Saturday, January 30, 2021

Assistance with BGP Peering to AWS VPC

Hi all,

I am in the middle of trying to work out why I am unable to peer with my AWS VPC using dynamic routing. If I configure the site-to-site VPN with static routing it works fine.

Current environment:

  • ISP modem in bridged mode (PPPoE connection)
  • pfSense used as the firewall / gateway, connected to the bridged ISP modem
  • FRR used for BGP
  • IPsec tunnel configured to AWS with Phase 2 using Routed VTI
  • Interface has been assigned for the IPsec VTI
  • AWS reports IPsec as being up
  • Created an IP alias on the WAN interface for my inside customer gateway address
  • Used the above as the update source for BGP
  • Peering never comes up; packet captures on the interfaces show no BGP connect messages leaving the pfSense, however I can see inbound from AWS on the IPsec VTI interface

I am kind of stuck here as to what to do. I thought it may be the firewall, with the WAN auto rule blocking bogon networks (RFC1918), so I disabled that. Still no good.

I am not sure if this needs to be set up differently for a PPPoE connection, where the WAN interface gets its address through a peer?

Any tips would be appreciated!

Cheers



Remote access my virtual machines that are installed via ESXi

Hello, I'm planning to install ESXi on my RPI 4B and I just wanted to ask if I could remotely access my virtual machines outside of my network.

I'm thinking of using a VPN that has my local IP so I could access ESXi via web browser when I'm not in my home.

Is it possible?



Job opportunity for f5 load balancing vs kubernetes container orchestration

Can any network people shed light on how to choose between a position between one or the other?



Finally ordered fiber, is this website legit? (Frontier)

Sorry if this isn't the correct group for this, felt like you guys would know the most.

So I finally decided to upgrade from cable internet to fiber today, for my birthday. I googled the Frontier customer service number and set everything up. After everything was said and done, I noticed the website that has the number is GO.frontier.com rather than WWW.frontier.com. I've tried doing more research to make sure it's not a scam, as well as contacting Frontier themselves, who said it was OK (via chat); however I just wanted to see if anyone else here has any experience or information?
Thank you in advance for any help



Is there an easy way of rack mounting heavy switches??

In our environment, we have a lot of cabinets mounting near the ceiling so rack mounting a heavy switch by propping it up with 1 hand while you’re screwing in with the other on a ladder is not fun to do. Any tips or tricks to make this a lot easier? There’s gonna be an easier way!



Looking for solution on which method to use for large room 100x200 ft wifi

Customer has a large open warehouse approx 100x200 feet. No walls in the warehouse, a small 30x50 foot office is in one corner, and the loading dock is in the opposite diagonal corner. See sketch here

Customer purchased this TP-Link mesh system. They also bought Google Nest cameras (which work over Wi-Fi).

The TP-Link set (as is, without additional units) won't cover the entire warehouse in a mesh signal

Can I take a 50 ft patch cord, connect it to the Wi-Fi router, run it up to the roof of the office, plug it into a simple switch, and from there run patch cords to each TP-Link node, placing them near the cameras I need, so that, while I won't have a mesh network, I'll basically have a hotspot near each camera?

{I know a ip camera system would be easier etc the customer wants the Google nest cams}

OR

Run a cable between the nodes; same idea basically, but without the switch.

OR

Just buy another TP-Link pack and do the mesh correctly.

Those are my ideas. Would love to hear what you think is the best, and if you have a new solution or comments on my idea, please do send!

Thanks in advance!



OSI model/UDP question

I am new to networking and recently learned that the OSI model transport layer is connection oriented, while the TCP/IP model's transport layer is both connection oriented and connectionless. How does UDP follow the OSI model then, if it is connectionless and the transport layer of the OSI model is connection oriented?



Advice on WIRED router

I haven't bought a router in a long time and was hoping someone could suggest the top one or two wired routers for consideration.

Money is no object but it doesn't need to be made of gold for no reason...

It's a small network for one floor(of a house) , but I may consider adding an access point for another floor at some point down the road.

Thank you!!



Best book for networking

I'd like to dive deep into networking since I'm studying for the Network+ cert and looking forward to a future as a network engineer.

I'm not looking for a study guide for a certification, just for a detailed and well written book, preferably not outdated, which I can use as my main source of queries.

What's the best networking book you've ever come across?



Help with presentation. DC interconnect using VXLAN EVPN multisite. Phone call would be huge

Hi everybody. I have to give a presentation this week regarding VXLAN EVPN multi-site, of which I have no experience (it's a personal project). I know it's a huge ask, but is there anybody reading this with experience in this area? If so, would you be willing to talk privately for 15 minutes or so on Sunday or Monday just so I can pick your brain and make sure that I have the basic ideas and terminology down? This shouldn't be extremely technical... more of a broad overview of how the underlay and overlay networks talk, how anycast and multicast are involved, and ideas like that. No actual config will be needed.

I've been reading white papers and watching videos but a back and forth would be huge with someone with knowledge of an actual installation.

I'm in the US east coast and I only speak English so unfortunately I'd have to ask for someone speaking that language.

Thanks for reading and please pm me if you wouldn't mind volunteering your time.

Cheers my friends



Career advice

Hi Guys,

I have 5 years of experience in the networking field. I'm familiar with different technologies like Cisco routing and switching, Cisco ACI, Aruba switches and Wi-Fi, F5 load balancing, Infoblox DDI, Ansible, and security solutions like Fortinet, Cisco ASA and Palo Alto.

I would like to be more specialized in the security field, and the aim at the end is to find a remote job in the security field. I will start by doing the AWS Security Specialty certification and Fortinet NSE4. Any other certification you recommend, or any advice you can give? Please feel free to advise anything; I'm thankful in advance.

Thank you.



Server as accessible PC from everywhere in the house

hi all,

I've a server which runs Ubuntu (terminal only); I'm planning on giving it a desktop environment.

But would it be possible to connect any laptop or PC to that server and have it control that server? Like, if you connect the PC it's like connecting a monitor, mouse and keyboard. And if that is possible, would it be possible to "create" multiple PCs on that server, and connect each one to a PC or laptop?



I'm learning ipv4 subnetting and would like to gain more understanding of the following answer

I have two examples, first one I worked out, the second I struggle with.

For the first example, I am given the following address:

172.153.75.250/25 

I have to find the:

  • Network
  • First Host
  • Last Host
  • Broadcast
  • Next Subnet

Given the above address, I work out that the Subnet Mask is 255.255.255.128.

I get there by looking at CIDR of /25. 8+8+8+1

With the subnet mask of 255.255.255.128:

  • 172.153.75.128 is the network
  • .129 is the first host
  • .254 is the last host
  • 255 is reserved for broadcast
  • Next subnet would start at 172.153.76.0

I understand the above and it makes sense. Here is the second example:

65.6.23.194/14 

Following my logic from the first example, /14 translates to a subnet mask of 255.252.0.0. If it was 255.255.0.0 then the network would be at 65.6.0.0, but since the second mask octet is 252, the network is also two less, at 65.4.0.0.

First host is 65.4.0.1

I thought that the last host would be 65.6.255.254 and broadcast would be 65.6.255.255 , with next subnet starting at 65.7.0.0. Unfortunately the last host, broadcast and next subnet are incorrect.

Could someone please explain to me why last host is 65.7.255.254 and not 65.6.255.254? Once I understand that, I should be able to work out why the broadcast and next subnet are what they are.

Thank you!
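A worked calculation of both examples in this post, added here as an illustration (it is not code from the original post): it builds the mask from the prefix length, clears the host bits to get the network, sets them to get the broadcast, and reports the "interesting" octet and its step size, which is what places 65.6.x.x inside the 65.4.0.0 to 65.7.255.255 block. The function and result key names are my own.

```python
import ipaddress


def subnet_facts(cidr: str) -> dict:
    """Work out the subnet facts for an IPv4 address written as a.b.c.d/N.

    The arithmetic is done on the 32-bit integer form of the address so the
    "why" stays visible: the network is the address with its host bits
    cleared, the broadcast is the network with its host bits set.
    (Illustrative helper; the key names below are my own choice.)
    """
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length {prefix} is out of range")
    addr = int(ipaddress.IPv4Address(addr_str))

    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # N one-bits, then zeros
    host_bits = ~mask & 0xFFFFFFFF
    network = addr & mask
    broadcast = network | host_bits
    block_size = 1 << (32 - prefix)  # addresses per subnet of this size

    # The "interesting" octet is the first one whose mask byte is not 255.
    # Subnets start at multiples of (256 - that mask byte) inside it, so for
    # 255.252.0.0 the second octet steps 0, 4, 8, ... and 6 falls in the
    # block that starts at 4.
    octets = mask.to_bytes(4, "big")
    interesting = next((i for i, o in enumerate(octets) if o != 255), None)
    octet_step = 256 - octets[interesting] if interesting is not None else None

    def dotted(n: int) -> str:
        return str(ipaddress.IPv4Address(n))

    usable = prefix <= 30  # /31 and /32 have no "first/last host" in the classic sense
    next_net = network + block_size
    return {
        "mask": dotted(mask),
        "network": dotted(network),
        "first_host": dotted(network + 1) if usable else None,
        "last_host": dotted(broadcast - 1) if usable else None,
        "broadcast": dotted(broadcast),
        # The next subnet starts right after the broadcast; None at the top of the space.
        "next_subnet": dotted(next_net) if next_net <= 0xFFFFFFFF else None,
        "interesting_octet": interesting + 1 if interesting is not None else None,
        "octet_step": octet_step,
    }


if __name__ == "__main__":
    for example in ("172.153.75.250/25", "65.6.23.194/14"):
        facts = subnet_facts(example)
        print(example)
        for key, value in facts.items():
            print(f"  {key:17} {value}")
```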



Remote Access Intranet

So I’ve been trying to figure this out for a while, and likely because networking is about the only thing I DONT know how to do, it’s a struggle.

My company runs all its locations through vpn enabled Cisco routers to enable access to company intranet. It’s that same intranet that is the base for all company related restrictions, such as: only being able to clock in while using said network, and only being able to login to company emails (outlook/office 365) through said network.

Normally it wouldn’t even cross my mind as an issue, or something to even pursue but there are several underlying things that push it borderline unnecessary.

  1. Only some assets are maintained through the company intranet, and not the ones you would expect. Namely: External access to company owned emails- No. External access to putty servers- No. External access to anything and everything customer related, from transactions, all the way down to the associate portal where the transaction invoices are kept- Yes.
  2. I have remote access, in several ways, but none are reliable. Option 1.) simple remote access with teamviewer or another desktop access program to any work pc I need. Doable, sure, but incredibly slow and impractical. Option 2.) Remote access via company owned virtual machines. Accessible at any time, anywhere with the right credentials. Again, doable, but unreliable even on my fiber connection. Which brings me here.

The main reasoning for my pursuit of this is due to my need for email access (OneDrive to be exact) where I maintain live documents and trackers for the entire area, and as of now, the easiest option is to remote access, email myself the files needed (because they can’t be shared with external accounts), adjust them as needed, email back to the origin account, remote access again, and upload the newest changes. It’s a bit of a pain in the ass. So really what it boils down to is, what exactly do I need to do to “access” the connection on an external network?



Port forwarding on pppoe connection

Hello, can someone please help me port forward on a PPPoE connection? I am trying so hard and I feel I am going crazy.



new to network/ can I install windows server 2012 r2 on my laptop and use it as normal laptop?

Hi, I am new to networking and I wonder if I can install Windows Server on my laptop and also use it as a normal laptop.



PoE on Access-port is not available!

Hey guys, I need help to troubleshoot this issue, any ideas?



Does the download speed that an ISP advertises affect the local network?

My current enterprise internet plan is 500 mbps for download and 40 mbps for upload. My previous plan was 50 download and 50 upload. In my previous space, the wireless connection between devices would frequently drop.

Since my current plan has higher bandwidth for download, would there be less interference and would there be a more stable connection between my devices?

In other words, does the download bandwidth account for the bandwidth needed for wireless connections between my devices within the network (i.e., between my devices and the router), or does it only account for the bandwidth of information flowing from the Internet/ISP through my router (and then to my devices)?

I'm thinking the plan only affects the connection between the ISP and the router/modem, so I'm wondering how I can improve the connections within my local network. The drops between wireless computers and printers can be quite counterproductive for our operations.

Edit: Please let me know if this would be better posted in r/homenetworking I created a post there as well.



How do you prefer to restrict access on your management network?

Looking to see how people set up their management network and what they do to restrict access on it. I'm assuming a lot of us use a virtual interface like vlan1 to assign an IP on the management network, but beyond that what are you doing? Creating a mgmt VLAN, restricting things down to telnet and HTTPS only, etc.? What is your preferred method to do those things?



Burn Out?

How do you keep yourself from getting burnt out? I find that I can never "switch it off". My mind is always trying to figure out the next thing, even if there isn't necessarily any problem. I'm always trying to learn more, and figure out how to use the new knowledge to better our network. But I can't seem to find a way to turn it off or step away, and I find that I am burning myself out.



Looking for replacing NPS with NAC solution?

I'm looking to replace our NPS with a NAC. I have a few players in mind. We want to use it for RADIUS; what are the other benefits of using a NAC instead of Windows-based NPS?

  1. Forescout
  2. Cisco ISE
  3. Fortinet NAC (emerging player)

Any other suggestions than the three listed above? Any cloud-based solutions you are aware of that are really good?



Need Advice For Setup Network

Hi, this is my first post.

I've been working in a company for about 3 years, and lately I've found a problem.
In my office there are about 30 people (assume every person is using 2 devices), and there's only 1 ONT.
It feels really slow when browsing with my internet, and I don't have any knowledge about networking at all,
so can you guys describe the best setup for my office and the tools / devices I have to prepare?

Sorry for my English, because I'm using Google Translate.



Subnetting, network engineer thinks this is wrong

So, we are having some serious issues with parts of our infrastructure at work, and a level 3 network engineer with (top 5 largest server/networking vendor in the world) is telling me that my subnetting is incorrect.

While I do hold a degree in computer engineering, I'm not a fully fledged network engineer.

I have a range 10.195.45.0/24 split into:
10.195.45.0/26
10.195.45.64/26
10.195.45.128/27
10.195.45.160/27
10.195.45.192/27
10.195.45.224/27

The whitepaper and pre-flight documents state that the system needs to have different subnets for the different networks of the system. They also have an example, but in this example they use /24 ranges (so the third octet is different in each subnet) and he told me that we need to do the same to have real subnets.... There is no mention of there being a limitation to which subnets you can use, or the size of them (of course they have to be large enough to accommodate the hosts in said net).
My question is, am I wrong? Is my subnetting somehow magical or unorthodox?
I really want to correct my knowledge if I am, so I'm trying my luck here amongst people who know what they are talking about.
Thanks for any enlightenment you can bring to the matter.
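A checker for the VLSM split in this post, added here as an illustration (not code from the original post or the vendor's documents): it confirms each child prefix sits on a boundary, lies inside the parent, overlaps no sibling, and that nothing in the /24 is left uncovered, then counts usable hosts per subnet. Distinct subnets are distinguished by network address plus mask, not by which octet differs. The function and key names are my own.

```python
import itertools
import ipaddress
from typing import Dict, List


def check_split(parent: str, children: List[str]) -> Dict[str, object]:
    """Validate a VLSM split of `parent` into the `children` prefixes.

    Reports child prefixes that are not on a subnet boundary, fall outside
    the parent, or overlap each other; lists any address space left
    uncovered; and counts usable hosts per child (block size minus the
    network and broadcast addresses). Illustrative helper with my own names.
    """
    parent_net = ipaddress.ip_network(parent)
    problems: List[str] = []
    child_nets = []
    for c in children:
        try:
            net = ipaddress.ip_network(c)  # strict: host bits must be zero
        except ValueError:
            problems.append(f"{c} is not on a subnet boundary")
            continue
        if not net.subnet_of(parent_net):
            problems.append(f"{net} is outside {parent_net}")
            continue
        child_nets.append(net)

    # Two CIDR blocks either nest or are disjoint; any overlap is an error here.
    for a, b in itertools.combinations(child_nets, 2):
        if a.overlaps(b):
            problems.append(f"{a} overlaps {b}")

    # Carve each child out of what is left of the parent; whatever remains
    # at the end is a gap (address space no subnet accounts for).
    remaining = [parent_net]
    for net in child_nets:
        carved = []
        for piece in remaining:
            if net.subnet_of(piece):
                carved.extend(piece.address_exclude(net))  # empty when equal
            elif piece.subnet_of(net):
                pass  # piece entirely covered by a larger child; drop it
            else:
                carved.append(piece)
        remaining = carved

    return {
        "problems": problems,
        "gaps": [str(n) for n in sorted(remaining)],
        "usable_hosts": {str(n): max(n.num_addresses - 2, 0) for n in child_nets},
    }


if __name__ == "__main__":
    # The split from the post: two /26s and four /27s inside 10.195.45.0/24.
    result = check_split(
        "10.195.45.0/24",
        [
            "10.195.45.0/26",
            "10.195.45.64/26",
            "10.195.45.128/27",
            "10.195.45.160/27",
            "10.195.45.192/27",
            "10.195.45.224/27",
        ],
    )
    for key, value in result.items():
        print(f"{key}: {value}")
```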



Help extend wifi network to elderly neighbors on the cheap

my 90-year-old neighbor uses an iPhone for her news and weather only. She uses cellular network and I don’t think it is strong enough to let her browse the Internet for news. They can see my network but I don’t think it’s strong enough for a consistent connection. Is there an easy and possibly inexpensive way I can extend my network so that they have a strong connection to it? Thanks so much



Incorporating tv and broadband from the same connection into pfsense.

Hello.

I just changed to an ISP that supplies both TV and broadband over the same fiber connection. This requires me to have the SFP module and fiber they supplied connected to their home central. This can be put into bridge mode, where I can only use lan port 4 for internet, and port 1-3 for connecting to the Set-top boxes. They also only give internet access to the mac address of the provided home central. Problem is, the home central sticks out like a sore thumb in my otherwise clean networking rack, and I want to get rid of it if possible. Provided its removal won't cause a bunch of problems.

I currently have this set up as described above, with port 4 connected to my pfSense whitebox. If I want to connect the SFP module and fiber directly into my pfSense box.

I assume the first obstacle would be the mac address, which from my understanding can be spoofed with a varying degree of success depending on the countermeasures the ISP uses (or not). Examples of these countermeasures would be Reverse ARP, traffic analyzers, and bandwidth monitors.

The second obstacle would be the separation of traffic from broadband and tv. Unless this is utilizing VLAN's I am clueless here.

Question 1: What options does the ISP have to achieve the separation of broadband and TV on their home central? VLAN? Something else? If not a VLAN, is it obtainable using pfSense?

Question 2: Has anyone tried something similar, and how well did it work?



Wifi switch between 2.4ghz and 5ghz

Hi, there are multiple routers in my residence and some are 2.4 GHz and others 5 GHz. The problem is my phone keeps switching between 5 GHz and 2.4 GHz. I've used WiFi Analyzer and I could see all the routers around me. They all have the same name and they are all close to me, like 5 m for the 2.4 GHz, 6 m for the 5 GHz, etc. Do you have a solution to force use of the 5 GHz routers only? Or to use a specific router? (I don't have permission to do anything to the routers, so the solution must use the phone.) I have a Redmi Note 7 with MIUI 12.

Thank you for your help



Client server vs p2p

My first ever post [how p2p can self scale](https://medium.com/@piyushk123umar/how-p2p-can-scale-by-itself-af4706edbf1b). I will highly appreciate it if you guys can look at it once 👉👈. Please tell me if it's a good start or not.



in-addr.arpa showing on IP scan

Hello. Yesterday I went to a customer's house to replace a small cheap repeater. Then the customer wanted to do a test, so he connected his laptop to the Ethernet port and started doing an IP scan with Advanced IP Scanner, but the list of IPs was showing like this: x.x.x.x.in-addr.arpa. Why are they in reverse notation? I never saw an IP scanner display its findings in reverse notation. Can anyone enlighten me? Thanks



Friday, January 29, 2021

How to get around vpn?

Someone else on my Wi-Fi is using a VPN. It's causing me problems, like I have to complete the "I'm not a robot" thing when I google something, and I can't update Warzone. Is there a way to get around this? He has no idea what he's doing and I've told him multiple times to stop using it, or maybe turn off the proxy on the VPN app so that it stops causing problems for everyone else. He won't listen to me, so I need a way to, I guess, block his proxy on my Windows 10 PC so that I can update Warzone and actually google things without problems. It might be slowing down my connection too, I don't know.



Temp sensor routing

I am trying to run a temp sensor on my work LAN. But since it is located at a different location, it goes through different network infrastructure. The 3rd octet changing is the only thing I notice. I am doing a test ping using two laptops before I set everything up. How do I set it up so that from one point to another I can ping each other?

Do I have to go through the routing table to tell it how to communicate by going from the central to the aft switch rack?

Do I need to build a vlan?

I’m an amateur at this but got big ideas, just not up to scratch on the know how to make it possible.

Any advice would be appreciated!



Need 5Gbe/2.5Gbe - Use SFP+ Transceivers, Additional Switch, or Something Else?

I have an Aruba S2500 switch that has 4 SFP+ ports. I have a couple of ports connected to Intel X520 cards, but I need to connect two other computers, located next to the switch, that only have 2.5GbE connections. The only connection options I can think of are finding Aruba compatible transceivers that will work at 2.5GbE or adding an additional switch that provides 5Gbe/2.5Gbe connections as well as an SFP+ port that I can use to connect to the Aruba switch.

Do either of these ideas make sense? Is there another approach I can use to connect the last two computers at 2.5GbE?



Etherchannel can't ping

I just don't understand how come the ping doesn't seem to work at all. I'm pretty sure I followed all the instructions in this lab.

this is the pkt file

I had this problem for like a week and I can't find a solution anywhere.

Any help is appreciated! Thanks in advance.



AnyConnect SBL

Is there a way to make AnyConnect SBL mandatory? I have it so that it shows up in the lower right hand corner before Windows logon, but the end user can still just log into Windows without signing into AnyConnect. I unchecked "User Controllable" in the profile but this doesn't seem to do the trick. Any ideas?



Meraki WiFi 6 issue

We are deploying MR 36 and 46, and for outdoor use MR 74 and 76 with ANT-20 omnidirectional antennas. When I move between APs, even when the signal strength is -50db, it shows few bars or disappears for a few seconds and comes back. Roaming doesn't look seamless; any idea on that? The same setup with MR33 is great for indoors, no issues at all. With the outdoor deployment it's the same issue.



Network Monitor:PRTG Limit

We are near the 10,000 sensor limit with PRTG. Is there a way to increase the sensor limit without installing another server? And what are the other best options available?



Extending SD-WAN Fabric into Multi Cloud - Design and Throughput Limitation Concern.

Just curious if anyone here has yet extended their SD-WAN fabric into the clouds? I am looking at doing this with Cisco Viptela, the company I work for is a large international org with locations across the globe. All of our locations will soon be on Viptela.

We do not do much in terms of workloads in the cloud yet but we do have devs chomping at the bit to start moving some workloads into both AWS and Azure.

The idea of putting some virtual vEdges in a central "hub" network account and then using native cloud networking to connect to a multi-account (VPC/VNet) infrastructure is appealing to me, to help minimize the overhead of manually managing IPsec tunnels and BGP, but I am very concerned about throughput limitations: from what I have seen so far of the licensing limitations of virtual vEdges, the max throughput of one of these devices is 100Mbps.

I can put several vEdges in this "hub" account and distribute load across them, but even then, to get a full 1Gbps of throughput I am going to need 10 if the max throughput is 100Mbps, which will dramatically impact the cost factor.

Anyone doing this yet?



looking for a cert that gives basic understanding of cabling/networking?

Hi all, I have an interview coming up in a few weeks and, although I'm relatively strong on one side of the house which relates to data centers, the other part I'll eventually have to grasp will be networking and cabling, and I am wondering: is there a cert that drops some good knowledge on you that you could take a pass at in a few weeks?



Can the TCP window size and window scaling affect windows performance?

Hi guys, I’ve been looking at some data and trying to make sense of it. My company has a server that runs Windows Server 2012 R2 and it’s used as a gateway to process a bunch of tcp messages and forward to other stuff. I’m trying to understand some of the latency behavior and I noticed that packets with different window sizes/scale have different treatments.

I know that on Linux the memory is only allocated when used, but on Windows I'm not sure how the memory and NUMA nodes work. Could it be possible that sending a big window size, because the OS has to manage more memory, takes longer to process, and that it could also impact other incoming packets by "stealing" thread processing time?



Linux IP Routing Problem

LONG POST ALERT

Hey, so I am new to computer networking and trying to wrap my head around Linux IP routing, but no amount of googling or trial and error is working.

Apologies in advance if my post is lacking any detail, I am finding my thoughts very muddled right now but give me a nudge and I will update :).

I have 4 VM's (Ubuntu 20.04 Servers), each has 2 network adapters (NA) and static IP's as follows:

Machine 1:

NA1 - VMNet2 - 192.168.1.1

NA2 - VMNet3 - 192.168.2.1

Machine2:

NA1 - VMNet3 - 192.168.2.2

NA2 - VMNet4 - 192.168.3.1

Machine3:

NA1 - VMNet4 - 192.168.3.2

NA2 - VMNet5 - 192.168.4.1

Machine4:

NA1 - VMNet5 - 192.168.4.2

NA2 - VMNet2 - 192.168.1.2

The aim is to be able to ping Machine 3 from Machine 1, with all traffic only being sent by Network Adapter2, and all traffic only being received by Network Adapter 1.

My routing tables on each machine are as follows (I will just show machine 1; the same applies on the other machines except the IP addresses/ranges adjust accordingly):

- default via 192.168.2.1 dev ens38

- 192.168.1.0/24 dev ens33 proto kernel scope link src 192.168.1.1

- 192.168.2.0/24 dev ens38 proto kernel scope link src 192.168.2.1

If my understanding is correct (please correct me if I'm wrong), the first rule is the default rule that will apply if the other rules don't i.e. that any traffic unaccounted for should be sent to the default gateway via 192.168.2.1 on ens38 (network adapter 2).

The second rule is that any traffic from 192.168.1.1 should go to the 192.168.1.0/24 range if applicable via ens33 (network adapter 1). The same for rule 3 but change the range and network adapter accordingly.

I've enabled IP forwarding on the 4 machines using "sysctl -w net.ipv4.ip_forward=1"

I tried the following rules (my logic will go in the brackets after the command):

- Machine 2 = ip route add 192.168.3.2/24 via 192.168.3.1 dev ens38 (My logic here being that the ping would go out from the 2.1 address on machine 1, to the 2.2 address on machine 2, get forwarded to the 3.1 address on machine 2 and go from there to the 3.2 address on machine 3 as they are on the same local network. Didn't work)

- Machine 1 - ip route add 192.168.3.0/24 via 192.168.2.1 dev ens38 (my logic here being to force any traffic intended for the 192.168.3.0/24 range to go through the 2.1 address on ens38, then realised that the default gateway already deals with this so this rule did nothing new)

- then I wondered why the default gateway rule on Machine 2 "default via 192.168.3.1 dev ens38 proto static" on machine 2 didn't pick up the ping request and force it out via the 3.1 address.

From here, madness ensued and I can't even think of the logic for anything I tried after this. I am hoping someone can make sense of the mess that is now my brain and help me out.



Quick question about TTL and traceroutes.

So I’m guessing TTL is the time allocated for a packet to die when being transmitted in a network and apparently starts from 1 and keeps increasing. But I also read that, each node in the network decreases the TTL when the packet reaches the node, so how does this increase and decrease happen? Does it happen simultaneously ? Or is the TTL already established before the packets are sent?



Learn Routing /VoIP

I want to learn routing/VoIP. I'm a CCNA with a couple of years of experience and want to understand routing for hub/branch office deployments at the practical level used in offices. Mostly at the datacenter level, I want to learn in depth how it works. What is the best place to start learning about it? Should I learn design also, to get a complete overview, or just stick to routing? I'm looking for books, videos, a GNS3 setup or anything. I'm looking for more of a practical approach, along with the best books to understand it. And similarly for the VoIP or phone system side too; I have zero idea about the VoIP side. I want to learn basics like CCNA Collaboration (they don't have it right now) or something similar, to understand which codecs and why this QoS is like this, and make sure they are good at the business policy level.

I currently work with VMWare SD-WAN, Aruba branch switches, Meraki for Switches,APs(Indoor/Outdoor), Fortinets for guest wifi and IoT policies.

I'm aware of CBT Nuggets, INE, Boson, Fortinet training. I used CBT Nuggets before. I read Wendell Odom (CCNA) before. I'm looking for the next step from there to become a Sr. Network Engineer, do CCNP or further. But first and foremost, I'm looking at the routing side, to understand and troubleshoot at the enterprise level.

Thanks in advance 😁



Ethernet Standards: Stranded Cable ? >10m

Hi All,

I was wondering if anyone could help me find the formal standard (e.g. IEEE) which provides the calculations for running stranded cable >10m, e.g. 15m.

The website below provides the calculation but no reference for where it's been taken from; I've looked at a few other sites which have the same calculations but no formal reference.

https://www.flukenetworks.com/blog/cabling-chronicles/considerations-choosing-stranded-vs-solid-cable#:~:text=When%20it%20comes%20to%20de,no%20de%2Drating%20at%20all

If someone could point me in the right direction it'd be appreciated.

Thanks

Swain90



a2i marketing center

Hey, I got a new router but I found this in the client list:

"a2i marketing center"

Anyone know what this is at all?

Many thanks



Ping monitor with logs

Hi All

I'm looking for a lightweight ping monitor tool / app which is also able to log statistics for a few days. This tool would run on a Windows Server and would ping external IP Addresses.

So I'm not looking for a complete software suite like prtg or solarwinds.

Thank you!



Want to upgrade the average internet plan from 100 Mbps to 1 Gbps for my broadband users.

What should I do to start providing 1 Gbps internet speed to home users? Currently, I have approx 500 customers and I am using 4 EPON OLTs which only have 1 Gbps downstream speed on the PON port so they max out at 1 Gbps. Currently, the average plan per user is 100Mbps. So I don't think these OLTs are suitable for providing 1 Gbps speed to the home users. Currently, I am using xPON ONTs at the customer end which work both on EPON and GPON OLTs. Can someone help me?



Finding accesspoints that are offline

Hey guys. I just got responsibility for one of our network controllers with about 370 APs connected. There are also 20 APs that are offline, and where I can't find the MAC address on any switch port. We use HP ProCurve/Aruba switches and Fortinet APs. I have tried to get the local IT helpdesk to look for the ones that are down, but it seems many were moved from the room they were in to new rooms without updating the name (we name them based on room to find them easily). Is there any way to find logs of MAC addresses that have been on a port but are not there anymore? Is there any other trick to finding APs that are down that I might not have thought about? Thanks guys and gals, I always learn something new from this sub and it has helped me a lot.



Access point with WPA-Enterprise

Does anyone know the model of a router, or just an access point, that has the ability to connect wirelessly to a WPA-Enterprise network and broadcast a WPA2-PSK Wi-Fi signal?

WPA-Enterprise <-------> AP -------> WPA2-PSK



GRE Tunnel and OSPF between Cisco and HP Aruba L3 2930F Switches

Has anyone configured GRE tunnels between Cisco devices and HP Aruba L3 2930F switches?

Our site to site links are configured to use GRE tunnels through IPSec tunnels, allowing us to run OSPF and dynamically route traffic between sites. Currently, there is a mixture of Cisco routers and L3 switches doing the GRE tunnelling and running the OSPF routing.

We are looking at using HP Aruba L3 2930F switches at a new site. These switches support OSPF, but I haven't been able to confirm if they support GRE tunnels. Anybody know? If they do support GRE, has anybody configured them to work with Cisco at the other end of the GRE tunnel?

Thanks.



VRRP issue between HP 5406zl and Comware

Intro:

We have 4 switches set up with VRRP on 4 subnets; if we change the master on one subnet, all hosts on the other subnets try to use the new master's IP as next-hop instead of their default gateway.

The setup:

2x HP 5406zl (Switch A and B)

2x HPE FF 5940 in IRF (Switch C)

Switch-A

Vlan110 = 172.16.1.2/24 Vlan111 = 172.16.2.2/24 Vlan112 = 172.16.3.2/24 Vlan113 = 172.16.4.2/24 

Switch-B

Vlan110 = 172.16.1.3/24 Vlan111 = 172.16.2.3/24 Vlan112 = 172.16.3.3/24 Vlan113 = 172.16.4.3/24 

Switch-C

Vlan110 = 172.16.1.4/24 Vlan111 = 172.16.2.4/24 Vlan112 = 172.16.3.4/24 Vlan113 = 172.16.4.4/24 

Virtual IP = 172.16.x.1/24

Example vlan config from 5406zl:

vlan 113
   ip address 172.16.4.2 255.255.255.0
   vrrp vrid 10
      backup
      virtual-ip-address 172.16.4.1 255.255.255.0
      priority 250
      enable
      exit
   exit

Example vlan config from FF 5940:

interface Vlan-interface113
 ip address 172.16.4.4 255.255.255.0
 vrrp vrid 10 virtual-ip 172.16.4.1
 vrrp vrid 10 priority 150

All VLANs have vrid 10 set up with all switches configured as backup; Switch-A has priority.

The problem:

If we change the master on VLAN 113 to Switch-C, then hosts on VLANs 110 through 112 decide to use 172.16.x.4 as their next-hop, ignoring their default gateway of 172.16.x.1; the second we move the VLAN 113 master back to Switch-A, the hosts revert to using their default gateway.

Has anyone seen this before?



Thursday, January 28, 2021

Port mirroring and ntop - what packets get dropped?

So I've got a 24-port gig switch with mirroring enabled, driving an ntop instance. All good, but it occurred to me that the mirror port is only a gig, so if I have two simultaneous high-speed transfers on my LAN going on at the same time, a whole bunch of packets are going to get dropped. Am I right? I would guess the packets that get dropped would be random, based simply on when they arrived at the mirror port? Am I on the right track here?



BGP route "aggregator" on public internet is.... RFC1918?

Hey All - see image - https://imgur.com/a/k2seNgJ

This is one of my public IPv4 routes on the Telia looking glass. It's showing my router's private loopback IP as the route aggregator... I think this is set in the atomic aggregator attribute on the BGP route advertisement. But surely a private IP shouldn't ever be seen in someone else's router? For confirmation, the BGP session is established with a public v4 address provided by the transit provider. Everything is working fine.

This doesn't seem right though - is anything wrong here? This is configured on a Juniper router. Perhaps this is expected 🤷‍♂️
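For anyone checking their own advertisements, here is an added example (not from the post above, and not the looking glass's code) that decodes the two attributes the post conflates from a raw BGP path-attribute block: ATOMIC_AGGREGATE (type 6, no value) and AGGREGATOR (type 7, an AS number followed by the aggregating router's BGP identifier), and flags an aggregator address that falls in RFC 1918 space. The attribute bytes are constructed; the address carried in AGGREGATOR is whatever the aggregating router uses as its BGP identifier, which is why an unset or loopback-derived router-id leaks internal addressing to every AS that receives the route.

```python
"""Decode BGP ATOMIC_AGGREGATE / AGGREGATOR path attributes and flag a
private (RFC 1918) aggregator address. Added example with constructed input."""
import ipaddress
import struct

# Path-attribute type codes (RFC 4271; AS4_AGGREGATOR from RFC 6793)
ATOMIC_AGGREGATE = 6
AGGREGATOR = 7
AS4_AGGREGATOR = 18

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_path_attributes(data: bytes):
    """Yield (type_code, flags, value) for each attribute in a path-attribute block.

    Wire layout: flags(1) type(1) length(1, or 2 when the extended-length
    flag 0x10 is set) value(length)."""
    i = 0
    while i < len(data):
        flags, type_code = data[i], data[i + 1]
        if flags & 0x10:                      # extended length
            length = struct.unpack("!H", data[i + 2:i + 4])[0]
            i += 4
        else:
            length = data[i + 2]
            i += 3
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated path attribute")
        yield type_code, flags, value
        i += length


def decode_aggregator(value: bytes, four_octet_as: bool):
    """Return (asn, aggregator_ip). The AS field is 2 bytes unless the session
    negotiated 4-octet AS numbers; AS4_AGGREGATOR always carries 4 bytes."""
    if four_octet_as:
        asn = struct.unpack("!I", value[:4])[0]
        ip = ipaddress.IPv4Address(value[4:8])
    else:
        asn = struct.unpack("!H", value[:2])[0]
        ip = ipaddress.IPv4Address(value[2:6])
    return asn, ip


def audit_aggregator(attr_block: bytes, four_octet_as: bool = False) -> dict:
    """Summarise the aggregation attributes and report a private aggregator ID."""
    result = {"atomic_aggregate": False, "aggregator": None,
              "private_aggregator": False}
    for type_code, _flags, value in parse_path_attributes(attr_block):
        if type_code == ATOMIC_AGGREGATE:
            result["atomic_aggregate"] = True
        elif type_code in (AGGREGATOR, AS4_AGGREGATOR):
            asn, ip = decode_aggregator(
                value, four_octet_as or type_code == AS4_AGGREGATOR)
            result["aggregator"] = (asn, str(ip))
            result["private_aggregator"] = any(ip in n for n in RFC1918)
    return result


# Constructed attribute block: ORIGIN=IGP, AS_PATH=[65000],
# ATOMIC_AGGREGATE, AGGREGATOR = AS 65000 / 10.0.0.1 (a private router-id).
SAMPLE_ATTRS = bytes([
    0x40, 0x01, 0x01, 0x00,                         # ORIGIN
    0x40, 0x02, 0x04, 0x02, 0x01, 0xFD, 0xE8,       # AS_PATH, AS_SEQUENCE [65000]
    0x40, 0x06, 0x00,                               # ATOMIC_AGGREGATE
    0xC0, 0x07, 0x06, 0xFD, 0xE8, 0x0A, 0x00, 0x00, 0x01,   # AGGREGATOR
])

# Same block, but the aggregator carries a documentation (public-looking) address.
PUBLIC_ATTRS = SAMPLE_ATTRS[:-4] + bytes([0xC0, 0x00, 0x02, 0x01])   # 192.0.2.1

if __name__ == "__main__":
    print(audit_aggregator(SAMPLE_ATTRS))
    print(audit_aggregator(PUBLIC_ATTRS))
```

The fix on the originating side is to set the BGP identifier explicitly to a public address rather than letting it be taken from a private loopback; on Junos that is `router-id` under `routing-options` (an assumption about the post's setup, since the post does not show its configuration).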



iperf multiple simultaneous port testing, with server with 4x1gb LACP ports.

I have a server with 4x1GB LACP ports bonded. The switch ports are set correctly.

When I test multiple simultaneous iperf tests to this server, some of the results allow the full lane of 1GB simultaneously, but some workstations do not.

For the case of this example, if I have 2 workstations testing, I expect full 1GB each. What would cause it to drop the transfer 50% on some workstations but not others, even though the workstations I am testing are on the same switch?

Thank you for any suggestions.
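An added example (not from the post) of why this happens: a LAG never splits one flow across members; the switch hashes header fields of each flow to pick a single link, so two iperf clients can hash onto the same 1G member and share it while a third gets a link to itself. The hash below (xor of the bytes of the selected fields, modulo the link count) is a deliberately simplified stand-in for the vendor's real algorithm, and the two workstation flows are constructed; what it demonstrates is how the choice of hashed fields (MAC only vs. IP+port) changes whether the flows collide.

```python
"""Model of per-flow member-link selection on a 4 x 1G LAG.
Added example; the hash is a simplified stand-in, the flows are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _hashed_fields(flow: Flow, policy: str):
    """Header bytes each load-balancing policy feeds into the hash."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.ip_address(a).packed
    port = lambda p: p.to_bytes(2, "big")
    if policy == "layer2":
        return [mac(flow.src_mac), mac(flow.dst_mac)]
    if policy == "layer2+3":
        return [mac(flow.src_mac), mac(flow.dst_mac), ip(flow.src_ip), ip(flow.dst_ip)]
    if policy == "layer3+4":
        return [ip(flow.src_ip), ip(flow.dst_ip), port(flow.src_port), port(flow.dst_port)]
    raise ValueError(f"unknown policy {policy!r}")


def member_link(flow: Flow, policy: str, links: int = 4) -> int:
    """Xor every byte of the hashed fields and reduce modulo the link count."""
    h = 0
    for chunk in _hashed_fields(flow, policy):
        for b in chunk:
            h ^= b
    return h % links


def distribute(flows, policy: str, links: int = 4):
    """Map each flow to a member link and report links carrying more than one flow."""
    assignment = {f.name: member_link(f, policy, links) for f in flows}
    per_link = defaultdict(list)
    for name, link in assignment.items():
        per_link[link].append(name)
    shared = {link: names for link, names in per_link.items() if len(names) > 1}
    return assignment, shared


# Constructed: two workstations running iperf clients against one server (port 5201).
IPERF_FLOWS = [
    Flow("ws-a -> server", "00:11:22:33:44:02", "00:11:22:33:44:01",
         "10.0.0.11", "10.0.0.1", 49152, 5201),
    Flow("ws-b -> server", "00:11:22:33:44:06", "00:11:22:33:44:01",
         "10.0.0.12", "10.0.0.1", 49153, 5201),
]

if __name__ == "__main__":
    for policy in ("layer2", "layer2+3", "layer3+4"):
        assignment, shared = distribute(IPERF_FLOWS, policy)
        print(policy, assignment, "shared:" if shared else "no collisions", shared or "")
```

With the MAC-only policy both constructed flows land on link 3 and split it, which is the 50% result the post describes; with IP and port in the hash they land on different links. The practical checks are the hash policy configured on the switch side of the LAG (the direction that carries the iperf data) and running enough parallel streams (`iperf -P`) to see whether the aggregate approaches 4G rather than judging by single workstations.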



Routing issue

TL;DR: The switch pings out. A PC attached to the switch cannot. There is a static route on the upstream router;

==== {switch config} ====

root@EXDEBLSW1> show configuration
## Last commit: 2021-01-28 05:17:12 UTC by NOC
version 12.3R6.6;
system {
    host-name EXDEBLSW1;
    root-authentication {
        -omitted-
    }
    name-server {
        172.16.0.1;
    }
    login {
        message -omitted-
        user NOC {
            -omitted-
        }
    }
    services {
        ssh {
            root-login deny;
        }
        web-management {
            http;
        }
        dhcp {
            traceoptions {
                file dhcp_logfile;
                level all;
                flag all;
            }
            pool 10.1.1.0/24 {
                address-range low 10.1.1.101 high 10.1.1.252;
                router {
                    10.1.1.1;
                }
            }
            pool 10.1.2.0/24 {
                address-range low 10.1.2.101 high 10.1.2.252;
                router {
                    10.1.2.1;
                }
            }
            pool 192.168.240.0/24 {
                address-range low 192.168.240.101 high 192.168.240.252;
                router {
                    192.168.240.1;
                }
            }
            pool 192.168.200.0/24 {
                address-range low 192.168.200.101 high 192.168.200.252;
                router {
                    192.168.200.1;
                }
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    ntp {
        server 172.16.0.1;
    }
}
chassis {
    auto-image-upgrade;
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 172.16.0.2/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members LAN;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members LAN;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members LAN;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members LAN;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members LAN;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members LAN;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members LAN;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members LAN;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members LAN;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members LAN;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members LAN;
                }
            }
        }
    }
    ge-0/1/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members Wifi;
                }
            }
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members Wifi;
                }
            }
        }
    }
    lo0 {
        unit 66 {
            family inet {
                address 1.1.1.2/32;
            }
        }
    }
    me0 {
        unit 0 {
            family inet {
                dhcp {
                    vendor-id Juniper-ex2200-c-12p-2g;
                }
            }
        }
    }
    vlan {
        unit 69 {
            family inet {
                address 172.30.0.1/24;
            }
        }
        unit 99 {
            family inet {
                address 10.1.0.2/24;
            }
        }
        unit 100 {
            family inet {
                address 10.1.1.1/24;
            }
        }
        unit 200 {
            family inet {
                address 10.1.2.1/24;
            }
        }
        unit 300 {
            family inet {
                address 192.168.240.1/24;
            }
        }
        unit 666 {
            family inet {
                address 192.168.200.1/24;
            }
        }
    }
    vme {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.0.1;
    }
}
protocols {
    igmp-snooping {
        vlan all;
    }
    rstp;
    inactive: lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    storm-control {
        interface all;
    }
}
vlans {
    DMZ {
        vlan-id 69;
        l3-interface vlan.69;
    }
    Guest {
        vlan-id 300;
        l3-interface vlan.300;
    }
    IOT {
        vlan-id 666;
        l3-interface vlan.666;
    }
    LAN {
        vlan-id 100;
        l3-interface vlan.100;
    }
    System {
        vlan-id 99;
        l3-interface vlan.99;
    }
    Wifi {
        vlan-id 200;
        l3-interface vlan.200;
    }
    default {
        vlan-id 66;
    }
}
poe {
    interface all;
}

{master:0}

==== Routes ====

NOC@EXDEBLSW1> show route

inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:52:17
                    > to 172.16.0.1 via ge-0/0/0.0
1.1.1.2/32         *[Direct/0] 00:09:05
                    > via lo0.66
10.1.0.2/32        *[Local/0] 01:47:47
                      Reject
10.1.1.0/24        *[Direct/0] 00:52:13
                    > via vlan.100
10.1.1.1/32        *[Local/0] 01:47:47
                      Local via vlan.100
10.1.2.1/32        *[Local/0] 01:47:47
                      Reject
172.16.0.0/30      *[Direct/0] 00:52:17
                    > via ge-0/0/0.0
172.16.0.2/32      *[Local/0] 01:47:47
                      Local via ge-0/0/0.0
172.30.0.1/32      *[Local/0] 01:47:47
                      Reject
192.168.200.1/32   *[Local/0] 01:47:47
                      Reject
192.168.240.1/32   *[Local/0] 01:47:47
                      Reject

{master:0}

==== VLANs ====

NOC@EXDEBLSW1> show vlans
Name           Tag     Interfaces
DMZ            69
                       None
Guest          300
                       None
IOT            666
                       None
LAN            100
                       ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0,
                       ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0,
                       ge-0/0/9.0, ge-0/0/10.0*, ge-0/0/11.0
System         99
                       None
Wifi           200
                       ge-0/1/0.0, ge-0/1/1.0
default        66
                       None

NOC@EXDEBLSW1> show interfaces vlan terse
Interface    Admin Link Proto    Local              Remote
vlan         up    up
vlan.69      up    down inet     172.30.0.1/24
vlan.99      up    down inet     10.1.0.2/24
vlan.100     up    up   inet     10.1.1.1/24
vlan.200     up    down inet     10.1.2.1/24
vlan.300     up    down inet     192.168.240.1/24
vlan.666     up    down inet     192.168.200.1/24

==== Pings ====

> To the port of the upstream router:

NOC@EXDEBLSW1> ping 172.16.0.1 rapid
PING 172.16.0.1 (172.16.0.1): 56 data bytes
!!!!!
--- 172.16.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.616/2.111/2.657/0.361 ms

> To Google DNS:

NOC@EXDEBLSW1> ping 8.8.8.8 rapid
PING 8.8.8.8 (8.8.8.8): 56 data bytes
!!!!!
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 24.043/26.882/32.554/3.248 ms

> To the PC connected on ge-0/0/10:

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix . :
   Link-local IPv6 Address . . . . . : fe80::99e5:e1a3:2d5f:3e8c%13
   IPv4 Address. . . . . . . . . . . : 10.1.1.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.1.1

NOC@EXDEBLSW1> ping 10.1.1.101 rapid
PING 10.1.1.101 (10.1.1.101): 56 data bytes
!!!!!
--- 10.1.1.101 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.965/2.196/2.703/0.260 ms

> From the PC to the switch interface connected to the upstream router:

C:\>ping 172.16.0.2

Pinging 172.16.0.2 with 32 bytes of data:
Reply from 172.16.0.2: bytes=32 time=5ms TTL=64
Reply from 172.16.0.2: bytes=32 time=2ms TTL=64
Reply from 172.16.0.2: bytes=32 time=1ms TTL=64
Reply from 172.16.0.2: bytes=32 time=1ms TTL=64

> From the PC to the router's interface:

C:\>ping 172.16.0.1

Pinging 172.16.0.1 with 32 bytes of data:
Control-C
^C

==== {route table on upstream router} ====

Gateway of last resort is x.x.242.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via x.x.242.1
      1.0.0.0/32 is subnetted, 2 subnets
C        1.1.1.1 is directly connected, Loopback1
S        1.1.1.2 is directly connected, GigabitEthernet0/1
      10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
S        10.1.0.0/16 is directly connected, GigabitEthernet0/1
C        10.1.0.0/24 is directly connected, GigabitEthernet0/1
L        10.1.0.1/32 is directly connected, GigabitEthernet0/1
S        10.1.1.0/24 is directly connected, GigabitEthernet0/1
S        10.1.2.0/24 is directly connected, GigabitEthernet0/1
      x.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        x.x.x.0/23 is directly connected, GigabitEthernet0/0
L        x.x.x.126/32 is directly connected, GigabitEthernet0/0
S        x.x.x.218/32 [254/0] via x.x.x.1, GigabitEthernet0/0
      172.30.0.0/24 is subnetted, 1 subnets
S        172.30.0.0 is directly connected, GigabitEthernet0/1
S     192.168.200.0/24 is directly connected, GigabitEthernet0/1
S     192.168.240.0/24 is directly connected, GigabitEthernet0/1
ISRDEBER1#
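An added example (not part of the post) that runs a longest-prefix-match lookup over the two tables the post shows, so the forward and return paths can be compared. The route entries are transcribed from the post (masked octets kept as the post shows them; the `x.x.x` entries are omitted since they cannot be parsed). The one behaviour the example encodes beyond the tables is standard on Cisco IOS: a static route that names only a broadcast interface with no next-hop makes the router treat every address in that prefix as directly attached and ARP for it on that interface, so the return packet to 10.1.1.101 is only delivered if something on GigabitEthernet0/1 answers that ARP.

```python
"""Longest-prefix-match over the route tables in the post, showing what each
box does with a packet. Added example; tables transcribed from the post."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: str
    interface: str
    next_hop: Optional[str] = None   # None == "directly connected" / interface-only static


# Upstream Cisco router (ISRDEBER1) as shown in the post; masked rows left out.
UPSTREAM_ROUTER: List[Route] = [
    Route("0.0.0.0/0", "GigabitEthernet0/0", "x.x.242.1"),
    Route("1.1.1.1/32", "Loopback1"),
    Route("1.1.1.2/32", "GigabitEthernet0/1"),
    Route("10.1.0.0/16", "GigabitEthernet0/1"),
    Route("10.1.0.0/24", "GigabitEthernet0/1"),
    Route("10.1.1.0/24", "GigabitEthernet0/1"),
    Route("10.1.2.0/24", "GigabitEthernet0/1"),
    Route("172.30.0.0/24", "GigabitEthernet0/1"),
    Route("192.168.200.0/24", "GigabitEthernet0/1"),
    Route("192.168.240.0/24", "GigabitEthernet0/1"),
]

# Juniper switch (EXDEBLSW1) forwarding entries from its "show route".
SWITCH: List[Route] = [
    Route("0.0.0.0/0", "ge-0/0/0.0", "172.16.0.1"),
    Route("172.16.0.0/30", "ge-0/0/0.0"),
    Route("10.1.1.0/24", "vlan.100"),
    Route("1.1.1.2/32", "lo0.66"),
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route covering dst, or None."""
    d = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in table:
        n = ipaddress.ip_network(r.prefix)
        if d in n and n.prefixlen > best_len:
            best, best_len = r, n.prefixlen
    return best


def forwarding_action(table: List[Route], dst: str) -> str:
    """Describe what the box does with a packet to dst given its table."""
    r = lookup(table, dst)
    if r is None:
        return "drop: no route"
    if r.next_hop:
        return f"forward to {r.next_hop} via {r.interface} ({r.prefix})"
    # Interface-only static on a broadcast interface: ARP for the host itself.
    return f"ARP for {dst} directly on {r.interface} ({r.prefix})"


if __name__ == "__main__":
    print("PC -> 8.8.8.8 at switch:   ", forwarding_action(SWITCH, "8.8.8.8"))
    print("reply -> PC at router:     ", forwarding_action(UPSTREAM_ROUTER, "10.1.1.101"))
    print("reply -> switch at router: ", forwarding_action(UPSTREAM_ROUTER, "172.16.0.2"))
```

Two things the lookup makes visible: the router's return path for the PC ends in an ARP on GigabitEthernet0/1 rather than a next-hop, which the Junos side will not answer unless proxy ARP is enabled on that unit (Junos does not proxy-ARP by default), and in the excerpt shown the router has no route at all for 172.16.0.0/30, the prefix the switch's uplink is actually numbered in, while GigabitEthernet0/1 itself carries 10.1.0.1/24. Pointing the static routes at the switch's uplink address as a next-hop instead of at the interface removes the dependence on ARP for hosts behind the switch.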



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Clearpass MacAuth Aruba Switches Issues

Is anyone here seeing non-intelligent devices falling off the network when connected to Aruba legacy and CX switches? We are seeing more and more devices like printers and DVRs fall off the network, and rebooting them seems to fix the issue.



Netbox: Devices not in racks

Netbox users, how do you handle devices that are not in a rack? Examples:

  • Access switch and IAD mounted on wall in telecom space (wiring closet).
  • Smart PDU sitting on floor near a few racks that are in a rack group.

The only idea I have so far is to create a virtual / pseudo rack, perhaps with a -X suffix on its name to denote that it isn't a physical rack.



Cisco Nexus 3172 and vPC AND Port-Channel

So it's been a lot of years since I first did this, and I can't remember how to Google this thing apparently...

  1. I have two chassis that are in a vPC. (Nexus 1 & 2)
  2. I have a VMware host that has two links. One to Nexus #1, one to Nexus #2.

I still need to put those in a port-channel, right? The fact that I have the vPC really just makes the Nexus boxes look and act like a single chassis, right?

Reason I ask is that I CANNOT get one leg of the server to member up on Nexus 2 but it does on Nexus 1.

Is my thinking correct on this?



Networking setup question/recommended solution

Hi everyone,

Doing a setup for a business and am a bit confused on how best to do this.

DSL is all they have to work with in the area, and they are currently running a modem/router combo to use VoIP office phones, a file server and Wi-Fi. There is a Wi-Fi booster on the upper floor but it uses a different SSID than the main unit.

I need to bridge the LAN to a shed behind the main building (about 50 feet away). I ordered a Ubiquiti Loco M2 NanoStation to mount on the outside of the shed to connect wirelessly to the main network and drop Ethernet to a control panel on a kiln inside the shed. The idea is to be able to read data off the kiln from the main network. Can the unit I have handle this by itself?

I've heard that I would need a second Loco M2 to receive the beam from the shed. I only have a Wi-Fi booster in the area I would beam to, so in theory if I connect a second Loco M2 to the Or is there a better solution?

Thanks in advance



Network Event Logs forwarding best options paid or free

Hi everyone,

Network technician here. I love network automation; however, I'm just learning how to do that better. Currently I check manually about 60 servers and their event logs daily. This is very time-consuming and very inefficient, so I have looked into setting up an event log server to collect all event logs.

I would like your advice as to what the best event log collectors are and whether they are free or not. Is your suggestion scalable? And could I roll it out with GP?

How much time do you spend looking at your event logs? I spend 2 hours a day doing this. I am in a small to medium-sized business of about 500 users and I am also part of 2 other smaller companies.

We have very little automation. N-central is the tool that we have for our remote software, and I have looked into the event log reports there but didn't find them functioning in any useful way.

Thanks in advance.



Does anyone run Cisco C1000-8P-2G-L? Unclear on whether they're integrated power or an external brick.

Pretty much what it says on the tin: I can't find any reliable evidence of whether the C1000-8P-2G-L (not the C1000-8P-E-2G-L, which seems to indicate that it's explicitly external) has an integrated power supply with a C13-compatible port. Is anyone running one who can take a photo of the back for me?



Android access point via USB to laptop and then share that connection.. Help!!!

Hello guys, I'd like to ask for your help. I am using my Android as a tethered access point via USB directly to my PC (where I live we don't have a phone line). I tried to connect a 5 GHz Wi-Fi router via Ethernet because I want to cast something to a 5 GHz Wi-Fi device (Oculus Quest), and unfortunately, even though the internet icon shows that I am connected, there is no actual connection (no internet, pages not loading, etc.). When I disconnect the Ethernet, the pages immediately load normally and I have internet. Is there a way to solve this? Like sharing the connection of the USB internet to the Ethernet, I mean like this: Android phone (internet sharing via USB) > laptop > Ethernet > router > Wi-Fi > device (Oculus Quest)

Sorry for my terrible English guys, thanks in advance.



Spectrum Blocking Network Traffic

Hey everyone, I've been experiencing a problem I've never had before but have heard of other people having.

No external connections are able to be made with my network.

My friend gets a timeout immediately when my IP gets pinged. The traceroute dies at the same Time Warner router every time, in one of the major cities nearby.

I've ensured there are no restrictive firewalls on my end to confirm that this isn't a me issue, and it is in fact on the ISP. I've spent 4 hrs with them on the phone, because I want to be able to host game servers for friends again. They assured me I should be able to do so without restriction, and are blaming my hardware (modem + router); however, this is known good equipment that works at other locations, and their own equipment doesn't even work.

They've escalated my ticket to the network engineers multiple times, only for them to kick it back and blame my hardware and my end, probably without even reading the ticket.

What specific thing can I tell them to do to get the right person to fix this?



elevator phone line options?

I have about 8 elevators connected to a VG224. We have 7 of these VGs to service fax lines and other things, but man, is it a pain. I have a ton of dead ports and the VG is no longer supported. We've been moving faxes to ATAs. What are my other options besides an ATA or POTS line? I know that the ATA can't be powered for 3 days off the UPS that also powers our switches.



Dual-Internet Connection "Bonding" via OpenVPN

Hi all :)

I've an interesting problem/requirement that I wanted to see if anyone had any ideas as to how to implement it. If this sort of thing isn't destined for this sub, suggestions as to where/who may be able to provide input would be most appreciated.

I've a setup consisting of 2 vDSL internet connections, 2 different suppliers, both with static IPs. Quoted the standard 80Mbps DL/20Mbps UL which I get on both connections without issue. It's nothing special, just your standard BT-Infinity-esque equivalent. Currently load balanced via a Ubiquiti EdgeRouter 4 and I can happily get 143Mbps - 145Mbps DL and 30Mbps - 45Mbps UL. Everything on that front works very well. Weighting is 45%/55% and gets changed as things get busier.

I've also a dedicated server in the cloud that has a 1Gbps symmetric connection that I often connect to and sshfs mount for transferring files and running jobs etc.

I've a couple OpenVPN connections coming into the property too from other sites that share resources across the network, but that's just to paint a slightly bigger picture of where I may use this "solution".

Staying with the dedicated server for a second, what I'd like to know is, is there a way that anyone can think of (perhaps via OpenVPN or some related tech) to establish a tunnel between the server and each of the 2 vDSL connections, then "bond" them across the tunnel so each end sees the 2 tunnels as one, giving me the full potential of both connections? I've considered creating 2 connections into the network from outside and using EIGRP to advertise the same network across the 2 OpenVPN tunnels, but this seems overkill and I don't think it would "bond" the interfaces in the way I'm expecting.

As you'd expect, at present, whenever I create an SSH connection to the dedicated server, it only does so over a single vDSL connection, decided by the router as whichever isn't busiest at the time. But I'd like to be able to connect to the server via both connections and get 140Mbps down from the server as opposed to just the 70 on one connection.

It's not critical of course, but it would certainly be nice to have and something that could be used in the future for a couple of sites I manage that have multiple internet connections via the same/different carriers.

All comments and questions welcome,

Thanks in advance :)



When my partner connects to my internet, he has lag spikes and loses connection

I have a 100 Mbit connection and I never lag out on any of my devices (rarely on wireless). My internet is wired through PS4 and PC, wireless on phone. He brings his laptop when he visits me so we can play WoW together, but the problem is he very frequently gets lag spikes. This never happens on his own network or any other Wi-Fi (he travels). At first we thought it was because he's on wireless, but when we used my PS4 cable the issues remained. Does anyone have any idea what can be done?



Typical IP-Address usage per Device

I currently study computer science and came across a question from my prof which he couldn't or wouldn't explain to me. According to my professor one has to usually plan for 2.5 to 3 IP addresses per physical device connected to the network. 2 IP addresses kind of makes sense to me, as there could be some devices like notebooks where a LAN or WLAN connection with a different MAC is possible, so therefore 2 would make sense.
Not counting virtual servers, obviously.
I'm interested to see if someone has an explanation for his assumption or if you've had different experiences.



In a Jam with a Cisco ASA 5512

So I just took on a new client with an ASA 5512 that's not under SmartNet. I don't sell a lot of Cisco anymore. But I need to configure an AnyConnect SSL VPN for them, and I can't download the AnyConnect head-end client that gets loaded into the ASA flash since I don't have SmartNet.

I found one FTP site on the internet that had it, but with all the recent goings-on I feel weird not knowing if it's legit. Can anyone help?

Thanks.



Group Policy Setting Blocking Home Connections (Connect Automatically Won't Save)

This isn't my area of focus at my workplace, but I got involved because of the network aspect. We have a group policy setting so that when a university-broadcast secure SSID is in place, it uses their credentials pre-login and connects; however, when users go home, such as during the pandemic, we've got an issue where Windows 10 won't auto-connect to their home SSID upon a reboot. Is there a setting in group policy our desktop team has overwritten, or does anyone know of something similar?



Cisco C9500 MTU

Hi!

We just received our new C9500 core switches. I saw that system mtu was set to 9100 by default.

New SVIs are also 9100. Will this affect performance, considering the users in these VLANs are at 1500?

We will also have an SVI for the upstream firewalls (the firewalls are using 1500).

I know that putting a jumbo MTU on L2 interfaces is generally harmless, but what about L3 interfaces (routed port, SVI)?

I can't seem to understand how everything fits together (L2 vs L3 MTU, etc.) and what the best practices are.

Thank you for the help!
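An added example (not from the post) of the arithmetic behind the L3 MTU question: the L2 MTU only bounds what a switch will carry, but the L3 MTU of the egress interface decides whether a routed packet is fragmented, dropped with an ICMP "fragmentation needed" (DF set), or sent whole. The MTU values are the ones the post names (9100 on the SVIs, 1500 on the hosts and firewalls); the packet sizes are constructed. The point the numbers make is that with the SVI at 9100, the switch considers a 9000-byte packet deliverable into the VLAN and does not fragment it, so a 1500-byte host simply drops it; nothing breaks as long as every sender in the routed domain keeps to 1500, because 1500-MTU hosts never emit anything larger.

```python
"""IPv4 fragmentation on a router's egress interface, and whether the frames
that result fit the receiving host's MTU. Added example with constructed sizes."""

IPV4_HEADER = 20


class FragmentationNeeded(Exception):
    """Where a router would return ICMP type 3 code 4 (DF set, packet > egress MTU)."""


def fragment_ipv4(total_length: int, egress_mtu: int, df: bool = False,
                  header_len: int = IPV4_HEADER):
    """Return the fragments leaving the egress interface as
    (offset_in_8_byte_units, fragment_total_length, more_fragments).
    Every fragment except the last carries a multiple of 8 payload bytes,
    as the 13-bit fragment-offset field requires."""
    if total_length <= egress_mtu:
        return [(0, total_length, False)]          # sent whole, no fragmentation
    if df:
        raise FragmentationNeeded(f"packet {total_length} > MTU {egress_mtu}")
    payload = total_length - header_len
    chunk = (egress_mtu - header_len) // 8 * 8     # largest 8-aligned payload per fragment
    frags, offset = [], 0
    while offset < payload:
        size = min(chunk, payload - offset)
        frags.append((offset // 8, header_len + size, offset + size < payload))
        offset += size
    return frags


def accepted_by_host(total_length: int, egress_mtu: int, host_mtu: int,
                     df: bool = False) -> bool:
    """True when every frame the router puts on the wire fits the receiving NIC."""
    try:
        frags = fragment_ipv4(total_length, egress_mtu, df)
    except FragmentationNeeded:
        return False
    return all(length <= host_mtu for _, length, _ in frags)


if __name__ == "__main__":
    # A 9000-byte packet routed out a 1500-byte interface: 7 fragments.
    for frag in fragment_ipv4(9000, 1500):
        print(frag)
    print("9000B via 9100 SVI to 1500 host:", accepted_by_host(9000, 9100, 1500))
    print("9000B via 1500 SVI to 1500 host:", accepted_by_host(9000, 1500, 1500))
    print("1500B via 9100 SVI to 1500 host:", accepted_by_host(1500, 9100, 1500))
```

The practical check that follows from this is not the SVI value itself but whether any host or server in the routed domain has a larger MTU than the others it talks to; if jumbo frames are wanted for a storage or backup VLAN, both ends of every such path, including firewalls, need matching values or path MTU discovery (DF + ICMP) has to be allowed end to end.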



Creating another raid array after creating a raid and install os on it

Hi all,

I want to create another RAID array on an existing server. I previously had 8 x 2 TB hard drives as RAID 10, and I have installed ESXi on it and am using it as a backup for all the other ESXi hosts in our data centre.

But I'm getting low on storage and I want to increase it, as 4 more drives can be put in there.

As it is a critical situation and I cannot lose data, is it possible that I put in more drives and create a second RAID array?

So I can move something onto that. Will this affect my main RAID array?

Server: Dell R730xd

1 GB RAID card



alias command equivalents?

Hello. I have been doing some work with the Cisco IOS alias command. And unfortunately some of our other switches do not support that command.

I wonder, is there an equivalent of the same command on the following series of devices:

  • Cisco small business switches
  • Dell N 40xx switches
  • Linksys enterprise switches (old SPS and similar)
  • Ubiquiti EdgeSwitch



Noisy network switches

Just wondering if anyone here has tried swapping out the stock fans in a 1U network switch for something quieter?

I have a Force10 S50V and it's very noisy, so I'm thinking about doing this to try to quieten it down a bit. It uses a bank of 6 40x15mm Delta fans, but I'm struggling to find a suitable replacement.

Any advice or pointers gratefully received.



ASR1002 : Overrun errors

I'm trying to pinpoint the reason I'm seeing intermittent bursts of overrun errors on an ASR1002. Quite large bursts as well, up to around 400,000 in a short 10-minute window.

The ASR1002 has the ESP-10 and 2 x 10Gb line cards. It just has one 10Gb uplink and one 10Gb to our supplier, on which we have a few hundred customers.

Anything you look at online says that overrun errors are caused by the router receiving more traffic than it can process in time. We've been monitoring the traffic very carefully and we are averaging around 1.1Gbps to 1.5Gbps through the device.

Now it's possible there is some very bursty traffic causing this, but we haven't been able to spot it with SolarWinds or NetFlow enabled on the router. But to be honest, even if it was a sudden microburst I don't think it would take it above the router's capacity, and all the customers which hang off the router have designated bandwidths so they could only burst up to their allocation. Still, it's possible and something we are looking at.

As we couldn't find what was responsible, our next thoughts were:

  • Faulty optics
  • Faulty line cards
  • Faulty fibre
  • and finally, a faulty router

They've all been replaced and we still see the overrun errors. It happens maybe 4 times a day (some days not at all) and over a day we can run up to around 1 to 2 million overrun errors.

I've got a Cisco TAC case ongoing but they are being pretty useless at finding the cause. They keep basically reading off the Cisco literature and advising that the router is hitting capacity, despite them enabling an event manager script to capture traffic on the router and it not actually finding anything of significance.

So I've bounced it back to them several times and it's still in their hands.

One thing I have noticed, which may not be of significance, is that when I compare this ASR1002's 10Gb link to our provider with our others, this 10Gb has 'route cache' counters incrementing. Not a huge amount, about 5 a second, but I don't see this happen on any of our other ASR routers, which have identical setups and similar throughputs.

All my reading on the route cache doesn't really point me to an issue, but I can't figure out why this one would be incrementing. We've gone down the line that maybe our 10Gb provider is having issues and it's causing buffers to fill up between our ASR1002 and their equipment, which then causes the overruns.

The last direction we are looking into is whether someone is sending a certain type of traffic through the ASR at certain times of day which is causing issues. This is where we've enabled NetFlow to try to see if there is a pattern to what data is going through the ASR when these events occur.

So far no pattern that we can see. We see some high amounts of ESP traffic going through, but nothing crazy or of concern.

Looking to see if any of you guys/gals may have experienced anything similar? Thanks



Opensource NAC

Hi

I have been looking into different NAC solutions. Does anyone have some good suggestions for a good NAC solution? I have heard PacketFence is good, but I am not able to install it currently; something is wrong with the install. Any other suggestions?



SFP Link Negotiation

In principle kind of a broad question, but I’ll provide the specific scenario:

I’m designing a topology for a DMZ in our org, and my constraints are that I have to repurpose hardware from a decommissioned site to do so. It’s not too bad, it could be far worse, but my current bottleneck is the router.

The router in question is a Cisco ISR 4430. It notably lacks any 10 gigabit ports, copper or otherwise. On the other end of things I have a handful of Netgear switches that will be separated into two stacks that will converge on the router via separate interfaces. One is an M4300-12x12F and the other an M4300-28G-POE+. Due to the limitations, I can't spare any RJ45 connections to uplink these switches to the router, only SFP+ 10 gigabit ports. The only SFP/SFP+ modules I have are fibre, no copper.

Preferably I want to make it as easy as possible to insert a replacement router down the track that is capable of 10 gigabit, so question is - if I use 10G Fiber SFP+ modules on the switches, and connect to 1G Fiber SFP modules on the router, will link speed auto negotiation occur the same as with RJ45 Ethernet? Or will I need to use a 1G Fiber SFP module in the switches to compensate and replace them with 10G when a better router goes in?



Wednesday, January 27, 2021

EdgeRouter ER-X connection to Unifi USG with Load Balancing

What I am trying to achieve is to load balance 2 x 50 Mbps DSL lines and 1 x 100 Mbps cellular with the EdgeRouter and then pass the combined lines over to my existing USG 3P. I am trying to achieve high speeds on the cheap without switching systems or product lines (I already have UniFi APs, the USG and some small non-rack-mount switches). Basically, is it possible to connect my 3 incoming internet lines to the ER-X, let it handle the load balancing, and then connect the LAN port of the ER-X to the WAN port of the USG? I would also like to be able to do port forwarding on the USG, which I am guessing means I would need to set up a DMZ on the ER-X. If this is possible, will there be a way to forward an FTP server, for example, and have it utilize the combined upload speed of all the lines?



Need assistance with some TCP config options on a Cisco router

Hi all,

I have been asked to change from defaults to the following settings on one of my networks. I was provided the following 4 settings that seem to be from a Fortinet firewall; however, I am using a simple Cisco 881 router at this small remote site acting as a firewall.

set tcp-option enable
set tcp-halfopen-timer 100
set tcp-halfclose-timer 100
set tcp-timewait-timer 100

If anyone has any clue if it's possible to mimic this on a Cisco 881, along with what commands I would need to use and which mode (e.g. global config, interface config etc.) it would be greatly appreciated!



Cisco or Google?

Suppose I get offered a job at both, which of the two would be better, CV-wise?

And how would the two compare in terms of work culture?

As you can understand "a friend of mine" is in this situation.

Thanks!



Looking for Automation Platform/UI Suggestions

To make a long story short, I'm looking for some software suggestions or alternative ideas.

I work at a company where we leverage Ansible for network and server configurations. Those scripts are executed through Ansible Tower. However, our general user base uses an internal website we've built using Django/Apache to have custom UIs for every script we have to allow for a wide range of configurations.

We want to build a new site of UIs that is built using React/JavaScript. Instead of building it up from scratch, we were hoping that there would be some sort of automation suite that we could leverage to host automation apps that make the API calls we need to get things executed. Itential's Pronghorn is one such example, but looking for alternatives.

Thanks in advance!



Random Timeout Issue

Here goes my shot in the dark. And of course the job of the network engineer is to prove it's not the network.

Anyways, seeing a random timeout issue going across our 2 networks, our production and test environments. When viewing a webpage, you will get a page that never loads and just keeps spinning (even odder, in Chrome, near the bottom it shows the URL and it's googletagmanager.com, weird as crap). Again, when you visit a page or site, it will just stay stuck loading, and if you click refresh everything is happy.

It happens on external pages and internal pages, on both networks/domains. The only thing the two networks share is one of our perimeter firewalls. Tried with no web proxy; no WAN errors or routes, nothing out of the norm for switches/routers/firewalls. CPU/memory is fine. Even tried when our WAN is hardly being used. Mostly a Cisco shop, but it's been happening for a little over a month and everyone is going crazy trying to figure out what is happening.

I've looked at everything I could except a Wireshark capture to see if it's just never receiving the rest of the web page.

Any suggestions on places to dig deeper?



Any Wireless Engineers in the House?

Hi everybody,

Maybe it's random, but I was just interested in some feedback from wireless engineers and designers. What do you like about the role? What don't you like? I've done some wireless design and implementation, and it's a pretty fun specialty that blends traditional networking with science and blue collar work, but it also seems there's a lot of pushback from customers/users who pull the "well in my wireless network at home" line or are convinced wireless is perfect magic.

Let's hear some thoughts!



Cisco ACI

In general, what does everyone think of Cisco ACI? I'm thinking of making the plunge into it.



Validate matched class in COPP?

I am on a network with a lot of control plane policing. Is there a quick way I can validate which specific class-map inside of my policy-map a specific piece of traffic is hitting? I'm sure a problem I'm facing is to do with CoPP, and I won't be allowed to remove the service policy, so I need a way of validating which line in the policy-map I'm hitting. I was hoping there was some sort of #test policy-map kind of command (you know, like how you would test aaa or test which port on an etherchannel you get load balanced out of), but I don't see it.



Bandwidth calculation for WAN

Hi

We need to determine how much bandwidth we need for every office.

Anyone have a good site to calculate it?

Kind regards,

David



Remote in to Firewall

Hey everyone,

Pretty broad question, and I'm not sure why I couldn't find any direct answers online. Let me give an example.

If we have a brand new site, with only an ISP feed coming in, and I want to install/hook up a firewall and remote in to it to configure, is the easiest way to simply configure the WAN/Mgmt interface as DHCP or Static, plug it in directly from the ISP handoff, and remote in to the device via the public IP? For e.g., a PA FW, have the tech log in, configure the mgmt interface for DHCP, allow SSH/HTTPS (should be enabled by default), and then connect to it remotely? Is there an easier way to gain access to a remote box for provisioning, in a situation where the tech is not familiar or comfortable with configuring the FW (tech is just there to plug in cables/hardware)?

Thanks



Cisco ASA hit counters

Do any of you know what the maximum size of an ACL rule hit counter in ASA is?

I know that it allows 32 K flow logs but can't seem to find the max hit counter anywhere.



Planning my first small/medium business network overhaul

Let me begin by saying, I am a software engineer, my B.S. is in applied math, but I have worked the last few years in college as a sysadmin for a small company. Before moving into my new role as a software engineer, I have a big job of reworking the network while working with consultants to meet NIST 800-171 + CMMC Level 3.

I understand static and dynamic vlans, DHCP, and subnetting on their own, but I am having trouble planning how they should all work together.

I have 2 locations with new Sophos routers, the one smaller location just has 1 48 port L3 switch with a main VLAN and VoIP VLAN. I am planning the setup for the larger location that has 4 48 port stacked L3 switches, 1 48p distro switch, and 2 24p distro switches.

MY QUESTION: I have planned out which ports will have which VLAN tags, which ports will be LAG/trunk, but do I need separate subnets within a single location? (Both locations are on different subnets.) Also, we use Windows Server 2019 for DHCP; how do I set up DHCP for different VLANs?

I also want to use LLDP for trunking ports where the VoIP connected to the wall and the PC connects to the VoIP, but would that require dynamic VLAN rather than static?

The core switches are Dell PowerConnect 5548 and my distro switches are Ubiquiti Unifi L2 gen 2.

Thanks for the help!



Moving from ACS/ISE to Clearpass for TACACS

I need to replace a Cisco ACS server soon as it is well past EOL and Adobe banning flash has now killed the reporting functionality completely. It is only used for AAA TACACS for about 300 devices.

The most straightforward path is to ISE with device management licensing but I have been looking at alternatives and am considering Aruba Clearpass as an option.

Anyone else gone the Clearpass route? How did it work out for you? Did you have to live with losing any functionality?



VPN beginner here, explanation needed

Hi people

I have always been interested in using VPN but never really paid too much attention to it, until now. I have a number of questions that hopefully you guys will be able to provide the answers for. Let's get straight to it:

  1. Does using VPN mean I can use any public wifi (restaurants/cafes/hotels/airports) and be 100% worry-free?
  2. How exactly do you use a VPN? Is it: connect to internet, turn on VPN, start browsing? or is it turn on VPN, connect to internet, start browsing?
  3. Let's say I decide to use VPN. Is the VPN going to be connected to my device/computer or will it be to the ISP? I ask because I am living with my brother. The question is, if I use a VPN, will it be only for my computer, or will it be connected to the ISP as well, in which case my brother will be able to use it as well?
  4. Is it normal to use VPN most of the time, when you connect to the internet?
  5. As long as I use VPN, connecting to public wifi and checking my social media accounts, my bank accounts, etc. will be safe, correct?

That is all. Thank you for reading



Free Next Generation Firewall -Jam session 2021 ~ 1 Hour

You just have to

  1. See the videos, it's just 1 hour

  2. Provide detailed Review and Ratings

  3. Share with Friends and Colleagues

https://www.udemy.com/course/next-generation-firewall-jam-session-2021/?couponCode=FREE-3-DAYS



Blacklisted devices

Hello,

I was searching information but without success.

For some reason my router blocks some of my home devices and it adds them to the blacklist. Can't find why this is happening.

Suggestions?



Guidance on Cisco AP drywall ceiling mounting.

Their deployment guide glosses over drywall ceiling mounting and adds some nonsense about buying the right angle Oberon mounts. Anyone have any success with mounting 2800/3800 series APs to normal ceilings and not drop ceilings? Worried about pull out using regular drywall anchors.



Tuesday, January 26, 2021

Best documentation tool for storing circuits and related VRFs etc

We are currently using an Excel document to store various details such as the VRFs used by a VPLS, their locations and IDs along with xconnect src/dst/ids etc.

After moving all our IP addressing into Netbox, and being unable to find a good way to store the above in Netbox, what does everyone else use for these types of details?



Meraki Auto-VPN/SDN Competitors

I was looking at Meraki with their auto-VPN and cloud SDN

Are there competitors in this space? I'm a noob but I understand multi site-to-site at an EdgeRouter level, but I'm looking for a solution where the primary connection point for multiple sites is in the cloud.

We are a building automation company - trying to come up with a good way to bring all our sites (200) for a customer into our office for remote connection, but we like the idea of this VPN being hosted in the cloud and we just have another VPN endpoint at our office (so we could VPN into that network from other places directly from PC as well).

I may be missing the appropriate terminology (site to cloud?) for research here to properly find the options. I know Ubiquiti has UNMS and Meraki has auto-VPN and their cloud SDN (fancy!) but I don't see a lot of others especially where they all connect to a cloud hosted network that we can in-turn connect to.

Ease of setup is obviously a plus, I know Meraki seems to be the thing but the money isn't there for Meraki in this wonderful economic time.



I am looking to buy 10G-EPON OLT.

Hello Everyone, I currently have 1.25G-EPON OLT and I want to upgrade to the 10G-EPON OLT. So here are my questions.

  1. Does 10G-EPON OLT have a 1:128 splitting ratio?
  2. Will my existing EPON ONU work on this new OLT?
  3. Can I use XPON ONT on this new OLT? Will my existing XPON ONT work on this new OLT?
  4. Where can I buy this OLT and what will be the expected price?

I searched for the 10G-EPON OLT and came across this Telesail TP5500-10G EPON OLT, 8 PON Ports Layer 3 Ethernet. It is said to have a 1:128 splitting ratio on the EPON OLT. I need the OLT to be shipped to India. (Sorry for my bad English)



My boss can't afford a professional and I'm the most tech-savvy employee she has, though only by default. I have a month to fix her outages or else we have to use cellular hotspots for the biggest money-making event this quarter. Our ISP has officially given up on us. Help with a speedrun?

I'm not exactly a genius, everything I know about networking comes from Linus Tech Tips videos. That said, here's the situation as of when I was set to the task:

  • At peak, we have 10-20 employees and several dozen customers using the internet at once.
  • Internet (Spectrum) comes in via a coax cable that gets split four ways. Three go to different modems, one goes to who knows where. Or at least I assume it works like that, because I need to at least pretend I understand something about all this.
  • Of those three modems, one is an Arris 1602 and the others are Arris 1670 modem/router combo units. I have no idea if those are good enough as modems for our network requirements, but the router on the 1670 we use (the 2.5gz network is reserved for guests) just dies during peak, and the connection drops out- not slow internet, the network just drops your device.
  • The other 1670 only really exists so employees can try to connect to it when the other networks fail. It doesn't do a great job of that. It does connect to a RasPi TV showing ads and a mysterious, unmarked grey box that nobody knows the purpose of. It also connects to a PoE wall plug injector, which only has one plug for power out. Why is this going into an already-powered router? I don't know, but wish I did.
  • The 1602 wasn't actually being used, but it was plugged in, connected to an inline PoE injector which itself powered a Ruckus r500 (the only router that looks like it can handle this many customers, which naturally was only used by half of the office staff). For some reason, it didn't actually provide data, so instead of fixing this the Spectrum guy apparently decided to just plug it into a 1670 while leaving the other cable uselessly connected.
  • There's a Cisco 24-port switch of some kind that says "10g/100g" as well as "PoE" on it, so I assume it's good for something, but it's not being used for any of the actual networking. I think it's used for the phone lines, but I don't know for sure because this whole building is an absolute mess of cables. This is a retrofitted warehouse, so no actual ceilings, just steel girders with wires hanging off of them. None of the cables are marked in any way.
  • The front office are all equipped with laptops, but can't use wifi due to aforementioned issues. Instead, they run on a massive tangle of wires, one of which is a cheap 5-port switch daisychained off of another cheap 5-port switch all the way back at the main hub/rat's nest.
  • None of this mess is in a server room or anything, it's just mounted on a wall by the door. And by mounted, I mean some of it is screwed into the drywall and some is just dangling by its own cables. The cables are strapped to power lines whenever they're going the same direction.
  • The public router still uses the default admin password.
  • Not really network related, but there are UPS systems everywhere, and none of it is actually applied to anything. Most of the equipment is tied to one with a dead battery and nonfunctioning battery plugs, so it's just a really heavy power strip. Another is only connected to a printer- the battery isn't even inside the device for this one, it's just sitting to the side with bare wires exposed. Another goes into a room where the only powered devices are laptops. I think (hope) one of them powers the security cameras, but it sure doesn't power the alarms.

The actual issue is that, aside from the public network not working under load, the main issue is that sometimes the networks just stop working. It's either "Connected, no internet", or trying to connect gives you an infinite loading screen. It happens with no warning and lasts anywhere from a few seconds to the better part of an hour. On some of the older devices we have, a disconnect breaks the internal antenna so that it won't pick up signals at all until it's rebooted. Obviously, that's not great when you have business-critical stuff that depends on the internet. Spectrum insists they don't see any outages on their end, so either they're wrong or the mess here is to blame. You can guess which I'm leaning towards.

What my instincts are telling me to do is rip everything apart, then just go modem ==> switch ==> everything else, but this is a business environment and IDK if that's a good idea or would even solve my problem. I'm coming in early tomorrow to try and get more info when no customers are there to be annoyed by falling dust and cat 5e cables. If there's anything I should try to find out let me know.

Edit: we probably need some kind of monitoring system or... something, but I wouldn't even know where to start.



Opinion on interview format for junior Netops/Linux hires

Hi folks,

I'm hiring a couple of people in my team for a 2-4 yr experience netops/linux role. I wanted to flesh out their ability to think rather than memorize (see https://www.youtube.com/watch?v=g35UumfZ-H4). I'm looking for feedback on a new format I wanted to try:

The ask for the candidates will be to document (diagram and build sheet with commands) for, let's say, ansible, rundeck, and nginx to return a value from a switch/firewall/router. They would take this home for homework to present at the technical interview. During the 2 hour technical interview they would validate their work by building the systems using their documentation. The discussion would be around how they could improve the systems, through security/redundancy/virtualization. I'm looking to see how well they understand the systems, and how they react to suggestions/mistakes. I want to see examples of their work and how much effort they're willing to put in.

My boss is concerned that people will "cheat" by getting help on the work, but I think this will be easy to detect during the discussion. He suggests that we get them to build the system live without any foreknowledge, but they are allowed to use the internet or ask questions for help.

What are your thoughts, or what worked well for you? And just a point that 80% of our day to day work in the network infrastructure team is actually working with linux based operational support systems.



Current dilemma

Hi all, I've got a weird one that I've never attempted before. The customer has a 1Gbps fibre connection coming in to their Tanglewood property. The homestead is about 2.56 km away from where the fibre connection comes in. The customer's router, switches and wireless access points are all at the homestead and other connected offices via fibre, and has a few VLANs: VLAN1: Management (switches, routers and wireless access points), VLAN10: Admin network (customer network, PCs, printers etc), VLAN60: Security network (CCTV, access control etc), VLAN120: Guest network (any visitors can sign in on this via WiFi and cannot access any internal devices). They also have an existing point-to-point internet connection coming into the office that is sent up to the homestead via a fibre core into their router.

Currently there is no link from the homestead to Tanglewood where the fibre is coming in, and there are a lot of hills and trees in the way. Can I send the fibre connection, which will be a static IP, to the homestead where the router resides via a series of wireless point-to-point connections over Ubiquiti airFiber, and send the different VLANs so Tanglewood has access to the LAN?




Log and Report Weak Cipher Traffic On The Network?

We plan to enforce TLS 1.2 as a minimum on the domain.

What methods are available to log and report when TLS 1.1 or anything else weaker is being used, so the offenders can be remediated before enforcement is enabled?

Can some kind of network scan be done that can create readable reports of senders and receivers of this traffic? We want to be able to use the report to contact server and app admins to tell them to reconfigure/update their systems before the date enforcement starts.

Do any Cisco routers, switches or IDS have this type of functionality built in?
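One way to get the sender/receiver report the post asks for from a packet capture, as an added example that is not from the original post: parse TLS ServerHello records (the message that fixes the negotiated version) and flag any session below the TLS 1.2 floor. It assumes traffic has already been captured and reassembled into (src, dst, payload) tuples by whatever tap, SPAN port or capture tool is in use; the sample records below are constructed by hand for the demo, not real traffic.

```python
"""Flag TLS sessions negotiated below TLS 1.2 from captured ServerHello records.

Added example, not from the original post. Input is assumed to be a list of
(src, dst, payload) tuples produced by some capture/reassembly step; the
SAMPLE records at the bottom are constructed for the demo.
"""
import struct

TLS_NAMES = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
             0x0303: "TLS1.2", 0x0304: "TLS1.3"}
MIN_OK = 0x0303  # the planned floor from the post: TLS 1.2


def server_hello_version(payload: bytes):
    """Return the version the server selected, or None if not a ServerHello.

    Caveat: a TLS 1.3 server writes 0x0303 into the legacy version field and
    carries the real choice in the supported_versions (0x002B) extension, so
    that extension takes precedence when present.
    """
    if len(payload) < 9 or payload[0] != 0x16:        # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:                  # 0x02 = ServerHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 38:                                # version+random+sid_len+suite+comp
        return None
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                      # skip server random
    sid_len = body[pos]
    pos += 1 + sid_len                                # skip session id
    pos += 2 + 1                                      # cipher suite + compression
    if pos + 2 > len(body):
        return version                                # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0x002B and elen == 2:             # supported_versions
            return struct.unpack("!H", body[pos:pos + 2])[0]
        pos += elen
    return version


def build_server_hello(version, selected=None):
    """Construct a minimal ServerHello record for the demo (constructed data)."""
    ext = b"" if selected is None else struct.pack("!HHH", 0x002B, 2, selected)
    body = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"  # random, empty sid
            + b"\x00\x2f" + b"\x00"                                # suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0303, len(hs)) + hs


def weak_tls_report(packets):
    """packets: iterable of (src, dst, payload). Returns (src, dst, version) rows
    for every ServerHello below MIN_OK; src is the server that chose the version."""
    findings = []
    for src, dst, payload in packets:
        v = server_hello_version(payload)
        if v is not None and v < MIN_OK:
            findings.append((src, dst, TLS_NAMES.get(v, hex(v))))
    return findings


# Constructed sample capture: two weak servers, one TLS 1.2, one TLS 1.3, one app-data record.
SAMPLE = [
    ("10.0.0.5", "10.0.1.20", build_server_hello(0x0302)),
    ("10.0.0.5", "10.0.1.21", build_server_hello(0x0303)),
    ("10.0.0.9", "10.0.1.22", build_server_hello(0x0303, selected=0x0304)),
    ("10.0.0.7", "10.0.1.23", build_server_hello(0x0301)),
    ("10.0.0.7", "10.0.1.24", b"\x17\x03\x03\x00\x05hello"),
]

if __name__ == "__main__":
    for src, dst, name in weak_tls_report(SAMPLE):
        print(f"{src} -> {dst}: negotiated {name}")
```

Feeding real captures only needs a replacement for SAMPLE; the server address in each row is the one to hand to the app owner, since the server picks the version.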



Cisco introduces micro switches

Cisco unveiled their catalyst microswitches. Anyone seeing a use case in the enterprise world?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Tool to generate network devices configuration - Template Text Renderer

Hi Folks,

Wrote Template Text Renderer tool to facilitate the process of generating static text files using templates: TTR docs

One of the first use cases that pushed me toward creating this tool was a need to produce configuration files for network devices out of Excel spreadsheets.

TTR is a pluggable framework that can take data from various sources, combine it with templates and produce text output. Additional plugins can be added to support other formats and rendering engines.

It also comes with a collection of Jinja2 templates, not much in it yet, but capability is there.

For examples reference quick start or CLI tool or XLSX loader docs.

Would be glad to hear what you think.

To anticipate the question around why to use Excel as an LLD, well, say you need to generate configuration for 50 devices as fast as you can; putting things in CMDB/DCNM of some sort might not make sense, as things might change over time.

What makes sense, IMHO, is to use some form of inventory that is human friendly, easy to create, update, share, review, import in CMDB/DCNM later on etc. It happens that such an inventory usually is some form of spreadsheet or text database like YAML.

TTR can take that inventory and generate configuration files for you, provided that inventory data is structured in a way compatible with TTR in the first place.



What is the point of a DMZ / how does it work?

I understand what a DMZ is, I'm just a little fuzzy on how it works.

You can use three NICs coming off of your FW or router: 1. the WAN, 2. the LAN, 3. the DMZ. Or you can sandwich the DMZ between two firewalls with the LAN behind the second FW.

But say you have a webserver in the DMZ. That webserver can still reach into the LAN and connect to the database server, load balancer, etc. I see how you gain more control, but I don't see how you gain security. Couldn't you just achieve this with firewall rules / policies?



Tool to generate network devices configuration

Hi Folks,

Wrote Template Text Renderer tool to facilitate the process of generating static configuration files: TTR docs

One of the reasons for creating it was a need for a tool that can take an Excel spreadsheet as an LLD source and generate configuration out of it using Jinja2 templates.

TTR is one step above it; it is an attempt to generalise and simplify the process of combining various data sources with templates to obtain text outputs. TTR is built with pluggability in mind and can be extended to support other data sources, template engines etc.

Last but not least, TTR comes with templates collection included, so far not much in it and only Jinja2 templates, but capability is there.

Would be glad to hear your thoughts. Reference the quick start to use it as a module or CLI tool, or the XLSX data loader, for examples.

To anticipate the questions around why to use Excel as a source of config, well, it's mainly for one-off things like when you have a task to deploy 50 new devices and need to generate configuration for them as fast as you can. Putting things in CMDB/DCNM might not make sense at this stage as things are quite likely to change. Also, unless you have means to generate configuration out of your CMDB/DCNM, that makes even less sense to do.

What makes sense to do is to put things in an inventory that can be easily created, shared, updated, loaded in CMDB/DCNM later on, is human friendly etc, and that is usually some form of a spreadsheet or text database like a YAML file.

TTR helps to take that inventory and generate configuration for you, provided that data is structured in a way compatible with TTR in the first place.