Saturday, October 10, 2020

Independent contractors working for high value residential properties: what factors do you use to estimate labor costs? How does a property's architecture and topology influence hardware choices? How do I avoid getting ripped off?

I am building a custom property of larger size within the immediate future and I would like to know what buzzwords I should be looking for versus those that I should not when hiring someone to build a physical network infrastructure to last throughout my eventual retirement.

I am a DBA by trade, sysadmin (homelab-ish (Synology)) by hobby, and networking "connoisseur" through the basic fact that I know how to read Ubiquiti documentation. That said, I know a decent amount of IT.

However, when it comes to overall networking, I know little - especially at L1 and L2. Past those (and including L3) I still stumble through. My profession lives in a heavily virtual world where VLANs take precedence.

I have never had to consider how to run the fiber lines, or how to set up the physical firewall, or how to run the cable to the access points to the exterior gathering points. In my world, it's just there.

Now that I am building, I am at a loss for what I actually need to be looking for with my contractors.

How do I tell who is going to bullshit me with a cheap upfront cost that requires higher frequency of repair/upkeep versus those that are going to be upfront with the higher cost investment at the lower layers while also leaving the upper layers open for expansion?

I want to wisely spend upfront so that in my old age I can just "plug and play" as much as possible.

How can I determine the people and/or credentials that will offer this?



What is this "ethernet switch board" and what is it used for?

Found this board on amazon while purchasing switches: Link

Name is IBM 16-Port Gigabit Ethernet Switch Board 8JUGS16T-1A1G.

Anyone know what this board is & what can it be used for? Can I directly program it to become a switch (managed / unmanaged) or does it need something else to use as a general purpose switch? Or is it some specialized equipment for some specific computer/stack?



Small office design help

I just started working at a small business (not related to IT). I am going to school for cyber security so now I am their IT go-to (yay -_-). They recently asked me to look into why their network is slow so often, and intermittently cuts out. I know some networking stuff, but am no pro. I looked over their hardware and services. It seems overly complicated and overkill for what they are using it for in my opinion.

  • The business is situated on a single lot with 3 buildings right next to each other not even 100 feet apart. (see pic) There is:

    • a main building with all the offices
    • a second office which is empty but one day won't be
    • and there is a mechanics shop.
    • the second 2 are connected with a warehouse type space
  • The main office has 10 users, each with a desktop and Verizon VoIP phone; the Cat 5e cable comes out of the wall into the phone and from the phone into the desktop.

  • The internet provider is Comcast so there is a Comcast modem/router first, which plugs into a Verizon router (both of them putting out wifi lol),

  • plugged into the verizon router is

    • a Meraki which connects to the P2P antenna that shoots internet next door
    • 2 Cisco 24 port switches (it looks like one might be a backup but not sure)
  • The 24 port switch goes up into the office

  • In the second office the antenna connects to a 24 port switch that is only connected to a small desktop server running the ip cameras.

  • That switch is connected to another switch in the same building not doing anything except connecting to yet another switch in the mechanic shop

  • The switch in the mechanics shop has

    • lots of poe connections which i believe are for cameras
    • One wifi ap
    • There are only 2 people in the mechanics shop, they only have one desktop and their cell phones.
    • half the ports are full of bird crap

Here’s what I’m thinking.

Main office

  • Get rid of the comcast, verizon, and meraki routers
  • Get rid of the backup switch
  • Put everything in a nice rack with a patch panel (currently on a shelf wired directly lol)
  • They don't need backups on backups since all of the data is in GSuite and no critical applications that would suffer from a loss of power or internet
  • Add one really powerful router/modem/wifi that can handle all the traffic (should I get separate components for these? like modem, ER4 router, and Ubiquiti AP)

2nd office

  • Get rid of both 24 port switches and install one smaller switch that also goes directly to the mechanic shop, with a long cat 5e or fiber?
  • Replace the desktop with something nicer

Mechanics

  • replace the filthy switch with one of the ones I pulled out of the other office and put it somewhere more protected.
  • Wire the desktop directly with ethernet
  • Ubiquiti ap

What products would you recommend I replace these with, or tell me if you have a better way to wire it up.

See images for quick diagram and map.

https://drive.google.com/drive/folders/1VADMmCXlyTIVs8jIVcXz7AFtNQjpVXs5?usp=sharing



Anyone using NFV appliances in enterprise?

I have been looking at Ciena 3906/3926 appliances to deploy branch sites on. Is anyone else doing this, or using similar devices? Have you found any downside vs using multiple physical vendor appliances (FW, Router, etc)? Have you had any issues with the added complexity of a virtualized platform and getting people to manage them?



2504 WLC, 27xx & 28xx AP's & Googlecast

Has anyone else had any issues with getting Googlecast to work with the 2504 controller? I've configured mDNS as per Cisco's config guide, and I can see the Google devices under the mDNS domain, but when trying to find devices to cast to from mobile devices / laptops etc, they can't be found.

Each device can communicate fine to the web and can be individually controlled, but the casting aspect is broken.

A debug of mDNS from the controller shows the following errors, but I'm getting nowhere trying to resolve it / figure out what it means.

*Bonjour_Process_Task: Oct 10 16:08:16.433: Failed to build Bonjour Packet:8

*Bonjour_Process_Task: Oct 10 16:08:16.433: bonjourProcessTask : 477 Failed to process message received in Bonjour Process task : 8

*Bonjour_Msg_Task: Oct 10 16:09:30.562: processBonjourPacket : 1150 Queried service-string : _CA5E8412._sub._googlecast._tcp.local. is not configured in MSAL-DB

*Bonjour_Msg_Task: Oct 10 16:09:30.562: processBonjourPacket : 1150 Queried service-string : _CC1AD845._sub._googlecast._tcp.local. is not configured in MSAL-DB

*Bonjour_Process_Task: Oct 10 16:09:30.563: buildBonjourQueryResponsePld : 6719 Not able to attach any record

*Bonjour_Process_Task: Oct 10 16:09:30.563: Error building the Bonjour Packet !!

I also get the following:

*Bonjour_Msg_Task: Oct 10 16:09:58.485: No Nsec For Domain Found !!

*Bonjour_Msg_Task: Oct 10 16:09:58.485: No Nsec For Service Found !!

I'm struggling to find any info on how best to resolve this

Current code is 8.3.150.0, but I get the same issue with 8.3.102.0. I updated to .150 hoping it was an undocumented bug!



802.1BR Port Extenders in the Campus. Anyone actually using it?

802.1BR has been around for almost 10 years. I am curious if anyone is actually using it in the Campus? All the vendors have support for it, but with different focus. Cisco's focus has been on the DC on their Nexus switches. Juniper is flexible with Campus and DC. Extreme and Ruckus seem to have focused on the Campus.

The concept is interesting. I think I can understand the use case: management of all edge switches from the campus core. But like all technologies, just because you can, doesn't mean you should, because I see a lot of caveats. Looks like you deprecate stacking in the IDF; the switches are just cascading at 10GE. And from what I see most vendors recommend you keep the rings under 4-6 switches. And it looks like both Ruckus and Extreme have an upper limit of ~40 total PEs. The list goes on and on.

So is anyone actually rolling it out as a campus edge at scale?



Help me start the process of upgrading my network infrastructure

So my manager wants to upgrade our existing infrastructure and I need to start planning. I can hire a consultant, but I would rather propose my own solution before going that route.

Our core is a 6500.

Our core goes to a ring topology of IE4010s. There are a total of 10 racks which makes up the distribution.

So it's

Core >> rack 1 >> rack 2 >> rack 3 >> rack 4 >> rack 5 >> rack 6 >> rack 7 >> rack 8 >> rack 9 >> rack 10 >> Core

We have 3 Cisco 4010s in each rack separating 3 different networks. Each rack is about 200 yards from the next, connected via SM fiber.

3 4010s in each rack=

1> Process

2> power

3> VoIP

They are all connected via 1 Gb fiber. The utilization on each of these switches is like 10-20%, so I was thinking of integrating the 3 different switches into 1 switch, then having another switch under it for redundancy.

Proposed layout:

Switch 1 > Process, Power, VoIP networks

Switch 2 > redundancy, LACP EtherChannels

Instead of having a ring topology, are there better ways I can connect this network? What about using tunnels to connect to each remote location from 1 core?



Friday, October 9, 2020

Help!

Can anyone help me fill in this table.

IP address I have been provided with: 192.168.100.0/24

Address Class:

Default subnet mask:

Total Number of subnets:

Number of bits borrowed:

Custom subnet mask:

Number of usable host addresses per subnet:
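An added worked example, not part of the post above: the worksheet fields computed in Python with the standard ipaddress module. The post gives the network but not how many bits are borrowed, so the count used in the demo run (3) is an assumption; everything else follows from the classful rules such exercises are built on.

```python
import ipaddress
from typing import Dict, List

# Classful default prefix lengths (pre-CIDR scheme the worksheet assumes).
CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(net: ipaddress.IPv4Network) -> str:
    """Classful (pre-CIDR) class of a network, decided by its first octet."""
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    return "D" if first_octet < 240 else "E"


def subnet_plan(network: str, borrowed_bits: int) -> Dict[str, object]:
    """Fill the classic subnetting worksheet for a classful network and a number of borrowed bits."""
    net = ipaddress.IPv4Network(network, strict=True)
    cls = address_class(net)
    if cls not in CLASSFUL_PREFIX:
        raise ValueError(f"{network} is class {cls}, which is not subnetted in the classful scheme")
    default_prefix = CLASSFUL_PREFIX[cls]
    if net.prefixlen != default_prefix:
        raise ValueError(f"{network} is not a classful class {cls} network (expected /{default_prefix})")
    new_prefix = default_prefix + borrowed_bits
    # Classic worksheets require at least two host bits (network and broadcast addresses
    # are unusable); /31 point-to-point links (RFC 3021) are a separate case, rejected here.
    if borrowed_bits < 0 or new_prefix > 30:
        raise ValueError("borrowed bits must leave at least 2 host bits (max prefix /30)")
    subnets: List[ipaddress.IPv4Network] = list(net.subnets(new_prefix=new_prefix))
    host_bits = 32 - new_prefix
    return {
        "address_class": cls,
        "default_subnet_mask": str(net.netmask),
        "total_subnets": 2 ** borrowed_bits,
        "bits_borrowed": borrowed_bits,
        "custom_subnet_mask": str(subnets[0].netmask),
        "usable_hosts_per_subnet": 2 ** host_bits - 2,
        "subnets": [str(s) for s in subnets],
    }


if __name__ == "__main__":
    # The post gives 192.168.100.0/24 but no borrowed-bit count; 3 is an assumption.
    plan = subnet_plan("192.168.100.0/24", 3)
    for field, value in plan.items():
        print(f"{field}: {value}")
```

The function refuses inputs the worksheet model does not cover (a prefix that is not the classful default, or borrowing so many bits that fewer than two host bits remain), which is where hand calculations usually go wrong.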



Ruckus cloud license

Hope someone can help me out here. I work for a small ISP in Cape Town, South Africa, and we are looking at taking over a mall that has a complete Ruckus setup with 52 APs. We normally use UniFi on sites but we're trying to work out the pricing on the Ruckus cloud license and how it works, to see if it is worth taking over that equipment or clean installing with UniFi.

Can't seem to find much help on pricing online so if anyone has some rough prices that would be amazing

Thanks



Monitor network components from the cloud

Hello everyone,

This could be a silly request. One of our clients wants us to monitor their site availability externally, however we don't have an infrastructure ourselves to host any monitoring solution.

Does anyone know of a cloud based solution or a small Windows utility that could achieve this? It doesn't have to be anything advanced.



Some idiot is using your tool to mass scan our network

This is downright hilarious: https://news.ycombinator.com/item?id=24728123



MTU issues: Google works but other sites don't

Why is it that when people are having MTU issues 'Google works but other sites don't' seems to be the key symptom so to speak.

What is Google doing that allows it to work at the lower MTU compared to other sites?



Guestshell on IOS XE (Limitations on CSR1000v?)

Anybody with experience with guestshell on IOS XE? (Specifically on CSR1000v..)

Building a script that will be executed with ZTP on C9K switches to update the software version if incorrect and then download a unique .cfg for that device's serial number. We have pretty big configs for the switches this will provision so it would be best if we built the config files with a different script and then downloaded them onto the boxes via TFTP/FTP.

The problem I'm having is that the CLI module inside guestshell can't parse the copy function in IOS. I've seen working scripts downloading new software images via TFTP on 9200 and 9300 hardware but I don't have access to the hardware we'll be shipping yet and would prefer working on this with virtualized hardware..

So TL;DR: anyone know if CSR1000v has limitations in guestshell as to what it can access?

Issue:

*Oct 9 07:55:30.355: SHELL-EXECUTION: executing command "python2 >/bootflash/downloaded_script.py " inside guestshell ...918KS0BBJ6X

*** Setting TFTP-settings ***

Line 1 SUCCESS: file prompt quiet

Line 2 SUCCESS: ip tftp blocksize 8192

*** Transfering file.. ***

ConfigError: There was a problem with 1 commands while configuring the device.

Line 1 FAILURE: copy tftp://10.0.10.204/config_files/918KS0BBJ6X flash:/918KS0BBJ6X (PARSE_ERROR_NOMATCH)

**CLI Line # 1: copy tftp://10.0.10.204/config_files/918KS0BBJ6X flash:/918KS0BBJ6X

**CLI Line # 1: ^

**CLI Line # 1: % Invalid input detected at '' marker.

(In)sanity check

import cli

test = "copy running-config startup-config"

cli.configurep(test)

ConfigError: There was a problem with 1 commands while configuring the device.

Line 1 FAILURE: copy running-config startup-config (PARSE_ERROR_NOMATCH)

**CLI Line # 1: copy running-config startup-config

**CLI Line # 1: ^

**CLI Line # 1: % Invalid input detected at '' marker.

test2 = "wr"

cli.configurep(test2)

ConfigError: There was a problem with 1 commands while configuring the device.

Line 1 FAILURE: wr (PARSE_ERROR_NOMATCH)

**CLI Line # 1: wr

**CLI Line # 1: ^

**CLI Line # 1: % Invalid input detected at '' marker.



Speed loss when using punch down boxes

I am currently in the process of re-cabling a new office in preparation for a move, I need to move some ports around the new building. My MD won't authorize running new cat5e cables so I'm looking at using punch down boxes.

Is there a major speed loss when using punch down boxes? The current cables are cat5e UTP and the speed of the network will be gigabit.

Thanks.



New to Networking: Reading materials

Hello,

I'm not sure if this is the right sub to ask, but I'm pretty new to networking. I am currently a trainee in a network security company. It's a small company with fewer than 15 employees in total and focuses its business around firewalls. So everyone here knows everything, and there is no SOP. Pretty much the way an individual gets knowledge here is by suffering through projects and experiencing the hardship themselves. It's been a month here, and I've started to get to know things bit by bit. I felt completely stupid when I first came in; now I can understand a little bit when listening to coworkers' conversations. But again, as a trainee, I pretty much won't be touching or getting hands-on with the things I learnt, such as VMware, ACC, and various firewall brands such as FortiGate/Palo Alto. I understand that, being in a small company, it would pretty much be a disaster having your trainee manage those sorts of things. So right now I'm stuck at getting the bigger picture of working in a networking company. I don't really know what to read and how to connect things together; like, theoretically I know stuff like DNS, switches, routers, but practically I'm stupid. So yeah, it would be lovely if somebody out here could guide me on what area I should be focusing on from now onwards, because I do feel like networking is for me, it's just I'm having a lot of questions on a lot of things. I don't know if it's right, or if it's wrong, why it is wrong or right, and so on.



Thursday, October 8, 2020

Cisco c3560e firmware

Hi guys,

I'm looking for c3560e-universalk9-mz.152-4.E10.bin firmware. Anyone can share?



Juniper generate route

Hi,

I'm currently exploring Juniper. I've seen this syntax on our mx480.

'routing-options generate route 0.0.0.0/0 discard'

Will there be a routing issue if we deactivate this syntax?



Help understanding very large TCP segment size and IP packet size received from Internet

Hello all. Recently looking at some pcaps of a connectivity issue and noticed numerous packets >1500 bytes. This was a connection from a server on the Internet to a user behind a home wi-fi router. My experience tells me IP packets received should all be <1500 bytes or so when they are coming from the Internet.

I know Wireshark can sometimes show larger TCP segments if they are being offloaded to the NIC for fragmentation but this is *received* traffic, and from the Internet.

Can someone please help me understand how this works?

https://i.imgur.com/jKUCgnf.png



Cisco Smartnet for APs, is it worth it?

We are purchasing 14x 2802i APs. My personal opinion is we probably don't need Smartnet for APs. What's your opinion and why? Thanks!



Source PC sends a RST after trying to access shared folder?

The source PC is trying to access a shared folder on the destination PC

Wireshark running on the DST PC, shows a SYN-SYN-ACK followed by some SMB communication, followed by a RST from the source PC. See here: https://i.imgur.com/DwlMW2v.png

The connection is being made so can't be a firewall blocking it?

Thanks



Stopping intervlan communication

I have a Cisco network with 6880 core and have a vlan that I am trying to stop the rest of my network from communicating with. I need the devices within the vlan to communicate with each other and out to the internet. Can someone look at this ACL configuration and let me know if it looks correct? Am I missing something?

ip access-list extended VLAN8

permit tcp any any established

permit icmp any any

permit ip any host x.x.x.x (DNS Server)

permit ip any host x.x.x.x (management vlan)

deny ip any 10.0.0.0 0.0.255.255

permit ip any any
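An added example, not from the post: the ACL above modelled in Python as a first-match evaluator with IOS wildcard masks, so sample flows can be run through it before the list goes on a 6880. It assumes the list is applied inbound on the VLAN 8 SVI (so the source of every flow is a VLAN 8 host, 10.8.0.5 is a constructed stand-in) and uses constructed placeholder addresses for the x.x.x.x DNS and management hosts. Running the samples makes the ordering visible: ICMP to 10.0.0.0/16 matches line 2 before the deny on line 5, and the deny covers only 10.0.0.0/16, so a destination in any other internal range falls through to the final permit.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Flow:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str                   # source IPv4 address
    dst: str                   # destination IPv4 address
    established: bool = False  # TCP segment with ACK or RST set (what IOS "established" checks)


@dataclass
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: str                   # IOS address spec: "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    established: bool = False  # only meaningful for proto == "tcp"


def addr_matches(spec: str, addr: str) -> bool:
    """Match an IPv4 address against an IOS-style address specification."""
    parts = spec.split()
    if parts == ["any"]:
        return True
    ip = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return ip == int(ipaddress.IPv4Address(parts[1]))
    base = int(ipaddress.IPv4Address(parts[0]))
    wildcard = int(ipaddress.IPv4Address(parts[1]))
    # A 1 bit in the wildcard means "don't care"; compare only the remaining bits.
    return (ip & ~wildcard) == (base & ~wildcard)


def evaluate(acl: List[Entry], flow: Flow) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, 1-based line number), or ("deny", None)
    for the implicit deny that ends every IOS ACL."""
    for lineno, e in enumerate(acl, start=1):
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if e.established and not (flow.proto == "tcp" and flow.established):
            continue
        if addr_matches(e.src, flow.src) and addr_matches(e.dst, flow.dst):
            return e.action, lineno
    return "deny", None


# Placeholders for the post's "x.x.x.x" hosts (constructed, not from the post).
DNS_SERVER = "10.0.0.53"
MGMT_HOST = "10.0.0.10"

# The post's access-list, entry for entry.
VLAN8_ACL = [
    Entry("permit", "tcp", "any", "any", established=True),
    Entry("permit", "icmp", "any", "any"),
    Entry("permit", "ip", "any", f"host {DNS_SERVER}"),
    Entry("permit", "ip", "any", f"host {MGMT_HOST}"),
    Entry("deny", "ip", "any", "10.0.0.0 0.0.255.255"),
    Entry("permit", "ip", "any", "any"),
]

# Constructed sample flows from a VLAN 8 host (assumed to be 10.8.0.5) to various destinations.
SAMPLE_FLOWS = {
    "smb_to_internal": Flow("tcp", "10.8.0.5", "10.0.5.5"),
    "return_traffic": Flow("tcp", "10.8.0.5", "10.0.5.5", established=True),
    "ping_internal": Flow("icmp", "10.8.0.5", "10.0.5.5"),
    "dns_query": Flow("udp", "10.8.0.5", DNS_SERVER),
    "internet": Flow("tcp", "10.8.0.5", "198.51.100.7"),
    "other_internal_range": Flow("tcp", "10.8.0.5", "172.16.4.9"),
}


def check_isolation(acl: List[Entry], flows: Dict[str, Flow]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Evaluate every named flow against the ACL and return the verdict per flow."""
    return {name: evaluate(acl, flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (action, line) in check_isolation(VLAN8_ACL, SAMPLE_FLOWS).items():
        print(f"{name:22s} {action:6s} (line {line})")
```

The evaluator only models addresses, protocol and the established flag; port matching and the ACL's direction are outside what the post shows. Swapping the sample destinations for the real internal ranges is the quickest way to confirm the deny line covers all of them.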



What is the best way to transition from static routes to BGP?

Hey,

I've got two DCs that are connected via L2 circuit.

They are currently operating via static routes, about 40-50 on each end.

I was wondering what is the best process to transition from these static routes to BGP.

I was thinking about creating a prefix filter of all the private 1918 ranges, applying that as an outbound filter and then redistributing all my connected routes.

This would natively restrict any public routes from being advertised between each DC, as well as advertise any future private range interfaces I create instantly without any input.

Having said that, is there a better way? Should I instead one by one "network 10.0.0.0/29" under the bgp protocol?

Thoughts?



Has anyone deployed Cisco ACI in their environment?

We're about to move forward with everything and I want to hear from some of you how this deployment went. Generally speaking.



Checkpoint R80.20 - ARP cache overflowing issue? Need advice from old network/CP rabbits :)

Hey all,

Has any of you had problems in the past with the ARP cache overflowing? We previously had a lot of duplicated entries from different machines and it ended up with over 4k ARP entries (usually 500-600). And it seems that the garbage collector then did its job and also flushed still-needed ARP entries of active machines.. The message in the logs when you filter on an unreachable IP was "missing os route".

Any advice would be much appreciated :)

Thanks in advance



Ideas for Comparative Network Management Outsourcing Cost

Has anyone done a recent comparison of what it would cost to outsource support for a Cisco network infrastructure? We have 6 data closets, 21 Cisco 24-port Gig switches, 126 Cisco APs and of course a high-speed Internet connection, all recently upgraded. Does anyone have any ideas on how I can roughly estimate what it would cost a year to have this fully managed by a consulting company? Server estimates are easier as I can somewhat just go to AWS or Azure and see the prices. I would really prefer not to get quotes from vendors when it is just an estimated number a VP wants. Any thoughts or ideas would be much appreciated.



[PSA] Android 11's December security update will remove the ability to disable EAP server cert validation

The December security patch for Android 11 (QPR1) will remove the "Do not validate" option under "CA certificate" for EAP server certificate validation to prevent misconfiguration resulting in credential leaks. This is very good news from a security standpoint!

Visual of what is being removed: https://imgur.com/a/Om9slKo

What this means for organizations: if you're not using strong authentication for network access, aka certificate-based authentication (which you should be), and continue using legacy EAP methods & weak credentials, you need to start configuring supplicants properly. Tunneled EAP methods with weak credentials should only ever be used with managed supplicants (MDM, GPO, etc).

Here is a properly configured supplicant for tunneled EAP methods (EAP-TTLS, PEAP): https://imgur.com/a/qNQg6t0

If you have instructions for end users that tell them to select "Do Not Validate", you should force password changes ASAP, update your documentation, and start working on a migration plan towards strong and modern authentication.

tl;dr stop using weak/legacy authentication methods
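An added example, not part of the post: a small audit of supplicant profiles written in wpa_supplicant.conf syntax, used here as a stand-in for the Android screens in the post's screenshots, since a properly configured tunneled-EAP profile pins the same two things on both (a trusted CA and the expected server name). The sample config, its SSIDs, paths and credentials are all constructed; the three blocks show the "Do not validate" case, a CA without a server-name match, and the hardened form.

```python
import re
from typing import Dict, List, Tuple

# Password-based methods that rely on the outer TLS tunnel to protect the credential.
TUNNELED_EAP = {"PEAP", "TTLS"}
# wpa_supplicant keys that pin the server identity presented inside the TLS handshake.
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")


def parse_wpa_networks(text: str) -> List[Dict[str, str]]:
    """Parse the network={ ... } blocks of a wpa_supplicant.conf into key/value dicts."""
    networks: List[Dict[str, str]] = []
    for body in re.findall(r"network=\{(.*?)\}", text, flags=re.S):
        entry: Dict[str, str] = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def audit_network(n: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one network block."""
    findings: List[Tuple[str, str]] = []
    if "EAP" not in n.get("key_mgmt", "").upper():
        return findings  # PSK or open network: no RADIUS server certificate to validate
    ssid = n.get("ssid", "<no ssid>")
    if not (n.get("ca_cert") or n.get("ca_path")):
        findings.append(("critical", f"{ssid}: no ca_cert/ca_path, the server certificate is never "
                                     "validated (the wpa_supplicant equivalent of Android's 'Do not validate')"))
    elif not any(k in n for k in SERVER_NAME_KEYS):
        findings.append(("high", f"{ssid}: CA configured but no server name match, so any certificate "
                                 "issued by that CA is accepted"))
    if n.get("eap", "").upper() in TUNNELED_EAP:
        findings.append(("info", f"{ssid}: tunneled {n['eap']} with a stored password; "
                                 "plan a migration to certificate-based EAP-TLS"))
    return findings


def audit_config(text: str) -> List[Tuple[str, str]]:
    """Audit every network block in a wpa_supplicant.conf text."""
    return [f for n in parse_wpa_networks(text) for f in audit_network(n)]


# Constructed sample config (not from the post); SSIDs, paths and credentials are made up.
SAMPLE_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi-ca-only"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi-good"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONF):
        print(f"[{severity}] {message}")
```

The second block is the subtle one: it points at a bundle of public CAs, so the certificate check passes for any server holding a certificate from any of those CAs; pinning the server name (or a private CA) is what makes the CA setting meaningful.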



Dell X1000 GUI? Need to set up default gateway to reach another subnet.

I am currently working with a Dell X1000, I'm not too familiar with these models. I am trying to add a default gateway so these switches can reach my NMS subnet.

From what I've read, I need to go into the GUI and enable layer 2+ routing. This requires a reboot which I was trying to avoid.

For anyone familiar with these switches: can I just edit the mgmt VLAN in the GUI and add a default gateway this way? Will it still not reach the 10.X.X.X network because layer 2+ isn't enabled?

Not too good with these GUIs. Anyone who's familiar with these switches, can you help clarify?

Thank you!



Packet drop or what?

Hello reddit people,

I am doing a research on telecommunications and technologies. The question is the following: What will happen when packets arrive at the buffer one after the other (without any time delay)? Give me a detailed answer please! Thank you very much!



Help Identifying VPN Issues - Draytek 2862 - Windows 10

Hi everyone,

I'm hoping to try and get some advice on our current remote working situation. We are a small business and currently have approximately 20 people working from home at all times. The users connect to a VPN and then remote into their Work Desktops (much more powerful devices).

I have 5 or 6 users constantly complaining that the VPN is dropping them; it can range from 1 or 2 to 20 times a day.

Most of the users are connected over their home Wi-Fi.

VPN is configured on a Draytek 2862 - Our connection speed here is 80/20 (Moving soon and getting 1000/1000).

We are using the built in Windows 10 VPN Utility.

I have got them to disable any Power Saving settings related to their Network Adaptors & Laptops; some users I have convinced to switch to Powerline Adapters, which seems to have solved their problems. I'm convinced this is a Wi-Fi / Windows 10 issue.

Would a third party VPN Utility help?

Any advice is appreciated.

Thanks



Keeping track of FW rule base changes (for the human users)

We have a small flock of FWs managed by multiple admins. The configs are automatically backed up but we are looking for a tool that allows human users to keep track of changes to the rule base. Like who did what and when.

Is there something better than simply an Excel sheet?



OSPF&BGP on collapsed core - yes or no?

Hi All,

Hope you are doing well in these difficult times.

For the beginning, I’m not an expert in routing, therefore my question.

Let's say we have 2 situations, both of them built on a collapsed core design. What would be the benefits of routing on the LAN side with BGP advertisements?

Case A) 2 buildings, 2 core stacks, WAN/internet router in both buildings in active/passive mode with VRRP and OSPF on LAN side. Default route on core to WAN router, on access to core SW

Case B) 1 core stack of 2 switches, 2 WAN/internet routers connected to each stack member, with a direct heartbeat connection. Does it make sense to run OSPF on the LAN side and advertise BGP routes in that case? If yes, how would the network benefit from that?



Cisco ASA suddenly start dropping Anyconnect VPN traffic

Hi

I'm not very good with ASAs. We have one that suddenly started to drop all AnyConnect VPN traffic (the command "capture pro2 type asp-drop all circular-buffer" showed all the traffic that had been dropped).

In order to let the traffic flow again, we had to remove the "sysopt connection permit-vpn" and create an ACL to permit traffic from the VPN ip pool to any, and then we had to NAT all the traffic from the outside interface behind the destination interface. Without this NAT after implementing the ACL, no packet was found with a capture, not even dropped.

Does anyone have any idea of what's happening?



Switch interface naming order, help idea solution

I'm Italian, sorry for my bad English.

I love cabling with very short cables; all patch panel ports are linked to switch ports: 24-port patch panel - 48-port switch - 24-port patch panel, and so on.

So patch panel port 1 is linked to port 1 of the switch. Good. But patch panel port 2 is linked to port 3 of the switch, and so on, very bad. Patch panel port 24 is linked to port 47!!! Very bad.

So is there a 48-port switch that has the first row with ports 1, 2, 3, 4 ... and the second row with 25, 26, 27 ...? (Not 1, 3, 5, 7... 2, 4, 6, 8...)

Was I able to explain myself? Do you understand the meaning?



Wednesday, October 7, 2020

App to ID switch port

I was wondering if such a thing exists, an app on a PC that lets me ID the physical switch port I'm connected to. I usually use a Fluke tester but at times I don't have it with me.



What are the most difficult questions on networking you had during an interview?

What are the most difficult questions on networking you had during an interview? I remember there was a question I had about different types of networking protocols, and there were multiple answers to that question among which were "on-premise" and "websocket", but after digging a little I found out that the answers I remembered made little sense in relation to the question I remembered, so I am trying to figure out what the question was, and wanted to know what other types of questions I should expect in the future.



Event Driven Automation

I have been automating against networks for the past year or two now, mostly doing config management and deploying new configs. I am getting more interested in event driven automation or some sort of self-healing automation. I want to use Cisco DNA to send API calls to Ansible or Argo in K8S and run scripts to try and fix issues before it opens a ticket if it can't. We have the ability to do this as well with SolarWinds. I am curious if anyone else has done anything similar or something different to solve problems in their network?

One problem I am having is APs will go offline so I am running a series of commands to try and get the AP back online.

Also sometimes certain devices get profiled in ISE wrong and a script will try to remediate the issue from the switch and ISE itself.

I don't know about any of you but I miss having these conversations with people around the office. Fuck COVID-19



Opinions on FortiSwitches

Looking for opinions from people who have FortiSwitches in their environments. What are the good/bad points? What do you like about them, what are the pain points or gotchas?

We run FortiGates for our firewalls; being able to manage switches from one interface seems appealing. We have been running a test on a spare firewall and FortiSwitch and it seems pretty neat how it all works, but I want to hear from people that have this actually in production.



What do you think about free vpns?



Aruba AP wired port blacklist MAC

Hi guys, I am trying to block a particular device from connecting to a wired port on an Aruba AP but not sure the best way to achieve this? We are on 6.5 and I don't see any guidance on this, only blacklisting which seems to only mention wireless clients. Is it possible to blacklist a MAC on wired AP ports? I know I can admin down the wired ports but this is not ideal as they can just move the device to another port. Thanks!



ebgp neighbor peer private ip class

Hi, and first of all sorry, but I'm not exactly a senior net eng, so...

I am struggling to understand if it is possible to use a private (e.g. 192.168.0.0/30) class for the DMZ network between my BGP router and the ISP's BGP router. I already own a public /24, all mine, and I am an AS, and I want to use my ISP only as a transit.

The ISP insists that I must buy a public /28 from them just to assign to that connection (my WAN eth side to its WAN eth side, it's point to point)... but why?

If I use a loopback IP and don't announce that private class inside my net or in BGP, isn't it practically confined to that DMZ link and invisible to the rest of the world?

Is there something about best practices I am missing?



how to calculate option 121 in DHCP?

how to calculate option 121 in DHCP?

like https://ip-pro.eu/en/mikrotik_dhcp_option_121_generator
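An added worked example, not from the post or the linked generator: an encoder and decoder for the option 121 value as RFC 3442 defines it, so the calculation can be checked instead of trusted. The sample routes are constructed; the hex output is the raw option value, which is what generators like the one linked produce.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]  # ("destination/prefixlen", "router")


def encode_option_121(routes: List[Route]) -> bytes:
    """Build the value of DHCP option 121 (RFC 3442 classless static routes).

    Each route is: 1 byte prefix length, then only the significant octets of the
    destination (ceil(prefixlen / 8) of them), then the 4-byte router address.
    A default route (0.0.0.0/0) therefore carries no destination octets at all.
    """
    payload = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)  # rejects host bits set in dest
        significant = (net.prefixlen + 7) // 8
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:significant]
        payload += ipaddress.IPv4Address(router).packed
    if len(payload) > 255:
        # A single DHCP option carries at most 255 bytes; longer lists need
        # option splitting per RFC 3396, which this encoder does not do.
        raise ValueError(f"option 121 value is {len(payload)} bytes, limit is 255")
    return bytes(payload)


def decode_option_121(payload: bytes) -> List[Route]:
    """Inverse of encode_option_121, with bounds checks on every route entry."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        prefixlen = payload[i]
        i += 1
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen} at offset {i - 1}")
        significant = (prefixlen + 7) // 8
        if i + significant + 4 > len(payload):
            raise ValueError(f"truncated route entry at offset {i - 1}")
        dest_octets = payload[i:i + significant] + b"\x00" * (4 - significant)
        dest = ipaddress.IPv4Address(bytes(dest_octets))
        router = ipaddress.IPv4Address(bytes(payload[i + significant:i + significant + 4]))
        i += significant + 4
        routes.append((f"{dest}/{prefixlen}", str(router)))
    return routes


# Constructed sample: two specific routes plus a default route, all via 192.168.1.x.
SAMPLE_ROUTES: List[Route] = [
    ("10.0.0.0/8", "192.168.1.1"),
    ("192.168.50.0/24", "192.168.1.2"),
    ("0.0.0.0/0", "192.168.1.1"),
]


if __name__ == "__main__":
    value = encode_option_121(SAMPLE_ROUTES)
    print("option 121 value:", value.hex())
    print("decoded:", decode_option_121(value))
```

The default route in the sample is deliberate: RFC 3442 requires a client that requests option 121 to ignore option 3 (router) when 121 is present, so a default route that should survive has to be part of the list.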



Huawei router console freeze

Hi All,

I'm trying to configure a Huawei AR500 LTE Router using the console

After the boot, the console just freezes at "Press any key to get started"

The doc says "Remember to disable the flow control (RTS/CTS)" --> https://support.huawei.com/enterprise/en/knowledge/EKB1000049192

But I already checked that it was disabled (I never use it), using PuTTY and also SecureCRT (tested with 2 PCs)

Any suggestions ?

Thanks



Reinforcement learning for routing problems

Hi all,

Just came across this article - https://ieeexplore.ieee.org/document/8701570 - and I was wondering, are there any practical implications of this idea? Has anyone tried to optimise networks using reinforcement learning instead of "traditional" routing (shortest paths, ECMP etc.)?

Looking mainly for actual code, software I can run or model I can train - but simulations would also be very welcome.

Cheers!



Junior Sys Admin planning to set up a Windows Server with MDT for our techs to reimage some 200+ assets in our network on a time crunch. Need some help understanding the networking behind this.

So the official guides from my organization describe this as a system (talking about the deployment server) that will be physically connected to the network, but not on the domain. It is supposed to be able to deploy this new OS Image remotely to any computer on the campus as long as it is plugged in. As I said, I am very junior, and still learning the ins-and-outs of networking and its particulars. Can someone help me understand how this will work? How can this server possibly communicate with all of these functioning desktops and laptops on the network if it is not on the same domain? Seems to go against everything I've learned and observed about how domains work. I'm not even sure if I am asking the right questions, and there is no "senior" person in my role within the organization at present for me to ask specifics, so I'm kind of leading the charge and working from the ground up for the role.



Bandwidth Utilization on Cisco Devices

I'm trying to verify if our Cisco switches and routers are being over or under-utilized (bandwidth wise). To my knowledge, we do not have any network monitoring tools. I only have local and remote access to each device, and I can not manipulate them physically right now.

I know of some diagnostic commands, such as show processes cpu and show processes memory, etc. Are there any equivalent commands but for bandwidth monitoring?



Portforwarding

Bruh, yes, I'm actually the worst with networking, or my router is just being like nope f u,

Anyways, I wanna open port 2020.

Can't be Windows' fault since I disabled my firewall to test that.



How to set up server on your computer and broadcast it all over the Internet?

Hello, I've been recently struggling with establishing a connection between my computer and anyone outside of my local network. As a starting point I've chosen to host a simple HTTP server and be able to access it from the Internet. (I know there are many easy-to-run services, but that's not what I want)

I tried to connect to my ip address, but with no result. If I can browse websites or play online games, it means the servers are able to connect to me. Maybe it's only possible after I make a request to them?

I also did some investigation with the "traceroute" command and I found that all my requests pass through some server from my internet provider. Also, my computer sees an assigned IP address that is different from the one I see when I type "my ip address" in Google. It means that I am connected to some subnetwork of my internet provider and all requests pass through them. But how is the external source able to connect to my computer, how does the subnet know where to forward their requests?

I need any theoretical knowledge about concepts I described (names), and tools to inspect connections between computers. I know basic stuff about http get requests, I want to know how external sources are able to connect to my computer, even though I am connected to some subnet.

Do you know anything that would help me in some way, or help me achieve my final goal, that is hosting a server to the Internet from my imac? Is it possible?



Cacti Not Graphing

Hi All

I am new to creating graphs in Cacti. Following the instructions in the Cacti manual, I decided to use the template method, as this method doesn't require the creation of scripts.

I created a Data Template, then a Graph Template, and linked the Data Template to the Graph Template. I then linked the Graph Template to a Host Template.

I added the Host Template to a Device and under the Associated Graph Template the status shows "Is Being Graphed", but the Graph is blank.

I have read over the template section in the Cacti manual but can't see what I am missing.

Hope someone can help.



DFS over VPN. Nightmare fuel.

Ok. I give. Been banging my head against this for a bit now.

DFS shares over a remote access VPN sometimes disconnect. Not all the time, not predictably, just sometimes, and usually not for long.

I've been through logs and pcaps and event viewers and debugs, and I feel defeated.

Server dudes are sure it's the network, because they always are, and it only happens over VPN.

I'm not so certain.

Anyone dealt with an issue like this? How did you nail down the cause, or what did you end up doing?



Cisco Ordered To Pay $1.9 Billion In Patent Infringement Suit

Link to the story.

Looks like Cisco was having meetings with Centripetal about their technology to detect malware through unencrypted portions of a packet without requiring the payload to be decrypted.

Centripetal used an analytics engine based on NetFlow, and then tagged network traffic to be processed by stateless filters.

Cisco implemented a similar function in their IOS XE platform - tagging network packets by Group Tag Labels through ISE/Stealthwatch and filtering traffic based off it.

Cisco must also pay Centripetal Networks a 10 percent royalty on the Cat9k, ISR1k, ISR9k, and Encrypted Traffic Analytics (which was only available if you bought Stealthwatch) over the next five years, with that percentage dropping to 5 percent for the subsequent three years.

That's not a cheap punishment.

Another hilarious fact from the trial is that Cisco was forced to use Zoom for VC (Shock! Horror!) after they tried to argue that Webex was more secure than Zoom. From the Forbes article:

The first virtual patent-infringement bench trial was held using Zoom after the judge rejected Cisco's arguments that it posed a security threat and using Cisco Webex software would be the safer alternative.

What an absolutely petty thing to require when you're being sued!



What's your Load Balancer solution/env ?

Hello Networking,

I'll be replacing our load balancers (A10) beginning/mid next year, and I am starting to take a look at the possible solutions.

I'll be looking at something that could do LBaaS, as we have a lot of demands for test VIPs, changes to health monitors/probes, etc. that could be done directly by the internal requester.

We have more than 500 VIPs, usually pretty simple HTTP/HTTPS, exposed to the internet for some services that are used by our external clients.

I used to have A10 in my previous job and had many issues (upgrades, routing, bugs, resource exhaustion), and it seems to be the same here (I joined recently), so I really want to explore other solutions, and possibly account for future scalability. I had an AVI presentation not so long ago and it seemed interesting in terms of spinning up new nodes to scale.

Was wondering what you're using and for which scenarios?

Thanks !



Gaming on Ethernet vs Wifi

Hey guys,

Question for the technically minded. Am I better off playing on my TV which has a game mode with 21-22ms input lag, or on my monitor with 5ms input lag, but on Wifi?

A speed test on my Apple TV, which is connected to Ethernet, produced approx. 89 Mb/s down and 34 Mb/s up with a ping of 7 ms and a jitter of 4 ms.

A speed test on my iPhone, which is connected to Wi-Fi, produced 81.9 Mb/s down with 36.7 Mb/s up, with a ping of 9 ms and a jitter of 8.5 ms.

Thanks in advance!



Career Advice

I am currently working at TAC and am planning to move outside. I have been working at TAC for the past 3 years in both switching and routing, predominantly switching, and know AWS to associate level.

What are the current expectations outside?

Know BGP/OSPF in depth?

Know firewalls in depth?

CCIE? I have my written completed and haven't attempted the lab though.

I am trying to analyse my strengths and fill the gaps. Any advice is highly appreciated. Thanks.



Tuesday, October 6, 2020

Do we still need to look at host based firewall if we are using Palo Alto?

Noted in the CIS Benchmark for CentOS that there's a portion on firewall configuration. As the main focus is the host-based firewall, do we still need them if we are using a Palo Alto firewall? It seems like double work to configure the host-based one, since it is a limited defence barrier compared to network firewalls?



How can I index files from a computer connected via LAN

I have 3 computers connected via lan but I can’t search the files directly from the default search box.

I have two computers with 10 and the third one is 7.

How can I index them ?



Integrate IIS server with personal website

Hello,

I am trying to build a personal website to demonstrate my SQL skills. I have one domain. Now I would like to connect organization.org with an IIS server and then would like to run a report on that organization.org URL. If possible, please give me detailed steps for this.



10GB-T / 40G QSFP+ Switch Suggestion

Looking for a 10G/40G low-spec switch for our NDI / studio rack. We have several TriCasters, a bunch of NDI I/Os, a few workstations with 10G cards, and a NAS/SAN that's QSFP connected.

Right now, we are running on a 1G/10G 3650, and need to push the speed up. Of course our IT department is suggesting a $35k Cisco switch, when that clearly isn't required. I am happy to create an isolated LAN for these devices and keep the internet / campus LAN separate.

I was looking at the Arista 7050TX-48 as it seems to have the specs we need, but I am worried about the noise. This is located IN a combined control room, so I can't have a switch that also sounds like a jet engine.

Open on price, ideally under $15k including support, but open to a little more, though not into the $35k range. Location: USA.

Anyone have any good suggestions?

(Edited to add location)



Automated VLAN Joining

What are you using for automatically assigning a device to a specific VLAN for those of you that have a solution?

We have some specific devices that communicate over a secured VLAN and currently we have to manually configure each port when or before the device is connected to it. We are looking to have it so that when the device is connected to the switch, the port is automatically changed to the appropriate VLAN. I'm assuming this would be done with the MAC address, but am looking for suggestions.

Additionally for future casting, it would be nice to be able to do this with domain joined computers and guest devices as well. Then we could configure all ports the same and foreign devices get thrown on the internet/isolated VLAN, domain devices on the internal and other devices on their specific VLANs. I know one option might be to use RADIUS. I am working with some older switches so this is not limited to existing hardware. I'm looking for any and all solutions to vet.

Thanks



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Luxul XMS-7048P - Which SFP 1000Base-T Transceiver?

Hi all,

I am commissioning a Luxul XMS-7048P (not my choice) and I'm going to need all 52 ports. Ports 51/52 are SFP+ ports but I need 1Gig connectivity. Will generic coded SFP modules work or are these 10Gig ONLY ports? In my experience 1Gig will work in these ports on most switches. I've been a fan of the 10Gtek stuff, and am thinking of getting the ASF-GE-T-OEM model.

Thanks.



This might be a stupid question, but can a 110 block panel run fiber cables, or can only a fiber distribution panel run them?

I'm new to networking, and I don't quite understand patch panels (never worked with one) Shouldn't a 110 block be able to also run fiber cables? But then why are there fiber distribution panels? What's the point with making them? Or does a 110 block only run Copper and Coaxial?



Question regarding Jumbo frames

We're diagnosing a TCP packet retransmission issue between our environment and a service provider. Our ISP has their switch in our entrance facility configured for jumbo frames. Our Cisco Nexus 5000 switch that hosts our WAN port and forwards the traffic on to our virtual firewall is also configured for jumbo frames. From the firewall back though, it's all MTU 1500.

Is this likely to cause packet loss when traffic picks up, and if adjustments need to be made should I be configuring every part of the network for or against jumbo frames, or can there be a termination point of sorts where jumbo stops and standard MTU settings resume?

Thank you for any insight into this issue. This network was configured before my time, and while it's my responsibility now, as a school IT tech I am responsible for so many different things it's difficult to know how to adjust more sensitive network settings mid-semester.



Enterprise Syslog Solution

Lately our syslog server has been struggling to keep up with the volume of traffic that we are sending it. It's a home-brewed solution that involves not much more than aggregating all of it in one place, and then it gets sorted or carved into reports via cron and fancy grep/regex.

Recently we migrated this to a newer, beefier server, but since all of the code is written sequentially, more cores and ram in a VM don’t do much.

I’m between the option of getting someone to write a python application to make this more efficient and getting a purpose made tool to accomplish this (which is my preference), but I’m struggling to identify a good solution for a large enterprise. Most of the marketing materials are either older or can do everything better than anyone on paper. My VAR wasn’t too familiar with good solutions here either.

I had a few friends say I can do some good things with Hadoop, but I’m not quite sure if that’s going to collect everything or just carve up reports from a datastore elsewhere.

Any recommendations out there for both aggregation and reporting? What makes it feel like a good fit for a large enterprise?
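
Whatever product ends up doing aggregation, the reporting side is mostly a parse-once-then-count problem, and that is where a sequential grep pipeline falls over. As an added example, not from the post and not any product's code, the parser below handles both syslog line formats you will see from network gear (the older BSD/RFC 3164 shape that Cisco IOS emits and the RFC 5424 shape newer daemons use), decodes the PRI into facility and severity, and then aggregates per host and severity. The sample lines are constructed. The security caveat worth keeping in mind: over plain UDP the hostname and PRI are whatever the sender put in the datagram, so when you build alerting on these fields, correlate with the source address of the datagram rather than trusting the text.

```python
import re
from collections import Counter

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD / RFC 3164 shape: <PRI>Mmm dd hh:mm:ss host message
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# RFC 5424 shape: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$")

# Constructed sample input; not taken from a real collector.
SAMPLE_LINES = [
    "<189>Oct  6 09:12:01 core-sw1 %LINEPROTO-5-UPDOWN: Line protocol on Interface "
    "GigabitEthernet1/0/7, changed state to down",
    "<186>Oct  6 09:12:02 core-sw1 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port "
    "Gi1/0/7 with BPDU Guard enabled. Disabling port.",
    "<165>1 2020-10-06T09:12:03.417Z bastion1.example.net sshd 2190 ID47 - Failed password "
    "for invalid user admin from 203.0.113.9 port 52211 ssh2",
    "<190>Oct  6 09:12:04 edge-rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "198.51.100.7(40112) -> 10.0.0.5(22), 1 packet",
    "this line is not syslog at all",
]


def parse_syslog_line(line: str):
    """Return a dict of decoded fields, or None if the line is not syslog."""
    m, fmt = RFC5424_RE.match(line), "rfc5424"
    if m is None:
        m, fmt = RFC3164_RE.match(line), "rfc3164"
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # 23 facilities * 8 severities is the legal range
        return None
    facility, severity = divmod(pri, 8)
    if fmt == "rfc5424":
        rest = m.group("rest")
        msg = rest[2:] if rest.startswith("- ") else rest   # "-" means no structured data
        app = m.group("app")
    else:
        msg, app = m.group("msg"), None
    return {"format": fmt, "facility": facility, "severity": severity,
            "severity_name": SEVERITY[severity], "host": m.group("host"),
            "app": app, "msg": msg}


def summarize(lines):
    """Count events per (host, severity); unparseable lines are counted, not dropped silently."""
    by_host_sev, unparsed = Counter(), 0
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            unparsed += 1
        else:
            by_host_sev[(rec["host"], rec["severity_name"])] += 1
    return by_host_sev, unparsed


def hosts_at_or_above(lines, max_severity=3):
    """Hosts that logged at 'err' (3) or worse; lower severity number is more severe."""
    recs = (parse_syslog_line(l) for l in lines)
    return sorted({r["host"] for r in recs if r and r["severity"] <= max_severity})


if __name__ == "__main__":
    counts, bad = summarize(SAMPLE_LINES)
    for (host, sev), n in sorted(counts.items()):
        print(f"{host:24s} {sev:8s} {n}")
    print("unparsed:", bad, "hosts with err or worse:", hosts_at_or_above(SAMPLE_LINES))
```

Because each line is parsed independently, this is trivially parallel: split the input file into chunks and run parse_syslog_line over them in worker processes, then merge the Counters. That is the structural change the post's sequential code is missing, and it is also what the purpose-built products do internally.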



Ensuring packet bounds alignment on connection reader

When designing an instant messaging application, I went with what seemed the most obvious approach to consuming variable-sized packets; I put 4 bytes at the start of the packet, indicating the length.

It occurs to me, however, that a client might send a malformed or ‘lying’ packet that has a too-large length. In that case, it’s possible packets could be constructed from misaligned bytes, resulting in a bunch of trash.

My possible solution to this is to have a sort of constant 32bit ‘identifier’ (it would always be the same) after the length so I can pretty much ensure packet alignment.

Is this a good approach? Also, if there’s any useful tips/articles anyone has for protocol design, that would be much appreciated.
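
A length prefix plus a constant marker is a reasonable framing design, but the marker only detects that the stream has gone wrong; it does not protect you from the lying length. The two things that do are a hard cap on the declared length, checked before any allocation, and reading exactly that many bytes and no more. When the marker check fails, the only safe response is to drop the connection: scanning forward for the next marker is a mistake, because the payload is attacker-controlled and can contain the marker bytes, which lets a peer steer where you resynchronise. As an added example, not from the post, here is a streaming decoder with those properties. MAGIC, MAX_FRAME and the header layout are assumptions for the illustration; the sample frames are constructed inline.

```python
import struct

MAGIC = b"IMv1"              # constant marker after the length (the post's idea); assumed value
MAX_FRAME = 64 * 1024        # hard upper bound on a payload; an assumed policy, tune per protocol
HEADER = struct.Struct(">I4s")   # 4-byte big-endian length, then the 4-byte marker


class FramingError(Exception):
    """The stream is malformed or desynchronised; the caller must close the connection."""


def encode_frame(payload: bytes) -> bytes:
    if len(payload) > MAX_FRAME:
        raise ValueError("payload exceeds MAX_FRAME")
    return HEADER.pack(len(payload), MAGIC) + payload


class FrameDecoder:
    """Accumulates bytes from a socket and yields complete payloads, one frame at a time."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, data: bytes) -> list:
        """Append received bytes; return every payload that is now complete (possibly none)."""
        self._buf += data
        frames = []
        while len(self._buf) >= HEADER.size:
            length, magic = HEADER.unpack_from(self._buf, 0)
            if magic != MAGIC:
                # Do not search forward for MAGIC; the peer could have planted it in a payload.
                raise FramingError("bad marker: stream desynchronised or corrupted")
            if length > MAX_FRAME:
                # Checked before anything is allocated, so a "lying" length cannot cost memory.
                raise FramingError(f"declared length {length} exceeds MAX_FRAME")
            end = HEADER.size + length
            if len(self._buf) < end:
                break                                     # partial frame: wait for more bytes
            frames.append(bytes(self._buf[HEADER.size:end]))
            del self._buf[:end]                           # consume exactly one frame
        return frames


def is_rejected(data: bytes) -> bool:
    """True if a fresh decoder refuses `data` (i.e. the peer would be disconnected)."""
    try:
        FrameDecoder().feed(data)
        return False
    except FramingError:
        return True


if __name__ == "__main__":
    d = FrameDecoder()
    wire = encode_frame(b"hello") + encode_frame(b"")
    print(d.feed(wire[:3]), d.feed(wire[3:]))             # [] then [b'hello', b'']
    print(is_rejected(struct.pack(">I4s", 2 ** 31, MAGIC)))   # True: oversized length
    print(is_rejected(b"\x00\x00\x00\x05JUNKhello"))         # True: wrong marker
```

Two follow-ups on protocol design that the framing layer alone does not give you: run the stream over TLS so a network attacker cannot corrupt or inject frames in the first place, and keep a per-connection budget (frames per second, total buffered bytes) so a client that sends valid-but-endless frames cannot starve the others.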



What would be network evolving technologies?

Hi everyone!! I'm currently studying CCNP Enterprise and I wanna know what the next coming trends in networking would be, so that I can study more... Any replies would be much appreciated!!! With regards,



Is there any easy way to see if a device supports SNMP write commands via SNMP itself?

I don't have HTTP access to a device, but I have SNMP (v1 or v2) access. I want to check if a certain device is set to SNMP read-only but not write. Can I do it in some way? Is there a specific SNMP OID that I can check?



BGP: route not removed from routing table when a peer is down

Hello, I have an EdgeRouter 12P running v2.0.8-hotfix.1 and I'm having an issue with BGP. All works fine and I receive routes from the BGP peers (MetalLB speakers); however, when one of the peers goes down (not gracefully), routes via this peer remain in the routing table, which makes traffic arrive on a non-working next-hop. My BGP config:

set protocols bgp 110720 maximum-paths ebgp 8
set protocols bgp 110720 maximum-paths ibgp 8
set protocols bgp 110720 neighbor 10.0.0.10 remote-as 200914
set protocols bgp 110720 neighbor 10.0.0.30 remote-as 200914
set protocols bgp 110720 neighbor 10.0.0.31 remote-as 200914
set protocols bgp 110720 neighbor 10.0.0.40 remote-as 200914
set protocols bgp 110720 neighbor 10.0.0.41 remote-as 200914
set protocols bgp 110720 neighbor 10.0.0.42 remote-as 200914
set protocols bgp 110720 neighbor 10.0.0.43 remote-as 200914
set protocols bgp 110720 parameters log-neighbor-changes
set protocols bgp 110720 parameters router-id 10.0.0.1
set protocols bgp 110720 redistribute static
set protocols bgp 110720 timers holdtime 10
set protocols bgp 110720 timers keepalive 60

State before reproducing the problem:

ubnt@EdgeRouter-12P:~$ show ip bgp summary
BGP router identifier 10.0.0.1, local AS number 110720
BGP table version is 5
2 BGP AS-PATH entries
0 BGP community entries
8 Configured ebgp ECMP multipath: Currently set at 8
8 Configured ibgp ECMP multipath: Currently set at 8

Neighbor    V  AS      MsgRcv  MsgSen  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
10.0.0.10   4  200914  0       0       0       0    0     never     Active
10.0.0.30   4  200914  1529    2533    5       0    0     00:00:18  4
10.0.0.31   4  200914  1527    2534    5       0    0     00:00:18  3
10.0.0.40   4  200914  1434    2383    5       0    0     00:00:18  2
10.0.0.41   4  200914  1525    2536    5       0    0     00:00:18  2
10.0.0.42   4  200914  1526    2535    5       0    0     00:00:18  2
10.0.0.43   4  200914  1526    2535    5       0    0     00:00:18  2

ubnt@EdgeRouter-12P:~$ show ip route 10.0.8.10
Routing entry for 10.0.8.10/32
  Known via "bgp", distance 20, metric 0, External Route Tag: 200914, best
  Last update 00:01:02 ago
  * 10.0.0.43, via switch0.100
  * 10.0.0.42, via switch0.100
  * 10.0.0.41, via switch0.100
  * 10.0.0.40, via switch0.100
  * 10.0.0.31, via switch0.100
  * 10.0.0.30, via switch0.100

ubnt@EdgeRouter-12P:~$ show ip bgp 10.0.8.10
BGP routing table entry for 10.0.8.10/32
Paths: (6 available, best #1, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
  10.0.0.31 10.0.0.40 10.0.0.41 10.0.0.42 10.0.0.43
  200914
    10.0.0.30 from 10.0.0.30 (10.0.0.30)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath-candidate, installed, best
      Last update: Mon Sep 28 15:29:11 2020
  200914
    10.0.0.40 from 10.0.0.40 (10.0.0.40)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath-candidate, installed
      Last update: Mon Sep 28 15:29:11 2020
  200914
    10.0.0.43 from 10.0.0.43 (10.0.0.43)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath-candidate, installed
      Last update: Mon Sep 28 15:29:11 2020
  200914
    10.0.0.42 from 10.0.0.42 (10.0.0.42)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath-candidate, installed
      Last update: Mon Sep 28 15:29:11 2020
  200914
    10.0.0.41 from 10.0.0.41 (10.0.0.41)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath-candidate, installed
      Last update: Mon Sep 28 15:29:11 2020
  200914
    10.0.0.31 from 10.0.0.31 (10.0.0.31)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath-candidate, installed
      Last update: Mon Sep 28 15:29:11 2020

When 10.0.0.40 is force-stopped I can see that in the logs:

Sep 28 15:35:17 EdgeRouter-12P BGP[4248]: BGP-6: 10.0.0.40-Outgoing [RIB] : Cleared BGP route table, af=1/1 route-num=2
Sep 28 15:35:17 EdgeRouter-12P BGP[4248]: BGP-6: %BGP-5-ADJCHANGE: neighbor 10.0.0.40 Down Peer closed the session

It no longer appears in show ip bgp:

ubnt@EdgeRouter-12P:~$ show ip bgp 10.0.8.10
BGP routing table entry for 10.0.8.10/32
Paths: (5 available, best #1, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
  10.0.0.31 10.0.0.41 10.0.0.42 10.0.0.43
  200914
    10.0.0.30 from 10.0.0.30 (10.0.0.30)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath-candidate, installed, best
      Last update: Mon Sep 28 15:29:11 2020
  200914
    10.0.0.43 from 10.0.0.43 (10.0.0.43)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath-candidate, installed
      Last update: Mon Sep 28 15:29:11 2020
  200914
    10.0.0.42 from 10.0.0.42 (10.0.0.42)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath-candidate, installed
      Last update: Mon Sep 28 15:29:11 2020
  200914
    10.0.0.41 from 10.0.0.41 (10.0.0.41)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath-candidate, installed
      Last update: Mon Sep 28 15:29:11 2020
  200914
    10.0.0.31 from 10.0.0.31 (10.0.0.31)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath-candidate, installed
      Last update: Mon Sep 28 15:29:11 2020

But the route still remains in the kernel routing table:

ubnt@EdgeRouter-12P:~$ show ip route 10.0.8.10
Routing entry for 10.0.8.10/32
  Known via "bgp", distance 20, metric 0, External Route Tag: 200914, best
  Last update 00:07:06 ago
  * 10.0.0.43, via switch0.100
  * 10.0.0.42, via switch0.100
  * 10.0.0.41, via switch0.100
  * 10.0.0.40, via switch0.100
  * 10.0.0.31, via switch0.100
  * 10.0.0.30, via switch0.100

Would anyone be able to help debug/fix that problem ?
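
What the outputs above show is a split between two tables: the BGP table (Loc-RIB) dropped the path from 10.0.0.40 the moment the session went down (the "Cleared BGP route table ... route-num=2" line), but the kernel route for 10.0.8.10/32 still lists all six next-hops and its "Last update 00:07:06 ago" shows the ECMP entry was never reprogrammed. As an added example, not from the post or from Ubiquiti, the script below parses the two outputs (reflowed copies of the post's own after-failure output are embedded as the sample) and reports next-hops the RIB still holds that BGP no longer has a path for; run it from cron against the live outputs and you have a detector for this class of bug while chasing a fix. One side note on the config: holdtime 10 with keepalive 60 is inverted relative to the usual keepalive = holdtime/3 relationship, which is worth straightening out regardless of this issue.

```python
import re

# Reflowed copies of the post's "show ip bgp 10.0.8.10" and "show ip route 10.0.8.10"
# outputs from after 10.0.0.40 was stopped (one item per line; content unchanged).
SHOW_IP_BGP_AFTER = """\
BGP routing table entry for 10.0.8.10/32
Paths: (5 available, best #1, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
  10.0.0.31 10.0.0.41 10.0.0.42 10.0.0.43
  200914
    10.0.0.30 from 10.0.0.30 (10.0.0.30)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath-candidate, installed, best
  200914
    10.0.0.43 from 10.0.0.43 (10.0.0.43)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath-candidate, installed
  200914
    10.0.0.42 from 10.0.0.42 (10.0.0.42)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath-candidate, installed
  200914
    10.0.0.41 from 10.0.0.41 (10.0.0.41)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath-candidate, installed
  200914
    10.0.0.31 from 10.0.0.31 (10.0.0.31)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath-candidate, installed
"""

SHOW_IP_ROUTE_AFTER = """\
Routing entry for 10.0.8.10/32
  Known via "bgp", distance 20, metric 0, External Route Tag: 200914, best
  Last update 00:07:06 ago
  * 10.0.0.43, via switch0.100
  * 10.0.0.42, via switch0.100
  * 10.0.0.41, via switch0.100
  * 10.0.0.40, via switch0.100
  * 10.0.0.31, via switch0.100
  * 10.0.0.30, via switch0.100
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
BGP_PATH_RE = re.compile(rf"^\s*({IPV4}) from ({IPV4}) \(({IPV4})\)")
BGP_ATTR_RE = re.compile(r"^\s*Origin ")
RIB_NH_RE = re.compile(rf"^\s*\*?\s*({IPV4}), via (\S+)")


def bgp_next_hops(text: str) -> dict:
    """next-hop -> set of attribute flags, for every path in 'show ip bgp <prefix>'."""
    paths, cur = {}, None
    for line in text.splitlines():
        m = BGP_PATH_RE.match(line)
        if m:
            cur = m.group(1)
            paths[cur] = set()
        elif cur and BGP_ATTR_RE.match(line):
            paths[cur] = {f.strip() for f in line.split(",")}
    return paths


def rib_next_hops(text: str) -> dict:
    """next-hop -> outgoing interface, from 'show ip route <prefix>'."""
    return {m.group(1): m.group(2)
            for m in (RIB_NH_RE.match(l) for l in text.splitlines()) if m}


def stale_next_hops(bgp_text: str, rib_text: str) -> list:
    """Next-hops the RIB still uses although BGP no longer holds a path via them."""
    return sorted(set(rib_next_hops(rib_text)) - set(bgp_next_hops(bgp_text)))


if __name__ == "__main__":
    print("stale next-hops:", stale_next_hops(SHOW_IP_BGP_AFTER, SHOW_IP_ROUTE_AFTER))
```

A non-empty result is exactly the condition the post describes: traffic hashed to that next-hop is black-holed until something forces the RIB entry to be rewritten.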



IP Masquerading and network cards

Hi. I am a second-year information systems student. I got an exercise from my university but I am struggling to understand how to complete it, and with COVID and not having in-person teaching (and tutors and lecturers who don't respond) it's taking its toll. I will attach a link to Imgur to see the way the requirements are stated.

I need to allow specific traffic on a specified card, with a specified address, among other things. All of the filtering requirements for (c) I understand how to do, e.g. sudo iptables -A INPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED, but I am unsure of how to apply a rule like this to "incoming traffic from the internet". I understand it has to do with the network cards. I have seen lots of things add the "-i eth0" part to specify incoming traffic on eth0 (the external card), but how do I specify that the address of the external card is 192.51.100.42? I also thought to add something like "-d 192.51.100.42", which I think means allow all established connection traffic where the destination is 192.51.100.42 (my external card). Which of these satisfy the question, if any?

I also thought it had to do with editing the rules in the nat table, but I cannot edit the policies there. So I can't "block all traffic save for xyz", as that takes place in the filter table. I could just do the rules and add "-i eth0" like I said, but since the question gives me the IP address of eth0 I assume I first need to specify it. I also saw on a website to use sudo vim /etc/network/interface, but the vim command is not allowed on my Ubuntu Linux virtual machine.

How would I go about accomplishing questions (b) and (c)? Any help will be appreciated.

link to image to see the way the questions are stated: https://imgur.com/FmESOCe



Dell VLT - Single-homed devices?

I’m new to the Dell S-series (OS10), and I just read a little bit about VLT. It sounds interesting, however there is one thing I can’t find in any whitepaper: How does VLT deal with single-homed devices? Like, when I have Switch A and Switch B in a VLT domain, and one server is only connected to Switch A – will this work, or cause any problems? Also, how about ESX servers, that are connected to both switches, but don’t have Link Aggregation configured in the VMware side?

I know that MLAG in the N-series could not deal with those scenarios.



how to transfer public ip adresses?

Hello,

I purchased 8 public IP addresses from RIPE. I want to transfer some of these IPs; is this possible?



Need a TCP Load Balancer

Hi all

I'm looking for a load balancer that allows me to direct requests to the server that is in the same subnet as the client. This is for an internal TCP port that's not a website. I have tried the following ones and none of them appear to allow me to selectively direct requests to a server based on the client's IP:

Kemp, HAProxy, Nginx Plus

The closest so far is the Kemp which allows content rules but that's only for http/https so that's no good to me.

Hope you can advise on something I don't know about, it doesn't need to be free. Happy to pay for a suitable product

Thanks



Mobile network question

If there is an established VoLTE call and one of the users starts to use some web application, will the app traffic share the same radio connection as the voice traffic, or will a new radio connection be initialised?



How to debug Ethernet protocol stack stuff

Hello, I am programming a bare-metal Ethernet frame generator on a Xilinx board, with the driver code that Xilinx provides. I connected the board to a PC via a network cable and tried to transmit an Ethernet frame and capture it with Wireshark, but got nothing. The transmission ISR in the driver code got triggered, so it seems that the NIC on the PC side somehow discarded my frame. I want to see what exactly the transmitted frame looks like on the cable, so that I can figure out why it is discarded. How can I do this? Do I need some extra devices?

By the way, I tested the TX status register in the ISR code; it's 0, so the transmit complete bit (6) is not set, and none of the other error flag bits is set. I am not sure if this means my frame does not get transmitted at all, or if I can simply ignore it.
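
Wireshark on the PC only sees what the PC's NIC passes up, and a NIC silently drops the usual hand-built-frame mistakes before the capture point: fewer than 64 bytes on the wire (runt), a missing or wrong FCS, or a unicast destination MAC that is not its own when the driver is not in promiscuous mode. The FCS is normally stripped before capture too, so its absence in Wireshark tells you nothing. On Linux, ethtool -S on many drivers exposes rx_crc_errors / rx_length_errors counters, which is often the quickest sign of which of these is happening; seeing the raw bytes on the cable needs a tap or a mirror port on a switch. As an added example, not from the post or from Xilinx, the code below builds a minimal Ethernet II frame with padding and a CRC-32 FCS and has a checker that lists the reasons a standard receiver would discard a given byte string, so you can test your generator's output offline. Whether you must append the FCS yourself depends on whether the MAC on the board is configured to insert it; that is a question for the Xilinx documentation for your core, not something this example can decide. The function names and the experimental EtherType are choices made here.

```python
import struct
import zlib

MIN_ON_WIRE = 64          # minimum Ethernet frame length including the 4-byte FCS
MAX_ON_WIRE = 1518        # 14-byte header + 1500-byte payload + FCS (no jumbo, no 802.1Q tag)
ETHERTYPE_LOCAL_EXPERIMENTAL = 0x88B5    # IEEE 802 EtherType reserved for local experiments


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: CRC-32 (same polynomial and reflection as zlib), least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, with_fcs: bool = True) -> bytes:
    """Ethernet II frame: dst(6) src(6) type(2) payload, zero-padded to 60 bytes, plus FCS."""
    frame = mac_bytes(dst) + mac_bytes(src) + struct.pack(">H", ethertype) + payload
    if len(frame) < MIN_ON_WIRE - 4:
        frame += b"\x00" * (MIN_ON_WIRE - 4 - len(frame))   # pad so the frame is not a runt
    if len(frame) > MAX_ON_WIRE - 4:
        raise ValueError("payload too large for a standard (non-jumbo) frame")
    return frame + fcs(frame) if with_fcs else frame


def check_frame(wire: bytes, my_mac: str = None, promiscuous: bool = True) -> list:
    """Reasons a standard receiving NIC would discard `wire`; an empty list means accepted."""
    problems = []
    if len(wire) < MIN_ON_WIRE:
        problems.append("runt")
    if len(wire) > MAX_ON_WIRE:
        problems.append("giant")
    if len(wire) >= 4 and fcs(wire[:-4]) != wire[-4:]:
        problems.append("bad FCS")
    if not promiscuous and my_mac is not None and len(wire) >= 6:
        dst = wire[:6]
        if dst != mac_bytes(my_mac) and not (dst[0] & 1):   # unicast, and not addressed to us
            problems.append("dst MAC not ours")
    return problems


if __name__ == "__main__":
    f = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", ETHERTYPE_LOCAL_EXPERIMENTAL, b"hello")
    print(len(f), "bytes on the wire, problems:", check_frame(f))
    print("without FCS:", check_frame(build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01",
                                                  ETHERTYPE_LOCAL_EXPERIMENTAL, b"hello", with_fcs=False)))
```

A practical way to use this: dump the bytes your ISR hands to the MAC (over UART or a debugger), paste them into check_frame, and compare against what build_frame produces for the same header and payload. Sending to the broadcast address first also removes the destination-MAC filter from the list of suspects.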



Monday, October 5, 2020

Embarrassed that I don’t know more

Hi all. Please be kind. Using a throwaway account because I'm embarrassed I don't know more about this. I just started a new gig where I don't really need to know this stuff, but it does come up with the teams around me and I just don't get it. When these guys talk about IP proxies, servers, cloud computing, VPN, handshakes, tracerouting, routers, firewalls, packets, etc., I really just don't know what any of that means. My question for all of you is: are there any basic IT network type courses you would recommend for me to take to just understand the basics and maybe a little more??? What would you recommend for someone who just wants to have a fairly decent understanding of this stuff but not expert level, just enough to have a clue what everyone's talking about? A book you recommend, a specific online course, a YouTube video? Thank you in advance.



Creating a new 'sandbox' network that will eventually replace existing production network

Evening r/networking! This is long and will probably be rambling. I'll try and stick to the facts and stay on track. My background is 15+ years as a jack-of-all trades 'computer guy'. Basic networking, end user support, system administration, etc. This will be by far the largest project I've been involved with and I think it can really help me move in to some new areas of responsibility to escape the 'helpdesk' parts of my work and grow. I've really fallen into a new set of roles (networking and security) so I'm learning as I go and trying not to hyperventilate. :)

Our current network is a bit of a mess, and I've been given the opportunity to build a new sandbox with the hope of it eventually being our new home. Our organization is becoming part of a new entity (5-6 divisions combining to 1 new one), so now is the time for planning and testing to get it right.

The current config is a bit of a mess. A 5516 ASA provided by our ISP (who also controls the AD forest our domain is a part of) feeding a Cisco 4507 'core' switch in our data center, feeding 3850 stacks located in other areas of the building as access switches. *Lots* of VLANs (closet A, wireless, wireless guest, VoIP, servers, security cameras, management, etc., etc.) with 10.x.x.x subnets; IP blocks were provided by our ISP as they route them all over 'their' network to lots of other divisions/agencies.

IP routing is enabled at the core so it is functioning as the gateway for all of our various subnets. No ACLs or firewalling in place to control access between VLANs, with the exception of only allowing the IT network access to the 'management' network which contains our switches.

Our AD setup is similarly messy; DNS resolution issues, DHCP errors, trouble with GPO propagation, messy share permissions, etc.

We've been assigned a new 10.x.0.0/16 to begin our sandbox build. Part of this build will be a new AD domain (moving from CORP.forest.com to NEWCORP.forest.com) to migrate our users to long term.

What I'm struggling with wrapping my head around now is where/how to start. Our ISP will handle routing the new IP block to the ASA as well as provisioning our new domain.

I would like to keep the new network as isolated from the current mess as possible (direction old to new) with the exception of allowing access from our existing 'IT' network so we can do the build out.

My thought is to get a firewall set up (possibly pfsense or untangle?) to sit between the two systems. I'll give it a couple ports from our core switch on one side and a couple new switches in the sandbox rack (looking to re-purpose a 9300 for data/LAN connectivity and maybe a 3850 to group together 'management' things) to feed our new hypervisors that will form the core of the new AD domain and allow us to build out from there.

I can have our provider route part (or all) of the /16 toward us to get started.

I have a grip on creating the domain, DNS, new servers, etc. But the networking part has me struggling. Any random info you might have would be appreciated; even if it's "Hey, look through the Cisco docs on private VLANs."



DHCP issues on C9300 switches.

Basic diagram is a core switch (stacked pair), where the DHCP server is connected, with edge switches uplinked to it. DHCP relay and helper are set up.

Issue is users are set to use the default VLAN (my hunch is that's where the problems may be). There are several other VLANs in play for servers and other devices. Doing a capture I see:

1. Clients send a DISCOVER packet on the default VLAN (VLAN 1), untagged.
2. The broadcast reaches the core switch (sent to every switch port with VLAN 1).
3. The uplink port on the core from the edge switch receives the untagged broadcast packet and sends it out its native VLAN of 123 (example server VLAN).
4. The DHCP server receives the DHCP DISCOVER packet on VLAN 123 and responds with an offer on that VLAN.
5. The DHCP offer stays on VLAN 123 since the VLAN is tagged from the server. All VLANs are tagged on the server's interface.
6. Because the DHCP server sends the offer on VLAN 123 and the packet is tagged, it cannot get back to the PC. Restarting the PC or doing a new DHCP request, it gets the correct IP 20% of the time.

This is how the leak happens. I had assumed that the packets would be marked when they arrive at the switch backplane. Appears that this is not the case.

Going forward we'll be moving the user VLAN off the default and implementing DHCP snooping. Any other ideas for troubleshooting and/or config?



Opinion on setup pros and cons if there are any.

I have three locations that are connected by a layer 2 ring. They have their own networks at each location. I intend on setting up OSPF. Currently one of the three networks does the routing for the others by being extended around the ring. I am working to lessen the scope of that one so it is local to just the one location. Is it better to have just one VLAN around the ring with a /29 that will have one IP for each location and some spare for future growth? Or is it better to have three point-to-point networks? I am trying to think of any benefit of using point-to-point over broadcast for OSPF and whether one way is more correct than the other.



DataCenter Internet - Please Help!!

Does anyone have suggestions for what I can do to fix the following? Here is my setup:

Fiber from DataCenter (internet) terminated into my UF-24 port switch On SFP2. I can confirm this optical cable is lit and traffic sent and received.

I then mirror this port to switch port #22 which I’ve got patched to my USG Router on WAN1. “Port 22 is operating in mirror mode and is mirroring traffic to/from port SFP2”

I've tried mirroring in both directions: SFP2 as a mirror of 22, and vice versa.

You could say Im using this as a media converter until my Palo Alto router that has SFP arrives. All of this Ubiquiti gear is going to eBay as soon as that arrives.

On the router I’ve set up a WAN network: A.b.c.d/28 is my address and subnet mask. (Confirmed correct with data center)

D.e.f.g is my router (confirmed correct with my data center)

I’ve got 8.8.8.8 and 4.2.2.2 as my DNS servers and I’m using VLAN ID provided by my data center.

Connected to the switch, my laptop can hit the USG router, yet traceroute cannot find the internet provider's router or the internet or any other site.

Any thoughts?



Weird AWS Problem, driving me mad

Okay, so I have about lost my shit trying to figure this out, but here goes.

This isn't anything complicated. I have a VPC with SUBNET A and SUBNET B. To this VPC I have 5 VPN connections to 5 different firewalls across the world.

Today an outage occurred for only devices in SUBNET B, across all 5 VPNS. Everything in SUBNET A worked fine, no issues at all. Then after 2.5 hours all of a sudden all instances in SUBNET B worked as well.

Naturally I started a ticket with AWS and they ask to see flow logs. I check the logs sure enough, I have entries for my pings from my devices through the VPN into the instance in subnet B, I even see the one for the return traffic, but it never reaches my firewall.

I get a brilliant idea to SSH from a host in SUBNET A into SUBNET B. I'M IN! I do a ping from INSTANCE B to my stuff in my office and I get "destination net unreachable" from an AWS IP of 169.254.255.41. Can you believe this?

Everything is set up the same across us-east-1a and us-east-1b, subnets have same route tables, and ACLS, instances have same security groups.

After 2.5 hours BAM everything is working, and of course I'm all dandy and whatever with AWS, but now the issue is occurring again. I'm on the phone with AWS, but I'm not sure even they can figure it out.



How to make a VPN between a Windows laptop and a Linux laptop

I have a working VPN connection to my office on my Windows laptop. I would prefer using a Mac but I need to be able to talk to some servers in my office once in a while. How do I access the VPN on my Windows laptop via another Mac?

Things I have tried but did not work: Hamachi

Thanks



Autonegotiation issue with a twist

My autonegotiated connection is going back to 100/half duplex and not working at all: link but no connectivity. If I set the speed of the connection to 1 Gb/s but keep autonegotiation on for duplex, the connection works and is 1 Gb/s full duplex. I'm assuming that this is a wiring issue, but I've never seen one in which a forced 1 Gb/s connection would work where an autonegotiated connection would not. Other connections in the building on the same switch appear to be working normally. No errors showing on the interface. Normally a wiring error would be a bad conductor that would force 100 Mb/s and would not work at 1 Gb/s.

I've got 3 connections in the same office behaving the same way. This is on a Juniper switch.



HPE ComWare Bridge Aggregation Debug

Is there a show/display command that allows you to see which link in a BAG a packet will use based on the hash criteria?

Example: BAG has 3 interfaces, and uses src/dst ip to distribute. Is there a show command where I can specify the src/dst ip and have the switch tell me which interface the packet would be sent out of?

With Cisco there is a command syntax of: 'show port-channel load-balance forwarding-path interface port-channel x ...'

Is there an HPE equivalent?



How does a looking glass / BGP tool know that someone is peered with someone else whenever that peer isn't announcing any prefixes from that ASN?

I've noticed some online tools (bgp.he.net in particular) can show who is providing transit or peering, and I'm wondering how is it that some of these tools can see who I'm peered with via an Internet Exchange when my ASN is looked up. I'm guessing it's happening with Route Reflectors/BGP at some point, but I was curious as to how an outside network can see who is peered point to point like that with no transit or exporting of the routes.



Aruba stand alone AP deployment

I am trying to deploy a stand alone Aruba access point (AP-515) into an environment that already has a few Aruba Instant access points (IAP-315) deployed. I am hitting a wall with it because whenever I point my browser towards the new AP it goes straight to the Instant Controller. Does anyone know a way around this or if I'm missing something here? All of the documentation I've looked at is very vague.



Cox and the IRR: A Tale of Hope

Note to the reader: A random engineer contacted me after having the exact same problem as me. He saw my ASN as being the only one handled properly by Cox's IRR records and upstream filtering, yet Cox was telling him that they absolutely do not, can not, and would not add his prefixes to their IRR records in identical fashion. My hope is that anybody having my issue may find this story before either giving up or going down the rabbit hole as far as he and I did.

Late last year I was working on fixing up the Internet Routing Registry (IRR) records for the BGP ASN I operate (AS27580). I was trying to clean up some old records in various IRR databases (RADB, Level3, etc) left behind by the previous owner of 27580, and was getting my IRRExplorer (http://irrexplorer.nlnog.net) table to show up all green (the way we engineers like it).

I peer with Cox for upstream connectivity and I noticed Cox had IRR route objects in the Level3 database for my prefixes; objects which Cox had created themselves and which notated an origin of AS22773 (Cox's AS). These are incorrect records (incorrect origin AS), which is why they were flagged by IRRExplorer, but creating them is Cox's standard way of provisioning a new BGP customer. By Cox adding route objects with origin: AS22773, it builds RPSL such that Level3's filtergen allows all prefixes matching origin: AS22773 to be announced to AS3356 from AS22773, regardless of what the actual correct origin AS might be. This can be seen by running whois -h filtergen.level3.net AS22773. I promptly contacted my Cox rep and opened a ticket to have Cox remove their route records in the Level3 database.

November 2019

I spoke with a Cox engineer and informed them I managed my own IRR records in the ARIN database and that Level3/CenturyLink (L3CL) should be able to use those to properly filter at their peerings with Cox (which is technically incorrect, since Cox would need to list my ASN in their own records, but I didn't know this at the time). It was their standard procedure to add route records to the Level3 database and the Cox engineer told me my routing may break if they removed it.

I had him remove the route record for one of my unused test prefixes so we could check the result. Sure enough, L3CL stopped accepting my test prefix once the Cox record was removed. I had the engineer leave it that way so I could try to figure out if my own IRR records were incorrect. I did a little bit of research and adjustments to no avail, got busy with other things, and forgot about it for 'a while'.

July 2020

A few small world events cropped up (heh), business slowed down a bit, and I finally had some time on my hands to solve this ever-looming issue. Due mostly to the fact I had forgotten almost everything about this problem, I approached it a different way.

My AS only peers with Hurricane Electric (HE) for IPv6 (tunnel broker service) and I noticed HE was not learning my IPv4 advertisements through their Cox peering at all, but instead learned them through L3CL. I contacted HE and asked them why they were not learning my prefixes through their peerings with Cox.

HE told me Cox is not properly adding customers' ASNs to their IRR records and it is resulting in approximately 20% of Cox's IPv4 prefixes being refused by HE along with other upstream providers. HE shot off an email to some backbone contacts at Cox and looped me into the thread. I was able to use this thread, and the pressure coming from HE, to get Cox to agree to add me (AS27580) to their AS-COX-TRANSIT as-set record (a record which hadn't been updated in over a decade).

The AS-COX-TRANSIT as-set is exported in Cox's main AS22773 record, so this should have fixed the issue; and for the HE-to-Cox peering, it did, but not for the L3CL-to-Cox peering.

After some more research and tinkering I was able to get Cox to open a ticket with L3CL, only to find out L3CL was not honoring Cox's referenced AS-COX-TRANSIT object for filtering. L3CL fixed this issue and BANG, my test prefix started showing up in L3CL's looking glasses. I had Cox remove all their route objects in Level3's DB referencing my prefixes and I was finally able to get a clean report from IRRExplorer and all the provider looking glasses.

Conclusion

AFAIK Cox is still following bad procedure when peering with their customers by adding route objects to the Level3 database with Cox's AS (AS22773) as the origin. It seems like they are doing this as a simple workaround to how Level3 is performing filtering on the Cox peerings.

What I believe Cox SHOULD be doing, which is what HE does by using the recursive and hierarchical nature of IRR, is adding their customers' ASNs (or as-set records if the customer has downstream ASNs) to an as-set object (i.e. AS-COX-TRANSIT) which is exported in the AS22773 AS object.

In speaking with other people who have had this same problem with Cox, it seems you just need to contact the correct people at Cox to get this done. Normal support channels such as account managers and support engineers seem to dead end.

TLDR: In trying to fix my IRR records, I prompted Hurricane Electric (one of my providers) to escalate my problem to Cox (another one of my providers), then got Cox to escalate to their own upstream Level3/CenturyLink (not my provider) and fix Cox's 15-year-old broken and incorrect IRR records, allowing Level3/CenturyLink to properly filter Cox's customer (my) prefixes.
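The mechanism the story turns on (a provider's filter is built by recursively expanding an as-set into origin ASNs and then admitting the route objects whose origin is in that expansion) can be modelled in a few lines. The block below is an added example, not code or data from Cox, HE, Level3 or IRRExplorer: the ASN and as-set names mirror the post (AS22773, AS27580, AS-COX-TRANSIT), while the prefixes, the extra members and the "stale" as-set are constructed. It shows why a customer ASN missing from the exported as-set is refused, why a provider-origin route object for the customer's prefix "fixes" that at the cost of a wrong origin, and what an IRR consistency checker flags.

```python
"""Recursive as-set expansion and origin checking over a constructed IRR
snapshot. Added illustration; ASN and as-set names follow the post, the
prefixes and extra members are invented."""

import ipaddress

# Constructed as-set objects: name -> members (ASNs or nested as-sets).
# AS-CUSTOMER-X refers back to AS-COX-TRANSIT on purpose, so the expansion
# must tolerate a reference loop instead of recursing forever.
AS_SETS_CURRENT = {
    "AS-COX-TRANSIT": ["AS22773", "AS27580", "AS-CUSTOMER-X"],
    "AS-CUSTOMER-X": ["AS64496", "AS64497", "AS-COX-TRANSIT"],
}

# The same as-set before the customer ASN was added (the decade-old state).
AS_SETS_STALE = {
    "AS-COX-TRANSIT": ["AS22773", "AS-CUSTOMER-X"],
    "AS-CUSTOMER-X": ["AS64496", "AS64497"],
}

# Constructed route objects as (prefix, origin) pairs. 192.0.2.0/24 carries
# both the customer's own record and a provider-created record with the
# provider's ASN as origin, the conflict the post describes.
ROUTE_OBJECTS = [
    ("192.0.2.0/24", "AS27580"),
    ("192.0.2.0/24", "AS22773"),
    ("198.51.100.0/24", "AS64496"),
    ("203.0.113.0/24", "AS22773"),
]


def expand_as_set(name, as_sets, seen=None):
    """Return every ASN reachable from an as-set, following nested as-set
    members recursively; `seen` guards against reference loops."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    asns = set()
    for member in as_sets.get(name, []):
        member = member.upper()
        if member.startswith("AS-"):
            asns |= expand_as_set(member, as_sets, seen)
        else:
            asns.add(member)
    return asns


def filter_prefixes(as_set_name, as_sets, route_objects):
    """Prefixes a provider's filter generator would accept from a peer that
    exports `as_set_name`: route objects whose origin is in the expansion."""
    origins = expand_as_set(as_set_name, as_sets)
    accepted = set()
    for prefix, origin in route_objects:
        ipaddress.ip_network(prefix)  # reject malformed entries early
        if origin.upper() in origins:
            accepted.add(prefix)
    return sorted(accepted)


def accepts(prefix, origin, as_set_name, as_sets, route_objects):
    """Would an announcement of `prefix` with `origin` pass the filter built
    from `as_set_name`? The origin must be in the expansion AND a matching
    route object must exist."""
    registered = {(p, o.upper()) for p, o in route_objects}
    return (origin.upper() in expand_as_set(as_set_name, as_sets)
            and (prefix, origin.upper()) in registered)


def conflicting_origins(route_objects):
    """Prefixes registered with more than one origin ASN: the inconsistency
    an IRR checker surfaces for a human to resolve."""
    by_prefix = {}
    for prefix, origin in route_objects:
        by_prefix.setdefault(prefix, set()).add(origin.upper())
    return {p: sorted(o) for p, o in by_prefix.items() if len(o) > 1}


if __name__ == "__main__":
    print("expanded:", sorted(expand_as_set("AS-COX-TRANSIT", AS_SETS_CURRENT)))
    print("customer origin, stale as-set:",
          accepts("192.0.2.0/24", "AS27580", "AS-COX-TRANSIT", AS_SETS_STALE, ROUTE_OBJECTS))
    print("customer origin, updated as-set:",
          accepts("192.0.2.0/24", "AS27580", "AS-COX-TRANSIT", AS_SETS_CURRENT, ROUTE_OBJECTS))
    print("conflicts:", conflicting_origins(ROUTE_OBJECTS))
```

With the stale as-set the customer-origin announcement is refused, while the provider-origin route object for the same prefix is accepted because the provider's own ASN is always in its as-set; that is the workaround and its side effect (a conflicting origin) in one place. Once the customer ASN is in the exported as-set the provider-origin object is no longer needed and can be removed.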



Palo Alto OSPF - Filtering

I haven't done much dynamic routing with Palo Alto or any firewall really and I'm wondering now if I'm missing something. I have a PA820 that has learned routes from a router through OSPF area 1 and now the PA has a new neighbor in area 0. I can't seem to find a way to stop the PA from advertising all routes learned from OSPF area 1 into area 0. I created a redistribution profile to no-redist OSPF routes but I get an error saying I cannot filter routes sourced from OSPF to OSPF destinations.

Does the PA not allow you to stop the redistribution of learned routes from other OSPF areas?



NETWORK SLOW

Need help in troubleshooting our branch network

We are an organization with 7 branches. One of our branches has been having a regularly slow network connection on the LAN side. Users cannot access our resources at the head office, especially the system. This has hindered the services occurring in that branch. We have 2 Cisco switches connected to each other with two links and users connecting to them. I suspect there is something sucking up the bandwidth, because our WAN connection is 100% at normal operational bandwidth.

  1. I need help in troubleshooting, to narrow down the machine that is sucking up the bandwidth. If it is a loop, how do I pinpoint the device that is causing it? Can software like Colasoft Capsa help in identifying the same?
  2. Also, what best practices do I need to configure on the switches to make them more efficient? We have two 2960 series switches.

will much appreciate any output.

Regards



Switching Anomaly - at my wits end.

Hello all, I'm working with a network that I'm trying to discover/map out after an emergency.

  • The engineer who designed the network is gone.
  • No documentation was done.
  • There are other vendors that have access to the network.
  • None of the vendors have coordinated change management.
  • On my day off, a primary switch died.
  • The tech who filled in for me yolo'd the network and unplugged everything without documenting it.
  • There are 3 primary switches (Aruba). Switch 2 is the one that died.
  • Tech put a temporary switch from another client in place of switch 2.
  • The temp switch was configured for the other client as a backup. VLAN setup was incompatible.
  • The tech played random mix and match between the 3 switches until "enough" of the network was online to hold them over till I returned. They documented NOTHING of the original config or port/cable orientations.
  • When I returned, I managed to get the dead switch functional and pulled the configs and programmed the loaner switch.
  • I have zero information on what the network is supposed to look like. I have managed to get 95% of the network functional.
  • In the process of trying to understand the network, I am mapping it out. I have come across an anomaly that is driving me nuts.

According to the MAC address table of each switch, a portion of the network looks like this. Switch 1 is connected to switch 2 via port 1. Switch 2 is connected to switch 1 via port 1. Switch 3 is connected to both switch 1 and switch 2 via port 1. Logically I'm thinking there is a 4th unknown switch, probably unmanaged, in between the 3 primary switches. The tech who was physically on site (not the one who screwed everything up), following my instructions, connected switch 1 port 1 to one of the 2 primary switches. He forgot to record which port he plugged it into. I figured when all the dust settled I'd just map the network and be done with it. That's how I discovered this anomaly.

2 questions: Is there a more efficient way to map a network and discover physical layout vs VLAN layout? Am I interpreting the MAC address table incorrectly and/or what am I doing wrong?

The CEO of our company is furious, livid, because they do not want us to spend any more time on this task. I tried to explain that we need to map the network to establish a baseline then work with each of the vendors to understand their needs and design from scratch something that works for everyone. They are not hearing it and just want the solution to magically spawn and already be in place.

help...
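Reading inter-switch links out of MAC address tables is mechanical enough to script, and scripting it makes the reasoning explicit: the port on which switch A learns switch B's own MAC is A's path towards B, and what distinguishes "B is the transit switch" from "something unmanaged sits between all of them" is whether some switch in the set learns its peers on distinct ports. The block below is an added example, not the poster's data or any vendor's tool; the switch MACs, ports and VLANs are constructed, and the parser assumes a plain `<mac> <port> <vlan>` line layout rather than the exact output of an Aruba `show mac-address`. Note that a switch seeing two other switches on one port (as switch 3 does in the post) is by itself consistent with a simple chain; only the full set of tables separates the two scenarios.

```python
"""Inferring inter-switch topology from MAC address tables. Added
illustration over constructed tables; not real network data."""

from collections import defaultdict

# Constructed: the MAC each switch uses as its own (management) address.
SWITCH_MACS = {
    "SW1": "00:11:22:00:00:01",
    "SW2": "00:11:22:00:00:02",
    "SW3": "00:11:22:00:00:03",
}

# Scenario 1 (constructed): SW1 is the transit switch; SW2 and SW3 hang off
# different SW1 ports, so SW2 and SW3 each see both peers on one port.
TABLES_CHAIN = {
    "SW1": """00:11:22:00:00:02 1 10
              00:11:22:00:00:03 2 10
              aa:bb:cc:00:00:10 5 20""",
    "SW2": """00:11:22:00:00:01 1 10
              00:11:22:00:00:03 1 10
              aa:bb:cc:00:00:20 7 20""",
    "SW3": """00:11:22:00:00:01 1 10
              00:11:22:00:00:02 1 10""",
}

# Scenario 2 (constructed): every switch learns both peers on port 1. No
# switch in the set forwards between the others, so a device outside the
# set (an unmanaged switch, a hub, a loaner) must be joining them.
TABLES_SHARED = {
    "SW1": "00:11:22:00:00:02 1 10\n00:11:22:00:00:03 1 10",
    "SW2": "00:11:22:00:00:01 1 10\n00:11:22:00:00:03 1 10",
    "SW3": "00:11:22:00:00:01 1 10\n00:11:22:00:00:02 1 10",
}


def parse_table(text):
    """Parse '<mac> <port> <vlan>' lines into {mac: port}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            table[parts[0].lower()] = parts[1]
    return table


def peer_ports(tables, switch_macs):
    """For each switch, the local port on which each other switch's own
    MAC was learned: {switch: {peer: port}}."""
    mac_to_switch = {m.lower(): s for s, m in switch_macs.items()}
    result = {}
    for sw, text in tables.items():
        result[sw] = {
            mac_to_switch[mac]: port
            for mac, port in parse_table(text).items()
            if mac in mac_to_switch and mac_to_switch[mac] != sw
        }
    return result


def transit_switches(peers):
    """Switches that learn every peer on a distinct port: they forward
    traffic between those peers, i.e. they sit at the centre of a star."""
    return sorted(sw for sw, p in peers.items()
                  if len(p) > 1 and len(set(p.values())) == len(p))


def shared_segment(peers):
    """True when every switch learns all of its peers on a single port,
    the signature of an unknown device between them."""
    return all(len(p) > 1 and len(set(p.values())) == 1
               for p in peers.values())


def busy_ports(text, min_macs=2):
    """Ports with several learned MACs are uplinks or hubs, not end hosts;
    a good first filter when walking an undocumented closet."""
    counts = defaultdict(int)
    for port in parse_table(text).values():
        counts[port] += 1
    return sorted(port for port, n in counts.items() if n >= min_macs)


if __name__ == "__main__":
    for label, tables in (("chain", TABLES_CHAIN), ("shared", TABLES_SHARED)):
        peers = peer_ports(tables, SWITCH_MACS)
        print(label, "transit:", transit_switches(peers),
              "unknown device between them:", shared_segment(peers))
```

Run against real tables you would substitute each switch's management MAC (and, for stacked or VSF units, every member's MAC) into `SWITCH_MACS`; LLDP neighbor output, where the switches expose it, gives the same adjacency directly and is the quicker check when it is available.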



What distributor are you using for Netgear Business products?

Hello,

The company I work for is an AV integrator (and Netgear partner). We've been getting Netgear business switches from an authorized distributor but I believe they are a middleman. As a result, we haven't been able to get accurate product availability, tracking information, etc in a timely fashion. We keep having to go back and forth as they check with "their vendor".

I'm looking for another distributor option that can show stock and pricing on their website and also post tracking info as orders ship. Lowest possible prices would also be a plus.

I am looking at D&H, Herman ProAV, Tech Data, or Ingram Micro. If you have experiences with any of those, please let me know.



Linux iptables: Does "established" mean the same thing as it does in a Cisco ACL?

I'm asking a Linux question here because the issue only ever comes up when running Linux as ECMP transit devices, and I expect I'll get lectured about how TCP handshakes work over in sysadmintown.

I'm looking at an ECMP topology with parallel paths through Linux-based routers. Interfaces have some iptables incantations including -m state --state ESTABLISHED associated with them.

So, the question is, is the state module's ESTABLISHED keyword like the Cisco ACL equivalent, where it really means "any TCP segment with ACK bit set", or is the state module maintaining a flow table and matching incoming traffic against established flows?

As far as I can tell, the relevant setting is in /proc/sys/net/netfilter/nf_conntrack_tcp_loose. Enabling the flag here causes the conntrack feature (implicit with the iptables state module, I guess?) to automatically track stray (non-SYN) flows as they arrive. That's close, I guess, but I think I'd rather see truly stateless behavior like the Cisco ACL model.

Thoughts? Anybody been down this road before?
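The two semantics in the question can be put side by side in a small model: the IOS `established` keyword looks only at header bits (ACK or RST set), whereas conntrack classifies a segment against a flow table it has been building from earlier packets. The block below is an added example, not code from netfilter or IOS, and its flow-table model is a simplification of nf_conntrack: NEW is the first packet of a tracked flow, ESTABLISHED means traffic has been seen in both directions, INVALID is a segment belonging to no tracked flow, and the `tcp_loose` option lets a mid-stream segment create a flow instead of being INVALID. The fourth segment in the constructed trace is the ECMP case from the post: a router that never saw the handshake receives an ACK-bearing packet.

```python
"""Stateless 'established' (ACK-or-RST bit) beside a conntrack-style flow
table. Added illustration with a constructed four-segment trace."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def seg(src, sport, dst, dport, *flags):
    return Segment(src, sport, dst, dport, frozenset(flags))


def cisco_established(s):
    """IOS ACL 'established': header bits only, no memory of prior packets."""
    return "ACK" in s.flags or "RST" in s.flags


class ConntrackModel:
    """Simplified conntrack: flows keyed by the unordered endpoint pair."""

    def __init__(self, tcp_loose=False):
        self.tcp_loose = tcp_loose
        self.flows = {}  # key -> {"orig": 4-tuple, "reply_seen": bool}

    @staticmethod
    def _key(s):
        return tuple(sorted([(s.src, s.sport), (s.dst, s.dport)]))

    def state(self, s):
        """Classify one segment as NEW, ESTABLISHED or INVALID and update
        the table, in the same order the kernel would see the packets."""
        k = self._key(s)
        tup = (s.src, s.sport, s.dst, s.dport)
        if k in self.flows:
            flow = self.flows[k]
            if tup != flow["orig"]:
                flow["reply_seen"] = True  # reply direction seen
                return "ESTABLISHED"
            return "ESTABLISHED" if flow["reply_seen"] else "NEW"
        if "SYN" in s.flags and "ACK" not in s.flags:
            self.flows[k] = {"orig": tup, "reply_seen": False}
            return "NEW"
        if self.tcp_loose:
            # Pick up a mid-stream flow; its first packet is still NEW.
            self.flows[k] = {"orig": tup, "reply_seen": False}
            return "NEW"
        return "INVALID"


def compare(segments, tcp_loose=False):
    """Return [(cisco_match, conntrack_state), ...] for a segment list."""
    ct = ConntrackModel(tcp_loose)
    return [(cisco_established(s), ct.state(s)) for s in segments]


# Constructed trace: a full handshake through this router, then a lone ACK
# from a host whose handshake this router never saw (asymmetric ECMP path).
TRACE = [
    seg("10.0.0.5", 40000, "192.0.2.10", 443, "SYN"),
    seg("192.0.2.10", 443, "10.0.0.5", 40000, "SYN", "ACK"),
    seg("10.0.0.5", 40000, "192.0.2.10", 443, "ACK"),
    seg("198.51.100.7", 5555, "192.0.2.10", 22, "ACK"),
]

if __name__ == "__main__":
    for loose in (False, True):
        print("tcp_loose =", loose, compare(TRACE, tcp_loose=loose))
```

The last row is the whole difference: the ACK-bit rule admits the stray segment unconditionally, strict conntrack marks it INVALID (and `--state ESTABLISHED` will not match it), and with `tcp_loose` the segment starts a flow but is classified NEW, not ESTABLISHED, until a reply has passed the same router. That is why a rule such as `-p tcp ! --syn -m state --state NEW -j DROP` is commonly paired with `tcp_loose`, and why, on asymmetric ECMP paths, a stateful filter on each router sees only half of each conversation.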



New Switches - Core Layout Question

So our main office is being remodeled and as a part of it I get to deploy five new switches, three in the MDF and two in separate IDFs. They're all Aruba 6200s. Would it be better to ring just the three MDF switches and make them the core or do a full ring of all five switches and have them all acting as a core? What would be the pros and cons?



Static Routing between multiple subnets.

Hi,

Sorry in advance if this is a stupid question, but I have been trying all day to figure this out and have got nowhere. I am not a networking person, but do occasionally get involved troubleshooting these issues on site.

I had a similar issue before, and the way I got round it was using port forwarding on a router. However, I do not know if this is the best way going forward.

To summarise the situation:

  • We have a PC which is on 192.168.0.*.
  • We want to be able to talk to a variety of bits of equipment which have all sorts of different IPs (e.g. 10.0.124.4; 192.100.4.3; etc).
  • We have a layer 3 lite switch (Netgear GS716T)
  • We do not just want to open up the subnet mask due to security concerns

You can see the network topology in the following link (sorry for the awful paint skills!): Imgur

NIC 1 on the PC is just used for site/internet access etc. It has a default gateway to the router.

NIC 2: 192.168.0.111

Switch: 192.168.0.239

Device 1: 192.168.2.222

Device 2: Does not exist yet, but could have IP such as 10.0.124.4

Device 3: Same as above

My understanding of this is that I need to create a static route from the PC to the devices (and back again). Currently I am just trying to get it working with one device (192.168.2.222). Here is what I tried to do:

  • Static route on Windows so it knows to use NIC 2, rather than the default gateway

route ADD 192.168.2.0 MASK 255.255.255.0 192.168.0.239 IF 4 

If I understand this correctly, what I am doing here is saying that if I try to connect to 192.168.2.*, it will instead go to 192.168.0.239 through interface 4 (NIC 2).

  • Static route on switch to pass from 192.168.0.* to 192.168.2.*

Route Type: Static Network Address: 192.168.2.0 Subnet Mask: 255.255.255.0 Next Hop IP Address: 192.168.0.111 Preference: 1 

My understanding here is that I am saying if the router gets a connection from 192.168.0.111, then pass it on to 192.168.2.*. I feel like I have got something wrong here though.

  • Static route back from device 1 to the PC

Route Type: Static Network Address: 192.168.0.0 Subnet Mask: 255.255.255.0 Next Hop IP Address: 192.168.2.222 Preference: 1 

Here I am just reversing what I did above. From what I have read, because this is all dumb routing, you need to specify the return route too.

After doing those things, I cannot talk to device 1. I tried doing a tracert to see what's happening, but then I have since read that tracert would not work unless you're on a full layer 3 device.

My colleague has also tried messing around with using VLANs and routing them together, but he also has limited network experience.

I have no idea where to go from here so any help or pointers would be greatly appreciated!



Unable to change duplex setting on an IE4010. With a duplex mismatch, is it better to just set both ends to half?

There is no way to set duplex to full on my link; it is half duplex. On the other side, it is full duplex (which I can change). If I set both to half, would this be better than having the mismatch?

Will there be any difference in performance? The logs are going crazy.



Source IP filtering on PFSense with a Dynamic public IP

Hello all,

I have a virtual environment:

One ESXi with one pfSense VM that is used as my core. I also have a WRK (Work) VM that runs W10.

pfSense has a WAN (public IP the server provider gave me) and one LAN /24 (the one I created on pfSense).

All this environment is hosted in the cloud, so whenever I want to access the W10 VM or whatever other Debian VM, I usually go for VPN, and it works perfectly. But sometimes I'm on another computer (friend, wifey, or even work computer) and I cannot just simply install OpenVPN on those computers.

So I decided to do a port translation of RDP going to my W10 WRK VM. So the port I set to reach my VM is not the default 3389 RDP port. The thing is that I'm very very uncomfortable with having an RDP port open to the internet without any filtering based on the source IP or the MAC..

I don't really know what is best in this situation? Choosing comfort over security is not very safe, but maybe there's something I can do so that I can EASILY access a VM via RDP from any computer, and still be safe.. ?

I thought about adding MAC filtering, but pfSense is only an L3 firewall so it will not care about all the L2 stuff..

After that I thought about setting up an IPS/IDS (Suricata) that would block IPs after too many attempts, but it causes the problem that when I try to reach my infrastructure from a new public IP, I'll get my IP banned.. Maybe the solution is to have a less restrictive set of rules?

I did a translation and not a forwarding of the RDP port so that it is not the default 3389, but still, someone who does a port scan on my public IP will be able to see that port open..

So my questions are:

Is it safe to have RDP ports open on the internet (I'm 99% sure that no) and if not, what could be the best solution to my problem? Is there a way to do that without configuring an entire IDS/IPS like Suricata, or is this the only solution? :)

Thank you a lot for your time !



Do I need a different cable instead of UTP for Bridge Mode? Also, can I connect multiple routers?

Hello guys, I'm kinda new here.

So my current setup is: ISP router -> wifi router-> another wifi router.

Wanted to ask if I should change from PPPoE to Bridge mode, since I started being a bit skeptical with ISP tracking and private information.

I am not sure if I need another cable for that, or if the UTP cable will work without problems. Also not sure if I can still use the same setup I have right now, if bridge mode lets you do the same thing: ISP router -> wifi router and from that wifi router, extend to as many as I want using the LAN ports.



ACL to block access to loopback interface

ASR1k. It's an MPLS PE.

It has a loopback in one of the VRFs.

I want to expose the VRF to the internet. Internet would be inbound via another PE router, not a local link.

I can't put an ACL on the loopback itself, we know that doesn't work.

How can I protect that loopback? Sure I can put an ACE on the edge interface to the internet, but that's... imperfect/sub-ideal IMO. I have ACLs on the various mgmt services, but that's not a complete solution. No, the VRF isn't going behind a firewall; it's the VRF that the firewalls connect to.

I suppose I could put ACLs on the inbound interfaces to the router; that's SOP... but all the traffic comes in tagged, right? How would I write that ACL?



LTE usb device modem without internal web server for the connection?

Hello.

I need to buy several LTE USB keys to use in a bonding system connection manager for live events.

For this purpose I need to buy LTE keys without the embedded web server that provides the classic web page which the user uses to connect to the service....

Fundamentally.. a normal clean LTE USB modem that Linux doesn't see as an Ethernet adapter..

Any advice? Thank you.



2nd & 3rd router always gets disconnected from LAN

(a bit of intro)
So, I have this home setup: 1 router/modem (192.168.100.1) from my ISP broadcasting on channel 6, 1 router (channel 11, 192.168.0.1) connected via Cat5 to the main router's LAN1, and another router (channel 1, 192.168.0.1) connected to the main with a Cat5 on LAN3. All of them have DHCP enabled.

Now I have these 3 network groups that don't need to communicate with each other. I initially tried to make it access point mode or range extender mode, but the main router's DHCP server crashes. I can't connect the whole house to the main due to range issues. It is already placed in the middle of the house, but because of many concrete walls, I had to add other routers.

(The Problem)
From time to time routers 2 and 3 return "Request timed out" from ping (connected via WLAN; also can't access the router homepage via local IP), then those connected to it (via WLAN) will be disconnected and when I try to reconnect, it will say "cannot connect to network". But connecting to the main router (provided by ISP) it connects and has an internet connection. Any solutions or ways to detect the cause of the issue I'm having?



Need Help creating site to site VPN between a cisco router and a Stormshield firewall

Hi there fine people,

I am trying to set up a VPN between a Cisco C1117 LTE and a Stormshield SN510.
Unfortunately I haven't touched a Cisco appliance in many years, and some details of the configuration are escaping my logic. I'm trying to use the Web UI for the VPN setup.

For instance, on the Cisco router I have to create a Tunnel interface with its own IP address. Where does this address get used in the SN VPN configuration?

I'm aware information must be lacking to answer correctly but I'm not sure of what's relevant or not... Thanks in advance for your help!



Campus LAN on budget - used enterprise gear

I am about to design a LAN for a warehouse, more or less 150 Ethernet drops for the whole building. It will not go past this number anytime soon (it can reach 200 drops in 3-4 years, maybe) and budget is really a concern. Most of the ports will be used for industrial equipment, phones, CCTV and stuff that could be fine even with 100Mbit… It's also very likely that I will be able to squeeze everything into a single closet.

I have two alternative designs in my mind:
  • two collapsed cores in MLAG/VPC, maybe Arista 7050 or Cisco N3K (500 to 1000€) + Arista 7048 / Cisco 3750X for access (<500€ each);
  • one big chassis like a 6513-E with double supervisor, redundant PS etc (anywhere from 500€ to 3000€). I have seen many of them around in the last months.

I know this does not scale and is not current by any standard, but the reality is that as of today the requirements are very simple: a lot of ports, reliability, VLANs and almost nothing else. No server on-premise but DNS/DHCP, 100Mbit WAN link: almost all the traffic will go to the WAN. Nothing fancy is needed and a router could be added anytime on a stick.

The business consideration is that the break-even should occur within 2-3 years, and after that real money will be spent on networking. May sound strange, but I fully agree with that and I consider this challenge a nice design exercise… what do you think about the proposed solutions?



Network idea

Okay, take this post down if I have the wrong subreddit, but I think it would be quite cool if you could get a temporary password that lasts for as long as you set it. So for 10 minutes or so. You could give your friends/customers a password without them knowing your actual password.

To clarify, you would have two passwords, one would always change, like every 10 minutes or so, and then there would be a permanent password always on. I don't know if this already exists, but if not, someone could give it a try? I wouldn't know where to begin.



Sunday, October 4, 2020

The End of Traditional WAN?

With the introduction of SD-WAN, I'm trying to think about how this is going to impact traditional WAN engineering in the mid (5 years) to long (10+ years) term. Why would orgs use OSPF or iBGP if they can achieve layer 7 route optimization and path selection through SD-WAN? Is there still going to be a use case for configuring IP SLA to manipulate your routing table? Will internal routing protocols cease to exist? There's a whole slew of technologies that seem like they could just be killed off like policy routes, traffic shaping and policing, etc.

I know right now the use case for SD-WAN is leveraging DSL or non-business-grade circuits for VPN overlays, but couldn't the same technology be applied to 10GE backhauls or private lines?



Please help, really exhausted and need some basic assistance

Okay, so In theory, my problem is a simple one, but it has proven incredibly frustrating to solve.

I need to get internet to my home PC, which is about 15 feet away and one room over from the nearest coax access point for my internet router.

Hardlining something is not an option (please don't recommend drilling any holes in the floor, as my landlord won't allow it), so I bought myself a Netgear AC1000 thinking that would be an easy way to solve the problem, right? I just get that connected to my main router, put it on my desk, hardline my PC into THAT and presto chango, right?

Well, apparently dumb me didn't know that you need to hardline the AC1000 into the original modem, basically just duplicating my problem.

I just need an easy solve. My computer DOES NOT have a wireless card in it, as the plan was always to hardline it, and for the last few years, that has worked.

So if anyone has any advice on an easy way to get my PC connected, you have no idea how much I would appreciate it



Cisco ASA virtual Mac address for failover question

I have configured a Cisco ASA 5585-X in Active/Standby mode. Cisco best practice says you should use a virtual MAC address on the interfaces to avoid traffic disruption when you do a failover. Now the question is what MAC address I should use so it won't conflict with any other device in the datacenter. Can I use aaa.aaa.aaa.aaa, bbbb.bbbb.bbbb.bbbb, OR can I use the burned-in MAC address of the physical interface as the virtual MAC so I don't need to worry about any kind of conflict? (I didn't find anything in the Cisco guide saying you can use the real burned-in MAC address as virtual, so I wanted to make sure what other people are doing here.)

I have a port-channel configured on the Cisco ASA, so do I need to configure the virtual MAC address on the port-channel interface also, or just on the VLAN interface like PortChannel1.10?



Moronic Monday!

It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.

Note: This post is created at 01:00 UTC. It may not be Monday where you are in the world, no need to comment on it.



Recommendations for WAN Aggregation and Gateway for Small (16-24 server) Data Center Setup

I am setting up my equipment in the datacenter. Currently I have as follows:

  • 16 compute nodes, which may expand to 24 in the near future
  • 2 WAN networks; one provided by the datacenter (lower-ish bandwidth) and another by a 3rd party telecom provider (1Gb connection)
  • A LAN network amongst the compute nodes that needs to be segmented off from the remainder of the network for reasons that aren't important here
  • A LAN network amongst the compute nodes for basic internet access

The equipment that I possess is:

  1. (2) Arista Switches (7124x) -- separate for each LAN
  2. Ubiquiti Gear: the USG (considering upgrading this to a USG Pro or a Dream Machine Pro), and a Ubiquiti 24 port Gigabit Switch

The issue that arises is that both of my WAN connections arrive on SM Fiber only and thus require an SFP connection. My USG is Ethernet Only and supports WAN aggregation across two WANs. My 24 port Gb Switch has 2 SFP ports. Of course my Arista has 24 SFP / SFP+ ports.

My question is: How do you recommend that I configure my WAN connections from the SM Fiber that the Datacenter provides me to the USG? And, do you recommend another product that would perform the role of the USG and would support SFP/SFP+ connections? Ubiquiti doesn't seem to provide such an option but it would be nice to stay within the same product line there since I'm not building out a 500 node datacenter installation just yet.

I have considered:

  • Datacenter SM Fiber WAN => Arista [n] => Arista [n+1] => USG WAN, where the Arista [n] and Arista [n+1] ports are on a dedicated VLAN.
  • Datacenter SM Fiber WAN => Ubiquiti 24 port Switch SFP => Ethernet port to USG WAN. In this case, I may be able to make the SFP and the Ethernet port on the Ubiquiti part of a VLAN but I need to confirm this is possible.
  • Purchase some new equipment that would replace the USG and have two WAN SFP connections.

Any help is appreciated.



VLAN advantages

It's considered good practice to put clients and servers into separate VLANs. However, if client and server traffic is not routed through a firewall, and there are no ACLs between them: are there any significant advantages from a security or performance standpoint when you put them into separate VLANs?



Recommended modem and router for my new home

Hi, I'm a first-time homeowner and I want to set up a best bang for buck modem/router (flexible on whether it's combined or separate). I will have 400 Mbps service set up soon. I'll be looking forward to hearing some recommendations. I'm not sure I trust website reviews; I feel responses here will be more trustworthy.



WilsonPro booster works for 3g but fails for 4g?

I have a WilsonPro M2M Booster (Model 460119) connected inline between my Netgear LB1120 and my outside Yagi antenna. When the booster is off, the Netgear shows a signal strength of around -115 dB for both 3G and 4G. On 3G, when I turn the booster on, the signal improves greatly to around -75 to -80 and is slow but usable. When I switch to 4G, the signal strength also shows around -75 to -80, but after 30-90 seconds drops back to ~-115 and is unusable. If I unplug the booster and plug it back in, the strength again goes to -75 to -80, but again drops back to ~-115 after a minute or so. This is very repeatable; it always works after power cycling but quickly stops working.

Anyone have any thoughts or a direction I might be able to go for troubleshooting? As I said, with the booster the 3G is fine but I'd love to be able to get the higher 4G speeds if possible.

Thanks,