Saturday, April 4, 2020

Thank you to all Network Engineers

I'm not sure if this is allowed but it doesn't seem to be against the rules. Please let me know if there is a more appropriate place to post this.

I want to say a big thank you to all the network engineers who are in every corner of the world, keeping our network infrastructure up and running. In these uncertain times, everyone is working online and I am sure network traffic is at its peak right now. No one can imagine what would happen if our networks were allowed to fail right now. I'm not a network engineer but I deal with some network tech and I know how hard it can be. So I raise a glass to all network engineers.

  • Thank you for working endless shifts to monitor the networks and minimising downtimes.
  • Thank you for working hard to manage the traffic loads and for increasing the bandwidths.
  • Thank you for re-routing global network traffic so everyone still has an optimal experience.
  • Thank you for spinning up new servers and maintaining current servers for the increased loads.
  • Thank you for making text, voice, and video chat services available to everyone.
  • Thank you to the people working at streaming platforms to manage the bandwidth needed for everyone to stream their favourite shows.
  • Thank you for answering our silly questions about why we can't connect to our network services.
  • Thank you to everyone who still takes the time to educate our next generation of network engineers even though you had a long day.
  • Thank you for keeping the networks running even though you might have the same personal fears and uncertainty as every one of us. And a sincere sorry to everyone who might have been hit more personally than the rest of us.

I know that I definitely missed out some groups of people, let me know and I will add to the list. I just want to let everyone know that you are appreciated. You may be working in the background but you are not forgotten.

Thank you to all network engineers. You keep the world running.



how does routing work with LANs connected on WAN links?

Problem Statement:

A network is being planned with three sites: New York, Westchester, and Long Island. New York has 40 hosts; Long Island and Westchester each have 10. There will be WAN links between New York and Westchester, Long Island and Westchester, and New York and Long Island. You have been assigned a class "C" address space of 10.1.1.0/24. Divide the address space accordingly so that you have room for expansion and so that you do not excessively waste addresses where they will never be used. Each router has three network interfaces; please list the IP address and subnet mask (in CIDR notation, i.e. 10.1.10.0/24) for each one. Provide the complete routing table for the New York router.

Confused as to how the addressing is going to work with the routers. Is each going to have 2 IP addresses, a LAN-facing one and a WAN-facing one? Are the WAN-facing addresses on the same subnet?
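As an added example (not from the post), here is one way to carve 10.1.1.0/24 for the exercise with VLSM, largest block first, and to derive the New York router's interface addresses and routing table from the resulting plan. It takes the smallest block that fits each host count; the interface names and the convention that the router named first on a block takes its lowest usable address are assumptions of the example, not given in the problem.

```python
"""VLSM plan for the three-site exercise above (added example, not from the post)."""
import math
from ipaddress import IPv4Address, IPv4Network

# Host counts from the problem statement. Each WAN link is point-to-point and
# needs exactly two usable addresses, i.e. a /30.
DEMANDS = [
    ("NewYork-LAN", 40),
    ("Westchester-LAN", 10),
    ("LongIsland-LAN", 10),
    ("WAN NY-WC", 2),
    ("WAN LI-WC", 2),
    ("WAN NY-LI", 2),
]


def prefix_for_hosts(hosts):
    """Smallest prefix length whose block holds `hosts` usable addresses.
    The network and broadcast addresses are reserved, hence the +2."""
    return 32 - math.ceil(math.log2(hosts + 2))


def allocate(base, demands):
    """Carve `base` into one subnet per (name, hosts) demand, largest first.
    Largest-first keeps every block aligned to its own size, so a cursor walk
    never produces a subnet that straddles a boundary. Returns (plan, spare)."""
    base = IPv4Network(base)
    cursor = int(base.network_address)
    end = int(base.broadcast_address) + 1
    plan = {}
    # sorted() is stable, so equal-sized demands keep the order given above
    for name, hosts in sorted(demands, key=lambda d: d[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        if cursor % size:
            raise ValueError("misaligned block for %s" % name)
        if cursor + size > end:
            raise ValueError("address space exhausted at %s" % name)
        plan[name] = IPv4Network("%s/%d" % (IPv4Address(cursor), prefix))
        cursor += size
    return plan, end - cursor


def new_york_router(plan):
    """Interface addresses and routing table of the New York router.
    Assumed convention: on each block the router named first in the block's
    name takes the lowest usable address and its neighbour the next one."""
    usable = {name: list(net.hosts()) for name, net in plan.items()}

    def own(name):  # address/prefix of New York's interface on that block
        return "%s/%d" % (usable[name][0], plan[name].prefixlen)

    ifaces = {
        "Gi0/0 (LAN)": own("NewYork-LAN"),
        "Gi0/1 (to Westchester)": own("WAN NY-WC"),
        "Gi0/2 (to Long Island)": own("WAN NY-LI"),
    }
    wc_peer, li_peer = usable["WAN NY-WC"][1], usable["WAN NY-LI"][1]
    routes = [
        (plan["NewYork-LAN"], "directly connected, Gi0/0"),
        (plan["WAN NY-WC"], "directly connected, Gi0/1"),
        (plan["WAN NY-LI"], "directly connected, Gi0/2"),
        (plan["Westchester-LAN"], "static via %s" % wc_peer),
        (plan["LongIsland-LAN"], "static via %s" % li_peer),
        # the WC-LI link is reachable through either neighbour; WC chosen here
        (plan["WAN LI-WC"], "static via %s" % wc_peer),
    ]
    return ifaces, routes


if __name__ == "__main__":
    plan, spare = allocate("10.1.1.0/24", DEMANDS)
    for name, net in plan.items():
        print("%-16s %-16s %3d usable" % (name, net, net.num_addresses - 2))
    print("spare addresses left for growth: %d" % spare)
    ifaces, routes = new_york_router(plan)
    for name, addr in ifaces.items():
        print("NY %-24s %s" % (name, addr))
    for net, how in routes:
        print("NY route %-16s %s" % (net, how))
```

The 148 spare addresses at the top of the /24 are where you would grow the New York block to a /25 if the "room for expansion" clause is read generously.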



GNS3 Frustration!!!!

I'm trying to set up GNS3 to do some lab work. For the life of me I cannot get this thing up and running.

Using:

  • Virtualbox version 6.0.18
  • GNS3 VM version 2.2.6 (from GNS3 website)
  • GNS3 version 2.2.6

I continuously receive different errors:

  • "Connection refused (localhost:3080)"
  • "VirtualBox version 6.1 or above is required to run the GNS3 VM with nested virtualization enabled on Intel processor."
    • I've tried enabling VT-x under VirtualBox settings > System > Processor, however it is grayed out.
    • I've tried the solution to re-enable it by changing settings in the config file, but that made things worse. I've since uninstalled and reinstalled VirtualBox with clean settings.
  • "Please check firewall"
    • Already made sure GNS3 and VirtualBox are whitelisted.

Has anyone gotten GNS3 to work?



How does telesign assign a reputation score to phone numbers?

Since Telesign is so popular with major companies, I feel like someone should know a bit about their black box score system. From my understanding, you get a better score if you are with a reputable carrier, the phone's account is a bit older, and you've successfully used that number for MFA. But surely they can't give someone a bad score because they haven't done these things. Are there any other factors that influence the score, in particular, give you a worse score?



Beginner networking question regards to wireshark

Is there a difference between using && and (and) when using the packet filter? Some people in my class told me there was, but I'm unable to reach them, and I've been testing it on my own and they seem to do the exact same thing?



Flashed Solo AP Firmware, Can't Access Admin Controls

I'm pretty new to Ruckus and the enterprise grade networking scene. I bought a Zoneflex R700 off eBay hoping to use it in my home without a controller. I flashed the following firmware in my haste and now I can't access the admin panel:

https://support.ruckuswireless.com/software/1728-zoneflex-solo-access-point-110-0-0-0-675-ga-software-release-r700

I read somewhere that Solo AP firmware or Standalone firmware means that you have to access the admin controls through command line SSH after setting the local IP, subnet and gateway address, but that doesn't seem to be working either. Any tips on how to access it and/or flash a firmware with a GUI admin interface, ideally one that would let me use it without a controller?



What is wrong with this IP address - and why?

This is the IP address in question.

172.16.254.160/27

I know that it is a network address, but what I'm struggling to do is to understand how to work that process backwards. Or basically, how you'd explain that you'd look at that address and be able to explain WHY it's a networking address.

I know how to discover the subnet mask, broadcast address, network address, etc, from an IP, but I'm really struggling to find any sources on how to properly articulate how you explain "This is actually a networking address for x reasons."
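An added example (not from the post) that works the question above backwards: it splits an address written with a prefix length into network bits and host bits and returns the reason it is a network, broadcast or host address, handling the /31 and /32 cases where no address is reserved. The `classify` and `explain` names are the example's own.

```python
"""Why 172.16.254.160/27 is a network address (added example, not from the post)."""
from ipaddress import ip_interface


def classify(cidr):
    """Split an address/prefix into network and host bits and say which it is.
    A /N prefix leaves 32-N host bits. All-zero host bits mark the network
    address, all-one host bits the directed broadcast, anything else a host.
    /31 (RFC 3021 point-to-point) and /32 reserve nothing, so every address
    there is a usable host address."""
    iface = ip_interface(cidr)
    prefixlen = iface.network.prefixlen
    host_bits = 32 - prefixlen
    host_mask = (1 << host_bits) - 1
    host_part = int(iface.ip) & host_mask
    if prefixlen >= 31:
        kind = "host"
    elif host_part == 0:
        kind = "network"
    elif host_part == host_mask:
        kind = "broadcast"
    else:
        kind = "host"
    # 32-bit view of the address with '|' at the network/host boundary
    binary = format(int(iface.ip), "032b")
    return {
        "kind": kind,
        "netmask": str(iface.netmask),
        "host_bits": host_bits,
        "block_size": 1 << host_bits,  # subnets of this size repeat every block_size addresses
        "host_part": host_part,        # numeric value of the host bits
        "bits": binary[:prefixlen] + "|" + binary[prefixlen:],
        "subnet": str(iface.network),
        "network": str(iface.network.network_address),
        "broadcast": str(iface.network.broadcast_address),
    }


def explain(cidr):
    """The justification in the form the question asks for."""
    d = classify(cidr)
    if d["kind"] == "network":
        why = "the host bits are all zero, so it is the network address (broadcast %s)" % d["broadcast"]
    elif d["kind"] == "broadcast":
        why = "the host bits are all one, so it is the broadcast address of %s" % d["subnet"]
    else:
        why = "the host bits are neither all zero nor all one, so it is a host in %s" % d["subnet"]
    return "%s: mask %s leaves %d host bits (block size %d); bits %s; %s." % (
        cidr, d["netmask"], d["host_bits"], d["block_size"], d["bits"], why)


if __name__ == "__main__":
    for sample in ("172.16.254.160/27", "172.16.254.161/27", "172.16.254.191/27", "10.0.0.0/31"):
        print(explain(sample))
```

A shortcut for the exam-style answer: with a /27 the block size is 32, and 160 is a multiple of 32, so 160 starts a block and 191 ends it.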



Aruba s2500 just flashes and does not boot.

I bought it off eBay, it worked fine on config and setup. After 24 hours I went to install in my rack and on power connect it just flashes lights and spins fans about once every 15 seconds.

Seller has not responded.

If I leave it on, after about 30 mins it does boot, but if I disconnect power and reconnect, it fails and takes 10-30 mins of the flashing before it starts a normal boot. It has the newest BIOS (from the seller) and I have not touched anything except turning off DHCP and changing the SFP ports from stack to 10G.

Any ideas?



Cisco ISR 4331 Not Honoring Tunnel IPsec Profile?

Hi all, I have a strange problem that I'm hoping to get some input on.

I have a bunch of Azure subscriptions, and a bunch of different pieces of equipment making tunnels to them from different physical locations. Over the last month I've been upgrading all tunnels from the default Azure IKEv2/IPsec configuration to meet a particular security standard. I do this with a custom Azure IPsec Policy.

The default:

IPsecEncryption: AES256

IPsecIntegrity: SHA256

IkeEncryption: AES256

IkeIntegrity: SHA96

DhGroup: DHGroup2

PfsGroup: None

My new policy:

IPsecEncryption: AES256

IPsecIntegrity: SHA256

IkeEncryption: AES256

IkeIntegrity: ECP256 (this is how Azure refers to group 19)

DhGroup: ECP256 (group 19)

PfsGroup: ECP256 (group 19)

So far, I have completed this upgrade successfully with about 10 tunnels, mostly with Cisco ASAs, but also some Ubiquiti EdgeRouters, and one Ubiquiti USG. It's been easy and smooth.

Now, I'm trying to configure the same thing with a Cisco ISR 4331. The problem I'm running into, is that the ISR doesn't seem to be honoring my new "Tunnel protection ipsec profile."

I have configured the below on my ISR, and then I put the custom IPsec policy in place on the Azure side. The tunnel drops. If I remove the custom IPsec policy from Azure, but LEAVE THE CONFIGURATION ON THE ISR, the tunnel establishes... uses the old default settings. How is this possible?

-----------------------------------------------------
interface TunnelXX
 description VPN Tunnel to Microsoft Azure Subscription 1
 ip address <IP> <Subnet Mask>
 ip tcp adjust-mss 1350
 tunnel source <My external Interface>
 tunnel mode ipsec ipv4
 tunnel destination <My Azure gateway>
 tunnel protection ipsec profile IPsecProfileName
!
crypto ipsec profile IPsecProfileName
 set transform-set MyTransformSet
 set pfs group19
 set ikev2-profile MyIkeV2Profile
!
crypto ipsec transform-set MyTransformSet esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ikev2 profile MyIkeV2Profile
 match identity remote address <Remote Address> <RemoteMask>
 authentication remote pre-share
 authentication local pre-share
 keyring local MyKeyRing
!
crypto ikev2 keyring MyKeyRing
 peer <MyPeerIPAddy>
  address <MyPeerIPAddy>
  pre-shared-key <MyPresharedKey>
!
crypto ikev2 proposal MyIkeV2Proposal
 encryption aes-cbc-256
 integrity sha256
 group 19
!
crypto ikev2 policy MyIkeV2Policy
 proposal MyIkeV2Proposal
-------------------------------------------------

If I run "show crypto ikev2 sa" and "show crypto ipsec sa" I see the tunnel established with the old crypto settings. How is this possible when I have configured my new IPsec profile with "tunnel protection ipsec profile MynewStuff"??? Is the ISR allowed to ignore that if something is wrong? I'm very confused. Am I missing a step here? I have tried clearing the SAs after reapplying the custom IPsec profile in Azure, but the tunnel just won't establish until I remove it and allow it to use the defaults, which the ISR should see as a mismatch.

I'm in IOS XE 16.09.05. Very grateful for any help or insight you might have. Thanks.



Are there any online platforms that have labs and courses for networking?

Similar to A Cloud Guru or Linux Academy.



Struggling with BGP AS Path Access-Lists

I'm currently trying to influence inbound traffic from remote AS 3 to enter my AS 1 (1 eBGP router) via AS 4 which is currently directly connected to mine. Essentially, I want AS 4 to be used as a transit AS for AS 3 traffic inbound to my AS. Topology

The problem is that traffic from AS 3 is currently using AS 2 as a transit AS. I want to make AS 4 the transit AS instead of AS 2.

At the same time, I don't want to impact traffic originating in AS 2 from hopping across into my AS.

I'm currently considering the idea of using a route map to prepend my AS number of 1 onto AS Paths matching "2 1". This route map would then be sent out to my single eBGP peer in AS 2.

Am I doing this right? Nothing I try seems to alter traffic inbound from AS 3.



Are you using 802.1x authentication for wired clients?

I’ve been successfully using 802.1x (RADIUS) authentication for our corporate Wi-Fi network and for our VPN users for a few months now. Setting up NPAS on Windows Server was easy enough and authentication is very solid.

However I’ve yet to add RADIUS for our wired clients. All of our client computers (Windows 10 and a few 7’s) are on their own VLAN.

Just to get an idea, how many of you here have implemented RADIUS authentication for wired clients? Any issues I should expect?



Does anybody have experience using Zenitel Stentofones on Cisco UCM?

We recently installed a TCIV-2 Stentofon at one of our sites. I followed the recommended procedure from the Zenitel website:

https://wiki.zenitel.com/wiki/Cisco_Call_Manager_10_configuration

The Stentofon won't register in CUCM. I’ve tried deleting the device from Call Manager, factory resetting and reconfiguring the Stentofon, recreating it in Call Manager, and then adding the device back to the network and am not having any luck.

It should be noted we are on Call Manager version 11, although I don't think there are any functional differences that would affect this particular situation. In addition to that, I've tried mimicking the configurations of our other functional devices, both on the Call Manager and the device itself, and haven't had any luck.

I can rule out device and network issues. I've run through troubleshooting for both. I've tried configuring the switchport as voice vlan, as well as access and trunk. For the record the other functional Stentofons are in voice.

I can give more details if necessary, but I figured I might be shooting in the dark here anyway. Let me know if you have any tips or tricks. Much appreciated!



Feedback on Fortiswitches

Hello there

I am comparing Juniper and FortiSwitch for a deployment in a factory. There are no fancy routing protocols; there are going to be about 9 access switches and 2 aggregation ones.

It is an extremely simple setup, just some vlans passed down from a fortigate and distributed.

Obviously the junipers would crush it, but I like the idea of the full stack integration of the network gear and also I believe that it would be much cheaper for the fortiswitches.

What is everyone's opinion on them?



What are some good Linux based NTP servers?


ISP failover across two sites

I’ve got a design issue that I think should be straightforward but I’m just failing to implement here. Network diagram is https://imgur.com/a/9j1UaTP.

I have two sites, site A and site B each with a connection to the internet connected to a Palo Alto firewall. The Palo Alto then connects to a Cisco 3650 and our own fibre connects the two. We then have a number of satellite sites connected through various media which results in a more circuitous route from site A to B.

At the moment everything runs through Site A. The Palo Alto advertises a default route through OSPF and the rest of our network is EIGRP. The connections to the ISPs are static routes. I just want to have the Site B internet connection as a backup if A fails but also be able to use both if there’s a complete failure of the routes from A to B such as a fibre cut.

What would be the best way of doing this? Should I move the default route back off the Palo and onto the Ciscos instead? Should I bring up a direct link between the Palo Altos and use SLA tracking? Any help is greatly appreciated.



Cisco ASA 5512-X - upgrade CPU?

Hi

Is it possible to replace the CPU with a better one in the above ASA? For example the i3-540 that is in the 5515-X? Or even a CPU that isn't officially supported like a i3-550/i5-750?



Friday, April 3, 2020

Patch Panel Connectivity Issue

Hello,

We are organizing our network and began implementing a patch panel today. We had perfect connectivity plugging the RJ45 cable directly from our ISP box to our gateway. After cutting and punching the cable from our ISP into the patch panel, and connecting that port to the gateway, we are unable to connect to the WAN... Or at least the internet from what it seems. Any ideas other than a busted patch panel?



Cisco ACI: Okay to mix dmz and intranet?

I've seen a few videos and docs that describe it being done, but was wondering about those who actually use ACI day to day in their data centers.

We have a fairly mature and stable production ACI system for our intranet server infrastructure, and I was wondering if I could extend this to our DMZ servers. All of the traffic forwarding between DMZ tiers would be handled by firewalls. ACI switch fabric would be doing purely L2 and L2-extension. Zero routing and no contracts. Also, all of the AppProf/EPG/VRF/BD would be contained within a separate tenant in ACI as well.

I would rather not stand up a whole separate fabric for this, and the stretched layer2 would be critical for delivering dmz capability where there's lack of internet infrastructure.

Any thoughts? Safe to do?



Trunking issue between CE switch and PE router after configuring vrf.

I'm fairly certain this should have just been a simple Router on a Stick configuration. But I cannot figure out why I can't ping across my trunk. VLAN is up, trunking is up, interface is up on both ends, IP addresses are the same prefix. My topology: the first image is how I have it set up in GNS3.

CE1(config)#do show ip int brief | exclude down
Interface              IP-Address       OK? Method Status   Protocol
GigabitEthernet0/0     unassigned       YES unset  up       up
Loopback0              150.150.150.150  YES manual up       up
Vlan20                 172.17.20.6      YES manual up       up

CE1#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi0/0       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/0       20

Port        Vlans allowed and active in management domain
Gi0/0       20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/0       20

Switch#show ip route
......
Gateway of last resort is not set

      150.150.0.0/32 is subnetted, 1 subnets
C        150.150.150.150 is directly connected, Loopback0
      172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.17.20.0/24 is directly connected, Vlan20
L        172.17.20.6/32 is directly connected, Vlan20

CE1#show interface vlan 20
Vlan20 is up, line protocol is up
  Hardware is Ethernet SVI, address is 0c40.6c49.8014 (bia 0c40.6c49.8014)
  Internet address is 172.17.20.6/24
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:09, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     452 packets input, 27120 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     44 packets output, 5128 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

PE1:

PE1(config)#do show ip int brief | exclude down
Interface              IP-Address       OK? Method Status   Protocol
GigabitEthernet0/0     unassigned       YES NVRAM  up       up
GigabitEthernet0/0.20  172.16.20.7      YES manual up       up
Serial3/0              172.16.10.1      YES NVRAM  up       up
Serial3/1              172.16.30.1      YES NVRAM  up       up
Loopback0              10.10.10.10      YES NVRAM  up       up
Loopback1              11.11.11.11      YES manual up       up

PE1#show ip route
.......
Gateway of last resort is not set

      10.0.0.0/32 is subnetted, 1 subnets
C        10.10.10.10 is directly connected, Loopback0
      20.0.0.0/32 is subnetted, 1 subnets
O        20.20.20.20 [110/65] via 172.16.10.2, 01:57:03, Serial3/0
      21.0.0.0/32 is subnetted, 1 subnets
O        21.21.21.21 [110/65] via 172.16.10.2, 01:57:03, Serial3/0
      30.0.0.0/32 is subnetted, 1 subnets
O        30.30.30.30 [110/65] via 172.16.30.3, 01:57:03, Serial3/1
      172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
C        172.16.10.0/24 is directly connected, Serial3/0
L        172.16.10.1/32 is directly connected, Serial3/0
O        172.16.20.0/24 [110/128] via 172.16.30.3, 01:57:03, Serial3/1
                        [110/128] via 172.16.10.2, 01:57:03, Serial3/0
C        172.16.30.0/24 is directly connected, Serial3/1
L        172.16.30.1/32 is directly connected, Serial3/1

PE1(config)#do show ip int g0/0.20
GigabitEthernet0/0.20 is up, line protocol is up
  Internet address is 172.16.20.7/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP CEF turbo switching turbo vector
  VPN Routing/Forwarding "bmwm5"
  Downstream VPN Routing/Forwarding ""
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: MCI Check
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled
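An added example (not from the post) that feeds the two ends of the trunk, as reported by the show commands above, into a consistency check a practitioner would run before looking at trunking itself: same 802.1Q tag, same subnet and prefix length, no duplicate address, plus a note on how a VRF on one side changes the way a ping has to be issued. The VLAN id on the PE side is inferred from the subinterface name, which is an assumption since the encapsulation line is not in the pasted output.

```python
"""Consistency check for the two ends of a routed 802.1Q link (added example, not from the post)."""
from ipaddress import ip_interface

# The two ends as reported by the show commands in the post. The PE-side VLAN
# id is assumed from the subinterface number (.20); the pasted output does not
# include the 'encapsulation dot1Q' line that actually sets it.
CE1 = {"device": "CE1", "interface": "Vlan20", "vlan": 20,
       "address": "172.17.20.6/24", "vrf": None}
PE1 = {"device": "PE1", "interface": "GigabitEthernet0/0.20", "vlan": 20,
       "address": "172.16.20.7/24", "vrf": "bmwm5"}


def check_link(a, b):
    """Return (errors, notes) for two interfaces that should be directly connected.
    errors are conditions under which a ping between the two addresses cannot
    succeed as a connected route; notes are things to keep in mind when testing."""
    errors, notes = [], []
    label_a = "%s %s" % (a["device"], a["interface"])
    label_b = "%s %s" % (b["device"], b["interface"])
    if a["vlan"] != b["vlan"]:
        errors.append("802.1Q tag mismatch: %s carries VLAN %s, %s carries VLAN %s"
                      % (label_a, a["vlan"], label_b, b["vlan"]))
    ia, ib = ip_interface(a["address"]), ip_interface(b["address"])
    if ia.network != ib.network:
        if ia.network.prefixlen != ib.network.prefixlen:
            errors.append("prefix length mismatch: %s is /%d, %s is /%d"
                          % (label_a, ia.network.prefixlen, label_b, ib.network.prefixlen))
        else:
            # the classic symptom: both ends 'up/up' yet ARP never resolves
            errors.append("different subnets: %s %s is in %s, %s %s is in %s"
                          % (label_a, ia.ip, ia.network, label_b, ib.ip, ib.network))
    elif ia.ip == ib.ip:
        errors.append("duplicate address %s on both ends" % ia.ip)
    for end, label in ((a, label_a), (b, label_b)):
        if end.get("vrf"):
            # an interface in a VRF is absent from the global table, so a plain
            # 'ping' from that router resolves the peer via the global table
            notes.append("%s is in VRF %s: the global routing table does not list it as "
                         "connected; test with 'ping vrf %s <peer>' and 'show ip route vrf %s'"
                         % (label, end["vrf"], end["vrf"], end["vrf"]))
    return errors, notes


if __name__ == "__main__":
    errors, notes = check_link(CE1, PE1)
    for line in errors:
        print("ERROR:", line)
    for line in notes:
        print("NOTE: ", line)
```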


Confusion over HP NC522SFP + Ubiquiti MM SFP 1GB Module

I’m using the SFP modules in a R710 and an EdgeRouter X. The R710 detects the HP NC522SFP card but has no IP assigned to it.

The SFP port on the router is greyed out on the web interface, despite being enabled. I’m using a LC to LC multimode 10Gb duplex cable.

Is the cable the weak point in this configuration? I’m utterly lost on which part belongs where.



Cisco DMZ Switch Recommendation

Hi all, I'm looking for a recommendation for a brand new Cisco DMZ switch. It has to be brand new, so not looking for used money savers, although we don't want to spend more than needs to be spent, obviously.

Ideally, the model would be stackable so we can put in another for redundancy later down the road. To clarify DMZ (it gets used a lot) this will be between the ISP gear and the Firewalls, layer 2 only.

I first went to the Cisco 1000 series... but that bluetooth access made me nervous (maybe I'm just getting old).

Is the 9200 the default for this? Is there a class of better hardened switches for the DMZ that I'm failing to Google? I welcome any and all opinions, and thank you for your input!



Has anyone migrated to full blown app centric mode?

Anyone here done a brownfield Network Centric migration and then started to convert apps to app centric? If you wouldn't mind sharing, how many apps so far? I'm finding people just add another endpoint to the network centric platform instead of taking the opportunity to build new apps in app centric mode. My motivation is to see if it is popular yet or not. I suspect not, because you need app dependency mapping software before doing so, which usually costs thousands of dollars, and no one wants to spend that much because they thought they bought the magic box machine.



Network Design for Theatre/Venue

We're about to open a performance/live music venue, and we need to provide Wifi and a corporate network. The building is 100ft long x 50ft wide, mostly concrete and steel stud. Public capacity is 650 people. We have a 2gig business fibre connection.

The owner hasn't given me a budget, but the GM and I are confident we could go mid-range gear. We have tons of downtime right now, and we want to handle it internally mostly as a learning experience.

I've planned WAP locations for coverage, and the ability to handle large volumes:

  • 1x Backstage
  • 3x Auditorium Space
  • 1x Production Office/Control Booth
  • 1x Lobby
  • 1x Outdoor Canopy (Ticket Scanners)

We need to segregate the network into specific VLANs/networks:

  • Public Wifi
  • Guests (Tour Crew & Performers)
  • AV/Control Network (Just for Wifi, they have their own switching infrastructure)
  • Corporate, POS and Ticketing System
  • Security Cameras

I'm most familiar with Unifi (I've deployed a small Unifi system in my other job) and I'm confident in their APs for a network of this size, but not certain about their switches and definitely have no faith in their current line of Routers. We for sure want content filtering on our public network and the corporate network.

So what I'm thinking of, is designing out three systems:

  • the high-end one as Cisco Meraki
  • the midrange one as Ruckus?
  • a lower end one as Unifi APs, Switches and a different Router (Fortigate?)

I've never deployed my own Meraki system, but I have worked on a previous client's existing network. I would love single pane of glass for management.

Thoughts? Suggestions/Experiences?



ACL Help for VLAN Segregation... what am I missing?

Working on getting my network segregated a bit to protect us a bit more from having ransomware cryptolock every workstation on our network.

I have a bunch of VLANs that contain user workstations. Presently, every workstation VLAN can talk to every other VLAN.

The goal is the following: User VLANs (example VLAN705) can only communicate with the following other VLANs:

  • SERVER Vlan (10.55.55.0 255.255.255.0)
  • IT VLAN (10.85.55.0 255.255.255.0)
  • a single host on another VLAN (that single host is 192.168.2.8 255.255.248.0), but not any other hosts on that VLAN.

  • They should also be able to access the internet freely, and the subnet of the router is 10.88.88.0 255.255.255.252.

I've tried umpteen different ACL combos and I can't figure it out. Here's the current ACL I'm working with:

ip access-list extended USERVLANS
 permit ip 10.55.55.0 0.0.0.255 any
 permit ip 10.88.88.0 0.0.0.3 any
 permit ip 10.88.89.128 0.0.0.127 any
 permit ip 192.168.2.8 0.0.7.255 any
 deny ip any any
!
int vlan 705
 ip access-group USERVLANS in

I know I'm completely screwing this up but idk how.
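An added example (not code from the post) that evaluates the ACL above the way IOS does, first matching entry wins with an implicit deny at the end, and reports the address range each wildcard pair really covers. Because the list is applied `in` on interface Vlan705, the source of every packet it sees is a VLAN 705 host; the post does not give that subnet, so the 10.70.5.x addresses below are constructed placeholders. The `host` form in the last check is standard IOS syntax (wildcard 0.0.0.0), shown for contrast with 0.0.7.255.

```python
"""Evaluate the posted extended ACL against sample packets (added example, not from the post)."""
from ipaddress import IPv4Address

POSTED_ACL = """
ip access-list extended USERVLANS
 permit ip 10.55.55.0 0.0.0.255 any
 permit ip 10.88.88.0 0.0.0.3 any
 permit ip 10.88.89.128 0.0.0.127 any
 permit ip 192.168.2.8 0.0.7.255 any
 deny ip any any
"""


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'.
    Only the remaining bits of the two addresses are compared."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def coverage(base, wildcard):
    """(first, last, count) of the range a base/wildcard pair actually matches."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    low = int(IPv4Address(base)) & care
    high = low | int(IPv4Address(wildcard))
    return str(IPv4Address(low)), str(IPv4Address(high)), int(IPv4Address(wildcard)) + 1


def _operand(tokens):
    """Consume one address operand from the token list: any | host A | A W."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)


def parse_acl(text):
    """Parse the permit/deny lines of an extended ACL; only 'ip' entries are modelled."""
    aces = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # e.g. the 'ip access-list extended ...' header
        action, proto = tokens[0], tokens[1]
        if proto != "ip":
            raise ValueError("unsupported protocol in: %s" % raw.strip())
        rest = tokens[2:]
        src, dst = _operand(rest), _operand(rest)  # evaluated left to right
        aces.append((action, src, dst, raw.strip()))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for action, (sb, sw), (db, dw), line in aces:
        if wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw):
            return action, line
    return "deny", "implicit deny"


ACES = parse_acl(POSTED_ACL)

if __name__ == "__main__":
    for _, (base, wild), _, line in ACES:
        print("%-42s source range %s - %s (%d addresses)" % ((line,) + coverage(base, wild)))
    # Constructed packets: inbound on Vlan705 the source is always a VLAN 705 host.
    samples = [
        ("10.70.5.10", "10.55.55.10"),      # placeholder 705 host -> SERVER VLAN
        ("10.70.5.10", "192.168.2.8"),      # placeholder 705 host -> the single host
        ("192.168.7.250", "10.55.55.10"),   # anything in 192.168.0.0-192.168.7.255
    ]
    for src, dst in samples:
        print("%-14s -> %-14s %s (%s)" % ((src, dst) + evaluate(ACES, src, dst)))
    single = parse_acl("permit ip any host 192.168.2.8")
    print("host form:", evaluate(single, "10.70.5.10", "192.168.2.8"),
          evaluate(single, "10.70.5.10", "192.168.2.9"))
```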



Fortigate play nice with StrongSwan

Hey

I'd like to get StrongSwan working with a Fortigate unit. The VPN tunnel uses IKEv1 with certs and then XAuth. So that's an easy leftauth=pubkey, leftauth2=xauth. Well, no... That just doesn't work. It gets stuck: the firewall cannot find the sent cert, it messes up. It's because the official FortiClient VPN client sends the request as if it was ONLY authenticating by cert, and then some magic happens and some time later it sends XAuth too.

This is from a working Forticlient (debug on the vpn fw):

ike 0:4d609233317bcfb8/0000000000000000:13984: negotiation result
ike 0:4d609233317bcfb8/0000000000000000:13984: proposal id = 1:
ike 0:4d609233317bcfb8/0000000000000000:13984: protocol id = ISAKMP:
ike 0:4d609233317bcfb8/0000000000000000:13984: trans_id = KEY_IKE.
ike 0:4d609233317bcfb8/0000000000000000:13984: encapsulation = IKE/none
ike 0:4d609233317bcfb8/0000000000000000:13984: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:4d609233317bcfb8/0000000000000000:13984: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:4d609233317bcfb8/0000000000000000:13984: type=AUTH_METHOD, val=RSA_SIG.
ike 0:4d609233317bcfb8/0000000000000000:13984: type=OAKLEY_GROUP, val=MODP2048.
ike 0:4d609233317bcfb8/0000000000000000:13984: ISAKMP SA lifetime=86400

And this from my leftauth=pubkey, leftauth2=xauth:

ike 0:fc67cd9d55028ab8/0000000000000000:13986: negotiation result
ike 0:fc67cd9d55028ab8/0000000000000000:13986: proposal id = 1:
ike 0:fc67cd9d55028ab8/0000000000000000:13986: protocol id = ISAKMP:
ike 0:fc67cd9d55028ab8/0000000000000000:13986: trans_id = KEY_IKE.
ike 0:fc67cd9d55028ab8/0000000000000000:13986: encapsulation = IKE/none
ike 0:fc67cd9d55028ab8/0000000000000000:13986: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fc67cd9d55028ab8/0000000000000000:13986: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc67cd9d55028ab8/0000000000000000:13986: type=AUTH_METHOD, val=RSA_SIG_XAUTH_I.
ike 0:fc67cd9d55028ab8/0000000000000000:13986: type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc67cd9d55028ab8/0000000000000000:13986: ISAKMP SA lifetime=86400

which eventually lands at:

ike 0:XXXXNAMEHEREXXXX:13986: peer CERT not found 

As can be seen, auth_method should only be rsa_sig and not rsa_sig_xauth_i, which is only leftauth=pubkey. But that also doesn't work, as then StrongSwan neither responds to XAuth requests nor sends them on its own.

Now back to the working Forticlient debug log (on fw):

ike 0:VPNNAME:13984: initiating XAUTH.
ike 0:VPNNAME:13984: sending XAUTH request
ike 0:VPNNAME:13984: enc ...
ike 0:VPNNAME:13984: sent IKE msg (cfg_send): ip and stuff here
ike 0:VPNNAME:13984: peer has not completed XAUTH exchange
ike 0: comes ips here
ike 0: IKEv1 exchange=Mode config id=blabla
ike 0: in blabla
ike 0:XXXNAMEHEREXXX:13984: blabla
ike 0:VPNNAME:13984: received XAUTH_USER_NAME 'my.user' length 10
ike 0:VPNNAME:13984: received XAUTH_USER_PASSWORD length 16
ike 0:VPNNAME: XAUTH user "my.user"

Which again is quite f#*&n odd... It seems like the Fortigate FW sends an XAUTH request, FortiClient doesn't respond, and then yet it just sends XAUTH on its own? Despite its initial type=AUTH_METHOD, val=RSA_SIG???

Seems absolutely out of spec to me... Is there any way I can get StrongSwan to behave that way? Or any other open source client, for that matter. So again: the FW is configured to use a cert for auth and then XAuth (via LDAP integration).

Thanks



Identifying ports and protocols from Windows Event Viewer

I've been tasked with figuring out what ports and protocols are being used by a new software install and was told I could do so using Windows Event Viewer but I can't find the relevant information I'm looking for. Can someone point me in the right direction?



BGP for All Training Videos

Good series of training videos that assume you know very little and cover many common situations:

Border Gateway Protocol (BGP) is the primary routing protocol used to transfer data and information on the Internet or autonomous systems. BGP is a Path Vector Protocol which maintains paths to different hosts, networks and gateway routers and determines the routing decision based on rules, filtering, weight and community.

Understanding the myriad options for routing can produce efficiencies for institutions and create opportunities for research and education networks to collaborate.



Calix Firmware

Anyone here have access to any Calix firmware? We have B6 GPON OLTs and an E7-2 that are on old firmware and don't play nice with newer ONTs. Calix seems to keep their downloads behind a brick wall, and won't provide us with "My Calix" accounts because we didn't purchase equipment directly from them.



Radius issue

I have a RADIUS server and a DHCP server.

I need to authenticate the user just by MAC address.

From what I found out, this is how the users file should look:

MacAddress
#       Cleartext-password := "",
        Auth-Type := local,
        NAS-Identifier == "dhcp",
        Framed-Pool = "POOL-IPv4"

But can I bypass the Cleartext-password field? I don't want the user to enter any credentials.

Should it work this way? Should it work with Cleartext-password := "MacAddress"?

I couldn't find any documentation regarding this need.



Tips For Making Professional and Visually Appealing Diagrams

/r/sysadmin/comments/fu8o1x/tips_for_making_professional_and_visually/

Watchguard Firebox t35 VPN licenses question

Does the Watchguard T35 require you to purchase VPN licenses for the SSL client? I know the unit supports up to 25 VPN connections and it appears that the IPsec client is license based, but are the IKEv2 and SSL VPN client options also license based?



How do I simulate 10k users's bandwidth? Details inside...

We are seeing daily latency and jitter spikes lasting ~45 minutes, starting at 1:00 PM. This coincides directly with most of our staff watching a YouTube live stream of our provincial health authority's daily briefing.

Every day at 1:00 PM, thousands of users start watching this live stream; it works fine; however, Microsoft Teams and Avaya are both having serious issues due to the latency and jitter spikes.

In addition to other leads we are chasing down, I have been asked to try to simulate that kind of load on our network so that we can gather diagnostic data in the middle of the night, rather than at 1:00 PM.

I need to simulate ~10-15k users all watching the same YouTube stream... Any thoughts on how to get this done?

I'm not asking for free or even cheap; I'm simply looking for tools that can help me get this done; FOSS is better, but we can buy enterprise tools if needed, too.



SD-WAN implementation

First off, I hate the term SD-WAN; it implies that running full tunnels is somehow new. All of the high end SD-WAN appliances from VeloCloud, Silver Peak and Cisco load balance at the packet level. I would assume they are all using EIGRP because why invent the wheel but I don't know how much of the spec Cisco published in their informational RFC? Cisco is most certainly using EIGRP. I was hoping to gain some insight from people that have used these high end appliances on how the manufacturers implement load balancing at the packet level? In my experience with MikroTik load balancing at the packet level causes all kinds of issues with out of order packets, etc.



Replacing manage engine netflow analyzer

Hi, I'm in a bit of a pickle with budget constraints, and the firm wants me to look into replacing ManageEngine NetFlow Analyzer with something cheaper that basically does a similar, almost the same, job. Any suggestions please?



Wiring Cat5e not in standards A OR B.

I'm quite new to my job as an IT Infrastructure apprentice, I've started getting more of a work load and learning some new things.

So, around last week or maybe the week before I taught myself how to terminate ethernet cables. Mainly cat5e.

I followed the B standard for wiring and the cables worked. The computer I tested them on (I don't have any proper testing kit around) had perfectly fine Internet connection for all I could see.

However, I've just realised that I might've wired them wrong. I wired them using the B standard but with the clip facing TOWARDS me. I can't find anyone else who has done this. The cables have Internet but something must be wrong, care to tell me? Also, when they're plugged into a switch only the left indicator light is lit.

I know there is probably other standards than A OR B but I couldn't find anything anywhere.

TL;DR = I wired Cat5e using the B standard but with the clips facing TOWARDS me and they have connectivity. What does this mean?



Help with MESH Repeater.

Dear Community,

I have a DOCSIS main router which connects to the internet, and it does not support mesh network capabilities. Using LAN1, I connect my Router-1 to the DOCSIS station and then create a WLAN mesh network. I connect my Router-2 to this WLAN mesh network. But the problem is that from time to time my DOCSIS station restarts, which kills my Router-2's internet connectivity. Everything is working, but Router-2 does not have an internet connection anymore, even though the user interface for Router-2 says it is connected to the internet.

Please tell me if there is a solution to my problem. I would be very much thankful.

My DOCSIS station is https://zuhauseplus.vodafone.de/internet-telefon/kabel/router-optionen/

My Router-1 and Router-2 are both Fritz!Box 7490.

Thank you



CCNA Labs amidst CoVid-19 Quarantine

Since my place is under quarantine due to CoVid-19 I've been doing one lab in one day to freshen up the skills I've acquired during my CCNA review and exam.

I started doing labs using Cisco Packet Tracer, starting from the most basic topics and then going on to the advanced ones. If y'all want to follow me, just watch and please subscribe.

Thank you, and I'm hoping you'll all be safe during these times!

For questions, suggestions, recommendations, and reactions. Just message me or comment on one of my videos.

CCNA - YouTube



Turning a single machine into multiple nodes on the global network?

Howdy, I was wondering if there was a way to make one machine connect to a website an arbitrary number of times via different IPs. Perhaps through numerous VPN portals?

I have some CS experience, but not a lot of networking experience.

FYI, this is for a personal project, not some giant DDoS thing.



Thursday, April 2, 2020

Looking for help with AD access across vlans

Hello, I have recently set up VLANs on my lab network and I am able to ping both ways to and from the DC (AD/DNS/DHCP). My VLANs are getting DHCP and I can access file shares, but I am unable to join new clients to the domain or replicate between my DCs on different VLANs. I have a pfSense router and a Cisco 3560G switch, and the servers are all virtual on ESXi 6.5.

I have also verified nslookup is resolving properly to the DCs.

Any ideas are greatly appreciated!



CenturyLink prefix persistently hijacked by Firstlight?

There's a weird case of hijacking prefixes 216.158.168.0/24 and 64.30.26.0/24, which according to RPKI belong to CenturyLink(AS209).

However, these prefixes are advertised since 2016 by Firstlight (AS5738), and according to RIPE Stat the advertisement by AS5738 has much higher BGP visibility. You can check the RIPE Stat widget or this snapshot. AS209 started advertising the prefix only in March 2020.

In RADB AS5738 is the owner of that prefix. However, in WHOIS CenturyLink (AS209) has marked the prefixes as Hijacked.

Back in 2007 these prefixes were advertised by AS16425 (Innevi), which was later acquired by Firstlight, but the covering prefixes were advertised by AS19094 (Level3), which was acquired by CenturyLink. AS16425 was a customer of AS19094. Is it possible to have some kind of ownership dispute, or could it be prefix squatting? Can CenturyLink register a prefix in RPKI if the prefix ownership is disputed?
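The mechanics behind the RPKI observation above, as an added example that is not part of the post: RFC 6811 route origin validation applied to the two prefixes and the two origin ASes the post names. The ROA table is constructed from the post's statement that RPKI lists AS209 as the origin; the maxLength of 24 and the sample UPDATEs are assumptions.

```python
from ipaddress import ip_network

# Added example (not from the post): RFC 6811 route origin validation against a
# small ROA table. The two ROAs are built from the post's statement that RPKI
# lists AS209 as origin; maxLength 24 is an assumption (a ROA without an
# explicit maxLength defaults to the prefix length).
ROAS = [
    # (prefix, maxLength, origin ASN)
    (ip_network("216.158.168.0/24"), 24, 209),
    (ip_network("64.30.26.0/24"), 24, 209),
]


def rov_state(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for a route and its origin AS."""
    route = ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        if route.version != roa_prefix.version or not route.subnet_of(roa_prefix):
            continue
        covered = True                      # at least one ROA covers this route
        if asn == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered, but no ROA matches both ASN and length: invalid. The same rule
    # makes an AS0 ROA a "never announce" statement, since no real origin is 0.
    return "invalid" if covered else "not-found"


def filter_updates(updates, roas=ROAS, drop=("invalid",)):
    """Split (prefix, as_path) UPDATEs into accept/reject lists.

    Policy: drop RPKI-invalid routes only; not-found is accepted so that
    unsigned space keeps working (this is the common operator policy).
    """
    accepted, rejected = [], []
    for prefix, as_path in updates:
        state = rov_state(prefix, as_path[-1], roas)   # origin = last AS in path
        (rejected if state in drop else accepted).append((prefix, as_path, state))
    return accepted, rejected


# Constructed sample UPDATEs using the AS numbers named in the post plus one
# documentation prefix with no ROA.
UPDATES = [
    ("216.158.168.0/24", [19094, 5738]),   # Firstlight origin: invalid
    ("216.158.168.0/24", [209]),           # CenturyLink origin: valid
    ("64.30.26.0/24", [5738]),             # invalid
    ("216.158.168.0/25", [209]),           # right AS, longer than maxLength: invalid
    ("203.0.113.0/24", [64496]),           # no covering ROA: not-found
]

if __name__ == "__main__":
    acc, rej = filter_updates(UPDATES)
    for prefix, path, state in acc + rej:
        print(f"{prefix:20} origin AS{path[-1]:<6} {state}")
```

Two things the example makes concrete for the post's question: a ROA is a statement by the resource holder, so a longer-standing but unsigned announcement from AS5738 becomes "invalid" the moment CenturyLink publishes a ROA, regardless of who has routed it since 2016; and a provider that has deployed ROV with drop-invalid will stop accepting the AS5738 path, which is why visibility can change without anyone touching the prefix itself.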



Cisco Networking

I need to be able to have IGMP proxy upstream and downstream, or the ability to block one IP (device) from accessing another IP (device) on the same VLAN.

I am looking for a router that has a managed 4-8 port switch built in (if Cisco offers that) and an internal AP.

and/or

I am also looking at a router that has a managed 4-8 port switch built in (if Cisco offers that) and an external AP. Hopefully a PoE switch built in to power the AP.

If they don't offer a 4-8 port managed switch built into their router, what switch would you suggest looking into? It needs to have PoE to power the AP.

It would be ideal if it is all GUI based as I don't know CLI, having a web GUI is ideal because I can access on my iPad as I don't own a computer.

I am not looking at yearly or monthly subscription options or anything with a license.



Looking for Courses during “Rona”

/r/PLC/comments/ftxjd7/im_having_a_hard_time_learning_and_finding_ways/

Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC.



Statically assigned DHCP issue on carrier modem

I've been having an issue with a carrier modem and a meraki mx64.

Essentially we have the mx64 set up for a private 192.168 network, and a statically assigned gateway of 1.1.

We generally request the carrier set up their modem for static ips for outside the network and private ips inside the network, statically assigning the modem to be 192.168.1.1 for the gateway ip.

But I've had a couple of sites now where I see the carrier modem advertising as the 192.168 ip on the switchport, and after a little while it changes to the carrier public static gateway ip, then back and forth. About twice an hour.

Side note, the carrier static IP that actually gets assigned to the mx64 is way outside what's actually in the subnet. A .212 when the gateway is a .6 /30.

What's going on here? I feel like it's related to dhcp somehow.

(I know the easiest fix is just to get more static IPs and set the MX64 up with a nice tight static block, but the customer dunnae want to. So can't. And convincing them otherwise is a no go. Other sites work this way. U_u)



How many people work in pre-sales in here? I have some questions

Hello all, I’ve been working in pre-sales for a few years. My latest role is for a smaller company doing pre-sales and delivery.

There are a lot of tasks that I've run into over the last two years that are time consuming; for instance, when trying to do a design for a new core, putting a BOM together or just getting the information on how many SFPs, modules, interfaces, etc. takes a lot of time. Same with migrations. Creating the scripts, mapping interfaces, etc. all takes time.

What are some of your tasks that are boring and take a lot of time?

What have you done to speed up these tasks?



Rancid q - using a jump host

I would like to collect config on some remote site switches that are not directly accessible via my rancid collector.

They are available from the site edge router.

Has anyone set up a connection profile that will use an edge router as a jump host to pull configs from directly inaccessible devices?



For Cisco networking device automation, are there any tasks that cannot be done on Cisco Prime, but could be done with a python script?

Been getting pretty comfortable with Prime lately. Thought about also jumping into some python to learn more automation tasks. Would python be in any way more beneficial than prime? Are there any tasks you do regularly that cannot be done with prime, but could be done with a python script?



Is connection to the home shared or dedicated with docsis 3.1?

Hi everyone!

Quick question, not sure if anyone will know this : internet providers over cables used to have a shared connection in neighborhoods. If everyone was downloading at the same time, speed could go down.

Is it still the case with docsis 3.1? Or is the last mile now a dedicated connection?



HPE NC522SFP 10gbit dual sfp PCI card on Centos 7

Hello everyone, I got a PowerEdge R620 with an HPE NC522SFP 10Gbit dual SFP PCIe card. I added it to PCI slot 1, and the NIC shows up in iDRAC (https://prnt.sc/rrjawm). CentOS 7 detects it but cannot connect with it. I also added the SFP: with a copper SFP the switch shows link but the card shows no link, and with a fiber SFP there is just no link, nothing. I tried installing some drivers via RPM but it always throws errors; I even downgraded to CentOS 6 with no success. Can someone help me out?

Thanks in advance



Fiber interface dBm power level at warning

We have a Cisco Nexus 9000 and one 40G interface is showing the port transceiver power level at warning. When I checked on the command line I found the following.

Question:

  1. What is the normal power level for a transceiver in dBm?
  2. What would be the impact if it is at the warning/alarm level? (Currently I am not experiencing any issue.)

  # show int e2/11 transceiver details
  Ethernet2/11
      transceiver is present
      type is QSFP-40G-SR4
      name is Fiberstore
      part number is QSFP-SR4-40G
      revision is B
      serial number is D87C2016912
      nominal bitrate is 10300 MBit/sec per channel
      Link length supported for 50/125um OM3 fiber is 150 m
      cisco id is 13
      cisco extended id number is 16

  Lane Number:1 Network Lane
             SFP Detail Diagnostics Information (internal calibration)
    ----------------------------------------------------------------------------
                  Current              Alarms                  Warnings
                  Measurement     High        Low         High          Low
    ----------------------------------------------------------------------------
    Temperature   25.79 C        80.00 C     -10.00 C     73.00 C        -3.00 C
    Voltage        3.40 V         3.59 V       3.00 V      3.46 V         3.13 V
    Current        7.03 mA       11.00 mA      2.00 mA    10.00 mA        3.00 mA
    Tx Power      -3.01 dBm       3.99 dBm   -10.60 dBm    0.99 dBm      -7.61 dBm
    Rx Power       1.08 dBm +     3.99 dBm   -12.51 dBm    0.99 dBm      -9.50 dBm
    Transmit Fault Count = 0
    ----------------------------------------------------------------------------
    Note: ++  high-alarm; +  high-warning; --  low-alarm; -  low-warning

  Lane Number:2 Network Lane
             SFP Detail Diagnostics Information (internal calibration)
    ----------------------------------------------------------------------------
                  Current              Alarms                  Warnings
                  Measurement     High        Low         High          Low
    ----------------------------------------------------------------------------
    Temperature   25.79 C        80.00 C     -10.00 C     73.00 C        -3.00 C
    Voltage        3.40 V         3.59 V       3.00 V      3.46 V         3.13 V
    Current        7.03 mA       11.00 mA      2.00 mA    10.00 mA        3.00 mA
    Tx Power      -2.73 dBm       3.99 dBm   -10.60 dBm    0.99 dBm      -7.61 dBm
    Rx Power       0.08 dBm       3.99 dBm   -12.51 dBm    0.99 dBm      -9.50 dBm
    Transmit Fault Count = 0
    ----------------------------------------------------------------------------
    Note: ++  high-alarm; +  high-warning; --  low-alarm; -  low-warning

  Lane Number:3 Network Lane
             SFP Detail Diagnostics Information (internal calibration)
    ----------------------------------------------------------------------------
                  Current              Alarms                  Warnings
                  Measurement     High        Low         High          Low
    ----------------------------------------------------------------------------
    Temperature   25.79 C        80.00 C     -10.00 C     73.00 C        -3.00 C
    Voltage        3.40 V         3.59 V       3.00 V      3.46 V         3.13 V
    Current        7.03 mA       11.00 mA      2.00 mA    10.00 mA        3.00 mA
    Tx Power      -3.11 dBm       3.99 dBm   -10.60 dBm    0.99 dBm      -7.61 dBm
    Rx Power       1.63 dBm +     3.99 dBm   -12.51 dBm    0.99 dBm      -9.50 dBm
    Transmit Fault Count = 0
    ----------------------------------------------------------------------------
    Note: ++  high-alarm; +  high-warning; --  low-alarm; -  low-warning

  Lane Number:4 Network Lane
             SFP Detail Diagnostics Information (internal calibration)
    ----------------------------------------------------------------------------
                  Current              Alarms                  Warnings
                  Measurement     High        Low         High          Low
    ----------------------------------------------------------------------------
    Temperature   25.79 C        80.00 C     -10.00 C     73.00 C        -3.00 C
    Voltage        3.40 V         3.59 V       3.00 V      3.46 V         3.13 V
    Current        7.10 mA       11.00 mA      2.00 mA    10.00 mA        3.00 mA
    Tx Power      -3.09 dBm       3.99 dBm   -10.60 dBm    0.99 dBm      -7.61 dBm
    Rx Power       1.56 dBm +     3.99 dBm   -12.51 dBm    0.99 dBm      -9.50 dBm
    Transmit Fault Count = 0
    ----------------------------------------------------------------------------
    Note: ++  high-alarm; +  high-warning; --  low-alarm; -  low-warning
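How to read that table programmatically, as an added example that is not part of the post and not Cisco tooling: a parser for the NX-OS DOM output that re-derives each lane's state from the alarm and warning thresholds instead of trusting the `+`/`-` marker column, so the same check can be run from a collector across many ports. The sample input is the poster's four lanes re-keyed with the same values; the separator and note lines are trimmed.

```python
import re
from dataclasses import dataclass

# Added example, not from the post and not Cisco tooling: parse the NX-OS
# "show interface transceiver details" DOM table and re-derive each lane's
# alarm/warning state from the thresholds the module itself reports.

# Sample input: the poster's four lanes, re-keyed here with the same values
# and thresholds; separator and note lines trimmed.
SAMPLE = """\
Lane Number:1 Network Lane
  Temperature   25.79 C        80.00 C     -10.00 C     73.00 C        -3.00 C
  Voltage        3.40 V         3.59 V       3.00 V      3.46 V         3.13 V
  Current        7.03 mA       11.00 mA      2.00 mA    10.00 mA        3.00 mA
  Tx Power      -3.01 dBm       3.99 dBm   -10.60 dBm    0.99 dBm      -7.61 dBm
  Rx Power       1.08 dBm +     3.99 dBm   -12.51 dBm    0.99 dBm      -9.50 dBm
Lane Number:2 Network Lane
  Temperature   25.79 C        80.00 C     -10.00 C     73.00 C        -3.00 C
  Voltage        3.40 V         3.59 V       3.00 V      3.46 V         3.13 V
  Current        7.03 mA       11.00 mA      2.00 mA    10.00 mA        3.00 mA
  Tx Power      -2.73 dBm       3.99 dBm   -10.60 dBm    0.99 dBm      -7.61 dBm
  Rx Power       0.08 dBm       3.99 dBm   -12.51 dBm    0.99 dBm      -9.50 dBm
Lane Number:3 Network Lane
  Temperature   25.79 C        80.00 C     -10.00 C     73.00 C        -3.00 C
  Voltage        3.40 V         3.59 V       3.00 V      3.46 V         3.13 V
  Current        7.03 mA       11.00 mA      2.00 mA    10.00 mA        3.00 mA
  Tx Power      -3.11 dBm       3.99 dBm   -10.60 dBm    0.99 dBm      -7.61 dBm
  Rx Power       1.63 dBm +     3.99 dBm   -12.51 dBm    0.99 dBm      -9.50 dBm
Lane Number:4 Network Lane
  Temperature   25.79 C        80.00 C     -10.00 C     73.00 C        -3.00 C
  Voltage        3.40 V         3.59 V       3.00 V      3.46 V         3.13 V
  Current        7.10 mA       11.00 mA      2.00 mA    10.00 mA        3.00 mA
  Tx Power      -3.09 dBm       3.99 dBm   -10.60 dBm    0.99 dBm      -7.61 dBm
  Rx Power       1.56 dBm +     3.99 dBm   -12.51 dBm    0.99 dBm      -9.50 dBm
"""

# Meaning of the marker column as printed by NX-OS (see its own Note line).
FLAGS = {"++": "high-alarm", "+": "high-warning",
         "--": "low-alarm", "-": "low-warning", None: "ok"}

ROW = re.compile(
    r"^\s*(?P<name>Temperature|Voltage|Current|Tx Power|Rx Power)\s+"
    r"(?P<value>-?\d+\.\d+)\s+\S+"            # measured value and unit
    r"(?:\s+(?P<flag>\+\+|--|\+|-)(?=\s))?"   # optional marker, must stand alone
    r"\s+(?P<ha>-?\d+\.\d+)\s+\S+"            # alarm high
    r"\s+(?P<la>-?\d+\.\d+)\s+\S+"            # alarm low
    r"\s+(?P<hw>-?\d+\.\d+)\s+\S+"            # warning high
    r"\s+(?P<lw>-?\d+\.\d+)\s+\S+"            # warning low
)


@dataclass
class Reading:
    lane: int
    name: str
    value: float
    alarm_high: float
    alarm_low: float
    warn_high: float
    warn_low: float
    printed: str   # state NX-OS printed via the marker column

    def status(self) -> str:
        """Re-derive the state from thresholds; alarm outranks warning."""
        if self.value >= self.alarm_high:
            return "high-alarm"
        if self.value <= self.alarm_low:
            return "low-alarm"
        if self.value >= self.warn_high:
            return "high-warning"
        if self.value <= self.warn_low:
            return "low-warning"
        return "ok"


def parse(text: str) -> list:
    """Walk the output lane by lane and return one Reading per measurement row."""
    lane, readings = None, []
    for line in text.splitlines():
        m = re.match(r"\s*Lane Number:(\d+)", line)
        if m:
            lane = int(m.group(1))
            continue
        m = ROW.match(line)
        if m and lane is not None:
            g = m.groupdict()
            readings.append(Reading(lane, g["name"], float(g["value"]),
                                    float(g["ha"]), float(g["la"]),
                                    float(g["hw"]), float(g["lw"]),
                                    FLAGS[g["flag"]]))
    return readings


def flagged(readings: list) -> list:
    """(lane, measurement, state) for every row outside its normal band."""
    return [(r.lane, r.name, r.status()) for r in readings if r.status() != "ok"]


def disagreements(readings: list) -> list:
    """Rows where the printed marker and the threshold-derived state differ."""
    return [(r.lane, r.name, r.printed, r.status())
            for r in readings if r.printed != r.status()]


if __name__ == "__main__":
    for item in flagged(parse(SAMPLE)):
        print(item)
```

Run against the post's output this reports lanes 1, 3 and 4 at `high-warning` on Rx Power (1.08, 1.63 and 1.56 dBm against the module's +0.99 dBm upper warning threshold) and nothing else; the thresholds are the module vendor's, not Cisco's, so "warning" here means more light is arriving than this module specifies as its comfortable upper band, which on a short SR4 run is a question of receive headroom rather than a cable fault.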


First job as a network engineer

Did anybody else feel lost and completely dumb as their first time as a network engineer? I had several years Service Desk and NOC experience doing more basic troubleshooting. All with the same company. I got my CCNA and got a job with a new company at the end of February. I trained for a month on day shift and now I'm on night shift. I feel dumber than I have ever felt before. It feels like none of my textbook knowledge is helping all that much. Sure I know the commands and how the stuff works but with all these incidents being unique I'm not even sure where to begin troubleshooting with a lot of them. It definitely has a lot to do with learning a new infrastructure but part of me can't help but feel that isn't all there is to it. I constantly am having to wait until morning to ask a coworker about the 1 or 2 incidents that pop up over night that I have no idea how to even begin troubleshooting. I was just wondering if this struggle is normal in the beginning?



Arpanet and Network Engineer Talent correlation.

I know many of the Arpanet folks are near the end of their lives but I had a shower thought this morning and started to look at old maps. Do you think there is any correlation to these maps and saturation(not the best word) of network engineer talent? I'm trying to think of something that may be a better metric to measure, but I'm directly in this field as a result of tinkering with things with my father who was in telecom.

Map - https://imgur.com/a/mnaVS6W



Creating a VPN network for multiple destinations.

Hello!

My boss tasked me with creating the required infrastructure to work from home.

Now, my job has multiple locations that need to be connected, but I also need to separate them so someone from location A can't connect to location B and vice versa; also, there should be good security.

Now, we have a rack in a datacenter and badass internet, so my plan is as follows:
Set up 2 VPN servers, one that handles the clients (VPN A), the other that handles the destination (VPN B); there's a username and password plus an authorised MAC address and a certificate, just to be on the safe side.
Everyone connects to VPN A, and based on the input data (user+pass+MAC+cert), it forwards the connection to VPN B, which makes the final tunnel to the destination.

Because this is unplanned, I have to deal with the employees' home computers, as most of them didn't get laptops, and I was thinking that VPN A would accept 3 protocols: L2TP, SSTP and OpenVPN. VPN B will connect to the location over OpenVPN. If you wonder, L2TP and SSTP are more for compatibility, as it has to deal with vastly different configurations and mobile phones.

As for volume, I expect about 250 people to use it at the same time, and about 5 Mb/s of internet bandwidth per user should be enough, as they need just remote desktop; our network is fully capable of handling this amount of traffic.

I know it might sound complicated, but having it centralized is an actual requirement.

My question is, how do I bridge VPNs like that? I've never done it before.



This is why you take time to plan and wire a rack correctly

Having to remove completely stuck rear mounted switch installed by an ex-tech. His lack of planning is infuriating but finally got it removed.

Switch removal album



Minor issue with Cisco AnyConnect VPN configuration that has been driving me insane

So i am currently in the process of setting up a second VPN access for my workplace. In terms of functionality and access control everything is working perfectly fine however there is one small issue that has been annoying me (and the handful of users testing the VPN connection) for a while now.

After closing and restarting the AnyConnect client, the "Connect to" field is always auto-filled with "fwvpn (IPsec) IPv4" instead of the VPN URL used to actually connect. "fwvpn" is the first hostname that I gave the ASA when I did the first-time setup to enable SSH access, interfaces, etc. In the grand scheme of things this isn't actually a real problem, as you can simply erase that and retype the URL you want, but it has been irritating nonetheless.

Does anyone know where this field is from (only time "fwvpn" shows up in the config is the self signed certificate used for ASDM on the management interface) ?

Image of what I mean

If anyone thinks its relevant: The ASA is a 5516-X running 9.9(2)61



GRE Tunnel issue I can‘t get my head around

Hi,

I'm currently working on a GRE tunnel solution for Zscaler with 4 tunnels from two routers behind a FW that does NAT. I built a lab to test everything, but my GRE tunnels don't behave as expected. They show up/up on two routers (the Zscaler side) but are up/down on the enterprise side. I have keepalives in place and the IPs of the enterprise routers are statically NATed to "public IPs". Here is the topology with NAT rules and translations, which seem good to me. And here is the config of Tunnel61, between Router 6 and Router 1.

    interface Tunnel61
     description "Zscaler Primary Tunnel"
     vrf forwarding VRF1
     ip address 172.16.61.6 255.255.255.0
     ip tcp adjust-mss 1436
     keepalive 10 3
     tunnel source Loopback1
     tunnel destination 10.12.1.1
     tunnel vrf VRF1

Does anybody know why this is happening?
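What a static NAT does to a GRE keepalive, as an added example that is not part of the post and not vendor code: a small model of the Cisco-style keepalive exchange with both ends and the NAT device in the path. The sender pre-builds the reply it wants to receive (an inner IP header addressed peer-to-sender with GRE protocol 0) and wraps it in the normal outer GRE header; the peer decapsulates and simply forwards the inner packet. The NAT rewrites the outer header only, so the inner, pre-built reply still carries the untranslated source address. The tunnel destination 10.12.1.1 is the post's; the Loopback1 address 10.0.0.6 and its static NAT address 192.0.2.6 are assumptions for the lab.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example, not from the post and not Cisco code: model of the GRE
# keepalive exchange across a static NAT. 10.12.1.1 is the post's tunnel
# destination; 10.0.0.6 (Loopback1) and its NAT address 192.0.2.6 are assumed.


@dataclass(frozen=True)
class IPPkt:
    src: str
    dst: str
    gre_proto: int                      # 0x0800 = IP inside, 0 = keepalive marker
    inner: Optional["IPPkt"] = None     # encapsulated packet, if any


def build_keepalive(tunnel_src: str, tunnel_dst: str) -> IPPkt:
    """Sender pre-builds the reply it expects: outer us->peer, inner peer->us."""
    reply = IPPkt(src=tunnel_dst, dst=tunnel_src, gre_proto=0)
    return IPPkt(src=tunnel_src, dst=tunnel_dst, gre_proto=0x0800, inner=reply)


def static_nat(pkt: IPPkt, inside: str, outside: str) -> IPPkt:
    """A plain static NAT rewrites the outer header only; it never looks inside GRE."""
    if pkt.src == inside:
        return IPPkt(outside, pkt.dst, pkt.gre_proto, pkt.inner)
    if pkt.dst == outside:
        return IPPkt(pkt.src, inside, pkt.gre_proto, pkt.inner)
    return pkt


def peer_process(pkt: IPPkt, peer_addr: str, peer_routes: list) -> Optional[IPPkt]:
    """Peer decapsulates and forwards the inner packet only if it has a route for it."""
    if pkt.dst != peer_addr or pkt.inner is None:
        return None
    inner = pkt.inner
    if any(ip_address(inner.dst) in ip_network(r) for r in peer_routes):
        return inner
    return None     # no route to the inner destination: dropped at the peer


def keepalive_answered(tunnel_src: str, nat_outside: Optional[str],
                       tunnel_dst: str, peer_routes: list) -> bool:
    """True if the keepalive reply makes it back to tunnel_src as GRE proto 0."""
    ka = build_keepalive(tunnel_src, tunnel_dst)
    on_wire = static_nat(ka, tunnel_src, nat_outside) if nat_outside else ka
    reply = peer_process(on_wire, tunnel_dst, peer_routes)
    if reply is None:
        return False
    # The only address the outside can deliver to is the NAT's outside address
    # (or the tunnel source itself when there is no NAT).
    if reply.dst != (nat_outside or tunnel_src):
        return False
    reply = static_nat(reply, tunnel_src, nat_outside) if nat_outside else reply
    return reply.dst == tunnel_src and reply.gre_proto == 0


if __name__ == "__main__":
    routes = ["192.0.2.0/24", "10.12.0.0/16"]      # what the peer can reach
    print("behind NAT :", keepalive_answered("10.0.0.6", "192.0.2.6", "10.12.1.1", routes))
    print("no NAT     :", keepalive_answered("192.0.2.6", None, "10.12.1.1", routes))
```

With `keepalive 10 3` on the enterprise router, three missed replies take the line protocol to down while the outer GRE path itself is fine; a peer that is not itself sending keepalives has nothing to time out and stays up/up, which is the asymmetry worth checking first when one side reports up/down and the other does not.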



Anyone get domain based split tunnel working on PA Global protect VPN?

I'm very new to PANOS so it's been a little painful trying to get this working myself. Right now I have things set up as simple as possible. Only one domain is in the split tunnel list under client setup for the GP gateway. I can dial in successfully and when I access the defined domain, it uses the split tunnel. Problem is, everything else I try to access while dialed in also goes through the not-so-split tunnel as well. Anyone have any advice or docs they can point me towards? I'm getting ready to open a support ticket with PA, just thought I'd ping you guys first since I know a lot of you are big fans of the platform.



Eng 1 - 52k Salary.. Fair wage ?

I work for one of the largest ISPs in the world and just started as a Network Engineer 1. I had no previous engineering experience before this other than a bunch of certs: CCNA in R&S, Security, Design, and a bunch from CompTIA. I was hired at $52,780 a year. Am I being screwed?



Business owner with a couple questions regarding virtual PBX systems.

Hello! My wife and I own a business and I moved everyone to working remotely weeks ago. Our employees (and us) are connecting to our office using RDP over a VPN connection.

That's all working fine, however my solution for the phones was much less elegant. I just forwarded our main office line to a Google Voice line. It's working fine, however my wife and I cannot handle the call volume on one line, so I've started looking into some of these virtual or "cloud" PBX systems.

My main question is, does it simultaneously ring for all users, like a normal PBX system would? That's really the only feature we need this for, but I can't find much info on it. That tells me it's either not offered, or so standard that it's not even listed, haha. I'm not familiar enough with the technology to know what to look for.

Secondly, any recommendations? We need something with a desktop application, rather than just a mobile app like Grasshopper. Like I said, the only other real feature we need is for it to ring on all endpoints so that any one of our employees can answer it.

Hopefully this made sense.



DialUP IPsec through 2 firewall short timeout

Hello

I'm a bit lost now, i have this setup:

(Internet) -> [Stormshield SN900] -> [FortiGate] -> (LAN)

I have a dialup IPSec VPN configured on the FortiGate to provide remote access for my users .

On my Stormshield I have a dedicated public IP, on which I NAT UDP 500 and 4500 to the FortiGate. The thing is, I had to source NAT as well, so the FortiGate only sees the IP of the Stormshield as the IPsec peer, not the remote public IP.

However, I have some small packet loss when using the VPN (RDP dropping, mail server disconnecting, etc.), but the VPN remains up all the time.

I've tried to tweak the TCP MSS but no changes.

Can the source NAT be a problem there?



Wednesday, April 1, 2020

Syntax Highlighting for Juniper/Cisco/Arista (SSH)

Hi ,

Around a month ago I saw a post on this subreddit about syntax highlighting using Neovim. Since I don't use Neovim, and another user suggested a tool called chromaterm, I gave it a try and found it super nice and easy.

In this repo I'm sharing my config with the instructions to use for anyone who is interested. I hope someone else finds it as useful as I did.

Use Cases

  1. Reading Firewall Rules (Junos)
  2. Reading show ip bgp summary (Arista/Cisco)
  3. Reading show interfaces (Cisco / Arista / JunOS)
  4. Reading route-maps (Cisco / Arista)
  5. Reading Prefix lists (Cisco / Arista)

Instructions

Limitations

Thanks to the creator of this fantastic tool chromaterm.

Have a great day and stay safe with all this COVID-19 madness!



HP Arubas - anyone know what "Custom Port Name" is for?

This Custom Port Name (image) is a field I see when I go to "edit" a port in the Web interface.
Could this be something I can use for documentation? Or does anyone know what this is for?



If I do 192.168.1.0/23 do I cut my hosts in half?

I'm learning about subnetting and they used 192.168.1.0/23 as an example, stating that that wasn't possible because the proper way would be 192.168.0.0/23. Then they said that 192.168.1.0/23 was possible, but your network ID would still be 192.168.0.0 and your broadcast IP would still be 192.168.1.255. Now I am left wondering: if I had my network set up as 192.168.1.0/23, would that cut my hosts in half, giving me 205 hosts?
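The arithmetic behind the question, as an added example that is not part of the post: Python's `ipaddress` module computes the network, broadcast and host count for both spellings, shows why `192.168.1.0/23` is the "improper" form (it has a host bit set), and checks which addresses a host configured with that mask treats as on-link. The host addresses used in the checks are constructed.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Added example (not from the post): what a /23 written as 192.168.1.0 denotes.


def describe(cidr: str) -> dict:
    """Network facts for a CIDR.

    strict=False accepts an address with host bits set (192.168.1.0/23) and
    normalises it to the network it falls in; strict=True would raise.
    """
    net = ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": net.num_addresses - 2,   # minus network and broadcast
        "first_host": str(net[1]),
        "last_host": str(net[-2]),
    }


def host_bits_set(cidr: str) -> bool:
    """True when the written address is not the network address (the 'improper' form)."""
    try:
        ip_network(cidr, strict=True)
    except ValueError:
        return True
    return False


def on_link(host_cidr: str, peer: str) -> bool:
    """Would a host configured with host_cidr reach peer directly (ARP), not via a router?"""
    return ip_address(peer) in ip_interface(host_cidr).network


if __name__ == "__main__":
    for cidr in ("192.168.1.0/23", "192.168.0.0/23", "192.168.1.0/24"):
        print(cidr, describe(cidr), "host bits set:", host_bits_set(cidr))
    # Constructed hosts: the mask decides whether 192.168.0.7 is a neighbour.
    print(on_link("192.168.1.50/23", "192.168.0.7"), on_link("192.168.1.50/24", "192.168.0.7"))
```

The mask, not the address you happened to write, fixes the block: a /23 always spans 512 addresses (510 usable), so `192.168.1.0/23` and `192.168.0.0/23` describe the same network; halving only happens when the prefix gets longer, as the /24 line in the output shows.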



Cisco RV320 GW to GW VPN from private IP address

I'm connecting two Cisco RV320 routers together over VPN: an office and a residence. The office gateway has a static public IP; the residence gateway has a dynamic public IP. The purpose of this VPN is to connect an office IP phone that has been moved to the residence.

I was able to do this successfully, repeatedly and reliably when both routers are at the head of their respective networks. If I must, I will deliver the router in this configuration. It will require bridging their current AT&T U-Verse router so the RV320 gets the public IP address. It will upset their current network configuration, but will get the job done for this user.

I would like to save this user some trouble by configuring their RV320 to work from BEHIND their U-Verse router. That is to say, the remote gateway WAN1 port will have a private IP address when it reaches out to the office gateway. This turns the RV320 into a network endpoint with only the office IP phone connected. I've had sporadic success creating a tunnel, but I cannot get the tunnel to reconnect if it becomes disconnected. This needs to be seamless and automatic.

Can someone tell me what I'm missing or suggest another course of action that would work better? Thanks for reading.



ISP BGP point-to-point links between routers?

Does anyone here know how best to handle these? Specifically the /30ish subnet between the routers? All the BGP guides I find are somewhat generic and always discourage advertising these into BGP itself but never explain why. They mention using an IGP, loopback & static routes, and I do understand how all of that works; but what is recommended in real life scenarios?

I know you can use an IGP to handle this but I am interested in how ISPs connect their iBGP routers.

For example, one datacenter I manage has a BGP session with 2 different ISPs to 2 of my routers. Cogent to router A & Hurricane Electric to router B. They each gave me a small public subnet to peer with them on. These subnets are advertised because they are routable on the Internet. But beyond that I have no idea what ISPs are using to connect routers in their own AS and to external ISPs.

A part 2 to this question would be how ISPs interconnect with each other. I know generally they converge at Internet exchanges with a route reflector/server, but I am interested in the subnets they are using to do this. Are they public and Internet routable?

One last thing. I have 2 different routers, one connected to each ISP (eBGP) and then they were connected to each other (iBGP). They are each getting a partial/default route table from their respective ISP. Instead of using next-hop-self, I simply advertised the /30 into iBGP at each router so they each have an organic route to the next hop ISP router instead of router A announcing itself as the next hop to router B for routes on Cogent. Is there anything wrong with this?

Thanks for all who chime in ;)



What would you look for in a network documentation tool?

It's an open discussion



802.1 radius authentication

Hello, I put this on r/wireless but for some reason it was removed as spam?

I'm doing a uni project and I have to investigate what happens when a laptop is powered up and connects to an AP using a RADIUS server for authentication (WPA2 Enterprise).

So far I can see we have

1 - Probe Request

2 - Probe Response

3 - Authentication Request

4 - Authentication Response

5 - Association Request

6 - Association Response

Where I'm getting confused is where the radius authentication comes in, I initially thought it would be at steps 3 and 4 above, but some other information is suggesting the radius authentication takes place after these 6 steps.

If anyone could shine a light on this I would be very grateful.

Cheers



Any Akamai / ThreatAvert users with a "Luna Control Center" account willing to help me out?

I have a recurring problem where Spectrum Internet will blacklist my domain name. This happened 6 months ago, and some helpful r/networking & NANOG users that work for Spectrum informed me that Akamai ThreatAvert feed blacklisted my domain -- rightbridge.net

I've had a hell of a time trying to get help from abuse@akamai.com and support@akamai.com. Ultimately, not being a customer they won't help me or even validate the problem exists. I'm assuming someone that is an Akamai / ThreatAvert customer could submit a simple ticket "Remove rightbridge.net from ThreatAvert feed" to quickly resolve this.

Additionally, any ideas how I end up blacklisted would be appreciated. I'm at a complete loss on this. None of the public blacklists show any problems:

https://mxtoolbox.com/SuperTool.aspx?action=blacklist:rightbridge.net&newAppVersion=1

Akamai's own tools at:

https://akamai.com/us/en/clientrep-lookup/

Indicate my servers did not receive a bad risk score..

I'm tempted to switch my DNS from Rackspace to Google or route53, but I'm not sure that would even make a difference.



Any potential issues in enabling jumbo frames globally on Nexus?

We are experiencing a VMware performance issue and we discovered that jumbo frames are not enabled for all ports. As opposed to tracking down all of our vmware and SAN interfaces 1 by 1, I thought I would just do it globally. Has anyone done this? Is there any threat that something may break by doing it?

Thanks!



Cisco Core Switch upgrade questions

I'm looking to upgrade our Cisco core switch. it's an old 3560 catalyst with a pretty basic configuration. The existing 10/100 ports are split up into VLANs for various client and server groups. The switch is largely there for routing. There are a combination of static routes and BGP for our connections to branch offices. The current north and south connections are all 1Gb Ethernet and a combination of L2 switches from various vendors (Dell, HP, Cisco whatever was available when others purchased). The configuration on this switch rarely changes. I'm talking one config change every 3-5 years. For this reason, it's gone largely ignored.

I'm hoping to change that with a core switch upgrade and have a few questions.

We are a medium size business. We are very flexible on budget. I want something that is easy to configure, deploy, and maintain going forward, so that it doesn't go ignored in the future. I have plenty of networking experience, so am comfortable configuring a Cisco, even if I haven't had to do so in over a decade. My only lack of experience is with managing BGP, as it's something I rarely have to engage.

  1. Cisco site is recommending the upgrade path from a 3560 to the 9300. Does this upgrade path sound fair, overkill, or lacking?
  2. With this upgrade path, would I likely be able to copy the config line for line on to the 3560, reducing configuration and implementation time.
  3. There was a previous concern among the decision makers that Cisco licensing is difficult and overpriced. Is that true nowadays?
  4. Are there other vendors we should consider? I figured transitioning to a different vendor would greatly increase time to implement. Not a deal breaker, but hoping to implement something sooner rather than later.

Any feedback or suggestions are helpful. Thanks!



Oxidized Install Fails CentOS 7

When following install guide for Oxidized according to the steps listed for RHEL and CentOS ( https://github.com/ytti/oxidized#installation), I get the following error when running gem install oxidized:

Could not create Makefile due to some reason, probably lack of necessary libraries and/or headers. Check the mkmf.log file for more details. You may need configuration options.

It appears this issue has been noted here: https://github.com/ytti/oxidized/pull/2050

Has anyone been able to successfully install the latest Oxidized on CentOS 7?



Global IP allocation

I have been trying to figure out the whole global IP address allocation. I noticed some IP addresses are showing the location as (EXAMPLE) North America but its IP registrar is RIPE. Why is the IP European but located in ARIN territory?



Firepower Rant - AnyConnect SAML

I am slowly regretting my boss's decision to move all of our ASAs over to FTD Code, and then lifecycle them with the 2130s. As you all are probably aware, Anyconnect is severely limited on FTD. I did manage to get the Umbrella Connector working on Anyconnect via a flexconfig. I am now trying to get SAML deployed on the Anyconnect Policy, via Flexconfig. The problem I have is getting the Signing Cert added to the device. Wondering if anyone has successfully gotten it integrated even though it is not supported. Trying to avoid having to buy more Cisco Firewalls, just for VPN access.

PS. We could use RADIUS, but we are implementing MFA and it requires the user to type the method of Authentication at the end of their passwords, providing an absolutely terrible user experience



What is an SFP and what is it used for?

Hello. I do mostly small business networking, nothing too enterprisey. Anyway I have a client who has just sent me a picture of some cables that he's been sent by another supplier, they are SFP+ Direct Attach Copper Cables, 1 meter in length.

I've Googled them and clearly it's a big topic. But what I'm finding difficult is just getting a straight answer on what they're actually for, as in what the use case is. Not how they work, but why; what's a situation where these things are useful? So I was hoping someone here could enlighten me. Thank you!



Troubleshooting intermittent timeouts between an F5 and our Hyper-V Infrastructure

Hi everyone,

I've been stuck with this topic for a while and not sure where to go next. If anyone can point me in a direction I would be very grateful. I have very little experience in this type of "deep dive" network troubleshooting.

F5 support has told me the issue is "between the F5 and the VM", which doesn't help much since the connection goes F5 <-> Switch <-> Hyper-V Clusters. The switch is managed by our datacenter provider while we own both the F5 and the Hyper-V Clusters.

What happens is that we have intermittent timeouts of connections to the F5 that I have so far been unable to reproduce reliably. At random intervals, accessing one of our virtual servers will time out. Sometimes this happens 10 times in a row; most of the time it will work fine immediately after. My next step would have been to see if this issue occurs on infrastructure other than our clusters. They are both configured exactly the same, so the issue could exist on them both.

The traffic in Wireshark looks like this:

On the server (10.0.0.58):

No. Time Source Destination Protocol Length Info
2381 14:10:57.92 10.0.0.58 10.0.0.43 TCP 66 54236 → 25 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
2744 14:11:00.92 10.0.0.58 10.0.0.43 TCP 66 [TCP Retransmission] 54236 → 25 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
3394 14:11:06.93 10.0.0.58 10.0.0.43 TCP 66 [TCP Retransmission] 54236 → 25 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1

On the F5 VS (10.0.0.43):

No. Time Source Destination Protocol Length Info
7736 14:10:57.93 10.0.0.58 10.0.0.43 TCP 66 54236 → 25 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
7738 14:10:57.93 10.0.0.43 10.0.0.58 TCP 62 25 → 54236 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1
8560 14:11:00.93 10.0.0.43 10.0.0.58 TCP 62 [TCP Retransmission] 25 → 54236 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1
8562 14:11:00.93 10.0.0.58 10.0.0.43 TCP 66 [TCP Retransmission] 54236 → 25 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
10983 14:11:06.93 10.0.0.43 10.0.0.58 TCP 62 [TCP Retransmission] 25 → 54236 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1
10985 14:11:06.94 10.0.0.58 10.0.0.43 TCP 66 [TCP Retransmission] 54236 → 25 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
17059 14:11:18.93 10.0.0.43 10.0.0.58 TCP 62 [TCP Retransmission] 25 → 54236 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1
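
The two captures above already contain the answer to "where between the F5 and the VM": the F5 sends a SYN-ACK four times, and none of them appear in the capture on 10.0.0.58, so the loss is on the return path. The script below is an added example (not from the post or from F5) that parses the pasted Wireshark summary lines from both ends and states that conclusion mechanically; the only input it needs is the two summary texts, copied verbatim from the post.

```python
import re
from collections import Counter

# Summary lines copied from the post: the capture on 10.0.0.58, the host
# opening the connection ("initiator"), ...
AT_INITIATOR = """\
2381 14:10:57.92 10.0.0.58 10.0.0.43 TCP 66 54236 → 25 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
2744 14:11:00.92 10.0.0.58 10.0.0.43 TCP 66 [TCP Retransmission] 54236 → 25 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
3394 14:11:06.93 10.0.0.58 10.0.0.43 TCP 66 [TCP Retransmission] 54236 → 25 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
"""
# ... and the capture on the F5 virtual server 10.0.0.43 ("responder").
AT_RESPONDER = """\
7736 14:10:57.93 10.0.0.58 10.0.0.43 TCP 66 54236 → 25 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
7738 14:10:57.93 10.0.0.43 10.0.0.58 TCP 62 25 → 54236 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1
8560 14:11:00.93 10.0.0.43 10.0.0.58 TCP 62 [TCP Retransmission] 25 → 54236 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1
8562 14:11:00.93 10.0.0.58 10.0.0.43 TCP 66 [TCP Retransmission] 54236 → 25 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
10983 14:11:06.93 10.0.0.43 10.0.0.58 TCP 62 [TCP Retransmission] 25 → 54236 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1
10985 14:11:06.94 10.0.0.58 10.0.0.43 TCP 66 [TCP Retransmission] 54236 → 25 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
17059 14:11:18.93 10.0.0.43 10.0.0.58 TCP 62 [TCP Retransmission] 25 → 54236 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1
"""

# One Wireshark summary row: No. Time Src Dst TCP Len [TCP Retransmission] sport → dport [flags] ...
LINE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<retrans>\[TCP Retransmission\]\s+)?(?P<sport>\d+)\s+→\s+(?P<dport>\d+)\s+"
    r"\[(?P<flags>[^\]]*)\]"
)


def parse_summary(text):
    """Turn pasted summary rows into dicts; header and blank lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        pkts.append({
            "no": int(m["no"]), "time": m["time"], "src": m["src"], "dst": m["dst"],
            "sport": int(m["sport"]), "dport": int(m["dport"]),
            "flags": frozenset(f.strip() for f in m["flags"].split(",")),
            "retransmission": m["retrans"] is not None,
        })
    return pkts


def classify(pkt):
    """Handshake role of a segment from its flag set."""
    f = pkt["flags"]
    if "SYN" in f and "ACK" in f:
        return "SYN-ACK"
    if "SYN" in f:
        return "SYN"
    if "ACK" in f:
        return "ACK"
    return "OTHER"


def handshake_report(initiator_cap, responder_cap, initiator_ip, responder_ip):
    """Count handshake segments seen at each end and say which direction loses them."""
    counts = {}
    for side, text in (("initiator", initiator_cap), ("responder", responder_cap)):
        c = Counter()
        for p in parse_summary(text):
            if {p["src"], p["dst"]} != {initiator_ip, responder_ip}:
                continue  # unrelated flow in the same capture
            c[classify(p)] += 1
        counts[side] = c
    i, r = counts["initiator"], counts["responder"]
    if i["SYN"] and not r["SYN"]:
        verdict = "forward-path loss: SYNs leave the initiator but never appear at the responder"
    elif r["SYN-ACK"] and not i["SYN-ACK"]:
        verdict = "return-path loss: SYN-ACKs leave the responder but never appear at the initiator"
    elif i["SYN-ACK"] and i["ACK"] and not r["ACK"]:
        verdict = "forward-path loss: the final ACK leaves the initiator but is not seen at the responder"
    elif i["SYN-ACK"] and r["ACK"]:
        verdict = "handshake completed at both ends"
    else:
        verdict = "inconclusive: captures do not contain a full handshake attempt"
    return {"counts": counts, "verdict": verdict}


if __name__ == "__main__":
    report = handshake_report(AT_INITIATOR, AT_RESPONDER, "10.0.0.58", "10.0.0.43")
    for side, c in report["counts"].items():
        print(f"{side:<10} {dict(c)}")
    print(report["verdict"])
```

A third capture on the provider-managed switch, run through the same function against each end, would show on which side of the switch the SYN-ACK disappears.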



Wifi Planning Tool

Heya fellow network guys and gals,

Currently I am searching for a tool that allows me to place access points on a floor plan.

Not more and not less; everything I want is a tool that allows me to simply import my floor plan and locate my AP on the point I want. That's it: no RF planning, no site survey, etc.

We already have AirMagnet Pro as a site survey tool and that also has a pretty solid planner, but that's way too much for me now (and I don't have the external Wi-Fi USB adapter with the MAC address the license is bound to with me), and I just don't like the very little AP symbol that is overlooked quite easily.

Do you guys have any ideas? Maybe it's just something super simple I can't think of right now. (Making a red dot in Paint is too simple, though XD)

Would appreciate an answer - thanks!



Avocent Console Server and CDP/LLDP

Hi all,

Do you know if the Avocent terminal servers can be visible by CDP/LLDP from a switch they’re connected to?

Sadly, I have only remote access to the switch and no access to the Avocent appliance at all, so I’m trying to figure out if there’s any way for a remote engineer to confirm what device is actually connected to that one access port.

Any hints greatly appreciated. :)



Compare system hostnames with dns records

Does someone know if there's a script/tool/suite which is able to compare system hostnames (read out via SNMP preferably) with the reverse DNS entry of its IP address?

For instance, on the DNS side you have 4 records:
switch1 A 10.0.0.1
switch2 A 10.0.0.2
switch3 A 10.0.0.3
switch4 A 10.0.0.4

But on the device hostname side it looks something like this:
switch1 10.0.0.1
switch2 10.0.0.15
switch3 10.0.0.3
switch4 10.0.0.28

So I want the script to scan a subnet, find out its reverse DNS entries and then compare the reverse DNS entries to the real hostname of the device. In my example I want the script to tell me that there are differences between DNS names and real system names at switch2 and switch4.

Or does someone have a better approach to cleaning up a shitton of old DNS records?
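
One way to do exactly the comparison described above, as an added example (not an existing tool): walk the subnet, take the PTR name and the SNMP sysName for each address, and then pair every hostname's DNS address with the address where a device of that name actually answers. The SNMP lookup assumes net-snmp's snmpget is installed; the sample PTR/sysName data at the bottom is constructed to reproduce the post's switch1 to switch4 example, and the lookups are injectable so the logic runs without any network.

```python
import ipaddress
import socket
import subprocess

SYSNAME_OID = "1.3.6.1.2.1.1.5.0"   # SNMPv2-MIB::sysName.0


def normalize(name):
    """'SWITCH2.example.net.' and 'switch2' compare equal: lower-case, drop the domain."""
    return name.rstrip(".").split(".")[0].lower()


def reverse_dns(ip):
    """PTR lookup through the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def snmp_sysname(ip, community="public", timeout=2):
    """sysName.0 via net-snmp's snmpget (assumed installed); None if nothing answers.
    v2c is shown for brevity; prefer -v3 with authPriv on devices that support it."""
    cmd = ["snmpget", "-v2c", "-c", community, "-Oqv", "-t", str(timeout),
           "-r", "0", ip, SYSNAME_OID]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 3)
    except (OSError, subprocess.TimeoutExpired):
        return None
    if out.returncode != 0:
        return None
    value = out.stdout.strip().strip('"')
    return value or None


def audit_subnet(cidr, rdns=reverse_dns, sysname=snmp_sysname):
    """One finding per address that has a PTR record, a responding device, or both."""
    findings = []
    for host in ipaddress.ip_network(cidr).hosts():
        ip = str(host)
        dns_name, dev_name = rdns(ip), sysname(ip)
        if dns_name is None and dev_name is None:
            continue
        if dns_name is None:
            status = "missing-dns"      # device answers, but no PTR record
        elif dev_name is None:
            status = "stale-dns"        # PTR exists, nothing answers SNMP
        elif normalize(dns_name) == normalize(dev_name):
            status = "ok"
        else:
            status = "mismatch"         # PTR and sysName disagree at this address
        findings.append({"ip": ip, "dns": dns_name, "device": dev_name, "status": status})
    return findings


def by_hostname(findings):
    """Pair each hostname's DNS address with the address where that name really answers."""
    dns_ip = {normalize(f["dns"]): f["ip"] for f in findings if f["dns"]}
    dev_ip = {normalize(f["device"]): f["ip"] for f in findings if f["device"]}
    diffs = {}
    for name in sorted(set(dns_ip) | set(dev_ip)):
        if dns_ip.get(name) != dev_ip.get(name):
            diffs[name] = {"dns_ip": dns_ip.get(name), "device_ip": dev_ip.get(name)}
    return diffs


# Constructed sample data reproducing the post's example (not real lookups).
EXAMPLE_PTR = {"10.0.0.1": "switch1.example.net", "10.0.0.2": "switch2.example.net",
               "10.0.0.3": "switch3.example.net", "10.0.0.4": "switch4.example.net"}
EXAMPLE_SYSNAME = {"10.0.0.1": "switch1", "10.0.0.15": "switch2",
                   "10.0.0.3": "switch3", "10.0.0.28": "switch4"}


def example_run():
    """Run the audit over the constructed data instead of the network."""
    findings = audit_subnet("10.0.0.0/27", rdns=EXAMPLE_PTR.get, sysname=EXAMPLE_SYSNAME.get)
    return findings, by_hostname(findings)


if __name__ == "__main__":
    findings, diffs = example_run()
    for f in findings:
        print(f"{f['ip']:<12} {f['status']:<12} dns={f['dns']} device={f['device']}")
    for name, d in diffs.items():
        print(f"{name}: DNS says {d['dns_ip']}, device answers at {d['device_ip']}")
```

For a real run, call audit_subnet("10.0.0.0/24") with the defaults; "stale-dns" findings are the records to retire, and by_hostname() gives the switch2/switch4 style list the post asks for.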



Not sure if the right spot please redirect me if not. Looking for a fibreoptic (SL) to USB3 media converter in a small form factor. Any leads?

I already have one with gigabit Ethernet but I want to try a new piece of hardware that requires USB 3 and needs to fit into a small space and have a temp rating of around 80°C. Or is there a workaround for it?

Current unit has a foot print of W: 1.75” (44mm) x L: 2.25” (57mm) x H: 0.84” (21mm) I'd like something this size or smaller.



Routing traffic from on-prem subnet outside advertised BGP subnets to AWS VPC

Hi,

a little while back I tried setting up a site-to-site VPN between my on-prem lab and my AWS VPC.
I do this via CloudFormation, and I decided to advertise the AWS subnets via BGP.

Some details:

AWS VPC Subnet: 10.0.0.0/16
Subnet A in AWS: 10.0.0.0/24
Subnet B in AWS: 10.0.1.0/24
Subnet C in AWS: 10.0.2.0/24

On-prem subnet: 172.21.20.0/24

OpenVPN server IP address: 10.0.0.200
OpenVPN Tunnel subnet: 10.1.100.0/24

Laptop/OpenVPN Client ip: 10.1.100.60

Tried to make a gliffy as well: https://imgur.com/a/lKfjn03

Description

Currently, BGP from AWS advertises 10.0.0.0/16 successfully to my Juniper SRX, and traffic flows as expected with the VPN tunnel established.

In the AWS VPC, I have set up an OpenVPN server in EC2. It has an elastic public IP associated with it, and it sits in the subnet 10.0.0.0/24.

When I configured OpenVPN, I set the OpenVPN tunnel subnet to be 10.1.100.0/24.
This was chosen as you cannot specify a route more specific than the VPC CIDR which is 10.0.0.0/16 in the route table.
The message if you try to specify a more specific route in the route table is "This route table is used by a subnet, and doesn't support route destination which are more specific than VPC local CIDR."
In the route table, I set up a static route for 10.1.100.0/24 -> IP address of the instance hosting the OpenVPN server, in order to get around the above issue.

When I connect to the OpenVPN server using my laptop (10.1.100.60), I can ping other servers hosted in the VPC, and I can also ping the OpenVPN client (the laptop) from a server hosted in EC2 in the 10.0.0.0/24 subnet. So the routing within the VPC works.

I can also from the laptop, ping my servers hosted on-prem in the subnet 172.21.20.0/24.
The subnets are propagated to the route table in AWS via BGP.

My problem is, I cannot send traffic from on-prem (172.21.20.0/24) to the OpenVPN clients, since the route advertised from AWS via BGP is 10.0.0.0/16, and the OpenVPN traffic is using 10.1.100.0/24.
If I run tcpdump on one of my servers hosted on-prem (172.21.20.0/24) while pinging it from the laptop connected via OpenVPN, it sends the response back to the OpenVPN server (10.0.0.200).

So I know i need to route traffic destined for the subnet 10.1.100.0/24 to the OpenVPN server 10.0.0.200. That's clear to me.

However, from the AWS documentation "The virtual private gateway does not route any other traffic destined outside of received BGP advertisements, static route entries, or its attached VPC CIDR" https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html

Does the above have an impact in setting up a static route to the OpenVPN server?

How do I route traffic to the OpenVPN tunnel subnet from my on-prem SRX, via the already established AWS VPN tunnel to my VPC?

- Can I set up static routing? e.g. 10.1.100.0/24 -> 10.0.0.207. My brain is having a hard time understanding the language of the AWS documentation listed above.
I did a test already, but I could not get it to play along. I did this on the SRX: set routing-options static route 10.1.100.0/24 next-hop 10.0.0.207
I think this does not work because the IP address of the OpenVPN server, 10.0.0.207, is not reachable from within the SRX itself, as it's using a 169. address. (https://forums.aws.amazon.com/thread.jspa?threadID=48379)
Show route 10.1.100.0 tells me that it's still routed by the route 0.0.0.0/0

- Did I shoot myself in the foot, and need to redesign the whole VPC and network (if so, how should I do it instead?)

I am fresh to both networking and AWS, so any hints appreciated :)



Are Cisco 40Gb BiDi SFPs supported in Intel 40Gb NICs?

I'm working on a project where storage appliances are equipped with Intel XL710-QDA1 40Gb cards, but there is only 10Gb fiber infrastructure. Would it be possible to use Cisco 40Gb BiDi QSFPs, like the QSFP-40G-SR-BD, in this card to be able to utilize the existing cabling?

Does anybody know, has anybody used this exact combination?



Tuesday, March 31, 2020

Issues with multicast on an isolated Layer 2 Network

Hi all,

I am troubleshooting an SCCM multicast issue for a client and wanted to confirm something before I look at the SCCM configuration and server specs. The network is non-routable and doesn't even have a router attached. In fact all switchports (including the SCCM server) are in VLAN 1 - and VLAN 1 does not have an IP address assigned. There is no requirement to.

The switches are all Cisco 3650 switches with IGMP snooping enabled by default.

My question - Will IGMP Snooping work without a router? I've done a little research and it seems that an IGMP Snooping Querier is required in the absence of a Multicast Router.

Is this correct? If so, do I need to configure only a single SVI on a single switch as an IGMP querier? Or do I need to configure a querier on all switches within the domain?

Is there any additional config I should be aware of to optimise multicast traffic?

I will be heading out tomorrow to troubleshoot.

Thanks!



ESXi host and Cisco 9300-24T issues

I just got done with VMware support, and have narrowed down the connectivity issues with this host to CDP issues on the Cisco switch. The issue began after a 10Gb NIC died in the host and was replaced by Dell support. After the swap, the observed IP ranges won't populate. I have verified that the uplink ports are part of the same port channel, and that they are seen as CDP neighbors.

I know this is vague, but I'm not sure where to dig from here. If a config or other information is needed, please let me know and I will provide it.

Thank you in advance for your time.



Just wanted to say Thank You.

The world is more than ever dependent on the internet right now, and it's folks like you who keep it running smoothly despite the massive amounts of traffic. I don't think we ever appreciate how important connectivity is in our lives and those people who make it possible. Thank you so much!



How Tailscale Works

Hi everyone, long time lurker here.

I recently started a company with some friends building a WireGuard-based mesh VPN. We finally took the time to detail the design. I'd love to get some feedback on it: https://tailscale.com/blog/how-tailscale-works/



Migrating from a 1941 to a 3945e... as a VM engineer

Hi there, I have been thrown in the deep end of the networking pool, our network engineer is in isolation and we are having issues with our Cisco 1941 router that is a million years old (roughly) randomly rebooting.

The connection is a basic ASA5515 --> 1941-->Telstra ethernet hand off thing.

I have an old 3945e sitting in the store room that I got up and running with MOST of the same config but I have hit a snag.

When I copy the config over there are 2 parts that either don't work or seemingly don't exist? The section below is where I fall apart. I can't put a VLAN on the 3945e. I can do a "vlan ?" and it says database, and I can manually create a vlan 1 in there, but then I can't configure it at all.

Here are the parts with sanitiser on them:

ip inspect name fw1 tcp
ip inspect name fw1 udp
ip inspect name fw1 icmp
ip inspect name fw1 ftp

and the 3945e doesn't know what they are. Is this a firewall thing? I see it on the gi 0/0 interface on the 1941 but I don't know what it's for:

interface GigabitEthernet0/0
 description connection to internet
 bandwidth 200000
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip access-group ISP1-in in
 ip inspect fw1 out
 duplex full
 speed auto
 ipv6 address xxxx:xxxx:xxx:xx::x/64
 service-policy output pm-shape-queue-out
!
interface GigabitEthernet0/1
 description Firewall External Interface
 no ip address
 duplex auto
 speed auto
!
interface Vlan1
 ip address yyy.yyy.yyy.yyy 255.255.255.248
 ipv6 address yyy:yyy:yyy:yyy::y:yy/64
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx (Gi0/0 next hop address)
!
ip access-list extended ISP1-in
 remark #--------  General Policy -------#
 deny lotsa stuff
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo
 permit lotsa stuff

ipv6 route xxxx:xxxx:xxxx::/56 xxxx:xxxx:xxxx:xxxx::x:x (this is the next hop on the vlan 1 ipv6 address)
ipv6 route ::/0 (Gi0/0 IPV6 address)

Any help would be greatly appreciated, and feel free to explain it like I'm not a network guru, because... well, I'm not.



COVID and Cisco certification

I was going to let my certification lapse as I was planning on quitting for good in the next couple of years and thought I could ride that out with my current employer. Then COVID happened. My employer is crying poor and maybe they'll fold in the upcoming months which will force me to get another job.

My situation is that my CCNP expires in July and historically, for whatever reason, HR still puts a premium on having Cisco certs. Given the circumstances globally, does anyone know what Cisco is going to do? Right now in my country it's at necessary travel only and the lockdown is becoming more strict everyday. I don't see myself waltzing into the nearest testing centre and I'm not even sure they'd be open at the moment!



Firewall Recommendations for SMB

Hope everyone’s doing well with this crisis.

I’m looking to upgrade our FortiGate 80E firewall and seeking recommendations.

  • 25 Users in Total
  • 15 SSL VPN Users
  • 40 Devices
  • 350/35 Internet Speed (Please don’t laugh, it’s Comcast’s Fault)

I am thinking of a Cisco ASA 5515-X, but I don't have enough CLI experience to solely depend on it, so how's ASDM, or does it have an actual GUI? I used it many years ago.

Second option was maybe SonicWall TZ600 or NSA 2650.

It has to be in compliance with FIPS 140-2 which means no Meraki or UniFi (Cries on the inside).



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC.



Separating Servers and Client PCs

I'm helping a buddy of mine clean up his company's corporate network, and the most important aspect I recommended was to divide it into VLANs. Everything was on a flat address space (192.168.1.0/24) and obviously this presented many issues.

The entire network is based on UniFi hardware and Windows AD DCs acting as DHCP and DNS servers.

I've successfully separated IP cameras, printers, workshop machinery and devices, and employees' mobile phones into their own VLANs. A different SSID for guest Wi-Fi is also in place.

Now, what's left are the Windows servers and client PCs. As I mentioned, there are two DCs acting as DHCP and DNS servers, currently offering IP addresses only to domain-joined PCs, as every other device gets an IP directly from the USG. This is working perfectly fine, although every computer in the domain can see every server when going to Network in Windows Explorer.

Both DCs have a scope setup in the 192.168.1.0 range. It's split up 80/20 so both are offering addresses. The same goes for the DNS Reverse Lookup Zones, each one has the 1.168.192.in-addr.arpa zone.

I created a new VLAN subnet in UniFi with 192.168.40.0/24 to place all client PCs there. DHCP was set to Relay pointing to the current servers.

My questions are:

  1. Should I create a new scope in the DHCP servers for the 192.168.40.1 space? Should I add a second Ethernet adapter to listen on the new scope?
  2. Should I also create a new primary zone in DNS for it?

I want the DHCP and DNS servers in 192.168.1.0 to serve all clients in 192.168.40.0.

Would this be OK or am I giving the wrong advice? It's been a while since I set up DHCP and DNS on Windows Servers.

Sorry if this is the wrong sub. Stay safe.



anyone use Raritan KVM/Console (Dominion SX)? I'm trying to disable CBC mode ciphers

I cannot see a setting on our Dominion SX to disable CBC ciphers.

In the security settings page, the only options are for AUTO, AES-128, AES-256 and RC4; then you have the option to enable/disable FIPS4.0, and also options for TLSv1.0, 1.1 and 1.2.

I chose AES-256 and enabled FIPS4.0, with TLSv1.2,

but the security scan still shows up for "CBC mode ciphers is enabled".

how to fix this??

thanks



Which modules in pure Python scripting you guys use to parse configs? I used to use Ciscoconfigparse, anything better out there?

As the topic says. Used to use Ciscoconfigparse but wondering if anyone found something better?



Internal Speedtest

Looking to implement a localized speed test tool. Users in remote offices can run an internal speedtest from their PC to our server in the datacenter (that will host the speedtest). Any good suggestions?



Please help me make sure I understand this right! (VC vs MC-LAG)

Hi there

In the past, I always saw people do stacking to have 'redundant' uplinks on the stack and the downstream gear.

I believe MC-LAG is the way to do it with Juniper these days for the hypothetical setup below:

Combo fw/router (not redundant, identified already as SPOF) feeding 2 links to, say, 2 EX4650s. These EX4650s have MC-LAG going between them and each EX4650 has one link to, say, EX3400s downstream. This setup would provide EX3400 uplink redundancy all the way to the firewall, right?



[Question] Hello, can someone recommend me a book to learn the basics of networking? Pls don't shoot me if this isn't the right reddit page to ask this...


Sending this on behalf of our network engineer

We recently acquired some Cisco Firepower 1140 NGFWs to replace our 5515-Xs. We use Riverbeds, and the network engineer I am assisting had a question regarding the migration of configuration settings for using tcp-maps for options 76 and 78. I found a forum post on Cisco's website but no answers. I am hoping someone here may have a solution.

https://community.cisco.com/t5/network-security/ftd-2110-configuring-tcp-options/m-p/3864701#M923345



Safe Place to get ScriptLogic SL360 Tool Suite? All search results lead to the sketchy freeware sites. I know SL360 is Freeware but I can't find a good source.

/r/PLC/comments/fsgg9x/safe_place_to_get_scriptlogic_sl360_tool_suite/

ISE: IPSK same SSID but assign different VLANs

Our goal is to have one SSID shared by all external companies hiring office space on our campus, give them a password each, and thereby their own separate VLAN.

Is it possible to do this without having the endpoints profiled already in ISE? I can't figure it out.

Thanks.



SNMP Question

Hello-

I'm curious about a value I'm getting with SNMP. The OID 1.3.6.1.2.1.69.1.3.4.0, I understand what this OID is for. The only thing I don't understand is what the integer 5 means. After searching online the only explanation I get is Other. Any help would be greatly appreciated.



Internet Options for Sorority House Fiber vs Coax

I have some questions about internet at a sorority house. I redid the network with 25 APs and a USG 4 to help with Wi-Fi connections. There are about 70 people living in the house and the number can flex up to 150 during a day with other people coming into the house. Internet use is regular streaming and web browsing. Currently they have a Spectrum agreement ending in October for 200/200 fiber for 1300/month. I have gotten two new quotes for similar fiber service for 850-950. I can also get 1000/50 coax for 200/month.

Question is do I need to spend the extra 600+ a month for fiber?



My Project is an On Prem Video Storage of Body Camera Footage and Transfer it to a Remote Server Location Everyday.

We have 150 stations. Each station accumulates videos of 200 Gb to 500 GB a day. These are video files from body cameras, 3 minutes each. I need these video files to be stored locally. What is the best suggested network architecture? Also, what type of storage (NAS/iSCSI system) would you recommend?

Server: Once a day all the files stored on the 150 stations need to be synchronised with a central server. What is the right way to do this synchronising, as the data is huge? Also, what is the recommended architecture for storage in the central server?

I am looking for best practices. Also given the tough times if somebody is looking for consulting with us for this project which will last for 3 months would be happy to chat more.



What are tie cables?

I read that when building out an IT room you need tie cables between racks. What are those? I don't think they're the Velcro that keeps the cables together.



Cisco Access Point for Wireless Site Survey

I am going to conduct a wireless survey in a multi-floor building; the type of traffic will be data and voice. I have got an Ekahau AirMagnet kit, but I am confused in choosing the right access point model. I have multiple choices, like Cisco 1800, 2800 and 3800 series access points. Which one of them is better, and why would it be the better choice?



How does Windows 10 select among DNS servers on multiple adapters?

I've been seeing an issue recently with VPN users who can't properly resolve our internal addresses.

As near as I can tell, the machine used the local network to resolve DNS, and some ISPs' DNS servers, instead of responding 'I don't know' to unknown address requests, return some useless IP for 'dnserrorassist.att.net' or whatever (which... omgwtf!?).

So far I've solved this by forcing local DNS to use 8.8.8.8, but I found an article recently that suggests simply changing the route metric for the VPN to be lower than the local adapter. I realized that I have a deeper problem: I don't understand how Windows name resolution actually works. It seems obvious that it chooses the DNS server on the lower-metric adapter and then falls back to another, but I've never actually seen this written down anywhere (and it's been more than a few years since I did networking 101).

Can someone explain this or point me to an article for it? Thanks!



Free access to ACM Digital Library - Networks and Communications

I thought maybe for someone it can be useful.

To help support our community working remotely during COVID-19, we are making all work published by ACM in our Digital Library freely accessible through June 30, 2020. Learn more

https://dl.acm.org/subject/network



What 4-8 port Poe switch do you guys use and would recommend?

I wanted to explore more options for 4-8 ports Poe switches. Which model and brand do you guys like and would recommend? I'm used to Cisco, unifi, but plan to test other models.



Monday, March 30, 2020

How did you learn how to map a network?

Looking to learn how to map my corporate network. I work on a small team in a small local municipality. Things haven't been properly updated in who knows how long.

The only tool I know for mapping is visio but have never used it.

Are there other/better tools? What would you recommend and to go about learning how to map everything out.



How is this site able to provide searchable netblocks with such granularity?

Hey folks- network engineer here, looking for some help reverse-engineering how this (really powerful) free service works. The site I am talking about is ipv4info.com and the unique ability it provides is a searchable database by keyword (for organization, contact, etc, etc) for even the most tiny of network allocations.

FIRST: If you suspect I am about to spam you to sell a service, please see the last line of the post and also read the content here carefully and judge for yourself; you can no longer pay for data from this site, and it seems to be moribund and not making any revenue off of any obvious advertising (though I guess the traffic rankings do boost the value- whatever...)

SECOND: If you're still thinking I'm spamming you / advertising but you have some helpful technical answers for me about how it might work, feel free to send me a direct message if you don't feel comfortable potentially sending more traffic to this site.

THIRD: If anyone is able to help me figure out how this works, I'm happy to put up a clone as a free service and open-source the tooling/backend- though the fact that it's shutting down and based in Russia makes me wonder if it is up to something that can be considered a "gray-area" ...

... back to the point. I am very aware of whois/rwhois. I pull down the latest rwhois raw database files from all of the RIRs (ARIN, APNIC, LACNIC, ...) every night over FTP, parse them out, and do some searching based on keywords for some organizations that I work on contract for to provide them data on their Internet assets when they need third-party verification of "inventory"

What I found at this specific site when I stumbled upon it just a few months ago (which is apparently defunct, not taking new customers, and starting to have stale data) is a bunch of /28, /29 and /30 CIDR blocks that can't be found via any paid or free service I've been able to find over the years. This includes searching via the individual RIRs themselves using their keyword search mechanisms, as I mentioned.

I'm wondering how the heck it is possible that they have this data in this keyword searchable format. I understand I can always rwhois an IP address and get back the fields that contain keywords that I am looking for (e.g. the name of a customer's business) but for that you obviously need to know the IP address first. So, chicken and egg. And I'm not going to try to actively whois every IP on the Internet and get banned from every rwhois service before I get .05% through. I figure even excluding RFC1918 addresses, there's just too much search space since you have to search within the larger blocks to discover these smaller ones. Brute force searching just doesn't seem feasible unless it's part of some hybrid approach

To be clear- I am not talking about a standard searchable ASN database site- these are a dime a dozen and I've been using them for years. I'm not even talking about the equally common sites/services that let you find smaller CIDR blocks, typically /25 and larger via keyword searches. None of these sites turn up the networks that this site finds.

Example: As an example of how this is different, go to the ARIN site and search for "Exxon" (AND NO, I AM NOT AFFILIATED WITH EXXON EITHER!)

Using ARIN's keyword search, you'll be able to track down a handful of their network blocks, especially a few of their big ones. Great. Now go to the site I mentioned in the first paragraph and type "Exxon". The list of networks it returns is significantly longer and contains a relatively large amount of really small networks, down to /30. These obviously are not all Exxon corporate, but at least a few are probably small Exxon corporate remote sites, maybe egress points, out-of-band management for DR, or surveillance gear. They are not all just random little gas stations or loosely affiliated entities. I guess Exxon wasn't a great example, but still, it works to demonstrate the point.

Can anyone speculate as to how they are getting this data in such a way that it is searchable by keyword?

After talking to a few friends, some ideas came up about monitoring for route announcements passively, then performing some active rwhois queries, and then continuously updating via this basic approach. But none of us are quite sure if this is actually practical.

I'm not necessarily looking for an equivalent service/site (though I would be very interested if there were any) but I am very interested in figuring out how they do this as it would help me in my work quite a bit- these small networks are often not well known to the organizations that are responsible for them, and they end up being the source of an outage or a security incident eventually, so having them discoverable so easily is really significant.

Before jumping to any conclusions and telling me that this site/service provides no unique capability, please give it a shot with any large international corporation as an example: find a small block (maybe a /29), see if you can find it via a keyword search on ARIN's site or ARIN's rwhois DB snapshot files (or any other RIR for that matter), and then do a whois on it to see that the data is in fact correct.

BTW- In case anyone suspects I'm advertising for the site, I'll point out that it seems to have been a pay service at one time but is no longer accepting payments/subscriptions. It also says that the domain is for sale. It seems to be based in Russia. I assure you I'm not based in Russia, nor am I trying to attract attention to a moribund site in Russia.