Saturday, June 20, 2020

Monitor network traffic for a particular url (or set of urls)

I have a small network, and I am trialling ideas on user traffic. I would like to completely block certain sites, but I would like to see if particular sites are being accessed first.

Is there a way I can monitor network (LAN) traffic from, let's say, one of my servers?

Ideally I'd like to write something up that monitors traffic and sends me a notification of the IP address and when that URL was accessed. I'm sure that can be done with either a Python or shell script, but I'm not entirely sure where to start. I was thinking of using Slack for the notification service but I'm open to better and easier options.
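One way to start, as an added example rather than anything from the post: watch a DNS query log (dnsmasq/Pi-hole style lines, constructed below) for a set of domains, record the client IP and time of each lookup, and build the JSON body a Slack incoming webhook accepts. The webhook URL is a placeholder and nothing is sent unless you call send_alert() yourself.

```python
"""Watch DNS query log lines for a set of domains and produce Slack-style alerts.

Added example; not from the original post. Assumptions: the log lines below are
constructed in the dnsmasq/Pi-hole "query[A] <name> from <ip>" format; the Slack
incoming-webhook URL is a placeholder and nothing is sent unless you call
send_alert() yourself.
"""
import json
import re
import urllib.request
from typing import Dict, Iterable, List

# Constructed sample log lines (dnsmasq/Pi-hole style); not real traffic.
SAMPLE_LOG = """\
Jun 20 10:15:01 pihole dnsmasq[812]: query[A] www.example.com from 192.168.1.23
Jun 20 10:15:03 pihole dnsmasq[812]: query[AAAA] cdn.example.com from 192.168.1.23
Jun 20 10:15:07 pihole dnsmasq[812]: query[A] mail.corp.internal from 192.168.1.40
Jun 20 10:15:09 pihole dnsmasq[812]: query[A] tracker.example.net from 192.168.1.57
Jun 20 10:15:11 pihole dnsmasq[812]: forwarded www.example.com to 1.1.1.1
"""

# Domains to watch (constructed). A bare domain matches itself and any subdomain.
WATCHLIST = {"example.com", "tracker.example.net"}

QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<ip>\S+)$"
)


def domain_matches(name: str, watchlist: Iterable[str]) -> str:
    """Return the watchlist entry that covers `name` (exact or parent domain), else ''."""
    name = name.lower().rstrip(".")
    for watched in watchlist:
        w = watched.lower().rstrip(".")
        if name == w or name.endswith("." + w):
            return w
    return ""


def scan_log(lines: Iterable[str], watchlist: Iterable[str]) -> List[Dict[str, str]]:
    """Parse query lines and return one alert record per hit on the watchlist."""
    alerts = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # forwarded/reply/cached lines are not client queries
        hit = domain_matches(m["name"], watchlist)
        if hit:
            alerts.append({"time": m["ts"], "client": m["ip"], "name": m["name"], "rule": hit})
    return alerts


def slack_payload(alerts: List[Dict[str, str]]) -> Dict[str, str]:
    """Build the JSON body for a Slack incoming webhook (one message, one line per hit)."""
    lines = [f"{a['time']} {a['client']} -> {a['name']} (rule: {a['rule']})" for a in alerts]
    return {"text": "Watched domain lookups:\n" + "\n".join(lines)}


def send_alert(webhook_url: str, payload: Dict[str, str]) -> int:
    """POST the payload to a Slack incoming webhook; returns the HTTP status code."""
    req = urllib.request.Request(
        webhook_url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines(), WATCHLIST)
    print(json.dumps(slack_payload(hits), indent=2))
    # send_alert("https://hooks.slack.com/services/PLACEHOLDER", slack_payload(hits))
```

Feeding the script from `tail -F` of the real log (or a Squid/proxy access log with a different regex) turns it into a live monitor; DNS logs show the name queried but not the full URL, so a proxy log is the place to look if the path matters.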



Double use IPv4 addresses for assignment and SRCNAT

Our upstreams route some public IPv4 addresses for us (1 /28 + 1 /29) and we have been using all of them for SRCNAT Internet traffic as well as some of them assigned to some servers, routers and customers for inbound connectivity.

It works and you can use the Internet even being NATted to an address that's assigned to something else, but I wonder if there may be issues, or if there are already some that we have just failed to find, related to this practice.

I can think of something like both NAT and a server/customer eventually using the same source port for their own connections, and response data from the remote end getting lost due to being wrongly received by the NAT router or the server/customer. Does Linux's connection tracking (we're NATting on MikroTik routers) somehow help NAT to not use a source port it saw in use for a connection just routed for that same IP address?

If it happens, source port conflicts tend to become more likely as we get more customers and after deploying CGNAT. I also don't like leaving scarce public IPv4 reserved and unused, nor would I want the headache of changing CGNAT every time we need to free up some address for another usage. That's why I am asking for advice on this, and because it seems to be an interesting thing to understand more deeply :)

Don't mind, we are already getting our own ASN, /22 IPv4 and /32 IPv6, but there will still be CGNAT.



When you already have a secure web gateway/proxy, what value does adding in DNS-layer security provide? (IE: Cisco Umbrella/OpenDNS)

(crosspost from /r/netsec)

From my perspective, the main value that DNS-layer security adds is that it could reduce the load on your web proxies and firewalls, since traffic flows to unwanted domains would, in effect, never be generated. With that being said, I'm not sure that I see any other value that could be offered. It would seem to me that an SWG service combined with an NGFW would be able to enforce policy much better since they actually inspect content inline.

What do you think?



Can I Use a router to create a Test environment?

Hey everybody, I have some basic networking knowledge and am studying for my Net+ but wanted some advice on an issue. In my org I’m just a technician. I have essentially zero decision making power in my organization. However I do have the power to run scripts across the computers in the sites I manage. Additionally I’m trying to increase my knowledge on MDT.

I’ve asked for a test environment in order to be able to test across multiple devices. However our current network admin has an aversion to this idea for some reason and won’t permit it. So the easy option of a new VLAN and a few firewall rules won't work.

A thought I’ve had is to create a router using some old equipment we have and pfSense. My thought is that if I use the router to create a network with a different subnet than our primary subnet, then I could essentially do what I’m trying to do. This sounds like a plan that would work, but I’m curious to hear what problems this could have, if it would even work at all?



Why doesn't HTTP have packets but messages?

In Ethernet, IP and TCP/UDP we can see they have packets. But HTTP or Layer 5 (TCP/IP suite) protocols don't have packets. Rather they have a textual representation called messages.

Why is that? Curious
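The reason is that TCP hands the application a byte stream, not packets, so an HTTP message has to be delimited by its own syntax (the blank line ending the headers and the Content-Length). The following is an added example, not code from the post: one constructed byte string holding two pipelined requests is sliced into "segments" at arbitrary points, and the parser recovers the same two messages regardless of where the cuts fall.

```python
"""An HTTP message is delimited by its own syntax, not by packet boundaries.

Added example, not from the original post. The TCP 'segments' below are constructed
by slicing one byte string at arbitrary points; a real socket would hand the
application the same bytes in whatever pieces the network delivered them.
"""
from typing import Dict, List, Tuple

Message = Tuple[str, str, Dict[str, str], bytes]

# Constructed: two pipelined requests on one connection, as the wire bytes.
STREAM = (
    b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 9\r\n\r\nuser=bob\n"
    b"GET /home HTTP/1.1\r\nHost: example.test\r\n\r\n"
)


def segments(stream: bytes, sizes: List[int]) -> List[bytes]:
    """Slice the stream into 'segments' of the given sizes (the remainder is the last one)."""
    out, pos = [], 0
    for n in sizes:
        out.append(stream[pos:pos + n])
        pos += n
    out.append(stream[pos:])
    return [s for s in out if s]


def parse_messages(chunks: List[bytes]) -> List[Message]:
    """Reassemble HTTP/1.1 request messages from a sequence of byte chunks.

    A message is complete when the blank line ending the headers has arrived and,
    if Content-Length is present, that many body bytes have followed it. Any bytes
    left over belong to the next message, so chunk boundaries never matter.
    """
    buf = b""
    messages: List[Message] = []
    for chunk in chunks:
        buf += chunk
        while True:
            end = buf.find(b"\r\n\r\n")
            if end < 0:
                break  # headers incomplete; wait for more bytes
            head, rest = buf[:end], buf[end + 4:]
            request_line, *header_lines = head.decode("ascii").split("\r\n")
            method, target, _version = request_line.split(" ", 2)
            headers = {}
            for h in header_lines:
                k, v = h.split(":", 1)
                headers[k.strip().lower()] = v.strip()
            length = int(headers.get("content-length", "0"))
            if len(rest) < length:
                break  # body incomplete; wait for more bytes
            messages.append((method, target, headers, rest[:length]))
            buf = rest[length:]
    return messages


def same_result(sizes_a: List[int], sizes_b: List[int]) -> bool:
    """True if two different segmentations of STREAM yield identical messages."""
    return parse_messages(segments(STREAM, sizes_a)) == parse_messages(segments(STREAM, sizes_b))


if __name__ == "__main__":
    for m in parse_messages(segments(STREAM, [7, 30, 5])):
        print(m[0], m[1], m[3])
```

The same framing logic is why a packet capture shows an HTTP request spread over several TCP segments, and why a proxy or IDS has to reassemble the stream before it can apply any rule to the message.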



Interview preparation questions

Lots of people prepare for job interviews in the computer networking field. How about creating a post or thread here that will have all the questions from different sources or companies that can help others in preparing for interviews, or at least for learning purposes.

Please post all great questions on networking.

Thanks



Cisco Anyconnect

I don't know if this is the right subreddit to ask this question,

but I have a question about Cisco AnyConnect: is there a way to open a certain URL in a browser automatically once the user connects to AnyConnect?



Routing all traffic from one interface (LAN) to another (WLAN)

Hi there,
Does anyone know of a way to route the traffic from a wired LAN connection out to the WLAN connection on the same device, and back?

More specifically, I'd like to create a VPN connection to the WLAN network.
However, the WLAN network is a mobile LTE hotspot and thus I cannot access port forwarding to open up a connection for Wireguard.
A helpful member on this subreddit provided a useful suggestion to get around this; VPN into the wired LAN connection (where I do have access to port forwarding) and then route that traffic to the WLAN since it's all connected to the same device.

I'm using a RaspberryPi4 as my device with Raspbian (linux) as the OS.

Thanks a lot for your help.



Doubts with fan cooler replacement for Cisco Catalyst 2960

Hello! I need to change a fan cooler for switch production usage purposes, I would like to tell you the model is a Catalyst 2960-48-TT-L.

The corresponding cooler is this:

https://www.delta-fan.com/Download/Spec/BFB1012M-A.pdf

The one that an official representative of the brand offers me is this down here, unaware of whether it will serve me or not:

https://www.delta-fan.com/Download/Spec/BFB1212HH-F00.pdf

I find differences between voltages and slight differences in dimensions; both are used on switches of the same brand, but the last cooler corresponds to a Cisco 2960 with 24 PoE ports.

Who can advise me, and if possible, how can I make sure that the purchase is useful to replace one model with the other? Thanks



Automation has spooked me and I feel sticking to the technical line will make us less vulnerable. What's your opinion?

I am an L2 network engineer (R & S, Security) with 7+ years' experience. I see automation beginning to reduce headcounts and I am reading articles which predict a big impact of automation on job security in coming years (such as 50% of PM positions predicted to be eliminated in 7-8 years due to automation, etc).

So I feel sticking to the technical line and not moving to non-technical/management positions, and upskilling myself with several in-demand skills like Python scripting, wireless, etc. might make me more indispensable for the employer. I feel automation may be able to do L1/some L2 tasks but can't replace you if you possess high-level skills. But I am wondering if the same thing can be said about a non-technical management position (with few exceptions) whose skills are more commoditised?

What are your thoughts on how we can make ourselves less dispensable in the face of massive automation in coming years?



Anyone used/using Microsoft Network Monitor?

Has anyone ever used this before? I'm using it right now to capture some packets. What I've set up is as follows: my Android mobile phone acts as a Wi-Fi hotspot and my laptop is connected to it. So I'm capturing packets on Microsoft Network Monitor and the signal strength values are... positive... wtf?

Like, when I put the phone right next to the laptop, I get values of up to 77... and then when I move the phone away, the values drop to the 50s and 40s... Shouldn't RSSI values be negative? What is causing this? And how can I fix it? Are the units not dBm somehow? What am I missing?

I don't know how else to capture packets on Windows and measure the signal strength. Wireshark doesn't work. Unable to find anything about this particular issue on the internet.


If this is not the right subreddit for it, please tell me where to post it instead. Thanks.



Need help with guest vlan/wifi solution on local LAN

Hello guys,

I am looking for advice here.. I am kind of lost tbh.

I am managing a small network in my free time and I am trying to create guest WiFi on the floor of a building which would be using a different VLAN than the local LAN the other devices are using..

Some solution that would make the internal network (VLAN 1) secure from clients using the guest WiFi/VLAN 99.

This is the diagram of how it is connected and how I'd like it to work.. however, it doesn't :)

https://i.imgur.com/UYhcQB8.jpg

The RV325 residing in the server room on the bottom floor has two VLANs created: untagged VLAN 1 and tagged VLAN 99 on the port where the switch on the floor is connected; inter-VLAN routing is understandably disabled.

The RV215W simply cannot access VLAN 99; however, when I am connected to the internal network, I can ping the DHCP server running on the RV325 for VLAN 99...

The RV215W has only one Ethernet cable connected to its LAN port. I set up two VLANs with the same numbers 1 and 99 and the same subnets as on the main router RV325, of course; fixed IPs for both were set up for the router in a range unused by the DHCP server (150+).

Both VLANs had DHCP relay set up so the WiFi clients would get an IP from the RV325 directly.

The internal wifi worked fine..

But the guest WiFi clients connecting to it never got an IP in VLAN 99 and therefore couldn't access the Internet.

I also tried connecting it to the WAN port, which effectively made the guest WiFi work but also, understandably, made it possible to access LAN devices..



Router on a stick

I’m looking for some help building a router on a stick for my ITNW class, using Packet Tracer. Can anyone help or explain how to build the following?

2 routers with serial ports

2 switches

3 end devices

Network address 172.16.20.0/22

Configure network for 60 devices

On Leg A IP address is 1st subnet

On Leg B IP address is 2nd subnet

create static route from Leg A to Leg B.

Thanks (:
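The addressing part of the exercise is a subnetting calculation, and doing it with Python's ipaddress module shows every number the Packet Tracer configuration will need. This is an added example, not part of the post; it assumes "60 devices" means each leg's subnet must hold 60 hosts (so /26, 62 usable), that Leg A takes the first subnet and Leg B the second, and that each leg's router interface gets the first usable address. The next-hop in the static route is a placeholder since the post doesn't give the serial link addressing.

```python
"""Carve 172.16.20.0/22 into subnets sized for 60 hosts and pick Leg A / Leg B.

Added example, not from the original post. Assumptions: 60 hosts per subnet, Leg A
is the first subnet and Leg B the second, and the router takes the first usable
address of each. Only the arithmetic is shown; no device configuration is generated.
"""
import ipaddress
from typing import Dict, List


def subnets_for_hosts(network: str, hosts: int) -> List[ipaddress.IPv4Network]:
    """Split `network` into the largest subnets that still hold `hosts` usable addresses.

    A subnet with h host bits has 2**h - 2 usable addresses (network and broadcast
    are excluded), so the smallest block for 60 hosts is h = 6, i.e. a /26 (62 usable).
    """
    net = ipaddress.ip_network(network)
    host_bits = 1
    while (2 ** host_bits) - 2 < hosts:
        host_bits += 1
    new_prefix = 32 - host_bits
    if new_prefix < net.prefixlen:
        raise ValueError(f"{network} cannot hold {hosts} hosts in one subnet")
    return list(net.subnets(new_prefix=new_prefix))


def plan_legs(network: str, hosts: int) -> Dict[str, str]:
    """Return the addresses a two-leg router-on-a-stick design needs (assumed conventions)."""
    subs = subnets_for_hosts(network, hosts)
    leg_a, leg_b = subs[0], subs[1]
    return {
        "leg_a_subnet": str(leg_a),
        "leg_a_router": str(next(leg_a.hosts())),
        "leg_a_broadcast": str(leg_a.broadcast_address),
        "leg_b_subnet": str(leg_b),
        "leg_b_router": str(next(leg_b.hosts())),
        "leg_b_broadcast": str(leg_b.broadcast_address),
        # Cisco IOS static route syntax; the next hop is a placeholder for the serial link.
        "static_route_on_a": f"ip route {leg_b.network_address} {leg_b.netmask} <next-hop on Leg B>",
        "usable_per_subnet": str(leg_a.num_addresses - 2),
        "subnets_available": str(len(subs)),
    }


if __name__ == "__main__":
    for key, value in plan_legs("172.16.20.0/22", 60).items():
        print(f"{key:20} {value}")
```

The same function answers the follow-up questions an instructor usually asks (how many such subnets fit in the /22, what the broadcast address is) without redoing the binary by hand.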



LAGG Port Static IP address for Edge Switch ES-12

I actually have a pfSense firewall, a Ubiquiti EdgeSwitch ES-12 and a TP-Link JetStream T2600G-52TS.

In my pfSense box I bundled 2 gigabit ports and added a static IP addr of 10.10.10.1/24 but when doing LAGG Ports on Edge Switch I did add the LAGG Port but unable to add static IP address. Is it possible?

I need the IP address to set a dynamic routing protocol OSPF between my pfSense box LAGG Port and Edge Switch ES-12 to advertise my Switch Virtual Interfaces. I'm trying to use the EdgeSwitch L3SW as the Relay for the pfSense DHCP Server.

Please help Thanks!

  1. Can I set Static IP on a LAGG Port EdgeSwitch ES-12?
  2. Can I setup OSPF protocol between pfSense Box and the Edge Switch?


If you're using WSA can you give me feedback

Having read a whole bunch of documents recently about how the WSA operates, it seems to me like there is so much messing around to get it to work properly (for any given environment), and there seem to be a fair few scenarios where you need to bypass authentication to get things to work, or just so many little workarounds to get it configured right for an organisation. I've never used WSA (I'm just reading how it works), so can someone tell me if this is the case? Is it just the biggest ball-ache that just isn't worth it? I feel even more strongly now that just using an NGFW is far simpler and achieves 90% of the task that the WSA will do without the bs of setting it up and maintaining it (the other 10% will be the reporting/decryption offloading that the WSA can do).



How do switches identify that traffic belongs to a certain VLAN?

Hello, in terms of networking experience I am a newborn child. I've just started learning about VLANs and they're making my head explode.

Since I've started learning I've been told several times that switches are layer 2 devices, so the idea that they have anything to do with logical addresses kind of melts my brain.

How does the switch know how to send stuff to the correct devices when it doesn't route?

Clarification would be appreciated
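The short answer: a VLAN is carried as a 4-byte 802.1Q tag in the Ethernet header (TPID 0x8100 plus a 16-bit field whose low 12 bits are the VLAN ID), and a frame that arrives untagged is assigned the VLAN configured on the port. The switch's MAC table is keyed by (VLAN, MAC), so it learns and forwards by MAC address inside one VLAN and never looks at an IP address. The following is an added example, not from the post: it parses constructed frames and runs them through a toy learning switch with two trunk ports and one access port (port names are made up).

```python
"""How a switch tells which VLAN a frame belongs to: the 802.1Q tag.

Added example, not from the original post. The frames below are constructed byte
strings and the port names are made up. A tagged frame carries TPID 0x8100 followed
by a 16-bit TCI whose low 12 bits are the VLAN ID; an untagged frame is placed in
the port's access (native) VLAN. The switch learns and forwards by MAC address
within that VLAN only, never looking at IP addresses.
"""
import struct
from typing import Dict, Optional, Tuple

FrameInfo = Tuple[str, str, int, bool]  # (dst_mac, src_mac, vlan, tagged)


def mac(raw: bytes) -> str:
    """Format 6 raw bytes as a colon-separated MAC address."""
    return ":".join(f"{x:02x}" for x in raw)


def classify_frame(frame: bytes, access_vlan: int) -> FrameInfo:
    """Return (dst, src, vlan, tagged) for an Ethernet frame arriving on a port.

    `access_vlan` is the VLAN the port assigns to frames that carry no tag.
    """
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype == 0x8100:  # 802.1Q tag present
        (tci,) = struct.unpack("!H", frame[14:16])
        vlan = tci & 0x0FFF  # low 12 bits; the upper 4 are priority (PCP) and DEI
        return mac(dst), mac(src), vlan, True
    return mac(dst), mac(src), access_vlan, False


class Switch:
    """A minimal learning switch whose MAC table is keyed by (vlan, mac)."""

    def __init__(self, port_access_vlan: Dict[str, int]):
        self.port_access_vlan = port_access_vlan
        self.table: Dict[Tuple[int, str], str] = {}

    def receive(self, port: str, frame: bytes) -> Tuple[int, Optional[str]]:
        """Learn the source MAC in its VLAN; return (vlan, out_port) or (vlan, None) to flood."""
        dst, src, vlan, _tagged = classify_frame(frame, self.port_access_vlan[port])
        self.table[(vlan, src)] = port
        # Lookup happens within the same VLAN only; unknown destination -> flood that VLAN.
        return vlan, self.table.get((vlan, dst))


def build_frame(dst: bytes, src: bytes, vlan: Optional[int], payload: bytes) -> bytes:
    """Construct an Ethernet frame, optionally with an 802.1Q tag (priority 0)."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    return hdr + struct.pack("!H", 0x0800) + payload  # 0x0800 = IPv4 payload follows


# Constructed locally administered MAC addresses for three hosts.
A = bytes.fromhex("020000000001")
B = bytes.fromhex("020000000002")
C = bytes.fromhex("020000000003")


def demo() -> Tuple[int, Optional[str], int, Optional[str]]:
    """Host A (tagged VLAN 10) and host C (untagged on an access port in VLAN 20) both send to B."""
    sw = Switch({"gi0/1": 1, "gi0/2": 1, "gi0/3": 20})  # gi0/1-2 trunks (native 1), gi0/3 access
    sw.receive("gi0/2", build_frame(A, B, 10, b"x"))             # B is learned in VLAN 10 on gi0/2
    v1, out1 = sw.receive("gi0/1", build_frame(B, A, 10, b"x"))  # same VLAN: B is known
    v2, out2 = sw.receive("gi0/3", build_frame(B, C, None, b"x"))  # VLAN 20: B unknown, flood VLAN 20
    return v1, out1, v2, out2
```

The last line of demo() is the whole point: B's MAC is in the table, but only under VLAN 10, so the frame from C in VLAN 20 is flooded within VLAN 20 and never reaches B. Getting between VLANs needs a router (or a layer 3 switch), which is where IP addresses come in.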



Has anyone built a medium enterprise 5G network?

I was wondering about how much it would cost to build a small 5g network (base tower + several 5g routers). I started with a simple google search and found a lot of generic articles about companies building 5g networks but nothing really specific.

On the homepages of ericsson, Huawei, etc. I found a few products for carriers, but nothing close to "buy these 3 devices and you are good to go".

Is it feasible to build a small scale 5g network for <$100,000? Which devices would you need for that? Has anyone of you done it?



Question about wireless bridges and ip

I am helping a friend out with all the IT related stuff at their BMX track that they've been working on. And we've had some struggles getting good internet speed and more specifically good upload speeds from the local WISP (too expensive to run new coax/fiber, city has denied multiple pathways for it), mainly for remote viewing of security cameras but also to be used for guest access on occasion. So we've had the idea to beam internet with something along the lines of a Ubiquiti airFiber 60, the GigaBeam or even the 60 GHz PtP building beam (distance is roughly about 550m from the main track office to the house and we have clear LOS) from a friend down the road, and we will pay for their gig fiber from CenturyLink, which they will also use for their own network. My main question is what's the best way to set the network up so that we can essentially have 2 networks: they can be on a network with their own IPs and we have a completely separate set of IPs for our network, and both are invisible to each other. I need to be able to have ports forwarded and also maybe the option to control the amount of bandwidth per network. For example I allocate them 150/50 and then have the rest available to us. They're a slightly older couple and wouldn't likely need a ton of speed themselves. Hope this makes sense and is allowed. Still learning networking. I have a pretty good grasp on it but some things I'm still learning a bit here and there as I go.



Friday, June 19, 2020

How do clients decide which DNS server to use from the list of DNS preferences?

Hi all,

So to summarize my current network setup, I have a Unifi USG gateway/router, and I currently have two pi-hole servers running as DNS servers (yes two). Long story short, I found my old raspberry pi and decided to run it on a new IP along with my existing pi-hole which was running on a Hyper-V virtual machine. Both have the same uptime, ~24/7.

Being the experimental person I am, I decided to run them both side by side, obviously with different IP's. In my DHCP Server preferences in my Unifi USG, I have set my DHCP nameserver DNS preferences as follows (yes, there are 4 server preferences that can be entered):

DNS 1: IP of pi-hole-1
DNS 2: IP of pi-hole-2
DNS 3: 1.1.1.1
DNS 4: 1.0.0.1

Now for the interesting part: pi-hole 2 actually receives some lookups, as its logs are slowly becoming populated. pi-hole 1 certainly captures the vast majority of traffic, however some is being directed to the second pi-hole. This is not a problem per se, however I have a few questions about this. They are as follows:

  1. If some DNS lookups are being referred to the second pi-hole server (DNS preference 2), then how much traffic is being sent directly to DNS preference 3, or even 4?
  2. Most importantly, what makes a client decide to use a second preference? My understanding was that the next preference would only be used if the previous one was entirely unreachable? Is the preference system more like a load balancer as opposed to a fail-over?

Just looking for someone to demystify this if possible. Thank you for your time!



Network monitoring

What tools/software are you using the most when you're being told that the network is slow?

What is your thought process and where do you usually start when you're troubleshooting? Where are you looking?



Smallest router for use in a compact live sound touring rack?

I'm in the market for a small, compact router that I can place in a 19" rack (doesn't have to be rack mountable), to connect to a Behringer X32 for wireless mixing on an iPad. The specs don't have to be great, I will only be connecting 1-2 devices in a short range. The main priority is small size and form factor to fit in the rack! Any recommendations appreciated!



Does using my IPSEC VPN I have setup on my Edgerouter encrypt my network traffic while I'm on unsecure wifi?

I'm away from home staying at a hotel and I was wondering if using my VPN to my home router would make my traffic secure.



Restore from backup or remove the created objects

Hey everyone. I had a quick question about what could be good practice when a person is performing a change on a firewall and all of a sudden things do not go the way they were planned, and the engineer decides to take a step back and put the configuration back as it was. In this question, I am taking Palo Alto firewalls as an example. After discussing it with the team, I found two opinions. Some argue (and they are the majority) that restoring from a backup could not always be successful and go smoothly, and there is a risk that you might affect the configuration on all devices managed by Panorama, and therefore they suggest removing the objects, rules, etc. you created and then making a commit on that device. Other people say it is much easier to restore from a backup taken before the change than having to delete objects, NAT rules, etc. I was hoping to see your thoughts on which you feel could be more appropriate, especially for an MSSP who is following the change management process and trying to ensure there is minimal impact or risk to the clients' managed devices when such cases occur.



Looking for suggestions... I need a new router for our small restaurant. Thanks!

We're currently using a TP-LINK N600 which is giving us a lot of problems. The connection drops every now and then, forcing us to reset the router. Connected to it, we have a bunch of IKEA bulbs (with a hub to manage all of them), 2x Sonos speakers, 4x Wyze security cameras, 2x LED strip lights, and an iPad to use our point of sale (connected to a mini server which is connected through an Ethernet cable to the router). Of course, every time that my wife or I (or both at the same time) are at the restaurant, our iPhones and my wife's iPad are connected too. That's quite a lot, isn't it? 😰 Our internet connection is Cable 15 Unlimited (15 Mbps max. download speed + 10 Mbps max. upload speed) which can be upgraded. Could you please recommend a decent router based on your own experience? I'm located in Quebec, Canada. Thank you very much for your time!!



Tunneling into Mobile Hotspot

Hi there,
I've been looking for a solution to this problem and I've come short of a meaningful answer.
I'd appreciate any insight into this.

I'm looking for a way to connect to a mobile LTE hotspot connection remotely using any means necessary. I'm using a service that only allows me to authenticate when I'm directly connecting using the hotspot, thus the need to share the hotspot's IP remotely.

Originally, I had intended on setting up a Wireguard instance on a computer that is connected to the hotspot so that I can connect to it from anywhere. However, I quickly realized that most mobile networks block all UDP ports and thus the Wireguard instance won't be reachable.
I could technically move the hotspot with me but I'm trying to avoid that all together and create some sort of tunnel between wherever I am and the hotspot connection.

Would anyone be able to point me in the right direction?

Thanks for your time, I appreciate it.



Can any router capable of sending and receiving information be used as a wireless extender?

I understand that a router and extender serve different purposes but is this distinction made through the software or the hardware? In theory, could you use a router as a wireless extender without the use of any cabling?



Need some help configuring Quanta LB4M

So I've bagged myself a bargain Quanta LB4M 48-port SFP+ 10GbE switch.

I have two Virgin cable modems and I want to set up

LACP / link aggregation load balancing

Does anyone have an idea how to do this via CLI? I've no idea what to do.

Help would be much appreciated



HFC vs WAN MAC

Hello. Newbie here. I'm just wondering when registering a MAC with my ISP which one I should use. I see conflicting information online and I just want to be sure I get it right. Thanks.



What do constant delay and constant data rate mean for voice traffic (video traffic, and data traffic)?

I mean, why does voice traffic need a constant data rate and constant delay? What does that even mean?

And why does voice traffic require a low data rate? Only 64 kbps? Does that mean it can produce good results with less sampling? Or what?

And why can video traffic work with both constant and variable data rates (if compressed)... why is more data rate needed (256 kbps)..

And why can video traffic accept the loss of data? Does it mean losing fps?

(latency and sequencing are important, I see).

And why does loss of any data cause bit errors in data traffic? (What is data traffic in real life?) I get that latency is not important (normal surfing of the internet)..
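"Constant data rate" for voice comes from the codec: uncompressed G.711 samples at 8000 Hz with 8 bits per sample, which is 64 kbps whatever the speaker is saying, usually packetized every 20 ms. "Constant delay" comes from the receiver playing those samples out on a fixed clock: a packet that shows up after its playout instant is useless, so variation in network delay (jitter) is absorbed by a playout buffer at the cost of extra, but constant, delay. The following is an added example, not from the post; the per-packet network delays are constructed.

```python
"""Why voice needs constant delay: a playout (jitter) buffer simulation.

Added example, not from the original post. G.711 sends 8000 samples/s at 8 bits
each (64 kbps); with 20 ms packetization that is one 160-byte payload every 20 ms.
The receiver plays samples out on a fixed clock, so a packet whose network delay
varies (jitter) must arrive before its playout instant or it is discarded. The
arrival delays below are constructed values, not measurements.
"""
from typing import Dict, List

SAMPLE_RATE_HZ = 8000
BITS_PER_SAMPLE = 8
PACKET_MS = 20


def g711_stream() -> Dict[str, float]:
    """Bit rate and packetization of an uncompressed G.711 voice stream."""
    bitrate = SAMPLE_RATE_HZ * BITS_PER_SAMPLE
    samples_per_packet = SAMPLE_RATE_HZ * PACKET_MS // 1000
    return {
        "bitrate_kbps": bitrate / 1000,
        "payload_bytes_per_packet": samples_per_packet * BITS_PER_SAMPLE // 8,
        "packets_per_second": 1000 / PACKET_MS,
    }


def playout(delays_ms: List[float], buffer_ms: float) -> Dict[str, float]:
    """Simulate a fixed jitter buffer.

    Packet i is sent at i*PACKET_MS and arrives at i*PACKET_MS + delays_ms[i].
    Its playout is scheduled at i*PACKET_MS + base_delay + buffer_ms, where
    base_delay is the delay of the first packet. A packet arriving after its
    playout time is discarded (heard as a glitch); the end-to-end delay the
    listener experiences is constant at base_delay + buffer_ms.
    """
    base = delays_ms[0]
    late = 0
    for i, d in enumerate(delays_ms):
        arrival = i * PACKET_MS + d
        scheduled = i * PACKET_MS + base + buffer_ms
        if arrival > scheduled:
            late += 1
    return {
        "packets": len(delays_ms),
        "late_discarded": late,
        "loss_pct": 100.0 * late / len(delays_ms),
        "listener_delay_ms": base + buffer_ms,
    }


# Constructed one-way network delays (ms) for 10 consecutive packets.
JITTERY_PATH = [40, 42, 41, 65, 40, 43, 90, 41, 40, 44]
STEADY_PATH = [40] * 10

if __name__ == "__main__":
    print(g711_stream())
    for buf in (0, 20, 60):
        print(f"jitter buffer {buf:>2} ms:", playout(JITTERY_PATH, buf))
    print("steady path, no buffer:", playout(STEADY_PATH, 0))
```

Running it shows the trade-off behind the question: on the jittery path a 20 ms buffer still drops two packets, a 60 ms buffer drops none but the listener now hears everything 100 ms late, and on a path with constant delay no buffer is needed at all. Data traffic has the opposite profile: TCP simply retransmits a lost segment, so delay variation is harmless but a single corrupted byte in a file is not.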



Would you please provide any type of knowledge you have about Cisco's Exablaze Ultra Low Latency network gear?

I would like to learn more about their products. I can't find much at all.

Thank you, guys.

https://exablaze.com/



Cisco DMVPN: Using two crypto keyrings and two ISAKMP profiles on one hub router

Ok, let me simplify this some.

I need to connect my DMVPN router to another DMVPN router that is not part of my network.

Since my network is smaller, the changes will be made on my 2951 router.

I will need to add a 2nd crypto keyring with CompA's pre-shared key and another crypto isakmp profile to my 2951 router.

Also we will be adding a tunnel to my 2951 and to their router. This is a phase 3 DMVPN network.

My current keyring is below:

crypto keyring dmvpn1_keyring vrf dmvpn1
 pre-shared-key address 0.0.0.0 0.0.0.0 key abc123

Is the solution as simple as just creating another keyring with CompA PSK?

crypto keyring CompA_keyring vrf dmvpn1
 pre-shared-key address 0.0.0.0 0.0.0.0 key compA4567

Can the two keyrings share the same VRF (dmvpn1) without issues?

Will there be disruption when the 2nd keyring is added? Hopefully the 2nd keyring won't interfere with my existing nodes that are using my original dmvpn1_keyring.

Not too worried about the 2nd crypto isakmp profile; that is just a statement applied to the new tunnel interface.



StrongSwan and phase 2 (PaloAlto)

Hi friends

I have Ubuntu Linux Trusty here, with strongSwan 5.1.2 installed on it.

This is the ipsec.conf:

config setup
       charondebug="all"
       uniqueids=yes
       strictcrlpolicy=no

conn BOT
     keyexchange=ikev1
     ikelifetime=28800s
     keylife=28800s
     ike=aes-sha1-modp1024,aes128
     esp=aes-sha1
     xauth=client
     left=yyy
     leftid=%any
     leftsubnet=left-subnet
     leftsourceip=%modeconfig
     leftauth=psk
     rightauth=psk
     right=xxx
     rightsubnet=right-subnet
     auto=start

The ipsec.secrets has this format:

left_ip right_ip : PSK "mypassword"

When I run ipsec start, I get this in /var/log/syslog:
Jun 19 09:41:22 servidor charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-170-generic, x86_64)
Jun 19 09:41:22 servidor charon: 00[CFG] disabling load-tester plugin, not configured
Jun 19 09:41:22 servidor charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Jun 19 09:41:22 servidor charon: 00[CFG] dnscert plugin is disabled
Jun 19 09:41:22 servidor charon: 00[CFG] ipseckey plugin is disabled
Jun 19 09:41:22 servidor charon: 00[CFG] attr-sql plugin: database URI not set
Jun 19 09:41:22 servidor charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jun 19 09:41:22 servidor charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jun 19 09:41:22 servidor charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jun 19 09:41:22 servidor charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jun 19 09:41:22 servidor charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jun 19 09:41:22 servidor charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 19 09:41:22 servidor charon: 00[CFG]   loaded IKE secret for xxx yyy
Jun 19 09:41:22 servidor charon: 00[CFG] sql plugin: database URI not set
Jun 19 09:41:22 servidor charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Jun 19 09:41:22 servidor charon: 00[CFG] eap-simaka-sql database URI missing
Jun 19 09:41:22 servidor charon: 00[CFG] loaded 0 RADIUS server configurations
Jun 19 09:41:22 servidor charon: 00[TNC] MAP server certificate not defined
Jun 19 09:41:22 servidor charon: 00[TNC] TNC recommendation policy is 'default'
Jun 19 09:41:22 servidor charon: 00[TNC] loading IMVs from '/etc/tnc_config'
Jun 19 09:41:22 servidor charon: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Jun 19 09:41:22 servidor charon: 00[CFG] missing PDP server name, PDP disabled
Jun 19 09:41:22 servidor charon: 00[TNC] loading IMCs from '/etc/tnc_config'
Jun 19 09:41:22 servidor charon: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Jun 19 09:41:22 servidor charon: 00[CFG] no threshold configured for systime-fix, disabled
Jun 19 09:41:22 servidor charon: 00[CFG] coupling file path unspecified
Jun 19 09:41:22 servidor charon: 00[LIB] loaded plugins: charon test-vectors curl soup unbound ldap mysql sqlite pkcs11 aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm ntru attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led duplicheck radattr addrblock unity
Jun 19 09:41:22 servidor charon: 00[LIB] unable to load 17 plugin features (9 due to unmet dependencies)
Jun 19 09:41:22 servidor charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun 19 09:41:22 servidor charon: 00[JOB] spawning 16 worker threads
Jun 19 09:41:22 servidor charon: 06[CFG] received stroke: add connection 'BOT'
Jun 19 09:41:22 servidor charon: 06[CFG] added configuration 'BOT'
Jun 19 09:41:22 servidor charon: 08[CFG] received stroke: initiate 'BOT'
Jun 19 09:41:22 servidor charon: 08[IKE] initiating Main Mode IKE_SA BOT[1] to xxx
Jun 19 09:41:22 servidor charon: 08[ENC] generating ID_PROT request 0 [ SA V V V V ]
Jun 19 09:41:22 servidor charon: 08[NET] sending packet: from xxx[500] to yyy[500] (216 bytes)
Jun 19 09:41:22 servidor charon: 09[NET] received packet: from yyy[500] to xxx[500] (136 bytes)
Jun 19 09:41:22 servidor charon: 09[ENC] parsed ID_PROT response 0 [ SA V V V ]
Jun 19 09:41:22 servidor charon: 09[IKE] received XAuth vendor ID
Jun 19 09:41:22 servidor charon: 09[IKE] received DPD vendor ID
Jun 19 09:41:22 servidor charon: 09[ENC] received unknown vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
Jun 19 09:41:22 servidor charon: 09[ENC] generating ID_PROT request 0 [ KE No ]
Jun 19 09:41:22 servidor charon: 09[NET] sending packet: from xxx[500] to yyy[500] (196 bytes)
Jun 19 09:41:22 servidor charon: 10[NET] received packet: from yyy[500] to xxx[500] (180 bytes)
Jun 19 09:41:22 servidor charon: 10[ENC] parsed ID_PROT response 0 [ KE No ]
Jun 19 09:41:22 servidor charon: 10[ENC] generating ID_PROT request 0 [ ID HASH ]
Jun 19 09:41:22 servidor charon: 10[NET] sending packet: from xxx[500] to yyy[500] (76 bytes)
Jun 19 09:41:22 servidor charon: 11[NET] received packet: from yyy[500] to xxx[500] (76 bytes)
Jun 19 09:41:22 servidor charon: 11[ENC] parsed ID_PROT response 0 [ ID HASH ]
Jun 19 09:41:22 servidor charon: 11[IKE] IKE_SA BOT[1] established between xxx[xxx]...yyy[yyy]
Jun 19 09:41:22 servidor charon: 11[IKE] scheduling reauthentication in 28251s
Jun 19 09:41:22 servidor charon: 11[IKE] maximum IKE_SA lifetime 28791s

ipsec status results:

ipsec status
Security Associations (1 up, 0 connecting):
        BOT[1]: ESTABLISHED 21 minutes ago, xxx[xxx]...yyy[yyy]

So, apparently it is connected, but the other side signalled that phase 2 never took place.

I wonder if there's some misconfiguration in ipsec.conf.

Thanks a lot
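The log above stops at "IKE_SA BOT[1] established", which is phase 1 only; with IKEv1 the XAuth exchange and then quick mode (a "CHILD_SA ... established" line) have to follow before any traffic is protected, and `ipsec status` listing only the IKE_SA is consistent with that. A small checker that tells the two stages apart in a charon log, as an added example that is not part of the post: the sample lines are constructed in charon's syslog message format (with documentation addresses and made-up SPIs), and the phrases it matches are the ones charon emits for those events.

```python
"""Check a strongSwan charon log for IKEv1 phase 1 vs phase 2 (quick mode) progress.

Added example, not from the original post. The sample lines are constructed in the
same syslog format as the post's log, using documentation addresses and made-up
SPIs; the matched phrases ("IKE_SA ... established", "CHILD_SA ... established",
"XAuth authentication ... successful", NO_PROPOSAL_CHOSEN) are charon's own
message formats for those events.
"""
import re
from typing import Dict, List

# Constructed: a run that reaches phase 1 only, like the post's log.
PHASE1_ONLY = """\
Jun 19 09:41:22 servidor charon: 08[IKE] initiating Main Mode IKE_SA BOT[1] to 203.0.113.10
Jun 19 09:41:22 servidor charon: 11[IKE] IKE_SA BOT[1] established between 198.51.100.5[198.51.100.5]...203.0.113.10[203.0.113.10]
Jun 19 09:41:22 servidor charon: 11[IKE] scheduling reauthentication in 28251s
"""

# Constructed: the additional lines expected when XAuth and quick mode also complete.
FULL_RUN = PHASE1_ONLY + """\
Jun 19 09:41:23 servidor charon: 12[IKE] XAuth authentication of 'user' (myself) successful
Jun 19 09:41:23 servidor charon: 13[IKE] CHILD_SA BOT{1} established with SPIs c1a2b3c4_i d4e5f6a7_o and TS 10.0.0.0/24 === 10.1.0.0/24
"""

EVENTS = {
    "ike_sa_up": re.compile(r"IKE_SA (?P<conn>\S+)\[\d+\] established"),
    "xauth_ok": re.compile(r"XAuth authentication of .* successful"),
    "child_sa_up": re.compile(r"CHILD_SA (?P<conn>\S+)\{\d+\} established"),
    "no_proposal": re.compile(r"NO_PROPOSAL_CHOSEN|no acceptable proposal found"),
}


def analyze(log: str) -> Dict[str, object]:
    """Classify how far an IKEv1 negotiation got, from the charon log text."""
    seen: Dict[str, List[str]] = {name: [] for name in EVENTS}
    for line in log.splitlines():
        for name, rx in EVENTS.items():
            m = rx.search(line)
            if m:
                seen[name].append(m.groupdict().get("conn", ""))
    phase1 = bool(seen["ike_sa_up"])
    phase2 = bool(seen["child_sa_up"])
    if phase2:
        diagnosis = "phase 1 and phase 2 both established"
    elif seen["no_proposal"]:
        diagnosis = "phase 1 up, phase 2 proposal rejected (compare esp= and the subnets with the peer)"
    elif phase1:
        diagnosis = "phase 1 up, no CHILD_SA seen (quick mode never completed)"
    else:
        diagnosis = "no IKE_SA established"
    return {
        "phase1": phase1,
        "phase2": phase2,
        "xauth": bool(seen["xauth_ok"]),
        "connections": sorted({c for c in seen["ike_sa_up"] + seen["child_sa_up"] if c}),
        "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else PHASE1_ONLY
    for key, value in analyze(text).items():
        print(f"{key:12} {value}")
```

Run it as `grep charon /var/log/syslog | python3 check_phase2.py` (file name assumed). On the post's log it reports phase 1 up with no CHILD_SA, which is the condition to chase: the lines that follow the IKE_SA establishment, on both this host and the Palo Alto, are where the quick-mode rejection or the missing XAuth exchange will show.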



Servers/Networking.

Hello everyone

Currently I've been working in a data center (server support role), which includes configuring and troubleshooting servers, activities like hard disk replacement, firmware upgrades, OS installation and maintaining the data center. I have some idea of servers but do not have an in-depth understanding yet, and I have also completed CCNA Routing and Switching.

I would like to know the learning techniques for the new role and career opportunities in these fields. Can someone please help me with the below questions running through my mind.

  1. Should I go in depth into the servers world or take up new roles/responsibilities like routing and switching?
  2. What considerations should be taken into account while deciding which one to choose?
  3. Any other suggestions and recommendations are also welcome.

Thanks in advance



Cisco ASA VPN ASDM question

Hey all,

Relatively new to Cisco ASA's (mainly a fortigate person) and had a question.

When I look in the monitoring of VPN tunnels I see this here. One line says IKEV1 IPSEC and the other says IKEV1. Both VPN Tunnels appear to be working correctly as far as I can tell. Is this cause for any worry?

Thanks!



Web scraping a website that uses edge servers

Hello, I am trying to scrape a website that uses Cloudflare edge servers, but since their edge servers are far away from my area I have resorted to using a VPS. I have optimized my web scraper code enough that it has a very minimal effect on the POST request RTT; however, since the request is dynamic it is not cached by the edge servers, which means that the RTT includes the trip between the origin and the edge server. So what specifications of the server should I be looking at to reduce the delay between the VPS and the edge server?

I am trying to improve the RTT by milliseconds, so even the slightest differences are important. I have a couple of ideas that I would appreciate it if anyone would confirm would make it faster.

  • Using a server with large bandwidth
  • Geolocation of the server as close as possible to the edge server
  • Having private peering with the edge server's data center
  • Locating my VPS at the edge server nearest to the origin server

Thanks for your time.



Limitations of Meraki SD-WAN offering

Hi,

I've been searching for information about Meraki SD-WAN and I've found that there are complaints about a few limitations. In particular:

  • You can't have the same device acting as firewall and VPN concentrator; this means we'd have to use two different devices, one for edge firewall and another one for Auto VPN
  • If you establish a VPN with a third party in a branch, you can't export the route to other branches
  • No native VPN client, just the one native to Windows (L2TP/IPSec)

The information I've found was usually several months old at least, so these limitations may not be a problem today. Does anyone know if this is so?

Thanks in advance!



Issues with Windows Domain Network and foreign sites

Hello,

Apologies in advance if the terminology I use is not correct, I'm a junior sysadmin that got propelled to senior sysadmin through lack of personnel.

I'm having a hard time trying to figure out the fault in our domain network, as the network is not entirely available across multiple offices. To simplify, here's the route:

Me (on site 1) > local core > Datacenter and main DC > Datacenter's ISP > Site 2 ISP > local router > local DC with DNS and DHCP > client PC

The site 1 DC is on a 10.200.10.0/16 subnet, site 2 DC is on a 10.25.1.0/23 subnet. Both DCs can communicate and the DC2 is correctly joined to our domain.

However once I start dealing with client PCs on both sides and other non-DC servers, I get nothing. The local domain controller itself can't even communicate with other domain controllers on the network. It sees the records thanks to the DNS but it can only communicate with the primary DC. Some examples:

Site 1 PC on 10.200.81.0/16 > Site 1 DC1: OK

Site 2 PC on 10.25.1.0/23 > Site 2 DC: OK

Site 2 DC > Site 1 secondary DC on 10.200.10.0/16: Not OK

Site 2 DC on 10.25.1.0/23 > Site 1 app server on 10.200.10.0/16 subnet: Not OK

Site 2 Client PC > Site 1 app server: Not OK

Site 1 Client PC > Site 2 client PC: Not OK

As long as I use the local DC2 as a bridge I can work on client PCs, but other services, notably client access to our other servers, are starting to cause a lot of issues. At first we discovered a rogue DHCP server that was messing up the domain connection on the client side (since then removed and cleaned up), but fixing that has not fixed anything other than the local DHCP configuration.

I have a suspicion that I missed a step or did something wrong when configuring the domain controller with DNS/DHCP, since we have 3 other sites with an almost identical setup that are correctly connected to our domain network and can be reached between any 2 sites, which makes me doubt our datacenter provider missed something when creating the rules and routes for the new site.

Any ideas?



Pulse Split Tunneling

Some users are complaining of being unable to access some shared drives once connected via Pulse Client VPN. This has started to be reported since split tunneling was enabled. Split tunneling was only enabled for Skype, Teams and WebEx.

Help me understand how this is possible?

They are saying they get better results via mobile tethering



How can I upgrade my router and modem to perfectly match my ISP service with 100 Mbps???

Sorry! I'm getting very frustrated because the internet has the answer HIDDEN AND BURIED, so you have to practically become an expert at wi-fi to buy a router and modem.

IF my ISP gives me 100 Mbps, AND I'm trying to spend the MINIMUM I possibly can on a router and modem, AND we have 10+ devices connected, AND I don't want to learn any more networking than I have to...

What specs should I look for when buying a modem and router? Is there a number I can look for, like the router and modem should equal the Mbps from the ISP?

My main goal is not to have a bottleneck anywhere.

I've spent hours on Google and YouTube, and also got several monolithic responses on Quora; I'm just looking for a straightforward answer so I know how much I have to spend on a router and a modem.



switch requirement SYN-flood protection

Hi guys,

I had a customer requesting switches with "TCP-SYN flood protection" and "DoS protection". I argued that these are more of a firewall feature and no switch can do it, but he kind of insisted that his switches need that.

Now, am I missing something? I mostly work with Aruba switches and I know there are some features, like broadcast limits, DHCP/ARP snooping or things like that, but TCP SYN flood and DoS protection are firewall features, right?



[via /r/WireGuard] High throughput Site to site VPN on commodity hardware - an adventure with WireGuard, bonding and ECMP

http://blog.muthuraj.in/2020/06/high-throughput-site-to-site-vpn-using.html

Using LACP and ECMP on 1G links, which makes it interesting.



Intent Based Networking capabilities

Can someone help me map the evolution of IBN and its capabilities in an S-curve or a similar tool like an innovation matrix?

P.S. I am a non-tech person; this would help me a lot in securing an internship.



Thursday, June 18, 2020

Nozomi Networks - OT SIEM experience

About to evaluate this product in terms of OT + IoT environments

https://www.nozominetworks.com/

as we are struggling to get human resources who can pull together this information for us.

Anyone willing to share their experience with this product, and was it value for the money and time spent?



Inter vlan help on SG series

I am embarrassed but desperate. Switch is in L3 mode. My PM was ready for this yesterday. I'm given 1 IP from an OTA modem that I want to turn into our own network, but the SG won't let me use standard IP route commands. It keeps telling me that I can't re-use a gateway. No default route command, for example. I set an IP route 0.0.0.0 0.0.0.0 and just grab everything on the network. Help articles keep pushing me into a router on a stick or my solution but with both networks a /24. I've given all the VLANs an IP. Switch can get out to the internet. Our DHCP network I've created cannot. Trouble is I can't change the modem from handing me VLAN 1 with a specific IP (mgmt) and VLAN 5 (data /32) with a specific IP. I only have 1 switch and 8 ports on the switch. I'd be super grateful for any ideas or direction! https://imgur.com/a/Yj6HBHa



Wifi Range extend????

Hello. My friend has a fibre connection of maybe 200 Mbps; he's in the opposite building, and we share the connection through a repeater, but the speed is very low. We have line of sight with no obstruction in between, and we also have satellite dishes (not used now) on top of the building with coax cables that used to carry the TV channels and are no longer needed. Is there any way to use them now to extend the fibre connection?



Juniper SRX won't accept ISP DHCP Offer due to Unicast Transmission

Title.

I have an SRX that won't accept a DHCP offer due to it receiving a unicast DHCP Offer from the ISP instead of a broadcast.

Are there any hidden knobs or configuration files that I can change in the unix shell that'll have it accept the offer?

Thanks!



Cisco ISE - Approach Problem

I was hoping anyone who was in this situation before could talk about it a bit.

Basically I joined a company that bought ISE 4 years ago and let it sit there. It's HA and on 2.6 but doing nothing. I was asked to get 802.1X working for wireless and wired authentication, but with the ability to check the computer for Cisco AMP installed before joining the network.

I want to go native 802.1X using the Windows-based stuff, to maybe ease the deployment via group policy. But then I also don't want to lock myself in and not be able to do posture assessment. Do I need to use the NAM to check for basic things down the road? Would I lock myself in by using the native 802.1X supplicants in Windows 10?

Any information is helpful. Don't want to go down the wrong path.



PacketBomb live stream starting at 6 PM PST (sorry short 20 min notice)

https://www.youtube.com/watch?v=Mw7QsjuAjhY

If you are interested in packet analysis, join for some fun where Kary goes through some stuff.

** I am not associated with PacketBomb, other than being a fan.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Out of work CCIE, 20 years exp, what certs are worth pursuing to increase my job opportunities?

I'm solid on ISP protocols/tech but need to start picking up some of the newer shiny skills to complement the core skills before I end up homeless.

If CCIEs were as valuable as they were a decade ago I'd pursue another. *tears in eyes* Sadly, they are not, and Cisco is going to be flushed down the toilet like the rest of the turds. That's my bet.

I'm looking at AWS certs right now and am planning on doing the AWS certified solutions arch associate. Should I take it further than this? I looked over the network specialization cert which is supposed to be the most difficult. It looks easy but is it worth my time?

How about Google Cloud certs? Is there by chance some better opportunity here than say Azure? I'm still pissed off about Microsoft removing POP from Hotmail after I signed up in the 90s. Bastards. So I probably won't do any of the Microsoft certs.

I'm after the stunner effect. That look of fear/admiration in people's eyes when they find out you are a CCIE, basically a god on vacation hanging around with mere mortals in the IT department. That's long gone but I seek to replace it. LOL

I'm also looking at the Palo Alto which looks straightforward. No weird cloud crappy abstractions here. I likey. Me likey.

Firepower is an option but I get a bit nauseated when I think about taking another Cisco certification. Bad investment. I'm also hearing from security pros that Firepower is pretty crappy vs Palo Alto in terms of usability.

SD-WAN looks a little interesting but seems to be mostly baby stuff, clickity click, drag drop type work. OK, to be honest it looks... BORING

Any ideas/advice for an old fart trying to hang with the youngsters for a few more years?



Cradlepoint Carrier LAN IPs

Hey guys, looking for some guidance on how to set up a 4G carrier-provided public LAN block on a Cradlepoint CBA850. Backstory is I purchased 4G service with a static IP address and a carrier-provided public /29 LAN block that is statically routed to the WAN IP. I gave the first usable IP address of the LAN block to the LAN1 interface, disabled IPv6 and IPv4 DHCP, and disabled NAT by changing the routing mode to ‘standard’. I can ping statically assigned devices on the same /29 LAN subnet and can ping the WAN interface address on the Cradlepoint (assuming because it’s a physically connected interface); however, I am unable to ping the internet from the LAN interface. Is anyone able to provide any guidance on what settings to check or what to try next in order to get my LAN block on the net without NAT? P.S. I have no issues grabbing a NAT’d IP and getting online, but that completely defeats the purpose of getting that public LAN block.



Google search Not Secure?

Hello, I was recently searching the web on Google, and as far as I know Google is always supposed to route through SSL port 443 since it has signed certificates and, well, it's Google. Has anyone encountered such an issue, ever? This has happened on some other days as well, but today it happened on Google Images: Chrome said Not Secure but the certificate was valid until 8/18/2020. Could it be DNS poisoning? I tried Googling for my answer, but Google itself was confused with my query.

I Googled for pictures of Rhode Island for anyone wondering ...

Thanks in advance and help is immensely appreciated.



Network closet labeling

Hi everyone, I wanted to see if anyone had any suggestions or best practices on labeling network closets for a building with multiple floors and closets. We are currently building a new location and I wanted to get the labeling right so it's not super confusing. Any help is appreciated, thanks!



Help Wanted with FreeRADIUS, OpenVPN and dot1x

Hi All,

We have FreeRADIUS running on a pfSense, currently serving OpenVPN for MFA. This all works great!

We also have a Ubiquiti EdgeSwitch, on which we would like to use MAC based dot1x port authentication and dynamic VLAN assignment, served by FreeRADIUS.

It works if we create a user on FreeRADIUS with the MAC as the username and password. However, this is of course no use from a security perspective, as then someone could sign into OpenVPN using that MAC as the username and password. FreeRADIUS does have a MAC-specific config though, presumably designed to circumvent this (yet to be successfully tested; looking at the config files I'm not so sure!).

The problem is when we set up the MAC in the MAC config it will not authorise. It will only authorise when it is entered as a user. Not sure if this is a FreeRADIUS problem or an EdgeSwitch problem; I'm assuming FreeRADIUS from the below log entries.

(1) authorized_macs: --> 3c-18-re-m-ov-ed
(1) authorized_macs: users: Matched entry 3c-18-re-m-ov-ed at line 2
(1) [authorized_macs] = ok
(1) if (ok) {
(1) if (ok) -> TRUE
(1) if (ok) {
(1) update control {
(1) Auth-Type := Accept
(1) } # update control = noop
(1) } # if (ok) = noop
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "3C18removed", skipping NULL due to config.
(1) [suffix] = noop
(1) ntdomain: Checking for prefix before "\"
(1) ntdomain: No '\' in User-Name = "3C18removed", skipping NULL due to config.
(1) [ntdomain] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 22
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
(1) [daily] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
(1) [weekly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
(1) [monthly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
(1) [forever] = noop
(1) if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
(1) ERROR: Failed retrieving values required to evaluate condition
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = Accept
(1) Found Auth-Type = eap
(1) ERROR: Warning: Found 2 auth-types on request for user '3C18removed'
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x89bf8bc989be8f93
(1) eap: Finished EAP session with state 0x89bf8bc989be8f93
(1) eap: Previous EAP request found for state 0x89bf8bc989be8f93, released from the list
(1) eap: Peer sent packet with method EAP MD5 (4)
(1) eap: Calling submodule eap_md5 to process data
EAP-MD5 digests do not match.
(1) eap: Sending EAP Failure (code 4) ID 1 length 4
(1) eap: Freeing handler
(1) [eap] = reject
(1) } # authenticate = reject
(1) Failed to authenticate the user
Login incorrect (Failed retrieving values required to evaluate condition): [3C18removed/<via Auth-Type = Accept>] (from client EdgeSwitch48 port 8 cli 3c-18-re-m-ov-ed)

Has anyone got any helpful pointers? From a management perspective it'd be really nice to use the package in pfSense and not require a dedicated RADIUS server.

Many thanks in advance!



Dell N1XXX, 2XXX, 3XXX Stacking

I am trying to figure out if you can stack the Dell N series switches together across generations with the rear mini-SAS stacking ports. Say we have a Dell N2048 and want to get a Dell N3048 or N1048P and stack them together; can you do that with no issues?



Cisco ASA: ACL for allowing all traffic to outside (internet access), but ONLY outside - not any -> any

Hi, I'm configuring an ASA and I can't seem to find an answer to this question:

How would I go about making an ACE allowing "any" traffic from an internal interface to the internet without it being a permit any->any rule?

Thank you



Network printer question(s)

Howdy everyone!

So the company I work for has a Konica Minolta Bizhub C658 printer that’s on our network, which is working fine.

Come the end of July, the company is moving into a new building about 30 mins away.

Since we still have a 2-year contract on these 2 printers, we have to keep them.

Now, I’m not a total networking nerd, but I know some things, so I ask this:

Once in the new building, we’ll have all new PCs as well. Once the network is set up and the PCs are set up properly to use these printers on the network, do we still need a small “printer server”? I’m of the belief that we don’t, but I’d like some clarification on this. I wanna make sure the IT company we contract with isn’t trying to pull one over on us. I already have had issues with the one guy, and I think he’s an idiot and I know more than him.

Anyway, essentially what I’ve already done to prepare for the move is take all our files from our server and create a SharePoint, so we’re getting rid of the server and using SharePoint instead.

Ultimately we’d love to scan from said printers directly to the SharePoint, but that’s a different post altogether.

Any help I can get is much appreciated!



Moving an existing BGP peer to a different interface on the same device without downtime, possible?

We have an upstream BGP peer on our ASR9001 that is connected through a VLAN provided by third-party transport. We will now change this transport provider to someone else. The VLAN ID, as well as the PtP IP address of the BGP session, will not change.

The only thing that changes is the physical interface (e.g. te/0/0/1 to te0/0/2). Unfortunately the PtP subnet is a /31, so it is not possible to set up a secondary BGP session.

Is it possible to migrate the config to the new interface without causing the BGP session to drop?

We will be able to keep the VLAN active on both the old and the new link, but I am not sure if that will help, as we would then have to put the same IP address on both interfaces.



Cisco DMVPN: using two crypto keyrings and ISAKMP profiles on Hub router

We have two different company DMVPN hubs (phase 3) that need to connect to provide connectivity.

Each company needs to preserve the crypto keyring and crypto isakmp profile on each hub, to maintain connectivity with their existing "spokes".

What is the best practice for Company B to add Company A's crypto keyring and ISAKMP profile to the config?

Can't seem to find anything that points out how to do this. Found something close, but it was 8 years old using 12.x code, so no thank you.

Anybody have links, examples?

Will adding another keyring and profile "disrupt" our existing CompB endpoints?

Running Cisco IOS 15 code, not IOS-XE code, on the CompB DMVPN hub.

Yes, we will be creating another "tunnel" on the CompB router. Also, ACLs will be used to limit routes passed between the two endpoints.



Recommendation for APs supporting WPA2-TKIP?

Would the community please recommend wireless access points that support the WPA2-TKIP standard based on positive experiences? It doesn't matter if they're no longer available in the retail market.



Cisco Sup 720 - Minor Error - "TestQoS" Failed

Anyone have any idea what the "TestQoS" function does on a Supervisor 720 card for a 6509? It says it's a minor error if it fails. We don't use QoS on the 6509, and I see the risk/reward ratio tipped more in favor of the risk of replacing this SUP card due to the environment this 6509 is in.

Mod Online Diag Status
---- -------------------
  1  Pass
  2  Pass
  5  Minor Error
  6  Pass
  7  Pass
  8  Pass

SWCoreMSDC-6509#show diagnostic result switch 2 mod 5
Current bootup diagnostic level: minimal
Switch 2 Module 5: Supervisor Engine 720 10GE SerialNo : SAL12448F5S
Overall Diagnostic Result for Switch 2 Module 5 : MINOR ERROR
Diagnostic level at card bootup: minimal
Test results: (. = Pass, F = Fail, U = Untested)
 1) TestOBFL ------------------------> .
 2) TestTransceiverIntegrity:
    Port  1  2  3  4  5
    -------------------
          U  U  U  .  .
 3) TestLoopback:
    Port  1  2  3  4  5
    -------------------
          .  .  .  .  .
 4) TestSynchedFabChannel -----------> .
 5) TestDontConditionalLearn --------> U
 6) TestNewIndexLearn ---------------> U
 7) TestCapture ---------------------> U
 8) TestTrap ------------------------> U
 9) TestMacNotification -------------> .
10) TestFibDevices ------------------> .
11) TestIPv4FibShortcut -------------> .
12) TestIPv6FibShortcut -------------> .
13) TestNATFibShortcut --------------> .
14) TestMPLSFibShortcut -------------> .
15) TestL3Capture -------------------> U
16) TestL3VlanMet -------------------> .
17) TestIngressSpan -----------------> U
18) TestEgressSpan ------------------> .
19) TestAclPermit -------------------> .
20) TestAclDeny ---------------------> .
21) TestQos -------------------------> F
22) TestNetflowShortcut -------------> .
23) TestFibTcamSSRAM ----------------> U
24) TestAsicMemory ------------------> U
25) TestEobcStressPing --------------> U
26) TestFirmwareDiagStatus ----------> .
27) TestAsicSync --------------------> .
28) TestUnusedPortLoopback:



Netflow

Hello,

I am playing around with SolarWinds Network Traffic Analyzer (NTA), but I am having difficulty understanding how to interpret the traffic statistics being presented from NetFlow.

As a test, I uploaded a 1GB file to an SFTP server on my LAN. This traffic traverses two core switches which have NetFlow enabled (ingress) on the intermediate links, e.g.

Client -------> CSwitch1 -------> CSwitch2 -----> Server

My expectation was that SolarWinds NTA would show 1GB of traffic between the client and the server on port 22. Instead, SolarWinds NTA reports a total of 2GB, which I presume is 1GB going into CSwitch1 and the same 1GB going into CSwitch2, before reaching the destination.

Is that how it is supposed to read, or have I misconfigured NetFlow?
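The double counting described in this post, worked through on constructed flow records (an added illustration, not from the original post or from SolarWinds): every switch with ingress NetFlow on the path exports the same transfer, so a collector that simply sums all records reports it once per exporter. The exporter names, addresses and byte counts below are made up.

```python
from collections import defaultdict

MiB = 1024 * 1024

# Constructed sample NetFlow-style records (not a real export). The 1 GiB SFTP
# upload traverses both core switches, so both export it; a second transfer to
# a host behind CSwitch1 is only seen by CSwitch1. Long flows are split into
# several records by the first switch's flow cache timeout.
SAMPLE_FLOWS = [
    {"exporter": "CSwitch1", "src": "10.1.1.50", "dst": "10.9.9.10", "dport": 22,  "bytes": 512 * MiB},
    {"exporter": "CSwitch1", "src": "10.1.1.50", "dst": "10.9.9.10", "dport": 22,  "bytes": 512 * MiB},
    {"exporter": "CSwitch2", "src": "10.1.1.50", "dst": "10.9.9.10", "dport": 22,  "bytes": 1024 * MiB},
    {"exporter": "CSwitch1", "src": "10.1.1.50", "dst": "10.1.2.20", "dport": 445, "bytes": 100 * MiB},
]


def conversation_key(flow):
    """Identify a conversation independently of which switch reported it."""
    return (flow["src"], flow["dst"], flow["dport"])


def naive_total(flows):
    """Sum every record regardless of exporter: the figure a collector shows
    when it just adds up everything it received (2 GiB for a 1 GiB upload)."""
    return sum(f["bytes"] for f in flows)


def bytes_per_exporter(flows):
    """Per-switch totals; each switch on its own reports the transfer once."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["exporter"]] += f["bytes"]
    return dict(totals)


def bytes_per_conversation_per_exporter(flows):
    """Build {conversation: {exporter: bytes}} so we can see who saw what."""
    table = defaultdict(lambda: defaultdict(int))
    for f in flows:
        table[conversation_key(f)][f["exporter"]] += f["bytes"]
    return table


def deduplicated_totals(flows):
    """Count each conversation once. Every exporter on the path saw the whole
    transfer, so take the largest per-exporter figure rather than the sum;
    a conversation seen by only one switch is still counted exactly once."""
    per_conv = bytes_per_conversation_per_exporter(flows)
    return {conv: max(by_exp.values()) for conv, by_exp in per_conv.items()}


def deduplicated_total(flows):
    return sum(deduplicated_totals(flows).values())


if __name__ == "__main__":
    print("naive sum of all records:", naive_total(SAMPLE_FLOWS) // MiB, "MiB")
    print("per exporter:", {k: v // MiB for k, v in bytes_per_exporter(SAMPLE_FLOWS).items()})
    print("deduplicated:", deduplicated_total(SAMPLE_FLOWS) // MiB, "MiB")
```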



FortiGate DoS Policy

Hi All,

I've recently started looking at the DoS policy on the FortiGate firewalls. I was wondering if anyone had any good articles or learning resources which cover this area?

I've taken a look at this link and my current employer's DoS configurations:

https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-firewall-52/Examples/Example-%20DoS%20Policy.htm

I was wondering if DoS configuration would largely be the same in most organisations and if the default values should be left alone, or (as I would think) if it depends on the amount of traffic currently being handled by the firewall.

Has anyone known DoS policies to cause problems for legitimate traffic? And given that the FortiGate options seem quite basic, would it be recommended to have a dedicated appliance handle this, or have your ISP provide the service, as I have done in previous roles?

Thanks for any help you are able to provide.



Budget Wired Router Showdown

Which of these routers would you buy?

TP-LINK TL-R600VPN
https://www.tp-link.com/us/business-networking/vpn-router/tl-r600vpn/

RouterBoard hEX
https://mikrotik.com/product/RB750Gr3

Ubiquiti EdgeRouter X
https://www.ui.com/edgemax/edgerouter-x/

OR maybe none of these?



How Wi-Fi Works: From Electricity to Information

What is Wi-Fi? Where did it come from?

Wi-Fi is a brand name for wireless networking standards. Wi-Fi lets devices communicate by sending and receiving radio waves.

In 1971, the University of Hawaii demonstrated the first wireless data network, known as ALOHAnet. In 1985, the US FCC opened the ISM radio bands for unlicensed transmissions. After 1985, other countries followed, and more people started experimenting. In 1997 and 1999, the IEEE ratified the first international wireless networking standards. They were called 802.11-1997, 802.11b, and 802.11a. The technology was amazing, but the names were not.

In 1999, the brand-consulting firm Interbrand created the logo and suggested Wi-Fi as the name. Wi-Fi was a pun on hi-fi, referring to high-fidelity audio. Wi-Fi was easier to remember than 802.11, and we've been stuck with the name since. The official name is Wi-Fi, but most people don’t capitalize it or include the hyphen. Wi-Fi, WiFi, Wifi, wifi, and 802.11 all refer to the same thing. In the early days, Wi-Fi was used as shorthand for Wireless Fidelity, but it isn’t officially short for anything. According to the Wi-Fi Alliance, Wi-Fi is Wi-Fi.

What does Wi-Fi do? How does Wi-Fi work?

Wi-Fi transmits data using microwaves, which are high-energy radio waves. Wi-Fi is more complicated than FM radio, but the basic underlying technology is the same. They both encode information into radio waves, which are received and decoded. FM radio does this for sound, Wi-Fi does this for computer data. So how can we use radio waves to send sound, or information?

At a basic level, you can think of two people holding a jump rope. One person raises and lowers their arm quickly, creating a wave. With Wi-Fi, this person would represent your Wi-Fi router, or wireless access point. Keeping the same up and down motion is known as a carrier wave. The person on the other end is the client device, such as a laptop or cell phone. When a wireless client joins the network and senses the carrier wave, it starts listening and waits for small differences in the signal.

In our example, you can imagine feeling the jump rope going up and down, and then receiving a single motion to the right. That single motion to the right can be interpreted as a binary number 1. A motion to the left would be a binary 0. Chain enough 1’s and 0’s together and you can represent complicated things, like all the data on this webpage.

It sounds like magic, but it’s not only Wi-Fi that works this way. Bluetooth, 4G, 5G, and most wireless transmissions work by manipulating waves to transfer electrical signals through the air. A deeper, better question than “How does Wi-Fi work?” is “How do wireless transmissions work?”

If you want a better answer, you need to have a basic understanding of a few things:

  • Fundamental physics of electricity and magnetism
  • Electromagnetic radiation, radio waves, and antennas
  • How wired networks transmit data

I tried my best to keep this understandable, and laid out in a way that makes sense. This stuff is complicated, and hard to explain. That is why there are so many bad explanations of how Wi-Fi works out there.

This isn't going to be a light and breezy discussion. Each of these topics could be an entire college course, so forgive me for simplifying where possible. Use Wikipedia and other resources to fill in the gaps, or to clarify something I glossed over. As always, corrections and feedback are welcomed.

Let’s dive in the deep end and cover the physics first. If you’re not familiar with fundamental physics, Wikipedia is an amazing resource. The key terms highlighted in blue are links to Wikipedia articles which explain further.

Wi-Fi Physics 101: Electricity and Magnetism

  • Matter is made up of atoms.
  • Atoms are made up of smaller particles: negatively charged electrons, positively charged protons, and neutral neutrons.
  • A positively or negatively charged particle creates an electric field.
  • An electric field exerts force on other charges around it, attracting or repelling them.
  • Magnetic fields and electric fields are related. They are both results of the electromagnetic force, one of the four fundamental forces of nature.
  • Electrical current is a flow of negatively charged electrons through a conductive material, like a wire.
  • Electrical current flowing through a wire creates a magnetic field. This is how electromagnets work.
  • In 1867, James Clerk Maxwell discovered that light, magnetism, and electricity are related.
  • He predicted the existence of electromagnetic waves.
  • His equations describe how electric and magnetic fields are generated by charges, currents, and other field changes.
  • This is known as the second great unification of physics, behind Sir Isaac Newton's.
  • In 1887, Heinrich Hertz was the first to prove the existence of electromagnetic waves. People thought that was so cool, they used his last name as the unit for a wave’s frequency.
  • Electromagnetic waves don’t need a medium. They can move through the vacuum of space, for example.
  • Since visible light is an electromagnetic wave, this is how we can see the sun, or distant stars.
  • This is also how we heard Neil Armstrong say “One small step for man…” live from the moon.
  • The warmth you feel from sunlight is due to the radiant energy sunlight contains. All electromagnetic waves have radiant energy.
  • Examples of electromagnetic waves: Visible light, radio waves, microwaves, infrared, ultraviolet, X-rays, and gamma rays.
  • Wi-Fi is an example of a radio wave, specifically a microwave. Microwaves are high-energy radio waves.

Electromagnetic Waves

Electromagnetic waves come in a wide range of forms. The type of wave is categorized by wavelength and frequency.

Wavelength is a measure of the distance over which the wave's shape repeats. In a typical continuous sine wave like Wi-Fi, every time a wave goes from peak to valley to peak, we call that a cycle. The distance it takes to complete one cycle is its wavelength.

Frequency is a measure of how many cycles the wave makes per second. We use hertz (Hz) as the unit of frequency; 1 Hz is one cycle per second. The more common MHz and GHz are millions, or billions, of cycles per second.

Imagine waves on a beach. On calm days the waves are small, and come in slowly. On a windy day the waves have more energy, come in faster, and have less distance between them. Higher energy, higher frequency, shorter wavelength. Unlike ocean waves, electromagnetic waves move at the speed of light. Since their speed is constant, their wavelength and frequency are inverse. As wavelength goes up, frequency goes down. If you multiply the wavelength and frequency, you will always get the same value — the speed of light, the speed limit of the universe.

You can graph all the various kinds of electromagnetic waves, with the lowest energy on the left, and the highest energy on the right. We call this the electromagnetic spectrum. I’m not going to cover the entire electromagnetic spectrum, since we are mainly interested in Wi-Fi’s microwaves, and how we can use them to send data wirelessly.

Starting from the left, we have the low-energy waves we call radio. Opinions vary, but I’m going with Wikipedia’s definition that radio waves cover from 30 Hz, up to 300 GHz. Compared to the rest of the spectrum, radio’s wavelengths are long, their frequency is slow, and energy is low. Moving up in energy from radio waves, we have microwaves.

Microwaves fall within the broader radio wave category, and are anywhere from 300 MHz up to 300 GHz. At a minimum, microwaves cover 3 GHz to 30 GHz. The specific range depends on who you ask, but generally you can think of microwaves as high-energy radio waves.

Microwaves are used in microwave ovens, Bluetooth, Wi-Fi, your cell phone’s 4G or 5G connection, and lots of other wireless data transmissions. Their higher energy, shorter wavelength, and other properties make them better for high-bandwidth transfers than traditional, lower-powered radio waves.

All waves can be modulated by varying either the amplitude (strength), frequency, or phase of the wave. This is what allows Wi-Fi, and any other wireless technology, to encode data in a wireless signal.
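A worked illustration of the phase modulation just described, added here and not part of the original post: bits are encoded by flipping the phase of a carrier (the "motion to the right or left" on the jump rope), and the receiver recovers them by correlating each bit interval against its own copy of the carrier. The carrier frequency, sample rate and noise level are toy values chosen for readability, not Wi-Fi parameters.

```python
import math
import random

CARRIER_HZ = 8.0        # toy carrier: 8 cycles per second (Wi-Fi uses ~2.4e9)
SAMPLE_RATE = 64        # samples per second, so one carrier cycle = 8 samples
SAMPLES_PER_BIT = 16    # each bit rides on two full carrier cycles


def bytes_to_bits(data):
    """Most-significant bit first, as a flat list of 0/1 integers."""
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def bits_to_bytes(bits):
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2) for i in range(0, usable, 8))


def modulate_bpsk(bits):
    """Binary phase-shift keying: bit 1 -> carrier phase 0, bit 0 -> phase pi.
    The carrier keeps running; only its phase jumps at bit boundaries."""
    samples = []
    for i, bit in enumerate(bits):
        phase = 0.0 if bit else math.pi
        for n in range(SAMPLES_PER_BIT):
            t = (i * SAMPLES_PER_BIT + n) / SAMPLE_RATE
            samples.append(math.cos(2 * math.pi * CARRIER_HZ * t + phase))
    return samples


def demodulate_bpsk(samples):
    """Coherent detection: multiply each bit interval by the reference carrier
    and sum. In-phase intervals sum positive (bit 1), inverted ones negative."""
    bits = []
    for i in range(len(samples) // SAMPLES_PER_BIT):
        correlation = 0.0
        for n in range(SAMPLES_PER_BIT):
            k = i * SAMPLES_PER_BIT + n
            t = k / SAMPLE_RATE
            correlation += samples[k] * math.cos(2 * math.pi * CARRIER_HZ * t)
        bits.append(1 if correlation > 0 else 0)
    return bits


def add_noise(samples, amplitude, seed=1):
    """Constructed, reproducible pseudo-noise (not a real channel model) to show
    that the correlation still recovers the bits when the signal is degraded."""
    rng = random.Random(seed)
    return [s + rng.uniform(-amplitude, amplitude) for s in samples]


def roundtrip(message, noise_amplitude=0.5):
    """Encode a byte string, push it through the noisy 'air', decode it back."""
    on_air = add_noise(modulate_bpsk(bytes_to_bits(message)), noise_amplitude)
    return bits_to_bytes(demodulate_bpsk(on_air))


if __name__ == "__main__":
    msg = b"Wi-Fi"
    print("sent:", msg, "received:", roundtrip(msg))
```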

Wired Networking Transmissions

Before we cover how wireless data transmission works, we need to understand how wired data transmission works. In wired Ethernet networks, we use the copper inside Ethernet cables to transmit electrical signals. The conductive copper transfers the electrical current applied at one end, through the wire, to the other side.

A typical example would be a PC plugged into an Ethernet switch. If the PC wants to transfer information, it converts binary digits to electrical impulses. On, off, on, off. It sends a specific pattern of 1’s and 0’s across the wire, which is received on the other end. Ethernet is the neighborhood street of the networking world. It's great for getting around the local area, but you’ll need to jump on the highway if you want to go further.

The highway of the networking world is fiber optic cabling. Just like how Ethernet transfers electrical current, we can do the same thing with lasers and fiber optic cables. Fiber optic cables are made of bendable glass, and they provide a path for light to be transmitted. Since fiber optics require lasers, special transceivers are required at each end. Compared to Ethernet, fiber optic cables have the advantage of a longer range, and generally a higher capacity.

Fiber optic cabling carries a big portion of global Internet traffic. We have a wide array of fiber optic cabling over land, and sea. Those connections are what allow you to communicate with someone on the other side of the country, or the other side of the world. This is possible because these transmissions happen at the speed of light.

Here’s where things get fun. Just like how Ethernet and fiber optic cabling take an electrical impulse or beam of light from A to B, we can do the same thing with radios, antennas, and radio waves.

Radios, Antennas, and Wireless Networking

Now that we have a rough common understanding of electromagnetic waves and wired data transmission, how can we transmit data wirelessly? The key is an antenna. Antennas convert electricity into radio waves, and radio waves into electricity. A basic antenna consists of two metal rods connected to a receiver or transmitter.

When transmitting, a radio supplies an alternating electric current to the antenna, and the antenna radiates the energy as electromagnetic waves. When receiving, an antenna reverses this process. It intercepts some of the power of a radio wave to produce an electrical current, which is applied to a receiver, and amplified. Receiving antennas capture a fraction of the original signal, which is why distance, antenna design, and amplification are important for a successful wireless transmission.

If you have a properly tuned, powerful antenna, you can send a signal thousands of kilometers away, or even into space. It's not just Wi-Fi: this is what makes satellites, radar, radio, and broadcast TV transmissions work too. Pretty cool, right?

How Wi-Fi Works: From Electricity to Information

  • An intricate pattern of electrons representing computer data flow into your Wi-Fi router, or wireless access point.
  • The access point sends that pattern of electrons to an antenna, generating an electromagnetic wave.
  • By alternating between a positive and a negative charge, the wire inside of an antenna creates an oscillating electric and magnetic field. These oscillating fields propagate out into space as electromagnetic waves, and are able to be received by anyone in range.
  • Typical Wi-Fi access points have omnidirectional antennas, which make the wave propagate in all horizontal directions.
  • This wave travels through the air and hits a receiving antenna which reverses the process, converting the radiant energy in the radio wave back into electricity.
  • The electric field of the incoming wave pushes electrons back and forth in the antenna, creating an alternating positive and negative charge. The oscillating field induces voltage and current, which flows to the receiver.
  • The signal is amplified and received, either to the client device or to an Ethernet connection for further routing.
  • A lot of the wave’s energy is lost along the way.
  • If the transmission was successful, the electrical impulses should be a good copy of what was sent.
  • If the transmission wasn’t successful, the data is resent.
  • When the information is received on the other end, it is treated the same as any other data on the network.

More Fun Wi-Fi Facts

  • Wi-Fi has redundancy built-in. If you wanted to send “Hello”, your access point wouldn't send an H, an E, an L, an L and an O. It sends multiple characters for each one, just like you would on a static-filled radio or phone call. It will use its equivalent of the phonetic alphabet to send “Hotel”, “Echo”, “Lima”, “Lima”, “Oscar”.
  • That way, even if you didn’t hear the entire transmission, you are still likely to be able to know that “Hello” was being sent. The level of redundancy varies with signal strength and interference on the channel.
  • If the signal strength is high, the access point and receiver are able to use a complicated modulation scheme, and encode a lot of data.
  • If you think about our jump rope analogy from earlier, rather than just left and right, it can divide into quarters, eighths, or further. It can also combine the direction of the modulation with the strength or phase of the modulation.
  • The most complex modulation in Wi-Fi 6 is 256-QAM, which uses 16 directions and 16 strengths to have 256 unique combinations. This results in high throughput, but requires a very strong wireless signal and minimal interference to work effectively.
  • As your wireless signal weakens, complex modulation can’t be understood. Both devices will step down to a less complex modulation scheme. This is why Wi-Fi slows down as you move away from the access point.
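As an added example that is not part of the article above, here is a small Python model of the modulation step-down described in the last few bullets: it builds Gray-coded square QAM constellations (4- through 256-QAM, generalising the 256-point case the text mentions), pushes symbols through additive Gaussian noise, and picks the highest-order scheme whose symbol error rate stays under a target. It is a simplified AWGN model, not the 802.11 PHY: there is no forward error correction, OFDM, or real rate-adaptation algorithm, and the SNR threshold is an assumption.

```python
"""Toy model of Wi-Fi modulation step-down (added example, not from the article).

Square M-QAM constellations (4, 16, 64, 256 points) are built with Gray-coded
bit labels and unit average power, symbols are sent through additive white
Gaussian noise, and the measured symbol error rate decides which scheme a link
at a given SNR could still use. Assumed simplification: no FEC, no OFDM.
"""
import math
import random

QAM_ORDERS = (256, 64, 16, 4)  # highest throughput first


def gray(n):
    """Binary-reflected Gray code, so neighbouring points differ in one bit."""
    return n ^ (n >> 1)


def qam_constellation(M):
    """Map symbol index -> (I, Q) for square M-QAM, scaled to unit average power."""
    k = int(round(math.sqrt(M)))  # points per axis (16 for 256-QAM)
    if k * k != M:
        raise ValueError("only square QAM orders are supported")
    levels = [2 * i - (k - 1) for i in range(k)]  # e.g. -3, -1, 1, 3 for 16-QAM
    avg_power = 2 * sum(lv * lv for lv in levels) / k  # E[I^2 + Q^2]
    scale = 1 / math.sqrt(avg_power)
    bits_per_axis = int(math.log2(k))
    const = {}
    for i_idx in range(k):
        for q_idx in range(k):
            sym = (gray(i_idx) << bits_per_axis) | gray(q_idx)
            const[sym] = (levels[i_idx] * scale, levels[q_idx] * scale)
    return const


def demap(const, point):
    """Hard decision: the constellation point nearest to the received sample."""
    x, y = point
    return min(const, key=lambda s: (const[s][0] - x) ** 2 + (const[s][1] - y) ** 2)


def symbol_error_rate(M, snr_db, n_symbols=2000, seed=1):
    """Monte-Carlo symbol error rate of M-QAM over an AWGN channel at snr_db."""
    rng = random.Random(seed)  # fixed seed keeps the result reproducible
    const = qam_constellation(M)
    snr = 10 ** (snr_db / 10)
    sigma = math.sqrt(1 / (2 * snr))  # noise std dev per axis (signal power is 1)
    errors = 0
    for _ in range(n_symbols):
        sent = rng.randrange(M)
        i, q = const[sent]
        received = (i + rng.gauss(0, sigma), q + rng.gauss(0, sigma))
        if demap(const, received) != sent:
            errors += 1
    return errors / n_symbols


def pick_modulation(snr_db, max_ser=0.01):
    """Highest-order QAM whose error rate stays under max_ser, or None if none does.

    This mirrors the step-down in the text: as SNR drops, dense constellations
    become unreadable and the link falls back to fewer bits per symbol.
    """
    for M in QAM_ORDERS:
        if symbol_error_rate(M, snr_db) <= max_ser:
            return M
    return None


if __name__ == "__main__":
    for snr_db in (5, 10, 20, 25, 30, 40):
        chosen = pick_modulation(snr_db)
        if chosen:
            label = f"{chosen}-QAM ({int(math.log2(chosen))} bits/symbol)"
        else:
            label = "no usable scheme at this target error rate"
        print(f"SNR {snr_db:>2} dB -> {label}")
```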


Working at playstation?

I've seen they post network engineer jobs every few months, and I'm curious if it's a good idea to apply (a lot of technologies to learn, looks good on a CV, etc.). I have over 5 years of experience in service provider, some data center, and a lot of automation, not only in networking but also systems. Thanks in advance for your input!



Router, switch and router switch?

For old nostalgia sake I watched the short animated film Warriors of the net (1999), describing the principles of networking technology in layman’s terms.

In the film they talk about the “router switch” as in a single separate device. Despite having worked with networking for several years, I can’t recall ever having anything to do with a router switch. I’ve had routers and switches but nothing “intermediate”.

Was or is this a real thing, or did the creators of the movie just confuse things?



Why didn't it become common to write FQDNs with a dot at the end, as in 'google.com.' ?

Wouldn't this make resolving host names more efficient?



Cisco IOS <---> Juniper JunOS

Trying my luck here. I just want to ask if you guys have any resource materials, like a PDF or something, that compare and contrast IOS to JunOS, both in commands and concepts. I'm just having a challenge studying Juniper because some things are a tad different from Cisco, but I know that if I can relate the two, things will go smoother. Thanks in advance!



Old Nortel ERS 5520-48T-PWR Headaches - No PoE and can't access backup switch via network

I went back to the office first time since the pandemic and found everything PoE powered dead since earlier in the month. The switch shows PoE as working normally, but no output on any of the ports. I notice that it has suffered multiple fan failures. I'm sourcing some new fans in case it hasn't suffered permanent PoE damage and is in some kind of protected state, but I would like to get things up and running again quickly.
I have 2 fresh backups (ascii and binary) of this switch.
I have another identical switch I hadn't used before, which I have now reset to factory defaults using the UI button on the front (both the 3 second then 5 press etc and 3 second then 3 press etc methods just in case.) I can't access its web UI or telnet to it at the default IP of 192.168.192.168.

The console cable port is damaged on the new switch, although I've bent it back into what I think will be a usable form. I only had access to 'screen' on my mac at the time, and set to 9600 I received multiple lines of gibberish with 2 rj-45 to serial console cable adapters via a usb adapter. With a straight-through cable I had 1 or 2 symbols. I will source a new straight-through cable just in case.

The old switch was running the latest available firmware. The new switch is unknown. Last thing I tried was setting the old switch as base and fitting a cascade cable I had sitting. At least remotely, the old switch is now no longer network accessible, although it is obviously working as I can connect to the network.

Does anyone have any ideas on what I can try next?



Bridge two subinterfaces on Cisco ASR

I have a Cisco ASR 1004 (RP2) running IOS-XE.

I am trying to bridge 2 sub interfaces into one L2 group so any traffic can flow between them just like they were switchports.

The interfaces currently look like this:

>interface GigabitEthernet0/1/2.2000
> encapsulation dot1Q 2000
>interface TenGigabitEthernet1/0/0.2000
> encapsulation dot1Q 2000

Is this possible, if someone could point me in the right direction for what to look for?

Thanks in advance



Wednesday, June 17, 2020

Rogue Access Points - How to find?

I've got two rogue APs showing up with very similar SSIDs

WM517526

WM519d42

Based on their MAC addresses, they are Roving Networks Devices:

00:06:66:51:75:26

00:06:66:51:9d:42

Notice that the SSIDs are related to their MAC addresses

I am able to connect to each of them without a password, at which point I can access the IP address and Gateway/Router address:

192.167.178.87 (Same address for each AP)

How can I best determine what these devices are? My initial hunch was a neighbor's IP cameras, but I don't know for sure, obviously.

Advice or suggestions? Let me know if there's a better subreddit in which to ask this.



How is Xml used to communicate over protocols? Why encode the data in an xml file?

So when an XmlHttp request is sent, does the host on the other end un-wrap the HTTP datagram to get an XML file? Or am I completely off the point here?

Any help appreciated!



VPN performance - IPSec faster than WireGuard in a particular scenario

Hey, I'd like to start by saying that I'm absolutely puzzled and do not know what to make of this. So, I've created 2 labs to test VPN protocols: WireGuard and IPSec (with strongSwan). My first lab is purely virtualized and resides on one physical host. My results are as follows:

- Non-encrypted link reaches around 3 Gb/s

- WireGuard gets around 1.4 Gb/s

- IPSec with ChaCha: 1.2 Gb/s, IPSec with AES-256: 1.8 Gb/s

I thought: well, I guess that AES-NI is playing a huge role here since IPSec with ChaCha20Poly1305 (the same algorithm that WireGuard uses) is performing worse than WireGuard.

But I've created a second lab, which consists of 2 VMs in Azure. I've used exact same configs and my results are as follows:

- Non-encrypted link reaches around 1 Gb/s

- WireGuard gets around 920 Mb/s

- IPSec with ChaCha: 700 Mb/s, IPSec with AES-256: 680 Mb/s

What can I make of this? I have absolutely no clue how to interpret these results. The only real difference between these 2 labs is the fact that my first lab did not use NAT, whereas the second one did. But the difference in performance is huge. It also looks like CPUs in Azure VMs have AES-NI too, so I guess that argument is out of the window... Could it be that my CPU is simply quicker? However, I'm not sure about that either, since these VMs use Intel Xeon E5-2673 v4 CPUs, which have better single-thread performance than my CPU (Ryzen 5 1500X). What could be the issue here?



Cisco and their stupid USB console port

Long time network engineer, and I've always just utilized the RJ45 ports on Cisco equipment.

We are now utilizing some IoT stuff out in the field for utility distribution and monitoring using IR1101 routers. Unfortunately these only have the ability to use a USB console connection, and I cannot get this damned thing to work.

Pardon my ignorance here but can you utilize any USB to Mini cable?

After plugging it in, it shows Silicon Labs CP210x USB to UART Bridge (COM7) inside Device Manager. I have tried SecureCRT and PuTTY with the proper serial settings, just like any other piece of equipment where you're using the RJ45 connection, and all I get is gibberish on the screen. I've tried changing the COM port to COM2. Unfortunately I cannot seem to get connected to this router.

I do not have a 'Cisco USB to Mini console' cable here but ordered one and it will be here on Friday.

Anyone else have any advice for this rather rudimentary issue? Kind of hard to make any forward progress when you can't even connect to the equipment.



ExtremeXOS MAC Tracking

Hi all,

Currently seeing the following entries in my switches:

<Info:HAL.FDB.ExcssMACMove> Excessive MAC move notification from hardware encountered on slot 1.
<Info:HAL.FDB.ExcssMACMove> Previous message repeated 6 additional times in the last 1500 second(s)

However, there is nothing in the logs to indicate where it's actually originating from and what's causing it. I've tried adding a filter containing the following

FDB.MACTracking.MACMove
FDB.MACTracking.MACDel
FDB.MACTracking.MACAdd
FDB.MACMove
FDB.MACDel
FDB.MACAdd

... and I have enabled mac-tracking on ports 1-52, but it seems to not catch anything. Does anyone have any ideas on how I'd go about finding the source of this?

Thanks!

Edit: Words.



Suppose we have a network address block 128.93.0.0/16. Can we make exactly 80 subnets from it? If yes, how?

Hi, my question is simple. Can the number of subnets be something other than 2, 4, 8, 16, 32, 64, 128, etc., like 80 or 90?



Dellos 10 ansible command module issue !

Hello Team,

I have been facing an issue while performing an ad-hoc command on Dell switches (Dell OS10).

ansible testing -m dellos10_command -a "commands='show version'" -i testinven

Above is the command I'm trying to perform.

Error_msg : unable to decode json from response to exec_command

And the thing is, I'm getting the ping-pong response and Ansible facts just fine. Can anybody explain?



Need to upgrade Cisco devices over DMVPN but struggling

Hey all,

Trying to write a script to copy new code to devices out in the field, but it is going poorly. TFTP copies always throw in 0s (!!!0!!0!!! for example) and never complete. SCP will work fine but takes 2+ hours. I tried increasing the block size but no dice. I am not maxing out WAN circuits on either end but understand I am at the mercy of the internet. The only thing I am thinking about doing is doing it overnight, but does anyone have experience with this? I know it takes ~30 minutes or so over an MPLS connection, but 2+ hours is unbearable.



CoPP Confusion

I'm having trouble understanding how traffic is matching on a class-map that doesn't have a match condition.

ip access-list extended EIGRP-CUSTOM
 permit eigrp any any
!
class-map match-all EIGRP-CUSTOM
 match access-group name EIGRP-CUSTOM
!
class-map match-any class-copp-mcast-punt
!
class-map match-any class-copp-mcast-v4-data-on-routedPort
!
policy-map TEST
 class class-copp-mcast-v4-data-on-routedPort
  police rate 10 pps burst 1 packets conform-action drop exceed-action drop
 class class-copp-mcast-punt
  police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
 class EIGRP-CUSTOM
  police cir 200000000 bc 31250 conform-action transmit exceed-action transmit
control-plane
 service-policy input TEST

I've inherited this configuration (it's a subset of a larger config that I can't share). But essentially, I can still see traffic being matched on the class-copp-mcast-v4-data-on-routedPort class. How is that possible? Please see below, as I have an increasing counter in the "exceeded packets" section.

show policy-map control-plane input
  class-map: class-copp-mcast-v4-data-on-routedPort (match-any)
    ..output omitted cos it's irrelevant
    Earl in slot 2 :
      633577 packets
      5 minute offered rate 0 pps
      aggregate-forwarded 2 packets action: drop
      exceeded 633575 packets action: drop
      aggregate-forward 0 pps exceed 0 pps

I'm assuming that this is some sort of auto-generated policy that's then been inherited into a new custom policy, and this auto-generated policy is somehow matching the traffic in the background or something, I don't know. Can someone explain?



PoE budget on Cisco SG Series switches

I have a question that's gone unanswered on the SG350X-48P

Consumed Power vs Actual power

I'm trying to figure out if "budgeted" power will limit the number of devices I can power up with a SG350X-48P switch.

When I "show power inline"

The consumed power is showing what's been cumulatively budgeted by each device connected to the switch.

For example, 2 x 802.3at WiFi APs - budgeting for 25.5W each, but only consuming 9.8W each.

I'm worried that as IP-Phones get added, the PoE on the switch will go "over budget" and stop powering up additional devices while the actual power usage will be less than 50% of what's available.  Make sense?

I've seen commands posted on forums that relate to the catalyst line using 'consumed power' instead of budgeted power for deciding whether to turn up another PoE port, but nothing on the SG series switches.

Output below has been edited for brevity.

show power inline
Power-limit mode: Class based
Usage threshold: 95%
Trap: Disable
Legacy Mode: Enable
Inrush Test: Enable
Class Error Detection: Enable
Unit Module         Nominal   Consumed     Temp     SW            PSE chipset
                    Power (W) Power (W)    (C)      Version       HW Revision
---- -------------- --------- ------------ -------- ------------- -----------------
1    SG350X-48P     375       52 (14%)     44       23.190.18.3   PD69208 - 0x4A02
~

Interface  Admin      Oper        Power (W)         Class Device         Priority
---------- ---------- ----------- ----------------- ----- -------------- --------
gi1/0/1    Auto       On          9.800 (25.500)    4                    high
~
gi1/0/25   Auto       On          9.600 (25.500)    4                    high
gi1/0/26   Auto       Searching   0.0               0                    high
gi1/0/27   Auto       Searching   0.0               0                    low
gi1/0/28   Auto       Searching   0.0               0                    low



SD-WAN

Can someone explain SD-WAN to me like I’m an idiot child? I need to understand how it is implemented and in what cases is it used. I work in a large hospital with dated equipment I’m trying to bring out of the dark ages (when I took the job most of the closets were still running on 2950s for example).



Help with login issue on new Nexus 9000 switches

So we have, and are currently installing, new Nexus 9000s across our environment. Now we have an issue where the first login is invalid and closes the SSH connection; we then have to reconnect and log in a second time. This happens every time we try to log into a device. Anyone know the fix?



Does anyone know of any ISPs that are having/had trouble connecting to COD:Warzone servers?

I work for an ISP and right now our customers just can't connect to COD: Warzone but they can play the other COD multiplayer modes just fine. We can't seem to figure out what's going on right now. I would like to know if anyone has any knowledge about this issue to know if it is widespread or not. Thanks



ISE not authenticating PCs

Hello all,

I have a problem regarding ISE, there was a device that was connected to the network, but suddenly ISE disconnected it. I got this log from ISE:

24486 Machine authentication against Active Directory has failed because the machine's account is disabled

I checked Active Directory; the device account is still registered in it.

I have tried to restart and authenticate, but I got the same problem.

Any help, please

thank you



How to download the latest eNSP? (ent. network simulator)

How to download the latest eNSP? (ent. network simulator)



MD5 Hash required

Hey everyone,

I've got a device to upgrade to c870-advipservicesk9-mz.124-15.T12.bin.
My problem is this, I have no idea what the checksums are.
The IOS isn't on Cisco.com and Cisco feature navigator is down for maintenance.

Does anyone know the MD5 checksum for the IOS?

Thanks in advance



Cisco RESTCONF mac-address-table

Hello everyone,

We are going to buy some Cisco Catalyst C9300 and C9500 for our network. We want to provision them with the RESTCONF protocol.

I'm currently able to configure the VLANs, QOS, interfaces, ... But I cannot get the mac address table from the switch...

I tried to make a GET request on

  • 'data/Cisco-IOS-XE-native:native/mac-address-table'
  • 'data/Cisco-IOS-XE-native:native/mac/address-table'

but both return nothing (HTTP return code is 200). When I run 'show mac address-table' on the switch, I see multiple entries.

Has anyone had the same issue, or am I making my request on the wrong path?

Thank you for your help and have a nice day !



Juniper Multiple GRE tunnels using one source IP

Hi,

I have an MX series router, and I'm planning to establish 2-3 GRE tunnels between sites. Will it work if I only use one (the same) source IP for each tunnel?

Thanks in advance.



IPX with Cisco Catalyst 2900X?

Hi, we're done replacing a few old switches and now some old machines that are running IPX can no longer communicate with each other. So the question is, does anyone know if it is possible to switch IPX traffic through a Catalyst 2900X-series switch, or do we have to build around the problem using old gear? We're running IOS version 15.2(7)E2.

That's a question I really thought I never would have...



Tuesday, June 16, 2020

Comcast outage - Minneapolis MN

Going on about 90 minutes of hard down at our primary data center.

Our troubleshooting/backdoor VPN firewall is on Comcast coax, which is also down.

We are dual BGP homed with GTT, but most of the Tier-1 looking glasses that I took a peek at are preferring Comcast... which tells me something is jacked on their core routers and still advertising our ARIN space even though I have the interface completely shut down.

GTT can hit us just fine. I feel powerless.

Time to go brew a pot of coffee.



Aruba poe power utilization

We are in the process of going from Aruba AP225 to new AP515. The problem is the new AP515s are asking for 30W from our Cisco switches (which are now running out of watts for PoE). I have tried many changes on my switches, including LLDP-MED power management and setting static power on the switch. Nothing seems to be working. The actual power utilization from the AP is around 10W. Any suggestions?



Most Reliable Setup

Hi all,

I’m looking at redoing the networking at my local fire company. We already have new Aruba APs installed, but the backhaul is a mess.

Currently we have one HP 48 port PoE gigabit switch, a Netgear 24 port gigabit, and a UniFi 24 port PoE. None of these are in full use and it's all the same subnet. Honestly confused as to why so many, but whatever, before my time. We’re running a Cisco 5510 currently.

I’m going to UPS the setup (because whatever genius installed all this didn’t put one in) but I’m looking for some more opinions.

For cost I want to do a USG Pro and UniFi switches, since the UDM Pro isn't stable enough yet.

For reliability I want to do Cisco.

I also have experience with PF and Untangle.

I think untangle is first to go due to its costs, but PF might work well for cost and stability.

Thoughts?



Device is sending 1K identical IGMPv3 messages per second, and device is offline

I have a medical device that will try to join a multicast group. I have Wireshark running on a PC on the same VLAN and can see the IP address of this device sending ~1000 IGMPv3 membership report/join frames per second.

Ok, could be defective, but I'm told the device is powered off and I am not able to ping it.

These igmpv3 messages appear to be exactly the same.

It seems this huge number of packets is being bounced around in a loop. Is there such a thing as a multicast loop? Other devices are fine.

Thanks



Working at a school, can't use wifi

I'm connected to the wifi but can't use my apps, and I don't have data since the school is way out in the country. Is there a way to bypass the blocks?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Adding new VLANs across trunks with etherchannels configured?

So I am bringing over VLANs to the core. The interface is configured as a trunk, as well as the port channel.

If I add the VLANs to the physical trunk, will that not cause a spanning tree loop due to the Etherchannel configuration?

If I add the VLANs to the port channel on both sides, will that be sufficient enough to broadcast the VLANs? Or do I need to add them on the port channel and physical interface?

int port-channel 8
 switchport trunk allowed vlan add 106-117

And/or

int gi1/1
 switchport trunk allowed vlan add 106-117

Thanks



Cisco Wireless 802.1X Authentication per WLAN?

Hi Guys,

We have a wireless network with a centralized Cisco WLC and APs in a FlexConnect setup. The WLC is located at a different site, and the APs at site A connect via a private line.

At site A we have a WLAN with 802.1X authentication enabled, and the RADIUS server is also located at a different site. Now, we recently noticed that the volume of traffic increases and sometimes causes congestion, and with that, I think it affects the client wireless connection, since they're saying that they have issues with the wireless connection.

It is still under investigation whether this congestion affects the clients currently connected to the WLAN or just the new clients that want to connect to the WLAN.

Sample topology:

WLC & Authentication server <--------- Private line ---------> Site A AP's and Client

Note: we have multiple sites connected to the WLC and authentication server, but only site A is having this kind of issue, although the issue is not consistent.

Question:

  1. Does the authentication between the client and the authentication server happen only at the time the client connects to the SSID, or is this authentication still performed even though the client is already authenticated/connected?
  2. Does the congestion affect the connected clients' wireless connection as a whole, or only a specific SSID?
  3. Is the only port used between the client and the authentication server 1812 (UDP)?

Thank you



Cisco LIVE Discussion Thread: Day 1

Since Cisco LIVE is free to everyone and online this week I thought there might be some interest in a discussion thread.

Mods, if this isn't OK, feel free to remove it.



Bulk Upgrade Dell Switches

Our network consists of mostly Dell 2048 switches (around 200), every time we need to upgrade it we go through a painful exercise in manually upgrading the firmware one by one. What management software do you use to bulk upgrade them?



Cat6 vs Fiber

We're wanting to clean up one of our locations. The school was wired before we consolidated and all the runs are piggybacked. We're looking to purchase some pre-terminated fiber and at least make some of the closets home runs. The building has 7 closets, including the MDF. We're thinking of going home runs with at least three of them. Is there any benefit to doing fiber between closets (say a max of 200 feet) if there is already existing Cat5e or Cat6? One of them is a computer lab that is less than 60ft from another closet, but there is a patch panel and switch in the lab. The guy there has run all the cable himself, but half the switches are less than half full. We've added access points, 4-5 laptop carts, video surveillance, IP phones, and an extra building outside that we moved another school into (our Adult Education). I'd love to rewire the whole building, but right now, we don't have it in the budget. I have a surplus of fiber and copper GBICs, so it's just the fiber that's gonna cost a few grand.



Stick MAC on one port but need to use second port sometimes

ugh, meant sticky obviously...

Pretty straightforward situation, we have port security enabled on the "public" facing ports in our office (ports that could be reached without needing to swipe a card) with sticky static MAC addresses. We have a few people who sometimes rotate to the front desk but still have their own desk at another location. The entire first floor of the building runs on the same switch stack.

The issue arises when a user's MAC address is statically assigned to the front desk port via sticky and later they go back to their desk and try to connect via ethernet. Having a MAC address exist on two different ports on the same switch obviously causes problems.

To try to head off some obvious solutions:

  1. I know we could assign one of the ports to a different vlan but we're trying to avoid that because we have a vlan layout and IP design that we're trying to stick to.
  2. We could have the user in question stick to wifi at their own desk

These two solutions are perfectly valid and I'm aware of them so I'm hoping to avoid those replies.

What I'm asking is if there is some way to keep all the ports on the same user vlan and make this work. i.e. is there some way to have a MAC address sticky to one port while at the same time, dropping off that port's config when it's disconnected?