Saturday, January 4, 2020

How can I improve my answer to this networking question?

Hello everyone. I got a networking homework problem. I did my best to answer it. I'd like to know how I can further improve my answer or if I have made any mistakes. Thank you in advance :)

Question

Using the knowledge of IP allocation, subnetting, wireless networks, WANs, VLANs, etc., design a network for a large organisation with several branch offices island-wide. This organisation has the server farm and the DMZ in the Head Office, and a disaster recovery site in a branch office. DMZ has public IP addresses. All branches and office networks use private IP addresses. VLANs are configured for executive networks and general staff networks separately. Wireless networks are used with restricted access to some services. Only DMZ has IPv6 support.

My answer design:- https://imgur.com/m8dKhlg



Turnkey wireless broadband solutions for streaming out?

I have a sudden need to provide 20Mbps upstream from a mobile rig. A single LTE modem won’t cut it.

One solution would be a Mushroom Networks LTE bonding router, but that would still require buying and managing multiple LTE modems and separate cell provider costs. My needs are somewhat temporary.

Is there a simpler way to solve this use case? Are there services which will ship a simple solution (at a price) for getting a high upload bandwidth connection that is mobile?



Problem L3 mpls vpn cisco

I configured an MPLS network using OSPF + BGP, and EIGRP between CE <--> PE. At the moment I just have two clients connected: client one with 172.70.70.0/26, client two with 172.70.70.64/26.

The routing looks fine; from one client I can see the other client's network. But I can't ping from one client to another. For example, client1 has 172.70.70.0/26 and I can see this route in client2's table...

Gateway of last resort is not set

172.70.0.0/26 is subnetted, 2 subnets

D 172.70.70.0 [90/33280] via 10.100.37.6, 00:09:30, FastEthernet0/0

C 172.70.70.64 is directly connected, FastEthernet1/1

10.0.0.0/30 is subnetted, 2 subnets

D 10.100.37.0 [90/30720] via 10.100.37.6, 00:09:30, FastEthernet0/0

C 10.100.37.4 is directly connected, FastEthernet0/0

Do you have any idea what went wrong?

And I can also see both networks, from client 1 and client 2, on both PEs:

PE7#show ip bgp vpnv4 all

Route Distinguisher: 120:120 (default for vrf CLIENT2-1)

*>i10.100.37.0/30 172.25.3.30 100 0 ?

*> 10.100.37.4/30 0.0.0.00 32768 ?

*>i172.70.70.0/26 172.25.3.330720 100 0 ?

*> 172.70.70.64/26 10.100.37.530720 32768 ?

And from the PE I can ping only the connected CE, not the other CE.

Ping from PE7, connected to client2 "172.70.70.64/26":

Sending 5, 100-byte ICMP Echos to 172.70.70.65, timeout is 2 seconds: !!!!! Sending 5, 100-byte ICMP Echos to 172.70.70.1, timeout is 2 seconds: ..... 

I hope someone can help me, thanks a lot.



Bottleneck on the network

Hi all,

My company just got a 1 Gbps internet connection. The ISP router is connected to the firewall, then from the firewall to the switches.

I did a speed test on the ISP router and the speed is around 970+, but when I plug into the switch the maximum speed I can get is around 200-250. Is this common or is there a bottleneck in the network?



MPLS conversion to Layer 2

So we are planning an MPLS migration to Layer 2 ASE (switched network). The infrastructure is pretty standard: 20 branches connected through MPLS, i.e. BGP that has our EIGRP networks injected. We have 2 data centers that are the primary exit points for the branches. The data centers also have SIP trunks associated with them, as does 1 of the branches.

Anyone have any experience with such a conversion? We are thinking of eliminating all the branch routers and upgrading the current switches to newer 9300/9400s, and just using the Layer 3 function to route traffic using our EIGRP, as BGP will be going away.



Why does an 802.11n network using 2.4GHz utilise over 80% of the available bandwidth in a 40MHz channel?

reference

Please refer to the above image, I can't get my head around this!!!



DNA Premier and ISE Plus license

I have got Cisco Catalyst 9300 48-port switches with a DNA Advantage license. Additionally I have got a DNA Center appliance and an ISE appliance with Base and Plus licenses.

For micro-segmentation in SDA, do we need a separate DNA Premier license with the switch?

Please help.



MPLS VPN L3 question CISCO ?

Hey guys, I'm trying to understand and configure a simple L3 MPLS VPN. I am using a previous topology where I had a service provider with BGP + OSPF. Now I have configured MPLS over this topology, and it looks fine, but I am having problems understanding this:

I decided to use rip between my CE <--> PE so I did this in the PE:

vrf definition CLIENT2-1
 rd 120:120
 address-family ipv4
  route-target export 20:20
  route-target import 30:30
!
router bgp 30
 address-family vpnv4
  neighbor 172.30.3.3 activate
  neighbor 172.30.3.3 send-community extended
 address-family ipv4 vrf CLIENT2-1
  redistribute rip
!
router rip
 address-family ipv4 vrf CLIENT2-1
  redistribute bgp 30 metric 2
  network 172.70.70.0
  network 10.0.0.0
!
interface FastEthernet0/0
 description CONNECTION-TO-CLIENT2-1
 vrf forwarding CLIENT2-1
 ip address 10.100.37.2 255.255.255.252
 duplex half
end

In the CE "customer edge" side I did this:

vrf definition CLIENT2-1
 rd 120:120
 network 10.0.0.0
 network 172.70.0.0
 no auto-summary
 exit-address-family

Makes sense? Didn't work... :(

My client (CE) has this LAN: 172.70.70.0/26

My network between CE and PE is 10.100.37.0/30

Thanks a lot for any help.



Friday, January 3, 2020

USB Ethernet Adapter

I have a server that boots Linux (a stripped-down RYOlinux running Busybox) off of a USB. The only network drivers on this distro are the Intel e1000 and e1000e. I would like to upgrade this server, but the motherboard I want to use has a Realtek NIC. Please note that non-persistence is important for my application. I see three options for this:

  1. Slipstream (?) the Realtek driver. I am unsure of how to do this.
  2. Find a USB Intel NIC and change the server application from eth0 to eth1 (or eth2 in the case of my server with two Realtek NICs onboard). I am unsure of where I would do this; I believe I would edit /etc/rc.local, as the interface is specified on the command line when the server app is called on boot.
  3. Add a PCI Intel NIC and do the same as #2, but I prefer a USB NIC.

So does anyone know of any USB NICs using an Intel Chipset? Am I correct in thinking that /etc/rc.local is where the server app would be called from? Does anyone know how to add drivers to a live linux USB?



Advice needed on SFP+ to RJ45 conversion (Auto Negotiation)

I've recently been looking for a portable 10GbE Ethernet to Thunderbolt 3 adapter and come across a few. The smallest/lightest I've found is this device from QNAP:
https://www.qnap.com/en-uk/product/qna-tb-10gbe

It comes in 2 variants: the T is a standard 10GbE/NBASE-T connector for RJ45 cables, and has auto negotiation (or Multi-Gigabit) capability so that you will always receive the maximum transfer speed if connected to, say, a 5G or 2.5G instead of a 1G network. In my opinion, that versatility is vital for a portable device, as you never know what network you'll be connecting to, and running at 1G speed on a 5G-capable connection just because your device is 10G and not 5G is as frustrating as it is absurd, and I'm so glad auto negotiation came along to put a stop to that.

The second model, the S, has an SFP+ port instead of the RJ45 NBASE-T. Now I've not much experience with SFP at all, hence looking for guidance.

There's a plethora of SFP+ to RJ45 connectors out there. As the S model QNAP is cheaper, in a dream world, using it with an RJ45 converter gives you additional versatility at less cost, as you could then connect to both RJ45 and SFP+ connections with the one device. I've also seen comments that the SFP+ model is fanless and therefore silent, whereas there are some complaints about the NBASE-T version's high-pitched fan whine, so that's another added bonus (but I've not yet confirmed this to be the case).

The problem is, from my brief research, and per the specs on QNAP's website, SFP+ doesn't have the same auto negotiation/Multi-Gigabit capability as NBASE-T. You either get 10GbE or 1GbE. See my earlier paragraph for why that's disappointing.

If I were to purchase the SFP+ model adapter, and an SFP+ to RJ45 connector to slot in, I'm hoping that the adapter would just continue to accept up to 10GbE and the connector could continue to auto negotiate, so that when connecting to a 5GbE connection, you still get 5GbE and not 1GbE. I saw this following module where the title seems to suggest it would be possible:
https://www.roc-noc.com/mikrotik/routerboard/SplusRJ10.html

But without the knowledge around SFP+ and how it all works, I'm hoping someone here can help me understand if that would be the case. I'd hate to pick up the S model adapter only to find that every Ethernet connection was limited to 1G, or perhaps those modules don't just work for all SFP+ connections but only specific hardware, and it's not even possible to convert the QNAP SFP+ adapter to Ethernet at all!

The future proofing, versatility, slightly lighter weight, supposed quieter operation, and cheaper price for the base adapter are all telling me there would be no downside should an auto-negotiating converter work out. But given that the majority of connections would be ethernet, if it's not possible, then it rules out the SFP+ model completely. Any advice is much appreciated.



It's possible to identify non HTTP running on port 443?

I need to develop something similar to ngrok, as I have a group of machines that run behind firewalls and the only communication is through 80/443.

The idea is to establish a TLS connection on 443 to a central server and use this connection as a tunneling point to run a SOCKS5 server.

And the question is: are firewalls able to identify that I'm not running HTTPS on that port? Because the initial communication will be different.
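An added example (not from the original post) of the kind of check a DPI firewall can make on TCP/443 without decrypting anything: it parses the cleartext TLS ClientHello for SNI and ALPN and flags flows that send no ClientHello at all, no SNI, or a non-HTTP ALPN. The sample first-bytes are constructed here, and the classification rules are illustrative, not any vendor's.

```python
"""Classify the first bytes a client sends on TCP/443 the way a DPI firewall might.

A firewall cannot read the encrypted payload, but the TLS ClientHello is sent in the
clear, so it can check that a ClientHello is actually present and look at the SNI and
ALPN extensions that a browser talking HTTPS would normally send.
"""
import struct
from typing import Dict, List, Optional, Sequence

HTTP_ALPN = {"http/1.1", "h2", "http/1.0"}


def _extension(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(sni: Optional[str] = None, alpn: Sequence[str] = ()) -> bytes:
    """Build a minimal, constructed TLS 1.2-style ClientHello record (for the samples)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name          # name_type host_name
        exts += _extension(0, struct.pack("!H", len(entry)) + entry)
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        exts += _extension(16, struct.pack("!H", len(protos)) + protos)
    suites = struct.pack("!HH", 0x1301, 0xC02F)                 # two common cipher suites
    body = (struct.pack("!H", 0x0303)                           # client_version TLS 1.2
            + bytes(32)                                         # random (zeros; constructed)
            + b"\x00"                                           # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                       # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data: bytes) -> Optional[Dict[str, object]]:
    """Return {'sni': str|None, 'alpn': [...]} or None if data is not a TLS ClientHello."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:                  # handshake record, client_hello
            return None
        pos = 9 + 2 + 32                                        # headers, version, random
        pos += 1 + data[pos]                                    # session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]       # cipher_suites
        pos += 1 + data[pos]                                    # compression_methods
        info: Dict[str, object] = {"sni": None, "alpn": []}
        if pos + 2 > len(data):
            return info                                         # no extensions at all
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", data, pos)
            edata = data[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0 and len(edata) >= 5:                  # server_name
                name_len = struct.unpack_from("!H", edata, 3)[0]
                info["sni"] = edata[5:5 + name_len].decode("ascii", "replace")
            elif etype == 16 and len(edata) >= 2:               # ALPN protocol list
                p = 2
                while p < len(edata):
                    plen = edata[p]
                    info["alpn"].append(edata[p + 1:p + 1 + plen].decode("ascii", "replace"))
                    p += 1 + plen
        return info
    except (IndexError, struct.error):
        return None


def classify_port_443(first_bytes: bytes) -> str:
    """Illustrative verdicts a middlebox could attach to a new flow on port 443."""
    hello = parse_client_hello(first_bytes)
    if hello is None:
        return "not-tls"                       # e.g. a SOCKS5 greeting or SSH banner
    alpn: List[str] = hello["alpn"]            # type: ignore[assignment]
    if alpn and not HTTP_ALPN.intersection(alpn):
        return "tls-non-http-alpn"             # TLS, but the client asked for something else
    if hello["sni"] is None:
        return "tls-no-sni"                    # browsers almost always send SNI
    return "looks-like-https"


# Constructed sample first-bytes for a few flows.
SAMPLES = {
    "socks5 greeting": b"\x05\x01\x00",
    "ssh banner": b"SSH-2.0-OpenSSH_8.0\r\n",
    "browser hello": build_client_hello("example.com", ["h2", "http/1.1"]),
    "tunnel hello, no sni": build_client_hello(None, ["h2"]),
    "tunnel hello, custom alpn": build_client_hello("example.com", ["my-tunnel/1"]),
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:28s} -> {classify_port_443(data)}")
```

A real DPI box also compares the whole ClientHello shape (cipher order, extension order) against known client fingerprints, which this illustration leaves out.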



Does this exist? RJ-45 "coupler" that does DHCP

I've got a bit of an odd use case where I need to connect two Nintendo Switch systems together via Ethernet, and that's it - nothing more than device-to-device communication (for running PvP tournaments). Currently, I'm able to connect the consoles to each other directly as long as I manually assign IP addresses on each system. Alternatively, if I connect them both to a router, the router manages DHCP and no static IP assignment needs to be done.

Manually assigning IP addresses is tedious, especially since in this use case the systems are not my own and the systems used are not consistent from day to day (as the player base shifts). Ideally, I would love to have a middleman device that both systems can plug into that can act as a lightweight DHCP manager, possibly even being powered over the Ethernet cables themselves. If the middleman device always assigned the same IPs for each port, that would work.

Does such a device exist, or am I just describing a really basic router that doesn't exist due to low demand?



Grandstream phone VLAN: voice and data on the same port

Hi, I have an issue with a Dell N1500 switch and a Grandstream phone. After reading best-practice documents, I configured the port like this:

interface Gi1/0/17

switchport mode general

switchport general pvid 500

switchport general allowed vlan add 500

switchport general allowed vlan add 55 tagged

VLAN 500 is data and VLAN 55 is voice.

If I have the port with this configuration I can reach the gateway from the PC, but the phone can't register to the central IP. If I remove the "switchport general pvid 500", the phone can register to the central IP but I can't reach the PC gateway.

Any suggestion?



Simple question on identifying intermediate device by counting TTL

I have an issue with receiving RST packets when trying to access a particular service on a server. Running wireshark from the client side, I see that RST packets occur at TTL of 57 the source being the server IP. The server is a Linux box with a 64 TTL and there are 11 hops to the server from the client which results in a 53 TTL for good connections not facing the issue.

When the RST occurs and the TTL is 57, that tells me that it is not the client or server causing/sending the RST, but rather a device in the middle that is breaking the connection. If it was the server causing the RST the TTL for the RST packet would be 53.

My question is this, which way do I count the hops to determine what device is causing the RST if the TTL is 57? Seeing as how I am running the wireshark trace from the client, do I count hops from the client side or should I count hops from the server side seeing as it is the source of the RST?

Given the above, in the example below would I identify the device causing the RST packets to be d.d.d.d by counting down TTL from the server side, or would the suspected device be h.h.h.h by counting from the client side?

Example trace route:

1 a.a.a.a client side gateway

2 b.b.b.b

3 c.c.c.c

4 d.d.d.d

5 e.e.e.e

6 f.f.f.f

7 g.g.g.g

8 h.h.h.h

9 i.i.i.i

10 j.j.j.j

11 k.k.k.k

12 l.l.l.l server
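A worked version of the TTL arithmetic in the question, as an added example (not part of the original post): it parses the traceroute above, computes which hop a packet with a given TTL must have come from under each common initial TTL, and checks whether an RST's TTL matches what the real server's packets carry. The traceroute addresses are the post's placeholders, not real hosts.

```python
"""Locate the sender of a packet from the TTL it carries when captured at the client.

Model: a host emits a packet with its stack's initial TTL, and every router between
that host and the capturing client decrements it by one. If the sender is hop N of a
traceroute run from the client (hop 1 = the client's gateway), the packet crosses
N - 1 routers, so observed_ttl = initial_ttl - (N - 1).
"""
import re
from typing import Dict, List, Tuple

# Initial TTLs used by common stacks: Linux/macOS 64, Windows 128, many routers 255.
COMMON_INITIAL_TTLS = (64, 128, 255)

# Constructed traceroute text copied from the question; the addresses are
# placeholders, not real hosts.
TRACEROUTE_TEXT = """\
1 a.a.a.a client side gateway
2 b.b.b.b
3 c.c.c.c
4 d.d.d.d
5 e.e.e.e
6 f.f.f.f
7 g.g.g.g
8 h.h.h.h
9 i.i.i.i
10 j.j.j.j
11 k.k.k.k
12 l.l.l.l server
"""


def parse_traceroute(text: str) -> Dict[int, str]:
    """Map hop number -> address, skipping hops that only timed out ('*')."""
    hops: Dict[int, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)", line)
        if m and m.group(2) != "*":
            hops[int(m.group(1))] = m.group(2)
    return hops


def expected_ttl_at_client(sender_hop: int, initial_ttl: int = 64) -> int:
    """TTL a packet from traceroute hop `sender_hop` has when it reaches the client."""
    return initial_ttl - (sender_hop - 1)


def is_from_server(observed_ttl: int, server_hop: int, server_initial_ttl: int = 64) -> bool:
    """True if the observed TTL is what the real server's packets would carry."""
    return observed_ttl == expected_ttl_at_client(server_hop, server_initial_ttl)


def candidate_senders(observed_ttl: int, hops: Dict[int, str]) -> List[Tuple[int, int, str]]:
    """Hops that could have emitted a packet arriving with `observed_ttl`.

    Counting is always done from the capturing side: one entry per common initial
    TTL whose implied hop actually exists in the traceroute. Caveat: some middleboxes
    forge the TTL of injected RSTs (e.g. copy it from the packet that triggered them),
    so treat the result as a lead to confirm with a capture on the far side, not proof.
    """
    found = []
    for initial in COMMON_INITIAL_TTLS:
        hop = initial - observed_ttl + 1
        if hop in hops:
            found.append((initial, hop, hops[hop]))
    return found


if __name__ == "__main__":
    hops = parse_traceroute(TRACEROUTE_TEXT)
    server_hop = max(hops)
    print("healthy server packets arrive with TTL", expected_ttl_at_client(server_hop))
    for ttl in (53, 57):
        print(f"TTL {ttl}: from server? {is_from_server(ttl, server_hop)};"
              f" candidates {candidate_senders(ttl, hops)}")
```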



QoS on every interface on the path?

We have a phone vendor telling us that all of the switches and routers need QoS configured. Traditionally we only configure it on the WAN interface of the edge device as internally we have a full backplane on all the switches. This is from the vendor doc: "If VoIP traffic passes any single interface without QoS configured, the effects of quality issues are felt on a call as if no QoS is configured anywhere along the path."

Is there any validity to that?



Campus Core Switch Replacement

I need some help with core switch replacements. We have Brocade MLXe-8 and 16 cores running VPLS over MPLS and OSPF routing between 3 sites. Inter-site links are 10GbE. Also we have 2x Dell TOR 5248 switches on VLT that support VxRail / VMware ESX servers with stretched clusters between two of the DCs using a layer 2 stretched VLAN.

1) Any ideas for replacement and resiliency ?

2) Is VxLAN and EVPN the future replacement for VPLS over MPLS or are there alternatives ?

3) Can you vMotion traffic across sites using VxLAN? i.e. the direct link between site A and B fails, so looking to vMotion VMs from site A to site B via site C using existing links to A and B, considering we have a stretched VLAN using the same IPs at sites A and B.

4) The Dells have 4 x 10GbE to the MLX core, so just wondering about oversubscription as currently there are 5 x 25GbE ESX host connections per TOR switch. Is this an issue?



NASA MeshNetwork recent code & documentation - maybe someone on /r/networking will find this interesting and useful

This is an interesting Github repository from NASA.

MeshNetwork

https://github.com/nasa/meshNetwork

The Mesh Network Communication System is a peer-to-peer communication network architecture that enables communication between network nodes of various types. The initial primary goal of the system was to enable communication between small formations of cubesats or other small satellites, but the basic mesh architecture is applicable to data exchange between network assets of any type. The system has been flight tested on formations of small unmanned aerial systems (sUAS) and shown to provide low latency data throughput for dynamic flight environments.



Are HTTP proxies' (a la Charles) days numbered as we move to HTTP/3 and QUIC?

How can we possibly have similar functionality to Charles Proxy to inspect https resources when we move to HTTP/3 over QUIC?

I frequently use Charles Proxy to inspect HTTP and HTTPS traffic (and Wireshark to inspect UDP packets) from my mobile phone for exploration and app development.

Does HTTP/3 (over QUIC / UDP) even allow something like an HTTP proxy with a self-signed certificate to interact with “https” resources?

I read about the CONNECT request in HTTP/3, but it sounds like it still makes a TCP connection with an origin server. I don't understand how that would work with an origin server that expects HTTP/3 from the client.

Without a QUIC proxy, there's no reason to use your own certificate because the origin server won't recognize, or be able to decrypt, the payload.



Cisco CCDA training and preparation?

I’m currently CCNA certified, thinking about going the CCDA route for my next renewal due to the emerging needs of my organization and the industry.

Only problem? I don’t have any development training. What should I be looking for?



Looking for a reliable Ethernet on/off switch for work phone system

I work in a small office using a VoIP phone system. We've been told we can plug these phones in anywhere and they'll work with their built-in numbers. The boss needs to move a phone into his home to take care of his wife, but won't always be home. During business hours, when the phones are not forwarding to our cell phones, he doesn't want the phone ringing if he's not there. My idea was an on/off switch for the Ethernet cable, but it seems everywhere I look they're super sketchy or look like they're for trying to cheat at video games. Anyone have any suggestions for an on/off or "kill" switch we can use to turn the phone off when he's not there that doesn't require him unplugging it every day?



MTU issues over IPSEC tunnel between ASA and Meraki MX

Happy New Year everyone, hope you are well.

In my last thread, I was able to get some helpful advice from a fellow Redditor to adjust MTU settings on a client MX WAN port to 1452: https://www.reddit.com/r/networking/comments/ehr04l/potential_mtu_issue_between_meraki_mx_and_asa5515/

This did clear up warnings about fragmentation issues between the MX and the SDWAN bonder, but the root issues still persist:

Issue: HTTPS and random other TCP traffic sporadically becomes unusable between these sites connected by IPSEC tunnel. Issue is temporarily resolved after bouncing IPSEC VPN, but comes back up after so many hours.

For everyone's convenience, this is the flow of traffic: Client MX > SDWAN Bonded Internet > IPSEC TUNNEL > digitalsquirrel's ASA5515

Current observations:

  • SDWAN Bonder MTU for all WAN and LAN interfaces (1500)
  • SDWAN Bonder Tunnel MTU - 1452
  • Meraki MX WAN port MTU - 1452
  • MTU from client to server of SDWAN tunnel and IPSEC VPN - 1362
  • MTU from client to local switch or MX 1472
  • MTU from server to client 1350
    • server to client starts at 1362 MTU but then drops to 1350 after the first test. Same from server to multiple other clients across the same SDWAN and IPSEC tunnel

Misc Other Notes:

  • ASA5515 is in production for other clients with multiple VPN tunnels to the outside interface, so I cannot make wide spread changes.
  • We have another similar client with an MX > SDWAN Bonded Internet > Meraki Dynamic VPN > digitalsquirrel's MX that doesn't experience any of the same issues.


LACP Timeout Fast vs. Slow

I've got 2 Juniper switches with ae's over DSL. The bandwidth isn't great and the runs are somewhat shaky.

We get tail drops semi-occasionally because there's no QoS on the line (not going to change, at this time).

The LACP timers are set to Fast (1 sec), on both ends.

We get LACP timeouts on one of the switches, presumably because it's failing to receive PDUs in time (and that's presumably because of the tail-dropping).

Pros/Cons to setting these timers to Slow as an alternate route to alleviating this?

(My thought is that it would at least give the switch a bigger window of time before screaming that the line is down.)



WLC 8540 issue Management interface

Hi all,

thanks in advance for your support; for a customer I have an issue with the management interface: SSH and HTTPS connections don't work but ICMP works. There are 2 WLC 8540s in SSO and all the firewalls permit both SSH and HTTPS.

From the service port I can reach the WLC via both SSH and HTTPS, so it isn't a configuration issue. I have tried entering the command "config network mgmt-via-dynamic-interface enable" but even that doesn't work.

Did someone have the same problem as me?

Thanks all.



Xmas Slowdown within a VAR

From what my peers say, Xmas and New Year slowdowns are common at a reseller. How do people stay motivated? I understand it is a great opportunity to study, but when there is no tangible work I really struggle to get any sort of momentum; this, compounded with the fact that I work from home, means that I can't feed off any colleagues' enthusiasm.

Guess I am just venting, but it feels like such a grind sometimes when I know it shouldn't be. Just wondered how more experienced consultants/engineers deal with it.



Thursday, January 2, 2020

Troubleshooting High Output Queue Discards

What would be the major cause of high outbound discards on a switchport?

We have a switch in a remote location on the other side of the country and staff are complaining of poor network performance. I can see that on one of the switches on the uplink port there is a huge amount of Outbound Queue Discards. We’re looking at 3.6 billion since the last reboot (almost 2 years ago).

At first I thought it was QoS as I could see that there was traffic hitting the policy, but now we’ve tried disabling QoS on the port and they’re still reporting slowness. We’ve also checked that there is no duplex or speed mismatch.

One side is a gigabit switch, the other side is a 100 Mbps switch, but I can see that the gig switch has auto-negotiated down to 100M so I don't think that should be causing outbound discards for the port.

At the moment I’m leaning towards a bad cable or some interference from the warehouse it’s in.

Anyone have any ideas of anything else I can check?



Dell FTOS 9.3 and higher 1Gig SFP compatibility

Hi guys,

I have a Dell switch a s4048-ON that has FTOS 9.3.

We use Finisar 1Gig SFPs for all our Dell switches (S4810s and 20s) but this new FTOS does something funky with the same Finisar SFPs.

After a weekend of not in use the client will come in to work and all the 1Gig connections will be down. It’s like the switch shut them off into some sort of sleep mode. In order to reactivate them they have to be pulled and plugged back in or the switch has to be rebooted.

Does anyone have a fix for this? Or is there a cheap SFP for the new FTOS images which will work for a 1 gig SFP? Remember the 1 gig Finisars worked fine for the older FTOS version 8s.



Dropped frames and shoddy motion detection with 14 IP cameras

Hello,

I have been tasked with deploying a security system for a small business. I have made efforts to do research and avoid bottlenecks.

Here's what I'm working with:

14 Amcrest IP2m-851E cameras (1920x1080p) @ 9FPS and VBR H.264, streaming limit set to 4,096 Kbps

Netgear unmanaged 16 port gigabit network switch (GS316). This powers and handles connections for all the cameras.

Fios G1100 gigabit router

Security server/PC running an i5-8400, 16GB RAM and 11TB RAID with 2 12TB WD purple drives and Blue Iris.

My target is to have them at 9FPS with motion detection recording, in an attempt to keep recordings for as long as possible. However, after installation, I'm having issues with the camera recordings being extremely choppy, skipping entire seconds of footage, and motion detection happening only after motion has happened for quite a while, and not seconds before detection as I've set in Blue Iris. I've tried iSpy, which seems to work a bit more reliably, but with much lower framerates, higher CPU usage, and still the same issues with seconds of missing footage and dropped frames.

So I thought, perhaps the write speed of the hard drives is too low. Task Manager shows quite minimal usage overall of system resources with Blue Iris. Then I thought the security PC's network connection was not fast enough (but it is able to achieve 150 Mbps to the internet). I thought the network switch was overwhelmed, but I have a gigabit switch and router, which I thought would be overkill for the cameras. I plugged the PC into the network switch and was able to achieve 150 Mbps download/upload, with all 14 cameras connected and recording. So I've assumed that the switch and router are not overloaded.

At this rate, I'm not sure what's bottlenecking my setup, or if I've made a stupid mistake somewhere. Any suggestions as to what could be a potential bottleneck would be greatly appreciated as I really need this system up and running, and I can't think of what might be wrong. Thank you!



[HELP] I need help understanding how to use the console port on this switch

I am attempting to set up a new homelab as a hobby, so I bought a Force10 S50-01-GE-48T-V managed switch and two R410s (they were like 20 apiece, so I figured why not).

For the life of me, I cannot figure out how to connect the console port to my PC.

From my understanding, as stated in the document (page 16), I used "a straight-through RJ-45 copper cable (a standard Ethernet cable) into the console port." So I used a standard Ethernet cable and plugged it into my computer's Ethernet port. As you can guess this did not work.

So I went and bought an RJ-45/DB-9 adapter and connected the Ethernet cable from the switch to the Ethernet port of the adapter.

I also bought a DB9 to USB RS232 serial converter adapter, as I was searching on the internet and it seemed like this was the recommended way to connect to this switch from my computer, which lacks a serial port. However, the problem I seem to be running into is that the RJ-45/DB-9 adapter is male, and the DB9 to USB is also male. So I figure I am either doing something wrong or I bought the wrong cables/converters.

I would appreciate any help with this I can get as I am simply trying to pick up another hobby.



What’s your preferred way of splicing CAT5?

I spliced some Cat5 cables for security cameras (I was moving the equipment to a climate-controlled area closer to the fiber) by putting male jacks on the Cat5 and using a female-female Cat5 coupler from eBay. This was 4 years ago and some cameras are starting to go down.

What would you use to splice these together? I was considering a 110 block, but open to ideas.



Router login with no ping

I have a conundrum that I'm hoping y'all can help me with.

I'm running 300ft of Cat 6 cable. However, no matter how many times I redo the connections and test for continuity, the best I can get is a connection with no packets. If I use that cable to go from my laptop to the router (netgear) I can log in to it. But when I ping it, I get 100% loss.

Two days of this. Any help would be appreciated.



Today I screwed up

I want to remind you all to slow down and always check your changes, take it from me and do not be like me!

Routine change I have done many times inside ACI but this time I was in the wrong context menu and deleted the parent profile and not a child profile. This was 100% on me, yes I wish Cisco would not allow a parent profile to be deleted while it contains child profiles but in the end it was still on me.

Yes I was able to roll the change back in less than 2 minutes, but in those 2 minutes VPCs between our virtual compute and storage were completely destroyed...

So learn from me, slow and steady. All those fancy servers, storage and services do not work when the roads are all broken.



TATA communication in CHI has 20% packet loss, how to open a ticket?

They have 25% packet loss. We do not have service directly with them, and we have confirmed with our ISP that the loss is not on the hand-off and is inside the TATA network.

However, they hardly exist. Does anyone know how to get hold of someone?

Pings to 63.243.129.120 are dirty and 63.243.129.121 are clean (I'm guessing the same box).

We vary from 0% to 30% loss, and it will run clean for 2-4 minutes then go bad again for 2-ish minutes.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Thanks /r/networking: 1 year ago I asked you for feedback/your opinion on FTD/Firepower

In October 2018 I created this post to gather some feedback on using Firepower/FTD in production.

We did try it ourselves in production, though, so we could form our own opinion. Overall it really was as bad as described in the texts you see on the internet.

Usually you don't expect everything to be really good; sometimes the documentation is not really that good, or maybe the interface is not performing fast enough so you use the CLI, which you don't really mind... but for FTD it is really the overall experience, where almost every single part was horrible from the beginning and you could not reasonably argue for such a product at all. From initial deployment, software upgrades, daily operation and troubleshooting... just everything.

Negative aspects:

  • Overall Software quality: We did 2 minor software upgrades, one of them caused an outage, the other one took a couple of hours and did mess up a few things afterwards
  • Documentation: is either not existing or even just wrong (for example NAT64 configuration, confirmed by TAC)
  • Central Management: Cisco representatives told us directly that everything below the largest FMC hardware appliance is not usable and we won't be happy with it (to be fair this specific hw generation is now end-of-sale)
  • Hardware Performance: They showed us an internal performance calculator which provided ridiculous numbers, we sized really carefully as we all know datasheet numbers are "a little bit off" most of the times, but for FTD this was really just unbearable
  • Development: "Everything will get better in the next release" should be printed on t-shirts, they just kept promising and promising, keep in mind that we already looked at FTD in 2018 and have been aware what progress was made up to this point

Positive aspects:

  • Price: they made an absurd cheap offer to stay in the game
  • Integration: as we have a lot of Cisco products in place, integration would obviously be native into those if needed (e.g. Cisco ISE, Wireless controllers etc.)
  • Cisco seems to be aware and they know they have to do something about it

They had to compete against Palo Alto and it really was straightforward. I was very impressed how Palo does things, especially the central management, which provides quite a few features for which you normally have to use a 3rd-party tool like AlgoSec or Tufin.

There was a lot of politics involved as we have been an all Cisco shop so far and a few people really did not like to move away from it, but the evidence was more than enough against them and stability was the key argument.

In the end we migrated most of our productive clusters within 2019 and are very happy Palo Alto customers. But honestly I think almost every other major Firewall vendor would be better than what we saw with Firepower.

Something I noticed when comparing them is that Cisco is still putting out fires and doesn't seem to have the time or resources for appropriate development of the product (they still rush half-finished features into the field).

We still bought a few Firepower hardware appliances and run ASA software on them if we don't have the need for NGFW features (e.g. dedicated ClientVPN Firewall) and even on those we face major issues with the delivered performance.

In 5 years everything might be different but for now: stay away from Firepower/FTD if you can.

Happy new year



Swapping Airflow Fans on S4820-T

Hey guys,

So I just realized that I bought two fan modules and a single power supply module to change the direction of airflow for my Dell switch. Currently everything is plugged in via reverse airflow, from PSU to ports.

But the switch needs to pull from ports and push out PSU so normal airflow is needed.

On these 4820's they have individual fan modules, unlike the older 4810s and s60s which have a PSU and fan modules in one module/component.

So in my haste I ordered two fan modules and a replacement PSU for a PSU that had gone bad. Since the PSU had gone bad I figured I would also swap out the airflow fans to make it cool more effectively. I realize now that by swapping two fan modules and one PSU there will still be the original PSU that is reverse airflow, as opposed to normal airflow.

So I was reading the documentation on the switch or about the switch, and it says that both fan modules need to blow the same direction or the switch will shut down. So I'm thinking that the PSU airflow doesn't matter, but the fan airflow does.

Does anyone have any experience with swapping out fans on the Dell 4820T? Can I leave the single reverse airflow PSU in, while swapping in the single normal airflow PSU and the two normal airflow fan modules?

So:

1xReverse airflow PSU (one fan)

1xNormal Airflow PSU (one fan)

2x Normal Airflow fan modules. (2 fans each total of 4 fans)

With the above setup, will the switch automatically shut down or will it continue to function? I'm not that concerned about the single PSU fan blowing the opposite direction as long as the switch is functional. I'd rather have two operating PSU and the 4 "airflow" fans pulling from the ports and blowing out the back.

https://www.force10networks.com/CSPortal20/KnowledgeBase/DOCUMENTATION/InstallGuidesQuickrefs/S-Series/S4820T_9.4(0.0)_InstallGuide_Apr_09_2014.pdf



Fiber to RJ45/Ethernet conversion

I've got an upcoming connection that I need to make that the site only has fiber to drop where our equipment will be. Our Pepwave router doesn't have a fiber input. Is there an easy conversion box? Is that the best way to make the conversion? This will be a temporary network setup for a live show.



Today, I managed to keep an SSH session alive between restarts

I run Debian 9 on VirtualBox on a Windows 10 host. I happen to live in an area with seasonally chronic network shenanigans, so every now and then, I have to Avada Kedavra (tilde-dot) my broken SSH sessions, but I witnessed this weird one today.

I hibernated the host, turned off my phone's hotspot and went for a walk. I dehibernated to Windows' lockscreen 2 hours (give or take) later, but I still wasn't hyped about refactoring, so I left it at the lockscreen. After some 45-ish minutes of funny YouTube, I ditched the bed for my workspace again. This time, I pushed past the lockscreen, manually reconnected Windows to my phone's hotspot and made for the VM, where I met a seemingly dead SSH session. I typed in a command and hit return with a shrug, but it actually spat out appropriate results. After about 3 internal WTFs, I ran more commands, just to make absolutely sure I was on the remote machine.

I'm still on the immortal session, with all but one question for y'all who actually know their RJ45s...

How?



Avaya Data VLAN DHCP Issue

Hello All,

Recently, we moved our Phone DHCP server to Server 2016. In doing so, it appears the Data DHCP server is not handing out proper information.

I have the Data DHCP server setup with options, VLAN 14 is our Phone VLAN:

176 L2Q=1,L2QVLAN=14

242 L2Q=1,L2QVLAN=14

However, when clearing phone values, the phone does not grab the VLAN14 from this configuration.

All of my other phones are working properly, but only if the values are not cleared on the phone. This issue happens on any phone that I clear values back to default.

I have switch(es) Tagged for VLAN14 and untagged for data network. Any other thoughts here?



Is there a CLI command to determine GRE over IPsec?

I'm a student implementing a GRE over IPsec on GNS3 however not really sure if I implemented IPsec over GRE (if possible).

Any hints/commands that can clarify that I really did what was required of me? And how do I know if it's site-to-site or point-to-point? Any suggestions are greatly appreciated.



Looking for advice on how to tackle this problem

Hello all,

As you can see in the picture, I have drawn up a mock scenario of the current situation I'm in. We have separate networks at our site for admin and production. We currently placed a temp building down about a block away and have a point-to-point to this building using the production network. We now need to add a VoIP phone and desktop computer that connects to the "admin" network. My question is how I should accomplish this. I figure I VLAN off the Network A devices that are on Network P, set up routing and access lists on the FW, and set up IP helper THROUGH the firewall. Thoughts and suggestions? Here's a drawing of the Mock Network



Can console port on a router also work as management port. Any advantage of management port?

I am new to the networking industry, and I've been told to provide management port access to configure a router (Cisco 2900). This is to be done by connecting the router to one of our access switches. I want to know if configuration can be done by providing console access via my laptop through PuTTY. I don't know how to provide management port access. Does the management port have any advantage over the console port?



Command Prompt's commands for networking ease of use

So today I found that by typing "mode" in cmd you can find out your COM port number, and also that "getmac /v" lists the MAC addresses of your current PC, and "getmac /s hostname or IP address" does so for a remote PC.

I would appreciate if you can provide any other commands that are very helpful for ease of use.



Cisco Catalyst 9120 Series Access Points Licensing

Hello,

We recently bought some Cisco Catalyst 9120 Series Access Points and were obligated by the third party vendor to purchase these licenses with them (per AP):

AIR-DNA

D-CISCODNAS-SEE-T

PI-LFAS-AP-T

WLC-AP-T

AIR-DNA-A-T

AIR-DNA-NWSTACK-A

AIR-DNA-A

We do not use Cisco DNA nor Cisco Prime infrastructure.

Is this normal?



Can I use managed switch as a router?

I have ISP via ethernet and have managed switch, and now my AP with wifi broke. I tried to google a little, but can't find any tutorial or something... :(



how to reboot network devices with Ansible

With Ansible Engine 2.9 there is now improved handling for wait_for_connection with network devices. This means that network devices can lose connectivity (for something like a reboot) and the Ansible Playbook can continue working as expected. You can perform some tasks, perform a reboot, then continue operating the Ansible Playbook programmatically.

This requires two important steps that may be new for Ansible novices! (One), you need to deal with prompts, which are super common with network devices during a reboot, and (two), dealing with the connection going down programmatically.

For (One) you can use the cli_command module, which deals with prompts; here is an example for Cisco IOS routers:

---
- name: reboot ios device
  cli_command:
    command: reload
    prompt:
      - Save?
      - confirm
    answer:
      - y
      - y

For (Two) you need to use meta: reset_connection, like this:

- name: reset the connection
  meta: reset_connection

With the combination of (One) and (Two) you can now use wait_for_connection with network devices. You can do something like this:

---
- name: reboot ios device
  cli_command:
    command: reload
    prompt:
      - Save?
      - confirm
    answer:
      - y
- name: reset the connection
  meta: reset_connection
- name: Wait for the network device to reload
  wait_for_connection:
    delay: 10

Hopefully this will help some folks that need a programmatic way to reboot routers! I have written a small blog post here, but I didn't want to break rule #3 for reddit, so I rewrote some portions to help folks that prefer only using reddit!
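A complete play that combines the three pieces above, written here as an added example rather than the original post's code. The inventory group name `ios_routers`, the `network_cli`/`ios` connection variables, the timeouts and the uptime check after the reload are all assumptions; the point is to capture a before/after fact so the play fails loudly if the device never actually rebooted.

```yaml
---
# Added example, not from the original post. Assumes an inventory group
# "ios_routers" whose hosts set ansible_connection=network_cli and
# ansible_network_os=ios (Ansible Engine 2.9 names), with credentials
# supplied by the inventory or a vault file.
- name: Reboot Cisco IOS routers and verify they came back
  hosts: ios_routers
  gather_facts: no
  connection: network_cli

  tasks:
    - name: Record uptime before the reload (used to prove a reboot happened)
      ios_command:
        commands: show version | include uptime
      register: before_reload

    - name: Reload the device, answering the save and confirm prompts
      cli_command:
        command: reload
        prompt:
          - Save?
          - confirm
        answer:
          - y
          - y

    # The persistent SSH session is dead once the box goes down; drop it so
    # the next task opens a fresh connection instead of reusing a broken one.
    - name: Reset the Ansible connection
      meta: reset_connection

    # delay: seconds to wait before the first probe; sleep: seconds between
    # probes; timeout: give up after this many seconds (assumed values).
    - name: Wait for the device to come back (up to 15 minutes)
      wait_for_connection:
        delay: 60
        sleep: 15
        timeout: 900

    - name: Read uptime after the reload
      ios_command:
        commands: show version | include uptime
      register: after_reload

    # Within the 15-minute window a freshly booted IOS device reports its
    # uptime in minutes only; anything mentioning hours/days/weeks means the
    # reload was answered but never executed.
    - name: Fail the play if the device did not actually reboot
      assert:
        that:
          - "'minute' in after_reload.stdout[0]"
          - "'hour' not in after_reload.stdout[0]"
          - "'day' not in after_reload.stdout[0]"
          - "'week' not in after_reload.stdout[0]"
        fail_msg: >-
          Uptime before: {{ before_reload.stdout[0] }} /
          after: {{ after_reload.stdout[0] }} - device did not reload
```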



Quick Question - iBGP peering on Border Routers

I do not see a problem with this, but I want to bounce this off a few of my peers. There is obviously a need for iBGP when you have two or more border routers to ensure the best path to any network on the internet. I've seen the P2P iBGP link be private IPs and public IPs. Can you use either? Or is it only BP to use public IPs to peer your border routers with iBGP?



Setting Static IP on VLAN on Cisco SG200 boots me out of the web interface

Hello everyone,

Quick question that has me stumped. This is a brand new Cisco SG200 switch I have, 8 ports. I've connected to the default 192.168.1.254 web interface and created some VLANs, including a management VLAN. However, when I try to set a static IP on the VLAN, the web interface immediately locks up and I'm no longer able to ping the default IP address or access the web interface anymore. Does anyone know why this is the case?



CNAM or equivalent in the UK

I'm trying to set up caller name for a company in the UK such that when someone receives a call from us, they see our company name with/instead of our telephone number. I know that this is possible in the US using the CNAM system, but I'm struggling to find out if this is possible in the UK.

Anyone had any luck with this?

Thanks.



What's the issue with using a Linux/Unix box (PC hardware) with extra PCIe Ethernet ports instead of a Cisco or Juniper router?

This has been a lot on my mind lately. Cisco IOS routers are basically just underpowered embedded computers, why not opt for a cheaper solution and just use a x86-64 PC/server instead?



Please help me with this Subnetting work...

Hello, I'm a college student from the UK (which is basically grade 11/12 in the US) and I'm just desperately trying to pass the Cisco Networking part of my course. I have to type up a report on subnetting and I've come up with these subtitles to steer my work in the right direction.

Introduction:

What is a Subnet:

Uses of Sub-netting:

Subnetting a medium network:

Subnetting a large network:

Usefulness of private subnetting:

Conclusion:

The assignment details were to "Justify a private sub-networking scheme, which could be used on medium or large-scale systems, identifying individual sub-networks". I've searched high and low, I'm struggling to find detailed information of private subnetting and how it's implemented. Not even Cisco makes it clear. I don't even know what they mean by 'justify'. Justify why it works? I don't even know what a scheme is!

As far as I'm aware, subnetting is splitting IP addresses and using them inside LANs in order to prevent network congestion, and I understand subnetting has to be done in the command line (I think) but I don't exactly understand the difference between private subnetting and not private subnetting.

Could anyone please point me in the direction of resources to help me correctly answer these subtitles?

Thank you!



PAC File influence application like Outlook Office 365?

Hi All,

We are using a PAC file in our environment and Outlook O365, where the server name is configured using the address https://mail.company.com/xxxx, and I want to confirm the below.

My question is regarding the forwarding of Outlook. Does it use the PAC file, which includes the proxy server, to connect to the cloud mail server https://mail.company.com/xxxx, since it is bound to the internet via https? If yes, is there any application, or can we verify, whether the PAC file is being used by Outlook to reach the server? Or is this PAC file used by the browser only and not by the Outlook application?

Thank you



Is it true that downloading a large file at a high speed slows the internet for the others using it?

If, say for example, I'm downloading a large game at 50mb/s, will this slow the internet connection for the others?



Can a Buffalo BS-MP2008 translate between Jumbo Frames / MTU9000 and standard frames / MTU1500?

Hi, sorry, I am not an expert in networking, but have to operate a small office IT with mixed requirements.

I have some Linux servers, a Synology NAS and different kind of clients (Macs, PCs, ... ) with different networking requirements.

One (soon two) desktops are used for video editing. Hence, they would benefit utilizing jumbo frames between them and the NAS for sure.

As I can configure our 10Gbit switch, a Buffalo BS-MP2008, on every port to use or not to use jumbo frames, I wonder if it is capable of translating between MTU9000 and MTU1500. To my understanding, this would have to be the case. But I am not sure.

Thanks for your input!



Why does enterprise Wifi use GRE tunnels between AP and controller?

I have previously used Unifi APs - in general, these tend to be pretty simple affairs - the AP grabs an IP address, clients connect to it, and they get internet connectivity. At most, you can use different VLANs for different SSIDs.

However, I'm now using Aruba APs - and they seem to establish a GRE tunnel between the AP and a local Wifi controller.

Also, they have a separate controller, through which all traffic passes, which is different to Unifi.

I'm looking into Ruckus and they seem to do the same - and from research, it seems many Enterprise Wifi vendors (Cisco) do the same, with GRE tunnels, as well as a dedicated controller.

My question is - what are the main advantages of this approach, over the simpler Unifi/consumer-style approach?



New UniFi "datacentre" switches

/r/Ubiquiti/comments/ehxubp/unifi_leaf_and_spine/

Wednesday, January 1, 2020

Virtualized LNS recommendations

I currently land my VPDN tunnels and PPP subscribers on old Cisco hardware, the function of which I'm looking to replace. I'm considering virtual options for portability and future proofing, and was after some recommendations borne of experience.

Requirements are pretty basic; Terminate VPDN tunnels and land PPP subscribers either in the global table for internet subscribers or in a client VRF. I currently do this in Cisco land by returning various attributes based on the login username.

I've looked at vMX and Mikrotik but haven't found many other options. On the surface they both look like they'll do what I want, possibly with some drama sorting out the VRF thing.

Does anyone have experience with these products in this function, or alternative recommendations?



Deploying Unifi AC APs to Cisco PoE Switch?

Hello everyone,

I'm planning on using the Unifi AC Pros for our wireless network implementation. A simple preface that this is my first time working with Ubiquiti. I currently have a Fortigate 100D that is acting as our layer 3 device. It is in charge of Inter-VLAN routing, internet access (SFP fiber), and access policies. I have grouped together about 7 ports into a hardware switch (LAN) and created/assigned 5 VLANs to this hardware switch on the Fortigate. The VLANs on the Fortigate also provide DHCP and DNS, here are the VLANs:

VLAN 10 - Guest (192.168.10.0/24)
VLAN 16 - Corporate (192.168.16.0/23)
VLAN 32 - Dev (192.168.32.0/23)
VLAN 64 - Management (IT) (192.168.64.0/23)
VLAN 774 - Primus (Voice) (192.168.7.0/24)

I have a Cisco SG200 8-Port PoE switch which I plan on connecting the Unifi APs into. I hoped that I could use one of the ports on the switch as a trunk port to the Fortigate for the VLANs I want for wireless and then plug in the APs to the other ports. Is this implementation possible? And what would I need to do to configure the APs in this environment? Thank you.



T1 Circuit Bouncing

Hello,

One of my sites has bundled T1s. The circuit has been bouncing for the last day or so. I have a ticket open with the provider, but want to make sure it isn't anything on our end. I am a fairly new engineer and am not sure how to interpret some of this data. I see the interfaces flapping, but there are errors on the T1 controllers.. would this point to a provider issue at all? Or am I facing a hardware issue? I appreciate any input on this.

Here is the output from the show controllers T1 command:

T1 0/1/0 is up.

Applique type is Channelized T1

Cablelength is long gain36 0db

No alarms detected.

alarm-trigger is not set

Soaking time: 3, Clearance time: 10

AIS State:Clear LOS State:Clear LOF State:Clear

Framing is ESF, FDL is ansi, Line Code is B8ZS, Clock Source is Line.

Data in current interval (824 seconds elapsed):

0 Line Code Violations, 0 Path Code Violations

0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins

0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

Total Data (last 24 hours)

0 Line Code Violations, 204 Path Code Violations,

0 Slip Secs, 7066 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,

41 Errored Secs, 8 Bursty Err Secs, 33 Severely Err Secs, 7054 Unavail Secs

T1 0/1/1 is up.

Applique type is Channelized T1

Cablelength is long gain36 0db

No alarms detected.

alarm-trigger is not set

Soaking time: 3, Clearance time: 10

AIS State:Clear LOS State:Clear LOF State:Clear

Framing is ESF, FDL is ansi, Line Code is B8ZS, Clock Source is Line.

Data in current interval (823 seconds elapsed):

0 Line Code Violations, 0 Path Code Violations

0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins

0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

Total Data (last 24 hours)

0 Line Code Violations, 159 Path Code Violations,

1 Slip Secs, 7066 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,

30 Errored Secs, 8 Bursty Err Secs, 22 Severely Err Secs, 7063 Unavail Secs

T1 0/1/2 is up.

Applique type is Channelized T1

Cablelength is long gain36 0db

No alarms detected.

alarm-trigger is not set

Soaking time: 3, Clearance time: 10

AIS State:Clear LOS State:Clear LOF State:Clear

Framing is ESF, FDL is ansi, Line Code is B8ZS, Clock Source is Line.

Data in current interval (822 seconds elapsed):

0 Line Code Violations, 0 Path Code Violations

0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins

0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

Total Data (last 24 hours)

0 Line Code Violations, 105 Path Code Violations,

2 Slip Secs, 7077 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,

31 Errored Secs, 12 Bursty Err Secs, 18 Severely Err Secs, 7097 Unavail Secs

Here is the output from show logs:

*Jan 1 19:48:44.550: %LINEPROTO-5-UPDOWN: Line protocol on Interface Multilink1, changed state to down

*Jan 1 19:48:44.562: %BGP-5-NBR_RESET: Neighbor 10.10.4.50 reset (Interface flap)

*Jan 1 19:48:44.565: %LINK-3-UPDOWN: Interface Multilink1, changed state to down

*Jan 1 19:48:44.571: %BGP-5-ADJCHANGE: neighbor 10.10.4.50 Down Interface flap

*Jan 1 19:48:44.571: %BGP_SESSION-5-ADJCHANGE: neighbor 10.10.4.50 IPv4 Unicast topology base removed from session Interface flap

*Jan 1 20:06:27.957: %CONTROLLER-5-UPDOWN: Controller T1 0/1/0, changed state to up

*Jan 1 20:06:27.962: %CONTROLLER-5-UPDOWN: Controller T1 0/1/1, changed state to up

*Jan 1 20:06:28.954: %CONTROLLER-5-UPDOWN: Controller T1 0/1/2, changed state to up

*Jan 1 20:06:29.958: %LINK-3-UPDOWN: Interface Serial0/1/0:0, changed state to up

*Jan 1 20:06:29.962: %LINK-3-UPDOWN: Interface Serial0/1/1:0, changed state to up

*Jan 1 20:06:30.956: %LINK-3-UPDOWN: Interface Serial0/1/2:0, changed state to up

*Jan 1 20:06:38.357: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/0:0, changed state to up

*Jan 1 20:06:38.358: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/1:0, changed state to up

*Jan 1 20:06:38.375: %LINK-3-UPDOWN: Interface Multilink1, changed state to up

*Jan 1 20:06:38.377: %LINEPROTO-5-UPDOWN: Line protocol on Interface Multilink1, changed state to up

*Jan 1 20:06:39.028: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/2:0, changed state to up

*Jan 1 20:06:42.670: %BGP-5-NBR_RESET: Neighbor 10.10.4.50 active reset (BGP Notification sent)

*Jan 1 20:06:42.670: %BGP-5-ADJCHANGE: neighbor 10.10.4.50 Up

*Jan 1 20:46:31.862: %CONTROLLER-5-UPDOWN: Controller T1 0/1/1, changed state to down

*Jan 1 20:46:31.867: %CONTROLLER-5-UPDOWN: Controller T1 0/1/2, changed state to down

*Jan 1 20:46:32.857: %CONTROLLER-5-UPDOWN: Controller T1 0/1/0, changed state to down

*Jan 1 20:46:33.864: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/1:0, changed state to down

*Jan 1 20:46:33.864: %LINK-3-UPDOWN: Interface Serial0/1/1:0, changed state to down

*Jan 1 20:46:33.877: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/2:0, changed state to down

*Jan 1 20:46:33.879: %LINK-3-UPDOWN: Interface Serial0/1/2:0, changed state to down

*Jan 1 20:46:34.857: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/0:0, changed state to down

*Jan 1 20:46:34.857: %LINK-3-UPDOWN: Interface Serial0/1/0:0, changed state to down

*Jan 1 20:46:34.861: %LINEPROTO-5-UPDOWN: Line protocol on Interface Multilink1, changed state to down

*Jan 1 20:46:34.869: %BGP-5-NBR_RESET: Neighbor 10.10.4.50 reset (Interface flap)

*Jan 1 20:46:34.870: %LINK-3-UPDOWN: Interface Multilink1, changed state to down

*Jan 1 20:46:34.876: %BGP-5-ADJCHANGE: neighbor 10.10.4.50 Down Interface flap

*Jan 1 20:46:34.876: %BGP_SESSION-5-ADJCHANGE: neighbor 10.10.4.50 IPv4 Unicast topology base removed from session Interface flap

*Jan 1 21:04:13.113: %CONTROLLER-5-UPDOWN: Controller T1 0/1/0, changed state to up

*Jan 1 21:04:13.118: %CONTROLLER-5-UPDOWN: Controller T1 0/1/1, changed state to up

*Jan 1 21:04:15.113: %LINK-3-UPDOWN: Interface Serial0/1/0:0, changed state to up

*Jan 1 21:04:15.118: %LINK-3-UPDOWN: Interface Serial0/1/1:0, changed state to up

*Jan 1 21:04:23.109: %CONTROLLER-5-UPDOWN: Controller T1 0/1/2, changed state to up

*Jan 1 21:04:25.110: %LINK-3-UPDOWN: Interface Serial0/1/2:0, changed state to up

*Jan 1 21:04:25.204: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/0:0, changed state to up

*Jan 1 21:04:25.205: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/1:0, changed state to up

*Jan 1 21:04:25.226: %LINK-3-UPDOWN: Interface Multilink1, changed state to up

*Jan 1 21:04:25.228: %LINEPROTO-5-UPDOWN: Line protocol on Interface Multilink1, changed state to up

*Jan 1 21:04:31.731: %BGP-5-ADJCHANGE: neighbor 10.10.4.50 Up

*Jan 1 21:04:33.204: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/2:0, changed state to up



Question about internal network. Happy new year!

A silly question probably but I work on a boat and we have movie servers, NAS drives for ships backups etc. I understand the principle on how these work over the network and I appreciate that things like Apple tv’s require a connection to the internet (even home sharing for some reason).

Why does our network transfer files slowly, and movies take forever to load, sometimes to the point of not at all, when our internet connection isn't great? If it's all internal, why does it suffer when we are in areas with low internet connection? It may be coincidence but it's very consistent....

Thanks in advance



Good starter books for Networking

Hi all. I was hoping someone would have recommendations for a good starter book when it comes to learning about networking. I was thinking of picking up the Cisco networking Essentials but was worried it was not a good starting point. I can imagine the Dummies networking book is somewhat mediocre? Any suggestions or tips would be greatly appreciated. Thank you!



Does having someone on call for New Years make sense?

Has this ever come up at your job? It seems like the chance of something going wrong increases significantly on January 1, I'm wondering if any companies mandate someone being on call?

Right now I'm dealing with GPS sync not working on my Cambium radios, it stopped working world wide exactly at 9PM UTC on Dec 31, I can only assume it was something time related.



2020 Predictions

'sup /r/networking.

Over the past decade, I've made a number of predictions for around the 2020 time frame. I'm going to try to enumerate them and say where I am with them. Please feel free to use this post as a place where you can either reflect on your own predictions for 2020, or predict the next decade in networking.

  • Cisco will exit the routing/switching market by 2020

Around the 2012/2015 timeframe, I was commonly saying that Cisco will exit routing/switching "by around 2020". This was based on their constantly eroding market share in edge routing and DC switching (They remain in enterprise however).

Given their last few years of "becoming a software company" and now their latest move of "Cisco Silicon One", I think I'm on the right track, just overly aggressive timelines.

Overall, I'd say I was a 50/50 on this one. Trends matched up with where I was thinking, however I never expected Cisco to actually play to their strengths (ie: focus on being a foundry). Time frame was also overly optimistic.

  • Arista will be the new Cisco by 2020

Pretty sure I was right here, Arista is the first choice in DC switching, and fast becoming represented in edge routing.

  • NetEng jobs will go away

Pretty sure I'm right here. There are very, VERY few NetEng jobs out there right now. I just changed jobs, and I can tell you most of my interviews were coding/algorithms, and maybe 20% NetEng.

So, /r/networking - how did your own predictions go? Do you have some for the coming year/decade?



Tuesday, December 31, 2019

SSH CA authentication

Hey everyone,

I'm a previous network admin and have experience with Juniper, Cisco and Arista products. Before logging a million and one support cases, I'm wondering if anyone has any ideas if SSH CA authentication is supported by any of the regular vendors out there.

For security reasons, I've got to implement SSH key management for our Linux and supporting systems and I thought if I could extend this down to the network elements it would be a really good solution. Replacing RADIUS and keeping TACACS+ for command auth / logging.

My only problem is that, either my Google-fu is bad, or the only people that seem to have anything to do with it are Arista. I can't see support for this from anyone else.

Anyone else tried this?

Thanks,

Berny



OpenVPN on Docker Routing w/ PfSense

I have a server (IP: 192.168.101.2) running a Docker container with OpenVPN Access Server. OpenVPN AS is giving all clients IP's in the 172.16.0.0/24 range. I would like these clients to access everything in the 192.168.200.0/24 range.

I have a PfSense setup with the 192.168.101.0/24 and 192.168.200.0/24 VLAN's both set up and a firewall rule running in between them:

Source Port Destination Port Gateway Queue
192.168.101.2 * 192.168.200.0/24 * * None

However, this is having the effect of letting everything on the 192.168.101.2 server through to 192.168.200.0/24. I only want the OpenVPN clients to be able to get through to 192.168.200.0/24, instead of the entire server.

---

What PfSense settings should I add/change on that firewall rule to get only the 192.168.101.2 VPN Clients to access the other subnet, instead of the entire server?



Indirect DMVPN Route using EIGRP

Hello, looking for some advice on what config setting I am missing...

Sites A, B and C are all connected via DMVPN with 2 separate "clouds", Tun100 and Tun200 on each site. Running EIGRP for route distribution amongst all sites. Each site has 2 routers one has Tun100 and the other has Tun200. The routers are connected to the core routing switch at each site via a /30 subnet for each router.

Tun100 and Tun200 between Site A and B is down. Tun200 between Site B and Site C is down. Tun100 between Site A and Site C is down.

This results in there being a path between Site A and Site B such that Site A connects to C on Tun200 and then in turn could connect to B on Tun100.

However, EIGRP doesn't seem to distribute this routing path. I can't figure out why it won't distribute that route short of the two DMVPN routers are not EIGRP neighbors of each other, so it won't redistribute routes that way. But I am not certain. An example of the eigrp config is below. The 10.2.255.0 network is the router<-->core switch at the local site. 10.255.252 = Tun100 and 10.255.253 = Tun200 address space.

Any ideas on what I am missing that would help push this indirect route into our routing table?

router eigrp 100
 network 10.2.255.0 0.0.0.3
 network 10.255.252.0 0.0.0.255
 network 10.255.253.0 0.0.0.255
 passive-interface default
 no passive-interface Ethernet0/1
 no passive-interface Tunnel100


INE / CBT /ITPro /Youtube?

Looking for opinions on learning resources yall have used. Going to get a subscription for 2020 to step up my skills and grab a cert or 3. Looking at INE / CBT Nuggs / IT Pro. They all seem to be have some advantages the others don't have. Thoughts?



Static Routing Preference Question

Hi r/networking,

I have a pulse secure appliance that is connected to our network via static route to our transit LAN subnet. Our firewall has an interface on this same LAN and there is a static route configured to the Pulse Secure client. Our firewall currently has a site to site vpn with AWS using BGP. When connected to the pulse secure I can reach the firewall and all of the locally connected resources. I've determined that in order to route to AWS, I'll need to include a static route on the firewall over the correct tunnel interface. If I add the static route in the firewall this will definitely take precedence over the BGP route, but if for some reason the static route is unavailable will it naturally go to the BGP route? (we have a few redundant tunnels configured in case one drops). Am I incorrect in assuming the static route on the firewall will correct the issue from the firewall? Will there be any additional issues from adding the static route?

Thanks in advance and sorry if this is a stupid question, but I'm on a time crunch and just inherited the entire management of our network.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



ARP issue??? -need help!!!

Having the weirdest issue intermittently over the last 24 months... once a month between the hours of 8am-1pm (basically a 30 day gap between incidents).

We have a DMZ with a Windows application proxy server on it; on prem we have an ADFS server to authenticate. However, our external CRM site will go down - it will become unreachable.

We contacted our DNS record host thinking it might be something on their end, but they get a 404 error when trying to connect to the site - so the site server is able to be contacted but nothing else works? When signed onto the WAP server you can't even connect to the CRM server via browser. This lasts for 4 hours on the dot, then comes right back up. This makes me think ARP; I am NOT a network guy, I know what ARP is but have no ARP experience. Our entire network is 3-layer switches with the DMZ having its own 5-port switch (which I have 0 details on).

You cannot connect to this site from external while the issue is occurring. Internal works fine.

We are still able to connect to our webmail server and our RDgateway server, which route through the WAP server and authenticate via the ADFS server. We tried changing our DNS server from OpenDNS to Google DNS and our own DNS server, with no change.

I've dug through the WAS logs and the ADFS server and don't see anything weird. This is huge because all of our call center employees use CRM.

Any help is appreciated!



How do I block/filter a website with a long URL from my Huawei router?

So I know how to filter websites that have shorter URLs, but when the website has a longer URL it doesn't allow me to block it. How do I solve this issue??



Low cost LTE router with built in wireless

I'm looking for options for a low cost LTE router that has built-in wifi, to be used on US based LTE networks. Support for both AT&T and VZW in the same unit is ideal, but not required.

I'm effectively looking for something a little more robust than just buying an AT&T hotspot device/VZW jetpack device. I know CradlePoint is the gold standard but I'm looking for a lower price bracket where I can reliably have up to 20 wifi devices connected (although the more typical number would be around 10).

MikroTik LtAP or wAP seem like they might be a good fit, but I have zero experience with them or MikroTik in general.



High inbound utilization on outside int (Cisco ASA)

Hey guys,
I have an ASA that I am getting WhatsUpGold notifications that the inbound utilization on the outside interface is sometimes spiking to 150 - 160%. I can see on some ASA monitoring where this is happening but I can't find anything like the Src IP. I don't see anything in the log of the ASA. Kind of new to this. Any ideas?



Setting up a tiny business infrastructure?

Hi all. So this will probably be a really stupid question. I’m sorry I missed moronic Monday.

Anyways. My MIL has a tax business. She has about three people that work in her office. They all share files, but some share from this computer and some from that. She has an old Win 2003 business server that she stores files on. She has about three different computers just sitting there with different files, and she has to power them on so she can access them.

I’m not an IT guy. I know about computers and a little about networking. But not enough to do this without a little guidance. So my goal is to get all of her files in one location. Preferably on a cloud server somewhere so they can all access it without storing it on her PC. Her 2003 server has all the roaming profile info and login info for her work so I need to keep those settings somewhere. Ok it’s a freaking mess in here. Not even sure where to begin. I need to find her some sort of server software to house her business info. I need to move all the files to a central location and then preferably with a hard drive back up somewhere.

Anyone have info on a good business cloud that is easy to set up?

In my mind this should be easy. Move files. Network all computers together. Figure out how to move the logins or create all new ones and just kind of streamline her processes. However with never having done that before I’m not sure where to start or what kind of craziness I’m getting myself into. Any advice or suggestions? Did I make sense at all or was that unusable information?



Cisco 2960X Ws-C2960X-48TS-LL commands not recognized

noob question here...

I'm trying to create policy maps and class-maps

But when I go into global config I am unable to create any of these maps as they are coming back as unrecognized commands. Is this switch able to do these commands?

The current IOS has been updated to 15.2(7)1E1 and the SW IMAGE is c2960x-Universalk9-M

Any assistance is greatly appreciated.



Cisco Self Signed Certs

So I am getting a little anxious, as I am new to networking and I'm not 100% certain that we don't have Cisco self signed certs.

So I found this link and it suggests to use Cisco CLI Analyzer and run System Diagnostics, but it doesn't mention if this is a disruptive or nondisruptive.

Is this something that can be ran during the day?



How to find out what method was used to close a connection ?

Given there exists a client and a server, and the client does an active close using shutdown() with SHUT_RW, is there a way to find out from tcpdump that the client used SHUT_RW?
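An added example (not part of the original post) showing what a half-close with shutdown(SHUT_WR) looks like from the peer's point of view: the client sends a FIN but keeps its receive side open, so the server can still deliver data to it after the FIN, which is the behaviour a capture would show. The echo-style server and the loopback exchange are constructed here for illustration.

```python
import socket
import threading


def _reply_after_eof(listener: socket.socket, received: list) -> None:
    """Server side: read until the client's FIN (recv returns b''), then reply.

    On the wire this is the tell-tale of SHUT_WR: after the client's FIN the
    server's data segments are still ACKed by the client. Had the client
    called close() instead, its kernel would answer that data with a RST.
    """
    conn, _ = listener.accept()
    with conn:
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:          # b'' means the peer half-closed (FIN seen)
                break
            chunks.append(data)
        received.append(b"".join(chunks))
        conn.sendall(b"ACK:" + received[0])   # sent AFTER the client's FIN


def half_close_exchange(payload: bytes = b"hello") -> bytes:
    """Client sends payload, half-closes with SHUT_WR, then still reads the reply.

    Returns the bytes the client received after its own FIN went out.
    Uses a constructed loopback server on an ephemeral port.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    received: list = []
    server = threading.Thread(target=_reply_after_eof, args=(listener, received))
    server.start()

    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)   # FIN leaves now; receive side stays open
        reply = b""
        while True:
            data = client.recv(4096)      # still works after SHUT_WR
            if not data:                  # server's FIN ends the exchange
                break
            reply += data

    server.join()
    listener.close()
    return reply


if __name__ == "__main__":
    print(half_close_exchange(b"hello"))   # -> b'ACK:hello'
```

Capturing this exchange with tcpdump shows the client's FIN, then data segments from the server that the client ACKs, then the server's FIN; a full close() would instead produce a RST from the client on the first post-FIN data segment.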



Viptela: EIGRP on Transport VPN0

Does anyone know if EIGRP is supported on the Transport side of Viptela? I see that they have just added it to Service-side VPNs. Also, is it supported on Vedge Devices or just Cedge devices.

Thanks in Advance.



Is L2TP VPN allowed by default on ASA?

So I have set up a VPN server behind an ASAv firewall with one-to-one static NAT. At first I added access-lists for ports 1701, 500 and 4500 and I am able to connect to the VPN server. So I tried removing the whole access-list and I can still connect to the VPN. I am confused. Does the ASAv allow them by default?



Can I connect 60 Cisco IP phones directly to my Cisco 2911 router? (I'm a beginner in Voice)

Hi guys,

So I am doing a project where I have 60 IP phones and 60 PCs which I have to connect to my network.

Network:

  • Cisco 2911 router
  • Cisco 2960 POE Switch (3 x 48 ports)
  • Cisco 7960G IP phone

Things I have done:

  • Deployed cable for both PC and phone separately (I have seen posts where it shows that one cable from the switch was enough)
  • Purchased a voice line from my provider.
  • Purchased bandwidth from my internet provider.

Confusion:

  • Can I connect my IP phones directly to my PoE switches -> router and then NAT them to the IP given by the voice provider? (Is it good practice?)
  • Also, will my internal calling be charged like extension calls?
  • IP PBX vs router: what is a good solution?
  • Should I get an IP PBX or will my router work fine?

TIA.



Monday, December 30, 2019

CCIE vs College Degree CS [Difficulty]

How would you compare the difficulty of obtaining a CCIE R&S to a BS in Computer Science?

I know this isn't apples to apples. Obviously a degree would typically take longer. Maybe just comparing the more advanced/difficult CS classes.



Where to lease subnet /22

Hello,

I am looking to lease a /22 block subnet routed to a dedicated server (ARIN)

Have been having trouble finding companies that are willing to lease to me

Anyone have recommendations for me?

Thanks



Cisco Warm Upgrade

As the title suggests, has anyone used this with Cisco before?

Just wondering if something needs to be configured or how it works? I can’t seem to get it working on a 2960X model?



Noob question

I am trying to understand networking.

Say I want to host a website.

Can I host this website on a virtual machine with firewall rules on the host and place the machine in a DMZ zone where an IPS sits? How do you connect these two to ensure all traffic is reviewed by the IPS before it reaches the web server?

What is the flow of such setup?

Proxy>IPS>WebServer?



Need help regarding ubiquiti wifi network

I require some help to reinstall my Ubiquiti wifi network setup I have at home.

Almost two years ago I turned my Sky wireless router into modem-only mode and connected it to a Ubiquiti PoE switch. To the switch I had 3 Ubiquiti access points installed and a hybrid Cloud Key controller. I managed to set it all up and created a new wifi network; everything was working fine.

Recently I had to restart my wifi network due to power issues; everything was turned off for a short amount of time. When turned back on I noticed the Cloud Key controller was flashing white, the internet was dropping in and out and some of the wifi cams were not connecting. I reset the Cloud Key controller but now I have had to set up a new site. The problem I'm having is that my PoE switch and all the APs are connected to my old site on my old wifi network name. When currently logged in I can't find / see that site anywhere.

What I want to do is be able to take control of my old site that had my existing wifi network name and APs / clients (I'm still connected to this wifi network and my APs must be working there: blue coloured, and the internet is working). How do I regain control of my old site? Or can you help me set up a new site?



Routing packet loss on Nexus running VPC

Trying to get my head wrapped around a packet loss issue we're experiencing on a pair of Nexus Switches.

2x Nexus 3548's in VPC cluster

https://imgur.com/Zhkbjmn

The Nexus switches are acting as the routing core for our network. The Nexus share OSPF routes to/from our firewall cluster on a stick for MPLS and internet.

We have a variety of edge switches + switch stacks connected to our Nexus core. Each switch has 2x 10GB fiber uplinks back to the nexus, split 50/50 between the two Nexus switches for redundancy. All uplinks are layer 2 LACP trunks.

Aside from this weird packet loss issue when routing between VLANs everything else seems to be working fine.

Packet loss issue is not reported when routing from internal VLANs outbound to the MPLS or internet. Issue only occurs between VLANs terminated to the Nexus.

Scenario: New server is connected directly to the Nexus switches, 1x 10gb cable to each switch in a VPC LACP etherchannel. Windows Server is set in LACP mode for load balancing. LACP comes online and traffic gets through. Uplink ports to the server are untagged on VLAN 40.

From a layer 2 perspective everything seems ok. The server can communicate with anything on the same VLAN without issue.

But when it tries to route to any of the other VLANs terminated on the Nexus we get about 50% packet loss. Instinct tells me that when packets are sent to Nexus A they get routed fine, but when they hit Nexus B the packets are being dropped or aren't getting routed.

Relevant config:

feature vrrp
feature ospf
feature interface-vlan
feature hsrp
feature lacp
feature vpc
feature lldp

vrf context vpc_keepalive

vpc domain 5
  peer-switch
  peer-keepalive destination 123.1.1.2 source 123.1.1.1 vrf vpc_keepalive
  peer-gateway
  auto-recovery

spanning-tree vlan 1-3,10,40,50,80,101,200-205,2011,2020,2030 priority 0

interface Vlan10
  no shutdown
  no ip redirects
  ip address 10.20.1.2/24
  ip ospf passive-interface
  ip router ospf 100 area 0.0.0.0
  hsrp 201
    preempt delay minimum 300
    priority 110
    ip 10.20.1.1

interface Vlan40
  no shutdown
  no ip redirects
  ip address 10.1.40.1/24
  ip ospf passive-interface
  ip router ospf 100 area 0.0.0.0
  hsrp 40
    preempt delay minimum 300
    priority 110
    ip 10.1.40.5

interface Vlan101
  no shutdown
  no ip redirects
  ip address 10.0.101.4/24
  no ip ospf passive-interface
  ip router ospf 100 area 0.0.0.0

interface port-channel30
  speed 10000
  switchport
  switchport mode access
  switchport access vlan 40
  vpc 30

interface Ethernet1/45
  switchport
  switchport mode access
  switchport access vlan 40
  channel-group 30 mode active
  no shutdown


PoE Wireless Router

Hi,

Does anyone know a wireless router with 4 ports and at least two of them with PoE?

Thanks



Potential MTU issue between Meraki MX and ASA5515

We have a client with a Meraki MX utilizing SDWAN (bonding two internet circuits) connecting to our ASA5515 via IPSEC tunnel.

After deploying SDWAN at the client site, we have started to see sporadic issues with HTTPS and other TCP traffic across the tunnel. PCAPs show a successful TCP handshake, and so far the only issues I can see are the occasional TCP retransmission and, rarely, MTU fragmentation. These issues are only remedied temporarily by bouncing the VPN from the Meraki side. When performing a TCP dump from the SDWAN bonder at the client site, I am seeing sporadic MTU errors:

14:29:26.018413 IP SDWANBONDER > CLIENTMX: ICMP (ASA5515) unreachable - need to frag (mtu 1452), length 556

I've done some pings across the tunnel from a client device to a server hosted behind the ASA5515 and found that the MTU of the next hop is 1374. After finding this MTU, I configured the MTU of the SDWAN bonder interfaces to 1346 but started noticing other progressive network issues, so I have since reverted these changes.

Does anyone have any suggestions for how I can approach this problem? I have not experienced it when doing MX to MX VPN with SDWAN, only MX to ASA so far.



Bandwidth to edge devices, when is enough really enough?

Hopefully this makes sense. I understand that server bandwidth inside a data center will always increase to handle the workload of thousands of connections occurring simultaneously. But traditionally we can see that data centers have backbones with far GREATER speeds compared to end devices (workstations etc...).

With this being said, what I'm trying to think about is: will we ever reach a limit in terms of bandwidth speeds to end devices that will be able to accommodate any type of application/software/connection/resolution that it needs? Like, even for the most bandwidth-intensive applications with the highest resolutions possible, what does that look like from a bandwidth perspective for an end user?

I would think that the biggest player in figuring out what speed will be needed (10GIG/100GIG etc..) is the resolution of the application being used. 4k, 8k, 16k, virtual reality?

Have there been any bandwidth tests using these resolutions? I know youtube videos now support 4k, but I have no idea how to find any information on 16k and Virtual Reality bandwidth specifications.

Anyone have any clue where to find this information?



Cisco SD-WAN versioning meaning?

I think I follow Cisco's versioning for routers/switches. From what I read, every third release is a "stable" release. For instance 16.3, 16.6, 16.9, 16.12 are the releases that receive longer term maintenance.

What about for SD-WAN? They have 17.2, 18.3, 18.4, 19.1, 19.2, and now 19.3.

Basically they just released 19.3, I was on 19.2, it's unclear to me whether I should upgrade to 19.3, or stay on 19.2 and wait for further maintenance releases to that branch

EDIT:

I should add, this is the only actual notice I can find: https://www.cisco.com/c/en/us/products/collateral/routers/sd-wan/eos-eol-notice-c51-743306.html Stating that anything 18.3 and older is end of support Dec 24 2020.



54% higher efficiency for Starlink: Network topology design at 27,000 km/hour

/r/spacex/comments/efhz3x/54_higher_efficiency_for_starlink_network/

static routes

Hello,

First of all I would like to say that I am new to networking and I have no idea how things work. I have really bad ethernet connection speed, so I bought a cheap USB WiFi adapter, connected it to the PC and everything works fine. Now I have 2 connections: 1 via ethernet and 1 via WiFi. I would like to use ethernet for everything except streaming live on YouTube via OBS. I already searched up some things and came to find out that I need to set a static route. After about 4h of research I still have no idea how to set that up. Any help would be very welcome, thanks in advance, Nejc.



Have a situation...need to battery power a POE switch in the field

So the issue I'm running into is that I'm seeing that most are 48V input, which is quite high and requires a large battery. Is there any PoE which runs at a lower input voltage? Anything hooked to it will be only 5V at most.



Hey everyone, I'm trying to reach people who would be interested in MRP/ERP software for small-medium sized manufacturing businesses (more details in the description)

Hi, I'm a representative of MRPeasy - a provider of cloud-based MRP/ERP software for manufacturers. Our goal is to reach as many businesses as possible who might benefit from such a system.

Instead of spamming subreddits with links, I prefer to engage with people directly, and attempt to present something of value - after all, why should you bother clicking a link? Did anyone actually ask your permission? Attention is arguably one of the most important things in life, and in business.

Transparency and honesty are two things I also regard as essential in business, and with that in mind, this is why I'm writing to you all today! So if you know someone who might be interested, please consider sending them our way!

Here's a link to our website, for anyone who might be interested in learning more: https://www.mrpeasy.com/

Thank you and all the best to you!

Christian



Best Practice for Stack Uplinks

Hi Folks,

How many uplinks to the core do I need for this fully connected stack (1-2-3-4-5-6-7-1)?

Any suggestions?



Sunday, December 29, 2019

Portfast and RSTP BPDU guard

Hey guys, so I set up a network last week and I used RSTP globally on each switch.

Then on the edge ports I used RSTP edge port BPDU guard. However, I noticed that the clients didn't get their IP addresses for 15 seconds or more; in fact many clients got a self-assigned IP address and then a DHCP address.

So I’m figuring I should also enable PortFast 0.

Now here are a few sticking points. Firstly, why do some switches use just portfast while others use portfast 0?

Secondly, I guess I'm wrong, but I thought RSTP edge port was the same thing as portfast. Why do I have to enable both portfast and edge port BPDU guard? I thought RSTP replaced STP...

Could I get some insight please?



My company lab is kind of primitive, What's your setup?

Loose cables: sometimes people knock some cables loose or, worse, slightly tug at the connection so it appears to be connected but you have to see the light to know.

We still use static IP addresses to access hosts in the lab. What's the setup in your labs?



Moronic Monday!

It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.



Allowed vlans in trunk

I've been looking over our switch configs that I've inherited and I have a question on allowed VLANs on trunk ports. The interfaces I'm questioning have our access points connected to them.

Currently all ports that have an access point connected to them look like this:

interface GigabitEthernet1/0/6

 switchport trunk native vlan 9

 switchport mode trunk

 spanning-tree portfast

I feel they should be configured as below to only allow the VLANs that we want:

interface GigabitEthernet2/0/7

 description AP-MS104

 switchport trunk native vlan 9

 switchport trunk allowed vlan 6,9,10,70,155-157

 switchport mode trunk

Edit: our VoIP is set up the same as our Access Points which definitely doesn't seem right.



What and how should a repeater be setup for multiple VLANs and access points?

The current modem/router is configured with multiple VLANs and access points for each network. A number of devices are some distance away from the access point and regularly drop the connection. This isn't a corporate or enterprise environment, so purchasing enterprise grade equipment isn't an option. I'm assessing the ability to increase the range of the signal via a repeater.

  1. Is there a repeater that can support multiple VLANs? If yes, what make and model are recommended?
  2. Can consumer grade repeaters be used?
  3. How should the repeater be configured?


/r/networking appreciation post

Hi all,

I just want to express my appreciation for everyone and everything in this sub, as it helps me expand my knowledge about enterprise networking in a huge way.

Why you may ask?

I have been deputy team lead in technical 2nd level customer support at a quite big ISP here in GER for ~1.5 yrs now.

As deputy team leads we are supposed to answer the technical questions from our colleagues, and there's little to no documentation for technical things above our level.

Sure, there's a NOC, and if you get to know some of the guys they answer the questions you have, but I don't want to look like a total fool to them, so I read books about networking, VoIP, etc. In addition to that I extensively lurk in this sub and read nearly every post including the comments, as those are cases out of the field to which I won't have access.

TL;DR

Great sub here. I really enjoy all the discussion and analysis of problems straight out of the field; they have taught me much I wouldn't have learned another way.

Thanks & Everyone have a great 2020!



What NETWORK problem is best/easiest troubleshot by looking at packets in Wireshark?

Yesterday I made a semi-obnoxious comment in another thread that got me downvoted pretty hard. (At least for this sub.) That comment was that a good networking engineer didn't really need to learn how to read packet captures in Wireshark as a core networking skill, because our primary responsibilities are layers 1 through 3, and you should never need to open up Wireshark to troubleshoot ANY issue in those layers.

However, I also posed a question in response to my backlash: If I'm wrong, prove me wrong. Name any situation where a NETWORKING problem (read: layers 1-3, something that you would have to fix on a switch or router) where you could only, or most easily, solve the problem by jumping to Wireshark and looking at packet captures.

And honestly, no one was able to answer it. I stand by what I said, that for a Networking Engineer, you don't need to EVER go to Wireshark to solve any NETWORKING problem. Problems of a higher layer? Absolutely. If you want to see if a server didn't send a SYN+ACK, or see what error message it sent, something like that, that's not a Networking problem. At that point you're doing the application owner's or the server owner's job for them. You are NOT troubleshooting a network issue at that point. You're doing someone else's job for them. Wireshark is their tool, not ours.

Here were some of the attempts at answering my inquiry, and my replies to them.

  • Attempt: A VoIP Customer (apparently you are working at a UCaaS vendor?) is complaining of call drops and quality issues, and wants you to verify that their traffic is being marked with the proper DSCP values. What easier way to do this is there than viewing their traffic in Wireshark?

  • My Response: Netflow, or even show policy-map interface and verify that the counters for Priority Queue and Signaling Queue are incrementing. Anyway, Netflow is the best answer, if the question is "verify that the traffic is being marked with the proper DSCP." Why would you EVER default to pulling captures and viewing them in Wireshark when Netflow, SFLOW, etc can easily tell you what traffic is going across your device, and if it has any DSCP markings. Done. Easy. Next!

  • Attempt: How are you going to verify asymmetric routing? Only Wireshark can show you if packets with the wrong destination address are reaching a host.

  • Response: That's not how asymmetric routing works. It doesn't cause packets with the wrong destination address to reach a host. ARP problems can typically cause that, and that's most easily troubleshot using show commands on your switch and/or router.

  • Attempt: ICMP is working to the server, but SSH is not.

  • Response: Then that's a higher layer issue, and it's NOT our problem as a Networking Engineer. It's not like we have protocol-based PBR installed on our network. We route packets based on destination address; if ICMP is working but SSH is not, the problem is so obviously a server/app problem at that point that a Networking Engineer does not need to be the one who is assigned to that ticket.

Anyway, I am just curious, since that hit a smaller audience: if I open this one up to the entire subreddit, does anyone have any GOOD examples of a NETWORKING problem (again layers 1-3, something you need to fix on a router/switch) where jumping into Wireshark to look at pcaps is the best/easiest way to troubleshoot it? Because I honestly believe that there's basically no reason to ever do that. IMO if you are at the point of looking at stuff in Wireshark, then you are already the wrong person looking at the issue, and it should go to the app/dev/server guy instead.
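The first "attempt" above is about verifying that voice and signaling traffic carry the expected DSCP marking. As an added example (not from the original thread), here is what that check looks like done from the packets themselves: decode the DSCP from the IPv4 header and tally correct and mismarked packets per class, much like the per-queue counters of a policy-map. The sample packets, the port-to-class mapping (SIP on 5060, RTP in 16384-32767) and the expected marks (voice EF, signaling CS3) are constructed assumptions for the demo.

```python
import socket
import struct
from collections import Counter

# Well-known DSCP code points (RFC 2474 / RFC 4594); others are shown as DSCP<n>.
DSCP_NAMES = {46: "EF", 24: "CS3", 26: "AF31", 0: "BE"}

# Assumed marking policy for this demo: voice bearer = EF, call signaling = CS3.
EXPECTED = {"voice": 46, "signaling": 24}


def dscp_of(ipv4_packet: bytes) -> int:
    """Return the 6-bit DSCP from the TOS byte of an IPv4 header (low 2 bits are ECN)."""
    if len(ipv4_packet) < 20 or ipv4_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ipv4_packet[1] >> 2


def classify(ipv4_packet: bytes) -> str:
    """Assign a traffic class by UDP destination port (assumed SIP/RTP ranges)."""
    ihl = (ipv4_packet[0] & 0x0F) * 4
    if ipv4_packet[9] != 17:                 # protocol field: 17 = UDP
        return "other"
    dport = struct.unpack("!H", ipv4_packet[ihl + 2:ihl + 4])[0]
    if dport == 5060:
        return "signaling"
    if 16384 <= dport <= 32767:
        return "voice"
    return "other"


def audit(packets) -> dict:
    """Per-class counters: 'ok' for expected marks, 'mismarked:<name>' otherwise."""
    counts = {cls: Counter() for cls in list(EXPECTED) + ["other"]}
    for pkt in packets:
        cls, dscp = classify(pkt), dscp_of(pkt)
        name = DSCP_NAMES.get(dscp, f"DSCP{dscp}")
        if cls in EXPECTED:
            key = "ok" if dscp == EXPECTED[cls] else f"mismarked:{name}"
        else:
            key = name
        counts[cls][key] += 1
    return {cls: dict(c) for cls, c in counts.items()}


def build_ipv4_udp(dscp: int, src: str, dst: str, sport: int, dport: int,
                   payload: bytes) -> bytes:
    """Construct a minimal IPv4+UDP packet with the given DSCP (checksums left 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(udp),
                            0, 0, 64, 17, 0,
                            socket.inet_aton(src), socket.inet_aton(dst))
    return ip_header + udp


# Constructed sample capture: two RTP flows (one correctly EF, one left at BE),
# one SIP packet at CS3 and one unrelated DNS packet.
SAMPLE_PACKETS = [
    build_ipv4_udp(46, "192.0.2.10", "198.51.100.20", 20000, 20000, b"rtp"),
    build_ipv4_udp(0, "192.0.2.11", "198.51.100.20", 20002, 20002, b"rtp"),
    build_ipv4_udp(24, "192.0.2.10", "198.51.100.5", 5060, 5060, b"INVITE"),
    build_ipv4_udp(0, "192.0.2.12", "198.51.100.53", 40000, 53, b"dns"),
]

if __name__ == "__main__":
    for cls, counters in audit(SAMPLE_PACKETS).items():
        print(f"{cls:10s} {counters}")
```

Run against real traffic, the same audit can be fed from a pcap reader; the mismarked counter is the number a policy-map on the switch would show as traffic falling into the default queue instead of the priority queue.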



Help me convince my boss we need a helpdesk

Apologies if this isn't the right sub.

Network admin for a few months now at current job but I wasn't told technical support was part of the job, i.e. fixing laptops, PCs, printers, etc.

It's a five man team and it seems the technical support side of the job really breaks your concentration and sucks away your time from the administration. From my point of view this makes projects take a lot longer to complete and absurd amounts of money may be spent on consultants. What this also means is working from home is not trivial because of the hands-on and in-person nature of technical support.

I believe if the job was focused on just administration it would allow the administrators time to study (a couple guys really need to) and be more effective at the job. More time is spent just managing stuff instead of having time to discuss and design new solutions.

Has there been any research done on the effectiveness of splitting tech support from administration? I'd like some hard evidence that shows it as we know management loves numbers and charts. The only evidence I have is anecdotal where our competitors are doing better than us and they have dedicated helpdesk/tech support lol



What kind of equipment should I have to lab for Network +?

Just wanting to know what I'll need to do Net+ labs. I don't have a lot of money, so I need some budget friendly options. Any help is appreciated. :) Thanks in advance!