Saturday, January 2, 2021

EBGP Route advertised

Hi all,

I have a question about BGP. I'm currently doing some labs on BGP in GNS3: a simple iBGP-only network and a combination of iBGP and eBGP, as shown below.

Network

The BGP peerings are done only between directly connected routers (R1-R2 and R2-R3).

In the iBGP-only setup, after configuring the routers, R1 can't see the LAN network behind R3. I understand that in order to fix this, I can either create a neighborship between R1 and R3 (adding a static route or an IGP) or make R2 a route reflector.

IBGP only

While using eBGP, R1 can see the LAN behind R3, without adding a route reflector or creating a peering between R1 and R3.

IBGP + EBGP

Is this a standard behavior of EBGP route (the route advertised to an EBGP neighbor is passed on to the internal neighbor of the peer itself)?
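As an added illustration (not part of the post), a toy model of BGP's readvertisement rule: a route learned from an iBGP peer is not passed on to other iBGP peers unless the speaker is a route reflector, while a route learned from an eBGP peer (or originated locally) is passed to every peer. The AS numbers, the prefix and the assumption that R2-R3 is the eBGP session are constructed for the scenarios; best-path selection is out of scope (first route wins).

```python
"""Toy BGP propagation model for the R1-R2-R3 lab described above."""
from collections import deque


class Router:
    def __init__(self, name, asn, route_reflector=False):
        self.name, self.asn, self.rr = name, asn, route_reflector
        self.peers = []   # directly peered Router objects
        self.rib = {}     # prefix -> (Router it was learned from or None, AS_PATH tuple)


def peer(a, b):
    a.peers.append(b)
    b.peers.append(a)


def session_type(a, b):
    return "iBGP" if a.asn == b.asn else "eBGP"


def may_advertise(speaker, learned_from, nbr):
    """The readvertisement rule this post asks about."""
    if learned_from is None:                              # locally originated
        return True
    if session_type(speaker, learned_from) == "eBGP":     # learned via eBGP: send to all
        return True
    if session_type(speaker, nbr) == "eBGP":              # iBGP-learned, to an eBGP peer
        return True
    # iBGP-learned route towards another iBGP peer: split horizon, unless the
    # speaker is a route reflector (simplified: an RR reflects to every iBGP peer)
    return speaker.rr


def propagate(origin, prefix):
    origin.rib[prefix] = (None, ())          # locally originated: empty AS_PATH
    queue = deque([origin])
    while queue:
        r = queue.popleft()
        learned_from, path = r.rib[prefix]
        for nbr in r.peers:
            if nbr is learned_from or prefix in nbr.rib:
                continue
            if not may_advertise(r, learned_from, nbr):
                continue
            # prepend own ASN only on eBGP sessions
            new_path = path if session_type(r, nbr) == "iBGP" else (r.asn,) + path
            if nbr.asn in new_path:          # eBGP AS_PATH loop prevention
                continue
            nbr.rib[prefix] = (r, new_path)
            queue.append(nbr)


def run_scenario(asns, peerings, origin, prefix="10.3.0.0/24", route_reflectors=()):
    """Return {router: AS_PATH tuple or None} after propagating one prefix."""
    routers = {n: Router(n, a, n in route_reflectors) for n, a in asns.items()}
    for a, b in peerings:
        peer(routers[a], routers[b])
    propagate(routers[origin], prefix)
    return {n: (r.rib[prefix][1] if prefix in r.rib else None) for n, r in routers.items()}


CHAIN = [("R1", "R2"), ("R2", "R3")]          # the lab topology: no R1-R3 session

if __name__ == "__main__":
    print("iBGP only  :", run_scenario({"R1": 65000, "R2": 65000, "R3": 65000}, CHAIN, "R3"))
    print("R2 as RR   :", run_scenario({"R1": 65000, "R2": 65000, "R3": 65000}, CHAIN, "R3",
                                       route_reflectors={"R2"}))
    print("iBGP + eBGP:", run_scenario({"R1": 65001, "R2": 65001, "R3": 65002}, CHAIN, "R3"))
```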



Mesh network

What is the difference between 802.11s and adhoc?

Which one do I use to form a mesh on different channels?



LTE routers that connect to CDMA

Hey all, working on a small setup for a small business, they want it done on the cheap. The location they are in doesn't have many broadband options, and of the few that are present - the owners don't... approve of?? Lol... Anyway, they want an LTE hookup to the IoT stuff that monitors the site. Trouble is that the LTE towers closest to the area are Verizon..

I've looked at cradlepoint and their cheaper alternatives, like this and this but many of them either explicitly state that they do not work with Verizon SIMs, looking at the docs it even shows that they do not connect to CDMA bands at all..

Does anyone know of a reliable LTE router that connects to the Verizon LTE bands? Would really help me out - thanks!



Unmanaged Switches

I currently am running a Ubiquiti Dream Machine Pro. If I run a 10 gigabit line into a 10GbE MikroTik unmanaged switch, can I still manage all of the devices through Ubiquiti? The UniFi Switch 16 XG is too far out of my price budget.



What is the difference between RAP MTU and SAP MTU?

Is RAP for Remote Access Point and SAP for CAP?



Copper/Fiber Certifiers/Testers

We have a job coming up that will have enough profit in order to provide our company the means to purchase another OTDR. If money was no object, what is the best OTDR out there? Best manufacturer? I know this is probably highly subjective. The easier to use the better. Not knocking the fiber techs, but it has been my experience that the easier an electronic interface is to use, the more our techs seem to be able to master the system.

On another subject, I have been reading that the new Fluke Cat8 certifiers are considered the standard for copper testing, especially for Cat8 installations, due to Fluke usually being able to negotiate longer warranties if using their testers.

Would we be wise to consider some sort of combination function testing equipment?



Channel selection in a mesh network

I am using 802.11s to form a mesh, but the problem with the setup is channel interference, since 802.11s requires all the nodes to run on the same channel.
Is there any workaround, or do I need to ditch 802.11s and opt for something else?
If I am opting for something else, what do I opt for?



dB loss on internal AP antennas?

Hi Guys.

I'm redoing my CCNP, and for once have to get into wireless as well.

I think I understand most of the concepts - except for the calculation of EIRP - in regards to dB loss..

So this is always explained as the "loss of power between transmitter and antenna"... cool, no problem.
So am I right in assuming that, for example, the Ubiquiti AP that I use at home doesn't have a loss, as the antenna is internal, built into the transmitter?



Topology help.. MLAG Core, A/P Fortigates and VRF Routing...

Hello,

We're deploying a new network infrastructure as part of a building move and settled on MLAG L2 for the Core and Access switches, which we were going to LAG into a pair of Fortigates in Active/Passive for segregation and routing at L3 from there.

BUT, the gateways are now going to sit on the Core switches (a pair of Arista 7050SX3s) and we're going to connect L3 to the fortigates for 2 VRFs (Prod and DMZ) for segregation.

How do I configure the transit VLAN interfaces on the MLAG switches? Would we use LACP to the Firewalls still? Do I need a VLAN interface on the Aristas, or as the transit VLANs are trunked up to the fortigates, can I just have one interface per VLAN on the fortigates?!

Can anyone point me in a direction? This feels like I'm misunderstanding some fundamentals... as usual!



I need to write an essay and explain how to analyse TCP packets with Wireshark. The thing is I've never used Wireshark and I'm a complete noob when it comes to networking (but I'm interested to learn). Do you have some good resources to recommend? 🙂

I'm studying Computer science and this is my first networking class. The professor is really great and I want to write something good.

I hope this isn't spam



Friday, January 1, 2021

10Gb SAN upgrade - Thinking my way through it

I've got a rack with a SAN currently running, 2 shelves with drives that are DAS attached to a server for the head. That server runs FreeNAS with iSCSI going out 2 NICs, 1 to each switch on my stack, and each ESXi host has 2 NICs for iSCSI that go into each of the two switches in the stack.

I'm looking to upgrade this part of my network to 10 GB and need help deciding what's a better option. Budget isn't firm but cheapest isn't the only way for this to go. At first, I found the MikroTik CRS305-1G-4S+IN with 4 SFP+ ports and figured I could use 2, one for each segment. Then I don't need to worry about VLAN config, ensuring enough resources to the iSCSI via QoS, and other issues with running iSCSI on the main switch stack.

Then I noticed that I could grab a Ubiquiti ES-16-XG for around the same price. It has 12 SFP+ ports and 4 x 10GBase-T ports. I figured I could go with this option as well and still split up the ports into their own subnet/VLAN for the iSCSI to keep the two separate, but end up with more ports for expansion in the future.

Are there other sides to this that I'm not seeing? Anyone have experience running iSCSI on either model and can give input? Am I not even looking at the right hardware?

I can't afford HP/Cisco/Dell 10 G but MikroTik or Ubiquiti are within my price range.

Currently the build is at $1400 CAD and that's with the MikroTik. Price difference to the Ubiquiti is around $100 more, so not enough to think about it being an issue.

Thoughts?



(Question) How normal is it for ISPs Routers (CE,PE,PC) to have telnet, ssh, and FTP open to the internet?

Title pretty much says it all, but I'm currently studying ISP Networking (Nokia NRS 1) and wanted to know how common it is for that stuff to be open like that.

I have enough InfoSec knowledge to know that that kind of stuff shouldn't be open to the internet in an Enterprise environment, but I have no clue what level of normality it is in the ISP space. For example, looking on Shodan.IO shows a ton of ISP-controlled routers having SSH, Telnet, and FTP open to the internet.

Thanks for taking the time to read my question. :-)



Looking for a fiber broker in Phoenix

(I didn’t see a rule against this but mods please delete if this is not appropriate)

We’ll be moving into a new facility for our video + event production space in downtown Phoenix, AZ and I’d be interested to work with a broker to get a dedicated internet link.

CenturyLink is already in the building so we’ll talk to them, but as I check dark fiber maps it seems there are at least 2-3 carriers either on our street or a couple of blocks away.

Thanks!



Identify this...

Anybody know what this is? Shout out to the IT crowd working today!



Confused about how I’m able to access remote asa site.

So I have a site-to-site configuration with another ASA, and then I have some AnyConnect clients that are able to access the other site, but according to my configuration they shouldn't be able to. I don't have an outside,outside NAT configured for that to get to the other side yet. I'm just confused on how that would be working now.



Thursday, December 31, 2020

[HELP] 3 router configuration

Hey, so I'm planning to extend the wifi in my home. Currently I have 1 router (let's call it A) which is connected to a modem.

I'm planning to get 2 more routers (let's call them B and C), and then I will use the wifi repeater feature to connect B to A.

Next, I would use an ethernet cable to connect B and C due to an impenetrable wall.

My question is: is it possible for B to send internet to C while it's in repeater mode?

Thank you



SNAS.io (OpenBMP) what happened?

Hello Everyone,

After implementing RPKI invalid drops I have been looking for a way to monitor the difference of adj-rib-in vs local-rib and adj-rib-out. I have been looking into BMP and specifically OpenBMP and now SNAS.io since late 2018 when everything with that project seemed quite active. However now it looks like nothing has been touched since November 2019 and it also looks like the Demo on SNAS.io is and has been down since November 2019 as well. Also looks like their Gitter has slowed down drastically.

Does anyone know, is the project dead?

Finally, any suggestions on alternative means to monitor pre and post filtered sessions?



What error could that be?

I created a network design which includes 2 multilayer switches, 2 layer 2 switches, 3 routers (one router is for the ISP), and 2 PCs for each VLAN. Then I connected all the cables and did all of the basic configuration, like giving a username & password, SSH and console access and login, including STP and EtherChannel. And I assigned IP addresses to the PCs and other devices.

THE PROBLEM IS - I can connect the PCs to the switches. Even connecting with a PC from a different VLAN is working. But the only device that isn't working is the router. I can't access or connect the router to other devices at all. What did I do wrong and what kind of error could that be? Please help me



Fresh Network Engineer - 30 Day Update

Hey guys,

Because of all the encouragement you gave me on my last post about this miracle of a job I landed, I wanted to come on here and give you a 30 day update.

So far, I have been learning the infrastructure. I've gone around to some of the places we administrate and looked at the equipment and I've learned how it works.

They are paying for my training and certs, and my boss is cool with me studying on the clock, as long as I'm being productive. I nearly missed the pass on my CCNA a few months ago (795) :/, but I'm wholly confident I could pass it now, given what I have already seen.

During my first week, a lot of it was just driving around with my boss and him explaining our topology. I went to our data center, which was really damned cool, and also around to our "huts."

The data center was awesome. They took my picture and gave me an ID badge. There was a machine that raises up to your eyes and scans your retinas. You have to open a submarine vault door to get into the data center. I had never been at a real one before. I remember it was nice and cool, with blinking lights everywhere. We plugged a laptop in and it looked like something straight out of a Cisco certification book.

The huts were really cool because we share them with Google. There is fiber everywhere like spaghetti, redundant generators upon generators, and fire control systems rivaling that of the data center. It was like a bunker, rated for a cat 4 tornado.

The second week I started actually configuring switches. I installed a switch at a police station, complete with ssh, all the required vlans, and a fiber uplink to our distribution switch. The experience was really cool because unlike packet tracer I was able to console in to a physical piece of equipment, and use my hands to rack it up and plug in the uplink.

The third week I was tasked with configuring and deploying a couple traffic camera switches by myself. I started copy/pasting the entire configuration instead of going line by line and after I handed them to the traffic coordinator I forgot about it.

The next day he called me and said they weren't working. I went out there, opened up one of the metal traffic boxes, and plugged a console cable in while holding my laptop. I ran a "sh transceiver detail" and noticed that the SFP module wasn't sending out light. I went back to my office yet again and grabbed a new SFP, which I tested on my personal switch.

Once I got back to the first traffic switch, I plugged in the functional SFP module, but I wasn't able to ssh. It turns out that copy/pasting an entire configuration can cause problems. I was able to fix that, but then the second switch wasn't working either, but for a different reason. This one wasn't receiving any light.

Sure enough, when I went to the hut to run a couple of jumpers, the guy I spoke to had given me the wrong one, and it wasn't reaching my switch. I remember when I went back there was a traffic guy there who let me into the traffic controller box. I had to fix SSH on this switch and verify that it was receiving light. He watched me and I'll never forget what he said.

He goes, "Holy shit man, this is some real computer stuff. I just do the traffic controllers, but that's not anything like this. How long have you been doing this?"

I felt like a wizard and finally after all the things I've been through trying to find this job I felt like I might have made it.

This past week, I have been tasked with configuring 20+ switches for the city PD. They are putting them up on poles (IE2000s), and connecting a copper SFP to a 360 camera, with the other uplink going straight back to the hut via fiber. I figured out which SVIs to use on the distribution switch, configured them as their default gateways, and have been going one by one. I anticipate I will be done with it next week.

I have also been studying some network automation in my free time after I get home. I love python, and I think my ultimate goal is to combine it with networking, which I have the freedom and privileges to do here, if I can figure out how. I've messed with some libraries, like sockets, and some cisco ones, but nothing in production.

Thanks guys, and the longer I'm here, the more I can weigh in on some of these posts.

TLDR: Boss is a mentor to me. They pay for my training. I've been to places that require retina scans and facial recognition to get in. I'm really getting my feet wet, and I think I'm killing it.



Joining multiple ISP connections for higher bandwidth in a low-bandwidth area.

Say I was in an area where only low-speed options are available: DSL, satellite. I have considered Starlink but it takes a while to get set up. I want to start a small company that will require high bandwidth but cannot get a fiber provider in my area. I was wondering if I could reliably connect several ISPs and create a larger pipe, so to speak? I know there is load balancing but that sounds more like I wouldn't have increased bandwidth, just more pipes at the same speed. Any advice where to look into this?



S4148F-ON as BGP router with full routes....

I am new to the Dell S4100-ON line. It's advertised as a 10/40/100 Gbit switch and the software supposedly supports BGP. Is it plausible to use this as a router with full BGP routes?

I see the RAM is only 4 GB, so probably not.... Is this really only aimed at using BGP in an internal environment, like when building a VXLAN fabric?



Is there a point to the traditional UTM (Sonicwall) when everyone is working from home?

I need your best thoughts here. Right now we have a Sonicwall TZ600 that is up for renewal. In the covid era everyone is working from home.

So my question is: is there a point to renewing this device? It seems to me we would be better served by using a managed endpoint protection (Bitdefender?)

I know we could have both but then they just end up fighting each other.

We use M365 for email.

We would still maintain a firewall but maybe just a pfsense and then offload the protection to the endpoint.

I know it's better to stop it at the perimeter, but we don't really have a perimeter anymore.

Thoughts?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Looking for a free port scanner with a web interface as an alternative to nmap!

Hey,

I'm looking for a free port scanner tool that scans my whole network multiple times a day, on different subnets, for open ports (specific ports like default SSH 22, etc.), then exports a daily report of hosts that have open ports:

host 192.168.88.34 port 80 open , time 1:46 am , 1/1/2021

the output should be in txt,html or csv file

I did this with the Nmap command, but I'm looking for other tools that use Nmap but with other features, like a web interface.

The idea in my mind is to script Nmap to scan multiple times a day and export the results to CSV or txt in a folder that I have synced to OneDrive,

so every night I open my one drive folder and see the result.
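As an added example (not an existing tool or code from the post), the reporting half of the idea above: parse nmap's XML output (`-oX`) and emit one line per open port in the format the post sketches, plus a CSV. The XML below is a constructed sample in nmap's -oX layout, and the CSV column names and the optional port filter are assumptions.

```python
"""Turn nmap -oX output into a per-open-port text report and a CSV file."""
import csv
import io
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in nmap's XML layout: one host with two open ports,
# one host that was down, one host with only a filtered port.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" start="1609465560">
  <host>
    <status state="up"/>
    <address addr="192.168.88.34" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.88.35" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.89.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="filtered"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text, wanted_ports=None):
    """Yield (host, port, proto, service, scan_time) for every open port.
    wanted_ports (assumed option) restricts the report to the ports you care
    about, e.g. {22}; None reports everything that is open."""
    root = ET.fromstring(xml_text)
    started = datetime.fromtimestamp(int(root.get("start", "0")), tz=timezone.utc)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            portid = int(port.get("portid"))
            if wanted_ports is not None and portid not in wanted_ports:
                continue
            svc = port.find("service")
            yield (addr.get("addr"), portid, port.get("protocol"),
                   svc.get("name") if svc is not None else "", started)


def report_lines(xml_text, wanted_ports=None):
    """The one-line-per-finding text format from the post."""
    return [f"host {h} port {p}/{pr} open, time {t:%Y-%m-%d %H:%M} UTC"
            for h, p, pr, _, t in open_ports(xml_text, wanted_ports)]


def report_csv(xml_text, wanted_ports=None):
    """Same findings as CSV text, ready to write into the synced folder."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["host", "port", "proto", "service", "scan_time_utc"])
    for h, p, pr, svc, t in open_ports(xml_text, wanted_ports):
        writer.writerow([h, p, pr, svc, t.isoformat()])
    return buf.getvalue()


if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE_XML)))
    print(report_csv(SAMPLE_XML))
```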



Any of you cowboy types running VyOS rolling release in production? Any other free recommendations?

I'm in the market for a free or dirt cheap router. Mikrotik CHR has rubbed me the wrong way with their half implemented IPv6 features. I'm currently running Debian + FRR and it's mostly fine but I'm longing for something with a more complete CLI/config system. With FRR, I end up doing half the config on the host and half in FRR, and it's kind of a nightmare.

Very little traffic on this setup currently, but I need OSPF, VRFs, BGP with vpnv4/6 and VRRP. It's a service provider type network.

I'm happy to pay the $750/yr for the stable version eventually, just can't swing it right now. Just curious if anyone has been bitten by trying to use the rolling release, or if it tends to be pretty stable.

Or, any other OS recommendations would be welcome as well.



Is a redirect a type of rewrite rule?

I'm trying to understand the difference between a rewrite and a redirect and I'm a bit confused. I've read in some places that the difference is "A Redirect rule instructs the client (usually a browser) to switch URLs and navigate to the destination of the rule. Redirect rules are typically used for old paths that you’d like to redirect to new ones.

In contrast, a Rewrite rule does not change the original URL; it simply serves the content of the rule destination at the original path. The browser can not tell that the content was served from a different path or URL, making it possible to display content from a different path or URL on any other path on your site. "

But looking into Apache Servers, the documentation says this: "The mod_rewrite module uses a rule-based rewriting engine, based on a PCRE regular-expression parser, to rewrite requested URLs on the fly. By default, mod_rewrite maps a URL to a filesystem path. However, it can also be used to redirect one URL to another URL, or to invoke an internal proxy fetch."

So in this case can rewrites function as redirect such that the URL will appear to change in the browser? Or is it always the case that if it's a rewrite, the browser url will never change? Is it a different answer if you're using IIS vs Apache Server perhaps?



Forticlient clutter in Infoblox

We've got a situation where we use Infoblox for DHCP/DNS, but because our Forticlient is used for SSLVPN, the Fortigates themselves have to do the DHCP (there's no DHCP relay on SSLVPN, only IPSec, for some reason). Therefore, we need the Fortigate to update Infoblox with A records for hosts connected (because Security said so).

And it even works fine, as far as it goes - not only does it create the A record for the VPN tunnel IP, but it also creates one for that hostname for EVERY IP on the remote computer. And they never ever go away unless we manually delete it.

So what I'm looking for is a way to either:

  1. Stop the Fortigate from creating the mess in the first place

  2. Stop Infoblox from setting them as if the lease is long-term when it's not

  3. Or, barring anything else, automatically clean up the mess in Infoblox, but restrict said cleanup to just the IP blocks used for the Forticlient VPNs (and things like 192.168.1.0/24, which is an absolute mess and we don't use anyhow).

Digging around on this, I found two possibilities; one is DHCP Option 81. Infoblox has two settings, and I'm not clear what they do - DHCP Server always updates DNS, and DHCP Server updates DNS if requested by client. I think it's sort of what I'm looking for, meaning the second one says "Don't expect a departing DNS update from the DHCP Server" but I'm not certain, and the one "explanation" I found was way too opaque for me to figure out on New Year's Eve.

The other thing is DNS scavenging, but because Infoblox approaches nearly everything with the hostname as the basis, rather than the IP, I can't find whether or not I can restrict scavenging to specific IP ranges. Has anyone ever done that and if so, is it as trivial as adding any other condition, or do you have to jump through hoops?



Wireless Lan Controller Questions (Extreme Networks)

I'm tasked with searching for a Wireless LAN Controller for my company. My only rule was that it has to support about 50-100 access points. I'm pretty sure I've narrowed it down to the Extreme Networks C35 Physical Appliance.

I have a history with Cisco and a perfect "Cisco World" environment. I recently learned about WLCs but only when it comes to Cisco, and obviously not enough.

Here are some questions I have regarding WLCs:

  1. Do WLCs only work with specific enterprise access points? For example would the C35 WLC be able to manage Extreme Networks 7632 Access Points AND Motorola access points? Or would I be looking at replacing some access points to make them all the same?
  2. In your experience how hard is it to implement a WLC into an environment that's already setup?
  3. Are multiple WLCs needed at every building if the access points are on the same network or would they still be able to contact the single WLC? ( I'm pretty sure I know the answer to this one but it doesn't hurt to verify)
  4. What advice or tips would you give regarding this kind of task?

Thank you in advance for any questions answered or input, it's greatly appreciated.



Need new bandwidth provider. Equinix MI1. Not sure where to start.

We have been with a company for the past 10+ years but they are shutting down our circuits, as we have been on the same ones for about that long.

They are being assholes about new services.

We need at least 1 Gbps+ on a 10 Gb port.

Would like double cross connect for equipment redundancy.

Not a fan of AT&T Enterprise or Verizon.

Anyone deal with that or have a rep that would be interested?

When I Google "data center bandwidth" I basically just get HE.



100G Switch Recommendation

We're building out a small virtualization cluster of three nodes and would like to have a 100G Ethernet fabric between them. I'm looking for the best "bang for the buck" switch with at least 6 100G ports that will perform little more than layer 2 duties. Our immediate bandwidth needs don't dictate 100G, but it would be nice to have. Secondary 1/10/25G ports aren't a necessity.



current Access speeds in the Enterprise Data center?

I left the industry in about 2013, due to serious illness, so I haven't kept up with industry developments much since then. When I left, 10GbE was gaining traction as the default server access speed in enterprise datacenters, and was only just beginning to phase out bundles of GbE. Much faster speeds were available and obviously still are, but how much of this has become practical common use by now? Is 25GbE the new standard for host access speeds? I assume that leaf-spine has now become the clearly dominant DC architecture, so if running 25 GbE leaf ToR switches, what is commonly used for uplinks to spines? 100 GbE?



Raisecom device to catalyst switch not working but raisecom to firewall works

I have never in my life encountered such a problem. When connecting from the Raisecom to the firewall, it works. When connecting from the Raisecom to a PC, it still works. But when connecting to the switch there are no lights whatsoever. When connecting the switch port to a PC, there are lights on the switch (connected to check whether there was an issue on the switch port). I have also tried another switch port. The ISP has sent an access VLAN. I have configured the switch port as access also. The switch doesn't receive the MAC of the Raisecom. The switch receives the MAC of the PC when connected on the same port of the switch.

Also, there is no mac bind from ISP side



What exact cable is this?

It connects to the router and says 'WAN' as input; looking it up shows a UTP cable and I'm not sure if it's good. The cable goes to the router from the optical fiber box.

https://ibb.co/p4LbVDv



How do you keep up with the latest networking news?

Which RSS feeds do you have? Which blogs do you follow and which podcasts do you listen to?

News is a huge thing in CyberSec, there's a ton of resources to keep up with the latest in security.

I'm new to networking and I want to live and breathe it. I just want to find out how everyone keeps up with the latest news.

I've been binging Network Chuck and he's taught me a lot about the future of networking and how I can prepare myself.

What other resources can I use to keep up to date?



Wednesday, December 30, 2020

Catalyst 9500-32C 10G Connection

I am replacing a stack of Meraki MS425s with a stack of 9500-32Cs. I want to connect the two together, so our vendor sold us a couple of breakout cables. I configured the breakout interfaces and connected them to the 425s but no link. I checked on the Cisco side and the interface is broken out into four 25G interfaces. I checked the cables and they are QSFP-4SFP25G cables. I assume there is no way to use these and I need different cables that break out to 10G, correct?



Small Business Access Switch

Happy holidays,

I currently have an office of about 20 people on site (less now due to COVID) and 10 people remote, with BYOD such as tablets and phones on the wireless networks at the office. Want to plan for 100% growth in 3-5 years.

Have a FortiGate for the NGFW and have an existing UniFi 48 port PoE switch and some UniFi access points. Physical office size is small. I am in need of more switch access ports, and am trying to decide if I should keep going down the UniFi line, or get something like a FortiSwitch, or maybe something else. Will need a PoE variant and a non-PoE variant for a switch location outside of the network closet.

I am looking to set up LAG interfaces if the Unifi makes more sense, or possibly replace the Unifi with a pair of FortiSwitch 248E POE with MCLAG and an aggregate interface to the "IDF" switch.

I am planning on getting a file server (probably TrueNAS or Synology), the primary use of which will be VM backups on the upcoming Hyper-V server. All business critical documentation and files are cloud hosted. The VMs will not require much network bandwidth (1-5 Mb sustained), however I would prefer to have 10Gb SFP+ for the future, and the 248Es do not have it. However, UniFi does not have enterprise support and I have been very happy with Fortinet support when I need them.

There is VoIP with a PBX with 12 extensions.

All email is cloud hosted with O365 and do not see us moving to on-prem at all.

Budget is about 1000-1500 per switch. 2 or 3 switches needed, depending on purchase path

-Cheers



Geolocation Issues New IP Block

I am located in the US. We acquired a new IP block from APNIC. This IP block has been assigned to our organization in ARIN. The IPs work, however we have been having geolocation issues where specific services think the IPs are still located outside the US. It's clear that some services do not check to see if the IPs are in the US or not. Considering how many providers of services there are (Google, Netflix, Hulu, etc.) it's not really realistic to contact every single one of these service providers to have them correct the IP issue. Does anyone have any suggestions on the best way to tackle this issue, or any other suggestions?



Anyone familiar with Moxa AWK-3121 APs?

I've got a Moxa AP that I want to configure to use as a bridge, but can't seem to log into this thing. I've downloaded the manual and have connected it to a PoE switch. It has power and is showing a link light. I've reset it several times, and the default IP should be 192.168.127.253. I try to ping and connect via web, but no luck.

Anyone familiar with this?



Switch loses power and clients can't get back on the network after power comes back up

We have a branch site that has lost power twice this month. We use ISE for our NAC and our clients at the branch authenticate to it. When this power outage happens and the clients try to come back online, the client machines fail to authenticate or get denied network access. For the immediate future, I will make sure everything is on a proper power backup so this doesn't happen again, but until then, I just want to know what can be done to quickly get the clients to properly authenticate to ISE.



ruckus unleashed vs. Cisco mobility express

looking for people with experience of both of these to give some input on their differences and which one is better/ they prefer?



Need help understanding Channels in the 2.4 Ghz band

From my research I understand that the 802.11 wireless standards that operate in the 2.4 GHz range use 11 channels, 3 of which are non-overlapping. What I am having trouble grasping is things like Spread Spectrum types (FHSS and DSSS): the 2.4 GHz frequency band is said to be broken up into 70 1 MHz narrow channels that data flows through. So what is the difference between the two? Why does the 2.4 GHz band have 11 channels but at the same time have 70 channels?



Making sense of AWS site-to-site VPN MTU

The default AWS site-to-site VPN connection (Tunnel mode / AES128 / SHA HMAC / no AH) looks like it should be good for 1438 byte inner packets over a 1500 byte Internet:

  New IPv4 Header for IPsec      20
  ESP Header                      8
    - SPI (4 bytes)
    - Sequence (4 bytes)
  ESP IV                         16
  Original IPv4 Header           20
  Original IPv4 Payload        1418
  ESP Trailer                    14
    - ESP Pad (0 bytes)
    - Pad Length (1 byte)
    - Next Header (1 byte)
    - ESP ICV (12 bytes)
  ----
  Total IPsec Packet Size      1496

AWS has several ways to export customer-side VPN config details, including:

  • API dump of CustomerGatewayConfiguration, an XML blob that includes:

    <tcp_mss_adjustment>1379</tcp_mss_adjustment>

  • Configuration export formatted for a Cisco router, which includes:

    interface Tunnel1; ip tcp adjust-mss 1379

  • Configuration export formatted for a Vyatta router, which includes:

    set interfaces vti vti0 mtu '1436'

There are a number of disparities that I'm struggling to reconcile:

  1. AWS recommended MTU (1436) looks a little pessimistic when compared to my expected 1438.
  2. AWS recommended MTU (1436) looks wildly optimistic considering we could switch to SHA512-HMAC, and wind up losing another ~20 bytes to ESP trailer. I do not believe that the numbers I'm getting from their config tool take into account the operational state of the tunnel (peer proposal and whatnot).
  3. AWS recommends 1436-byte MTU, but also MSS clamping at 1379 bytes... 43 bytes of IP+TCP headers?
  4. AWS config examples for some platforms set tunnel interface MTU while others don't (perhaps reflects more on AWS' faith in Vyatta than anything else)
  5. Is the strategy for non-TCP traffic (no constrained MTU and no MSS clamp ability) to just let it fragment as needed?

I'm hoping somebody can help fill in some of these gaps in my understanding.

Thanks!
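To reason about the figures above, here is an added example (my own code, not from the post or from AWS) that computes ESP tunnel-mode overhead the way the table does: outer IPv4 header, ESP header, IV, the encrypted inner packet padded to the cipher block size plus the 2-byte pad-length/next-header, and the ICV. Assumptions: AES-CBC (16-byte IV and block), HMAC-SHA1-96 with a 12-byte ICV, and, for the comparison the post raises, HMAC-SHA-512-256 with a 32-byte ICV (RFC 4868); the MSS figure subtracts a minimal 40-byte IPv4+TCP header. It reproduces the 1438/1496 numbers and shows what the longer ICV costs.

```python
from math import ceil

# Fixed overheads for ESP tunnel mode over IPv4 (sizes in bytes)
OUTER_IPV4_HDR = 20    # new outer IPv4 header
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER_FIXED = 2  # pad length (1) + next header (1)
IPV4_TCP_HDRS = 40     # minimal inner IPv4 (20) + TCP (20), used for MSS clamping

# ICV lengths by integrity algorithm (truncated HMAC output; RFC 2404 / RFC 4868)
ICV_LEN = {"sha1": 12, "sha256": 16, "sha512": 32}


def esp_encrypted_len(inner_len, block_size=16):
    """Length of the encrypted portion: inner packet + padding + pad-length + next-header.
    ESP pads so that this is a multiple of the cipher block size (16 for AES-CBC)."""
    return ceil((inner_len + ESP_TRAILER_FIXED) / block_size) * block_size


def ipsec_packet_size(inner_len, integ="sha1", iv_len=16, block_size=16):
    """Total outer packet size for an inner IPv4 packet of inner_len bytes."""
    return (OUTER_IPV4_HDR + ESP_HDR + iv_len
            + esp_encrypted_len(inner_len, block_size) + ICV_LEN[integ])


def max_inner_mtu(outer_mtu=1500, integ="sha1", iv_len=16, block_size=16):
    """Largest inner packet whose encapsulated size still fits the outer MTU."""
    inner = outer_mtu
    while ipsec_packet_size(inner, integ, iv_len, block_size) > outer_mtu:
        inner -= 1
    return inner


def tcp_mss_for_mtu(inner_mtu):
    """MSS to clamp to so that a full-size TCP segment fits the inner MTU."""
    return inner_mtu - IPV4_TCP_HDRS


def mtu_report(outer_mtu=1500):
    """(inner MTU, TCP MSS) per integrity algorithm, for side-by-side comparison."""
    return {integ: (max_inner_mtu(outer_mtu, integ),
                    tcp_mss_for_mtu(max_inner_mtu(outer_mtu, integ)))
            for integ in ICV_LEN}


if __name__ == "__main__":
    # The post's case: 20-byte inner header + 1418-byte payload = 1438-byte inner packet
    print("1438-byte inner packet encapsulates to", ipsec_packet_size(1438), "bytes")
    for integ, (mtu, mss) in mtu_report().items():
        print(f"{integ}: inner MTU {mtu}, TCP MSS {mss}")
```

Because the encrypted part is rounded up to a 16-byte block, the inner MTU moves in steps rather than byte for byte with the ICV size, which is why a vendor's recommended value can look a few bytes off from a straight subtraction. The MSS this computes is the value for a given inner MTU under the stated assumptions; it does not model whatever margin a vendor tool builds in.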



LibreNMS questions

I've just started poking around LibreNMS. Right now I just have it on my laptop running on VirtualBox. So far I'm liking the interface design and I'm thinking it's a good candidate to replace what we have (we've used tools like MRTG, PRTG, Cisco PI, SolarWinds, AirWave). I was wondering if any long-time admins of LibreNMS can chime in about it: how it compares to your previous NMS, are there surprise costs, support, what is it NOT good for, etc.



Undocumented user account in Zyxel products (CVE-2020-29583)

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to log in to the SSH server or web interface with admin privileges.
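Until the firmware is patched, the practical defender's question is whether that account has been used. As an added example (my own code, not from the advisory or from Zyxel), this runs a simple username check over syslog-style authentication lines. The sample lines are constructed, and the wording of the messages is an assumption standing in for whatever your devices actually emit; only the account name zyfwp comes from the advisory.

```python
import re

# Accounts that should never appear in an interactive login on these devices.
# "zyfwp" is the account named in the advisory; extend this set from your own inventory.
UNDOCUMENTED_ACCOUNTS = {"zyfwp"}

# Generic pattern for user names in syslog-style auth messages: matches
# "user=NAME", "user NAME" and "for NAME". The exact wording of the device's
# messages is an assumption here; adjust the regex to the format you actually see.
USER_RE = re.compile(r"\b(?:user[=\s]+|for\s+)([A-Za-z0-9_.-]+)", re.IGNORECASE)

# Constructed sample lines (not real device output): one successful SSH login,
# one web login and one failed SSH attempt with the undocumented account.
SAMPLE_LOG = [
    "2020-12-29T01:12:03 fw1 sshd: Accepted password for admin from 192.0.2.10 port 51234",
    "2020-12-29T01:14:45 fw1 sshd: Accepted password for zyfwp from 198.51.100.23 port 40211",
    "2020-12-29T01:15:02 fw1 web: user=zyfwp login success from 198.51.100.23",
    "2020-12-29T01:16:30 fw1 web: user=admin logout",
    "2020-12-29T02:03:11 fw1 sshd: Failed password for invalid user zyfwp from 203.0.113.5 port 22222",
]


def find_undocumented_logins(lines, accounts=UNDOCUMENTED_ACCOUNTS):
    """Return every line that names one of the undocumented accounts, whether the
    attempt succeeded or failed: a failed attempt still shows someone knows the name."""
    hits = []
    for line in lines:
        # findall rather than search: "for invalid user zyfwp" yields both
        # "invalid" and "zyfwp", and we want the second one to count.
        names = {n.lower() for n in USER_RE.findall(line)}
        if names & accounts:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in find_undocumented_logins(SAMPLE_LOG):
        print("ALERT:", hit)
```

Pipe your exported logs in as the list of lines; any hit is worth treating as a compromise indicator, since no legitimate administrator should be using that account.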



Tool for converting a single /23 or larger network into a number of smaller networks

Does anyone know of a tool that can take (for example) a single /20 IPv4 network and return all of the /24 or smaller networks it contains?

This just came up at work--at least one of our spam filters' whitelist does not accept networks larger than /24, while the IP whitelists we're dealing with have multiple larger networks in the list--and while it sounds like it could be an interesting project, I want to make sure I'm not duplicating effort if that already exists. A cursory Google search didn't turn up anything, but if something like that exists already I assumed someone here would be able to point me in the right direction.
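The splitting itself is a few lines with the Python standard library; here is an added example (my own code, not a tool the post refers to) that takes a list of whitelist entries and expands anything larger than a given prefix length into subnets of exactly that size, leaving smaller entries and bare addresses alone. The sample entries are constructed. It goes slightly beyond the question in that it also works for IPv6 if you pass an IPv6 maximum prefix length.

```python
import ipaddress


def split_to_max_prefix(networks, max_prefixlen=24):
    """Expand every network larger (shorter prefix) than max_prefixlen into the
    subnets of exactly that size. Entries already at or below that size, including
    bare host addresses (which become /32 or /128), pass through unchanged.
    Returns CIDR strings, ready to feed to a whitelist that caps at /24."""
    result = []
    for entry in networks:
        # strict=False tolerates entries like 10.20.0.5/20 that have host bits set
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net.prefixlen < max_prefixlen:
            result.extend(net.subnets(new_prefix=max_prefixlen))
        else:
            result.append(net)
    return [str(n) for n in result]


if __name__ == "__main__":
    # Constructed whitelist: one /20, one already-small /25, one bare address
    for cidr in split_to_max_prefix(["10.20.0.0/20", "192.0.2.0/25", "198.51.100.7"]):
        print(cidr)
```

A /20 yields 16 /24s, so a long whitelist can grow quickly; if the filter also caps the number of entries, that is worth checking before the import.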



Aruba Wi-Fi kit - what to do with it?

Just cleaning our network stockroom today (a safe task to do the week before Christmas and New Year's) and found a box of roughly 30 Aruba AP-105s, a handful of AP-125s and a couple of AP-205s plus a 3400 controller. Are these just destined for the bin or does anyone have any suggestions for these?

Edit - as was mentioned in one of the comments, just wanted to state that we are in Canada.



Campus Network Segmentation: Internal VPN that directs to multiple VLANs?

Background: I'm working on upgrading a campus network from Cisco to Juniper and we are looking to increase the segmentation between VLANs to reduce the risk/impact of ransomware and the like. There are business buildings, some residential buildings, as well as guest VLANs. The residential and guest networks were already segmented with Cisco access lists that we converted to Juniper firewall filters. Each of the business buildings has a set of VLANs for general data (PCs, printers, etc.), IP surveillance, VoIP, and network management. We should be able to set each of these VLANs to be able to talk to the server VLAN and the internet, then block other traffic. VoIP will need to talk to other VoIP VLANs, and I think I know how to open up just the needed ports for that.

My main question is: How do I allow IT staff to connect to all of the VLANs for troubleshooting? I've set up an IT office VLAN and can allow that to communicate with all of the VLANs, but if an IT person with a laptop is connected to the general data VLAN of a building, how can they connect to the IP surveillance VLAN of that building to work on a camera? There is a Windows RRAS VPN setup which does allow business devices on the residential network to connect to the business network and bypass the internal ACL/firewall filter (this is all within the same campus network). I thought if I could get that server to put general business devices on one VLAN and IT laptops on another VLAN, that would work. But best I can tell, RRAS can't do that.

Is there a self-hosted VPN server that can put different groups of clients on different VLANs? Or a VPN server that can easily run multiple instances with multiple network adapters to the same effect? The servers run on VMware. Or is there a better way to go about this problem in general?



nic "Supported link modes" list removed.

We operate 10G suricata IDS.

"#ethtool ens1f0" printed This "Supported link modes: Not reported"

  1. Restart suricata by changing the memory buffer
  2. The detection log is reduced.
  3. Checked the occurrence of many drop packets in nic.
  4. Ens1f0 abnormality checked ("Supported link modes: Not reported")
  5. Ens1f1 is OK

Does anyone know of a phenomenon like this?

I tried "ifconfig ens1f0 down/up" but it didn't work.



Congestion-control Cisco Nexus clarity

Hi, after reading about PFC on Cisco's site I've understood about 99% of it now as well as all the commands too. Two commands I'm not completely sure what they do are:

congestion-control tail-drop

congestion-control random-detect

I think they mean what the behaviour will be for each class/CoS if there is congestion, so tail-drop will just knock packets off the end of the "tail" of the buffer queue, or not allow them to join the buffer is another way of saying it I suppose.

Random-detect will use the WRED settings that are put into your queuing classes, so:

  policy-map type queuing bandwidth_wred
    class type queuing 1p3q4t-out-q2
      bandwidth percent 50
      random-detect cos-based
      random-detect cos 5 minimum-threshold percent 10 maximum-threshold percent 30
      random-detect cos 6 minimum-threshold percent 40 maximum-threshold percent 60

The following random-detect settings above in the class-map are applied when there is congestion on the links.

Would you be able to clarify if you know the answer?

Cheers



C9500 : Transmit Discards

I've got a C9500-48Y-4C unit which isn't pushing much traffic currently. We are actually only using 3 interfaces set up as 10Gb with each interface pushing around 2Gb to 3Gb.

I've been keeping an eye on our Solarwinds stats for the C9500 simply because it's our first of these units in our network.

I've noticed we are seeing some transmit discards on two of the three interfaces. Not huge amounts but enough to make me concerned. At times it has spiked to a few thousand discards in a 60 minute window.

My initial thinking was potentially the optics/modules may need replacing but I've been digging around and now I think 'maybe' the below two built in policy-maps may be responsible:

system-cpp-police-sys-data
system-cpp-police-data

If I look at these then I can see quite a few exceeded bytes and as such the exceeded bytes have been dropped.

My first question is will these show up on Solarwinds as transmit discards?

My second query is I know the built in policies are to protect the switch itself but I'm struggling to find out what has been exceeding these built in policies.

The switch is locked down and there is no access to the switch other than the 3 devices which are connected (OSPF neighbors).

OSPF has stayed up for as long as the switch has been powered on and I don't see anything in the logs showing anything which could have triggered the exceeded bytes.

It's possible I guess that the policy-map has matches from when it was first setup and the matches are historic in which case I still have an issue with transmit discards.

For now I've taken a note as to how many packets are exceeded and I can see if it increments.

I can try swapping the optics but I kind of think I'd be seeing a LOT more discards if it was an issue on the optics and probably more likely errors and not discards?

Thanks



Archer C6 Gigabit Router

Hi All, need some help please

I have 250 Mbps connectivity from my ISP. When I connect the ISP's internet cable to my desktop's LAN port - which is the default LAN port on my motherboard - I get the full 250 Mbps connectivity.

I recently bought a TP Archer C6 router with Gigabit connectivity and Gigabit ports. Through the 5 GHz frequency I am receiving the full 250 Mbps speed on my iPhone, however when I connect the desktop to the router via a LAN cable, my speeds are restricted to 100 Mbps. Any reason as to why this is being capped at 100 Mbps? Any change in settings I need to make please?

It's strange: when I connect the ISP's internet cable directly to my desktop I get the full 100% speed but not through the router - the Archer C6 claims to provide full gigabit ports. Unsure what I am missing.

Kindly help me out - Thanks in advance

SC



VLAN while using Android

Hello,

I am looking to use an Android Tablet/Phone as a field tool for connecting and setting up devices. I am aware that VLAN tagging cannot be done on the base version of Android.

However, is anyone aware of any method or application with which I can set a custom VLAN ID to use my preferred browser to connect to a network device? All of the devices we use only have a management VLAN on them and that's the only option for us to connect to.

Thank you in advance and happy new year



Tuesday, December 29, 2020

Podcasts for ccie RnS

Hi. I am looking to utilize the time (2 hours) I go for a walk by listening to some CCIE topics. Please post any links available. I have Udemy Business access but all are videos and probably difficult to understand. Any alternate suggestions would be great too.



TEG-7080ES Power Cord Retention

I am interested in purchasing the TrendNet TEG-7080ES:

https://www.trendnet.com/products/managed-switch/8-Port-10G-EdgeSmart-Switch-TEG-7080ES

I am wondering if there is a way to secure the power cord? I see a hole below the power cord port, and I am not sure if that is for any form of retention mount.

I would consider unconventional ideas also. Thank you anyone for your assistance or ideas.



Does Intel X540-T2 support 5GBASE-T

Have the card, planning on feeding it 5GBASE-T.. will it work? Looking up info and can't find anything relevant.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Good Course or Learning Resources for Network Infrastructure Foundations

Does anyone have any suggestions for good learning materials concerning the network infrastructure and technological concepts of communication service providers?

I don't want to learn about the IP protocol or DNS, I would like to learn the foundations of concepts like the internet backbones and the relevant technologies, preferably also about the business side of it.

The closest thing to what I am looking for was the "Cisco Service Provider Network Foundations (SPFNDU)" course, but I don't want to spend 800$ https://www.cisco.com/c/en/us/training-events/training-certifications/training/training-services/courses/understanding-cisco-service-provider-network-foundations-spfndu.html

The Intel® Network Academy has an interesting course on Coursera, "Network Transformation 101", but this course seems to assume all the material that I would like to learn as a prerequisite https://www.coursera.org/learn/network-transformation-101



Cisco AnyConnect, connected but no internet

Hello, Cisco AnyConnect says I am connected to the internet, however when I try to open a web browser it says “no connection to internet.” I need to connect to the internet to request a token for my VPN. I obviously cannot do this since there is no connection despite it giving the green check mark and reporting no issues.

I’ve tried everything so this is my last resort.



Trying to understand how to use static IP work from ISP

Hi, this is for my home. I was trying to host games and struggled hosting them, so I could only join games but others can't join me. So after talking with my ISP, they said I had to pay for a static IP from the ISP. So anyway, they said that all is set and that I could forward ports etc. Even though they gave me the static IP, I did try to put it in my Netgear router to use that IP, and it wouldn't work, so I went back to auto DHCP and it will get online. I'm wondering how can I configure my router to use that IP address? I could ping that static IP, and get to my main wireless page (I use a wireless ISP) based on the number they gave me. What do I need to do? Thank you.



Using VRRP during access switch migration?

We have a layer 3 campus, so all of our access switches are running VLAN interfaces which act as the gateway for each VLAN. From there, traffic is routed upstream.

We're replacing an old Cat6500 with a Cat9400 soon. The 9400 will need to have the same gateway IP as the 6500, and I'm trying to move away from a hard cut and do something a little more graceful in terms of outages. A lot of these devices have static IPs and gateways configured, so unfortunately I can't just come up with new DHCP scopes and start patching.

I'm wondering if anyone here has used VRRP for this purpose, i.e. setting the shared IP to the actual gateway IP for each VLAN, configuring the new switch as standby, and then moving devices over to the new switch and shutting down the VLAN interfaces on the old switch as we go. When everything is patched into the new switch, set the VLAN interface IPs to match the gateway IP and then remove the VRRP config.

I tested this out in GNS3 and it seems to work fine, but that is small-scale and might not be representative of some weird problems that could pop up, i.e. ARP conflicts and such.

Anyone here have experience doing something like this with access switches? Any tips for not blowing everything up?



LTE/CBRS, GRE Tunnel - Need help troubleshooting weirdness

Please forgive my ignorance on this subject; I really need some assistance with this. I know almost nothing about how LTE and CBRS work, other than the freqs, provisioning process, and that an outside controller has to kill the entire network or just a single CBRS cell if it violates certain licensed freqs. This is why there is a GRE Tunnel. The LTE Core has to have total control of this network.
We hired a 3rd party to help set up the CBRS Network. The "LTE Core" for this CBRS network is sitting on a ProxMox server with a couple of VMs and a router sitting on it. I'm not privy to the configs on this as they have not handed out any credentials for us to log into with yet. This "LTE Core" connects to a Juniper switch stack and pair of Juniper Routers with failover connections to multiple uplink providers. This equipment is what I'm responsible for.

  • Some websites that use really low MTUs don't work. https://flightaware.com/ is one of those sites.
  • Customer VPN Stability, constant dropping off of the network.
  • DHCP leasing is taking 300ms or longer. Causing a CPE to resend a discovery and never get an address.
  • High RTT when pinging in or out of the GRE Tunnel
  • And this... I've never seen this before! This is an RTT graph to Flightaware. It does this on every website and even to our core switch.


[technical inquiry] Fiber line capacity and router capacity.

Setup: I live in Jordan and have fiber internet from a company called Orange. The modem/router given is a Nokia device (Model 140W-C).
Problem: I repeatedly lose connection suddenly and the tech support says they aren't detecting a "loss of connection/service" on their side, but are suggesting that my TP-Link extender is causing compatibility issues and that there are generally too many devices connected.
Info/Troubleshooting:
a) Disconnected the TP-Link extender but the problem didn't go away.
b) The company's initial offer is just an extender I buy at their store, assuming that this should be more compatible. Honestly I'm not buying the story, this is a mere assumption, no guarantee.
My Questions:
Q1: How do I actually evaluate whether I'm having "too many" devices on the router? (I accessed the list but I don't know what's OK and what's too much!)
Q2: If I think of improving my setup and maybe changing the system by having a MORE CAPABLE main device and then maybe two or three sub-devices (multi-story house, two families), then how would I decide whether the single fiber internet subscription can handle that load?

Usually connected devices:
1 laptop via Ethernet (gives 34 Mbps on Ookla speed test)
1 TV via 5 GHz Wi-Fi
4 phones via 5 GHz Wi-Fi
6 phones/tablets via 2.4 GHz Wi-Fi



Router disconnecting and then redirects to GStatic Generate 204

Often, my router randomly disconnects from the internet. Whenever that happens, I get redirected to a site called something like "Gstatic generate 204". After I restart my router usually everything works again.

What is this? Is this normal? Could this be a sign that I am being monitored or that I have a virus/malware in my network/router or some other device?

Thank you



ASA - Dynamic split tunnel + traditional split tunnel

I can't seem to get this working correctly. We already have a traditional split tunnel running with certain networks included. I want to apply an AnyConnect custom attribute to be used on the VPN group policy so that the tunnel will also include certain URLs. When users connect, however, their client is not showing these domains in the inclusion list. I thought perhaps it was because they overlapped with the IP addresses already in the split tunnel, but I tried removing those IPs from the split tunnel, with the dynamic split tunnel custom attribute applied, and this caused them to not be able to reach them at all (access requires VPN, so this proves they are not being tunneled). Any ideas?



MPLS Option A | Packet loss on specific source IP?

Hi Guys,

I'm currently reviewing 1 issue and just want to seek your inputs about the current setup and the problem.

Topology: https://ibb.co/HTTKg5b

The setup is that there are 2 ISPs involved (back-to-back VRF exchange between ISP A and B). Now the issue here is that when SIP 192.168.100.1 pings x.x.x.169 (ISP A IP) packet loss exists, while there is no packet loss when pinging the ISP B IP (x.x.x.170).

- Ping test from CE to ISP A IP

  CUST_A#ping x.x.x.169 source 192.168.100.1 re 100
  Type escape sequence to abort.
  Sending 100, 100-byte ICMP Echos to x.x.x.169, timeout is 2 seconds:
  Packet sent with a source address of 192.168.100.1
  !!.!!!.....!.!!.!...!!!!!!!.!!..!.!!...!!.!.!.!.....!!!!.!!.!.....!...
  !!!.!!.!..!!.!.!!!!.!!.!!!..!!
  Success rate is 54 percent (54/100), round-trip min/avg/max = 30/35/70 ms

  CUST_A#ping x.x.x.129 source 192.168.200.1 re 100
  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  Success rate is 100 percent (100/100), round-trip min/avg/max = 30/35/60 ms

- Ping test from CE to ISP B IP

  CUST_A#ping x.x.x.170 source 192.168.100.1 re 100
  Type escape sequence to abort.
  Sending 100, 100-byte ICMP Echos to x.x.x.170, timeout is 2 seconds:
  Packet sent with a source address of 192.168.100.1
  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

- Routing From ISP A

  Routing entry for 192.168.100.0/24
    Known via "bgp x", distance 20, metric 0
    Tag 37107, type external
    Routing Descriptor Blocks
      x.x.x.170, from x.x.x.170, BGP multi path
        Route metric is 0
      x.x.x.129, from x.x.x.129, BGP multi path
        Route metric is 0
    No advertising protos.

  Routing entry for 192.168.200.0/23
    Known via "bgp x", distance 20, metric 0
    Tag 37107, type external
    Installed Dec 27 09:01:01.620 for 2d07h
    Routing Descriptor Blocks
      x.x.x.170, from x.x.x.170, BGP multi path
        Route metric is 0
      x.x.x.129, from x.x.x.129, BGP multi path
        Route metric is 0
    No advertising protos.

So I'm thinking this could be a circuit issue between the 2 ISPs, but when I tried a different source IP I noticed that there's no packet loss. I conducted a reachability test from the CE router blocks (192.168.100.0 & .200.0) towards the ISP B IP but was unable to detect packets on both links facing ISP A. Also note that the issue also happens on both ISP A links when the CE pings sourcing from 192.168.100.x.

I do have access to ISP A and I'm thinking what could possibly go wrong. Let me know if I have missed anything.

  1. No packet loss on ISP A to ISP B p2p IP addresses / no congestion.
  2. Can BGP multipath affect the traffic? (I believe it should not, since I'm able to see the p2p and the BGP peerings are stable.)
  3. No ACL or some sort of filtering applied on the ISP A interface.
  4. IPS/FW on the customer side?

Thanks in advance



Your go to label maker...Dymo vs Brady vs Brother

Hey guys

Regarding label makers, just wondering what your go to favorite unit is in the field for cable wraps, patch panel labeling, etc. I’ve seen many videos and reviews on the Brady BMP21 and Dymo Rhino series, most of which have been in favor of the Brady.

Recently I came across the Brother PT-E300/500/550 series, which is different to the other 2 brands in that it actually laminates every label that comes out of the machine, unlike the other 2. So from what I see, because of that, the labels are much more resistant to abrasion, oily/caustic environments, etc. the labels also happen to be cheaper than the other 2 if you buy the clones. The Brady labels are extremely expensive where I am (Canada), and there are no third party Brady labels available.

Opinions on this? Which one is the best?



Stackwise Problems on Catalyst 3850s

Hi, wondered if anyone has seen a problem I've just seen at work that might offer any advice.

We have many Catalyst 3850 stacks in our HQ that we use for access layer switch connectivity. We have been doing upgrades from IOS-XE 16.6.7 to 16.12.4 without issue, having performed over 350 upgrades on this switch model, including 50+ logical stacks. Yesterday we noticed some APs dropped unexpectedly soon after the last upgrade of the day and traced it back to a 5-switch stack, which showed that a single non-master/standby stack member had been removed from the stack. When we consoled to the switch, it was in ROMMON mode.

We disconnected the switch from the stack, copied over the .bin file again, unpacked the file and updated boot parameters, rebooted it and it came up fine on its own in Install mode, as expected. We powered off the stack completely, reconnected the 5th switch's stacking cables and powered it on again, only to find that we now had the master and the 5th switch in the stack, but the other three were now showing as Provisioned, with no MAC address. Again, those switches were sitting in ROMMON even though they had successfully booted and joined the provisioned stack previously. The adjacent stack ports were showing as down and of course the other stack members were totally missing from the stack.

We were pretty confused by this point but we went ahead and manually recovered the other three switches, expecting all to now boot correctly (As the 5th one did), which actually worked for a moment, but then we saw errors in logs referring to losing connection with the standby switch (PEER_REDUNDANCY_FAILURE or similar, I'm typing from memory here). A stack member would go from READY to REMOVED, eventually return to INITIALIZING and back to READY, only for a different stack member to move from READY to REMOVED. While this was occurring, a new Standby would be elected and go through the HA Sync process. It resulted in essentially a cascading failure where the stack election process would repeat over and over again, resulting in different individual stack members repeatedly dropping out and rejoining the stack, almost as if the stack cables were damaged.

By this point, we were getting pretty late into our unplanned working time, and after testing with a completely new set of stack cables, and testing with only two switches in a stack and finding the same issue occurring, we gave up and replaced the stack completely with spare switches, and we also downgraded back to 16.6.7. This time the provisioned stack formed successfully, stayed online and we spent the rest of the night redeploying configs and testing services.

For tech info - Stack members are numbered and have correct priorities configured (15-11). Stack ports would show as down but then come back up, which seemed erroneous as we saw it with multiple switches and multiple stack cables. We checked and rechecked IOS packages, cleaned and redeployed files, verified boot parameters as well as changing out stack cables themselves. Despite having this software revision on hundreds of devices by now, this particular stack just would not behave and we eventually gave up trying to fix it and just swapped them all out and deployed on the 16.6.7 code.

Has anyone seen this happen with StackWise 3850s on 16.12.x? Other than the switch platform itself being particularly slow to boot and the log messages, there wasn't really much to go on to explain this stack re-election behavior. We are planning to try to recreate the issue in our lab and escalate it to Cisco via our Cisco partner, but we also know that there are so many anecdotal experiences of odd behavior with stacks and we might not get anywhere.

Appreciate any insight or similar experiences which might help understand what is the most likely cause.



Implementing DMVPN into a graduation project ideas.

Hello there, I'm in desperate need of help. We chose DMVPN as our graduation project idea because it was the only thing left. I have read a lot about it, but I was wondering if anyone can give me the basic idea for a graduation project using DMVPN :(



BGP Peering Issue

I have /23 IP block purchased from APNIC. My ISP is not announcing my ASN and not peering as well. But, they gave me a static public IP that has all ports open. So can I announce and peer the IP block to my ASN using the live static IP that I have?



Avaya Desk Phones blocking return DHCP traffic to data devices.

Issue is that the PC does not obtain DHCP lease information. I found this by checking the port the device was connected to and monitoring its network activity. Impacted devices will show that they did send out a DHCP lease request to (our DHCP server) but received 0 bytes of data in return.

  • This indicates that the request itself went through but the device connected to the phone did not obtain DHCP leasing information.
  • This also indicates that this potentially is NOT a networking issue as the network itself is doing everything correctly.
  • A better way to put this would be "Devices connected to Avaya Phones do not obtain DHCP leasing information".

Basically the computer does not have permission to access the internet. It still is connected and would show up as connected.

The ongoing solution/temporary fix is to either bounce the port or power the phone off and on. There are a few reasons why this works.

  • When you bounce the port or restart the phone, it requires the phone itself to obtain DHCP leasing on a Voice VLAN.
  • The speed at which the phone obtains this leasing info is much slower than that of a PC.
  • During the reboot process of the phone, since the phone has no leasing info and has not fully connected, the phone then becomes a switch and the DHCP request and return information goes through uninterrupted.
  • Once that phone obtains its leasing information, any device requiring DHCP leasing info on a data VLAN WILL NOT WORK.
  • You can verify these findings by disconnecting the ethernet cable from the computer, cycling the port or restarting the phone, waiting for the phone to come back up and connect fully and then connecting the PC. You will achieve the same results (PC will not obtain DHCP leasing information and will not be able to connect to the internet).

I do not believe this to be a networking issue as if it were one the following wouldn't happen.

  • I would not be able to see DHCP lease requests
  • The internet would not show connectivity
  • The phone wouldn't work
  • We would not be able to "Resolve" this issue by bouncing the port or restarting the phone.
  • Restarting the phone as the "Solution" strongly suggests it isn't a networking issue because once you remove the "problem" from the equation, network functionality returns and everything works as intended.

You will have to forgive me if my terminology is wrong. I know the issue. I just don't know how to fix it. I am Level 2 Help desk, not a networking engineer.

Basically everyone is fighting over whose fault this is. I'm just trying to get people to quit calling the help desk.

We use Meraki.



CAT6 wiring with 5e panel, what are the actual differences other than wire gauge

Okay, to cut it short, I know the diameter of the conductor in a Cat6 cable is thicker than in a Cat5e cable and the punch blocks in either a 5e or 6 panel/modules are spec'd to this.

BUT

In terms of operating, assuming termination creates a good connection, can you achieve cat6 speeds with a decent cat5e patch panel (Connectix, Excel etc)?

There’s nothing ‘active’ in the panels and assume it’s just down to connection qualities and reduction in noise crossover - but are the panels actually designed in this way to reflect these design considerations in the cable?

I’ve searched the heck out of this and people just say it will work at the slowest speed component, but I question how much difference the panel actually makes in real world.



ASN or networks of cloud g. services?

Hello fellow networkers. :)

Since my google-fu was too weak apparently, does any one of you know if a list exists that would classify users as connecting from a cloud g. service such as Stadia, GeForce Now or Shadow?

AS numbers would be perfect as I could just pull the networks from RIPE, ARIN, etc. then. But networks in CIDR format would be OK as well.

Thanks. :)

(Wtf is this auto-mod ... filtering posts because of keywords? As if g.-traffic wasn't relevant..)



Radius Server VLAN assignment

Hello,

I've set up .1x authentication with MAB for phones. I wanted to test what happens if someone uses the MAC address from the phones and connects to some port in the office. I thought he would be put in the VOICE VLAN which I added in the network policy, but instead he receives both VLANs and gets an address from DHCP. The port is configured with access and voice VLAN.

The test notebook I'm using has an address from the phone and will receive both vlans. Why?

  Vlan    Mac Address       Type      Ports
  ----    -----------       --------  -----
  255     xxxx.xxxx.xxxx    STATIC    Gi1/0/35
  5       xxxx.xxxx.xxxx    STATIC    Gi1/0/35



I can't understand some details of "ip route add" command.

I'm facing some problems in adding routes between different computers defined via SDN.
Let me explain: if I type

  ip route add <ip_address> via <gateway>

The <ip_address> could be one of these:

  • ip_host (i.e. 10.0.0.1), or
  • net_id, but with subnet mask (i.e. 10.0.0.0/24).

My doubt is: why must I add the CIDR notation only with the net_id? How can the machines understand the network if only the ip_host is given, without the subnet mask?

Thank you all in advance, hoping it's not OT.
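What iproute2 does with a bare address is treat it as a host route with a full-length mask (/32 for IPv4, /128 for IPv6), so the kernel never needs a separate mask for it. Here is an added example (my own code, not from the post or from iproute2) that mirrors that parsing with Python's ipaddress module and then performs the longest-prefix match a routing table does, so you can see the /32 host route win over the /24 covering it. The route entries and gateways are constructed.

```python
import ipaddress


def parse_destination(dest):
    """Mirror what `ip route add` does with its destination argument: a bare
    address becomes a host route (/32 for IPv4, /128 for IPv6); an explicit
    prefix keeps its mask. strict=False accepts a prefix with host bits set."""
    return ipaddress.ip_network(dest, strict=False)


def build_table(entries):
    """entries: iterable of (destination, gateway) strings, as typed on the command line."""
    return [(parse_destination(dest), ipaddress.ip_address(via)) for dest, via in entries]


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins.
    Returns (network, gateway) or None if no route covers the address."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


if __name__ == "__main__":
    # Constructed table: a /24 via one gateway and a single host inside it via another
    table = build_table([
        ("10.0.0.0/24", "192.168.1.1"),
        ("10.0.0.1", "192.168.1.2"),    # no mask given: stored as 10.0.0.1/32
    ])
    for net, via in table:
        print(f"{net} via {via}")
    for dst in ("10.0.0.1", "10.0.0.7", "10.0.1.1"):
        print(dst, "->", lookup(table, dst))
```

Running it shows 10.0.0.1 going via 192.168.1.2 (the /32 is more specific than the /24), 10.0.0.7 via 192.168.1.1, and 10.0.1.1 with no match, which is exactly how the kernel would choose between the two `ip route add` forms in the question.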



HP Aruba access point region variants

Hi All,

Wanted to know if we can use the HP Aruba 535 US region JZ347A access point in Europe?

Why are there different access points for different regions? Is there any HW difference or is it just regulatory stuff?

any comments and feedback is welcome.



Monday, December 28, 2020

ZTE Gateway MAC Adress Filtering

I'm trying to filter MAC addresses on my ZTE gateway to allow only specific devices that join the LAN to access the internet. For some reason I can't seem to get it working.

I have: MAC Filter enabled > default policy dropped > input the MAC address > protocol all > action accept > comment is device name > apply.

The devices show up in the list below with these settings saved, however the devices I add will not connect to the internet. Do I need to add source and destination IP addresses for it to work properly?



BGP Duplicate AS Number

Hi there,

I could use a little help if you could provide it. So basically the day finally came where a new client tells me their AS number and it conflicts with the AS of an existing neighbor we have. Here is the config I was going to push to our Arista until I noticed the duplicate:

neighbor 10.1.1.21 remote-as 64000
neighbor 10.1.1.21 description Client 1
neighbor 10.1.1.21 timers 5 15
neighbor 10.1.1.21 route-map client1-accept in
neighbor 10.1.1.21 route-map client1-advertise out
neighbor 10.1.1.21 maximum-routes 12000
neighbor 10.1.1.25 remote-as 64000
neighbor 10.1.1.25 description Client 2
neighbor 10.1.1.25 timers 5 15
neighbor 10.1.1.25 route-map client2-accept in
neighbor 10.1.1.25 route-map client2-advertise out
neighbor 10.1.1.25 maximum-routes 12000

Does anyone have an idea of how I circumvent this on Arista EOS without involving them? Thank you!



Pause no-drop Nexus

Hi, I've almost come to the end of studying QoS on Nexus and have a couple of final questions regarding it...

What does the "pause no-drop" command do? And if it's something to do with "lossless" packets, then could you fill me in on what lossless is, because that's something else I'm not up on. As far as I know it is traffic that cannot be dropped, kind of like an alternative to Fibre Channel.

Thanks again



CDP Program

Anyone know a working program for Windows that can run CDP on a NIC so you can almost use it as a Fluke?



Any instances of network devices processing packets not meant for them in the real world?

I’m studying for my CCNA and the instructor is going over the OSI model. He’s discussing things I already know about encapsulation at each layer and how a packet is packed and unpacked on the sender and receiver. He mentioned how when a receiver unpacks a packet and looks at the MAC address or the IP address, if that packet is not meant for it then it will discard the packet. This is how it “should” work. I’m curious if anyone knows where what “should” happen doesn’t. I know with a switch, for example, a packet should not be routed to the wrong interface because it knows the MAC address. But do they ever go rogue and act like a hub? Do normal devices ever process packets not meant for them, or can they be forced to? Just seemed like an interesting attack opportunity potentially. He really emphasized the “should” part, which just got me thinking “and what if it doesn’t”. Thoughts?

TLDR; what if network devices look at whatever traffic they receive, right or wrong? Or send traffic however they want?



Notepad ++ Junos syntax

Hi,

Have you ever tried to install Junos syntax for Notepad ++ ?

https://github.com/click0/npp-udl

https://github.com/wildsubnet/npp-junos

I’ve tested these two packages but after import, the color doesn’t change on my file.

Could you help me?

Regards.



Branch OOB

Good afternoon all!

I have a branch location with a Cisco router uplink. There is a single 10G at that site coming to my hub.

When that 10G goes down, I lose all visibility to the site, which makes it difficult to troubleshoot whether it's a circuit issue or something else causing the outage.

What solutions have you used to get OOB for your unmanned branch locations? Is there a service that can use LTE to provide console access into that branch router I could deploy?



VXLAN Spine-to-Spine Design

Hey all,

I have experience deploying VXLAN, but I want to know your opinion on this design. Imagine two buildings with a pair of VXLAN leafs and a pair of VXLAN spines. There are 8 strands of single-mode dark fiber between the buildings (this will be a new deployment).

The issue is, there are not enough fibers to connect leafs in building B to spines in building A. Is it possible to just have direct links running OSPF and BGP between spines? This would allow us to have enough fiber, and also allow us to grow out each pod as needed while only needing 8 strands of fiber.

We are looking to do this with NX-OS, not ACI but I do know ACI has an option for direct spine to spine.



VLAN Connectivity Issue

I have created a network topology with three switches: 2 of them are layer 2 switches, one of them a multi-layer switch. The layer 3 switch routes between the two VLANs, which are the Management VLAN (20) and the Production VLAN (10). I can ping the switches on the 2 separate VLANs but cannot ping the hosts on each VLAN. In other words, I can't ping between PCs on the 2 VLANs. Does anyone know or have an idea of what might be wrong?



CCNP.....Now What?

So I have made a post on here before on reaching my goal of becoming CCNP certified (ENCOR/ENARSI). I have noticed that my skill set has improved drastically after reaching this accomplishment.

Now that a couple of months have passed and I enjoyed my off time from studying, what should I go for next? It seems the world of IT has changed a bunch the past couple of years and I don't want to go into the new CCIE if it won't pay off for me.

I am passionate about networking and would love to accomplish the goal of becoming a CCIE but it seems like more jobs out there are looking for AWS or Linux or Security guys than just a CCIE.

Any responses would be greatly appreciated. I have been a bit stressed about this lately now that I have come down from being extremely happy with the CCNP cert.



Current pentest tools?

Hi All,

It's the end of the year, and I find myself working this week, everyone else seems to have taken time off and it's dog slow for me since we're in change freeze, etc.

I wanted to do some external poking and see how well our Security team has been doing this year, and wanted to see if there are any new good tools for pentesting that may have come out this year I should be looking at, besides the typical nmap, Shodan, etc.



Set Cisco 3560 to dummy switch

I need more ports than my current 8-port has to offer. I have a Cisco 3560 sitting around that I can use. I want my Ubiquiti gateway to handle all the routing and VLANs. However, I have almost no CLI experience.

I have found this -

Switch2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch2(config)#interface range
Switch2(config)#interface range fastEthernet 0/1 -10
Switch2(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION
%Portfast will be configured in 10 interfaces due to the range command but will only have effect when the interfaces are in a non-trunking mode.
Switch2(config-if-range)#end

and this -

int fastethernet 0/01
spanning-tree portfast

Are both/either of these correct?

Thank you!



Cisco ISE 2.7 Timer Configurations

Hello guys,

A simple question: are there any timers that affect the authentication process?

Does anyone have documentation regarding the best configuration that can be done on the switch side in order to provide the best authentication process?

Thank you all



Cisco ASA IPV6 - SLAAC and prefix delegation

Hello fellow networkers!

So I've been given a small project of implementing IPv6 on a customer firewall.

I must admit, IPv6 is not my strong suit, and I have barely touched it since I joined networking in 2010. My proudest IPv6 moment is probably OSPFv3 in an ISP network.

Anyhow, I've got an ASA 5506 and I need to get IPv6 up and running.

I've configured the router in front, and the outside interface of the ASA. All good here, seems to be working.

On the inside my customer wants 2 things.

A /64 for the clients - xxxx:xxxx:1002::/64

and a /52 for prefix delegation xxxx:xxxx:1002:1000::/52

So for the clients I've configured the inside interface, and made a DHCP pool as well.

ipv6 dhcp pool IPv6-DHCP
 dns-server 2001:4860:4860::8888
 dns-server 2001:4860:4860::8844
interface GigabitEthernet1/2
 nameif inside
 ipv6 address xxxx:xxxx:1002::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp server IPv6-DHCP

I haven't tested it with the customer yet, but I do believe this works as well, since I see clients in my show ipv6 neighbors.

So this is where my problem begins, because whenever I want to add a prefix delegation it just tells me I can't when I have a DHCP server configured.

(config-if)# ipv6 dhcp client pd Test-prefix
ERROR: Interface is in DHCPv6 server mode

I might just be stupid, but is there any way I can have this working?



Lookup private AS numbers?

Probably a dumb question, but I’m not so much aware of this stuff... can you look up private AS numbers? I know it’s called private for a reason, but I wonder if there is still a way to look them up.



Much slower than expected remote server WAN speeds (UK <---> Canada)

My server in Canada has 100 Mbps line-speed.

I live in the UK and my internet connection is around 60/20 Mbps (down/up).

From the server I have verified that my practical line-speed is more around 95 Mbps.

If I run iperf (as server or client) between my PC and the server however, I consistently get speeds of around 4 Mbps.

If I run iperf in parallel mode -P 5 (5 parallel connections), it's more around 10/11 Mbps.

I've tried some iperf tests with specific servers that my provider gave me:

From my PC to their france-based test server (iperf.ovh.net) I got 11 Mbps

From my PC to their canada-based test server (bhs.proof.ovh.net) I got 9 Mbps.

From my server to their france-based test server (iperf.ovh.net) I got 88.6 Mbps

From my server to their canada-based test server (bhs.proof.ovh.net) I got 94 Mbps.

Why are the speeds I'm getting from my PC so low?



Some troubles configuring Cisco Catalyst AP with EWC

Hi there,

I'm looking for somebody with Cisco experience to help me set up guest wifi and some small configurations to get it all ready. Of course I will pay for this service. If anyone is interested, please send me a mp.

In a perfect scenario I should learn it all and do it myself, but it's urgent and I don't have time. Thanks



Difficulty "trunking" Brocade switch from Cisco

I'm aware that "trunking" is a Cisco thing, but that's the term I'm most familiar with to describe what I'm looking to accomplish--

I have an older Catalyst switch on IOS 15.0.2, and a Brocade ICX 6610. I want to "trunk" my voice VLAN (38) and my data VLAN (39) from the Cisco switch to the Brocade. My trunk on the Cisco side looks like:

interface GigabitEthernet0/20

switchport trunk encapsulation dot1q

switchport trunk native vlan 2

switchport trunk allowed vlan 38,39

switchport mode trunk

no mdix auto

Meanwhile, this is almost all of my Brocade config: (wow their "show run" output is tiny)

!

vlan 38 by port

tagged ethe 1/1/1 to 1/1/48

!

vlan 39 by port

tagged ethe 1/1/1 to 1/1/48

!

dot1x-mka-enable

!

interface ethernet 1/1/2

inline power

Eth 1 is my uplink, Eth 2 is my test port for the phone. VoIP functionality is much more important, so I haven't introduced "dual-mode" yet, so as not to risk complicating any troubleshooting further...

What else am I missing, presumably on the Brocade end? Thanks so much for any assistance!



So how do we put VM's on a server out on the internet?

My title probably sucks but I really don't know how to put it properly. Maybe I can explain it better like this.

So in scenarios where we've got a server (specs don't matter) and on that server we've got 4 VMs running whatever they're running. How do companies (data centres and hosting companies) actually put these out? I know that, if there is only 1 Ethernet port, you can set up VMs to share it, but this makes no sense if these VMs are for someone else.
My logical thinking:

  1. If they've got 4 VMs then they get a NIC with 4 ports, 1 port for every machine.

Or do they somehow route the traffic between VMs in a localized network (network between hypervisor and VMs)?



Sunday, December 27, 2020

What are the types of Network Security?

Network security is the process of taking physical and software preventative measures to guard the underlying networking infrastructure against unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure. Learn more about the types of network security in this article:

What is network security? Definition, methods (unifiedway.net)



Intel SFP nic question

Hello. I have an Intel X520-SR1 which already came with the transceiver Intel AFBR-703SDZ-IN2 850nm LASER PROD 21CFR(J) CLASS 1 SN: AA1243A4MYJ E65689-001. I'm trying to connect it to a NETGEAR PROSAFE MS510TX which does not have a transceiver and no cable.

My question is: I need to know a cable type and a transceiver type (for the switch); the distance is less than a meter.

Thanks for your time.

Why is SFP so complicated?



How to assign a CoS value to a threshold in Nexus?

Hi, so I have been racking my brain trying to find the answer to this for hours now and cannot find the answer anywhere. In Cisco IOS you can assign a CoS value to a threshold, and the threshold then drops traffic if exceeded based on the queue-limit (or queue-set given to it), so for example:

wrr-queue queue-limit 10 40 50 ..... setting the buffers for each queue

wrr-queue random-detect min-threshold 2 80 100 100
wrr-queue random-detect max-threshold 2 100 100 100 ..... setting min/max thresholds for each threshold available in queue 2

wrr-queue cos-map 2 3 5 ..... setting CoS value 5 to threshold 3 in queue 2

You cannot seem to do this in Nexus; the closest I've seen is:

policy-map type queuing bandwidth_wred

class type queuing 1p3q4t-out-q2

bandwidth percent 50

random-detect cos-based

random-detect cos 5 minimum-threshold percent 10 maximum-threshold percent 30

random-detect cos 6 minimum-threshold percent 40 maximum-threshold percent 60

..... where you set the buffer size for the queue and the bandwidth. Okay, that's fine, but as for setting which threshold CoS 5 and 6 belong to, I cannot see anywhere that this can be done. It just looks as if both values are assigned to threshold 1 when there are 4 thresholds available.

I'm either missing something or it really can't be done.

Does anyone have any experience or knowledge on this?

Cheers



Moronic Monday!

It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.

Note: This post is created at 01:00 UTC. It may not be Monday where you are in the world, no need to comment on it.



WiFi Card Issues

I have this wifi card and sometimes, even though I have it in the PCIe slot all the way (I have even pressed on it) and it's connected to my motherboard, it doesn't show up in Device Manager or Board Explorer in the BIOS. Even when I get it to work I have spikes in latency and dips in speed which can make games unplayable. Does anyone know what a possible solution could be? The problem started when I installed this PSU coming from this one (500w). I have the correct wifi drivers installed from the Intel website. I have checked the drivers on TP-Link too and they are the same.



Router and modem combo used as only a modem

I use a netgear cv7000v2 modem and router combo. I'd like to upgrade to WiFi 6 to get less latency and use Virtual Desktop to stream VR applications over my network. Can i use my existing modem/router as just a modem and buy a cheap wifi 6 router?



Can a router and pc have the same ip address? Packet tracer 17.8.2

I don't know if this is a stupid question. But I'm doing the Packet Tracer assignment 17.8.2 and I'm kinda confused. I gave 3 PCs an IPv4 address which I created from 192.168.0.0/24. They each respectively have 100 hosts, 50 hosts and 25 hosts. I gave them 192.168.0.1, 192.168.0.129 and 192.168.0.193 (the tracer wouldn't let me do 0.0, 0.128 or 192). So I assigned the addresses to the PCs. But in the addressing table the IPv4 addresses for G0/0, G0/1, G0/2 and the switches were blank. So I didn't know if I had to create subnets for them too. So I found the answer version of the assignment to see what they did and it just made me confused. The interfaces in the router had the same IPv4 addresses as the ones I assigned my computer. I don't understand o.o can someone please explain it to me? And can I use the same IPv4 addresses for my computer as the interfaces on the router, or is that a no go? I really need help since I'm pretty new to all the network stuff.

Thanks a lot
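The subnet carving behind those host counts, as an added example that is not part of the original post or of Packet Tracer: it sizes a subnet for each host count, shows the network and broadcast addresses (which no device may use) and the usable range, and checks that the three subnets do not overlap. The interface names are constructed.

```python
import ipaddress

# Added example, not part of the original post: carve 192.168.0.0/24 into
# subnets sized for 100, 50 and 25 hosts (the Packet Tracer numbers above).
# The network and broadcast addresses of each subnet can never be assigned;
# everything in between is usable. Which usable address goes to the router
# interface and which to the PCs is a design choice; the hard rule is that
# every interface on the same subnet, router or PC, needs a different address.
# Interface names and the "first usable = gateway" convention are constructed.


def prefix_for_hosts(hosts):
    """Smallest prefix length whose usable host count covers `hosts`."""
    prefixlen = 32
    while (2 ** (32 - prefixlen)) - 2 < hosts:
        prefixlen -= 1
    return prefixlen


def carve(block, demands):
    """Variable-length subnetting: allocate the largest demand first so the
    subnets pack without overlap. Returns one dict per subnet."""
    block = ipaddress.IPv4Network(block)
    plan = []
    cursor = int(block.network_address)
    for name, hosts in sorted(demands, key=lambda d: d[1], reverse=True):
        plen = prefix_for_hosts(hosts)
        net = ipaddress.IPv4Network((cursor, plen))
        if not net.subnet_of(block):
            raise ValueError(f"{block} cannot hold {name} ({hosts} hosts)")
        usable = list(net.hosts())
        plan.append({
            "name": name,
            "network": str(net),
            "gateway": str(usable[0]),    # convention: router gets first usable
            "first_pc": str(usable[1]),   # so PCs start at the second
            "last_pc": str(usable[-1]),
            "broadcast": str(net.broadcast_address),
            "usable": len(usable),
        })
        cursor = int(net.broadcast_address) + 1  # next subnet starts right after
    return plan


def addresses_overlap(plan):
    """True if any two subnets in the plan share addresses (they must not)."""
    nets = [ipaddress.IPv4Network(p["network"]) for p in plan]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


DEMANDS = [("LAN-G0/0", 100), ("LAN-G0/1", 50), ("LAN-G0/2", 25)]

if __name__ == "__main__":
    for row in carve("192.168.0.0/24", DEMANDS):
        print(row)
```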



Help tunneling through two VPS servers via Wireguard

Hello!

I have two identically set up WireGuard servers, both work fine on their own.

I essentially wish to create a tunnel through one, so it would be me -> vps1 -> vps2 -> internet.

So this is what I did:

On vps1 I have two interfaces, one wg0 which is the connection between me and the vps (10.0.0.x). The second interface is wg0 (10.100.100.x), which acts as a client to connect to the wg0 interface on vps2.

Both of these connections work fine, I can connect to the vps1 (wg0) and vps2 (wg0). vps1 (wg1) can also connect to vps2 (wg0).

I cannot however get vps1's wg0 to tunnel everything into wg1 and thus complete the project.

I have tried iptables and forwarding the interface, much like how wireguard already forwards eth0 traffic into itself.

I have tried routing tables.

I think I am just missing the intricacies of WireGuard itself, or my one semester in Linux networking has been completely forgotten.

Any advice?

Things I have tried:

sudo iptables -A INPUT -p udp -m udp --dport 51821 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i wg1 -j ACCEPT
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
ip6tables -A FORWARD -i wg1 -j ACCEPT
ip6tables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

And I don't know, I did some stuff with ip routing and gateways and ahhh, this is giving me a headache.

VPS1 wg0.conf

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = key
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
#USER
[Peer]
PublicKey = key
AllowedIPs = 10.0.0.2/32
#VPS2
[Peer]
PublicKey = key
AllowedIPs = 10.0.0.6/32

VPS1 IPTables:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

VPS1 IP Route:

sudo ip route
default via myip dev eth0 onlink
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1
myip dev eth0 proto kernel scope link src myip

VPS2 wg0.conf

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = key
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
#Gateway (vps1)
[Peer]
PublicKey = key
AllowedIPs = 10.0.0.4/32

VPS2 wg1.conf

[Interface]
Address = 10.100.100.2/32
ListenPort = 51821
#DNS = 10.0.0.1
PrivateKey = key
PostUP = route add -net 10.0.0.0/24 gw 10.100.100.1
[Peer]
PublicKey = key
AllowedIPs = 10.100.100.1/32, 10.0.0.1/32
#AllowedIPS = 0.0.0.0/0
Endpoint = myip:51820
PersistentKeepalive = 21

VPS2 IPTables:

sudo iptables --list-rules
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

VPS2 IP Route:

sudo ip route
default via myip dev eth0
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1
myip/24 dev eth0 proto kernel scope link src myip
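Why the chained hop never carries internet traffic, as an added example that is not part of the original post: a model of WireGuard's cryptokey routing run over a client config shaped like the posted wg1.conf (AllowedIPs limited to two /32s, 0.0.0.0/0 commented out) and over the same config with 0.0.0.0/0 enabled. Keys, the endpoint and the probe addresses are constructed placeholders.

```python
import ipaddress

# Added example, not from the original post: a model of WireGuard's cryptokey
# routing. Before an outgoing packet is encrypted, the interface looks its
# destination up in the union of every peer's AllowedIPs (longest prefix wins);
# a destination that matches no peer is silently dropped, never sent. So a
# chained hop only carries internet-bound traffic when the peer for the next
# hop lists 0.0.0.0/0, which the posted client config has commented out.
# Both configs below are constructed; keys and the endpoint are placeholders.

CLIENT_CONF_AS_POSTED = """
[Interface]
Address = 10.100.100.2/32
PrivateKey = key
[Peer]
PublicKey = vps2key
AllowedIPs = 10.100.100.1/32, 10.0.0.1/32
#AllowedIPS = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
"""

CLIENT_CONF_FIXED = """
[Interface]
Address = 10.100.100.2/32
PrivateKey = key
[Peer]
PublicKey = vps2key
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
"""


def parse_peers(conf):
    """Return {PublicKey: [IPv4Network, ...]} for every [Peer] section."""
    sections, current = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # a commented-out line is inert
        if not line:
            continue
        if line.startswith("["):
            current = {"section": line}
            sections.append(current)
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if current is not None:
            current[key] = value
    peers = {}
    for sec in sections:
        if sec["section"] != "[Peer]":
            continue
        cidrs = [c.strip() for c in sec.get("AllowedIPs", "").split(",") if c.strip()]
        peers[sec["PublicKey"]] = [ipaddress.IPv4Network(c, strict=False) for c in cidrs]
    return peers


def select_peer(peers, dst):
    """Cryptokey routing: the peer whose AllowedIPs match longest, else None."""
    ip = ipaddress.IPv4Address(dst)
    best = None
    for pubkey, nets in peers.items():
        for net in nets:
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (pubkey, net)
    return best


def carried_destinations(conf, probes):
    """Map each destination to the peer that would carry it, or None (dropped)."""
    peers = parse_peers(conf)
    out = {}
    for dst in probes:
        hit = select_peer(peers, dst)
        out[dst] = hit[0] if hit else None
    return out


PROBES = ("10.0.0.1", "10.100.100.1", "198.51.100.7")  # last one: the internet

if __name__ == "__main__":
    print("as posted:", carried_destinations(CLIENT_CONF_AS_POSTED, PROBES))
    print("fixed:    ", carried_destinations(CLIENT_CONF_FIXED, PROBES))
```

Listing 0.0.0.0/0 also makes wg-quick install a default route through that tunnel unless Table = off is set, so a box that must keep serving wg0 over eth0 additionally needs a policy route for traffic arriving from wg0 and a FORWARD rule from wg0 to wg1; that routing side is not modelled here.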


Fortigate - outbound SNAT IP translation?

TL;DR: is it possible to replace the destination IP with another in Fortigate for a specific port range?

Sysadmin here from an MSP (i.e. AIO).

The issue: We have a local Avaya PBX and a remote Avaya PBX. The Local PBX needs to communicate with the Remote PBX. I have control over the Fortigate at the local PBX and control over the local PBX itself. The issue is that the local PBX supports an H323 line to another PBX and only has an option for one IP that includes signaling and voice. The destination PBX has the function split.

Network setup: Remote PBX has 2 IP addresses - one for voice (RTP) and one for signaling (H323). Remote PBX talks to Local PBX via DNAT address (VIP in Fortigate) and there is an SNAT address for the Local PBX to Remote PBX (single one-to-one IP pool in fortigate and NAT on policy).

My hacky solution: add another rule for SNAT, but swap the destination IP to the Remote PBX if the ports are in the RTP range. Other signaling traffic will use the original IP address and SNAT rule.

Except that I can't seem to grasp how exactly to configure SNAT IP translation. Is there such a thing at all?

The return path can use the same DNAT as before.



MAC Filter on Cisco Catalyst AP

Hi there and merry christmas,

I configured one corporate wifi SSID with RADIUS auth and I want to add MAC filtering to add an extra layer of security, but I can't make it work.

In EWC I checked mac filter on wlan>AAA security and I added MACs on config>AAA>Advanced, but I can still connect with any MAC.

Anyone can help me? This shouldn't be too difficult, I did it on some APs, but Cisco is Cisco :/

Thanks



Quad NIC for pfsense

Hello everyone,

I’m looking for an Intel NIC with quad ports for my pfSense machine.

On eBay there are so many cards with different prices; since I have no idea about Ethernet adapters, maybe you guys can help me out choosing one.

I saw those 2 cards and I don’t know the difference:

https://www.ebay.de/itm/Intel-PRO-1000-PT-Quad-Port-LP-Gigabit-Ethernet-Server-Adapter-MPN-D57995-007-/143788522719?_trksid=p2349624.m46890.l49292

https://www.ebay.de/itm/Intel-PRO-1000-PT-Quad-Port-Server-Adapter-EXPI9404PT-/142109064824?_trksid=p2349624.m46890.l49292