Saturday, April 17, 2021

For those of you who've designed/deployed SD-WANs, what are some of the "gotchas" / limitations that aren't well-known or well-documented?

Specifically interested in hearing from those who work for VARs/MSPs/Integrators and have had a chance to see several different deployments with different vendors.



Using a PtP microwave link as an IPSec Tunnel failover. Will this work?

So I have two offices that are currently connected using an IPSec tunnel. This works great, but in the event that the fibre goes down I am wanting to use a PtP link as a failover. What would be the most logical way to do this without creating a loop? If I have the PtP link on a separate VLAN that is not shared on the IPSec, can I then use it as a WAN2 source on the Office 2 router? Is it that simple?

Diagram in comments.



DDoS protection without HTTPS

Hello, I need a service like Cloudflare, but one which gives me the possibility to just hide my server IP when navigating on a port different than 80 or 443; no SSL required.

AFAIU Cloudflare domains only work when navigating on port 443, and they just redirect port 80 to 443.

But I need the user to also navigate to another service different than NGINX/Apache, and this service listens on a different port, e.g. 12345.

I have tried that with my domain, which is on Cloudflare; it won't work on that port.



How to fix Cain and Abel zero percent problem?

I tried every guide so far. I can't find anything but 1 host, which is my iPhone 6's Wi-Fi connection.



Strategy for consolidating firewall access-control policy

Hi guys,

For anybody that's done serious rule consolidation on your edge firewall, what strategies do you use to slim down your access-control policy? Do you find a way to check the hit counts on individual rules first and then try to make decisions from there? Do you simply parse your rule list slowly and try to find redundant rules? Some combination of the two? Verify that a lot of these addresses even exist anymore? I'd love to hear about your experiences in this area if you have any!
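An added example (not from the thread) that applies three of the strategies asked about to a constructed rulebase: zero-hit rules, rules shadowed by an earlier rule, and rules whose addresses no longer overlap anything in the asset inventory. The Rule fields, the RULES list and INVENTORY are hypothetical stand-ins for the hit-count export and CMDB of whichever platform you run.

```python
"""Triage an edge-firewall rulebase: zero hits, shadowed rules, stale addresses.

Constructed example; the Rule fields and INVENTORY are hypothetical
stand-ins for a real hit-count export and asset inventory.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, Iterable, List

ANY4 = ip_network("0.0.0.0/0")
ALL_PORTS = range(0, 65536)


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str      # "tcp", "udp" or "any"
    ports: range    # destination port range; ALL_PORTS means any
    action: str     # "permit" or "deny"
    hits: int       # hit counter exported from the firewall


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that could match `inner` also matches `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    ports_ok = outer.ports.start <= inner.ports.start and outer.ports.stop >= inner.ports.stop
    return proto_ok and ports_ok and inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)


def zero_hit(rules: Iterable[Rule]) -> List[str]:
    """Candidates only: a short window misses quarterly jobs and DR paths,
    and a deny rule with zero hits may simply be doing its job."""
    return [r.name for r in rules if r.hits == 0]


def shadowed(rules: List[Rule]) -> Dict[str, str]:
    """Map each unreachable rule to the earlier rule that shadows it (first match wins).
    A shadowed rule with a *different* action is a policy bug, not just clutter."""
    result: Dict[str, str] = {}
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                result[later.name] = earlier.name
                break
    return result


def stale_addresses(rules: Iterable[Rule], inventory: Iterable[str]) -> List[str]:
    """Rules whose src or dst overlaps nothing the inventory still knows about."""
    known_nets = [ip_network(n) for n in inventory]

    def known(net: IPv4Network) -> bool:
        return net.prefixlen == 0 or any(net.overlaps(k) for k in known_nets)

    return [r.name for r in rules if not (known(r.src) and known(r.dst))]


def triage(rules: List[Rule], inventory: Iterable[str]) -> Dict[str, object]:
    return {"zero_hit": zero_hit(rules), "shadowed": shadowed(rules),
            "stale": stale_addresses(rules, inventory)}


# Constructed rulebase (evaluated top-down) and constructed inventory.
RULES = [
    Rule("allow-web-dmz", ANY4, ip_network("203.0.113.0/24"), "tcp", range(443, 444), "permit", 918233),
    Rule("allow-web-host", ANY4, ip_network("203.0.113.10/32"), "tcp", range(443, 444), "permit", 0),
    Rule("deny-old-vpn", ip_network("198.51.100.0/24"), ip_network("10.0.5.7/32"), "udp", range(500, 501), "deny", 0),
    Rule("allow-dns", ip_network("10.0.0.0/8"), ip_network("10.0.1.53/32"), "udp", range(53, 54), "permit", 44120),
    Rule("block-legacy-mgmt", ANY4, ip_network("10.0.9.0/24"), "any", ALL_PORTS, "deny", 0),
]
INVENTORY = ["203.0.113.0/24", "10.0.1.0/24", "10.0.9.0/24"]

if __name__ == "__main__":
    for key, value in triage(RULES, INVENTORY).items():
        print("%-9s %s" % (key, value))
```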



Long post incoming: SD-Access + ACI

Hi,

I need outputs from you guys.

Let's go back to early 2020, when the company decided to hire a CCIE Data Center to revamp the whole Campus/DC and me, to help out with the deployment of Meraki SD-WAN across our remote sites. The SD-WAN project went smoothly and we are very happy with the results, but that's not the topic here.

To put you in perspective, we have 1 primary DC in the same location as our Campus (HQ) and we have a secondary DC at a different location. We have around 100 remote sites, hub and spoke topology with our 2 DCs through SD-WAN. 3000 employees total, 250 located in the Campus.

In our main DC, everything was hooked up to 2X Nexus 5Ks + fabric extenders: servers, firewalls, user stacks, WAN, etc. Throughout the year we replaced the Nexus 5Ks with 2X Nexus 9Ks. We also separated the DC block from the Campus block by adding new core switches (C9500) and connecting the user stacks, WAN and firewalls to the Campus block. This work was done by the CCIE alone, with me helping with the physical work. We also installed 2X Nexus 9Ks at our secondary DC and put a DWDM fiber between both DCs. Everything caused a lot of maintenance windows and outages outside of maintenance windows.

As of right now, no DCI technology is implemented because they have in mind to go for ACI later on this year. We have a regular VLAN spanning across both DCs with the HSRP gateway living in our primary DC. HSRP is only between our 2X N9Ks in our primary DC. Now to implement ACI, they want to buy 4 Spines + 4 Leafs + APIC controllers.

We also need to change our user stacks (C2960X) at our Campus. Same thing here: they have in mind to implement an SDA fabric, so they are looking to buy 30X C9300 (same amount as C2960X right now) + 2 extra DNA controllers (we already have 1 that came free when they did a refresh in our remote sites). The thing is, we are missing space in our DC right now. Long story short, we have to take a step back and re-install the N5Ks in production as a distribution layer because our core is full and to facilitate the transition to SDA.

We basically have to re-do a lot of what we did last year just because of SDA. I don't understand how this hasn't been planned before. Same problem with ACI. We will probably have to do some magic when it comes the time to implement the solution because nothing has been planned.

This whole implementation has been going on for more than a year now and we are far from being done. This will be time consuming and will cost A LOT of money for our company. I like Cisco products but to be honest, I'm starting to wonder if this is all worth it for the company. Do we need SD-Access? Do we need ACI? I mean we are only 200-250 users in our Campus and the setup is pretty standard. Software defined is nice (SD-WAN for 100 remote sites is amazing) but for a Campus with 5-6 user stacks... I don't think it's worth it unless I'm missing something. For our DCs we could simply use a technology like VXLAN.

I didn't even talk about the WLC and the new 50+ Cisco APs they will want to buy for SDA. They have been on Aerohive APs for the last 4-5 years and it's been rock solid for them.

The CCIE is a lone wolf that doesn't want any help (apart from the physical work) and we are a small network team (3) so we all get the blame when things go wrong. He is literally a single point of failure for us. When I say "they" it actually means "him" since he is the one pushing for all this.

Bottom line is I don't think SD-Access and ACI are worth it for us. Especially as we start moving services to Azure and especially if the guy is working alone in this big project.

What do you guys think about SD-Access and ACI?

Thank you for reading



Nexus 9K VxLAN/EVPN L3VNI on global VRF

Hi all,

I am trying to create a VXLAN/EVPN DCI in order to connect two DCs with a pair of Nexus 9300s on each side.

While the Cisco EVPN multisite whitepaper uses VRFs for each tenant, I only have one tenant, so I tried to use only the global VRF. But I have problems with the L3VNI, which does not come up when in the global VRF.

So, I have VLAN 700/VNI 5000 and an SVI in the global VRF with "ip forward", but the VNI 5000 remains in "down" state. When I do the same in a VRF, it works.

The config is like:

vlan 700
  name l3-vni
  vn-segment 15000

interface Vlan700
  no shutdown
  ip forward

interface nve1
  no shutdown
  host-reachability protocol bgp
  source-interface loopback1
  member vni 15000 associate-vrf
  member vni 15002 associate-vrf
  member vni 16000
    suppress-arp
    ingress-replication protocol bgp

Interface VNI      Multicast-group   State Mode Type [BD/VRF]      Flags
--------- -------- ----------------- ----- ---- ---- ------------- -----
nve1      15000    n/a               Down  CP   L3   [--]
nve1      15002    n/a               Up    CP   L3   [t1]
nve1      16000    UnicastBGP        Up    CP   L2   [720]         SA

Is this a bug, or is it not supposed to work in the global VRF (which would sound strange)?



need help on clearing users from IP pool of router

Hi all, new here and a complete noob; sorry if anything I say has any technical mistakes.

We run a retail store with a lot of computers on the LAN, so we have assigned a small IP pool to allow 60 users to connect to the Wi-Fi so that there are no clashes with the LAN IP addresses. But the issue is that we allow customers to use our Wi-Fi if needed, so their device takes up an IP and shows up in the client list for even days after their visit, even though they're never going to use it again. This has made the client list reach 60 in a few days. Is there a way to clear all the IP leases? Right now any new device that gets connected says 'connected but no internet' because the IP pool is full.

Using a TP-Link router.

This is the screen I see: https://imgur.com/a/4wQsxzw



Friday, April 16, 2021

This is my syllabus for the term. Is there any course on Udemy or any course online which covers all of the sub-topics given?

https://i.imgur.com/tyKG0t0.jpg

Every course I’ve searched online misses a lot of topics and subtopics.

If anyone can suggest any online course it would be a great help. I have the books, but they are tough to read and understand, so I am looking for an online course on Udemy, Coursera etc. which covers ALL the sub-topics. Kindly help me out to find the courses; it doesn't matter if they are 'paid or free', 'single or multiple'.

Thank you



Hired as a project manager, never managed a project

As the title says, I got hired as an IT project manager, but have never managed a project. I interviewed as a tech for a new company, but was offered a PM position. They brought me in to help modernize their network. I'm reaching out to you good people to see how you would attack your first day.

My initial thoughts are to immediately attack the basics. How and how often are users trained? What policies are in place and how are they enforced? When was the last time a risk assessment was performed, if at all?

I'm wanting to get through as much low-hanging fruit as possible in the beginning while I'm still learning user requirements and exactly how they plan on expanding.

Any advice would be awesome.



FortiGate with a Netgear router

Hey all, so I have a firewall, a modem, and a router. I know it sounds simple, but how does one go about getting an SSID made that would communicate through a FortiGate? I'm basically wanting to use this Netgear router like an AP, but I'm lost on how I set up the routing for it since it's not like a FortiAP, and even where the SSID is made: the firewall or the router? At the moment I have devices connected to the router, but since I have to ditch the NAT routing and have it sent to the FortiGate, I'm just a bit puzzled how the FortiGate sends that traffic to, or receives it from, the router. The configuration is something akin to Internet > ISP modem > FortiGate > Router in AP or bridge mode; no clue which to use, or specifically what the difference even is. In theory I want to connect devices to the router wirelessly and have individual devices wired directly to the FortiGate. Any advice would be nice.

What I tried initially was setting the router as an AP, wired directly to the FortiGate. Only problem is, I have no idea how they communicate. I have routing working and internet when a device is plugged in directly to the FortiGate on ports 1-5, but the wireless nature of the router is a bit of a mystery to me, and how I can avoid double NAT. I kinda just want the IPs of the devices connected to it sent to the FortiGate. I'm assuming I would need a policy to route to that IP and then from out in, but any explanation here helps.



Any recommendation on network simulators?

For a college project, my team and I are trying to choose a network simulator to analyze some basic pentest attacks (i.e. MITM, DDoS, ARP spoofing, DNS spoofing, etc.).

We've already read about the following:

  • GNS3
  • eNSP
  • Cisco Packet Tracer
  • EVE-NG

Our purpose is to simulate the attacks and then analyze the data flows in Wireshark for each protocol involved.

The number of devices will be the minimum (1 attack machine, 1-3 target machines, 1 router, 1 firewall).

Which option do you recommend to carry out this experiment?

Thanks!



Have multiple NAS devices, want them all synced. Best solution?

Sorry if this is the wrong subreddit to post this in. Let me know if there is a better subreddit for this question.

I have 3 NAS drives (Drobos; I don't recommend them, but it is what it is) and they mostly have the same information on each one.

Bottom line, I want all of them to have identical info (i.e. I upload a file to one of them and it will later sync to the others, automagically or manually; I don't mind doing a monthly manual run of whatever).

What is the best way of doing this? Free solution would be better, but I know you get what you pay for.



Cisco C8500L-8S4X vs Cisco ASR 1001-X

I am looking at a replacement of our WAN service routers in our Data Center that are running Cisco ASR 1001s today. Today one router has a 1x1Gb rate-limited to 250Mb and a vPC port-channel down to switches over 1Gb interfaces. The other router has 1x1Gb rate-limited to 250Mb and 1x1Gb rate-limited down to 500Mb, and the vPC port-channel down to switches over 1Gb interfaces. I want to upgrade those switch connections from 2x1Gb to 2x10Gb and move a connection in a switch that is 10Gb rate-limited down to 1Gb up to one of these routers so I can control it better with QoS/routing. At some point in the near future, I might add another 10Gb rate-limited to the other router.

I was looking at a Cisco ASR 1001-X but when I looked at the Cisco Commerce page to look at the Cisco ASR 1001-X options on port and throughput licenses, I see a notice to check out the Cisco C8500L-8S4X as its cost may be cheaper. Apparently this Cisco C8500L-8S4X came out some months ago and is the replacement for the ASR 1001-X line. After looking at the comparisons, the Cisco C8500L-8S4X lines up with exactly what I want and comes in cheaper in overall cost from the Cisco ASR 1001-X. It looks like out of the box the Cisco C8500L-8S4X has more 10G interfaces and they are enabled out of the box. When you look at the maintenance costs, there is no comparison between the two. The Cisco ASR 1001-X on-going costs for port and throughput licenses are astronomical. Am I missing something critical on this new line? Why would anyone even look at the ASR 1001-X these days when this is available?



Looking for IPv4 space

Looking to lease IP space (/22 or larger), any recommendations? Thanks for any help



How do you determine if you're being bottlenecked by your Ethernet cables?

In practical terms, how do you guys go about testing to determine whether your cabling is delivering the speeds advertised, or exactly the upper limit of what your media can provide? I know the show interface command can tell you a lot, but I'm probably not as well versed in it as I should be. Also I get the feeling that just running show interface <whatever> isn't enough. Do you all feel it's necessary to generate traffic to really stress test what your interfaces and cabling are capable of? If so, what tools do you use?

I've seen clients absolutely refuse the expense of running new cabling, and clients that would spend way too much on the best cable on the market without considering whether it was necessary or whether the network equipment could keep up with it. I'm looking to be able to dive a bit deeper than just cable and port specifications and be able to see what is actually happening in any given network link.



pfSense+ box with OpenVPN traversing over a transit network to another site

We are having issues with OpenVPN going across a transit network. Our setup is a pfSense box on one side, with Ubiquiti antennas connecting 2 separate buildings over a transit /30 subnet and static routes on either end. We can ping across the subnet through the VPN, but DNS will not resolve anything across the transit network, even though our DNS replicates to both sides as secondary zones. I believe it is something built into the VPN config, but even listing the DNS server on the other side in the configs won't fix it, even though I can ping it. Feel free to ask for more info; I've never dealt with this type of setup before.



Voice VPN with or without firewall

I see a lot of conflicting info as to whether to put a firewall in front of an SBC or not...

I'm aware of the functions required if putting a layer 3 firewall in front of the SBC (STUN, TURN, etc.).

But after seeing some sarky remarks on another topic, with no one really explaining why not to do it, I thought I'd ask why...

Is it just not worth the hassle for a voice-only VPN? Is that why people are happy with an SBC-only setup, with the SBC also acting as a zone-based firewall, or just throwing in some access lists to control access...

Curious to hear people's experiences.



FlexConnect APs losing Controller Associated Time, but still with uptime

Hello, I have some APs that are losing the association time; they use a WAN link to communicate with the controller. Looking on the internet I found that the latency should be less than 300 ms. I activated link latency on one access point for a test, but looking at the results they are OK:

https://ibb.co/jrMV1RX

Apr 16 13:06:57 kernel: [*04/16/2021 13:06:57.0000] CAPWAP State: DTLS Setup
Apr 16 13:07:54 kernel: [*04/16/2021 13:07:54.0099] dtls_disconnect: ERROR shutting down dtls connection ...
Apr 16 13:07:54 kernel: [*04/16/2021 13:07:54.0099]
Apr 16 13:07:54 kernel: [*04/16/2021 13:07:54.0099]
Apr 16 13:07:54 kernel: [*04/16/2021 13:07:54.0099] CAPWAP State: DTLS Teardown
Apr 16 13:06:57 kernel: [*04/16/2021 13:06:57.0000]
Apr 16 13:06:57 kernel: [*04/16/2021 13:06:57.0000] CAPWAP State: DTLS Setup
Apr 16 13:06:57 kernel: [*04/16/2021 13:06:57.0899]
Apr 16 13:06:57 kernel: [*04/16/2021 13:06:57.0899] CAPWAP State: Join
Apr 16 13:06:57 kernel: [*04/16/2021 13:06:57.0999] Sending Join request to 10.104.240.52 through port 5256
Apr 16 13:06:57 kernel: [*04/16/2021 13:06:57.1299] Join Response from 10.104.240.52

My APs are 1815s, with IOS 8.5.151.0.

Any idea what I should test or try? Thanks a lot.



802.1x and forcing a pc to present a specific cert when it's not joined to the domain with ClearPass

Does anyone know how I can force a Windows 10 machine to present a specific cert that I choose when doing machine auth with 802.1x? I've tried to put the certificate in the computer cert store under the Client Authentication Issuers section. I've tried to select the cert in the NIC properties, selecting "When connecting, use a certificate on this computer" and selecting the cert I want. But neither of them seems to force the laptop to present the cert to ClearPass. The laptop still presents a generic Microsoft cert.



ISR 829 embedded AP803 EAP authentication question.

Is there documentation or configuration notes for using EAP authentication on the router's embedded access point? I cannot find ANYTHING online for this specific model.



NetBox import database on new install

Hi there,

So I want to move our NetBox database from the server where I did the test installation to the production server. I have exported the database with

pg_dump --username netbox --password --host localhost netbox > netbox.sql

and reimport it on the new system with

sudo -u postgres psql -c 'drop database netbox'
sudo -u postgres psql -c 'create database netbox'
sudo -u postgres psql netbox < netbox.sql

However, after I do that I get a Server Error when loading the NetBox webpage with the advice to run the migration script again. I did that and the webpage loads again, but there is no data.

Anyone done a successful export/import and has a good how-to description?



Master's Degree Thesis Topic Suggestions

Hello everyone. I have started my studies this year and I am facing the choice of my master thesis topic. I work as a network engineer (IT outsourcing company) on a daily basis, so I have access to a large network infrastructure (150 clients in 4 data centers) - in which there are a lot of network solutions and vendors - but unfortunately still, I don't have an idea for my master thesis topic. I've started reading a lot about IoT and I guess that's the topic I'd like to pursue, but I know it would be better to use the opportunities to do research in my company where I have access to a huge network infrastructure.

I would be very grateful if someone could advise me on which topic to choose. I was also thinking of using COVID-19 and maybe doing some research on the impact of COVID-19 on the company. Thanks.



DHCPv6 implementation

Hey!

So I'm trying to migrate some IPv6 and am stuck with a weird problem and am wondering how others have approached this. Open to any suggestions for redesigns etc.

For reasons, we would like to use DHCPv6 statefully: give out DNS servers and IP addresses from the DHCP server and use the router's RA to announce the gateway address (and possibly DNS as well, as a backup) to the clients.

Currently using M & O flag on the router.

The problem is that with this configuration a Windows 10 client will assign an IPv6 address to itself with SLAAC and will prefer using that IP address for connections, instead of the one assigned by the DHCPv6. This somewhat defeats the purpose of using the DHCP server in the first place.

We would like to have clients use only the IPv6 addresses we are assigning by the DHCP. Is that an unreasonable expectation? How have you guys solved this?

EDIT:

Due to the fact that when I started experimenting with this I was not using the M & O flags, Windows would have kept using the IPv6 address it got first with SLAAC until it timed out: https://i.ibb.co/pxqmdSz/image.png

Had to run "netsh int ipv6 reset" to remove that IP and re-enable the interface, and now I'm left with the DHCP IP only, which is good enough. In this environment I am not worried about people/devices assigning IPs for themselves in general.
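An added example (not from the thread) that decodes the ICMPv6 Router Advertisement flags a host acts on. Per RFC 4861/4862 the M and O flags in the RA header steer DHCPv6, while the A (autonomous) flag on each Prefix Information option independently enables SLAAC for that prefix, so an M=1 RA whose prefix still carries A=1 yields a SLAAC address alongside the DHCPv6 one. Both RAs below are constructed for a hypothetical 2001:db8:10::/64 segment and resolver; the builder is only there to produce test input.

```python
"""Decode the RA flags (M, O, per-prefix A) that decide SLAAC vs. DHCPv6.

Constructed example: build_ra() produces two hypothetical RAs for
2001:db8:10::/64, decode_ra() parses them the way a host would.
"""
import struct
import ipaddress

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25
RA_FLAG_M, RA_FLAG_O = 0x80, 0x40      # managed / other-config (RFC 4861 4.2)
PIO_FLAG_L, PIO_FLAG_A = 0x80, 0x40    # on-link / autonomous (RFC 4861 4.6.2)


def build_ra(managed, other, prefix, prefix_len, autonomous, rdnss=(), lifetime=1800):
    """Serialise a minimal RA (checksum left 0; a sending kernel fills it in)."""
    flags = (RA_FLAG_M if managed else 0) | (RA_FLAG_O if other else 0)
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, lifetime, 0, 0)
    pflags = PIO_FLAG_L | (PIO_FLAG_A if autonomous else 0)
    # Prefix Information option: length 4 (32 octets); valid/preferred lifetimes; reserved
    pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len, pflags, 2592000, 604800, 0)
    pkt += ipaddress.IPv6Address(prefix).packed
    if rdnss:
        # RDNSS option (RFC 8106): length in 8-octet units = 1 header unit + 2 per address
        pkt += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, lifetime)
        pkt += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    return pkt


def decode_ra(pkt):
    """Parse the header flags and the PIO/RDNSS options a host acts on."""
    typ, code, _csum, _hop, flags, rlife, _reach, _retrans = struct.unpack_from("!BBHBBHII", pkt, 0)
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    info = {"M": bool(flags & RA_FLAG_M), "O": bool(flags & RA_FLAG_O),
            "router_lifetime": rlife, "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")  # RFC 4861 4.6: discard the packet
        body = pkt[off + 2: off + olen * 8]
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred, _res = struct.unpack_from("!BBIII", body, 0)
            info["prefixes"].append({
                "prefix": "%s/%d" % (ipaddress.IPv6Address(body[14:30]), plen),
                "L": bool(pflags & PIO_FLAG_L), "A": bool(pflags & PIO_FLAG_A),
                "valid": valid, "preferred": preferred})
        elif otype == OPT_RDNSS and olen >= 3:
            for i in range((olen * 8 - 8) // 16):
                info["rdnss"].append(str(ipaddress.IPv6Address(body[6 + 16 * i: 22 + 16 * i])))
        off += olen * 8
    return info


def addressing_mode(info):
    """What an RFC 4862 host does with this RA: SLAAC on every A=1 prefix,
    plus DHCPv6 according to M/O.  Both can apply at the same time."""
    slaac = [p["prefix"] for p in info["prefixes"] if p["A"]]
    if info["M"]:
        dhcp = "stateful DHCPv6 (addresses + other config)"
    elif info["O"]:
        dhcp = "stateless DHCPv6 (other config only)"
    else:
        dhcp = "none"
    return {"slaac_prefixes": slaac, "dhcpv6": dhcp}


# Constructed RAs: M+O set in both; only the prefix A flag differs.
RA_M_O_WITH_A = build_ra(True, True, "2001:db8:10::", 64, autonomous=True, rdnss=["2001:db8:10::53"])
RA_M_O_NO_A = build_ra(True, True, "2001:db8:10::", 64, autonomous=False, rdnss=["2001:db8:10::53"])

if __name__ == "__main__":
    for label, ra in (("M+O, A=1", RA_M_O_WITH_A), ("M+O, A=0", RA_M_O_NO_A)):
        info = decode_ra(ra)
        print(label, addressing_mode(info), "RDNSS:", info["rdnss"])
```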



Understanding Invalid ARP log messages

I'm trying to get a better understanding of why these messages are appearing. Sorry if this is a daft question!

%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi1/0/3, vlan 18.([111.1111.1111/192.26.18.187/2222.2222.2222/192.26.18.115/01:09:03

I have a CCTV camera on switchport Gi1/0/3 that is generating these messages constantly; its MAC address is 1111.1111.1111, which shows up in the first part of the log message. Its IP is 192.26.18.187.

The device with the MAC address 2222.2222.2222 is the CCTV NVR. Its IP is 192.26.18.115 and it is not directly connected to this switch.

Currently the CCTV camera does not have an IP so I cannot connect to it.

I'm trying to understand what this log message means which will then help me fix this. Any insight would be appreciated.
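An added example (not part of the post) that decodes Cisco DAI deny messages and checks the ARP sender against a DHCP snooping binding table. Dynamic ARP Inspection validates the sender IP/MAC pair of ARP packets arriving on untrusted ports against the snooping bindings (or a configured ARP ACL); in Cisco's message format the bracketed fields are sender MAC / sender IP / target MAC / target IP / timestamp. The log lines and the BINDINGS table are constructed; the first line mirrors the format of the post.

```python
"""Parse %SW_DAI-4-DHCP_SNOOPING_DENY messages and explain the drop.

Constructed example: SAMPLE_LOGS and BINDINGS are made up to illustrate
the field layout and the binding-table check DAI performs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DAI_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>Req|Res)\) "
    r"on (?P<port>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/"
)


@dataclass
class DaiDeny:
    count: int
    kind: str          # "Req" = ARP request, "Res" = ARP response
    port: str
    vlan: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_dai(line: str) -> Optional[DaiDeny]:
    """Return the decoded deny, or None for any other syslog line."""
    m = DAI_RE.search(line)
    if m is None:
        return None
    return DaiDeny(int(m["count"]), m["kind"], m["port"], int(m["vlan"]),
                   m["smac"], m["sip"], m["tmac"], m["tip"])


# (vlan, IP) -> MAC, as an export of the DHCP snooping binding table would give it.
Bindings = Dict[Tuple[int, str], str]


def explain(deny: DaiDeny, bindings: Bindings) -> str:
    """Classify the drop from the defender's side; target fields are informational."""
    bound_mac = bindings.get((deny.vlan, deny.sender_ip))
    if bound_mac is None:
        return ("no-binding: %s on vlan %d has no DHCP snooping binding; a statically "
                "addressed host needs an ARP ACL or a static binding" % (deny.sender_ip, deny.vlan))
    if bound_mac != deny.sender_mac:
        return "mac-mismatch: %s is bound to %s but the ARP %s claims %s" % (
            deny.sender_ip, bound_mac, deny.kind, deny.sender_mac)
    return "binding-ok: check additional validation (src-mac/dst-mac/ip) or an ARP ACL deny"


def triage(lines: List[str], bindings: Bindings) -> List[Tuple[str, str, str]]:
    """(port, sender IP, verdict) for every DAI deny in the input."""
    out = []
    for line in lines:
        deny = parse_dai(line)
        if deny is not None:
            out.append((deny.port, deny.sender_ip, explain(deny, bindings).split(":")[0]))
    return out


SAMPLE_LOGS = [
    # Constructed in the post's format: the camera (.187) answering the NVR (.115).
    "Apr 16 01:09:03: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi1/0/3, vlan 18."
    "([1111.1111.1111/192.26.18.187/2222.2222.2222/192.26.18.115/01:09:03 UTC Fri Apr 16 2021])",
    # Constructed: a host that has a binding but claims a different MAC in its request.
    "Apr 16 01:09:05: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/7, vlan 18."
    "([3333.3333.3333/192.26.18.40/0000.0000.0000/192.26.18.1/01:09:05 UTC Fri Apr 16 2021])",
    "Apr 16 01:10:00: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]
BINDINGS: Bindings = {(18, "192.26.18.40"): "aaaa.bbbb.cccc", (18, "192.26.18.115"): "2222.2222.2222"}

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        deny = parse_dai(line)
        if deny:
            print(deny.port, deny.kind, deny.sender_ip, "->", deny.target_ip, "|", explain(deny, BINDINGS))
```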



NetMon problems in Windows 10? (Wireshark not able to capture packets)

I wanted to use Wireshark (packet scanner) in monitor mode, but no packets are being captured. Promiscuous mode works just fine. I have an Atheros AR9485 (NetMon capable) network adapter and am using WlanHelper to turn on network monitor mode. I have also tried multiple old drivers. Is the problem with Windows, or something else?

Some help would be really appreciated.



Ethernet Private Line: Comcast or Verizon

I’m looking to hear some opinions on the most reliable and best quality Ethernet private line service if we have to put Comcast and Verizon head to head.

We’re looking at Washington DC > NY. Probably 50-100Mbps circuit. Those are the only two providers I can use.

I’ve never worked with Comcast before so I’m curious what others think about them.

In general my Verizon experience has been completely and utterly unacceptable, and honestly a giant joke. (I’m not bitter or anything though...)

Thanks



Thursday, April 15, 2021

Spectrum Fiber CPE

This may be a dumb question, but I did search for my specific model of CPE. In short, we had an internet outage at a site today. Did all of the prerequisite checking (i.e. rebooted, removed FW, router, etc). Connected up a PC directly to CPE handoff (RAD ETX-203AX) and programmed one of our static addresses w/ correct subnet mask up to the CPE. Still no internet and what's worse is we can't ping the CPE public IP address (thus preventing from getting out to the internet).

Wireshark shows NO responses coming from the CPE; however, I can see the VPN tunnel from the main branch side of things trying to initiate the session in Wireshark. Called Spectrum TAC; the tech is great and they are trying to get access to the system remotely. The CPE address CAN be pinged from outside of the network. After a few moments the CPE address starts pinging and internet traffic starts flowing. What's weird is that the MAC for the CPE is reporting an OUI of Cisco (not whatever RAD's MAC OUI space is). Spectrum noted that their management VLAN on the CPE is not responding so they can't get into the device.

My questions come from ignorance of the ISP world and really to try and figure out a root cause. So here goes.

  1. How do CPEs normally operate in an ISP handoff mode? Transparent bridge, VLAN isolation, etc...
  2. Could it be possible that this CPE is currently acting as just a fancy media converter for fiber to copper since the MAC reporting the public address for the CPE was a Cisco OUI?


How do you store your golden config?

I was thinking JSON format but then I need jinja templates or something to turn it back into conf. We want to store the variables in a git repo. I want to make the variables easy for a person to edit but still able to be processed by the device. We’re primarily a Juniper shop but bonus points for vendor neutral solutions as we have Cisco and some other vendor gear around.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



How can I scan devices for IKEv1 support?

I want to see if certain devices support IKEv1. I downloaded a script called ike-scan but I couldn't really get it to show me what I wanted.

I tried nmap's "ike-version" script but I'm not getting anything back from the script.

Any help is appreciated!



Network Design Basics for Architects

What basic things should a building architect know about networking when designing a building? Please keep it simple. They should bring us in for the complicated stuff.

Rule number one for architects: consult network engineers who know about physical network design throughout the process.

Beyond that, what do you think an architect should know? I'll put a few of my thoughts in the comments.



Cisco DCNM Server Rebuild - Ramifications of burning it down then starting fresh?

We currently have an old out of date Windows DCNM server that is used for our SAN environment.

I have barely touched the server since it was installed because I do most of the zoning configurations through the CLI. Now it is going to take a handful of minor and major upgrades to get the DCNM server to its proper version.

What are the ramifications of shutting the current DCNM server down, and using an OVF from Cisco to rebuild it new, then just re-discover the SAN environment?



Which are the web pages of white list of networking vendors?

Hello everyone, can someone help me with this: which are the web pages of the white list of networking vendors?



GNS3 network topology

Greetings all. Might someone point me in the direction of a beginning-to-end tutorial on setting up a network topology within GNS3? I mean like a hand-holding-with-pictures tutorial. I did the basic GNS3 one where you put out 3 routers, and then the next one where you set up a couple of Cisco switches. What I'd like is a relatively medium to large build topology, one that walks me through adding one switch/router/EUD etc. and getting it to production level of ready (a big-ole' time-consuming build that will take me more than an hour or two to complete). What I am googling is not coming up with anything other than the few small GNS3 topologies that I have already completed. I can just drag and drop things onto the workspace, but once they are there I need to know where to go from there, getting them all spooled up and everything that needs to be added/protected/shut down/enabled, as it can be.

Anyway, thank you all for your time. Best of luck to you all.

ME



Need help with extending a wifi signal to a different building

Hey all, so my barber has asked me for some help with extending their wifi signal because their internet always cuts out. Their router is in a building about 150 feet away and they refuse to upgrade the router to better support the barber shop’s internet. I want to find a solution for them that will help them have more reliable internet and ideally won’t cost a fortune. She can’t use a hotspot because the signal there is pretty inconsistent as well. Any ideas are greatly appreciated:)



Help/Rate a Junior IT Analyst's Setup

Hi gang,

I was recently hired as an IT Analyst for a fairly small company (<50 employees) and I've been trying to improve our security (which is not great atm). This company has no other IT person and I'm doing my best but am fresh out of college. Here's what I'm looking to install:

Server with FreeNAS and FreeRADIUS VMs OR Synology NAS with FreeRADIUS VM in it (if I can get the budget for it)

I've heard FreeRADIUS is difficult to setup, but I have time I can pour into it and I think I'd enjoy the challenge. If you have any wisdom to share, about this setup or even general stuff for a junior analyst, I don't have a mentor and will take anything. Thanks 🙏



VLAN Translation - Service Provider

Hi there, I am trying to understand the benefit or purpose of translating the VLAN in a service provider network. We are currently migrating a lot of E-Lines/E-LANs and I'm just wondering what the benefit of doing a translation is. One example below.

Node_A:

interface GigabitEthernet0/0/0/1.118 l2transport
  encapsulation dot1q 118
  rewrite ingress tag translate 1-to-1 dot1q 243 symmetric

Node_B:

interface GigabitEthernet0/0/0/5.157 l2transport
  encapsulation dot1q 157
  rewrite ingress tag translate 1-to-1 dot1q 243 symmetric



OSPF database output understanding

Hello folks,

Let me preface this by saying, this is the network/scenario that I have to work with. This is not an ideal config/design, but I cannot really change this today.

I am trying to wrap my head around a scenario and why the OSPF database behaves the way it does.

https://i.imgur.com/mNF4oTz.png

R7, far right, is advertising 7.7.7.7/32 into OSPF.

R2 is where I am performing my verifications. My goal is to understand why the OSPF database on R2 is the way it is, specifically the external routes in process 24.

Here are the redistributions that happen from right to left. Metric-type 1.

R3: Process 35 Area 35 > Process 23 Area 0
R3: Process 35 Area 35 > Process 1 Area 0
R5: Process 35 Area 35 > Process 45 Area 0
R4: Process 45 Area 0 > Process 24 Area 24
R2: Process 23 Area 0 > Process 24 Area 24
R2: Process 1 Area 0 > Process 24 Area 24

All interfaces have the default cost of 10. The loopback on R7 is 1.

IOU2#show ip ospf int br
Interface    PID   Area   IP Address/Mask    Cost  State Nbrs F/C
Et0/2        23    0      23.23.23.2/24      10    BDR   1/1
Et1/1        24    24     26.26.26.2/24      10    BDR   1/1
Et0/1        24    24     24.24.24.2/24      10    BDR   1/1
Et0/0        1     0      12.12.12.2/24      10    DR    1/1

Database Output

IOU2#show ip ospf database external 7.7.7.7

            OSPF Router with ID (23.23.23.2) (Process ID 23)

                Type-5 AS External Link States

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 1175
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 7.7.7.7 (External Network Number )
  Advertising Router: 23.23.23.3
  LS Seq Number: 80000001
  Checksum: 0x8A3B
  Length: 36
  Network Mask: /32
        Metric Type: 1 (Comparable directly to link state metric)
        MTID: 0
        Metric: 11
        Forward Address: 0.0.0.0
        External Route Tag: 0

            OSPF Router with ID (12.12.12.2) (Process ID 24)

                Type-5 AS External Link States

  LS age: 1174
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 7.7.7.7 (External Network Number )
  Advertising Router: 12.12.12.2
  LS Seq Number: 80000001
  Checksum: 0xFDDF
  Length: 36
  Network Mask: /32
        Metric Type: 1 (Comparable directly to link state metric)
        MTID: 0
        Metric: 21
        Forward Address: 0.0.0.0
        External Route Tag: 0

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 1165
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 7.7.7.7 (External Network Number )
  Advertising Router: 24.24.24.4
  LS Seq Number: 80000001
  Checksum: 0xD0E6
  Length: 36
  Network Mask: /32
        Metric Type: 1 (Comparable directly to link state metric)
        MTID: 0
        Metric: 21
        Forward Address: 0.0.0.0
        External Route Tag: 0

            OSPF Router with ID (24.24.24.2) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 1176
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 7.7.7.7 (External Network Number )
  Advertising Router: 13.13.13.3
  LS Seq Number: 80000001
  Checksum: 0x7B68
  Length: 36
  Network Mask: /32
        Metric Type: 1 (Comparable directly to link state metric)
        MTID: 0
        Metric: 11
        Forward Address: 0.0.0.0
        External Route Tag: 0

IOU2#show ip route 7.7.7.7
Routing entry for 7.7.7.7/32
  Known via "ospf 23", distance 110, metric 21, type extern 1
  Redistributing via ospf 24
  Advertised by ospf 24 metric-type 1 subnets
  Last update from 23.23.23.3 on Ethernet0/2, 00:00:01 ago
  Routing Descriptor Blocks:
  * 23.23.23.3, from 23.23.23.3, 00:00:01 ago, via Ethernet0/2
      Route metric is 21, traffic share count is 1

Why does R2 not have 3 entries for the link ID 7.7.7.7? It lists one entry from R4 and one from its redistribution from Process 23. The redistribution from Process 1 Area 0 is not shown in the Process 24 Area 24 database.

Now if I bump up the cost of E0/2 on R2 to 100:

IOU2#show ip ospf int br
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Et0/2        23    0               23.23.23.2/24      100   BDR   1/1
Et1/1        24    24              26.26.26.2/24      10    BDR   1/1
Et0/1        24    24              24.24.24.2/24      10    BDR   1/1
Et0/0        1     0               12.12.12.2/24      10    DR    1/1

IOU2#show ip ospf database external 7.7.7.7

            OSPF Router with ID (23.23.23.2) (Process ID 23)

                Type-5 AS External Link States

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 1219
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 7.7.7.7 (External Network Number )
  Advertising Router: 23.23.23.3
  LS Seq Number: 80000001
  Checksum: 0x8A3B
  Length: 36
  Network Mask: /32
        Metric Type: 1 (Comparable directly to link state metric)
        MTID: 0
        Metric: 11
        Forward Address: 0.0.0.0
        External Route Tag: 0

            OSPF Router with ID (12.12.12.2) (Process ID 24)

                Type-5 AS External Link States

  LS age: 8
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 7.7.7.7 (External Network Number )
  Advertising Router: 12.12.12.2
  LS Seq Number: 80000002
  Checksum: 0x6072
  Length: 36
  Network Mask: /32
        Metric Type: 1 (Comparable directly to link state metric)
        MTID: 0
        Metric: 31
        Forward Address: 0.0.0.0
        External Route Tag: 0

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 1209
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 7.7.7.7 (External Network Number )
  Advertising Router: 24.24.24.4
  LS Seq Number: 80000001
  Checksum: 0xD0E6
  Length: 36
  Network Mask: /32
        Metric Type: 1 (Comparable directly to link state metric)
        MTID: 0
        Metric: 21
        Forward Address: 0.0.0.0
        External Route Tag: 0

            OSPF Router with ID (24.24.24.2) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 1220
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 7.7.7.7 (External Network Number )
  Advertising Router: 13.13.13.3
  LS Seq Number: 80000001
  Checksum: 0x7B68
  Length: 36
  Network Mask: /32
        Metric Type: 1 (Comparable directly to link state metric)
        MTID: 0
        Metric: 11
        Forward Address: 0.0.0.0
        External Route Tag: 0

IOU2#show ip route 7.7.7.7
Routing entry for 7.7.7.7/32
  Known via "ospf 1", distance 110, metric 31, type extern 1
  Redistributing via ospf 24
  Advertised by ospf 24 metric-type 1 subnets
  Last update from 12.12.12.1 on Ethernet0/0, 00:04:20 ago
  Routing Descriptor Blocks:
  * 12.12.12.1, from 13.13.13.3, 00:04:20 ago, via Ethernet0/0
      Route metric is 31, traffic share count is 1

Now the redistributed entry from Process 1 Area 0 shows up, but not from Process 23 Area 0.

I'm sure this is cost related, but I cannot seem to find a reference to this anywhere in any document.
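As an added example (not from the post or from IOS), a small parser for the show ip ospf database external output above. Run over the first dump in the post, it reports per OSPF process how many copies of the 7.7.7.7 LSA exist, which advertising router's copy carries the routing bit (the one the process installs), and which copies are the router's own redistributed LSA, which a process never installs a route from; that makes the two-entry state of process 24 visible at a glance. SAMPLE is the post's dump trimmed to the lines the parser reads.

```python
import re
from collections import defaultdict

# Constructed sample: the first "show ip ospf database external 7.7.7.7"
# dump from the post, trimmed to the lines the parser reads. The regexes are
# whitespace-agnostic, so the run-together one-line paste parses the same.
SAMPLE = """
OSPF Router with ID (23.23.23.2) (Process ID 23)
  Type-5 AS External Link States
  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 1175
  Advertising Router: 23.23.23.3
  LS Seq Number: 80000001
        Metric Type: 1 (Comparable directly to link state metric)
        Metric: 11
OSPF Router with ID (12.12.12.2) (Process ID 24)
  Type-5 AS External Link States
  LS age: 1174
  Advertising Router: 12.12.12.2
  LS Seq Number: 80000001
        Metric Type: 1 (Comparable directly to link state metric)
        Metric: 21
  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 1165
  Advertising Router: 24.24.24.4
  LS Seq Number: 80000001
        Metric Type: 1 (Comparable directly to link state metric)
        Metric: 21
OSPF Router with ID (24.24.24.2) (Process ID 1)
  Type-5 AS External Link States
  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 1176
  Advertising Router: 13.13.13.3
  LS Seq Number: 80000001
        Metric Type: 1 (Comparable directly to link state metric)
        Metric: 11
"""

# One header per OSPF process; the two groups are router ID and process ID.
PROCESS_RE = re.compile(r"OSPF Router with ID \((\S+)\) \(Process ID (\d+)\)")

# One Type-5 LSA. The "Routing Bit Set" line, when present, precedes "LS age"
# and marks the LSA that the process actually uses for its route.
LSA_RE = re.compile(
    r"(?P<rbit>Routing Bit Set on this LSA[^\n]*?)?\s*LS age: (?P<age>\d+)"
    r".*?Advertising Router: (?P<adv>\S+)"
    r".*?LS Seq Number: (?P<seq>\S+)"
    r".*?Metric Type: (?P<mtype>\d)"
    r".*?\bMetric: (?P<metric>\d+)",
    re.S,
)


def parse_external_lsas(text):
    """Return {process_id: [lsa, ...]} for every Type-5 LSA in the dump."""
    parts = PROCESS_RE.split(text)   # [pre, rid, pid, body, rid, pid, body, ...]
    db = defaultdict(list)
    for i in range(1, len(parts), 3):
        rid, pid, body = parts[i], int(parts[i + 1]), parts[i + 2]
        for m in LSA_RE.finditer(body):
            db[pid].append({
                "adv_router": m["adv"],
                "seq": m["seq"],
                "metric": int(m["metric"]),
                "metric_type": int(m["mtype"]),
                "routing_bit": m["rbit"] is not None,
                # A process never installs a route from its own redistributed LSA.
                "self_originated": m["adv"] == rid,
            })
    return dict(db)


def chosen_lsa(db, pid):
    """The LSA carrying the routing bit in a process, or None."""
    return next((l for l in db.get(pid, []) if l["routing_bit"]), None)


def summary(db):
    """Per process: how many copies of the LSA exist, whose copy is in use,
    and which copies are the router's own redistribution."""
    return {
        pid: {
            "copies": len(lsas),
            "in_use": (chosen_lsa(db, pid) or {}).get("adv_router"),
            "own": [l["adv_router"] for l in lsas if l["self_originated"]],
        }
        for pid, lsas in sorted(db.items())
    }


if __name__ == "__main__":
    for pid, info in summary(parse_external_lsas(SAMPLE)).items():
        print(f"process {pid}: {info}")
```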



Cell modem on MVNO?

Has anyone here had to purchase SIM cards for cell modems? I'm trying to figure out if I can just pick up a SIM from an MVNO like Ting or Mint instead of talking to the main carriers. This is just for testing so I'm not super concerned about data caps.



Planning to get a /24 block, what to do after?

Hi there, we are planning to get a /24 block from ARIN, and we have some questions about what to do once we have one.

So we have currently one carrier giving us a Dedicated Fiber Line.

Do we ask our carrier to advertise our ip block and route them back to us?

Or do we need to get a second carrier and do a multi-home bgp?

Is there anything else we need to do?

Never set up BGP before, and google-fu was no help.

Thanks!



IPv6: Have you noticed increase in positive user experience?

I once watched a YouTube video describing the only actual case for why you should move to IPv6 (apart from your org. being so big that v4 is simply not enough).

So he broke it into 4 boxes, with the following:

- Being an ISP with v6 on.

- Being an ISP with no v6.

- Being a content provider with v6.

- Being a content provider with no v6.

So the 2 items are a bit straightforward: if you are a decent ISP you will offer v6. However, the question remains on the content providers. "Why should you go through the hassle of dual stacking?"

The only decent answer is speed. IPv4 relies heavily on NAT and NAT introduces delay. So much delay that Google has calculated it costs them thousands of dollars per millisecond. If the elimination of NAT increases 10-15% response time, this means better revenue because the experience is better.

Therefore my question is:

People who have implemented v6, were you actually able to measure this? Is this statement true?



Upgrade 3850 Catalyst - Won't boot

I tried to upgrade a Catalyst 3850 stack of 2 switches from 03.02.03.SE to 16.09.06 & now the switch won't boot.

It's in a remote site so I'll need local hands. The switch was in install mode so I ran the command:

software install file flash:cat3k_caa-universalk9.16.09.06.SPA.bin switch 1-2 

and reloaded, but from Googling it looks as though I should have used: software install file flash:cat3k_caa-universalk9.16.09.06.SPA.bin switch 1-2 force new

Is not running the force new arguments the most likely cause of my issue here?



Fate of removed Huawei and ZTE routers

What happens to all the routers and switches that are being uninstalled in the US?

I have seen the costs of uninstalling them but not what happens to the routers themselves.

If you're an industry expert, explain to me, where are the routers going?

Are they being disposed/resold? If disposed, where/who is involved? If resold, what's the procuring process?



What does it mean by (IP - connectionless) but still relies on TCP/IP (TCP - connection-oriented)? If 3-way handshake is handled in Layer 4, why do people mention IP as connectionless since it's not supposed to handle SYN/SYNACK/ACK?

Hi,

I'm new to networking and I'm not sure if I am on the right sub. I'm trying to understand Networking Fundamentals. I'm a programmer but I want to dive into CCNA to improve my knowledge. I bought a tutorial from Udemy and it's mentioned that IP (Internet Protocol), as a Layer 3, can rely on TCP or UDP for transmission (Layer 4).

If Layer 4 protocols are used for ensuring quality of delivery (via 3-way handshake, by TCP), then why is there a need to mention that IP is connectionless? For now, what I know is that connection-oriented data transmission is handled by TCP in Layer 4.

Do some Layer 3 protocols handle quality of delivery? (Such as packet loss, etc.)



Wednesday, April 14, 2021

Looking for DHCP Relay SW supporting IPv4 Rapid-Commit (RFC 4039)

(First post ever on Reddit...)

I need to implement a DHCP Relay Agent that supports Rapid-Commit on IPv4 (Option 80).
I checked a few pieces of software like ISC DHCP Relay, ISC Kea, https://github.com/42wim/dhcprelay, https://github.com/insomniacslk/dhcp and a few more, but none support Option 80.

Open Source or not :)

Any ideas?

Thanks
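As an added illustration of what the post is asking a relay to handle (not code from the post or from any of the projects it names): a constructed DHCPDISCOVER carrying the RFC 4039 Rapid Commit option (code 80, zero length), an option parser that flags it, and the giaddr/hops rewrite a relay performs before forwarding, which leaves the options, option 80 included, untouched. A client sending this expects the two-message DISCOVER/ACK exchange instead of DISCOVER/OFFER/REQUEST/ACK.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE = 53
OPT_RAPID_COMMIT = 80        # RFC 4039: option code 80, carried with length 0
OPT_END = 255
DHCPDISCOVER, DHCPACK = 1, 5


def build_discover(xid, mac, rapid_commit=True):
    """Constructed minimal DHCPDISCOVER: 236-byte BOOTP header, magic cookie,
    then options. The broadcast flag is set, as an addressless client does."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if rapid_commit:
        opts += bytes([OPT_RAPID_COMMIT, 0])   # zero-length option
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_options(packet):
    """Decode the option TLVs into {code: value}; strict about truncation."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                    # pad byte, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option payload")
        opts[code] = value
        i += 2 + length
    return opts


def wants_rapid_commit(packet):
    """True for a DHCPDISCOVER carrying option 80: the client is asking the
    server to answer with a DHCPACK directly, skipping OFFER and REQUEST."""
    opts = parse_options(packet)
    return opts.get(OPT_MSG_TYPE) == bytes([DHCPDISCOVER]) and OPT_RAPID_COMMIT in opts


def relay_forward(packet, relay_ip):
    """Relay-agent rewrite before forwarding toward the server: increment
    hops and fill giaddr with the relay's own address if it is still zero.
    The options are copied through unchanged."""
    pkt = bytearray(packet)
    if pkt[3] == 255:
        raise ValueError("hop count exhausted")
    pkt[3] += 1
    if pkt[24:28] == b"\0\0\0\0":
        pkt[24:28] = ipaddress.IPv4Address(relay_ip).packed
    return bytes(pkt)


if __name__ == "__main__":
    disc = build_discover(0x1234ABCD, bytes.fromhex("001122334455"))
    print("rapid commit requested:", wants_rapid_commit(disc))
    print("giaddr after relay:", relay_forward(disc, "192.0.2.1")[24:28].hex())
```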



Confusing Network Behavior

Originally Posted on /r/PFSENSE, can provide any additional details if needed.

EDIT: All IPs are just examples.

Maybe you guys can help me out here, because something doesn't seem to be working right in a vendor requested configuration.

I have a network where we have a vendor that has a tandem NetGate 7100 in a network rack neighboring ours that handles all of their Vendor related networking.

We have our own Netgate 7100 that handles all LAN/Wifi stuff. The two netgates have been fine being ignorant of each other.

The vendor needs some devices that connect to our wifi to be able to hit their device, and pass through some NATing to have an internal return for an app they are hosting. Nothing too crazy so far.

We have set a custom DNS in our Netgate that resolves to an arbitrary address on our Wifi network that is out of the DHCP range.

All of my internal net works as expected, the DNS name resolves to the specified IP address, all is great.

However, the vendor statically assigned one of their switch ports on their 7100 to the requested address (1.1.1.10) and is unable to respond to a ping from anything on that subnet.

Originally this was plugged directly into a switch that had access to the requested network (1.1.1.0/24). After a few hours of troubleshooting, tagging/untagging VLANs, I figured it would be best to eliminate the switch as any cause of trouble, and had them connect directly to an open switch port on my 7100. But the two still refuse to talk to each other. The ports negotiate and connect with no issue, but still no communication on the 1.1.1.0/24 network.

Netgate-Internal:

Wifi Net: 1.1.1.0/24 (ETH1 & ETH2 Bridged @ 1.1.1.1 on ETH1, vendor on ETH2) Firewall Rules Completely wide open between both bridged interfaces. I have similar setups for Bridged interfaces elsewhere with no problem.

Netgate-Vendor: ETH5 - 1.1.1.10 - GW: 1.1.1.1, Static route for 1.1.1.0/24 with GW added

I have even switched to DHCP on the Vendor device to see if it was the IP itself, but it never gets an IP

Packet Captures just seem to be in a bubble with who-is packets on the internal side showing, and DHCP request Packets showing on the Vendor side, but neither showing the communication on both

I have had the patch between the two replaced.

Any guidance would be great.



A10 Load Balancer Grafana Dashboard Templates

Hi!

I was wondering if someone is monitoring his A10 Load Balancer with Prometheus and visualizing this data in Grafana.

I got the Prometheus side working and was browsing for some Grafana dashboard templates but can't find any.

It would be great if someone would like to share his/her dashboard!



Asset Management Help

Hello, I am starting a very rudimentary asset management excel file for the very small company I work for. If I have equipment that has been discarded and removed from our building is it alright to recycle the number identifier (workstation 7 for example) and use it for a new piece of equipment? Or should that identifier stay tied to the old equipment and be retired as well? Is there a "Best Practice" for this? Or is it completely up to the person handling it? Thank you for the help!



Which dynamic routing protocol is most commonly used in Enterprise Networks?

I know OSPF is more scalable than EIGRP but BGP is also popular for VPN connections. Interested to see your responses.



Any opinions on the following ONT models?

I currently have a Nokia G-240G-C from my ISP that they're trying to change to Nokia G-140W-C for "higher speeds". Just wanted to make sure this is really an upgrade and I'm not getting something inferior.

I couldn't find any information on the 140W online though. Any ideas about these?



Constellation Diagrams and QAM Help!

Hello All,

I am having an issue currently in which I have 3 binary numbers: 0111, 0000, and 0010 and I have a constellation diagram: https://imgur.com/a/IJYQlal

I am attempting to find the equation of the waveform required to send each binary number. However, I am having trouble/confused on how to go about this.

I have searched on the internet extensively, however I cannot seem to find anything on the waveforms themselves, only how QAM works.

Any help is appreciated, even if it's a guidance on where I could search to try and find the answer :)
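A worked version of the mapping, added here and not part of the post: it assumes a Gray-coded 16-QAM constellation with levels -3, -1, +1, +3 (the poster's imgur diagram may label its points differently, in which case only the lookup table changes). Each 4-bit group becomes an (I, Q) point, and the transmitted wave is s(t) = I cos(2 pi fc t) - Q sin(2 pi fc t); the code also rewrites it as A cos(2 pi fc t + phi) and checks numerically that the two forms agree.

```python
import math

# Assumed Gray-coded 16-QAM mapping of each two-bit group to a level.
# Swap in the labels from the actual constellation diagram if they differ.
GRAY_LEVELS = {"00": -3, "01": -1, "11": 1, "10": 3}


def qam16_point(bits):
    """Map a 4-bit string to its (I, Q) point.
    Assumed convention: the first two bits select I, the last two select Q."""
    if len(bits) != 4 or set(bits) - {"0", "1"}:
        raise ValueError("need exactly four binary digits")
    return GRAY_LEVELS[bits[:2]], GRAY_LEVELS[bits[2:]]


def waveform_params(i, q):
    """Amplitude A and phase phi (degrees) of the carrier for one point:
    s(t) = I cos(2 pi fc t) - Q sin(2 pi fc t) = A cos(2 pi fc t + phi),
    with A = sqrt(I^2 + Q^2) and phi = atan2(Q, I)."""
    return math.hypot(i, q), math.degrees(math.atan2(q, i))


def waveform_equation(bits, fc="fc"):
    """Both forms of s(t) for one symbol as a printable string."""
    i, q = qam16_point(bits)
    a, phi = waveform_params(i, q)
    return (f"s(t) = ({i}) cos(2 pi {fc} t) - ({q}) sin(2 pi {fc} t)"
            f" = {a:.3f} cos(2 pi {fc} t + {phi:.1f} deg)")


def waveform_samples(bits, fc=1000.0, fs=8000.0, n=8):
    """Numeric samples of s(t) for one symbol from the I/Q form
    (defaults: 1 kHz carrier sampled at 8 kHz, one carrier cycle)."""
    i, q = qam16_point(bits)
    w = 2 * math.pi * fc / fs
    return [i * math.cos(w * k) - q * math.sin(w * k) for k in range(n)]


def max_form_mismatch(bits, fc=1000.0, fs=8000.0, n=8):
    """Largest difference between the I/Q form and the A cos(. + phi) form;
    zero (to rounding) confirms both equations describe the same wave."""
    i, q = qam16_point(bits)
    a, phi = waveform_params(i, q)
    w = 2 * math.pi * fc / fs
    ref = [a * math.cos(w * k + math.radians(phi)) for k in range(n)]
    return max(abs(x - y) for x, y in zip(waveform_samples(bits, fc, fs, n), ref))


if __name__ == "__main__":
    for symbol in ("0111", "0000", "0010"):   # the three numbers in the post
        print(symbol, "->", qam16_point(symbol), waveform_equation(symbol))
```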



Daisy chained Rosemount level transmitters. Ultrasonic

I've got some daisy chained ultrasonic level transmitters that keep having an issue. My gut says it's a receiving and transmitters issue. There are I think 4 levels being brought into the same point. Only 1 (and the same one) will get working for a while (although wrong) and after a while it will stop coming in at all. Taking a shot out there to see if anyone has a similar problem and how they fixed it. Thanks!



Random question: What sort of technologies are commonly used in most modern-day enterprise networks (both wired and wireless)?

What sort of wired or wireless technologies are used in Campus and Metropolitan area networks?



Design Advice

I have several locations and for different purposes, I need to share the same subnet among them. Also, I want them to have the same gateway. Any advice?



Cisco SF350 and Lenovo Windows Server link issue

Got a new head-scratcher causing me to go bald

We made a switch to Cisco switches thanks to our normal vendor blowing their prices up to where they should be gold plated. Yesterday we switched out 3 old HP switches for Cisco SF350s, and the switch-over was seamless until we plugged in our file server that is on-site. It's a Windows 2016 physical server using NIC teaming with 2 ports.

We plugged into the Cisco switch on ports 10 and 11 and got no link for either, and not just that, no attempt to link in the logs on the Cisco either. I tried plugging the server into the old HP switch and it was fine, so it's not a physical NIC issue. If I plug the switch into one of the old HPs and then that HP into the Cisco, that works fine. So I'm thinking there must be a port config parameter I'm missing? I disabled SPT on port 11 as well to test it and it made no difference.

Anyone else run into this issue? Am I about to feel stupid when the answer was something drastically simple that I missed? Thanks!



Internet issues on 4/14/21 ?

Did anyone else just have issues with their internet connectivity this morning?

Around 8:50AM - 9:20AM eastern we had a lot of remote sites unreachable via VPN. We use primarily Zayo, HE and Centurylink on the datacenter side. I also had alerts from Akamai and others saying they were having upstream carrier issues.

Trying to figure out what the root cause was.



Anyone have any information on when EVE-NG (community) would be available based on newer Ubuntu?

Does anyone have any information on when EVE-NG (community) would be available based on newer Ubuntu? Right now my EVE community edition shows "16.04.7 LTS" as the base OS, which has end of support listed as April 2021 on the Ubuntu website.

So (more of curiosity) when will EVE be available on newer LTS, like "20.04.2"?

Edit: has anyone tried to install a newer Ubuntu and then install EVE?



Redesigning a school network

Hello :)
I am currently trying to redesign a network in my old school in my hometown. It's all a big mess, I have to identify each cable where it goes and mark it.

And the thing is they have 4 ISPs, one of them connects all the classrooms and another one connects the administrative computers, while the other two are completely unused.

I was thinking to leave the classrooms connected to one ISP, and join the other three through an OPNsense box, with load balancing and failover. I have a computer good for installing OPNsense; the problem is it has only 2 PCI-E slots, and I need some network cards with more than just one RJ45 port. Also, it seems they are pretty expensive and I don't know whether they are compatible with personal computers.

Other option is buying a router like a https://mikrotik.com/product/RB2011UiAS-RM which is a little bit more complicated to configure. But I don't know if it can handle the job, considering the connections are 1 Gbit down/up, 500 Mbit down/ 25 Mbit up, and 100 Mbit down/up, and maybe 10-15 computers using it at peak times.

I would like to find other opinions, how would you see this done and if you think the Mikrotik would be a good option.

Thanks a lot!



When do you bother filing a bug report?

My original thinking was "hold the vendors to a standard of quality. if product isn't performing to spec, yell at them until they fix". But Cisco has worn me down to the point that I'm more inclined to just use whatever shitty workaround I can figure out if possible.

Latest code upgrades for SDWAN have broken the "code upgrade" function so that one version of the upgrade procedure automatically rolls back unless you jump into the CLI of the devices to confirm. Cisco TAC thinks this is okay.

Essentially if we use the "download and activate immediately" button it works fine. If we download first, then use the "activate" button later then it never "confirms" the upgrade like it's supposed to and the vEdge rolls back after a timer.

VERY disappointing to arrange a maintenance window, complete the upgrade, give the all clear, and 15 minutes later both devices at a site reboot.

But whatever. We've got a known workaround now, and whether Cisco acknowledges the bug or not... I know it'll make the product better for me and for other folks in my shoes. I know it's not that much work to open a case and send them an admin tech or whatever... but just the thought of their stupid ticket portal leaves me exhausted. Someone's getting paid to QA their shitty products, and it's not me or anyone else on my team.

Where do you guys draw the line? Do you push for bug IDs for stuff like this and aggressively pursue them? or just take the workaround and live with it?



Cisco ASA CRL VPN

Hello,

I'm working on cert-based authentication for our AnyConnect VPN, yet so far I have encountered a problem that the few answers I found didn't help me with.

I created the trustpoint by the name of VPN and put the PKI url on it.

The inter-CA is added to the Cisco with the PKI url as a DP.

The revocation check is set to CRL and no LDAP, since we aren't using it for the PKI.

This is what happens when I make a CRL request with the CRL in .pem format:

crypto_pki_req(0x00002aaacb6f9e10, 24, ...)
CRYPTO_PKI: Crypto CA req queue size = 1.
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
Crypto CA thread sleeps!
CRYPTO_PKI: Failed to retrieve CRL for trustpoint: VPN. Retrying with next CRL DP...

I read somewhere that you need to change the .pem to .der, except that it just changes the type of error.

BatG-FW3# crypto_pki_req(0x00002aaacb6f9e10, 24, ...)
CRYPTO_PKI: Crypto CA req queue size = 1.
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
CRYPTO_PKI: Found suitable tp: VPN
CRYPTO_PKI: Failed to create name objects to compare DNs. status = 1795
CRYPTO_PKI(select cert) subject = cn=ThalesRCS Root CA,ou=Revenue Collection Systems,o=Thales,l=Bretigny,st=IDF,c=FR
CRYPTO_PKI: status = 1872: failed to verify CRL signature
Crypto CA thread sleeps!
CRYPTO_PKI: Failed to retrieve CRL for trustpoint: VPN. Retrying with next CRL DP...

From the details of the inter-CA, the DP is indeed the same URL. I don't understand why it can't verify the signature.

Also DNS is set and resolves the URL, so no problem from there.



Dynamic network topology with 100 routers

Hi, I got a new client and he wants to find a way to connect 100 routers, but dynamically (for a closed network). I need some help with topology.

He has radios that can connect point-to-point or point-to-multipoint, and he has 100 sites, and as he says (to me it sounds crazy) any radio can connect to any radio. Each site should work independently and/or with ANY other site.

So, he wants any router to be able to connect to any other router, and wants to do it dynamically.

My thoughts on this (they all seem wrong):

1) Layer 2 network - a big layer two network. It can work dynamically and he doesn't need VLAN separation, but still, 100 switches in one broadcast domain sounds like a really bad idea. And if there is any multicast traffic it will be a disaster.

2) DMVPN network - two routers as hubs, OSPF or IS-IS (IS-IS sounds better because it doesn't have areas) as the IGP, DMVPN on top, and we have some kind of dynamics... but I don't get how to make the IGP dynamic.

3) Software solutions? I have experience only with Cisco SDA, but it still needs IGP connectivity to work, and I need some kind of DC to install software.

Any ideas?



Nexus 3k, multiple q in q mappings on single interface

Hello, is it possible to have multiple q in q vlan mappings on a single interface on the Cisco n3k switches?

And how?

Our use case is the following: we are an ISP moving into the datacenter of another ISP.



FMC Logging Missing Entries

I have found a problem with FMC logging on 6.6.1, and I'm wondering if anyone else has had the problem & maybe identified the root cause.

I was essentially troubleshooting what was blocking traffic on a particular server out to the internet. Looking at the connection events page, I saw (what I know now as) some connection events and not others, but no blockages. Please note, I have an explicit deny [server ip range] any log directly after the rules associated with this server so that block traffic is logged.

I was convinced the FW wasn't blocking it, so I made a temporary rule:

permit hostX to any on the outside zone (tick log at beginning AND log at end of connection in the policy). 

Got the user to access the address/port he said he couldn't access, and it worked. What bothers me is that I did not see the traffic even hitting the connection events page. So I did a capture w/Trace in the advanced troubleshooting section, and I was able to identify the traffic there instead. I added the missing rule (with both log at beginning and end of connection), disabled my temporary rule, and his connection works. However, I still do not see the connection event in the Analysis > Connections > Event viewer.

This is a real big ball-ache for me as I don't have time to run captures to work out missing rules. Has anyone had this, and found a solution?



HP Procurve Loop Detection - Juniper alternative?

HP Procurve switches have a feature which sends out periodic packets and shuts down the port if it receives the same packet back (https://lkhill.com/loop-detection-without-stp/). Does such a feature exist on Juniper switches? We already have bpdu-block-on-edge and MSTP configured, but neither of these would prevent a loop created on a CPE.



Cisco prime with firewall interface

I want to check the bandwidth on the OUTSIDE interface of my firewall, when upload or the download bandwidth reaches a specific value, I should receive an email from cisco prime.

Is this possible?



Linux routing

Two commands, two different outputs: the ip r command displays two default gateways; route -n shows only one default gateway.

Which command is telling the truth? From traceroute I see that packets are being loadbalanced between two gateways.
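As an added example, not part of the post: a parser for ip route show output that enumerates every next hop of the default route, including the indented "nexthop via ..." lines an ECMP (multipath) default route prints. The net-tools route -n command reads /proc/net/route, which lists a single gateway per destination, so on a multipath default route it shows only the first hop; walking the iproute2 output is how to see all of them. SAMPLE is a constructed two-hop table.

```python
import subprocess

# Constructed sample of "ip route show" output: an ECMP default route with
# two next hops (printed on continuation lines) plus the two connected routes.
SAMPLE = """\
default proto static 
\tnexthop via 192.0.2.1 dev eth0 weight 1 
\tnexthop via 198.51.100.1 dev eth1 weight 1 
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10 
198.51.100.0/24 dev eth1 proto kernel scope link src 198.51.100.10 
"""

# Keywords that take a value in iproute2 output; anything else is a bare flag.
VALUED = {"via", "dev", "weight", "proto", "scope", "src", "metric", "table", "mtu"}


def _attrs(tokens):
    out, i = {}, 0
    while i < len(tokens):
        if tokens[i] in VALUED and i + 1 < len(tokens):
            out[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            out[tokens[i]] = True       # e.g. "onlink", "linkdown"
            i += 1
    return out


def _hop(attrs):
    return {"via": attrs.get("via"), "dev": attrs.get("dev"),
            "weight": int(attrs.get("weight", 1))}


def parse_ip_route(text):
    """Parse "ip route show" output into a list of
    {"dst": ..., "nexthops": [{"via", "dev", "weight"}, ...]}.
    A multipath route is a header line followed by one indented "nexthop"
    line per hop; a single-hop route carries its hop inline."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "nexthop":
            if not routes:
                raise ValueError("nexthop line without a preceding route")
            routes[-1]["nexthops"].append(_hop(_attrs(tokens[1:])))
            continue
        attrs = _attrs(tokens[1:])
        route = {"dst": tokens[0], "nexthops": []}
        if "via" in attrs or "dev" in attrs:
            route["nexthops"].append(_hop(attrs))
        routes.append(route)
    return routes


def default_gateways(routes):
    """Every gateway the default route resolves to, ECMP hops included."""
    return [h["via"] for r in routes if r["dst"] == "default" for h in r["nexthops"]]


def live_default_gateways():
    """The same check against the running system (needs iproute2 installed)."""
    out = subprocess.run(["ip", "route", "show"], capture_output=True,
                         text=True, check=True).stdout
    return default_gateways(parse_ip_route(out))


if __name__ == "__main__":
    print(default_gateways(parse_ip_route(SAMPLE)))
```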



Tuesday, April 13, 2021

Iperf Results - Host to host testing

I'm having some strange Iperf results, putting this out there in case someone may have an explanation.

1) 2 IPerf VMs on the same host:
TCP: ~20Gbps throughput for single/parallel -p 10.
UDP:~3Gbps of throughput for single/parallel -p 10 (1460 length packets, unlimited bandwidth)

2) 2 IPerf VMs on different hosts (Host A, Host B):
TCP: ~7Gbps throughput for single/parallel -p 10.
UDP: ~3Gbps of throughput for single/parallel -p 10

3) 1 IPerf VM on Host A connecting to 2 IPerf VMs on host B:
TCP: ~7Gbps throughput for single/parallel to each VM on host B (aggregate throughput is ~14Gbps from VM on Host A).
UDP: ~6Gbps of throughput for UDP testing to each VM on Host B (aggregate throughput is ~6Gbps).

4) 1 IPerf VM on Host A connecting to 3 IPerf VMs on host B:
TCP: Aggregate throughput is ~14 Gbps split between the connections to 3 VMs (7 Gbps to one, 3-4Gbps to the other two).
UDP: ~9Gbps Aggregate (~3Gbps to each VM)

Setup:
- VMs are running on ESXi/Hyperflex hosts
- Each host has 2x25Gbps uplinks to TORs (UCS FIs).
- VMs are on same L2 Portgroup
- VDS port group load-balancing is set to balance based on virtual port ID
- No bandwidth Reservation/limiting in ESXi
- No other VMs are utilising the host uplinks during the testing. UCS has 200G uplinks which are <5% utilised during the testing. Viewing the host uplink port stats in test 3 the input/output link to Host A is reaching 14Gbps as expected based on the test result, but never any higher for say test 4.
- All VMs running Iperf3 version 3.9-1 on Ubuntu LTS 20.04 with 4 vCPU and 8GB RAM assigned.

Issues:
- The difference between single and parallel TCP tests is negligible. Each parallel stream decreases until the aggregate speed is the same as a single TCP test.
- UDP testing between 2 VMs on the same host is still slow. This looks likely to be a combination of the VM/Iperf issue.
- A significant difference in aggregate throughput from the tests 2 to 3. This would indicate the CPU core IPerf is running on is maxing out however CPU utilisation is low during the testing.
- I would expect to get at least 10Gbps of throughput on single/parallel TCP testing between two VMs on different hosts.

Additional testing:
- No difference in results if LRO is turned off or on at the VM level
- Minimal difference in results using IPerf2
- No difference in results changing the IPerf traffic direction -R
- Checked for dropped packets etc. on the Server/FIs/Northbound switches
- Tested using different hosts in the HX cluster with similar results.



Split Pairs Error for 568B but not 568A

I have a brand new Klein Scout Pro 3 VDV501-852 and I am terminating CAT6 S/FTP (shielded) cable. After testing multiple cables with multiple terminations I have discovered that I always get a "Split Pairs" error when I use T-568B wiring with shielded cable and I don't when I use T-568A. I also tested with CAT 5e UTP (unshielded) and got no "Split Pairs" error message with either A or B wiring. Why am I getting a "Split Pairs" error when I use a shielded cable with T-568B wiring???



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Need some advice on how to deploy web filtering and load balancing.

Sorry in advance for a long post and some noob parts in the post.

So my company has a very small IT department. And I have to manage with whatever falls in the budget.

One of our offices, which is mainly the operations department, had internet issues on a daily basis. So I resolved it by having two internet connections and deploying WFilter in gateway mode on a workstation with a 4-port Intel Ethernet card. Since WFilter has load balancing functionality as well, it's working very flawlessly.

It blocked all social media and streaming apps on systems/laptops and smartphones.

WFilter has a free subscription but it's for only 50 clients. We typically have 80+ at any given moment.

Now the company will not agree to a yearly subscription for WFilter, and the trial period is ending. So is there any solution out there with a one-time, less expensive cost which can achieve all the things I have mentioned, mainly web filtering and load balancing?

We are using Ubiquiti's APs.

Any suggestions and comments are welcome. Thank you in advance!



Security in LTE networks

Hi, I just had a question about how cellular networks are secured. For example, I always hear about not connecting a laptop to an unsecured wi-fi network and typing in passwords, etc. but how does this compare to a cellular network? I imagine there is encryption and 3rd party checks through the cell providers and such but I am genuinely curious how strong the security of a cell network is and if I should be inputting any information other than SMS over the network.



Small BGP router

Hi all!

I'm starting to work with Cisco devices after several years on Dell and open source network solutions (Force 10, Vyos).
I just acquired an ASN and some IPs from RIPE. I need to announce my AS on the internet. I'm looking for a small Cisco router to do just BGP. Security and SD-WAN are done by a cluster of Meraki MX. Internet bandwidth is currently at 50Mbps and will never be more than 1Gbps.

What device should I use? I believe I can just buy an ISR 902. Is there some special licence needed to be able to run BGP? If not the ISR 902, which device would you recommend?

Edit: I should add that I have to use a physical Cisco router.

Thank you for your help



OSPF - Multi Area, Multi Hub Area design thoughts

I'm starting to design a new network consisting of 2 hubs (1 UK, 1 US) where all branch offices will connect to. Each hub has 2 routers to terminate VPNs and the branch sites have an HA pair of Palo Altos, meaning each branch will have 4 VPNs (2 to the UK hub, 2 to the US).

The hubs will have their own area and connected to one another via area 0 but I'm unsure on how best to plan the branch site area design e.g. branch's all have unique areas, all branches are in area 0, regional areas etc.

I've moved from an EIGRP setup in my previous role which was much easier to scale with Hub and Spoke configurations so need a bit of help on this 😊.

Has anyone ever had a similar setup and what sort of design did you use?

Haven't ruled out the use of BGP, but that'd mean configuring route reflectors etc., so I'm trying to check if OSPF is suitable.



T1 Interfaces and Cabling

Hi, I purchased a T1 card for a Cisco 4331 router but it turns out that it doesn't fit my available T1 handoff. My router has a NIM-2T card with Smart Serial style connectors, but my T1 handoff is RJ48 style, which fits the NIM-2MFT-T1 card.

I've done some searching around but can't seem to find any available places to pick up a RJ48->Smart Serial cable. There are lots of other cables available like V.35->Smart Serial or TIA-449->Smart Serial, but I haven't found a way to go from RJ48->Smart Serial.

Is there any solution to this predicament other than to purchase a NIM-2MFT-T1 card?

Thanks much!



NGFW application control in real life

Hello,

I would like to know how "Application Control" is used on an NGFW in real life, as per my understanding the application database can never be complete and up-to-date.

While I am only familiar with Barracuda firewalls (which get their application database from German company ipoque in the form of an OEM DPI engine), I guess the principle is roughly the same for all NGFWs.

There are at least the following scenarios:

a) I want to block/thwart an application

It possibly doesn't matter if not all traffic flows of a specific application are detected correctly, as it might be enough to achieve the goal that the application doesn't work anymore.

b) I need to block everything except some "very specific simple" application

E.g. a server should be blocked from Internet access except contact to some vendor license server -> the license server is documented, I can create a specific custom application. Depending on how I created this custom application, I might need to adjust it in case the license server changes.

c) I need to block everything except some "complex" application

E.g. certain users should not have full Internet access but since some cloud resources are mandatory for daily business, they need to be reachable for them without issues. Let's just assume we're talking about Microsoft Teams, but actually it could be anything.

For Teams to work, there are quite some dependencies, most likely some Office365 "application" and so on. How do I know?

According to Palo Alto's Applipedia the requirement is "ms-office365", so if I need to permit Teams, I'd have to permit "ms-office365" and whatever Teams functionality I need (since it lists several ms-teams related applications). Not sure if this works as easily and flawlessly as I'd imagine?

In Barracuda, in the case of Teams one dependency is "Web Browsing", which is all http/https access that isn't detected as a more specific application. In fact this isn't true, as if you'd just try it and permit detected applications such as "Microsoft Office365 Base" etc. until Teams works, you're probably fine.

But my question is, what happens if Microsoft decides to change Teams in a way that the firewall doesn't detect it well enough anymore? I guess it will take days, weeks or even longer until a NGFW gets its application pattern updated.

I used Teams only as an example, there are lots of very dynamic and complex applications with many dependencies.

So all this shiny "Application Control" is not really suitable for a scenario c) like I described? (I still see the advantage of better visibility, the possibility of a), b) and some other benefits.)

Any thoughts? How do you use this functionality?



Boost license on Cisco 4ks

Has anybody used these? Would reduce router costs massively but I'm wondering if there are any 'gotchas' I'm not seeing....



sFlow configuration issue on Cisco nexus 9396PX

I am trying to configure sFlow on a Nexus 9396PX switch and am having some difficulty understanding the TCAM region.

hardware access-list tcam region span-sflow 256
!
feature sflow
sflow counter-poll-interval 30
sflow collector-ip 10.30.0.91 vrf management
sflow collector-port 9995
sflow agent-ip 172.30.0.26

When I enable it on my port-channel1 (which is a 4x40G port bundle on the GEM module):

sflow data-source interface port-channel1 

When I run "show run sflow" to verify the config, I can't see the "sflow data-source interface port-channel1" line there.

N9K(config)# show run sflow

!Command: show running-config sflow
!Running configuration last done at: Tue Apr 13 14:24:00 2021
!Time: Tue Apr 13 14:24:58 2021

version 9.3(6) Bios:version 07.68
feature sflow

sflow counter-poll-interval 30
sflow collector-ip 10.30.0.91 vrf management
sflow collector-port 9995
sflow agent-ip 172.30.0.26

For an experiment I tried to add Ethernet 1/1 (10G port) and that works; I can see it in "show run". It looks like the 40G GEM module isn't supported. So I googled and found this on Cisco's website:

Make sure that the sFlow and SPAN ACL TCAM region sizes are configured for any uplink ports that are to be configured as an sFlow data source on the following devices: Cisco Nexus 9332PQ, 9372PX, 9372TX, and 93120TX switches and Cisco Nexus 9396PX, 9396TX, and 93128TX switches with the N9K-M6PQ or N9K-M12PQ generic expansion module (GEM).

Question: what is the SPAN ACL region? All I can see on my switch is the following. Is the SPAN ACL region ing-l2-span-filter or ing-l3-span-filter?

hardware access-list tcam region span 0
hardware access-list tcam region ing-l2-span-filter 0
hardware access-list tcam region ing-l3-span-filter 0
hardware access-list tcam region ipv6-span-udf 0
hardware access-list tcam region ipv6-span-l2-udf 0
hardware access-list tcam region span-sflow 256


A stupid question regarding UDP traffic

Feel free to suggest another sub if this one is a wrong fit.

When opening tcp ports in a firewall, most of the time an opening is only needed in 1 direction. The "reply" traffic is correctly identified as related and is being let through. But does the same logic apply to UDP since there are no acks and nothing else of the sort?

My actual problem: trying to configure DNS forwarding in a Windows domain towards another Windows domain. Set up the conditional forwarders on domain A towards domain B, enabling DNS debug logging on DNS of domain B, I see that my queries coming in from domain A arrive and replies are being sent back, the problem is that the queries actually timeout from the perspective of any clients on domain A, including the domain controllers being used as forwarders.
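A minimal simulation of how a stateful firewall treats UDP, added here as an illustration and not taken from the post: it assumes the usual conntrack-style model in which an allowed outbound datagram creates a 5-tuple entry with an idle timeout, and an inbound datagram passes only if it is the exact reverse of an unexpired entry. The addresses and the timeout value are constructed.

```python
"""Toy stateful firewall for UDP: shows why a DNS reply is let back in without
an explicit inbound rule, and which "replies" are NOT matched."""
from dataclasses import dataclass

UDP_TIMEOUT = 30.0  # assumed idle timeout (seconds) before a UDP flow is forgotten


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class UdpStatefulFirewall:
    """Tracks outbound UDP 5-tuples; inbound packets pass only if they are the
    exact reverse of a tracked, unexpired flow."""

    def __init__(self, timeout=UDP_TIMEOUT):
        self.timeout = timeout
        self.flows = {}  # (src, sport, dst, dport) -> last-seen timestamp

    def outbound(self, pkt, now):
        # An allowed outbound datagram creates (or refreshes) a flow entry.
        self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
        return "ALLOW"

    def inbound(self, pkt, now):
        # The reply must come from the address AND port we sent to, back to the
        # exact source address and port we used; there are no flags to help.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        last = self.flows.get(key)
        if last is None:
            return "DROP: no matching flow (unsolicited)"
        if now - last > self.timeout:
            del self.flows[key]
            return "DROP: flow expired"
        self.flows[key] = now  # refresh the idle timer
        return "ALLOW: reply to tracked flow"


def demo():
    """Four DNS-forwarding cases; returns the firewall verdict for each."""
    fw = UdpStatefulFirewall()
    dc_a = "10.1.0.10"   # constructed: DNS server in domain A (the forwarder)
    dns_b = "10.2.0.10"  # constructed: DNS server in domain B
    results = []
    # 1. Query A -> B:53, reply from B:53 -> allowed as "related" traffic.
    fw.outbound(Packet(dc_a, 50001, dns_b, 53), now=0.0)
    results.append(fw.inbound(Packet(dns_b, 53, dc_a, 50001), now=0.1))
    # 2. Reply arrives from a different address (multi-homed server answering
    #    from its other interface) -> no matching flow, dropped.
    fw.outbound(Packet(dc_a, 50002, dns_b, 53), now=1.0)
    results.append(fw.inbound(Packet("10.2.0.11", 53, dc_a, 50002), now=1.1))
    # 3. Reply arrives after the idle timeout -> dropped.
    fw.outbound(Packet(dc_a, 50003, dns_b, 53), now=2.0)
    results.append(fw.inbound(Packet(dns_b, 53, dc_a, 50003), now=2.0 + UDP_TIMEOUT + 1))
    # 4. Unsolicited inbound query from B -> dropped.
    results.append(fw.inbound(Packet(dns_b, 40000, dc_a, 53), now=3.0))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Case 2 is the one to check when queries arrive and answers are sent but clients still time out: the answer has to leave from the same address and port the query was sent to.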



Strange readings, detecting 40MHz on the 2.4 band, customer swears 40MHz is not in the 2.4 radio config?

Has anyone done surveys recently with a deployment that is dense in Cisco 4800 access points? On a few surveys that I have done where the customer has Cisco 4800 access points, Ekahau has been detecting the 2.4 band broadcasting at 40 MHz in some areas, but the customer swears they're not using 40 MHz channels on the 2.4 band? Using my phone I have seen the channels pop up as if it was 802.11ax 2.4 using 11+7, or something similar to that. Has anyone else seen this, and if so, any idea if it's a problem with Ekahau or the controller?



Cisco ACI - Set up VPC pair with a single leaf in the fabric (temporarily during migration)

Hi all,

We are planning a migration of a couple of NX-OS switches (C93180YC-EX) in a VPC pair to ACI, to which we have dual-homed servers connected with LACP port-channels.

To minimize downtime, our idea was:

  • Migrate one of the switches to ACI in a non-redundant VPC config to allow LACP negotiation.
  • Repatch the servers one by one to the new switch (unplugging the cable to the NX-OS switch), causing just a short outage per server.
  • Migrate the second switch to ACI and reconnect the redundant cabling.

We're doing this in a test setup right now, but are unable to get the VPC up and running:

  • 1 leaf fully operational in ACI (switch/port profiles, etc)
  • 1 leaf pre-provisioned - so there is a node-id configured with switch/port profiles, etc
  • We can create the VPC protection group just fine, however it throws this fault:

"Failed to configure the vPC policy for the vPC pair xxx and a virtual IP address of xxx because: VPC Node IP Address Unknown, One Node in VPC is Not Leaf, One Node in VPC Not in Fabric, Nodes are not part of same POD"

  • "show vpc" on the CLI of the ACI leaf indeed shows that VPC is not configured at all:

Legend:
(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : Not configured
Peer status : peer link not configured
vPC keep-alive status : Disabled
Configuration consistency status : failed
Per-vlan consistency status : success
Configuration inconsistency reason: vPC peer-link does not exist
Type-2 consistency status : failed
Type-2 inconsistency reason : vPC peer-link does not exist
vPC role : none established
Number of vPCs configured : 0
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Disabled
Auto-recovery status : Enabled (timeout = 240 seconds)
Operational Layer3 Peer : Disabled

Has anyone gone through this process successfully by any chance?

An alternative we're thinking about could be to configure local port-channels on the ACI leaf so at least LACP will come up when we repatch the servers, but then we still need to convert them one by one from PC to VPC once the second leaf is available in the fabric. But at least it wouldn't be a total downtime while migrating both switches.

Or any other ideas?

Thanks!



LTE cellular WiFi router with VPN option?

Hello Internet, is there any good LTE cellular WiFi router that has a VPN option? I looked at the TP-Link M7350 but it doesn't offer VPN settings.



GNS3 VM Connectivity Issues

Hey everyone,

I have a good setup which I practice labs on, involving GNS3 and VMware Workstation 15 Pro. Originally setting it up was a huge pain in the a**, but once it was all setup after 2 days, it worked well...that's until the next day. If I put my computer to sleep and wake up the next morning, my VM under server summary goes red "vm stopped or cannot be reached". Rebooting the VM and GNS3 does nothing, it simply fails to connect to the VM.

After researching, I read that someone tried to reset the Virtual Network Editor settings ("restore defaults"). I did that and re-configured my vmnet1 (host) and vmnet (NAT) configs because I'm not using the default network settings. This actually worked.

But again, if I restart GNS3, or if I put my computer to sleep, the next time I access GNS3 the VM is dead again, and I literally have to restore default settings again and reconfigure. I've been doing this daily and am getting tired of it. Has anyone experienced anything similar who may have an explanation or permanent fix for it?

Thanks!



Cisco Router + IPSec VPN + performance issues

Hi all

Currently facing an issue where we are noticing a gradual performance hit in one of our satellite offices which contains under 10 staff.

The office contains

- A 1000Mbps or 1Gbps fiber link supplied via the ISP provided Huawei NTU
- All traffic routes through a IPSec VPN, not split tunneling
- Cisco RV325 router ( might not be the best - throughput for IPSec VPN caps at 100 Mbps )
- handles the internal network DHCP
- handles the connection to the NTU
- handles the IPSec VPN

What I'm experiencing is that over the course of, say, a 1 hour period, when I'm plugged directly into the router (avoiding any other networking equipment), I run a basic ping test to the ISP default gateway or the LAN port on the NTU, and the same test to the internet gateway address, which begins at say 2-3ms but eventually increases to 700-800ms. Speed tests when good are around 45Mbps but then drop to 3-4 Mbps.

At this point in time we have approx. 5 - 6 staff accessing the internet, taking Teams calls, accessing internal resources.

At this point, the IPSec tunnel goes down and comms are lost for the next 10 - 15 seconds. When comms are restored, ping results drop back down to 2 - 3ms.

I'm assuming this is a performance / load issue with the Cisco RV325 and it seems it is unable to cope with the load - essentially causing all sorts of performance issues and seems to reset its connections.

I was wondering if this sounds accurate? Is there anything else I can look for?

All ports on the Cisco router are configured for gigabit speed so I don't think it's a port configuration issue.



NAC and PXE boot/imaging PCs

Helping implement a NAC (ClearPass specifically) and trying to approach the problem of PXE booting and imaging Windows 10 devices. Our org is looking at MAC auth for the PXE boot part, which works ok as ClearPass can identify PXE boot clients, and then a switch to 802.1X during the image process as soon as Windows is up, joined to our AD and gets GPO settings etc. From the guys testing, they have not been able to get the device to stay authenticated during the imaging process and it ends up reconnecting constantly and apparently interrupting the imaging process. Looking online, most people seem to just do MAC bypass for imaging and new devices and then 802.1X once the device is deployed. Has anyone been successful with anything other than MAC auth for imaging devices? Thanks.



Honeypot unused IP space?

Like everyone on the internet I see loads of bots scanning my IP space and the occasional brute force attack. I have a scattering of unused IP space that I'm thinking of pointing at a honeypot and using the output of this to firewall off these bad actors.

  • The IPs are not published anywhere (DNS, etc)
  • There is no reason for anyone to attempt to connect to these IPs unless they're scanning for stuff

If there are solutions to contribute this information to the larger community I'd be really interested in these.
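One way to turn hits against unused address space into a block list, added here as an example and not code from the post. The log format, the dark-space prefix, the allowlist and the thresholds are all constructed; the point it adds is that a lone SYN or UDP datagram can carry a forged source address, so a single unconfirmed hit should not be enough to block someone, whereas a completed TCP handshake with the honeypot cannot be spoofed.

```python
"""Build a firewall block list from hits against unused ("dark") IP space.
Added example with a constructed log format: "<ts> <proto> <src> <dst> <dport> <state>"
where state is "est" (TCP handshake completed by the honeypot), "syn" (SYN only)
or "dgram" (UDP datagram)."""
import ipaddress
from collections import defaultdict

# Constructed: address space with nothing legitimate on it (not in DNS, unused).
DARK_SPACE = [ipaddress.ip_network("198.51.100.16/28")]
# Constructed: our own monitoring/scanner hosts must never end up blocked.
ALLOWLIST = {ipaddress.ip_address("192.0.2.10")}
# SYN-only and UDP hits may be spoofed, so require breadth before trusting them.
MIN_UNCONFIRMED_TARGETS = 4

SAMPLE_LOG = """\
2021-04-17T09:00:01Z tcp 203.0.113.5 198.51.100.20 22 est
2021-04-17T09:00:02Z tcp 203.0.113.6 198.51.100.17 445 syn
2021-04-17T09:00:02Z tcp 203.0.113.6 198.51.100.18 445 syn
2021-04-17T09:00:02Z tcp 203.0.113.6 198.51.100.19 445 syn
2021-04-17T09:00:03Z tcp 203.0.113.6 198.51.100.20 445 syn
2021-04-17T09:00:05Z udp 203.0.113.7 198.51.100.21 161 dgram
2021-04-17T09:00:06Z tcp 192.0.2.10 198.51.100.22 22 est
2021-04-17T09:00:07Z tcp 203.0.113.8 198.51.100.5 22 est
"""


def in_dark_space(ip):
    return any(ip in net for net in DARK_SPACE)


def parse_line(line):
    ts, proto, src, dst, dport, state = line.split()
    return {"ts": ts, "proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "state": state}


def build_block_list(lines):
    """Sources to block: anyone who completed a TCP handshake with a dark
    address, or who touched at least MIN_UNCONFIRMED_TARGETS distinct
    dark (address, port) pairs. Allowlisted and non-dark hits are ignored."""
    confirmed = set()
    targets = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["src"] in ALLOWLIST or not in_dark_space(rec["dst"]):
            continue
        if rec["state"] == "est":
            confirmed.add(rec["src"])
        targets[rec["src"]].add((rec["dst"], rec["dport"]))
    blocked = {src for src, seen in targets.items()
               if src in confirmed or len(seen) >= MIN_UNCONFIRMED_TARGETS}
    return sorted(str(ip) for ip in blocked)


def nft_add_commands(ips, set_name="honeypot_block"):
    """nft commands that add each source to a named set (set assumed to exist
    in table "inet filter" and to be referenced by a drop rule)."""
    return [f"nft add element inet filter {set_name} {{ {ip} }}" for ip in ips]


if __name__ == "__main__":
    for cmd in nft_add_commands(build_block_list(SAMPLE_LOG.splitlines())):
        print(cmd)
```

In the sample, 203.0.113.7 is left alone after a single UDP hit and 203.0.113.8 is ignored because 198.51.100.5 is outside the dark range; only the confirmed handshake and the four-target sweep are blocked.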



Mitigate poor network performance?

Hi, I'm looking for basic info on how to mitigate bad network performance for KS3/4 level so not too technical. Really thinking around the areas of wiring, network types, hardware. Any contributions would be great.

Basically some simple ideas for how poor performance on a network can be mitigated.

Thanks for any help!



Monday, April 12, 2021

VOLTE

Hi! A noob here!

I am interested in learning LTE & VoLTE. I was looking for some documents to learn from, as the 3GPP specs look complex and hard to understand.

How is VoLTE implemented?



Cisco ASA NAT by user

Hi,

I got a task to make NAT for Remote Access VPN users by their username. For example, user1 has several devices connected to the ASA with IP pool 192.168.0.x and they get NATed to 10.0.0.1, and user2 has several devices connected to the ASA with IP pool 192.168.0.x but they get NATed to 10.0.0.2. User authentication happens through LDAP. Is there a solution on the ASA for that case?

Thanks.



40GB QSFP ER4 question

I didn't realize QSFP doesn't have a ZR analogue; guessing it's power budget. So I'm trying to figure out if a 40/100G ER4 rated for 40km will be fine doing 42.5-44km (depending on what tool you're using to measure). It's just slightly out of spec and I'm not sure of the quality of the glass, but am pretty sure it's carrier-grade Corning for most of it.

I'm guessing there will be fewer errors on 40G at that distance than 100G, so wanted to see what others might think of it.



Anyone know of a way to automate shutting down unused ports with netmiko/ansible on IOS switches?

With Ansible, I was able to put together a playbook that shut down any port in the "down" state or "notconnect" state. The only issue was, I couldn't also filter it by a certain VLAN. Is there a way with netmiko to shut down a port in the notconnect or down state that is also in a specific VLAN?
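One way to do the VLAN filter with netmiko, added here as an example rather than the poster's playbook: parse the `show interfaces status` table, keep only ports whose Vlan column equals the target access VLAN and whose status is notconnect, and generate the shutdown config. The sample output is constructed; `ConnectHandler`, `send_command`, `send_config_set`, `save_config` and `disconnect` are real netmiko calls, imported lazily so the parser runs without netmiko installed.

```python
"""Select "notconnect" access ports in one VLAN from `show interfaces status`
and build the IOS config to shut them. Added example, not from the post."""
import re

# Constructed sample of `show interfaces status` from an IOS switch.
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   Uplink to core     connected    trunk      a-full  a-1000 10/100/1000BaseTX
Gi1/0/2                      notconnect   10         auto    auto 10/100/1000BaseTX
Gi1/0/3   Printer            notconnect   20         auto    auto 10/100/1000BaseTX
Gi1/0/4                      disabled     10         auto    auto 10/100/1000BaseTX
Gi1/0/5   Camera             connected    10         a-full  a-100 10/100/1000BaseTX
Gi1/0/6                      notconnect   10         auto    auto 10/100/1000BaseTX
Gi1/0/7   Spare uplink       notconnect   trunk      auto    auto 10/100/1000BaseTX
"""

# The Name column is optional and may contain spaces, so anchor on the status keyword.
_ROW = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|disabled|err-disabled|inactive)\s+"
    r"(?P<vlan>\S+)\s+(?P<duplex>\S+)\s+(?P<speed>\S+)\s+(?P<type>.*)$"
)


def parse_interface_status(text):
    """One dict per interface row; the header and blank lines do not match."""
    return [m.groupdict() for m in map(_ROW.match, text.splitlines()) if m]


def select_ports_to_shut(rows, vlan, statuses=("notconnect",)):
    """Ports in the given access VLAN whose status is in `statuses`.
    Trunk and routed ports never match because their Vlan column is a word,
    not a number; already-disabled ports are left alone by default."""
    return [r["port"] for r in rows
            if r["vlan"] == str(vlan) and r["status"] in statuses]


def build_shutdown_commands(ports, tag="unused - shut by automation"):
    """IOS configuration lines in the form send_config_set() expects."""
    cmds = []
    for port in ports:
        cmds += [f"interface {port}", f" description {tag}", " shutdown"]
    return cmds


def shut_unused_ports(device, vlan, dry_run=True):
    """Fetch the table from a switch and (unless dry_run) apply the shutdowns.
    `device` is the dict netmiko's ConnectHandler takes (device_type, host, ...)."""
    from netmiko import ConnectHandler
    conn = ConnectHandler(**device)
    try:
        rows = parse_interface_status(conn.send_command("show interfaces status"))
        cmds = build_shutdown_commands(select_ports_to_shut(rows, vlan))
        if cmds and not dry_run:
            conn.send_config_set(cmds)
            conn.save_config()
        return cmds
    finally:
        conn.disconnect()


if __name__ == "__main__":
    rows = parse_interface_status(SAMPLE_STATUS)
    print("\n".join(build_shutdown_commands(select_ports_to_shut(rows, 10))))
```

A port that is notconnect at the moment the command runs may still belong to a device that is merely switched off, so review the dry-run list before applying it.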



Webex\Zoom Bandwidth

Hello all,

I wanted to see if anyone running Meraki MX appliances has any guide on how I can throttle Zoom\Meets\WebEx to stop it from eating up all the bandwidth. Our school now wants to host Zoom\Webex sessions and 400+ Zoom sessions.

I enabled the default "Traffic shaping rules" by Meraki and set port 8801 to only use 3 Mbps... any other suggestions anyone else has for these situations?



Looking for assistance with BGP setup (paid)

We're setting up our first rack in a datacenter with proper ASN, direct assigned IPs, multi-homed 10Gbps transit, etc. This is a green field setup.

Looking to hire an expert for $250/hr who will guide us through this process. Afterhours/weekend work is fine. We're on the west coast USA.

Would prefer an ISP or datacenter engineer who has been through this bare-ground-to-operational process before.

If you're interested, shoot me a DM with a brief paragraph about why you'd be a good fit for this along with any questions you may have.

This will answer a few questions: ASN: 399489

Equipment is not yet selected. Leaning towards Mikrotik for the router, Ubnt Edge for core switches.

Don't worry about the firewall or servers, those are under control; this is just for the edge DC network, BGP routing setup, perhaps VXLAN?

Thanks everyone for reading!



Maximum acceptable dB loss for a 100G LR4 optic

Pretty basic question, but I can't seem to find an answer. Delving into 100Gig connections and having an issue getting light through. Could be distance or loss, but I don't think so. I'm getting -5.6 dB, which seems pretty good. What would be the maximum acceptable loss for a 100G-LR4 optic?



Cisco 4451 boot issues

I'm having issues booting my Cisco 4451. I will post the boot process. I'm stuck at rommon and I am limited on .bin files for this router. I've tried booting from USB and I get the SHA-1 hash doesn't match error. Any help would be appreciated.

Initializing Hardware ...
System integrity status: 00000610
Rom image verified correctly
System Bootstrap, Version 15.4(3r)S, RELEASE SOFTWARE
Copyright (c) 1994-2014 by cisco Systems, Inc.
Current image running: Boot ROM0
Last reset cause: LocalSoft
Cisco ISR4451-X/K9 platform with 4194304 Kbytes of main memory
no valid BOOT image found
Final autoboot attempt from default boot device...
File size is 0x00000000
Located tracelogs.772
Image size 0 inode num 12, bks cnt 0 blk size 8*512
Boot image size = 0 (0x0) bytes
File size is 0x0000001e
Located throughput_monitor_params
Image size 30 inode num 13, bks cnt 1 blk size 8*512
#
Boot image size = 30 (0x1e) bytes
Unsigned package found, aborting ...
File size is 0x22cdd722
Located isr4400-universalk9.16.09.01.SPA.bin
Image size 583915298 inode num 15, bks cnt 142558 blk size 8*512


Boot image size = 583915298 (0x22cdd722) bytes
Package header rev 3 structure detected
Calculating SHA-1 hash...done
validate_package: SHA-1 hash:
calculated bc3a0d9a:3469f9e8:5656e3d6:f400a370:df623802
expected bc3a0d9a:3469f9e8:5656e3d6:f400a370:df623802
Signature verification failed for key# 2
Signature verification failed for key# 3
Failed to validate digital signature
Signature verification failed for key# 2
Signature verification failed for key# 3
Failed to validate digital signature
RSA Signed REVOCATION Image Signature Verification Failed.
Package Load Test Latency : 6852 msec
Unsigned package found, aborting ...
File size is 0x00002834
Located intelliden.cfg
Image size 10292 inode num 16, bks cnt 3 blk size 8*512
Boot image size = 10292 (0x2834) bytes
Unknown image structure
boot: cannot determine first file name on device "bootflash:/"
autoboot: boot failed, restarting...
Initializing Hardware ...
System integrity status: 00000610
Rom image verified correctly
System Bootstrap, Version 15.4(3r)S, RELEASE SOFTWARE
Copyright (c) 1994-2014 by cisco Systems, Inc.
Current image running: Boot ROM0
Last reset cause: LocalSoft
Cisco ISR4451-X/K9 platform with 4194304 Kbytes of main memory



The value of Cisco Devnet Associate / Professional?

Let's say you want to be a Network Engineer or Senior Network Engineer in companies such as Amazon, Google, Facebook, etc. Since these companies have hundreds of devices and policies, automation is not an option, it is a must.

My question is: Does Cisco Devnet Associate/Professional prepare you to deal with these huge environments?

If yes, please give me an example. If not, please tell me the recommended study materials.

Best regards.



MSTP Topology

We have 4 HP switches, 2 ProCurve (SW1, SW2) and 2 ArubaOS-CX (SW3, SW4), connected in a ring and MSTP is not behaving how we expected it to.

All four switches have two instances configured, MST0 and MST1. The two ProCurves are in a region and the two CXs are in individual regions.

For MST0, SW1 is regional root, as expected, with priority of 4096. SW2 is priority 8192. SW3 and SW4 are priority 28672.

For MST1, SW1 and SW2 are priority 16384, SW3 is priority 4096, SW4 priority is 8192.

MST0 and MST1 have the same topology though.

SW1 -> SW2 Forwarding, SW1 -> SW3 Forwarding, SW1 -> SW4 Forwarding

SW2 -> SW1 Forwarding, SW2 -> SW3 Forwarding, SW2 -> SW4 Forwarding

SW3 -> SW1 Root Forwarding, SW3 -> SW2 Alt Blocking, SW3 -> SW4 D Forwarding

SW4 -> SW1 Root Forwarding, SW4 -> SW2 Alt Blocking, SW4 -> SW3 Alt Blocking

With the priorities configured, we expected SW1 to be root for MST0 and regional root for the region containing SW1 and SW2. We expected SW3 to be root for MST1 and SW4 -> SW3 to be Root Forwarding because they are directly connected.

Does anyone have any ideas?



Ping Fluctuations

I have two network-connected access control panels at two very near physical locations. The main panel is above our server room, and the second is a fiber connection a few hundred feet away. We have older switches, maybe 9-10 years old. For over 10 years, the network has been totally fine with our badge panels and their sub-10ms response requirements to allow access to the building. Two weeks ago, they started pinging over 10ms, sometimes hitting over 100ms, which prevents the door codes/badge swipes from unlocking the doors. Now, I'm seeing a steady fluctuation between 1-20ms and an occasional 100+ms. I have swapped the cables, ports, switches, turned off traffic inspection on the firewall, confirmed no running backups at the time of spikes, had the door access NIC replaced in the panel, changed the power supply, and had backup batteries swapped. Changed the static IPs, confirmed they're not in the DHCP scope to reserve, and changed the gateway on the readers. Confirmed the port used for transmission (3001) is okay, too. If I pull the power on one of the panels, the ping will stay at 1ms for about an hour, then steadily increase. I am at my wits' end on this. We have a pretty flat/standard network, nothing like OSPF set up. I am a one-person IT department, and am relying on vendors for help. They're both great, but neither has any idea what's going on at the moment that's causing this.

Any tips/tricks you can suggest? I'm very new to this, but want to do a good job. I hate being dependent, but at this time, I am at the whim of the vendor/consultant.



False Positives in Whatsup

I have started a new position and have found that Whatsup has been reporting devices as down then back up without us ever having them actually go down.  I have seen this only affecting switches.  It can range from the "outage" being a minute to hours.  Whatsup is configured to send a down message when it gets three minutes of no response from the device.  What are some things I could look at that would affect this?  



Fortigate/FortiWiFi 60F/61F vs Cisco ISR 4221

Can anyone here tell me the main difference between the 2 and if the Fortigate/FortiWiFi 60F is a suitable upgrade from the Cisco 4221 that the company I'm working for is currently using?

What I'm mostly concerned about is increasing the aggregate throughput; the 4221 is specced for 35-75Mbps, and the Fortigate has a bunch of throughput figures mentioned in its data sheet.



Redundancy for Voice

A family member has a restaurant which is facing some internet/phone problems. His phones go out from time to time for about 30min - 2 hours, which costs him a lot of money since he's missing all those food orders & deliveries. I don't have much experience with phones and haven't looked at his setup. Is there something I should be looking out for? Are there any options on how to achieve redundancy for voice?



Quickly Checking Ports?

TL;DR: How can I quickly check if a drop has network connectivity?

Hello all! I decided not to get into networking, and decided to pursue programming. However, I got a job where I am probably gonna be the networking/sysadmin/desktop tech guy. So in addition to programming an inventory/ticket system for this job (or at least for my resume), I decided to not waste the opportunity and get my N+ and CCNA while I am here. I have so many ideas to get this place out of the stone age, such as using VPNs to connect all 3 locations, implementing PC imaging via the network, and adding user network-accessible storage, but I do not have the know-how to implement them at the moment.

So that's the background on why I'm here; my question is how can I quickly check if a drop has network connectivity? I'm currently going drop to drop with a laptop and Ethernet and that's very tedious. Also, not every drop on the network has PoE, so I can't just grab a VoIP phone and see if it lights up. I shadowed a guy some time ago and he was able to quickly see new clients that connected to a switch. I am working with a mixture of Cisco and Dell switches.



L3 Switch for WAN connection

Hey! How do I configure an L3 switch with a static IP address given by the ISP to connect to the internet? Is it possible to do so without a router?



Cannot access Dell N2048p switch WebGUI over VPN

I am trying to access our Dell N2048p switch over VPN, but whenever I try to get into the WebGUI, it gives me the following error:

Please note that you are a level 1 user and do not have configuration privileges. This session is limited to read-only operations. 

This does not happen if I access the WebGUI from the local network (either being onsite or remoting into a computer on that local network). I am also able to access the switch over VPN if I try to SSH into it and I can ping it, I just can't get into it through the browser.



Multiple Vlans with DHCP

I have a project that I have jumped into that has got me in a dark corner thinking about ways to accomplish this, I am hoping I am missing something and there is a simple solution :)

My site is a big residential development that for reasons (which I can explain if necessary) needs a separate VLAN per apartment, and there are 680 apartments. So we are looking at around 700 VLANs, each with its own gateway and DHCP pool. The core network includes Brocade L3 switches and SonicWall firewalls, and whatever else we need to make this work.

The issue here is that even the top-spec SonicWall firewall is limited to 512 VLANs. I have a similar project that was completed successfully and worked very well, but it only had 300 VLANs, so the VLAN interfaces sat on the firewall, which also gave out DHCP etc., all from the firewall, so it was relatively simple.

Is there a way to achieve this? Would it be ok to put all the VLAN interfaces on the L3 switch and then add a DHCP helper address pointing to a DHCP server?

Any suggestions welcome!