Saturday, August 8, 2020

Thinking of moving from Palo Alto to Cisco Firepower

Hey guys,

As the title mentions, I'm planning to move away from Palo Alto to Firepower, due to horrible support in my part of the world.

Plus the pricing is pretty high, and we are already going Cisco ISE, Cisco Duo, Cisco AMP4E and Cisco Umbrella. I saw a lot of posts on /r/networking about issues facing FTD, so I am a bit worried.

But I definitely think I'd rather have Cisco support over PAN for my card data environment. We had the 3020s from Palo Alto, but it's time to upgrade to the 850s; however, I'm tired of the horrible support, especially the wait times. It has reached a stage where we fear having to call support. We even went Fortinet for our edge due to a proper SD-WAN at the time of consideration, along with cost and web VPN support for protocols other than HTTP/HTTPS, and I'm having better support from them in my region. And we have the best support contract from Palo Alto at the moment, so this really hits home.

Our CDE has a lot of point of sale, international credit cards, international debit cards, cardholder info and local ATM cards, thus I need a strong support service with strong PCI-DSS support.

As for skill set, I'm comfortable with both PAN and Cisco FTD, as I have PCNSA and CCNP Security.

If we do go Cisco, I plan on getting FMC (any feedback on this as well?).

I have been lurking the PAN vs Cisco threads for 2 weeks now haha.



Juniper EX2200 factory defaulting on reboot

So I am trying to knock out my JNCIA, and running into issues. I bought an EX2200 that has JUNOS 12.3R12.4. So when I make changes, commit the candidate config, they are all lost on reboot as it reverts to factory default. Does anyone have any experience with this?



Any one here work for Spectrum?

Looking for some insight into their office culture/politics. I'm taking a position on their network engineering team, and I'm coming from a small/mid-sized ISP. The entire NOC dept I'm currently in is 1/3 the size of just the neteng team I'll be joining, so looking for some insight or advice on normal politics/etc. Thanks in advance! P.S. I'm hoping this isn't against rules 5 or 7 lol



UniFi Dream Machine Pro and Switching IGMPv3

My customer uses IPTV, which requires IGMPv3. Do the Dream Machine Pro and the non-Pro model support that protocol? I know that the software running both machines is built on EdgeMAX and EdgeRouting but couldn't find any information about UniFi solutions. I looked at the datasheet but couldn't find any information at all; am I missing out on something?



China VPN traffic Issues

Hello,

I am currently having issues with corporate traffic using Cisco AnyConnect and S2S from a router in China to another country in Europe. Currently there are lots of performance issues and it is hard to know which solution to implement.

I have thought of:

1 - MPLS from Beijing to Singapore or maybe Hong Kong and from there a solution such as DMVPN to forward the traffic back to Europe.

2 - I heard about using government VPN but not familiar how it works and not sure if it can be used for S2S.

Based on your experience what would be the best solution?

Thank you in advance



Brocade ICX-7250-25P no console question

Using an XP laptop with a serial port just fine with Fortinet and Extreme equipment with a variety of console cables. I have the 2 cables (RJ45 to mini USB) that came with the Brocade devices, and have tried 2 different RJ45 to DB9 dongles but no luck. I am not sure if this device is a brick or what. Only green LEDs for power and port 1 are on after the boot process. I even tried holding reset until the lights are supposed to change to amber, but no luck. The only thing I can think of that I have not tried is getting a DB9 to USB and trying on a newer laptop, but I feel like this should work because PuTTY/HyperTerminal work fine for Fortinet/Extreme.

Any suggestions? Thanks!



So I have the Luxul XWR-3100, anyone know which VPN can be installed onto it?

As I understand, it has the capability of adding an embedded VPN to protect all devices on my network, I have tried a few different ones that always wound up being incompatible. I can't seem to find one that is PPTP, IPSec, or L2TP/IPSec.



Is mesh system same as MU-MIMO

I want to understand the main differences and the pros and cons of both setups.



CASB Solutions

Has anyone implemented a CASB solution yet? Care to share experiences? Which mode of deployment did you implement (API-based, forward proxy, reverse proxy)? How did you settle on the final CASB solution?



How to make a computer have 0 outbound connections and only a few (at most) inbound

Forgive me if this isn't the right place to post.

I would like to figure out the easiest way to set up a computer (generic, could be any platform) in such a way that it can't access the internet and can't access any other computers on the network but can be accessed by only a few other computers.

We're using Cisco AMP which has a nifty feature called "endpoint isolation" in the event it becomes infected. This will effectively close any and all network ports so traffic can't get in or out. We can configure isolation so that it can see a single IP (or range I suppose). So before we start playing around with this feature, we want to make sure we can still get to it in some way to investigate/turn off isolation. Thus the computer above. So the infected computer will be able to see it, but it can't do anything. I (and a few others) can see it so we can use it to access the infected endpoint.



Replacement for Comodo Internet Security

Hi,

I've been using Comodo Internet Security for quite some time, and in general, am rather happy with its functionality, and the (perceived?) security it provides (together with Win10's built-in AV features).

Anyway, recently I've been increasingly having problems with some applications which Comodo seems to block without actually reporting any problems (e.g. Python for PlatformIO in Atom), making it hard to pinpoint where a problem is actually coming from.

I was wondering if anybody could recommend a decent replacement? I definitely want the outgoing application-based firewall control I currently have (I hate when programs "phone home" without my knowledge and consent), and possibly better AV than M$ Defender (albeit I've read that in comparisons, it's one of the better free solutions out there, so possibly a decent SW-FW is all I need...)

Thanks!



Python based game which is working on LAN, how to make it accessible via Internet?

Hello,

I've made a multi-player Python-based game using sockets and threads. It is working well over LAN. I would like to know what should be done to make it work over the Internet such that one of the players is the server and the remaining are clients. The clients can connect to the server by providing the public IP address of the server. (It is given that the player (server) who started the game communicates his public IP address to the remaining players (clients) by SMS/mail/WhatsApp etc.) Following are the other details:

  • Python 3.8
  • Windows 10 OS
  • Used PyQt5 for GUI

Thanks for reading through, and providing any help if possible. Thanks a lot for your time.
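
As an added example (not the poster's game, and not code from the original post), here is the shape a Python socket server needs once the host's router forwards a TCP port to it and strangers on the Internet can reach that port: bind on all interfaces, cap the number of concurrent players, time out clients that stall the handshake, and require each client to prove it knows a shared secret with an HMAC challenge-response before any game traffic is accepted. MAX_PLAYERS, the port and the secret are placeholders; the handshake framing (status byte, 16-byte nonce, 32-byte MAC, two-byte verdict) is this example's own.

```python
"""Internet-facing version of a threaded socket game: bind all interfaces
(the router must still port-forward the TCP port), cap players, time out
slow handshakes, HMAC challenge-response on a shared secret. Added example,
not the poster's code; MAX_PLAYERS, port and secret are placeholders."""
import hashlib
import hmac
import os
import socket
import threading

MAX_PLAYERS = 4           # placeholder: small friends-only game
HANDSHAKE_TIMEOUT = 5.0   # seconds a client gets to answer the challenge


def challenge_response(secret, nonce):
    """Client's proof of the shared secret: HMAC-SHA256 over the nonce."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def verify_response(secret, nonce, response):
    """Constant-time comparison so timing does not leak the expected MAC."""
    return hmac.compare_digest(challenge_response(secret, nonce), response)


def recv_exact(sock, n):  # TCP is a byte stream: read until n bytes arrived
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


class GameServer:
    """Handshake: server sends b'N' + 16-byte nonce (or b'F' when full);
    client returns the 32-byte HMAC; server answers b'OK' or b'NO'."""

    def __init__(self, secret, host="0.0.0.0", port=0):
        self.secret = secret
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))            # port 0: OS picks a free one
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]
        self.lock = threading.Lock()
        self.slots = threading.BoundedSemaphore(MAX_PLAYERS)
        self.accepted = self.rejected = 0
        self._stop = threading.Event()

    def serve(self):
        self.sock.settimeout(0.2)               # lets the loop notice stop()
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:                     # listening socket closed
                break
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def stop(self):
        self._stop.set()
        self.sock.close()

    def _handle(self, conn):
        conn.settimeout(HANDSHAKE_TIMEOUT)
        slot = self.slots.acquire(blocking=False)   # False when game is full
        try:
            if not slot:
                conn.sendall(b"F")
                return
            nonce = os.urandom(16)                  # fresh per connection: no replay
            conn.sendall(b"N" + nonce)
            ok = verify_response(self.secret, nonce, recv_exact(conn, 32))
            with self.lock:
                self.accepted += ok
                self.rejected += not ok
            conn.sendall(b"OK" if ok else b"NO")    # game traffic would follow OK
        except OSError:                             # timeout, reset or closed peer
            pass
        finally:
            conn.close()
            if slot:
                self.slots.release()


def join(host, port, secret):
    """Client side of the handshake; returns 'welcome', 'denied' or 'full'."""
    with socket.create_connection((host, port), timeout=HANDSHAKE_TIMEOUT) as s:
        if recv_exact(s, 1) == b"F":
            return "full"
        s.sendall(challenge_response(secret, recv_exact(s, 16)))
        return "welcome" if recv_exact(s, 2) == b"OK" else "denied"


def run_demo(secret=b"change-me-shared-secret"):
    """Loopback run: one client with the right secret, one without."""
    srv = GameServer(secret, host="127.0.0.1")
    threading.Thread(target=srv.serve, daemon=True).start()
    try:
        results = (join("127.0.0.1", srv.port, secret),
                   join("127.0.0.1", srv.port, b"wrong-secret"))
    finally:
        srv.stop()
    return results + (srv.accepted, srv.rejected)
```

Calling `run_demo()` starts the server on loopback and returns `('welcome', 'denied', 1, 1)`. For real use, pass a fixed port to `GameServer`, forward that TCP port on the host's router, and hand out the secret over the same out-of-band channel as the public IP; the nonce is per connection, so a captured handshake cannot be replayed, and `compare_digest` keeps the check constant-time.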



Reliable but affordable SFP aggregation switch?

Hey Gang,

I do some work for a small ISP who deploys a free service sporadically across the city. Due to its widespread sporadic deployment, everything is fibre based. It's historically a Cisco shop but starting to branch out a bit. We've been using repurposed old ME3400s for this free service but have found some odd traffic behaviour, lots of dropped frames and unreliable performance. From what I'm told, it's just an old buggy platform.

They have expensive routers for paying customers but are reluctant to eat up ports on these for the free service. Perfectly happy to spare 1 or 2 ports to trunk down into some kind of aggregation switch, but we still need the SFP-based interfaces for all these last-mile fibre connections. Wondering if anyone can recommend an affordable platform that won't kill me on support/frustration :)



Does Armis really do what it claims?

We are looking at Armis, which looks like a good product but does it integrate with Cisco switches?



IGMP Snooping vs Querier

I am a Valcom Intercom Technician, we have a local High School as a customer. The remote network cards keep dropping multicast. It seems to work fine for months but then it always quits. I'm not sure what to tell the head of IT. Honestly, I'm not sure if its my equipment or his network. All I know is every time I bring the two cards together and patch them with a crossover they work fine.

I have heard that one of the two types of IGMP could be the problem... Is there one method that stays enabled, whether or not multicast traffic is detected? I think this is the root of my issue. I've noticed a pattern that if the school is on break for a while, then comes back, the cards never seem to work. I have to come out on site and power reset them. Is the network disabling multicast traffic because it's not being used at that time?

Any help will be appreciated. Thanks



China Intercontinental traffic

We have an office in China with a 20Mbps Internet circuit provided by GTT.

Local traffic works as expected, but as soon as it leaves China, it's usually totally unreliable: packets dropped, timeouts, ...

We have an Intranet running on Azure in the US, and it works 1 time out of 10. I have been told it is mostly caused by the great Firewall of China and I was wondering, since we run a Meraki MX firewall there, if setting up a VPN with one of our VPN hub could help so we could redirect the traffic. I also read a while ago on this sub that you could try to setup a site to site VPN from a Chinese location to another office abroad but that you need to fill in a request as a business. Anyone got more info?

Thanks



EVE-NG can't connect to the internet

I have VMware Workstation installed on Windows. I added EVE-NG and configured the network adapter to be bridged, then I connected a Cisco router to the management network (cloud0). When I ping my PC the ping succeeds, but I can't ping Google DNS 8.8.8.8.



Friday, August 7, 2020

Need some help with Eve-NG please

Good evening,

I am in need of some serious help, any ideas or suggestions would be greatly appreciated. I am working with 2 separate pods on EVE-NG through cloudmylab, on my 1st pod I have an entire network topology built that is running and communicating well, with DHCP setup and some GREtunnels etc.

On my 2nd pod I have a bunch of Windows servers, and I am trying to get this 2nd pod connected to my 1st pod, which has the network topology built. I want my servers to be able to connect to this first pod so they have networking and can communicate with the 1st pod. I am building AD, DNS, mail servers etc. on the 2nd pod with the servers to emulate a running company environment.

I know it has something to do with the Cloud net to connect the 2 however I am not sure about the routes, IP's and other configs to get these 2 pods connected together. So any help would be greatly appreciated to get these 2 separate pods connected together so my server pod can connect to my network pod. Thank you.

TL;DR

2 pods on eve, 1 has network topology built 2nd has servers, trying to connect both pods so the servers can be connected to the 1st pods network.



Do I need an L3 Switch?

Okay, so I have two appliances each with their own public IP and they talk to each other over their WAN IPs. Let's say IP A is 123.456.7.8 and IP B is 123.456.9.10. Currently, they are both on the same WAN L2 switch, and in order for them to route they obviously must go back to my ISP and do the switching on their end (because my WAN switch is obviously only an L2 switch). I would like to make this more efficient by seeing if I can route it at my WAN switch level rather than my ISP's upstream one. Would an L3 switch be the appropriate way of going about this, and how would I configure such a thing if this were the correct route to pursue? (Obviously barring L3 switch manufacturers, but just kind of a basic understanding of it.)



ISE/ClearPass cloud hosted alternative for BYOD wireless?

Does any kind of hosted SaaS/PaaS service exist where you don’t have to manage and maintain your own hardware/software on premises?



Cat6a s/ftp prep for termination

Can someone please tell me the proper way to ground and prep cat6a s/ftp cable? I can't seem to find the right way online. Thanks in advance



PTP - Recently installed equipment by ISP, what is it?

Can somebody identify the equipment that was installed on my tower?
https://imgur.com/a/7aWmWzT

Backstory to why I'm asking

I live in the country and as such am stuck with PTP internet, I found an ISP and after installing an 85ft tower I have internet! Recently they came back saying they needed to upgrade it. Originally there was one little dish and a rectangle lower down, nothing more. Now the tower seems FULL of devices.

I've been told there are 12 other people on it and they have offered me a 50% discount (which I question, but a topic for another time). All in all I want to be aware of what is on my property and what it's being used for, if I can. Especially if it's a power suck; all I have inside is a tiny 3x2 receiver that plugs in to an outlet with a blue light for my own Ethernet cord.



Wireless AP lifespan

How many years do you expect to get out of wireless APs before it's time to upgrade to the latest generation? Switches and routers we'll ride until they're EOL and out of support, but with APs I have the impression the optimal lifespan is something less. We can't be chasing standards and replacing the fleet every 2 years of course, but it's a rapidly developing arena.

Anyhow, curious to see the range of opinions?



Load balancer speed and NAT throughput

Hi, I want to know if the NAT throughput shown in the load balancer specification will limit my Internet speed. For example, if my Internet speed is 800Mbps and the NAT throughput of the router is 500Mbps, will my Internet speed be limited to 500Mbps?

Even though I will disable NAT in the load balancer, since I have a router before it and I will use it in bridge mode.



AWS VPC with publically routable IPs direct connected and announcing those IPs back to the internet?

Complete AWS noob here.

If I assign my public IPs to a VPC and then use a hosted direct connect to the Equinix Cloud Exchange, can I then announce that IP space to the internet or a subset of other peers?

Is there any advantage or disadvantage to doing that instead of using the AWS internet gateway?



ISE, NAD question

What happens if I change the hostname of a switch that is already configured as a NAD? I'm assuming all dot1x authentication requests will fail because the switch hostnames don't match what's in ISE's network device list database.

For example: I change a switch’s hostname from A to B (IPs remains the same, 1.1.1.1). ISE has an entry for A-1.1.1.1 and no entry for B. All dot1x authentications will fail.



Cisco SDWAN

Is there a public document stating what public IPs Cisco uses for their cloud managed vmanage/vbond/vsmarts?



EVE-NG viosl2 mac table goes crazy when connecting to external network

Running into a very strange problem on EVE-NG and can't quite figure out what I am doing wrong, I've even rebuilt my server just to be sure it wasn't environmental. Used two different versions of the viosl2 switch image

I am at a loss for ideas. Here's my setup:

  • I have an EVE-NG instance running on an ESXi host (promiscuous mode is enabled for the vSwitch).
  • I have 4 FortiGate VMs that I connect to a viosl2 switch which is in turn connected to the cloud 1 interface (which is mapped to the VM's eth1) here's the config in /etc/network/interfaces for the interface in question
    iface eth1 inet manual
    auto pnet1
    iface pnet1 inet manual
    bridge_ports eth1
    bridge_stp off
  • show mac address-table looks fine as long as the viosl2 isn't connected to cloud1; the instant that port is enabled ALL MAC ADDRESSES show as coming from the port connected to cloud1.

    port gi1/3 down:

    Switch#show mac address-table
              Mac Address Table
    -------------------------------------------
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
       1    5000.0002.0003    DYNAMIC     Gi0/0
       1    5000.0003.0003    DYNAMIC     Gi0/1
       1    5000.0004.0003    DYNAMIC     Gi0/2
       1    5000.0005.0003    DYNAMIC     Gi0/3

    port gi1/3 up:

    Switch#show mac address-table
              Mac Address Table
    -------------------------------------------
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
       1    0050.5692.1aa0    DYNAMIC     Gi1/3
       1    5000.0002.0003    DYNAMIC     Gi1/3
       1    5000.0003.0003    DYNAMIC     Gi1/3
       1    5000.0004.0003    DYNAMIC     Gi1/3
       1    5000.0005.0003    DYNAMIC     Gi1/3
       1    5000.0006.0007    DYNAMIC     Gi1/3
Needless to say this is driving me bonkers, and affecting reachability to the instances behind the switches. Have any of you seen this? Am I doing something wrong? Any help is appreciated.



How do you test 64B throughput?

Hi there, what's the go-to method for measuring 64B throughput over a router? Tried using iperf3, although this seems to give low results as I can't seem to saturate a 1 Gbit link this way; tried using parallel connections also, but this doesn't seem to scale linearly. I don't appear to saturate the CPU of either the host or server. Anyone have any experience with this?

Thanks!



Cisco EVPN+VxLAN Multi-AS eBGP issue

I am labbing to learn an eBGP underlay for EVPN, so I created the following lab:

Spine: 65000

Leaf-1: 65001

Leaf-2: 65002

## spine

    router bgp 65000
      log-neighbor-changes
      address-family ipv4 unicast
        redistribute direct route-map TAG-UL
      address-family l2vpn evpn
        nexthop route-map NH-UNCH
        retain route-target all
      neighbor 10.1.1.1 remote-as 65001
        address-family ipv4 unicast
      neighbor 10.1.2.1 remote-as 65002
        address-family ipv4 unicast
      neighbor 10.255.1.1 remote-as 65001
        update-source loopback0
        ebgp-multihop 3
        address-family l2vpn evpn
          disable-peer-as-check
          send-community
          route-map NH-UNCH out
          rewrite-evpn-rt-asn
      neighbor 10.255.2.1 remote-as 65002
        update-source loopback0
        ebgp-multihop 3
        address-family l2vpn evpn
          disable-peer-as-check
          send-community
          route-map NH-UNCH out
          rewrite-evpn-rt-asn

## leaf-1 and leaf-2 pretty similar except router-ID and peer IP

    router bgp 65001
      log-neighbor-changes
      address-family ipv4 unicast
        redistribute direct route-map TAG-UL
      neighbor 10.1.1.0 remote-as 65000
        address-family ipv4 unicast
      neighbor 10.255.255.1 remote-as 65000
        update-source loopback0
        disable-connected-check
        ebgp-multihop 3
        address-family l2vpn evpn
          disable-peer-as-check
          send-community
          send-community extended
          rewrite-evpn-rt-asn
    !
    evpn
      vni 10010 l2
        rd auto
        route-target import auto
        route-target export auto

## I have two servers connected to the leaves in VNI 10010 and the spine BGP can see them in the routing table

    spine-1# show bgp l2vpn evpn
    BGP routing table information for VRF default, address family L2VPN EVPN
    BGP table version is 475, Local Router ID is 10.255.255.1
    Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best
    Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-injected
    Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup, 2 - best2

       Network            Next Hop            Metric     LocPrf     Weight Path
    Route Distinguisher: 10.255.1.1:32777
    *>e[2]:[0]:[0]:[48]:[5254.0014.e6b8]:[0]:[0.0.0.0]/216
                          10.254.1.1                                     0 65001 i
    *>e[3]:[0]:[32]:[10.254.1.1]/88
                          10.254.1.1                                     0 65001 i
    Route Distinguisher: 10.255.2.1:32777
    *>e[2]:[0]:[0]:[48]:[5254.0019.9dcb]:[0]:[0.0.0.0]/216
                          10.254.2.1                                     0 65002 i
    *>e[3]:[0]:[32]:[10.254.2.1]/88
                          10.254.2.1                                     0 65002 i

## I am getting a BGP update error on the leaf saying RT policy reject, and it's not installing the routes in the FIB

    leaf-1# show bgp l2vpn evpn
    BGP routing table information for VRF default, address family L2VPN EVPN
    BGP table version is 175, Local Router ID is 10.255.1.1
    Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best
    Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-injected
    Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup, 2 - best2

       Network            Next Hop            Metric     LocPrf     Weight Path
    Route Distinguisher: 10.255.1.1:32777    (L2VNI 10010)
    *>l[2]:[0]:[0]:[48]:[5254.0014.e6b8]:[0]:[0.0.0.0]/216
                          10.254.1.1                        100      32768 i
    *>l[3]:[0]:[32]:[10.254.1.1]/88
                          10.254.1.1                        100      32768 i

## BGP error on leaf-1 (10.255.255.1 is the spine loopback)

    2020 Aug 7 13:52:29.759596 bgp: [14564] (default) UPD: [L2VPN EVPN] 10.255.255.1 Inbound import RT check action deny
    2020 Aug 7 13:52:29.759906 bgp: [14564] (default) UPD: Received ESI 0000.0000.0000.0000.0000 for route type 2 from peer 10.255.255.1
    2020 Aug 7 13:52:29.759957 bgp: [14564] (default) UPD: [L2VPN EVPN] Received rd 10.255.2.1:32777 prefix [2]:[0]:[0]:[48]:[5254.0019.9dcb]:[0]:[0.0.0.0]/112 from peer 10.255.255.1, origin 0, next hop 10.254.2.1, localpref 0, med 0
    2020 Aug 7 13:52:29.759987 bgp: [14564] (default) UPD: [L2VPN EVPN] Dropping prefix [2]:[0]:[0]:[48]:[5254.0019.9dcb]:[0]:[0.0.0.0]/112 from peer 10.255.255.1, due to attribute policy rejected
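
As an added illustration (not part of the post above, not NX-OS code, and not a diagnosis of that lab), here is a small Python model of how an EVPN auto route-target (ASN:VNI) travels leaf to spine to leaf in a multi-AS underlay, and what the receiving leaf's `route-target import auto` check sees with and without `rewrite-evpn-rt-asn`. The rewrite semantics modelled (outbound: an RT whose ASN equals the local ASN is rewritten to the neighbour's ASN; inbound: an RT whose ASN equals the neighbour's ASN is rewritten to the local ASN) are my reading of the NX-OS feature and are an assumption to verify against the platform documentation; the ASNs and VNI are the lab's values.

```python
"""Toy model of an EVPN auto route-target (ASN:VNI) crossing a multi-AS
eBGP underlay, with and without rewrite-evpn-rt-asn, and of the import
check a leaf performs with 'route-target import auto'. Added illustration,
not NX-OS code and not the poster's lab. The rewrite semantics modelled
(outbound: RT ASN equal to the local ASN becomes the neighbour's ASN;
inbound: RT ASN equal to the neighbour's ASN becomes the local ASN) are my
reading of the NX-OS feature and should be verified against the docs."""


def auto_rt(asn, vni):
    """'route-target import/export auto' derives ASN:VNI."""
    return f"{asn}:{vni}"


def _split(rt):
    asn, value = rt.split(":")
    return int(asn), int(value)


def rewrite_outbound(rt, local_asn, neighbor_asn):
    asn, value = _split(rt)
    return f"{neighbor_asn}:{value}" if asn == local_asn else rt


def rewrite_inbound(rt, local_asn, neighbor_asn):
    asn, value = _split(rt)
    return f"{local_asn}:{value}" if asn == neighbor_asn else rt


def forward(rts, sender_asn, receiver_asn, rewrite=True):
    """RTs as the receiver sees them after one eBGP hop; when rewrite is on,
    both sides apply their direction of rewrite-evpn-rt-asn."""
    out = []
    for rt in rts:
        if rewrite:
            rt = rewrite_outbound(rt, sender_asn, receiver_asn)
            rt = rewrite_inbound(rt, receiver_asn, sender_asn)
        out.append(rt)
    return out


def leaf_accepts(rts, leaf_asn, vni):
    """With 'route-target import auto' the leaf imports the route only if one
    carried RT equals its own ASN:VNI (a spine with 'retain route-target all'
    needs no such match)."""
    return auto_rt(leaf_asn, vni) in rts


def simulate(spine_asn, leaf1_asn, leaf2_asn, vni, rewrite=True):
    """Type-2 route from leaf1, via the spine, to leaf2. Returns the RT leaf2
    sees and whether leaf2's auto import accepts it."""
    rts = [auto_rt(leaf1_asn, vni)]                    # leaf1 export auto
    rts = forward(rts, leaf1_asn, spine_asn, rewrite)  # leaf1 -> spine
    rts = forward(rts, spine_asn, leaf2_asn, rewrite)  # spine -> leaf2
    return rts[0], leaf_accepts(rts, leaf2_asn, vni)


if __name__ == "__main__":
    print("with rewrite:   ", simulate(65000, 65001, 65002, 10010))
    print("without rewrite:", simulate(65000, 65001, 65002, 10010, rewrite=False))
```

With the lab's numbers the model turns leaf-1's `65001:10010` into `65002:10010` by the time it reaches leaf-2 when every hop rewrites, and leaves it as `65001:10010` (which leaf-2's auto import does not match) when none does. The model only tracks the RT value; it says nothing about whether the extended community is actually sent on a given session, which is a separate thing to check with `show bgp l2vpn evpn ... detail` on the receiving side.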


When testing fiber connections on layer 1, are a mandrel and test reference cords required? Can I set my reference with a standard LC-LC fiber cable?

Couldn't find any answers to this. I don't have a mandrel. I have a Fluke testing kit with no reference cords. Can I set the reference with a standard LC fiber cord?



Recommend Canadian Supplier for Trays/Ties etc..

I've tried cabletiesandmore up here in Canada but the cost for shipping is almost 2/3 the cost of the products themselves. I guess since they are manufacturing/importing it from the US? They won't even allow me to do self pickup. Looking at mounts/trays (i.e. 10' L + T junctions).

Tia.



HP - IPv4 routing (HP 5500 (formerly A5500) )

I'm trying to figure out a weird issue where users have intermittent timeout errors when visiting the internet. So far I've excluded DNS, firewall, antivirus, ... Except for a third party change some longer time ago (most likely culprit now) combined with some historical unnecessary routing, I'm running out of ideas.

To understand why it's intermittent, I'd like to know more about the IPv4 routing.

  • is the preference/priority value handled first, or does the switch process the rules according to their subnet mask if there's some overlap?
  • I'm always confused by "priority". Sometimes a lower number is more important/preferred, sometimes higher. What's the case with this switch?
  • is there a difference in processing order between 'static' and 'dynamic'?
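
As an added illustration (not the poster's switch, not Comware code), here is a Python model of the general IPv4 route selection order: the longest matching prefix wins outright, and the preference value only decides between routes of equal prefix length. The sample table is constructed; the convention that a lower preference value wins follows Comware's defaults (direct 0, OSPF 10, static 60), which is an assumption to confirm on the 5500 in question.

```python
"""Model of the IPv4 route selection order a switch applies to a packet:
longest prefix match first, then the preference value only to break ties
among routes of equal prefix length. Added illustration, not Comware code
and not the poster's table. Lower preference wins here, following the
Comware defaults (direct 0, OSPF 10, static 60); confirm on your platform."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str         # e.g. "10.0.0.0/8"
    next_hop: str
    protocol: str       # "direct", "static", "ospf", ...
    preference: int     # lower is better (assumption stated above)

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


def matching_routes(table, dst):
    """Every route whose prefix contains dst, regardless of preference."""
    addr = ipaddress.ip_address(dst)
    return [r for r in table if addr in r.network]


def select_route(table, dst):
    """Longest prefix wins outright; preference decides only between routes
    of the same length. Returns None when nothing matches."""
    candidates = matching_routes(table, dst)
    if not candidates:
        return None
    longest = max(r.network.prefixlen for r in candidates)
    same_len = [r for r in candidates if r.network.prefixlen == longest]
    return min(same_len, key=lambda r: r.preference)


# Constructed table: a broad OSPF route with a better preference overlapping
# a more specific static, plus two equal-length statics (one floating).
SAMPLE_TABLE = [
    Route("0.0.0.0/0",    "203.0.113.1", "static", 60),   # default via firewall
    Route("10.0.0.0/8",   "10.1.1.254",  "ospf",   10),   # summary, learned
    Route("10.20.0.0/16", "10.1.1.253",  "static", 60),   # specific, worse pref
    Route("10.30.0.0/16", "10.1.1.252",  "static", 60),
    Route("10.30.0.0/16", "10.1.1.251",  "static", 70),   # floating backup
    Route("192.0.2.0/24", "0.0.0.0",     "direct", 0),
]


def lookup(dst, table=SAMPLE_TABLE):
    """(protocol, next_hop) of the winning route for dst, or None."""
    r = select_route(table, dst)
    return (r.protocol, r.next_hop) if r else None


if __name__ == "__main__":
    for dst in ("10.20.5.5", "10.99.1.1", "10.30.1.1", "8.8.8.8"):
        print(dst, "->", lookup(dst))
```

The interesting row is 10.20.5.5: the static /16 with preference 60 beats the OSPF /8 with preference 10 because prefix length is compared first; preference only matters for 10.30.1.1, where two /16 statics tie on length and the lower value (60) wins. Static versus dynamic plays no role in this model beyond the preference value each carries.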


[HP A 5120 - Comware 5] Remote mirroring issues

I'm trying to get remote mirroring working but I'm not sure if I'm doing it right.

First, let me explain how I understand monitor-egress vs reflector-port.

As I understand it, monitor-egress is my trunk/uplink to my remote switch, and reflector-port is only used if I'm doing local mirroring. Am I right or wrong?

My pcap only shows broadcasts from the network I'm monitoring, not the client I'm monitoring, even if I generate traffic like ICMP or HTTP. In this case, the client is a network printer.

Configuration on the source switch:

    mirroring-group 1 remote-source
    mirroring-group 1 remote-probe vlan 99
    mirroring-group 1 monitor-egress g 1/0/52
    interface GigabitEthernet1/0/16
     stp disable
     mirroring-group 1 mirroring-port both

Configuration on the destination switch:

    mirroring-group 1 remote-source
    mirroring-group 1 remote-probe vlan 99
    interface GigabitEthernet3/0/14
     stp disable
     mirroring-group 1 monitor-port



ACS + TR-069 companies

Hi,

I am doing research on companies that do ACS. My goal is to map and analyze the market. I have found: Axiros, Friendly Technologies, Incognito, AVS system, Relution, and Dimark. I would be very grateful for any other companies or at least sources like forums and articles about this topic.

Thank you!



Thursday, August 6, 2020

Need solutions in creating a wired connection.

Hello!

Pardon my lack of jargon, as I'm new to this.

I am looking to set up a wired Ethernet connection to my computer, as my wireless connection is unstable. Simple request, right? Wrong. My internet modem would be around 15-20 meters away from the master bedroom with no way of moving it closer, and I really don't want to run an Ethernet cable across my roof.

Is there anyway I can create a stable and fast network bridge where I can get a fast Ethernet connection? I've already tried a wifi extender, which has poorly impacted my speeds although it's fairly close to the modem.

If you need more information, don't be afraid to ask!

Thank you in advance, Daniel.



Computer Tech Degree: Network or Cloud Computing?

I'm currently headed to get a degree in computer technology; my school currently offers a concentration in Networking or Cloud Computing. Which one would benefit me the most?



AirBnB Internet Problem

I am staying in an AirBnB and there is a wall socket for an Ethernet cable that I had been using. It was working fine for a few days until today. Every 45 seconds it times out for exactly 5 seconds. How do I fix it? Here's a pic of my terminal ping: https://imgur.com/a/mTeutcA. I have a 2013 MacBook Air running Mojave.
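
As an added example (not from the post above), a small Python parser for the kind of ping output in that screenshot: it lists the outage windows as gaps in the icmp_seq numbers of the replies and the spacing between consecutive outages, so a "drops for 5 seconds every 45 seconds" pattern is measured rather than eyeballed. The sample lines are constructed to mimic macOS ping at one packet per second and are not the poster's capture.

```python
"""Parse ping output and report outage windows (missing icmp_seq runs) and
the spacing between them. Added example, not from the poster's terminal;
SAMPLE is constructed to mimic macOS ping at 1 packet/second."""
import re

REPLY_RE = re.compile(r"bytes from .*icmp_seq[= ](\d+)")   # reply lines only


def reply_sequences(lines):
    """Sorted icmp_seq numbers of the replies actually received."""
    return sorted(int(m.group(1)) for m in map(REPLY_RE.search, lines) if m)


def find_outages(lines):
    """List of (first_missing_seq, missing_count) gaps between replies."""
    seqs = reply_sequences(lines)
    return [(a + 1, b - a - 1) for a, b in zip(seqs, seqs[1:]) if b - a > 1]


def outage_spacing(outages):
    """Seconds (at 1 ping/s) between the starts of consecutive outages."""
    starts = [s for s, _ in outages]
    return [b - a for a, b in zip(starts, starts[1:])]


def summarize(lines):
    """(outages, spacing, loss_percent) for one ping capture."""
    seqs = reply_sequences(lines)
    outs = find_outages(lines)
    sent = seqs[-1] - seqs[0] + 1 if seqs else 0
    loss = round(100.0 * (sent - len(seqs)) / sent, 1) if sent else 0.0
    return outs, outage_spacing(outs), loss


# Constructed sample: 145 seconds of pings, replies missing for seq 46-50 and
# 96-100; macOS prints "Request timeout" lines for the missing ones.
SAMPLE = []
for n in range(1, 146):
    if 46 <= n <= 50 or 96 <= n <= 100:
        SAMPLE.append(f"Request timeout for icmp_seq {n}")
    else:
        SAMPLE.append(f"64 bytes from 192.0.2.1: icmp_seq={n} ttl=56 time=12.3 ms")

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Feed it a saved capture with `summarize(open("ping.txt").read().splitlines())`; a constant spacing in the second element of the result is what distinguishes a periodic event (something on a timer) from random loss, and the first element gives the exact seconds to line up against the gateway's or the laptop's logs.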



What is IP Address

Hi group members, if you want to learn about what an IP address is, then this can be a good blog for you.

http://blogbells.com/networking/what-is-ip-address/



So I have an Optimum smart router and an Archer A5 router that my brother put up, and ever since, my Xbox has been lagging in every game. Any advice on what to do? I'm new to this btw.


What DNS servers do you use and why?

What DNS servers do you use and why?



Fiber optic strand life expectancy?

Ran into a situation today. Users were not able to connect to the network. Nothing wrong with the switch. As a matter of fact, the switch didn't even register the connection. All I had available was a visual fiber optic tester, the kind where you shine a light down the strand to see if it comes out the other side. Anyway, the fiber strands had gouges in them and the light poured out. The strange thing is, these strands haven't been touched since the day they were connected to the back of the patch panel. The gear is located in a locked closet in a dry and fairly clean environment. No dust, no excessive heat or cold, etc. Could the individual fiber strands have just physically broken down? Like dried out or something due to age? Unless someone was messing with that wire over the past week, this is all I can come up with at this point.

Does fiber break down over time? If I am not mistaken the fiber is from the late 90's and early 2000s.



Cisco ASA 5516 AnyConnect VPN + RIP Route issue

Hey all, wondering if you guys have ever experienced this. I'm on day 2 of working with TAC support on it and they seem stumped.

We have an HA pair of ASA 5516s that handle our site-to-site and AnyConnect VPNs into our network. Recently I decided to upgrade to FW version 9.13.1.12 from 9.13.(1) to patch the AnyConnect vulnerability that was seen out in the wild. And by doing this I uncovered an issue on our primary pair member. I say uncovered because I am newer here and cannot think of any time in which we have failed over, so I can't confidently say if this issue has always existed or is new with this firmware...

The issue is this: users can AnyConnect in successfully. I tested with 9 users. 8 of them got in no problem, got IPs, traversed the network. #9 connects to AnyConnect, gets an IP, and suddenly can't do anything on the network. No traversing, DNS is broken, can't ping anything...

Troubleshot the hell out of this with TAC and it's just that SOME IPs designated from that pool for some reason are not getting advertised in the router's RIP.

For example: PC7 might get 172.16.0.4, PC8 gets 172.16.0.5, PC9 gets 172.16.0.6
ASA advertises RIP routes for 172.16.0.4, 172.16.0.5, but NOTHING for 172.16.0.6
If we destroy the whole group + pool and just start with a pool with 1 address, 172.16.0.6, the issue still occurs...

Scheduled to get on with yet another tech. One wanted to try a different FW version, but others from the VPN team said they want to keep looking first because there are no known bugs w/ this FW. Ever see anything like this?



Authenticated Vulnerability Scans in FIPS mode for Juniper Gear?

My company uses Juniper gear in an environment that requires FIPS to be enabled. When performing authenticated scans (currently using Tenable.sc) the scanner can successfully authenticate using the service account credentials we provide, but all of the subsequent checks fail because the scanner is unable to identify the operating system of the device. Doing a little digging through logs, we discovered that the scanner is not using the correct command: the command used to show operating system information is usually “show version”, but when FIPS is enabled, the command is “show version local”. Apparently the Nessus plugins don’t know this. We’ve also done a PoC of Rapid7 Nexpose with the same results.

I refuse to believe we are the only people using Juniper gear with FIPS enabled that are also doing authenticated vulnerability scans... has anyone else successfully scanned FIPS-enabled gear? If so, what scanner was used?

Thanks!



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



HP ProCurve 6120XG Blade Switch - Cross links

What are cross links in the HP c7000 blade 6120XG and what is the use of them? So you just connect port 23 and port 24 cross-connected with the second switch; what is the advantage of doing that here? You can do that with any regular port, so why do you need specific shared ports?

https://h20195.www2.hpe.com/v2/getdocument.aspx?docname=c04140206



New VLAN not traversing and interface configured as REP alt port. Really in a bind, no documentation is clear on this.

Hope it's a quick answer. Should I just shut/no shut the interface? There has to be a command where I can allow the VLAN?

I am adding a new VLAN to a previous ring in my network. We are using REP on the ring. It is being blocked on the REP alt port.

What can I do to allow the new VLAN to pass its data? It is defined in the VLAN database and allowed on trunk.



Could you suggest me some books on networking?

I’ve recently discovered how fascinating networking is and I would like to learn more about the subject. As the title says, could you suggest me some books? Thank you all in advance



Resources for understanding virtualization concepts - please share

Sorry if this comes across as a low quality post but having a hard time understanding how virtualization in general works and network virtualization in particular - can experts here share some generic resources explaining concepts in detail to help build confidence when someone talks about "virtualization" next.



Will this server side 10Gb card by intel work on a Cisco 9k via SFP's and fiber?

Intel X710-DA2 dual-port 10G SFP+ NIC

Might be a dumb question, but I can't really find definitive information. Here is the link...

https://www.intel.com/content/dam/www/public/us/en/documents/product-briefs/ethernet-x710-brief.pdf

We are going to throw this into a Windows box and connect it to a Nexus 9k via SFPs and fiber.



"We've rebooted the router" rant

I swear to christ, I don't know what it is, but every time I hear a helpdesk monkey tell me that they had the site folks reboot the router i want to strangle them.

There's no onsite router that we control. There's an L3 switch that also handles all the access layer, and a CPE router. Sometimes they mean they unplugged an AP. Sometimes they mean they actually powered down an entire rack. What the fuck is wrong with people that they can't ID anything when we have Netbox, PRTG, site pictures in SharePoint, and supposedly a CS degree and certs? Learn your damn job and for all that is holy ESCALATE THE TICKET IF YOU CAN'T UNDERSTAND THAT THE POWER OUTAGE DRAINED THE UPS.



Downloading or exporting the network map created in a Fluke Network Analyzer

Hello. I have been asked to provide a network diagram to our new corporate bosses. We use a Fluke network analyzer and there is a great layout right there... but I am having trouble finding out if there is a way to download it, print it or export it. Anyone have any experience with this?

thanks.



CCNA Materials Help

Hi Guys!

Hope this is okay to post here but I was wondering if anyone had any decent materials or recommendations on materials to study for my CCNA? Every Job I look for at the minute wants me to have CCNA, I have a few other qualifications like CompTIA Net+ and Sec+ but they don't seem to be getting me in anywhere.

I've got the "CCNA Routing and Switching 200-125 Official Cert Guide Library Hardcover – 8 July 2016" but wondering if you guys know of anything better

Thanks in advance!



QFX5100 : QinQ with routed/IRB interfaces?

I'm trying to setup a QinQ interface where the S-TAG will remain the same popped/pushed but the inner C-TAG can be a VLAN from 1000-2000.

That bit's fine, but each of the C-TAG VLANs needs to have an associated IRB/SVI interface on the same QFX for routing IP traffic.

When I set up the QinQ interface, the associated IRB interface stays in a down/down state.

I'm guessing as the C-Tag is an inner VLAN tag the Juniper doesn't see it on an interface so leaves the routed interface in a down state?

If I set up a spare port as an access port in that VLAN it comes up fine.

I may be missing something really obvious or maybe it's not actually possible and it has to traverse the QFX5100?

Thanks



What would cause a Ciena switch, or any switch to stop responding but still be powered ON?

We use Frontier's ELAN to connect our offices. After this recent hurricane, we had a power outage. Several days after the outage, SolarWinds showed one of our offices as down during the work day. Staff say there was no power outage nor flickering going on. Walking into the server room, all systems are running, and checking Frontier's Ciena switch it is also up. I'm not sure about the activity lights as I wasn't in the room. We pulled the power and rebooted the Ciena switch and SolarWinds was able to see the office again. I'm wondering, what causes a switch to stop responding but look like it is ON? Just curious if it is power related since we had a storm-related outage, or the current work being done on the lines outside after the storm?



Opnsense firewall behind Mikrotik router and all clients are on the same level as the opnsense firewall, will it work?

I am new to the OPNsense firewall, so I need some help with my home setup.

Here is the diagram.

Based on the diagram, my DHCP server is on the Mikrotik router, so all the routing is for the Mikrotik to handle. I put a DMZ rule on the Mikrotik with the target set to the firewall WAN address, which is 172.16.200.2.

All the servers are on the same level as the firewall. The servers' traffic will go to OPNsense because I set their gateway to the OPNsense address, which is 192.168.0.104.

I did configure the NAT firewall on OPNsense. The problem is that when I tried to access the server from outside my network, the traffic is passed by the firewall, but it failed. For example, I tried to access the FTP server on port 21 (I'm using plain FTP) with a website called ftptest.net; when I started the test, the connection timed out, but when I checked the firewall log, it says it was passed.

The other problem is that when I tried to block ICMP from inside the LAN to the internet, it didn't work. (I am using this for testing the firewall.)



OSPF wrong area packets being received

My Nexus 5672 is receiving OSPF packets from a remote switch on the wrong area. Somehow packets for area 210 are being sent over area 0. The configuration looks right to me and it is only this one switch that has a problem. We have been experiencing brief outages to the switch for the past few days and I am worried this could be a reason. Error message:

    2020 Aug 4 16:24:36 SEC-S5672-A %OSPF-4-AREA_ERR: ospf-110 [4619] (default) Packet from 10.210.215.1 on Vlan2180 received for wrong area 0.0.0.210

This repeats all day multiple times a minute. I can't find anything like this on Google and there is no Smartnet on these switches.

Receiving switch is a Cisco Nexus 5672 and sending switch is a Cisco 3850. VLAN 2180 is the VLAN connecting the two switches through Cogent's network.

3850 OSPF config:

    router ospf 210
     router-id 10.210.215.1
     auto-cost reference-bandwidth 40000
     area 210 range 10.210.0.0 255.255.0.0
     passive-interface default
     no passive-interface Vlan212
     no passive-interface Vlan215
     no passive-interface Vlan2180
     no passive-interface Vlan2184
     network 10.1.0.0 0.0.3.255 area 210
     network 10.2.2.0 0.0.0.255 area 210
     network 10.2.8.0 0.0.0.255 area 210
     network 10.181.20.94 0.0.0.0 area 0
     network 10.210.212.0 0.0.0.255 area 210
     network 10.210.0.0 0.0.255.255 area 210

I'm new to OSPF troubleshooting so I'm not sure how to fix this. It's a remote site so I am wary of screwing myself and losing access to them by making a mistake.
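As an added example (not part of the original post), the script below reads the posted 3850 `network` statements and reports which area IOS would put an interface address in, using the IOS rule that the most specific matching statement wins regardless of configuration order. Areas are normalised to the dotted form the Nexus log quotes, so the output can be compared directly against the `AREA_ERR` message; the interface name Vlan2180 and the extra test addresses are assumptions.

```python
"""Resolve which OSPF area IOS places an interface in, from 'network'
statements.  Added example; the config text is copied from the post above
and the interface-to-address mapping is assumed."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the 3850 config posted above (only the lines that
# matter for area assignment are kept).
OSPF_3850_CONFIG = """\
router ospf 210
 router-id 10.210.215.1
 network 10.1.0.0 0.0.3.255 area 210
 network 10.2.2.0 0.0.0.255 area 210
 network 10.2.8.0 0.0.0.255 area 210
 network 10.181.20.94 0.0.0.0 area 0
 network 10.210.212.0 0.0.0.255 area 210
 network 10.210.0.0 0.0.255.255 area 210
"""

_NETWORK_RE = re.compile(r"^\s*network\s+(\S+)\s+(\S+)\s+area\s+(\S+)\s*$")


def normalise_area(area: str) -> str:
    """IOS accepts 'area 210' and 'area 0.0.0.210' interchangeably; the
    Nexus log quotes the dotted form, so normalise to that."""
    if area.isdigit():
        return str(ipaddress.IPv4Address(int(area)))
    return str(ipaddress.IPv4Address(area))


def parse_network_statements(config: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Turn 'network A W area X' lines into (IPv4Network, dotted area) pairs.

    The IOS wildcard is the bitwise inverse of a subnet mask, so 0.0.255.255
    becomes /16 and 0.0.0.0 becomes /32.  A non-contiguous wildcard makes
    ipaddress raise ValueError; this example does not model those.
    """
    statements = []
    for line in config.splitlines():
        m = _NETWORK_RE.match(line)
        if not m:
            continue
        addr, wildcard, area = m.groups()
        netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
        # strict=False: IOS accepts host bits set in the address part.
        net = ipaddress.IPv4Network((addr, str(netmask)), strict=False)
        statements.append((net, normalise_area(area)))
    return statements


def area_for_interface(ip: str, statements) -> Optional[str]:
    """Return the dotted area an interface with this address is placed in,
    or None if no network statement covers it (interface not in OSPF)."""
    address = ipaddress.IPv4Address(ip)
    matches = [(net, area) for net, area in statements if address in net]
    if not matches:
        return None
    # Most specific match (longest prefix) wins, not the first in the config.
    _, area = max(matches, key=lambda pair: pair[0].prefixlen)
    return area


def area_map(config: str, interface_ips: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map interface name -> area for a dict of interface addresses."""
    statements = parse_network_statements(config)
    return {name: area_for_interface(ip, statements) for name, ip in interface_ips.items()}


if __name__ == "__main__":
    # Assumed: Vlan2180 carries the router-id address the Nexus log complains about.
    for name, area in area_map(OSPF_3850_CONFIG, {"Vlan2180": "10.210.215.1"}).items():
        print(f"{name}: area {area}")
```

An interface-level `ip ospf <pid> area <n>` command takes precedence over network statements and is not modelled here.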



Issue with IPSEC tunnels over Telstra LTE

Hey everyone, I've been bashing my head against a wall with this one.

I have an HA pair of Fortigate 300Es trying to connect a few Teltonika RUTX11s via IPsec dial-in over Telstra LTE.

I have no dramas getting both the P1 and P2 up but cannot pass any traffic. Sometimes I can pass traffic one way, but that is random.

Now I've tested this by taking the LTE out of the picture and putting the remote dial-in device (RUTX11) on a public IP in our WAN, and the traffic works perfectly.

I'll admit I have not touched IPsec in over 10 years and have previously used OpenVPN, but wanted to use IPsec in this new environment. I wanted to iron this out perfectly as 90% of our traffic is hub and spoke from these remote RUTX11s.

I'm currently at home so will have to include some pcaps, and diag logs tomorrow but just wanted to see if anyone else was having similar issues.

From my troubleshooting so far, Telstra is running CG-NAT and using private IPs. I've changed the APN on the RUTX11 to telstra.extranet, which gives me a public IP and has no CG-NAT, and I was hoping this would be the fix, but it's still acting strangely. I've googled for hours and found a few blogs on Telstra running policy-based routing, but was hoping someone else has any idea of the issue and some steps to take to get to the bottom of this.

If I can't sort this out in the next week or so I'll have to fall back to OpenVPN.



Unencrypted satellite services like it's 1990

I always assumed satellite-to-endpoint communications were encrypted... but apparently not. Leonardo Nve Egea snoops the planet: infrastructure, aviation, marine, the super rich...

Ars article: https://arstechnica.com/information-technology/2020/08/insecure-satellite-internet-is-threatening-ship-and-plane-safety/
Blackhat Slide deck: https://www.blackhat.com/presentations/bh-dc-10/Nve_Leonardo/BlackHat-DC-2010-Nve-Playing-with-SAT-1.2-slides.pdf



Question: Is there a way I am able to remove multiple Profile V6 folders on a server?

Hello Reddit, usually I am the one who would help people out when I can but this time I could really use your help.

In our business, we use roaming profiles, where users can log onto any machine connected to our domain with their logins. Within these roaming profiles, there is something called ProfileV6. Sometimes we need to remove the ProfileV6 folder to reset their profile.

I was wondering if there was a way to bulk remove this folder from multiple user profiles?

An example of the file path would be:

    \\user-server\Users\Staff\Jsmith\profileV6

I have a feeling a script/batch file would need to run but I am the worst when it comes to scripts.

I could imagine this is some very beginner-level scripting, but I can't see how it can logically work. Perhaps have a script that reads a usernames.txt? Within the usernames.txt I would have all the usernames for which I wish to remove the ProfileV6 folder.

Any help would be most appreciated!



Catalyst 1000 Series DHCP server possible?

Hi gang,

I'm planning to deploy a small number of 9115 APs (5 APs) with EWC, and am going to use an 8-port C1000 switch. I've heard that an EWC AP cannot give out IP addresses, so an external DHCP server seems to be necessary.

Is it possible for C1000 to act as a DHCP server? (w/ DNA-E license)



Wednesday, August 5, 2020

Fortiswitch stability

Hi!

I have some customers that already have a FortiGate and now need to upgrade their network switches.
Today they have Cisco SMB switches that have run without any problems for 7-8 years.

I'm looking into FortiSwitch: easy to manage via the FortiGate, etc.
How are stability and hardware quality? Are they any good, or is it better to go with Cisco's new Business series or Aruba?



Pulse VPN Passwords Leaked



Remote Connectivity at Branch Site for Outside Vendor... Best Solution?

Hey all,

So I just started a role as an engineer at my new company. One thing that's weird, though, is that I'm the only guy, so bouncing ideas off co-workers and getting config proofread really isn't a possibility. I'm hoping maybe someone else has run into this scenario and might have some thoughts.

Situation:

An outside facilities vendor sets up a monitoring system for HVAC equipment at one of my remote sites. They want network connectivity to the device to be able to log in and view HVAC stats and whatnot. The traffic has to be isolated from the rest of the network. My site has an MPLS and a DSL DMVPN outbound link. My goal is to bring the traffic in over the DSL link's public IP, and then port it down into the private VRF for this traffic and have it connect.

What I've done so far:

The VRF is created and is NATing correctly. I know this because when I'm on site and log in to the HVAC PC I obtain the correct IP addresses in the small VRF subnet and can communicate with the other HVAC device on site. I can also browse the internet and do basically whatever internet services I'd like.

Except, when the vendor tries to connect over two specific ports (let's say 1111 and 2222), they are unable to reach through to their node. This is making me think it's some kind of L4 issue. The vendor has a "port forwarding detection tool" that they reference which shows the ports closed. However, it also shows 443 and 80 as closed too, which I know can't be the case because the device is able to access the network (not sure if that's relevant...).

ANYWAYS....

So far, to try to fix this I applied two ACLs. I verified that they are placed correctly and the IPs are correct, and the customer still can't connect:

    330 permit udp any host 10.1.1.1 eq 1111
    340 permit udp any host 10.1.1.1 eq 2222

I'm wondering if maybe I need to perform port forwarding as well on the device? I'm thinking of adding this configuration:

    ip nat inside source static udp 10.1.1.1 1911 int gigabitEthernet 0/0/2 1111
    ip nat inside source static udp 10.1.1.1 1911 int gigabitEthernet 0/0/2 2222

I got this from a Kevin Wallace guide that seems to be doing something similar (but with SSH in his case):

https://www.youtube.com/watch?v=5_9DaAcZqtY

---------------

The only other thing I can think of (keep in mind I just started in this role and am still learning traffic flows and the network layout) is that the public IP address on the remote site gets routed to via DMVPN and then I need to look at the DMVPN hub and firewalls at our internal data center... I wouldn't think this is the case, though, since the router is NATing successfully and has connectivity, and it appears not to be crossing the DMVPN channels at all...

Thanks for reading! I'm sure someone out there has had to do something similar to this before. Hoping to maybe get some assistance on where to go next.



Advice on new Core/Access Switches for Small Non-Profit Foundation

My company is moving locations and I'm still using a Cisco Catalyst 3560-X that I bought in 2011 as the core switch. We only have 5 VLANs (user/printer, server, voice, private wifi, public wifi). The Cisco switch handles inter-VLAN routing like a champ (full wirespeed); it has never been an issue.

I want to move to 10Gb connections (I prefer 10GBASE-T as that is what I am using now, through a Netgear XS716T trunked into the core that my Hyper-V boxes, backup appliance, NAS, etc. are running on), and have been looking at the SMB versions of the Cisco switches (SX550X-52 specifically).

Has anyone here used these in layer 3 mode with static routing, and do you know if they are able to handle inter-VLAN routing at wirespeed? I know they get a lot of hate, but the CLI seems to be really close to IOS now and they've at least raised the packet buffers in this particular switch to 10MB.

If not these switches, does anyone have a recommendation of what I should use? Trying to be reasonable with the budget as well. I would spend the money on a Catalyst model if one existed with 48-port 10GBASE-T, but unless I am a complete idiot, I've looked through the 3650, 3850 and 9100-9500 models and can't find one.

I'm not doing anything crazy: VLANs are all just static routing, I use QoS set for DSCP throughout for the voice VLAN traffic, and that's about it. I do have old Polycom phones that use Cisco Discovery Protocol to automatically set the voice VLAN, so sticking with Cisco would be most advantageous.

Thanks in advance for any advice or feedback you are kind enough to offer!

My existing tech environment:

My existing core switch is a 48-port gigabit 3560-X. I have two other 48-port gigabit 3560-X switches with PoE+ for phone/desktop connectivity. I need to replace all three switches as I move to a new location.



Switch getting wrong IP Address

I am having network issues that just started randomly. All of a sudden the internet stopped working; I checked my rack and unplugged everything (power-wise) and plugged it back in with no success. When I disconnected my network switch from the router and plugged a couple of things directly into the router, they worked fine. When I tried plugging them back into the network switch I was getting an IP address of 169 rather than the usual 192. Since things work fine if they are plugged directly into the router, is the switch the issue? Or is it possible that it is something that is plugged into the switch that could be causing the issue? If that's the case, how do I track it down? It's a 24-port router and is my in-laws' house, so I'm not sure where all the wiring goes.



In an IPsec tunnel, what is the purpose of having 2 separate secured channels (the ISAKMP SA and the IPsec SA), instead of just 1?

I understand that the ISAKMP SA is used for control traffic, and to set up the subsequent IPsec SA, and that the IPsec SA is used for the actual data transfer between the tunnel endpoints. But assuming the initial ISAKMP SA communication channel is already secure, couldn't it also be used for data traffic as well?

I guess I just don't understand the logic behind using a secure channel to negotiate another secure channel. It seems like both support the same types of encryption as well, so it's not like the ISAKMP SA is weaker from a security perspective, right?

Is it as simple as more tunnels = more security? Or is it just because that's how they decided to do it?



When exactly does an address of the form http://:3838/ go from being local to being on the internet?

I'm very new to server administration, and I'm trying to deploy a web application (in particular, an R Shiny web app) from behind my company's firewall.

I've succeeded in getting the app set up such that any computer on the same network as the hosting server can enter http://<server-address>:3838/sample-apps/hello/ into their browser to access the app. (I used a program called Shiny Server for this, which runs on any Linux server but is only supported on Ubuntu.)

My confusion lies with how to extend this so that machines not on the network can also access this page. Which leads me to the question:

When exactly is something like http://<server-address>:3838/ only accessible locally? I've had to access webpages like this before, i.e. with just an IP address, but sometimes the IP was something on my local network and sometimes the IP was something on the internet. How exactly do I set up the latter situation?

(P.S. the default port is 3838 but that's not vital to my question I suppose, I should've left it out of the title)



Having trouble understanding a traffic graph

This is the graph.

I have an office with an ASA 5505 connected to a Charter cable modem. Latency to anything on the internet appears to be cycling between 30ms and up to 500ms about every 30 seconds.

I've verified this is actually occurring by pinging from an internal server to the first Charter hop. The graphs are from a Vultr server in nearby Atlanta. I have 4 other latency graphs running from this same server to offices in the same town using Charter, and they look fine.

The middle graph is to the outside ASA interface, and the bottom is over a VPN to an internal server; that's to take "ASA control plane too busy" out of the mix, although the CPU looks fine. The Vultr host is a new thing; I was running the same server from my office before and seeing the same curves.

I thought about a saw-tooth from policing, so I've set up traffic shaping on the ASA at 10Mb which is what the line tested at. The traffic graphs don't appear to show any correlation to the problem though.

The bizarre thing is that stopping my collectd daemon doing the measurement seems to reset the base level of latency. On the ASA log I see it building and tearing down a new ICMP session, so I don't think anything is sticky there.

The only thing that I can come up with is that I'm actually seeing a much faster oscillation, and the peaks I'm seeing are an interference pattern between my sampling rate and the actual frequency. So in that case restarting the monitoring server could pull the sampling cycle in or out of phase with the underlying phenomenon. That seems like a zebra explanation though.



Back-plane stacking vs Front plane stacking

So I'm having this discussion with a fellow engineer, trying to decide what kind of stacking would be the best for a project.

Context: I'm suggesting using the new 6300 series with

Aruba 6300M 24-port SFP+ and 4-port SFP56 Switch (JL658A)

  • 24x 1G/10G SFP+ ports
  • 4x 1/10/25/50G SFP ports

He is arguing that the back-plane stacked 3810 is more stable and gives better HA:

3810M 24SFP+ 250W Switch (JL430A)

  • 24 SFP+ fixed 1000/10000 SFP+ ports;

I just need to fact-check my arguments. The key focus is having HA in the event one switch goes bad.

We cannot do an ECMP design due to unknown reasons; they want to keep the current collapsed-core design.

Back-plane stacking

Pros

  • Can reboot individual switches with minimal interruptions (Depends on the topology)
  • Easily replace a switch with minimal configs
  • Simplified management and provisioning
  • 80 gig stacking bandwidth between the switches

Cons

  • Older SKU (still not EOL)
  • Back-plane stacked switches won't give you the HA the way you think it would: both share the same control, management and data planes. If there is a crash or a software-related issue it will affect both.
  • Another module that can fail (rare, but it happens)

Front plane stacking

Pros

  • Can reboot individual switches with minimal interruptions (depends on the topology)
  • Independent control and data planes, GW fail-over with VRRP
  • Simplified management and provisioning
  • New Aruba CX OS
  • More flexibility with switch placement in racks (not restricted by the stack cable length)

Cons

  • Replacing a switch is a little bit more involved, but can be templated out using a playbook
  • Lower stacking bandwidth compared to back-plane stacking (not a huge deal breaker based on the traffic patterns)

What do y'all think? Am I on the right path, and if not, what am I missing?



Why is traffic to a smartphone causing traffic to drop on independent switches?

I know that this subreddit is generally for enterprise networking discussion, but this one has really stumped me.

https://imgur.com/a/j2U5dwH

On a fairly small office network, we have been having the entire network drop intermittently (about 5 seconds at a time at 30-second intervals). Last night, I unplugged everything in the office except for a few computers, a wireless AP, 3 24-port switches, and a VM that runs a web server, and tracked it to transferring files to a smartphone over wireless.

Files are stored on a ZFS array (NAS), and served to VM A that runs Nginx and a NextCloud instance.

Computer B can happily saturate its gigabit connection while downloading from VM A, without causing network outage. A laptop can download at gigabit speeds via the wireless router, from VM A. Everyone is happily pushing Gigabit traffic throughout the network.

  • Whenever the Android smartphone is used to download files from VM A, the entire network drops, including communication between Computer B and Computer C, which are the only 2 devices I had connected to Switch C.
  • The NAS can no longer reach the Router.
  • Router doesn't lose connectivity to the Internet.
  • Switch A is an unmanaged 24-port Netgear JGS524 switch.
  • Switch B and C are unmanaged 24-port TP-Link switches.

What is going on with this? How can one smartphone take down the entire network? I even suspected that something weird was happening with power, and tested with 2 computers in a cubicle, uplinked to Switch A, and they also lost connectivity to each other for 5 seconds.



Juniper SRX : Allow traffic back in on a different WAN?

Other than disabling the firewall on the SRX, is there a way to allow traffic sourced from the LAN out of a WAN interface but with the return traffic coming in on a different WAN interface?

I know the question must be "why would you want to", but there is a good reason, I promise.

It's enabled in the security zone but it's not working, and I think it's because the Juniper is stateful, so it's still got the session for the outbound traffic and it doesn't like seeing it return on another interface, although I could be wrong.

Thanks



Asymmetric links, EIGRP algorithm

I've always used bandwidth/delay to influence routing decisions with EIGRP, and typically had symmetric links, so I never really thought to configure "bandwidth receive" on an interface. At this new job we use internet links that are asymmetric, so I'd like to start using "bandwidth" and "bandwidth receive" so my NMS can alert on link utilization properly.

That being said, I can't seem to find any docs that specify how "bandwidth receive" influences EIGRP routing decisions (if at all). Does anyone use "bandwidth receive" with EIGRP who can shed some light?



ISPs, how is your network handling the Call of Duty update this morning?

52GB update! What kind of increases are you seeing?



Anyone here use Gartner? What do you use it for?

So I work for a federal agency and our director just recently purchased all employees individual licenses for Gartner. We had a kickoff meeting with them yesterday where they went over everything they offer and all that. But after the kickoff I was still a little confused at what I can get with my licenses.

My understanding is that they are there for tech support. If I have an issue with anything IT related, whether it be configuring a new cisco device feature or setting up something new in our server lab, they have a technical expert in any department that could guide me through it. They are also there for guidance and reviews on new devices, whether it be a server, router, switch, firewall NGFW, whatever. They have someone who is an expert on it and can answer questions and make suggestions.

My boss seems to think it is solely for suggestions and guidance with devices and design. More like a consumer reports for IT equipment.

Does anyone here also use Gartner? And if so, could you tell me what you do with it? Are they more for helping with troubleshooting, advice, or a mix of the two?



Generate Cisco Config for Hardware Not On-site

Does anyone know of a product and or solution to let you generate new Cisco configs without having the hardware up and running? For example, we have new generations of Cisco C9407R and Cisco C9300-48U-A's at construction sites waiting for power and cabling to be completed. However, we would like to have the devices up and running and generating our configs and the nuances that you face with new hardware. This isn't ideal as these would be sucking in drywall dust and getting paint all over them and such. I am looking for something that might be a VM or other product/solution that might help with these kinds of scenarios. Does anyone know of such a thing?



F5 - irule to rewrite "Location" header from server

Hi all,

I'm not even sure if this is possible but here we go.

I am trying to get an F5 BIG-IP to rewrite an HTTP response "Location" header. Client requests are having their Host headers rewritten, and I'm trying to rewrite the Location header that the server sends back.

If I use Chrome or Firefox dev tools I can see the server sending the Location header back. I'm able to statically rewrite this in an iRule using HTTP::header replace Location "https://blar.com"

My issue is this: the Location header the server sends back will obviously vary; sometimes it's https://blar.com/blar, other times it's https://blar.com/doubleblar

The crux of the issue is I'm struggling to expose this info to the F5. I have tried logging all request and response headers, but I don't see the "Location" header in the logs, yet I see it when inspecting it in Chrome on the client.

My idea was to get the Location header, extract the URI part and then rewrite it dynamically.

Any assistance much appreciated.



VLAN Support...of course

Hi all

I have some VLANs set up with all my L3 routing happening at the core switch. The VLANs are as follows:

Core Switch: 20.11

    1 - Default : Untagged A1-A23,B1-B9,B13-B22,B24,C1-C24,E1-E8
    5 - Voice : Tagged E1-E3,E5-E8 Untagged B23
    40 - Student Wifi: Tagged A1-A24,B1-B9,C1-C24,E1-E3,E5-E8 Untagged B10,B12
    172 - Cameras: Tagged A1-A23,B1-B24,C1-C7,C9-C24,E1-E8 Untagged A24
    200 - Guest Wifi: Tagged A1-A24,B1-B9,C1-C10,E1-E3,E5-E8 Untagged B11

I'm having an issue with a switch that has uplinks from Core C8 and E4.

EDIT: Apparently the primary VLAN on this switch is set to 5 - Voice

E4 to SW2/49

C8 to SW2/50

Switch 2: 20.79

    1 - Default : Untagged 1-24, 50-52
    5 - Voice : Untagged 25-49
    40 - Student Wifi : 1-13, 49
    172 - Cameras: NONE
    200 - Guest Wifi: 1-24, 49

Problem: Obviously the VLANs are a mess. But everything is working except when I tag or untag VLAN 172 to plug in a camera... That takes everything but 5 - Voice down.

I want to plug this one camera into port 13 and have it work on VLAN 172.

What do you recommend?



Crown Castle BGP Community Policy ? 33132:100 33132:123 33132:1103

Hello, we now peer with Crown (AS33132) and AT&T (AS7018); it was only AT&T before. We're advertising two /24s with 5x prepends for the backup and the appropriate community for the AT&T side.

Crown Castle mentioned they don't have a community policy for changing local pref like AT&T does (7018:70, 7018:100, etc.) and that they simply honor prepends, and that's about it.

But when I check the looking glass for 2 of Crown's upstream providers, I am seeing community values of 33132:100 33132:123 33132:1103 on one of our public prefixes, and I am seeing sub-optimal routing post-migration from the Crown side.

Anyone know what these are doing? The AT&T side is fine. Is it safe to assume it's Crown sending the community since they begin with 33132? Can't find much info online on Crown's site.

Thanks.



ECMP Minimum Link

I configured ECMP between two IPsec tunnels. Is there a way to configure a minimum link?



What can I do about being the victim of a DNS amplification attack?

Hello,

First post here hope I’m not breaking any rules.

We've been the victim of the attack mentioned in the title. Our router can block most of the unwanted replies, but this traffic is clogging our bandwidth.

The ISP is asking us for money to deal with it... is there something one can do at the consumer level, or is our only chance getting the ISP to stop forwarding this traffic?



Redundant routers: how do you do the upgrade?

Hi, currently I am tasked with downgrading the IOS XR version on some NCS5504s we've got; all of them have 2 RPs. I learnt that if you try to downgrade while the standby RP is running a more recent image, it will just push that back onto the master.

So right now the way I do it is to take one RP out, downgrade the other one, remove it, insert the first one and downgrade that as well, and then finally put them both back in. It is consuming more time than I'd like, though, so I was wondering if there's a way to speed up this process.



Troubleshooting an SRX reth interface with a Cisco trunk port

I have an SRX connected to a Cisco switch. The SRX is configured with reth interfaces with VLAN tagging and without LACP enabled. On the Cisco side, the port is a normal trunk port.

The ping between the SRX and the Cisco is not coming up; after troubleshooting and researching, there doesn't seem to be any weird requirement for the Cisco switch.

Did anybody face this issue and resolve it?

PS: all security zones and policies are properly configured.

SRX:

    root@SRX-Active# show interfaces reth0
    vlan-tagging;
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 10 {
        description Servers;
        vlan-id 10;
        family inet {
            address 192.168.1.1/24;
        }
    }

Cisco Switch:

    interface GigabitEthernet1/0/24
     description **Link to SRX1 ge-0/0/6**
     switchport mode trunk
    end



Nintendo face palm

Saw this in another thread here on Reddit; figured you might get a kick out of this one:

https://en-americas-support.nintendo.com/app/answers/detail/a_id/22272/~/how-to-set-up-a-routers-port-forwarding-for-a-nintendo-switch-console

Who wrote this!?

*Just add 20 to your computer's IP and use that as your static IP

*subnet mask 255.255.255.000

And the best:

*”Within the port range, enter the starting port and the ending port to forward. For the Nintendo Switch console, this is port 1 through 65535”



Tuesday, August 4, 2020

Dell Switches best practices

Hi, I just wanted to get some insight and advice on interface configuration on a Dell switch.

The scenario is configuring an interface for data and voice.

I can achieve this by

- enabling the voice VLAN function globally
- configuring the interfaces with

    switchport mode general
    switchport general pvid 25
    switchport general allowed vlan add 25 untagged
    switchport general allowed vlan add 35 tagged
    switchport voice vlan 35

Is it bad to configure "switchport mode general" on all interfaces on a switch? Or should this only be used on uplink ports to another switch etc?



DDoS prevention

I was playing around with Nmap and I tested my own and my friend's IP, and I saw that all 100 most common ports were filtered for him, but for me most were open. Is there a way I can also filter mine so I can't get DDoSed?

edit: added for him



Dropping packets on specific VLAN only

I'll preface this post with the fact that I am a sysadmin, and not a network engineer. I'm pretty comfortable when it comes to switching, but rarely deal with configuring or troubleshooting routing.

I have an issue where only my server VLAN, VLAN 100, will drop traffic to the internet or to our VPN clients (VPN users). If I do a continuous ping, in the course of 5 minutes it will drop 30% or more of the traffic. It will ping 8.8.8.8 4-5 times successfully, then fail, sometimes twice, then another successful ping, then another fail. It only does this from devices that are in VLAN 100. If I take a test laptop, plug it into one of our rack switches (Cisco 3650) and put it on VLAN 100, I get the packet loss I described above. If I switch that same laptop to VLAN 42 (our client VLAN) on the same switch port, there is no packet loss to the internet.

Does anyone know what would cause traffic from a specific VLAN to drop this much out to the internet, but not internally?

I can ping from VLAN 42 to any of our servers in VLAN 100 with no packet loss internally. Same goes for pinging from VLAN 100 to VLAN 42, or VLAN 20, or any of our other internal VLANs. No packet loss. The only internal VLAN where I get packet loss is VLAN 9. This is our VLAN for VPN-connected users. When they get an IP address internally once successfully connected, it's on VLAN 9. If I ping from VLAN 100 to clients in VLAN 9 on the VPN, packet loss (30% in 5 minutes). However, I can ping VPN users from VLAN 42 to VLAN 9 with 0% packet loss. Same thing in the other direction.

I did not configure any of the routing being done on our core switch. This was done by my parent company. They are in another country though, and have been completely unresponsive going on a month now due to COVID.

The issue first presented itself as slowness and locking up of email while on VPN. I noticed it got worse for users that I migrated from Exchange 2010 to Exchange 2016. I believe this is because Exchange 2010 uses MAPI for communication, and Exchange 2016 uses HTTPS for its communication, which appears to be much more sensitive to dropped packets and broken communication.

I narrowed it down to VLAN 100 by pinging the mail server from the VPN clients (VLAN 9). I noticed packet loss (30% in 5 minutes). Then I pinged other servers in VLAN 100, same packet loss.

Things I have tried so far with my limited skills and abilities:

  • Tested our AT&T ISP connection. No dropped packets when plugged directly into the AT&T router. No dropped packets when pinging from my workstation on VLAN 42, our normal client VLAN. VPN clients don't ever get disconnected from the VPN itself.
  • Packet captures were done with our 3rd-party vendor on our firewall. Packets on the server VLAN out to the internet are being discarded before they even reach the firewall.
  • This led me to believe it's the core switch. I sent "show Technical-info" outputs to my 3rd-party support for our Cisco gear, but no responses back on what the problem could be. It's been a full week since I have heard from anyone.

It's my firm belief that the core switch is discarding these packets from VLAN 100 to the open internet for some reason or another. It shouldn't be link saturation. We have dual Cisco 6880 switches in a VSS cluster to handle the traffic. We have about 80 VMs, most of them single-app servers not doing much. Plus our monitoring isn't throwing any flags on throughput. Plus it ONLY affects VLAN 100. That's what blows my mind.

What would cause a switch to discard packets on a specific VLAN but only out to the internet?

Thanks for reading. I had to get this out there. I have felt pretty alone in dealing with this issue.
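Added example (not part of the post above): when a continuous ping is the main evidence, it helps to turn the saved output into numbers that can be sent to a vendor case, in particular the loss percentage and whether replies go missing one at a time or in bursts. The script below parses Linux ping output; the sample lines are constructed to mimic the pattern described in the post (a handful of good replies, then one or two missing).

```python
"""Quantify intermittent packet loss from saved ping output.

Added example (not from the post above): it parses Linux ``ping`` output
and reports the loss percentage plus the longest run of consecutive
missing replies, so a steady "4-5 good, 1-2 dropped" pattern can be told
apart from a single burst. The sample lines below are constructed.
"""
import re
from dataclasses import dataclass, field

REPLY_RE = re.compile(r"bytes from \S+: icmp_seq=(\d+)")
SUMMARY_RE = re.compile(r"(\d+) packets transmitted")

# Constructed sample: 10 probes to 8.8.8.8, replies missing for seq 5, 6 and 8.
SAMPLE_PING = """\
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=12.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=12.1 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=12.6 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=117 time=12.2 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=117 time=12.9 ms
64 bytes from 8.8.8.8: icmp_seq=9 ttl=117 time=12.3 ms
64 bytes from 8.8.8.8: icmp_seq=10 ttl=117 time=12.5 ms

--- 8.8.8.8 ping statistics ---
10 packets transmitted, 7 received, 30% packet loss, time 9012ms
""".splitlines()


@dataclass
class LossReport:
    sent: int
    received: int
    lost_seqs: list = field(default_factory=list)
    longest_burst: int = 0

    @property
    def loss_pct(self) -> float:
        return 100.0 * (self.sent - self.received) / self.sent if self.sent else 0.0


def analyse_ping(lines) -> LossReport:
    """Build a LossReport from ping output lines.

    The probe count comes from ping's summary line when present; otherwise
    the highest sequence number seen is used, which cannot see trailing losses.
    """
    seen = set()
    sent = None
    for line in lines:
        m = REPLY_RE.search(line)
        if m:
            seen.add(int(m.group(1)))
            continue
        m = SUMMARY_RE.search(line)
        if m:
            sent = int(m.group(1))
    if sent is None:
        sent = max(seen, default=0)
    lost = [s for s in range(1, sent + 1) if s not in seen]
    longest = run = 0
    for s in range(1, sent + 1):
        run = run + 1 if s not in seen else 0
        longest = max(longest, run)
    return LossReport(sent, len(seen), lost, longest)


if __name__ == "__main__":
    report = analyse_ping(SAMPLE_PING)
    print(f"{report.loss_pct:.0f}% loss, lost seqs {report.lost_seqs}, "
          f"longest burst {report.longest_burst}")
```

Run it once per source VLAN (a laptop on VLAN 100 and the same port on VLAN 42) with the same probe count; identical loss from VLAN 100 to both the internet and VLAN 9, and none from VLAN 42, is the kind of side-by-side figure a switch vendor case can act on.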



Local internet breakout options for sd wan

Just started a new gig. They have just implemented Cisco SD-WAN and currently use Palo Altos at each site. The Palos are mostly coming EOL and support is up in a couple of months. Replacing all the Palos at all the sites is looking costly and seems overkill seeing as they will only have to handle web traffic. What are you guys who have implemented SD-WAN doing? Backhaul, local FW or cloud-based FW?



Remove Login Prompt

Hello partners

I need to know what is the way to eliminate / deactivate the login prompt from the HP FF 5945

It would be very helpful if someone would help me with that

Love u



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Any VPN that can work on application basis?

Say App1 can only be accessed by Server1 and app2 by server2.

If someone wants to use both the apps, is there a solution where I can activate VPN (individually) and to only these two apps?

So rest of the PC apps work normally.

Is there any solution, open source or otherwise that has such/similar implementation?

PS: I am aware it is possible with stunnel to have multiple connections, but these apps work by VPN only. Just tunneling is not enough as they are too complex.



Found the cause of the outage

ENNI went offline. This is in a secure carrier hotel.

https://i.imgur.com/rDpgBRu.jpg



How can I route one VPN to another VPN?

We have a VPN for WFH capabilities. We also have a VPN from our office to our cloud environment (Azure). We are able to reach the office resources from home and the Azure resources from the office, but we aren't able to reach the Azure resources from home. Would I need to configure this on the Firewall (Azure VPN), or the Office VPN?

Information:

WFH VPN:

Azure VPN:

  • Fortigate <-> Azure Gateway
  • 192.168.50.0/24 subnet in Azure
  • IKEv2
  • Route-based

If you can tell me anything about how I get WFH traffic to Azure that would be really helpful!



Question about setting up old router as an AP

I upgraded my fios router from an G1100 to G3100 that is set up on the second floor of the house. The first floor doesn’t get a good signal so we want to use the G1100 as an AP and place it on the first floor. In the settings of the AP I was told to disable the DHCP. Is it possible to change the SSID of the AP to same name as the new router? Hypothetically speaking will a device know which signal to choose on the first floor? Will it automatically choose the stronger signal? What is the best practice for setting up a router as an AP? Thanks!



TCP congestion window and round trip time

I have a question about TCP congestion windows. If the round-trip time is highly variable, for example if there is a baseline of 30 ms for most packets, but spikes every few packets to 50 or 60 ms and occasionally more, would that cause the congestion window to stay very small, limiting speeds? I believe this is what I am seeing, and it seems to make sense based on how it is calculated, but I'm not finding anyone mentioning a link between these, which makes me think I might be misunderstanding it.
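Added example (not from the post above) to separate the two calculations involved: TCP's RTT estimator (RFC 6298) turns a jittery RTT series into a retransmission timeout, while the congestion window is reduced by loss signals rather than by RTT variance, and it caps goodput at roughly one window per RTT. The RTT samples below are constructed to match the pattern in the question.

```python
"""RFC 6298 round-trip estimator fed with a jittery RTT series.

Added example, not from the post above. It runs constructed RTT samples
(a 30 ms baseline with spikes to 50-60 ms) through the SRTT/RTTVAR
smoothing that TCP uses to set its retransmission timeout (RTO), and
separately shows the throughput ceiling implied by a congestion window
and an RTT (cwnd / RTT). The two mechanisms are distinct: RTT variance
widens the RTO, while cwnd shrinks on loss signals (including a spurious
RTO expiry, which is how a too-tight RTO can feed back into cwnd).
"""

ALPHA = 1 / 8   # SRTT gain (RFC 6298 section 2.3)
BETA = 1 / 4    # RTTVAR gain
K = 4           # variance multiplier in RTO = SRTT + K * RTTVAR

# Constructed RTT samples in milliseconds: mostly 30 ms with periodic spikes.
SAMPLE_RTT_MS = [30, 30, 30, 60, 30, 30, 31, 55, 30, 30, 30, 50, 30]


def rto_series(samples_ms):
    """Return (srtt, rttvar, rto) in seconds after each RTT sample.

    Follows RFC 6298 sections 2.2-2.3: the first sample initialises
    SRTT = R and RTTVAR = R/2; later samples update RTTVAR before SRTT.
    The 1 s minimum RTO the RFC recommends (Linux uses 200 ms) is left out
    so the effect of jitter on the raw estimate stays visible.
    """
    srtt = rttvar = None
    out = []
    for r_ms in samples_ms:
        r = r_ms / 1000.0
        if srtt is None:
            srtt, rttvar = r, r / 2
        else:
            rttvar = (1 - BETA) * rttvar + BETA * abs(srtt - r)
            srtt = (1 - ALPHA) * srtt + ALPHA * r
        out.append((srtt, rttvar, srtt + K * rttvar))
    return out


def cwnd_throughput_bytes_per_s(cwnd_bytes, rtt_s):
    """Upper bound on goodput for a window-limited flow: one cwnd per RTT."""
    return cwnd_bytes / rtt_s


if __name__ == "__main__":
    for sample, (srtt, rttvar, rto) in zip(SAMPLE_RTT_MS, rto_series(SAMPLE_RTT_MS)):
        print(f"sample {sample:3d} ms  srtt={srtt * 1000:6.2f} ms  "
              f"rttvar={rttvar * 1000:5.2f} ms  rto={rto * 1000:6.2f} ms")
    mss, cwnd_segments = 1460, 10
    bps = cwnd_throughput_bytes_per_s(mss * cwnd_segments, 0.030) * 8
    print(f"cwnd of {cwnd_segments} segments at 30 ms RTT caps goodput near {bps / 1e6:.2f} Mbit/s")
```

Reading the printed series shows the RTO jumping after each spike and relaxing afterwards; a capture that shows retransmissions (and not just jitter) is what would point at the congestion window being cut.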



L3 Roaming + DHCP Renewal - (Cisco)

Hey

Host associates to WLC - A. Gets IP 1.1.1.1/24

Host L3 roams to WLC - B on same WLAN. Gets IP 2.2.2.2/24

WLC-A will then forward traffic received for 1.1.1.1/24 to WLC-B's host of 2.2.2.2/24

When either of the leases of these two IP's are renewed via DHCP, does that impact the Anchor/Foreign status of the host? Basically will the renewal of DHCP transition the anchor to WLC-B?



Fiber question - multimode fiber - Can i use 1 strand vs 2 strands?

Hi,

I have a 6 strand multimode fiber which was terminated & works great.

The 6 strands give me 3 'connections' but i am outgrowing those 3.

Would it be possible for me to use a single leg of the multimode as a single connection?

My thought is: Can I take 1 of the connections (2 strands) and use them as 2 connections assuming a slower speed?

Thank you - JD



Load Balancing of Campus Network through EBGP advertisement

I am trying to utilise both my ISP links to access my network from outside. Assuming my DC network IP block would be 203.XXX.XX0.0/23 with 510 possible hosts in total, my requirement is to advertise 203.XXX.XX0.0/24 as best via ISP router 1 and 203.XXX.XX1.0/24 as best via ISP router 2.

From outside network when my DC applications and servers are accessed for 203.XXX.XX0.0/24 they have to come through ISP 1 and for 203.XXX.XX1.0/24 they have to come through ISP 2

AS-path prepend didn't help in achieving this. Please suggest an alternative method to accomplish my goal.

Attached my simple network architecture



Looking for full 10gb switches with 24/48 ports

Hello everyone,
I'm looking for full 10gb switches for a network design I'm making, and it's proving incredibly difficult to find them.
I've spent a full day on this, and all I've been able to find is the NETGEAR XS700 series, surely there must be more out there, right?



We had a PON drop over the weekend. Dispatched a tech and this is what he found.

I've never seen a patch panel connector just snap off like this. I just found it amusing and thought I would share. The jumper was just hanging there with the other half of the connector on it.

https://imgur.com/lvu8s6F



Hardcoded APN into SIM?

Hello,

I'm currently deploying a new mobile 3G/4G product into our network, the main aim is to have zero-touch provisioning on the service so the end-user can simply plug-and-play.

We've got our supplier to dynamically map the MSISDN into the PPP auth request which we are using to authenticate each unique SIM, although, the end-user still needs to configure the APN.

My knowledge is quite limited and I'm learning on the project, but I was wondering if it is possible to hardcode the APN into the SIM, or alternatively, have the SIM pickup the correct APN required for the service? The APN is a custom APN provided.



Problem with eve ng

I have an 8 GB RAM PC. My EVE VM also has 8 GB RAM. I added multiple images like FortiGate, Nexus 9k and Cisco IOL, but none of them work. The only VM that works is the VPC. Can anyone help me?



Best place for cheap used Network Tester

So my job has no budget, and I'm tired of shit tools, so I'm just gonna buy my own, I should have my own tester anyway.

Looking for the most affordable place to snag either a Fluke (or NetScout/NetAlly) LinkRunner MS2-100 or AT-2000. Or comparable, but I know those will do what I need and I'm familiar with them.

I'm mainly concerned with a Wire Map, PoE status, Split/Crossed/Open, and Tone Generator.

Thanks in advance, tired of looking like an idiot because they won't cave for the proper equipment.



Cisco lead times blowing out

Is anyone else having trouble getting any equipment out of Cisco lately? Fully understand we’re in a pandemic but I’ve been waiting months for equipment like C9200Ls and basic branch routers with no ETA in sight. No amount of complaints to my AM or VAR is getting me anywhere. I’m in Australia but curious if this is happening anywhere else?



Network access control using face recognition. Is it possible?

Hi all!

When talking about NAC, we all think of Cisco ISE, Aruba ClearPass, ... The problem is, they are all expensive and sometimes they are hard to implement.

I have only been around the industry for a few months, so maybe I don't know what technologies they are using to control their network.

I will do my graduate thesis next month; my project is about "User Profile checking using picture recognition". I am thinking that I will integrate my project with networking. Maybe it will add another layer of security at the application level.

Let's talk about Cisco ISE. A few months earlier, I assisted my team in implementing Cisco ISE for a customer. I noticed that Cisco ISE has some features like:

- Auto Profiling

- Auto change the policy applied to a supplicant when it is compliant.

- Check Windows version and Softwares installed on the supplicant

...

Maybe there are many more features that I don't know about in ISE, but most of the functions of ISE, I think I can replace with Python.

For example:

- Auto Profiling => Check the MAC address of the endpoints and classify them.

- Check Windows version and Softwares installed on the supplicant => Checking Services or Registry.

- Change the policy applied to a supplicant when face recognition succeeds => Server will exec a Python script to automatically change the access list on the network device interface.

Do you guys have any suggestion?

Any input is appreciated!
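Added example (not the poster's code, and not how ISE does it) for the first bullet, MAC-based profiling in Python. The vendor table is a constructed stand-in for the IEEE OUI registry. The check a practitioner would want alongside the lookup is the U/L bit: OS MAC randomisation produces locally administered addresses, so an OUI lookup on those is meaningless and the endpoint should fall into an "unknown" bucket rather than get a vendor-based policy.

```python
"""Endpoint profiling by MAC OUI, with a randomised-MAC check.

Added example, not the poster's code. OUI_TABLE is a constructed stand-in
for the IEEE registry. Profiling by OUI is only meaningful for globally
administered addresses; the U/L bit (bit 1 of the first octet) is set on
locally administered addresses, which is what iOS/Android/Windows MAC
randomisation produces, so those endpoints are reported as unknown
instead of being matched against a vendor.
"""
import re

# Constructed OUI -> (vendor, role) table; replace with the IEEE OUI list.
OUI_TABLE = {
    "00:1A:2B": ("ExampleVoIP", "phone"),
    "3C:4D:5E": ("ExamplePrinter", "printer"),
}

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalise_mac(raw: str) -> str:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or Cisco 'aabb.ccdd.eeff';
    return the canonical upper-case colon form or raise ValueError."""
    digits = re.sub(r"[:\-.]", "", raw.strip()).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """U/L bit (0x02 of the first octet) set => locally administered
    (randomised by the OS or set by hand), so the OUI carries no vendor."""
    return bool(int(mac[:2], 16) & 0x02)


def is_multicast(mac: str) -> bool:
    """I/G bit (0x01 of the first octet) set => group address; never a
    valid station source address."""
    return bool(int(mac[:2], 16) & 0x01)


def classify(raw: str) -> dict:
    """Return the canonical MAC plus vendor and role for policy selection."""
    mac = normalise_mac(raw)
    if is_multicast(mac):
        return {"mac": mac, "vendor": None, "role": "invalid-multicast"}
    if is_locally_administered(mac):
        return {"mac": mac, "vendor": None, "role": "unknown-locally-administered"}
    vendor, role = OUI_TABLE.get(mac[:8], (None, "unknown"))
    return {"mac": mac, "vendor": vendor, "role": role}


if __name__ == "__main__":
    for sample in ("001a.2b3c.4d5e", "3C-4D-5E-00-00-01", "02:11:22:33:44:55"):
        print(classify(sample))
```

Because a MAC address is whatever the host chooses to send, OUI profiling is only a hint for assigning an initial policy; the posture and identity checks in the other bullets are what should gate access.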



Supermicro SSE-F3548S/FS N8500-48B6C opinions (25Gb switches)

Hi, currently looking for full 25Gb L2 switches with some 100Gb uplink options. I came across the Supermicro SSE-F3548S. It has everything except stacking options, am I right? What blows my mind is the price, ~4.7k €. Do you have any experience with this switch?

Also found the FS N8500-48B6C with Cumulus, worth ~10k €. Still cheap compared with Cisco/HP/Extreme Networks.

What are your opinions, as champions among network admins?



Help a beginner out

I'm currently studying for a job in networking. I'm an electrical power engineer, which makes networking not my cup of tea but also not that far off. I have the basics under control but I feel I need to go an extra mile since I'm out of my depth here. Can anyone clue me in on how to do so: resources, references, certain courses or skills?



Monday, August 3, 2020

Trying to wrap my head about the following Viptela scenario

Hey guys,

I am not that savvy on Service Provider stuff, and I'm trying to study a little bit of Viptela (Cisco SD-WAN) using their documentation. The question is not really on the product itself but on the way private WANs work, because the following section on "Allow Data Traffic Exchange across Private WANs" is throwing me off:

https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.1/04Segmentation/03Segmentation_(VPN)_Configuration_Examples_Configuration_Examples)

If I understand correctly, a data tunnel cannot be formed between two edge routers on the same private transport (MPLS, for example) IF THE NETWORK SEGMENT that connects the two routers to the transport is NOT advertised over the Service Provider network. This makes sense to me because if the two subnets are not advertised, both routers are not able to reach each other, fine.

The solution, however, as per the document, is to use a loopback interface instead? It reads:

" Because the loopback interfaces are advertised across the overlay network, the vEdge routers are able to learn reachability information, and they can exchange data traffic over the private network. "

But why does the loopback get advertised when the physical interface did not? The article doesn't explain well why by using a loopback, both routers are now able to reach each other's said loopbacks, and it does not mention those loopbacks being advertised through the MPLS network.

Am I missing something here?



Cisco CML strange issue with cisco ASA trunk

I am seeing a very strange issue and now I am losing my mind, so I thought I'd ask you folks. I have the following two components connected point to point on Cisco CML 2.0

[nxos-9000v]--------------------[ASA]

9000v config

interface Vlan10
  no shutdown
  ip address 10.10.10.2/24
!
interface Ethernet1/3
  description connected to ASA
  switchport mode trunk
  switchport trunk allowed vlan 10

ASA config

interface GigabitEthernet0/0
  no nameif
  no security-level
  no ip address
!
interface GigabitEthernet0/0.10
  vlan 10
  nameif inside
  security-level 100
  ip address 10.10.10.1 255.255.255.0

I can't ping 10.10.10.2 from ASA

But if I configure the 9000v e1/3 interface as switchport and on the ASA side I remove the VLAN config and put the IP directly on the g0/0 interface, then everything works. Am I missing something in the Cisco ASA VLAN config?



Console Server Recommendation

I am going to be configuring new core and distribution Cat 9500's (6 switches total) and am mostly working off site. I would like to have serial console access to them (I am connected to the site over VPN while remote) while I am working on getting the configuration done and am looking at this:

https://www.get-console.com/shop/en/device-servers/119-airconsole-ts-12n-port.html

Anyone used this and have any good or bad experiences?



JUNOS BGP Route-Map

Forgive me, I'm from Cisco land, and I'm bashing my head into my desk trying to make this work.

I have 2 datacenters, each with 1 circuit to a vendor, and configured with BGP. I'm trying to advertise routes from DC A primary out of DC A, and prepend routes from DC B, and vice versa. On a Cisco router I'd do this with a route-map, that route-map would have 2 steps, first step would match prefix list with DC A subnet, and second step would match DC B prefix list and then set an AS prepend. I have all the routes in my routing-instance from OSPF already.

Here is what I had originally on my Juniper SRX when only advertising DC A.

set policy-options policy-statement routes-out term primary-out from protocol ospf
set policy-options policy-statement routes-out term primary-out from prefix-list primary-out
set policy-options policy-statement routes-out term primary-out then accept
set routing-instances datacenter protocols bgp group dc-out neighbor Z.Z.Z.Z export routes-out

Worked great long time and everyone was happy. Then I added another term

set policy-options policy-statement routes-out term secondary-out from protocol ospf
set policy-options policy-statement routes-out term secondary-out from prefix-list secondary-out
set policy-options policy-statement routes-out term secondary-out then as-path-prepend "100 100"
set policy-options policy-statement routes-out term secondary-out then accept

And that would not work. So I added this before the secondary-out term

set policy-options policy-statement routes-out term primary-out then next term

Still wouldn't work. I created another policy statement and applied that to the BGP neighbor and that didn't work. I'm honestly pulling my hair out at this point. I'm sure this is way simple, I just can't figure out how the JUNOS syntax needs this formatted.



Difference between /64 prefix and /48 prefix on GUAs?

Most of the time, I see IPv6 prefixes as /64, but once in a while some configurations show /48. I understand that this prefix is essentially telling you that the first 64 bits are the network portion of the IPv6 address. When you see a /48 prefix, is this just telling you the network portion of the address without incorporating the subnet into it? When you see a /64 prefix, is there no subnet included in that network portion, and with a /48 prefix, can you assume that there are multiple subnets for that network?



(Oracle?) Sun Microsystems 42U Server Rack - What Screws?

Hey guys,

I need a quick bit of advice from the experts. Would you happen to know which screws I need to secure things to the rack instead of the M4/nut combo that I've been using...? I'd like to get things secured properly, especially as I am going to be adding at least three or four more units in the coming days and may even end up filling the rack with servers/storage arrays as my operation expands.

Many thanks in advance! :)



First Meraki network, potentially

Hey guys - total noob to Meraki. I've used Ubiquiti almost exclusively but am considering installing a basic Meraki WAP in a client office. Is there anything I need to know with respect to equipment licenses, etc?

I really like using the Ubiquiti products for pricing simplicity's sake and my past experiences with their PoE switches, EdgeRouters, WAPs.. has been positive.

Would a Meraki WAP play nicely with a UI EdgeRouter? Any helpful thoughts, comments?



How Do I Get Data From Console Port In Catalyst AX9115?

Just got an AX9115. Pretty sure it's in CAPWAP mode since we didn't get the EWC version. But I need to convert it to EWC. Do I plug in the other Ethernet port for power? What serial settings? Are there drivers required? I tried serial direct to the back of a desktop, then with a serial-to-USB adapter to a laptop.



Need help with infuriating dedicated fibre line setup

Hello, we have a bit of an issue with a leased line (a dedicated fibre-to-the-premises line) which has been set up for our client.

The provider has run the line into the comms cupboard and they've provided a box which is the edge of the network. We have no access to that box, but there is an SFP+ port where the line from the outside world comes in, and a little green light to indicate that it's live, and an SFP+ port for the internal network access which also has a little light which is red to say it's not happy (this is the infuriating part).

They did provide a transceiver already in the slot, but there was some confusion about that so I've also ordered several other options, some of them customised from fs.com for that specific model. Anyway, on the other side we've got a Draytek Vigor 3910 which we want to use to run that WAN connection via its SFP+ port, and also a second connection which will be a failover.

The leased line provider has given me the following details:

WAN Subnet xxx.xxx.xxx.0

or 255.255.255.252 depending on who you ask from their team

WAN Subnet Mask /30

WAN IP xxx.xxx.xxx.2

WAN Default Gateway xxx.xxx.xxx.1

Routed IP's Network Number xxx.xxx.xxx.44

Routed IP Mask /30

Routed First Host xxx.xxx.xxx.45

Routed Second Host xxx.xxx.xxx.46

Routed Last Host xxx.xxx.xxx.46

Routed Broadcast Address xxx.xxx.xxx.47

DNS servers xxx.xx.xxx.12, xxx.xx.xxx.6

Now I'm a total novice in this particular area, and I can't figure out if I'm doing something wrong, but the access light on their box will not go green. I'm confident that it's not an issue with the transceivers as I've tried so many different options, and in every case the light on our Draytek is green, it's only red on their box.

In terms of the network settings, on the Draytek I've configured WAN 1 to use the SFP port with the following details:

IP Address xxx.xxx.xxx.2

Subnet Mask xxx.xxx.xxx.0 and/or 255.255.255.252

Gateway IP Address xxx.xxx.xxx.1

DNS servers, as above or 8.8.8.8, 8.8.4.4

And it just doesn't work. But then there is something else that worries me, all that stuff about the routed IPs network number with the 2 usable hosts, what's that even for? Is that where I'm going wrong?

The provider's support has been less than useless, honestly the worst I have ever experienced. They really don't want to help troubleshoot the issue; basically they're happy for the line to never ever be used and apparently that's the end of it, because they're confident that the issue is on our side, because they've run the same stupid test over and over which shows that the access status light on their equipment is red. So I implore anyone who actually knows about networking: have I actually used the details that they've provided correctly, or is there something really obvious that I'm missing, or is it all about that second set of details with the routed IPs?

Thank you so much to anyone who can shed some light on this.
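Added example, serving both the /48-versus-/64 question earlier on this page and the leased-line details just above (it is not from either poster). The real addresses are masked on the page, so the documentation ranges 192.0.2.0/24 and 2001:db8::/32 stand in for the provider's xxx.xxx.xxx.* values and for a site prefix. It uses the standard-library ipaddress module to spell out what a /30 WAN link and a routed /30 block contain, to check that a WAN IP and its gateway share a subnet, and to count the /64 subnets a /48 holds.

```python
"""Address-plan checks with the standard library ``ipaddress`` module.

Added example serving two posts above: the /48 vs /64 question and the
leased-line /30 details. Real addresses are not on the page, so the
documentation ranges 192.0.2.0/24 and 2001:db8::/32 stand in for the
provider's xxx.xxx.xxx.* values and for a /48 site prefix.
"""
import ipaddress
from itertools import islice


def describe_v4(cidr: str) -> dict:
    """Network number, mask, usable hosts and broadcast for a host/prefix
    such as the WAN IP 192.0.2.2/30 or the routed block 192.0.2.44/30."""
    iface = ipaddress.ip_interface(cidr)   # tolerates host bits in the address
    net = iface.network
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "hosts": [str(h) for h in net.hosts()],
        "broadcast": str(net.broadcast_address),
    }


def same_subnet(ip_a: str, ip_b: str, prefixlen: int) -> bool:
    """True when both addresses fall inside one /prefixlen; a default gateway
    that fails this test for the WAN IP is unreachable without a host route."""
    net_a = ipaddress.ip_network(f"{ip_a}/{prefixlen}", strict=False)
    return ipaddress.ip_address(ip_b) in net_a


def v6_subnets(site_prefix: str, new_prefix: int = 64):
    """How many /new_prefix subnets a site prefix holds, and the first three.

    A /48 leaves 16 subnet bits before the 64-bit interface identifier,
    hence 2**16 /64 subnets; a /64 has no subnet bits left (one subnet)."""
    site = ipaddress.ip_network(site_prefix)
    count = 2 ** (new_prefix - site.prefixlen)
    if new_prefix == site.prefixlen:
        first = [str(site)]
    else:
        first = [str(s) for s in islice(site.subnets(new_prefix=new_prefix), 3)]
    return count, first


if __name__ == "__main__":
    # Constructed stand-ins for the provider's WAN /30 and routed /30.
    print("WAN link:    ", describe_v4("192.0.2.2/30"))
    print("routed block:", describe_v4("192.0.2.44/30"))
    print("gateway in WAN /30:", same_subnet("192.0.2.2", "192.0.2.1", 30))
    print("/48 -> /64 subnets:", v6_subnets("2001:db8::/48"))
    print("/64 -> /64 subnets:", v6_subnets("2001:db8:0:1::/64"))
```

On the leased-line details, the output makes the two address sets concrete: the /30 WAN link holds only the two endpoints (.1 gateway, .2 router), and the routed block is a second /30 whose two usable hosts (.45 and .46) are meant to be assigned behind the router, which is why the mask given for the WAN side is 255.255.255.252 and not the .0 network number.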



Install vs Bundle Upgrading Cisco 9300 Stack

Hi All,

I do not have access to a lab at the moment as I am working remotely. I have a question regarding upgrading a cisco 9300 stack that is on 16.6 code in BUNDLE mode.

I want to upgrade to 16.12.3 but am concerned about doing the install mode command. Will the other members of the stack convert to the new mode or will I need to manually convert each switch to install mode? If that is not clear, please let me know and I can answer any questions.

Current stack is in bundle mode. Looking to upgrade direct to new code using the install activate method to have the switches in install mode. Do the other members of the switch automatically convert to the new code and install mode?

Thank you!



Barracuda Cloudgen in VirtualBox or VMware Player

Has anyone here successfully run the Barracuda Cloudgen in VirtualBox or Vmware Player? I wanted to have it on my PC for training purposes, but I failed miserably. I followed the guide here, but that’s for ESX. It seems like I can’t get any network connection in the vm.



Decentralised Network Latency Reduction Question

Hello,

Bit of a noob when it comes to all things networking! For my comp sci degree I've been tasked to come up with an experiment to test and evaluate a latency reduction method for a decentralised network, the full problem is below:

"Reducing Latency in Decentralised Connectivity for the Internet of Things in Distributed Systems"

I've been doing broad research into the topic, latency reduction methods, centralised vs decentralised for IoT, etc (even stuff like fog computing and edge computing). But honestly? I'm not really getting far with it at all. I'm struggling to pinpoint something I can investigate, test and get results from. I just can't get my head around it and find a good foothold.

Are there areas I should be looking into more? And are there emulators / programs / algorithms that could be useful in undertaking this?



Looking for Reviews/Experiences with GPON Equipment Vendors and Support

We are going to be looking into rolling out FTTH and I need to find more vendors and what their offerings are. The only two I have experience with are Calix and Ubiquiti.

Calix has some pretty decent support but it does take them quite some time to get someone on the phone. Their equipment does appear to perform well. Rarely have issues with any of their stuff. I absolutely hate their CLI (Both AXOS and EXOS). Also, their CPE products look and feel really old and dated. Even their brand new router.

I have used Ubiquiti's hardware but not their GPON offerings. I've also never had to get them on the phone for any kind of support. It was easy stuff to figure out. Also, the Vyatta-based interface is something that I am used to. Their products look very good and are something I think our customers would be impressed with when they see it. Cannot say the same for Calix's stuff.



BGP - Peering/Neighbor IP best practices?

Hey all,

As I move more locations over to MPLS with BGP peering, I'm wondering what the best practice for peering IP addresses is. For the last site I just used 192.168.1.2/24, with the provider using .1.

Wondering what other people are doing here? I suppose it doesn't really matter what IPs I use for BGP peering?



Any tips for learning new stuff?

I've always been a quick learner when it comes to understanding how things work. Lately I noticed I'm having difficulties learning new stuff - new technologies, preparing for exams, etc.

Since networking is a field which requires constant learning and a sharp mind, it's really affecting my confidence and stressing me out.

Has anyone found a way to improve their ability to learn?

Maybe it's related to stress? Or perhaps it's just age? :(

I'm a 36 yo male.



Log in and logging ssh from the Linux CLI - user script

So, network security engineer here. I use Linux as my primary OS and ssh from the CLI for every session to FWs and routers, and wanted to share how I manage my sessions. Sure, I could use .ssh/config, but I have 2 additional requirements: 1) MFA login to RADIUS servers; 2) full session logging.

install oathtool (for MFA) and xclip

set shell var $PW=to_your_password

set script name to whatever (like edgefw) - I have 81 different ones - with tab completion, it's real fast.

#!/bin/bash
# Generate the current TOTP code, prepend the RADIUS password (PW must be
# exported by the calling shell for the script to see it) and place
# "password+code" on the X clipboard for a middle-click paste at the prompt.
oathtool --totp -b <SEED> | sed -e 's/\(^.*$\)/'"$PW"'\1/' | xclip

sleep 2

# Run the session on the terminal while tee feeds a copy to ts (moreutils),
# which prefixes each line with a timestamp in the per-device log file.
ssh <IP_OF_DEVICE> | tee >( ts > /home/<YOUR_USER_NAME>/ssh_logs/<RELEVANT_NAME>-$(date +"%d-%b-%Y-%H:%M") )

Then, put it in your path, execute and middle click to paste PW on prompt. The logfile is saved to your ssh_logs dir and each line is timestamped.

I found it handy and you might too.



Avoiding single point of failure with only one ISP handoff

Currently the network I maintain has two firewalls for HA failover, but only 1 hand-off from our fiber ISP. We are able to use the HA pair because we have one Brocade (for Internet 2) in front of the pair which splits the SFP+ hand-off. So if one firewall dies, the other can take over with no intervention, simply using its own WAN SFP+ connection from the Brocade. This leaves us with the Brocade being a single point of failure. Even if the Brocade could fail open, that wouldn't solve the issue as the firewall WAN ports are configured to use the Brocade IP and not the ISP hand-off directly.

My question is: if we were to remove the Brocade completely from the setup and we STILL had a single hand-off from the ISP, what could we put in-between the single hand-off and the HA paired firewalls that wouldn't introduce a single point of failure? Is there some type of dumb switches which we could mirror and/or fail open in such a way that the live switch could still use the ISP hand-off plugged into the dead switch? Is there any solution which wouldn't require intervention (like having to go and move the single hand-off from one box to another in the event of a failure)?

I'm not sure if our ISP would be able to give us two hand-offs which were mirrored (whether it's possible, or without incurring a large monthly cost). Of course two hand-offs would eliminate the need for anything in-between the ISP and HA paired firewalls.



SSH KEY Cisco switch

For Cisco switches (2960, 3560X, 3750), instead of running this command "crypto key generate rsa modulus 2048" to enable SSH:

Is there a certificate out there which will automatically distribute the RSA keys? Or do I just need to run this command manually? There are quite a few switches and I was wondering if there was a better way of doing it.