Saturday, February 8, 2020

DOCSIS packet drop. Speed test reports correct speed.

Any DOCSIS experts in here?

One of my sites is having traffic loss. The ISP has replaced the cable modem with three different models. Almost no correctables on downstream, SNR is 41 to 43 dB, +5 on down, up is 42 to 43. RF plant reported no noise in the line after a couple of days.

Down Channels

16 Channels DOCSIS 3.0 QAM256

1 OFDM

Up Channels

3 DOCSIS 3.0 QAM64 Channels

Packet loss of 2-14%

It creates a pattern when using PingPlotter. See attached pictures. The same pattern happens when directly connected to the modem with a PC, so it's not my router.

https://imgur.com/a/GPC3uMj

If pinging the modem externally, it's only dropping in the last hop, which makes me believe it's an RF issue or CMTS issue.



200 Ricoh printers not working on DHCP, how to troubleshoot?

We have something like 200 Ricohs, all configured static due to that issue. I've been there since December and would like to make the service desk's life easier in configuring and managing those printers.

There's one big default VLAN with about 1500 devices. Infra is HP/Aruba.

When a Ricoh printer is connected on this VLAN it doesn't acquire a DHCP address. On all other VLANs the process works.

We captured the network traffic on the DHCP server and it doesn't receive anything from the Ricoh when connected on this particular VLAN.

The network administrator verified all the switch and router parameters and they look identical to him.

Now the magical touch: on Friday a Ricoh technician came to debug. He connected the Ricoh to an 8-port switch he brought, connected his switch to ours, and bam... it works. We made the same test with a hub we had and it worked as well. We also made a test with an 8-port HP switch we have and it didn't work... Previously we made our network capture using port mirroring, so we didn't detect that difference.

We Wiresharked the issue, and in the scenario where it doesn't work the Ricoh doesn't emit a DHCP discover/request.

I still don't know what to think about that: whether there's something misconfigured on the network or not, or whether the Ricoh receives something in its boot process that prevents it from launching the DHCP process.

Thank you for any hint you can provide; I would really appreciate any help and would be happy to answer any more questions.



Private VLAN for users/endpoints?

Is it feasible to put user workstations in a private VLAN?* They shouldn't really need to talk to each other, and it would be more secure in the event that one of them gets malware or compromised in any way. Have any of you tried this or considered it? Is there a better way to achieve client isolation on a wired network?

[Edit] * I'm referring to the "Private VLAN" feature on Cisco switches where hosts are only allowed to send packets to one port (e.g. the default gateway), and traffic between hosts is forbidden.



What Type of "Abnormal" or Interesting Environments/Networks do You Work On?

I'm curious to see what kind of "non-standard" networking roles some of you work in and how you ended up there. I'm in an odd place where I like what I do, I like the freedom I have, but I'm getting burnt out and feel like I should be paid more for all of the extra project design/engineering I'm doing.

I'm a tech in a union job so I'm kind of really limited in upwards growth where I'm at so there is no incentive to go above and beyond (which is my personality and frankly why I'm getting burnt out).

Personally, I work at a large Electric/Gas Utility. We have a large private infrastructure that consists of many sites (Offices, Power Plants, Substations, Radio Towers, etc). Our small team manages this infrastructure consisting of Microwave backhaul, dark fiber, privately owned fiber as well as two-way radio systems, paging infrastructure (yes some still carry those sweet Motorola pagers around), and SCADA radio systems (substation data, poletop devices, Gas gates, etc). Our private MPLS network extends to all of our offices throughout multiple states, all of our power plants, and to over 100 substations (Honestly don't know how many substations at this point, we add more every week it seems). Almost all of these sites are private connections save for a few rural sites that are away from everything else.

A lot is happening in terms of expanding infrastructure: new towers, upgrading backhaul, major private fiber build-outs coming down the pipeline. It's insane and our team and my group can't keep keeping on like this. Budgets for projects are increasing exponentially each year. It's a literal shit show.

What other types of different things do you all do? I feel like my knowledge of TDM, Microwave, and Nokia 7705 gear doesn't help me much anywhere else besides another utility.



Configuring a router interface as a dhcp client using netmiko

So I am fairly new to network automation. I am trying to configure a router's interface to be a DHCP client for a DHCP server on the same network. Now from what I know of Netmiko, you have to specify the IP address of the device when referring to the device in the Python code to be able to send configuration commands to it. But how would you specify the IP address if the device doesn't have an IP address as of yet? I am sorry if I am skipping some fundamental concept, I'm just really stuck on this. Help?



Latency path and BGP

What is the impact of latency on BGP? Meaning if one way latency is say 50 ms and later it keeps hovering around 80. How does this impact BGP convergence or establishment etc?



Need help with port forwarding

I am trying to port forward a Minecraft server. I have the port forwarding configured correctly, the only problem is it isn't working. I think the reason may be that I have another router behind an AT&T provided router. I can't remove the AT&T router as I won't receive an internet signal. I assume I need to forward the port again on the AT&T router or set the AT&T router to be a bridge with the second. Any advice would be greatly appreciated.



Revert DNS changes on Windows 10 personal computer

Hey, so I'm looking to block content on my computer so I followed the guide here https://cleanbrowsing.org/guides/windows to change my DNS.

Essentially it boils down to 4 commands I ran on Windows 10:

netsh interface ipv4 set dns "Wi-Fi" static 185.228.168.168 primary

netsh interface ipv4 add dns "Wi-Fi" 185.228.169.168 index=2

netsh interface ipv6 set dns "Wi-Fi" static 2a0d:2a00:1:: primary

netsh interface ipv6 add dns "Wi-Fi" 2a0d:2a00:2:: index=2

I previously never touched any default settings. How would I revert these four commands so my computer uses its default DNS settings?



Cisco 9500 ACLLOG Issue

Has anyone had problems getting ACLLOG to work on a 9500's ACL? It works fine on my other NX-OS switches, but for some reason I have no luck with the 9500.

The show logging ip access-list cache isn't always empty either.

I have the log levels for ACLLOG and the log file set correctly. ACL with the log action is applied inbound on a vlan interface.



Do IGP protocols "touch" FECs at all?

I'm learning about MPLS in school and a question on my midterm asked "how do interior gateway protocols deal with forwarding equivalency classes in comparison to link state paths?"

But the thing is I'm pretty sure the IGPs are just there to lay the foundation for the LSPs (link state paths) instead and don't deal with FECs at all. The label bindings are exchanged on the data plane not the control plane. No?



Cisco ASA 5520 - Remote Access VPN: Works, but no ping. Why?

Hi All,

I have an ASA 5520 in the US with remote access VPN capabilities via Cisco VPN Client. I have another site over in the UK that the US ASA has a site-to-site VPN to. In addition to that, the US ASA has site-to-site VPNs to about 140 other ASAs throughout the world. When connected to the remote access VPN, I can ping all of those sites, EXCEPT for this UK site... BUT... the actual services are accessible over this remote access VPN for the users in the US reaching out to the UK. I just can't ping the IP of the very same server that is successfully providing these users access, from the remote access VPN subnet. If I go to the US site and try to ping it (off the remote access VPN), it replies fine.

Packet tracer shows ICMP is permitted in both directions on both of the ASAs. The sniffer shows this:

An ICMP session is removed in the fast-path when stateful ICMP is enabled using the inspect icmp command

Inspect ICMP is on the UK side, not the US side. Tried turning it off. Didn't matter.



Fiber cut Seattle

Anyone else have a ton of sites down in WA State? We have about 60 sites down, apparently a Zayo owned circuit was cut in Tukwila and I also heard about a cut between Walla Walla and Lagrande.

This happened at about 8:00pm last night and they still haven't restored service yet.



Hands on Cisco ACI / DNAC possible?

I want to gain experience / proficiency in these products to give me a fighting chance in the job market, standing out against other lowly CCNAs.

Can they be used in GNS3 - if so are there any decent resources for learning the basics / day to day stuff?



Lower network latency for new-style TLDs? Are there any benchmarks or general insights?

I'm wondering if any of the new / long-form TLDs typically have lower latency than the classic 'prime' TLDs of olde.

I understand that some countries could have higher latency, if they've made all DNS bottleneck through the country. I don't really know how propagation happens across all/most/many of them. Which major DNS providers sign up for all TLDs, or which do they defer (is that even right?)

Is .xyz slower or faster than most? What about .bank, etc? Compared with .mk or .az?

I'm sure there's tons of naivety in what I'm asking. Thanks for any bits you know, or bigger picture insight. (I've read the sidebar; I'm not asking for some homework or a test question.)



Looking for suggestions for a cable tone and probe kit

Hey guys, I need a cable tone and probe kit and I’m looking for some suggestions. Anyone have one they can recommend? I don’t mind paying a little extra as long as it’s durable and trustworthy



DANOS Project - early findings

Hi networking,

Just thought I'd share some of my (very) basic findings toying around with the recently open-sourced AT&T project DANOS in case you're interested in giving it a spin.

tl;dr: don't make the same mistake I did trying to run it on Xen/xcp-ng.

So far, my experience has been very positive, but by no means have I explored all the features available or have been able to stress it. For more information, here's a link to the project:

https://www.danosproject.org/

(If this isn't the correct place, please let me know where it would be more appropriate as I am relatively new to Reddit. I did have a peek at /r/NFV but that place seems to be dead)

I'll start out with being able to install from the downloadable iso on various local hypervisors/clusters I have at my disposal:

KVM - Xeon E5 W, Intel NICs, Local Storage, Centos 7
oVirt - 3 Node, Xeon E5 W, Intel NICs, iSCSI, oVirt 4.3.7
xcp-ng - 3 Node, Xeon E5 W, Intel NICs, NFS, xcp-ng 8.0.0
ESXi - Xeon E5 W, Intel NICs, Local Storage, ESXi 6.7
Hyper-V* - Core i7-7800X, Intel NIC, Local Storage, Windows 10 Pro

*Sorry, out of real servers at home, and power budget :)

These findings were based on 4 CPU, 4GB RAM, 10GB SSD VMs. I've found that the router likes at least 2 cores to run. My first inclination is that it uses a core for management while the rest are used for processing packets.

Installed from ISO, booted from disk

KVM - Pass
oVirt - Pass
xcp-ng - Pass
ESXi - Pass
Hyper-V - Pass

Dataplane Up, Reachable (DHCP IP, Default Route, ICMP, SSH)

KVM - Pass
oVirt - Pass
xcp-ng - FAIL
ESXi - Pass
Hyper-V - Pass

The only system that the dataplane does not run on is the Xen based hypervisor, which is where I started. It will boot in HVM mode, but not in PV mode. But if the dataplane doesn't start, it's useless unless you want to have a peek at the CLI. I have tried everything I know with Xen and I couldn't get anywhere. I wasted a lot of time on this because I didn't RTFM like an idiot. Once I moved to other hypervisors, everything worked great.

I *assume* since I've had a good experience with all the KVM testing I've done, that Proxmox would run DANOS just fine, but I've got a lot running in my clusters, so that will have to wait.

FWIW, I've run VyOS on all of the above +Proxmox with much higher loads and more features running - no issues with dataplane on Xen. The dataplane itself is noticeably different from VyOS and that's where AT&T seems to have focused much of their work after the acquisition.

I plan to run some performance tests with what I've got - basic routing protocols, specifically loading a few full internet tables, throughput, compatibility, IPSec etc.

Today I will try all 3 major cloud providers and will follow up in this thread on how I make out. I suspect that since AWS is Xen-based, DANOS will not run on AWS on regular EC2 instances, but I'm interested to give it a shot on their new KVM-based Nitro hypervisor and might have better success there.

Anyone else's experience with more advanced configurations or performance testing would be appreciated! I'll share whatever I find.



Question ieee802.11 : Can an AP send probe requests ?

I was wondering if an AP in infrastructure mode can send probe requests like a client. I searched on the internet and all I found was that "stations" can send probe requests, but does "stations" mean AP+client or just client?

Thanks ! :D



Cisco Firepower 2110's

Hi All,

I seem to be having a weird issue with some new Firepower 2110's we purchased.

We have a total of 3 of them and on all 3 only the first 2 ports work. Ethernet 1/1 and 1/2. They are smart licensed with the ASA standard license but I can't get any of the other ports to work.

Cisco TAC told me yesterday that it sounds like hardware failure but all three devices are acting the same way. I feel like I'm missing something, or I didn't set something up correctly.

Ideas?



Setting password for protocol usage in firewall

Is there a way to set a password, for instance if I am trying to SSH into an endpoint? I am testing ideas to maximize security for a network. If I set a firewall rule that only a certain endpoint could SSH into a server or other resource, you could keep them safe even if that endpoint was compromised. You could even go a step further and set up MFA with this password. Is this possible?

Edit: Surely this has to be, it sounds like an enterprise-level firewall feature? Or perhaps there is software that does this?



Friday, February 7, 2020

Lightweight Linux Distro for Networking Troubleshooting

I am interested in creating a live Linux distro for USB that would contain network troubleshooting software like Wireshark, Nmap, you name it. Would anyone have some good suggestions?



Juniper Open Learning - Free Certificate at Completion of Web Training

https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=10175

Not at all associated with Juniper.

Been waiting for this opportunity. Just sharing it here.

Also, insights about the training would be helpful.



Could use some routing help ... iptables?

I am trying to route traffic coming from a Docker network... I have WireGuard up and running, and unlike the examples that route ALL the traffic through the VPN based on destination, I am trying to route only SOME of the traffic based on the source.

Essentially I want all the traffic coming from 10.30.0.0 (Docker bridge network) going through the wg0 interface, except for traffic that is going back to the same network or my LAN. So essentially just outbound internet traffic.

I have it working ... sort of ... using static routes.

post-up ip rule add from 10.30.0.0/16 table 200
post-up ip route add default via a.b.c.d metric 2 table 200
post-up ip route add blackhole default metric 3 table 200
post-up ip route add 192.168.0.0/16 via 192.168.0.1 table 200
post-up ip route add 10.30.0.0/16 via 10.30.0.1 table 200

Using table 200, for all traffic coming from 10.30.0.0 the default route is through wg0. The fallback route is a blackhole, a kill switch in case wg0 goes down.

The next two routes take care of routing anything internal around wg0, otherwise the containers can't talk to each other on the networks and any web GUIs can't be accessed. This works perfectly.

EXCEPT I call these routes in /etc/network/interfaces.d/wg0 so that the interface gets created and brought up at boot. Everything is fine except for this route:

post-up ip route add 10.30.0.0/16 via 10.30.0.1 table 200 

It fails because the Docker bridge isn't up yet, so it can't create the route because the gateway is missing. For the time being I hacked it together and used "@reboot" in cron to bring up the route after the Docker network is up.

Is there a more elegant solution? I thought of marking all the packets coming from 10.30.0.0 that are not destined for 10.30.0.0 or 192.168.0.0 (iptables -s 10.30.0.0/16 ! -d 192.168.0.0/16 etc etc) to avoid having to use that route, but I cannot figure it out for the life of me.

Appreciate any help



Interviewing at an ISP for an internship in the NOC

What questions should I ask as the candidate? Also what is a good way to prepare for the interview?



NetFlow impact?

Preface: I am not primarily a network engineer, but a sysadmin whose networking knowledge tops out at a CCNA R&S/Sec.

I wanted to get a community opinion on the impact that enabling NetFlow/sFlow across ~800 Juniper switches would have. This is in the context of implementing Cisco StealthWatch, and I understand that it’s entirely dependent on topology, but bear with me.

Our senior network engineer is concerned less about bandwidth and more about resources on said switches, stating that he'd crashed a Nexus 9K with NetFlow, and that he's been burned numerous times in the past by enabling it. My understanding is that if it's configured correctly, and you're not trying to ship out every piece of data under the sun, you're likely going to fare well.

Is he paranoid, or am I naive?



How do I change my DNS from the Xfinity online interface?

I looked everywhere in the settings at 10.0.0.1 and googled it with no answers. I want to switch to Cloudflare's DNS 1.1.1.1 for better speeds and security.



Capturing packets at 10Gbps or greater.

How do you guys packet capture at 10Gbps or greater? Looking for a portable way to do this. The only thing I see that isn't basically a monitor bolted to a desktop with a handle is ProfiShark 10G. They don't give pricing on the website so I doubt it's in a realistic price range that my company would pay for.



Brocade to Meraki Spanning-tree interoperability

We're in the process of ripping out our Brocade ICX switches with Meraki.

The Brocades are running 802.1w spanning-tree for all VLANs.

But when we plug in a Meraki the Meraki's uplink port enters a blocking state.

Reading the documentation Meraki doesn't have a full implementation of Rapid PVST+ and recommends running Trunks with native VLAN 1 on all uplinks to allow interoperability...

But that's for Cisco > Meraki and it's not working with our Brocades.

Anyone have any experience with this?

Or am I just going to have to trial and error this until I get it to work?



How to troubleshoot inconsistent connection?

Hi all,

Sorry if this is a frequently asked question, I've got no idea what I'm doing both setting up and troubleshooting networks.

But, I recently converted my shed into an entertainment room, and obviously set up an ethernet network to use my computer out here. Net works fine, except the connection is very unstable. I seem to drop out super inconsistently, some days I don't lose connection, other days every minute or so I lose internet.

Basically all the info I know off the top of my head is:

NBN box (I'm aussie), goes into router, router goes into switch, switch goes into ~35 metres of cat5e through the roof, out into the shed, into another switch, then through the wall out to my computer.

Sometimes when I lose connection, the network tab in the task bar says connected to network but no internet connection, sometimes it says not connected to network, sometimes it says connected to network and internet connection, but I don't actually have an internet connection? The most confusing part is every now and again, the switch seems to not be connected to the house (the indicator LED is turned off in the shed and in the house).

Now, I have no idea how to diagnose the issue(s) but I am willing and able to learn, I just have no idea where to start.

My apologies if this is a confusing post, or if there's not enough info, I am happy to provide clarification or extra information if needed.

Any help would be greatly appreciated, I plan on spending a lot of time out here and so I would love to get this fixed if possible.

Thanks :)



Remembering TCP Header Flags

Personally I've always found mnemonics handy for such things.

R - RST - Reset

A - ACK - Acknowledge

P - PSH - Push

E - ECE - Echo

F - FIN - Finish

U - URG - Urgent

C - CWR - Congestion Window Reduced

S - SYN - Synchronize

You're welcome. Put this on a white board somewhere in your office.
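To put the mnemonic to work, here is an added example (not part of the original post) that parses the fixed 20-byte TCP header and names whichever of the eight flags are set, so you can check a capture byte-for-byte against the list above. The sample headers are constructed inline for illustration.

```python
"""Decode TCP header flags into the RST/ACK/PSH/ECE/FIN/URG/CWR/SYN names.

Added example, not code from the original post. The packets below are
constructed here; they are not real captures.
"""
import struct
from typing import Dict, List

# Flag bits in the low byte of the 16-bit data-offset/flags field,
# listed from the most significant bit down (RFC 793 flags plus the
# ECN bits CWR and ECE from RFC 3168).
TCP_FLAGS = (
    ("CWR", 0x80, "Congestion Window Reduced"),
    ("ECE", 0x40, "ECN-Echo"),
    ("URG", 0x20, "Urgent"),
    ("ACK", 0x10, "Acknowledge"),
    ("PSH", 0x08, "Push"),
    ("RST", 0x04, "Reset"),
    ("SYN", 0x02, "Synchronize"),
    ("FIN", 0x01, "Finish"),
)


def decode_flags(flag_byte: int) -> List[str]:
    """Return the names of every flag set in the low byte of the flags field."""
    return [name for name, mask, _ in TCP_FLAGS if flag_byte & mask]


def parse_tcp_header(data: bytes) -> Dict[str, object]:
    """Parse the fixed part of a TCP header (network byte order, no options)."""
    if len(data) < 20:
        raise ValueError("need at least 20 bytes for a TCP header")
    src, dst, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", data[:20]
    )
    header_len = (off_flags >> 12) * 4   # data offset is in 32-bit words
    # Low 9 bits: the NS nonce-sum bit (0x100) plus the eight flags above.
    flags9 = off_flags & 0x01FF
    return {
        "src_port": src,
        "dst_port": dst,
        "seq": seq,
        "ack": ack,
        "header_len": header_len,
        "ns": bool(flags9 & 0x100),
        "flags": decode_flags(flags9 & 0xFF),
        "window": window,
    }


# Constructed sample 1: plain SYN from ephemeral port 51234 to 443,
# data offset 5 (20-byte header), flags byte 0x02.
SAMPLE_SYN = struct.pack("!HHIIHHHH", 51234, 443, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)

# Constructed sample 2: SYN-ACK with ECE set, i.e. the server agreeing to ECN
# (flags byte 0x52 = ECE | ACK | SYN).
SAMPLE_SYNACK_ECE = struct.pack("!HHIIHHHH", 443, 51234, 5000, 1001, (5 << 12) | 0x52, 65535, 0, 0)

if __name__ == "__main__":
    for pkt in (SAMPLE_SYN, SAMPLE_SYNACK_ECE):
        hdr = parse_tcp_header(pkt)
        print(f"{hdr['src_port']} -> {hdr['dst_port']}: {hdr['flags']}")
```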



Plugging ethernet to my laptop cuts down my WiFi signal strength?

I have a desktop and laptop both hardwired to my router individually. It's a Linksys e4200. If I unplug my laptop my WiFi signal is very strong on the other end of the house. If I leave it plugged in then the signal strength is almost non-existent. Why is this happening?



Is there any other way to get the router's public IP when DDNS isn't working?

I don't have any always-connected device other than the router, so I can't use any update client tool.



How is Cloudflare's public DNS (1.1.1.1) so fast?

I can ping 1.1.1.1 in < 1ms, Google's DNS is 14ms, OpenDNS is 14ms, Quad9 is 45ms. This is across AT&T fiber. Do they have better peering agreements or what? Just a coincidence they have a better peering agreement on AT&T's network near me?

I trust Google's DNS more so that's what I use, but I'm just curious.



Skinny on Aruba Networks

Hi All,

My company is doing an evaluation on wireless in the coming months. As I gaze into the all knowing magic quadrant I see Aruba showing as a top contender.

I am however aware that they are owned by HPE. My question to everyone is: is Aruba operating as its own company or is HPE running it? I hear HPE ruins most things it buys, so I'm curious if HPE is doing what Cisco does with Meraki and lets it operate like a red-headed stepchild, or puts a ring on it and operates it like an owned product of HPE?



Connecting two small offices that are close, but in different buildings

My company is expanding into the building next to us, and door to door, it's less than 100' away. There's approximately 5' of permeable ground between the buildings. Both offices are wired for cat 6. My plan is to have a contractor pull any required permits and run (weatherproof exterior) cat 6 between the offices, burying and going up walls and over the roof as needed. I'll join the second office's network into a switch in the first office.

I'm considering that maybe I should run multiple lines in exterior conduit for scaling and failure, or fiber, but this may be overkill. Thoughts? Is there a better way? Something I'm not thinking of?



Using a route map to filter traffic using multiple ACL statements

Hi all,

I am trying to use a route map to filter multiple ACLs in one hit and apply them to an interface.

Is there a way to do this using route maps?

So basically the ACLs below:

ip access-list extended SSH_WebApps
permit tcp 13.50.60.0 0.0.0.255 host 192.168.1.2 eq 22

ip access-list extended WEBSERVICE
permit tcp 13.50.60.0 0.0.0.255 host 192.168.1.2 eq 80

I have 3 interfaces:

GigabitEthernet0/0 192.168.1.254 YES NVRAM up up
GigabitEthernet0/1 200.60.65.1 YES NVRAM up up
GigabitEthernet0/2 110.60.65.1 YES NVRAM up up

G0/0 ==> LAN

G0/1 ==> Primary ISP

G0/2 ==> 2ndary ISP

So I'm looking to filter on both WAN interfaces.

Would appreciate any help

Thanks



Cisco ASA - VPN using Identity/CDA for ACL Rules

Hello,

As the title suggests - has anyone got Identity/CDA working when using user rules in a filter access list?

What I want to achieve is users VPN in using their AD credentials. From here, there’s a Filter ACL that limits what users can access depending on their user group.

When authenticating, I can see the user on CDA with the IP address of the VPN subnet, however I cannot pass traffic.

If I remove the ACL or put an IP any any at the top, traffic works fine.

Any suggestions?



Cisco 9300 Reflexive ACL

Can anyone confirm whether the C9300 supports reflexive ACLs?

It seems I cannot find a definitive answer in the guides or command references.



Do I need my ASA Flash contents backing up?

Hi all,

Quick question as my Google-Fu has failed me... We had 2 x 5516-X ASAs providing our external access; one of them recently failed and was replaced.

We restored the running config from our SolarWinds NCM backup, then we copied the contents of the Flash: from the still-working ASA to get ASDM and anyconnect versions consistent across the two ASAs, but there was also a bunch of XML files relating to VPN profiles. This sparked a discussion; "should we have been taking a full backup of the ASA's Flash:?"

The anyconnect and ASDM packages are easily enough available so we're more interested in the contents of the XMLs and any other configuration that's not stored in the running config. It's been suggested that pasting in the running config will generate those XML files should they be missing, but there's the concern that without those files and just the running config backup we wouldn't have our full service restored.

Does anyone else back up their ASA Flash: contents? Know of any Cisco whitepapers that advise whether it is/isn't required?

Thanks in advance guys.



Need advice with infrastructure planning

Hey there,

We are planning to deploy a star-type network in a new office building, with approximately 30 "beams" connecting to a central switch. Some of these are dedicated to IP cameras (like 8 switches with 90 cameras in total). My question is what kind of bandwidth/bottleneck problems are possible here, and how do you guys integrate surveillance traffic into your networks?
All switches have all 1G ports, cameras are 5MP (actual transmission quality is unknown at the moment). User traffic per switch is rather low, around 10Mbps.
At the moment we are looking at the C9200 and C9300 as hardware for this network.

Thanks



Whitelist on Cisco WLC

Hi,

I want to know the best way to create a MAC address whitelist for a specific WLAN. I have a list of my allowed MACs and I want to block everything else.

I saw MAC filtering but it doesn't seem fast to do, and even if I do add the MAC in the MAC filtering, is it considered a whitelist or blacklist?

I saw an option for ACLs, but can I use it for a whitelist and call it in the WLAN?

Thanks in advance.



PSA - CDPwn: Five new vulnerabilities discovered in Cisco Discovery Protocol

For those that haven't read the headlines yet, Cisco has issued updates for vulnerabilities that were published yesterday.

https://www.armis.com/cdpwn/

Fortunately IOS and IOS-XE do not seem to be impacted.



What are some start-ups that you can realize in networking!


Thursday, February 6, 2020

Netflow analyzer ranking

I figured I'd pick the brains of some fellow IT geeks!

I work for a large fortune company out of Canada.

Which Netflow analyzer is the best and why? I have an idea, but I'd like to get your unbiased pov.

SolarWinds, ManageEngine, Darktrace, RSA, Vectra



Semi cheap fiber optics testers for OM1 to 3 and OS 1 and 2

Looking for some advice on decent, but cheap, fiber optic tester units for OM1 to 3 and OS1 to 2. I'm working for a company that has a number of sites with a large geographic footprint, often over rough terrain, and we are often in need of a decent tester to determine if the cable is bad or works (can pass light, or even the dBm). Looking for something that is decently cheap, under $500, and somewhat user friendly that can do mainly SC and LC. I'm not too concerned with knowing where the cable break is (2 out of 3 times a cow or something has chewed through it) or anything like that, just whether it's still up or time to run a new one.

Could really use some advice on a decent tester that, should it break or go missing, I'm not too worried about and can get another. Any insightful input would be great!



Cisco 9200 - "Service unsupported-transceiver" error

Evening guys,

I'm standing up a fleet of 9200s, ran into this and couldn't find anything online about it.

Trying to run "service unsupported-transceiver" on a C9200L-48P-4G, running firmware 16.9.3 or 16.9.4, yields the following output:

Switch(config)#service unsupported-transceiver % Ambiguous command: "service unsupported-transceiver"

If I do "service ?", I actually see "service unsupported-transceiver" listed twice.

I've got 2 of these switches running on 3rd party SFPs from FS, I ran "no errdisable recovery cause gbic-invalid" and the links are up with no errors, "sh inv" shows the SFPs nice and happy.

Doing "sh int gig1/1/1 trans de" shows the following output:

Switch#sh int gig1/1/1 trans de Transceiver monitoring is disabled for all interfaces.

Has anyone seen this or have any insight?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.



Cisco ISE problem or flaw

Running Cisco ISE 2.3 patch 5. Keep having a posture redirect problem. What does this do and why do I even have it? Not using remediation.



Opinions on Palo Alto firewalls and Panorama vs. Check Point and other brands.

Looking to see what others' opinions and experiences are on various other firewalls. Currently Check Point is bugging out on us quite a lot. It recently started dropping "hello" TLS packets for one particular application only (also sharing the same certificate as other traffic that did get through) but gave no indications or logs that this traffic was getting errored or denied.

Our new Architect is pretty well at wits end, and likes PA. I have a very limited exposure to it. And when I did it was pre panorama.

But as a security guy, CP does some really nice things in terms of IPS/IDS and the ability to correlate logs, track threats etc. (Their IPS stuff is honestly one of the best security tools I have.)

Also coming in R80.40, the HTTPS inspection is getting an overhaul.

I have another close friend that loves their PA, and no issues with it. Our vendors that also sell PA say really they're not all that different in terms of maintenance, bugs or general quirks.

Not a particular fan of SonicWall or Firepower. Fortigate I have 0 experience with, but was also warned about their product stability and fixing bugs. (Just what I heard.)

The other issue we're looking to overcome is needing actual FWs for remote sites that we're moving to DIA from MPLS. Possibly looking at SaaS FW instead of direct appliances to lower costs and management.

Also ripping out one for the other seems like more work than we'd want especially if there's no drastic difference.

Thanks for your input.



Aruba 8320

We are looking at replacing our core HP 5406 with a pair of Aruba 8320s. We are a mid-size school with around 1000 users. According to HP/Aruba all my current 10G SFP+ modules are compatible. My vendor has come in with a really good price on them. With a lifetime warranty and my current adapters working, I'm leaning towards purchasing the 8320s. Has anyone had any experience with them, any pros or cons?



Point to Point wireless bridge

I need a point-to-point solution for my company. I've never done point-to-point before so I wanted to double check before I started ordering stuff. I was looking at a couple of the Ubiquiti NanoBeams. We don't need to go very far, a few hundred yards at the most. I'm assuming I just need two of the NanoBeams? There isn't any other hardware required other than regular networking stuff on both ends? It looks like they are about $100 a piece. Do they work well or is there another solution that would work better?

Edit: I'm aware they both are going to need a PoE switch or PoE injectors.



Catalyst 9500 Stackwise Virtual

This is a newish feature on a newish switch platform which always makes my hair stand up.

Is anybody using this yet? Is it scary? How has Stackwise Virtual behaved on the 9400s, since they've had this feature for longer?



Core Switch Upgrade

Currently planning on doing a core switch upgrade at my workplace to remove our old Catalyst 3560-X. I would like to upgrade to a 48 port, with PoE and 6-8 SFP(+) ports with a budget of 2500. I really don't want another Cisco as I can't stand their licensing nonsense and would like to move away from that. I've seen decent offerings like the Juniper EX2300-48P (not enough SFP ports) and the Fiber Store offerings look nice but are pretty sketchy from some reading around this subreddit. Basically I'm not a networking pro and there are too many options.



Need help making one VLAN talk to other VLANs

I am currently in the process of building the network for my department's new facility.

Our current setup consists of several Cisco SG550x stacks, a watchguard m570 firewall, and another SG550x between the firewall and our ISP.

We have several VLANs set up on this network. I need to be able to pass traffic to and from one of those VLANs to several other of our VLANs. Thus far I've been unsuccessful in figuring out how to make this happen. Our senior network guy had made several references to using the ACL list to make this happen, but unfortunately he was terminated from our organization recently and now the other tech and I are scrambling to figure this out.

From what I've been able to gather online, I need a router device or a layer 3 switch to do this. All of our SG550xs are currently in layer 2 mode. Is it possible to do this routing in our Watchguard?

Any help would be greatly appreciated. Thanks.



Google Maps style mapping software

Is there any software I can use to create a network map with the following:

  • When you zoom out, you get a general picture/backbone. Zoom in on something, get specifics and local topologies.
  • Have different layers (VLANs and where they span, physical cables, L3 coverage)


NOC Dashboard

I have been tasked with the initial setup for a NOC dashboard for my small company. Would be looking to be able to monitor the uptime on our clients' primary networks. Any suggestion on a pretty basic NOC dashboard that is easily set up?



Looking for ASA 5516-x with firepower service real-life throughput

I want to enhance my network security, from an internet traffic/malware/DNS perspective. I have 2 ASA 5516-X traditional firewalls in failover. According to Cisco datasheets they can deliver 900 Mbps throughput. I am looking at a possible replacement, the Cisco 2140 NGFW, but prices are insanely high compared to a traditional firewall.

And according to the Cisco datasheet regarding Firepower services on the ASA 5516-X, the throughput will decrease by 50%. So my question is, does anyone have experience with Firepower services on an ASA appliance regarding performance?

Or maybe some of you have a suggestion for another firewall product with better security than just NAT/ACL.



GS752tpv2 VLAN -- what am I missing?

Hi All,

VoIP phone has a connection, but the phone does not work. This is a little detailed, but after a day I've had no response from the Netgear community forums so I'll try here. Maybe it's a Netgear thing or maybe it's a "Jeff doesn't understand VLANs" thing.

I'm upgrading to new switches and trying to get VoIP and data VLANs working so users can plug computers into the backs of phones. Working with a GS752TPv2.

  • Data is vlan 1 (default).
  • Voice is vlan 20.

I'd like it set up so phone vlan 20 can connect to the gateway through port 47, and data through a SFP LAG to my LAN. Port 48 I'm leaving untouched in case I mess something up I can still plug into the thing.

I'm trying to use VLANs to have the switch split the phone off into one port on my gateway, and the data to the LAN (gateway is a Sophos UTM so only sort-of does VLANs, so I'm running my data and my phone into two separate ports on it, hence the untagged port 47 below).

  • Data works fine. I plug into the back of the phone and I can get to my LAN.
  • Voice is another story. The phone boots. I get a screen. But no dial tones and cannot call it, also buttons do not work. (Yes, I tested the phone in my old switch and it works.) Below is more detail on my setup. It may be that it's just getting power and not finding network. But it's getting an IP (from the Data side, and the plan is set to the phone vlan).
  • VLAN 20 is on ports 1-46, tagged.
  • VLAN 20 is on port 47, untagged.
  • VLAN 1 is on all ports, untagged, except port 47; it's not on there at all.
  • Port PVID is 20 on port 47, 1 on all others.
  • Voice VLAN Config set to VLAN 20 for ports 1-46.
  • Auto-VoIP enabled on ports 1-46, and port 47: protocol-based, class 7.
  • VLAN 20 Routing is set to an address I set aside in my voice network.

Not sure it matters, but the phone (Avaya 9608) just happens to be plugged into port 2 on the switch. I tried other ports without success. VLAN set to 20 on the phone.

Anyone seeing what I'm not? Let me know if more info will help; I'm not sure what else would be relevant.

Thanks!

Jeff



Is there a way to monitor which ports are open in a server?

Basically, a way to know what ports are open, or in listening state, in a server, particularly Ubuntu Servers.

I'm not really sure if I'm asking this the wrong way but I was assigned to create a monitoring system for all our servers and to know/monitor what ports are opened.

Like for sure, port 22 is open in all our servers. I want that to reflect in a dashboard.

What if other random TCP ports are opened, how can I show that in a dashboard?

Metrics monitoring is fine, I used the combo of InfluxDB, Grafana, Telegraf.

I'm just confused by what is assigned to me.

There's a language barrier going on internally so I cannot really clarify.

Before I ended our meeting, I was thinking maybe there's really a "port monitoring" dashboard in Grafana, so I googled away. But for 2 days now, I can't find anything.

I was thinking too, if I just make sure that the server is being monitored in CPU, memory, network, or any metrics, why bother monitoring what ports are open? Besides, ports are opened selectively for each server, so what's there to monitor?

Hope you all are getting what I'm trying to ask and can point me in the right direction.
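One way to give the "which ports are listening" question a concrete shape, as an added example for this thread (not the original poster's code and not part of the InfluxDB/Grafana/Telegraf stack itself): read the kernel's socket tables from /proc/net/tcp and /proc/net/tcp6, keep only sockets in LISTEN state, compare them with a per-host allow-list, and emit one InfluxDB line-protocol point per listener so Telegraf can ship it and Grafana can alert when something unexpected starts listening. The measurement name `listening_ports`, the tag names, the allow-list and the sample /proc contents are constructed for the example.

```python
"""Inventory listening TCP sockets on a Linux host and emit them in InfluxDB
line protocol. Added example for this thread, not the original post's code.
The measurement/tag names, the allow-list and the sample /proc/net/tcp text
below are constructed."""
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass
from typing import Iterable

TCP_LISTEN = "0A"  # value of the 'st' column for a LISTEN socket in /proc/net/tcp


@dataclass(frozen=True)
class Listener:
    family: str  # "tcp4" or "tcp6"
    addr: str
    port: int


def _ipv4_from_proc(hexaddr: str) -> str:
    # /proc/net/tcp stores an IPv4 address as one little-endian 32-bit word in hex
    return socket.inet_ntoa(struct.pack("<I", int(hexaddr, 16)))


def _ipv6_from_proc(hexaddr: str) -> str:
    # /proc/net/tcp6 stores an IPv6 address as four little-endian 32-bit words in hex
    words = (int(hexaddr[i:i + 8], 16) for i in range(0, 32, 8))
    return socket.inet_ntop(socket.AF_INET6, b"".join(struct.pack("<I", w) for w in words))


def parse_proc_net_tcp(text: str, family: str) -> list[Listener]:
    """Return the LISTEN sockets from the contents of /proc/net/tcp or /proc/net/tcp6."""
    decode = _ipv4_from_proc if family == "tcp4" else _ipv6_from_proc
    found = []
    for line in text.splitlines()[1:]:  # the first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue  # skips ESTABLISHED/TIME_WAIT/... rows
        hexaddr, hexport = fields[1].split(":")
        found.append(Listener(family, decode(hexaddr), int(hexport, 16)))
    return found


def read_host_listeners() -> list[Listener]:
    """Read the live kernel tables (Linux only); returns [] where they do not exist."""
    listeners: list[Listener] = []
    for path, family in (("/proc/net/tcp", "tcp4"), ("/proc/net/tcp6", "tcp6")):
        try:
            with open(path, encoding="ascii") as fh:
                listeners.extend(parse_proc_net_tcp(fh.read(), family))
        except OSError:
            pass
    return listeners


def unexpected_ports(listeners: Iterable[Listener], allowed: set[int]) -> set[int]:
    """Listening ports missing from this host's allow-list: the thing to alert on."""
    return {l.port for l in listeners} - allowed


def to_line_protocol(listeners: Iterable[Listener], host: str, allowed: set[int]) -> list[str]:
    """One InfluxDB line-protocol point per listener. The 'expected' field lets a
    Grafana alert fire on expected=0 without the dashboard knowing the allow-list."""
    lines = []
    for l in sorted(listeners, key=lambda x: (x.family, x.port, x.addr)):
        expected = 1 if l.port in allowed else 0
        lines.append(
            f"listening_ports,host={host},family={l.family},addr={l.addr},port={l.port} "
            f"listening=1i,expected={expected}i"
        )
    return lines


# Constructed sample: sshd on 22 (v4 and v6), a web app on 127.0.0.1:8080,
# MySQL on [::1]:3306, plus one ESTABLISHED session that must be ignored.
SAMPLE_TCP4 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:0016 5A02000A:C2E4 01 00000000:00000000 02:000A1B2C 00000000     0        0 12347 2 0000000000000000 20 4 28 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0CEA 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 12349 1 0000000000000000 100 0 0 10 0
"""

ALLOWED_PORTS = {22}  # constructed per-host baseline; the post says 22 is open on every server


def sample_report() -> tuple[list[Listener], set[int], list[str]]:
    listeners = parse_proc_net_tcp(SAMPLE_TCP4, "tcp4") + parse_proc_net_tcp(SAMPLE_TCP6, "tcp6")
    return (listeners,
            unexpected_ports(listeners, ALLOWED_PORTS),
            to_line_protocol(listeners, "srv1", ALLOWED_PORTS))


if __name__ == "__main__":
    live = read_host_listeners() or sample_report()[0]
    print("\n".join(to_line_protocol(live, socket.gethostname(), ALLOWED_PORTS)))
```

Run it from a Telegraf `inputs.exec` on each server (or any scheduler that can pipe line protocol to Telegraf) and the dashboard gets a per-host table of listeners, with `expected=0` rows being the ones worth a panel of their own. The allow-list is the part that makes the metric meaningful: without a baseline per server, "port 8080 is listening" is just data, with one it is a finding.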



How much annual leave do you get? (US)

Asking for me.

I'm UK based, but will soon be marrying an American and then we will decide where to live. Returning to the US is a distinct possibility as she would like to be closer to her family.

We are weighing up what our quality of life could be and holidays are a major concern for her. She tells me they aren't really a thing in America.

I currently work within the network team of a UK university, I get 41 days paid holiday per year. This came up once in conversation with her father and he was pretty shocked.

It's worth noting that universities are public sector. If I went private, pay would be higher but my holidays would likely drop to around 28+ (28 being the legal minimum if you work 5 days a week full time).

Generally speaking, what's annual leave like in this sector in America?



[HELP] Setting Up WLAN with Login Credentials

Hello, is it possible to set up a home Wi-Fi to have multiple login accounts, instead of just using an SSID and its password? Similar to schools, where you are given an account and a password.



Wednesday, February 5, 2020

Learn About Cybersecurity And Computer Networking Through This Board Game

Computer Networking terminologies may be rather complex when it comes to educating the layman and especially kids on it. Came across this super dope way to break down the concepts into bite-size pieces via a board game. A really interesting concept brought to life. Definitely worth checking out. Here's the game.



Checkpoint Firewall HA Single Virtual MAC? (Does this exist???)

Hey Networking Experts,

I am looking at a couple of Checkpoint Firewalls in HA deployment, and maybe someone can illuminate whether this unique behavior is expected, or not expected, because it doesn't seem to make sense.

They share a single VIP (two CheckPoint Firewalls in HA), but don't appear to share a single Virtual MAC address, so when there is a failover, the (at the time) secondary has to send out a GARP for the new MAC address for their VIP. This is a completely different behavior from what I am accustomed to with FirePower Firewalls, which share both a single VIP and Virtual MAC.

Is the shared VIP with unique MAC addresses of the CheckPoint firewalls (after a failover) an expected behavior for these devices, or should they share both a VIP and a Virtual MAC like seen on Cisco firewalls?

Can they be configured to use a single Virtual MAC?

- Thanks Reddit Pro Team



PA-220 - High latency with AWS VPN?

/r/paloaltonetworks/comments/ezjsu6/vpn_slower_than_old_router/

How do ISPs enforce modem compatibility?

I was reading about purchasing a modem for use with my local ISP and noticed that they produce lists of compatible modem models.

How is this compatibility enforced, if at all? Is there some technical mechanism by which they could tell if I'm using an "unapproved" modem? Or, is this really just more of a marketing thing to ensure people don't blame their ISP for their bad hardware?

From what I previously understood, my ISP will just hand me a DHCP lease once I give them my MAC address over the phone. I looked a little bit into whether it's something with the DOCSIS standard, but Wikipedia claims that all versions are cross-compatible: https://en.wikipedia.org/wiki/DOCSIS#Versions

There are some vendor codes that you can pass in a DHCP request, but I'm not sure those would be used for identifying very specific models of hardware.

I thought I'd post this here instead of /r/homenetworking because I'm more interested from a technical standpoint about how the ISP could possibly enforce their approved lists. I'm a little surprised that I haven't been able to find anything about how they restrict modem types. A lot of people claim that you really need to get a "compatible" one, but I have no idea why.

I will likely be getting one on the compatibility list anyway, I just am really curious how they'd tell if I'm using a compatible one.

Thanks!



remote desktop control not working over VPN on the router (different networks)

Hi, I have 1 PC with Windows 10 on it and another with Ubuntu. The one with Ubuntu is connected directly to a router with ExpressVPN on the router and no Wi-Fi. So now, I try to connect via RDP from my Windows machine (which is connected to Wi-Fi) to Ubuntu (which is connected directly to the VPN router) and it doesn't work; it gives me an error saying that the PC cannot be found, etc. Now, when I connect the Ubuntu PC to Wi-Fi, the RDP works fine and the IP address to which I connect changes. Is there any solution to it, as to why I can't connect to a PC that is connected to a router with VPN?

Just to be more clear: the main router is connected to the modem; the 2nd router (with ExpressVPN on it) is connected to the main router via Ethernet.

The Ubuntu machine is connected to the ExpressVPN router.

The Windows machine is connected to the main router.

Both have an internet connection and no lag whatsoever.

I tried to ping the other system from my Windows PC and it didn't work.



Getting Into Consulting/Contracting

So I've been toying around with the idea of doing some side projects/freelance work and eventually doing consulting full time. At the moment I work full time for a medium sized enterprise and would be doing this on my off time.

For those of you who are doing this now, how did you find your clients? I don't know many business owners so word of mouth is out of the question. Also, do you feel like the pay is more lucrative and employment more stable? Any gotchas?



System for managing thousands of small distributed networks?

This is mostly an exploration into whether such a system exists for our need. We have hundreds, soon to be low thousands, of small residential networks that we'd like to have some sort of central control over. We aren't looking to link all of them together, but we would like a way to manage WiFi network settings and possibly some routing/protocol settings (mainly blocking things like Bittorrent) at each location in a centralized and organized fashion.

Each location only needs to have a residential-quality small network; nothing more than a standard wifi + router combo is needed. Is there any system out there from the big networking companies that's designed to manage a large fleet of small networks?

My mind initially went to Ubiquiti, but I don't think their Cloudkey system is up to the task. Even if we ran it on a big AWS instance I don't think I'd fully trust it; I've seen some flaky behavior from them before and I wouldn't want to put all of this infrastructure under that single point of failure.

We already use Rently to manage some devices at our locations and that has worked pretty well for us; their API integration lets us do things like control smart locks programmatically, and I'd love to see something like that for this use case.

Any tips on where to look for something like this?



What's the most horrific flat network you've seen in real life?

Yes, this is for a homework assignment (sort of, it's a graduation project). No, I don't want anyone to do the work for me. Please don't delete.

The capstone/graduation project is preferentially a real project done at your real work. I work for a big bank, change management makes ancient Sparta look liberal and laid back, so that's not happening. Making something up is an option, but they want it to be 'indistinguishable' from a real project in the deliverables you end up with.

I know what I want to do: Design a campus network from the ground up. For their purposes, it'll be a brownfield deployment replacing a flat, poorly segmented college campus network with a proper hierarchical, modular network just like the Good Book CVD documents say they should be.

In the interests of keeping things 'real', though...how often are badly designed, mostly layer 2, nightmare networks still a thing you run across anymore? I had something to the vague effect of this simplistic layer 2 ring in mind, with each switch in its own building, a couple vlans stretched across the campus and IVR done really inefficiently RoaS style from a data center in the campus 'main building' basement.

Is that realistic? Ever seen anything like this in real deployment? Ever seen anything worse? What were some of the symptoms of the poor performance you saw on your monitoring tools/complaints from endusers if you did? What were some of the consequences you saw in networks like this one/worse than this one?

I can imagine some problems (wasted bandwidth from STP blocking one direction in the ring, poor STP failover time, easily saturating links for inter-VLAN traffic that has to hairpin up to the router and back out, lack of redundancy, etc), but I was interested in hearing about real world experience because my current professional experience is in telephony, not directly in the networking world yet.

Any war stories in this genre anyone would like to share?



SFP and port speed interplay (Layer 1 question)

I have a 100Gb port with a 40Gb QSFP+ module in the slot. The output on the switch indicates support for partitioning modes of 1x40Gb or 4x10Gb. If I specify 4x10Gb as partitioning mode, but don't use a breakout cable to accomplish "true" 4x10Gb, and instead just connect the fiber directly into the module, will the port function at 10Gb? or not at all?



Cisco 9400 - Link Flaps/Drops getting logs and alarms

I configured logging on a new Cisco 9410 (v16.9) precisely like the Cisco 4510 switch. Hundreds of PCs, printers, etc. which on a daily basis turn off and on, SCCM maintenance updates, blah blah blah. It makes sense not to get these logs locally and on Prime; if not, my poor Cisco Prime server would've been fried.

Not sure why I'm getting logs sent to my Switch and Prime. If I have it identical to the rest of my 4500s? is there a different behavior on the 9400 for logging? 0-7? something missing?

Cisco 9410

Feb 5 11:31:15.105: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/10, changed state to up

Feb 5 11:31:15.607: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/14, changed state to up

Feb 5 11:31:16.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/10, changed state to up

Feb 5 11:31:16.352: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/24, changed state to up

Feb 5 11:31:17.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/24, changed state to up

Feb 5 11:31:18.512: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/19, changed state to up

Feb 5 11:31:19.412: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/29, changed state to up

Feb 5 11:31:19.512: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/19, changed state to up

Feb 5 11:31:20.412: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/29, changed state to up

Cisco 4500

Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

Console logging: level critical, 0 messages logged, xml disabled,

filtering disabled

Monitor logging: level critical, 0 messages logged, xml disabled,

filtering disabled

Buffer logging: level notifications, 415949 messages logged, xml disabled,

filtering disabled

Exception Logging: size (8192 bytes)

Count and timestamp logging messages: disabled

Persistent logging: disabled

No active filter modules.

Trap logging: level warnings, 415840 message lines logged

Logging to 1.1.1.1 (udp port 514, audit disabled,

Cisco 4500 is not generating any logs or Prime alarms even though you see flaps.

DTP information for GigabitEthernet1/0/24:

TOS/TAS/TNS: ACCESS/OFF/ACCESS

TOT/TAT/TNT: 802.1Q/802.1Q/802.1Q

Neighbor address 1: 000000000000

Neighbor address 2: 000000000000

Hello timer expiration (sec/state): never/STOPPED

Access timer expiration (sec/state): never/STOPPED

Negotiation timer expiration (sec/state): never/STOPPED

Multidrop timer expiration (sec/state): never/STOPPED

FSM state: S1:OFF

# times multi & trunk 0

Enabled: no

In STP: no

Statistics

0 packets received (0 good)

0 packets dropped

0 nonegotiate, 0 bad version, 0 domain mismatches,

0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other

0 packets output (0 good)

0 native, 0 software encap isl, 0 isl hardware native

0 output errors

0 trunk timeouts

0 link ups

119 link downs, last link down on Wed Feb 05 2020, 06:30:57
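The post's worry is log volume from ordinary host reboots drowning out the flaps that matter. Whatever the logging-level answer turns out to be, a small detection step over the syslog feed separates the two, and this is it as an added example (not the original poster's code or config): parse the `%LINK-3-UPDOWN` lines in the format quoted above, count transitions per interface, and report only interfaces that cross a threshold inside a time window. The year, window, threshold and the extra "down" lines for GigabitEthernet1/0/10 are constructed (the post's own lines are all "up" events); `%LINEPROTO` lines are ignored so each physical flap is counted once.

```python
"""Flag link-flapping interfaces from IOS syslog lines. Added example for this
thread, not from the original post. Message format is the one quoted in the
thread; the year, window, threshold and the 'down' lines are constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# %LINK-3-UPDOWN and %LINEPROTO-5-UPDOWN share the same tail; LINEPROTO adds "Line protocol on "
UPDOWN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<facility>LINK|LINEPROTO)-\d-UPDOWN: (?:Line protocol on )?"
    r"Interface (?P<ifname>\S+), changed state to (?P<state>up|down)$"
)


def parse_updown(line: str, year: int):
    """Return (timestamp, facility, interface, state) or None for non-matching lines.
    IOS timestamps carry no year, so the caller supplies it."""
    m = UPDOWN_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
    return ts, m["facility"], m["ifname"], m["state"]


def link_events(lines, year: int, facility: str = "LINK"):
    """Group transition timestamps per interface, keeping only one facility."""
    events: dict[str, list[datetime]] = defaultdict(list)
    for line in lines:
        parsed = parse_updown(line, year)
        if parsed and parsed[1] == facility:
            events[parsed[2]].append(parsed[0])
    return events


def transition_counts(lines, year: int = 2020) -> dict[str, int]:
    """Total %LINK transitions per interface over the whole input."""
    return {ifname: len(stamps) for ifname, stamps in link_events(lines, year).items()}


def flapping_interfaces(lines, year: int = 2020, window=timedelta(minutes=5),
                        threshold: int = 3) -> dict[str, int]:
    """Interfaces with more than `threshold` %LINK transitions inside any
    `window`-long span; value is the peak count seen in such a span."""
    offenders = {}
    for ifname, stamps in link_events(lines, year).items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            offenders[ifname] = best
    return offenders


# Lines quoted in the post, followed by constructed down/up pairs for Gi1/0/10.
SAMPLE_LINES = [
    "Feb 5 11:31:15.105: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/10, changed state to up",
    "Feb 5 11:31:15.607: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/14, changed state to up",
    "Feb 5 11:31:16.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/10, changed state to up",
    "Feb 5 11:31:16.352: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/24, changed state to up",
    "Feb 5 11:31:18.512: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/19, changed state to up",
    "Feb 5 11:31:19.412: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/29, changed state to up",
    # constructed: the same port bouncing four more times in under three minutes
    "Feb 5 11:32:02.001: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/10, changed state to down",
    "Feb 5 11:32:40.220: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/10, changed state to up",
    "Feb 5 11:33:15.900: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/10, changed state to down",
    "Feb 5 11:34:01.333: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/10, changed state to up",
]

if __name__ == "__main__":
    print(transition_counts(SAMPLE_LINES))
    print(flapping_interfaces(SAMPLE_LINES))
```

A single reboot produces one down/up pair and never trips the threshold; a bad patch cable or a failing PSU on a PC does. Feeding the syslog collector's output through something like this (or the equivalent rule in whatever SIEM/NMS is in use) keeps the alarms that matter even if the switch keeps emitting every transition.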



Migrating from Cisco vWLC to vWLC

Hi ladies and gents, I am a bit lost, but hoping you guys can help at least point me in the right direction. My company is going through upgrading our virtual WLCs to a much larger virtual appliance. This is because we are running 3 vWLCs so we have an N+1 environment. The WLCs can only hold a certain amount of APs, and we can't upgrade them to hold larger amounts. So, we are upgrading and simplifying our setup. We are going to now be running 2 WLCs so we still have the N+1, but now we have 2.

This leads me to my question. We would like to literally move the configuration from the old one to the new one. I know we can pull the configuration and edit it, but is there any best practice that I should be aware of? Is there a specific migration process? Are there any pitfalls that I should be aware of?



TextFSM - Parsing of "show interfaces counter errors"

Hi all,

I'm quite new to TextFSM, and I'm trying to parse the output of the command "show interface counters errors". Here is a sample output of the command:

Port        Align-Err  FCS-Err   Xmit-Err  Rcv-Err  UnderSize  OutDiscards
Gi0/1               1        2         3        4          5            6
Gi0/2              11       12        13       14         15           16

Port      Single-Col Multi-Col  Late-Col Excess-Col Carri-Sen     Runts    Giants
Gi0/1             21        22        23         24        25        26        27
Gi0/2            211       222       233        244       255       266       277

What I would like, is this output when I parse the data:

['Gi0/1', '1', '2', '3', '4', '5', '6', '21', '22', '23', '24', '25', '26', '27']
['Gi0/2', '11', '12', '13', '14', '15', '16', '211', '222', '233', '244', '255', '266', '277']

The first template I wrote is this one:

Value PORT (\S+(/\d+)+)
Value ALIGNERR (\d+)
Value FCSERR (\d+)
Value XMITERR (\d+)
Value RCVERR (\d+)
Value UNDERSIZE (\d+)
Value OUTDISCARDS (\d+)
Value SINGLECOL (\d+)
Value MULTICOL (\d+)
Value LATECOL (\d+)
Value EXCESSCOL (\d+)
Value CARRISEN (\d+)
Value RUNTS (\d+)
Value GIANTS (\d+)

Start
  ^Port\s+Align-Err.*
  ^${PORT}\s+${ALIGNERR}\s+${FCSERR}\s+${XMITERR}\s+${RCVERR}\s+${UNDERSIZE}\s+${OUTDISCARDS} -> Continue
  ^Port\s+Single-Col.*
  ^\S+\s+${SINGLECOL}\s+${MULTICOL}\s+${LATECOL}\s+${EXCESSCOL}\s+${CARRISEN}\s+${RUNTS}\s+${GIANTS} -> Record

However, the output is not right:

['Gi0/1', '21', '22', '23', '24', '25', '26', '21', '22', '23', '24', '25', '26', '27']
['Gi0/2', '211', '222', '233', '244', '255', '266', '211', '222', '233', '244', '255', '266', '277']

I found a post on the forum giving a solution in pure Regex: TextFSM logic - Avoid capturing same data twice

When I adapt it to my needs, I have a match for what I need: https://regex101.com/r/DY0Meb/6

However, I'm unable to translate it in a TextFSM template, it fails. Here is my template:

Value PORT (\S+(/\d+)+)
Value ALIGNERR (\d+)
Value FCSERR (\d+)
Value XMITERR (\d+)
Value RCVERR (\d+)
Value UNDERSIZE (\d+)
Value OUTDISCARDS (\d+)
Value SINGLECOL (\d+)
Value MULTICOL (\d+)
Value LATECOL (\d+)
Value EXCESSCOL (\d+)
Value CARRISEN (\d+)
Value RUNTS (\d+)
Value GIANTS (\d+)

Start
  ^${PORT}\s+${ALIGNERR}\s+${FCSERR}\s+${XMITERR}\s+${RCVERR}\s+${UNDERSIZE}\s+${OUTDISCARDS}(?=.*\1\s+${SINGLECOL}\s+${MULTICOL}\s+${LATECOL}\s+${EXCESSCOL}\s+${CARRISEN}\s+${RUNTS}\s+${GIANTS}) -> Record

Any clues about how I can get the desired output ?

Any help would be very welcome :).

Thanks in advance !
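The wrong output in the first attempt is explained by the first rule having no `$` anchor: `^${PORT}\s+...\s+${OUTDISCARDS}` also matches the seven-column rows of the second table, so ALIGNERR through OUTDISCARDS get overwritten with 21..26 just before the Record fires. TextFSM emits one record per Record action and has no join across tables, so the usual approach is to merge the two tables by port name outside the template. As an added example (not the original poster's code, and deliberately plain Python rather than TextFSM so it runs without that library), this parser reads header rows beginning with `Port`, maps each data row onto the current header set, and merges both tables into one row per port; the sample text is the output quoted in the post.

```python
"""Merge the two stacked tables of 'show interfaces counters errors' into one
row per port. Added example for this thread, not the original poster's code;
plain Python instead of TextFSM. SAMPLE is the output quoted in the post."""
from __future__ import annotations

SAMPLE = """\
Port        Align-Err  FCS-Err   Xmit-Err  Rcv-Err  UnderSize  OutDiscards
Gi0/1               1        2         3        4          5            6
Gi0/2              11       12        13       14         15           16

Port      Single-Col Multi-Col  Late-Col Excess-Col Carri-Sen     Runts    Giants
Gi0/1             21        22        23         24        25        26        27
Gi0/2            211       222       233        244       255       266       277
"""


def parse_counter_errors(text: str) -> dict[str, dict[str, int]]:
    """Return {port: {column: value}} with the columns of both tables merged.
    Column order follows the order the tables appear in, which is what makes
    the flattened rows come out in the order the post wants."""
    ports: dict[str, dict[str, int]] = {}
    columns: list[str] = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if fields[0] == "Port":  # a header row starts a new table
            columns = fields[1:]
            continue
        if not columns or len(fields) != len(columns) + 1:
            raise ValueError(f"unexpected row: {raw!r}")
        port, values = fields[0], fields[1:]
        ports.setdefault(port, {}).update(zip(columns, map(int, values)))
    return ports


def as_rows(parsed: dict[str, dict[str, int]]) -> list[list[str]]:
    """Flatten to the list-of-lists shape asked for in the post (strings, port first)."""
    return [[port, *map(str, cols.values())] for port, cols in parsed.items()]


def ports_with_errors(parsed: dict[str, dict[str, int]], ignore=("OutDiscards",)) -> list[str]:
    """Ports where any counter other than the ignored ones is non-zero; the
    quick check an operator actually wants from this command."""
    return [p for p, cols in parsed.items()
            if any(v for k, v in cols.items() if k not in ignore)]


if __name__ == "__main__":
    for row in as_rows(parse_counter_errors(SAMPLE)):
        print(row)
```

Because the merge is keyed on the port name, a port that appears in only one table (or tables in a different order on another platform) still produces a single row with whatever columns were present, and a row whose field count does not match its header raises rather than silently mis-aligning counters.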



Hustlers University by Andrew Tate

Hello, I have the latest and maybe one of the best and most practical business courses released last few years. It's by Andrew Tate, with content about 7-8 hours and included updates when available. If you are interested DM me.



IOS XE ASR1001-X Ansible/Netconf identityref error

Hello, I have an ASR1001-X running XE 16.9.4. I am working on an ansible playbook to make certain configuration changes using netconf and yang. It works just fine against a CSR1000v running 16.9.4, but when I try the ASR1001-X I get the error below. Even trying a simple get-config produces the same error. I can ssh to the command line of the router just fine, i can also retrieve the capabilities as well. Any ideas?

The full traceback is:
  File "/tmp/ansible_netconf_get_payload_tvs6bfsr/ansible_netconf_get_payload.zip/ansible/module_utils/network/netconf/netconf.py", line 86, in get_config
    response = conn.get_config(source=source, filter=filter)
  File "/tmp/ansible_netconf_get_payload_tvs6bfsr/ansible_netconf_get_payload.zip/ansible/module_utils/network/common/netconf.py", line 76, in __rpc__
    return self.parse_rpc_error(to_bytes(rpc_error, errors='surrogate_then_replace'))
  File "/tmp/ansible_netconf_get_payload_tvs6bfsr/ansible_netconf_get_payload.zip/ansible/module_utils/network/common/netconf.py", line 108, in parse_rpc_error
    raise ConnectionError(rpc_error)
fatal: [rtr01]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "display": null,
            "filter": null,
            "lock": "never",
            "source": "running"
        }
    },
    "msg": "b'error: expected type identityref, got boolean.\\nerror: expected type identityref, got boolean.'"
}


AT&T gave me the network address as my gateway address

Just switched over to AT&T Business and the IP address they gave me for the gateway is the network address. The Internet connection works, but my router doesn't like it at all and is throwing errors about invalid gateway address. I have been having issues with my client VPN connections refusing connection and I want to rule this out as the reason. I have an open ticket with AT&T about this. Has anyone else encountered this and if so, are you having any issues with VPN connectivity for your clients?



2x100G Data Center Interconnects

Toying with the idea of purchasing 2X100G circuits between our data centers to use for multiple various circuits that connect in different places in the network and have different requirements. Thinking to land the 2x100G circuits to a pair of switches and then provision 10/25G ports off of those switches for different "circuits". Think of a poor man's WAN.

There are a couple of ways I can think of achieving what I'm looking for. Looking for other ideas or suggestions. Maybe it would be best to actually run some ONS if we want to do such a design. Any other ideas for more of a poor man's WAN, aside from just purchasing individual 10G circuits when the need arises?

-Simple VLANs - obvious spanning tree, blocking, wasted bandwidth

-MPLS L2VPN - seems overly complex for the need

-EVC



What do I lose doing MPLS/routing on a L3 switch vs a fully fledged router?

I'm looking for some advice. We have a private MPLS network built using point-to-point links. Routers are Cisco ISR 4000 series.

All links are currently <1Gb. I have a requirement to uplift this to 10Gb. Our standard is to go ASRs or ISRs. If I want >3 x 10Gb ports I would essentially be forced to get an ASR 1001-HX if I want to continue using routers.

My main question is: what is the main thing that would stop you doing MPLS on a Cisco Cat 9k? It has the port density I need, the throughput, and does VPNv4 and MPLS.

But I need to have the justification as to why we need routers vs L3 switches... What's the general gap between them here?



Can you use Ethernet and Wifi with same IP?

I keep a static IP on my Ethernet port and want to use my wifi as backup with the same IP (in case the Ethernet ever fails) on Windows 10 Pro. This is so clients can keep connecting as they are pointed towards that static IP. Is there a way of doing this?



Adapter and PoE adapter on Cisco AP

First of all I want to say hello everyone and this is my first time posting on this sub and sorry for any grammar mistakes.

The other day I had a job to check why one Cisco AP won't work. When I came there I noticed that the AP is getting power from a PoE adapter, and its "default" power adapter is also plugged in. Staff there told me it was working like that for the last couple of years. My question is who gets priority, PoE or the power adapter? I thought that doing that can damage your AP, or whatever you want to supply power to.



Tuesday, February 4, 2020

Deception Network

Hello Networking folks,

Can somebody share some resources on the working and deployment of deceptive networks? There are some companies like Attivo, Rapid7 etc. that have products for this, but they don't give much insight into the technology. What I know is that it is very much different from traditional honeypots.

It will be awesome if someone can share some primers for building deceptive networks.



Velocloud Repurpose Hardware?

My current employer has some Velocloud 520 appliances that were purchased as part of a pilot, but are no longer used/maintained.

Wondering if there is any possible way to repurpose these devices as fancy Linux boxes to use as network endpoints for testing/validation, there are a lot of ports so they would be great for testing multiple network segments at a branch site.

Anyone know if it is possible to reflash these boxes with a basic Linux image?



ZOC vs Serial on macOS

I want to get a terminal emulator that most importantly supports xmodem. If a IOS upgrade borks and I have to manually roll back, I want to be able to transfer files quickly and safely through xmodem on the router/switch console port.

In my research, I've come across Serial (https://apps.apple.com/us/app/serial/id877615577?mt=12) and ZOC (https://www.emtec.com/zoc/) However, both seem very similar in terms of positive reviews, feature sets, and updates.

I'm curious as to what everyone on /r/networking thinks. Thanks for advice given in advance!



23 yr old Sr. Network Engineer - AMA

Hi everyone. Always have wanted to do this type of thing. I'm a 23 year old Sr. Network Engineer in the midwest. I make close to $70k/yr. I find that rare to see (correct me if I'm just in my own bubble) so I figured/wanted to do an AMA



Miniature Router/Switch Models?

Odd question... but I wondered if anyone knew of anywhere that sold plastic or metal tiny models of switches and routers? Often times at my desk we'll be discussing a particular network and I thought it'd be neat to have a tiny little router and switches to mimic topologies.

If not, might have to think about getting something 3D Printed maybe



PSA: 25G SFP28 Twinax with Qlogic 41xxx NICs - Autonegotiation woes are back!

I wanted to put this out here for anyone who might have issues in the future. I spent too many hours today fighting with a Dell S5248F switch trying to uplink Dell R640 servers with QLogic 41262 NICs via twinax at 25Gb. Roughly 40% of the links failed to come up at 25Gb out of the box, with some ports randomly working occasionally. All interfaces came up when I forced the switchports to 10G mode only.

The fix was hard coding the QLogic NICs to 25G mode only via the NIC bios and setting the switchports to disable autonegotiation. It was a frustrating few hours trying to figure this one out. I'm sad to see autonegotiation issues making a comeback!



Cisco WLC to Aruba ClearPass guest network.

Hey Networking Pros,

Are any of you running a guest network on a Cisco WLC offloaded to an Aruba Clearpass web server?

I am talking about where the splash page is hosted by the Clearpass server, instead of it done locally on the WLC.

I have come across some unofficial documentation that states that this is usually done by means of simply configuring the WLC for External Webauth, as opposed to a Central Webauth as done with Cisco ISE.

Do you guys use in your own deployments Mac filtering with AAA override and CoA like when authenticating to an ISE server, or are you just doing it as external auth to the Clearpass web server?

Does the Clearpass server even support CoA?

Any help is appreciated. -Thanks



I'm going to let my Cisco certs expire

So I find myself in a predicament: any of the CCNP exams are ~$350 each where I am and I am finding it very hard to be bothered studying for it. The exam changes in a few weeks and my cert expires in a month. I'm 10 years now in the industry and I'm thinking it will be a good thing as I will stop focusing on Cisco and probably get a Juniper cert (considering 80% of my day is on Juniper). Just wondering if anyone has been in my shoes and either regretted letting their cert expire or used it as an opportunity to break free from Cisco and branch into other vendors / technologies.



using iperf3 for internal network speed testing

So I'm using iperf3 to do internal network speed testing from one client machine to a server.

These are the speeds I'm getting:

https://imgur.com/bGBIP9D

I'm not quite sure why; I'm on a 1 Gbps network. It's a Cisco 3850 stack with the latest and greatest software. I feel the speeds should be a lot faster.

Does that seem normal or am I reading it wrong?



Suggestions for standard 48U rack build / correct placement of rack mounted devices?

If I'm in the wrong sub please let me know!

Looking for a quick suggestion on what to do. I'm putting in a 48U rack that will be in a new server closet this weekend. It is open, no doors or sides or anything. The room will be locked at all times. I was just looking for suggestions as far as where to mount this equipment, in what order, spacing, etc., possibly from someone who mounts this stuff all the time. I don't want to have to move it again later! The rack will accommodate the following:

1 x Ubiquiti USG-4 (1U)

1 x Ubiquiti Cloud Key Gen 2 (with rack mount kit, 1U)

1 x 48-Port Ubiquiti PoE switch (750W, 1U)

1 x 48-Port Ubiquiti switch (1U)

1 x HP Blade server (PBX, 2U)

1 x HP Blade server (1U)

1 x HP Tower server (on shelf, sideways maybe? ML310 Gen8 v2, 4U if sideways I think)

1 x Comcast Gateway Modem (on shelf, sideways, 2U I think)

1 x Adtran Router from telcom company (1U)

1 x Battery Backup UPS (2U)

1 x Power Distribution Unit (1U)

That's it. The problem is that the patch panels for about 130 CAT6 drops were punched down into a wall-mounted rack that's about 6' off the ground. It is on the right-hand side wall all the way at the back, sticking out from the wall right near the back wall by about 1'. The wiring guys had to mount it to something while we were waiting for floors to be put in the office so I could build the rack. The server room is relatively small, probably 4' wide max by about 6' deep. Because the patch panels are already mounted on the back right-hand side wall, there is enough room for the rack to slide in to the left of it; however, I will have to run 5' or 6' network patch cables from the mounted patch panels through the back of this rack into my switches. Do I mount the switches on the back side of the rack facing the back wall? This makes for easier patch cable management, shorter cables, etc., but will be a pain for me to see anything at a glance and get to in the future. Also, do I mount my servers starting at the bottom (right on top of the UPS)? Do I put 1U spaces between these devices? Does the power distribution unit go in the middle? Bottom?

If anyone can throw me some quick advice to make things easy for me in the future to work on that would be great. I will purchase any shelves I need to prior to installation.



Network scripting

So I was thinking about experimenting with netmiko, but netmiko does not support telnet?

Don't worry, we only use telnet on air-gapped networks and only if we have to.

But is there a netmiko alternative that supports telnet? Hopefully one with lots of examples.



Is there any reason to have a VLAN untagged on a port that is tagged with other VLANs

Working with HPE switches.

I'm a bit confused on using "untagged" on a port used for interconnecting to another switch.

I need to tag/allow all vlans on a port, why would I leave a VLAN untagged?

My switch-to-switch connections should have all VLANs tagged, so why does it allow me to have an untagged VLAN?

Thanks



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Tasked with the demo of large amounts of fiber. Unsure of safety.

I'm working in a data center, and have been tasked with demoing large amounts of fiber (over 100 trunks of OM3/OM4 that are hundreds of feet long). This would be something they would hire a vendor for in the past, but it is now falling on us in house.

Cutting the fiber trunks into manageable pieces for disposal seems like the way to go, but I'm worried about airborne glass, plus the fact that some of the fiber is wrapped in metal conduit.

Anyone have experience or safety tips doing a project like this? It's completely out of my field of expertise, so I have no idea where to begin.



NIPAP question: If run on a virtual server, how much resources to ask for (RAM and HDD space)?

I looked at the install guide but there was no info. I plan to install NIPAP on Ubuntu and need to request a VS. They usually ask how much resources you need. Can anyone say what is recommended to run Ubuntu or Debian and NIPAP with enough to spare for future proofing?



Cat 4500 Issue

Feel free to call me crazy - We just lost ~7 4506 switches at the same time. They have nothing in common except a connection to the same bgp core (via multiple hops). BGP Core shows healthy, no events. We have not lost anything except 4500 series switches. I'm thinking some type of platform issue, but am questioning my sanity at this point. TAC Cases open. Thoughts?



We finally convinced the owner of the ISP I work for to upgrade to an Alcatel (Nokia) 7750 SR-12 and I need help desperately

I have tried contacting Nokia directly to set up a service contract, I have tried rep after rep, no one will call us back, and we've tried since OCTOBER. We NEED a current (19.10.R2) release of SR OS, or he's going to make us send it back. Contact me via DM if you need to, but I need help.



Just recently earned my CCNP! What types of jobs should I be shooting for with 1 year of Enterprise Network experience as a jr. engineer + the CCNP r/S?

Not sure if this breaks rule #5 (Apologies if it does!) since I'm already in the Networking field, just want to see what the best progression strategy would be.

Thanks!



Does anyone know in which RFC HTTPS is standardized?

I have an assignment in my computer network class, which includes this question, but can't find the answer anywhere, any help is appreciated!



Slow file transfer over OpenVPN

Hi all!

Scenario: We have 2 site-to-site VPN connections between HQ and the DC, 1 VPN connection for the new environment and 1 connection for the old one. This setup is made for migrating the infrastructure from the old LAN behind the old firewall (Fortigate) to the new LAN behind the new firewall cluster (OPNsense). The new VPN connection is set up with OpenVPN and the old one is set up with IPsec (IKEv2).

Problem: File transfer (SMB) over the IPSec connection is always 4 times faster than over the OpenVPN connection.

Question: Is it known that SMB is by definition slower over OpenVPN than over IPsec? Is there a best practice regarding encryption configuration for the OpenVPN connection? Is this different per CPU type / model?



Could you guys help me with my FYP (final year project)? I need it for my third year. Could you suggest some easy (or hard, I don't really care) but epic ideas? If you need any information about me, ask in the comments.


Am I configuring this Firewall Filter/ACL correctly?

I have a site-to-site VPN configured. Traffic comes in on my secure tunnel interface and goes out the WAN interface. However, I want to block specific traffic to an Azure storage account. I cannot get this access list to work; can anyone point out what I am doing wrong?

A little info,

WAN interface is ge-0/0/0

Interface ge-0/0/1 is my LAN

Interface ST0.0 is my VPN tunnel

Firewall filter Configuration

aabdulr2@SRXLab# show firewall
family inet {
    filter Block-AZStorage {
        term 100 {
            from {
                destination-address {
                    52.239.152.0/22;
                }
            }
            then {
                reject;
            }
        }
        term 101 {
            from {
                destination-address {
                    0.0.0.0/0;
                }
            }
            then accept;
        }
    }
}

Interface Configuration

aabdulr2@SRXLab# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            filter {
                input Block-AZStorage;
            }
            dhcp {
                update-server;
            }
        }
    }
}
ge-0/0/1 {
    unit 0 {
        family inet {
            address 192.168.0.1/24;
        }
    }
}
st0 {
    unit 0 {
        family inet;
    }
}
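An added example, not from the original post, showing where the same filter has to sit for this traffic flow. A Junos stateless filter applied as `input` on ge-0/0/0 only sees packets arriving on the WAN from the Internet; packets from the VPN arrive on st0.0 and leave through ge-0/0/0, so the filter as attached above never sees them. The two placements that do see them are `input` on st0.0 or `output` on ge-0/0/0. The second option is a stateful security policy, which is the usual way to block a flow on an SRX and also gives you session logs. Lines beginning with `#` are annotations, not CLI input; the zone names `vpn` and `untrust` and the existing permit policy name `permit-all` are assumptions about this lab and must be replaced with the real ones.

```junos
# Option 1: keep the stateless filter, but attach it where the VPN traffic is
# actually seen. A counter is added so "show firewall" proves the term matches.
set firewall family inet filter Block-AZStorage term 100 from destination-address 52.239.152.0/22
set firewall family inet filter Block-AZStorage term 100 then count az-storage-hits
set firewall family inet filter Block-AZStorage term 100 then reject
set firewall family inet filter Block-AZStorage term 101 then accept
delete interfaces ge-0/0/0 unit 0 family inet filter input Block-AZStorage
set interfaces st0 unit 0 family inet filter input Block-AZStorage
# Equivalent placement for this flow, if you prefer to filter on egress:
# set interfaces ge-0/0/0 unit 0 family inet filter output Block-AZStorage

# Option 2: stateful security policy (zone names "vpn" for st0.0 and "untrust"
# for ge-0/0/0 are assumed). Logged, and ordered ahead of the existing permit.
set security address-book global address AZ-Storage 52.239.152.0/22
set security policies from-zone vpn to-zone untrust policy deny-az-storage match source-address any
set security policies from-zone vpn to-zone untrust policy deny-az-storage match destination-address AZ-Storage
set security policies from-zone vpn to-zone untrust policy deny-az-storage match application any
set security policies from-zone vpn to-zone untrust policy deny-az-storage then deny
set security policies from-zone vpn to-zone untrust policy deny-az-storage then log session-init
# The permit policy name "permit-all" is assumed; use whatever currently allows vpn -> untrust.
insert security policies from-zone vpn to-zone untrust policy deny-az-storage before policy permit-all
commit

# Verification: the counter increments for option 1; no session appears for option 2.
show firewall filter Block-AZStorage
show security flow session destination-prefix 52.239.152.0/22
```

Note that `reject` on the st0.0 input filter sends an ICMP unreachable back through the tunnel to the client, which is convenient for troubleshooting; `discard` drops silently. The security policy is preferable on a stateful box because existing sessions are also torn down and the deny shows up in the session log rather than only in a counter.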



Parsing output from parse genie - ansible

Hi all, I'm looking for some assistance parsing some output I'm getting from the parse genie module for Cisco. Please see my playbook below.

---
- name: Show interfaces
  hosts: switches
  gather_facts: no
  connection: local
  debugger: on_failed

  vars_prompt:
    - name: "mgmt_username"
      prompt: "Username"
      private: no
    - name: "mgmt_password"
      prompt: "Password"

  tasks:

    - name: include parse genie role
      include_role:
        name: clay584.parse_genie

    - name: define provider
      set_fact:
        provider:
          host: "{{ inventory_hostname }}"   # assumed; use whatever your inventory provides
          username: "{{ mgmt_username }}"
          password: "{{ mgmt_password }}"

    - name: show interfaces
      ios_command:
        provider: "{{ provider }}"
        commands: show interfaces description | ex SWAW
      register: interface_description

    - name: set facts on interface_description
      set_fact:
        # parse_genie filter comes from the clay584.parse_genie role included above
        genie1: "{{ interface_description['stdout'][0] | parse_genie(command='show interfaces description', os='ios') }}"

My output looks like this

ok: [10.189.11.81] => {
    "msg": {
        "interfaces": {
            "Ap1/0/1": {
                "description": "",
                "protocol": "up",
                "status": "up"
            },
            "FortyGigabitEthernet1/1/1": {
                "description": "",
                "protocol": "down",
                "status": "down"
            },
            "FortyGigabitEthernet1/1/2": {
                "description": "",
                "protocol": "down",
                "status": "down"
            },
            "GigabitEthernet0/0": {
                "description": "",
                "protocol": "up",
                "status": "up"
            },
            "GigabitEthernet1/0/1": {
                "description": "",
                "protocol": "down",
                "status": "down"
            },
            "GigabitEthernet1/0/10": {
                "description": "< TEST-ACCESS >",
                "protocol": "down",
                "status": "down"
            },

I'm looking to just grab interface names such as "GigabitEthernet1/0/1" in my output so I can loop them into another task to make changes to those ports. Any thoughts on how to properly do that?
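An added example, not part of the original post, of the selection logic in plain Python so the result can be checked against the structure genie returns before it is wired into a playbook. The sample dict is constructed from the interface names shown in the output above. The `unused_ports` helper is my own addition: down ports with no description are the ones worth shutting and parking in an unused VLAN.

```python
"""Select interface names from the dict that parse_genie returns for
'show interfaces description', so they can be looped into a follow-up task."""
import re
from typing import Dict, List, Optional

# Constructed sample in the shape shown in the post (keys copied from that
# output; it is not the real device's full data).
SAMPLE = {
    "interfaces": {
        "Ap1/0/1": {"description": "", "protocol": "up", "status": "up"},
        "FortyGigabitEthernet1/1/1": {"description": "", "protocol": "down", "status": "down"},
        "FortyGigabitEthernet1/1/2": {"description": "", "protocol": "down", "status": "down"},
        "GigabitEthernet0/0": {"description": "", "protocol": "up", "status": "up"},
        "GigabitEthernet1/0/1": {"description": "", "protocol": "down", "status": "down"},
        "GigabitEthernet1/0/10": {"description": "< TEST-ACCESS >", "protocol": "down", "status": "down"},
    }
}


def _natural_key(name: str):
    # Split digits out so GigabitEthernet1/0/2 sorts before GigabitEthernet1/0/10.
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.split(r"(\d+)", name)]


def select_interfaces(parsed: Dict, *, status: Optional[str] = None,
                      protocol: Optional[str] = None,
                      name_re: Optional[str] = None,
                      description_re: Optional[str] = None) -> List[str]:
    """Return interface names matching every given criterion, in natural order."""
    names = []
    for name, attrs in parsed.get("interfaces", {}).items():
        if status is not None and attrs.get("status") != status:
            continue
        if protocol is not None and attrs.get("protocol") != protocol:
            continue
        if name_re is not None and not re.match(name_re, name):
            continue
        if description_re is not None and not re.search(description_re, attrs.get("description", "")):
            continue
        names.append(name)
    return sorted(names, key=_natural_key)


def unused_ports(parsed: Dict, name_re: str = r"^(Gigabit|FortyGigabit)Ethernet") -> List[str]:
    """Physical ports that are down and carry no description: the usual
    candidates for 'shutdown' plus a parking VLAN before someone plugs in."""
    return [n for n in select_interfaces(parsed, status="down", name_re=name_re)
            if not parsed["interfaces"][n].get("description", "").strip()]


if __name__ == "__main__":
    print(select_interfaces(SAMPLE, status="down", name_re=r"^GigabitEthernet"))
    print(unused_ports(SAMPLE))
```

Inside the playbook the same selection as `select_interfaces(..., status='down', name_re='^GigabitEthernet')` can be done without leaving Jinja2: `down_ports: "{{ genie1.interfaces | dict2items | selectattr('value.status', 'equalto', 'down') | map(attribute='key') | select('match', '^GigabitEthernet') | list }}"` in a `set_fact`, then `loop: "{{ down_ports }}"` in the task that reconfigures them.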



VRFs and the CAM table on layer3 switches

okay here's an interesting question (I think).

If you have a layer 3 switch which has multiple VRF customers. Two of the VRF customers are operating firewalls in an HA setup using VRRP and are using the standard VRRP virtual MAC address.

Now on the layer 3 side of things that's fine. show arp is specific to each VRF: 'show arp vrf customer1'.

What isn't separated, however, would be the CAM table. If I do 'show arp vrf Customer1' and 'show arp vrf customer2' they each show the correct MAC address, which is the standard virtual MAC and therefore the same.

Now surely at a point the layer 3 switch will use the CAM table instead to forward the frame, and as the MAC address is shared it will have two entries going out of two separate ports.

How does the layer 3 switch distinguish which MAC belongs to which at the layer 2 level?

I have this scenario at the moment and neither customer is having issues, but I'm scratching my head as to how both their firewalls are not receiving traffic not intended for them.

I've asked them to change the VRRP MAC to a non-standard MAC just in case.

Thanks
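An added example, not from the original post, to make the layer 2 side concrete. With independent VLAN learning (the default on Cisco and most other switches) the MAC table is keyed by VLAN and MAC, not MAC alone, and each VRF's customer-facing interface sits in its own VLAN, so the two copies of 00:00:5e:00:01:01 are two distinct entries. The toy bridge below is mine; VLAN numbers, port names and VRID 1 are constructed, and the `FlatBridgeTable` variant shows what would happen if the table really were keyed by MAC alone.

```python
"""Toy learning bridge keyed by (VLAN, MAC) to show why two VRF customers can
both use the same VRRP virtual MAC on one L3 switch."""
from typing import Dict, Optional, Set, Tuple

# Standard VRRP IPv4 virtual MAC for VRID 1 (00-00-5E-00-01-{VRID}, RFC 5798).
VRRP_VMAC = "00:00:5e:00:01:01"
# VRRP advertisements go to 224.0.0.18, which maps to this multicast MAC.
VRRP_ADVERT_DST = "01:00:5e:00:00:12"


class BridgeTable:
    """MAC table with independent VLAN learning: lookups are (vlan, mac) -> port."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[int, str], str] = {}

    def forward(self, vlan: int, src: str, dst: str, in_port: str,
                vlan_ports: Set[str]) -> Set[str]:
        """Learn src on in_port, then return the egress port(s) for dst.
        Unknown destinations flood within the VLAN only."""
        self.entries[(vlan, src)] = in_port
        out = self.entries.get((vlan, dst))
        if out is None or out == in_port:
            return vlan_ports - {in_port}
        return {out}

    def lookup(self, vlan: int, mac: str) -> Optional[str]:
        return self.entries.get((vlan, mac))


class FlatBridgeTable(BridgeTable):
    """The failure mode the post worries about: a table keyed by MAC alone."""

    def forward(self, vlan, src, dst, in_port, vlan_ports):
        self.entries[(0, src)] = in_port          # VLAN ignored: last learn wins
        out = self.entries.get((0, dst))
        if out is None or out == in_port:
            return vlan_ports - {in_port}
        return {out}

    def lookup(self, vlan, mac):
        return self.entries.get((0, mac))


def simulate(table: BridgeTable) -> Dict[str, Optional[str]]:
    """Customer1 is VLAN 10 on Gi1/Gi2, customer2 is VLAN 20 on Gi5/Gi6 (constructed).
    Each customer's VRRP master advertises from the shared virtual MAC; the switch's
    own SVI in each VRF then resolves that MAC to a port per VLAN."""
    c1_ports, c2_ports = {"Gi1", "Gi2", "cpu"}, {"Gi5", "Gi6", "cpu"}
    # VRRP advertisements from each customer's master firewall.
    table.forward(10, VRRP_VMAC, VRRP_ADVERT_DST, "Gi1", c1_ports)
    table.forward(20, VRRP_VMAC, VRRP_ADVERT_DST, "Gi5", c2_ports)
    return {
        "customer1": table.lookup(10, VRRP_VMAC),
        "customer2": table.lookup(20, VRRP_VMAC),
    }


if __name__ == "__main__":
    print("per-VLAN table:", simulate(BridgeTable()))
    print("flat table:   ", simulate(FlatBridgeTable()))
```

The real check on a Cisco box is `show mac address-table address 0000.5e00.0101`, which lists one line per VLAN. If the two customers were ever placed in the same VLAN (or on a platform with shared VLAN learning) the entry would flap between ports exactly as the flat variant shows, and the non-standard MAC the post asks for becomes necessary.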



Reset Cisco ASIC drop counters?

Does anybody know if you can reset the counters for this command?

show platform port-asic stats drop

Using it on a cisco WS-C2960X-48FPS-L.

It seems that the switch keeps the drop counter even if you use: clear counters

I would like to reset the ASIC drop counters on the switch, is it even possible?



NetDB alternative

Hi,

We are using NetDB almost daily but the latest version dates from 2017.

What is a good alternative for this tool ?

Regards,

S



[HELP] 20GHz & 60GHz WIFI Router

Hello, I think this is the right place for posting this.

Recently I got an IgniteNet MetroLinq™ 5 LW router and I have to place it on top of a tower, so my question is, at which frequency will it cover the longest distance?

I need to get it as far as possible.

I'm a noob, so don't hate me for this!



IPv6 DS-lite. CPE can only be IPv6 on the WAN side???

Hello

We are testing DS-Lite and, as per my understanding, the CPE can only be IPv6 stack and should not be IPv4 stack or dual stack?? At the same time, the CPE is provided the AFTR URL. The CPE tunnels end users' IPv4 traffic in IPv6 to the AFTR.

Also has anyone used linksys velop for DS-lite deployment? If yes, what has been the experience like?

Thank you



Strange drop in LDP over port

Hey guys,

Wondering if you could assist.

I am frequently seeing a drop in LDP adjacency between two 6500 devices. OSPF is also running over this link as well, but this remains active and doesn't drop. There is a small spike in CPU during the drop, but the CPU has been much larger than this and not caused a drop previously, so I think the CPU increase is a red herring. No errors on the interface, no saturation either.

Have any of you seen this before? LDP dropping over the link, but not the IGP.



Monday, February 3, 2020

cucm sip trunk

Hello,

I am trying to configure a SIP trunk that points to a cluster of call managers. In other words, I want to configure the SIP trunk so that if the pub call manager is down, it will automatically connect to the sub, knowing that on one side I have one call manager while on the other side I have two call managers.

any help please.

thank you.



Finding ILEC in a specific area?

Hi All,

Basic question here: Is there a way I can find out who the ILEC is in a given area? I've looked online and it doesn't seem there is a clear cut way to do so.

Any info helps. Thanks everyone!



To manage or not to manage.

So as many of us do, I got called by a recruiter a few weeks back seeking my time to talk over a role. Typically I dismiss these calls as I'm generally quite happy with where I am work-wise. I get to work remote pretty much all the time and have a TON of freedom around my daily schedule due to the nature of what I'm doing, writing automation for networking.

The recruiter, like most, tries to find an angle to get 5 minutes to talk. His angle of choice was what dollar amount would make it worth 5 minutes. I of course threw out an amount that is in the upper third of what the job in question pays for my area. He says that's doable and the client would have no issue paying that for the role.

After talking a bit I discover the role is in fact an operations manager role for a global team. They seem to be a good company with very positive responses to questions about the business. I'm not relying solely on folks in the interview process but also folks I can find through some OSINT to talk with, outside the IT world and in it.

So now the ultimate choice on whether to move to the dark side and become a manager or stay an engineer. The manager role is about 50/50 technical hands on when needed along with managing. So I will not totally get out of the trenches so to speak. At 20+ years in the game I've pretty much climbed to the top of the engineer/ architect side of things, there really isn't much more upward movement at this time. Which of course translates to not many big pay bumps as well, not that what I get paid now isn't great for the area either.

Choices choices choices.....



Question on implementing Vlans

HI all!

I have a sonicwall nsa 2650 with port 1 to our Comcast modem, port 2 as gateway for staff network x.x.0.1/24, port 3 as gateway for public WiFi x.x.99.1/24, and port 4 for gateway for a few public use computers we have in our lobby x.x.50.1/24

I have 5x TP-Link 48-port managed switches that our endpoints connect to, with an 8-port PoE switch with 8x Ubiquiti nano-HD WAPs connected to it.

I’m wanting to implement 4 vlans, 100 for staff, 200 for public access PCs, 300 for WiFi, and 400 for a future credit card reader.

My understanding of vlans would be to set each port for whatever device plugs into it for each network as Untagged for the corresponding vlan (ports with staff machines untagged 100, public PCs untagged 200, WiFi untagged 300 etc)

I then set the port that connects to the next tplink switch (typically port 48) as tagged to act as a “trunk” correct?

Is there anything I’m missing with this? This will be my first implementation of vlans.

Appreciate it!

TLDR: am i correct to assume i UNTAG all ports connected to each "group" of endpoint devices, and TAG the "trunk" ports the connect the managed switches?

Thanks!



Help Connecting Server/Switch to Internet

Hello, we relocated to a new office and are trying to get a server and the local computers to connect to the internet. I wasn't there when the server was unplugged and transferred to the new building, so I'm unsure how all the cables were hooked up to begin with. We bought new Dell workstations that run Windows 10 as well, and we had Cat 6 run throughout the building. The server is running Windows Server 2019. The modem is a Technicolor brand. Our ISP is Comcast Business. I'm trying to figure out how everything should connect. The server rack has a 24-port switch. Currently the modem is connected to a router which has two cables going out, one to the server and one to the switch; the switch runs to all the other computers and printers. After doing some research it seems I need to maybe run the modem to the server and then the server to the switch, then the switch to the router as a wireless access point, as well as all the other devices. And maybe use the server as DHCP and DNS for routing. Honestly this is a bit out of my element. I believe the server was most likely previously set up this way but I'm not sure. I feel confident that I can figure this out with a bit of help. The server has a static IP. And the server has two NICs. One is obtaining the info and the other has the IPv4 settings customized. Any advice or maybe a push in the right path? Thanks!



Can I broadcast wifi to multiple cabins on one property?

Building 4 cabins all within a 75' radius. Can I set up a wireless router in one of them and expect to get a good signal all around? Should I run cable into each cabin instead? Also, should I get 100Mb speeds or 400?



Alternative to Netalyzr?

Hi, Berkeley has shut down the Netalyzr service. I used it to help diagnose internet connection issues for myself or users when I had a tech support job, along with asking for the network info file and tracert.

Has anyone found a good alternative to it that tests and shows as much information?



Step by step to diagnose a network problem?

This is a question that always gets asked on interviews. I'm a junior in the networking world and am curious how more senior guys tackle this problem.

Scenario: You have an end user who says the "internet is down" or the "internet is slow".

Where do you start? What are the steps you go about addressing this?



Default route fail-over between BGP peers? (BFD questions)

Good morning! I just wanted to get some people's opinions on what they would do/try in my situation to see if there's a better way to be doing this.

I have an office site that has two routers, we will call them B1 and B2. These routers are connected to each other and running ibgp between them. B1 is also peered via ebgp with our ISP1, and getting a default route from the bgp peering. B2 is then also peered with ISP2 which is an IPVPN/L3VPN connection; also peered with ISP2 is our datacenter which is sending a default route into the "mpls" for other sites to use as backup internet.

So pretty simple multihome setup: B1 connected to ISP1 and getting default via BGP, B2 connected to "MPLS" and getting default route from datacenter via BGP.

But, right now failover is set up doing an IP SLA with a static route out to ISP 1. I inherited this network a couple years ago and I have been going through and slowly updating/optimizing/fixing all the patchwork routing - and this month is FailOver-January.

Is there a better way to be doing this? I was thinking BFD (assuming the DIA ISP supports it). But I have a few questions about BFD: 1) does BFD need to be configured on just the ISP1/Primary peer session, or on both? 2) if both does the multihome being on two different routers cause issues? 3) Is there an issue doing BFD on a peering with the ISP2 doing IPVPN when the peering is with the ISP but default is coming from the remote datacenter (2 hops away)?

If BFD isn't the cream dream here, what else do people recommend? I can't get access to my networking lab for a couple weeks so hand jamming configs in excel for testing fun once I get back into an office.



Best "alternatives" to putty?

Hello all!

I currently use SecureCRT from VanDyke to facilitate in telnet/SSH sessions.

However, the licensing structure is very draconian, and instead of just buying licenses for the new version I thought I'd reach out and see what you all are using.

I do like Solar-Putty... its a nice interface but does lack some of the more powerful scripting/integrations that SecureCRT has.

What are you all using???



How can I best find my network bottleneck?

My internet has gone from 100mbps to 500 now but my firewall/router can only handle about 200 down and 300 up. The router is in a VM which uses a PCI NIC for passthrough.

The resource load on the router is pretty low when running a speedtest, which leads me to think that it's the NIC or network I/O rather than a lack of resources.

How can I test this theory? Any good way to see the I/O of a NIC interface, particularly in Linux?

The software is pfSense if that helps at all. The connection is fiber and all copper is gigabit, so it shouldn't be a problem with cabling.



Objections to training?

Hi all,

I'm working to put together a training plan for a team. We're expecting to get a bunch of objections from management. What are some of the objections you've heard in your career? We're trying to be well prepared with responses to each of the objections.

At a minimum we're expecting these objections:

  • Training is too expensive.
  • What if we train people and they leave?
  • We don't have time for training.
  • They already know how to do their job, why do they need training?

If you have any other objections to add to the list, I'm keen to read them. Feel free to include responses as well. Hopefully there are some other people in /r/networking that will benefit from this.

Thanks!



Using Ntop to export/alert when new users join a Network

Hi all,

Just wondering if anyone is familiar enough with ntop to help me out.

At the moment I have ntopng running on a Pi 3B+ that's connected via ethernet to my router, and I'm using the web browser within the Pi to access ntop (wish I could use my computer, but for some reason cannot).

Either way, does anyone know how to set up some form of alert so that when an individual joins/connects to the network, I am told (either through a log export ideally, or an email or other alert form) what the device name is, mac address, time since etc etc., essentially all the info that is located under the 'device' tab of ntop.

Thanks,



Induce SSID Switch in clients via NAC.

We're trying to solve an issue with our corp/guest wifi. For reasons outside of my control, we have to allow userID/password access to wifi. This however allows people to connect their personal devices to the corp wireless. We're in the process of rolling out EMM, and Forescout. Has anyone come up with a method to force non-EMM users, (or anyone for that matter), to be moved from one SSID to another? We'd like to have it so that if you're not enrolled in EMM, then you get kicked off corp and presented with our captive portal for guest.



What feature of a router improves latency sensitive and packet loss sensitive applications?

A good router helps with this? And what feature of a router improves the experience with these type of applications? Is it QoS or is there more to it?

Latency and packet loss sensitive applications like voip, videocalls and videogames.

Less sensitive applications could be music and video on demand services.

What makes it so that one can play an online videogame or make a call without lagging/distortion, while another person watches netflix without buffering.

As long as there are no problems with the ISP and there is enough bandwidth for both applications. Let's suppose both cases: wired and wireless connection.



Metadata tags for networking sharepoint

Hey all, I work for a large corporation on the network infrastructure team that currently has very poor documentation procedures. As a company we recently went to the newer version of sharepoint and I have taken it upon myself to try to get the documentation up to snuff. That said, I want to make a flat documentation structure backed with metadata so that it’s easy for people to upload their data without having to drill down into a folder structure and eventually become disorganized and also so things are also easier to find.

Now to the question: does anyone currently use a flat documentation structure with metadata for network documentation? If so, would you be able to share the structure and categories that you use for your metadata please? I’m currently planning ours out and can’t decide what the most efficient metadata tags would be and am looking for ideas and inspiration.

Thanks!



Cisco FTD future

Hi,

I heard some rumour that Cisco is going to develop a new NGFW (real unified image) and drop the Firepower NGFW slowly.

Does anybody know if this is true or just total shit talk?



Had some annoyances with people not knowing what they're doing and asking for and led to a collaborative rewrite of the "You Can't Handle the Truth" speech (O/T)

Mods - If not allowed I fully understand but it was some good stress relief for my team this morning.

You can't handle the truth! Son, we live in a world that has firewalls, and those firewalls have to be guarded by men with laptops. Who's gonna do it, you? You, desktop support tech? I have a greater responsibility than you can possibly fathom. You weep for Netflix and you curse the Networking Team. You have the luxury. You have the luxury of not knowing what I know: that Netflix's death, while tragic, probably saved bandwidth; and my existence, while grotesque and incomprehensible to you, saves company resources. You don't want the truth because deep down in places you don't talk about at parties, you want me on that firewall, you need me on that firewall! We use words like protocol, source, destination. We use these words as the backbone of a network security life spent defending something; you don't use them at all. I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very network that I provide, and then questions the manner in which I provide it! I'd rather you just said 'thank you' and went on your way. Otherwise, I suggest you pick up a laptop and take the on-call. Either way, I don't give a damn what you think you are entitled to!



[Hiring] Wireless Guru/God/Savior

Our goal is to determine if we have a problem (or problems) with our wireless network, the breadth of the problems, and the solution to the problems. We envision the right person to be an expert in wireless networks in the enterprise environment. This includes expertise in Cisco wired and wireless networking, expertise in authentication (NPS/RADIUS, PEAP, EAP-TLS, Ruckus Cloudpath), DHCP, tuning wireless roaming/timing/frequency/power parameters, knowledge of RF tuning in a residential campus environment, client configuration and performance issues and resolutions, performing appropriate data gathering and assessment of metrics to assess wifi health status, and a proven history of problem resolution with wireless issues.



Connect public and private subnet virtualbox?

Hey,

So I created two virtual machines with virtualbox.

One machine resembles a database server and one a webserver.

I want to make sure the VM with the webserver is reachable from the outside/host, whereas the VM with the database server can only be reached from the VM with the webserver.

What network adapters do I need to add/configure to make sure this scenario is met?



WLC 8540 SSO Failover random

Hi all,

I have 2 WLCs in SSO with release software 8.7.106.0. For the same client I have another 2 WLCs (used for testing) in SSO with the same software release. The WLCs are in 2 different datacenters and the following prerequisites are respected:

· RTT Latency < 80 ms

· Bandwidth ≥ 60 Mbps

· MTU 1500 bytes

The only difference between the 2 production WLCs and the 2 test WLCs is that they are linked to different switches, but of the same model (Juniper).

We have random reboots of the primary WLC, and so the backup becomes primary.

Someone have any idea on this issue?

thanks



Anybody using the Spamhaus DROP, EDROP or BCL service with BGP?

As the title asks, anybody using the Spamhaus DROP, EDROP or BCL service with BGP? I'm wondering what your experiences have been and how quick they are to add prefixes responsible for SPAM and botnets.

More info - https://www.spamhaus.org/bgpf/
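An added example, not from the original post, for anyone consuming the lists as text rather than as the BGP feed the post links to. The DROP and EDROP files are plain text: lines starting with `;` are comments and each entry is `<cidr> ; <SBL id>`. The parser below is mine; the sample feed is constructed from documentation prefixes and fake SBL numbers, the `MIN_PREFIXLEN` limits are my own sanity caps, and the output is IOS-style static discard routes tagged 666 as a stand-in for whatever you redistribute into BGP.

```python
"""Parse the Spamhaus DROP/EDROP text format, look IPs up against it, and emit
null-route statements, with sanity limits so a bad feed cannot blackhole the world."""
import ipaddress
from typing import Dict, List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the DROP file layout (';' starts a comment, each entry is
# "<cidr> ; <SBL id>"). Prefixes are documentation ranges, not real listings.
SAMPLE_DROP = """\
; Spamhaus DROP List (sample, constructed)
; Last-Modified: Sat, 08 Feb 2020 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/25 ; SBL000003
203.0.113.0/24 ; SBL000004
10.0.0.0/7 ; SBL000005
not-a-prefix ; SBL000006
"""

# Refuse anything shorter than this: a corrupted or truncated feed must not
# turn into a null route for a quarter of the Internet.
MIN_PREFIXLEN = {4: 8, 6: 19}


def parse_drop(text: str) -> Dict[Net, str]:
    """Return {network: sbl_id}; skip comments, malformed lines and over-broad prefixes."""
    listed: Dict[Net, str] = {}
    for raw in text.splitlines():
        parts = raw.split(";", 1)
        cidr = parts[0].strip()
        if not cidr:
            continue  # comment or blank line
        sbl = parts[1].strip() if len(parts) > 1 else ""
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            continue  # malformed, or host bits set: ignore rather than guess
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            continue
        listed[net] = sbl
    return listed


def lookup(listed: Dict[Net, str], ip: str) -> Optional[Net]:
    """Longest-prefix match of ip against the list, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in listed if n.version == addr.version and addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def null_routes(listed: Dict[Net, str], tag: int = 666) -> List[str]:
    """IOS-style static discard routes, tagged so a route-map can pick them up
    when redistributing into BGP (and attach no-export or a blackhole community)."""
    lines = []
    for net in sorted(listed, key=lambda n: (n.version, int(n.network_address), n.prefixlen)):
        if net.version == 4:
            lines.append(f"ip route {net.network_address} {net.netmask} Null0 tag {tag}")
        else:
            lines.append(f"ipv6 route {net} Null0 tag {tag}")
    return lines


if __name__ == "__main__":
    drop = parse_drop(SAMPLE_DROP)
    for ip in ("203.0.113.5", "203.0.113.200", "8.8.8.8"):
        print(ip, "->", lookup(drop, ip))
    print("\n".join(null_routes(drop)))
```

Two caveats a practitioner will want: validate the feed before anything automated touches routing (the over-broad `/7` and the malformed line in the sample are dropped on purpose), and keep the discard routes out of any IGP redistribution that lacks a matching route-map, since a tag alone does nothing until something filters on it.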