Saturday, January 23, 2021

cisco prefix-list ge vs. le

We're a Juniper shop but have a few quagga instances here and there. Our prefix-lists are pretty straight forward and simple:

ip prefix-list CustomerA seq 5 permit 192.168.240.0/24
ip prefix-list CustomerA seq 10 permit 192.168.241.0/24
ip prefix-list CustomerA seq 15 permit 192.168.242.0/24
ip prefix-list CustomerA seq 20 permit 192.168.243.0/24
ip prefix-list CustomerA seq 25 permit 192.168.244.0/24
ip prefix-list CustomerA seq 30 permit 192.168.245.0/24
ip prefix-list CustomerA seq 35 permit 192.168.246.0/24
ip prefix-list CustomerA seq 40 permit 192.168.247.0/24

But the prefix-list can get very long, quick!

I need to add a /18 soon, that's 64 Class C's . Yikes!

Does the below prefix-list example match my prefix-list above?

ip prefix-list CustomerA seq 5 permit 192.168.240.0/21 le 24

Thank you in advance, your input is greatly appreciated!

Frustrated with Cisco's new FTD Next-Gen Firewalls

My company recently bought a pair of Cisco Firepower NGFWs to replace our EOL ASAs and I've been working on configuring them. It's been a whole mess that I won't go into too much, but at the end of the day I'm super frustrated with them and honestly wish they decided to go with a non-cisco vendor like Palo Alto, whose NGFWs are IMO, vastly more intuitive. To skip my rant about the FTD, CDO and FMC interface debacle, and how the ASA > FTD config migration options simply don't work as expected I'm left doing all the configuration including creating hundreds of objects, ACLs and NATs manually. This would be lightyears easier if I was able to do these configurations through the CLI, rather than a web interface since it would mean I could simply take the list of objects, rules, etc from the old running config and alter the CLI syntax to that of FTD and past the list in, but unfortunately it seems like Cisco has limited the usability of the CLI for configuration in a means to force you to use one of their multiple, but all horribly un-intuitive web GUIs.

The new CLI, oh wait did I mention there are 2? The FXOS for system configuation, and the FTD for "everything" else. By "everything else" I mean that is looks like you can only do some basic interface configurations, static routes, ( but no dynamic protocols) and some other items. Why did Cisco seem to have dumbed everything down in the new line of Firewalls? It's incredibly frustrating as an engineer to not be able to use the CLI as a legitimate means of configuring. It's also incredibly frustrating when you're forced to use a slew of web interfaces that are all horribly designed. /rant

Anyway, if anybody has any advice on how I can make my experience with Firepower better or other's experiences with them, please share.

BGP Traffic sharing caused major issue... any ideas?

Firstly, network diagram with description of issue: https://i.imgur.com/So5caCh.png (we're advertising our aggregate netblock to both ISPs which I didn't mention in diagram)

Hi All - turned up our redundant transit connection today with the above topology, which I thought was fairly standard, but immediately started getting tons of customers complaining about being unable to get out to the internet - intermittently. Had to turn off the redundant transit connection until I resolve the issue. Now, I think our iBGP routes may be the cause... I'm not sure how, but my first plan to test the issue is to lower the import preference so the iBGP routes are only selected as a last resort.

What I saw when troubleshooting, is I used a site called "ping.pe" to test reaching customers from various differing locations. What I was seeing, is that pings from some locations would work absolutely fine, but fail from others. Traffic I could see was ingressing from ISP A, and work to some return destinations but not others. The traceroute ping.pe provided proved that it was reaching us, it just was just failing when it reached us... which means that obviously it must have been failing in the return direction....

Just can't for the life of me figure out an actual definitive reason as to why it would work for some and not others :)... anyone had experience with a similar situation? Am I misunderstanding how this should be configured? Also I know there will be some asymmetric routing, but this shouldn't be an issue.

Newbie doubts

Hello everyone,

I am starting my way in networking. I have a bachelor CS background but never went deep in networking. Now I am working as IT support and willing to move forward in my career.

Studying for taking the A+ certificate, some doubts with TCP IP model came up in my head.

I never understood why is it explained backwards, like Application layer, where is everything starts, where the data comes out is placed last, and the physical layer, which is the layer where the data is transmitted between networks is placed first!
Also, with the physical layer, I don't get if it involves the local transmission with rj45 cables, router and switch or the transmission between networks, optical fiber and so on.

Clearly, don't getting this step is making me much harder to understand the processes involved in each layer. Do anybody knows good books or websites, bibliography related to this which could help me?

Thanks!

Cisco does not allow trunk or dynamic ports to be authenticated by Dot1x. Why? Physically protecting a trunk port on a distribution or edge network seems cost ineffective. Why not add another hurdle so Mallory can’t simply start vlan hopping if he gets to a trunk port?

I understand dot1x can be compromised via a MitM with a transparent bridge under any scenario but why does Cisco explicitly disallow enabling it (or not allowing it to take effect if the port config changes to dot1x)?

What’s the downside of complicating gaining access to the vlans on the trunk?

ICMP Firewall best practice

Ahoi,

I heard alot of oppinions on which ICMP types to allow but couldn't find a comprehensive anwser. I heard everything from allow nothing to allow all. I'm pretty sure both extremes are wrong.

I have a Router in my lab setup that terminates to the internet. It is attached to a /31 transfer network and hosts a /29 network for a few servers behind it. There are lots of non internet networks behind it too, but I guess these are not relevant.

I want to allow at least allow echo replies. But I'm not sure what I should also allow. Especially with IPv6, there seems to be a few other types that you need to allow to make things work.

So my question to you would be what types (IPv4 and IPv6) should you allow on a router like that?

Factory Reset H3C 5500

Hi, I got a H3C 5500, and I want to factory reset him, I can't access to SSH and the Web Panel. How to do plz? Thanks.

Enterprise Remote Power Switches

Anyone have any experience with remote power switches or UPS' for managing reloads of networking devices?
A common issue my team is facing currently is the requirement to power cycle modems of remote locations prior to the internet provider investigating circuit issues. We're forced to walk the local users through the process of locating the modem and power cycling it, or in some cases dispatching a technician. This all creates extra work for my team and can really drag out the resolution time.
It would be appreciated if anyone had any insight or recommendations of vendors that offer remotely managed UPS' or smart power switches.

Office Telephone Cloud System?

I have a home office with 1 number and one device. Would like to share it with a device in my physical office and access via my cell phone when away. Anyone have suggestions of a cloud based VoIP service that is very reliable, HIPAA compliant, full featured and reasonable. Have considered phone.com. Google Voice offers a Workspace option but think my number has to be a mobile number to port and I don’t have an extra device to do that with at the moment. Please help us you can.

WebRTC localConnection.setRemoteDescription(answer) pending for too long.

I am trying to implement a simple messaging mechanism between my browser (peer 1) and another browser (peer 2) on a different network. I am using Google's public STUN servers for learning.

Peer 1 does the following first:

const iceConfiguration = { iceServers: [ { urls: [ 'stun:stun1.1.google.com:19302', 'stun:stun2.1.google.com:19302', ], }, ] } const lc = new RTCPeerConnection(iceConfiguration) const dc = lc.createDataChannel("channel"); dc.onmessage = e => console.log("Just got a message: " + e.data); dc.onopen = e => console.log("Connection opened.") lc.onicecandidate = e => console.log("New Ice Candidate! Reprinting SDP" + JSON.stringify(lc.localDescription)) lc.createOffer().then(o => lc.setLocalDescription(o)).then(a => console.log("Set successfully."))

Then, I copy the generated SDP and send it to peer 2 which then does the following:

/* REMOTE_OFFER_OBJECT is the SDP generated by peer 1 */ const offer = REMOTE_OFFER_OBJECT const iceConfiguration = { iceServers: [ { urls: [ 'stun:stun1.1.google.com:19302', 'stun:stun2.1.google.com:19302', ], }, ] } const rc = new RTCPeerConnection(iceConfiguration); rc.onicecandidate = e => console.log("New Ice Candidate! Reprinting SDP" + JSON.stringify(rc.localDescription)) rc.ondatachannel = e => { rc.dc = e.channel; rc.dc.onmessage = e => console.log("New message: ", e.data) rc.dc.onopen = e => console.log("Connection opened.") } rc.setRemoteDescription(offer).then(a => console.log("Offer set.")) rc.createAnswer().then(a => rc.setLocalDescription(a)).then(a => console.log("Answer created."))

Peer 2 copies its generated SDP and sends it to peer 1 which then attempts to set its remote description:

const answer = REMOTE_ANSWER_OBJECT lc.setRemoteDescription(answer)

The last statement keeps pending for too long and doesn't stop. It works properly if peer 2 is on my same network. I might be setting the STUN servers wrong or maybe the public Google STUN servers are a bad idea. Also, the createOffer() and createAnswer() calls generate several SDPs but I only copy and send the last ones. How can I properly set up the peer 2 peer connection with somebody on a different network in WebRTC? I hope there is a solution with free STUN servers as I am doing it for learning only at the moment.

Automating 30K+ Device configurations from 1 platform to another

Hi my fellow networkerz,

A new project has come down the pipeline for the year. We are looking to build a solution to programatically take in a configuration of one device and generate a configuration for a different, yet similar platform. The configuration will not drastically change. I am reaching out here to find out if anyone's done something like this and what worked and what would you have done better/differently?

This is not as complex as going from say, a Cisco config > Juniper. More like Cisco IOS > IOSxR. Although similar...they are very different.

I hope this is the right place to ask. Anyway, I am Sr Eng with focus on automation. My issue isn't producing a tool, but I would appreciate to hear peoples war stories on similar projects. At first thought, I was simply gonna take a flat file and convert it all to structured data -> JSON and then take that and do the usual, render against J2 templates that are based off a new golden config. However....

One thing I thought about this morning, while looking at deltas: Migrating L3VPNs/L2VPNs/L3 Interfaces to new platforms with completely different port assignments (different line cards) and how do I keep their relational connection? This includes interface configuration, underlying L2 service attached to the service, etc. This is where I need ideas.

IF anyone knows of any similar open source projects out there or blogs that talk about something similar, that would be great if you could share. This project will involve 10K devices to start. Want to make sure I do this right from the start ;)

Lightweight 10G packet capture options?

It's been a few years since I researched this, and wasn't able to come up with anything useful then. I just did some googling and found these: https://www.profitap.com/profishark-10g/

sounds promising, but no idea what the price is like.

I'm looking for something lightweight and cheap enough I can afford to deploy a few dozen of them around. Obviously the 'profishark' would need a laptop (or SBC maybe?) to go with it, etc. Are there any other products I should be looking at?

edit: I should add that intent here is adhoc troubleshooting. So stuff like GPS timing isn't at all necessary. Mostly just proving "you say you're tagging these packets... but you're not", MTU disputes, TCP performance, etc.

Smaller DC without spines or routers

Hyperconverged stuff goes smaller and smaller all the time, so now we're building a small DC with 4 to 8 switches. I'm thinking of doing this without any spine/leaf architecture, just connecting "leaf" switches to eachother as switches usually have 8x100Gbps ports. Also our bandwidth requirements are not filling the 100Gbps links so it probably doesn't matter if we need to jump through another "leaf" switch get to the last one?

As we have Aruba access switches + Aruba WLAN I've been looking into Aruba CX switches for DC too. I've verified the setup with few 6300F that also support EVPN over VXLAN and everything seems to work great.

One option would be to just use 2x 8400 modular switches. What are your thoughts about this kind of setup? In this scneario we would have MPO trunks from other racks to the rack housing the modular switch to not have so much cabling to do. Even one would probably have enough ports but at least with two running in a VSX pair you limit a bit the effect of someone doing an incorrect configuration and bringing the whole DC down :)

Also having a separate router for internet seems bit wasteful, we're just getting default route from the ISPs. Any thoughts why this would be a bad idea to connect the ISP router to DC switches? Probably 1Gbps links. I guess we could do a virtual router in case in the future we need full BGP tables for some reason?

Thanks for any thoughts!

Site-to-Site bandwidth diagnostics

I'm trying to gather some bandwidth metrics on one of my remote sites. The site is mainly composed of old cisco routers and switches, and a couple of servers hosting CentOS 7 VMs. It is not connected to the Internet, but I could scp some packages if necessary.

The connection right now is extremely slow... For now, I'd like to establish a network performance baseline and diagnose from there. Would anyone know how to do this natively, either on a Linux machine or a Cisco device?

Cheers

Slow network

I have my ISPs modem/WIFI router set up as DHCP server, and connected to another WIFI router (in bridge mode) via an unmanaged switch.

Connecting to the Internet via the secondary WIFI is very slow, and ARP requests have been suggested as the bottleneck in other threads in other forums.

What should I do? Upgrade my switch? Abandon bridge mode?

Friday, January 22, 2021

Looking for a Cisco Router that has LTE, IP sec VPN capability, and is FIPS 140-2 certified.

Title pretty much says it all. I'm familiar with the Juniper SRX line, but I'm considering making the jump to Cisco if it is comparable in price. Any suggestions would be appreciated, thank you.

New ISP, bad site to site performance. What data should I be collecting?

SMB here, we have three office locations. Two of our satellite offices (Sacramento and San Jose) switched to Comcast Biz Gigabit service early summer 2020, while our main site Livermore remained on our original ISP (TPX 50/50mbit) while Comcast did construction to bring two, one gigabit, circuits into our building.

Construction completed a few weeks ago and both internet and phone service were recently brought online. We made the switch from TPX to Comcast in the Livermore HQ this week. We immediately discovered that our site to site performance completely tanked.

I've been doing my best to eliminate any possible hadddrdware issue on our side, so all of the following IPERF3 tests were done directly connected to the Comcast gateways (not behind any firewall). I also added one other location/ISP (Sonic 1Gb symmetrical) to illustrate that I think this issue is within the Comcast network.

Sender	Receiver	Bitrate/sec
SJ Comcast	Sonic	40.7 Mbit
Sonic	SJ Comcast	400 Mbit
Sac Comcast	Sonic	38.7 Mbit
Sonic	Sac Comcast	356 Mbit
Liv Comcast 1	Sonic	33.9 Mbit
Sonic	Liv Comcast 1	98 Mbit
Liv Comcast 2	Sonic	40.8 Mbit
Sonic	Liv Comcast 2	87.4 Mbit
Sac Comcast	SJ Comcast	9.36 Mbit
SJ Comcast	Sac Comcast	8.8 Mbit
Sac Comcast	Liv Comcast 1	913 *Kbit*
Liv Comcast 1	Sac Comcast	1.68 Mbit
Sac Comcast	Liv Comcast 2	620 *Kbit*
Liv Comcast 2	Sac Comcast	1.78 Mbit
SJ Comcast	Liv Comcast 1	772 *Kbit*
Liv Comcast 1	SJ Comcast	2.09 Mbit
SJ Comcast	Liv Comcast 2	702 *Kbit*
Liv Comcast 2	SJ Comcast	1.78 Mbit

I understand that this Comcast product isn't an enterprise-level offering, but what the heck, we're talking less than 1Mbit when coming from our remote sites into either of our new HQ gigabit lines. It's clear that there are no hardware issues with my systems, when connecting to the Sonic ISP I'm getting "reasonable" (or at least livable) transfer rates.

Are there other tests that I should be running to help equip myself for the uphill battle with Comcast that I'm about to undertake?

Thanks!

Intermediate To Advanced Packet Capture Analysis

I have a couple of situations where I need to analyze some packet captures but I don't know how.

1

I want to measure baseline network performance by capturing all SYN and SYN+ACK packets on a host for 60 seconds, showing me the round trip time. But I want to capture, or display filter, only the SYN/SYN+ACK packets where the monitoring device sent the SYN packet and received the SYN+ACK back. Meaning, the monitoring device is in normal daily use, it is receiving a lot of SYNs and sending back the SYN+ACKs back but I don't want to see those since they don't tell me anything about round trip time. I can't figure out how to do that.

2

I have packet captures of hundreds/thousands of short SSL sessions where maybe 50KB of data is transferred. How can I get a summary of the length of each of the TCP sessions? We're seeing some sessions complete quickly as they should since it's only 50KB of data, but we see other sessions that last 5-10 seconds. I'd like a simple listing of the length of each session to see if there is some kind of pattern like a particular time of day when the delays occur. I've been using Wireshark to look at each session manually but like I said there are hundreds/thousands.

Thanks for any advice! I'm guessing python might need to be involved, which I'm willing to learn for these purposes

Penguin Computing Arctica 4804x-r Initial Configuration

I just got handed this switch from Penguin Computing. The model is Arctica 4804x-r. It is a 44 ports 10 Gbps switch with 4x 40 Gbps ports.

Naturally, it came with no cables or manuals. I can't seem to find any manual for it on the Internet either. Does anyone get any idea how to install Cumulus Linux onto this thing?

For starters, I need to connect to the console port, which I am able to do so far. Does anyone know the setting to connect to the console port? I tried 9600-8-N-1 as well as 115200-8-N-1, but got no luck so far.

Also, which Linux version should I install on this? Cumulus is recommending this version: 3.7.13. Not sure if it is the right one.

Thanks for any help.

DNA Center Deployment

Having a tough time getting going with DNAC. I've gotten the server setup correctly with the various cabling/IPs/certs/basic settings etc. I'm going through the only two guides I can find but still have a rough time fully understanding workflow for existing devices (imported via discovery) and new devices (all the switches we'll be ordering and hopefully provisioning via ZTP)

Here's what I'm using:

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-1-2/user_guide/b_cisco_dna_center_ug_2_1_2/b_cisco_dna_center_ug_2_1_1_chapter_010.html

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/dnac-network-device-onboarding-deployment-guide-2020jun.pdf

What am I missing? For ISE, I found a ton of information online and got a great book from Amazon. It was a lot to learn but the material was there. For this it's like sorting through scraps. Just really expected to find more information but if what I linked to is all there is I'll continue making notes and labbing to try and fully understand it

TIA

Avaya ERS 4850-GTS-PWR+ 802.1aq SPBM Homelab firmware issues

Hello,

My employer is switching to Extreme 802.1aq Shortest Path Bridging MAC in MAC (SPBM) equipment and I was looking for cheap gear to build a homelab and really play with SPBM since it is quite a bit different then traditional OSPF.

I was able to buy a cheap Avaya 4850-GTS-PWR+ switch from ebay but to get it to the latest code which I have access to from work requires an intermediate firmware of 5.6.20 which isn't available from either Avaya or Extreme. Does anyone still have 5.6.20 stored somewhere that I can discuss getting via PM

Thanks for your time

Todd Smith

Cisco 3750 Switch: How do I enable TLS 1.2?

I'm trying to configure a Cisco 3750 Switch and resolve a vulnerability regarding traffic encryption. However, I'm having a lot of trouble and can't find any documentation to help me on this. Typical commands to configure TLS aren't working and documentation on this device isn't providing me with any information on how to set up TLS 1.2 on the device, so I'm hoping someone here can help me out!

Setup private network in residential area

We are planning to change all the access points in residential area. We are looking for a way where we could provide separate network for each room so that their devices can communicate with each other like Alexa, Refrigerator, etc. Since we want to control the traffic, putting up router is not an option. We are looking to create single VLAN for each room, but things keep getting complicated. Any ideas for efficiently carrying this out are welcomed.

Intent Based Networking

Can anyone simplify or explaining what the term of inteent based network means? As its currently used in the market and seems to be the next trend.

Azure oauth2 VPN authentication with new SMB firewall

We currently have a Cisco ASA (5512) firewall at our SMB which is EOL. Besides firewall functionality we use the VPN quite a lot. Since we use Azure/Office 365 for 90% of our business, it would be great to integrate Azure oauth2 authentication to our VPN so that end-users have just one username and password (with MFA) for most services.

Because the ASA is EOL, it's time to search for a new firewall solution, preferably with the possibility to authenticate VPN users via Azure. I've seen some documentation on integrating the ASA's VPN ( Configure ASA AnyConnect VPN with Microsoft Azure MFA through SAML - Cisco ), but I'm also kinda curious about other brands like Fortinet and Palo Alto. I've read some thing about Fortigate being picky on only supporting their own MFA system.

Are there any brands of firewall that provide this functionality in a pretty straight forward manner, without requiring any on-premise infrastructure (beside the firewall of course)?

Software to manage switches in an air-gapped network

We have a network that can not connect to the internet for security reasons. It has been growing for a while encompassing about 100 network devices now, 99% switches from HP. We are planning to acquire a management software to reduce maintenance work and get more visibility. I was checking out Aruba Central but it seems to be a cloud app, so I guess that is out of the question. I feel like HPE IMC might be the best candidate, but it seems to be very heavyweight. Would appreciate to hear experiences of people managing switches with HPE IMC or recommendations of alternative software.

Network monitoring - Very simple level with ping and text output

We are looking for something specific network monitoring wise and want to see if there is an option before we end up spending some cycles writing it.

Monitor ~200 IP addresses for ping drops.
Ping drops are logged and counted. Thresholds can be set for alerting when x amount of pings are dropped in a row.
Email functionality to send when x threshold is received on dropped pings.
Able to perform ping sweeps every 5-10 seconds (This has been a deal breaker on most)

Pretty simple but having problem actually getting a lightweight and always running program that can do this without a bunch of other fluff in the way (WUG, PRTG, etc). Cost isn't a very big issue right now as we are planning to replace some high cost items or end up using a lot of engineer hours to write something new. Just in the exploratory phase right now for figuring out next steps. We already have tooling for SNMP monitoring but even tuning the email portions it is WAY too noisy for our low tech skill noc.

Thanks!

Questions about DC redesign

Hi all,

I'm in a position in my company where I'm having to redesign and implement new equipment within the DC. The reason is it's never been done properly and long overdue. I've just started at this company at the beginning of Jan. Here are some facts to take into consideration:

- Company has 1 DC (doesn't look like there will be any need to expand/stand up a new DC in the next 3 - 5 years)

- AWS instance which is used to segregate another application & data that company have (it was built in AWS just in case it was ever going to be sold off to make it easier)

- Company has 2 offices which are currently connected via Meraki 'SD-WAN' these then connect to the DC.

New network equipment looks like this:

2 x Internet Lines from separate ISP's

2 x Cisco 2130 Firepower's

2 x Nexus 5672

8 x 2208 Switches

I've drawn a diagram of how I see everything logically connecting to each other, but I just want to make sure I'm heading in the right direction.

https://imgur.com/a/Axjngh2

I've got a few questions that I've tried to look up but can't really get a definitive answer:

Should the internet circuits be terminated directly on the firewall? I've read up that this is fine to do given NGFW's are a lot better than older firewalls

Given the size of the estate mentioned above, should I be using BGP? It allows for possible expansion in the future, currently, static routes are being used which I would like to get rid of

If yes to the above, where should the BGP be taking place? On the firewalls or on the Nexus'?

Thank you for taking the time to read through this, I've been in the field a while, but this is the first time I've been a 1 man band so to speak and I would really like to get this right.

Deny outbound by default - question?

We have a lot of small business clients who often have a single Draytek router/firewall - by default outbound traffic is set to allow all. Recently we setup some firewall rules on a clients guest wireless network to only allow 80/443 outbound. This caused several issues with things like iMessage, WhatsApp on staff mobiles and some other services.

So my question is, when setting a default deny all outbound how do you know what ports to allow for all the different services? Do proper firewall/UTM solutions have built in rules to easily allow this kind of traffic or is it a manual process of seeing what doesn’t port and finding the ports it uses?

Are there any reasons for a router to change the value of TCP-CHECKSUM?

I had a multiple choice question in a test that went like this:

Which of the following fields in the SYN packet(TCP) will NOT be modified by the router?

All of these fields will be modified by the router
Source MAC
IP TTL
TCP Checksum

Also, I know the following information about the router (it might not be relevant to this specific question cause there were more questions)

IP address range 96.214.187.144/29
router at IP address 96.214.187.151
The router also serves as a DHCP server

I chose answer number 1: All of these fields will be modified by the router, but apparently the correct answer was TCP Checksum.

I want to know if I have something to "cling" to , to justify my answer. maybe a firewall could have change that? maybe nat? (cause that what I remembered when answering the question)

AMD vs Intel for CML/VIRL?

I'm looking at building a new home PC and my cornerstone will be the processor, which leads me to the choice of AMD vs. Intel. From what I can tell, the newest r9 5900X looks like a beast. But upon doing some searching, I've read of issues with Cisco images, on AMD based computers, in CML/VIRL not booting properly and requiring work arounds to get them to run. I'm wondering if anyone on here is running AMD based computer with CML or VIRL and having any issues with the images? I am specifically using CML at the moment.

Asking the right questions

So they left me in charge of the technical part of the interviews for the first time and I need help with some questions. The HR selected and weeded out the candidates and this is the second interview phase. I have some specific questions to do with the environment we are currently in but what should a CCIE certified candidate already know that I can ask them.

I have stumped a candidate before with a layer 1 question before which goes liked this: The server team has configured and replaced a faulty server, the network team even replaced the network cable for the new server but the network is not working. What should you check to resolve the issue?

Not sure if it's my phrasing of the questions but this happened irl, the cable wasn't crimped properly. The candidate was talking about the configuration of the server disabling and enabling network cards. He skipped the glaring clue in my question about the cable being changed and didn't even talk about the switch at all. I also kept repeating that the server is configured properly. All my questions revolve around real issues that happened to us before.

I am going to have to submit my questions to my boss before the interviews start, if you can help me out or just some advice. Thanks.

ISP Bandwidth Prices

We are a small ISP. And the bigger ISP we are buying bandwidth from makes us pay different amount for Youtube Bandwidth, Tiktok Bandwidth, facebook bandwidth and International bandwidth. I'm just wondering if its just like this in the ISP Business or do ISPs pay for bandwidth as a whole?

When should we create a network baseline in an enterprise network?

this was a ccna question but I couldn't remember the correct answer. Some info would be nice.

Network scanner (just for IPs + hostnames)

Hey Guys,

I'm looking for a tool to scan our entire company network continuously to get an overview of the devices in the network together with information when they have last been seen.

Information I need: IP, Status, Hostname, Last Response

The tool should scan the whole network and store that information for clients that are no longer reachable as long as no other client is reachable under the same ip.

Solarwinds used to have a IP Address Management Solution as part of the engineers toolset which offered exactly this functionality, but it looks like it is no longer supported nowadays.

They still have a solution that would fulfill the requirements, but it is a full blown IPAM which I don't need and don't really want to pay for as the price seems to depend on the amount of IPs in your address space.

Tools like Angry IP Scanner are pretty close, but they are missing the last seen information which is important for me.

Does anyone have any suggestions for an open source solution which would offer this basic functionality?

Thanks in advance!

Thursday, January 21, 2021

ASA code skill useless in the future?

Hi, as someone who is very good (at least I class myself as that level now) at ASA's and can do almost anything on the CLI wise without even having to look at documentation anymore these days to...Are Cisco going to be getting rid of the ASA CLI and replacing it with their NGF Firepower range fully in the future in anyones opinion. I don't mind Firepowers to be honest! I think they're very good, I just mean purely from a point of view of knowing how good my ASA code knowledge is, will that all become obsolete or will the ASA still exist in the future do you think?

Thanks

Design descisions I've seen

Hello Gents and Ladies,

I have two design questions that I want to run past you all. I want to know the pros/cons and how I deploy.

I have a client that uses Palo Altos to terminate 10G Internet circuits. I have heard of people landing circuits on firewalls but I have never seen it done. I'm used to a router at the edge, either doing BGP or static and then a firewall cluster as you move inside. What have yall seen?
The same client has each firewall directly connected to each other through HA. I have seen each HA interface talk over an L2 switch (dedicated VLAN). What are the pros and cons of each that yall have seen?
MPLS for traffic isolation. I usually follow the KISS model when i design and I often find introducing MPLS for traffic engineering and isolation to be a bit overkill regardless of the number of tenants you have - Of course service providers and hyper-scale customers are in a different league. I'm referring to Enterprise environments. Say I have 200 customers, whats the advantage here of MPLS?

Enabling cleanair caused endpoint latency and packet loss

Today I noticed that cleanair was disabled on my 5508 WLC running 8.2. We just replaced the aging 1142's with 3802i's and users were complaining about signal quality and bandwidth. I enabled cleanair on both 2.4ghz and 5ghz bands.

The next two hours were quiet and then all of a sudden a specific portion of the building and only embedded windows devices were experiencing higher than average latency and timeouts. Disabling cleanair resolved the issue. The problem here is, I'm not sure why CleanAir would have done this. From my knowledge, cleanair surveys the environment for interferers and sets channels based on what it hears.

Any idea? Anything you think I should look at?

Split Tunneling For Cisco Jabber

Hey guys. I have a quick question about split tunneling in Cisco ASA for a Cisco Jabber implementation on remote VPN clients. We have a cisco ASA that has Cisco group policy for remote VPN users with the option to tunnel all DNS queries over the tunnel. Everything is working fine but now that we want to implement Cisco Jabber on these VPN clients, in Cisco’s documentation, it says we need to make the queries for the expressway go directly to the Internet instead of going over the tunnel, it is part of the requirement. We first have tried to implement a DNS query block on the firepower module so that it doesn’t traverse over the tunnel but still we keep getting domain not found replies and doesn’t fallback as we were expecting and use the DNS of the physical interface. Has anyone had similar implementation and was able to find a work around for this issue ?

Makeshift Packet Broker?

I’ve read on here before that you can reuse retired data center switches, like N9Ks or QFXs as a makeshift packet broker switch to save a bunch of money buying a real one for your monitoring systems.

How does that work exactly? Do you just configure SPAN/Port Mirroring on a set of interfaces, plug your TAP outputs into those interfaces, and then configure the SPAN output ports to feed the monitoring system?

Would that actually work?

Usually you do port mirroring on revenue ports passing actual traffic. If you just configure SPAN ports and dump tap output into them, will that actually work?

I’m trying to envision in my head what the behavior would look like. The switch is going to receive a bunch of frames from the TAP output, frames all destined for mac addresses not present in the forwarding table, which would result in unknown unicast flood... frames with all manner of vlan tags probably not configured which would result in discards, frames that could be multicast etc... would port mirroring properly replicate all these to the output interface? Or would the forwarding rules of the switch get in the way, I.e it’s not going to be a passive replication of the tap traffic, we’d muddy that up with BUM traffic from the fake broker switch, we’d miss out on discards etc, and of course all the other drawbacks of SPAN like not getting malformed packets, etc.

How would you configure the interfaces? All ports access mode, each in their own VLAN to avoid cross-TAP BUM traffic from flooding to the other interfaces?

Also from a layer 1 point of view, would this even work? Would an in-line TAP output even bring a port on a switch to an up status? We’d only be receiving light from the in-like TAP. I’m not 100% sure if that would even bring the port status as up?

Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.

ASA 5512/5515 AnyConnect replacement without FIREpower?

Looking for what to buy for a full AnyConnect shop using ASAs only for RA VPN. Can you get the new 1120s without firepower? These would be for smaller remote offices with less than a 100 users/sessions at any one time.

DPI Fortigate?? - Certificate Deploy Mobile Device to School

First, my English is bad, I used Google translate.

I have implemented fortigate devices with content filtering and it works fine. Right now I am implementing a 60F in a school, and the content filtering works great when I apply DPI (I have to install the certificates). I understand that with GPOs I can distribute certificates to computers. But in this school the students carry their cell phones and need to access the network. To block traffic or even enable safesearch I need to install certificates on those mobile devices. How can I do this in the simplest way? I know I can enable DNS redirects for safesearch to work, but I WANT TO USE the full filtering that fortigate offers me. The number of mobile devices is large, so I would like to enable a site where the same students can download the certificates without the intervention of IT staff. Is it a very complex option? because nowhere have I found an answer to this.

Advice on Cisco Security Role Certifications

Hi everyone

That time of the year has come around and I have to get one of these three certifications. Implementing Cisco Secure Access Solutions exam (300-208 SISAS), Implementing and Configuring Cisco Identity Services Engine exam (300-715 SISE), Securing Networks with Cisco Firepower exam (300-710 SNCF). I'm currently leaning towards SNCF because I have some firepower experience but I would like to hear what some you think about them.

PS: I also am trying to take in account which certification is most practical and useable.

Thanks in advance.

Small business networking setup

Hi all,

Doing a setup for a business and am a bit confused on how best to do this.

Dsl is all they have to work with in the area and currently running a modem router combo to use voip office phones, a file server and wifi. There is a wifi booster on upper floor but it uses a different ssid than the main unit.

I need to bridge the lan to a building behind the main building about 50feet away and I ordered a ubiquiti nanostation to mount on the outside to connect wirelessly to the main network and drop ethernet to a control panel on a kiln. The idea is to be able to read data off the kiln from the main network.

What am I missing with the general networking setup inside/ will the nanostation solution work ok?

Thanks in advance

Need help extending L2 (arps, broadcasts, etc.) traffic from lab to AWS VPC subnet

Hello all. I hope someone can help me or point me in the right direction. So what we're trying to accomplish is what the title says, bridge our lab network with a network in the AWS cloud. The reason being, we'd like to be able to capture L2 traffic on an instance in AWS that originates from our lab.

Here is our current setup:

LAB-SN(10.10.10.0) -> RTR -> VPN TUNNEL -> AWS_RTR -> AWS-SN (10.10.10.0)

Some things to note:

-both networks, cloud and on-premise, need to be on the same network

-both routers have LISP enabled and is working as intended

---Local router is the xTR, MS, and MR

---AWS router is the xTR

-OSPF is configured and neighbors are seen on both routers

The big question is, is there a technology or feature that I need to be using to accomplish this? As you can tell, I thought LISP was going to allow us to do this but the L2 functionality isnt working as intended. I'm looking into OTV/LISP but I dont think we have the hardware to support this. Any help will be greatly appreciated! If you have any questions, lmk. Thanks again!!!

Adobe Flash from mainland China - via Zscaler Hong Kong

The company I work for has a rather larger operation in mainland China.
The users at these locations are using apps that runs on cloud/servers in mainland China.
These apps requires Adobe Flash.

From my understanding they have purchased and enterprise version of Adobe Flash that runs on their computers.

Running and accessing the Flash based apps on the servers is working fine when they are outside of the corporate network.

Our locations in mainland China access the Internet via Zscaler in Hong Kong, and I guess that Adobe is doing some checks to verify that one originate from a mainland IP.

I can (probably) solve this by routinge the required Adobe IPs directly on the Internet, or via a Zscaler node in Beijing/Shanghai.

Reaching out to Adobe Support has, so far, been fruitless.

Has anybody in here come across the same problem, and if so - been able to solve it?

/Kenneth

Tool for locating underground Cat 5?

Hey,

Typical toners like the Fluke MicroScanner are not sensitive enough to locate buried Cat 5 (which makes sense, that's not the intention of the device). Has anyone used found a reliable tool for this? The goal is to locate a Cat 5 cable underground, and both sides of the cable are accessible (so I have the ability to connect both the toner and a receiver on the other end).

Thanks!

Aruba (Procurve) 2530 SSH from internet safe with no firewall?

I have never hung a switch out with direct internet access without a firewall before.

That is, every switch I have installed in the last 10 years has been behind either a FortiGate, PF, or similar and with no direct access to the management VLAN.

For reasons (remote location, no other OOB) I need to do it now. This would be an Aruba (formerly Procurve) 2530 with fairly up to date firmware. I tried looking over the current CVE but I think I need more sleep first. Web interface would be disabled.

This would actually be two 2530 switches replacing a pair of fiber media converters so that we can get some actual interface statistics.

ISP <--> 2530 <--> fiber <--> 2530 <--> bunch_of_other_crap

Ok? Horrible?

[Question] It is possible to connect a device to a router using WDS Bridging via lan cable , and get internet through it?

First of all, sorry but im kind of a noob in networking and i dont know the offical terminology, that being said, let me explain you my issue: I have a router in a room, which delivers internet through ethernet cables and wifi to various pc's, i also have an old router which im using as a wifi extender via wds bridging, because i dont have space to put another eth cable, however i have a device which cannot connect to the network via wifi, and needs to use an ethernet cable. Now here comes the question, is it possible to connect the device to the old router via an eth cable and connect to internet through it?

Any thoughts on current best practice surrounding iSCSI segmentation when moving to 40G or 100G?

Conventional wisdom for years and years has been segment your iSCSI traffic onto separate physical interfaces/hardware. Never combine iSCSI and your data traffic onto the same NIC. This worked well in the 1G days, and this thinking extended as the industry moved to 10G. I remember hot debates whether or not jumbo frames were still relevant once you moved servers and storage into 10G.

Now that 40G/100G is cheaper and cheaper our organization is moving our SAN's over to 40G. Our VM host servers are currently running 4x10G. active/passive for DATA, and active/passive for iSCSI. I'd like to hear from others that have moved their servers to 40G or beyond and what you're doing as it relates to iSCSI and DATA traffic sharing the same physical 40G interface. Are you continuing to segment on separate physical interfaces? If not, have you noticed any performance issues when DATA and iSCSI share a single 40G link? Or have you seen that once you move into 40G that your bandwidth is now more than what your servers can push and thus it's safe to bring iSCSI and DATA back onto the same physical interface?

(All the above is assuming enterprise datacenter level hardware, i.e. Cisco Nexus, Intel/Broadcom/Mellanox NIC's, ESXi vSphere clusters, etc.)

Cisco Nexus to Juniper QFX5100 with 40 Gbps

I may have to source optics to connect Cisco Nexus switches to Juniper QFX5100 switches.

The intention is to use existing multimode fibers for some of the links, as well a single mode links for the other links.

For single mode, I've eyed these modules:

Cisco WSP-Q40GLR4L=

Juniper JNP-QSFP-40GE-IR4

They appear to have the same characteristics, SMF and LC connectors, using four different wavelengths in the 1300 nm range. They are rated for up to 2 km, which is plenty in this case.

Can anyone say for certain these will create link, or for certain say they are incompatible?

I've also looked at the equivalent third party generic part, apparently QSFP-IR4-40G.

For multmode, there are a few options.

Cisco QSFP-40G-CSR-S

Juniper JNP-QSFP-40G-LX4

To me, this looks an awful lot like BiDi modules, which would be these.

Juniper JNP-QSFPP-40G-BXSR

Cisco QSFP-40G-SR-BD

Same thing here, MMF fiber using LC (don't really want to deploy MPO cables). Also, same question as with SMF. Will this work at all? If yes on both options, is any one of them preferred? The switches are likely in adjacent racks.

Any experiences with the Cisco Nexus 9300 FX3S model?

Hello,

I'm in the market for new Nexus 9K switches and while I was looking to buy 9300-EX, I came across the newer FX3S: https://www.cisco.com/c/en/us/support/switches/nexus-93180yc-fx3s-switch/model.html

However, it seems there is not much info about the model at the moment other than the datasheet. I was hoping for some Cisco Live documentation or other info, but couldn't find any. Does anyone have more info or experience with this model? Is it using the same silicon as the regular FX? The listprice is nearly the same as the EX series and cheaper than the "regular" 9300-FX. Looking at the specs it is an obvious upgrade from the EX series for nearly the same price. Any hands-on experience is highly appreciated.

It seems to be targeted at the lowlatency market, but at the same price as the EX it seems interesting for other markets too.

Thanks a lot!

[Question] Can we create Multiple VPC domains on N9K

Hi All,

I am currently at the center of a deployment for N9k switches and In that we are planning to configure VPC between 2 switches and also VPC with upstream core switch too. I need to know if can create 2 VPC domain. I have never done dual VPC domains on N9k thus I am not sure about will it work.

I have tried to configure this on one of the switch and it failed as it displayed 2 vpc domains cannot be configured simultaneously.

Can you help me with a example or link to one. That would be helpful, Thank you.

Understanding of Telco / ISP setup with broadband - Can someone explain the physical setup (UK)

Hi all,

Slightly embarrassed to say that in all my years as a network engineer, I don't understand the physical setup of how 'broadband' is provided to a home user. I understand campus and security technologies but when delving into WAN's or ISP land i'm miffed!

I'll explain my understanding and hopefully someone can expand on this or just outright correct me :)

I will refer to broadband (not fibre) as it's the copper layout and the path to the exchange/ ISP I want to understand.

I'm going to use a block of flats to as a basis to try and understand/explain how I understand it.

So from a customers flat they'll usually have at least a pair of copper cables from a BT socket, which will terminate into a junction box. This will either be a comms room on the premises of the flats or one of those green telephony boxes usually located in the road. I'm assuming this copper pair is usually run no longer than 100m in the same way that UTC runs should not be longer than 100m?

From there the local loop is used which is copper? to the local telephony exchange into some sort of switched housing where it's handed off to an ISP router? if the above is loosely correct, when it comes to the local loop, generally speaking how much bandwidth can it support?

What I don't understand really is how certain ISP's can offer X amount of bandwdith but others can offer an alternative amount when the copper lines remain the same to the exchange? Do they own an amount of cabling or bandwidth for the local loop?

Sorry a lot of daft questions, but any advice or decent resources to understand this would be greatly appreciated.

Cisco 10G SFP module

About 10g Cisco SFP module, Want to know what is the general heating temperature range your have?

Below is the specification:

Data Rate: 10gbs

Interface: copper RJ-45 connector

10GBase-T module for CAT6A/CAT7/CAT8 cable.

dns setup

I have a stupid question am I able to use more than one DNS from two different providers for the same domain without setting one up as a slave?

SAML authentication on captive portal

Hi all,

our customer wants to authenticate their employees via Azure AD SAML authentication in his guest SSID with Aruba ClearPass and Aruba WLC.

The SAML part works fine, but I can't wrap my head around how to change the User-role (basically the user ACLs) after the authentication.
The controller is configured to intercept traffic for unauthenticated users and forward it to the ClearPass captive portal. The Captive portal forwards to Microsoft, the user authenticates, and is returned to Clearpass. And then I'm stuck. I can see user data from Azure, but I don't know how I could return something to the controller.

The user is stuck on a "captive portal loop" because I never change the role to one that doesn't intercept.

The thing is, that in ClearPass there is no request from the controller that ClearPass could return a new user role to. And I also don't see any user-specific information, except what I get from Azure, so I can not cache the MAC or anything.

In ClearPass I can only see a request coming from the guest application.

Maybe I'm missing something or am I using SAML for what it wasn't intended for?

Wednesday, January 20, 2021

802.1X and Web-Auth Precedence - Same Port

Hey guys,

Wondering if anyone has experience with this.

I am in the process of setting up 802.1X authentication on the LAN for one of our clients. The edge switches they are using are Aruba 2930Fs and the NAC product they are using is called ExtremeNetworks A3. Unfortunately, I am not familiar with ExtremeNetworks so my own naivety with that could be part of the issue.

Basically, I have got 802.1X working with certificates on the machines and with user credentials based on AD security groups - pretty run of the mill stuff. I also have web-auth working using the native Aruba default page.

What I would like to do is set it up so that users can authenticate with the cert or if they don't have the cert, they authenticate via web-auth. This means that I want to have 802.1X and Web-Auth both enabled on all access ports.

I have managed to get both 802.1X and web-auth enabled on the ports but when I test, it only seems to try and authenticate with one OR the other (depending how the adapter is configured). I would like it to try the cert first and then failing that, try web-auth.

I have seen guides using Captive Web Portal with Aruba Clearpass for this scenario but thus far I have not been able to get Captive Portal working in A3.

Thank you for any advice.

Business vs Residential speeds.

I work for an ISP and I'm relatively new to networking. Why would business class customers pay far more money for a 10 meg circuit when residential customers can get speeds up to 1 gig for a quarter of the price? Some customers even use a 3-5 meg circuit... not even sure how much you could do with that.

I guess what would help me is more context as to how a 5 meg circuit would be used by a business and why wouldn't they just pay for a residential modem and get a gig speed connection.

Thanks in advance! Learning so much from this sub. You guys rock!

Azure S2S (Route Based) to Cisco ASA VTI - strange network behavior

New to Azure, and have a S2S connection from Azure to our on-prem networks using a Cisco ASA 5508-x running 9.8.4(17). Azure and ASA show the tunnel up and active, but having weird traffic issues.

I can ping from an Azure VM to on-prem server, and the Azure VM successfully uses the on-prem DNS. But I cannot domain join the azure VM/connect to an on-prem share or open an on-prem webpage. Additionally, I cannot ping from on-prem to the Azure VM.

Windows firewalls are turned off on both servers for testing, and it appears the Network Security Group rules and Azure FW should permit.

Packet captures on the two servers show the initial TCP handsshake packet sent, but then retransmits the [PSH,ACK] and [SYN,ACK,ECN] packets until the TCP RST is sent.

I'm at a loss what to check, as all documentation shows this should work, and it kinda does, so I'm thinking there may be something misconfigured on the Azure side, but don't know what else to check.

Thanks for any hints or tips. I can provide more detail if needed.

OTA/Wireless NIC capture on windows?

I know on Mac this can be done easy. But with windows I'm not finding a way to do this.

Im not looking for a wireshark capture on the wireless NIC. I'm looking for a full on promiscuous wireless capture to gather all RF frames.

For example if I want to find whos at fault the AP or client when EAP is going unanswered. (AP not sending or Client ignoring/not responding)

I think Kali Linux can do this, but I am not familiar with it and don't recall if it saves captures in a format wireshark will open.

Any ideas?

Thanks

VLAN question?

Hi,

I was wondering if someone could shed some light on the issue im having, Currently i have
HPE OfficeConnect Switch 1920

what im trying to do is create a VLAN on port 24 which would give me 192.168.15.0/24 instead of 192.168.0.1/24

This is what i have so far on the swich

https://imgur.com/mbzes0s.png

https://imgur.com/6tTn69p.png

https://imgur.com/zHC6v6V.png

https://imgur.com/QH47QRL.png

there is a part on VLAN/interface config but im not sure what setup i should put?

https://imgur.com/ppnmML3.png

Thank you

How to Validate Network Performance

We are a vendor for our customer and we have a flat /24 SCADA-like subnet on their network with all of our equipment. On that network I remotely guided them through upgrading 4 HP 1910 switches to HP 1920s models. After that I got the dreaded "now the network is slow" complaint. They reverted back to the old switches.

I can't imagine how the new switches could really cause a problem. There are other upgrades in progress on that /24 that are likely the true source of the problem. But at the same time I want to be humble and know that there are things I don't understand.

I want to get some metrics with the old switches in place and compare them to the new switches. Then present to management to prove it isn't the network. Below is what I plan to record before and after. Is there anything else I should document?

document arp and LLDP entries on the old switches and compare them to the new ones. This way I can be sure they didn't mess up the cabling. The cabling is a 1 to 1 transfer but I can't rule this out as a problem
iperf3 results to and from a sample of servers/workstations in the /24, before and after
robocopy results of large ISO file (Windows environment obviously) to and from a sample of servers/workstation in the /24, before and after
mtr stats before and after
possibly put PTRG or LibreNMS monitoring into place?

Thanks for any advice!

Manually add routes to FRRouting?

Hi. I'm setting up a ocserv VPN server on a CentOS box which will have a number of different subnets for different groups. The VPN access works and when I manually add routes from our (VyOS) router to the ocserv box the traffic to the different subnets flows correctly. However, I thought that adding OSPF on the ocserv box would make adding subsequent groups easier so I set up frrouting on the ocserv box.

The ocserv box and the VyOS router see each other as full neighbors but I have no idea how to add the VPN client subnets to the local routing table in the OS of the ocserv box, for redistribution with OSPF.

Does anybody have any pointers?

Bit of a weird problem with dhcp and samsung s20 running Android 11.

So I have atleast 2 people with galaxy s20s running Android 11 that are getting couldn't get ip address errors. When I do a packet capture on network port of the ap. I get a full process all the way through acknowledgement. The dhcp server record the lease, switch doing the vlan routing has the mac address of the phone tied to the proper ip address. Now at the same time I run the trouble shooter on the ruckus ap and it's saying the phone never got an acknowledgement. Which was clearly sent in the packet capture. Further more this error is present on both my aerohive and ruckus apps. All I am at is possibly my network is responding slower than the phone wants and it's restarting the whole dhcp process again. I am having a hard time accepting this one as I am not hearing about any other problems.

Dhcp server- windows with 2 servers load balancing.

Vlan routing switch is a cisco 9500 with ip helpers pointing to the dhcp servers and the wds server.

Access level switch's are cisco 2960x Aps are a mix of ruckus r610 and aerohive 230, 330, 130 and 141 aps.

Dhcp snooping is on.

So any one have any ideas where to go from here?

Fiber Tester Recommendations

Recently we started doing a lot of work with SM fiber uplinks to long distance building. Due to amount of staff and current skill set, we rely on a contractor for running, termination, and testing of fiber links. This obviously comes at a cost. When there's faults we typically d basic troubleshooting - change transceivers, patch cables, use new pair of fiber from tray, or try it in a new switch - as you can see this can be tedious. At this point we are interested in procuring an OTDR Fiber Tester that can support SM (GPON would be good). MM testing would be good since we rely on MM fiber between racks (would be nice, but not a must).

Does it make sense getting an AIO solution that can support MM, SM, and GPON?

Budget: Depends - we don't want something cheap and unreliable, but something that doesn't break the bank and reliable.

There are countless vendors and I'd like some recommendations on vendors.

I can't find a reason for this to not work - Meraki MX84 - Just do your job

Right now I have the following config.

ISP Fiber < Meraki MX84 (10.30.50.5) < Barracuda web filter gateway (10.30.50.1) < 10.30.x.x subnets

I'm looking to simply remove the Barracuda web filter so that the MX84 can take over as the gateway device for the entire network. Now I would think that all I need to do is change the MX84 IP address from 10.30.50.5 to 10.30.50.1 and connect it directly to the switching network and disconnect the Barracuda.

This is what the new config looks like

ISP Fiber < Meraki MX84 (10.30.50.1) < 10.30.x.x subnets

Since all devices on the network are configured with a default gateway of 10.30.50.1 this MX84 should just pick right up but that's not the case.

When I swap all of this out and connect to my network I can't ping the MX84 at It's new IP 10.30.50.1 and I can see that it does, in fact, have the new LAN IP address from the Meraki cloud side. Is there something else I need to chance on the MX84 side to allow this device to take over as the default gateway? Meraki support is riddled with support reps that speak 15% English which makes it very difficult to troubleshoot with them.

Any ideas?

Is there a way to make SuperPuTTy launch a .exe application from the sessions list?

If this is not the right place to post please point me to the best place.

I manage a lot of MikroTik devices and the MikroTik Winbox application is much better to use compared to their CLI terminal, but I have most of our MikroTik IP sessions saved on SuperPuTTy and I still like using SuperPuTTy to manage our Adtran devices. Is there a way where I can fork the Winbox application from SuperPuTTy so when I click on a SuperPuTTy session and its MikroTik, it opens the Winbox application to that session?

Would love to here your guy's feedback, thanks.

Scalable load testing for CPE devices

I'm at an ISP. I'm looking for solutions to perform load testing on routers, ONTs, and modems that have been returned from the field. Solution should be able to scale horizontally well and perform load testing for a length of time that we prescribe. Horizontal size would be 24-48, not hundreds or thousands. Solution must be able to do at least minimal reporting if there are any anomalies with the traffic so that the equipment can be further examined or removed from circulation.

Ideal solutions are drop in so that I don't have to configure anything, but also looking for recommendations on homebrew if the cost savings can be significant. The boss likes options.

Current head-plan is to have a couple iperf hosts running with some magic scripts thrown on to identify when a client is having an issue and which one it is.

Fortigate 2FA forticlient error

Have a strange issue. Recently did a 2fa implementation by importing all users as LDAP users and assigning hard tokens.

1 user has no problems connecting with their token on the web VPN, but no matter what, it won't connect in the forticlient application with the token. Any ideas?

Question: IP camera cable has weird color code, red/brown and red/blue wires.

Hey all, I am trying to repair an IP camera that had its networking cable ripped off by a careless contractor. It has a 6-wire design and colors I have never seen before.

Red/Brown
Green
WhiteGreen
Red/Blue
Orange
WhiteOrange

I tried fixing it with just he green and orange wires and it is discoverable on the network, but there's video feed which I assume is because I didn't use the other wires. How does one properly crimp an RJ45 for this?

Thank you!

Implementing EAP-TLS for 802.1x authentication (Google Pixels can’t gain access without specifying a domain)

Without giving too much detail about our infrastructure; we are having issues onboarding Android 11 devices running the December security update. It’s only affecting Google Pixel phones at the moment but I’m fearful this will affect all Android devices soon. We currently use PEAP and MSCHAPv2 and “do not validate” certificate to authenticate to our Radius server using user credentials. Google Pixels now require you to specify a domain as well where they did not in the past.

The more I read about this, the more I understand the need for certificate authentication per device and not relying on user credentials. I guess my question is how do you configure your NAC to use EAP-TLS and how do you generate and share a certificate that is installed by the client?

I’m a fairly new network analyst so I’m not we’ll versed in security. We have our own security department that owns our NAC and server team that operates our Radius server. My group really only handles network infrastructure. It’s a team effort so no one group owns the onboarding process.

I’m sure other organizations are experiencing this and wanted to know how they are solving this problem.

TCP/IP & OSI - Adjacent and same layer interaction

Hi all,

I am studying for my CCNA and I wondered if you would be able to give some examples of how the layers work with eachother?

I know they are just models, and the OSI is largely not in use, but for understanding sake I am asking.

Could the responses be something like.

Layer 6 Adjacent Interaction = X example Same Layer Interaction = Y example

(Ps. If this is the wrong place for the post I applogise, point me elsewhere and I will repost it there. Thank you)

How does one reach this level of competence?

So, while back i had this strange problem. Seemed like layer 2 or orquestrator issue. I investigated the problem for many hours and got nowhere, opened a case with Cisco and had the same result.

Then i talked to this really senior guy at my company. I knew this guy was very good.

He says "yeah let me look into it" then like 45 mins later says "its a bug in Cisco's code regarding the interface, tell them to call me when they have like 30 mins and i'll tell them how to write the code to fix it, here's my number".

I was perplexed.

Where do you even learn how to write code for a Cisco device?

What can i do to even approach this level of technical depth?

SMB Network Suggestions

Hi Everyone,

I am needing a quick sanity check and some assistance with some initial discussions on deploying a new wired/wireless network into a business. I'm our global System Admin with a network backbone that hasn't been touched in about a decade.

Background: The discussion is prompted by deploying a Hyper-V cluster to an on-site datacenter which needs 24 ports of ideally RJ45 10Gbps although could be SFP+. This main switch is supporting Storage Spaces direct storage across 5 hosts and a backup server. We have four global locations with small data centers already implemented with redundant fiber, generators. From a server standpoint, we are migrating from a very heavy physical base to virtualized.

In the immediate future we will also be overhauling/implementing true access point wireless connectivity in the building which in it's currently state are a ton of consumer grade Linksys routers acting in AP mode. I am fully aware of how awful this is and I have finally been given CapEx funding for a full replacement.

I'd like to manage all switches from a single pane of glass along with wireless APs. After contacting our CDW account reps, they are pointing me in the direction of Aruba 3800 series for the data center portions and then 2530s for the access layer of the network.

In the building, our internet connection comes into our datacenter, and then is joined to the main distribution point via Cat 7 cabling (~50 feet) before being further distributed via fiber to three other locations in the building where I have 8, 5, and 4 access layer switches providing connectivity to client devices. Everything I have is layer 2.

Currently in the building:

Datacenter - 4 switches , two are redundant against each other and our the networks connectivity to the firewall, feed to the main distribution point and then each daisy chain to two other switches.

Main network hub - 8 switches all layer 2, daisy chained together.

Warehouse - 5 switches, top has fiber from the main hub and then daisy chained.

Offices - 4 switches, top has fiber and then daisy chained.

I also know that we have some cat 3 (yep, not a typo) in the building but it's limited. Most of my wall jacks are Cat 5/5e so access layer can be 1Gpbs.

Brands:
+I'm not convinced HPE/Aruba is the way to go. Reviews, and other information is sparse and I can't find a definitive yes/no answer.
+The Cisco Catalyst 1000 line seems like it would fit the need nicely with the exception that none of the series provides 10Gbps connectivity.
+The Netgear M4300 series seems to actually fit the bill here, however, no one thinks "Netgear" for this type of networking.
+Meraki by Cisco - They are cloud managed and require a subscription, while I'm not apposed to licensing etc, this is a constant OpEx and requires a constant management subscription for the devices to work.
+Dell X series - this also fit the bill, although without a wireless component however they have just been retired.

I'm not brand loyal, and most important aspect is manageability for both wired and wireless hardware.

Are there other brands/series which would fit the bill much better?

I've also thought about excluding the 10Gbps switch need from the overall design and focusing just other the other 99% of the network and buying a purpose made switch for the Hyper-V Cluster connectivity.

Thanks everyone for readying and for any advice you can pass along.

Relatively inexpensive cage/box to protect ethernet plugs at floor level?

Is there a way to keep wall-mounted ethernet keystones from getting kicked in? We have a location that is in constant need of new wall plates/jacks since they are at foot level underneath desks and keep getting damaged. Is there a box, cage, or cover that mounts to the gang box or plate that would protect them?

Help understanding the trace route PostgreSQL server and deciding whether I should contact my cloud service provider

I have been trying to troubleshoot this problems for hours. I followed all the setup instructions for setting up the PostgreSQL server: I changed the value of listen_addresses to '*'. I added the line

host all all 0.0.0.0/0 trust

I made sure there is no IP rule that prevents connections on port 5432: screenshot here

Finally, I tried to use trace route to check the route and this is what I got: https://imgur.com/a/SiPNkPK

I read that if there is a time at the very end of the hops, then it's probably a firewall issue. However, the time out here is not strictly at the very end and I am not sure what to make of this. Any help will be very appreciated.

analysing network traffic in teams meetings

Hi!

So I am now about to write my bachelor thesis. I chose an intresting task which was presented by an ISP. The task is to analyse data for virtual meetings that uses either teams or webex. The reason for this task is that before corona it was basically not a thing to join a virtual meeting from outside an office. Now I am to simulate virtual meetings and anaylse the data.

I will be given enough cisco meraki equipment to analyse locally. I have also been given access to see traffic from meetings for both teams and webex(control hub). This basically means that when I for example start a meeting using webex I can both analyse data by using webex controlhub AND meraki.

I have also been given diffrent tenants that I am administrator of(cool right?!). These tenants are placed diffrent places in the world and I can therefore choose which tenant to host the meeting on.

But I am also kinda scared at this point. I have had courses that is basically CCNA and CCNP. I also have hands on experience with cisco routers and switches by doing labs on our campus. But I have never used ANY of the tools given to me by the ISP. I dont have any experience with meraki. I dont have any experience with teh control hub or teams analysing tools either.

I know there are great network administrators here and because of this I want to get suggestions on books, articles or just general tips on how to use these tools. Also, what do you guys wish you knew when you first started using these tools?

MikroTik CCR1009 vs CCR2004 vs CCR1016 - Small time ISP.

Greetings! So we are a small ISP who is moving over for a new fibre project of 50-200 homes to start, then expending up to 25,000 homes.

I am not the networking guy, but the owner who has dabbled in networking when possible. But I am curious to know what is this subreddits thought on the MikroTik Cloud Core Routers.

What we will be carrying:

10GB ENNI
500M Protected Local Transit
10,000M Pure international Protected L3

The recommendations I got given from the networking guys is the Mikrotik CCR-1016-S+ or CCR1036-2S+ which are great from what I know, but not the best for a tiny network which has plans for expansion. This is where I was doing research and came across the CCR2004.

Any thoughts will be greatly appreciated, and yes the network guys will make the final decision and educate me more when possible.

Vlan tagging check

I am looking for software or another tool, I can easily check vlan tagging. I have transparent firewall betwwen vlans and need to check how it affect taging.

Technical Documentation in Software Development: Types, Best Practices, and Tools

Technical documentation in software engineering is the umbrella term that encompasses all written documents and materials dealing with software product development. All software development products, whether created by a small team or a large corporation, require some related documentation. And different types of documents are created through the whole software development lifecycle (SDLC). Documentation exists to explain product functionality, unify project-related information, and allow for discussing all significant questions arising between stakeholders and developers.

Agile and waterfall approaches

The documentation types that the team produces and its scope depending on the software development approach that was chosen. There are two main ones: agile and waterfall. Each is unique in terms of accompanying documentation.

Tuesday, January 19, 2021

Experiences with over length CAT5e

Today I had some interesting experiences troubleshooting a drop that was beyond the 100m length for Cat5e. On a cable run of 375ft+ two Cisco unmanaged non poe SG100 switches were connecting together fairly reliably, although the devices on the far end experienced poor behavior. At first the issue seemed like a bad switch on the far end, because when I plugged straight into the far end drop my connectivity was much better...but then I couldn't get several different dummy switches to even show link when swapping. Does anyone know what technologies or processes that the Cisco equipment might be leveraging to explain this behavior?

Anyway here are some helpful pieces of advice for anyone who doesn't spend a lot of time out on the field working on network issues of this kind:

If you've forgotten your electronic troubleshooting tools, don't forget to use distance marker printing on the wire jacket to calculate cable distance (subtract low number from high number)
Take pictures of everything before you begin making changes.
Take notes as you go so that you can keep track of your variables.

Imagine if the Internet Were to be Redesigned from the Ground up Today, How Different Could it be?

Keep in mind, this is a very hypothetical situation

Assumptions:

We are not tied down by the need for backwards compatibility for the existing Internet
The infrastructure would also be recreated from scratch
The world will not face a crisis or collapse because of this
The Internet is designed to best serve the needs and interests of people in the modern day. In other words, assume there aren't a handful of companies or governments that would influence the decision in a direction against the common benefit

Would the Internet look very different? This is surely an impossible question to answer correctly, but consider it an exercise in trying to imagine the ways the Internet could be made better if we did use the constraints mentioned in the assumptions above.

At the very least, we know there won't be IPv4 anymore!

I need help with my networking homework (NMS Zabbix)

Hi everyone. Sorry if I wrote a sintax mistake, I'm not a English spekear, I'm learning to. I'll do it my best.

I need some help with my homework.

I do a network with virtual machines on VirtuaBox and nowI need to monitor it with Zabbix.

This network consists in a NMS host connected to a router, and that router is connected with other two routers. Finally, at the last router is connected to a HTTP server. All of it (Zabbix server, routers and HTTP server) is on VirtualBox. For all I use the system operative Linux for each VM. So it's a network that in a point is a NMS (Zabix server), in the opossitive point is a HTTP server and in the middle there's three routers. The routers use OSPF protocol.

I don't know how I add a host that is a Linux's virtual machine on GUI's ZabbiX (frontend's browser). I mean, how to create the host and its setting and then add it to monitor if the hosts are all linux systems.

Someone could help me with that please.

Thanks

Reverse proxy on the router or in a vm?

So I need to get a reverse proxy up. I am stuck between running it on the router or in a VM on a server.

Pros I see to router: no local DNS serves. No server resources, SSL offloading at the edge.

Cons to the router: servers dependent on the router. No modularity.

Pros to vm: redeployment in case of server failure. Less dependent on router.

Cons to vm: requires local DNS servers.

I would really appreciate some thoughts.

I would run it on the router but then I would not feel safe without a backup router. Ik ik. Thats standard anyway but like always im looking to save some coin. So thinking the VM would be a better solution.

Sorry if this is a noobie question

Help with IPv6 on new routing table and netplan config

Hello all,

I'm not having any luck with moving ipv6 requests over the wlan0 interface to a new routing table.

My situation: NodeJS program uses the default eth0 interface to connect to a local server that has MongoDB and communicates over IPC. Eth0 also has internet connectivity. Everything is fine there. However, I want to connect to services on the internet via a 4g hotspot which I'm connected through wlan0.

I'm unable to use the non-default network interface (wlan0) within node and can't use curl without sudo when specifying the wlan0 interface.

My google search directed me to create a new routing table. I was able to successfully accomplish what I needed with ipv4 with a custom netplan config, but I can't get ipv6 to work.

network: version: 2 wifis: addresses: - 172.20.10.2/28 - 2607:fb90:17d7:a98d:xxxx:xxxx:xxxx:xxxx/64 gateway4: 172.20.10.0 gateway6: 2607:fb90:17d7:a98d::1 routes: - to: 172.20.10.2/28 via: 172.20.10.0 table: 2 - to: 2607:fb90:17d7:a98d:xxxx:xxxx:xxxx:xxxx/64 via: 2607:fb90:17d7:a98d::1 table: 2 routing-policy: - from: 172.20.10.0 table: 2 - from : 2607:fb90:17d7:a98d::0 table: 2

I'm much more familiar with IPv4 than IPv6. Is my gateway6 correct? Where do I find my IPv6 gateway?

With current config:

$ sudo curl --interface 2607:fb90:17d7:a98d:xxxx:xxxx:xxxx:xxxx http://ip.jsontest.com curl: (28) Failed to connect to ip.jsontest.com port 80: Connection timed out

Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.

I need PBR, but don't have it. What else can I hack together to get this to work?

I need to be able to change routes based on a source IP. I was planning on using PBR, but my HP5400ZL switch has a few V1 modules in it, so PBR doesn't function. We have our hosts trying to access a remote server. They have two paths to that server. Currently we have a static route to point everything on the green path. We want everything to take the dotted orange path because it's a fast pipe, but not all of our source IPs are allowed on that route. The green path allows any source IP, but it's a slow link.

PBR would have easily fixed this, but I don't have that in my toolbelt. I currently have these old 5400ZL switches and that firewall is a PA850. Are there any easy fixes I'm overlooking?

https://imgur.com/rfDrMmR

Reliable and secure port forwarding with accurate relative send timing on destination

I'm trying to find a solution for forwarding multiple local ports to a destination computer. I have the following requirements:

Windows (or cygwin, or a VM running linux)
Multiple ports (outgoing UDP only)
Reliable
Secure (SSH tunnel?)
The receipt of packets at the destination are timed relative to how they were sent, with some necessary global delay

E.g. on the last point: packets sent every 1.5s at the source will be received at exactly every 1.5s at the destination. I imagine a large enough jitter buffer being used to ensure this, given network variability.

It doesn't appear that SSH gives me relative timing accuracy, though I'd love to be proven wrong.

Edit: I should have posed the title as a question--sorry if you found this thinking I have a solution for you! :)

Sonicwall VPN Software / RDP setup - Easiest way to roll out via GP?

I have a number of companies I work with that use Sonicwall kit, most of whom have their sonicwall integrated into LDAP, and most of whom are 100% Windows 10 environments and want to use RDP over their VPN.

I've struggled with a way to get this streamlined to deploy, and was looking for a sanity check and/or a bit of feedback on using the Global VPN client (or netextender), versus built-in Windows VPN client and also rolling out RDP profiles for an entire network of users.

Right now, set up is very much so a manual, hands on task. If we push out a GPO with built-in Windows VPN profiles that in theory should work with Sonicwall's settings, they never seem to work the first go-round. We'll set the Sonicwall up to use IKE with PSK and then the L2TP server - but there will always be some misconfiguration there. Sometimes it's that the shared secret isn't in the VPN profile for some reason. Sometimes, MSchapV2 isn't the default authentication method, and the VPN connection will time out. Regardless, I'll have to fiddle with it on each individual machine and each user account to get it working the first time. RDP profiles work more smoothly, but still need to at least set up the machine name, accept the self-signed security certificate the first time we connect.

Using the Global VPN client or Netextender also seems a bit hit or miss, and difficult to roll out. Some users won't have permission to install software on their machines, so our GPOs won't always kick off successfully - and then pre-storing credentials and profiles never seems to work as well as we'd like - could entirely be user error on our part though.

Anyways - just curious if anyone has any best practices or just wants to sanity check me on this. Any links or words of wisdom welcome!

Multi-Site network design. Input/advice needed.

Hi yall,

so I'm currently (re)designing a network for an upcoming hardware refresh and came across some knowledge gaps while trying my initial design. I'm facing a few design choices where I'm either overthinking something or just lack experience.

I'll try to outline the basic environment to paint a better picture.

We got company A, B and C.

This is where the datacenter for all other companys is.
Network consits of multiple Class C VLANs under 10.1.0.0/16
Multiple buildings all connected via fiber

Connects to A via Site-2-Site VPN
Network consits of multiple Class C VLANs under 10.2.0.0/16
Multiple buildings all connected via fiber

C: (This one gets new hardware)

Multiple branch offices, all in different locations
Connects to A via Site-2-Site VPN
Each office has its own 172.xx.2.0/24 network

The idea is to get C in line with with the 10.X addressing scheme and introduce some segmentation. Which is definitely overkill since most offices only have like 10 devices and 1-2 printers (and possibly some VoIP in the near future). But hey, can't hurt to make it more scalable.

My first draft looked something like this:

10.3.10-20.0 - Office 1

10.3.10.0/24 - MGMT VLAN10
10.3.11.0/24 - DMZ (not needed, but better to plan for it now) VLAN11
10.3.12.0/24 - Clients VLAN12
10.3.13.0/24 - VoIP VLAN13

10.3.20-30.0 - Office 2 etc.

Basically give each office 10 Class C subnets to leave room for expansions.

Pros:

Subnets and VLAN tags are easy to remember since the last digit aligns.
More then enough room for future expansions

Cons:

I didn't account for routing **sigh**. All Site-2-Site routes are static, so in order to reach every subnet/vlan of every office (from A) I would need to create <Num. Offices>*Subnets of routes.

Enter draft number 2.

The idea this time was to put each office in a 10.3.X.0/22 range.

10.3.0.0/22 - Office 1

10.3.0.0/24 - MGMT VLAN10
10.3.1.0/24 - DMZ VLAN11
10.3.2.0/24 - Clients VLAN12
10.3.3.0/24 - VoIP VLAN13

I would leave a 1 block gap between each office to make room for expansion (or more segmentation) in the future by switching to a /21 netmask.

Pros:

Simpler routing **yay**

Cons:

IP->VLAN tag won't be easy to remember

I know that, given the size of each office, the simplest solution would be to slap everything in one /24 subnet per office and call it a day. But that feels short sighted. May be just me though.

Anyway...any input, pros/cons, gotchas or "have you thought about <this>/<that>" will be much appreciated.

PS. probably obvious, but I'm not a network engineer by trade. But when time and money is short beggars can't be choosers ;D

Traditional segmentation vs NSX segmenation

I remember arbitrarily creating VLANs for internal segmentation based on server function, department, you name it. I get the concept, but I'm not really gaining much... Yay, now I get crude in/out nACLs to work with and maintain on the SVIs!

New job, inherited a network that's fairly flat ("server" network is a /23 and contains almost all of our servers) - currently on a call regarding VMWare NSX... it almost seems like with NSX, a large L2 domain would be desirable to me since FW/IPS is being applied as a wrapper around the VM (outside of the OS). This will limit broadcast traffic, and spares L3 encapsulation between servers who would traditionally be on separate L2 domains (technically less comms overhead). Also, it gets away from using a core DC FW if you have a requirement for IPS between all L3 boundaries.

I can't see why the traditional "NO BIG L2 DOMAINS!" golden rule can't be broken here. Am I wrong?

Is IWAN dying

I just came across an EOL notice for IWAN 2.X.X. I heard a while ago about a version 3.0 for IWAN but I can't find any more info about it.

Is there a version 3.X of IWAN?

Or is Cisco killing off IWAN completely now?

WAN Uplinks that terminate directly in the the firewall?

Hi All,

As someone who is pretty new in the networking world I have a quick question regarding wan uplinks. What is the best practice for connecting these to your equipment in the datacenter? Currently, We have them connected directly to our firewalls but I've been told by certain vendors and even read that we should really be running these through our switches first then to the Firewall.

The concern I have about moving the wan uplinks to the switch is mixing that 'dirty' wan traffic with all of our other l2 traffic. Is there a way to isolate these uplinks from all other l2 traffic on the Cisco Nexus paltform? Would a vrf be appropriate for this?

Thanks,

Network Segmentation: Blocking Multicast IPv4 Addresses?

I'm working on upgrading some networking equipment and part of that is converting some internal network segmentation rules. I noticed that the old equipment had a rule on some subnets to block traffic to 224.0.0.0/4 which is the range for IPv4 multicasting. I believe the goal was to prevent any unwanted traffic between internal subnets, but does this actually help anything from a security point of view? Does this hurt anything from a performance point of view? I don't believe there is any internal multicasting that needs to happen between subnets, but I do see a lot of devices trying to talk to these addresses.

ROADMs for last-mile access?

I am trying to get a better understanding of how a ROADM can be used in a last-mile access network. My limited familiarity with them is only used for data center interconnectivity applications where you need fast failover and insane amounts of bandwidth. Would love to hear/see how they can be implemented in the last mile. Is this something that's even done?

What is the DNOX protocol (Port 4022)?

Have been seeing more and more of it on our network recently and not sure what it's purpose is. Looking at the hosts involved it seems related to SCCM / endpoint config.

Googling it has proven difficult as well. Every result just gives the port number and the DNOX abbreviation but nothing else.

Anyone know what it stands for and what it does?

Remote VPN on backup ISP connection

Hi,

I have a Cisco ASA 5516-x with 2 ISPs connected, lets say outside_1 and outside_2.

I also have Remote Access VPN connections created, one using IKEv1 (used for macOS computers with built-in macOS VPN client) and one using AnyConnect (used by Windows users).

Using AnyConnect I can actually connect to the IP address of both outside_1 and outside_2 and access services via VPN.

But using IKEv1 VPN from macOS outside_2 doesn't work. I can still connect and authenticate, but I cannot access anything on the internal network.

Is there a way to make it work?

Thanks!

Cisco Continuing Education credits

Hello, can any of you who use CE credits see your balance at ce.cisco.com? There used to be a piechart showing how many credits you've earned and a running total. They seem to have redone the website and all that info is now gone. I've been working with Cisco for days now trying to get them to confirm my ce balance but no luck so far.

Hub vs Switch

Hey all, I know that a hub broadcast packets sendt to it to all devices connected while the switch send it to the targeted destination, what Im not sure of is, is the hub Bi-directional as in let's say I have a network that consists of a router with a hub and switch connected to it, both of the switch and hub have 3 PCs connected to it (Pc1,2,3)

The PC1 on the the hub network wants to send a message to Pc2 on the switch network will the message go through Pc1 -> Hub -> Router -> Switch - Pc2

Pc1 -> Hub Then the hub resends it back to to pc1 pc2 pc3 and router -> Switch -> Pc2

Cisco Continuing Education credits

Help Please! ISP Modem > Switch - Location 1 > Switch Location 2 > Main Router for Site?

Hi All,

I'd be very grateful for some help and advice from the wise Networking folks on here please.

I've been trying to research this but didn't find anything that I could use to get a grip on this issue.

I do understand that the below isn't an ideal starting point - But we've been pushed into this and need to work out a solution now.

Basically due to the size of our large Building our ISP would only run our fibre connection to a small switch cabinet that's about 150 meters from our main comms room. (Location is near front of building and point of entry for fibre cable etc etc.)

The switches in this cabinet ( Cisco Catalyst 2960-L series) are connected back to our core switch in our main comms room by fibre cables so performance should be acceptable.

I'm trying to determine the accepted solution or best approach to getting everything to work.

Basically I need to try and get the below working:

ISP Modem > Switch - Location 1 >>> Fibre Link >>> Switch - Location 2 > Main Router for Site.

This main router is a Sonicwall TZ300 that we also use for our incoming VPN connections to the Site.