Saturday, October 24, 2020

How to set the CWR flag using hping?

Any help appreciated.



Good learning sites for Nexus

Hi, does anyone know any really good sites that teach the Nexus OS from scratch? I have bought a series that I'm watching on Udemy for it which isn't bad, but it is spoken in broken English sometimes and the videos can be 6/7 mins long with only one or two commands in them each time. I've always learnt better reading and seeing it explained properly in front of me. A site I've always loved is Networklessons.com. That site taught me so much but sadly doesn't have a Nexus course on it. I also came across a site called dclessons.com which seemed promising, but in the end it looked like it was sometimes written in broken English, and for the pretty decent-sized monthly fee it didn't look worth it, unless anyone can attest to it being good?

I find that unless you're on Nexus switches often it's hard to nail down the OS and learn it properly, as in-depth as possible, without other learning materials.

Thanks everyone



MTU question across site

Hi, I have recently been looking at upping the MTU across all our switches and devices across one of our sites to 9000+ jumbo frame sizes. After studying the effects of it I don't really see a downside until packets go to be sent to the outside and public Internet, where they will hit a brick wall and suffer from fragmentation. I was hoping that PMTU (path MTU discovery) would kick in on either our edge firewall or router, which would tell the original sender to lower the MTU to what can be sent across, but whether it will behave as it should, I don't know yet. Clearly a jumbo frame network wouldn't suffer from fragmentation if all the devices' MTUs are synced up on site, but it's the inevitable brick wall it'll hit on the edge device if it sends a jumbo sized packet in that direction.

Anyone any thoughts?



Using Vyos

Are there people currently using VyOS in their network as a router? Currently looking into some different whitebox router software to replace some pre-historic FortiGates.

Currently using them to announce a bgp subnet which the new box would take over.

Also testing with TNSR at the moment, but having used VyOS extensively in the past (before it went subscription based) I kind of want to test that as well.



Which make/model probe for checking voltage in a wire without cutting it?

Probe end has a contraption that punctures the wire sheathing to access metal.

Looking for a set that can do this for a wide range of wire diameters ranging from thinner than CAT5 wire to which as thick

Need to actually access the metal as contactless method doesn't give accurate results.



Cisco Catalyst Support for Precision Time Protocol Version 2

Google isn't very helpful in trying to give me an answer as to which switches (or OS) are compatible with Precision Time Protocol Version 2. I'm implementing some A/V devices that need this capability, and Google results show IE and 9300 switches with compatibility. Anyone have some insight as to what other devices support this? I'm specifically looking at our existing 3750-X, 3650 or 9200 series. I'd like to not use the Luminex switches the A/V supplier is recommending.



Moving from 2 data centers to 1 - need advice on network topology

We're currently still a smaller business and have been running our sites in 2 data centers with 4 servers in each running about 14 VMs at each data center. We've had nothing but problems with one data center and so we need to leave it.

Our "good" data center has 4 ISPs and 4 separate power sources. Until we're ready to shift our DR into the cloud we were thinking of combining all servers into a single rack, but configuring them with 2 ISPs and 2 power circuits to each set.

So each network would have the following:
- Sonicwall firewall
- Cisco switch
- 4 Windows 2019 Datacenter servers

What we're not certain about is the best way to facilitate activity between networks while still maintaining some level of separation for independent failover. Do we configure 3 subnets? 1 for each stack that is accessible through the firewall, and a 3rd for background communication between the networks, or is it better to completely isolate them and have all traffic between the two go over a VPN tunnel between the firewalls as though the data centers were still separate?



Routed ISCSI

What is the current best practice when it comes to iSCSI and layer 3? We're building a SAN between the buildings on our campus to allow replication between some SANs.

My thought process is to have a VLAN and subnet in each facility and distribute the routes via OSPF. We have Nexus 9k and Nexus 5k switches to do this on. Each facility will have a SAN and server(s) in the same subnet that access the SAN, and the SAN will replicate to a SAN in a different building/subnet. The subnets will belong to VRFs on the switches so we can trunk LAN and SAN to the servers (mainly ESX).

Does anybody have any experience with this sort of setup for iSCSI? I really don't want to stretch layer 2 between buildings.



TP-LINK SG2424P VLAN Setup

Hi all,

I am having an issue with VLAN setup on that model. I'm trying to migrate our school business network to a new design.

I am setting port 12 on the switch as a tagged port for VLANs 10, 15 and 20, which come from the VLAN interface on the firewall/gateway. The rest of the ports are on VLAN 1 (untagged), which is from the previous firewall/gateway interface. Now I want to make the rest of the ports carry VLAN 1 as untagged and 10, 15, 20 tagged, but on setting this the switch just crashes and requires a hard reboot to recover.

Screenshot-2020-10-24-131524.png

Is there a way to make this happen for the TP-Link model? Would setting the PVID VLAN number on a tagged port make that VLAN the native VLAN?



How to switch users between two DNS servers using iptables?

I have two dnsmasq instances running on ports 53 and 5053 on my Ubuntu server, and there are two users, X and Y:

X's IP: 192.168.1.2

Y's IP: 192.168.1.3

Both have my DNS server in their settings. By default they use the dnsmasq on port 53. How can I switch one of the users to the second dnsmasq (on port 5053) using iptables?



Reassembling raw packets then re-broadcasting

I have a bit of a unique ask. I'm using a home grown packet sniffer in my company to capture all public traffic and feed it to an analytics (AI/ML) system. So I have the Layer 2/3 raw TCP specific packets. This is all HTTP payloads.

The problem is I'm sniffing them off the loopback (used to prevent unencrypted traffic from hitting the wire). The problem is that the lo has an MTU of 65535, and we're using AWS ECS/Fargate, so I can't control the MTU in fargate to make it smaller.

The original packets are currently re-broadcast on a VMware cluster where the analytics runs, but the VMware MTU is a max of 9000. Since I'm just broadcasting a raw packet at layer 2 no fragmentation is occurring, and since the packet exceeds my MTU it fails.

Below I describe what I think I want to do, but if someone has a better idea (maybe to force this raw packet to be fragmented again), I'm all ears.

So I'm thinking: can I reassemble the payloads of each packet into a single large payload for each HTTP session request? I think this is fairly easy. If I use the high port # to identify each unique session, then once I have all of the packets I should be able to drop any empty ones (payload len=0), then verify the sequence # ordering and concatenate the results into one large block of payload, right? I don't think there are any gotchas here.

Next I now have a 30k block of memory (size chosen arbitrarily) representing the payload of the original HTTP request or response.

Now I need to broadcast over a private VMware network so the analytics sniffers can properly ingest the traffic. I need to verify with the vendor, but I think all they care about is the HTTP headers, cookies and data. If the original TCP/IP/Ethernet headers are gone I don't think it matters, although my current solution maintains all of that and works on EC2 where I can control the MTU. It just doesn't work where the MTU is larger than 9k.

Therefore, I'm assuming that if I properly broadcast this 30k packet the network will chunk it up into a bunch of 9k packets and send it through.

So my question is how to set up the network so I can broadcast this to anything on the network running in promiscuous mode to ingest it? Mind you, I'm a generalist, not a deep-dive network programmer/engineer. I know enough to be dangerous, which usually gets me in over my head, but I'm very resourceful and technical and will eventually come up with some solution.

Thanks all, I really appreciate it
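The reassembly step described in the post, as an added example that is not the poster's sniffer: segments are plain dicts standing in for whatever the capture tool emits (an assumption), empty segments are dropped, segments are ordered by sequence number, retransmitted or overlapping segments are tolerated, and a missing segment raises instead of being silently concatenated across, which is the one real gotcha in the scheme.

```python
"""Reassemble captured TCP segments into one contiguous payload per direction."""
from collections import defaultdict


class ReassemblyError(Exception):
    """Raised when the captured segments do not cover the stream contiguously."""


def flow_key(seg):
    # One direction of one HTTP exchange is identified by the 4-tuple; the
    # client's ephemeral high port keeps concurrent sessions apart.
    return (seg["src"], seg["sport"], seg["dst"], seg["dport"])


def reassemble_flow(segments):
    """Return the contiguous payload bytes for one unidirectional flow.

    Sequence numbers are treated as plain integers; 32-bit wrap-around is
    not handled here (a capture of a few tens of KB never crosses it).
    """
    useful = [s for s in segments if s["payload"]]  # drop ACK-only segments
    if not useful:
        return b""
    useful.sort(key=lambda s: s["seq"])              # stable: dup seqs keep order
    out = bytearray()
    next_seq = useful[0]["seq"]
    for s in useful:
        seq, data = s["seq"], s["payload"]
        end = seq + len(data)
        if end <= next_seq:
            continue                                 # pure retransmission, already have it
        if seq > next_seq:
            raise ReassemblyError(f"gap: expected seq {next_seq}, got {seq}")
        if seq < next_seq:
            data = data[next_seq - seq:]             # overlapping retransmit: keep only the new tail
        out += data
        next_seq = end
    return bytes(out)


def reassemble_all(segments):
    """Group segments by flow and reassemble each one."""
    flows = defaultdict(list)
    for s in segments:
        flows[flow_key(s)].append(s)
    return {k: reassemble_flow(v) for k, v in flows.items()}


def _seg(seq, payload, sport=40000):
    # Constructed sample segment; addresses are placeholders, not real hosts.
    return {"src": "10.0.0.5", "sport": sport, "dst": "10.0.0.9", "dport": 8080,
            "seq": seq, "payload": payload}


_A = b"GET /index.html HTTP/1.1\r\n"
_B = b"Host: example.internal\r\n"
_C = b"\r\n"

# Constructed capture: arrives out of order, with an empty ACK and a retransmit.
SAMPLE_SEGMENTS = [
    _seg(1000 + len(_A), _B),            # second segment, but captured first
    _seg(1000, _A),                      # first segment
    _seg(1000 + len(_A), b""),           # empty ACK-only segment, to be dropped
    _seg(1000 + len(_A), _B),            # retransmission of the second segment
    _seg(1000 + len(_A) + len(_B), _C),  # end of request headers
]

if __name__ == "__main__":
    for key, payload in reassemble_all(SAMPLE_SEGMENTS).items():
        print(key, payload)
```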



MSS vs MTU

Hi!

In a Cisco environment, why would we use ip mtu instead of ip tcp adjust-mss under a tunnel interface?

Let's say we have IPsec over GRE tunnels. It looks to me that ip tcp adjust-mss is a better option because it tells hosts in a communication to lower their packets so they don't get fragmented.

If we use ip mtu 1400 for example, how would the hosts know to send smaller packets? If they send 1450-byte packets for example, they would get fragmented because of the 1400 MTU on the interface.

Thanks



Had to prove that no light was going through a strand of fibers. I will be using another company after this ordeal

Telco representative didn't believe that the fiber link was broken, said it was the end connection not plugged in btw.

Needless to say, I had to run up and down stairs at 2 remote locations and send pictures/videos proving that no light was going through the fiber.

Good luck buddy, now you gotta find where the cut is in the 4 mile underground 🏃‍♂️run 🏃‍♂️

And since you were rude AF, we will not be renewing our contract.



Improving BGP Convergence Time with FRR

I am trying to wrap my head around BGP route reflectors such as FRR.

Let's say I am multihomed with Level3 and Cogent. Normally I would have the BGP session on the border router facing the upstream providers. Is it possible to have FRR as the BGP peer with the upstreams while it's located behind the router, and have FRR distribute the learned routes to the border router? Thanks!



Any experience with Cisco RV260 routers?

So, quick question to all: what do you think about the Cisco RV260? Do you have any experience with it? Is it nice to work with? What are the ups/downs?

I looked around for good reviews, but I couldn't really find any... (except the ones from amazon).

This is for a small office with basically:

  • a couple of servers that need to be accessed from the internet
  • a couple of workstations
  • a guest network
  • some smart lighting
  • site-to-site VPN to the main office and the cloud (AWS and Azure)

The above mentioned router and model checked all the boxes and included logging and port mirroring which are needed for security purposes.



Zyxel ZyWall USG50 - doesn't reliably boot (boots maybe 25% of the time), can't seem to update firmware - can this be fixed or should I toss it?

I got a ZyWall USG50 for dirt cheap (so I won't be disappointed if I just have to recycle this), but I'd like to get it to work if possible. Here's what's happening (I have it hooked up via serial port to monitor the console):

  • Plug in power from cold state.
  • Boot 01: Segmentation fault, froze at App. Patrol Daemon. Failure to boot.
    • Unplug, wait five seconds, replug.
  • Boot 02: LOTS of file errors. Boots successfully.
    • Log in, reboot via reboot command
  • Boot 03: LOTS of file errors. Boots successfully.
    • Log in, shutdown via shutdown command. Unplug, wait a while, replug
  • Boot 04: zysh terminates by segfault. Failure to boot.
    • Unplug, wait five seconds, replug.
  • Boot 05: Segmentation fault, froze at App. Patrol Daemon. Failure to boot.
    • Unplug, wait five seconds, replug.
  • Boot 06: Froze at App. Patrol Daemon, no segfault. Failure to boot.
    • Unplug, wait five seconds, replug.
  • Boot 07: System hang, automatically reboot
  • Boot 08: Freezes at ZyWall system daemon...

There seem to be a lot of different errors: of the times it does not boot, only one of the conditions is repeated. When I try to upload the firmware via console and FTP, I get a message about invalid firmware format (and I've tried all three .bin files on the Zyxel website).

Any ideas for how to salvage this? I'd like to get it into a working state (where it will at least reliably boot most of the time), but I'd also be happy if someone tells me there's a way to put a custom OS on it. If I can get it to work with some functionality I'll get use out of it. Thanks. (Sorry if this isn't the right subreddit for this.)



Campus Network, Infrastructure, DC, SP Managers and Leads.

Managers, hiring and technical leads of campus networks, service provider networks and data centers, what kind of skills and experience are you looking for in entry-to-mid level recruits?

In terms of skills, certifications, vendor knowledge etc. that you'd need the applicant to have to hit the ground running. I know this will vary widely between different organizations, but there will invariably be a common thread running through all.



Cisco SD Access

Hi Guys,

Q1: Has anyone here deployed Cisco SD-Access without Cisco ISE? I like the network fabric element and centralized control plane but wanted to find out how viable a product SD-Access without Cisco ISE is.

Q2: Apart from dCloud, are there any providers out there like INE that provide access to SD-Access labs?

Thanks,



Pre Sales?

Hi

I work as a network engineer currently. I've seen this

https://www.reddit.com/r/networking/comments/1yu2rf

And this

5 Reasons Why Network Engineer → Sales Engineer Is A Great Career Move https://www.linkedin.com/pulse/5-reasons-why-network-engineer-sales-great-career-move-james-meehan

Would it be a decent thing to move into? I imagine sales pays more too?

May I ask what your experiences are?

Thanks



Modifying payload/padding size for packets

For $application I'd like to modify traffic so each packet is a constant size. MTU size would be ideal. For that I want to zero pad the packets, the zeros then get stripped off on the other end so it looks like the normal packet again.

UDP and TCP have padding, but I guess when changing the value to MTU I won't have space left for data since padding comes before data (correct me if I am wrong).

Any other ways to do that? Some easy way to rewrite the payload in user space? It does not need to be efficient, I don't need to push packets at gbits. I found the QUEUE target for iptables which could be useful. Any alternatives or maybe already existing tools?
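The pad-then-strip step from the post, as an added example that is not from the post or any existing tool: it assumes the constant size is the UDP payload that fits a 1500-byte MTU (1472 bytes) and, because bare zero padding cannot be stripped safely when real data ends in 0x00 bytes, it records the true length in a 2-byte prefix; wiring it into NFQUEUE is left to the caller.

```python
"""Pad datagram payloads to a constant size and strip the padding on the far side."""
import struct

LENGTH_HDR = struct.Struct("!H")   # original payload length, network byte order
# Assumed constant size: 1500-byte link MTU minus 20-byte IPv4 and 8-byte UDP
# headers leaves 1472 bytes of UDP payload per datagram.
PADDED_SIZE = 1500 - 20 - 8


def pad_payload(payload, size=PADDED_SIZE):
    """Length prefix + payload + zero fill, always exactly `size` bytes."""
    room = size - LENGTH_HDR.size
    if len(payload) > room:
        raise ValueError(f"payload of {len(payload)} bytes exceeds {room}")
    return LENGTH_HDR.pack(len(payload)) + payload + b"\x00" * (room - len(payload))


def unpad_payload(blob):
    """Recover the original payload, rejecting blobs whose header lies."""
    if len(blob) < LENGTH_HDR.size:
        raise ValueError("blob too short for length header")
    (n,) = LENGTH_HDR.unpack_from(blob)
    if LENGTH_HDR.size + n > len(blob):
        raise ValueError("length header claims more data than present")
    return blob[LENGTH_HDR.size:LENGTH_HDR.size + n]


def naive_zero_strip(blob):
    """The scheme as worded in the post: strip trailing zeros.

    Lossy whenever the real payload itself ends in 0x00 bytes, which is
    why the length prefix above is used instead.
    """
    return blob.rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed sample payload that ends in two genuine NUL bytes.
    sample = b"abc\x00\x00"
    wire = pad_payload(sample)
    print(len(wire), unpad_payload(wire), naive_zero_strip(wire[LENGTH_HDR.size:]))
```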



Can you please suggest some books for beginners? Please.

Thank you.



Modernization of the network in a medium-sized company

Hello, I am a novice IT specialist and I plan to modernize the network of the company I work in. The company has 40 PCs and a few network printers. These computers are connected to the server room with two switches. The symphony server and router are also connected to the switches. Computers are in the office and in production, but unfortunately there are no VLANs set up. The DHCP server is on the router. The internet speed from the ISP is 100 Mb/s up and 100 Mb/s down.

The problem is that it has been dropping the connection to the server and the Internet recently. I suspect that the equipment is very old and keeps breaking down.

I got approval from my boss to buy a new 48-port switch and router. The switch I bought is a WS-C2960G-48TC-L. When I was about to buy a router, my lecturer recommended that, since I already have a Cisco, I should buy a firewall instead of a router; I suggested a Cisco ASA. That is my question: which Cisco ASA model should I choose for such a switch and that number of computers? Let me remind you that a maximum of 2 remote users work with us, and that is very rare. Another question is: is it really worth buying a firewall instead of a router?



What to do if you need to pluck a cable out, out of the middle of an excellently cable managed bunch of cables with zip ties?

My pet peeve is when people do good cable management but their one mistake is that they forgot to plan for removing or adding additional cables.



Friday, October 23, 2020

Has anyone seen this before? Could a consumer device hoard all of the IPs in the subnet?

I had a network today that ran out of DHCP addresses because the scope filled up with BAD_ADDRESS entries after it detected conflicts. I cleared some of them, and the real devices were able to successfully get a lease. I took over this customer a couple months ago, and immediately migrated their DHCP server from their ASA firewall to their Windows server because they've been having intermittent issues with IP conflicts for at least a year, and I wanted a bit more control and logging that I'm good with. At first I thought it was because they just had a computer or two static'd within the DHCP range, but today something must have been responding to pings to all IPs on the subnet, right? Maybe this has been their problem the entire time. The ARP table on the firewall, since it's a DHCP relay for this network, shows entries for all of these BAD_ADDRESS IPs with a MAC address registered to Netgear. I haven't visited in person yet, but I'm thinking it could be a repeater or something, since this is a wireless network. Anyone seen anything like this before?



Cumulus Linux mess

Cumulus Linux 4.2 will be the last release to support Broadcom ASICs. That means that after release 4.2 there will be no new features and no bug fixes and basically no sensible path forward.

Since almost all whitebox switches use Broadcom, with the exception of Mellanox, what's the next favorite whitebox NOS?

Microsoft Sonic?



Fibre connection not initiating on powerup until un-plug/re-plug

Hi all,

We are purchasing new network switches for use in live theatre shows. These are mainly simple networks with fibre interconnects due to 100 m+ distances and 1 or 2 VLANs to separate network traffic.

We have purchased FS switches which I understand are cheap'n'cheerful units but at least on paper meet our very basic requirements at a good price point. We have 1 unit so far and in basic testing have installed an SFP and hooked it up to another dumb Alloy-brand switch (another cheap'n'cheerful switch) in our fleet using just an LC patch lead. All systems work and I can happily connect between the switches.

However, when I power off the switches and then power them back on (an important test in our world, as systems are powered down weekly at the end of a week) the fibre link does not come back. The FS switch shows a connection on the SFP indicator light/management port but the B switch does not show a connection. If I unplug the fibre patch lead for a moment and plug it back in, we are all good again.

This issue seemed limited to the Alloy B-switch. A different switch (a dumb Netgear switch) with the same SFP and fibre cable was able to power up and connect with no issues.

I have contacted the vendor to try and get some more info here, but I just wanted to ask those far more experienced if this is a networking 101 thing I'm missing or something else?

I imagine my post is probably missing critical information but I thought I'd at least put out the initial question!

Cheers



Outage week

I just survived an outage week. All of our internet-facing software in a particular data center had issues due to an ASA overrun. 3 days later the thing pegging our ASA stopped. I am buzzed. I am tired. Happy weekend.

Here's to root cause analysis for the next weeks.

Side note: flor de cana 12 year old is probably the best thing ever.



Vpn aggregation ( wan link )

I figure I'll ask here because my Google-fu has gotten me nowhere. Does anybody have any experience with, or could maybe even point me in the right direction on, bonding VPNs? Not load balancing per se, but actual VPN or WAN link aggregation. My usage example looks something like this: User side (my semi truck): ER3 Lite (or any layer 3 router) to support a physical/virtual bond of >> Modem "a" (public IP, dynamic), Modem "b" (public IP, dynamic), 2 separate VPN tunnels, e.g. tun1 on modem a and tun2 on modem b.

Datacenter (or my friend's house with 3 static IPs) config: (ip addr 1 & tun1 to modem "a"), (ip addr 2 & tun2 to modem "b"), ip addr 3 to internet (DMZ / bridge etc.)

So many people SAY they have done it, but no one EXPLAINS how...

The commercial solutions I have found seem to be A) Speedify (expensive), B) MLPPP bonding (only ISP side, internal, and not supported by Verizon [or any cellular data carrier/provider]).

Just hoping maybe someone on here has some experience, or could at least point me in the right direction. Thank you for your time.



[cisco] P3DMVPN SA's Dropping between two spokes - NHRP Peer session stays up

Hi all,

Out of the blue yesterday two of my spokes in my P3DMVPN stopped being able to communicate between themselves. All other spokes are still able to communicate with each other AND communicate with the two spokes having the problem. The Hub is still able to communicate with both spokes as well.

Let's call the spokes Tom and Jerry

Tom and Jerry learn about each other through NHRP and share routes using iBGP, as do the rest of the Spokes.

After a bunch of troubleshooting various possibilities, I've narrowed down the symptoms a bit:

If there is no NHRP peer session between Tom and Jerry and I send some packets (ping) from Tom through the tunnel, the Session establishes, and ~15 pings will go through until they stop. From there on out, no communication between the two will work over the tunnel until I clear the dmvpn peer session. Then the same pattern repeats. Pings work for 15 frames or so, and then they stop until I manually clear the session or the timer hits and they clear on their own.

#debug cryp ikev2 error
#debug cryp ipsec error
#terminal mon

This shows the SA going down when I clear the DMVPN peer session:

Tom#clear dmv sess peer Jerry 

%IKEV2-5-SA_DOWN: SA DOWN

And then it comes up after I start a ping.

But without fail, a few seconds in, the SA goes down again, with a few errors I can't make sense of.

Tom#ping Jerry repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to Jerry, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 24/24/24 ms
Oct 23 17:18:51: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request
Oct 23 17:18:51.267: IKEv2-ERROR:Failed to retrieve Certificate Issuer list
Oct 23 17:18:51.275: IKEv2-ERROR:Failed to retrieve Certificate Issuer list
Oct 23 17:18:51.279: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
Oct 23 17:18:51: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: Tom-Tom Protocol: 47 Port Range: 0-65535 ; remote traffic selector = Address Range: Jerry-Jerry 7 Protocol: 47 Port Range: 0-65535
Oct 23 17:18:51.451: IPSEC(ipsec_get_crypto_session_id): Invalid Payload Id
Oct 23 17:18:51.451: IKEv2-ERROR:Error constructing config reply
Oct 23 17:18:51: %IKEV2-5-SA_UP: SA UP
Oct 23 17:18:51.451: IPSEC(ipsec_get_crypto_session_id): Invalid Payload Id
Oct 23 17:18:51.639: IPSEC(ipsec_get_crypto_session_id): Invalid Payload Id
Oct 23 17:18:51: %IKEV2-5-SA_UP: SA UP
Oct 23 17:18:51.639: IPSEC(ipsec_get_crypto_session_id): Invalid Payload Id
Oct 23 17:18:51.651: IPSEC: sa null
Oct 23 17:18:51.651: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 23 17:18:51: %IKEV2-5-SA_DOWN: SA DOWN

This is ONLY happening between Tom and Jerry and I'm worried about the rate of hair loss I'm currently experiencing....help.



Anyconnect 4.9 Single User Testing?

Does anyone here know of any method to test a new Anyconnect deployment to a single user from the ASA?

Background: Tasked with the project of pushing AnyConnect 4.9. I crash-coursed on ISE and set up a client provisioning policy to restrict to a single user and force the deployment of AnyConnect 4.9. Fast forward to the end of a long TAC case: it was determined that when attempting to provision a remote user from ISE the installer will fail due to the nature of the connection. Something with the VPN dropping purposefully, which kills the connection to the internal ISE server.

So now the org still wants to test this deployment to a remote user. Does anyone have any ideas on how I can single out a user to pull the AnyConnect 4.9 web deploy package from the ASA while still allowing all other users to utilize the existing 4.7 client?

I have already bumped my PC to 4.9 and have seen no issues, but they want a deployment test completed before moving the package to priority 1 on the ASA and force-feeding it to all users.

Any ideas are appreciated. I had never screwed with AnyConnect prior to this gig so I am playing catch-up.



FMC/FTD RA VPN client to client communication

Hello, recently configured remote access vpn. However I have a requirement where I need to allow communication between anyconnect clients, meaning client vpn to client vpn. I have tried to search this on Google extensively however I find links to that configuration on ASA devices. Does anyone know how to accomplish the same on an FTD device? Thanks in advance!



Questions about an OLT and a router

We’re setting up a small data center for providing FTTH internet services to our subscribers. The costs are the biggest concern at the moment. I have a few technical questions about an OLT and a router.

Is there a difference in the hardware of an OLT and a router?

Can we use a PON SFP and a 10G SFP module along with OLT features on a router? Are we required to buy an OLT as well as a router?

OLT features such as:

  • Ability to specify every ONU to get a different VLAN

  • Ability to specify ONUs to be on the same VLAN

Also would that be possible via ONUs’ MAC address?

  • Ability to specify different bandwidth for every ONU

  • Run DHCP server to assign static IPv4 and IPv6 prefixes to the consumer

  • QoS, dynamic bandwidth limiting for specific ONUs



Is this Sane. pt2.

I really want to thank everyone for their help with my previous post.

Based on further research spurred on by the comments, I'm changing up some things, mostly by not going with some of the Ubiquiti equipment. I looked at myself and decided I was getting too hung up on familiarity, turnkey deployment and that single pane of glass, instead of taking the time to learn something new.

I've been giving 2nd and 3rd looks at MikroTik for switching/WiFi, and the CCR2004 as well as OPNsense/pfSense options for the router.

Which leads me to some questions for those in the MikroTik camp, mostly because once you start looking at wireless options, slogging through their site is kind of confusing. So, looking at the layout from my previous post (ignore the subnets, I'm updating a number of things based on that post):

- Residences will need WiFi, some probably with mesh for good coverage. Would the cAP ac be pretty much the equivalent of the UniFi nanoAPs? It doesn't look like the cAP has mesh support though. In fact, only the Audience seems to have this, but that makes no mention of management, and sounds like it's mobile-app only for configuration, which I don't want; it also looks like it functions like any normal consumer gateway, again something we don't want because of NAT.

- What would be a good choice for a light-usage router to use at the "edge" of each house? (No NAT, just routing from the house's subnet to our subnet.) Ideally, something with an SFP cage so I don't need a media converter for the fiber. Something in the hEX series, it looks like?



What is the most flexible patch cable that will reliably carry gigabit?

After many years of neglect I finally had my home wired up. I've been dealing with cable management angst and I'm looking for some very flexible patch cables that will reliably carry gigabit (I know I won't get true 1 Gbps throughput).

I bought a bunch of Cat6 patch cables on Amazon, and they work but they are really stiff and hard to manage.

Any recommendations?

Thank you!



Redistribute BGP learned routes into OSPF Area, Dell NSeries CLI

We have a Dell N3048 switch that is BGP neighbors with a Cisco router, and the BGP relationship is operating normally. However, this Dell switch is in an OSPF area with other devices, and we need this switch to advertise the BGP routes into the OSPF area. Currently the config in the switch for this is:

router ospf
 router-id 10.61.124.66
 redistribute bgp
 exit

But according to the documentation (N-Series CLI guide, page 1725), there are other items in the syntax for this command that I am missing (but also don't fully understand their use): https://downloads.dell.com/manuals/common/n-series-v663_cli_en-us.pdf

redistribute {protocol} [metric metric-value] [metric-type type-value] [tag tag-value] [subnets]

Can anyone shed some light on these other line items? Or if I'm missing something else/need to provide other config lines? Thanks.



Computer networks college project

So, my 7 friends and I have been assigned a project in our computer networks course that basically counts the number of hops a packet makes between source and destination ( just like traceroute). It seems very simple and we have around 3 weeks to implement it. We were thinking if we could add some additional functionality to it, that'd be very cool. We're comfortable with coding in python , C and C++. We also know a little bit of machine learning.

What're some cool things that can be done in this project?



Juniper QFX5100 IRB Limit

Hey All,

I've been scouring the internet and I can't seem to find any documentation on the limits for IRB/VRRP on a QFX5100. I've found the limit for the 3500, but that's a vastly different platform.

Does anyone know what the limit for L3 interfaces is on a QFX5100? I'm seeing some strange behaviour that looks like it could possibly be caused by this, and that's looking like around 509 interfaces with VRRP (i.e. around 1500 L3 interfaces).



Automation Friday

Hello fellow Networkers!

Happy Automation Friday! Tell us all - what network automation did you work on this week? What problems did you run into? What solutions did you find? How much time will it save you in the future?



Where is this trace route failing?

Backstory - we have a demo site hosted in AWS. This is accessible to everyone and is not restricted at all, but recently it stopped being accessible from inside our office (from our office IP address), while it is still accessible everywhere else. I haven't made any changes in the firewall, in fact I have no rules really, but the AWS guy I've been talking to says it's fine on his end.

So I did a traceroute to try to troubleshoot this a little bit, and this is what I got. I'm somewhat new to this level of troubleshooting, but if I understand correctly, all traffic is leaving the office just fine en route to AWS, but is failing once it hits AWS' IP addresses.

Am I understanding this correctly? If our traffic internally is failing at AWS, then would that imply there's a rule within AWS that's blocking just our traffic? Or can traceroutes just stop when they hit firewalls? I suspect there's something in AWS, not in our office firewall, that's causing issues, but I need some help.

Traceroute has started…
traceroute to demo.meetingsmaker.com (52.7.237.8), 64 hops max, 72 byte packets
 1  10.0.0.1 (10.0.0.1)  43.226 ms  12.179 ms  6.643 ms
 2  50-207-232-161-static.hfc.comcastbusiness.net (50.207.232.161)  3.616 ms  6.062 ms  5.261 ms
 3  50-203-1-61-static.hfc.comcastbusiness.net (50.203.1.61)  6.982 ms  31.028 ms  572.186 ms
 4  68.86.176.141 (68.86.176.141)  8.925 ms  5.873 ms  4.315 ms
 5  ae-30-ar02.goodslettvll.tn.nash.comcast.net (162.151.94.205)  361.102 ms  6.322 ms  7.403 ms
 6  be-33132-cs03.56marietta.ga.ibone.comcast.net (96.110.43.89)  80.712 ms  22.120 ms  26.217 ms
 7  be-2304-pe04.56marietta.ga.ibone.comcast.net (96.110.37.106)  12.562 ms  12.701 ms  18.736 ms
 8  50.208.232.30 (50.208.232.30)  13.388 ms  17.378 ms  14.361 ms
 9  54.239.105.83 (54.239.105.83)  16.163 ms  16.084 ms  13.377 ms
10  54.239.104.37 (54.239.104.37)  12.721 ms  13.197 ms  12.470 ms
11  * * *
12  54.240.229.217 (54.240.229.217)  79.129 ms  363.520 ms  159.322 ms
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  52.93.28.216 (52.93.28.216)  35.887 ms  26.084 ms  25.962 ms
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
31  * * *
32  * * *
33  * * *
34  * * *
35  * * *
36  * * *
37  * * *
38  * * *
39  * * *
40  * * *
41  * * *
42  * * *
43  * * *
44  * * *
45  * * *
46  * * *
47  * * *
48  * * *
49  * * *
50  * * *
51  * * *
52  * * *
53  * * *
54  * * *
55  * * *
56  * * *
57  * * *
58  * * *
59  * * *
60  * * *
61  * * *
62  * * *
63  * * *
64  * * *


Cisco ASA & Router - GRE over IPSec

Hello my networking fellows,

I need some experts to look over my topology and configuration because I am exhausted from not being able to find the problem.

So I'm trying to configure GRE over IPSec. IPSec is configured on the ASA (which works fine) and the GRE tunnel terminates on the router behind it. The tunnel is up/up but there is no traffic going through it. Wireshark captures show that GRE packets arrive at the ASA on the inside interface but don't leave on the outside interface.

I permit all traffic from the inside as well as from the outside.

We have the following topology: https://imgur.com/a/VDSjb3B

ASA1
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/1.1
 vlan 10
 nameif inside
 security-level 80
 ip address 10.0.10.1 255.255.255.0
object network REMOTE
 subnet 10.0.20.0 255.255.255.0
object network LOCAL
 subnet 10.0.10.0 255.255.255.0
access-list LAN1-LAN2 extended permit gre any any
access-list LAN1-LAN2 extended permit ip 10.0.10.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.0.10.0 255.255.255.0
access-list OUTSIDE_access_in extended permit gre any any
access-list OUTSIDE_access_in extended permit ip any any
access-list inside_access_in_1 extended permit gre any any
access-list inside_access_in_1 extended permit ip any any
access-group OUTSIDE_access_in in interface OUTSIDE
access-group inside_access_in_1 in interface inside
route OUTSIDE 0.0.0.0 0.0.0.0 10.0.1.2 1
route mgmt 20.0.30.0 255.255.255.0 20.0.20.1 1
crypto ipsec ikev1 transform-set TSET esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map CMAP 10 match address LAN1-LAN2
crypto map CMAP 10 set peer 10.0.2.1
crypto map CMAP 10 set ikev1 transform-set TSET
crypto map CMAP 10 set security-association lifetime seconds 3600
crypto map CMAP 10 set trustpoint MY_CA
crypto map CMAP interface OUTSIDE
crypto isakmp identity address
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 3600

Switch3
interface Loopback0
 ip address 128.0.0.1 255.255.255.255      #SW4 Lo0 - 128.0.1.1/32
!
interface Tunnel0
 ip address 100.0.0.1 255.255.255.0        #SW4 - 100.0.0.2
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf 1 area 0
 tunnel source Loopback0
 tunnel destination 128.0.1.1              #SW4 - 128.0.0.1
!
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan10
 ip address 10.0.10.2 255.255.255.0        #SW4 - 10.0.20.2
!
router ospf 1
 network 128.0.0.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 10.0.10.1         #SW4 - NH 10.0.20.1

Switch3#show ip rout
Gateway of last resort is 10.0.10.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 10.0.10.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.10.0/24 is directly connected, Vlan10
L        10.0.10.2/32 is directly connected, Vlan10
      100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        100.0.0.0/24 is directly connected, Tunnel0
L        100.0.0.1/32 is directly connected, Tunnel0
      128.0.0.0/32 is subnetted, 1 subnets
C        128.0.0.1 is directly connected, Loopback0


ACLs and Dell N3048P Switches, halp!

Hi guys, after a little help here please.

I'm using the Dell N3048P switches, I have various VLANs configured and Inter VLAN Routing enabled. All is good.

I've added a new VLAN (50) with the subnet 10.23.1.x/24. I would like to lock down this VLAN so it's unable to route to any other VLAN.

I'm not very versed in ACLs; can anyone recommend a good way to do this, please?



Cisco FTD and monitor Site VPN

Hello,

Is there a smart way inside the system to monitor all site-to-site connections just in an up/down scenario?



Thursday, October 22, 2020

Looking for gigabit rackmount 24 port switch with power plug on ethernet side

Hello

I'm looking for a network switch that has the power plug on the same side as the ethernet.

Something like this: https://cdn.etb-tech.com/media/catalog/product/cache/68250b5260b930b2300bcc8422ca32a1/a/s/asr-920-24tz-m_front_zoom.jpg

All I can find on eBay are 10/100 or cost thousands.

The brand does not matter, but it needs to be managed so I can set up QoS and VLANs.

Any recommendations?



Best router for proxy and/or blocking web traffic?

Right now my family and I are having a hard financial time because of the coronavirus. Also, we are spending more time at home, therefore increasing web traffic. We are getting throttled like crazy and I was just wondering if there is a way to hide my data usage with a certain router, or a router that accepts custom firmware.

Also, I have a VPN but heard those still aren't that safe so I would rather figure out how to set up a proxy eventually. Any tips? Thanks in advance.



Splitting a network and using a firewall as gateway

I got my first job as IT administrator in a relatively small company (around 120 users), working alone on both the system and the networking part. My problem is that I haven't done much networking; I only have some basics.

The company's LAN infrastructure is as follows: two /24 subnets, one for the VoIP equipment, and one for everything else. Also, everything except the VoIP uses VLAN 1. The firewall is the gateway. There are three Aruba L3 switch stacks, but they are only used as L2; no routing is really used.

I'm thinking of splitting this network into several networks, at least one network for the users, another one for the servers, so I can create policies on the firewall to restrict accesses. I was planning to create VLAN interfaces on the firewall, and use each interface as a gateway for the corresponding subnet.

Is there any downside to doing this? Is this a good idea at all? I also looked at light VRF, so I can do the routing on the L3 switches and still use the firewall policies, but that seemed overkill to me (maybe I'm wrong).



New Network Design Insight/Sanity Check

Hello r/networking,

We will be designing a new network for our new building and just wanted to run this by the community for any additional insight. I am a bit rusty as I've spent less time in in-depth networking for the last 4 years.

Design:

The network will be following a collapsed core/dist design. The core switch is a pure SFP+ full L3 while the access will be L2 stacked, connected directly to the core via SFP+ fibre. The core switch has redundant PSUs and I will be pushing for another one next year to allow for further redundancy.

Each location will have dedicated DATA/INFRASTRUCTURE/VOIP VLANs with interfaces for each on the core. There will be 2 WIFI (internal / guest) VLANs shared across all access switches (we do not plan to tunnel clients at the AP level at this stage).

There will be a separate SERVER VLAN (loc 4 in the diagram) which will house all our virtual hosts and related hardware. There will also be a separate VLAN for management interfaces (OOBE, iDRAC, etc.).

ACLS:

  • Guest can only access the perimeter firewall (for internet).
  • MGMT/INFU can only be accessed via the SERVER VLAN or specific IPs.
  • All data/wifi VLANs can access each other, as well as the SERVER VLAN.
  • All VoIP VLANs can access each other, as well as the server VLAN (PBX).

Wiring:

  • Stack members will have 20 Gbps between themselves.
  • Loc 1,4 will have 4 SFP+ uplinks each (2 top, 2 bottom of the stack)
  • Loc 2,3 will have 2 SFP+ uplinks each (1 top, 1 bottom of the stack)
  • Perimeter will have 4 SFP+ uplinks (2 to each UTM in active/passive)

QoS:

  • VoIP VLANs will be tagged appropriately, followed by management, then best effort for everything else. Will consider doing PVST to split traffic across links.

Diagram: (it was pretty rushed, need to draw a better one later): https://imgur.com/a/KA91Wpo

A possible change (due to the VoIP system possibly being moved to the cloud, they might need to be on the same VLAN to talk to each other directly, so I might have to span that VLAN across all switches, which won't be great I think, but we have decent backhaul).

Now I know the question will come up: "why not L3 at the access/edge?". At this stage, those higher up have requested that they would prefer everything routed through a central point (we also have MPLS which will be wired into that core, currently passing traffic along via static routes, which I plan to move to BGP in the future).

Apologies for any bad terminology/explanation (rusty) and thanks for any insight/advice.

edit: fixed formatting a bit



configuring a network with 1/10 experience

I'm looking for someone who could help me out. I've got 8 workstations connected to a Cisco switch with a single VLAN that I want to connect to a server stack with its own switch. I don't know much about networking and only know enough Cisco commands to do a very basic configuration. I've created the VLAN and assigned it an IP. I've enabled switchport access on the ports I'm using, and set my speed and duplex. I've built the network in Packet Tracer and it works fine, but when I try to ping across the VLAN it just times out. I can ping the switch. When I run a pathping to another workstation it dies at the originating workstation. Any help would be greatly appreciated.



VTY Line 0

Hi,

I set up a remote switch, however I only configured line vty 0 for SSH access. Now I can't SSH into my switch, and it is on the other side of the world!

Is there a way to target a specific VTY line when using SSH?

Thanks,

Ollie



Help with netconf Cisco IOS 12.2

Good Evening,

I am looking for help using NETCONF on a router running Cisco IOS 12.2. I know it is super old but it is what I have to work with.

I am trying to pull a list of VLAN interfaces so I can collect all the subnets the router is handling.

I am using Python. So far I can connect via NETCONF and get the hello message from the router, but I am not able to send anything over. I keep getting "RPC failed to respond".

Most of what I can find is more for IOS-XE.

Thanks!



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



How to bridge into programming networking operating systems

I have a decent background in Unix, networking and programming and a bachelor's in CS. I currently work as the lead network and systems admin for a medium-sized ISP. I have about 7 years of experience in networking and a bit more in programming, but mostly higher-level languages: Ruby, Python, PHP, bash, C#, etc. I've always wanted to dive in and learn to work at a low level in a way that could be complemented with my current knowledge. By that I mean I'd like to work on a network operating system. Cumulus, IPI, DANOS, FRR, SONIC, etc. all seem like good candidates, but I can't find a good starting point. I've looked over some code from FRR and it's just difficult to dive in on such a complex project. I'm highly driven and a very fast learner, I just can't seem to find much information on where to start.

For those of you in this environment, how and where should someone with advanced networking and decent programming start on the path to writing code for NOSs?



Shortcut to identify to which switch a particular MAC is connecting?

I am trying to trace the route of a client with a specific MAC address.

Is there an easy way to query all of the Ubiquiti switches under UniFi control to see which one has that client connected, or do I just have to knuckle down and connect to each one individually and search like that?



How many hosts on a class C network?

Please bear with me, I'm a complete newb to networking and I'm going to try and explain my doubts to the best of my abilities.

So, to start off, I know that classful networks aren't a thing anymore and what used to be a class C network is now called a /24 network, but I had to include it in the question because I didn't really know any other way to clarify these doubts:

  1. If a network starts with 192.168, is it then automatically a /24 network? Meaning, would the subnet mask be 255.255.255.0?
  2. Is the maximum amount of usable hosts in a "Class C" network 254? For example, if I assign 254 hosts in a 192.168.1.0 network, have I assigned the maximum amount of hosts, or can I go to 192.168.2.0 and assign 254 more hosts until I reach the 192.168.255.0 network?

Even as I'm asking this, I can understand how dumb this might all sound, but I legitimately don't know how to phrase my question better. I've been going through so many YouTube videos on subnetting and I still can't seem to clarify the doubts I have.



Trunk/Access Question

Quick question I've been unable to find the answer for. If I have two switches connected to each other and the upstream switchport is configured as a trunk, and the downstream switchport is configured as access, what occurs? Does the link function as access rather than trunk? Or is the link down? It may be worth noting that the trunk port is only configured as trunk, not also access (as I understand both can be applied to the interface simultaneously).



Need a high quality radio to transfer a gb connection over 3 kilometers, without breaking the bank

I'm planning to make my own ISP, and I need a good recommendation for a high quality radio; the distance is less than 2 kilometers, cheapest one available with decent quality.



VRF routing question

Posted this in r/AWS as well. TGW equals VRF; TGW routing tables equal routing domains.

We have a multi-VPC environment with all VPCs attached to a TGW. One of the attachments serves as the default route to the internet, 0.0.0.0/0.

Basically we have a few core VPCs that would have a TGW route to all attachments. Then other VPCs that would only need to route to the core VPCs.

Since all VPCs would require the default route to the internet, is the only way to restrict east-west communication with individual TGW route tables for each attachment with black hole routes?

Would the packet get dropped if it routed to the default route attachment (that VPC would have a route to all spoke VPCs)?



monitoring bandwidth and latency over L2 p2p leased line

Hi to all, sorry for my non-tech terms but I'm quite new to this. I have bought an L2 1Gbps leased line with my current carrier service provider, connecting my two offices.

I want to monitor its quality (meaning bandwidth and latency mainly).

I actually have their "black box" switch (under their control) with one eth cable terminating inside my switch (under my control).

Without blindly trusting my CSP or using other external solutions (software probes/VMs with iperf running forever in the background/other), I am thinking about a smart way to check bandwidth use, latency and interface CRC errors (just to name a few values I think would be good to graph historically).

Do you think it would be enough to check those values via SNMP on my switch ports on the two sides (office A and office B)? Does it make any sense? How do you do this kind of stuff?

thank you,



Bridge EVE-NG to ESXi LAB

Hi

I'm running a CCIE SEC Lab on ESXi. I have a Server VLAN where all of my servers are deployed (ASAv, FTD, FMC, SMC, FC, ESA, WSA etc.)

My topology includes three branch offices connected using CSR routers. Instead of installing these in ESXi I would like to deploy them in EVE-NG as it's easier to manage and quicker to deploy new routers. Utilizing EVE-NG I would also be able to use IOSL2 images for L2 switches to configure switch security.

Does anyone know how to bridge together my EVE-NG environment with the rest of my LAB Network?

EVE-NG is installed on the Server VLAN alongside the rest of the servers. I have a simulated "Internet Router" deployed in EVE-NG to route the branch sites together with the HQ site. So what I really need is a connection from the simulated Internet Router to the "Outside" VLAN, which is a port group in VMware where my firewalls etc. are assigned.

So the essence is that I do not want the connectivity from EVE-NG to my lab network to be through the VLAN that EVE-NG is deployed on, but the simulated "Outside" VLAN.



Cisco AP issue - affecting entire estate

My organisation is having an issue with Cisco and I'm a bit stuck.

Essentially the issue is that APs will allow clients to connect and then after 2-5 mins they will disconnect clients and the LEDs will go red.

They will then come back on, rinse and repeat.

We are unable to update the firmware to 27.1; when we update from 26.8.1 it carries out the update, shows up to date and remains on 26.8.1.

Has anyone had a similar issue? Any suggestions for troubleshooting?



Trying to setup EEM on ASA to send emails

Hi, I'm trying to set up an EEM script on an ASA to send an email when someone SSHes into the ASA, to see who's logging into them. Unlike Cisco IOS, I cannot find a way to do it. Surely there is a "mail" action on them like IOS too?

event manager applet LOGIN
 event syslog id 113012 occurs 1
 action 0 cli command "show logging | i AAA user authentication Successful : local database"
 output none

Above is the only way so far I can think of doing it. There is no mail action (unless I'm looking in the wrong place) and the "output" doesn't give a mail option either; it only seems to give you options to create a file locally on the ASA.

Could anyone shed some light on this?



BGP Neighbors & Their Interfaces

Hi all, I'm looking for some insight into identifying which interfaces specific BGP neighbors can be reached out of. I receive email notifications with networking devices that have had BGP neighborships go down. The info provided includes timestamps, IPs for BGP neighbors, as well as VRF and AS numbers.

What would be the most straightforward way of determining what interface the BGP neighbors are being reached on?

This would be for the purpose of identifying circuit IDs (based on interfaces affected) so an inquiry can be made with the service provider regarding possible performance degradation, etc.



Detecting new MAC addresses using ARP?

Context: I work in a Data Center and use an online resource for updating MAC addresses whenever NICs are replaced in servers. I'm wondering if running the ARP command from within the server will achieve the same result and detect the new MAC address from the new NIC and add it to its table.



Need help tunnelling UDP packets

Hi!

I have been trying for the last week with no success to forward UDP packets, specifically OpenVPN ones.

My setup is like this.

OpenVPN client (let's call it host A)

Intermediate server with public ip (let's call it host B)

OpenVPN server behind a NAT (let's call it host C)

On host C I can't port forward any port, so what I'm trying to achieve:

Initiate a tunnel from host C to host B which will be where UDP packets from OpenVPN come through.

Make host A OpenVPN client connect to host B (make it look like it is the OpenVPN server) and then host B through the tunnel redirect to the OpenVPN server on host C.

I've been trying to set this up with socat and an SSH tunnel between host B and C but no luck.

Do you guys have any ideas on how this could be done?



SRX320 cluster with LTE mini-PIM failover

Hello guys!

Also posted on r/juniper
I really hope you can help me!

We have an SRX320 cluster with LTE mini-PIM on a remote location.
Node 0 has an EVPN (L2 link) to our hosting in port 3
Node 1 has an LTE mini-PIM with a random public IP SIM card and IPsec to hosting

What we want:

Cluster running active/active instead of active/passive as it currently is.
When node0 loses link and access to the internet through the EVPN it should failover to the LTE.
It should also failback to node 0 if connectivity is restored.

Currently we have a kind of failover:
set interfaces ge-0/0/3 unit 0 backup-options interface dl0.0

But this only happens if the physical link is down, which is not usually the case.
It also takes a while for the LTE mini-PIM to turn on and connect, which is why I want it to always be active.

Research says RPM probes and IP monitoring, but I cannot find anyone with this kind of setup.

Hope you can help :)



Wednesday, October 21, 2020

Cisco C9364C output errors

Last Friday one of our core switches in the data center started showing output errors on all interfaces.

It is the secondary in a vPC pair with another C9364C. The other C9364C showed errors during this period.

This has happened on and off since Friday.

The error counts aren't high but I do notice them and get alerts via my monitoring tools.

I also noticed the CPU going up by about 10% and it has stayed that way since. This has however brought it in line with the other 3 C9364Cs in our environment. So before this it was the odd one out......

I have logged a case with TAC and their response was 'Maybe something in the network barfs garbage periodically'

I find it weird that we are getting output errors on physical interfaces that would be caused by a device somewhere within the network.

What generally do others see as the cause of output errors?

We have had a lot of issues with 100Gb SFPs in these switches with links flapping a lot and the only way to fix it has been to RMA the SFPs. But I find it hard to believe all SFPs would be stuffed at the same time.

I just remembered we had an interface eth1/12 that started flapping during this period; looks like another failed SFP. I wonder if this interface with input errors would then populate through others via outputs?



2 LAN connect networks help! Much appreciated

I have two LAN networks in a large building which are connected and were communicating, but there is a problem with one of the networks which brings the whole network offline. Yesterday I went around plugging the switches in one by one and managed to get one of the networks back online by completely removing the other network, but I was wondering if there was a way to implement a system or piece of hardware which will prevent both networks going offline if one network goes down?

Many thanks, any help is appreciated x



(shot in the dark) WTB: Cable Matters (brand) CAT6 plenum cable (CMP), bulk, in grey/gray color

I'm trying to match an existing installation where I used this brand and color of cable.

It turns out Cable Matters now only sells this cable in blue and black:

https://www.cablematters.com/pc-314-161-ul-listed-plenum-jacket-cmp-cat6-bulk-ethernet-cable-1000-feet.aspx
Model: 160016-GRY

I haven't been able to find stock in grey anywhere.

I'm thinking maybe some IT department or IT installer (or even home installer) might have some old leftover stock from a previous installation somewhere. Of course, a full box would be ideal, but I'll gladly take a partial box of this stuff (50m/150ft or more would be useful).


I know I could get custom cable made, but while I care to match the color if possible, the project is not big or expensive enough to justify the cost of a custom cable.

I also know I could just forget about matching colors and buy another brand in grey, but this project is not very urgent, so I can take my time and try to find a match, and I would rather match the color exactly. I've done a lot of cable installs and "grey" is not nearly consistent at all across different brands. The Cable Matters "grey", for example, is definitely "yellower" or "beiger" than most I've seen.


I hope this kind of post is allowed here. Forgive me if it's not.



ISP Handoff

I've been involved in networking for a few years but am definitely not an expert and I've never been involved with ISP/carrier networking. I'm curious as to the application of the way that our ISP has configured the handoff / the equipment provided.

We have a dedicated fiber line with Lumen (CenturyLink) - due to our location, this is the cheapest because we are right by part of their backbone network. They have a switch that is doing the conversion from fiber to copper, that is then feeding a Lumen provided router, and then they handoff the connection and we run it into our routers.

What is the application of the ISP having both the switch and the router?

Thanks for indulging my curiosity.



I am new to Networking. Can you please suggest some books or resources to learn ? Thank You.

Thank You.



Dell PowerConnect W-AP175DC

Has anyone ever used one of these? I bought this at Goodwill for $15 with plans to install it at my buddy's house to provide WiFi in his yard. He lives on roughly an acre. It appears to be brand new in the box with the mounting hardware.

Just curious if anyone has any experience with these and would be willing to share past experience.

Here are some pics.



Looking for hardware tap/redirector

I am looking for a tool that could intercept traffic between a host and the network (essentially a network tap), with the ability to send (clone) all traffic to a remote network.

Use case: Server at a site in one state with a custom application - pick up that traffic without affecting production workloads - and push a copy of the traffic across the WAN into an isolated lab network for analysis (testing with a NIDS/IPS/IDS solution).

I think this could be implemented with Linux, a tunnel, and a couple of Raspberry Pis, but the customer is looking for a commercial solution.

Thoughts?



FS AOC SFP+ not detected by 3850 NM-2-10G or NM-8-10G

Pulling my hair out with this. I have a ton of FS stuff without any issues, but none of these Cisco-compatible AOCs seem to work.

Both 3850s are running 16.9.6 and connected via DAC. I replaced one DAC with an AOC and it doesn't even see the SFP+ transceiver, except for this:

*Oct 21 20:28:29: %PLATFORM_PM-6-MODULE_ERRDISABLE: The inserted SFP module with interface name Te1/1/4 is not supported

Any suggestions what I'm doing wrong, or are the AOCs just not compatible?

djc-tmp-sw#sh int te 1/1/4
TenGigabitEthernet1/1/4 is down, line protocol is down (notconnect)
  Hardware is Ten Gigabit Ethernet, address is 08cc.a7ef.7638 (bia 08cc.a7ef.7638)
  MTU 1500 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Auto-duplex, Auto-speed, link type is auto, media type is unknown
  input flow-control is on, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

djc-tmp-sw#sh inv
djc-tmp-sw#sh inventory
NAME: "c38xx Stack", DESCR: "c38xx Stack"
PID: WS-C3850-48P-E    , VID: V07  , SN: FCW2048C09W

NAME: "Switch 1", DESCR: "WS-C3850-48P-E"
PID: WS-C3850-48P-E    , VID: V07  , SN: FCW2048C09W

NAME: "Switch 1 - Power Supply A", DESCR: "Switch 1 - Power Supply A"
PID: PWR-C1-1100WAC    , VID: V02  , SN: DTN2050V2XJ

NAME: "Switch 1 FRU Uplink Module 1", DESCR: "2x1G 2x10G Uplink Module"
PID: C3850-NM-2-10G    , VID: V01  , SN: FOC20460Q6P

NAME: "Te1/1/3", DESCR: "SFP-10GBase-CX1"
PID: SFP-H10GB-CU5M    , VID: V02  , SN: F1940161068-2

djc-tmp-sw#sh idprom interface te 1/1/4
djc-tmp-sw#



problem with packet tracer V 7.3.1 0362

Hi guys, I want to know if someone else has problems with this version. I'm using the dial-peer command and from one network to another I can call, but I can't call back from that other network; the only phone that can receive the call is the analog telephone. Both routers are configured and every other thing is OK.



Need some help - I am out of ideas. FortiGate < - > ASA VPN P2 rekey issue

As described here - tried to cross post but the app wouldn't let me:

https://www.reddit.com/r/fortinet/comments/jfmfa3/crazy_behavior_with_fgt_asa_tunnel_p2_rekey/



Thoughts on LogRhythm's SIEM?

I'm currently evaluating SIEM solutions for my team. I've got some colleagues who swear by Splunk, and I understand the value, but I also appreciate that LogRhythm is a dedicated security solution and isn't as cost prohibitive. Any input is welcome... my team has been looking at QRadar, Exabeam, Rapid7, Splunk, and LogRhythm.



VxLAN arp-ether TCAM carving question

I have the Cisco Nexus 9300 platform for leaf switches in a vPC spine-leaf design, and now I want to carve the arp-ether TCAM size. I have two options: take a slice from VACL or from RACL (currently I am not using either of them), so which would be the best option to reduce, RACL or VACL, and why?

On Google I found some people saying take from VACL and some saying RACL, but with no explanation.



DMVPN configuration question

I have a spoke site I want to add a new wireless connection to. The hub network is 10.x.x1/24. The spoke is the same, 10.x.x.14 /24. Can I break the Tunnel0 subnet on the spoke into /27s and still have them peer with the hub?



Need help setting up edgerouter with all in one gateway that cant disable NAT

I went shopping for some networking goodies today (Edgerouter X-SFP and a UniFi AP AC LR). My wall-mounted modem is a very restricted ISP-provided Siligence TCG-300 shitbox. Currently the Siligence is transmitting 2 SSIDs with NAT and DHCP enabled. I cannot turn off NAT on my modem, nor does it support MAC pass-through, nor does it have a bridge mode, so I cannot use it as modem only. The Siligence DHCP is handing out 192.168.0.xx IPs.

I want my setup to resemble something like the following:

Modem in -> Edgerouter -> Unifi AP

The Unifi AP can transmit 1 SSID as far as I am concerned, but I need two VLANs.

One VLAN should have three devices to it:

- My wired PC (I'm thinking I should wire this to my edgerouter right?)

- My wired Raspi running HASS (I'm thinking I should wire this to my edgerouter right?)

- My laptop which should connect through the AP

Second VLAN should have some insecure IOT devices linked to it and needs to be able to have some firewall rules tied to it.

The raspberry Pi needs access to the second VLAN so I can control my smart stuff from it.

Online I find a lot of guides on how to set up the Edgerouter, but they all assume that the modem is in bridge mode or MAC passthrough with NAT disabled and DHCP disabled. How should I go about this? I don't need access from outside my network to any hardware, nor do I need VPN access.



Cisco extended ACL troubles

Using a Catalyst 9300. VLANs for each department with an SVI for each. ACLs control VLAN communication as you might expect.

I thought I had a better understanding of this than I apparently do. I've learned most of what I know with regards to ACLs/VLANs from what was configured when I started working at this company. Tweaking things as needed. I'm a sysadmin that does "all the things".

I'm implementing "NAC" with dynamic VLAN assignment. This is working fine but I want to have partial access to the "holding/isolation" VLAN where machines are placed when not authenticated.

VLAN7 needs access to VLAN80 for ICMP, remote desktop or DameWare. Basically if something goes wrong and we need remote access right now, as most of the office is still working from home. Helpdesk included.

VLAN7 - 10.10.7.0/24

VLAN80 - 10.10.80.0/24

So here's what I've got going on so far which all works as expected.

interface Vlan80
 description IT HOLDING
 ip address 10.10.80.1 255.255.255.0
 ip helper-address 10.10.14.55
 ip access-group VLAN-80 in

Extended IP access list VLAN-80
    15 permit udp any any eq bootps
    20 permit udp any any eq bootpc
    30 permit icmp 10.10.80.0 0.0.0.255 10.10.7.0 0.0.0.255 echo-reply
    35 permit icmp 10.10.80.0 0.0.0.255 10.100.7.0 0.0.0.255 echo-reply
    90 deny ip any any

The machines get assigned an IP address from DHCP server without issue. They will also reply to a ping without issue.

What I cannot get to work or I'm not understanding how to make it work is to allow VLAN7 to RDP or Dameware in. Ports 3389 or 6129.

What permits do I need for this and where do they need to be? I would assume something like:

permit tcp 10.10.7.0 0.0.0.255 eq 6129 10.10.80.0 0.0.0.255 eq 6129

This doesn't work at all in the ACL above. Can I even do that? VLAN7 source in the VLAN80 ACL? I'm having a hard time finding a simple answer to that question. I've also tried creating a VLAN-80-OUT outbound ACL with that permit line and I am still unable to connect. Actually in my testing it wasn't a specific port, but a permit ip 10.10.7.0.

Is there a simple solution I'm missing here? Did I leave something out? Is this even possible? Apologies as this is not my area of expertise but I've been messing with it off and on for two days and it's become increasingly frustrating.
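As an added illustration (not code from the original post), a small Python model of how an extended ACL applied with "ip access-group VLAN-80 in" on the Vlan80 SVI evaluates traffic: the inbound ACL only sees packets entering the router from VLAN 80, so for an RDP session started from VLAN7 it is the server's reply, sourced on 10.10.80.0/24 from port 3389, that has to be permitted. The ACL text is the one posted above; the entry numbered 25, the host addresses and the client port are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# The ACL as posted, applied with "ip access-group VLAN-80 in" on interface Vlan80.
VLAN80_IN_ACL = """
15 permit udp any any eq bootps
20 permit udp any any eq bootpc
30 permit icmp 10.10.80.0 0.0.0.255 10.10.7.0 0.0.0.255 echo-reply
35 permit icmp 10.10.80.0 0.0.0.255 10.100.7.0 0.0.0.255 echo-reply
90 deny ip any any
"""

# Hypothetical extra entry (an assumption, not from the post): permit the
# VLAN 80 side of an RDP session back to VLAN 7.  On a real IOS box the
# 'established' keyword would further restrict this to reply segments.
VLAN80_IN_ACL_WITH_RDP = VLAN80_IN_ACL.replace(
    "30 permit", "25 permit tcp 10.10.80.0 0.0.0.255 eq 3389 10.10.7.0 0.0.0.255\n30 permit")

PORT_NAMES = {"bootps": 67, "bootpc": 68}


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # e.g. "echo-reply"


def _parse_addr(tokens):
    """Consume an IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; returns (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse numbered extended-ACL lines into tuples, ordered by sequence number."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        src, rest = _parse_addr(tok[3:])
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        icmp_type = rest[0] if proto == "icmp" and rest else ""
        entries.append((seq, action, proto, src, sport, dst, dport, icmp_type))
    return sorted(entries, key=lambda e: e[0])


def evaluate(acl, pkt):
    """First-match evaluation; returns (sequence, action), with the implicit deny last."""
    for seq, action, proto, src, sport, dst, dport, icmp_type in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if sport is not None and pkt.sport != sport:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if icmp_type and pkt.icmp_type != icmp_type:
            continue
        return seq, action
    return None, "deny"


def rdp_reply_verdict(acl_text, client="10.10.7.20", server="10.10.80.50"):
    """Verdict the Vlan80 'in' ACL gives the server's SYN-ACK of an RDP session.
    The client's SYN enters the router on Vlan7, so VLAN-80 'in' never sees it;
    the reply, sourced on VLAN 80 from port 3389, is the packet it must permit."""
    syn_ack = Packet("tcp", src=server, dst=client, sport=3389, dport=51000)
    return evaluate(parse_acl(acl_text), syn_ack)


if __name__ == "__main__":
    acl = parse_acl(VLAN80_IN_ACL)
    print("echo-reply to VLAN 7:", evaluate(acl, Packet("icmp", "10.10.80.50", "10.10.7.20", icmp_type="echo-reply")))
    print("RDP reply, posted ACL:", rdp_reply_verdict(VLAN80_IN_ACL))
    print("RDP reply, with entry 25:", rdp_reply_verdict(VLAN80_IN_ACL_WITH_RDP))
```

The same model shows why holding-VLAN hosts cannot initiate pings: an echo request from 10.10.80.x falls through to entry 90.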



no internet connection on my LAN through opnsense

So on my network I have a DNS server, an IIS server and a Windows 8 machine, all connected to OPNsense. My Windows 8 machine is not getting an internet connection through my DNS server. Fairly new to this so I know my description is not the best; I can try and answer any questions you have.



Config Help: Simple stretched fabric between Arista and Juniper EVPN/VXLAN

I can't for the life of me figure out how to do a very basic l2vpn between Arista and Juniper (asymmetric IRB, L3 terminating at leafs). This is a lab environment for the time being, and I just can't figure out the Juniper side of things. Does anyone have a very basic example?

Here's what I have that's working. (for lab, using ospf underlay which is excluded).

Arista Spine:

peer-filter LEAF-FILTER
   10 match as-range 1-4294967295 result accept
!
router bgp 65000.0
   bgp asn notation asdot
   router-id 1.1.1.1
   maximum-paths 4 ecmp 4
   bgp listen range 2.2.2.0/24 peer-group LEAF_EVPN peer-filter LEAF-FILTER
   neighbor LEAF_EVPN peer-group
   neighbor LEAF_EVPN next-hop-unchanged
   neighbor LEAF_EVPN update-source Loopback0
   neighbor LEAF_EVPN ebgp-multihop 5
   neighbor LEAF_EVPN send-community extended
   neighbor LEAF_EVPN maximum-routes 12000
   redistribute connected
   !
   address-family evpn
      neighbor LEAF_EVPN activate

Arista Leaf:

vlan 3304
interface Ethernet2
   switchport access vlan 3304
interface Loopback0
   description "router-id"
   ip address 2.2.2.2/32
   ip ospf area 0.0.0.0
interface Loopback1
   description "vtep-source"
   ip address 9.9.9.2/32
   ip address 69.69.69.69/32 secondary
   ip ospf area 0.0.0.0
!
interface Vlan3304
   ip address virtual 192.168.104.1/24
!
interface Vxlan1
   vxlan source-interface Loopback1
   vxlan udp-port 4789
   vxlan vlan 3304 vni 3304
!
ip virtual-router mac-address 00:1c:73:00:00:99
!
ip routing
!
router bgp 65000.2
   bgp asn notation asdot
   router-id 2.2.2.2
   maximum-paths 4 ecmp 4
   neighbor SPINE_EVPN peer-group
   neighbor SPINE_EVPN remote-as 65000.0
   neighbor SPINE_EVPN next-hop-unchanged
   neighbor SPINE_EVPN update-source Loopback0
   neighbor SPINE_EVPN ebgp-multihop 5
   neighbor SPINE_EVPN send-community extended
   neighbor SPINE_EVPN maximum-routes 12000
   neighbor 1.1.1.1 peer-group SPINE_EVPN
   vlan 3304
      rd 9.9.9.2:3304
      route-target both 1:3304
      redistribute learned
   address-family evpn
      neighbor SPINE_EVPN activate
router ospf 1
   router-id 2.2.2.2
   max-lsa 12000

This works great, for a simple L2 stretched fabric. No issues with Arista leafs to Spine, to another Arista Leaf.

On the Juniper the following config seems to establish peering with no issues to the Arista Spine:

set protocols bgp family evpn signaling
set protocols bgp group evpn type external
set protocols bgp group evpn multihop ttl 5
set protocols bgp group evpn multihop no-nexthop-change
set protocols bgp group evpn local-address 2.2.2.3
set protocols bgp group evpn family evpn signaling
set protocols bgp group evpn local-as 65000.3
set protocols bgp group evpn multipath
set protocols bgp group evpn neighbor 1.1.1.1 peer-as 65000.0

And then the basic config:

set routing-options router-id 2.2.2.3
set routing-options autonomous-system 65000.3
set routing-options autonomous-system asdot-notation
set interfaces xe-0/0/8 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/8 unit 0 family ethernet-switching vlan members VXLAN3304
set interfaces irb unit 3304 family inet address 192.168.104.2/24 virtual-gateway-address 192.168.104.1
set vlans VXLAN3304 vlan-id 3304
set vlans VXLAN3304 l3-interface irb.3304
set vlans VXLAN3304 vxlan vni 3304
set vlans VXLAN3304 vxlan ingress-node-replication

and the part that is NOT working (where I think my config is falling apart) is where I tie VXLAN into EVPN:

set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 2.2.2.3:1
set switch-options vrf-import EVPN-VRF-VXLAN
set switch-options vrf-target target:7777:7777
set switch-options vrf-target auto
set policy-options policy-statement EVPN-VRF-VXLAN then accept
set protocols evpn encapsulation vxlan
set protocols evpn multicast-mode ingress-replication
set protocols evpn default-gateway do-not-advertise
set protocols evpn extended-vni-list all

The Arista spine is both receiving and sending evpn routes:

spine1#show bgp neighbors 2.2.2.3 evpn advertised-routes
BGP routing table information for VRF default
Router identifier 1.1.1.1, local AS number 4259840000
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
                    S - Stale, c - Contributing to ECMP, b - backup, q - Queued for advertisement
                    % - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop

          Network                                    Next Hop        Metric  LocPref Weight  Path
 * >      RD: 9.9.9.1:3304 mac-ip 001c.7300.0099    69.69.69.69     -       -       0       4259840000 4259840001 i
 * >      RD: 9.9.9.2:3304 mac-ip 001c.7300.0099    69.69.69.69     -       -       0       4259840000 4259840002 i
 * >      RD: 9.9.9.1:3304 imet 9.9.9.1             9.9.9.1         -       -       0       4259840000 4259840001 i
 * >      RD: 9.9.9.2:3304 imet 9.9.9.2             9.9.9.2         -       -       0       4259840000 4259840002 i
 * >      RD: 9.9.9.1:3304 imet 69.69.69.69         9.9.9.1         -       -       0       4259840000 4259840001 i
 * >      RD: 9.9.9.2:3304 imet 69.69.69.69         9.9.9.2         -       -       0       4259840000 4259840002 i

spine1#show bgp neighbors 2.2.2.3 evpn received-routes
BGP routing table information for VRF default
Router identifier 1.1.1.1, local AS number 4259840000
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
                    S - Stale, c - Contributing to ECMP, b - backup
                    % - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop

          Network                                                  Next Hop   Metric  LocPref Weight  Path
 * >      RD: 2.2.2.3:0 auto-discovery 05fd:e800:0300:000c:e800    2.2.2.3    -       -       0       4259840003 i
 * >      RD: 2.2.2.3:1 mac-ip 3304 0000.5e00.0101                 2.2.2.3    -       -       0       4259840003 i
 * >      RD: 2.2.2.3:1 mac-ip 3304 0000.5e00.0101 192.168.104.1   2.2.2.3    -       -       0       4259840003 i
 * >      RD: 2.2.2.3:1 mac-ip 3304 0050.7966.6807                 2.2.2.3    -       -       0       4259840003 i
 * >      RD: 2.2.2.3:1 mac-ip 3304 0050.7966.6807 192.168.104.102 2.2.2.3    -       -       0       4259840003 i
 * >      RD: 2.2.2.3:1 imet 3304 2.2.2.3                          2.2.2.3    -       -       0       4259840003 i

My best guess is that it's probably something to do with the virtual VTEP (69.69.69.69) and the virtual router MAC (001c.7300.0099).

I can ping my real-IP gateway 192.168.104.2, but can't ping the other host nodes (192.168.104.100, 192.168.104.101, and 192.168.104.102).

I've tried a few things, such as:

set interfaces lo0 unit 0 family inet address 2.2.2.3/32
set interfaces lo0 unit 0 family inet address 9.9.9.3/32 primary
set interfaces lo0 unit 0 family inet address 69.69.69.69/32
set switch-options vtep-source-interface inet preferred 9.9.9.3

But I can't seem to figure it out. I'm trying to keep everything inside the global route table for the time being, as this is a learning exercise.



iPhone "frys" router

So my mom's internet went out. Typical for the company and area she lives in. She calls the cable company after the usual unplugging and waiting, reset button, power cycle, easy stuff. The cable company tells her someone with an iPhone logged into her WiFi and fried her router/modem combo. First I've heard of something like this. Then again, I keep my network pretty tight. Thoughts? Comments? Experiences?



Reverse Engineer ACLs

Hi Guys,

I'm performing a network hardening piece of work and have installed a pair of Cisco 5508s on each of my production sites. I'm migrating gateway addresses of a dozen or so VLANs to sub-interfaces on the ASAs in order to restrict traffic - all dandy.

All of our large suppliers have provided us with port requirements and I've written ACLs for 90% of our prod systems. The remaining 10% are undocumented and I've been asked to reverse engineer ACLs based on their current traffic flows.

My current working theory is to write a script that integrates the syslogs and gives me a count of connection events to certain IPs, I'll then take a good guess at what to put in the ACL. For example if there's an oven monitor that uploads SNMP data to an app server once an hour, I can allow that traffic and block everything else. Not tidy but gets the job done.

Has anyone ever done this before and has any tips? Anyone know of any existing programs/scripts to help me generate a top down view of traffic flow from syslogs? Anything that can help me keep my sanity?

Cheers guys, you've always been a great help in the past.



Can you selectively apply what uses a VPN connection?

I'm not very techie and like a lot of people I'm working from home.

I use a work computer (macbook air) and log into our corporate network via VPN. I need to be on the VPN to use corporate skype, access outlook, shared drives, etc.
But...sometimes I find myself on facebook, or ...reddit, etc. Probably technically violating the acceptable use policy.

Is there a way I can set it up so for example Chrome goes through the vpn, but Safari does not?

Or is it like when you're on a VPN everything you do has to go through that connection?

Please give me some feedback, suggest things to google, etc.

Thanks so much.



Ansible outputting multiple variables to a file.

I'm gathering information on Cisco switches (specifically the interfaces without ACLs and the hostnames of the switches) and I'm able to do that just fine, but where I run into issues is with outputting that all into a CSV file. I want it to add every interface it finds, not just the last one. And I want to be able to have multiple variables appear in the CSV file.

How would I go about doing that? Here is my current code.

InterfacesWithoutACLs.yml:

---
- name: 'internet failover'
  connection: network_cli
  hosts: allPrimarySwitch
  pre_tasks:
    - name: 'gather ios facts'
      ios_facts:
        gather_subset: min
        gather_network_resources:
          - l3_interfaces
  tasks:
    - name: 'get interfaces'
      ios_command:
        commands: 'show ip interface brief | exclude unassigned|Interface'
      register: get_interfaces
    - name: 'set interface variables'
      set_fact:
        interfaces: ""
    - name: 'import configuration role'
      with_items: ""
      include_role:
        name: configure_dhcp_helper
      vars:
        interface: ""
    - name: Generate report
      local_action: copy content= dest=/etc/ansible/dev/Bradley/InterfacesWithoutACL.csv
      changed_when: False
      run_once: true

main.yml:

---
- name: 'get interface config'
  ios_command:
    commands: "show running-config interface | sec interface"
  register: get_interface_config
- debug:
    var: get_interface_config.stdout_lines[0][0]
  when: get_interface_config.stdout is search('ip access-group') != 1
- name: 'get hostname'
  ios_command:
    commands: "show running-config | sec hostname"
  register: get_hostname
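As an added, standalone Python version of what the playbook above is trying to produce (not the poster's code and not an Ansible solution): parse "show running-config interface" output per switch, keep every interface that has no "ip access-group" applied, and write one CSV row per interface with several columns. The switch names and config snippets are constructed samples.

```python
import csv
import io
import re

# Constructed sample output for two switches (hostname -> text in the shape of
# 'show running-config interface | sec interface').
SAMPLE_SWITCHES = {
    "sw-core-01": """\
interface Vlan7
 description USERS
 ip address 10.10.7.1 255.255.255.0
 ip access-group VLAN-7 in
interface Vlan80
 description IT HOLDING
 ip address 10.10.80.1 255.255.255.0
 ip access-group VLAN-80 in
interface Vlan90
 description PRINTERS
 ip address 10.10.90.1 255.255.255.0
""",
    "sw-core-02": """\
interface Vlan20
 ip address 10.20.20.1 255.255.255.0
interface Vlan21
 ip address 10.20.21.1 255.255.255.0
 ip access-group VLAN-21 out
""",
}

FIELDS = ["hostname", "interface", "ip", "description"]


def parse_interfaces(show_output):
    """Split the show output into per-interface blocks.  Each result carries the
    interface name, primary IP, description and every ACL applied (name/direction)."""
    results, current = [], None
    for line in show_output.splitlines():
        if line.startswith("interface "):
            current = {"name": line.split(None, 1)[1], "ip": "", "description": "", "acls": []}
            results.append(current)
        elif current is None:
            continue                                  # text before the first interface
        elif line.strip().startswith("ip address "):
            current["ip"] = line.split()[2]
        elif line.strip().startswith("description "):
            current["description"] = line.strip().split(None, 1)[1]
        else:
            m = re.match(r"\s*ip access-group (\S+) (in|out)", line)
            if m:
                current["acls"].append(f"{m.group(1)}/{m.group(2)}")
    return results


def interfaces_without_acl(switches):
    """Accumulate one row per unprotected interface across all switches.  Appending to
    a single list is what keeps every interface instead of only the last one."""
    rows = []
    for hostname, output in switches.items():
        for intf in parse_interfaces(output):
            if not intf["acls"]:
                rows.append({"hostname": hostname, "interface": intf["name"],
                             "ip": intf["ip"], "description": intf["description"]})
    return rows


def write_csv(rows, fileobj):
    """Write a header plus one line per row; each variable becomes its own column."""
    writer = csv.DictWriter(fileobj, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)


def report_csv(switches=SAMPLE_SWITCHES):
    """Return the finished CSV as text (write it to a file path in real use)."""
    buf = io.StringIO()
    write_csv(interfaces_without_acl(switches), buf)
    return buf.getvalue()


if __name__ == "__main__":
    print(report_csv())
```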



Forwarding SNMP Poll

Hello all,

Been dropped into a networking project with no background.

I need to poll a server using SNMP every 2 seconds. The information that is returned from the server (MIB I believe), needs to be forwarded as a trap.

I believe I need an NMS, I was considering using Zabbix. That is all I have worked out so far but I'm unsure if Zabbix is able to poll and then forward the MIB.

Does anyone have any advice if/how this is possible?

Also what are the hardware requirements of Zabbix? (obviously dependent on use case but for polling one server every 2 seconds)

Thanks.



Pros and Cons Network equipment refurb vs New [open debate]

Dear community,

I'm creating this post in order to have a constructive debate about the topic above.

I'll be totally honest, I'm a Senior Account Manager in a European company and can be referred to as a "Broker". To summarize, we buy and sell Cisco/Juniper gear and we deal on a daily basis with major telcos and end-users worldwide. Specifically network equipment (ASR/MX/Nexus/QFX/Catalyst/transceivers..)

Personally I'm aware of when to offer refurb equipment or not, but I'd like to get some extra perspectives in order to give some more input to our junior trainees. I'm aware that for some situations where direct support from Cisco is needed and not replaceable by some spares on site the question is not even on the table. The idea is to deepen the subject and it won't be published anywhere.

To summarize, I'm after your Pros and Cons/Opinions/fear(s)/awareness/... ofc questions are welcome too!

Don't hesitate to give your honest opinions, criticism is welcome when said in a constructive way.

Cheers,

Thomas



Convertible Notebooks for drawing diagrams

Hi all,

This is not directly a networking question, but this community seems appropriate for it.

I work for a VAR and like many companies we currently do a lot more remote sessions and webinars than before 2020.

One problem we encountered is that we often drew fast network diagrams for the customer when explaining a problem or feature, which we can't really do now anymore. Now we often rely on Paint and a really ugly mouse-painted diagram. And Visio is often too much to quickly draw a diagram that we'll probably throw away after the day.

So I wanted to ask if some of you use convertibles or drawing pads for web sessions to quickly show customers what you're talking about.

I don't necessarily need it to draw the real network diagrams, mostly for quick sketches.

What are your thoughts about using convertibles?

Do you think this is a gimmick that won't be useful after a few tries?



40G break out into 4x10G

I got a Nexus 93180YC-FX switch with 40G QSFP ports. Now I want to connect a server which is 200m away from the switch placed in another room. There is an MMF running between two rooms.

The server got an SFP+ card on it.

So can I connect this server to the Nexus switch using QSFP-40-CSR4 transceiver and 4x10G MPO connector cable?

Any issues with this setup or distance limitation?

Thanks and Cheers



VLC to watch videos from tablet on phone (android) is this the best way?

Need some help figuring out how to set up my SD card in my tablet to be discoverable by VLC or another video app to watch on my phone. Is this the best way of handling that?

Any help about video servers would be helpful, android only.



Anyone running dual Ethernet cables to APs?

I have an area that is going to get Aruba AP-555 APs next year after a renovation. Those require 802.3bt power. I’m weighing my options: do I spend the money on a 60W PoE Aruba switch, or just run dual Ethernet to every AP and stick with the cheaper 30W PoE switch?



Anyone experienced with Migrating Palo Alto HA Pair to Panorama Management and Templates

I have somewhat of an idea on how to do this and have a plan to go about it but I could use some extra advice. A couple things:

  • We have some older devices that are only capable of 8.1 and a bunch of newer devices on 9.0. Is there a big difference between them when converting to Panorama Templates?
  • I have had some recommendations to upgrade to 9.1 that it is more stable and I can utilize Policy optimizer along with BPA prior to converting to Templates. Is this a good idea?
  • My biggest challenge right now is converting a close to standard FW to different template stacks. How granular would you get with templates and stacks? Would it be best to create a separate template for each set of things, i.e. a template for Global Address Objects, a template for Global Service Objects etc.? My goal is to create a fairly uniform Global Stack (2 VR, 1 for each ISP, Standard GP setup, Global Rules and Objects etc) that I can use with variables to convert each HA pair to get them as uniform as possible and then apply some regional and/or site level templates to the stacks as needed. Our sites are pretty similarly set up so this should be possible even if the current standalone configurations are slightly different.


How does a RADIUS server match a request to a RADIUS client?

When a RADIUS server receives an access request, how does it identify which RADIUS client it is coming from? My question is specifically about Windows NPS, but I imagine it would apply equally to other RADIUS servers.

For example, in my environment a FortiGate firewall authenticating for admin access sends its host name as the NAS identifier in the access request, which matches the friendly name of the client in NPS. However, an Aruba AP instead sends its IP address in the NAS identifier field, and in fact the packet does not contain the RADIUS client name (the AP's host name) anywhere.

So therefore I don't believe there are any attributes sent by the RADIUS client in the request packet which the server could reliably use to match that request to that specific client.

This might be a dumb question with a super-obvious answer. I don't have any RADIUS issues, everything is working well. I'm just not sure how/why, and that bothers me. :-)
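As an added illustration (not from the original post), a Python model of the matching rule RFC 2865 prescribes: the server selects the client, and with it the shared secret, by the source IP address of the Access-Request, and then proves the match with that secret (here via the RFC 3579 Message-Authenticator and the hidden User-Password). NAS-Identifier is carried along but never used for the lookup. The client table, addresses, secrets and credentials are constructed; it assumes a PAP-style request, which is enough to show the binding.

```python
import hashlib
import hmac
import os
import struct

# Constructed client table of the kind NPS keeps: source address -> friendly name, secret.
RADIUS_CLIENTS = {
    "10.0.1.10": {"name": "fortigate-edge", "secret": b"forti-secret-1"},
    "10.0.2.20": {"name": "aruba-ap-lobby", "secret": b"aruba-secret-2"},
}

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER, ATTR_MESSAGE_AUTH = 1, 2, 32, 80


def _attr(atype, value):
    """Encode one RADIUS attribute: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """User-Password hiding (RFC 2865 5.2): XOR 16-byte blocks with a chained
    MD5(secret + previous block) keystream seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, username, password, nas_identifier, ident=7, authenticator=None):
    """Client side: Access-Request carrying NAS-Identifier and a Message-Authenticator
    (RFC 3579 3.2): HMAC-MD5 over the whole packet with that attribute zeroed."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_identifier)
             + _attr(ATTR_MESSAGE_AUTH, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac      # Message-Authenticator is the last attribute


def parse_attrs(packet):
    """Return {type: value} and the byte offset of the Message-Authenticator value."""
    attrs, ma_offset, pos = {}, None, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == ATTR_MESSAGE_AUTH:
            ma_offset = pos + 2
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs, ma_offset


def server_handle(packet, src_ip):
    """Server side: select the client (and thus the secret) by source IP, verify the
    Message-Authenticator with that secret, then recover the password.  NAS-Identifier
    is never consulted for the match; it is just data the client chose to send.
    Returns (client name, username, password), or None when the request is dropped."""
    client = RADIUS_CLIENTS.get(src_ip)
    if client is None:
        return None                       # unknown source: silently discarded
    secret, authenticator = client["secret"], packet[4:20]
    attrs, ma_offset = parse_attrs(packet)
    if ma_offset is None:
        return None
    zeroed = packet[:ma_offset] + b"\x00" * 16 + packet[ma_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, attrs[ATTR_MESSAGE_AUTH]):
        return None                       # the secret for this source IP does not fit
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return client["name"], attrs[ATTR_USER_NAME], password


if __name__ == "__main__":
    # The FortiGate's packet claims to be the Aruba AP in NAS-Identifier; the
    # match still goes by source address and the secret tied to it.
    pkt = build_access_request(b"forti-secret-1", b"admin", b"Correct-Horse", b"aruba-ap-lobby")
    print(server_handle(pkt, "10.0.1.10"))   # ('fortigate-edge', b'admin', b'Correct-Horse')
    print(server_handle(pkt, "10.0.2.20"))   # None: wrong secret for that client
```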



Tuesday, October 20, 2020

Study materials to pass F5 101 / 201

Like the title says, I wanna get my F5 BIG-IP certificate but I cannot find any study materials related to them.

I am more a video guy than a book guy and I couldn't find any study material that prepares me for the exam. I was wondering if you guys could give me any tips?

So far I've found one course on uDemy and that's it. The ones on INE/CBTNuggets only explain stuff about F5, but don't prepare you for the 101.

*I've already got F5 appliances working in EVE-NG and have CCNP knowledge.

Thanks in advance!



Unable to Open Public Wifi Login Page

Hello,

I’m trying to connect my laptop to the public wifi on the fishing vessel I work on. The public wifi requires us to each login with a personalized username and password, however I can’t get to the login page on my laptop.

Typically, going to 2.2.2.2/login.html opens the login page without any problems, as it did on my mobile device, however when I attempt to do so on my laptop, I am redirected to the following URL:

2.2.2.2/login.html?redirect=www.gstatic.com/generate_204

This displays this webpage: https://imgur.com/a/07Inzvr (apologies for the terrible quality)

When clicking on ‘Connect’ it’s just a dead click, nothing will open.

Things I’ve tried: restarting PC, rebooting WiFi, removing popups, flushing DNS, Chrome and Edge browsers, disabling firewall.

Not really sure what else I can try. Will attempt to get a Firefox browser installed tomorrow, but I’m pretty much out of ideas from google, and that’s the last thing I could find. Any information or suggestions are very much appreciated. I’m heading to bed so I likely wouldn’t be able to try/reply for about 8 hours.

Thanks again.



About to get a second ISP Palo Alto

Here's the lowdown simplified:

Two sites connected with mpls. One site has the internet connection with a static default route.

The second site is about to get an internet connection.

What I would like to have happen is each isp just advertise a default route and let bgp deal with it.

Is it that simple?

Edit: both sites have ip ranges assigned by the isp. So no true multihoming. Private asn on my side.



Networking + tips

Hello all. I have been working in the IT field for about 3 years now as a tier 2 technician. My company is now requiring me to get my Network+ certification. I have taken the class and do a lot of networking on a day to day basis. The issue is that I can't seem to pass any practice exams. I have taken about 6. Do you have any advice on how to pass this?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Having trouble understanding SSL, PKI, certificates.

Hello,

I'm currently learning about firewalls and I'm having some trouble learning the details of SSL and Public and Private keys/ PKI/ certificates.

I have looked at Christof Paar's 1st and 24th lecture on YouTube but I don't think I have time to look at all his lectures, and I also have his book, Understanding Cryptography, but there are just so many more topics about encryption that take time to understand. I have looked at the SEC+ book about PKI, countless cert authority websites that talk about how SSL works, but it's still not clear for me.

Especially when authenticating clients with certificates, I'm having some trouble understanding that too.

Are there any courses in Udemy, or Linux Academy or an easier book to understand? Labs?

Any resources you guys recommend?

Thank You.



DHCP DNS equivalent for SLAAC?

So, under IPv4 most equipment from pfSense to Mikrotik allowed you to create DNS entries for local machines when they requested a DHCP address. However, with IPv6 you don't have DHCP, or at least, you don't have to. So, if you're using an RA and SLAAC, is there any sort of equivalent for local DNS resolution?



INE Almost 'All Access Pass'

INE came out today with their Cyber Security branch of instruction videos. I'm glad to know that my 'All Access Pass' doesn't include access to that, but for a meager $1999/year I can get access....

Calling it an All Access Pass doesn't seem right...



What reasoning would there be to do inter-VLAN routing on a router vs just doing it on the switch?

I’ve been learning more and more each day and I just went through a few labs of a “router on a stick”. I’m trying to figure out why you would do inter-VLAN routing on a router; is there any specific reasoning for doing so?



Is this sane?

I work for a company that never had any structured IT. I've been hired on to handle this now, and step one, they need a new network... 10 years ago. Seriously, they have about 100 client devices, servers, VoIP phones, etc, all on one, flat, single network; interconnected with an unmanaged 10/100 switch.

I'm a jack of all trades, without specialization (and hey! They're willing to pay for training, certs, etc., and let me learn), so I'm just looking to see if what I'm planning is sane and looking for any advice/gear changes I should consider. Thus, an early revision of my network plans.

Oh. And the internet is a Frontier SDWAN that connects via aggregated copper pairs pushing Metro Ethernet. I also need to really look over their SLA, because my gods. Despite having "Premier" managed services, they never return calls (it's been 9 days since they were "supposed" to have gotten in contact), have total control of the SDWAN, and after two weeks, we're still waiting for them to give us a VoIP phone number for my new office..... I'm not impressed. Anyone with suggestions for dealing with Frontier (I know there are some of you out there stuck with them too!), I'd love to hear it.

Key questions:

- Why do we have the RAD? It was part of the old 5MB connection, and takes a fiber line from the ML648, and outputs Cat5 to the SDWAN device, but the ML648 already has four unused ethernet ports on it. A Frontier thing? Something that just came for the ride? Or is this common for something like M-Ethernet?

- I don't know why they have an SDWAN, we have no external buildings. Despite the network map showing a "Satellite Office", this is just for obfuscation, it's just a cat5 cable running in conduit to a building next door. I figure this is for Frontier to handle the phones, but they have everything locked down, so no one but they can make changes. I'd rather be rid of it, unless there is a good business case for it. I can't even turn off the DHCP server. We have an actual IP address (static). Again, looking for any advice about how Frontier handles this stuff.

- It's a family owned company, and the buildings, as well as their houses, are all on a massive plot of land, like, hundreds of acres. So they ran fiber from the business to the three houses on the land for residential internet. I'm going to VLAN these, and put each house on a separate subnet. What I'm unsure of is whether it is better practice to use a /30 subnet and put a gateway there (Unifi USG is planned), or let the Edgerouter just handle it all and just put a UniFi switch and wider /24 subnet for each house? Double NAT is a concern here, I would believe?

I really appreciate any input and sanity checks here.

Next... setting up something like Jamf to handle these unmanaged Mac all over the place...



IPS alerting and reporting

My sysadmin asked if we received alerts when IPS detects a threat or logs anything. We don't.

Just curious as to how yall other admins handle IPS alerts?



WiFi network size - is broadcast traffic an issue?

Hello,

It is a common design goal for wired networks not to create too large broadcast domains. As a rule of thumb I once learned not to exceed 1.000 hosts (or a /22 network) at maximum.

What I would like to know is: does this also apply to wireless networks and to what extent? What happens if, let's say, a /24 network that is used for wireless clients is beefed up to a /23? So does that broadcast domain problem apply to wireless networks, or is it even worse for the mentioned scenario?

Thanks in advance!



What is the risk of decreasing the STP timers?

What can one screw up if he plays with STP timers Max_Age and Forward_Time? What are the possible problems?



Multihomed Edge Design

Hello. Last year we moved to a multihomed BGP solution for our internet utilizing our own ASN and /24. This was the first time I had implemented a BGP solution and although the solution seems to work well, I feel it can be better and more efficiently designed.

Currently we have two Juniper SRX340 devices in an Active/Passive HA pair. Both ISP’s are plugged into the “single” SRX340 stack. We advertise eBGP to the providers of course and the SRX340 devices connect to two Palo Alto firewalls also configured as an Active/Passive HA pair. The Palo Alto firewall (9.9.9.2) has a static route pointing to the SRX340 (9.9.9.1).

Reading a few deployment guides I’ve seen where they break out the edge routers and have one go to ISP1 and the other going to ISP2. They use iBGP between them and OSPF is used from the edge routers to the firewalls. Is this the better design? It seems like it’s a no brainer, but I wanted to get other opinions. I know separating the edge routers will allow two separate control planes to prevent a single control plane error from taking down the WAN.

For simplicity sake I have the HA pairs showing as a single device on the diagrams since they are Active/Passive. There are two physical links from each ISP going to both devices in the HA pair even though they are not shown. There is a network switch not shown that breaks out the single ISP Ethernet handoff into two so the new design will also eliminate the need for that.

Current

New



Wired internet connection works on 1 computer but not others.

Hello everyone, I’m not entirely sure this is the right place to post this but my searching on google has gotten me nowhere and I need help. I have quite a strange issue happening, only one computer seems to be able to connect over Ethernet on a wall port. First some background on the site. Connection is offered over WiFi through access points as well as wired connections. Wired connection requires no authentication, in other words you should just be able to plug any computer to any Ethernet jacks and be connected.

The issue is the wired connection from an RJ45 wall port stopped working for a MacBook using an Ethernet to USB-C adaptor. And when I say stopped working I mean suddenly it shows there is no wired connection at all. However, my Windows laptop still gets a connection just fine on the same wall port.

Here is my process to figure out only one computer gets internet on this specific port. My initial thought was the adapter or cable was the issue. So I grabbed a known good cable, and connected my windows laptop to the same wall connection using the new cable, and everything works just fine. Now thinking it was the cable or adapter I connected the MacBook to a pass through port on the access point in the room using the original cable and adapter, to my surprise this works just fine. I then grab another windows laptop and connect it to the original port that was not working for the Mac, and this laptop also doesn’t work. Same issue as the Mac, Ethernet shows it connected.

I am at a loss as to what the issue might be and would appreciate any help. Please let me know if you need any more clarification and I will answer to the best of my ability.