Saturday, April 18, 2020

Flame this topology

View Topology Here

I am studying for CCNP ENCOR, and this all started as "I just want to configure BGP between a couple of routers." And then it grew.

My question, aside from whether the design even makes any sense and whether you would see anything like it in the wild, is how to get the PCs out to "the internet" without having the 172.1.X.X networks participate in BGP?

Would I need to be using NAT/PAT? And can I have two outside interfaces? Are the e0/3 links between the routers in each AS even necessary? My worry was: what if, say, e0/1 on R3 went down while R3 is the active router... HSRP has some way to tell if that happens and make a switch, right?

Disappointed in myself for having these knowledge gaps, but hopefully someone can help out. Hit me with any clarifying questions you need.



Difficulty of the informational density of Networking+

I'm taking an 8 week college course for Network+. This was reduced to 7 weeks, due to Corona. This course is....ridiculous. By far the hardest class I've taken so far, halfway through my Database Development Major.

We've gone through translating binary/hex/decimal, cabling, subnetting, IPv6 and IPv4 addressing, data transmission, troubleshooting, TONS of ports and protocols, literally fucking HUNDREDS of acronyms with deep concepts behind each one, OSI Layers, DNS, DHCP, ARP, TFTP, NTP, LDAP, SMB, H.323, SIP, SMTP, FTP, A, AAAA, PIR, SEV, PTR, RS, APIPA, NAT, PAN, PAN (Not a repeat typo), SNAT, DNAT, IDF, IEEE, TCP/IP, ICP, NOS, SMPPT, CNSM, IMAP4 POP3 for just the tip of the iceberg.

I get a lot of these are very important concepts; but, it's week 3, and this shit is stressing me out. 30 hours a week, with just this one class. I'm not remembering shit, either, because it's too dense. Class is supposed to prepare us for Network+ cert, but I see no way to absorb all this dense info in less than 2 months.

Any advice? Will I even be partially prepared for the Network+ cert? I hear it's tough. I plan to study after the class ends as well, but dunno if the discount voucher the class provides will last.



ASR9k - RPKI Server within vrf?

Seems pretty basic use case that Cisco overlooked here but let's get with it.

Trying to do RPKI validation properly on my network. I thought I was fully compliant, but with Cloudflare's new testing tool I discovered I'm missing something here, and I'm not sure how to work around it.

https://i.imgur.com/tlvxG9p.png

On my ASR9001, its default table is just internet; I manage it fully via the OOB interface. It has RPKI servers configured to communicate out the management interface, and it populates the data properly into the BGP table. I then have it signal via iBGP to the neighboring 9006.

On the 9006, internet is in its own VRF while connecting to transit and peers. It gets the iBGP signals for RPKI from the 9001. However, this data appears to only apply to the 9001's routes, not the 9006's, as the 9006's routes show "not-known" for RPKI status. Because of this I will have "not-valid" or "valid" next to "not-known" on the 9006 for the same netblock.

So I assume what I need is the 9006 connected and talking to my RPKI servers. However, with internet in a VRF this seems impossible, as I can only configure rpki-server functions on the default table and its routes (which are all management-table routes anyway, for private space).

Any ideas/workarounds so I can have it apply RPKI validation information to the 9006's routes?



Antimalware Solutions

We have Kaspersky Endpoint Security, but we also want to have antimalware/ransomware protection.

We are looking to add something like Cisco AMP, Malwarebytes, or Sophos Endpoint for all our clients and servers. We have a total of 2000 clients and 95 servers.

Looking for some feedback about products they use and how hard these tools are effective on the endpoints

Thanks in advance for any suggestions



What is it like to be NOC engineer in ISP

Hello senior members, I just recently got my CCNA 200-125 last February and got offered a job as a NOC engineer at my local ISP. What does it look like, and which areas should I focus on more? I'd like some advice. Thank you.



Gbit over Shielded non-twisted cable?

I am facing the issue of having a cable run of about 20-30 meters (a guess) which consists of 8 non-twisted solid-core wires; the cable is foil shielded. I cannot really just run a proper new cable because it's embedded in the wall wiring. I tried calculating the length given the AWG and resistance, but since I measure a round-trip resistance of 12 ohms, either my equipment sucks or I have bad contact (don't really want to solder for testing this).

If I had to guess, I would assume running Ethernet over this should work just fine, but can anyone maybe offer a more educated guess than me? Thanks in advance :D



Allowing FTP using ACLs

Hello, I'm at my wit's end trying to figure out what is wrong with the commands I am using.

I have two hosts, 172.22.19.48 & 172.22.19.176 (behind the closest router's Gi0/1 interface). These are the only hosts that are allowed to reach an FTP server (172.25.30.15) two routers away.

On the closest router to the source, I'm using an extended ACL.

The goal is to allow only those two hosts access to the FTP server, while their entire subnet can access the DNS server (172.22.23.39).

(config)# ip access-list extended MultiHosts
(config-ext-nacl)# permit tcp 172.22.19.48 0.0.0.128 host 172.25.30.15 eq 21
(config-ext-nacl)# permit tcp 172.22.16.0 0.0.3.255 host 172.22.23.39 eq 53
(config)# interface Gi0/1
(config-if)# ip access-group MultiHosts in

The second line uses the wildcard mask 0.0.0.128 to ensure both hosts are allowed through and no one else.

The third line uses a wildcard mask of 0.0.3.255 to ensure the entire subnet can reach the destination.

Why can I not reach the FTP server from these hosts?
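To check the wildcard arithmetic and see which flows the two lines actually cover, here is a small evaluator for the ACL exactly as posted. It is an added example, not the router's matching code, and the sample flows are constructed: enumerating line 1 shows it covers only .48 and .176, and walking the flows shows that a passive-mode FTP data connection to a high port, and DNS over UDP, fall through to the implicit deny.

```python
"""Evaluate the posted 'MultiHosts' extended ACL against constructed flows.
Constructed example; not the router's own ACL engine."""
import ipaddress
from typing import NamedTuple, Optional


class Ace(NamedTuple):
    action: str                 # permit / deny
    proto: str                  # tcp / udp / ip
    src: str
    src_wc: str                 # Cisco wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # None = any destination port


class Flow(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: int


def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a Cisco wildcard mask: bits set in the
    wildcard are ignored, every other bit must equal the base address."""
    a = int(ipaddress.IPv4Address(str(addr)))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def matching_hosts(base, wildcard, within):
    """Every address in the network `within` that base/wildcard covers."""
    return [str(ip) for ip in ipaddress.IPv4Network(within)
            if wildcard_match(ip, base, wildcard)]


def evaluate(acl, flow):
    """Walk the ACL top down; the first matching line wins, otherwise the
    implicit deny at the end applies. Returns (action, 1-based line or None)."""
    for number, ace in enumerate(acl, start=1):
        if ace.proto not in ("ip", flow.proto):
            continue
        if not wildcard_match(flow.src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(flow.dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action, number
    return "deny", None


# The two lines of "ip access-list extended MultiHosts" as posted.
MULTIHOSTS = [
    Ace("permit", "tcp", "172.22.19.48", "0.0.0.128", "172.25.30.15", "0.0.0.0", 21),
    Ace("permit", "tcp", "172.22.16.0", "0.0.3.255", "172.22.23.39", "0.0.0.0", 53),
]

# Constructed flows: FTP control from both allowed hosts and from a third host,
# a passive-mode FTP data connection to a high port, and DNS over UDP and TCP.
SAMPLE_FLOWS = [
    Flow("tcp", "172.22.19.48", "172.25.30.15", 21),
    Flow("tcp", "172.22.19.176", "172.25.30.15", 21),
    Flow("tcp", "172.22.19.50", "172.25.30.15", 21),
    Flow("tcp", "172.22.19.48", "172.25.30.15", 50000),
    Flow("udp", "172.22.19.100", "172.22.23.39", 53),
    Flow("tcp", "172.22.19.100", "172.22.23.39", 53),
]

if __name__ == "__main__":
    print("line 1 covers:",
          matching_hosts("172.22.19.48", "0.0.0.128", "172.22.19.0/24"))
    for f in SAMPLE_FLOWS:
        print(f, "->", evaluate(MULTIHOSTS, f))
```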



An Article on Transport Layer



JDSU HST-3000

Hey everyone, can someone please tell me where I can buy an LCD screen for a JDSU HST-3000? A customer drove his car over my tool bag and my JDSU was in it. Any help would be appreciated.



Are Ethernet speeds in gigabits/s or gibibits/s?

Various areas of computer science have different traditions on using base-2/1024 versus base-10/1000 prefixes when discussing speeds and capacities. Storage vendors always use base-10 SI gigabytes, but I don't remember the convention in networking, specifically Ethernet. Can someone please remind me whether gigabit Ethernet is actually 1000^3 bps or 1024^3 bps?



WaveVpn - Gamers/Business' Favorite! (Tunnel: Residential Client->OpenVpn->Residential Proxy)

WHY ARE WE THE BEST?

WaveVPN is a unique VPN that works for most, if not all, services that block IPs that are proxies/VPNs. We provide residential-IP-driven VPN connections, which means that when any website estimates whether your IP address is a proxy or not, it will automatically assume it's a home IP address.

https://u-nlimiteds.com/wave



Friday, April 17, 2020

First Career Core L2/L3 Network Replacement - Datacenter/Campus Shutdown and Startup

Hey All,

I'll be performing my first collapsed-core shutdown of my career. It's a hybrid campus and datacenter mix in a small/mid environment with a NetApp, UCS and VMware stack. I wanted to reach out to see what advice the community would recommend on things/issues to watch out for during a shutdown and start-up while replacing the L2/L3 core. Leaning on the experience of the community would really help me out a lot, especially while the network is so critical in the COVID-19 world we live in today.

I'm the only senior member of my team with the knowledge of all systems needed to perform this maintenance window, and I don't have a change control and/or peer review partner to lean on at the moment, with some of my team's head counts not being filled, which has put a lot of workload on me. To be honest, that has made me learn a lot, improving my storage, virtualization, networking, systems, and Ansible/automation skills to be able to support a datacenter/campus.

I'll be replacing a 6504 VSS stack and Nexus 5K distribution with Nexus 9Ks and reconnecting the access layer and datacenter (UCS and NetApp) port-channels. These 6504s have been running a bit too long :) with EoL next year, so I'm glad to replace them and get updated code. At the same time I'll be removing VTP from the switches and re-configuring the VLANs on the access layer (the exact same VLANs, trying to minimize changes).

My current plan is as follows, in a converged infrastructure in a non-certified "FlexPod":

  1. Make sure we have all documentation for IPAM, management addresses, and non-domain/Active Directory passwords in a location that is accessible while the network is in outage mode, and export the password vault system to an encrypted offline file along with all SSH private keys. In addition, also have TFTP copies of all startup/running configs for all Cisco devices, UCS, a VMware config export, an RVTools export, NetApp sysconfig, and Palo Alto firewall exports.
  2. Shut down all VMware-level VMs and domain controllers (hosting DNS, DHCP, and AD).
  3. Shut down the ESXi Cisco UCS hosts but leave the UCS/FIs running.
  4. Leave the NetApp cluster (A700 and FAS8200) running.
  5. Replace the core L2/L3 network with the new Nexus 9K with a logical migration of the configuration (which I'm most confident in, as most of my experience is in networking).
  6. Start up the ESXi hosts/blades via UCS FI management HTTPS once L2/L3 is back online; they mount NFSv3 to the NetApp datastores (which haven't been shut off).
  7. Connect to ESXi host management HTTPS and start up the domain controllers (bring up DNS, DHCP, and AD services) with the offline local ESXi admin/password.
  8. Once AD/DNS is running, bring up the rest of the environment/services and test everything with the whole team.

That's my rough/high-level playbook. I'll be labeling all fiber/Cat6 management/data ports ahead of time to make re-patching easy, fast, and stress free.

I have a couple of Fluke fiber cleaning kits for when I disconnect all the SMF/MMF fiber, and I have extra SMF/MMF patch cords and Cat6 Ethernet patch cords as well. At this point I feel like I'm ready and have nothing else to do, so I figured talking to the community would be the best course of action right now.

Extremely grateful for any feedback, insight, and advice on the plan I've laid out in advance, and for your experience doing similar work.



mpls-te on isis with Juniper

Working on understanding mpls-te

diagram: https://imgur.com/a/uHfqG5M

I want to use the red path as primary and my blue as backup.

Why has the blue path come up but red path stays down?

Relevant show commands:

show commands on r1: https://pastebin.com/03AipPrv

show commands r2,r4,r5,r7: https://pastebin.com/FTtawXUw

**diagram**

Each router has a loopback of itself, i.e. r1 = 1.1.1.1, r2 = 2.2.2.2, etc.

Running IS-IS everywhere. Yellow router = area 1 and green router = area 2.

Every device is configured as L1/L2.

Enabled RSVP on all links.

**troubleshooting**

Checked colors of all links - ok

Checked RSVP enabled on all links - ok

Shut down xe-0/0/0 on R4 and shut down xe-0/0/0 and xe-0/0/1 on R1 to force traffic to go from R1 to R4 > R5 > R7 - ok (i.e. traceroute works)



What purpose do extended vlans serve?

I'm not clear on why 1006-4094 exist, nor what makes them more special than VLANs 1-1001. The only explanation I found online is "They are mainly used in service provider networks to allow the provisioning of number of customers."

That doesn't make sense to me, because any service provider worth their salt has more than 4k customers, and managing 4k VLANs seems unruly.



VMWare Velocloud SDWAN

So I have a question for anyone who has worked (or not) on the configuration of edges for VMware VeloCloud. There are two options for configuring private DNS on the edge device. One is on the main configuration page that says DNS settings, and the other option is under Configure VLAN, when you enable DHCP. So I wanted to know: what's the difference between the two types of settings?

I have copied the link that shows the screenshot of both settings. Thanks

https://imgur.com/a/WQK5kPb



two ssp-40 in 5585-x - can not install ASA image

Hello, trying to get my super "cost-effective" FW HA setup up & running, but got stuck. I simply tried to boot into an ASA image from ROMMON using TFTP, and tried a whole bunch of images, i.e.:

asa9-12-3-9-smp-k8.bin

asa922-4-smp-k8.bin

asa964-36-smp-k8.bin

But each time I end up with:

Launching TFTP Image...Execute image at 0x14000
Cisco Security Appliance admin loader (3.0) #0: Mon Mar 16 18:31:24 PDT 2020
Platform F1-GENERIC
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! This is an ASA image and cannot be loaded on a PIX platform !!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Rebooting...

What am I doing wrong? Would really appreciate any direction...



Network Monitoring Infrastructure

I am part of a team managing around 230 sites, and the whole infra is Cisco. We are already using IBM Tivoli NCCM for managing the configuration of network devices. We have a Zabbix agent-based real-time monitoring framework developed in house. We have almost all steps filled except for anything in the automation domain, and management is harping on us to get something. The network is still managed via CLI and we have SDN on our roadmap: DC first, then WAN and sites.

I wanted to know the latest monitoring technologies or network management suites which will increase my visibility. I am mainly looking for: 1. Increased visibility. 2. Better troubleshooting help, since almost all of it is manual. 3. Better linking between layers 3/4 and the application layer.

Any product or links will be appreciated.



DELL 5500 series, best budget switch for homelab?

I recently acquired a Dell R720 and as a result have to upgrade my network. After doing some research on this sub as well as r/homelab, I keep getting recommended the Dell 5500 series (5524, 5548). I'm wondering if the 5500 series has any other competition at this price range. Some key advantages that I've seen for the 5500 are the price as well as the SFP+ ports.

Datasheet for reference: https://www.dell.com/downloads/global/products/pwcnt/en/powerconnect-5500-series-spec.pdf



Interface Error issue

Hello folks, I ran into a strange issue today. The interface connected to my WLC shows the error below. Can somebody please help with what this error means and how to act on it?

%SPANTREE-7-PORTDEL_SUCCESS: Interface gi1/0/3 deleted from vlan 92,142, 231

Note: This is a trunk interface, and spanning-tree PortFast has been enabled on this port.



Simulating a crappy network for benchmarking - Need second opinion on my benchmark-setup

TL;DR: Dev, not an expert in networking. Trying to simulate a really bad WAN connection for benchmarking. I came up with a way to do it but am not completely sure about it. Please help me verify that my setup makes sense. I am afraid my benchmarking results won't be meaningful at all if I make any mistake at this stage.

 

Hello fellow redditors,

I am a developer trying to create an application that should work well even under bad WAN conditions (high latency, potentially high loss, maybe over VPN, ...). To verify that my application works well enough, I tried to build a testing environment where I can simulate different network conditions.

 

I read a lot of blog posts on how to do this under Linux. I found out that Linux already has a lot of the tools needed on board (tc and netem). I came up with a setup that consists of three Ubuntu VMs (server, client and router) and two virtual networks between them. I tried to make a drawing (benchmark-arcitecture.png) to make my setup clearer for you. I configured the router VM to IP-forward so client and server can reach each other. To then simulate the network latency/loss/bandwidth, I created the script below, which is executed on the router Ubuntu VM.

#!/bin/bash
# Impairment parameters applied to both router interfaces
LATENCY="50ms"
JITTER="10ms"
JITTER_CORRELATION="25%"
LOSS="0.1%"
LOSS_CORRELATION="25%"
RATE="10mbit"
# Remove any previous root qdisc on each interface
sudo tc qdisc del dev enp0s3 root
sudo tc qdisc del dev enp0s8 root
# Install netem as the root qdisc on each interface (applies to egress traffic)
sudo tc qdisc add dev enp0s3 root handle 1: netem delay $LATENCY $JITTER $JITTER_CORRELATION distribution normal loss $LOSS $LOSS_CORRELATION rate $RATE
sudo tc qdisc add dev enp0s8 root handle 1: netem delay $LATENCY $JITTER $JITTER_CORRELATION distribution normal loss $LOSS $LOSS_CORRELATION rate $RATE

The things I am most unsure about in this setup are the two tc commands. I put them together from different things I read in several blog posts. With some trial and error I got it all to work. Now I am somewhat afraid that I made some mistake in this setup that would later cause all my benchmarking results to be not meaningful at all.

 

Now here are my questions:

  1. Is it really true that I need the tc/netem command on both network interfaces (because they only apply to outgoing packets)? I am afraid of accidentally adding twice as much network crappiness as I intend in this way.

  2. Do you think that this approach can work / is any good at simulating realistic bad network conditions?

  3. Do you maybe know a better solution for simulating bad WAN conditions?

  4. I already used ping, tracepath and iperf3 to try to verify that the connection actually behaves as I am expecting. Do you have any other suggestions for how I could verify that my network simulator behaves in a realistic way?

  5. A little bit off the original topic: what do you think would be some really bad (but still realistic) network conditions (latency/jitter/loss/bandwidth) that I should be using for my testing?

Of course any other suggestions on that topic are very welcome.

 

Thank you :)
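To answer questions 1 and 4 with numbers, here is an offline model of the two egress netem qdiscs on the router VM; it is an added example, not the post's script. It walks an echo request through the server-facing qdisc and the reply through the client-facing one, so each direction is impaired exactly once (RTT is about 2 x 50 ms, not 4 x). It also reproduces netem's blended-random correlation, which is why the measured loss with a 25% loss correlation comes out far below the nominal 0.1% per direction (the tc-netem man page deprecates loss correlation for this reason), a good thing to confirm with ping before trusting the benchmark.

```python
"""Offline model of the router VM's two netem egress qdiscs (constructed
example, not the post's script). It predicts what ping through the simulator
should report so the real measurements can be sanity-checked."""
import random
from dataclasses import dataclass
from statistics import NormalDist

_NORMAL = NormalDist()


@dataclass(frozen=True)
class NetemParams:
    """Mirrors the variables in the posted tc script (ms, fractions, bit/s)."""
    latency_ms: float = 50.0
    jitter_ms: float = 10.0
    jitter_corr: float = 0.25
    loss: float = 0.001
    loss_corr: float = 0.25
    rate_bps: int = 10_000_000


class CorrelatedUniform:
    """netem-style correlated random value: each draw is a blend of a fresh
    uniform value and the previous draw, weighted by the correlation."""

    def __init__(self, rho, rng):
        self.rho, self.rng, self.last = rho, rng, rng.random()

    def draw(self):
        value = self.rng.random()
        if self.rho > 0:
            value = value * (1.0 - self.rho) + self.last * self.rho
            self.last = value
        return value


class NetemEgress:
    """One 'netem delay ... distribution normal loss ... rate ...' qdisc.
    Queueing behind the rate limiter is not modelled, only serialisation."""

    def __init__(self, p, rng):
        self.p = p
        self.delay_rnd = CorrelatedUniform(p.jitter_corr, rng)
        self.loss_rnd = CorrelatedUniform(p.loss_corr, rng)

    def transmit(self, size_bytes):
        """One-way delay in ms for a packet, or None if netem dropped it."""
        if self.loss_rnd.draw() < self.p.loss:
            return None
        # 'distribution normal' maps the (possibly correlated) uniform draw
        # through a normal table; inv_cdf is the continuous equivalent.
        u = min(max(self.delay_rnd.draw(), 1e-9), 1.0 - 1e-9)
        delay = self.p.latency_ms + self.p.jitter_ms * _NORMAL.inv_cdf(u)
        serialisation = size_bytes * 8 / self.p.rate_bps * 1000.0
        return max(0.0, delay) + serialisation


def simulate_ping(count, params=NetemParams(), size_bytes=64, seed=1):
    """Echo request client->router->server and reply back. The request is
    shaped once (server-facing egress), the reply once (client-facing egress),
    so each direction sees the configured delay and loss exactly once."""
    rng = random.Random(seed)
    to_server, to_client = NetemEgress(params, rng), NetemEgress(params, rng)
    rtts, lost = [], 0
    for _ in range(count):
        out = to_server.transmit(size_bytes)
        back = to_client.transmit(size_bytes) if out is not None else None
        if back is None:
            lost += 1
        else:
            rtts.append(out + back)
    return {"sent": count, "lost": lost, "loss_fraction": lost / count,
            "mean_rtt_ms": sum(rtts) / len(rtts) if rtts else None}


def nominal_round_trip(params=NetemParams(), size_bytes=64):
    """What the numbers in the script promise for two impaired directions."""
    return {"mean_rtt_ms": 2 * (params.latency_ms
                                + size_bytes * 8 / params.rate_bps * 1000.0),
            "loss_fraction": 1.0 - (1.0 - params.loss) ** 2}


if __name__ == "__main__":
    print("nominal       :", nominal_round_trip())
    print("as posted     :", simulate_ping(20000))
    print("loss corr = 0%:", simulate_ping(20000, NetemParams(loss_corr=0.0)))
```

Comparing the two simulated runs against a real ping through the router VM tells you whether the loss you configured is the loss you are actually benchmarking under.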



Cisco nexus CRC error on interface

Folks,

Image - https://imgur.com/a/lFq5nmq

I have a dual-stack vPC setup between 4 Cisco Nexus switches as per the above design. I have noticed recently that I'm getting CRC errors on all 4 interfaces of the Cisco 3064 connected to the N9K, and during peak traffic time I get more CRC errors. These errors are not very high; per minute I would say 1 or 2 errors randomly popping up on those 4 interfaces. I know CRC has a direct connection with Layer 1 (cable, port, etc.), but in my case how is it possible that both switches and all 4 interfaces are throwing CRCs?

After clear counters:

# show interface e1/51-52 counters errors
--------------------------------------------------------------------------------
Port          Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize OutDiscards
--------------------------------------------------------------------------------
Eth1/51               0         12          0         12          0           0
Eth1/52               0         20          0         20          0           0
--------------------------------------------------------------------------------
Port         Single-Col  Multi-Col   Late-Col  Exces-Col  Carri-Sen      Runts
--------------------------------------------------------------------------------
Eth1/51               0          0          0          0          0          0
Eth1/52               0          0          0          0          0          0
--------------------------------------------------------------------------------
Port          Giants SQETest-Err Deferred-Tx IntMacTx-Er IntMacRx-Er Symbol-Err
--------------------------------------------------------------------------------
Eth1/51            0          --           0           0           0          0
Eth1/52            0          --           0           0           0          0

Interface config:

interface Ethernet1/51
  description *** vPC trunk to N9K ***
  switchport mode trunk
  switchport trunk allowed vlan 10-12,20-22,27-32,39-40,50,100,200,300
  speed 40000
  channel-group 3 mode active
interface Ethernet1/52
  description *** vPC trunk to N9K ***
  switchport mode trunk
  switchport trunk allowed vlan 10-12,20-22,27-32,39-40,50,100,200,300
  speed 40000
  channel-group 3 mode active

What else could be wrong here? My peak traffic usage on these switches is around 10 to 20 Gbps.

If you look at the screenshot, you will notice a sine wave between e1/51 and e1/52: in the day e1/51 has more CRC errors and at night e1/52 has more errors, which doesn't make sense to me.



Cisco Nexus 9k - ARP flood every 60 seconds

Let me preface this by saying I am not a network engineer, but I play one at work because that's how it goes. I inherited this environment, there were some extremely bad choices made in the past (they created loops, large subnets [/23]).

We had seen a lot of broadcast traffic coming over a link from our old DR location; there is a MAN between it and the primary. They had not limited the ports to the VLAN chosen to link the two, so each side (due to, again, the bad choice of using the same VLAN numbering) could pass broadcast traffic to the other. Once the ports were configured to allow only that VLAN, broadcast traffic stopped on that link and my primary site calmed down quite a bit.

So here is my question:

At the "DR" site I am seeing ARP floods about every 60 seconds. Wireshark indicates these are all from the Cisco Nexus 9K (9396PX). Can anyone think of why the Nexus would be doing this at that interval? I have searched and scoured forums looking for what this could be, but due to my own ignorance (I am learning...) I am sure there is something I am missing.

Could it be the ARP cache aging timeout?

Thanks to anyone who spends a few seconds on this, I appreciate it!

Edit:

ARP timeouts are default, 1500 seconds (25 minutes).



My banter of the day. Upgrading Cisco Nexus switch.

Hi all,

I would like to share with you the adventure I have had over the last 3 weeks in my attempt to perform a firmware upgrade on a pair of Nexus 5596UP switches.

Background: We have 2 Nexus 5596UP switches with an L3 card installed and multiple vPCs going through them. No FEX devices, but 3750s are hanging off those switches, among other things.

Those switches run EIGRP, BGP, IPv6, PIM, and MSDP, to name a few. They had around ~650 days of uptime and they are both complaining about TCAM exhaustion, among other things. Anyway, we hit a bug that would not prepend AS paths when being redistributed via BGP, so I thought I would take the challenge to upgrade them.

I write the change, I take a show run, ver, spanning-tree, vpc, license, arp, arp for all VRFs, ip route, ip route for all VRFs, and begin to upgrade switch 2.

I issue the command "install all kickstart bootflash:///kickstart-whatever.bin system bootflash:///whatever.bin" <cr>

It does the calculations, tells me that I am running Layer 3 services and therefore downtime HAS to happen, and I press "y". The switch initiates a reboot. Note that I was doing that remotely, via a remote console server.

I can see in the console that the reboot process has started, and then nothing. I wait 5-10-15 minutes and there is no output from the console. I then decided to physically visit the DC.

Entering the comms room, I can see that the switch is powered on, but no LEDs are blinking besides the PSU and STAT. No console output. After a couple of power cycles, I called Cisco to raise a P1 case. While waiting for the case to be created, I searched on my phone for "Cisco Nexus not booting".

I came up with FN 64094 - Nexus 5596/UCS FI 6296 - System Fails to Boot After a Power Cycle - Workaround Provided
https://www.cisco.com/c/en/us/support/docs/field-notices/640/fn64094.html

I was thinking "sh*t".

TAC entered the WebEx chat and asked me to provide console output. I said there is none; I have already power cycled twice with no luck. I then pasted the FN URL in the chat. The engineer responds with something like:

"Please give me a minute to read this"

3 minutes later:

"I will send an RMA unit."

Note that this was a Saturday in a COVID-19 lockdown! Although a bit stressed, this was the most exciting thing that had happened to me in days! I arranged things with the courier and the DC provider, and the device came. I then unboxed it, put the current firmware on it, tried to copy the whole config (note that this does not work and manual intervention is required), and noticed that we are missing features due to licensing.

I then decide to label all switchports with the label printer. Power down the faulty switch. Figure out how to unrack that beast; remove the ears from the broken one, put them on the RMA, rack the RMA, plug all the cables in and power it on. Note that all ports are currently in shut state because the config is not fully applied yet.

I store the old switch in the racks somewhere, but I could not keep the box since we do not have a cage in that DC, and all the ops had left (it was 22:00 local time). So I put it in a corner somewhere, hoping they do not dispose of it.

The next day I report that to my line manager and explain that I need the license to be installed before finishing the config. The license came, I installed it, finished copying and verifying the config, and I go physically to the DC. I get there, I do a "no shut" on all the ports, and so far so good!

The next morning I get some email alerts showing that the switch has crashed overnight due to:

Reason: Reset performed due to component Error

System version: 7.3(3)N1(1)

Service: SUNNYVALE ASIC FAILURE

Sent the tech-support output to Cisco, which then dispatched another RMA. Note that this was during the Easter weekend; the device was supposed to be sent on Thursday afternoon, but came Monday at around 21:00. So I raised another emergency change to swap the RMA with another RMA switch.

I am now at the same place I was before the upgrade. I am in the process of raising a change to preemptively patch Switch1 so it does not hit that field notice. After that I will be able to successfully upgrade the 2 switches.

TL;DR: I tried to upgrade the firmware on a Nexus switch, the device crashed, Cisco sent an RMA which crashed the next day, and they sent an RMA for their RMA.



Move from Enterprise Networking to ISP - Senior Level

Was wondering if anyone had managed to move from enterprise networking to an ISP later in their career? I've got about 15 years' experience, a CCIE, and various other Cisco and non-Cisco qualifications.

I did work for a large ISP about 10 years ago, but due to the job market where I lived, the only options to advance were enterprise. I now work in a TDA/pre-sales/consultant type role for a small consultancy, who are a good employer; however, I really want to move back into ISP type stuff as I find it more interesting, and I am a bit tired of dealing with customers with the same problems over and over.

I've since moved, and where I live now there are a few ISPs, and I have applied to roles similar to the one I have now, but I don't even get a response. I'm assuming this is mainly due to my experience being so Cisco- and enterprise-centric, even though I do have ISP experience from earlier in my career.

Thanks!



Site-to-site VPN between firewall and Windows Server

Hi everybody,

I'm responsible for the IT of an SMB with 10 end users and am currently planning how to get rid of our on-prem server. There's nothing too fancy on there, so I intend to migrate to M365 Business for AD, file server, Exchange, etc.

However, we're using a small ERP system (Windows software that needs a MySQL database) which can be moved to "the cloud", and I'm not sure how to handle it. I figure that I'd need a site-to-site VPN (that's also what the OEM told me), but the issue I see is that we have a hardware firewall at our site but not at the datacenter where the cloud/virtual server would be located.

What would be the simplest/most straightforward solution to get this working? I know about virtual firewalls, but this comes with subscription costs and the need for virtualization. I found some articles describing how to make it work using only Windows Server, but I'm not sure if/how this would really work. I'm also open as to which hosting provider to use (I know Azure offers a site-to-site solution, but I just can't figure out what the whole Azure solution would cost us) if there's someone offering this from the get-go.

As you probably figured out, I'm not a pro and will surely talk to my IT shop about how to approach this. I just wanted to know beforehand if moving our ERP system to the cloud would be a viable option at all.



DIA Tracking

Hi all

We are considering moving to an SD-WAN solution, with DIA as one of the parameters.

Internally we are reviewing the RFP responses we received, and we are considering some vendors to invite: Cisco, Nuage, Velocloud.

What I have not been able to find out is whether Nuage supports DIA tracking. They support DIA for sure, but I am not aware of tracking.



SNMP trap for SIP Options.... is it do-able?

Hi all,

When a SIP endpoint is monitored with SIP OPTIONS, is there a way to monitor when these endpoints stop responding (i.e. are down) on any equipment?

I can see it in syslog, but I would like an SNMP trap (or something along those lines) to trigger an alarm when the endpoint goes down.

But I am guessing this would mean user-editable OIDs being available on the equipment?

What are the options for monitoring this, or would it be better to catch the syslog message with some C&M software?



Help with a portable, self-contained network.

Hi all.

This may come across as a very dumb question, but while I understand basic networking, I'm not sure of best practice for this scenario.

During the coronavirus chaos, I've put together a small live-streaming video rig, and I intend to start offering my services to groups, clubs, churches, businesses, sports teams, etc. who can't currently hold meetings and events due to the lockdown.

In my system I have 2 devices, a video switcher and an H.264 encoder, both with static IPs so I can access their control settings easily. I also have a laptop with a static IP, and this all works great on my home network.

What I want to do is take this gear out, and plug into any old ethernet port in an office, church or building that has internet - and have everything work.

So I need the WAN interface to receive an IP over DHCP, translate that into the range of my fixed IPs, and hand out DHCP addresses in the LAN range to my laptop and anything else I plug into my system.

Is this a 'best practice' way to set something like this up, or am I completely wrong? What kind of router or managed switch do I need to set this up? I was looking into a Ubiquiti EdgeRouter; will that be OK?



Thursday, April 16, 2020

Man-in-the-middle'd by my marketing firm?

Okay, so a little backstory: I started having some intermittent issues contacting my domain controller. Lots of machines losing their connectivity, logins failing, dropped connections to the file share, etc. One machine went down completely. I set to troubleshooting. We'll call my domain contoso, for the sake of readability, and I'm sure you've all heard the reference.

So, I start running tracerts and pings, just establishing a baseline for my network, which is admittedly janky as a fox, but that's a different (albeit embarrassing) post.

Everything seems to be resolving, IPs are coming back with replies, etc. Then someone suggests I try nslookup on Amazon, just for kicks. I get a reply, but it isn't what I expected.

"amazon.com.contoso.com" and an IP that is most definitely not Amazon. I check into it with Firefox, and look at the cert, and it comes back to my media company; let's call them Citycenter.

What happened here? Did they likely do a web crawl, find my name and address as the domain registrant, realize it belonged to us, and stick it under their umbrella? Could that be causing my issues? I have machines on my net that return DC.contoso.com as the same funky address as the Amazon lookup. Is that my connectivity issue? I just don't know. The issue is super intermittent, and sometimes the machines work fine; other times I lose my domain trust relationship, but it's hard to see, since my users sit at their desks and run on cached profiles.

For reference, my net is basically all my machines, DC included, tied into a dumb switch, which is tied into my router. Incidentally, wireless connections to the router are not capable of connecting to the domain, guest network or otherwise - but I suspect that's a misconfig on my part I'll address in another post.

Is this my media company's problem? We have our outward web domain, which they manage, so I don't know why they pulled this under their umbrella. But it's an annoyance, and they're telling me that they may not be able to fix it right away, all things considered. What can I do?



Broken Multicast or Service Discovery Issue

Hi Guys,

I'm hoping you can shed some light on an issue that I'm trying to get closure on. I design and install custom home and business automation systems. RTI is my product of choice; it interfaces with various touchpads, handheld remotes, and of course an app.

A command processor is central to all of the devices in the system. This works great with only certain routers. We normally use Ubiquiti and Luxul products, and it's smooth sailing, so we mostly stick to this every chance we get. But sometimes in corporate environments they don't want our equipment on their network for security. In this case, we just need a basic router to handle a few devices.

I believe RTI hardware and the app rely on a broadcast from the command processor in order to "locate" and communicate. Wireshark shows very regular broadcasts every second or two from the processor. This will work for a few hours, between 2 and 12 hrs, without issue. Then it just disconnects and the only fix is to reboot the processor, and the cycle repeats: some random period later, it's lost again. This happens for sure on Netgear, Linksys, and of course the crap the cable company hands out.

RTI has some pretty smart people on its team; they only use Luxul, and that's as much info as they can give on the subject of networking, unfortunately.

Bottom line, I'm curious what the deal is with this! It bothers me that the reason has not surfaced over the 8 years of working with this line of products. Can broadcast and multicast break, or can some service discovery be ignored, on certain routers?

Your help is greatly appreciated, I've been thinking about asking the real experts here for quite some time. I know you'll have something good on this topic!



Any way to extract sip password from a Huawei Router?

Hello,

I have an HG8145V5 router which has a SIP client built in. The ISP sends voice traffic on VLAN 660. I downloaded the config file and can see the following clause:

<SIP AuthUserName="11112345678@sbc.com" AuthPassword="$3mYnQLbLsQ-2z|c&amp;=hKV=AE.\PxA4lZ&amp;a\DOV1F.$$" URI="11112345678@sbc.com"> <X_HW_Digitmap DMName="" DigitMap="" DigitMapStartTimer="20" DigitMapShortTimer="5" DigitMapLongTimer="10"/> </SIP> 

I am guessing the password is hashed. Is there any way to get the actual password, or to use this hashed password with a SIP client?



I know what the X.x.x.0/24 IP space is; can anyone explain what X.x.x.1/24 or X.x.x.2/24 is? Which addresses can be used?

How to setup a wireless network without internet for people within an apartment building?

Hi, is it possible to set up a wireless network WITHOUT internet for people to communicate with smartphones connected to the network via a basic router?

There aren't many people with internet in my building, and with social distancing requirements it is difficult for them. Some of them don't even have phone service. Can I take a basic router and set it up so folks can talk or message each other with certain smartphone apps? I would not be able to leave a computer connected to it, but I have a computer to use to set it up.

And what kind of router would be necessary?

I have tried a basic internet search

Thanks!



VOIP Reg issues

I am lost right now and need some help. We recently upgraded AT&T from 20 meg to 150, and they came out, installed the same model router and ran a new line to it. During the turn-up we moved our Cisco router to the new AT&T router and data was fine, but our VoIP phones were instantly lost. Getting error 480 Temporarily Unavailable followed by an ICMP error. Of course AT&T is saying nothing changed from the last router to the new one. OnSIP, our VoIP provider, was not able to help find the root cause either. Any ideas where to look while I'm waiting for some sort of response from AT&T would be very much appreciated and helpful.



Cat6a Cable

Okay...so I need bulk cat6a cable. Monoprice has 1000 ft. of purple cat6a for $145. I hate purple...but it’s a great price! Would you do it...or hold out for a common color like blue? Anyone know of a better place to get a good deal? I know...I’m a cable color snob.😂

Monoprice cat6a cable



What's the best way to direct certain devices on my network through VPN?

Hi all. I currently have an eero network at home and I'm running piHole as a DNS server. I'm interested in building a VPN gateway with RPi, but I'd like to be able to point devices to it on the fly without having to mess with too many settings. Ideally, it would be awesome if I could assign profiles to my devices at the router level. One for VPN and one to bypass. That way if I wanted to switch profiles on the fly, it would be simple to do.



Why are there collision domains on 10BaseT Ethernet cables when using a hub?

I'm not sure why there are collisions if the first 2 wires on the 8P8C crimp send data and the 3rd and 6th wires receive data. Why would receiving and transmitting at the same time cause a collision if there are separate wires for those respective purposes?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC.



What's the deal with windows server 2019? Are they pushing everyone to linux?

I tried the shitty "FOD" free trial joke, pretty much unusable for a single off install, it looks like they want everyone on the cloud or expect you're enterprise. All I want is a single god damn copy of windows gui on a server. Guess I have to get Windows 10?



Why is the DHCP offer not a known unicast?

I understand that a DHCP Discover is sent as a broadcast since the requesting client doesn't know any info about the DHCP server. However, I wonder why the DHCP Offer is sent to MAC FFFF.FFFF.FFFF when the frame with the DHCP Discover message includes the MAC of the requesting client and it could be used as the destination MAC for the DHCP Offer.

I did test this behavior using Packet Tracer, and it looks to me like it would be more efficient if only the DHCP Discover were sent as a flooded frame. Am I understanding correctly? Is there any technical reason for this behavior?

https://www.netmanias.com/en/post/techdocs/5998/dhcp-network-protocol/understanding-the-basic-operations-of-dhcp

P.S. This is a personal educational question, not a college or exam question. I did research before posting but I haven't been able to find a definitive answer.
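As an added worked example (not part of the original post), here is the RFC 2131 section 4.1 rule a server applies when choosing where to send the DHCPOFFER, in Python: the client's MAC is always known from chaddr, but whether the offer is unicast to it depends on the broadcast (B) bit the client itself set in the flags field, on giaddr (relay) and on ciaddr. The DHCPDISCOVER packets are constructed inline rather than captured.

```python
import socket
import struct

# Fixed part of the DHCP message (RFC 2131 figure 1): 236 bytes, then the magic cookie.
DHCP_FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BROADCAST_FLAG = 0x8000  # the B bit in the 'flags' field (RFC 2131 figure 2)
BOOTREQUEST = 1


def build_discover(xid, mac, broadcast, giaddr="0.0.0.0"):
    """Construct a minimal DHCPDISCOVER (a constructed sample, not a capture).

    ciaddr/yiaddr/siaddr are zero because the client has no address yet;
    giaddr is non-zero only when a relay agent forwarded the packet.
    """
    flags = BROADCAST_FLAG if broadcast else 0
    zero = socket.inet_aton("0.0.0.0")
    fixed = DHCP_FIXED.pack(
        BOOTREQUEST, 1, 6, 0, xid, 0, flags,
        zero, zero, zero, socket.inet_aton(giaddr),
        mac.ljust(16, b"\x00"),  # chaddr is padded to 16 bytes
        b"\x00" * 64, b"\x00" * 128,
    )
    options = b"\x35\x01\x01\xff"  # option 53 (message type) = 1 DISCOVER, then END
    return fixed + MAGIC_COOKIE + options


def parse_header(packet):
    """Pull out the fields a server needs to decide how to address its reply."""
    size = DHCP_FIXED.size
    if len(packet) < size + 4 or packet[size:size + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, _hops, xid, _secs, flags,
     ciaddr, _yiaddr, _siaddr, giaddr, chaddr, _sname, _file) = DHCP_FIXED.unpack_from(packet)
    return {
        "op": op,
        "xid": xid,
        "broadcast_bit": bool(flags & BROADCAST_FLAG),
        "ciaddr": socket.inet_ntoa(ciaddr),
        "giaddr": socket.inet_ntoa(giaddr),
        "chaddr": chaddr[:hlen].hex(":"),
    }


def offer_destination(discover, yiaddr):
    """Where a server sends the DHCPOFFER, following RFC 2131 section 4.1.

    Returns (kind, destination IP, destination MAC or None for relayed replies).
    """
    hdr = parse_header(discover)
    if hdr["giaddr"] != "0.0.0.0":
        # Relayed: reply to the relay agent, which re-addresses it on the client LAN.
        return ("unicast", hdr["giaddr"], None)
    if hdr["ciaddr"] != "0.0.0.0":
        # Client already holds an address it can receive on (renew/rebind cases).
        return ("unicast", hdr["ciaddr"], hdr["chaddr"])
    if hdr["broadcast_bit"]:
        # Client declared it cannot receive unicast IP before it has an address.
        return ("broadcast", "255.255.255.255", "ff:ff:ff:ff:ff:ff")
    # B bit clear: the server may unicast to yiaddr using the MAC from chaddr.
    return ("unicast", yiaddr, hdr["chaddr"])


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")  # constructed client MAC
    for flag in (True, False):
        print("B bit", flag, "->", offer_destination(build_discover(1, mac, flag), "192.0.2.10"))
```

Whether a given client sets the B bit is an implementation choice (some IP stacks cannot receive a unicast datagram addressed to an IP they do not yet hold), which is why captures show a mix of broadcast and unicast offers.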



Need some direction!

So my job is a little mom and pop setup for a nonprofit. Recently I noticed that I was having issues with RDP into some of our end users connected to WAPs. ICMP to these devices sends back destination unreachable.

The issue seems intermittent. My colleague may be able to ping a device(both by IP and FQDN) and I won’t be able to. Both my workstation and his are connected to the same switch. If I bring my laptop over to the other building(still not on the same WAP but in the same building), I’ll be able to ping those devices I couldn’t in my office, but I suddenly won’t be able to ping devices that I could from my office. The next day I could come in and be able to ping devices I couldn’t the previous day.

It’s insane and I’m having a hard time finding any rhyme or reason to it. I’ve run NMAP scans and found open TCP ports for RDP, RDP is enabled on the workstation, no local domain firewall rules blocking this traffic(that I can tell anyway) and no firewall ACLs. I feel stuck. I checked for collisions at L2 and not seeing anything that’s jumping out as either.

I feel dumb....



basic question about CRC and Tcp checksums

This is just a noob question, but I can't find the answer anywhere.

I don't understand how TCP/IP packets can be ensured against corruption with just a 16-bit checksum. Hypothetically this should miss 1 in 16000 errors, which isn't much. The reading I have found on the internet says that the Ethernet frame has 32-bit CRC error checking, which is supposed to mitigate this problem, but my understanding is the Ethernet frame is stripped before sending over the internet, which would mean the CRC check doesn't help with any errors accumulated during the transport of the packet over the internet.

Can someone tell me what I am not understanding please?

I need to create a simple messaging program that is guaranteed to be error free, and I am just wondering if I need to create my own checksums for all the data sent over TCP/IP, or if TCP/IP can be trusted to be secure?

Thanks.
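An added example (not from the original post) that makes the difference concrete in Python: the RFC 1071 ones'-complement checksum used by TCP next to the CRC-32 used for the Ethernet FCS, two constructed corruption patterns that the 16-bit checksum cannot see at all, and an HMAC to show what "guaranteed against modification" actually requires. The sample segment and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
import zlib


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum carried in the IPv4, TCP and UDP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ethernet_fcs(data: bytes) -> int:
    """CRC-32 as used for the Ethernet frame check sequence (checked hop by hop only)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def _words(data: bytes) -> list:
    return list(struct.unpack("!%dH" % (len(data) // 2), data))


def _pack(words) -> bytes:
    return struct.pack("!%dH" % len(words), *words)


def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Corruption that exchanges two aligned 16-bit words: the sum is commutative,
    so the checksum is identical even though the bytes are not."""
    w = _words(data)
    w[i], w[j] = w[j], w[i]
    return _pack(w)


def compensating_flips(data: bytes, i: int, j: int) -> bytes:
    """Flip one bit position in two words where it is 0 in one and 1 in the other:
    one word gains 2**k, the other loses 2**k, so the sum (and checksum) is unchanged."""
    w = _words(data)
    diff = w[i] ^ w[j]
    if diff == 0:
        raise ValueError("words are identical; no compensating pair exists")
    mask = 1 << (diff.bit_length() - 1)  # highest bit position that differs
    w[i] ^= mask
    w[j] ^= mask
    return _pack(w)


def detected(check, original: bytes, corrupted: bytes) -> bool:
    """True if the integrity value changes, i.e. the receiver would notice."""
    return check(original) != check(corrupted)


# Integrity against a deliberate change needs a key, not a checksum: anyone who
# rewrites the segment can recompute a checksum or CRC, but cannot forge the
# HMAC without the key. The key here is constructed; a real protocol derives it
# from a key exchange.
DEMO_KEY = b"constructed demo key"


def authenticate(data: bytes) -> bytes:
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(authenticate(data), tag)


# Constructed 40-byte sample payload (even length keeps the word arithmetic simple).
SEGMENT = b"constructed sample segment payload 01234"


if __name__ == "__main__":
    for name, corrupt in (("swapped words", swap_words(SEGMENT, 0, 1)),
                          ("compensating flips", compensating_flips(SEGMENT, 0, 1))):
        print(name, "checksum catches it:", detected(internet_checksum, SEGMENT, corrupt),
              "CRC-32 catches it:", detected(ethernet_fcs, SEGMENT, corrupt))
```

Note that the CRC only covers each Ethernet hop, so the patterns above are exactly the kind of corruption introduced inside a router or a NIC that TCP will pass through; application-level integrity is still your job.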



Activating Multiple IPS rules in SRX

Hello,

There is a limitation with SRX IPS rules that we can't activate more than one. This means we are forced to use the same IPS rule in all our Security policies. Did anybody overcome this problem with any kind of workaround?

It's totally logical to have different IPS rules for servers and clients and zones.



Anyone know of any open source heat mapping software that is free?

Basically my company will only let us use VisualRF (because it's free) for heat mapping, and it's kind of dead.

I was trying to look around and see if there were any other alternatives, but I tried a couple and they just weren't as feature rich as VisualRF.

Any help would be great.



Can sFlow monitor VOIP? (I'm guessing no.)

Hi Network Admins,

Does anyone know if sFlow can be used to monitor VOIP?

Here’s why I ask, and why I think the answer to my question will be “No.” I’ve recently spun up an instance of vFlow, Verizon Digital’s Dockerized sFlow Docker collector. The image works great, and I highly recommend it. My boss likes it too, and asked me to think about if we might be able to use vFlow to monitor VOIP calls.

Here’s everything I know about VOIP:

  • VOIP uses two protocols: SIP is used for signaling, RTP is used to carry actual voice data.
  • When a VOIP call is initiated between two peers, those peers negotiate using SIP (UDP 5060). In one of those initial “handshake” packets, the peers will communicate, “You send RTP on UDP 12345, I’ll send RTP back on UDP 12346.”
  • Once that step is completed, all RTP packets for the duration of the call will use only those agreed-upon UDP ports.
  • After the call is completed, there is a quick tear-down process, also managed via SIP.

Okay, now imagine Peers A and B are initiating a VOIP call over my sFlow-enabled network. Here’s what I think happens:

  1. Via SIP, peers A and B agree that A will use RTP on UDP 12345 and B will use RTP on UDP 12346.
  2. However, sFlow does NOT sample that key SIP packet containing the previous information.
  3. A and B begin their VOIP call and begin transferring a lot of RTP data.
  4. sFlow reports a lot of traffic on UDP 12345 and 12346. However, there is no way for sFlow to realize this is VOIP traffic.

Because of the nature of random packet sampling, I’m guessing the above scenario happens almost constantly. To see a batch of traffic on UDP 12345 and 12346 and then know for sure that that traffic is VOIP, sFlow would need to sample the SIP packet listing the agreed-upon ports, and the SIP packets used to teardown the call later. What are the odds that those SIP packets will be sampled for every VOIP call? Practically nil.

I did a bit of Google searching for “sFlow VOIP” but all I seem to find are ad websites for professional sFlow products and academic papers. I’m guessing that this means garden-variety sFlow simply can’t monitor VOIP, for the reasons I’ve listed above.

Does anyone know if I am correct? I would love any thoughts or advice on this. Thank you!
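The sampling argument in the post, worked through as an added example in Python (not the poster's code, and not vFlow's): a constructed call model with a few SIP packets carrying the SDP port offer and a long RTP stream, 1-in-N random sampling as an sFlow agent does it, a collector-side labeller that can only call a port "RTP" if the SDP naming it was itself sampled, and the closed-form probability for comparison. Port numbers, packet rate and call length are assumptions.

```python
import random

SIP_PORT = 5060


def make_call(rtp_port_a, rtp_port_b, seconds, pps=50):
    """Constructed packet stream for one call: SIP packets carrying the SDP port
    offer, RTP at `pps` packets per second each way (20 ms ptime), SIP teardown.
    Each packet is (udp_port, sdp_ports_or_None)."""
    sdp = frozenset((rtp_port_a, rtp_port_b))
    packets = [(SIP_PORT, sdp)] * 4  # INVITE / 200 OK carry SDP; modelled as 4 packets
    for _ in range(seconds * pps):
        packets.append((rtp_port_a, None))
        packets.append((rtp_port_b, None))
    packets += [(SIP_PORT, None)] * 2  # BYE / 200 OK teardown, no SDP
    return packets


def sflow_sample(packets, rate, rng):
    """1-in-`rate` random packet sampling, which is what an sFlow agent exports."""
    return [p for p in packets if rng.random() < 1.0 / rate]


def classify(samples):
    """Label the ports seen in the samples the way a collector could: a port is
    attributable to RTP only if a sampled SIP packet carried the SDP naming it."""
    advertised = set()
    for port, sdp in samples:
        if port == SIP_PORT and sdp:
            advertised |= sdp
    labels = {}
    for port, _sdp in samples:
        if port == SIP_PORT:
            labels[port] = "sip"
        elif port in advertised:
            labels[port] = "rtp"
        else:
            labels[port] = "unknown udp"
    return labels


def p_sdp_sampled(sdp_packets, rate):
    """Closed form: probability that at least one SDP-bearing SIP packet is sampled."""
    return 1.0 - (1.0 - 1.0 / rate) ** sdp_packets


def attributable_fraction(trials, rate, seconds=60, seed=7):
    """Simulated fraction of calls whose RTP ports a collector could label as RTP."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        labels = classify(sflow_sample(make_call(12345, 12346, seconds), rate, rng))
        hits += labels.get(12345) == "rtp"
    return hits / trials


if __name__ == "__main__":
    print("P(SDP sampled) at 1:1000, 4 SDP packets:", p_sdp_sampled(4, 1000))
    print("simulated attributable calls at 1:1000:", attributable_fraction(200, 1000))
    print("simulated attributable calls with no sampling:", attributable_fraction(5, 1))
```

The RTP ports themselves are sampled plenty (a 60 s call at 50 pps each way is 6000 packets, about 6 samples at 1:1000), so the collector does see the flow; what it almost never sees is the SDP that would let it name the flow.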



D-Link backup over TFTP failure

I almost hope that no one can help me with this only because that means they had to suffer through using D-Link stuff. Anyway...

I'm trying to back up all of our switch configs and finally got to the D-Link stuff. I'm reading over the documentation and I'm pretty sure I have the command right, but I get a failure message.

 DGS-3420-52T:admin#upload cfg_toTFTP 10.80.181.19 dest_file c:\cfg\DGS-3420-52T2-1.cfg unit 1
 Command: upload cfg_toTFTP 10.80.181.19 dest_file c:\cfg\DGS-3420-52T2-1.cfg unit 1
 Connecting to server................... Violation failed! Fail!

Nothing else has been giving me this much trouble over TFTP or HTTP. This site might be stupid because it always has different network issues from everywhere else, but that might just be the Wi-Fi controllers. I was able to back up the Brocade core with TFTP just fine though, so I think it's a D-Link specific problem.



Unable to ping to host on nexus switch from other subnet

There's a management subnet, say 10.0.10.0/24, that I'm trying to connect to. 2 Nexus switches are accessible and I can ping / SSH into them. However, whenever I try to ping an N3K 3064, it's blocking traffic from other subnets. Connecting locally on the same VLAN, everything is working fine.

Tried comparing the working Nexus and the 3064 configs but can't see anything that would prevent this. The ACL copp-system-acl-icmp has a permit any any on it. The ACL copp-system-acl-ping also permits any echo and echo-reply. Would there be some setting I'm missing that prevents ping from other subnets?



Cisco ASA - Object-group service question

Hi,

When creating an object-group service and applying the object-group to the ACL, where is it applied?

Is it applied to the source or destination?

i.e:

access-list outside-in extended permit object-group Standard-80-443-PortGrp object obj_any object obj_web01

--in the above example, would the service group that contains tcp 80/443 be applied to the source or the destination?

Thanks in advance.



Question about PoE.

I'll keep this question short and simple. I'm considering purchasing a Dell PowerConnect 5524P, which has PoE. My question is, is the PoE that this switch supplies compatible with Ubiquiti equipment such as APs?

Appreciate any input. Thanks



China Unicom to US Latency/PacketLoss (Apr-15)

We started observing really high packet loss and latency between the US and China Unicom; the report is a submarine cable break causing congestion on the remaining paths. Anyone here have any additional details and/or also observing impact?



Help with older computer with discontinued Wireless adapter

I've been trying to find solid answers to this for some time now. I was hoping someone here can help.

I'm using an older Toshiba laptop with Windows 7. I can't update to Windows 10 because it says "wireless adapter not compatible" or something like that. Also, I'm noticing my Wi-Fi signal fluctuate like CRAZY sometimes. It will hold at 144mbps, then drop to 15mbps, then 56mbps and back to 144... sometimes it goes to 300mbps and 270, etc.

I've been trying to find out what's causing it. I can't find a driver update because it says my driver is discontinued.

Intel Centrino Advanced-N 6200 v 13.2.0.30

I don't know what to do...



Common network issues in Enterprise network.

Hi guys,

Hope this is the right community to post this.

What are some of the most common L3 and L2 issues faced by you guys in an enterprise network, and also some of the most trivial cases? How do you start the troubleshooting? What is your troubleshooting philosophy? Real-life examples will be highly appreciated.



GNS3 BGP lab exercises

Hi,

Does anyone know where I can find a list of GNS3 topologies with a list of exercises in order to practice BGP? I mean, the idea is to have a list of pre-defined exercises instead of creating my own topology and making up some exercises.

thanks!



PROs/CONs to having separate BGP ASNs as opposed to having one larger BGP ASN?

Hey all.

I'm having a difficult time trying to figure out what the pros/cons would be to having one large BGP ASN as opposed to 2 or 3 smaller ones. A little context:

We have one site on the east coast that is one BGP ASN. Another east coast site not too far away (50 miles give or take) that is another BGP ASN and then a third one out west. We just had a discussion of potentially collapsing the east coast sites into one ASN and it got me thinking, what are the benefits to collapsing them? What are the benefits to keeping them separate?

Thanks.



In-path Proxy for QUIC

I've recently started researching the QUIC protocol and came across the following while reading the QUIC Manageability draft: "QUIC proxies must be fully-fledged QUIC endpoints, implementing the transport as defined in [QUIC-TRANSPORT] and [QUIC-TLS] as well as proxy-relevant semantics for the application(s) running over QUIC (e.g. HTTP/3 as defined in [QUIC-HTTP])."
I understand why the proxies would have to be terminating proxies and complete handshakes individually with the client and server; however, why they would need to be "fully-fledged QUIC endpoints" is what I don't understand properly. If they support handshakes, and repackage the packets from the client and server with the correct connection IDs and checksums, wouldn't that be sufficient, or are there specific features of this protocol that make this unfeasible?



Wednesday, April 15, 2020

SFP+ compatibilities with SFP

I realize some of this may be based on vendor. But I have a newer project where there is a main office and then single mode fiber already run to multiple other buildings. Buildings are small, so I was looking at 8-port PoE switches that have SFP uplinks.

However, most of the distribution switches I look at have SFP+. I need at least 8 SFP/SFP+ ports in the main office to go to the different buildings.

Can I put an SFP transceiver in an SFP+ port and have it step down to 1 gig SFP versus trying to do 10 gig? Really don't need the bandwidth and I'm trying to keep the project cheaper than doing 10gig everywhere.

Any thoughts or input would be nice. I don't usually touch fiber like this.

We were looking at like single mode 1310nm SFP transceivers. It's hard to find general rules of thumb on compatibilities. Have googled a few things and still unsure on how or if this would work.

Any thoughts, advice or recommendations would be helpful.

Thanks



NEST WIFI and Lack of VLAN workaround

Hey guys,

I am so annoyed at the moment. I switched ISPs thinking hell yeah, I am getting a better rate and more reliable. WRONG. The new ISP requires VLAN.

So 4 hours later, here I am sitting ANNOYED.

I do not want to throw away my nest ecosystem. I have lots of nest products including thermostat, nest hello, and not to mention 3 damn pucks.

So to get around this, would you suggest buying a Ubiquiti EdgeRouter X? How it will work is: I am in Australia with HFC NBN, so pretty much the Network Termination Device (like a modem) will be connected to the EdgeRouter, and then the EdgeRouter into the main Nest puck. My question is: will mesh still work as normal, or am I going into a crappy double NAT or whatever situation, and have I made my network so much more complicated that I should instead get rid of the Nests and buy the Ubiquiti pucks?



SDWan solutions with a hardware SDWan appliance and a soft client? (windows 10, android, etc...)

Are there any SDWan providers that provide:

  • A hardware SDWan box
  • A software SDWan client for Windows 10
  • zScaler integration

I am aware of VeloCloud that meets these requirements;

I don't believe Citrix SDWan has a soft client

I don't believe Checkpoint has zScaler integration

I am not familiar enough with other SDWan solutions to know if there are other solutions that meet these 3 checkboxes.

Other "nice-to-have" things:

  • Android/iOS SDWan client
  • Linux / Mac SDWan client

Any other options I should look at?

Are any of my believed statements above false?



CMDB - Options

Hi,

We have a lot of links / phone lines / devices to keep track of.

What does everyone use to document all these?

Was hoping for a free/open-source web-based app, if they exist?



I am trying to understand VPNs

So when I connect to a network using a VPN, it takes my data which is wrapped in a TCP header, and re-wraps the whole packet into a UDP header.... What I don't understand is why does it get wrapped in another header at all? Why can I not just connect to my network using normal TCP packets and a password to access network drives? I am not confused about using UDP specifically, I know that wrapping a TCP packet inside of another TCP packet causes problems, but why wrap it at all?



Is it a bad idea to export action communities?

I'm a small transit operator. I just set up communities, informational and action. On ingress, I strip any existing informational communities with my AS and apply my own. On egress, I apply the actions associated with the action communities.

My question is: should I be stripping action communities on egress (after I apply the actions)?

I asked around a bit and was told "yes" but not given a reason other than "security through obscurity". But I'm going to publish these communities publicly anyway, so I don't really think that makes sense.



Very basic and specific questions about IP.

I apologize if this is not the place to ask these questions.

I have been studying for the N+ exam but there are some concepts that I can't wrap my mind around.

1) Every time I turn on my computer, does it get a new IP address? If so, who assigns me this IP address? I know that a DHCP server assigns it automatically, but where is that DHCP server? Is it in my router? Did it decide by itself what my IP scope and subnet mask are?

2) Same question about DNS. I understand that it maps domain names to IP addresses. But where did it get into my computer? Is that in my router?

3) If I have a network of 10 computers, do they change addresses every time and then notify DHCP, or does DHCP keep track of the addresses that changed?

4) In large networks, are there computers just dedicated to DNS and DHCP? Or do they run on the same computer? Or do they run on a computer which is also used by someone at the help desk? Also, if they do, do they look like a regular computer or is it anything different?

5) A subnet mask is a logical division of the network. If I have 2 groups of 5 computers each and they are in different subnets, how would it be possible for them to communicate? If it is possible, please explain how. Because, if they are different logical groups and one is not allowed to talk to another, is there NO way of communicating in case it is needed? (I think this is the dumbest question of all.)

Again, I am a complete dummy in this subject. I just think that if books or videos explained BETTER how things work and why they work like that, and showed a real-life example, I would understand better. I just want to really understand these concepts because I find it hard to move on to other subjects since these are considered to be basic. If I ever have a job interview and someone asks me "what is an IP address", I know that "it's just an address like your house, you know... but on your computer" is not going to be enough.

If anyone is willing to answer my questions I thank you a lot
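An added example (not from either post) in Python that covers both the "X.x.x.1/24 versus X.x.x.0/24" question above and question 5 here, using the bit arithmetic a host actually performs rather than a library: the host address is ANDed with the mask to find the network, which is why .1/24 and .2/24 are two hosts on the same /24, and the same AND decides whether a destination is on-link or has to go to the default gateway, which is how two subnets talk. Addresses used are constructed.

```python
def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the first `prefix` bits are network bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def describe(cidr: str) -> dict:
    """Split 'host/prefix' into the pieces the N+ exam asks about.

    10.0.0.1/24 and 10.0.0.2/24 are two hosts on the one network 10.0.0.0/24;
    the network address and the broadcast address are not assignable to hosts.
    """
    host, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    net = ip_to_int(host) & mask            # network bits kept, host bits cleared
    bcast = net | (~mask & 0xFFFFFFFF)      # network bits kept, host bits all ones
    usable = max(0, (bcast - net) - 1)      # /31 and /32 have no classic usable range
    return {
        "host": host,
        "mask": int_to_ip(mask),
        "network": int_to_ip(net),
        "broadcast": int_to_ip(bcast),
        "first_usable": int_to_ip(net + 1) if usable else None,
        "last_usable": int_to_ip(bcast - 1) if usable else None,
        "usable_count": usable,
    }


def next_hop(my_cidr: str, dst_ip: str, gateway: str) -> tuple:
    """The decision a host makes before sending each packet.

    If (dst & mask) == (me & mask) the destination is on-link and the host
    delivers directly (ARP for its MAC). Otherwise the frame is addressed to
    the default gateway, and that router forwards between the two subnets;
    this is the answer to "how do two subnets ever talk".
    """
    host, prefix = my_cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    if ip_to_int(dst_ip) & mask == ip_to_int(host) & mask:
        return ("on-link", dst_ip)
    return ("via-gateway", gateway)


if __name__ == "__main__":
    print(describe("192.168.10.1/24"))
    print(describe("192.168.10.2/24")["network"])
    print(next_hop("192.168.10.5/24", "192.168.10.77", "192.168.10.1"))
    print(next_hop("192.168.10.5/24", "192.168.11.77", "192.168.10.1"))
```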



HSRP between DCs

Howdy,

I am trying to get an understanding of the best (most common, best practice) way to accomplish this. We want to have an internal core Router1 (C9500) at a DC1 and an internal core Router2 (4500-X) at DC2. They will share certain interface VLANs using HSRP (which is not setup yet). These HSRP'd VLANs would primarily be for the virtualization network. Currently these routers are using EIGRP to communicate with each other via an etherchannel bundle.

Since we use EIGRP to route between these two cores, I would assume that across these same physical links that we would need to L2 span these HSRP VLANs. Is this all that we would have to do to get this working?

The main goal is to be able to swing VMs between each DC without having to re-ip the VM.

Could someone please shed some light on this topic for me?



Low Wireless Link Speed - Cisco WAP571

Hi Guys,
I have two wireless access points in my workplace, one in the office (Cisco WAP571) and one in the workshop (30-ish metres away, BT Business Hub 6).
The Cisco WAP571 is supposed to support up to 1.3Gb/s with 3x3 MIMO on AC wireless;

the BT Business Hub 6 is only listed as "AC Wireless".

My problem is, on the BH6 I can get up to 1083Mb/s, however on the WAP571 the highest it will go is 866Mb/s.

The client is a Galaxy Note 8 as this is the fastest wireless device I have; in theory this confirms it has at least a 3x3 MIMO antenna array.

I cannot figure out for the life of me how to push the WAP571 up to full rate (at least the full rate of my client device). We are getting gigabit internet shortly, so I'd like as much wireless throughput as possible. (I am aware this basically halves in actual usage, another reason I want the PHY rate as high as possible.)



Is 'Flat' the Correct Word Here?

In a report, a consultant is defining 'flat' in this way:

"In a flat network there are only access level switches and core level switches; distribution level switches are omitted in a flat network when compared to the hierarchical topology."

My understanding, as an old network guy, is that 'flat' means a non-routed, non-VLANed LAN. Wikipedia defines it similarly. I am concerned this wording will cause confusion when it comes to implementation. I have 2 questions for you all:

1- Is my concern legitimate?

2- Is there a better word than 'flat' for what he is describing?



Client unable to access partsbase.com from their location. Trying to find cause.

A client of mine accesses the partsbase.com website often. Suddenly today they cannot connect to it. It won't work with any browser. They use Optimum for internet access and are using a static IP. They are behind a WatchGuard router. I remoted in and did a ping test to partsbase.com directly from the WatchGuard's diagnostics and the test failed. Traceroute responses fail after hop 26 (* 52.95.1.167 29 ms 52.95.1.111 28 ms). I switched the external IP assignment on the WatchGuard to one of their other unused Optimum static IPs just to see what would happen and had the same results. I have no problem accessing the website from my internet connection, which is Optimum as well, or even via my cellphone's data plan. Any ideas?



What type of NAT is this?

Hi guys, could you please help me and explain what type of NAT this is?

nat (interface,interface) source static host1 host1 destination static host3 host4



MPLS latency increase explanation

Hi r/networking,

I'm quite a novice; however, I have a question regarding MPLS routing. I often have to explain to clients who provide traceroutes that a latency increase to roughly 135-150ms is normal when the hop is via MPLS, however I'd like an explanation myself as to why this is. An explanation as basic as possible would be appreciated, as I'd like to provide this information to clients who bring routing issues to us where possible.

Thanks everyone!



What are some really simple but tricky networking questions you know?

Bored as hell. Let's have fun



TFW you find clients even your boss didn't know existed.

One day I was randomly looking at our ARP tables and CDP/LLDP neighbors, mostly hoping to find whatever needs upgrading. And then it stuck out: a horrendously outdated AP. It had not been updated since 2011. This was even before the guys that were at my company before me.

It was not pingable, all ports were closed and it was only visible via CDP, and only on other devices that were close by. None of my passwords worked. The hostname was a very descriptive 'Router 1'.

Worst of all, this device defied everything about how we usually configure devices and several of our policies. I just had to go down that rabbit hole.

Well, I started tracking down its MAC address in ARP tables until I came to a Linksys. A Linksys SPS enterprise switch. Anyone remember those before they were absorbed into Cisco's SBS lineup? And there it was, an interface with a description containing the customer's name.

I ask my boss/CEO whether he knows anything about them and he is like, who are they? Then we ask accounting if they are still paying us. Turns out yes they are, and their payments are very regular. Exemplary, even.

Nothing for it, I call the client and ask to get an IT person, which I eventually get. I ask him to reset our password (luckily he had an admin account on the device as well) and we arrange an appointment for my visit to them so I can upgrade that old beast. Turns out they have been trying to contact us as well, on our old contacts.

Eventually the date came and it was a 2 hour job stepping it through updates and being careful that nothing breaks. Luckily everything worked out fine. I enabled remote management, did some cleanups and everything was just fine.

Once in a blue moon you can find clients that you really can forget about. Though you really don't want to (forget about them).



Dual-Wan Setup/Load Balancing IP Range Question

Hi, I'm setting up a dual-WAN router at the small business I work at and I'm planning to configure it for load balancing and failover. I'll have the two routers running into the load-balanced router. My question is, will I have to divide the IP range between the two WAN-facing routers? My inclination is to think I won't, because users are routed only between each respective router and the load balancing router, where they will be assigned new IPs, but I'd like some input.



How to catch TCP packets going through interface and completely change them?

I am exploring the problem of TCP over TCP. Specifically the situation when a TCP connection is wrapped in a TCP tunnel (Tor, HTTP tunnel, WebSocket tunnel) because a UDP tunnel cannot be used (DPI blocks VPN).

I thought that an application whose traffic is tunnelled usually doesn't require TCP with its guaranteed delivery (and slowdown) because the tunnel already handles network issues. The only thing the application wants is a transport which establishes a connection, and that's why it uses a TCP socket.

I decided to implement software which sits on both sides of a tunnel, catches TCP packets on the tunnel network interface (e.g. tun0), prevents them from being sent, wraps them in UDP and sends them to its instance on the other side.

How can I catch packets? I've looked at iptables and libpcap but I can't find the solution.



FHRP Isolation in traditional L2 back-to-back vPC DCI

https://www.cisco.com/c/en/us/support/docs/switches/nexus-7000-series-switches/118934-configure-nx7k-00.html

Referencing this topology (ctrl+f for "Dual L2/L3 POD Interconnect")

In this back-to-back vPC trunk configuration, I am trying to achieve FHRP domain isolation so each site has its own version of Active/Standby SVIs. According to this document I just have to apply a PACL to the DCI trunk interface (Po20/vPC20 in my configuration) and configure "no ip arp gratuitous hsrp duplicate" on the stretched VLAN SVIs, and I should achieve this isolation. I have it stood up with 4x N9Kvs in GNS3 right now, but I can't seem to get it to stop sharing HSRP information across the DCI. One data center has an Active and a Listener, the other has a Standby and a Listener. Is this a GNS3 bug or am I missing something here? Seems like a simple enough config.

config:

```
interface port-channel20
  description L2_to_9k1/2_vPC20 (Inter-DC Trunk)
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 94,1000
  ip port access-group DENY_HSRP_IP in
  spanning-tree port type edge trunk
  spanning-tree bpdufilter enable
  vpc 20

7k1(config)# show access-list DENY_HSRP_IP
IP access list DENY_HSRP_IP
        statistics per-entry
        10 deny udp any 224.0.0.2/32 eq 1985
        20 deny udp any 224.0.0.102/32 eq 1985
        30 permit ip any any

interface Vlan94
  description Stretched_L2_Example_VLAN
  no shutdown
  no ip redirects
  ip address 10.200.0.15/27
  no ipv6 redirects
  ip router eigrp 100
  ip passive-interface eigrp 100
  no ip arp gratuitous hsrp duplicate
  hsrp version 2
  hsrp 94
    preempt
    priority 140
    ip 10.200.0.30
```
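A config check for the isolation described above, added here as an example and not part of the original post: it parses the port-channel, ACL and SVI snippets (trimmed to the lines the check reads, with the ACL re-expressed in `ip access-list` config syntax) and reports whether the inbound PACL on the DCI port-channel denies the HSRP hello destination for the version each stretched SVI runs (224.0.0.2 for v1, 224.0.0.102 for v2, both UDP/1985) and whether `no ip arp gratuitous hsrp duplicate` is present. Function names are mine.

```python
"""Lint an NX-OS DCI trunk config for HSRP isolation (added example; the config text
below is copied from the post, trimmed to the lines this check reads)."""
import re

# HSRP hello destinations: v1 uses 224.0.0.2, v2 uses 224.0.0.102, both UDP/1985.
HSRP_DEST = {1: "224.0.0.2", 2: "224.0.0.102"}
DENY_RE = re.compile(r"\d+ deny udp any (\S+)/32 eq 1985")

CONFIG_FROM_POST = """\
interface port-channel20
  switchport mode trunk
  switchport trunk allowed vlan 94,1000
  ip port access-group DENY_HSRP_IP in
ip access-list DENY_HSRP_IP
  statistics per-entry
  10 deny udp any 224.0.0.2/32 eq 1985
  20 deny udp any 224.0.0.102/32 eq 1985
  30 permit ip any any
interface Vlan94
  ip address 10.200.0.15/27
  no ip arp gratuitous hsrp duplicate
  hsrp version 2
  hsrp 94
    ip 10.200.0.30
"""


def parse_sections(cfg):
    """Split running-config text into (header, [child lines]) blocks; every indented
    line belongs to the last top-level header, so 'hsrp 94' children land on the SVI."""
    sections = []
    for raw in cfg.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections


def expand_vlans(spec):
    """'94,1000-1002' -> {94, 1000, 1001, 1002}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def lint_fhrp_isolation(cfg, dci_interface):
    """Return a list of findings; an empty list means the isolation config is complete."""
    acls, svis, dci = {}, {}, None
    for header, lines in parse_sections(cfg):
        if header.lower() == "interface " + dci_interface.lower():
            dci = lines
        elif header.startswith("ip access-list "):
            acls[header.split()[-1]] = {m.group(1) for m in map(DENY_RE.match, lines) if m}
        elif re.match(r"interface vlan\d+$", header, re.I):
            svis[int(re.search(r"\d+", header).group())] = lines
    if dci is None:
        return ["DCI interface %s not found in config" % dci_interface]
    allowed, pacl = set(), None
    for line in dci:
        m = re.match(r"switchport trunk allowed vlan (\S+)", line)
        if m:
            allowed = expand_vlans(m.group(1))
        m = re.match(r"ip port access-group (\S+) in", line)
        if m:
            pacl = m.group(1)
    findings = [] if pacl else ["%s: no inbound PACL applied" % dci_interface]
    denied = acls.get(pacl, set())
    for vid, lines in svis.items():
        # Only SVIs that are both stretched over the DCI and running HSRP matter here.
        if vid not in allowed or not any(l.startswith("hsrp ") for l in lines):
            continue
        version = 2 if "hsrp version 2" in lines else 1
        if HSRP_DEST[version] not in denied:
            findings.append("Vlan%d runs HSRPv%d but PACL %s does not deny udp/1985 to %s"
                            % (vid, version, pacl, HSRP_DEST[version]))
        if "no ip arp gratuitous hsrp duplicate" not in lines:
            findings.append("Vlan%d: missing 'no ip arp gratuitous hsrp duplicate'" % vid)
    return findings


if __name__ == "__main__":
    print("post config:", lint_fhrp_isolation(CONFIG_FROM_POST, "port-channel20") or "no findings")
    # Constructed variant: ACL denies only the HSRPv1 destination while the SVI runs v2.
    weak = CONFIG_FROM_POST.replace("  20 deny udp any 224.0.0.102/32 eq 1985\n", "")
    print("v1-only ACL:", lint_fhrp_isolation(weak, "port-channel20"))
```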



Cisco AP send BPDU on Cisco Switch?

Hi All,

We have a Cisco AP AIR-AP2802 (18.5) in a typical FlexConnect setup, connected to a managed switch which has BPDU guard enabled. The issue is that recently we can see that the AP sends BPDUs, causing the interface to get disabled, which results in connection issues for clients connected to that AP.

Seen that this is mostly due to a bug on the current AP version, but we have multiple sites using this same AP model and version and only a single site is getting this issue. Note that we just recently encountered this and it happens at a random time/day.

Questions:

  1. Is it possible that a wireless client (laptop, IP phone, mobile) can forward/generate a BPDU to the AP, and the AP then forwards the BPDU message to the switch?
  2. If #1 is true, how can we prevent this and identify which host MAC address is sending the BPDU messages?
  3. Is it possible to filter, block or disable BPDUs on the AP?

Thank you



Tracking Internet status (IP SLA)

On most of my clients' networks, there is usually an IP SLA checking the internet path to initiate failover. The most common trackings I've seen are ICMP ping to 8.8.8.8 / 8.8.4.4 / 1.1.1.1 / OpenDNS (can't remember the IPs). What have you guys seen in enterprise networks to track if the internet is up?



How complex is a bank's network?

People around me often consider a bank's network as something very advanced, very complex and very secure, and they even take so much pride in having done any kind of project for banks, and I am curious about how true that statement is. I like to think that banks are just another large enterprise, so their networks would not differ too much from usual enterprise networks except maybe in scale.

I am just a junior network admin with about 2 years of experience and I never worked on something large, but I like to think that places like Google, Amazon, Netflix and service providers have much more complex infrastructure. Basically, I think any business that is building networks/resources for public use would have a much more advanced architecture.

I really would appreciate it if anyone here could share their experience in either of those environment, and how much did they benefit/learn from each environment.



Firmware Update Process

Hey all,

Currently have some tasks around pulling together some central process for the upkeep of our infrastructure (Patching critical devices for vulnerabilities/ bugs etc). Unfortunately, we don't have any central inventory or NSOT system due to the way org is structured to use as a base. (Separate distinct BUs)

The current process is around excel documents and manual data entry from version reports (Cattools) and then manual lookups to Vendors for the latest code etc.

Was wondering how others have this and what tooling you may use? Dabbled in some Python scripts to pull vulnerability details from Cisco and have been thinking how to pull this into a repeatable process and automate as much of it as possible, as this will be handed off to other teams to manage day-to-day.

My initial thoughts were NSOT (Netbox?) w/inventory of devices > interacts with devices to get the latest data (NAPALM/ ANSIBLE) > interacts with vulnerability data (Via Public APIs) > engineer reviews data (New vulnerability this version X is vulnerable) and initiates upgrades. (Actual upgrade part is separate although forms part of the process).

Powerapps (Microsoft) could be an option for that external lookup but might involve some manual entry.

Any thoughts on this would be appreciated.

EDIT: We do have a CMDB (service now) coming but this is for one part of the business only.



Cisco ASA - interface inside management

N7k - -out- - ASA - -in- - N9k

There is a p2p link on the outside where I can ping and SSH to the ASA outside IP from the N7k (ASA dgw).

There is a trunk between the ASA and the N9k; on the ASA side one of the sub-interfaces is the GW for the mgmt network (10.0.0.254/24).

The N9k has an SVI in this network (10.0.0.251) and it's pingable and SSH-able from the N7k and remote networks.

Why can't I ping or SSH to the ASA IP 10.0.0.254 from the N7k, even though it's the GW for the N9k, which is reachable? No policy hits when I try.

It's my first time with an ASA. Thanks



Tuesday, April 14, 2020

Azure VNet & VPN connection question

Hi all, I'm looking for network advice on a setup I have here.

I have an Azure VNet with a network gateway using an S2S connection. This gives access to the target network I need to access.

I want to be able to connect to this VNet using Azure VPN client (this would mean P2S).

I've tried various methods; my favorite, which didn't work: create a new VNet, create a gateway for P2S, set up peering. This didn't work as I can only use one network gateway when using gateway transit.

My address pool is what limits me here:
VNet: 192.168.40.80 /28
Subnet01: GatewaySubnet 192.168.40.80 /29
Subnet02: InternalSubnet 192.168.40.88 /29

I have tried making the address pool bigger, allocating the space to a new subnet and attaching that subnet to a VM. I wasn't able to see the target network from Subnet03, but I can on Subnet02.

So I'm not really sure what I'm doing, it has made my head spin.

How do I add the P2S connection into my setup? What should I be doing?



Best remote team processes

Since we're all sick of troubleshooting VPN connectivity during this pandemic, I wanted to get some feedback on what's working well for remote teams.

Do you have a weekly standup meeting that is effective and works well? Asynchronous standup? Does your team have some unique process that helps with everyone's visibility of what's going on?

Mostly curious about processes but software/tools would be good to hear about as well, especially if they're being used in unconventional ways.



Switch in AP?

So I'm trying to handle the influx of family at home with corona and the amount of needed hardwire connections. I currently have my router running an AP farther away in the house, and I need to hardwire 3 new devices that are near the AP. I got an unmanaged gigabit 8-port switch from a friend and have been having some issues making it work for me, so I'm wondering if it's because my setup won't work.

So what I’m wondering is can I plug the switch into the extra port on my AP to then have 8 ports in this area of the house to use? Or does the switch need to plug directly in to the router, causing me different problems to solve?

Thank you for answering what is probably a dumb question!



Subsequent connections to websites are failing on entire network

Starting late last Friday, internet at our office stopped working and attempts to remotely connect would fail.

Internet remained down until Monday morning when I restarted our firewall (which seemingly did nothing) followed by our network switch, which appeared to resolve the issue. I'd like to note that I was able to successfully ping google.com between resetting the firewall and switch yet webpages were not loading in a browser.

By 11am on Tuesday, the internet became extremely slow or nonexistent and still remains this way. Our ISP saw nothing wrong from their end.

Usually the initial connection to a website will load fine, however further navigation on that website will initially stall for 20-30 seconds before maybe loading (very slowly) or more likely an error such as "ERR_CONNECTION_RESET".

The issue is very noticeable in our ERP (NetSuite). If I close and open Chrome, I can go to any URL in NetSuite and it will load fast as usual. Navigating to another page is when the page stalls (according to Chrome Dev Network Tools) for 20-30 seconds and usually won't load. Restarting Chrome lets me access the new page near instantly.

When going to fast.com or speedtest.net, we see the usual ~50Mbps download speeds. Upload speeds on speedtest.net have been <0.10Mbps, however that may be due to our firewall.

Does this sound like hardware starting to die, or something else?



VMs can't get to internet

Hello,

I'm new to networking so go easy on me, but I could use some help here.

I have a server running VMware ESXi on it. It's connected to a Cisco switch which I believe I have configured properly to have the port it's connected to set as a trunk that allows all the other VLANs on my network.

I have pfSense set up to handle DHCP, and I can see on the ESXi itself that it was able to pull an IP address from pfSense. However, my VLANs can't get anything. In VMware I added a port group with the correct VLAN and set the NIC to the newly created interface, but it won't get an IP.

The strange thing is that when I go into the DHCP leases in pfsense, it shows that it assigned the VMs I created their own leases! I thought maybe if I set them manually that would resolve the issue, but they are still unable to ping anything. What am I missing here?

The ESXi host itself does not have a vlan tag set, but the port it's plugged into has a native vlan of 600 set if that makes any difference at all. I feel like there's some important step I'm missing here....



Palo Alto Prisma Access client bandwidth degradation

We just recently purchased Palo Alto's Prisma Access solution and noticed that bandwidth is degraded for users with high-speed internet (1 Gbps). At first I thought this could be a Wi-Fi interference problem or something else, so to isolate all those variables, I decided to run these tests on a Linux server with GP 5.0.9 on GCP.

I seem to have found some very interesting statistics. I used an n1-standard-8 (8 vCPUs, 30 GB RAM) instance and ran the test with and without the GP client. Here are the stats...

```
-------------WITH GP-----------------------
user@instance-3:~$ speedtest-cli --simple
Ping: 31.575 ms
Download: 250.10 Mbit/s
Upload: 230.51 Mbit/s
user@instance-3:~$ speedtest-cli --simple
Ping: 28.773 ms
Download: 241.40 Mbit/s
Upload: 214.32 Mbit/s
user@instance-3:~$ speedtest-cli --simple
Ping: 28.729 ms
Download: 243.25 Mbit/s
Upload: 203.31 Mbit/s

--------------WITHOUT GP -------------------
user@instance-3:~$ speedtest-cli --simple
Ping: 32.858 ms
Download: 2088.64 Mbit/s
Upload: 221.67 Mbit/s
user@instance-3:~$ speedtest-cli --simple
Ping: 30.414 ms
Download: 1978.77 Mbit/s
Upload: 210.96 Mbit/s
user@instance-3:~$ speedtest-cli --simple
Ping: 23.552 ms
Download: 1390.41 Mbit/s
Upload: 240.83 Mbit/s
```

Looks like the download has a cap of 250 Mbit/s, as GP can't get past that on the download. But without GP, I get greater than 1,000 Mbit/s.

Has anyone else run into similar speed issues?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC.



errdisable recovery cause small-frame??

Howdy,

I have come across an old 2960 switch with an additional command, 'errdisable recovery cause small-frame', configured globally for the default user ports. I have never seen this command before and went to research it, and it doesn't seem to be very threatening.

CISCO

You globally enable the small-frame arrival feature on the switch and then configure the small-frame threshold for packets on each interface. Packets smaller than the minimum size and arriving at a specified rate (the threshold) are dropped since the port is error disabled.

I was wondering if anyone had any real-world examples of why this would be used? Because my gut is telling me to remove it from our template for the next tech refresh.



How can I learn more about fiber L1 troubleshooting without doing it?

Short of it: I now work with remote clients who are required (want) to configure their own closets, and we have a fiber connection giving us trouble. I've seen, among other terms, looping, loops, normalize, and the like. Where can I go to learn more about this process and fiber in general? I've only ever really dealt with CAT#\RJ45 cables before.



Cisco ASR series is still in demand. What are your thoughts?


Repeat after me, “Wi-Fi is not the internet!” I said, “Wi-Fi is not the internet!”

Thank you.



Cisco C3560CX SNMP v3 - can't authenticate

I was hoping someone could review the steps I have taken and see if I did anything obviously wrong. Any help is much appreciated.

Steps taken:

1) Reviewed Process - https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst_digital_building_series_switches/software/15-2_7_e/b_1527e_consolidated_cdb_cg/configuring_simple_network_management_protocol.html

2) SSH'd to a WS-3650CX-12PC-S

3) confirmed software version - 15.2(4)E1

4) retrieved EngineID for our SolarWinds instance - 3

5) configuration ran based on document linked above:

```
enable
configure terminal
no snmp-server
snmp-server engineID remote 10.10.10.10 300000000000000000000000
snmp-server group monitorgroup v3 priv
snmp-server user solarwindsuser2 monitorgroup remote 10.10.10.10 v3 auth sha R3dactedPassw0rd priv aes 128 R3dactedPassw0rd2
end
```

6) Attempted to add the node in SolarWinds using SNMPv3 with these settings:

```
SNMP Port: 161
SNMPv3 Username: solarwindsuser2
Authentication Method: SHA1
Authentication Password: R3dactedPassw0rd
Encryption Method: AES128
Encryption Password: R3dactedPassw0rd2
```

7) Test failed: SolarWinds states the node did not respond with the supplied read/write SNMPv3 credentials. Reviewed SNMP debug on the switch:

```
SNMP: Packet received via UDP from 10.10.10.10 on Vlan111
SNMP: Report, reqid 62037, errstat 0, erridx 0
 usmStats.4.0 = 6
SNMP: Packet sent via UDP to 10.10.10.15
SNMP: Packet received via UDP from 10.10.10.10 on Vlan111
SNMP: Report, reqid 2147483647, errstat 0, erridx 0
 usmStats.3.0 = 6
SNMP: Packet sent via UDP to 10.10.10.10
```

Does anyone have any thoughts as to why I am unable to authenticate?
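Decoding the two Report PDUs in the debug output above, as an added example that is not part of the original post: the parser maps each `usmStats.<n>.0` counter the switch cites to its RFC 3414 name (usmStats.4.0 is usmStatsUnknownEngineIDs, which a manager's engine-ID discovery triggers as a matter of course; usmStats.3.0 is usmStatsUnknownUserNames, returned when the agent finds no user of that name under its own engine ID). The debug lines are the post's; the parser, counter table and explanations are constructed here.

```python
"""Name the USM error behind each SNMPv3 Report PDU in IOS 'debug snmp packets' output
(added example; DEBUG_FROM_POST is copied from the post, the rest is constructed)."""
import re

# usmStats arcs under 1.3.6.1.6.3.15.1.1 (RFC 3414), printed by IOS as usmStats.<arc>.0
USM_STATS = {
    1: ("usmStatsUnsupportedSecLevels", "requested auth/priv level not supported for this user"),
    2: ("usmStatsNotInTimeWindows", "engine boots/time outside the 150 s window"),
    3: ("usmStatsUnknownUserNames", "no user with this name is known under the agent's own engine ID"),
    4: ("usmStatsUnknownEngineIDs", "request carried an engine ID the agent does not own (normal during discovery)"),
    5: ("usmStatsWrongDigests", "authentication failed: wrong auth protocol or password"),
    6: ("usmStatsDecryptionErrors", "privacy failed: wrong priv protocol or password"),
}

DEBUG_FROM_POST = """\
SNMP: Packet received via UDP from 10.10.10.10 on Vlan111
SNMP: Report, reqid 62037, errstat 0, erridx 0
 usmStats.4.0 = 6
SNMP: Packet sent via UDP to 10.10.10.15
SNMP: Packet received via UDP from 10.10.10.10 on Vlan111
SNMP: Report, reqid 2147483647, errstat 0, erridx 0
 usmStats.3.0 = 6
SNMP: Packet sent via UDP to 10.10.10.10
"""

RECV_RE = re.compile(r"Packet received via UDP from (\S+) on (\S+)")
REPORT_RE = re.compile(r"SNMP: Report, reqid (\d+)")
STAT_RE = re.compile(r"usmStats\.(\d+)\.0 = (\d+)")


def decode_reports(debug_text):
    """Return one dict per Report PDU: the peer that triggered it, the usmStats counter
    it cites, the counter's current value, and what that counter means."""
    reports, peer, iface, reqid = [], None, None, None
    for line in debug_text.splitlines():
        m = RECV_RE.search(line)
        if m:
            peer, iface = m.group(1), m.group(2)
            continue
        m = REPORT_RE.search(line)
        if m:
            reqid = int(m.group(1))
            continue
        m = STAT_RE.search(line)
        if m and reqid is not None:
            arc, value = int(m.group(1)), int(m.group(2))
            name, meaning = USM_STATS.get(
                arc, ("usmStats.%d (unknown arc)" % arc, "not a standard USM counter"))
            reports.append({"peer": peer, "iface": iface, "reqid": reqid,
                            "counter": name, "value": value, "meaning": meaning})
            reqid = None  # a counter line without a preceding Report is not attributed
    return reports


def summarize(reports):
    """One line per Report PDU, in the order the agent emitted them."""
    return "\n".join("%s via %s reqid=%d -> %s (count %d): %s"
                     % (r["peer"], r["iface"], r["reqid"], r["counter"], r["value"], r["meaning"])
                     for r in reports)


if __name__ == "__main__":
    print(summarize(decode_reports(DEBUG_FROM_POST)))
```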



Proofpoint is having Data Center and DNS issues - Outage

https://pbs.twimg.com/media/EVlRtVmUUAEXhit?format=png&name=small

If anyone else uses PP essential or email fraud. Or really any of their products



ISPs filtering ICMP; Recommendations on UDP based tracing tools?

Hey all,

I ran a tracert on a client's machine and it returned a log with two hops, with just source and destination. After some digging around, I heard this was common with some providers like FiOS.
Anyone have recommendations for UDP based tracing tools without using third party applications?



If client is behind NAT, client cant finish establishing an ssh connection with one particular server

I have a linux server, where as long as the client is on a routed interface, SVI, etc and as long as the access list permits it, the client can connect just fine via SSH.

Once the client(s) move behind any NAT, the SSH connection starts, and then just when it should establish (when not behind a NAT it can accomplish this in about 100 packets start to finish) the client throws out a FIN ACK and the session is shut down.

I thought it could possibly be TCP timestamps - but almost all of the other linux boxes have TCP timestamps on, and they are not affected at all.

Any clue as to why this one server doesn't like clients behind NAT? I've tried doing 1:1 NAT - no help.

Also, one caveat: Cisco Twice NAT works over an SSL VPN, but it's the only NAT out of 4 that I've tried that does work. And I can't seem to replicate this type of NAT on any other device (it needs to work on a Fortigate VPN; both IPsec and SSL clients can't finish establishing a connection to this one server).

I did just open a case with Fortinet as well, but I'm honestly not expecting anything helpful initially, primarily because I don't think it's a Fortinet issue, since this behavior is reproducible on multiple platforms.

Anyway, anyone have any ideas?



Broadcom/Symantec dropped the Packetshaper product line in March 2020.



Can't ping machines on SSL VPN

So we use 2 VPN clients, GVC and NetExtender. We give the user the choice of which one to use. Sometimes one works better than the other from users' homes. But for some reason I can never ping or see a machine on the network when it is connected via NetExtender. This doesn't happen with GVC. Do you networking gurus have any thoughts on this? I can provide more info as needed.



Site-to-Site VPN

Hello,

Thank you for taking the time out of your day to read this post. I need some advice about NAT and site-to-site VPN, as I am new to networking. The layout here is that I need to set up a site-to-site VPN for only a few devices on my network, so these resources could become available to another company. My current CCNP book only teaches configuration if you know the other side's internal IPs of resources. I'm sure this company will only want to give us their public WAN. Luckily I believe our SonicWall 5600N will allow for IP addresses to have a NAT that I believe we can map back to our customer's public IP address. What kind of configuring would the customer have to do? Are there any foreseeable issues that can arise without having knowledge of their internal private network? How can I start doing this process automatically instead of manually? Thanks in advance.



Why can macOS users not connect to our office L2TP VPN over IPsec (Draytek Vigor 2952) using the built-in Mac VPN functionality but Windows users can?

Hi all, I have set up user accounts for both Windows and Mac users for our Draytek VPN and put in the exact same pre-shared key and IP address, but Mac users are unable to connect using these credentials via the System Preferences > Network menu.

The error message I receive is 'The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your administrator'.

Can anyone help? As far as I can see all the settings are correct.



What are the requirements for Windows to accept UDP packets?

I have an embedded device where I'm programming the microcontroller, MAC, and PHY and I want to send UDP packets to my Windows machine through a directly connected ethernet port.

embedded device <-> USB ethernet adapter <-> Windows desktop

I have the following Python server listening for UDP packets on the DA7A port

```
import socket

UDP_IP = ''            # bind to all local addresses
UDP_PORT = 0xDA7A      # 55930 decimal

serversocket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
serversocket.bind((UDP_IP, UDP_PORT))

while True:
    print('hello, I\'m listening')
    # 1514 bytes covers a full-size Ethernet frame payload
    data, addr = serversocket.recvfrom(1514)
    print('========\n\tConnected by ', addr)
    if data:
        print('\tdata bytes: ' + str(len(data)))
    print('========')
```

The packets as I receive them in wireshark (and create them in the microcontroller):

```
0000  00 e0 4c 68 01 2f 22 22 22 22 22 22 08 00 45 00
0010  00 20 80 00 00 00 80 11 00 00 64 64 64 02 64 64
0020  64 01 da 7a da 7a 00 0c 00 00 de ad be ef
```

But they are never received by the Python server.

I have a static IP set on the desktop as 100.100.100.1 and the firewall is set to accept inputs to DA7A.

I did get the server to receive packets from my laptop in the following config:

Laptop <-> router <-> USB Ethernet <-> Desktop

But only when using DHCP for both the laptop and Desktop. I.e. setting static IPs in Windows made the setup not work (I didn't spend much time on this setup). This makes me think there's some other setup communications I'm not aware of but I can't figure out what they are.
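A frame checker for the hex dump above, added here as an example and not the original poster's code: it parses the Ethernet/IPv4/UDP frame byte for byte from the dump, recomputes the IPv4 header checksum (the dump carries 0x0000 in that field, and a receiving IP stack discards a datagram whose header checksum does not verify before any socket ever sees it), and produces a copy of the frame with the checksum filled in. Function names are mine; the frame bytes are the post's.

```python
"""Parse the frame from the post and verify its IPv4 header checksum (added example)."""
import struct

# Frame exactly as shown in the post's hex dump: Ethernet II + IPv4 + UDP + 4-byte payload.
FRAME_FROM_POST = bytes.fromhex(
    "00e04c68012f 222222222222 0800"                    # dst MAC, src MAC, EtherType IPv4
    "4500 0020 8000 0000 8011 0000 64646402 64646401"  # IPv4 header; checksum field is 0000
    "da7a da7a 000c 0000 deadbeef"                      # UDP: sport, dport, length, csum, data
)


def ipv4_checksum(header):
    """Internet checksum (RFC 1071) over an IPv4 header whose checksum field is zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame):
    """Decode Ethernet II + IPv4 (+ UDP) and report whether the header checksum verifies."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: EtherType 0x%04x" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    stored = struct.unpack("!H", ip[10:12])[0]
    expected = ipv4_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl])
    info = {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "proto": proto,
        "ip_checksum_stored": stored,
        "ip_checksum_expected": expected,
        "ip_checksum_ok": stored == expected,
    }
    if proto == 17 and total_len >= ihl + 8:
        sport, dport, ulen, ucsum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
        info.update({
            "udp_sport": sport, "udp_dport": dport,
            "udp_checksum": ucsum,          # 0 is legal for UDP over IPv4 ("no checksum")
            "payload": ip[ihl + 8:ihl + ulen],
        })
    return info


def fix_ip_checksum(frame):
    """Return a copy of the frame with the IPv4 header checksum recomputed."""
    ihl = (frame[14] & 0x0F) * 4
    hdr = frame[14:14 + ihl]
    csum = ipv4_checksum(hdr[:10] + b"\x00\x00" + hdr[12:])
    return frame[:24] + struct.pack("!H", csum) + frame[26:]   # checksum sits at offset 14+10


if __name__ == "__main__":
    for label, f in (("as captured", FRAME_FROM_POST),
                     ("recomputed", fix_ip_checksum(FRAME_FROM_POST))):
        r = parse_frame(f)
        print(label, r["src"], "->", r["dst"],
              "ip csum stored=0x%04x expected=0x%04x ok=%s"
              % (r["ip_checksum_stored"], r["ip_checksum_expected"], r["ip_checksum_ok"]),
              "udp %d->%d payload=%s" % (r["udp_sport"], r["udp_dport"], r["payload"].hex()))
```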



Smallest Cisco router that can hold the full BGP table?

Hi,

at our university we have a lab in which students can get experience working with Cisco (ISR 4331) and Juniper routers (SRX 240) with BGP, OSPF, etc. They have a dedicated Internet link and get the full BGP tables, v4 and v6. We now have the issue that the ISRs seem to run out of memory when we try to use both tables, and we have to pre-aggregate the routes, which we want to avoid. Now the people responsible want to buy new ISRs (or similar) that can hold both tables. As we all don't really know Cisco's products and their website is kind of confusing, could you maybe recommend which router we should buy?



Would a low TTL on Windows DNS SOA record cause Windows to hang on bootup?

TL;DR at the bottom, this needs some background to make sense.

Troubleshooting a very strange problem here that has been going on for a couple of weeks now. It requires a laptop swap for those affected and I'm really struggling to find a definitive cause and fix it. It feels like a networking issue but I can't say what for sure.

A bit of preamble:

We're running Macbook Airs with native Windows 10 (mix of 1903/1909) and when they're away from the business network during this Covid-19 work from home period, a cold boot hangs either just before the login screen, or just after. The machine is responsive but never finishes what it's doing- like it's waiting for a timeout or something to complete which never does.

Forcing it into Safe Mode shows "a timeout occurred (30000 milliseconds) was reached while waiting for a transaction response from the DNSCache service" multiple times and no other clues. You can log in fine in Safe Mode- with or without networking.

Our software loadout is very minimal- Office 2016, Teams, LAPS, Synergist (billing/invoicing software, fairly basic but up to date) and OpenVPN.

I've sent out 6 laptops with a completely fresh install of 1909 with the default Apple-provided Bootcamp drivers to try and eliminate driver updates or OS issues - no change.

However I've just noticed that the SOA record for our internal domain name on our DNS server is set to 1 minute when it should be 1 hour- not sure why.

Does anyone have any experience of this problem and is there any way this very low TTL could be causing this issue when the laptops are away from our business network?

Is there any way to properly diagnose this?

TL;DR - 1 minute TTL on internal domain SOA record. Windows hanging on login when booting away from company network, DNSCache service referenced in Event Viewer. Having to swap laptops during lockdown, need help.



Is Microsoft the best cloud solution for my business

Hi, I’m a business owner and want to get an integrated system on the cloud. There are many bundles, and Microsoft is the one I seem to get recommended the most. I have 30 employees; what would be the best cloud system to subscribe to?



Nexus BGP 31-Bit Prefixes

Has anyone attempted to implement BGP peers with 31-bit prefix links between Nexus devices?

We are having some issues with BGP peerings where a new peer will sit at Idle/Active until the Nexus are rebooted. Once a reboot is done, the peer comes up and is able to be bounced even and will still come back up. It seems like the Nexus may not be allowing the session on a per-neighbor basis. It seems to work if you use prefixes below /31.

IP reachability between the two devices is fine. ARP looks good and Ping works as well as other protocols. It just will not bring up the neighbor initially unless a reboot occurs.

We are working on a VXLAN EVPN deployment and would like to run EBGP as the underlay/overlay and /31 prefixes are the preference to use for P2P links between Spine and Leaf.

We are opening a TAC case, but I just wanted to get some opinions to see if anyone had any experience with this.

The devices are Nexus 9Ks running the 7.0.3 code train.

Sample Config:

```
router bgp 65000
  log-neighbor-changes
  address-family ipv4 unicast
    maximum-paths 2
  neighbor 10.0.0.1
    remote-as 65010
    address-family ipv4 unicast
      send-community both
```



Possible to start your own business as a Network Engineer?

Hi Reddit

I have been a Network Engineer for about 10 years, achieved my CCIE, worked for a few companies (ISP, Vendor Enterprise) and was hoping to look into starting my own business - Guess I have an entrepreneurial spirit and would like to be my own boss + would like having a career with the opportunity to scale. (more than one client)

What options are available out there for Network Engineers to do this? When I try and google Network Engineer Consultant (My City) I do not seem to find any businesses, what I do find is contract for larger companies / Project work. Is that the only option out there for us?

When I look at doing something that caters to small businesses, they seem to be MSP’s that are much more Microsoft / Sysadmin focused, from what I can see they all seem to keep their engineering staff in house.

I guess another way to ask this, does any company outsource Network Engineering services ?



Monday, April 13, 2020

Network Administrator

What are the logical steps to becoming a network admin? I have a bachelor's degree in IT with advanced networking as its focus. I have a good background but want to improve! What should I study/learn and how should I go about getting experience?



Should I become certified?

I am an MIS student graduating next spring. I ultimately would like to go into Business Analyst/Project Management. However, I do like the idea of working in networking. Should I become certified while I still get my student discount and have all this free time to study given COVID? I have the funds to do so. I have no knowledge of working in IT besides my degree, which from many IT forums isn't very relevant. Is it worth it for me to get my certs at this time? If so, which ones should I get? I was thinking the CompTIA triad. Also, could I skip working in helpdesk given the certificates and degree if I understand the job? Helpdesk has been my biggest deterrent from working in this line of IT and wanting to go into BA instead.



How secure is IPSEC?

I’m searching for information on how secure IPSEC really is. I’m struggling to find a video or white paper that shows if it has any real world vulnerabilities or if it is still considered to be truly secure.



Comptia Network+ and Security+ Worth it ?!

Hey guys, I am about to obtain my associate's degree in information systems technology this May, and I am planning to go for these two certs after graduation. I am not working in the IT field at this moment but would love to. Everyone talks about how hard it is to get the "first" job in this field, and the questions I have are: Are these 2 certifications worth it? Will these courses give me a solid foundation to start my IT career?

Would seriously appreciate any advice and suggestions.



University project on network automation

I am working on a uni project and we have to design a network for a tier 2 ISP providing services to 10 tier 3 ISPs. We want to automate the network and I wanted someone's review on how I can make the network better for automation. I can't post the network here because of concern about plagiarism, but our professor asked us to reach out to experts for advice. Can I PM someone who could help, maybe? I could also use some help deciding what devices to use and how to implement load balancing. I'd be very grateful.



Single Mode Fiber Reliability Figures

Hello fellow r/networking people!

My background is in wireless engineering and network design. I have been working with utility companies to deploy wireless solutions to transform SCADA networks into smart grids. My current project includes a paper study of alternative solutions to be submitted as a conclusion to a grant. I have been having a hell of a time finding MTBF figures for hung versus trenched fiber. Does anyone have any leads they could share on this reliability statistic?

I could only find one source for trenched fiber MTBF, and none for hung fiber deployments.

Any help would be appreciated!



Advice on Private Peering with Customers

I'm going to be setting up some peering with multiple (maybe 20) customers/vendors we work with over private circuits either with direct cross connects or virtual ones using Equinix ECX. They need to be able to send traffic to our datacenter and we want return traffic to go back over the same link.

My thoughts were to set up a VRF per customer and assign a /29 subnet in the 10/8 network for the link. On our end we would use our main ASN, and on their end they can use a real ASN if they have one, otherwise they can just use a private ASN. BGP between us and them, with prefix lists filtering everything inbound/outbound to IPs we agree on. Some customers may not own their own IP blocks/ASN, so we would want to be careful what we allow.

On our end we advertise the same public IPs we also advertise over the internet. We accept public IPs from the customer.

Once the routes are advertised between them and our VRF we leak their routes from the VRF into our default routing table and let it propagate to the rest of our network. Same story in reverse for some routes in our default VRF to them.

The reason I am looking at VRF is so they can't route anything to us but traffic destined for our datacenter. We don't want them to advertise our IP blocks to their upstream carriers and we won't advertise their IPs to ours. Neither of us want to be used as a transit ASN for the other.

Is this a good approach or is there something else I should be doing?