Saturday, May 23, 2020

What would be a good list of books to learn how the Internet works?

I’m specifically looking for things that aren’t covered in Cisco training. I think Cisco, Juniper, etc. get me up to layer 4. But I want to know the whole thing.

Right now I’m doing CCNA for the bottom four layers. But what are some good books to read in order to understand:

- the upper layers
- how TCP/IP works
- how the Internet works

Once I have that and I have CCNA then I think that’s plenty of networking and then I can be more prepared to go into python network programming, which I will ask about later.

UPDATE:

This isn’t for career questions. I like to learn networking and I want to eventually learn network programming as well.



Would it be in any way beneficial to shield each individual wire in twisted pair cabling?

So there is F/UTP, which has an outer, single layer of foil. There's U/FTP which has foil around each pair. There's F/FTP which combines both. However, would it be beneficial to foil each individual wire?

I assume the answer is no, as this type of twisted pair cabling barely exists if at all, but I'm curious. Whether the answer is yes or no, why is it that way?



Micro-combs utilized to achieve 44.2 Tb/s over a 75km single mode fiber link.



TLS Certificate received is different than what was sent

Hello folks,

I have a PCAP taken at the client (host-based capture) and one taken at the server side at a datacenter. I am not sure exactly where the capture point is at the DC.

The TLS certificate leaving the client is signed on the day of the PCAP, but the certificate seen on the server side is completely different (with a way wacky date, years off). It's riding the same IP packet (sequence # is the same). This is causing problems for our client application.

What could be causing this to happen? Some kind of mis-configured TLS proxy of some sort is what I am thinking... but what specifically?



Can't get new Fiber static IP to work [Edgerouter ER8]

So, we recently had fiber installed and with it came a new static IP address. So I unplugged from our previous modem and plugged into the demarcation panel. Of course, there is no internet.

This is the new info they gave me:

IP: 70.XXX.XXX.0/29
Gateway: 230.1
Subnetmask: 255.255.255.248

Currently, our config looks like this:
https://i.imgur.com/KJh6a5Z.png

So I tried changing the IP in the GUI to 70.XXX.XXX.2/29
(.2 because it said cannot assign network address as IP address)

But I still have no internet. Any ideas on what to do? The subnet mask likely changed as the old IP was /28 and .240 ending.

I'm a lost system admin, any help would be greatly appreciated!



I am a university student offering to create software for free as part of my degree.

Reaching out to mid to large size ecommerce businesses and agencies. What is the biggest problem you are currently facing? I am aiming to solve that, for free. I'm a computer engineering student with experience in ecommerce, currently looking for a project for my final year. It is a thin window in my life and a golden opportunity for you to have multiple months of development work to create a bespoke software tool totally for free.

The proposition is win win. Everything I’m offering will not cost you a penny/cent as I will benefit in another way which will be explained shortly.

How you benefit:

You could have a nagging issue with your business (or your clients) that needs a software solution. Or you may see a way to increase profits in your business but don’t have the time or resource to create a software tool that would allow this.

Perhaps you manage many SKUs and want to track changes in PPC performance as a result of modifying elements of your product listing. Perhaps you have stock prediction issues. There are hundreds of ways to increase margin; there must be times where you think "if only I could…" / "if only I had a tool that…".

I am offering to create a software tool for you for free as part of my university degree. As a brand this can be directly implemented in your business or as an agency this can be white labelled at a big discount.

There are always holes needing plugs in business, usually it costs a lot for bespoke plugs to be made.

This can be a complex tool, the more complex the better my grade will be.

How I benefit:

I will have ownership of the proprietary software tool (of course your copy is yours and free for you/ or at least highly discounted if you are any agency whereby your clients pay full price to you), and I will sell this tool to other businesses in similar situations to yourself.

For any software tool I need data, the data you provide (to solve your challenge/increase your margins) would allow me to make my tool. I’m quite happy to sign any kind of privacy agreement.

I get a great result in my degree and finish university with a good side income from my software tool.

Credentials

Computer engineering student with experience in ecommerce, committed to completing my degree to a high standard.

My project co-ordinator is a university professor with 30 years’ experience in software engineering; she specialises in machine learning / AI. I can provide all details and arrange a 2- or 3-way call with you, me and her, and give any other details required.

My business partner/ non-academic mentor has 12 years software developing experience, and has been project lead on mid-size projects in the past.



Setting up a second router behind my ISP's router.

I currently have my ISP's router

10.10.10.1 /24

I have a second router I need to install behind it. Its LAN is 10.20.20.1/24

I tried setting it up for DHCP (WAN Side) and it doesn't get connectivity.

I tried manually setting up w/ a static IP

GW: 10.10.10.1

IP: 10.10.10.2 (I am 100% sure no other host is using .2)

Subnet: 255.255.255.0

This doesn't work. Devices behind the 2nd router cannot access the internet.

But if I set a laptop with that IP info it will work just fine. Can anyone tell me what I'm doing wrong? Thanks in advance.



Looking for help with BiDi MMF SFPs, media converters or other alternatives to replacing MMF with SMF

Two of our student dorms are connected to the campus with a radio link. On the campus side we operate the transmitter, power supply and a ~20 m 2-core MMF connecting it to a patch panel in a utility room on the top floor. There our 2 cores are connected to a university-operated MMF running some 20-30 m to the building's core-switch.

The radio link should be able to transmit 2 to 2.5 Gbit/s over this distance; it only has 1 SFP port though, and the manufacturer told us that we'd need a BiDi duplex SFP transceiver for SMF to be able to transmit more than 1 Gbit/s. Due to some issues with 3rd party network equipment in the past, we're not allowed to operate a switch on campus; a media converter would be ok though.

Our 20 m MMF has to be replaced soon and an estimate for that came at ~1000 €. To replace both our and the university's MMF with SMF, we'd have to pass an additional ~6 floors/ceilings. The dorms are operated by a non-profit organization and I'm quite sure they won't see the benefit of paying triple the required amount to fix our cable (my estimate, still missing some specs to get an estimate) for bandwidth we currently couldn't even use as our bandwidth is limited to 1 Gbit/s by the university's firewall until it gets upgraded.

To save some money - or have an alternative if the board rejects the extended replacement - we could

  1. place a media converter in between to convert from 2x 1 Gbit/s BiDi SMF to 1x 10 Gbit/s MMF or
  2. use a 2x 1 Gbit/s BiDi MMF SFP transceiver, if those exist.

Media converters with 2 SFP-Ports that can switch between different bandwidths are hard to find and the ones I found cost beyond 1500 €. Did I just not look in the right places or are these devices that expensive?

On another thread u/Gesha24 linked a BiDi-MMF transceiver, which is only simplex unfortunately. Are there also Duplex variants of these? On the net I found this 2.5 Gbit/s transceiver. Is that what I'm looking for or is it just 2 links with 1.25 Gbit/s each only transmitting and not receiving any data?

I'm a little in over my head here and would really appreciate any recommendations you have or alternatives you see :)

I know these aren't the dimensions usually discussed on this subreddit, but I hope it's more in this direction than home networking. All in all, 250 residents would be really grateful - I assume - if they weren't stuck on 1 Gbit/s for at least the next 5 years.



Cisco VRF licensing A9K

Dear Community, I'm reaching out because I'm having trouble understanding Cisco's licensing model for VRF applications.

This concerns an ASR 9006 with the following config:

- 2x power + fan
- 2x A9K-RSP440-TR
- 1x A9K-24X10GE-TR
- 1x A9K-2X100GE-TR

I'm looking for the license we need on this to run VRF: https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-1/sysman/configuration/guide/b-sysman-cg51xasr9k/b-sysman-cg51xasr9k_chapter_0110.html

My questions are: I see a couple of VRF licenses online, but I understand that these licenses are for separate cards here, so do they need to be on the RSP or on the 10G or 100G linecards? Or am I just wrong?

Examples:

- A9K-24P10G-IVRF - Infra. VRF lic. for up to 8 VRF instances per 24-port 10G/1G
- A9K-IVRF-LIC - Infrastructure VRF LC License. Support up to 8 VRFs
- A9K-24P10G-AIP-TR - Adv IP License for full scale VRFs for 24-port 10G/1G TR LC
- A9K-2X100G-AIP-TR - L3 VPN License for 2X100GE Linecard Transport Optimized

Any answers, feedback or even advice on where to find a concrete response are more than welcome!

Thanks in advance,



COVID-19 Curveball: Secure Network Setup

I have a puzzle I need a little advice on.

Because of COVID-19, I find myself needing to support a unique setup for several of our employees. We work on secure material at times and we need a way to sandbox these employees. For a basic idea, please see this network diagram

The puzzle: we need to set up a computer (or multiple computers) and multiple wifi devices on a network we don't control (the employee's own network). We need to make sure we don't touch any configuration on the employee's side. Because we need to secure and manage the wifi, we need to deploy our own wifi router to the employee. The employee has their own network--branching off from there, we need to set up a secure network so the computer(s) and wifi devices we deploy to them cannot reach out to the Internet except for a few notable exceptions. Not such a big deal at this point. We can MAC whitelist devices connected to our wifi router/firewall and we can block outbound traffic on our router/firewall.

Enter the difficulty: we need to talk to the computer(s) we deploy on the secured network. We need to send files to/from the computer(s) we deploy. We may also need to remotely drive the computer (Windows 10 Pro). Ideally, we could set up a VPN server on our router/firewall that we could connect to and manage the devices in our secured network. With double-NATing and the upstream employee router/firewall in the way, connecting to our internal devices is easier said than done.

One thing we could do is set up remote control software (Team Viewer, LogMeIn, RemotePC, etc.) on one or all of the computers we deploy. This should allow us to gain control of the machines. And we could block all ports on our firewall except for what's needed for the remote control. Seems doable, but we'd prefer the connection to be always on, and we also need to be able to exchange files to/from the computer(s).

I'm wondering if there are any other solutions I'm not thinking of or unaware of. Any clever new VPN-type applications that would allow us to connect into our internal network?



How can I create a site in which you can access a proxy server?

How would I be able to use a proxy server through a website? For example, say I have a website and a proxy server. How can I embed the proxy server into the website?

example

Any suggestions are welcome!



Any way to automate changing the default linux shell password for Dell OS10 switches?

I am a newbie at using python/netmiko. I have a new bunch of Dell OS10 switches and was able to make a lot of changes thru netmiko. However, I am stuck on automating the password change for the “linuxadmin” user. How do I go about changing the Linux shell password from the default linuxadmin? I plan to keep the shell password the same for all switches.

Thanks in advance



TACACS authentication issue in lab setting

I've had TACACS working in my lab before but recently I started over in order to work on some proof of concept stuff to eventually use at work. I've just about used up my google-fu skills and I'm still coming up empty. I'll provide as much detail here as I can.

High level, I'm running the free version of tacacs.net on Windows Server 2016. I can confirm reachability to the server from my test devices (via ping and also telnet to port 49). I can see via packet capture that the server is receiving TACACS packets, but from the debug output on a switch I see:

TAC+: 10.10.2.26 (62167124) AUTHEN/START/LOGIN/ASCII queued
No authoritative response from any server.

Here is the relevant config from the switch (switch IP is 10.10.1.2 and the server is at 10.10.2.26):

aaa new-model
aaa authentication login default local
aaa authentication login tacauthen group tacacs+ local
aaa authorization console
aaa authorization exec default local
aaa authorization exec tacauthor group tacacs+ local
aaa session-id common
!
!
tacacs-server host 10.10.2.26 key cisco
!
!
line vty 0 4
 exec-timeout 0 0
 authorization exec tacauthor
 logging synchronous
 login authentication tacauthen
 transport input all
line vty 5 14
 exec-timeout 0 0
 authorization exec tacauthor
 logging synchronous
 login authentication tacauthen
 transport input all
line vty 15
 exec-timeout 0 0
 authorization exec tacauthor
 logging synchronous
 login authentication tacauthen
 transport input all

Here is the debug output resulting from the command test aaa group tacacs+ ciscouser ciscopass legacy:

https://pastebin.com/piZnGa8g

The tacacs.net config is default except for the ciscouser/ciscopass user I set up. The clients.xml file is totally default and should be allowing all 1918 addresses as clients.

I have a packet capture from the server during the test command above but I'm not sure of the best way to share a pcapng file online. If someone can help there I'd be happy to share that as well.

There is a firewall in-between the client and server but it's wide open so I don't think that's the issue. Can anybody help point me in the right direction?



Ansible URI playbooks using Cisco.com APIs



Making a 4g proxy at home.

I'm trying to make a 4g network proxy at home. I want 100s of IPs available at the same time. I have 3 rooted Android phones. Could you lads instruct me a bit on how I go about it? Do I need 100s of devices with 100s of SIMs to make 100s of IPs available at the same time, and what happens with the MAC of the server? As I need every IP to be unique to the device using it?

Also, if that is not possible, can I connect multiple wifis to multiple VMs with one USB adapter?

Sorry if my English is bad, it's my 3rd language.



How to get free Internet?

So my internet provider gives me 100 GB of limited internet but unlimited YouTube. Is there any way I can drive all the traffic through YouTube so that I get unlimited internet?



If a modem is connected to a router by Ethernet and that router's Ethernet ports are 10/100Mbps, is the maximum speed of that router's WiFi going to be 100Mbps?

To be more precise, a friend has his eye on a 3 node mesh Wi-Fi network. The Ethernet ports on the bottom of what will be his primary node are only 10/100Mbps. However, his ISP is feeding his modem a 200Mbps line, and his modem has 10/100/1000 Ethernet ports.

Will his WiFi speeds be limited to 100Mbps ?



What are the limiting factors for fast networking speeds?

I read something a while ago about the US having, I think it was, coax cables for our networking, whereas new cities are getting fiber optic, so I was wondering if anyone had any articles about whether the government has any plans for replacing the lines. Thank you!



Friday, May 22, 2020

HG8245H Router not Hard-Resetting

I got this router from a friend who had it stored away, and I need to test some servers locally; the router needs to be set as a repeater, so DHCP must be deactivated.

Hard-resets don't work, RESET button doesn't work and unplugging it doesn't work either. Account/Password combinations from the internet don't work either. This particular router gives me a 192.168.0.X network by default.



Is there any reason to buy a RJ45 > DB9 console cable and separate USB adapter as opposed to a RJ45 > USB cable?

I just got my first enterprise switch and I need a console cable. I have the option to buy a console cable with DB9 connector and USB adapter combo like this, or I can get one which is RJ45 > USB directly like this one. I can't find an answer to this question anywhere. My proclivity is to just get the straight USB model, but then I began to wonder if I would ever have a need for the serial connector.

Which should I get? Thanks!



SD-WAN vs Site to Site VPNs

I'm looking into a couple of options to get SD-WAN set up at my company to allow more remote working.

I currently use a Unifi USG3 at home and know it has site to site VPN capabilities. How does this differ from SD WAN? Is this something Unifi can support?

Background:

We have 4 locations where people are currently based. As things stand, data sharing is quite archaic. If we want to share files we email them across, no shared locations / network drives.

We are looking to maintain these 4 locations, however also want to allow people the opportunity to work from home as and when they wish, yet still have access to everything as if they are in the office.

We also have sales reps out on the road who could do with access to centrally stored information, as well as our CRM platform.

We can do most of this over Office 365, however things like shared storage for non Microsoft items would be nice, as well as a secure connection for our CRM and payment processing platform.

Thanks



cable tester says line is broken but I still get gigabit

Hey all,

I've been fixing the network of a certain location. It was a mess. A lot of wires had to be repatched and a patch list had to be made. While doing this I've been using a cheap wire tester to check all the wires and determine which patch goes where.

There were a lot of wires where my tester claims that at least one, sometimes multiple connections failed on the Cat5e cables. The numbers were mostly 2 and 6, but 3 and 4 were also up there. Despite the tester's results, I could still get gigabit (measured) over those lines.

How is this possible? As I understand 1,2,3 and 6 are crucial for a connection. I'm guessing the tester is fucking up, but how come? It's been good to me for at least a year now.

Looking forward to your ideas, because it's been messing with me for a couple of days now.



Cogent Issues in Midwest

Master Case ID hd11147773

Pour one out for them



IPv4 to IPv6 6to4 Address Converter

Had to convert some IPv4 addresses to 6to4 addresses recently, so wrote a simple script. Hope it might be of use to someone else!

https://github.com/JamieEC/6to4_converter
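The 6to4 mapping itself, as an added example in Python; this is not the linked script. RFC 3056 places the site's 32-bit public IPv4 address directly after the 2002::/16 prefix to form a /48, so the conversion is a bit shift in each direction. The sample addresses are constructed from documentation ranges, and the list of address space rejected as never usable for 6to4 is this example's own assumption.

```python
"""IPv4 <-> 6to4 conversion (RFC 3056), added example, not the linked script.

A 6to4 site prefix is 2002::/16 followed by the site's public IPv4 address
in bits 16..47, giving a /48 the site subnets with the next 16 bits.
Sample addresses below are constructed (RFC 5737 documentation ranges).
"""
import ipaddress

# RFC 3056 requires a globally unique unicast IPv4 address. This reject list
# (private, loopback, link-local, multicast, reserved) is an assumption of
# this example; it deliberately leaves documentation ranges usable for demos.
_NOT_USABLE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def ipv4_to_6to4_prefix(ipv4):
    """Return the 2002:xxxx:xxxx::/48 prefix derived from a public IPv4 address."""
    addr = ipaddress.IPv4Address(ipv4)
    if any(addr in net for net in _NOT_USABLE):
        raise ValueError(f"{ipv4} cannot be embedded in a 6to4 prefix")
    # 0x2002 in the top 16 bits, the IPv4 value in bits 16..47, the rest zero.
    v6_int = (0x2002 << 112) | (int(addr) << 80)
    return str(ipaddress.IPv6Network((v6_int, 48)))


def ipv4_to_6to4_host(ipv4, subnet_id=0, interface_id=1):
    """A concrete host address: /48 prefix + 16-bit subnet id + 64-bit IID."""
    if not 0 <= subnet_id < 2 ** 16 or not 0 <= interface_id < 2 ** 64:
        raise ValueError("subnet id must fit 16 bits, interface id 64 bits")
    prefix = ipaddress.IPv6Network(ipv4_to_6to4_prefix(ipv4))
    v6_int = int(prefix.network_address) | (subnet_id << 64) | interface_id
    return str(ipaddress.IPv6Address(v6_int))


def sixtofour_to_ipv4(ipv6):
    """Recover the embedded IPv4 address, or None if this is not a 2002::/16 address.

    Useful when a 6to4 address shows up in logs and you want to know which
    IPv4 endpoint it corresponds to.
    """
    addr = ipaddress.IPv6Address(ipv6)
    if (int(addr) >> 112) != 0x2002:
        return None
    return str(ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF))


def convert_many(ipv4_list):
    """Batch helper: {ipv4: prefix}; unusable inputs map to an 'error: ...' string."""
    out = {}
    for ip in ipv4_list:
        try:
            out[ip] = ipv4_to_6to4_prefix(ip)
        except ValueError as exc:
            out[ip] = f"error: {exc}"
    return out
```

The standard library's `ipaddress.IPv6Address.sixtofour` property performs the same reverse extraction and can be used to cross-check `sixtofour_to_ipv4`.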



Your connection to this site is not secure??? How can I fix this error?

https://chrome.google.com/webstore/category/extensions

This site can’t provide a secure connection

chrome.google.com sent an invalid response.

ERR_SSL_PROTOCOL_ERROR

What is going on here??? Any suggestions on how to resolve?

Using Ubuntu 20.04 &

Brave Version 1.9.72 Chromium

Not sure if this is a networking issue; cannot find a solution from any of the other OS or browser communities though.



Determining required buffer sizes + a sanity check

A customer of mine wants to install border devices in Equinix colocations to host 10gb wavelengths back to their campus and 10gb cross-connects to their cloud providers, who they will peer BGP with. I don't know what the exact traffic flows will look like, but I do know that there will be DC-to-CSP flows and CSP1-to-CSP2 flows.

They're a Cisco shop and typically I would recommend going with ASR 1k routers for this purpose; however, the customer plans to use Nexus 3k switches instead. I don't know which ones they plan on using (they aren't procuring the equipment through us), but 3524-XLs seem like they'd make the most sense in this case. I have some reservations about this, so I'd like to get your guys' opinion on the conclusions I'm making.

  1. The nexus switches don't [appear to?] have any traffic shaping capabilities, so instead of building lower-rate virtual circuits over a shared 10gb cloud exchange connection, they're going to have to order physical cross-connects to each CSP. If not, they are going to have to oversubscribe their cloud exchange interface massively (4x 10gb VCs over a single 10GigE interface). This, in turn, may cause Equinix to indiscriminately drop packets during periods of congestion.
  2. The nexus switches have less than 10% of the buffering capabilities of an ASR 1001-X. So when traffic comes in from their 10gb wavelength circuit and goes out on a GigE cross-connect, packets could be dropped due to insufficient buffering. Therefore, all their physical cross-connects would need to be 10gb.

What do you guys think? Is my thought process sound? Am I being paranoid?



Issues with IP Fragmentation when using EAP-TLS in RADIUS

We enforce 802.1x on the user access ports of our work from home devices (mix of Aruba RAP/IAP). The certificates/certificate chains EAP-TLS needs for workstation authentication are being stuffed whole inside single RADIUS Access-Request packets, albeit in 255-byte EAP fragments. Is there anything within EAP that allows these EAP fragments to be split across multiple RADIUS packets? Are there tweaks within EAP that result in only the host cert being passed rather than an entire chain?



C9500-40X-A SFP question?

Anyone using these and lining them out with bona fide Cisco SFPs? I ask because I have a quote for 2 x C9500-40X-As w/ 78 x GLC-TE and 20 x SFP-10G-LR and it comes out to $60K in SFPs alone. I thought maybe I would buy a handful of each and get the rest from fs.com or some other 3rd party.

Also looking for feedback from people using these as their cores?



VLAN Trouble with pfSense

Hello everyone,

I have a question in regards to pfSense and an employee's computer here in the office. A former employee who was a real certified network engineer wired and set up our network here, so I'm coming into this not knowing exactly the wiring of this building.

For some reason an employee's computer has decided that it wants to sit on our public WiFi network instead of the in-house LAN network. The computer is connected via LAN and it's not connected to any WiFi. It's the only computer in the entire building that seems to have this issue. When I manually set the IP address in the Network Settings of Windows, it no longer has internet, even with a static DNS of 1.1.1.1 set. Our company is trying to stay PCI compliant and I'd assume a work computer on the guest network is not a good thing haha.

If anyone could help me resolve this, that would be amazing!!



Multiple L3 interfaces to another switch, need to force EIGRP to advertise out a specific interface

Hey all,

Hoping this is doable, but we will see. On my voice router, I have 3 sub-interfaces. One is for the inside/LAN and let's just say the IP is 10.0.0.1/24, the other is for SIP provider #1 and let's just say the IP is 10.0.2.1/24, and the other is for SIP provider #3 and we can call the IP 10.0.3.1/24. The problem I have is the inside interface says IP NAT INSIDE because for SIP provider #1, we have to translate our traffic (so it says IP NAT OUTSIDE on that sub-interface). We do not do this for SIP provider #2, but the traffic from the LAN comes in on the interface that has IP NAT INSIDE on it, so my connectivity fails. I am thinking the only way around this is to make a 4th sub-interface that points towards the LAN, 10.0.4.1/24, but I need to advertise 10.0.2.1/24 out that interface and not out the 10.0.0.1/24 interface. Can we do this? Or is there a better way?



Can't connect to Cisco AnyConnect VPN while working from home

Hi there,

Sorry if this is off-topic or the incorrect sub for this, but I'm trying to connect to Cisco's AnyConnect VPN on a corporate PC at home, and I can't get it to work. As soon as I click 'Connect', the error "The VPN connection failed due to unsuccessful domain name resolution" appears every time, and at the bottom it says 'Limited Access: DNS failure'. But internet access on all my other devices (on wi-fi) is normal. The PC I'm having this issue with is on Ethernet. What could I do to fix this?

Some info that might be useful:

- I have 300 Mbps internet with an Arris TG1692A router/modem

- The Ethernet port LED is green/orange on the modem and red/orange on the corporate PC. But when I connect the cable to my own PC, everything works properly.

- The Cisco VPN prompt is the first thing that shows on screen, therefore I have no (AFAIK) access to Control Panel, network settings, tunnel settings, server settings etc.

- I'm using my ISP's DNS.

- IT support says 'bruh turn your router on and off'. Which I had, like, 10 times or so.

I'm such a layman on this subject. Could you guys help me?

Thanks in Advance!



What type of Autoencoder should be used for Recommendation(Collaborative filtering) of Cellular network data?

Hi folks

I'm new to machine learning and want to build an autoencoder over a recommendation system for cellular network data, to compare the results with and without the autoencoder. I'm confused about where I should start and what Python libraries have built-in functionality for such a task; most examples I found are for image and movie/product recommendation. Any help would be greatly appreciated, thanks!



Clos fabric argument

I'm in an argument with senior engineers at my work about how they want to build the new network design. I've only been at this place for 3 weeks and they don't seem to trust me :(

The goal is to build a new network for an internal ESXi setup. It is 33 racks and I suggest building a standard 3-layer Clos, with two "zones" of 16 and 17 racks each.

However they do not want to use "superspine" and would prefer to interconnect the zone spines.

I attach a simple diagram showing what they want.

https://imgur.com/a/sUhDi1p

To me this is not the way to build a Clos; I'd prefer to do a superspine layer for interconnecting between zones. Please let me know if their design is OK or if I should push harder. There is potential for more racks to be added in the future, so growth is hard in their design.



VPN throughput

So I am curious what kind of throughput people get while on their VPN. We have some real pain in the ass user who is pushing a complaint up the chain about how he has a 300Mbps home connection but ONLY 50Mbps through VPN. He's on the west coast and our DC is in Texas. Everything works fine; he just wants 300Mbps through VPN. We use AnyConnect if it matters. We checked to make sure nothing was saturated in the datacenter, and MTU settings are fine. I think he's just being unreasonable, but now management wants an answer why it isn't better. Any thoughts?



Cabling interference question with CAT6 and Teck #3 AWG

Hello,

I need to lay both a CAT6 and Teck #3 (3P + gr) between 2 buildings 35m apart. I intend to dig an 18" trench (local specs...) but am not sure how to house my cables in order to prevent any interference.

Even if I have to buy 2 pvc pipes to separate the cables, it is still less painful than digging 2 trenches.

  • Should I even be considering this?
  • What would the 'interference' be like? ...a drop in speed? not work at all sometimes?
  • Would STP help instead of UTP?
  • How should this be grounded properly?

Any alternate advice?

Thanks



How do you explain upstream carrier issues to management?

https://www.news4jax.com/news/local/2020/05/21/att-blames-internet-issues-on-damaged-cable-in-jacksonville/

We are located in the NYC area, and are a Verizon customer.

Back story: Wednesday night we started getting alerts that our sites (they sit behind Akamai Site Shield) were failing to be polled from our main DataCenter (pretty much any other website on the internet was working). After a few hours of troubleshooting internally, we got our System Operation and Monitoring team to set up NetPath monitoring. Doing a NetPath to the Akamai Edge Key our DNS was resolving to, we noticed traffic dying out in Miami AT&T.

Looking at Verizon's BGP looking glass in New York for our Akamai end point, the ASN path was Verizon -> AT&T -> Akamai EU -> Akamai US. On our Verizon edge router, I cleared BGP neighbors and shut down our interface; all traffic failed over to our secondary circuit and everything started reporting as healthy. Looking at NetPath, traffic was now going Sungard -> Level3 -> Akamai EU -> Akamai US. I pretty much told everyone on the MIR (Manager Incident Response) call we lucked out, that our backup internet connection had a BGP peering other than AT&T; if it didn't, the failover would have fixed nothing.

They then asked why polling was working out of our campus DC. I explained we are running ECMP with Verizon and LightTower with IP SRC/DST hashing. The SolarWinds poller running NetPath in our campus happened to be taking LightTower, so it was reporting as up. Once everything reported as up in our main DataCenter, I was asked which of our customers were affected. My response was it depends. For me as a Comcast customer, looking at Comcast's BGP looking glass they have a direct peering with Akamai, so I would have been fine as a customer. A customer with Verizon FiOS would have taken the same path through the bad AT&T segment (if their DNS resolved to the same Akamai Edge Key that ours was).

I was then asked how we make this not occur again. I said we could get more diverse carriers, but without knowing all upstream BGP peerings for every destination on the internet it's a roll of the dice. I just replied we could buy every carrier located in the US :-D

Wondering how some of you guys would handle this.



[WINDOWS] question regarding "Last Update" value in output from 'netsh' command when listing neighbor cache entries (MAC addresses)

Unsure if this is the proper subreddit to ask in, but here goes...

I'm helping a coworker with a small inventory script that lists, sorts, and searches the entry list when issuing commands netsh interface ipv4 show neighbor level=verbose and netsh interface ipv6 show neighbor level=verbose

I am using level=verbose as it makes it slightly simpler to parse the output.

Example entry in the output:

Neighbor 192.168.1.250
----------------------------------------------
Datalink Address : 34-62-88-dc-36-c3
State : Reachable
Last Update : 0

My question is: what does the "Last Update" value denote? (It does not show in the regular non-verbose table output.)

After spending some time googling this I am not really getting anywhere. The verbose output mode on this command is not documented anywhere it seems. My coworker does not know, and said it's not necessary to include it in the script's processing. But I am still curious. I am assuming it's the age of the entry - or when the State was last changed, but I'd still like to know for sure.


Another curious thing is that when running the aforementioned commands in a cmd shell, "Last Update" will always show value "0" on all entries in the output (as shown above). Always.

But... if I run the command through a parent process (i.e. AutoIt), it will show an integer i.e. "55229928". This value is always different whenever the command is run, (but it is the same on all entries in the list).

Example when executed through AutoIt:

../..
Neighbor 192.168.1.250
----------------------------------------------
Datalink Address : 34-62-88-dc-36-c3
State : Reachable
Last Update : 7767808

Neighbor 192.168.1.251
----------------------------------------------
Datalink Address : 34-62-88-dc-20-22
State : Reachable
Last Update : 7767808
../..

Any ideas?
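A small parser for that verbose output, as an added example that is not code from the post. The transcript embedded below is constructed in the shape the post shows (two IPv4 entries plus one IPv6 entry), the "Last Update" field is carried through as an opaque integer because the post does not establish what it means, and run_netsh() is only a thin wrapper for collecting live output on a Windows host:

```python
"""Parse `netsh interface ipv4|ipv6 show neighbor level=verbose` output.

Added example, not from the original post. SAMPLE_OUTPUT is a constructed
transcript modelled on the post's excerpt; "Last Update" is kept as an
opaque integer (its meaning is not established by the post)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
Neighbor 192.168.1.250
----------------------------------------------
Datalink Address : 34-62-88-dc-36-c3
State : Reachable
Last Update : 7767808

Neighbor 192.168.1.251
----------------------------------------------
Datalink Address : 34-62-88-dc-20-22
State : Reachable
Last Update : 7767808

Neighbor fe80::1
----------------------------------------------
Datalink Address : 34-62-88-dc-36-c3
State : Permanent
Last Update : 0
"""


@dataclass
class Neighbor:
    address: str          # IPv4 or IPv6 address as printed by netsh
    mac: Optional[str]    # normalised to lower-case aa-bb-cc-dd-ee-ff, or None
    state: str            # Reachable, Stale, Permanent, ...
    last_update: int      # opaque integer from the verbose output


_NEIGHBOR_RE = re.compile(r"^Neighbor\s+(\S+)\s*$")
_FIELD_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*?)\s*$")
_MAC_RE = re.compile(r"([0-9a-f]{2}-){5}[0-9a-f]{2}", re.I)


def _finish(fields: Dict[str, str]) -> Neighbor:
    mac = fields.get("datalink address", "")
    return Neighbor(
        address=fields["address"],
        mac=mac.lower() if _MAC_RE.fullmatch(mac) else None,
        state=fields.get("state", ""),
        last_update=int(fields.get("last update") or 0),
    )


def parse_neighbors(text: str) -> List[Neighbor]:
    """Walk the output line by line; a 'Neighbor <addr>' line opens a record,
    'Key : Value' lines fill it, separator and blank lines are skipped."""
    records: List[Neighbor] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _NEIGHBOR_RE.match(line)
        if m:
            if current:
                records.append(_finish(current))
            current = {"address": m.group(1)}
            continue
        if current is None or not line or set(line) == {"-"}:
            continue
        f = _FIELD_RE.match(line)
        if f:
            current[f.group(1).strip().lower()] = f.group(2)
    if current:
        records.append(_finish(current))
    return records


def find_by_mac(neighbors: List[Neighbor], mac: str) -> List[Neighbor]:
    """Inventory lookup: accept aa:bb:... or aa-bb-... in any case."""
    wanted = mac.lower().replace(":", "-")
    return [n for n in neighbors if n.mac == wanted]


def run_netsh(family: str = "ipv4") -> str:
    """Collect live output on Windows (not exercised offline)."""
    import subprocess
    cmd = ["netsh", "interface", family, "show", "neighbor", "level=verbose"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for n in parse_neighbors(SAMPLE_OUTPUT):
        print(n)
```

On a live box, replace SAMPLE_OUTPUT with run_netsh("ipv4") + run_netsh("ipv6"); entries whose Datalink Address is not a MAC (for example multicast or unreachable entries) come back with mac=None rather than breaking the parse.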



vrrp on debian using keepalived

I have two debian hosts in the role of routers, running VRRP for a public /29 IPv4 and /64 IPv6 subnet. They are running keepalived to provide vrrp. R1 is master, R2 is backup, it's working.

A test host in this subnet is using the keepalived virtual_ipaddress/VIP as its gateway for both v4 and v6.

As expected, the first hop in a traceroute/mtr from the test host to the internet shows the current vrrp MASTER host, but the icmp replies are generated from the physical interface address and not the virtual_ip / floating VIP.

Is there a config option or a sysctl in debian I can tweak to force the routers to reply to icmp with the VIP instead of the physical interface address?

Googling I came across the "use_vmac" option in keepalived, but I don't fully understand what this does and if it's what I'm after.



Is it just me or has INE's pricing gone up dramatically?

I previously had the all access pass for $1,699.00/2 years, I just went to renew and noticed that it's now @ $1299/1 year. This is starting to get way too expensive. I've been out of the loop for the past 2 years on their pricing, are they still having decent sales?

I'm actually somewhat salty it seems their marketing/sales team have decided that it's time to clawback all access. It would have been nice to be offered as someone who was already an "All access" to keep going with that, now this is just painful and expensive.

Does anyone have any recommendations for other upcoming providers or is INE still the bees knees?



Aruba CLI speed-test command

Hi all - I'm just testing out an Aruba 515, and I'm curious if anyone else can get the Aruba CLI "speed-test" (iperf3 client) command to exceed ~550Mb/s (just testing wired interface, no wireless complication to it).

I've tried different cables, different ports, negotiating at 1g instead of 2.5g. No errors at all on ports and no improvement from swapping stuff anyway. The iperf server on the other side of the test is connected to the switch at 10g and all other devices get near max throughput. I'm starting to just think the Aruba CLI command just can't generate more traffic, but can't find anything on the web to confirm or deny. Appreciate anyone who can sanity check the command on a 515.

Thanks in advance.



Thursday, May 21, 2020

Windows 7 limited to 10 connection or 20 if there's Windows XP on the LAN?

My workplace currently has a bunch of PCs connected on a LAN. Those PCs use old OSes because they're never connected to the net and they run specific accounting software. A few of the PCs are Windows 7 and the others are Windows XP.

I read that Windows 7 allows up to 20 connections to a single PC through the LAN while XP allows only 10. My question is, if a mix of Windows 7 and XP PCs tries to connect to a Windows 7 "server", is the number of connections limited to 20 or 10?

Also, is it possible to view who is connected or how many connections there are to the server?



Site can't be reached (Facebook, Instagram, Messenger)

So this problem I had started after I updated my windows 10 on my laptop. I only had it updated after 2 months, because I had a problem with trying to update it. So, after that I tried to load up fb, insta, and messenger, and for some reason it will say "Site can't be reached." so I tried it on microsoft edge, and it said the same thing. Weirdly enough, if I refresh those websites a lot it will load them, but facebook seems to be more difficult to load.

I've tried everything on the internet to fix this:
- flushing DNS
- cleaning and restarting Chrome
- running the troubleshooter (nothing happens)
- restarting the DNS Client

tl;dr: Facebook, Instagram, and Messenger won't load on all browsers. (But will load after constant refreshing)



vLAN and Segmentation Question

I have a small business that I have been tasked with helping. The setup is a Comcast Business Gateway and an SG500X-24 switch in Layer 3 mode. The office is a building with individual suites in it that will have internet provided to them as part of their lease. There are 8 suites in the building and each will need their own subnet and none of the offices should be able to access anything but their own traffic and the internet.

So that is the setup.

Currently I have configured the SG500X switch and tested and can achieve the following:

-The switch (10.1.10.10) can ping all of the gateways for each of the vlans (192.168.11.1-192.168.17.1)

-The vlans can all ping the primary switch IP

-None of the VLANs can ping any of the other VLANs (using ACLs)

-The switch (10.1.10.10) can ping the Comcast router (10.1.10.1) as well as get to the internet (8.8.8.8)

-Any computer that plugs into the correct ports on the switch is issued a DHCP address that corresponds to the vlan that is assigned to that port.

-Computers with a DHCP address can ping their gateway IP as well as the switch IP but can not ping the gateway for any vlan other than the one they are currently on

The problem comes when trying to get any of the VLANs to talk to the router. They can't get past the switch. I have set up static routes (192.168.11.0 255.255.255.0 10.1.10.1 and so on for each VLAN) in the Comcast router but still am unable to get any communication between the router and the VLANs.

Router: 10.1.10.1

Switch: 10.1.10.10

VLAN 11-17: 192.168.XX.0/24

I know that the initial response will be 'ditch the Comcast and get a real router' but unfortunately funds are basically non-existent and I have to work with what I have. If I have missed something completely basic please humor me, I am a systems guy that very rarely gets this far into networking but I was handed this and told to make it work. Any help you guys can provide would be greatly appreciated. If needed I can post a comment with the running config from the SG500.

edit: fixed formatting



Network + exam from home

CompTIA has allowed for online testing and I wanted to share my experience with it.

Network+ online testing video



Do you feel the new CCNP Enterprise is relevant to today's networks?

I'm thinking about getting a CCNP Enterprise (ENCOR and ENAUTO), because I want to learn the base knowledge for working on modern enterprise networks. I know that the old CCNPs went into a lot of detail about older technologies that are not as prevalent in today's networks (there is still some very useful information). I'm curious if anyone has taken the exam or any parts of the exam (ENCOR, AUTO, Route-Switch), and your opinion on how relevant the new material is in today's networks.



Establishing connection for OPC UA through private WAN

I am trying to send data through OPC UA using a gateway eWon FLEXY102 with a special 4G sim that enables me to tap into a private network.

The OPC UA client is on the remote server and the OPC UA server is on the gateway (which doesn't have any ping function towards the server; it's pretty much like a mobile device). Right now I can ping from the remote server to the gateway, but when I use my OPC UA client I can't establish a connection using the IP endpoints.

However, when I connect the gateway to my laptop (ethernet cable), I can establish a connection to the OPC UA client. Which should mean that the LAN connection is alright.

Everything on the gateway is configured to enable opc ua and the default port 4840 is open and let through the firewall.

I should add - there is a NAT at the firewall that changes the IP in the sim to the IP range within the private network and vice versa.

I'm wondering if I have to route LAN connections to WAN ? Or is there something I'm missing ? Newbie here so any help is much appreciated, sorry if it seems that I am missing some info which I'd be glad to supply !!



Looking for a super cool looking WiFi router

Doesn’t have to be anything technologically advanced, just good and cool looking.

For example, I saw one a while back that looked like a DnD dice.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



It took me 2 hours to punch down 5 cat6 in a patch panel

It was my first time. Should I be a lot faster?



VM Network Traffic

Hello all!

I'm not quite sure if this is the correct subreddit for my question but I'll go ahead and give it a shot! Currently my father works on a heavily restricted and monitored surface for his state agency. He has been told that he cannot go on sites like Amazon, Best Buy, etc. on his work device after hours. I currently run a test server in our home for the different state agency I work at. 😄 On my test environment I currently host 2 VM workstations. My question is, he is able to remote into my VM on the network while off his VPN; is network traffic monitored through RDP or just through the host VM? I ask this because I hope his network traffic can't be monitored over RDP because he is just physically grabbing the screen.

Thank you!



Does anyone have any experience setting up a Verizon Wireless USB730L USB modem for failover on a Watchguard T-35W firewall?

My client would like to add failover protection in case his Optimum account goes down. I wanted to know if anyone has any experiences configuring this particular modem on a Watchguard. I know sometimes USB LTE modems can be a pain to get working on the various brands of firewalls.



Using SNMP to Automate Documentation

Currently, all of our documentation is stored in a Google Sheet (our organization uses GSuite). It works well, and I like the fact that it is cloud based. We (mostly) use Aruba for our switches, and I was looking at the CX switches, and one of the features that they have is Google Sheets integration. You can pull data from the switches into your Google Sheet automatically, and that got me thinking. Since a lot of that same data (port, custom port name, tagged and untagged VLANs, etc.) can be pulled over SNMP, has anyone built a tool to pull data from SNMP and feed it into a Google Sheet?

I imagine that this wouldn't be hard to build (even using a tool like Oxidized to pull the configs and parsing the necessary information from that), and using the Google Sheets API. I just don't want to reinvent the wheel.

I've looked at going to NetBox - and it is certainly full featured and a great documenting tool, but I would like to keep it cloud based, and NetBox has way more features than we would use.



Anyone Looking to make some extra money?! Need pre-wired 66 blocks

What I need is pretty basic. I am opening some offices across FL and GA. I would like some pre-wired 66 blocks that I can just mount and hook up to the phone modem and go right into my patch panel. They will need to be done to my custom specifications, which are pretty basic. You can be anywhere in the US.

We will just need to agree on a price and I will pay per 66 block you complete. I need 4 asap and we are opening 6-8 more offices in the next 6-8 months, so hopefully you can continue to make them on an as needed basis.

PM me and we can discuss further.



For you MPLS experts out there, question on route-target import.

Our org is trying to find a way to dynamically accept route-target imports on PEs when exported from another device. The reasoning is as we get more and more PEs that need to be a part of this VPN, we have to go touch a bunch of different devices and it's getting unruly to touch every single one in a single maintenance window. We're running our own MPLS, so the providers for the underlay circuits are not involved.

Besides automation (we're not there yet), is anyone aware of a way to do this on Cisco devices running NXOS and/or IOS-XR?

TIA!



Andrew Tate's courses

I got all of them.

DM me.

  • Chess Mastery
  • Fitness
  • Network Brilliance
  • PHD
  • Body Language
  • How To Be a G
  • Hustlers University
  • Iron Mind
  • Webcam Course
  • God Mode, Elite Playboy
  • Revenge
  • Obsessed
  • TOP 1% Blueprint



How would you troubleshoot these resets/bandwidth issue?

Hey folks,

Looking for a few perspectives to make sure I don't have confirmation bias here. TLDR: Server team has issues replicating SAN across the WAN and gets resets when they attempt to use too much bandwidth (that they have configured within constraints of what physically is available for BW). My question to the community, has anyone had issues with Nexus flowcontrol or brocade flow-control causing resets on traffic?? Otherwise, what would you do to isolate the issue?

More context:

Topology generally looks like this:

SITE 1 SAN - SW - SW - FW - SW - Long Haul RTR - Long Haul RTR - SW - FW - SW - SITE 2 SAN

I've looked at interface speeds, and most are 1gb+ (10,40 etc), however the WAN connection at Site 2's long haul router is a 200m provisioned circuit, which is the lowest available bandwidth on the whole path. Obviously there's more traffic than just this SAN replication happening, but it's a lot of data to try and put into a logical way and reason on the issue.

Generally speaking, configs of sw/FW/rtr's are relatively simple... VLANs, security zones (srx's), BGP (long haul)... no QOS/COS/etc, no shaping/prioritizing.

The tricky part is that no interface is ever at 100% when they receive these resets. Specifically the "bottleneck 200mb" averages between 40-80% utilization... but they still receive resets when they dial the replication throughput up too high. I did notice (newish network to me) that TCP flow control is enabled on all of the switches, which makes me wonder if between that and TCP's native windowing if there will always be a buffer and I'll never see bandwidth hit the 100% but resets will occur due to those protocols trying to control utilization (or would I see a rollercoaster of peaks/resets?).

Thanks for any thoughts.



How do smaller Cisco partners sell product?

Curious to hear how some of these smaller partners are getting sales when the gold partners eat up all of the rebates/discounts. I assume it's because there's a working relationship for some reason or another, and that's how they get the business? Or are there programs from Cisco to help smaller businesses out?



AnyConnect gateway selection based on RTT

Hi all! Was curious if anyone uses AnyConnect OGS or something similar for clients to find the best gateway based on RTT/latency. Right now we round robin between our two datacenters in the States. Of course this could lead to some latency issues with users if say they are in southern states and get a gateway in the northern area. I know a lot of you guys/gals here work on much larger networks. Was just wondering what you do(if anything).



Palo SD-WAN vs Silver Peak and Check Point

We implemented Silver Peak (SP) SD-WAN last year and it has been fantastic. The SP appliances run in front of our Check Point (CP) firewalls (both on-prem, SP is virtual, CP is physical). CP is up for replacement this year so naturally we are looking at PAN as a potential replacement (we only did a 1-year deal with SP as we knew we wanted to re-evaluate with new firewalls). Looking for feedback in these specific areas:

  1. It appears the general consensus is you can't really go wrong with PAN over CP in terms of a next-gen firewalls, but any feedback from recent switchers?
  2. Sounds like PAN's SD-WAN solution is still in its infancy and it will be a bit before CloudGenix is integrated. Is it mature/fully featured enough to go all in with PAN and drop SP?
  3. For those of you who have PAN, but utilize a third party SD-WAN solution, why and how do you have it architected (e.g. PAN inside or at the edge of SD-WAN product, BGP, OSPF) ? I found a discussion here, but not a lot of feedback.


References for Low Voltage and Network Cabling Standards

So thanks to you guys, I recently discovered that my company has been incorrectly installing structured network cable (crimping male ends onto solid core).

Unfortunately my superiors are resistant, with their response when I ask them about it being ‘prove it’

My cursory google search didn’t turn up much. Does anyone have references on the correct standards for low voltage and network cabling and termination?



Meraki SD-WAN Woes

Background:

We have been on Meraki SD-WAN for about two years now; the network team didn't get a lot of say in it. The director and architect that forced it upon us are no longer with the company. We use their most powerful appliances, the MX450s, as one-armed concentrators in our DCs. We utilize traditional Cisco infrastructure inside of our datacenters; Meraki is just for the AutoVPN to our remote sites. We don't split tunnel so all traffic comes back to the DCs. We have about 300 remote sites with dual VPN tunnels back to each DC. Deployments, ease of use, uptime and hardware reliability have been great. Features, code and changes are inconsistent. Important data/reports are not available. They have this error checking feature half implemented that is slowly turning our network into a series of interconnected bricks. There have been frustrations, and we came close to a deal breaker late last year (20% packet loss around 9am on all VPN tunnels almost every day for a few weeks), but we are making progress and using their API to fill in some gaps and automate stuff.

This week:

Well now we have another bug, this one is on our most important head-end. This error is preventing us from making any changes to the device. We have an open ticket going back to 2019 on this and everytime we escalated Meraki said the developers are investigating this. At the time we didn't realize the bug affected the entire device. Well it's almost nine months later and they're still looking at it. Except now I need to make a change to the head-end, and we are holding back multiple projects. If something happened and we NEEDED to execute any type of change on it we couldn't because of their error-checking. Spoiler alert: Meraki doesn't know where the error is coming from either.

I opened a new ticket on this and Meraki immediately closed it without any communication at all. "The developers know about it" says Meraki. If I open a ticket saying I cannot make changes to my production network, responding "we know" and shutting the door is pretty poor service even for Cisco.

I don't know what to say, this problem is well over my head now. I have been trying to defend Meraki and SD-WAN as a whole. I'm still in favor of using SDN tech for the right situations, but Meraki has a long way to go before I could recommend them for SD-WAN.



OSPF default information originate ALWAYS - eliminates default route being received

Hi guys -

I've been through Cisco articles and a fair amount of Google-fu, and still not certain what's caused this issue.

I had 2 switches, A & B. Each were peering with another pair of switches over OSPF.

A peering with C & D; B peering with E & F.

All established fine. All receiving routes fine from their peers.

But A was not receiving a default route (0.0.0.0/0) from C/D;

B was receiving 0/0 from E/F.

I did an examdiff and found that on A I had configured:
default-information originate always

whereas on B I simply had:
default-information originate.

I hadn't come across this always command before and assumed it was a typo on my part (indeed it was). But looking up what it actually does, it simply ensures that, even if the router doesn't have a default-route, it will still advertise one.

The only other command difference was to do with TACACS, so this seemed like I'd found my problem. I swapped to default-information originate and, hey presto, I started receiving 0/0 from C/D.

But I don't understand why this is the case, and Cisco's documentation doesn't help at all.

Can anyone please help me understand the root cause of the issue?

Thanks!



Issue with sonicwall gvpn

Can anyone give me some help with a VPN issue I have been having? It's SonicWall GVPN and what happens is anytime I get disconnected this is what shows up in the logs. I get disconnected probably every 15-20 minutes while working, have tried updating all W10 updates, wireless NIC drivers, wired NIC drivers, changing from wireless/wired connection, etc. Any ideas?

https://imgur.com/A87CT3w



Importing multiple public keys?

We're trying to decide between using RADIUS or RSA keys for securely logging into our switches and routers. We've got both working in concept but one thing I'm wondering is if there is a somewhat easy way to import multiple public keys into the devices. We don't have a huge infrastructure but company-wide we have a few dozen switches and a dozen or so routers and between 5-10 users who would need access to all of them. Needless to say it would be a huge pain to go through the key-string commands and paste each user's key into the config of each device line by line. Since the config would be the same for each we could create a text file and copy/paste. Are there any other less-cumbersome methods for public key distribution that people have used?
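One way to make the "same config for every device" approach less manual, as an added example that is not code from the post: generate the whole pubkey-chain block from the users' OpenSSH public-key lines. This assumes Cisco IOS (the post mentions key-string), and that the `key-hash ssh-rsa <MD5> <comment>` form IOS writes into running-config takes the MD5 of the base64-decoded key blob, the same value `ssh-keygen -E md5 -lf key.pub` prints; check that against a `show running-config` on one of your own devices before pasting it everywhere, since NX-OS and other platforms use different syntax. The keys in the block are constructed placeholders with tiny moduli, not real user keys.

```python
"""Build an IOS `ip ssh pubkey-chain` block for many users from OpenSSH
public-key lines, so one text fragment can be pasted to every device.

Added example, not code from the post. Assumptions: Cisco IOS syntax, and
that `key-hash ssh-rsa <hash>` is the MD5 of the raw (base64-decoded) key
blob (what `ssh-keygen -E md5 -lf` prints). The keys below are constructed
placeholders with tiny moduli; never use them on a real device."""
import base64
import hashlib
import struct
from typing import Dict, List


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b  # keep the two's-complement value positive
    return _ssh_string(b)


def make_fake_rsa_pubkey(e: int, n: int, comment: str) -> str:
    """Constructed ssh-rsa line (placeholder key) in OpenSSH one-line format."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def key_md5(pubkey_line: str) -> str:
    """MD5 fingerprint (upper-case hex) of the key blob in an OpenSSH line."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    kind, b64 = parts[0], parts[1]
    if kind != "ssh-rsa":
        raise ValueError(f"unsupported key type {kind}")
    blob = base64.b64decode(b64, validate=True)
    # the blob must start with the algorithm name the line claims
    if blob[4:4 + len(kind)] != kind.encode():
        raise ValueError("malformed key blob")
    return hashlib.md5(blob).hexdigest().upper()


def pubkey_chain(users: Dict[str, List[str]]) -> str:
    """users: {username: [openssh public key line, ...]} -> IOS config text."""
    lines = ["ip ssh pubkey-chain"]
    for user, keys in sorted(users.items()):
        lines.append(f" username {user}")
        for k in keys:
            parts = k.split()
            comment = parts[2] if len(parts) > 2 else user
            lines.append(f"  key-hash ssh-rsa {key_md5(k)} {comment}")
        lines.append("  exit")
    lines.append(" exit")
    return "\n".join(lines)


# Constructed placeholder keys; real keys would come from ~/.ssh/*.pub files.
USERS = {
    "alice": [make_fake_rsa_pubkey(65537, 0xC7F9A1D3B5E70123, "alice@laptop")],
    "bob": [make_fake_rsa_pubkey(65537, 0xA3B1C5D7E9F10305, "bob@desk")],
}

if __name__ == "__main__":
    print(pubkey_chain(USERS))
```

Because only a hash of each key lands in the config, the generated block is safe to keep in version control next to the user list, and re-running it after a key rotation gives you the diff to push.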



Shallow 10g switches?

What are some good shallow 10g switches? That can fit in shallow wall mounted network cabinets?

We have some shallow MikroTiks and Ubiquiti EdgeMAX switches that have 10g but we have had bad experiences with them.



Urgent help needed, ASA 5516x not responding

There is a bug that makes my company's ASA 5516x suddenly stop responding. It's powered on and the lights are going off and on like it's operational, but nothing is responding:

no data going through, no access; neither SSH nor console is working (it's like your PC is on and nothing is working).

I would have to restart the firewall manually to make it work again.

What can cause such a thing? I kept looking into this matter without any solution.

version : 9.8(2)



Help with Switch Issue

We have a problem switch (Adtran NetVanta 1544P) that is currently plugged into our network stack. It connects back to our main switch. Recently, this problem switch has created an issue where it will bring down traffic going into the main switch. There are only about 20 active connections on the problem switch that are also PoE. When the issue arises we are unable to ping the main switch in the facility. Disconnecting or rebooting the problem switch will return everything to normal. It will run fine for a few hours then repeat this pattern. There are no new connections into the problem switch and it has worked fine for the last 5 years.

The only thing that I can see is that the chassis fans seem to be operating at 92% consistently and the PoE CPU temperature is running at 102 F. I'm unable to see a flood of data into the switch.

Thanks



A Network Scanner with a GUI in Python

Hello all! I am an A Level Computer Science student who is trying to gather some suggestions on my upcoming NEA project. For my project, I am planning to create a Network Scanner with a GUI for students aged 13-18 who are keen towards learning cybersecurity and networking. Below are a few questions that can help me with how I approach this project:

  1. What are some core functionalities that you think are essential to any networking software?

  2. How often do you use any networking tools during work and in what situations are they necessary?

  3. What are some of the key issues and obstacles when using these networking tools?

  4. In an office environment, what are some of the most common flaws within the office’s network that tend to be overlooked, and can potentially be exploited easily?

  5. Do you think a GUI will be appropriate for a network scanner intended for students? Please clarify.

  6. What are the networking software tools that you use commonly, and what are some ways that you can suggest to improve them?

Thank you very much for your time, and if you do not mind can you please briefly explain your job title.



What is the impact of DWDM devices (IE: ROADMs) on the propagation delay of a long-haul fiber-optic link? Nonexistent?

So the speed of light is about 300,000 kilometers per second, but due to the higher refractive index of fiber optic cabling compared to that of a vacuum, light, for the purposes of networking, travels at about 200,000 kilometers per second; this equates to a propagation delay of 1 ms of latency per 200 kilometers. I'm curious to know, though, how do technologies such as DWDM affect this? If I have a wavelength on a service provider's network, will their ROADMs introduce additional delay to the connection? If so, by how much?



Wednesday, May 20, 2020

F5 BIG-IP pool member can only reach itself via its own virtual server

Why might I do this you ask? Basically for diagnostic purposes. Obviously I have monitors, but I need my own source of truth to know whether or not services on my pool members are up.

I am using LTM to load balance syslog. I require redundancy at the pool member level, and just one server isn't enough to handle all the traffic.

I run a simple bash script which generates syslog messages and shoots it at all the ports and protocols open for syslog on the box itself, and those that sit on the load balancer. However, when those diagnostic messages hit the load balancer, they never arrive at the other pool members. Only the pool member that originates the traffic gets traffic from the load balancer. Node statistics show traffic going to all pool members, but the other pool members don't see it.

Virtual server is stateless UDP. Datagram LB enabled. No SNAT or AutoMap (because I must preserve the true source IP of the originating host, because sometimes that's all I have to filter on). If I SNAT, it works. So I suspect this is just me not understanding layer 2/3/4 well enough. Same behavior when using TCP syslog via the F5 as well.

Diagram



What's going on in the southern states (I'm in FL)? Anything using Cloudflare DNS is not working online

Anyone else experiencing this or am I just the unlucky lot?



Can I power a mikrotik hap ac with a TP-LINK TL-SG1008P through PoE?

The tp link switch is powered via outlet. I tried powering the hap ac using an ethernet cable (a short flat one) plugged into the PoE port on the tp link, but no success.

Any ideas?



What are you charging on an hourly basis for outdoor Fiber installation? Southern California

I have a job coming up where we'll be pulling roughly 10,000' of SM fiber to 24 inground vaults (6" conduit - empty, spaced roughly 500' apart) to serve 70 homes (an additional ~20,000' of fiber from the inground vaults to the homes).

Each of the vaults serves 4-5 homes each and has existing (empty) 2" conduit run to the nearby homes (roughly 300'-500' on average). We'll be pulling the cable, fusion splicing 70 connectors in the fiber distribution hub, labeling, testing, etc.

All of the runs will be through existing underground conduit.

I'm in Southern California.

So if one man was doing all of this work I estimate it would take 160-180 hours. What would you charge your client on an hourly basis for this type of work? We're fully insured, have all the tools, etc.

We aren't going to breakdown the hourly cost to our client, we're going to submit a bid for the entire project which includes all of the materials, labor, etc.

I'm thinking we should be right around $150/hr for this type of work, just trying to get an updated idea of what others are charging on an hourly basis for this type of work in my area.



Looking for effective WAP options.

We're a small MSP IT company. Our target clients are SMBs with 1 to 100 staff. We've been installing network hardware for years, but are finding lately that good options for WAPs are getting harder to find, especially at a price point clients would like. We aren't a big enough company to buy a bunch of different WAPs and test them ourselves, and installing untested hardware with new clients is a sure way to lose repeat business if the hardware we purchase doesn't get the job done. Our biggest issue is probably signal interference; it's common that we have 50+ competing WiFi signals across all the channels. The only WAPs we have found that consistently work are the MR line from Meraki, but the upfront and annual licensing costs are a hard sell with our customer size. We've used:
- UniFi: good price, terrible configuration, worse support
- Cisco WAP 371, 571, etc.: reasonable price, very susceptible to interference
- D-Link: don't seem powerful enough, latency issues with only 10 people connected
- TP-Link, Trendnet, Tripp Lite: just don't seem to work, more SOHO options than SMB
- Ruckus: pretty good, higher upfront price range
- MikroTik: really good prices, hard configuration

What are other people using that they have found successful?



Migrating DHCP from 2008 to 2016

We have a Win 2008 DHCP server handing out addresses to our L2 switch environment. There are multiple scopes for each switch type with the third octet changed for each one. For example, switch type 1 gets 192.168.2.x and switch type 2 gets 192.168.3.x. We utilize the vendor class option to shunt the types into the correct scope. This results in varying scope subnets, all of which are either /23 or /24. Looking at a Wireshark capture, it appears that the /16 on the server NIC is handed out to all devices that receive an address and everything happily communicates.

I've exported and imported that scope into a new 2016 server. In testing activating the new scope I was losing management to devices, which would cause me to back out of my test and back to the old server. I compared the Wireshark capture and the device that I lost management to received the correct IP address, but was handed the scope subnet of /23 rather than the server subnet. I discovered I can reach it from another switch in the same scope that has a /16.

Is this a behavior change in 2016 DHCP from the original server set up (inherited by me)? The overall preference would be to keep the 2008 behavior for the 11 scopes we have for the devices all in the same management network.
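Two checks that go with the capture comparison in that post, as an added example that is not code from the post: pull the subnet-mask option (option 1) out of the DHCP options field, then show what that mask changes for the device. The option bytes below are a constructed, abbreviated DHCPOFFER options field (no fixed header), the host addresses are constructed, and the prefixes follow the post (/16 on the server NIC, /23 scope); the "2008" and "2016" labels only name the two behaviours the post describes.

```python
"""DHCP subnet-mask option: extract it from the options field and show the
on-link consequence for a device versus the DHCP server.

Added example, not code from the post. OFFER_* are constructed DHCPOFFER
option fields (options only, after the magic cookie); DEVICE_IP and
SERVER_IP are constructed hosts; prefixes follow the post's description."""
import ipaddress
from typing import Dict, Tuple


def parse_dhcp_options(blob: bytes) -> Dict[int, bytes]:
    """Minimal TLV walk over the DHCP options field: code, length, value;
    0 is a pad byte, 255 ends the list. Raises on a truncated option."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        i += 2 + length
    return opts


def offered_prefix(options: Dict[int, bytes]) -> int:
    """Option 1 (subnet mask) as a prefix length, e.g. 255.255.254.0 -> 23."""
    mask = ipaddress.IPv4Address(options[1])
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def on_link(src_ip: str, prefix_len: int, dst_ip: str) -> bool:
    """Does src (with this mask) treat dst as directly reachable (ARP for it)?"""
    net = ipaddress.ip_interface(f"{src_ip}/{prefix_len}").network
    return ipaddress.ip_address(dst_ip) in net


def reachability(device_ip: str, device_prefix: int,
                 server_ip: str, server_prefix: int = 16) -> Tuple[bool, bool]:
    """(device sees server on-link, server sees device on-link). An asymmetric
    pair is the management-loss case: the server ARPs for the device directly
    while the device sends its replies to a gateway."""
    return (on_link(device_ip, device_prefix, server_ip),
            on_link(server_ip, server_prefix, device_ip))


# Constructed DHCPOFFER option fields: 53=offer, 1=subnet mask, 3=router, 255=end
OFFER_2008_STYLE = bytes([53, 1, 2, 1, 4, 255, 255, 0, 0, 3, 4, 192, 168, 2, 1, 255])
OFFER_2016_STYLE = bytes([53, 1, 2, 1, 4, 255, 255, 254, 0, 3, 4, 192, 168, 2, 1, 255])

DEVICE_IP = "192.168.2.50"   # constructed host in the "switch type 1" scope
SERVER_IP = "192.168.1.10"   # constructed host on the DHCP server's /16 NIC


def compare_offers() -> Dict[str, Tuple[int, Tuple[bool, bool]]]:
    """For each offer: the prefix handed out and the resulting reachability pair."""
    out = {}
    for name, blob in (("2008", OFFER_2008_STYLE), ("2016", OFFER_2016_STYLE)):
        prefix = offered_prefix(parse_dhcp_options(blob))
        out[name] = (prefix, reachability(DEVICE_IP, prefix, SERVER_IP))
    return out


if __name__ == "__main__":
    for name, (prefix, pair) in compare_offers().items():
        print(f"{name}: /{prefix} device->server on-link={pair[0]} server->device on-link={pair[1]}")
```

Applied to a real capture, decode the options field of the OFFER/ACK from each server with parse_dhcp_options() and compare option 1 (and option 3) directly; the scope's mask, not the server NIC's, is what is supposed to appear there, so the "2008" behaviour is the one worth explaining before relying on it.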



Klein Rj45 Crimpers Failing Qualifier tests.

So I have a pair of Kleins (VDV226-110) Rj-45 crimpers. After a job all ends were tested and they all passed using a kleins VDV526-052 tester (simple end tester). There are no visual indications of a bad crimp.

However when we started having network issues with about 50% of runs and brought in the qualifier (Fluke), it turned out the Rj45 ends were indeed the issue.

Is there anything I can check on crimpers that would cause this? or should I just ditch them out of an abundance caution and go with a different brand? A little disappointing $60 crimpers perform this poorly.



How to tell if ntp server is a "pool"?

What magic can I do to determine if a particular ntp server is a "pool?" For example, does time.google.com represent a "pool" or just a load-balancer for time(1/2/3/4).google.com?
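One practical way to answer that, as an added example that is not code from the post: query the name several times and compare what comes back. Every NTP reply carries the server's stratum, its reference ID (a four-character source code at stratum 1, the upstream server's IPv4 address or an IPv6 hash at stratum 2 and above) and the timestamp of its last sync. One server answers all of those consistently within a short burst; differing reference IDs, strata or reference timestamps mean different backends answered, whether the name rotates in DNS or a load balancer fans out behind one address. The two sample replies below are constructed bytes, not captured from any real server, and the hostname in probe() is only the one the post asks about.

```python
"""Probe an NTP name repeatedly and compare stratum, reference ID and
reference timestamp across the replies.

Added example, not from the post. SAMPLE_REPLIES are constructed server
packets for offline use; probe() does the live version and is not
exercised offline."""
import socket
import struct
import time
from collections import Counter
from dataclasses import dataclass
from typing import List

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 to 1970-01-01


@dataclass(frozen=True)
class NtpReply:
    version: int
    stratum: int
    refid: str        # e.g. "GOOG"/"GPS" at stratum 1, dotted IPv4 above that
    ref_time: float   # unix seconds of the server's last sync
    tx_time: float    # unix seconds when the reply left the server


def build_request(version: int = 4) -> bytes:
    """48-byte client request: LI=0, VN=version, mode=3, all else zero."""
    return bytes([(version << 3) | 3]) + bytes(47)


def _ts_to_unix(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / 2 ** 32


def parse_reply(data: bytes) -> NtpReply:
    if len(data) < 48:
        raise ValueError("short NTP packet")
    first, stratum = data[0], data[1]
    mode, version = first & 7, (first >> 3) & 7
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    refid_raw = data[12:16]
    ref_ts, _orig, _recv, tx_ts = struct.unpack("!QQQQ", data[16:48])
    if stratum <= 1:
        refid = refid_raw.decode("ascii", "replace").rstrip("\x00 ")
    else:
        refid = ".".join(str(b) for b in refid_raw)   # IPv4, or 4-byte IPv6 hash
    return NtpReply(version, stratum, refid, _ts_to_unix(ref_ts), _ts_to_unix(tx_ts))


def summarize(replies: List[NtpReply]) -> Counter:
    """Distinct (stratum, refid) pairs seen; more than one means several backends."""
    return Counter((r.stratum, r.refid) for r in replies)


def looks_like_pool(replies: List[NtpReply]) -> bool:
    """Heuristic for a short burst of queries: any change in (stratum, refid)
    or in the reference timestamp points at more than one server answering."""
    return len(summarize(replies)) > 1 or len({round(r.ref_time) for r in replies}) > 1


def make_reply(stratum: int, refid: str, ref_unix: int, tx_unix: int) -> bytes:
    """Constructed server reply (LI=0, VN=4, mode=4) for offline testing."""
    if stratum <= 1:
        refid_b = refid.encode("ascii").ljust(4, b"\x00")[:4]
    else:
        refid_b = bytes(int(x) for x in refid.split("."))
    ts = lambda unix: (unix + NTP_EPOCH_OFFSET) << 32
    head = bytes([(4 << 3) | 4, stratum, 6, 0xE9])  # poll=6, precision=-23
    return head + struct.pack("!II", 0, 0) + refid_b + struct.pack(
        "!QQQQ", ts(ref_unix), 0, ts(tx_unix), ts(tx_unix))


# Constructed: two replies from one stratum-1 backend, one from a stratum-2 backend
SAMPLE_REPLIES = [
    make_reply(1, "GOOG", 1590000000, 1590000010),
    make_reply(1, "GOOG", 1590000000, 1590000011),
    make_reply(2, "192.0.2.10", 1589999950, 1590000012),
]


def probe(host: str = "time.google.com", count: int = 5, timeout: float = 2.0):
    """Live probe (network required): resolve each time so DNS rotation shows too."""
    out = []
    for _ in range(count):
        addr = socket.getaddrinfo(host, 123, socket.AF_INET, socket.SOCK_DGRAM)[0][4]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_request(), addr)
            data, _ = s.recvfrom(512)
        out.append((addr[0], parse_reply(data)))
        time.sleep(0.2)
    return out


if __name__ == "__main__":
    parsed = [parse_reply(p) for p in SAMPLE_REPLIES]
    print(summarize(parsed), looks_like_pool(parsed))
```

Run probe() against the name in question and look at both columns: changing IPs show a DNS-level pool, while a constant IP with changing stratum/refid/ref_time shows a load balancer or anycast front with several servers behind it. A single server polled over many minutes will legitimately update its reference timestamp, so keep the burst short when using that signal.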



Allied Telesis - Assigning IP's to physical interfaces?

Hello all,

Our company is looking into alternate vendors for parts of our network. We're currently testing an AT X930 layer 3 switch. Is it possible to assign an IP address to the physical interfaces on these boxes? We've found in the documentation how to assign IP's to VLANs and Loopbacks but we can't find anything about the physical interfaces. Any help would be appreciated. This device is brand new out of the box for reference.



Need help with PTP network setup

Hello everyone,

Background:
Please excuse the noob question, I have tried to do my research but am unable to find the answer I need and don't want to order expensive shit I don't need. I am trying to extend a wifi network to reach from the main building out into a farm field to provide networking capabilities to a weather station. We initially used an engenius ENS202 and this worked fine. The weather station only ever pushes a few hundred kb and thus the weak signal it was able to repeat worked fine. Unfortunately it died and they discontinued it, and we haven't had any luck with any of their newer products. I haven't found any other outdoor repeaters and ultimately decided a PTP network would likely function better.

Question:
The remote device I am trying to connect to must connect through wifi. If I purchase something like the airMAX NanoBeam AC 5 GHz Bridge would I also need to purchase an outdoor AP to create a new network for the device to connect to?

Is there a simpler way to do this? There is a clear line of sight but no way to run a cable out there. The network speed does not need to be amazing.

Thank you!!!



Recommendations for creating 10GbE subnet

I'm looking to set up a 10GbE connection between my Synology NAS and my video editing workstation. Currently my entire network is gigabit, but ideally I'd like to only replace the connection between the two devices.

Here's a simple diagram showing my setup and current ideas. (I'm a real networking novice, please bear with me)

I think I'd prefer idea 2 (10GbE switch between the devices) but I'm not sure if the data has to go back to the router when communicating through the switch (thus defeating the purpose). The NAS has a static IP address and I've tried disconnecting the current switch from the router and the workstation and NAS maintain connectivity, so I believe it would work.

I would really appreciate any input or feedback on anything I may be missing here. Thanks in advance!



Setting up a VPN for a small business without an office network

The company I work for is small (6 employees) and we had a single office with a single static outward facing IP address. I would then whitelist that single IP address for things like AWS and client databases that we needed to connect to. With the whole office now working from home, if anyone needed to connect to something, they would VPN into the office network then be good to go.

Now the company owner has decided we all work well enough from home, that we are going to get rid of the office. But we still need to connect to several outside websites (some of which we don't directly control).

While I could get everyone's home IP address whitelisted in the short term, it would be a huge pain to deal with in the long term.

What I ideally need is some kind of virtual office network to VPN into and then use the IP address of that virtual network as the one being whitelisted. However I have no idea how to go about finding such a thing.

My ideas are either renting server space at a company like www.tierpoint.com, getting a static IP for just us and then setting up a VPN system to that server. Or finding a VPN company that can do the same for us (ideally this as it would be easier to let someone else handle setting everything up).



Fucking COMCAST their route server doesn't allow any commands, am I missing something?

Pretty sure they aren't accepting our advertised routes.

Log into telnet://route-server.ip.att.net and every single command says

authorization failure

Gee thanks guys!!!!!



Free NSM with network map | The dude alternative

Hi.

I'm desperately looking for The Dude alternative. For now we have two major problems:

- Does not perform well with 1000+ devices: some graphs randomly stop being shown, and sometimes it can't read the available interfaces on the device.

- Does not have 64-bit counters, which makes it really hard to read 1 Gbps+ traffic.

Basically, what I need is an NMS to monitor network devices using SNMPv2; the NMS MUST have the capability of drawing maps like The Dude does. We need traffic, CPU, latency, memory, and other graphs which can be obtained via SNMP. We also need notifications (preferably via a Telegram bot). The NMS MUST be able to work with a large number of devices.

I've been looking at Prometheus, but I could not find a way to draw maps, and seems to be more an alternative to Icinga. Icinga also can't draw network maps. I don't need any server monitoring as we are using Icinga to achieve that and we are really happy with it.

I've also checked Observium and LibreNMS; I could not find maps there either. I found a plugin called Weathermap, but it is not as good as I wish it could be.

For now, I'm considering NetXMS and Zabbix. I would like to hear some reviews about them, especially about NetXMS.

Regards.



Network layer satellites

How is the network layer implemented for satellites? I know they use lasers in physical layer and we could use tcp for packet transfer, but how does the network layer work.

Are there routers in space? How would it choose the best path?



Advice for a newbie on configuring an active/active setup

Hi Guys!

Hope you are all well.

I have a quick question with regards to configuring our core switches in the best way possible!

A little background on the network.... We have 1 Fortigate 80E firewall sat at the edge of the network which handles all routing to the WAN and Internet. Connected to this is an EdgeSwitch 48-port PoE which subsequently has 8 access switches connected out on banks of desks. This switch also has 9 Unifi APs connected which it does not provide PoE power to (we have concerns as to the reliability of the EdgeSwitch PSUs when put under stress from PoE).

Here is a rough diagram of our network I drew up....

https://app.lucidchart.com/invitations/accept/7a05f290-c1c6-44c9-b516-0dd6a342da7d

We are hoping to add in another Edgeswitch to work alongside the current one so that they could share the load going out to the access switches and AP's

What would be the best way to configure an active/active setup while also having an additional switch to replace a failed one? What would be the best way to configure redundancy? Ideally having some sort of automatic failover system.

My thoughts so far were that we would have both switches connected to the FortiGate firewall and then connected to each other (one of the switches' links to the firewall would be redundant in case the other switch went down). We would also split the load of access switches etc. between the two core switches. We could then have another switch ready to hot-swap in case of failure? Or, even better, is there a way to have an additional switch set up to automatically fail over onto? Or would we need an extra switch for both switches? I do not believe Unifi's Edge switches are stackable either, or at least not logically.

Our objective is to have a situation where 2 switches share the load and in the event, one fails, another can take its place as quickly as possible, allowing for an active/active with redundancy setup.

Any suggestions greatly appreciated! :D

Kind regards

Oliver



Firmware for Cisco 3750G EOL

I was gifted a few 3750G-TS switches. I wanted to throw one in my shop. I’m not worried about security since it’s just an internal test bench. I logged into my Cisco account to see if I could grab the latest firmware before it went EOL but it’s not in the support database anymore. Am I SOL or is there a way I can grab the latest firmware for this switch. Thanks!



3rd party website up check

I had someone try to tell me that 3rd party sites that check whether a site is down, something like isitdownrightnow.com, are reliable. While I don't agree, and many of my team don't agree, I wasn't really sure how to tell the person that their statement was incorrect. But for all I know, maybe I'm wrong? To me those sites aren't reliable because we don't know how they were designed to check if a site is down.

How would you bring that up to an end user and explain why they shouldn't rely on "isitdownrightnow.com"



Cisco SD-WAN Input Help Needed ASR1002-X TPM and 10GB SPA Support

We had a meeting with our SE recently and he just informed us that the ASR1002-X running SD-WAN does not support the 10GB SPA. They also told us that the 1002-X does not have a tamper proof module.

Has anyone found any evidence on this when working on their deployments?



Abysmal upload speed

Hello,

We are using zyxel p-2812hnu-f3 in one of our remote places and the people working there are having really bad upload speed. I mean even download isn't anything great, but upload is the real problem.

https://i.imgur.com/TMsjSfx.jpg

We are using Google DNS, and I tried tracert from my own PC (the one on the left), which works fine, and then from a colleague's PC, where it gives me * instead of contacting the provider (she has Telekom).

They are all there connected through Ethernet cable.

I don't really know if anything can be done about this, except switching a provider or maybe a firmware update? (the latest one is from 2014 for this router, which I doubt will be helpful)



IPSEC as a LAN client?

Hello everyone,

Sorry if this is a noob question

I want to set up a work VPN in the office that employees can connect to (planning to use perimeter 81)

However, the Modem+Router that was provided by the ISP (Reliance JIO) does not have ipsec

Can I get an external third party router (I have a TP Link W8961N on hand) and use ipsec over there?



Sending tagged frames to a untagged port.

We have a switchport which is "untagged" / "access vlan 10". Now what happens if that port receives tagged frames? (Explain both cases: tagged frames with VLAN 10, and tagged frames with, say, VLAN 120.)



Are services on the same ASN related in anyway?

Hello! I was wondering if services or websites that are hosted on the same network (same ASN) should in any way be considered "related"? For example, I checked an application that was hosted in a network where pirated content, pornography, torrents, tor exit nodes etc. are hosted and a lot of IPs have been reported for malicious activities, should I also consider this application be "malicious"?



Tuesday, May 19, 2020

3rd party delivery aggregator

Hey guys,

I work for a company that takes 3rd party delivery platforms like Ubereats GrubHub postmates chownow Doordash caviar and combines into a single tablet printer system.

I'm looking for restaurants owners, head of operations or marketing for chains that can see this as an opportunity to streamline their delivery.

What is a good channel to reach out to or blog/forums where I can find restaurant owners or corporate decision makers.

Looking forward to connecting!



DHCP best practices in service provider network

Hello,

I am wondering if I might solicit some advice and a sanity check on the best way to design a multi-subnet DHCP implementation.

Currently, there are routers in multiple regional locations with subnetted ip blocks on customer facing interfaces. Customers in a region get a number from ranges designated to that area.

Two new dhcp servers will be installed in a FOA configuration at different locations. It's been suggested to me that all customer subnets from all regions be thrown together in a DHCP range "pot" available to any customer in any location - allowing for customers from multiple regions to have an IP in the same subnet and to make "it easier." Can that work? How would it be implemented on the router side? How would the dhcp server know where to send a requested ip?

I'm also wondering what potential issues could be caused by the described setup, why it might be better to do it that way as opposed to the current way, and/or whether there's another, better way of doing it that I haven't mentioned.

TIA for your time.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Cisco DACL Syntax checker??

Do we know if there is such thing as a syntax DACL checker out there besides the one within Cisco ISE?



Cisco CML personal (virl) lab review

Cisco CML Personal 2.0 (aka VIRL) is out, so can someone provide an honest review of its functionality, or of any bugs or frustrations? Currently I am running EVE-NG and so far so good, but I'm also thinking of getting CML Personal edition to see which one is easier and simpler to play with.



Creating a Udemy course that picks apart NAT on a Cisco ASA/ASAx Firewall -- need 5-10 volunteers to demo it, please =)

Hello,

I'm about 95% finished with a new course on Udemy where I pick apart Network Address Translation on the Cisco ASA and ASAx platform.

The course first discusses core NAT concepts (i.e., what is nat, what are all the ways of translating packets, etc). Then goes into a deep dive for configuring NAT on a Cisco ASA(x). It's meant to take you from zero NAT experience to being an expert on NAT, and in particular NAT on a Cisco ASA.

I'd like to get a few folks (preferably with some ASA exposure) to run through the class to proof and demo the course and let me know what you think.

If you're interested, please DM me, I'll message you with a free access to the course when I finish (likely, later this week).

If you're interested but don't want to be one of the initial 5-10 beta testers, just respond here and I'll update with a discounted (or free, why not) coupon code when it's live (maybe next week).

I'm not linking anything here intentionally, this post isn't advertising, simply looking for volunteers.



How to troubleshoot slow VPN? What next?

Our help desk is swamped with calls from users reporting slow VPN connections. Applications affected include Outlook, Active Directory, Dameware (RDP tool), and shared network folders.

Our VPN and firewall service is managed by Company A and ISP is Company B. Company A confirmed no issues on their end - enough CPU and RAM on the appliance. We are well under our concurrent connection limit. Company B confirmed that we were well under our allocated bandwidth.

What to do next?



Unmanaged media switch

As part of an AV installation I need to supply a small switch for media folks to plug various devices into as they need for events (camera controllers, Audio over IP, etc). Given the nature of some of the devices they may plug in, I have a couple specific requirements for the switch and am having trouble locating an appropriate model. Specs include...

  • Minimum
    • Unmanaged
    • (x8) 1G ports
    • Non-blocking
    • PoE on each port
    • No EEE/Green Ethernet/802.3az
  • Ideal
    • PoE+ on each port
    • Diffserv/QoS
    • Higher available wattage for PoE(+)

The big factor is no Green Ethernet. The media traffic can be bursty in nature and high bandwidth if they do any sort of media over IP. As such, I can't have any ports idle or go into a low-power mode when traffic slows down; it needs full power all the time. Whether a switch has Green Ethernet or not is not always documented.

While I know a small managed switch could work if set up correctly, I do not want to even give someone the option to change settings, hence unmanaged. Some of these end users are students and can be rather curious.

Thanks!



ISP Circuit Management

Hello,

I am curious to understand how some of you handle ISP circuit allocation and management on a global scale. The network I work on has sites throughout the US, EU and APAC. When I first started working here, many of the sites used local and regional carriers, which made management quite difficult. Each site has different providers and some of those providers did not speak English or have a web portal for opening tickets. I thought a better, more manageable solution was to choose two well known global providers that had good support and web features and standardize each site with a primary/secondary using those two providers.

I thought that was a good idea. If a circuit went down, you knew exactly who to contact. However, I am now finding out that going this route with specific providers may be costing a lot more per circuit and could be compromising path diversity.

Bonus Points: Do you use a third party to source and manage your circuit contracts?



5G- Please give your views/ideas/advice or any comment on the below post.

Will it be possible? And what problems will come up?

As 5G is going to use millimeter waves, it is going to require many small towers for emission; they could be connected to the light poles on the streets, and the signal could even be shared and transmitted via mobile hotspot/Bluetooth.

I actually don't have too much of an idea... I have to give a presentation for an ideation session in my college and am gathering ideas and information.... thank you.



Communication on L2 switch without static IP

I’m working on a system that would ideally be able to communicate between a server and multiple clients over an L2 switch. The L2 switch would probably be connected to a gateway that would run dhcp etc, but I want to make it so it doesn’t have to be, if possible.

I could just create static IPs, but that would be a lot of setup for how many clients would be connected.

I’m pretty new to more advanced networking, but figured someone here might know.



IP Address / Subnetting Tool

Looking for a simple subnetting tool. My vision here is pretty simple UI that just lets me show netblocks, how they nest, which ranges are still available, etc.

I have no need for IPAM solutions that integrate with DHCP, require a server, do scanning, or any of that. Really, I'm looking for a glorified spreadsheet. That can maybe save into a file.

I can't find the magic Google-fu to find such a thing. Because everything returns really big IPAM tools. :)



Ipsec tunnel mode vs transport mode (with ESP) question

Greetings everyone,

Could anyone point out to me why we would want to use "tunnel" mode to add an extra IP header?

From what I saw if we look and analyze a packet in wireshark:

This is Transport mode:

https://scontent-vie1-1.xx.fbcdn.net/v/t1.15752-9/98065733_265413391269414_5199767491944906752_n.png?_nc_cat=107&_nc_sid=b96e70&_nc_ohc=7YElVVBDy04AX9rwP7O&_nc_ht=scontent-vie1-1.xx&oh=273bc37cddc4668868ddaa6b93cf9860&oe=5EE8F29E

And this is Tunnel mode:

https://scontent-vie1-1.xx.fbcdn.net/v/t1.15752-9/98114771_244528820299832_2444806594471395328_n.png?_nc_cat=102&_nc_sid=b96e70&_nc_ohc=fbFgp3hkORoAX8rHdW-&_nc_ht=scontent-vie1-1.xx&oh=5afea1c28bbf69d29de147548ed182e9&oe=5EE8E64B

Now, either Wireshark is bugged, or there is absolutely ZERO difference between the two packets.

They say that in "tunnel mode" there is an additional new IP header that was generated.
(So in "tunnel mode" we had an original header and another, totally identical, new header was replicated and put in front of the whole encrypted packet? Or what the hell.)

Why would we replicate and put the totally same header in front of our encrypted packet?
Because we could make sure that the "original encrypted header would be fully untouched"? Or something?

Could anyone help me out with this?

Point out what's the difference between the two Wireshark packet captures?
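The header layout the post is asking about, shown as an added example in Python (this is not code from the post or from any IPsec implementation; the XOR "cipher", the placeholder key, the SPIs and the 10.1.1.x / 203.0.113.x / 198.51.100.x addresses are all constructed). It builds the same TCP segment three ways: ESP transport mode between the two hosts, ESP tunnel mode between two gateways, and ESP tunnel mode between the same two hosts. on_the_wire() returns what a capture shows without the SA key; decrypt_and_inspect() returns what the receiving endpoint sees.

```python
import socket
import struct

ESP_PROTO = 50    # IP protocol number carried in the outer header for ESP
TCP_PROTO = 6
IPIP_PROTO = 4    # ESP "next header" value meaning "an IPv4 packet follows" (tunnel mode)

# Constructed placeholder key for the XOR stand-in below; real ESP uses e.g. AES-GCM.
DEMO_KEY = b"\x5a\xa5" * 8


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (no options, TTL 64) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, protocol, payload)."""
    ihl = (packet[0] & 0x0F) * 4
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            packet[9], packet[ihl:])


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Stand-in for the ESP cipher so the layout stays visible; not real encryption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def esp_encapsulate(spi: int, seq: int, next_header: int, plaintext: bytes, key: bytes) -> bytes:
    """ESP (RFC 4303): SPI | Sequence | encrypted( payload | padding | pad_len | next_header ).
    No ICV is appended; the point here is the header layout, not the cryptography."""
    pad_len = (-(len(plaintext) + 2)) % 4           # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + xor_cipher(plaintext + trailer, key)


def esp_decapsulate(esp: bytes, key: bytes):
    """Return (spi, next_header, plaintext) from an ESP payload."""
    spi, _seq = struct.unpack("!II", esp[:8])
    body = xor_cipher(esp[8:], key)
    pad_len, next_header = body[-2], body[-1]
    return spi, next_header, body[:len(body) - 2 - pad_len]


def transport_mode(src: str, dst: str, tcp_segment: bytes, key: bytes) -> bytes:
    """Original IP header stays in the clear; only the L4 segment is inside ESP."""
    return build_ipv4(src, dst, ESP_PROTO, esp_encapsulate(0x1000, 1, TCP_PROTO, tcp_segment, key))


def tunnel_mode(gw_src: str, gw_dst: str, inner_packet: bytes, key: bytes) -> bytes:
    """Whole original packet, header included, goes inside ESP; a new outer
    header with the SA endpoints (usually the gateways) is put in front of it."""
    return build_ipv4(gw_src, gw_dst, ESP_PROTO,
                      esp_encapsulate(0x2000, 1, IPIP_PROTO, inner_packet, key))


def on_the_wire(packet: bytes) -> dict:
    """What a capture shows without the SA key: outer addresses, protocol 50, SPI."""
    src, dst, proto, esp = parse_ipv4(packet)
    return {"src": src, "dst": dst, "proto": proto, "spi": struct.unpack("!I", esp[:4])[0]}


def decrypt_and_inspect(packet: bytes, key: bytes) -> dict:
    """What the receiving SA endpoint sees after decryption."""
    src, dst, _proto, esp = parse_ipv4(packet)
    _spi, next_header, plain = esp_decapsulate(esp, key)
    if next_header == IPIP_PROTO:                      # tunnel mode: an inner IP header follows
        isrc, idst, iproto, _ = parse_ipv4(plain)
        return {"mode": "tunnel", "outer": (src, dst), "inner": (isrc, idst), "inner_proto": iproto}
    return {"mode": "transport", "outer": (src, dst), "next_header": next_header}


def demo():
    """Constructed TCP segment between two hosts, sent three ways."""
    seg = struct.pack("!HHIIBBHHH", 1234, 443, 1, 0, 0x50, 0x18, 8192, 0, 0) + b"GET / HTTP/1.0\r\n"
    inner = build_ipv4("10.1.1.10", "10.2.2.20", TCP_PROTO, seg)
    transport = transport_mode("10.1.1.10", "10.2.2.20", seg, DEMO_KEY)
    gw_tunnel = tunnel_mode("203.0.113.1", "198.51.100.1", inner, DEMO_KEY)   # gateway-to-gateway SA
    host_tunnel = tunnel_mode("10.1.1.10", "10.2.2.20", inner, DEMO_KEY)      # host-to-host SA
    return transport, gw_tunnel, host_tunnel


if __name__ == "__main__":
    for name, pkt in zip(("transport", "gateway tunnel", "host tunnel"), demo()):
        print(name, len(pkt), "bytes, wire view:", on_the_wire(pkt))
        print("   decrypted:", decrypt_and_inspect(pkt, DEMO_KEY))
```

The host-to-host case is the one that looks like the two screenshots: the outer header is generated fresh but carries the same two addresses as the inner one, so without the SA key a capture shows identical src/dst, protocol 50 and an SPI, and the only visible difference is 20 extra bytes of length. The extra header earns its keep in the gateway case: the inner header (real source and destination, TTL, ID, protocol) is inside the encrypted payload, and the outer header only names the two gateways.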



Grid Bank Full - Cisco NCS5500

Hi everyone,
I am coming across the following error at work. Cisco TAC has given me a solution, but they have been taking forever to answer some questions about their solution, and I thought maybe someone here would know.
We have two NCS5500 devices running 6.6.3 that are giving out this error:
ipv6_rib[1232]: %L2-GRID-3-BANK_FULL : GRID POOL 2 TYPE GLIF BANK 1 is FULL

CISCO TAC RESPONSE:
"These are messages from grid which stores FEC of non-ECMP next-hops. If remote PE uses per ce label allocation, it can exhaust this resource on the NCS and we would see HW programming failed for the routes as well.

If this keeps happening, it is recommended to use label allocation per VRF for better usage of FEC resources. You can check resource usage by below commands:

sh contr npu resources fec location 

sh grid pool 2 bank 1 location 

Please let me know if you can make label allocation change."

The questions that I am trying to answer:
If we upgrade to 7.02 will this fix the issue by being more efficient?
If we do switch to per VRF do we have to do it network wide, or can we do it on just the two devices whose tables are full?

ANY INPUT IS GREATLY APPRECIATED!!!!!!



Double Plc Network

Hello everyone, I want to know if I can add a new PLC kit. I already have one, the devolo dLAN 1200+, but it's not working that well when someone is connected to it (not the box), so I figure I can buy a new PLC kit, but I'm wondering if it will work.



"Always UP" IPsec tunnel between Cisco and Fortigate

Hi,

I have an issue trying to keep IPsec tunnel session alive.

There is an IPsec tunnel configured between fortigate and cisco IOS device. Fortigate acts as dialup ipsec vpn server, cisco - client. Cisco router must initiate ikev2 session to bring up this tunnel. The problem is that usually cisco device won't send any traffic, so tunnel goes down after lifetime expires. I need a solution to keep this tunnel always up.

I've tried configuring DPD with no success ("dpd 10 2 periodic" under ikev2 profile on cisco, and "On demand" setting on fortigate).

It is possible to configure "IP sla" on cisco router to ping something on the other end of the tunnel, but this type of configuration doesn't seem right.

Any ideas?

Thanks



Network Mapping Solutions

I would like recommendations on a network mapping solution. Ideally, our requirements are:

  1. A web based interface that can be put on a NOC monitor with auto refresh capabilities.
  2. Background to be a topology view of a town, ideally google maps/earth background.
  3. The ability to have each of our devices on the map, and color code the status of the device based on its availability.
  4. The ability to show links between site/devices, the amount of traffic flowing across them, and the interfaces which link them.
  5. It would be nice for the links, if we could physically draw the path, to represent the path of the underlying fiber infrastructure in the ground or wireless links. Some of our links however are carrier owned so we don't know the physical path, only the logical path.
  6. It would be great if these links were updated or generated using LLDP, CDP, and other automated methods.

Please let me know if you have any recommendations.



Thin Client Solution

Hi All,

In this topic I am quite green and was hoping someone could shine some light on it.

Here is my virtual environment: - Win Server 2016 - Win 10 Host

I am trying to figure out how to deploy thin Client solution and test it using that win 10 client over RDP.

I tried googling some stuff and downloaded WTware but nothing worked as expected.

I basically want my Windows server to be the server and the VM host, and we will have small OSes on the thin clients (if possible PXE bootable).

Does anybody have some experience with deploying Thin Clients or some knowledge ?

TIA



F5 BIG-IP - Routing

Hi all,

On an F5 BIG-IP, can I safely create a default route (0.0.0.0/0) whilst not affecting the management route? I want all traffic to route out via a specific gateway whilst keeping management traffic as it is. I have configured a management route that is working. I am worried that when I add the static route (whose gateway is obviously on a different subnet to management) it might disrupt my management access.

Thanks



Junos/PyEZ/ Is there any way to get Routing-Instance info (interface, instance-type, protocols) ?

Hi there cool cats and network engineers. I'm working on JSNAPy, if you guys are familiar with it; it needs commands to verify / check the status of the customers through <routing-instance>.

For example: show vpls connections instance abc. I need to know the RI is abc. I want to achieve that through input: the customer's interface, ae2.2002, and I will get the result as routing-instance abc, instance-type: vpls, protocols: vpls, etc...

Is there any operational command or SNMP MIB to retrieve this info? I have searched the internet and found the configuration snmp { routing-instance-access; ... }, but as far as I know we might have to configure this for each customer.

I want to automate this process for all the customers and then, through Python, pick some random customer interfaces (aeX.Y) and get the name of the RI, protocols, and instance type.

Has anyone of you pros out there experienced this issue before?

'ae7.3022': {'ifAdminStatus': '1',
             'ifAlias': 'FTI-L3VPN-ABC-CUSTOMERA',
             'ifOperStatus': '1',
             'nameRI': 'L3VPN-FTI-ABC-CUSTOMERA',
             'protocols': '',
             'routing_options': 'static'}}}

In my Python script, I get this info via rpc.get_config:

data = dev.rpc.get_config(filter_xml='<routing-instances/>', options={'inherit':'inherit'})

Any faster or more optimized ways to achieve this?
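The interface-to-instance mapping can be built from the routing-instances configuration alone, without per-customer SNMP configuration. The following is an added example, not the poster's script and not PyEZ code: it indexes every interface unit listed under a routing instance and returns the instance name, instance-type, the protocols configured under it and its routing-options, in the same shape as the dict above. The XML is a constructed sample following the Junos configuration schema (instance names, interfaces and the site-range value are placeholders, not from a real device).

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the <configuration> element that
# dev.rpc.get_config(filter_xml='<routing-instances/>') returns. Not from a real device.
SAMPLE_CONFIG = """<configuration>
  <routing-instances>
    <instance>
      <name>abc</name>
      <instance-type>vpls</instance-type>
      <interface><name>ae2.2002</name></interface>
      <interface><name>ae2.2003</name></interface>
      <protocols>
        <vpls><site-range>10</site-range></vpls>
      </protocols>
    </instance>
    <instance>
      <name>L3VPN-FTI-ABC-CUSTOMERA</name>
      <instance-type>vrf</instance-type>
      <interface><name>ae7.3022</name></interface>
      <routing-options>
        <static><route><name>0.0.0.0/0</name></route></static>
      </routing-options>
      <protocols>
        <bgp><group><name>CUST</name></group></bgp>
      </protocols>
    </instance>
  </routing-instances>
</configuration>
"""


def index_routing_instances(config_xml: str) -> dict:
    """Map every interface unit to the routing instance it belongs to.

    Returns {ifl: {"nameRI", "instance-type", "protocols", "routing_options"}}.
    "protocols" and "routing_options" are the comma-joined child element names
    (e.g. "vpls", "bgp", "static"); an instance without them yields "".
    """
    root = ET.fromstring(config_xml)
    by_interface = {}
    # .// so it works whether the root is <configuration> or <routing-instances> itself
    for inst in root.findall(".//routing-instances/instance"):
        name = inst.findtext("name")
        itype = inst.findtext("instance-type") or ""
        protocols = sorted(child.tag for child in inst.findall("protocols/*"))
        routing_options = sorted(child.tag for child in inst.findall("routing-options/*"))
        for ifl in inst.findall("interface/name"):
            by_interface[ifl.text.strip()] = {
                "nameRI": name,
                "instance-type": itype,
                "protocols": ",".join(protocols),
                "routing_options": ",".join(routing_options),
            }
    return by_interface


def lookup_interface(config_xml: str, ifl: str):
    """Return the instance record for one interface unit, or None if it is not in any RI."""
    return index_routing_instances(config_xml).get(ifl)


if __name__ == "__main__":
    for ifl, rec in index_routing_instances(SAMPLE_CONFIG).items():
        print(ifl, rec)
```

With PyEZ, the element returned by dev.rpc.get_config() is an lxml element; serializing it with lxml.etree.tostring() and passing the result to index_routing_instances() gives the map for the whole box in one RPC, which is the "faster" path: one config fetch, then dictionary lookups per random interface, instead of one query per customer.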



Network Security, overkill?

Maybe this a pretty dumb statement/question but I’m posting to get folk’s reactions...

If I have a firewall doing my NAT to the Internet with dual WAN internet uplinks and then multiple computers and servers sitting behind it on the LAN side of the firewall... are those computers really EVER at risk of random infections, viruses, malware?

Let’s assume no user ever checks email on these computers, never opens web browsers, etc. Is there honestly a security risk to just having a basic setup like this?

Are there really ways for intruders to reach my computers even though they are sitting behind my firewall with all ports closed inbound?

Thanks



Trying to wrap my my head around SDN.

I want to take my personal lab out of the L2 / VLAN age into the current day and play around with some SDN.

Been reading up on Cisco ACI, VXLAN BGP EVPN, Arista CVP, etc... I think I have the gist of it, but one thing I can't quite grasp. My workload is almost entirely VM based, and I plan to use Open vSwitch on my hosts. From my understanding, Open vSwitch is going to do the overlay for me; the servers will be the VTEPs for the VMs.

At this point, what's the use of ACI and the like? If the hypervisors are doing the overlay, would I not just need a basic L2 spine / leaf setup? Maybe use vPC instead of STP in that regard? The only question comes when non-OVS / VXLAN devices need access to some subset of the network. In this case you would just need a switch that can be a VTEP to handle the VLAN -> VXLAN transition for those devices?

Or a router / server could do it too, I guess, but a switch seems more elegant.

EDIT: For example, using some Cisco 9332PQs as spines, vPC to some 3132Qs to get a basic leaf / spine. Then on the spines do VTEP for a few SFP+ ports to feed some downstream Catalysts for a non-VXLAN access layer.



How are these cat5e cables terminated?

DSC-0107.jpg

Looking into how to get these working correctly as place is wired and wall plugs are there but Ethernet doesn't work.



Connect long Ethernet from ONT to RG to extend? Or just run long CAT5 or CAT6 from gateway port to room?

Thanks guys! Much love



Monday, May 18, 2020

VPN killswitch (prevent IP leakage)

If my VPN loses connection I need to ensure my local IP is not leaked.

Setup:

-Win 7 VmWare [Network Adapter: Bridged]

-VPN using SoftEther

-VPNCheck Pro (killswitch)

VPNCheck Pro closes my browser (Firefox) when my VPN goes down to prevent IP leakage.

However, I require a kill switch which will immediately stop ALL network traffic, not just close Firefox, OR just have all traffic forced to only travel through the VPN.

Any suggestions?



Nornir/YAML error

Hi, I've just started getting to grips with Nornir and YAML, to be honest. I have created the config.yaml, hosts.yaml and groups.yaml files in Notepad++ and only have these 3 lines of code to start with in Python:

from nornir import InitNornir
nr = InitNornir(config_file="C:/Users/<REMOVED>/Desktop/config.yaml")
nr.filter(site="uk").inventory.hosts.keys()

I'm getting these errors:

Traceback (most recent call last):
  File "C:/Users/<REMOVED>/PycharmProjects/test_project/nornir_test.py", line 2, in <module>
    nr = InitNornir(config_file="C:/Users/<REMOVED>/Desktop/config.yaml")
  File "C:\Users\<REMOVED>\PycharmProjects\test_project\venv\lib\site-packages\nornir\init_nornir.py", line 64, in InitNornir
    config = Config.from_file(config_file, **kwargs)
  File "C:\Users\<REMOVED>\PycharmProjects\test_project\venv\lib\site-packages\nornir\core\configuration.py", line 308, in from_file
    core=CoreConfig(**{**data.get("core", {}), **core}),
TypeError: __init__() got an unexpected keyword argument 'num_workers'

My config.yaml file looks like this:

---
core:
  num_workers: 10
inventory:
  plugin: nornir.plugins.inventory.simple.SimpleInventory
  options:
    host_file: "C:/Users/<REMOVED>/Desktop/hosts.yaml"
    groups_file: "C:/Users/<REMOVED>/Desktop/groups.yaml"

Any help with this would be much appreciated, go easy, I'm just a newbie with Nornir.
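The traceback says CoreConfig does not accept num_workers, which is what a Nornir 2.x-style config.yaml produces on Nornir 3 (the 3.0 pre-releases were on PyPI in 2020): in Nornir 3 the worker count moved from the core section to the options of the runner plugin, the inventory plugin is referenced by its registered name (SimpleInventory) rather than a dotted path, and SimpleInventory's option for the groups file is named group_file. The following is an added example, not Nornir's own code: a helper that rewrites a Nornir 2 config mapping (load config.yaml into a dict with any YAML parser first) into the Nornir 3 layout and reports each change. LEGACY_CONFIG is constructed from the config in the post.

```python
from typing import List, Tuple


def migrate_nornir2_config(old: dict) -> Tuple[dict, List[str]]:
    """Rewrite a Nornir 2.x config mapping into the Nornir 3 layout.

    Changes applied (each one is reported in the returned notes):
      * core.num_workers -> runner.options.num_workers (runner plugin "threaded")
      * dotted inventory plugin path -> registered plugin name (last component)
      * SimpleInventory option "groups_file" -> "group_file"
    Everything else is passed through unchanged.
    """
    notes: List[str] = []
    new = {k: v for k, v in old.items() if k not in ("core", "inventory")}

    core = dict(old.get("core", {}))
    if "num_workers" in core:
        new["runner"] = {"plugin": "threaded",
                         "options": {"num_workers": core.pop("num_workers")}}
        notes.append("moved core.num_workers to runner.options.num_workers")
    if core:                      # raise_on_error is still a core option in Nornir 3
        new["core"] = core

    inv = dict(old.get("inventory", {}))
    plugin = inv.get("plugin", "")
    if "." in plugin:
        inv["plugin"] = plugin.rsplit(".", 1)[-1]
        notes.append(f"inventory.plugin {plugin!r} -> {inv['plugin']!r}")
    opts = dict(inv.get("options", {}))
    if "groups_file" in opts:
        opts["group_file"] = opts.pop("groups_file")
        notes.append("renamed inventory.options.groups_file to group_file")
    if opts:
        inv["options"] = opts
    if inv:
        new["inventory"] = inv
    return new, notes


# Constructed from the config.yaml in the post above.
LEGACY_CONFIG = {
    "core": {"num_workers": 10},
    "inventory": {
        "plugin": "nornir.plugins.inventory.simple.SimpleInventory",
        "options": {
            "host_file": "C:/Users/<REMOVED>/Desktop/hosts.yaml",
            "groups_file": "C:/Users/<REMOVED>/Desktop/groups.yaml",
        },
    },
}


if __name__ == "__main__":
    import json
    migrated, changes = migrate_nornir2_config(LEGACY_CONFIG)
    print(json.dumps(migrated, indent=2))
    print("\n".join(changes))
```

The migrated mapping is what config.yaml should contain for Nornir 3 (a runner section with plugin: threaded and options: num_workers: 10, and inventory.plugin: SimpleInventory); the print at the bottom shows it in the same nesting YAML would use.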



Bias Current?

I've recently started implementing LibreNMS for network monitoring, and as I was configuring alerts and whatnot today, I saw an interesting one come in that I don't really know anything about, and I haven't been able to find anything on the internet (or at least anything that wasn't above my head).

I'm getting an alert for Low Bias Current on one of my SFP+ / Fiber ports but I'm not really sure what this means. The switch is an Aruba 2540.

Is this a problem? I don't have any other issues present. Is this something I should look into fixing (and how), or should I just disable alerts for this? What sort of long term issues could come up if I don't fix the issue?



Port/Ether Channel in IOS XE

Hi all, been working on this for a day and not sure where I'm going wrong.

I have 2 switch stacks comprised of 2 C3850 switches each. I want to build a port-channel between the two, using a single 10Gbps interface on each switch. To configure this, I issue the following:

Stack 1

interface port-channel 1
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,103,140-142,150
 switchport mode trunk
interface tengigabitethernet 1/1/1
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,103,140-142,150
 switchport mode trunk
 channel-group 1 mode active
interface tengigabitethernet 2/1/1
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,103,140-142,150
 switchport mode trunk
 channel-group 1 mode active

Stack 2

interface port-channel 1
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,103,140-142,150
 switchport mode trunk
interface tengigabitethernet 1/1/1
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,103,140-142,150
 switchport mode trunk
 channel-group 1 mode active
interface tengigabitethernet 2/1/1
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,103,140-142,150
 switchport mode trunk
 channel-group 1 mode active

The link comes up, but only on interface tengigabitethernet 1/1/1 on each switch.

I issue the following commands with the following results:

show interface port-channel 1
Port-channel1 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is XXXXXXXXXXXX
  Description: Uplink to MDF Switch Port-Channel
  MTU 1500 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 10Gb/s, link type is auto, media type is N/A
  input flow-control is on, output flow-control is unsupported
  Members in this channel: Te1/1/1
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 30537000 bits/sec, 2892 packets/sec
  5 minute output rate 2501000 bits/sec, 1612 packets/sec
     453062012 packets input, 614047590188 bytes, 0 no buffer
     Received 1514778 broadcasts (1299317 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 1299317 multicast, 0 pause input
     0 input packets with dribble condition detected
     238858799 packets output, 44184312356 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

show ethernetchannel detail
Channel-group listing:
----------------------

Group: 1
----------
Group state = L2
Ports: 2   Maxports = 16
Port-channels: 1 Max Port-channels = 16
Protocol:   LACP
Minimum Links: 0

Ports in the group:
-------------------
Port: Te1/1/1
------------

Port state    = Up Mstr Assoc In-Bndl
Channel group = 1           Mode = Active          Gcchange = -
Port-channel  = Po1         GC   = -               Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =   LACP

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
        A - Device is in active mode.        P - Device is in passive mode.

Local information:
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Te1/1/1   SA      bndl      32768         0x1       0x1     0x136       0x3D

Partner's information:
                  LACP port                        Admin  Oper   Port    Port
Port      Flags   Priority  Dev ID          Age    key    Key    Number  State
Te1/1/1   SA      32768     c4b9.cd05.8200  21s    0x0    0x1    0x136   0x3D

Age of the port in the current state: 1d:21h:43m:14s

Port: Te2/1/1
------------

Port state    = Down Not-in-Bndl
Channel group = 1           Mode = Active          Gcchange = -
Port-channel  = null        GC   = -               Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =   LACP

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
        A - Device is in active mode.        P - Device is in passive mode.

Local information:
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Te2/1/1   SA      down      32768         0x1       0x0     0x236       0x4D

Age of the port in the current state: 1d:21h:57m:01s

Port-channels in the group:
---------------------------
Port-channel: Po1    (Primary Aggregator)
------------

Age of the Port-channel   = 1d:22h:02m:54s
Logical slot/port   = 12/1          Number of ports = 1
HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =   LACP
Port security       = Disabled

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Te1/1/1  Active             0

Time since last port bundled:    1d:21h:43m:14s    Te1/1/1

So it's only using port Te1/1/1, instead of using both ports for 20Gbps total hypothetical bandwidth. Te2/1/1 on both sides show down (notconnect) and ports aren't lighting... but they are both connected. On port state in the etherchannel config port state is "Down Not-in-Bndl."

Is there something I need to do to the port-channel to config to tell it I want both ports to be active, or is this a media problem and the link between the Te2/1/1 ports is actually not good?

Thanks for the help, as always!
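A small check over the "Ports in the group" section of show etherchannel detail, added here as an example (not the poster's code or a Cisco tool). It reads each Port: block, takes the port state and the LACP State / Oper Key columns from the Local information table, and classifies every member that is not in the bundle. The distinction it draws is the one the output above turns on: a member whose LACP state is down with Oper Key 0x0 has never exchanged an LACPDU, which is what a physically dead link looks like, whereas a config mismatch shows up as susp or indep on a port that is up. SAMPLE_OUTPUT is a constructed excerpt shaped like the output above; the explanation strings are my own wording of the IOS port-state meanings.

```python
import re

# Constructed excerpt shaped like the "Ports in the group" section of
# IOS-XE "show etherchannel detail"; values mirror the post, not a live device.
SAMPLE_OUTPUT = """\
Ports in the group:
-------------------
Port: Te1/1/1
------------

Port state    = Up Mstr Assoc In-Bndl
Channel group = 1           Mode = Active          Gcchange = -
Port-channel  = Po1         GC   = -               Pseudo port-channel = Po1

Local information:
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Te1/1/1   SA      bndl      32768         0x1       0x1     0x136       0x3D

Age of the port in the current state: 1d:21h:43m:14s

Port: Te2/1/1
------------

Port state    = Down Not-in-Bndl
Channel group = 1           Mode = Active          Gcchange = -
Port-channel  = null        GC   = -               Pseudo port-channel = Po1

Local information:
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Te2/1/1   SA      down      32768         0x1       0x0     0x236       0x4D

Age of the port in the current state: 1d:21h:57m:01s
"""

STATE_RE = re.compile(r"^Port state\s*=\s*(.+?)\s*$", re.M)
# Local-information row: Port Flags State Priority AdminKey OperKey PortNumber PortState
LACP_ROW_RE = re.compile(
    r"^(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d+)\s+(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)"
    r"\s+(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)\s*$", re.M)

# What each LACP port state means for a member that is not forwarding in the bundle.
EXPLANATIONS = {
    "down": "link down: LACP has never exchanged PDUs on this port (Oper Key stays 0x0); "
            "check cabling/optics and 'show interface' before touching the channel config",
    "susp": "suspended: LACP ran but the partner disagrees (keys, partner device, or "
            "speed/duplex/VLAN settings differ from the bundle)",
    "indep": "independent: link up but no LACP partner answered (peer port not in a channel?)",
    "hot-sby": "hot standby: more members than the bundle allows",
}


def parse_members(output: str) -> dict:
    """Map each 'Port:' block to its port state, LACP state and operational key."""
    members = {}
    for chunk in re.split(r"^Port: ", output, flags=re.M)[1:]:
        name = chunk.split(None, 1)[0]
        state = STATE_RE.search(chunk).group(1)
        row = LACP_ROW_RE.search(chunk)          # first matching row is the Local information one
        members[name] = {
            "port_state": state,
            "bundled": "In-Bndl" in state.split(),
            "lacp_state": row.group(3) if row else None,
            "oper_key": row.group(6) if row else None,
        }
    return members


def diagnose(members: dict) -> list:
    """One finding per member that is not in the bundle, with the likely cause."""
    findings = []
    for name, m in members.items():
        if m["bundled"]:
            continue
        why = EXPLANATIONS.get(m["lacp_state"], f"LACP state {m['lacp_state']!r}")
        findings.append(f"{name}: {m['port_state']} -> {why}")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_members(SAMPLE_OUTPUT)):
        print(line)
```

Run against the output in the post it reports only Te2/1/1, in state down with Oper Key 0x0, which points at the Te2/1/1 link itself (cable, optic, or the far port) rather than at the port-channel configuration; the port-channel needs no extra setting to use both members once the second link is actually up.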