Saturday, May 8, 2021

SD-WAN Scale

Greetings All

Hope all is well. I would like some guidance from SD-WAN experts.

I am working with a customer of mine who is considering moving to an SD-WAN solution for centralized management, SaaS optimization and seamless failover.

We have more than 6 offers from giant SD-WAN players, and technically they almost fulfill the requirements.

One of the consultants working closely with management, however, is concerned about the vendors' SD-WAN scale, especially as the solution should serve around 2000 entities.

I have searched a lot for big vendors such as Cisco, Velocloud and Silverpeak, but I cannot find a number that really reflects such a requirement (I can see from blogs, for example, that Cisco has the largest deployment, but nothing confirmed).

Any highlights would be appreciated.



Measuring out shorter cabling lengths - any tips or devices that help?

Does anybody here have any tips for measuring out short cable runs, so you can either make or order in custom-length cables?

This is for copper, fiber or power cables.

The distance range is from within a rack, or between racks in a cage (i.e. through the overhead raceways).

Is there maybe some kind of semi-rigid cabling, with metre markings on it? Happy to get different items for different ranges if I need to.

(e.g. I know for RUs there's rack tape - https://racktape.com/ - but I can't find anything here. A standard measuring tape is obviously too stiff to route through cable guides etc., and won't bend/flex the same way copper/fiber cables will.)



Can We Use Either 1550 or 1310 Transceivers on Single Mode?

Our campus just had single mode fiber installed and we're trying to figure out what to use for SFPs.

Can single mode fiber use either 1550 or 1310 for a given fiber?

What I'm beginning to understand is that either can be used for single mode fiber, and it's up to us to determine which type of transceiver to use (this run is about 2,500 ft).

Is this correct?

Thanks for any insights here.



Need help urgent: how to protect from TCP reset attacks? My ISP uses TCP reset attacks for censorship.
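An added note on this post (not from the original poster): the robust protection against an on-path RST injector is to carry the traffic inside an encrypted tunnel (WireGuard, OpenVPN, or similar), because the injector needs to see the TCP 4-tuple and sequence numbers to forge a convincing RST. Before changing anything it is worth confirming that the resets really are injected. The example below is an added one, not code from the post; it walks a list of constructed packet records and flags RST segments whose IP TTL differs from the TTL the real peer has been using on that flow, or whose sequence number is not exactly RCV.NXT (RFC 5961 says a host should accept only an exact match and challenge-ACK anything merely in-window). The packet dicts are constructed to mirror what a pcap reader would hand over.

```python
"""Flag TCP RST segments that look injected by an on-path middlebox.

Added example, not from the original post. Two heuristics that a censorship-style
RST injector commonly trips:
  1. the RST's IP TTL differs from the TTL the real peer has been using on the
     same flow (the injector sits a different number of hops away);
  2. the RST's sequence number is not exactly RCV.NXT for the flow (RFC 5961
     says to accept only an exact match and to challenge-ACK anything else).
Packets are plain dicts (constructed below) so the script runs offline; a real
deployment would feed it from a pcap reader such as scapy or dpkt.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SEQ_MOD = 2 ** 32
FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport) for one direction


@dataclass
class FlowState:
    ttl_seen: Dict[int, int] = field(default_factory=dict)  # ttl -> count of non-RST segments
    rcv_nxt: Optional[int] = None  # next sequence number expected from this sender
    rcv_wnd: int = 65535


def dominant_ttl(state: FlowState) -> Optional[int]:
    """TTL seen on most non-RST segments of the flow, or None before any data."""
    if not state.ttl_seen:
        return None
    return max(state.ttl_seen.items(), key=lambda kv: kv[1])[0]


def classify_rst(state: FlowState, pkt: dict) -> List[str]:
    """Return the reasons an RST looks injected (empty list = looks genuine)."""
    reasons = []
    ttl0 = dominant_ttl(state)
    if ttl0 is not None and pkt["ttl"] != ttl0:
        reasons.append(f"ttl {pkt['ttl']} != flow ttl {ttl0}")
    if state.rcv_nxt is not None and pkt["seq"] != state.rcv_nxt:
        offset = (pkt["seq"] - state.rcv_nxt) % SEQ_MOD
        where = "in-window" if offset < state.rcv_wnd else "out-of-window"
        reasons.append(f"seq {pkt['seq']} != RCV.NXT {state.rcv_nxt} ({where})")
    return reasons


def analyse(packets: List[dict]) -> List[Tuple[FlowKey, int, List[str]]]:
    """Walk packets in capture order; return (flow, seq, reasons) for suspicious RSTs."""
    flows: Dict[FlowKey, FlowState] = {}
    suspicious = []
    for p in packets:
        key: FlowKey = (p["src"], p["sport"], p["dst"], p["dport"])
        st = flows.setdefault(key, FlowState())
        if "R" in p["flags"]:
            reasons = classify_rst(st, p)
            if reasons:
                suspicious.append((key, p["seq"], reasons))
            continue  # never let an RST update the baseline it is judged against
        st.ttl_seen[p["ttl"]] = st.ttl_seen.get(p["ttl"], 0) + 1
        # SYN and FIN each consume one sequence number; payload bytes consume the rest
        advance = p.get("payload_len", 0) + ("S" in p["flags"]) + ("F" in p["flags"])
        st.rcv_nxt = (p["seq"] + advance) % SEQ_MOD
        st.rcv_wnd = p.get("window", st.rcv_wnd)
    return suspicious


# Constructed sample: server 198.51.100.20:443 -> client 192.0.2.10:40000.
SERVER = {"src": "198.51.100.20", "sport": 443, "dst": "192.0.2.10", "dport": 40000}
SAMPLE = [
    dict(SERVER, ttl=52, flags="SA", seq=1000, window=29200),
    dict(SERVER, ttl=52, flags="PA", seq=1001, payload_len=100),
    # injector copied the right sequence number but sits 9 hops closer than the server
    dict(SERVER, ttl=61, flags="RA", seq=1101),
    # injector that got neither the hop count nor the sequence number right
    dict(SERVER, ttl=61, flags="R", seq=5000),
    # a genuine RST from the server itself
    dict(SERVER, ttl=52, flags="R", seq=1101),
]


def suspicious_in_sample():
    return analyse(SAMPLE)


if __name__ == "__main__":
    for flow, seq, reasons in suspicious_in_sample():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} RST seq={seq}: " + "; ".join(reasons))
```

The TTL check is the more reliable of the two in practice: a well-built injector can read the sequence number off the wire, but it cannot easily know how many hops the real server is away, so its forged packets arrive with a different TTL. Simply dropping all RSTs with a firewall rule is a known workaround, but it also discards legitimate resets, so the tunnel remains the proper fix.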



(Probably Simple) Ruckus ICX Help

Bit of a newb here, so I appreciate your time/patience. I have two stacks of Ruckus ICX switches connected via a LAG. Default VLAN traffic travels fine, but I'm in the process of adding a second VLAN and I'm not having a ton of luck convincing the LAG to pass traffic for this new VLAN. I assume that I need to add the VLAN to the trunk ports in one way or another, but in trying to tag the LAG port to the new VLAN, I broke the LAG. Thoughts?



Issues with DuckDuckGo with BYOD Century Link Fiber

I have not been able to use specific websites after installing an EdgeRouter X on my CenturyLink fiber service. The router has just the bare minimum VLAN 201 + PPPoE authentication configured for its WAN. Most websites work fine. A few websites hosted on Microsoft Azure don't seem to connect. This issue does not occur with the CenturyLink-provided router.

As you can see in this traceroute, CenturyLink is handing my traffic over to Microsoft, so it does not appear the issue is on CenturyLink's end.

Tracing route to duckduckgo.com [52.149.246.39] over a maximum of 30 hops:
  1     2 ms    11 ms     7 ms  192.168.2.1
  2     4 ms     9 ms     3 ms  boid-dsl-gw18.boid.qwest.net [184.99.64.18]
  3     6 ms     6 ms     6 ms  boid-agw1.inet.qwest.net [184.99.65.137]
  4    16 ms    14 ms    31 ms  ae27.edge6.Seattle1.Level3.net [4.68.63.133]
  5     *        *        *     Request timed out.
  6    15 ms    14 ms    16 ms  Microsoft-level3-10G.Seattle1.Level3.net [4.71.156.74]
  7    23 ms    56 ms    25 ms  ae25-0.icr01.mwh01.ntwk.msn.net [104.44.233.82]
  8    72 ms   160 ms    72 ms  be-160-0.ibr02.mwh01.ntwk.msn.net [104.44.21.149]
  9    73 ms    73 ms    74 ms  be-7-0.ibr02.cys04.ntwk.msn.net [104.44.18.224]
 10    85 ms   163 ms    98 ms  be-8-0.ibr02.dsm05.ntwk.msn.net [104.44.18.151]
 11    72 ms   100 ms   111 ms  be-4-0.ibr02.ch2.ntwk.msn.net [104.44.19.252]
 12    73 ms    75 ms    73 ms  104.44.29.252
 13    72 ms    72 ms    74 ms  104.44.30.5
 14    74 ms    71 ms    71 ms  104.44.32.47
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.

This occurs with all DNS resolutions of duckduckgo.com I have tried (including Google Public DNS, CenturyLink's DNS, OpenDNS, Cloudflare, etc.).

I think my IP might just be banned in Azure Cloud or something. Unfortunately I have not been able to get a new one assigned. Rebooting all on-premises equipment and explicitly disconnecting/reconnecting the PPPoE interface does not assign a new IP.
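An added check for this post (not from the original poster): the symptom pattern, where the ISP's own router works but a third-party router with a bare PPPoE WAN hangs on a handful of sites, is the classic path-MTU blackhole. PPPoE leaves 1492 bytes for IP instead of 1500, and if the ICMP "fragmentation needed" messages are filtered somewhere along the path, large replies from those sites never arrive while small ones do. The traceroute completing proves reachability, not that full-size packets get through. The block below is added here, not from the post; the Windows ping flags set DF (-f) and the payload size (-l), and the EdgeOS commands are the documented firewall mss-clamp option. The hostname is the one from the post; everything else is a suggested check.

```text
# 1. From a Windows host behind the EdgeRouter: 1464 bytes of payload + 28 bytes of
#    ICMP/IP headers = 1492, the PPPoE path MTU. If 1464 fails with "Packet needs
#    to be fragmented but DF set" (or just times out) while 1436 succeeds, full-size
#    packets are being dropped somewhere on the path.
ping -f -l 1464 duckduckgo.com
ping -f -l 1436 duckduckgo.com

# 2. On the EdgeRouter X, clamp the TCP MSS on the PPPoE interface so neither end
#    ever tries to send a segment larger than the link carries (1492 - 40 = 1452).
configure
set firewall options mss-clamp interface-type pppoe
set firewall options mss-clamp mss 1452
commit
save
exit
```

If the clamp fixes the Azure-hosted sites, the IP was never banned; the ISP router simply applied the same clamp silently.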



Best ground bar location inside a Telecom room

Where is the best place inside a telecom room to locate the telecommunications ground bar? Would the wall in front of the racks, behind the racks, or to the side of the racks work best?



Nexus loop avoidance?

https://www.cisco.com/c/en/us/support/docs/switches/nexus-5000-series-switches/115900-l2mp-vpc-switch-00.html

With the link above, how does broadcast or unknown unicast traffic, when it reaches "Host 1 or 2", NOT get forwarded back out on their interfaces facing the Nexus switches again and create a loop? I understand the peer-link won't forward it out across the vPC links on the Nexus switches (only orphan ports), but when the Nexus switches receive the broadcast via the direct link from the host, it is then sent out the other vPC facing the other switch, so surely the other switch (host) will get it and broadcast it back out the same interface facing the other Nexus switch? If so, then how does a loop not occur here?



2 internet connections 1 switch

Hey all,

Can I possibly set up two internet connections coming into my router to be split between half the ports in my switch?

So 24 ports on my switch would be on 1 internet connection and the other 24 ports on another.

I've got a sophos router and a datto switch.

Thanks



VPN Not accessible.

I configured a VPN server ( windows 2016 using routing and remote access )

Configured with NAT and L2TP.
Internally I can connect and it works fine, but when I connect to my hotspot and try to connect, it does not seem to work. I received a few errors such as misconfiguration of settings and whatnot, and I fixed those issues; however, now I've come across "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer".

Does anyone know why this might be ?

Some of the error codes I received on the event log on the server were:

"Remote Access Connection Manager failed to start because the protocol engine IKEv2 failed to initialize" Error Code : 20063

"CoId={3844df3e-fd67-5b1c-2681-973424702a01}: The following error occurred in the Point to Point module on port VPN2-127, Username <unauthorized user>. Negotiation timed out" Error code: 20255

I have port-forwarded 1701 on the router and I'm using the public IP address to connect to it externally (is this the right IP to try to connect to?).

Someone please help



reading old database (.dat)

Can you recommend some software into which I could import an ancient database?

I have two files:

ora.dat and ora.log

The .dat file looks like an export from some kind of SQL database:

ªEXPORT:V09.02.00

DSYSTEM

RENTIRE

2048

0

20

0

ª ªР Pet Pro 13 7:3:28 2013E:\Backup\Ora.dat

These are the first three lines of the log file:

Connected to: Oracle9i Enterprise Edition Release 9.2.0.5.0 - Production

With the Partitioning, OLAP and Oracle Data Mining options

JServer Release 9.2.0.5.0 - Production
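An added note on this post (not from the original poster): the header quoted above is the signature of a classic Oracle export dump written by the exp utility, not a generic SQL dump, and such files are read only by Oracle's matching imp utility (Data Pump impdp and generic SQL tools cannot import them). The example below is added here, not code from the post. It sniffs the leading bytes for that header and pulls out the exp release, the exporting user and the export mode, then reads the source database release from the log. The field layout it assumes (charset byte, EXPORT:V line, then D-user, R-mode and record-length lines) is the commonly documented exp format and is an assumption to verify against your own file; the sample bytes are constructed to mirror the post.

```python
"""Sniff a file for the classic Oracle export (exp) dump header.

Added example, not from the original post. The layout assumed here is the
commonly documented one for exp dumps (an assumption, verify against your file):
byte 0 is the export character set id, then "EXPORT:V<release>\n", then one
line each for the exporting user ("D..."), the export mode ("R..." such as
RENTIRE, RTABLES, RUSERS) and the record length. Such a file is read only by
Oracle's imp utility; Data Pump (impdp) and generic SQL tools cannot import it.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample mirroring the header quoted in the post (charset byte chosen arbitrarily).
SAMPLE_DAT = b"\x03EXPORT:V09.02.00\nDSYSTEM\nRENTIRE\n2048\n0\n20\n0\n"

# The first three lines of the companion .log file, as quoted in the post.
SAMPLE_LOG = (
    b"Connected to: Oracle9i Enterprise Edition Release 9.2.0.5.0 - Production\n"
    b"With the Partitioning, OLAP and Oracle Data Mining options\n"
    b"JServer Release 9.2.0.5.0 - Production\n"
)

MODE_NAMES = {"ENTIRE": "full database", "TABLES": "table", "USERS": "schema"}

HEADER_RE = re.compile(rb"(.)EXPORT:V(\d{2}\.\d{2}\.\d{2})\n", re.S)


@dataclass
class ExpHeader:
    charset_id: int
    exp_release: str     # e.g. "09.02.00"
    exported_by: str     # e.g. "SYSTEM"
    mode: str            # e.g. "ENTIRE"
    record_length: int   # e.g. 2048


def parse_exp_header(data: bytes) -> Optional[ExpHeader]:
    """Return the parsed header, or None when the bytes are not an exp dump."""
    m = HEADER_RE.match(data)
    if not m:
        return None
    rest = data[m.end():].split(b"\n")

    def tagged_line(i: int, tag: bytes) -> str:
        if len(rest) > i and rest[i].startswith(tag):
            return rest[i][len(tag):].decode("ascii", "replace")
        return ""

    user = tagged_line(0, b"D")
    mode = tagged_line(1, b"R")
    reclen = int(rest[2]) if len(rest) > 2 and rest[2].isdigit() else 0
    return ExpHeader(m.group(1)[0], m.group(2).decode("ascii"), user, mode, reclen)


def oracle_release_from_log(log: bytes) -> Optional[str]:
    """Pull the first 'Release a.b.c.d' string out of an exp/imp log."""
    m = re.search(rb"Release (\d+(?:\.\d+)+)", log)
    return m.group(1).decode("ascii") if m else None


def describe(dat: bytes, log: bytes) -> str:
    """One-line verdict a responder can act on."""
    h = parse_exp_header(dat)
    if h is None:
        return "not a classic Oracle exp dump"
    rel = oracle_release_from_log(log) or "unknown"
    mode = MODE_NAMES.get(h.mode, h.mode)
    return (f"Oracle exp {mode} export by {h.exported_by}, exp release {h.exp_release}, "
            f"source database {rel}; needs Oracle imp of at least that release, not a generic SQL tool")


if __name__ == "__main__":
    print(describe(SAMPLE_DAT, SAMPLE_LOG))
```

For the files in the post this reports a full-database export taken by SYSTEM with the 9.2 exp utility from a 9.2.0.5 database, so the practical route is an Oracle installation (Oracle XE is sufficient for many schemas) and `imp`, after which the data can be moved anywhere else.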



Friday, May 7, 2021

How does my router get a public IP address and connect to the internet?

I'm really a noob in networking, just started learning a bit for fun, and I didn't find a lot of stuff about it, so I thought I'd just ask here. Hope that's okay lol.

I read on the Internet that my router basically just connects to another "big router" which uses DHCP to give away IPs, but how does my router connect to this "big router"? Like, my router is just plugged into an electrical outlet; how does it get a connection with something and then an IP? I can't see other networks than the one from my router if I scan for networks on, for example, my phone. So how does my router get a connection with this "big router"?



Nexus VPC design question?

With normal StackWise and VSS they use one control plane each when they're stacked together, and packets that need to travel between the switches in the stack go over either the StackWise cables or the VSL link. With Nexus, the peer link will only be used if no other link or way of getting to a destination is possible.

So with a back-to-back vPC setup, if a packet comes in upstream on a vPC port-channel that spans across all downstream switches and needs to go back out on that same downstream port-channel to the other downstream switch where the destination resides, then it wouldn't, because it's not allowed, since packets received on a port-channel do not go back out the same port-channel interfaces. So would the peer link be used? And if so, then once it gets across the peer link, would the other vPC peer switch forward it out the same vPC downstream, possibly on the wrong interface in the port-channel because that's what the hashing fell on, giving a 50% chance of sub-optimal forwarding?

So a single-sided vPC, where a separate vPC is on each of the upstream switches, is used to allow a packet to go upstream to the upstream vPC switches and then back downstream onto the other vPC port-channel interfaces that the destination resides on. Is this right or am I missing something?

Apologies if the description is confusing but it makes sense to me haha.

Thanks everyone for the help



Cisco Stackwise

I will be the first to admit that I am a network beginner. My first real work on enterprise networking has been on the Cat9200 line, though I did my learning on 3560 and 2900.

I've done plenty of decent-sized stacks on 9200s at this point, so I'm familiar with the physical StackWise concept (using actual stack ports and cables). However, when we went to move a critical piece of our network from a single FastE switch to a 1G stack we ran into a problem. We were looking to split the stack across two different cabinets in our data center. What my team lead ended up getting was 2 2900xr switches and running the stack over structured OM3 fiber. The idea was a cool one, but I didn't like that we were seemingly going backwards on version. However, Cisco told us that's all they had (about 6 months ago). So I didn't argue (what did I know?).

However, now I'm seeing that the Cat9400 & 9500 switches have a virtual StackWise feature. Is that similar to what we're doing with the 2900xr? Could we have used new switches this whole time?



SLA for Hurricane Electric?

Is there a published SLA for various services from Hurricane Electric? I've dug the internet and can't find anything but an MSA that doesn't mention it.



USA Networking Remote Hands

I have a project to replace 30 firewalls/switches in different cities in the USA. With COVID, I can't travel to get it done myself. Does anyone have any recommendations for companies that I could use to provide competent remote hands in different cities? Finding 30 separate technicians to do a day's worth of work sounds like a pain in the a$$.



Aruba VMC in tunnel mode Same ssid different vlan, roaming issues

Hello,

Not sure what the best way to do this would be in a tunneled environment, but we need to have an SSID which has a different VLAN per AP group but the same name. I have this working; however, when I connect and roam, I can get an IP in another group, but when roaming back my IP does not change. Would a named VLAN work better in this case? Assign the named VLAN two VLANs, and assign that to the VAP?



Changing an L7 LB to an L4 LB ramifications

We are migrating from -V to -T and manually creating the new configuration. In -V we had a few Virtual Servers that were configured as "Protocol: HTTP" I assume that this defines them as Layer 7 LBs. We replaced them with Layer 4/TCP Virtual Servers in -T and all but one worked fine.

I am not an LB expert - but can anyone think of a reason why changing an LB from Layer 7 to Layer 4 would break the load balancing of a RESTful API-based application?



Issues with Cisco 9500-48Y4C in StackWise-Virtual configuration

Hi All. Sorry for the long post.

I've hit a weird problem with Cisco 9500-48Y4C switches when in a SWV stack.

The switches are running IOS XE 17.3.3 (The version recommended by Cisco).

After stacking the switches and reloading, the switches boot, form the stack, then shut all of their interfaces down, including the SVL and DAD links. The stack is up though and the standby switch knows it's a standby (console disabled, etc). Reloading the Active also reboots the standby switch, so they're definitely communicating. All interfaces show not connected in show int status, and all of the transceivers show as unknown, including the SVL and DAD links:

Port Name Status Vlan Duplex Speed Type

Twe1/0/47 DAD Link notconnect 4094 auto auto unknown

Twe1/0/48 DAD Link notconnect 4094 auto auto unknown

Hu1/0/51 SVL notconnect 4094 auto auto unknown

Hu1/0/52 SVL notconnect 4094 auto auto unknown

Twe2/0/47 DAD Link notconnect 4094 auto auto unknown

Twe2/0/48 DAD Link notconnect 4094 auto auto unknown

Hu2/0/51 SVL notconnect 4094 auto auto unknown

Hu2/0/52 SVL notconnect 4094 auto auto unknown

After 40 minutes, all of the transceiver types are suddenly known and the DAD links come up. After another 40 minutes the SVL Links come up, along with all other interfaces on the switches.

Port Name Status Vlan Duplex Speed Type

Twe1/0/47 connected 4094 full 10G SFP-10GBase-CU3M

Twe1/0/48 connected 4094 full 10G SFP-10GBase-CU3M

Hu1/0/51 connected 4094 full 100G QSFP 100G CU2M

Hu1/0/52 connected 4094 full 100G QSFP 100G CU2M

Twe2/0/47 connected 4094 full 10G SFP-10GBase-CU3M

Twe2/0/48 connected 4094 full 10G SFP-10GBase-CU3M

Hu2/0/49 notconnect 1 full 100G QSFP 100G LR4

Hu2/0/50 notconnect 1 full 100G QSFP 100G LR4

Hu2/0/51 connected 4094 full 100G QSFP 100G CU2M

Hu2/0/52 connected 4094 full 100G QSFP 100G CU2M

Has anybody seen this before, or know where the hell I should start troubleshooting? There are no errors thrown in syslog and no logs pointing to a service starting or anything before the links come up, just the link up messages. I'm going to raise a TAC case as well, but I'm hoping somebody here might have an idea what it might be.

The switches are brand new. I have 4 of them, configured in two stacks, both stacks doing the same thing. They shipped with IOS XE 16.12.4 which did exactly the same. I updated one stack using ISSU and the other manually to 17.3.3 and both methods updated the standby switch as expected.

I've included some show outputs and config that might help tell the whole story below.

show switch output:

Switch/Stack Mac Address : 0000.0000.0000 - Local Mac Address

Mac persistency wait time: Indefinite

H/W Current

Switch# Role Mac Address Priority Version State

-------------------------------------------------------------------------------------

*1 Active 0000.0000.00c0 5 V02 Ready

2 Standby 0000.0000.0060 1 V02 Ready

show Stackwise-virtual output:

Stackwise Virtual Configuration:

--------------------------------

Stackwise Virtual : Enabled

Domain Number : 1

Switch Stackwise Virtual Link Ports

------ ---------------------- ------

1 1 HundredGigE1/0/51

HundredGigE1/0/52

2 1 HundredGigE2/0/51

HundredGigE2/0/52

show Stackwise-virtual link output:

-----------------------------------------------

Switch SVL Ports Link-Status Protocol-Status

------ --- ----- ----------- ---------------

1 1 HundredGigE1/0/51 D R

HundredGigE1/0/52 D R

2 1 HundredGigE2/0/51 D R

HundredGigE2/0/52 D R

show Stackwise-virtual dual-active-detection output:

In dual-active recovery mode: No

Recovery Reload: Enabled

Dual-Active-Detection Configuration:

-------------------------------------

Switch Dad port Status

------ ------------ ---------

1 TwentyFiveGigE1/0/47 down

TwentyFiveGigE1/0/48 down

2 TwentyFiveGigE2/0/47 down

TwentyFiveGigE2/0/48 down

show romvar output:

Switch 1

SWITCH_PRIORITY="5"

D_STACK_MODE="aggregation"

D_STACK_DOMAIN_NUM="1"

D_STACK_DISTR_STACK_LINK1="Hu1/0/51,Hu1/0/52,"

D_STACK_DISTR_STACK_LINK2=""

D_STACK_DAD="Twe1/0/47,Twe1/0/48,"

Switch 2

D_STACK_MODE="aggregation"

D_STACK_DOMAIN_NUM="1"

D_STACK_DISTR_STACK_LINK1="Hu2/0/51,Hu2/0/52,"

D_STACK_DISTR_STACK_LINK2=""

The relevant config from each stack:

stackwise-virtual

domain 1

!

interface TwentyFiveGigE1/0/47

stackwise-virtual dual-active-detection

description DAD Link

!

interface TwentyFiveGigE1/0/48

stackwise-virtual dual-active-detection

description DAD Link

!

interface HundredGigE1/0/51

stackwise-virtual link 1

description SVL

!

interface HundredGigE1/0/52

stackwise-virtual link 1

description SVL

!

interface TwentyFiveGigE2/0/47

stackwise-virtual dual-active-detection

description DAD Link

!

interface TwentyFiveGigE2/0/48

stackwise-virtual dual-active-detection

description DAD Link

!

interface HundredGigE2/0/51

stackwise-virtual link 1

description SVL

!

interface HundredGigE2/0/52

stackwise-virtual link 1

description SVL



QinQ on Nexus and Level3 eLync/Lumen Dynamic Connections ExpressRoute

Anyone done QinQ on a Nexus 9K? Pretty much all the examples I've seen are for Catalyst, which doesn't work on the Nexus. Going off the NX-OS manual my best guess is below, but I am unable to get the Azure VLAN to come up. VLAN 200 being the Azure VLAN and VLAN 900 being the Lumen outer VLAN. IP on the Azure side would be 10.1.1.106/30. Interface e1/1 is up.

This service also appears similar to Megaport if there's anyone using a Nexus with Megaport.

interface Vlan200
  ip address 10.1.1.105/30
  no shutdown
interface Ethernet1/1
  switchport
  switchport mode dot1q-tunnel
  switchport vlan mapping 200 dot1q-tunnel 900
  switchport trunk allowed vlan 200
  no shutdown


Aruba 1930 PoE Budget calculation

I'm planning a setup and need some guidance on the PoE budget calculation.

I'd like to use the following access point types (besides some other PoE devices):

  • Aruba AP11 "maximum power consumption (worst case)": 10.1W
  • Aruba AP17 "maximum power consumption (worst case)": 13.5W

With probably one or more of following switch models:

  • HP Aruba Instant On 1930 Rackmount Gigabit Smart Switch, 24x RJ-45, 4x SFP+, 195W PoE+
  • HP Aruba Instant On 1930 Rackmount Gigabit Smart Switch, 24x RJ-45, 4x SFP+, 370W PoE+
  • HP Aruba Instant On 1930 Rackmount Gigabit Smart Switch, 48x RJ-45, 4x SFP+, 370W PoE+

Are there any best practices regarding calculating the required power budget?

Or do I just need to satisfy: "accumulated worst case power consumption < PoE capacity of the switch"

Which would mean 19x AP11 (10.1W) = 191.9W on the 195W switch. Quite close, but this is also worst case power consumption, so I expect the typical to be less.
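An added worked example for the budget question (not from the original poster): the arithmetic in the post counts only the PD-side worst-case figure, but the switch reserves power on the PSE side, which must also cover cable loss, and some switches reserve the full allotment of the device's advertised 802.3af/at class rather than its real draw. The block below is added here, not the post's or Aruba's own calculation. It classifies each device, computes the reservation under both accounting methods and reports how many devices fit with a headroom margin. The IEEE class limits are standard values; whether a given 1930 model accounts by class or by negotiated draw is an assumption to verify against its datasheet.

```python
"""PoE budget check for a switch with a fixed power pool.

Added example, not from the original post. Two ways a PSE (the switch) may
charge a powered device against its budget; which one a given switch uses is
an assumption to verify on its datasheet or CLI:
  * by class: the full 802.3af/at allotment of the PD's advertised class is
    reserved (class 3 = 15.4 W, class 4 = 30 W at the PSE) regardless of draw;
  * by draw: the PD's actual or LLDP-negotiated requirement is reserved.
The datasheet "worst case" figures in the post are PD-side numbers; the PSE
also has to cover cable loss, which the standard budgets as 15.4 W PSE for
12.95 W PD (class 3) and 30 W PSE for 25.5 W PD (class 4). Scaling by that
ratio is a conservative approximation (I^2R loss is lower at lower current).
"""
from typing import Dict, List, Tuple

# class -> (max W at PSE, max W available at PD) per IEEE 802.3af/at
CLASS_TABLE: Dict[int, Tuple[float, float]] = {
    1: (4.0, 3.84),
    2: (7.0, 6.49),
    3: (15.4, 12.95),
    4: (30.0, 25.5),
}


def poe_class(pd_watts: float) -> int:
    """Smallest 802.3af/at class whose PD allowance covers the device's draw."""
    for cls, (_pse, pd_max) in sorted(CLASS_TABLE.items()):
        if pd_watts <= pd_max:
            return cls
    raise ValueError(f"{pd_watts} W exceeds 802.3at class 4; needs 802.3bt")


def pse_reservation(pd_watts: float, by_class: bool) -> float:
    """Watts the switch will reserve for one device under the chosen accounting."""
    cls = poe_class(pd_watts)
    pse_max, pd_max = CLASS_TABLE[cls]
    return pse_max if by_class else pd_watts * pse_max / pd_max


def max_devices(pd_watts: float, budget_w: float, headroom: float = 0.10, by_class: bool = False) -> int:
    """How many identical devices fit while keeping `headroom` of the budget free."""
    usable = budget_w * (1.0 - headroom)
    return int(usable / pse_reservation(pd_watts, by_class))


def plan(devices: List[Tuple[str, float]], budget_w: float,
         headroom: float = 0.10, by_class: bool = False) -> dict:
    """Check a mixed set of (name, PD worst-case W) against one switch's budget."""
    need = sum(pse_reservation(w, by_class) for _name, w in devices)
    usable = budget_w * (1.0 - headroom)
    return {"required_w": round(need, 1), "usable_w": round(usable, 1), "fits": need <= usable}


if __name__ == "__main__":
    for label, by_class in (("by draw", False), ("by class", True)):
        n11 = max_devices(10.1, 195, by_class=by_class)
        n17 = max_devices(13.5, 195, by_class=by_class)
        print(f"{label:8s}: AP11 x{n11}, AP17 x{n17} on a 195 W switch with 10% headroom")
    # a mixed closet on the 370 W model
    print(plan([("AP11", 10.1)] * 12 + [("AP17", 13.5)] * 4, 370))
```

For the post's own numbers this gives 16 AP11s on the 195 W switch with no headroom when accounting by draw (cable loss included) and only 12 when the switch reserves by class, against the 19 the raw datasheet arithmetic suggests; with 10% headroom the counts drop to 14 and 11.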



AWS DX / public VIF

Been reading about direct connects, specifically public VIFs. Their documentation makes sense WRT how the IP and VLAN on the DX is supposed to work. Per the AWS documentation, you should use an IP you own or have authorization to use via your ISP. You can request public IPs from AWS to use for it but it sounds like you need to justify it.

How do folks do this in practice? Say I have dual homed Internet running BGP and advertising a leased /24 that I use for NATs. Each ISP lands in a vlan on an access switch and is then trunked to the firewall, and each handoff is a /29

ISP1 ----vlan10-----\
                     switch ---trunk: 10,20 ---- Firewall
ISP2 ----vlan20-----/

Do I land the direct connect in a port on vlan 10 or 20, then give the VIF an IP from the respective /29 handoff? Do I carve out a /30 from the leased block and use that?



Traffic generator for SD-WAN pilot

We're about to kick off a pilot of two vendors' SD-WAN solutions, and one of the things we're most interested in is application-aware routing (e.g. route HTTP traffic over link A and FTP traffic over link B), and context-aware routing (e.g. route traffic to Website1 over link A and traffic to Website2 over link B).

I was thinking that I'd need to set up a webserver, and FTP server and maybe one other in order to demonstrate this, but I was wondering if there was something that could auto-simulate this sort of traffic, ideally statefully. Cisco TRex, Solarwinds WAN Killer and Ostinato look like options. Does anyone have any advice on whether these are worth trying for what we want to achieve? Any other tools we should be looking at?

Cheers!

Kevin



Networking + Python

Hi All,

I've recently been learning Python, coming from PowerShell.

I've stumbled upon modules such as Netmiko, NAPALM, etc.

I work for a relatively small company and we've pretty much done every config manually, network-wise.

Can these modules assist with tasks such as copying config from a SonicWall to new Palo Altos?

Any advice would be great!
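An added answer for this post (not from the original poster): Netmiko and NAPALM move text to and from devices over SSH or an API; neither translates one vendor's policy model into another's. A SonicWall-to-Palo-Alto migration is therefore pull the old rules, normalise them into a neutral structure, render PAN-OS commands, review them, and only then push. The block below is an added example, not code from the post or from either vendor; it shows the middle of that pipeline. The Rule values, zone names and address objects are constructed, and the `set rulebase security rules ...` layout is assumed from PAN-OS configure-mode CLI conventions, so verify it against your PAN-OS release before pushing anything.

```python
"""Render vendor-neutral firewall rules as PAN-OS "set" commands.

Added example, not from the original post. Netmiko and NAPALM move text to and
from devices; neither translates one vendor's policy model into another's, so
a SonicWall-to-Palo-Alto move is: pull the old rules, normalise them into a
neutral structure, render PAN-OS commands, review, then push. The Rule values,
zone names and address objects below are constructed, and the command layout is
assumed from PAN-OS configure-mode CLI conventions; verify it against your
PAN-OS release before pushing with Netmiko.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    sources: List[str]
    destinations: List[str]
    applications: List[str]
    services: List[str]
    action: str            # allow | deny | drop
    description: str = ""


def _name(text: str) -> str:
    """PAN-OS needs double quotes around names that contain spaces."""
    return f'"{text}"' if " " in text else text


def _members(values: List[str]) -> str:
    """A single value is written bare, several as a bracketed list: [ a b ]"""
    if len(values) == 1:
        return _name(values[0])
    return "[ " + " ".join(_name(v) for v in values) + " ]"


def render_rule(r: Rule) -> List[str]:
    base = f"set rulebase security rules {_name(r.name)}"
    cmds = [
        f"{base} from {r.from_zone}",
        f"{base} to {r.to_zone}",
        f"{base} source {_members(r.sources)}",
        f"{base} destination {_members(r.destinations)}",
        f"{base} application {_members(r.applications)}",
        f"{base} service {_members(r.services)}",
        f"{base} action {r.action}",
        f"{base} log-end yes",
    ]
    if r.description:
        cmds.append(f'{base} description "{r.description}"')
    return cmds


def render_all(rules: List[Rule]) -> List[str]:
    return [c for r in rules for c in render_rule(r)]


def validate(rules: List[Rule]) -> List[str]:
    """Cheap checks that catch the usual migration mistakes before anything is pushed."""
    problems, seen = [], set()
    for r in rules:
        if r.name in seen:
            problems.append(f"duplicate rule name {r.name}")
        seen.add(r.name)
        if r.action not in ("allow", "deny", "drop"):
            problems.append(f"{r.name}: unknown action {r.action!r}")
        if r.action == "allow" and r.sources == ["any"] and r.applications == ["any"] and r.services == ["any"]:
            problems.append(f"{r.name}: allows any source, any application, any service")
        for lst, what in ((r.sources, "source"), (r.destinations, "destination")):
            if not lst:
                problems.append(f"{r.name}: empty {what} list")
    return problems


# Constructed sample: two rules as they might come out of a normalised SonicWall export.
SAMPLE_RULES = [
    Rule("Allow-Web", "trust", "untrust", ["LAN-Users", "LAN-Printers"], ["any"],
         ["web-browsing", "ssl"], ["application-default"], "allow", "Outbound web"),
    Rule("Block-SMB-Out", "trust", "untrust", ["any"], ["any"],
         ["ms-ds-smb"], ["any"], "deny"),
]

# Pushing with Netmiko (not executed here) looks like:
#   from netmiko import ConnectHandler
#   with ConnectHandler(device_type="paloalto_panos", host=..., username=..., password=...) as conn:
#       conn.send_config_set(render_all(SAMPLE_RULES))
#       conn.commit()

if __name__ == "__main__":
    for problem in validate(SAMPLE_RULES):
        print("WARN", problem)
    print("\n".join(render_all(SAMPLE_RULES)))
```

The part worth spending time on is the normalisation step that produces the Rule objects: SonicWall address objects, service objects and zones have to be mapped one by one to PAN-OS address objects, services and zones, and applications that SonicWall identified by port need an App-ID equivalent; the validate() pass is where overly broad rules get caught before they reach the new firewall.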



Pulse Secure VPN client gives "Unacceptable TLS certificate" error on Ubuntu 20.04

Hey everyone,

I have been unable to connect to my org's VPN using Pulse Secure since yesterday. It gives "Unacceptable TLS certificate" when I press "Connect" on the Pulse Secure VPN client.

I am using Ubuntu 20.04 with the 9.1r9.0-b255 version of Pulse Secure.

What I have tried:

I opened the connection URL in the browser, exported the certificate from there, and put it in /usr/local/share/ca-certificates. Then I ran sudo update-ca-certificates --fresh
This fixed the "Unacceptable TLS certificate" and got me to the login screen on the VPN client but after entering the credentials, nothing happens. I cannot connect to the VPN. [Source]

I have also tried to reinstall the Pulse Secure VPN (same version as listed above) following instructions from here after deleting the /usr/local/pulse and ~/.pulse_secure directories, but the issue persists. [Also tried filling the form given here but never received the download link of the latest client]

What I found:

During my search, I also came across this r/sysadmin post which tells me that Windows users have had certificate problems recently. This link on that post says that Linux users should not be facing any issues. I am not sure why this is happening, and I am also not an expert in this field.

Could someone please help me out so that I can log in back to my org's VPN?

Thanks a lot.



What information would you expect when starting a new network admin role?

I’m a network engineer working for a University with around 50 MPLS sites. We have four main campuses with many other minor sites. We have five team members across two geographical locations around three hours drive apart. The team consists of an architect, two senior engineers and two standard engineers. A new person is starting in our team next month (replacing a standard engineer) who will be based at the other geographical location. I’d like your advice and opinions on what I can do to prepare for this new person starting.

Our environment is complex and, due to the small size of our team versus the workload, there's not a lot of documentation of our systems. I want to develop an onboarding process (or something? ANYTHING?) for new members of our team but don't know where to start.

What have your good/bad experiences been when starting with a new organisation? What things did you initially learn that helped you in your new role? What important things got left out?

My role is mainly based around maintaining/upgrading L2, responding to level three tickets and managing the wireless infrastructure. The new person will have similar duties but in a region with a majority EOS L2 fleet. They have a good background in network support in a small-mid sized environment, but likely with different brands and network designs.

Let me know what your experience has been starting in a networks team and what you wished they’d done for you.



Aruba C1000 6.9 upgrade faults

Anyone come across this? Upgraded a C1000 from 6.7.0 to 6.7.14 (went fine), then to 6.9.0 (as per the recommended upgrade path from Aruba). But after going to 6.9 the RadSec and RADIUS server services kept failing to start (the ever-helpful "check systemctl status" when we have no shell access...). I upgraded to 6.9.5 hoping it was a bug in 6.9.0, but no love.

Foolishly tried a factory reset and now the device can't even get through initial setup.

Have an rma raised but curious if anyone has come across this before?

Annoyingly, I can't even find a way to break the boot cycle and force it to load 6.7 or 6.8 :/



Strange Problem with Ethernet Connectivity on DGS-108/GS108 Switches

Hi,

I have a very strange problem with respect to connectivity on DGS-108/GS108 switches.

Background: I am working on developing embedded hardware which uses an i.MX8M Mini System on Chip. An Atheros AR8031 Ethernet transceiver is installed on this board. This embedded hardware runs a minimal variant of Linux which supports the Ethernet software stack for the installed transceiver. The embedded hardware supports speeds up to 1 Gigabit/s.

On the Linux OS running on the embedded hardware, we have configured a Static IP of 192.168.13.200, Netmask 255.255.252.0 and Gateway of 192.168.12.240 by default on boot. (DHCP can also be enabled, but for testing we have kept it as static)

I am facing the following issues/observations. In all of the cases mentioned where I have used a switch, there is no other device connected to the switch other than the embedded board.

Observation #1: When I connect the Ethernet cable (Cat-6 RJ45) from the embedded board to a host PC (Windows 10 PC) directly, i.e. a one-to-one connection, the Ethernet link is up within 2 seconds and the speed is set to 1 Gbps after auto-negotiation (confirmed from Windows and also the lights on the embedded board: LINK LED is GREEN, SPEED LED is GREEN).

Observation #2: When I connect the Ethernet cable from the embedded board to a managed switch (D-Link DGS-1100-5), the Ethernet link is up within 2 seconds and the speed is also set to 1 Gbps after auto-negotiation (confirmed from Windows and also the lights on the embedded board: LINK LED is GREEN, SPEED LED is GREEN).

Observation #3: When I connect the Ethernet cable from the embedded board to an unmanaged switch (D-Link DGS-108), the board is stuck at auto-negotiation. The Ethernet link comes up momentarily (~500 ms) before going down again. The Ethernet LEDs are always blinking, i.e. in the same pattern as when they are trying to auto-negotiate.

Observation #4: When I connect the Ethernet cable from the embedded board to an unmanaged switch (Netgear GS108), the Ethernet link is up, but the speed is set to 100 Mbps. The Ethernet LEDs on the embedded board show LINK LED GREEN and SPEED LED AMBER.

TLDR:

My custom embedded device supports 1 Gbps Ethernet (Atheros AR8031) and it runs a minimal Linux OS which supports the Ethernet stack.

1) When I connect my custom embedded device to a D-Link DGS-108 switch, the Ethernet link is not stable; it is always stuck in auto-negotiation.

2) When I connect my custom embedded device to a Netgear GS108 switch, the Ethernet link is stable but stuck at 100 Mbps.

3) When I connect my custom embedded device to a D-Link DGS-1100-5 switch, the Ethernet link is stable and I get 1 Gbps.

4) When I connect my custom embedded device to a Windows PC directly, the Ethernet link is stable and I get 1 Gbps.



A question already asked but version 2021 : SDWAN Actor choice

Hi guys,

I know this question has already been asked many times over the last few years, but I don't see any recent info on the topic (I've read a lot of reviews from 1-4 years ago, but nothing 2021-related).

We have 60 sites, linked by a mix of IPsec over Internet, MPLS, VPLS, etc. We will standardize on full SD-WAN over the internet (2 DIA and 1 broadband).
We have drilled down through the different providers and retained two solutions: Silverpeak and Velocloud. But we now have some trouble making the final choice (we don't have the money or time to POC it properly). Have some of you tried both solutions, and what were the advantages and drawbacks that you found?

I like Velocloud's ability to show quite clearly the QoE and underlay link state based on real traffic; the segment/VRF is also a nice-to-have, and the 9 CoS that consolidate 2000 business policies.
I don't like the design of the orchestrator, which feels Win95-like, and I feel like DMPO is less efficient than FEC.

I like Silverpeak's enormous list of applications, the integration with Aruba ClearPass on the roadmap (we have a project to use Aruba for the LAN), the integrated TCP optimization (we have a lot of web services) and the Boost options.

We feel that technically it is a draw. Did we miss something?

*French here, so be lenient with me*



Thursday, May 6, 2021

MDF - IDF’s: Infrastructure build

I'm designing a security camera system for a large warehouse. Currently there is no existing infrastructure in place and, due to the distances of the required cameras, I will need to build out 7-8 IDFs. I'm looking for help on the best practices for implementing this. Please tell me what you would use for the MDF switch, the IDF switches, MM or SM fiber, and the topology.

Scope of infrastructure:

MDF - non-existent. Needs a main switch going out to 8 IDFs and connecting to ISP MM fiber.

IDFs - each located 600'+ from the next and so on, spanning in four separate directions from the MDF. Each IDF will have 4 cameras connected (DIN-rail industrial switch?); also no local power readily available.

Cameras are cloud-based (no NVR) and operate at 20 Kbps at rest.

I appreciate any insight. Thank you



Tiktok

What are the ranges of IP addresses and the domain names of the TikTok app?



HP/Aruba 1930 LED lights weird? Maybe not?

Good day folks, hope all is well. I have been putting in some HP/Aruba 1930 switches, and to me the LED lights on them are weird. Looking up the documentation, it really doesn't describe what I'm seeing. Everything is working right, but I feel it's a weird light pattern.

Video: https://imgur.com/a/15Rdxdz



Creating new uplinks from Fabric Interconnects

Hi Everyone,

This one has me scratching my head in a dumbfounded way; I must be missing something very obvious. We have UCS blades with FI 6454s connecting to 2 Cisco N5548UPs via vPC. I am trying to replace the N5Ks with 2x Nexus C93180YC-EX. We have Pure Storage and it was purchased as a FlashStack without the upstream switches from the FIs.

The design guide was followed to set up everything except the N5Ks, as they were already in production in our other virtual infrastructure environment. I am now following that guide to set up the N9Ks, and when bringing the new uplink online to FI-B, Bridge Assurance/Spanning Tree immediately blocks the VLANs on the port-channel (the other uplink from FI-B to the N5Ks is disabled before trying to bring the new link online). The same VLANs are in use on the N5Ks with no issues.

Config of one of the ports and port-channel

interface Ethernet1/45
  description vpc link to fryfi-b
  switchport mode trunk
  switchport trunk allowed vlan 130-135
  spanning-tree port type normal
  channel-group 145 mode active
  no shutdown
interface port-channel145
  switchport mode trunk
  switchport trunk allowed vlan 130-135
  vpc 145

I have tried spanning-tree port type edge trunk as per the design guide as well. If I do a single uplink not in a port-channel it works and is not blocked, and if I put that single link in a port-channel it starts blocking.

Link to diagram: the C3750X is the root bridge for all VLANs except the 2 storage VLANs (these are only on the 4 Nexus and the FIs); they are all being blocked, so I don't think it's the root bridge causing the issue.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Do you guys use strict interface description formatting?

For example, do you guys implement any strict formatting requirements for interface descriptions, even at the access level, to aid in troubleshooting?

For example, instead of an interface description like this:

Office printer

A strict format would be something like:

Office printer : HP-382059 : 42.G.12 : 2021-05-06

Where

Device : Hostname : Patch Panel : Last updated

Or something like that? Is that helpful, or a complete pain? Instead of doing it like this, do you just do your port documentation in a DCIM?
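As an added example (not from the post), here is a small validator and config audit for the strict Device : Hostname : Patch Panel : Last updated format described above. The patch-panel pattern (rack.panel.port, e.g. 42.G.12), the ISO 8601 date and the staleness threshold are assumptions of this example, not a standard, and the sample config is constructed.

```python
"""Validate and audit strict interface descriptions (added example, not from the post).

Field order follows the post: Device : Hostname : Patch Panel : Last updated.
The patch-panel pattern, the ISO 8601 date and the staleness threshold are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import date

SEPARATOR = " : "
FIELD_COUNT = 4
# Assumed conventions: DNS-label style hostnames, rack.panel-letter.port patch panels
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}$")
PATCH_PANEL_RE = re.compile(r"^\d{1,3}\.[A-Z]\.\d{1,3}$")


@dataclass
class InterfaceDescription:
    device: str
    hostname: str
    patch_panel: str
    last_updated: date

    def render(self) -> str:
        """Rebuild the canonical description string."""
        return SEPARATOR.join(
            (self.device, self.hostname, self.patch_panel, self.last_updated.isoformat())
        )


def parse_description(text: str) -> InterfaceDescription:
    """Parse one description; raise ValueError with a reason on any deviation."""
    parts = [p.strip() for p in text.split(":")]
    if len(parts) != FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} fields separated by ':', got {len(parts)}")
    device, hostname, panel, updated = parts
    if not device:
        raise ValueError("device field is empty")
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"hostname {hostname!r} is not a valid label")
    if not PATCH_PANEL_RE.match(panel):
        raise ValueError(f"patch panel {panel!r} does not match rack.panel.port")
    try:
        when = date.fromisoformat(updated)
    except ValueError as exc:
        raise ValueError(f"last updated {updated!r} is not YYYY-MM-DD") from exc
    return InterfaceDescription(device, hostname, panel, when)


def audit_config(config: str, today: date, stale_after_days: int = 365) -> dict:
    """Walk an IOS-style running config and return {interface: problem}.

    Interfaces whose description conforms and is recent are left out of the result.
    """
    problems = {}
    current = None
    for line in config.splitlines():
        stripped = line.strip()
        if line.startswith("interface "):
            current = stripped.split(maxsplit=1)[1]
            problems[current] = "no description"
        elif current and stripped.startswith("description "):
            try:
                parsed = parse_description(stripped[len("description "):])
            except ValueError as exc:
                problems[current] = str(exc)
                continue
            age_days = (today - parsed.last_updated).days
            if age_days > stale_after_days:
                problems[current] = f"stale: last updated {age_days} days ago"
            else:
                problems.pop(current, None)  # conforming and fresh
    return problems


# Constructed sample config for the demo (not a real device)
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Office printer : HP-382059 : 42.G.12 : 2021-05-06
!
interface GigabitEthernet1/0/2
 description Office printer
!
interface GigabitEthernet1/0/3
 description Camera : CAM-07 : 42.G.3 : 2019-01-15
!
interface GigabitEthernet1/0/4
!
"""
AUDIT_DATE = date(2021, 5, 8)  # fixed "today" so the demo is reproducible


def run_description_audit() -> dict:
    return audit_config(SAMPLE_CONFIG, AUDIT_DATE)


if __name__ == "__main__":
    for intf, problem in sorted(run_description_audit().items()):
        print(f"{intf}: {problem}")
```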



Recommendation for an Ethernet Tester

I'm a bit new to networking and trying to locate an issue with a cable drop or three. The ports are all mislabeled, but I was able to trace them back to the patch panel with the toner. However I get no data coming through the lines when they're patched in. I'm suspecting a short or, more likely, a bad punch on them as they were never in use to begin with and it's a pretty new office space.

Before I go through the trouble of re-punching them, I'd like to verify that that's what the issue is first. Plus I'd need something like this handy for next time anyway.

Can anyone recommend a good ethernet tester that would help identify an issue like this?



Multilink PPP issue over T1s

Having a strange issue that I've not run into before. We have a 4xT1 connection to an MPLS cloud bundled into a multilink PPP interface. Outbound to the cloud we're able to get between 5-5.5 Mbps throughput, inbound from the cloud we're only seeing about 1.8Mbps with occasional spikes to 2.4Mbps. We've been running tests for the past 12 hours or so using iperf at either end of the connection and making various adjustments to no avail. Anyone have experience with this and any ideas what I should be looking for?

Setup:

Cisco 2951 with 2 T1s on VWIC3-2MFT-T1/E1 card and 2 T1s on VWIC3-4MFT-T1/E1 card

T1s bundled into multilink bundle and connected to provider MPLS Cloud

On the other side:

Cisco 2951 with 10Mbps ethernet connection into provider MPLS Cloud.

Static routing is setup with the provider



Can you pass the CCNA with absolutely 0 experience?

This may sound ignorant, but can somebody with 0 experience in math, computing or networking start to study for the CCNA or another easier exam (just like that, from scratch, like you learn a new language) and pass it? And if you pass it, are you actually qualified to work and get a job, or how does it work?

I'm in high school right now and have a humanities background so I'm not accustomed to math or computing at all but I'm interested in a career in this field. Again sorry if this sounds really stupid, I tried to do some research on my own but I'm not sure what other people may mean by 0 experience, in my case it is literally 0, like teaching a toddler to speak.

thank you



Juniper MX pppoe subscriber access redundancy

I've been trying to learn about subscriber access on Juniper. If you want to run pppoe subscriber access everything would work fine on one router but how would you design a solution that has next hop redundancy? (Put in a second MX for redundancy)

There is no IP addressing on the subscriber-facing interface, so you can't use VRRP or anything like that. The only config is the VLAN, encapsulation ppp-over-ether and the profile.

Thanks



BDI interface on Cisco ASR 1001-x router

Hi All,

The current setup is:

    ISP1    ISP2
     |       |
    RTR1    RTR2
     |       |
    SW1-----SW2

My switches are Cisco also. The switches are not stacked but are connected by a trunk link. If SW1 fails, HSRP will fail over to RTR2, but the BGP failover has about a 60 second outage because we have to change ISP. I've been tasked with creating the criss-cross style redundancy using the BDI interface.

https://www.cisco.com/c/en/us/support/docs/lan-switching/integrated-routing-bridging-irb/200650-Understanding-Bridge-Virtual-Interface.html

The documentation doesn't seem to match up to my specific network, as I have an L3 port interface on the router with an IP address assigned and an L3 access port on VLAN 100 on the switch side.

I want something like this:

    ISP1    ISP2
     |       |
    RTR1    RTR2
     |   X   |
    SW1-----SW2

I've tried to set it up, but it's causing a loop. The ports on the switch side are access ports, but I tried following a forum post changing the switch ports to trunks and I still had issues. The switch is running RSTP. It appears I can only get the ASR router to run ieee. Is this even the correct way to achieve what I want?

The end goal is to have redundant inside/lan cables (2 cables from each router to the LAN). It's a network design I've seen many times but usually with all L2 or all L3 links.

RTR1 LAN cable1 going to SW1

RTR1 LAN cable2 going to SW2

RTR2 LAN cable1 going to SW1

RTR2 LAN cable2 going to SW2

From research online it looks like a few other people have had this same issue moving from BVI interface to BDI interface, some have found a solution but nothing has worked for me so far. Thanks in advance for any help or insight here.



Discussion: Does ANYONE use network load balancers?

Load balancers have evolved from layer 4 devices to ADCs and WAFs. Administration and management has changed from the network engineering team to the DevOps/Web/SecOps teams. I have personally never seen a network load balancer (balancing Layer 4 protocols between links).

I have seen it in a "traditional" mode (where the lb shares traffic listening to port 80), but that's because the team did not want to change the mode into a L7 device (if it works, don't fix it).

I have never seen anything else being load-balanced apart from HTTP/S traffic. Even DNS traffic is being advertised as anycast instead of being load-balanced.

Do you have L4 LB in production? Or have you seen any in your life?



Virustotal detected trojan inside of iperf?

I wanted to do some bandwidth/network testing and saw that iperf is recommended. I got the most recent version off its SourceForge page (linked from the official iperf site, since the official site doesn't have the latest version), but before installing it I ran it through VirusTotal and it came back as a trojan on multiple antivirus engines. An older version comes back clean.

Is iperf safe? What is causing this? Has iperf been compromised?



Network data vs voice vs security. What's best career option?

Hello. I am a network professional who has worked in all three fields so far. Now I am planning on specializing in one of them, but I am confused about where to go.

I have searched lots of articles, videos but cannot make a decision as I like all three to be honest.

Please help me with this to make the decision easier. Please note that I like technical stuff not managerial. And if possible also recommend good certifications. Thank you.



Lead times through the roof

Nearly a year ago I posted this topic about Cisco lead times blowing out. https://www.reddit.com/r/networking/comments/i3etrd/cisco_lead_times_blowing_out/?utm_source=share&utm_medium=ios_app&utm_name=iossmf

Things seem to have gone from bad to worse and it’s now almost impossible to get any sort of gear. We’re in Australia and literally can’t seem to get any Cisco gear and I have no idea what I’m meant to do. I’ve had an order in for a bunch of 9200Ls and various routers since January which had an estimate of end of April which has now blown out to mid July.

I spoke to one of my suppliers today who said if I don’t have any orders in by the end of this month to not expect anything this side of Christmas.

How are things elsewhere or with other vendors? It pains me to consider moving away from Cisco but I can’t exactly tell my bosses that we can’t build a new site or hire new employees because we don’t have the network infrastructure.



Troubleshooting TCP errors

Hi, I have a user who cannot reliably get to several websites. Eventually they do load but it's taking forever, significantly more than any other internet destination.

When I look at the pcap, I can see, right after the TLS Client Hello and throughout the entire conversation, a lot of TCP Retransmissions, TCP Dup Ack and TCP Out-of-Order packets. Basically the whole Wireshark is black.

Where do I start troubleshooting this? The MTU / path side of things, or maybe their physical equipment / cables, etc. Any insights would be most welcome.



Routing, firewall and VPN restrictions

Hi all

Can I get some clarification on the following ?

We have a small site that is running a Cisco router with its firewall turned on, no IPSec VPN is configured - its WAN is configured for straight fiber internet.

I've since created a few firewall rules to restrict all outbound traffic from the local LAN to our VPN IP - so that when users are plugged into the LAN, the only way to get access to the internet or internal resources is to generate and connect to our client VPN.

During testing - I can browse direct to the VPN portal via IP and log in - DNS fails ( assuming this is because the firewall rules are specific to IP )

However when I attempt to connect using the GlobalProtect app - it establishes connection but fails to authenticate

I was wondering if Global Protect or any client VPN for that matter requires or needs to detect an active internet connection to work ?



Security Newb - Looking for some guidance on identity based protection for web servers.

Hello all,

Currently we're running Palo Altos and performing all kinds of web inspection, but we would like to rely less on the firewalls and add another layer out front. I have very little previous experience with WAFs and proxies, but essentially it sounds like the C-levels would like to see us throw some kind of reverse proxy/identity protection out in front of our web servers, essentially allowing us to cut down on the amount of traffic inspected by the FWs by dropping all non-approved traffic before it even makes it to them.

I know this is very broad, but does anyone have recommendations on some kind of identity-based or reverse proxy type products we could look into implementing? We have a lot of web servers accessed by different users, so it would need to be something that could scale well. Any suggestions or input would be greatly appreciated.



Wired 802.1x issues

Hi all,

We set up 802.1X for our wireless and wired network via NPS using MS-CHAP. The wireless 802.1X is working well; however, the wired network keeps giving "Authentication Failed".

In Event viewer we are getting this error:

Wired 802.1X Authentication failed.

    Network Adapter: Intel(R) Ethernet Connection I219-V
    Interface GUID: {afc07ca4-417b-4ad9-b15d-8efec4c5fe26}
    Connection ID: 0x2
    Identity: host/PC001-test.test.corp
    User: -
    Domain: -
    Reason: 0x50005
    Reason Text: Network authentication failed due to a problem with the user account

Error Code: 0x40420110 


Wednesday, May 5, 2021

Inherited a Cisco Network - New Branch Office

Hello all,

I've inherited a small network as part of my job. I'm currently a one-man IT team supporting around 50-ish users: one ASA at our corp and 8 branch-location ISR 1900 series with VPN tunnels back to corp. We are physically moving one branch to a new location, so therefore a new static IP.

I'm currently no expert in Cisco CLI, though I can do basic things. To get to my question: what is the ideal way of changing the static IP address for both my ISR and my ASA and continuing to have the same VPN tunnel?

Any pointers will be helpful; my overall understanding of networking is pretty decent.



Ciena 3903 - Can you run commands without them instantly activating?

Is there any way on a Ciena 3903 to build out a config without it activating each command after it's entered? Kind of like on a Juniper device, where you can enter all the configuration commands and then commit them all at once?



Hear me out: 4x 5G unlimited cell plans tethered and bridged to a PC, all secured with a VPN

Say you need a lot of bandwidth for a month and don't want to mess with an ISP and pay a huge premium for fiber. Theoretically, you buy 4 5G phones and secure each one with a Mullvad VPN, then, using a VPN tether app, you pass the 4 connections into a PC. The next step is to bridge the connections, then enjoy 400MB/s downloads at $160, giving you a "Boost" month. You can queue a huge download, sync a backup to the cloud, or download a Steam library really fast. Good idea?



Help Needed from Cisco Network Admin

Hello everyone! So I've been tasked with sourcing a Cisco network switch for a client that is based in East Africa. I know my way around computers and networks but SME/Enterprise level networking is a whole different ball game. I apologize in advance if the below post could have easily been found through a Google search but I just wanted to be 100% sure before committing to him.

He does not have a Cisco account and usually orders through Dubai to save on costs. The problem is he usually asks for products that are no longer supported by Cisco. Resellers in the region do not seem to be competent enough to answer his queries, which has resulted in me doing a bit of research to find out exactly what his requirements are and how I can fulfill them.

Long story short, I was looking for a WS-2960-48TT-L Cisco network switch (he quoted this model number himself, which I'm guessing was through his preliminary research), which I DID find, but he asked if it had PoE, which it doesn't. The problem is that the Cisco website upsells you the latest model, which is really expensive (the 9200 series). I wanted to ask if anyone could recommend a Cisco network switch that has 48 ports (10/100/1000) & has PoE along with "Borderless Network Architecture, SNMP Management with Auto Smart Ports" and is in the same price range as the above model (around 200-300 USD).

TL;DR - I need help narrowing down a couple of Cisco network switches that have 48 ports, PoE, & "Borderless Network Architecture, SNMP Management with Auto Smart Ports" and are in the same price range as a WS-2960-48TT-L model.



ASR920 Questions - MPLS PE, EFPs, BDIs, NTU/CE

Hi all,

Hopefully someone can shed a bit of light on a dilemma I am having. I am investigating how viable it is to use a Cisco ASR-920-24SZ-M in lieu of a more complex device like an ASR9901. We are currently working to build a metro Ethernet style product suite including Internet services, E-Line, E-LAN and E-Tree style connectivity. For all of these services, an NTU (usually an NCS520; however, we're still in transition from ME3400s) is used at the customer premises. The NTU is traditionally physically plugged into an ASR9901 or similar. In this scenario we simply create sub-interfaces on the ASR9901 for each service with the correct encapsulation configured; if L3VPN or Internet services are required we configure those on the sub-interface, and if L2VPN services are required we configure the sub-interface to be a member of a VPWS, for example.

Each NTU also contains a BDI or VLAN interface that's standard across the entire network for in-band NTU management. It uses nothing more than a VRF and a /31 point to point configuration as a sub interface on the ASR9901 currently for reachability. We utilise import/export policies to allow our corporate network to reach this NTU management network.

So for example:

We may allocate VLAN 100 for an Internet service handed off on a per-port basis (EPL type service) on the customer site NTU (utilising encapsulation default so the customer does not need to tag traffic) and VLAN 500 for management of the NTU. We carry the traffic at layer 2 back to the ASR9901, where there might be a sub-interface like this, with a sub-interface for NTU management also. Note that the config below is just a quick snippet and example only.

    interface Gi0/0/0/0.100
     description ---Customer A internet---
     ip address 169.254.0.0/31
     service-policy input
     service-policy output
     encapsulation dot1q 100
    !
    interface Gi0/0/0/0.500
     description ---NTU Management---
     ip address 10.0.0.0/31
     vrf forwarding 500
     encapsulation dot1q 500

So from a config standpoint, they're simply nothing more than a sub-interface; for L2VPN services we'd do the same except with the appropriate L2 config on the sub-interface and the appropriate L2VPN configuration applied. The above may also have additional BGP config etc., which isn't overly relevant to the discussion.

So what's the issue? Well, on an ASR920 you can't simply create sub-interfaces. The nice part about using sub-interfaces is that we can utilise the same sub-interface for every customer service, standardising .100 for Internet, .500 for NTU management, .400 for voice, .300 etc. So at a glance, if I want to see every Internet service on a router I can do a show int descr | in .100 etc. It also makes automating it a bit nicer.

My understanding is we need to utilise the bridge-domain functionality; however, this means we need to create a BDI for each NTU management + Internet service or any other L3VPN type service instead. In doing so, we can no longer just use a standard like BDI500 for all NTUs, because BDIs cannot overlap on the same router. So we'd need to have BDI500 for NTU-A, BDI501 for NTU-B, BDI502 for NTU-C etc. Is this correct? Is my only option essentially to go down this path if we want to utilise an ASR920 that relies upon service instance/EFP configuration rather than standard sub-interfaces?

Happy to answer any questions as I'm sure I've missed some details that may help answer my question.



Keeping My IP Safe with TCP Shield

If I run a server behind TCP Shield, does it stop attackers from finding my true IP Address?



POE Injector/Splitter Issues

Hi everyone,

I got a PoE injector and splitter from TP-Link. I connected them today and was testing it out on my Wavlink router. However, it seems like it power-cycles at random times, thus turning off our internet at random times. I have it hooked up correctly, according to YouTube and the manuals. Why is my router power-cycling like that?

Router : WAVLINK Smart WiFi Router AC2100 Dual Band Gigabit Wireless Internet Router

Splitter: Amazon.com: TP-Link PoE Splitter 802.3af Compliant Gigabit Port 5/9/12V DC Power Output Up to 100 meters (325 feet) TL-PoE10R, Black: Electronics

Injector: Amazon.com: TP-LINK 802.3af Gigabit PoE Injector | Convert Non-PoE to PoE Adapter | Auto Detects the Required Power, up to 15.4W | Plug & Play | Distance Up to 100 meters (328 ft.) | Black (TL-PoE150S): Electronics

Thank you



Will adding my own access point on top of the hotel's wifi make it more secure for me?

So I'm traveling, and I have a TP-Link N300. I'm wondering if connecting it directly to the Ethernet port in the hotel, then creating my own access point, makes it any more secure?

If not, what are some practical ways to make it more secure without a vpn?

Why without a VPN? 1. Internet speed isn't great to begin with; adding the VPN just makes it so much slower that it's completely unusable. 2. I rented a room for a month, and connecting each device to the VPN upon reconnecting is really annoying, and it disconnects many times.

Btw, I have AirVPN

Maybe an extra hardware or an extra layer of software? Some configuration?

Thanks a lot in advance!



Firepower PAT Pool. Keep Same pub IP with Round Robin?

We have a PAT pool that has been set up in FP for years without issue. Suddenly, there is a single web site that keeps killing users' connections because 'their IPs are changing mid-session'. They do send a pic showing that the user is logged in with an IP from the PAT pool, and then just a couple of minutes later they have a different IP from the pool.

Is the best option to help ensure the same internal IP keeps the same external IP from the pool for their whole session to check the 'Use Round Robin Allocation' box? I think this because of this snippet from this Cisco doc, though I haven't seen it anywhere else.



Edge Switch Considerations - 3560CX-8XPD-S

Looking for a stand-alone edge switch to terminate an ISP connection and sit between our firewalls. At most, there would be 5 ports used. The speed of the Internet connection wouldn't be any higher than 1Gbps up and down. This switch supports VRF-lite and BGP, has 4x 10 gig ports (2 are mGig), supposedly can achieve line-rate speeds, and is fairly inexpensive compared to a C9xxx series. Best of all, I don't have to buy a useless DNA Center license.

Link to that datasheet:

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3560-cx-series-switches/datasheet-c78-733229.html

Am I crazy for considering this?

Thanks for your help



DNS Reverse Lookup Zone is not synchronized

Hey,

I think it's the correct community to ask this (DNS is a part of networking in my opinion).
I'm a network admin in our company and I have been working here for 5 weeks now. I had a look at our DNS server (Windows Server 2019) settings and noticed that we do not have reverse lookup zones configured, but a whole bunch of static DNS entries. For a new system I installed, we need those rDNS zones.
I never thought about that, but when I configure an rDNS zone the static entries are not synchronized with the new rDNS zone.
Is there any way to synchronize the static DNS entries to the new zone, or is the only way to achieve that to do it manually or via script?
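As an added example (not from the post), the script route for the question above: derive the PTR records a new reverse lookup zone needs from the existing static A records, flagging IPs with several names and IPs no configured zone covers. The A records, zone list and hostnames are constructed; the Add-DnsServerResourceRecordPtr lines it prints are one way to load the result with the Windows DnsServer PowerShell module.

```python
"""Derive PTR records for new reverse zones from static A records (added example).

All data below is constructed for illustration. Only octet-aligned IPv4 reverse
zones (/8, /16, /24) are handled, which is the common Windows DNS layout.
"""
import ipaddress
from collections import OrderedDict


def reverse_zone_name(network: str) -> str:
    """in-addr.arpa zone name for an octet-aligned IPv4 network, e.g. 10.10.1.0/24."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{network}: only /8, /16 and /24 reverse zones are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def build_ptr_records(a_records, zones) -> dict:
    """a_records: iterable of (fqdn, ipv4). zones: networks that got a reverse zone.

    Returns a dict with
      records:   {zone_name: [(ptr_owner_fqdn, target_fqdn), ...]}, one PTR per IP
      conflicts: {ip: [fqdn, ...]} for IPs that have several A records
      unzoned:   [ip, ...] for IPs outside every configured reverse zone
    """
    nets = OrderedDict((reverse_zone_name(z), ipaddress.ip_network(z)) for z in zones)
    records = {zone: [] for zone in nets}
    names_by_ip = OrderedDict()
    for fqdn, ip in a_records:
        addr = ipaddress.ip_address(ip)
        names_by_ip.setdefault(addr, []).append(fqdn.rstrip(".") + ".")  # absolute names

    unzoned = []
    for addr, names in names_by_ip.items():
        zone = next((z for z, net in nets.items() if addr in net), None)
        if zone is None:
            unzoned.append(str(addr))
            continue
        # First A record wins; extra names are reported as conflicts for a human to resolve
        records[zone].append((addr.reverse_pointer, names[0]))
    conflicts = {str(a): n for a, n in names_by_ip.items() if len(n) > 1}
    return {"records": records, "conflicts": conflicts, "unzoned": unzoned}


def to_powershell(records) -> list:
    """Render Add-DnsServerResourceRecordPtr lines (-Name is relative to the zone)."""
    lines = []
    for zone, entries in records.items():
        for owner, target in entries:
            relative = owner[: -(len(zone) + 1)]  # strip ".<zone>" from the owner name
            lines.append(
                f'Add-DnsServerResourceRecordPtr -ZoneName "{zone}" -Name "{relative}" '
                f'-PtrDomainName "{target}"'
            )
    return lines


# Constructed sample data (not real hosts)
A_RECORDS = [
    ("fileserver.corp.example", "10.10.1.20"),
    ("print01.corp.example", "10.10.1.21"),
    ("intranet.corp.example", "10.10.1.20"),  # second name on the same IP
    ("vpn-gw.corp.example", "192.0.2.10"),    # no reverse zone configured for this range
]
REVERSE_ZONES = ["10.10.1.0/24", "10.10.2.0/24"]


def run_ptr_sync() -> dict:
    return build_ptr_records(A_RECORDS, REVERSE_ZONES)


if __name__ == "__main__":
    result = run_ptr_sync()
    print("\n".join(to_powershell(result["records"])))
    for ip, names in result["conflicts"].items():
        print(f"# conflict: {ip} has several A records: {', '.join(names)}")
    for ip in result["unzoned"]:
        print(f"# no reverse zone covers {ip}")
```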



FortiGate with VLAN's

Hi All,

I'm hoping you could help me. Probably not seeing something I should, but I have listed my diagram here:

Diagram (Whiteboard) (Imgur)

I get the reflections are annoying, but I really hope someone could help.

Thanks!



Cisco ASA VPN to AWS dropping every hour

I have a Cisco ASA with an IPSEC VPN to AWS. The VPN works and passes traffic but the problem is that it drops every hour for about 4 or 5 minutes. I have used the AWS generated config so all of my phase1/phase2 timers etc match. I wouldn't mind if it dropped for a few seconds but it drops for 4 or 5 minutes which makes it unusable.

Has anybody seen this behaviour before? I have done a debug but I can't see any obvious reasons as to why it's dropping from the debugs.

I have a single network to a single network (as AWS recommends).

Thanks

Below is a snippet from the logs from when it's down to when it comes back up again. There is a limit to how much I can post so can't post all the logs.:




Outdoor AP Suggestions

I am looking to replace some aging, inappropriate APs for an outdoor rooftop that's about 13000 sq ft. My focus was using the Meraki MR86 but they are currently out of stock. I am looking for alternates that have the same qualifications. Was looking at the Ruckus T610 (can these run without a local controller?) or maybe something from Aruba (though their product guide is beyond confusing).

Not looking for low support or smb solutions (unifi, forti, tp, ubiq, etc.)



Rate limiting broadcast, multicast and unknown unicast best practices?

Hi guys, I am currently carrying out compliance checks on our estate network config to standardise configs and have noticed that some parts of our network had flood rate limits configured for broadcast traffic. They are on user-facing ports and set to half the interface bandwidth. Looking online, there seem to be differing opinions about rate limiting on ports and the effectiveness of it, so wondering what you guys think?



Single Strand Multimode Fiber SFP compatibility

Hey all,

I have a project I'm working on (been learning more about networking as I go) and I was wondering if the Cisco GLC-SX-MMD SFP were compatible with single strand multimode fiber. The SFP is in fact multimode but it is usually used with a 2 strand pair of fiber rather than a single strand.

I've been coordinating/managing/implementing/engineering most of this project remotely but I have been on site a few times this month. I wasn't aware single strand MM fiber was being used or had the ability to perform full-duplex communications. I'm hoping the SFPs and fiber are compatible as it would be a headache to reorder new SFPs and media converters.



How does VeloCloud edge and gateway exchange routes?

As far as I understand, a VeloCloud Edge only exchanges routes with the gateway. So is it just good old BGP between the Edge and Gateway? Or is it something similar to the Viptela OMP (customized BGP)?

I am aware of VCMP and DMPO but they are more on the data plane. I want to understand the control plane aspect.



PoE Splitter with 12V and PoE passthrough

Does anyone know of a device that can take PoE, power a 12V camera and then pass power through to something like this: https://www.magewell.com/tech-specs/pro-convert-sdi-tx Ideally trying to power a camera and that with just one cable. Thanks!



Cisco Router IPsec Phase 1 and Phase 2 Rekeying?

Hi, we have a tunnel with an IPsec profile and I would like to ask if by default the router does rekeying? If yes, what port is being used, is it UDP 500/4500? And how can we validate if rekeying is enabled?

From my verification, I am not able to see any rekey on the crypto session and ISAKMP SA. Thanks

Sample config:

    int tunnel 19
     tunnel protection ipsec profile TEST_PRO shared
    !
    crypto isakmp profile TEST_IP
     ca trust-point TRUST_AE
     match identity host domain test.com
    !
    crypto ipsec transform-set TRANS_TEST esp-aes 256 esp-sha-hmac
     mode transport
    !
    crypto ipsec profile TEST_PRO
     set transform-set TRANS_TEST
     set isakmp-profile TEST_IP

show crypto isakmp sa

    8872 122.1.1.1 89.31.25.94 INTERN ACTIVE aes sha rsig 5 23:59:32 D
          Engine-id:Conn-id = SW:2872
    8878 122.1.1.1 85.207.75.50 INTERN ACTIVE aes sha rsig 5 0 D
          Engine-id:Conn-id = ??? (deleted)
    8866 122.1.1.1 85.207.75.50 INTERN ACTIVE aes sha rsig 5 0 D
          Engine-id:Conn-id = ??? (deleted)
    8874 122.1.1.1 52.122.1.1 INTERN ACTIVE aes sha rsig 5 23:59:44 DN
          Engine-id:Conn-id = SW:2874
    8859 122.1.1.1 52.122.1.1 INTERN ACTIVE aes sha rsig 5 0 DN
          Engine-id:Conn-id = ??? (deleted)
    8847 122.1.1.1 52.122.1.1 INTERN ACTIVE aes sha rsig 5 0 DN
          Engine-id:Conn-id = ??? (deleted)

    Interface: xxx0/0/0
    Session status: UP-IDLE
    Peer: 122.1.1.1 port 500
      Session ID: 0
      IKEv1 SA: local 122.1.1.1/500 remote 52.122.1.1/500 Active
      Session ID: 0
      IKEv1 SA: local 122.1.1.1/500 remote 52.122.1.1/500 Inactive
      Session ID: 0
      IKEv1 SA: local 122.1.1.1/500 remote 52.122.1.1/500 Inactive
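
An added Python example (not the poster's configuration or any Cisco tooling) that parses `show crypto isakmp sa`-style entries like the ones pasted above and groups them per peer. On IOS, Phase 1 and Phase 2 rekeys are ordinary IKE exchanges carried over the same UDP 500 (or UDP 4500 when NAT-T is in use), so no additional port appears; what a completed Phase 1 rekey leaves behind is exactly the pattern visible above: one SA per peer with a nearly full lifetime next to older entries for the same peer with lifetime 0 and a deleted Conn-id. The sample text below is constructed to mirror the post's columns (C-id, local, remote, I-VRF, status, encr, hash, auth, DH, lifetime, capabilities), and the lifetime is parsed as hh:mm:ss remaining.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the output in the post (same column order).
# Capability flags: D = DPD enabled, N = NAT-traversal in use.
SAMPLE_ISAKMP_SA = """\
8872 122.1.1.1 89.31.25.94 INTERN ACTIVE aes sha rsig 5 23:59:32 D
      Engine-id:Conn-id = SW:2872
8878 122.1.1.1 85.207.75.50 INTERN ACTIVE aes sha rsig 5 0 D
      Engine-id:Conn-id = ??? (deleted)
8866 122.1.1.1 85.207.75.50 INTERN ACTIVE aes sha rsig 5 0 D
      Engine-id:Conn-id = ??? (deleted)
8874 122.1.1.1 52.122.1.1 INTERN ACTIVE aes sha rsig 5 23:59:44 DN
      Engine-id:Conn-id = SW:2874
8859 122.1.1.1 52.122.1.1 INTERN ACTIVE aes sha rsig 5 0 DN
      Engine-id:Conn-id = ??? (deleted)
8847 122.1.1.1 52.122.1.1 INTERN ACTIVE aes sha rsig 5 0 DN
      Engine-id:Conn-id = ??? (deleted)
"""

SA_LINE = re.compile(
    r"^(?P<cid>\d+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<vrf>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<encr>\S+)\s+(?P<hash>\S+)\s+(?P<auth>\S+)\s+(?P<dh>\d+)\s+(?P<lifetime>\S+)\s*(?P<cap>\S*)$"
)
ENGINE_LINE = re.compile(r"Engine-id:Conn-id\s*=\s*(?P<conn>.+)$")


def parse_lifetime(text: str) -> int:
    """'23:59:32' -> seconds remaining on the SA; a bare '0' means it has expired."""
    if ":" not in text:
        return int(text)
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_isakmp_sa(output: str) -> list:
    """One dict per SA entry; the Engine-id line that follows each entry is folded into it."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        m = SA_LINE.match(line)
        if m:
            d = m.groupdict()
            d["lifetime_s"] = parse_lifetime(d["lifetime"])
            d["deleted"] = False
            entries.append(d)
            continue
        m = ENGINE_LINE.search(line)
        if m and entries:
            entries[-1]["conn"] = m.group("conn")
            entries[-1]["deleted"] = "(deleted)" in m.group("conn")
    return entries


def rekey_summary(entries: list) -> dict:
    """Per remote peer: live SAs as (conn-id, seconds left) and the number of stale ones
    (expired or already marked deleted) still waiting to be purged."""
    summary = defaultdict(lambda: {"live": [], "stale": 0})
    for e in entries:
        bucket = summary[e["remote"]]
        if e["deleted"] or e["lifetime_s"] == 0:
            bucket["stale"] += 1
        else:
            bucket["live"].append((e["cid"], e["lifetime_s"]))
    return dict(summary)


def rekey_observed(entries: list) -> list:
    """Peers that show a fresh live SA alongside stale predecessors: the footprint of a
    Phase 1 rekey that has already completed."""
    return sorted(p for p, b in rekey_summary(entries).items() if b["live"] and b["stale"] > 0)


if __name__ == "__main__":
    parsed = parse_isakmp_sa(SAMPLE_ISAKMP_SA)
    for peer, info in rekey_summary(parsed).items():
        print(peer, info)
    print("rekey observed for:", rekey_observed(parsed))
```

For Phase 2 the equivalent evidence is in `show crypto ipsec sa`: the inbound/outbound SPIs change and the "remaining key lifetime" counter resets after each quick-mode exchange, and `debug crypto isakmp` shows the exchange itself.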


Guest network bandwidth

I am charged with deploying a fairly extensive guest network. I generally know that guest networks are congested from my own experiences; however, I am trying to decide what size circuit to order for my guest network.

What size circuits has anybody deployed, and how many concurrent clients are being served?

Thanks in advance for any feedback.



Network adapters that support 10GBase-ER optics

I'm planning to use a Supermicro server as a low-end router, but I was blindsided by the fact that the Intel X722 card only supports SR and LR optics, but my circuits are DWDM and we only have ER and ZR optics.

My backup option is to connect the circuits to the switch and then from switch to router, but that will burn all 4 SFP+ interfaces on the Juniper EX3400 switch, so the internal interfaces on the router will either have to be trunked with the external interfaces or the internal interfaces are 1G only.

Is there a PCIe network adapter that supports ER optics (DWDM)?



If devices are connected to the same switch but are in different subnets, why do they need a router to send traffic to each other?

If I have a switch and I have 2 PCs connected to it, one of the PCs has an IP of 10.10.10.10 and the other has an IP of 10.10.20.10, why do they need a router to communicate? I thought devices connected to a switch sent/received traffic based on MAC addresses, so why would it matter if they are on different subnets?



AWS DX High Resiliency (2 links) with 4 On-premises routers (2 sites) and VPN backup - Design discussion

Hi subreddit,

I have a question about this design. My architecture consists of 2 data centres (DC1 & DC2); higher-ups decided to purchase only 2 Direct Connect links (in different locations, connecting to each of my sites), with the intention to purchase additional links as required later on (due to limited budget and the pandemic).

Each pair of routers, logically, will connect to a CX router in each DX location.

So my idea of the topology is to have each of the Direct Connect links connected to a L2 stacked switch in each site, which provides L2 connectivity between my routers in each DC as well.

  • Does the VIF support /29 subnet?
  • Or, what if I were to create different VIFs (different 802.1Q tags) for each of my routers within a site? I'm more inclined to this design.
  • Is it possible or wise to peer with my AWS network using our public AS? Since the public AS is already used for the DMZ BGP routers (not the same pair in question) and is in production.

The final goal is to set up DX for each site as the primary connection, with private BGP advertising each DC's private subnets, and a summary route of both DCs and receiving our AWS VPC routes.

  • If one DC's DX failed, use the other DX
  • Both locations will also have Internet connection for setting up VPNs, and private BGP peering will also be established over VPN
  • Failover order for DC1: DX1 > DX2 > VPN1 > VPN2

Is this gonna be a valid design?



Router recommendation for a small office?

Connected I have:

- 2 Phones
- 1 NAS
- 1 Selta SamOffice SE
- 20 Devices (PC / Tablet / Mobile)

What factors do I need to take in consideration?



Tuesday, May 4, 2021

Which to use and why

For network segmentation on Juniper networks, what’s the use case for using either logical systems or different instance types (virtual router or vrf). Seems to me that each solution is solving the segmentation problem. I ask because I work in an environment with heavy use of virtual routers and vrfs.



Cities with the highest salary for Sr. Net Engineers

I am a Sr. Net Engineer close to being turned into an Architect, don't have any knowledge on Clouds (not yet), here in LA and I want to move out...

If you can help me sort the cities here in the US from the best to least pay scale.

And ofc this is not skill dependent; we're assuming the same level, just different geo locations.

And please, if you can, sort it based on your experience/encounters/vision, not Google!

And do you think the number of job openings (or ongoing positions) per capita has a direct relation with how high the pay rate is?

This is what I think, and I am not sure if I am right..

  1. Washington DC
  2. Virginia Beach
  3. San Jose
  4. San Francisco
  5. Los Angeles County
  6. New York(from here down idk which cities are better)
  7. Florida
  8. Austin
  9. Dallas
  10. Nevada


Juniper EX2300 in-band management?

Hey all -

New to Juniper, trying to get my bearings. I'm trying to enable SSH management on an in-band vlan, but having no luck.

    set routing-options static route 0.0.0.0/0 next-hop 10.0.0.254
    set interfaces irb unit 0 family inet address 10.0.0.2/24
    set vlans mgt vlan-id 1
    set vlans mgt l3-interface irb.0
    set interfaces ge-0/0/1.0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/1.0 family ethernet-switching vlan members [mgt xxx xxx xxx]
    set interfaces ge-0/0/1 native-vlan-id 1

The default route nexthop is untagged on ge-0/0/1, and I can reach it just fine through the switch. How can I enable SSH on irb.0's IP?



Networking Hardware

Hello everyone,

With Cisco Meraki taking off and gaining popularity, I was curious.

Do you guys think that Cisco Meraki can be used as the main networking equipment for an office? In this example, I would say 35 to 45 users at a time, and growing steadily.

OR do you think it would be better to invest in traditional Cisco equipment?

Thanks in advance!



Cisco 9120s

Anyone deploying Cisco 9120 WAPs yet? How are clients working with them?



GRE/OSPF Routing Issue?

I'm having trouble getting a printer to communicate with a print server over a Hub & Spoke network using GRE/OSPF.

The printer is behind a spoke router that is configured as such:

GRE interface - 172.29.99.5

Primary LAN - 192.168.130.33

Printer - 192.168.130.38

We are able to ping (from 192.168.130.38) to the GRE interface of the hub (172.29.99.1) confirmed with tcpdumps.

We are able to ping from the hub's GRE interface (172.29.99.1) to the gateway of the printer (192.168.130.33) but NOT the printer itself.

To rule out zone forward issues, we set 'all/all' rules on either side and still could not reach.

The route policies suggest everything is in order on either side. Could this maybe be an issue with the device itself?



Cisco 9120 WAPs

Does anyone have any experience with these WAPs yet? We are deploying these and are running into some serious issues with Zebra devices (printers and handhelds) and medical devices. Whenever the devices are within range of our 9120 test device, these devices lose their IP and have to be rebooted away from the 9120. Does anyone have experience with this?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Can I Add Another Router To Small Office Network That Is Experiencing Poor Signal Upstairs - Currently Have Two Routers And A Switch Connected

Hi everyone, thanks in advance for any help! I am a complete novice at this, but am trying to help out!

I work in a small office that is two stories; in the far corner of the upstairs the wi-fi is extremely slow. We currently have an AT&T modem with two routers and a switch connected to it. The area that has slow internet does have a wall plate with an active Ethernet port; can I simply connect another router to this port that the people upstairs can then connect to, which would have better signal than when they connect to the routers downstairs? Although there are wall plates in many of the offices, almost everyone in the other offices uses wi-fi without any issues.

It’s also been suggested that range extenders may help. I was also just told that a wireless access point may be the way to go and am going to look into that as an option.

If this would not work, any suggestions on a simple way to make this work? It's really only three people in one large room that are experiencing issues.

Thanks again for any help!



continuous ping fails when backup default route becomes active

Hello. Wonder if anyone can help me.

I have secured my network with 2 routers (VRRP for hardware redundancy), each one of them connected to its own WAN access (R1main - fiber and R2backup - LTE/4G).

To test the performance of this solution I made a continuous ping to a responsive domain name, using both a laptop with Win10 and another one with Ubuntu.

When I test the hardware redundancy (VRRP) the continuous ping keeps going, not even dropping a single ping, whether I power off the main router or put it back on.

But when I disconnect the fiber and my backup default route (to the R2backup - 4G) becomes active, I do continue to have internet access on both laptops, but the continuous ping stops responding on both laptops. If I connect the fiber again, the Windows laptop starts resuming the pings, but the Ubuntu laptop continues to fail the pings, and I have internet access. Why is that behaviour with the pings when it changes to the backup default route and resumes the main route?

The routes seem to be doing the job, as I checked with a tracert/traceroute to a responsive internet domain.



Migrating internal routing from one L3 switch to a new one - how easily can I re-structure my network while I'm at it and transition from RIP to OSPF?

I've been the IT manager at a medium-sized hospital for about 3 years now. I inherited the network in the state it's in and have made small improvements. I'm running into issues with having enough room for devices in various subnets and the network getting larger and progressively messier. I'd like to re-organize, but this is a bigger project than I've dealt with before.

Here's what I've got:

  • Hospital environment. Shutting down the entire network at once for any extended period is a non-starter.
  • One site.
  • Aruba/HPE switches.
  • Primary internal routing is shared by two HP 5406zl switches using RIPv2 and VRRP.
  • I want to transition to a new Aruba 3810M stack.
  • Router/firewall is a Fortigate 201F handling traffic outbound to the internet and several VPNs.
  • Main internal network is a /16 (again, I inherited it) with several /23s and /24s. For example: 172.16.0.0/16, 172.17.1.0/24, 172.17.5.0/24, 172.18.0.0/23, etc.

I want to take most of the /16 and turn it into discrete /23s and /24s. Most of our /16 is separated out functionally. 172.16.5.1-254 is servers, 172.16.10.1-254 is imaging devices, 172.16.8.1-254 is printers, etc. These are all using the same gateway, however, say 172.16.0.1. A ton of these devices are using static IPs, so if I change anything there's going to be a huge amount of virtual legwork changing manual IP configurations.

I'd like to do something like take my printers from that huge /16 to a smaller subnet. I'm looking at migrating them from the /16 to a separate /23 or /24. So I'd create a subnet like 172.20.8.0/24 with a GW of 172.16.8.1, which would be a VIP on the new 3810M stack. I'll never be able to completely get rid of that /16 most likely because there are a metric ton of devices on static configurations that would require hours of work re-configuring VPNs, routes, etc. for each individual device. It's just not feasible.

I am hoping that I can take some of the subnets that are on the higher end of the /16 like 172.16.254.x and move them one by one to new subnets. The bulk of usage on that /16 is on the lower range like 172.16.8.xx. I've got about three ranges up higher at .50, .100, and .254 that if I can move, would allow me to shrink that /16 down to a /18 or /19 maybe. I could then go through those static configs on remaining devices, update the subnet masks, and eventually reclaim some of that original address space without leaving everything on one enormous subnet. Say I change it from the /16 to /18, as long as no devices exist on 172.16.64.x and up, it shouldn't matter if the clients have the wrong subnet mask until I get to where I can change it, right?

What I'm really not sure about is if I need to transition from RIPv2 to OSPF, or even how to do it, honestly. Both my Fortigate and my current HPE L3 switches are using RIPv2. I'm not sure how to handle transitioning from one protocol to another smoothly. If I enable OSPF on the new Aruba stack for the subnets I'm creating, the new stack will be able to talk to the old devices. Once I've got as much moved to new subnets as possible, I can transfer the VIP for the /16 gateway from the old switches to the new stack, decommission the old switches, and switch my Fortigate from RIP to OSPF. Does that sound reasonable?

Sorry, this is a lot. Any advice?
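
Two questions on this page (the "same switch, different subnets" question above and the hospital /16 shrink in this post) come down to one rule: whether a host ARPs for a destination itself or hands the packet to its gateway is decided by the host's own address and mask, never by the switch, which only forwards on MAC. The following is an added Python example, not code from either poster, that applies that rule. For the 10.10.10.10 / 10.10.20.10 case the post gives no mask, so both /24 and /16 are tried (with /16 the two PCs are on-link and need no router). For the /16-to-/18 plan it audits a constructed host inventory: which hosts sit above the new boundary and must be renumbered before the gateway mask changes, which still carry the stale /16 mask, and when a stale mask actually breaks reachability, namely for a target that stays inside 172.16.0.0/16 but is moved outside the shrunk prefix and so ends up behind the router. All addresses in the inventory are made up.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed host inventory (address/mask as configured on each device); not from the post.
INVENTORY = [
    "172.16.5.10/16",    # server, still on the wide mask
    "172.16.8.20/16",    # printer, still on the wide mask
    "172.16.50.7/16",    # inside the planned /18, mask not yet updated
    "172.16.100.3/16",   # above the /18 boundary: must be renumbered before the shrink
    "172.16.254.9/16",   # above the /18 boundary: must be renumbered before the shrink
    "172.16.10.4/18",    # already reconfigured with the new mask
]


def next_hop_for(host: str, dst: str, gateway: str) -> str:
    """Decide as the host's IP stack does: 'direct' (ARP for dst on the local segment)
    when dst falls inside the host's own prefix, otherwise 'via <gateway>'.
    The switch forwards on MAC addresses and takes no part in this decision."""
    iface = IPv4Interface(host)
    if IPv4Address(dst) in iface.network:
        return "direct"
    return f"via {gateway}"


def shrink_audit(old: str, new: str, hosts) -> dict:
    """Plan a supernet shrink old -> new. Returns hosts outside the new prefix (they must
    move before the gateway mask changes) and hosts whose configured mask is stale."""
    old_net, new_net = IPv4Network(old), IPv4Network(new)
    if not new_net.subnet_of(old_net):
        raise ValueError("new prefix must lie inside the old one")
    outside, stale_mask = [], []
    for h in hosts:
        i = IPv4Interface(h)
        if i.ip not in new_net:
            outside.append(str(i.ip))
        elif i.network != new_net:
            stale_mask.append(str(i))
    return {"outside": outside, "stale_mask": stale_mask}


def stale_mask_risk(host: str, target: str, new_net: str) -> bool:
    """True when a host still on the old wide mask believes target is on-link although
    target is outside the shrunk prefix (now behind the router): the host ARPs for it
    directly and gets no answer unless the router does proxy ARP."""
    i = IPv4Interface(host)
    t = IPv4Address(target)
    return t in i.network and t not in IPv4Network(new_net)


if __name__ == "__main__":
    for mask in ("24", "16"):
        print(f"10.10.10.10/{mask} -> 10.10.20.10:",
              next_hop_for(f"10.10.10.10/{mask}", "10.10.20.10", "10.10.10.1"))
    print(shrink_audit("172.16.0.0/16", "172.16.0.0/18", INVENTORY))
    print("stale /16 host reaching 172.16.100.3 once it is routed:",
          stale_mask_risk("172.16.8.20/16", "172.16.100.3", "172.16.0.0/18"))
```

The practical reading of the audit: a stale /16 mask is harmless as long as nothing the host needs to reach lives in 172.16.64.0 and above, which matches the poster's own reasoning; it bites only if that freed space is later reused for routed subnets before the old static masks are corrected.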



Clearing arp table fixes connection for a couple minutes

I'm running into an issue where my connection to a server goes down about every two minutes after I clear out the ARP table on my firewall. I can see the traffic leave my firewall and go to another switch, then it dies. As soon as I clear out this ARP table the connection will restore and I can run a ping for about 2 minutes again, then it will die again.

Now we have cleared out an ARP entry that was stuck in there that had the same MAC address that is no longer used. I'm not sure what is going on at this point.

Any suggestions?



Fiber internet hand off

I recently had new fiber internet service turned up at one of my remote sites. It’s a fiber hand off. The ISP told me to plug in the fiber into my router/firewall whenever I am ready. They sent me a picture of the SFP that I will be connected to on their switch. All that I can get from the label is that it’s a 1.25gb 20km DDM 1310nm LC SFP.
I’m not sure what to match this SFP with on my end. I’ve asked for compatibility list of SFPs, but got no answer. My end will plug into a Palo Alto 820, but I’m not sure if a PAN-SFP-LX will match with theirs.



Need help diagnosing packet loss (Please take pity, I've been googling as much as I can)

Good afternoon. If you take a moment to read my story, I would be very grateful.

I work for an ISP and was tasked with creating our own in-house speed test server.

They gave me a server in which they put an Intel 82599ES 10 gigabit Ethernet adapter, which is configured with an internal private interface (mainly for SSH from local network machines) and the public interface with a public IP.

Software for speed testing includes iperf3 and the open source "librespeed speedtest" server which uses Apache and php. IPTABLES is also being used to only allow customer ip addresses to connect to the speedtest server.

The problem I'm facing, is that I have packet loss when pinging the public interface only. This causes the speedtest webpage and iperf3 connections to commonly have to be reloaded 2-3 times before a connection is made.

For some reason, I average between 11-13% packet loss. If I ping OUT from the PUBLIC interface, there are no issues. The private interface has no issues in or out. It's only when I do a ping from something else to the public interface.

When I do a continuous ping, there will be numerous passes. Then, for a short time, every other ping will fail. This burst of intermittent failure is fairly consistent, seemingly happening after every 35-55ish successful pings. There's always a round of successful pings, and then 3-4 failed ones, then a round of successful pings, etc.

This packet loss happens with or without iptables enabled.

Here's a picture of the ping returns. Notice the icmp sequence number and how it begins to fail every other ping. http://imgur.com/a/wKKrnZh

Any help or ideas would be appreciated. I've been pulling my hair out trying to fix this. If you need more information, please let me know and I will try to get it for you.

Thank you in advance!
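
The pattern described above (a long run of replies, then a short burst in which every other request is lost) is easier to reason about once it is measured rather than eyeballed from a screenshot. Below is an added Python example, not the poster's tooling, that takes ordinary Linux `ping` output, derives the missing `icmp_seq` numbers, groups them into bursts and classifies each burst as single, contiguous or alternating, and reports how many good replies preceded it. The ping text it runs on is constructed to reproduce the described behaviour (address and timings are made up); on a real capture, feed it the saved output instead.

```python
import re
from typing import Dict, List

REPLY = re.compile(r"icmp_seq=(\d+)")
SENT = re.compile(r"(\d+) packets transmitted")


def make_sample(total: int = 50, lost=(5, 38, 40, 42, 44)) -> str:
    """Constructed Linux-style ping output in which the sequence numbers in `lost`
    simply never get a reply."""
    lines = ["PING 203.0.113.10 (203.0.113.10) 56(84) bytes of data."]
    for seq in range(1, total + 1):
        if seq not in lost:
            lines.append(f"64 bytes from 203.0.113.10: icmp_seq={seq} ttl=57 time=12.{seq % 10} ms")
    received = total - len(lost)
    lines.append(f"{total} packets transmitted, {received} received, "
                 f"{100 * len(lost) // total}% packet loss, time 49050ms")
    return "\n".join(lines)


def total_sent_from(output: str) -> int:
    """Number of requests sent, taken from ping's summary line."""
    m = SENT.search(output)
    if not m:
        raise ValueError("no summary line found; pass total_sent explicitly")
    return int(m.group(1))


def lost_sequences(output: str, total_sent: int = None) -> List[int]:
    """Sequence numbers that never appeared as a reply."""
    if total_sent is None:
        total_sent = total_sent_from(output)
    seen = {int(m.group(1)) for m in REPLY.finditer(output)}
    return [s for s in range(1, total_sent + 1) if s not in seen]


def loss_bursts(lost: List[int], max_gap: int = 2) -> List[Dict[str, int]]:
    """Group lost sequence numbers into bursts. Losses separated by 1 (back-to-back) or
    2 (every other packet) belong to the same burst; each burst is then classified."""
    bursts: List[Dict] = []
    for s in lost:
        if bursts and s - bursts[-1]["last"] <= max_gap:
            bursts[-1]["last"] = s
            bursts[-1]["count"] += 1
        else:
            bursts.append({"first": s, "last": s, "count": 1})
    prev_end = 0
    for b in bursts:
        span = b["last"] - b["first"] + 1
        if b["count"] == 1:
            b["pattern"] = "single"
        elif span == b["count"]:
            b["pattern"] = "contiguous"
        elif span == 2 * b["count"] - 1:
            b["pattern"] = "alternating"
        else:
            b["pattern"] = "mixed"
        b["quiet_before"] = b["first"] - prev_end - 1  # good replies since the previous burst
        prev_end = b["last"]
    return bursts


def summarize(output: str, total_sent: int = None) -> Dict:
    total = total_sent if total_sent is not None else total_sent_from(output)
    lost = lost_sequences(output, total)
    return {"loss_pct": round(100 * len(lost) / total, 1), "bursts": loss_bursts(lost)}


if __name__ == "__main__":
    report = summarize(make_sample())
    print(f"loss: {report['loss_pct']}%")
    for b in report["bursts"]:
        print(f"seq {b['first']}-{b['last']}: {b['count']} lost, {b['pattern']}, "
              f"{b['quiet_before']} good replies before it")
```

A stable period between bursts and a strictly alternating loss inside them are worth comparing against timers on the path (ARP or neighbour cache lifetimes, link-aggregation or ECMP hashing, offload settings on the 82599 interface) rather than treating the loss as random congestion.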



Question RE: FPR 1120 w/ ASA code

Hi all,

Just got my hands on a new Cisco FPR 1120 after years and years of working with ASA’s and Cisco IOS in general. The device our company purchased is for a customer and came with the ASA image license. So once I go through the smart account process I will need to reimage the device to use ASA code instead of the FPR GUI.

My question is this - once I perform the re-image, can I still manage the NGFW IDS/IPS features that come with the device? Or do I forgo that ability once the device is imaged with the ASA code? Would really suck to not be able to take advantage of the NGFW stuff simply because I’m more comfortable operating the IOS CLI....

I know that the ASA code essentially will live on top of the FXOS so logic would dictate that IDS/IPS management would still exist but I’ve heard otherwise and seen mixed reviews. Anyone shed some light?

Thanks in advance!



Question with my netmiko + textfsm script

Here is my current script....

https://github.com/Alston518/Netmiko/blob/main/Textfsm

This is working good to get me the structured output that lists all interfaces, their status, vlan assignment, and many other things.

With textfsm working, how do I take this output and have commands pushed out to specific interfaces that are down and in certain vlans?

For instance, the first switch I ran this on has interface gi1/0/1 in a down state and is also assigned to vlan 500. I want to issue a shutdown command to this interface and all other interfaces that are also down AND in vlan 500. Then do this same thing to all switches on my initial list.

Does anyone have any ideas?
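
Since the linked script is not reproduced here, the following is an added Python example (not the poster's code) of the step the question asks about: taking the list of dicts that netmiko returns from `send_command(..., use_textfsm=True)`, selecting the rows that are link-down and in the target VLAN, and turning them into a config set. The row keys (`port`, `status`, `vlan`, ...) are an assumption about the ntc-templates output for `show interfaces status`; the rows themselves are constructed. The netmiko connection is only sketched in a comment so the block runs offline; the default is a dry run that returns the commands for review, which is the habit worth keeping when a script is about to shut ports on a whole list of switches.

```python
from typing import Dict, List, Tuple

# Constructed sample of what netmiko's send_command("show interfaces status", use_textfsm=True)
# returns with the ntc-templates parser. Field names are an assumption about that template;
# adjust them if your parsed rows use different keys.
SAMPLE_PARSED: List[Dict[str, str]] = [
    {"port": "Gi1/0/1", "name": "",       "status": "notconnect", "vlan": "500",   "duplex": "auto",   "speed": "auto",   "type": "10/100/1000BaseTX"},
    {"port": "Gi1/0/2", "name": "user",   "status": "connected",  "vlan": "500",   "duplex": "a-full", "speed": "a-1000", "type": "10/100/1000BaseTX"},
    {"port": "Gi1/0/3", "name": "",       "status": "notconnect", "vlan": "10",    "duplex": "auto",   "speed": "auto",   "type": "10/100/1000BaseTX"},
    {"port": "Gi1/0/4", "name": "",       "status": "disabled",   "vlan": "500",   "duplex": "auto",   "speed": "auto",   "type": "10/100/1000BaseTX"},
    {"port": "Gi1/0/5", "name": "spare",  "status": "notconnect", "vlan": "500",   "duplex": "auto",   "speed": "auto",   "type": "10/100/1000BaseTX"},
    {"port": "Gi1/1/1", "name": "uplink", "status": "connected",  "vlan": "trunk", "duplex": "a-full", "speed": "a-10G",  "type": "SFP-10GBase-SR"},
]

# Link-down states that are candidates for an administrative shutdown. Ports already
# "disabled" or "err-disabled" are skipped so a re-run of the script changes nothing.
DOWN_STATES = {"notconnect", "down"}


def select_ports(parsed: List[Dict[str, str]], vlan: int, down_states=DOWN_STATES) -> List[str]:
    """Ports that are link-down AND in the given access VLAN."""
    return [row["port"] for row in parsed
            if row["status"] in down_states and row["vlan"] == str(vlan)]


def build_shutdown_config(ports: List[str]) -> List[str]:
    """IOS config lines that disable each selected port (one 'interface' stanza per port)."""
    cmds: List[str] = []
    for p in ports:
        cmds += [f"interface {p}", " shutdown"]
    return cmds


def plan_for_switch(parsed: List[Dict[str, str]], vlan: int) -> Tuple[List[str], List[str]]:
    ports = select_ports(parsed, vlan)
    return ports, build_shutdown_config(ports)


def apply_plan(connection, parsed: List[Dict[str, str]], vlan: int, dry_run: bool = True):
    """With dry_run (the default) return the config lines for review without touching the
    switch. Otherwise push them through a netmiko ConnectHandler and save the config."""
    ports, cmds = plan_for_switch(parsed, vlan)
    if dry_run or not cmds:
        return cmds
    output = connection.send_config_set(cmds)
    connection.save_config()
    return output


if __name__ == "__main__":
    # Sketch of the real loop (hostnames and credentials are placeholders):
    #   from netmiko import ConnectHandler
    #   for host in switch_list:
    #       with ConnectHandler(device_type="cisco_ios", host=host,
    #                           username=USER, password=PASS) as conn:
    #           rows = conn.send_command("show interfaces status", use_textfsm=True)
    #           print(apply_plan(conn, rows, 500, dry_run=False))
    ports, cmds = plan_for_switch(SAMPLE_PARSED, 500)
    print("would shut:", ports)
    print("\n".join(cmds))
```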



Secure Edge - DIY SASE - Thoughts?

We all know the history of how we got where we are. In the old days we built IGW Internet gateways in our data centers or campuses, and funnelled all Internet traffic into the stack: IDS/IPS/Firewall/Proxy/NAT, deep packet inspection; in some places stood up /23's and /24's with carrier independent addressing, in others just a /29 or so from an ISP and NAT'd against it in a pool.

The world has moved on. Everything is in the cloud, everyone is working from home. It makes zero sense to backhaul Internet traffic over the Internet, to then egress out of a datacenter. Thus, secure edge is gaining a lot of ground. Enter some obvious players who were well positioned - mainly zscaler. I love that they were able to pipeline stream a bunch of decades old technology into a billion dollar company - DNS, GRE, etc.

If you had to do that - offer Internet edge service/service provider type service for Internet - what would you be considering? Obviously next gen firewalls for IDS/IPS, malware detection, malware and botnet blocking. DNS filtering. What else? How would you handle remote branches or remote users that wished to use the IGW in the cloud - VPN based? Site GRE/IPsec tunnels back to branches like zscaler?

Would one need to peer with multi cloud POPs like Equinix and the like to get direct cloud access? Should things like Netflix caching servers be considered for inclusion? Would you even bother with IPv6 support, would you lean heavily towards it?

What about the security subscription models - ie botnet/malware databases, IPS signatures, what is an effective liability against zero day exploits? Has anyone else gone through this or thought out the rather large pitfalls and gotchas that I am seeing?