Saturday, June 5, 2021

Can/Should I connect to an IX or Transit provider?

I’ve never dealt with this. I’ve done my fair share of BGP configuration with ISPs and internally, but I’d been reading a bit about various IP transit providers (namely HE) and had never worked with them. I’d also noticed that there are IXs at colos that I have fat pipes to already.

For context, I work for a modest sized enterprise. We have an ASN, v4 /16 and v6 /40 (which I’m yet to use), all in an ARIN region. There are 2200 or so users, and roughly half have been remote WFH for the past year. The remainder had been spread through a number of SDWAN sites.

Our biggest internet traffic uses are, in no particular order:

  • General web traffic (we require full tunnel VPN and for the time being, everything is funneled through HQ). We are moving to a cloud proxy soon.

  • SDWAN

  • Remote access VPN

I’d noticed that HE peers with the cloud proxy provider we are moving to. I’ve also noticed that they peer with the majority of ISPs that our WFH users and SDWAN sites use. Many of these ISPs are also present at our local IX.

As a modest enterprise, and not by any means a content or service provider, am I able to just “join” an IX? Is purchasing IP transit through a provider like HE an option? It seems they do not allow using this service for a default route, but I imagine I can just continue to receive that from my ISPs.

Is this a common practice? I’ve only really ever gotten regular internet service, either business class or with BGP, in the past, so this is somewhat new territory for me.

Thank you.



TACACS & TrippLite Console Servers

Has anyone here worked with ISE 2.x and configured restricted access to console ports on these servers?



Telecom Giants as MSPs & VARs - Are they all awful?

Over the past few years, I've been working for an American telecom giant and I've been severely unimpressed with the way that we scope out and deliver managed services to our clients. We are inflexible to a fault, incompetent, ridiculously expensive, and totally unequipped to build or support anything that falls outside of our standard cookie-cutter designs. We are also supposedly one of the more "innovative" telcos...

For those of you who have also worked for telecom giants - or who are used to dealing with them as MSPs and/or VARs (not just as circuit providers) what is your opinion on this? Can a telecom/network service provider actually deliver good managed services?

Sidenote: I heard NTT acquired Dimension Data a few years ago, who from everything I've read was a solid MSP. If any of you have worked with them, I'm curious how this has affected their managed services practice. Do they offer a solid solution, or just a shitty telco version of managed services?



Anyone use CSR100v on White box hardware ?

Curious if anyone has used CSR100v on white box hardware such as stuff from Edge Core networks?

If so, what has the experience been like, and what is a typical cost for, say, a 500mg or 1gig traffic license?



A brain-busting routing question

Let's say I have three routers, and each router has its own route to the Internet.

R1 --- Internet | R2 --- Internet | R3 --- Internet 

I can set up OSPF so each router knows the best path to any destination on this routed network. However, I need a way for some traffic on R1 to reach the Internet when using R3 as the gateway. Normal L3 routing makes it easy to use R2 as a gateway, so don't think about that. However, without an L2 network to help, there's no way for R2 to tell between traffic destined toward it and then the Internet, and traffic going to R3 and then to the Internet. Is there a way to do this? I thought of a couple of methods:

1. L2TP VPN. This would technically work, but is a nightmare to set up because it has to be done for every single multi-router link, and in my network, that's a lot of links.

2. MPLS. This could actually work better, but some kind of setup still has to be done on every link and I don't know how to do it. I need a simple setup where R2 would look at the MPLS packet and immediately know that this packet isn't intended for it, so it uses regular IP routing to send the packet to the destination, and only uses MPLS to see if it should take that packet and send it to the Internet using its own gateway.

I would want to do this in order to set up a kind of load balancing for R1, so if I had a mesh network, I could take advantage of multiple routes to the Internet and have it dynamically recover from link losses with OSPF.



Software

Good afternoon, colleagues. I want to ask you what software do you use for accounting of optical connections, especially xPON. At my work, nothing better than Visio has been invented. I had to write my own software to automate the naming of fibers, but it is still in the process.



Best setup for a LAN w/o internet access

Hello,

I am setting up a small office LAN which will not be connected to the internet. It will consist of <10 workstations, 3 printers, and a NAS.

I don't see the need for a router, and am planning on using a switch like the Ubiquiti Switch 24 to tie it all together.

I can either a) build a DHCP server, b) set static IPs on all devices, or c) use local link IPs.

I don't want to do a) because I want to keep this as lightweight as possible. There will not be a LAN admin onsite and I just want it to work.

B) is OK but I don't know what printers will be purchased yet so I don't know if I will have the option of setting the static IPs on the printers or not...is it very common to have that option?

Will C) work with printers and NAS, allowing filesharing and printing automatically from all workstations?

What are your thoughts on this? Do you see any problems I will run into? Thanks!



Fiber WAN is coming and problems too

After many years using an old TP-Link TL-R470T+ to combine 2 slow WAN links (DSL + 4G), our office (5 users) will receive 2 fiber WAN links in a few weeks. To have gigabit WAN and LAN interfaces instead of the 100Mbps of the TL-R470T+, I need to change it. I'd like to get a load balancing router with 3 WAN slots (the 2 fiber links and the 4G as failover); I was looking for the TL-ER5120 but it is out of stock in my country.

Do you have any advice for a router that will do the job?

Thanks for your advice.



Connecting to a network 5km away!

Hello, I am living in the boonies with really bad internet and I would like to fix that! A relative of mine is willing to share his internet but I have no idea what to do. I do see that Ubiquiti's LiteBeam and PowerBeam are the way to go!

I'd also like to ask how well this would work to get internet to my place. I play competitive shooters and I am also trying to find a job. Help is greatly appreciated! 😃



Should I use cat6, 7, 8 (or something else) ethernet cable?

I’m trying to turn an old router into a WiFi extender. I’ve been told an Ethernet cable is the way to do that.

But when I went to look on amazon, loads of different options came up. I didn’t even know cat 7 or 8 was a thing. And to be honest I don’t understand what the difference between cat 6 and 6a is.

So would it make a difference if I got cat 6 vs cat 8 cable or anything else I might be forgetting?

If it matters, I have DSL for internet.



Friday, June 4, 2021

Can I connect my computer to one router through Ethernet, and another router through WiFi?

I need a dedicated WiFi router to connect my Oculus Quest to my PC. Can I get internet through one router over Ethernet and connect my computer to a separate offline router to Air Link with my Oculus Quest?



Shared Port DIA?

You know a DIA is both a "loop" and a "port" combination to get the total solution and solution cost.

Someone just asked me if SPs can offer let's say 3 loops at the cost of only the loop and then connect them all to a single "port". Effectively sharing a DIA port with multiple locations.

First of all, is this even a real thing? If it is, what's it called exactly and who offers it? The guy thought Cogent offered it but I cannot find a data sheet, etc about anything of the sort.

Thanks!



Help with what to do with career planning and next steps

Hello all, I'm wondering if you guys would be able to help with what I should do with career planning. I have an associate's as of right now for network design and administration and am working on my bachelor's in information technology. I have my CCNA, Security+, a retired Windows Server cert that I got with my degree, and a secret clearance. My work experience is working at my community college as a lab assistant who helped users with basic issues and did some basic hardware installs. Then 4 years in data center hardware maintenance, which was swapping hard drives, racking and stacking routers, switches, etc. and running and replacing fiber and copper cables. I have a few months as a network ops person but was put into help desk instead so didn't really get anywhere with that. Currently I'm at a job for the last 4 months doing face to face user support dealing with Office 365, installing/troubleshooting PCs, and basic software issues; it feels like almost tier 1.5 support. I don't really like that position but don't know how to leverage myself into a better position because currently I'm making 25 an hour and don't know how to best move to a better paid or same paying position.

TLDR: No idea how to leverage my experience into a better job and just looking for help.



For those Multicast experts out there.

What is best to use, Multicast Anycast-RP or Auto-RP? And why?



Trouble configuring PIM-SM Auto-RP on GNS3

Hello everyone, I am studying multicast, and trying to make Auto-RP work on GNS3. I have tried different IOSv images.

I have configured the RP candidates with:

ip pim send-rp-announce lo0 scope 10 interval 5

and the mapping agent with:

ip pim send-rp-disco lo0 scope 10 interval 5

My problem is that both the RP announcements (224.0.1.39) and the RP mapping (224.0.1.40) get only to the directly connected routers and are not forwarded. I checked with Wireshark; the TTL is 10 for both packets. So why aren't the routers forwarding 224.0.1.39 and 224.0.1.40 packets, while other multicast traffic is forwarded? Is it a GNS3 bug?
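An added configuration example (not from the original post) for the usual cause of exactly this symptom: on interfaces running only `ip pim sparse-mode`, a router has no RP for 224.0.1.39/224.0.1.40 and so will accept the announcements from a directly connected neighbour but never forward them; `ip pim autorp listener` makes every router flood just those two groups in dense mode. Interface names and which router is candidate RP versus mapping agent are assumptions for the example.

```cisco
! Added example, not the original poster's configuration.
! Apply on EVERY router in the multicast domain, not only the RP and mapping agent.
ip multicast-routing
! Flood the two Auto-RP control groups in dense mode even though every
! interface is sparse-mode; the alternative is "ip pim sparse-dense-mode"
! on each interface, which dense-floods any group that has no RP.
ip pim autorp listener
!
interface GigabitEthernet0/0
 ip pim sparse-mode
!
interface GigabitEthernet0/1
 ip pim sparse-mode
!
! Candidate RP (same command as in the post, full keyword spelled out).
! "scope 10" sets the TTL of the announcements, it is not a hop limit on
! forwarding by itself.
ip pim send-rp-announce Loopback0 scope 10 interval 5
!
! Mapping agent, on the router chosen for that role.
ip pim send-rp-discovery Loopback0 scope 10 interval 5
```

Verify on a router that is not adjacent to the RP with `show ip pim rp mapping`, which should now list the RP learned via Auto-RP, and `show ip mroute 224.0.1.39`, which shows the dense-mode entry for the announcement group.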



Choosing networking equipment

I know it’s common to outsource equipment selection to VARs, but there are jobs that require network engineers/architects to choose the right product for the use case and be able to justify the choice.

How does one go about learning to compare and contrast different platforms? This can apply to campus vs data center networks, and different data center environments, such as HPC, VXLAN, and VMware chassis.



Core Switch Suggestions

Hey there,

I'm starting to plan to decommission a really old Cisco Catalyst switch we use in our core and want to replace it with two switches for some redundancy.

There's nothing really complicated with our current setup, there's some VLAN SVIs, ACLs, DNS load balancing, Route Maps and some OSPF. Our border router (Another catalyst) takes care of BGP and upstream routing (We might want to condense these two units into a couple smaller, higher powered switches). We have between 1-4G of sustained traffic in either direction at the edge and internal traffic contained within the datacenter like iSCSI, client backup jobs etc.

I was getting excited and looking at the white box switches on FS along with Cumulus to see if these would be a cost effective replacement. But after Broadcom cut SDK access because Nvidia owns Mellanox, I'm not really wanting to go this direction as I was considering this as a way to save on costs and to not be vendor locked on hardware.

My question is, are there other reliable NOS I can use on these white box switches or am I better off trying to go with something like Arista? If I'm better off going with a specific vendor, what are your recommendations?

Price is a bit of a concern which is why I was going down the white box rabbit hole earlier.



Question about Aruba InstantOn APs

Starting with an existing router and a single Aruba InstantOn AP that is connected to the router via Ethernet, I am considering a second InstantOn AP. Does the second AP also have to be Ethernet connected to the router or can it pick up its Internet access from the first AP? No PowerOverEthernet, all devices will be powered the old fashioned way. Thanks.



SBC Migration Advice

New to company. They have 8 old physical SBCs/media gateways, heaps of legacy VOIP phones. Upgrading to 2 virtual SBCs at our internal data centres with the plan of migrating to Teams Direct Routing. What are the networking considerations I need to be aware of when migrating, before moving to Teams? I’m worried it won’t be a simple change of ‘point the old SBCs to the new ones’. We are still in the process of pulling the old SBCs configuration to see what is coming in and what is going out. Most of my experience is in SIP so all this legacy equipment and PBXs are hard to wrap my head around.

Any advice?



Cisco ASA Firepower FTD VPN to Azure (VTI Route Based)

I'm trying to configure an IPsec VPN to Azure using Firepower FTD (configuring with FDM, not FMC). I'm using the VTI tunnel option. FTD is running 6.7 so apparently it is supported. After lots of tinkering I'm only able to get Phase 1 up but not Phase 2. The debug doesn't show anything useful.

If I switch to policy based (on Azure and FDM sides) using the same proposals the VPN comes up.

Has anybody ever successfully set up a VTI VPN to Azure with FTD? It seems like a bug or something not supported. I'm using IKEv2.

Any feedback appreciated.

Thanks



Getting static routes to redistribute in EIGRP?

Hello,

I am trying to get the EIGRP on my L3 switch to propagate some static routes on said switch through the network.

The L3 Switch has an attached FTD device running Anyconnect. The routes I want distributed are the subnets VPN connected clients are put into.

Switch Info:

Switch Ports Model              SW Version    SW Image
------ ----- -----              ----------    --------
     1    54 WS-C3560X-48P      12.2(55)SE8   C3560E-UNIVERSALK9-M

Unfortunately this cannot change right now. There is no maintenance time and the site is remote. It cannot go down as the entire business there is cloud based.

EIGRP Configuration:

router eigrp 100
 network 10.10.0.0 0.0.255.255
 network 172.16.0.0 0.15.255.255
 network 192.168.0.0 0.0.255.255
 offset-list EIGRP-OFFSET in 100000 Vlan253
 offset-list EIGRP-OFFSET out 100000 Vlan253
 passive-interface default
 no passive-interface Vlan252
 no passive-interface Vlan253
 no passive-interface Vlan254
 no passive-interface Vlan255
 eigrp stub connected summary

Vlan 252 and 253 are the adjacent routers that are not receiving the routes as I would wish.

The subnets I'm trying to get distributed are:

10.10.200.0/24
10.10.220.0/24

I added them both as static routes pointing back to the FTD on the L3 switch.

I've tried this two different ways I've seen done in the past. Admittedly I don't know a lot about routing, so please forgive me if I don't include everything.

I started trying to create a Standard ACL to list the subnets:

Standard IP access list 33
    10 permit 10.10.200.0, wildcard bits 0.0.0.255
    20 permit 10.10.220.0, wildcard bits 0.0.0.255

Ok then in my mind, next step:

route-map VPN-POOLS permit 10
 match ip address 33

And finally after it's mapped?

router eigrp 100
 redistribute static route-map VPN-POOLS

I got no routes on the adjacent devices doing this, so I went back and redid it but used a prefix-list instead of the standard ACL, hoping that would make a difference.

ip prefix-list VPN-POOLS seq 10 permit 10.10.200.0/24
ip prefix-list VPN-POOLS seq 20 permit 10.10.220.0/24

Then again with the route map:

route-map PERMIT-VPN-STATIC permit 10
 match ip address prefix-list VPN-POOLS
route-map PERMIT-VPN-STATIC deny 20

Then re-add it:

redistribute static route-map PERMIT-VPN-STATIC 

Still did not see the routes on the adjacent routers. Like I said, I don't know a whole lot about routing. In my mind this is to keep the default route from that core switch traveling across the network by just redistributing all statics. Hence the route maps?

Is the stub connected command preventing these routes from getting learned in spite of my exercise here? I believe this is needed as it's included at all remote sites like this. Any help would be appreciated thank you.
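An added configuration example (not from the original post) that keeps the poster's prefix-list and route-map and changes only the stub line: an EIGRP stub router advertises only the route classes named on its `eigrp stub` line, so `eigrp stub connected summary` never advertises redistributed statics to the Vlan252/Vlan253 neighbours no matter how the route-map is written. Adding the `static` keyword allows statics that are redistributed with `redistribute static`, while the route-map still keeps every other static, the default route included, out of EIGRP.

```cisco
! Added example, not the original poster's configuration.
! Only the two AnyConnect pool subnets are allowed into EIGRP; the
! explicit deny 20 drops every other static, including 0.0.0.0/0.
ip prefix-list VPN-POOLS seq 10 permit 10.10.200.0/24
ip prefix-list VPN-POOLS seq 20 permit 10.10.220.0/24
!
route-map PERMIT-VPN-STATIC permit 10
 match ip address prefix-list VPN-POOLS
route-map PERMIT-VPN-STATIC deny 20
!
router eigrp 100
 redistribute static route-map PERMIT-VPN-STATIC
 ! Re-entering the stub line replaces the previous one. "static" lets the
 ! redistributed statics be advertised; without it the stub router keeps
 ! them to itself even though the route-map permits them.
 eigrp stub connected summary static
```

On a Vlan252/Vlan253 neighbour, `show ip route eigrp` should then list 10.10.200.0/24 and 10.10.220.0/24 as external EIGRP routes (D EX, administrative distance 170), and `show ip route 0.0.0.0` on that neighbour should still not show a default learned from the core switch.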



WiFi scanner and Spectrum Analyzer for iOS/mobile? Something less eye-watering than Ekahau.

I'm trying to find a good middle ground between some Raspberry Pi based hack-together-yourself solutions, and laying out $4,000 + $1,200/yr for an Ekahau.

Metageek has their Wi-Spy Air for $800, or the Oscium WiPry for $650. Does anyone have direct experience with them, or something else in the price range that might be comparable?



Vendor Routing subnet?

Our need to support "Secure Vendor Comms" (and house their devices because "Our flavor of VPN is sooo special that you need to buy our direct sourced Cisco/Fortigate/SonicWall/Netgate device at highly inflated cost so the magic packets don't fall out!") is growing substantially, and is leading to a rethink on how our network is organized.

Currently we have 3 main subnets - Servers/Routers, Users, Wifi. A few more for direct vendor access equipment, but that's not important. Generally the vendor comms are done through static routes on 1 or 2 servers that require it, but recently we have added some as general routes for all servers/PCs as required.

One vendor in particular is getting really bent out of shape that the device they forced us to implement isn't our primary gateway for all internal networks. They're clearly used to being the only vendor for very small shops. They have somewhat founded concerns about ICMP redirects.

So - am I off base to think about implementing a subnet just for these vendor supplied routers? How is this handled elsewhere?



Thinking of a career change

I work as a Lead Network Engineer/Sys admin for a good sized school district with 100+ sites over a 70 mile radius, supporting about 150k users (teachers and students) with the help of 11 other network engineers under me. We are a 1:1 district, so all users have devices they take home, plus whatever BYOD device they want to connect to the network. I also maintain two datacenters with the help of a vendor that provides managed services for the very difficult stuff and/or the stuff that me and my 11 staff don't have the manpower to maintain. Long story short, with the much heavier reliance on networks during the pandemic, my job has become much, much more difficult, without any additional staff or pay. They've started requiring us to work evenings, weekends and other requests not commonly found in a school district. They also do not allow work from home, except for weekend monitoring.

I've been doing this since college, I'm about 15 years into my career, so at this point, is it worth it? The school system has good benefits and a great pension, plus training opportunities, but the pay isn't so great. I'm making low 80's for salary. I'm told by others in the private sector the work and hours are lighter in the school district, but I'm having a hard time seeing it, especially now. They want us to start providing 12 hour a day, 6 days a week coverage, whilst simultaneously cutting vendor services by 20%, with no raise or additional staff. Has anyone here done the transition from public to private sector or vice versa? What do you recommend? What sort of pitfalls or issues? Should I stay put?



Help!

So, I'm teaching a Systems Admin course to a bunch of people that don't know anything about computers. One thing that's important (critical) is that they understand how machines communicate with each other. That involves teaching them (lightly) about the functions of switching/routing and why it's important. We are working with an extremely limited budget (government) and any effort to use actual devices has been shot down.

Presently, I am using foam blocks and skewers to represent clients, servers, switches, routers, etc. As the networks get more complex, so does the modeling, and it quickly loses effectiveness.

What I REALLY want is model sized network equipment (non-functional, of course). Mini servers, mini switches, mini routers, mini racks, mini network cables... blah blah. To the point where we can table-top build a network. Do any of you know of anything like that?

I have googled my ass off and come up dry.



Is there a reason to NOT use the same subnets across multiple sites? Including the WLAN Connection?

I have two restaurants, and to make things easier, I'd like the network in the second restaurant to match in both SSIDs and subnets. In my mind it's easier to troubleshoot. Is there anything to consider before I roll that out?

Subnets include:

  • native IP for the firewall

  • point of sale

  • audio

  • VOIP



Creating a new Vlan took down my switch stack

We were trying to add a new VLAN to all of our switch stacks (we have about 8 stacks) and everything was going fine until we got to one stack of Cisco 3850s running IOS-XE version 16.3.6. Once the VLAN was added (simply conf t, vlan 60, name VDI, end) the stack started acting very strange: show run would lock up the session, any commands referencing VLANs would also lock up the session, and eventually (about 15-20 minutes later) the stack dropped all connections, and we were forced to reboot the stack. I have been unable to find anything online as to others running into a similar issue as this, but this is also not the first time this has happened to this stack (vlan 110 was the other incident). Does anyone have any clues as to what might be causing this to occur? (edit) We have done all of the troubleshooting that we know how to do to try and discover why this occurred; we did notice a spike in CPU usage just prior to the crash, but were unable to determine what caused it.



SD WAN

If I implement SD-WAN, can I replace the existing branch office MPLS WAN connection to Internet? I'm still trying to understand SD-WAN; I hear people saying SD-WAN is replacing MPLS. Does that mean I don't need a dedicated MPLS connection for my branch offices or data center?



Need to replace HP Procurve with fiber transceiver

I am a small business IT consultant that needs a little guidance as we usually don't do a ton of work with fiber lines or fiber infrastructure. I have a network with an HP Procurve 2324 J4818A that has a 100-FX SC fiber transceiver on it (J4853A). The switch and transceiver are both limited at 10/100.

How would I go about upgrading this to something with gigabit capability? Would I just need to get a gigabit switch with SFP ports and buy a fiber module for it? Any specific type of fiber module? I need to make sure that it will be compatible as this type of fiber connection is a bit before my time.

Based off my initial assumptions, I was looking at these two devices:

https://www.newegg.com/netgear-gs724tp-200nas-24-x-rj45-2-x-sfp/p/N82E16833122950?Item=N82E16833122950&Description=24%20port%20switch&cm_re=24_port%20switch-_-33-122-950-_-Product

https://www.newegg.com/tp-link-tl-sm311lm/p/N82E16833704109?Item=N82E16833704109&Description=sfp&cm_re=sfp-_-33-704-109-_-Product

Would these work?

Thanks in advance for any responses.



What is an IP hit / VLAN hit?

I am in the ISP space and we provide layer 2 circuits over metro Ethernet for our customers. Oftentimes we have customers that report an IP hit or a VLAN hit. Can anyone explain what that means?

A Google search returns nothing helpful. From what I understand, an IP or VLAN hit is when a customer experiences very short brief bounces over a reported period of time.

Is this correct? Can anyone elaborate?



crypto pki trustpoint TP-self-signed-2219518117

Hello guys, I'm trying to move a configuration from a 1900 OOB to a 2900 and when doing so I found this chunk of commands and I don't understand what it is and if I should copy it into my new config:

crypto pki trustpoint TP-self-signed-2219518117
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2219518117
 revocation-check none
 rsakeypair TP-self-signed-2219518117
!
!
crypto pki certificate chain TP-self-signed-2219518117
 certificate self-signed 01


license udi pid CISCO1921/K9 sn FTX1816859



User authentication across internet for remote devices

We took on a customer who requires 2FA for us to login to their network via Anyconnect. Not an issue.

For that to work though we have had to build a completely separate Windows AD server and assign it a public IP address in order for the customer to carry out first factor authentication. They insisted it be on our architecture/services rather than theirs so it is fully managed by us. This public facing server is sat in a DMZ with ACLs limiting what public addresses can access the service, and is not domain joined.

This obviously is not ideal for many reasons: AD isn't designed for internet use in this way primarily, but it also means that the limited number of people using this extra box have to remember two (usually) different passwords.

Are there any suggestions as to how to improve this setup - ideally without having AD on the internet?

Tia



Juniper VCF best practices.

Hello,

Is anyone using Juniper VCF technology in a production environment?

We have deployed this technology on QFX5110 + QFX5100 switches, but we are seeing some oddities in the performance of the switches, such as dropping traffic, VCP not working, etc. We installed the 17.4R2-S12.4 version of Junos.

I would like to hear from you gentlemen feedback and opinions about this technology.



BLE SSID

Can BLE, which is now on most access points, be used as a Bluetooth network for devices to connect to? I understand it is mainly used for location services etc., but is it possible to use it as a way to connect devices out of range of each other through the BLE access points?



Cisco "show this" command?

Huawei network gear has a useful command, "display this". When you are in system-view (Cisco's "config term"), let's assume you enter "interface g0/0/1" and then you input "display this". You can see the commands under that interface (and it is valid in any submenu; interface is just an example). I have an example below:

Running config:

[-------omitted-----]
set cpu-usage threshold 80 restore 75
#
aaa
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
[-------omitted-----]

CLI:

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]interface g0/0/0
[Huawei-GigabitEthernet0/0/0]display this
[V200R003C00]
#
interface GigabitEthernet0/0/0
 ip address 10.0.0.1 255.255.255.0
#
return

Does Cisco have something similar?

The point is, when configuring the device, before I do any change, I want to take a look at the config on that submenu.



Cisco Port LEDs blinking in unison

Hi,

Perhaps someone might have an idea to push me in the right direction.
On each of my Cisco SG350X switch stacks, all active ports of one particular VLAN are blinking rapidly in unison; the first thing that comes to mind is a loop or a storm.

But I don't have any performance problems; STP is not blocking ports, nor do I see anything suspicious in the switch logs.

Wireshark shows a lot of ARP requests, but we're talking 1-2 per second, although a lot of ARP requests are asking repeatedly for the same IP without getting an answer; but that doesn't seem wrong, especially since the requests are coming from domain controllers and Nagios.

No large multicasts or broadcasts either, and it is definitely not a unicast storm (since I already experienced one of those, due to an STP misconfiguration by an MSP).

Re-checked all LACP LAGs and bondings, all seem fine.

Interface usage is also low.
No error counters either.

I see myself left with two things to try:

  • Enable loopback control, and I'm not sure if this will break something

  • Unplug cables one by one, until it goes away

Has anyone had a similar experience? Could the LED indication be normal on the SG350 series?
Any help is much appreciated.



Thursday, June 3, 2021

Brocade ICX MSTP setup

Hey all, long time listener, first time caller.

I recently took on a job as network admin at a Brocade-only shop, while I come from Cisco-land. I'm figuring out the different method of VLANing, but the way MSTP is set up is still confusing. I understand how it's set up: it's started, scope defined, with the region name, revision, etc. What I find confusing is that each VLAN has 'no span' in the config. I've asked several times, and all I get here is "that's how we set it up".

From the documentation I can find on Ruckus/CommScope/whatever sites, it appears that command disables 802.1w for the VLAN (one guide says it disables spanning-tree entirely). MSTP is running on the switches for sure. I've checked a couple, and while they've sent millions of BPDUs, they've never received any.

Anyone have insight into MSTP on these Brocades? Is 'no spanning-tree' disabling part of MSTP I'm missing, or is it just an odd redundancy?

I'm gonna see if I can set up a handful of switches on my desk the next few days and see for myself, but if there's an expert or two here, I'd love to hear from ya. Thanks!



AWS: IPsec VPN tunnel through VPC peering connection

Is it possible to build an IPsec tunnel between two VPN devices in separate but peered VPCs, on top of or through the VPC peering connection? The peering connection would basically be the underlay path.



Rough estimate of packet collision frequency in TCP

I know this question probably doesn't make a lot of sense since it depends on a number of factors, but I was curious to know a very rough estimate (or at least order of magnitude) of how often TCP packets collide in the "wild" internet. Let's imagine I am just browsing the web for one hour and using a cabled connection. How many packets during that hour will collide and have to be resent? Are we talking about 0.001% or 10%? Is there a paper or article expanding on this? And to expand, how many packets will fail to reach the destination on the first try for whatever reason?

Thanks.



Podcasts/Audio Books to listen to at work?

For someone new to Networking, is there anything I can listen to while I’m at work that starts at the beginning?

I know this isn’t the most efficient way to learn, but I just want to take in any extra information I can.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



VOIP- ICMP Policing?

Hello,

So just some background, I’m fairly new to the VOIP world and networking world in general so I apologize in advance if I say anything stupid. But onto my question:

I’ve taken traceroutes from a cloud hosted VOIP server to a local network to determine audio issues and I’ve often seen hops that sometimes have 80% constant packet loss. I’ve been told by my superior this is not accurate and it’s something called “ICMP policing”, and if there’s ICMP policing you won’t be able to tell the true packet loss on that node, if there even is any. This seems accurate as I’ve seen this on systems where audio quality is perfect even though some node is showing that same level of packet loss. When I search online I can’t find anything about ICMP policing, what it actually is, or why it results in a seemingly huge level of packet loss.

Can anyone explain this to me? Is there any way to get an accurate measure of nodes that have ICMP policing? Is there any way to tell if a node is for sure ICMP policing or true packet loss?

Thanks in advance for any guidance
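As an added example (not from the post above), the heuristic usually applied to this situation in code: a hop that reports heavy loss while every hop after it is clean did forward the probes, so only its own ICMP replies were rate limited; loss that persists on all following hops (and at the destination) is real. The mtr-style report below is constructed sample data, not a real capture.

```python
"""Separate ICMP rate limiting at an intermediate hop from real packet loss.

Input is an mtr-style report. The per-hop loss column reports how many of the
hop's own ICMP Time Exceeded replies came back; a router that rate limits
those replies looks lossy even though it forwards transit traffic fine.
"""
import re
from dataclasses import dataclass

# Constructed sample report (hypothetical addresses, not a real trace).
SAMPLE_REPORT = """\
HOST: voip-gw                Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1             0.0%   100    0.4   0.5   0.3   1.1   0.1
  2.|-- 198.51.100.9         80.0%   100   12.1  12.3  11.9  13.0   0.2
  3.|-- 198.51.100.17         0.0%   100   12.8  12.9  12.5  14.2   0.3
  4.|-- 203.0.113.5           5.0%   100   20.1  20.4  19.8  25.0   0.9
  5.|-- 203.0.113.9           6.0%   100   21.0  21.2  20.7  26.1   1.0
  6.|-- 203.0.113.77          5.0%   100   22.3  22.5  22.0  27.4   1.1
"""

HOP_RE = re.compile(r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%")


@dataclass
class Hop:
    number: int
    address: str
    loss: float


@dataclass
class Verdict:
    hop: Hop
    verdict: str  # "clean", "likely-icmp-policing" or "probable-real-loss"


def parse_report(text):
    """Pull (hop number, address, loss %) out of each mtr report line."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(int(m.group(1)), m.group(2), float(m.group(3))))
    return hops


def classify(hops, tolerance=1.0):
    """Label each hop by comparing its loss with the hops after it.

    If any later hop shows clearly less loss, probes made it through this
    hop, so the loss shown here is the hop dropping its own replies.
    """
    verdicts = []
    for i, hop in enumerate(hops):
        downstream = [h.loss for h in hops[i + 1:]]
        if hop.loss <= tolerance:
            label = "clean"
        elif downstream and min(downstream) < hop.loss - tolerance:
            label = "likely-icmp-policing"
        else:
            label = "probable-real-loss"  # carried by every later hop
        verdicts.append(Verdict(hop, label))
    return verdicts


def end_to_end_loss(hops):
    """Only the final hop's loss reflects what the destination experiences."""
    return hops[-1].loss if hops else 0.0


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for v in classify(parsed):
        print(f"hop {v.hop.number:2d} {v.hop.address:15s} {v.hop.loss:5.1f}%  {v.verdict}")
    print(f"end-to-end loss: {end_to_end_loss(parsed)}%")
```

To check a real path, run mtr in report mode for a few hundred probes and feed its output to parse_report; the end-to-end figure is the one that matters for audio.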



Wireless Roaming Understanding Help

Trying to understand something. I'm reading something that says if DHCP renews during wireless roaming it can cause a problem. I understand that it could be a problem, but I don't understand how it could happen. So say I have a WLC in a DC, and 10 lightweight APs in a building for argument's sake. I go in the building with my laptop and join SSID X. On my controller I have an interface that relates to SSID X, with an IP address bound to VLAN 10 (for argument's sake). Now, the intention is to roam around the building, staying on SSID X. So I go from AP1 to AP2 staying on SSID X. Since I moved from AP1 to AP2, the subnet hasn't changed; since I've not changed SSID, I'm still on VLAN 10 (and there is 0% chance that will ever change). So like, how can DHCP ever renew during roaming, since 99.9% of human people don't switch SSID every time they roam, you will never leave your subnet. What am I missing?



QSFP+ to SFP+ Dark Fiber

Hi - our datacenter is giving us a dark fiber pair to connect two racks. They will be LC handoffs.

The problem is, we have Cisco Nexus on one side with 40/100 QSFP+ ports and Cisco 550X on the other with 10Gbps SFP+.

Can I use a 40Gbps QSFP+ LC transceiver on the Nexus side and connect it to a 10Gbps LC transceiver on the SFP+ side, and have it communicate at 10Gbps?



(How to) Disable Amazon Sidewalk via router/firewall?

I've been reading up on Amazon Sidewalk, which is going to be automatically enabled on all Amazon devices within the next week unless it is manually opted out. This is done via the Amazon Alexa app.

I'm wanting to know if there is any way that this can be blocked at the router/firewall level instead of relying on the end user to disable it on their device themselves. A quick Google search didn't turn up any results on how to do this.

Not only is there no way for myself, or any network admin for that matter, to verify that the service has been disabled on the customer's device, but even if said customer claims they have disabled it there's a chance they didn't do it correctly or at all, essentially putting the security of the entire network at risk.

The security of the network is my job, and putting the security of the network in the end users' hands doesn't constitute safe for me.

Any help or advice on how to disable this service network wide would be much appreciated. Thanks!

Source (Disable Amazon Sidewalk)

Source: (Amazon customers given one week to opt out of mass wireless sharing)



FS switches

I'm tempted to try out a couple of FS switches in a lab to see if they are decent or not. But I don't even want to bother if others have already done so. I can't even find what the CLI is like and whether I could manage them with IMC or similar.

Anyone had any experience with them? We are an Aruba house right now and obviously we would be losing out on lots of support.... but an L3 switch with 20 10G SFP+ ports for under $2000 is kind of hard to ignore haha.



Help with Ubiquiti Wireless

Hello,

Wanted to see if someone with more experience than me can help me or point to what I'm doing wrong. I'm fairly new to this hardware/OS platform so pardon my noob questions...

Here is the info on hardware I'm using:

  • 2 Ubiquiti UAP-AC-Pro
  • 4 Ubiquiti UAP-LRv2
  • 1 Ubiquiti Controller Version 6.2.25 installed on a PC (all APs have been adopted and are broadcasting)

What my intent is (to which I'm not having much luck) is to create 3 SSIDs at the office I work at.

  • 1 network would be for internal office users with internet access
  • 1 for guest access with internet access and bandwidth throttled to 20Mbps
  • 1 for internal office devices no internet access

Only office Users wi-fi and Internal office devices can see each other whereas the guest Wi-Fi does not see the internal network or other SSID devices.

Things I've done to this point:

  • I have created the 3 intended SSIDs and they are broadcasting (2 wi-fi and 1 hot-spot)
  • I have created 3 different networks with their corresponding subnets
  • On the guest Wi-Fi (hot-spot network) when I try to isolate with appropriate settings, this network can no longer access the internet if I enter any subnet on the "restricted Authorization Access" on the Network Isolation option

My question is, how do I accomplish these settings, where the guest Wi-Fi can still access the internet but cannot see the Office SSID or any internal physical network? Basically a straight path to the internet.

I've poked every setting there could be and I'm not finding any settings that would isolate one network the way I'm looking to do.

Thanks in advance



New home - all blue and white/blue cat5 cables are connected together?

Trying to get the wall cat5 ports working. I'm thinking of just making the ends and putting a switch in there, but not sure what wire color code was used.



Can't ping default gateway or any device on the LAN, but can go online and receive pings (not a firewall issue)

Hi everyone

At work we just had a new employee arrive and I set her up with a laptop. I installed all the apps she needed, but when I got to installing her printer over the network it didn't work.

Tried adding the same printer on my own laptop (and one other) as a test and it worked.

It turns out this laptop I got her (not new, been in our server room laying around for a year or so) cannot ping anything. Not its own default gateway, not any printer or any other host. It also cannot connect to our OpenVPN server. It is connected to the same access point as everyone else.

This laptop can also receive pings (and it replies to them) from any other hosts, and can ping the loopback address.

Another very strange thing is that when I tried disconnecting it from our network, then connected it to a hotspot I made off my phone, and then reconnected it back to our network, everything worked again for 20 seconds or so and I could again ping anything on the network.

This is not a firewall issue since I'm looking at the rules and there are no block rules set within the VLANs, only for the WAN interface (and those are just to block bogon/private addresses).

I am honestly completely stumped as to what is happening

The only suggestion I could give to her was to complete the Windows update that has probably been pending for a while since it has last been used. Could this be the issue? She will do the update overnight so it does not interrupt her work.

In the meantime, if anyone has any suggestions I welcome them.

Thanks so much everyone!



Discussion: Digital electricity.

I have recently discovered a new trend in the industry called digital electricity. It is basically a "revolutionary" technology that can utilize electricity smarter than the current setup. The traditional electric sockets have been described as "trying to fill a glass of water with a fire hose". They claim that this is the reason why our laptop power supplies are heating up. Every electrical device requires different power requirements and the excess energy is being wasted in the form of heat, damaged electronics and humming noise.

It seems to me that they are trying to make every socket PoE with the receiver negotiating power requirements at a constant rate.

Has anyone worked with this before?



Advanced network masks

Hello Redditors

I'm sitting here with bit of a challenge and need your input.

I have a Cisco ASA firewall with this object NAS_10.32.1.64 and it is made with these properties.

IP: 10.32.1.64 Netmask: 255.224.1.254

As far as I understand it this object will contain this range of hosts: 10.32.1.65 - 10.32.1.66 10.33.1.65 - 10.33.1.66 10.34.1.65 - 10.34.1.66 10.35.1.65 - 10.35.1.66 and so on....

Agreed or am I wrong?

Bonus: This works and I didn't make it.
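As an added example (not from the post above), a script that evaluates an address/mask pair the way the firewall does, as a bitwise AND, and enumerates exactly which hosts a non-contiguous mask such as 255.224.1.254 covers. Each octet contributes its own fixed bits independently, and the zero bits are free, so the result is not a contiguous range. The object values are the ones from the post; nothing else is assumed.

```python
"""Membership test and expansion for an address + non-contiguous netmask.

A mask whose set bits are not all leading (255.224.1.254) is not a prefix
length. The firewall still matches it bit by bit: a candidate belongs to the
object when (candidate AND mask) == (object AND mask).
"""
from itertools import product

# Values from the post: the ASA object and its mask.
OBJECT_ADDR = "10.32.1.64"
OBJECT_MASK = "255.224.1.254"


def to_int(dotted):
    """Dotted quad -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def matches(candidate, obj_addr=OBJECT_ADDR, mask=OBJECT_MASK):
    """True when every bit the mask cares about agrees with the object."""
    m = to_int(mask)
    return (to_int(candidate) & m) == (to_int(obj_addr) & m)


def octet_values(obj_octet, mask_octet):
    """All values of one octet that satisfy the mask bits for that octet."""
    return [v for v in range(256) if (v & mask_octet) == (obj_octet & mask_octet)]


def expand(obj_addr=OBJECT_ADDR, mask=OBJECT_MASK):
    """Yield every matching address, octet by octet (cartesian product)."""
    addr_octets = [int(o) for o in obj_addr.split(".")]
    mask_octets = [int(o) for o in mask.split(".")]
    choices = [octet_values(a, m) for a, m in zip(addr_octets, mask_octets)]
    for combo in product(*choices):
        yield ".".join(str(o) for o in combo)


def member_count(mask=OBJECT_MASK):
    """Each zero bit in the mask doubles the number of matching addresses."""
    free_bits = 32 - bin(to_int(mask)).count("1")
    return 2 ** free_bits


if __name__ == "__main__":
    print(f"{OBJECT_ADDR} mask {OBJECT_MASK} covers {member_count()} addresses")
    for octet, (a, m) in enumerate(zip(OBJECT_ADDR.split("."), OBJECT_MASK.split(".")), 1):
        vals = octet_values(int(a), int(m))
        print(f"octet {octet}: {len(vals)} possible values, e.g. {vals[:6]}")
    for probe in ("10.32.1.65", "10.32.1.66", "10.33.1.65", "10.35.3.64", "10.64.1.64"):
        print(f"{probe:12s} -> {'match' if matches(probe) else 'no match'}")
```

Printing the full expansion is a quick way to audit what an object like this really permits before it is used in a NAT or access rule.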



Advice on replacing router and AP

Hi,

I need to replace a router and a range extender (with an AP) in my network and I need your advice and recommendations. My network currently looks like this.

Basically, the Linksys router is acting up and frequently slows down the network and needs rebooting, whilst the extender is s***y and I want to replace it with a good AP for good outside WiFi access. I am also considering placing all the smart devices in a separate VLAN, so I would need a router that supports that.

Now, for the router side, I would like more business-like equipment, but also something that doesn't cost thousands. I was considering a Ubiquiti Dream Machine Pro or maybe a TP-Link Omada. However, I am in doubt about Ubiquiti, given the way they handled the latest breach and the frequent issues with their updates breaking things. I am not totally excluding them, but if there are good alternatives to it, I would rather take them. I heard Ruckus and Fortinet are good as well, perhaps better alternatives.

Same thing for the AP side of things. I really like the Ubiquiti access points, but would prefer something else. I would also like something that supports PoE, as the place where I will keep it has limited power outlets.

It would be nice to have something SDN-oriented, like the Ubiquiti/Omada ecosystems, so they are "highly" configurable, provide statistics and so on.

So, what would you guys recommend for a good router and AP and also what would you recommend to change to my network setup?

Thanks.



Wednesday, June 2, 2021

Layer 1, 2 & 3 Presales guys- How long does it take to realistically put a quote together?

Hey reddit,

I recently started a new gig as a presales consultant. I have a background as a network analyst/engineer and Infrastructure PM. So thought it would be nice to try presales.

The issue is the CEO of this business says I'm drawing up quotes too slowly. I've always been an efficient worker so this comes as a shock.

Although the CEO is known to be quite toxic so now i'm questioning if i am slow, or if his work mentality is nothing is ever good enough.

Currently I'm drawing up a router/switch installation, WAP upgrade, and desktop push across 95 sites nationwide

- with 5 user desktops per site

- plus a major site requiring a 90 switch refresh and 400 desktop deployment

- some UAT, E-waste, staging for all network devices and desktop machines.

- account for all the logistics

It's taking me around 6-8 hours in total to draw up the quote, and totaling close to $500,000AUD.

Is 6-8 hours unreasonable? He says it should take me 3. This is a guaranteed job so I want to make sure my implementation guys don't hate my existence.

If you got some reference numbers on how long it would take to turn around 6 figure quotes with some complexities that'd be appreciated

Cheers,

Chillandnetflix



Network Security Job

Hello Everyone,

Tomorrow I have an interview for a Network Security job I applied for a while ago. I am reviewing the job description and pretty much studying/analyzing the job description and the things I would be doing if I get hired. I'm trying to get ready for any questions they would throw at me. Any thoughts, ideas, on how to prepare better for a role like this?



Specifying USA Equipment Advice

A consultant is designing a new building comms for my company. I have a chance to provide input on the desired manufacturer of racks, cable, fiber, etc. This is a little out of my area of expertise; I usually order switches, routers, servers, etc.

Mostly I want it to be good quality and made in USA, here is what I have come up with. Any advice or anything to add/remove?

Fiber: Corning, OFS, Mouser

CAT6: Corning

Racks: APC

Power Distribution: Starline Systems, APC, Phoenix



nat type clusterfuck

My NAT type changes from moderate to open. When I try to play Black Ops 2 with my friend, I can't, since my NAT went from open to moderate. Anyone know what could be causing this?



Google search leads to an auto login on reddit?

I did this search:

https://www.google.com/search?q=more+accurate+cable+lenth+test+cisco

Found this link to reddit which automatically logs me in as the user "JicamaSouthern918"

This test post is from someone else posting as JicamSouthern918 who belongs to /r/networking and is a guest in /r/announcements (I think). That's why it's being posted here. Someone with more power than I can please move it to its rightful place.

So my question is, WTF? Am I mistaken or what?

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjT0Mur9fnwAhWTFzQIHVptAGUQFjAPegQIGxAD&url=https%3A%2F%2Fwww.reddit.com%2Fr%2Fnetworking%2Fcomments%2F6932ka%2Fhow_accurate_is_the_tdr_test_in_cisco_switches%2F&usg=AOvVaw1cpa_ZSpJ02s4lqtyVPA6R



About Peer-to-Peer networks

Hi, I am a beginner and just started learning about P2P networks. I have learned that when the peers are downloading a file they help by uploading blocks to each other so the file will be downloaded faster. So the question is, does the upload rate of the server when uploading the file to the internet play a role in this? Will it affect the speed of the peers in any way if it is fast or slow? And do the peers start to download the data once the server finishes uploading it, or do they start downloading and uploading to the other peers when the server starts uploading?



Suggested SDWAN Solutions

I’ll start with the usual statement: I'm not a networking guy, I'm a sysadmin that dabbles in networking from time to time. Just looking for some recommendations for a cloud managed SDWAN solution.

Currently we are running Riverbed SteelConnect's SDWAN solution in around 75 small sites. The product is terrible and is essentially dead, so we are looking at alternatives to replace it. I’ve used Meraki previously and liked it but wasn’t keen on the limited feature set and price.

Who is worth having a look at? Ease of management with decent support and a reasonable feature set. I’d started looking at Fortigate but have no experience with them.



Slow connection to shared drives

Hey everyone! I'm currently troubleshooting an issue someone in my office is having. When he tries to access the shared drives we have on our network, it's extremely slow but his internet connection is fast.

This issue isn't presenting on any of the other computers in the office. It also doesn't present when the same computer/user is connected to the network remotely through a VPN. The computer is a Win10, running version 2009.

We've tried pinging and tracerting the server from the affected computer and the numbers look very normal, there doesn't seem to be anything weird. I've checked the connections that correspond to his office in the server room and everything seems fine there as well.

Has anyone been faced with this issue? What was your solution? This is the only computer out of around 15 in this office, and the only one I'm aware of out of 500 in the company, that is presenting with this issue.

Thanks in advance.



Web Filter Recommendations

I am looking for a decent web filter product. We need to filter inside LAN users and log web traffic and tie it to their AD accounts. We also need to filter some outside guest subnets that also hit our same Internet connection via different interfaces on the ASA.

Any suggestions? I'm not sure what's out there, but I am looking for something robust. IT wants to use it for cybersecurity purposes and management wants to block inappropriate sites as well as monitor employee web activity.



Netally G2

Has anyone had any luck with off-brand SFPs for 100Mb and 1Gb SM fiber in the NetAlly G2s? NetAlly's $2500 SMF SFP is not something I want to buy if I can find the Finisar they rebranded for $200 :)

Thanks!



What is the IPSEC VPN Tunnel configuration of Cisco 1100 Series (C1100-4P)?

What is the IPSEC VPN Tunnel configuration of Cisco 1100 Series (C1100-4P)?

1) ACL

2) ISAKMP Policy (Phase 1) ISAKMP Key

3) IPSEC transform set (Phase 2)

4) Crypto Map

5) Apply the Crypto Map

Really hard to get the IPSEC configuration guideline for C1111-4P router online.

Can anyone help with this? Very, very much appreciated! And thank you very much



Meraki APs dead after lightning storm

We had a giant lightning strike nearby and lost visibility of all MR45 APs on our Meraki dashboard. We found that each PoE switch that the APs were connected to needed replacing. Some were no longer getting power, others were just malfunctioning with lights going crazy on them. We replaced the switches and out of the 12 APs, 8 came back up but 4 did not. If the switches were on power surge protectors and the surge protectors looked good (all LEDs indicated no surge), how would some APs survive and others get fried, and how would all the switches get fried if on surge protection? Can the antenna in the AP take the strike and channel the surge down to the switch it's connected to, but not make it to the surge protector?



iBGP Route Redistribution of eBGP routes

BGP Novice here, trying to figure out where I'm going wrong with this. Through poor design, I'm staring at a router with 2 virtual routers on it. One virtual router is the "Edge" vRouter when interacting with vendors, the other is for internal traffic. One of our vendors is asking to do a BGP Peering session with us. This is the first time we've been asked to do BGP on this particular router.

However, we already have iBGP running, but all it does currently is route redistribution of internal to our OSPF

Anticipated mock up:

 OSPF to rest of network [Vendor Router/AS1] -> IPSec Tunnel -> [[Edge vRouter/AS2] -> [Internal vRouter/AS2]] 

I've labbed this up already and am having trouble with the following:

  • I can get routes from Vendor Router to Edge vRouter
  • I can get routes from Edge vRouter to Vendor Router
  • I can get routes from Edge vRouter to Internal vRouter
  • I can get routes from Internal vRouter to Edge vRouter
  • I CANNOT get routes from Vendor Router to Internal Router or reverse of that
  • If I wanted to (I don't) I can get OSPF to Vendor Router and Vendor Router to OSPF

Our router is Palo Alto running PanOS 9.1.8. The only way to do vRouter to vRouter is via BGP OR using a physical interface assigned to each vRouter (all our interfaces are taken, and I don't want to add another VLAN to our switch stack for a subinterface if I can avoid it, as well as it would potentially cause a larger issue with our existing network infrastructure)

This is one of those problems where I'm sure it's been done before, but I have been unable to find the answer so far.

TIA!



Increased AnyConnect attacks?

Curious if anyone has seen a ramp up in attacks against brute forcing AnyConnect logins? Since Mid-May we are seeing large scale brute force attempts out of Russia/Cyprus against Cisco ASA/FTD running AnyConnect. I know of the recent CVE about SYSTEM level access through a vulnerable client, but it requires valid credentials which may be what they are fishing for.

Curious if anyone else has seen this behavior in their environments and if there is something big coming from Cisco. I am dreading a new zero-day that we'll frantically need to patch because Cisco finally went public after Talos saw large scale exploitation in the wild...
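As an added example (not from the post above), detection logic of the kind a defender would run over ASA syslog to surface the brute-force pattern described: rejected AAA authentications (message 113005/113015) grouped per source IP in a sliding window, with the count of distinct usernames as a spray indicator. The log lines below are constructed samples in the ASA message format, not real events, and the hostnames, addresses and usernames are made up.

```python
"""Flag sources generating bursts of rejected AnyConnect/AAA logins in ASA syslog.

Looks at %ASA-6-113005 (AAA server) and %ASA-6-113015 (local database)
"AAA user authentication Rejected" messages, keyed by the "user IP" field.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog (hypothetical hosts, addresses and usernames).
SAMPLE_LOG = """\
Jun 02 2021 14:01:00 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 198.51.100.7
Jun 02 2021 14:03:11 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.50
Jun 02 2021 14:03:14 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.50
Jun 02 2021 14:03:19 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 203.0.113.50
Jun 02 2021 14:03:25 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.50
Jun 02 2021 14:03:31 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = erin : user IP = 203.0.113.50
Jun 02 2021 14:03:40 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = frank : user IP = 203.0.113.50
Jun 02 2021 14:05:00 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 198.51.100.7
Jun 02 2021 14:05:02 asa01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jsmith
"""

TS_FORMAT = "%b %d %Y %H:%M:%S"
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-\d-1130(?:05|15): AAA user authentication Rejected.*?"
    r": user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_rejects(text):
    """Return (timestamp, source ip, username) for every rejected login."""
    events = []
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FORMAT), m["ip"], m["user"]))
    return events


def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Per source IP, find the densest window of failures at or above threshold.

    Returns {ip: {"failures": n, "distinct_users": k}}; many distinct users
    from one source is the password-spray signature, one user is a guess loop.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, {}).get("failures", 0):
                users = {u for _, u in evs[start:end + 1]}
                alerts[ip] = {"failures": count, "distinct_users": len(users)}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bursts(parse_rejects(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} rejected logins, "
              f"{info['distinct_users']} distinct users within 60s")
```

Pointing the same parser at the syslog collector's export gives the per-source list to feed a blocklist or a threat-detection rule on the ASA/FTD; two typos from one user over several minutes, as with 198.51.100.7 here, stay below the threshold.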



Cisco vs Arista cost comparison

If you have a multi-vendor environment (Cisco and Arista) then you can probably help me in getting this cost comparison. I am trying to compare the total cost of ownership for a data center switch (with 3 years of support) between these two vendors. We are a Cisco shop as far as routing and switching is concerned. I am trying to understand where Arista stands in terms of cost for a comparable DC switch. For comparison purposes we can assume a switch with 48 10GE ports and 4 40GE UL ports. Also assuming we are not including any orchestration system or other fancy management software costs. I am not looking for any detailed analysis, just a ballpark number, like whether Arista would be x percent cheaper/more expensive etc.

Thanks,



[Question] DSL help? 4-pair G.SHDSL card connecting to G.SHDSL? Wire splicing into RJ45 plug?

I'm trying to figure out DSL and there seems to be very little out there on it - specifically trying to make sense of this document: https://www.cisco.com/c/en/us/td/docs/routers/access/interfaces/software/feature/guide/GSHDSL_EFM_ATM_NIM.html#68879

If I have 2-pair copper running from a spoke to DSL hub, can I terminate (4) spokes on one hub using a NIM-4SHDSL-EA card (4 pair G.SHDSL) at the hub? Would I have to wire in 4 sets of 2-pair copper into the RJ45?



Clearing Solarwinds kiwi CatTools database

I'm currently using Kiwi CatTools 3.11 and I currently have a devices and activities list loaded, but I need to swap to another set of devices and activities. In previous versions of Kiwi CatTools all I had to do was delete the KiwiDB-CatTools.kdb and it would wipe the database and I could start fresh to import the new lists.

The newer version does not allow me to do this by deleting the database file and will just add to the existing list when I import the new list (thought it might work, you never know).

I've tried searching through the manuals and Google but I'm at a loss, does anyone know how to clear the database on 3.11 without having to re-install CatTools?

Thanks.



Juniper MX map multiple inner tags to one outer tag

I have a Juniper MX in a lab terminating pppoe sessions. I'm using s-tag/c-tag setup.

s-tag = 175

c-tag = 900

    set interfaces demux0 unit 175 vlan-tags outer 175
    set interfaces demux0 unit 175 vlan-tags inner 900
    set interfaces demux0 unit 175 demux-options underlying-interface ae10
    set interfaces demux0 unit 175 family pppoe dynamic-profile BasicPppoeProfile

This config above works fine.

How would I be able to map multiple c-tags (9xx) to one s-tag (175)? E.g. instead of just 900 I would have 900,901,902,203 etc. I've had a look around and I can see there is something called vlan-map. Not sure if I'm on the right track there. Does anybody have a working example of this?

Thanks



Weird ESXi HTTPS Issue

So we have 2 subnets behind a firewall: Production (.1) and Development (.2). We're accessing them both via an OpenVPN server in the following manner:

(1) Client connects to VPN server (192.168.1.10) with NAT'd IP address (1.1.1.10)

(2) Firewall does the NAT'ing

(3) Client establishes the tunnel to the VPN server which then provides access to 192.168.1.0/24 and 192.168.2.0/24

As a client, I can ping anything on both subnets. In terms of services, everything seems to be working fine. More specifically to this issue, I can access all services on both subnets that run HTTPS, such as iDRAC, cameras, switches, routers, Splunk, etc. I can also access the ESXi web interfaces on the Production subnet. However, when I try to access one on the Development subnet, the ESXi web interface loads endlessly.

Note that the same ESXi web interface is accessible immediately after reboot, but then "loses connectivity" after a couple of minutes. Also note that I can always ping and SSH into that same ESXi.

Been trying to wrap my head around this for a while. Some of our engineers would like to play with their own ESXi... The solution so far has been to spin up a VM on the development subnet, RDP into that VM and then access ESXi that way...

Any ideas?



Ciena Acquiring Juniper Case Study Help

Hey everyone! I recently got handed a case study to do for my MBA class: Ciena acquiring Juniper. However, I'm a networking newb. I'm trying to get a handle on the ecosystem, where the two companies are strong, where they are weak, how they compete, and how one would complement the other.

I know Ciena is super strong in optical transport network hardware and they have some software (Blue Planet) that helps with network automation. Juniper is strong in routing and switching products, SDWAN. Is that the main difference?

How do they interact with each other? And what software pieces does one do better than the other?

I've been doing research, but for a complete novice in this space it's a bit difficult to grasp. Also, I can't seem to find good information out there that shows the entire industry and where each player sits.

Thanks for any and all the help.



For those that HAVE to use Firepower...

It seems nobody would choose to run Cisco Firepower these days, but if you're one of those who would, or that decision's already been made for you...

Why not avoid the terrible GUI or terrible CLI, by using my terrible creatively-named Python library!

https://github.com/certanet/firepyer

It's a wrapper for the FTD API when running in FDM mode (not FMC).

It returns native Python objects (dicts, lists etc.) rather than modelling the API objects to custom classes and doesn't have major coverage, as I've only added the few endpoints I needed to use in my spare time, but if there's something missing that you need or have any feedback let me know!

Some docs and examples are here



What are common issues with enterprise switches at your job and how do you resolve them?

I’m trying to create a lab for myself. I will also use these resolutions and findings for work. It can be any model but Cisco has to be the make.



Viptela & Prisma Access

Greetings

I am working with my partner on deploying an SD-WAN solution and we have offered Viptela to the end customer, who is already using Prisma Access for cloud security.

The concern I am facing is the integration between the two solutions.

I already found the integration document on the Internet : https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-integration/secure-sdwans-with-prisma-access/viptela-sdwan-solution-guide.html

What I am looking for is real experience from people who have deployed such a setup, to check if there are any restrictions or caveats related to this.

Appreciated.



Is a -20 dBm signal good for JioFibre FTTH with a single strand of fibre coming to the home?

So somehow I got my fibre cable broken in two halves and then used a field-piece connector: I cleaned the fibre, trimmed it for a straight cut, then used the connector. Though I’m getting the max speed I’m paying for, the signal strength on the meter is ranging around -20 dBm just before the terminal point for the ONT modem.



Cato Network quarterly report highlights cyber threats based on almost 200 billion network flows that passed through their cloud [PDF]

Link to the report: https://go.catonetworks.com/rs/245-RJK-441/images/Security%20Quarterly%20Report.pdf

Key Findings Highlight Risks and Key Applications

  • The most popular corporate applications on enterprise networks. Some applications, like Microsoft Office and Google, you will already know, but other applications that have been a source of significant vulnerabilities also lurk on many networks.
  • Is video–sharing consuming your network bandwidth? A popular video–sharing platform was surprisingly common on enterprise networks, generating even more flows than Google Mail and LinkedIn.
  • The most common exploits. The report identifies the most common Common Vulnerability and Exposures (CVEs); many were still found in essential enterprise software packages.
  • The source of most threats. While the news focuses on Russia and China, most threats originate closer to home. “Blocking network traffic to and from ‘the usual suspects’ may not necessarily make your organization more secure,” says Etay Maor, our senior director of security strategy.


Tuesday, June 1, 2021

Network design for new servers and switches. Design check and advice

Hi All, I've recently undertaken a project from an old IT system Admin in the company I work for with a few issues.

The main issue is that the guy I have taken over from has passed away, taking with him a LOT of core system passwords, as he set up a lot of these and did not write/document them, or he did in an encrypted file that is basically useless to me.

I created a rack diagram that's basic and is my rough idea of the layout, so if you guys need an image link or that kind of thing I can provide that.

Now I currently have 3 new servers on the way

2 x R440

1 x R540 - planning to run TrueNas - open to suggestions

3 x PowerSwitch N2248X-ON

The switches will be stacked, connected via 40 Gbps uplinks.

Each server will have dual SFP+ connections, 4 Gigabit NICs and iDRAC Enterprise.

I plan to have four networks all class C ( 192.168.10.x, 192.168.15.x 192.168.20.x 192.168.200.x)

I plan to run ESXi on the servers; however my CEO, with the last System Admin, preferred Hyper-V. I dislike the idea of a Windows system running the core servers, given their need to shut down on the slightest update.

1) Are there other options besides ESXi/Hyper-V for enterprise? (Proxmox?)

2) These servers will be supporting around 200 users. Are there any suggestions on the virtual setup of servers? Currently I plan to have 2 VMs to run just DCs and authentication, and 1 VM to run a "Utilities" server for DNS, WSUS and the like. Due to wireless access, a UniFi controller must also be run on the servers.

3) Management tools are another big area I am not so familiar with, as I have really only assumed this role for this project. Can anyone suggest management tools? We have used Spiceworks in the past; however it has been buggy with AD authentication and the like, and I would like to move away from it if possible, so any suggestions would be greatly appreciated.

4) As for the router, it is a FortiGate 60F with 4 LAN ports, 3 ISP/WAN ports and 1 DMZ that is currently unused.

My question is, does this topology currently sound like it will work fine? I have no one in my organisation to currently run this past, with the passing of my fellow IT member.

Any advice or suggestions would be great. I've been doing networking for about 2 years now, but it's very different when you have to call the final shots, so thanks for any replies in advance :D



Downstream switches not learning VRRP MAC addresses for certain VLANs

Hi,

We are having a fairly strange issue. It could be a very simple resolution but I can't seem to figure it out; just looking for some ideas to check that we might not have thought of.

We use pfSense as our main router, we have a Dell N4046F stack as our core, and multiple various Dell edge switches hanging off them.

For some odd reason, the core and the first edge switches work correctly in that they learn the MAC of the VRRP for the specific VLAN. The problem is that switches below that don't, but only for certain VLAN's.

Because the switch doesn't learn the MAC, it spams the traffic out on all ports on that VLAN and the trunk too. The next switch up works correctly.

Any ideas?



Mass change password in switches - Cisco, Edgecore

Hello,
we have about 300 switches in our network, Cisco and Edgecore. We need to change the login on every device.

Any working solution for this? I'd be thankful for a working script, maybe.

Thank you



What are some good python for network engineer courses, besides Kirk Byers?

Just want to see what other options are out there for training. My work pays for me to do training every year, so I think I am going to really focus on learning python. Just want to see what other reputable classes there are to take for beginners with no python experience. Not worried about price at all, there is really no limit on that.

I have taken boot camps in the past through Global Knowledge, Infosec Institute, and others, so I was leaning towards something like that. I was considering looking into a course on the CCNP ENAUTO, but wasn't sure how deep that actually dives into Python itself.



Cisco WLC - Inter-Controller Layer 3 Roaming

I have personally never set this up but am trying to solve a design issue.

Is it possible to use Layer 3 roaming to have a guest network SSID (GUEST) on WLC1 and its associated VLAN 100 on our downtown core switches?

I have a remote site that I really don't want to stretch VLAN 100 across via layer 2 (but I do have that option). At the remote site with WLC2, how do I properly create the SSID and a VLAN so that it 'forwards' all that traffic to WLC1?

Is that just natively how it works? Is there a setting to mark one SSID/interface the anchor on WLC1 and then mark another one the 'foreign'? My hope is that when a user is at the remote site and they try to join the same SSID, it just knows to forward all that traffic to WLC1 without having to stretch that VLAN across my distribution switches.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Way to manage on premise devices? Is my approach decent?

Hello there,

I'm a software engineer and I'm deploying on-premise Jetson Nano devices for retail shops. I'd like to have a tool that allows me to do CI/CD and monitor said devices. I have only skim knowledge about ways to achieve this.

The only thing that comes to mind is setting up an OpenVPN server that allows me to connect to the devices via SSH and update them. Is this a good approach?

I don't know whether port forwarding will be possible for some clients, so I'd like to have a solution that doesn't involve managing networking on the client side. I'd like this to be separated as much as possible.

Are there any other ways to achieve this? Can someone guide me if I'm naming my problem correctly?



Sharing radius keys securely with external entities

I'm curious what mechanism or method you use to communicate a new RADIUS key [or other shared key] with an external vendor. I'm sure some folks have a portal that is meant for this very thing [Cisco etc.], but for those who don't have something like that set up, how are you securely sending sensitive information like shared secrets to your vendors?



Help me choose switches with these specifications! After reviewing a well-known brand, I was puzzled by the number of options on the market. Budget is $2,200 per switch.

Switch Category: High End SMB to Enterprise entry level

Type: Managed

Layer: L3

Downlinks speed: 1Gb

Uplinks speed : 10Gb

Ports: 48 x 10/100/1000
+( 2 x 10GE copper/SFP+ combo + 2 x 10GE SFP+) or (4x 10GE SFP+)

Switching capacity: at least 175 Gb

Performance: at least 112 Mpps

PoE: PoE, PoE+ and 60W PoE

Enclosure type: Rack-mountable - 1U

Remote management protocol: SNMP 1, RMON 1, RMON 2, RMON 3, RMON 9, Telnet, SNMP 3, SNMP 2c, HTTP, HTTPS, TFTP, SSH, CLI



Cisco SG250 "Drop Events" on uplink port

Greetings

Sorry in advance if this isn't "enterprisey" enough but it's what we have in this office. If I should ask this somewhere else, let me know and I'll do that.

I have a Fortigate 60F (6.0.12) feeding into a Cisco SG250-50 (2.5.0.83), both of which are brand-new in the last 90 days. The Fortigate is plugged directly into an ISP-provided Hitron cable modem, attached to a 1G/50M service.

We are seeing inconsistency in our service. Speed tests can range anywhere from 50/5 to 950+/55. Days can go by without performance issues, and then we'll have days where VoIP will get choppy/drop-happy/one-sided etc., and/or Teams video will be laggy, choppy and freezy.

Speedtest issues do not correlate to the other issues.

Vendor support has been, so far, hopeless.

The only outlier that I can put my finger on, and that only inconsistently, is that when the speedtest results are bad, the switchport connected to the firewall LAN interface will sometimes accumulate RX Discards (called Drop Events in the web GUI) during the speedtest. As in, 10K to 15K packets per test run.

These results happen only when the speedtest is run through a web browser, connected to either speedtest.net or "whatever it is google uses when you search for speed test". If I use the win10 Speedtest.net App, it does not accumulate drop events, bad result or good.

Also, speedtest results are much less likely to be bad when run through the app.

Also, drop events do very slowly accumulate during non-speedtest use, but only in the order of a couple dozen per day.

My research suggests that drop events (InDiscards) indicate that the switch received a packet and did not forward the packet on -- due to ACLs (none active), QoS (default setting, but the port shouldn't be triggering it) or a lack of resources on the switch -- i.e. buffer space. I can't rule out the last one, because I have been unable to find a guide to debug mode on this switch (if debug mode on the switch would even help diagnose something like this).

If I move the uplink port, the discards follow the move. So there's something about the way that this firewall talks to this switch.

Except, as I mentioned, both these devices are new in the last 90 days. The previous firewall, a FortiWifi 60D (6.0.8) was connected to an HP 1810G-24, and we saw the same kind of performance issues. I can't tell you if the "discard" symptom was showing because those HP switches don't export crap through SNMP. The intermediate combination, the FortiWiFi 60D connected to this Cisco SG250, also exhibited the same performance problems.

Every cable I can lay my hands on has been replaced. Both the switch and the firewall have been replaced. I can't see any evidence of IP conflicts or MAC stealing. The only pre-existing "networking" equipment still here are a pair of Aruba Instant network things, and to simplify things I've turned them off while we work on fixing the wired network issues. And still.

Further upstream, the ISP has been in and replaced an open splitter on the input cable with a straight coupler. When they (or we) plug directly into the ISP device, the performance is always good.

I'm losing my mind here. At this point I'd welcome someone rolling up and saying the equivalent of "You idiot, have you set the [obvious parameter] from [broken] to [working]?" because it would just get this issue off my back.

What should I look at next?

Guidance gratefully appreciated. Thank you.



Inter-VLAN Routing with multiple sites and L3 devices

Hello!

This may be too basic but I have run into an issue wherein I may be over-complicating things.

TL;DR - User cannot ping/upload/download/access data from their device (D1) in VLAN (a) to another specified device (D2) in VLAN (b). Our internal DNS lists the sought-after device with. There are two L3 switches (IP routing enabled on both) that connect back to another L3 switch acting as our gateway. Each of the VLANs has a /24 subnet to help demarcate traffic.

The Specifics: The user's device is connected to a L2 switch -> L3 Switch (Distro) -> L3 (Core) -> L3 Switch 2 (Distro) -> L2 Switch 2 -> ((Sought-After Device)). The L2 SWs are HP and not tagging traffic. L3 Distros are Cisco Catalyst 3750X and L3 Core is Cisco Catalyst 9400. All L3 switches have matching VLANs and IPs assigned to each VLAN for every device. I can't even seem to get a DHCP address when I connect to the switch directly tied into D2.

Is it possible that there are 'too many cooks' given the IP routing capabilities of the core and distro switches?

If this question is inappropriate please delete!

Thanks for all you have taught me so far!



Cisco 2960s

Anyone still got these in prod? Was thinking of grabbing one from eBay as a spare. We don't have VLANs, so I think it would be a safe spare. Thoughts?



More SFP converter in a network

Hi!

I would like to ask a question about a small factory network. I was learning networking 10 years ago, working on a CNC machine, and my boss asked me if this will work.

We would like to use 5 TP-Link MC220L.

We have 4 switches that do not have an SFP module.

If we buy 4 MC220L and connect them to the switches, will it work? (Let me try to explain.)

Switch1 ethernet to MC220L(1) Ethernet

MC220L(1) SFP to MC220L(2) SFP

MC220L(2) Ethernet to Switch2

Switch2 ethernet to MC220L(3) ethernet

MC220L(3) SFP to MC220L(4) SFP

MC220L(4) Ethernet to Switch3

Switch3 ethernet to MC220L(5) ethernet

MC220L(5) SFP to MC220L(6) SFP

MC220L(6) SFP to Switch4

Or is this totally pointless?

We got optical internet some days ago, and the network is not built yet. My boss wants to build the network cheap AF.

Thanks for the help.

A forgetful network specialist



Fiber Question

Does fiber connector color matter at all? If I have a multimode fiber cable, multimode 10G SFPs (both ends), and am using LC connectors on both end points, I would assume I'm good to go?



FTD with FPR

Anyone know of a really good place to get information on the FTD system, specifically using the FPR device line? The Cisco documentation is pretty non-descript on a lot of items. I've fumbled my way through the learning curve so far. I can't seem to figure out how to ping the inside interface of my FPR devices from inside hosts. I can hit the management IP no problem. I can route traffic through the device no problem.

I've set up ACP rules to permit ICMP, and I've set the platform options to allow ICMP and created a policy there as well. It worked until I put the first ACP on the device. One place I read said ICMP is open by default, so since I'm not explicitly blocking it, why can't I hit it?



Port Mirror without losing network access

Up until now, I have been plugging my laptop in and outputting the mirrored port to the interface the laptop is connected to on the switch. Since we have started working remotely, there have been a few times where I need to port mirror from several switches away. So laptop > PC in office > office switch > access switch > core. I need to capture traffic from a port on the core. Is there any way to do this without killing the remote connectivity? Do I need another device to output to? How does that device retain connectivity?



Unifi switch for data center

Any concerns from anyone about using a UniFi (USW-24) as a core switch in our data center? When I say core, I mean it'll connect our firewall to our vSphere ESX environment. The controller is hosted on a VM in that ESX environment, so my concern is firmware upgrades, as the ESX servers will go offline for a few minutes when that occurs. Anyone else doing this? UniFi doesn't make stackable switches like my old Dell stuff was. Thoughts? Comments?



Network Management

What do you use for monitoring your network? More specifically, is there any software that can make backups of the configs daily and compare any changes that might have happened? Looking at SolarWinds, PRTG and Open engine.



Fluke Etherscope II software archive?

I recently acquired a working Fluke Networks EtherScope II. It didn't come with any software, and I was wondering if it was up to date. It is version 5.0.02.
Please hit me up if you know of any software archives for this unit, or if I am already at the latest firmware. Thanks!



Understanding Wi-Fi Speed and How 6 GHz Compares

TL;DR:

  • Wi-Fi 6E uses the same PHY standard, MIMO, and modulation rates from Wi-Fi 6. The only thing new is the 6 GHz spectrum.
  • 6 GHz can be faster, if you’re near an AP using wide channels.
  • 2.4 GHz and 5 GHz still have advantages, such as longer range, better wall penetration, and legacy compatibility.

Before we talk about the nature of 6 GHz Wi-Fi, it’s helpful to understand the components of Wi-Fi connections and how they interact to determine performance. Consumer routers claim numbers like 10,800 Mbps of throughput, but where does that number come from? Why are the numbers what they are, and why don’t I get 10,800 Mbps on my speed tests, dang it!?

Start with 10,800 Mbps

  • 2.4 GHz: 4x4, up to 1,200 Mbps with 40 MHz Channels
  • 5 GHz: 4x4, up to 4,800 Mbps with 160 MHz Channels
  • 6 GHz: 4x4, up to 4,800 Mbps with 160 MHz Channels

1,200 Mbps + 4,800 Mbps + 4,800 Mbps = 10,800 Mbps.

Go Down to One Band

Since Wi-Fi connections only happen on a single band, you’re only able to access one band at a time. If you use 5 GHz or 6 GHz, you’re down to 4,800 Mbps. This is using 160 MHz channels, and 4 spatial streams.

Limit MIMO to 2x2

MIMO (Multiple Input, Multiple Output) is a direct capacity multiplier, and it multiplies capacity using the same spectrum. While most high-end Wi-Fi 6 access points support 4x4:4 MIMO, the vast majority of client devices top out at 2 spatial streams. Battery operated Wi-Fi clients like your smartphone or laptop are almost all 2x2:2 devices. Going from 4 streams to 2 streams cuts our maximum link rate from 4,800 Mbps to 2,400 Mbps, if using a 160 MHz channel.

If Using 5 GHz, Set Channel Width to 80 MHz

Using 160 MHz channels in 5 GHz requires the use of DFS, and not all devices support DFS operation. 80 MHz channels are a much more realistic option for 5 GHz, limiting maximum link rates to 1,200 Mbps. With Wi-Fi 6E, you get access to 6 or 7 more 160 MHz channels, and don’t need to use AFC or DFS if operating indoors. Range is less though, since 6 GHz attenuates faster, wider channels increase background interference, and 6 GHz indoor low-power AP transmit power is limited. For more details, see the Device Class and EIRP Limit section of Wi-Fi 6E's Current Status.

Set Modulation/Coding to 256-QAM or Lower

The maximum link rate requires 1024-QAM modulation, and a very high signal-to-noise ratio (SNR). The highest data rates are only possible in the best situations, with an AP nearby and limited interference on the channel. A more realistic modulation is 256-QAM or 64-QAM, resulting in a maximum link rate in the range of 600-900 Mbps for 80 MHz 2x2, or 1,200 to 1,800 Mbps for 160 MHz 2x2.

TCP/IP Overhead

Even in wired networks, there’s around a 5% overhead in TCP/IP connections. That 5% comes from all the data that’s required to set up the connection and address the packets and frames being exchanged. Jumbo frames can help a bit here, but come with their own issues. See Wikipedia for more details.

Beacons and Management Traffic

Beacon frames are how an AP advertises networks to client devices. In order to ensure that all devices in range are able to understand them, access points send out management traffic such as beacon frames at the lowest supported data rates. This expands the range of the broadcasts, but also acts as a speed bump, consuming precious airtime. The amount of management traffic increases with additional SSIDs, and features such as beamforming. You can limit the impact of management traffic by restricting minimum data rates. That’s usually only necessary in dense multi-AP networks, where small cell sizes and careful channel planning are important.

Half-Duplex

Wi-Fi is half-duplex, meaning only one device can be transmitting at a time, and only in one direction. To make an analogy, Wi-Fi is a walkie talkie, not a phone call. Ethernet is full-duplex, and allows transmissions in both directions at the same time. Wi-Fi does not. Wi-Fi being half-duplex doesn’t mean that throughput is cut in half, but it does mean that Wi-Fi devices can’t multi-task. When downloading a large file, a client device has to take many short breaks to transmit TCP acknowledgement frames back to its AP, or to allow others to transmit. Wi-Fi devices can’t download and upload data at the same time, or talk when others are talking.

Wi-Fi is a Shared Medium: Collisions and Re-transmissions

In addition to being half-duplex, Wi-Fi is a shared medium. When one device is transmitting on a channel, all other devices in range must wait their turn. If multiple devices transmit at the same time a collision can occur, causing the transmissions to be jumbled. When collisions occur, devices need to wait for a random length of time before re-transmitting. This can also cause link rates to be lowered temporarily, resulting in lower effective throughput for everyone.

PHY Link Rate is an Estimate, and an Average

When you see a link rate of 1200 Mbps, that doesn’t mean every single frame gets sent at 1024-QAM modulation. Individual frames may get sent above or below the current link rate values.

In Summary

  • A 2x2 device on an 80 MHz channel can achieve a maximum link rate of 1200 Mbps, resulting in throughput around 800-900 Mbps in ideal conditions.

  • A 2x2 device on a 160 MHz channel can achieve a maximum link rate of 2400 Mbps, resulting in throughput around 1400-1600 Mbps in ideal conditions.

This isn’t even all of the factors. If you’re interested in reading more, the CWNP blog has a great list of sources of overhead in Wi-Fi.

6 GHz Wi-Fi Characteristics

There’s nothing special added in 6 GHz to reduce latency, or increase speeds. Wi-Fi 6E uses the same PHY standard, MIMO, and modulation rates from Wi-Fi 6. The only thing new is the 6 GHz spectrum. An 80 MHz channel in 5 GHz is going to perform essentially the same as an 80 MHz channel in 6 GHz, with a few caveats:

  • Higher frequencies attenuate faster, so 6 GHz signals offer slightly less range than 5 GHz.
  • Indoor, low-power 6E devices like the RAXE500 are limited to a slightly lower EIRP (2) in the 6 GHz band compared to the 2.4 GHz and 5 GHz bands.
  • 6 GHz outdoor operation is more complicated, and regular-power outdoor APs require the use of the new AFC system, which is similar to DFS in 5 GHz. Standard-power APs will need to report their location before being able to operate at their full power.
  • Indoor, low-power devices don’t need to worry about AFC or DFS. Combined with a big chunk of new spectrum, this makes 80 MHz and 160 MHz channels more practical to use.

Maximum allowed transmit power in 6E increases with channel width. You’ll get the same 30 dBm maximum EIRP allowed in 5 GHz, but only with a 320 MHz wide channel. 320 MHz channels should be supported in Wi-Fi 7 (802.11be), but for now 6 GHz indoor range will be less than the maximum possible with 5 GHz.

  • 160 MHz channels reduce maximum allowed EIRP by 3 dB
  • 80 MHz channels reduce maximum allowed EIRP by 6 dB
  • 40 MHz channels reduce maximum allowed EIRP by 9 dB
  • 20 MHz channels reduce maximum allowed EIRP by 12 dB

6 GHz offers more bandwidth and less interference. 6 GHz allows for up to seven 160 MHz channels or fourteen 80 MHz channels, making them much more usable in the real world. Because of this, 6 GHz can be faster, if you’re near an AP using wide channels. 2.4 GHz and 5 GHz still have advantages, such as longer range, better wall penetration, and legacy compatibility.
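
The post's step-by-step budget (4x4 160 MHz maximum, down to a 2x2 client on 80 MHz at 256-QAM) and its EIRP-versus-channel-width rule both follow from short formulas. The Python below is an added example, not part of the original post: the PHY rate is streams × data subcarriers × bits per subcarrier × coding rate ÷ symbol time, using the 802.11ax subcarrier counts, 12.8 µs symbol and MCS table; the EIRP cap uses the post's own "3 dB per halving of width from 30 dBm at 320 MHz" rule. Note that the 2.4 GHz 4x4 40 MHz case computes to about 1,147 Mbps, which spec sheets round up to the 1,200 Mbps quoted above.

```python
"""Worked 802.11ax (Wi-Fi 6 / 6E) link-rate and 6 GHz LPI EIRP arithmetic.

Added example, not from the original post. Subcarrier counts, symbol time
and the MCS table are the 802.11ax values; the EIRP rule is the one the
post states (30 dBm at 320 MHz, 3 dB less per halving of channel width).
"""
import math
from fractions import Fraction

# Data subcarriers per channel width for a full-band 802.11ax PPDU.
HE_DATA_SUBCARRIERS = {20: 234, 40: 468, 80: 980, 160: 1960}

# 802.11ax OFDM symbol length in microseconds, before the guard interval
# (0.8, 1.6 or 3.2 us are the allowed GIs).
HE_SYMBOL_US = 12.8

# MCS index -> (coded bits per subcarrier per stream, coding rate).
HE_MCS = {
    0: (1, Fraction(1, 2)),    # BPSK
    1: (2, Fraction(1, 2)),    # QPSK
    2: (2, Fraction(3, 4)),
    3: (4, Fraction(1, 2)),    # 16-QAM
    4: (4, Fraction(3, 4)),
    5: (6, Fraction(2, 3)),    # 64-QAM
    6: (6, Fraction(3, 4)),
    7: (6, Fraction(5, 6)),
    8: (8, Fraction(3, 4)),    # 256-QAM
    9: (8, Fraction(5, 6)),
    10: (10, Fraction(3, 4)),  # 1024-QAM
    11: (10, Fraction(5, 6)),
}


def he_link_rate_mbps(streams: int, width_mhz: int, mcs: int, gi_us: float = 0.8) -> float:
    """PHY link rate in Mbit/s: streams * data subcarriers * bits per subcarrier
    * coding rate, divided by the symbol time including the guard interval."""
    bits, rate = HE_MCS[mcs]
    n_sd = HE_DATA_SUBCARRIERS[width_mhz]
    data_bits_per_symbol = Fraction(streams * n_sd * bits) * rate
    symbol_s = (HE_SYMBOL_US + gi_us) * 1e-6
    return float(data_bits_per_symbol) / symbol_s / 1e6


def marketing_aggregate_mbps() -> float:
    """The tri-band headline number: each band's 4x4 MCS11 maximum summed,
    even though a client only ever uses one band at a time."""
    return (he_link_rate_mbps(4, 40, 11)      # 2.4 GHz, 40 MHz
            + he_link_rate_mbps(4, 160, 11)   # 5 GHz, 160 MHz
            + he_link_rate_mbps(4, 160, 11))  # 6 GHz, 160 MHz


def realistic_client_budget(width_mhz: int) -> dict:
    """The post's chain for one 2x2 client: best case (1024-QAM 5/6),
    then the 256-QAM and 64-QAM rates a client is more likely to hold."""
    return {
        "max_1024qam": he_link_rate_mbps(2, width_mhz, 11),
        "256qam_5_6": he_link_rate_mbps(2, width_mhz, 9),
        "64qam_2_3": he_link_rate_mbps(2, width_mhz, 5),
    }


def lpi_eirp_limit_dbm(width_mhz: int) -> float:
    """Indoor low-power 6 GHz EIRP cap per the post: 30 dBm at 320 MHz,
    minus 3 dB for every halving of channel width."""
    return 30.0 - 3.0 * math.log2(320 / width_mhz)


if __name__ == "__main__":
    print(f"marketing aggregate: {marketing_aggregate_mbps():.0f} Mbps")
    for w in (80, 160):
        b = realistic_client_budget(w)
        print(f"2x2 @ {w} MHz: max {b['max_1024qam']:.0f}, "
              f"256-QAM {b['256qam_5_6']:.0f}, 64-QAM {b['64qam_2_3']:.0f} Mbps")
    for w in (320, 160, 80, 40, 20):
        print(f"LPI EIRP cap at {w} MHz: {lpi_eirp_limit_dbm(w):.0f} dBm")
```

Running it reproduces the numbers the post walks through: roughly 4,800 Mbps for 4x4 at 160 MHz, 2,400 and 1,200 Mbps for a 2x2 client at 160 and 80 MHz, a 256-QAM/64-QAM band of about 960 down to 580 Mbps at 80 MHz, and the 27/24/21/18 dBm EIRP caps. Pass a longer guard interval (`gi_us=1.6` or `3.2`) to see how a noisier channel lowers the rate before any MCS step-down.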



Cisco's VIC, Adapter FEX, and Nexus 9K

Many years ago, I deployed Cisco C-Series servers in standalone mode to Nexus 5Ks via VICs, and I enabled Adapter-FEX (switchport mode vntag) in order to allow for deploying many vNICs to each server.

However, these days it seems that the Nexus 9K has no support for Adapter-FEX, or at least I can't find documentation for it. Does this mean we can no longer configure multiple vNICs on standalone servers with VICs? Or is there a more modern methodology for enabling vNICs this way? Any insights would be appreciated!



Network documentation tool to generate packet headers

Hi,

Please delete this if deemed inappropriate.

A few months ago I stumbled upon a website/tool that could generate images for use in documentation, such as IP headers, TCP segments and frames, and TCP flows, among others.

I have searched for days and for the life of me I'm unable to find it.

It could generate images that look like this and this from the web browser.

I have already found http://www.luismg.com/protocol/ but this is only ASCII.



Managed switch with a fibre connection - can I unplug without a restart?

Do managed switches such as the Netgear GS110TP with a 1000BASE fibre module (SX/LC) need restarting or any config changes when you unplug the fibre cable (OM3 50/125) and then plug it back in later? Probably overthinking, and it just works like normal Cat5e switches, but I wanted to check. I need to borrow a fibre cable from a working switch to test on a potentially faulty setup elsewhere in the building.

I have experience within networking just not much on the fibre side of it and the person who deals with this is out for next couple of days.



How to secure RDP?

Hi, looking for a solution to secure a remote connection to my small office. I randomly need an outside person to connect to it remotely, and I have a dedicated PC on the network for this purpose, with Remote Desktop from MS. Running Windows Server and a small number of clients.

I see in the logs of our router a lot of brute force attacks on RDP. So would like to secure it better.

I am looking for an easy way to improve security.

Maybe something like the following?

  • A new firewall with an inbound VPN connection?

  • Software installed on the PC that uses Google Authenticator?

Suggestions? I can’t afford costly equipment or big expenses on software… but surely a safe and easy solution is worth the money. Thank you.



Securing Dedicated Link communication?

Hello, I have a problem figuring out a proper and cheap solution to secure communication on a Dedicated Link between two offices.

Infrastructure:

Main router running pfSense. eth0: WAN; eth1-2: local LANs (including intranet services that both offices need to access);

eth3 goes directly to an Ethernet port on my ISP device configured as a Transparent Dedicated Link to my other office.

In the other office I have an Ethernet port on the ISP device that acts as if it were directly connected to the eth3 port on my main router, so we have it connected to a UniFi switch, and from there it branches down to workstations.

All of their traffic (including internet) goes through Dedicated Link and my main router.

Link speed is not an issue.

https://i.postimg.cc/L6xsN0ZC/2021-06-01-08-56-29-app-diagrams-net-4b743ac90764.png

Right now it acts as a LAN network and is easy to manage, but if my ISP makes a mistake, the security of my Dedicated Line can be compromised.

I'm searching for a way to encrypt this communication without sacrificing the ease of management of the second office, and I need to make it cheap :(

Do you guys have any ideas?



Monday, May 31, 2021

What could cause packet loss one-way

I'm relatively new to the field, and don't have much experience with enterprise equipment.

I'm a technician that works on RF equipment, so I don't have much experience with any sort of IP data structures, however there is some sort of communication issue between the Modem (which I set up) and our Level 3 switch (which I believe is Cisco, and was set up by the technicians in another department).

When we have the switch ping our modem, it reports a 10% packet loss, however when the modem pings the switch, they all go through fine. We've replaced Cat 6, SFP adapter, and plugged into a different SFP port on the switch. I'm sure the other shop has taken more troubleshooting steps, I just don't know what.

We haven't tried a different port on the modem yet, as custom configuration is not particularly easy with it. We don't have any useful documentation on its CLI, and its GUI is confusing. All we know is that it runs some proprietary software on some Unix-like operating system (likely a Linux kernel). No one here knows anything about this equipment; so far I was the only person to get the modem-to-modem RF communication working. If anyone has used iDirect equipment, tips would be appreciated.



stable version of controller unifi

Hi guys. I am very happy to join you...

I want to use the RADIUS and hotspot service of the UniFi controller.

Now when I enable the hotspot service, it doesn't redirect to web auth for voucher-based authentication.

Controller version: 6.0.40

Access point firmware: 4.3.20.11298 (AP AC LR)

I just want to ask someone who uses the UniFi controller with RADIUS and hotspot: which version of the controller and access point firmware do they use?

Thank you.



How can I find out which devices use the Treck TCP/IP stack?

Hi there, I have recently come across a vulnerability in older versions of the Treck TCP/IP stack (CVE-2020-11896) and wanted to test it out on my devices. I wanted to ask: is there a way I can find out which devices use the Treck TCP/IP stack so I can try the exploit on them? I have an HP printer, and a few other IoT devices. Thanks for any help!



BGP issues on Fortigate

Currently I'm trying to advertise my /22 IP block using BGP on a Fortigate 600E (OS 6.4.4). I understand a router is best suited to do BGP, but due to the current financial situation, we cannot buy a router.

I have an X.X.120.0/22 IP block that I'm advertising to two independent providers. I am advertising X.X.120.0/23 and X.X.120.0/22 via ISP1, and I am advertising X.X.122.0/23 and X.X.120.0/22 via ISP2. Each provider is sending me a default route and their respective IP blocks. Using weight, I can choose which default route I want entered in the routing table.

I assign a static IP on a laptop of X.X.120.2, gateway .1. If I make the default route from ISP1 go into the routing table, everything is ok. If I make the default route of ISP2 go into the routing table, I am unable to browse. dig DNS (UDP), ping (ICMP), and traceroute work ok. I do notice that I can browse some Google or YouTube sites, but this is because it's served using UDP. With this, it seems that it's affecting TCP traffic only.

I even tried adjusting the TCP MSS (1300 - 1430), but that didn't help.

If I turn off ISP1 link, everything works using ISP2 only. If I turn off ISP2 link, everything works using ISP1 only.

The reason I'm trying to advertise two /23s is for load balancing and to maximize the link usage, since each link is not cheap.

Things I've tried:

  • enabled asymmetric routing
  • enabled tcp-session-without-syn in both in-to-out and out-to-in firewall rules
  • enabled auxiliary-session
  • route lookup matches the default route
  • policy lookup matches the in-to-out firewall rule

I have a support case opened with Fortinet, but even they seem to be lost and puzzled.



Multicast Question - Does a router always need to be present to handle Multicast traffic?

I'm trying to learn about the multicast protocol, and all the material I can find alludes to IGMP running at the router level. My confusion is: multicast groups have a unique MAC address, derived from the IP range that's a part of the group.

With the above in mind, for a local network (e.g., all devices on a single switch and on the same VLAN) does the Router need to be involved? Can't the switch itself run IGMP and use the Layer 2 MAC address to forward multicast packets to appropriate recipients?
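
The "MAC derived from the group IP" mapping the question leans on is mechanical, and it is not one-to-one. The Python below is an added example, not part of the post: it builds the multicast MAC for an IPv4 group (01:00:5e plus the low 23 bits of the address, RFC 1112) and, as a generalization, the IPv6 form (33:33 plus the low 32 bits, RFC 2464), then enumerates the 32 IPv4 groups that share one MAC and flags the 224.0.0.0/24 link-local range.

```python
"""Multicast group address -> Ethernet destination MAC (added example, not from the post).

IPv4: 01:00:5e + low-order 23 bits of the group (RFC 1112); the top 5 of the
      28 group-ID bits are dropped, so 32 groups collide on each MAC.
IPv6: 33:33 + low-order 32 bits of the group (RFC 2464).
"""
import ipaddress

IPV4_MCAST_PREFIX = 0x01005E   # 01:00:5e:00:00:00 .. 01:00:5e:7f:ff:ff
IPV6_MCAST_PREFIX = 0x3333     # 33:33:xx:xx:xx:xx
LINK_LOCAL_V4 = ipaddress.IPv4Network("224.0.0.0/24")


def _fmt_mac(mac48: int) -> str:
    """Render a 48-bit integer as colon-separated lowercase hex."""
    return ":".join(f"{(mac48 >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def ipv4_multicast_mac(group: str) -> str:
    """MAC a host or switch uses for an IPv4 multicast group."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    return _fmt_mac((IPV4_MCAST_PREFIX << 24) | (int(addr) & 0x7FFFFF))


def ipv6_multicast_mac(group: str) -> str:
    """MAC for an IPv6 multicast group (ff00::/8)."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in ff00::/8")
    return _fmt_mac((IPV6_MCAST_PREFIX << 32) | (int(addr) & 0xFFFFFFFF))


def ipv4_groups_sharing_mac(group: str) -> list:
    """All 32 IPv4 groups that map to the same MAC as `group`:
    same low 23 bits, every value of the 5 dropped bits."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low23))
            for i in range(32)]


def is_link_local_group(group: str) -> bool:
    """224.0.0.0/24 (e.g. 224.0.0.1 all-hosts, 224.0.0.251 mDNS) is flooded
    on the VLAN by IGMP-snooping switches regardless of membership state."""
    return ipaddress.IPv4Address(group) in LINK_LOCAL_V4


if __name__ == "__main__":
    for g in ("224.0.0.1", "224.0.0.251", "239.1.1.1", "239.128.0.251"):
        print(f"{g:>15} -> {ipv4_multicast_mac(g)}  link-local={is_link_local_group(g)}")
    print("groups colliding with 239.1.1.1:", ", ".join(ipv4_groups_sharing_mac("239.1.1.1")[:4]), "...")
    print("ff02::1 ->", ipv6_multicast_mac("ff02::1"))
```

The collision output is the practical point: 224.0.0.251 (mDNS) and 239.128.0.251 land on the same 01:00:5e:00:00:fb, so a switch keying purely on destination MAC cannot tell the two groups apart. That is why IGMP snooping parses the IGMP membership reports (Layer 3 content) to build per-group forwarding state rather than trusting the MAC alone, and why 224.0.0.0/24 is flooded unconditionally. A snooping switch still relies on something sending periodic IGMP queries so hosts keep refreshing their reports; on a VLAN with no multicast router, that is the role a switch's IGMP querier feature fills.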



Is there a place to download complete bgp peering data for ASNs?

Is there a place to download complete bgp peering data for ASNs updated daily?



Workaround to CIDR overlap using site-vpn between AWS and Cisco Meraki on DX?

We are trying to set up a site-to-site VPN from AWS to a customer data center running a Cisco Meraki gateway. This shouldn't be much of a hassle setting up and getting the tunnels up; however, the issue is we are both on overlapping subnet CIDRs.

The problem is that AWS transit gateway/site-vpn setup doesn't allow SNAT/DNAT and in this case the customer gateway (Meraki) also doesn't support SNAT/DNAT as a workaround.

I looked up setting up Openswan to SNAT/DNAT, but https://aws.amazon.com/articles/connecting-cisco-asa-to-vpc-ec2-instance-ipsec/ mentions setting up NAT on the destination side as well.

What are some of the workarounds I can use to get these tunnels up and running?



A subnet with two gateways.

I have some problems understanding a subnet with two gateways.

Let's say we have a subnet 192.168.31.0/24. There is a computer (192.168.31.2) and two gateways: a router port (192.168.31.1) and another PC running a gateway service (192.168.31.3) (in fact, I don't know what a gateway service is; is it like an HTTP service? Do you also need a port and IP address to access it?).

When the computer accesses the internet, the packet goes to 192.168.31.3, then goes to 192.168.31.1. So far, I have no problem.

What will happen when a packet comes from the internet to 192.168.31.2? Let's say I have a webserver running on 192.168.31.2:80. Please give me as many details as possible.

If 192.168.31.2 is connected to a switch, then to a router, how does the packet get to it?