Saturday, February 20, 2021

Does this have decent accuracy as an explanation?

I have some content that explains the usage of proxies with mobile telecoms providers. If this isn't 100% correct, what would you add / delete from this?

Delivering mobile data uses network architecture with satellite connections and something called backhaul internet connectivity.

IP-based network architectures use proxies for quickly delivering data to meet the demands of subscribers.

Speeds become very slow if there are too many subscribers on a congested network with poorly-optimized proxy servers.

Implementing [redacted] allows mobile carriers to deliver very fast cellular data speeds using automated NAT load balancing technology for DNS and proxy processes.



WAN connection has a /29 - how to have 3 separate routers?

Hello,

I have an internet connection that comes with a /29.

Is it possible to have this connected to three different routers? At the moment the connection is delivered on a single ethernet cable - I was wondering how I can split this into 3 separate routers.



Advice on deployable IP camera system with no dedicated Wi-Fi connection

Hey! Before I get in to my post, let me just say that I am completely new here and my knowledge is probably pretty limited compared to your guys'. With that said, here's my problem...

So I work in the consumer electronics business and I have my fair share of general technology/networking/security knowledge (definitely enough to get pretty dangerous), but I need help from a true expert. To keep it short, I am in the early stages of starting a business that requires the use of an easily deployable, remote accessible, outdoor IP camera system that can operate without the use of nearby Wi-Fi. After quite a few hours of research, I have come to the conclusion that I will need a few different devices and it may even require some light fabrication, which I am totally okay with if it means all of my needs are met.

My current understanding is that I will need (work with me here):

  1. A 4G LTE network gateway/modem - this will provide me with a cellular connection that will give me remote access to...
  2. A PoE switch - This will provide power and a network connection to...
  3. IP cameras - 2-4 cameras, self explanatory (P.S. could use a recommendation of a good camera that won't entirely break the bank)

I think this is the "backbone" of my solution but I am really at a loss when it comes to some of the specifics and intricacies of everything.

For example, is it possible/how easy is it for remote monitoring software to be installed and WHERE is it installed to? The PoE switch? Do I NEED a hard drive on site to record footage to or can I just remote monitor and use cloud storage when motion is detected (maybe throw an SD card somewhere for backup)? Is a 4G connection even remotely fast enough to upload live footage? Is it going to cost me an arm and a leg in data fees (more than $100/camera/month)? Is there software out there (to your knowledge) that will allow me to give access to a client to view the cameras for a set amount of time...say, 2 months?

I have found a few products that fit the bill, but have noticed that some cellular modems/routers seem to be VERY pricey (upwards of $600 each). Also I should mention, I have discovered cameras such as this one that would technically do everything that I am looking for, but I feel that I would be paying a ton of money per month for cellular service if I have 4-6 cameras on a site, and I am really not too certain on long-term reliability.

I am extremely grateful for any help anyone can provide and I am looking forward to responses. I am also eager to learn about how/if this solution is the right one for my use case.

Thank you again!



Setting Bandwidth Metrics in EIGRP Over-the-Top

Hello,

I have a 25 or so site network with an L3VPN MPLS service connecting all of the sites together. I run EIGRP at every site, and then use BGP between the PE and CE. This works pretty well, except for the backdoor microwave links between these rural sites that we have. This of course requires redistribution, prefix-lists, etc., and gets messy quickly. I am in the process of setting up EIGRP Over-the-Top, which is working pretty well; however, I am having trouble setting the bandwidth on the LISP interfaces (EIGRP OTP uses LISP for the overlay). Regardless of whether I set the bandwidth on the LISP interfaces, the bandwidth of the routes still shows 56 Kbit. All of the resources that I have found only reference increasing the delay on the backdoor links to make the routes learned via the MPLS interface running EIGRP OTP preferred. Has anyone set this up and found a way to set the bandwidth on the LISP interfaces used for EIGRP OTP?



New config, Meraki MX100 behind PA-820

Making some changes tonight. Old config: 100% Meraki SD-WAN and internet egress. New config: Meraki SD-WAN w/ data center MX moving to VPN concentrator and PA-820 becoming the egress firewall.

Before you ask, we are in the queue with both PA and Meraki.

Current state, ping, tracert (both directions) and basic connectivity across SD-WAN is up. However, we are getting denial of service on RDP, file share and general application connectivity.

Any known config settings we should be reviewing? Any guidance would be greatly appreciated.



Boss wants me to get a Cisco 2 x ASR1002 & ASR1006 but I think it's a bit outdated and he wants them new. What options should we look into?

I don't know much about the ASRs honestly. I know he has a friend who will set it up inside and out. We are bringing in a 10gig and potential for up to 800 customers in a small town.

I feel like the 1002 must be not even supported anymore and the 1006 must be close if not already lost support.

Is there something similar or better for a better cost that I should recommend him considering? I think the goal is to do a proper PPPoE setup with it.

They're for 2 different sites btw, one with a much smaller client base.

Thanks.



Experience with mikrotik switches?

Looking for feedback on Mikrotik switches.

Upgrading a network for an elementary school, going from a CAT 3 / CAT 5 mix to CAT 6. Most of the money was spent on new CAT 6 cabling and two racks; the building has two floors. They also purchased a UniFi PRO 24 PoE switch, 14 UniFi access points and a Gen 2 Cloud Key. The previous network design was "flat"; I want to implement Layer 2 VLANs to segment wireless, staff, student and teacher traffic. The budget is very low, so I am looking into Netgear, TP-Link, TRENDnet, etc. Also, I re-purposed a server with pfSense and a multiport NIC to replace a Zyxel USG40 firewall. They "couldn't believe" that open source software could perform so well.

I have never used Mikrotik equipment but the CRS326-24G-2S+RM has caught my eye. The price is very competitive, but I'm not sure about the performance, software (RouterOS or SwOS) and the external power supply.

Basic requirements for the network:

  • 4 VLANs for network traffic (no VoIP stuff)
  • 150+ wireless users (mostly student Chromebooks)
  • 20+ wired users (teacher desktops, other devices)

The network was super slow due to a bad design, I have to make things better for the students, teachers and staff. We got every teacher desktop upgraded to an i5, 16GB RAM, 240GB SSD HD and a wired connection.

Anyone have experience with Mikrotik switches? Performance? Reliability?

Thanks in advance for your time!



I.S.E + Clearpass

I KNOW. This is absolutely ridiculous! A customer is using Cisco I.S.E for wired 802.1x authentication and posturing. They are using Anyconnect client to override any windows settings/GPOs pertaining to the network.

They purchased Aruba controllers, Airwave and Clearpass. I am building an entirely new WLAN infrastructure for them. They want the wireless network to do the same thing that the wired network does.

Simple enough right?

Except, they didn't purchase OnGuard licenses. OK, the question: is it possible to somehow send any attributes to I.S.E from Clearpass for posturing after the user authenticates successfully?

If this seems like a stupid idea, please don't hesitate to yell at me and call me crazy.



What setting am I missing? Wifi poor response from ping to wired LAN.

I'm using a Draytek Vigor 2862ac as an office router.

LAN1 is 192.168.22.254/24

WiFi Alarm is 192.168.22.10 DHCP

My phone is 192.168.22.11 DHCP

My laptop is 192.168.22.12 DHCP

DNS primary 192.168.22.254 secondary 1.1.1.1 Gateway 192.168.22.254

Office printer is static at 192.168.22.200

Any of the wired LAN devices can ping and use the printer but none of the wireless devices can.

Using a network scanner like Fing I can see all the wireless devices but intermittently see some wired devices like the server and occasionally workstations, never the printer.

Can anyone tell me if this is something I've missed?



Aws VPN to ASA (9.8 code) aws side can't bring up tunnel

I have an ASA running 9.8 code and an IPsec tunnel with AWS. The issue is that the server on the AWS side can't "bring up the tunnel" with pings. I can bring up the tunnel with a ping; it stays up for the typical 30 mins (no traffic), then down the tunnel goes. I have zero errors on my side in my logs.

Naturally if I keep a constant ping going tunnel stays up due to the 30min idle time-out. But doing pings every 15 mins via an SLA monitor isn't a real solution. I need the AWS side to have ability to bring up tunnel since they are "pushing" data to me.

What is the AWS vpn side missing? Is it something in their phase 1 crypto-map that defines interesting traffic? Once phase 1 is done, the tunnel is up traffic flows both ways.

Saw some older 2-3yr posts about similar issues, but that was 2-3yrs ago, surely much has changed since then?



Ping loss every 10 minutes

Hello,

We have a network consisting of over 50 managed network switches, mostly HP (Comware) and Aruba, and some small unmanaged switches where additional network drops were not possible.

Last week we started experiencing a problem. About every 10 minutes, 2 pings are lost. All RDP screens freeze; many folks are working from home, so they are not happy :)

All switches have STP enabled, but it is not really implemented. The root switch has "bridge priority 0".

I started implementing bridge priorities at one hub and spoke, but it did not change anything.

Doing MSTP and something like this:

  • Root: 0
  • Building: 12288
  • Access: 245476
  • If anything is chained to an Access switch, then 28672

I counted a network diameter of 9 at the broadest. Do I need some MSTP instances or something, because the diameter is over 7?

All switches send logs to a syslog server; at those times I see nothing interesting.

I read there that the most likely possibility is a network loop; it mentions the same 10 minutes. https://community.spiceworks.com/topic/2119207-topology-changes-spanning-tree

How can I find it? :)

Tried pinging from many locations; it mostly follows 10 minute intervals.

2/20/2021 5:20:03 PM - Request timed out.
2/20/2021 5:20:08 PM - Request timed out.
2/20/2021 5:30:27 PM - Request timed out.
2/20/2021 5:30:32 PM - Request timed out.
2/20/2021 5:33:49 PM - Request timed out.
2/20/2021 5:33:54 PM - Request timed out.
2/20/2021 5:37:31 PM - Request timed out.
2/20/2021 5:37:36 PM - Request timed out.
2/20/2021 5:40:57 PM - Request timed out.
2/20/2021 5:41:02 PM - Request timed out.
2/20/2021 5:51:22 PM - Request timed out.
2/20/2021 5:51:27 PM - Request timed out.
2/20/2021 6:01:47 PM - Request timed out.
2/20/2021 6:01:52 PM - Request timed out.
2/20/2021 6:12:12 PM - Request timed out.
2/20/2021 6:12:17 PM - Request timed out.
2/20/2021 6:22:38 PM - Request timed out.
2/20/2021 6:22:43 PM - Request timed out.
2/20/2021 6:33:02 PM - Request timed out.
2/20/2021 6:33:07 PM - Request timed out.
2/20/2021 6:38:37 PM - Request timed out.
2/20/2021 6:38:42 PM - Request timed out.
2/20/2021 6:49:23 PM - Request timed out.
2/20/2021 6:49:28 PM - Request timed out.
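
As an added example (not part of the original post), a small Python script that groups the "Request timed out." entries above into loss events and measures the gap between them; confirming that the loss is periodic, and what the period is, is the first step before correlating it with topology-change notifications on the switches. The input is the post's own log, embedded as a constructed sample; the 30-second grouping window is an assumption.

```python
"""Measure the period of recurring ping loss from a Windows ping log.

Added example, not from the original post. Back-to-back "Request timed out."
lines are merged into one loss event, and the gaps between events are
reported, so a periodic cause (such as a spanning-tree topology change on a
fixed timer) stands out from random packet loss.
"""
from collections import Counter
from datetime import datetime, timedelta

# Sample lines in the same format as the post's log (constructed input).
SAMPLE_LOG = """\
2/20/2021 5:20:03 PM - Request timed out.
2/20/2021 5:20:08 PM - Request timed out.
2/20/2021 5:30:27 PM - Request timed out.
2/20/2021 5:30:32 PM - Request timed out.
2/20/2021 5:33:49 PM - Request timed out.
2/20/2021 5:33:54 PM - Request timed out.
2/20/2021 5:37:31 PM - Request timed out.
2/20/2021 5:37:36 PM - Request timed out.
2/20/2021 5:40:57 PM - Request timed out.
2/20/2021 5:41:02 PM - Request timed out.
2/20/2021 5:51:22 PM - Request timed out.
2/20/2021 5:51:27 PM - Request timed out.
2/20/2021 6:01:47 PM - Request timed out.
2/20/2021 6:01:52 PM - Request timed out.
2/20/2021 6:12:12 PM - Request timed out.
2/20/2021 6:12:17 PM - Request timed out.
2/20/2021 6:22:38 PM - Request timed out.
2/20/2021 6:22:43 PM - Request timed out.
2/20/2021 6:33:02 PM - Request timed out.
2/20/2021 6:33:07 PM - Request timed out.
2/20/2021 6:38:37 PM - Request timed out.
2/20/2021 6:38:42 PM - Request timed out.
2/20/2021 6:49:23 PM - Request timed out.
2/20/2021 6:49:28 PM - Request timed out.
"""

TIMESTAMP_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_timeouts(text):
    """Return the timestamp of every 'Request timed out.' line, in file order."""
    stamps = []
    for line in text.splitlines():
        line = line.strip()
        if not line.endswith("Request timed out."):
            continue  # successful replies and other noise are ignored
        stamp_text = line.split(" - ", 1)[0]
        stamps.append(datetime.strptime(stamp_text, TIMESTAMP_FORMAT))
    return stamps


def group_events(stamps, max_gap=timedelta(seconds=30)):
    """Merge timeouts closer together than max_gap into one loss event.

    Returns a list of (event_start, lost_probes). The 30 s window is an
    assumption: with 1 s ping spacing, two lost probes 5 s apart are one event.
    """
    events = []  # each entry: [start, last_timeout, count]
    for ts in stamps:
        if events and ts - events[-1][1] <= max_gap:
            events[-1][1] = ts
            events[-1][2] += 1
        else:
            events.append([ts, ts, 1])
    return [(start, count) for start, _last, count in events]


def event_intervals(events):
    """Whole minutes between the starts of consecutive loss events."""
    starts = [start for start, _count in events]
    return [round((later - earlier).total_seconds() / 60)
            for earlier, later in zip(starts, starts[1:])]


def dominant_period(intervals, tolerance=1):
    """Most common interval and how many gaps fall within +/- tolerance of it.

    Returns (None, 0) when there are fewer than two events.
    """
    if not intervals:
        return None, 0
    modal = Counter(intervals).most_common(1)[0][0]
    matching = sum(1 for gap in intervals if abs(gap - modal) <= tolerance)
    return modal, matching


if __name__ == "__main__":
    events = group_events(parse_timeouts(SAMPLE_LOG))
    gaps = event_intervals(events)
    period, hits = dominant_period(gaps)
    print(f"{len(events)} loss events, gaps in minutes: {gaps}")
    print(f"dominant period {period} min ({hits}/{len(gaps)} gaps match)")
```

The gaps that do not fit the 10 minute pattern (the 3-4 minute cluster around 5:30-5:41) are worth checking separately against the switch logs, since a single periodic cause would not produce them.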



Do you guys draw network diagram IRL?

Hey guys fresh meat here. I hope my question will be appropriate if not I'll head over to some other sub.

So my question is basically when you are working, for example troubleshooting a network, do you actually draw diagrams or something? Because I'm doing pretty well in PT labs for example, where I can see the network components, the ports are written out, etc., but how does this work in real life? Do you sit down and map out then write down each port on each device, or after enough practice and experience does it just click?



EAP-FAST w/o using PAC

Good morning all. I'm curious about the strategy to set up your enterprise WLAN service with EAP-FAST, but in ISE I can see that we don't use PACs and we have both checked "Accept Client Certificate" and "Allow Machine Authentication" [Enable EAP Chaining is also checked]. I'm a bit perplexed because I'm reading that EAP-FAST allows you to achieve mutual authentication w/o certificates.

So my understanding is that by setting the environment up like this, we are using EAP-FAST with machine certificates and AD login [Allow EAP-MS-CHAPv2 is also selected in this authentication profile] to cryptographically "bind" the authentications and perform EAP chaining. Do I have this right?

I'm just curious why do it this way vs just allowing PAC files to be generated etc. It seems like that would be less complex; however, maybe it's not as secure? I appreciate any feedback, I'm trying to upskill in WLAN authentications and ISE etc.



Do I need QOS on Nexus switches?

I’m using a pair of Nexus 93180YC’s for a VPC deployment with a new shared storage cluster we purchased.

I’ve gone ahead and setup VPC, all of my layer 2, interfaces, my layer 3 interfaces to FW’s and a few HSRP groups. Everything seems to be working fine.

I know very little about QOS, do I need to configure it on brand new Nexus switches? We basically pulled them out of the box and set them up like I described but didn’t do any QOS configs.

Any advice is appreciated! And if you have resources to learn about Nexus QOS that would be great!

Thanks



Mail server taking up main domain although it was not assigned to it

I have two servers with two separate IPv4 addresses. One is my mail server, which I use with iRedMail, while the other is the one I should be hosting my website on. On that domain I have two A records: one assigning "mail.mydomain.com" to the mail server's IP and the other assigning "mydomain.com" to my other server's IP. But for some reason, when pinging (or opening in a web browser) "mydomain.com", it shows my mail server. Does anyone know the reason for this?



Output Drops on C9200 Switch for Server Farm

Hi there, I am encountering output drops on my port-channel connecting to the core switch (topology: server farm - server switch - core switch). However, the members of this channel (physical interfaces) have no output drops. There are also 0 output drops from the port-channel of the core switch to my server switch. Are the output drops on the port-channel of my server switch an area of concern? Thank you.



Load balancing on a per machine basis via Pfsense?

I'm a potato on these things but hear me out please. Load balancing is normally done by rules, right? Is there a way to "balance the load" depending on the machine?

Client A B C goes to ISP1. ISP1 gets saturated.
Client D E F goes to ISP2.

All connections from Client A stay in ISP1 until the load balancing algorithm decides that Client D needs ISP1 more and swaps them both or something.

I originally thought of getting the Edge Router 4 but that is hella expensive since I have to ship it over.



Friday, February 19, 2021

[Help] Newbie trying to set up home router and AP.

Hi, I am sorry if this is not the right place to ask. My Wi-Fi router just died and I am planning to go for the EdgeRouter 4 and the UAP 6 Lite instead of a consumer Wi-Fi router. Is it the right combo or am I missing something? I have never set up an EdgeRouter before. Is it difficult? I tried to search for EdgeRouter 4 setup tutorials on YouTube but most of them are for the EdgeRouter X. Are they pretty much the same?

I have mixed feelings about them. On one hand I am excited about the new system, new toy. On the other hand, I am afraid that it will be too difficult for me to set them up.

Is there any guide/tips for setting them up? Thanks.



New office Infrastructure setup guide

We have a few offices coming up in the next few months. Can someone point me towards online guides/material I can refer to? For example, MDF build, HVAC, racks, networking devices (APs, routers), power, etc.?



Wanna get FREE resources to learn Networking?

Here is the telegram Channel Invitation Link: https://t.me/joinchat/RKl4ijBvEDBRlM3k



Wireless suggestions

I currently have an old Cisco wireless network that is about seven or eight years old that I'm starting to have a few issues with and I'm planning to replace.

This environment consists of about 400 devices mainly being Chromebooks for a school. Currently we have two separate buildings that I need to replace the hardware in. We are in the early planning stages of building a new school. I am told we are about two years away from having a new building. Does anyone have any recommendations for wireless access points for both buildings?

One of the buildings has a Cisco network that already has everything ran and the other building does not. The building that already has wires that's simple to just replace the old access points with these newer ones. Our goal is to be able to take the hardware from both buildings to our new school that will be a single building when it is complete.

The school that does not have wireless currently I need to add it as cheaply as possible but to be as effective as possible.

I am looking for some suggestions on what wireless solution we should put in!



Wireless access point replacement in education suggestions

We currently have a Cisco wireless network that is about 8 years old that we are starting to have some issues with. We are looking for a scalable solution that we can use for our multiple campuses that will eventually be moved into one building in about 2 years. I have ruled out Ubiquiti as, unfortunately, it is too buggy for this environment. Currently, I am looking at either Cisco Meraki or Aruba.

Does anyone have any suggestions on any brands they would recommend?



DNS amplification attacks and recursive vs authoritative servers

I've been reading about DNS Amplification attacks recently. It seems like the universal consensus is that running a public UDP recursive DNS resolver without any rate limiting is a terrible idea, because with UDP, the source IP can be spoofed and the (large) responses reflected back to the fake source IP.

But couldn't you spoof the source IP and perpetrate such an attack with a public (which it has to be) authoritative server too?



Aruba switch - can a VLAN be both tagged and untagged on one port?

I think this is a sort of unconventional configuration but I got used to doing it on Ubiquiti switches. Is there a way to configure say VLAN 5 so that untagged traffic going into the switchport goes to VLAN 5, and traffic tagged VLAN 5 is accepted also?

I guess I would just basically use it as a way of getting connectivity to a connected switch (switch B, let's say), both when switch B has the default config (pulls a DHCP lease on native VLAN) and when switch B is configured (pulls a DHCP lease on management VLAN). Yes, for consistency I want to have all VLANs tagged on the uplink/downlink ports, NOT having the management VLAN untagged.

An interesting thought though: I wonder what those Ubiquiti switches did when asked to send VLAN 5 traffic out on that port? Send it untagged AND tagged? Now I am doubting whether this actually works the way I am remembering it... it was a couple years ago.



SNMP(No Response)

Hey all, I'm not particularly new to SNMP, but it feels like I'm missing something basic. We are trying to monitor a device using Nagios. I have set this up on several devices before, but this time no luck. I get a "timeout: no response". I have confirmed that snmpwalk works from Windows (using both PowerShell and Cygwin) but not from a Mac (same network as the Windows box), a Linux box (different network), or the Nagios host.

I am new to this sub, and relatively new to networking.



Is there any need for Visio PROFESSIONAL to make network diagrams or is Standard fine?

It says "Logical network layouts" and detailed network diagrams are a feature of professional only, but I'm trying to save some licensing money. I need to use Visio.



Fluke Linkrunner Pro or Microscanner2?

I know these are old products but what would you get between the two? On paper, the linkrunner pro looks to be the superior product but the microscanner2 has the remote module to test at the other ends at a wall panel. I'm looking for cable verification basically.



Network Monitoring Software Suggestions

Aloha!

Looking to add a network monitor of some sort on my network. It's a small Enterprise network, Cisco networking. Would like to see overall bandwidth usage as well as detailed user usage if possible.

Thank you!



Newbie at Network Architecture

Hello networking friends!

I'm being tasked with creating a whole new networking setup for 3 remote offices and I'm looking for some pointers and/or physical equipment preferences from you folks.

Backstory:

I'm the sole "IT Manager" for this company (I know what you're thinking; yes, it does suck and the title is purely lip service) and we have a new office being made in a different state, plus the existing offices have Cisco equipment that is EOL and I don't know a thing about Cisco routing/switching. This job now comes with the friendly perk of wearing a network architect hat, and while I know the basics, I've never had to start from scratch. Essentially all of the equipment in the 2 existing offices needs to be replaced, and with the addition of a new office, we would like to make the setup cohesive. Previous techs left no documentation and I'd rather start off fresh so I'll know everything about our setup moving forward.

Some things to know:

  • We have a hybrid environment with no physical on-prem servers. Almost all of our internal resources and data are housed in AWS, with a handful in Azure or GCP - depending on the client's request.
  • We recently acquired a Citrix Workspace subscription. We unfortunately don't have the Virtual apps add-on but the goal here when we made the switch was to do away with VPNs. In an attempt to future proof, I recommended SASE and they decided on Citrix. The goal is to have everyone use their Azure AD account to auth with Citrix to SSO into any AWS client account that they are working on
  • 80% of our workforce works remotely and not in any offices. Since the pandemic, WFH has been the default and coming into the office is rare. (Why are they opening a new office then? Your guess is as good as mine ;) )
  • Port count:
    • Office 1 = (2) 48 port switches
    • Office 2 = (3) 48 port switches
    • Office 3 = (1) 48 port switch

Things I've done so far:

  • I've reviewed all the helpful links in the r/networking wiki but unfortunately it seems that the two things I need to focus on (Routing/Switching) don't have any links :(
  • I'm looking into getting a demo from Juniper. So far, they seem to tick all of these boxes:
    • Remote management
    • Extensive and free training with options for certifications
    • If I end up epically failing, they offer Managed services
  • Attempted to make a rough draft networking layout but I think I'm stuck on where to start?

Tips I'm looking for:

  • Router/Switches/Firewall Recommendation that don't have a steep learning curve or if not, a vendor that has a good support team and training available
  • Network design tips. Any sites or reference guides that you find helpful would be much appreciated here!
  • Any pointers that you think a newbie like me might overlook - i.e security, features
  • Site to Site VPN - do I even need this if our goal is to use Citrix for all secure connections to resources?
  • Features:
    • Remote management
    • scalability
    • not really sure what else I need to look for :/

Anywho, I know this is a long post - thank you for reading! And TIA for your help!

Sincerely,

One lost kid

Edited: Added in port count and specific features



Recertifying CCNP with only CE credits

Since the Cisco Certpocolypse created a lot of changes and confusion, I wanted to share my experience navigating Cisco’s Continuing Education process that is now available for the CCNA and CCNP. I was pretty frustrated that Cisco now requires an IE level Core exam or (2) specialization exams to recertify the CCNP and like a lot of people was thinking of just letting it lapse since I had other projects/priorities to focus on.

I looked into the CE process and realized that the regular training my employer provides qualifies for credits and claiming them is pretty straightforward. I received a lot of training to prepare for a migration to ACI and was able to claim 2 ACI classes for 40 credits each to fully recertify my CCNP for another 3 years! All at no cost to me personally and no endless studying the same old topics.

If anyone is in the same situation as I was I would definitely see if your employer would cover any classes that qualify for CE. There are some lower priced “on-demand” classes that may be more palatable price wise and some free credits available as well. Is anyone else here working on this path to recertify? Is this the way forward to maintaining these certifications long term?



War story: Best circuit order conference call ever!

I've just been hired (as a consultant) to implement edge firewalls for my customer who is getting new PIP and DIA circuits at all their sites.

I get invited to the usual weekly conference call with my customer and the carrier so I can get a sense of the larger scope of the project. Turns out they're on week 40 of the 12 week long project... normal, that happens all the damn time with all the carriers.

PM says everything should be good for the last turn-ups, then one of the engineers, a WAN guy, pipes up and asks to share his screen. He's prepared an Excel sheet which kind of looks like the Excel sheets that every PM from this carrier uses... it's listing out all the problems at all the sites which are preventing him from being able to activate the circuits. He starts talking about how he built this sheet because there needs to be a PM on this project and someone needed to create a document that put it all in the same place. He's thanked well by the customer, because he's stepping up and throwing a flag against his own company.

Still sharing his screen, he brings up his internal teams app and starts sending messages to the PM: "Someone needs to step up on this account", "I won't take this anymore", "I'm going to management"... the PM says nothing. Not a word. I'm virtually certain that putting this on the screen share was entirely intentional.

I request copies of the current design documents from the PM (fat chance, right?); she says something about having to see who has them (I ask her to forward my request to the person running the project, which I can do since it's my first call and I don't yet know it's her). Then it's back to complete silence, so the engineer and the customer kind of close out the call with a "see you next week". And the call ends.

30 minutes. What a ride.

Who wants to share telecom conference call stories?



Outdoor or humid environment IP phone

I need a SIP capable IP phone to install on the wall of an indoor pool. Has anyone found a product for this scenario before? Our PBX vendor does not sell a phone with any sort of rating (Shoretel).



ASA 5508-x vpn load-balancing with Management tunnel

Hi guys,

I'm looking into setting up VPN load-balancing with mgmt tunnels. The basic setup works: if I connect to the LB group address with the client, it automatically chooses the least loaded server. So far so good.

I’m not sure about the mgmt tunnel though.

They are set up as vpn-hq.mydomain.com and, for the backup server, vpn-hq2.mydomain.com. This setup works. If the primary is unreachable, it will connect to the backup with the management tunnel; however, if it's reachable but the license limit is reached, it won't try the backup and just hangs there.

Do any of you have any experience with a setup like this?

I'm using 9.10 ASAv with the 4.9 AnyConnect client.

Sorry for the formatting I’m from my phone.



Remote Ping Tester

I have a series of network connections on multiple that use copper to fiber transitions for lightning protection. We need to validate the connections before we raise the equipment. So the connections will go:

(rack) RJ45 copper <-> 225' MM fiber <-> RJ45 copper (top of tower)

Is there a small remote Ethernet device I can plug into the tower end of the RJ45 to test ping? We need to validate the entire length of the connection. Hauling (and using) a laptop up there is not safe.

There is PoE power available on top of the mast.



HPE 7506 - unable to monitor port security

Hi, I enabled port security on an HP 7506-7557P01 but when a violation occurs there's no logging (display logbuffer) and there's apparently no way to monitor via SNMP, unlike with the Cisco gear. The only way to see if an interface has been disabled (port-security intrusion-mode disableport) is to do a show interface. Am I missing something?



Thursday, February 18, 2021

Problem with search domain and dns suffixes not being set on iPad/iPhone - iOS 14.x

Hi all,

Have noticed that our iPads that are running iOS 14+ are not showing a search domain (DHCP Option 15) under the network settings. These are connected to our corporate Wi-Fi. Also, I'm unable to get DHCP option 119 to work (yes, I'm using hex) on either 13.x or 14.x. This is with Windows Server 2012 R2 and also a Cisco IOS router. I can see Windows machines receiving and setting both of these options successfully, and Wireshark also tells me they are being sent in the DHCPOFFER.

Obviously, if we use the FQDN for our internal hosts it's all fine but it's an issue for things like Canon Business Print where end users just want to use the short printer name.

Has anyone else experienced this issue? Any fixes or workarounds?



Fibre Optics/ SONET. Explain what a Loss of Pointer is like I am a 5 year old.

I know networks pretty well, learning SONET and SDH. Trying to learn how LOP and LOS and LOF interact and exactly what it all means.



Datacenter Switching : Nexus ( FEX: Fabric Extenders )

Today I am going to talk about the FEX that you generally hear about when you connect your datacenter servers in a Nexus switching environment. It is called Bridge Port Extension. It means there is a Parent Switch, and a port of that parent switch gets connected to the FEX (which is another switch) that acts as an interface card for the Parent Switch.

Parent Switch: Nexus 5K or Nexus 7K

FEX: Nexus 2K (another switch, but interconnected with the Parent Switch and controlled by it)

The Nexus 7K or 5K acts as the Parent Switch, while the Nexus 2K acts as the FEX for the Parent Switch. So all the functions of the Nexus 2K are controlled by the Parent Switch, that is the Nexus 7K or 5K. Simply put, the Nexus 2000 Series FEX behaves logically like remote line cards for the parent Nexus 5K or 7K switch.

Let's talk about how we can connect the FEX with the parent switch in the datacenter environment.

Let's talk about the basic Configurations to configure the FEX.

Step-1 :Enable the FEX feature

N5K-1(config)# feature fex

Step-2 :Create a FEX instance (Note: Its up to you to choose the FEX number, 100, in this example. FEX numbers can range from 100 to 199.)

N5k-1(config)#fex 100

Step-3 :Configure the interface(s) on the 5500 that will be used for connecting the FEX.

N5K-1(config)# int ethernet 1/1, ethernet 1/21

N5k-1(config-if)#switchport

N5k-1(config-if)#switchport mode fex-fabric

N5k-1(config-if)#channel-group 100

Step-4 :Create the port-channel and associate the FEX with it. (It’s always nice to keep the port-channel and FEX number the same if possible. It just makes it easier to know that FEX 100 is on port-channel 100, FEX 101 is on port-channel 101, and so on. Obviously, if those port-channels are already in use you wouldn’t be able to do that.)

N5k-1(config)#interface port-channel 100

N5k-1(config-if)#fex associate 100

Step-5 :Check to see if your FEX is online. It may take a minute for it to show up.

N5K-1# show fex

FEX       FEX            FEX      FEX
Number    Description    State    Model              Serial
100       FEX0100        Online   N2K-C2232PP-10GE   SSIXXXXXXXX
101       FEX0101        Online   N2K-C2248PP-1GE    SSIXXXXXXXX

If the FEX is running a different version of NX-OS than the 5505, it will download the matching image from the 5505. This process can take a few minutes; while it runs, show fex shows "Image Download" under "FEX State".
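An added example (not from the original article) that parses the show fex output from step 5 and reports any FEX that is not yet Online, such as one still in the "Image Download" state; the sample output is constructed in that format with placeholder serials.

```python
"""Parse 'show fex' output and flag FEX units that are not yet Online."""
import re
from typing import Dict, List, NamedTuple


class FexStatus(NamedTuple):
    number: int
    description: str
    state: str
    model: str
    serial: str


# Constructed sample in the format of the article's step 5; FEX 101 is
# still downloading its image from the parent switch.
SAMPLE_SHOW_FEX = """\
  FEX         FEX             FEX                 FEX
Number    Description        State            Model              Serial
--------------------------------------------------------------------------
100        FEX0100          Online        N2K-C2232PP-10GE   SSIXXXXXXXX
101        FEX0101      Image Download    N2K-C2248PP-1GE    SSIXXXXXXXX
"""

# FEX number, description, a state that may contain spaces, model, serial.
_ROW = re.compile(r"^\s*(\d{3})\s+(\S+)\s+(.+?)\s+(\S+)\s+(\S+)\s*$")


def parse_show_fex(text: str) -> List[FexStatus]:
    """Return one FexStatus per data row; header and separator rows are skipped."""
    rows: List[FexStatus] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        number, desc, state, model, serial = m.groups()
        rows.append(FexStatus(int(number), desc, state, model, serial))
    return rows


def fex_not_online(text: str) -> Dict[int, str]:
    """Map FEX number -> state for every FEX whose state is not 'Online'."""
    return {f.number: f.state for f in parse_show_fex(text) if f.state != "Online"}


if __name__ == "__main__":
    for fex in parse_show_fex(SAMPLE_SHOW_FEX):
        print(fex)
    print("not online:", fex_not_online(SAMPLE_SHOW_FEX))
```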



Seeing lots of DNS queries to my WAN for w/ OPT additional record

I recently noticed a bunch of DNS requests hitting my WAN IP (where I don't run a DNS server). They're sustained, from a fairly small set of source IPs. The queries are weird: the "Question" is for <Root> (a single 00 byte), and they have an "Additional record" of type OPT, also with name <Root>. Is this part of an attack against some recent CVE? Is it worth reporting these sorts of things to the abuse contact in WHOIS for the IP?

22:30:06.406020 IP (tos 0x0, ttl 240, id 43779, offset 0, flags [none], proto UDP (17), length 56) 169.55.119.4.43136 > xxx.xxx.xxx.xxx.53: [udp sum ok] 22510+ [1au] A? . ar: . OPT UDPsize=1280 (28)
22:30:12.415737 IP (tos 0x0, ttl 240, id 43789, offset 0, flags [none], proto UDP (17), length 56) 169.55.119.4.35237 > xxx.xxx.xxx.xxx.53: [udp sum ok] 12216+ [1au] A? . ar: . OPT UDPsize=1280 (28)
22:30:23.110057 IP (tos 0x0, ttl 240, id 15394, offset 0, flags [none], proto UDP (17), length 56) 198.23.119.36.2532 > xxx.xxx.xxx.xxx.53: [udp sum ok] 37476+ [1au] A? . ar: . OPT UDPsize=1280 (28)
22:30:29.129976 IP (tos 0x0, ttl 240, id 15402, offset 0, flags [none], proto UDP (17), length 56) 198.23.119.36.45860 > xxx.xxx.xxx.xxx.53: [udp sum ok] 31860+ [1au] A? . ar: . OPT UDPsize=1280 (28)
22:30:35.139692 IP (tos 0x0, ttl 240, id 15410, offset 0, flags [none], proto UDP (17), length 56) 198.23.119.36.16678 > xxx.xxx.xxx.xxx.53: [udp sum ok] 13519+ [1au] A? . ar: . OPT UDPsize=1280 (28)
22:30:45.435683 IP (tos 0x0, ttl 240, id 43833, offset 0, flags [none], proto UDP (17), length 56) 169.55.119.4.44565 > xxx.xxx.xxx.xxx.53: [udp sum ok] 14516+ [1au] A? . ar: . OPT UDPsize=1280 (28)

In case anyone is curious here's a redacted (-) hexdump of one of the packets: -- -- -- -- -- -- -- -- -- -- -- -- 08 00 45 00 00 38 a8 81 00 00 f0 11 12 df a9 37 77 04 -- -- -- -- 40 cd 00 35 00 24 59 f9 4d 2b 01 00 00 01 00 00 00 00 00 01 00 00 01 00 01 00 00 29 05 00 00 00 00 00 00 00
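An added example (not from the post) that decodes the hexdump above from the IP header onward: it shows the question is the root name with type A and the additional record is an EDNS OPT pseudo-record announcing a 1280-byte UDP payload size. The Ethernet header is omitted and the redacted destination address is filled with zeros as a placeholder.

```python
"""Decode the redacted packet quoted above (IP header onward)."""
import struct
from typing import Any, Dict, Tuple

# Bytes from the post; the four redacted destination-address bytes are 00.
PACKET = bytes.fromhex(
    "45 00 00 38 a8 81 00 00 f0 11 12 df a9 37 77 04 00 00 00 00 "  # IPv4
    "40 cd 00 35 00 24 59 f9 "                                      # UDP
    "4d 2b 01 00 00 01 00 00 00 00 00 01 "                          # DNS header
    "00 00 01 00 01 "                                               # question
    "00 00 29 05 00 00 00 00 00 00 00"                              # OPT record
)

RR_TYPES = {1: "A", 41: "OPT"}


def read_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Read a wire-format name; a lone 0x00 byte is the root name '.'."""
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError("pointer must refer to an earlier offset")
            tail, _ = read_name(data, pointer)
            if tail != ".":
                labels.append(tail)
            return ".".join(labels) or ".", offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels) or ".", offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def read_rr(data: bytes, offset: int) -> Tuple[Dict[str, Any], int]:
    """Read one resource record; OPT reuses the CLASS and TTL fields (RFC 6891)."""
    name, offset = read_name(data, offset)
    rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", data, offset)
    offset += 10
    rec: Dict[str, Any] = {"name": name, "type": RR_TYPES.get(rtype, rtype),
                           "rdlength": rdlength}
    if rtype == 41:
        rec.update(udp_payload_size=rclass, ext_rcode=ttl >> 24,
                   version=(ttl >> 16) & 0xFF, do=bool(ttl & 0x8000))
    else:
        rec.update({"class": rclass, "ttl": ttl})
    return rec, offset + rdlength


def decode_packet(packet: bytes) -> Dict[str, Any]:
    ihl = (packet[0] & 0x0F) * 4
    total_length, _, _, ttl, proto = struct.unpack_from("!HHHBB", packet, 2)
    ip = {"total_length": total_length, "ttl": ttl, "protocol": proto,
          "src": ".".join(map(str, packet[12:16])),
          "dst": ".".join(map(str, packet[16:20]))}
    if proto != 17:
        raise ValueError("not UDP")
    sport, dport, ulen, _ = struct.unpack_from("!HHHH", packet, ihl)
    udp = {"src_port": sport, "dst_port": dport, "length": ulen}
    off = ihl + 8
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", packet, off)
    off += 12
    dns: Dict[str, Any] = {"id": ident, "qr": bool(flags & 0x8000),
                           "rd": bool(flags & 0x0100), "questions": [],
                           "records": [], "arcount": ar}
    for _ in range(qd):
        name, off = read_name(packet, off)
        qtype, qclass = struct.unpack_from("!HH", packet, off)
        off += 4
        dns["questions"].append({"name": name, "type": RR_TYPES.get(qtype, qtype),
                                 "class": qclass})
    for _ in range(an + ns + ar):
        rec, off = read_rr(packet, off)
        dns["records"].append(rec)
    return {"ip": ip, "udp": udp, "dns": dns}


def is_root_a_query_with_opt(info: Dict[str, Any]) -> bool:
    """True for the pattern in the post: 'A? .' with one OPT additional record."""
    q = info["dns"]["questions"]
    opt = [r for r in info["dns"]["records"] if r["type"] == "OPT"]
    return (not info["dns"]["qr"] and len(q) == 1 and q[0]["name"] == "."
            and q[0]["type"] == "A" and len(opt) == 1)


if __name__ == "__main__":
    import json
    print(json.dumps(decode_packet(PACKET), indent=2))
```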



MPLS L2VPN - output interface

Using the command below it shows the output interface for the MPLS L2VPN VC. I'm wondering if anyone knows of an equivalent command for IOS-XR that would also provide the output interface?

Thanks for any help you can provide.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l2_vpns/configuration/xe-17/mp-l2-vpns-xe-17-book/l2vpn-multisegment-pseudowires.html

Router# show mpls l2transport vc detail
Local interface: Se3/0/0 up, line protocol up, HDLC up
Destination address: 12.1.1.1, VC ID: 100, VC status: down
Output interface: Se2/0



Switch suggestions ?

Looking for switch recommendations. Currently we use switches in the Nexus (Cisco) family.

Use case: We need to expand our infrastructure into a rack that is several rows away from our main racks in the datacenter. Hence this rack will have a limited amount of infrastructure (maybe a server or two and a legacy san) with a trunk that connects to the main infrastructure.

We will likely just need a L2 switch (although the possibility to add l3 capabilities with a card/license would be preferred).

I originally planned on staying within the Nexus family, but I'm not sure we need something with the "vPC" functionality; however, we do need redundancy. What is everyone using these days as far as basic, not super critical (but redundant) switches?

I realize this is broad but my experience is limited... if any further info is needed feel free to ask.

Needed specs are limited: 12 10G ports minimum, bonus for a switch that supports Fibre Channel.

edit: Would I be better off just buying another Nexus and adding this as a third switch in the vPC domain?



Public IP routing question

Please bear with my noob question here. So work has a site, let's say vpn.xyz.com at 12.1.1.12. When I traceroute to it from home it basically goes from a few routers to the WAN link at work, on to 2 more hops inside the network (one other device and then the firewall, 50.1.1.1 then 60.1.1.1) and on to the destination.

My question is: how is the VPN's IP address being advertised even when it's behind other devices? The ISP's router on site connects to an L3 switch. From what I see it's all default and static routes (no BGP etc.). Could this just be a previous arrangement with the ISP? How do I verify the method being used?



TCP ACK confliction

When a packet is being sent after the SYN/ACK connection has been established between a host and a server, packets can now be sent between the host and the server. Sometimes there's a window size, which is determined by the ACK sent after reception of a segment. Let's say the window size is 100: the sender can send 100 segments before it expects to receive an ACK. But what happens if segment 50 goes missing along the line? I read somewhere that 1-49 & 51-100 get sent, but then the receiver ACKs for 50 and the sender resends 1 segment with segment number 50. I was also reading somewhere that, for example, let's say the sender has a window size of three, and my sender sends segments 1, 2, 3; the receiver ACKs for 4. The next window must be 4, 5, 6. Let's say 4 doesn't get sent; the receiver ACKs for 4 again, and the whole segment gets sent again, which conflicts with the earlier idea. I was thinking 5-6 get sent before an ACK for 4 gets sent, then the 4th segment gets sent after 5-6.

Which idea is right?
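An added example (not from the post) simulating a sliding-window sender with cumulative ACKs under two receiver models: one that buffers out-of-order segments, as TCP does, and one that discards them (Go-Back-N). Run with the post's two scenarios (window 100 with segment 50 lost, window 3 with segment 4 lost), it shows which segments are actually resent under each model.

```python
"""Sliding-window sender with cumulative ACKs under two receiver models.

Segments are numbered from 1 as in the post, and "ACK n" means the
receiver's next expected segment is n.
"""
from typing import Dict, List, Set


class CumulativeAckSimulation:
    def __init__(self, window: int, total: int, lost: Set[int],
                 buffer_out_of_order: bool, dup_ack_threshold: int = 3) -> None:
        self.window, self.total = window, total
        self.lost = set(lost)                # each listed segment is lost once
        self.buffer_out_of_order = buffer_out_of_order
        self.dup_ack_threshold = dup_ack_threshold
        self.transmissions: List[int] = []   # everything put on the wire, in order
        self.acks: List[int] = []            # ACK numbers the receiver returned
        self.fast_retransmits = 0
        self.timeouts = 0
        self.next_expected = 1               # receiver: next in-order segment
        self.buffered: Set[int] = set()      # receiver: out-of-order segments held
        self.base = 1                        # sender: oldest unacknowledged segment
        self.next_to_send = 1
        self.dup_acks = 0

    def _receive(self, seg: int) -> int:
        """Receiver side: deliver or buffer *seg*, return the cumulative ACK."""
        if seg == self.next_expected:
            self.next_expected += 1
            while self.next_expected in self.buffered:   # gap filled: release
                self.buffered.remove(self.next_expected)
                self.next_expected += 1
        elif seg > self.next_expected and self.buffer_out_of_order:
            self.buffered.add(seg)
        # A Go-Back-N receiver simply drops anything out of order.
        return self.next_expected

    def _transmit(self, seg: int) -> None:
        self.transmissions.append(seg)
        if seg in self.lost:
            self.lost.discard(seg)
            return                            # dropped in flight: no ACK comes back
        ack = self._receive(seg)
        self.acks.append(ack)
        if ack > self.base:
            self.base, self.dup_acks = ack, 0
        elif ack == self.base:
            self.dup_acks += 1                # duplicate ACK for the missing segment
            if self.dup_acks == self.dup_ack_threshold:
                self.dup_acks = 0
                self.fast_retransmits += 1
                self._retransmit()

    def _retransmit(self) -> None:
        if not self.buffer_out_of_order:
            self.next_to_send = self.base + 1  # receiver discarded the rest: resend it
        self._transmit(self.base)

    def run(self) -> Dict[str, object]:
        while self.base <= self.total:
            if self.next_to_send < self.base + self.window and self.next_to_send <= self.total:
                seg = self.next_to_send
                self.next_to_send += 1
                self._transmit(seg)
            else:
                self.timeouts += 1            # window exhausted with base unacked
                self._retransmit()
        return {"transmissions": self.transmissions, "acks": self.acks,
                "fast_retransmits": self.fast_retransmits, "timeouts": self.timeouts}


def simulate(window: int, total: int, lost: Set[int],
             buffer_out_of_order: bool) -> Dict[str, object]:
    return CumulativeAckSimulation(window, total, lost, buffer_out_of_order).run()


if __name__ == "__main__":
    for buffering in (True, False):
        r = simulate(100, 100, {50}, buffering)
        print("buffering" if buffering else "go-back-n",
              len(r["transmissions"]), "transmissions,", r["fast_retransmits"],
              "fast retransmits,", r["timeouts"], "timeouts")
```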



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Security Inspection on Firewalls. Most of it seems useless with TLS?

Hi all,

Wanted the community's feedback on this! I'm still relatively new to the field (4 years), and I have worked with a variety of different firewalls (primarily Fortinet). After going through the training for Palo Alto, Fortinet and Check Point, I have found it hilarious that most of the security inspection features seem effectively useless unless you're doing TLS inspection, simply because most traffic these days uses TLS.

So that all said, is there a lot of value in some of these UTM inspection features if you're not able to inspect encrypted traffic (more specifically the payload)? If you're not able to inspect the payload, you're effectively only doing inspection up to layer 4, which doesn't really give you that much info.

I bring this up, because at this point, most stuff really seems like marketing and most people don't seem to understand that a lot of these features aren't as good as they think they are even though they're turned on because of TLS...

Anyways, interested to hear your thoughts! Feel free to be hard on me. Always willing to learn!



Native Vlan Scenarios?

I understand the concept of trunk links and VLANs. For a trunk link to be established there needs to be a native VLAN to carry all untagged packets. All other VLANs' traffic carries the VLAN ID of its respective VLAN.

In what scenario would you want untagged traffic?

Me, I would think a native VLAN would be created without any assigned access ports.



Engineering tip...

Set up your favorite terminal program to log EVERY session. Make a folder, put it somewhere you'll remember, and log all your sessions into it. I called mine "Sessions" and put it on my desktop. This works wonderfully for tracking config changes, remembering CLI commands, "show" commands from weeks ago, etc. I've come back to files over and over again, finding relevant info from previous events. Totally worth it.

I use iTerm2 for everyday connectivity, and SecureCRT for TAC access (because of how I have iTerm setup). Both are excellent programs on Mac.



connecting communal buildings via fiber, shared internet

Today I was asked if I could help in setting up shared internet access for various communal buildings in a small town near me.

They have some schools and the offices of the local community etc ... And they already have fiber all around, nice ;-)

So I am thinking of creating a star topology to connect all the "satellites" to one point where I would place the main router: plugging some BiDi modules into their switches and establishing a (V)LAN for their new gateway to the internet.

Sure, that is very simple and not redundant etc. ... I am only starting to develop ideas.

Do you guys have any pointers to HOWTOs, best practices or so for stuff like that?

I know my way around switching and routing so far, I just wonder what to consider when building a network of some larger scale. Kind of a provider-network, right?

Addition: for now they only want to set up some central internet gateway. No cross-connections so far.



Cisco Learning Credits - free with big orders - please share your experience

Hey guys,

We recently bought some Cisco tech (on top of tons we already had): Cisco ACI ($0.5mln) and Cisco Wireless 9800, DNA, 9130 etc. ($1.4mln), and we have only 80 credits for Wireless. None for ACI.

Can you please share if you get free credits for your big or modern orders?

Thank you



Evolution of the CCIE Security over the years

Hi everyone,

I have been teaching the CCIE Security track since it started and have taught all the versions including the current one, version 6, which I continue to teach. I am going to share some of my experiences and insights regarding the evolution of CCIE Security as I think it will be interesting for Network Engineers to have this background knowledge.

I have been privileged [i.e. am old enough now ;-) ] to have worked and taught in the IT field since the early 1990s. I have seen networks & network security evolve from being a luxury item into a necessity.

I passed my CCIE Security exam in 2003, that was CCIE Security v1. It was predominantly a Routing & Switching exam with a bit of Security added on top. I also passed my CCIE Routing & Switching exam around the same time. At this time, 65% of the 2 exams were almost identical. L2 technologies made up 30% of the exam. This section included Ethernet Switches, Frame relay and ATM Switches as well. The next big section was IGPs, another 30%. Believe it or not, 15% of the CCIE Security v1 exam was BGP. Only the last 35% of the exam was the Security part of the exam! The Security part included basic IPSec/GRE VPNs, PIX Firewall (Basic Initialization), and a section on the Router-based IDS (IOS-IDS).

Right from the start, CISCO made a decision to take an evolutionary path rather than a revolutionary one by easing engineers into the new field of Network Security rather than forcing the change on them overnight. When I reflect back on it, I think this was a really smart business decision on CISCO's part.

The next phase came with the introduction of additional security devices to the topology. CCIE Security v2 included the Cisco IDS & VPN Concentrator devices. VPN Concentrator was the first device from Cisco that had the Web VPN capability. With this version, you could start to see the shift from Routing & Switching to Security as a standalone stream. There was a considerable cutdown on the Routing and Switching related questions in the exams. The ACS Server was also introduced in this version. Although the ACS Server was present in the v1 topology, it was in the backbone and was pre-configured. This exam also included a heavier dose of VPNs, including the mGRE/DMVPNs type of VPNs.

The next major security device introduced to the CCIE Security exam was the ASA Firewall. This was done in CCIE Security version 3. The ASA has been an integral part of the CCIE Security exam since then. It is still an important part of the current version. This exam also saw the introduction of VPN technologies like GET VPN and EZVPN.

Version 4, released in 2012, saw the introduction of the ISE, WLC & WSA devices to the exam. CCIE Security v4 was when the exam started to feel like a full-blown Security exam with little or no direct correlation with Routing / Switching. Over the course of 4 evolutions, CISCO had fully established Security as a standalone CCIE track with little overlap with Routing and Switching. You still needed to have a solid Routing & Switching foundation but the topics were not tested like they were prior to this version. The Flex VPN & IKEv2 technologies were also included in the exam.

CCIE Version 5 saw the introduction of the Firepower devices (FTD & NG-IPS). It also saw the inclusion of the ESA device. Although these devices were introduced, the coverage was light. The main firewall being used was still the ASA. The emphasis for VPNs was on Flex VPN, AnyConnect Remote-Access VPN & GET VPN. ISE also started to have a bigger footprint on these exams.

CCIE Version 6, the current version which was released in 2020, is similar to version 5 in terms of the devices being tested (remember evolution and not revolution is CISCO's mantra). ASA was the main firewall in CCIE Security v5. The focus of this exam will be on the FTD as the firewall. The ESA should also see a bigger coverage in this exam. But the main difference in my opinion is the introduction of the Design element to the exam. They want you to understand the technologies beyond just configuring the devices. For example, given a customer requirement, you should be able to pick the appropriate technology to fulfill the requirement.

In my opinion, network security is not implemented by using one magic device. It is a layered approach to securing your network at different levels for different threats. You need to be able to have perimeter protection using Firewalls (FTD, ASA), you need IPS devices to analyze incoming packets against a database of known network attacks (FTD, NG-IPS), you need to be able to make sure e-mails coming into your network are clean (ESA), you need to make sure that the devices that are logging into to internal networks are authorized (ISE), you need to make sure that your internal users are visiting sites that follow the corporate policy (WSA) and that your external communication is protected (VPNs). I personally like and agree with CISCO's decision to focus on Design as it makes learning required to pass the exams more relevant to real-world implementations. After all these certifications are meant to train engineers for everyday problems that they face in their work environments.

The current CCIE Security has been designed to enhance your knowledge on all fronts. It exposes you to various devices and technologies.

Based on my personal experience as well as the combined experience of thousands of students that I have taught, I can assure you that embarking on the CCIE Security journey will make you a better security engineer.

Please feel free to ask any follow-up questions that you may have, I will try to answer them to the best of my knowledge.

Cheers,

Khawar



I'm not sure if it's lack of terminology that's holding me back from finding any specifics but I'm unsure why I cannot ping a router through L3 Etherchannel.

For my mock lab I have a PC (PC0) connected to a switch (sw1) and that switch connected to another switch (sw2) using Etherchannel on the 10.0.0.0/30 network. Sw2 is connected to a router on the 192.168.3.0/24 network, while a simple PC (PC1) on the other side is using the 192.168.2.0/24 network. My VLAN is trunking the ports that the port channel is on, and it's on the 192.168.1.0/24 network along with PC0. Now, sw2 can ping both the router and PC1. PC0 can ping both the port channel and the VLAN provided I switch the default gateway. However, when I configure the static routes on both the switch and the router, the packet won't even get forwarded from the first switch, and I'm at a loss because I am unsure whether I should be using the VLAN or the port channel to route the traffic, or how the VLAN interacts with the port channel.



BGP advertising network that should be blocked

I have a switch - My router - ISP router

My router is running EIGRP with the switch, and redistributing EIGRP routes into BGP for the ISP peer router at 169.x.x.25.

The problem is that BGP is advertising the route 10.195.92.0/22 that it receives from EIGRP, when it should only be advertising 10.195.92.0/23.

The easy fix here would be to only advertise 10.195.92.0/23 via EIGRP from the switch to my router.

However, I'm convinced the route-map eigrp2bgp config below should only advertise the route 10.195.92.0/23 to my ISP router 169.x.x.25.

Partial config below from MyRouter

MyRouter#show ip bgp neighbors 169.x.x.25 advertised-routes

Network            Next Hop        Metric  LocPrf  Weight  Path

*> 10.195.92.0/23  10.195.84.51    5               32768   ?

*> 10.195.92.0/22  10.195.84.51    5               32768   ?

MyRouter#sh ip bgp route-map eigrp2bgp

Network            Next Hop        Metric  LocPrf  Weight  Path

*> 10.195.92.0/23  10.195.84.51    5               32768   ?

*> 10.195.92.0/22  10.195.84.51    5               32768   ?

MyRouter#sh run | sec bgp

router bgp 65500

bgp log-neighbor-changes

neighbor 169.x.x.25 remote-as 5466

redistribute connected metric 1

redistribute static metric 1 route-map cpe-static

redistribute eigrp 200 metric 5 route-map eigrp2bgp

neighbor 169.x.x.25 activate

neighbor 169.x.x25 route-map BGP-FILTER-IN in

maximum-paths 4

exit-address-family

!

address-family nsap

maximum-paths 4

exit-address-family

route-map eigrp2bgp permit 10

match ip address 99

MyRouter#show route-map eigrp2bgp

route-map eigrp2bgp, permit, sequence 10

Match clauses:

ip address (access-lists): 99

Set clauses:

Policy routing matches: 0 packets, 0 bytes

MyRouter#sh access-list 99

Standard IP access list 99

10 permit 10.195.99.48

20 permit 10.195.99.72

30 permit 10.195.99.73

40 permit 10.195.92.0, wildcard bits 0.0.1.255 (24 matches)

50 permit 10.195.84.56, wildcard bits 0.0.0.7 (12 matches)

60 permit 10.195.84.88, wildcard bits 0.0.0.7 (12 matches)

Any advice much appreciated.
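An added example (not from the post) that models how a route-map evaluates a route against a standard ACL versus an ip prefix-list, then applies both to the two routes in the advertised-routes output above: a standard ACL tests only the route's network address, so entry 40's wildcard 0.0.1.255 matches both 10.195.92.0/22 and /23, whereas a prefix-list entry can require the exact length. The prefix-list shown is a hypothetical replacement, not configuration from the post.

```python
"""Standard-ACL versus prefix-list matching of the routes in the post."""
import ipaddress
from typing import Callable, List, Optional, Tuple

# Entries of access-list 99 from the post (address, wildcard mask).
ACL_99: List[Tuple[str, str]] = [
    ("10.195.99.48", "0.0.0.0"),
    ("10.195.99.72", "0.0.0.0"),
    ("10.195.99.73", "0.0.0.0"),
    ("10.195.92.0", "0.0.1.255"),
    ("10.195.84.56", "0.0.0.7"),
    ("10.195.84.88", "0.0.0.7"),
]

# Hypothetical replacement: one exact-length prefix-list entry (prefix, ge, le).
PREFIX_LIST_EXACT: List[Tuple[str, Optional[int], Optional[int]]] = [
    ("10.195.92.0/23", None, None),
]

EIGRP_ROUTES = ["10.195.92.0/22", "10.195.92.0/23"]  # as seen in the post's output


def acl_matches_route(acl: List[Tuple[str, str]], route: str) -> bool:
    """'match ip address <standard ACL>' tests only the route's network
    address against each entry; the prefix length is never compared."""
    net = int(ipaddress.ip_network(route, strict=False).network_address)
    for address, wildcard in acl:
        keep = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF  # bits that must match
        if net & keep == int(ipaddress.ip_address(address)) & keep:
            return True
    return False


def prefix_list_matches_route(plist: List[Tuple[str, Optional[int], Optional[int]]],
                              route: str) -> bool:
    """ip prefix-list semantics: the route must lie inside the entry's prefix and
    its length must satisfy ge/le (exact length when neither is given)."""
    r = ipaddress.ip_network(route, strict=False)
    for prefix, ge, le in plist:
        p = ipaddress.ip_network(prefix)
        if not r.subnet_of(p):
            continue
        low = ge if ge is not None else p.prefixlen
        high = le if le is not None else (32 if ge is not None else p.prefixlen)
        if low <= r.prefixlen <= high:
            return True
    return False


def advertised(match: Callable[[str], bool], routes: List[str]) -> List[str]:
    """Routes that a 'permit' route-map sequence using *match* lets through."""
    return [r for r in routes if match(r)]


if __name__ == "__main__":
    print("ACL 99:     ", advertised(lambda r: acl_matches_route(ACL_99, r), EIGRP_ROUTES))
    print("prefix-list:", advertised(
        lambda r: prefix_list_matches_route(PREFIX_LIST_EXACT, r), EIGRP_ROUTES))
```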



ENWLSI 300-430 Training

Hey guys,

I just finished the Cisco branded training for the ENWLSI 300-430 wireless exam, but I feel like I didn't learn much. I'm a huge user of CBT Nuggets (got me my CCNA), but they don't have any training for this exam.

Do you guys know of a better resource for training for this exam specifically? I'll be using CBT Nuggets for the general CCNP ENCOR training. The Cisco training was pretty daunting needing to read everything, and their labs weren't the best.



Set-Up with 2x LTE and 1x WAN (DSL) = 3x WAN with Failover // Question about Teltonika RUTX12

Hello everyone,

I'm looking for a set-up that can use 3 connections (2x cellular LTE + 1x Internet over LAN) to securely send a video stream over the internet and have some capacity for normal office internet usage. Preferably in a single device.

I came across the Teltonika RUTX12, a very cheap solution for this, and was wondering if anybody has any experience with this device or the company, and if there are other products I should look into.

Thanks in advance!



Stripping VLAN tags and Applying new VLAN in a vSwitch

I have been googling quite a bit this morning and I can't find anything that answers my question.

I have 2 virtual systems together on one vSwitch that are normally separate when they are in their physical form. Up until now this hasn't been an issue. For professional reasons I do not have permission to separate these systems to more closely resemble their physical counterparts.

I have run into an issue where we are bringing part of the system capability online that now uses a VLAN that is already in use in the system (VLAN 3). This information cannot mix for security reasons. I have changed the VLAN for the new capability to VLAN 5 for now. Is there a way to build a second vSwitch in the system, associate PG5/VLAN 5 to it, and then strip the VLAN 5 tag and apply VLAN 3 before sending it on its way?

I understand this may be a novice question, please bear with me. I am not CCNA certified and I am mostly self taught.

EDIT: If you know of a youtube video that can get me on the right track. I would love a link



Why would you need to use a Layer 3 switch? What instances would it be required?

Hey everyone,

First off I probably know enough about networking to be dangerous. Treat this as if I know nothing, lol.

I was told that I need a Layer 3 switch for my project. We are going to use a Cisco 3750 that we can get from a refurb vendor online and it's already been purchased.

When I suggested we use a Cisco 2960 switch, I was told this wasn't Layer 3 and therefore it wouldn't work for our application.

In my application, the Cisco switch will be on XXX.XXX.1.100, and all the devices it will connect to will be on XXX.XXX.11.1, XXX.XXX.11.2, XXX.XXX.12.1, XXX.XXX.12.2, and so forth.

Why would you NEED to use a Layer 3 switch? What instances would it be required?

Please help educate me, and if you have any links or info handy I'm all for it. Just looking to learn from people much smarter than me.

Thanks!



HP timeout

Hey Reddit!

After a bit of advice on an issue I have with HP Procurve switches. I have run the commands below,

  • Console idle-timeout 600
  • Console idle-timeout serial-usb 600

In theory these commands should force any connected sessions to timeout after 10 minutes of inactivity, which in part it does however, I have noticed if you leave a switch without finishing the command for example run a ‘show running-config’ with more lines to tab through, it doesn’t timeout.

Has anyone come across this before? I did contact HPE support but got nowhere. Appreciate it's a bit random, but it's just something I wanted to patch up.

Thanks for any advice guys :)



x-post - Cabling for VyOS HA Setup - help to sanity check

I am moving to a new HA setup for VyOS, and was hoping to have somebody sanity-check the physical cabling.

We have two physical routers, running VyOS. Each one has 4 x SFP+ ports.

For WAN, we have two redundant switches, and we can use port channels to span the WAN connection across multiple ports on each.

Downstream, we have a pair of 100Gbe switches as well (MLAG).

What is the best way to use the 4 x SFP+ ports?

I was thinking, for each router, use two ports, one to each WAN, then one port for the heartbeat between them, and then the final one to the downstream switches. (That means no LACP to downstream switches).

Does this make sense, or is there a better way?

https://i.imgur.com/a4fZkuB.png



Generalish availability of Starlink

Starlink has opened up service to the unwashed masses on a first-come, first-served basis.

Service is still $99/month plus $500ish (+ taxes + shipping) for the dish.

Likewise, Starlink is still designating the service as beta, so you get what you get and you might not get it at all, since there's a limited number of spots. Service levels are clearly not high enough for commercial service as outages are explicitly to be expected and the ToS limits service to residential use in named locations with strict no-reselling, no sharing terms.

On the upside, so far there are no bandwidth caps, IPv6 has made an appearance and both latency and bandwidth have been reasonable according to multiple reports, with cautious optimism that latency might be trending downward going forward.

The billion dollar question is of course will available bandwidth per user also be trending downward going forward.

It'll be interesting to see how Starlink handles the onslaught of thousands, if not millions, of customers that they need in order to break even. It'll also be interesting to see when/if Starlink breaks out of beta and starts offering commercial service.

Starlink would undoubtedly make an excellent addition to the connectivity toolkit of any network engineer looking to diversify their options in connecting businesses and enterprises. Not to mention the use of Starlink as backhaul.

Network engineers being network engineers, the first RIPE Atlas probe is already up using a Starlink terminal:

https://atlas.ripe.net/probes/1001821/

As posted on NANOG, here are some tidbits:

"This probe is at present not contained within AS14593 (Starlink). All beta test terminals that I am aware of right now, including my own, are in cgnat IP space and meet the public Internet via AS36492 (Google).

This particular terminal is topologically closest to things at major IX points in the metro Seattle area. The absolute lowest ping time I've seen to something at the Westin is 15.85ms, with averages more often between 21-32ms."



Advice!

Is there any way to create a prepaid user in mikrotik hotspot server? Like after using 10gb the user will get disconnected automatically?



STP question, access switch becoming root

<Cisco Core> VLAN 15 [Root Bridge]
      |
      |
<Dell N3000>
      |
      |
<Cisco IE2000> New switch added (VLAN 15 and new VLAN 71)

The whole network is running RSTP. VLAN 15 on my Cisco core is defined as the root switch. Off of my core switch, there is a Dell N3000 trunked. The only STP command defined is on the core- spanning tree vlan 15 priority [#].

Today when I added a new access switch to the Dell, it took over as the Root Bridge for VLAN15. Why would it take over as the root if the priority is defined on my core switch? What should I add to to prevent this from happening, root guard?

Is there a way to stop the access switch from taking over as root?



Wednesday, February 17, 2021

Cat6/Cat6A - Data/Ethernet and power line next to it

Dear All,

Thanks in advance,

I know that it is not advisable to run Cat6/Cat6A data/Ethernet and power lines side by side, though I want to ask how rational we could be with this.

Is there any formula to calculate the risk?

For this case there would be a Cat6/Cat6A UTP running 2-3 inches away from the power line, where power would be drawn at 60 watts max, and it is from the UPS so there would be no fluctuation.

While some very low-power motor would be attached through this power line in very few cases, I want to make sure whether it is a good idea or not.

By the standards it is not acceptable, I guess, while by rule of thumb or experience there would be no issues whatsoever; is that true?



Remote SIP Extensions

Sorry for the long post, I tend to over-communicate and write short novels.

I'm the network guy at my job and we have a dedicated phone tech. The two of us have for years wanted to get remote SIP phones working. He wanted it for our contracted AV company to be able to just plug a phone into the guest network and it'd connect to our phone network, I wanted it for working from home during snowstorms. Covid came and now the higher-ups want to make it happen, and here we are. Also in a big snowstorm, which is just funny timing.

Our phone vendor set us up with NEC's remote client, tested it from a computer (tech server) on the phone network and gave us the addresses/ports we'd need to get things up and running.

We are PCI-beholden so have 3 networks: admin, phone, and guest. No VLANs, each is a flat network. I put a Fortigate in place to bridge between phone and guest, to either be a VPN (split-tunnel it so only SIP traffic goes over and users can still use their own devices), or even potentially VPN-less using a FQDN and some port forwarding. On Fortigate's VPN I could ping everything to my heart's desire but couldn't actually register the extension. Same using the FQDN, no matter the settings.

Yesterday I gave up and replaced the Forti with pfSense. The Forti was old and not covered by an active license, I thought maybe it wasn't working because of that. pfSense definitely gives me more information, but it still doesn't work. With OpenVPN through pfSense I can ping the tech server (gateway for that NIC is the pfSense firewall), but nothing else.

I can Wireshark and check logs all I want, the NEC client is sending SIP REGISTER packets to the proxy port but nothing is coming back across. If I plug my laptop into the phone net it registers immediately, but on guest or at home nothing comes back. On both Forti and pfSense I have the vendor's listed ports whitelisted from WAN -> LAN, and LAN -> WAN is unrestricted.

Here are the generals:
Phone net: 10.1.0.0/23
Phone switch: 10.1.0.5
Phone proxy: 10.1.0.5:5080
Firewall phone net addr: 10.1.0.20
Tech server: 10.1.0.10
VPN client net: 10.1.10.0/24
Guest net: 10.10.0.0/22
Firewall guest net addr: 10.10.0.20
FQDN: phonevpn.contoso.com (Peplink NATs the public IP to a private IP on guest)

The phone switch and other devices have their gateway set to 10.1.0.1, the new firewall is 10.1.0.20. I have no idea what the 0.1 device is, that network is managed by the phone vendor so I haven't touched anything on it ever.

My line of thinking is: because the gateway is set to 0.1, when NAT-ed requests come through the VPN or FQDN via 0.20, the phone switch is replying but since they're originating from different networks/subnets it sends to 0.1, which has no idea what I'm trying to do and drops the packets. I haven't yet put Wireshark on the phone network side to see what it's doing but I can try that tomorrow.

We have an NEC phone switch with a mix of SIP and analog phones. My suggestion to the vendor was to change the gateway at least on the SIP blade of the switch to 0.20, but we also have a cloud provider (BluIP. DIDs hit them first and then if the land network goes down their router switches to cellular) so I don't know how that would affect normal operation.

All this to say: am I in the right direction with thinking the phone switch can't reply to the REGISTER requests because it's sending to its default gateway instead of directly? I'm out of my depth with phone stuff, and we don't have full access over the switch so I can't test on my own. Our phone tech is retiring soon so I will need to learn more about all this, but at the moment it's still way above me (more acronyms than in networking, it's nuts.) I swear I'm not completely stupid, I've just reached the rabid stage of trying to get something to work.

Thanks for any advice!



Dedicated GPON vs Hybrid GPON (With Switches)

Dear All,

The thing is, we are creating a closed security network with multiple edge elements (4000+: cameras, access control, barriers), and this network is being deployed as GPON.

The network is spread across one huge campus with multiple buildings and floors, but confined to one area only.

So the basic question is what would be the Pros and Cons of deploying Dedicated GPON (With only OLT-Fiber-ONT/ONU-Cat6A-Edge Element) vs Hybrid GPON (With OLT-Fiber-ONT/ONU-Cat6A-Switch-Cat6A-Edge Element).

Both are possible as of now, but which would be the better option, and what would be at stake? Which is better, or which has limitations, in terms of manageability, redundancy, maintenance, scalability, and other things that should also be taken into account?

If any other details are required, then please let me know.

Server and other things would be same in both.

Thanks in advance.



Help needed??

Can somebody please explain IP address and port?



Cloudgenix

Hey guys,

I'm evaluating a few SD-WAN products (the usual suspects: Viptela, VeloCloud, Meraki) and I've come across CloudGenix. I can see they are under the Palo Alto banner. Has anyone deployed it and got any commentary around it? Is the product stable? Any killer features that stand out?



Wondering where the best place is to look for IPv4 contacts

Hi all, so my company and I have recently been trying different tactics to find IPv4 reps. We've been browsing forums, looking at registries, etc.; however, we haven't really been all that lucky.

Was wondering if you guys could maybe point us in the right direction? Would be for buying & leasing. Would really appreciate any help you guys can offer!



Multiple connections between a router and layer 3 switch

I have a router, which serves as a gateway for different WANs, and a layer 3 switch connected to it. The goal is to use the layer 3 switch as a 'router' for the devices connected to it, and to then forward WAN traffic to the true router. The general goal is to have a point-to-point connection between the switch and the router, but with a caveat: I'm trying to get two links running between the two, with no luck. The router is set with two interfaces configured as a BVI, but I don't even know where to start with the switch. Creating a BVI isn't an option, so my thoughts immediately go to creating an LACP bundle with two switchports and then assigning those switchports to a VLAN with an IP address for the point-to-point, but that doesn't seem to be working. Any help would be greatly appreciated.



BIRD RPKI validation policy based on community

Coming from a Juniper shop, creating a simple route server using BIRD for a looking glass. Having an issue getting it to match extended bgp community that our Juniper router is sending to BIRD for validation state.

What would the BIRD equivalent of the below config (from Juniper) be?

show policy-options
policy-statement validation-ibgp {
    term valid {
        from community origin-validation-state-valid;
        then validation-state valid;
    }
    term invalid {
        from community origin-validation-state-invalid;
        then validation-state invalid;
    }
    term unknown {
        from community origin-validation-state-unknown;
        then validation-state unknown;
    }
}
community origin-validation-state-invalid members 0x4300:0.0.0.0:2;
community origin-validation-state-unknown members 0x4300:0.0.0.0:1;
community origin-validation-state-valid members 0x4300:0.0.0.0:0;

It receives the community fine, but obviously it isn't doing anything with it, validation-wise:

Table master4:
8.8.8.0/24           unicast [core_rt1 07:22:31.151 from 0.0.0.0] * (100) [AS15169i]
        Type: BGP univ
        BGP.origin: IGP
        BGP.as_path: 15169
        BGP.next_hop: 0.0.0.0
        BGP.med: 0
        BGP.local_pref: 110
        BGP.ext_community: (generic, 0x43000000, 0x0)
        BGP.large_community: (53339, 11, 1) (53339, 11, 3) (53339, 11, 5)

Looking for it to output BGP.ext_community: (RPKI Origin Validation State: valid)
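As an added example (not part of the post, and not Junos or BIRD code), the Python below decodes the origin-validation-state extended community in both notations that appear above, the Junos member `0x4300:0.0.0.0:2` and BIRD's `(generic, 0x43000000, 0x0)`, and maps it to valid/unknown/invalid. The octet layout (type 0x43, subtype 0x00, state in the last octet) is taken from RFC 8097; the sample route dump is the post's own output re-wrapped one attribute per line.

```python
"""Decode the RFC 8097 origin-validation-state extended community as it is
written in Junos policy ("0x4300:0.0.0.0:2") and as BIRD prints it in a
route dump ("(generic, 0x43000000, 0x2)"), mapping both to a state name."""
import re
from typing import Optional

# RFC 8097 layout of the 8-octet community: type 0x43, subtype 0x00,
# five reserved octets, one octet of validation state.
OV_TYPE, OV_SUBTYPE = 0x43, 0x00
# RFC 8097 calls state 1 "not found"; Junos and the post call it "unknown".
STATE_NAMES = {0: "valid", 1: "unknown", 2: "invalid"}

# Junos members syntax: 16-bit type, 32-bit administrator (dotted), 16-bit value.
JUNOS_RE = re.compile(r"^0x([0-9a-fA-F]{1,4}):(\d+\.\d+\.\d+\.\d+):(\d+)$")
# BIRD shows communities of a type it does not name as two 32-bit words.
BIRD_GENERIC_RE = re.compile(
    r"^\(generic,\s*0x([0-9a-fA-F]{1,8}),\s*0x([0-9a-fA-F]{1,8})\)$")
EXT_COMM_RE = re.compile(r"BGP\.ext_community:\s*((?:\([^)]*\)\s*)+)")
COMMUNITY_RE = re.compile(r"\([^)]*\)")


def parse_ext_community(text: str) -> bytes:
    """Return the 8 wire octets for a Junos or BIRD 'generic' community string."""
    text = text.strip()
    m = JUNOS_RE.match(text)
    if m:
        type_field = int(m.group(1), 16).to_bytes(2, "big")
        admin = bytes(int(octet) for octet in m.group(2).split("."))
        value = int(m.group(3)).to_bytes(2, "big")
        return type_field + admin + value
    m = BIRD_GENERIC_RE.match(text)
    if m:
        hi, lo = int(m.group(1), 16), int(m.group(2), 16)
        return hi.to_bytes(4, "big") + lo.to_bytes(4, "big")
    raise ValueError(f"unrecognised extended community notation: {text!r}")


def to_bird_generic(ec: bytes) -> str:
    """Render 8 octets the way BIRD prints an unnamed extended community."""
    hi, lo = int.from_bytes(ec[:4], "big"), int.from_bytes(ec[4:], "big")
    return f"(generic, {hi:#x}, {lo:#x})"


def encode_ov_state(state: int) -> bytes:
    """Build the community a validating router would attach for `state`."""
    if state not in STATE_NAMES:
        raise ValueError(f"undefined validation state {state}")
    return bytes([OV_TYPE, OV_SUBTYPE, 0, 0, 0, 0, 0, state])


def decode_ov_state(ec: bytes) -> Optional[str]:
    """Return valid/unknown/invalid for an OV-state community, else None."""
    if len(ec) != 8 or ec[0] != OV_TYPE or ec[1] != OV_SUBTYPE:
        return None  # a route-target, route-origin or other community
    # The reserved octets ec[2:7] are not inspected; only ec[7] carries state.
    return STATE_NAMES.get(ec[7])


def validation_state(text: str) -> Optional[str]:
    """Junos or BIRD textual community -> state name (None if not OV-state)."""
    return decode_ov_state(parse_ext_community(text))


def state_from_bird_dump(dump: str) -> Optional[str]:
    """Find the first OV-state community in a BIRD 'show route all' dump."""
    m = EXT_COMM_RE.search(dump)
    if not m:
        return None
    for comm in COMMUNITY_RE.findall(m.group(1)):
        try:
            state = validation_state(comm)
        except ValueError:
            continue  # e.g. "(rt, 65000, 1)": not a notation handled here
        if state is not None:
            return state
    return None


# The route entry quoted in the post above, re-wrapped one attribute per line.
SAMPLE_BIRD_DUMP = (
    "8.8.8.0/24 unicast [core_rt1 07:22:31.151 from 0.0.0.0] * (100) [AS15169i]\n"
    "    Type: BGP univ\n"
    "    BGP.as_path: 15169\n"
    "    BGP.ext_community: (generic, 0x43000000, 0x0)\n"
    "    BGP.large_community: (53339, 11, 1) (53339, 11, 3) (53339, 11, 5)\n"
)

if __name__ == "__main__":
    for member in ("0x4300:0.0.0.0:0", "0x4300:0.0.0.0:1", "0x4300:0.0.0.0:2"):
        ec = parse_ext_community(member)
        print(f"{member:18} -> {to_bird_generic(ec):30} -> {validation_state(member)}")
    print("route in dump is", state_from_bird_dump(SAMPLE_BIRD_DUMP))
```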



Hobbyist-level cable/network tester

Let’s say I am running some network cable through walls, occasionally cutting my own patches, etc. often enough that I want something solid to do testing, not enough to justify the $1000 price of a used LRAT1000.

I definitely want TDR capability and to try and stay under $500. Used is preferred since I would rather get a better unit than a cheaper one.

Options?

  • Linksprinter 300
  • Fluke MS2-100
  • Ideal VDV II Pro
  • Platinum has one also

I feel like a lot of these have been on the market for a long time so the field is a bit stale. But whatever.



Check Point experts, some policy help

We’re about to add a bunch of policies (at least 20) as part of a deployment. What would be the cleanest way to do so? From what I understand, you can add a separate set of policies altogether above your existing one (edit policy, add new layer) or create a new rule and have sub-rules under it (rule 20, 20.1, etc.).

I just don’t know if there are any disadvantages or risks involved between the 2 methods, or if I should just add the rules in a new row like it was done before. If there are other ways to do this cleanly, please let me know.



Management cct options for Cologix Canada?

What are you guys running for OOB circuits? I don't want to have to pay for another cross connect at several hundred dollars a month on top of a backup cct, and I don't like the idea of LTE because the signals in the datacentre are usually bad.



Do I have 2 different public IPv4 addresses?

I was recently messing about with my friend and we were sharing IPs to test out each other's code, when we realized that I had 2 separate IPs. The IP he managed to collect was a public one starting with an 8, but it was different from the usual public IP that is on my network. It was not as if my IP had changed, since my IP was the same as the old one when I searched it up on a lookup site. Does anyone know why I have two public IP addresses, and if I change one, will it change the other? I do not want my IP to be exploited by people. All replies would be appreciated :)



Aruba PoE Won't Power Device

I have a bit of a strange one here!

We have a location with a bunch of Aruba 2930Ms with redundant power supplies, and a 5400zl with redundant supplies and a PoE card in it. There are a bunch of devices hanging off already (CCTV cameras, intercoms, UBNT APs) and they all get powered up just fine. We have an elevator interface (ButterflyMX relay box) that looks like it wants to take power but won't; the PoE light flashes on for about half a second every few seconds. If we put a standard PoE injector inline it powers up just fine, and if I plug it into a Cisco SG300 with PoE it runs without any issues or special config.

I have tried forcing the class, forcing the wattage, and every other PoE setting I can find in the CLI, even tried legacy mode, and nothing will let this device power up. The device is supposed to be 802.3af compliant.

Config guide

https://grow.butterflymx.com/hubfs/Installers/Elevator%20controls/ButterflyMX%20-%20Elevator%20Control%20Installation%20Guide.pdf

The customer has some of these units installed in other buildings and I am trying to get one of my guys to track one down and see how it is hooked up and what type of switch it is hanging off.

Has anybody else seen issues with an Aruba switch not playing nice with PoE?



Computer disconnects from Internet but other devices do not

Has anyone had this issue while running thousands of Chromium tasks or high-intensity workloads? So I run thousands of Chromium tasks and my computer's internet disconnects, but my other devices are fine, like my phone's WiFi and TV internet. I have an MSI Tomahawk Z490, an i9 10900k and 48 GB of RAM. Not sure if it persists, but I see online that the MSI Tomahawk has a lot of driver issues. Does my network card not handle this amount of load? I’m connected via Ethernet. I have an Eero Pro 6 and it should be more than capable of handling this many tasks.



Enterasys xp 2400-256

I have been looking for some used Enterasys XP-2400-256 for months. Could anyone help me locate 2 units??



Lumen fiber ring question

Hey all,

The weather is historically bad in Dallas (or at least bad for us) which has caused rolling blackouts and extended power outages across the state. Lumen claims a fiber ring in Irving has been without power since this past early Monday morning when this all started. This is actually the second time in less than 6 months that this same fiber ring has had an extended power outage. The other time was for a blown transformer or something of that nature. My question is, do they not run these on some type of generator? They claim there is a battery backup, but once that is out it goes down. You would think something this service impacting would have some type of generator. I mean we are a simple company, but even we have a generator that can run our building indefinitely as long as we have diesel fuel. I get that we are nowhere near the level of Lumen’s size. I’m wondering for those of you that have worked for a carrier if this is standard? Maybe I just don’t understand how these are designed as I’ve never worked for a carrier.



Hosting Internal Captive Portal Page - WiFi

Hi all,

I'm wondering what the exact steps are to host a captive portal page (e.g., the Aruba ClearPass captive portal) for guest WiFi. Specifically, how can I get it working with a cert so the connection is SSL/HTTPS without the warnings?

I'm a little confused. My understanding is that we require a public DNS name (i.e., wifi.company.com) with a CA-signed certificate tied to that domain? But if it's internally hosted, how would the DNS record be set up? Then, that certificate is loaded in ClearPass for the hosted captive portal page.

Can anyone walk me through from a very high level view on the requirements from end to end?

Note, I did mention Internal. Let me explain further. This site is secluded from the company network. The site has internal access with one another and outbound access to the internet. No internal access is provisioned.

Thanks!



Question - Corporate Network - Communicating with Static Devices on Undefined Subnet

I have a Corporate LAN with scope 192.168.30.X

I have an Engineer asking me if he were to set a static IP for his computer and that of his PLC of 192.168.250.X range if they could communicate with each other over the switches just by static IP assignment.

I have suggested we could go the proper route and create a VLAN in the firewall and switches to pass traffic along a newly defined schema, but he is just questioning this hypothetically.

My inclination is that it doesn't have the scope defined anywhere so it would fail.

Unless they could create a route on their PC to allow for this?



Load balancing across 2 satellite links

We have a customer who is very remote and can only get satellite internet to their location. They already had a single Viasat connection, and decided that wasn’t enough bandwidth for their 9 PCs, so the owner ordered another Viasat connection. From what I can tell, they just installed a 2nd modem and called it a day; there’s no bonding of the links or anything (not even sure if that’s possible).

I guess I’d like to load balance across the 2 satellite links if possible. What sort of device would you guys recommend to do that? I saw the Ubiquiti EdgeRouter devices support load balancing across 2 wan links. Does anybody have experience with a solution like that?



How did you guys practice as a beginner?

Please point me in the right direction if this is the wrong sub.

I'm in the beginning stages of studying for comptia a+ and networking+ so it's mostly terms, hardware and protocols right now. How did you guys practice as a novice? Did you start tinkering immediately or start with something like packet tracers after a certain point?



HA firewalls with non stackable switches

hello Reddit,

Just confirm my thoughts (or tell me I'm wrong!)

I need to reconfigure a network to be more HA. Currently there are HA firewalls, but the split of the WAN and LAN to HA, and the actual LAN, exist on the same switch in VLANs, then there are 2 daisy-chained switches further on from this switch. So it's not very HA at all. The physical cabling all looks a bit loopy, but is currently working (unless that switch fails or is rebooted, then everyone loses internet as both firewalls hang off the same switch, which is also splitting the single WAN feed out to both firewalls; eesh).

The switches don't stack, otherwise I would do HA properly with LAGged interfaces from the firewalls across the stack.

With that in mind, I think my best approach is to do trunks between all the switches, make it a loop and turn on STP, then have a single interface from one firewall going to the LAN VLAN on one switch, and the LAN interface on the HA firewall going to the LAN VLAN on a different switch?

Then any firewall or lan side switch can fail and everyone would still be able to get out to the internet, except clients plugged into the failed switch?

The switches and the firewalls aren't very good, but are quite new so I don't think I'll get much motivation to replace it all just to make it better, so trying to work with what I've got (new customer etc)



Fortinet SD-WAN

Greetings

We have started to deploy Fortinet SD-WAN at one of our customers' locations, but I am concerned about the issues below, if anyone can assist.

In the 360 protection bundle it is mentioned that orchestration entitlement is supported; does that mean I will not be able to orchestrate tunnels without this license?

And what is cloud-assisted monitoring, really? I should have visibility without this license, am I right?

OCVPN is used to orchestrate the overlays; in the full license, a maximum of 16 devices. What does that mean actually?

Thanks!



ASA 5525 ASDM

Hey,

I recently decommissioned our ASA to upgrade the firmware in it.

So far so good: before upgrading I had every kind of access (ASDM, SSH, web UI).

I upgraded to Cisco software 9.8(2)

and device manager to 7.8(2).

I reloaded but checked the option to use the current running config as the startup one.

But now I've lost both ASDM and web access; I still have SSH access.

I tried:

- Downgrading both ASDM and the Java JRE

- Reinstalling ASDM and Java from scratch

- Deleting the ASDM cache + Java folder in AppData

- Adding the http://ip of the management interface in the Java security tab

- Adding TLS 1.2 medium on the ASA

- HTTP server is enabled

- Adding grant permission to the java.policy file.

ASA logs don't show anything,

and the ASDM console logs only show this.

OK button clicked
java.net.SocketException: Connection reset
	at java.net.SocketInputStream.read(Unknown Source)
	at java.net.SocketInputStream.read(Unknown Source)
	at sun.security.ssl.InputRecord.readFully(Unknown Source)
	at sun.security.ssl.InputRecord.read(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
	at com.cisco.launcher.s.new(Unknown Source)
	at com.cisco.launcher.s.actionPerformed(Unknown Source)
	at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
	at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
	at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
	at java.awt.Component.processMouseEvent(Unknown Source)
	at javax.swing.JComponent.processMouseEvent(Unknown Source)
	at java.awt.Component.processEvent(Unknown Source)
	at java.awt.Container.processEvent(Unknown Source)
	at java.awt.Component.dispatchEventImpl(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
	at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
	at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Window.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
	at java.awt.EventQueue.access$500(Unknown Source)
	at java.awt.EventQueue$3.run(Unknown Source)
	at java.awt.EventQueue$3.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
	at java.awt.EventQueue$4.run(Unknown Source)
	at java.awt.EventQueue$4.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
	at java.awt.EventQueue.dispatchEvent(Unknown Source)
	at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.run(Unknown Source)
java.net.SocketException: Connection reset


Tuesday, February 16, 2021

Dell switch stacking, stack operational switch?

We have a Dell S4048T-ON that is configured and has been running for a couple years, we just purchased a second one to replace an unmanaged switch.

Should I expect to run into issues if I stack these 2 switches without bringing the old one back to default? Couldn't find any instructions online that didn't start from 2 new switches, but nothing explicitly said that 2 new switches was required either.



Central network monitoring solutions

Hey,

I'm in the middle of evaluating our company's current monitoring solution and that includes exploring other options that we are missing and so on. We are heavily relying on just simple snmp polling at this point and we use Zabbix for it. My plans/ideas involve taking this to a whole new level and gathering SNMP, telemetry, Syslog and even sFlow if feasible.

I have no problem setting up different systems to gather data with all of these "methods", but I'm curious to hear what central place is most common for monitoring different methods like this. So far I've had my go at using Prometheus and Grafana to get SNMP data and then using the node exporter to get health data from our devices. ELK with all its integrations looks promising and I have tested a few things there already as well.

I guess my main question is are you monitoring networks via multiple systems or do you have one central place that does it all for you?



IPv6, really?

Is IPv6 ever going to take over, or has it taken over and we don't know it?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Strange SFP behavior. Can someone explain?

In this age of remote work, I had one of my onsite techs install a new server and get it to a state so I can finish the config remotely. It has a Chelsio 25G card and he was having some strange issues connecting it to the Juniper 10G switch. He tried some different SFPs and when he landed on one that worked, he left it at that. After a couple of hours the system dropped off the LAN and the switch showed no link. The remote guy confirmed the system was still online but the SFP was extremely hot. He shot me over the model number of the SFP, which turns out to be an 8Gb Fibre Channel SFP!

Can someone tell me how or why a Fibre Channel SFP would work in an Ethernet card and link to a 10Gb switch? The SFP's spec sheet doesn't make any mention of Ethernet, only different Fibre Channel standards supported. I'm confused.



small business VPN solution

So I'm supporting about 20 remote workers who have to VPN to our office.

I have 2 OpenVPN servers on 2 ISPs that act as hot-hot VPN servers, so I have a license for 40 connections.

OpenVPN has "overhauled" their licensing and the cost has more than quadrupled since I first started the project.

My question to you guys: what are my modern options? I'm getting away from Cisco, so AnyConnect won't be on my radar.

I do have Fortigate NGFW and MikroTik. I can probably do pfSense, which I know comes with free "OpenVPN".



Simple Tool to Test Max BGP Table Size

Anyone know of a tool that can be run on a Linux VM to test the effects of a very large BGP table on a device?

I found this, https://docs.opendaylight.org/projects/bgpcep/en/latest/bgp/bgp-user-guide-test-tools.html#bgp-test-tool , but it does not ever seem to send a full table, no matter how many prefixes I say to advertise.



Assign VLAN traffic to L2VPN according to RADIUS

This is a fairly complex one, at least for me. I am looking to design a network as follows:

  • A customer is connected to a port of a layer3 switch.
  • On ingress, frames from the customer are assigned a VLAN tag based on the port. (Simple so far)
  • A RADIUS (or similar database-driven) server is then consulted, and the traffic is encapsulated into an L2VPN (i.e. MPLS) tunnel. Critically, the identifier of this tunnel is determined by RADIUS according to the VLAN tag, allowing the customer to be dynamically bridged to one of several endpoints.
  • Elsewhere on the MPLS network, the customer frame is retrieved and sent out to the chosen endpoint (in this case a retail ISP who is renting the customer's line to sell a layer 3 service to them).

Given that a layer3 switch likely does not have this functionality, an alternative version of this might look like the following:

  • A customer is connected to a port of a layer3 switch.
  • On ingress, frames from the customer are assigned a VLAN tag based on the port (as above).
  • The tagged packets are then encapsulated in an L2 overlay protocol (i.e. VXLAN) and transmitted to a metro-sized router (i.e. Juniper MX204).
  • The router retrieves the tagged packets from the VXLAN encapsulation, consults RADIUS using the VLAN tag, and re-encapsulates them to be sent over MPLS as above.

Does this make any kind of sense? Is it sane? Will a Juniper MX do everything required (VXLAN->RADIUS->MPLS)?

My question is inspired by a desire to automate the provisioning of customer ports in a wholesale environment, and this presentation, which looks great but which I don't yet fully understand the implementation of: https://www.ausnog.net/sites/default/files/ausnog-03/presentations/ausnog03-nagy-layer2_wholesale_nbn.pdf

Thanks!



ACL - Deny SSH/ICMP best practice

Hi Guys,

Is there any best practice on denying SSH/ICMP? I've seen it being done a couple of ways: through the VTY lines and through the VLAN interface.

Cheers,



Should I enable Protected Management Frames on my Cisco WLC wireless network?

I have a Cisco WLC based wireless network and am considering enabling PMF as Optional. I'm a little hesitant because I haven't tried it before. Are any of you using it / tried it in production? How did it go?



Point to Point Radio

Hey guys, we are looking at an office space that is roughly 2,800 ft away with direct line of sight from our corporate office. Curious if anyone has any experience with the airMAX GigaBeam products? Seems like I can just buy two of these, connect them on the roofs via Ethernet, and they can act as a layer 2 extension? Not finding a lot of documentation online for configuration on them. Basically you just download the "app" on your phone and configure, which makes me nervous. Just looking for reviews or ideas on this type of product, or if there is a better solution? This office space is only temporary, so not looking for MPLS or trenching in fiber.

https://store.ui.com/collections/operator-airmax-and-ltu/products/airmax-gigabeam-plus-60-ghz-radio



Cabinet recommendations

Hello /r/networking, I need to purchase 4-5 cabinets to install network equipment in a customer's own datacenter. We'll install a mix of network equipment (1U switches, 1U FWs) and 1-2U servers in them.

Any suggestions about brands / models and reputable vendors?

Thank you!



Class-C Block from ARIN

Out of curiosity (because I don't have too much experience in how this works).

An office has 2 circuits from two different ISP/providers. Each provider has given us a /29 to work with which we're out-growing rapidly.

Would it make sense to request a /24 from ARIN? Am I able to get a /24 from ARIN and have ISP#1 take /25 and ISP#2 to take the other /25 and provide these ranges to us?

I realize this is pretty vague but I'm looking for a simplified overview of how we can get our own IP addresses instead of using what the ISP provides (at a huge upcharge).

Edit: Thank you for the replies and the extra details! -- It's giving me a greater understanding now.



iWarp (RDMA) understanding?

Hey everybody.

So I am trying to learn the benefits of iWARP, if any, for a client setup.

What I/we wanna accomplish: the client flies and collects multispectral images for agriculture, and they process this data (stitching images, overlaying, 3D modeling etc.). As of now they have central storage, where they copy data from, process the data and put it back. This process is time consuming. So in an effort to improve their current workflow, we are looking into new high-speed NVMe storage, a 10 Gb network and iWARP to try and mitigate the CPU overhead of the network.

So the question. iWARP surely seems smart, in that we can leverage NICs with onboard RDMA chips and iWARP capabilities, and get enhanced latency. BUT. What I am unable to answer / find is:

Do the applications they use need to support iWARP or something to be able to benefit from iWARP? It does say that SMB Direct takes care of this, but am I missing something? Anyone have hands-on experience?

It's gonna be between a Win 2019 server and Win 10 Pro workstations.

What I have looked at so far:

https://www.intel.com/content/dam/www/public/us/en/documents/technology-briefs/iwarp-rdma-here-and-now-technology-brief.pdf

https://www.intel.com/content/www/us/en/support/articles/000031905/network-and-i-o/ethernet-products.html

And related links in the URL above.



Enterprise: Where to put eve-ng server

Been doing some googling but haven't found anyone that's touched on this. In an enterprise environment, where should we put our eve-ng server? Should it be on its own lab network or can it sit on the corporate/server network? What security risks are there?

A couple of details:

  • we are running on a physical server
  • we do not plan to connect the lab to the internet
  • we do not plan to connect the lab to other physical networking equipment


Current IPsec Recommended Settings

I've stumbled upon this IETF RFC and it says to use DH group 14 as best practice right now (in 2017 when the RFC was published) and to avoid a bunch including 2, 5 and some of the 20s.

I can't see a more recent version of this RFC so I'm wondering if this is still accurate 3.5 years later and where people look to see what the current best practice is?



SALTSTACK Nornir proxy

Hi Folks,

Great news everybody, crafted 0.3.0 release of SALTSTACK Nornir based proxy minion modules together with new documentation - https://salt-nornir.readthedocs.io/en/latest/index.html

Would be glad to hear your thoughts.



Cisco IP phone with ISE

Hello, I am implementing Cisco ISE on my network. I can see that the IP phone is getting authorized on ISE, but it is not getting an IP address. I checked the switch, and I saw that the IP phone is authorized but on the data VLAN. Any solution for that?



Grafana dashboards

I'm trying to set up some Grafana Dashboard for my monitoring system.

I'm trying to find dashboards for general hardware health i.e. temp sensor, PSU status, transceiver light levels etc. I've looked on https://grafana.com/grafana/dashboards but wasn't able to find anything useful. Are there any other good places I should look in?

Just to clarify, I understand that Grafana dashboards are dependent on datasource, but I don't mind that. I can change it to my particular one (Prometheus) from any other. I'm just looking for dashboards that are already done which I can tweak to my needs.



SmartConsole equivalent for Cisco

Hi, I just changed jobs and I'm now sitting in a Cisco environment.
At my old workplace they used Check Point and I had read access in SmartConsole to look at traffic and firewall rules to figure out why certain traffic was not going the way I wanted.

What is Cisco's equivalent product to SmartConsole or is there none?

I have tried to google it but I'm not getting any good hits for my searches.