Saturday, July 11, 2020

Troubleshooting a 10GBase-T Link

Hi all,

I have a Netgear M4300 connected to a Netgear M4200 via 2x 10Gtek ASF-10G-T SFPs. The link is CAT6A UTP and is only 45 ft. It isn't shielded but I do not believe that is the problem here. It's also not near any common interference sources.

The connection is stable *most* of the time. Occasionally, I will notice devices connected to the M4200 are offline. When I pull up the Monitoring page of the M4300, it will show hundreds of Link Down Events and it will count up at about one additional per second. All it takes to fix the problem is pulling either end of the CAT6A and replugging, or rebooting either switch. It's not a loose connection or a bad termination. It will work again stable for up to a day, and then act up again.

The M4300 logs "SFP interrupt received on the unit" every time this happens. What does this error mean?

Given how much it DOES work, it doesn't seem like a physical wiring problem. The link works fine on two gigabit ports.

Right now I am suspecting one of two things: 1) a bad SFP module, or 2) one of the SFP modules is overheating? I took out the one from the M4200 and it was VERY hot.

The setup is used for AV production multicast video (NDI) and the link is actively delivering around 800 Mbps continually. I'm not sure if throughput increases a module's likeliness to fail. But, 800 Mbps on a 10G link shouldn't be breaking a sweat, right? I understand that link speed is not the same as throughput.

Before it is mentioned, fiber is not a good idea for this setup. It will be connected and disconnected several times a week and I don't want the client to have to clean fiber ports every time. Also, industrial/tactical fiber connections like Neutrik OpticalCON are pricey.

Any pointers for troubleshooting this would be great.



geolocation inaccuracy?

We have centralized internet egress points per-region, and we occasionally field complaints from users about various internet services incorrectly identifying their location.

My first gut reaction to this is to call it purely cosmetic and "not a problem", but several of them are deeply insistent that it's a real problem for them. Some of this is stuff like incorrect language defaults for our European users, and other times it's just the local bugbear that certain groups of users will point to as evidence that "the network is slowing them down".

And honestly I'm not very well informed on the REAL impact here. I mean, if a CDN accidentally directs you to the wrong cache that could certainly lead to unnecessary performance hits, etc.

Can someone shed some light on the relative importance of geo IP accuracy, which sources are used in production by real web services, and to what extent you can even do anything about one of those sources being inaccurate?



What's a good "rule of thumb" for BGP convergence time across the internet?

Let's say I add, withdraw, or make a policy change to one of my prefixes. How long do you suppose it would take for the update to propagate across the internet? I've generally heard "a couple of minutes" but nothing more detailed than that. Also, does most of the delay come from the advertisement interval, or are there other factors that cause BGP to be quite slow to converge?



Are there ASN/Prefix/Routing information dashboards/tools? (medium to long term data)

Hopefully this is an appropriate topic for discussion here. If not, read me to filth in the comments :)

Are there any tools similar to bgp.he.net that cover a longer span (example: more than 10 years) of data for ASNs? I've been building my own dashboards for this using route-views2 RIB data, and want to see if there are resources to:

  1. Compare to my own to make sure my results are not crazy (I mean, I'm pretty sure they are good, but you never know)
  2. See if there are any improvements I can make on interpreting/representing data, and inspire me to write more (and hopefully better) code

I've put a couple of screenshots up here of example Grafana dashboards I've created with the data:

https://imgur.com/a/molN6mA

This currently isn't publicly accessible, and is more to further my own understanding, learn how to write better Python, understand time series DBs (Influx/Prometheus) and play with Grafana.



Anyone have experience with termite tenting/fumigation and networking hardware?

Hey everyone, newbie here.

My company is doing a termite fumigation for our office and I’m not sure whether or not I can leave our network hardware in place while we do. It’s not a lot — just a firewall, switch, server, and a few APs. Anyone have experience with that? If I can leave the stack in place while they fumigate, can I leave it powered on? Thanks for your help.



Using a VPS as a public IP

Hello,

I am currently looking to run a service on a local Ubuntu machine that requires a public IP. Unfortunately, service providers don't give more than one IPv4 to home users, so I am wondering if I can rent a VPS and forward traffic to my local machine.

Needs: I need my local machine to think that its IPv4 address is the same as the VPS!!

Any guides, tools, or software that might be useful for this case?



Back to basics - best ways to trace a cable

I have been tasked with overseeing a project where we trace out all of the cables in a datacenter. There is a total of 10 racks that are filled top to bottom. We will not get console access to any of the equipment, so no "show cdp neighbor". Plus some of the stuff doesn't go through switches anyway, so that would help in the end. Literally the project is to manually trace each cable. The most important part is this customer does not want any disruption. So no accidental disconnects.

With all of that said, has anyone come up with any neat tricks to simplify the process?



How to deal with congestion

Whilst I'm waiting for fibre to be trenched in our neighbourhood (hopefully it's live by October), I'm currently using LTE / 4G (unlimited data, advertised as up to 30 Mbps) to serve my internet needs at home. DSL has already been discontinued in the neighbourhood.

So basically it works pretty well in the early mornings, as I get 20-30 Mbps up & down... then by late morning / lunch time it gradually drops to below 1 Mbps and is extremely slow (read: dialup) till very late at night, and then eventually gets faster again as people go to sleep. After numerous complaints, the ISP says the "tower" is heavily utilised (meaning congestion) and it doesn't sound like they're interested in solving this issue, which I think would mean investing in more towers / additional spectrum, etc.

So my knowledge around ISP stuff is limited as I'm a software engineer, but it got me thinking and reading up more about networks, etc. If you were an ISP / network engineer, what would you do to improve the network, on a very busy tower?



Looking for rj45 socket

Hi guys, need help looking for part number for the socket I have in hands or a place where I can buy it in Europe.

https://ibb.co/svvfSXn https://ibb.co/qnVcdvx

In the back it says legrand mosaic but when searching for it, what I find doesn't match.

I'm in need of at least 8 units.

Thanks in advance



Uplink connections

Hi!

We have a project to upgrade a remote site and I was wondering what would be the best architecture for it.

There are 2 IDFs connecting to an MDF. Each IDF has a stack of 2x C2960-X connected to the Core. Our Core is basically 2x C3850s in HSRP with a layer 3 link between them. The first stack will have VLAN 100 and the second stack VLAN 200, so no loops.

Now we need to run some fiber between both IDFs to the MDF (length is about 100m). We have 2 options with the contractor, 6 or 12 strands.

Initially I thought:

STACK1 G1/0/49 - - - - - CORE1 G1/0/49

STACK1 G2/0/49 - - - - - CORE2 G1/0/49

STACK2 G1/0/50 - - - - - CORE1 G1/0/50

STACK2 G2/0/50 - - - - - CORE2 G1/0/50

So I would go with 2 runs of 6 strands (much cheaper).

Or should I go with 12 strands and do the following on both stacks:

STACK1 G1/0/49 - - - - - CORE1 G1/0/49

STACK1 G1/0/50 - - - - - CORE2 G1/0/50

STACK1 G2/0/49 - - - - - CORE2 G1/0/49

STACK1 G2/0/50 - - - - - CORE1 G1/0/50

I think the second option is overkill (over-subscription).

Thoughts?

Thank you!!



5 GHz antenna

Hi, I had a question about WiFi antennas.

Does a 5 GHz antenna work on a 2.4 GHz wireless card? I mean, does the chipset matter, or does it work on any wireless card?



MikroTik CRS354-48G-4S+2Q+RM

Hi All.

I’m considering purchasing a MikroTik CRS354-48G-4S+2Q+RM.

The feature set for the cost seems to be the way to go and gives me the majority of what I need. 48 Gigabit Ethernet ports, 4x SFP+ and 2x QSFP+ give me plenty of 10G connectivity. PoE ports would be a bonus - I see they do one with this but at double the cost I’d be fine with a smaller switch dedicated for PoE.

Anyone aware of a switch with the same features as the CRS354 for comparison, or does nothing come close?

Thanks.



Is it possible to optimize T-carriers for Transmission of Bursty Data?

I was going through the disadvantages of X.25 and one of the disadvantages was that X.25 doesn't support bursty data.

Basically, bursty data are data that require long connect times but low data volumes, e.g. data traffic/internet traffic.

Quoting from the Forouzan book:

T1 and T3 lines assume that the user has a fixed data rate all the time.

For example: A T1 line is designed for a user who wants to use the line at a constant 1.544 Mbps. But today users want to send bursty data.

i.e.

Say we have a time interval of 10 seconds.

User wants to send:

1) 6 Mbps for 2 s.

2) 0 Mbps for 7 s.

3) 3.44 Mbps for 1 s.

Although it averages to 1.544 Mbps (dividing the total by 10 seconds), a T1 line cannot accept this type of demand because it is designed for a fixed data rate, not bursty data.

My question:

a) So, can we use T-carriers for bursty data?

b) And does frame relay use T-carriers? What else does it use?

c) What was the last technology to use T-carriers?
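As an added illustration (not part of the original post), the demand profile above fed second by second into a simulated line that drains a fixed 1.544 Mbps; the function names and the kbit/s units are my own choice, the rates are the post's:

```python
# Added example: simulate the bursty demand from the post against a
# fixed-rate T1 line. Rates are in kbit/s per one-second slot; the
# demand profile and the 1.544 Mbps line rate come from the post,
# everything else is constructed for illustration.

T1_RATE_KBPS = 1544  # T1 line rate, 1.544 Mbps

# Constructed from the post: 6 Mbps for 2 s, nothing for 7 s, 3.44 Mbps for 1 s
BURSTY_DEMAND_KBPS = [6000, 6000] + [0] * 7 + [3440]


def average_rate_kbps(demand):
    """Average offered load over the whole window (what the book's averaging shows)."""
    return sum(demand) / len(demand)


def simulate_fixed_rate_line(demand, rate_kbps):
    """Feed per-second demand into a line that drains exactly rate_kbps per second.

    Returns the backlog at the end of every second, the peak backlog (the
    buffer a smoothing device in front of the T1 would need), how much line
    capacity sat idle, and how much data is still queued when the window ends.
    """
    backlog = 0
    backlog_per_sec = []
    idle_kbit = 0
    for offered in demand:
        backlog += offered                 # data arriving this second
        sent = min(backlog, rate_kbps)     # the line never sends more than its rate
        idle_kbit += rate_kbps - sent      # unused capacity is lost for good
        backlog -= sent
        backlog_per_sec.append(backlog)
    return {
        "backlog_per_sec": backlog_per_sec,
        "max_backlog_kbit": max(backlog_per_sec),
        "idle_kbit": idle_kbit,
        "leftover_kbit": backlog,
    }


if __name__ == "__main__":
    print("average demand:", average_rate_kbps(BURSTY_DEMAND_KBPS), "kbps")
    result = simulate_fixed_rate_line(BURSTY_DEMAND_KBPS, T1_RATE_KBPS)
    for second, queued in enumerate(result["backlog_per_sec"], start=1):
        print(f"end of second {second:2d}: {queued:5d} kbit queued")
    print("peak buffer needed:", result["max_backlog_kbit"], "kbit")
    print("capacity wasted while idle:", result["idle_kbit"], "kbit")
    print("still unsent after 10 s:", result["leftover_kbit"], "kbit")
```

The average matches the line rate exactly, yet the line needs an 8.9 Mbit buffer during the burst and still ends the window with 1.9 Mbit unsent, because the capacity it could not use during the idle seconds is gone.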



Friday, July 10, 2020

Platinum Tools Net Prowler or Fluke Linkrunner 2000

I'm looking at purchasing a network tester for our company. After a lot of research, I'm deciding between these two tools. Can you help sway my decision? Any other recommendations?

These two network testers are very comparable in what I am looking for: IPv4/6 addresses, bandwidth testing, DHCP, ping, PoE load testing, VLAN ID, cable length/fault distance.

I don't need Coaxial testing at all. Fibre testing is not a need, but we are using premade fibre patch cords and runs at our clients. Fibre testing feels to me like I am also future-proofing the purchase of the tool.

We would be using the tool once or twice a week. We've lived without this tool, but with what we can troubleshoot and verify, it would save us a lot of time and make for a better experience for our clients.

My background: I come from 7 years as a cable repair tech and 7 years as a mainline cable tech. I know the value of narrowing down the issue with the proper tools. I now run an MSP company.

TNP850K1 Net Prowler - This kit has the bits that I would feel comfortable to do what I need.

Pros - Cost ($1300 CAD). It does most of what I'm looking for.

Cons - I read about LAN speed testing; it maxes out at 100 Mb on some switches because of its hardware limitations. Does not do fiber.

Quote about the LAN speed testing: "Contacted their main distributor and they said the hardware in the tester can only negotiate at 100mb but the software can detect link capacity to gigabit. However, since the Cisco switches will throttle down based on negotiation speed, the tester will only show 100 mb."

Link Runner 2000 Kit - I like the capabilities. The basic version is what I can work with, but with the kit, the extra cable reflectors might come in handy.

Pros - I like a lot about its capabilities.

Cons - Cost (basic: $2300 CAD, kit: $2800 CAD). The basic kit does not have simple cable identification connectors, so I'm stuck identifying/testing 1 cable at a time.

Look forward to your comments.



What is the difference between a network engineer and a telecommunications engineer?

Hello, can someone break this down for me? What is the difference between the two, because I want to become a network engineer, but my university only offers telecommunications, not networking. If I pursue telecomm, can I become a network engineer with that degree? Or would I have to also take electrical engineering classes to back it up? But solely for my question, what are the key differences? Thank you.



Are certs worth it ?

College student in network technology and tele/data communications here.

So I am currently in college for my AAS in network technology and data/telecom communications. I was curious: are certs looked at that much? I'm not a great test taker, so I'm worried about whether I should spend money on CompTIA certs.
My school does the TestOut certs (Security Pro, Network Pro and the Hardware Pro). That leads me to the question: are the above TestOut certs worth anything in the industry?



Switching performance of virtualized firewalls (PAN)

Wondering if anyone has experience with running VM firewalls and what kind of switching performance to expect from them.

We're currently running a PA-850 HA pair and routing everything on it (except the virtualization clusters and server storage, which run on a ToR Mellanox 100G), with honestly great results. It's super easy to manage and performance is currently sufficient.

We were looking to upgrade to PA-3260s to prepare for future expansion but a thought came to mind... how do VM firewalls perform at the switching level? Would a top of the line VM (in PAN's case that would be a VM-500 or VM-700) running on recent hardware (we just got some new dual 64 core/1TB RAM hosts so we'd be able to reserve plenty of resources to the firewalls) be capable of routing a couple dozen subnets at a physical production site, with everything from latency-sensitive industrial equipment to wifi to hundreds of endpoints?

Or should VM firewall still be relegated to fully virtualized cloud environments?



GPON Network Quality Assessment

Hi, I just installed GPON and I noticed there are latency spikes now and then. What does this say about my connection quality? Appreciated.
TX Optical Power: 2.27 dBm (reference: 0.5 to 5 dBm)
RX Optical Power: -21.74 dBm (reference: -27 to -8 dBm)



To the Australians here — Need Some advice on MIS degrees, job prospects, etc!

Hello MATE!

This is mostly for the IT folk, but I'm open to all suggestions and advice...

I am deciding between moving to the US and Australia for my master's.

I am 29 and have 4.5 yrs of experience with F5 bigip, Palo alto firewalls, Symantec proxy solutions, etc. Basically a very hands-on networking/network security role.

I am thinking of going for Masters in information science (MIS) /Masters In Technology Management (MITM) sort of course with a decent focus on both tech and business and also because eventually down the line, after a few years, I would love to work in a more project mgmt sort of role instead of a very hands-on tech role.

With the US the drama around the H1B visa is crazy but with Australia now, I got questions along the lines of:

  • the IT industry on whole and cybersecurity specifically are very small (compared to the US economy)
  • and citizens and permanent residency visa holders are going to be preferred over me with whatever student visa I will be on once I am done with master's
  • how is the overall job hunting experience for international students and the entire procedure with getting the right visa and eventual PR/citizenship?


Social Distancing and Installations

Is anyone currently using anything that eases the process of physical installation of chassis switches in space-restricted environments during this time of social-distancing? For instance, a Catalyst 6807 is "a little" difficult to install alone, and installing it with a co-worker prevents adequate social-distancing. I am assuming masks are imperfect in mitigating the current risk.

Thank you for responding!



Any software that can show analysis for home router usage, downloads and sites?

I need a software program that can show me if someone is downloading something, with its size and type if possible, what sites are being visited, and average usage for a home router. Thanks in advance.



GPON - Switch SFP directly to ONT, without OLT

I know that in a GPON network, multiple ONTs are connected through optical splitters to an OLT.

However, is it possible to connect an Ethernet switch SFP port directly to an ONT, without using an OLT or any splitters? One ONT per SFP?

To be precise:

Ruckus ICX7450-48GF switch ( specs ) -- SFP ( specs ) -- Fiber -- Alcatel-Lucent G-010G-A ONT ( specs )

I know it's an unusual design. I'm just wondering if it could work, or if the ONT will only connect to an OLT.

Thanks!



MSTP issues on Brocade

Hi,

I recently inherited a poorly managed wireless internet network. I had a mentor-type person tell me what I needed to do was get MSTP set up on all my switches (mostly Brocade with some tough/edge switches and a couple of Dells mixed in). Over the span of a couple of days I was able to get all the switches configured with MSTP, the proper priorities, name, region, and VLANs all set right, but after it was complete all I've been getting is my logs spammed with bridge TC events. Now, from my understanding these events mean there was a network topology change detected on that port; this was causing all sorts of issues with my WiMAX and LTE towers. So I went through and set all the base station ports to no span, which fixed most of those issues, but I'm still getting bridge TC events from every port that leads to a switch. Mostly no issues, except for 3 switches where, seemingly randomly, the switch will declare itself the root switch, causing my link to the other switch to reset, killing my towers temporarily, and then reinstating the old root switch as root. NBD, except in that instant of resetting the link to the other switch, the WiMAX and LTE towers die for a split second, forcing customers to reboot in order to reconnect. Any thoughts on what might be happening here? I've tried to follow the bridge TC events but they all lead nowhere. Theoretically, if I follow a TC event to another switch it should show a TC event from the next down/upstream switch, but it flows in all directions, making it seemingly impossible to track.

Thanks



IT Documentation

What is your solution for in-house documentation of your infrastructure? Looking for something like IT Glue, but not MSP focused. Something I can host myself would be great, but paid services are OK too.



VLANs and Access Points

Trying to get my head around this. So I have a switch which has a Marketing VLAN and an HR VLAN. In each of the rooms (Marketing and HR) there is an AP, and the two APs are connected to this switch too. A wireless controller will be used to manage the APs. I want each VLAN to connect to an AP using its own SSID. So for instance, the Marketing AP will have a Marketing SSID. How do I go about achieving this? I've read about trunking and tagging but I'm slightly confused about how this works.

Also, how would this work for a guest? Say a guest comes to the Marketing department; does a Guest VLAN need to be set up on the switch too?



Viewing DSCP markings on ingress on sub interface : MX routers?

I have an interface with multiple sub interfaces. If I do 'show interfaces xe-1/1/0 extensive' then I can see the queue counters for the interface as a whole, but is there a way to see just the individual sub interface queue counters?

I've tried 'show interfaces xe-1/1/0.1234 extensive' but it doesn't list the queues for the sub interface itself.

I just want to make sure a specific sub interface is receiving DSCP marked packets. I'm guessing the answer may be a filter to count the packets on that sub interface instead.

Thanks



Thoughts on Dell N2000 as L2 access switch

Hi!

Can you tell me your thoughts about Dell N2000 switches? Are you using those in production environments?

I had Dell 5500 for a while and they have been quite solid. I am ONLY using Layer-2 features on them.

Core switches are Aristas and I want to have switches with similar CLI (which Dell has for me).

Have these devices been stable for you?

Thank you for your thoughts

ITStril



A disturbing trend in IT...

Something I have seen in a few places now... “knowledge guarding.” A guy knows how to do something. A new guy asks how. The question gets avoided. Why? Because the first guy is afraid to lose his job or something.

Okay. If it works that way, then you’d see a lot of movies where the following people get canned: Mr Miyagi, Master Yoda, Splinter, Dumbledore, Gunnery Sergeant Hartman.

In fact, the ability to teach new people makes you look like a true master, and helps your career. If you look at any situation where a mentor is involved, very rarely does a student even come close to replacing the master. Masters who can teach are just way too valuable. But people who guard and hoard their knowledge? Sometimes they get fired because their boss and peers don’t even know what they’re doing and/or don’t appreciate their selfish attitude.



New Office Networking setup(best Practice)

Hey, I would like to get more ideas about a project we are working on. We are moving from our current office to a new office. The IT Director wants to have a wireless-only shop (we use Cisco WAPs with 802.1X cert-based auth). If we do this there will be no wiring of patch panels of any sort. I would like to get an opinion on best practices.



Recommended literature on Infiniband

Hi,

I work in genetics and my lab has recently bought a few DGX-A100s which will be connected together through Mellanox ConnectX-6 cards; I do not yet know the details of the physical layout of the system.

Are there any resources you would recommend for learning about InfiniBand? I already had college classes on networking and read a few whitepapers.

My learning aims would be:

- Understand the protocol stack

- Best practices for storage systems (1 PB-ish)



Books and Courses about cabling and labelling networks.

Layer 1 question here. I'm a bit curious and I'd like to learn a bit about properly installing the physical part of a network, so I'm looking into books or free/cheap online courses about cabling and labelling a network up to the relevant standards (TIA-942, 606, etc.), tips and tricks about structured cabling, cable routing, etc.

Any suggestions?



Downstream ASN with BIRD?

Hi,

I am trying to downstream one of my own ASNs in BIRD, but none of my configurations seem to be working.

AS1 - ASN providing transit.

AS2 - ASN receiving transit. (Redacted my own ASNs)

(All prefixes announced are mine so nothing about destroying the internet hopefully, plus my upstreams and my config filters everything under my AS-SET, which is only these 2 ASNs)

    # AS1 side (transit provider): accepts only AS2's /48 from the peer
    protocol bgp as1
    {
        local as 1;
        source address 2a0x:xxx:xxxx:xxxx:5400:2ff:fed9:4b42;
        export all;
        import filter {
            if net ~ 2a0x:xxx:xxx::/48 then accept;
            reject;
        };
        graceful restart on;
        multihop 2;
        neighbor 2a0x:xxxx:xxxx:xxxx:5400:2ff:fed9:47b4 as 2;
        password "asdf";
    }

    # AS2 side (downstream): announces only its own /48 to AS1
    protocol bgp as2
    {
        local as 2;
        source address 2a0x:xxxx:xxxx:1355:5400:2ff:fed9:47b4;
        import all;
        export filter {
            if net ~ 2a0x:xxxx:xxx::/48 then accept;
            reject;
        };
        graceful restart on;
        multihop 2;
        neighbor 2a0x:xxxx:xxxx:xxxx:5400:2ff:fed9:4b42 as 1;
        password "asdf";
    }

My static config is also just set to allow that IPv6 prefix.

With this config, everything looks good to me: the session establishes, but the prefix is still unreachable. What am I doing wrong? IRR and RPKI are valid for both ASNs.



Cisco/Aruba Tagged vs Untagged

Hi,

If I had a port on an Aruba switch configured with:

tagged vlan 10,11
untagged vlan 1

and a port on Cisco configured as a trunk, what would Cisco do with untagged traffic?



What is the largest equipment you have done in one go?

I'm curious at what kind of scale and crazy stuff other people have had to order. First I was surprised that I managed to get a $2 million refresh budget approved with almost no questions - with only 18 months of experience. Right now I'm pushing through a $6 million request. My biggest one was when I pushed for an ISP contract renegotiation to meet some of the requirements I created and, without knowing it, added a $1.5 million/month bill with plans to increase it again in a year when possible. As someone in their early 20s and very "early career", it's crazy anyone will take my recommendations at face value with this much money on the line. I'm sure a lot of you have some crazy stories of much higher budgets being pushed through without pushback and would love to hear them! Waiting for that datacenter engineer to come on and say they do 11-digit upgrades every few years.



Tacacs-Server Directed Request For Juniper

Hello, we are using two tacacs+ servers and would like to be able to select which server to authenticate to on our Juniper switches. I know Cisco has "tacacs-server directed request". I'm not seeing a Juniper equivalent or anything mentioning being able to select a certain tacacs+ server on Google/tech forums/Reddit. Does anyone know how to configure this on Junos?



Thursday, July 9, 2020

Meraki MS425 vs Nexus 3172PQ Collapsed Core

A couple years ago I took a new job that was in the middle of planning a replacement for their 6509E core and 120 2960 building access switches (spread across around 25 buildings). They were sold on replacing the 6509 with a stack of 4 Meraki MS425's and using the MS350 in the buildings. I got the joy of implementing the 425 stack first and after some headaches we finally got things working and it was surprisingly ok. We have purchased and installed about 70 of the 100 MS350's as well which are just being used as layer 2 access switches which they seem to be fine for. All layer 3 routing (170 vlans) happens on the 425 stack.

The honeymoon phase is over with the 425 stack. Firmware with massive bugs and issues with upgrades taking the whole network down because of issues with ARP table getting out of sync in the stack etc. have made me want to replace it but I don't know if there is going to be budget to do so for a couple years. I have access to two brand new Nexus 3172PQ's that were bought for a different project that never happened. My thought was to set them up with vPC and replace the 425 stack but keep the MS350's for building access switches.

I know the port buffers aren't that great in the 3172 but everything will be connected to it over 10Gbps. The highest I ever see the port usage go on any of the MS425 ports is around 350Mbps. I only have static routing on the 425 and that is only a default route that points to my PA5220 firewall pair. I also absolutely hate that I have access to zero logging on the core stack (thanks Meraki).

Am I crazy for thinking about doing this? Long term I would probably replace this with an appropriate Nexus or Cat 9K.



EIRP Measurement: dBm or dB?

Hello, r/networking!

I'm trying to learn about basic RF Math. I've found some calculators to calculate EIRP but I'm unsure of the unit of measure.

https://www.pasternack.com/t-calculator-eirp.aspx states EIRP as dB

https://www.everythingrf.com/rf-calculators/eirp-effective-isotropic-radiated-power states EIRP as dBm.

I've inputted the same information, and get the same answer. Just not sure of the unit of measure.



What could cause a UDP packet to be blocked until a ping is sent?

I have a device that sends UDP packets every 5 secs directly to the IP address of a Windows Server machine (unicast/udp)

Running Wireshark on the server shows no incoming UDP traffic...

Until I ping the device from the server.

The first ping always times out, the other 3 pings get a reply, then UDP packets start coming in!

Any ideas?

Thanks



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



S4048-ON Unsupported Transceiver

Until I receive my “Dell Qualified” optics I’m at a standstill with the error “unsupported transceiver”. My unqualified SFPs seem to work just fine but it doesn’t accept my QSFPs. Is there a way around this, possibly a command to allow unsupported optics?



Hidden Network Worm

Okay guys. You can say whatever you like, but this is real.

I actually believe it is a nefarious version of carnivore. Yes, THE carnivore.

This worm is being used by the radical left and has been installed on every smart TV, security camera, computer, and smartphone I own. I am certain you all have it too. Every cell phone in my city has it installed, streaming audio into the cloud. I have maybe a dozen devices containing the worm, and am looking for help reverse engineering it.

Please contact me if you are interested in helping, or have a lab where you would like to work together. This isn't for the faint of heart. This is for real, and working on this will get your face and voice imprinted in the cloud and tracked by every device with a microphone or camera (that has the worm.. which is presumably everything).

Now. I will mention a little bit here. The worm hides its traffic by overwriting the software radio firmware and kernel drivers. This thing is pretty awesome, but also insanely dangerous.

Feel free to comment or message me. Also, cross tweet if you prefer. Not sure how I will find you tho..

For the uninformed.. We (the US) are in a technology/information war. This is their weapon. Truth is, associating with this will make you a target. It will also make you a hero (when we nail them).



How to stop advertising a prefix to a BGP peer if the route to the prefix goes down?

I have a prefix advertised out of two different sites. The prefix is only in use at site A. There is a p2p link between the sites. Site A uses that p2p link as its primary default route.

If that p2p link goes down, how do I get the router at site B to stop advertising site A's prefix so site A will be reachable via its backup ISP?

Link to simple diagram

I have OSPF running between R1 and R2.

If I shutdown the p2p link, R1 keeps on advertising SiteA prefix to both ISPs. I don't have a static null route for SiteA prefix on R2. I was hoping that when the OSPF learned route dropped, it would stop advertising it via BGP as well.

Would this work if I dropped OSPF and used iBGP instead?

Sorry if I boiled this down too much. Please let me know if I can clarify anything.



Analyzing QoS impact over time

Could someone give me recommendation/guidance on how to determine if the currently implemented QoS on a couple of Cisco Catalyst 3750 switch stacks is working as desired?

The output of "show mls qos interface statistics" is about 30k lines for each switch stack. I collect these logs every work day around the same time. (I am currently working on a script to automate this process)



DCI interconnect datacenter to stretch L2 domain

These days I am reading about large datacenter deployments and how technology is being used in modern deployments. I am hearing over and over about DCI, where you can connect two geo datacenters using VXLAN and stretch the L2 domain, or vMotion your VMs, etc. But the question is why someone would do that just to move a VM to a different geo location, and how it would magically work: you need to move all dependencies (storage, LB), and if any public IP is associated with those VMs, then how will they get migrated from the USA to the EU region?

Just trying to find out who is taking advantage of this kind of L2 domain stretch across datacenters, and how.



Cisco Nexus 5000 switches

Good morning

I have a set of Cisco 5596UP switches. There are a bunch of systems that only support 100/1000 speeds. Are there any compatible 1Gb SFP devices with copper pigtail that will work with the Nexus 5000? I've picked up a few that claim they do but when plugged in they come up invalid.

TIA

Mike



10G switch recommendations?

Hello,

Can anyone recommend any switches that support 2x 10G SFP+ and traffic shaping (not policing)? Port density isn't a requirement.

Budget is around £600.



Firewall recommendations and needed opinions

Hi everyone,

I've spent days reading documentation and pricing and all sorts of other stuff for a new firewall that is needed in my company's branch office.

Got many vendor offers, but I'm stuck between these:

  • Checkpoint 5100 NGTP

  • Sophos XG 310 rev. 2

  • FortiGate 100F

  • Cisco Firepower 1120

Honestly, for me, I would choose the Cisco Firepower 1120. It's mid-range in price, but also fulfils the requirements pretty well; still, I'm curious about your choice.

What are your opinions on these firewalls? Which firewall would you choose?

Regards



Debian 10 based IoT gateway setup?

Hello everyone! Here at the company where I work, I have ordered an IoT gateway (Compulab iMX8) to connect Fanuc robots to a Fanuc server wirelessly (Wifi 6) instead of using a hardwired solution. The gateway that we have purchased runs on Debian 10. This may be a relatively easy question, but I would love to have some support to set it up correctly. To understand the situation, each Fanuc robot is set up with a static IP address and uses FTP, HTTP, & RPC to send data to the on-prem server. The robots and server are on a dedicated VLAN and use the following network: 10.17.2.0/24. What is the recommended way/command/configuration to set up this Debian gateway to basically just forward the data from the robots to the server wirelessly? Thank you so very much in advance for any help that you can provide!



RSTP prioritization

Say I’ve got a single 16 port fiber switch that uplinks to 4 more 16 port fiber switches. Those 4 fiber switches each uplink to 8 more 48 port switches (32 total). Also on the 4 - 16 port fiber switches are where I’ve got about 15 servers plugged in using 10 gig SFP+ fiber.

It’s basically a large hub and spoke setup.

How would you set up your RSTP prioritization for broadcast storm and flood protection?



What is the best WiFi repeater to buy in the 1000-2000 INR range?

What is the best WiFi repeater to buy in the 1000-2000 INR range?



Will 802.11ax BSS Coloring help if the neighboring stations are AC (Wifi5) only?

So I have read about how BSS coloring will help with dense and congested wifi settings. Other neighboring stations will use another color and therefore not block a transmission on my network.

However, what if I only have AC neighbor networks that don't support BSS coloring and do not send color codes? Are their packets treated as a "different color", therefore not blocking my network, or will they render my BSS feature useless, so that it will only work if everyone on the frequency uses AX?



DHCP relay over MPLS

Hi, guys!

I need to set up a single DHCP server to manage 5 different sites over MPLS.

I'm unsure if it is even possible to relay 10 different scopes to different VLANs at each location. Note that no VLAN is sent over MPLS, as it is only layer 3.

Anyone have good intel on this?🙃



DHCP strange behavior: unauthorized users can access network

I have a MAC/IP bound network, where devices have unique IP addresses. Only users with a MAC/IP combination in dhcpd.conf should be able to access the internet.

But recently we have noticed that if a new device connects to our WiFi and DHCP assigns it a random IP which is already assigned to a MAC/IP pair, that new device can access the internet.

/etc/dhcp/dhcpd.conf has:

```
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.254;
  option domain-name "dhcp.local";
  option routers 192.168.1.1;
  option broadcast-address 192.168.1.255;
  max-lease-time 7200;
  option domain-name-servers 192.168.10.1;
}

subnet 192.168.2.0 netmask 255.255.255.0 {}
subnet 192.168.3.0 netmask 255.255.255.0 {}

include "/etc/dhcp/dhclient.d/dhcp_clients.conf";

allow booting;
allow bootp;
option option-128 code 128 = string;
option option-129 code 129 = text;
```
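One way to check for this from the defender's side, as an added example that is not part of the original post: ISC dhcpd hands out addresses from a `range` to any client unless the subnet or pool carries `deny unknown-clients;`, and it does not keep `fixed-address` hosts out of the dynamic range on its own, so an unknown MAC can be leased an address that belongs to a bound host. The script below parses the `host` declarations (in the style of the included `dhcp_clients.conf`) and a `dhcpd.leases` file and flags active leases to MACs without a host entry, and leases whose IP collides with another host's fixed address. The dhcpd file formats are assumed; the host list and lease excerpt are constructed for the demonstration.

```python
"""Audit ISC dhcpd leases against MAC/IP host bindings (added example).

Assumes the ISC dhcpd syntax for ``host`` declarations and for the
``dhcpd.leases`` file; all sample input below is constructed.
"""
import re

# Constructed host bindings, in the style of the included dhcp_clients.conf.
HOSTS_CONF = """
host pc-alice { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.1.50; }
host pc-bob   { hardware ethernet 66:77:88:99:aa:bb; fixed-address 192.168.1.51; }
"""

# Constructed dhcpd.leases excerpt: an unknown MAC that was given pc-alice's
# fixed address, an unknown MAC with a pool address, and a released lease.
LEASES = """
lease 192.168.1.50 {
  starts 4 2020/07/09 10:00:00;
  ends 4 2020/07/09 12:00:00;
  binding state active;
  next binding state free;
  hardware ethernet de:ad:be:ef:00:01;
  client-hostname "visitor-phone";
}
lease 192.168.1.120 {
  starts 4 2020/07/09 10:05:00;
  ends 4 2020/07/09 12:05:00;
  binding state active;
  next binding state free;
  hardware ethernet de:ad:be:ef:00:02;
}
lease 192.168.1.121 {
  starts 4 2020/07/09 09:00:00;
  ends 4 2020/07/09 11:00:00;
  binding state free;
  hardware ethernet 66:77:88:99:aa:bb;
}
"""

HOST_RE = re.compile(
    r"host\s+(?P<name>\S+)\s*\{[^}]*?hardware\s+ethernet\s+(?P<mac>[0-9a-fA-F:]{17})\s*;"
    r"[^}]*?fixed-address\s+(?P<ip>[\d.]+)\s*;[^}]*\}",
    re.DOTALL,
)
LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>[^}]*)\}", re.DOTALL)


def parse_hosts(text):
    """Return {mac: (host name, fixed ip)} for every host declaration."""
    return {m["mac"].lower(): (m["name"], m["ip"]) for m in HOST_RE.finditer(text)}


def parse_leases(text):
    """Return [(ip, mac, binding state)] for every lease block."""
    out = []
    for m in LEASE_RE.finditer(text):
        body = m["body"]
        mac = re.search(r"hardware\s+ethernet\s+([0-9a-fA-F:]{17})\s*;", body)
        # Anchor at line start so "next binding state" is not mistaken for the state.
        state = re.search(r"^\s*binding\s+state\s+(\w+)\s*;", body, re.MULTILINE)
        out.append((m["ip"], mac.group(1).lower() if mac else None,
                    state.group(1) if state else "unknown"))
    return out


def audit(hosts_text, leases_text):
    """Flag active leases to unknown MACs and collisions with fixed addresses."""
    hosts = parse_hosts(hosts_text)
    fixed_ips = {ip: mac for mac, (_, ip) in hosts.items()}
    findings = []
    for ip, mac, state in parse_leases(leases_text):
        if state != "active":
            continue  # expired/released leases are not granting access now
        if mac not in hosts:
            findings.append(("unknown-client", ip, mac))
        if ip in fixed_ips and fixed_ips[ip] != mac:
            findings.append(("fixed-address-collision", ip, mac))
    return findings


if __name__ == "__main__":
    for kind, ip, mac in audit(HOSTS_CONF, LEASES):
        print(f"{kind}: {ip} leased to {mac}")
```

Run it against the real `/var/lib/dhcp/dhcpd.leases` and the included host file to see whether leases are going to MACs that have no binding; any "unknown-client" hit means the server is leasing to clients the host list never authorised, regardless of which address they received.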



Hello, I'm trying to configure FreeRADIUS with LDAP and 802.1X

Hello, I have LDAP and EAP configured. I'm using FreeRADIUS to log in to my switches. I have EAP working with computer certificates and I'm able to authenticate with the cert. My problem is that I'm trying to dynamically assign VLANs to the computers in the different organizational units (OUs), but I can't match computer host names to the OUs. FreeRADIUS version is 3.0.17.

This is my users file configuration:

```
DEFAULT LDAP-UserDN == "sAMAccountName=%{Stripped-User-Name},OU=Administators,OU=Computers,DC= Domain,DC=local"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = "1",
```

This is my hints configuration for removing the suffix and prefix. The prefix part is not working; I think this is part of my problem, since I'm using LDAP as the database and the computer user-name is host/PC1.domain.local, but I'm unable to strip the "host/" part.

```
DEFAULT Suffix == ".domain.local", Strip-User-Name = Yes
        Hint = "domain.local",
        Auth-type = LDAP

DEFAULT Prefix == "host/", Strip-User-Name = Yes
        Hint = "host",
        Auth-Type = LDAP
```

Here is some of the FreeRADIUS debug:

```
User object found at DN "CN=PC1,OU=Administrators,OU=Computers,OU=domain,OU=local"
(8) files: EXPAND sAMAccountName=%{Stripped-User-Name},OU=Administrators,OU=Computers,OU=domain,OU=local
(8) files: sAMAccountName=host/PC1,OU=Administrators,OU=Computers,OU=domain,OU=local
```

I'm having almost the same result if I use sAMAccountName=%{mschap:User-Name} instead of sAMAccountName=%{Stripped-User-Name}:

```
sAMAccountName=PC1$,OU=Administrators,OU=Computers,OU=domain,OU=local
```



Can a power surge kill a single Switch port?

I just got back from uni this summer to find one of the 5 APs in the house powered on (PoE) but not connected to the controller. After looking into it, it turns out that the port being used offers no connection to the network anymore despite still supplying PoE.

Now I've heard of power surges killing whole switches or multiple switch ports, but never a single port. After hours of googling I can't find a cause for why the single port wouldn't work bar power surges. Am I missing something?



VLAN or No VLAN

Thoughts on using a VLAN for video conference rooms? The conference rooms contain VOIP phones which are already on a VLAN, a Guest VLAN is also used, and there is 1 AP in the room. My thoughts are, if a VLAN is used for video conferencing then this would help with streaming high quality as the traffic would be isolated from the other traffic in the building, but at the same time I'm wondering if it is actually necessary?



Testing UDP vs TCP

Hi guys.

First of all, sorry if this is the wrong subreddit, but I figured here I would probably get a straightforward answer, since I saw there are more tech-related people here for this kind of stuff.

The issue is, I think that my ISP is throttling my TCP protocol (if I said this correctly); it's about a month-old issue and as far as I can tell it's EU based.

I noticed it basically by using (game) stream services like Shadow and GeForce Now. On Shadow, at least, you get an option whether you want UDP or TCP (I always use UDP, because TCP by its nature can cause "lag").

Now to the issue. With TCP selected, I can only get ~15 Mbps and huge packet loss, like 6-8%. With UDP I get normal speed and some negligible packet loss (<1%).

So, is anyone familiar with this issue? Or know how I can test my network with TCP vs UDP?

I would contact my ISP about this, but would like to know more before I rain fire on them.

So any help would be welcomed.



Transitioning from L2 + FWSM to L3 + Palo Alto

I inherited a large, ancient infrastructure that was half-migrated from L2->OSPF (from the core routers to the TOR switches). The remaining half is critical infrastructure and is all routed through an FWSM(...) that sits a hop behind the WAN, homes all the VLANs to the TORs, and provides very basic firewall services between LAN/WAN--as well as between the LAN subnets it hosts.

I came into a hand-me-down pair of Palo Altos and realize I need to finish that L3 migration in order to reasonably set them up in an active-active config.

There are no stupid questions, but this is probably a stupid question:

I'm used to all the "critical infrastructure" traffic routing through the FWSM. I get that the L7 inspection is more than capable of handling traffic if it passes through the Palo Alto, but I'm not so sure the traffic will route through them without doing OSPF metric fuckery? That seems like a bad idea if the routes wind up "misconfigured" down the line.

The racks themselves are all heterogeneous in terms of subnet/function. Could reorganize. Either way, am I looking at adding a firewall on top of each TOR just to control the inter-VLAN traffic currently handled by the FWSM?



Wednesday, July 8, 2020

Is it safe to include IP addresses in emails between network teams?

Just wondering if there was a better way for two teams to interact with each other over written communication without exposing IPs.

Given that:

  • Both teams are in different companies
  • Both use corporate email
  • IPs, network designs and discussions to link the two networks are being discussed

Then by mistake an outside recipient was added to the newest email containing the whole thread of IPs and networks.

With cyber attacks on the rise, I'm just being paranoid here. But then again, even if IPs and designs were to leak, it is still our cyber security that will stop potential attackers.

Any ideas on how to avoid this and still get both teams to easily interact with each other?



Comcast EDI Static IPv6 Provisioning

One of my clients moved to Comcast EDI and they pulled a new circuit to the building last week. They sent over the static v4 and v6 blocks today for the order. I have worked with DHCPv6-PD for a number of years for all my clients, and any that used static addresses have only used v4. This is the first who used a static v6 allocation.

Comcast provided two pieces of info: a "P2P IP /126" allocation and an "A IP /48" allocation. They said the upstream gateway is at xxxx:1 of the /126 block and that I should configure our firewall to be xxxx:2 of the /126 block. When I set up DHCPv6 on the internal networks for the client devices, what would I set the IPv6 Gateway/Subnet to? Obviously, the clients need to be on the /48 block. The /126 block is outside of the /48 allocation. Shouldn't there be a gateway for the /48 allocation too? Should I just assume it's at yyyy:1/48?



ASA FPR2120 only 4 to 8 Mbps on Gig line

Hey Everyone,

I've got a pair of FPR2120s and am doing dynamic split tunneling for stuff like YouTube and other high-bandwidth sites. I've started getting complaints about slowness, and I know that VPN in general is slow and things like file transfers will be slower, etc. But when I run a speed test I'm only getting between 4 and 8 Mbps. Our connection is a Gig and we are only using about 200 Mbps in total according to NetFlow.

I'm running TLS only and haven't had a chance to try DTLS, as when I enabled it briefly I would get a reconnection screen at exactly 1:04, so I didn't have time to figure out why and set it back. Would you happen to have anything else I can look into to try and speed up the connection?

We are using the latest 9.12.2 code and only using it as a VPN and nothing else; the basic IDS/IPS stuff is turned on from out of the box, but I wouldn't think that would make a big impact. We have 500 or so users at most during the day, and the only bottleneck I've been working on with Cisco is that our CPU pegs out at 80% through the day. I've had a ticket with them for over 3 months as to why, as the unit is rated for 3500 connections.

Appreciate you taking the time to read.



Learning networking in detail and by example.

Hey guys. I've been interested in networking for a while, and have tried learning various things to some extent, mostly concerning the OSI model and the TCP IP protocols, but I just don't feel like I really get it. I have a general vague idea of how stuff works... but I don't really get it.

For computing basics there's things like the nand2tetris course, and if you're more interested, there's projects out there that are focused on teaching you to make your own OS. Is there some sort of equivalent of this for networking?

Something where you start off with a simulation of a wire, and you can see how 0s and 1s go across. Then you add some simple computer/device on both ends that somehow figures out when the message begins and ends. Etc.

I'm sorry if this is vague, I don't really know how to explain it better. I'd just like to understand stuff from the bottom up and with concrete details. I'm sure there are various simulations you can do for general networking (configuring routers, seeing how the packets travel etc.), but is there something that lets you see the lower levels than that? Something where you really see the most basic signal of 0s and 1s. Or maybe even how exactly the analog signal gets converted into that, etc.



recommended 40G or 100G transceivers for connecting 2 cisco catalyst switches (C9500s)

What 40G/100G transceivers (that support MMF) do you recommend for connecting between 2 Cisco switches (C9500s)?

for 40G MMF, will any of these do?

QSFP-40G-SR-BD

QSFP-40G-BD-RX

QSFP-40G-CSR-S

and for 100G MMF, which one of these is recommended...

QSFP-100G-SR4-S

100GBASE SR4 9 (this uses an MPO connector though; how would you patch this, since my patch panels are only LC ports?)

QSFP-40/100-SRBD

thanks



What was your most scuffed set up?

A family member o' mine is leading a warehouse for their shipping business but didn't realize until it was too late that they only got DSL in their building. Very VERY spotty DSL. Drops around noon, is slow af the rest of the day, all that jazz. Their solution? Buy 2 hotspots from 2 different carriers to go to when the DSL goes down. They've tried satellite but it craps out in their warehouse. The ISP won't run cables to their place due to some civil dispute. But even the hotspots themselves are only so fast in the building they're in, since the walls are all brick.

So what did I get called in to do for this family member that lives across the country from me? Put the hotspots on the roof, wire it to an access point and configure them separately (office, warehouse) while the DSL runs a server they have someone else configuring.

Did I argue? Yeah, a bit. Did I do it for them begrudgingly? Yep. Did it work? I hate to admit it, but so far it seems to have worked fine, but it feels so... jank. I'm not a network guy, but I'm the family's "computer guy".

What's the jankiest setup you've ever seen? And got any recommendations for fixing my family's issue before I leave and go back home?



Best SDWAN in the market

Hi,

I am trying to get opinions on the best SDWAN service in the current market.

I am looking for advanced routing (BGP, OSPF etc), Security UTM, CoS, intelligent routing based on best available WAN, device Analytics and a good user friendly GUI.

Please share your thoughts and experiences. TIA



Certified Refurbished?

Hi,

For a home lab, I don't mind buying used equipment or refurbished ones; however, in the enterprise, I'd rather have certified refurbished if we're getting refurbs, and honestly it's way better for the environment to do so.

I've noticed that Juniper have officially recertified switches, which come with the necessary support, i.e. firmware and other support.

I've found Aruba "refurbished" switches, but I've not seen anything that suggests that they're certified refurbished by the manufacturer, which is a bit of an issue when it comes to general support. Cisco require you to log in, I believe, using your Cisco account, and I don't believe that they have certified refurbished ones either.

Does anyone know of any places (other than Juniper) where this is possible?



Seamless Wi-Fi 5/6 Connectivity with Cisco Catalyst 9200 Series Switches

Wi-Fi is used for various purposes, whether for business or individual work. Nowadays, most people who work individually, or business owners, can't work or live without it. With the help of Wi-Fi, channels can be allocated more effectively to permit multiple transactions at the same time.



ASR1004 and available features

Dear Networking community,

I'm reaching out because I'm encountering some difficulties finding out whether some features are included on the ASR1004.

Basically the idea is to use a couple of ASR1004s (ASR1000-RP2 16GB + ESP20) hooked to a few ISPs and run some IPv4 and IPv6 full tables. In the meantime, what I can't find is the features available on those routers and whether I need to add some license to get it done. I would need to do BGP (iBGP and eBGP), OSPF and GLBP.

Does someone know or have relevant experience with this specific router? Should I pay attention to any license such as AES or IPBASE in this case?

thanks in advance,



EVPN+VxLAN IP scheme for underlay

Folks,

I would like to hear some stories from experts about what IP scheme folks prefer for an EVPN+VxLAN design. I am sure it all depends on the case, but I'd just like to hear something from you. I am planning to use the 192.168.0.0 range for the underlay so my overlay can be on the 10.0.0.0/8 range (totally isolated). How are you guys doing it?



What are some serious issues that might occur in this configuration?

Background :

We are about to start working alongside a company who is installing some equipment on a client's site which will interface with our software and our client's network. We already interface with the client, so it's basically a love triangle of sorts. This part of the design is just handling communication between the new company and our networks.

I have two firewalls for two separate units/subnets on site. Their server will need to communicate with two of our servers, one behind each of our firewalls. I was intending on provisioning an interface on each firewall to connect to their router/firewall and then just build the routes from there. Easily done, right?

Issue :

Turns out their network design relies on a server that has multiple NICs, two of which are for our firewalls. Their side of the network has 5 subnets with multiple NICs in each of the devices as each device needs networks.

Apart from the terrible design that is really out of my hands, what are some worst case scenarios that will allow me to push back on allowing this? I know I could make it work on my end with some NAT, but this is a standard that I do not want to allow to be set.



WLAN - placing external antennas of an AP far away from each other

If you operate a modern AP (802.11ac/ax, e.g. Aruba 518) with external antennas and the antennas are 50m away from each other, what are the consequences?

Let us assume that the connectors and the cable length do not cause too much attenuation.

Background:

A customer wants to provide the outside of a house with WLAN. He thinks that an AP with 4 external antennas is a good solution. One antenna at each corner of the house.

I contradicted him out of intuition.

But I can't really justify it technically, except that it wouldn't be a good idea to lay antenna cables next to power cables.

My main argument to the customer was that the cost would be almost as high as just taking 4 cheap APs. Which would allow a higher client density.



Vendor keeps saying port is closed but its showing open and I can connect?

Hey,

Our vendor keeps saying TCP port X is closed and they can't connect. We have a Cisco ASA 5506.

I've tested by setting the source to any, and I can telnet on the specified TCP port from multiple locations...

Canyouseeme shows the port is open.

The ISP confirmed their IP is not blacklisted.

I'm not crazy, right? If I can telnet in on port X from multiple locations and port-check websites show it's open, there's nothing more I can do on my end?



Build a Foundation or Focus on Specialization

I'm planning out my career path but am uncertain about what route I should take. It might be that I'm overthinking it or that it doesn't matter either way but I'd like some input.

Currently, I've worked as a Network Engineer for ~1.5 years with about 3 years of network experience in my previous role, have a network-oriented Bachelor's, and have CCNA, CCNA Security, and CCDA.

I'm currently thinking about specializing in automation but obviously want to know the fundamentals as well. I plan to get my CCNP Encor (w/ enauto and possibly enarsi concentrations), CCNP Devnet, and CCNP-DC. My question is one of order: should I focus on the CCNP Encor first and then specialization, or would it make more sense to get a start on my specialization first, such as learning Python, Ansible, etc., since that's what I will, hopefully, be spending most of my time doing? Or does it not matter? Either way will take a somewhat significant amount of time to really focus and get good at.

Thanks in advance.



Finding IP address of piece of hardware

I have been given a piece of hardware from our production line which has a network port. I know for a fact that this has been assigned a static IP address previously, but I have no idea what it was.

How can I find out what it's on? I can't do an angry IP scan as my computer would have to be in the same subnet.

If I plugged the network cable directly into my computer and ran a Wireshark capture would anything in there give me any clues?



Backpack for network engineers

Not a real networking topic, but it targets exactly this audience.

I'm looking for a new backpack for work, and I'm curious if there are some good recommendations.

I took a look at the Targus CityPro, or the Caturix one. But they seem to be a little too big for hand luggage.

I need to transport my 15" notebook, charger cable, Airconsole, USB console cable, books, pens, probably a tablet, headphones.



New Internet Provider, ISP hardware

Hi all,

At my work, we asked for a new circuit with more bandwidth and to get it from our broker we had to switch provider (from Verizon to a new one).

The new circuit has been installed so we need to connect our router to the new circuit.

I have a basic understanding of networking but not so much with ISP hardware. I have a few pictures of what Verizon put in place in the past and I am trying to reverse engineer it just to learn a bit about how ISP stuff is connected together:

  1. There is an Overture demarc: https://i.imgur.com/QvxZ7LN.jpg
  2. There is a device that looks like a Cisco router: https://i.imgur.com/b9Ri7J5.jpg (looks like my EPC 3925 at home) I am reading it is used for Ethernet Virtual Connection for point-to-point to the ISP
  3. And then there are 2 blue devices (no clue what they are and the only pic I have is not great): https://i.imgur.com/fNcdrbl.jpg

On our side we have a Cisco Router 1941 that is set up as a spoke in a DMVPN network

Could you please help me figure out what the ISP hardware is, how it connects together and just confirm what usually ISPs put in place?

I would have thought our router would connect directly to the Overture (the demarc is supposed to be the last piece of equipment on the ISP side), but it doesn't seem to be the case, at least that's not what they show here: https://enterprise.verizon.com/support/customerreadiness/equipment/

I will get local hands help, but to be sure I am not talking rubbish when contacting them, I would like to understand what I need to connect my DMVPN router to on the new circuit.



Advice for Reconfigure Network Topology

Hello Everyone,

I am a fresh graduate who got a job as a network administrator. I have been assigned by my manager to be involved in re-engineering the company network. I need some advice about whether our currently running network topology is already appropriate, or whether there should be some changes for better administration in terms of performance and security. As a glimpse, here is our network topology.

https://ibb.co/6NxWJJ6

Here is my thought:

- I am thinking about suggesting adding a distribution switch to the core switch at building A, so VLANs can be managed at the distribution level.

- I am thinking about changing the VLAN for each building so they have their own VLAN.

- If I change the VLANs, should I keep the NX-7K in each building as layer 2 or change it to layer 3 routing?

Due to my lack of experience I am reluctant to share my thoughts or give advice to my manager.

Any kind of advice or help will be appreciated, and thank you very much.



I haven't researched hardware in a while. Netgear cm600 and Asus ac68u still decent hardware?

We've got 2 phones, 3 TVs, 6 Nest Minis, 4 security cams, a sprinkler controller, 2 thermostats, 8 outlets and a garage controller. I'm sure I'm forgetting something(s).

I know these are older pieces of hardware, but they've been solid. I haven't looked into this sort of stuff in probably 2 or 3 years now. Are there any newer pieces of hardware that are a must-have when you get into a whole bunch of always-connected things?



Tuesday, July 7, 2020

Port in networking / Microcontroller i/o port

What is the difference between a port (for example port 80) in networking and a microcontroller I/O port?

Is it a subroutine/function number (say port 80) inside the program?

Please, a simple explanation, as if to a 4 year old (comparison to the real world).



iBGP multipathing through route reflectors - is there any reason not to use the additional paths feature?

For those of you who don't know, the BGP additional paths feature allows RRs to send additional paths on top of the one that they select as "best". If you have a higher iBGP maximum-paths value set on your routers, they can actually install these additional paths in their routing table. I'd like to know if there is any reason why this shouldn't be enabled, and if it is common in service provider environments.



New Cisco Licensing/DNA rant for this sub

Disclaimer: I realize part of this may come off as sales-y. I do not sell products. I build networks. I don't work for any manufacturer, vendor, or VAR. I'm just an engineer that's in this sub.

First up, can we somehow get like a commonly asked questions wiki page for this sub that links to threads with answers to various questions?

Second, if so can we add a thread about the "new" Cisco access layer licensing to it?

Third, and more rant-y: I don't understand the general vitriol toward the new Cisco licensing. It isn't that complicated, nor earth shattering.

  • LAN Base -> 9200 with no special license
  • IP Base -> 9xxx with Network Essentials/DNA Essentials
  • IP Services -> 9xxx with Network Advantage/DNA Advantage
  • Bundled Stealthwatch ETA and ISE SDA analytics with IP Services -> DNA Premier

If you want Network Essentials or Advantage, you buy the appropriately named DNA license level for at least a 3 year term, and your perpetual network E/A license is included as a 0 cost line item. Maybe it's because we're network people, but if you think 3(4) license SKUs are complicated, Microsoft/Oracle have spreadsheets to show you.

If you don't like smart licensing, that's understandable. There are ways to work around it: local server, offline licensing, or license reservation, but I can understand that's more complicated than it historically has been. If that was the straw that made you leave Cisco, please go, and hopefully we can stop the entire tech industry trend. I doubt it will make a difference in the end though, and the recurring revenue beast will consume us all eventually. Maybe that's just me being defeatist.

However, if your big hang up is the "DNA" part of the license, get over yourself. If DNA scares you, don't use it. No one is forcing you to use it. Cisco would like you to use it, which is why they make you buy the 3 year DNA license to get your forever license; but there is no increase in price or reduction of feature set when you compare to the last generation. And hey, if you buy enough stuff at once, they'll give you a fairly loaded server you can throw whatever the hell you want on.

  • Note: I think a Prime license being tied to the DNA Advantage license might be a change. I honestly don't know if buying Prime licenses was a thing in the past.

Finally, on a related topic, let's talk about DNA in general. DNA != SDA. DNA Center itself, in its recent releases, is fine. Not great, not terrible, but fine. It's essentially Prime with a facelift. If all you want is maps and reporting for wireless, and a templating engine for routing, switching, and wireless, DNA Center is perfectly serviceable for that need (with at least a DNA Essentials license, depending on feature need).

Cisco SDA, on the other hand, is... also fine... recently... if you fit the use case. If you don't fit that use case, you will hate every minute of your existence working with it. So what is that use case?

  • You will generally have more than 2,000 access ports
  • You will want to do Stealthwatch ETA on your access edge
  • You want to do NBAR based QoS tagging on your access edge
  • You want to segment your network in macro and micro segments (Macro would be Marketing and IT as separate groups, Eg: VRF. Micro would be Janet's workstation vs the accounting printer, Eg: VACL/PVLAN)
  • You want flexconnect/insert term for local handoff wireless here, with faster roaming
  • You have a need to use your IP space as efficiently as possible (Instead of 8 closets in your facility each having a /22 - /24 because of the port count, you provision shared subnets for Macro segments. That would reduce you from a /20 for that facility to maybe a /21 or smaller)

If some combination of these sounds like your needs, you might be a candidate for SDA. Maybe. But for the love of all that is good test it first.

SDA is definitely not for everyone, and currently it fits a very specific use case. If you need it, you kind of already know you need it. If you don't, you will most likely fall into one of two camps:

  • The implementation and ongoing maintenance will be more complicated and intensive than doing it manually or with some other automation tool of your choice.
  • The current feature set of LISP/VxLAN will break more things in your environment than you are willing to fix for the features you gain.

That's all I have for now. I'll probably incur some wrath for this, but I feel like this needs to be said at this point. I'm not a Cisco fanboy, until my current position I'd never really touched it much because the cost was more than those companies wanted to pay. I am a firm believer that there is a correct tool for every job though. Where I am we feel it fits a need, and we'll continue to use their products/ecosystem until it no longer does. I feel like people are just angry/confused about a product that was never meant for them, and that colors the opinions of people who could actually use it.

Edit: Grammar/Spelling Fixes



OSPF route

I had seen this question: so you've two networks discovered by OSPF, 10.0.0.0/16 and 10.0.0.0/30. Which one is added to the routing table?
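A small worked example, added here and not part of the original post: 10.0.0.0/16 and 10.0.0.0/30 are two distinct prefixes, so a router installs both in its routing table, and it is the forwarding lookup that chooses between them by longest prefix match. The script below builds a table containing both prefixes (plus a constructed default route and constructed next hops) and resolves destinations against it the way a router's lookup does, picking the most specific matching entry.

```python
"""Longest-prefix-match lookup over a small routing table (added example).

Routes and next hops are constructed; the two OSPF-learned prefixes from
the question are both present, as a router would install them.
"""
import ipaddress

# Constructed routing table: (prefix, next hop).
ROUTES = [
    ("0.0.0.0/0", "192.0.2.1"),       # default route
    ("10.0.0.0/16", "10.255.0.1"),    # OSPF-learned /16
    ("10.0.0.0/30", "10.255.0.2"),    # OSPF-learned /30, overlaps the /16
]


def build_table(routes):
    """Parse prefixes and order them longest mask first, so that the first
    entry containing the destination is also the most specific one."""
    parsed = [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]
    return sorted(parsed, key=lambda entry: entry[0].prefixlen, reverse=True)


def lookup(table, destination):
    """Return (matched prefix, next hop) for destination, or None if no entry
    covers it (only possible when there is no default route)."""
    addr = ipaddress.ip_address(destination)
    for network, next_hop in table:
        if addr in network:
            return str(network), next_hop
    return None


if __name__ == "__main__":
    table = build_table(ROUTES)
    for dst in ("10.0.0.2", "10.0.0.4", "10.0.200.7", "192.168.1.1"):
        print(dst, "->", lookup(table, dst))
```

Addresses inside 10.0.0.0/30 (10.0.0.0 to 10.0.0.3) resolve to the /30's next hop; the rest of 10.0.0.0/16 falls back to the /16, and everything else to the default route. Only if two routes were for the same prefix would the router have to pick one of them, by administrative distance and then metric.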



Ways of crypto mining

You got to get this now.



TLS 1.2 to TLS 1.3 Forward Proxy?

Hi. I'm a Linux sysadmin needing a bit of help understanding this from someone with deeper networking knowledge.

We have a fleet of Red Hat 6 and 7 servers, and RH only provides TLS 1.3 in RH8.

We have app servers that need outbound TLS connections. Our app admins want a comprehensive upgrade to RH8 because of the better performance from 1.3

I don't want to have to upgrade many servers for this so I wonder if we could do a TLS 1.2 -> 1.3 forward proxy to avoid a sweeping upgrade.

Are there solutions and/or appliances that could do this? We have Citrix Netscalers, FWIW.

Can you provide some context where this is undoable or a bad idea? If you have better solutions, I'm all ears.

Thanks admins and engineers.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



How does a network toner work?

Hi, I'm not sure if this is the right place to ask but didn't see this as a verboten topic, so if it is, please delete this and please direct me to a more suitable sub.

I'm trying to slowly learn more about networking as it's not my strong point, and I'm curious if you can tell me how a network toner works.

I've got a small bit of experience with them and know what their function is, however I'm curious as to why it works and helps you detect the right network ports and makes a sound when you probe the right one.

I tried a Google search and after a while found a plethora of toners for sale and explanation of how to use them and why to use them, but I haven't a scooby doo as to how it does what it does.

My best guess based off of the absolutely nothing I know about electronics and networking is that the toner emulates a computer and the receiving and sending of a signal is in a distinct pattern that the probe recognizes and uses to produce that effect. But that guess is pulled firmly out of my ass and I'd like to at least have a cursory understanding of the inner machinations.

Additionally, if anyone has any resources they'd like to recommend as I get my feet wet into networking for large organizations, I'd gratefully accept them to look over.

Thanks in advance.



D-link DGS-15xx series CLI assigning multiple interfaces to a vlan

Unfortunately I have a D-Link DGS-15xx series switch which I need to configure. I just want to assign multiple interfaces to a VLAN like you would do on Cisco/HP, but I can't seem to figure out how to do it for more than a single interface at a time. Example:

Switch(config): interface ethernet 1/0/1-1/0/24
                                    ^
Switch(config): Invalid input detected at ^marker

Anybody have any ideas?



Odd network disconnect issues on corporate network, I think I know what's wrong but don't know how to explain it to higher-ups.

Hi all,

I've been trying to track down a very infrequent network-based issue, and we all know those are the worst type of problems.

We have two buildings (A and B) on a single subnet bridged by a Cambium wireless PtP device. The router/firewall/WAN connection is all located in Building A. Users in Building B are complaining of file access issues to a server in Building B. The main symptom reported is an Access database (on Building B's server) left open on any computer in Building B throws a random error "unable to access file, network problem" (paraphrased) after "a while".

The PtP device mentioned above I have noticed over the past year or so has slowly been lowering in signal level (makes sense with growing trees/new housing developments in close proximity). The wireless statistics page shows there's at least 10% "retransmitted packets" over the wireless link between buildings B & A after resetting at night and checking the next morning.

To me, the above mentioned issue makes the PtP suspect numero uno for the network cutout problems - however, higher-ups are telling me that since Building B is having problems with a server at Building B, that the wireless link has nothing to do with it and it must be a configuration on the file server or one of the switches. I've looked over as much as I think I can (server logs, switchport logs/statistics) and I haven't identified anything else that could cause issues.

From what I understand, if your devices already have IPs (through cached DHCP or statically assigned), you can still connect and communicate with some devices across the layer 2 network if your layer 3 access drops. However, if we're working with protocols at higher levels (DNS, AD, etc.), random packet loss can cause temporary connection problems to those services since they're relying on I guess what you could call "keep-alive" packets in a way. Am I incorrect in this assumption?

I guess what I'm asking is: I'm 99.9% sure I know what the problem is, however I'm getting some pushback to look for other issues since others are claiming my theory is incorrect or needs more data to back it up. Any recommendations? Maybe I'm completely wrong that the wireless link is the issue? Should I be looking at other devices on the network first before I make the claim that the PtP is to blame exclusively?

Thank you everybody :)



Wireshark flatpak version is updated



VIRL or CML for CCNP homelab ?

Hi all,

What do you advise me for home labs for preparing CCNP cert ?

Can you confirm there is switching capabilities ( etherchannel, mls etc) on those simulators ?



Multicast Lab - EVE-NG/GNS3

Hello All!! Just wondering if any of you happen to have an EVE-NG/GNS3 multicast lab or are working on one? Might you also have a pre-built multicast server that I can add to the lab?

Or any suggestions for alternatives are also very much welcomed. Thanks!



Firewall Recommendations

I'm looking for a firewall, open source or commercial, to help my friend. He owns a hotel and offers free wifi to guests. Well, he just got his first DMCA letter from his ISP. He reached out to me because I am a system administrator, so I'm familiar with some networking but not a lot. I'm looking for a good firewall that can handle about 200 Mbps or more throughput. That's the easy part, but this firewall would also need to be able to prevent users from downloading and uploading torrents and streaming illegal content. This is fairly hard since most torrents now use any port that's open and are encrypted. Another alternative is for him to just go to his ISP and say that they are technically just a provider like them and fall under Safe Harbor, and that they do not store the illegal content. Another alternative was to use a simple firewall and a VPN service.



3 DC shared layer 2 setup question

Hi reddit network gurus,

I've got a question for you network geniuses on the topic of datacenter networking. At the company I'm currently working for we have 2 datacenters situated fairly close together, around 5 km apart. In each datacenter we have a Cisco switch stack that connects the DCs with 2 fiber pairs.

This setup has worked for us for some time but has its drawbacks, as it is possible to get a split-brain, which is very bad as you guys know. In our current setup we have shared VLANs over the datacenters; this is great for the applications we are running. This is our current setup in huge overview

So we got talking within our team and we are thinking about a 3 DC setup but we are not sure how to do this setup. We would like to keep our setup with the shared VLANs over the datacenters. After discussing it internally we are seeing some problems with a setup that has the same VLANs shared over 3 DCs. This is how we would like to connect our 3 DCs

Does anyone have an idea if this is possible and if so what type of networking hardware would be best fit this type of setup.

Greetings



How is overhead and signalling data calculated for T-hierarchy?

While calculating data rate/speed of T-carrier system/T-multiplexer output, we add some overhead and signalling data rate. How are they calculated?

eg-:

1) T1-multiplexer output:

24 channels of 8-bit PCMed voice signal sampled at 8000 samples/sec are multiplexed into one T1 carrier system.

So,

24*8+1=193 bits in 1 frame.

speed=193*8000

=1.544 Mbps (OK)

2) T2-multiplexer output:

4 T1 carrier signals are multiplexed. i.e.:

1.544*4=6.176 Mbps (should be this, according to my calculation) BUT the speed is 6.312 Mbps (0.136 Mbps extra for overhead and signalling data).

3) T3-multiplexer output:

7 T2 carrier signals are multiplexed into one T3-carrier signal. i.e.:

7*6.312=44.184 Mbps (should be this, according to my calculation) BUT the speed is 44.736 Mbps (0.552 Mbps extra for overhead and signalling).

4) T4-multiplexer output:

6 T3 signals are multiplexed into one T4 carrier signal.

6*44.736=268.416 Mbps (should be this, according to my calculation)

BUT the speed is 274.176(5.76 Mbps extra)

My question-:

How are they calculated? How are these overhead and signalling data rates calculated?

and

Why are they calculated? While calculating 1.544 Mbps as a T1 multiplexer output,we have already added a synchronization bit. Isn't it?



Help with Cisco Router/Switch setup with Virgin Media router

Hey all,

I have purchased a Cisco 1841 Router and Catalyst 3560 switch to practice on while learning for my CCNA.

Since I am currently using basic Netgear equipment, I figured moving to Cisco would be helpful for learning while making use of the equipment.

I am not replacing my Virgin Media router, but instead trying to set the Cisco router up with a second subnet as per the image here: https://imgur.com/yGI2nu1

I have managed to connect the router to the Virgin Media hub and configured a trunk on my switch to get the internet connection, with the configs here (router): https://pastebin.com/G7nU7h3A and here (switch): https://pastebin.com/8vMhg9Nx

For some reason, I AM able to ping the Cisco router (10.0.0.1) from the test machine (10.0.0.2), and the Virgin router (192.168.0.1), but CANNOT ping any device on the first subnet, e.g. 192.168.0.2.

There is an internet connection to the test machine but I cannot directly connect from machine to machine across this router.

Is anyone able to help with this? I would like to keep my lab servers on a different subnet if possible but still be able to RDP to them etc.

Thanks in advance :)



ASA5505 Host Limit Question

Hi All,

I have an ASA 5505 with a 10-host limit I need to send out to the field in an emergency. The site has 5 PCs, 3 printers and 2 scanners, so right there is 10 hosts. My question: do APs, switches and the ASA itself count towards the host limit if my SNMP server in the data center polls it every minute?



Cisco licensing madness, "DNA Advantage" vs "Network Advantage"

I recently asked a question about Cisco 9300's and got some great answers, I've gone to my VAR and gotten pricing back for the C9300-24UX-A and he's included "C9300-DNA-A-24-3Y".

I thought the "-A" suffix covered the network advantage licensing (which I need to do stacking and some OSPF features).

I was confused more as there are line items for:

C9300-NW-A-24 Cisco C9300 NETWORK ADVANTAGE 4 £0.00 

My question is - do I need "C9300-DNA-A-24-3Y" ? Or is getting the base hardware itself enough for what I need?



OSPF with redundancy

https://ibb.co/108c8Jx

I have configured a GRE tunnel from each router to every other router except those in the same network (Sales 1 to Sales 2, for example). I have also configured all interfaces for OSPF on all routers and set up the DR/BDR election by making the 1st router of each segment the DR. However, OSPF forms a neighborship between Sales 2 and Main 2 / Admin 2 and Main 2. Admin 2 and Sales 2 also do not form a neighborship. I have also segregated OSPF into 3 different areas:

Area 0: Tunnel 1, Tunnel 2, Tunnel 5, Tunnel 6
Area 1: Tunnel 3, Tunnel 4, Tunnel 7, Tunnel 8
Area 2: Tunnel 9, Tunnel 11, Tunnel 10, Tunnel 12

I do not understand why this is happening

I have attached the configs

MainRouter1#sh run | section ospf
 ip ospf priority 200
 ip ospf priority 200
router ospf 50
 router-id 1.1.1.1
 log-adjacency-changes
 redistribute static subnets
 network 172.16.1.192 0.0.0.3 area 0
 network 172.16.1.196 0.0.0.3 area 0
 network 172.16.1.200 0.0.0.3 area 1
 network 172.16.1.204 0.0.0.3 area 1

MainRouter2#show run | section ospf
router ospf 50
 router-id 2.2.2.2
 log-adjacency-changes
 redistribute static subnets
 network 172.16.1.208 0.0.0.3 area 0
 network 172.16.1.212 0.0.0.3 area 0
 network 172.16.1.216 0.0.0.3 area 1
 network 172.16.1.220 0.0.0.3 area 1

MainRouter2#show run | section interface
interface Tunnel5
 ip address 172.16.1.209 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.18
interface Tunnel6
 ip address 172.16.1.213 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.19
interface Tunnel7
 ip address 172.16.1.217 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.34
interface Tunnel8
 ip address 172.16.1.221 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.35
interface GigabitEthernet0/0
 ip address 172.16.1.179 255.255.255.248
 duplex auto
 speed auto
 standby version 2
 standby 1 ip 172.16.1.177
 standby 1 preempt
interface GigabitEthernet0/1
 ip address 172.16.1.188 255.255.255.248
 duplex auto
 speed auto
 standby version 2
 standby 2 ip 172.16.1.185
 standby 2 priority 110
 standby 2 preempt
interface GigabitEthernet0/0/0
 ip address 200.200.100.6 255.255.255.240
interface FastEthernet0/1/0
 switchport mode access
 switchport nonegotiate
interface FastEthernet0/1/1
 switchport mode access
 switchport nonegotiate
interface FastEthernet0/1/2
 switchport mode access
 switchport nonegotiate
interface FastEthernet0/1/3
 switchport mode access
 switchport nonegotiate
interface Vlan1
 no ip address
 shutdown

AdminRouter1#show run | section ospf
 ip ospf priority 200
router ospf 50
 router-id 5.5.5.5
 log-adjacency-changes
 redistribute static subnets
 network 172.16.1.200 0.0.0.3 area 1
 network 172.16.1.216 0.0.0.3 area 1
 network 172.16.1.96 0.0.0.31 area 1
 network 172.16.1.224 0.0.0.3 area 2
 network 172.16.1.232 0.0.0.3 area 2

AdminRouter1#show run | section interface
interface Loopback1
 ip address 172.16.1.197 255.255.255.248
interface Tunnel3
 ip address 172.16.1.202 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.5
interface Tunnel7
 ip address 172.16.1.218 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.6
interface Tunnel9
 ip address 172.16.1.226 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.18
interface Tunnel11
 ip address 172.16.1.234 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.19
interface GigabitEthernet0/0
 ip address 172.16.1.98 255.255.255.224
 ip ospf priority 200
 duplex auto
 speed auto
 standby version 2
 standby 1 ip 172.16.1.97
 standby 1 preempt
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
interface GigabitEthernet0/0/0
 ip address 200.200.100.34 255.255.255.240
interface Vlan1
 no ip address
 shutdown

AdminRouter2#show run | section ospf
router ospf 50
 router-id 6.6.6.6
 log-adjacency-changes
 network 172.16.1.204 0.0.0.3 area 1
 network 172.16.1.220 0.0.0.3 area 1
 network 172.16.1.96 0.0.0.31 area 1
 network 172.16.1.228 0.0.0.3 area 2
 network 172.16.1.236 0.0.0.3 area 2

AdminRouter2#show run | section interface
interface Loopback1
 ip address 172.16.1.178 255.255.255.248
interface Tunnel4
 ip address 172.16.1.206 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.5
interface Tunnel8
 ip address 172.16.1.222 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.6
interface Tunnel10
 ip address 172.16.1.230 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.18
interface Tunnel12
 ip address 172.16.1.238 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.19
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
interface GigabitEthernet0/1
 ip address 172.16.1.99 255.255.255.224
 duplex auto
 speed auto
 standby version 2
 standby 1 ip 172.16.1.97
 standby 1 priority 110
 standby 1 preempt
interface GigabitEthernet0/0/0
 ip address 200.200.100.35 255.255.255.240
interface Serial0/1/0
 no ip address
 clock rate 2000000
 shutdown
interface Serial0/1/1
 no ip address
 clock rate 2000000
 shutdown
interface Vlan1
 no ip address
 shutdown

SalesRouter1#show run | section ospf
 ip ospf priority 200
router ospf 50
 router-id 3.3.3.3
 log-adjacency-changes
 network 172.16.1.192 0.0.0.3 area 0
 network 172.16.1.208 0.0.0.3 area 0
 network 172.16.1.128 0.0.0.15 area 0
 network 172.16.1.224 0.0.0.3 area 2
 network 172.16.1.228 0.0.0.3 area 2

SalesRouter1#show run | section interface
interface Tunnel1
 ip address 172.16.1.194 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.5
interface Tunnel5
 ip address 172.16.1.210 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.6
interface Tunnel9
 ip address 172.16.1.225 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.34
interface Tunnel10
 ip address 172.16.1.229 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.35
interface GigabitEthernet0/0
 ip address 172.16.1.130 255.255.255.240
 ip ospf priority 200
 duplex auto
 speed auto
 standby version 2
 standby 1 ip 172.16.1.129
 standby 1 priority 110
 standby 1 preempt
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
interface GigabitEthernet0/0/0
 ip address 200.200.100.18 255.255.255.240
interface Vlan1
 no ip address
 shutdown

SalesRouter2#show run | section ospf
router ospf 50
 router-id 4.4.4.4
 log-adjacency-changes
 network 172.16.1.196 0.0.0.3 area 0
 network 172.16.1.212 0.0.0.3 area 0
 network 172.16.1.128 0.0.0.15 area 0
 network 172.16.1.232 0.0.0.3 area 2
 network 172.16.1.236 0.0.0.3 area 2

SalesRouter2#show run | section interface
interface Tunnel2
 ip address 172.16.1.198 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.5
interface Tunnel6
 ip address 172.16.1.214 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.6
interface Tunnel11
 ip address 172.16.1.233 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.2
interface Tunnel12
 ip address 172.16.1.237 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.3
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
interface GigabitEthernet0/1
 ip address 172.16.1.131 255.255.255.240
 duplex auto
 speed auto
 standby version 2
 standby 1 ip 172.16.1.129
interface GigabitEthernet0/0/0
 ip address 200.200.100.19 255.255.255.240
interface Vlan1
 no ip address
 shutdown

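A point-to-point GRE tunnel only comes up as a usable OSPF link when the two ends agree: router A's `tunnel destination` must be the address on router B's `tunnel source` interface, B must have a tunnel whose destination is A's source address, and both tunnel interfaces must sit in the same /30. Checking that by eye across six routers is error-prone, so here is a small cross-checker. It is an added example, not part of the post above; its input is condensed from the configs posted above (only the area-2 Sales/Admin tunnels and each router's WAN interface, with the `mtu` lines dropped because they do not matter for this check). Run over that input it flags SalesRouter2's Tunnel11 and Tunnel12, whose destinations 200.200.100.2 and 200.200.100.3 are owned by no router in the posted configs (the Admin routers' WAN addresses used everywhere else are 200.200.100.34 and .35), and consequently AdminRouter1 Tunnel11 and AdminRouter2 Tunnel12 have no return tunnel. Two other things worth checking in the posted configs that the script does not cover: GRE tunnels default to the OSPF point-to-point network type, so `ip ospf priority` has no effect on them, and the two Loopback1 /29s (172.16.1.197/29 and 172.16.1.178/29) overlap the Tunnel1/Tunnel2 /30s and MainRouter2's Gi0/0 subnet respectively.

```python
import ipaddress
import re

# Constructed input for this example: condensed from the configs posted above.
# Only the area-2 (Sales <-> Admin) tunnels and each router's WAN interface are
# kept, and the `mtu` lines are dropped because they do not affect this check.
CONFIGS = """\
hostname AdminRouter1
interface Tunnel9
 ip address 172.16.1.226 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.18
interface Tunnel11
 ip address 172.16.1.234 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.19
interface GigabitEthernet0/0/0
 ip address 200.200.100.34 255.255.255.240
hostname AdminRouter2
interface Tunnel10
 ip address 172.16.1.230 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.18
interface Tunnel12
 ip address 172.16.1.238 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.19
interface GigabitEthernet0/0/0
 ip address 200.200.100.35 255.255.255.240
hostname SalesRouter1
interface Tunnel9
 ip address 172.16.1.225 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.34
interface Tunnel10
 ip address 172.16.1.229 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.35
interface GigabitEthernet0/0/0
 ip address 200.200.100.18 255.255.255.240
hostname SalesRouter2
interface Tunnel11
 ip address 172.16.1.233 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.2
interface Tunnel12
 ip address 172.16.1.237 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 200.200.100.3
interface GigabitEthernet0/0/0
 ip address 200.200.100.19 255.255.255.240
"""

def parse(text):
    """Return {router: {interface: {"ip": IPv4Interface, "src": str, "dst": IPv4Address}}}."""
    routers, host, iface = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("hostname "):
            host = line.split()[1]
            routers[host] = {}
        elif line.startswith("interface "):
            iface = routers[host].setdefault(line.split()[1], {})
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            iface["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.fullmatch(r"tunnel source (\S+)", line):
            iface["src"] = m[1]
        elif m := re.fullmatch(r"tunnel destination (\S+)", line):
            iface["dst"] = ipaddress.ip_address(m[1])
    return routers

def check_tunnels(routers):
    """Classify every tunnel as OK, NO_RETURN_TUNNEL, SUBNET_MISMATCH or DEST_UNKNOWN."""
    # Which router owns each non-tunnel address (the candidate tunnel sources).
    owner = {d["ip"].ip: host for host, ifs in routers.items()
             for d in ifs.values() if "ip" in d and "dst" not in d}
    verdicts = {}
    for host, ifs in routers.items():
        for name, t in ifs.items():
            if "dst" not in t:
                continue
            my_src = ifs[t["src"]]["ip"].ip          # our tunnel source address
            peer = owner.get(t["dst"])
            if peer is None:
                verdict = "DEST_UNKNOWN"              # no known router owns that address
            else:
                back = [p for p in routers[peer].values() if p.get("dst") == my_src]
                if not back:
                    verdict = "NO_RETURN_TUNNEL"      # peer has no tunnel pointing at us
                elif back[0]["ip"].network != t["ip"].network:
                    verdict = "SUBNET_MISMATCH"       # return tunnel is not on our /30
                else:
                    verdict = "OK"
            verdicts[(host, name)] = verdict
    return verdicts

if __name__ == "__main__":
    for (host, name), verdict in sorted(check_tunnels(parse(CONFIGS)).items()):
        print(f"{host:13s} {name:9s} {verdict}")
```

DEST_UNKNOWN also covers the case where the destination belongs to a router whose config was not fed in (MainRouter1's interface section is not in the post), so feed the checker every router's `show run | section interface` before trusting that verdict.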


Pulse Secure VPN traffic disruption when querying logs

Have you guys experienced VPN traffic disruption when querying logs on a Pulse Secure appliance? The CPU of the appliance gets to 100% when doing log queries. I would have thought there was some priority scheduling preventing problems from occurring, but many clients experienced connectivity issues at the same time that one of the admins was making queries. From what clients told me the tunnel stayed up but the traffic would not pass. More precisely, traffic originating from the VPN client seemed lost (one-way voice).



Latency or something else as IGP metric?

If you run a global network with a backbone connecting all sites around the world, what would you use as the best “value” for your IGP metric?

Currently we use latency in ms multiplied by 10 to give us a metric to assign to OSPF. E.g. a link between locations with 60 ms of latency would be assigned a metric of 600.

I don't mind this approach as it generally results in traffic taking the lowest-latency path, but it can become annoying to manage as latency can change depending on the circuit type (e.g. wavelength vs L2 service) and is also a bit tricky to automate the config for.

So curious what others do for large global backbones.
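To make the trade-off concrete, the added example below (not from the post) runs shortest-path-first over a constructed five-site backbone twice: once with the poster's latency-derived cost (ms x 10, clamped to the 16-bit OSPF interface cost range of 1 to 65535) and once with a flat cost of 1 per link, i.e. hop count. The site names and latencies are made up for the illustration; the long LON-SIN link is deliberately given 300 ms to stand for a slow L2 service, which is exactly the case where the two schemes disagree.

```python
import heapq

# Constructed backbone for the example: (site A, site B, one-way latency in ms).
LINKS = [
    ("LON", "NYC", 70), ("NYC", "SFO", 65), ("SFO", "SIN", 170),
    ("LON", "SIN", 300),   # slow L2 service standing in for a bad circuit
    ("SIN", "SYD", 95), ("SFO", "SYD", 150),
    ("LON", "FRA", 10), ("FRA", "SIN", 160),
]

def ospf_cost_from_latency(ms, scale=10, max_cost=65535):
    """The poster's scheme: cost = ms * 10, clamped to OSPF's 16-bit interface cost."""
    return max(1, min(int(round(ms * scale)), max_cost))

def build_graph(links, cost_fn):
    """Undirected adjacency map {site: {neighbour: cost}} from a link list."""
    graph = {}
    for a, b, ms in links:
        cost = cost_fn(ms)
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph

def spf(graph, src, dst):
    """Dijkstra shortest path; returns (total cost, [src, ..., dst])."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:          # stale queue entry
            continue
        if node == dst:
            break
        for nxt, cost in graph[node].items():
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = nd, node
                heapq.heappush(heap, (nd, nxt))
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]

def compare(src, dst):
    """Path chosen with latency-derived cost vs with hop count."""
    by_latency = spf(build_graph(LINKS, ospf_cost_from_latency), src, dst)
    by_hops = spf(build_graph(LINKS, lambda ms: 1), src, dst)
    return by_latency, by_hops

if __name__ == "__main__":
    lat, hops = compare("LON", "SYD")
    print("latency metric:", lat)
    print("hop count     :", hops)
```

With the latency metric LON reaches SYD via FRA and SIN (265 ms, cost 2650, three hops); with hop count it takes the two-hop LON-SIN-SYD route, which is 395 ms. Change the LON-SIN entry back to a wavelength-like 165 ms and both schemes pick LON-SIN-SYD, which is the maintenance burden the post describes: the metric has to track the circuit, not just the topology.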



Differences between T-hierarchy and E-hierarchy?

I have tried to make some difference among them but I am not satisfied with my learnings. I feel, that I am missing some concepts, and just mugging up.

Here is the information what I have collected till now-:

E-hierarchy-: 1) Used by Europeans.

2) Data rate is 2.048 Mbps.

3) E1 comprises 32 simultaneous channels.

4) Although, E1 has same frame interval 125 micro seconds a s T1,E1 transmits 256 bits.

T-hierarchy-: 1) Used by Americans and in Japan.

2) Data rate of T1 is 1.544 Mbps.

3) T1 comprises of 24 simultaneous channels.

4) But, T1 transmits 193 bits within the same interval.

If you don't want to explain, I would be happy to get some books to read about this. :)



Routers standby

Hello all,

I have 2 routers connected together with a switch. On both routers I configured standby; one of them has a higher priority than the other one, but they are both acting as active routers. Any help?

Regards.



Is it possible to use Tacacs+ with SSHCA?

Hello,
I would like to know whether, when using Tacacs+ instead of a password, the user's SSH CA can be used within the Tacacs+ server rather than in the network device.

That way we avoid passwords expiring or authentication failing. Users would use the SSH certs within the Tacacs server to be authenticated.

Thanks



Linux running on Amazon Workspaces has discrepancy with IP addresses

In my AWS console, it lists a particular IP address. I see this same IP address listed as one of the addresses listed when I do ifconfig -a. However there are a lot of other addresses listed so I'm not sure which one is the "right" one. And then finally when I do one of those online "what's my IP address sites", I get an IP address that I have never seen before. Just trying to understand these discrepancies. What am I not understanding? Thanks.



Monday, July 6, 2020



WAN Aggregation Design

We had a stacked Cisco 3750 as our core/distribution in a collapsed model and we replaced it with 2 Cisco Nexus switches with vPC/HSRP/OSPF/static IP route summarization taking over the core/distribution role and also hosting our ESXi and SAN. However, we never moved our WAN/VPN and internet edge routers' backbone connections to the new Nexus core/distribution switch. Our edge WAN/VPN internet routers consist of Cisco, VyOS (on Deciso hardware) and UBNT EdgeRouter Pro.

Recently we had a power issue with the primary device in the stacked Cisco 3750 and we lost connection to some devices connected directly to it. So, to eliminate the single point of failure, I want to move the backbone connections of all our edge WAN/VPN internet routers to the Nexus and have redundant backbone connections distributed to the two Nexus switches, with VRRP and HSRP configured on the edge WAN/VPN internet routers.

What other advantages will I gain from this and is there any disadvantage of aggregating the WAN to the core/distribution ?



DataCentre Internet Router - Alternative to Cisco ASR1001/2-HX?

Hi all,

I'm in the need for a replacement Internet router. I'm currently sporting an end of life ASR1000 series. It's happily supporting my 1Gb/s Internet connection. If it goes "pop" I'm in trouble (see end of life).

I wish to replace it with a 10Gb/s capable model, as my next Internet speed upgrade will need to go beyond 1Gb/s. I also wish to be able to peer with a couple of providers. (eg. my ISP plus Megaport). Behind this router is a HA pair of Fortigate 500E's which can talk 10Gb/s if we use the X1/2 ports.

I am in New Zealand and we only get summary routing advertised to us so I don't need to house the full Internet routing table. I do run my own AS number, dual IPv4/6 stack and other "normal" things that you need a front end router for.

I've received quotes for both dual/resilient ASR1001-HX and ASR1002-HX models and they blow my budget out of the water. Either my expectations are wrong, or I've spec'd it wrong.

A 3rd option is that I should stop looking at Cisco and broaden my horizons.

Ideally I'd also build this front end in a more resilient way (HA?), but I need to be realistic with risk vs. budget too. I'm co-lo'd in a tier3/4 DC so about as good an environment as possible in terms of stability and proximity to services.

What other options should I be looking at?

All pointers gratefully received.

Cheers.



Best online training that takes CLCs?

Hello - We've got some CLCs that we'd planned on using for Cisco Live that are expiring soon - can anyone make any recommendations as to online training partners that we should look at using them with? Areas we're looking to focus on would be switching/routing & datacentre.



Anyone work for an Ivy league school?

Harvard, Yale, Princeton, etc. Obviously don’t disclose your identity but I’d be interested to know if their network is more or less the same or different than your typical public colleges. Is it more complex? Less? Does the hardware get updated more often? Do you get fun fancy “toys” to play with? Do you get a bigger budget? Finally, how’s the culture compared to other workplaces?



UniFi Security Gateway, 2 gateway IPs on one subnet???

I'm a low-level tech that is lucky enough to be mentored through real experience. Bear with me, I have a year of experience and most of the networking I've done was internal on one subnet, so basically between switch and clients/servers.
I have a customer that currently has 2 external static IPs, one from ATT and one from Comcast.
It basically looks like this:
ATT router -> Cisco router1 -> Switch1 -> Clients
Comcast router -> Cisco router2 -> Switch1 -> Clients

The clients are all static, with sales on one gateway (say comcast side) and production on another gateway (say ATT side)

Internally, these two gateways (cisco router 1 and 2) are in the same subnet. They are overlapped.

The goal is to replace both Cisco routers with a UniFi Security Gateway without changing other network properties beyond that. This would work if I could assign LAN 1 as one gateway and LAN 2 as another gateway on the same subnet, but the UniFi GUI will not allow this. It gives an error due to the second gateway being on the same subnet.

How can I make this work without defining a new subnet for one of the LAN ports and statically setting half the clients to this new subnet???



How important are sequential faceplate labels?

My work affects yours. I'm a cable installer for large construction projects. Currently we try to maintain a serialized/organized faceplate scheme. For example, in the hospital we are currently working on, one patient room will have outlets 1-6, the next room 7-12 etc. With those groups being terminated in that same order in the TR.

However, it causes a lot of headaches trying to accomplish that and I don't see the benefit to doing it that way. I want to more or less run the cables from the outlets into the TR without worrying so much about keeping them sequential. Instead, dress it nice into the TR and label the faceplates with whatever port it so happens to get terminated in. This would mean one outlet could have U46 port 32 and U21 port 12 next to each other in the same outlet. To me it doesn't make a difference. As long as both ends are well labeled and neat, does it matter to you?



PF Sense in virtualbox - How to?

Hey everyone!

I'm wondering if this is possible and if anyone has experience

Host: Ubuntu 18.04 - 1 NIC - 1x Public IP 144.x.x.x ETH0

Guest: PFSENSE
Guest: PC1
Guest: PC2

I'd like to see if I can do the following:
HOST -- pass through all traffic to the PFSENSE guest to act as a firewall.

pfSense accepts that traffic on the 144.x.x.x IP and then I run internal NAT for 192.168.x.x on my PC1 and PC2 (or any additional servers).

I've done the following:
1. Created a bridged adapter EM0
2. Created a NAT adapter EM1

I would assume the bridged adapter would be sharing the host IP, but I can't get it to pick up on that address, and setting it statically fails to ping anything.

Do I need to forward all traffic to a secondary, internal IP such as 10.x.x.x and then use that as my WAN, or is it possible to share the 144.x.x.x IP?

I've been looking through docs but have been unsuccessful so far.
Can provide additional details if needed.

Thanks in advance