Saturday, March 13, 2021

Per packet load balancing

Is there a solution which can offer per-packet load balancing?

I have multiple sites which are identical, and utilise a private layer 2 ethernet private line network. An underlay and an overlay network exist; the underlay has 1Gbps capabilities, however the overlay can only support multiples of 100Mbps due to physical hardware bottlenecks between the overlay and underlay networks.

I'm after a solution which will be able to forward >100Mbps TCP traffic between sites. Everything I've found so far doesn't solve this issue as they seem to operate on a per-flow basis, which hashes to a particular 100Mbps link only.

Does this solution exist? Maybe SD-WAN for a 'tunnel' overlay for the.. overlay network?

Any gotchas to be made aware of?



Mellanox vs HP StoreFabric SN2010

We're looking for a TOR 10/25Gb switch for a small cluster, and are looking at the Mellanox SN2010. Looking it up, we can see that we could buy this from Mellanox, or we can get the same equipment as the HPE StoreFabric SN2010M.

Does anyone have any experience with these, or know whether there are any differences going with one or the other?

Thanks!



Introduction Book in 2021

Hello community,

I fear this is a question asked very often, but technology advances a lot so I ask it anyways.

I am an information systems grad and now work as an engineer. Besides my actual area of work (Dynamics 365 and standard software), I have wanted to fill my networking knowledge gaps for years. What is a good introduction book for computer networking?

Currently I plan to buy a pi-4 and experiment in my own network, so I would like to buy a book for introduction.

Greetings

David



Top 3 Edgerouter 10x alternatives?

Recently I set up OpenVPN on my ER-10x. Bandwidth was limited to ~15MBps because the CPU is very slow, I believe 500MHz.

What would you recommend as a firewall/router replacement for the Edgerouter 10X?

CPU must be a minimum of 2GHz and should support DUAL WAN AND WAN failover.



TCP 3-way handshake

Hey,
I'm wondering what the purpose of the third handshake is.
I can understand the syn + syn-ack messages, because the sender knows his segment arrived and now he can send the next segment.
Maybe it tells the receiver to be prepared for a new segment? I'm just guessing...



Separate Data Network but has a Shared VoIP VLAN Requirement

We have a customer that requires 2 separate data network segments that cannot talk to each other (for which I'm planning to have the GW in the CORE SW w/ a VRF setup), but their VoIP system will be shared between the 2 network segments (for which I plan to have the GW in the FW), & the CORE SW will act only as Layer 2 for VoIP. And so I can use the switchport w/ a data vlan & a voice vlan. And the communication between Voice & each Data network will happen in the FW via Inter-VDOM. Though I'm not quite sure if this will work.

DATA NETWORK 1 = VDOM 1

DATA NETWORK 2 = VDOM 2

VOICE NETWORK = SHARED VDOM

- SHARED VDOM will be able to communicate w/ VDOM 1

- SHARED VDOM will be able to communicate w/ VDOM 2

- VDOM 1 cannot communicate w/ VDOM 2

As for ISPs, they have 2 ISPs that will also be configured w/ SDWAN (load sharing/auto failover).

Any insights of yours?



How can I know if my Router support Wi-Fi 6 AX ?

Hi guys, I bought a cheap Wi-Fi 6 router from Huawei. How can I know if it is actually true Wi-Fi 6 AX?

thanks



SRW2024 Linksys Network - Firmware update

Hey, just checking on here that no one has software update files for the SRW2024 Linksys Network switch. I can't seem to find it anywhere as it was EoS a while ago.



Friday, March 12, 2021

Dual-Router Dual-Homed

If you are thinking about how to implement a Dual-Router Dual-Homed topology, you should consider these tips in order to guarantee traffic optimization and failover:

  1. Use provider-independent IP address space to allow for advertisement to both ISPs (make sure not to configure your network as a transit network between autonomous systems, apply route filtering).
  2. Request a public BGP AS number for eBGP connections to the ISPs.
  3. Receive full or partial Internet routing tables to optimize forwarding outbound.
  4. Use a FHRP or an IGP internally.
  5. Whenever possible, use SD-WAN.


Has anyone here worked in environments where E-LANs/VPLS were used as an SD-WAN transport? If so, did you encounter any scaling issues?

The reason I'm wondering about this is that it seems like a metro-based E-LAN (which is essentially built over the local ILEC's access network, instead of an MPLS backbone) would be a pretty cost-effective alternative to a DIA/broadband combo for environments with high site density in key markets. However, I'm wondering whether the multipoint nature of E-LANs would negatively impact scalability.



Multiple Subnets - Same Network Gear

I've always run into this issue. You have a physical network all connected but multiple subnets (ex 192.168.1.0 and 10.0.0.0) running all across the same hardware. Sure it works, but I've always noticed it acts quirky: MAC address tables break, weird things happen. I'm very familiar with VLANs and I realize VLANs segregate those networks properly to fix issues. But what is it about sharing network hardware with multiple subnets that makes it act funny? Is it that ARP tables break? Or issues with switching? Every environment I've ever witnessed set up this way tends to have issues. I'm guessing since the invention of VLANs this setup is kind of frowned upon, but most importantly I'm curious why - what makes it act so quirky?



Behold - the Aruba 6405

Got 6 of these for an access layer refresh. We're going to end up putting them at the core too to replace our old 5406s. Maybe went a little overkill and got mGig on every port but.. ya know.. future proofing or whatever.



Age-old question: Router or firewall first on the edge?

I know this is an old topic that has been discussed often, and the answer is usually "it depends". I was chatting with this guy today and he said if someone puts the router first they are a total dumbass and he won't talk to them any further. I felt a little awkward because I always put a router on the edge, so I stayed quiet and nodded sagely. I null route a bunch of stuff on the router like RFC 1918 and a bunch of other subnets that I don't like. I can also filter IKE and SSL traffic to the firewall so I don't have to scramble every time Cisco announces a new vulnerability (we're small so it's not hard). I guess you could do that with two firewalls though.

So anyway, is it as cut and dried as this guy seems to think? Just wondered what the consensus was these days. Maybe I'm behind the times.



Aruba Procurve ESXi ~ My brain is broken

Hi, I have been trying to get this working for what seems like ages ~ I'm missing something ~

We are expanding our infrastructure (actually we're building a smaller, faster, less dense cluster for a 24x7 colo). Anyway, we trunk (LAG ~ Aggregate ~ Bond ~ Link ~ whatever your terminology) our ESXi hosts to the switches; that way they observe VLANs and we can assign VMs to individual VLANs.

So we got some Arubas and here I am struggling

Can you help a cranky admin out?

##### Procurve 5412zl release #K.16.01.0013 ########

```
trunk A1,B1 trk11 trunk
trunk A2,B2 trk12 trunk
trunk A3,B3 trk13 trunk
logging facility local3
timesync sntp
sntp unicast
sntp server priority 1 10.0.0.250
no telnet-server
time daylight-time-rule continental-us-and-canada
time timezone -300
ip route 0.0.0.0 0.0.0.0 10.0.0.254
ip routing
interface A1
   name "VM01 eth"
   no power-over-ethernet
   exit
interface A2
   name "VM02 eth"
   no power-over-ethernet
   exit
interface A3
   name "VM03 eth"
   no power-over-ethernet
   exit
interface B1
   name "VM01 eth"
   speed-duplex auto-1000
   exit
interface B2
   name "VM02 eth"
   no power-over-ethernet
   exit
interface B3
   name "VM03 eth"
   no power-over-ethernet
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged A8-A14,A16,B8-B14,B21,C8-C14,C21,D6-D7,D15,D21
   untagged A17-A18,A20-A22,B17,B20,B22-B24,C16-C18,C20,C22-C23,D3,D8-D14,D16-D18,D20,D22-D24,E1-E24,Trk1,Trk6,Trk8-Trk9,Trk11-Trk17
   tagged A15,B15-B16,C15
   ip address 10.0.0.1 255.255.252.0
   exit
vlan 101
   name "VOIP_VLAN"
   untagged A15-A16,B15-B16,D15
   tagged Trk1,Trk6,Trk8,Trk11-Trk17
   ip address 10.10.0.1 255.255.252.0
   exit
spanning-tree Trk11 admin-edge-port
spanning-tree Trk11 priority 4
spanning-tree Trk12 admin-edge-port
spanning-tree Trk12 priority 4
spanning-tree Trk13 admin-edge-port
spanning-tree Trk13 priority 4
no spanning-tree bpdu-throttle
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
```

############## ESXi Standard Virtual Switch ~ 6.5 ###########

```
Load balancing:            Route based on IP hash
Network failure detection: Link status only
Notify switches:           Yes
Failback:                  Yes
```

############## Aruba CX 8320 ~ 10.5 THIS DOESN'T WORK the host is unavailable until we pull the interfaces out of the LAG ###########

```
clock timezone us/eastern
ntp server 10.0.0.250
ntp server enable
ntp vrf mgmt
!
!
!
ssh server vrf mgmt
vlan 1
vlan 20
    name VMotion_VLAN
vlan 101
    name VOIP_VLAN
interface mgmt
    no shutdown
    ip static 10.0.0.194/22
    default-gateway 10.0.0.1
    nameserver 10.0.0.249 10.0.0.250
interface lag 110
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed 1,101
interface 1/1/10
    no shutdown
    lag 110
interface 1/1/20
    no shutdown
    lag 110
```

############## Aruba CX 8320 ~ 10.5 THIS WORKS ~ but vmware can't "see" the hash?? ###########

```
clock timezone us/eastern
ntp server 10.0.0.250
ntp server enable
ntp vrf mgmt
!
!
!
ssh server vrf mgmt
vlan 1
vlan 20
    name VMotion_VLAN
vlan 101
    name VOIP_VLAN
interface mgmt
    no shutdown
    ip static 10.0.0.194/22
    default-gateway 10.0.0.1
    nameserver 10.0.0.249 10.0.0.250
interface lag 110
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed 1,101
interface 1/1/10
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed 1, 101
interface 1/1/20
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed 1,101
!
!
https-server vrf mgmt
```

Thanks again



MTU size

Why was 1500 bytes chosen as a default? Same with Jumbo frames, why was ~9000 - 9200 bytes chosen? Where were these numbers derived?



Jumbo Frame MTU over LANX possible issues

Hi all!

So our business has two sites and over the years, jumbo frames (9000) have been enabled successfully at each site. End devices (PCs, servers, hypervisors, etc) are all sending large frames across the LAN and are working fine within that LAN.

However, recently we added a LANX in order to connect both sites to each other and allow hyperconverged systems to work more efficiently. Flat for a few VLANs, others are routed across using a specific VLAN for that purpose.

Problem is the metro ethernet doesn't support jumbo frames, and I'm starting to think some of the connectivity issues across sites we're experiencing are linked to this limitation. It seems to impact both flat and routed VLANs, afaik.

So from my understanding:

  • Large MTU frames are sent by the end device, when configured accordingly;
  • L2 devices will drop the frame if too large; no fragmentation here;
  • Fragmentation occurs at L3 only, requires router (or routed VLAN?);

So my question is: can it be configured for large frames to be fragmented before being sent over the LANX and how/where to do so, or are we in a pickle requiring we disable jumbo frames on our whole infrastructure, or at least all end devices?

Here is a brief topology of our setup:

End devices (9000MTU) <--> L3 switch (9000MTU system MTU) <--> LANX (1500MTU) <--> L3 Switch (9000 system MTU) <--> End devices (9000MTU) 

I hope the question isn't too trivial and thank you!
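To make the three bullets above concrete, here is an added Python model (not code from the post) of the posted topology: an IPv4 fragmenter plus a walk along the hops. It shows that the LANX drops 9000-byte frames silently, that an L3 switch only fragments when its own egress MTU for the routed VLAN is smaller than the packet, and that a DF-set packet is dropped with ICMP "fragmentation needed" instead. Hop names and the 1500-byte egress setting on the site A switch are assumptions.

```python
"""Constructed model of the posted topology: who may fragment a 9000-byte
IPv4 packet (a router, at L3, and only when its egress MTU is smaller) and
who just drops it (an L2 link handed an oversize frame). Added example, not
from the post; hop names and MTU values other than 9000/1500 are assumptions."""
from typing import List, Tuple

IHL = 20  # IPv4 header length without options, bytes

Fragment = Tuple[int, int, bool]  # (offset in 8-byte units, total length, more-fragments)
Hop = Tuple[str, str, int]        # (name, "l3" routes / "l2" bridges, MTU in bytes)


def ipv4_fragments(total_length: int, mtu: int, df: bool = False) -> List[Fragment]:
    """Fragment an IPv4 packet so each piece fits mtu.

    Returns one entry per fragment. An empty list means the packet had DF
    set and must be dropped, with ICMP 'fragmentation needed' (type 3,
    code 4) sent back to the source so PMTUD can lower its MSS."""
    if total_length <= mtu:
        return [(0, total_length, False)]
    if df:
        return []
    payload = total_length - IHL
    chunk = (mtu - IHL) // 8 * 8       # payload per fragment is a multiple of 8 bytes
    frags: List[Fragment] = []
    offset = 0
    while offset < payload:
        size = min(chunk, payload - offset)
        frags.append((offset // 8, IHL + size, offset + size < payload))
        offset += size
    return frags


def walk_path(packet_length: int, path: List[Hop], df: bool = False) -> dict:
    """Push one IPv4 packet along path; report what arrives and what was lost.
    Ethernet framing overhead is ignored, so every MTU here is the IP MTU."""
    in_flight = [packet_length]
    log: List[str] = []
    for name, kind, mtu in path:
        out: List[int] = []
        for length in in_flight:
            if kind == "l3":                       # a router may fragment or signal
                frags = ipv4_fragments(length, mtu, df)
                if not frags:
                    log.append(f"{name}: dropped {length}B, DF set, egress MTU {mtu}; ICMP 3/4 sent")
                elif len(frags) > 1:
                    log.append(f"{name}: fragmented {length}B into {len(frags)} for egress MTU {mtu}")
                out.extend(f[1] for f in frags)
            elif length <= mtu:                    # an L2 hop only forwards...
                out.append(length)
            else:                                  # ...or silently discards
                log.append(f"{name}: silently dropped {length}B frame, link MTU {mtu}, no L2 fragmentation")
        in_flight = out
    return {"delivered": in_flight, "log": log}


# Exactly the post's path: the L3 switches keep a 9000-byte egress MTU, so they
# never fragment and hand the full-size frame to the 1500-byte LANX.
POST_TOPOLOGY: List[Hop] = [
    ("site A L3 switch", "l3", 9000),
    ("LANX", "l2", 1500),
    ("site B L3 switch", "l3", 9000),
]

# Same path with the inter-site routed VLAN's interface on the site A switch set
# to 1500 (assumed change): the router now fragments before the LANX.
FIXED_TOPOLOGY: List[Hop] = [
    ("site A L3 switch", "l3", 1500),
    ("LANX", "l2", 1500),
    ("site B L3 switch", "l3", 9000),
]

# A VLAN stretched flat across the LANX: no router anywhere, so no fragmentation.
FLAT_TOPOLOGY: List[Hop] = [
    ("site A switch", "l2", 9000),
    ("LANX", "l2", 1500),
    ("site B switch", "l2", 9000),
]


if __name__ == "__main__":
    for label, topo in (("routed, as posted", POST_TOPOLOGY),
                        ("routed, egress 1500", FIXED_TOPOLOGY),
                        ("flat VLAN", FLAT_TOPOLOGY)):
        result = walk_path(9000, topo)
        print(f"{label}: delivered {result['delivered']}")
        for line in result["log"]:
            print("   ", line)
    print("DF set, egress 1500:", walk_path(9000, FIXED_TOPOLOGY, df=True)["log"])
```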



Suggestions on Switching Platforms

I am looking to either upgrade or replace about 6 Extreme switches (x440 non G2). I haven't had any issues caused by the platform. Curious to know what people's thoughts are on Extreme/Fortiswitch/Aruba/Ruckus.

All in all I'll be rolling out 10 or so switches spread across multiple campuses.



Future of ALTDB - xpost from /r/NOG

Greetings /r/networking ,

My company maintains some IRR records on ALTDB including our as-set. A few months back I noticed that the ALTDB query page started returning a 404 and has not since returned. I'm wondering if their days are numbered or if the maintainers just want to keep the service as simple as possible.

We've moved some of our records to RADb and are considering the ARIN IRR also since the web version was deployed last year, but I want to know if we're on the clock here.

Thanks for your time, all.

-Mike



Firepower 2110 question regarding what you get with licenses?

Hi, so we are in the middle of getting quotes for x2 2110 Firepowers to replace our single ASA 5525 and the 2 SRX 340's we have. The two different firewalls are used for different reasons (a strange network design, before my time with the company). Being a Cisco Gold Partner, the natural choice was Firepowers, and I've heard that since the latest 6.7 patch they're very stable now.

Anyway, I've worked on them before, more so in a junior position a couple of years back. I'm in more of a senior role now and in charge of getting all the correct licenses in place for them too. I essentially wanted the Web Filtering, the ability to select firewall rules using the different application options (application protocols, client applications and Web applications) and the Security Intelligence feed Cisco offer too.

At the moment the main licenses I've submitted and gotten quotes for are the:

Threat defence threat and URL licenses

This may be a bit of a noob question but knowing what Cisco are like with their licenses, I also think it's worth asking to be honest haha!

Thanks everyone for the help



Bird and BGP routing issue

Hello.

I am playing with bird and bgp. Actually I am using bird2. It works all fine.

On my router I announce 192.168.0.0/24 and use 192.168.0.1.

But if I traceroute from outside to my announced net (192.168.0.2), the hop before 192.168.0.2 is my router's external IP (10.0.0.1). I thought it should be the next-hop address for my BGP session, where I connect from 10.0.1.1. The best I can find is that this should be 192.168.0.1.

If I traceroute to 192.168.0.1, there is one hop less. After the outside LAN comes directly 192.168.0.1.

Do I have to configure it in bird, or is it a Linux config issue?

Thx pr0



Link between Firewall and Core Switches

We will soon be deploying some core switches.

When going upstream (towards outside) from the core L3 switches to a set of firewalls, I'm unsure if the links between the firewall and core switches should be routed or access ports?

We currently do not have any core L3 switches, and have been using the firewalls for routing purposes. The links between the firewalls and our current switches (L2) are access ports. Note that we are restricting external traffic to a unique VLAN (e.g. VLAN 10). In other words, VLAN 10 is the only VLAN that is subject to routing, so switchport access vlan 10 on the interfaces directly connected to the inside interfaces of the firewalls.



Bird2 and BGP address issue

Hello.

I am playing with bird and BGP. Actually I am using bird2. It works all fine. But if I traceroute from outside to my announced net, the hop before my net is the IP of my VM. I thought it should be my next-hop address, the IP of the device I connect to as neighbour.

Do I have to configure it in bird, or is it a Linux problem?



Slower download speed

So I had 600 mb/s download speed and now I only have 16mb/s. Why?



Q: Source for ceiling boxes?

Does anyone have a source for ceiling boxes to mount APs? They'd need to be for drywall and stud construction, preferably new-work and round like for light fixtures. And they'd need to have 1 or 2 keystone holes for a female twisted pair.

For comparison, here's one from HD without the keystone holes:

https://www.homedepot.com/p/Legrand-Pass-Seymour-Slater-New-Work-4-in-Plastic-Round-Ceiling-Box-with-Captive-Mounting-Nails-and-Auto-Clamps-S120RAC/304271017



DIA vs Broadband

I'm about to upgrade my WAN, which is currently built on 5 MPLS circuits. My vendor is recommending SD WAN with DIA (Dedicated Internet Access). I'm wondering if DIA is necessary or if broadband will suffice. Most of my satellite offices have up to 30 devices connecting. Half my traffic will be local (AD, file server, printing), the other traffic being hosted/cloud based software and your typical web traffic.

And I'm also considering just connecting these locations with VPN, versus SD-WAN.

Any thoughts would be appreciated.



Junos: How do I remove 1 filter from input-list?

```
set interfaces xe-0/0/1 unit 0 family inet filter input-list D-Fi
set interfaces xe-0/0/1 unit 0 family inet filter input-list S-Fi
```

or

```
family inet {
    filter {
        input-list [ D-Fi S-Fi ];
    }
}
```

I don't understand how I remove only S-Fi from this. If I do:

```
interfaces xe-0/0/1 unit 0 family inet filter input-list S-Fi
```

I get an error message.

```
'filter'
  Next term specified but no following term exists
```

I need to do

```
delete interfaces xe-0/0/1 unit 0 family inet filter
```

to remove it, but then both are removed, and I only want to remove S-Fi.

How do I do that?



Reboot Nexus vPC domain

I need to reboot a pair of Cisco Nexus 5000 in a vPC domain. What's the best practice to have minimum impact? If I reboot the primary, does the secondary one become primary without bringing down the vPC ports?



Attempt CCNP without CCNA

Hey guys,

I'm a sysadmin, but I've been working with networks for a while. I've configured lots of switches (Cisco) and firewalls (Fortinet & Palo Alto) and dealt with IPsec tunnels and wireless networks, so I think I should be able to skip CCNA. However, since all my experience is hands-on, I'm definitely missing some parts, so I'm here to figure out the best way to approach this.

I'm thinking of maybe subscribing to something like CBTnuggets and watching their CCNA stuff, then for the CCNP I'm gonna actually buy the books. What do you suggest?

Do you think it's possible to pull off CCNP without CCNA? And how would you approach it if you were me?



Navigating and Negotiating Small Business Service

Our business normally sees three to four simultaneous clients for several hours per day during peak times. Since the pandemic, this has caused all clients to be virtual video calls. We've always struggled with internet problems, but this really has disrupted the perceived quality of the business due to disconnections, troubleshooting network when file transfers fail, and poor video/audio quality.

Our current copper service from ATT should be a 25 mbps dedicated line to the office, but all our video qualities are bad. We spoke with Comcast about their fiber option, but they quoted twice the price for a 30 mbps line. Neither contract has any SLA for upload. Everywhere I look for guidance on how to navigate comparing these plans, I see nonsense marketing like this "comparison" which quotes inconsistent prices and unrelated "rankings" between ATT and Comcast, or this ridiculous "DSL" fact sheet that doesn't even make sense.

The ATT technician says they don't have a better line coming to our building. The comcast sales rep claims "his entire office of engineers and staff uses all their mobile devices simultaneously and never touches 100mbps" and refutes the ATT claim that our current service is a dedicated line without even visiting.

How do small business owners do it? We can't afford huge contracts, but we need better service. The service providers are all just trying to outsell each other with no valuable resources and bullshit SLAs that aren't even a priority for us. They insist on selling "managed" solutions that cost a fortune, but I certainly don't trust them to know what will actually work for us. Meanwhile, our home service is a consistent 900+ mbps symmetric connection for less than $60/month.

Apologies if this feels like a rant (it sort of is), but we really need a better service for our business and can't figure out how to get it without doubling our budget for some meaningless marketing "guarantees" about a managed solution. If anyone has insights or stories of how they set up their service, please share!



Thursday, March 11, 2021

Replacement of High Speed Ethernet (Fibre Optic) Cables

A question for those of you that have experience with data centers. How often are the fibre optic transceivers replaced (or upgraded) on the high speed (100 Gb/s+) links? I'm interested in information about all of the transceivers but particularly the ones with long runs, if it makes a difference. I'm a circuit designer that is interested in some market information, so sorry if I'm not exactly correct on terminology.



Anyone have experience with IKM network engineer assessments?

6 years in and looking to relocate. Have spent the last 3 doing Cisco network support along with general IT support. Thinking about switching from system analyst to network engineer and a recruiter wants me to take the IKM assessment. Does anyone have experience?



Is 5G network slicing analogous to a pseudowire in MPLS?

I'm reading that it's taking a slice of the RF bandwidth to provide customers with tailored services, in a nutshell, which just sounds like selling someone an ATM line, basically, over an IP network core.



Sophos Firewall Issue

I have a Sophos UTM 110/120 Firewall. This is my first time using a firewall, and I set it up from scratch with UTM 9.7 software. The installation completed and listed the Web-Interface for configuration at 192.168.0.1:4444. My modem is also at 192.168.0.1. When I try to open the page by plugging my computer directly into the LAN port, it fails to load properly, if it even connects at all. My modem is not plugged into the firewall to avoid conflict. Is there a way to change the IP address on the firewall through command line so that I can connect it to my modem without conflict and then configure it from there?



Another MTU question

The more I think I understand MTU, the more I wonder if I truly understand.

Simple problem I hope, but on a physical link between a router and a firewall with IPSec over the top (via Azure vNet) I have the following -

  1. Mismatched MTU between Physical interfaces 1460 and 1500
  2. Mismatched MTU between Tunnel interfaces 1500 & 1424

I have taken a packet capture and I see encrypted traffic, with the highest frame length of 1434.

Now, I have bad performance over this link, but I can't see the fragmentation in the packet capture. Is Wireshark putting them back together? Is mismatched MTU bad? I think so. I even see the tunnel MTU higher than the interface MTU, so this would also cause fragmentation?

Brad



SASE Advice

Considering migrating away from a multi-site MPLS to SASE via VeloCloud Edge + Prisma Access over Internet links.

Has anyone gone down this route, if so what's your feedback?

Meraki and Fortinet are possibilities but I'm liking the idea of DMPO and Palo's Security integration.



24 Port Layer 2 switch good to 60°C

I need a 24 port SFP switch with an additional SFP+ 10g uplink that is good to 60°C. Anyone know of a switch like that?



UDP Hole punching with ephemeral ports - Is it even possible?

Hello,

I am trying to establish a P2P connection for a P2P UDP networking engine using the STUN protocol.

Both peers are behind different non-symmetric NATs.

I am writing all of this in C# and I am using one socket on each peer to communicate to the server and to each other.

The principle is quite simple:
Peer A and peer B use rendezvous server S to share their public endpoints with each other, and once they receive the endpoint of the other peer they start sending datagrams to it, thus punching a hole into their NATs.
See https://tools.ietf.org/html/rfc5128#section-3.3 for a more detailed description.

My problem:
While peer A was sending datagrams to server S the public port may have been 7435, but when he sends data to client B the port changes to some other random number.
Now, client B is expecting client A's port to be 7435, but since that is not the port that A is using to connect to B, the NAT is not letting A's connection attempts through.

I have two solutions but i don't know if they are feasible:

Solution 1:
I need to make the public port for communication static so that the public port doesn't change whether I am sending data to the server or a peer. Can I make ports static?
How would I even bind a socket to a public port? Seems like the socket gets a different ephemeral port assigned every time it initiates a session with an endpoint. HOW DO I STOP THIS FROM HAPPENING??

Solution 2:
I somehow have to get the new public port from peer A when he sends data to peer B so I can send this information to peer B and establish a connection.

Any help would be greatly appreciated, I have been banging my head against the wall for a couple of days now.
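As an added illustration (not code from the post), a small Python model of the RFC 5128 §3.3 exchange with a toy NAT whose mapping behaviour can be endpoint-independent (RFC 4787) or change per destination. It shows that the port change described above is what a per-destination (RFC 3489 "symmetric") mapping does, that reusing one bound socket (solution 1) only suffices when the NATs map endpoint-independently, and when learning the peer's actual source port (solution 2) still rescues the punch. All addresses and ports are constructed.

```python
"""Toy model of the RFC 5128 §3.3 UDP hole punch described in the post.
Constructed example: no sockets, no real addresses; a ToyNat keeps only the
mapping and filtering state a real NAT would."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Endpoint = Tuple[str, int]

# Constructed addresses. Each peer uses ONE bound socket for S and for the other peer.
SERVER: Endpoint = ("203.0.113.10", 3478)   # rendezvous server S
PEER_A: Endpoint = ("10.0.0.2", 5000)       # A's internal socket, behind nat_a
PEER_B: Endpoint = ("192.168.1.2", 5000)    # B's internal socket, behind nat_b


@dataclass
class ToyNat:
    """Port-translating NAT.
    endpoint_independent=True : one public port per internal socket, whatever the
        destination (RFC 4787 endpoint-independent mapping, what STUN-style punching assumes).
    endpoint_independent=False: a fresh public port for every new destination, the
        'port changes when A talks to B' symptom in the post.
    filter_by_port=True: inbound allowed only from (addr, port) pairs this socket sent
        to; False: from any port of such an address."""
    public_ip: str
    endpoint_independent: bool
    filter_by_port: bool = True
    next_port: int = 40000
    _mappings: Dict[tuple, int] = field(default_factory=dict)
    _allowed: Dict[int, Set[Endpoint]] = field(default_factory=dict)

    def send(self, internal: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outbound datagram; returns the public source endpoint used."""
        key = internal if self.endpoint_independent else (internal, dst)
        if key not in self._mappings:
            self._mappings[key] = self.next_port
            self.next_port += 1
        port = self._mappings[key]
        self._allowed.setdefault(port, set()).add(dst)  # remember who we spoke to
        return (self.public_ip, port)

    def receive(self, dst_port: int, src: Endpoint) -> bool:
        """True if an inbound datagram from src to our public dst_port is passed inside."""
        allowed = self._allowed.get(dst_port, set())
        if self.filter_by_port:
            return src in allowed
        return any(ep[0] == src[0] for ep in allowed)


def hole_punch(nat_a: ToyNat, nat_b: ToyNat) -> dict:
    """Run the exchange and report which direction gets through."""
    # 1. Both peers register with S, which records the reflexive endpoint it sees.
    a_seen_by_s = nat_a.send(PEER_A, SERVER)
    b_seen_by_s = nat_b.send(PEER_B, SERVER)
    # 2. S hands each peer the other's reflexive endpoint; both start sending to it.
    a_src_to_b = nat_a.send(PEER_A, b_seen_by_s)   # A's *actual* public port toward B
    b_src_to_a = nat_b.send(PEER_B, a_seen_by_s)
    # 3. Each NAT decides whether the peer's datagram may come in.
    a_to_b = nat_b.receive(b_seen_by_s[1], a_src_to_b)
    b_to_a = nat_a.receive(a_seen_by_s[1], b_src_to_a)
    # 4. The post's 'solution 2': a peer that did receive something learns the
    #    sender's real source port from the datagram and replies to that port.
    if a_to_b and not b_to_a:
        b_retry = nat_b.send(PEER_B, a_src_to_b)
        b_to_a = nat_a.receive(a_src_to_b[1], b_retry)
    elif b_to_a and not a_to_b:
        a_retry = nat_a.send(PEER_A, b_src_to_a)
        a_to_b = nat_b.receive(b_src_to_a[1], a_retry)
    return {
        "a_port_seen_by_server": a_seen_by_s[1],
        "a_port_used_toward_b": a_src_to_b[1],
        "a_to_b": a_to_b,
        "b_to_a": b_to_a,
    }


def scenarios() -> Dict[str, dict]:
    """The three cases worth knowing before choosing between the post's two solutions."""
    return {
        # Both NATs map endpoint-independently: one socket == one public port, punch works.
        "both_eim": hole_punch(ToyNat("198.51.100.1", True), ToyNat("198.51.100.2", True)),
        # Both change the port per destination (RFC 3489 'symmetric'): neither side's
        # learned port is valid, and nothing is received that would reveal the real one.
        "both_per_destination": hole_punch(ToyNat("198.51.100.1", False),
                                           ToyNat("198.51.100.2", False)),
        # A changes ports, B maps endpoint-independently and filters by address only:
        # B sees A's real port in the first datagram and replies to it, so it succeeds.
        "a_per_destination_b_eim": hole_punch(ToyNat("198.51.100.1", False),
                                              ToyNat("198.51.100.2", True, filter_by_port=False)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26s} {result}")
```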



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Wi-Fi 6/802.11ax USB adapters?

I have use cases where I need to add 802.11ax/Wi-Fi 6 to desktop computers, and in many cases PCIe cards are a great choice. But sometimes USB is the only option, and I've yet to find any 802.11ax adapters that connect via USB. Do any of these exist yet?



Multicast Traffic TTL 1

I have a phone system (Zultys) that uses multicast traffic for paging groups of phones. I have some phones at remote locations that they want to receive the same pages as the main location. The layer 2 network was stretched to accommodate this when it was set up in previous years.

Examining the traffic it sends the multicast out with a TTL of 1 so I can't route it.

I have Aruba 5400 Zl2 switches that handle the routing. I verified that I am able to route other multicast traffic with a higher TTL with no problems.

I spoke with the phone vendor and they don't have a way to change the TTL. It appears that I can explore using a CyberData SIP Paging Server with the phone system.

Does anyone have a product or method they suggest or use to deal with scenarios such as this?

Thank you for any help. Getting a paging server wouldn't be the worst thing ever; I just didn't know if anyone had any suggestions on how to approach this that were different than something that specific.



BGP issues/concerns/thoughts/Hi I'm New and I don't understand why.

Okay, back in the day of T1, I could run circles around this stuff, but alas, I'm getting older and less sharp.

I'm trying to figure out why my router isn't preferring a route that I'm directly peering with.

```
BGP routing table entry for 216.58.192.0/22
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  33387 32097 6939 15169
    204.12.204.65 from 204.12.204.65 (172.16.4.125)
      Origin IGP, valid, external, best (First path received)
      Last update: Thu Mar 11 02:14:00 2021
```

I've got direct peering with HE.....

```
Neighbor          V  AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd  PfxSnt
206.51.7.5        4  6939   28121    321      0       0    0     05:16:14  120743        0
206.83.12.5       4  6939   43787    954      0       0    0     15:51:16  120745        1
206.83.136.5      4  6939   43932    954      0       0    0     15:51:16  120749        1
204.12.204.65     4  33387  244742   955      0       0    0     15:51:16  785454        1
206.51.7.126      4  40542  437      23       0       0    0     00:20:25  2668          0
206.83.12.254     4  46389  27582    952      0       0    0     15:49:48  85595         1
206.83.136.254    4  35920  30298    953      0       0    0     15:49:48  85402         1
2001:504:1b:1::5  4  6939   68366    6152     0       0    0     00:12:01  NoNeg
```

What am I missing here?

Thanks!



Inconsistent MAC address table in VLAN 1

I'm labbing and I see something that I do not understand. Tried to Google this but the question is hard to describe. I have three Cisco 3560CX's, all running the same software. S1 and S2 each have 12 ports, S3 has 8 ports.

```
S1#show version
Cisco IOS Software, C3560CX Software (C3560CX-UNIVERSALK9-M), Version 15.2(7)E3, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Sun 06-Sep-20 15:15 by prod_rel_team

ROM: Bootstrap program is C3560CX boot loader
BOOTLDR: C3560CX Boot Loader (C3560CX-HBOOT-M) Version 15.2(6r)E, RELEASE SOFTWARE (fc1)

S1 uptime is 6 hours, 13 minutes
System returned to ROM by power-on
System restarted at 09:58:29 UTC Thu Mar 11 2021
System image file is "flash:/c3560cx-universalk9-mz.152-7.E3/c3560cx-universalk9-mz.152-7.E3.bin"
Last reload reason: power-on

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: ipservices
License Type: Permanent Right-To-Use
Next reload license Level: ipservices

cisco WS-C3560CX-12PC-S (APM86XXX) processor (revision C0) with 524288K bytes of memory.
Processor board ID FOT1941Z0LD
Last reset from power-on
3 Virtual Ethernet interfaces
16 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 9C:57:AD:A2:98:80
Motherboard assembly number     : 73-16468-04
Power supply part number        : 341-0675-02
Motherboard serial number       : FOC194122P7
Power supply serial number      : LIT193819HB
Model revision number           : C0
Motherboard revision number     : A0
Model number                    : WS-C3560CX-12PC-S
System serial number            : FOT1941Z0LD
Top Assembly Part Number        : 68-5361-01
Top Assembly Revision Number    : C0
Version ID                      : V01
CLEI Code Number                : CMM1300DRA
Hardware Board Revision Number  : 0x02


Switch Ports Model              SW Version        SW Image
------ ----- -----              ----------        ----------
*    1 16    WS-C3560CX-12PC-S  15.2(7)E3         C3560CX-UNIVERSALK9-M


Configuration register is 0xF
```

None of the three switches have an active port in VLAN 1. All are running RSTP.

```
S1#show spanning-tree vlan 1

Spanning tree instance(s) for vlan 1 does not exist.

S1#show vlan br

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/6, Gi0/7, Gi0/8, Gi0/13, Gi0/14, Gi0/16
12   WORKSTATIONS                     active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
14   VOIP                             active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
16   MGMT                             active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
```

```
S2#show spanning-tree vlan 1

Spanning tree instance(s) for vlan 1 does not exist.

S2#show vlan br

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/13, Gi0/14, Gi0/15, Gi0/16
12   WORKSTATIONS                     active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
14   VOIP                             active
16   MGMT                             active
999  UNUSED                           act/lshut Gi0/5, Gi0/6, Gi0/7, Gi0/8
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
```

```
S3#show spanning-tree vlan 1

Spanning tree instance(s) for vlan 1 does not exist.

S3#show vlan br

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/5, Gi0/6, Gi0/9, Gi0/10, Gi0/12
12   VLAN0012                         active
16   MGMT                             active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
```

So here's the question: why do S1 and S3 show MAC addresses, but S2 does not?

```
S1#show mac address-table vlan 1
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0ccd.cddc    STATIC      CPU
 All    0180.c200.0000    STATIC      CPU
 All    0180.c200.0001    STATIC      CPU
 All    0180.c200.0002    STATIC      CPU
 All    0180.c200.0003    STATIC      CPU
 All    0180.c200.0004    STATIC      CPU
 All    0180.c200.0005    STATIC      CPU
 All    0180.c200.0006    STATIC      CPU
 All    0180.c200.0007    STATIC      CPU
 All    0180.c200.0008    STATIC      CPU
 All    0180.c200.0009    STATIC      CPU
 All    0180.c200.000a    STATIC      CPU
 All    0180.c200.000b    STATIC      CPU
 All    0180.c200.000c    STATIC      CPU
 All    0180.c200.000d    STATIC      CPU
 All    0180.c200.000e    STATIC      CPU
 All    0180.c200.000f    STATIC      CPU
 All    0180.c200.0010    STATIC      CPU
 All    ffff.ffff.ffff    STATIC      CPU
Total Mac Addresses for this criterion: 21
```

This is what I would expect to see. Same story for S3:

```
S3#show mac address-table vlan 1
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0ccd.cddc    STATIC      CPU
 All    0180.c200.0000    STATIC      CPU
 All    0180.c200.0001    STATIC      CPU
 All    0180.c200.0002    STATIC      CPU
 All    0180.c200.0003    STATIC      CPU
 All    0180.c200.0004    STATIC      CPU
 All    0180.c200.0005    STATIC      CPU
 All    0180.c200.0006    STATIC      CPU
 All    0180.c200.0007    STATIC      CPU
 All    0180.c200.0008    STATIC      CPU
 All    0180.c200.0009    STATIC      CPU
 All    0180.c200.000a    STATIC      CPU
 All    0180.c200.000b    STATIC      CPU
 All    0180.c200.000c    STATIC      CPU
 All    0180.c200.000d    STATIC      CPU
 All    0180.c200.000e    STATIC      CPU
 All    0180.c200.000f    STATIC      CPU
 All    0180.c200.0010    STATIC      CPU
 All    ffff.ffff.ffff    STATIC      CPU
Total Mac Addresses for this criterion: 21
```

But something completely different on S2:

```
S2#show mac address-table vlan 1
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
```

What is going on here?



Weird issues on VM's after vLAN move

So we just re-did our VLAN 1, and moved all the hosts and SVI to vlan 100 for reasons of doing disjointed networks off our FI's in our UCS.

Everything went well, but now some random VMs (2 out of a few thousand so far) are experiencing issues where they can't ping out of their subnet. They can't ping the gateway of the VLAN. All other VMs within the VLAN can communicate fine.

So immediately I'm like, okay, subnet/gateway issues. The VM in question just cannot ping the gateway, 10.1.1.1, but it can ping all other VMs in the subnet just fine. From the Nexus 9k I can ping the VM from the SVI of the same VLAN, but not from outside of it. Cleared the IP ARP and MAC entries of the VM, nothing.

The weird thing is that when we remove the NIC on the VM and add a new one (giving it a new MAC), the issue resolves.

When I do a show arp on Nexus 2, I do see some IPs have the * flag, which is "Adjacencies learnt on non-active FHRP router." BUT I see that * on some other IPs in other networks that don't seem to have any issues.



How useful is a network engineer in the cloud?

So I've been studying some cloud things, Azure being the first. The content seems to be very heavily leaning towards sys admin kind of tasks. I understand there's some items like VPN, load balancing, Express Route setup, those sort of networking style things, but where does a traditional network guy find his niche in the cloud? I don't think AWS or Azure are going to use OSPF or BGP in them. If a company were to cycle everything up to the cloud, would there even be a need for a team of net engineers? Those of you that have seen that change in your organization, do you feel left out of the loop? What's your new day to day look like?



[Help] External Antenna for lte router

Hi all, and sorry if this is the wrong subreddit; it's what Google suggested for LTE networks. If it is wrong, I'd kindly ask a mod to move it where it belongs. So I have a Huawei B618s-22d router provided by TIM. It was working kind of acceptably, but for two weeks now it has been full of spikes. 40ms-60ms (depending on the weather) was its normal; now it has the same but it spikes all the time to 100, 200, 300ms, and it's unplayable. I have noticed that it has a very low SINR (sadly I don't remember how it was before, but for sure not much better). From what I have read (since I'm not an expert in LTE things), it will be better with an external antenna. I need your lights on picking one up. I have to withstand this internet for 2 months, more or less, so I don't need a super duper antenna. From the things I have read, I think I need a point-something antenna and not a generic external antenna, sorry if I'm wrong. I need your lights on a make and model. TIM is providing one for 99 euros with installation from their Bob The Builder, which I have 0 idea whether it is good or not, or if it will help me with my problem. I've been trying to contact them for 3 days now and they keep hanging up the phone on me. Please help :)



Network Monitoring with Google Maps Overlay

We have a network that spans a couple of towns and cities. As we install more fiber and wireless links we find it beneficial to see how everything is linked together. We are looking for a network monitoring solution that:

  1. Uses Google Maps as the base map. We find satellite and street view very beneficial.
  2. Lets you place network devices on the map with GPS coordinates.
  3. Shows the real-time status of the device on the map.
  4. Shows the links between the devices. Some towers and network devices have multiple links to/from them. It would be great if it showed how much traffic was flowing over that link, or the link status.


GenieATM Ballpark Pricing?

Anyone here have experience with Genie Networks GenieATM product? We are trying to quickly figure out what the ballpark pricing would be without going through a prolonged sales dance only to find out it's not feasible whatsoever. Have been searching and searching and very little info is available about them online. Trying to architect some off ramp DDoS scrubbing and everything really adds up. Fastnetmon is transparent on their pricing and quite affordable, but requires more work on our part for integration. Have to assume GenieATM is significantly more but a factor of 3x or 25x seems to be in play for NPMD. Quite a spread...



strong travel router that supports 20 devices

Hello, looking for a strong router that can be powered off a power bank and can support at least 20 devices wirelessly without too much speed loss.



For some reason my cellular network ISP doesn't throttle access to Open DNS after exhausting their daily usage cap.

My provider provides a limit of 2GB/day. The speed gets unbearably slow after exhausting the data cap. The weird part is that after running out of the daily cap there is a substantial difference in the ping delays to every domain except Open DNS 1.1.1.1 and the default gateway of the provider.

Did they just forget to pull the switch on Open DNS, or is it something else?



Cisco IP phone not registering

Hello,

Some of the Cisco IP phones are not getting registered to the Cisco Call Manager.

I cleared the MAC address on the port where this phone is connected, reset the port, and checked the VLAN where the phone is getting connected. Also, I can see that it is getting an IP address from the DHCP lease.

I tried everything but nothing is working; any suggestions that may help, please.



SD-WAN positioning in the topology

To cut costs we are moving away from MPLS and looking at SD-WAN solutions with redundant circuits. We have tentatively settled on Viptela vEdge. We have several remote sites, and each site has an NGFW connected to the ISP with an MPLS and an Internet circuit. Later, another internet link will replace MPLS.

The question is where we put the vEdge in the topology. I feel more secure when the traffic is inspected by the firewall.

Any advice/feedback is appreciated.



Management Information Systems degree

I'm a freshman in college interested in going into networking. My college has a MIS program in the business school which is like a mix of business and technology. Is it a good idea to pursue an MIS degree and also what certifications should I aim for? Thanks in advance



Wednesday, March 10, 2021

K02566623: Overview of F5 critical vulnerabilities (March 2021)

F5 has released a security advisory to address RCE vulnerabilities in BIG-IP and BIG-IQ: CVE-2021-22986, CVE-2021-22987.

https://support.f5.com/csp/article/K02566623



How do packets know where to go when traveling between intermediate nodes? Is the destination address updated at each intermediate node? Does the application layer need the other 3 layers when setting up communication with the other application layer? Is my understanding wrong?

My understanding is that every layer needs only concern itself with its corresponding layer. For example, when the receiving end host receives the packet, the packet is encapsulated. The transport layer encapsulates the application layer, the network layer encapsulates the transport layer, and the link layer encapsulates the network layer. This data is sent, called the PDU (Protocol Data Unit), and is received by intermediate nodes. The nodes do not know where the packet is going, but each packet has an IP address, a destination address, and a source address to which the intermediate nodes send the data. Eventually, the end host receives the packet. When the packet is received by the end host, the packet moves through the 4 layers, from link layer to application layer, being de-encapsulated one layer at a time. During this de-encapsulation process, each layer is only concerning itself with data from its associated layer, e.g., the receiving transport layer is dealing only with the sending transport layer, hence the term peer-to-peer process. Correct me if my understanding is wrong.

My questions are: When the data is going through these intermediate nodes, is the destination address the receiving end system, or is it the intermediate node at the next hop? When the application layer is setting up communication, does it need the network layer, the transport layer, and the link layer to set up the communication?



Is it possible to reinstate a TCP after FIN_WAIT_2?

Here's an example: a client sends a FIN packet stating that it wants to close a TCP Connection. It continues receiving messages until the server sends a FIN packet, but due to some client logic, it must resume sending data. Now, can the client "take back" its FIN packet later and resume sending data?



IP Address Bans and Dynamic IP Addresses

Quick question. I am looking to start a community website and I want to learn about policing methods. How can someone IP address ban someone when most IP addresses nowadays are dynamic? I have seen some forums use those to great effect. I doubt that at the drop of an internet connection and the assignment of a new temporary IP address, that things drastically change on the part of the ban itself. In fact, I've heard the opposite. That they still remain in effect.

How can an IP address ban withstand dynamic IP switching?



Help with trunk port between ASR 920 and Cat9k5

I'm having a bit of trouble on this one for some reason. Both devices are running 16.9.3. I'll eventually need to add two more VLANs for this as part of a rehoming project.

Cat9k5

```
int Te1/0/1
 switchport trunk allow vlan 999
 switchport mode trunk
int vlan 999
 ip address 123.123.123.3 255.255.255.248
```

ASR920

```
int Te0/0/1
 service instance 999 ethernet
  encapsulation dot1q 999
  rewrite ingress tag pop 1 symmetric
  bridge-domain 999
!
int BDI999
 ip address 123.123.123.1 255.255.255.248
```

I can see a mac from the ASR920 on the Cat9k5, but I can't see a mac on the ASR920, and obviously traffic is unidirectional.

```
#show ethernet service instance id 999 interface te0/0/1 mac dynamic address
Bridge-domain 999
MAC Address

#show ethernet service instance id 999 interface te0/0/1 detail
Service Instance ID: 999
Service Instance Type: Static
Associated Interface: TenGigabitEthernet0/0/1
Associated EVC:
L2protocol drop
CE-Vlans:
Encapsulation: dot1q 999 vlan protocol type 0x8100
Rewrite: ingress tag pop 1 symmetric
Interface Dot1q Tunnel Ethertype: 0x8100
State: Up
EFP Statistics:
   Pkts In   Bytes In   Pkts Out  Bytes Out
         0          0        831      56508
EFP Microblocks:
****************
Microblock type: Bridge-domain
Bridge-domain: 999
Microblock type: L2Mcast
L2 Multicast GID: 1
Microblock type: dhcp_snoop
L2 Multicast GID: 1
Microblock type: PPPoE IA UBLOCK
PPPoE IA info
Enable: 0
Format Type: 0
cricuit id:
remote id:
```


wireless clients not receiving multicast traffic

I have a Cisco 3504 WLC with 2802 APs. My switch is an Aruba 2930

Wired devices connected to the switch are getting multicast traffic. As soon as I change the device from wired to wireless, it stops receiving multicast traffic.

"Enable Multicast Mode" and "IGMP Snooping" are enabled on the WLC.

The multicast sender is attached to VLAN 200 on my Aruba switch. The wireless client is associated to an SSID that is tagged to VLAN 200.

Any ideas what could be causing this?

It seems I am missing a setting that allows multicast traffic on the switch vlan to be forwarded to the 'air'

Thanks



BGP Advertisement tool

Anyone know of some sort of tool/simulator to help with putting together route maps etc for BGP Advertisements?

I have 4 upstream providers coming into 3 edge routers in 2 geographically separated locations, some of which do not have any BGP community support, so I can't tweak local preferences on their end at all, so path prepending does not get me where I need to be to load balance incoming traffic.

This mostly leaves me with route specificity as my knob to tweak traffic, both for balancing and to get traffic to come in at the edge router closest to its destination and keep as much as possible out of my core.

While I am pretty good with BGP, it's not something that I do all day, and I hate playing with live traffic when it doesn't always do what I want it to.



DYN being DDoS'ed again?

All of our DNS resolution went offline, down detector is showing DYN and most sites backed by DYN as offline currently.



Cisco Switch 100% CPU. Any way other than a reload?

I was checking on our config archive and issued "show archive" on a 4948 running 12.2(53)SG1 (it has been up for 10+ years; if it ain't broke...). Apparently there was a disconnect from the archive storage location, and instead of listing the recent config archive filenames, it started regurgitating connection issues in an endless loop which I was unable to kill via the session. The line shows idle and is far past its timeout period, but due to the stuck process it isn't clearing itself. clear line, clear tcp tcb, etc. all have no effect. Clear socket doesn't exist in this code base.

Is there any way to kill the following PID w/o having to reload the device?

```
show processes cpu sorted 5min
CPU utilization for five seconds: 99%/0%; one minute: 99%; five minutes: 99%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 202     4582100    250984      18256 86.38% 85.99% 86.24%   1 Virtual Exec
```

Thanks in advance.



ACI multipod and separate L3Out per pod

In my ACI multipod environment, we have L3Outs for each VRF replicated in each pod. Recently I noticed that external traffic which I expected to ingress in one data center would instead traverse the L3 WAN and ingress in another data center. I didn't really pay much attention to this until I was configuring more L3Outs for a new VRF.

I configured it on one pod (POD2 - the same dc that ingress had bypassed previously) and noticed that my EPG/BD prefixes weren't being properly advertised to the external wan. I could see them being advertised across the L3 interface, but on my MPLS node and throughout the wide WAN the prefix was nowhere to be found in the routing table. Now the host using the EPG exists only in POD1. When checking the VRF routing table for leaf switches in POD1, I can see the prefix. In POD2, the prefix does not appear in the routing table. Is this by design? Is this a misconfiguration on my part? Is there something I can do to allow this EPG that is technically only hosted in POD1 to be accessible via ingress into POD2?



Packet Capture appliance

All, I was wondering if anyone can point me in the right direction, I'm looking for an appliance whose sole responsibility is capturing packets 24/7/365. Is there such an appliance or would I just need to stand-up a server and throw Wireshark on it?

What do I need to look for in one? For the appliance I know plenty of HD space, multiple NICs? Is Wireshark the best solution for 'always-on capture', or is there another software manufacturer? Thanks for being gentle...



Selfhosted site visible from the world but not from site's network

By public IP or site domain I get this error:

This page isn’t working

XXXXXX didn’t send any data.

ERR_EMPTY_RESPONSE

From the world it works.

I get it from every device on my network.

localhost works.

Any tips??? I cleaned everything: certs, caches, browsers, cookies, flushed DNS. In fact, if it happens on every network device, then there are two culprits:

- configuration files for XAMPP

or

- my network

Probably the only thing I can do network-wise is resetting the router, but IDK, would it help? (I turned it off and on already.) As far as I know, reset only resets router settings on the router's local page, but who knows.

As for XAMPP settings, they're pretty much default.



LPT: Wanna have EVE-NG PRO for free? Use PNETLab instead.

Hello guys,

I see many people who recommend EVE-NG for labbing, and I've been one of those people as well. I stumbled upon PNETLab accidentally on the CCNP subreddit and found out that someone forked the Community Edition lol.

So not only do you have all of the PRO features available, but you can also download labs which contain instructions and images, so you just open a lab within the GUI and that is it! Very handy!

I hope it helps someone.

Cheers.



Need help to connect laptop to Cisco UCS to do security scans

I am trying to connect a laptop to a trunk port in VLAN 30 on a Cisco UCS 6248UP; the 6248 is trunked down on VLAN 30 (30.x.x.x network) to a UCS 5108. Also, this trunk link is described as using "vNIC eth 1". On the 5108, a few VMs exist in the 30.X.X.X network that need to be ACAS scanned. I cannot scan these devices or even ping them for that matter, presumably because they are in an internal network via the vNIC? I am in a new environment and learning, so anyone who can educate me on the relationship between a vNIC and NIC address would be greatly appreciated! The way I understand it is that a NIC address is one that would exist on a workstation or server physically, while a vNIC is a software-based NIC that can be added/modified on the server as needed per requirements. Asking questions to get more information would be extremely helpful to me. Also, if you can ping an address relating to a loopback, int vlan, interface, or NIC... how do you go about pinging the vNIC or seeing the vNIC talking to the rest of the server itself? I could be thinking about it wrong, or asking the wrong questions. Thanks for your help!

Here is the connection:

Cisco UCS 5108 (Where VM's are housed in the 30 network in VLAN 30)>>>Cisco UCS 6248UP (Port 8 trunk w/ VLAN 30)>>>>Laptop



Port forward between two interfaces

I have the following setup

1 x HP server as a Default gateway running Zentyal

1 x vXrail Running Vcenter

In the HP server eth0 is connected to the vCenter server

Eth1 is connected to the company’s network.

I am able to SSH to the HP server within the company’s network.

So, my basic network configuration is done.

However, I would need to access vCenter. How do I port forward between two interfaces?

For an example:

HP server External IP : x.x.x.x

vCenter IP: y.y.y.y

I would need to access vCenter by connecting to my company's network and browsing to x.x.x.x:8080.

Can someone kindly advise? My apologies if this is a silly question.



CAT 6 in Warehouse Question

Need to extend the office network out onto the warehouse floor (planning on installing mesh routers so WiFi is available). The warehouse has electrical motors and a few forklifts and consists of 3 100' by 160' metal buildings. The longest needed Cat 6 run will be nearly 100 meters and will be installed following the inside roof rafters. Was wondering if Cat 6 cable should be run inside conduit (or Panduit) versus just running it without conduit along the steel rafter girders. Dust is really the only environmental issue to be concerned about. Thanks.



Setting outbound rules on AWS server?

I was asked to whitelist a few IP addresses and set the outbound rules on AWS. I am wondering how do we do the latter? I've whitelisted a few ip, and now to set the outbound rules on AWS, how do you do that? I am thinking you need to take the EC2 instances where the web servers are hosted and set a few rules, but I am not sure how to do this.



dACL on Firepower

The goal: Get a user to use a specific separate ACL when connecting on AnyConnect (so as to avoid the configured access-policy on the FTD, as this user needs special access). Method attempted: dynamic ACL created on ISE and pushed to the 2130 to be applied as a VPN filter for that particular user.

As such I'm trying to test downloadable ACLs, so that a specific user can have a completely different access-list applied to them when they log in to our AnyConnect VPN (i.e. the goal was to try and make the Firepower box ignore the configured access-policy, and instead use the downloaded ACL as a VPN filter).

What happened: When creating and applying a dACL on ISE, and pushing that RADIUS attribute to the FTD for that user, the firewall definitely is applying that ACL as a VPN filter (in #show vpn-sessiondb detail anyconnect I see the ACL applied in the "Filter Name" field); additionally I see hit counts on that downloaded ACL via #sh access-list. However, it seems that the user is still subject to further processing, whereby the 2130's regular access-policy is then checked as the traffic comes into the firewall.

The order of operations seems to be:

  • Check vpn filter for access-control
  • If traffic is permitted in this vpn filter ACL, then check the access-policy on the 2130
  • If you get a permit in both statements above, then allow the traffic

This is totally not what I wanted. I want a specific ACL that overrides the interface ACL, OR applies an ACL AFTER the processing of the original Firepower device/interface ACL. How do I achieve that?

Please no replies regarding ASA code, as the config options are completely different. Also note: I'm testing on FTD code 6.6.1.



Has Cisco given up on being competitive in the firewall market?

Installing ASDM launcher in Windows required me to read something in a forum. Don’t they have staff for this? Give me a break.



Dell EMC N1548P adding to existing stack question

Hi all,

I know normally, on a new stack, you configure the switches to operate in stack mode, power them off, connect the cables, turn them on in order (master first).

What I don't know is - if I have an existing stack with two switches and I need to add a third, do I need to power off the current stack switches then power them all on in the order needed or can I leave the two existing ones on, shift the cables around (and add new cables) to include the new third switch then power on the third switch? I don't deal with stacking all that often so I want to make sure I'm doing it right before I add in the switch.



SFP Speed mismatch

Can you use a 2gb SFP in a port that is 1gb? I have a 1gb SFP that I need to replace on a switch and I have a lot of 2gb SFPs in stock, but did not want to cause more trouble if it is a no no.



New Windows Server Network Infrastructure resources

Orin Thomas has published new Windows Server Network Infrastructure resources on Microsoft Learn detailing how to implement and manage networking services in Windows Server 2019. Resources include details on deploying and managing DHCP and secure DNS, and implementing IP Address Management (IPAM) and Web Application Proxy. The team and I are looking for feedback. Let us know if anything else needs to be added or changed.



Adding WiFi 6 APs to existing WiFi 5 deployment

We are looking to improve coverage by supplementing the existing AP provision with some new WiFi 6 APs. Would they work OK with the existing WiFi 5 APs, or should we add WiFi 5 APs instead?



How can I set up NAT rules to allow LXC containers to access the internet?

So, we want to create a virtual network of LXC containers at my job; for one reason or another they want to simulate what it would be like to have a bunch of different servers up and running. They want us to learn how to do this manually. Thus far I've set up an unmanaged NAT bridge (LXC allows you to create managed ones, but this wasn't allowed) and assigned it an IP. I've also created a container and assigned an IP to it as well.

Basically I used netplan with this config to create my bridge:

```yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    <your interface>:
      dhcp4: yes
  bridges:
    vbr0:
      addresses:
        - xx.xx.xx.xx/24
```

The bridge works and I intend to use a /24 subnet to assign IPs to the containers. Nonetheless, they're unreachable to the internet and I'm not sure how I should go about manipulating my NAT iptables to make my bridge and containers accessible to the internet.
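One way to finish the setup described above, as an added example that is not part of the original post: masquerade the container subnet out of the host's uplink and allow only container-originated traffic (plus its replies) through FORWARD, so the host does not silently become an open router into the containers. The bridge name comes from the post; the subnet and uplink interface are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): iptables NAT for containers
# behind the unmanaged bridge from the netplan snippet.
# Constructed placeholders, adjust to your host:
BRIDGE=vbr0          # bridge from the netplan config
NET=10.0.3.0/24      # the container /24 (the post's xx.xx.xx.xx/24)
UPLINK=eth0          # the host's internet-facing interface (<your interface>)

# Emit the rule set as text so it can be reviewed (and tested) before it
# touches the host. The FORWARD rules matter even when the chain policy is
# ACCEPT: they stop unsolicited inbound traffic from reaching the containers.
nat_rules() {
  bridge=$1; net=$2; uplink=$3
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $net ! -d $net -o $uplink -j MASQUERADE
iptables -A FORWARD -i $bridge -o $uplink -s $net -j ACCEPT
iptables -A FORWARD -i $uplink -o $bridge -d $net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $uplink -o $bridge -j DROP
EOF
}

# `sh thisfile.sh --apply` (as root) applies the rules; anything else prints them.
if [ "$1" = "--apply" ]; then
  nat_rules "$BRIDGE" "$NET" "$UPLINK" | sh
else
  nat_rules "$BRIDGE" "$NET" "$UPLINK"
fi
```

Rules added this way are not persistent; use iptables-save/iptables-restore or your distribution's persistence package to keep them across reboots.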



Clearing DF Bit on Cisco ASA VPN for a single tunnel

I'm trying to clear the DF bit for a single tunnel on my Cisco ASA firewall.

I tried "crypto map map 1 set df-bit clear-df", but the partner says the decapsulated packets are still arriving with DF bit set.

Does anyone have any experience with that? Does the IKE version matter for this?

Thanks!



Tuesday, March 9, 2021

Cisco ACI / How hard is it to be confortable with it ?

Hello everyone,

I'm a junior network engineer, currently working in support for an ISP for 1.5 years. I've just passed an interview to work for a major website (~4-6 million unique visitors per day, 2 DCs, 2000 servers and 200 switches, 3 POPs) and they asked for a deep understanding of BGP plus knowing Cisco ACI.

I've managed to get an interview with the engineer and his manager even if I've never touched Cisco ACI or an SD-x solution (well, I've got a lab on SD-WAN Versa, but not very much).

They'll call me back later this week to let me know if the job is for me, but they seemed very anxious about me not knowing this solution.

How hard is it to understand Cisco ACI's logic and be at ease with its administration ? Is it really this hard ?

Thanks a lot for your feedback, and sorry if my English is bad!

Cheers



Router VRRP setup

Hey r/

I've been setting up a lab in packet tracer to prep for an upcoming installation at a customer of ours. It's not a big network, I have one router, two switches and from there all devices are connected.

I wanted to avoid a Router On A Stick implementation, but the customer just recently bought a new router and switches and I don't think we can get them to buy an L3 switch; maybe our sales department will do this when there is a meeting with the customer.

So I wanted to connect both switches to the router, and configure something like VRRP. We deal in Zyxel equipment and it should be possible, but I've never configured it before.

Example below:

https://i.imgur.com/DVkqQOJ.png

However, should something like VRRP not be available, a router on a stick solution would be the only way to go or am I missing something?



Fire at OVH Strasbourg SBG1 / SBG2

https://twitter.com/olesovhcom/status/1369478732247932929

From Octave Klaba @olesovhcom:
"We have a major incident on SBG2. The fire declared in the building. Firefighters were immediately on the scene but could not control the fire in SBG2. The whole site has been isolated which impacts all services in SGB1-4. We recommend to activate your Disaster Recovery Plan."

"Update 5:20pm. Everybody is safe. Fire destroyed SBG2. A part of SBG1 is destroyed. Firefighters are protecting SBG3. no impact SBG4."



[Troubleshooting help] HP Switch says my access point isn't connected to it (PoE), the AP is offline, but I can ping it, I can't SSH into it. Why would this be the case?

I figured if I can ping the AP, I should be able to find it on the switch via CLI, but I can't. If I restart the AP and it comes back online, then it automatically appears on the switch.

Any idea why this would be the case? I have never seen this. If a piece of hardware is ping-able I expect to be able to find it connected to the switch. (Yes I had the right IP, I verified it when I pinged it and unplugged the AP. Yes I had the right MAC address).

TIA



DHCP taking a long time to handout addresses

I work in a K12 environment with about 15k+ devices. We have two load balanced Windows DHCP servers in our data center which each school connects to with around 100 scopes going to different vlans across the school district. We've had a similar set up for the past few years without any issues. Recently in the morning during the start of the day, it can take 5 to 20 minutes for devices to get an IP Address. After about 30 minutes, once all the students and staff arrive there aren't any issues.

One thing that has changed is since COVID we've let students take home their assigned iPads, which means at 8:00am there are around 12k devices coming in the network within a 15-30 minute period. I'm assuming this is the cause of the problem as it started the week that students changed from distance learning to back to school and we never had this many devices connecting at once before.

I'm not really sure how to resolve this issue, tried changing lease times to 1.5 days, not seeing any errors on DHCP logs, server resources are below 50 percent, bandwidth is fine considering the devices have no issues after receiving an address.

Has anyone had any experience like this or has worked with an environment with this many connections happening at once?



How to block connections past a certain number per port on Linux server using IPTABLES?

Hello guys!

First post here. We are looking for a way to limit a specific port on our linux server to X amount of connections and block all connections past this number.

We have tried limiting the port to a certain number, but it is only applied per source IP and not globally across the server. So clients are able to use multiple machines and effectively bypass this limit. Essentially we don't want this port to be reached by more than 400 connections per port. Each client will have its own port. So one client cannot access more than 400 connections.

Is there a way in IPTABLES to apply a hard limit per port number bypassing the per source IP?

Thank you
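The per-source behaviour described above comes from connlimit's default grouping of connections by source address; as an added example (not from the original post), the rules below use `--connlimit-mask 0`, which puts every source into a single group so the cap applies to the port as a whole. Port numbers and the 400 limit are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): a global per-port connection cap.
# --connlimit-mask 0 groups all source hosts together, so the count is for the
# whole port rather than per client IP. Only new connections (SYN) are checked;
# established flows keep running. The count comes from conntrack, so idle
# sockets still occupy a slot until their conntrack entry times out.
connlimit_rules() {
  port=$1; limit=$2
  cat <<EOF
iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above $limit --connlimit-mask 0 -m limit --limit 6/min -j LOG --log-prefix "connlimit port $port: "
iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above $limit --connlimit-mask 0 -j REJECT --reject-with tcp-reset
EOF
}

# One port per client, as in the post: print the rules for review, or apply
# them (as root) with `sh thisfile.sh --apply 5000 5001 ...`.
main() {
  mode=$1; shift
  for port in "$@"; do
    if [ "$mode" = "--apply" ]; then
      connlimit_rules "$port" 400 | sh
    else
      connlimit_rules "$port" 400
    fi
  done
}

if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

The rate-limited LOG rule gives you a record of when a client hits the cap without flooding the log; the REJECT with tcp-reset fails fast for the excess connection instead of leaving it hanging.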



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Managing Firewall Rules and Change requests

Hello Reddit friends,

I am seeking some advice on firewall change management. At the moment we don't have a service desk system in place. Firewall change requests are received via email. Therefore, for the moment I have decided to work on developing a process until management acquires a suitable product.

I'm curious to know what we should do in such a case.

How to document the firewall rules?

How to manage and approve the firewall change requests? What about using a form? Does the requester need to sign the form?

Is there an open source tool that can be used internally with the security team?

I would appreciate any insight or advice on this



AnyConnect SAML Azure AD Authentication ("cookie" error)

Let me start by saying I feel that we have really, really done our due diligence on this issue, and we can't figure out the underlying problem. We've opened a ticket with Cisco and Microsoft; neither was conclusive.

We have AnyConnect on an Azure ASAv, running LDAP authentication against a domain-controller VM in Azure. It's working great, no issues.

We are trying to enable SAML authentication directly to Azure AD with MFA. We have largely used these guides as a reference:

(although there are a few small updates due to changes in the Azure GUI).

As part of troubleshooting I tried to follow this as well: https://www.youtube.com/watch?v=bSGjeJotO2s (it works so well for her)

We are successful right up until the very final step by AnyConnect. We get the AnyConnect login screen, we get 2FA text message, and then just as it would normally connect we get the dreaded "Authentication failed due to problem retrieving the single sign-on cookie".

We know this is a well known bug, but we don't feel it's relevant to our environment: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi23605/?rfs=iqvred

  • we are running version 9.14(1) which is (allegedly) not an affected version.

  • we have done the workaround dozens of times during troubleshooting: 1) removing the tunnel-group SAML configuration, 2) removing the SAML configuration from the webvpn, 3) reapplying the SAML config to webvpn, 4) reapplying the SAML config to the tunnel group.

  • we have done a full reload, but have not experienced success.

nor is it this:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw77930 (a "." in the tunnel group name)

We have confirmed and/or tested all of the following, but none had any success in fixing the issue:

  • confirmed that NTP is enabled in the ASAv. The time is correct, and it matches the AnyConnect client being used for testing.

  • we don't think this is a license issue, but we can't be 100% positive. When I look at currently active AnyConnect sessions, the license shows "AnyConnect Premium", which I'm pretty sure is Apex. So I think the license in use supports SAML. However, since this is an ASAv it uses SmartLicensing, and the SmartLicense portal has "AnyConnect Plus Licenses" configured, although the 'In Use' count shows 0. Unfortunately, if I try to obtain demo Apex licenses, the Cisco license portal doesn't recognize the serial number of an ASAv, presumably because it has to use SmartLicensing, so the license has to be "read" from the SmartLicense portal.

  • I have enabled "no force re-authentication" under SAML config (webvpn) and that tries to use the cached login of the browser. It's not really relevant to my testing because my laptop is not a member of the domain.

The really ironic part of this is that our own corporate ASA is successfully using SAML to Azure AD. We've compared the config, and other than Azure tenant ID's, the only real difference seems to be that the ASAv is not working.

Microsoft has basically said "everything is completing as expected right up until the connection is refused by AnyConnect". Their logs indicate success at every level until AnyConnect throws the error message.

Cisco and I have gone round with about 10 things for testing (some of which I have described above).

webvpn
 {redacted for brevity; contains "anyconnect image disk0:...", "anyconnect enable", etc.}
 saml idp https://sts.windows.net/blah-abcd-1234-5678-blah/
  url sign-in https://login.microsoftonline.com/blah-abcd-1234-5678-blah/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederationwa=wsignout1.0
  base-url https://{this is the URL that users point AnyConnect to}
  trustpoint idp AzureAD-IDP-Trustpoint
  trustpoint sp TrustPoint_Anyconnect
  no signature
  force re-authentication
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
tunnel-group TG_MFA type remote-access
tunnel-group TG_MFA general-attributes
 address-pool POOL_AnyConnect
 default-group-policy GP_MFA
tunnel-group TG_MFA webvpn-attributes
 authentication saml
 group-alias TestMFA enable
 saml identity-provider https://sts.windows.net/blah-abcd-1234-5678-blah/
group-policy GP_MFA internal
group-policy GP_MFA attributes
 dns-server value 172.16.0.4
 vpn-idle-timeout 1440
 vpn-session-timeout 5760
 vpn-tunnel-protocol ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AnyConnect_ST
 default-domain value internal.local
 address-pools value POOL_AnyConnect

Any assistance would be appreciated. But...I've done so much poking around and trying this, then trying that, I'm getting fatigued from testing.



Wi-Fi AP Recommendation BAS/Non-critical Use-case

We have some refrigeration equipment with its own offline network, on which the centralized controller runs a DHCP server.

We intend to install an AP at one of the pieces of equipment (outdoor/rooftop environment) - the AP will ideally get its IP address from that main controller and we will set a SSID/password on it for technicians to use.

Considering something simple like a TP-Link EAP225-Outdoor, have also been browsing MikroTik but I'm not familiar with any of their equipment really. Sub-$100 or so would be nice.

This is a "non-critical" installation.

But there is one feature that would be cool: if by default, out of the box, the AP was set up to get its IP via DHCP and, even with a default SSID, it simply broadcast some SSID to connect to the network it has joined. Like a zero-touch install, so in the event of a failure we can just Amazon a new one to the site and they can plug it in and no one needs a PC to set it up etc.

I know if we did some type of managed Wi-Fi this would be simple, but adding some type of SDN controller like Omada or Unifi is a bit more complex than taking a few days to set one up then ship it as a replacement.

Do you have a recommended AP for such a project? And do you know of any that just operate that way out of the box without some managed controller present?

(We are a BAS integrator not a networking company so we have no other big network presence at these sites besides our main BAS network which doesn't connect with this particular network directly. The reefer network is like 4-10 devices at most and this is just a convenience add rather than something more critical)



Fiber color codes

Sorry for such a noob question... Are fiber patch cables color coded? I have heard before that if it is orange it is MM and yellow is always SM. I have to purchase some new patch cables and SFPs for a new switch by only using pictures of the rack that the old switch is in.



Need suggestion on job change

Hello guys,

I have recently been selected for one of the MNC as NOC Engineer (L1) and meanwhile my friend is asking me to join his organization as post sales engineer (deployment). Currently I'm working as post sales engineer. I deploy firewalls, routers, switches and access points.

Should I join as NOC Engineer or again change the organization with same position as Post sales engineer (Deployments of devices )?

Your inputs will be valuable.

Thanks



Do Aruba Remote Access points support ARM

I am planning to deploy Aruba RAPs to a warehouse where we do not control the physical networking, but we want to have Wi-Fi devices that are connected to our corp network. So we will send them APs that they can plug into any PoE port that has internet access.

If I deploy 5 AP as RAPs will they be able to do ARM and assist with device roaming like Campus Access points?



Environment Division in Git

I have a bunch of network automation stored under one Gitlab repo. Ansible and Python. Currently within that one repo I have a lower environment branch, and an upper. Automation will then run using one branch or the other relative to the environment. This is done currently via Gitlab scheduled pipelines which run the code from a docker container.

What I think I want is to work off feature branches that get merged into the lower branch, like the below diagram. Once satisfied with the lower branch, I simply bring the upper branch up to where the lower branch is.

* LOWER-BRANCH
| \
|  \
|   * SOME-JIRA-BUILD
|  /
| /
* UPPER-BRANCH

My current workflow has been something like...

  • checkout new branch based on lower
  • implement new feature/change/whatever and test
  • merge it with lower
  • validate lower automation (the steps up till now may happen several times before lower merged into upper)
  • merge lower branch into upper

This workflow works fine functionally but has resulted in some headaches as far as managing commit history and merge requests is concerned. For starters the commit graph/history is nowhere near as clean as the diagram above seeks to be. Merging lower into upper also often has commits that were included in previous merge, unless a rebase is done beforehand which comes with its own pains.

So I guess my question is - is this a dumb way to do this? Does something else make more sense? Anybody else doing something similar and able to provide insight on what works well for them? For context, I'm currently the only person involved, but at some point others should be contributing as well.



Do any of you run https inspection/decryption?

We are running a Sophos XG without https inspection/decryption and in order to block file type downloads you have to have it turned on in order for it to function. But as soon as we do, it interferes with our clients configuration to vmware/citrix platforms outside of our environment. In order to fix this issue we had to not only bypass https inspection on the domain url but also the ip address to that url. We reversed this change because of worries the client might change their IP address and cause an outage. Do any of you know of appliances or other equipment that might help mitigate this issue?



Nexus 9k pair - Two default routes configured?

Hello,

Ran across this recently on a core switch pair of Nexus 9ks configured by a previous vendor. Symptoms were odd ingress speed issues via a Meraki VPN link. Egress is fine, so I started to look at the configs and do some testing from each switch.

I do not have current diagrams for this network but its fairly simple -

2 Nexus 93180YC-EX in a vPC pair, NX-OS 7.3

2 WANs connected, L2 trunked from 2 ISR 4431s

Meraki MX100 as the last hop to either the VPN or out to the net

10.8.120.254 should be the gateway while 10.8.120.1 is the hsrp VIP for VLAN 120

I can not remove 10.8.120.1 via no ip route

Also one switch can ping 8.8.8.8 while the other can't, however, they can both ping 1.1.1.1

VPC Peer-Link config -

sw1# sh run | sec vpc
feature vpc
vpc domain 150
  peer-keepalive destination 172.16.150.2 source 172.16.150.1
  peer-gateway
  layer3 peer-router
  auto-recovery
  ip arp synchronize
  vpc peer-link
interface port-channel1
  description ***VPC Peer Link***
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link

Here's what I see in the routing table -

sw1# sh ip route
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

0.0.0.0/0, ubest/mbest: 2/0
    *via 10.8.120.1, [1/0], 1y9w, static
    *via 10.8.120.254, [1/0], 1y9w, static
10.8.99.0/24, ubest/mbest: 1/0, attached
    *via 10.8.99.250, Vlan99, [0/0], 1y9w, direct
10.8.99.1/32, ubest/mbest: 1/0, attached
    *via 10.8.99.1, Vlan99, [0/0], 1y9w, hsrp
10.8.99.250/32, ubest/mbest: 1/0, attached
    *via 10.8.99.250, Vlan99, [0/0], 1y9w, local
10.8.100.0/23, ubest/mbest: 1/0, attached
    *via 10.8.101.250, Vlan100, [0/0], 1y9w, direct
10.8.100.1/32, ubest/mbest: 1/0, attached
    *via 10.8.100.1, Vlan100, [0/0], 1y9w, hsrp
10.8.101.250/32, ubest/mbest: 1/0, attached
    *via 10.8.101.250, Vlan100, [0/0], 1y9w, local
10.8.102.0/23, ubest/mbest: 1/0, attached
    *via 10.8.103.250, Vlan102, [0/0], 1y9w, direct
10.8.102.1/32, ubest/mbest: 1/0, attached
    *via 10.8.102.1, Vlan102, [0/0], 1y9w, hsrp
10.8.103.250/32, ubest/mbest: 1/0, attached
    *via 10.8.103.250, Vlan102, [0/0], 1y9w, local
10.8.104.0/23, ubest/mbest: 1/0, attached
    *via 10.8.105.250, Vlan104, [0/0], 1y9w, direct
10.8.104.1/32, ubest/mbest: 1/0, attached
    *via 10.8.104.1, Vlan104, [0/0], 1y9w, hsrp
10.8.105.250/32, ubest/mbest: 1/0, attached
    *via 10.8.105.250, Vlan104, [0/0], 1y9w, local
10.8.106.0/23, ubest/mbest: 1/0, attached
    *via 10.8.107.250, Vlan106, [0/0], 1y9w, direct
10.8.106.1/32, ubest/mbest: 1/0, attached
    *via 10.8.106.1, Vlan106, [0/0], 1y9w, hsrp
10.8.107.250/32, ubest/mbest: 1/0, attached
    *via 10.8.107.250, Vlan106, [0/0], 1y9w, local
10.8.108.0/23, ubest/mbest: 1/0, attached
    *via 10.8.109.250, Vlan108, [0/0], 1y9w, direct
10.8.108.1/32, ubest/mbest: 1/0, attached
    *via 10.8.108.1, Vlan108, [0/0], 1y9w, hsrp
10.8.109.250/32, ubest/mbest: 1/0, attached
    *via 10.8.109.250, Vlan108, [0/0], 1y9w, local
10.8.110.0/23, ubest/mbest: 1/0, attached
    *via 10.8.111.250, Vlan110, [0/0], 1y9w, direct
10.8.110.1/32, ubest/mbest: 1/0, attached
    *via 10.8.110.1, Vlan110, [0/0], 1y9w, hsrp
10.8.111.250/32, ubest/mbest: 1/0, attached
    *via 10.8.111.250, Vlan110, [0/0], 1y9w, local
10.8.112.0/23, ubest/mbest: 1/0, attached
    *via 10.8.113.250, Vlan112, [0/0], 1y9w, direct
10.8.112.1/32, ubest/mbest: 1/0, attached
    *via 10.8.112.1, Vlan112, [0/0], 1y9w, hsrp
10.8.113.250/32, ubest/mbest: 1/0, attached
    *via 10.8.113.250, Vlan112, [0/0], 1y9w, local
10.8.118.0/24, ubest/mbest: 1/0, attached
    *via 10.8.118.250, Vlan118, [0/0], 1y9w, direct
10.8.118.1/32, ubest/mbest: 1/0, attached
    *via 10.8.118.1, Vlan118, [0/0], 1y9w, hsrp
10.8.118.250/32, ubest/mbest: 1/0, attached
    *via 10.8.118.250, Vlan118, [0/0], 1y9w, local
10.8.119.0/24, ubest/mbest: 1/0, attached
    *via 10.8.119.250, Vlan119, [0/0], 1y9w, direct
10.8.119.1/32, ubest/mbest: 1/0, attached
    *via 10.8.119.1, Vlan119, [0/0], 1y9w, hsrp
10.8.119.250/32, ubest/mbest: 1/0, attached
    *via 10.8.119.250, Vlan119, [0/0], 1y9w, local
10.8.120.0/24, ubest/mbest: 1/0, attached
    *via 10.8.120.250, Vlan120, [0/0], 1y9w, direct
10.8.120.1/32, ubest/mbest: 1/0, attached
    *via 10.8.120.1, Vlan120, [0/0], 1y9w, hsrp
10.8.120.250/32, ubest/mbest: 1/0, attached
    *via 10.8.120.250, Vlan120, [0/0], 1y9w, local
10.8.121.0/24, ubest/mbest: 1/0, attached
    *via 10.8.121.250, Vlan121, [0/0], 1y9w, direct
10.8.121.1/32, ubest/mbest: 1/0, attached
    *via 10.8.121.1, Vlan121, [0/0], 1y9w, hsrp
10.8.121.250/32, ubest/mbest: 1/0, attached
    *via 10.8.121.250, Vlan121, [0/0], 1y9w, local
10.8.122.0/24, ubest/mbest: 1/0, attached
    *via 10.8.122.250, Vlan122, [0/0], 1y9w, direct
10.8.122.1/32, ubest/mbest: 1/0, attached
    *via 10.8.122.1, Vlan122, [0/0], 1y9w, hsrp
10.8.122.250/32, ubest/mbest: 1/0, attached
    *via 10.8.122.250, Vlan122, [0/0], 1y9w, local
10.8.123.0/24, ubest/mbest: 1/0, attached
    *via 10.8.123.250, Vlan123, [0/0], 1y9w, direct
10.8.123.1/32, ubest/mbest: 1/0, attached
    *via 10.8.123.1, Vlan123, [0/0], 1y9w, hsrp
10.8.123.250/32, ubest/mbest: 1/0, attached
    *via 10.8.123.250, Vlan123, [0/0], 1y9w, local
10.8.124.0/24, ubest/mbest: 1/0, attached
    *via 10.8.124.250, Vlan124, [0/0], 1y9w, direct
10.8.124.1/32, ubest/mbest: 1/0, attached
    *via 10.8.124.1, Vlan124, [0/0], 1y9w, hsrp
10.8.124.250/32, ubest/mbest: 1/0, attached
    *via 10.8.124.250, Vlan124, [0/0], 1y9w, local
10.8.125.0/24, ubest/mbest: 1/0, attached
    *via 10.8.125.250, Vlan125, [0/0], 1y9w, direct
10.8.125.1/32, ubest/mbest: 1/0, attached
    *via 10.8.125.1, Vlan125, [0/0], 1y9w, hsrp
10.8.125.250/32, ubest/mbest: 1/0, attached
    *via 10.8.125.250, Vlan125, [0/0], 1y9w, local
10.8.126.0/23, ubest/mbest: 1/0, attached
    *via 10.8.127.250, Vlan126, [0/0], 1y9w, direct
10.8.126.1/32, ubest/mbest: 1/0, attached
    *via 10.8.126.1, Vlan126, [0/0], 16:33:32, hsrp
10.8.127.250/32, ubest/mbest: 1/0, attached
    *via 10.8.127.250, Vlan126, [0/0], 1y9w, local
10.155.12.40/32, ubest/mbest: 1/0
    *via 10.8.120.254, [1/0], 1y9w, static
10.155.12.55/32, ubest/mbest: 1/0

SW2 is identical

During some testing yesterday I decided to shut one of the SVI's associated with the WiFi to test routing behavior with just 1 int. Doing that on the Primary caused total disruption in traffic which was unexpected.

I believe this was caused by a copy/paste of the config from a set of 4500x's as the mgmt vrf had its own GW. I also believe ripping off the config, correcting, and tftping the startup config back might be the only solution here but wanted to get some more opinions before I call TAC.
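A quick way to check a pair of switches like this for the same condition without reading the whole table by eye: parse the `show ip route` text and flag any prefix with more than one static next-hop, and any static next-hop that is an address the switch itself answers for as an HSRP VIP. This is an added example, not the poster's code or anything from NX-OS; SAMPLE is a constructed excerpt modelled on the posted output (default route, VLAN 120 entries and one static /32), not the full table.

```python
"""Parse NX-OS 'show ip route' text and flag suspicious static next-hops.

Added example for the Nexus default-route question above; it is not the
poster's code. SAMPLE is a constructed excerpt modelled on the posted output.
"""
import re

SAMPLE = """\
0.0.0.0/0, ubest/mbest: 2/0
    *via 10.8.120.1, [1/0], 1y9w, static
    *via 10.8.120.254, [1/0], 1y9w, static
10.8.120.0/24, ubest/mbest: 1/0, attached
    *via 10.8.120.250, Vlan120, [0/0], 1y9w, direct
10.8.120.1/32, ubest/mbest: 1/0, attached
    *via 10.8.120.1, Vlan120, [0/0], 1y9w, hsrp
10.8.120.250/32, ubest/mbest: 1/0, attached
    *via 10.8.120.250, Vlan120, [0/0], 1y9w, local
10.155.12.40/32, ubest/mbest: 1/0
    *via 10.8.120.254, [1/0], 1y9w, static
"""

# "prefix, ubest/mbest: u/m[, attached]"
PREFIX_RE = re.compile(r"^(\S+/\d+), ubest/mbest: (\d+)/(\d+)")
# "*via nexthop, [iface,] [pref/metric], age, source"; the interface is optional
VIA_RE = re.compile(
    r"^\s*\*via ([\d.]+),(?: ([A-Za-z][^,\s]*),)? \[(\d+)/(\d+)\], [^,]+, (\w+)$"
)


def parse_routes(text):
    """Return {prefix: [ {nexthop, iface, pref, metric, source}, ... ]}."""
    routes = {}
    current = None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            current = m.group(1)
            routes[current] = []
            continue
        m = VIA_RE.match(line)
        if m and current is not None:
            nexthop, iface, pref, metric, source = m.groups()
            routes[current].append({
                "nexthop": nexthop, "iface": iface,
                "pref": int(pref), "metric": int(metric), "source": source,
            })
    return routes


def find_issues(routes):
    """Return (code, prefix, detail) tuples for conditions worth a second look."""
    # Addresses this switch holds as an HSRP VIP: /32 entries with source 'hsrp'.
    hsrp_vips = {
        prefix.split("/")[0]
        for prefix, nhs in routes.items()
        if prefix.endswith("/32") and any(n["source"] == "hsrp" for n in nhs)
    }
    issues = []
    for prefix, nhs in routes.items():
        statics = [n for n in nhs if n["source"] == "static"]
        if len(statics) > 1:
            # Two static next-hops at equal preference: traffic is shared across both.
            issues.append(("ecmp-static", prefix, ", ".join(n["nexthop"] for n in statics)))
        for n in statics:
            if n["nexthop"] in hsrp_vips:
                # The next-hop is an address this switch answers for itself.
                issues.append(("nexthop-is-local-vip", prefix, n["nexthop"]))
    return issues


if __name__ == "__main__":
    for issue in find_issues(parse_routes(SAMPLE)):
        print(*issue)
```

Run the same function over `show ip route` from both switches of the pair (the post says SW2 is identical, so it should produce the same two findings); the `ecmp-static` finding on 0.0.0.0/0 is the "two default routes" in the post's title, and `nexthop-is-local-vip` pinpoints which of the two is the switch's own VLAN 120 HSRP address.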



SIP/NAT problem on CUBE behind Meraki

Hello, I have a client with a Cisco UBE (2921 router) behind a Meraki.

It's a bit of a weird setup where the CUBE is the gateway for VOIP and DATA and static route forwards

So the Meraki is 192.168.100.2 and the CUBE is 192.168.100.1, the Meraki has a static route for the VOIP network (192.168.200.0) to the CUBE (192.168.100.1)

The solution was going to be to give the CUBE its own IP with 1-to-1 NAT on the Meraki, but I'm a little confused how this alters the SIP headers; won't they still be showing the internal IP address?

I know the CUBE can do SIP inspection to alter SIP headers and change the internal IP to External, ie:

 request ANY sip-header From modify "192.168.100.1" "1.2.3.4"
 request ANY sip-header Via modify "192.168.100.1" "1.2.3.4"
 request ANY sip-header Remote-Party-ID modify "192.168.100.1" "1.2.3.4"
 request ANY sip-header Contact modify "192.168.100.1" "1.2.3.4"
 response ANY sip-header Contact modify "192.168.100.1" "1.2.3.4"
 response ANY sip-header Remote-Party-ID modify "192.168.100.1" "1.2.3.4"
 request ANY sdp-header Audio-Connection-Info modify "192.168.100.1" "1.2.3.4"
 request ANY sdp-header Connection-Info modify "192.168.100.1" "1.2.3.4"
 request ANY sdp-header Session-Owner modify "192.168.100.1" "1.2.3.4"
 response ANY sdp-header Session-Owner modify "192.168.100.1" "1.2.3.4"
 response ANY sdp-header Connection-Info modify "192.168.100.1" "1.2.3.4"
 response ANY sdp-header Audio-Connection-Info modify "192.168.100.1" "1.2.3.4"
 request ANY sip-header Call-Info modify "192.168.100.1" "1.2.3.4"
 request ANY sip-header P-Asserted-Identity modify "192.168.100.1" "1.2.3.4"

So I guess my question is, without ALG, will modifying SIP headers be required to do this with a Meraki?
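What the sip-profile in the post is actually doing, shown in plain code: a 1-to-1 NAT rewrites only the IP header, so every place the SIP headers and the SDP body carry 192.168.100.1 still says 192.168.100.1 on the far side unless something (an ALG, or a profile like the one above) rewrites the payload too. The example below is added here and is not Cisco code or the poster's; it performs that payload rewrite for the same header set and the SDP `c=`/`o=` lines (the Connection-Info and Session-Owner fields of the profile), and reports which fields still leak the inside address. The INVITE is constructed for the example, not a capture, and the addresses mirror the post.

```python
"""Rewrite the internal address in SIP headers and SDP, as an ALG or a CUBE
sip-profile would. Added example for the CUBE-behind-Meraki question; it is
not Cisco code, and SAMPLE_INVITE is constructed, not a capture.
Addresses mirror the post: 192.168.100.1 inside, 1.2.3.4 outside.
"""

# Headers the posted profile rewrites; To/Call-ID are deliberately left alone.
SIP_HEADERS = ("Via", "From", "Contact", "Remote-Party-ID",
               "P-Asserted-Identity", "Call-Info")
# SDP fields carrying an address: c= (connection, where media goes) and o= (origin).
SDP_FIELDS = ("c", "o")


def build_message(start_line, headers, body):
    """Assemble a SIP message, computing Content-Length from the body."""
    hdrs = list(headers) + [("Content-Length", str(len(body.encode())))]
    return start_line + "\r\n" + "\r\n".join(f"{n}: {v}" for n, v in hdrs) + "\r\n\r\n" + body


def split_message(msg):
    """Return (start line, [(name, value), ...], body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


SDP_BODY = ("v=0\r\n"
            "o=CiscoSystemsSIP-GW-UserAgent 1 1 IN IP4 192.168.100.1\r\n"
            "s=SIP Call\r\n"
            "c=IN IP4 192.168.100.1\r\n"
            "t=0 0\r\n"
            "m=audio 16384 RTP/AVP 0\r\n")

SAMPLE_INVITE = build_message(
    "INVITE sip:+15551230000@sip.provider.example SIP/2.0",
    [("Via", "SIP/2.0/UDP 192.168.100.1:5060;branch=z9hG4bK-1"),
     ("From", "<sip:+15559990000@192.168.100.1>;tag=abc"),
     ("To", "<sip:+15551230000@sip.provider.example>"),
     ("Contact", "<sip:+15559990000@192.168.100.1:5060>"),
     ("Call-ID", "7f3a1b@cube.internal.example"),
     ("CSeq", "1 INVITE"),
     ("Content-Type", "application/sdp")],
    SDP_BODY,
)


def rewrite_sip(msg, internal_ip, external_ip):
    """Replace internal_ip with external_ip in the listed headers and SDP fields."""
    start, headers, body = split_message(msg)
    new_headers = []
    for name, value in headers:
        if name.lower() == "content-length":
            continue  # recomputed by build_message; the body length changes
        if name in SIP_HEADERS:
            value = value.replace(internal_ip, external_ip)
        new_headers.append((name, value))
    new_body = []
    for line in body.split("\r\n"):
        if line[:1] in SDP_FIELDS and line[1:2] == "=":
            line = line.replace(internal_ip, external_ip)
        new_body.append(line)
    return build_message(start, new_headers, "\r\n".join(new_body))


def find_internal_refs(msg, internal_ip):
    """Names of SIP headers and SDP fields that still carry the internal address."""
    _, headers, body = split_message(msg)
    refs = [name for name, value in headers if internal_ip in value]
    refs += [line[0] for line in body.split("\r\n") if line[1:2] == "=" and internal_ip in line]
    return refs


def content_length_ok(msg):
    """True if the declared Content-Length matches the body actually sent."""
    _, headers, body = split_message(msg)
    declared = {n.lower(): v for n, v in headers}.get("content-length")
    return declared is not None and int(declared) == len(body.encode())
```

The Content-Length recomputation is the part people forget when hand-rolling this: "192.168.100.1" and "1.2.3.4" differ in length, so a rewrite that leaves the old Content-Length in place produces a malformed message. The `c=` line matters most for audio, since that is the address the far end sends RTP to; rewriting signalling headers alone gives a call that sets up and then has one-way or no audio.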



DOCSIS/RF Pals - What causes modems to have low TX power in HFC plant?

We're having issues with upstream performance on one of our new nodes. We recently lit up a new fiber line and split a leg onto a separate launch amp. Upstream SNR is very poor, around 25dB. Modems on that node have low TX power, about 35dB. RX power is good, around 0dB.

Modem logs are filling with T3 timeouts, failed DHCP requests, and resets due to the poor upstream.

My initial reaction is the return path is running too hot and the modems are dropping their output to compensate. My line techs did a sweep of that leg and report that levels are good, and swear up and down there's no issues with the HFC plant. There's definitely an issue somewhere but I don't have the expertise to speculate what it could be. There was a power issue with the launch amp when we first switched over, but I trust my RF team and they're reporting that the node is good and running correctly. I'm at a loss here.



Ookla speedtest anomaly - upload speeds much lower than download speeds in AWS (not home network)

I'm conducting Ookla speedtests from AWS in us-east-1 to multiple Ookla speedtest servers in Singapore and I'm finding that upload speeds are consistently much lower than download speeds, by a factor of 5-10x. (e.g. download will show as 500 Mbps and upload will show as 50 Mbps)

My test setup:

  • AWS us-east-1 region
  • Windows Server 2019
  • Ookla CLI for Windows (i.e. not the browser version of Ookla)
  • t2.xlarge instance (supports up to 1 Gbps)

I understand that I should see some degradation in speed the further away my client is from the Ookla server but what I don't understand is why the upload speed is so much lower than the download.

This isn't a home network where there is asymmetry between upload and download. I have tested with multiple nearby Ookla servers in us-east in Ashburn, VA and then I get consistent 980 Mbps up and down speeds so I'm confident I should be able to get symmetrical speeds when using further away Ookla servers.

But as soon as I test with Ookla servers far away from my client in us-east-1, the upload speed drops drastically from the download speed. I have tested this with multiple Ookla servers in each test region so I'm confident this isn't an issue with a single Ookla server.

I have also setup an iPerf test from us-east-1 to a Digital Ocean server in Singapore and have been able to achieve 1 Gbps upload and download:

iperf3 -c <public IP of server> -u -b 1G -t 30

At this point, it seems like there's an issue with how Ookla does their upload tests because I was able to get fully symmetrical tests with iPerf but not with Ookla.

Am I missing something here? Or are Ookla speedtests not reliable?



Question about 1Gb SFP SX Transceiver speed

RE: HP 2620-48 Switch (J9626A) w/ HP J4858C X121 1Gb SFP SX Transceiver
I've been asked a question I can't find an answer to on HP's website. Can the 1Gb transceiver listed above be dialed back to run at only 100Mbps? I cannot find a way to set the speed on the mini-GBIC (SFP) slots.



One connection two networks , subnetting

Is there any way for creating two networks using one home connection ? **Wirelessly

Please help.



Question regarding capacity planning

Let's say you have been asked to make some improvements to a network of around 100 edge switches and only one core router. How would you decide if more routers need to be added, and where would you put them?



HELP - MSM760 HDD failure

hi everyone,

So I have this HPE MSM760 Access Controller; long story short, the HDD died and I can't boot into it, so now my APs are in controlled mode with a ghost of a controller (luckily I didn't set them to go down if the controller is not active).

I have access to all the firmwares from HP, from the first till the latest (CIM files, and MIBs if it matters).

Is there a way to flash a new HDD, SSD, or even a USB with the firmware?

I have looked into the HP manuals; nowhere (at least that I could find) does it talk about a failed HDD.

So far I found info that some people did an HDD transplant, but it was cloning the disks; that doesn't work in my case as I don't have a working disk to clone.

I tried to create a bootable USB, putting the CIM onto it and booting; well, to my no surprise, it didn't work.

The controller shows an option for a PXE boot; is that possible, or is it just for when they manufactured it?

any help would be appreciated

Disclaimer: this is a home/homelab type network, not sure if this counts as a topic for this subreddit of if I should go to r/homelab



Quickly reaching NAT policy limit of edge router looking for hardware / software recommendations.

I have a few dozen web servers hosting a few websites, and each of these websites has a static IP. Well, for each static IP I have 3 NAT policies: an Inbound, Outbound and Loopback. Due to this I am quickly reaching my router's NAT policy limit of 2048 policies. I have been looking at software and hardware solutions and am looking for recommendations, and/or ideas how I can shave down the number of policies I have.



Take a listen



Monday, March 8, 2021

Post on /r/eero with some questionable logic?

Hey there, Can someone with a bit more networking knowledge take a look at this post?

https://www.reddit.com/r/eero/comments/m0l7nu/does_eero_block_wlan_to_lan_traffic/?utm_source=share&utm_medium=ios_app&utm_name=iossmf

The flaired Eero developer goes off about topology, and isn’t very helpful, but I am trying to understand what they are talking about.
It sounds like their Ethernet backhaul is doing stupid stuff with spanning tree and the master unit needs to be “upstream”?

Aside from the /r/iamverysmart material, is there something I am missing? If all the access points, in bridge mode, are plugged into the same switch, why would it matter that the default route goes through the Eero or not? It would not change the path the backhaul packets take to get from Eero to Eero. (I might be too tired to be thinking about this.)

Appreciate the assistance with my curiosity ;)



FEC and Packet Duplication features in SD-WANs - worthwhile, or risky?

I'm curious to know if anyone here is currently leveraging FEC or packet duplication technologies in their SD-WAN environments today. On paper, it seems like an excellent idea to ensure that real-time applications get the appropriate treatment even over lower-quality transports. However, it was pointed out to me a while back (at least a year ago, perhaps two) that these technologies were buggy, not mature, and introduced a significant amount of latency. For those of you who have used or have tested these technologies today, do you agree with that assessment? Or are they absolutely worth considering when building out a new design?



Site-to-site vpn

Currently setting up a site-to-site vpn to connect an on-prem active directory to an azure virtual network. I'm using RRAS on a domain joined windows server as my vpn server. From this box, I can easily access my azure vnet/VMs. My understanding is it is best practice to keep RRAS off of the domain controller, but now I'm stuck. I can't get other on-prem machines to access/see the azure vnet. How would you get other devices in the on-prem domain to access the vnet through the RRAS server?



Applications and the need for layer 2 adjacency

Hi everybody,

I'm somewhat new to the world of networking and I've been learning VXLAN/EVPN/ACI lately. I keep seeing that the big deal with VXLAN is that it extends layer 2 (eXtensible LAN lol) and that many applications require this layer 2 adjacency. I haven't found a great answer for it though.

Any help would be appreciated!



Sporadic drops on connectivity

Experiencing sporadic drops on connectivity for all of the devices in one site. Not timed, unpredictable behavior is observed. Extremely noticeable and impacting during video meetings, voip phones momentarily disconnecting and dropping calls. I’m stuck on finding a quick to setup monitoring tool to check if some interfaces are causing too much flapping or a loop that I am not able to see. Using Juniper equipment for the network.

Any advice on how and what to check?



FortiGate SD-WAN

I have two ISPs and I want to configure Outbound Load Balancing using FG SD-WAN (Forti OS 6.4). Port 1 and Port 2 will be members of my SD-WAN Zone. My questions are about VIPs (Inbound NAT), and 3rd party VPN tunnels. Since the traffic will be load-balanced between port 1 and port 2 how will that impact my setup of a traditional Site to Site VPN to a 3rd party (non Fortigate device)? Will I be able to just terminate the VPN at port 1 or port 2 (as I would if I didn't run SD-WAN)? Will the NAT (aka VIP IP) work fine?



Mobile Site VPN option

We are working on a mobile network option and I am wondering the best way to go about this. We need a VPN connection back to our datacenter from this mobile network. This network will only be at the same place for a week or two at a time, so calling in an ISP is a no go.

We tried an LTE option but the speeds were terrible based on the 1st planned location. The site does have a hardware internet connection we could tap, which has me thinking: would it be possible (and if so how) to config our Cisco router to VPN back to the datacenter FTD? Mobile network wise it would need to be set up as plug in and auto connect to the firewall; we can't do any NAT/firewall rules on the mobile site's edge.

any thoughts on this or articles to point me in the right direction.



Router and Hub

Hi,

I was wondering what the difference between a router and a hub is?

Along with this what is the device your internet provider send you when you join, is that a router or a hub, mix of the both?

Very confused about this, any help would be appreciated.

Thanks.



Mikrotik NATing to make DNS queries source IP visible and available on my Local DNS filter

So I'm trying to forward/redirect all DNS requests coming into my mikrotik to a Local DNS filter, my only problem is that all traffic entering the Filter are being masqueraded by the Router's IP?

I tried using NAT to forward incoming DNS requests on port 53 using DST-NAT to go to my local DNS. I also had to use Hairpin NAT to make the connection work, but no luck; the DNS queries are always masked, and I want to try to find a solution without having to change the static DNS IP on every device inside my org.

Any idea on how to resolve this, or redirect me to a place that can help me?



Odd network/internet issue...help please

I have a local network with a firewall that also acts as the gateway, and my workstations seem to lose gateway access for 10 or 20 seconds every so often, anywhere from 45 mins to 3 hours.

I can't ping out by name or ip but can reach the domain controller fine.

The odd thing is that the domain controller can reach the internet during this time without issue, and generally if I have a running ping it will also continue to work. But...not always...generally, however, I don't get any timeouts when everyone else does if I'm running a -l 1000 ping or the like.

I've confirmed it's not the switch or anything related. Users connecting via vpn have no issues it's just machines on the local network.

I've tried running Wireshark but don't see anything change, and it seems to affect everything on the network minus the servers.

Any idea of things to try?



Windows ICS (Internet Connection Sharing) to a Cisco switch via an unmanaged switch?

So I have a network engineer configuring some Cisco devices to replace EOL equipment on a customer's lab network. The temporary configuration setup seen here was per the engineer's request, allowing him to access all 4 devices via a remote connection to a workstation. We have 2 workstations with separate paths back to the internet to keep our options open, as I am no longer on-site and we're trying to do all this initial configuration remote until the cutover...

Well the engineer discovered the Core switch needed the Advantage license... so that was purchased, token generated, etc... Come to find out, the core switch still needs internet access to take advantage of that license. I'm trying to use one of the config workstations to facilitate internet sharing to the unmanaged switch to make this work.

"Config 1" is the machine the engineer is working on almost exclusively. The Windows image has group policies, though, so configuring internet sharing is not working out as intended.

"Config 2" has internet via a hard line connection to the customer's existing lab network. It has an internal IP on a VLAN that has internet access. I've tried sharing the connection via the 2nd interface but I'm not having any luck.

Does anyone have any experience with Windows Internet Connection Sharing?