other more for things like DFSR?

I've been moving more services to hub and spoke as I go, just because the hub connection is very reliable and these remote sites are quite flaky. Just asking for a sanity check before I keep moving forward like this I guess.



Downtown Seattle P2P with IP Access Needed ASAP.

Hello,

I’m in need of a P2P ideally from the Westin but other uplinks are viable. I am two blocks over and have line of sight but no gear with me or contacts in place.

Anyone know who has wireless links available for a 5-6 month project I need -Reliable- bandwidth ASAP.



Cisco ASA upgrades for the uninitiated

Hey r/networking, I’m more traditionally a systems guy, so forgive me if this is a basic question.

I have a 5508-X running 9.6(4)-34. I recently upgraded it from an older release of 9.6(4) due to a DoS bug (not the 213 days one).

Anyway, to play it safe I stuck in the 9.6(4) family and just updated to the latest. However, in the interest of not letting the system get too far behind, I thought it might be time to research going to one of the latest builds, 9.8? 9.9? However, trying to read through Cisco’s website is kind of a pain for the uninitiated, I was wondering:

  1. Is there a quick and easy place to find change notes for the mere mortals? (Example of something for SQL Server: https://sqlserverbuilds.blogspot.com/?m=1)

  2. Anyone have any advice, should I go straight to the latest? We’re not doing much, we have a handful of IPsec tunnels, Remote access, normal firewall inspection, and only one open port for an external facing service. The only thing I could find that stood out to me was the addition of VTIs in one of the releases. 95% of my tunnels are IKEv1, but I’ve got one up to Azure that is ikev2.

  3. What’s the general relationship between ASDM, AnyConnect and the ASA version? I see in the matrix that my particular version shows as compatible with ASDM 7.9+; does that really mean on up (to 7.12, etc.), or just within the 7.9 family? Same with AnyConnect: have there been strict requirements that the version match the ASA software?



Very high GARP traffic after Sophos 550r2 failover

Sophos 550r2 in an HA pair. On our downstream (inside) switches, we are noticing very high GARP requests coming from the Sophos units after a Sophos failover (approximately 62,000-84,000 pps). The Sophos serves as the L3 boundary for a /19 RFC 1918 L2 network (inside).

Is this a normal amount of GARP traffic? It seems like an excessive amount.



Palo Alto / Solarwinds network atlas integration

So I've been trying to implement this at work since we just installed SolarWinds for our monitoring. But the OIDs to support network mapping topology don't seem to be there out of the box.

Anyone have any experience creating custom pollers for this mapping functionality? I can't even find the specific topology OID when I go through the palo alto list.

Any help would be greatly appreciated.



Packet Loss Issue

The company I work for has been dealing with an internet issue for about two months now. The issue went away after we did some troubleshooting / changes and I thought it was resolved.

We're seeing slowness across our WAN. I'm seeing about 30% packet loss when pinging devices. Our setup goes ISP - unmanaged switch - 2 Fortigate 200E (in HA), then they each go to one of our main switches (HPE E5406 zl). I'll see packet loss if I ping any virtual IP on the main switches from the Fortigates, unless it's the same VLAN as the Fortigate IP. What steps can I take to troubleshoot this further? I suspect the main switches are causing the issue, but I'm not sure where to look.



Do I really need a managed switch for this high availability setup? Details inside.

Hey /r/networking

Sorry if this is a dumb question - I'm not a networking admin, but am being forced to wear that hat for the time being.

We have a remote office whose firewall we just changed out from SonicWall to Sophos XG Series + Sophos high availability (not my first choice, but we have these firewalls from a decommissioned office).

We put in the single firewall for now without HA, and we were running into crazy problems with their core internet connection (Allstream) while running completely fine on their backup non-business-class connection from a different ISP.

A while later, and a few tickets with vendors later, Allstream told us that it appears that our connection is not set to 100/100 full duplex -- it wasn't - we had it set to Auto/Auto.

Now, with that said, in order to do the HA, I need a switch between the WAN connection and the two firewalls. Do I really need a managed switch in order to ensure that this connection is 100/100 full duplex all the way through, or is there a better/less expensive/less management way to do this?

Thanks a bunch!



How do Earthquake-prone areas like California deal with buried fiber?

How can they plan their network with buried fiber lines where there is the possibility of the ground shifting and snapping the fiber?

Are they aerial runs? Just a Florida NOC agent who's fed up with people digging and cutting his transport links.



2960XR - 15.2(6)E - QinQ Support ? (Azure ExpressRoute)

In the middle of an ExpressRoute deployment that is a little different from your standard Microsoft example configs: we are treating Azure cloud as a DMZ and terminating it onto a Palo Alto, but I have run into some pitfalls.

  • Azure ExpressRoute uses QinQ natively.
  • Palo Alto does not support QinQ natively...
  • I have a switch at the datacenter that I was hoping to land ExpressRoute on and then tag the (C) tags down to the Palo Alto.
  • 2960XR: I'm finding conflicting information; some forum posts say the 2960XR supports traditional QinQ but not selective, and I'm having a hard time understanding if I need strictly traditional or if I need selective (first time using QinQ).
  • basic diagram of what I am trying to achieve

CURRENTLY I am running this UNTAGGED with a single C-VLAN rolling across, which makes this circuit up and operational, but we don't get the IP SLA 99.99995 support from Microsoft that management wants. Has anyone in this community ever set up QinQ on a 2960XR series? Everything I'm reading online says this needs to land on our ASR, but we are treating Azure as a DMZ instance so that complicates our configuration, and to top it off we are out of ports on our ASR at the data center.

2960XR - Layer 2 & Tunneling Config Guide

Azure Router Config Sample

Forum Post asking about QinQ on 2960XR



What is the correct model number?

I have a few switch stacks (3650's) and when I run a show ver, I get a different part number than show inv. Which of the 2 would be the correct part number? Show inv shows a 48FD-S while show ver displays a 48PD.

    show inv
    NAME: "c36xx Stack", DESCR: "c36xx Stack"
    PID: WS-C3650-48FD-S   , VID: V04  , SN: Serial #

    NAME: "Switch 1", DESCR: "WS-C3650-48FD-S"
    PID: WS-C3650-48FD-S   , VID: V04  , SN: Serial #

    show ver
    Switch Ports Model              SW Version        SW Image              Mode
    ------ ----- -----              ----------        ----------            ----
         1 52    WS-C3650-48PD      16.6.5            CAT3K_CAA-UNIVERSALK9 INSTALL

    Switch 01
    ---------
    Switch uptime                  : 30 weeks, 3 days, 7 hours, 17 minutes
    Base Ethernet MAC Address      : MAC
    Motherboard Assembly Number    : Serial #
    Motherboard Serial Number      : Serial #
    Model Revision Number          : N0
    Motherboard Revision Number    : A0
    Model Number                   : WS-C3650-48PD
    System Serial Number           : Serial #