Saturday, March 7, 2020

Amazon, NOT Cisco, VPC

I wanted some clarification from some of the gurus on this sub whether there is any major difference between Amazon's setup of VPCs vs traditional networking on the basis of all three planes (management, data, and control).

Does it more or less operate like a DMVPN Phase 1 setup where you are connecting from a hub, in this case your client laptop, which is initially VPN'ing via an Amazon private gateway per subnet you deploy in the VPC (which consists of whatever instances you are trying to access)?

If not what is a comparative analogy that could be made?



Firewall Networking Priority Scheme

Is there any way we can skip the basic top-to-bottom priority scheme for firewalls and let it decide priority based on rule traffic? For example: at any usual time X type traffic is allowed, but at the time of a DoS it should start blocking the same X type traffic. Keep in mind there is no next-gen firewall or machine learning involved. This is your usual firewall, say SonicWall or pfSense.



Wireless Router in my shed

Hello great minds of r/networking!

I have a quick question regarding a wireless router. Let’s say I have some IoT devices in my shed. These do not have wireless network access but I would like them on the Internet to get updates and whatnot. Could I put a wireless router in my shed and have the wireless part connect to my Internet connection instead of broadcasting its own connection and use the ports on the router to provide Internet access to the IoT devices?

I have a Belkin N450 and Belkin N600 to choose from.

I have tried mostly with the N450 as an access point but it doesn’t show on my network and I can not ping anything on it.



Is it possible to broadcast something like a radio wave with no destination on WWW?

In other words, is there a mechanism to send packets with no destination on the World Wide Web and receive them?

Just, I thought current websites are passive.



Question: How many public IP addresses does a large university need?

Imagine a university in a country like China where many websites are censored by the government. Let's say 50% of all the students are constantly connecting to the internet via some sort of VPN. And we have 10k students connected at any moment. How many public IP addresses does the university need to handle this?

Also, if the university runs only one webserver, can it operate using only one public IP address?



[RANT] Fortigate - Death by a million choices

I implemented Palo Alto (PAN) firewalls at my last job, and loved them. I've always heard the two best options these days are PAN or Fortinet, so when I started at a new company, and they had Fortigate in place, I was excited to dig into them.

I started to notice some weird things when going through existing config, like the security policy section is called "IPv4 Policy"...but where's IPv6? Security policies referenced actual interfaces, instead of zones. NAT was configured in the security policy, not separately. I couldn't find everything I needed until I checked a "Feature Visibility" button or found out it had to be done via CLI.

So I started to read through the Fortigate Cookbook, and guess what I found out? There are a million ways to do everything (*slightly exaggerated). Some quick examples:

IPv6: You need to enable IPv6 in Feature Visibility, then you'll be able to configure IPv6 security policies that are completely separate from IPv4 policies. But, would you rather have your policies not be IPv4/IPv6 dependent, and all be in one place? That's possible too, if you enable "Consolidated Firewall Mode", but watch out, as that will delete all your current IPv4 and IPv6 policies.

NAT: Each policy has a NAT section, which is fine when you have a couple rules in a branch office, but troubleshooting that can be a nightmare with hundreds of rules at HQ/DC. No problem, Fortigate gives you the option to enable "Central NAT", which enables another configuration section for centralized NAT configuration. Now, you should also be aware if the firewall is in profile NGFW mode or policy NGFW mode. Because this will also affect NAT configuration, and separates "Firewall" policies from "Security" policies...

This may not be a big deal, but when you're on a team, and everyone does things slightly differently, it's nice to just have one "right" way to get things done. With PAN, you have to use zones, there is one place for all IPv4/IPv6 policies, one place for NAT...you get the picture. You don't have to worry about which configuration "mode" the firewall is in. Oh, and you need FortiManager and FortiAnalyzer to replace Panorama...and I might need FortiAuthenticator as well? I think I have a FortiHeadache...

I'm really hoping it gets better from here, because right now I want to run back to my old DC and give my PANs a hug.

Note: I will give Fortinet kudos for being inexpensive, having a decent, free SD-WAN implementation, and a variety of models (with PoE too!)



Cisco ASA and excluding URLs that are both private and public

Hey guys, I have a scenario that I'm trying to find a resolution for. When users are on my network and hit an internal DNS server to go to the site example1.domain.com, they resolve to a private address and route over an MPLS network to get to that site, which is hosted in a data center.

When that user goes home, that site example1.domain.com is available publicly.

Here is my issue: when a home user connects to our corporate VPN to get to other internal apps and file shares, and their VPN settings are set to use an internal DNS server, I want example1.domain.com to continue to resolve to its public IP. Yes, we allow split tunneling.

How do I exclude example1.domain.com from resolving with a private IP and trying to route through the VPN and then across the MPLS network?

Thanks!



1U UPS

Hi all. I'm looking for a UPS, but with some specifications for it to work for me. It needs to be a 1U UPS that has a depth of less than 300mm, preferably around 270-280mm. Also, it needs to be white, or at least silver/grey with a white faceplate.

Needs to be able to run a Synology DS918+ and a small UniFi setup for not more than 10 minutes to be able to shut it all down safely.

Does such a unicorn exist?



A little overwhelmed

Sorry - I just don't know where else to post this, or whom to talk to besides my co-workers. This is more of a rant. Please feel free to post your own experiences and/or suggestions.

So, recently - I've switched jobs. My previous job of 6 years was great. All Cisco shop, campus environment in which we had dedicated teams for everything. Tiered Routing/Switching team, security, collaboration, etc.. Around 40 employees I would say. I was a tier III network OPS engineer. Everything was great.

I've recently switched jobs. And my new environment is the complete opposite. We are doing WAN Edge services in a few locations with a handful of network equipment. Fine. But now, the dilemma I face is that we have all the technologies fall under my responsibilities. Routing, switching, firewall, collaboration with a multi-vendor environment..... I was in the process of going through the CCIE EI but had to pause due to the need to learn Cisco ASA. Fine. I did the Udemy bootcamp, labbed up everything the instructor went through (context-based, active/passive, active/active, etc..). Now have to learn Juniper, which is completely new to me. Gotta learn zone based firewall, etc. Okay, fine. Then need to learn collaboration/voice VoIP stuff.

I am prioritizing learning based on the needs of the job, but sometimes I feel overwhelmed. I am OK with learning new technologies, but being a tier III engineer to whom things will potentially get escalated scares me a little. For that reason, I am developing a good relationship with the vendors and will escalate (TAC, Juniper, if I need to). I feel like the reward will be great once I get past this challenge, but I hate the fact that I am putting my CCIE goal on hold.



HP Aruba 2929 - way to report on ports and Macs?

All I can do is telnet or get to the web interface, and it's hard to find what port a MAC is on. In the command prompt I have to scroll pages. If I try to copy/paste to Excel the spacing is all crazy.
Is there a tool or trick I can use to just export to a CSV all ports and what MACs are connected? Even better if I could see IP addresses on each?



Multi tenant segmentation

Hi everyone, I would like to ask what you are using to segment multiple customers from each other if they land on the same firewall, have a common service they access, and this is a routed network.

I currently need to redesign our backup infrastructure solution, which is a bit messy. The firewall where the backup servers reside is also the firewall for our management access to our infrastructure, and on this firewall there also terminate a few linknets to route some traffic between the customers for the backup solution or access to their environment from our management VLAN. I will not be able to put some of the services in a VRF for a few customers, because they need access to the backup servers.

It's kinda messy and I really have a bad feeling about how this is made.



Want to create a geographical map of our network

Hi! So I've worked at a NOC for about a year now, and we've got some input from our sellers and some customers that our alarm overview is pretty ugly.

We're using something called Spectrum, and just output the minor/major/critical alarms on a wall with four TV screens. Now someone mentioned that I could use something called Cacti to get info via SNMP, and place a switch or router where it physically resides on a geographic map.

I think that sounds pretty cool and have been reading a bit about how to configure Cacti and the weather map plugin, but I have some doubts whether this is actually the solution I want, since I can't find any examples that reflect what I've described above.

Could someone help point me in the right direction?



NonProfit needing switch suggestion

Hi. I work for a nonprofit as a SysAdmin. I'm 6 months in and have discovered the MSP that they have been using for a few years now is just not cutting it. I'm upgrading our vSphere cluster to 10GbE and need some recommendations for a switch (or two for redundancy). We don't have a network admin so I'm going to be the one managing the network. I have very little networking experience. Can anyone help me out?



Port-channel config help

Hi,

I have plugged 2 UTP 1Gb cables into 2 ports of a 3750 switch and 2 ports of a 2960 switch.

I am trying to trunk the 2 switches with a port-channel, but something seems off in my configs, since the port-channel reports a speed of 1000Mb/s when I was expecting 2000Mb/s.

Config on Switch1

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!

Some more info

Switch1#show interfaces port-channel 1
Port-channel1 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is d4a0.2ab7.b48c (bia d4a0.2ab7.b48c)
  MTU 1500 bytes, BW 2000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 0/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, link type is auto, media type is unknown
  input flow-control is off, output flow-control is unsupported
  Members in this channel: Gi1/0/11 Gi1/0/12
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     12227738 packets input, 2355872064 bytes, 0 no buffer
     Received 115654 broadcasts (114816 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 114816 multicast, 0 pause input
     0 input packets with dribble condition detected
     30714069 packets output, 25032340084 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Switch1#show etherchannel
                Channel-group listing:
Group: 1
Group state = L2
Ports: 2   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:   -
Minimum Links: 0

Config on Switch2

interface Port-channel1
!
interface GigabitEthernet1/0/23
 channel-group 1 mode on
!
interface GigabitEthernet1/0/24
 description Trunk Port to Stack Master's port 12
 channel-group 1 mode on
!

Some more info:

Switch2#show int port-channel 1
Port-channel1 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is 00cc.fc21.7e98 (bia 00cc.fc21.7e98)
  MTU 1500 bytes, BW 2000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, link type is auto, media type is unknown
  input flow-control is off, output flow-control is unsupported
  Members in this channel: Gi1/0/23 Gi1/0/24
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 19:36:42, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 58000 bits/sec, 106 packets/sec
  5 minute output rate 4000 bits/sec, 5 packets/sec
     30728351 packets input, 25033314906 bytes, 0 no buffer
     Received 7136969 broadcasts (626201 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 626201 multicast, 0 pause input
     0 input packets with dribble condition detected
     12226992 packets output, 2355786810 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Switch2#show etherchannel
                Channel-group listing:
Group: 1
Group state = L2
Ports: 2   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:   -
Minimum Links: 0

Can someone help me get it right?
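As an added example that is not part of the post, the Python below parses the two show outputs quoted above and compares the Port-channel's BW field, which IOS fills with the sum of the member links, against the per-member speed printed on the "Full-duplex, 1000Mb/s" line; it also reads the negotiation protocol and port count from "show etherchannel". The sample text is Switch1's output from the post, re-typed inline so the script runs offline.

```python
import re

# Excerpt of "show interfaces port-channel 1" quoted in the post (Switch1), re-typed inline.
SHOW_INT_PO1 = """\
Port-channel1 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is d4a0.2ab7.b48c (bia d4a0.2ab7.b48c)
  MTU 1500 bytes, BW 2000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 0/255
  Full-duplex, 1000Mb/s, link type is auto, media type is unknown
  Members in this channel: Gi1/0/11 Gi1/0/12
"""

# Excerpt of "show etherchannel" quoted in the post (Switch1), re-typed inline.
SHOW_ETHERCHANNEL = """\
                Channel-group listing:
Group: 1
Group state = L2
Ports: 2   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:   -
Minimum Links: 0
"""


def parse_port_channel(text):
    """Extract the fields a bundle-speed check needs from 'show interfaces Port-channelN'."""
    m = re.search(r"^(\S+) is (\S+), line protocol is (\S+)", text, re.M)
    name, status, proto = m.groups()
    # BW is the bundle's aggregate bandwidth in Kbit (IOS prints "Kbit" or "Kbit/sec").
    bw_kbit = int(re.search(r"BW (\d+) Kbit", text).group(1))
    # The duplex/speed line reports the speed of an individual member link.
    member_speed_mbps = int(re.search(r"\b(\d+)Mb/s", text).group(1))
    members = re.search(r"Members in this channel:\s*(.*)$", text, re.M).group(1).split()
    return {
        "name": name,
        "status": status,
        "line_protocol": proto,
        "bw_kbit": bw_kbit,
        "member_speed_mbps": member_speed_mbps,
        "members": members,
    }


def parse_etherchannel(text):
    """Extract protocol, bundled port count and min-links from 'show etherchannel'.
    A protocol of '-' means the bundle was built with 'channel-group N mode on',
    i.e. no LACP/PAgP negotiation is protecting it against a misconfigured peer."""
    proto = re.search(r"Protocol:\s*(\S+)", text).group(1)
    ports = int(re.search(r"Ports:\s*(\d+)", text).group(1))
    min_links = int(re.search(r"Minimum Links:\s*(\d+)", text).group(1))
    return {"protocol": None if proto == "-" else proto, "ports": ports, "min_links": min_links}


def check_bundle(show_int, show_etherchannel):
    """Cross-check the two outputs: does the aggregate BW equal members x member speed,
    and are all listed members actually bundled?"""
    po = parse_port_channel(show_int)
    ec = parse_etherchannel(show_etherchannel)
    expected_kbit = po["member_speed_mbps"] * 1000 * len(po["members"])
    return {
        "members": po["members"],
        "member_speed_mbps": po["member_speed_mbps"],
        "aggregate_kbit": po["bw_kbit"],
        "aggregate_matches_members": po["bw_kbit"] == expected_kbit,
        "all_members_bundled": ec["ports"] == len(po["members"]),
        "negotiation_protocol": ec["protocol"],
        "min_links": ec["min_links"],
    }


if __name__ == "__main__":
    for key, value in check_bundle(SHOW_INT_PO1, SHOW_ETHERCHANNEL).items():
        print(f"{key}: {value}")
```

For the quoted output the check reports an aggregate of 2000000 Kbit from two 1000Mb/s members, so the bundle itself is carrying both links; the 1000Mb/s figure is per member, not the bundle total.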



Websense - Replacement Time

Finally we get to do it this year! After god knows how many issues with bad categorisation, terrible support and issue after issue Websense is finally being given the bin.

Now the big question is what do we aim to replace it with?

We've been looking at a good few different vendors to POC but trying to see if there's any we may have missed.

Considerations so far have been:

  • Bluecoat: Seems to be the closest direct replacement but we've been warned that since being bought by Symantec they're just ignoring any organisations of our size (government with about 1000 staff). POC was done last year and didn't seem too bad from what I was told.
  • zScaler: We've had Citrix in talking about this a few times but very little movement. Will probably have to look at it more.
  • Palo Alto: We already have a couple on site for segregation on a small part of our network so we'll be able to use these for a POC. The organisation has traditionally used dedicated proxy appliances so moving to a UTM approach would require a bit of selling (but might go well since our perimeter firewalls are up for renewal at a similar time). Have to see how well it behaves with multiple AD groups on single users, as I've seen this cause problems before (e.g. having basic access + social media or basic + collaboration). Also there are concerns about changes in application categorizations breaking more than just a few URLs.
  • Fortinet: Similar to the Palos with similar concerns. Have used it in a previous role back on v5.2 and thought it worked relatively well.
  • Trustwave: Haven't really thought about it. Webmarshal has burned me badly in the past.
  • Ironport: Doesn't look to have changed or improved in many years.
  • McAfee Web Gateway: Hasn't been researched much.

Pretty sure that's all we've looked at!

Has anyone been down this path that could offer some advice on things we may have missed or what we should aim for? Our main concerns are application level control, categorization and response times for changes + support along with the fun on multiple AD groups controlling permissions.

Thanks Guys!



Cisco ASA QoS for Voip, policing too slow

Hello guys,

I have a problem with my Voice network:

I have a 30mbit link and set up policing for input and output to throttle all traffic apart from the voice subnet to 25 mbit, leaving the remaining bandwidth for the voice subnet.

My problem is that during congestion, before policing kicks in, all my voice calls are getting dropped. According to iperf it takes 3-4 seconds to throttle the downloads. Is there anything I can do so my voice calls remain stable during heavy file transfers, downloads etc.?

Cisco Asa 5506-X.



How does Ethernet over coax work?

Hi, is anyone here old enough / engineer-y enough to know how Ethernet over coax worked?

It only has one conductor!?

Thanks a lot.

p.s. I'm not from an engineering / networking background; I'm a computer scientist.



Redistribute Static Routes into EIGRP

Hello Guys,

I have the following scenario: in one of our branches we have a 3850 (IP Base) switch acting as the core in the network, and 2 WAN routers from different ISPs are connected to the same core.

EIGRP is configured between both routers and the core switch; we are looking to achieve active-standby links with the core and to redistribute all static routes from the core switch to both routers.

Once I enter the redistribute command under the EIGRP configuration, nothing is showing on either router.

I have done my research and most of the communities are saying that in order to have full routing capabilities on my core switch, an Enterprise license should be present.

Can anybody advise on this? Also, I need some ideas on how to tune the EIGRP metrics on both routers to achieve the active-standby links with the core switch.



Anyone doing always on VPN for employees?

Wondering if anyone is doing "always on VPN" for employees, even when they are in the office? I would need to configure only 'visitor network' in every office and then allow access to DC from VPN subnet. Adding a new office would be easy as the users would terminate to the same subnet from everywhere and managing fw rules would be easier. Might even switch to role based fw rules instead of just using IP subnets.

On the downside I would still need to configure networks for printers etc. In the future we'll probably replace the switches with models that support Aruba's Dynamic Segmentation, so in the distant future we would have only visitor + dynamic segmentation networks everywhere.

Started wondering this as it seems FortiClient doesn't have any sophisticated way to know if it's in an office network or not, you just need to enter IP networks manually for it to figure out whether it should connect via VPN or not.

So the option is either to get other VPN client software, or just use VPN everywhere. We have FortiGate firewalls in the DC, they have more IPSEC performance than we would ever need for users.

Any thoughts? Thanks!



Change link based on quality

Hello all, I have a network of branches with dual internet connections from different ISPs, and I have brought up two DMVPN connections, one on each ISP's connection, for failover. Now, when a link from ISP1 doesn't go completely out but starts giving me about 4-15% packet loss, my branch will switch back and forth from the primary link to the secondary link and back to the primary. This goes on and on until either I manually shut down ISP1's link in my router or the packet loss goes down to 0; meanwhile all my VoIP sessions are getting dropped and people complain about bad connections. I have IP SLA configured to change my route if the first ISP goes down, but I need a way to both change my default route and fail over to the secondary DMVPN tunnel when ISP one starts getting packet loss of more than 2 percent. Basically I want to change a link based on quality.
I really need your help.



Cluster of Barracuda firewalls. Problem with duplicated syslog packets.

Hello,

I have a few 2-node clusters (different F models) and I'm sending all syslog packets to an rsyslog server. Unfortunately I have noticed that the second (standby) node is also sending the same packets. Is there any way to disable sending packets from the inactive Barracuda?

Thank You Pet



Friday, March 6, 2020

Generating BPDUs on a linux machine/Mac to test STP functions

Hi,

I'm trying to test some STP functions in my lab like BPDU guard etc. I have a couple of old Macs plugged into a couple of switch ports and I'm wondering if there is a homebrew program I can download or something that I can use to generate BPDUs. Is there anything like that? I also have a Kali Linux VM that I'm not very experienced with, but it might be easier to use that also.



Gloves to protect hands

Anyone have any recommendations for gloves that will protect fingers and hands when doing a lot of plugging and unplugging cabling?

I’m involved in a project where we are upgrading a ton of switches and pinching RJ45 ends and tracing thousands of cables in the closets is really doing a number on my hands and fingers. Not to mention how everything in data closets is sharp and I occasionally cut myself.

I want something that still gives me dexterity to do the work, but doesn’t leave me raw at the end.



What are you using for remote VDI

My business is moving away from VMware and Horizon View and towards Azure/Hyper-V. We have been tasked with replacing Horizon View and going with a more Microsoft/Cisco centric solution. We are evaluating Cisco AnyConnect and Duo to facilitate remote access to our Hyper-V VDI environment. Anyone out there using this combo? Pros, cons, lessons learned?

I'll edit this by adding that we still have requirements of hosting on prem, so a pure Azure VDI/DaaS model isn't possible in the short term.



If your ISP is throttling you why wouldn't using a VPN stop that? I have a bit of an understanding of MPLS in the provider network but no idea what happens in this specific situation


New job, in a pickle setting up new switches

Hello everyone

I just got a new job as a part-time teacher and computer support at a school. It's great, most problems are easy to deal with... but they recently purchased a bunch of new switches and it's my job to get them set up.

I've got 1 big problem, and it's that I can't seem to get trunking to work (this is the first time I'm setting this up). We're using a combination of D-link 1510 series switches and 1210. As an example, I'm currently working on setting up 2 trunked ports from one 1510 series to another. When I go into VLAN settings and set up the necessary ports for trunking, things get messy. I've got 2 switches next to me, connected to my laptop. I'm linked with 1 switch, but can get into the other switch (they're connected). Once I set up trunking, I can't access the secondary switch anymore. I need to change the cables around, remove the settings and then they're connected again.

The old setup has less trunking than the new one they want to implement, but the old settings aren't giving me any insight at all.

So poor me has no clue what to do for now, just messing around trying to get things to work. The school has no issues with this, they know it's new for me and that it's a learning process, one they tossed on me. I just need to figure this thing out and then I can finish setting them up.

Anyone who can point me in the direction of a decent, easy-to-use guide that tells me how to get this to properly work? Preferably with information why certain steps are needed, so that I learn while following the guide. Thanks a bunch, sorry if this is coming over as confusing, I'm quite confused myself.



OSPF Routing and ROAS Cisco Config Issue

Hi everyone, I am having a bit of trouble trying to get full network connectivity on a 3-router OSPF, ROAS lab where I do not have access to a Layer 3 switch.

It seems like there is an issue with the sub-interfaces and the OSPF BDRs R01 and R03.

Can anyone point me in the right direction, advise correct config or notice any issues with what I have produced?

Any thoughts are appreciated!

Network Topology: https://imgur.com/a/tNH0poF

Scenario/Current status:

  • I can ping the sub-interface IP addresses (g0/1.10 and g0/3.10) on R01 and R03 from all routers.
  • I can ping SW01 SVI interface IP from R01 only.
  • I can ping SW02 SVI interface IP from R03 only.
  • I cannot ping the SVI interface on either switches from R02.
  • I cannot ping interface G0/1 on R03 from SW02.
  • I cannot ping interface G0/1 on R01 from SW01.

Device Config Snippets:

R01:
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.11.254 255.255.255.0
!
router ospf 10
 router-id 1.1.1.1
 network 10.0.0.0 0.0.0.3 area 0
 network 192.168.11.0 0.0.0.255 area 0
 default-information originate
---
Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.0.0.0/30 is directly connected, GigabitEthernet0/0
L       10.0.0.1/32 is directly connected, GigabitEthernet0/0
O       10.0.0.4/30 [110/2] via 10.0.0.2, 00:29:53, GigabitEthernet0/0
     192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.11.0/24 is directly connected, GigabitEthernet0/1.10
L       192.168.11.254/32 is directly connected, GigabitEthernet0/1.10
O    192.168.22.0/24 [110/3] via 10.0.0.2, 00:29:53, GigabitEthernet0/0

R02:
interface GigabitEthernet0/0
 ip address 10.0.0.5 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 10.0.0.2 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
router ospf 10
 router-id 2.2.2.2
 network 10.0.0.0 0.0.0.3 area 0
 network 10.0.0.4 0.0.0.3 area 0
 default-information originate
---
Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.0.0.0/30 is directly connected, GigabitEthernet0/1
L       10.0.0.2/32 is directly connected, GigabitEthernet0/1
C       10.0.0.4/30 is directly connected, GigabitEthernet0/0
L       10.0.0.5/32 is directly connected, GigabitEthernet0/0
O    192.168.11.0/24 [110/2] via 10.0.0.1, 00:30:14, GigabitEthernet0/1
O    192.168.22.0/24 [110/2] via 10.0.0.6, 00:37:44, GigabitEthernet0/0

R03:
interface GigabitEthernet0/1
 ip address 10.0.0.6 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3.10
 encapsulation dot1Q 10
 ip address 192.168.22.254 255.255.255.0
!
router ospf 10
 router-id 3.3.3.3
 network 10.0.0.4 0.0.0.3 area 0
 network 192.168.22.0 0.0.0.255 area 0
 default-information originate
---
Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O       10.0.0.0/30 [110/2] via 10.0.0.5, 00:38:01, GigabitEthernet0/1
C       10.0.0.4/30 is directly connected, GigabitEthernet0/1
L       10.0.0.6/32 is directly connected, GigabitEthernet0/1
O    192.168.11.0/24 [110/3] via 10.0.0.5, 00:30:20, GigabitEthernet0/1
     192.168.22.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.22.0/24 is directly connected, GigabitEthernet0/3.10
L       192.168.22.254/32 is directly connected, GigabitEthernet0/3.10

SW01:
interface GigabitEthernet1/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
!
interface Vlan10
 ip address 192.168.11.253 255.255.255.0
!
ip default-gateway 192.168.11.254

SW02:
interface GigabitEthernet1/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
!
interface Vlan10
 ip address 192.168.22.253 255.255.255.0
!
ip default-gateway 192.168.22.254
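As an added example that is not part of the post, the Python below parses the three "show ip route" excerpts quoted above into records and checks, per router, whether a route exists for both VLAN 10 LANs and both /30 links. This separates the routing-table half of the problem from anything below it: if every router already holds all four prefixes, the router-to-router pings the post reports as working are what the tables predict, and the switch-side failures have to be explained elsewhere. The table text is the post's own output, re-typed inline so the script runs offline.

```python
import re

# "show ip route" excerpts quoted in the post, re-typed inline (single-space separated).
TABLES = {
    "R01": """\
Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.0.0.0/30 is directly connected, GigabitEthernet0/0
L       10.0.0.1/32 is directly connected, GigabitEthernet0/0
O       10.0.0.4/30 [110/2] via 10.0.0.2, 00:29:53, GigabitEthernet0/0
     192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.11.0/24 is directly connected, GigabitEthernet0/1.10
L       192.168.11.254/32 is directly connected, GigabitEthernet0/1.10
O    192.168.22.0/24 [110/3] via 10.0.0.2, 00:29:53, GigabitEthernet0/0
""",
    "R02": """\
Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.0.0.0/30 is directly connected, GigabitEthernet0/1
L       10.0.0.2/32 is directly connected, GigabitEthernet0/1
C       10.0.0.4/30 is directly connected, GigabitEthernet0/0
L       10.0.0.5/32 is directly connected, GigabitEthernet0/0
O    192.168.11.0/24 [110/2] via 10.0.0.1, 00:30:14, GigabitEthernet0/1
O    192.168.22.0/24 [110/2] via 10.0.0.6, 00:37:44, GigabitEthernet0/0
""",
    "R03": """\
Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O       10.0.0.0/30 [110/2] via 10.0.0.5, 00:38:01, GigabitEthernet0/1
C       10.0.0.4/30 is directly connected, GigabitEthernet0/1
L       10.0.0.6/32 is directly connected, GigabitEthernet0/1
O    192.168.11.0/24 [110/3] via 10.0.0.5, 00:30:20, GigabitEthernet0/1
     192.168.22.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.22.0/24 is directly connected, GigabitEthernet0/3.10
L       192.168.22.254/32 is directly connected, GigabitEthernet0/3.10
""",
}

# One route line: a code at column 0, a prefix, then either "[AD/metric] via next-hop, age,"
# or "is directly connected,", and finally the egress interface. Indented "is variably
# subnetted" headers and the "Gateway of last resort" line do not match and are skipped.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z][A-Z*]{0,3})\s+(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\d{1,3}(?:\.\d{1,3}){3}),\s+\S+,\s+"
    r"|is directly connected,\s+)"
    r"(?P<intf>\S+)\s*$",
    re.MULTILINE,
)


def parse_routes(text):
    """Turn one router's 'show ip route' text into a list of route dicts."""
    routes = []
    for m in ROUTE_RE.finditer(text):
        d = m.groupdict()
        d["ad"] = int(d["ad"]) if d["ad"] else None
        d["metric"] = int(d["metric"]) if d["metric"] else None
        routes.append(d)
    return routes


def reachable_prefixes(routes):
    """Prefixes the router can forward towards: everything except 'L' host routes,
    which only describe the router's own addresses."""
    return {r["prefix"] for r in routes if r["code"] != "L"}


def missing_prefixes(tables, wanted):
    """For each router, the wanted prefixes that have no route at all (sorted list)."""
    return {
        name: sorted(set(wanted) - reachable_prefixes(parse_routes(text)))
        for name, text in tables.items()
    }


def has_default_route(routes):
    """'default-information originate' only advertises a default the router itself holds,
    so with 'Gateway of last resort is not set' everywhere this stays False."""
    return any(r["prefix"] == "0.0.0.0/0" for r in routes)


if __name__ == "__main__":
    wanted = ["10.0.0.0/30", "10.0.0.4/30", "192.168.11.0/24", "192.168.22.0/24"]
    for router, missing in missing_prefixes(TABLES, wanted).items():
        print(f"{router}: missing {missing or 'nothing'}")
```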


Port Security Violation between 2 directly connected switches

Hi Guys,

I just came across something I have never experienced before and just wanted to know if anyone else has seen this.

Scenario. We have 2 switches, Switch A and Switch B. The 2 switches have a direct trunk connection to each other. An engineer connected a PC to Switch B on a port configured with VLAN 10, for example. This port is configured with port security with a maximum MAC address count of 3 and sticky MAC addresses.

He then took that same PC and connected it to a port on Switch A that is configured with VLAN 10 but does not have any port security in place. The PC managed to pick up a DHCP address, however the PC is unable to do anything else. It can't be pinged by anything other than the directly connected switch.

Checking for port security violations, there is nothing alerting me to this being the cause of the issue on either Switch A or Switch B. If the sticky MAC address for this PC is removed from the port on Switch B then the issue is resolved and the PC connected to Switch A is pingable and can speak outbound with no issues.

Is this normal behaviour of switchport security? And if so, why are there no log messages or port status alarms to notify you of this? It's not obvious that the issue is being caused by port security if you are not already aware that the PC was connected elsewhere beforehand.

I always thought that the sticky MAC address command only looked for a PC being connected into another port on the same switch and did not realise that it also triggered if the PC was connected on another switch that the original switch could speak to.

Thanks in advance.



How do I execute commands in netmiko in the dumbest possible way?

Hello, how can I do something like this:

#!/usr/bin/env python
from netmiko import Netmiko
from getpass import getpass

# device_type is a placeholder here; netmiko expects a platform name such as cisco_ios
device1 = {
    "host": "x.x.x.x",
    "username": "user",
    "password": "pass",
    "device_type": "device",
}

net_connect = Netmiko(**device1)

command = "conf t"
command2 = "exit"

print()
print(net_connect.find_prompt())
output = net_connect.send_command(command)
print(net_connect.find_prompt())
output = net_connect.send_command(command2)
net_connect.disconnect()
print(output)
print()

I have tried this but it seems to get into a loop. As you see I would prefer it to be done in a dumb sequential way.



Will my Mac address be seen by other computers on the Internet?

As I have understood it, layer 2 of the OSI model will contain the Src and Dst MAC addresses.

So when the data frame leaves my computer and is received by a webserver somewhere on the Internet, will it see the Src MAC address of my computer or will it be changed by a switch in the middle?



Netmiko ASA Object Group

I am currently writing various scripts with netmiko and mostly all is fine as they are show commands.

One issue I have with an ASA is creating a Network Object Group with multiple hosts: it stops after the first one is added, as if netmiko doesn't know what to do.

from netmiko import ConnectHandler

# 'cisco' is the device dictionary and 'output' the open file handle, both defined earlier in the script
ssh_connect = ConnectHandler(**cisco)
commands = [
    'object-group network testgroup',
    'network-object object abc123',
    'network-object object abc234',
    'network-object object abc456',
    'network-object object abc789',
]
sendtoasa = ssh_connect.send_config_set(commands)
output.write(sendtoasa)

The last line just writes to a file. The connection works no problem, and I can see it creates the object group, but nothing else. Am I missing something?

Thanks



Thursday, March 5, 2020

Fluke Tester POE Error

Hi everyone. I'm after a little help. I have a PoE camera that has stopped working. The camera tests fine straight into a switch. The CAT6 run tests fine with a Fluke tester, with the Fluke termination device on one end and the Fluke test unit on the other. It shows all pairs are straight through and good, with a 19ft length. But when I test the camera end of the cable with the Fluke unit and the other end is plugged into the PoE switch, it shows a switch connection but also an exclamation mark error (!) meaning 'high voltage'. Any idea why it would be a good and solid cable run, but throw an error when on the PoE switch? I have tested multiple ports on the switch and all is good there. Any advice would be appreciated. Thanks.



Need someone to recommend a wireless technology/protocol for a timer based obstacle course.

Not sure if this is the correct sub to ask but I am building a timer based obstacle course and need someone to recommend the best wireless protocol for the job.

  • There will be one button at the start and another at the end.

  • There will also be a raspberry pi to receive data from the buttons.

  • When the first button is pressed, it will send data to start a timer on the pi.

  • When the next button is pressed, it will stop the timer on the pi.

  • The pi will then upload the time to a database.

  • The buttons can range 15m to 50m from the pi

Which wireless technology would be good for hooking up the button to send data?

I would use wifi for the buttons with an esp32, however I found out that wifi kills battery life meaning the buttons would barely last for over a day.



Dell R710 EVE-NG Setup

Hello, I was wondering if someone had any knowledge of setting up EVE-NG on a Dell R710 server? I want to use the server to run my Cisco virtual lab along with a couple of windows services (DHCP, DNS, Active Directory) then in the future, I plan on adding some physical hardware. Thanks!



802.1x wifi on Chromebook Questions

How are you guys handling Chromebooks and certificates for wifi? I am using Ruckus APs and Cloudpath for authentication. We have a bunch of Windows laptops and Chromebooks in carts that students check out, so they never get the same device. I configured the system to use device-based certificates and that config went out through GPO just fine on the Windows machines. A student checks it out, turns it on and it's authenticated by device, so they just log in and don't have to worry about it. On the Chromebook (managed in G Suite) it seems like they have to go through some steps each time they log in to generate a certificate to get connected, which I guess is a problem (I don't have to take care of the devices, just the wifi infrastructure). Just curious what others out there are doing.



Network Engineer Study Direction

/r/ITCareerQuestions/comments/fe8jfp/network_engineer_study_direction/

Best Practice for Multiple Data Center Router Redundancy?

I understand VRRP can be used within a data center for redundancy but is less desirable across data centers. What are the best practices for router redundancy across data centers?



Stackwise question on 9500's

I've used 2 QSFP-H40G-CU3M cables to stack 2 9500 24-4yc's with the dual active detection. Can I use 2 more of these cables for the virtual link? So end up not using fiber or sfp's, just the 4 cables to make the 2 switch stack?



Looking for software suggestions

I am looking for software suggestions that can solve my use case explained below.

I have a group of systems running on my LAN that run different services like a video-streaming server (HLS), MongoDB server, socket.io server, Jenkins server and a few other services running on TCP protocols.

I have an ec2 instance running on AWS with static IP and now I want to create TCP tunnels from my AWS instance to my systems running on LAN to access them from static IP for global access of my services.

Currently, I am using a private ngrok server set up on my AWS instance to solve this use case. I am looking for software suggestions as I face issues with TCP tunnels: performance, not being able to get a fixed port on the server to tunnel ssh/hls (TCP protocols), and it being harder to manage if you have a swarm of services switching ports on the server.



Wireless Device Isolation from SSL Inspection [Help Request]

We recently deployed a Barracuda F18 firewall at a small/medium size business. SSL inspection is enabled, so a certificate was deployed to the network via GPO to avoid certificate issues. The firewall is configured in a bridge configuration with all WAN traffic going through to a MikroTik 951G after SSL inspection, IPS and content filtering.

The issue we are experiencing is that wireless devices such as mobile phones/iPads are connecting to the network and, as such, not getting the certificate from group policy, causing them to get certificate problems on all apps and web browsing. (No issue with laptops.) We have tested installing the certificate on these mobile devices, however we still experience certificate issues and apps just refusing the connection, while some apps choose to work using the certificate.

The wireless network is a unifi environment with a cloud key linked into our portal

Ideally we would like to keep the wireless network to go through the firewall before reaching the internet however we are trying to identify a way to not have mobile phones/ipads. Also trying to avoid the purchase of new equipment if possible.

Any advice would be helpful and will provide further information as requested.

Current traffic flow

Internet-----> Mikrotik 951G (10.0.0.254)------->Barracuda F18 Firewall(10.0.0.253)----->Switch(basic)----->Lan/Wifi(10.0.0.x/24 DHCP provided by onsite server)



Advice on how to complete this challenge?

I'm trying to solve this problem in Packet Tracer but I'm a bit stumped. I know it has to do with supernetting but I'm unsure. Can anyone give some advice?

Here's the problem

link



Tunnel Server

I have been looking for a tunneling server that can create tunnels from a client to the tunnel server on demand by just making a request from the server. Unfortunately I did not find any software that can do this. I have been managing all my test systems, which are clients that run my servers locally; I want these client ports to be tunneled to the server on demand only. Does anybody know any software that can manage to do this, or I was planning to build one for myself.



Port Forwarding experts?

I need help port forwarding because whenever I try to port forward for GTA V online it doesn’t work. I check if the ports are open after I port forward but they’re not open. So if anyone knows how do I do it perfectly please help me do that. Would be great!



Crimping a solid rj45 wire?

So I've been struggling to run the Cat6 that has the solid copper wires, not the stranded copper wires. My issue is that if I crimp an RJ45 end onto those cables, it barely works right because they just fail; they're so thick that crimping doesn't really secure them and it ends up coming loose. But crimping the stranded copper works. The solid is only good for punching down in a patch panel or keystone jack.

Are the solid copper wires the ones you don't crimp an rj45 cable to?



NX-OS Smart Licensing Headache

Okay folks, I have not dealt with smart licensing until now. Bought a new Nexus 9k and I tried to follow the guide:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/nx-os/licensing/guide/b_Cisco_NX-OS_Licensing_Guide/m-smart-licensing-for-cisco-nexus-3000-and-9000-series-switches.html#concept_9k90A621A807234C70AF3851D179966DEN

Heck half of the commands aren't even on this switch. I can't for the life of me figure out how to get this thing to register with my smart licensing account.

Does anyone have any idea what I am doing wrong or have any suggestions/guides?



meaning of a c(2,1,2) architecture in convolution code question.

I have a question.

Generate a convolutional code for an input bit stream of 10011 using a c(2,1,2) architecture.

What does the c(2,1,2) part mean? And if you can, please show me how this encoder would be drawn.

What is the difference between a c(2,1,2) and a c(2,1,3) encoder?
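As an added illustration (example code, not from the post or any textbook the poster is using), the encoder below reads c(n,k,m) as n output bits per k input bits with m delay elements, so c(2,1,2) is a rate-1/2 encoder with two shift-register stages (constraint length 3). The tap polynomials (7,5) octal, i.e. 111 and 101, are an assumption: the question does not state which generators to use, and a different pair gives a different code. `state_table` produces the (state, input) -> (output, next state) transitions that make up the state diagram you would draw; a c(2,1,3) encoder is the same construction with `memory=3` and four-tap generators, which doubles the number of states.

```python
def _parity(generator, window, memory):
    """XOR of the window bits selected by the generator's taps.

    Generators are written the usual way, MSB first: for memory=2, g=0b111
    taps (current input, previous, previous-1) and g=0b101 taps the current
    input and previous-1 only. window[0] is the current input and window[i]
    is the input from i steps ago."""
    bit = 0
    for pos, value in enumerate(window):
        if (generator >> (memory - pos)) & 1:
            bit ^= value
    return bit


def conv_encode(bits, generators=(0b111, 0b101), memory=2, flush=True):
    """Rate-1/n feed-forward convolutional encoder.

    bits       : input bit string, e.g. "10011"
    generators : one tap polynomial per output bit (n = len(generators))
    memory     : number of delay elements, m; constraint length is m + 1
    flush      : append m zeros so the encoder ends back in state 0
    Returns the output bit string, n bits per input bit."""
    stream = [int(b) for b in bits]
    if flush:
        stream += [0] * memory
    regs = [0] * memory            # regs[0] holds the most recent past input
    out = []
    for u in stream:
        window = [u] + regs
        out.extend(_parity(g, window, memory) for g in generators)
        regs = [u] + regs[:-1]     # shift the new input into the register
    return "".join(map(str, out))


def state_table(generators=(0b111, 0b101), memory=2):
    """(state, input) -> (output bits, next state): the state diagram of the
    encoder. A state is the register contents as a bit string, most recent
    input first."""
    table = {}
    for s in range(2 ** memory):
        regs = [(s >> (memory - 1 - i)) & 1 for i in range(memory)]
        state = "".join(map(str, regs))
        for u in (0, 1):
            window = [u] + regs
            outs = "".join(str(_parity(g, window, memory)) for g in generators)
            nxt = "".join(map(str, [u] + regs[:-1]))
            table[(state, u)] = (outs, nxt)
    return table


if __name__ == "__main__":
    print(conv_encode("10011", flush=False))  # 1110111101
    print(conv_encode("10011"))               # 11101111010111 (two flush bits appended)
    for (state, u), (outs, nxt) in sorted(state_table().items()):
        print(f"state {state} + input {u} -> output {outs}, next state {nxt}")
```

Without flushing, each input bit produces exactly n output bits; with flushing, the m trailing zeros cost extra output bits but let a Viterbi decoder end in a known state.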



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



HSRP over GRE/IPsec tunnels?

So I have this small task to implement failover between two routers connecting to a switch that goes to the firewall. I only need a failover solution, load balancing is not needed.

See the drawing below.

https://i.imgur.com/8qiyilz.png

I have configured HSRP but only on the physical interfaces, not subs. Can I use the VIP as the tunnel source and implement tracking pinging the other side of the tunnel?

What happens if mid transfer the first router link goes down and HSRP switches to the other router, do the packets go in a black hole?

Thanks!



terrible latency with Pakistan

a bit of a shot in the dark here.

We have a client based in Karachi connecting to an on-prem VDI solution at our office in Montreal. They are complaining the latency is so bad it's making even the cursor jump/lag, so I can only imagine the screen refresh. We have North American clients using the VDI solution with no issue.

Not sure what my options are at this time. PingPlotter shows about 250ms delay, which doesn't seem that bad to me.

short of finding a better provider in Pakistan, any options?



STP blocking uplink port, correct way to avoid?

Gear: HPE Aruba 2530G 52-ports switch.

Config: Uplink is port 52, as those last four ports are SFP-ports. A colleague managed to patch up a cable from port 4 AND port 14 as well to the upstream switch - making two "loops".

Problem: The Aruba figured it would block port 14 and 52! That's maybe fair enough, but only port 52 has all the VLANs, which practically took down the whole switch, as port 4 now being root port only had an untagged vlan..

Question: What's the correct way to avoid this and make STP keep 52 as root port if another loop occurs? (Port priority, root guard, BPDU guard/filter etc.)

BTW: I tried "span 52 prio 4"; this had NO effect, to my surprise! But this is maybe not the correct way to do it? The docs say per-port priority doesn't work for RSTP, and it seems that MSTP is multiple RSTP too. But the fact that it selects a root port that doesn't even have more than 1 untagged VLAN seems odd to me, though I'm not really into the different STP protocols.

Example from CLI, edited to match what I saw on console:

     Multiple Spanning Tree (MST) Information

      Force Version                 : MSTP-operation
      IST Mapped VLANs              : 1-4094
      Switch MAC Address            : 08f1ea-28d580
      Switch Priority               : 32768
      Max Age                       : 20
      Max Hops                      : 20
      Forward Delay                 : 15
      Topology Change Count         : 21
      Time Since Last Change        : 41 mins
      CST Root MAC Address          : 2c59e5-8c8d20
      CST Root Priority             : 16384
      CST Root Path Cost            : 40000
      CST Root Port                 : 52
      IST Regional Root MAC Address : 08f1ea-28d580
      IST Regional Root Priority    : 32768
      IST Regional Root Path Cost   : 0
      IST Remaining Hops            : 20
      Root Guard Ports              :
      Loop Guard Ports              :
      TCN Guard Ports               :
      BPDU Protected Ports          :
      BPDU Filtered Ports           :
      PVST Protected Ports          :
      PVST Filtered Ports           :
      Root Inconsistent Ports       :
      Loop Inconsistent Ports       :

                      |           Prio             | Designated         Hello
      Port  Type      | Cost      rity  State      | Bridge             Time PtP Edge
      ----- --------- + --------- ---- ----------- + ------------- ---- --- ----
      1     100/1000T | 20000     128  Forwarding  | 08f1ea-28d580 2    Yes Yes
      2     100/1000T | 20000     128  Forwarding  | 08f1ea-28d580 2    Yes Yes
      3     100/1000T | Auto      128  Disabled    |               2    Yes No
      4     100/1000T | 20000     128  Forwarding  | 6cc217-9b99e0 2    Yes No   <-
      5     100/1000T | Auto      128  Disabled    |               2    Yes No
      6     100/1000T | Auto      128  Disabled    |               2    Yes No
      7     100/1000T | Auto      128  Disabled    |               2    Yes No
      8     100/1000T | Auto      128  Disabled    |               2    Yes No
      9     100/1000T | Auto      128  Disabled    |               2    Yes No
      10    100/1000T | Auto      128  Disabled    |               2    Yes No
      11    100/1000T | Auto      128  Disabled    |               2    Yes No
      12    100/1000T | Auto      128  Disabled    |               2    Yes No
      13    100/1000T | Auto      128  Disabled    |               2    Yes No
      14    100/1000T | 20000     128  Blocking    |               2    Yes No   <-
      15    100/1000T | Auto      128  Disabled    |               2    Yes No
      16    100/1000T | Auto      128  Disabled    |               2    Yes No
      17    100/1000T | Auto      128  Disabled    |               2    Yes No
      18    100/1000T | Auto      128  Disabled    |               2    Yes No
      19    100/1000T | 200000    128  Forwarding  | 08f1ea-28d580 2    Yes Yes
      20    100/1000T | 20000     128  Forwarding  | 08f1ea-28d580 2    Yes Yes
      21    100/1000T | Auto      128  Disabled    |               2    Yes No
      22    100/1000T | Auto      128  Disabled    |               2    Yes No
      23    100/1000T | Auto      128  Disabled    |               2    Yes No
      24    100/1000T | Auto      128  Disabled    |               2    Yes No
      25    100/1000T | Auto      128  Disabled    |               2    Yes No
      26    100/1000T | Auto      128  Disabled    |               2    Yes No
      27    100/1000T | Auto      128  Disabled    |               2    Yes No
      28    100/1000T | 20000     128  Forwarding  | 08f1ea-28d580 2    Yes Yes
      29    100/1000T | Auto      128  Disabled    |               2    Yes No
      30    100/1000T | Auto      128  Disabled    |               2    Yes No
      31    100/1000T | Auto      128  Disabled    |               2    Yes No
      32    100/1000T | Auto      128  Disabled    |               2    Yes No
      33    100/1000T | Auto      128  Disabled    |               2    Yes No
      34    100/1000T | Auto      128  Disabled    |               2    Yes No
      35    100/1000T | Auto      128  Disabled    |               2    Yes No
      36    100/1000T | 20000     128  Forwarding  | 08f1ea-28d580 2    Yes Yes
      37    100/1000T | 20000     128  Forwarding  | 08f1ea-28d580 2    Yes Yes
      38    100/1000T | Auto      128  Disabled    |               2    Yes No
      39    100/1000T | 2000000   128  Forwarding  | 08f1ea-28d580 2    Yes Yes
      40    100/1000T | Auto      128  Disabled    |               2    Yes No
      41    100/1000T | Auto      128  Disabled    |               2    Yes No
      42    100/1000T | 20000     128  Forwarding  | 08f1ea-28d580 2    Yes Yes
      43    100/1000T | Auto      128  Disabled    |               2    Yes No
      44    100/1000T | Auto      128  Disabled    |               2    Yes No
      45    100/1000T | Auto      128  Disabled    |               2    Yes No
      46    100/1000T | 20000     128  Forwarding  | 08f1ea-28d580 2    Yes Yes
      47    100/1000T | 20000     128  Forwarding  | 08f1ea-28d580 2    Yes Yes
      48    100/1000T | 20000     128  Forwarding  | 08f1ea-28d580 2    Yes Yes
      49              | Auto      128  Disabled    |               2    Yes No
      50              | Auto      128  Disabled    |               2    Yes No
      51              | Auto      128  Disabled    |               2    Yes No
      52    1000LX    | 20000     64   Blocking    |               2    Yes No   <-

Did try some googling, but wonder what is the best practice method to solve this.
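To show why the per-port priority change had no visible effect, here is an added example (not from the post, and not Aruba's code) of how RSTP/MSTP picks the root port. Per 802.1D-2004 a bridge compares the priority vectors of the BPDUs it receives, in order: root bridge ID, root path cost, designated bridge ID, designated port ID, and only last its own port ID. A local port-priority setting changes just that final component, so it never matters when the candidate uplinks already differ on cost or on the upstream port ID, while the per-port path-cost setting changes the first tie-breaker. The upstream bridge ID, the port numbers on the upstream side and the costs below are constructed values; the scenario assumes all three patches lead to the same upstream bridge and that every BPDU names the same root.

```python
from dataclasses import dataclass, replace

# Constructed upstream bridge ID: (bridge priority, MAC). Not taken from the post.
UPSTREAM = (16384, "aaaaaa-000001")


@dataclass(frozen=True)
class Uplink:
    """Best BPDU received on one of our ports, plus our local settings for it."""
    port: int                  # our port number
    advertised_cost: int       # root path cost carried in the received BPDU
    port_cost: int             # our own path cost for this port (20000 = Auto at 1G)
    designated_bridge: tuple   # (priority, MAC) of the bridge that sent the BPDU
    designated_port_id: int    # sender's 16-bit port ID: (priority << 8) | port number
    local_priority: int = 128  # our port priority; only feeds our own port ID


def root_priority_vector(u):
    """The 802.1D-2004 root priority vector without the root bridge ID, which
    every candidate is assumed to share. Compared left to right: root path
    cost, designated bridge ID, designated port ID, our own port ID."""
    return (
        u.advertised_cost + u.port_cost,
        u.designated_bridge,
        u.designated_port_id,
        (u.local_priority << 8) | u.port,
    )


def select_root_port(uplinks):
    """Return the port RSTP/MSTP selects as root port: the lowest vector wins."""
    return min(uplinks, key=root_priority_vector).port


def with_local_priority(uplinks, port, priority):
    """Effect of the per-port priority knob: it changes our own port ID only."""
    return [replace(u, local_priority=priority) if u.port == port else u
            for u in uplinks]


def with_port_cost(uplinks, costs):
    """Effect of the per-port path-cost knob: it changes the first tie-breaker."""
    return [replace(u, port_cost=costs.get(u.port, u.port_cost)) for u in uplinks]


# Constructed scenario: three patches to the same upstream bridge, all at 1G
# (cost 20000), all hearing the same advertised cost; only the upstream port
# numbers differ (assumed equal to our own port numbers for readability).
UPLINKS = [
    Uplink(port=p, advertised_cost=20000, port_cost=20000,
           designated_bridge=UPSTREAM, designated_port_id=(128 << 8) | p)
    for p in (4, 14, 52)
]

if __name__ == "__main__":
    print("default:", select_root_port(UPLINKS))                      # 4
    print("port 52 priority 64:",
          select_root_port(with_local_priority(UPLINKS, 52, 64)))     # still 4
    print("cost 200000 on ports 4 and 14:",
          select_root_port(with_port_cost(UPLINKS, {4: 200000, 14: 200000})))  # 52
```

The model ignores MSTP regions (internal versus external path cost) and assumes a single root, which is enough to show the ordering of the tie-breakers: with equal costs the upstream bridge's lowest port ID decides, and only a cost change on the unwanted patches (or a lower cost on port 52) moves the root port.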



RPi SFP+ backwards compatibility question

Very new to the world of networking, caveat. I'm trying to connect a RPi 4 (Gigabit ethernet) to a SFP+ media converter with a 10Gb module in it, into a fiber optic link which connects to the other media converter with a 10Gb module in it, connected in turn to a second RPi 4. Would this be feasible from a compatibility perspective of a 1Gb vs. 10Gb issue?



Interview for first networking job

I have recently obtained CCNA and have been studying at university whilst working in IT for the past 3 years in a second line role. I have my first interview for an actual network position tomorrow, any tips for first timer or what to expect?



British Telecom - Experience

We are reviewing a large global BT bid for our WAN/SD-WAN requirements. We've used dozens of global providers over the years but never BT. I wanted to know if any of you have experience with BT regarding their quality, service, escalation, on-line tools, speed of implementation and account management...

BT has been willing to provide references but they will obviously be favorable references. I would like an engineer's opinion that's "been there and done that" with BT. We have several global WAN providers we know and trust that can meet the requirement. I want to give a fair shake to all of the providers, however.

Any input and or thoughts will be greatly appreciated - Thanks in advance.



My printer doesn't work, can't scan and send email. All other functions are working

Error message:

Job status: Failed

I think it has something to do with SMTP being wrong. Where do I start?



4-5 ISP scenario across multiple warehouses

Hello everyone. I was asked if I could assist with a project that someone is doing. They have 4 warehouses all connected via fiber and one via a wireless link. Right now they have 2 ISP's coming into the main warehouse and that gives internet with failover for all the other warehouses. This is with a fortigate 500d pair in HA.

They want to bring in 2 or maybe 3 more ISP's to another warehouse and have it as a failover for the main warehouse. This way to save power, they can shut down the main warehouse when not producing product and also in case something happens to the main warehouse or that stack they still have redundancy.

Right now there aren't any routing protocols in place, it seems fairly flat to me. Is this where OSPF or something would come into play? I also believe the 500d's are replaced with the 500e's, am I right on that assumption?

How would you guys do it? So sorry, this is my first encounter with fortinet gear and quite frankly a scenario with more than 2 ISP's.

Thanks, Jason



Firepower 2100 ASA version recommendations please!

Panic-purchase Firepower 2100s have been purchased and "need" to be stood up yesterday. Intend to use ASA instead of FTD for simplicity of design. This will be used for VPN only. Is anyone running these with ASA? I have no experience with the 2100 series and my only advice is a couple of yellow stars on the Cisco site next to two Interim releases.... sub optimal to say the least.



F5 load balancers - Two HA pairs across DCs

Hi all,

Trying to run through a design in my head.

Assume there are two DCs, a primary and a backup DC.

There are a pair of F5s at each DC in a HA configuration.

If the primary DC goes down, am I right in saying that routing traffic over to the backup pair at the other DC is going to require a route change and/or DNS changes, and that there is no configuration that can be done on the F5s to "link" these two HA pairs together?

Thanks



Opinion question: Thoughts on OpenVPN/UDP firewalls?

So here at work I'm shopping for new firewalls for the main and two remote sites. The requirements are 50+ OpenVPN over UDP users, 5 x IPsec tunnels and SD-WAN with a min 2 1x1GB circuits.

First I was thinking I'd try to roll pfSense onto MikroTik hardware. I've since learned that might not be the best idea compatibility-wise, even though I think the MT hardware for SMB is sexy as hell.

Of course there is rolling your own hardware but I am looking for SFP+ in a nice 1U enclosure, ideally with some manufacturer support. I'm fine with roll your own at home but not in an SMB with so many remote people and with me being the only IT person.

Edgerouter? I know OpenVPN is possible via CLI.

pFSense.org sells a decent looking 1u rack mount with SFP+ but it's a grand. If I have to spend a grand then so be it but I was hoping for more in the 7-800 dollar range.

Any thoughts? I'm all ears.



Site-to-Site VPN working in one direction only. How do I debug?

The Disclaimer:

I'm not a networking professional; I'm doing networking at my company on the side because I'm the only one with an IT background (level of expertise: "knowing enough to be dangerous").

I'd really appreciate any help narrowing down the following problem so I can maybe ask more specific questions in a related vendor/community subreddit like /r/openwrt/, /r/OpenVPN/ or /r/PFSENSE/.

The requirement:

  • My company wants to connect some IP Cameras in our warehouse (lager) to the dvr in the main office.
  • Here is a network diagram: http://stable.ascii-flow.appspot.com/#Draw7758801818203273020
  • The way the dvr works requires it to connect from site 1 (static ip) to lte-router(dyn. ip) (or more specifically the connected cameras) at site 2.

The problem:

  • The connection only works from site 2 to site 1 and not the other way around
  • Pinging from the lte-router to the dvr (10.0.1.10) works perfectly fine.
  • Pinging from the dvr to the lte-router openvpn ip (10.0.253.2) works.
  • Pinging from the dvr to the lte-router's LAN IP (10.22.1.1) doesn't work. Sadly that's what I need.

What I checked:

  1. OpenVPN config on lte-router: https://pastebin.com/HwEfVGQK
  2. OpenVPN config on server: https://imgur.com/5rQzZvE
  3. OpenVPN on pfSense recognizes the connection as (server-client) but it is configured as peer-to-peer. Compare this https://imgur.com/a/wFicW6V with [2].
  4. Routes: https://pastebin.com/raw/T6fMB080
  5. A packet capture of the ping from the dvr on the VPN interface of the pfSense shows:
    1. IP 10.0.1.10 > 10.22.1.1: ICMP echo requests;
    2. no responses
  6. Capturing the ping from the lte-router on the VPN interface of the pfSense shows:
    1. IP 10.0.253.2 > 10.0.1.10: ICMP echo request
    2. IP 10.0.1.10 > 10.0.253.2: ICMP echo reply

I already wasted two days on this and I'm all out of ideas. Is there something obvious I'm missing?
Any help would be greatly appreciated!



Good router/wifi solution?

Hi,
I am personally not so experienced with networking in general and know very little.
After some online searching I still can't find any good answers, but I'll get straight to the point.
What router is best suited for 40~ users that mostly only use it during lunch break?
It needs to be powerful enough to enable all users to stream video at least 1080p.
It needs to be able to punch through at least 2 walls/floors and have good range.
It needs 5,0 GHz since the office is already competing with a lot of other routers/devices in 2,4 GHz on all channels.
It could be a dual router setup although the space is not super big.
We feed it a 1 Gigabit. (might be wrong terminology but I think you understand)
My boss did give me the "Don't think about the cost." but preferably not too wild :]

P.S. I apologize if this is a very easy question and/or if my English is bad.
Thanks in advance
Best regards from Viking.



Best Enterprise WIFI router for 50~ users?

Hi,
I am personally not so experienced with networking in general and know very little.
After some online searching I still can't find any good answers, but I'll get straight to the point.
What router is best suited for 50~ users that mostly only use it during lunch break?
It needs to be powerful enough to enable all users to stream video at least 1080p.
It needs to be able to punch through at least 2 walls/floors and have good range.
It needs 5,0 GHz since the office is already competing with a lot of other routers/devices in 2,4 GHz on all channels.
It could be a dual router setup although the space is not super big.
We feed it a 1 Gigabit. (might be wrong terminology but I think you understand)
My boss did give me the "Don't think about the cost." but preferably not too wild :]

P.S. I apologize if this is a very easy question and/or if my English is bad.
Thanks in advance
Best regards from Viking.



Automating our CMDB

/r/sysadmin/comments/fdews0/automating_our_cmdb/

Wednesday, March 4, 2020

Unique type of Mac makes port shutdown in port security

Dear Guys ....

In one of my switches I have port security enabled, and one MAC, "0000.0000.0002", keeps making ports shut down. When I search for the MAC I find nothing. Can anyone help?



Will someone please define "transit" for me in networking terms? I will further explain my question in the comments.

As a layman, I think "transit" means to move from one place to another. In networking, as a layman, I think that everything is in transit; that's what we do: we move stuff. But it's become clear to me that "transit" has its own meaning in networking. I just can't seem to define what it means and its scope in terms of networking.

Maybe this is a dumb question and my confusion is from how I learned of the word "transit". For example, one ISP I used to work for would say something like "this circuit doesn't have transit on it. Send this ticket to ______". I would know that is true because I didn't see a certain code and know that that type of circuit "didn't have transit". I'm still not clear on what it means "to have transit", though.

This feels like such a dumb question, but people in networking seem to use the word "transit" in a specific way that doesn't quite fit with my connotation of the word.



Troubleshooting fiber optic link - FX/SX consideration?

I have an industrial setting, with a fiber optic uplink from the production area to the IDF room. The area can get warm and humid. The fiber uplink is a new installation of OM3 cable. The switches at both ends are Cisco industrial switches IE-3000-8TC.

We're having some reliability issues with the link. The original installer had installed FS SFP-100FX-31 SFPs. When I replaced the SFPs to Cisco GLC-SX-MM-RGD SFPs, the problem seemed to go away. I just did it today, so I'm still testing to see if that fixed the issue.

I'm wondering if the problem is simply a faulty SFP, or if it's related to using FX instead of SX type optics.

I'm not really sure why FX optics were used. What considerations could there exist in an industrial environment to choose between FX or SX type optic?



Ubuntu DHCP Server not Leasing to remote vpn network

Hi all,

I have a dhcp server that sits behind an ASA that is used for ipsec l2l. However, I am unable to:

  1. Ping the server from the other remote site
  2. it does not lease ip addresses to the remote site using the IP helper config on the remote switch

Any idea why this would be the case?

Do I need to open up ports on the asa for dhcp traffic to traverse?



Trouble Connecting a Multi-Port Switch Directly to Fiber Internet

I just bought a switch because my wi-fi router didn't have enough ports. I connected my fiber modem to the switch. From the switch I have ethernet cables connecting to my wi-fi router and other devices. What's strange is the wi-fi router gets an internet signal and all wi-fi connected devices have a good signal, but none of the devices using an ethernet cable direct from the switch get a signal. Can this fiber modem only generate one IP/signal - and for some reason it's prioritizing the wi-fi router?

Thanks for your expertise!



Add 10GB into Cisco SG500 (non-X) stacks

Looking to upgrade the backbone at a location with 10GB between a couple of rooms on opposite sides of the building. Also figure we can move the servers and Synology NAS's to 10GB as well.

Currently everything is on a Cisco SG500-52P stack, not the X series, so there are 4 SFP ports: 2 at gigabit and 2 at 5GB for stacking. There are currently stack cables connected.

Not seeing a clean way to get all the benefits from 10GB here. I can connect the rooms and get the servers connected at 10GB, but then when I connect in the SG500 stacks, I've got a nice 1GB bottleneck. The servers and NAS's will be 10GB which will help backup speed at least.

Doubt I will get budget for more than a couple of SG350XG-24TG switches. Highly doubt anyone will give me money to upgrade switches.

Is there something I am missing besides maybe just doing a 4GB aggregate in each room into the existing stacks?

Thanks for any creative input!



Ever have VPC orphan ports? How did you fix it?

TAC is taking too long to get me an answer. I have Compellent storage that gets isolated and kills our VMware environment when we reload one of our 5Ks. "sh vpc orphan-ports" lists the Compellent ports and others as orphans and I can't get a straight answer from TAC on how to resolve it. They claim it's based on the host's ability to participate in vPC. Dell says Compellent does not participate in vPC. Given that, does anyone have anything to contribute?

Thanks!



Python - Sorting interface names

This is actually harder than I thought. I was wondering if someone here already did it:

How do you sort interfaces correctly, given the following example:

te1/0/1

te1/0/10

te1/0/11

te1/0/12

te1/0/2

te1/0/3

te1/0/4

te1/0/5

te1/0/6

te1/0/7

te1/0/8

te1/0/9

te2/0/1

te2/0/2

te2/0/3

te2/0/4

te3/0/1

I was thinking of sorting by regex(The digits after the last /slash/) but that won't work because it will sort te2/0/1 before te1/0/2.

I feel like I'll have to write some convoluted function just to get this right.
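One way to do this without a convoluted function is a natural-sort key: split each name into alternating text and number runs and convert the number runs to integers, so the tuple comparison handles slot, module and port in order. This is an added example, not code from the post; the sample list is the poster's unsorted order plus a few constructed names of other interface types to show the same key also orders across types (alphabetically by type prefix, then numerically).

```python
import re

# Capturing group makes re.split keep the digit runs; the result always
# alternates text, digits, text, ... so tuple positions line up across names.
_DIGITS = re.compile(r"(\d+)")


def interface_sort_key(name):
    """Natural-sort key: 'te1/0/10' -> ('te', 1, '/', 0, '/', 10, ''), so the
    numbers compare as integers rather than character by character."""
    return tuple(int(part) if part.isdigit() else part
                 for part in _DIGITS.split(name.lower()))


def sort_interfaces(names):
    """Return interface names in the order a human (and the switch) lists them."""
    return sorted(names, key=interface_sort_key)


# Constructed input: the unsorted order from the post plus other interface types.
SAMPLE = ["te1/0/1", "te1/0/10", "te1/0/11", "te1/0/12", "te1/0/2", "te1/0/3",
          "te1/0/4", "te1/0/5", "te1/0/6", "te1/0/7", "te1/0/8", "te1/0/9",
          "te2/0/1", "te2/0/2", "te2/0/3", "te2/0/4", "te3/0/1",
          "Gi1/0/10", "Gi1/0/2", "Vlan100", "Vlan20", "Po2", "Po10"]

if __name__ == "__main__":
    for n in sort_interfaces(SAMPLE):
        print(n)
```

Because every name starts with a (possibly empty) text run, the key never compares an `int` with a `str` at the same position, so mixed lists such as `Gi1/0/1` next to `Vlan20` or `Po10` sort without raising `TypeError`.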



What Happened To SCTP? Does anyone use it on a daily basis?



Is it able to http proxy on games or messenger?

With Charles Proxy on my iPhone, I can see the network traffic of web-based content; however, it does not show most traffic of games or messenger messages. Is there any way to see that?



LacNIC rDNS - "Some of the name servers are not authoritative"

Hello all,

I've been fighting to set up reverse DNS with LACNIC for the past couple of days (no issues with ARIN). Every time I go and try to add a /22 block to LACNIC's rDNS setup tool, I punch in the name server with authority (the SOA) and it comes back with "Some of the name servers are not authoritative".

Any ideas here? Does anyone have experience with LACNIC reverse DNS and have any tips? Like I say, I set up our prefixes with ARIN that use the same DNS servers without an issue.

Thanks for your time and help!



Unknown MAC

A strange MAC just popped-up in a port-security alert.

7e:7e:7e:Removed

I can't seem to find any vendor info on the 7e7e7e OUI.

Did some internet searching and came up empty handed, perhaps someone here has an idea.

This isn't mission critical, just curiosity.

**EDIT**

Going to consider this Case Closed for now.

Likely this is related to the endpoint doing jitter testing. I'm seeing some semi-periodic port-security blocks on the same port from seemingly random MAC addresses containing variations of the jitter test patterns described here.

Going to continue to dig into the specs. of the host device that is connected and try to verify if it's designed to and attempting to perform these tests/checks.

Big Thanks to u/youngeng for the lead!
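A quick check that explains the empty vendor lookup, added here as an example (not from the post): the second-lowest bit of the first octet is the U/L flag, and 0x7e = 0111 1110 has it set, which marks the address as locally administered, i.e. not assigned out of an IEEE OUI block, so no registry will list a vendor for it. The same helper flags multicast addresses and, as a triage heuristic for alerts like this one, reports whether the whole address is a short repeating byte pattern. The full sample addresses are constructed; the post redacts the last three octets.

```python
import re


def parse_mac(mac):
    """Accept '7e:7e:7e:00:00:01', '7e7e.7e00.0001' or '7e-7e-7e-00-00-01'."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def classify_mac(mac):
    """Decode the two flag bits in the first octet of a MAC address.

    bit 0 (0x01)  I/G: 1 = group (multicast/broadcast), 0 = individual
    bit 1 (0x02)  U/L: 1 = locally administered, 0 = universally administered,
                  i.e. the first three octets are an IEEE-assigned OUI.
    A locally administered address has no registered vendor to look up."""
    b = parse_mac(mac)
    return {
        "oui": ":".join(f"{x:02x}" for x in b[:3]),
        "multicast": bool(b[0] & 0x01),
        "locally_administered": bool(b[0] & 0x02),
        "broadcast": b == b"\xff" * 6,
    }


def repeating_period(b, max_period=3):
    """Triage heuristic for synthetic-looking addresses: the shortest period
    (1..max_period bytes) with which the 6 octets repeat, or None."""
    for p in range(1, max_period + 1):
        if all(b[i] == b[i % p] for i in range(len(b))):
            return p
    return None


def describe(mac):
    """Flag decode plus the repeating-pattern heuristic in one dict."""
    info = classify_mac(mac)
    info["repeating_period"] = repeating_period(parse_mac(mac))
    return info


if __name__ == "__main__":
    # Constructed samples: a redacted-style 7e:7e:7e address, a fully repeating
    # one, a universally administered unicast address and an IPv4 mDNS group.
    for m in ("7e:7e:7e:00:00:01", "7e:7e:7e:7e:7e:7e",
              "00:11:22:33:44:55", "01:00:5e:00:00:fb"):
        print(m, describe(m))
```

In a port-security context, a locally administered, patterned source address from an otherwise known host is consistent with link test traffic rather than a new device, but the flag bits only say where the address did not come from; confirming the host's behaviour, as the edit above describes, is still the step that closes the case.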



TACACS+ and management questions

Hi, im kind of new to networking. only started a bit over a year ago at university.

We have to design a network and got told it'd be easier to use TACACS+ to manage the switches and such.

In the project specs, it talks a lot about management VLANs and I was wondering if all switches need to be on the same VLAN in order for TACACS+ to work, or if I'm thinking about this stuff the wrong way.

Appreciate any help thanks



Have I made a mistake in this design?

I'm reconfiguring the MSP I work for network, it's sat alongside the current setup so I can play about within reason with the config.

The new core is Huawei chassis switches, various firewalls hung off it and an OSPF relationship with connecting routers for ISP /internet access.

The transit between the switch and the routers is using an RFC1918 address. In testing, client internet access everything works fine, but a test migration of a client with an Azure VPN amongst others broke: all their internally hosted external webpages worked fine, as did internet access, but all the VPNs dropped and wouldn't come back up until I reverted to the old setup.

The IP ranges used are identical new to old setup, the only significant difference is the transit IP range.

Should I have used an external address? Are the VPNs failing due to the internal subnet in use?



clustering ASAs to increase VPN capacity bad idea?

We have 2 Cisco ASA 5555-X boxes in Active/Standby and are looking to cluster them together to increase our AnyConnect VPN capacity due to the likelihood that many more people will start working from home. We have all the licenses, so that isn't an issue. We also have F5 LTMs and have seen mentions that they could be a better solution, but without any documentation I can find. Anyone have any insights?



switching and routing port on ubiquiti

What's the difference between the switching and routing ports on the Ubiquiti ERPoe-5?

If I connect my IP cam (to the switching port), can I see them if my computer is connected to the routing port? Is there a communication between switching and routing port?

edit: can the console port be utilized as an additional port?

I'm a little bit confused.

thanks in advance!



Radius redirect

Hi guys,

does anybody know a tool to redirect radius requests based on attributes to different servers?

Just got tasked with finding a way to seamlessly switch to a new RADIUS server based on the username or group.

thanks



Network Loop???

I need some assistance Reddit.

Using the below switch configuration on a Cisco 2960G port at a convention event, I heard that these 2960G's were causing network loops. Here is what the switch is https://www.newegg.com/cisco-2960g-24-x-rj45-4-x-sfp/p/0XP-003P-002P7

However, these 2960Gs were shipped back to me. When I went to troubleshoot, I stacked and connected four Cisco 2960G switches and purposely interconnected all of them with multiple links, trying to create a loop. I set my computer up on the bottom of the four switches, and the internet connection came in on the top of the four switches.

When purposely trying to create a network loop, I could see in the logs of the switches that the 2960G gave me a "%SW_MATM-4-MACFLAP_NOTIF" as expected but immediately fixed itself and the loop ended. Even with me purposely trying to create a network loop, the switches worked just fine.

!
!Dumb Switch Config
!
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname OnsiteSwitch\2960G)
enable secret 5 $1$xrid$a63hqkDYrQwnXLbYnViJT1
Username admin privilege 15 secret 5 $5$A/Hm$QacAqn4qCZke9PgOtkwtaH/
no aaa new-model
system mtu routing 1500
no ip subnet-zero
errdisable recovery cause psecure-violation
errdisable recovery interval 30
spanning-tree mode rapid-pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface range gigabitEthernet 0/1-24
no shut
switchport mode access
spanning-tree portfast
interface Vlan1
no ip address
no shut
!
end

tl;dr: Please check my config above, it was reported it caused a network loop, but I do not see how.
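The %SW_MATM-4-MACFLAP_NOTIF message quoted in the post names the host MAC, the VLAN and the two ports the address keeps moving between. Counting those messages per port pair is a quick way to tell a real loop (many different MACs flapping between the same two ports) from a single device that was simply moved. The Python below is an added example, not from the post or from Cisco; the syslog lines it parses are constructed samples.

```python
"""Detect MAC-address flapping from Cisco IOS syslog lines.

Added example (not from the original post): the %SW_MATM-4-MACFLAP_NOTIF
message names the host, VLAN and the two ports a MAC is seen on. Counting
those events per (VLAN, port pair) separates a persistent loop (many MACs,
same pair, many events) from a laptop being re-plugged (one MAC, once).
"""
import re
from collections import Counter, defaultdict

# Message body as IOS logs it; anything before the '%' (timestamps, sequence numbers) is ignored.
FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)

# Constructed sample log lines, not a real capture.
SAMPLE_LOG = """\
Mar  3 10:01:02.100: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 1 is flapping between port Gi0/1 and port Gi0/5
Mar  3 10:01:02.600: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 1 is flapping between port Gi0/5 and port Gi0/1
Mar  3 10:01:03.100: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 1 is flapping between port Gi0/1 and port Gi0/5
Mar  3 10:01:03.700: %SW_MATM-4-MACFLAP_NOTIF: Host aabb.ccdd.eeff in vlan 1 is flapping between port Gi0/1 and port Gi0/5
Mar  3 10:15:44.000: %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bb11.cc22 in vlan 20 is flapping between port Gi0/9 and port Gi0/12
Mar  3 10:01:04.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to up
"""


def parse_flaps(log_text):
    """Yield (vlan, mac, port_pair) per MACFLAP line; the port pair is sorted so A/B == B/A."""
    for line in log_text.splitlines():
        m = FLAP_RE.search(line)
        if not m:
            continue  # other syslog messages are ignored
        pair = tuple(sorted((m.group("p1"), m.group("p2"))))
        yield int(m.group("vlan")), m.group("mac").lower(), pair


def summarize_flaps(log_text, threshold=2):
    """Return {(vlan, port_pair): {'events': n, 'macs': [...]}} for pairs seen at least `threshold` times."""
    events = Counter()
    macs = defaultdict(set)
    for vlan, mac, pair in parse_flaps(log_text):
        events[(vlan, pair)] += 1
        macs[(vlan, pair)].add(mac)
    return {
        key: {"events": n, "macs": sorted(macs[key])}
        for key, n in events.items()
        if n >= threshold
    }


def suspected_loops(log_text, threshold=2):
    """Port pairs where more than one MAC flaps: a loop moves a whole VLAN, a re-plugged host moves one MAC."""
    return [
        key
        for key, info in summarize_flaps(log_text, threshold).items()
        if len(info["macs"]) > 1
    ]


if __name__ == "__main__":
    for key, info in summarize_flaps(SAMPLE_LOG).items():
        print(key, info)
    print("suspected loop port pairs:", suspected_loops(SAMPLE_LOG))
```

Feed it the output of `show logging` (or the syslog collector's copy) and look at the pairs it flags; a pair that keeps accumulating events after the reported time is the one to trace. Note that with the config above every access port runs PortFast, so the first BPDU received on a port still puts it back under normal RSTP handling, which is why the flap cleared on its own in the test.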



Data center hardware recommendations and HP questions

We're starting up a new data center site and I need to pick the switches and routers to put in there so I would really appreciate some input from the more experienced in this field.

We're starting off with 2 racks but will soon go to 5-6 racks of equipment.

The only gear we have there right now is a pair of HPE 5945 switches from one of our customers so for the switching part I was thinking of going with those same switches because so far they seem pretty solid and I see the community is satisfied with their performance and the HP support, other reasons for going with these switches are staying with the same vendor so we don't end up putting in 4 different vendors like in our previous site and last but not least is the management that is kinda nudging me in that direction. Do you guys have any experience with these switches? Would you recommend them?

For the routing part I have no management nudge and that probably makes things even more difficult with all the options out there. We've been using VyOs for years now and we're very satisfied with the performance and stability but for the new site we decided to go with a physical router. The router will be doing BGP with 2 ISPs over 1G links with no need for full routing table, budget is ~10k per unit. In the spirit of staying with the same vendor I've been looking into what HP has to offer and while their stuff looks ok on paper I can't find any good and relevant community feedback which brings me to the question, is anyone using these routers? Are they any good? And why is it so hard to find any customer information or feedback on them? The only thing we do know is that we don't want to use Cisco. What would you recommend for this use case? We've been looking into some Junipers and Fortigates but unfortunately we don't have much experience with them because right now we're more in the Dell and opensource waters (VyOs, pfSense, Untangle etc etc).

Any and all input will be greatly appreciated! Thank you!



How much CPU is actually required to keep something like connectivitycheck-gstatic.com working at low latency for billions of devices?

Background: connectivitycheck-gstatic.com is Android's and Chrome's "is the internet reachable" URL; whenever you turn on Wifi/Mobile or open Google's browser it automatically checks the URL to see if you have an internet connection.

Purely inquisitive question: I assume gstatic-conncheck's job is not much more than a few ICMP round-trip packets, so pretty much one of the most simple requests that your networking device can do. It's got me wondering how much CPU grunt you need to do something so simple but at the massive scale of the requests it needs to work with (Android devices, Chrome and some other browsers, and probably more).



SD-WAN and VDI Traffic

Hi all

A customer I am working with has a Citrix VDI environment functioning.

Right now, they are considering moving to SD-WAN and they are considering Viptela as a first option and Versa as well (though Citrix is trying to enter as they already have a presence).

The question is (I know that Viptela does support application-aware routing): can it inspect VDI traffic and customize the application?

Thanks



Semi multi-tenant environment

How are you separating your production network, oob, and tenants without mpls?

Does your master/global table only contain the IGP links and BGP learned routes?

Or do you just simply segregate the tenants from production using the firewall zones and everything is on the master/global table?



DNS over HTTPS in a corporate environment?

So I am asked to POC DNS over HTTPS for our corporate environment. I am not sure where I should start looking. I have enough time to research and POC this on our development cloud environment. I believe this is for connectivity between our network and hundreds of our client networks. So I believe this has to do with browsers? Or is it something that needs to be enabled network wide? If someone can share a guide or steps involved in this it would be great.
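DoH (RFC 8484) is implemented in the client, either a browser's built-in resolver or the operating system's stub resolver, talking HTTPS to a DoH server; nothing is "enabled on the network", so a corporate rollout is about which clients are pointed at which resolver, and about the fact that the network can no longer see or filter those queries on port 53. The Python below is an added example, not from the post or from any DoH project, showing what is inside the HTTPS request: the ordinary DNS wire-format message, sent either base64url-encoded in a GET parameter or raw in a POST body, with media type application/dns-message. The resolver URL is a placeholder and the response it decodes is constructed, so the script runs offline.

```python
"""DNS over HTTPS (RFC 8484) message framing, as an added example.

Not from the original post. Builds the DNS wire-format query a DoH client
sends, shows both the GET (base64url, padding stripped) and POST forms, and
decodes a constructed answer. No network I/O; DOH_URL is a placeholder.
"""
import base64
import struct

DOH_URL = "https://doh.example.invalid/dns-query"  # placeholder, not a real resolver
TYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    """Encode 'www.example.com' as DNS labels: length byte + label, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A):
    """Wire-format query. RFC 8484 recommends ID 0 so identical GET URLs are cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(name, qtype=TYPE_A):
    """GET form: the dns= parameter is base64url of the query with '=' padding removed."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode("ascii")
    return f"{DOH_URL}?dns={b64}"


def doh_post_request(name, qtype=TYPE_A):
    """POST form: the raw message is the body; both Accept and Content-Type carry the DoH media type."""
    body = build_query(name, qtype)
    headers = {
        "Accept": "application/dns-message",
        "Content-Type": "application/dns-message",
        "Content-Length": str(len(body)),
    }
    return headers, body


def read_name(msg, offset):
    """Read a possibly compressed name at offset; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_a_answers(msg):
    """Return the IPv4 addresses in the answer section of a wire-format response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question (name + type + class)
        _, offset = read_name(msg, offset)
        offset += 4
    addrs = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return addrs


def constructed_response(name, addr, ttl=300):
    """A constructed (not captured) response to build_query(name): one A record, name compressed."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, one answer
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = bytes(int(octet) for octet in addr.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + question + answer


if __name__ == "__main__":
    print(doh_get_url("www.example.com"))
    print(doh_post_request("www.example.com")[0])
    print(parse_a_answers(constructed_response("www.example.com", "192.0.2.10")))
```

Everything the resolver sees is the same message a classic UDP stub would send; what changes for the corporate network is that it now travels inside TLS to whichever resolver the client was configured with, so the POC should decide early whether that resolver is the company's own (keeping logging and filtering) or a public one.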



Tuesday, March 3, 2020

Networking with a printshop?

I work at a company that has about 7 wide format industrial printers. I want to wire the printers and computers via Ethernet to a router which connects to a switch and have the computers reliably connected to the network/internet.

Currently the computers' network cards are what connect to the router/internet, while the switch is only being utilized to connect a handful of printers to one of the 3 computers. Each computer has about 3 printers connected.

The only problem is my boss says that on the days with printing demonstrations running (multiple jobs on the printers running simultaneously), this could bog down the network. While I see his point about a multi-GB file being processed to the printer, I also believe that wiring via Ethernet is still the best option; maybe relying on automatic metric can be of use in this scenario.

Any input/similar experience is appreciated.



WIFI 5 mesh for 20 000 sqft and 200 devices

Greetings,

Does someone have advice on the following setup I want to build:
- 20 000 sqft coverage, open office with lots of meeting rooms, no closed offices
- All APs are linked to a Meraki fully managed 24 port switch with 2.5 Gbps support
- Most devices are phones and tablets
- PC and Mac laptops for project managers
- Google Spreadsheets, Zoom and Hangouts meetings
- Apple TV presentation / casting in conference rooms

I am looking for:
- strong analytics data gathering to monitor each AP client drop
- if possible, ability to gather that in MySQL or at least the logs so I can build a dashboard for the support team
- ability to profile data usage per client per AP
- identify dead zones
- control AP power to adjust overlap
- control roaming at 60 dB
- QoS at the AP level
- Meraki switch will help me manage the overall supply and data profiling of each AP

Please, if you have experience with a setup or a tech let me know. I will share detail progress of my installation, performance and result of the project.

(Edit): I am looking for advice on what AP to buy. Model and mesh setup. :)



Switching server rack input to new ISP, help

At work my boss had ATT install a new business line. The patch panels lead to a switch box and the switch connects to the old ATT modem with a single Ethernet cord. It works. But when I move the single Ethernet cord from the old ATT modem to the new ATT modem the internet doesn't reach the office computers. I back traced enough to notice that the Ethernet cable that links the patch panel to the switch box is dead. So I'm assuming there's some config I have to do with that switch box. It is a Cisco ASA-5506-X. Any advice? And yes the new ATT modem has a live stable connection. Please forgive me if I messed up or used incorrect terms. I'm not a networking guru. ☺️



Trying to start a VPS hosting service, however the guest machines won't connect to WAN

I have got two different subnets, the first is set by the router (255.255.0.0) and includes the host machine under a DMZ, this has access to WAN. From here, I have the physical connection of the host server pointing to a virtual interface that routes the traffic from the hosts (255.255.255.0). Because they are in a different subnet I have added a static route on the router to direct the traffic.

The issue is that I can ping/traceroute to the router from the guests but can't access WAN. If I expand my subnet on the router to 255.0.0.0 I get WAN access, but can't access the machines anymore locally (as the static route doesn't work from within the same subnet) - if I change it back, WAN access persists for about 10m before disappearing again

I've already spent a lot of work getting to this point being able to access the guests from lan, and being able to ping the router.

This is driving me nuts. Not sure where to go from here for troubleshooting, but I feel it's a network configuration issue



Ethernet Extender - 900 Ft Ethernet Run

Anyone have experience with different ethernet extenders? I do work for some farms and I have one in need of connecting two offices together and the run would be about 900ft. Whatever wire is run would need to be somewhat robust; it wouldn't be out in the open outside but it would be run through a barn which is not temperature controlled and comes with everything barns come with - humidity, lots and lots of crap, etc.

Currently looking at an ethernet over coax device made by startech:

https://www.startech.com/Networking-IO/Media-Converters/Ethernet-Extenders/Gigabit-Ethernet-over-Coaxial-Unmanaged-Network-Extender-Kit-2km~EOC1110K

Something faster would be nice but I'm not sure fiber would hold up. I also don't have the tools to terminate fiber and haven't done it since trade school almost 20 years ago.

If I don't sort out a wired solution wireless will be the next option, which I have lots of experience with; the only trouble is having to go over the top of the buildings, there is just so much barn in the way.



Running two VPNs and a DDNS?

Hi. This type of technical detail is beyond my paygrade. I like to use a VPN at all times when it's possible (streaming Netflix would be an example of when I must remove the VPN to access their site). Until now, I have just relied on a VPN client at computer, mobile device, etc. The problem is, I sometimes forget to turn it on. So I thought, I'll just install VPN on router so it's on whether I forget or not. But first of all, I just want to make sure that this will work and it's not, for example, making my security worse -- I have no reason to think so but what do I know.

My router is telling me to use Dynamic DNS and I have no idea what that is or how it works. It looks like there are some free options. But is there anything I should know before going ahead with this? I am basically wandering in the darkness here, no expertise to put things in perspective.

I have been looking at two free DDNS services: https://freedns.afraid.org/ and https://www.nsupdate.info/.

Any advice is greatly appreciated.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



HSRP and IPSEc tunnel

I currently have two locations connected over the internet via IPSec tunnel. All kit is Cisco.

One of the locations has recently been upgraded, and there is now going to be a two tier redundant architecture in play (doubling up for failover). There will now potentially be two routers at this site using HSRP to provide a redundant path for LAN traffic. The other branch will remain the same with a single router.

What is the best way to design the site to site with one of the sites having two routers and the other having one? Will the two router failover site require two internet connections also? If nothing else, I'd like to be able to convince them to stick with the one router at each site.

Thanks.



One Domain Multiple Subnets

I'm currently still going for my networking certifications and I am fairly new to the field so bear with me. At my technical school, we were tasked with creating a network. We have one virtual server running Windows Server 2016, one Cisco 1941 router, and one 16 port Cisco switch I can't remember the model number of. Our switch currently has 3 VLANs, each on a different subnet, as per the criteria of the project. We originally only needed 2, but I decided I wanted to make my life harder. The VLANs share a trunk port on the switch that connects to G0/0 on our router. We used subinterfaces to make all our subnets work on one router interface.

Here is my main issue: we would like to configure Active Directory on our network so that users can log into domain devices. The issue is that we are not sure how we make our domain accessible to two of our subnets, but not the third. We have already configured DNS and DHCP to work properly across all networks.

Subnetting Information in case it is needed:

Subnet 1 (Management):
- Network Address: 150.133.207.1/26
- Default Gateway: 150.133.207.1/26
- Server (DHCP/DNS): 150.133.207.3/26
- VLAN75 (Switch): 150.133.207.2/26
- Active Directory?: Yes (Hopefully)

Subnet 2 (Staff):
- Network Address: 150.133.207.64/26
- Default Gateway: 150.133.207.65/26
- VLAN76 (Switch): 150.133.207.66/26
- Active Directory?: Yes (Hopefully)

Subnet 3 (Guest):
- Network Address: 150.133.207.128/25
- Default Gateway: 150.133.207.129/25
- VLAN77 (Switch): 150.133.207.130
- Active Directory?: No



Cisco Mobility Express - Mismatched Firmware

Hi All,

So I purchased 3 Mobility Express Cisco APs from my reseller - two 2802s and one 1832. The 1832 is firmware 8.5.140.0 while the 2802s are 8.8.125.0. The controller is the 1832. Naturally, the 2802s won't associate to the ME controller because the firmware of the ME WLC is older than the firmware of the ME CAPs. When I reported this to the reseller, they basically said, "sucks to be you, take it up with Cisco." Problem is, you can't download Cisco firmware without a Smartnet contract, and my company doesn't purchase Smartnet contracts on account that the network is 1,000+ Cisco devices and we aren't blessed here with a liberal IT budget.

Is there anything that can be done from the ME controller to downgrade the ME CAPs to 8.5.140.0 or upgrade the ME Controller to 8.8.125.0 without possessing the firmware packages of either?



Firepowers and ISR? Or just Firepowers

Hello all and TIA,

I have a bunch of branch sites with anywhere from 5-100 users. Smaller sites use 2911s, larger sites use 3925s, and it's time to upgrade. All sites currently connect through MPLS, but we want to replace that setup with DMVPN over plain commercial lines.

The upgrade path for 2911s points to 4331s, and replacing 3925s with 4431s. At smaller sites especially, is there a reason to purchase both router and firepower devices? Or can the firepower device serve in place of the router? What are your thoughts?



How to test specific port on server without Telnet

Hi all,

How do you test an open port between Windows Client A and Windows Client B? It looks like telnet was deprecated with newer versions of Windows.
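On current Windows, PowerShell's `Test-NetConnection -ComputerName <host> -Port <port>` does the same TCP connect test that telnet was being used for. The Python below is an added example, not from the post, that does the same thing portably and makes the three outcomes explicit: the handshake completes (open), the host answers with a reset (closed), or nothing comes back before the timeout (filtered, which is what a firewall silently dropping the SYN looks like). It verifies itself against a throwaway listener on loopback, so it runs offline.

```python
"""TCP port reachability check without telnet (added example, not from the post).

A TCP connect() is all telnet was doing. The check distinguishes three
outcomes: 'open' (handshake completed), 'closed' (connection refused, i.e.
the host replied with RST) and 'filtered' (no reply before the timeout,
typically a firewall dropping the SYN). self_test() opens its own loopback
listener so the script can be run anywhere.
"""
import socket
import threading


def check_port(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for host:port over TCP."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "filtered"  # no route / unreachable: treat like a silent drop


def _serve_once(listener):
    """Accept a single connection on the test listener, then shut it down."""
    try:
        conn, _ = listener.accept()
        conn.close()
    except OSError:
        pass
    finally:
        listener.close()


def self_test():
    """Check an ephemeral loopback port that is listening and one that is not."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    threading.Thread(target=_serve_once, args=(listener,), daemon=True).start()

    # Reserve and immediately release a second ephemeral port so nothing listens on it.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    return check_port("127.0.0.1", open_port), check_port("127.0.0.1", closed_port)


if __name__ == "__main__":
    print(self_test())  # ('open', 'closed')
```

The distinction between 'closed' and 'filtered' is the useful part when troubleshooting between two Windows clients: 'closed' means the packet reached Client B and no service is listening, while 'filtered' points at a host firewall or an intermediate ACL.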



Need help naming Network API

I'm the scrum master of a Network Automation Engineering team and I need help in naming our Network API.

The name needs to be clever and catchy and should be indicative of the fact that it's a network API.

Thanks in advance!



Interpreting MTR output

When I ping 8.8.8.8 it completes with little packet loss. However, mtr 8.8.8.8 gives the below output where it can't reach to destination address. How would you interpret this output? *IPs are modified

Host Loss% Snt Last Avg Best Wrst StDev
  1. 10.10.10.1 0.0% 47 0.8 1.6 0.7 16.6 3.0
  2. 10.10.10.2 0.0% 47 0.4 0.3 0.3 0.4 0.0
  3. 200.1.1.1 0.0% 47 0.9 0.9 0.8 1.1 0.0
  4. 200.1.1.2 0.0% 47 1.9 1.9 1.8 2.1 0.1
  5. 200.1.1.3 2.1% 47 3.3 3.4 2.7 13.1 1.8
  6. 200.1.1.4 1.3% 47 2.4 7.5 2.3 27.4 7.2
  7. 200.1.1.5 1.8% 47 2.6 3.1 2.4 16.0 2.1
  8. 200.1.1.6 2.2% 47 2.6 2.5 2.0 6.5 0.7
  9. ???
  10. ???
  11. ???
  12. ???
  13. ???
  14. ???
  15. 200.7.7.7 0.8% 46 11.9 12.6 11.5 19.1 1.8
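Two things in an mtr report are routinely misread: hops shown as ??? are routers that did not answer the TTL-expired probe at all (they still forward traffic, as the answering hop 15 proves), and loss at an intermediate hop only matters if every later hop shows at least as much loss, because a router that rate-limits the ICMP replies it generates for itself drops probes addressed to it while forwarding everything else. The Python below is an added example, not from the post; it applies those two rules to a constructed copy of the report above and reports what the destination actually sees.

```python
"""Parse mtr report output and separate real loss from rate-limited hops.

Added example, not from the post. Input is a constructed copy of the report
above. Rule applied: loss at an intermediate hop is real only if every later
answering hop shows at least as much loss; otherwise that router is just
rate-limiting its own ICMP replies. Hops shown as ??? never answered and
are classed as silent, not as loss.
"""
import re

HOP_RE = re.compile(
    r"^\s*(?P<n>\d+)\.\s+(?P<host>\S+)"
    r"(?:\s+(?P<loss>[\d.]+)%\s+(?P<snt>\d+)\s+(?P<last>[\d.]+)\s+(?P<avg>[\d.]+)"
    r"\s+(?P<best>[\d.]+)\s+(?P<wrst>[\d.]+)\s+(?P<stdev>[\d.]+))?\s*$"
)

# Constructed copy of the report in the post (its IPs were already modified by the poster).
SAMPLE_MTR = """\
Host Loss% Snt Last Avg Best Wrst StDev
  1. 10.10.10.1 0.0% 47 0.8 1.6 0.7 16.6 3.0
  2. 10.10.10.2 0.0% 47 0.4 0.3 0.3 0.4 0.0
  3. 200.1.1.1 0.0% 47 0.9 0.9 0.8 1.1 0.0
  4. 200.1.1.2 0.0% 47 1.9 1.9 1.8 2.1 0.1
  5. 200.1.1.3 2.1% 47 3.3 3.4 2.7 13.1 1.8
  6. 200.1.1.4 1.3% 47 2.4 7.5 2.3 27.4 7.2
  7. 200.1.1.5 1.8% 47 2.6 3.1 2.4 16.0 2.1
  8. 200.1.1.6 2.2% 47 2.6 2.5 2.0 6.5 0.7
  9. ???
  10. ???
  11. ???
  12. ???
  13. ???
  14. ???
  15. 200.7.7.7 0.8% 46 11.9 12.6 11.5 19.1 1.8
"""


def parse_mtr(text):
    """Return a list of hop dicts; silent hops have host '???' and loss/avg/wrst of None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # column header or blank line
        hop = {"n": int(m.group("n")), "host": m.group("host")}
        if m.group("loss") is not None:
            hop["loss"] = float(m.group("loss"))
            hop["avg"] = float(m.group("avg"))
            hop["wrst"] = float(m.group("wrst"))
        else:
            hop["loss"] = hop["avg"] = hop["wrst"] = None
        hops.append(hop)
    return hops


def interpret(hops):
    """Map hop number -> 'ok', 'silent', 'rate-limited' or 'loss' (loss that persists downstream)."""
    verdicts = {}
    answering = [h for h in hops if h["loss"] is not None]
    for h in hops:
        if h["loss"] is None:
            verdicts[h["n"]] = "silent"
        elif h["loss"] == 0.0:
            verdicts[h["n"]] = "ok"
        else:
            later = [x["loss"] for x in answering if x["n"] > h["n"]]
            # Real forwarding loss at this hop is felt by every probe that must pass it.
            persists = bool(later) and all(loss >= h["loss"] for loss in later)
            verdicts[h["n"]] = "loss" if (persists or not later) else "rate-limited"
    return verdicts


def destination_summary(hops):
    """Loss and average RTT at the last answering hop: the figures the end user experiences."""
    last = [h for h in hops if h["loss"] is not None][-1]
    return {"host": last["host"], "loss": last["loss"], "avg_ms": last["avg"]}


if __name__ == "__main__":
    parsed = parse_mtr(SAMPLE_MTR)
    print(interpret(parsed))
    print(destination_summary(parsed))
```

Applied to the report above, hops 5 to 8 come out as rate-limited (each shows more loss than the destination), hops 9 to 14 as silent, and the destination as reachable with 0.8% loss and a 12.6 ms average, which agrees with the plain ping result in the post.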



20% bandwidth loss due to "overhead?"

I've got an ISP telling me that 40 down on a 50mb SLA is "acceptable because of overhead" directly connected to PE equipment.

I'm not insane right, that is complete nonsense?
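The arithmetic behind the "overhead" claim, as an added example that is not from the post: on a 1500-byte MTU each full-size TCP segment carries 1460 bytes of payload and occupies MTU + 38 bytes on the wire (preamble, Ethernet header, FCS and inter-frame gap), so a speed test should show roughly 95% of the line rate, not 80%. The Python works that out for a few common encapsulations and solves for the MTU at which overhead really would reach 20%. Assumptions, labelled in the code: the SLA figure is the layer-1 line rate, the measurement is TCP payload, packets are full-size and TCP carries no options.

```python
"""Protocol overhead arithmetic for a 'speed test vs SLA' dispute.

Added example, not from the post. Computes the fraction of line rate that
reaches a TCP application for a given MTU and encapsulation, and the MTU
at which overhead would genuinely be 20%. Assumptions: the SLA figure is the
layer-1 line rate, the measurement is TCP payload, packets are full-size,
TCP has no options.
"""
ETH_L1_OVERHEAD = 8 + 14 + 4 + 12  # preamble/SFD + Ethernet header + FCS + inter-frame gap = 38 bytes
IP_TCP_HEADERS = 20 + 20           # IPv4 + TCP headers without options

# Extra per-packet bytes added by common access encapsulations (assumed, typical values).
ENCAPS = {
    "plain ethernet": 0,
    "802.1Q": 4,
    "PPPoE": 8,          # PPPoE (6) + PPP (2); the MTU is usually lowered to 1492 to compensate
    "MPLS 1 label": 4,
}


def goodput_ratio(mtu, extra_l2=0, l3l4=IP_TCP_HEADERS):
    """TCP payload bytes per packet divided by bytes occupied on the wire per packet."""
    payload = mtu - l3l4
    on_wire = mtu + extra_l2 + ETH_L1_OVERHEAD
    return payload / on_wire


def expected_tcp_rate(sla_mbps, mtu=1500, extra_l2=0):
    """The download figure a TCP-based speed test should show on a clean link."""
    return sla_mbps * goodput_ratio(mtu, extra_l2)


def mtu_for_overhead(fraction, extra_l2=0, l3l4=IP_TCP_HEADERS):
    """Solve (mtu - l3l4) / (mtu + extra_l2 + 38) = 1 - fraction for mtu."""
    keep = 1.0 - fraction
    return (keep * (extra_l2 + ETH_L1_OVERHEAD) + l3l4) / (1.0 - keep)


def overhead_table(sla_mbps, mtu=1500):
    """Expected TCP rate per encapsulation, rounded to 0.1 Mb/s."""
    return {name: round(expected_tcp_rate(sla_mbps, mtu, extra), 1) for name, extra in ENCAPS.items()}


if __name__ == "__main__":
    print(overhead_table(50))
    print("MTU at which overhead reaches 20%:", round(mtu_for_overhead(0.2)))
```

For a 50 Mb/s line the table comes out at about 47.5 Mb/s for plain Ethernet and 47.2 Mb/s even with PPPoE; overhead alone only reaches 20% at an MTU of about 352 bytes, so a steady 40 Mb/s points at something other than headers (policing below the SLA rate, a congested segment, or a test host that cannot fill the pipe).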



Stream Android's camera to local network

Hello all, I am new in this kind of stuff and my English is also not good so don't hate me for this,

I want to stream my Android's camera on my PC and stream voice from my PC to Android. Currently I am using the IP Webcam app on Android which uses HTTP to stream the camera and I can access that on any device with a browser; its video stream is good but audio delays up to 10-15 seconds, and an app called Zello for audio streaming, which functions as a walkie-talkie and works only if there's an internet connection. I have tried several of those types of apps but none can give me good results. I want this to work on a local network (without internet) and to work with low WiFi signal (if possible). Just think of this as a network CCTV in which I can watch its camera and send voice to its speaker.



Combining Multiple Wireless WAN Sources?

So I'm going to be going to a convention at a hotel and we need bandwidth, about 8 MBPS uplink, to stream an event throughout the entire convention. Unfortunately the hotel doesn't really have facilities in place to support increasing the available bandwidth and we were told just to use the wifi at the hotel.

Our plan instead is to use a small Linux box or even a Raspberry Pi to use volunteered phone hot-spot bandwidth as WANs, combine them into a virtual interface, and then bridge them to the computer that's doing the streaming. I've tried doing this with various flavors of Linux and ifenslave but as I understand it now 802.3ad doesn't apply to wireless interfaces since that operates at layer 2 and I need some means of combining bandwidth at layer 3.

As I understand it Twitch uses UDP for live streaming so I'm wondering if there's a tool that can load balance outgoing UDP packets across multiple interfaces or if there is a layer 3 link aggregator that will combine multiple interfaces into a single interface such that a single session gets the bandwidth of all aggregated links.

Thanks in advance for any pointers! I know this sounds like a crazy question.



Question about interview

Hi guys!

I'm getting an interview for a position in a major social network.

I'm at the "technical interview" step right now and they told me that I'm going to be queried about network engineering concepts, vocabulary and work methodology. That's all the info I have at the moment.

What topics do you think I should refresh?



Cisco Catalyst 9300 L Factory Reset

So I have a Cisco Catalyst 9300 L non PoE. I performed a complete factory reset to default settings and this is what I get below. The question is, how do I go about getting the image back on the device?

Thanks,

Initializing Hardware...
System Bootstrap, Version 16.12.2r, RELEASE SOFTWARE (P)
Compiled Fri 10/25/2019 11:48:55.48 by rel
Current ROMMON image : Primary
Last reset cause : PowerOn
C9300L-48T-4X platform with 8388608 Kbytes of main memory
WARNING: Bootable URL's in BOOT variable not found or exhausted.
Please check the ROMMON configuration or boot command usage.
switch:



vSRX VMWARE Console

So, I've finally managed to install vSRX in VMWARE and link it to my GNS3 (can start the VM and stop it in GNS3). However, I now have issues with the console only displaying for a second in GNS3/SecureCRT and stopping afterwards.

Console access is set to localhost:5000. GNS3 has also installed a named pipe in VMWARE but same exact issue. Output displays for a few lines and then stops.

Could someone assist?

https://imgur.com/a/IbfDIOh



OSPF - NSSA redistribution

Hi all, esteemed network colleagues. I'm dealing with a simple layout and what seems not to be an obvious solution. Three nodes R1, R2, R3 as in this picture:

https://imgur.com/V9hFZfp

The R1 path should always be preferred over R2, both for inbound and outbound traffic. In the event of an R1-R3 link outage, the traffic should follow the path R1-R2-R3 (this is why I need process 33 redistribution between R1-R2 over the OSPF 10 process). The fact is that NSSA type routes are less preferred than External type routes, so in the event of the R1-R3 neighborship going down, R1 will install E2 routes coming from R2, and they will be kept also when R1-R3 recovers. Does anyone have any advice or a best design to solve this (without putting R1-R2 in the same NSSA area and process, which is not a desired layout)?



Full view in VRF on ASR1001 : still doable ?

Hi,

I'm migrating my Mikrotik powered personal ASN to a Cisco ASR1001 based one. Got three of those for dirt cheap, upgraded them to 16GB RAM and latest recommended IOS already.

I have two (soon to be 3) full-views as transits and two (soon 4) IXPs.

I'd also like to shrink my address plan from a /22 to a /24, so I'd rather cut down on /31s for interconnects, thus making me think of going MPLS-L3VPN for the public routing zone, with a private IPv4 underlay, and 6VPE for public IPv6.

I don't have many routing-policy constraints, so I could use Selective Route Download to lighten the FIB's load, but I guess that would impede telemetry consistency (Netflow).

So the question is : could I realistically load full-views in a VRF on this hardware, or should I keep them on the GRT ? Or would you advise for SRD in any case, eventually with an external route-collector / flow parser ?

Thanks !



VPLS Best practice

Hi All,

I have several VPLS connections running between the same PE-R devices and I currently create a new VPLS connection when a new VLAN is required between the CE devices. I feel like this is not best practice as I can see the configuration getting unwieldy as more routing instances are needed per VLAN.

Topology - CE is a switch trunkport at both ends

ce -- pe1-- p0 -- pe2 -- ce

Would it be best to keep them separated like this or wrap them into a single VPLS routing instance?

Personally I'm starting to think wrapping them into one VPLS routing instance would be best, but everyone's thoughts are welcome.



Difference time & dmvpn

Hi, need help.

I am working on the configuration of DMVPN between our main office and remote offices and have one doubt. The main office and remote offices are located in different timezones and use their own NTP servers. Can this time difference impact the operation of the tunnels?

I think it shouldn’t but want to know your opinion.

Thank you in advance for your advice.



Cisco 2800 Remote LAN & 802.1X

Hi

I have set up a Remote LAN on a 5520 WLC running version 8.10.112.0. The purpose is to be able to connect a printer to the AUX port and have it come online as a regular switchport.

I have bridged the remote LAN SSID to the corporate interface in the controller and it works like a charm until I enable 802.1X on the SSID.

It appears that no traffic is allowed on the port before it's authenticated, so by the time I reach the desktop on the PC, DHCP has timed out and assigned a 169.254.X.X address. Once it's authenticated I can manually do an ipconfig /renew, after which it receives an IP address. This is obviously easy from a laptop which I'm using for testing but not applicable from a printer.

The Cisco documentation is terrible for this topic and says nothing but "simply enable 802.1X".

There is a checkmark saying "Pre Authentication"; when enabled it asks for a pre-auth VLAN id. I have tried to configure literally any VLAN I have available on the WLC but it does not make any change. The client still does not receive an IP address until I manually type ipconfig /renew in a CMD.

Does anyone have any experience with 802.1X on Remote LAN AP's and know how to accommodate this so the device can actually receive an IP-Address prior to being authenticated?



C9300 stacked switches : failover problems

I'm using a couple of stacked Cisco C9300 switches on which we plug in customer owned firewalls in an HA setup.

If either switch dies the other switch should carry on and the same for the customer firewalls.

I've just come across a strange bug (at least I think it's a bug) which is causing failover to not work.

Each customer firewall has its inside interface in a VRF (MPLS customers). We simply have a static default route pointed to the inside interface of the customer's firewall. The backup firewall will take over this IP in the event of a failure of their primary. All pretty simple.

Now we recently had an issue where a customer's firewall failed over. It all looked fine on the switch; ARP tables, MAC address table etc. were all updated, but for some reason the default route pointing to their firewall was being ignored. The only way I could get traffic to use the default route was to remove it and add it back exactly as it was.

Clearing arp entries, mac tables etc didn't fix it. Only removing the default route and adding it back.

This is despite it all looking fine in the routing table.

I'm going to look at upgrading the ios but just wondered if anyone else has seen this?

Thanks



Monday, March 2, 2020

How do you run dropbear and openssh in a Server at the same time


Draw network designs while on video call - Device suggestion.

Hi guys, for those of you working from home, when you are on a video call with colleagues and want to draw them a quick network design, like you would do on paper or on a whiteboard, what device are you using to do it electronically? For example, some tablet with stylus that is compatible with a MacBook Air and can be used to draw in the screen area of the MacBook?

Thanks!



My employer is laying off multiple resources in a shady way - do I have the resume to move on?

Throwaway account for privacy

Context: I currently work for a small MSP/MSSP (1-50 employees) as a technical engineer which recently laid off about 10 people including an executive director, multiple PMs, and a few technical resources due to "financial constraints and production reasons" all in the last 30 days. While most of the resources that got laid off were horrible hires to begin with and made way too much money, the technical resources that were fired had been with the company for over a decade and were incredibly smart, hard working individuals, and didn't make much money (40k-55k). The answers I received from management about the technical resource terminations were "they didn't have enough billable hours". These resources didn't have any billable work to execute due to the sales team's inability to bring in any good leads for the past quarter. The executive management team that is now controlling the company were all external hires from larger 1-500 employee companies that were on-boarded this past year and hired almost all of the people that just got let go. The data they used to determine everyone's employment status during the termination craze only included each resource's billable percentage for the past quarter, the average hours worked per week (salaried), and the amount of money they made a year. The trend that I saw for the resources who got fired was grossly overpaid, low billable rate, and taking lots of PTO. I also hear rumors that our company is living month to month financially. Essentially, there's some extremely shady shit going on with upper management and I don't feel comfortable. While my billable rate is in good standing for the time being, I put in a ridiculous amount of hours each week and never take PTO.

I have 5 years of help desk experience and 8 months of system engineering experience with a CCNA, Fortinet NSE4, and Network+. I want to get hired somewhere like AWS, Google, or Microsoft as a network, server, or data center engineer. I don't want to go back to being a help desk tech for another 3 years to climb up the ladder at a new company again...

So my question here is this: Do I have the resume to move on from this company or should I stick it out for another year as an engineer? What would you do in my situation?

Any feedback is appreciated. Thanks for reading!



Simulate latency between two Virtualbox VMs

Hello there, my boss has tasked me to set up an NFS server in the Bay Area but the NFS clients are in Texas. I would like to prove why that might not be a good idea.

I am trying to figure out how I can simulate latency between two VMs in virtualbox so I can get some hard data. Any tips on how to do that?