Saturday, March 14, 2020

Difference between having different vlans and having different subnets on a switch

I am at the Uni, and this question is inspired by some Networking courses I am studying (it is not a homework question though), so apologies if this question feels noob-ish.

I am currently trying to wrap my head around segmenting a network via switches. From the look of things, it feels like I can do this in two ways (not sure if there are more ways):

  1. I could assign IP addresses to hosts connecting to the switch from two different subnets. Basically I could say Port 1 to Port 10 would contain hosts with IP addresses in 10.0.0.0/24 while Port 11 to Port 20 will have addresses in 50.0.0.0/24.
  2. I could create two VLANs (VLAN ID 10 and VLAN ID 50) on the switch and connect hosts I want to be able to communicate on ports having the same VLAN.

From where I stand, it looks like these two approaches help me achieve some form of segmentation. Going by the first approach, hosts within the 10.0.0.0/24 network won't be able to directly reach hosts in the 50.0.0.0/24 network.

The same applies if I used VLANs. A host connected to a port with VLAN 10 won't be able to talk to a host on VLAN ID 50, even when they are on the same subnet.

My question then is:

  1. What are the differences between these two approaches?
  2. What are the drawbacks and advantages?
  3. Are they really different ways of achieving the same thing as I am thinking, or are they set up for different use cases?

Thanks



Routed access layer but still have default gateways live in the core?

Simple question. I would like to redesign my network so we’re using routed access layer (access layer switches have layer 3 routed ports up to the core/dist no vlans stretching/layer 2) but it’s super important that the hosts default gateway still exclusively live on the core layer.

For this we would not want to do any kind of tunneling like L2TP, and no other kinds of encapsulation like VXLAN etc.

We would also expect core redundancy to be seamless like if one core goes down the hosts will not drop any pings, etc.

I was thinking since there will be a layer 3 hop between the hosts and the default gateway that we could use proxy-arp to help the hosts get to the core default gateway.

To help the core get back to the hosts we could do source-NAT overload on the access switches (or should I say access ROUTER, amiright) on the northbound interface.

The main advantage of this is the default gateway for the hosts is just a Loopback address on the core routers so you could have it the same on both cores and use anycast.

I labbed it up in GNS3 and ping is definitely working between two different access pods so I feel like the basic proof of concept is solid. What potential gotchas or issues could I run into?



Senior Project Ideas - Network Automation

I'm in the last part of my Networking B.A. degree and I'm having a severe case of blank thoughts when coming up with a good senior project idea. The topic I was assigned is Network Automation.

What I came up with on my own was setting up an Ansible environment and making it push commands to a Cisco switch, but due to my lack of knowledge in Linux it's proving to be a bit more than I can handle before the end of April...

Not looking for handouts, just a good idea to run with. Appreciate any ideas or suggestions. Thanks!



Trying to get L3VPN to work

I have the following L3VPN topology. VRF CUST-A is configured on the PE routers. I also have mp-bgp neighborship from R1/R2 towards RR (R3).

I am not able to ping from 9.9.9.9 towards 10.10.10.10

https://imgur.com/a/B1bd94Z

  1. R9 can see the loopback of R10 (10.10.10.10)
  2. ping 10.10.10.10 source 9.9.9.9 doesn't work
  3. sh ip route vrf CUST-A : https://pastebin.com/F79pF6KD
  4. How does R1 know that it should use the global routing table when it looks up the next hop 2.2.2.2 (loopback of R2) ?


Anyone familiar with ZOC terminal?

I just got a copy of the ZOC Terminal and the software is pretty usable. Couple of questions though:

  1. Can ZOC be configured to always prompt for the SSH username? Especially if I opened the connection using the quick connect window. I constantly forget to type in the username in the quick connect window for SSH connections and I have to close the session to re-open quick connect... I think ZOC does do keyboard interactive authentication for SSH, but it seems to be only for the password... I do have my frequent sessions saved already.

  2. Under the log folder, there is always this "Calls.log" file created and updated while I connect to different devices. Any way to stop ZOC creating and updating the Calls.log file?

Thanks!



Firebox M370 IPsec tunnel to a Cyberoam/Sophos device.. No Proposal Chosen

I'm trying to swap in this new firewall and I've got local/internal traffic flowing nicely, but forming an IPsec tunnel to a remote site with an old Cyberoam/Sophos firewall is another matter. I mean, I'd expect IPsec to be fairly standardized. You verify the phase 1 and phase 2 transforms are identical and then you're golden, except that's not what's happening.

I guess a couple of things I'm wondering are: Is lower security more 'compatible'? Do things like rekeying and the SA life... do they matter to be identical? And on the Firebox, what's the difference between Branch Office VPN and BOVPN Virtual Interfaces?



Juniper vSRX clustering between two hypervisors - confusion around Fabric and Control links

Hi, I am in the process of setting up a cluster of Juniper vSRX Firewalls. In order to provide HA each node of the cluster will be running on a separate hypervisor.

This is where the confusion arises. I've seen a similar deployment where one of the links was provided over a GRE tunnel between the two hypervisors, but I cannot remember if it was the Fabric or Control link?

Do both the links send large amounts of broadcast traffic, or is one unicast that can be run over the network rather than a tunnel?

If both are run over the tunnel, does this risk a split brain situation if the tunnel goes down?

What's the best practice for this setup?

Cheers



Next step in career

Hi all,

I did my CCNP before the Feb cut-off and now I'm hungry for more. My colleague, who is a CCIE, is advising me to go for DevNet certs rather than start the journey for CCIE.

Is that sound advice? What are you guys choosing to do and what's your reason for that?

Thanks, M



Setting VLANs on new Watchguard Firebox.. this is weird

So today I'm attempting to put into production a new Firebox M370 to replace our very EOL Cyberoam device. The very first roadblock I'm hitting is with creating VLAN interfaces. I'm used to Cisco and Fortigate having sub-interfaces. I have 1 Trusted/LAN interface that should include 5 VLANs for internal routing. But the guides seem to suggest that I change the Interface Type to VLAN, and I feel like this will break the fact that it's a trusted interface and I'd lose my ability to manage the device.

Should I enable a 3rd interface and use it solely for VLANs? Then do I cable that new VLAN interface, which will result in basically two LAN interfaces...?

I have not yet found a guide/instructions/video on VLANs for a LAN interface...

Thanks



Any good examples of NDN networks out there?

Admittedly new to this community but long time dev with super interest in networking. I recently came across NDN networks https://en.wikipedia.org/wiki/Named_data_networking and was curious if there are examples of any in use currently and also what this community thinks of them :)

Found this in the wiki article so looking at that for now https://named-data.net/ndn-testbed/



Need industrial network upgrade.

Currently using WiFi in a metal working environment. The equipment is CNC electrical discharge machines. These use a spark in an oil bath to erode metals. The problem is the spark acts as a broadband transmitter. It messes with WiFi, or any radio frequency. We use roll-around carts as CAD viewing stations. Sometimes the files are large, and the WiFi is a bit slow. Getting some new metal working machines soon. Would like to see wired viewing stations for CAD drawings. Perhaps even built into the new CNC machines. Was thinking Cat6 shielded cable. Not sure if fiber is needed.

Any suggestions are appreciated.



Anyone familiar with Comer’s Diagram?

Could anyone explain Comer’s Diagram in regards to a user using a browser on a WiFi-connected laptop to access a website’s graphics, audio, and video? Been having trouble understanding the different parts of the Comer’s Diagram.

Thanks!



Creating a smart home in Cisco Packet Tracer

Hi, 

Was wondering if anyone would be able to help me with this. I am using Cisco's Packet Tracer software to build a smart home. It's not too complicated and consists of the following:

  1. PT Smartphone
  2. DLC100 Home Gateway
  3. Appliances: fan, webcam, lamp, window, etc.

I have them wirelessly connected so they can be switched on via the smartphone (through its desktop application IoT Monitor), and the network adaptor is PT-IOT-NM-1W.

Basically I want to implement security and have a way of logging and viewing how traffic is running in the smart home.

I think I can use a packet sniffer for this? Just not sure how to do that?

And for security I can see there are options such as WPA, WPA-PSK and so on, but they all seem to be the same? And in terms of testing security I have no idea how I would test these?

Sorry for all the questions, thanks for any help on this.



What is meant by the term AVN?

I am new to networking and trying to get my head around unicast and multicast streams and the term AVN keeps popping up. I have searched online but can't really find an explanation to what it is.



Friday, March 13, 2020

Bizarre L2 issue following L3 change

Hi,

I am scratching my head following a networking change for a client last week. They have a stable site to site microwave link from their primary site to their DR with several smaller sites in between (due to geography), and have a management VLAN stretched across this so they can ping all switches at all sites, and monitor them with PRTG.

Implemented new upstream firewalls, and for the first time, an internet connection at both primary and secondary, OSPF core and started removing static routes as they were replaced with OSPF routes.

Everything seemed ok...

Except users at intermediary sites started complaining about voice issues, and investigations show 10-20% ping drops AT TIMES along the L2 management VLAN.

We made no changes to that VLAN, and no switches in between are running routing, just acting as L2 Bridges.

Any suggestions?



How to start a career in networking?

I would like to get into IT and find a career that is flexible and pays well- I currently own a business teaching basic STEM concepts to elementary school students using LEGO, and part of my motivation for introducing kids to the world of STEM is that I feel most people my age (I’m 26) were not encouraged growing up to get into tech, and lots of us are getting what are honestly quite useless degrees (I have a BS in Health Science and have never made even 40k/year in the 5 years since graduating). So I guess you can say I want to walk the walk and talk the talk, and I do think I can do two things at once (own and operate a business and get into tech, especially since they’re related). I also currently work part time at my alma mater in the tech center as a lab monitor/ help desk person, which has gotten me interested in networking. But I have no idea where to start! My boyfriend is a software engineer so he’s trying to help but it’s all a lot of information and I’m not sure where to go from here!



Bandwidth vs throughput

Hi All, taking an example of an asymmetrical DSL connection with a speed of 10M/8M (download/upload): looking on the Internet I could only find a single value referred to as bandwidth, and also for throughput. So in this case, would we refer to bandwidth as 18M (10M+8M), and throughput would be what we measure in real time? For example, let's say a speed test revealed 6M as download speed and 4M for upload speed; then throughput for this connection would be their sum, 10M?



Please check me if my NATing logic is correct

I don't know much about firewalls, but need to NAT the IP address of a single device.

Got a hold of a Fortinet 60D. It has the following ports on the back: 1- 7, DMZ, WAN1, and WAN2

For this test I just want PC1 to have a natted IP address and be able to communicate with PC2.

All in my lab/local. No internet/ISP involved.

Does this make sense? Connect a PC to Port 1 and another PC to WAN1, like this:

PC1 --- Port1 [Fortinet 60D] WAN1 --- PC2 

Will this work for my basic test?

Am I on the right track here?

Thanks!



What do websockets links look like? Like http is http://google.com but what is websockets?

Title



[Update] Jitter on local network when using RTP, but only on wired.

Original Post

So, nothing has worked so far and we're out of ideas. The network is being blamed for ONE device not working in the entire setup and it truly sucks.

We got the intercom system to connect to the network switch, which was nice, but that didn't solve the issue. We put QoS on the switches and ports that were necessary, and that didn't solve the issue.

I'm going to put a link to the Wireshark file if anyone wants to have a go, using something called 'wetransfer'; I googled a way to transfer large files and it came up, simply because OneDrive shows the company info and I didn't want to do that:

It's a ~70MB pcap file: https://we.tl/t-2QUaocqODF



Cisco IP routing on L3 switches

I'm trying to make sure I understand the full capability of using the "ip routing" command on an L3 switch. Enabling "ip routing" ONLY enables inter-VLAN routing, assuming the SVI of the switch is the gateway of the VLAN. If I have some switch down the line with SVIs for VLAN 1 and 2, traffic is still being routed all the way to the gateway of the VLAN before being routed to the other VLAN.



Help with NETFLOW

Hey all!

First off, I don't really know much about it. From what I've gathered, NETFLOW is a way to analyze the data that flows through a device. I've been tasked with turning Netflow on on some routers we have. However, the people who want it on can't get it to come up on whatever program they are using to view it LiveNX and think it's the way it's configured.

This is on an ASR 9000 - IOS XR 6.5.2

Currently, we have the current config:

flow exporter-map netflow source MgmtEth0/RSP1/CPU0/0 destination (IP) 

However, when we type:

show flow exporter netflow location 0/RSP1/CPU0 

there is no data.

However however, if we type

show flow exporter netflow location 0/0/cpu0 

the data is there.

I was under the impression typing in the source in the config would change which interface the data would be visible on. It sounds like I could be wrong though? That I need to match the source where the data is already being sent to, rather than moving the data to my source.

If that's the case, how do I match my source to location "0/0/cpu0"?



Connection for small business

I’m from a small family business with terrible WiFi. Looking to upgrade to something better; BUT ALL THE WEBSITES HAVE SO MANY PACKAGES AND ARE SO COMPLICATED.

All I need is enough for three computers to browse and upload some simple docs, and a card reader. Who should I check out? I don’t mind paying extra if the process is easy

PS We’re based in the U.K.



Provider Edge Layer Two Devices Term?

Trivial question. What generic term would you call layer 2 edge devices such as OLTs for FTTH or DSLAMs for DSL? I feel like provider edge is reserved for layer 3. Just curious.



Permit tagged redistributed routes to one BGP path while denying the same routes to another path

Got another one for you guys that's stumping me. We are in the process of migrating MPLS by flipping remote sites one by one. We have two Data Centers that all remote sites will still need paths to regardless of the MPLS they are on.

Here is the issue: the two data centers exchange each other's routes via EIGRP, so in order to not have them exchange each other's routes over BGP we have tagged them to be denied when being redistributed into BGP.

The problem with that is, as the remote sites migrate over, they have to use 1 data center as a "transit" to the other, and since the redistribution command is global and not per neighbor, the remote sites can see all but the tagged EIGRP routes.

Any idea how I can get around this while still protecting the data centers from loops?

Drew up a quick image to kind of show what I'm dealing with:

https://imgur.com/N1QqxDa



Cisco AnyConnect License Count

Might be a silly question but hard to find. Is there a simple "show" command to see how many licenses you have for AnyConnect on a Cisco ASA?

Thanks!



Useful Python Scripts for Work

Hi there. I am not a programmer but rather a network engineer for the past 15 years of my life. My brain just doesn't work with programming. Apparently in my work right now, we are required to produce at least 2 scripts that we can use as part of our KPI. So obviously I'm dead. They want us to produce Python scripts as they say this is the future and we cannot get away from it. Can you help tell me what scripts I can make that we can use? It doesn't have to be very complex programming, but just something I can use to submit (like a college student). The first thing I have is to create a script to populate all the LAN switches with a new VLAN if there's a requirement. What other things can you suggest? Again, it doesn't have to be very complex. :) Thanks!



Major Packet Loss to Certain Geographical Regions - ISP Related?

Hey Everyone,

I've been analyzing this issue for quite a bit and it's sort of baffling me.

I work for a company that deals with large data sets everyday. We send large medical images through IPSec VPN tunnels. This mostly requires us to send terabytes of data around the country daily with certain hub servers that offer gig/gig fiber strategically placed geographically. We have uncapped bandwidth at our main Tierpoint datacenter, with what they call an ISP "blend" for internet access.

Basically, what I have been finding is that during our peak hours 10 AM - 4 PM, packet loss drastically increases but only to certain geographical regions. Even sites with lower latency metrics, packet loss will be greater. We have basically every ISP out there and I am at a loss.

I've been running Ping Plotter to track these metrics, and some days the packet seems to flip flop from one site to the other. Some sites I can visibly see one node through a trace route consistently dropping our packets, and I have no idea why. Off hours I am able to essentially send data at 40-50x speeds with seemingly no other traffic around it.

I have tried lowering MTU, clamping TCP MSS, upgrading my firewall's firmware, upgrading our IPSec algorithms, and nothing seems to help.

For what it's worth we use a FortiGate 200E with CPU/memory usage never really touching 20%.

Any ideas?



Solarwinds Real-Time Bandwidth Monitor

I have a TV/Monitor in my office and watch SNMP on some critical router interfaces. Has anyone figured out a way to CLI launch instances of the Solarwinds RTBM or save the layout of all your windows?

I found the data is saved in Pollsers.xml under the AppData folder, but it's inconsistent when trying to restore that file.

Basically every time the machine reboots I have to reset all the monitors manually.

*I am sure there are other elaborate systems that do some SNMP graphs NOC view too; just trying to do something on the cheap. Any other suggestions appreciated.

Thanks!



Ways to hide a VPS's IP address + better DDoS protection

Hi everyone!

I recently purchased a powerful VPS to host a few services I've been working on (currently still not planning on load balancing VPNs and such because the scope is still small, even though they would partly solve the problem). I've been wanting to do 2 things:

A. better hide my VPS's IP address

B. get better DDoS protection. My provider supposedly provides DDoS protection; however, I don't really trust them.

With those 2 things in mind, and with the fact that I'm not looking to spend an extra $50 on DDoS protection, and since I'm planning to do more than just host a web server (which pretty much eliminates services like Cloudflare), I've been looking at alternative ways.

More specifically, I've been thinking of buying a less-powerful VPS from another VPS company (which provides good DDoS protection, such as OVH. If you know any other good ones, please do tell!) in the same area with a good latency between both data centers, and using it as a gateway/proxy server and pointing my domain name to the new VPS. That's good and all, but I've been struggling with deciding on which way I should do the actual tunneling. I've come up with the following solutions so far:

  • Set up a VPN on the second VPS
  • GRE tunneling
  • SSH tunneling (SOCKS?)- for some reason I think it might not be a reliable way, but feel free to correct me
  • Suggestions?

I would love to hear your opinion on each one of the methods and why one might be better than the other (or, if you've got more ways to tunnel that you can suggest, please do, I'd love the info!).

Thanks in advance!



Python Script to Collect AnyConnect Users Traffic Volume

Hello everyone,

This is a quick and dirty script that I put together to SSH into an ASA, do the "show vpn-session anyconnect" command, scrape the output for usernames and traffic usage, sort the output from highest to lowest, and finally print the output and put it in a text file.

This was done in a rush to try and figure out who was using all the bandwidth. I know there are a million ways to improve it and would like to hear suggestions. Also, this was only tested on ASA 9.8.

Without further delay, here is the script:

# -*- coding: utf-8 -*-
"""
Created on Thu Mar 12 11:46:02 2020

@author: jj
"""
import re
from operator import itemgetter
from getpass import getpass

from netmiko import Netmiko

gig = 1024 ** 3
meg = 1024 ** 2

un = input('Username: ')
pw = getpass('Password: ')
ip = input('IP address: ')

device = {
    'host': ip,
    'username': un,
    'password': pw,
    'device_type': 'cisco_asa',
}

data = ''
try:
    net_conn = Netmiko(**device)
    print('Connected to:', ip)
    # Full ASA command name; the output has one block per AnyConnect session
    data = net_conn.send_command('show vpn-sessiondb anyconnect')
    net_conn.disconnect()
    print('Closed connection to device')
except Exception as e:
    print(e)

# Each session block has a "Username : <name> ..." line followed later by a
# "Bytes Tx : <n> Bytes Rx : <n>" line; collect [user, tx, rx, total] per session.
userlist = []
user = None
for line in data.splitlines():
    if re.match(r'\AUser', line):
        user = line.split()[2]
    elif re.match(r'\ABytes', line) and user is not None:
        fields = line.split()
        tx = int(fields[3])
        rx = int(fields[7])
        userlist.append([user, tx, rx, rx + tx])
        user = None  # one Bytes line per session; wait for the next Username

# Highest total volume first
sortedlist = sorted(userlist, key=itemgetter(3), reverse=True)

with open(ip + '.txt', 'w') as output:
    for i, item in enumerate(sortedlist, start=1):
        if item[3] > gig:
            string = (str(i) + '- ' + item[0] + ' Volume of traffic: '
                      + str(item[3] / gig) + ' GBytes')
        else:
            string = (str(i) + '- ' + item[0] + ' Volume of traffic: '
                      + str(item[3] / meg) + ' MBytes')
        print(string)
        output.write(string + '\n')

Hope it helps someone out there,

-JJ



Experience about Aruba ACSA & ACMA

Hi

I have been asked to get these certs; how hard are they?

Does anyone know any good online videos for them?



I work in marketing and need help with defining an IPv6 range, for IP exclusion. I want to block all traffic from our office IP, which seems to change every day (although I think it stays within a range?). How on earth do I define and write an IPv6 range? THANKS!!!!!

Our IP format is XXXX:XXXX:XXXX:XXX:XXXX:XXXX:XX:XXXX
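An added example (not from the poster) of how to turn a handful of observed office addresses into an exclusion range: the last 64 bits of an IPv6 address are the interface identifier and rotate with privacy extensions, while the ISP-assigned prefix (/64, or /48 for a larger site) stays put, so the exclusion is written as that prefix. The addresses below are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress

# Constructed sample of office source addresses seen on three different days
# (documentation prefix 2001:db8::/32; not the poster's real addresses).
OBSERVED = [
    "2001:db8:abcd:12:a1b2:c3d4:e5f6:1",
    "2001:db8:abcd:12:9f0e:1d2c:3b4a:5968",
    "2001:db8:abcd:12::77",
]


def covering_prefix(addresses):
    """Smallest IPv6 network that contains every address in `addresses`."""
    addrs = [ipaddress.IPv6Address(a) for a in addresses]
    if not addrs:
        raise ValueError("need at least one address")
    lo, hi = min(addrs), max(addrs)
    # The samples share exactly the leading bits where lo XOR hi is zero.
    differing_bits = (int(lo) ^ int(hi)).bit_length()
    return ipaddress.IPv6Network((int(lo), 128 - differing_bits), strict=False)


def recommend_exclusion(addresses):
    """Round the covering prefix up to the boundary an ISP normally assigns.

    Returns (network, reason). A single office is normally excluded by its
    /64 (or its /48 when it has several /64s), never by one full address,
    because the host part changes from day to day.
    """
    cover = covering_prefix(addresses)
    if cover.prefixlen >= 64:
        return cover.supernet(new_prefix=64), "one /64: only the host part rotates"
    if cover.prefixlen >= 48:
        return cover.supernet(new_prefix=48), "several /64s inside one /48 site prefix"
    return cover, "samples span more than a /48; check they really are one site"


def as_range(network):
    """First and last address of a network, for tools that want start-end."""
    return str(network.network_address), str(network.broadcast_address)


def is_excluded(address, network):
    """True when a visitor address falls inside the exclusion network."""
    return ipaddress.IPv6Address(address) in network


if __name__ == "__main__":
    net, why = recommend_exclusion(OBSERVED)
    print(net, "-", why)
    print("range:", *as_range(net))
```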



What is Coronavirus or Covid-19

Coronavirus



Tips/help needed for reorganizing a server room with new racks

Hello all,

To clarify, I'm really junior in networking.

After 3 weeks of employment my management asked me to reorganize the server room. The main reason is that they have no clue what is currently still used and what is not. Also, the server room is consuming too much power to cool the racks, so they want a solution that cools within the racks. There are in total 12 racks and I should reduce it to 8.

I've already made an inventory list of what is currently in the server room.
I'm also creating a document in Visio to rearrange all the devices into the new racks.
What should I pay attention to when rearranging the racks?
Any tips on how I should handle the next steps?

Thanks !



Any FTD 6.4.0.8 issues, mainly concerning Anyconnect VPN?

Hey! Just wanted to check if anyone here has run into any major issues with version 6.4.0.8?

We're about to upgrade our 2110s this weekend because of some major bugs in our current version (6.4.0.6). And we've had some major bugs in 6.5.x, so we're avoiding that track for now.

6.4.0.7 is the recommended one for now, but there are quite a few bugs fixed in 6.4.0.8.

Main concern is AnyConnect VPN, since we're going live with our deployment on Monday.

Thanks!



Listen address vs. firewall rules

While configuring a server, a question came to my mind: If I don't want a service to be accessible from the network/internet, is it better to set the listen address to 127.0.0.1/::1, to set a firewall rule, or both?

I am aware that firewall rules are much more powerful and allow, for example, making a port reachable by only a handful of addresses, but in this simple case I would like to only consider the scenario where everything except localhost is blocked.

I'm looking forward to your opinions on this matter.
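An added example (not from the poster) that treats the two options as layers and checks both: it parses `ss -Hltn` style output to find every TCP listener not bound to loopback, then reports those the firewall allow-list does not deliberately expose. The socket lines are constructed, and the allow-list is assumed to be the set of ports the firewall opens.

```python
import ipaddress

# Constructed `ss -Hltn` output (State Recv-Q Send-Q Local:Port Peer:Port);
# not taken from the poster's server.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:9100 *:*
LISTEN 0 128 [::1]:5432 [::]:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 128 192.0.2.10:8080 0.0.0.0:*
"""


def split_local(field):
    """Split ss's 'Local Address:Port' field into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%")[0]   # drop IPv6 brackets and scope id
    return addr, int(port)


def classify(addr):
    """'loopback', 'wildcard' or 'specific' for a bound address."""
    if addr in ("*", "0.0.0.0", "::"):
        return "wildcard"
    return "loopback" if ipaddress.ip_address(addr).is_loopback else "specific"


def exposed_listeners(ss_output):
    """Every TCP listener NOT bound to loopback, as (addr, port, kind)."""
    found = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = split_local(parts[3])
        kind = classify(addr)
        if kind != "loopback":
            found.append((addr, port, kind))
    return found


def audit(ss_output, firewall_allowed_ports):
    """Network-reachable listeners the firewall does not deliberately allow.

    The bind address is the first layer and the firewall the second; anything
    returned here is protected by neither and needs one of the two fixed.
    """
    return [(a, p, k) for a, p, k in exposed_listeners(ss_output)
            if p not in firewall_allowed_ports]


if __name__ == "__main__":
    for addr, port, kind in audit(SAMPLE_SS_OUTPUT, {22, 80}):
        print(f"{addr}:{port} is {kind}-bound and not in the firewall allow-list")
```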



Cisco doesn't recommend FirePower (to us) !

After several years of fighting we have received an e-mail from Cisco where they told us that they agree with our proposal to migrate our firewalls to another NGFW vendor (such as Palo Alto or CheckPoint).

Our background is easy: we have several FMCs and FTDs in our company and we have huge problems with them. When we count the number of TAC cases over just the last 2 years, we have 1 case opened every 2 weeks. Some of them are affecting traffic, some of them are just cosmetic issues. But with the most expensive NGFW solution on the market, I should not have the feeling that I am a beta tester.

In their official e-mail they agreed with us that in the next 6 months there won't be any significant improvement (not even the planned 6.6 will fix our issues) and therefore they cannot ensure the stability of our platform.

Congratulations Cisco; maybe they already decided that FP is causing them so much reputation and financial damage that they will end it.

Hopefully, because with all the information about upcoming 6.6, I don't see a future here.



Thursday, March 12, 2020

TOOLS TO EXTRACT IP TO IP CONVERSION FROM L3 SWITCH

I'm migrating a Juniper switch, which is L3 for ml80 VLANs, to a Cisco Nexus switch; in the earlier setup all VLAN members can talk to each other, as that's the default nature in switches. In the migration I am trying to introduce VRFs and group the VLANs. Please suggest some free tool to analyse the existing session conversations to understand the traffic pattern between VLANs.



Daaam Python You Scary

So I've been playing with Python at work for switch configuration, making custom apps for helpdesk, all sorts of stuff because it's fun and sometimes useful-ish.

I had to re-cable an IDF so that it would look all clean instead of a horrible spiderweb. I decided this was a PERFECT reason to write some kind of script up that would transfer configs from one port onto another, and all I'd have to do is the pretty cabling.

Quick script description: Have an Excel sheet with two ports (7/0/1, 6/0/1) per row; the first port is the config I need to transfer to the second port in the row. It copies all configs into a dictionary and then defaults ports and writes configs one by one...

Well, I used proverbial Python superglue and duct tape to get this script together, waited till after hours, ran it...

As soon as I see that the script is collecting the info, I start uncabling everything and just enjoy unplugging dozens of cables. As soon as I finish I realize my script crashed due to some kind of timeout (haven't taken the time to find out why exactly it crashed) right after defaulting all ports....... So I have switches without any cables, and no configs anywhere.

Haven't had such good solid heavy panic in a while..... Long story short, I had a backup config and had to go through port by port physically looking up what config was on it, where it should go and setting it up..... worked out but took wayyy longer than it should have.

I remember some guy talking about automation, how it can make your life 1000 times easier or how you could end up poking yourself 1000 times in the eye in the blink of a second.

Thought some of you might enjoy the suffering; now it's time to go to sleep and wake up early to deal with all the incoming network connectivity calls.
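An added example (not the poster's script) of the ordering that would have survived the timeout described above: collect the source-port config, write it to disk and read it back, and only then emit commands that configure the new port first and default the old port last. The running-config excerpt and port pairs are constructed, the command syntax is IOS-style, and the SSH push itself is left out.

```python
import json
import re
from pathlib import Path

# Constructed running-config excerpt and port list (not the poster's switch).
RUNNING_CONFIG = """\
interface GigabitEthernet7/0/1
 description Printer-3F
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet7/0/2
 description Uplink-Core
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
interface GigabitEthernet6/0/1
!
interface GigabitEthernet6/0/2
!
"""

# (old port, new port) pairs, standing in for the spreadsheet rows
MOVES = [
    ("GigabitEthernet7/0/1", "GigabitEthernet6/0/1"),
    ("GigabitEthernet7/0/2", "GigabitEthernet6/0/2"),
]


def parse_interfaces(config_text):
    """Map each interface name to the config lines indented under it."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None   # "!" or any other column-0 line ends the block
    return blocks


def plan_moves(config_text, moves, backup_path):
    """Collect, persist and verify the source-port configs, and only then
    build the command list. Returns the IOS-style commands to push."""
    blocks = parse_interfaces(config_text)
    missing = [old for old, _ in moves if old not in blocks]
    if missing:
        raise KeyError(f"source ports not in running-config: {missing}")
    collected = {old: blocks[old] for old, _ in moves}

    # Write the recovery data to disk before generating anything destructive;
    # a timeout half-way through the push then costs a retry, not a rebuild.
    Path(backup_path).write_text(json.dumps(collected, indent=2))
    if json.loads(Path(backup_path).read_text()) != collected:
        raise RuntimeError("backup did not read back identically; aborting")

    commands = []
    for old, new in moves:
        # Configure the destination first and default the source last, so a
        # crash between the two leaves a duplicate config rather than a hole.
        commands.append(f"interface {new}")
        commands.extend(collected[old])
        commands.append("exit")
        commands.append(f"default interface {old}")
    return commands


if __name__ == "__main__":
    for cmd in plan_moves(RUNNING_CONFIG, MOVES, "portmove_backup.json"):
        print(cmd)
```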



Multihomed BGP w/ another subnet

I just stumbled across something I've never seen or considered before.
I have 2 ISPs, and am running BGP peering to both ISPs with my /24 network.

I just found out that one of the ISPs is sending a /28 network to my peering IP on my BGP router.

Is it even possible to use that subnet if I'm handling my /24 and default routes on the same router?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Temperature monitoring on the Cisco ASR 9010

Anyone have any good practices on which temperature sensors to monitor on the ASR 9010? I'm having a surprisingly hard time finding this info online.



Router using only lan

Hey guys, I got a quick question. Are there any routers that work only on a LAN connection to the modem, because my modem doesn't have a WAN port?



Looking for ZScaler info/recommendations

Now that Microsoft 365 Business is going to get AADP1 with Cloud App Discovery I want to try out their native Zscaler integration. Can someone here suggest a setup/config for my lab suitable for 25 users? (I know very little about zScaler, an expert in Microsoft side).



Electrical Isolation - Ethernet options

First post here, please let me know if this is the wrong place to pose this question...

I am dealing with a situation where I suspect surges/spikes coming in via the Internet Service Provider's coax line, and therefore I wish to propose a solution that will eliminate this as a possibility.

I realize that there are a lot of surge prevention power bars that have an input/output for coax, but I have read a lot of bad reviews of this sort of implementation.

In my mind, I was thinking of implementing a fiber converter that will act as an electronic isolation device from the WAN side.

My questions are as follows...

Is this type of solution practical? Is there a better and easier way? Does anyone know of an Ethernet-Fiber-Ethernet device?



Arista vs Cisco Nexus

Hi All

I am looking into jumping boats and giving Arista a try for a new project we have. Has anyone had experience with them and can tell me how it went? Right now I am looking into using some 7050TX3-48C8-F from Arista instead of our usual Nexus 93108TC-EX.



PSA: Webex is now free

Cisco opened webex up for free use. Unlimited use, no limitations (there used to be a three person limit on free accounts). Don’t have a work from home video conference solution? Now you do.



Cisco historians, how did Cisco screw up WiFi and not allow the iPhone to be only a wireless device? (Language)

Adam Curry recently went on the Joe Rogan experience and talks about meeting with Steve Jobs and introducing podcasts to the world. In the sitdown with Jobs he mentions that he was angry because Cisco screwed up wifi. What was Jobs referring to?

https://youtu.be/NaPKrZTUoUs?t=1056



iPerf & JPerf Testing - 10GB NIC Test

I've been running into an issue that I need some advice on.

1st: I have two desktop PCs, both installed with 10Gb NICs and a 1Gb NIC (for remote access).

  • PC1: OptiPlex 9010 / Win10 Pro / 16GB mem / i7-3770 @ 3.4GHz quad core (acting as client)
  • PC2: OptiPlex 990 / Win10 Ent / 12GB mem / i7-2600 @ 3.4GHz quad core (acting as server)

I've connected each of these PCs, on their 10Gb NICs, to a Cisco C9300-24T switch. On the switch I've installed two SFP-10G-SR-S and ran LC-to-LC OM3 (multimode) fiber to the devices.

Now, the test that I'm performing is between these 2 devices running ONLY at layer 2. When I run a default TCP test, I'm only getting 2.47 GBytes transfer and 2.13 Gbits/sec bandwidth. When running a UDP test, while setting the bandwidth to unlimited ("-b 0"), I get 3.18 GBytes transfer and 2.73 Gbits/sec bandwidth.

When I directly connect the 2 PCs together and run the same tests, I get even worse results.

Why am I not seeing better transfer and bandwidth speeds?



When uploading my Security Certificate file into my web application, it's asking me for the KeyStore password. Can someone tell me how to find it? More inside.

The cert file was provided to me from our customer ... Are they responsible for giving me the KeyStore password? Or is there a way I can find it within the Security Certificate itself...

Thanks.



Can someone explain me subnetting?

I was given a question asking me to calculate how many bits (at minimum) you would borrow from the host bits of a given IP address and subnet mask (192.168.1.0/18) network and assign equally to five different subnets in the same physical LAN, and how many users can be supported for each LAN.

To be honest, my knowledge is very vague. I know how to calculate the network ID, broadcast IP and usable hosts, but I don't seem to understand what is expected when dividing into different subnets. I tried looking online for various tutorials but can't seem to grasp the concept. Just hoping someone could clarify or at least point me to what I need to do. Thanks.
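A worked version of the calculation asked about above, as an added example (not part of the original post): it borrows the minimum number of host bits for the requested subnet count, derives the new prefix and usable host count, and lists the resulting subnets and their network/broadcast/first/last addresses. The figures 192.168.1.0/18 and five subnets are taken from the post; everything else is standard-library `ipaddress`.

```python
"""Worked subnetting example (added here; not part of the original post).

Given a network and the number of equal-size subnets required, work out the
minimum number of host bits to borrow, the new prefix length, the usable
hosts per subnet, and the resulting subnet list.  Sample input is the post's
192.168.1.0/18 split into five subnets.
"""
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def bits_to_borrow(subnets_needed: int) -> int:
    """Smallest n such that 2**n >= subnets_needed (pure integer arithmetic)."""
    if subnets_needed < 1:
        raise ValueError("need at least one subnet")
    n = 0
    while (1 << n) < subnets_needed:
        n += 1
    return n


def usable_hosts(net: Network) -> int:
    """Usable host addresses; IPv4 reserves network and broadcast on /30 and larger."""
    total = net.num_addresses
    if isinstance(net, ipaddress.IPv4Network) and net.prefixlen <= 30:
        return total - 2
    return total  # /31 point-to-point and /32 have no reserved addresses


def split_equally(network: str, subnets_needed: int) -> Tuple[int, int, int, List[Network]]:
    """Return (bits_borrowed, new_prefix, usable_hosts_per_subnet, subnets).

    strict=False normalises a host-style address such as 192.168.1.0/18 to its
    real network address 192.168.0.0/18, which is the first thing that trips
    people up with this kind of question: the /18 block starts at 192.168.0.0.
    """
    net = ipaddress.ip_network(network, strict=False)
    borrow = bits_to_borrow(subnets_needed)
    new_prefix = net.prefixlen + borrow
    if new_prefix > net.max_prefixlen:
        raise ValueError(f"cannot carve {subnets_needed} subnets out of {net}")
    subnets = list(net.subnets(new_prefix=new_prefix))
    return borrow, new_prefix, usable_hosts(subnets[0]), subnets


def describe(net: ipaddress.IPv4Network) -> Dict[str, str]:
    """Network ID, broadcast, mask and first/last usable host for one IPv4 subnet."""
    if net.prefixlen > 30:
        raise ValueError("/31 and /32 have no broadcast address")
    return {
        "network": str(net.network_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
    }


if __name__ == "__main__":
    # The post's question: 192.168.1.0/18 into five equal subnets.
    # 5 subnets need 3 bits (2**3 = 8 >= 5), so /18 becomes /21 with 11 host bits,
    # giving 2046 usable hosts per subnet and 8 subnets (3 of them spare).
    borrow, prefix, hosts, subnets = split_equally("192.168.1.0/18", 5)
    print(f"borrow {borrow} bits -> /{prefix}, {hosts} usable hosts each, {len(subnets)} subnets")
    for s in subnets:
        print(s, describe(s))
```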



Best practices for site-to-site vpns

I am the sys admin for my company. We don't have a dedicated net admin, so I have had to handle this role as well. We have about a dozen sites, each with a sonicwall. I am trying to figure out the best practice for connecting these sites via VPN. In the past we've used the sonicwalls site-to-site vpn option, but lately I've been using tunnel vpns with static routes. I'm debating between setting up route advertisement and then filtering in the firewall rules rather than individual routes, or going back to site-to-site, which functions much in the same way as route advertisements by explicitly stating which networks or objects to offer.

I'd appreciate some feedback from someone experienced in this aspect.



Need IT Partner in Toronto

Hi Everyone,

Due to COVID-19, our company is facing travel restrictions. This would be great, however we're going to be under the gun pretty soon to bring up a new distribution center in Toronto. :(

It's a big city, so lots of IT partners that can rack switches and drop configs on them. I'm hoping that some of you have companies you actually like working with in Toronto.



Software to flash dell switches ?

Just wondering how you guys flash new Dell EMC switches like the S4200-ON and S5200-ON. There are a lot of components that need to be flashed and it's a pain doing that individually. Does Dell have anything to automatically install the latest packages on these switches?



Is e-mailing a half-duplex or simplex method?

Pls help. I have a hard time figuring it out :)



Wireless Authentication/Security

Hi to all,
I'm planning to secure the wireless connectivity of my company.
I'm thinking that the "EMPLOYEE" SSID cannot be used by a user unless they are registered/authenticated in our domain. If so, they need to input their Windows/AD account to log in.

I'm using a Cisco WLC 2504 model.

Or if you have any other suggestion to secure the wireless network connection, please share as well, guys.



Cisco ASA 5506-X | Leased Line w/DSL Failover | Default Route Preference

Hi,

I have a requirement to configure an ASA 5506-X to have both a leased line connection and DSL connection terminating into the same device with the leased line being the preferred route.

My setup is as follows (IP addressing for testing only):

interface GigabitEthernet1/1
 nameif LL_WAN
 ip address 77.1.1.2 255.255.255.252
!
interface GigabitEthernet1/2
 nameif FTTC_WAN
 pppoe client vpdn group groupname
 ip address pppoe setroute
!
route LL_WAN 0.0.0.0 0.0.0.0 77.1.1.1 1

Now from what I can see, the "setroute" command automatically establishes a default route, which is all well and good, but I can't seem to de-pref it. I need the preferred default route to be the leased line route and was going to use a track statement to drop that route should reachability go down.

I have tried creating a static route manually but become stuck when offering a next-hop IP. With it being DSL, the next-hop IP is the same as the FTTC_WAN interface, which it doesn't like.

ERROR: Invalid next hop address 1.1.1.1, it matches our IP address 

My experience with Cisco routers is you can configure the below where you specify the interface as a next hop rather than an IP:

ip route 0.0.0.0 0.0.0.0 Dialer0 

I can't seem to see anything similar on the ASA and without being able to lower the preference on the DSL default route it means this solution cannot go ahead as it is.

Any help would be greatly appreciated.

Thank You



Wednesday, March 11, 2020

Hosting a local Media Server with no internet

Hey everybody.

I hope I am in the right sub for this.

My situation is a bit different. I am in the military, US Navy to be exact. At home, I have a full media/Plex server. I want to provide something similar at work.

I'm trying to copy my media library over and set up a small local server for roughly 8 people to watch and consume media on laptops, iPad/tablets and phones over Wi-Fi. We don't have Internet available once we are underway.

I was considering copying my Plex server over but that would require an app and user account for each user on a mobile device and a paid subscription for mobile viewing. Laptops wouldn't be much of an issue once they establish an account prior to the underway.

I was wondering if there is a better option to use for sharing this media locally on various devices from mobile to laptops.

Thanks everybody.



How to connect host machine to the Mininet network on VM?

Any kind of help would be appreciated. Thanks



Is a Tunnel the layer 3 equivalent of a Tap at layer 2 and vice-a-versa?

NB: I know the rudiments of what a tunnel and a tap are :) I'm asking if there's an underlying conceptual theme uniting the two things. They are both unidirectional in the sense of their respective layers, right? i.e., a tap is literally unidirectional from output to source (or vice versa, or it would be a reverse tap?) And a tunnel (conventionally) is one-way in the server-client sense?

Am I on the right track, or am I joining dots that shouldn't be joined?



Setup of a IAP-205 with CLI

Needing some help to set up an IAP-205 with the CLI. I know how to reboot and get into the CLI but I don't remember what commands to issue next to set it up correctly. If someone has a list I would appreciate it.

Thank you in advance.



Catalyst 4507. Old IOS mismatch on the supervisor engines. Should I upgrade both to newest firmware or match older configs on supervisor.

My supervisor engines are mismatched on my switch. Both versions on the engines are old and at end of life. Should I just upgrade with a brand new config? They are redundant so there should be no downtime.



Opinions on this supplier?

Hello everyone, I'm looking to make a purchase of some networking equipment, and I was wondering if anyone has some experience with or has heard of the following online shop: router-switch.com. I don't trust customer reviews on the site itself, since they could easily be made up. I barely found these two review sites, where they hold a very (supposedly) positive rating: https://www.resellerratings.com/store/Router_switch and https://es.trustpilot.com/review/www.router-switch.com. Something seems off, however. They claim to be "one of the biggest Global Network Hardware Supplier" and "a leading provider of network products". It just seems odd to me that, despite selling as much as they claim to sell, they barely have 4 negative reviews (can be found on the first link). Moreover, two of those reviews were kind of alarming: they imply they sell counterfeit or refurbished (not advertised as such) products, and one of those reviews had two comments that claim to be from "customers" but say (kind of) the exact same thing (kind of shady, isn't it?). Maybe I'm a little too paranoid, but I have to take precautions since the equipment is for the company I work for, and the project's budget is sizable enough to have me worried. Anything you can share about your experience as a customer is welcome and appreciated.



Noob with a vlan question!

Sorry in advance because I'm sure this has been covered, but I'm learning about VLANs and how to set them up for IoT homelabs and had a very basic networking question. Did I mention I'm a noob?

So I get (I think) that VLANs exist on certain ports or banks of ports of managed switches. Regular computers would exist on one VLAN, IoT devices on another. The next level up would be a router, which then connects to the modem and then the Internet, right?

So going the other direction

1) Internet/cable company

2) home modem

3) router or router modem combo

4) managed switch

5) all the vlans

Is this correct?

If you wanted a dedicated WiFi network for each vlan, would you just shove another router in between 4 and 5 for each respective vlan?



Very slow download/upload speeds on Dropbox exclusively

Hi guys, I got this super weird situation with dropbox.

At a certain point, around 3 or 4 weeks ago (possibly more) my dropbox download/upload speed decreased to 1mb/s.

My connection is 100 Mbps, so I was having 70-90 mb/s normally.

The thing is that all other sites, uploads and downloads work well.

Tried incognito and even Microsoft Edge - results still the same. Reset my network fully, same.

Tried on my laptop within the same network and the speeds are high as they're supposed to be, so I guess the problem is in settings of my pc somewhere. But I don't know where to look.



Dell emc os10 and opx

Anyone here have experience with configuring switches running Dell EMC OS10 and OPX on the ONIE platform? We have new switches that we're trying to configure on our network and are trying to find someone looking for a remote gig to get us started. We currently have a bunch of switches all running FTOS and had not needed to add to our network in a while. Not looking for a full professional services engagement but trying to get up to speed and understand what needs to be done to add these in... the new blade chassis has the OS10 switches and we got another switch that has OPX 3.1 on it. Thx.



Redistribution OSPF into EIGRP doesn't work

Hello guys, I'm doing my lab with Packet Tracer; it's about IGPs. I'm currently trying to solve a problem: when I try to redistribute OSPF routes into EIGRP it doesn't work. I've done redistribution from EIGRP into OSPF, and those routes show up as O E2 as they should. I have a Packet Tracer file if someone wants to help me.

I think it's just a bug in Packet Tracer but I'm not 100% sure; I use version 7.3.0.0838 of Packet Tracer.

Link to packet tracer lab - https://drive.google.com/file/d/1mlmgZCY9bHqVNYY0JVBNirHkDsXprOGH/view?usp=sharing



L3 IPVPN + WWW

Hoping for some guidance.

We are a company spread across 12 sites, all connected to a L3 IPVPN with carrier managed CE Cisco routers. Internet is delivered into the data centre and is accessible by all sites on the VPN.

What I'm trying to work out is if we get a 2nd internet circuit delivered into head office for some redundancy, how do we handle the failover in the case of a DC outage (carrier managed DC with a few outages over the years)?

I've got an OK theoretical handle on BGP but not a huge amount of hands on experience managing it so hoping the Reddit brains trust can help me understand how this might work given the carrier MPLS network in the middle which is making me scratch my head a little.

I have tried Googling the issue and reading through Cisco CVDs but can't seem to find anything to explain how it might work. Any vendor references would be great if you know of any.



Firepower syslog to remote target - broken after code upgrade

Already ranted on FP, so I'll spare you. Curious if anyone has experienced a complete break in logging to a remote syslog target following an upgrade? Captures show nothing, so the FTD seems to not be sending messages. TAC has about 3-4 hours into the case so far with no ideas. Configuration is the same as when it was working.

If not, nbd. Hopefully TAC can pull through. Was working on 6.2.3, broke on 6.4.0, and is still broken on 6.4.0.7



Need help updating SSL Cert

I've been asked to update our SSL Certificate on our load balancer and it's something I've never done before. I'm trying to figure out what to do.

It's asking for a key file and a certificate file. I'm not sure how to get either one of these. I was given .crt, .pem and .p7b files that were downloaded from GoDaddy. Based on my research it seems like I need to generate the key file through OpenSSL.

I followed directions on this site - https://knowledge.digicert.com/solution/SO27347.html

but don't understand how doing this would link to the cert I downloaded from GoDaddy, so I think I'm just missing a step or something. Any help in the right direction is appreciated.



Does my switch slow down my internet connection?

I was wondering if my switch is outdated and throttles my overall internet speed, because it has been a long time since I bought it. I don't know much about networking, so maybe someone can help me. Here is the setup: the Internet cable goes to an Easybox 904 xDSL, then to a switch (Allied Telesis AT-FS716L), then it splits to three routers, and the one I'm connected to and using is configured as an access point, I think. Please let me know if you need more information.



Routing loop? - Firewall interface?

Hi,

I have the following config:

router ospf 1
 router-id 10.22.1.65
ip route 0.0.0.0 0.0.0.0 Loopback1
ip route 10.22.8.0 255.255.255.0 10.22.1.250
ip route 10.22.14.0 255.255.255.0 10.22.1.254
ip route 10.22.15.0 255.255.255.0 10.22.1.254
ip route 192.168.103.0 255.255.255.0 10.22.1.250
ip route 192.168.104.0 255.255.255.0 10.22.1.254
ip route 212.50.160.56 255.255.255.255 10.22.1.3

If you trace the connection to something in the 10.22.14.0/24 network, you get this

Tracing the route to 10.22.14.9
  1 * * *
  2 10.22.1.253 0 msec 0 msec 8 msec
  3 * * *
  4 10.22.1.253 0 msec 0 msec 0 msec
  5 * * *
  6

(And it keeps going like that)

The 10.22.1.253 address is the SVI of a VLAN:

interface Vlan810
 description SVI:: IDC - FW01 Linknet
 ip address 10.22.1.253 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
end

I've done this from our core switch

From windows, I logged onto a machine with an IP of 10.22.13.1 and got this (similar, basically)

C:\Users\Administrator>tracert 10.22.14.9

Tracing route to 10.22.14.9 over a maximum of 30 hops

  1    <1 ms     3 ms     1 ms  10.22.13.254
  2    <1 ms     1 ms     1 ms  10.22.1.1
  3     *        *        *     Request timed out.
  4     2 ms     1 ms     1 ms  10.22.1.249
  5     *        *        *     Request timed out.
  6     2 ms     1 ms     1 ms  10.22.1.253
  7     *        *        *     Request timed out.
  8     1 ms     1 ms     1 ms  10.22.1.253
  9     *        *        *     Request timed out.
 10     4 ms     1 ms     1 ms  10.22.1.253
 11     *        *        *     Request timed out.
 12     3 ms     2 ms     2 ms  10.22.1.253
 13     *        *        *     Request timed out.
 14     1 ms     3 ms     2 ms  10.22.1.253
 15     *        *        *     Request timed out.
 16     1 ms     2 ms     1 ms  10.22.1.253
 17     *        *        *     Request timed out.
 18     1 ms     2 ms     2 ms  10.22.1.253
 19     *        *        *     Request timed out.
 20     2 ms     1 ms     1 ms  10.22.1.253
 21     *        *

I'm not sure how this can be fixed? It does have the

ip route 10.22.14.0 255.255.255.0 10.22.1.254 

route

sh ip route shows this:

gb-bfd-idc-cor-01#sh ip route | i 10.22.1.254
S    192.168.104.0/24 [1/0] via 10.22.1.254
S    10.22.14.0/24 [1/0] via 10.22.1.254
S    10.22.15.0/24 [1/0] via 10.22.1.254
gb-bfd-idc-cor-01#

The firewall's IP is 10.22.1.254, not 10.22.1.253

Our current core setup is this:
https://ibb.co/0QZCJ8m
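As an added diagnostic example (not from the original post), the script below parses Windows tracert and Cisco IOS traceroute output and flags any address that answers at more than one hop, the pattern visible in the traces above. The sample traces embedded in it are constructed to resemble the post's output, not copied from it.

```python
"""Traceroute loop detector (added example, not from the original post).

Parses Windows tracert and Cisco IOS traceroute output, extracts the
responding address per hop, and reports any address that answers at more
than one hop.  A packet bouncing between two routers expires its TTL on
each of them alternately, so one address repeating every other hop, with
the hop in between silent, is what a two-node forwarding loop looks like
when one of the two nodes does not send ICMP time-exceeded replies.
"""
import re
from collections import defaultdict
from typing import Dict, List

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")            # "  6   2 ms ... 10.22.1.253"
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(output: str) -> Dict[int, str]:
    """Map hop number -> responding IPv4 address; hops with no reply are omitted."""
    hops: Dict[int, str] = {}
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:                      # headers, prompts, blank lines
            continue
        hop, rest = int(m.group(1)), m.group(2)
        ip = IPV4_RE.search(rest)
        if ip:                         # "* * *" lines carry no address
            hops[hop] = ip.group(1)
    return hops


def find_loops(output: str) -> Dict[str, List[int]]:
    """Return {address: [hops...]} for every address seen at two or more hops."""
    seen: Dict[str, List[int]] = defaultdict(list)
    for hop, ip in sorted(parse_hops(output).items()):
        seen[ip].append(hop)
    return {ip: hops for ip, hops in seen.items() if len(hops) > 1}


def loop_period(hops: List[int]) -> int:
    """Constant spacing between repeats (2 = every other hop), or 0 if irregular."""
    gaps = {b - a for a, b in zip(hops, hops[1:])}
    return gaps.pop() if len(gaps) == 1 else 0


# Constructed sample traces, shaped like the ones in the post.
WINDOWS_SAMPLE = r"""C:\Users\Administrator>tracert 10.22.14.9

Tracing route to 10.22.14.9 over a maximum of 30 hops

  1    <1 ms     3 ms     1 ms  10.22.13.254
  2    <1 ms     1 ms     1 ms  10.22.1.1
  3     *        *        *     Request timed out.
  4     2 ms     1 ms     1 ms  10.22.1.249
  5     *        *        *     Request timed out.
  6     2 ms     1 ms     1 ms  10.22.1.253
  7     *        *        *     Request timed out.
  8     1 ms     1 ms     1 ms  10.22.1.253
  9     *        *        *     Request timed out.
 10     4 ms     1 ms     1 ms  10.22.1.253
"""

IOS_SAMPLE = """Tracing the route to 10.22.14.9
  1 * * *
  2 10.22.1.253 0 msec 0 msec 8 msec
  3 * * *
  4 10.22.1.253 0 msec 0 msec 0 msec
  5 * * *
  6 10.22.1.253 0 msec 0 msec 0 msec
"""

if __name__ == "__main__":
    for name, sample in (("windows", WINDOWS_SAMPLE), ("ios", IOS_SAMPLE)):
        for ip, hops in find_loops(sample).items():
            print(f"{name}: {ip} answered at hops {hops} (period {loop_period(hops)})")
```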



Cheap router for small business

Hello, I am about to build a small business network and need help with picking a router. It should be able to handle at least 2 subnets and preferably gigabit speed or at least 100 Mbit/s

One subnet is for a file server and similar, the other will be for regular staff. Total connected devices at one time will never exceed 20 at this point. It would also be nice to have one subnet to spare for future purposes.

Budget is preferable around 100$ but not more than 200$.

I have looked at tp-link and have good experience with them. What do you guys recommend?



Networking side projects

Hi fellas. I was wondering if any of you know of any network projects to do? What I mean is, for example, if you did a computer science degree you'd know programming so you could create small projects and whatnot. What about if someone's doing a networks degree, which I am? There's zero programming involved in my degree, just stuff like Cisco CCNA and cyber security stuff. What could I create and how? It's not like I can "program" a network, if you know what I mean. Any help would be appreciated.



Best practices for accessing multiple clients on different ports behind the LAN side of a router which is securely connected to a VPN on its WAN side

Hello you all! I have a question regarding some best practice tips and tricks on how to access clients on a LAN behind a router.

Here’s a quick overview over what I want to accomplish:

We at my company are currently in the process of developing an "IoT" device. One or multiple of these devices will be connected to a router by NetModule (for now). The router is an LTE router and it routes all traffic into a VPN provided by our ISP which again is connected to our onsite firewall (for now; I am aware that this is by far not the best solution to this).

The reason for this is that we want to be able to access these routers and devices while they are deployed in the field in case we need to configure something more. I set up the firewall to block any traffic except for the bare minimum of SSH, HTTP(S) and ICMP so we can test a little bit.

I can access the router no problem via the "public" IP it has inside the VPN tunnel (10.x.x.x, so a private range IP on the WAN side of the router).

Next to the normal iptables firewall the router also supports stuff like NAPT for port translation and all different kinds of routing possibilities like static, extended or multipath routes, multicast via IGMP proxy, static routes etc.

Next to all of that it also supports different VPN protocols as either server or a client. So, my question would be what would be the best way to approach making the devices in the LAN of the router reachable?

I’ll limit the access to the LAN of the router to a specific part of our company network and we’ll have made sure to isolate and segment all that stuff so no worries on that side. I just want to have some input on how to make x clients with x ports accessible without compromising much security and without exposing everything to the WAN.

Thanks so much in advance! And I hope you all will have a great rest of the week!



Startup networking suggestion

Hello Everyone,

Can anyone suggest the network equipment needed for the startup company with a team of 15 members? Please provide the product link if possible.



Tuesday, March 10, 2020

About Canada [Question]

We have hundreds of offices, and hundreds of thousands of clients across Canada, Each with independent ISPs, and since last fall, the level of packet loss and ping times have gone up significantly. Congestion has gotten out of control. We notice it at work, and even my personal line is awful.

I've also been fielding questions here on Reddit. Rogers cable out east seems to be particularly affected, but they are treating each complaint like an individual line issue (which they are not). Most of our wireless carriers have had service outages in the past two months, which is odd.

The issue seems to be one of backhaul congestion, and not one of individual last-mile issues. All carriers and ISPs are affected as far as I can tell.

What could cause a massive country wide change like this? Is it the introduction of streaming services (Apple TV+, D+, Stadia)? Canada is rolling out 5G wireless hardware, so there are infrastructure changes happening now and we recently added "Unlimited" mobile Internet access. I don't think that could cause that much congestion....

Our clients have noticed slowdowns and loss on their home connections.

Any ideas?

I am at a loss.



Corona Virus and VPN traffic

Do you think our VPN infrastructure for work from home is sufficient to handle the increase?



Help with route poisoning in relation to EIGRP

Does anybody have a good guide or online reading material for poison-reverse / route poisoning in the EIGRP protocol? I have a topology where, unless I bump up the delay on one of the interfaces, a neighboring router poisons the route and it never shows up in the topology table.

I get why the route may not be feasible, but what would cause the poisoning?

thanks



Aruba IAP-205 issues

We have a network that has 4 IAP-205. We had to go and add some IAP-305 due to not having coverage. We have Juniper switches and set up the ports for the new IAP-305 just like the IAP-205. Plugged in the IAP-305 and they lit up no problem. They are seen on the network. They are not showing up in the cluster. Looking for thoughts on what to try to find out what the problem is now and how to fix it.

Thanks in advance



Help me improve my network. Trying to enable routing on my catalyst switch with SVI's.

Hey guys, so I just started a new job and am responsible for cleaning up/improving the current configuration.

The VLANs are all trunked to other layer 2 switches, which have management IPs. If I want to check them, I need to physically plug into a switch on the network and telnet into the management IPs.

You can see how this is a pain in the ass for monitoring purposes.

What should I do at this point? I was thinking of enabling routing on my core l3 catalyst and redoing the VLANs.

VLAN 10 = 10.1.10.0 /24

VLAN 20 = 10.1.20.0 /24



Upgraded to 300+mbps need a router!

Hey y’all!

Title says it all. I raid regularly on WoW, my girlfriend loves to watch shows whilst doing so.

I want a router that can handle 900 mbps.

Want something rationally priced. But I’m also happy to spend what’s necessary for 6-10 years.



Network design for a startup

Hi all,

I have the unique privilege of designing a cloud-first network design approach for a startup. Currently, we have very few desktops, all totally remote with point-to-site VPN enabled; however, in the below proposal we're trying to build out our first on-premise location.

We plan on using a shared workspace environment (in this example, WeWork) so we'd ideally like to segregate our network traffic, and route most of our internal server-based traffic through internal routing mechanisms, using a site-to-site VPN.

We will only have one site for the time being, but I think in this picture it should accommodate for additional spokes connecting to either the single hub, or a second hub with redundant peerings.

Can you guys please have a look and let me know if you think I've missed something? I'm not a networking guy so interested to have your take on it as well!

https://imgur.com/a/W7h28pH



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Such a thing as a cellular hotspot device for a home network?

Is there a “hotspot” device I can get that I could connect directly to a router to provide internet access for all of the machines wired to that router?

When I search for devices I’m only seeing “jet pack” type devices which are designed to plug directly into a single machine.

Note: Verizon is preferred.



M1000e M3601Q uplinks

Hello all,

I'm in the process of redeploying an old HPC system that's comprised mostly of M1000e chassis with 10Gb Ethernet and QDR IB. The M1000s have Mellanox M3601Q switches in them and I'm wondering what the best way to hook them up is. Traditionally we do 1 IB cable per compute node, but if these actually behave like switches that'd be like having 16 uplinks to a switch, which is around 8 or 16 times as many as we usually run. Should I run only a few (2, 4, or 8) cables to the back of these things or do I run all 16? Previously it had only 8 hooked up to each chassis but seeing the state the cluster was left in I'm not sure that's a good idea.

I'm also wondering if I should hook them directly up to the core or if I should still run "leaf" switches in each rack. My main goal is to ensure that MPI works properly for 96+ nodes and that the I/O from our file system isn't poor as these will mount users' home/work directories and our software stack over NFS.



For those of you who have intentions of taking CCIE 2.0 how are you preparing for it?

Mainly I am asking about the LAB, particularly the Software Defined Infrastructure domain as it's 25% of the exam. It seems like everything else you can piece together through various other pre-existing training materials. The DevNet material out there should be more than enough to approach the Programmability part of the exam.



Quick Sanity Check - Cisco Stacking

Hello All,

I'm new to environments with Cisco switch stacking so I'd like a confirmation before I propose a change/upgrade. Any help is appreciated!

Currently we have an IDF with 5 Cisco 2960X-24PS-L switches and we need to add a 6th. Our current setup is one up-link per switch to our core, 2x Cisco 3850-24T-S in a stacking configuration. We do not have any spare SFP ports on our 2x 3850-24T-S available. My proposal instead of adding an additional 3850 family switch would be to add all 6 switches into a stacking configuration to add redundancy and up-link capacity. My idea is the following;

Place the IDF switch ports GigE 0/25, 2/25, 3/25, and 5/25 in a LACP group that would trunk back to the Core

Place the Core switch ports GigE0/1/1, 0/1/2, 1/1/1, and 1/1/2 in a LACP group as well.

Would this work and is it supported? Diagram below.

https://i.imgur.com/8Uzdfkw.png



Catalyst 9300 to ACI in VPC one port in Suspend.

Hello,

I am pretty inexperienced with ACI and I am having trouble getting this to work:

https://i.imgur.com/9JOsq7T.png

It may be a gap in knowledge in how it works, or a design flaw, does anyone know an easy way to get this working?

We need both of these links up so we can failover in case a link goes down and for throughput. Both of these links work individually so I know it isn't a layer 1 issue.

This setup works for all the switches in HQ already, but they are direct connections and not point to points.

Thank you.

Edit: The original image contains the Access port configuration which is not in use here is the VPC policy we use: https://i.imgur.com/lZAUesT.png



How do you configure your firewalls to route over EVC connections?

So just today I got the OK to set up a new remote site for DR. So I called our ISP that provides us with a 1x1Gb fiber circuit and was told they can offer EVCs now. The guy compared it to MetroE or P2P T1s from the old days.

Am I correct in thinking (I haven't found a decent example online yet) that the interface in SiteA for the EVC to SiteB will be addressed on SiteB's subnet?

And that I'll just be doing simple subnet routing between them? Likely either termination all EVC's onto a switch with VLAN'd ports or dedicated ports on the firewall?



LACP + Vlan Trunking on ISR integrated Ge ports

Hi everyone,

I would like to setup an LACP link between an ISR and 2 Aruba 2930M switches. On my ISR, I have 11 GigEthernet interfaces. 7 of them are based on the NIM-ES2-8 module, which does not support Etherchannel.

The three remaining GigE ports are the three integrated ports of the ISR, which are compatible with Etherchannel. I managed to configure 2 of them in the same channel group, no trouble. My question now is how do I configure the VLANs I need to tag? Because the switchport command doesn't exist on this type of port.

I learned about the existence of this command: port-tagging encapsulation dot1q 3

But I am not able to tag more than one VLAN ID.

Does this mean I have to create sub-interfaces for both of my GigEth, like this: Gi0/0/1.2 Gi0/0/1.3 Gi0/0/2.2 Gi0/0/2.3

? I'm not sure where this is going... Can someone help me define the way to do this? Thanks a lot! Cheers.



Thoughts on Ubiquiti in a business environment

Good day everyone. I wanted to get some feedback from the experts while I'm doing my research. What are everyone's thoughts on Ubiquiti products in an enterprise environment? One of the goals for this year is to replace our old switches with a few (maybe four) 48-port switches. My boss recently bought Ubiquiti for his home and is really digging it. He really likes the cost and the features. But whenever I hear something is really cheap I kind of have to take a step back and wonder why. It looks like the features of Ubiquiti UniFi (e.g. VLANs at least) are solid. But I've heard support is very flaky and that makes me nervous. I'm also seeing that a few of them have 10GbE support but not on every port. Most of them are 1GbE. We currently have 1GbE with our current old switches but I want the 10GbE so we can have an upgrade path. Right now we have a Cisco ASA for any routing and WAN stuff. Thank you all in advance.



Should we be worried?

..that one of the biggest IX, the AMS-IX uses the same photonic cross-connects which may or may not be used by a certain gov't agency in certain dystopian ways as highlighted by a certain individual who likes to blow whistles?

https://www.ams-ix.net/ams/documentation/ams-ix-topology

Do you people know what I am talking about?



NX-OS Upgrade Non-ISSU

What is the difference between install-all vs manually defining kickstart and boot variables? On Cisco's guidelines:

I can either do

Method 1:

install all kickstart n7000-s1-kickstart.7.2.0.D1.1.bin system n7000-s1-dk9.7.2.0.D1.1.bin

which will automatically reload the switch with the updated code

or I can do

Method 2:

boot kickstart bootflash:n7000-s1-kickstart.7.2.0.D1.1.bin

boot system bootflash:n7000-s1-dk9.7.2.0.D1.1.bin

copy running-config startup-config vdc-all

reload



Add Vlan to Cisco Switch

Bear with me as the Cisco CLI is not my forte, but I can do it once pointed the right way.

The switches are both Cisco SG300

We need a new vlan to be sent across the core switch over the uplink port to a 2nd switch in a different building (where we need the vlan)

I see the following on the Core switch

 interface gigabitethernet48
  description "Trunk to Juniper Firewall port 6"
  spanning-tree portfast
  switchport trunk allowed vlan add 3,20,30,40,50,100,200
  switchport trunk native vlan 2

and this, which is the uplink between the two switches:

 interface gigabitethernet52
  description "Uplink to sw-hanger-1 port gi28"
  switchport trunk allowed vlan add 2-3,20,30,40,50,100,200,220-221
  switchport trunk allowed vlan add 230-231,240-241

and my show vlan:

 Vlan  Name   Ports                        Type     Authorization
 ----  -----  ---------------------------  -------  -------------
 1     1      gi50-52,Po1-8                Default  Required
 2     2      gi48,gi50-52                 static   Required
 3     3      gi48,gi50-52                 static   Required
 20    20     gi48,gi50-52                 static   Required
 30    30     gi48,gi50-52                 static   Required
 40    40     gi48,gi50-52                 static   Required
 50    50     gi48-52                      static   Required
 100   100    gi1-25,gi27,gi29-48,gi50-52  static   Required
 200   Mesh   gi26,gi28,gi48,gi50-52       static   Required
 220   name1  gi26,gi50,gi52               static   Required
 221   name2  gi26,gi50,gi52               static   Required
 230   name3  gi26,gi50,gi52               static   Required
 231   name4  gi26,gi50,gi52               static   Required
 240   name5  gi26,gi50,gi52               static   Required
 241   name6  gi26,gi50,gi52               static   Required

So I would assume I would need to add a vlan to the switch by:

 config
 vlan database
 vlan 150        --- to add it
 exit

Then configure the ports to add it, correct?

 conf t
 interface gigabitethernet48    (and the same on gi52)
 switchport trunk allowed vlan add 150
 end

And that should add vlan 150 to the switch and then assign it to both port 48 and 58

And then do the same on the other switch



Coffee Shop Network Setup

Hello everyone, I am helping a local coffee shop set up their network before they open. The space is 2700 sq. ft and they expect 40-50 connected devices during peak usage. I'll post a link to an image of the floor plan as well. We'll be setting up two networks, one for POS/owners, and one for guests.

I feel confident setting up Ubiquiti unifi devices and am planning on using the following:

- Ubiquiti Security Gateway

- Controller: Cloud Key

- Switch: 8-60W, 4 PoE

My question based on the floor plan and usage is what access points to get and how many. I feel less confident choosing these as I have not done many installs. Any help would be greatly appreciated and I can provide more info if needed.



OSPF area default-cost vs default-information originate

Can anyone explain to me, or point me to some reference, what the difference is between the two commands with respect to how a default route is injected into an NSSA area from an ASBR and how the metric is calculated?
When using area area-id default-cost, the metric of the route injected into the NSSA area seems not to take into consideration the path cost to the ASBR, but only the cost defined on the command.

Thank you



rfc-6598 vs rfc-1918

Hi,

What's the difference between RFC-6598 addresses and RFC-1918 addresses?

Thanks,

Mapfumo



Push multiple Anyconnect Profiles?

Putting together this document in the event that a large amount of our users have to work remotely, and trying to find the easiest way to give access to our back up Anyconnect VPN.

I know how to manipulate the XML file on the local device, but let's be real, 99% of the users will not.

Is there a way to add the secondary profile to the Anyconnect client through like push or download when the user starts their current client?



pfSense sending ARP request before sending DHCP ACK

I'm writing my VNFs and noticed that pfSense is broadcasting an ARP request for the yet-to-be-assigned IP address before the host has even received the DHCP ACK. What happens is the ARP request gets ignored by my VNFs because I haven't received the DHCP ACK and don't have my IP address yet...

Is it normal? What is the best way to deal with it? I was thinking about broadcasting a gratuitous ARP so the pfSense (and other hosts in the subnet) update their ARP tables.



Devices not getting IP from AP

We have a Fortigate 60D that is at one of our remote sites. On this Fortigate we have a port configured for our WLAN. The AP which is a Ruckus AP gets an IP from the zone controller back at our main facility.

The issue is none of our clients that authenticate on the AP are getting an IP. This AP was set up and working at our site. So I'm assuming it has to do with the configuration on the Fortigate. Any ideas?



Trying to figure out why my Fortigate won't install a particular route/LSA

So I've got a few OSPF areas. Each rack is an area, and the spine switches make area 0 between them.

As the Fortigates are in two racks and because I'm using their FGCP cluster protocol, in order to make the port/IP configuration the same on both units in the event of a failover, I connected each member of the Fortigate cluster ("the Fortigate" from here on) to the leaf switches in both racks. This naturally puts them in two OSPF areas, neither of which is area 0. Just some background. This is something I plan to change/fix, but for now it is what it is.

It's also important to mention this is a pure layer 3 underlay network I'm talking about, with "routing to the host", so my hypervisors are advertising routes. And one final piece of background is that the Fortigates, being the gateways, are ASBRs as well.

So, in the two racks where the Fortigate has a presence (areas 100 and 200), I'm getting all the routes from the hosts. They get advertised as E2 as they are being pulled from other sources on the hosts and distributed into OSPF.

However, in a third rack (area 300, of which the Fortigate is not a member), the routes propagate through the spines, into the leaf switches in the other two racks, but the Fortigate won't install them for some reason. So a leaf, which only exists in area 200, for example, is installing the E2 route from area 300, but the Fortigate which exists in areas 100 and 200 is not.

I can post a rough diagram in a bit if it'd help. I'm thinking it's something to do with the Fortigate being in two areas and OSPF avoiding a routing loop. I have a backup plan in the meantime to get the traffic moving, but I wanted to see what you all think, as I'm not too well versed in OSPF.

Thanks in advance, happy to answer questions you might have.



Cisco modulus size

I was changing my DH key size on my switches and I saw this line, Modulus Size: 1024 bits, in the output of sh ip ssh, and my question is why I am seeing this and how I can change it? My crypto key is 4096 and as you see my DH is also 4096, but I am not sure why I am seeing the modulus size 1024. Any ideas?

 SSH Enabled - version 2.0
 Authentication methods:publickey,keyboard-interactive,password
 Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
 Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
 Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
 MAC Algorithms:hmac-sha1,hmac-sha1-96
 KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
 Authentication timeout: 120 secs; Authentication retries: 3
 Minimum expected Diffie Hellman key size : 4096 bits
 IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-3909557376
 Modulus Size : 1024 bits
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCp
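The "Modulus Size" line describes the RSA host key itself (the TP-self-signed key), which is separate from the Diffie-Hellman minimum that only governs the key exchange. As an added example that is not from the post or from Cisco, the parser below reads the modulus length straight out of an ssh-rsa blob in the RFC 4253 wire format, and because it only needs the length field and the first non-zero modulus byte it also works on the truncated key quoted above; encode_ssh_rsa and the SAMPLE_* values are constructed stand-ins, not real keys.

```python
import base64
import struct


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def rsa_modulus_bits(pubkey_b64: str) -> int:
    """Bit length of the RSA modulus n inside an ssh-rsa public key blob.

    Wire format (RFC 4253, section 6.6): string "ssh-rsa", mpint e, mpint n.
    Only the length field of n and its first non-zero byte are needed, so this
    also works on a blob that was cut off after the first few modulus bytes.
    """
    padded = pubkey_b64 + "=" * (-len(pubkey_b64) % 4)   # tolerate stripped base64 padding
    blob = base64.b64decode(padded)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {key_type!r}")
    _e, off = _read_string(blob, off)                    # public exponent, unused here
    (n_len,) = struct.unpack(">I", blob[off:off + 4])    # byte length of mpint n
    head = blob[off + 4:off + 12]                        # whatever modulus bytes are present
    stripped = head.lstrip(b"\x00")                      # mpint sign padding is a 0x00 byte
    if not stripped:
        raise ValueError("modulus bytes missing or all zero")
    sign_pad = len(head) - len(stripped)
    return (n_len - sign_pad) * 8 - (8 - stripped[0].bit_length())


def meets_minimum(pubkey_b64: str, minimum_bits: int) -> bool:
    """True when the host key modulus is at least minimum_bits long."""
    return rsa_modulus_bits(pubkey_b64) >= minimum_bits


def encode_ssh_rsa(e: int, n: int) -> str:
    """Build a base64 ssh-rsa blob from e and n; used here only to construct sample input."""
    def mpint(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
        if raw[0] & 0x80:                  # add a sign byte so the mpint stays positive
            raw = b"\x00" + raw
        return struct.pack(">I", len(raw)) + raw

    def string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b

    return base64.b64encode(string(b"ssh-rsa") + mpint(e) + mpint(n)).decode()


# The truncated key exactly as it appears in the show ip ssh output above.
PAGE_KEY_PREFIX = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQCp"

# Constructed stand-ins for a modulus (odd numbers of the right size, not real keys).
SAMPLE_1024 = encode_ssh_rsa(65537, (1 << 1023) | 0x1235)
SAMPLE_4096 = encode_ssh_rsa(65537, (1 << 4095) | 0x1235)

if __name__ == "__main__":
    for label, key in (("page prefix", PAGE_KEY_PREFIX),
                       ("sample 1024", SAMPLE_1024),
                       ("sample 4096", SAMPLE_4096)):
        print(f"{label}: modulus {rsa_modulus_bits(key)} bits, "
              f"meets 2048 minimum: {meets_minimum(key, 2048)}")
```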



Flow control, send / receive buffers, interrupt rate

What is the general recommendation for these advanced settings on network adapters?



Nexus 9364C entity tree

I am looking into integrating our N9K-C9364C switches into our management system. In particular, I need to find a way to link ports in ENTITY-MIB with interfaces identified by ifIndex... should be easy, right?

But this is how ports are numbered in ENTITY-MIB (just first four for brevity):

 5206 | port | 1  | Linecard-1 Port-1 (Linecard-1 Port-1)
 5210 | port | 5  | Linecard-1 Port-5 (Linecard-1 Port-5)
 5214 | port | 9  | Linecard-1 Port-9 (Linecard-1 Port-9)
 5218 | port | 13 | Linecard-1 Port-13 (Linecard-1 Port-13)

So Ethernet1/1 is Port-1, Ethernet1/2 is Port-5... Ethernet1/54 is Port-261.

What the ... ? Looks like I will need to special-case this. Or is there any logic to how Cisco dumps info into ENTITY-MIB entPhysicalTable?



Can a DSL phone line enter an Ethernet port in a router and still emit internet?

A business client has a DSL modem that ought to be replaced. My only experience is with routers having Ethernet ports. Can a phone DSL line (from where the Internet comes) enter an Ethernet port in a router and still connect to the Internet?



Monday, March 9, 2020

LAN Messenger server & client installation step by step [guide]

Office internal team chat software (Offline team chat) install guide https://www.youtube.com/watch?v=qeyGaRrqppU



Script to test port connectivity for multiple IPs

Hi Guys,

I have a requirement to test a list of servers to find out whether the connection is open to these IPs on a particular port. Is there any script that can be used to automate this? Something that reads the server IPs from a file and writes the output to another file?

Thanks much!
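As an added example that is not from the post, a small Python checker that reads one host per line, attempts a TCP connect on the given port with a timeout, classifies the outcome (open, closed, filtered, error), and writes host,port,state lines to the output file; the file layout and state names are my own choices.

```python
import socket
from pathlib import Path


def check_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connect to host:port and classify what came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"                # three-way handshake completed
    except socket.timeout:
        return "filtered"                # no SYN/ACK and no RST: typically dropped by a firewall
    except ConnectionRefusedError:
        return "closed"                  # RST came back: host reachable, nothing listening
    except OSError as exc:               # DNS failure, no route, etc.
        return f"error ({exc.strerror or exc})"


def check_hosts(hosts, port: int, timeout: float = 3.0) -> dict:
    """Return {host: state} for every host in the iterable, in input order."""
    return {host: check_port(host, port, timeout) for host in hosts}


def run_from_file(input_path, output_path, port: int, timeout: float = 3.0) -> dict:
    """Read one host per line (blank lines and '#' comments skipped), test them,
    and write 'host,port,state' lines to output_path. Returns the results too."""
    lines = Path(input_path).read_text().splitlines()
    hosts = [ln.strip() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]
    results = check_hosts(hosts, port, timeout)
    with open(output_path, "w") as out:
        for host, state in results.items():
            out.write(f"{host},{port},{state}\n")
    return results


if __name__ == "__main__":
    import sys
    # usage: python check_ports.py servers.txt results.csv 443
    in_file, out_file, port_arg = sys.argv[1], sys.argv[2], int(sys.argv[3])
    for host, state in run_from_file(in_file, out_file, port_arg).items():
        print(f"{host}:{port_arg} {state}")
```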



ISP Info, What is this called?

I got this info from the ISP. I know I gotta use it to configure the switch, but it's semi-jargon to me. What is this called, if I want to find YouTube/study material on breaking down this specific info to configure a new switch for inside and outside?




Jitter on local network when using RTP, but only on wired.

This is a long one, hoping I can get someone's help.

We have a home that has a VoIP intercom system (2N is the brand). This system is tightly integrated with their home automation system, Savant. Savant has a proprietary touch panel running on Android that, when the intercom button is pressed, a screen automatically opens with a camera view of the intercom displaying an option to answer the call. They also have a proprietary iOS and Android app for mobile/ipads. Typical stuff...

I rebuilt this entire network with 6 VLANs from the ground up and am having issues with ONE thing that I pinpointed today using Wireshark (I don't know where I can store it if anyone wants to look at it, so just tell me where to drop it).

Problem: VoIP calls to or from the intercom have jitter and thus, choppy audio. Only on the wired network on their touch panels. On the Savant App, on wifi, audio is crystal clear.

Here's the layout of the land: topology

Not my design.

From the touch panel to the Intercom there is a <1ms, sometimes <.5ms response time.

On wifi, we have no jitter. I'll be connected to the same WAP that is on the same switch as the touch panel (AVRack) and I'll make a call to the intercom just fine. But when I initiate it from the touch panel, immediately you can hear the choppiness.

There are 5 touch panels throughout the home and they all do the same thing.

I'm available for the next 5-6 hours to answer any questions.

Screenshot of jitter



Can ANYONE demo FG's SD-WAN Cloud-Assisted Monitoring & OCVPN?

I'm looking to compare FortiGate's featureset with others. Can ANYONE show me or point me to an explanation? I'm familiar with VeloCloud, and it sounds like Fortinet is bringing some of the same features to FGs, but I'm unclear.

I can't find explanatory screenshots and/or video overviews of the SD-WAN Cloud Assisted Monitoring or OCVPN usage. I just need to see them in use or have them explained other than as abstract features.

Thanks in advance to anyone who can help clarify.



Cisco WAN MACSEC

Hi All,

Does anyone have any experience with Cisco's WAN MACSEC? It looks like a really interesting solution but the documentation is incomplete to say the least.

Would like to know if this works on any L2 point-to-point link or do you still need ethertype 0x88e5 to be forwarded unmodified?



Nornir vs. Ansible: what path to take?

Hello everyone

I'm somewhat lost in my endeavor to decide in what direction our networking automation should go..

A little bit of context: we're looking at a BGP EVPN VXLAN implementation in the near future, which we want to automate at least to some degree. The main focus is on VRFs, VNIs, BGP neighbors, interfaces and so on. But I suspect once we're there, it should be possible to abstract all of the configuration to YAML files and create a single source of truth. Although that is not the point right now. Probably an important point is that we are at zero right now. Well, apart from some small scripts to collect information (with Netmiko and TextFSM) from other switches.

Where I'm at right now: I've played around with Nornir quite a bit lately. I do feel comfortable with it. I attached a link at the bottom with a sample of what I've done. If it's any good, I don't know..

I like the way I can handle all of it in Python and in conjunction with Jinja2 templates. I suspect there would be a bit of initial legwork but I can see a solution with it. On the other hand, I started to get comfortable with Ansible to really compare the solutions and ease the decision making process. And I have to tell you, I am not comfortable with Ansible right now. There seem to be very different approaches across the internet, and many of them I do not really like.

There are a lot of things I can't quite wrap my head around. For example, the directory structure I'm "supposed" to use. Do people create a role directory and then what? For example "spines"? And then a task directory where my YAML is at? Below I shamelessly linked a Github Repo with an example, it's not mine. Is this the way to go?

I'm not sure if I like the whole "I use a module ("nxos_ip_interface") where I can, if there is none, I just use "nxos_config" with config lines in the playbook (Jinja?) and if I absolutely have to, I'm gonna write my own module". That's messy, isn't it?

Well, I don't really know what to expect here. I guess I just want to have a discussion, some insight from others. In the end, I'm supposed to recommend a solution. For now I tend to go with Nornir, but to be very honest, I'm not even sure on my own and really struggling with finding arguments. Ansible is like Cisco in networking, nobody is going to hang you for going with it. That's in no way a justification to choose it, but it's one argument in the room...

Thanks in advance for any ideas, recommendations, links for educating myself and so on.

BGP Configuration Script (Nornir)

Some online example doing Ansible

PS: I don't usually post here, so if I broke any rules, please have some mercy...



What is an IPF number?

Hi, I received a letter from a friend with an IPF-computer-number, and then there were six numbers written after that, like the following: IP: ****** (every * is a number, I just don't want to reveal it for security reasons). Please help me find out what it is!



Subnet Question

I have taken over the network admin from a previous employee that left the company. He left minimal (if any) documentation. I am trying to replace a small home office VPN router for one of our sales people and the only info I have is what is listed below for the IP scheme of the users home office. The existing device has died so I have no access to the previous config. If I am looking at things correctly the gateway IP listed here is not correct, it should be 172.19.254.209?

IP Range: 172.19.254.210-172.19.254.220

Subnet mask 255.255.255.240

Gateway 172.19.254.225
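An added check, not part of the post, that applies the /28 mask to the range and gateway listed above with Python's ipaddress module: it derives the network, first/last usable and broadcast addresses, flags a gateway that falls outside the subnet (or collides with the range, network or broadcast address), and lists the usable addresses the range leaves free; the function name and report fields are my own.

```python
import ipaddress


def audit_ip_scheme(first_ip: str, last_ip: str, netmask: str, gateway: str) -> dict:
    """Check whether a host range, mask and gateway describe one consistent subnet.

    Returns the derived subnet details plus a list of findings (empty when consistent).
    """
    net = ipaddress.ip_network(f"{first_ip}/{netmask}", strict=False)
    first = ipaddress.ip_address(first_ip)
    last = ipaddress.ip_address(last_ip)
    gw = ipaddress.ip_address(gateway)
    usable = list(net.hosts())
    findings = []

    if last not in net:
        findings.append(f"range end {last} is outside {net}")
    if gw not in net:
        gw_net = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
        findings.append(f"gateway {gw} is not in {net}; with this mask it belongs to {gw_net}")
    elif gw in (net.network_address, net.broadcast_address):
        findings.append(f"gateway {gw} is the network or broadcast address of {net}")
    elif first <= gw <= last:
        findings.append(f"gateway {gw} overlaps the host range {first}-{last}")

    # Usable addresses inside the subnet that the range does not claim: gateway candidates.
    spare = [str(ip) for ip in usable if not first <= ip <= last]
    return {
        "network": str(net),
        "first_usable": str(usable[0]),
        "last_usable": str(usable[-1]),
        "broadcast": str(net.broadcast_address),
        "consistent": not findings,
        "findings": findings,
        "spare_usable": spare,
    }


# Values exactly as handed over in the post above.
POST_SCHEME = dict(first_ip="172.19.254.210", last_ip="172.19.254.220",
                   netmask="255.255.255.240", gateway="172.19.254.225")

if __name__ == "__main__":
    for key, value in audit_ip_scheme(**POST_SCHEME).items():
        print(f"{key}: {value}")
```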



Fiber Tap for Monitoring

Hi All, I need to monitor the connection between 2 direct-connected fiber devices. For design reasons, they cannot go through an IP network. I am trying to find a passive monitor that fails open, so if the tap power fails, the devices will not be affected.

I am looking at Profitap LC Fiber TAP Module, which appears to not even require power. Looking for the community's experience with this or similar devices.



Aruba 535 Power Troubles on Cisco Switches

Curious if anybody else has experienced some trouble deploying Aruba 535 or 555 series access points on Cisco switches?

Have deployed about 10 of these on Catalyst 2960 access switches at this site with some trouble - had to toy with them to get them to boot, make sure LLDP was running, etc. Eventually, once I got one working to be the IAP master, the rest seemed to pull firmware and fall in line.

But now I'm trying to add two more AP's, and can't for the life of me get them to boot properly.

They are installed, and when I patch them into my switches, they boot "halfway" - show an LLDP neighbor entry (with an APIPA address, never pulls DHCP) and show in the switch's MAC address table, but these entries disappear after about 2-3 minutes.

During all this time, no matter if I leave PoE on auto or static 30W, the AP only ever pulls 15. As a result, you can see the light flashing green, which indicates the radio is disabled, since the APs are running on 15W but require at least 30W.

Anyhow.... Just curious if anybody has figured out the trick with these things.


EDIT: Since it seemed like a power issue, I bought a 60W PoE injector and tried putting that in-line, but no change.



DHCP Management in 2020

Hi /r/networking, sysadmin here who has a customer who is asking about DHCP management solutions.

My customer recently moved to Azure, and previously had their multi-site DHCP hosted on a colo Windows Server (x2).

Now that the colo server is gone and they can't host the DHCP server role in Azure, they were going to go back to handling DHCP on the routers at each local site, but that is not centralised, so not great to manage etc etc.

Is there some sort of other solution, hardware/software they can buy which anyone could recommend to do this job for them? They are not huge, 30ish sites.

Thanks!



Question regarding bufferbloat chart from dslreports and if I should look into it more?

I get an F rating for bufferbloat on dslreports. When I look at the chart after the test, the chart shows that while Idle it spikes to over 1000ms, download also spikes past 10000ms, and upload barely spikes at all.

I have heard that bufferbloat really only affects you if other users are hogging up all of the bandwidth, but if the chart shows spikes while idle, does that mean that it is possibly affecting me at all times? Or what does the idle portion actually mean?



Anyone have experience load testing VPN

I am trying to figure out the easiest way to load test my VPN. The best thing I can think of is spinning up a bunch of instances in the cloud and use TREX to generate traffic and stress test our setup.

Anyone out there have experience doing such a test? Is there a better way to approach this?



VOIP issues, only incoming.

We've hit a VoIP issue and I'm hoping someone might be able to point me in the right direction.

Brief history: Went from Coredial to Skyswitch about a year ago. It's been a rocky road. Lots of issues with any client over like 5 phones. After working with Sonicwall we finally determined that we've been grossly undersizing our firewalls (we use them exclusively). Went through and upgraded all problematic clients and the issue seemed to be resolved.

We found out along the way that SS sends registration like every 5 seconds, as opposed to our other provider that sends them a more normal 3600.

Fast forward to today. One client is having continual issues. It is only on inbound calls. They describe it as a fading in and out, "like someone is leaving you a message" is what they say.

I've listened to hours of calls and I don't hear it. What I do hear is the incoming calls sound like they're clipping. Like the audio is way too hot, but not every call.

We've ruled out the firewall. It's properly sized and has all the correct rules for SS.

I've talked to verizon twice now, they have Fios with a static block. They came out once and said everything is fine, talked to them again recently and they see no issues and will be happy to come back out for a fee.

Internally phones are vlan'd.

VOIP provider has looked and has said yes we see pdv and jitter.

We use the same firewall rule set for all our clients so we've ruled that out. (Same, at least as far as VOIP is concerned.) So that's where we are.

From the pcaps you see that outgoing looks fine. But incoming RTP streams are full of loss and jitter. Also you see that they have CN payload when outgoing does not.

RTP Streams

If you look at any of these calls, I've been using "prepare filter", I see no issues with the RTP packets.

Looking for a little direction here. I'm still working with the provider on this but figured someone may have an idea.



Cisco 3850 recovery options

Hi All,

Kind of related to my last post but thought best to start a new discussion as my original query has been answered:-

I am currently trying to install a new switch stack in a remote office which I have no physical access to. 5 out of 6 switches are working fine; however, one of them is currently stuck in a boot loop.

I have managed to get access to the switch via a console server and I am now in rommon (or whatever it's called on the 3850). From dealing with boot issues previously, I have tried to delete the packages.conf as I suspect it is corrupt, but flash is currently read-only so I cannot change anything. I also cannot boot from a .bin file as there isn't one in flash, though I do have the .pkg files for 3.7.4E.

I cannot get the switch online temporarily to connect to a tftp server or use USB drives to download/install any new software due to politics/security or carry out the emergency recovery documented by Cisco.

Does anyone have any suggestions in order to fix this?

Please let me know if you need more information from me.



Problems with scanner disconnections since replacement of old AP's with new Cisco MR33

Hi all,

I'm currently having a problem I can't find a solution for and I hope maybe someone here can help me out.

I recently (1-2 weeks ago) replaced all our old Cisco AP's (models Aironet 1200 and 1240) with new Cisco Meraki MR33, and since this replacement barcode scanners constantly drop the connection when being actively used and not moving.

The models of the scanners are Tecton MX7 (old model but supports WPA2-AES) and Falcon X4 (very new, active since 2019). We first thought it had something to do with the scanners as some are really old ones, but as the issue only started after replacing the AP's, we are somehow thinking it could be because of the new AP's, but I'm unsure how to troubleshoot this kind of issue. Is there some kind of permanent reauthentication that happens that did not happen on the old AP's? I see the scanner on the AP is associated for a few seconds/minutes and then drops.

The scanners connect through WPA2-AES and authentication is with AD credentials to our DHCP server which is our radius server.

Does anyone have an idea what the reason could be and how to solve this?

Or is there something I can try on the AP's that proves that the AP's are working fine with the scanners, but that something needs to be modified on the scanners? Laptops or other wireless devices have no issues.

All AP's are hung up at the same location, so normally the coverage should be almost the same.

Thanks in advance



Cisco 3850 boot problems

Hi All,

I'm currently trying to set up a new stack of 6x Cisco 3850 switches and all but one have joined the stack successfully.

One of the switches, however, seems to be stuck in a boot loop and I do not have physical access to the switch to interrupt the boot sequence, but I do have console access via a console server, so is there a way to interrupt the boot sequence via the console?



Project mgmt tools for techs

Are there any techs working on projects who swear by any particular tools that help them keep on top of things? I've tried migrating my to-dos and priorities to Trello, but without a paid account I run out of boards. I doubt the organization I work for would sponsor a Trello account.

Some people around here use Excel, but I find that requires a lot of initial overhead. I'm neck-deep in a project and need to get up and going fast.

Open to suggestions.



OpenNAC Documentation

Hello everyone !

This is my first post ever and I apologise if I am posting in the wrong category. I am a masters student with an assigned project using OpenNAC. I have been endlessly trying to get access to their wiki forum, which requires account verification by an administrator. I tried contacting them through their website but failed to get hold of anyone :( and my account has not been verified (for 3 weeks now).

https://redmine-opennac.opencloudfactory.com/projects/opennac

Would it be possible for anyone to provide any documentation they might have regarding the product?

Thank you in advance for any help !



Sunday, March 8, 2020

I'm unable to find power management in the Device Manager

I'm attempting to set up Wake on LAN and I'm unable to find power management.



Routing Configuration Assistance Needed

Good Evening. I have 2 separate networks I am trying to get connected. I have one network, 10.x.x.x that has a direct Fiber connection into my Netgear M4100-50G Switch. The Router on my network is a SonicWall TZ400. I need to know how to get the routing configured correctly so that network and my 192.168.x.x network can pass traffic. Any assistance with this would be greatly appreciated.



Dilemma with DMCA Notice

Hello, my company has received a DMCA notice from Comcast Business. The notice lists that BitTorrent was used to download a movie illegally. Since we have a guest network, what measures should we take to prevent this from happening again? I was looking at SSL decryption, but that seems difficult since we also have a guest network. We have a Fortinet firewall currently. Would just a standard firewall setting stop the issue? Since most traffic is SSL, it wouldn't really stop the issue. I also heard about the 6 strike rule and don't want Comcast to stop our service.



Moronic Monday!

It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.



GRE Tunnel, OSPF, and Static Route Problem

Hello guys, I am having a problem with our activity in networking. We are told to apply a GRE tunnel so that we can reach from PC 1 to PC 2 or PC 2 to PC 1 in only 3 hops (not passing through the ISP router). I managed to do that, but I need to make the ISP router a backup path whenever I SHUTDOWN the Tunnel0 interface. Meanwhile, if I shut down the Tunnel0 interface and try to reach PC 2 from PC 1 it gives me recursive routing (seen in the picture). I am using OSPF on R1 and R2, and we are not allowed to configure OSPF routing on ISP. I think the problem is in my default routing on R1 and R2, or the summary routes on ISP, or both. I really need help on this one, can't seem to find the solution myself. :( Topology Recursive routing when I shut down the tunnel 0 interface

R1 config ISP router config R2 config



Portfast removed from access port if BPDU received?

I'm testing this in my lab. Everything I can find, including the new CCNP OCG and from google results, says that if a portfast enabled port receives a BPDU it will lose its portfast status. I'm unable to replicate this.

I have a 2950 switch with an access port connected to an ESXi host running a Kali VM. I am testing without any kind of BPDU or Root guard set up, the port config is pretty simple:

 interface FastEthernet0/20
  description ESXi Server
  switchport access vlan 20
  switchport mode access
  spanning-tree portfast

Here is STP status during normal operation:

 VLAN0020
   Spanning tree enabled protocol ieee
   Root ID    Priority    32788
              Address     0012.4322.0480
              This bridge is the root
              Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

   Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
              Address     0012.4322.0480
              Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
              Aging Time 300

 Interface        Role Sts Cost      Prio.Nbr Type
 ---------------- ---- --- --------- -------- --------------------------------
 Fa0/17           Desg FWD 19        128.17   Edge P2p
 Fa0/18           Desg FWD 19        128.18   Edge P2p
 Fa0/19           Desg FWD 19        128.19   Edge P2p
 Fa0/20           Desg FWD 19        128.20   Edge P2p
 Fa0/48           Desg FWD 19        128.48   P2p

When I send a BPDU into port Fa0/20 the only thing that happens is that port becomes a root port for 20 seconds and then goes back to a designated port. Nothing changes about the port config, portfast remains in place.

Can someone help clear this up? There are lots of little errors in the 350-401 OCG but this is not the only place I've seen it published so I don't know what the deal is.



Openvpn Deployment 2.7 Default Profile Issue

/r/sysadmin/comments/ffjjsc/openvpn_client_install_options/

Is checkpoint still relevant?

I have experience with ASA/FTD and Fortigate (a tiny little bit on PAN). Reading a recent Gartner MQ for the security or NGFW market players, Checkpoint is rated lower than Cisco, PAN and Fortinet...

So is Checkpoint still relevant from market share, security technology and innovation perspectives?

In my region, I have not heard of anyone who has a Checkpoint firewall...



Limiting RDP to Windows Server from Specific Subnet

Hello Guys!

Is it possible to limit RDP on Windows Server 2012 R2 to a specific subnet? I know that it can be done by allowing specific users to RDP.



NetGear GS724T Question

Hi guys.

Can you restore a backup config file from a GS724T V2 to a GS724T V4?

Thanks!



Personal Trusted Cert

I'm trying to create a wildcard cert just for my internal/home lab servers and equipment. A part of that lab environment is a guest page with Aruba controllers and Aruba Clearpass. Is there a way to create a wildcard cert without having to verify it? (since I technically don't own an external domain).

I'm willing to spend some money on it if I have to, just not like $200+ just for a cert that's going to live inside a lab environment.

P.S. I really hate certs and hopefully I'm not the only one.



Peering and Transit advice needed

Hi all, I'm looking for some advice on peering and transit. First of all, some info on what we do currently.

We have 2 x routers receiving full routing tables from two separate transit providers. Our routers are iBGP peers and we advertise a single /22 aggregate to both transit providers. Both routers are located in our own facilities and the transit providers drop the service off on Openreach tails.

I've been looking into peering at an IX to shift some of our traffic off the transit links. I haven't had any experience in IX peering and I was looking for some advice or tips on the best way to go about it in the UK. I'm torn between:

1/ putting a router in colo and renting a P2P circuit to connect it back to our network. Maybe even moving one of the transit connections to the colo to reduce the cost of the tails circuit. Peering directly on the IX.

2/ using a service like IX reach to remote peer at an IX and maintain the transit connections in our facilities.

3/ something else that I don't know is an option yet.

We’re a reasonably smallish network with the closest IX being about 100 miles away as the crow flies.

I'd appreciate any advice or pointers. I'm proficient enough in BGP configuration to run our network, but I lack any experience of colo or transport networks, aside from renting P2P Ethernet circuits for remote offices.