Saturday, November 14, 2020

Connecting two different switches without dhcp

I have a task to configure a connection between two different switches. One is a D-Link on the first floor and the other one is a Cisco on the 2nd floor. Both can be managed.

Right now we have connected a fiber cable between them, but what is happening is that the DHCP server on the first floor is assigning addresses to the computers on the 2nd floor. How can I block it? Both are configured with different subnets.

Both floors have their own PABX server, but I need to have some extensions on the 2nd floor connected to the PABX on the first floor.

We have a biometric server on the second floor which we need to access from the first floor, and connect a fingerprint device.

We don't have a firewall at the moment and we use TP-Link routers.

Requesting you to share some ideas. Thank you all.



OVH is very fucking shitty

Their new motto needs to be "Bad service and Fucking everything up since 1999"



Dorado Cruz Operations Center (CruzOC) for managing switches

We are looking at new switches and were comparing Aruba against another vendor. This vendor doesn't have a management platform for their switches and has suggested Dorado CruzOC as an equivalent to Aruba Central.

I'd never heard of CruzOC before, nor did I find any results on this sub for it, and was wondering if anybody had experience managing switches with it? Or if there were other, better solutions?

We've got monitoring covered and probably don't need much config management. We'd use it for firmware updates, setup and potentially troubleshooting.



Ethernet connecting and disconnecting

After resetting my laptop to factory settings I am suffering some Ethernet connection issues which weren't happening before the reset. The Ethernet connection comes up but then suddenly disconnects, and in Chrome it displays messages such as "connection is not private" and goes to my router settings (the IP thing you search in Google).

I thought it could be due to some WAN miniport so I deleted those. I have also reset my network settings.

Could the issues be due to a virus? Does anyone have a fix?



URL filtering for restricting access

Hi All

We are looking at some options for how to perform URL/TLD filtering, for example \.office365.com*

The customer does not host their own DNS server and would rely mostly on corporate DNS.

The issue with doing URL filtering is mostly around DNS TTL. If the DNS resolution of a domain changes the A record while the client still has the old one cached, the traffic in some cases may be denied if the filtering application has dynamically updated the A record in the policy set.

Is anyone else able to share some alternatives for what can be done to perform URL-based filtering?

I've seen that the URLs the customer would connect to have a TTL of 59 secs.

Say the corporate DNS keeps the cache normally at 300 secs; then we have a potential disruption for 5 mins. I don't think we can make changes on the corporate DNS as that's used for the wider business.

Thanks in advance for any advice.



Office 365 and no local DNS on remote site

Hi,

I need internal DNS for AD, but that gives slow paths to Office 365 for remote sites with local breakout and no local DNS.

E.g. all clients will get a US "connection" to Office 365 even if the site is located in the UK.

Any way to get around this?

Thanks :)



DHCP IPv6 issues?

Having issues on my network assigning IPv6 addresses. Things I have configured are the scopes and, on my VLAN interface, the DHCP relay destination, which is my Server 2019 machine, and yet my home client still gets nothing. Any suggestions? I'm stuck.



Aruba releases the CX 8360 Switch Series



Traffic Shaping in MetroE/ELAN

I'm looking for guidance for how to properly design a traffic shaping policy for the following scenario:

WAN based on an ELAN offering from the telco. The hub site has a 300Mb/s connection into the ELAN and spokes are at 20Mb/s. The traffic pattern I'm concerned about is from hub to spoke only, as that constitutes 99% of the traffic in the ELAN. The challenge I have is that some of my traffic is latency sensitive and I'm running into issues. Checking with the telco, they are showing inbound policing drops at the 20Mb/s sites, and are suggesting that the site is trying to pull down more than the subscribed 20Mb/s.

To combat this problem, it seems like I need a two-level shaping policy at the hub site: the 1st level limits each remote site to the subscribed rate of 20Mb/s so they stop hitting the inbound policer, and the 2nd level gives the low latency traffic X Mb/s, in this case 10Mb/s. To do this, I can create access-lists to match the subnet allocated to the remote site. I will create 2 access-lists: 1 for the low latency traffic, and one for everything else that is destined for the remote site's subnet.

I've put together the following configuration on the hub site router, which is a Cisco ISR4431:

  ! 192.168.127.0 = remote subnet
  ! 10.30.1.0     = source of low latency traffic
  ip access-list extended acl-REMOTESITE-SHAPE20MEG
   permit ip any 192.168.127.0 0.0.0.255
  class-map match-all cm-REMOTESITE-SHAPE20MEG
   match access-group name acl-REMOTESITE-SHAPE20MEG
  ip access-list extended acl-REMOTESITE-PRIORITY
   permit ip 10.30.1.0 0.0.0.255 192.168.127.0 0.0.0.255
  class-map match-all cm-REMOTESITE-PRIORITY
   match access-group name acl-REMOTESITE-PRIORITY
  policy-map pm-Child-REMOTESITE-PRIORITY
   class cm-REMOTESITE-PRIORITY
    priority 10000
  policy-map pm-QOS-Parent
   class cm-REMOTESITE-SHAPE20MEG
    shape average 17825792
    service-policy pm-Child-REMOTESITE-PRIORITY
   class class-default
    shape average 267386880
  interface GigabitEthernet0/0/2
   service-policy output pm-QOS-Parent

Will this accomplish what I'm looking for? Is there a better way to do it?

Thanks in advance for any suggestions!



Cisco SD-Access segmenting VNs with a non-Cisco firewall

Hello

Normally I would not ask such a question. But damn, I could not find anything about this online!

I have read the CVD SD-Access segmentation guide, SD-Access integrating firewalls and so on.

But all those guides talk about Cisco Firepower or ASA and using them as an SGFW working with SGTs.

I want some guides telling me how I can do SD-Access with a Palo Alto, FortiGate or others. Like how do I stretch the VN to the firewall so I can get granular logging capabilities.

As far as I understand, I can hand over the VN on a fusion (L3 router) to other L3 devices as a normal VRF? But where the hell is this documented?



I have been given an Ethernet frame and I cannot figure out what format it is in. Help?

Here is the frame minus the preamble and FCS -

https://imgur.com/a/XDlsw9R

Can anyone please tell me how to figure out what format it is in?
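Added example, not part of the post above: the frame from the post is not reproduced here, so this classifier is fed four constructed frames instead. It applies the one rule that decides the framing: the 2-byte field after the two MAC addresses is an EtherType if it is 0x0600 or greater (Ethernet II), and an 802.3 length if it is 1500 (0x05DC) or less, in which case the next bytes are an 802.2 LLC header (DSAP/SSAP 0xAA/0xAA with control 0x03 means SNAP; 0xFFFF where the LLC header should be is Novell "raw" 802.3). Input is the frame with preamble and FCS already stripped, as in the post.

```python
"""Classify an Ethernet frame by its framing variant.

Added example, not from the original post. The post's own frame is not
available, so the frames at the bottom are constructed for the demo.
"""
import struct

ETHERTYPE_MIN = 0x0600   # IEEE 802.3: 0x0600 and above is an EtherType
MAX_8023_LEN = 0x05DC    # 1500: values up to this are an 802.3 length field


def classify_frame(frame: bytes) -> dict:
    """Return dst/src MACs plus the framing: Ethernet II, 802.3 raw (IPX),
    802.3 + 802.2 LLC, or 802.3 + LLC/SNAP."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":")}

    # The 2-byte field after the MACs decides the framing.
    if type_or_len >= ETHERTYPE_MIN:
        info["format"] = "Ethernet II"
        info["ethertype"] = type_or_len
        return info
    if type_or_len > MAX_8023_LEN:
        info["format"] = "invalid (0x05DD-0x05FF undefined)"
        return info

    # 802.3: the field is a payload length and an 802.2 LLC header follows.
    info["length"] = type_or_len
    payload = frame[14:14 + type_or_len]
    if len(payload) < 3:
        info["format"] = "802.3 (payload truncated)"
        return info
    dsap, ssap, ctrl = payload[0], payload[1], payload[2]
    if dsap == 0xFF and ssap == 0xFF:
        # Novell "raw" 802.3: the IPX checksum 0xFFFF sits where LLC would be.
        info["format"] = "802.3 raw (Novell IPX)"
        return info
    info["dsap"], info["ssap"], info["control"] = dsap, ssap, ctrl
    if dsap == 0xAA and ssap == 0xAA and ctrl == 0x03 and len(payload) >= 8:
        # SNAP: 3-byte OUI + 2-byte protocol ID (an EtherType when OUI is 00:00:00)
        info["format"] = "802.3 LLC/SNAP"
        info["oui"] = payload[3:6].hex(":")
        info["pid"] = struct.unpack("!H", payload[6:8])[0]
        return info
    info["format"] = "802.3 LLC"
    return info


def _frame(dst_hex, src_hex, type_or_len, payload):
    return (bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
            + struct.pack("!H", type_or_len) + payload)


SRC = "00112233aabb"  # constructed source MAC
# Ethernet II carrying IPv4 (EtherType 0x0800), 46 bytes of zero payload
ETHERNET_II = _frame("ffffffffffff", SRC, 0x0800, bytes(46))
# 802.3 + LLC: STP BPDU to 01:80:C2:00:00:00, DSAP/SSAP 0x42, UI control 0x03
STP_PAYLOAD = bytes([0x42, 0x42, 0x03]) + bytes(35)
LLC_STP = _frame("0180c2000000", SRC, len(STP_PAYLOAD), STP_PAYLOAD)
# 802.3 + LLC/SNAP: CDP to 01:00:0C:CC:CC:CC, OUI 00:00:0C, PID 0x2000
CDP_PAYLOAD = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x0C, 0x20, 0x00]) + bytes(38)
SNAP_CDP = _frame("01000ccccccc", SRC, len(CDP_PAYLOAD), CDP_PAYLOAD)
# 802.3 raw (Novell): length field, then the 0xFFFF IPX checksum
IPX_PAYLOAD = bytes([0xFF, 0xFF]) + bytes(44)
RAW_IPX = _frame("ffffffffffff", SRC, len(IPX_PAYLOAD), IPX_PAYLOAD)

if __name__ == "__main__":
    for name, f in [("Ethernet II", ETHERNET_II), ("STP", LLC_STP),
                    ("CDP", SNAP_CDP), ("IPX", RAW_IPX)]:
        print(name, classify_frame(f))
```

To use it on a real capture, pass the raw frame bytes from a pcap (minus FCS, which most NICs strip before the capture point anyway); the dst MAC in the result is often the second clue, since 01:80:C2:00:00:00 and 01:00:0C:CC:CC:CC are well-known control-plane destinations.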



Friday, November 13, 2020

Would a VLAN mismatch cause IP errors on my 6500?

I noticed a couple of weeks ago that I am getting errors on my core switch. It is a Cisco Catalyst 6500. When typing in show ip traffic, I am getting "not a gateway" counters and "bad hop counts". They are increasing daily. I ran a quick debug and noticed that they were coming from a certain subnet (192.168.50.X).

Here is how the previous engineer set it up:

Core - VLAN 50

SVI GW - 192.168.50.245 (it is trunked over to a couple of distro switches which make up the .50 subnet)

On the distro switches for the .50 network, the previous engineer didn't set up VLAN 50 on them. When checking these devices, I realized they are programmed like this:

Distro - VLAN 1

IP: 192.168.50.1, 192.168.50.2, 192.168.50.3, etc.

GW for each switch: 192.168.50.1

Would this mismatch be causing all the errors in the core? I'm assuming the core is associating 192.168.50.X with GW 192.168.50.245? Is it only working due to the native VLAN?



Extreme WiNG Licensing?

Anyone have experience getting these licensed?

They apparently won't allow anyone without a company email to sign up for an account, which is leading to a headache, since I use a Tutanota email for my contracting.

Calling their support, it seems that they're pretty much all scripted offshore agents.

They do state that they support used devices (but without the warranty) on their site, but it seems like they really don't want to sell outside of their partner network.

Even the CLI documentation doesn't seem to be open and available.

A huge tragedy too, since their devices seem completely reasonable when compared to everyone moving to subscription models.

Just wanted to try them out as an alternative to UniFi/Aruba/Cisco, but it's not looking so good.

I contacted a partner, but it seems I need to register the device first.



[Help] I really need someone to help me with some questions about Windows credentials

I need to connect some PCs and make them visible to each other, and I'm quite new to this.

So I thought the best way was to create a user on each in the netplwiz screen, then use it on the other PCs to connect.

Is this actually how this is done? Is there any other way to correctly achieve this?

Does this connection get stored in the Windows credentials?

Also, I have seen in W.Credentials something like

address: RobertPC

Name: Someword\user

Password: *****

If the pc name is RobertPC and the user is user, what is Someword?

Aside, I remember some time ago that I accessed a Windows screen where I could even choose that the user password would never expire or something like this but I can't tell how I got there.



Question about using a media converter to do fiber capture / TAP.

Hello,

I am currently troubleshooting an issue with packets being lost on the wire. We are at the point of losing trust in SPAN port accuracy and are looking to split the fiber signal in two for capture.

I am wondering if I can use a PLC splitter on one of the two strands, send that in to an optic in a media converter, and use that to capture to a standard copper port. My concern is that the link may not come up or have issues on the media converter since only one of the two strands will be connected.

If that works, I will probably replicate this setup for each direction, and just use the receive side of the optic.

Thanks!

(If fs links are still not allowed here I will remove all of the links.) Part of the difficulty is most of the world's pre-assembled fiber TAP hardware seems to be made for APC or multimode. We are running UPC duplex single mode.

Here is my plan:

  1. Buy a few Bare 1x2 PLC fiber splitters
  2. Fusion splice LC UPC OS2 pigtails to each end
  3. place all of that in a tray with LC UPC passthrough connections on it.
  4. Feed the strand I am using to send data in to the above solution, then have one of the splits go back to our provider and tap the other.
  5. Send the second one in to an SFP in a media converter.
  6. Send that copper connection to a computer running wireshark for the capture.


NSP/MSP/DC/WISP/Anyone else I missed: My new worst enemy, Geological IP Databases

Fellow Networking Professionals,

What is your "process" for getting the GeoIP data for your ranges correct and up to date? I have been submitting my requests to MaxMind but it doesn't always "work across the board".

Does anyone have a list of places you submit to every time, or can list other places I should be making these requests to aside from MaxMind?

Thanks,



Google Docs and Meet Randomly Unreachable

Hitting a brick wall and looking for fresh eyes to see something that I am not. We are having an issue with our network 3 days in a row where randomly during the day Google Docs, Sheets, etc. will be unreachable. It usually clears itself up in 10-30 minutes, but since we are a school that is kind of not an option. Google has confirmed it is not them. We cannot ping docs.google.com during that time.

Our set up: Fiber internet with Spectrum Backup>PFSense Firewall on the most recent version of Firmware>HP Aruba 2920 Switches on version 16.09.0009>Extreme (formerly Aerohive) AP 230

Separate VLANS for Students and Teachers broadcast via wireless.

Issue still occurs on the servers and when plugged in directly. Can ping the site via our firewall directly.

Confirmed that both Google Docs and Google Sheets NSLookup to the same IP; the reachable Google apps go to differing IPs.

Any ideas on what could be causing these issues or where to go from here. I have Wireshark recording/logs of event, but nothing looks out of the normal.

Thank you for your help!



Mikrotik vs Cisco

Hello,

This question is about two specific routers that meet our specific budget and port requirements. It is mostly a performance question; I am fully aware of the software drawbacks.

Cisco RV345-K9-NA vs Mikrotik RB4011iGS+RM

Questions:

1) There seems to be an issue with the Amazon site, where they're mixing up 16 port with 8; this model line has either 4 or 16, but it still kinda scares me

2) Which one would you choose?

The company is very small, around 6 ppl, the setup is mostly vanilla from the start, with some VLANs and a bunch of NAT rules. The general issue here is internet: if we end up getting 1gbps, Cisco advertises around 900mbps with just checking the state on the firewall, and I kind of feel that if you add other things and maybe some QoS for VoIP that will go down real fast. On the other hand Mikrotik looks like it's going to chug all of that with no issues.



Whitebox support experience

I just wanted to provide some data to those of you that are considering whitebox solutions, I won't get into the good or bad technical details, but one thing I appreciate is their TAC.

Yesterday I was turning up a 10Gbps IPv6 peer and could not figure out why it was not establishing. I call into TAC and the person on the other end answers "Hello?"

TAC: Hello?

Me: Hi, uhm is this ___ TAC?

TAC: Yes.

Me: Uhm, I am having an issue bringing up v6 BGP peer, can I get some help?

TAC: Yes, what is your email? I will send you an invite.

Me: _____

TAC: Sends email.

Me: Joins screenshare to find 5 people connected. A couple of engineers, programmers and a technical lead. This wasn't an outage or high priority ticket. It was a request to help bring a v6 BGP peer online.

The issue was found to be on the upstream providers configuration. Conferenced the upstream in, they made the change, peer up, good to go.

We have run into some very hard to troubleshoot quirks with whitebox, but I have to admit that the support for trouble tickets sets quite a high bar.



F5 Big IP - Get Source IP's of all clients for a VIP

Hello,

I need to get a list of the source IPs that are accessing a VIP. The VIP is not set up to pass through the client IP; it only shows the IP of the F5 on the endpoint devices. Is there a way to export all those IPs as a CSV or text file?

Thanks for any help!



Unicast reverse path forwarding: how useful is it really, and do you use it?

Every now and then the question of unicast reverse path forwarding comes up at work, and I kind of question how useful it really is as a security tool.

I can see carefully placed strict mode rules being useful, particularly at network trust edges like the internet or hand-offs to 3rd parties, so that, say, someone couldn't spoof an internal network inbound (though we wouldn't let that through our ACLs anyway at an internet edge).

Internally, on facing networks, maybe to prevent an owned host from spoofing when you don't have an ACL in front of the network (most of our networks have a firewall interface in front of them, and the rules are written so that only traffic from that network or individual hosts is allowed as the source).

Loose seems largely defeated once the default route comes into play.

I guess I'm just curious where the use really is if you have a well segmented network to begin with. And even in a network without a lot of segmentation, you either have to make sure traffic will work with strict mode, or use loose mode, which circles back to the default route defeating it in most cases (yes, I know you have to explicitly allow the default route with loose mode, but I would imagine you would anyway to allow internet traffic to function).

Is there something I'm missing here? How do others use it in their network such that they feel it adds to security? I totally get that security is an onion with layers, but it just seems to me this doesn't have a lot of applications that don't just induce bigger headaches.
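Added example, not part of the post above: a small model of the strict and loose uRPF checks against a constructed FIB (the prefixes, interface names and source addresses are made up for the demo). It walks the cases the post talks about: an internet source at the edge, an internal prefix spoofed inbound from the internet, an internal source arriving on the wrong interface (asymmetric routing), and a null-routed source. The allow_default flag plays the role of the "allow-default" knob, so you can see exactly where the default route makes loose mode pass everything that is not discarded.

```python
"""Strict vs loose unicast RPF against a small FIB.

Added example, not from the original post. FIB, interface names and source
addresses are constructed to exercise the cases the post discusses.
"""
import ipaddress

# Constructed FIB: prefix -> egress interface. "Null0" is a discard route.
FIB = {
    ipaddress.ip_network("10.10.0.0/16"): "Gi0/1",   # internal network A
    ipaddress.ip_network("10.20.0.0/16"): "Gi0/2",   # internal network B
    ipaddress.ip_network("192.0.2.0/24"): "Null0",   # null-routed prefix
    ipaddress.ip_network("0.0.0.0/0"): "Gi0/0",      # default towards the internet
}


def fib_lookup(src):
    """Longest-prefix match; returns (prefix, interface) or None."""
    best = None
    for net, intf in FIB.items():
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best


def urpf_strict(src_ip, ingress, allow_default=False):
    """Strict mode: pass only if the best route back to the source points out
    the interface the packet arrived on. allow_default decides whether the
    default route may satisfy the check at all."""
    hit = fib_lookup(ipaddress.ip_address(src_ip))
    if hit is None or hit[1] == "Null0":
        return False
    if hit[0].prefixlen == 0 and not allow_default:
        return False
    return hit[1] == ingress


def urpf_loose(src_ip, allow_default=False):
    """Loose mode: pass if any non-discard route to the source exists,
    regardless of which interface it points out."""
    hit = fib_lookup(ipaddress.ip_address(src_ip))
    if hit is None or hit[1] == "Null0":
        return False
    if hit[0].prefixlen == 0 and not allow_default:
        return False
    return True


CASES = [
    # (description, source address, ingress interface)
    ("internet source on the internet edge", "203.0.113.7", "Gi0/0"),
    ("spoofed internal source arriving from the internet", "10.10.5.5", "Gi0/0"),
    ("network B source arriving on A's interface (asymmetric)", "10.20.0.9", "Gi0/1"),
    ("null-routed source", "192.0.2.9", "Gi0/0"),
]

if __name__ == "__main__":
    for desc, src, intf in CASES:
        print(f"{desc}: strict={urpf_strict(src, intf, allow_default=True)} "
              f"loose={urpf_loose(src, allow_default=True)}")
```

With allow_default on, loose mode only ever fails for the null-routed source, which is the behaviour the post describes; strict mode on the edge interface still rejects the spoofed 10.10.5.5 because the FIB points that prefix at Gi0/1, and it also rejects the legitimate 10.20.0.9 when it shows up on the wrong interface, which is the asymmetric-routing cost of strict mode.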



Upgrading from Firepower 6.2.3.15 to a current release (crosspost from r/cisco)

Hi all,

Have an environment with (3) FTD HA Pairs: One for Internet termination (VPN, DIA), and two LAN firewalls for internal segmentation.

We're on the 6.2.3.X train currently, which has been working pretty flawlessly for the last 2 years. We bumped up to 6.2.3.15 earlier this year to fix some issues, and no real issues since then.

Right now, we have to upgrade to remediate some vulnerabilities reported by a penetration test. No real option in avoiding this, as the only fix is to upgrade past 6.2.3.15.

I did a bug scrub on the releases and had a few questions about releases newer than 6.2.3:

  • 6.4.0.10 only has 1 impacting bug (CSCvv81801) -- is the snort crash really that bad? We've done deployments all day long and snort restarts have never been an issue - I have to imagine a snort crash (on HA failover) isn't that much worse
  • 6.5.0.4 seems to have a ton of bugs (nothing seems a major show stopper though) and the last release was back in March this year -- did Cisco stop development on this train?
  • 6.6.1 has only 2 impacting bugs for us (CSCvu84127 & CSCvv46490) -- I've heard other people were complaining about other issues on 6.6, has anyone had any luck with this?

Just curious to see what people are running right now and if any of the above bugs have really affected anyone.



Point to point link advice

I'm currently putting together a wireless network in a very wireless-unfriendly environment, and was hoping to pick people's brains on my plan and its pitfalls.

Basic setup

I've a small network setup (UniFi kit) and I need to bring a few devices into it from a distance (200-500m approx). Looks easy. Unfortunately, it will be completely relocated regularly, lines of sight are unreliable or non-existent, and there will be a LOT of RF interference (think sports stadium levels).

My plan/idea is to use Ubiquiti AirMax as a point to point, with some wifi/ethernet bits on the far end for last hop. The NanoBeam ac Gen2 seems like the best bet for the link. Unfortunately, I’m not up to speed on point to point kit, so don’t know how well it will perform. Hopefully someone here has played with the kit and can take me beyond the basic sales claims.

Main questions

  • First, does anyone know anything better for the job, preferably in the same price range?
  • How well does the AirMax kit deal with blocked lines of sight?
  • How finicky is it to set up in practice?
  • What else have I likely missed?


802.1x auth. azure AD

Hi!

Anyone have a good solution for 802.1x auth on wifi with computers in azure AD?

Normally I use Windows NPS, checking if the computer is a member of the AD domain, but I cannot find any option to check against Azure AD.



Calculating required bandwidth / data rate

Hi all,

Thank you for reading my question.

Most of the time when putting together the requirements to serve a certain customer, the first question that comes to my mind is what the minimum bandwidth is that needs to be reserved so the services can be entertained. Say you want to connect a certain customer via VSAT; then one needs to specify the minimum bandwidth. I can think of certain bandwidths for some services, such as:

Voice in the order of 8 kbps; video in the order of 2 Mbps.

I don't know if these numbers are correct. Would someone explain how to calculate this from experience?

Much appreciated



Fortigate LM75 temp sensor explanation

Hi Guys,

I need to know what these temperature sensors are for.

Typically you have fan intake, fan outlet and CPU temps.

For the FortiGate they are not showing this easily. What are the LM75 sensors measuring?

This is my output for "Execute sensor list"

  19 DTS CPU     alarm=0 value=67 threshold_status=0
  20 CPU Core 0  alarm=0 value=65 threshold_status=0
  21 CPU Core 1  alarm=0 value=68 threshold_status=0
  22 TD1         alarm=0 value=52 threshold_status=0
  23 TD2         alarm=0 value=41 threshold_status=0
  24 FAN_TMP_3   alarm=0 value=48 threshold_status=0
  25 LM75 U72    alarm=0 value=44 threshold_status=0
  26 LM75 U65    alarm=0 value=44 threshold_status=0
  27 LM75 U62    alarm=0 value=48 threshold_status=0



Why do most queue management algorithms do "tail drop"?

There are lots of queue management algorithms (Blue, tail drop, WRED, RRED, SFQ etc.).

They all seem to drop packets on entry to the queue (i.e. the tail), rather than dropping a packet about to be transmitted (i.e. the head of the queue).

This seems suboptimal: if a packet has to be dropped, you would rather it be one about to be forwarded, because then the remote endpoint gets information about the drop as soon as possible. That then allows the transmission rate to be adjusted as soon as possible.

The extreme example of this is in bufferbloat - if a home router has a massive buffer, for example 4 megabytes on a 8 Mbit ADSL connection, then it takes a full 4+ seconds for the dropped packet to reach the far end, the ACK (or rather lack of) to get back, and for the transmitter to slow down to avoid more losses. If the router had dropped the head of its massive buffer, then the slowdown would be much faster, preventing more loss for not only this flow, but all other flows sharing the same network link.
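Added example, not part of the post above: a discrete model of a single full FIFO bottleneck queue, using the post's 4 MB buffer and 8 Mbit/s link with an assumed 1500-byte packet size. It measures the time from the moment a drop decision is made until the receiver first sees a sequence gap, for tail drop and for head drop. The sender is modelled as keeping the queue fed with one new packet per departure; the return path (ACK or lack of it, and the sender's reaction) is left out, so the numbers are the queueing delay component only.

```python
"""Time until the receiver observes a loss: tail drop vs head drop.

Added example, not from the original post. Models a single FIFO bottleneck
queue that is already full when one more packet arrives. Returns the seconds
from that arrival until the receiver sees a sequence gap. Buffer size and
link rate are the post's numbers; the 1500-byte packet size is assumed.
"""
from collections import deque


def time_to_drop_signal(buffer_bytes, rate_bps, policy, pkt_bytes=1500):
    depth = buffer_bytes // pkt_bytes              # packets the buffer holds
    serialization = pkt_bytes * 8 / rate_bps       # seconds per packet on the link
    queue = deque(range(depth))                    # full queue, seqs 0..depth-1
    arriving = depth                               # the packet that finds it full
    if policy == "tail":
        dropped = arriving                         # newest packet discarded
    elif policy == "head":
        dropped = queue.popleft()                  # oldest packet discarded...
        queue.append(arriving)                     # ...to make room for the newest
    else:
        raise ValueError(f"unknown policy {policy!r}")

    next_seq = arriving + 1
    expected = 0                                   # next seq the receiver wants
    elapsed = 0.0
    while True:
        queue.append(next_seq)                     # sender: one arrival per departure
        next_seq += 1
        seq = queue.popleft()                      # link: transmit head of queue
        elapsed += serialization
        if seq != expected:                        # receiver notices the gap
            return elapsed, dropped
        expected = seq + 1


if __name__ == "__main__":
    BUF = 4 * 1024 * 1024   # 4 MB buffer from the post
    RATE = 8_000_000        # 8 Mbit/s ADSL from the post
    for pol in ("tail", "head"):
        t, seq = time_to_drop_signal(BUF, RATE, pol)
        print(f"{pol} drop: seq {seq} lost, receiver sees the gap after {t:.3f} s")
```

With these inputs the buffer holds 2796 packets, so under tail drop the gap is not visible to the receiver until the whole buffer has drained (about 4.2 s at 1.5 ms per packet), while under head drop it is visible after the very next packet. That is the same reasoning CoDel uses when it drops from the head of the queue.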



Radius Server not responding + Hotspot Authentication problems, please help!

Hello Networking dudes and dudettes!

I am hoping that some Networking (Mikrotik) Guru would glance upon this post and help this Networking (Mikrotik) noob with his dilemma. Here is my current situation:

Configurations on the HAP AC Lite:

  • Ether1 = DHCP Client
  • Ether2 = (192.168.X.X/24) for friends and myself! Connected to a switch!
  • Wlan1 = AP Bridge, (10.10.X.X/24) for a hotspot

DHCP:

  • Ether2 has pool for friends and myself!
  • Wlan1 has pool for hotspot (10-20 users needs/wants wifi)

NAT = srcnat out to Ether1

Hotspot = I set this up okay and I know it works for an admin and a test profile/user

Radius Server:

  • IP is the same as WLAN1 (some say 127.0.0.1, other say same IP as WAN interface I do not know which is “right”.)
  • Incoming is set to accept

The Dilemma

· If I make a user via RouterOS, it works! The hotspot login works and it shows the limits, uptime etc… all that beautiful jazz!

· If I make a user via the Radius server (/myWanInterface/userman), the login spits the message “RADIUS SERVER NOT RESPONDING”

· Reason I want to use the Radius server is it can add users as a batch! I would like to just allow 10-20 users to use the hotspot with their own login and passwords (authentication) etc…

P.S. I can provide a pastebin of my configuration via PM. Please drop a reply or message me directly! It would mean the world to me if someone would just spend a few minutes helping me with this as I am lost! All of the tutorials from youtube and mikrotik sites are not helping with this issue ☹



MPLS using same labels along the path?

Hello guys,

Hopefully this is the right thread for my question!

I'm trying to learn MPLS, and what I thought in the beginning was that every router uses different labels. Let's say for example R1 label 10, R2=20, R3=30. I configured MPLS and saw that the same label was used, in this example label 18, on two different interfaces. How come? Should they not be different labels? What is the reason behind it? I tried to google this but did not find any particularly good explanations.

Appreciate your help.



Thursday, November 12, 2020

Ignitenet? Anyone ever used them?

for a little background: (feel free to skip to the Bold TL;DR in paragraph 6)

I've been using Ubiquiti gear for the last few years (I know, eye-roll. I'm finally there too). I'm becoming less and less happy with their hardware, software, and support quality. Simple stupid bugs that shouldn't exist go ignored for months or longer, and if you actually need support, there is no one to call about it; you have to post in the forums or submit a ticket that goes widely ignored by their nonexistent support staff. As an MSP I'm able to fix the majority of the issues on any site within a few minutes, but the issues are becoming more painful with each software release; some of my sites are significantly negative on the paid-out hours for service vs income from the MSP contract and it's getting worse and worse. Frankly I've been sick of it for a while and have started shopping for alternatives.

Meraki, no. I've worked with it, I'm not a fan. Mediocre hardware at best, ridiculous price point on said hardware and recurring licensing costs with kill switches. Many of my existing clients already decided against Meraki before I ever entered the picture, so it's not a good fit for me.

I initially discovered Datto Networking, but I saw a LOT of negative feedback about their product line here on Reddit, so I've nixed that unless things have significantly changed...

I also discovered the Aerohive / Extreme A3 platform, but at $10,000 base + $7000 for 1000 devices... $17,000 a year is upside down without renegotiating every contract I have. Also a little too steep for me right now.

Aruba has a cloud platform, but it seems Meraki-ish in how it prices yearly device licensing. I'd prefer something that I wouldn't need to foot the bill on if my customer is late paying me. While a kill-switch is a motivator, it also makes clients hate you (loop back to why most of my customers despise Meraki).

TL;DR:

That's when I stumbled on Ignitenet Fusion switches and Sunspot and Spark access points. Their hardware is not unreasonably priced, and their EC cloud subscription is at an MSP level rather than a customer or device level, and priced really reasonably at that. I've set the cloud up as a trial to play with the feature set and I'm not unimpressed with the offering... however, I've been unable to find a single review online for their equipment or their cloud platform. While the offering looks nice on paper, I'd be interested in hearing some actual feedback before buying any test units to bench and play with at the office.

The predominant usage is SMB WiFi and Switches with the switches being used to backbone not only the network, but Camera and Phone Systems as well, so POE reliability is essential and traffic metrics are key for problem tracing.

I am open to other solutions as well and would appreciate any feedback on the other listed platforms or others i have not considered.

Thanks in advance.



Mikrotik vs Cisco

Hello, in my research of routers I got to these two: Cisco RV345-K9-NA vs Mikrotik RB4011iGS+RM

Questions:

1) There seems to be an issue with the Amazon site, where they're mixing up 16 port with 8; this model line has either 4 or 16, but it still kinda scares me

2) Which one would you choose? The company is very small, around 6 ppl, internet 500 to 1gbps, didn't decide yet.



Best Enterprise 40/100GBe switches for home lab

What are the recommendations for 40GBe and 100GBe?

I've seen a lot about Arista, but would love some solid recommendations.

Thank you!



Small Biz VPN options

Hello

I do work for a small non-profit (read: no money) and they need to add a VPN for mobile users. They have an AD backend and just a cable internet connection. Their ISP does not do VPN solutions, so they asked me.

I checked out WatchGuard and a couple from Amazon but was wondering if anyone had any preferences. Are there any that don't require license renewals every 1-3 years?

thanks



Multicast routing only working one direction

So a while back I was getting multicast routing set up on my Cisco Nexus 7k and an ASR 920 for audio over IP. I got that all set up and working great, but only in one direction, and I can't figure out why it won't work both ways.

This is the basic setup

Mcast sender & receiver <--> Nexus 7k <-- "private WAN" --> ASR920 <--> mcast sender & receiver

I can get multicast to go from the Nexus site to the ASR site, but NOT from the ASR site to the Nexus site. I'm sure it is some really simple config issue that I am just missing, but these ASR routers are not what I am used to, so I'm not surprised.

Here are some config snips

Nexus PIM config

  !Command: show running-config pim
  !Time: Fri Nov 13 03:09:13 2020
  version 6.2(2)
  feature pim
  ip pim rp-address 172.xx.x.2 group-list 224.0.0.0/4
  ip pim ssm range 232.0.0.0/8
  interface Vlan300
    ip pim sparse-mode
  interface Vlan3001
    ip pim sparse-mode
  interface port-channel300
    ip pim sparse-mode
  interface port-channel2000
    ip pim sparse-mode
  interface port-channel2000.2
    ip pim sparse-mode

Nexus PIM neighbor (the IP is the expected neighbor IP)

  PIM Neighbor Status for VRF "default"
  Neighbor     Interface           Uptime    Expires   DR        Bidir-   BFD
                                                       Priority  Capable  State
  172.xx.x.2   port-channel2000.2  04:36:06  00:01:44  1         no       n/a

Nexus PIM RP

  sh ip pim rp
  PIM RP Status Information for VRF "default"
  BSR disabled
  Auto-RP disabled
  BSR RP Candidate policy: None
  BSR RP policy: None
  Auto-RP Announce policy: None
  Auto-RP Discovery policy: None
  RP: 172.xx.x.2*, (0), uptime: 13w5d, expires: never,
    priority: 0, RP-source: (local), group ranges: 224.0.0.0/4

ASR PIM config; it's enabled on all appropriate interfaces, I just didn't show that here.

  ip pim rp-address 172.xx.x.2
  ip pim ssm default
  ip multicast-routing distributed

ASR PIM neighbor (the IP is the expected neighbor IP)

  Neighbor     Interface  Uptime/Expires     Ver  DR
  Address                                         Prio/Mode
  172.xx.x.1   BDI2002    04:39:01/00:01:19  v2   1 / G

ASR PIM RP mapping

  PIM Group-to-RP Mappings
  Group(s): 224.0.0.0/4, Static
      RP: 172.xx.x.2 (?)

Feel free to ask for more info, I'll be fiddling with this for a while tonight

Thanks in advance!



What is the most comprehensive wireless site survey equipment on the market today?

If this isn't the best sub for this please let me know. I see that Ekahau is highly recommended but as far as I know that only measures wifi. Is there a product available today that can detect other wireless technologies like Bluetooth, Zigbee, GSM, and more all on one platform? Now I HAVE seen a product like this but unfortunately, it is not commercially available.

If one doesn't exist I'm thinking of making one.



How does ARP work on Cumulus?

Hi all, I ran into a weird (I think) issue recently with Cumulus and wonder how they do ARP. One server is connected to our Cumulus switch on an access port, let's say VLAN 100. The SVI for VLAN 100 is 1.1.1.1/24 for example, and the server has an IP of 2.2.2.2/24.
Somehow Cumulus learns the IP of the server. Is that normal?? Have I been understanding ARP wrongly all this time?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Cradlepoint WiFi as WAN Connection - Can't Connect When There is No Encryption

We use Cradlepoint routers for our remote users (they work at client sites). In the event that there is no working ethernet port, we use the WiFi as WAN feature with cellular failover. Although it is not common, a couple of our sites have guest WiFi with no encryption. When we try to make the connection, we are unsuccessful. Anytime the security is set to None, we get the following message:

Your settings could not be applied.

Invalid field: wpacipher

Reason: Invalid Option

Is there something that I'm missing or some way to get this to work? This is on the IBR1100LP6 router.



Route-Map Odd Behavior

We have a Cisco 1921 running IOS 15.4(3)M4 that lands a tunnel to a cell carrier that we have a private APN on. We were having an issue where a specific device was attempting to communicate to a server on the internet and RST packets were reaching our firewall but no SYNs. Packet captures on the 1921 shows that RST from this device were egressing to our internal network (gig0/1), but SYNs from this device were egressing via the 1921's connection to the ISP (gig0/0). Adding a new entry at line 1 of the ACL in the route map fixed the problem, but as far as I can tell, this traffic should already have been caught by the ACL (and indeed RSTs were... but not SYNs). Does anyone have any ideas what might have been wrong? I've been staring at this for hours and can't see the problem.

Interesting traffic is 10.70.81.114 -> Internet on tcp/80, tcp/22221, and tcp/22222

Here's some of the config:

show ip route
  0.0.0.0/0 via <ISP on gig0/0>
  10.0.0.0/8 is variably subnetted, 121 subnets, 6 masks
  10.0.0.0/8 via 10.192.1.2
  <various /26-30s in 10.70.73.0-10.70.82.255>

show route-map
  route-map CELL-MOBILE-INET, permit, sequence 10
    Match clauses:
      ip address (access-lists): CARRIER-MOBILE
    Set clauses:
      ip next-hop 10.192.1.2
    Policy matches: lots

show access-lists CARRIER-MOBILE
  Extended IP access list CARRIER-MOBILE
    1 permit ip host 10.70.81.114 any
    10 deny ip 10.70.81.128 0.0.0.15 10.0.0.0 0.255.255.255
    20 deny ip 10.70.81.128 0.0.0.15 172.16.0.0 0.15.255.255
    30 deny ip 10.70.81.128 0.0.0.15 192.168.0.0 0.0.255.255
    40 permit ip 10.70.81.128 0.0.0.15 any
    50 permit ip 10.102.100.0 0.0.0.255 any
    60 permit ip host 10.70.81.147 any
    70 permit ip 10.200.0.0 0.0.255.255 any
    80 permit ip 10.70.74.128 0.0.0.15 any
    90 permit object-group VENDOR-SERVICES object-group VENDOR-DEVICE-NETS object-group VENDOR-SERVERS
    100 permit ip 10.70.81.112 0.0.0.15 any

object-group VENDOR-DEVICE-NETS
  192.168.20.0 255.255.255.0
  10.70.73.48 255.255.255.240
  192.168.110.0 255.255.255.0
  10.70.79.160 255.255.255.224
  10.70.77.224 255.255.255.240
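A first-match evaluator for the plain `ip` entries of an IOS extended ACL, added here as an example (not the poster's code or a Cisco tool) to check which entry a given source/destination pair hits under wildcard-mask semantics. The ACL text is copied from the post, with the poster's later line 1 fix kept separate; the object-group entry at line 90 is reported as skipped because its member groups are not shown, so a real router could match there before reaching line 100. The destination 203.0.113.10 is a constructed placeholder for an internet address.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple


class Ace(NamedTuple):
    seq: int
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


_ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s*(.*)$")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard (1 bit = don't care) -> network. Inverting it gives a
    netmask; ipaddress rejects non-contiguous masks with ValueError."""
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    # strict=False masks off any host bits in 'addr', as IOS does when storing the ACE
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def _take_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> Tuple[List[Ace], List[int]]:
    """Return (parsed ACEs in order, sequence numbers that could not be evaluated)."""
    aces, skipped = [], []
    for line in text.splitlines():
        m = _ACE_RE.match(line)
        if not m:
            continue                                  # header lines, blanks
        seq, action, proto, rest = m.groups()
        if proto != "ip":                             # object-group / tcp / udp entries
            skipped.append(int(seq))
            continue
        src, rest_tokens = _take_addr(rest.split())
        dst, _ = _take_addr(rest_tokens)
        aces.append(Ace(int(seq), action, src, dst))
    return aces, skipped


def first_match(aces: List[Ace], src_ip: str, dst_ip: str) -> Optional[Ace]:
    """First ACE whose source and destination both contain the packet; None
    means the implicit deny at the end of every IOS ACL (no policy routing)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace
    return None


# Constructed copy of the post's ACL as it stood before line 1 was added.
ACL_BEFORE_FIX = """\
Extended IP access list CARRIER-MOBILE
    10 deny ip 10.70.81.128 0.0.0.15 10.0.0.0 0.255.255.255
    20 deny ip 10.70.81.128 0.0.0.15 172.16.0.0 0.15.255.255
    30 deny ip 10.70.81.128 0.0.0.15 192.168.0.0 0.0.255.255
    40 permit ip 10.70.81.128 0.0.0.15 any
    50 permit ip 10.102.100.0 0.0.0.255 any
    60 permit ip host 10.70.81.147 any
    70 permit ip 10.200.0.0 0.0.255.255 any
    80 permit ip 10.70.74.128 0.0.0.15 any
    90 permit object-group VENDOR-SERVICES object-group VENDOR-DEVICE-NETS object-group VENDOR-SERVERS
    100 permit ip 10.70.81.112 0.0.0.15 any
"""
ACL_AFTER_FIX = ACL_BEFORE_FIX.replace(
    "CARRIER-MOBILE\n", "CARRIER-MOBILE\n    1 permit ip host 10.70.81.114 any\n")


def matching_seq(acl_text: str, src_ip: str, dst_ip: str) -> Optional[int]:
    """Convenience wrapper: sequence number of the first matching ACE, or None."""
    aces, _ = parse_acl(acl_text)
    hit = first_match(aces, src_ip, dst_ip)
    return hit.seq if hit else None


if __name__ == "__main__":
    aces, skipped = parse_acl(ACL_BEFORE_FIX)
    print("skipped (object-group) entries:", skipped)
    for src, dst in [("10.70.81.114", "203.0.113.10"), ("10.70.81.130", "10.1.2.3")]:
        print(src, "->", dst, "=>", first_match(aces, src, dst))
```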


Need VPC for backup server. Have old VPC would like to change. SoP?

Basically gonna vPC two 10Gb ports on our 9Ks, 1 on A and 1 on B, into a vPC.

There is an old vPC from our old UCS that is disconnected. How would I go about changing the vPC? Change the PO interface on each 9K, change the actual single interface on each 9K, or both? Do I need to shut them down first?

What's the best SoP to do this?



EVPN+VxLAN Anycast-gateway question

I have an EVPN+VxLAN (including vPC for VTEP) network without Anycast Gateway. All my VLANs/VNIs are pure L2VNI because of legacy design. The gateway for all my VLAN hosts is a centralized Cisco ASA firewall (for security reasons). Now I am planning to enable the suppress-arp feature, but the Cisco document says you need to have an L3VNI/Anycast Gateway, otherwise it will create unknown issues. For testing I enabled arp-suppression and found very strange issues with DHCP packets: it created a broadcast storm. (So Cisco was right.)

For more experimenting I created an Anycast Gateway with a foo IP address like 10.0.0.4/24 just to satisfy Cisco's L3VNI requirement for arp-suppression. (The gateway for all my VLAN hosts is still the Cisco ASA.)

It looks like it works; I am not seeing any of the flooding in the network which I noticed earlier.

Question: is it OK to have an anycast gateway on any foo IP address with hosts still pointing to the Cisco ASA?



Best way to automate retrieving config data for facts that Ansible modules currently don't support?

What is a good way to automate retrieval of network device config/state details? In some cases Ansible network modules fall short, like reporting the VRFs interfaces are bound to.



Alternative to Confluence for IT documentation.

Atlassian is moving Confluence away from smaller self-hosted servers into the cloud, leaving behind the customers that for some reason do not want to move their documentation into the cloud or take the self-hosted Data Center Confluence route.

The reason I liked Confluence was its WYSIWYG editor; wikis have a tendency to be a bit difficult to use. E.g. pasting images was a nice feature of Confluence, in addition to pasting all types of rich content (PDFs, draw.io, mindmaps and so on), easily making web grids / columns to organize the content, templates for new articles, and all the other nice features of Confluence.

I am left with the question of what to do next, since we don't want to move our documentation into the cloud and self-hosted DC Confluence is a bit too expensive.

Do you guys know of any good self-hosted easy to use alternatives to Confluence?

Edit: I can also clarify that it is the OneNote feel of Confluence that I also liked. I felt Confluence used to be a perfect match between "OneNote"-ness and "Wiki"-ness. The domain of our installation is "note.domain.net", because you can go in there and make a "note of things", which can become good documentation given time.



INTERNET-CORE-ACCESS

Hi to all,

I have a weird experience on my network setup.

Below link is the image.

https://imgur.com/DJoEYj6

I wonder why, if I connect my ISP router to the core, the internet works, but if I connect it to the access switch, the internet does not work.

I'm not getting any IP from the DHCP in the router if it is connected to the access switch, hence I cannot connect to the internet.

Thank you



Short ~10cm OM3 fibre

Does anyone know of a vendor selling short LC-LC patch cables for connecting switches 1U apart?



What Access Points would you use

I work in a small enterprise environment. 10 locations all within the same state. ~450 employees total. We currently utilize Aerohive (now Extreme). We have ~90 access points with 20 of them being utilized outdoors.

As we prepare to budget next year, I'm curious if we should look to other vendors. We're due to replace 1/3 of these APs this year due to them going end of life/support. We are also due to renew licensing for all ~90 of them this year as well.

For reference, ~20 of these are outdoor APs covering storage lots. ~30 of them are in Warehouse/shop space with high ceilings. Those that remain are in normal office space areas.

If you were in my shoes what would you look into?

We're obviously trying to shave operational costs down due to COVID. Would you even remotely consider going the Unifi route? Are their APs stable enough to run in production at this quantity? Would a single management server be enough to handle this many APs? I figure even with the lack of support, I could buy extras to have on the shelf for replacements. We currently have several of their wireless bridges in place without any issue over the last couple of years.



Point-to-Point (logical) Connection from NY to London

Hey all.

Want to pick your brains here. If you worked for a company in New York that just acquired another company in London, and wanted to get a basic connection into their network, barring any costs and being vendor agnostic, what technology/technologies would you utilize to make that connection?



[BGP] Usecase for as-path ignore?

So I'm currently going through some INE labs for CCNP/CCIE and I've come across the BGP Bestpath Selection - AS-Path Ignore lab. I am struggling to think of a real-world use case for using this command, can anyone share some insight as to when you would use this?



SFP+ question.

What is the difference between SFP+ ports and regular copper ports? I'm asking this question because I want to buy a switch with 10 gig ports, but don't know if only SFP+ ports are capable of 10 gig or if I can get it with traditional copper ports.



Recommended open source knowledge base?

Hello networking peeps!

Can you please recommend to me any open source knowledge base platform that can be installed on-prem? It would be better if you can share your experience with it.

Currently on my list would be:

- Wordpress with WIKI theme (last option)

- Confluence

P.S. I work in an ISP environment, so a knowledge base with built-in diagram/map tools would be ideal.

Thanks!



Ssh-1 from Cisco nexus

I want ssh to a Cisco ASA (ssh1) from a nexus9000(ssh2). Is there a way to specify ssh version on nexus? Tnx



ASR1004 and license

Dear community,

I have a small question here concerning the ASR1004 and bandwidth.

I'm willing to have at least 20G bandwidth on this chassis and I wonder if a simple config with an RP2 processor and ESP20 would do, or if I need to implement any license? In the bundle the Advanced is included.

Thanks in advance for your answer,



Future of networking

Just wondering what the future of networking jobs is going to look like. I'm talking about 5-10 years from now. With things like Cisco DNA Center, automation in general, ... everything is getting easier to manage and control. In the near future this will become better, cheaper, easier, faster, more widely adopted, ...

Just trying to start a debate about what the shift in daily tasks will be.



Catch 22 Routing with IP SLA tracking?

Hey there, I'm currently faced with a paradoxical issue where we want to monitor a link for its service/connectivity availability. However, when the service is down, the route to it will be removed so it can fail over to a different network.

The situation, however, is that by default the network in question (let's assume 8.8.8.8) is not reachable unless a static route to it is configured.

But this same static route is supposed to be deleted if the route comes down. (There's static route redistribution in the L3 switch here, hence the route change propagates through the entire network.)

This leads to a situation where, without the route, it cannot do an IP SLA check on its availability, hence the route will never be installed.

Is there a solution for this? Thanks!

TL;DR -
We want this:
ip sla 1 up - install route
ip sla 1 down - remove route

But we have this:
ip sla 1 - forever down, because route not installed, ip sla 1 cannot reach tracked route.



LAN NETWORK SLOW

Yello Everyone.

Have been having an issue for a while now at our branch site. I am an IT administrator and have been tasked to investigate what could be making our site LAN network slow. I have a monitoring system running and everything is running optimally on the network, no red flags as such. I have been trying to narrow down what could be causing the network to slow down. Have done the following:

  1. Removed all users from accessing the internet. Users access the internet via MPLS connecting to our head office.
  2. Monitored traffic closely in case of any hiccups.
  3. Captured traffic and analysed it using a packet capture tool, using both Wireshark and Colasoft.

Have tried to check on all aspects above but cannot seem to find what could be causing network congestion such that users cannot access SYSTEM.

Would appreciate any input.

Regards.



Intra subnet traffic forwarding

Hi net mates, I'm losing a considerable amount of my mind on this:

https://imgur.com/hAcdzdU

I need to send all the traffic to the customer app server, for this to be processed (analyzed, policed, shaped...). Let's say customer terminal-01 talks to customer terminal-02. A PBR is applied on VRF-A customer-ce. This brings traffic to VRF-B. Here a route lookup is performed and communication between the terminals would not reach the server. I would have no landing interface on VRF-B where to apply a PBR to push traffic forward.
I see a solution using half-duplex VPN, but this would double the VRFs and links between them to separate the two forwarding planes (forward and return).

Do you have any suggestions?



How do Wix and Squarespace manage their SSL certs?

Hey guys, a friend recommended that I post here to ask what the best practice is for managing huge amounts of SSL certs for a CDN outside of our cloud service.

I currently run a SaaS that's similar to things like Wix, Squarespace, etc. and want to change CDNs from CloudFront as soon as possible due to their pricing. However, we realised that issuing and managing SSL certs at the scale we want would be a huge problem.

How do players like Wix/Squarespace do this?



Wednesday, November 11, 2020

MikroTik

Hello,

My question is quality related about Mikrotik RB4011iGS+RM

I am interested to know about failure rates, stability, quality etc of the device



What do you use automation/python for and what do you use CLI for?

Hi, around March this year I spent about 4/5 months teaching myself Python and all the libraries that go with it for network automation (requests, netmiko, nornir, napalm etc...) and have since incorporated it into the devices we have across our sites. I mainly use it for collecting information using the equivalent of the "show" commands on the CLI, either through netmiko/JSON or a REST API and JSON output. I have also written a couple of neat little applications that interact with our devices, but I find myself for the most part using the CLI to build an actual new switch/router/firewall from the ground up if we get new equipment in (or a GUI if it's something like Firepower). Or if I'm doing a sensitive job like changing the allowed VLANs list on a trunk link that could go down and cause massive failures for the company if that port-channel is misconfigured. I almost always use the CLI on the devices for this and not an API call and piece of code. Mainly for peace of mind and safety reasons, and because it's usually quicker and you have all your show commands and log messages on screen straight away if needed. I do use automation more and more for things now, but for bigger builds or bigger config changes I will almost always use the CLI.

Is anyone else in the same boat or are some completely different?

Thanks 😊



BGP Routing and Physical Interfaces

I’m running into issues where addresses in the public prefixes we announce upstream were used on point-to-point interfaces between router and firewalls. This is looking to potentially cause issues with adding additional interfaces and withdrawing prefixes when certain interfaces go down.

I vaguely remember a general guidance to use a separate prefix for infrastructure (e.g. point-to-point router interfaces, point-to-point firewall interfaces) and route the separate prefixes for "user traffic" using static, OSPF, iBGP, eBGP over that.

Does that make sense?

What do you guys do?



Question a new Netflow type of solution

I want to improve visibility of flow type traffic information on our network, such as what network traffic and protocols are in use, top talkers etc. We are just a single large campus with, from the Internet edge inwards, two standard Cisco ISP WAN routers (HSRP), then a checkpoint firewall cluster that sits behind those two routers, and then two Cisco core switches that sit behind the checkpoint firewall cluster. I'm only interested in deploying a solution for this at the edge of our network, and ideally as close to our WAN links as possible. We've never had netflow or anything similar previously, so starting from scratch I'm wondering what's the best tools to use you'd recommend? That's my first question.

My second question is where would you normally deploy these tools? I don't have any management access to the ISP routers, and I don't know if it's recommended or whether it's worth pursuing a solution which involves polling those? I've no idea! ...Or would it be more common to deploy something a little further inside the perimeter, on the firewall cluster for instance?

Thanks as always.



connecting through multiple public facing IPs

Hi all,

I'm having a problem; I have three Honeywell fob panels, two of which are on the same public-facing IP and another on a second public-facing IP. What's going to be my best option for getting the two panels to talk to the other? DMZ through the Comcast modem? I feel like I am lost! lol.



Python to generate ISIS ISO ID

Hoping to save myself some headache and not recreate the wheel here. Has anyone found or created a script to take an IPv4 address and generate an ISIS ISO ID from it?

Example would be:

192.168.1.1

to

192.168.001.001

to

1921.6800.1001

to

49.000.1921.6800.1001.00

The split & replace method is pretty straightforward for most of this; the only part I am trying to wrap my head around is filling in the leading 0s when the octet is shortened.

The exploded method in the ipaddress library doesn't work with IPv4 addresses, only IPv6.
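An added example (my code, not the poster's) of the conversion described above: each octet is zero-padded to three digits with a format spec, which handles the leading-zero case the post asks about, and the 12-digit string is regrouped into the system ID. The area `49.0001` and the NSEL `00` are assumed defaults; the post's own example uses a different area string. A reverse function is included for decoding system IDs seen in IS-IS neighbor output.

```python
import ipaddress


def ipv4_to_sysid(addr: str) -> str:
    """192.168.1.1 -> '1921.6800.1001': pad every octet to three digits
    (192 168 001 001), join to 12 digits, then regroup as three 4-digit blocks."""
    ip = ipaddress.IPv4Address(addr)              # raises ValueError on bad input
    digits = "".join(f"{octet:03d}" for octet in ip.packed)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def ipv4_to_net(addr: str, area: str = "49.0001", nsel: str = "00") -> str:
    """Full NET: <area>.<system-id>.<NSEL>. The area value is an assumed
    private-AFI default; pass your own area string as needed."""
    return f"{area}.{ipv4_to_sysid(addr)}.{nsel}"


def sysid_to_ipv4(sysid: str) -> str:
    """Reverse mapping: '1921.6800.1001' -> '192.168.1.1'. Only valid for
    system IDs that were derived from an IPv4 address with this scheme."""
    digits = sysid.replace(".", "")
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError(f"not a 12-digit system ID: {sysid}")
    octets = [str(int(digits[i:i + 3])) for i in range(0, 12, 3)]
    # IPv4Address re-validates, so a 3-digit group above 255 is rejected
    return str(ipaddress.IPv4Address(".".join(octets)))


if __name__ == "__main__":
    for loopback in ("192.168.1.1", "10.0.0.5"):
        net = ipv4_to_net(loopback)
        print(f"{loopback:>15} -> {net} -> {sysid_to_ipv4(net.split('.')[2:5][0] + '.' + net.split('.')[3] + '.' + net.split('.')[4])}")
```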



Advanced tcpdump packet inspection question

Hopefully someone here is wiser than me with analyzing raw packets.

Here's what I'm trying to do. I have traffic coming to a web server via a reverse proxy. So my server only sees the IP of the proxy, not the original client IP. For that, I'm using proxy protocol v2, so in my application I'm able to get the raw client IP.

That means somewhere in the packet header the original client IP is contained. I'm trying to "spot" or find that client IP in real time using tcpdump. Problem is I don't exactly know what to look for. For example, say I know of a client IP of 5.6.7.8, what would that look like in tcpdump?

The reason for this is I'm trying to implement iptables to block "bad" traffic. Since iptables only sees the IP of the proxy server, I thought I could use the string match to drop packets that match the client IP as specified in proxy protocol, but I don't know how it looks or is formatted.
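An added example (not the poster's code or any particular proxy's implementation) that builds and parses the PROXY protocol v2 binary header so you can see exactly what the client address looks like on the wire: after the 12-byte signature, a version/command byte, a family/protocol byte and a 2-byte length, the client IPv4 is four raw bytes at offset 16, so a client of 5.6.7.8 appears as `05 06 07 08` in a hex dump. Sample addresses and ports below are constructed.

```python
import socket
import struct
from typing import NamedTuple, Optional, Tuple

# Fixed 12-byte signature that starts every PROXY protocol v2 header.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION = 0x20          # high nibble of byte 12
PP2_CMD_LOCAL = 0x00        # low nibble of byte 12: health check, carries no client address
PP2_CMD_PROXY = 0x01
PP2_FAM_INET = 0x10         # high nibble of byte 13
PP2_FAM_INET6 = 0x20
PP2_PROTO_STREAM = 0x01     # low nibble of byte 13 (TCP)
IPV4_CLIENT_OFFSET = 16     # signature(12) + ver/cmd(1) + fam/proto(1) + length(2)


class ProxyInfo(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def build_pp2_header(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Encode the IPv4/TCP PROXY header the proxy sends once, as the first
    bytes of the TCP payload, before any application data."""
    addrs = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
             + struct.pack("!HH", src_port, dst_port))
    return (PP2_SIGNATURE
            + bytes([PP2_VERSION | PP2_CMD_PROXY, PP2_FAM_INET | PP2_PROTO_STREAM])
            + struct.pack("!H", len(addrs))
            + addrs)


def parse_pp2_header(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Return (client info, remaining application bytes). Client info is None
    for a LOCAL command. Any malformed header raises ValueError; a receiver
    should close the connection in that case rather than guess the client."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("no PROXY protocol v2 signature")
    ver_cmd, fam_proto = data[12], data[13]
    if ver_cmd & 0xF0 != PP2_VERSION:
        raise ValueError("unsupported PROXY protocol version")
    (length,) = struct.unpack("!H", data[14:16])
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY protocol header")
    body, rest = data[16:16 + length], data[16 + length:]
    command = ver_cmd & 0x0F
    if command == PP2_CMD_LOCAL:
        return None, rest
    if command != PP2_CMD_PROXY:
        raise ValueError("unknown PROXY protocol command")
    family = fam_proto & 0xF0
    if family == PP2_FAM_INET:
        if length < 12:
            raise ValueError("IPv4 address block too short")
        src, dst = socket.inet_ntoa(body[0:4]), socket.inet_ntoa(body[4:8])
        sport, dport = struct.unpack("!HH", body[8:12])
    elif family == PP2_FAM_INET6:
        if length < 36:
            raise ValueError("IPv6 address block too short")
        src = socket.inet_ntop(socket.AF_INET6, body[0:16])
        dst = socket.inet_ntop(socket.AF_INET6, body[16:32])
        sport, dport = struct.unpack("!HH", body[32:36])
    else:
        raise ValueError("unsupported address family")
    return ProxyInfo(src, sport, dst, dport), rest


def client_ipv4_bytes(data: bytes) -> bytes:
    """The four raw bytes a capture shows for the client IPv4 of a PROXY header."""
    return data[IPV4_CLIENT_OFFSET:IPV4_CLIENT_OFFSET + 4]


if __name__ == "__main__":
    hdr = build_pp2_header("5.6.7.8", 40000, "10.0.0.1", 443)   # constructed sample
    print("header hex:", hdr.hex(" "))
    print("client bytes at offset 16:", client_ipv4_bytes(hdr).hex(" "))
    print(parse_pp2_header(hdr + b"GET / HTTP/1.1\r\n"))
```

Note that the address appears only once per connection, in the first payload segment, and as raw bytes rather than dotted text, so a payload string match on later segments of the same connection sees nothing.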



Could someone give me a sanity check on this advice I just gave to a colleague/friend?

They have a fibre optic connection from a local ISP, going into a media converter with a Unifi UDM-Pro. It is then connected to an antenna which sends a signal ~2km to the other antenna, which then connects to the WAN port of the router doing PPPoE authentication.

Equipment setup is a Ubiquiti Rocket Prism 5ac Gen2, wirelessly connected to a PowerBeam Gen 2 > connected to a WAN port of the Unifi UDM-Pro. He needs access to the private IPs "on the WAN side".

First off I've never dealt with Ubiquiti equipment, or a setup like this.

My initial suggestion since he asked me about NAT was using NAT overload, but then as I read more carefully and saw I may have had this setup backwards, other thoughts of mine would be a VPN to access the private network or static route on the destination router.

The antennas need to communicate with Ubiquiti Servers for UNMS to function and he says he needs management access locally as well.

Crude topology diagram I was provided https://photos.app.goo.gl/pMu4itgoXmeUSnyt8



McAfee KB Article

Could someone with a McAfee account please copy/paste what is in this KB article? I'm trying to troubleshoot an issue on an IDS which I think is related to this update.

Signatures: UDS for Multiple Vulnerabilities.

KB55447



Cisco 1001x Firewall

Greetings All, We usually use Palo Alto firewalls for our remote offices but it seems one has gone down. I know the router there, a Cisco 1001x, has a firewall license attached to it. I have little experience with Cisco firewalls so I apologize if this is a silly question, but is that a virtualized firewall or is it a CLI firewall? There is no GUI and it has to be administered via the CLI? Is that correct? It does not matter either way as we need something up and running before we can get a replacement PA box. Thanks and cheers!



100% packet loss on PingPlotter under asymmetric routing?

Hi All,

I'm currently experiencing an issue right now with PingPlotter detecting 100% packet loss on two of the hops within a minute.

> Just to give some concise details, the setup has 2 private lines connected to different service providers. From source IP 172.8.96.100 to destination IP 10.63.3.14 we are forwarding the traffic toward the MPLS circuit on provider #1 while the return traffic goes to the other line/provider.

> From the PingPlotter result we've detected packet loss on hop 6 and hop 7, and from the topology you can see the PingPlotter result is just a forwarding result while the return traffic may route over a different path, which means the routing flow is asymmetric.

> Limited in capturing the reverse trace from destination to source IP since I have no access to the destination server and other networking devices.

> From Site A - CE1, no disconnection noticed on its routing protocol facing hop 4 and hop 6.

View the topology and PingPlotter result here: https://imgur.com/AVBIUrq

Question:

  1. How does PingPlotter work? Does the source IP on which the app is installed send a ping to every hop, and each hop sends a reply back to the source IP to determine the packet loss and latency?

It seems like the issue falls on the return traffic; for now I just need to understand how PingPlotter works so that I can defend our network, in which traffic is being forwarded from src to dst IP.

Thanks



VDSL Vectoring

Hi everyone

Recently I discovered that my router (that is acting as a bridge) does not support vectoring. I would like to purchase a new one, but I got confused a bit..

What VDSL2 standard should I look for if I need my router to support vectoring? Also... I need it to support the G.993.2 35b profile. At first I thought that G.993.2 is vectoring, then I discovered G.993.5, which is G.vector...

What do I need to look for? Just 993.2 or 993.5?

Thanks



Looking at Ditching Cisco Firepower

So we currently have a Cisco Firepower 2110 with an FMC. But lately we have been having problems with the firewall crashing randomly. I have had call after call with Cisco TAC, two levels of engineer, and the developers cannot figure it out. So my boss suggested looking at other brands. I am a CCNA and have been brainwashed by Cisco so I do not know much about other brands. I am needing suggestions on brands (Fortinet, Palo Alto, Sophos, etc.); what do y'all use? We currently have a 1 gig connection but are looking at maybe increasing it to 2 gigs, so it would need 10 gig SFP+ to do that. I work for a K-12 school district so money is a big factor and we only have about $20k to $25k to spend. I have heard good things about Palo Alto but I don't think they are in our price range. FortiGate looks good but I need something that is easy to set up and configure. What do y'all think?



Fortigate slow SSL VPN throughput

Hi there,

We have some very slow SSL VPN throughput with our Fortigate 60E. I get less than 1 Mbit download speed from our storage. I tested the download through the LAN and get the full Gig. Checked the uplink to the Fortigate but it's sitting at less than 100 Mbit/s. Checked my own internet connection and get 20 Mbit/s for downloads. There are only 10 SSL VPN users connected currently.

Is that slow speed over SSL VPN normal for the small Fortigates?



WLC 2500 problem

Hi to all,

We are using cisco WLC 2500 Series in our network.

However, I noticed that every time the WLC reboots the time changes to year 2000 and the APs disassociate from the controller. The configuration of the WLC still remains after it boots, except for the time and date settings, which need to be manually set again. I haven't set any NTP yet on this.

These are the information:

Software Version- 8.3.143.0

Field Recovery Image Version - 7.6.101.1



Decommissioning Riverbed WAN accelerators.

Hi all,

Company is decomming the old Riverbed WAN acceleration appliances. We are starting to get some minor complaints.

Does anyone know any cheap alternatives for those exceptions? Something like a web browser extension that compresses packets or a Cisco IOS WAAS equivalent? There must be a solution out there I am not aware of.



Load balancing over two ISPs

Diagram: https://i.imgur.com/Xuox0p9.png

I'd like to balance traffic from the clients over two ISPs, so I'm wondering if the design in the diagram is valid or if I'm just over-engineering it. I'd like to be able to use the bandwidth of both ISPs, but also get traffic locally on the correct firewall (two groups of the devices are in different cities), and to send traffic to different SaaS services etc. depending on which ISP has the better response time. It seems that, for example, ISP 2 has lower latency towards sharepoint.com.

Idea is to advertise first /24 with shorter AS path to one ISP and longer to other, then vice versa at the other city. ISPs advertise default + specific routes and the plan here is to import/export the default route between our VRFs. In the upper city I'd prefer the upper city ISP 1 default route over the ISP 2 default route. So that in the event that ISP 1 router is disconnected, I would still have default route in the ISP 1 VRF.

Firewalls are Fortigates so I can bundle both ISP uplinks to a single "SD-WAN interface" (as everything needs to be SD-WAN nowadays) and then apply rules to direct clients over ISP 1 or 2 depending on the traffic / response times of the ISPs and NAT the clients to those two /24 networks depending on which link is selected.

Other option is to just use single VRF and get routes from both ISPs and then just throw a coin which one to prefer by default (the one with lower latency towards M365 services probably). Simpler design but I'd lose the ability to direct traffic over best links and to utilize both ISPs. In the event one goes down we could activate stricter shaping policies to visitor network / windows updates / etc to keep the traffic below what a single ISP could handle.

Any thoughts?



Recover a putty password?

So.. I basically changed my PuTTY password but it doesn't work. I'm 100% sure that I am setting it right but it keeps denying me access, and I've even tried with the old one. Anyone know how to recover the password?



Layer 2 Stretching Options..

Massive panic this morning after my server engineer has changed his tune on whether or not we need to stretch our VLANs...

We have a multi-vendor setup, Arista cores in 2 buildings, Cisco core in the other and a Fortigate FW for internet breakout. I somehow need to stretch a few (but not all) VLANs that currently terminate on our 4500-X core across to another building with an Arista core.

Here is a super simplified, paint-powered topology of our L3 devices: https://imgur.com/a/RRlxxB0

Ideas I've had:

  • VPLS on one of the 10Gb circuits (provisioned by ISP)
    • But then what to do with the OSPF full mesh? Do I just prune a trunk between the sites to only allow the VLANs I want, and use the OSPF network for everything else??
  • Put another Fortigate in at the far side and do VXLAN over IPsec
    • Can I even do this if the VLANs don't terminate on the Fortigate?
  • Replace the 4500-X core with something that can x-connect/l2vpn
    • That's a lot of extra cost, and time that we don't really have...

Any other ideas, or thoughts on which idea of the above is best, would be highly appreciated.



ISP set BGP local preference for our peering. Is it normal?

Hi,

We are in the process of building a new site, where we have 2 different ISPs that we have BGP peering with. One of them (ISP1) set up Local Preference for our BGP neighbors, which effectively forces traffic to our prefixes that arrives in their AS to use their exit point to our site. If we want to engineer inbound traffic with AS prepending, it has no effect (again, only for this ISP's ASN), as the LP parameter takes precedence.

Now, that applies only to this ISP1 AS, but as it's a major local Internet and mobile provider (Tier 2 ISP), there is a good chance that the majority of our clients will be connected only to their network. If we want to go around ISP1 and use the second one, we can influence our outbound traffic, but returning traffic from clients connected only to ISP1 will always use ISP1's exit point to us, resulting in asymmetric routing.

I talked about that with the ISP and they made it very clear that they will NOT route our traffic to some upstream, and if we want to use a different provider, we should stop advertising the prefixes to them.

While that is an option, it's not a good one; in case of failover manual intervention is required, etc..

Is this normal? I would expect them to be "neutral" and let us engineer our own traffic as we see fit.



PEER TO PEER on cisco wireless controller

Hello all,

I have enabled the peer-to-peer block for my guest WLAN, so that all the users connected to this WLAN will not be able to communicate with each other.

Is there any way to make some kind of exception so that I can choose some users to communicate with each other?

Thanks all.



Tuesday, November 10, 2020

GNS3 with VMware workstation and 2 VMs, getting really slow bandwidth between VMs

Hey all,

Need some help on this one. I'm running GNS3 with a Cisco switch and two VMs on Workstation. I connected the two VMs to the same switch and gave them each an IP. I am able to ping between the two and SSH as well (Linux boxes).

This all started when I tried doing Wireshark training and got Wireshark to open in one VM but do processing on the other - kinda like a Raspberry Pi running on site that you can then open over a terminal.

Anyway, I noticed it was really slow. I started iperf on them and I'm only getting barely 2Mbps between them.

What should I start looking in to?



Cisco Catalyst network module, do I need it to uplink 2 switches?

what's the pros to using a network module to uplink 2 switches? what's the downside of just using 2 access ports and configuring them as trunks? I come from a fairly small network.



Looking for pointers to troubleshoot IKEv2 routing issue

Hello guys,

I am having issues with the VPN I am using and I am unable to pinpoint the issue. I am looking for pointers for fixing things, doesn't matter the direction. I basically do not know where to start.

The short version is:

When using OpenVPN I only get 10% of my usual speeds. When I use IKEv2 I get about 65% of my usual speed.

However, when using IKEv2 there are multiple services which are not working anymore. This means that I am unable to connect to their servers. For example https://statista.com won't load anymore; it does not matter which server I use. If I use the same server with OpenVPN, it works again. There are other services like Signal, CDNs of Reddit (which is extremely bothersome) and so on. I fail to see the connection here.

Alternatively, I tried to figure out what's going on with OpenVPN. I used a lower encryption method which improved the speeds a little bit but not drastically. I used SSH to create a HTTP Proxy from the VPN and reached similar speeds as I did using IKEv2 but since I would like to tunnel all my traffic through the VPN I think this might be a wrong approach meant for other use cases.

Anyone got any input for me? Thanks in advance.



BGP Route Advertising Question

This is going to be a stupid question, I think, to a number of you, but I want to make sure I fully understand this as I need to explain how this works to someone else to avoid a fight on basic theory/best practices.

So I have router A and router B. Router A is going to eBGP peer with Router 1. Router B is going to do the same with Router 2. This is not set up yet but will be.

We control routers A and B and someone else controls routers 1 and 2.
Routers 1 and 2 are only connected to A and B as their only access to anything outside their ASN. I.e. it's their only gateway to the rest of the world.

We leased a /25 to the controller of routers 1 and 2 that is part of a larger /22 block.
We are using 2 /30 blocks to peer between routers A and 1 / B and 2.

The controller of routers 1 and 2 wants me to advertise the /25 to him so he can then advertise it back to me. But if I advertise the /25 to him via BGP and then he sends it back to me, I believe that will create a routing loop at his router, then back to me, etc. etc.
Is that correct or am I missing something?

If that's correct, then from my understanding he should advertise the /25 to me, which I'll accept, and that will be entered into my table, and I'll summarize the route to a /22 to the rest of the world. How he gets the /25 into his table to send to me is up to him.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



SPAN / Trunk Port Simultaneously?

Currently trying to find a way to SPAN traffic into a VMware environment. My physical host only has one NIC, which is currently attached to my switch and acting as a trunk.

So the question is, can that switchport act as both a trunk port, continuing to pass traffic from my VMs, as well as a SPAN monitor port for sending SPAN traffic into the server port from the switch?

Everything I've found says no, this is not possible, save for a few obscure arguments in some Cisco forums. I'm like....99% sure you either get regular switchport or SPAN monitor port, but not both. Once you set it as the SPAN monitor port, that's all it's going to be. It will no longer serve as a trunk port and pass traffic, it will only pass along the SPAN traffic.



How do DPI boxes classify network traffic?

And what do they do with unknown traffic? Does the average box flag unknown protocols specifically?



IPv6 Security - Preventing Malicious DHCP Servers

Long story short, I am currently working a finding identified by the pentest company we hire annually to check both our external and internal vulnerabilities. One such vulnerability reported to us this year was that a bad actor could set up an IPv6 DHCP server to maliciously reroute such traffic through their server and perform man-in-the-middle attacks. We're a relatively small shop that only uses IPv4 (that's a discussion for a different day) and current IT leadership doesn't want to implement IPv6. Our DHCP servers are IPv6 capable, but nothing is configured. That said, they want this remediated so we can perform a rescan soon to verify we've fixed the issues identified. All of our network infrastructure is Cisco Catalyst hardware so any changes I am looking at are strictly IOS.

I will admit that while I have a degree in CIS, my career path since college diverged from that and has taken me more into SysAdmin and leadership than the nitty gritty networking security I thought I'd do. As such I am adept but anything IPv6 is still wayyyy above my head, and I have to balance time on this with all the other daily tasks I have to help run the business.

Anyway - I recently found some info on RAGuard which, to my understanding so far, should do the trick. I've watched some videos a redditor sent my way and at least feel like I understand the concept of what it's doing. The commands I have found are:

ipv6 nd raguard policy SomeName
 device-role host
interface [interfaceID]
 ipv6 nd raguard attach-policy SomeName

Where I am struggling to understand is how this should be applied to our infrastructure, and where. The examples I saw were focused on policing a specific port where the "bad actor server" was, but didn't really tell me how it'd work in a more general way with how our network is laid out. At a high level, our networking is pretty linear, with a single ISP going through a Cisco 2921 router, a pair of HA Palo Alto firewalls, which are port-channeled to a 4-switch Cisco 3960 "core stack" (where all our servers/VM clusters are patched in). From there, we have two edge stacks of Cisco 2960X switches which each have two port-channeled fiber connections to the 3960 core stack.

With all of that said... my questions are:

  1. How is RAguard applied to the three stacks of switches so we're adequately protected? The examples I've seen focused on applying it to a host, but I see that device-role has other options. I'm not really sure what they functionally do and whether any would apply to my example.
  2. Do I need to configure our DHCP servers for IPv6 in any way? And if I do, could that negatively impact production traffic? As mentioned, we have direction to not use/configure IPv6, but my understanding is that I need to configure RAGuard to trust somewhere...

I am sure I am forgetting crucial details here so feel free to ask. I can provide anything that might help you better understand what's going on and what I am trying to do.

Appreciate the help!
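A worked policy layout for the topology described above, added here as an example and not part of the original post or of any Cisco documentation. It assumes, as the poster states, that no legitimate IPv6 router or DHCPv6 server exists anywhere on the network; the policy name HOST-PORTS and every interface range are placeholders to be replaced with the real access ports on the 2960X edge stacks and the real server ports on the 3960 core stack.

```ios
! RA Guard: drop every Router Advertisement that arrives on a host-facing port.
! device-role host means the attached device is never allowed to send RAs.
ipv6 nd raguard policy HOST-PORTS
 device-role host
!
! DHCPv6 Guard: drop DHCPv6 server messages (ADVERTISE/REPLY) from the same ports.
! device-role client means the attached device may only act as a DHCPv6 client,
! which covers the "rogue IPv6 DHCP server" half of the finding.
ipv6 dhcp guard policy HOST-PORTS
 device-role client
!
! Access ports on a 2960X edge stack (interface range is a placeholder).
interface range GigabitEthernet1/0/1 - 48 , GigabitEthernet2/0/1 - 48
 ipv6 nd raguard attach-policy HOST-PORTS
 ipv6 dhcp guard attach-policy HOST-PORTS
!
! Server ports on the 3960 core stack get the same policies: on an IPv4-only
! network a server (or a VM behind it) has no business sending RAs or DHCPv6
! replies either, so nothing needs to be marked trusted.
interface range GigabitEthernet1/0/1 - 24
 ipv6 nd raguard attach-policy HOST-PORTS
 ipv6 dhcp guard attach-policy HOST-PORTS
!
! Inter-switch port-channels need no special trust entry here: every port that
! could originate an RA or DHCPv6 reply already filters, so nothing unwanted
! reaches the trunks. If IPv6 is ever enabled, the port facing the real IPv6
! router is the one place that would get a second policy with device-role router.
!
! Verification: confirm the policies exist and list the interfaces they are
! attached to. Feature availability depends on the IOS release on each stack,
! so check these on every stack after applying the configuration.
show ipv6 nd raguard policy HOST-PORTS
show ipv6 dhcp guard policy HOST-PORTS
```

Because the DHCP servers are never marked as trusted DHCPv6 servers, they need no IPv6 configuration for this to work; the guard simply drops every DHCPv6 server message, including any a production server might one day emit by accident.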



Port Forwarding Security Question

I have a dedicated PC running Blue Iris (IP camera NVR software). It has a local web server interface that you can access to view your cameras. How insecure is it to forward a port to that web server? I know the other option is setting up a VPN, but I'm not sure of the best approach (I don't have a router with VPN built in). And also, if I set up a VPN, I'm not sure how that works for mobile devices (for alerts and stuff). Will my iPhone connect automatically when I'm away from my LAN, or what..



Aruba CX ugly SSD bug, patch now

Heads up, there's an ugly Aruba CX bug which will kill the boot SSDs.

https://www.theregister.com/2020/11/09/aruba_6300_6400_switch_os_upgrade_urgent/



The most suitable network marketing company that I found

I found the most suitable network marketing company that actually trains and assists new sign ups with recruiting downlines.

The interesting part is, your first earning drops in your DTC in a month and you can actually make the initial amount you signed up with and far much more in just a month when you follow the activities outlined (no physical prospecting, it's basically online and there's no product selling involved)

More info regarding this tomorrow.



Wi-Fi Direct accessibility to data

Hello, I have a question about Wi-Fi Direct data accessibility. You can use Wi-Fi Direct in 2 ways. One way is when both devices use Wi-Fi Direct, which is a private connection. The other way is one device uses normal WLAN and the other Wi-Fi Direct to exchange data. I use the internet connection hosted by a person, but I have my own router with a password to create a WLAN for me. Now to my question: if you send data with Wi-Fi Direct and the device which sends the data is connected to the normal Wi-Fi internet and the other device which receives the data just uses Wi-Fi Direct, is it possible for the internet owner to have access to the data sent by this exchange? I think the owner can see what I did on the internet in general (like which sites I visited), but can he see the data I sent with Wi-Fi Direct when I used his internet for it, or is the data locked somehow? I mean I didn't upload the data, right, I just sent it to a device, but I used his internet for it. I sent the data by mistake; that is why I used the Wi-Fi Direct to Wi-Fi connection unintentionally.

Best regards



Debug general question

Disclosure: I don't have much exposure to debugs, for fear of crashing a device.

I know you can redirect output to a file, but I wasn't sure if I ran the elusive "router destroyer" command "debug ip all" and redirected it to a file whether it would cause the same havoc. The documentation below seems to indicate, based on my interpretation, that printing the actual content itself on the screen is the issue. I am pretty sure that this is due to the return of the information to a singular variable in memory (I have a slight background in programming). Then again, if that was the case, I would think their suggestion of redirecting to a log buffer would not be advised, as I can imagine a log buffer is also a singular variable in memory storing the output of the debug.

In the end, my question simplified is the following:

Is it the CPU/memory's processing of the debug command that causes the router issues, or is it the output of that information to a user in the CLI session that causes issues?

Per Cisco documentation: https://www.cisco.com/c/en/us/support/docs/dial-access/integrated-services-digital-networks-isdn-channel-associated-signaling-cas/10374-debug.html#warn

Warning: Excessive debugs to the console port of a router can cause it to hang. This is because the router automatically prioritizes console output ahead of other router functions. Hence if the router is processing a large debug output to the console port, it may hang. Hence, if the debug output is excessive use the vty (telnet) ports or the log buffers to obtain your debugs. More information is provided below.



Pearson VUE pharmacy exam

I'm not sure if this is the right place to post, but has anyone taken their final pharmacy exam or any other major qualification with Pearson VUE?

In the UK the pre-registration exam for pharmacy has been switched to online and they will be doing it with Pearson VUE, so I'm just wondering about people's experiences using it.

Other questions I have for anyone who has ever used Pearson VUE:

How do they prevent cheating? For example, do they have webcams or tracking? I have no clue, so if anyone has an experience to share please do so.



Promiscuous mode on Server 2019

I am having trouble finding a good way to enable promiscuous mode on Server 2019. Found some scripts and such but no luck. Anyone know of a way?

Thanks



Choppy Audio/Video on Zoom/Go-To/Teams/etc

With the whole COVID-19 thing going on this year, our company has decided to basically cease all traveling in favor of telecommuting. We decided to go to Zoom first and then, due to our Microsoft licensing, ended up migrating everyone to Teams. When we had Zoom, I only had 21 users in North America (we operate in CA, MX, and US), but with Teams we have many more users with licenses, but not much more using them to schedule meetings. It's still generally the same people scheduling/attending meetings.

Lately I've put together the amount of complaints and it seems the users are having to call into the meetings with their cell or desk phones to get intelligible audio. And this issue worsens if people are using their cameras. Many users are still working from home and we notice a decrease in choppiness when no attendees are on site and using their home Internet. Thinking it was a bandwidth issue, we pulled our utilization report from the ISP and they confirmed we were indeed hitting our cap at times, so I doubled our bandwidth. I'm still waiting on a new utilization report to confirm if that was enough, but based on the low amount of times we were hitting our cap, I was hoping that would do it. We also had our wifi installer out on site to resurvey and test the access points and he found nothing of interest save that our switch connecting to the Internet is older and should be replaced. The switch was replaced, but we just haven't finished the migration and one of the few things still left on the old switch is that Internet connection as below:

Juniper stack >>>> fiber>>>Cisco core switch >>Ethernet>>>>Spectrum

All of the users, APs, and desk phones are in the Juniper stack, and have been for about a year. We're in the middle of removing that old Cisco switch this week, I tried to move the Internet over last night to the Juniper but there was a typo in the config so we have to try again tonight.

Assuming we get the Internet connected directly to the Juniper stack and we have Internet access this time, what else should I be looking for to solve this choppy audio/video? Should we start implementing QoS for 30-50 users on site with 200M fiber to the Internet?



Configuration policing thoughts..

A little bit background.. I'm working on making the configuration (esp access lists in Cisco and firewall filters in Juniper) consistent across 1000s of devices. Along with other configurations to be desired.

Tools I came across, but that are limited in one way or the other; either I'm doing it wrong or I'm less skilled at making them work..

  1. Batfish: my thoughts are this looks like overkill for the task that I'm doing.

  2. CiscoConfParse: it seems this needs a lot of upfront effort, but seems the right one.. heading this way currently..

Am I heading in the right direction? Or is there a simpler approach..

Did you already come across this problem? How did you solve it?



Cisco IP NAT to Single External IP Address solution

Since it took me many hours to find this solution, I figured I would post it in as many places as possible for posterity.

TL;DR

For NATing to a single external IP address, don't configure a pool of a single address, even though the router allows it. Use this approach instead:
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface gigabitethernet 0/0/0 overload

At work, we have been a big Cisco shop for decades, so I have worked on IOS, IOS-XR, IOS-XE, etc, etc. For our lab connectivity needs, we have used NAT a ton. It is simply to allow private internal networks to reach the internet for housekeeping needs, no need for CGN. Simple IP NAT with overload has served us well for years. Until the ASR.

This started about 5 years ago when we stood up a new lab. We put in beefy Cisco Switches for internal switching and beefy Cisco ASRs for our relatively minimal routing needs. Frankly it was overkill, but we were replicating a 4G LTE packet core, so why not leverage it for our internal needs as well. But we had a consistent problem with what we thought should be simple NAT. It would work for a time, then stop working. The NAT translations were there, but no traffic would flow. This was true for both static and dynamic NAT. Sometimes a reload would solve the problem (temporarily), sometimes not. But as a colleague was administering those routers, I didn't think about it too much...wasn't directly my problem.

Recently I set up another lab for testing of industrial controls. I'm using a small ASR 1001-X for my routing needs. As I need my internal workloads (VMs, containers, etc.) to be able to pull from public repos, I set up NAT on the ASR, following the documentation, such as this. The classic example of "Using NAT to Allow Internal Users Access to the Internet".

ip nat pool net-208 172.31.233.208 172.31.233.233 netmask 255.255.255.240 <------
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 pool net-208 overload
interface gigabitethernet 1/1/1
ip address 192.168.201.1 255.255.255.240
ip nat inside
!
interface gigabitethernet 0/0/0
ip address 192.168.201.29 255.255.255.240
ip nat outside
!

The examples all seem to show the same scenario: using a small range of external IPs to which to translate the internal IPs, and in this case with overload for port translation as well.

The command requires a startIP, a stopIP and a subnet (evidently to not accidentally NAT to the network or broadcast address). So I just put the same IP address into both the start and stop, essentially a pool of a single IP address. The CLI accepted it and the NAT worked...for a day or two. Then stopped.

Now, I'll admit, I'm not one to read every word in documentation, but after extended searches the only reference in the docs to the correct solution is a similar solution in the context of VRFs.

After hours of searching, I found this post. The answer, it seems, is simple, if not clearly documented.

For a single outside IP address, you don't use a pool. You use a slightly different command:
ip nat inside source list 100 interface <outside interface> overload

So the resultant example would look like this:

access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface gigabitethernet 0/0/0 overload <---
interface gigabitethernet 1/1/1
ip address 192.168.201.1 255.255.255.240
ip nat inside
!
interface gigabitethernet 0/0/0
ip address 192.168.201.29 255.255.255.240
ip nat outside
!

As soon as I made this change, NAT worked perfectly. Now, it has only been about 12 hours since the change, and it worked for a bit using the previous approach, but I suspect this will stick.

I hope that helps someone else pulling their hair out trying to figure this out. I find it odd that A) this doesn't appear to be documented well, and B) that the original pool definition approach is not rejected by the CLI. Even more, I find it super odd that my previous approach worked for a while, then stopped, never to work again.



Superscopes and gateways

If a DHCP server is configured with a superscope and starts handing out leases from the first member scope, when it runs out and moves in to the second member scope, do clients with IP addresses from that second scope effectively start using the gateway from the first scope?

I'm trying to figure out how clients with IP addresses from the noncontiguous ranges in a superscope, each with its own gateway address, access the network if there can only be one gateway address associated with the VLAN interface (typically the gateway address of the first member scope).

I'm in the process of setting this up and I'm happy with DHCP, VLANs etc., but this specific point has me stumped. I'm not sure what I'm missing here and I can't really find anything that explains it.

Many thanks



WAN p2p two redundant active links: best aggregation method?

Good morning,
I have requested from my carrier an L2 p2p redundant connection (from my HQ to my branch office). The offering is two distinct-path p2p L2 WAN connections.

Now the problem is, how can I aggregate/load-balance the traffic?
Is it a good idea to do LACP between geographically distant sites (100 km)?
Better to use L3 in some form (thinking about RIP/OSPF and leveraging ECMP)?

thank you,



Monday, November 9, 2020

ISP Start Up Goa/India

Hello guys

A few of my friends and myself are thinking about starting an ISP service in a local area. As we have veterans and people of interest on Reddit, if you guys have some time to spare I would really appreciate having some of your advice about what should be done and what shouldn't, what's good and what's bad, suggestions and stuff like that.

Thank you



1 device needs to failover between two ISPs on a Nexus Switch

Hi all,

I have one host device (video decoder appliance) that needs to have high availability. It receives data from the internet and I want to allow the device to receive data from either of our two ISP connections. The decoder only has the ability for one ethernet connection and a single IP address.

Obviously I could use a firewall or ASA to do the WAN failover and NAT in front of the decoder, however I'm wondering if instead I could use a Nexus 93180YC layer 3 switch that we have.

Note: I’m fine with the decoder living on the public internet if need be, it can be assigned a public IP.

After some research here... Here's my guess how this would have to be set up, but I'm by no means positive... the Nexus would need to have an SVI connected to ISP 1 and an SVI connected to ISP 2, with public IPs assigned to the SVIs themselves.

Then, I would need some form of NAT for the decoder? This is where I get very blurry.

Any advice or guidance here would be super helpful. Really appreciate it!



Ruckus - possible to move from one VSZ to another?

We are a Ruckus partner and wondering if anyone has ever been able to do this?

I'm trying to imagine the lowest-impact way to transfer from one VSZ to another or from a VSZ to a Ruckus cloud controller.



Azure VNet overlapping with onsite Subnets

If my onsite subnets are say 192.168.15.XXX, 192.168.16.XXX, 192.168.17.XXX and my Azure VNet is 192.168.0.0/19 (192.168.0.0 - 192.168.31.255) with Azure subnets of 192.168.18.0/24 and a gateway subnet of 192.168.19.0/27, this won't clash with each other, will it? As long as I don't use overlapping subnets on the Azure side (192.168.15.XXX, 192.168.16.XXX, 192.168.17.XXX). Thanks!



Grab iPhone VPN IP via DDNS app?

As the title suggests, I am trying to use an app (VPN Walkie app) that needs the VPN IP address, which on our network of course is dynamic. The server only supports static addresses or host names. Hoping there is a nifty app that will take the Cisco AnyConnect VPN IP and update it to a DDNS entry. Happy to pay for such a thing. Need it for like 10 years. Any ideas?



Does Imposter Syndrome ever go away?

I passed my CCNA R&S before the deadline this past January and my employer immediately promoted me off of the help desk into a new role as Network Administrator. Previously, my manager was the only person performing the networking functions for our company, but with my promotion he has passed most of those responsibilities on to me.

In the past 10 months I have been successful in implementing several projects; however, our network is pretty complex (at least to me). We have dozens of routers, some from various vendors, several firewalls, and of course many switches. Our company spans a small geographical area using direct fiber as well as VPNs. I've tried to learn the network, but it just feels so overwhelming. We have ACLs and routes pointing to all sorts of devices and no real documentation besides a generic network map. I just feel like I am constantly in a battle to keep up with what is requested of me.

Lately I have had doubts that this position is really for me. I enjoy networking, but learning on the fly like I have had to so far has me feeling lost and inadequate at times, especially when dealing with vendors. I know imposter syndrome in IT is a thing, but will this feeling ever go away?



OpenFlow manager

How do I create a blocking flow using MAC addresses between two hosts in OpenFlow manager?



Need help with network design

I am tasked with designing ASA/ACL rules for a theoretical network to make it more secure. I want to redesign the network topology as well to be more secure, am I overthinking my firewall deployment?

I can place as many assets as needed.

Initial Design

https://www.imgpaste.net/image/IjROs

My modified Design

https://www.imgpaste.net/image/IjgMq



DHCP relay and server on same network

I am trying to figure out what happens when a DHCP relay is on the same network as an active DHCP server. I want the relay to point to a different DHCP server (at a remote site), but only if the nominally active one goes down. How would the client choose between the local DHCP server and the remote one via the relay?



Cloud Proxy Print services

Anyone out there using cloud proxy print services? I have to maintain a number of S2S VPNs, and NATs and FW rules to enable printing from business partners and their solutions (for example, customers' SAP residing in Hong Kong, printing labels to my printer in Idaho). In doing research I found a lot of cloud print management, but that's not what I'm looking for. I'm hoping for something like a custom DNS name that my customer can send a job to, an engine in my network that downloads said job, and processes that job. Or anything close. Open to suggestions. TIA. OneLove



Reliable traceroute (GUI) tools

I'd like to gain some global visibility on where packets come from/go to.

Can you "see" when a packet goes through some major carrier, across a border or through the ocean? I tried some tools like visual traceroute but I think the results are not that reliable. I did a traceroute from AWS France to different locations (Russia, UK, South East Asia) and each time traceroute went to the same place in the US, then sometimes coming back to the Netherlands and then for example going to Russia. Could this be correct? I guess maybe the GeoIP database has some error where one of the intermediate routers is wrongly located in the US.

Are there any better tools?



Home brew to keep switches updated and backed up.

I don't want to pay for the Aruba.. whatever they call it so that I can manage my switches which would solve this issue. (We are primarily an Aruba shop these days).

But I don't mind spending some time setting up something that will help me to better manage and back up my switches. Right now it's a manual process to make sure they are updated, to update them, and to back them up. Which is fine, but I'm looking to make it a little better.

Any thoughts, case uses?



Azure ASA Virtual - VPN Subnet Routing

Hello All,

A great thanks again for all the wonderful help I've gotten in this subreddit. I've learned a lot here! I have another one that I'm stuck on, though.

I have an ASA Virtual in Azure. That ASA Virtual allows clients to connect on an SSL VPN for access into the environment. I want those VPN Clients to be able to route to my on-prem, which is facilitated via Azure Tunnels and BGP.

The inside interface of the ASA can ping all those on-prem resources fine, and that connectivity works great. However... I can only get the SSL VPN clients to be able to talk with on-prem resources if I NAT their IP to the inside interface of the ASA. The problem there is that the communication has to be initiated by the client, of course. I want devices in my on-prem to be able to initiate the conversation (for stuff the IT team does) to an SSL VPN client device.

If I tracert to a client IP Address from an on-prem device, I show it going through my core switch and into the Cisco ISR I use for the Azure tunnels, but I never see the traffic hit the ASA in the logs (I can see ICMP hit the inside interface if I choose to ping that instead).

I'm starting to think this is due to Azure not knowing where to send traffic for that subnet. So I created a static route in my ISR pointing to that Client VPN subnet with the inside interface of the ASAv as a next-hop. I also made sure there is a route to the VPN subnet in every single Route Table for the ASAv (all 4 interfaces).

Still no luck, and I can't see anything hitting the logs. I've enabled all the logging I think I need to from this page (https://community.cisco.com/t5/network-security/asa-real-time-logging-viewer-gt-not-seeing-icmp-from-acl/td-p/2664850) and again, I see ICMP hitting from on-prem to the inside interface, and even see route lookup failures if I try to ping the Management interface (not meant to be routable) so it seems like the logging should pick it up if the traffic was actually making it to the ASA.

Has anyone come across this issue when using the ASA Virtual in Azure?



What opensource NOS for SDN datacenter is "trendy" now?

What open-source NOS for SDN datacenter is "trendy" now?
Let's say that I have two ISPs; how should I build an HA WAN stack with open source and with, let's say, OpenStack?

I am aware of Cumulus; not sure if there is any Red Hat product out there.

Will Cumulus + Openstack ( Neutron ML2 plugin + FWaaS ) work ? Or do I need any other components ?

I am just curious.
Thanks



Blocking Parler App for Students

Hello all, I have been asked to add Parler to our social media blocking policies for our schools. It is easy enough to block the URL, but I am not sure how to block the apps for iOS and Android. I am using a Palo Alto firewall and they do not have an App-ID for Parler yet. I could possibly create an App-ID myself, but I don't really know how to capture the packet info for an app. As far as I know I can't run Wireshark on my phone to capture the packets needed to fill in the policy. Anyone have any creative ideas on how I can do this?



Updating MAC Access-Lists on Cisco Catalyst Switches

I am looking at what would be the right way to edit an existing MAC ACL by adding entries above or below a particular entry. If I edit a MAC ACL (unlike an IP ACL, which uses sequence numbers to sort rules), it always puts the newly added rule at the end of the list.

Second question is, if I delete an existing MAC ACL that's already applied on some L2 ports and recreate it with the same name, what would be the behavior? Does it destroy all the TCAM entries after the ACL delete, or would it still keep them because some interfaces are referring to it??



Any performance downside to running VPI versus ETH mode on Mellanox SwitchX-2?

For an Ethernet network, is there any tangible downside to running my Mellanox SwitchX-2 (e.g. SX6036G) in VPI system profile mode versus ETH-only mode? In the future I may want to play with InfiniBand for GPU / RDMA stuff, but not if it significantly compromises Ethernet performance.



HP Comware SSH issues

One of our customers recently bought some HP 5900 switches and I'm having an issue with SSH I just can't quite figure out.

I updated to the most recent firmware (R2432P06), set up the user and SSH server and ... well, it just doesn't quite work.

The authentication using password actually succeeds but then I get an immediate disconnect.

%Sep 11 01:23:04:051 2020 HPE SSHS/6/SSHS_LOG: Accepted password for nl from 192.168.128.135 port 64981 ssh2.

%Sep 11 01:23:04:448 2020 HPE SSHS/6/SSHS_DISCONNECT: SSH user nl (IP: 192.168.128.135) disconnected from the server.

We do have some other HP switches at that particular customer (not the same model but some firmware rev) and I've compared the configs and everything looks exactly the same. There are no ACLs or other access restrictions in place (and if there were, the login shouldn't succeed or I shouldn't even be able to connect). The very same user can access the web interface on the switch just fine.

Here's how the user looks, looks pretty right to me:

Device management user nl:
 State: Active
 Service type: FTP/PAD/SSH/Telnet/Terminal/HTTP/HTTPS
 Access limit: Enabled
 Max access number: 1024
 Current access number: 1
 User group: system
 Bind attributes:
 Authorization attributes:
 Work directory: flash:
 User role list: network-admin, network-operator

Total ssh users:1
Username   Authentication-type   User-public-key-name   Service-type
nl         password                                     all

Turning on debugging on the switch didn't yield any usable results, and the client using -vvv just tells me everything is fine until it gets disconnected from the server. I'm really at a loss here as to what might cause this. As I said, the switches are pretty much virgin in their configs other than the management interface being configured and the users created. Did this step-by-step as per the HP documentation. I know on any Linux machine this would point to some issue with permissions on a directory or files, but here ... ????

EDIT:
Here's the client side of things in verbose mode...

debug1: Authentications that can continue: password
debug1: Next authentication method: password
nl@192.168.128.231's password:
debug1: Authentication succeeded (password).
Authenticated to 192.168.128.231 ([192.168.128.231]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = C.UTF-8
debug1: channel 0: free: client-session, nchannels 1
Connection to 192.168.128.231 closed by remote host.
Connection to 192.168.128.231 closed.