Okta verify radius server and palo alto eap-ttls

I'm struggling to get what should be a simple palo alto firewall radius solution to work with okta's radius server client with eap-ttls. They apparently don't support this with their native palo alto app and asked to try using a Cisco ASA or Meraki radius app, which do seem to have eap-ttls options. Neither work with the palo. Has anyone had success with a similar implementation?

Fwiw I did run packet captures but they seem to get stuck in an access-request <> access-challenge loop. The okta radius agent seems to not send any eap data in the reply which may be the key here. Other authentication options like PAP or CHAP are not an option in my environment, and unfortunately neither is SAML for this use case.

Is it possible to get out ?

Hi all,

Seems like a pretty common post here now this is with a little twist.

The short of it is I’ve been in networking and IT for close to 20 years. Blah blah done it all. But I’ve been getting the feeling it’s time to leave and do something else. But it honestly feels like I can’t take any of the skills I’ve learnt or things I’ve done to another career path.

I’m hoping someone else has made it out and can shed some light on what / how they went about it.

Any advice appreciated Zazzy.

Route-map to advertise only default-routr

Is this the right route-map to only advertise default route to an ibgp neighbor ?

Appreciate any help

ip prefix-list DEFAULT_ONLY seq 5 permit 0.0.0.0/0

route-map OUT permit 10 match ip address prefix-list DEFAULT route-map OUT deny 20

router bgp 65002

address-family ipv4 neighbor x.x.x.x route-map out

ISO/OSI in depth: Network vs. Transport

https://www.techguruhub.net/2021/05/iso-osi-in-depth-network-vs-transport/

Help about signal attenuation in obstacles.

I'm currently working on a basic network simulator software that would calculate (based on router specifications) the signal loss through a wall in a office environment.

Basically, lets say that the router is 2.4 GHz and there is a wall thickness 20 cm, not taking in consideration the space in between (that's just simple path loss), which formula would let me get the signal loss? Hopefully in dB.

VMware workstation Pro :- Guest OS ( configured in Bridged mode ) mac address doubts ?

Hey all, this might be a noob question, i apologize in advance. I tried searching on the internet, but couldn't get any answers.

So i'm running Kali ( guest OS ) in workstation pro. My host OS is windows 10. Guest OS is configured in Bridged networking mode.

Consider the following parameters of :-

1. Guest OS - IP_G:MAC_G
2. Host OS - IP_H:MAC_H

ARP table of :-

1. Guest OS - IP_H:MAC_H ( perfect )
2. Host OS - IP_G:MAC_G ( perfect )
3. Another Host ( within the same network as Host OS ) - IP_H:MAC_H ( perfect ) , IP_G:MAC_H ( why? )

why does another host have the mac address associated to IP_G as MAC_H ? shouldn't it be MAC_G?

Also My guest OS doesn't show up in the router's connected devices, is it because the Guest OS didn't actually authenticate and associate with the router as explained in this post? or is there any other reason?

EVE-NG | Missing running/startup-configs

Been working on a BGP lab for a uni assignment the past few weeks and today I have encountered an unusual issue with start-up configs.

The nodes appear to start up on the default startup-config set for the lab, despite myself doing copy run start and exporting the lab a couple weeks ago. It was working correctly before I did the export, however that file (not the export) is having the same issue.

I've looked at the Startup-config panel and the config I remember doing and saving is not there.

Not entirely sure what has happened or what I have done wrong. I am currently using the EVE-NG Community edition.

Link to .UNL: .zip lab

Why did LTE Unlicensed fail?

I don't know if this is the place to ask this, but about 5-6 years ago there was a lot of talk regarding how LTE Unlicensed could change the public WiFi and hotspot landscape but now it's nowhere to be found. What happened? Did WiFi 5 and 6 make it obsolete?

Should desktops receive HSRPv2 packets?

Howdy. Running a pcap on a customer desktop shows alot of HSRPv2 messages. Is this normal behavior or do we have some fine tuning to do?

Slow network

Hi!

We have a remote site that has been complaining about the network being very slow from time to time. They have a 1Gbps DIA and a 40/40Mbps MPLS coming to our DC. We use Meraki SD-WAN to connect to them. Internet traffic is forced to the 1Gbps circuit and VPN traffic is using the MPLS.

The main issue is that sometimes it takes forever to run a Cognos report. It often times out as well. Cognos is located in the same server subnet as DNS, DHCP, AD, file server, etc. In our DC.

We have over 100 sites designed the same way and no one is complaining. They can run reports no problems.

By troubleshooting with a user over there, I found out that when the slowness is present, it also takes forever to load a new Web page. I ran some speed tests to the internet and got over 800Mbps. They use our internal DNS so I presume the DNS queries times out or something. I tried to force the VPN traffic to the 1Gbps for a few days, same problem. I ran some pings and trace routes to several of our internal servers and didn't find anything strange there either. Everything looks good in our Meraki dashboard and in our monitoring system. They are no where near saturating the MPLS or internet circuit. Same thing in our DC, no congestion or peaks whatsoever.

One thing I noticed though is that if I turn on their client VPN (Anyconnect) slowness disappears. Reports are fast, surfing the web is also pretty fast and the second I turn it off, everything slows down. Client VPN traffic arrives to our DC firewalls through the internet. Non-Client VPN branch traffic arrives on our Meraki VPN concentrator connected to our Core through the internet or MPLS depending on what we decide in the branch Meraki's.

So if slowness disappear when the client VPN is on it means there is a routing issue somewhere but all our other branches are OK..

I've ran some packet captures when I was troubleshooting. I saw a lot of DUP TCP packets from the Cognos server when we were running the report. On VPN I can't see them because everything is encrypted.

The problem is intermittent. Everything could run smoothly for a few days.

Any ideas on how to tackle this? Should I use a pc over there and install some tools on it to gather some info's?

We also have SolarWinds NPM at our disposal. The branch is on the other side of the country so I can't go there and there is no tech to assist me.

Thank you all!

Datacenter evolution after VXLAN-EVPN

Hi all

I was just curious to know what else is out there in enterprise datacenters to learns trends after VXLAN-EVPN.

I was reading how FB designs their datacenters https://engineering.fb.com/2021/05/13/data-center-engineering/bgp/

But while they have the means and resources to customize their datacenters as most hyperscalers would do, I don't know if anyone can shed some more light on what's the next new thing that is on the horizon.

Aware on SD-WAN (meh) ,ACI (lmfao), automation, NSX-T but think EVPN solves most of the new use cases quite well.

Anyone working on some new cool stuff?

Piggyback Network

My college has a captive portal login that spans across all campus. It is pretty slow and I am looking for better bandwidth in my dorm. I have access to ethernet. I am not sure 100% how/if what I am thinking is possible, but I’ll shoot my shot.

I want to use a router to use the Ethernet to then make a new WiFi network so I can connect wirelessly at much better speeds. I just don’t know if the captive portal will be a problem to set up with the router. Or if this is even possible with a router. Please give suggestions. I do not know much about networking.

Why are there only 4 WEP keys? (Hello to whoever read this:)

Hi:)

Difference between deployment and implementation in network industry

English is my second language. I hear these two words all the time. "Deployment and implementation"

I feel like I understand what the words mean, but I am not sure how to use those words properly.

It sounds like those words have similar meanings in network industry.

When do we use "deploy" and "implement" ?

It would be great if you could use some examples.

Thank you.

What is TEST-NET-1/2/3?

On the Wikipedia page for reserved IP addresses, I see that there are 3 IPv4 /24 ranges that say that they are reserved for TEST-NET-<number> with a scope of documentation. So my question is what is TEST-NET-1/2/3 and can I technically use those ranges as private networks, even if they aren't supposed to be used that way? Not that I'm going to be deploying those ranges in production, just curious.

Quick automation question

Is there a way to have a python script triggered so that if a certain event goes off, the script executes?

For example, I currently have a netmiko script that runs on cisco IOS to clear port security when its tripped. It uses textfsm to parse the devices, find interfaces in the err-disabled state, and reset them with a shutdown, clear port security, and then no shutdown. Is there a way to something continuously check for err-disabled ports and if it finds any at all, run the other script that clears it?

Can I get the PRTG app to work when I’m away from network without port forwarding? (OpenVPN?)

I use OpenVPN for my QNAP servers and it works perfect (no messing with ports or the firewall), I assume there has to be a similar way with PRTG without having to open firewalls and ports?

How is bandwidth and frequency exactly related?

Hello,

I don't know if this belongs here but here goes.

I don't see how bandwidth and frequency are exactly related. I'd need a very simple explanation of bandwidth to maybe keep the two apart.

Now in physical terms, free space is used as a transport medium where electromagnetic waves get transmitted. Using frequencies we can establish different communication channels, to be short (a more elaborate answer would go into the different types of multiplexing for this medium)

Bandwidth in short is the threshold for frequencies and the bigger the bandwidth the more data can be transferred or so I understand. One interesting and very simple explanation I heard is in wave length multiplexing the higher the bandwidth the more colors (=frequencies in wave length multiplexing?) are used and therefore the data can be sent across more channels/colors. However if you look at my understanding of frequency multiplexing different frequencies are used for different channels of communication.

Now what I struggle with is this: I understand that different channels can use different frequencies but can different frequencies also be used by one channel to increase data rate? If yes, what context is that used in? Users in a mobile network cell wouldn't start occupying different frequencies to increase data rate, right?

Real world PTP goodput numbers?

Just dropped in our first carrier-grade PTP link using Cambium PTP500's. 40MHz non-DFS channel.

the link is less than half a mile, clear LOS between radios but not much (if any) clearance in the Fresnel zone. Still, -45db RSSI, >99% frames sent in MCS8 or 9, and zero dropped frames up or down.

integrated link test shows 270-280Mbps. this is more than enough for this use case, but I'm curious how this compares to other similar links? I have no frame of reference here, and the marketing numbers are all bullshit.

How to split up DHCP for 12 VLANs when the switch ports are in trunk mode and all VLAN's are allowed on the ports

Scenario:

Customer will be running 1500+ VM's on 4 VMWare servers connected to 15 ports. All 12 VLAN's must be allowed on all 15 ports, which are configured in trunk mode. Customer says that providing MAC addresses is impossible, but wants certain VM's to be in certain VLAN's. Customer also insists that VLAN tagging cannot be set up in individual VM's. The DHCP server is a single Microsoft DHCP server. Is this even possible? He insists that there is a way to do this, but I can find no documentation on how this can be accomplished. Thoughts?

Cost savings, redux or ideas / challenge.

The challenge is to reduce cost or save money on an enterprise network. You can recommend anything but need to explain why an how it will save money.

3000 routers, 6000 switches, firewalls on perimeters. 5 DCs. All 3 big cloud providers are involved.

I’m deliberately being vague as want to see what folks come up.

Is the Devnet Associate OCG a good starting point for automation

So I have my CCNA and I'm currently hired for an entry-level networking role so I have the Basic knowledge. I also have basic knowledge in python, as in I know the building blocks for it. I want to try and go for the Devnet Associate cert. Does the Devnet OCG provide enough knowledge to get me started in the world of network programmability? Is there another book which might be more beneficial for me?

Is there any software to monitor a desktop up time?

I have a user at work complaining that his computer looses internet connection, I checked the network, I checked the config, I check the DHCP lease time, I checked the cable, and everything is supposed to be good, I think they're just BSing in order to get a 'newer' computer just because he didn't get the computer he wanted.

Is there a software I can install on the computer to monitor if it really looses internet connection?

What causes out of Sequence Frame errors?

I'm trying to figure out what could cause out of sequence frame errors on a carrier network. The error counter continuously counts, even at any bandwidth between 10Mbps - 950Mbps.

I'm not very familiar with this type of issue and haven't really run into it before.

I'm suspecting issues with some port-channel hashing, maybe an interface buffer (but I'd suspect to see actual drops if it was a buffer issue)...

If you had to make a guess at what would cause this, what would you say?

Delta in speed for WAN vs LAN on WiFi

Excuse the title if it isn't using perfect terms, but I have an interesting phenomenon that I am trying to make sense of on my network. I've recently upgraded to 802.11ax 4x4 gear and am seeing excellent performance when wireless clients are download/uploading files to a Synology disk-station on the same LAN segment.

However, when those same wireless clients attempt to download/upload things to the greater internet performance is worse. Note: My internet speed is gigabit

What is more confusing is that I can validate on the same switch port that devices can indeed get gigabit download/upload speed on a wired connection.

To clarify here is a rough diagram:

Wireless:

M1 MacBook Pro (10.0.1.90 ) <------------ 920Mbps/870Mbps -------------> Synology (10.0.1.27)

M1 MacBook Pro (10.0.1.90 ) <------------ 620Mbps/510Mbps -------------> Internet

-----------------------------------------------------------------------------------------------------------------------------------

Wired:

M1 MacBook Pro (10.0.1.120 ) <------------ 980Mbps/980Mbps -------------> Synology (10.0.1.27)

M1 MacBook Pro (10.0.1.120 ) <------------ 920Mbps/920Mbps -------------> Internet

I've tested the above with various speed tests online, hell I even stood up a server in a nearby datacenter and ran iperf tests to be absolutely sure, but regardless of the testing methodology wireless speeds tend to cap out around 620Mbps when going over the internet while wireless speeds to the local Synology sticks around 850-920Mbps.

Can someone explain this Cisco ASA Nat statement

nat (inside,outside) source static obj_10.10.10.10 obj_208.1.1.1 destination static obj_10.20.20.20 obj_10.30.30.30

This statement is on a service provider network that hosts services for multiple clients.

Inside int = 10.10.0.1 Outside int = 45.1.1.1 Service provider public ip address.(.i changed last 3 octets.)

Asa is directly connected to the internet.

The connectivity from customer to service provider is via ipsec site to site vpn.

I believe the customer may have overlapping ip addresses and thats whats at play here.

Any help much appreciated.

Failover for Self-Hosted Website

Hey guys,

I posted a question about BGP a couple days ago, and got a lot of good advice, most of which was to not host our own website. Unfortunately, top management is dead set on continuining to host ourselves. So I've changed tack a little bit. Is there a cloud service that could provide redundancy for us? For instance, if our cable connection went down, is there a service that we could automatically fail over to to keep our website up without interuption to the public? Thanks for any help.

802.1X and non-computer devices

I work for a manufacturer that makes devices that plug into customer's networks (similar to IP Phones). We currently don't support 802.1X on any of our devices, however it's come up recently from a few customers that they're looking at making that a requirement in the future.

From an enterprise network operations perspective, how are devices that support 802.1X typically handled? Do you issue unique certificates to each device, and if so, how do you handle renewing those certificates over the long term? Or do you just implement MAC Authentication Bypass (MAB) for these devices (and all the other devices that don't support 802.1X), and not bother managing the individual certificates on the devices?

Obviously on 'full' computers, you have tools (Group Policy, MDM, etc.) that can be used to push/renew certificates, and setup the supplicant automatically. That's something that's not typically available on these network devices. Other devices I'd assume this would also be a challenge for would include:
IP Phones
Printers
Cameras
TVs
etc.

How is this handled in the 'real world'?

Cisco Administrative Distance "Unkown"

I understand what AD is, and what Cisco uses for AD values. I have read the documentation from here. At the bottom of the table is "Uknown"

"Unknown" has an astrix with the following:

"If the administrative distance is 255, the router does not believe the source of that route and does not install the route in the routing table."

My question is, when is a source considered not trusted? When would unknown be applied? Any examples out there? Follow up question, if a link goes down, what AD is applied to said interface?

Why would one want to secure TCP connection using SSL

Hi, I'm new to networking so please bare with me.

Could somone please explain why one would want to secure a TCP connection using SSL? What does the TCP protocol lack?

Cisco inter-vlan routing behavior without L3 default gateway

I am an infrastructure systems person who occasionally plays the role of a network engineer. I was reviewing some configs with the staff network engineer. One thing that stood out to me that I did not understand:

Inter-vlan routing is working for clients without the default gateway on the client being the switch's L3 interface on the vlan.

Example:

Switch A as 2 VLANS with a L3 interface in each vlan. Vlan 10: 10.0.0.10/24 Vlan 20: 10.0.1.10/24

Router B has a L3 interface in each vlan. Vlan 10: 10.0.0.1/24 Vlan 20: 10.0.1.1/24

Client C is in Vlan 10 with an IP: 10.0.0.50/24 and default gateway of the router (10.0.0.1)

Server D is in Vlan 20 with an IP: 10.0.1.50/24 and default gateway of the router (10.0.1.1)

There are no additional routes configured on the client or server.

When I trace traffic going from Client C to Server D, it never traverses the router. My network engineer says this is because inter-vlan routing is turned on. These seems to defy routing 101: I would have assumed that the client would need the default GW to be the L3 IF of the vlan it is in (or something proxy arping into it) for inter-vlan routing to work? That is how I have always configured it for my entire career.

My background is more Juniper and these are Cisco switches so I am not so familiar if this is something Cisco-ey going on or there is a protocol that enables this that I am not aware of?

Thank you for any pointers on this.

Need some help with RCP to a Switch

Hello,

I don't have SCP available to me. How would I go about performing an RCP from my local machine to a 4500x? I remember having to SCP a while back but I've completely blanked on the process and I can't find anything concrete in searches.

vSRX in eve-ng reth interface issues

Hi All,

I've got a lab built in eve-ng with a vSRX cluster built however im having issues with the reth interfaces and wanted to see if anyone has had these problems before.

The below configuration is from node0/primary SRX and the Cisco IOL switch the reth interface is connected to.

Topology: https://i.imgur.com/GknG8E9.png

Note: Eve-ng topology shows that node0 is connected to eth2/0 through ge-0/0/9 however due to how the numbering works, on the vSRX itself its actually ge-0/0/8.

SRX Reth0 Config

root@SRX-THN-NODE0# show chassis cluster redundancy-group 1 node 0 priority 100; node 1 priority 1; interface-monitor { ge-0/0/4 weight 255; ge-7/0/4 weight 255; ge-0/0/8 weight 255; ge-0/0/9 weight 255; ge-7/0/9 weight 255; ge-7/0/8 weight 255; } root@SRX-THN-NODE0# show interfaces reth0 vlan-tagging; redundant-ether-options { redundancy-group 1; } unit 500 { vlan-id 500; family inet { address 10.50.1.1/24; } } root@SRX-THN-NODE0# show interfaces ge-0/0/8 gigether-options { redundant-parent reth0; } root@SRX-THN-NODE0# show security zones security-zone trust host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { reth0.10; } {primary:node0}[edit] root@SRX-THN-NODE0# run ping 10.50.1.10 PING 10.50.1.10 (10.50.1.10): 56 data bytes ^C --- 10.50.1.10 ping statistics --- 5 packets transmitted, 0 packets received, 100% packet loss 

Cisco Trunk Port and test interface VLAN

THN-SWITCH#sh run int eth 2/0 interface Ethernet2/0 description SRX-NODE0-RETH0 switchport trunk allowed vlan 10,500-510 switchport trunk encapsulation dot1q switchport mode trunk end THN-SWITCH#sh run int vlan 500 interface Vlan500 ip address 10.50.1.10 255.255.255.0 end 

On the vSRX if i change interface ge-0/0/8 to not be a reth interface, the interface works as expected and i can access the test interface VLAN.

root@SRX-THN-NODE0# show interfaces ge-0/0/8 vlan-tagging; unit 500 { vlan-id 500; family inet { address 10.50.1.1/24; } } root@SRX-THN-NODE0# show security zones security-zone trust host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { reth0.10; ge-0/0/8.500; } {primary:node0}[edit] root@SRX-THN-NODE0# run ping 10.50.1.10 PING 10.50.1.10 (10.50.1.10): 56 data bytes 64 bytes from 10.50.1.10: icmp_seq=0 ttl=255 time=31.026 ms 64 bytes from 10.50.1.10: icmp_seq=1 ttl=255 time=1.635 ms 64 bytes from 10.50.1.10: icmp_seq=2 ttl=255 time=1.526 ms 64 bytes from 10.50.1.10: icmp_seq=3 ttl=255 time=1.400 ms ^C --- 10.50.1.10 ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.400/8.897/31.026/12.777 ms 

Has anyone come across these issues before with eve-ng and have any ideas on how to get around this i dont think im missing anything config wise

Thanks,

4G remote power switch with VPN support?

Odd question ... does anyone know of a small 'industrial' system with a simple DC relay type switch which establishes VPN (IPSEC?) over a 4G connection? I need to be able to power on/off a number of remote devices, and would like to potentially script and control this centrally?

I currently have a number of GSM 'gate opener' type devices that toggle on / off based on an SMS message, but these are a little insecure (people are starting to know the numbers) and do not allow any feedback as to current state (a few have been left powered up for extended periods)

I've looked into a number of industrial IoT gateway type solutions, but they all have clever serial/Modbus/SCADA control connections, but not a simple DC switch.

Odd ask, but any idea?

Network equipment for ~50 users business

Note that this is a theoretical project and I'm not actually buying anything, yet I wanna pick decent equipment that realistically makes sense to use. I need router, switches, wireless router/access point and a firewall.
About switches and routers I'm not really sure, Cisco, TP-Link, HP ? Need few switches that have 24 ports and one with like 8 ports.

I'm pretty certain I'll pick wireless solutions from Ubiquiti but still open to suggestions.

For firewalls I heard NetDefend or Fortigate are decent but again not sure.

Checkpoint FW - Disable external access to EAC on Exchange 2016

Hi,

I'm using Exchange 2016 in my production and I want to denied ECP access from external (internet). How can I do it and where should be configure?

​

Thanks,

Feedback for an engineering project

Hello r/networking, I'm a first year engineering student who's been assigned a group project in which we have to create a design that will improve mobile data access in rural Australia (well that was one option anyway). Nobody in my group had any prior knowledge about networking systems at all but we have been studying it a lot over the past month. However, we are still very inexperienced so I thought I would see what you guys think of our design.

Our system will be using antennas and cellular repeaters. We wanted to use high gain dish antennas and operate on a 3G network (using a 900MHz frequency) to compromise between signal quality and signal range. The antennas would be mounted on large poles and the system would be powered primarily through solar power. The large problem we overlooked was that we thought the range of the design was limited by the cell tower's range, and only later we realised that it would be limited by the antenna's range. We thought the design could work over distances of 80km, it turns out it would only work over 8km. So we thought maybe we could turn each house into its own sort of "mini base station". The houses would form a "chain" where the signal from one house is passed onto the next house and so on until it reaches the real base station, from which it can connect to the rest of the network. I'm sure this is an absolutely horrible idea so I thought I'd get some input from people who know what they're talking about!

Once again, we have almost no prior experience with networking or even with engineering for that matter so please excuse my ignorance (and our unit coordinator is a bit useless). And a quick disclaimer: the assignment rubric isn't actually focussed on the design, its more focussed on our method, so we aren't cheating by posting this, its purely for personal reasons.

Thank you!

Is Cisco VLAN preventing broadcast traffic?

Sorry for the novice question. I've got two Catalyst 9200Ls: Switch 1 has all VLANS and there's a trunk in between it and Switch 2. Both switches have ports with access to VLAN 10. When devices are connected to those ports, I can ping all of them from my PC and I can access the devices through a web browser.

My problem is that these devices are to be configured through a software tool. I run the tool on my PC and it's supposed to find any of the manufacturer's connected devices, but it doesn't. I found the following answer on the manufacturer's website:

If any stations are missing from the “Station List” under “Association Settings”, the broadcast used to find stations may be unable to reach them, which is common with managed networks. We recommend placing each station on the same an unmanaged PoE switch as the programming PC. This will allow the station search broadcast to easily find your stations while having the ability to redeploy the once programming is complete.

During the station search and program file upload steps, it may be required to disable any alternate network connections, including Wi-Fi and VPNs, for both processes to complete properly.

I'm sure I could easily go buy an unmanaged POE switch and go about my business, but I'd really like to know why this is happening and how to fix it to prevent this issue during future installs.

When or when NOT to set up a Nexus VPC

Hi! Question I've been pondering...I have a variety of switches ready for an upgrade, and we're all set on upgrading to a relatively consolidated Nexus model - basically 3 or 4 flavors of Nexus 9300s, depending on current copper/sfp load. For the most part, it's straightforward...either a stacked catalyst switch is getting replaced with a pair of vPC Nexuses, or I already have a Nexus vPC so I'm upgrading like for like. However, I have a handful that are not explicitly stacked, thereby relying on STP for redundancy, or in one case I have a pair of stand alone switches primarily dealing with routing. My question is for the latter...

​

This particular pair of nexuses is basically doing all layer 3, mostly single layer 3 ports except for a layer 3 2-port port-channel between the two as a pseudo stacking connection...my question is, do I gain *anything* from making these switches a vPC pair? or would that be complicating things...

​

Typically i'm used to "oh my nexus core has to route so..." and you have layer 2 vpcs everywhere, but you need to accommodate OSPF...so i'm trying to see if i'm under/overthinking this...

​

TLDR - if you're *only* doing layer 3 dynamic routing, is there a point, at all, to forming a vPC pair between 2 nexus 9k switches.

Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.

Coupling ethernet cables in bulk?

I've got a project that's extending the ethernet cables in a home to reach a different location - we need to couple 16 solid, unterminated cat5e cables up to another 16 unterminated cables.

What's the proper way to do this? 110 punch down block, patch panel with keystone jacks, or something else? This is a permanent installation and wires won't be touched or changed around once it's installed, just hidden away in a box forever.

Wifi System Recommendations

Hello, I have a 100,000sq ft warehouse (flat area) where I need to set up Wifi across the plant. 5 - 7 Users ( Handheld devices for inventory program)

Currently in the Office I have Surfboard and TP Link Router.

Which brand or model of access point system should I install that has great range?

Thank You in advance!

Nokia 7705-SAR-HMC help

I picked up one of these Nokia routers really cheap on eBay. I thought it would be a good way to get my feet wet with SR-OS. These are FCC Part 96 (CBSD EUD) compliant and we run our own private LTE core, so kind of a cool added bonus. Anyways, when I boot it up, all I get on the console port is

U-Boot SPL 2018.09-TiMOS-H-19.10.R2 (v12) Git: [ Tag/Hash: TiMOS_19_10_R2-0-gef19b3ba0 ] (Dec 17 2019 - 03:30:33 +0000) Trying to boot from NAND U-Boot 2018.09-TiMOS-H-19.10.R2 (v12) Git: [ Tag/Hash: TiMOS_19_10_R2-0-gef19b3ba0 ] (Dec 17 2019 - 03:30:33 +0000) CPU: Freescale LayerScape LS1020, Version: 2.0, (0x87001020) Clock Configuration: CPU0(ARMV7):600 MHz, Bus:300 MHz, DDR:800 MHz (1600 MT/s data rate), Reset Configuration Word (RCW): 00000000: 0610000c 00000000 00000000 10000000 00000010: ff000000 08cc7922 e0185a00 81046000 00000020: 00000000 00000000 00000000 08040f00 00000030: 00000105 0004b100 00000000 00000000 Model: Nokia SAR-Hmc Board Board: SAR-Hmc, boot from NAND Watchdog enabled I2C: ready DRAM: 2 GiB NAND: 512 MiB Loading Environment from NAND... OK In: No input devices available! Out: No output devices available! Err: No error devices available! 

The listing claims that this was a new device but I know absolutely nothing about Nokia hardware. Can anyone help me get a command prompt on this thing?

Instagram subdomain "z-p4", what is it used for?

I was on instagram earlier, and like most people, I will sometimes get random follow requests from fake looking accounts. The profile pic was porn model and the message was like "Come follow me on my private page to see more of me" or something.

Every now and then, I click these links and see where it leads out of curiosity. When you click this one, it just sends you to this URL:https://z-p4.www.instagram.com/

And it shows my normal instagram feed as always. I googled the subdomain but couldn't find much info on it, other than it is definitely exclusively tied to facebook/instagram.

Does anyone know why this exists and what the subdomain was originally designed for?

Hide letters after domain

I wanted to know how to hide the letters after a domain for example i want to shorten it from https://example.com/image0.jpg to https://example.com

i saw an image host using this to shorten urls but i does know how to do it this is an example url from a website that isn't online anymore but did the hidden urls this is it hidden and when i pasted it to a special application that showed % symbols

https://pleasedontrat.me/​‌​‌​‌‌‌​​‌‌​‌‌‌​‌‌‌​‌‌​​​‌‌​‌​‌​‌​‌‌​‌​​‌‌‌​‌​‌​‌‌‌​​‌​​‌‌​​‌‌‌ and https://pleasedontrat.me/%E2%80%8B%E2%80%8C%E2%80%8B%E2%80%8C%E2%80%8B%E2%80%8C%E2%80%8C%E2%80%8C%E2%80%8B%E2%80%8B%E2%80%8C%E2%80%8C%E2%80%8B%E2%80%8C%E2%80%8C%E2%80%8C%E2%80%8B%E2%80%8C%E2%80%8C%E2%80%8C%E2%80%8B%E2%80%8C%E2%80%8C%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8C%E2%80%8C%E2%80%8B%E2%80%8C%E2%80%8B%E2%80%8C%E2%80%8B%E2%80%8C%E2%80%8B%E2%80%8C%E2%80%8C%E2%80%8B%E2%80%8C%E2%80%8B%E2%80%8B%E2%80%8C%E2%80%8C%E2%80%8C%E2%80%8B%E2%80%8C%E2%80%8B%E2%80%8C%E2%80%8B%E2%80%8C%E2%80%8C%E2%80%8C%E2%80%8B%E2%80%8B%E2%80%8C%E2%80%8B%E2%80%8B%E2%80%8C%E2%80%8C%E2%80%8B%E2%80%8B%E2%80%8C%E2%80%8C%E2%80%8C

Solarwinds config change templates help

Hi, does anyone have a guide or helpful documentation for the Solarwinds change config template feature in NCM? I have checked the Solarwinds documentation and it seems to be aimed at someone who has experience programming. The vendor we are using doesn't come under the built in templates or any that would be shared on THWACK. Also yes I know Solarwinds is unsecure garbage blah blah blah thanks for your concern in advance. Cheers.

Inter-vlan firewall

Ok so my background is not networking but I'm trying to better understand.

Let's assume we have a simple layer 3 switch. SVIs can be used to route traffic between vlans.

If I want to add a firewall between these vlans, can this only be achieved by essentially moving this routing to the firewall and removing the svi?

I guess what I'm trying to understand is that are SVIs only generally used when vlans don't need any specific security around them i.e, if you don't have any specific need to restrict traffic between vlans, then using an svi is fine via the l3 switch

Looking for new graphening tool for switches server router

We use atm a selfmade rrd solution that creates an image every 5 min. We also use Nagios, but only for monitoring the switches health and link connectivity.

The Product should have:

-a near realtime update mechanism for bandwith useage

-a simple gui

-good support and well known

-works with Juniper (especially ex | qfx | srx )

-implement in some really important linux (rhel, centos, debian) servers like ntp, ipam, dns, management solution for access points

​

I have been looking (not testing) on cacti or netplan

Thanks all

10Gbps fiber link only pulling 5Gbps

I have a UniFi XG Aggregate switch that routes traffic between the router, a Dell r720xd with a I believe Intel SFP+ NDC, a Qnap NAS with SFP+, and two workstations with Mellanox cards. SFP+ modules are Ubiquiti but I also have some other 10Gtek Amazon ones.

When using iPerf, I can do 6Gbps at most between the workstations and the Qnap. Workstation to r720xd is typically 4-5Gbps. I have tweaked the hell out of offloads, jumbo frame, etc, but have only yielded minimal or worse results. My experience with 10Gb is fairly limited to this setup, and I have actually seen better success out of 10Gbe, but I would love to get these connections higher for our new 96TB r720xd that’s showing up Friday, which I ordered an Intel x710 NDC for that came with intel modules. Is 6Gb pretty standard for just a 50 foot run? Or am I losing speed somewhere.

On another note, this new server is going to run in raid 10 and be a primary server for editing RAW video off of. Any recommendations for a NAS OS that manages streaming large video files would also be greatly appreciated. Trying to get up to 800MBps consistent with low latency for scrubbing timelines. I know where to look to solve all this I just think I’ve missed something

Anything helps. Thank you!

Help out a newbie?

We have a copier on our network that isn’t letting users print to it from our virtual machines. Physical machines print to it fine. Scans go through fine and faxes as well. I’ve run new cabling from it to the patch panel. I’ve reseated the cable on the patch panel. I’ve power cycled and rebooted in trouble shooting modes. I am able to ping the printers IP address from desktops and the VM’s. Anyone got any ideas?

Is “Network Warrior” still worth the read in 2021?

I work at a NOC as a Tier 1 analyst so most of my work include IOS upgrades, monitoring site outages, lots of layer 2 troubleshooting and configurations. Would this book still be worth it since the concepts never really changed? I heard a lot of great things about this book.

NATing a destination IP on an ASA for a VPN connection - Can't ping but it works. Normal?

Hey All,

I have a site with a problem right now. Long story, and I realize this isn't ideal, but for now I've bandaided it with NAT so email can flow once again.

Source is 192.168.120.57. Destination is 192.168.198.134. They access each other via site to site VPN. Packets are dropping from 120.57 to 198.134; About 14%. I've bandaided it for now by NATing 192.168.198.134 to an unused IP on another subnet that also resides in the same facility as 192.168.198.134 and is also in the VPN tunnel ACL, which for whatever reason, 120.57 has no problem reaching.

nat (inside,outside) source static obj_120.57 obj_120.57 destination static obj_198.134 obj_172.30.1.134 no-proxy-arp

That fixed the issue, BUT, from 192.168.120.57, I cannot ping the NATed IP of 198.134 (172.30.1.134). Is that by design since technically that host machine doesn't physically exist? If so, I'm good with it. Just want to make sure I have it right. When I try, I get the rpf-check failure and the asymmetric nat rules detected for forward and reverse rules message in the logs. I'm guessing that's because I'm NATing a private destination IP to another private destination IP and not an outside IP or the public interface IP.

Experiences with FS.com DAC cables

I'm making my first foray into non-OEM DAC cables, and I'm trying to convince myself that I'm "safe" ordering DAC cables from FS.com, as they have far and away the best prices that I've found.

Basically, is there any reason that I should avoid FS.com Juniper-compatible SFP+ 10G DAC cables? (They will be used to connect EX4600 switches to Intel X710 NICs.)

WLCs not talking to each other

Got a new job 2 weeks ago and we have 2 Cisco 5520 Wireless Controllers. I have been doing some network investigation and I see packets dropping on the wireless every so often. I think it might be that the APs are jumping between the two controllers not knowing which one should be primary and which one secondary. The controllers don't seem to be talking to each other at all. We have dual Nexus 9k core. Is the correct way to get these going well and redundant to put port channels on the 9ks? Anyone else have more experience than me to point me in the right direction to get these talking?

Juniper stack giving slower network speeds after facility generator test.

Switch stack is on surge protector unit. No packet loss. CPU load at 0%. Memory only at 64% utilization. No connection loss. Reaches all neighbors. Ports all on full duplex.

NAT Rule between LAN's

Hello, I set up a virtual machine with Sophos XG, with two LAN's with different subnets (LAN 1 and LAN 2). We have an application on a computer (LAN 2) that needs to access an application on a server (LAN 1). However, this application uses the external (valid) IP.

We are not managing to create the NAT rule for this. I found an article by Sophos, but it applies to an old version of XG. I was unable to replicate it in the new version.

​

Topology

​

Sophos Article

help me to reach my destination as a network engineer

Im currently a computer science student at final year and i wana become a network engineer so to be a network engineer what should i do .I recently started

CCNA-V7-Introduction to Networks

and what further should i do??? any experts here.....

Looking for simple inexpensive SDWAN device that supports SIM card LTE and can form tunnels to a controller (hub and spoke fashion) to allow access of remote LAN from the hub.

Im looking to use this device to manage a remote router that has satellite connection. The idea is when the satellite modem goes offline I should be able to login to the router through the SDWAN appliance. Another use case is to connect this device to UPS so I can manage the UPS. What are the options? Thank

Can random access happen when UE is in DRX sleep mode?

Hey guys, I have a question. In LTE, when UE has no traffic it switches to DRX (discontinuous reception) mode and don't monitor PDCCH (Physical Downlink Control CHannel). There have been many papers discussing it but they all focus on downlink (i.e. eNB transmits data to UE). Since random access is transmitted via PRACH (Physical Random Access CHannel) but there will be some signalling from eNB to UE via PDCCH in random access procedure. So if UE is in DRX sleep mode, a packet arrives in UE's buffer, can UE generate a RA request?

Thanks you guys for answering.

Firewall Recommendation: Small Office CheckPoint 620 Replacement

Hi,

I have an old CheckPoint 620 I'm looking to replace for a small office (up to 5 people and 10 devices - printer, NAS, wired desktops, etc.). The 620 has definitely been overkill for current requirements and usage.

Are there any good hardware firewalls in the $300-$400 range that don't require annual subscriptions for IPS, etc?

Thank you,

Becca

termux + ubuntu wsl | ssh connection over the internet

Hello, I installed ubuntu wsl on windows 10 and I'm looking for a way to connect via ssh to the virtual machine (the host is ubuntu wsl and the guest termux) even outside the home wifi network (in particular from termux), locally everything works fine. But to make it work even when I'm away from home I have read a lot of guides on the internet but I still don't understand what I have to do ... could someone help me?

do i need to activate port forwarding from the router panel? the one accessed by typing the gateway in the broswer?

CCNP Service Provider

So guys here's the tea, I just failed my exam for SPRI and I admit, I did not prepare well. Could someone know exam vouchers for retaking cisco exam? Anyone? okay, there's no one.

Successful Building Network Deployment! (A Noob Developer's Guide)

A month ago, I posted here to ask for some help about Network Deployment (Previous Post). Being a Developer, Network deployment is not my strongest skill. But after going through it myself, and with tremendous help from various people (Data Electricians and IT Redditors) and a lot of time researching, I was able to successfully deploy a network on a new building! I know the post was not popular if at all, but I would like to thank the redditors that provided their time and advice. :)

​

The physical deployment took about 3 days. There was roughly 2 weeks worth of preparation which included research and ordering. Included was obviously creating VLANs and securing the network and enabling logging etc. I have not included that below as configuration will be different for each device/brand topology.

​

Here is quick mock-up guide for those who may find themselves in the same position as I was (hopefully never):

1.) Create a scope on what it is going to be and what it is you are going to need in order to deploy your network. How many static (approx.)? Guests (approx.)? Telephones (VoIp)? Conference Rooms (Video Streaming)? How much is the budget?

​

2.) Before asking/going for a survey/inspection, ensure you have some tools with you.

a. Network Cable Tester

b. Various Screwdrivers/Phillips

c. Cable ties

d. Flash Light

e. Label Maker (or a Marker and a Painter’s Tape or both!)

f. Tape Measure

g. Ladder

h. **Vacuum (only if it is an old/existing Data Cab)**

i. Documentation (in writing or digital)

​

3.) Request survey/inspection of the building and the building plan (you want to look for the electrical plan if possible). Note: I liaised with our OH&S who was a former Civil Engineer/Tradie/Builder. I am lucky in this regard as he took over the safety inspection for every single floor and also hired the appropriate people to fix and replace things. This included the wiring. You may need to hire a building inspector to do that part or you may not.

Data Cabinet - Before Pics!

​

4.) Begin your survey/inspection when safe to do so. Check the Data Cabinet. Clean up and replace/remove/fix things. Begin testing of every single port against the Patch Panel. Mark/label the ports and number them accordingly (if it wasn’t done so). Mark the patch panel as well to make it easier to visualize things.

​

5.) Roughly measure the distances of the switch to the patch panel so you can buy (or make one yourself [ How To Make RJ45 Network Patch Cables - Cat 5E and Cat 6 - YouTube ]) appropriate length of ethernet cables and also the amount you will need.

​

6.) Create a documentation of things from steps 4 and 5 as appropriate.

My documentation example

​

7.) Begin creating a list of things to order. With my particular situation (for one floor in particular):

a. 2 Wireless Access Points

b. 1 Switch (48 Port)

c. 50 pcs. 1 Meter Cat6 cables (because the Patch Panel actually runs in Cat6)

d. 10 pcs. 2 meter Cat6 cables (for those that need the extra length, then cut to size)

Note: Do test your systems if they are working before working live

8.) When wiring the Data Cabinet, it is a good idea to have some visualization on how you would tackle the situation. Plan out which Ports from the Patch Panel would go. I highly suggest to keep a note as you go along so you do not lose track of which Patch Panel Port actually goes into your switch, especially if you decide not to go 1:1 (like I did). Take your time.

Network Deployment Complete - sort of!

​

9.) Monitor your network and look at the logs. Ask your users and make changes/fixes etc. as needed.

​

And that is it! My experience/simple walkthrough guide for a basic network deployment!

P.S. the pictures reflect the network deployment at about 98% completion. The end product is cleaner. Also, this is a very "simple" network deployment, all things considered. But I wanted to share my experience and learning from it for those who may face a similar scenario or situation. It is NOT intended to reflect a super-perfect-top-shelf-super-professional-I-AM-A-NETWORKING-GOD-BOW-TO-ME-MORTALS guide. But a resource of sorts for those who need some structure and simple guide for a simple/basic network deployment.

Nexus VPC Pair... Setting STP priority on orphan ports

hello all,

quick question coming from a stp newb. We run the nexus family of switches in a VPC domain. We have certain use cases where Orphan ports are must(single run DCI's, etc). When connecting to a single switch port on a single switch is it best case to create the VLAN's on both nexus's in case the need to quickly swap ports from one nexus to another arises...but go ahead and hardset the root bridge as priority on the current "active" switch? Is this bad practice, completely useless/inconsequential, or does this seem like standard practice?

Querying Up Interfaces on 100 Switches

Hi Guys,

I have just been asked to supply a report that can assist with a quote to replace all patch leads on the network. I can go through with Secure CRT and copy the output of 'sh int status' but I would really like to make this my first python/netmiko script. I am presuming this is one of the most basic queries you can run on a network so I was wondering if someone could please point me to a script/instructions that could make this happen? We are talking about 100 switches but they are mostly Cisco Small Business (SG300 etc)

Who likes a single strand of dark mode fiber - and what to do with it?

We're about to be handed a single strand of single-mode fiber b/t our two data centers. Not two strands.. just the one. Does anyone have OEM / Product recommendations on what we might use to get 10Gb or more L1 speed out of this thing? Like a DW/CW Mux that they've had good experiences with?

High ping time and packet loss?

Is it possible to have a high ping time due to a CAT-5 cable that is exposed to sun and rain? The outside part is even in a clear hose to protect it even further. It is just a small business network where we store all of our camera footage in one facility and we use a +30m cable in our main office. What test should we conduct further?

Ping result from the end of the +30m cable:

851 packets transmitted, 837 received, +3 errors, 1.64512% packet loss, time 882813msrtt min/avg/max/mdev = 0.383/3.171/1009.993/35.261 ms, pipe 3

Stupid Question I really should know about routing

I really should know this, but, here it goes:

I have a firewall @ 192.168.0.2 directly connected to a switch @ 192.168.0.254. Switch has a default route to another switch @ 192.168.0.1

I want to make the next hop on 192.168.0.2 firewall the far switch @ 192.168.0.1, NOT the directly connected switch @ 192.168.0.254.

Any issue with that? Should be ok I think since the directly connected switch has a default route to 192.168.0.1 right?

MFA for Cisco ASA while having multiple authentication methods for one Tunnel-Group

Hi everyone,

We are currently working on enabling on MFA for Anyconnect. We just got everyone in our company setup with MFA and we are working on deploying that into our VPN. I have been following a cisco white pages and a YouTube video from cisco and they both seem really straight forward.

However, I would like to turn this on for a few employees to test it out before enabling it for the whole company. Currently everyone VPN's into our main office using a vpn tunnel called vpn_fiber. The authentication method is ldap and it's using a aaa-server-group called LDAP_GROUP. The LDAP_GROUP has two hosts to authenticate with both are internal servers running AD as we are a hybrid environment.

My question is this: When I configure Cisco Anyconnect to use SAML Authentication, and apply SAML authentication to our Tunnel Group, will my other Authentication method be replaced? It seems on the Microsoft side I can specify what users I let use MFA for the VPN, but I am not sure if the other authentication will stay in place as well.

Any insight on this would be much appreciated.

RL application of Spine/Leaf - couple questions

I understand the "scale-out" ability of Spine/Leaf and how EVPN w/ anycast GW can ride overtop, and how you always have an equal amount of hops to the next leaf, can use your local leaf for routed egress, etc... What is the real world physical application of this topology? Is this basically only for top-of-rack vPC leaf pairs in a very large physical data center environment?

After recently learning/labbing it, EVPN to me seems like a very good DR strategy, so I'm wondering if an "EVPN Domain" can stretch across multiple spine/leaf pods, provided you have dark fiber links and can do jumbo mtu? If so, would you just land those links on a border leaf set, mesh VTEPs and call it a day?

Purchasing an IPv4 /24 through a broker.

Anybody purchase a /24 recently through a broker/secondary market? What's the going rate these days what was your experience?

Network refresh help

We're approaching a "network refresh" in about a year or so. We're a small company - consisting of 1 office location (now almost empty) and 2 data centers - primary and backup (active/passive) - this "triangle" is connected by p2p links handled by Cisco ASR (1001 - just went end of service, last month) routers running OTV, for convenience. Each site will have it's own dedicated internet links. So all in all, we have 4 p2p (2 from the office to the primary data center) links and 4 internet links. we run ASA for internet edge (firewalling, VPN, IPS).

We have started deploying Meraki to peoples homes, but without a concentrator, they all terminate on ASAs (with only 10 so far it's not perfect, but manageable)

Anyways, if you had an opportunity to do a total redesign - what would you do in 2021 to make it "better"/more efficient? - we are not planning on "moving to the cloud" or "grow" - so it's most likely the same active/passive/office triangle as far as physical infrastructure.... with more "home/branch" office added...

Juniper EX2300 Virtual Chassi

I'm used to configuring EX3400s with the built-in VCPs on the back. I'm using 1Gig multimode SFPs between the switches but "show virtual-chassis vc-port" shows the ports as "Absent". I'm beginning to wonder if 10Gig DAC cables are required? Anyone have experience with this?

Terminating Single Mode Fiber

Our fiber guys have never done single mode fiber before (they don't do fiber that much,) and we're wondering what the best way to terminate single mode is? We'll do multi-mode with no-polish connectors, can it be the same with single mode?

Manual batch Smart License Reservation?

Hi All,

My org is going to be upgrading large #'s of Cisco devices that will require licensing with the IOS we're moving to. Due to several reasons, we're doing the license reservation manually.

However, as far as I can tell, I can only enter one Reservation Request Code at a time in the text box, to generate a single Reservation Authorization code at a time.

Is there a delimiter that can be used to enter more than one Reservation request code at a time? I've already tried semicolon and comma. I haven't been able to find any detail checking Cisco's documentation, and my GoogleFu has failed me. We don't have a smart contract either, so Cisco support is useless.

Cheers

​

Edit: added some detail for clarity

Creating Hostnames / Device Names

When deploying multiple network devices over a diverse geographical area (ISP network), what do you recommend naming these devices? Do you internally have your own labeling scheme, or use some industry standard way of doing it?

It seems that many of the new monitoring platforms want us to define a hostname for every device (in addition to a name), so we are trying to decide on the proper format.

We used to label the devices by client / customer name, but that is proving difficult as some devices service multiple clients plus clients names change overtime. Plus clients typically have multiple devices at the same site.

Should the name include the make and model of the device? I would think no as that is usually pulled from the device itself using SNMP. Example Juniper MX204

Should it include geographic info? We are including the Lat, Long, and address in the SNMP syslocation location.

Any advice would be great!

How do I go about training a new hire?

I work as a Sr. Network Engineer for a hospital. We have 2 main hospitals and about 50 remote clinics totaling about 4000 users, 10000+ devices, 250 switches, 300 access points, 2 SAN’s, 4 firewalls, clearpass, solarwinds, etc. I have been solely in charge of the network including all switches, routers, wireless, vpns, firewalls and anything else network/storage/security/VM related, as well as all daily tickets, projects, and lights on work, for the past 16 years.

We finally got a new CEO who realizes this is kind of crazy and has approved hiring another network engineer. He is actually coming from a very similar environment (hospital) and has similar qualifications as me so I don’t need to worry about showing him the basics.

My question is, what’s the best way to go about training him on our environment and getting him up to speed so he can start to alleviate some of my workload? Just looking for some tips from others who have done this in the past, as I have not.

Throughput calculation between layers?

Hey everyone,

​

I was given a task to make some kind of inter-layer throughput converter (from L1(PHY) to L4(TCP) by OSI or updated TCP/IP model) network.

By this converterI mean an set of formulas in excel that could recalculate throughput from throughout layers (again between L1 and L4). Throughput at given layer, MTU and TCP header are used as an input data.

For example: I need to calculate available throughput at L4 while having say 100 Mb/s at L1. So do the following: L4thr = (L1thr[b/s]* (MTU[B]-IP[B]-TCP[B])*8)/((L1h[B]+L2h[B]+Payload[B])*8), where L1thr - throughput at L1, IP - IP header, TCP - TCP header, L1h - Layer1 header, L2h - Layer2 header.

My question is: is it even possible to create such calculator, because I am struggling finding any info about it on the internet and now have really doubts if it is even possible and not sure if my approach really works. Because when doing such conversions between layer some results do not match the other. By this I mean if I take L1 as input ex. 100Mb/s to calculate throughput at L2-L4, then if I take say L2 as a corresponding input ex. 97,5Mb/s which somehow refers to 100Mb/s at L1 my results at L3-L4 are different when the source is L1 thr. compared to the scenario, when the source is L2 thr.

​

I a sorry in advance for possible stupid question or the way I am trying to explain my problem. I really would like to know if it is possible to create such converter and if yes, how should I correctly recalculate the values.

Netflow Monitoring Software Based on FLOSS

Hi guys,

I try to find some netflow monitoring solutions based on FLOSS, meaning I want to record netflow streams in a network with over 1500 POPs, switches, routers, OLTs, DSLAMs, ... and have them visualised in graphics for searching and doing research on the performance.

Do you have any ideas/proposals?

Thank you advance.

Juniper aggregate blocking broadcast

I have a pppoe client device in a lab plugged directly into an MX5 router into a physical port e.g. ge-0/0/10. The MX5 router is acting as the pppoe server. This works fine and the pppoe client can establish a pppoe session without any issue.

If I then plug the pppoe client into a switch and I setup LACP aggregate interface (ae0) from the MX to the same switch the pppoe client will not connect anymore. I know end to end that the tagging etc is working correctly because if change from pppoe and I put an IP on the subinterface e.g. vlan 200 it can ping end to end fine.

It's almost like the ae0 port is blocking broadcast requests. The pppoe PADI request just never seems to get to the MX. If I do a capture I can see the PADI requests leaving the pppoe client but they don't get to the MX.

Has anybody seen anything similar to this before?

cisco ncs5501-se

We are planning to expand our internet routing platform with NCS5501-SE. We currently have ASR9001 and we do 7 peerings with FIRT, we do mpls, netflow, BGP v4/v6/vpnv4, QOS.

One scenario that we would like NCS to support is a few dozen customer peerings that each one of them will live in a seperate VRF, in order to have its own routing table and own peerings/upsreams. This means that in each VRF there can be from 10K-300K routes and a default pointing to the global VRF.

I have heard that NCS has limitations on how the ports are used and the scalability of routes in a VRF. So, what is your opinion about that?

Also, in comparison with 9901 and the new 9902 (dualRE), I assume the NCS is positioned as a cheaper solution. Is that right?

Dual Control Software for Configuration Changes?

Full disclosure this is for a paper for school... The idea is that if someone wanted to make changes to say network routers or other critical infrastructure they would need to use dual control to prevent insider sabotage. I did some light googling and all I came up with was results for password managers that have dual control features is there anything for networking devices? Thanks in advance.

BGP communities to 2 different ISP for advertising a /24

I am trying to setup BGP to 2 different ISP in 2 different datacenters. We have a /24 public network we want to advertise out.

DC1 is the primary DC and DC2 is the secondary DC. Have Vocus and Optus in both.

DC1 Vocus primary, Optus Secondary. DC2 Optus primary (3rd) DC2 Vocus (4th). (would have liked to had the Vocus primary at both but someone ordered different bandwidths :( )

Looking at Vocus i cant see anything with communities about setting the LCL pref but Optus does, but i want that the secondary from DC1.

Any pointers before i hit the ISPs up again as they previously advised me that we cant do anything.

cheers

ntopng blacklisted JA3 Fingerprints

Should I be worried that when I click on some of the TLS fingerprints in ntopng it takes me to a ssl abuse website and a few of the TLS fingerprints show as blacklisted for malware? I can't seem to find exactly what app is using these TLS certs, and I don't see any flagged IP's being connected to. Is there a way to see a connection between the fingerprints in the TLS tab of ntopng and a remote server IP or something so I can get an idea of what connections are using them?

How To Find/Detect Nested GRE Tunnels?

Greetings All, I am told there are nested GRE tunnels somewhere on our Cisco routers but given the deplorable state of the documentation, no one has a clue where they are. Is there a way to find out where they are? It would help a ton. Thanks!

Edit: There are dozens upon dozens of tunnels on these routers so I am looking for a quicker/ higher level way to identify them as opposed to going one by one.

Moronic Monday!

It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.

Note: This post is created at 01:00 UTC. It may not be Monday where you are in the world, no need to comment on it.

Need help understanding subnetting and subnet masks.

I did some mild searching on this subreddit and didn't find the answer I was looking for. Let me first say I understand the advantages and disadvantages, I understand the maths behind it.

I'm not actually sure how to convey what I'm confused about but after reading about subnetting for my class this quarter, I just don't understand how it works in theory I guess. Maybe an explanation of how I'm processing this information will help and someone can correct me or fill in the gaps.

So I have a ten computers in a room, all are connected to the same modem/gateway. Since they are individual computers, they each have their own IP address. within this internal network of 10 computers, I want to divide the network in half (lets say they are playing DOTA or something and are paranoid the enemy team is listening in on their textchat or something). So I set the subnet mask to be something that allows for 5 clients to be on each subnetwork. The 5 computers in one subnetwork are communicating with each other but they aren't using their ip addresses because that would be they are connected tot he internet and defeats the purpose of security. But the ip addresses i guess are being used because the subnet mask doesn't work on it own. this is where I usually get lost and frustrated.

I guess another thing that might clear things up is that is one is just trying to make more ip addresses out of one ip address in a local network, why doesn't the network just tack on a couple more bits and the IP address just be read as 192.169.0.1.34? surely thats more efficent with data since it seems 64 bits are having to be used in communication (the 32 ip and the 32 subnet mask).

Its not like I'm trying to understand the inner machinations of how its all being done physically, but the theory and understanding of itself just escapes me. everything else in the class so far makes perfect sense, even the OSI model which I was told would be hard to wrap my mind around.

Does any virl images support pvlan trunk promiscuous?

I am not able to run these commands on the cli:

"switchport mode private-vlan trunk promiscuous"

"switchport private-vlan mapping trunk 3 301, 302"

 I find the CLI to configure Private VLAN secondary trunk:

"switchport mode private-vlan trunk secondary"

but I cannot apply the command associate with primary VLAN:

"S1(config-if)#switchport private-vlan association trunk 100 102

%Command rejected: Community or Two-way community VLANS is not supported on private-vlan trunk ports."

[Packet Tracer] What's wrong with my OSPF configuration?

Hello, I hope this is the right subreddit for this question!

I'm doing a mock Skill Assessment for my course, and I'm stuck on the OSPF part. I've got Static Routing to work. But whenever I use OSPF, I can't ping from PC-PT to the Buffalo router or from the Switch to the Boston router.

Any idea what I've missed here?

Here's the network

And the relevant config commands

ACI Lifecycle Gen1 to Gen3

Hello as we are some early adopters in ACI we have a stretched fabric with Gen1 HW.

Sales has offered a Lifecycle ngor Gen2 hw. BUT gen3 is since, i think February, open for pruchase. So why Gen2 when i can buy Gen3?

But it seems it is not possible to replace Gen1 HW with Ge3 as they are not compatible with each other.

So my opinion is - build a new fabric parallel to the old one and then hard cut over the servers to the mew fabric. As we adv. The subnets with bhp to the DC Core, we could just re-patch the server and then set the metric to a better value for the migrated subnets.

Or would thete be a way to connect both fabrics with each other like leaving the gateway on the old fabric, move the ESX host, and later move the Gateway?

VXLAN overlay 2 switches?

I saw a 2-switch design for Vxlan Overlay. I’m confused, what’s the real benefit? The only encapsulated traffic was cross switch traffic and honestly can’t you just use layer 2 at that point?

Advice on learning networking with virtualised network and hardware.

Hi everyone, I am a beginner in IT studying CompTIA A+ (taking up more courses to get into Cybersecurity). I would like to get a more hands-on experience to understand the networking process better (instead of reading about protocols in A+).

I am looking to set up a completely virtual network to learn more about the stuff in A+. For example, setting up an active directory with DNS, DHCP, SMTP, SMB, Printing servers, with maybe 2 windows 10 users. Also I would like to include virtual firewalls (pfSense) and virtual routers in the network as well.

To all the all the more experienced networking techs, do you think this would be a good idea / is it even feasible in the first place?

For now, I would just be learning how to set up Windows 2019 server and play around with it. (Should I start with linux servers??) I would appreciate any advice on how to start this project! Thanks everyone!