Saturday, August 1, 2020

Rough CPU requirements for gigabit throughput with IPS/IDS on?

So I've been using a UniFi USG-Pro4 in conjunction with a UniFi 24 port(with 250W for PoE) switch for some time now, and while I like it for the most part, I'm not happy with how I have to do some really off-cuff things with jsons to set up multiple IPs on the WAN interface(I have a static block of IPs from my ISP), and I'm at the point now where I need to have an IPS/IDS that doesn't hamstring my throughput, and I'm not a fan of UniFi's new approach (in the new UDM) of forcing you to associate your network with a UniFi account.
So at the moment I'm looking at building a pfSense router(which solves most of my config problems), that will be able to run Snort, and be capable of at least 1Gbps throughput(using snort), for a network with only 4 users(and 2 VPN users), and 4-5 servers on the network.
As I asked in the title, I'm looking for some guidance on how powerful of a processor (without going full overkill), and to a certain extent how much RAM (though I'm guessing I shouldn't need any more than 8GB of ECC, and that's probably overkill) I need to manage that 1Gbps w/ a full featured Snort or Suricata ruleset.



Internet help

My internet has been crying in the fetal position lately. I've got excellent internet strength, and 72 Mbps; I should be able to stream 720p video, right?



Unique cable labels & as-builts

I do cable installs for large construction projects (hospitals, hotels, arenas etc). As an installer I'm trying to find a happy medium between my job and the networking guys that come after me. I've heard labeling each cable with a unique hexadecimal number is encouraged because it makes for easy and accurate identification of cables. However, I could also imagine it would be a bit daunting to look at an as-built to find a cable as it would be seemingly random numbers with no particular order. Is it better to stick to traditional 1,2,3,4 etc since their order on an as-built would be more intuitive and easy to find or are as-builts not really referenced that much and most of the tracing/ID work is based on faceplate/switch/panel labels anyways



Cannot Get Device Hostnames from Command Line Even Though Multiple Networking Scanning Apps Can Do it Just Fine

Okay, I'm probably doing something really dumb here, but nothing I can find online explains how to do this.

I want to run a command and get a list of devices connected to the same network as the device running the CLI command. This list should include

  • The IP address of the device
  • The MAC address of the device
  • The hostname of the device

The first two are really easy. A simple arp -a command will get me the first two. However, nothing I have tried will get the hostname of the device. I've tried nmap, I've tried host, I've tried ping -a. Nothing works.

nmap gets me something like:

? (192.168.11.1) at aa:bb:cc:dd:ee on en0 ifscope [ethernet]

Now, I know that the question mark at the front there means it wasn't able to find the hostname. But here's the thing: when I run an app like Angry IP Scanner, I can see the hostname of nearly every device on my network: from my laptop, to the Apple TV, to my phone. It even gets the name of all my smart plugs.

What the hell are these apps doing under the hood that I'm not doing on the command line? It can't be the fact that these devices don't want to give me their hostnames due to some kind of configuration: other apps are able to get that info just fine.

What am I doing wrong? I am running on OSX
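Unicast reverse DNS (`host`, `ping -a`) only returns names the DNS server holds PTR records for, which a home router rarely populates for phones, TVs and smart plugs. LAN scanners typically also ask other sources, one of which is mDNS/Bonjour (UDP 5353, multicast group 224.0.0.251), the protocol Apple devices answer reverse lookups on. The Python below is an added example, not from the post and not a description of Angry IP Scanner's internals: it tries `gethostbyaddr` first and then sends a standard DNS-format PTR query for the `in-addr.arpa` name to the mDNS group, parsing any answer (including name compression). The response bytes at the bottom are a constructed sample so the parser can be checked offline; `query_mdns` and `resolve_lan_name` assume a live LAN with mDNS responders.

```python
import socket
import struct

MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
TYPE_PTR = 12
CLASS_IN = 1
QU_BIT = 0x8000          # mDNS: "please answer me by unicast" flag in QCLASS (RFC 6762)
CACHE_FLUSH = 0x8000     # the same bit in an answer's class means cache-flush

def _encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def reverse_name(ipv4):
    """192.168.11.5 -> 5.11.168.192.in-addr.arpa"""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

def build_reverse_ptr_query(ipv4):
    """One-question DNS message: PTR for the in-addr.arpa name, with the QU bit set."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)   # id, flags, qd, an, ns, ar
    return header + _encode_name(reverse_name(ipv4)) + struct.pack("!HH", TYPE_PTR, CLASS_IN | QU_BIT)

def _read_name(data, off):
    """Decode a possibly compressed DNS name; returns (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_ptr_answers(data):
    """Return [(owner, target)] for every PTR record in a DNS/mDNS response."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = _read_name(data, off)
        off += 4
    found = []
    for _ in range(an + ns + ar):
        owner, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            found.append((owner, _read_name(data, off)[0]))
        off += rdlen
    return found

def query_mdns(ipv4, timeout=1.0):
    """Live network: multicast the query and collect PTR targets from whoever answers."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    names = []
    try:
        sock.sendto(build_reverse_ptr_query(ipv4), (MDNS_GROUP, MDNS_PORT))
        while True:
            data, _ = sock.recvfrom(4096)
            names.extend(t for _, t in parse_ptr_answers(data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return names

def resolve_lan_name(ipv4, timeout=1.0):
    """Unicast reverse DNS first (what 'host' does), then mDNS (what 'host' does not do)."""
    try:
        return socket.gethostbyaddr(ipv4)[0]
    except OSError:
        pass
    names = query_mdns(ipv4, timeout)
    return names[0] if names else None

# Constructed mDNS response for offline checking: question echoed, then one PTR answer
# whose owner name is a compression pointer (0xC00C) back to the question name.
_QNAME = _encode_name(reverse_name("192.168.11.5"))
_TARGET = _encode_name("appletv.local")
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8400, 1, 1, 0, 0)
                   + _QNAME + struct.pack("!HH", TYPE_PTR, CLASS_IN)
                   + b"\xc0\x0c"
                   + struct.pack("!HHIH", TYPE_PTR, CLASS_IN | CACHE_FLUSH, 120, len(_TARGET))
                   + _TARGET)
```

Run `resolve_lan_name("192.168.11.1")` on the LAN to see which source answers; devices that do not speak mDNS (many Windows hosts, some IoT gear) will still show up nameless here, which is why scanners stack several resolvers rather than relying on one.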



Small network share help

Dear all and sorry for my noob question.

I have a computer that’s acting as a server. On this machine I'm sharing the WiFi internet with the Ethernet (that’s connected to a switch). Simple enough and it works.

1) I’d like to share two folders from this machine that should only be accessed to the 5 persons connected on the Ethernet/switch only, and not to persons connected to the WiFi network. Can this be done?

2) One of the folders that I want to share should only be accessible to the two managers (connected to the Ethernet/switch). Is there a way to share this folder and only allow the managers to gain access?

I’m helping out a nonprofit for abused teens with this, so the purchasing of equipment is not recommended. If there is affordable software that I can purchase I’ll take the recommendations. All computers are Windows 10 (including the server).

Many thanks for the tips/assistance.



DHCP Help Part 2

Sorry, this is again a bit of a noob question. I'm getting stuck on a networking concept relating to DHCP. How does one implement a DHCP server spanning multiple subnets? My understanding is that routers will drop any broadcast frames sent to them so I wouldn't be able to drop in a DHCP server connected to my central router. Does this mean my DHCP server has to have multiple interfaces for each subnet/VLAN I am trying to run DHCP on? If not, how would I configure the routing table to send all DHCPREQUEST packets to the DHCP server?
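DHCP across routed subnets is normally done with a relay agent (BOOTP relay per RFC 1542; on Cisco IOS the `ip helper-address` interface command) on each subnet's router interface, so the server needs only one interface and no special routes. The Python below is an added example, not from the post: it simulates what the relay does to a client's DHCPDISCOVER (stamps `giaddr` with its own address on the client subnet, increments `hops`, forwards by unicast to the server) and how the server selects a scope from `giaddr` rather than from the interface the packet arrived on. Packets and address pools are constructed; only the fixed BOOTP header and the magic cookie are handled, not the option list.

```python
import ipaddress
import struct

# Fixed part of the BOOTP/DHCP header (RFC 2131): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr (16 bytes). Options follow the magic cookie.
DHCP_FIXED = "!BBBBIHH4s4s4s4s16s"
DHCP_FIXED_LEN = struct.calcsize(DHCP_FIXED)   # 44 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"
SERVER_PORT = 67
GIADDR = 10                                    # index of giaddr in the unpacked tuple
HOPS = 3

SCOPES = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]   # constructed example pools

def build_discover(xid, mac):
    """Constructed DHCPDISCOVER as a client broadcasts it: giaddr and hops are zero."""
    zero = b"\0" * 4
    fixed = struct.pack(DHCP_FIXED, 1, 1, 6, 0, xid, 0, 0x8000,
                        zero, zero, zero, zero, mac + b"\0" * 10)
    return fixed + MAGIC_COOKIE + b"\x35\x01\x01\xff"   # option 53 = DISCOVER, then end

def _giaddr(packet):
    return ipaddress.IPv4Address(struct.unpack(DHCP_FIXED, packet[:DHCP_FIXED_LEN])[GIADDR])

def relay_agent(packet, relay_if_ip, server_ip):
    """What a relay does on receiving the broadcast on the client's subnet: set giaddr to
    its own address on that subnet (only the first relay does), bump hops, and return the
    packet together with the unicast destination it forwards to."""
    fields = list(struct.unpack(DHCP_FIXED, packet[:DHCP_FIXED_LEN]))
    if fields[GIADDR] == b"\0" * 4:
        fields[GIADDR] = ipaddress.IPv4Address(relay_if_ip).packed
    fields[HOPS] += 1
    return struct.pack(DHCP_FIXED, *fields) + packet[DHCP_FIXED_LEN:], (server_ip, SERVER_PORT)

def select_scope(packet, scopes, server_if_ip):
    """Server side: pick the pool whose network contains giaddr. A zero giaddr means the
    client is on the server's own segment, so the server's interface address is used."""
    giaddr = _giaddr(packet)
    anchor = ipaddress.IPv4Address(server_if_ip) if int(giaddr) == 0 else giaddr
    for net in scopes:
        if anchor in ipaddress.ip_network(net):
            return net
    return None

def reply_destination(packet):
    """Where the server sends the OFFER: back to the relay (giaddr) when one was involved,
    otherwise onto the local segment as a broadcast."""
    giaddr = _giaddr(packet)
    return str(giaddr) if int(giaddr) else "broadcast"

if __name__ == "__main__":
    disc = build_discover(0x1234, b"\xaa\xbb\xcc\xdd\xee\xff")
    fwd, dest = relay_agent(disc, "10.2.0.1", "10.1.0.5")
    print("relay forwards to", dest, "scope:", select_scope(fwd, SCOPES, "10.1.0.5"),
          "offer goes to:", reply_destination(fwd))
```

The point for the routing-table question in the post: nothing about DHCPREQUEST ever needs a route, because the relay turns the client's broadcast into an ordinary unicast UDP datagram to the server, and the server's reply is addressed to the relay's `giaddr`.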



Career based question, how do I maximize my income?

So I consider myself very lucky where I am, at the current upper echelon of pay for a network engineer, 125k. I don't believe certifications are the right move for me in terms of the commitment of time and resources vs what I will get out of it. What are your suggestions, if any, from personal experience to maximize income?

Please note, I am a FTE and I have no intentions of moving to a lower income area where my money will go further due to family. However the thought has crossed my mind about, FTE + contract side work, does anyone recommend that?



Port scan large number of IP Addresses

Here's the use case:

Total number of IP Addresses to scan in the environment across different subnets: 2000 IP Addresses.

System available to me: Kali box with the most up to date release. The system has 2GB of RAM, 80 GB of storage and 4 CPUs allocated. This is a virtual machine. The virtual machine has access to all 2000 IP Addresses.

The objective is to port scan all 2000 IP Addresses in order to find out the status of TCP and UDP across all 65,535 ports.

My initial thought is to use NMAP but I do not know which certain switches are good for such a scan. And this is the cake topper. I have only 6 hours to complete the scan since my change window is limited.

What would be the suggestions from the community as to the best approach to accomplish this project and would your recommendations support the ability to complete in time safely? I would like to output to different outputs such as -oA outputfiles and after that my plan is to use xsltproc to convert the xml output to html. This is if it is NMAP. I was thinking Masscan but I could get false positives. Looking forward to responses. Thanks in advance.
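The `-oA` output includes an XML file (the `-oX` format), which is what the `xsltproc` step renders to HTML. As an added example that is not part of the post, here is a Python parser over that XML that builds a per-host inventory of open ports and an inverted index by service; for a change-window scan of 2000 addresses this is the data a defender actually wants to diff against the asset register. The XML below is a constructed sample in nmap's element layout, not the output of a real scan, and UDP results are kept with their `open|filtered` state so they are not mistaken for confirmed open ports.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample laid out like nmap -oX output (not a real scan result).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -p- -oA scan 10.0.0.0/24">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <address addr="AA:BB:CC:DD:EE:01" addrtype="mac"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Per live host: {"hostname": str|None, "open": [(proto, port, service, state), ...]}.
    Hosts reported down are skipped; closed/filtered ports are dropped; UDP "open|filtered"
    is kept but labelled, since nmap cannot distinguish silence from a firewall for UDP."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else None
        open_ports = []
        ports = host.find("ports")
        if ports is not None:
            for p in ports.findall("port"):
                state = p.find("state").get("state")
                if state not in ("open", "open|filtered"):
                    continue
                svc = p.find("service")
                open_ports.append((p.get("protocol"), int(p.get("portid")),
                                   svc.get("name") if svc is not None else "", state))
        inventory[addr] = {"hostname": hostname, "open": open_ports}
    return inventory

def ports_by_service(inventory):
    """Invert the inventory: "proto/port" -> [hosts exposing it], e.g. who has tcp/445 open."""
    index = defaultdict(list)
    for ip, info in inventory.items():
        for proto, port, _svc, _state in info["open"]:
            index[f"{proto}/{port}"].append(ip)
    return dict(index)

def summary_lines(inventory):
    """Human-readable lines, one per host, for a quick review or a ticket."""
    lines = []
    for ip, info in sorted(inventory.items()):
        name = info["hostname"] or "-"
        ports = ", ".join(f"{pr}/{po} {sv} [{st}]" for pr, po, sv, st in info["open"]) or "none"
        lines.append(f"{ip}\t{name}\t{ports}")
    return lines

if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("\n".join(summary_lines(inv)))
    print(ports_by_service(inv))
```

Point it at the `.xml` member of the `-oA` set with `parse_nmap_xml(open("scan.xml").read())`; keeping the parsed inventory from each window lets the next scan be compared host by host instead of re-reading HTML reports.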



Help Me Wrap My Brain Around a Home Lab Plan

Hey everyone, I posted something similar over in /r/homelab, but I think the networking part is the bigger part that's throwing my brain for a loop, and it's definitely where I'm weakest.

I could hopefully sort out the VM side.

Anyhow, here's the plan. I've been doing System Administration and Helpdesk work for about 7 years now. I'm looking to move into something I find more interesting, which is Security.

Anyhow, I've got a homelab right now that is comprised of my R710 server. I've got a Netgear 6400 router that is just switched to AP mode, as I went ahead and virtualized my router with a pfSense VM just for fun.

But here's my new plan, and where I'm running into the mental roadblock, and the networking side quickly gets over my head.

My plan is to make a segregated pen testing lab just for fun, and to hopefully move into that area after going through Security+ and likely Networking+ to bump the understanding level up.

I ordered a Cisco Small Business switch because the old Cisco one I've had that I grabbed off of ebay isn't fast enough for the internet I actually pay for, and likewise, I went ahead and grabbed a new Ubiquiti AP to use as well for better coverage and speed in the house. That got me thinking about sectioning off a network portion as a relatively open Pen Testing lab. I would be behind the Netgear router, and would allow me to leave the wifi/router portion as open as desired to test things, which could lead to a handful of VM's placed on that network as well, segregated in their own VNIC network.

Here's an illustration, and here's what I was curious about. Would I be able to take the line from the modem, and go to port 1 on the switch (red cable), then plug the Netgear router (orange cable) into Port 2 for the WAN access, while having my pfSense router (blue cable) on the server connect to the switch on Port 5 for its WAN access?

I was thinking it might be achievable if I used VLANs for the ports that I wanted for my internal "safe" network, and then used a separate port for the pen test network.

I guess what keeps tripping my brain up is having technically two routers, but one entry/exit from the network. I think I might be overthinking things, but I figured if there's any group of people who could look at this and make sense of it without breaking a sweat, it's the group here. I'm giving myself brain cramps.

Thanks, everyone!



J4858A vs J4858D Aruba Networking SFP Modules

I wanted to buy J4858D SFP modules from FS, since that was the model given to us on an official quote from HPE. However, they are only available from the Asia warehouse and will take 3 weeks to get here. The J4858A can get to me by Tuesday. Will the J4858A work with an Aruba 5406R zl2 Switch? We bought the 20x1Gbps and 4xSFP+ module to put in it, so this transceiver would be plugged into one of those. Thanks for the help! Still new to fiber networking.



Secure deployment of MSCHAPV2 wireless?

Is it possible to configure MSCHAPV2 using AD credentials securely by using MFA?



Help with business VPN

Good morning! Crazy problem here. Our site to site VPN at our place of business quit working when we changed our primary site's internet connection from Spectrum to an AT&T Wireless Broadband device (4G cellular) using the Nighthawk MR1100. After connecting the new internet at the primary site and changing the interface, the internet works well. The only change we make at the remote site is to change the gateway IP address that points to the main site to the new public static IP address assigned by AT&T. After making this change the tunnel shows active but no data is exchanged. It appears that the Phase 2 negotiation stalls out when the tunnel tries to come up. Here are some relevant details. Hoping someone here has run into something similar or could provide us some suggestions on what to try. Our current thinking is something is different about this network traffic being sent out over the Nighthawk modem (cellular network).

Firewalls on both sides = Sonic Wall 250

Remote side makes a vpn connection to the primary site

Nighthawk is set to IP passthrough and VPN passthru is enabled.

Nighthawk has a custom APN assigned by ATT to provide the public static IP for us.

VPN connects using aggressive mode, IKE Phase 1 is on aggressive mode, DH Group 2, Encryption: 3DES, Auth: SHA1; IPsec Phase 2 Protocol: ESP, Encryption: AES-128, Auth: SHA1

Some notes:

The only thing that changed was the new internet connection and changing vpn gateway IP at the new site.  Before that everything was working fine.  So all of our routes and access rules should be fine.

After the tunnel comes up, looking at the packet monitor I see Phase 1 looks good. I see UDP port 500 traffic get received successfully on the remote site from the main site. However it doesn't look like Phase 2 completes. SonicWall tells me I should see UDP port 4500 next for the ESP but that packet is never received.

AT&T also told me their MTU size should be 1430. The largest packet I can send using ping ("ping -f -l 1402 google.com") is 1402. I'm wondering if the overhead with IPsec needs a larger packet size than this?

I have tried setting the MTU on the WAN interfaces on both sides to 1430, 1400, and lower.

Many thanks to anyone taking the time to read this and to give ideas. I know enough to be dangerous. This was written up by our trusted friend and IT consultant. We have spent a ton of time reading, researching and trying different settings. We are going to try one more time with a couple more changes today but after today, we have exhausted everything we know to try. We have been on the phone with ATT, SonicWALL, and our IT support company for the last week and putting in lots of hours on this to no avail. Any help is much appreciated!

Thank you!
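On Windows, `ping -l N` sets the ICMP payload size, so a 1402-byte payload with the DF bit (`-f`) produces a 1430-byte IP packet (20 IPv4 + 8 ICMP + 1402), which is exactly the MTU the carrier quoted. Whether an IPsec-encapsulated packet fits inside that is a separate calculation. The Python below is an added example, not from the post and not SonicWall's own sizing, that computes the on-the-wire size of an ESP tunnel-mode packet for the Phase 2 settings listed (AES-128 in CBC mode, HMAC-SHA1-96), with and without NAT-T UDP encapsulation, and derives the largest inner packet and the TCP MSS that fit a given outer MTU. The overhead figures are the standard ESP values, not measurements from the post's equipment.

```python
OUTER_IPV4 = 20      # new outer IPv4 header added in tunnel mode
NAT_T_UDP = 8        # UDP/4500 header when NAT traversal encapsulation is in use
ESP_HEADER = 8       # SPI (4) + sequence number (4)
AES_CBC_IV = 16      # explicit IV carried with every AES-CBC packet
AES_BLOCK = 16       # CBC padding aligns the encrypted region to the block size
ESP_TRAILER = 2      # pad length (1) + next header (1), inside the padded region
HMAC_SHA1_ICV = 12   # HMAC-SHA1-96 integrity check value

def esp_packet_size(inner_len, nat_t=True):
    """Bytes on the wire for an inner IP packet of inner_len bytes in ESP tunnel mode."""
    padded = -(-(inner_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK   # round up to block
    return (OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER
            + AES_CBC_IV + padded + HMAC_SHA1_ICV)

def fits_without_fragmentation(inner_len, outer_mtu, nat_t=True):
    return esp_packet_size(inner_len, nat_t) <= outer_mtu

def max_inner_packet(outer_mtu, nat_t=True):
    """Largest inner IP packet that fits the outer MTU without fragmentation."""
    best = 0
    for n in range(outer_mtu + 1):          # MTU-scale numbers, brute force is fine
        if fits_without_fragmentation(n, outer_mtu, nat_t):
            best = n
    return best

def recommended_tcp_mss(outer_mtu, nat_t=True):
    """MSS to clamp on the tunnel so inner TCP segments never need fragmentation
    (inner IPv4 header 20 + TCP header 20)."""
    return max_inner_packet(outer_mtu, nat_t) - 40

def icmp_echo_total_size(payload_len):
    """Size of the IPv4 packet produced by 'ping -l payload_len' on Windows."""
    return 20 + 8 + payload_len

if __name__ == "__main__":
    print("ping -l 1402 ->", icmp_echo_total_size(1402), "bytes on the wire")
    for mtu in (1500, 1430, 1400):
        print(f"outer MTU {mtu}: max inner packet {max_inner_packet(mtu)} (NAT-T) /"
              f" {max_inner_packet(mtu, nat_t=False)} (raw ESP), clamp MSS to {recommended_tcp_mss(mtu)}")
```

With a 1430-byte path a 1500-byte inner packet from a LAN host does not fit, so either the tunnel endpoint fragments, or the DF bit is cleared, or the MSS is clamped; the numbers above tell you what to clamp to. The `nat_t=False` case covers ESP carried directly as IP protocol 50 when no NAT is detected.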



Security of wifi with hidden SSIDs?

I know that hidden SSIDs are easily found with third party network scanning tools. So, they add little security, but do they do anything to decrease security?

Some have said that, if a device is configured to connect to a network with a hidden SSID, it constantly broadcasts that it’s looking for that network and that can be used to aid attackers. However, doesn’t that happen anyway for any wireless network the device is configured to connect to whether hidden or not?



Pce 56 5g problem

I've installed this card in my PC; it connects well to the 2.4 GHz but when I connect it to the 5G, it says that there's no internet connection even if the connection is secured. When I run the Windows network diagnostics, sometimes it says that my card doesn't have a good IP address or the gateway couldn't be found.

Can someone tell some tips over what to do please.



Cost of bringing fibre to the entire US?

I thought this would be the best place to ask this sort of question.

I was trying to come up with an estimate of how much money it would cost to bring fibre to the entire country.

I guess the cost would consist of material cost, labour and hardware plus a bunch of other stuff I don't know about.

Doing a bit of research I have come up with 800 billion.

How accurate do you think this is? I didn't account for laws or licensing or anything like that.



Cogent Communications co-location and connectivity to Cox Communications network

Hello,

We just started to co-locate our equipment at Cogent Communication's datacenter in Phoenix. Prior, we had co-location at Phoenix NAP (right across the parking lot actually!) with a 3rd party who has multiple carriers (GTT, HE and more).

Cox is in the meet me room at Phoenix NAP. Our Phoenix NAP co-location had excellent connectivity to the Cox network. I can reach Cox Business fiber optic customers at 3.5 ms latency on average.

With Cogent however, this latency has gone up to 24 ms average.

I called tech support and opened a ticket and they said their routes go to their DC in LA, then over to CoreSite and then back to Phoenix. I asked them if this could be optimized. They said no.

Are they telling me the truth? Or do I have to accept this now? I don't see why they can't connect to Cox, right across the parking lot at Phoenix NAP. I am sure I'm missing something here but it seems ridiculous for traffic to make a trip to the west coast, turn around and come back to Phoenix.



What are your favorite virtual networking tools for playing with ACI/SDN

Hey guys, I am a software engineer who just accepted a role on a networking team. I'm being brought on to help them get the ball rolling with SDN and ACI automations. I have a very limited background in networking (my employer is well aware) so I wanted to get my feet wet by playing around with some virtual networks.

What are your favorite tools? I am looking at GNS3, Cisco's ACI Simulator, etc. Are there any others you would recommend? I have a halfway decent server to run a virtual network on: 64 GB DDR3, 12 cores, 14 TB RAID 5 storage.

Edit* Wanted to say thank you for all the help on this thread! Thankfully, my old company decided to not keep me for the extra two weeks although that was my intention and now I have a whole week free to prepare and study!



Need some PIM-SSM multicast information

I have an issue with my PIM-SSM multicast configuration using ISR4431s. I am wanting to forward broadcast data from an application on one VLAN on the multicast source to another VLAN on a multicast router on a small network. The method I am using is PIM-SSM. I have a multicast source R1, a multicast transition router R2, and a multicast receiver, the R3 device. Any insight into why the broadcast data is not forwarding is welcome. Here is the topology:

              R1—R2—R3

R1 Config (Multicast Source):

hostname R1
ip multicast-routing distributed
ip pim spt-threshold infinity
ip pim ssm default
no ip igmp snooping
vtp mode transparent
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 100
!
interface GigabitEthernet0/0/0
 ip address 10.194.234.226 255.255.255.252
 ip nat outside
 ip pim sparse-dense-mode
!
interface GigabitEthernet0/1/0
 switchport access vlan 100
 switchport mode access
!
interface Vlan100
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip pim sparse-dense-mode
 ip multicast helper-map broadcast 232.1.1.1 bcast-to-mcast ttl 50
!
ip forward-protocol udp 3205
ip nat inside source static udp 10.1.1.71 3205 10.194.234.226 3205 extendable
ip route 0.0.0.0 0.0.0.0 G0/0/0
ip access-list extended bcast-to-mcast
 permit udp any any eq 3205
end

R2 Config (Multicast Transition Router):

hostname R2
ip multicast-routing distributed
ip pim spt-threshold infinity
vtp mode transparent
spanning-tree extend system-id
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
 ip address 10.194.234.225 255.255.255.252
 ip pim sparse-dense-mode
 no shutdown
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 10.156.51.225 255.255.255.252
 ip pim sparse-dense-mode
 no shutdown
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1
end

R3 Config (Multicast Receiver; NOTE: 192.142.1.99 is not the device that is receiving the data. Other devices on VLAN 600 need the data):

hostname R3
ip multicast-routing distributed
ip pim spt-threshold infinity
ip pim ssm default
no ip igmp snooping
vtp mode transparent
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 600
!
interface GigabitEthernet0/0/0
 ip address 10.156.51.226 255.255.255.252
 ip pim sparse-dense-mode
 ip multicast helper-map 232.1.1.1 192.142.1.255 bcast-to-mcast
 ip igmp version 3
 negotiation auto
!
interface GigabitEthernet0/1/0
 switchport access vlan 600
 switchport mode access
!
interface GigabitEthernet0/1/1
 switchport access vlan 600
 switchport mode access
!
interface Vlan600
 ip address 192.142.1.1 255.255.255.0
 ip broadcast-address 192.142.1.255
 ip directed-broadcast
 ip pim sparse-dense-mode
 ip igmp join-group 232.1.1.1 source 10.194.234.226
 ip igmp version 3
!
ip forward-protocol udp 3205
ip nat inside source static tcp 192.142.1.99 61000 10.156.51.226 61000 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
ip access-list extended bcast-to-mcast
 permit udp any any eq 3205
end



Edgerouter X firewall configuration to prevent communication between ports.

Hello all,

I am new to networking and have decided to buy the EdgeRouter X as a router. I have 3 different switches connected to eth1, eth2 and eth3. I want to configure the router to prevent devices on each eth port from communicating with one another. But I still want all these switches to be able to access the internet.

What firewall rules and settings would I need to change to achieve this? Any help would be appreciated!



VLAN, Amplifi HD, Cisco Switch and Fortigate

Hi,

I got 3 networks on my Fortigate 40C - Internal, VLAN1 and VLAN2. Behind my Forti works a Cisco switch. The problem is if I connect Amplifi HD as a bridge to the untagged (VLAN2) port on the switch, I can't see any DHCP device connected to Amplifi HD. If I connect Amplifi HD directly to the internal port on Forti, all devices connected to Amplifi are visible. For testing I created a policy that allows all traffic.

What am I missing?

Thank you for any suggestions.



Friday, July 31, 2020

Patch Panel Help Requested

I moved into a condo unit and was disappointed to find that only 1 Ethernet port was the WAN for my gigabit fiber ISP - the rest are not usable. I’d like to hardwire components in various rooms that are pre-wired for Ethernet.

What do I need to do to enable that, in a basic patch panel? I assume I need to add a router w/ an adequate number of ports next to the patch panel (a switch might be overkill) and to the various Ethernet cables that are terminated at the patch panel. For this, I would need to hire an electrician to add a power outlet in the closet, I think, for the router. The existing patch panel box is small, I’d imagine I’d need to switch to a larger box that can neatly fit a router w/ a decent number of ports and the additional wiring. Then just add a WiFi access point via one of the various Ethernet ports throughout the house.

Man, this seems like a PITA for home owners. Why do builders do this? Don’t pretty much all home buyers want a turnkey solution in place. My setup basically means I have one working Ethernet port, a WAN port, for my ISP, and a box with a patch panel that is too small to do anything with - and lacks a source of power - that seems so dumb.

I’d probably want to hire this out, to appease my nanny state HOA. What would this sort of work cost, ballpark? Would I hire an electrician to do it?

Having gigabit speeds neutered by Netgear Orbi WiFi means I see like 150 Mbps in other parts of the house, vs the 900ish that I get when hard-wired to the router. Would Wifi6 solve my problems cheaper?

Thanks!



Cheapest/smallest server for simple script hosting?

I'm exploring options for a super cheap home mini server setup so I can set up some scripts on the server and just let it run.

The script itself is stupidly simple and doesn't require much processing power at all, and will simply be a cronjob that will run some Python scripts every few hours that makes a web call to some API. It's stupidly low calculation.

Now my question is -- what is the absolute cheapest way to do this?

Yes, I have thought about using something like AWS or Digital Ocean (the smallest droplets), but even the cheapest is at $5 a month, which I absolutely do not need at all considering how small the jobs are

Can you recommend me a cheap mini low-power system? I was thinking I can get an Arduino with a WebShield: https://www.arduino.cc/en/Tutorial/WebServer

Another method, which seems better, is a Raspberry Pi with Apache/NGINX installed.

Are there any other options available?



How to set up a fake LAN?

Hey guys. Sorry I'm kinda a noob. I'm trying to help my friend connect to my laptop thru steam link. Normally I think you need to be on the same network to set it up. How can I make his phone think it's on my network?

I've port forwarded for RD client, I've tried using logmein hamachi but that's just another RD client. How can I make his phone think it's connected to my router?



Random IP address

I have a TP-Link AX1500 for starters and whitelist all current devices. Now there is a device with my Ethernet MAC address but a different IP address that I can’t find the source of, and when I check my TP-Link site to see who connected I don’t see that device; I only see the devices that are accounted for. ESET and Avast pick up this device as well. Am I going crazy? Thanks for any help, guys.



Cisco 3650 cancel upgrade install mode

I just staged an upgrade on a 3650 running 03.07.04 w/ 16.12.03a; however, I am wanting to back out of it.

I had ran the following command:

software install file flash:cat3k_caa-universalk9.16.12.03a.SPA.bin new force on-reboot

I was thinking the easiest solution would be to rename the packages.conf.00- back to packages.conf, then run a software install clean. However, is there a better way to do this?



A couple VLAN questions

I inherited a mess of cable spaghetti in a multi tenant building (mostly shared internet) and I'm in the process of cleaning up the wiring and configs and had a couple questions.

The core consists of managed switches for distribution (Cisco 2960) and a layer 3 switch (4503) doing the routing.

Regarding the configs: On the distribution switch side, are there reasons to designate switchport modes as trunks (or access) and specify allowed VLANs per interface, versus allowing them to auto-negotiate? Seems to work fine when I added a new switch with minimal configuration, the trunk was recognized from the core switch with all VLANs allowed. Just needed to set VLAN access on the proper ports. On the existing switches, I would need to set the allowed VLANs on the trunk interface on both switches for it to work properly.

Part 2: There is a sublessee that has their own internet and network. The patch cables for their rooms had been removed from the main distribution switches and connected to an unmanaged switch that's nesting in the middle of all the wires. If I created a VLAN on the managed switches and did not assign that VLAN an IP, would those ports assigned to that VLAN effectively act as a dumb switch isolated from the rest of the network?

The normal configuration for tenants is that they have their own VLAN and subnet, but are not isolated at layer 3, so they share the common internet. Would connecting a second internet connection/router to the distribution switch on a VLAN with no IP assigned cause any routing problems or conflicts with the existing internet connection?



Weird issue.

Hello All,

Sorry if this doesn't belong here. But I'm having a weird issue that I hope you all can possibly shed some light on.

I have a user that has his laptop and wireless printer connected to his home modem/router, a PACE 5268AC that he got from AT&T. I confirmed this by walking him through reconnecting his printer to the wireless network.

The problem is that his laptop is getting a 192.168.xxx.xxx address while his printer is getting a 10.0.0.xxx address. I made sure that his printer and laptop are both using DHCP. The fact they are getting assigned to two different network segments means they can't talk to each other.

I also tried to program the printer with a static 192.168.xxx.xxx address but that didn't work.

Has anyone ever seen this?



10/25Gb Switches with a GUI

We're replacing the top of rack switches and have been looking at Dell S Series switches as we have some N series 10GB switches now which are good.

Sadly (ridicule me if you wish) it's an issue if they don't have a GUI. The S series don't seem to have a GUI (The older N series ones do). Are there any options that I'm not aware of?



Help - Public library wifi access

My daughter just became the director of a small municipal library. The previous director has disabled the wifi as they were getting DMCA notices for torrenting. The library has no $ in the budget for an IT professional, so I volunteered to make an attempt at getting their wifi functional again. However, my experience is in home networking, I don't know anything about public access wifi.

Right now the library is using the ISP-provided gateway that feeds their 6 computers via ethernet. Wifi is simply disabled in the gateway control panel.

I'd like to re-enable the wifi and simply block torrenting, but I don't know if that possible or if that's even the right way to handle it.

Your thoughts and advice would be greatly appreciated.



Best TCP congestion control for wireless devices

Quick question: what's the best TCP congestion control algorithm that someone could use on a wireless-only device (from a client perspective)?

I've seen that Veno has been developed especially for this use, but maybe that's something even better



How do ISPs route traffic geographically within their AS?

Sorry if this question is too basic for this sub. I was looking at AS6939 route servers and noticed that on the west coast (Fremont) the best route to 1.1.1.0/24 would have a MED of 15 but that same route in Toronto would have a MED of 614. How do ISPs go about changing the MED or local-pref of routes on only certain routers in their AS? I guess when that route in Fremont gets reflected to Toronto the router knows that route is far away and changes the MED? How do they do this? Communities?



Why does TP-Link tend to make its wireless adapters stop supporting monitor mode, after they did support it, when upgrading them to new versions?



Wireless Bridge Recommendations Needed

I have read a few other similar posts but I figured that I had enough unique requirements that it made sense to make a new post.


I work for an IT department for an organization where we have a few locations that are not on our fiber network. These are mostly locations with a few cameras and such. We have an existing wireless network that is aging out and needs replacement. My biggest issue is that most of these devices are installed on a 100' aerial at their origin. This makes maintenance and replacement an issue as this requires we hire a professional to climb the tower to get to the hardware. There is a mix of makes and models that span years.

I have worked with and we have a mix of Ubiquiti, Mimosa, Ruckus, and Mikrotik. I prefer an easy to use UI but in the end it's all the same.

  • I would like to replace this aging hardware with a single manufacturer and model if at all possible.
  • I do not have a preference with manufacturer but I lean towards enterprise grade.
  • Budgets are flexible but I would like to stay below ~$500 per location, and the lower the better.
  • I was thinking that it would benefit me to have a model that allows me to place the radios in our shed and the antenna on the aerial. This will allow me to readily replace the hardware in the case of a failure. Really expensive to hire a pro to climb the tower and replace equipment.
  • Some locations are located in harsh environments/ocean exposure.
  • I don't have a minimum bandwidth requirement. 1Gbps would be nice for future proofing but I can get away with a solid 250Mbps.
  • Most are 1-1 but there is the need for 1-many in a couple spots.
  • Most locations are under ~2 km with the possibility of ~7 km in a couple spots.
  • I have some locations where there are trees in the way.
  • We are in a busy WiFi area so I am not sure if 5 GHz is what I need. I might be able to get access to a licensed frequency but the permit process can take a while, so I need to move forward before that.

All in all; I want to unify our wireless bridge network with easily accessible, reliable, and robust equipment.

Thanks for taking the time. I am far from a wireless expert and am relying on the community to help out a fellow sysadmin.



help me understand a simple layer 3 firewall scenario

So I was thinking about this the other day and it somewhat confused me, probably because I do not truly know routing in depth, and I feel somewhat silly even asking this question but here it goes:

Say you have a router, network A 10.0.1.X and network B 10.0.2.X, and your firewall is set to block incoming traffic from 10.0.2.x to 10.0.1.x, and your rules end in ANY ANY. Would it ever be possible for someone to put a router in (on LAN B), add a different subnet, and get around the deny rule because the packets would be coming from a different network? I understand that if the traffic came through NATed it would get blocked, but don't routing protocols just automagically populate route tables? I apologize if this is a dumb question, but it just had me thinking.

Thanks!



.UK DNS Resolving Issues

Does anyone know what is going on with the .uk TLD and DNS resolving issues?

I notice I started having email issues yesterday and found that my domain was only listed on only a handful major DNS servers.

At first I thought it was an issue with my name servers, so I shifted them over to Amazon.

However, out of curiosity I started exploring other three-letter .uk domains and saw that it is more widespread. It's not universal, but I found a handful:

https://dnschecker.org/#NS/Adf.uk

https://dnschecker.org/#NS/QWERTY.uk

https://dnschecker.org/#NS/Aws.uk

https://dnschecker.org/#NS/Abc.uk (OK)



C9500 Switch Architecture, ASICs, and TCAM MAC capacity

Hey Gang,

I've been away from switch route for a long time and heavily focused on WiFi for most of my career. I have an implementation which relies heavily on centralized forwarding where all the client MACs end up getting dumped into a single switch port, or port channel.

A fellow network engineer tipped me off that the spec on a datasheet for most switches regarding the MAC table size is usually a little more convoluted than what they're telling you. If a switch has a table size of 56K, that may be further split up and restricted to certain groups of ports. So I've gone down the rabbit hole to understand a little more about switch/router architecture.

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9500-series-switches/nb-06-cat9500-ser-data-sheet-cte-en.html

Looking at the C9500 datasheet, "Table 11. ASIC template descriptions", I see that based on which template I apply I can get either 82K or 32K of capacity for MAC table entries. That looks pretty straightforward to me, but my friend's tip got me digging a little deeper.

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9500-series-switches/white-paper-c11-741484.html#Switchdesign

Looking at the "Figure 3. C9500-32QC/48Y4C/24Y4C board layout" I see 4 ASICs total, appearing to be responsible for different groups of ports below them.

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2018/pdf/BRKARC-2035.pdf

Scouring around I found a random slideshow with a hint that the UADP 2.0 XL has a 54K TCAM table size. So this must mean the numbers above are sliced and diced (L2, L3, Sec?) then added up to make up an aggregate of some sort, but I haven't found anything that clearly indicates the MAC table size for the specific groups of ports associated with each of these ASICs in the switch.

Why am I digging into this so deep? 32K is a lot of MAC addresses, but 32K / 4 ASICs = 8K, which will likely be a problem for my deployment. Definitely not today with COVID isolation measures, but definitely some day when things normalize.



How to access from home-office/openVPN client(pfsense) -> to device at site (Mikrotik/IPsec)

Hi!

I'm kind of a beginner all-in-one IT guy who is trying to give clients access to devices at sites through VPN. I hope I get help from here because I couldn't find the right info on Google.

How to access from PC1 openVPN client (pfsense(office network)) -> to PC2 at site (Mikrotik(ipsec vpn between office-site))

I also tried to make a diagram

-

What I tried to do:

Made IPsec P2 entries (pfSense to Mikrotik at site) in pfSense for the 10.117.1.0/24 network.

Added FW rules into Mikrotik which is at site.

-

What else should I try/do? Thank you for your attention!



Have BGP track active VRRP in Cisco vPC with DCI

Hi guys, I hope I can explain my situation correctly.

I currently am tasked to connect two DCs to Azure via ExpressRoute.

They currently run the following:

              DCA              DCB
 vrrp master > SW01----------SW03 < standby
               ||   \     /   ||
    vPC link > ||      X      || < vPC link
               ||   /     \   ||
 vrrp listen > SW02----------SW04 < vrrp listen

  • Switches are Cisco Nexus
  • SW01 and 02 form a vPC
  • SW03 and 04 form a vPC
  • DCA is the VRRP master. All routing is done on SW01 and 02 unless there is a failure.
  • All four switches will have their own links to the ER and run BGP
  • The customer prefers to have all traffic flow over the active side

My question is as follows: if SW01 stops being the VRRP master or fails, I'd like to have BGP advertise a more preferred route via DCB. However, I can't think of a way to have SW02 automatically change its metrics to become less preferred when SW01 isn't the VRRP master anymore.

I'm probably missing something really simple or not seeing the obvious, so any help is appreciated!



Building Managed NOC (ITSD) & ITSD

Hi all... Due to increased demand for managed services, I'm planning to pitch to my company to start a managed NOC & service desk for our customers, for now starting with 100 nodes and hiring resources accordingly.

Appreciate if someone who has experience in such domain can guide me on best available solutions and we may hire consultant/Architect to deploy it as well.



Thursday, July 30, 2020

MTR/Trace/Ping docker container WebGui

Does someone know if there is a Docker container with a WebGUI to execute an MTR, traceroute and ping?

This will make troubleshooting our network easier because I can place it at all our different locations and networks.



VXLAN - Migrate VM holding same MAC and IP

I have some doubts when it comes to VXLAN, I'm learning about the world of Data Centers & something that caught my interest is on some YouTube videos they talk about being able to migrate a VM from one physical server to another, now I don't have a lot of experience on Data Centers but I'm curious on what can be accomplished by this. So would it be possible to transfer a VM to another server from a LAN to another LAN while still having the same IP address??? I'm having some problems trying to solve this since LAN A would be say 192.168.100.0/24 for the servers and 192.168.101.0/24 for the users, but if we go through the WAN to LAN B there will be 192.168.200.0/24 for the servers on that site and 192.168.202.0/24 for users and both LAN's connect to a core switch and promote their network via EIGRP, how would it be possible to move a VM from LAN A to LAN B with still the same IP address and still being able to contact that VM through the entire network? Or is this VM migration possible while having the servers on the same LAN?

I have 2 sites, one MDF with our servers and another site with other servers, just wondering if migrating a VM from a LAN to another LAN will be possible or if I can only migrate a VM within the same LAN

Any help on this or if someone could refer me to a forum or resource to learn this will be greatly appreciated.



Addresses/techniques to ping/mtr/whatever specific geographic areas

I'd like test addresses to reach various geographic locations. At the moment my best idea is to search for "<location> ip address" which ends up with some random IP in geo IP web tools, but you know this doesn't smell good.

Networking is a bit out of my wheelhouse so apologies if there's some low hanging fruit or tribal knowledge I'm missing here.



(maybe ?) Dumb question about SFP+ switches

Hi everyone, I'm getting a new router in the next few days which has an SFP+ port (so 10 Gigabit speed) and my ISP is offering 10Gbps fiber. If I buy a switch made of 10 1Gbps ports and 1 SFP 10Gbps port, then connect computers to each 1Gbps port, does it mean that I'll be able to get 1Gbps of network bandwidth on each of the 10 computers at the same time? Or is there some kind of bottleneck in the switch I'm not aware of?

I know for some it can be a dumb question but I want to make sure that my plans are correct before buying any (expensive) hardware.

Have a nice day/night !

(sorry for bad English this is not my native language)



Routing VLANS SW Dell N1524

Hi, I would appreciate your help finding the solution to a setup issue on a Dell N1524 switch.

I have Created 4 Vlans

Vlan 18 Servers / Vlan 24 Cameras / Vlan 23 Others

I have set up everything as the manual indicated; port membership has been configured properly.

My problem is that I cannot make the devices configured on different vlans communicate each other. For example:

Device on switchport 8 which is on vlan18 configured with 10.1.18.5/24 gateway 10.1.18.1 is not being able to communicate with device on switchport 10 which is on Vlan 24 configured with 10.1.24.11/24 gateway 10.1.254.1

Here is the config I have on the Switch.

*SwitchPort 24 is configured to be connected to the router

console#show running-config

!Current Configuration:
!System Description "Dell Networking N1524, 6.3.3.14, Linux 3.6.5"
!System Software Version 6.3.3.14
!
configure
vlan 10,15,18,23-24
exit
stack
member 1 1 ! N1524
member 2 1 ! N1524
exit
ip routing
interface vlan 15
ip address 10.15.1.10 255.255.255.0
exit
interface vlan 18
ip address 10.1.18.1 255.255.255.0
exit
interface vlan 23
ip address 10.1.23.1 255.255.255.0
exit
interface vlan 24
ip address 10.1.24.1 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 10.15.1.1
username "admin" password 9e9df680772a01af39ae21b6b5ff4bfb privilege 15 encrypted
!
interface Gi1/0/1
switchport access vlan 15
exit
!
interface Gi1/0/2
switchport access vlan 15
exit
!
interface Gi1/0/3
switchport access vlan 15
exit
!
interface Gi1/0/4
switchport access vlan 24
exit
!
interface Gi1/0/5
switchport access vlan 15
exit
!
interface Gi1/0/6
switchport access vlan 15
exit
!
interface Gi1/0/7
switchport access vlan 15
exit
!
interface Gi1/0/8
switchport access vlan 15
exit
!
interface Gi1/0/13
switchport access vlan 18
exit
!
interface Gi1/0/14
switchport access vlan 24
exit
!
interface Gi1/0/18
switchport access vlan 15
exit
!
interface Gi1/0/19
switchport access vlan 15
exit
!
interface Gi1/0/22
switchport access vlan 24
exit
!
interface Gi1/0/24
switchport mode trunk
switchport access vlan 15
switchport trunk allowed vlan 15,18,23-24
exit
!
interface Gi2/0/1
switchport access vlan 23
exit
snmp-server engineid local 800002a203684f641ba25f
eula-consent support-assist reject
eula-consent hiveagent reject
exit

console#
console#show ip route

Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, K - Kernel, S - Static
B - BGP Derived, E - Externally Derived, IA - OSPF Inter Area
E1 - OSPF External Type 1, E2 - OSPF External Type 2
N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2
S U - Unnumbered Peer, L - Leaked Route

* Indicates the best (lowest metric) route for the subnet.

Default Gateway is 10.15.1.1
S *0.0.0.0/0 [1/0] via 10.15.1.1, 01h:50m:19s, Vl15
C *10.1.18.0/24 [0/0] directly connected, Vl18
C *10.1.23.0/24 [0/0] directly connected, Vl23
C *10.1.24.0/24 [0/0] directly connected, Vl24
C *10.15.1.0/24 [0/0] directly connected, Vl15
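Added example, not from the original post: a small checker that parses the Dell N-series running-config above (SVIs and access-port VLANs) and reports, for a given host, whether its address and gateway actually fit the SVI of the VLAN its port is in. It assumes the two hosts from the post sit on Gi1/0/13 and Gi1/0/14 (the ports the config assigns to VLAN 18 and VLAN 24); the config excerpt is the posted one reduced to the lines the checker reads.

```python
import re
from ipaddress import ip_address, ip_interface

# Excerpt of the posted running-config (same values, only the lines used here).
CONFIG = """\
ip routing
interface vlan 15
ip address 10.15.1.10 255.255.255.0
exit
interface vlan 18
ip address 10.1.18.1 255.255.255.0
exit
interface vlan 23
ip address 10.1.23.1 255.255.255.0
exit
interface vlan 24
ip address 10.1.24.1 255.255.255.0
exit
interface Gi1/0/8
switchport access vlan 15
exit
interface Gi1/0/13
switchport access vlan 18
exit
interface Gi1/0/14
switchport access vlan 24
exit
"""


def parse_config(text):
    """Dell N-series style blocks: 'interface vlan N' / 'interface Gi1/0/N' closed by 'exit'.
    Returns (svis, access): VLAN id -> SVI as IPv4Interface, port name -> access VLAN id."""
    svis, access = {}, {}
    current = None  # ("vlan", id) or ("port", name) while inside a block
    for raw in text.splitlines():
        line = raw.strip()
        if line == "exit":
            current = None
            continue
        m = re.fullmatch(r"interface vlan (\d+)", line, re.IGNORECASE)
        if m:
            current = ("vlan", int(m.group(1)))
            continue
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            current = ("port", m.group(1))
            continue
        m = re.fullmatch(r"ip address (\S+) (\S+)", line)
        if m and current and current[0] == "vlan":
            # ipaddress accepts a dotted netmask after the slash
            svis[current[1]] = ip_interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.fullmatch(r"switchport access vlan (\d+)", line)
        if m and current and current[0] == "port":
            access[current[1]] = int(m.group(1))
    return svis, access


def check_host(svis, access, port, ip, prefixlen, gateway):
    """Findings for a host plugged into 'port'; an empty list means the switch can route for it."""
    vlan = access.get(port)
    if vlan is None:
        return [f"{port}: no 'switchport access vlan' in config"]
    svi = svis.get(vlan)
    if svi is None:
        return [f"VLAN {vlan}: no SVI, the switch has no interface to route from"]
    findings = []
    host = ip_interface(f"{ip}/{prefixlen}")
    if host.network != svi.network:
        findings.append(f"{host}: not in VLAN {vlan} SVI subnet {svi.network}")
    if ip_address(gateway) != svi.ip:
        findings.append(f"gateway {gateway}: not the VLAN {vlan} SVI address {svi.ip}")
    return findings


SVIS, ACCESS = parse_config(CONFIG)

# The two hosts described in the post; port placement is an assumption.
HOSTS = [
    ("Gi1/0/13", "10.1.18.5", 24, "10.1.18.1"),
    ("Gi1/0/14", "10.1.24.11", 24, "10.1.254.1"),
]


def audit(hosts=HOSTS):
    """Map each port to its findings."""
    return {port: check_host(SVIS, ACCESS, port, ip, plen, gw) for port, ip, plen, gw in hosts}


if __name__ == "__main__":
    for port, findings in audit().items():
        print(port, "OK" if not findings else findings)
```

Run against the posted values, the VLAN 18 host comes back clean, while the VLAN 24 host is flagged because its gateway 10.1.254.1 is not the VLAN 24 SVI (10.1.24.1) and is not in any directly connected subnet in the routing table above; the same function also flags a host whose port is not in the VLAN it expects (for example Gi1/0/8, which the config puts in VLAN 15).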



What are some things I can do to a computer at work to test a co-worker.

Title: What*

Background: I work helpdesk and we recently hired a new tech. My boss has asked me to “break” a computer and have the new guy troubleshoot and fix it. Today, I set a static IP that I knew was a duplicate to the IP on my computer. After some troubleshooting and a little help he figured it out and got it fixed. He enjoyed it and I found it fun too. I think I’m going to take out the RAM next and let him troubleshoot that.

I’m still new on helpdesk as well, though. So my base of ideas are small. What are some other things I could do that could make him think and help both him and I learn?



single mode fiber light detection

So, I've used my camera to look for light when I troubleshoot SM fiber. I'm trying to bring up a circuit, and I'm having a hard time bringing up L1. I see light via my camera on my Xenpak 10 gig optic, but I don't see light on the fiber drop. The colo guys can test it with a Fluke and see signal, but I can't see it via my camera, even though I can see the fiber module on my 6500. Any ideas as to what could cause SM to SM fiber not to come up? My TX and RX are correct and I've flipped them just to verify.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



ISP to Modem Speeds good; Client to Modem Speeds Poor. Why?

Photo of the speed test below.

https://imgur.com/Cvlfibo

It's a fibre optic drop. Just using the modem as a gateway in to a switch. Only 5 clients on this one network.

Any ideas why?



Packet Filtering Ruleset for Network

Absolute newbie here, I have to write a filtering rule set to block all inbound connections to a Web server (IP address = 200.1.2.3), an external e-mail server (IP address = 200.1.2.4), and some internal workstations with network address of 192.168.1.0/24. Here's my attempt, but I'm not sure if I'm on the right path. Here's my table:

Action  Source Address  Dest Address    Protocol  Source Port  Dest Port
Deny    Any             200.1.2.3       Any       Any          80
Deny    Any             200.1.2.4       Any       Any          25
Deny    Any             192.168.1.1/24  Any       Any          Any
Deny    Any             192.168.2.1/24  Any       Any          Any
Deny    Any             192.168.3.1/24  Any       Any          Any
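Added example (my code, not from either poster): a first-match packet-filter evaluator that models both the "deny B to A, then ANY ANY" firewall from the layer 3 question above and the "block all inbound" table just posted. It shows why a deny keyed on the expected source prefix does not catch traffic from a subnet the rule never anticipated, and how keying the protection on the destination fixes that; it then evaluates the posted table against a few inbound packets to list which ports remain reachable. The 10.0.3.0/24 subnet behind a second router on LAN B and the external address 203.0.113.9 are constructed, and the trailing ANY ANY is modelled as the default action.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One line of a packet-filter table; 'any' / None act as wildcards."""
    action: str                  # "permit" or "deny"
    src: str = "any"             # source prefix in CIDR, or "any"
    dst: str = "any"             # destination prefix in CIDR, or "any"
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port, None = any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


def _in_prefix(prefix, addr):
    # strict=False masks host bits, so "192.168.1.1/24" is read as 192.168.1.0/24
    return prefix == "any" or ip_address(addr) in ip_network(prefix, strict=False)


def rule_matches(rule, pkt):
    return (_in_prefix(rule.src, pkt.src)
            and _in_prefix(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules, pkt, default="permit"):
    """First match wins; 'default' models the trailing ANY ANY rule."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# --- Scenario 1: the layer 3 question (deny B -> A, then ANY ANY) ---
DENY_B_TO_A = [Rule("deny", "10.0.2.0/24", "10.0.1.0/24")]

# Hardened variant: protect by destination, so the source prefix does not matter.
PROTECT_A = [
    Rule("permit", "10.0.1.0/24", "any"),  # A may initiate outward
    Rule("deny", "any", "10.0.1.0/24"),    # nothing else may reach A
]


def rogue_subnet_check(rules):
    """A packet from 10.0.3.0/24 (constructed: a subnet added behind a second router
    on LAN B) to a host in A. Returns the filter's verdict."""
    return evaluate(rules, Packet("10.0.3.5", "10.0.1.10", "tcp", 445))


# --- Scenario 2: the posted "block all inbound" table, typed in as written ---
POSTED = [
    Rule("deny", "any", "200.1.2.3", "any", 80),
    Rule("deny", "any", "200.1.2.4", "any", 25),
    Rule("deny", "any", "192.168.1.1/24"),
    Rule("deny", "any", "192.168.2.1/24"),
    Rule("deny", "any", "192.168.3.1/24"),
]


def still_open(rules, dst, ports=(22, 25, 80, 443, 3389)):
    """Ports on dst that an inbound TCP packet from outside (203.0.113.9, constructed)
    would still be permitted to reach under first-match plus a trailing permit."""
    return [p for p in ports
            if evaluate(rules, Packet("203.0.113.9", dst, "tcp", p)) == "permit"]


if __name__ == "__main__":
    print("source-keyed deny, new subnet:", rogue_subnet_check(DENY_B_TO_A))
    print("destination-keyed deny, new subnet:", rogue_subnet_check(PROTECT_A))
    for host in ("200.1.2.3", "200.1.2.4", "192.168.1.77"):
        print(host, "still reachable on", still_open(POSTED, host))
```

The two scenarios make the same point from different sides: a deny that names a source prefix only ever matches that prefix, and a deny that names one port only ever matches that port, so with a permissive last rule everything else falls through. Stating the protected destination (or the required service) and ending in an explicit deny removes that dependence on guessing the source.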


Recommendation on a Fusion Splicer?

Hello, fellow packet-poets and WAN-warriors!

I work for a WISP and we have been getting into more fiber lately. So much so that having a fusion splicer on hand seems like a good idea. I've done some homework and it seems like there are a lot of options out there.

Looking for something in the $2k-$6k range. We only use SMF. Relatively short runs (a few miles at most, but mostly will be for terminating fiber on the tower).

Any recommendations would be appreciated. Thank you!



IPS Recommendations

Currently run an ASA 5545-X with firepower services managed via FMC. Wanting to keep ASA but replace firepower. I've already looked into pfsense, palo alto, fortinet and meraki. All of them would be a firewall replacement just to replace our IPS and I am not wanting to do that. I am looking for a dedicated IPS solution, not a firewall with an IPS unless the IPS can be ran on its own until I migrated to the firewall.

Also looked at Barracuda, however they're a bit pricey like Cisco.

I've considered Suricata; however, going from an FMC to a Linux command line (I know Firepower is Linux) is a big shift. Still looking into this, however I don't see this being a practical replacement as no support is offered.

Looking for recommendations.



Scan ISP network for cisco devices

Hello, hoping to get some advice here.

So I work at an ISP and now we want to scan all our hosts and filter out Cisco devices.

At the moment I'm thinking just to ping all of our possible IP addresses and, if one is responding, run SNMP to check if it is a Cisco device. And if yes, just put it somewhere.

How would you try to achieve this task?
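Added example, not from the poster: the SNMP part of that plan, classifying a host by the IANA enterprise arc of its sysObjectID (1.3.6.1.2.1.1.2.0) rather than by grepping sysDescr, which is the more reliable vendor signal on your own inventory. Network I/O is abstracted into a fetch callable so the block runs offline; the responses, the 192.0.2.0/29 range and the model-specific tails of the OIDs are constructed. Cisco's private enterprise number 9 and Juniper's 2636 are the real IANA assignments.

```python
from ipaddress import ip_network
from typing import Callable, Optional

SYS_OBJECT_ID = "1.3.6.1.2.1.1.2.0"  # SNMPv2-MIB::sysObjectID.0
ENTERPRISE_ARC = "1.3.6.1.4.1."      # IANA private-enterprise arc
CISCO_PEN = 9                        # IANA PEN for Cisco Systems
JUNIPER_PEN = 2636                   # IANA PEN for Juniper Networks


def enterprise_number(oid: str) -> Optional[int]:
    """Vendor enterprise number from a sysObjectID, or None if not under the
    private-enterprise arc (some hosts return a non-enterprise OID)."""
    if not oid.startswith(ENTERPRISE_ARC):
        return None
    first = oid[len(ENTERPRISE_ARC):].split(".", 1)[0]
    return int(first) if first.isdigit() else None


def inventory(prefixes, fetch: Callable[[str], Optional[str]], pen: int = CISCO_PEN):
    """Walk every host address in the given prefixes; fetch(ip) returns the host's
    sysObjectID or None when it does not answer SNMP. Returns (matches, answered)."""
    matches, answered = [], 0
    for prefix in prefixes:
        for host in ip_network(prefix).hosts():
            oid = fetch(str(host))
            if oid is None:
                continue
            answered += 1
            if enterprise_number(oid) == pen:
                matches.append(str(host))
    return matches, answered


# Constructed responses standing in for real SNMP GETs of sysObjectID.0.
FAKE_ANSWERS = {
    "192.0.2.1": "1.3.6.1.4.1.9.1.1208",           # Cisco arc (model tail constructed)
    "192.0.2.2": "1.3.6.1.4.1.2636.1.1.1.2.29",    # Juniper arc (tail constructed)
    "192.0.2.3": "1.3.6.1.4.1.9.12.3.1.3.1001",    # Cisco arc (tail constructed)
    "192.0.2.4": "1.3.6.1.2.1.1",                  # not an enterprise OID
}


def fake_fetch(ip: str) -> Optional[str]:
    return FAKE_ANSWERS.get(ip)


def find_cisco(prefixes=("192.0.2.0/29",), fetch=fake_fetch):
    return inventory(prefixes, fetch)[0]


if __name__ == "__main__":
    print(find_cisco())
```

For a real run, swap fake_fetch for a function that issues the GET with your SNMP library of choice (or wraps `snmpget -v2c -c <community> <host> 1.3.6.1.2.1.1.2.0` from Net-SNMP) and returns None on timeout; the ping sweep the post describes is then only a pre-filter to shorten the list of hosts you query.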



How to workaround a software that only resolves the hostname once and then never again?

I have to use a piece of software that only resolves a machine's hostname once, so when the client switches from LAN to Wi-Fi/VPN the software can't reach the client anymore as it doesn't ask DNS for the new IP address.

I was thinking to give the software one completely separate IP-address that isn't used yet and then just NAT the clients real IP-address, which I can get from the hostname, to that "virtual" IP-address that the software knows.

If that sounds doable, how would I accomplish this?

If you can think of different solutions, please do let me know.



Verbiage for AnyConnect Second Factor Prompt

Hi all - Kind of embarrassed to ask this because I thought this would be a simple endeavor and I'm tearing my hair out.

We're testing out Okta's RADIUS agent behind our ASA for AnyConnect. We have 2FA enabled on Okta accounts. Password prompt and second factor auth works perfectly.

All I want to do at this point is change the verbiage which appears when the second factor prompt appears. By default, it's "Enter a passcode. Enter '0' to abort." I want to customize this to something my less-tech-savvy users can digest.

I've scoured the Internet and cannot for the life of me find out whether this prompt is customizable and if so, where it's stored.

Anyone have any idea?



Anyway to find out the vlan id that isp is using?

I want to use bridge mode, but for that I need a VLAN ID, which is not mentioned in the gateway's UI. I even contacted the local head engineer, but he doesn't have any idea about it, nor does he know about setting up bridge mode. Any help would be appreciated.



Static route - best practice

Hi,

So we have a network that I want to simplify and use static routes. Essentially, it just needs internet breakout ie: various VLANs need to go through to the firewall and go out that way hopefully

I'm thinking that if I put in a route of IP route 0.0.0.0 0.0.0.0 <exit interface> that'd catch everything, but not sure if that's really a "best practice"

That's certainly what they've done here:
https://www.pluralsight.com/blog/it-ops/ip-addressing-routing-default-static-routing



Network engineers in Insurance, what are you doing for IFRS17?

Hey guys, the company is starting to implement IFRS17. What was your involvement in making it happen from a network perspective?



Best large scale wifi solution?

I need to provide wifi to a large area that can support around 10k users. We've mostly used unifi in the past but I'd like to find other options for this. Aruba seems promising but I wanted to see what others thought.



OpenSource NMS for some older HP switches

Hey guys,
Do you all have any recommendations for an Open Source NMS for mostly HP 5412-96G zls and Aruba 2620 48s? Have about 20 of them in a very segmented environment... trying to get some smarter alerting/monitoring. Unfortunately our budget is $0.

Thanks!



Continuity test on fiber optic cable

I've recently found out that in our rented office space we have a fiber that terminates in the office next door.

I want to test to see if it's intact. So i tried shining light from a bright flashlight, but none comes out the other end.

Is this because the fiber is broken somewhere, or is it because only IR light will propagate through the fiber?

Any help would be greatly appreciated.



Microwave router?

So I'm coming from years on multiple tier levels of helpdesk support. I have moved to a network admin position at a new utility company, and one of the more confusing things for me is that they have several "microwave routers" set up at different sites. I have not found anything helpful online; can someone help me understand what these are?



VPLS Spanning-Tree Advice

Hi all,

I could do with some advice please on the best way to configure spanning-tree on a VPLS network we are migrating to.

We have 2 sites - Birmingham and London - and we want VLANs available in both with the default gateways being hosted on the set of redundant ASA firewalls in Colo. This is with the aim of long term active-active VMWare environments with cross site vmotion. For reference both our sites are using HP Aruba 3810 switches uplinked to on-site provider Huawei equipment with a VPLS Cisco ASA firewall

Anyway the provider can map nearly all of VLANs fine except VLAN1, which is our main DATA VLAN (I know we should migrate away from it, but that is a longer term goal than what we need to achieve right now). So from this our network provider is putting VLAN1 on a separate ether-channel to the other VLANS, untagged our side and then tagging it their side 1405 until it gets either site and back to untagged.

I have no real training in VPLS technology and wanted to understand it better, so with some spare HP ProCurve 2810s I lab-replicated our network environment and am playing around with how it all works. My confusion is around spanning-tree. I think it is working correctly, but I wanted to check with more knowledgeable people before I go ahead and implement this in production when we migrate. We have the option of MSTP or PVRSTP on our Arubas; I am currently playing around with MSTP.

Our provider said that they will not be replicating our spanning-tree regions on their equipment, so we will be handling it per site ourselves. I've got it working two different ways in my lab, one where our Birmingham core switch is root for all MSTP instances, and one where each site's individual core switch is root for its instances, and wanted advice on what would be best.

I am also thinking that my lab is probably going to act differently to how it will work in production as I do not fully know every part of VPLS technology Huawei or Cisco ASA provide compared to my pure HP lab, so if I am wrong about any of this I apologise!

For reference, Trk4 will carry all of our VLANs on one ether-channel except VLAN1, and Trk10 will carry just VLAN1 on its own ether-channel.

So below is method 1, where Birmingham is the root bridge for just two instances with both London and Birmingham in the same region:

Birmingham Core Switch

spanning-tree config-name MSTP
spanning-tree config-revision 1
spanning-tree instance 1 vlan 1
spanning-tree instance 1 priority 0
spanning-tree instance 1 trk4 path-cost 100000000
spanning-tree instance 1 trk10 priority 1
spanning-tree instance 1 trk4 priority 4
spanning-tree instance 2 vlan 2-4094
spanning-tree instance 2 priority 0
spanning-tree instance 2 trk10 path-cost 100000000
spanning-tree instance 2 trk4 priority 1
spanning-tree instance 2 trk10 priority 4

London Core Switch

spanning-tree config-name MSTP
spanning-tree config-revision 1
spanning-tree instance 1 vlan 1
spanning-tree instance 1 priority 1
spanning-tree instance 1 trk4 path-cost 100000000
spanning-tree instance 1 trk10 priority 2
spanning-tree instance 1 trk4 priority 5
spanning-tree instance 2 vlan 2-4094
spanning-tree instance 2 priority 1
spanning-tree instance 2 trk10 path-cost 100000000
spanning-tree instance 2 trk4 priority 2
spanning-tree instance 2 trk10 priority 5

Method 2: I had separate regions per site with separate instances to ensure spanning-tree stays local to each site.

Birmingham Core Switch

spanning-tree config-name BHX
spanning-tree config-revision 1
spanning-tree instance 1 vlan 1
spanning-tree instance 1 trk4 path-cost 100000000
spanning-tree instance 1 trk10 priority 1
spanning-tree instance 1 trk4 priority 4
spanning-tree instance 2 vlan 2-4094
spanning-tree instance 2 trk10 path-cost 100000000
spanning-tree instance 2 trk4 priority 1
spanning-tree instance 2 trk10 priority 4

London Core Switch

spanning-tree config-name LDN
spanning-tree config-revision 1
spanning-tree instance 3 vlan 1
spanning-tree instance 3 trk4 path-cost 100000000
spanning-tree instance 3 trk10 priority 1
spanning-tree instance 3 trk4 priority 4
spanning-tree instance 4 vlan 2-4094
spanning-tree instance 4 trk10 path-cost 100000000
spanning-tree instance 4 trk4 priority 1
spanning-tree instance 4 trk10 priority 4

Any advice would be much appreciated on the best method forward, or if I have my thinking totally incorrect and should be looking at it differently.



Allied Telesis x220 firmware

Hi! I'm searching for Allied Telesis x220 latest firmware (also with web GUI). Can anybody help me? Do you have it?



Fiber Optic networking

Hello all!

My workplace is interested in installing two fiber optic runs between three different buildings, to bridge an existing Ethernet/wireless network. My experience with fiber optics is limited, so I would like to ask for your opinions on this proposed set up, and if I'm missing something it would be greatly appreciated if it could be pointed out.

One run is direct burial, about 150M. The other is planned to be run through a pvc pipe, about 100M. Existing Ethernet network is Cat 5e/6. The ~100M run is expected to have much heavier use than the other. Since we don't have the tools to terminate our own cable, I'm looking at pre-terminated cable on LanShack.com. Budget is "cheap."

I'm thinking OM1 should work for both -- I understand it won't work at "optimal" 10G speed over either distance, but it should manage 1G, which is already faster than our existing network.

Single/multimode... I know single mode is better for long distances, but I'm not sure if either of these runs would be "too long" for multimode. I'm tentatively looking at multimode.

And then either StarTech or TrippLite media converters at either end of each run, to connect to the Ethernet network.

Suggestions are wholly welcomed! Thank you for your time!



Wednesday, July 29, 2020

I’m dreading setting up (upgrading) my home network, I know I’ll have issues and making threads is slow and a pain. Where could I get some live help for one night?

My work depends on an internet connection, so when I begin I can’t really let it fail and have to successfully set it up that night.

Basically I have a Comcast modem, and I have an aftermarket Unify Access Point Pro router which I actually use for spitting out my WiFi signal, and have my modem WiFi signal disabled.

A colleague set it up for me and I don’t necessarily know how.

I got a new modem from Comcast and I’m ready to upgrade, but I imagine when I plug in the new one it will mess up my existing Unify access point stuff, that’s the part I know I’ll need help on. I’d kinda like to set up a whole new network which means hard resetting my Unify stuff, and now I have two of them I’d like to place somewhere. My colleague downloaded my network software, but the computer that had the admin system is gone and I forget the password now. So I’m guessing I basically need to hard reset and start everything from scratch but I’m not even remotely a network expert.

Making threads is slow, I’m sure I’ll run into questions. Is there some way I could find a network specialist who could answer my questions as I try to go through it? Where would I look?



How prevalent is Equal Cost Multi Path (ECMP) BGP? Is it enabled by default?

I wonder how prevalent ECMP is. Do operators use it when they have equal-cost paths, such as in the case of parallel links? https://www.noction.com/blog/equal-cost-multipath-ecmp

Or it's something that is not enabled by default, e.g. due to operational complexity?



Why is router throughput quoted in half duplex? (Eg: 96Tb/s half duplex capable)?

I've been seeing a lot of high end enterprise routers quoting their abilities in half duplex, who cares about half duplex in any setting outside of wireless?



Guys I want to network my Home computer to office computer.

How can I achieve that without loss of speed? I used a Hamachi server but it's way too slow. I want something direct.



How to configure for EIGRP

Hi all, I'm doing this assignment and was wondering if I could get some help configuring EIGRP in a Packet Tracer assignment, or help with the following.

This is a Network configuration for multiple routing protocols; EIGRP and OSPF.  The EIGRP is configured ONLY for the External Website Server 209.165.100.0 network. 

The OSPF is a multi area network with 3 networks; Area 0 10.1.1.0 and 10.2.2.0. 

Area 1 is 172.168.100.0 and Area 2 is 192.168.200.0. 

There are 2 VLAN(s);

VLAN 10 on the 172.168.100.0 network.  Name for VLAN 10 is Students and VLAN needs to support 100 devices. 

VLAN 40 on the 192.168.200.0 network.  Name for VLAN 40 is Faculty and needs to support 100 devices.

Thank you!



I'm needing some help proving that it's ATT's fault.

Hey everyone.

I manage a couple Cisco ISR 4000 series routers that are connected to ATT's ciena service switches that they use to provide their ASE service.

My customer's internet was upgraded, so I went to go double check the duplex settings.

They were 100 megabit/half duplex that were gained from autonegotiation.

Since I was directed to set the settings to 1000 megabit full duplex, I did. All of a sudden, traffic on that interface ground to a halt, and I gained a whole host of network problems. So I set it back to what it was, thinking it was a duplex mismatch that caused the problem, and the traffic was fine.

I thought that ATT had statically set their duplex settings, which was why my router interface had so many issues when I changed the settings. But when I reached out to the customer's IT department, they refused to do anything about it, said I was uninformed, and are refusing to open a ticket with ATT.

Am I utterly wrong? Is there something I'm missing?

If not, how can I prove that ATT statically set their duplex settings?



Server guys bought a back up server without consulting me. Has a Rj45 Cat 6 10 GB port. Our Fexes are 1gb, which hook up to 9K's with only sfp slots. Will a 10GB sfp to RJ 45 connection in the 9k work?

So believe it or not, Cisco doesn't make this part anymore according to this community thread.

https://community.cisco.com/t5/optical-networking/does-cisco-have-any-10g-copper-sfp/td-p/3807140

But there are aftermarket parts that seem to do the trick. I've never been one to do this considering you can just go twinax with a hba/fiber card, but do you think this aftermarket part will work

https://www.fs.com/products/66613.html?currency=USD&paid=google_shopping&gclid=Cj0KCQjwvIT5BRCqARIsAAwwD-RqZ0hKHHvTS4yAIIrobJZYT1LhehsITUSo_7bZ9M8BydKycUjX7JkaAj4kEALw_wcB



Century Link CBRAS

I have what is described here: https://www.reddit.com/r/centurylink/comments/b9u6mj/centurylink_cbras_what_it_is_and_how_it_works/?utm_source=share&utm_medium=ios_app&utm_name=iossmf

I am trying to use my static IP on a pfsense box but can’t figure out how to do this. I get a DHCP address and the internet is up and working, but without “LAN subnetting” I can’t use my static. Help?



BOSON Tests (350-401)

I just bought the BOSON 3-pack of exams and I'm almost through the first one. Holy shit, there is a ton of information they ask that is not in the 350-401 ENCOR blueprint. I actually got a question about how IS-IS works, and it literally pissed me off. This is just one example, but IS-IS is clearly NOT on the exam.

There are several other topics that are not on the blueprint. It seems like BOSON just left half of their old questions on the exams and added a few new ones. BOSON does offer a very detailed explanation, which I do appreciate. But if they can't get the material right, then this isn't much help.

I found a promo code and bought the exam 3-pack for around $75, and it's still not even close to worth it. You may as well just use the OCG from CiscoPress as they have 400 or so questions included. They aren't perfect, but at least they are all on the 350-401 blueprint.

I also bought BOSON's 350-401 lab pack a few months ago and was highly disappointed in this as well. The CBTNuggets videos all come with labs which are 10x better than this junk.

BOSON, fix your expensive, poorly constructed shit!



Beautiful labelling

Hi,

I've always liked "beautiful labels" created by software where you can see a shit tonne of detail on a relatively small label whilst still being legible. The label also has been designed so that there is some white space where you can flip the label over, and make it a lot stronger ie: where you can see the detail on one side and the length on the other side

I've created the following labels for people to use as a design template. I created this using Brother's P-touch Editor Software but it may well work for other vendors like Dymo too

I've got a couple of example labels there too. If there's anything I've taken from the first company I've ever worked for it's damn good labelling. I personally have a Brother PT 750W label printer using 12mm Tze231 compatible label tapes. This again is not a plug for Brother and may well work for other brands but I made this using a Brother printer years and years ago

The link where you can download this is at:

https://www.dropbox.com/sh/jckkscf15di3dji/AACFQTBoHbmFSeXguT6hYHLCa?dl=0



Netgear S3300 Auto-Voip Tagged ports getting reset

Sorry, my reddit-fu is failing me this morning; I'm trying to cross-post since I didn't get any response in the r/NETGEAR channel.

Hey everyone, I'm looking for some help with Auto-VoIP on some Netgear S3300 switches.

I have several S3300 switches (not stacked) throughout my facility linked together with "trunked" vlans. The problem I'm having is that previously with Netgear switches I've set up my tagged ports to link switches together, then enabled OUI based Auto-Voip on the ports where I expect to have phones and everything just works.

On these switches that does work, however if you try to update tagged ports after enabling Auto-Voip it throws an error. And if the switch reboots or you backup and re-load your config the switch no longer has the port(s) marked as tagged that we use for the trunk between switches.

My first thought was that I must not be following the way this stuff is supposed to work, however I cannot find any documentation on how the "Right" way is to set up auto-voip with multiple vlans tagged over a backhaul link to core infrastructure. Can anyone explain how this is supposed to work or link me to Netgear docs on the topic?

Thank you in advance.

https://www.reddit.com/r/NETGEAR/comments/hzk1ap/s3300_autovoip_tagged_ports_getting_reset/?utm_source=share&utm_medium=web2x



Recommendation for 10G SFP+ to 10GBASE-T transceiver for Mellanox switch

Howdy folks: I have a storage/compute cluster that is tied together with a Mellanox switch: Mellanox Model MSX1016X-2BFS 10 GbE SX1016 64-port SDN with SFP+ ports.

I have an opportunity to add a NAS to this network, however the NAS only offers a 10GBASE-T port.

After doing some research I have come across a transceiver that appears to adapt from SFP+ port to the 10GBASE-T: https://www.hpcoptics.com/Mellanox-MFM1T02A-TX

I am wondering if anyone has used such a device in the past and if you found it works and indeed connects at 10 Gb/s.

The NAS and the switch will be in adjacent server racks. Are there any specific cabling issues I should be aware of?

Thanks in advance for any suggestions.



Replacing VPLS with EVPN on Juniper MX

We currently provide public diverse DIA datacenter connectivity on access ports using VPLS and VRRP on an IRB interface. We have two MX960's running MPLS to do this.

I'd like to switch to using EVPN for this instead; with IPv4 becoming more expensive we'd also prefer not to waste IPs doing VRRP.

Does anybody have a basic config for doing this with EVPN? We'd also like to hand off the two ports to the customer on two separate EX4200s running virtual-chassis. Each EX4200 VC has 10G to each MX960. Does this sound sane?



Anyone here good with Ansible? Trying to connect to some cisco switches and getting errors

Wrote my first playbook and when trying to run it, I am getting some errors.....

fatal: [x.x.x.x]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "msg": "Failed to authenticate: Private key file is encrypted"}

Can anyone point me in the right direction on what I need to do? I assume its something with the RSA key, just not sure how to fix it, not having much luck searching on google.



Thank you, I'm shutting down

Hi guys,

After almost 7 years of operations, I'm shutting down my ISP. The good folks here have always helped find a solution for my challenges and I'm grateful to have interacted with you all.

Good luck to all of you



Moving company fiber modem, not sure what cable I need

I manage the IT systems for my employer and we are in the process of moving all networking and server equipment to one location in the office. Until now there were 3 separate locations where switches were located. We would like to move the existing fiber modem to the new server/networking room as well since the room it is in now will soon be used for storage. I will need to order a cable roughly 100' long but I want to make sure I order the correct type of fiber and one with the right terminations. It will run through conduit in the ceiling that we have already installed.

The modem is a Sumitomo Electric FTE6083 and it has what appears to be a single link fiber connection to the Spectrum demarc.

I tried to figure out what type of terminations were installed but there seem to be quite a few different kinds. Please let me know if any pictures would help.

Thank you



Network Design - SVIs on Firewall or Core Switch?

I've seen this:

https://www.reddit.com/r/networking/comments/f80v5r/gateways_on_core_switch_vs_firewall/

Where one person says make them on switches for speed, and firewalls for security (assuming you VLAN an interface off)

But another person says "It depends on what your firewall can handle"

On Spiceworks, people are equally split on this:
https://community.spiceworks.com/topic/754553-should-i-build-a-vlan-between-firewall-and-core-layer-3-switch

What would you recommend? For Scalability too



Pass Through the Firewall

The topology looks like this. The goal is to make W-client connect to the Firewall and be able to browse the website and use the DNS service, but not connect to DC and Sales-PC. The problem I encountered is that I use iptables and block W-client on the Firewall; however, the Firewall can only protect itself, and W-client can still access DC and Sales-PC. Please, someone help.

The only command I use on iptables is blocking the W-client IP (iptables -A INPUT -s IP-Address -j DROP).
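Added example (not the original poster's configuration) showing why the rule above does nothing for the other hosts: an `INPUT` rule only matches packets addressed to the firewall itself, while packets that transit the box between W-client and DC or Sales-PC are evaluated in `FORWARD`. This only applies if the firewall is actually the router between W-client and those hosts; if they sit on the same switch or VLAN, the packets never reach it and the filtering has to happen elsewhere. All addresses below are assumptions, since the post's diagram is not shown.

```shell
#!/bin/sh
# Added example; not the original poster's configuration. All addresses are
# assumptions for illustration, since the post's topology diagram is not shown.
WCLIENT=192.168.10.50   # W-client (assumed)
DC=192.168.20.10        # DC (assumed)
SALES=192.168.20.20     # Sales-PC (assumed)
WEB=192.168.20.30       # web server W-client is allowed to reach (assumed)
DNS=192.168.20.53       # DNS server W-client is allowed to reach (assumed)

# Emit the rule set in iptables-restore format. Packets that pass through
# the firewall between two other hosts are evaluated in FORWARD; INPUT only
# sees packets addressed to the firewall itself, which is why the posted
# "-A INPUT -s W-client -j DROP" protects the firewall and nothing else.
gen_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $WCLIENT -d $WEB -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s $WCLIENT -d $DNS -p udp --dport 53 -j ACCEPT
-A FORWARD -s $WCLIENT -d $DNS -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s $WCLIENT -d $DC -j LOG --log-prefix "FWD-DENY-DC: "
-A FORWARD -s $WCLIENT -d $DC -j DROP
-A FORWARD -s $WCLIENT -d $SALES -j LOG --log-prefix "FWD-DENY-SALES: "
-A FORWARD -s $WCLIENT -d $SALES -j DROP
-A FORWARD ! -s $WCLIENT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of FORWARD rules naming a destination; used as a self-check.
count_forward_rules_to() {
    gen_rules | grep -c -- "-A FORWARD .*-d $1 "
}

# Load the rules and enable routing. Needs root; run only on the firewall.
apply_rules() {
    gen_rules | iptables-restore
    sysctl -w net.ipv4.ip_forward=1
}
```

The default `FORWARD` policy is `DROP`, so W-client is limited to what the two `ACCEPT` lines permit even without the explicit DC/Sales rules; those are kept with a `LOG` target so a denied attempt is visible in the kernel log rather than silently vanishing. `gen_rules` prints the table without touching the system, so the rule set can be reviewed with `gen_rules | less` before `apply_rules` is run as root.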



Do we need to be worried about concentration risk with CDN? eg: Cloudflare/Akamai

As the title says, Do we need to worry about the concentration risk towards CDN? Of course, internally there will be replications and redundancies to handle the failures but the recent outages are examples of concentration risks.

For a company "X" which lost millions during the outage, it makes sense to invest in N+1 redundancy across all single points of failure.

If we can summarize the entities which are keeping the internet infra running, What are the top companies "running" the internet? What are my options to keep N+1 redundancy with vendors?

Thoughts?



ASAs stable IOS release

Hi guys,

we have a couple of:

  • ASAs 5525 running 9.9(2) (asa992-smp-k8.bin)
  • ASAs 5512 running 9.2(2)4 (asa922-4-smp-k8.bin)

we have to upgrade IOS to address the CVE: https://nvd.nist.gov/vuln/detail/CVE-2020-3452#match-5553983

Can you let me know which IOS versions we should install? The ASAs are used as VPN concentrators with AnyConnect clients. We have a 5525 master/slave setup in our HQ.

Thanks



Improve single stream connection between two site, TCP Window Sizing

Hello,

I have two sites each running pfSense and an Arch Linux server behind the router. Ping from site A to B shows an RTT of about 46ms (0.046s). The theoretical line speed is about 150 Mbps. If you consider some losses then we can take this to 140 Mbps.

If I run 20 parallel iperf sessions between the two sites I get line speed:

$ iperf3 -c siteB -p 5201 -P 20
Connecting to host siteB, port 5201
[SUM] 0.00-10.00 sec 185 MBytes 155 Mbits/sec 290 sender
[SUM] 0.00-10.05 sec 173 MBytes 144 Mbits/sec receiver

A single stream can only get me 14 Mbps:

$ iperf3 -c siteB -p 5201
Connecting to host siteB, port 5201
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 16.6 MBytes 13.9 Mbits/sec 32 sender
[ 5] 0.00-10.05 sec 14.1 MBytes 11.7 Mbits/sec receiver

I was hoping to increase the single connection speed between the two sites by adjusting the TCP window size.

The ideal TCP window size = 150E6*0.046/(8*1024)=786KB.

However I am not able to set it, and the maximum I can go is 416KB:

$ iperf3 -c siteB -p 5201 -w 786K
Connecting to host siteB, port 5201
iperf3: error - socket buffer size not set correctly

With a window size of 416KB, I still get poor speed:

$ iperf3 -c siteB -p 5201 -w 416K
Connecting to host siteB, port 5201
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 15.5 MBytes 13.0 Mbits/sec 21 sender
[ 5] 0.00-10.05 sec 14.8 MBytes 12.3 Mbits/sec receiver

I checked the default window size in Arch Linux:

# sysctl net.core.wmem_max; sysctl net.core.rmem_max; sysctl net.core.rmem_default; sysctl net.core.wmem_default; sysctl net.ipv4.tcp_rmem; sysctl net.ipv4.tcp_wmem; sysctl net.ipv4.tcp_window_scaling
net.core.wmem_max = 212992
net.core.rmem_max = 212992
net.core.rmem_default = 212992
net.core.wmem_default = 212992
net.ipv4.tcp_rmem = 4096 131072 6291456
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_window_scaling = 1

The default size is 208KB = (212992/8) which is lower than my ideal window size of 786KB.

Is there anything I can do to improve the single connection speed?
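Added example, not from the original post, that ties the numbers above to the kernel knobs involved. Two different limits are in play. An explicit `iperf3 -w` becomes a `SO_RCVBUF`/`SO_SNDBUF` request, which Linux clamps to `net.core.rmem_max`/`wmem_max` and then doubles, so the largest value that sticks is 2 * 212992 = 425984 bytes, i.e. the 416K ceiling seen above; that is why `-w 786K` fails. A stream without `-w` uses autotuning instead, whose ceiling is the third value of `net.ipv4.tcp_rmem`/`tcp_wmem` (6 MB and 4 MB here), which already exceeds the roughly 805 KB bandwidth-delay product for 140 Mbit/s at 46 ms. So raising `net.core.*mem_max` makes the `-w` test possible, but the posted sysctls do not by themselves cap the plain single stream; the non-zero Retr column in the iperf output is the next thing to look at. Note also that setting `-w` disables autotuning for that socket, and that these are Linux knobs for the Arch hosts, not for the pfSense boxes. The sysctl text is copied from the post as the script's sample input.

```shell
#!/bin/sh
# Added example; not from the original post. Relates the bandwidth-delay
# product to the kernel knobs that bound what iperf3 -w and TCP autotuning
# can actually use.

# Sample sysctl output, copied from the post above (constructed input).
SAMPLE_SYSCTL='net.core.wmem_max = 212992
net.core.rmem_max = 212992
net.core.rmem_default = 212992
net.core.wmem_default = 212992
net.ipv4.tcp_rmem = 4096 131072 6291456
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_window_scaling = 1'

# bdp_bytes <bits_per_second> <rtt_seconds>: bytes in flight needed to fill the pipe.
bdp_bytes() {
    awk -v bw="$1" -v rtt="$2" 'BEGIN { printf "%d\n", bw * rtt / 8 + 0.5 }'
}

# Ceiling for an explicit iperf3 -w: Linux clamps the SO_RCVBUF/SO_SNDBUF
# request to net.core.rmem_max/wmem_max and then doubles it (the extra half
# is bookkeeping overhead), so the largest value that sticks is 2 * mem_max.
max_explicit_window() {
    echo $(( $1 * 2 ))
}

# sysctl_field <key> <n> <output>: n-th value (1-based) of a "<key> = v1 v2 v3" line.
sysctl_field() {
    printf '%s\n' "$3" | awk -v k="$1" -v n="$2" '$1 == k { print $(2 + n); exit }'
}

# recommend <bps> <rtt> <sysctl_output>: print the sysctl settings needed for
# the BDP to be reachable. Exit status 0 if nothing needs raising, 1 otherwise.
recommend() {
    bdp=$(bdp_bytes "$1" "$2")
    rmem_max=$(sysctl_field net.core.rmem_max 1 "$3")
    wmem_max=$(sysctl_field net.core.wmem_max 1 "$3")
    rmin=$(sysctl_field net.ipv4.tcp_rmem 1 "$3")
    rdef=$(sysctl_field net.ipv4.tcp_rmem 2 "$3")
    rmax=$(sysctl_field net.ipv4.tcp_rmem 3 "$3")
    wmin=$(sysctl_field net.ipv4.tcp_wmem 1 "$3")
    wdef=$(sysctl_field net.ipv4.tcp_wmem 2 "$3")
    wmax=$(sysctl_field net.ipv4.tcp_wmem 3 "$3")
    status=0
    echo "# BDP for $1 bit/s at $2 s RTT: $bdp bytes"
    if [ "$rmem_max" -lt "$bdp" ] || [ "$wmem_max" -lt "$bdp" ]; then
        echo "# explicit -w is capped at $(max_explicit_window "$rmem_max") bytes; raise the socket caps:"
        echo "net.core.rmem_max = $bdp"
        echo "net.core.wmem_max = $bdp"
        status=1
    fi
    if [ "$rmax" -lt "$bdp" ]; then
        echo "# autotuning receive ceiling is below the BDP:"
        echo "net.ipv4.tcp_rmem = $rmin $rdef $bdp"
        status=1
    fi
    if [ "$wmax" -lt "$bdp" ]; then
        echo "# autotuning send ceiling is below the BDP:"
        echo "net.ipv4.tcp_wmem = $wmin $wdef $bdp"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "# current settings already allow a $bdp byte window"
    fi
    return $status
}

# On a live host: recommend 140000000 0.046 "$(sysctl net.core.rmem_max net.core.wmem_max net.ipv4.tcp_rmem net.ipv4.tcp_wmem)"
```

Run against the posted values, `recommend 140000000 0.046 "$SAMPLE_SYSCTL"` reports the 805000-byte BDP, flags that `-w` is capped at 425984 bytes and prints raised `net.core.rmem_max`/`wmem_max` lines, and prints nothing for `tcp_rmem`/`tcp_wmem`, whose maxima are already above the BDP. Lines it prints without a leading `#` can go straight into a file under `/etc/sysctl.d/`.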



Tuesday, July 28, 2020

Raspberry pi bonding eth0 & wlan0 to route wg0 - help

Wireguard server is currently routing through eth0 only.

Can I create a new bonded interface like ethfi0 by fusing eth0 and wlan0, and route all wg0 traffic (wireguard interface)?

Objective is to use that to 1. maximize throughput, 2. be failsafe if either eth0 or wlan0 goes down.

Is that possible?

Thanks



Netflow reporting software

Hi all,

Are there any cheaper alternatives that do what Solarwinds Netflow Traffic Analysis does?

Only need to receive data from 1 Juniper SRX550. Has to be able to record data and report on it (Eg top 10 talkers for last 7 days). I tried PRTG but it does not seem to have any reporting ability for flow data.

I think ntop can do this, not sure. Can anyone confirm?



Development vs Networking degree

I am attending a community college and obtaining an associates in Computer Information Technology. We have to pick a focus: Networking or Development.

I am interested in both, but I worry about the job prospects with Development since I have the perception that Programming jobs require Bachelor’s degrees. I don’t know about Networking jobs, though.

I suppose with either I could probably land a basic IT degree though, right?



Critical Secomea, Moxa, Ewon pre-auth RCE vulnerabilities. CVE-2020-14500, CVE-2020-14511, CVE-2020-14498 (crosspost)

Crosspost from https://www.reddit.com/r/PLC/comments/hzrekl/critical_secomea_moxa_ewo_preauth_rce/

Secomea GateManager, Moxa EDR-G902/3 and eWon’s eCatcher have had pre-auth RCE vulnerabilities discovered. Patch ASAP.

The discovered bug occurs due to improper handling of some of the HTTP request headers provided by the client. This could allow an attacker to remotely exploit GateManager to achieve remote code execution without any authentication required.

https://www.claroty.com/2020/07/28/vpn-security-flaws/



How Do Digital Meeting Tools Work

I work in a school as a network admin and I'm curious, because of covid, how Zoom, Google Hangouts, Teams, etc. work. Sorry if this has been asked before. Do users connect directly to each other, sending and receiving audio and video from and to each person in the meeting? Or does everyone connect to a server in the cloud that shares everything to each of the participants? My org is worried about bandwidth issues sending and receiving 1,000s of video streams to and from students. Does anyone know about how much bandwidth per meeting participant is required? Thanks in advance!



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



HP 1920s Link Aggregation

Is HP 1920 able to do link aggregation?

I can have access to a HP 1920-48G, but I would like to know if I can aggregate three 100 Mbps links to distribute over the server room.

Is it possible to do that on HP?



School Help Needed PLS

Hi y'all! I have a school project I need help with. This 10-question research form is where I would LOVE to have everyone give me their input! Thank u :)

https://forms.gle/WgfrBrgg8EFDZjKn9



Data Center Cabling Tips and Tricks - Ideas

Dear r/networking - I am wondering what your current cabling tips and tricks are for the dc.

I wanted to get other peoples setups and make a final combined list of recommendations. I am always looking to test new things that come up. Looking for any new good fiber to cat6 cable labeling.

Recommendations for

-Fiber cabling

-Fiber labeling

-Cat6 cabling

-Cat 6 labeling

What my setup is below :

Patchsee cables for the dc, replacing all panduit for them. The light cables are awesome. Had an engineer join the team about 2 years ago and he recommended them from a big Medical company. They do take several weeks to come but they have been life savers.

Data Center/IDF/MDF

Handheld Labeler LS8EQ-KIT-ACS "Includes LS8EQ printer with QWERTY keypad, one cassette of S100X150VAC self-laminating labels, six AA alkaline batteries, LS8E-ACS, LS8-CASE, LS8-PCKIT, LS8-IB, LS8-WS, quick reference card, and operator's manual."

Fiber

Fiber Labels -

"LabelCore"

NWSLC-2Y-AQ Aqua, cable identification sleeve for 2mm simplex cable

NWSLC-2Y Yellow, cable identification sleeve for 2mm simplex cable

NWSLC-3Y Orange, cable identification sleeve for 3mm simplex cable

S100X160VAC White print-on, self-laminating vinyl label 175/cassette. For use with NWSLC-2Y, NWSLC-3Y, and NWSLC-2Y-AQ

Cat 6

Turn-Tell® Label Cassettes R100X150V1C White

Turn-Tell® Label Cassettes R100X150V2C TIA Blue

Turn-Tell® Label Cassettes R100X150V3C TIA Green

Turn-Tell® Label Cassettes R100X150V7C TIA Red

Turn-Tell® Label Cassettes R100X150V8C TIA Yellow

New Building - Mass Port Printing / Jack Etc

TDP43ME-KIT TDP43ME printer kit. Includes: printer, Panduit® Easy-Mark Plus™ Labeling Software, RMEH4BL black hybrid ribbon, AC power adapter with US power cord, USB cable, user manual, quick start card, TDP43ME-RS Roll Stand, TDP43ME-CASE, one roll of S100X150VATY labels, and driver disk; for use in North America.

Cat6/Cat6a Labels - "Turn Tell" IDF/MDF R100X225V1C White print-on area, 8 – 4 AWG wire/cable, Cat. 6 FTP and Cat. 6a/10Gig cable, 75/cassette.

Cat6/Cat6a Labels - "Turn Tell" DC Blue Zone R100X225V2C Blue print-on area, 8 – 4 AWG wire/cable, Cat. 6 FTP and Cat. 6a/10Gig cable, 75/cassette

Cat6/Cat6a Labels - "Turn Tell" DC Green Zone R100X225V3C Green print-on area, 8 – 4 AWG wire/cable, Cat. 6 FTP and Cat. 6a/10Gig cable, 75/cassette

Cat6/Cat6a Labels - "Turn Tell" DC Yellow Zone R100X225V8C Yellow print-on area, 8 – 4 AWG wire/cable, Cat. 6 FTP and Cat. 6a/10Gig cable, 75/cassette.

Cat6/Cat6a Labels - "Turn Tell" DC Red (Security) R100X225V7C Red print-on area, 8 – 4 AWG wire/cable, Cat. 6 FTP and Cat. 6a/10Gig cable, 75/cassette



Can someone help me understand how this telephony networking scenario (might) work?

We are working with a telephone vendor who has a SIP phone switch installed at two of their customer offices: let's call them Headquarters and Branch. In order to facilitate work-from-home the phone company wants the IP phones to first connect to Headquarters phone switch, but also have the ability to connect to the Branch phone switch. The phone system manufacturer (NEC) provided a sample network diagram, which I posted here: https://imgur.com/a/YTCGqGX

In the "real world" case, there is only one router/firewall at Headquarters, not two as shown in the proposed diagram. The single WatchGuard Firebox provides HQ with both its internet connection and establishes the site-to-site VPN between HQ and the Branch. The Branch also has a WatchGuard Firebox.

The vendor tells us that they need UDP ports 20020-20051 and UDP ports 20052-20083 forwarded to the HQ gateway that does the VPN between the two sites. I have two concerns about this:

1) How will the network get those UDP packets to the Branch office phone switch (pictured on the right side of the diagram) ? They aren't asking us to set up any port forwarding on the Branch router.
Does it make sense that these packets will magically end up in the Branch office phone switch?

2) Are we creating a potential security hole by accepting those UDP packets from the internet and sending those packets to the LAN side gateway in the HQ internet router?

We had originally configured the HQ router to send the incoming UDP packets directly to the Branch office phone switch (destination IP 192.18.2.10) but the vendor says that isn't working and we have to do what the diagram says.

Any insight would be appreciated.



Providing COLO with Minimal IP waste?

Howdy,

The company I work with currently offers COLO for its customers in the SMB market. To date the customer would either be provided a small subnet (/30, /29, etc.). A vast majority of the customers who want COLO only need 1-2 IPs. For this we have a big shared subnet and inform the customer of their gateway and usable IPs. This hasn't posed any issues yet, although as you can imagine it's just asking for future issues with individuals being able to use IPs that are not necessarily their own.

How would you best approach providing minimal IPs without wasting the additional IPs to create dedicated subnets?



vPC Member ports vs Classic LAG

vPC on Nexus devices (Member ports) vs Classic LAG. My question is what is the difference between the two, why is the member id command required (What does it tell the vPC domain, that allows it to properly bond the interfaces and create a singular link and therefore eliminate spanning tree)?



How to troubleshoot being unable to PING a remote network over VPN

Hi,
We have site to site vpn with a company who manages our in-house software. They have allowed 5 IP addresses to be able to PING & connect to their SQL server (port 1433) on their end over the vpn tunnel. Their SQL server IP is 192.168.20.10.

We use Cisco ASA.

I have added 4 IP to the VPN connection profiles.

object-group network DM_INLINE_NETWORK_10

network-object object 172.24.12.11

network-object object 172.24.12.12

network-object object 172.24.12.13

network-object object 172.24.12.14

object network ExtDev-Subnet-1

subnet 192.168.20.0 255.255.255.0

access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_10 object ExtDev-Subnet-1

nat (inside,outside) source static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10 destination static ExtDev-Subnet-1 ExtDev-Subnet-1 no-proxy-arp route-lookup

The problem is that one of our hosts, 172.24.12.12, cannot ping or telnet to 192.168.20.10 or their gateway 192.168.20.1. The other 3 hosts have no problem with ping/telnet.

Local Firewall on 172.24.12.12 has been disabled. As a test I have temporarily assigned 172.24.12.12 to a Windows 10 client which also couldn't ping/telnet.

They (192.168.20.0/24) have no problem pinging our 4 servers. I have asked them to check their firewall config and they said all looks good on their end and they think it's something on our end.

How do I troubleshoot this ? Any help on this will be much appreciated, thank you.



Getting Started with Network Automation

Hello all!

How did you guys implement network automation in your company when you first started to use automation?

For example I have a task that requires to make the same change on numerous devices, the changes are simple and are on a wide range of devices (3850's,2960's, etc). Ideally I can use something like Ansible to do the changes but currently the company I work with does not implement such solutions and it will be very tedious to do these changes one by one

How did you guys first start using automation tools such as Ansible? Did you spin up your own VM and push the changes out that way from your device?

Thanks!



Sierra Wireless AirLink RV50 questions

Hi,
Apologies if this is the wrong sub.. I looked around.
I recently came into possession of one of these RV50's & see they go for over $500 on eBay etc..
What are they for, how are they used?
Trying to see if there's an application in my office (small) or at home or if I should just sell it.
Sierra Wireless AirLink RV50 D 3.0

Thanks in advance



What could be the suitable easy/medium project that i can do during my end year semester

Help... I ran out of ideas for my project. Can anybody suggest something??



Anyone use OpenDNS with CenturyLink CBRAS Static IP?

CenturyLink has begun moving some of our WiFi circuits to CBRAS and I am having an issue getting OpenDNS to see the traffic.

The static Network ID is configured on the modem on ETH1 on our LAN Subnet correctly. The static IP is configured on our Ubiquiti UDM correctly and I have configured the OpenDNS IPs on the UDM. Internet traffic is passing and is being recognized as being on the static IP and not the dynamic IP assigned to the modem. The problem is, OpenDNS is not seeing any of this traffic and the status is "inactive" in the GUI.

If anyone is familiar with how CBRAS works, should I be applying the DNS IPs on our device or somewhere on the CenturyLink modem? I assumed it would be on our device since the modem is technically using DHCP to reach back to CenturyLink.

Thanks in advance.



Dealing with limited satellite bandwidth for a large site?

Any other highly isolated admins here share the struggle of managing limited satellite bandwidth and no chance for fiber? I'm looking at you folks: remote islands, northern Canada territories, desert, polar, big boats, aircraft, etc.

Few questions

  1. Can anyone here claim the fastest SCPC satellite connection here? Geo sat? O3b MEO? HTS beam? Dish size? Band? Transponder BW? Modulation rates? --- how many users?
  2. For those that have dedicated SCPC satellite connectivity, are your modems at fixed modulation or ACM to maximize bandwidth? For those with ACM, are you doing QoS on the modem or on your routers and using SNMP to poll the modem for current negotiated speeds?
  3. For those supporting enterprises - are you using WAN optimization (e.g. Cisco/Exinda/Riverbed) or SDWAN to do TCP acceleration/enterprise SSL decryption?
  4. How happy are your folks with the user experience of high latency and limited bandwidth? how are you limiting bandwidth use? cafe style several GB/day allocations? throttling per client connections? micro flow policing? On site appliance caches for Apple/Netflix/Streaming/etc?
  5. Any other tips and tricks to maximize SCPC satellite connectivity and ultimately get the best user experience?
  6. What is your backup circuit? Another satellite and ground station? Inmarsat? Iridium?

The environment I'm supporting does not have the best QoS policy; it basically lets the 25/12 Mbps SCPC circuit (Geo/10m/Ku band/non-HTS/non-ACM) for 800+ users become underutilized during off-peak hours because of the QoS design. Our Riverbed Steelheads can probably be optimized to do more SSL decryption on enterprise content, with a holistic analysis of more corporate traffic to decrypt through this. For non-work hours, I'm finding that there is too much demand for internet and social media usage for WAN optimization to be useful on personal devices.

I'm waiting for the new constellations from Starlink/OneWeb/O3b mPOWER but it can't come soon enough.



5.122.112.0

Does someone else think those ancient IPs are spooky? Like when I see that single-number IP address I imagine the router is an ancient spooky machine located in some underground fallout bunker.

Have you ever seen an IP between 1.xxx.xxx.xxx and 9.xxx.xxx.xxx having normal traffic or something?? I bet no, because those are like ancient spooky IPs; no one knows who owns them, they're just there in the wild being spooky.

What are some spooky networking stories?



Support for ISE and 3rd Party Firewall VPN Posture

Hello Everyone,

I would like to know, does the ISE support VPN Posture with 3rd Party Firewalls like Sophos.

VPN clients are terminated on Sophos Firewall and I need to do posture verification like Antivirus is installed and updated.

Is it possible with ISE 2.6 and Sophos Firewalls? If not, then what could be other possible solutions?



Networking Learning Path

Hey guys, I am an Infosec student who wants to learn networking. Currently, I have a premium ITPro.tv subscription since many networking content creators like NetworkChuck recommend it.

Can you guys suggest me a good Training Path (List of Courses) that I could do on ITPro.tv to improve my networking skills?

I should add that I already took a Network+ Training from Jason Dion.



Help Cabling guidelines

Hi Experts,

I need some help on some cabling guidelines (namely fiber) on which type of fiber to use and to which connector and match to an SFP that is supported by a given device.

I was recently assigned to oversee a new network deployment project, but up until now I was only working on the high level designs, never really caring about the black magic of the physical layer.

I already know the differences between SC/LC connectors, Multimode vs Single mode, etc.

The one thing that I do not know is how to put everything together, from choosing the right module to the right transceiver to the right fiber cable.

If anyone can share some guidelines or tell me where to learn this stuff would be very helpful.

Thanks in advance!



Aruba and PTP (IEEE 1588)

Hey,

anybody have Experience/Knowledge with Aruba Switches and PTP (Transparent) IEEE 1588?

In my case I have some broadcast equipment that needs to use PTP in two racks. I had a look at the 2930M series; Aruba announces them as PTP compatible, but if you have a closer look it says:

¹ IEEE 1588v2 (PTP) is not supported on the following 2930M models: JL323A, JL324A, R0M67A, R0M68A or 2930M modules: JL325A, JL078A, JL081A, JL083A

For the switches that is OK, I do not need the Smartrate features. But if the modules (the only way to get SFP+) do not support PTP, how are you supposed to operate PTP in the whole network?

As far as I see it, each switch on its own would only handle PTP but will not forward it over the module uplink? In theory, could I "cheat" and do a trunk with SFP 1Gig and a trunk with SFP+ 10G and only let the management network VLAN + default VLAN go over 1G (PTP included) and all other VLANs over 10G? Wouldn't that in theory work?
As far as I see it each switch at it own would only handly PTP but will not forward it over the Module Uplink ? In Theory could I "Cheat" and do a Trunk SFP 1Gig? and A trunk with SFP+ 10G and only let the management network VLAN + default VLAN go over 1G (PTP included) and all other VLAN over 10G wouldnt that in theory work?