Saturday, June 27, 2020

Cisco CML2 lab for ISE

Hello All,

I really want to learn how to use ISE since eventually we might get this solution at my work. If I wanted to lab this at home on CML2, how would I go about doing this?

I use CML2 with VMware Fusion.

So I went to Cisco software download and grabbed the ISE 2.7 trial OVA file so I can put it onto a server. At this point I'm lost on how I can boot this image up in my CML2 lab so I can network it in my lab and start connecting switches to it. Would I need to start 2 different virtual machines in VMware Fusion and somehow bridge the NICs so they can see each other on the same network?

I'm not able to find much documentation on this, so if someone could point me in the right direction, I would really appreciate it. Thanks in advance



Is there one platform that can configure / manage any major switch vendor?

I'm looking for a single platform that can manage the configuration of any switch from the major players (HP, Cisco, Dell, Juniper, etc.).

Is there ONE utility or platform that can allow me to set up things like VLANs, trunks, etc. regardless of the 2-3 different switch types we have deployed?



s4048on 9.14.x OS download?

Hey all,

I've bought a few used s4048-on's recently. They have Pro Support on them, but I can't get the Dell Force10 support people to respond with my request to access the downloads. Is there an alternative location where these can be downloaded?

Thanks!



Looking for experiences with 10Gig Copper and NBASE-T networking...

Hi all,

I'm in the pro-av market and I'm putting a system together that will connect two switches (Netgear M4300 / M4200) over 10Gig SFP+. What I am undecided on is how robust of a cable I really need for a link under 25ft. They aren't in the same rack.

I realize that CAT6A is recommended for 10Gig... but, I've been reading that CAT6 would be fine for between 37-55m. Also, I'm a huge fan of the super slim CAT6A cables that Monoprice and other retailers have, and while they're super convenient, it's hard for me to believe they can handle 10Gig... though I realize they're only designed for a single device-device link.

I'm not considering using slim run CAT6A for 25ft either, but I am considering unshielded CAT6A, mainly because I have it.

I am generally used to shielded CAT6A and even shielded CAT7A for digital video applications (HDBase-T), but I am thinking that I don't need to go that route for this. This 25ft run isn't in a ceiling or wall or anything so I'm not worried about interference.

Also, the whole CAT6 and CAT6A varieties are driving me nuts. Surely, 23AWG CAT6A is not the same as 26AWG CAT6A, but I suppose if they can both do 500 MHz they both qualify?

I'm looking for your experiences and practices right now...



Really need some guidance. I wanted to better understand and learn networking and what better way than to get stuck in.

Edit: This post had a lot of information that I have since made irrelevant, by changing my setup and thus narrowing down the issue.

So, that leaves me with a question. I have a server running ESXi -> pfsense and pihole.

I have the LAN port from pfsense coming into my pc and I have internet access and access to my servers.

I purchased a physical switch and literally just moved the LAN from PC to switch and from switch to PC. Then added a WAP to the switch.

Then my connection became unreliable until it just ceased.

So my question is how do I add a physical switch to pfsense and make one port the input and the rest outputs?



I want to learn about Networking Protocols.

Hi, I'm a 2nd year student pursuing a Computer Science degree. I have been given an assignment that involves creating an HTTP client and an HTTP server using C. This is research based and we haven't been taught much about this. The assignment expects us to learn more about networking protocols, mainly HTTP in detail. I'm looking for sources that can explain it well in detail and can be useful for a beginner. Thanks!



Any suggestions for hands-on networking experience?

I've recently passed CCNA so I guess you could say I know the basics of networking. I'd like to develop my networking skills, e.g. configuring/troubleshooting Cisco devices, but I'm currently not getting any exposure to this at work. I'm only 20 so just starting out my career, but was wondering if there were any websites out there that offer practical experience such as building labs with certain routing protocols etc. Any suggestions from people who have been in a similar situation to me would be great. Apologies if a similar post has been made and answered. Thanks.



Fortinet firewall similar to Cisco's ASA 5545

Hello guys and gals,

My manager asked me to find a Fortinet firewall similar to Cisco's ASA 5545 in terms of features/capabilities. I searched online, but when it comes to firewalls I'm a total noob, so I couldn't find or decide on one.

Can you guys help me on this, and suggest a Fortinet firewall model?

Your help is appreciated!

Thanks.



Onsite "side arm" laptops?

I've always carried a second laptop on me for onsites. There are multiple reasons for this and I'm sure a lot of you do the same. Traditionally I've used a MBA since battery life is great, it runs the apps I need (Wireshark and bash/homebrew) and is easy to have in hand when I squeeze behind racks.

What are you using as your "side arm" laptop? Really curious if anyone is using a Chromebook using ChromeOS + Linux app support because that seems like a perfect low cost solution here, I just can't find any information on people using Wireshark and serial adapters with one.



Adding packets to speed up failure

Hi all – If you've got a small payload situation where the payloads always fit into a single 1400-ish byte UDP/IPv6 packet, there's no explicit way to know about packet loss. It seems like timeout is the only way you know, by default. In fact, AFAIK this is how DNS is – a one-packet request that simply times out.

What if we want to know about packet loss sooner than a multi-second timeout? Would it be smart to string out the send into a couple of packets, and get a fast notification when one is missing? How would the math work on that solution? I mean if a packet has a 99% chance of arrival, the chance that one of two gets through should be higher than 99%, but I don't remember the formula. That's assuming independent probabilities, but two packets that are sent together are unlikely to be independent in that sense – the failure of one is probably going to correlate at least slightly with the other's chance of failure, but I don't know if there's a general rule here.

The chance of some kind of failure (like one of the two packets lost) goes up if you string out a one-packet send to two or more packets. Worst case is .99 * .99 = .98, assuming independent probabilities, but it should be better than .98 since these aren't fully independent. But maybe the slightly greater chance of some level of failure is worth the hit to us if it helps us detect a failure sooner than a timeout would. What do you think? Would breaking one packet into several smaller ones make sense? (We could get fast notification by switching to TCP instead of UDP, or maybe something out of band.)

Relatedly, does TCP have any solution for the one-packet use case in terms of notification of a lost packet? Do you just have to do something out of band in that case? ICMP?

Thanks.
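An added worked example (not from the thread) that puts numbers on the trade-off the post describes: splitting a one-datagram request into sequence-numbered fragments makes a partial loss visible after a short inter-fragment gap instead of a multi-second timeout, at the cost of a higher chance that something is lost. The arrival probabilities, the burst-loss channel and the correlation model are constructed assumptions, not measurements of any real network.

```python
import random


def p_all_arrive(p_arrive: float, n: int) -> float:
    """P(all n fragments arrive) with independent losses: p^n (the .99 * .99 case in the post)."""
    return p_arrive ** n


def p_any_arrive(p_arrive: float, n: int) -> float:
    """P(at least one of n fragments arrives) with independent losses: 1 - (1-p)^n.
    Only these requests can be flagged as lost early; if nothing arrives, only the timeout tells."""
    return 1.0 - (1.0 - p_arrive) ** n


def p_all_arrive_correlated(p_arrive: float, n: int, rho: float) -> float:
    """Closed form for an assumed positive-correlation model: fragment 1 arrives with prob p;
    each later fragment repeats the previous fragment's fate with prob rho, otherwise draws
    independently. rho=0 gives p^n; rho=1 means the fragments live or die together (prob p)."""
    return p_arrive * (rho + (1.0 - rho) * p_arrive) ** (n - 1)


class GilbertElliott:
    """Two-state burst-loss channel (constructed parameters): 'good' rarely drops, 'bad' drops often.
    Fragments sent back to back usually see the same state, which is what correlates their losses."""

    def __init__(self, p_good_to_bad, p_bad_to_good, loss_good, loss_bad, seed=0):
        self.rng = random.Random(seed)
        self.p_gb, self.p_bg = p_good_to_bad, p_bad_to_good
        self.loss = {"good": loss_good, "bad": loss_bad}
        self.state = "good"

    def send(self) -> bool:
        """Return True if this packet arrives, then advance the channel state."""
        arrived = self.rng.random() >= self.loss[self.state]
        flip = self.p_gb if self.state == "good" else self.p_bg
        if self.rng.random() < flip:
            self.state = "bad" if self.state == "good" else "good"
        return arrived


def simulate(n_fragments, requests, channel, request_timeout=2.0, gap_timeout=0.05):
    """Send `requests` messages of n_fragments each and apply the receiver rule:
    all fragments present -> success; some present -> loss detected after gap_timeout (a missing
    sequence number is visible once the next fragment arrives or the short inter-fragment timer
    fires); none present -> only the full request_timeout reveals the loss."""
    counts = {"ok": 0, "partial": 0, "none": 0}
    detect_time_total = 0.0
    for _ in range(requests):
        arrived = [channel.send() for _ in range(n_fragments)]
        if all(arrived):
            counts["ok"] += 1
        elif any(arrived):
            counts["partial"] += 1
            detect_time_total += gap_timeout
        else:
            counts["none"] += 1
            detect_time_total += request_timeout
    failed = counts["partial"] + counts["none"]
    return {
        "p_ok": counts["ok"] / requests,
        "p_partial": counts["partial"] / requests,
        "p_none": counts["none"] / requests,
        "mean_detect_s": detect_time_total / failed if failed else 0.0,
    }


def compare(requests=20000, seed=1):
    """Same constructed bursty channel, one datagram versus two fragments per request."""
    params = dict(p_good_to_bad=0.02, p_bad_to_good=0.3, loss_good=0.001, loss_bad=0.3)
    single = simulate(1, requests, GilbertElliott(seed=seed, **params))
    double = simulate(2, requests, GilbertElliott(seed=seed, **params))
    return single, double


if __name__ == "__main__":
    print("independent, p=0.99: both arrive", p_all_arrive(0.99, 2),
          "at least one", p_any_arrive(0.99, 2))
    print("correlated rho=0.5: both arrive", p_all_arrive_correlated(0.99, 2, 0.5))
    for label, r in zip(("1 datagram", "2 fragments"), compare()):
        print(label, r)
```

With the constructed channel, two fragments lower the fraction of requests whose loss is only caught by the timeout and cut the mean detection time, while the fraction of fully successful requests drops, which is the cost the post anticipates.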



Windows devices on a LAN

I have a stupid question. I’m 99% sure the answer is yes but let’s say you have a network with a few Windows computers on it. You want to map a device as a network drive or connect to one of the windows computers for a shared printer or access shared folders you work on with that person or whatever. When you connect to it you can specify who you’re connecting to by hostname or internal IP, correct? As in, I could map something as //DESKTOP-12345/path to whatever you want or printer or 192.168.0.123/path to whatever you want or printer? I basically know for a fact you can because I’ve done it at home and it works and I can’t see why it wouldn’t still work since the hostname and IP both point towards the same device but I just need a sanity check.



Any hands on lab group or links with answer?

Hey guys, I'm finding the Cisco practical labs which include both answers if capable.



Ubiquiti AC PRO install help!

Hi there, I feel like a fucking idiot right now but anyway... I have an AC Pro hooked up and I'm trying to install it via UniFi and IT CANNOT FIND THE DEVICE. It is on, glowing blue, but it can't see it. Can't find it or anything! Please help!



Suggestions on Cisco DNAC

Our network infrastructure is 100% Cisco. Now, we are planning to deploy DNA Center into our infrastructure without SD-Access for now.

So what value will it add to the existing network? Will it be worth anything to us? Need any suggestions and recommendations before presenting the solution to the senior ICT management.



SVTI's Supporting Routing Protocols

I would like to understand the reason why SVTIs can support routing protocols and multicast. In the old-school way that I'm used to, we used to use crypto maps for IPsec traffic. IPsec doesn't natively support multicast and broadcast traffic (it supported only unicast), which is why a tunnelling protocol was invented (GRE) to carry another IP payload that did support multicasting (thus hiding the multicast routing-protocol hellos behind a GRE header, allowing you to tunnel multicast traffic over an IPsec tunnel via a 3rd IP header). But digging into a packet capture of an SVTI, which I know does support multicast traffic, I find that no additional headers are added at all. So how is it then, that IPsec only supports unicast traffic, but if you shove it down a virtual tunnel interface, multicast works (thus routing protocols work)? What has changed to allow the use of multicast down this IPsec tunnel with an SVTI?



Patch antenna from virgin superhub

So I'd like to extend my wifi outside using a 14 dB patch antenna and I'm looking for advice on how to go about it.

The Virgin Superhub 3 seems to have the SMA port required but it is occupied by the input. Can I use an SMA pigtail Y splitter to have the input and also the patch antenna going to the router?

Will this work and is there anything else I need to take into consideration?



USB mains sockets for home networking.

Hi folks, I have seen these mains adapters for Ethernet networks in the home but they are a bit expensive in my opinion. I was wondering... I have mains sockets with 2 x USB sockets; could the USBs be used to carry data around the home? I would run a USB cable from my router into the USB mains, the copper wires carry the data around my home and I would use the USBs on the other sockets to connect devices in other rooms. Would this work? Ethernet adapters with pass through are around £30 - £40 each whereas a new mains socket is £10 each.



LACP + SRIOV

/r/sysadmin/comments/hgre4d/lacp_sriov/

Friday, June 26, 2020

Moving external DNS from on-prem to hosted

Hey all,

I have never set up a DNS before and our current on-prems are running on Webmin/BIND DNS. register.com hosts our domain name and they offer a free DNS service. This whole thing has sort of fallen into my lap since the person who originally set it up is gone. We are K-12 so not a whole lot of money (hence the free route). On our BIND DNS server we have several DNS zones. These consist of a handful of subdomains. I'm overall confused about where these translate to the register.com web console. Any advice would be appreciated. I realize this is a long shot and I'm probably missing important information.



Do you guys think I should send a follow request to my former supervisor from my placement?

To give some background, I completed my SSW Program and my placement ended early due to COVID 19. I liked my former supervisor, as she was kind and encouraging.

I do have a prof on Facebook, as well as my supervisor's friend on Instagram. Her friend was doing some volunteering. If I send the request, my fear is that she will get very uncomfortable and she will message me about keeping boundaries. In addition, I still need to give my goodbyes to the staff.



Network Maintenance/ Hourly Rates

Hi Folks.

Please help me with the hourly rates of a Network Engineer. Activities will be like IOS upgrades, port configuration, and routing configuration of a larger network.

Regards K.D



Should Cisco licenses be pre-installed?

Been a while since I've been involved in the purchase and setup of new kit, so this could be a dumb question.

My department at work (generally non-technical) bought an ISR 4331 and performance license for an internal project, purchased from a Cisco distributor in Japan. The router arrived with an EVAL license installed, then we got a separate email from the distributor about adding/activating the real license in our Cisco smart account (which we don't have).

Does this seem normal, for a router to ship with an EVAL license, then require the customer to screw around setting up the proper license later? Seems strange to me, but I must admit I've never purchased an IOS XE device before.



Is there any way to block certain telecom providers?

In the country I live in there are three main mobile data providers (sorry if I'm using wrong words for wrong things) and I have a subscription with one of the providers where I get unlimited data when connected to their mobile data. The thing is that my phone connects to the fastest one at the time, so I'm wondering if I could block the signals from the other providers. I'm talking about 4G.

Sorry if this is the wrong subreddit to ask this



Seeking a sanity check regarding switch behavior and mac limits...

What is the expected behavior of a switch that receives a frame sourced from an unlearned MAC when the switch has a MAC address limit on the interface, assuming that this limit has not been reached?

My expectation is that this frame will be forwarded, and this certainly is the case with some switches.

However on some Juniper el2s models, the switch drops frames sourced from unlearned macs. Am I crazy in thinking this is unacceptable? In my experience, this breaks shit.



What's the best way to connect to an ESXi server if I can't run Cat cable to it?

/r/homelab/comments/hgfo9y/whats_the_best_way_to_connect_to_an_esxi_server/

Cisco N9K and WLC 8540 question

I will be moving Cisco Wireless LAN Controllers 8540 (v.8.10.121.0) from Cisco 6509s to Nexus 9504s this summer. I want to be proactive and ask engineers if anyone encountered any issues with these two devices and if you did, how you resolved them. I encountered an issue with Firepower and N9Ks 1 Gig connectivity, which took a very long time to resolve, so I want to prevent the same from happening again since we have a very short maintenance window and lots of sensitivity around any downtime.

Thank you in advance.

Birtnichie



iSCSI design question (same subnet but not really)

Hi all,

I'm in desperate need for some advice. I have one NAS, two Hyper-V servers and two Cisco L3 switches stacked.

Cisco ports are on a VLAN whose subnet is 172.21.3.0/23.

I don't want to use LACP for iSCSI but read that two subnets are needed, one per "path".

The question is:

Could I set up one of the iSCSI interfaces to 172.21.3.50/24 and the other to 172.21.4.50/24 ?

Would that count as the two subnets needed for multipath iSCSI?

It "feels wrong" but in theory it should be ok? I just don't know the Layer 2 implications of this.

Thanks

Edit. typo



What is the difference in Cisco routers at the enterprise-scale?

Armed with CCNA, I am about to jump into the corporate world and, while reviewing the profiles of Network Engineers on LinkedIn, I came across their work experience statements like "Configuration and troubleshooting of Cisco 2500, 2600, 3000, 6500, 7500, 7200 Series routers."

So, it will be great if someone from the corporate world could elucidate if there is a major difference in these router series or, like the iPhone, they just have minor updates with every other series.

Thanks in advance.



What is a dirt carrier network?

I work as a network engineer (technically I’m kind of a junior engineer, but I’m the only one we have) for a small ISP that peers with a handful of carriers and we have our own 10G dark fiber ring around Columbus, OH. One of our DF links is through Crown Castle, and we’re looking at getting another through them to a new office space in the next few months. We’ve been super happy with their DF and had little or no outages in my 2 and a half years with the company. Our CEO is looking at moving into the Pittsburgh area as well, and was asking CC about their offerings and footprint there, and they started trying to sell their bandwidth to us. I don’t know that we necessarily need it, but I don’t think it could hurt. I asked a network consultant that we use what he thought, and he said don’t buy bandwidth from them, their network is dirt. He’s said that or a variation of that (routes are dirt) before about a couple carriers, but I’ve never gotten a clear answer about what that means exactly. I looked at their BGP peers according to Hurricane’s looking glass and it looks like they have 3 direct peers. Is this what he means? If not, what would be considered a bad carrier network and why?



Getting Scp running on an out of band management interface

Hello. I'm an old time Cisco guy who is used to the ease of TFTP. (Port 69 eeeyyy). Things have changed recently as they have blocked this port for obvious reasons. I'm forced to use SCP. I'm having issues getting it to work. I've validated the SCP server is reachable via the management VRF... so that is good. Any tips would be a great help.



EIGRP K Values

Does anyone know the default equation and the legend of the K values and what each represents?

Finally, why are the default values K1=1, K2=0, K3=1, K4=0, K5=0?

If you just answer the first two, I can prob deduce the default values.



AWS VPN w/2 tunnels UP

Setup VPN for customer about a year ago. Config was as expected, one tunnel UP, the other DOWN. Customer has Cisco ASA, not sure which version. Recently started doing additional work and checked the status of the VPN - 1 UP, 1 DN, as I expected. I get a console notification saying that my VPN connection is not redundant since both tunnels are not UP. Support says there is no problem with my VPN but recommends both tunnels are UP. Is my understanding of VPN tunnels incorrect? I've always thought if one tunnel goes down, the other tunnel will become active. Is there a way to configure both tunnels UP in the CGW with the Cisco ASA?



Vpn monitor

Does anyone know of a VPN monitor software? Since covid we are 99.9% working from home. We have a call center and if they have the slightest problem they blame the VPN and are not working but still getting paid. It's not their fault they aren't working. I need something that can monitor users' connections and disconnects, and bandwidth or usage. Cisco shop here. ASAs are 5525s. ISE 2.7, AnyConnect 4.7, and Umbrella.



Best way to connect four switches to a firewall

Hello,

Suppose there would be a network with 4 1G stackable switches (SG350X), one firewall (FortiGate 60E) and one router (ISP-provided). Router would be in bridge mode so the firewall would take care of routing.

I'd like to know the best way to connect the 4 switches to the firewall. They would share the same vlans and would also have the same amount of traffic. 99% of traffic would be HTTPS to the Internet.

I thought of making two stacks, each stack would have two switches (since there would be two switches on each floor).

Then I would connect one stack to the other, and then connect one of the stacks to the firewall.

The way I plan on doing this is:

The stack that would be connected to the firewall would have two interfaces going from each switch of the stack to a LACP interface (trunk1) in the firewall, which would have 4 aggregated interfaces.

Then, I would connect the stacks between each other (trunk2) using two interfaces for each, with LACP as well (8 total aggregated ports).

Optionally, I would also connect the other stack to the firewall the same way I connected the other (except one interface per switch instead of two) for extra redundancy (trunk3), but I don't know yet how to make it so if trunk1 fails, trunk3 would take over, since I suppose trunk3 would have to be a different LACP interface.

Does this look good or is there a simpler and / or better way to accomplish this?

Thank you!



HP 1920 48G Switch

Hi,

I have a project with this switch, any good configuration manual for it?
I need basic commands, VLANs, port security and other stuff.



Restart oxidized service without backing up the switches config

Hello !

I've got about 50 switches in oxidized but I want to make changes to my config file.

The only issue I have is that to check if my new config file works correctly I have to restart the service and every time I do that, Oxidized backs up all the switches' configs (which takes some time...).

Do you know how I could restart the service without backing up the switches config ?

Thanks a lot, have a wonderful day ! :)



Cisco ASA ikev2 policy priority

Is there a way to change the priority number without removing the ikev2 policy on ASA?



HPE 5700/5900 Switch alternative

Hello,

Seems like my Google skills are very poor.

I'm looking for HPE 5700/5900 (10G downlinks) alternatives that have a shorter depth. These are around 80 cm deep. Looking for 40-50.

Any recommendations?



Cisco ACI: Move L3out physical path to other leaf

I'm figuring out how to move BGP peers to another leaf. At the Fabric tab I can move the Leaf Interface Profile to another leaf, but I can't test this at the moment. Will this also change the path in the L3out (sub-interface)? Or will it be necessary to reconfigure these L3outs after the LIP has been moved?



Anyone in HR that I can briefly talk to?

Hello Internet! I'm a college student and I have a class that is requiring me to speak with someone in the field that I'm considering. There's no industry that I'm particularly focused on so anyone who works in Human Resources is welcome to answer.

a. How did you get started in this field?

b. What is your educational background?

c. What are your major responsibilities?

d. What is the most/least rewarding aspect of your job?

e. Would you choose this career again?

f. What advice do you have for a person attempting to break into this career field?

What other obligations do you have besides your day-to-day work functions?

j. What are some lifestyle considerations for this career field?

k. What are some common entry-level positions in your field?

l. What kind of salary range and benefits could an entry-level job candidate expect to receive?

m. What type of individual (skills/personality) would be best suited for an entry-level position?

n. What are the most important factors used when hiring?

o. What is the best educational preparation for a career in this field?

p. Which classes and experience would be most helpful to obtain while still in college?

q. How do people find out about open positions in this field?

r. What is the future outlook for this career?

s. What are areas for potential growth/decline?

t. How do you see jobs changing in the future?

u. Which professional journals/organizations would be most helpful in evaluating the field?

v. Who else do you recommend I talk with, and may I have permission to use your name?

w. Can you recommend other types of organizations I might investigate or contact?



Enterprise ISP choices - Cogent, Zayo,...?

I manage a facility in Los Angeles, and we are currently connected to One Wilshire via dark fiber, where we connect to Zayo and Cogent as primary and backup 10gb ISPs.

The problem is the dark fiber provider is not capable of providing reliable uptime service and is riddled with outages.

I have Cogent available on-net at my facility, so now I just need a secondary ISP as well.

I have priced out Zayo, and they are significantly more expensive for a direct run, so my question is what other 10gb ISP options do I have?



How do you draw effective network maps?

Working on an audit for a company at the moment and they have requested a network diagram for all their S2S VPNs etc.

I've tried both Visio and Draw.IO but everything I make just looks like a 10 year old did it! In my head I know how I want it to look but trying to make something look professional is something I'm struggling with. It's mostly the scale of the items and text while trying to make it look clean that's the issue. It's probably that I just suck, but would love some tips or insights from people who do this on the regular.



Anyone getting down with Cisco SecureX yet?

I'm having Firepower flashbacks. It's quite the nightmare. But with anything that is challenging... at least hopefully I'll feel accomplished when it is all over.



Thursday, June 25, 2020

C6807-XL SUP2T-10G QoS DSCP to specific queue mapping

I'm familiar with Cisco mls qos, Nexus QoS, and router QoS but I don't get how you map a specific DSCP or CoS value to a specific queue and threshold on the C6807-XL SUP2T-10G platform. What am I missing? I've seen ways of doing it at the interface level but that seems a bit retarded. There must be a way to configure a global map of DSCP values to queues and thresholds...



Need help with pinging from a network behind a router (the router is running LAN-to-LAN IPsec VPN) to any network beyond it.

The router that I'm talking about is R3.

So I'm trying to set up web VPN from a client (Client PC) behind the router to an ASA, but for some reason I cannot even ping any networks beyond the router (I'm assuming my IPsec config is somehow doing something to those pings). I will be attaching pics and configs. On the figure you can see that the client PC is on the 192.1.100.0/24 network, so whenever I try to ping from this network to anything beyond R3 (say to 192.1.23.10 or 192.1.20.10 (interface of the ASA itself)) the pings fail. I did create a standard ACL so that R3 can allow traffic to be passed from the network sourced from 192.1.23.0/24, as you can see in the running config, which does send out the echo request packets out of the g1/0 interface of R3 (I did a packet capture for that link between R3 and R2, which is how I know that the echo request packets are being sent out) but it does not receive any echo replies! No idea why! So pings from the client PC fail to the ASA as well, since for web VPN I need to be able to reach that interface (gi 0/0) of the ASA from the client PC and it fails.

http://imgur.com/gallery/SdE2ItW

Also I can ping the ASA from R3 and can ping R2 from R3 as well (if it's sourced from gi1/0 or loopback 0 of R3; tried sourcing from gi2/0 and it fails).

So I'm guessing there is something in the config of my R3 which is causing issues, look at my comment for the config of R3.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



IPSEC VPN or port forward with specific source IP - why is one better?

Been meaning to ask this for a while, so here goes.

I have 2 sites, completely independent of each other, and the HVAC company wants to put in monitoring from one location to another. They require one port to be forwarded for monitoring, and both locations are static IP.

Conversation around this ensued around the ‘proper’ way of doing this, just port forwarding the port to the specific IP only, or setting up IPSEC Tunnel and doing it that way.

From ease - port forward would be quick and easy, but I really wanted to know what the whole story is here to both sides.

Thanks,



Networking 101

Hi Everyone,

I'm a year into my first tech job, as a Level 1 Support Engineer.

My troubleshooting knowledge is workable (PC Hardware, Software, very general IT literacy)

But my networking knowledge is practically not existent.

What are some of the best (cheap) ways to educate myself on networking and network architecture?

Thank you in advance



Data Center migration to Hyperconverged Infrastructure

Our organization is building multiple data centers using hyperconverged infrastructure. Right now we have a traditional setup using spine/leaf and VPCs to connect to our Core. We are flooded with work on planning and preparation to migrate to the hyperconverged data centers.

I am concerned that once we are fully migrated to this new data center that the need for pure network engineers/admins will be reduced on our team. Obviously we will still have our distro/access equipment to worry about and perimeters but the data centers will now be completely virtualized.

Has anyone adapted to a situation like this before? I feel most of the duties will be turned over to system administrators and the number of network personnel will be reduced. Will I be able to offer much as a network engineer if I adapt? Any advice moving forward is greatly appreciated.



STP & link aggregation doubt

Hello,

Given this: https://imgur.com/TW7jR9P

(sw 1 and 2 are one stacked switch and sw 3 and 4 are another stacked switch)

The plan is to have trunk2 and trunk1 connected to the same aggregated interface (2 physical interfaces per sw, 4 total) and then a fiber link between sw2 and sw4 for redundancy.

So in my head it works like this:

If sw1 fails, sw2 can use sw4 then sw3 to access the fw

If sw2 fails, no problem

If sw3 fails, sw4 can use sw2 then sw1 to access the fw

if sw4 fails, no problem

I'm obviously not expecting more than two sw to fail at once or the fw to fail, that's a risk I'm willing to take.

Now my doubts are:

1.- With STP, I assume either trunk1 or trunk2 will be disabled until the other fails, but is there a way to prevent sw3 from going to sw4 then sw2 then sw1 to reach the firewall instead of using the trunk2 directly? same with sw4.

2.- The fiber uplink (trunk3) will also be disabled by STP until one of the other trunks fail, right? How should I configure that trunk? just a regular trunk with all the required vlans tagged on it?

3.- Do I really need two physical interfaces for each trunk (trunk1 and trunk2) or would just one per switch do it (gigabit ports, Cisco SG350X)? They would be connected to an aggregated interface (which would have 4 ports, 2 per switch, or 2, one per switch if I don't need two physical interfaces per switch) on a FortiGate fw which would do the routing to the Internet.

I've thought of MSTP but since both stacks share the same VLANs that wouldn't solve anything for my particular case.

Thank you!



To stack or not?

Looking here:
https://www.reddit.com/r/networking/comments/5kqxpu/stack_core_switches_any_benefits/

It seems like the majority of people stack, however I did see someone talking about stacking switches (especially core switches) as "playing with fire" I imagine in part due to the fact that it acts as one logical unit, and the entire stack could go down, which is perhaps why FHRPs are mentioned quite heavily in the CCNA

The biggy I guess is the issue of resiliency
https://blogs.arubanetworks.com/solutions/stacking-network-switches-why-and-why-not/

Do you stack your switches? If so, which "tiers" do you stack at? i.e. core, distribution, access. Do you do it differently in the DC than locally too? What are your reasons behind it?



FRR BGP not advertising routes.

Ok, I'm at a loss with this...

Trying to advertise routes between 2 frrouting "routers" via GNS3.

I've created a pastebin with all the details from the two routers here: https://pastebin.com/EzDkWRez

The frr/daemons file is correct and is the same for both frrs.
/ # cat /etc/frr/daemons
# This file tells the frr package which daemons to start.
#
# Sample configurations for these daemons can be found in
# /usr/share/doc/frr/examples/.
#
# ATTENTION:
#
# When activating a daemon for the first time, a config file, even if it is
# empty, has to be present *and* be owned by the user and group "frr", else
# the daemon will not be started by /etc/init.d/frr. The permissions should
# be u=rw,g=r,o=.
# When using "vtysh" such a config file is also needed. It should be owned by
# group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too.
#
# The watchfrr and zebra daemons are always started.
#
bgpd=yes
ospfd=yes
ospf6d=yes
ripd=no
ripngd=no
isisd=yes
pimd=no
ldpd=no
nhrpd=no
eigrpd=no
babeld=no
sharpd=no
pbrd=no
bfdd=no
fabricd=no
vrrpd=no

#
# If this option is set the /etc/init.d/frr script automatically loads
# the config via "vtysh -b" when the servers are started.
# Check /etc/pam.d/frr if you intend to use "vtysh"!
#
vtysh_enable=yes
zebra_options=" -A 127.0.0.1 -s 90000000"
bgpd_options=" -A 127.0.0.1"
ospfd_options=" -A 127.0.0.1"
ospf6d_options=" -A ::1"
ripd_options=" -A 127.0.0.1"
ripngd_options=" -A ::1"
isisd_options=" -A 127.0.0.1"
pimd_options=" -A 127.0.0.1"
ldpd_options=" -A 127.0.0.1"
nhrpd_options=" -A 127.0.0.1"
eigrpd_options=" -A 127.0.0.1"
babeld_options=" -A 127.0.0.1"
sharpd_options=" -A 127.0.0.1"
pbrd_options=" -A 127.0.0.1"
staticd_options="-A 127.0.0.1"
bfdd_options=" -A 127.0.0.1"
fabricd_options="-A 127.0.0.1"
vrrpd_options=" -A 127.0.0.1"

# configuration profile
#
#frr_profile="traditional"
#frr_profile="datacenter"

#
# This is the maximum number of FD's that will be available.
# Upon startup this is read by the control files and ulimit
# is called. Uncomment and use a reasonable value for your
# setup if you are expecting a large number of peers in
# say BGP.
#MAX_FDS=1024

# The list of daemons to watch is automatically generated by the init script.
#watchfrr_options=""

# for debugging purposes, you can specify a "wrap" command to start instead
# of starting the daemon directly, e.g. to use valgrind on ospfd:
#   ospfd_wrap="/usr/bin/valgrind"
# or you can use "all_wrap" for all daemons, e.g. to use perf record:
#   all_wrap="/usr/bin/perf record --call-graph -"
# the normal daemon command is added to this at the end.
/ #

Interestingly if I run an ospf instance, using the following config:

router ospf
 network 0.0.0.0/0 area 0
!

I can ping both loopbacks.

Am I missing something? Cheers in advance!



Security Scanning of remote vpn connected laptops failing

We have a Nexpose security scan engine on our inside network. It typically scans inside PCs - all works OK.

With hundreds of users now working remotely our security team want to scan remotely connected laptops. They connect via Checkpoint vpn client to a Checkpoint 6900 firewall.

Best practice dictates that a scan engine should not traverse a firewall - the suggestion is that the engine reside in the dmz / network for the clients it wants to scan.

We do have additional Nexpose scan engines residing in a dmz - and that works ok also.

But that's not possible here for VPN client user devices, or is it???

The clients get inside ip addresses - but their vpn sessions terminate on the firewall - so scan traffic traverses the firewall.

I ask because even though I've allowed source Nexpose scan engine and destination VPN clients to any port, and disabled anti-spoofing for the VPN network, I'm still getting traffic drops. I'm working through that, but it's a pain.



OSPF/BFD Sanity Check on Leased Circuit

Hi folks, I just wanted to get your input on an issue I am seeing -

I operate an MPLS network. (Diagram Here: https://i.imgur.com/i4jTQpE.jpg)

Both the SiteA and SiteB "P" Routers are connected to their peer router by a 1Gbps Ethernet leased circuit, of which each uses a different service provider. Each Circuit returns pings at around 11-12ms. I have been having problems with the top provider and enabled BFD last week to try and achieve faster failover.

BFD Config snippet:

key chain BFDKEYCHAIN
 key 1
  key-string MySecretKey
  exit
 exit
!
bfd-template single-hop MYBFDTEMPLATE
 interval min-tx 300 min-rx 300 multiplier 3
 authentication sha-1 keychain BFDKEYCHAIN
 exit
!
interface GigabitEthernetX/Y/Z
 bfd template MYBFDTEMPLATE
 ip ospf bfd
 exit
!
end

I am now seeing sometimes 20-30 OSPF up/down events on that circuit over several nights starting at around midnight and usually lasting only an hour or two. This lines up with what I have been seeing prior to enabling BFD, and is why I enabled it in the first place.

I checked my traffic graphs and we are not even close to exhausting our CIR, and the service provider is telling me that they don't see any issues with that link.

The bottom link, which shares the exact same BFD configuration does not exhibit any of this behavior.

I just wanted a sanity check here, as I think the Service Provider is full of shit, but I wanted to get some input from you folks on my BFD configuration to make sure it looks reasonable before I start raising hell.



Has the format for email addresses changed after RFC 5322 and is RFC 5322 a minimum requirement?

I’m currently working on a project and part of this project involves parsing email addresses to make sure they are of a valid format. As far as I know, RFC 8391 was published in 2018. Has the format for email addresses changed since RFC 5322? And if so, is RFC 5322 a minimum requirement for today?
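For the address-parsing part, an added example that is not from the original post: a conservative RFC 5322 addr-spec validator in Python. It accepts the dot-atom form and IPv4 domain literals, applies the RFC 5321 length limits (64 octets for the local part, 255 for the domain), and deliberately rejects quoted local parts, comments, folding whitespace and non-ASCII, since those are legal but rarely wanted at an input boundary. RFC 5322 is still the Internet Message Format specification; RFC 6532 extends it with UTF-8 (internationalized) addresses, which this validator hands to a separate path rather than silently accepting or rejecting (RFC 8391, for what it is worth, specifies the XMSS hash-based signature scheme and has nothing to do with address syntax). All sample inputs in the test are constructed.

```python
import re

# Conservative RFC 5322 addr-spec: dot-atom local part and either a dot-atom
# domain or an IPv4 address literal in square brackets. Quoted local parts
# ("john doe"@example.com), comments and folding whitespace are rejected on
# purpose: they are grammatically legal but almost never intended user input.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"          # no leading/trailing/double dots
DOMAIN_LITERAL = r"\[(?:\d{1,3}\.){3}\d{1,3}\]"   # [a.b.c.d]
ADDR_SPEC = re.compile(rf"^(?P<local>{DOT_ATOM})@(?P<domain>{DOT_ATOM}|{DOMAIN_LITERAL})$")

def validate_addr_spec(addr):
    """Return (ok, reason) for a single bare address (no display name).

    Syntax follows the RFC 5322 dot-atom subset above; the length limits are
    the RFC 5321 ones (64 octets local part, 255 octets domain).
    """
    if not isinstance(addr, str):
        return False, "not a string"
    if not addr.isascii():
        # RFC 6532 (SMTPUTF8) addresses exist, but they need their own policy.
        return False, "non-ASCII address; handle under RFC 6532 separately"
    m = ADDR_SPEC.match(addr)
    if not m:
        return False, "does not match dot-atom addr-spec"
    local, domain = m.group("local"), m.group("domain")
    if len(local) > 64:
        return False, "local part longer than 64 octets"
    if len(domain) > 255:
        return False, "domain longer than 255 octets"
    if domain.startswith("[") and any(int(o) > 255 for o in domain[1:-1].split(".")):
        return False, "bad IPv4 address literal"
    return True, "ok"

if __name__ == "__main__":
    for sample in ("user.name+tag@example.com", "user..name@example.com", "a@[10.0.0.1]"):
        print(sample, "->", validate_addr_spec(sample))
```

The point of returning a reason rather than a bare boolean is that the rejection category (syntax, length, non-ASCII) is what you want in a log when the input comes from an untrusted form: it separates typos from probing without echoing the raw value.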



identifying users of cisco SBL vs VPN after logon users

Hi guys, does anyone know of a way to differentiate connections to a Cisco AnyConnect box between users who are using sign-in before logon vs. those who log in to the VPN after signing into their Win10 accounts?



How can I span VPN Traffic to Record Calls with an on-prem recording server?

Hi

We have some users at home using IP Phones.

These IP Phones connect back to the office with VPN and are assigned static IP addresses on the VPN subnet.

Phone conversations are recorded by use of SPAN ports/vlan sending traffic to the recording server.

Is it possible to also SPAN the VPN subnet so that the on-prem recording system can capture the calls?

(Cisco IP Phone->VPN TUNNEL->Cisco ASA->Cisco Switch->Recording server)



A question for fellow engineers on work-life balance

Hi everyone!

I am a junior engineer, and I am currently pretty satisfied with both my work and my life in general.

However, I often get complaints from colleagues (network engineers in both junior and senior positions) regarding their work-life balance. What is your experience with that?

Do you ever think you don’t have enough time to cultivate your personal relationships or other things?

Curious to know your perspectives!

Cheers!



Using SD-WAN to enhance data between Asia and Europe

We are hosting a free webinar session on 30 June with Aryaka to demonstrate better ways to enhance traffic between EU and Asia - Interactive session where you can submit questions and our panel will answer live on air: you can register to attend here: https://www.sdwan-solutions.co.uk/news/connectivity-to-asia-webinar-signup-page/



Understanding IPsec AH transport and tunnel mode

Time to drill into understanding the difference between the two. I can't understand why people say that in AH transport mode "it just adds an AH header after the IP header", but in tunnel mode "we add a new IP header on top of the original IP packet. This could be useful when you are using private IP addresses and you need to tunnel your traffic over the Internet". OK, so I labbed it up as per below, and used transport mode:

(R1) .1-----13.0.0.0/24------.2 (R2) .2-------23.0.0.0/24-------- .3 (R3)

Note: for testing, I've configured "ip telnet source-interface lo0" on R1. The tunnel runs between R1-R3.

##Configs

R1#
ip access-list extended TEST
 permit ip host 1.1.1.1 host 3.3.3.3
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key TEST address 23.0.0.3
crypto isakmp peer address 23.0.0.3
crypto ipsec transform-set TEST ah-sha-hmac
 mode transport
crypto map test 1 ipsec-isakmp
 set peer 23.0.0.3
 set transform-set TEST
 match address TEST
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet1/0
 ip address 12.0.0.1 255.255.255.0
 crypto map test

R3#
ip access-list extended TEST
 permit ip host 3.3.3.3 host 1.1.1.1
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key TEST address 12.0.0.1
crypto isakmp peer address 12.0.0.1
crypto ipsec transform-set TEST ah-sha-hmac
 mode transport
crypto map test 1 ipsec-isakmp
 set peer 12.0.0.1
 set transform-set TEST
 match address TEST
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
interface FastEthernet0/0
 ip address 23.0.0.3 255.255.255.0
 crypto map test

I sent a telnet packet from the source of lo0 on R1 to lo0 on R3, and took a capture as shown in the link below:

https://ibb.co/yVcNtbM

So yes, the AH is inserted after the IP header, and the idea of AH is that it authenticates/verifies the integrity of the data behind that. But in my capture, I still have another IP header, which apparently is supposed to only be there with tunnel mode. OK, so then what is the difference between transport and tunnel mode? I will enable tunnel mode and capture another telnet session:

R1(config)#crypto ipsec transform-set TEST ah-sha-hmac
R1(cfg-crypto-trans)# mode tunnel
!
R3(config)#crypto ipsec transform-set TEST ah-sha-hmac
R3(cfg-crypto-trans)# mode tunnel
!
R1(cfg-crypto-trans)#end
R1#clear cry isa
R1#telnet 3.3.3.3

The capture for this telnet session is in the screenshot below:

https://ibb.co/Lgdd34k

If you compare the two screenshots, you will see that they have the same headers in both. Thus, I can't see the difference between tunnel and transport mode. Can someone explain?

Given that the internet says in transport mode another IP header (the inner header) is not added (as it's a feature of tunnel mode), I was expecting the communication to fail because it's not supported. I expected that transport mode would just be useful when speaking between direct public IP endpoints, as it doesn't add the necessary inner IP header to communicate the internal private RFC 1918 traffic on either end. However, this is not the case. In transport mode, it does add another IP header, and you can still communicate/operate in the way that is described in tunnel mode. Thus I now don't understand the difference between the two.
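The on-the-wire difference the post is looking for, as an added example that is not part of the original post or its lab: the Python below builds an AH-protected packet in both modes following RFC 4302, using the lab's addresses (inner 1.1.1.1 to 3.3.3.3, SA endpoints 12.0.0.1 and 23.0.0.3) with a constructed key, SPI, sequence number and payload. In transport mode the original IP header stays in front and AH is inserted between it and the TCP segment; in tunnel mode the whole original datagram is wrapped in a new outer header addressed to the SA endpoints. It also computes the HMAC-SHA1-96 ICV over the immutable fields, which is why AH covers the IP header as well as the payload, and why a TTL change in transit does not break it but a payload change does. One thing worth knowing about the lab itself: IOS only uses transport mode when the protected traffic is between the SA endpoints themselves; the crypto ACL here matches loopback-to-loopback traffic, so IOS negotiates tunnel mode in both runs, which is why both screenshots carry two IP headers.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real SA key is negotiated by IKE, never kept in code.
AH_KEY = b"constructed-demo-key"
PROTO_IPIP, PROTO_TCP, PROTO_AH = 4, 6, 51
ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte tag is truncated to 96 bits

def ip_checksum(hdr):
    """RFC 791 header checksum over a 20-byte header whose checksum field is zero."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, ttl, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def zero_mutable(ip_hdr):
    """RFC 4302 Appendix A1: mutable IPv4 fields are zeroed before the ICV is computed."""
    b = bytearray(ip_hdr)
    b[1] = 0                # DSCP / ECN
    b[6:8] = b"\x00\x00"    # flags + fragment offset
    b[8] = 0                # TTL
    b[10:12] = b"\x00\x00"  # header checksum
    return bytes(b)

def ah_header(next_header, spi, seq, icv=b"\x00" * ICV_LEN):
    # Payload Len = (AH length in 32-bit words) - 2 = (24 / 4) - 2 = 4
    return struct.pack("!BBHII", next_header, 4, 0, spi, seq) + icv

def compute_icv(ip_hdr, ah_no_icv, rest):
    data = zero_mutable(ip_hdr) + ah_no_icv + rest
    return hmac.new(AH_KEY, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah(mode, payload, spi=0x1000, seq=1):
    """Return an AH-protected packet in 'transport' or 'tunnel' mode."""
    if mode == "transport":
        # Original IP header is kept; AH slides in between it and the TCP segment.
        rest, nxt = payload, PROTO_TCP
        outer = ip_header("1.1.1.1", "3.3.3.3", PROTO_AH, 24 + len(rest))
    elif mode == "tunnel":
        # The whole original datagram becomes the payload of a new outer header
        # addressed to the SA endpoints.
        inner = ip_header("1.1.1.1", "3.3.3.3", PROTO_TCP, len(payload)) + payload
        rest, nxt = inner, PROTO_IPIP
        outer = ip_header("12.0.0.1", "23.0.0.3", PROTO_AH, 24 + len(rest))
    else:
        raise ValueError(mode)
    ah = ah_header(nxt, spi, seq)
    icv = compute_icv(outer, ah[:12], rest)
    return outer + ah[:12] + icv + rest

def header_chain(pkt):
    """Walk the headers and name them, the way a capture dissector would."""
    chain, off = [], 0
    while True:
        src = ".".join(map(str, pkt[off + 12:off + 16]))
        dst = ".".join(map(str, pkt[off + 16:off + 20]))
        chain.append(f"IP {src}->{dst}")
        proto, off = pkt[off + 9], off + 20
        if proto == PROTO_AH:
            chain.append("AH")
            proto, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        if proto == PROTO_IPIP:
            continue  # tunnel mode: an inner IP header follows
        chain.append({PROTO_TCP: "TCP"}.get(proto, f"proto {proto}"))
        return chain

def verify_icv(pkt):
    """Recompute the ICV of an AH packet whose first header is IPv4."""
    ip, ah, rest = pkt[:20], pkt[20:32], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(compute_icv(ip, ah, rest), pkt[32:32 + ICV_LEN])

def decrement_ttl(pkt):
    """What a transit router does: TTL goes down, checksum is recomputed."""
    b = bytearray(pkt)
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ip_checksum(bytes(b[:20])))
    return bytes(b)

PAYLOAD = b"constructed telnet segment"

if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        pkt = build_ah(mode, PAYLOAD)
        print(mode, header_chain(pkt), "icv ok:", verify_icv(pkt))
        print("  after one hop:", verify_icv(decrement_ttl(pkt)))
        tampered = pkt[:-1] + bytes([pkt[-1] ^ 1])
        print("  payload tampered:", verify_icv(tampered))
```

Running it prints the transport chain as IP 1.1.1.1->3.3.3.3, AH, TCP and the tunnel chain as IP 12.0.0.1->23.0.0.3, AH, IP 1.1.1.1->3.3.3.3, TCP, which is the layout Wireshark would show for each mode. Note that because AH authenticates the source and destination addresses, it cannot cross a NAT; that is a large part of why ESP is the usual choice today.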



Slow internet speed

Hello guys,

So we changed our ISP; we got a new ISP with a 5G modem. We have 2 Cisco routers, so I connected the ISP modem to a switch and those 2 Cisco routers are also connected to the switch. The Cisco routers are connected to each other via NHSRP. So I configured the interface of the first router to be in the same subnet as the ISP modem, and that on both Cisco routers. I also configured the standby IP to be the same on both routers and on the same subnet. But with all this, when I do a speed test on the network, the speed is about 200 Mb/s, but when I want to open websites the speed is very slow and it is not consistent. I need help!!!! Thank you all



EVE-NG - vSRX Image Not Loading

Hi Guys, I am trying to install Juniper vSRX3.0 on EVE-NG, however no matter what I try I can't come right... I come to a point where I start the vSRX on EVE-NG and then it loads, after a couple of minutes it says "Rebooting in 15 seconds". I am using a qcow2 vSRX file which has been downloaded from the Juniper Website. Can anyone help out please?

I am running VMware Workstation 15 Player on Ubuntu Linux. My EVE-NG lab has an allocation of 6 GB and 4 CPUs.

When running the vSRX I have also allocated 2 GB of RAM and 2 CPUs. The vMX is working perfectly; just getting the vSRX to work is a problem.

If you need any further information, please let me know! Your assistance would be much appreciated!



NS3 installation error!!!

Please help. I have already installed all the packages, but when I type /.bake.py show it says that some of the packages are missing and tells me to install them; even if I install them again, it says the packages are missing.



Wednesday, June 24, 2020

Nexus HSRP High Latency on 2nd switch

Hello,

I am moving routing from a 4507 to a pair of Nexus 9372TX set up in VPC. I am configuring HSRP on all of the interfaces but noticed that my latency has been horrible since the move. When I do a direct ping to the interface IP of switch 1 I get under 1 ms, while on the 2nd one I get 1000 ms+. Anyone have any ideas?

On both I have for VPC:

vpc domain 1
  peer-keepalive destination 10.10.x.1 source 10.10.x.2 vrf keepalive
  peer-gateway
  auto-recovery

interface port-channel1
  switchport mode trunk
  switchport trunk allowed vlan 1-x,x,x,x,x,x,xx,x,x,
  spanning-tree port type network
  vpc peer-link

Switch 1:

interface Vlan5
  no ip redirects
  no ip proxy-arp
  ip address 10.10.5.253/24
  hsrp version 2
  hsrp 5
    authentication md5 key-chain HSRP-KEY
    preempt delay minimum 180
    priority 120
    ip 10.10.5.1
exit

Switch 2:

interface Vlan5
  no shutdown
  no ip redirects
  ip address 10.10.5.254/24
  no ipv6 redirects
  hsrp version 2
  hsrp 5
    authentication md5 key-chain HSRP-KEY
    priority 90
    ip 10.10.5.1

10.10.5.254 would have a huge amount of latency and .253 is fine; this happens for all SVIs.

The reason I am looking into this is because it's affecting certain traffic such as internet-bound traffic, but it's weird: traffic going to my site-to-site VPN is fine and it's going to the same firewall.



Will cisco certifications become less valued (relatively) in 3-4 years?

I am hearing Cisco is fast losing market share in several domains (in firewalls, they are in 3rd or 4th place; I heard the majority of Apple data center switches are not Cisco's; software-based devices are supposed to be emerging as competitors to Cisco hardware, etc.). So I am wondering whether Cisco certifications will become less valued in the next 3-4 years' time?

If so, what other vendor certifications are becoming highly valued now (assuming one's domain is R & S, security)?



Looking for the end and all be all (high end) physical network testing toolkit

Hey guys, so we're getting towards the end of the fiscal year for us, so I'm waiting for the big pools of money to play with. Currently my small team doesn't have our own dedicated network testers. I have to either steal a NetAlly LRAT-2000 kit from our tier 1 team, or the good fiber tools like the OTDR from our fiber team. I am really tired of using other people's tools (also harder to when they lose all their stuff) and also don't want to lug around a bunch of tools. I am looking for something to cover as many of my use cases in one tool as possible. I admit I would probably need multiple tools to cover everything but want to get as close as possible.

So right now I am the main person installing equipment on site without any specialty, but I work any project that can present a challenge. A single project can have me working with up to 40G fiber and 10G Ethernet on switches, servers, wireless AC, media converters, VoIP, and so on. All your typical enterprise equipment in one go. I was looking at the NetAlly EtherScope nXG, which covers most of what I want, but it looks like it's limited to 10 gigabit. I was wondering if there is anything from another vendor that supports similar features but can do 40 gig+ connections or any other useful features? I do plan to reach out to one of our normal vendors to see if they have suggestions but figured I would ask here first. If that is as feature-filled as you can get with one device I might start looking into getting a separate fiber tester that's compact enough to fit both in a single bag.



NATING or Static route issue

Hi all, long time lurker but starting to get stressed and not really sure where to turn for .. well any semblance of help on this on any steps I might be missing ..

This is all to add another internet line to a specific department, which includes a new firewall to go with the current one due to the switching throughput of our current firewall.

I'm currently at a point where my static routes work THROUGH the transit VLAN I made; that is, I can ping the VLAN interfaces for the 190 net and the firewall transit networks, but my ASA is not sending it as NAT.

I can ping Google from outside interface, but can't from inside.

This is using a transit LAN... So for example 192.168.190.0/24 routes to 172.16.17.1/29 (this is on a 2960X enabled to do static routing).

The key thing is I copied EXACTLY my natting setting from the one not working to a test interface port on firewall and made it a flat network... And it worked

Is there a missing step because the 190 net doesn't actually have a physical point on the firewall? Like I set a static route to use the 172 net, but does the firewall need something?

For testing purposes all internal interfaces are currently allow all

The end goal is to have a default route to the firewall, but then have some static routes to our core switch (Cisco 4500) for the DHCP server, printer access, management VLAN, etc.

I'm almost tempted to just make the 2960x back to l2, and drag another cable from a few interface to our 4500 for printer, management and other vlans, but I feel like that would be giving up....

I have configs if you like, I just... need to rant and bounce something off somebody.



Agent to Engineer

Hello all,

I’m an Internet/Voice repair agent for an ISP in the area. My long-term goal is to be a network engineer or analyst. What are the key things you guys think I should focus on in, let’s say, the next 1-2 years? I’m 23 with my A+ and Network+ certifications and an unrelated (business) associate degree.



Recommendations for a building to building wireless link

Hi,

I'm looking for some recommendations on kit to buy to create a wireless microwave link of some sort to connect the LANs together of two buildings. The distance apart is about 30 to 50 meters.

Ideally something where both ends would be PoE and would offer gigabit speeds with little to no latency across the link and would have no issues with VoIP traffic. The ability to support VLAN tagging would be desirable but not essential.

Thanks



Looking for input on a 10g Ceph storage network

Hello!

Not a network admin or certified network guy in any way but I like to think I have a decent network understanding. I work at a smaller game dev studio and we are looking at upgrading from our current NAS to a Ceph cluster and as part of that replacing the networking in our rack. Most of our devs have 10g NICs in their workstations and we have a LAG connection coming from that 10g 48 port Netgear switch into the server rack.

In the rack we aim to have:

  • 4x compute hypervisors
  • 3x Ceph OSD hosts

Each of those hosts should have 4 10g ports. Probably in the form of 2 NICs with 2 ports each. That allows each host to have 2 bonds in mode 1 (active+backup) that has 1 port from both NICs giving each bond redundancy over not just 2 switches but 2 NICs. For the Ceph nodes 1 bond would be public traffic and 1 bond cluster traffic. For the hypervisors 1 bond for the Ceph public traffic and 1 bond for the VMs public traffic.

With that in mind we then want 2 10G switches. With each host, Ceph or hypervisor, using 2 ports on each switch, that's 14 ports on each switch just for the hosts. I assume we want a LAG connection from each of those switches to a switch above them and also a LAG connection between the switches. The switch at the top would be where the LAG connection from the Netgear comes in and where our pfSense box plugs in. I am less worried about the workstations or WAN going down or losing connection to the rack. The most important thing is the hypervisors' connection to Ceph and Ceph's internal cluster network.

So that's the general idea in my head. I would love any thoughts people have on that along with any suggestions on specific switches to use. Most of my experience is with Ubiquiti gear, either UniFi or EdgeRouter. I love the idea of being able to centrally manage the devices but their biggest 10G switch is 16 ports only. :(

Any thoughts or suggestions? Thanks in advance!



SRX logs are not showing locally in the monitoring

Hello,

I'm not able to see logs in my J-Web even though I configured event mode and a file. I'm seeing in the J-Web the message: "currently logging is not enabled, to view data configure stream mode".

Even though, if you need to see logs locally, you have to configure mode event!!

root@SRX-1# show security
log {
    mode event;
}

root# show system syslog
archive size 100k files 3;
user * {
    any emergency;
}
file messages {
    any notice;
    authorization info;
}
file interactive-commands {
    interactive-commands any;
}
file traffic-log {
    any any;
}

Did anybody face this issue and resolve it, or am I missing some configuration?

thanks



Why Startups Need a Project Manager?

Startups are not an easy thing to plan and implement. Every startup needs a person who will track all the missing parts and solve any occurring issues ASAP. Find out more about the role of PM for your small business.




H112-370 Options missing Firmware. (expanded question)

Got a new 5G Router: Huawei 5G CPE Pro, H112-370

According to screenshots found here: https://www.4gltemall.com/blog/huawei-5g-cpe-pro-web-ui-setting-options/ ...there should be a "Static Routes" page; however, my router doesn't show this link. I tried to navigate to this potentially missing URL by constructing a URL in the same format as the other pages, but I get logged off and it doesn't appear to exist.

I am on the latest firmware. I can't seem to find any reliable source of information regarding firmware for this device.

I wondered why Huawei would have removed the static routes option, as I want to avoid unnecessary hops over the Wi-Fi network. I thought I'd open up a discussion to see if anyone else has spotted this on their H112-370 router or if there is a way to add a static route.

Hardware version
WL1H112M Ver.A

Software version
10.0.1.1(H312SP1C00)

Web UI version
WEBUI 10.0.1.1(W2SP27C03)

Configuration file version
H112-370-CUST 8.0.1.3(C233)

Thanks



Is there a limit to the physical size of a layer 2 broadcast domain?

I feel like this needs to go into a weekly no stupid questions thread, but not sure you guys do that here.

Let's say you had two locations that are reasonably far apart and you wanted to connect via ethernet and all you had was a bunch of unmanaged switches. Assuming you could physically run ethernet from point A to point B and could put a switch every 100 meters, is there a limit as to how far you could go?



Question: I'm working with Adtran's TA 5000 devices and I need to change the local admin password on all the units. Does anyone know how without manually logging into every unit?

I've got like 70+ nodes and need to update the local admin password on every unit. I have aoe and full access to everything, but I don't really want to log into every unit manually. Does anyone have a good way to do a mass update?



Domain-based split tunnel on Palo Alto

How has everyone's experience been with domain based split tunneling on Palo Altos? I have been going nuts trying to understand why some workstations are able to do it, and some are not, on the same gateway configuration. On workstations where it doesn't work, I see the TCP SYN trying to leave my local NIC and PAN support verified the DNS query for said website is being intercepted by the gateway and sent back to the GP client as an IP exclusion, but the 3 way handshake never gets to the SYN ACK stage. As far as I can tell, there is something on non working workstations preventing the SYN from ever really leaving the local NIC as I captured upstream and never find it. PAN TAC noted that WFP (windows filtering platform) may be interfering but that is a rabbit hole I do not intend to go down. I'm ready to write it off due to inconsistent results. Thoughts?



How did a DirecTV DECA Ethernet Adapter crash an entire network?

Hi all,

I'm a pro-AV integrator and one of my clients has a 3Com 2024 Baseline Switch. Yes, it's unmanaged and I didn't specify the model. Customer called and apparently some of the network was not functioning. My remote laptop on the switch had no Internet. A Crestron touchpanel was able to communicate with the Crestron processor.

Once I got remote access from guest WiFi, I discovered that the laptop could not ping any devices on the network. So, right off the bat, laptop can't ping any Crestron equipment, but the Crestron equipment continued to work.

When I got on-site, I systematically began troubleshooting. I fired up Wireshark and from my laptop on the switch did see some traffic incoming from the switch, just some ARP packets and such. Then, I started a continuous ping to a device, and began unplugging network cables from the switch one at a time. When I got to the DirecTV DCAU1R0-01 and unplugged it, all traffic came back immediately.

This DECA bridge puts all DirecTV boxes on your coax network on your Ethernet network with a single cable. I have never seen a problem with them.

After this, I power cycled the DECA bridge, and plugged it back in and it functioned like it is supposed to.

My questions to you all are:

  1. Any ideas what exactly happened to this little brick that would cause the switch to stop functioning? It wasn't even like a packet storm or at least I couldn't see it coming in on Wireshark.
  2. I've actually seen a similar issue... In my office, when I got my first USB-C ultrabook, I bought a USB-C dock with PD. I plugged network into the dock. The problem was if the USB-C wasn't plugged into my laptop, the NIC in the adapter remained powered up because of the AC adapter, and it locked up my office network! Similar problem?
  3. Is there protection in a managed switch that would have prevented this? I'm not new to managed switches but I'm not familiar with protections from this sort of thing. I've seen Cisco switches that don't activate ports when PCs are rebooted and you have to unplug/replug the cable or disable/enable the network connection. What is this called?
  4. Why was the Crestron equipment still able to function? After I left I thought about this and is it possible that the switch worked in groups of ports, like the logical chips or modules that make up the full 24-ports?

I'm trying to learn more about what happened 1) so I can better explain the problem to clients besides "DirecTV adapter got dumb and locked up, crashing the network" and 2) so I can prevent the problem in the future or at least be able to troubleshoot.

Thanks!



Cisco Catalyst 3750 issues

I was given a Cisco Catalyst 3750 switch by a previous coworker as they were decommissioning them at work. He set it up with 2 VLANs and then configured the routing table (?) to be able to have traffic go to both. Ports 1-4 are in VLAN 100, which gives 192.168.x.x IPs from my wireless router, and the other 20 ports were in VLAN 10, which gave 10.1.1.x IPs. Long story short, my modem didn't have some feature (cascade networks?) and didn't support that. So any port I wanted to use I had to move from VLAN 10 to VLAN 100. Since the switch also seemed to be in VLAN 10, whenever I wanted to change something on it I had to hardline to a port and then make changes.

I reached out to my coworker and he had me run a command to move all the ports from VLAN 10 to VLAN 100 so that they could all get internet and also allow me access to the switch without a hardline. Well this broke all connectivity to the switch for me. I can't SSH via the hardline or by being on the WiFi network. I can see what I believe is the switch on my wireless router settings but it has an IP of 10.1.1.22.

Is there anything I can do without having to purchase a serial cable to fix this?

Also, as I guess another second question. It seems that something in my network is limiting the amount of devices that receive IP addresses. Every day it seems we have something new with a self-assigned IP and no internet and every time I check my wireless router (Netgear Orbi) it shows a max of 50 devices connected. Could the switch be doing this?

FWIW my network looks like this:

ISP modem is on port 1 of Cisco 3750

Netgear Orbi is on port 2 of Cisco 3750 in AP mode - all wireless devices connect to this.

Misc Raspberry Pis on ports 3-6



Huawei H112-370 static routing

Upgraded to a 5G router. There are some online screenshots showing a menu option for static routing, but it’s not on mine and I’m on the latest firmware. It’s a Chinese import to save £100. Any thoughts?



Router getting spammed with "DNS name resolution failure (eth0)" every 15 minutes.

My router is getting spammed with these errors every 15 minutes in the log.
I've tried several different DNS servers in the router settings, same results.
I've also disconnected all computers from the network and still get the same results.
I've reset the router to factory defaults and still get the same results.

I use a unique SSID & password and I don't broadcast the SSID publicly.
I use mac filtering and i have all devices labeled.
Of course I use a unique password for the router firmware as well.

My ISP requires me to use this router for the gigabit connection and they can only update the firmware from their end.

Anyone know how I can fix this?



Cisco ACI hardware woes

We installed an ACI network about 18 months ago. We've now, as of today, had 4 spine failures on an infrastructure of 4 spines. Has anyone else had similar experiences or are we just particularly unlucky?



FIBER LAYOUT LOOP

Hi everyone,

I've seen on the design of our company that we have primary and backup fiber lines from each rack going to the data center rack. I believe this one is OK. But I noticed there is still a fiber line going from rack to rack (a loop) until the other end reaches the data center rack. Do you think we need to terminate this 3rd backup line? I want to ask if this is best practice and whether the setup will work.
Image is shown below for your reference. Thank you

https://imgur.com/VYUBHkA <<<< IMAGE of the design



Is it Normal for link-state changes on switchports connected to EXI hosts?

I've just enabled logging of interface state changes on one of my campus switches and noticed one in particular is making state changes frequently, at least once an hour and more frequently, like this:

Jun 24 08:14:31: %LINK-SW1-3-UPDOWN: Interface GigabitEthernet1/8/21, changed state to down
Jun 24 08:14:32: %LINEPROTO-SW1-5-UPDOWN: Line protocol on Interface GigabitEthernet1/8/21, changed state to down
Jun 24 08:14:33: %LINK-SW1-3-UPDOWN: Interface GigabitEthernet1/8/21, changed state to up
Jun 24 08:14:34: %LINEPROTO-SW1-5-UPDOWN: Line protocol on Interface GigabitEthernet1/8/21, changed state to up

I discovered it connects to an EXI host but I know nothing about these. Is it normal for interfaces connected to EXI hosts to change a lot?
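A way to tell a chronic flapper from a one-off, as an added example that is not part of the original post: the Python below parses %LINK-…-UPDOWN lines like the ones quoted above and flags interfaces whose down events cluster in a sliding window. The sample log is constructed: its first four lines are the post's, the later lines are made up to show repeated bounces on the same port and a second, quieter port. Whether the cause turns out to be a host-side setting, a cable or an unexpected device on the port, the detection side is the same, so the window and threshold are parameters.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the first four lines are the ones quoted in the post,
# the rest are made up to show repeated bounces and a second, quieter port.
SAMPLE_LOG = """\
Jun 24 08:14:31: %LINK-SW1-3-UPDOWN: Interface GigabitEthernet1/8/21, changed state to down
Jun 24 08:14:32: %LINEPROTO-SW1-5-UPDOWN: Line protocol on Interface GigabitEthernet1/8/21, changed state to down
Jun 24 08:14:33: %LINK-SW1-3-UPDOWN: Interface GigabitEthernet1/8/21, changed state to up
Jun 24 08:14:34: %LINEPROTO-SW1-5-UPDOWN: Line protocol on Interface GigabitEthernet1/8/21, changed state to up
Jun 24 08:40:02: %LINK-SW1-3-UPDOWN: Interface GigabitEthernet1/8/21, changed state to down
Jun 24 08:40:05: %LINK-SW1-3-UPDOWN: Interface GigabitEthernet1/8/21, changed state to up
Jun 24 08:55:10: %LINK-SW1-3-UPDOWN: Interface GigabitEthernet1/8/21, changed state to down
Jun 24 08:55:12: %LINK-SW1-3-UPDOWN: Interface GigabitEthernet1/8/21, changed state to up
Jun 24 09:02:41: %LINK-SW1-3-UPDOWN: Interface GigabitEthernet1/8/3, changed state to down
Jun 24 09:02:44: %LINK-SW1-3-UPDOWN: Interface GigabitEthernet1/8/3, changed state to up
"""

# Only the physical-link message is counted; %LINEPROTO mirrors it a second later
# and would double every count. The optional "SW1-" part is the stack member.
LINK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)(?:\.\d+)?: "
    r"%LINK-(?:SW\d+-)?3-UPDOWN: Interface (?P<iface>\S+), changed state to (?P<state>up|down)$"
)

def parse_link_events(text):
    """Return [(timestamp, interface, state)] for every %LINK-...-UPDOWN line."""
    events = []
    for line in text.splitlines():
        m = LINK_RE.match(line.strip())
        if m:
            # IOS timestamps carry no year; fine for windows within one day.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("iface"), m.group("state")))
    return events

def count_flaps(events):
    """A down followed by an up on the same interface counts as one flap."""
    flaps, last = defaultdict(int), {}
    for _, iface, state in events:
        if state == "up" and last.get(iface) == "down":
            flaps[iface] += 1
        last[iface] = state
    return dict(flaps)

def max_downs_in_window(times, window):
    """Largest number of down events inside any interval of length `window`."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def flapping_interfaces(events, window=timedelta(hours=1), threshold=3):
    """Interfaces whose down events reach `threshold` within `window`."""
    downs = defaultdict(list)
    for ts, iface, state in events:
        if state == "down":
            downs[iface].append(ts)
    hits = {i: max_downs_in_window(t, window) for i, t in downs.items()}
    return {i: n for i, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    ev = parse_link_events(SAMPLE_LOG)
    print("flaps per interface:", count_flaps(ev))
    print("flapping (>=3 downs in an hour):", flapping_interfaces(ev))
```

The sliding window matters more than the raw count: a port that went down three times in a year is normal, three times in forty minutes is not, and an alert keyed on the window keeps a long log history from inflating the number.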



SDN: Industry standard opensource networking os for router/firewall/vpn

Hello,

Guys, I want to ask what today's trends are in the networking OS field. I am looking for a networking OS for router/firewall/VPN. Of course I am aware of pfSense, etc., but I am looking for something that is "more enterprise ready" and modern (OpenMetrics, shippable logs, API for automation, etc.).

I heard about:

- DANOS (Vyatta fork probably)

- Cumulus ( too bad that netq is enterprise only product )

- VyOS

Any ideas?

Thanks



Tuesday, June 23, 2020

Gigabit speeds over cat 3 cable

So I had an old Cat 3 cable lying around and thought it would be fun to make it into an Ethernet cable. My internet speed is 950 down on a regular Cat 6 cable, and with that Cat 3 cable I made I got the full 950, but Cat 3 unshielded is only rated for 10 Mbps.



What does it mean for HTTP to be stateless?

I'm currently trying to learn networking using

James F. Kurose, Keith W. Ross - Computer Networking: A Top-Down Approach

In the book, the author asserts that,

Throughout a session, the FTP server must maintain state about the user. In particular, the server must associate the control connection with a specific user account, and the server must keep track of the user's current directory as the user wanders about the remote directory tree. Keeping track of this state information for each ongoing user session significantly constrains the total number of sessions that FTP can maintain simultaneously. Recall that HTTP, on the other hand, is stateless: it does not have to keep track of any user state.

We also log in to websites; if HTTP is stateless (I don't exactly understand the meaning of the word), how does HTTP remember that user?

PS: I'm an EE undergrad, I don't know much about networking, so kindly bear with my naive doubt :)
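As an added illustration of the point the book makes (this is example code, not from the book or the post): the server below keeps no per-user table and no memory between requests. Every request is judged purely on what it carries, and "remembering" a logged-in user is done by handing the client a signed cookie that it presents again on each later request. The secret, the account and the paths are constructed for the example.

```python
import hashlib
import hmac

# Constructed server secret for this example; a real deployment loads it from
# a secrets store and rotates it, never hard-codes it.
SERVER_SECRET = b"example-only-secret"


def issue_session_cookie(username, expires_at, secret=SERVER_SECRET):
    """Build a self-describing cookie value: username|expiry|hmac.

    Everything the server needs to identify the user on a later request is
    inside the cookie itself, so the server stores nothing per user.
    """
    payload = f"{username}|{expires_at}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def identify_user(headers, now, secret=SERVER_SECRET):
    """Return the username a request's cookie proves, or None.

    Each request is judged on its own contents: no lookup in a server-side
    session table, no memory of earlier requests on the same connection.
    """
    session = None
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            session = value
    if session is None:
        return None
    fields = session.split("|")
    if len(fields) != 3 or not fields[1].isdigit():
        return None
    username, expires_at, tag = fields[0], int(fields[1]), fields[2]
    expected = hmac.new(
        secret, f"{username}|{expires_at}".encode(), hashlib.sha256
    ).hexdigest()
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    if now >= expires_at:
        return None
    return username


def handle_request(method, path, headers, body, now):
    """Tiny stateless handler: returns (status, response) for one request."""
    if method == "POST" and path == "/login":
        # Constructed credential check: one fixed account for the example.
        if body.get("user") == "alice" and body.get("password") == "correct horse":
            cookie = issue_session_cookie("alice", now + 3600)
            return 200, {"Set-Cookie": f"session={cookie}"}
        return 401, {}
    # Any other path: the cookie alone decides who this is.
    user = identify_user(headers, now)
    if user is None:
        return 401, {}
    return 200, {"who": user}
```

Tampering with the username inside the cookie breaks the HMAC and the request is treated as anonymous, which is why the cookie, not the connection, is what carries identity.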



A good place to learn about Ericsson Cloud Manager (Orchestration)?

Coming from a cloud networking background but new to 3G/4G/5G: are there any good resources to learn about Ericsson Cloud Manager (now Orchestration)?



You ever been the ONLY network guy?

Hey all,

I posted a while back about a couple of jobs I've been deciding on after realizing how much I don't enjoy my current role in a large NOC.

One of the companies presented an offer to me. The company seems great. I'll have engineering and design input and be able to make most of the calls I want. Nice pay bump and good benefits... However, the catch is I'd be the ONLY networking guy in the business!

This seems weird to me, but wanted to know if maybe it's better than it might seem. For one, they've been working without anyone filling this role for 2-3 months. The sys admins have been handling the load on their own. This seems like a good sign because it shows their network is probably stable, just a bit of a mess... On top of that, they've said they really have only had 2-3 major outages in the past couple of years and they were due to ISP issues.

Honestly guys, I'm just worried I'm a little underqualified and afraid I'll hit a point where something major happens and I won't know what to do. I have a CCNA (ENCOR exam booked in a couple of weeks) and 5 years of experience which include 3.5 of technician work and 1 year of junior engineer work in the NOC.

The new role would have me designing and making business decisions for the company. They have 18 remote branches and about 3,000 employees.

Tl;Dr

Have you ever been the ONLY networking guy in a company? Did you love it? Hate it? I really want high-level design and engineering experience, but I'm nervous I'm underqualified... at some point you just have to take a dive, right?



Cannot get my ipsec tunnels to go up on my Cisco 7200 routers in gns3, please help!

Running a LAN-to-LAN IPsec VPN between 2 Cisco routers (7200) on GNS3, running image C7200-ADVIPSERVICESK9-M, version 15.2(4)S5.

Can someone tell me why I cannot get my packets encrypted for the LAN-to-LAN IPsec tunnel that I have set up between R1 and R2 (look at the network diagram in the pic attached)? I have the running configs of R1 and R2 shown below as well.

Network diagram-

http://imgur.com/gallery/M5KKSic

On running "show crypto isakmp sa" no tunnel shows up, and "show crypto ipsec sa" shows zero packets encrypted. I tried pinging several times from both routers to both remote networks; the pings were all successful, but I cannot understand why the packets do not get encrypted.

R1 config-

R1#show running-config
Building configuration...

Current configuration : 1812 bytes
!
! Last configuration change at 01:03:16 UTC Wed Jun 24 2020
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
ip tcp synwait-time 5
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.1.20.1
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
 mode tunnel
!
crypto map CMAP 5 ipsec-isakmp
 set peer 192.1.20.1
 set transform-set TSET
 match address 101
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex full
!
interface GigabitEthernet1/0
 ip address 192.1.10.1 255.255.255.0
 negotiation auto
 crypto map CMAP
!
interface GigabitEthernet2/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet3/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet4/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet5/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet6/0
 no ip address
 shutdown
 negotiation auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 10.2.2.0 255.255.255.0 192.1.10.2
ip route 10.5.5.0 255.255.255.0 192.1.10.2
!
access-list 101 permit 10 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

R2 config-

R2#show running-config
Building configuration...

Current configuration : 1812 bytes
!
! Last configuration change at 01:01:45 UTC Wed Jun 24 2020
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
ip tcp synwait-time 5
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.1.10.1
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
 mode tunnel
!
crypto map CMAP 5 ipsec-isakmp
 set peer 192.1.10.1
 set transform-set TSET
 match address 101
!
interface Loopback0
 ip address 10.2.2.1 255.255.255.0
!
interface Loopback1
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex full
!
interface GigabitEthernet1/0
 ip address 192.1.20.1 255.255.255.0
 negotiation auto
 crypto map CMAP
!
interface GigabitEthernet2/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet3/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet4/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet5/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet6/0
 no ip address
 shutdown
 negotiation auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 10.1.1.0 255.255.255.0 192.1.20.2
ip route 10.5.5.0 255.255.255.0 192.1.20.2
!
access-list 101 permit 10 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

R2#

Please do help!
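An added example (not part of the post above) of the kind of consistency check worth running on a crypto-map pair before reaching for debug: it parses excerpts of the two posted configs, verifies that each router's "set peer" is the other's crypto-map interface address, that the two crypto ACLs are mirror images, and that each ACL entry's protocol field is "ip". In IOS extended ACL syntax the word after "permit" is the protocol, so "permit 10" selects only IP protocol number 10, which test pings (ICMP, protocol 1) never match. The excerpts and the lint logic are constructed for this example.

```python
import re

# Constructed excerpts of the two running configs posted above: only the
# crypto map, the interface that carries it, and the crypto ACL are kept.
R1_EXCERPT = """\
crypto map CMAP 5 ipsec-isakmp
 set peer 192.1.20.1
 set transform-set TSET
 match address 101
!
interface GigabitEthernet1/0
 ip address 192.1.10.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit 10 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""

R2_EXCERPT = """\
crypto map CMAP 5 ipsec-isakmp
 set peer 192.1.10.1
 set transform-set TSET
 match address 101
!
interface GigabitEthernet1/0
 ip address 192.1.20.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit 10 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

# access-list <num> permit <protocol> <src> <src-wc> <dst> <dst-wc>
ACL_RE = re.compile(r"^access-list (\d+) permit (\S+) (\S+) (\S+) (\S+) (\S+)", re.M)
PEER_RE = re.compile(r"^\s*set peer (\S+)", re.M)
MATCH_RE = re.compile(r"^\s*match address (\d+)", re.M)


def parse_side(config):
    """Pull the peer, the crypto ACL entries and the crypto-map interface IP."""
    acl_num = MATCH_RE.search(config).group(1)
    entries = [(p, s, sw, d, dw)
               for n, p, s, sw, d, dw in ACL_RE.findall(config) if n == acl_num]
    iface_ip, current_ip = None, None
    for line in config.splitlines():
        stripped = line.strip()
        if line.startswith("interface "):
            current_ip = None
        elif stripped.startswith("ip address "):
            current_ip = stripped.split()[2]
        elif stripped.startswith("crypto map ") and line.startswith(" "):
            # Indented "crypto map" is the interface binding, not the global map.
            iface_ip = current_ip
    return {"peer": PEER_RE.search(config).group(1), "acl_num": acl_num,
            "entries": entries, "iface_ip": iface_ip}


def lint_pair(cfg_a, cfg_b, name_a="R1", name_b="R2"):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse_side(cfg_a), parse_side(cfg_b)
    findings = []
    for name, side in ((name_a, a), (name_b, b)):
        for proto, *_ in side["entries"]:
            if proto != "ip":
                findings.append(f"{name}: ACL {side['acl_num']} matches only IP "
                                f"protocol '{proto}', so ICMP pings never select the crypto map")
    if a["peer"] != b["iface_ip"]:
        findings.append(f"{name_a}: set peer {a['peer']} is not {name_b}'s crypto-map interface")
    if b["peer"] != a["iface_ip"]:
        findings.append(f"{name_b}: set peer {b['peer']} is not {name_a}'s crypto-map interface")
    a_pairs = {e[1:] for e in a["entries"]}
    b_mirrored = {(d, dw, s, sw) for _, s, sw, d, dw in b["entries"]}
    if a_pairs != b_mirrored:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings


def with_ip_protocol(config):
    """Same excerpt with the crypto ACL matching all IP traffic between the subnets."""
    return re.sub(r"^(access-list \d+ permit) \S+", r"\1 ip", config, flags=re.M)


if __name__ == "__main__":
    for finding in lint_pair(R1_EXCERPT, R2_EXCERPT):
        print(finding)
```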



Have you guys seen anything like this capture: Client: SYN, SYN (retrans), SYN (retrans)...about 12 seconds total flow...and then the SERVER replies with a TCP reset?

Happens with multiple, unrelated servers and web sites. Server always sends the reset.

I'll stand up a web server tomorrow to get a capture from that side, but wanted to ask this question here now so that I can be more prepared for a customer tomorrow morning.

edit: if the title isn't clear, there is only the syn, retransmissions, and then the reset in the flow; no other packets



9800 WLCs in HA

Hi everyone!

I configured 2 9800 WLCs in HA that were supposed to be in the same rack unit, but unfortunately people on site changed the location of WLC-2 to a "redundancy" site at the same location. Now the 2 WLCs are on the same LAN but not in the same rack unit, whereas they were connected to each other via the redundancy port.

Now that it's not an option to have HA by SSO, what can be a solution for redundancy?

I thought that since APs can have a primary and a secondary controller, maybe I could leave both controllers with the same config but different IP addresses; that way the APs should look for WLC-2 when WLC-1 goes down, right? Is this SSO? What configuration should I have on the second WLC?

Both controllers are on same LAN but far from each other. Thanks for the help!



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels; feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



10G router replacement for the EdgeRouter Infinity?

So it seems like all the EdgeRouter Infinities in America have just disappeared, I haven't been able to get a hold of one in over a month. All of my normal vendors are out, and so I'm wondering if there's another 10G router that would work as a decent replacement. Hopefully one under 2k.



Cloud wireless alternatives

Hello,

I am planning to build a proposal to replace our current WiFi system used as a remote access VPN.

We currently have 2 solutions: a Cisco enterprise AP solution for the office and a cheaper, non-Cisco lightweight AP solution for remote workers. The remote worker solution is supposed to be cheap, support maybe 2 SSIDs, have zero-touch or almost zero-touch provisioning capabilities, and be used as a VPN client replacement.

I am proposing to replace that with Meraki, but it would be nice to compare it with other brands as well. I have just stumbled across Ubiquiti, but it seems more of a SoHo solution than an enterprise one. I probably need to study the product more.

Has anyone worked with Ubiquiti or other Meraki alternative brands?



Monitoring, Alerting, Config backup, and IPAM all in one programs?

Hello folks, recently I've been asked to find something that can manage all of our Cisco equipment. We currently use PRTG to monitor MIB libraries and switch up/down states and we're looking for something with a little more.

In the past I've used SolarWinds NPM to back up configs, push minor config changes, monitor links for bandwidth contention, and send alerts for up/down states. I don't remember their MIB library or whether or not it was able to alert on bad power supplies or switches in a stack going down. SolarWinds would have the added benefit of also being able to monitor our Check Point firewalls.

I've also used Prime, but I've never used Prime for alerting or bandwidth. Only for backup, config automation, and maintaining WLC/APs.

What I'm wondering is, if either of these solutions could provide for my needs and if so, how are your experiences with them?



Permit ip any any on ASA firewalls

I'm not sure how common this is, but I have the fortune of working for a place that has permit ip any any rules on ASA firewalls, and we've been afraid to tackle that because we don't want to break anything.

Is there a methodical way to see what traffic is hitting the explicit permit on an inbound ACL so we can slowly create explicit rules and eliminate the explicit permit?



Aruba NetEdit - does anyone here use it?

Hi all - recently had a meeting with an Aruba rep, about replacing my Catalyst 2960s with something like Aruba 2540s, and he was really pushing the CX 6200 series. The analytics and automation of configuration does sound appealing, but I wanted to search for a little Real World feedback before going down that wormhole. Many thanks in advance for any feedback :-)



Layer 3 switches and routers

Currently learning about networking and layer 3 switches and routers. I don't understand when you decide to use layer 3 switches as opposed to routers and vice versa. Although I've read switches are supposedly better at handling VLANs in terms of performance compared to router-on-a-stick, so I guess that is a deciding factor.

But if this is the case, then technically you can get away with not having any routers because layer 3 switches can link to the firewall? Unless you are using the router given by the ISP?

So a network could look like: ISP > Firewall > Layer 3 switch > access (layer 2) switches ?

However I have seen some network designs go with ISP > Firewall > Router > Layer 3 switches > layer 2 switches... But what would the need be for the router?



RPKI and Route Origin Attestations

I am trying to understand why RPKI is insufficient to secure BGP.

The second paragraph below doesn't make sense to me. Why aren't the BGP UPDATE messages ignored if they are not signed?

From https://www.scion-architecture.net/newsletter/RPKI.pdf

"By itself, RPKI provides keys to ASes and certificates for the IP addresses they own and are therefore allowed to announce through BGP, so-called route origin attestations (ROAs). This process is done through multiple steps following the delegation of IP addresses starting from the Internet Corporation for Assigned Names and Numbers (ICANN) and regional Internet registries down to individual ASes. When an AS announces that it owns a particular IP prefix through BGP, other ASes can check if it has a valid ROA; if not, the recipient of this announcement can conclude that it is fraudulent and reject it.

Unfortunately, ROAs only prevent the simplest form of BGP hijacks. A malicious AS trying to hijack a particular IP prefix can still send a BGP UPDATE message claiming that it is directly connected to its legitimate owner. Recipients of such an announcement would accept it as the legitimate owner of the addresses is noted as the last AS in the BGP message and would then start sending traffic to those IP addresses to the attacker, who can then inspect, reroute, or drop it."
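An added example (not from the quoted paper or the post) that makes the second paragraph concrete: origin validation, as RFC 6811 defines it, looks only at the announced prefix and the last AS in the AS_PATH, and returns one of "valid", "invalid" or "not-found". Run over a few constructed announcements (documentation prefixes and ASNs 64496, 64500 and 64511 are assumed values), a plain origin hijack and an over-specific prefix come out "invalid", but an announcement whose path ends in the legitimate origin is "valid" no matter what precedes it, because ROAs attest origins, not adjacencies. Telling that case apart needs path validation, which RPKI origin validation does not provide.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_as may announce prefix up to max_length."""
    prefix: str
    max_length: int
    origin_as: int


def rov_state(announced_prefix, as_path, roas):
    """Classify one announcement the way RFC 6811 origin validation does.

    Only the origin (last AS in the AS_PATH) and the prefix length are
    examined; the rest of the path is never consulted.
    """
    net = ipaddress.ip_network(announced_prefix)
    origin_as = as_path[-1]
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"          # no ROA says anything about this space
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"          # origin and length both authorized
    return "invalid"                # covered by a ROA, but origin/length wrong


# Constructed ROA set: AS64496 holds 192.0.2.0/24 and may not deaggregate it.
ROAS = [ROA("192.0.2.0/24", 24, 64496)]

# Constructed announcements as seen by AS64500's neighbour; the AS_PATH is
# ordered from nearest AS to origin, so the last element is the origin.
ANNOUNCEMENTS = {
    "legitimate":       ("192.0.2.0/24", [64500, 64496]),
    "wrong_origin":     ("192.0.2.0/24", [64500, 64511]),
    "too_specific":     ("192.0.2.0/25", [64500, 64496]),
    "forged_adjacency": ("192.0.2.0/24", [64500, 64511, 64496]),
    "no_roa":           ("198.51.100.0/24", [64500, 64496]),
}


def classify_all(announcements=ANNOUNCEMENTS, roas=ROAS):
    """Map each announcement name to its origin-validation state."""
    return {name: rov_state(prefix, path, roas)
            for name, (prefix, path) in announcements.items()}


if __name__ == "__main__":
    for name, state in classify_all().items():
        print(f"{name:18} {state}")
```

The "forged_adjacency" row is the paper's point: the ROA check gives it the same answer as the legitimate route, so a router enforcing ROV alone forwards toward AS64511 just as it would toward the true next hop.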



Segregating insecure devices

We have a number of devices on unsupported/insecure OSes that we are being told won't be updated and need to continue to be allowed on the network. We are trying to come up with a solution to segregate these devices and were wondering what people think (we have already said they should just update them, but you know how it is).

We have layer 3 access switches and separate VLANs for all the different types of devices, but we don't really make use of ACLs other than some basic ones on the access switches currently, as we have a large estate and it would be a lot for our team to manage. The requirement should really just be internet access, but they are already talking about loads of internal servers and services the machines will still need to communicate with. Management just say 'put them on another VLAN', but that doesn't actually solve the security issue; it's like putting the problem in the room next door to you but leaving the door open.

We have looked at trunking the VLAN back to our firewalls and handling access from there, but it occurs to me that negates any benefit of having IP routing up to our access layer, and depending on how many areas these devices cover it will mean we are connecting a large area together, which is the opposite of our current design, which tries to avoid large L2 failure domains. I was thinking VRF, as we do currently make use of VRFs on our network, but 90% of our access devices don't support VRF and only the core of our network does, so that isn't an option.

Am I missing an obvious solution to this? I don't have a huge amount of experience designing. Cheers.



Replacement for Cisco 24 port 3750Gs?

Hi,

On the back of this post: https://www.reddit.com/r/networking/comments/hdtasy/48_port_access_switches/

We have four x 3750G 24 port switches for the core switch/distribution switches. What would you recommend as a vendor, given the below details? Again, there'll be budget constraints and Cisco is known to be very expensive. I'll probably end up using either fs or Aruba switches for the access layer dependent on price.

Looking here: https://blogs.arubanetworks.com/spectrum/aruba-recognized-by-gartner-as-a-leader-in-2019-magic-quadrant-for-the-wired-and-wireless-access-infrastructure/

It certainly appears that Aruba is "up there" with Cisco but I can't find anything for 2020 and that may even include Aruba's excellent WiFi which helps edge them that far, but I'm not so sure if they'd be a good fit? Would Aruba 2930s be any good? Or any other model? Or even Cisco if there's not a huge price difference. Coming from a Cisco background, I'd want a Cisco like CLI. That's the case on Dell switches and apparently also on the fs switches too. We will probably move to Aruba WiFi too in the end.

I've noticed that Aruba have the ARUBA 3810M 24G 1-SLOT SWITCH (JL071A) model. I can't imagine why we'd need anything higher when we're not a data centre, and this wouldn't be used in our data centre either tbh (for backup). In the DC we also have another 3750G switch which would be replaced, but I believe it's just there for DR purposes, so nothing beefy is needed even though it's in the DC.

We have around 80 members of staff. Our requirements are fairly simple. The distribution switches merely have port-channel aggregations to our access switches. SVIs are here, and OSPF is here too.

Tbh only 14 actual ports are being used here, not 24, but I figured that's probably cheaper than their 16 port modular model (ARUBA 3810M 16SFP+ 2-SLOT SWITCH (JL075A)). For the core, right now it's a mess, as the firewall goes back into the core to go out to the internet but the switches also route to the firewalls; however, the aim is to essentially have the core connected to the firewall and push most of the network into there regarding routing. Then the switches will switch as per the traditional layer three models.

Regarding switching capacity, there are around 80 users in the office and we're currently using gigabit links with I believe 10Gb/s fibre uplinks too. There's no need for 10Gb/s on either of the core/distribution switches across all ports unless of course there's a very little price difference. I can't really see a need for Aruba 8320 switches despite it being marketed as a series for "Core switches"

We have OSPF configuration running there, and we're going to remove the ACLs and push them into the firewalls tbh. Besides, we'll probably move most of the routing into the firewalls too. We have no MPLS/VPN requirements either. I believe the Cisco C9500-24Q-A would also be a good fit? As well as possibly an FS S5900-24S4T2Q, but I might want to steer away from them for core/distribution.

Regarding support, very little technical support would be required other than timely firmware fixes so we're not vulnerable to CVE issues. There's also an argument to be had for using multi-vendor equipment too on that basis. There are extreme switches that I haven't considered too.

I should note, we resell HPE care packs so we could get that relatively cheap too.

Any help would be appreciated

Thanks



I hate NPS

So we just moved all of our devices into an isolated management network. Updated our NPS with the new IP addresses of the devices and now authentication does not work. All I have done is change the IP addresses... why is NPS always such a twat!



Academic question regarding public multicast.

Hi all,

I have had this question for a while now and I cannot seem to get it out of my head.

Why has multicast failed on the Internet? Why isn't there a service like a TV channel where you can join their public IP address/FQDN and watch live streaming? I mean, with all the public videos going on on YouTube/Facebook/Instagram, you would have thought that this would be the norm by now, but it's not.

Wouldn't multicast be cheaper and more efficient than unicast in that situation?

And if ISPs could configure multicast addressing, wouldn't it make it easier to watch IPTV everywhere? Why isn't this a thing yet?



Linux DIY inline network tap?

I'm looking for a DIY alternative to an IOTA 1G which I evaluated for work, but it's been floating around in waiting-for-PO-approval hell.

Summary of the IOTA's features:

  • 1 management port
  • 1 inbound tap port (can be used to tap a span, as well)
  • 1 outbound tap port
  • Tap ports are linked, in 1 out 2, in 2 out 1.
  • Tap is 1 GB speed
  • 1 TB of onboard SSD storage
  • Tapped traffic is used to generate logs, which get turned into graphs in grafana
  • Grafana generates on-demand links to pcaps of the displayed data which can be downloaded for additional analysis

Usage for this would be to ship to branch offices, a plug-and-play install for a non-technical person.

  • Primary: Short term deployment - Capture a months worth of traffic for analysis.
  • Secondary: Short term deployment - Near real time analysis for troubleshooting live issues.
  • Tertiary: Long term deployment.

Honestly the IOTA does more than I would want, better than I'll be able to copy, and cheaper than it will cost me to develop. I'd prefer it if I could just get my PO signed. But in the meantime, actual work is mostly dead, and I enjoy tinkering with stuff like this, especially when it comes to networking-specific stuff.


I think I have everything mostly figured out, but I'm not sure how to set up the tap ports.

On the logging, charts, and graphs side of things; I think I'll be able to generate syslog data from the inbound tap port, and then forward that into ELK or Graylog (on the same box) and work on charts and graphs from there. I'm probably also going to enable Netflow and SNMP. I'm not sure if it's possible to easily generate the log/chart data from pcaps, but if so I'd prefer it, and I'd probably scrap the syslog/snmp/netflow data.

On the hardware side of things I'm looking at building something like this, at least as a POC. I may beef up the specs a bit if the POC works out, and I see a potential for benefit.

On the capture side, I'm planning on a rolling capture. Initially I was thinking hourly, but I think I may need to do a short time frame like 5-15 minutes to allow data analysis as close to real time as possible. Maybe small duration for the rolling capture, and then merge them into hourly pcaps every hour. I'm only going to be capturing on the primary tap port.

I'm not going to bother trying to integrate the log/chart web GUI filter into the pcap filter directly, but I think I'll be able to set up a script to generate a temp pcap by combining the archive pcaps based on timestamp constraints, and then apply filters against the temp pcap to generate the desired filtered pcap result.

The part I'm really not sure about is how to set up the two tap interfaces. I don't want either interface to do anything to the traffic. I just want it to flow in one port and out the other and vice versa. The terms I've been googling haven't been leading me to any good results.



Aruba vs Cisco vs Arista Switches

Hi,

On the back of this post:
https://www.reddit.com/r/networking/comments/hdtasy/48_port_access_switches/

We have four x 3750G switches for the core switch/distribution switches. What would you recommend as a vendor? Again, there'll be budget constraints and Cisco is known to be very expensive. I at least know that I can look into fs.com or Aruba switches for the access layer, as they just need to be there for VLANs, possibly PoE, and that's it.

Thanks



RSTP Question Unifi/UBNT Network

Hi All,

I'm a bit of a noob with networking and am setting up a network for a small business for the first time. My configuration so far is as follows:

Unifi Security Gateway --> Unifi 48P Switch --> UBNT 16 Port XG Edge Switch

I have connected an SFP+ port on the Unifi 48P Switch to the 16 Port XG switch. In the future I will also connect another 48P switch to the 48P switch. The XG switch will have connections with different servers aside from the uplink.

My question: For RSTP, does it make sense to set the root bridge on the 48P switch? Additionally, does it then also make sense when I add the 2nd 48P switch to set the 2nd 48P switch and the 16 port XG switch as the same priorities? Also, is there a typical standard to follow for the root bridge priority (4096?).

Sorry if these are quite basic questions. My previous experience was that we had the root bridge on two Cisco 10G switches using HSRP, so I just am not sure if I should be using the 10G switch as root.



Monday, June 22, 2020

possible subnets, NOT HOMEWORK

You have a classful IP of 15.22.34.92 with 10 subnet bits. How many hosts and subnets are possible?

PS: ADMIN, IT IS NOT HOMEWORK, I AM STUCK ON THIS ISSUE, I AM LEARNING NETWORK OPERATIONS



Can VLANs fix my horrible network configuration??

Hello! I am currently switching to Ubiquiti and I would like to change the way my network is set up. I currently have 1 fiber modem giving signal on 2 ports: one for internet, and one for VoIP. Each port has its own router and own switch. This is hard for me to manage because whenever there is a VoIP issue, I cannot use the switch dashboard due to the fact that the VoIP router only works with Polycom phones and doesn't support browsing through WAN on other devices. As a small business IT manager working in a growing environment, I am unfamiliar with how VLANs are supposed to be configured and how to properly utilize them. Is it possible to use 2 uplink ports on the UDM-Pro (Ubiquiti's router/switch) and use VLANs to separate the 2 networks upon the 2 switches? I will be using 1 UDM Pro and 2 48 Port Pro switches. Everything will be connected via DAC. I am willing to modify the setup or to get another piece of equipment to get this to work. Thanks in advance!



Opinions on Orhan Ergun CCDE Training

Hi, I am thinking about getting the CCDE cert; apparently Orhan is one of the few content creators for the CCDE cert.

Has anyone taken one of his trainings or bootcamps? I have been looking for reviews all over the web with no luck.



Investigation Tutorial: How I uncovered a Russian Scam Group on Dark Web

Hi guys, I thought I'd share my research about how I uncovered a Russian scam group on the dark web. It contains a number of techniques which would be helpful for you in your investigations.

link.medium.com/LeyxfeW2i7



PBR Blocks Other Subnets

I'm trying to troubleshoot some problem I'm having at my work environment. In my work environment I'm implementing a Guest network which I want completely segregated from the production environment even using a different ISP gateway. I implemented a PBR policy on the interface VLAN of the Guest network which redirects all Guest traffic to ISP 2. The only problem I have is that the UniFi controller can't communicate with the Guest Client and the client won't get the Guest portal which the client needs in order to use the network.

Is there a way I can allow the UniFi controller to communicate with the Guest client? Does PBR perform a block somewhere there? The controller can ping any client on the Guest network if I take out the PBR policy, but without the PBR the Guest network will use the production gateway (ISP 1).

The guest client can ping the controller but the controller can't ping the client.

I use a Palo Alto firewall, and have configured 2 virtual routers: 1 for production, which handles everything, and a 2nd one for the guest traffic.



Reimage 1120 to ASA Code

Repost from /r/Cisco

Hi. I am having a rough time trying to move from FTD to ASA code on a new 1120 firewall. I am following the online guide and have downloaded the image to a USB flash drive. I plug the drive in and issue the commands:

scope firmware
download image usbA:imagename.spa

When I issue "show download-task detail", I get an error stating the USB is not mounted and the download failed. I have tried a few different USB drives without luck. The USB is formatted as FAT. Not sure what I am missing. Any thoughts or help would be appreciated. Thanks



FastNetMon DDoS detection tool has got binary packages for all top Linux distributions

Hello!

I'm Pavel from FastNetMon and I'm happy to announce that we've finished CircleCI integration for FastNetMon Community and prepared binary packages for the following distributions:

  • Ubuntu 14.04, 16.04, 18.04, 20.04
  • Debian 8, 9, 10
  • CentOS 6, 7, 8

We've selected these distributions according to installation statistics for the last 6 months.

These binary packages are based on the upcoming FastNetMon Community 1.1.6 and they include a number of nice features such as bundled BGP support (based on our favourite daemon, GoBGP) and a management command line interface.

To install FastNetMon you can use the following steps (don't be scared, this script just detects your distribution and installs the proper package):

wget https://raw.githubusercontent.com/pavel-odintsov/fastnetmon/master/src/fastnetmon_install.pl -Ofastnetmon_install.pl

sudo perl fastnetmon_install.pl --do-not-track-me

In addition to these steps I would recommend checking our official install guide.

If you are not familiar with our project, let me introduce it in a few sentences. FastNetMon is an open source threshold-based DDoS detector with support for NetFlow, IPFIX, sFlow and SPAN capture. It can detect which of your own hosts is the target or source of an attack and trigger some action (typically, RTBH).

I'll be happy to answer any of your questions!



Scratching my head solving a VPN problem

Hello,

First of all I am sorry for my English. It is not my primary language but I am doing my best to make everything as clear as possible. If I miss any information, please ask!

Unfortunately I have spent my last few days trying to solve a strange issue which I think is a VPN problem. We've got a location which is using a UniFi USG Pro router connected to a 'central' FortiGate firewall. This firewall has a separate tunnel to our datacenter, which hosts a terminal server (2008 R2) and a checkout server (2008 R2), which uses a SQL connection to/for all our locations.

When connecting to the terminal server it prompts for the login credentials. You can supply any credential and it seems to process it, but after about 15 seconds it shows up a 'Cannot connect to remote computer' screen. This is while other locations can connect to the same server perfectly fine. Sometimes we're able to make a single connection about every 3 hours, but once disconnected and attempting to reconnect it shows the mentioned error message.

We also experience a problem where the checkout server cannot make a SQL connection to the central checkout server. It is able to connect to it, but it just fails to stay connected for over 1-2 seconds.

The checkout server is running Windows 7, the same goes for all other clients attempting to connect to the terminal server. I know we have to upgrade, but a request to do so is denied by management so we're forced to ride this train..

I've tried the following things:

  • Factory reset USG Pro Router.
  • Update to the latest version of the Unifi router, switch and AP's.
  • Enabling TLS 1.0, 1.1, 1.2, 2.0 and 3.0 on the client computers.
  • Editing the local host file so it connects directly to a terminal server instead of connecting to the broker.
  • Reconnecting/reconfiguring the IPsec VPN tunnel.
  • Lowering the MTU packet size/enabling Jumbo frames.
  • Using another DNS server which also resolves the central checkout/terminal servers hosted in our datacenter.

If someone has any ideas on how to troubleshoot/solve this I would love to hear them. I'm really out of ideas..

Thank you in advance!