Saturday, December 26, 2020

PC will not discover networks

To start off, I’m not super knowledgeable in computers. Building is fine. But networking, BIOS, those sorts of things are above my head still. So I upgraded my PC’s BIOS today, for MSI B450M Pro VDH, to the 12/09 update. The new BIOS update was for support of new Ryzen 5000 CPUs. Afterwards, my computer lost Windows and all of my settings. I reinstalled Windows but could not complete it because I could not connect to the internet, wireless or Ethernet. So I just went ahead, I’ll activate it later. Once getting into my PC on my user account, my computer cannot detect any networks available, wired or wireless. I know the wireless adapter works and the Ethernet cord was tested.

Any help is very much appreciated. I don’t know if this is the appropriate place to post, but this issue is way above my knowledge.



Fun with IP address parsing

A fun read:

Of course we all know how to format IP addresses.

Aside from that there are apparently more ways to write valid IPs, although I would get a headache if I saw them at work:

https://blog.dave.tf/post/ip-addr-parsing/

Have you ever encountered this in the wild?
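The alternative spellings the linked post refers to are the historic BSD forms that the C library's inet_aton() accepts (fewer than four parts, octal and hex parts, one bare 32-bit number). As an added example, not code from the linked post, here is a strict dotted-quad parser beside the lenient one, run over constructed inputs; the mismatch matters wherever an allowlist is compared as text while the socket layer parses leniently.

```python
# Added example: strict dotted-quad IPv4 parsing next to the lenient behaviour
# of the C library's inet_aton(), which Python's socket.inet_aton wraps.
import re
import socket
from typing import Optional

# Exactly four decimal parts of 1-3 digits; [0-9] rather than \d so that
# non-ASCII digits are not accepted.
_STRICT_RE = re.compile(r"^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$")


def parse_ipv4_strict(text: str) -> Optional[bytes]:
    """Return the four address bytes for canonical 'a.b.c.d' text, else None."""
    match = _STRICT_RE.match(text)
    if match is None:
        return None
    octets = []
    for part in match.groups():
        if len(part) > 1 and part.startswith("0"):
            return None  # inet_aton would read '010' as octal; refuse the ambiguity
        value = int(part)
        if value > 255:
            return None
        octets.append(value)
    return bytes(octets)


def parse_ipv4_lenient(text: str) -> Optional[bytes]:
    """The same text as the C library's inet_aton() sees it (None if rejected)."""
    try:
        return socket.inet_aton(text)
    except OSError:
        return None


def surprising_forms(candidates):
    """Map each input the lenient parser accepts but the strict one refuses
    to the canonical address it actually resolves to."""
    result = {}
    for text in candidates:
        lenient = parse_ipv4_lenient(text)
        if lenient is not None and parse_ipv4_strict(text) is None:
            result[text] = socket.inet_ntoa(lenient)
    return result


if __name__ == "__main__":
    # Constructed sample inputs: five spellings of 127.0.0.1 plus two invalid ones.
    samples = ["127.0.0.1", "127.1", "0177.0.0.1", "0x7f.0.0.1",
               "2130706433", "256.0.0.1", "localhost"]
    for text, canonical in surprising_forms(samples).items():
        print(f"{text!r:>14} -> {canonical}")
```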



Quick question, why do router gateway admin logins not operate with 2FA?

Surely this would stop a lot of unwanted breaches when admins choose unsafe passwords or even keep the manufacturer credentials.



ASA 5508-X: ASDM can't edit AnyConnect profile XML file (enable local LAN)

Running ASA 9.8(4).15 with ASDM 7.12(2).

When I try to edit the AnyConnect XML profile I get the below error (will try to upload a screenshot):

"Input is not a well-formed, schema-compliant XML file. Scheca Validation Failed:"

org.xml.sax.saxparseException;cvccomples-type.2.4.a Invalid Contenet was found starting with the element "backupServerlist". ...

asdm error screen cap

I have an open case with TAC, but they have not been very helpful. The a/c profile file is working with the clients. I need to enable "local LAN" in the editor so people can print to local IP printers.

Suggestions?



Is it possible to connect a router without ethernet?

I'm working in a house that just has TV/antenna ports. What should I do? They have a working router which is connected that way (I don't understand how) and I want to install one in their son's room the same way, but I don't know how (he has the same ports) and they don't know how as well.



Cisco 1841 Router - Is it worth keeping it?

I was given an older router: Cisco 1841. I've reset it to factory defaults.

Question: though it cannot be updated anymore due to model deprecation, is it worth keeping around and using it?

Or should it be relegated for use as a learning tool only?



Download speed fast but program download speed slow

Not sure why this is but applications and programs download at a peak of 8.7mbs on a 70 mb internet speed. I've tried all the optimisation tools possible through cmd, an Internet optimisation software, changed to the fastest dns servers and updated all the drivers but got the same result.

Any reason why this is happening?



Sonicwall VS Unifi or anything else?

We have 100+ branches with a small number of users. Currently they are connected via IP VPNs. We use a Cisco small business load balancer for load balancing, obviously... It's time for replacement models and I'm leaning towards Unifi edge routers, and the vendor told me they have SonicWalls also. What I would like is something with centralised management (I don't wanna connect to each one individually for a simple DNS server change). I'm just curious about your experience with SonicWalls and the Unifi edge series.



Friday, December 25, 2020

Electrician just gave me a quote of $1800 for 1 electric outlet and 1 data port

This is a residential job and it's an older 2 story house. I have a room with no electric outlets and wanted to throw in a data port next to the outlet (for Work from Home). He wants to drill outside and drop it down the wall and into the basement (for both). Supposedly, this is a reputable electrician.

I could do the data drop myself but it'll be ugly and I don't know anything about electricity. So, I figured I could get a pro to come do it for maybe $500 or less.

I'm in Michigan. Does that seem extremely high to anyone or am I out of the loop?



POE switch for home security cameras

I plan on buying this poe switch https://www.amazon.com/dp/B07WJLFCDT/ref=cm_sw_r_cp_apa_fabc_J3Q5FbWYKZ4FV?_encoding=UTF8&psc=1

And use it with this system, it appears to be sufficient but want to make sure I am not missing something

https://www.amazon.com/dp/B082KGF6FX/ref=cm_sw_r_cp_apa_fabc_J5Q5Fb0KMD95Z?_encoding=UTF8&psc=1

TIA



Connecting switch to Altice Modem/Router combo unit

I am not getting internet from the switch for some reason. My switch is connected to the Altice router/modem. Anyone have experience with this?



Maybe wanting to start a WISP/Small ISP in a couple of years.

(I don't live in the USA so my local situation may be different than the majority over here)
Currently I work at a small but fast-growing ISP as a network engineer/tech. And I am not gonna lie, I like it. Yes it can be tough, you work odd hours; I would not even mind working odd hours if we had some sort of schedule instead of being 24h on call. And customer demands are often perplexing, as well as the fact that telephony is murder. But I like it despite that, it can be fun, it is in an IT niche that I find interesting ATM and I get to travel visiting POPs at odd places and meeting interesting people. I also am confident in my layer 2 game.

And although I love the big city, every once in a while an idea pops up in my head that I want to move back either to my small (10000 people) hometown or my also small (10000) high school town. Usually I dismiss that idea in a second. But one day I might not.

The problem is I will never ever find a networking job there. It is hard to even find any IT jobs there, and most of them are commuting to the large city I am already in. The only way I will find a networking job in such small towns is if I make one myself.

So I would start my own one-man WISP/local ISP. At the earliest this would happen in 4-5 years because I feel too green and have no social network of note. But I know for a fact that no nearby WISPs or local fiber ISPs exist.

Here are some of my challenges/milestones/thoughts/questions on that matter that I have:

  1. I need to learn. I need to learn layer 1, a milestone would be that I know enough to do a fiber run and splice, enough to be self reliant at least. And I also need to know layer 3. The milestone here would be that I am just as confident in my BGP as I am in my layer 2 ATM. I would prefer to have an AS over not having one.
  2. Customer first, product/service second. This is a big one. The hardest way to start a business is to start selling before you have customers. The way I intend to circumvent this issue... Well, I would open up an IT-related craft shop/service where I would do IT odd jobs for my neighbors and local businesses, fixing up PCs, small-time server support and big-time network support. I would also network with the local geek community. I would use all of that to network with people, and I would constantly nudge my customers with 'Hey bro, I totally can sell you the internets myself.' I could also extend my area by offering wireless to local villages if I have LoS.
  3. Getting my uplink. The local T-Mobile is an option but word is they charge a hefty premium for resellable links. Another option is my current workplace, but I know for a fact we have no infrastructure in either of the towns I mentioned earlier. A third option would be a WISP from a nearby town, but they could give me what, 50/50M? Maybe something else pops up in a couple of years.
  4. Equipment. Right now I favour Ubiquiti as I find their UNMS software enticing. But lately Ubiquiti as a company has been sending out weird signals. And where possible I would try to get second-hand cheap Cisco. That one is easy.
  5. What do I do with telephony? I could bite the bullet and add that to my list of 'to learn' milestones or I could outsource it. I could even outsource it to my current company if I leave in good terms.
  6. What about other services? There are bound to be some customers that want bundled services. I could make my life simple by limiting that but that would also limit some of my potential customers.
  7. Running a business, even just to feed one mouth is a stressful proposition at best. There is no way around this.

As for my personal ideals, if my potential WISP-to-be ever becomes big enough to have more people in it, I can always structure it as a worker-owned coop; local laws even recognise that form of organisation.

So, what do you think?

What advice can you give me?



Cisco switch too cold. How to keep it warm?

All - I have a Cisco SG-220-52P in a detached garage/barn on the other end of my property.

This is my first year with this switch, first year with the barn being networked. I live in Michigan. It’s currently 0°. Barn isn’t insulated even slightly. It’s probably 5-7° inside without the wind chill.

Today, around 10AM I got an alert that the switch in the barn went down, along with all devices connected to it. Ran out there, system light flashing rapidly.

I log in to the interface: “system temperature critical”

Too cold to operate. There’s all kinds of stuff out there on how to keep switches cold, I have the opposite problem. Need to warm mine up.

Anyone else ever been in this boat? How did you warm yours up? It’s currently mounted horizontally on the trusses (exposed) - I did it this way because it gets extremely hot out there in the summer.

Need some way to regulate the temperature of it once it gets too cold out there.

Barn Switch



Nice motivation

At the last slides of my courses for my certification I found a very motivating text.

"If you want to become an IP expert you need to read 2500 RFC docs. So if you read 1 RFC per day, you need to spend almost 7 years. However, this documents only 1/3 of all RFC recommendations.

If you want to skillfully operate the devices of a vendor, you need to master more than 10000 commands. We also need to mention different vendors.

After all, both RFCs and device commands keep increasing their numbers."

I guess they should put it at the beginning, not the end.



Wireless device out of range then has full signal after removing and readding

I have an Android TV box that has been unplugged for a while. Plugged it back in this morning and it would not connect to wifi. Kept saying it was out of range. I removed the saved wifi name and re-added it manually and magically/mysteriously it's in range with full signal. The box has always been 10 feet from the router and this is not the first time this has happened, or the first device either.

Since this is not the first device, what would cause (ANY WIFI DEVICE) to say out of range (when it really is within range) but want you to delete your saved info and re-add everything again?

This is also not the 1st router this has happened on. The common thing between the 2 routers (Netgear WNDR3400 and TP-Link Archer C7) is they have both been used as a DHCP server so my IPs stay put where I set them. Shouldn't matter because the router has it on a permanent lease. Or DOES it actually matter somehow?

Things ALWAYS work via LAN cord but on WIFI, eventually it's gonna say not in range until deleted and readded which makes ZERO sense since the 3 router antennas and 2 device antennas are only 10 feet apart.



Port forwarding in SRX

I have the following Cisco ASA NAT syntax which needs to be converted to SRX Junos. Can anyone help? Looks like a lot of things need to be done in SRX to set this up.

static (inside,outside) tcp interface 8081 TEST-SERVER 8080 netmask 255.255.255.255



Thursday, December 24, 2020

Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Looking for a 25GbE switch- from an old timer's perspective

Hi Everyone,

I've found myself in a research loop and would appreciate your help. I come from the Cisco 4509E era and still run a 2960G at home.

I need to build a small (3-rack) datacenter for my startup (we run FPGA computations) and the servers we are using are Dell R7515s and R6525s. I want to connect them using their Mellanox ConnectX-5 25GbE links (about 20 links) and the regular 1GbE stuff (30 links).

I've done some research into whitebox switches and honestly it's just not worth the effort; from a CEO's perspective I prefer to pay the premium for a managed switch (IOS was a blessing).

I know for sure that I need the Layer 2 handled by something as rock solid as the old Catalyst switches, only at 25GbE. I've seen the newer 9000 series and personally I don't like that the switch runs an x86 CPU (especially an Intel one) due to MELTDOWN and SPECTRE.

The edge routing will be done by a pfSense machine while the (RFC3021-style p2p network) L3 forwarding will be done by the switch (similar to what a 3750 would've done).

So basically I'm trying to find a way around buying a 9606R.

Any advice would be greatly appreciated, Thanks.



4G LTE as a potential broadband alternative for a rural location

I have a non-profit client in a remote-ish area of California's Central Valley. They have been using an expensive fixed-wireless broadband service, but due to their location they can only get 6Mb service, which has been mostly reliable but slow. They used to use HughesNet satellite service, but that became impractical because of the daily usage caps which required tokens to be purchased frequently to restore service. There were also issues with NAT and port forwarding. In the past year Frontier DSL has arrived in the area, so now they have both services with a load-balancing router to increase both overall bandwidth and reliability. However, internet usage can be up to 8 people concurrently, so I'm looking at the NetGear LB1120 4G LTE modem to do better than 6Mb via cell service. Cell service at the client used to be good with Verizon, but has significantly deteriorated in the past year or so. AT&T and T-Mobile are also not great (2-3 bars for most services). No idea if/when 5G will be available there. The LB1120 may or may not work with Verizon apparently (I'm guessing due to band availability in the area). Can anyone share any experience pro/con using cell service as a broadband alternative in general or with the NetGear LB1120 in particular? Thanks.



Any way to Import Actual Network Scans, other Scans or .CSV into Packet Tracer to Simulate my Companies Network?

So, as the title states I am looking for a way to take a simple Network Scan (Like Advanced IP Scanner) or a .csv file from something like Spiceworks into Packet Tracer to get a head start on Simulating my Network.

It wouldn't be so bad, but I work for a Fortune 500 at a Local Plant and we have a large network here on-site and want to setup the environment on Packet Tracer to prepare for projects, troubleshoot, etc.

I have done some searching online and haven't found much. Mainly just want to get My Router, Switches, Firewall, AP's, Servers, and Workstations in. Around 300-500 devices altogether.

If this is not possible maybe there is a tip or trick to getting a head start on making a large network on Packet Tracer? Like setting up 100 PC's at a time on same Switch, VLAN, Subnet, Physical Config Basically?

Any help here is appreciated. As you may already be able to tell I am no Packet Tracer Expert.

Thanks for your time!



First it was SUNBURST. Now we have SUPERNOVA. Good luck to you Solarwinds users.

https://www.solarwinds.com/securityadvisory#anchor2

Over the last few days, third parties and the media publicly reported on a malware, now referred to as SUPERNOVA. Based on our investigation, this malware could be deployed through an exploitation of a vulnerability in the Orion Platform. Like other software companies, we seek to responsibly disclose vulnerabilities in our products to our customers while also mitigating the risk that bad actors seek to exploit those vulnerabilities by releasing updates to our products that remediate these vulnerabilities before we disclose them.

The SUPERNOVA malware consisted of two components. The first was a malicious, unsigned webshell .dll “app_web_logoimagehandler.ashx.b6031896.dll” specifically written to be used on the SolarWinds Orion Platform. The second is the utilization of a vulnerability in the Orion Platform to enable deployment of the malicious code. The vulnerability in the Orion Platform has been resolved in the latest updates.



Vlan switch but router NOT vlan aware

Is there any possible way one can make use of a smart vlan capable switch without a vlan capable router?

I tried everything. I could put a PC on a different VLAN (same subnet, and it can ping other PCs on other VLANs) but it wouldn't get Internet from the router, so no point.



Will Traffic Shaping Rules Still Apply If Switch Is Doing L3 Instead of Firewall?

I assume yes because it still has to go through the firewall before reaching the internet?

I.e.: if I set one internal VLAN and bandwidth limit it to 3072KB/s, all outgoing traffic to the internet will be limited to that speed, but if I want to bandwidth limit it internally, it has to be done on the switch?

Same with if I set up a rule limiting "All Video & Music" to 2Mbps. Since the packets for, say, YouTube are coming in and leaving out through the firewall at one point, it'll still be able to bandwidth limit it to 2Mbps?

Setup is:

ISP modem in bridge mode -> MX100 -> L3 switch (Aruba 3810M) which is doing the routing

The MX100 has all the VLANs on the L3 switch defined as static routes pointing to the L3 switch. On the Aruba switch, the default gateway is set to the MX100.



Print to printer located on office network from anywhere

Google cloud print is to be discontinued.

We do not use a VPN. I would love to find out how to natively add the printer that’s located on our OFFICE network to my browser so I can print to it from anywhere in the world. Happy to do configuration changes.

Is this possible?



Computer Networks book: Tanenbaum or Kurose?

I'm planning to dive deeper into computer networks and was looking for a good book to invest in. After scouring through a lot of Reddit threads and other articles and posts, I'm down to the following two. Both of these have amazing reviews but I can't decide which one to choose over the other.
  1. Computer Networks by Tanenbaum
  2. Computer Networking: A Top-Down Approach by Kurose

Would really appreciate advice on which one to go with or opinions about any of them. Thanks!

Some more context: I'm starting out in cyber security and I've learnt that networking is super important, which is why I'm doing this.



Wednesday, December 23, 2020

Cisco RV325 Router Vulnerability

Does anyone know of a workaround for this Cisco RV325 Router issue? (Thanks in advance.)

https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20190123-rv-info.html



Seeking suggestions on a router

Hello all! I work for a small business, and am looking into a new router for their network. Thing is, I'm not terribly confident in my ability to pick one that won't give us issues, and would appreciate some second opinions from those who are more experienced.

Some details: The network has roughly 30 computers on it, multiple networked printers, one sql server, and a NAS. The majority of those computers are POS systems, which all report back to the server. Almost all are wired. On a separate VLAN we offer a "public" wifi.
Infrastructure is.... older. We suspect and are currently investigating various Ethernet runs for interference etc., trying to update all switches to at least handle a gig.

This network was initially set up very patchwork, and I've been trying to straighten that out. For some reason that is beyond me, the subnet is 255.255.0.0, and it is entirely too big of an undertaking to change it. There is no server rack.

Our current router setup is: A Linksys LRT224, using the dual WAN/failover feature, and behind that a Cisco RV160w, handling wifi, DHCP, and VLANS. The "Secured" and "public" networks are both behind the Cisco. I've never been able to figure out how to get rid of the double NAT issue, but we haven't had any issues with it.
I really want to get away from this having two routers mess, but the LRT224 won't support a 255.255.0.0 subnet or have wireless, and the Cisco doesn't have dual WAN/failover, so here we are.

We had an outage a few days ago that prompted looking for a new router. I'm still not sure what precisely caused it, but I suspect the Cisco had some kind of issue -- the LRT224 was talking with the modem just fine, but the Cisco had no internet connection. Restarting the Cisco fixed it. It's been stable since, but I'm planning on swapping the Cisco out for another that we have on hand (same model).

TL;DR Any suggestions on a reliable small business router that includes Dual WAN/failover, VLANs, wireless, and will work with a 255.255.0.0 subnet would be extremely appreciated.



Why use a L3 switch vs trunk?

Hello, working with a client whose former IT provider spared no expense in setting up their rack.

One thing I'm wondering is they have a L3 switch that does some routing with very simple static routes. There is one internal VLAN, some IPs route to one switch, others to the second, then the default route for everything else is to the firewall.

The only ports used on this switch are those 3 mentioned. Just wondering why they would have done this versus simply trunking the two access switches?

Not sure on the specific model, but they are all HP ProCurves.



Cisco Meraki

Hey everyone. So I started a new job as a one-man IT guy for 6 offices. Our "corporate" office is fairly small, generally about 10-20 people and anywhere from 34-50 devices depending on how many people are in the office. We have 20 IP phones hosted by Nextiva, 2 network printers, 6 Android TV boxes, and 4 desktops that are always connected; the rest are all on wifi. Before I started, the network stack included an ASUS AC3200 router that handled the wifi and then powered our Zyxel and TP-Link switch as well as our two 16-channel security camera DVRs. I am really trying to get my bosses to understand that the ASUS consumer router is not a good idea, but I am very new when it comes to networking. Any advice or thoughts? Can the ASUS AC3200 actually support our network?



Can ICMP pings be traced back to the person pinging?

If anyone knows, LMK.



Anyone knows anything about this device? Arris G.hn Coax to Ethernet extender (GCA2002)

Hey Guys,

I have what seems to be a MoCA device from Bell, but I can't find anything online about it, not even a URL to set it up. The maximum I found was a starter guide that doesn't explain anything really: https://manualzz.com/doc/28750935/arris-gca2002-g.hn-coax-to-ethernet-extender

I'm getting half the speed on the other side of the COAX cable, but with A LOT of oscillation and I don't know if it's something on the set up, the device, or the cable that's just too old, or maybe has a non MoCA supporting splitter somewhere.

Any insight is appreciated.

Cheers.



Virtualize firewalls?

I’ve been pondering virtualizing firewalls and VPN concentrators recently. What has been your experience? Performance-wise and cost-wise? I am not looking at extreme performance (sub-gigabit WAN links). Did the virtualization platform affect performance? KVM vs ESX.

For the firewalls I'm thinking about Palo Alto, vSRX or FortiGate.



Why do we need bandwidth of a certain size when transmitting a signal in wireless network?

I come from a CS background so my EE and signal theory is not that great. So I was studying wireless networks (let's take the old 802.11b standard) where (for ex.) we have a bandwidth of 20MHz per channel and a carrier signal at 2.4GHz more or less depending on the channel. Let's imagine a basic scenario where we have a simple modulation where one high frequency is a 1 bit and a low frequency within the bandwidth is a 0. My question is: why do we need all the 20MHz? Will we actually utilize them just changing between these 2 frequencies? And if we take more advanced modulations like amplitude or phase, then do we still need to utilize all those 20MHz just to change amplitude? Shouldn't changing power change the amplitude? How are frequencies related to changing amplitude?

Moreover I remember my professor of an unrelated subject saying that "a rule of thumb without any fancy modulation or anything is that 1 Hz = 1 bit transmitted" but still this implies that we utilize all the bandwidth even if we are just using 2 frequencies (1 high and 0 low). How does that work?

Thanks!



Trendnet TEG-240WS Management Utility download

So I'm hoping someone can help me. I'm looking for a download of the Trendnet Management Utility for some TEG-240WS switches. I just inherited a network that has a bunch of them and I need a better way to work on and configure them than using the web interface, since they are so old and they do not have a console port. I just need to be able to more quickly make changes to them until I can get them all replaced.

I tried TrendNet's site, but the download link for it is broken, and I reported the broken links, but I have no idea when or if I will get a response on that.

Thanks.



Jobs that combine networking and artificial intelligence

I graduated college 2 years ago looking to get into AI, ended up taking a job in IT consulting mainly doing networking and Infra as Code.

Was wondering if anyone holds or has insight into jobs that combine networking and AI? Or start ups that are solving networking problems with AI? I've been doing plenty of network security work, maybe some threat detection start ups?

Any thoughts or suggestions are welcome



Forwarding 2 devices with the same (Unchangeable) Port number: is it possible?

I'm a technician, but not an IT pro. I do locksmith/security primarily. I've been tasked with getting an access control system online, and it's normally not a problem. We've got a static IP from our ISP, and I usually just set up port forwarding and we're good to go. The system we have has port 443 assumed by the manufacturer (Honeywell), but the network has a controls system that is already assigned to port 443. The building management company says the port isn't changeable on their panel either. Is there any solution? We can add a router or something if necessary, I just can't find even where to look for the answer. Thanks for any help!



Tool to ping/tcp request multiple hosts

Hi,

for a maintenance window on our edge firewalls & switches, I'm looking for a lightweight Windows tool that can query multiple IPs at once via ICMP/TCP/HTTP. That way we can directly see if cutting a certain link has impact, and if failovers are working.

Of course we have external monitoring and stuff like that, but that monitors only each minute, and for ICMP I want to use a shorter interval like 5 seconds.

I used to use KS-Soft HostMonitor (https://www.ks-soft.net/hostmon.eng/index.htm) which actually does a good job at this, but with an expired trial, before spending 200 USD on a tool that looks like it's straight from 2003, I want to check if there are any better alternatives out there.

I took a look at NirSoft PingInfoView, but that doesn't have HTTP checks and the options are rather limited.
Thanks for any feedback!



Undocumented user account in Zyxel products (CVE-2020-29583)



Trunking a Brocade switch from a Cisco switch

Hi all, I understand it isn't called "trunking" on the Brocade end, but I've been tasked with doing that effectively, but have no familiarity yet with Brocade CLI syntax. How can I trunk a port on my Brocade switch such that I can assign an access and voice VLAN to the remainder of my Brocade's ports?

A gentleman named Terry Henry described a tagging process, but my attempt at tagging my incoming interface as well as all of my access ports for the intended VLANs appears to not be correct.



iperf3 - benchmarking Wifi - strange behaviour for traffic from wifi to 10 GbE

Hi!

I have a strange behaviour that I do not really understand.

I am benchmarking a Wifi6-AP with iperf3.

Everything is working fine if the remote station to the wifi client has a 1 GbE interface.

IF the remote station is using a 10 GbE interface, ONLY traffic TO the wifi device is slow:

1 GbE remote station:

Wifi -> remote station: 600 MBit/s

Wifi <- remote station: 600 MBit/s

10 GbE remote station:

Wifi -> remote station: 600 MBit/s

Wifi <- remote station: 340 MBit/s

My first thought was about flow control. I did tests with and without - no success.

I did tests with different NIC chipsets and devices - no success.

I did tests in the same subnet and over the router - same values.

I did a test with VMs and BareMetal servers - same values.

Do you have any idea how this can happen?

Thank you for your help!

ITStril



Radius auth on Cisco AP Catalyst

Hi there,

Now I have 3 Ubiquiti APs running with auth over NPAS on Windows Server and all works fine.

Now I'm trying to configure 4 Cisco Catalyst 9115 APs with RADIUS auth too but it doesn't work.

On the EWC all is fine, I just added the RADIUS server to auth on the WLAN.

On the Windows Server NPAS I duplicated the Ubiquiti policy to a new NPS Cisco policy. OFC I added the EWC to the RADIUS clients, but it doesn't work. Firewall is OK. In Windows events all is OK. The only thing I have is this log, getting the NPS log through PowerShell:

https://i.imgur.com/WmQtFlW.png

Any idea what could be the problem here? This shit is driving me crazy. Thanks



VPN Setup - There must be a better way

Hi all,

Before Covid, we had one or two employees who accessed the company network via VPN. This is handled by our Draytek 2850 router and a Windows VPN profile using L2TP/IPsec with PSK. For the most part, it works fine and involved me setting up the VPN profile on the router and the user's work-from-home computer.

When Covid hit, it was a mad scramble to get laptops together and manually set them all up with VPN/RDP etc. as I'm sure it was for most companies. Some of these users are still working from home. The company is also growing and we're more flexible with new employees working from home now that we've seen that it works. So if VPN is here to stay for a while, I want to automate it.

I want a VPN that can

  • be centrally managed by IT - I set up the VPN profiles myself to ensure it's only set up on corporate devices which are known to be compliant and enrolled in Intune MDM.
  • be automatically setup for relevant devices/users.
  • be simple to enrol new users
  • work with our Draytek router
  • always be on and not require the user to click connect or faff about with waiting 5 mins before being able to reconnect again.
  • be cloud based - I'm largely taking the company cloud based, so by next year, the server and therefore VPN will probably be a distant memory.

But for now, is there a better way? Something using Azure? Cisco Anywhere?

Many thanks in advance for any suggestions.



Does anyone know how to change half duplex to full duplex mode?

I'm trying to load the config page while connecting using the Ethernet adapter, but the page doesn't load. The Ethernet status shows that it's in half duplex. Is that the issue? If so, how can I change it?



Tuesday, December 22, 2020

When would you apply QoS to Nexus system context and to normal interfaces?

Hi, after going through Cisco's Nexus QoS documentation, it tells you WHERE you can apply the different class policy maps, but it doesn't necessarily TELL you why you would want to use one method over the other.

The main reason I could think of for splitting the two would be granularity. You'd apply a policy to the system-qos context if you want everything affected in the same way, and you'd use individual interfaces if you needed a particular queue size, bandwidth or qos-group mapping on one interface for a CoS value but not the same on another, so then you'd go with the interface method?

Am I right in assuming that is the only difference between applying a QoS policy via the system qos context and at the interface level?

Cheers



Do any vendors do fully featured switches (no licenses for additional features required?)

Most vendors will make you “pay for the switch twice” for simple basic features like BGP, VXLAN, etc. God forbid you want to run MPLS then that’s usually another license above.

Cumulus used to offer their full feature set but they sold out and they’re going away.

Who else is out there? Is licensing really universal among vendors now?



TV Ethernet not working when connected via switch

Hello,

I purchased a new Smart TV (LG 55UN73003LA) recently and I wanted to connect it to the internet with an Ethernet cable.

We watch television programs with an IPTV receiver, so I already have 1 cable (I believe it is CAT 5 or CAT 5e) close to the TV. So I decided to buy a switch so I can split that connection to the receiver and the TV. The switch I bought is a D-Link DES-1005D. I also bought two CAT 6 cables (0.5 m and 2.0 m).

I connected the old cable (5/5e) to port #1 on the switch and then I connected the new CAT 6 cables to port #2 and port #3. I then turned on the TV and the receiver and noticed that the TV is not getting a connection while the receiver is working normally.

I tried setting a static IP address of my TV to 192.168.1.229 (since that one is definitely not being used) but it wouldn't help.

What could be the cause of my problem? Maybe a conflict between old and new cables? Is my switch malfunctioning?

Thanks in advance!



Change the Default IP/subnet of Managed Switch?

I bought a managed switch in order to create some VLANs and wonder whether I should leave it set to the default IP, which I assume will be on the 192.168.1.x subnet without VLAN tagging.

Can it be changed to another subnet and have VLAN tagging and should it be changed?

If it can be changed, it seems it might be a good security practice but a downside is I’d lose web access if pfSense goes down so maybe this isn’t worth it?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Advice for a new student. What to study before my Intro to Networking and Intro to Network Security classes start in the spring?

I am currently studying for the A+ exam, and I am signed up for two classes this coming spring. What do you wish you knew going into the start of your classes?

I am very green, so I am still trying to wrap my head around a lot of the acronyms and common terms. I want to be prepared going into class, so if you have any advice I would greatly appreciate it!



Advertising remote office subnet via IPSEC VPN route into BGP

I have a remote office that we have an IPSEC VPN tunnel to that allows that office to get DNS/AD auths from back at the central office. This tunnel is between (2) ASAs.

On the Central office ASA I also have a Layer 2 dark fiber that we run BGP over for us to access our Cloud infras.

In our cloud infra I need this remote office to be able to reach some of the apps we have spun up. To get the remote office route into BGP I have to run a route inside 192.168.200.0 255.255.255.0 10.0.0.1, which is a router below the ASA. This gives me a routing loop when I try to reach stuff on the remote side, since it goes down to the router and then the default on that router kicks it back to the ASA.

I am wondering what would be the best way to advertise this remote IPsec VPN subnet into BGP without affecting connectivity in either direction.

I dropped in a route null0 192.168.200.0 255.255.255.0 1 and that seemed to timeout my pings to the switch on the remote office side.

Wondering if I should try the below in the BGP config

aggregate-address 192.168.200.0 255.255.255.0 summary-only.

Will that statement advertise the remote network into bgp and keep it up and running for connectivity between the remote and central office? Thanks in advance for any help here.



IOS-XE Programmability

I've been working on a wireless deployment with Cat 9800 controllers. Exploring options for using RESTCONF with IOS-XE.

I find YANG models so frustrating and tedious to work with. The models I want to use are in the link below and I can't for the life of me figure out how to construct a proper URI. I know the base URL would be this: http://{host}/restconfig/data. Any advice?

https://github.com/jeremycohoe/Cisco-IOSXE-Yang-Models/tree/master/1721-wireless



Can't forward port 80

Hi guys, I'm desperately trying to open port 80 on my router to access nginxproxymanager, but whatever I do I always end up on my router web management console, despite the fact that it tells me that it moves it to port 8080 when I create the forwarding rule. My router is a Contrend



Need Help setting up security lab on GNS3

Hey Folks,

I'm working on setting up a security lab on GNS3 for a presentation on cybersecurity concepts. It's been almost 10 years since I lost touch and a lot of things have changed, so I am in need of some help / advice on the best way to set things up. Here is a sample lab I'd like to set up, which should comprise the following security devices, and I had the following questions:

  1. Cisco Firepower (FTD) --> What is the ideal way to mount it? On VirtualBox or on a remote VM? If it is mounted on the GNS3 VM, I guess it won't work because the firewall would need its own network adapters. Also a remote VM might not work, as I was able to mount this on a remote GNS3 VM server on Google Cloud and connect to GNS3, but was unable to connect to other devices as the IP address is public?
  2. Web application firewall --> Is there any image / appliance that is supported by GNS3? Should it be mounted on the GNS3 VM or installed on VirtualBox?
  3. IDS / IPS --> Is there any image / appliance that is supported by GNS3? Should it be mounted on the GNS3 VM or installed on VirtualBox?
  4. Cisco router with NetFlow enabled
  5. Email security gateway (if possible) --> Is there any image / appliance that is supported by GNS3? Should it be mounted on the GNS3 VM or installed on VirtualBox?
  6. SIEM --> Is there any image / appliance that is supported by GNS3? Should it be mounted on the GNS3 VM or installed on VirtualBox?
  7. VPCS
  8. Windows server --> Should it be mounted on the GNS3 VM or installed on VirtualBox?

Many thanks in advance.



Disabling access ports automatically when switch uplink port is down on a Cisco

Does anyone know if there is a Cisco IOS feature that can automatically shut down/disable an access port when another port (i.e. Uplink to core switch) is down? We have some Linux servers that have redundant active/passive interfaces to separate Cisco 4948 switches, but they have no probing and only failover when their port is down.



Brocade ICX 6450 series SNMPv3 config

I have a whole fleet of these for our remote office access layer to support our voice deployment. I need to set up SNMPv3 on them, and even though the documentation details how to configure it, I must be missing something. I cannot seem to get the ICXs configured right for some reason.

Is anyone else running these with SNMPv3? I would love to get a scrubbed config for the SNMP portion.

Thank you much



TCP Offload Woes

Hi everyone,

I'm running into an issue with how to handle TCP offload within a "modern" infrastructure design that I'm working with.

The goal was to come up with a flexible network infra to run latency sensitive bare metal services with the potential to integrate containerized applications at some point. We ended up going with a spine-leaf design using eBGP between all spine/leaf/servers, with the servers peering w/ 2x spine switches. The servers would be reached via a /32 IP address assigned to a dummy interface which would be advertised into the fabric. If one of the switches would fail, the BGP connection dies right away since the interface on the server appears down and traffic picks up routing over the redundant link. We were looking at a zero trust network model with the majority of the firewalling done on the edge servers themselves.

Enter poor communication. The plan right now is to use Mellanox cards w/ TCP offload for all application traffic using LD_PRELOAD. This poses a problem for our design, as the dummy interface is a virtual interface created and handled entirely by the kernel and, as far as I understand, cannot have its traffic offloaded to a network card. This also poses an issue w/ our firewall design, as all of the TCP sockets won't be available for the OS to inspect/filter.

Has anyone else run into an issue like this in the past? I'm hoping that I have a misunderstanding of how things are working and I'm overlooking something, but am thinking it's time to start to redesign things...



Quick question about ethernet cable wiring order

So the other day we were making our own cable. But my friend and I had a small discussion. Can one end of the cable be in 1,2,3,4,5,6,7,8 order while the other end is exactly the opposite? End A: 1,2,3,4,5,6,7,8. End B: 8,7,6,5,4,3,2,1. Does it work?



Monitoring your APIs and devices

Hi everyone

Just wanted to let you know that I've recently built a tool that has a ping monitoring feature, useful for keeping a check on devices on your network to see if they're online or not.

I've got a few Raspberry Pis and they expose some URLs that I can plug into the monitoring tool I've built. It's primarily aimed at monitoring domains, you know, domain expiry and WHOIS data, but it also monitors IP addresses and websites!

If you're interested, take a look: https://domain-monitor.io/



Question about ebay cisco switches

I'm looking to set up a lab for CCNA / CCNP. A lot of the eBay switches I'm looking at don't have images on them. Is this a problem, or is it easy to acquire and install an image?



EVE-NG multi tabbed using xUbuntu

Hello

I'm accessing EVE-NG from an xUbuntu VM and would like telnet windows to open in one app rather than new windows every time.

Has anyone managed to set this up? Using xfce Terminal at the minute which supports tabs, but don't know how to get it to open new instances in a tab instead of a new window.

Thanks!



Lights on SFP on one side but not the other?

I am connecting 2 switches via SMF using SFP transceivers. One switch shows light when I plug in the fiber, but the other side doesn't. This seems to go against all my experience with networking, but I am only starting the backend learning so I suspect there is something I am missing.

Details: one switch is a Fortinet 424e with 24 ports RJ45 and 4 ports SFP+, the other switch is a Perle unmanaged industrial DIN rail mounted switch with 5 ports RJ45 and 2 ports SFP.

I reset my Fortinet to factory defaults thinking my configuration may have been causing a problem, and they're still not communicating properly.

Is there some special configuration I have to do on a Fortinet to allow it to talk to another switch?



Reverse Proxy Yay or Nay

What are your thoughts on using a reverse proxy for security?

I have a web server that needs to chat with a bunch of different services on 3 different servers on the inside but only needs port 443 from the outside. Currently it is in the DMZ with a complex set of ACLs. A reverse proxy would simplify my firewall config and I'd only be punching one hole between the DMZ and a single server on the inside. This adds an additional point of failure and some additional complexity for troubleshooting the web application. Would you consider this a fair trade off for the additional security? I would be using IIS to do the RP.



Internet and voice access in a cave

EDIT: I just learned it is 240 ft from the Wi-Fi access point to her storage area, so it's within max distance for an Ethernet cable. Would running the cable be preferable, if I can, to connecting to it via Wi-Fi and setting up my own SSID on our end?

My mother-in-law has underground storage for her business. Property management says she can tap into the internet, but that's all they told her, and she shared a picture with me of a locked cabinet with a WiFi router sitting on top with 4 open LAN ports. Looks like a home Linksys or similar.

This is LITERALLY in a cave with several dozen businesses in it. Huge. Tractor trailers drive in and out of it. Kind of a thing here in the Kansas City area.

I want to tap into that access point, but I want to protect everything on our end. At this point I don't know the distance from that Wi-Fi access point to her location, so I don't know if I can access it wirelessly or if I even want to. Might be best to run Ethernet from one of the open ports to her portion of the cave to my own Wi-Fi router and set up my own SSID for a private, password protected network.

Thinking about it, we really don't need any telephony, as I believe everyone who goes into the cave has Wi-Fi voice calling capability on their phones.

Question: If I run ethernet cable to another Wi-Fi access point (assuming it's not too far,) set up my own SSID and password, we should be good to go for internet access for emails, basic web browsing and Wi-Fi calling on cell phones correct?

We will likely have one or two computers in the caves to access an online database, and that's my biggest concern from a security standpoint since I don't know anything about the Wi-Fi access point we will tap into.



New Cisco Switch for home network

Hello networking fellows!

So some days ago I realized that my Meraki MS with 8 ports only had 1 free port left, and I came to the conclusion that I needed another switch for future upgrades and long-term port density in my network. The first L2 switch that came into my mind was the C2960-CX (pure L2). It is small, relatively cost-effective, fanless and very power efficient. All aspects of a home switch which matter to me. The C3560-CX is almost the same, but also has L3 features, which could come into play.

My company is a Cisco gold partner and I know someone from the sales team who can get me Cisco stuff with a big discount (around 80%). So I kindly asked him if he could make me an offer for the C3560CX-12TC-S (with IP Services). He replied that I should look into the newest Catalyst 1000 series first and reevaluate my decision. A quick Google search showed me that the C1000 series is L2 only and therefore the successor of the C2960 series. A little bit better and newer.

My questions:
- If I'd stay with L2, then the C1000 series would probably make more sense?
- Is the C3560-CX maybe unnecessary for my network? I was mainly thinking about using routing between it and the Meraki MX67, but supposedly the MX only supports static routing. Other than that I'd maybe play around with VRFs, PBR and other stuff.
- Trivial question: the C1000-8T-E-2G-L has an external power supply. For what reason?

Thank you companions!



Monday, December 21, 2020

New site

Hi guys,

I recently took on the whole IT role at a small/medium sized company (~60 users, ~100 devices) and they want to set up a second location. I have zero Cisco experience.

The first location is set up with a firewall managed by some other IT MSP, and we want to move away from these guys and run everything in house. I have no real formal network training but about 3 years in IT doing network stuff as well as everything else IT includes. I'm looking into doing my CCNA and getting some real certs to further my knowledge.

Would I be dumb to suggest Cisco gear for this new location, and for the current location once we offboard the MSP and lose the rental FW they have installed? The Catalyst 1000 stuff looks like it would be no problem for me to set up since the CLI isn't "required", but is it as secure if I don't use the CLI? I'm not sure if I can do all the same stuff in the web GUI as I'd be able to do with the CLI. I'm used to Ubiquiti stuff, so the second choice is to just toss in an EdgeRouter 4 and call it a day.

I'm by no means scared of the CLI. I'm an avid Linux admin with scripting knowledge etc., so I can't imagine that the Cisco CLI is that crazy. I just don't want to have to learn on production hardware, if you know what I mean.

Thanks for your thoughts!



Firewall Question, NTP open, does it need to be??

Hey all, I hope this ends up being a simple question. All of my branch office routers serve as the site’s firewall along with other routing duties. We use the ZBFW, and VPN tunnels back to our HQ.

As a generalist, we had our local VAR give it a base config so we knew it’d be done right. We don’t host any services at our branch offices, so the firewall is only doing basic outbound inspection.

I recently noticed that NTP is open to the self zone (from the WAN to SELF). Our routers are currently configured to reach out to public NTP servers, and I'm guessing through NAT, but I'm not sure which interface the router uses to poll?

My first instinct was that it was a mistake to have NTP open to the world, but before I just went and closed it, the question is: could that have been done intentionally?

Is NTP one of the protocols that doesn't play well with inspection? If so, I'm wondering if it might be better for me to set up an NTP master at my HQ instead. (Probably the better route, it's just not a project I have the bandwidth for right now.)



Looking for a cheap switch that supports bandwidth limit on ports

Hi,

I'm looking to buy a cheap switch (5 port) that supports a bandwidth limit on ports. Do you have any suggestions?

I'll be connecting an AP through one of the ports and I want to limit its bandwidth. My router doesn't support traffic shaping or QoS.

Any suggestion would be appreciated.



Cradlepoint internal DNS over S2S VPN

I have a Cradlepoint AER1650 firewall/router that will be installed in a mobile trailer. I have an IPsec site-to-site tunnel up and running. However, unless I nslookup with the switch to specify the internal DNS servers, the Cradlepoint always returns a non-existent domain error. The goal is to send internal DNS queries across the VPN, but allow internet DNS to go out the cellular. It's also desired to still allow internet-based DNS and traffic to cross the cellular if the VPN doesn't come up for some reason. If it matters, the public DNS servers used are Cisco Umbrella's (for which I have an active subscription and proper configuration).

Looking around in the config, it looks like I can tell it to use different DNS servers for certain specified domains using the split DNS function. I assigned my internal DNS servers and specified the prefixes, but it doesn't seem to work. Setting the main DNS servers to the internal DNS servers totally breaks everything regardless of whether the tunnel comes up or not. I've also made sure that the DNS suffix of the Cradlepoint is the same as the internal AD DNS zone.

I feel like this shouldn't be as hard as it is to get internal DNS routed to the internal DNS servers, but this is also my first Cradlepoint firewall I've worked on. Any suggestions are greatly appreciated.



Wired 802.1X Authentication in the Data Center?

So the senior engineer once told me “dot1x has no place in the DC, because it’s all LAGs and Trunk Ports... and dot1x doesn’t play nice with those.”

That being said, it’s been about 10 years since that conversation happened, and I haven’t checked back in since then.

Has this line of thinking changed?



Packet Loss

I appreciate any feedback! My ISP has a 3400 connected via MM fiber to an EtherNID. I run a ping to an external IP [and] a ping to the inside interface that connects the 3400 to my LAN (copper). The host computer is hardwired from the same LAN switch the 3400 is plugged into.

-HOST PC(hardwire)->LAN Switch

-3400 (copper)->LAN Switch

-EtherNID(MM Fiber)->3400->ISP Backbone (1 gig connection)

I'm dropping packets randomly, every 3rd, 5th, 7th or 12th packet, on both pings.

- The 3400, copper optic, fiber optic, and fiber Patch Cable have been replaced.

-EtherNID, SM Fiber Patch cable and optic are not new. Yet to be replaced.

***As soon as I unplug the fiber connecting the 3400 to the EtherNID (the WAN connection), the ping from the host computer to the 3400 inside interface straightens out and there is no packet loss. As soon as I restore the WAN connection I start dropping packets to the 3400 inside int. and to the internet.

Question:

1) Is it normal to be dropping packets like this to both the router inside interface and to the outside?

2) Why do the packets straighten out when the WAN connection is pulled?

Thank you kindly



Why did this cause a broadcast storm (presumably)?

Juniper shop. Two buildings, connected by primarily dark fiber and wireless point-to-point (PTP) backup. Switch ports connected to PTP access points are normally disabled when dark fiber is operational. Dark fiber went down so we enabled PTP ports. Dark fiber came back before we were ready and this essentially brought our network to its knees for a few minutes. Logs show that storm control was in effect on the PTP port on Switch1. I believe the broadcast storm then caused OSPF to be unable to reach neighbors and caused a failover.

I realize this isn't an ideal design for several reasons, but mainly just trying to understand what happened here. My guess is that the difference in link speed made it so the PTP link couldn't keep up with all of the broadcasts, but I never saw storm control in effect on the other switches (though I could have missed it). Ideally we would just have the Juniper switch monitor the dark fiber interfaces and automatically bring up the PTP ports when fiber was down, but this requires additional licensing on these models.

Diagram



A question regarding leased lines

So I'm studying for MTA 98-366 right now (test in a couple of days) and I came across the topic of leased lines.

I understand that they’re a service that is still in use, but I don’t really understand why.

Wouldn’t using a VPN provide essentially the same service? If not why, or what’s the difference?



Adding a T-Bar mount bracket to a solid drywall ceiling?

I'm setting up a small lab to test some different APs - and I need a way to interchange APs easily, without drilling out the ceiling each time for each manufacturer's different mounting patterns.

However, I don't have a suspended ceiling here with T-Bars. It's a gyprock (aka sheetrock/drywall/plasterboard) ceiling.

I contacted Oberon, and they mentioned a spare part they have - "39-TBAR-MOUNT" - which is part of their 1015-00 product. Apparently this is a small U-shaped bracket, which provides t-bar mounting. From their installation instructions, I did see this diagram.

It does look a bit flimsy, and I'm not sure if those two screw holes will be enough, if I hang this from a drywall ceiling. (I assume it's normally screwed into a solid metal plate).

I'm curious - has anybody else done something similar on their ceiling?

Do you know anybody else who makes similar T-Bar mount adapters, to clip things like APs onto, or will the above t-bar mount possibly work?



Clearpass Training

Anyone got a line on some quality Clearpass training? Not too keen on shelling out 1800 bucks(I'll do it if I have to) for the virtual instructor led stuff, Udemy's offerings are pretty slim, and Aruba Press doesn't have any books for any of the Clearpass Cert tracks. My company bought Clearpass and the previous engineer left it half done, so I'm needing to learn it real quick and in a jiffy.



I want to learn Fortigate. Would a used unit function without licensing/support?

Coming from a large deployment of SonicWalls, I want to learn Fortigate. After reading a ton of posts here, it really seems like the best bang for my buck for a NGFW. The best way for me to learn is hands on. I'd like to dive in and replace my router at home with a used Fortigate from eBay.

I have a few questions I'm hoping you kind folks can help me with:

  1. What would be a good model to start with? There's a FG-60D-POE on eBay for cheap. Would that be good?

  2. I will not be purchasing support or security bundles. In the SonicWall world, that means the security features (gateway A/V, anti-spyware, IPS) are disabled, but everything else works. Is that the case with Fortigates as well?

  3. Feature-wise, all SonicWall models do the same thing and have the same feature set. The different models just support more throughput the higher up you go. Is that the case with Fortigate as well?

Thanks in advance!



GNS3/VIRL CCNA/CCNP Labs?

So I've been looking for some supplemental labs for CCNP prep, as well as just reinforcing training I've already done. I've got VIRL and GNS3 running, however, it's difficult to find solid labs. Some old VIRL labs import to CML but not many that I've found. GNS3 has the lab marketplace, however not many have support documentation that I've found, just like a hint at a problem.

Anyone have some good suggestions? I've done some David Bombal labs and liked them, he just doesn't seem to have a ton that I've found.



How does the client know which eap method to use?

Hi all!

I analyzed some Wireshark captures but could not find out how the station determines which EAP methods are offered by the authentication server (WPA2 Enterprise).

My guess is that this information is given in the beacon frames, because when I select Wi-Fi A I am asked which authentication type I want to use (PWD, TLS, LEAP), while for Wi-Fi B I see a password prompt and no options.

(I wanted to add some but I didn't find the feature)

Maybe somebody could give me a hint.



Passive optical fibertap question

Hi,

We've recently set up a passive optical tap and we wired everything into one server. Tapping 2 links, so a total of 4 TX fibers on the server.

However, we have an issue with getting the links up and running. We are using an XL710 4x10G with 4 x LX SFPs. Whenever there are auto-negotiate packets on the real links the interfaces will come up. But after a reboot they will stay down.

We've tried using ethtool to force the links to 1000 FD and autoneg off, but we can't get it to work. Any ideas?

Thanks!



ISP Redundancy. Your thoughts?

Hello,

I just wanted to get a feeling for what everyone thinks of ISP redundancy these days. I have always required two separate ISP providers for each site because that's just what you did.

In talking with a single global provider, they have been trying to make a case that you can still achieve complete diversity with a single provider by specifying diverse loops, diverse POPs etc. In the end you still end up on the same backbone of that provider, but those uptimes are extremely high, and any outage at that level is handled much more quickly than something at the LEC level.

I have never worked for a provider, so I do not really have a detailed understanding of what goes on "under the hood" at the very upstream level when dealing with major ISPs. I am hoping to figure out if a single provider with contracted diversity is as good as buying from two separate providers.



Palo Alto SSL Decryption Question

Hi All,

I'm looking to subject SSL traffic to my security profiles, but to do this, I believe I am understanding that for inbound traffic from the outside you need to import the same certificate and key from each of your protected servers on the inside network into the Palo Alto. Is that true? If so, why? I don't really understand why the Palo can't use any cert, including a self-generated one, to decrypt traffic coming in from the outside, then subject it to the security profiles and drop it if it's malicious. Why does it have to be the same cert the internal servers have?



Cisco Nexus 9300EX Routing templates

I am looking for a switch with the ability to hold up to 300,000 unicast IPv4/IPv6 routes and up to 1,000 IPv4 multicast routes. Can you help me with the route templates for the Cisco Nexus 9300EX switches?

If I understood correctly, templates allow you to reallocate TCAM between LPM, host and multicast routes. From the Cisco NX-OS Verified Scalability Guide I found some information about max multicast routes:

8192 (Layer 2 + Layer 3); 32768 (Layer 2 + Layer 3 with system routing template - multicast-heavy mode); 8192 (with system routing template - lpm-heavy mode).

But I can't find any information about the other routes in these templates :( Also, what about mcast in the other templates (e.g. internet-peering)? Where can I get information about max routes for each route type and for each template?

Links: Nexus Verified Scalability Guide



Looking for direction

I have some domain names from Namecheap. I want to point them to webservers on my personal network. My personal network is an ASA, router, and VMWare server. On the VMWare server I have a DNS server and a web server. What needs to be done to have my Namecheap point to my personal DNS server behind my public IP? Any help will be greatly appreciated.



Multi IPsec tunnels - Checkpoint

Hey all,

please take a look on the picture,

https://imgur.com/a/dnbCB6O

I want to create 2 separate IPSEC tunnels on FW-Branch.One tunnel with the source IP address of 160.10.10.1And second IPSEC tunnel with source IP address of 80.10.10.1 for internet access.Each tunnel with an encryption domain of 192.168.200.0/24.Currently, both tunnels are with source 160.10.10.1, and this is not what I want, because when eth1 is down I lose both of my tunnels,and I can not create another object because I can not assign the same encryption domain to different objects.

Anyone have an idea how to solve this?



Which one is which?

I'm studying for my CCNA and I see that there's a lot of good information on the Internet: there's the free stuff on YouTube and also paid courses on Udemy, and I'm actually choosing between David Bombal's Udemy course and Neil Anderson's CCNA course. Now, I want to ask people which one is better, although I know that they're all good in terms of quality of education, and maybe you can share your experience, like what kind of learning resources you used when you were still learning CCNA like me.



Recessive and dominant bits.

Can someone explain what dominant and recessive bits are used for in CAN?

I read a few articles but still did not get the point.

Thanks
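As an added illustration (not part of the original post), here is a small simulation of CAN bus arbitration on constructed identifiers: the bus behaves as a wired-AND, so a dominant bit (0) driven by any node wins over a recessive bit (1), and the node with the lowest identifier keeps the bus without any collision or retransmission.

```python
# Added example (not from the post): CAN arbitration on constructed identifiers.
# The bus is a wired-AND: a dominant bit (0) driven by any node overrides
# recessive (1). Nodes send their identifier MSB-first while monitoring the bus,
# and a node that sends recessive but reads dominant has lost and stops sending.
DOMINANT, RECESSIVE = 0, 1


def id_bits(identifier, width=11):
    """Standard 11-bit identifier as a list of bits, MSB first (wire order)."""
    return [(identifier >> (width - 1 - i)) & 1 for i in range(width)]


def arbitrate(identifiers, width=11):
    """Simulate the arbitration field for nodes starting to transmit at once.
    Returns (winning identifier, {loser: bit position at which it dropped out})."""
    contenders = {i: id_bits(i, width) for i in identifiers}
    active = set(contenders)
    dropped_at = {}
    for pos in range(width):
        bus = RECESSIVE
        for i in active:  # wired-AND: any dominant driver pulls the bus to 0
            bus &= contenders[i][pos]
        for i in sorted(active):
            if contenders[i][pos] == RECESSIVE and bus == DOMINANT:
                active.remove(i)  # lost arbitration; retries after this frame
                dropped_at[i] = pos
        if len(active) == 1:
            break
    (winner,) = active  # identifiers are unique on a bus, so one node survives
    return winner, dropped_at
```

Because the lowest identifier always wins, the identifier doubles as the message priority on a CAN bus.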



Advice on switch please

Hello redditers,

I'd kindly ask for your advice regarding the choice of a network switch to upgrade our existing "core". I used quotes as we are a small company, only 30 employees, but we do have a need for speed. On a budget. :)

So, with those new switches, I'd need to connect a bunch of users and 3-4 servers, the latter requiring high speed and high availability that would need at least 40GbE. If possible, I'd like to achieve this with 2 switches only. I planned to buy Mellanox NICs (QSFP or SFP28, depending on switch choice) for the servers.

Ideally, new switch should support/have:

  • stacking (or virtual chassis, or vPC, ...)
  • Vlans, Vlans trunking, LACP / port channel, basic QoS... and that's it
  • 48x 10GBase-T access ports (this is to future-proof the investment; currently we could live with 1Gb ports)
  • 4x-6x QSFP+ 40GbE / 100GbE ports (currently, we could live with 4x 40GbE)
  • letter to Santa would include the option to channelize those QSFP ports - that would enable us to use the limited count of QSFP ports more efficiently
  • GUI (please don't ridicule me, I am also a sales person, accountant, coach,... :)
  • ideally price below $2500 per piece, (refurbished, used, off ebay, everything works)
  • no additional costly licenses or monthly subscriptions

Candidates that I was contemplating:

  • Juniper EX4300 seems like a perfect fit for this moment in time, it's got jweb, 4x 40GbE QSFP, but with "only" 4 QSFP and 1GB access ports, there is zero space for growth
  • Juniper QFX5100 is close to perfect, but to my understanding doesn't support jweb
  • Arista 7050t-64 is close to perfect, but lacks gui (well, it has CloudVision for a monthly subscription of $145 per switch, which we can't justify)
  • Cisco Nexus N3K-C3172TQ-10GT and Cisco N9K-C93108TC-EX can be bought surprisingly cheap off ebay & seem to be close to perfect, but I can't find a definitive answer on whether they can be managed with DCNM in unlicensed mode
  • Dell EMC S4048T seems like a good fit, but Dells, Brocades, Mellanox don't get too much love here for some reason

Our config is fairly static, so I could bite the bullet and configure it via CLI, with learning curve, trial & error, sweating, cursing and all, but this is not the preferred option. :)

Any advice? And big thanks in advance, your input is greatly appreciated.

Andrej



What is Airspan Airharmony 1000 BTS 2.5 Gz ?

Hi! I recently found a packed Airspan Airharmony 1000 BTS 2.5 Gz while clearing out the basement. My brother used to work in networking for telecom companies before he left the country 2 years back. He told me he didn't need any of the stuff. I was wondering what this is exactly. From what I understand it is a 4G LTE base station but I don't know anything else about it. If you know what this is, could you please tell me what its applications are and if I want to sell it, what price can I get for it?



Sunday, December 20, 2020

Tutorial - Developing NetBox plugin

I've seen increased interest in NetBox and NetBox plugin development, so I thought I'd share posts I wrote on the topic:

https://ttl255.com/developing-netbox-plugin-part-1-setup-and-initial-build/

https://ttl255.com/developing-netbox-plugin-part-2-adding-ui-pages/

I plan on writing more posts showing how to implement API endpoints, and possibly CSV import/export.

There's also a repository with all of the source code:

https://github.com/progala/ttl255-netbox-plugin-bgppeering

I'm still exploring possibilities that plugins provide but I'm happy to try and answer any questions you might have.



Link always connected even when shut

I have a RJ45 SFP in a Cisco Nexus 93180 and for some reason even when I “shut” the port on the Nexus, the Dell ESXi host downstream that’s connected to it shows its link status as “connected”. Is this normal? I would think it should show disconnected.

Anyone ever hear of something like this before?

Thanks



Nexus QoS "types" explained?

Hi, so I have picked up studying NX-OS over the last month or so. I have completed almost everything to do with it but left QoS until the end. I am very familiar with QoS on an IOS switch and an IOS router, so I'm not exactly a novice. I took a look a while back at the QoS on a Nexus switch we have in our DC but left it alone as it looked way off compared to IOS. After studying it I have gathered that the following below are the certain class "types" and contexts you operate in on NX-OS. Can anyone clarify, or correct me if I'm wrong? Thanks.

Network-QoS....system wide QoS properties such as the MTU size of the packet

QoS...matching cos values and setting them qos-groups

System QoS...the qos context where all qos "type" classes are applied

Queueing...setting the priority queue (with the "priority level 1" command) and the bandwidth for the weighted round robin queues

Have I missed any out here? Could you fill them in similar to I have done above? Cheers



Trying to set up a management network. Looking for help with this roadblock.

Hi everyone,

I'll start with our simplified network diagram of our environment before diving into our problem:

Network Diagram

https://imgur.com/a/Jech02J

Goal

We're trying to set up an in-band management network to allow us to manage network devices while making an attempt to add a layer of security. Currently (and a bit embarrassingly), any workstation can connect to the management IP of any network device. Our switches are Cisco C2960XRs and they have an ethernet management port. We tried running cables from each switch's eth-management port to a "master" switch and put all network ports under a separate VLAN, but that caused us headaches. So after a bit of googling, we opted instead to set up an ether-SVI assigned to the management VLAN on each switch. We then want to control access using ACLs on the firewall.

Problem

However, our core switch has ip routing enabled. So whenever a workstation attempts to connect to a secondary switch (or any network device), the core switch (SW-1) does not route the packet to the firewall but instead routes the packet through the trunk (to SW-2). This is because the ether-SVI is showing up in the show ip route table on SW-1. It makes sense.

But we are trying to avoid adding ACLs to the switch. Our preference (for ease of management) is to have the ACLs consolidated on the firewall.

If I ping from Computer, the packet will hop to SW-1 and then to SW-2. We'd like for it to hop from Computer, to SW-1 to the Firewall, back to *SW-1 and then towards SW-2.

Unfortunately, I believe (with 90% confidence) that our switches do not support VRF (virtual router forwarding.. or something like that). I fear our options are limited besides some restructuring but I was hoping anyone here would have some suggestions or maybe see something that we're doing wrong.

Any help is appreciated. Thanks for your time guys & gals.



Round Hole Rail in Square Hole Rack?!

Hey guys,

What would be the best way to mount a round hole universal rack rail into a standard square hole rack? Cage nuts won't work as the rail is meant to secure flush to the inside of the square hole rails. I believe I may need square washers that center the screw and basically convert the square hole to round. Any help greatly appreciated!

Pictures below about what I mean:

https://imgur.com/a/MH5bDmj

I found these but with shipping it works out as like €40 which seems crazy expensive for some washers and bolts: https://www.racksolutions.co.uk/versa-rail-alignment-kit.html#description.



Moronic Monday!

It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.

Note: This post is created at 01:00 UTC. It may not be Monday where you are in the world, no need to comment on it.



Enterprise VS ISP?

Kind of new to this world and have read a couple of different post about a variety of stuff, and something that I see come up often is people working in "Enterprise" or at a "ISP". My question is what is the difference between the two? What kind of task or equipment that you work on determine who you're working for?



SNMP proxies - anyone using?

Hi networking,

Is anyone running an SNMP proxy in their management network? If so, what are you using?

With the recent SolarWinds attack I'm considering moving to a model where I only have an SNMP proxy in my privileged network, and place the NMS somewhere where that host cannot generate packets to routers/switches etc.



Cable Management Nightmare

https://imgur.com/gallery/Yir14KD

I have inherited the above nightmare. I've never been tasked with cleaning up this bad of a rack before. Essentially, there are two 2-post racks with about 4 patch panels at the top and 4 switches at the bottom. No cable management trays, and I'm not sure if there are any for these two posts.

Does anyone have any tips on where to even begin? Buy all new patch cables? These are mostly custom made in the photo



Learn and practice python for network automation

Hey guys,

I am looking for resources to learn python for network automation.

What stage I am on: 1. I have the CCNA cert and good networking and security fundamentals knowledge. 2. I know basic python; I have done several projects in python about web scraping and data analysis (text analysis), I know the basics of python data structures, and I have used modules/libraries like bs4, requests, pandas, csv etc.

What I am looking for: resources, either books or websites, to learn/practice Network Automation and do the basic network automation that is used in today's real world.

Resources I found till now: Automate the boring stuff with python by Juan Ramirez book, learn python the hard way by Zed A Shaw, Cisco Devnet cert Associate cert book.

Any suggestions?



Internal IP Redirect

Let's try this again with more info...

I am working with an HPE A5280X as our internal router. For reasons out of my control, I need to forward 192.168.0.13 (on a 255.255.252.0 subnet) to 10.3.60.9 (on a 255.255.255.0 subnet) . Both subnets have an IP interface on the router. Is this possible? If so, how?

Systems point to the actual IP address, not a host name, so DNS changes will not help.

I have tried the following and it is not working...
ip route-static 192.168.0.13 255.255.255.255 10.3.60.9

Thanks,
Mike



How to connect and configure a 24 port Ethernet switch to a router

Verizon just installed a router and I need to install a 24 port switch. I have both a cisco and a netgear switch available. Is there a certain port I would use to connect them? And, Is there a setup to be configured? I've configured cisco switches before but only local ports, not WAN ports. thanks



Internal IP Redirect

The core switch I am working with is a stacked HPE A5280X.

For reasons out of my control, I need to forward 192.168.0.13 to 10.3.60.9. Is this possible? If so, how?

Thanks,
Mike



Help with understanding Bellman-Ford Algorithm

Dear Community,

Could someone explain to me what are the limits of the Bellman-Ford Algorithm?

More especially, what do we understand under the count until infinity and its implemented solution: poison reverse. It would be much appreciated.

Any help is welcome.

If you are interested, I have an exercise with solutions but cannot upload it on this sub-reddit.

Cheers
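As an added illustration (not part of the original post, and not an answer from the community), here is a small distance-vector simulation on a constructed three-router topology A - B - C: after the B-C link fails it counts the update rounds until A and B both give up on C, once with plain Bellman-Ford updates (count to infinity) and once with poison reverse.

```python
# Added example (not from the post): distance-vector simulation on a constructed
# A - B - C topology, all links cost 1. RIP-style hop count 16 means unreachable.
INF = 16


def initial_tables():
    """Converged tables before the failure: dest -> (cost, next_hop)."""
    return {
        "A": {"A": (0, None), "B": (1, "B"), "C": (2, "B")},
        "B": {"A": (1, "A"), "B": (0, None), "C": (1, "C")},
        "C": {"A": (2, "B"), "B": (1, "B"), "C": (0, None)},
    }


def advertise(table, receiver, poison_reverse):
    """Vector sent to `receiver`. With poison reverse, a route whose next hop is
    the receiver is announced as unreachable instead of with its real cost."""
    return {dest: (INF if poison_reverse and nh == receiver else cost)
            for dest, (cost, nh) in table.items()}


def recompute(tables, links, poison_reverse):
    """One synchronous round of the Bellman-Ford equation on every router:
    D_r(d) = min over neighbours n of (1 + D_n(d)), using the vectors n sent."""
    new = {}
    for r, neighbours in links.items():
        adverts = {n: advertise(tables[n], r, poison_reverse) for n in neighbours}
        table = {}
        for dest in links:
            if dest == r:
                table[dest] = (0, None)
                continue
            best = (INF, None)
            for n in neighbours:
                cand = 1 if n == dest else min(adverts[n][dest] + 1, INF)
                if cand < best[0]:
                    best = (cand, n)
            table[dest] = best
        new[r] = table
    return new


def rounds_until_c_unreachable(poison_reverse, max_rounds=50):
    """Fail link B-C, then count rounds until A and B both mark C unreachable.
    Without poison reverse they keep re-learning C from each other, one hop
    worse each time, until the cost reaches INF (count to infinity)."""
    tables = initial_tables()
    links = {"A": ["B"], "B": ["A"], "C": []}  # B-C is down, C is isolated
    for rnd in range(1, max_rounds + 1):
        tables = recompute(tables, links, poison_reverse)
        if tables["A"]["C"][0] >= INF and tables["B"]["C"][0] >= INF:
            return rnd
    return None
```

With this topology the plain version needs 15 rounds to converge while poison reverse needs 2; note that poison reverse only breaks two-node loops, and larger loops still count up until a hold-down timer or the infinity limit stops them.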



Am I allowed to ask...

Am I allowed to ask consumer advice on what some of the best value routers are on the market right now? I want to invest in a decent router and set my old virgin media hub to modem only mode. Am I in the right place for this type of question?



Stuck setting up cisco aps catalyst 9100ax

Hi there!

I'm setting up 4 Cisco Catalyst 9100 AX APs with embedded controller and I am stuck.

I configured one AP with the Master role, set the AP IP and the controller IP etc... And all runs fine, but when I boot the other 3, they always boot as an independent master controller instead of taking the slave role to join the master controller.

I didn't find much info; if somebody can help me it would be much appreciated. Thanks



Networking job feels more like Security Engineer job

When I was 21 I got into networking because I was fascinated how data can travel the world across the internet in just milliseconds. Got my CCNA, CCNP, and have been in multiple network engineer positions.

Fast forward 15 years, right now in 2020 I work as an all-round network engineer for a small organization (around 1300 staff), but I feel like I'm actually a security engineer. Sure, I manage routers, switches and wireless LAN controllers, but 90% of my time I'm busy with security related tasks: updating vulnerable network (management) operating systems, tightening firewall policies, organizing pen tests, explaining to management whether we're vulnerable to new threats that the media reports about, and so on. Because I'm responsible for the firewall, I sometimes lie awake at night wondering if I didn't accidentally misconfigure something that leaves one of our systems vulnerable.

I just realized that I never asked for any of these security related tasks. They just get handed to the network engineer, because the network is what hackers use to gain access to an IT infrastructure. I'm not sure I like the way my job has evolved over the past decade, to be honest.

How have you seen the job change over the last couple of years?