Saturday, November 21, 2020

Network Rack Inquiries

I have a few inquiries in relation to mounting gear on a server rack:

  1. What is the more common term used? Network rack, server cabinet, data rack? I know they can be interchanged, but which is generally used?
  2. I read about M5 and M6 cage nut sizing. Which sizing is generally used? I have a network rack on its way, but its spec sheet does not give much detail besides the max load (150kg). I want to order some nuts in advance to be ready to mount the gear.
  3. Do I need special cage nuts for heavier equipment? I have a 30-pound router and was worried it may bend my rack posts.
  4. A question about the max load on a 4-post network rack. I bought a 2x2 post rack which has a max load of 150kg. Does this mean that one side must hold 75kg and the other must hold 75kg to even it out, or is that not necessary? This is a second-hand rack, so not much info was provided.


job pivot for senior citizen network engineer - niche consulting

I'm 50 and have worked at an ISP for the last 10 years. I did a mix of enterprise work prior. I have an active R/S IE. I have my retirement taken care of, so I am looking to get into work that looks interesting, and I'd love to get into consulting work on short-term jobs with high pay. Travel isn't a problem.

Throughout the years I would meet people that were consultants working on specialty jobs. For example, I ran into some people setting up ArcSight over in Europe who told me they were making 300/hr on a 1099 about a decade back.

How does a person get into that sort of work? I imagine the skills required will be new bleeding-edge tech, so that will be consistently changing.

Is it realistic that the 1099 contractor is actually paid these rates? I've never worked as a consultant, and most of the contract jobs I see listed on Indeed/LinkedIn are puny 50-70 per hour jobs asking for a CCIE for staff augmentation. Crappy pay and no benefits, and often far less than I could ask for in a full-time job.

Are the firms that source engineers to do this work specialty outfits? If so, can someone point to examples? I figure there's a blog or person out there telling every story imaginable today but I've never seen a blog/story of how someone progressed from W2 wage earner to a consultant who can command 2-4k a day or a high hourly rate on short-term gigs.

I know some (if not all?) of this work comes through large integrator deals where the customer needs work done that the VAR doesn't do. I imagine this gets passed off to other firms or individuals with those skills.

I would be happy to get into work like this even if I had down time. I'd rather earn 300 an hour or a high day rate and build labs/research and study for the rest of the year without an income. How did you folks out there get started?



Careers in Networking allow for innovation and long term career growth?

I've been dabbling in a networking computer-engineering-type job. Not anything like a technician or setting up equipment, but more actual engineering: writing code for both hardware circuits (RTL) and software applications (Python/C++) to support running a cloud.

Before this, I was involved in cache controller design (just RTL) in a processor for a big named company.

So far, I'm seeing that networking is primarily "old" technology, meaning it is steeped in a lot of history/standards, and I feel like opportunities for new innovation aren't as present as in some other fields involving machine learning, AR/VR, or AI. I don't think it's a bad field per se in terms of maintaining a career, just wondering how others feel. If I start delving into more networking architecture, is this good for the long term?



For the kind person who would be interested to help me with this network configuration

Hi everyone,

I have this topology and I need to:

Topology

1 - Activate Rapid PVST spanning tree on the LAN and make sure SW-CORE assumes the role of root bridge

2 - In the LAN with network 172.26.60.0/24, make 2 VLANs:

VLAN 10: 125 IPs

VLAN 20: 125 IPs

3 - IP forwarding between the 2 VLANs must be assured by the router in router-on-a-stick mode

4 - The router must also be a DHCP server for the VLANs

I've been working on this for the last few days and have had some trouble...
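As an added example that is not part of the original post: the addressing side of this task worked out in Python with the standard ipaddress module. It splits 172.26.60.0/24 into two /25s (126 usable addresses each, enough for 125 hosts plus the gateway), checks that the requested host counts actually fit, and renders the matching IOS router-on-a-stick subinterfaces, DHCP pools and Rapid PVST root configuration. The interface name GigabitEthernet0/0 and the DHCP pool names are my assumptions, not from the post.

```python
import ipaddress

# Constructed inputs taken from the post: one /24 split into two VLANs of 125 hosts each.
LAN = ipaddress.ip_network("172.26.60.0/24")
VLAN_PLAN = {10: 125, 20: 125}  # VLAN id -> hosts required


def plan_subnets(lan, vlan_plan):
    """Carve equal-size subnets out of `lan`, one per VLAN, and check that each
    holds the requested number of hosts plus one gateway address.
    Returns {vlan_id: (subnet, gateway_address)}."""
    needed = len(vlan_plan)
    new_prefix = lan.prefixlen
    while 2 ** (new_prefix - lan.prefixlen) < needed:  # smallest prefix giving enough subnets
        new_prefix += 1
    subnets = list(lan.subnets(new_prefix=new_prefix))
    plan = {}
    for (vlan, hosts), subnet in zip(sorted(vlan_plan.items()), subnets):
        usable = subnet.num_addresses - 2  # minus network and broadcast addresses
        if hosts + 1 > usable:  # +1 for the router's gateway address
            raise ValueError(f"VLAN {vlan}: {hosts} hosts + gateway do not fit in {subnet}")
        plan[vlan] = (subnet, subnet.network_address + 1)  # first host = gateway
    return plan


def render_router_config(plan, trunk_if="GigabitEthernet0/0"):
    """IOS router-on-a-stick subinterfaces plus one DHCP pool per VLAN.
    The trunk interface name is an assumption."""
    lines = [f"interface {trunk_if}", " no ip address", " no shutdown"]
    for vlan, (subnet, gw) in plan.items():
        lines += [
            f"interface {trunk_if}.{vlan}",
            f" encapsulation dot1Q {vlan}",
            f" ip address {gw} {subnet.netmask}",
        ]
    for vlan, (subnet, gw) in plan.items():
        lines += [
            f"ip dhcp excluded-address {gw}",  # keep the gateway out of the lease range
            f"ip dhcp pool VLAN{vlan}",
            f" network {subnet.network_address} {subnet.netmask}",
            f" default-router {gw}",
        ]
    return "\n".join(lines)


def render_core_switch_config(plan):
    """Rapid PVST+ on SW-CORE, forced to root for VLAN 1 and every planned VLAN."""
    vlans = ",".join(str(v) for v in plan)
    return "\n".join([
        "spanning-tree mode rapid-pvst",
        f"spanning-tree vlan 1,{vlans} root primary",
    ])


if __name__ == "__main__":
    p = plan_subnets(LAN, VLAN_PLAN)
    print(render_core_switch_config(p))
    print(render_router_config(p))
```

The gateway is excluded from each pool explicitly; otherwise the router would hand out its own address to a client. Bumping either VLAN to 126 hosts makes plan_subnets raise, because 126 hosts plus the gateway no longer fit in a /25.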



Routing multiple remote users through single IP address

My org is a consulting startup of mostly developers without much network experience. We now might have a need to set up our own network solution for a particular problem, but we're not really even sure what the different options are for what we're trying to do. If my question is ill-formed or I'm getting key concepts wrong, please correct me.

The problem: We are about to start using a SaaS product that requires us to provide IP addresses for whitelist access. We're thinking we probably don't want to add individuals' home IP addresses (we're mostly remote), so we're wondering what the right solution is if we want all our remote developers to access this resource through a single IP address. Is this what a VPN is for? I'm familiar with using a VPN to access an org's network resources, but am not sure what actually happens when you're using one. My hope is that we could set up an Azure VPN gateway, any of our devs can connect to that, and then we simply provide the VPN's IP for the whitelist. Please tell me if I just said something entirely dumb.



Questions about how IPv6 is routed by ISPs

  1. With IPv6, if one were to have a globally unique address (or a /56 or /64 subnet per customer at least), wouldn't the global routing table be absolutely enormous?

I suppose ISP1 will have something like a /16 assigned to them, and ISP2 will just have one routing entry/a list of best next hops for all networks in that range and let ISP1 handle it? Just speculation, as my knowledge is limited in this space.

  2. And if a home IPv6 router is assigning addresses at the device level, presumably this will allow an ISP to know exactly what device is using the internet, rather than a household (especially with SLAAC and MAC addresses literally being part of the IPv6 address)? Or do the devices use their link-local address to the router, and then the sender address in the packet is the global IPv6 address of the router, akin to NAT/PAT?

In the above case, what's the point of a device having a global address if it's going to behave the same as IPv4? Hosting services should be easier at least.

  3. What routing protocol do ISPs use for IPv6, or are they using IPv4 tunnelling methods?

I’m CCNA level but interested in learning more if anyone has any reading they can suggest. Hopefully these aren’t stupid questions.
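An added example, my own and not from the poster, bearing on the first two questions: with the Python ipaddress module, derive the SLAAC address a host forms from a /64 prefix and its MAC using modified EUI-64 (RFC 4291, Appendix A), recover the MAC back out of such an address (which is exactly the tracking concern in question 2; RFC 4941 temporary addresses carry no ff:fe marker, so the recovery returns None for them), and count how many routes a remote AS needs when customer /56s all nest inside one ISP aggregate. Prefixes and MACs are constructed documentation values.

```python
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: flip the universal/local bit of the first octet and
    insert 0xFFFE between the OUI and the device-specific half of the MAC."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global address a SLAAC host without privacy extensions would form."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_eui64(addr) -> Optional[str]:
    """Recover the MAC from an EUI-64-shaped address; None if the interface ID
    does not carry the ff:fe marker (e.g. a temporary/privacy address)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def routes_needed(isp_aggregate: str, customer_prefixes) -> int:
    """Prefixes a remote AS must carry to reach these customers: one entry for
    the ISP aggregate, plus one per customer prefix that falls outside it."""
    agg = ipaddress.ip_network(isp_aggregate)
    outside = [c for c in map(ipaddress.ip_network, customer_prefixes) if not c.subnet_of(agg)]
    return 1 + len(outside)


if __name__ == "__main__":
    # Constructed values: documentation prefix and an arbitrary MAC.
    a = slaac_address("2001:db8:abcd:1::/64", "00:1a:2b:3c:4d:5e")
    print(a, "->", mac_from_eui64(a))
    print(routes_needed("2001:db8::/32", ["2001:db8:1::/56", "2001:db8:ff00::/56"]))
```

The aggregation count goes beyond the post's single /16 guess: any number of customer /56s or /64s collapse to one route at a remote AS as long as they sit inside the ISP's allocation, which is what keeps the global table tractable.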



Internet Edge Best Practice for convergence

Hi All,

I hope it is ok to ask this question here. I'm relatively new to network design. I have a CCNP and about 5 years' experience in support, but in terms of design and best practice I'm far from knowing what is right and what is wrong due to raw experience.

I work for a company in the UK where we have a small DC solution in which we provide services to customers, and an internet edge comprising multiple circuits over 2 DCs to 2 service providers.

We have a very basic solution whereby we use a primary outbound weighted path by OSPF, and inbound is deterministic by AS-path length, but the primary is weighted as favoured for this and is typically the path used. This has been in place for many years.

My question is not on this solution, as I know it can be improved for greater path selection using proper iBGP, but on convergence and BFD. Do enterprises/service providers use BFD, or drastically lower the timers? I know we could utilise dampening etc. I'm just trying to understand how realistic using BFD or very low timers with BGP is. I understand that convergence on the internet has to be taken into perspective also. Is there a best practice/approach to this or a recommendation?

Thank you :)



Is there any point to encrypt/use a VPN for a cloud server?

Is there a point to buying some random VPN service, installing it on your Ubuntu server, and then using it to serve websites/apps to your customers? What is the point of this? Because I thought originally that the point of using a cloud service, primarily, is to host your app NOT on your PC, since there are many, many downsides and risks to that, e.g. a possible attacker obtaining your data and such.

But if you're using a cloud server, and if the attacker did get access to it, as long as you didn't save anything personal on there you personally would be fine, your customers may not. But even with a VPN, attackers could still get into it. So is there really any point to use a VPN for a Cloud Server?



Friday, November 20, 2020

Is this normal SIP traffic?

Hi team,

I have been having an issue that none of my team or even Palo Alto support was able to find a solution for. It is truly a strange behavior that none of us was able to explain, and it is currently affecting one of our big clients.

A Palo Alto firewall in a remote branch has a Cisco VCUBE box. Every time you make a call to the branch number, SIP traffic is passed correctly as per the NAT and security rules, and you can see packet captures and the traffic log showing everything is perfectly fine and allowed; however, you see discards for Request INVITE and Status 200 messages that can only be seen in the packet capture (yes, show session id will not show any discards for these sessions). There is one thing I noticed that I need your confirmation on, something very simple: is it normal for SIP traffic to contain a message body like this, assuming the SIP proxy is A.B.C.D?

SIP Packet: Src: A.B.C.D, Dst: X.Y.Z.A

Message Body

Owner/Creator: IPv4 A.B.C.D

Connection Information: IPv4 A.B.C.X << Yes, a different IP

Connection Address: A.B.C.X << Yes, a different IP

The reason I am asking is that I am seeing Palo Alto show two sessions being created in the traffic log, as follows:
Session 1: VCUBE > A.B.C.D (the IP in the Wireshark capture)
Session 2: VCUBE > A.B.C.X (the IP in the SIP message body)

This can be seen even though I only made a call from SIP proxy A.B.C.D.

The only thing I am trying to prove to the client is that the firewall is not the issue, but I'm not sure if the SIP configuration this way might be where we have the issue.

Thank you in advance for all your help.
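An added example, not code from the post: a small parser for what the capture above shows. It splits a SIP INVITE into headers and SDP body, reads the o= (owner) and c= (connection) lines per RFC 4566 with a media-level c= overriding the session-level one, and reports, for each m= line, the media endpoint and whether it differs from the signalling source. That is the information a firewall's SIP application-level gateway derives from the INVITE to predict the RTP flow, which is why a second session towards the c= address appears next to the one towards the proxy. The INVITE is constructed with documentation addresses (203.0.113.5 standing in for A.B.C.D, 203.0.113.77 for A.B.C.X).

```python
import ipaddress

# Constructed INVITE modelled on the post: signalling comes from the proxy
# (203.0.113.5 stands in for A.B.C.D) while the SDP points media at another host
# (203.0.113.77 stands in for A.B.C.X). Documentation addresses, not real ones.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=proxy 2890844526 2890844526 IN IP4 203.0.113.5\r\n"
    "s=-\r\n"
    "c=IN IP4 203.0.113.77\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:2000@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK776\r\n"
    "From: <sip:1000@203.0.113.5>;tag=1928\r\n"
    "To: <sip:2000@192.0.2.10>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_SDP)}\r\n"
    "\r\n" + SAMPLE_SDP
)


def split_sip_message(raw):
    """Return (start line, {lower-cased header name: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_sdp(body):
    """Return (origin address, session-level connection address, media list).
    Each media entry records the address that applies to it: a c= line after an
    m= line is media-level and overrides the session-level c= (RFC 4566, 5.7)."""
    origin = session_conn = None
    media = []
    for line in body.splitlines():
        if len(line) < 2 or line[1] != "=":
            continue
        key, val = line[0], line[2:]
        if key == "o":
            origin = val.split()[-1]          # last field is the unicast address
        elif key == "c":
            addr = val.split()[2]             # "IN IP4 <addr>"
            if media:
                media[-1]["ip"] = addr        # media-level override
            else:
                session_conn = addr           # session-level default
        elif key == "m":
            fields = val.split()
            media.append({"type": fields[0], "port": int(fields[1]), "ip": session_conn})
    return origin, session_conn, media


def predicted_media_sessions(signalling_src, raw_invite):
    """What an ALG derives from the INVITE: the media endpoints it will expect
    traffic to, flagged when they differ from the signalling source address."""
    _, headers, body = split_sip_message(raw_invite)
    if headers.get("content-type") != "application/sdp":
        return []
    _, _, media = parse_sdp(body)
    src = ipaddress.ip_address(signalling_src)
    return [
        {"type": m["type"], "ip": m["ip"], "port": m["port"],
         "differs_from_signalling": ipaddress.ip_address(m["ip"]) != src}
        for m in media
    ]


if __name__ == "__main__":
    for s in predicted_media_sessions("203.0.113.5", SAMPLE_INVITE):
        print(s)
```

Run over the constructed INVITE it reports one audio flow to 203.0.113.77:49170 flagged as differing from the signalling source, i.e. the same shape as the two sessions in the traffic log. A mismatch between o= and c= is legitimate SDP (a media gateway frequently answers from a different address than the proxy that signals), so the check tells you which side to look at, not that the body is malformed.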



SMB throughput optimization over VPN (high latency)

Hello friends,

We are trying to squeeze out every bit of performance from SMB over VPN. We all know that SMB is very chatty, so latency really kills the performance. We are digging into optimization for VPN, and so far we have only tried disabling bandwidth throttling on high-latency networks (HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\DisableBandwidthThrottling). This helped a bit with performance, but there are still spikes and troughs which we are trying to figure out the reason for.

E.g.: this is a test over VPN. We have 10G links on prem and we are testing from a GCP VM which has over 1Gbps downlink and 7-800Mbps uplink. Latency is around 70-80ms between these two.

Here are the iperf numbers:

single stream: 12-15 Mbps

8 streams: ~90 Mbps

16 streams: ~180 Mbps

And now SMB: it's usually doing around 100Mbps, but there are a few spikes going up to 200Mbps. Graph

And some runs go even up to 500Mbps. Graph

But then the very next run is at a snail's pace, barely holding around 10Mbps. Graph

Between these runs nothing changes on the network side: same latency (~75ms), same storage (which is backed by SSD flash, no slowdown there at all). So I'm curious where the spikes in performance are coming from. What else can we do to optimize this further?

I've posted to r/sysadmin but am posting it here as well, since someone here most likely has more experience with this sort of thing. If it's not allowed, please feel free to remove it.

Cheers and thanks all for the help in advance.



MPLS Load-Sharing

Hello,

I am looking for some guidance in trying to make use of our redundant MPLS circuits. Currently we have around 20 sites all connected via MPLS and I have two datacenters that have redundant MPLS to an HSRP pair of routers. They are currently set as active/standby and I would like to try to load share, as a 100Mbps MPLS circuit sitting idle makes me sad.

I will be honest in saying that advanced routing is not my strong suit. I have been reading into eBGP and iBGP load-sharing a bit, and I was hoping someone could simplify what I am trying to accomplish so that I can approach this correctly, or tell me if I should even be attempting it at all. I understand that asymmetric routing would be introduced, but as it's internal traffic, I think it would be fine. The traffic does not pass through a firewall.

The secondary routers are prepended.

Here is a quick mockup of what I have going on... sorry, I don't use reddit much and I can't seem to post a picture. It is here: https://imgur.com/a/G13iRVd



Nexus 9K - VxLAN EVPN Multi-site - vPC BGW

Is anyone running Nexus 9Ks in NXOS mode with vPC BGW?
If so, I'd really like to hear about your general experience, and also your experience in two specific areas.

Info

VxLAN BGP EVPN Multi-Site seems to fit our requirements, allowing DCI over our L3VPN and also for traffic to be symmetrically routed in/out of each DC.

I'm looking to deploy two 9300s in vPC BGW mode in each of our brownfield data centres, to begin migrating them to a modern VxLAN BGP EVPN leaf/spine fabric. So initially, the two switches will be the BGWs, leafs, spines, RPs and RRs, scaled out with separate spines (running RR/RP) and leafs later. This seems very standard looking at Cisco's legacy DC migration slides from their Cisco Live presentations, so I expect it's a common deployment.

Query 1 - Reliability

vPC, BGW, EVPN, VxLAN, RR, RP, Leaf, Border Leaf seems like a lot to load onto one box. Has anyone had issues with reliability? Any issues with control plane failures on the various protocols?

Query 2 - Failover

Another issue is failover. Each of the two switches at each DC will have two uplinks.

  • One uplink to an L3VPN for DCI
  • One uplink for the per-vrf uplink traffic to various production L3VPN WANs.

If the per-vrf uplink fails, a route needs to be available via the switch with the working per-vrf uplink. So orphan hosts on the failed switch can reach the L3VPN WAN.

Initially, this looks simple, add "advertise-pip" in BGP on each of the switches in the vPC. So the routes learned over the per-vrf BGP peering to the L3VPN are advertised as type 5 routes into the EVPN with the physical IP of the switch, rather than the virtual IP.

From a control plane perspective this works, the type 5 routes are learned and installed on the switch with the failed uplink, but when the VxLAN encapsulated packets are forwarded to the working switch, it drops the packets. This looks to be because the source address of the packets is the VIP of the vPC, and there's some sort of split-horizon mechanism. Advertise-pip would work for other VTEPs in the network, but not the neighbouring vPC with the same VIP.

I thought this was a bug, but apparently not. Cisco's docs show this as expected behaviour, and the recommended solution is per-vrf BGP peerings or static routes between the vPC peers, each on a separate point-to-point VLAN link between switches, for each tenant. So the solution seems to be to bypass the VxLAN EVPN fabric.

This seems a bit untidy but does work in the lab. Is anyone running like this, and has failover worked as expected?



Polycom Phone Issue

TLDR: Polycom Phone NTP Breaks Inbound calls.

So I've got an interesting discovery to let everyone know about. After calling Polycom and failing to get anyone to speak with me about anything (no support contract), I made an interesting discovery and managed to fix the issue myself.

The issue I was having is that the Polycom SoundStation IP 6000, which connects to voip.ms, would make outbound calls just fine, but when an inbound call was placed to the phone it would ring on the Polycom but you couldn't answer it. Almost like the buttons just stopped working. What's weird is that the person making the call would not hear any dialing on their end. Just silence.

After resetting, updating firmware, moving networks, checking firewall rules etc. etc., I came to the conclusion the phone was broken.

I reset the phone once more and did the bare minimum to set it up: all I did was enter the line info for voip.ms and that's it. Called the phone and poof, it worked. Put it back in the conference room and left it working just fine.

I go back in a few hours later and my boss asks me to set the time on it, so I enter Google's NTP server and the time updates. Try calling it again to make sure it's still working and, would you guess what, it doesn't work again. I wipe the NTP server, reboot the phone again and, hey look, it works again.



NTP best practice?

Just wanting to start a discussion on how everyone manages or uses NTP nowadays, and any real-world best practices they use or have found to work well.

I manage a 9-campus community college with over 150 switch stacks/routers.

Our NTP is all over the place and I'm looking to standardize it as my next work-from-home "covid project."

We currently have a mix of our core device acting as a server and a Linux box acting as a server. All downstream devices either use the core, the Linux box, both, a public NTP server, a locally set clock, or no change from the default at boot.

High-level overview: our network is hub and spoke: Core -> Campus distribution -> building/access. Nothing fancy.

This came about though because a coworker was asked to look at critical errors on a switch and his final report was "the logs show it's from 2016 so we don't have to worry about it."



40Gbase-LR4 over OM4 ?

I've got an installed base of OM4 between floors. I do not have enough strands available to use MTP to 8xLC type patch cables.

I know it's not spec'ed to work. I know that no equipment vendor will support it.

But... has anyone actually tried running 40Gbase-LR4 over OM4? Or seen any test results for it? What sort of distances might work?

I know any such functionality might get better with offset-launch patch cables. But, for the hassle and expense, I'll just lobby management to get SM fiber installed. That'll happen regardless, eventually. And at that point in time, I fully expect to populate things with 40Gbase-LR4 optics.

In the interim, I'm wondering what sort of distances I might get over OM4.

Anyone try it?



mesh wifi that's not also a router?

So I manage a small business that's growing. We have a building of about 4000 sq ft and I put 2 traditional WiFi APs in it. We then bought another, adjacent building, in which I'd probably need to put 2 more WiFi APs. I do have a fiber line connecting the 2 buildings.

I'd like to upgrade to mesh WiFi, but some of them require it to be the router, which I don't want because I have a secure LAN network that can only interface with the WiFi network through a firewall.

Also worth noting: currently, I have a separate ISP in each building (each with its own router). I'd like to do load balancing between the ISP circuits, but treat the whole building as 1 WiFi network.

With that said, do any of you have a recommendation for small-business-grade (not enterprise-grade) WiFi mesh that would work with what I need?



This Trendnet switch is handing out a different Gateway, can it be reset?

Hey guys,

I have a Trendnet TPE-TG240G that I inherited from the previous tenants of the office my org is now in. I cannot get the gateway to conform with the router/modem combo I have; any idea how I can reset this thing? I can't even access my router/modem's gateway through it.



Checking for QoS on ISR 4331

I have a Cisco ISR 4311 router and I'm troubleshooting some speed issues. I have run show qos and nothing more appears. If I run show class-map I get the output below...

--------------------------------------------------------------------------------------------------------------------

myrouter#show class-map

Class Map match-any class-default (id 0)

Match any

---------------------------------------------------------------------------------------------------------------------

I assume this is the default, and that the ISR doesn't come with any default packet inspection or QoS settings I should be aware of?

Any help on this would be appreciated.



Why use Zscaler for SaaS applications? Those apps have their own security stack already

I understand why you'd want to use the Zscaler cloud to give access worldwide to an application that you own, but I'm not fully understanding the argument for going to a SaaS app that you don't own. Those apps have their own security stack already... what am I missing?



Difficulty with voice basics....

Hey all. I hope someone can help shed some light on this. So here is our basic set up.

We have two HQ locations, both with redundant CUCM clusters, CUC, etc. At the edge of each we have a session border controller. Double everything. Then we have a ton of remote sites that are connected via SIP trunk to a 4321/4331 ISR. Also connected to those routers are POTS lines into the FXO module.

I have a fair grasp on internal dialing but my question is external. Say I'm sitting at our HQ in Atlanta and I want to dial to the local pizza shop. Does that hit the SBC then go to the PSTN or is that routed some other way?

Also say I wanted to dial the pizza shop down the street from a remote site we have, say in San Antonio. Is that handled the same way or does that go through the WAN to the remote site, then to the PSTN from there?

I'm all kinds of confused.... The question is so basic it's hard to get a straight answer which is making everything more muffled for me....



Cisco N5Ks and N2Ks Replacement

I've recently started a new job and I've been asked to look at options to replace our current LAN switches. Basically, we have 6 Cisco Nexus 5Ks (3 pairs); each pair extends to multiple Cisco Nexus 2Ks.

I understand that FEX is now a dying technology, but I'm a bit confused as to what technology is meant to replace FEX. I've done a bit of research on this, but it still doesn't seem clear to me.

Which Cisco switches are meant to be the successors of the N5Ks and the N2Ks?

Thanks



WLAN roaming between vendors

We are replacing our Cisco APs with Aruba: same SSID and same RADIUS server with Aruba as with Cisco. I'm wondering if we're going to get roaming issues in places where the vendors meet. Or is there something we could configure to help the roaming? Will it be smooth, or do we get disconnected Teams/SSH sessions etc.?

We're planning to test this next week but are hoping to get some thoughts beforehand.

Thanks



Server Rack Layout

I'm in the process of installing a server rack in the loft. I have two PDUs and one switch that are going in there so far. What would you recommend for the layout of these 3, as having the PDUs right next to each other will block some of the plugs because of the cables?



Need to renew my CompTIA certs (A+, Net+, Sec+). Should I just renew with CertMaster CE or spend a few weeks prepping and go with CySA+/Pentest+?

Debating whether to get a higher-level certification to keep showing some advancement, or just take the easy way out with CertMaster CE. I have other certs like CCNA and I'm currently in a network engineering role, so I'm not sure if the CompTIA stuff is doing a lot for me, but I definitely want to keep them current. What do you think?



Hi fellow geeks. I really need a crimpable right angled RJ45 connector. Do they exist?

I've just visited a job where the installers have gone into a multi million euro villa and, using grinders and heavy artillery, installed plastic wall boxes in the concrete walls intended to house some DANTE audio nodes (similar to this).

As usual, when the account manager specs the boxes without consulting a tech, the boxes they've just finished installing fit the nodes fine if you don't take into account that they need to be actually plugged in. The box is too small when the ethernet is plugged in...

So a right angled RJ45 will save the day. But I cannot find any that are crimpable and I don't want to put a little extender in if it can be avoided, as it's just another potential failure point.

So does it exist, or is it a unicorn?



Thursday, November 19, 2020

Cisco mDNS discovery forwarding across VLANs

Anyone know this well and willing to help with an issue? I think we have it pretty close but it's not working and I think we are missing something small.

We are trying to let client Windows machines discover and connect to Barco ClickShare units on a different subnet using the Service Discovery Gateway. The machines are not discovering the units, however.

The mDNS packets are coming back to the clients but they look a little different than when the ClickShare is in the same subnet.

I have configs and good vs bad wireshark files and can post it all if you think you can help.



Tips to safely powercycle medium aggregate devices?

Bit of backstory and node description: I have an aggregate fiber switch with multiple 1GigE and 10GigE p2ps coming off of it in a hub and spoke configuration. This device is currently refusing management connections, though it is still switching and I can manage devices downstream of it. I had a field engineer go out and attempt to connect with different rollover console cables, and he even tried different laptops to be thorough, but the device is also not responding on its console port. My next step is to reboot this thing, as I'm currently unable to log into it to troubleshoot at the config and stats level.

I have had some extremely bad experiences when rebooting these devices, and am seeking tips on ways to softly turn an unmanageable, core machine off that has no power switch/button. This particular type and brand of machine has a bad habit of going down and never coming up when the power plugs are yanked. I will have a blank machine on standby to drop-in-place if this happens but these machines are $$$$$ and frankly a PITA to flash on the fly.

Does anyone have any tips on making this process safer for the machine?



Meraki ProCurve Meraki

Encountering an issue with how the VLANs are talking across the devices. Everything was working; the only thing that changed is the firewall was changed from a Barracuda to a Meraki MX67.

MR33 - device IP was set statically with a tagged VLAN of, for example, 10. Port 10 on the ProCurve is tagged as VLAN 10 and VLAN 1. Uplink port 48 on the ProCurve to the MX is set to VLAN 1, port 48 untagged.

Other VLANs work fine, but for some reason the AP isn't reaching the cloud.



New jobs during COVID

Curious to know how other people's experiences have been starting new jobs in the era of COVID, with most places going fully WFH. I made the jump from government work to contracting right in the middle of the year and now I'm on my second gig. The first company was fine: decent onboarding process, shadowing a couple of engineers for a week or two; getting initial work was pretty slow, but I'm not sure it would have been different in any other F500 company, COVID or not. That company ended up doing some massive layoffs and my contract was on the line, so I ended up needing to find another role. The place I'm at now, their onboarding is abysmal. Coworkers are super unhelpful and are hesitant to help, my manager is one of those senior engineers that went into management but couldn't leave the engineer behind and does everything himself "because it's easier", most documentation is pre-2010, everything has a "process" but they only exist in people's heads, the list goes on. Best part is they explicitly wanted someone with MPLS and BGP experience, but all they're having me do is onesie, twosie ACL modifications. Needless to say, I'm already looking for a new role 3 weeks in. Anyone else start a new gig recently? How was your onboarding? If you're WFH, how's your company doing on that front?



Confused about outdoor "protector packs" at building demarcation

I manage a small network for an HOA. 34 condos across 8 buildings, sharing a Comcast business line over cat5e. Three of our buildings are seeing very slow speeds and unstable connections. Basic cable tests are coming back good. iperf is showing between 1/2-1/4 the speeds they should be getting. Since the problems started I replaced one building's un-managed switch with a new one and replaced the core switch. That made no difference. I'm doing my best to troubleshoot while I try and find a local company that I can bring in, which is turning out to be difficult.

One thing I'm wondering is if the outdoor protector packs where the underground run connects to the building's line could have issues, maybe with old or blown fuses? I know next to nothing about these things. They were installed during initial construction in 2003. They are Porta 1504 PX2. Looks like Porta got bought by Tii Technologies in 2010. Here's a picture.

Questions:

  1. Could a problem with these protector packs cause slow speeds and unstable connections?
  2. If so, should I try to find replacement fuses for the existing packs?
  3. If not, any recommendations on what to try replacing them with?


Advice on Post Studio 10G Internal Network

I'm in the process of setting up a small post-production sound studio and I'm planning to add a 10G network for file serving. All computers will be located in a central machine room with short cable runs.

We have just installed 2 new Mac Pro machines with 10G RJ45 networking built in, and I'm planning to update our other computers to 10G network cards as well. The total number of computers will be around 10-12, all with direct 10G connections to the switch.

We have an existing 1Gb network that we will continue to use for internet and our Dante network audio routing. That 1G network runs mainly on a Cisco SG300-24 switch and some misc. Trendnet PoE switches attached to a Peplink Balance 20 router.

The 10G network will be used for internal file serving only. Instead of a server we will be using a Mac with an 8-drive Thunderbolt 3 RAID that will allow us to serve files to the Pro Tools editorial and mix systems and handle backups and other file management.

We also have a Ubiquiti UniFi WiFi network, so I am already dealing with that configuration software as well. With the Cisco switch I am also familiar with that configuration software.

I have a baseline understanding of IT for dealing with the things I have to deal with, like setting up static IPs and QoS in the Cisco switch. This is a pretty basic use case, but I haven't dealt with an enterprise-level switch at this point.

I've been down several rabbit holes and want some feedback on the various choices available and some of my assumptions/plans.

- Since we are dealing with serving media files across the network, it seems that an enterprise-grade switch could or would be appropriate to be sure we don't run into bandwidth bottlenecks. Our RAID is capable of 20Gb per second. The plan is to put a dual 10G card in the server system and connect both ports to the switch via bonded ports, so we would want a switch that can support that.

- I have been looking at various enterprise switches that are available. Since we will be running a single switch for this network in a 24/7 cooled machine room, power and noise aren't really too much of a concern. I started out only looking at copper/RJ45/Base-T switches because the existing machines I have are already set up for that, and we don't need the distance capability of fiber at this point. However, I have seen that, with the cost of transceivers being somewhat reasonable, it could make sense for us to use an SFP+ switch, since it opens up a lot more low-cost options. To have some expandability I think we are considering 16-24 port 10G switches. If we are using 10-12 ports for now, going the SFP+ direction would add around $500-600 to the cost to get us up and running, if we can get the RJ45 10G transceivers for around $50 each. I could see there being a benefit to having long-run fiber in the future, but for now it's not necessary.

Here's the list of switches I have been considering with prices I have found available now:

SFP+ Switches (add $600 to all these costs to get us up and running)

Quanta LB6M - $230 (Refurb) - Total Cost $830

Brocade TurboIron 24X $269 (New) - Total Cost $869

Ubiquiti US-16-XG / ES-16-XG-US - $538 (New) - Total Cost $838

ARISTA DCS-7124SX - $450 (Used) - Total Cost $1050

RJ45/Base-T Switches:

Arista Switch DCS-7050T-52 $900 (NEW)

Cisco SG550XG-24 - $1400 (USED)

I understand many of these are the usual suspects in this price range, but I'm curious if there are any recommendations specific to my isolated internal file sharing use case for media files.

Curious if there is a sweet spot between performance, price, and ease of setup and use?

Should any of these be avoided because of low reliability or other known problems?

Also, with any of these, are there additional licensing costs I need to be accounting for?

Should I avoid the headaches of enterprise equipment and just stay in the world of Ubiquiti, Cisco SG, or Netgear 10g products? Do they have the horsepower for what I'm doing?

If you see anything I'm not considering or some error I have in this plan please let me know.

Thanks!



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Cisco Meraki client VPNs (multiple clients behind same NAT IP)

Hi,

We have a Cisco Meraki MX84 in our head office and, since we cleared out in March, some users have been having issues making a VPN connection.

We tracked it down to homes where we have multiple employees, and investigation by our support partner has indicated that it's related to the L2TP protocol and a known issue when operating multiple clients behind the same NATted public IP address.

Meraki only supports L2TP for client connections.

Where things get odd is that it's not consistent. Sometimes both clients can connect; when it's not playing nicely, it's first come, first connected. This can then sort itself out later on or decide not to work for the entire day.

Reboots of routers and client computers sometimes work and sometimes don't. Resetting Windows networking sometimes resolves the issue, sometimes not.

Routers/ISPs are a mix of vendors.

If anyone has come across this or has any suggestions as to why it works a lot of the time, I'd be grateful for your input!

We're actually looking at adding a separate VPN using a UniFi XG, but this will require an additional switch, the XG, and additional public IPs from our ISP. Not the end of the world, but an expense my budget would rather put elsewhere!



Question: Possible to configure Juniper MX irb as a l3-interface?

  • Design: I want to create virtual interfaces for our subnets on the MX104 (they will be used as the default gateways for the subnets). I planned to do this through an irb.

  • Problem: I am unable to create an l3-interface for any irb I created. It seems that irbs can only be added to bridge domains, but a unit that is configured for family inet (for example ae1.0) cannot be added to the same bridge domain; bridge domains are only for layer 2 and irbs (I think). On a system like a QFX I could create an irb and then run a command like set vlans vlan-1111 l3-interface irb.1111, after which interface terse would show the irb as up, but there does not seem to be such a command on the MX. Therefore irb.1111 will always show "down".

  • Configuration:

    • This is a connection to a firewall we have; all traffic will be routed through that IP:

      set interfaces ae1 aggregated-ether-options lacp active
      set interfaces ae1 unit 0 family inet address 10.80.11.1/30

    • The IRB:

      set interfaces irb unit 1111 family inet address 10.1.11.1/24

From what I read here, https://networkengineering.stackexchange.com/questions/3709/adding-a-simple-vlan-on-a-juniper-mx, I would need to either

A) Configure bridge domains and make sure all traffic is tagged to the specific units. This means all traffic will need to be trunked to the firewall connection, and I would have to build interfaces on the firewall side for each L2 tagged interface (I really don't want to do this).

B) Configure an inet address on some other physical interface. I don't want to do this either; what if the interface goes down?

How can I make a virtual interface for separate VLANs but allow for L3 routing between said interface and other interfaces? If it's not achievable, are there any other options than what I described above?



Juniper now blacklisting SFPs?

We have a QFX5100 in our network running Junos 18.4R2-S5.4 (JTAC recommended). We have had an issue occur twice where we have inserted an SFP (two different types of SFP, two different ports, both from fs.com) and within a minute or so of inserting the SFP, the device reboots.

The device continues to reboot until the SFP is removed, after which it continues to operate normally.

We've raised this with our channel, and they have provided the following response:

Juniper has begun to Blacklist Various Third Party Manufacturers Including FS.

- On Inserting a Blacklisted SFP Units will report technical Issues and Reload

- This will persist even after the unit is downgraded as this has been done retroactively

- Currently There is no workaround for this issue

We have other devices running 18.4R2-S3 and earlier that don't seem to exhibit this behaviour.

I wondered, has anyone else come across this or experienced it recently? We have thousands of FS optics in our network, and we've always been happy that Juniper have generally taken a more relaxed view on third-party optics - not even bothering us with a warning in our logs - so this seems like a dramatic shift in stance if correct.



SDN - ONOS Cluster

Hello gents,

So I've been assigned a university project, part of which is creating an ONOS cluster with Mininet. So far I've created the cluster but can't get it to work with Mininet at all. I created the cluster like this:
https://wiki.onosproject.org/display/ONOS/Notes+on+cluster+formation+for+Docker+instances

And I cannot link a separate Mininet VM to work with it, even though the VM with the controllers and the VM with Mininet can ping each other. I've also installed Mininet on the same machine and still can't get it to talk with those ONOS controllers. I ran this command on the Docker containers to make sure their ports are exposed, "docker inspect --format='' $container ID$ > $output name.txt$", and the ports are exposed and the needed OpenFlow apps are running on the controllers. Any input is appreciated because this is the only step that has been killing my progress so far.



VPN Issue

Ok, this is driving me absolutely crazy. It has happened with two users now after they've gotten new modem/routers from Charter, where they can't connect to the VPN (RRAS on Server 16) even though everything is exactly the same save for the new router. With the first user, I remoted in and got into their router settings (default user/pw, firewall set to low, which basically allows all in/out, nice!!), and after messing with the firewall, even briefly making it DMZ and verifying it was reaching and being allowed through the office router, it still wasn't connecting to the VPN. I see no errors on the server side about it rejecting the login or anything (and I do get those when randos try to connect), so I'm absolutely stumped as to what is going on. I've searched and searched, and did find one thing (removing/reinstalling all WAN miniports) that worked for the first user, but nothing is working for the 2nd user. So, the user's laptop is making it to and through the router, but it's failing at the server apparently, and I'm out of ideas of what to check. Any ideas???? Thanks!!



Subnet creation using OSPF protocol.

I have 20 OpenWrt routers running a BATMAN mesh. I wanted to create 2 different subnets using OSPF on border nodes which communicate over a wireless link.

I used Quagga for OSPF and followed the OpenWrt tutorial for the BATMAN ADV mesh.

My Quagga configuration for my border nodes:

/etc/quagga/ospfd.conf

hostname OpenWrt
password helloworld
enable password helloworld
interface eth0.1
 ip ospf hello-interval 60
 ip ospf dead-interval 240
router ospf
 ospf router-id 192.168.3.1
 network 192.168.0.0/16 area 1
access-list vty permit 127.0.0.0/8
access-list vty deny any
line vty
 access-class vty

/etc/quagga/zebra.conf

hostname OpenWrt
password helloworld
enable password helloworld
interface eth0.1
 ip address 198.168.3.1/16
access-list vty permit 127.0.0.0/8
access-list vty deny any
line vty
 access-class vty

The Quagga configuration is the same for both border nodes except for their IP configuration.

My network configuration:

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd04:575b:e9bc::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1 bat0'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.0.0'
	option gateway '192.168.4.1'
	option ip6assign '60'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr '84:d8:1b:4a:77:14'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '84:d8:1b:4a:77:15'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config interface 'bat0'
	option proto 'batadv'
	option routing_algo 'BATMAN_IV'
	option aggregated_ogms 1
	option ap_isolation 0
	option bonding 0
	option fragmentation 1
	#option gw_bandwidth '10000/2000'
	option gw_mode 'off'
	#option gw_sel_class 20
	option log_level 0
	option orig_interval 1000
	option bridge_loop_avoidance 1
	option distributed_arp_table 1
	option multicast_mode 1
	option network_coding 0
	option hop_penalty 30
	option isolation_mark '0x00000000/0x00000000'

config interface 'nwi_mesh0'
	option mtu '2304'
	option proto 'batadv_hardif'
	option master 'bat0'

lan.proto is set to dhcp for the mesh nodes and to static only for the border nodes.

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/10300000.wmac'
	option htmode 'HT40'

config wifi-iface 'mesh0'
	option device 'radio0'
	option ifname 'mesh0'
	option network 'nwi_mesh0'
	option mode 'mesh'
	#option mesh_fwding '0'
	option mesh_id 'wemesh'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option key 'helloworld'
	option ssid 'Node'
	option encryption 'psk2'

OSPF troubleshooting output:

vtysh -c "show ip ospf database"

% Unknown command: username root helloworld

       OSPF Router with ID (192.168.3.1)

                Router Link States (Area 0.0.0.1)

Link ID         ADV Router      Age  Seq#       CkSum  Link count
192.168.3.1     192.168.3.1     1717 0x8000000a 0x7812 1
192.168.4.1     192.168.4.1     1727 0x80000009 0xa261 2

                Net Link States (Area 0.0.0.1)

Link ID         ADV Router      Age  Seq#       CkSum
192.168.4.1     192.168.4.1     1707 0x80000003 0x8916

vtysh -c "show ip ospf route"

% Unknown command: username root helloworld
============ OSPF network routing table ============
N    192.168.0.0/16        [10] area: 0.0.0.1
                           directly attached to br-lan
N    192.168.1.0/24        [20] area: 0.0.0.1
                           via 192.168.4.1, br-lan

============ OSPF router routing table =============

============ OSPF external routing table ===========

Currently my border nodes don't work as expected.

I need help with their configuration.



Best Hybrid Cloud WAF?

I'm looking into a new WAF (Web Application Firewall) solution to protect and cover our legacy internal on-premises network systems, plus our new cloud systems that are already in AWS. A quick Google search shows Cloudflare WAF, AWS WAF, and Sophos XG Firewall as possible solutions for a large network. The requirements are a single solution for on-premises legacy hardware on an internal network, plus virtual systems that are already in AWS (hybrid cloud), with several web applications and DMZ configurations in the mix. Obviously, the AWS folks are pointing us towards AWS WAF, but are there more compelling hybrid cloud offerings available, as it will take us years to fully virtualize the on-premises servers into AWS?



How can I establish a wireless LAN between my laptop and desktop to transfer a large file?

Would I need any equipment for this? I don't have a switch or the cables to do this wired. I am new to networking and wanted to see if it could be done.



Best way to document data flow on a network? What to look at and install?

I am currently working on redoing all documentation at my job. I am using Visio. I have most of my network connections mapped out, and now I have to document the traffic flows.

Our layout is basically a core 6500, 3 separate ring networks starting and ending at the core, and access switches for industrial equipment (PLCs, etc.).

What is the best way to document the traffic flow? Should I break it down for each VLAN? Since we have a ring topology, wouldn't data flow be self-explanatory? For example, it would go from the core to switch 1, switch 2, switch 3, switch 4 - switch 9, then back to the core.

Does anyone have any recommendations on how I should go about documenting traffic flows? Besides adding NetFlow to the core switch?



Link aggregation and traffic policing/shaping

Good afternoon,

Is it possible (on Cisco switches) to do traffic policing or shaping on aggregated interfaces?

Thank you!



How do I prepare myself for networking beside CCNA?

Hey, the TL;DR is basically the title.
And English is not my first language.

Full story:

I got a job. But the company thinks I do not have enough networking knowledge. I was told to learn more about networking before I go to work in Dec. I am willing and all, but I just do not know how to start. I am CCNA certified. I have basic networking concepts, but when it comes to different brands or models, I am as dumb as a monkey. The company tells me to read cisco.com. I did, but I find it confusing. It does offer CCNA training, which I think I do not need. I did try to study CCNP as well. But to me CCNP is like a harder version of CCNA, and I doubt it will help me much at this point. I did try to google "how to learn networking" or something like that, but all I get is CCNA-related stuff, and I just want to learn something more real life.

Thanks in advance.



Can I simply put 2 single-strand media converters and build myself a sub-$100 fiber extension to my network?

Say I have some distance I want to cover, could I just put one of these on each end of the run?

LFC-100-SC20A Fast Ethernet to BiDi WDM SC, 20Km, T:1310/R:1550nm singlemode Single Strand Fiber Media Converter



Mikrotik openvpn question

Probably a dumb question but...

I am setting up OpenVPN on a Mikrotik. It works, but every time I log in it asks me for the SSL key's password. What do I do to avoid that? What did I miss?

There is no SSL key file; it is an SSL key copy-pasted into the OpenVPN configuration.

All certs including the CA were made on the Mikrotik itself and self signed.



In which layers do these "system level approaches" operate?

In Kurose's Computer Networking book:

9.5 Network Support for Multimedia

In Sections 9.2 through 9.4, we learned how application-level mechanisms such as client buffering, prefetching, adapting media quality to available bandwidth, adaptive playout, and loss mitigation techniques can be used by multimedia applications to improve a multimedia application’s performance. We also learned how content distribution networks and P2P overlay networks can be used to provide a system-level approach for delivering multimedia content. These techniques and approaches are all designed to be used in today’s best-effort Internet. Indeed, they are in use today precisely because the Internet provides only a single, best-effort class of service. But as designers of computer networks, we can’t help but ask whether the network (rather than the applications or application-level infrastructure alone) might provide mechanisms to support multimedia content delivery. As we’ll see shortly, the answer is, of course, “yes”! But we’ll also see that a number of these new network-level mechanisms have yet to be widely deployed. This may be due to their complexity and to the fact that application-level techniques together with best-effort service and properly dimensioned network resources (for example, bandwidth) can indeed provide a “good-enough” (even if not-always-perfect) end-to-end multimedia delivery service.

Is "system level" some layer in the Internet Protocol stack or the OSI model? If yes, which layer?

In which layers of the Internet Protocol stack or the OSI model do the following "system level approaches" respectively operate?

  • content distribution networks
  • P2P overlay networks?

Thanks.



What are services and interfaces of a layer in a computer network model?

In Tanenbaum's Computer Networks book:

Three concepts are central to the OSI model:

  1. Services.
  2. Interfaces.
  3. Protocols.

Probably the biggest contribution of the OSI model is that it makes the distinction between these three concepts explicit.

Each layer performs some services for the layer above it. The service definition tells what the layer does, not how entities above it access it or how the layer works. It defines the layer’s semantics.

A layer’s interface tells the processes above it how to access it. It specifies what the parameters are and what results to expect. It, too, says nothing about how the layer works inside.

Finally, the peer protocols used in a layer are the layer’s own business. It can use any protocols it wants to, as long as it gets the job done (i.e., provides the offered services). It can also change them at will without affecting software in higher layers.

These ideas fit very nicely with modern ideas about object-oriented programming. An object, like a layer, has a set of methods (operations) that processes outside the object can invoke. The semantics of these methods define the set of services that the object offers. The methods’ parameters and results form the object’s interface. The code internal to the object is its protocol and is not visible or of any concern outside the object.

Although the protocols associated with the OSI model are not used any more, the model itself is actually quite general and still valid, and the features discussed at each layer are still very important.

I am trying to understand the three concepts (services, interfaces and protocols).

What services and interfaces does (the layer of) the HTTP protocol provide?

  • Are the HTTP methods (e.g. GET, POST) services or interfaces?
  • Are the formats of HTTP requests and responses not part of services or interfaces?

Go down one layer:

  • Is the socket API the interface of the transport layer?

  • Are TCP and UDP two protocols that implement the transport layer?

Thanks.



Considering changing wireless to Aruba

We currently have approximately 70 Xirrus access points across 10 sites. We have a new site we’d like to bring online, and I’m constantly hearing good things on this sub about Aruba, so I think I’d be remiss not to at least look into it. I haven’t floated it with my VAR yet as I’m not quite ready to spend an entire day on the phone, but I just wanted to gauge from you guys what you feel are the strengths or weaknesses of your Aruba deployments or any you have been involved in.

What I love about our Xirrus gear is how easy it is and how little time I need to spend on it. It is all cloud managed which I would like to retain with Aruba. All I need to do to add a new access point is add the serial number to our account, add the AP to the appropriate profile and plug it into a switch. All the config gets downloaded straight to the AP and no additional network configuration is needed. Is this the case with Aruba as well?

How does Aruba stack up price-wise? From what I can see their individual AP prices are quite good, but what other costs are involved, such as licensing? Is it a requirement to have an on-prem controller, or can it all talk to a cloud controller? Our network is all Cisco, so I assume that shouldn’t be an issue, but I understand it likes to talk to Aruba switches.

Creating new profiles and SSIDs is a breeze on Xirrus and takes no time at all. We’re using 802.1x for corporate devices authenticated against NPS. Does it need to talk to ClearPass?

Ultimately I’m looking for something as simple as Xirrus but not quite as expensive. Does Aruba fit the bill?



Gather POST request on HTTPS traffic?

Hello everyone

I work at a digital agency that has quite a few machines managing some Instagram accounts. We are using Squid as a proxy to log and analyze some usage statistics and to make sure the machines are only used for Instagram.

We had an idea to use Squid to capture the POST data of users at the proxy level, for example likes, follows, comments, etc., so we can log and analyze everything in a convenient central way and even send our clients a monthly report of all the actions their accounts made (who they followed, what they liked, etc.).

I can easily see the requests that I want to capture inside the "Network" tab in Chrome, but the problem is that Instagram uses HTTPS, so I can't seem to be able to capture this data.

Is there any proxy software that can capture this kind of information from any clients connecting to it, without the client needing to set up anything but the proxy itself?

I have seen some solutions like Fiddler, but they require you to set up stuff on the client machine other than the proxy, and I don't want to waste time going over every machine.

Note: We are aware of the legal issues, all machines connected to the network are company property, and all the accounts are client accounts that allow us to gather statistics. No personal account data will be gathered.

Thanks.



Wednesday, November 18, 2020

HELP for SDN

Would like to write a custom switch using BOFUSS for my SDN project. But I am not able to find tutorials on writing a custom switch logic. Could you provide me with some tutorials and references?



High Total Compensation Non-Management Network Engineer Jobs

From what I’ve researched and gathered the highest paid non-management senior network engineer roles are found at FAANG companies. For example a Senior Production Engineer at Facebook on the Network Team can make anywhere from $300k to $400k in total compensation in the California Bay Area. Same for a Senior Site Reliability Engineer on the Network Team at Google. Granted these are high cost of living areas and extremely difficult companies to get into. From my understanding even in the Bay Area for a non FAANG company it is tough for a Senior Network engineer to break $200k in total compensation let alone anywhere else in the US with a lower cost of living. Am I crazy? Are there Senior network (non management) roles not in FAANG that can make comparable money to FAANG?



Getting default route from VRF into global routing table

I have a Cisco DM-VPN spoke router that is set up with two internet connections, each in its own VRF (ISP1 and ISP2). The setup is almost identical to this: https://www.cisco.com/c/en/us/support/docs/security-vpn/dynamic-multi-point-vpn-dmvpn/119022-configure-dmvpn-00.html#anc11

The DM-VPN part works excellently, though I'm trying to figure out how I would get local internet access to work. I expect this would somehow involve getting the default routes from both VRFs (which could also be dynamically obtained from DHCP or Dialer interfaces) into the global routing table. I found a few resources for "route leaking", but I haven't managed to get a default route from the VRF to show up in the global routing table. I just haven't been able to find examples of what I'm after; it seems like this is a very uncommon use of VRFs...

This would be a heavily simplified version of the config. I'd have a LAN interface in the global routing table, and two interfaces facing different ISPs, each in its own VRF.

ip vrf ISP1
 rd 1:1
ip vrf ISP2
 rd 2:2
int gi0
 desc LAN
 ip add 192.168.0.1 255.255.255.0
int gi1
 desc ISP1
 ip vrf forwarding ISP1
 ip add 192.168.1.1 255.255.255.0
int gi2
 desc ISP2
 ip vrf forwarding ISP2
 ip add 192.168.2.1 255.255.255.0
ip route vrf ISP1 0.0.0.0 0.0.0.0 192.168.1.254
ip route vrf ISP2 0.0.0.0 0.0.0.0 192.168.2.254


VTP domain name change and version change.

I have one VTP server on which I would like to:

  1. change the domain name
  2. set a password
  3. set the version to 3

My question is, will making this change remove the VLANs from the VTP clients? I know I'll have to go switch to switch and update the VTP info, but I'm worried that as soon as I make the change the switches would lose their VLAN info.

Logically, the VLANs should keep all their info; just new changes wouldn't go to the clients.

Can anyone clarify this for me?



Charter Spectrum's router is taking down the internet.

The network is simple. There are only 2 VLANs, one for voice and one for data. There is a Charter router that connects to a layer 2 switch. The Charter router is only used for phones and not data. The switch has a few ports on the voice VLAN and the rest on the data VLAN. The port on the switch is set to be on the voice VLAN. The problem is that every time I connect that router to the switch it takes the internet down. Internal network connectivity seems OK, just no internet. Anyone have any thoughts/suggestions? It was working fine yesterday but stopped working last night when no one was in the building. Let me know if you need more info.

Edit: not unmanaged



Setting a wifi on a linux-based embedded board - don't see wlan0

I'm trying to set up Wi-Fi on this Linux-based embedded board, which has a Wi-Fi module embedded on top of it.

I have configured hostapd.conf and wpa_supplicant.conf with specific SSID and password.

A couple of initial questions:

  • When I run ifconfig, I see there's no wlan0. Is that an indication that the Wi-Fi driver isn't loaded?
  • In order to use this Wi-Fi, is it merely a matter of running a hostapd file?


Depreciation Period for Network Hardware

Hi

When acquiring things like routers, switches and firewalls, what is the period your company puts on them for depreciation to zero value?

Thanks



Network Musing from Limbo

As I enter my last few weeks at a Fortune company, I ruminate over my time at the company, my career, my next steps... I've taken the opportunity to relocate to be closer to family and have a clean exit from my employer in the first week of December.

Offers come daily, do I put them on the list and push forward, do I let them fall by the wayside? Each day brings some anew. As I train my successors and document the environment, I stay vigilant and focused. "What is missing? What are the choke points, both politically and on the network? What would I want to receive as an incoming engineer? What tribal knowledge is worth divulging? Do vendors need to know? What are my relationships I plan on keeping moving forward? What are my career goals? What are my technical goals? What are my responsibilities?"

All valid questions which deserve the time to be answered. What do you do in your last weeks as a network engineer/team lead/manager? Thank you for your time and consideration.



Optimizations that can help Windows SMB over VPN

Longtime lurker. I had a sleepless night where I decided to test optimizations for our RRAS VPN and wanted to share optimizations that have added up and made a difference. Some of this is probably known to some, but most of these optimizations were scattered, and I thought it would be good to get them all down in one spot. Hope this is helpful.

We use RRAS on Windows Server for an SSTP VPN, and this works decently enough, but I have always been on the lookout for optimizations to reduce latency, keep the chatty SMB protocol flowing with the fewest retransmits, and prevent packet fragmenting.

I tested copying a 68MB .exe file from a server to my PC over the VPN; I also tested opening documents of average size/complexity.

Depending on the speed of your internet connection, some of these settings may not work well.

DO NOT APPLY THESE SETTINGS WITHOUT TESTING FIRST AND DOCUMENTING YOUR CHANGES SO YOU CAN ROLL BACK IF NECESSARY

Adjust Windows SMB protocol parameters via PowerShell (requires Admin privileges)

Set-SmbClientConfiguration -EnableBandwidthThrottling 0 -EnableLargeMtu 1

Slow SMB files transfer speed | Microsoft Docs

Adjust Windows UDP packet size

HKLM\System\CurrentControlSet\Services\Afd\Parameters

Add the value FastSendDatagramThreshold of type DWORD equal to the desired packet size (1500, for example).

I set the server side to 1500, and on the client side I set up Group Policy to set this to 1468 to match the VPN MTU.

https://kb.vmware.com/s/article/2040065

The actual MTU setting you should use depends on your internet connection, and you should test to find the highest value for the client that works consistently without lots of ups and downs in download speed.

Adjust Windows RRAS/VPN MTU

I was having an issue with file copy performance over the VPN where it would have lots of peaks and valleys in terms of max and min speeds. I eventually stumbled on this, tested multiple settings, and found what worked best for us and allowed consistently fast speed.

I will provide my settings as an example, but keep in mind that every network is unique and you should test multiple settings to find what works best for your network.

I ended up setting the MTU on our RRAS server to 1500, and then created a Group Policy for client PCs to set the MTU to 1468. Initially I set the MTU to 1500 for cable internet users and 1492 for DSL users, but found that I still was having file copy slowdowns where it would go up and down. After setting the server to 1500 and the client to 1468 I got consistently high throughput. I also tried matching the MTU on the server by setting it to 1468, but this reduced performance.

I only mentioned the MTU setting because that is the variable part; it depends on a couple of other registry entries to specify the PPP protocol, so make sure you read the instructions closely.

The actual MTU setting you should use depends on your internet connection, and you should test to find the highest value for the client that works consistently without lots of ups and downs in download speed.

These MTU settings require a reboot on each device whenever a change is made.

HOW TO: Change the Default Maximum Transmission Unit (MTU) Size Settings for PPP Connections or for VPN Connections - Office Support (microsoft.com)



SFP port shows status "linkdown" on Centos 7

Sincere apologies if this is a low-post question: I'm facing an issue with the connection between a QLogic FC HBA and a Cisco Nexus SFP switch (n5k-cc5548up). The Cisco SFP ports show up when transceivers are inserted, but I don't know how or why the QLogic FC HBA in CentOS 7 does not come online. Everything I have tried seems not to resolve it, and it always shows status "Linkdown". Any help would be much appreciated.



If we cannot ping a WAN IP from a remote location, does that mean it is likely to be behind a NAT?

I have a client connected via VPN. I get his public WAN IP, but I cannot ping it.



Is this over summarization using BGP?

I'm in a class learning BGP currently. The instructor asked us to summarize these hypothetical routes without oversummarizing. I summarized them to 214.1.0.0/19. He says this is not correct, but I went to a route summary calculator and it says it is? Any help/explanation is appreciated, thank you!

Routes to summarize:

    214.1.2.0/24
    214.1.3.0/24
    214.1.4.0/24
    214.1.5.0/24

and so on to 214.1.20.0/24

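As an added example (not part of the original post), the check I would do with Python's standard-library ipaddress module: compute the smallest set of prefixes that covers exactly these /24s, and list the /24s that a candidate such as 214.1.0.0/19 would advertise without actually having a route for them. The functions also accept non-contiguous route lists, so they are more general than the block in the post.

```python
import ipaddress
from typing import Iterable, List

# The routes from the post, constructed here: 214.1.2.0/24 through 214.1.20.0/24.
ROUTES = [ipaddress.ip_network(f"214.1.{n}.0/24") for n in range(2, 21)]


def exact_summaries(routes: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Smallest set of prefixes that covers the given routes and nothing else.

    collapse_addresses only merges two prefixes into their common supernet when
    both halves are present, so it never covers address space that was not given.
    """
    return sorted(ipaddress.collapse_addresses(routes))


def extra_prefixes(summary: str, routes: Iterable[ipaddress.IPv4Network],
                   prefixlen: int = 24) -> List[ipaddress.IPv4Network]:
    """The /prefixlen blocks inside `summary` that are NOT among the routes.

    A non-empty result means the summary oversummarizes: the router would
    advertise reachability for address space it has no route to, attracting
    traffic for those destinations and then dropping it.
    """
    net = ipaddress.ip_network(summary)
    routes = list(routes)
    if net.prefixlen > prefixlen:
        # Candidate is more specific than the routes themselves: it is covered
        # exactly when one of the routes contains it.
        return [] if any(r.supernet_of(net) for r in routes) else [net]
    wanted = set(routes)
    return [sub for sub in net.subnets(new_prefix=prefixlen) if sub not in wanted]


def covers_all(summaries: Iterable[ipaddress.IPv4Network],
               routes: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if every route falls inside at least one summary."""
    summaries = list(summaries)
    return all(any(s.supernet_of(r) for s in summaries) for r in routes)


if __name__ == "__main__":
    exact = exact_summaries(ROUTES)
    print("Exact summaries:", ", ".join(map(str, exact)))    # 5 prefixes, no extra space
    print("Covers every route:", covers_all(exact, ROUTES))  # True

    candidate = "214.1.0.0/19"
    extra = extra_prefixes(candidate, ROUTES)
    print(f"{candidate} also covers {len(extra)} /24s with no route:",
          ", ".join(map(str, extra)))                        # 13 extra /24s
```

For the routes in the post the exact cover is 214.1.2.0/23, 214.1.4.0/22, 214.1.8.0/21, 214.1.16.0/22 and 214.1.20.0/24, while 214.1.0.0/19 pulls in 214.1.0.0/24, 214.1.1.0/24 and 214.1.21.0/24 through 214.1.31.0/24.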


Available methods to monitor online/offline status of APs on Cisco vWLC?

Looking for a way to monitor my APs. I’m using a Cisco vWLC and have several hundred APs. I do have Solarwinds NPM available to utilize (which shows a list of all of the thin access points currently under the WLC node entry). Having trouble figuring out how to create an alert so I get notified when these go down.

Anybody have a solution that works well for them? I’d prefer to do this inside of Solarwinds if possible. Even just an email notification when an AP goes down and another when it goes back up would be useful. Also just curious how other people manage their APs.



CloudPath vs SecureW2 vs ...

I'm starting to evaluate options for handling EAP-TLS for wireless. I need a system where the CA is built in and can be seamlessly integrated with an MDM product. Device certificates handed out with SCEP and all the rest.

I know ClearPass is one of the best, but it could be too costly since the requirements are quite basic; more granular control might not be needed.

CloudPath and SecureW2 JoinNow seem like good options as well and there's also SafeConnect and some others.

What do you use and are you happy with it? Is it intuitive to set up and use? How's the cost?



GUI interface for ACL management

Hello, I need to find a tool to manage ACL rules with a GUI interface instead of the CLI. Something like FWbuilder. Are there any good tools for that? Preferably free, but could be paid as well (on Windows). I've been told that we are using Cisco ACL rules as a firewall, if that makes sense.

Sorry for no context. It's not my field of work. Please feel free to ask questions that could help with my case. Thank you!

Is it even practical to switch to GUI?



Juniper Core-Switch Multicast Routing

Hi Guys,

Unfortunately I don't know much about multicast and need it far too rarely to really get my head into it.

I was at a customer site yesterday who has a Juniper Core-Switch with multiple VLANs routed over that core.

Now someone is planning to add light automation stuff to the network (wired KNX gateways and Wifi tablets to control the light). No enterprise equipment and therefore no enterprise documentation.

The only thing I've found in the documentation is that the KNX stuff only talks to a multicast address.

Yesterday both device types were in the same VLAN. Since it didn't work, I enabled IGMP for the VLAN interface. Long story short: the communication worked, and then the network broke down (high packet loss; I guess the multicast stuff brought down the net), so I needed to roll back.

I guess this could have been fixed with IGMP-Snooping.

Any idea what I need to do to achieve the communication without breaking the net?

In the next step the KNX-Gateway shall be put in another VLAN.

All the PIM/Multicast routing explanations in trainings are for multi-Router setups with one sender and multiple receivers.

Any ideas?



Does anyone know where I can get the Solutions Manual for this book: "Internetworking with TCP/IP Volume One, 6th Edition"?!

I searched a lot on Google, but I could not find any solutions to the exercises found at the end of each chapter for this book: "Internetworking with TCP/IP Volume One, 6th Edition", even at Pearson website nothing.

Could anyone help me please?! I really need it.



Between TCP/IP and the OSI model, which came first?

This might seem weird but according to this article the OSI model was invented in 1984, and this article says that TCP/IP was adopted by ARPANET in 1983. Which doesn’t make sense since TCP/IP was based on the OSI model.

When I did some further research I found another article that says that TCP/IP came 10 years before the OSI model.

Can someone clarify this? Was TCP/IP invented first but then was redesigned based on the OSI model or did the OSI model come first?

Edit 1: I was just repeating what my professor said when I said

TCP/IP was based on the OSI model

But I can't find anywhere that says that TCP was based on OSI. Which raises the question: why are the two models always being compared?



Tuesday, November 17, 2020

Cisco ISE VM: offline snapshot

Hey guys, I have to move my two ISE VMs from one ESX cluster to another. I know snapshots are not supported because they alter the database and real-time synchronisation. However, I am wondering: if I shut down the VM and use Veeam to move it, does this have an impact on the data? I'm guessing no, but I couldn't find a clear answer and TAC tells me to ask my VM expert...

Thanks



Cisco QoS advice

So I'm typically a Wi-Fi / NAC guy, but over the past two years I have found myself doing a lot more route/switch projects. I'm a long-time CCNP R&S and that is where my foundations are mostly rock solid, except for QoS.

I am on a switch refresh project where the customer just "wants QoS" but doesn't really have the budget for a full-blown QoS scoping/design engagement. At least not right now. I would like to pull in one of our CCIEs to help out and learn from, pending availability, but I need to assume they aren't available to assist.

Is there a framework or best practice config that I can apply on the new L2/L3 switches that doesn't require too much modification, and is suitable for most environments analysing business requirements?

I've decided to grab Cisco's End-to-End QoS Network Design book to brush up on some foundation topics in the meantime.

Any other advice re: QoS would be super appreciated.



Cisco TAC Engineer Hiring India

Hi Guys,
Recently I got hired for a Technical Support Engineer role at Cisco, India (salary 650,000 INR). Though, on the portal where I applied it showed the role as TAC Engineer, and now in the offer letter it's Technical Support Engineer. Moreover, this is the only job offer I have, and I have a gap of 1.5 years (graduated in 2019, BTech CSE). I plan to do an MS-MIS (Management Information Systems); is it worth joining this role? Anyone who is working as a Technical Support Engineer, can you please elaborate on your daily work?
Is it like customer care? Though my interview was technical with some HR questions.



Weird situation help

We have equipment on a customer network that is in a /28 subnet. We now need another IP address and they said to add a router and put some equipment behind it.

I need to access that equipment behind the new router from that subnet's gateway router.

We are going to use an ERX.

Should the ERX be setup with no firewall (nothing on this network gets to the internet) and all I really need is a NAT box essentially?

I just need more IPs, but I’d like all of the things on the ERX LAN to be able to reach the ERX WAN devices and vice versa.

So should I do a firewall with port forwards or is there some benefit to having no firewall but still doing forwards?

We have access to a jump server in their data center that gives us a Windows machine to talk to our /28 subnet.

I understand port forwarding for this. I just wonder if there is a more open and simple way if we don’t have any need to be “secure”

They have switches and routers that we can’t expect to be reconfigured for us.

If this is a simple scenario sorry, I’m like 33% into learning about networking but here I am!



port channel setup

Trying to get a better grasp of using port channels. I understand the benefits of using them, just trying to understand it more logically as in configuring it. So once a channel group has been created, do I apply the configuration on the port channel, the ports themselves, or on both? I am working with Nexus 9Ks and getting them hooked up to a stack of 3850s. And then on the 3850s, would I do the same or configure it a bit differently? Or am I just really overthinking this :)

Here is a sample of the config:

    interface port-channel100
      switchport
      switchport mode trunk
      switchport trunk native vlan 999
      switchport trunk allowed vlan 1-2,5-6,11-14,550,999,2400
      vpc 5

    N9K-1# sh run int e1/56
    interface Ethernet1/56
      description N9K-1 Port 56 to 3850
      switchport
      switchport mode trunk
      switchport trunk native vlan 999
      switchport trunk allowed vlan 1-2,5-6,11-14,550,999,2400
      channel-group 100 mode active

    N9K-1# sh run int e1/57
    interface Ethernet1/57
      description N9K-1 Port 57 to 3850
      switchport
      switchport mode trunk
      switchport trunk native vlan 999
      switchport trunk allowed vlan 1-2,5-6,11-14,550,999,2400
      channel-group 100 mode active


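As an added example (not from the original post or from Cisco), the consistency check I would run before expecting the members to bundle: a small Python parser over a running-config excerpt like the one above that confirms each member port's switchport settings match the port-channel's, since NX-OS will not bundle a member whose settings are incompatible with the channel. The compared attribute list is an illustrative subset, not Cisco's full compatibility list, and the sample config is constructed from the post.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample: the post's NX-OS config with the "sh run int" prompts stripped.
SAMPLE_CONFIG = """\
interface port-channel100
  switchport
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 1-2,5-6,11-14,550,999,2400
  vpc 5
interface Ethernet1/56
  description N9K-1 Port 56 to 3850
  switchport
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 1-2,5-6,11-14,550,999,2400
  channel-group 100 mode active
interface Ethernet1/57
  description N9K-1 Port 57 to 3850
  switchport
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 1-2,5-6,11-14,550,999,2400
  channel-group 100 mode active
"""

# Settings that must agree between a port-channel and its members for the member
# to bundle (illustrative subset; the real compatibility check covers more).
COMPARED = ("switchport mode", "switchport trunk native vlan",
            "switchport trunk allowed vlan")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map interface name -> list of its config lines (whitespace stripped)."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def attribute(lines: List[str], key: str) -> Optional[str]:
    """Value following `key` in a stanza ('' for a bare keyword, None if absent)."""
    for line in lines:
        if line == key:
            return ""
        if line.startswith(key + " "):
            return line[len(key) + 1:]
    return None


def channel_members(interfaces: Dict[str, List[str]]) -> Dict[int, List[str]]:
    """Map port-channel number -> member interface names, from channel-group lines."""
    members: Dict[int, List[str]] = defaultdict(list)
    for name, lines in interfaces.items():
        for line in lines:
            m = re.match(r"channel-group (\d+)", line)
            if m:
                members[int(m.group(1))].append(name)
    return members


def check_port_channels(config: str) -> Dict[str, List[str]]:
    """Return {port-channel name: mismatch descriptions}; an empty list means consistent."""
    interfaces = parse_interfaces(config)
    report: Dict[str, List[str]] = {}
    for pc_id, names in channel_members(interfaces).items():
        pc_name = f"port-channel{pc_id}"
        pc_lines = interfaces.get(pc_name)
        if pc_lines is None:
            report[pc_name] = [f"members reference {pc_name} but it is not configured"]
            continue
        problems = []
        for name in names:
            for key in COMPARED:
                want, have = attribute(pc_lines, key), attribute(interfaces[name], key)
                if want != have:
                    problems.append(f"{name}: {key!r} is {have!r}, port-channel has {want!r}")
        report[pc_name] = problems
    return report


if __name__ == "__main__":
    for pc, problems in check_port_channels(SAMPLE_CONFIG).items():
        print(pc, "OK" if not problems else "\n  ".join(["mismatches:"] + problems))
```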

Studying networking at school and struggling with some homework

I have to configure a wireless network from scratch in Packet Tracer, and my WLC isn't recognizing any of the APs on the network. Is there a way I can manually register the AP? If not, can anyone tell me the exact steps to join them?

Thanks in advance



ANSI/TIA/EIA-568 Standards

I know this is probably a wiring sub question, but I can’t post there and there seem to be fewer followers... looking for a good set of eyes!

I’m looking for some help interpreting ANSI/TIA/EIA standards. We have a contractor doing low voltage work in our buildings. They ran about 75 Cat6 cables and terminated both ends with modular plugs. On the MDF side, instead of terminating to RJ45 keystones or punching down to a patch panel, they terminated with modular plugs and used keystone couplers to create a “patch panel”. I’ve never seen cabling installed like that and wouldn’t do it myself because it’s another point of failure. The modular end could also easily be disconnected from the coupler on the “horizontal cabling” side. We specified to follow ANSI/TIA/EIA-568 standards. Is this acceptable? How does everyone else interpret the standards?

The cables aren’t even dressed nicely either. There are 48 coils of cable sitting behind the patch panel (well, hanging 3-4 RUs below) with the modular end just plugged into the coupler.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



MikroTik - No option to adjust MTU for IPSEC Tunnel to troubleshoot perf

Q: Can anyone with experience with MikroTik device(s) provide some insight into whether MTU adjustment for IPsec overhead is possible?

I've used a lot of firewalls over the years (Checkpoint, Palo Alto, Cisco ASA/FP, Openswan, Fortinet, etc.), but I've run into a vendor we work with that uses MikroTik as their router/firewall.

I'm terminating an IPsec tunnel from PAN-OS to the MikroTik device and the IPsec tunnel is performing really badly for TX. I wanted to match the MTU of 1400 on the PAN-OS side on the MikroTik device, but there doesn't seem to be support for doing this without doing it on their L3 WAN interface for all their traffic.

The tunnel is crawling at TX = 1.5 Mbps and RX = 32 Mbps (10 samples over 1 min intervals).

I can get ping 192.168.1.1 -s 1476 through over the tunnel; 1477 is where the DF bit kicks in.

Read through some of the docs myself and I don't see any IPSEC support.

https://help.mikrotik.com/docs/display/ROS/MTU+in+RouterOS#heading-AdvancedSetupExamples



Aruba/HPE Loop Protect vs BPDU-Protection or both?

Hey,

If I want to prevent switching loops on my network on an Aruba 2930F switch, should I be using Loop Protect or BPDU protection, or both?



Question on adaptive antenna systems for mid/high-band 5G

Hi everyone - while job hunting, I've decided to tackle a side project related to rooftop site acquisition using geospatial analytics and data science. I'm in a stage where I need to be doing significant due diligence on antenna and hardware vendors manufacturing / prioritizing R&D on adaptive small cell repeaters or stations that use MIMO technology to be amenable to multiple carriers leasing bandwidth from the same location. If folks have worked with reliable equipment providers in this space or know of ones worth reaching out to, no matter the size, I'd be interested. Thanks!



Experience with Aruba 6300/6400/8300/8400 series

What have been everyone's experiences with the new(er) Aruba CX series switches? We are looking at options to upgrade our old ProCurve 5406/5412s and the 6400 series chassis are looking like the clear upgrade; however, I know the series and OS are still newer than most, so I'm curious what people's experiences have been.

From a pure price/performance perspective, the 6400 series is murdering the Cisco 9400 series chassis.



Number of APs supported

Hi to all,

I have a WLC 2504 in our environment, and I want to know how many access points are supported on my WLC.

In data sheets it says that it supports 75 AP.

How can I verify it on my WLC?

Information:

Software Version- 8.3.143.0

Field Recovery Image Version - [7.6.101.1]



PoE lighting for shed

Hi there, I haven't managed to track down much info about PoE lighting options, so I wanted to run it by everyone here. Other than the UniFi dimmer switch and panel, which is close to what I'm after but probably a bit too smart/pricey for my needs, I haven't had any luck.

In a nutshell, I have run 2x Cat6 cables from a basic 4-port PoE switch to my outdoor shed. The shed doesn't have power nor do I want to run power to it. I have a security camera connected to one of two PoE ports, so have one spare PoE port available in the shed.

I am trying to track down a PoE light switch + LED light combo so I can light the shed, as an alternative to a 12V battery + 12V LED which I have in place at the moment.

Are there any products out there that would allow me to run Cat6 from the spare PoE port -> PoE light switch -> LED light? It doesn't need to be waterproof and I could mount to an internal wall or overhead beam easily enough.

If there is nothing out there I can just stick to the 12V battery + LED which does the trick, but can be a bit of a hassle when the battery runs flat!

Thank you!



400G PON with dynamic assignment of 25G subcarriers

While discussing unamplified 100G DWDM over 40km using pluggable QSFP28 optics (https://old.reddit.com/r/networking/comments/jv94f6/100g_dwdm_over_40km_using_pluggable_qsfp28_optics/ ) this little gem came up: 400G-XR ( https://www.infinera.com/innovation/xr-optics )

It's basically a pluggable QSFP28-DD or OSFP 400G optic which you connect via a typical PON topology to multiple clients and then dynamically assign 25G subcarriers to each according to need.

In addition to that it will support client devices from SFP28/QSFP28 up and it will use coherent(!) optics. This means no chromatic dispersion compensation and no amps needed to get out of the gate.

It will even support bidi connections over a single fiber using circulators.

I recall when 100M BiDi was the new hot thing in FTTH networks. We've come a long way.

All credit goes to u/Enrage who helpfully also pointed out that this 400G-XR will die a lonely death due to it being a proprietary, vendor specific standard :)



EVPN and the silent host problem

I think it's pretty well documented that with EVPN and ARP/ND Suppression you can run into what is termed the silent host problem in which a host, if it never speaks, is never learned, and therefore unreachable, because the EVPN fabric suppresses any ARP requests that would cause it to speak in reply. It's a real thing, for sure, as I see it in my labs often enough.

I have not seen this in production environments though. But my scope is somewhat limited. I'm having a hard time conceiving of a device I would have in my datacenter that just never talks, ever. It seems like everything is busy trying to chat about something, be it verifying its next hop is there or begging some other Windows box to be its NetBIOS BFF.

My question is has anyone actually experienced this in any kind of production environment? If so what was it? How did you overcome the issue?



Multi-site, multi-ISP, geographically separate

Hello,

I am thinking over some scenarios and wanted just some high level advice. I have a main hub site with a single ISP connection. The company purchased a new location that will basically house all the administration staff while the operations staff will stay at the hub site. I wanted to purchase a totally independent ISP connection separate from the hub site, and use them as fail-over for each other. So, if the hub site's connection was lost, traffic would route to the spoke location's ISP and vice versa.

The company is a Cisco and Palo Alto shop. I am familiar with BGP multi-homing and multi-path with dual ISP connections to a single site, but something I haven't done is using a BGP multi-homing configuration over two geographically separate sites with a single connection at each site. The intent is to have hub site clients use its ISP connection unless it failed. The spoke site would also use its single ISP connection unless it failed. Should a connection fail, then traffic would pass over to the other site and use its ISP connection. So, not an active/active load-sharing scenario. More of an active/passive scenario from a single site's point of view.

In my mind I'm thinking:
HUB Site A Inet --> WAN Edge Router --> Pair of DMZ switches --> Pair of Collapsed Core Switches --> Palo Alto Firewalls and Access Switches will connect off of the Collapsed Core Switches.

Spoke Site B Inet --> WAN Edge Router --> A pair of Layer 2 switches --> Pair of Collapsed Core Switches --> Palo Alto Firewalls and Access Switches will connect off of the Collapsed Core switches.

**The part I'm fuzzy about:** For the failover to be possible, wouldn't there need to be a layer 3 connection between the WAN edge routers at each site?

What technology would be best to use for the fail-over scenario? HSRP? BGP multi-homing? Policy-based Routing? IP SLA for interface fail-over?



Cisco Aironet console commands for setting up bridge?

Have a client side / remote side AP that is already installed and am trying to figure out a way to configure the AP for bridge setup and also join it to the WLC. I have the root AP already configured with AP Role, BGN, ethernet bridging checked, etc. on the WLC, but not sure how to go about configuring the mesh side? The mesh side device is currently being powered by a PoE switch. Not sure if I can set up a DHCP scope on the switch and console to it or connect to it that way. Not sure if the AP takes DHCP by default?

Any ideas....



Dell N2200 Port Issue / Dead Port / No Data

Hey Reddit,

Just wanted to send out an S.O.S. regarding Dell N2200/3200 series switches. I can easily complain about my woes, but here's the breakdown of some facts (from some guy on the Internet, me).

The Dell N2200(and N3200, read on please) series switches (not to be confused with N2000) which were released in 2020 have a fatal bug that exists even on the original Firmware version of 6.6.1.0. As of 11/17/2020, with version 6.6.3.3, the issue still exists.

Location of support and downloads --> https://www.dell.com/support/home/en-us/product-support/product/networking-n2200-on/drivers

For some context on the symptom: occasionally, a random port on the Dell N2200 will simply stop working. With every debugging feature enabled, and Wireshark directly connected to said port in question (again, random), the N2200 series switch simply does not return any network traffic. Regardless of what configuration is on the interface, regardless of how spanning-tree is configured, regardless of whether it is a single switch with no uplink, the issue is random and simply shows no data. Interface counters stay at 0.

With Wireshark listening in, any PC, IP Phone, or network switch(dumb and Managed with appropriate Vlan config and routing) you'll notice that devices will send its typical DHCP request (even if you set it Statically with or without Vlan tagging), the N2200 just does not reply whatsoever.

If using IP phones and a PoE enabled N2200, you'll see that the port supplies PoE, but no data. Switch will not respond. Interface counters still 0, phone sending data to the port, but nothing coming back (used SharkTap + Wireshark to verify this)

And, yes, a shut and no shut was issued many times, and extensive careful consideration of the config, with a plethora of combinations to the config to solve this issue, resulted in 0 success (adjusted speed, duplex, even the inline for PoE, removing all config, just making it an access port, etc.).

After escalation after escalation, and 9 Dell Engineers later, we received admission and confirmation from Dell that the issue was reproducible internally at Dell, received word that another customer of Dell also has the same issue we do and that this problem exists only on N2200 and N3200 (which we don't have) Series switches. The ETA to supply a fix is scheduled for the first week of December 2020 (fingers crossed).

The only fix currently is by rebooting the switch, and the port magically works for some time. Even logs before the issue occurs are void of any helpful information. We're able to determine when it stopped since a user was actively using it up until it went dead. It just stops working. Performing a Show Interface of the dead port has in some cases caused the switch's management Plane (control plane appears to route just fine for a little bit) to spike to 100% CPU and eventually, with enough time, the Control plane locks up, resulting in an immediate reboot to bring things back to normal. Console cable shows a frozen/usable session during this scenario.

Hope nobody else has to deal with this. Cheers.

tl;dr - Dell N2200 and N3300 Series switches as of 11/17/2020 with Firmware Version 6.6.1.0 to 6.6.3.3 have a fatal issue of ports not working. Issue was admitted and is currently being worked on by Dell. ETA of fix is the first week of December 2020.



"Wireshark" online?

Is there any reputable online service (free or paid) that provides Wireshark or something Wireshark-like online in the browser? So I can upload a PCAP file to perform quick analysis without installing Wireshark on the local PC.



Configuring Firewall on Windows? | Windows Firewall Control


Configuring Firewall on Windows? | Windows Firewall Control | Through this article, I am going to tell you what a firewall is. How does a firewall work? And also I am going to talk about its configurations with full details. In this, I will give you information about how to block and unblock the website

The way we humans live in safety in some way or the other. So that we can breathe the chain. Similarly, a firewall is required to protect the computer. By having a firewall on the computer, it can be protected from viruses and malware. Configuring firewalls is considered to be a huge factor in learning to hack. With this, you can keep your data safe while hacking.



Router Recommendation

We are looking for a new router to replace our Mikrotik routers because of the slowness issues we are experiencing with them. We have tested Ubiquiti but performance was worse than Mikrotik. We are primarily a Cisco shop but can't find any decent pricing on their routers.

We require 2 - 10Gb ports

support for up to 900 VLANs

NAT/BGP/OSPF/ECMP

Bandwidth Throttling per VLAN

Cost in the $500 range, used is ok.



A day in the life of a network admin

Hey all,

I don't think this post violates any of the rules, but feel free to delete it if it does. I'm trying to get a better understanding of what's important to networking folks on a day to day basis. Full disclosure, I work for an NPM vendor. I ask because I fully understand what we do at my job, but I know that's just a subset of what folks like you care about. A few years back, I got Network+ and Security+ certifications, which gave me a good understanding of the basics from a technology standpoint, but I guess I don't necessarily understand how that translates to the day to day. I've been looking for resources like the Network Manager's Handbook and network planning and design books to give me a broader understanding. I enjoy the posts here because they seem so varied and help me with what I'm looking for, but I was wondering if anyone had any other suggestions for resources for me to read that you think might make sense. I understand what I'm asking for is very broad, but I feel like I can't have meaningful conversations with networking people without fully understanding what they care about. I appreciate any feedback anyone has!



Source for Sonicwall console cable?

Sonicwall isn't our preferred firewall but we have clients who have them and they can't seem to locate their original console cables. We've attempted to make adapter cables based on their KBs but haven't had much luck. Sonicwall's own support won't provide them or even a SKU to order them.

We want to be prepared for a situation where we need console access and have known, working cables but this seems to be a bigger challenge than it should be.

Does anybody have any sources/SKUs for off-the-shelf cables you can buy?



Why don't large organizations such as Google, Microsoft, Amazon, etc. provide a looking glass tool?

Hi,

Why don't large organizations such as Google, Microsoft, Amazon, etc. provide a looking glass tool for network troubleshooting? (For example, to inspect the BGP table/best paths or traceroutes).

Correct me if I am wrong on this... but I checked PeeringDB and apparently none of them do.

Since they host a lot of content and services, e.g. from their respective cloud platforms wouldn't it be beneficial for everyone else?

Without being able to inspect how the other side sees your network, any sort of troubleshooting is guesswork at best.



Public WiFi operators - What do you block?

I work for a small local government and we operate public WiFi in a number of areas for community use. It is very well received and gets quite a bit of traffic daily.

My question is to other operators of public networks and what you block? The public SSID traverses our corporate network but is all isolated and terminates on our Palo Alto firewall. We’re utilizing url category filtering and app-id to block a small number of things like adult websites but the previous admin also blocked things like VPNs and BitTorrent. I’m curious if others would agree with that sort of blocking?

My take on it as a user of public WiFi at say McDonald’s is that I would want to use a VPN firstly to protect my traffic from attackers but also for the obvious business use of connecting to the corporate network. As for stuff like BitTorrent although it can be used for nefarious purposes I’m dubious about the value of strictly blocking it when I could just apply some qos so users don’t blow away our bandwidth.



Cisco equipment substitute for PFSense?

Hi! I am currently using an old OptiPlex 360 running pfSense in a network with 100 devices. I need a VPN client for Windows, proxy, firewall, routing and failover for 3 WAN link interfaces. What Cisco equipment do I need to do the job?

I am starting to study about Cisco now, and need to understand if I need to pay licenses too for that solution.

Thanks!



Monday, November 16, 2020

Best Firewall for small business?

We have two networks with one being 1Gbps and the other one is about 350Mbps.

I am planning to use 1 firewall to control both networks.

I might need a firewall with dual wan + fail-over, personally I prefer firewall with IPS and SD-WAN features.

I am looking at the Fortigate 60F with the UTM license; that seems to be able to handle everything I need and also provides a good number of SSL VPN users as well. (I only need a few of them.)

Just curious if anyone has been dealing with a similar case and has a good recommendation of hardware I could take a look and some tips.

Thank you very much.



I'm purchasing a switch with 5 ports. Can I plug the ethernet IN into any port?

Does it matter which port I plug the ethernet IN into? The ports are labeled 1-5 with no IN port. I assume I can just plug the IN into any one of those and the OUT to any other free ports



Alcatel-Lucent multicast issues

I have two Alcatel-Lucent OmniSwitches I am using as edge switches, along with a core switch, set up with an application that uses multicast communicating with a VM on a hypervisor connected to the core switch, with all 3 on the same VLAN.

Multicast is working fine on switch one, no issues, and the VM can see the application. However, on switch two the VM can't see the application, but the device on the other hypervisor can, which is not what I want.

Running the command "show ip multicast source" on switch one shows me itself, the device on switch two, and the VM in the multicast routing table.

However, running the same command on switch two only shows me itself and the device on switch one. The VM does not appear in the multicast routing table at all.

How on switch two can I add the VM to the routing table for my VLAN?