Saturday, December 19, 2020

Cloud server to VPN SMB/Network Discovery?

Is there any way to connect a Cloud server to a VPN LAN on-site and still retain Network Discovery and SMB?

Short story: setting up a proprietary server for a customer. Their IT provider has provided a Microsoft Azure server, and the server cannot discover equipment inside the on-site VLAN from the cloud.

Is there any way to make this happen? The server software we use basically requires our equipment to be visible in My Network in Windows. If the IT department can manage that, we have no problems.

Sorry if this is out of place, I know of nowhere else to ask. Their IT provider is out of ideas or just doesn't care so they are no help for me.

Edit: I can add to this by saying the server can connect to the equipment using IP, but that is not enough. There needs to be some sort of Network Discovery/SMB/Whatever it's called.
Is this what they call Layer 2?
Or is this just impossible?



Cisco CBS switches and "Lifecycle management" features

I have a small client that needs some switches and I'm looking at the new Cisco CBS350 series switches which came out just a few months ago. These are the replacement for the older SG350 series.

I am very leery of buying anything Cisco given Meraki and Cisco's new "Smart" licensing, where you must pay for support in perpetuity (or until Cisco EoLs the model) or else the switch basically stops working or otherwise degrades its feature set.

It's not appropriate for me to sell this client into something that they have to rent but can never own.

Thus I'm looking at the Cisco CBS 350 series and while the FAQ for these mentions that they don't require a support contract to continue working, it does mention a "Lifecycle management" feature that "Provides detailed lifecycle information about your network devices—including maintenance and warranty status and end-of-life bulletins."

It is reasonable and prudent to assume the worst, or at least be skeptical. Could this be a feature which nags and annoys the user when the device goes EoS/EoL? What exactly does this mean? No doubt it's nothing good, but I'd like to know exactly what Cisco is doing here.

Does anyone have these switches yet and can you offer any insight into what Cisco's "Lifecycle management" features are here?

Thanks



Are cable testers better than switch cable diagnostics (home user)?

Have all Aruba networking gear at home - 2540 Switch with a mixed Aruba AP environment. Clients on one of my POE access points are sporadically losing connection (seems to be cable related because I don't see any loss of AP connectivity at the switch or in the AP logs). The cable in question does not have the best cabling job (had to do the wiring in a dark attic) but the cable looks fine when I run a cable diagnostic test on the switch:

Pair   Status   Distance to Fault
------ -------- -----------------
1-2    OK       20m
3-6    OK       19m
4-5    OK       22m
7-8    OK       20m

Would a real-deal cable tester like a Fluke identify issues I wouldn't be able to see with the simple switch test? Worth the investment?



Help with Cisco 4321 and Spectrum Technicolor TC8715D Cable Modem

Kind of some noob questions,

[Design]:

I want to install the Cisco 4321 device as my main L3 router, then connect it to a Juniper EX4200 where I plan on connecting my HP ProLiant 380p Gen 8 running a media server for Sonarr/Radarr/Transmission/Plex/etc.

From the switch I plan on having PoE cameras and 2 x wireless routers running in AP mode (2 different models of Netgear wireless routers).

I switched my modem to "bridge mode" and connected an ethernet cable from port one on the modem to the g0/0/1 interface on the Cisco device. Once I did that I was able to get an IP automatically assigned from the modem, which I was having issues with before.

Once I did this I was able to connect the g0/0/0 interface to my Juniper EX4200 switch. Once I added a lab PC to my switch, it resolved to an IP not in my "configured" network. For example, I had configured 192.168.24.1 as my DHCP pool network that should have been applied to the switch's interfaces, as it is VLAN 100, which has the family inet address 192.168.24.1/24.

This is most likely a configuration problem,

Can anyone help me with configuration that will work correctly?

thank you! any help is appreciated.



Crash course/ resources on layer 1? In particular SFPs and Fiber Connections?

Well, prior to my current job, I've always been tier 3, remote troubleshooting, mostly ISP connections. At my new job, I am the only network administrator and responsible from the core to the unmanaged access switches.

I am fine with patch panels, running ethernet cables and all that. My problems come when fiber comes into play. I admit I am not too knowledgeable between picking the right SFPs.

When it comes to fiber, I can tell you the difference between single/multimode and know to match rx/tx on both sides.

What should I use to learn this? I am looking for more hands-on/actual equipment training.

Thanks!



Questions about WAN switch to split our network drop to redundant firewalls

We are upgrading our Sonicwall TZ600 to a HA pair of TZ670s. The Sonicwall documentation for HA indicates a WAN switch in front of the two appliances, and a LAN switch for the inside network. My first assumption was WAN/LAN were just an indication of the placement of the switches, but as I'm not a network guru I wanted to check to see if there was anything special about a switch that would sit in front of our firewalls.
Google is a study of information overload and I can't find any confirmation either way - some of the links for WAN switches were huge appliances that are likely overkill for our needs.

Is there anything special about a switch that would sit in front of our Sonicwalls, or will any decent switch work?



DMVPN tunnel questions (Cisco + standard internet vs. Cisco + cellular AP)

We use a dual-hub Cisco DMVPN setup for our branch locations to connect back to our home office (two tunnels from each location, one to the home office and one to the DR site).

Normally they are connected through a standard modem from one of the various providers out there; however, recently we have opened locations with insane construction fees to get a wire to the building and have opted to use cellular devices (Cradlepoint) in lieu of that.

Everything works the same with this setup, except for some of our internal sites. These sites resolve to the same IP address but use different ports. Through the cellular devices we can't reach a port that we can through standard modems.

I would think the cellular device would have nothing to do with traffic passing through the tunnel. I've checked for firewalls on the CP, routing, etc.

Anyone run into anything similar?



Static IP Requirement

Forgive me if I use the wrong terminology.

I have a CCTV security system that is currently connected to a monitoring company via the internet. When having the system installed, we were advised that we needed a static IP for the system to connect properly.

Fast forward a few months and the static IP service has been installed and is a complete nightmare. The routers they use for the static service are unreliable, the connection is temperamental to say the least and although the data rate is okay, there seems to be a lot of latency, which affects various real time applications.

I would like to switch back to a dynamic IP but I need a service that can provide a pseudo-IP service. I want to use the acronym 'DNS' but I don't know if that's actually what I'm looking for.

Any advice on a solution would be much appreciated!



Rack design advice for drawer

Hi folks, any tips on locating a drawer in a rack? We are doing a greenfield 42U and looking to stash our extra SFPs, zip ties, underground gambling winnings, and velcro neatly instead of stacked on top of equipment. Looking at a 2U, and if you have a vendor you've had good experience with please post below (normally we'd do fs.com but I'm only seeing a 4U there).

Thanks in advance, and I'll also cross-post with the server reddits.



Will an OM3 LC connector work with a Single mode fiber?

Can't really find much info out there related to this. Heard in one place it can and another alluding that it won't work.

Looking to terminate it to a single mode fiber.

EDIT:

Should have added this is for UniCams.

Thank you for the fast responses everyone! I'll ask one of my guys if they can find a SM LC UniCam connector!

Materials are VERY limited so I’ll give it a test but hunt for the proper connector.



Stacking VLANs per ingress port; switch recommendation

I have a bunch of devices which have an unchangeable network config, including the same VLANs and IP addresses. I want to access them all through a single Linux machine using stacked VLANs and network namespaces. Any recommendation for a cheap 1gig 10+ port switch which is capable of adding a second tag per ingress port and sending all packets to a single egress port? I already tested a TP-Link T2600G-18TS v2.0 but its "VLAN VPN" lets me add a second tag only for one egress port. Please see the attached drawing. Thanks in advance!



How to connect to multiple customer network environments using a single solution?

Hey folks, I need a solution suggestion here. I work as a network admin in an IT company supporting multiple projects which have their own VPNs. It's really difficult to connect/disconnect from VPNs to troubleshoot issues. Is there any unified solution to solve this?

I thought of a few solutions:

1. Build an IPsec tunnel between our organization's firewall and the rest of the customer firewalls, and then connect to our organization's firewalls through a VPN solution.
2. Take a cloud desktop solution like Azure Virtual Desktop and allow network access to other environments.

Hoping for good solutions



Wifi Antenna receiver

Hello,

i am looking for the following solution.

My home building and my office building are literally 300 feet distance from one another. There is a small difference in the height of the floors but it is not significant. There are a few high trees between the buildings that are literally blocking the two floors from eyesight; not sure if this will affect the wifi signal.

Anyways, I am looking for the following solution. Is there a wifi antenna good enough so I can connect to my office internet from home? As I said, the distance is around 300 feet. I can't place an extender in my office so this is out of the question; I am looking for an antenna receiver placed in my home. I looked on Amazon and there are some receivers in the $200-300 range, but the reviews are mixed.

What worries me is that these antennas might be working for the countryside, but not for the town, because there are probably hundreds of other wifi networks in my home building, office building and the buildings around us. Do you think it will be impossible to reach exactly my office wifi with an antenna from my home? Do you have experience with any specific antenna? Can you recommend me something?

Thanks in advance



Friday, December 18, 2020

40Gb QSFP+ to 25Gb SFP28 adapters

Hello,

I currently have some 10Gb + 40Gb Arista/Dell switches, but I'm eventually planning to buy one of the newer UniFi switches (so either 10Gb + 25Gb, or 10/25Gb + 40/100Gb). I haven't bought my network cards yet, but I was thinking of just skipping 40Gb and getting 25Gb and using adapters until I upgrade my switches. Is that something that makes sense? Should I just get 40Gb cards and adapt them to 25Gb later if necessary? Let me know if I need to clarify more or if you have a better suggestion. Thanks.



Benefit of Segment Routing

Hi,

Could you explain to me what's the benefit of SR instead of RSVP?

I’m not sure to understand in which use case I should move from RSVP to SR.



802.1x wifi issues with vWLC and Windows NPS

Hi All,

I've sorted out about 90% of my 802.1x config with EAP-TLS for wifi, I have my NPS/CA/DC setup properly with policies and GPOs to push out machine and user certificates. The certificates are enrolling on both server and client but when I attempt to connect to Wifi I just get a message that it's unable to connect. I'm using a Cisco vWLC that I'm 99% sure is configured right, PEAP is working fine with it and the only other change between PEAP and EAP-TLS is one checkbox. I can't seem to find any logs on the client/server side that are telling me why it's unable to authenticate, I've probably got 15hrs in trying to get this working so far.



Anybody use dielectric grease in comm ports?

I have some equipment in "austere" conditions, and some of the ports are just wrecked with oxidation. The RJs aren't as bad as the comm ports or USB ports, but they're not great. Has anybody had functionality issues after just loading up the ports with dielectric grease?



Best practice for entering a single IP in CIDR notation (Mimecast)?

Mimecast is requiring the IP whitelisting to be entered in CIDR. If I want to enter just a single IP would I use n.n.n.n/0 or n.n.n.n/32? I've tried searching a few forums and can't find an exact answer because too many other results are coming up. I know this might be kind of simple but I'm a little green; can someone please help me out w/ this one?
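An added example (not from the original post) that makes the /0 versus /32 difference concrete: a small Python allowlist audit using the standard ipaddress module. The sample entries (documentation ranges) and the 256-address threshold are constructed for illustration.

```python
import ipaddress

# Maximum number of addresses one allowlist entry may cover before it is flagged.
# Constructed threshold for illustration; a single host is 1 address (/32 or /128).
MAX_HOSTS = 256


def parse_entry(entry):
    """Parse one allowlist entry written in CIDR form.

    A bare address (no "/") is treated as exactly one host. An entry such as
    203.0.113.5/0 is rejected: with a /0 prefix the host bits are set, and
    ipaddress refuses it in strict mode instead of silently widening it to
    0.0.0.0/0 (which would allowlist every address on the internet).
    """
    if "/" not in entry:
        addr = ipaddress.ip_address(entry)
        return ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")
    return ipaddress.ip_network(entry, strict=True)


def audit_allowlist(entries, max_hosts=MAX_HOSTS):
    """Return (accepted, problems) for a list of candidate CIDR entries.

    accepted: ip_network objects that are well-formed and narrow enough.
    problems: (entry, reason) pairs for malformed or overly broad entries.
    """
    accepted, problems = [], []
    for entry in entries:
        try:
            net = parse_entry(entry)
        except ValueError as exc:
            problems.append((entry, f"invalid: {exc}"))
            continue
        if net.num_addresses > max_hosts:
            problems.append((entry, f"too broad: covers {net.num_addresses} addresses"))
            continue
        accepted.append(net)
    return accepted, problems


if __name__ == "__main__":
    # Constructed sample entries, not a real allowlist.
    sample = ["203.0.113.5/32", "203.0.113.5", "203.0.113.5/0", "0.0.0.0/0", "198.51.100.0/24"]
    ok, bad = audit_allowlist(sample)
    print("accepted:", [str(n) for n in ok])
    print("problems:", bad)
```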



Is blocking outbound ports outdated strategy?

Hey,

Just curious, is blocking outbound ports an outdated strategy nowadays (restricting outbound ports to only what's needed)? Reading that most things just use HTTP/HTTPS anyway. Should I just be allowing all outbound traffic and just restricting a few, i.e. SMTP/SMB etc.?



BGP Blackholing Question

All of my ISPs offer a “blackholing” option for me to advertise IPs I want them to block from their routers. I’ve never used this before. JUST FOR CLARIFICATION...

When they provide this feature, it’s to black hole your own IPs (for whatever reason), correct? It’d seem odd / easy to abuse (intentionally or accidentally) to give a customer the ability to blackhole someone else’s IPs from their network.

What is a good use case for why someone would blackhole one of their own IPs?



Ports temp dropping on uplink 2960X

We have two 2960X 48 port gb switches daisy chained to each other, and one has an uplink to a core switch.

Connected to the switches are static PLCs, IOs and other manufacturing controllers. Everything works fine even if we lose the uplink because the devices just talk amongst themselves; we just lose monitoring capabilities. The problem happens when the uplink comes back online. Both switches' ports go blinking orange and drop all connections for about 10 seconds, causing tonnes of errors on our systems. It starts working again but the damage is done. Switches are set up as factory default. Why does this happen? Thx



Keep losing IP-address

Recently I've been disconnecting from my internet again and again due to having no IP address. When this happens I have to reset my computer, if not once then twice, or turn off my wifi again and again. This takes time and it is really bothering me.

This problem is only occurring on one of the PCs in the house. I have my settings on DHCP.

I don't know a lot about computers or anything like this, so it would really be a big help if someone could give me a solution.



Portable version of putty or any alternative

Hi, I would like a portable version of putty or any alternative that can run off my thumbdrive, but I need it to be 32-bit and compatible with Windows 7/XP.

Thank you



How does the router use IP, subnet mask and gateway information to establish a route to a host on another network?

So I understand how subnets are used to create domains so address spaces can be distributed efficiently. I understand how the subnet masks are used to declare which part of the IP represents the network ID. What I don't understand specifically is this: a router uses the network ID without a host ID to reach another router. How does that router know to which host the incoming packet should be sent? Somehow I have the feeling that I misunderstand something fundamental.

If the question is too complex to explain in comments, perhaps someone could show me the way to an easy-to-understand reference on this. If this post doesn't comply with sub rules, please forgive me.

Tl;dr : how does the destination router know which host a packet should be sent to?
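An added example (not from the original post) that walks a packet through two routers using longest-prefix match on a constructed topology, showing that the destination IP is never rewritten and that the last router finds the host because the destination falls inside one of its directly connected prefixes. The addresses, interface names and tables are constructed for illustration.

```python
import ipaddress

# Constructed two-router topology (not from the post):
#
#   LAN 192.168.1.0/24 -- eth0 [Router A] eth1 --10.0.0.0/30-- eth0 [Router B] eth1 -- LAN 172.16.5.0/24
#                                           .1              .2
#
# Each table row is (prefix, next_hop, interface). next_hop None means the
# prefix is directly connected: hosts in it are reached at layer 2 directly.
ROUTER_A = [
    ("192.168.1.0/24", None, "eth0"),
    ("10.0.0.0/30", None, "eth1"),
    ("172.16.5.0/24", "10.0.0.2", "eth1"),
    ("0.0.0.0/0", "10.0.0.2", "eth1"),
]
ROUTER_B = [
    ("10.0.0.0/30", None, "eth0"),
    ("172.16.5.0/24", None, "eth1"),
    ("192.168.1.0/24", "10.0.0.1", "eth0"),
]
# Which router owns each next-hop address on the inter-router link.
NEXT_HOP_OWNER = {"10.0.0.2": ("B", ROUTER_B), "10.0.0.1": ("A", ROUTER_A)}


def lookup(table, dest_ip):
    """Longest-prefix match: the most specific route whose network contains dest_ip."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def forward(name, table, dest_ip):
    """One forwarding decision. Returns (router, interface, layer-2 target address).

    The packet's destination IP is never rewritten. If the matched route is
    directly connected, the router resolves the destination host itself (ARP
    for dest_ip); otherwise it resolves the next-hop router and hands the
    packet to it, leaving the IP header alone.
    """
    match = lookup(table, dest_ip)
    if match is None:
        raise LookupError(f"{name}: no route to {dest_ip}")
    _, next_hop, iface = match
    return (name, iface, dest_ip if next_hop is None else next_hop)


def trace(dest_ip, max_hops=8):
    """Follow a packet from Router A hop by hop until a connected route delivers it."""
    name, table = "A", ROUTER_A
    path = []
    for _ in range(max_hops):
        hop = forward(name, table, dest_ip)
        path.append(hop)
        if hop[2] == dest_ip:          # connected route: delivered to the host itself
            return path
        name, table = NEXT_HOP_OWNER[hop[2]]
    raise RuntimeError("routing loop or path too long")


if __name__ == "__main__":
    for hop in trace("172.16.5.20"):
        print(hop)
```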



Has anyone seen weird SFP/fiber issues with a Cisco 9300 switch in particular? Weird being link up, seeing packets in/out, spanning-tree good, but no MACs learned, no CDP, etc.

I've never seen anything like this before so I was wondering if any of you have. Off our core 9300-48UXM, one of the SFP ports with a GLC-LH-SMD in the network module just quit working, taking its access switch (2960) down. The weird part is the link status is up and not err-disabled, transceiver details all show signals within range, the interface shows packets in and out, CPU was fine, and spanning-tree on both sides shows no blocked ports.

However, CDP on the core switch didn't see the access switch, but the access switch could see the core switch. There were no MACs learned on the core switch, but the access switch was seeing MACs from the core.

Previously we had seen low RX power (-23.5dBm) on the core switch SFP port. Ended up testing the entire run and replaced all SFPs and cables, which we thought fixed it when the power went up to -6dBm. Access switch transceiver stats looked fine. Then the exact same problem happened yesterday so, in the interest of time, we replaced the access switch with a 9200. The link came up for a minute or two on the core, then went back into the same state described above.

We went back to the core switch side and moved the SFP to another port on the same network module. This time the link came up and stayed up, but the core switch transceiver RX power went back down from -6 to -23.5dBm. I'm not sure what to think in this case and there are so many questions. Why did moving the SFP to another port cause such a drastic loss in RX power on the core switch side? We handled it very gingerly and it was a new cable. Why did the link become stable at low power, but suddenly give up when everything was good at -6dBm? Why was the core not learning MACs when we were clearly seeing packets in/out in the interface counters? Etc, etc. Was hoping someone here has run into something similar and has some insight.



How common is it to see input pause on interfaces connected to an AP?

Hello,

We have a number of Meraki APs connected to 2960X switches. All pretty standard: 1gbps trunk ports on the switches, a couple of SSIDs broadcasting on the APs and not many (currently 0) clients connected to the AP.

I've read that the input pause counter is the interface sending pause messages to the connected devices to wait before transmitting to allow the switch to clear its queue/buffer. Given that this interface is not likely to be oversubscribed, why would the input pause counter be increasing?

I can't see anything else of concern on the interface, but we get complaints about WiFi now and then and I'd like to ensure that any underlying issues are ironed out.

Is it normal to see input pause counters increment on trunk ports connected to access points? I reset the counters shortly before posting this.

thanks

  Description: Link to Meraki AP
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:58, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:19:14
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 7.0 kilobits , 3 pps
  5 minute output rate 73.0 kilobits , 39 pps
     2,970 packets input, 1,514,845 bytes, 0 no buffer
     Received 370 broadcasts (332 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 332 multicast, 13,502 pause input
     0 input packets with dribble condition detected
     62,076 packets output, 25,874,223 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out



Help to source an ethernet switch.

I've been working on some AV buildouts, and one of my projects requires a built-in ethernet switch.

I thought my Netgear 5 port would do the trick, but the 1.1-inch height is too much. I even took the rubber feet off and I'm like millimeters over my required clearance.

Does anyone know of an ethernet switch that is 12v DC powered that can fit in a .9 inch space? width and depth, not an issue, have 6 long and 5 deep. I really don't want to custom make a PCB for this.

Height on my GS105 is 27mm, so shorter than 23mm for you metric bunch.



Dynamic DNS Records on a LAN

When do clients provide dynamic DNS entries to a local DNS server? Does the server request a record from the client, or can a client be configured to provide its records automatically on connection to the network? Or is it manually triggered client-side by a user action (running nsupdate or an automated script, etc.)?



Thursday, December 17, 2020

Restructuring Network and Making Topologies

I am a new staff in my office and apparently, the network connection is so slow and the network structure is a mess.

To make it simple, I wanted to identify which port goes to what hostname in a specified switch so later I could make a proper topology and mapping.
I already set my switches' SNMP enabled (mostly Aruba and Dell) and connected them to Cacti.
Yet I still don't know how to identify which port goes to what hostname in a specified switch.

Am I going in the right direction? Should I change Cacti to Zabbix or PandoraFMS?



Help Interpreting this PingPlotter chart?

I've been dealing with lag spikes in games over the past few days and have been pulling my hair out trying to figure out why. I know I'll be told to use an ethernet cable but that is not an option in my home at this time.

While the average latency seems acceptable in most cases, I do get extraordinarily random spikes every few seconds.

Chart here: https://imgur.com/a/D9udVg9

Any thoughts on how I can combat these ping spikes? I've reached out to Spectrum to get a new modem shipped to the house, hoping that might solve the issue. But looking to see if anybody else has any ideas?



Frames and IP Addresses

Feel a bit silly for asking this because I feel it might be obvious.

Do Ethernet frames always contain src/dst IP addresses or only when needed? And when a src/dst IP address is added it gets encapsulated before the frame header correct?

I ask because I started learning about overlay protocols like OTV and VXLAN where I keep imagining the frame that already contains a src/dst IP address is then encapsulated by yet another IP header with a src/dst IP address.

Just bugging me is all and surprisingly tough to find a clear answer on this. Thanks for your patience.
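An added example (not from the original post) that builds a constructed tenant Ethernet frame carrying its own IPv4 header, then wraps it in the outer Ethernet/IPv4/UDP/VXLAN headers a VTEP would add, and strips them again. The MAC addresses, tenant and VTEP IPs and VNI are constructed for illustration; the header layouts follow the IPv4 and VXLAN specifications.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN port
VXLAN_FLAG_I = 0x08     # "valid VNI" flag bit in the VXLAN header
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ethernet_header(dst_mac, src_mac, ethertype):
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype)


def ipv4_header(src_ip, dst_ip, proto, payload_len, ttl=64):
    """20-byte IPv4 header with no options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_inner_frame():
    """Constructed tenant frame: Ethernet + IPv4 header + 20 placeholder payload bytes."""
    payload = b"\x00" * 20
    return (ethernet_header("00:00:5e:00:53:02", "00:00:5e:00:53:01", ETHERTYPE_IPV4)
            + ipv4_header("192.168.10.11", "192.168.10.22", 6, len(payload))
            + payload)


def vxlan_encapsulate(inner_frame, vni, src_mac, dst_mac, src_vtep, dst_vtep):
    """Wrap a complete Ethernet frame in outer Ethernet/IPv4/UDP/VXLAN (50 bytes).

    The inner frame, inner IP header included, is carried untouched as payload;
    the outer IP addresses are the VTEPs, not the tenant hosts.
    """
    vxlan = struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00\x00\x00", vni << 8)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)  # UDP checksum 0 = omitted
    return (ethernet_header(dst_mac, src_mac, ETHERTYPE_IPV4)
            + ipv4_header(src_vtep, dst_vtep, IPPROTO_UDP, udp_len)
            + udp + vxlan + inner_frame)


def vxlan_decapsulate(frame):
    """Validate the outer headers and return (vni, inner_frame)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    outer_ip = frame[14:14 + ihl]
    if ipv4_checksum(outer_ip) != 0:            # a valid header sums to zero
        raise ValueError("bad outer IPv4 checksum")
    if outer_ip[9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    udp_off = 14 + ihl
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    if dst_port != VXLAN_UDP_PORT or udp_len != len(frame) - udp_off:
        raise ValueError("not a VXLAN datagram")
    vx_off = udp_off + 8
    flags, _, vni_field = struct.unpack("!B3sI", frame[vx_off:vx_off + 8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, frame[vx_off + 8:]


if __name__ == "__main__":
    inner = build_inner_frame()
    outer = vxlan_encapsulate(inner, 5000, "00:00:5e:00:53:aa", "00:00:5e:00:53:bb",
                              "10.0.0.1", "10.0.0.2")
    print(f"inner {len(inner)} bytes, outer {len(outer)} bytes, overhead {len(outer) - len(inner)}")
    print("recovered VNI and frame match:", vxlan_decapsulate(outer) == (5000, inner))
```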



Researchers Find Way to Steal Data through Wi-Fi from a Computer with No Dedicated Wi-Fi Hardware

TLDR: They basically force DDR SDRAM buses to generate a signal at 2.4GHz. Presumably this means you need to gain access to the original air-gapped system first to install malware somehow? Like a compromised firmware update?

https://www.bitdefender.com/box/blog/iot-news/researchers-find-way-steal-data-wi-fi-computer-no-dedicated-wi-fi-hardware



My switch makes everything break?

I’ll attempt to be as brief as possible. I’m on staff at a church directing all things tech. My original trade is sound engineering, but these days much more falls on my plate. Today it’s our network.

Setup/flow:

Modem -> Switch

Switch feeds a wireless router that is mostly used for wireless control of various systems through iPad apps.

3 iMacs are also connected to the switch for live streaming purposes. 1 runs OBS, one runs ProPresenter (which then connects back to the OBS iMac for NDI video output), and 1 runs lighting.

Everything has always worked fine, outside of constant issues with Cox. We lease a building on another church's property and have always just used a split from their network for ours. We got tired of this, and today had Cox come out and set us up with our own drop and modem.

Now things don’t work like they did. It seems my switch has decided to make things not work. Anything connected to the switch gives me a “self assigned IP address” issue and doesn’t connect to the internet. If I take the switch out and just use the router for all connections, everything works fine.

Why would the switch be doing this, and what can I do to fix it? I’ve googled endlessly and can’t find a solution. We are using:

NETGEAR 8-Port Gigabit Ethernet Unmanaged Switch (GS108) - Desktop, and ProSAFE Limited Lifetime Protection https://www.amazon.com/dp/B00MPVR50A/ref=cm_sw_r_cp_api_glc_fabc_aAb3FbJ8CP3JW?_encoding=UTF8&psc=1

Is there a different switch I should try?

Thanks for any help.



Fiber to outbuilding - Can I combine two cables?

Newbie here. Building a new house. I have a shop about 300 ft away from the house, out of line of sight. I was going to buy a preterminated single mode fiber cable to run to the shop. My initial plan was to bring it inside the house via conduit, then convert to copper to take it the rest of the way (130ft) to the central wiring location.

However, I now realize I don't have anywhere inside to convert (nowhere inside at the demarc location to bring wire in; it will go immediately up the wall to the attic). So I am wondering: is there a way to use an LC/LC coupler to connect two cables together, so I can make a run from the shop to the house, then in the attic connect it to another to run it to the central wiring closet and there convert to copper at the modem? Splicing two together sounds way outside of my skill level, and I don't know how practical one long run would be (130 ft in the house and then 330 ft underground in conduit?).

Thanks for any help!



Cannot reach private IPs beyond ASA in site-site VPN tunnel - advice appreciated!

Hi all,

I was wondering if someone with more ASA experience than me could help with a problem I'm having with a crypto-map based site-site vpn between this ASA 5520 and a Palo Alto PA-220. The ASA is the side closer to me and the PA is in a remote site. An interface within the encryption domain/Proxy ID on the Palo Alto can reach an internal (the "inside") interface of my ASA. However, it can't reach anything past the ASA, which it should by routing through the inside interface. I'm not sure what's wrong but I think I'm missing something on the ASA side. It's pretty basic config and I've pasted it below (with no sensitive IPs/information).

(crypto map is already applied to outside interface)

I would appreciate any help or tips on things to check/make sure of.

access-list crypto_map_100 line 1 extended permit ip 10.0.0.0 255.0.0.0 10.109.100.0 255.255.252.0
!
access-list crypto_map_100 line 2 extended permit ip 172.21.0.0 255.255.128.0 10.109.100.0 255.255.252.0
!
crypto map outside_map 100 match address crypto_map_100
crypto map outside_map 100 set peer x.x.x.x
crypto map outside_map 100 set ikev1 transform-set [transform-set]
crypto map outside_map 100 set reverse-route
!
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
 vpn-tunnel-protocol ikev1
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy GroupPolicy_x.x.x.x
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
!
crypto ikev1 policy 100
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



PHPIPAM cron jobs only scanning one subnet

Header says it all. I've 4 vlans with 4 different subnets. I've also cron jobs set up to run the discovery and ping scripts every 15 minutes, but they only scan the first vlan/subnet I added in. This occurs when manually running as well.

Cron jobs are running as root. Subnets are all marked to discover new hosts.

Ping not reporting back to PHPIPAM correctly either (just noticed all my hosts are "down").

TIA



How much of TCP/UDP do I need to know?

I'm currently taking the Google IT Support class on Coursera. I'm curious how much of this I actually need to "know" offhand. I am in the networking section right now, which I am struggling with, specifically with TCP and UDP. I mean, I get the concept, but not necessarily how it applies IRL. A lot of this I feel like is that I am just watching videos of the instructor explaining things, rather than "doing" and actually applying fundamentals. So, that said, should I be beating myself up for not knowing half of this offhand after watching it?

The subnetting section was _hard_. After watching some videos, I understood it a little better, still a ways to go, but that had a practical quiz & exercise at the end that kept it interesting. This other stuff, I'm just not "getting".



IPSec Network. Question about mtu.

Hello awesome community,

Since I am a network noob, I was wondering: since it is recommended to lower the MTU on tunnels over IPsec to avoid packet fragmentation, should one also lower the LAN side's MTU and all the devices' MTU, or just leave them at the default 1500?

I am really confused about that part, and googling didn't really help me. Any opinion with a small explanation will be greatly appreciated.



DMVPN VS FLEXVPN

Hello everyone,

I am hoping to gain some insight on dealing with an issue that keeps popping up for me.

TLDR: what are the current key differences between DMVPN and FlexVPN? And pros and cons?

Background: I joined an IT team a few months ago and right after I joined the team, the other guy left the company.

I literally had no Cisco experience (my background revolves around telecommunications installs, with a smattering of all types of IT work) when I started, and have come a long way since then, but an issue keeps rearing its head.

The below link explains the issue I am dealing with.

https://www.trueneutral.eu/2017/dmvpn-mobile-blues.html

At the bottom of the article it says that FlexVPN does not experience the issue, so I am exploring the option of switching over.

Thanks for your help in advance.



Network Heat Map Tool

Hi everyone,

I'm looking for a network heat mapping tool without any associated costs. The pandemic has left us with an overly-gutted budget and we're experiencing some wireless issues.

Does anyone have any recommendations for this? There are some that are nice where you can ingest your floor plan and APs to get a more detailed picture. That would be ideal, but I know I won't get that for free.



Book Recommendations: History of the Internet

I’m looking for an easy-to-read book for a gift which would talk about the inception and/or early days of the Internet for a history fan. I’m a network guy, this person is a fan of 20th century history, especially as it relates to engineering feats such as aircraft. I feel like there’s room for a book we could both enjoy reading and discussing together. Anyone here have any recommendations?



Just passing by, quick question...

Hey guys,

I'm sorry to hit you with what probably seems like a simple question, so please forgive me in advance;

I'm looking at providers such as Cox, GTT, Cogent for the IP Transit service that they provide. The biggest disconnect that I'm having is the 'cross-connect' aspect of it. Do I have to already have my own rack/system in place somewhere personally, or could they cross-connect to a server I have, let's say out of Hivelocity or OVH Cloud?

I'm sorry if this doesn't even make sense. I've been running around the questions so much that it's getting scrambled.

Thanks again guys.



What does redirect mean in Iptables?

In

iptables -t nat -A OUTPUT -p tcp --dport 8080 -j REDIRECT 

It supposedly redirects traffic to an application running on port 8080. But it redirects from what?



Need advice on providing file upload proof

I would like to ask you for advice. This is what happened: There was a corporate competition where a file submission was the entry requirement. There was a website set up where the file could be uploaded until a deadline. We have uploaded the file. Got a "thank you for your submission" popup. Unfortunately there was no confirmation email and we did not take a screenshot of the thank you popup. Now the stakeholders say we never submitted the file. Is there a simple way to provide proof that the file was sent from our end?



Not a flat network, but - whaddaya call a network where traffic isn't limited by ACL/rule/port etc?

I've got a client with tons of vlans but not much in the way of rules limiting traffic flow by port/protocol. The single firewall is monolithic. So basically traffic is limited by vlan, but not by protocol. Is there a term for this?



Port security not activating (Cisco)

Hello r/networking !

Ran into a curious issue, just wanted to make sure that my understanding of it was solid, and possibly get a more authoritative answer/documentation.

I have 2 network switches that were erroneously connected together.

  • The switches were both the same model (3750X)
  • The switches were both connected via an access port (not trunk ports)
  • The switches were both configured with different VLANs
    • Switch 1 used VLAN 25
    • Switch 2 used VLAN 27
  • The switches did NOT have the same VLANs in their configuration
    • I.E. Switch 1 did not have VLAN 27, Switch 2 did not have VLAN 25
  • The ports were configured as follows:
    • Switch 1
      • switchport access vlan 25
      • switchport nonegotiate
      • switchport port-security mac-address sticky
      • switchport port-security mac-address sticky 1111.1111.1111
      • speed 100
      • duplex full
      • spanning-tree portfast
      • spanning-tree bpduguard enable
    • Switch 2
      • switchport access vlan 27
      • switchport nonegotiate
      • switchport port-security mac-address sticky
      • switchport port-security mac-address sticky 2222.2222.2222
      • speed 100
      • duplex full
      • spanning-tree portfast
      • spanning-tree bpduguard enable

When the switches were connected, I would expect that port-security would have tripped and shut down both ports, but it did not. I assume this is because they were on separate VLANs, and did not actually pass any traffic aside from identifying the incoming/outgoing VLAN.

Any assistance in verifying this would be greatly appreciated!



Goodbye, Sonicwall

Well, I am throwing in the towel. With pandemic remote work up, we've had several capacity issues with VPN/bandwidth/random disconnects, and given that our Sonicwall NSA 2600 was slow with regards to the management interface and often had CPU >50% use, we thought upgrading it to a 3650 would help some of these problems. Well, it didn't; many of the issues persist, particularly the management interface becoming terribly slow & unresponsive, and working with SW tech support gave us conflicting configuration settings nearly every call as they attempted to throw things and hope they stuck. Well, we are done. I'm looking at getting a couple of test units from Palo Alto and Fortinet and changing vendors.

Edit: apparently not as easy as I thought to revert our licenses back to our old 2600. No options for reverting an upgrade, let that be a warning to anyone else, once you push an upgrade you are hosed.



Interesting Discussion I'd like some opinions on in regards to a VPN solution

So I'm going to be vague on some parts of this in regards to the actual implementation.

The objective is that we have a remote side operator who needs a very secure method of connecting to the server housing a controls system. Currently we have an ASA configured to administer a client VPN that only allows the specific subnet traffic across the VPN and the rest out of the client's NIC.

In discussing this solution we then proposed if a remote side Firewall packaged with the remote computer and a site to site connection would be a better solution? And if we did do that would it be better to have a remote firewall not in the site to site but a very restrictive ACL and the client using the Client VPN, or would it be better to get rid of the client VPN and just use the site to site to the router? I honestly don't know the answers to these questions, and of course reaching out to see if anyone here does.



Buying /24 subnet from an IP broker

Hey guys,

Our company is thinking of buying a /24 subnet from an IP broker since the datacenter company where we rent our dedicated servers can no longer provide us IP ranges.

Does someone know the process involved in this? I have registered an account on ipv4.global but I'm uncertain how the IPs are delivered and what needs to be done for our datacenter to allocate these IPs to us. I asked our datacenter and this is what they said:

"We can advertise your IPv4 ranges on our ASN. If you have your own ASN, we can also announce the ranges. Do you wish for us to advertise or announce your IP ranges?"

Do I need to own an ASN? What is the difference?

Any help will be highly appreciated!

Thanks and stay safe!



Site intermittently unavailable - pcaps included

A couple weeks ago, we had an issue where a website on the Internet that users had been using for quite a while suddenly was inaccessible.

After a bit of troubleshooting, checking firewall logs and looking at the pcap, I couldn't see anything that might be causing the issue, so I pushed the traffic over to our secondary datacenter (different firewall and Internet) as a workaround. The site worked fine for users for a couple of weeks after that. Thinking I would get back to it later, I never touched it the last couple of weeks. Well, yesterday the same issue came up, so I removed the change I made and started pushing the traffic back over the primary DC firewall/Internet. After that change, the site was again accessible.

I have pcaps but I don't see anything that might be causing the issue.

Any ideas?

First pcap (site not working)

https://drive.google.com/file/d/1RGNjueEdBSrteHW3_2HXsFpOphqXDJ5j/view?usp=sharing

Second pcap (site working)

https://drive.google.com/file/d/1P9wFjHN6K_uuWJb63fByO1hsAiucwryw/view?usp=sharing



Transit Vlan

I am trying to understand how there is a difference between a Transit Vlan and Inter-Vlan routing?

https://community.meraki.com/t5/image/serverpage/image-id/13731iB3FF5238FA4FE7F3/image-size/large?v=1.0&px=999

Based on this image I found on google, it comes across to me like it's just another way of saying we are routing within our local network via IGRP's. I am notoriously bad for interpreting terminology differences among different people.

Example: I learn a default route being called a gateway of last resort, and it took me a while to understand what people were referring to when they said default route.



Everything slow after adding a UniFi switch

I added a UniFi switch to one of our sites last week and now we are having network issues across all devices. The rest of the network is made up of Ciscos, Netgears, and Junipers. Is there any way adding a single switch could impact the entire network?



Multiple tunnels with same source interface. Any weight to the scary "potential forwarding issues" warning the router gives you?

I'm designing a network with a need for a bunch of tunnels. When you configure multiple tunnels with the same source interface, it gives you a warning. "This configuration has the potential to introduce forwarding issues." Does anybody have any real-world or theoretical knowledge of the risk of forwarding issues? Everything works fine in my labs.



Free / Open Source network inventory software?

Hi all,

Does anybody have any recommendations on some free or open source network inventory tools? I have used LanSweeper in the past; it seemed to do everything I needed. I gave it a subnet, told it to 'scan', and I'm assuming it did a mixture of ping sweep, SNMP and other Windows-based stuff to detect assets.

At the very least I'm after something that will give me an inventory of 'live' IP addresses and MAC addresses. Any additional info (device type etc.) would be beneficial as well.

Thanks in advance



Proxy IP

Hello

I want to buy a /24 IP block and rent out the individual IPs and would like to know what I would need. How would I set up a VPS to host the block?



Wednesday, December 16, 2020

Vpn taking out network?

I have an issue I can't find much about.

I noticed that when my work VPN disconnects for whatever reason, and tries reconnecting, it takes out my whole network.

I know it's not the other way around (i.e. the network disconnecting takes out my VPN) because when I unplug my work computer, all other computers start working again. If I plug it back in and it still can't connect, it takes the network out again.

I'm totally confused as to what's going on and how or why it would happen. Anyone have any idea?

I tried 2 different routers so it shouldn't be that, and all lights on my modem look good (and again, it works fine the moment I disconnect the work computer).



Upgrading fiber

We’re building out in a couple of years and I was wondering if it’s possible to upgrade our underground fiber while keeping the old stuff. Basically I’m thinking the new building will have om5(?) connected to our 20+ yo cabling. Will that work? If so, will the added cost be worth it? TIA



Sensitive Network Device Dropping Off the Network

We have a piece of old school video gear that has been dropping off our network recently. Basically the device has an old 100Mb NIC built-in and seems to be very sensitive to network conditions.

The current working theory is the increased number of ARP broadcasts on our network being too much for the device's poor quality NIC to handle.

Question: Enabling storm control on the device's switchport wouldn't help here since it only works on ingress traffic, right? Storm control would need it to work on egress from switch > my device which isn't a thing as far as I'm aware.

Looking at some network graphs today we noticed that since our firewall upgrade we are seeing a lot more ARP traffic on the network. My theory is that upgrading our firewalls (about a month ago) caused many DHCP leases to expire and therefore many devices are still trying to reach the old IPs.

I've run Wireshark captures and can start to go device to device and attempt to suppress the storms manually, but I'm wondering if anyone else has any tips or tricks to deal with old/sensitive network devices?

Thanks!



Cisco to Huawei EVPN-VPWS

Has anyone ever had any success trying to get EVPN-VPWS up and passing traffic between XR and Huawei (specifically VRP software; I've tried a few versions so far in case it was a version issue)?

I'm not too sure how much detail I should share since the configuration is fairly straight forward as long as the underlying MPLS is working as expected no matter the protocol(s) used for the LSPs. In my case I have tried both LDP and Segment Routing (which I have managed to get working between the specific vendor implementation, cisco to cisco and huawei to huawei -> These both work, control plane and data plane).

Huawei support is a bit useless (sorry Huawei) and I'm not too sure if Cisco TAC would take a look at an issue like this (which I don't blame them, correct me if I'm wrong). I am receiving everything I expect within the control plane of BGP (evpn auto discovery route, labels received, RD/RT, traffic is even passing on the cisco side under the xconnect details)

Topology is pretty much 4 routers:

EVPN-R1 -------- P router --------- P router -------- EVPN-R2, where P routers only care about the transport label

Huawei config:

```
evpn vpn-instance 100 vpws
 route-distinguisher 192.0.2.1:100
 vpn-target 65530:100 export-extcommunity
 vpn-target 65530:100 import-extcommunity

evpl instance 1 mpls-mode
 evpn binding vpn-instance 100
 local-service-id 10 remote-service-id 12

interface GigabitEthernet0/2/1.567
 encapsulation dot1q vid 567
 evpl instance 1
```

Haven't provided XR config since it's quite straight forward, xconnect group with evi instance along with the subinterface assigned to the group. I'm just focusing on single-homed atm so I'm not configuring any ESI or doing any fancy stuff with bundles/lags.

I notice one difference when I do a Huawei to Huawei EVPN-VPWS config, an extra Extended Community is sent in the BGP update containing EVPN L2 Attributes:

Ext-Community: RT <65530 : 100>, EVPN L2 Attributes <MTU:1500 C:0 P:1 B:0>

I gave up early hours of the morning and wanted to see if a simple EVPN with bridge-domain would work and behold, I was receiving MAC routes via BGP and everything was working perfectly fine so it makes me think either some configuration missing on the Cisco/Huawei side, or Huawei just derps with interoperability for EVPN-VPWS.

I'm back at it again now and would like to some day rest at ease so I reach out to the wonderful reddit community ;) I don't mind providing more output for troubleshooting purpose but I think this post is more towards "have you seen this/done this and does EVPN-VPWS work between Cisco and Huawei".



Sec+ voucher for sale!

CompTIA Security+ Vouchers

Hi all, I just took and passed Net+ & Sec+ that my employer ended up paying for. I have an extra Security+ SY0-501 / SY0-601 voucher I am willing to sell for $250. Cost from CompTIA is $349. This saves you a total of $100. Expiration is 12/07/2021 for both vouchers; however, I'm sure you'd want to take the test sooner! Let me know!



netflow analysis

So last week I decided to analyze netflow output from my routers and firewalls because I am working on a network refresh project. I installed SolarWinds Orion (latest version before the HF2 patch) and 2 days ago, well...I shutdown the server and deleted the VM without thinking twice.

The server has only been running for 2 days, I don't see any issues for now.

Moving forward I still need to do Netflow analysis, and to be honest the Solarwinds software was in my opinion incredibly helpful and well designed. It took me a couple of hours to get everything setup and I was really digging the UI, and the logic made it so easy to follow conversations between endpoints and routing devices...

I have installed ManageEngine as a potential replacement but there is no comparison. I can't get anything from it as fast as I did with Orion, the interface sucks, I don't like it at all.

Do you guys recommend something? Would you run Orion HF2 at this point?



App to check for Wifi Roaming

I'm currently using 2 Meraki APs in my home, the MR32 and MR42. I think I have them configured for Wi-Fi roaming between clients.

Is there an iOS app or macOS based tool that can help me test the Wi-Fi roaming on my client devices? Devices are mainly iPhone/Mac/laptop (with no rights)/iPad.

Thanks for any help.



Layer 3 Switch Upgrade - School Environment

Hi everybody,

Just wanted to bounce some ideas off of some of you in regards to layer 3 switching upgrades. Background:

*Cisco shop

*Elementary school environment, about 500-600 users.

*Replacing Catalyst 3750Xs. Looking for way more SFP+ ports, not just a direct replacement.

*Collapsed core. Our L3s handle both routing and aggregate fiber directly from layer 2

*Biggest consideration is latency, getting users to their web apps as fast as possible. Internet circuits are at other sites, so we're carrying Internet-bound traffic to/from those sites over Metro E.

*Reliability and stability are more important than HA.

Some of our other buildings are using Nexus 3500-Xs at layer 3. I love the low latency and that's the option I'm leaning towards sticking with.

Any thoughts on the Catalyst 9500 series or Meraki 400 series? I know Cat4500s used to be the hot go-to for this use-case but I haven't gotten a chance to play with the 9500s yet. On the Meraki side, we're already Meraki at layer 2 and really don't need to do any advanced routing at the sites we're upgrading, just participate in the OSPF process. Or any other models you guys or gals really like?

Thanks!



New to enterprise networking equipment. Need advice setting up basic networking and choosing SFP.

So, I recently got my hands on a used Aruba 2920 and 2530 48-port switch. I was going to go with a simpler setup for our small office (20 employees) using just retail switches from TP-Link/Ubiquiti, but the deal I got was too good to pass up.

Basically, I'm trying to create separate VLANs for the different devices on the office network, like servers, desktops, IP Phones, CCTVs, APs etc. I've read through the Aruba documentation and it seems to be fairly easy to VLAN tag ports but I want to know what else I can do with these switches, considering they seem to run 10-20 times the prices of regular ones, what features do they offer that would help my setup.

Also, I'd like to use SFP ports to connect the two switches together and also some servers with 10GbE networking, and I'm so confused regarding what modules to use. There are so many different types and I'm overwhelmed.

Any advice would be greatly appreciated.



AnyConnect VPN with Microsoft NPS RADIUS and Azure MFA extension - Group Lock

Looking for some help I can't quite wrap my head around....sorry, it's a long story:

So we have Cisco FirePower FTD appliances for VPN headend, but we need to use Microsoft Azure for MFA. I have this all working via the Microsoft NPS RADIUS server and the Azure MFA extension for NPS.

However, the NPS extension has a caveat regarding RADIUS AVP data being returned during certain MFA scenarios: if your user uses SMS or App Code verification methods, the RADIUS attributes you have set up in the NPS policy are not returned to the VPN appliance.

This is a problem because I was trying to use Class 25 AVP to return the AnyConnect Group Policy I want the matching user to get.

So, now I think I need to create 2 separate VPN Connection Profiles (aka Tunnel Group), with each Profile getting the specific Group Policy applied as the default. My users will have to be trained to connect to the different profiles depending on the access they need.

But I need to configure FTD so that only certain users can login to each connection profile. I believe I can do this with something called "Group Lock", but this requires RADIUS AVP again, so I think I will just run into the caveat above again.

Is there some way I can lock a Connection Profile to specific user group, while also leveraging NPS Azure MFA extension? Does anybody have experience with this?



[Linux] What's the best (most efficient?) way to whitelist an IP on a particular bridge interface?

Let's say I have a router (Linux machine) with any number of interfaces attached to a bridge. The bridge interface is assigned the gateway address in a /24 network.

I want to assign the downstream users IPs from this /24, but there is no explicit trust in this relationship between the router/network admin and the downstream users. Therefore, if I allocate them a single IP, I need to prevent them from using 5, or from accidentally configuring the wrong one and causing problems for another user.

This router in question is just a Debian server, in a ROAS configuration, and we have the freedom to put each user in a VLAN, VRF, or whatever makes sense, to make this work.

My approach so far is to give each user a VLAN, trunk up to the Debian server, and attach all the VLAN interfaces on the server to a Linux bridge. Then I'll use ebtables to whitelist, based on the incoming/outgoing interface.

Is there a less shitty way? This isn't so bad really. Managing it all with Ansible makes it painless, but it seems inefficient and feels convoluted. I feel like I'm missing something easy/obvious.



Aruba CX (and in general) - Management Interface & Mgmt VRF and routing

Hey all - I've done a bunch of Googling and reading on this and I'm trying to wrap my head around management and VRFs. I understand what a VRF is - basically an isolated routing table. That said, I'm a bit confused regarding the management interface and management VRF, or basically curious about best-practices.

Let's go with the following setup:

Vlan 1 - Default
Vlan 2 - Mgmt

This switch is also acting as my inter-vlan router. As things sit, both vlans have vlan interfaces enabled and both in the default VRF, so given the proper gateway or routes, any computer on vlan 1 can interact with everything on vlan 2, and vice-versa. This is great for admin computers on vlan 1 to access management ports on vlan 2, but bad for security unless every management port has ACLs enabled.

If I put vlan 2 into the MGMT VRF, that disables all routing between vlan 1 and 2. Once that's done, what's the best method for providing access to a management vlan without a route? Dual-home the admin stations with tagging? (Won't work for VPN though, but I could use jumpboxes for that.)

Thanks!



ciscoconfparse 802.1x automation

I am working on automating 802.1x configurations for Cisco switches. I have been toying with this Python script. What I would like to do though is use the vlan_id in "switchport access vlan 10" as a variable to add to the command "authentication event server dead action authorize vlan 10". I don't want to have to worry about what access vlan is assigned to a port.

```python
from ciscoconfparse import CiscoConfParse

# Parse the saved running-config of the switch
parse = CiscoConfParse('h:/Scripts/Cisco_Python/10.220.151.1')

for intf in parse.find_objects(r'^interface.+?thernet'):
    is_switchport_access = intf.has_child_with(r'switchport access vlan 10')
    has_dot1x_pae_authenticator = intf.has_child_with(r'dot1x pae authenticator')
    # Only touch access ports on VLAN 10 that are not already running 802.1x.
    # The 'if' must sit inside the loop; outside it only the last interface is checked.
    if is_switchport_access and (not has_dot1x_pae_authenticator):
        intf.append_to_family(' device-tracking attach-policy ISE-DEVICE-TRACK-POL')
        intf.append_to_family(' authentication event server dead action authorize vlan 10')
        intf.append_to_family(' authentication event server dead action authorize voice')
        intf.append_to_family(' authentication host-mode multi-auth')
        intf.append_to_family(' authentication open')
        intf.append_to_family(' authentication order dot1x mab')
        intf.append_to_family(' authentication priority dot1x mab')
        intf.append_to_family(' authentication port-control auto')
        intf.append_to_family(' authentication periodic')
        intf.append_to_family(' authentication timer reauthenticate server')
        intf.append_to_family(' mab')
        intf.append_to_family(' dot1x pae authenticator')
        intf.append_to_family(' dot1x timeout tx-period 3')

## Write the new configuration
parse.save_as('h:/Scripts/Cisco_Python/10.220.151.1new')
```
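An added example (not the poster's script, and using only the standard library in place of ciscoconfparse) that captures each port's own access VLAN with a regex and substitutes it into the server-dead authorize command, skipping trunks and ports that already carry "dot1x pae authenticator"; the running-config excerpt and the block-splitting helper are constructed for this illustration.

```python
import re

# Constructed sample of an IOS running-config excerpt (not a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport access vlan 20
 switchport mode access
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport mode trunk
!
"""

INTF_RE = re.compile(r"^interface \S*[Ee]thernet\S*$")
ACCESS_VLAN_RE = re.compile(r"^\s*switchport access vlan (\d+)\s*$")
DOT1X_RE = re.compile(r"^\s*dot1x pae authenticator\s*$")


def dot1x_commands(vlan_id):
    """Per-port 802.1x/MAB template; the critical-auth VLAN comes from the
    port's own access VLAN instead of a hard-coded 10."""
    return [
        " device-tracking attach-policy ISE-DEVICE-TRACK-POL",
        f" authentication event server dead action authorize vlan {vlan_id}",
        " authentication event server dead action authorize voice",
        " authentication host-mode multi-auth",
        " authentication open",
        " authentication order dot1x mab",
        " authentication priority dot1x mab",
        " authentication port-control auto",
        " authentication periodic",
        " authentication timer reauthenticate server",
        " mab",
        " dot1x pae authenticator",
        " dot1x timeout tx-period 3",
    ]


def split_blocks(config_text):
    """Yield (header, children) for every top-level line of an IOS config;
    indented lines belong to the most recent unindented line."""
    header, children = None, []
    for line in config_text.splitlines():
        if line.startswith(" ") and header is not None:
            children.append(line)
            continue
        if header is not None:
            yield header, children
        header, children = line, []
    if header is not None:
        yield header, children


def access_vlan(children):
    """Return the access VLAN id of an interface block, or None if absent."""
    for line in children:
        m = ACCESS_VLAN_RE.match(line)
        if m:
            return m.group(1)
    return None


def add_dot1x(config_text):
    """Return (new_config, touched) where touched lists (interface, vlan) pairs.
    Only access ports without 'dot1x pae authenticator' are changed, so the
    function is idempotent when run again on its own output."""
    out, touched = [], []
    for header, children in split_blocks(config_text):
        out.append(header)
        out.extend(children)
        if not INTF_RE.match(header):
            continue
        vlan = access_vlan(children)
        if vlan is None or any(DOT1X_RE.match(c) for c in children):
            continue
        out.extend(dot1x_commands(vlan))
        touched.append((header.split()[1], vlan))
    return "\n".join(out) + "\n", touched


if __name__ == "__main__":
    new_cfg, changed = add_dot1x(SAMPLE_CONFIG)
    print(new_cfg)
    print("ports updated:", changed)
```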



802.1x vWLC issues with Android

Hi all,

I've been setting up 802.1x with my vWLC recently, doing some testing with both EAP-TLS and PEAP using Windows NPS. I can get computers to join the wireless network with no issues at all, but for some reason Android phones will not join. I connect to Wi-Fi, put in the username, password and domain, and the phone attempts to connect over and over. I don't get any logs on my Windows server; I do get excluded clients from too many attempts to authenticate on the WLC. I'm not sure if I'm doing something wrong on the NPS side; there isn't much more I can change on the Android side though.



Where to get MTP connector pins?

Need to do some gender changes on some connectors but can't seem to find the pins for love nor money. Successfully scavenged a couple out of some spare MTP-LC cassettes but that's not a sustainable approach. My google-fu is seriously lacking on this one!



Best open source for SolarWinds exploit details?

Hi all, what’s your go to for specifics regarding the SW exploit? How it works, mitigation suggestions, i.e. specific domains, files, IP spaces to quarantine/black hole.



Skills/knowledge network engineers should have

Hey guys, I tried searching but couldn’t find anything matching what I was looking for.

I’m starting a new job in March 2021, it’s an internal transfer to the senior network engineering team for the ISP I work for.

I’m vendor qualified in our hardware (Extreme Networks, Juniper JNCIS and Fortinet NSE7). I have about 3 years experience working daily on these vendor devices so not brain dump certs.

I’ve got a pretty decent knowledge of routing (mainly BGP, ISIS and MPLS), my switching and layer 2 knowledge isn’t bad, but not too great either, and firewalls I’m very comfortable with.

What should I look at learning to carry on growing within the field? I want to be able to hit the ground running without having to ask too many noob questions. I’ve been considering devops and automation (ie Python and Ansible) and the rest of the Juniper SP certs are required for my position.

I won’t really be dealing with cloud solutions as we have dedicated teams for cloud, voice and data.

Thanks in advance.



How do I manually determine if Fiber Readings are within spec for SFPs?

Hello Networking,

I'm new to networking so I apologize if this is a rudimentary question but I haven't taken any fiber schooling. I just passed my CCNA a few months ago and was hired for an entry level NOC position. Recently, I was tasked with installing a redundant MPLS-TP system for a customer and the devices will be running on fiber (10Gb Base-LR and 1000 Base-LX).

Unfortunately, this is my first time speccing out backhaul fiber (mainly deal with short range fiber links) and I feel a bit dumb in this aspect.

Do you have any references on how I can determine if the fiber loss on the backhaul link is within spec of fiber sfp threshold? For example:

The 10Gb SFP specs are:
Minimum Output Power: -8.2 dBm
Maximum Output Power: 0.5 dBm
Receiver Sensitivity: -12.6 dBm
Receiver Overload: 0.5 dBm

If, say, the backhaul link readings are:
1310: 13.26 dB / 27.1 dBm
1510: 13.29 dB / 27.18 dBm

How do I determine if these readings along with my fiber sfp specs are within threshold?

I'm used to just checking the threshold specs on the Juniper or Cisco devices to see if the fiber is within spec but the device I've provisioned doesn't have this feature and so I will need to do this manually.

I appreciate any help or references you can provide.

Thanks again.
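An added worked example (not from the post) of the manual check asked about: a link-budget calculator that takes the transceiver limits and the measured loss per wavelength quoted above and reports worst-case and best-case received power against sensitivity and overload. The 3 dB design margin is an assumption, and the "27.1 dBm" figures are not used because the post does not say what they measure.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SfpSpec:
    """Optical limits of a transceiver, all in dBm."""
    tx_min_dbm: float        # minimum launch power
    tx_max_dbm: float        # maximum launch power
    rx_sens_dbm: float       # receiver sensitivity (weakest signal still decoded)
    rx_overload_dbm: float   # receiver overload (strongest signal tolerated)


# Values quoted in the question for the 10G LR transceiver.
LR_10G = SfpSpec(tx_min_dbm=-8.2, tx_max_dbm=0.5,
                 rx_sens_dbm=-12.6, rx_overload_dbm=0.5)

# Measured end-to-end loss per wavelength, as quoted in the question (dB).
BACKHAUL_LOSS_DB = {"1310": 13.26, "1510": 13.29}


def link_budget(spec, link_loss_db, margin_db=3.0):
    """Check one link against one transceiver spec.

    Worst case uses the weakest permitted transmitter, best case the
    strongest; margin_db is an assumed design safety margin reserved for
    connector aging, extra splices and temperature drift.
    """
    rx_worst = spec.tx_min_dbm - link_loss_db
    rx_best = spec.tx_max_dbm - link_loss_db
    margin = rx_worst - spec.rx_sens_dbm
    return {
        "rx_worst_dbm": round(rx_worst, 2),
        "rx_best_dbm": round(rx_best, 2),
        "margin_db": round(margin, 2),
        # usable loss budget for this SFP once the safety margin is reserved
        "max_loss_db": round(spec.tx_min_dbm - spec.rx_sens_dbm - margin_db, 2),
        "too_weak": margin < margin_db,
        "too_strong": rx_best > spec.rx_overload_dbm,
    }


def verdict(spec, link_loss_db, margin_db=3.0):
    """Return 'OK', 'TOO WEAK' or 'TOO STRONG' for a link at the given loss."""
    r = link_budget(spec, link_loss_db, margin_db)
    if r["too_weak"]:
        return "TOO WEAK"
    if r["too_strong"]:
        return "TOO STRONG"
    return "OK"


if __name__ == "__main__":
    for wavelength, loss in BACKHAUL_LOSS_DB.items():
        r = link_budget(LR_10G, loss)
        print(f"{wavelength} nm: loss {loss} dB -> rx {r['rx_worst_dbm']}.."
              f"{r['rx_best_dbm']} dBm, margin {r['margin_db']} dB, "
              f"max loss {r['max_loss_db']} dB: {verdict(LR_10G, loss)}")
```

With the transceiver limits quoted in the post the usable budget after the margin is only 1.4 dB, so both loss readings come out as TOO WEAK; a 1000BASE-LX module would need its own SfpSpec from its datasheet.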



Recommended Version for Junos Space and Network Director

Hello,

Juniper has the link for the Junos recommended version which covers SRX, EX, etc.

Link: https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476&actp=METADATA

However, I need to know what is the recommended version for Junos Space and Network Director.

Can someone guide me or share a link in regards?

Thanks in advance.



Tuesday, December 15, 2020

So - with Solarwinds Vulnerability in the wild, how boned is your IT team?

Just wondering how this affects others.

I set up Solarwinds previously at a former employer, but it was not complicated (single server, all Cisco gear).

My current employer has multiple pollers, multiple SQL databases, etc.

I am NOT volunteering to rebuild my current employer's system, by ANY possibility.

Are y'all using something in the interim? Are y'all just installing the update from SW and hoping that fixes everything? Or are y'all wiping the past, building new VMs, installing the new updated/patched software and running from scratch?



Only one jack works with DSL

I need to move my router to another room. Only one jack in the house works with DSL. The other jacks are working because I get a dial tone. My phone company charges too much for me to have them come out right now. Any ideas?



WiFi Pen Testing

Does anyone here have any prior experience with WiFi pen testing? Who did you hire to do your pen testing? What was that experience like? Lessons learned?



What metrics would you use to figure out if your server is receiving too much traffic?

How can I monitor traffic coming to the server an application is hosted on? What would I use? OS?

I got this question in an interview recently and the only thing I could think of was AWS CloudWatch Logs. Very new to this.



X-Piper-ID for Verizon http?

Anyone know what exactly the header “x-Piper-ID” is that Verizon used to (or still does??) inject into HTTP headers? It says in a link it’s a random 10-digit identifier; anyone know if it’s connected back to the subscriber or if it changes after a certain amount of time?

https://www.ftc.gov/system/files/documents/public_comments/2015/09/00008-97486.pdf



Cisco Learning Space Website Not Secure?

Last night and tonight I've gotten this page after going to learningspace.cisco.com and going through the login portal. It says secure on the learningspace site once I'm logged in though... Is anyone else getting this?

https://i.imgur.com/g83ocp7.png



Can I send digital signals between two routers in this scenario?

Maybe this isn’t the best sub and I don’t know much about these topics (I don’t do PLC) but here’s my dilemma:

I need to bump some motors for I/O checkout. I have to send the signals from one control panel to another 500 ft away. I was going to run an Ethernet cable with a switch between the two panels, but that’s not allowed.

Now I’m thinking that maybe I could buy 3 routers, hook one up to the main panel, one at the second panel, and another halfway as a sort of repeater or relay to send these signals wirelessly.

Could this work? If so, what are some challenges and considerations come to mind for you?

Thank you.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Enterprise Router to connect to ISP Router (10GB Fiber) and 5x 48 port switches?

For this lab at school I need to propose an enterprise router for a main office with 300+ employees. There is no budget limit, but the router needs to be reasonable for our needs. We are not looking for any specific protocols or VPNs, etc., just a router that is optimized for this network. The ISP is offering 10Gb fiber speeds and I will also need 5 48-port switches to be used as access. I have looked at the Cisco ISR 4000 but they don't seem to have 10Gb ports. Is there something I am missing? Basically, from my understanding, I need to find a router that will be able to handle 10Gb fiber and distribute it to 5 48-port switches; the ISP has already provided us with a router. Should I be looking for a router with 1 10Gb port and 5 1Gb ports? How does the Ubiquiti EdgeRouter Infinity 8-Port 10G SFP+ Router sound? It seems to be my main choice for now even if I am wasting those 10Gb ports and only actually using 1 of them...



Hosting Providers That Allow Stress Testing

Hello, I am interested in stress testing websites for friends. However, I'm paranoid that the hosting provider will suspend the droplet for the number of packets sent out so quickly (this has happened before). Does anyone know any providers that wouldn't do this?



Voice traffic over Aruba wireless solutions

I'm trying a Grandstream IP PBX and was thinking of enabling people using Wi-Fi to communicate using a softphone on their mobile devices. How can I identify voice traffic from access traffic? Has anybody tried that before? When it comes to wired networks you can actually use voice VLANs and access VLANs (pass tagged voice packets and untagged data packets, etc.), but on wireless I'm not sure that it can be done. Please help if you can.



TP LINK W9970 V4 synchronization issue

I have a question about the TP-Link W9970 V4. Has anyone of you faced an issue with this particular version of TP-Link losing sync or just disabling the DSL connection in bridged mode? I'm actually working for an ISP and we are using a MikroTik + a TP-Link in bridged mode since the MikroTik doesn't have an RJ11 port for ADSL or SDSL customers. Do you have an idea about the possible reasons? The previous versions are stable.



Using variable for IPs in Visio?

I'm not having the best of luck with my google-fu so I'm hoping someone here may have figured this out already.

I'm trying to create Visio documents for all our offices and I've broken out the IP schema so it's identical everywhere, just the first couple octets change.

Is there a way I can populate variable fields on one Visio page and have it update those variables elsewhere in the Visio?

Up to now I've been doing a search/replace on the /24 I have all my routed /29s and /30s in; X.Y.Z+1 for example. I'd like to be able to populate that using a variable like $RoutingSubnet.



Create AS-SET for ASN to accept BGP route through ISP

Hello,

One of my customers, who is a small private ISP, is receiving an email from one of their upstream ISPs. They are rejecting a route because we do not have an AS-SET to accept the downstream client's prefix/route.

We have an ASN of xx and this client has an ASN of YY. The client uses our network as a backup in case their primary fails via BGP. The upstream provider accepts our ASN and network but does not accept our downstream clients.

This is the first time I am dealing with ASNs and ISP acceptance routing and rejections. Could anyone help me understand how to get an "AS-SET" created with the downstream client's ASN so our upstream ISP will accept their subnet?

I understand there is a document on ARIN's website but it's confusing me, and I was just wondering if there are a few step-by-step directions someone could provide. I think I need to email [rr@arin.net](mailto:rr@arin.net) with a defined AS-SET name and other information?



Checkpoint Log Exporter to Syslog Size Reduction

I'm very new to Check Point and syslog, but one of the first things I am trying to do is get rule activity logs over to Splunk via syslog-ng. Our CP talks a lot, and I want to see if there is a way to reduce the data that is sent via Log Exporter to syslog. I currently see it sending 42 fields, but if I wanted to send less, is there a way for Log Exporter to filter out the ones I do not want, or just specify the ones I want?

Alternatively, and what seems to me would be far more complicated, can syslog-ng filter out unwanted pieces on its end?

The overall goal here is to have less indexed by Splunk so I do not have to expand licensing to index information I simply don't need.

Thanks!



CISCO ASA. Alert on SYN attacks exceeding a threshold

Hi there,

Is there any way on ASDM to send an alert when SYN attacks exceed a threshold?

https://i.imgur.com/J41jt2E.jpg

I have this window open on a second monitor all day and sometimes I receive over 200-300, even 1000, SYN attacks on the web server or FTP server.

Can ASDM do this? I also have Kiwi Syslog and SCOM to help me monitor this shit. Any idea is very much appreciated.

Thanks and regards



Aruba 6300M - 24 port SFP (10Gb) - 100Mb support?

I opened a ticket, and am guessing the answer is "not supported" - but does anyone know if this switch supports 100Mb? Went to start moving things over and didn't realize how many management ports I have are 100Mb. I bought a handful of J8177D transceivers for the management ports in the rack but am thinking a separate switch now may be the answer.



Fluke reseller who offers support?

I am in the market for some Fluke cable testers, but I don't have a budget of 30k to buy a new DSX-8000 with all the fancy bells and whistles. I am interested in the DTX-1800 tool that can certify CAT6a and test fiber connections. Fluke stopped supporting this model in 2018. I was just curious if there is anyone out there who offers refurbished equipment and any kind of support. Something like Curvature, who sells refurbished Cisco equipment?

Thanks!



VXLAN & Firewalls

Hi, got a bit of a problem with a project I've just picked up from someone who has left our company. A customer has 2 DCs, and each DC has a pair of HA ASAs that do not support clustering. My predecessor implemented VXLAN across both DCs, assuming that the firewalls just did routing for internal traffic, but no, they actually do have a large ruleset on them. His intention was to move the gateway from the firewalls to an anycast gateway on the VXLAN switches, but we cannot do this as all the traffic would be unfiltered, impacting the customer's security posture.

One solution, other than buying new firewalls that do cluster (100k's worth of firewalls), was to forward the traffic up to the firewalls from the VXLAN switches via an L3 out, using VRFs to keep the VXLAN traffic separate, advertising host routes via BGP so when a VM moves from one DC to another they will not trombone over the DC interconnect. I'm not keen on this design as I suspect we'd get into firewall bilateral routing hell, but I'm interested to see what other people think of it.



MACsec encryption from unsupported device to a supported device

So, direct to the point:

I have a stack of Cisco 2960X switches uplinked to a stack of Cisco 9300 core switches. I need to enable encryption, however, it seems the 2960X series switches do not support anything without a separate module (though, I don't think there is one? I can't seem to find one).

I'm wondering if I can enable MACsec on the trunk ports on the 9300 using an MKA policy without a PSK and not break anything. Would this allow traffic that passes through the uplinks on the 2960X stack to be encrypted on the 9300 stack? Would this pose any issues where network traffic would be dropped due to the inconsistencies in uplink/trunk config?

Thank you!



VLAN tagging gone wrong?

We have an issue where no matter what switch we use, it randomly puts clients on the wrong VLAN, no matter what the VLAN tagging on the port is.

If we disable DHCP on the secondary vlans, the main VLAN works.

If we enable DHCP it starts assigning addresses from the wrong VLAN.

When enabling DHCP on tagged VLANs, we experience random DHCP assignments on the tagged VLANs.

Example: Switch is configured with VLAN 1 and 40, the port is set to VLAN 1.

The firewall then assigns an IP from VLAN 40.

This seems to be an issue with the firewall, what do we do here?

Aruba switches with VLAN 1, 10, 20, 30, 40, 50, 60, 70, 80

4 Switches, all of them have the issue randomly.

WatchGuard firewall that acts as DHCP server for all VLANs except VLAN 20, which uses DHCP relay to a domain controller.



Strange network issue

Hey all. Not sure anyone has experienced this or can help with what little info I have. We have an issue where users get no internet connection; it just says "cannot connect to the network" on Wi-Fi. We have EAP-TLS certs and use Windows 10 1909 as there have been issues with TLS on 2004. It might be that the issue is only for Lenovo E495 machines with Realtek Wi-Fi cards but this is not 100% clear. The weirdest part is that the workaround fix is to connect to an open SSID or PSK SSID and then back. This works but only for a limited time, as the issue comes back after about a week's time. I'm currently looking to get some better logs from a client, both a Windows wireless report and Wireshark. Any help or tips is greatly appreciated.



Monday, December 14, 2020

Anyconnect dual wan PBR?

Hey, trying to plan an AnyConnect implementation. I have 2 WAN connections (outside1, outside2) with static IPs on both (outside1 x.x.x.21/29, outside2 x.x.x.3/29). All of my network traffic is set to go out outside1 as external services are locked to that IP. If I run my AnyConnect on outside2, am I able to route the VPN user traffic out outside1 with NAT/PAT or PBR?



Are there any benefits from running an IPv6 network?

Are there any benefits to running IPv6 vs IPv4 for your local network?



Failover to Public Internet if AWS via MPLS fails on Velocloud

One of our customers has AWS using NetBond over MPLS and a DIA connection terminating on a Velocloud. How can I design this or configure this so that if the MPLS ever goes down, AWS is still accessible?

The customer has three sites with MPLS and a DIA. Either we take traffic to another site and use MPLS there to get to AWS, or we use the DIA to go to AWS via a non-Velocloud site tunnel to it. Or is there any other easy way to accomplish this?

Thanks in advance everyone!



I would really appreciate some friendly advice

Mods - I don't consider this to be "early career advice" since you define that as someone who is looking to get into networking (I'm already there). If you must remove this post, go ahead, but it would mean a lot to me to hear any opinions and advice.

I don't post in this sub that often, but I figured I'd ask for some opinions on my current situation. I'm currently working as a graduate network engineer, with some prior experience from various internships/placements etc. This role is very different to any I've had before, there is basically no hands-on networking (patching, installations, etc) and that's something I enjoy a lot.

The role is very remote (even without covid, it would still be remote given I work for a global company). When I joined, I was told that I would be trained up and be mentored by another 1-2 network guys. The issue is, I haven't really been given that much in the way of what I would consider thorough training or mentoring. I tend to be shown bits and pieces for specific jobs, when the people mentoring me are not busy.

I also have some learning difficulties in the sense that it takes me a lot longer to pick up things than others, and my Cisco knowledge has somewhat disappeared over the last few years, given that we worked with HPE kit in my previous role. So what I'm feeling is, I'm not being shown enough to feel comfortable in doing my job, but at the same time I feel that my own background knowledge isn't up to scratch.

It seems to be the most basic things that I have to ask for help with, and then wait 30 minutes for someone to come off of a Teams call to help me.

The other issue I'm facing is that I'm being handed network troubleshooting tickets to work on when I don't even know where to start. The company is hugely confusing to me, with about 4 different sets of logins before I can access a switch to even try some basic troubleshooting. It just feels very... time consuming to me, like I spend most of my time figuring out where to go, and passing login screens, then when I finally get onto the correct device to check things, I am bummed out because I don't *really* have that troubleshooting experience, especially in the context of this complex organisation.

I feel like they were looking for a graduate, but assume a fair bit of prior experience from me, which is just not the case. It doesn't matter how many times I have mentioned this to my boss or colleagues, they just seem to not have the time to spend with me to get me to the point where I'd be comfortable in the role.

So my question is... is this a me problem? I can't help but think that if I was in a network role at a smaller, less confusing company, I could absolutely learn and thrive there. Something like an in-house engineer for some campus network.

I understand there are things I could do to help my case (re-study my CCNA, brush up on troubleshooting, etc). But right now, I just don't have the passion or motivation in this role to want to do that, which is why I would appreciate any advice you more experienced engineers may be able to offer.

Have you been in a role that just wasn't compatible with you before? Did you find a new job right away or did you try and make it work?

Apologies for the wall of text. Hope you all have a good day/evening :)



What are my options for monitoring utilization of an interface with a higher degree of resolution?

tl;dr - How can I tell if my WAN is regularly getting saturated?

We've got a 100/100 connection from one of our ISPs. Recently I've been getting reports and behavior that make me suspect it's getting overly congested. But when I look at my SolarWinds graph of the interface, it shows it's only using (on average) 10 Mbps with occasional spikes to 30 Mbps.

I understand the way that Ethernet works: being a serial interface, it only runs at one speed, and the reports from SWinds are simply a reading of utilization over a set period of time. Is there a way to get higher resolution reports of an interface's bandwidth usage?
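As an added illustration of the point raised in this post (not code from the poster), the block below builds a constructed per-second traffic series on a 100 Mbps link with a single ten-second burst at line rate, turns it into SNMP-style 32-bit octet counter readings, and then averages it the way a poller would at 1 s, 30 s and 300 s intervals. The same traffic reads as 100% busy at 1 s resolution and about 11% at a 5-minute interval; the counter-wrap handling is included because a 32-bit ifOutOctets at 100 Mbps wraps in under six minutes.

```python
# Added example (not from the original post): why a long polling interval hides
# short full-line-rate bursts. All traffic figures below are constructed, not a capture.
from typing import List

LINK_BPS = 100_000_000      # 100 Mbps WAN link from the post
COUNTER_BITS = 32           # ifInOctets/ifOutOctets are 32-bit unless HC counters are polled


def counter_delta(prev: int, curr: int, bits: int = COUNTER_BITS) -> int:
    """Bytes moved between two octet-counter readings, tolerating a single wrap."""
    if curr >= prev:
        return curr - prev
    return (1 << bits) - prev + curr


def counters_to_rates(readings: List[int]) -> List[int]:
    """Consecutive per-second counter readings -> bytes-per-second values."""
    return [counter_delta(a, b) for a, b in zip(readings, readings[1:])]


def window_utilization(bytes_per_sec: List[int], window_s: int,
                       link_bps: int = LINK_BPS) -> List[float]:
    """Average utilization (0.0-1.0) per non-overlapping window of window_s seconds.

    This is what a poller with that polling interval would graph: total bits in
    the window divided by what the link could have carried in the same time."""
    out = []
    for i in range(0, len(bytes_per_sec), window_s):
        chunk = bytes_per_sec[i:i + window_s]
        out.append(sum(chunk) * 8 / (len(chunk) * link_bps))
    return out


def peak(util: List[float]) -> float:
    return max(util)


def build_traffic(total_s: int = 300, baseline_bps: int = 8_000_000,
                  burst_start: int = 100, burst_len: int = 10) -> List[int]:
    """Constructed traffic: steady baseline with one burst at full line rate."""
    per_sec = [baseline_bps // 8] * total_s
    for t in range(burst_start, burst_start + burst_len):
        per_sec[t] = LINK_BPS // 8
    return per_sec


def build_counter_series(bytes_per_sec: List[int],
                         start: int = (1 << COUNTER_BITS) - 50_000_000) -> List[int]:
    """Constructed octet-counter readings, starting close enough to 2^32 that the
    counter wraps during the series (the classic 32-bit counter trap)."""
    readings = [start]
    for b in bytes_per_sec:
        readings.append((readings[-1] + b) % (1 << COUNTER_BITS))
    return readings


if __name__ == "__main__":
    rates = counters_to_rates(build_counter_series(build_traffic()))
    for w in (1, 30, 300):
        util = window_utilization(rates, w)
        print(f"{w:>3}s polling: peak {peak(util):.1%}, mean {sum(util) / len(util):.1%}")
```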



SSL Decryption/DPI

I recently saw a post about someone deploying SSL Decryption/DPI and a couple of issues they had with certain applications not working. As the person posting did not seem to be on the network/security side and more on the end-user side, I made a comment about ensuring that certain sensitive websites were not being decrypted (banks mostly).

I was surprised to be called out that this was not a good idea, that if you're doing SSL Decryption it should be an all or nothing approach and users don't get privacy.

My understanding is that if you're doing SSL Decryption/DPI you could potentially see things like credit card details and bank account details. This would pose quite a security risk and surely then require those companies to ensure access to and storage of that data is appropriate?

Is my understanding correct? and also if you are doing SSL decryption/DPI are you decrypting everything?



Weird, frustrating issue

Hello guys,

It has been one month with our Microsoft problem: our Outlook says that it is trying to connect.

I created a rule on the firewall with a permit any, and a rule on the router also with permit any. The issue still persists.

If I access Outlook from the browser, it works fine. Microsoft are saying that it's a network issue, but I have allowed everything on the firewall and still no luck.

I did a packet capture on the FTD, and I found that the server is sending a reset packet to the user.

On the firewall, I checked the events and I can see that it is allowing Microsoft traffic.

Any help please



WPA2 peer to peer vs end to end (wifi)

Hi!

My question might be very basic, but I don't understand why the traffic in a Wi-Fi network is encrypted between the peer entities and not end to end.

If I understood correctly, the station and AP exchange a pairwise temporal key to encrypt their traffic. So if station A (SA) wants to communicate with station B (SB), the packet will be encrypted first with the SA-AP key by SA, on arrival at the AP decrypted, and again encrypted with the SA-AP key.

Would be glad if somebody could help me with this. :)



Network Design - Subnetting, VLANs, and Regulatory Compliance using NAC and micro-segmentation.

Let me start this thread by stating that I have worked in IT for nearly 20 years. I have even taught as an adjunct professor for a school teaching Associates level networking. To this day, I had never heard of the separation between VLANs and subnets. While logically, I knew that there is a difference, I was never taught or shown a network setup that uses VLANs that aren't tied to a specific subnet. (e.g. VLAN100 - 10.1.0.0/16)

I say all of that to bring up my point. I am in a unique situation where I need to take a traditional "Higher Education" network and start the process of micro-segmentation to aid in meeting regulatory compliance. I am trying to figure out how to do this without causing network outages or disruption if possible, or to at least minimize them. I inherited this network with over 490 subnets and roughly as many VLANs, all directly tied together and purpose built. Needless to say, this is not very conducive to implementing a NAC solution with RBAC to specific VLANs based on user / device / application, etc.

To describe where I am at in my thinking, we have 48 active buildings on campus. Currently, each building has a specific building number and has been assigned 10 VLANs. An example of this would be:

Building 12

I am trying to wrap my brain around a logical change that would simplify the logic in NAC policies to increase network security and regulatory compliance using RBAC based on AD security groups to automatically place users in specific VLANs across campus depending on their device type, device ownership, HIP profile, AD User security group, and any other identifiable attributes required to meet compliance needs for the different types of data to be accessed. Once this model is built, automation should then become a piece of cake therefore reducing the time and effort spent on such menial tasks as user on-boarding and device management.

It seems like there should be a way to utilize the current subnet structure that is in place and assign VLANs based on regulatory compliance restrictions, RBAC, or IOT device types. I'm just not 100% confident in how to go about this. I get that you can have multiple subnets in a specific VLAN, but I start getting fuzzy on how this routes or works when managing a fairly decent sized network.

Has anyone else crossed this hurdle and successfully segmented their network across a mid to large sized campus or business network with an average of 7500 users and upwards of 21,000 devices?



How to bypass isp limit by routing through a specific website

The title is somewhat accurate; I don't know how to describe it.

So my question needs context. My ISP is a piece of shit, monopolistic assholes who hard cap at 6 Mbps or 700 KB/s, block all cache servers in the name of security and charge high. So today I noticed that on the WhatsApp website I can download the exe file at 9 MB/s.

So can I mask and route through this site and get this speed somehow with other downloads such as Steam or torrents? It would really be helpful as downloading games at 700 KB is a pain.

I don't know if I made any sense, but any help would be much appreciated.



CAT6 Manufacturers (Structured Cabling)

I was recently put in charge of hiring a company to install structured cabling at our new site. I have been reading up on CAT 6 and there seems to be a lot of opinions but little experience behind them. I have never had to purchase more than a box or two of CAT6 in the past and now I'm talking hundreds of drops. All of the drops will be going into offices for employees (under 100m). All drops will be terminated into a rack in our server room. I have two questions that I would really appreciate help with.

1) Do I need to nitpick the cable manufacturer? Each of the three companies I have quotes from are using CMP CAT 6 from major manufacturers (Hitachi, Commscope and ICC). Is there anything you wish you would have known before selecting a cable manufacturer or specific cable in a segment like CAT 6? The reason I ask is that the Commscope (CAT 6 CS37P) cable is much more expensive than the Hitachi (CAT 6 XS UTP Plenum).

2) Have you ever needed to worry about the 15-30 year warranties on your cables? Each of the installers will use a FLUKE DTX and provide a report and labeling for each cable. One of the companies is not matching the termination to the manufacturers list, so the manufacturer won't offer a warranty, but the installer warranties the cables themselves. The installer explained that in the 20 years they have been doing business they have never had a cable warranty request. (I'm just wanting to check if they are selling snake oil)

Let me know if there are clarifications that I need to make, or if you think there is anything in general that you wish you would have known before your first structured cabling adventure.



Singlemode Fiber Issues... 1G Works & 10G Does Not Work

I recently installed singlemode fiber to interconnect a client's main house to their guest house using UF-SM-10G SFP modules; however, I keep receiving an RX Fault. I used a VFL to confirm light is coming through the fiber and re-cleaved the ends multiple times... then through an accidental turn of events I connected the fiber ends to UF-MM-1G... and it WORKED! The issue is I need 10G connectivity plus... I have no idea why single mode fiber would ever work with multimode SFPs...

I have triple checked to make sure I pulled single mode fiber and I did... confirmed the labeling on the jacket... and confirmed I was using the correct AFL connectors... included below are the details of what I used... along with the details of the environment.

Any assistance here would be great... because I am at a loss for words on this project... Thanks.

AFL LC Termination: AF-FAST-LC-SM-6

Fiber Specs: https://files.cablewholesale.com/pdfspecs/10f3-002nh.pdf

Environment:

UDM-Pro (v1.8.3.2949) Connected to USW-Pro-24-PoE (v 5.43.18.12487) with UF-MM-10G (Main House)

Main House Switch Connected to USW-Pro-24-PoE (v 5.43.18.12487) with CAT6 & UF-SM-10G (Guest House)

Network Diagram: https://img.community.ui.com/c6524b24-732e-44a0-8441-d48fe79190e5/questions/75784abb-199a-445f-835d-ae9fa4a33c14/05da41c0-9c49-4892-95dc-09e8802b5075



Odd OSPF failure

We are running a Silver Peak SD-WAN for our remote sites. Our two hub-sites each have an HA-pair of Silver Peaks that are in OSPF Area 0 along with the core routers at each site.

Site B's primary Silver Peak stopped communicating with The SP Cloud Portal and Orchestrator, and then eventually completely over the WAN interfaces.

The secondary took over - mostly. There was about 10% of the routes that The Primary SP was still clinging onto somehow. The route table in Site B's core router showed it was forwarding 90% of what it should be to the Secondary. But there was a small handful of subnets at Site A that Site B's core router was forwarding to the Primary for some reason.

We could ping the LAN-side interface of the Primary at Site B, but that's about as responsive as it got. Once I shut down the switchport connecting the primary Silver Peak to the LAN at Site B, Site B's core router route table corrected and started forwarding those last few subnets to the Secondary Silver Peak.

Any idea how something like that could happen? I thought with OSPF being a link-state protocol that it should fail over all or none of those routes.



Reverse DNS Records Not Matching Hostnames

Hey

We have a handful of clients, where their hostnames should be 12345.domain.com.

Most are fine, but those handful show as having mh1.12345.walmart.us or bmw.eu.

How do I determine the cause of this? Will I need to enable verbose logging on the DNS servers?

The hostname on the client endpoint shows correctly, if you remote on to it, or query WMI.

Cheers.



Commercial network amateur with Cisco issues

So I only know general networking stuff and enough to troubleshoot certain things and configure endpoints. I have been left with 3 Cisco 9300s with no configurations that I desperately need to get up and running to test equipment with. I have one of them where I can finally access the WebUI, but no matter what login I try it is saying it is wrong. I have tried cisco, admin and webui, with the same as passwords as well as the chassis SN for the password for each. I also created a user with admin privileges and a set password, which still told me it was wrong, as well as one with privilege 15, but again it told me I was wrong.

Can someone please point me in the right direction? If I can do it for one, I can figure it out for the other 2.

Thank you in advance



Accessing subnets via switch

Hello everyone,

I'm facing issues connecting to specific subnets via an ethernet connection to a switch.

Say the switch gives access to 10.128.77.224/27.

When I connect to any port that's working I get an IP address of 10.0.0.128 in the subnet 10.0.0.0/24.

And no matter what I do I can't reach the initial subnet. I tried setting a static IP address in the initial subnet, adding routes to the initial subnet via the gateway 10.0.0.1 in 10.0.0.0/24, but to no avail.

Any ideas how to proceed ?

I do not have access to the switch administration, I'm doing all of this from a Linux machine. The goal is to access the subnet for testing purposes.

Thanks !



Does anyone have eNSP?

Hello,

I need to create a lab to test a configuration with Huawei equipment, but it is impossible to download eNSP and Huawei doesn't want to provide it. The next version will only be released in several months; I would need the old version if someone can pass it to me :)

Thank you in advance



Alternative to The Dude to install in windows

Hi everyone, my team of devs needs to keep an eye on several servers (VMs / DB / HTTP pages) as we provide services for our company and clients.

Internal IT does not have a very good response time so I decided to have something of our own to monitor and report anything down.

Several years ago I used The Dude, but it's been discontinued for Windows Server installation.

I can ask for the creation of a Linux VM but I would prefer to avoid it so it could all be contained in my team; for the same reason it would need to be something free.



Tool to run periodic ping tests from switches - achievable with Solarwinds?

We have been trying to get some simple baselines for ping times across our network as a benchmark, so if we do have any issues we can compare back. Currently we have Solarwinds set up with NTA, NPM and UDT (from what I can see; we don't have much time to play with it so just leave it running as an alerting and backup system). I know I can use Solarwinds to run ping to various devices on our network but was also hoping to run ping from switches on our network. At a basic level I'm thinking I can get Solarwinds to run a job where it logs in to a switch, runs ping commands to the various destinations and saves the output. From there I imagine there might be some smart way to check the contents of the text output and maybe generate alerts based on it, but that isn't required as we mostly just want a baseline to be able to refer back to.

Is this something worth trying with Solarwinds? I know typically for this type of test you would install an agent or remote servers across the network estate and collect data from there, but we currently only run one server. I imagine there are also probably loads of other ways to achieve this or systems that can do it, so I'm open to hearing suggestions, although we aren't looking to buy anything. I know also something like Ansible or whatever could run mass jobs like this and parse the results, but our switch vendor has so far been impossible to get working with Ansible so I don't hold out much hope for things like that achieving this.

Thanks.



Best Practices - ISP network device hostnames

I'm currently attempting to find an updated BCP for naming standards on our core infrastructure devices. I'd like to look at possible standards that list our ASN, and possibly acronyms for device type, interface speed, interface port. So an example would be: er-8-1.ASNNAME.possiblylocation.fqdn.com

Any assistance with this would be greatly appreciated.



Sunday, December 13, 2020

Firewall with VPN

Hi all,

I am looking for a recommendation for a firewall device with remote and site-to-site VPN features supporting 300-500 Mbps VPN throughput.

I have worked with Palo GlobalProtect and Cisco ASA/Firepower AnyConnect, but for the customer they are costly.

Low throughput up to 100 Mbps will also do; the budget is I guess around 20k AUD.

Many thanks



I need some help on connecting Eve-NG to a VM

I am trying to learn some networking and want to connect a Linux VM hosted on the same computer as Eve-NG, where both exist on the same PC. I have added a management cloud in Eve-NG that connects to my physical real-life network and bridged the Linux VM to that network. But that makes it so the traffic has to go through my real-life router.

How do I connect the Linux VM directly to Eve-NG without bridging it to my real network? Both are hosted on the same PC.

Is it also possible to connect two Eve-NG instances together on completely separate computers? For example, one instance could theoretically be on another network in someone else's house and connect to mine over the internet?

Can I have the physical PC hosting Eve-NG be on the same network as a router inside Eve-NG? I tried putting my PC on the same subnet as the Eve-NG router interface, but it wouldn't connect. Would I put the Eve-NG VM in host-only mode?

I am new to Eve-NG and I thought this subreddit might know.



Designing ISP addressing schemes that scale

Not sure if this is really the right place to ask this question; just after a bit of advice from someone who may have had more experience than me, as there seems to be fairly slim reading about 'best practices' on the web.

I am trying to (re)design a poorly planned management addressing scheme for a rather large (and quickly growing) ISP network (OSPF and iBGP internally), with multiple PoP sites across multiple regions. Currently I am playing with the 10/8 RFC range, as I am using the rest of the RFC range for various other things (point-to-point addressing, etc.). I have segregated our management network into several VRFs for particular use cases, e.g. core infrastructure, customer CPE, etc., which allows me to control access between these route tables as needed.

My current proposed design allocates a /16 per geographical region, the second octet being an arbitrarily assigned area code which can contain multiple PoP sites in a given region. This is further split into /18s for the 4 individual management VRFs and further to identify the devices hanging off a particular router. For privacy's sake the VRF names are skewed, but there are valid reasons to segregate.

example:

Region: 22

Summary route: 10.22.0.0/16

Per-VRF Subnets:

Core Infrastructure: 10.22.0.0/18

Customer CPE: 10.22.64.0/18

VRF 3: 10.22.128.0/18

VRF 4: 10.22.192.0/18

How this looks in practice, using 2 routers and the first 2 VRFs as an example. To be clear, each site will have all 4 VRFs configured so the subnetting format won't differ between regions:

| Octet 1 (RFC range) | Octet 2 (region code) | Octet 3 | Octet 4 | Mask | Purpose |
|---|---|---|---|---|---|
| 10 | 22 | 0 | 0 | /22 | Core Infra - R1 |
| 10 | 22 | 4 | 0 | /22 | Core Infra - R2 |
| 10 | 22 | 64 | 0 | /22 | CustCPE - R1 |
| 10 | 22 | 68 | 0 | /22 | CustCPE - R2 |

Am I overthinking this? The only suggestion I have been given is to simply use a flat management topology, basically using a portion of 10/8 for each VRF, then using BGP communities to do the needful. I find that it is helpful to look at an IP address and be able to at least somewhat identify where the device lives in the network, but that may be personal preference and not best practice.

TIA.
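As an added example (not the poster's code), the block below encodes the scheme described above (/16 per region, /18 per VRF, /22 per router) with the standard library `ipaddress` module and, more usefully for the "look at an address and know where it lives" goal, decodes any 10/8 management address back to region, VRF and router number. The VRF names and their /18 order are placeholders standing in for the skewed names in the post; it also surfaces the limit the layout implies (16 routers per VRF per region).

```python
# Added example (not part of the original post): encoder/decoder for the proposed
# hierarchical management scheme. VRF names below are placeholders.
import ipaddress
from typing import Dict

BASE = ipaddress.ip_network("10.0.0.0/8")
VRF_ORDER = ("core-infra", "cust-cpe", "vrf3", "vrf4")  # placeholder names, in /18 order
ROUTERS_PER_VRF = 2 ** (22 - 18)                         # sixteen /22s fit inside each /18


def region_summary(region: int) -> ipaddress.IPv4Network:
    """The /16 advertised as the summary for one region code (second octet)."""
    if not 0 <= region <= 255:
        raise ValueError(f"region code {region} does not fit in the second octet")
    return ipaddress.ip_network(f"10.{region}.0.0/16")


def vrf_block(region: int, vrf: str) -> ipaddress.IPv4Network:
    """The /18 carved out of the region /16 for one management VRF."""
    return list(region_summary(region).subnets(new_prefix=18))[VRF_ORDER.index(vrf)]


def router_block(region: int, vrf: str, router: int) -> ipaddress.IPv4Network:
    """The /22 for devices hanging off router number `router` (1-based) in that VRF."""
    if not 1 <= router <= ROUTERS_PER_VRF:
        raise ValueError(f"only {ROUTERS_PER_VRF} routers fit per VRF per region")
    return list(vrf_block(region, vrf).subnets(new_prefix=22))[router - 1]


def locate(address: str) -> Dict[str, object]:
    """Reverse the scheme: which region, VRF and router does an address belong to?"""
    ip = ipaddress.ip_address(address)
    if ip not in BASE:
        raise ValueError(f"{address} is outside the 10/8 management range")
    raw = int(ip)
    third_octet = (raw >> 8) & 0xFF
    return {
        "region": (raw >> 16) & 0xFF,
        "vrf": VRF_ORDER[third_octet >> 6],          # top two bits of octet 3 select the /18
        "router": ((third_octet & 0x3F) >> 2) + 1,   # next four bits select the /22
    }


if __name__ == "__main__":
    # Reproduces the four rows from the post's table, then decodes a host in each block.
    for region, vrf, router in [(22, "core-infra", 1), (22, "core-infra", 2),
                                (22, "cust-cpe", 1), (22, "cust-cpe", 2)]:
        blk = router_block(region, vrf, router)
        print(f"{vrf} R{router}: {blk} -> {locate(str(blk.network_address + 1))}")
```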