Saturday, May 30, 2020

Why CSMA in Wifi? Why not CDMA?

Noob question here. I was reading about IEEE 802.11, and I could not understand why, when we talk about wifi, we have to deal with CSMA/CA and hidden and exposed terminal problems. If something like code division multiplexing is used, then all hosts in an infrastructure-based wifi network can access the access point at the same time? Am I missing something or not? I am talking about non-MU-MIMO wifis.



CPU for running EVE-NG or GNS3

I plan to build a desktop rig. What CPU would be recommended to use if I want to run EVE-NG or GNS3 on it? Intel? AMD?

This would be for labs and testing.



Exploiting VRF

Question for my fellow nerds that enjoy looking under the hood.

Goal

New VPN Hub for terminating hundreds of site-to-site VPNs.

Design

Due to budget constraints, use existing 2x Cisco ASR1K as the hub VPN routers. Existing VRFs are for a handful of internal segments (interconnects). You make 2 new VRFs for this to work:

corporate-vrf: for decrypted, internal traffic.

FVRF: aka ipsec-aware VRF. Internet facing, for ipsec terminations.

As each remote site has static IP, you only have /32 static routes in the FVRF. No default route.

ACLs are configured to only allow the remote sites' IP addresses, and only ipsec related protocols (esp, Ike, nat-t, ICMP echo and echo-reply).

Palo Alto firewalls sit between the FVRF and Internet, fully loaded with IPS capability, AppID, etc. They also only allow required ipsec protocols.

The hurdle

You pass your design to Infosec Team and they reject it. Reason:

"The FVRF could get hacked and give the attacker direct access to the corporate network."

They are willing to approve if you put physical firewalls between the corporate network and the ASRs, which of course impacts the other VRFs. However, you have no budget, so new firewalls or routers are out of the question. You decide your only hope is to prove the risk is acceptable.

Determining risk

I believe the risk is extremely low, maybe even impractical, of having the ASR get hacked from the FVRF. Nevertheless, I suppose it is possible under these conditions:

  1. The attacker must hijack one of the remote site's public IP.

  2. The attacker must know a zero-day that exploits VRF and IPsec enough to gain full access to the router.

  3. The attacker must do this undetected by internal monitoring systems, especially when the victim remote site is down due to the IP hijack.

  4. The attacker must go undetected by the Palo Alto firewalls. The only way for this to happen is for attacks to ride in ESP payloads and/or for a zero day to also be exploited on PANOS. Sending attacks via IKE, NAT-T or ICMP should be nearly impossible because of AppID.

The real concern

I'm wondering in particular about how VRF could be exploited. How are packets going from FVRF to corporate-vrf, electrically? I believe the VRF technology is based on Linux LXC containers, or something similar, in which protected memory copies happen or some crazy shit like that. I just can't wrap my head around this design being hacked.

Of course, if a government entity is the attacker, I suppose they may have some crazy way of getting in, but at that point, if your attackers are government entities, then no solution is sufficient.

Thus, I believe the design is solid, without needing an extra set of internal firewalls for the decrypted traffic. What do you think?
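To make the "what can even reach the FVRF" part of the argument concrete, here is an added example (not from the original post): a small Python model of the FVRF ACL described above, which enumerates what a given source can reach. The peer addresses, field names and candidate packets are constructed assumptions, not the poster's configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed remote-site public IPs (RFC 5737 documentation ranges); in the
# design each one is a /32 static route in the FVRF and a /32 entry in the ACL.
REMOTE_SITES = {
    ipaddress.ip_address(a)
    for a in ("198.51.100.10", "198.51.100.11", "203.0.113.25")
}

IKE_PORT, NAT_T_PORT = 500, 4500          # IKE and NAT-T run over UDP
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0  # the only ICMP types the post allows


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet arriving on the FVRF (constructed format)."""
    src: str
    proto: str                      # "esp", "udp", "tcp" or "icmp"
    dport: Optional[int] = None     # transport destination port, if any
    icmp_type: Optional[int] = None


def fvrf_permits(pkt: Packet) -> bool:
    """Return True if the packet matches what the FVRF ACL in the design is
    meant to allow: a known peer /32 speaking IPsec (ESP, IKE, NAT-T) or ICMP
    echo. Everything else is denied, including management-plane ports from an
    otherwise valid peer."""
    if ipaddress.ip_address(pkt.src) not in REMOTE_SITES:
        return False
    if pkt.proto == "esp":
        return True
    if pkt.proto == "udp":
        return pkt.dport in (IKE_PORT, NAT_T_PORT)
    if pkt.proto == "icmp":
        return pkt.icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)
    return False


def exposed_services(src: str) -> List[Tuple[str, Optional[int]]]:
    """Probe the policy with a constructed set of candidate packets and return
    the (proto, port-or-icmp-type) pairs this source can reach. This is the
    attack surface the post is arguing about, written down rather than assumed."""
    candidates = [
        Packet(src, "esp"),
        Packet(src, "udp", IKE_PORT),
        Packet(src, "udp", NAT_T_PORT),
        Packet(src, "udp", 161),                      # SNMP: must be denied
        Packet(src, "tcp", 22),                       # SSH: must be denied
        Packet(src, "tcp", 443),                      # HTTPS: must be denied
        Packet(src, "icmp", icmp_type=ICMP_ECHO_REQUEST),
        Packet(src, "icmp", icmp_type=13),            # timestamp: must be denied
    ]
    return [
        (p.proto, p.dport if p.dport is not None else p.icmp_type)
        for p in candidates
        if fvrf_permits(p)
    ]


if __name__ == "__main__":
    print("valid peer  :", exposed_services("198.51.100.10"))
    print("unknown host:", exposed_services("192.0.2.99"))
```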



My Linksys WRT3200acm router won’t let me connect to my 2.4ghz network that I use for cameras and smart home devices anymore.

When I put in the correct password it claims it’s incorrect and all my smart devices no longer are connected. Any thoughts would be great, thanks.



struggling with port forwarding

Hoping someone can help who understands this stuff better than I do. I'm trying to game with my friend, and in order for me to create sessions within the game apparently I need to do port forwarding.

I went into my router and set the ports according to their instructions. My friend cannot see my server in the list. I know that the server is working because I have a start server bat file and I'm able to see it, but only in the LAN section. When I join, it tells me on the server exe that my username joined. I can also kick myself. But it will NOT do anything outside of LAN.

I thought maybe it was firewall related, so I went into the Windows Defender Firewall tool and added rules for outbound and inbound on those ports to allow everything.

I know it's really hard to diagnose like this, but I'm just curious if there are any basic principles I may be forgetting? I've read all the forum posts and things that I can out there. It's just not working.

thanks for any help.

tl;dr: is there anything other than adding port forwarding in my router settings and changing Windows Defender Firewall input/output rules that I could change to allow my server to be seen outside of LAN only?



Thoughts on ZScaler?

I sat in on a recent sales pitch and was quite impressed but a tad bit skeptical.

The solution appears sound and the problem it hopes to address is very real. That said, how much of it is marketing hot air, and can they truly deliver?

It just seems too good to be true.... route us all your internet-bound traffic and we will take care of proxy, IPS, DLP, SSL break/inspect. Ditch traditional VPN architecture and let us be your remote user network SaaS to complement cloud-based apps/data.

If only they knew my org just spent millions in any-connect licensing for the huge work from home ramp up. Then again maybe that is why they are talking to us... cue sunk cost fallacy.



Are there any side hustles being a network engineer?

Given that we're in a niche and you can't mess around with live networks or even do anything on the cloud, wanted to ask are there any ways to provide services on a gig basis? Would like to hear some ideas on how to try and branch into getting freelancer roles. Guess devops or programmers are in a better position for this. Or need to find a completely different path off from IT. Haven't done anything else other than just work on networking for the last couple of years.. aside from studying AWS/GCP.. need to pay bills and stuff so was looking to get some ideas on this.

Thanks in advance for any suggestions.



Badge reader software recommendations for door/physical access.

I'm looking to switch badge reader software at my company. My current vendor is moving onto the cloud, and is expecting us to pay three-times-a-year what we paid before as a one-time fee (their new hardware won't work with the old software, to push people into migrating.) Is there an open source option or a "good" software that you recommend? Thanks!



Network book - not certification oriented

I’m looking to find a book to study networking. I’m a cloud engineer and I need to learn more about networking, but I’m not focused on networking certifications like CCNA or Network+ for now; it’s just to learn more about networking.

I was looking at certification books as a reference. What do you suggest, guys?

It’s hard to find a book not focused on certifications; probably I’ll buy a cert book because it’s complete and goes deep. People are talking about the new CCNA book by Odom.

Thanks for the advice.



Help with a WiFi/wireless design

Hello folks. I don’t know if this is the right place to ask but I need some help to design a wireless network. Maybe some people here have come across something similar and can point me on the right direction.

Here is the scenario.

I have a base where there is a laptop. I also have 3 distant racks (around 200 feet away from the base). Each rack has 4 devices managed via network from the laptop.

I need to set up 1 access point on each rack and connect the access point to the devices using Ethernet. All 3 access points should be on the same network/SSID so that I can manage the 12 devices (4 devices per rack, 4*3 = 12) with the laptop at the base. All being wireless.

The AP don’t need access to internet. I just need to interconnect the laptop to all the devices through APs like it is 1 network.

Is this possible to do? What approach would you suggest following?

I thought of something like outdoor mesh APs with enough Ethernet ports for the devices, or using APs with one as master and the others as repeaters, bringing the LAN to the wireless on each AP.

I hope I explained well what I want to design, and sorry if there are any mistakes. English is not my mother language.

Notes. Be well and stay safe!



Network/cable tester tools and hardware

Hello everyone

Long story short is that my Pockethernet broke (again), the first time being the charging circuit dying, which is a known issue for PE, and they gave me a replacement. This time the wire mapping functionality is damaged, in which the tester believes that all cables have the same broken conductors. Sad to say I can no longer trust Pockethernet in a professional environment because having 2 testers die in less than 2 years is not to my liking. Not to mention their support is basically non-existent, real updates haven't happened in years, and from my reverse engineering of the Android software and the hardware, there are underlying firmware bugs which are scary to say the least.

I am currently making do with a Klein Scout Pro 2, but it is missing features that I use on the regular maintaining multiple locations consisting of over a thousand drops. My role is to run new drops and to identify, label, troubleshoot, and find any other drops in the buildings.

With that being said I am looking for a tool that can do (In a sub $1500 price range):

  • Wire mapping, fault finding, etc (with a remote end. Wire map ID's optional)
  • POE testing (voltage, class, etc)
  • TDR
  • Link establishment
  • CDP/LLDP/VLAN discovery
  • DHCP polling
  • Port Blinking

Optional features would be:

  • Built in Toner (Analog and/or digital)
  • Ping, external IP, network tests
  • Reporting (PDF)
  • Bit Error Rate tests

I've been eyeing a few tools, but they either don't have a KIT that has everything I need, or I would need to purchase multiple tools to do the job that the Pockethernet did by itself.

For example, the Platinum Tools Net Prowler seems to have everything I need, but I've seen reviews that it can only negotiate up to 100BASE-T, and that 1000BASE-T is software discovery. This is kind of useless when you need to make sure all your cabling can actually handle gigabit and not just assume it can. I have also looked at the Platinum Tools Net Chaser, but I haven't found much information on it other than that it is the Net Prowler's bigger, better version. Another option was the Klein VDV Commander, which is a rebrand of the Platinum Tools Cable Prowler, and it does not actually have any network testing functionality besides link establishment.

I have also looked at the FLUKE MS2, FLUKE CIQ-100 and FLUKE LRAT-1000 (and 2000). The first and second testers are great if I was only interested in copper terminations, but they lack any network testing other than detection of a switch on the other end of the cable. The second tester seems to be well rounded and exactly what I want, but I can't find any kits that have all the essential pieces. For example, the FLUKE LRAT-1000 does not come with a wire mapping end from what I can see. The FLUKE LRAT-2000 has a kit with a single wire map end, but it is not available off Amazon. I did manage to find a complete kit including multiple wire map ends plus the digital tone wand (https://www.amazon.ca/Fluke-Networks-LRAT-2000-Kit-LinkRunner-IntelliTone/dp/B007FR6T6A), but the price is a bit steep for me.

Can anyone suggest a tool that meets these requirements? It seems like I may just have to keep on using my klein scout pro 2 and purchase a secondary tool for networking troubleshooting such as a fluke linksprinter or the like although I wish to only have to carry around one tool.

Thanks for any suggestions



Does disabling network security protocols with MAC filtering increase network performance?

A friend of mine and I were discussing this scenario. If I disable networking security protocols (such as WEP, WPA or WPA2) and enable MAC filtering, would it boost network performance for the connected machine while protecting the network from bandwidth attackers?

Here's the scenario: we were wondering about adding security protocols, since they add extra processing to encrypt & decrypt information, and adding the extra bits for the encryption itself takes compute cycles to resolve. If we remove those, we assume we also remove the compute cycles it takes to handle that security.

But then that leaves the network open for anyone to connect. So if we added a MAC address filtering, that only we know - it could potentially help avoid that attack.

Would that speed things up for the connected machine, even if negligible? Has anyone tried such a configuration before?



Subnetting question

I have been going through some CCNA Questions about Subnetting, and I've found this question with a weird answer to it.

https://prnt.sc/sqttsr

The D answer has subnet 225.255.255.252, which is weird; I don't think this is possible.

Is it a typo? or am i missing something?
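As an added example (not part of the question above), a quick Python check of whether a dotted-quad mask is even a valid contiguous mask, which is the first thing to verify on a question like that one, plus the network/broadcast calculation a CCNA answer would need. The sample host address is constructed.

```python
import ipaddress
from typing import Optional


def mask_to_prefix(mask: str) -> Optional[int]:
    """Return the prefix length for a dotted-quad mask, or None if it is not a
    valid contiguous mask (all 1 bits followed by all 0 bits)."""
    try:
        value = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return None  # not even four octets in the 0-255 range
    # A contiguous mask looks like 1...10...0. Inverting it gives 0...01...1,
    # and a value of the form 2^k - 1 satisfies (x & (x + 1)) == 0.
    inverted = value ^ 0xFFFFFFFF
    if inverted & (inverted + 1):
        return None  # a 0 bit sits to the left of a 1 bit: not a mask
    return 32 - inverted.bit_length()


def describe_subnet(host: str, mask: str) -> Optional[dict]:
    """Network, broadcast, prefix and usable host count for host/mask, or None
    when the mask is invalid (so an answer choice like 225.255.255.252 is
    rejected instead of silently miscalculated)."""
    prefix = mask_to_prefix(mask)
    if prefix is None:
        return None
    net = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
    # /31 and /32 have no separate network/broadcast addresses to subtract.
    usable = net.num_addresses - 2 if prefix <= 30 else net.num_addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix": prefix,
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    for candidate in ("255.255.255.252", "225.255.255.252"):
        print(candidate, "->", describe_subnet("192.168.10.77", candidate))
```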



Need help connecting IACS to the network

Hey guys,

I am a network newbie and am in real need of some help. I am more of a sysadmin that covers the network at a decently sized manufacturing facility, so please bear with me. I am just learning all the Rockwell Automation\Cisco terminology for these devices as well.

We just recently got an IACS that has a Stratix 5700 inside it. We were asked to hook it up to our network for VPN access and connection to the SCADA system, but we are not sure how to do it.

Our goal right now is to isolate the internal IACS network from the already vlan isolated industrial network. Then connect up only specific devices within the IACS (like one or two PLCs or the HMI) to the rest of the industrial network.

All of the other IACS were connected to our network by a past employee with little documentation. From what I could tell the other IACS do not have switches as robust as the Stratix 5700 most of them are the Allen-Bradley 9300 Rades.

After reading through the Rockwell/Cisco CPwE documents we think we have a good grasp on the theory but not the actual configuration.

How would we configure the switch ports and vlans to get this configuration:

NETWORK DIAGRAM

With:

  1. There only being 1 "Machine".
  2. With the inside network being on vlan1.
  3. Inside devices configured on 192.168.1.0\24 on vlan 1
  4. Outside devices configured on 10.10.20.0\24 and vlan30
  5. No etherchannel, one single uplink. Stratix port: gi1/1 -> 2960x port: gi1/0/40
  6. The layer 3 switch is a Catalyst 2960x

We know that we should be using NAT to translate the IP addresses from the inside network to the network outside of the IACS, but don't know specifically how.

Would we configure the switchport on the stratix 5700 as an access port on vlan 30? But apparently NAT does not change the vlan tag so that would not work right? No traffic from vlan 1 would come out interface gi1/1?

Should we change the VLAN identifier on all the Stratix's device ports from VLAN 1 to VLAN 30, then just use NAT to translate (IP addresses and gateways) across the subnets 192.168.1.0\24 -> 10.10.20.0\24?

Or should we be using NAT at the layer 3 with PAT and a routed interface?

Has anyone else implemented this sort of configuration with the Stratix? Any help would be greatly appreciated.

References:

https://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td007_-en-p.pdf

https://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf

Stratix 5700 Switch Configuration



Help connecting home router to Zyxel NWA1123

I have a virgin media(internet provider) provided router.

I've connected a Zyxel NWA1123 using a long Cat5 cable.

For the life of me I can't get the shagging thing to do what I want.

Which is to in my noob terms extend the wifi signal to the other side of the building.

I've been reading the manual. Fiddled with Zyxel settings. No joy.

Any advice or help appreciated



Ntc-templates on windows 10

Hi guys,

I'm following along Kirk Byers' python course. (Amazing shit!!)

I've just got stuck trying to use the "use_textfsm=True" argument. It says that ntc-templates isn't installed and I should install it from GitHub. I've installed pip and ran "pip install ntc-templates", and I can see ntc-templates in my library.

Kirk doesn't explain how to make this work with Windows.

Would really appreciate some help. Let me know if I've explained the issue enough that you understand.

Thanks



ERSPAN to VMware ESXi VM

Hello,

I have a project to migrate our ERSPAN sessions from a physical server over to a VMware virtual machine.

Currently we have remote sites with Cisco ASR 1001x that we setup as the ERSPAN sources with their destination being our Cisco 4510 core switch back at our main branch. We have a physical server plugged into that core switch and have monitor sessions pointing to the port it's connected to, everything works fine.

I'm curious about the setup for the virtual machine. I only have access to the networking side; the ESXi hosts are managed by a different team. Does VMware support ERSPAN? Is there a certain version/feature/license required for it to work? Curious for my own knowledge on how this is set up on the ESXi side if it is supported, and to make sure I'm asking the ESXi team the right questions.

Thanks



TCP/IP Illustrated Vol.1, which edition to read?

As the title says, I want to buy the book but there are two editions of it. One is from 1994, and the newer one from 2011.

Also, the first edition, if I'm correct, is around ~600 pages, and the second ~1000. Why is there such a page difference, or am I seeing something different?


TCP/IP Illustrated, Vol. 1: The Protocols (Addison-Wesley Professional Computing Series) 1st Edition

  • Hardcover: 576 pages
  • Publisher: Addison-Wesley Professional; 1 edition (January 10, 1994)

TCP/IP Illustrated, Volume 1: The Protocols (2nd Edition) (Addison-Wesley Professional Computing Series) 2nd Edition

  • Hardcover: 1056 pages
  • Publisher: Addison-Wesley Professional; 2 edition (November 25, 2011)

Plain and simple: which one should I read?



Cisco HQoS licensing

Dear community,

I'm looking to purchase an ASR9K (RSP440-TR, fans, PWRs V2). The LC I'll use is the 24x10G TR. However, I just encountered this license: S-A9K-HQOS-RTU-10. I need to run the QoS feature; do I need to purchase this as well, or is it only for premium features?

Thanks for your help,



Gateway Sometimes Pings

Full disclosure! This is related to my job. I completely understand if you feel that this is free consulting and discourage this behavior. I do welcome any help though!

Happy Weekend Everyone. Or I wish it was!

Pings fail to this gateway on this device for > 90% of packets. It takes until sequence 50 or so for a packet to come back. This is obviously no good for internet traffic. Other hosts on the same subnet do not have this issue. Other networks appear to be able to hit the device. They are in a 192. address space compared to this host's 10. That is second-hand information, so feel free to disregard that.

Troubleshooting steps that I have tried:

  1. Changing switch ports.
  2. Ensuring routes are fine (to my knowledge they are fine, but check it out below!)
  3. Changing the cable from the host to the switch.
  4. Unplugging the cable from the switch and pinging the ip the host is assigned. There appears to not be a duplicate IP
  5. Rebooting the firewall.

Routing table:

ip route
10.56.99.0/24 dev eth1 proto kernel scope link src 10.56.99.101
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 10.56.99.1 dev eth1



SaltStack FrameWork Vulnerabilities Affecting Cisco Products

/r/Cisco/comments/gt6czu/saltstack_framework_vulnerabilities_affecting/

Extend wifi area connection without using an extender

Hi guys. I'm new to networking and was wondering how would I go about extending the signal of my wifi without using a wifi extender. The dsl cable is too short to move the router around. Any thoughts? Thanks



Friday, May 29, 2020

Advice Wanted for a Newbie

A friendly commenter on r/HomeLab sent me here, so here I am. (I'm in a bind as to whether this question suits r/HomeNetworking or here more, and decided that given the gear I'm looking into is enterprise-grade, here was the better option.)

Over there I asked for recommendations regarding inexpensive networking hardware to learn networking fundamentals on, in addition to upgrading my network setup from my ISP. Now I want to learn the fundamentals to take the CCNA; my plan was to purchase some Cisco switches in the future and use them in tandem with GNS3, and use Packet Tracer in the meanwhile. And the equipment I was looking into was the Ubiquiti USG, Switch, and AP. Do you guys have any recommendations, pointers or general tips for me? And hell, why don't I ask here too? Do you guys have any hardware recommendations? (Or maybe some hardware I should avoid at all cost?)

Thanks in Advance



VRF Route Leaking Configuration

Hey Reddit,

I am having some difficulty in configuring route leaking between VRFs. I have looked through multiple examples of this online and cannot understand why the routes between my two test VRFs are not being added to each other's routing tables when the route targets appear to be being imported correctly.

Does anyone have any ideas, I get the feeling I am missing something really obvious?

ip vrf Test1
 rd 65001:991
 route-target both 65001:991
 route-target both 65001:992
!
ip vrf Test2
 rd 65001:992
 route-target both 65001:991
 route-target both 65001:992
!
interface loopback1
 ip vrf forwarding Test1
 ip address 192.168.1.1/32
!
interface loopback2
 ip vrf forwarding Test2
 ip address 192.168.2.1/32
!
router bgp 65001
 !
 address-family ipv4 vrf Test1
  redistribute connected
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf Test2
  redistribute connected
  no synchronization
 exit-address-family
!

sh ip bgp vpnv4 all

Route Distinguisher: 65001:991 (Default for VRF Test1)
*> 192.168.1.1/32   0.0.0.0                  32768 ?
*> 192.168.2.1/32   0.0.0.0         0        32768 ?
Route Distinguisher: 65001:992 (Default for VRF Test2)
*> 192.168.1.1/32   0.0.0.0         0        32768 ?
*> 192.168.2.1/32   0.0.0.0                  32768 ?

sh ip route vrf Test1

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       Dc - DHCP Client
       [*] - [AD/Metric]
       * - candidate default

C    192.168.1.1/32 is directly connected, loopback1

Switch: FS S5800-8TF12S



Setting up VPN to allow RDP to RDP

So I have been using VNC over the net to remote into my home PC, which I know is pretty stupid, so I want to create a VPN network and/or server to accomplish this securely. In short what I want to achieve is, an RDP connection from my work computer, or any public computer, securely to my home PC (what I am using now) via VPN.

This is what I have available at the moment:

  1. WAN ISP connection at home, with a shitty ISP router that doesn't have VPN server functionality (Sagemcom)
  2. ExpressVPN account (which doesn't appear to allow port forwarding?)
  3. OpenVPN server setup on my home PC (to act as a server) with the manual config provided from ExpressVPN
  4. Windows 10 Pro PC

I am at home now currently connected to the OpenVPN server with a dynamic 10.xxx.xxx.xxx address, and getting a dynamic 45.xxx.xxx.xxx address from ExpressVPN, My ISP WAN address is 42.xxx.xxx.xxx which for the most part is static (maybe changes once every 2-3 months).

I have countered all these dynamic addressing issues with DDNS that I have been using for years successfully with VNC.

I believe I may have all the tools necessary (correct me if I am wrong), but I'm having a lot of trouble with which ports to forward and where to host the VPN server (can I host the VPN server AND use it as my home machine to RDP to?).

For example, I forwarded port 3389 on the home router, ran a test over the net, and it was successfully opened. Does this just open the port? I can't see how then it would know to 3389 to my personal PC?

Any help is much appreciated.



Neighborhood Surveillance System

I am hoping to get suggestions. Our private neighborhood of 9 homes is looking to install an outdoor network system technology to link 3 or 4 IR, HD cameras with solar panels. The cameras will be installed on entry point homes and a street lamp pole at the fire road, etc. The cameras are not in line of sight with each other and can be 300-500 ft between cameras. Is there a robust network system you can recommend? We do not want to hire an expensive surveillance company. We will either purchase a standalone internet connection, tie into a home internet via repeater or satellite, and use either DVR or cloud for storage. Any and all suggestions are greatly appreciated.



CMX (non-rated) outdoor/direct burial cable inside an attic. NEC allows 50 feet, but the cable must be terminated in an "enclosure" or "primary protector"?

I'm looking to install PoE security cameras. Due to the long runs outdoors, the cable needs to be UV resistant. This usually means that the cable has to have a sheath that is unrated (CMX) and can't be run for long distances inside a structure. NEC allows for 50 feet indoors provided it's terminated inside an "enclosure" or "primary protector".

https://www.mikeholt.com/instructor2/img/product/pdf/11LE-968-sample.pdf

I believe the logic behind this all comes down to fire. If lightning or a large voltage is applied to the exterior of the cable, it could ignite the sheath and start a fire inside the home. However, I don't know how I'm able to reasonably terminate multiple runs coming into a structure from various sides/distances all in grounded enclosures.

In my state that involves a low voltage 06 licence, which means you're basically an electrician. 4000 hours apprenticeship + certs, licence, bond, all of it.

This could get pretty expensive and is well beyond the scope of what most home owners are expecting for security camera installs.

That said, I want to do these jobs right and was wondering what common practice is here.

Thanks.



Looking to automate host IPs etc. from vSphere to various network equipment... notably the FW.

Anyone point me in the direction of if this is feasible? If they did the general premise behind how they did it?

I'm fairly certain I can set up and use Checkpoint's or others' APIs to do this, but not sure in VMware land...

Had an incident the other day that got me thinking about this. (Someone re-ip'd a host but wasn't updated in the FW)

  1. Create less work... It's already enough (not hard work mind you, but can be time consuming from other task.) work to spin up a new vm. Then add it as an object in the FW.
  2. Help with the human error portion.

I don't need it to place it inside any ACL (yet), just update the object in the FW, as host objects are tied to singular IPs or inside greater network objects.

Thanks.



Python for Network Engineers, free course starts Tuesday (June 2nd)

Once a quarter (roughly), we run a free course on Python for Network Engineers. The next session starts on Tuesday, June 2nd.

This course is an online course and covers Python Fundamentals from a network engineers perspective.

The course is delivered via email and consists of eight weekly lessons.

Course details and sign-up are here:

https://pynet.twb-tech.com/email-signup.html

About me...basically, I work at teaching Network Automation (Python, Ansible, Nornir). I am the creator and maintainer of the Netmiko library. I also work quite a bit on the NAPALM project and a little bit on the Nornir project.

I will be lurking around if you have questions on the course.



Zoom app ports

I have an issue that needs to be solved for a client. I've opened all the ports I see listed for Zoom, yet it still can't get through the firewall.

protocols allowed: TCP + UDP

ports open: 3478 3479 3480 3481 443 80 8801 8802

Can anyone list additional possible ports that might be blocking it?



iosfw 0.9.6 - Automatic Cisco IOS firmware upgrades in native Python

I shared this project a while back. With C19 and another summer upon us, it's time for a refresh.

https://github.com/austind/iosfw

From the changelog:

  • New platform: ASR920 support
  • New platform: ISR 4331 support
  • New feature: Control creds in config.yaml
  • Bug fix: Unrequested debug output
  • Bug fix: Several issues in schedule_reload()
  • Refactor: move connection to open() method

Looking for help with:

  • Supporting other platforms
  • Better logging
  • Adding Nornir and/or Ansible support. That's the big milestone before v1.0 release.

Cheers!

-Austin



Cisco Modeling Labs 2.0 - Password Recovery

Is there a means of recovering the password for the login or am I doomed to reinstall it all over again?



Why are ISPs such a royal pain in the ass?

https://i.imgur.com/d1XnZ0i.png

We have a 400Mbps commit and 1Gbps burst from Century Link in Seattle. We also have access to a 1Gbps “business” line from Comcast at the same building.

We noticed a problem when systems on the CL circuit were taking a LOT longer to run updates and pull data from online compared to the Comcast circuit.

The above link is a table of test http results from various data centers in seattle and across the US.

The CL circuit is basically garbage to every single site.

I set up an iperf3 server on Vultr in Seattle, and on the Comcast circuit I got 800Mbps. On the CL circuit I got ~180-200Mbps. I captured Wireshark of the transfer. The Comcast connection looked stable. The CL circuit looked like a jagged sawtooth with >13k dupe ACKs.

https://imgur.com/a/HPiwf6v

We escalated to CL. Their response “we ran a L2 test and got 488Mbps on the circuit, the problem is on your end”.

  1. We plugged directly into our Cisco 1002-X router with it straight to the CL circuit and nothing else. Local test to another client on the router is fine.
  2. How do you conclude that a 488Mbps circuit test result is “good” on a 1Gbps burstable line?

Like wtf? I don’t typically work with ISPs much. I just help run the network for our labs and interface with our enterprise networking people which are mediating and investigating with CL.

But holy f%*%. Why are ISPs always such a PITA when trying to help diagnose issues when you present them with all kinds of data that there is a problem? They just balk at it, look to see if it auto-negotiated to 1Gbps or something stupid and say “line is good”. Like what in the hell.

Our enterprise networking is escalating the issue with CL right now. So hopefully we get someone that isn’t a complete derp. Maybe I’m completely wrong... but just annoyed, frustrated and mainly wanted to rant.



Catalyst LanLITE and how to set up 1:1 public IP to VLANs? BVI maybe?

Hi all -- been trying to research something and coming up short and could use your help.

I use a Catalyst 2960X with LanLITE as my perimeter switch. Recently my network levelled up by adding an SBC, but the telecom folks and SBC maker are stuck and I'm not sure if I can do what they are asking.

They want me to take a new, second public IP block my ISP provided and split its IPs into individual VLANs that we can push out a single trunk port to the SBC. e.g.:

public-ip-1 = VLAN 210
public-ip-2 = VLAN 211
... and so on

Traditional subnetting wouldn't work because we'd consume too many IPs for broadcast/gateway.

Then I started googling. I find lots of details about Cisco IRB (integrated routing and bridging) but I don't think I have that available on Catalyst IOS LanLITE.

BVI is supported, I think? But would that work? I've never messed with BVIs before.

Thanks for any pointers or helpful links or explanations!



Anyone run Cisco AMP Threat Intelligence Cloud on your network? What all do you do with it and what is your experience with it?

Just learning about it and want to know some real world use of it.



BGP preference to a preferred path

Hi fellow networkers :-)

I have a BGP question!
I have not worked much with BGP, so i'm trying to find the best solution to configure the following:

We have 2 switches connected to an external AS# (eBGP). When using multipath connectivity to an external AS we are looking for the best way to use path selection. Currently we use AS prepending to prefer a route to one of the 2 switches. But my feeling does not agree with me somehow. I cannot explain why, it is just a feeling. At first I thought "Weight" is the way to select the preferred path.
But then I read somewhere the following: "The Weight attribute is local to the router and is not advertised to neighboring routers". Currently we advertise 2 subnets (in the future this will be more).
In the document I also found that MEDs (Multi-Exit Discriminators) can be used to assign a preference to a preferred path, but this is also true with AS prepending.

So why should I choose prepending over MEDs? MEDs can be overwritten with route-policies by the neighboring network administrators, whereas prepending cannot be adjusted.

What do you think is the best course of action?
If you need more information please let me know. I'll try to explain as clearly as possible.

Thanks for your help
Palermo



Does all coax cable support docsis 3/3.1?

My apologies if this is a stupid question, but I'm totally new to this.

I need to replace the coax cable coming from the ISP modem on the roof to mystic internet box as a neighbor accidentally cut the cable thinking it was theirs.

In a bid to future proof, I want to make sure the cable supports docsis 3/3.1

My question is, do I need a specific type of coax cable, or will all support this?



NANOG79 is next week and you can attend for free

With all this working from home, my sense of time is completely off and I didn't realize that NANOG is coming up next week. It is going to be online and it is free to register for - https://nanog.org/meetings/nanog-79/

While the biggest value of these kinds of conferences for me has always been meeting people and sharing experiences, there still is lots of value in the presentations and panels that happen.

So if you are like me and completely forgot about it - here's your reminder.



Can I trust LACP to deal with an online but suddenly unconfigured switch properly?

Hey everyone,

I’m trying to avoid an outage on a site with minimal local support and need clarity on one point.

The background to the question is that today I was upgrading my Cumulus Linux switches and lost contact with them through our VPN box (pfSense) which is connected to the switch pair (one link per switch) in a master/slave configuration (we previously had it in LACP, but had major reliability issues with it).

When you do a major upgrade on Cumulus you basically have to re-image the device completely and restore all your settings. When I rebooted into the fresh configuration, it provided link-beats to the connected devices. The pfSense box saw the link-beat, figured everything was OK and used that link as its master. The problem is that, as a fresh device, the switch goes nowhere and my remote access vanished.

I managed to recover this with some modest on site help (“please remove the cable in port 1”). Going forward I can fix this by modifying the pfSense LAGG to only use the switch I am not about to do maintenance on.

So, the next switch pair I have to do is connected to a single Cisco switch via LACP. The internet runs on a VLAN through this trunk. I don’t want to get this one wrong.

My expectation is that Cisco's LACP will be smart enough to realize that the switch on the other end isn’t configured properly and won't blackhole half or all of my traffic, but “should” is kind of a nebulous deal.

Is my instinct that LACP will do the right thing correct, or should I force the matter by disabling a physical interface in the LACP trunk on the Cisco side to force all the traffic down to whichever switch I am not updating? Should I even do that, or is there some better approach that I am missing?

Thanks,

2inch



Cisco A9K supporting QOS + Hardware supported release

Dear Community,

I'm reaching out because I'm seeking clarification here.

We have an ASR9006 (all kit: powers, fans, V2)

with a config 2*A9K-RSP440-TR +1*A9K-24X10G-TR + 1*A9K-2X100GE-TR.

The router needs to support QOS -> police/shape/BW/queue. Problem is: We are currently breaking our heads trying to find out which release should be implemented on the device in order to do so.

Also as the A9K-2X100GE-TR is getting older we are seeking a way to know which is the latest supported release on the LC in order to avoid any problem with the IOS XR.

Any feedback, advice or even links to the right Cisco datasheet are more than welcome!

Thanks for your help!



ISP change for business with remote branch and peering

Hi all,

I am looking into changing our ISP in our office in Switzerland. We also have a branch in Argentina and now I am a bit confused regarding the peering. The ARG office has a dedicated line from the office to their ISP.

What is important in regard to "good" peering between the ARG ISP and the new Swiss ISP? I checked PeeringDB and found both AS numbers but I am struggling to make sense of it really...

The ARG ISP has one exchange point in Moscow, which is MSK-IX Moscow, and I thought maybe I could check the peers of this point to see if it matches the peers in any of the Swiss ISP exchange points, but I am not sure if this is the right approach since I couldn't really find anything that matches?

I also saw in PeeringDB that our current ISP's scope is global and one of the possible new ones has a scope for Europe. Is that already an indication that the new ISP might not be a good choice?

thanks for the help!



RDP and QOS

Hello everyone,

I'm working as tech support for an ISP. A client, only on 1 site, has issues when RDPing. They connect to servers inside their MPLS VPN provided by us. On their 8 Mbit/s link, the QoS in place reserves up to 30% with a shape at 7800 kbit/s. Every time they download a 15Mo file from a mail, RDP sessions are dropped until it ends.

The class where the RDP is doesn't have any drops in it, I only have some in the default class. Still my sessions are dropped.

Where can I look further? I want to try everything before escalating the ticket.

Thanks in advance for your inputs.



Tethering Subnet sharing Android USB/Hotspot

I am trying to configure my raspberry pi which is tethered via USB to my android phone (192.168.42.X) so that it can be remotely accessed (xrdp or ssh) via a device connected to the hotspot of the same android device (192.168.43.X).

_____________________________________________

Basic structure:

rPi<-----usb0-(42 subnet)---->Android phone<-----mobile hotspot(43 subnet)------>Remote client

_____________________________________________

My research has only come up with a solution to ssh from the android phone providing network access rather than accessing from a device on a different subnet.

Can anyone point me in the right direction to access a USB-tethered device from a device tethered on a different subnet?



Thursday, May 28, 2020

advice with some site to site vpn configuration

Okay, so we have two sites.

Site A: dynamic IP, remote worker, SOHO device installed.

Site B: office, static IP, SonicWall installed, has a site-to-site connection with our AWS.

We need to join site A to AWS, and ideally that would be how we do every other site, but it lacks a static IP, and AWS doesn't support aggressive mode VPNs?

So the idea is to do a site-to-site from A > B, route all traffic through site B, and in the process share the connection to AWS.

Now I have it set up so we route all traffic, and it works; public IP even thinks traffic comes from the office. This is all great... but AWS doesn't connect. Any advice on making this work? Weird NAT rules maybe?



Windows 10 speed = 360 down Ubuntu = 850 down??? - Internet speed issues

So, bit of a puzzle on my own system: 850 Mb/s down when booted into Ubuntu but only 360 Mb/s down in Windows 10 (consistent), speeds are not capped (as in change +- 10 Mb/s)...

I have tried:

Setting adapter to full-duplex

A gigabit Ethernet to USB adapter, no change (same speeds in Ubuntu and Windows)

Looking at task manager (Nothing using the internet during the test)

Safe Mode (With Network)

Note:

I have a 2 VPN software (Express and Open) (Express was installed after the issue was there)

I have Oracle VirtualBox installed (Network related software)

The same cable used for all testing, no network changes during.

Any ideas/suggestions?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Cisco VG350 reboots

Should a Cisco VG350 be rebooted on regular basis?



802.1x Packetloss

I recently got a TP-Link T2600G-18TS. Today I wanted to give 802.1x a try so I set up freeradius and some very minimal configuration to begin with. Authentication seems to work fine and the device connects to the network. The switch shows the device as authenticated and freeradius seems happy as well, but what I noticed is that I get 20-50% packet loss. As soon as I turn 802.1x off for that port it's fine again. Logs on the switch aren't saying anything helpful either. Anyone got any idea what could cause that?



ERSPAN appliance

Hey guys,

We are running virtual NACs and are in need of a device that can locally collect all SPAN traffic, and send it to multiple destinations (via IP).

Does anyone know of any appliances, or could recommend anything?



Public Private Speedtest

The name contradicts itself, but I wanted to know if it’s possible to use a self-hosted speedtest.net system and restrict the access to that site.

Is there a way for only authorized clients to use the public/private speed test? We don’t want unauthorized pseudo clients consuming unnecessary amounts of bandwidth.

Furthermore, I’m not too familiar with Apache or nginx to build a login system. It would be nice to pull AD credentials which would then give authorization to perform a speedtest.

Does this idea sound feasible? Any advice is much appreciated.



BGP subnet managing tool

I have multiple BGP subnets registered in multiple different registries; is there any tool to manage all of them from one place?
The basic need is to look up the whois database and make sure the locations are mentioned properly based on the datacenter (where it is announced) location.
Also the number of subnets assigned to a particular datacenter.



Planning to implement VLANs on a flat /16 network- is my strategy the best way forward?

Hello,

I'm in the planning phase of implementing VLANs onto our network. We have all Cisco gear, about 10 switches in total.

Since this is my first implementation, I wanted to get some professional eyes on my plan to make sure I'm not missing any steps.

  • Create scopes in DHCP for new VLANS

  • Setup DHCP helper

  • Create all planned VLANs on ASA (separate interface so I can move to the non VLANd interface if things don't go right)

  • Backup all switches with Unimus before implementation

  • Start with a single switch- set to trunk all VLANS and slowly roll out access port settings to switches

  • Hyper-V Servers get trunks for the VMs

  • Management IPs are inaccessible from other VLANs

  • Move interface from ASA to the VLANd interface

  • Hope everything works!

And that is the basic roll out. Am I missing any crucial steps in my process?

Thank you!



MPO/MTP Fiber between switches - Do I need crossover?

Or will straight through work as well? Not sure if that applies as it used to with copper. Thanks in advance.



We'd like to support dual stack ipv4/ipv6

We're a Cisco shop. Routers, Switches, and ASAs.

We'd like to support customers who want to run IPv6, but our customer base currently is IPv4 (hence IPv4 core network). Other than making sure our team has a solid understanding of operating IPv6 network, what sorta gotchas should we be looking for to make sure we're ready to operate dual stack.

Anything related to equipment compatibility, IOS/ASA versions compatibility, protocol compatibility, anecdotal information, or recommended reading material is appreciated. Thanks in advance for your thoughts!



ASR9k: Does interface status "Up" confirm a cable is plugged in?

I'm remotely connected to a switch. One of the interface statuses is set to 'Up' (as is the protocol).

Is that enough info to show that a cable is plugged into that interface?



Need ACS 5.5 ISO

Hello,

Long shot here, but does anyone happen to have an ISO of ACS 5.5 (I'm running 5.5.0.46.10) I can download from somewhere? It's not available on Cisco's site anymore.

I need to do a CLI password recovery and so far none of the other versions I've tried seem to keep the recovery. They let me recover it, but I still can't use the new password. Some posts say you have to use the same version ISO?



Surveying network security solutions – from firewalls to SASE

A brief survey of network security solutions and where we are headed.



Confusion over Azure express route and availability zones

I posted this question on the Azure reddit forum but didn't get an answer so I thought I would give it a try here. If I choose to deploy the zonal redundant express route (ErGw1AZ for example), does that automatically create a second redundant express gateway in a different zone? or does it somehow spread the gateway instance across all 3 availability zones? Or do I need to create 2 express gateway instances? I've done a fair amount of googling but can't seem to find the answer. When you create a virtual network gateway, it seems to automatically create a second standby instance.



radius authentication for user from router with qos and ip pool template

Hi all,

Does anyone know how to configure windows NPS(Radius) or any other free software that would authenticate a radius packet coming in from a router and then the radius software would assign QoS and IP Pool from a template depending on the user parameters?



Outside calls from specific phone model keep cutting out.

I'm running CUCM 10.5. I've got most of my offices with cisco 7821 phones. However, a few spots have 7965 models. The 7965 internal calls are fine, but external calls are extremely choppy. Not packet loss choppy, just like I would call Microsoft and the automated system would sound more like "Th--k -ou f-r ca-l-in- Mic-o-oft" like every couple syllables cuts out.

I'm trying to rack my brain on any solutions. I'm not amazing with cucm, but it almost doesn't sound like something rtmt would be able to diagnose but I'm not extremely experienced with it.

Anyone ever see anything like this happen?



POE vs Non-POE switches and surges

Hi!

Out of curiosity, does anyone know, and this may be a stupid question, if POE switches are more prone to external electrical surges than non-POE switches? (This is under the assumption that they are not connected to a surge protector)



any Webex admins having issues with admin.webex.com?

The admin login page is stuck for some of our admins when they're connecting on a RAP or at some specific office locations but it's working fine at other locations.



Question about channels.

Hi, I was casually looking for a firmware update in my router's GUI and came across a "channels" setting. I have a brief understanding of network channels (I think they are kind of like frequency blocks or ranges, rather centered around a specific frequency). My question is simply if the only purpose of channels is to avoid interference. For example, if I were to live in a remote cabin out in the forest would it at all matter which channel the access point transmitted at? I'm sorry if my understanding is completely wrong. Any help would be appreciated. Thanks in advance!



Aggregate 48+ 10Gb services with one or more 100G uplinks

In your opinion, what would be the best vendor/device to aggregate this many 10G services with at least two 100G uplinks?

We are trying to avoid making our PEs (MX480) part of the aggregation layer (one option was to add 10G boards to our current MX480 and bring all 10G straight to them) and instead use a single layer 2 device connected via 100G to our main and backup PEs.

Our current plan would be to upgrade our MX480 to support 100G and connect one (or more) Ciena 5171 so we can aggregate many 10G on it and keep it layer 2 from CPE->AGG->PE.

I want to know if there is anything else out there around the same price (under 35k), or if our solution was the wrong one to start with.



SFP Tx power - is it static or dynamic?

As many of you know, SFPs have their Tx signal powers specified as a range. For example:

Minimum: -6 dB

Maximum: 1 dB

I have two identical SFPs, which currently run at very different Tx power and Current.

-1.51 dBm vs -3.46 dBm

37.00 mA vs 21.32 mA

Since the one with -1.51 dBm also has a much worse Rx signal than the one with -3.46 dBm, I started wondering if (some) SFPs dynamically re-tune their Tx power based on Rx measurement or some other parameter.

Or is it just a coincidence and it's just a lottery, how powerful SFP you get? Anyone know for sure or can maybe link to some in-depth article?



Need help for a large number of 4G WiFi Routers

Hi Guys, been a long time lurker, first time poster!

I'm looking for a reliable 4G WiFi Router for a widescale rollout of somewhere around 2000 small retail stores. I'm looking for something with the following features

  • Hardware must be remotely managed
  • Must be a small and reliable device
  • Once we configure needs to be plug and play
  • Whitelist Capability (Only certain domains and IPs should be allowed)

Not sure if I'm missing something obvious but I can't seem to find something like this that isn't hideously expensive! Thanks in advance for any help you can provide!



Wednesday, May 27, 2020

Primary and secondary VPN ASA

Hello everyone, I need to set up 2 VPNs from an ASA to 2 remote locations, primary (normally in use) and secondary (standby, used if needed). The issue is that I also need to NAT the traffic from my internal network going out of the VPN to a specific IP for the primary VPN and to another IP for the secondary VPN. Any suggestions on how to implement this scenario?

      ____ NAT IP 1 ---- Primary VPN
LAN /
    \____ NAT IP 2 ---- Secondary VPN

Thank you all in advance



Cisco SSH rsa key question

Hi All,

So my layer 2 network is about 300 Cisco 2960 switches and 400 Cisco autonomous AP's.

Part of my standard rollout is to enable ssh with 2048 modulus ---> crypto key gen rsa mod 2048

After that, I check the key --> show crypto key mypubkey rsa.

What comes up is the 2048 key I created, but also a 512 key and a 768 key.

If I crypto key zeroize rsa then recreate the 2048 modulus key, then show crypto key mypubkey rsa, THEN it shows me only the 2048 modulus key.

Question: Why are the 512 and 768 keys present when I created a 2048 key? And more importantly, which of the three keys is used when the device is SSH'd to? If the 512 and 768 keys will never be used, then I'm good. But if there is a chance they will, I'm going to have to go through all 700 devices manually, zeroize the RSA's, then recreate them as 2048's.
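One way to answer the "which keys are below 2048 bits" half of that question across a fleet is to audit the `show crypto key mypubkey rsa` output itself. The following is an added example, not code from the post: IOS prints each public key as hex-encoded DER under "Key Data:" without stating the modulus size, so the script walks the DER to recover it; the key names, timestamp and key material in the embedded sample output are constructed (dummy moduli of the right length, not real keys).

```python
"""Audit the RSA key pairs a Cisco IOS device lists under
'show crypto key mypubkey rsa' (added example, not from the original post).
The sample show output is constructed: key names are made up and the key
material is a dummy modulus of the right bit length, not a real key.
"""
import re

MIN_BITS = 2048          # policy threshold: anything smaller is flagged


def der_tlv(tag, body):
    """Encode one DER tag-length-value (used only to build the sample input)."""
    n = len(body)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_integer(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                      # keep the INTEGER positive
        raw = b"\x00" + raw
    return der_tlv(0x02, raw)


def der_read(buf, pos):
    """Return (tag, value_start, value_end) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, pos, pos + length


def modulus_bits(spki):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    _, body, _ = der_read(spki, 0)                 # outer SEQUENCE
    _, _, alg_end = der_read(spki, body)           # AlgorithmIdentifier
    tag, bits, _ = der_read(spki, alg_end)         # BIT STRING
    if tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, rsa, _ = der_read(spki, bits + 1)           # RSAPublicKey, skip unused-bits byte
    tag, n_start, n_end = der_read(spki, rsa)      # INTEGER modulus
    if tag != 0x02:
        raise ValueError("modulus INTEGER missing")
    return int.from_bytes(spki[n_start:n_end], "big").bit_length()


def dummy_spki(bits):
    """SubjectPublicKeyInfo around a dummy modulus with exactly `bits` bits."""
    modulus = (1 << (bits - 1)) | 1               # right length, not a real key
    rsa_pub = der_tlv(0x30, der_integer(modulus) + der_integer(65537))
    alg_id = der_tlv(0x30, bytes.fromhex("06092A864886F70D010101") + b"\x05\x00")
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_pub))


def render_key(name, bits):
    """Mimic one key block of the IOS show output (constructed, not captured)."""
    h = dummy_spki(bits).hex().upper()
    groups = [h[i:i + 8] for i in range(0, len(h), 8)]
    lines = ["  " + " ".join(groups[i:i + 8]) for i in range(0, len(groups), 8)]
    return "\n".join([
        "% Key pair was generated at: 10:12:03 UTC May 27 2020",
        f"Key name: {name}",
        "Key type: RSA KEYS",
        " Storage Device: not specified",
        " Usage: General Purpose Key",
        " Key is not exportable. Redundancy enabled.",
        " Key Data:",
    ] + lines) + "\n"


SAMPLE_SHOW = "\n".join(render_key(n, b) for n, b in [
    ("SW1.example.com", 2048), ("SW1.example.com.server", 768),
    ("SW1.example.com.legacy", 512)])

HEX_LINE = re.compile(r"\s*[0-9A-Fa-f]+(?:\s+[0-9A-Fa-f]+)*\s*")


def parse_show_output(text):
    """Return [(key_name, spki_bytes)] for every key block in the output."""
    keys, name, hexparts = [], None, []
    for line in text.splitlines():
        if line.startswith("Key name:"):
            if name:
                keys.append((name, bytes.fromhex("".join(hexparts))))
            name, hexparts = line.split(":", 1)[1].strip(), []
        elif name and HEX_LINE.fullmatch(line):
            hexparts.append(line.replace(" ", ""))
    if name:
        keys.append((name, bytes.fromhex("".join(hexparts))))
    return keys


def audit(text, min_bits=MIN_BITS):
    """[(key_name, modulus_bits, meets_policy)] for every key pair reported."""
    out = []
    for name, spki in parse_show_output(text):
        bits = modulus_bits(spki)
        out.append((name, bits, bits >= min_bits))
    return out
```

Fed the captured output of each device (for example collected by the same tool used for backups), `audit()` lists every key pair with its real modulus size, so the devices that still carry sub-2048-bit pairs can be found without logging in one by one.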



Does EIGRP load balancing affect the forwarding for a specific destination address?

Hi,

It seems like I'm having this weird issue on my network: a specific IP block under the switch1 VRF cust instance is experiencing some delay or issue when accessing/connecting to a public proxy server, and sometimes this causes delay when browsing using the said proxy server.

Updated Diagram: https://ibb.co/XFV0JMT

To make the story short, I did some isolation and checked every segment, interface, etc.

From the above diagram you can see on the left our current setup: core switch1 doesn't have any EIGRP neighborship with R2 (internet router), and we just use the port-channel EIGRP with HC2 using SVI 700 & 701.

Using this setup (left), the client is experiencing slowness when accessing websites using the public proxy. Here's the routing from SW1 to the proxy server.

SW1#sh ip route 123.1.1.1
Routing entry for 123.1.1..0/23
  Known via "eigrp 1", distance 170, metric 2563072
  Tag 100, type external
  Redistributing via eigrp 1
  Last update from 3.3.3.2 on Vlan701, 00:03:07 ago
  Routing Descriptor Blocks:
    3.3.3.2, from 3.3.3.2, 00:03:07 ago, via Vlan701
      Route metric is 2563072, traffic share count is 1
      Total delay is 120 microseconds, minimum bandwidth is 1000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2
      Route tag 100
  * 3.3.3.6, from 3.3.3.6, 00:03:07 ago, via Vlan700
      Route metric is 2563072, traffic share count is 1
      Total delay is 120 microseconds, minimum bandwidth is 1000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2   <----
      Route tag 100

Technically the routing looks good and since this is a slowness issue then it means Client can still connect to the public proxy to access websites. So EIGRP is doing loadbalancing between SW1 -> SW2 (SVI 700/701 eigrp adjacency).

I tried forming EIGRP adjacency between SW1 and R2(internet router), note that this is still via the same port-channel link between SW1 & SW2.

Now it shows better results from the client side (no delay when accessing websites using the public web proxy).

SW1#sh ip route 123.1.1.1
Routing entry for 123.1.1.0/23
  Known via "eigrp 1", distance 170, metric 2562816
  Tag 100, type external
  Redistributing via eigrp 1
  Last update from 172.1.5.5 on Vlan999, 00:22:04 ago
  Routing Descriptor Blocks:
  * 172.1.5.5, from 172.1.5.5, 00:22:04 ago, via Vlan999   <- R2 INTERNET ROUTER
      Route metric is 2562816, traffic share count is 1
      Total delay is 110 microseconds, minimum bandwidth is 1000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1   <----
      Route tag 100

It seems that using the EIGRP adjacency between HC1-HC2 on SVI 700/701 somehow affects the forwarding towards the proxy server. The thing here is: why is only a specific destination affected? The difference is the hop count: previously we were seeing 2 hops and now we are just 1 hop away from R2 (internet router) because of the EIGRP neighborship between SW1 and R2.

TRACE COMPARISON:

W/ ISSUE
SW1#trace vrf CUST 123.1.1.1
  1 3.3.3.2 3 msec   <---- SW1-SW2 EIGRP USING SVI 700/701
    3.3.3.6 3 msec
    3.3.3.2 4 msec
  2 172.1.5.5 2 msec 2 msec 2 msec   <---- R2 (INTERNET ROUTER)
  3 * * *

W/OUT ISSUE
#trace vrf CUST 123.1.1.1
  1 172.1.5.5 2 msec 2 msec 1 msec   <---- R2 (INTERNET ROUTER)
  2 * * *
  3 * * *

Note: technically SW1 is using the same physical link to forward the traffic between eigrp neighbor via Port-channel (refer to the diagram)

Question:

  1. Does the EIGRP load-balancing mechanism affect the forwarding to the public proxy server? Note that other applications work and they use the same path.
  2. Does the given next-hop affect the forwarding, and why? We can see from the previous setup that a route exists toward the public proxy (123.1.1.1); the difference now is that before we were receiving the 123.1.1.0 public proxy block from HC2 (SVI 700/701) and now only R2 is selected as the best path.
  3. Please see the comparison between the traceroutes; we can see that both traces are able to forward the traffic to R2.

Seeking your technical inputs about this behavior.



LAG between WLC/Core Switch



Question about new capabilities: Opengear OM1200 and OM2200 (Console Servers)

Opengear has announced new OM1200 and OM2200 devices in a press release for today May 27th, 2020. There are already Opengear (and other brands of console servers) that offer NetOps, Docker containers etc.

From the press release I can gather that the only unique features are the x86 processor and "secure boot process". Is this correct?

I realize these are new devices, but I am looking for information or product comparisons on these new features. I suppose I might have to wait a few weeks for some good reviews.



Looking for a cellular interface device

Hey all, I'm in the unfortunate position of needing to set up a wifi network in a location with no access to landlines. Cellular coverage is excellent, though, so we're looking into that for an uplink. In doing some googling, though, there doesn't seem to be an obvious standard. The plan was just to go with a local provider and hope they supplied a router with an RJ-45 out, but none of them seem to, so I'm looking for any suggestions in that department. Forwards compatibility to 5G (in Europe) is also a bonus, but seemingly no providers at present offer that, so 4G is likely going to be our best choice. Internal to the router will be a pfSense box, so I could do dual uplinks but I'd probably need a second upstream router to make that work. I'm normally a Unifi guy, so I'm a bit out of my element here; any suggestions would be appreciated...



Oxidized schedule backup (at 6:30 e.g.)

Hello !

I'm brand new to Oxidized (and not a UNIX expert ngl) and I was wondering if there was any way to set an hour instead of an interval in the config file so the backups happen during the night.

Thank you ! Have a good day.



Troubleshooting DHCP issues (Windows Server) after server migration. I want to change lease times as a troubleshooting step. Can you help me understand the effects this will have?

My question is a relatively simple one, but for context I'm going to post my scenario, what I'm trying to do, and the issues I have in doing it. However, feel free to skip to the bottom for the questions I have.

The Setup

We have two forests with their own primary domain, which we'll call DomainA and DomainB. DomainB is in the process of being migrated into DomainA. The ultimate goal is to do away with DomainB's forest entirely. Currently there is a shared trust between them.

Parallel to this project, we're also doing our Server 2008R2 upgrade project. In this scenario, I have a Windows server at all our retail locations which hosts File Share / Printers / DHCP. My issue in particular is with DHCP.

For these migrations, the old 2008R2 server is on DomainB, and we're replacing it with a 2019 server in DomainA. Note that all workstations and nodes at the location are still on DomainB.

The Process

On the old server (which is on DomainB), I run netsh dhcp server export [filename] all to export settings to a text file, and copy that to the new server. I then rename the old server from Servername to Servername-old and change its IP to something different. I then disable DHCP Server.

On the new server (which is on DomainA), I change its IP to the original one that the old server had, so that way I don't have to change the helper addresses. I import the settings file using netsh dhcp server import [file] all, and now I have all the scope settings and leases from the old server. I authorize the new DHCP server. I add an A record on DomainB's DNS that points the old server's original name (without the -old) to the IP address that's now inhabited by the new server. Finally, I plug in credentials from DomainB onto the new DHCP server to allow it to write DNS records in DomainB.

The Problem

In some cases (~30% of the time) the new DHCP server will have an issue where devices aren't getting DHCP, which either results in having to reboot the DHCP service or roll back the changes entirely. This issue usually isn't discovered until days later, which likely ties into the expiration date for the leases. Oddly enough, even though we're following the same process for every server, this issue hasn't affected every server.

So with all that, finally

The Questions

There's some basic principles about DHCP that I'm not super clear on. Any guidance would be helpful.

  • I want to change the expiration times for leases to an hour as a troubleshooting step, so I can observe that leases are getting renewed correctly. Is this a good idea? How would changing the expirations on the server affect the leases that are already assigned? Would those expirations be updated, or would the leases have to be refreshed first?

  • What effects would it have if I migrated DHCP without migrating the leases? What effect would that have on machines that already have a lease when this migration occurs? Should I or should I not migrate the leases with them?

  • Is there a reason to not have IP conflict detection turned on? All these servers have no conflict detection. I would like to bump that to check a couple of times before leasing. Any considerations I should have before making a change?

  • Finally, what would a good test method be to confirm that DHCP is working properly? I'm remote, so usually what I do is run a bat script on a workstation via RDP that releases and renews its IP address. I can monitor the DHCP server and see that the device picks up a new lease. However, it may still have an issue when the natural expiration comes up and it needs to refresh.

Thank you all in advance! Sorry for the wall of text. I just wanted to make sure that I provided all the context I could in case that changes things.



Has anybody used 2N (owned by Axis) camera/intercom combinations? If so, what are your thoughts?

We’re looking at a new video intercom for a couple of projects made by 2N that has been highly recommended and has a full featured camera that can be put into Exacqvision with a lot of upgrades from the current devices we're using (Stentofon): full resolution camera, IP69 rated, modular so we can later add additional features like a keypad or additional buttons. This eliminates the need for two devices and has a higher water intrusion rating so I think it looks like a good option to go with. Not to mention it should integrate with Cisco CM for video phone and door/gate opening. Of course, most of the information we've gotten so far has been from sales teams, so I take a lot of that with a grain of salt.

Thoughts? Experiences good or bad? Thanks!



How can ASA code 9.8.4.15 fail external security scans for critical remote code and DDOS that Cisco says fixed in 9.8.2.20 ?

Had an external pen test done against my ASA. The 3rd party company said I have this CVE show up:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

Cisco released code fix in May of 2018, my code (9.8.4.15) is Oct 2019. Why would this code show as positive critical CVE on a security scan? It's been almost 2 yrs, security scanners should have correct signatures by now, right?

I can't believe that this CVE is still in the code?

Anyone have this hit them on security scan? I don't know the scanning tool the 3rd party is using. I have asked them to investigate.
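One reason a version-based scanner can misfire on an ASA is the two ways the same release is written: `show version` banners print "9.8(4)15" while release notes print "9.8.4.15", and a plain string comparison of the first form against the advisory's "9.8.2.20" sorts it as older. The following is an added example, not from the post or from any scanner: it normalises both spellings into numeric tuples and compares within the release train, using only the 9.8.2.20 fixed release quoted in the post (other trains are deliberately reported as unknown rather than guessed).

```python
"""Is a running ASA release at or past an advisory's first fixed release?

Added example, not from the original post. The one fixed release below,
9.8.2.20 for the 9.8 train, is the figure quoted in the post; the running
versions used in the checks are constructed. Cisco publishes fixes per
release train, so a train missing from the table is reported as unknown.
"""
import re

# first fixed release per (major, minor) train; only the 9.8 entry is from the post
FIRST_FIXED = {(9, 8): "9.8.2.20"}


def parse_asa_version(text):
    """'9.8(4)15' (show version banner) and '9.8.4.15' both -> (9, 8, 4, 15)."""
    nums = tuple(int(n) for n in re.findall(r"\d+", text))
    if len(nums) < 2:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    return nums + (0,) * (4 - len(nums))      # pad 9.8.4 -> 9.8.4.0


def fix_status(running):
    """'fixed', 'vulnerable' or 'unknown-train' for the given running version."""
    ver = parse_asa_version(running)
    fixed = FIRST_FIXED.get(ver[:2])
    if fixed is None:
        return "unknown-train"                 # a later train is not automatically fixed
    return "fixed" if ver >= parse_asa_version(fixed) else "vulnerable"


def naive_string_check(running, fixed):
    """Plain string comparison, kept only to show one false-positive cause:
    '(' sorts before '.', so '9.8(4)15' compares lower than '9.8.2.20'."""
    return "fixed" if running >= fixed else "vulnerable"
```

Whether the third party's scanner actually did this is not known from the post; the point is that a correct comparison of the poster's 9.8(4)15 against 9.8.2.20 returns "fixed", so a finding that says otherwise should be challenged for its matching method, not assumed correct.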



Network capacity management

Is anyone using Solarwinds to help with capacity management, specifically around ISP connections?

Just wondering if this is a good tool to help.



Help with Cisco Meraki Z3 and WFH home phone

Hey everyone - I've got a WFH system setup at home with a terminal and office phone. Our internet is wired through an outlet from the wall and plugs into the Meraki Z3 which then goes out to the terminal and the phone. Everything is working just fine, however I want to buy a standalone PC and get rid of the terminal but keep the phone.

Would it be a good solution to have the internet from the wall come into a switch, then from that switch have one cable go to the Z3 and phone, and one go straight into the new PC?

Sorry if my terminology is wrong, my networking expertise is fairly limited.



Connecting to Bridged Modem/Router Web Admin Page through WAN PPPoE

My current setup:

ISP Router (Bridge Mode) connected to WAN Port of Unifi UDM Base, then connected to the internet with PPPoE.

ISP Router IP 192.168.1.1/24.

UDM IP 192.168.0.1/24.

Since the router is in Bridge mode I can no longer access the settings for the router through 192.168.1.1. I’ve looked at many threads here that had the same problem as me but I couldn’t find a solution that works. Can anybody guide me on how I can connect to the ISP Router GUI control panel again through the UDM?

Thanks in advance.



Server Farm as a DMZ zone?

At my company we are currently changing our firewall from old ASA to new FTD version of Cisco, and I wanted to follow best practices on the design.

Right now we have our DMZ the right way, but our server farm comes through INSIDE network interface. I get it this is usually the right way, because you trust your INSIDE network, and traffic from INSIDE to Server Farm will not be filtered.

I wanted to separate SrvFarm from INSIDE, but I'm not sure if this is a good approach. One problem I think it will have is that I will need to create a lot of access rules from In to Srv.

Is this worth doing so, or should I work more and try and "clean" my INSIDE network, trust it and leave it on the same interface?

Thanks!



Can you suggest an introduction to computer networks course/book ?

The course my professor gave us in University is a bit outdated (probably was made in 2000), so I want something to learn on my own



New Xfinity Modem - Wifi network not showing on my list

Good morning all

Xfinity sent me their latest modem they could to help improve my quality. I installed it yesterday, changed the SSID to what the prior network was named and it connected to every device but my work laptop. I was on the phone with my support team for a couple hours and got nowhere.

I checked the drivers this morning, and they are enabled. I've disabled and re-enabled the device times. I've hard cycled my modem 7 times, and restarted my computer about that number as well...still nothing. I even tried to manually add my network, forget it, rename it, then forget it again and still nothing.

Any thoughts on how to get this working?



Looking to buy an Arista 48 port PoE access layer switch

The models are even more confusing than Catalysts...

We are looking for a new access layer switch (LAN-base in Cisco terms). Like a 9200 Catalyst or HPE Aruba 2530.

Not asking much:

  • 48 ports, can be all copper
  • standard PoE
  • Can be pure L2-switch

What model would that be in the Arista portfolio?



ASA Hairpin error "Unable to reserve ports"

I'm having trouble creating a hairpin NAT on an ASA running 9.12(2).

First of all I have this configured for internet access.

object network INSIDE-SUBNET
 nat (INSIDE,OUTSIDE) dynamic interface

Secondly I have NAT statements like this for a few internet accessible services on different public IPs.

object network OBJ-FTP-SERVER
 nat (INSIDE,OUTSIDE) static 123.123.123.123 service tcp ftp ftp

access-list OUTSIDE-IN extended permit tcp any object FTP eq ftp

But when I try to add a hairpin like this I get an error saying "Unable to reserve ports"

nat (inside,inside) source dynamic INSIDE-SUBNET interface destination static OBJ-123.123.123.123 OBJ-FTP-SERVER service OBJ-SERVICE-21 OBJ-SERVICE-21

The service object looks like this.

object service OBJ-SERVICE-21
 service tcp destination eq ftp

Does anyone know what I'm missing here? This very configuration has worked fine for the last 2-3 years.



Cisco MDS Syslog to ELK

I want to forward Syslog messages generated by Cisco MDS switches to ELK. I'm unable to send via the default Syslog port (514) since ELK already listens for messages on that port for other devices. No problem, I can alter the default port via:

logging server <IP> 6 port 6599 facility syslog

However, this command only seems to work on newer MDS 9700 hardware. On older MDS 9500, it looks like there is no option to specify a port, and thus it uses the default one. MDS 9500 runs on the 6.2.23 image. Could this be solved by updating the firmware? I noticed the newest version is 6.2.31.

I went through the release notes of each version but didn't see anything mentioned regarding adding a port option. PS: this is all running production so I am unable to test.



Tuesday, May 26, 2020

What's connected to my Switch?

Hey guys,

I've got a Dell Force Ten S60. This is a 1 gig switch with a couple of ten gig SFPs installed as a module.

So back in April, I got a notification that the interface shifted to 100Mbps instead of 1Gig. These types of things usually fix themselves, as it was just a laptop going to sleep or something that would toggle the interface port to shift down in speed; then when the computer wakes up it would toggle back to full 1gig speeds.

However, I still see traffic on port 0/23 which has been set at 100Mbps for months now. I pinged all the systems we have connected to that switch and everything appears good. So I've done a show arp, a ping 192.168.222.255 and a show mac address table. Still I don't see anything on port 0/23, but the interface is up and there is traffic.

Again, whatever is connected to port 23 doesn't show up on any list to correspond to a MAC address or an IP. But I see little tiny bits of traffic on port 23, but I guess nothing with a MAC address is communicating with the switch. So whatever is connected to the other end, maybe it's asleep?

I'm working remotely so I can't just go tone out the Ethernet line. Wondering if there are any tricks you guys use to figure out what is plugged into the other end of a Dell switch. Or even a Cisco switch, maybe they use similar commands anyhow.



Why would the MSRP for a perpetual NX-OS Essentials license be lower than the 36-month subscription equivalent?

So I'm poking around in CCW here looking into licensing options for different N3K models, and the perpetual NX-OS essential license ends up having a slightly lower cost compared to a 36-month subscription for the same license. Why is that? Why on earth would anyone pay more money for a license with a lower term?



Cisco 3560 fresh config - Vlan1 is up, line protocol is down

This is my first ever experience with a piece of networking equipment of this scale and it's all foreign. I have a C3560G-24PS-S with v.15 IOS installed. I did a factory restart (is that what you call it?) and started fresh. I'm just trying to get it configured as a usable switch at this point. After that I'd like to have it take over NAT, DHCP, etc, so that I can convert my wireless SOHO router into just an AP. This is all in the name of science and learning btw.

I'm following along with this youtube video. All was well and went accordingly until after we set the IP Address and issued the command "do sh int vlan". In the video the guy gets "vlan is up. line protocol is up." I'm not getting that however. I'm getting "vlan is up. Line protocol is down". Unfortunately I haven't the slightest idea what a line protocol is.

I should mention that I have the switch plugged into my Debian server via console cable/serial port and I have nothing plugged into any of the RJ45 ports on the front of this machine or the sfp ports. Further, the switch is in "STAT" mode as shown by the lighted indicator on the left side of the face of the switch.

Where do I go from here? Thanks!



One solar panel/cabinet and split two 4G systems

I want to install a solar system high up on a hill where I get good 4G signal and beam it back to two different locations. I plan to use a ubiquiti rocket ac.

I need the two locations to be separate from each other, in that they use their own 4G router up in the solar cabinet. At each location they will have a unifi connected to a powerbeam gen2.

What would be the best way to configure to make sure they are using their own data?

Would this work?

Solar system:

  • 2 X Huawei 4G Modem Routers with 2 Ethernet Ports
  • 1 X Netgear 5 Port Switch

Huawei modems and Rocket connect to switch. One Huawei is 192.168.1.1 and the other is 192.168.2.1

House 1:

Unifi gateway is 192.168.1.1

House 2:

Unifi gateway is 192.168.2.1

Can the switch manage that?

I know what I've written is very basic but will it work that way or is there a much different way that I should be doing it?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Port Scanning

Hello guys. Sorry if I broke any rules and missed a Megathread, but I am kinda panicking right now and I appreciate all the help I can get right now.

I wanted to play Terraria with some friends and had the idea of using an old laptop as a server. I followed every step on the setup guide and opened port 7777. After 20 minutes or so I looked at the cmd prompt and noticed an IP that tried to connect but couldn't. So I googled the IP: 45.143.220.94 and saw the first entry was AbuseIPDB and it had multiple entries. I don't know much about port scanners, but it is listed as malicious. Am I at high risk now? I have other computers on my network. I have closed the port and the laptop. What do I have to do? Thanks for helping me out >.<



idle beerquestion/speculation on how to detect a wireguard tunnel?

So we use Palo Alto firewalls, for better or worse, and I have a couple of pfSense boxes in my not-this-client's space. So let's say someone has set up their WireGuard to use a common UDP port, say 53/DNS, or 443/https, or 853/dns-tls, or whatever. (Though I'm not sure that 443 or 853 will apply to this thought train because the protocols are TCP. But anyway, you get the idea.)

There's not a Palo Alto App-ID for WireGuard (that I saw anyway). So how will I be able to definitively determine if some person is using WireGuard from my inside to their outside?

Or even not definitively... maybe just a heads-up warning that doesn't get lost in the noise?

Disclaimer: it's probably obvious I haven't dug into WireGuard much. Yet.

thanks!
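
A heuristic that a firewall or pfSense-side script can apply when there is no App-ID for the protocol, as an added example that is not part of the post and not Palo Alto or pfSense code. It relies on the fixed framing of WireGuard's four message types: the first byte is the type and the next three bytes are reserved zeros; handshake initiation (type 1) is 148 bytes, handshake response (type 2) is 92, cookie reply (type 3) is 64, and transport data (type 4) is 32 bytes or more in multiples of 16 (a 32-byte message is a keepalive). The datagrams below are constructed; the addresses and ports are sample values.

```python
# Heuristic WireGuard-over-UDP classifier (added example, not from the post).
# Scores flows by message framing rather than port number, so a tunnel on
# 53/udp or 443/udp is scored the same way as one on 51820/udp.
from collections import defaultdict

WG_FIXED_LEN = {1: 148, 2: 92, 3: 64}  # initiation, response, cookie reply


def looks_like_wireguard(payload: bytes) -> bool:
    """Return True if one UDP payload matches WireGuard's message framing."""
    if len(payload) < 4:
        return False
    msg_type = payload[0]
    # The type is a little-endian u32 whose upper three bytes are reserved 0.
    if payload[1:4] != b"\x00\x00\x00":
        return False
    if msg_type in WG_FIXED_LEN:
        return len(payload) == WG_FIXED_LEN[msg_type]
    if msg_type == 4:
        # 16-byte header (type, receiver index, counter) + AEAD body padded
        # to 16 bytes + 16-byte Poly1305 tag; a keepalive is exactly 32.
        return len(payload) >= 32 and len(payload) % 16 == 0
    return False


def score_flows(datagrams):
    """Group (src, dst, dport, payload) datagrams by flow and return the flows
    that show a handshake initiation followed by transport data, with the
    number of WireGuard-shaped datagrams seen on each."""
    flows = defaultdict(list)
    for src, dst, dport, payload in datagrams:
        if looks_like_wireguard(payload):
            flows[(src, dst, dport)].append(payload[0])
    return {key: len(types) for key, types in flows.items()
            if 1 in types and 4 in types}


def _wg(msg_type: int, length: int) -> bytes:
    """Build a constructed datagram with WireGuard framing and dummy body."""
    return bytes([msg_type, 0, 0, 0]) + b"\x42" * (length - 4)


# Constructed sample traffic: one inside host talking "DNS" on 53/udp with
# WireGuard-shaped datagrams, plus a genuine-looking DNS query for contrast.
SAMPLE = [
    ("10.1.1.50", "203.0.113.9", 53, _wg(1, 148)),   # handshake initiation
    ("10.1.1.50", "203.0.113.9", 53, _wg(4, 32)),    # keepalive
    ("10.1.1.50", "203.0.113.9", 53, _wg(4, 1472)),  # full-size transport
    ("10.1.1.51", "192.0.2.53", 53,
     b"\xab\xcd\x01\x00\x00\x01" + b"\x00" * 6
     + b"\x07example\x03com\x00\x00\x01\x00\x01"),   # A query for example.com
]

if __name__ == "__main__":
    for flow, count in score_flows(SAMPLE).items():
        print("possible WireGuard:", flow, count, "datagrams")
```

One 148-byte datagram that happens to start with 0x01 is weak evidence on its own, so the score only fires once a flow shows both an initiation and transport messages; a peer that keeps the tunnel up re-initiates the handshake periodically, so the pattern repeats for the lifetime of the session and a rolling window over the same 5-tuple works as the alert condition.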



Stacking Cisco 2960X switches?

Hi this is a question for VAR engineers.

If I stack two 2960X switches, do I only need to buy C2960X-STACK=, and will that come with both modules and the cables, or do I need to buy 2 of those and then some additional parts for the cables?



Router ACL question: why are outside source addresses only working on an outbound access list?

This should be a pretty simple question, but I just can't seem to figure it out. Network diagram is here. I've made an ACL that should allow packets incoming to Server A, from Server B, and drop all other incoming traffic. I do not want to restrict any outgoing traffic from Server A, and no other ACLs exist on the network.

This is an Extreme/Enterasys router, but the syntax and logic for ACLs is the same as Cisco. Here's the ACL:

Standard IP access list Vlan25-Inoming 1 permit host 10.1.18.123 log 

When I apply this ACL to the Inbound side of interface 10.1.25.1, Server A and B cannot communicate. When I apply it to the Outbound side, it works as expected.

The format for the ACL is permit [source], so how does it make sense that Server B's address could be a source outbound from 10.1.25.20? My understanding is that a ping from Server B would hit the Inbound interface of 10.1.25.1, and the Source of that packet would be Server B.

What am I missing here?

Thanks!
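
An added illustration of how a router evaluates a standard (source-only) access list in each direction; it is not part of the post and the topology is assumed from the addresses mentioned: Server A is 10.1.25.20 behind the router interface 10.1.25.1 (called Vlan25 here), and Server B is 10.1.18.123 behind some other interface (called Vlan18 here, an assumption). The model reproduces the behaviour the post describes: the same one-line ACL breaks the exchange when applied inbound and passes it when applied outbound.

```python
# Direction-aware standard ACL simulation (added example, not from the post).
# An inbound ACL on an interface only sees packets arriving on that interface,
# so on Vlan25 its "source" is always a host on the 10.1.25.0 segment.
# An outbound ACL on Vlan25 sees packets the router is about to send toward
# that segment, whose source is the remote host.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress_if: str   # interface the packet arrives on
    egress_if: str    # interface the router forwards it out of


class StandardAcl:
    """Ordered ('permit'|'deny', host) entries with the implicit deny at end."""

    def __init__(self, entries):
        self.entries = entries

    def evaluate(self, src):
        for action, host in self.entries:
            if host in ("any", src):
                return action
        return "deny"


def filter_packet(pkt, acl, acl_if, direction):
    """Verdict for pkt given an ACL applied on acl_if in 'in' or 'out'.
    A packet that never passes acl_if in that direction is not inspected."""
    if direction == "in" and pkt.ingress_if == acl_if:
        return acl.evaluate(pkt.src)
    if direction == "out" and pkt.egress_if == acl_if:
        return acl.evaluate(pkt.src)
    return "permit"


def ping_exchange(acl, acl_if, direction):
    """Echo request B->A and echo reply A->B; returns both verdicts."""
    request = Packet("10.1.18.123", "10.1.25.20", "Vlan18", "Vlan25")
    reply = Packet("10.1.25.20", "10.1.18.123", "Vlan25", "Vlan18")
    return {
        "request": filter_packet(request, acl, acl_if, direction),
        "reply": filter_packet(reply, acl, acl_if, direction),
    }


# The ACL from the post: a single permit for Server B, implicit deny after it.
ACL = StandardAcl([("permit", "10.1.18.123")])

if __name__ == "__main__":
    for direction in ("in", "out"):
        print(direction, ping_exchange(ACL, "Vlan25", direction))
```

Run inbound on Vlan25, the ACL never sees B's request (it arrives on a different interface) but does see A's reply, whose source 10.1.25.20 falls through to the implicit deny; run outbound, it sees B's request with source 10.1.18.123 and permits it, and A's reply leaves through another interface untouched, which is exactly "only B may reach A, A is not restricted".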



connecting 2 pc each with intel pro 1000 pt quad nic cards without a switch

Hi,

My 16port unmanaged dell switch has died.

I need help configuring my network settings for connecting 1 workstation with a quad port nic to another workstation with its own quad port nic (same exact cards on both machines)

I also need to have internet accessibility for both machines.

Both machines have additional Ethernet ports aside from the quad port NIC.

I was experiencing greater network speeds this way before my switch died.

I had to then use a 4port unmanaged switch to connect both workstations with a single ethernet connection each, but this is slow and frustrating.

Just looking to see if I can connect both workstations together and connect them back to an unmanaged switch for internet.

-- my topology

gateway > router > 8port unmanaged switch > 2nd 4 port unmanaged switch > both workstations

thanks



Cumulus Linux Nclu vs vtysh

So I’m just starting to play with cumulus and in some of their documentation they have two options for configuring stuff; nclu or vtysh.

For those of you who work with cumulus in a production environment, which do you use and why?

Thanks!



Automation on systems without Python installed

I have been learning Python as I see lots of posts about how valuable it is to learn a programming language in regards to automating tasks.

I work for an ISP and can certainly see the benefit of being able to automate a lot of my day-to-day tasks, but what I can't figure out is how I'm supposed to use any python scripts when I don't have any admin-rights on my physical work laptop (Windows) to be able to install Python, let alone run any scripts in the first place.

On top of this, we have a linux server that we connect to all our nodes from, and this server doesn't have Python installed on it either, I think it was either removed/disabled, or my user account doesn't have permissions to be able to use it.

Is there something I'm missing in regards to how Python scripts work? Can scripts be packaged in some sort of way so once it has been written all I need to do is transfer the file on to my work machine and then it can be executed?

I should mention this is the second ISP I have worked for, and the previous one did not have python already installed on any of their systems, and users did not have any admin-rights on their local machines. I just can't seem to find the motivation to learn how to script if I can't actually apply it anywhere.

How do other people do it?



Cisco SG300 - cannot ping across WAN, interferes with SNMP from other devices.

So we moved a branch office to new space. I added two new Cisco SG300-52 switches to boost the number of data connections, they are connected to a pair of older Adtran 1335 POE switches which are reserved for VOIP phones.

I can ping devices hooked up to the SG300's; but I cannot ping/telnet/SSH to the switches except from inside that office LAN. Also noticed that our APC UPS network cards cannot send SNMP data back to a PRTG monitoring machine in main LAN. Other than that, networking is up and active for all devices.

The branch office is connected via Comcast fiber link at 100MB. Nothing changed on HQ side, same switches and Ciena gear. Comcast brought a new Ciena switch to branch office with same programming. Everything is routed through a pair of Cisco 1921 routers on each side of the fiber link.

Each individual LAN subnet works and I can access gear in branch office from HQ side. Except for the SG300 switches, cannot ping them or remote to them to grab configs using TelnetScriptingTool.

My Google-Fu has not come across anything like this regarding the SG300's. They are set up same way as HQ side (where we have three of them providing data connections to whole office). They are in L3 mode with super-basic configs thrown on them.

==================
CHI-SW003#show running-config
config-file-header
CHI-SW003
v1.3.0.62 / R750_NIK_1_3_647_260
CLI v1.0
set system mode router
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 2,80,85,90
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname CHI-SW003
no passwords complexity enable
username <user01> password encrypted <pass01> privilege 15
username <user02> password encrypted <pass02> privilege 15
ip ssh server
snmp-server location Chicago
clock timezone CST -5
clock source sntp
ip telnet server
!
interface vlan 1
 ip address 172.16.32.44 255.255.255.0
 no ip address dhcp
!
interface vlan 2
 name Voice
!
interface vlan 80
 name WiFi
!
interface vlan 85
 name "Guest WiFi"
!
interface vlan 90
 name Smartphones
!
exit
CHI-SW003#
==================

So we have

HQ Adtran --> Cisco 1921 --> CienaHQ --> Comcast Fiber --> CienaBranch --> Cisco 1921 --> Adtran 1335 --> SG300

And the reverse is true for branch office - can see/use/ping gear behind the SG300; cannot ping the SG300's in HQ from Branch office.

I'm stumped - if the routing in the 1921's was wrong we'd have no connection. Setup could have been out of whack since 2016 when the HQ office SG300's were installed; frankly I never needed to telnet to them from Branch office. I'd like to be able to contact these switches from either side of the fiber link, and also get SNMP traffic flowing without crazy issues from the APC network cards in branch office.

Ideas?
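
A small config check one can run against the posted running-config before touching the 1921s, added here as an example; it is not a Cisco tool and its rules are my own. It reads an SG300-style config and reports what is visible in the output above: the switch is in routed mode ("set system mode router") with a single management address on VLAN 1 and no `ip default-gateway` or `ip route` line, and management hardening items such as the telnet server and disabled password complexity. The embedded config is an excerpt of the one posted, with the OUI table and header lines dropped and the user placeholders kept.

```python
# SG300 running-config lint (added example, not a Cisco tool; rules are mine).
import re


def parse_config(config_text):
    """Split a config into top-level lines and per-'interface vlan N' lines."""
    interfaces, current, top_level = {}, None, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line in ("!", "@"):
            continue
        m = re.match(r"interface (vlan \d+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line == "exit":
            current = None
        elif current:
            interfaces[current].append(line)
        else:
            top_level.append(line)
    return interfaces, top_level


def lint_sg300(config_text):
    """Return findings plus the management addresses found on SVIs."""
    interfaces, top_level = parse_config(config_text)
    findings = []
    routed = "set system mode router" in top_level
    has_route = any(l.startswith(("ip default-gateway", "ip route "))
                    for l in top_level)
    if routed and not has_route:
        # In routed mode the switch needs its own next hop to answer hosts
        # that are not on a directly connected subnet.
        findings.append("routed mode with no 'ip default-gateway'/'ip route': "
                        "replies to off-subnet hosts have no next hop")
    if "ip telnet server" in top_level:
        findings.append("telnet server enabled: plaintext management; "
                        "keep SSH only")
    if "no passwords complexity enable" in top_level:
        findings.append("password complexity disabled")
    mgmt = {}
    for name, lines in interfaces.items():
        for l in lines:
            m = re.match(r"ip address (\S+) (\S+)$", l)
            if m:
                mgmt[name] = (m.group(1), m.group(2))
    return {"findings": findings, "management_ips": mgmt}


# Excerpt of the config posted above (header and OUI table omitted).
POSTED_EXCERPT = """\
set system mode router
vlan database
vlan 2,80,85,90
exit
hostname CHI-SW003
no passwords complexity enable
username <user01> password encrypted <pass01> privilege 15
username <user02> password encrypted <pass02> privilege 15
ip ssh server
snmp-server location Chicago
clock timezone CST -5
clock source sntp
ip telnet server
!
interface vlan 1
 ip address 172.16.32.44 255.255.255.0
 no ip address dhcp
!
interface vlan 2
 name Voice
!
interface vlan 80
 name WiFi
!
exit
"""

if __name__ == "__main__":
    report = lint_sg300(POSTED_EXCERPT)
    print("management:", report["management_ips"])
    for finding in report["findings"]:
        print("-", finding)
```

The same script run on the HQ switches' configs shows whether they differ only in the gateway line; appending a constructed `ip default-gateway` line to the excerpt clears the first finding, which is how the test below exercises it.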



Need to learn how to convert a mobile hotspot to a n Ethernet connection

Hello there! Just as a disclaimer I know nothing about computers..

My problem: I am working from home. My work PC requires an Ethernet connection. DSL is my only option for internet and it's horribly slow. I've looked up a WISP in my area and none of them provide in my location. I'd rather not buy expensive satellite internet. I read that I can convert my phone's hotspot to a wired Ethernet connection, but it's tricky..

I just need some pointers on this process please. My phone provider is Verizon if that matters.

What would be great if someone would be kind enough to post links to exactly what I need to buy, and maybe a quick tutorial on how to set it up.

Thank you all in advance!



Newest ASA OS without smart licensing

Hi there,

Can someone point out what the newest ASA OS version is that you can get with classic licensing?

We have some boxes in dire need of an upgrade, but as they are EOL we can't renew the service contract. Also we are still completely on classic licensing.



WD My Cloud Home vs AirPort Extreme with External HDD

Hi,

I currently have an AirPort Extreme with a 1TB Hard Drive connected for Backups and Storage.

I am running out of space and so think it is time to upgrade.

After looking into it, my choices are to either buy a WD My Cloud Network 4TB storage and connect this to my network, OR I can buy a 4TB HDD and use this instead.

The main difference would be that I could access the WD NAS from outside the house, but I have managed without up until now.

Has anyone had experience with one over the other and can anyone think of any benefits or cons to either?

Any answers welcome.

Cheers!



New technologies

I finally discovered what CASB is recently. We're now looking at putting either Netskope or ForcePoint in. I feel like I've missed the boat on this though. What other new technologies and products are you putting in place that people like me may have missed?



Data Center to Data Center Dark Fiber or Wavelength? - Chicago

Hello All,

I'm doing some research on getting connectivity between two cabinets in different data centers, in this case, one in CoreSite's CH1 (427 S. LaSalle), one in Digital Realty's CHI1 (350 E Cermak).

What notable providers offer Dark Fiber or Wavelength between the two DCs for this purpose, and what are fair prices for 10/40Gbps WDM or Dark Fiber?



Large VDI deployment. 10gbps to access switching?

Looking for hands on experience with large scale VDI performance on 1gbps to access layer.

Datacenter would be solid (dual 25gbps for member servers, quad 40gb to core) for an environment to support several thousand concurrent sessions.

VMware blast says it would only need 150-200kbps per knowledge worker even with dual 1080p displays which my customer is using to say “hey we don’t need to upgrade to 10gbps down to access layer.”

Their aggregation isn’t bad (dual 10gbps to distro, dual 1gbps to 10-12 48port switches) but I have trust issues with VMware saying they don’t need much bandwidth.

Am I overly concerned? I understand that traffic patterns would rapidly change as only VDI display scrape goes to thin client where standard traffic would stay within the VDI environment.

Thanks everyone



F5 BIG-IP - primary and backup nodes in a pool possible?

Hi all,

On a BIG-IP LTM, is it possible to have members of a pool that would act as "primary" and others that would act as backups?

I want to have a pool that will have at least two members and I'd like all traffic to be sent to a particular node (or nodes) when they are online and only to use other nodes if the "primary" nodes are offline. Is this possible? I looked at the weighted options but it seems there are still instances where traffic can be sent to other nodes even if certain nodes are online.

Thanks



Firewall for sites that are remote sites on SD-WAN?

Let me start off by saying I am very new to SD-WAN..

I was wondering what type of architecture is recommended from a security perspective for sites moving to SD-WAN. If we have remote sites that will tunnel all their traffic back to the data center do we need to have a firewall in place at the remote sites? What if we decide we want to route some traffic straight out to the internet like O365, should we have a firewall on it in that situation?

Right now the current plan is for 2 SD-WAN routers at the site (for redundancy) and tunnel everything back to the data center but wasn't sure if this was going to be sufficient from a security perspective.

Thanks in advance!



Label printer for cables.

Hello everyone,

I am sure a lot (if not all of us) have a Dymo label printer in our toolkit.

Although it is the most well-known label printer brand, I have recently discovered that its labels do not stick well to cables. They tend to peel off, especially when there is a constant warm breeze blowing at the cables.

Does anyone have a cheap solution for a cable specific label printer?



DNS over HTTPS

What is everyone doing about DNS over HTTPS?

With the recent announcement of Chrome soon supporting this, we are having to look into it, as we don't want internal sites being sent externally, and since we also run all our queries through a DNS service (which thankfully supports DoH).

We've come up with GPO deployment, and probably will do FW blocks for the Cloudflare IPs that are auto-used.



Netbox multi-tier

Our enterprise is looking at deploying Netbox. We have some requirements around high availability, DR and continuity. I am interested to see if anyone has deployed Netbox in a multi-tiered approach with separate DBs (clustered or standalone) and multiple web/app servers. It would be really helpful if you could share some details around your architecture.

I am also interested to know if anyone had considered this approach, but opted for a single tier deployment and the reasons why?



Need Aruba devices training

Are there any instructor-led online training courses for Aruba devices/controllers/ClearPass/APs available? Please let me know. I searched on the internet but didn't find any.



Noob networking question (NAT)

Probably going to get a lot of rolled eyes for asking such a basic question here. I'm about to take my Net+ exam next month and am trying to fill in the gaps in my knowledge.

Here's an instance:

Say a PC on a LAN tries to access a webpage on port 80. The PC sending the request assigns the packet's source IP/port and destination IP/port. When the packet hits the router, NAT translates the private IP to the public IP and reassigns the source port to a brand new source port along with the IP. I understand why the IP address needs to be translated, but why does the source port number NEED to be reassigned to a whole different number? Why can't it be kept as the same source port that was assigned by the local PC? Does it have to do with the possibility of the same source port number potentially being assigned by another PC on the LAN? In other words, the NAT table ensures that the source port doesn't end up in use by another PC?

Sorry for the basic question. I can't stand knowing small details sometimes and it distracts me from moving forward.
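
An added example, not part of the post, of the translation table a NAT/PAT device keeps, to make the port question concrete. The model tries to keep the PC's own source port when it is free (many implementations do) and only allocates a fresh one when another inside host is already using that public port; the addresses and ports are constructed sample values.

```python
# Minimal PAT (port address translation) table (added example, not from the post).
# One public IP is shared by many inside hosts, so the public source port is
# the only thing that tells replies apart; two hosts that picked the same
# ephemeral port cannot both keep it.


class PatTable:
    def __init__(self, public_ip, port_range=(1024, 65535)):
        self.public_ip = public_ip
        self.next_port, self.max_port = port_range
        self.in_use = set()   # public ports currently allocated
        self.outbound = {}    # (priv_ip, priv_port, dst_ip, dst_port) -> pub_port
        self.inbound = {}     # (pub_port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def _allocate(self, preferred):
        """Port preservation when possible, otherwise next free pool port."""
        if preferred not in self.in_use:
            return preferred
        port = self.next_port
        while port in self.in_use:
            port += 1
            if port > self.max_port:
                raise RuntimeError("PAT port pool exhausted")
        self.next_port = port + 1
        return port

    def translate_out(self, priv_ip, priv_port, dst_ip, dst_port):
        """Outbound packet: return the (public_ip, public_port) to rewrite to."""
        key = (priv_ip, priv_port, dst_ip, dst_port)
        if key not in self.outbound:
            pub_port = self._allocate(priv_port)
            self.in_use.add(pub_port)
            self.outbound[key] = pub_port
            self.inbound[(pub_port, dst_ip, dst_port)] = (priv_ip, priv_port)
        return (self.public_ip, self.outbound[key])

    def translate_in(self, pub_port, remote_ip, remote_port):
        """Reply packet: map the public port back to the inside host, or None
        if no session exists (the packet is dropped)."""
        return self.inbound.get((pub_port, remote_ip, remote_port))


if __name__ == "__main__":
    nat = PatTable("203.0.113.1")
    # Two PCs both happen to pick source port 50000 for the same web server.
    print(nat.translate_out("192.168.1.10", 50000, "93.184.216.34", 80))
    print(nat.translate_out("192.168.1.11", 50000, "93.184.216.34", 80))
    # The server's reply to the second public port reaches the second PC.
    print(nat.translate_in(1024, "93.184.216.34", 80))
```

The first PC keeps port 50000 on the public side, the second collides and receives 1024 from the pool, and the reply lookup uses the public port together with the remote address and port, so each reply is handed back to exactly one inside host; with no table entry the reply has nowhere to go and is dropped.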



Monday, May 25, 2020

Cisco firewall for fully redundant LAN to WAN to topology

Hi everyone,

1st time post for me, been reading networking sub for a while and love it.

Fairly new to networking in comparison to most of you on here so please be patient with me if i'm not using the correct terminology etc.

https://imgur.com/a/wnPKyys

I'm trying to scope the correct hardware to create the following LAN to WAN topology whilst using all Cisco equipment. Looking at about 600Mbps throughput and I'm trying to keep the price down as much as possible, as all the pricing I've seen (not a Cisco partner too btw) has been insanely expensive, talking each FW being 15k+ for it to do what we want (web filtering, IPS, AV etc). The protocols I would use would be either STP (if possible), LACP or Redundant Interfaces (my preferred protocol because it seems like the easiest to use). I've done a fair bit of research and have found that I can't seem to find any ASAs under 20K that can do it (5525-X or 5516-X), and if they can the throughput is way too low. I looked at the Firepower series and it looked really promising, but then came across a spec sheet that said they don't do STP, LACP or Redundant Interfaces. So I'm just wondering, am I missing a range that would be able to do this within a reasonable budget? Am I using the wrong protocols to achieve the amount of redundancy I need? The model I would use for this topology from another vendor would be a Fortigate 60F.

Appreciate any feedback you may have.



Help in Designing Microwave Communication System

Hi guys, for our final project, we are asked to design a microwave communication system.

DESIGN REQUIREMENTS

1. A point-to-point digital microwave communication system design between Batangas State University Main Campus I and Main Campus II

  1. The line-of-sight transmission is the basis of the design.

  2. The transmission mode is full duplex, digital transmission using any type of network topology working at the 13GHz frequency band.

  3. The microwave communication system can be used as a reliable data communication link between the two main campuses.

  4. The link must have a minimum packet link capacity of 4Gbps.

  5. Design reliability is 99.999998%.

Any help on where can we start and what antenna can we use to satisfy these? Just any help would be appreciated. Thank you so much



do we need a dedicated firewall device for a company?

I am a MikroTik user, so I was going to check my friend's church network because they have an internet problem. They are using a SonicWall as firewall; I have never touched this system really. So my question is: do we really need a dedicated firewall device or system? Can't we just use the MikroTik firewall for the job? What are the pros and cons if I'm just using the MikroTik firewall or using a dedicated firewall device? THANK YOU



ipsec vpn issues

I recently swapped out a Fortigate firewall for a Cisco Meraki MX64 and I set up a client VPN. When I connect to the Cisco VPN it will not connect. My local network is 10.0.0.0/22 and the VPN is 10.0.50.0/24. From my understanding, the VPN is its own DHCP server. With that said, I shouldn't have to add anything to a local DHCP server on the local network, right? I'm using the hostname for the Meraki VPN.

Do I need to add the hostname to the DNS server?



Network Rebuild Bids - Please Help!

I wanted to get the group's opinion on some recent bids we have received to provide a rebuild to our network infrastructure.

Each bid has an SDWAN element but from 3 separate providers.

  • BigLeaf
  • Fortinet
  • Meraki

From the group's experience, which one would you recommend? Can you provide some insight into each provider if you have worked with them?

Our requirements are very simple and I listed them below.

  • Manage and monitor 2 circuits per site
  • Aggregate and prioritize traffic across those circuits
  • Manage connections to our cloud based software
  • Monitor QoS for both data and voice traffic
  • Alerting for QoS issues and down interfaces

I know this can be a very subjective topic, so just looking for the group's opinion.

Thank you all!



Tagged frames onto untagged port w.r.t ieee 802.1q spec.

I have been trying to understand ingress behaviour on untagged port, specially w.r.t tagged frames. On going through ieee 802.1q doc, i found this (8.6.2) : "Each Port may support an Enable Ingress Filtering parameter. A frame received on a Port that is not in the member set (8.8.9) associated with the VID shall be discarded if this parameter is set. The default value for this parameter is reset, i.e., Disable Ingress Filtering, for all Ports. Any Port that supports setting this parameter shall also support resetting it. The parameter may be configured by the management operations defined in Clause 12." It only speaks about VID of incoming frame . From that, My understanding is, incoming frame (whether it is tagged or untagged / irrespective of port type ) must be looked upon VLAN database and forwarded /discarded accordingly. Furthermore, the doc mainly defines functionality of a port in terms of a Bridge, and only classifies them as VLAN aware and unaware types (Here again , i assume, trunk and access type respectively). It also specfies that an untagged traffic is associated(assume tagged) with PVID of that particular port. It doesn't effectively specify the scenario of tagged traffic on to the untagged port. However, most of online forums say that a untagged port should discard tagged frames, (some say with exception of native vlan). !! I am confused a bit, since the standard doesn't specify this kind of behaviour. So can anyone clear up some air on this!!?.