Saturday, June 26, 2021

Fortinet vs Juniper

So we're in need of a switch redesign in our Colo and upcoming DR data center locations. We're not a huge shop but big enough. Currently we're a Fortinet shop with 2 FortiGates (HA) and 4 500-series FortiSwitches.

Due to storage and other enhancements we're looking to upgrade to 1048E's to get more QSFP density.

My question is I've been looking at other options other than Fortinet. Although Fortinet hasn't given me any major headaches, I'm not a huge fan. Cisco route looks to be out of scope from a price point and quite frankly I think may be overkill so I'm looking at Juniper.

What's the overall consensus on Juniper these days? It's been a number of years since I've worked with them, and I recall that, at least at the time, I enjoyed working on them.



Ruckus 7150-12 POE and Ubiquiti Edge X POE

I'd like to power my EdgeRouter X with POE from a 7150 Ruckus switch. Other POE devices work from the switch, but the EdgeRouter will not turn on (even with the other POE devices removed). I am using about 20% of the switch's POE budget normally.

I have looked at both the switch's and router's config and everything seems fine. Do Ubiquiti/Ruckus use incompatible POE standards?



HP DL20 gen9 rack help

So, I just procured myself a great deal on one of these from eBay, and got it home, and realized the rack ears are weird!

The captive screws are offset from the center, so don’t line up with the holes of a 1U slot in the rack. What am I missing!

For reference:

http://www.duosquared.com/shop/wp-content/uploads/2016/08/hp_hpe_proliant_dl20_gen9_server_front.png

You see there is also a hole in the rack ear that I’m sure would take a bolt - but that’s also off-center…



Are layer 4 PDUs (segments and datagrams) packets? How do they differ?

Learning about the TCP/IP model, it's pretty basic so I really want to know the basics well.

A quick google search gave me this answer:

The Layer 4: transport layer PDU is the segment or the datagram. The Layer 3: network layer PDU is the packet. The Layer 2: data link layer PDU is the frame. The Layer 1: physical layer PDU is the bit or, more generally, symbol.

Source: https://en.wikipedia.org/wiki/Protocol_data_unit

However, diving a little bit into what's the difference between segments and datagrams, I found this on Quora (Not quoting the full answer since it's kinda long)

...In the end they all are packets, and the "frames", "datagrams" and "segments" (etc), are just names so people can know in what kind of layer the packet is being referenced.

Source: https://www.quora.com/What-is-the-difference-between-datagrams-and-segments-in-the-TCP-IP-and-OSI-models

If the layer 4 PDUs are packets, then are the layer 3 PDUs packets too?

Sorry, I know this is very basic stuff, but my head is a mess right now. It seems like, despite being very basic stuff, every source, every website I check has a different definition for everything :(

Also, trying to find information on certain stuff is very complicated. Most of the time if I want to google "What's X?" almost every resource has answers like "Oh, easy! That's just the layer X PDU" or something like that.

I googled it because I saw it's the layer X PDU I don't need you to tell me that, I want to know what it is and why it works, I already know it's layer X PDU :(.

And the worst part is that most of the time they will just tell you that without any further elaboration, and the few times that they do elaborate, it's using terms and jargon that I can't understand, and trying to google about them will just give me definitions using the terms I was googling about to begin with.

I could just take the easy route and memorize what's what, but I really want to take the time and effort to comprehend it :(



Any DOCSIS/Cable Engineers Here?

I'm working on SCTE's DOCSIS Engineering Professional certificate right now. One of the questions in the module seems to be graded wrong - I think.

Does this look like the right answer? I included part of the text that makes me think I answered right.

https://imgur.com/a/m8pq0GO



As a junior network admin with Net+, is the CCNA a waste nowadays? What cert(s) to get next?

The networking we do at my job is all done through a GUI and not a CLI. The networking we do doesn't really use BGP or OSPF. Seems like most "normal" networking for small to medium sized businesses is just plugging the devices in and configuring Firewall + Content Filtering/WAPs/VLANs and you're done. CCNA doesn't really seem like it will help me propel my career forward outside of just having the 'CCNA certified' credential. Are there any other network certs out there you'd recommend, or do you think the CCNA, CCNP, CCIE cert path will be my best bet for getting into a Senior Network Admin or Junior Cloud Admin role in an enterprise environment? Do you think software-defined networking technology is making it so these certs are very, very slowly becoming useless? Where should I go from here as a junior network admin? Things I need to be learning?



Anyone experienced with Cisco WSA? How do I detect and proxy "non-browser" traffic?

I have configured the policies to shape browsing traffic and it's working fine. Websites are blocked and allowed as per rules.

But I'm having a hard time detecting traffic from other agents. Meaning not Chrome or Mozilla but for example internet traffic from the Skype app. Or internet traffic from Autocad, VPN clients, command prompt etc.

Traffic is blocked (because users can't connect with VPNs, Autocad doesn't connect to the Adobe server to update) but there are no logs showing this blocked traffic.

Only HTTP/HTTPS logs from browser traffic are shown.

I checked L4Monitor traffic and it has 0 data. Google didn't help.

Any help?



DHCP not working on VLAN

I may be being an idiot here (highly likely) but a very simple setup doesn't seem to be working for me.

I have configured ports 1-12 on a Dell N3000 on the default VLAN 1 and 13-24 on VLAN 2.

I have connected 3 Wireless APs on to ports on VLAN1 and another port to my firewall with the exact same setup for 3 different APs on VLAN2 with a port to the firewall.

VLAN 1 / 2 ports connected to the firewall are configured to trunk the corresponding VLAN; on the firewall side it has a default gateway, and when I run show mac address-list I can see the APs and trunk ports all reporting as active.

On the firewall I have configured it to provide DHCP addresses to the corresponding VLANs with 192.168.30.1 range 10-30 for VLAN 1 and on VLAN2 for 192.168.40.1 range 10-30.

The APs on VLAN 1 are picking up an IP address on DHCP, but nothing on VLAN 2 is getting a DHCP address, nor are any logs being recorded. The firewall is a Sophos XG 310 and we have multiple DHCP scopes all dishing out IPs correctly, so I suspect the error is with the switch somewhere.

Wondering what I could be doing wrong; ideally I don't want any interface IPs except OOB on the switch, but my last resort is to do that and enable DHCP on the switch side.

Any advice is appreciated.



No internet access when static

I was setting up a fire alarm station that has an IP dialer, and when I gave it a static address it could not access the internet, but it could access the rest of the network. I connected my laptop and let it DHCP to get an address. When on DHCP I have internet and network access. If I switch my laptop to static, with the same address the DHCP server gave me, I lose internet access but still have access to the network. Cannot wrap my head around this one.



Issue on drawing a network design

Hello,

I have a question regarding the drawing of a design I'm planning. I'm using Visio but I'm open to switch if the alternative is better.

I need to draw the physical part of the network, with every component. I found the stencils for almost all my hardware but I'm stuck on a stupid task. I cannot resize the rack altogether to make it cover most of the drawing area (which is an A4). I manage to resize the containing part of the rack, but all the rails inside keep their dimensions.

Here's a pic of what I mean.

How can I solve that? I'm sure it's a dumb question, but I've been trying for three hours to make it work.



Unifi Switch not Found

My work IT Dept. upgraded network switches and gave me a Unifi 16 150W switch. I plugged it in and did a factory reset. I installed the controller software, set up an account, and everything else. I plugged a cable from my current 8-port TP-Link switch into the Unifi switch on port 1 and it doesn't show up in the devices for adoption.

I logged into my router and it shows up in the DHCP list as 192.168.1.100. My DHCP range is 100 to 249. What am I doing wrong? Should I go direct from PC to switch for initial setup? I kind of just wanted to connect it to play with it before moving all my devices to it; that's why I ran a cable from my current switch to it.



Cisco SG350X - Login issues "mts/config/log_off_page.htm"

Quick Saturday job has turned into a long Saturday job. Stuck with a couple of Cisco SG350X-48P switches that after a reboot are not allowing me to log in with the current credentials. No firmware updates were performed, just a simple power pull to move them up a few rack U's and plug them back in.

"Invalid user name or password. Please try again."

It's also showing "/mts/config/log_off_page.htm" in the address bar?

Tried clearing cookies/cache/history. Tried https. Tried a fresh machine that's never touched this network. All blocking access. No network SSH access and no console cable handy to do password recovery.

Any tips? Thank you in advance.



My traceroute is not responding at a certain hop

import socket
import time


def main():
    dest_name = "google.com"
    dest_addr = socket.gethostbyname(dest_name)
    port = 33434
    max_hops = 30
    timeout = 3.0  # seconds to wait per hop; a hop that never answers prints "*" instead of blocking forever
    icmp = socket.getprotobyname('icmp')
    udp = socket.getprotobyname('udp')
    ttl = 1
    while True:
        # the raw ICMP socket needs root / CAP_NET_RAW to receive the TTL-exceeded replies
        recv_socket = socket.socket(socket.AF_INET, socket.SOCK_RAW, icmp)
        send_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, udp)
        send_socket.setsockopt(socket.SOL_IP, socket.IP_TTL, ttl)
        recv_socket.settimeout(timeout)
        recv_socket.bind(("", port))
        curr_addr = None
        curr_name = None
        tic = toc = time.perf_counter()  # both defined up front so the print below never hits an unbound name
        try:
            send_socket.sendto(b"", (dest_addr, port))
            _, addr = recv_socket.recvfrom(128)
            toc = time.perf_counter()
            curr_addr = addr[0]
            try:
                curr_name = socket.gethostbyaddr(curr_addr)[0]
            except socket.error:
                curr_name = curr_addr
        except socket.timeout:
            pass  # no ICMP reply from this hop within the timeout
        except socket.error as exc:
            print("hop %d: socket error: %s" % (ttl, exc))
        finally:
            send_socket.close()
            recv_socket.close()
        if curr_addr is not None:
            curr_host = "%s (%s)" % (curr_name, curr_addr)
        else:
            curr_host = "*"
        print("%d\t%s\t\t%f" % (ttl, curr_host, toc - tic))
        ttl += 1
        if curr_addr == dest_addr or ttl > max_hops:
            break


if __name__ == '__main__':
    main()

Here is my code, there is nothing on the terminal after a certain hop.



Friday, June 25, 2021

Have you run a production network with patched binaries?

Does anyone have experience with running a production network with patch fixes? i.e. software was released with version A, but because of a bug, the vendor released a new binary for just one process.

If so, it would be great to hear your experience/advice on accepting this. Are there best practices that have worked well for you? Would you accept this to run for 3-4 months while waiting for the next big release?



A tale of TTL and being stumped for weeks

This might be a bit long. I'm mainly posting it in case some other poor soul runs across a similar situation, and because this is the first problem in my networking career that I almost had to walk away from.

I'm a senior somethingorother at an enterprise that's fairly distributed, and highly reliant on "the cloud". Due to our size there can often be 10-15 hops before we even reach the internet from our enterprise, which is an important detail that plays in later. I've seen a lot of problems in my time but this specific one had me and quite a few others confused for a while, especially due to a lot of contradictory evidence.

Users start reporting connectivity issues with a $cloud_vendor API from one of our datacenters, the DC in North America, the cloud API being in Europe. Previously this was working fine, and they indicate no changes were made on their side. Just this one region wasn't working; we hit the same API service from the same cloud provider in both North American and APJ regions with no issues from the same machines.

A packet capture from the client shows that there is likely packet loss here, with TCP retransmissions occurring until the death of the TCP flow via a FIN from the cloud provider's API server. Right away we saw that the TCP three way handshake worked fine, but our TLS client hello was seemingly never making it to the far end, the client was retransmitting it until the FIN came from the cloud provider because of them never receiving any data and just seeing it as an idle connection. It turns out this was possible to replicate 100% of the time from any CentOS 6/7/8, Ubuntu 18/20, Debian, or FreeBSD server in the datacenter, VM or bare metal.

Begin troubleshooting, and we do a packet capture at the datacenter edge where we connect into the wider enterprise network. This packet capture shows the lost TLS client hello leaving our network, with the packet being well-formed and not borked in transit. We engage the enterprise network admins, and in turn they do a packet capture at the enterprise edge on the cross-connect to the transit provider that was handling this flow; TLS client hello is also seen leaving here. At this point, we see the packet leaving the edge of our network and believe that we have exonerated our network and needed help from the cloud provider to determine if they were receiving the packet.

While waiting for the cloud provider to get in gear (and stop blaming our datacenter network, enterprise network, firewalls, "outdated" Linux kernels (that are as up to date as the still-supported distro ships...), "outdated" TLS libraries, "outdated" curl, missing root CA certificates on our client, our TCP/IP stacks all being configured wrong, the color of paint in the datacenter not being to their liking) we did a bunch more troubleshooting. The default TTL on these Linux distros is 64, and we don't mess with that since we have NEVER had an issue with it. One of the first things we did was a traceroute, and we consistently saw the destination IP at hop 48, which we felt was far enough away from 64 for comfort. Additionally, a packet capture at our enterprise edge, datacenter edge, and host shows we are not getting an ICMP TTL exceeded back. So we moved on.

MTU/MSS was our next thought; the TLS client hello was only ~300 bytes but it needed to be ruled out, so we pulled at this thread for a while as well, but it went nowhere since we were quickly able to rule this out based on some testing and playing with MTU + MSS clamping. For what it's worth, most engineers I talked to about this problem quickly thought of MTU or MSS being the issue, so this wasn't time wasted by any means.

We determine that MacOS and Windows work fine from the same datacenter VLANs as the broken Linux clients, which confuses us a bit more, and we start to rabbit hole on the fact it's the TLS client hello getting lost and start to consider weird possibilities like the ciphersuites, extensions, or something else in the packet tripping up a middle box somehow, since of course the packets look very different from each OS. Honestly we did so much more troubleshooting in here, like turning off TCP sequence randomization on our firewalls, bypassing TCP state checks on our firewalls, fast pathing traffic through any middle boxes, deploying machines right from vendor ISOs, etc. Nothing worked.

Since the API server is cloud service provider managed, it's not like we can get a packet capture on our own, so we were stuck here since the cloud provider kept telling us getting a packet capture wasn't possible. We argued that talking to all three transit providers between us in North America and the cloud provider in Europe, with ~30 hops doing packet captures to determine where the packet was being lost, would be insane. Again, we knew the lost TLS client hello was leaving our network, but we could not know if it was making it to the cloud provider, and this seemed the best thing to check first. Their network engineers did not agree and fell back to the good old "Well no one else is having problems, and we're big, so clearly your network is broken"... Even though we were the only ones to ever provide packet captures.

Around this time we figure out that $cloud_provider's own Linux distro which is based on RHEL works fine from our datacenter, in the same VLANs. We ask the cloud provider what they have customized in this distro, and start doing our own A/B comparisons for proc tuneables related to TCP/IP. Turns out they touched a lot, and this was going to take time.

We setup our own instances running an httpd in the same region from the same cloud provider, and could not replicate the problem with clients from the same datacenter VLANs. It was only to the cloud provider's API.

I walk away from this having been working on it for weeks and decide I need to take a fresh approach. We knew that HTTPS wasn't working (using multiple clients like curl, openssl s_client, etc.) due to the TLS client hello getting lost, but what about just telnetting to the API and sending data; would that data get ACKd at least, even if that application/httpd didn't understand it? This turned out to be key. Even the tiny telnet packets with junk data weren't getting ACKd, and we saw the same retransmissions until the death of the flow via FIN from the cloud provider. In fact, NO data packets from this made it to the far end; the very first data packet never gets ACKd. At this point this eliminated a whole whack of possibilities, and I knew it was time to focus on the lower layers. I went to the working $cloud_provider distro VM and checked the default TTL: 255. Set the default TTL on our other Linux VMs to 255, and of course things start working.

There was a lot of conflicting data here between the traceroute showing this being 48 hops away, the TCP handshake working, the data packets not, the FIN,ACK packets from our side working to acknowledge the teardown of the flow, mixed in with a bunch of other things. As best we can tell (because $cloud_provider won't tell us any of the secret sauce) the cloud provider offloads some of the mundane TCP stuff, but the data packets to this service go further to some backend, either over load balancers or some ECMP/other load balancing setup, that decrements the TTL but DOES NOT originate an ICMP TTL exceeded message helpfully. We brought this up to them and it was more or less shrugged off; had we gotten this ICMP message we wouldn't have wasted so much time on this. We also indicated that this totally could be hit by any customer sufficient hops away, and their claim of "it's just you" was not very convincing. I really doubt any transit providers are filtering these ICMP TTL exceeded messages, so it's pretty likely the cloud provider isn't originating it, because we know for sure it never even hits our enterprise edge.

A lot of lessons learned here, and I probably even missed some of the more obscure things we tried while trying to debug this.

Anyway, hope this helps someone or at least was an interesting read. This was genuinely the first problem where I was starting to doubt my sanity.
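A constructed model of the path behaviour described in this post (an added example, not the poster's code or data): the provider front end answers traceroute probes and the TCP handshake at hop 48, the backend hops beyond it decrement TTL without sending ICMP Time Exceeded, and the hop counts are assumptions. It reproduces why traceroute and the handshake both look fine while the first data packet vanishes, and which default TTL is enough.

```python
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    sends_ttl_exceeded: bool = True   # normal router: ICMP Time Exceeded when TTL hits 0
    answers_probes: bool = False      # the provider front end: ACKs the SYN, answers traceroute
    consumes_data: bool = False       # the backend that actually reads the TLS ClientHello


def build_path(front_end_hop=48, backend_hops=20):
    """Constructed path modelled on the post: ordinary transit hops, the API front end at
    front_end_hop, then backend hops that decrement TTL but never send ICMP Time Exceeded."""
    path = [Hop(f"transit-{i}") for i in range(1, front_end_hop)]
    path.append(Hop("api-front-end", answers_probes=True))
    for i in range(1, backend_hops + 1):
        path.append(Hop(f"backend-{i}", sends_ttl_exceeded=False,
                        consumes_data=(i == backend_hops)))
    return path


def forward(path, ttl, kind):
    """Walk one packet along the path. kind is 'probe' (traceroute probe or TCP SYN, answered
    by the front end) or 'data' (payload that must reach the backend). Returns (outcome, hop):
    'delivered', 'ttl_exceeded_icmp' (sender gets an ICMP reply) or 'dropped_silently'."""
    for idx, hop in enumerate(path, start=1):
        consumes = hop.answers_probes if kind == "probe" else hop.consumes_data
        if consumes:
            return "delivered", idx      # a host accepts any packet arriving with TTL >= 1
        ttl -= 1                         # every forwarding hop decrements
        if ttl == 0:
            outcome = "ttl_exceeded_icmp" if hop.sends_ttl_exceeded else "dropped_silently"
            return outcome, idx
    return "dropped_silently", len(path)


def traceroute(path, max_hops=64):
    """Hop count traceroute reports: the first TTL whose probe gets an answer."""
    for ttl in range(1, max_hops + 1):
        outcome, idx = forward(path, ttl, "probe")
        if outcome == "delivered":
            return idx
    return None


def diagnose(path, default_ttl):
    """The observations the post contrasts, for a given OS default TTL."""
    return {
        "traceroute_hops": traceroute(path),
        "handshake": forward(path, default_ttl, "probe")[0],
        "first_data_packet": forward(path, default_ttl, "data")[0],
        "min_ttl_for_data": len(path),
    }


if __name__ == "__main__":
    for ttl in (64, 255):
        print(ttl, diagnose(build_path(), ttl))
```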



Cisco NX-OS devops automation pipeline guidance

Hi All

I'm trying to take a stab at building a fully automated deployment of Nexus 9k switches using the whole devops approach. I have a greenfield project and some of the requirements need to have this configured only by IaC.

My question is mostly around pyATS. Don't suppose anyone has some experience in deploying this successfully within a CI/CD pipeline and would be able to share some insights on the best approach to tackle this new world of automated provisioning?

Thanks in advance for your assistance.



Wildcard Mask CCNA Weirdness

Hello, I'm trying to wrap my head around the wildcard mask one of my CCNA labs used versus what I believed to be correct.

Basically it goes like this: they wanted only the 10.10.2.0/24 and 10.10.3.0/24 networks to be allowed to communicate between 3 routers, with an ACL permitting only the two mentioned networks. Later they show one way to find this out by laying out all of the common bits, and I did that.

10.10.2.0/24: 00001010.00001010.00000010.00000000
10.10.3.0/24: 00001010.00001010.00000011.00000000

If we were basing this off of the common bits, the only common bit would be the 2^1 bit, or the bit with the value of 2. Translating this into a wildcard mask (and to my knowledge netmasks must be contiguous but wildcard masks do not need to be contiguous) would be, in my mind:

00000000.00000000.00000010.11111111 or 0.0.2.255. This should cover the 10.10.3.0/24 and 10.10.2.0/24 networks, right? Edit: They also want the wildcard mask to include as few IPv4 addresses as possible.

The lab however used the wildcard mask 0.0.1.255 which only covers the 10.10.3.0/24 network, in my mind.

Am I wrong, or is the lab using 0.0.1.255 wrong? Can anyone explain to me what I'm missing? This is actually making me lose my mind.
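A worked expansion of the two masks discussed above, as an added example (not from the lab or the post): it lists which /24s an ACE with a given base address and wildcard actually matches, and it also derives the covering wildcard for any set of aligned adjacent networks, not just these two. The function names are this example's own.

```python
import ipaddress


def common_prefix_length(networks):
    """Number of leading bits on which all the given network addresses agree,
    never longer than the shortest prefix among them."""
    nets = [ipaddress.ip_network(n) for n in networks]
    addrs = [int(n.network_address) for n in nets]
    for bits in range(min(n.prefixlen for n in nets), -1, -1):
        mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
        if len({a & mask for a in addrs}) == 1:
            return bits
    return 0


def summary_wildcard(networks):
    """Base address and wildcard mask of the single ACE covering the common prefix.
    Wildcard 1-bits are 'don't care' bits, i.e. the inverse of the summary netmask."""
    prefix = common_prefix_length(networks)
    first = int(ipaddress.ip_network(networks[0]).network_address)
    summary = ipaddress.ip_network((first, prefix), strict=False)
    return str(summary.network_address), str(summary.hostmask)


def matched_networks(base, wildcard):
    """Expand 'permit ip <base> <wildcard>' into the /24s it matches. Assumes the last
    wildcard octet is 255 (whole /24s), as in both masks discussed in the post."""
    base_hi = int(ipaddress.ip_address(base)) >> 8      # first three octets
    wc_hi = int(ipaddress.ip_address(wildcard)) >> 8    # don't-care bits among them
    fixed = base_hi & ~wc_hi                            # bits an address must match
    free_bits = [b for b in range(24) if (wc_hi >> b) & 1]
    result = []
    for combo in range(1 << len(free_bits)):            # every setting of the free bits
        value = fixed
        for i, b in enumerate(free_bits):
            if (combo >> i) & 1:
                value |= 1 << b
        result.append(str(ipaddress.ip_network((value << 8, 24))))
    return sorted(result)


if __name__ == "__main__":
    print(summary_wildcard(["10.10.2.0/24", "10.10.3.0/24"]))
    for wc in ("0.0.1.255", "0.0.2.255"):
        print(wc, matched_networks("10.10.2.0", wc))
```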



Seeking some recommendation ref ease of polarity change on LC-LC fiber patch cords (types/manufacturers)

Been a [very] long while since my team last needed to do something with a high volume of IDF connects using fiber patch cords, and we found ourselves in the position of having to manually change polarity on a lot of patch cords on the day of deployment. The problem was that the team in the field had to rely on what the customer acquired, with no tools, with jacks extremely difficult to take apart and also questionably re-assembled. I would like to get some good fiber patch cords, ASAP, with options to acquire both A-A and A-B types, and also - very important - ease of switching polarity if need be (no fancy tools needed). I looked at Anixter's site, and the amount of options is overwhelming. Any practical advice, from what is available nowadays?

Edit: prefer OM3



How does VoIP impact the network security in a company?

I need help to discuss this in a report.



In a bind - Anyone in the Denver Colorado area have 32 10gb SFP+s laying around I could take off your hands?

I dropped the ball and didn't ship out our package early enough.

There was a shipment delay on top of it, and now our package with SFPs won't arrive until after our maintenance window.

Trying all options. Someone please be my savior.



Network Consulting Insurance?

Hello fellow networkers,

Like many of us, I do some network consulting as a side job outside of my normal 9-5. It usually amounts to about 10 hours a month at a pretty high bill rate. Most of my activities include helping this business select new networking products and oftentimes implementing said products. They pay me directly as an independent contractor, so I don't have an LLC and I'm not incorporated. Do I need to get some insurance to protect myself from unforeseen events? For example, what if they get hit with a cyber security attack? What if their network goes down from my stupid mistake? If so, where do I look for insurance and what types of policies should I consider?

TLDR: I do side consulting, should I get insurance to protect myself?



Thoughts on switch provisioning lab?

Hey, working on a switch provisioning lab in my office. So far I have a 2-post 6 ft rack. Want to get up to 24 switches doing ZTP at the same time. So far I know I want a vertical PDU with short power cords, a 48-port provisioning switch, and a 24-port console server. Looking at getting a bunch of these 1U shelves to make it easier to slide in switches without having to mount brackets. Any other thoughts on building a provisioning lab?



How to deal with an ISP not seeing random Internet drops?

Specifically Comcast. I'm tired of reasoning with their Tier I bots and asking for escalations and callbacks from Tier II (they never call back). The client's internet randomly drops and comes back on its own. I know it's Comcast because I'm monitoring the WAN static block gateway IP and it also goes down. I have the logs and can tell them exactly when it dropped, but every single time I call Support it's the same "the modem is online, I don't see any issues, do you want me to reboot it?". Sending a tech onsite does nothing because every time they troubleshoot onsite the internet is up and they don't see any issues. Besides, I don't think it has anything to do with Layer 1 at this point.

Do I have any options here or just ditch Comcast and look for another provider?



YANG use

Hello! I am a newbie in the YANG language and trying to learn to work with it. I have one question: is there any other use of the YANG language other than in SDN networks?

Thank you for any answer



Aruba CX jumbo frame disable

Hi,

I have my first Aruba CX switch (6300). How can I disable jumbo frames?

I have set the below commands on the Aruba CX, but still, when I check logs from the Huawei that this Aruba CX is connected to, it shows jumbo frames both input and output (if I disable the Huawei's jumbo frames, it shows giant frame errors). The other switches are Ciscos and no jumbo frames come from them.

swi042(config)# int 1/1/50

swi042(config-if)# mtu 1500

swi042(config-if)# int 1/1/49

swi042(config-if)# mtu 1500



Mellanox Onyx Inter-VRF routing possible?

I have a pair of Mellanox SN2410s running Onyx (MLNX-OS) current version. I'm looking to start moving some spanned VLANs to layer 3 and VRFs, but cannot figure out how to route between VRFs in Onyx.

Just looking for a small number of static routes between VRFs to keep some heavy things on the switch itself. I've thoroughly explored pbr and route-map on there and cannot figure out a way to achieve that.

Does anyone have any experience with Onyx or am I going to have to move to SONiC/Cumulus?



Router-On-A-Stick configuration with a Firewall VM on ESXi and a Physical Switch ?!

Hi,

I have the following in my lab.

  • Physical Managed Switch
  • Physical ESXi server (connected to port 5 on switch)
  • Windows 10 VM running on ESXi Server (connected to vmnic1, port 6 on TP-Link)
  • OPNsense Firewall VM running on ESXi Server (connected to vmnic1, port 6 on TP-Link)

The OPNsense Firewall VM can do Sub-Interfaces, and VLAN tags.

I'm looking to have Router-On-A-Stick configuration where the Router VM is running inside ESXi while the switch is physical. All VLAN configurations will be on the physical switch. I have read that VLAN configurations must be done on either the physical switch or vSwitch, not both.

The way I see it the traffic flowing this case is as follows:

  • Traffic from Windows 10 VM will come to vSwitch11 (VLAN 11 vSwitch connected to vmnic1, port 6 on physical switch)
  • Traffic from Port 6 will go to Port 5 on physical switch (Port 5 is trunk and is vmnic0 in ESXi)
  • Firewall VM vNIC on vmnic0 will receive VLAN 11 traffic

My question is whether Router-On-A-Stick is possible this way, and whether traffic will ever leave the ESXi vSwitch?

Thank You



What do you guys use to monitor your networks?

Hey all,

At my company right now we're averaging about 50-100 users on our main site and about 20 at 4 remote sites, with more sites to come. We mainly use Ubiquiti with a few Cisco devices here and there. At this time I'm curious as to what the best tools are to watch network traffic; we have inappropriate sites blocked but I'd like to do better.

Looking forward to hearing what you guys use c:



How to: Edge router and BNG optimization | APNIC Blog

This article contains details and tricks for ISPs. I don't need to elaborate on this one.

Source: https://blog.apnic.net/2021/06/24/how-to-edge-router-and-bng-optimization/



'Adding' existing AnyConnect Client Software to ASDM

Hi all,

Bit of a noob at ASDM (and AnyConnect if I'm honest) - There are existing AnyConnect packages on the ASA within the Flash, but on ASDM these are not being picked up within the AnyConnect Client Software section. You can 'Add' and then browse the flash within the ASA, and select the existing AnyConnect Client packages from there, but I wanted to make sure this will make no kind of change to the ASA?



Machine Learning Ideas

Hi, I am reaching out for help on Reddit! I work in a telecommunications company in a data analytics department, and currently, we are exploring new ways of machine learning models that could help the business. I have done some internet search on some use cases, which include network optimization, fraud detection, chatbots, and so on, however, I have not been able to find more specific examples. The company I work for mostly works with fixed networks (i.e. not mobile networks, such as 5G, 4G, etc.), and providing B2B services. Is there anyone here, who works in a similar area that could give some ideas as to what machine learning we could employ in the future (maybe some examples from your company)? Any ideas are highly appreciated. Thank you in advance!



Thursday, June 24, 2021

IPV6 address instead of IPV4 address on googling.

When I google for my IP, why is my IPv6 address shown instead of IPv4? I reloaded "Whatsmyipaddress" many times to get my IPv4 address. Many times it showed not detected, and finally after so much time and many attempts I got it.

I was trying to connect to a MongoDB cluster since yesterday using MongoDB Compass. At first it showed "CONNECTION FAILED". I asked a fellow operations developer to whitelist my IP. Probably he whitelisted my IP, and now the error has changed to "AUTHENTICATION FAILED".

I copy-pasted the exact same connection string they sent me but it failed. After that they asked me to try appending "Authsource=admin" to the normal string. But still authentication failed. Meanwhile my fellow operations developer was able to connect to the database using the same string. But I failed😑😑😑.



Sysadmin to Net Engineer

Hey guys,

I'm currently the equivalent of a Jr sysadmin at my university and I'm looking into a possible field change into Net Engineering. I know basic routing and switching stuff like EIGRP, OSPF, inter-vlan routing etc (nothing too crazy). I know the basics of the Net+ pretty much.

With this in mind, how long will it take to become a net engineer? What skills am I missing?



Clarity on TLS 1.3 decryption in blog...

Hi, I'm in the middle of going through the process of implementing SSL decryption on Firepower and going through what I should/need to decrypt but have also learned that if a website is using TLS1.3 then I won't be able to decrypt the traffic regardless. Are there many sites anymore that use TLS1.2, if not then is there much point in SSL decryption anymore?

I came across this blog here: https://mikeguy.co.uk/posts/2018/11/tls-1.3-decryption-misconceptions/

It comes across as a really useful informative blog on it and I understood 99% of it, up until the part where he mentions....

"Firstly, passive out-of-band decryption is out. The fact all key-exchanges will use Diffie Hellman means that devices such as IPS etc. cannot passively decrypt traffic even with a copy of the private key. The only way they would be able to decrypt data would be for one end of the conversation to provide a copy of the actual session key somehow. Not something that really exists at the moment, but potentially something that could end up coming out the back of this in the end (e.g. some sort of agent on your endpoints sends it securely to the appliance in question).

Inline “Man in the middle” decryption (as implemented on many firewalls and proxies) however will still be entirely possible. As long as your internal clients trust the device’s CA certificate then it will still be able to spoof the certificates and sit in the middle just as it does for TLS 1.2 today."

The first paragraph makes sense to me but then he contradicts himself it comes across like when he says MITM decryption is still possible, well that's what an ISP/SSL next gen firewall does for the job and in the first he's saying it won't be able to do it because of the way TLS1.3 works now. So which one is it guys?

Also, just so I'm clear as well, TLS1.3 works via both ends creating 2 values and sharing the "shared key" value and keeping the private key to themselves; when each receives each other's shared key, then using their own private keys they can come to the same shared master key and use that to encrypt and decrypt traffic and use it to pass through the symmetrical AES key used for actual encryption?
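As an added illustration of the two quoted paragraphs above (this is not code from the blog or from the original post), a pure-Python toy model of an ephemeral Diffie-Hellman handshake: an on-path observer holding the server's long-term key can verify the signature but has no ephemeral secret, so it gets no session key, while an inline proxy whose CA the client trusts simply runs two separate handshakes and holds both keys. The small runtime-generated group, the HMAC standing in for a certificate signature and the XOR keystream standing in for AEAD are all constructed simplifications, not TLS.

```python
"""Toy model of TLS 1.3-style ephemeral DH: passive tap vs. inline proxy.
Constructed example. The group is a small safe prime generated at runtime,
the server's long-term key is an HMAC secret standing in for a certificate
private key, and records are XOR-encrypted with a SHA-256 keystream.
None of this is real TLS; it only shows who can and cannot derive keys."""
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin, adequate for a demo-sized modulus."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_safe_prime(bits=80):
    """Toy group p = 2q + 1 with q prime (far too small for real use)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


P = make_safe_prime()
G = 2
SHARED_LEN = (P.bit_length() + 7) // 8


def keygen():
    """Fresh ephemeral (private, public) pair; discarded after the session."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(shared, transcript):
    """Stand-in for the TLS 1.3 key schedule: H(g^xy || transcript)."""
    return hashlib.sha256(shared.to_bytes(SHARED_LEN, "big") + transcript).digest()


def sign(longterm_key, data):
    """Toy signature: HMAC with the long-term key (a real server uses its cert key)."""
    return hmac.new(longterm_key, data, hashlib.sha256).digest()


def new_longterm_key():
    return secrets.token_bytes(32)


def handshake(server_longterm_key):
    """Both ends contribute an ephemeral share; the server signs the transcript.
    Returns the client's key, the server's key, and what the wire shows."""
    c_priv, c_pub = keygen()
    s_priv, s_pub = keygen()
    transcript = f"{c_pub}|{s_pub}".encode()
    client_key = derive_key(pow(s_pub, c_priv, P), transcript)
    server_key = derive_key(pow(c_pub, s_priv, P), transcript)
    wire = {"client_share": c_pub, "server_share": s_pub,
            "signature": sign(server_longterm_key, transcript)}
    return client_key, server_key, wire


def passive_observer(wire, server_longterm_key):
    """A tap plus the server's long-term key: can confirm authenticity of the
    exchange, but without either ephemeral private value it cannot compute
    g^xy, so there is no session key to return."""
    transcript = f"{wire['client_share']}|{wire['server_share']}".encode()
    authentic = hmac.compare_digest(sign(server_longterm_key, transcript), wire["signature"])
    return authentic, None


def xor_stream(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 keystream (not an AEAD)."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def inline_proxy(server_longterm_key, proxy_ca_key, plaintext):
    """Inline termination as a trusted proxy does it: the client-facing leg is
    signed with the proxy CA key the client trusts, the server-facing leg is an
    ordinary session. The proxy holds both keys and re-encrypts in between."""
    client_key, proxy_client_leg, _ = handshake(proxy_ca_key)
    proxy_server_leg, server_key, _ = handshake(server_longterm_key)
    record_in = xor_stream(client_key, plaintext)        # client -> proxy
    seen = xor_stream(proxy_client_leg, record_in)        # proxy inspects
    record_out = xor_stream(proxy_server_leg, seen)       # proxy -> server
    delivered = xor_stream(server_key, record_out)        # server reads
    return seen, delivered, client_key != server_key


if __name__ == "__main__":
    server_lt, proxy_ca = new_longterm_key(), new_longterm_key()
    ck, sk, wire = handshake(server_lt)
    print("endpoints agree:", ck == sk, "| passive tap:", passive_observer(wire, server_lt))
    print("inline proxy:", inline_proxy(server_lt, proxy_ca, b"GET / HTTP/1.1"))
```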



Help with QoS on Cisco cat9500 16.12.x

Hi folks, I'm looking for help doing a QoS config. The overall egress policy needs to police at 5Gbps, and within that 5Gbps, EF traffic needs to get absolute priority, no matter the bandwidth up to the 5Gbps.

    class-map match-any Match-Video
     match dscp ef
    !
    policy-map PRIORITY
     class Match-Video
      priority level 1
     class class-default
    !
    policy-map WAN
     class class-default
      police rate 5000000000 conform-action transmit exceed-action drop
      service-policy PRIORITY
    !
    interface TwentyFiveGigE1/0/1
     service-policy output WAN

The part I'm not 100% understanding is how to have an aggregate policer. Nested policy maps seem to be the way, and I'm also unsure about the inside service-policy seeming to be within the "police" statement, but this could just be a visual artifact within CML (VIRL). Anyways, thanks in advance for your advice/help!



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Secondary NTP Time Source Recommendations

I'm working on a project to set up a secondary time source in our environment.

We currently have most stuff pointing at a Loopback on our Core Switch, which is acting as an NTP Master. The Core is synced to 4 public NTP servers and then everything points at the loopback.

I would like to have a secondary source. My first thought is to replicate this setup in our DR site with another NTP source (we use pool.ntp.org in our primary site, I'm thinking the National Research Council [Canada] time servers for the DR site.)

Thoughts and opinions welcome.



Oxidized Github inactivity

For those unaware, Oxidized is a backup tool for network devices.

It seems that the Oxidized Github page is quite inactive. CI/CD pipeline failing due to outdated ruby version, last commit on master somewhere in February, owner seems inactive on Git, no responses on Issues etc.

I'm thinking of implementing Oxidized as this backup solution because:

  • It's open source
  • Wide support of the community with many models
  • It being recommended widely on this subreddit and as replacement for RANCID.
  • Has an API
  • Does not use traditional scheduling (start a backup job with 300 devices at 02:00. Instead, spread them out over, let's say, 24 hours.)

But now I'm debating due to the project being quite inactive. What do you all suggest / use? Is there an alternative that fulfills these needs or should I go for Oxidized regardless?



Remote Control

I am an IT consultant, and I am looking for a program that I can use to remotely control all my client computers from an admin console. I have used Logmein, splashtop, comodo, which are too expensive. What are some of the cheaper solutions that have worked well?



Front Facing Web Server

Hey,

I'm about to migrate an internal web server to be opened to the internet. Just want to make sure if I'm being overkill on my setup.

LAN -> DMZ -> WAN

ACL

LAN -> DMZ

Ports: 22, 443, 80 - ALLOW

DMZ -> LAN Deny all except ICMP

I feel like I'm being overkill restricting LAN to DMZ ports?



UPDATE: Copying config from legacy Arista routers/switches to replacement JunOS appliances?

You probably don't remember this post from me, a systems engineer, asking for advice on how to be a network engineer in production.

Well you'll be happy to know I caused an outage!

Happy Thursday, I hope you're all doing fantastically.



Cisco ISE - iOS PEAP Authentication Invalid Credentials and AD lockouts

We have a wireless network that uses ISE for PEAP authentication (username/password). We started receiving reports of AD account lockouts for a few users. After digging into it we found that ISE was showing that the clients entered invalid passwords. This is where it gets weird.... We worked with the users to ensure they had the proper passwords. It seems that iOS devices specifically are having an issue where they are able to connect successfully initially but after some time the phones start sending invalid credentials. The phones will keep trying to authenticate and it eventually leads to a lockout in AD. Has anyone seen this type of issue specifically related to ISE, iOS, and PEAP?

EDIT: At this point I don't think the phones have invalid credentials stored; it almost looks as if they are abandoning their PEAP sessions, which is causing the invalid password to trigger.



Replace Cisco 1921 for 1Gbps Internet?

We recently upgraded our office to a 1Gbps fiber Internet connection. I am still using the Cisco 1921 router, which is not spec'd for those kinds of speeds. When I run a speed test, I get close to 900Mbps (so not too shabby), but I don't want this older router to be a bottleneck. What would be a good SMB replacement that can handle our faster connection?

The router does not need to do anything other than route traffic to/from the Internet. All the other work (VPN, IDS/IPS, VLAN) is done by devices behind the router.



Meraki firewall

Hi All,

Is there a Meraki guru out there that can confirm if the upstream firewall rules on the Meraki dashboard for cloud controller pushes policy to AP and if the AP then does the blocking of client traffic or does the client traffic still traverse the Lan to cloud controller before traffic is blocked there?



Performance differences in switches - negligible?

This is a very noob question, sry about that... I have a small cage in a DC, there are 3 servers in it... I am using a really basic 1GBps switch with 5 ports, probably it's really for home use idk, bought it off Amazon for $25. It does exactly what I want, is there any point to spend more money? The only reason I would spend more money is if different switches were faster, as internet latency to one of the servers is critical, but people have told me that basically switches are all so fast (<1ms) that it won't make any difference. Is this true?



Cisco ASA 5508-X K9 replacement options

If this post should be in a different sub, please let me know.

We are preparing for End of Life in a few years for the Cisco ASA 5500 series firewalls. What would be a good choice moving forward? I primarily work with Cisco devices but I can learn just about anything. Does anyone have experience with the Firepower 1000 series devices?

Edit: 90% of the devices we have now are Cisco ASA-5505-SEC-K9 and Cisco ASA-5508-K9, One company has 2900 series routers that are being replaced with new 5508-X firewalls. All Cisco switches



Planning to take bsnl air fiber franchise

Hi 👋

I am planning to take bsnl (India ) airfiber franchise at my place. Right now we don't have any network providers at my location.

So I started to think about it and contacted BSNL. BSNL will be giving space and power but we need all other equipment for transmission.

The equipment BSNL suggests costs around 75000.

It would be hard for me to get 10 customers in the next 3 months. I am thinking if you can suggest a cheap alternative network design/devices.

I am thinking of one sector antenna instead of 3, which reduces cost drastically. I know one person used to run a network with just a power beam and airgrids. Can someone suggest me cheap alternatives please? I am not trying to earn profit, I am just trying to provide connectivity to 15 coastal border villages to help the children connect to online classes etc.

I don't need any profit, I just need the network up and to give people a chance to be able to use it.



Juniper SRX PXE boot

I have an SRX which is working as a DHCP server for my user subnet. I want to send PXE requests from clients behind the firewall to the PXE server located in a different location in the network. What is the correct method to do this on the SRX?

Is it with the dhcp-attributes line?

set access address-assignment pool usr-pool family inet dhcp-attributes option 129 ip-address 1.1.1.1 

Has anybody got a working example of this?

I also see talk of a next-server

https://www.juniper.net/documentation/us/en/software/junos/dhcp/topics/ref/statement/next-server-edit-system.html

Is this required for PXE or not?

Thanks



Black v Blue Colored 9pin RS232 cable

Another day, another stupid question from me to Reddit's networking community.

I have two RS232 9 Pin Female-to-Female cables and an old style Cisco SG-300 console port in following pics:

https://imgur.com/a/D8gSD2Y

The blue one is a null modem cable, I think. It doesn't work when I use it on an old type 9 pin Cisco SG-300 console port. The black one DOES WORK when you use it on the SG-300 console port.

What's the difference? Pinout obviously, but more importantly to me, I need to know what type of cable the black one is in order to buy another one identical to the black one that does work on SG-300's. I don't know what the difference is, or what type of cable that black one is I'm looking for.

I thought it might be this below.. but on second look this looks more like a null modem cable like the blue one I already have:
https://www.amazon.co.uk/dp/B002DEM02M/?coliid=I2B2WYUI0YK2J7&colid=FTPQIRXTI3LP&psc=1&ref_=lv_ov_lig_dp_it



Wednesday, June 23, 2021

I need study guides for the network + exam

I'm taking a course and at the end of the course we get to take the Network+ exam; while I understand some topics, I struggle on others.

I can apply stuff really well; when we do labs I know exactly how to set up different topological types of networks, and how to configure servers, but when it comes to the key-words and tests I struggle.

What's a good study-guide / book that will prepare me for the latest Network+ test? Alternatively, does anyone have any tips on what I can do aside from reading / studying via books?

Thank you so much guys.



Probably a stupid question but where did you learn what you know now?

So I’m 17 and I know a lot about networking considering the age (came within a couple of questions to passing the CCNA) and I’m kind of paranoid that if I get a job at a company in the distant future that I may not be 100% able to do my job well. It’s really stupid of me to think like that especially since I’m 17 but the fact that I get so worried about that kinda stuff is bugging me. Maybe I’m speaking too soon since I’m not even in damn college yet but where did y’all learn the majority of the stuff you know and are applying in your workplace. I also doubt my abilities when I browse this sub and I see things I’ve never heard before and think to myself like what the fuck are they on about lol.

Anyways thanks for reading my Ted talk



OSPF broadcast vs. PtP modes for routers with switch chips

I'm planning an OSPF network where there will be a lot of routers with at least 2-3 connections to other routers. The array of ports on every router has a link to the processor with a speed lower than the total speed of all of the ports combined. However, to help with this, each router has a switching chip built in to switch frames at wire speed. These switch chips don't support switching VLANs, so they're pretty basic. Therefore, would it be better for performance to use OSPF broadcast mode instead of PtP that I was originally planning? The only problem with that is that some router will have to be supersized to distribute all the routes, and I'll also have a giant L2 network which may or may not be a good thing.



Cross-posting this here from r/sysadmin: Web application is currently prompting TCP Error Code 10061

Good day everyone! I'm currently having trouble trying to fix this issue.

Full error:

Could not connect to net.tcp://206.101.216.19:7008/wcfapp. The connection attempt lasted for a time span of 00:00:00.9999808. TCP Error Code: 10061: No connection could be made because the target machine actively refused it 206.101.216.19:7008.

I've read forums that solutions that worked for them. I've already double checked this with our systems admin.

Things I checked:

I made sure both the server and the work computer have Windows Firewall turned off. The server services do not have a TCP Listener adapter but it has a TCP Port Sharing service and I asked our admin to restart it.

It still prompts the same error from the employee's computer. Any advice?



Site-to-Site VPN between Juniper SRX and AWS VPC

I'm fairly new to VPNs but am trying to set up a VPN connection between my AWS VPC and my Juniper Edge Router. Now, I've got a bit of a wonky set up here that creates a double NAT situation.

Host computer (192.168.1.2/24) -> First Router (Source NAT to 192.168.252.2/24) -> Second Router (public IP address configured for VPN to aws) -> AWS VPC (destination of 192.168.250.2/24)

I went to AWS and gave it my public static IP address and said I need the 192.168.252.0/24 subnet to be able to communicate with the VPC. It spits back a config which I enter and from the second router, I can ping a device in the VPC so long as I set my source of the ping to be 192.168.252.1 (the "inside" interface of the second Router). So I think GREAT!, it works.

Then I try to ping from my host computer... and it does not work. I'm sure the NAT is to blame since it works when I ping directly from the router, but I'm not sure what else to do configuration wise. I am dreading a support call with Juniper.



Software Routing Resources

Hello

I am trying to find some titles of books and/or some online resources regarding software routing. I understand hardware routing, but am trying to learn about the pure software side. Any suggestions?



Expected signal and signal loss values for mechanically spliced fibre?

I think this slightly goes beyond the scope of r/homenetworking so asking here (as some of you guys may be experienced with mechanical splicing and what values look normal).

Planning to move part of my lab into the shed (~30m away from the house), and am planning to use fibre (to avoid any lightning risk causing damage to equipment) and will be using a mechanical splice joiner to connect it to a pigtail (to terminate it in a wall box). I have some unterminated armoured stuff I picked up from work I'm planning to use.

I've tried doing a test run with the fibre and pigtail compared to some connectorised stuff I have to check how bad the loss is and things I should worry about.

Table below has the figures my optical meter read out, can someone see a massive issue in the numbers that would make mechanical splicing a no-go? I can get a solid 10G BiDi link on the cable which was sustained upon testing overnight with no CRC/FEC errors. Testing with a VFL only shows a tiny glow in the mechanical splice window, and the dBm range does fall in the receiver sensitivity for the optic at the other end. However, aware if something just 'works' it's not always advisable to deploy.

There is one SC APC coupler and one SC APC to LC UPC patch lead being used (the LC plugs into the optic). Cable lengths for both are around 31 meters (~102ft).

                 Pre-terminated    Mechanical splice
    dB value     3.48dB            2.85dB
    dBm value    -6.59dBm          -7.36dB
    uW value     219.2uW           183.4uW

Super grateful for any guidance!



IE-3300-8P2S can't set the power supply max wattage

Hey folks,

These switches take power supplies that are connected by just two wires, so we have to tell the switch how big the power supply is. In the past I've been able to set this with the line "power inline wattage max" but on this switch that command doesn't work.

What am I doing wrong?

It seems like the "power" configuration parameter is completely gone. Has it been renamed?

Thanks!



Site-to-site VPN solutions for small-medium businesses

Hey all, was recommended to cross-post this topic here.

I've recently come on board with an MSP that primarily manages small-medium size businesses (I believe most of our clients are dental practices) that have maybe three or four sites at absolute max. My work experience in the field has primarily been inside the LAN so far and as I get trained for our operations and build my skills one of the things I want to get more familiar with is site-to-site networking so I can recommend solutions to our clients according to their needs and budget. Most of our operation is vendor support for practice management software but we do manage core networking infrastructure as well.

If our company has administered network equipment for a client then it will be Unifi switches and Sonicwall firewalls, both of which I'll get up to speed with hopefully shortly, but some have very basic ISP-provided hardware. I believe that we do not administer to home offices.

I'm familiar with the overall concept of site-to-site networking but as far as the execution, I was looking for some pointers; are there pure software solutions in the FOSS domain that can feasibly be utilized here, possibly with improvised hardware like a spare computer to act as a server, if not then what would be a good budget hardware solution for a small-medium business and what would the limitations be (e.g. number of concurrent users and/or licenses, etc.), particulars of different VPN clients/protocols, what are any HIPAA-related caveats, so on and so forth. A brief explanation of the overall logic of each solution would be helpful as well, if I need to do some research/reading that's perfectly fine too.



Best Practice for FW hardening

Hey Network World,

Long time lurker seeks advice. So I'm in charge of hardening our Cisco FTD 1140 firewall (we also have FMC for global management) and I want to do it the proper way.

This is why I'm seeking any good advice / recommendation / documentation / book / video etc. etc. for best practice when it comes to firewall hardening (I'm aware that each company is different but some general guidelines would greatly help). If it includes restricting access of AnyConnect groups that would be superb!



Outdoor Wifi for Cornhole Matches

Hello All!

I am looking for advice for setting up a portable Wifi rig for Cornhole tournaments. I am looking at a solution that will allow me to connect 40 Tablets, 5 Wifi Connected Displays, and 5 Laptops for a total of 50 devices to the internet. I am using an online service.

I currently have a cradlepoint, but am looking for a decent WAP solution that will cover a 300 x 200 area. Looking for a single antenna solution if possible, but if I can use multiple with a controller that can be centralized, that might be ok also.

Have any of you had any luck with outdoor WAPS?



US source for: Cat-8 1u patch panel with punchdowns, not keystones?

Does anyone know of a US source for Cat-8 1u patch panel with punchdowns, and does not use keystones?



Is it possible to treat two directly connected 100gbe ports as 4x25gbe links?

Like the subject says. Let’s say I have two servers and each of them has a 100gbe NIC. Can I directly connect them using some sort of cable and have the OS/hypervisor/etc see it as four discrete 25gbe links?

Why? I'm thinking of deploying a 3 node Starwind VSAN cluster (see https://www.starwindsoftware.com/resource-library/starwind-virtual-san-3-node-hyperconverged-scenario-with-windows-server-2016/). They recommend you directly connect all the nodes to each other for the iSCSI and sync traffic, without using switches. That requires each host to have 4 ports just for Starwind, on top of whatever else I'd need for general VM traffic and management. On a Dell 1U server with 2 PCIe slots and the mezzanine slot, it frees up a PCIe slot for a BOSS card or something else.



CDO, FTD 7.0 and DHCP Relay

Good Morning Folks,

Wondering if anyone has ventured into FTD 7.0 with their CDO Deployments, and how they are handling DHCP Relay if using it?

Currently have a large deployment of FPR1010's that I am upgrading to 6.6.4, but EIGRP broke on a handful of them after the upgrade, prompting the upgrade to 7.0 on the broken ones (quicker than rebuild, which is pretty much the only solution TAC gives right now).

We have the DHCP API Built out using the CDO Macros and understand how to deploy the DHCP Relay changes to the device, but are now running into the issue of how the hell do we pre-stage our DHCP servers on our devices using CDO, so we don't run into 300+ duplicate objects in CDO when creating them locally on each firewall? For reference, CDO will only add an object to your firewall, if it's in use in a policy. Selecting the firewall in CDO, and picking objects then creating the object in CDO doesn't build it on the firewall either, only on CDO.

Since DHCP Relay isn't a firewall policy, we cannot simply specify the object ID we want to use in the API, since that object doesn't exist in the firewall.

Currently my options are: Add my DHCP Servers as network objects into CDO, then add to an existing network object group that exists on all firewalls and do a mass deploy, but that really feels like a bandaid solution to get these objects created on all of my firewalls, and keeping them in a policy they shouldn't be in really isn't a great practice.

Does anyone with CDO experience have any other ideas or suggestions?



Question about low cost backup network

Hi guys,

I am in a rather unusual situation. I am trying to make my network resilient to power outages (which are frequent), but my network gear uses too much power for a battery backup to be cost efficient for me (just take my word for it).

So the plan is to have a separate router attached to a small battery, but this doesn’t seem like a common setup at all lol. My understanding is that if I put a switch between the WAN connection and the router, that it should be ok so long as nothing else is plugged in. Is that correct? ie I can have both routers plugged into the WAN via a switch and it won’t cause problems so long as they aren’t both on at the same time? This is a PPPoE fibre connection.

Ideally I’d like a way to have the backup network automatically switch over in the event of a power cut. If you have any advice for how to set that up please let me know. I was thinking about using a micro-controller with a battery, similar to some commercial solutions that I have seen. I am not interested in the SMS notification style though.

Any advice appreciated.



Stuck on a new job choice

Hi everybody, I want to share my doubts about a new job/career opportunity. I worked for a big system integrator for 2 years circa and then moved, 8 months ago, to my current company where I have a more consulting role.

At the moment I'm no longer engaged in implementation/configuration activities and I mainly produce documents for calls for proposal and (very) high-level design activities. I'm feeling quite useless and my technical skills are getting rusty, but I appreciate the advisory activities and architectural ones (even if at a high level).

Now, a customer of my previous company asked me to join the team as Senior Network Engineer. I would be more practical, I will have to carry out changes and implementations, all things that I like but I would lose my architectural/consulting role.

I worked for them for about a year and I enjoyed the experience, the infrastructure that we made is nice (VXLAN EVPN Fabric, F5 load balancers, Check Point firewalls, etc), now they say that there's the possibility to become a focal point in the company and maybe have a management career in the long term, while it could be quicker in my current company.

Any suggestions? What would you do in my position?

Thank you!



Simulation tool for evaluating performance of the link-layer for wired technologies.

Hi all, I'm writing my college thesis on Smart metering on the 5G. I've made my computations for the 5G wireless link-layer with the software given by my professor but, in order to make a comparison, I need a simulation tool for evaluating the performance of wired technologies relevant to my use case (Ethernet (copper), DSL, PLC, fiber optics, Homeplug, M-Bus; any of these will do).

The simulations I have to run consist of 3500 devices that send packets at a very low constant rate, so it has to have configurable packet size, rate of packet transmission and possibly length of the link. I need to evaluate average latencies, packet loss, throughput. Does anyone know a tool that does this?

As a reference, this is the tool I've used for the 5G: it is compiled C++ code for Linux which is launched via terminal and gives out a text trace; then through grep and awk I extracted the KPIs I needed.

Sorry for any stupid English mistakes, I'm not a native speaker. Thanks.



VMware SD-WAN Edge - View traffic stats for subinterface

Hi all. Trying to find a way to view traffic stats for a WAN subinterface running on a VMware SD-WAN Edge. GE4 is configured as the main WAN interface (WAN overlay) and then I have a second interface 'GE4.102'. There doesn't seem to be any way to do this via the orchestrator, so I was hoping there might be a way to do this on the back end (Edge software is based on Ubuntu). Have tried ethtool -S ge4.102 with no luck! Thanks



Site to follow/read about latest cabling, Racks, DC technologies in MDF/IDF

Came across Cablinginstall.com today while browsing for a 4 post rack. Are there other good/recommended sites like this out there? I have not been involved with physical layer stuff for years so I'm trying to get myself up to speed.



20KM SFP pairs on fiber links shorter than 200m

Hi,

I have some fiber links (SMF) between some industrial buildings, distance is between 150 - 250 meters, and I'm in need of some SFP modules, but currently no SFP modules for short range 3KM are available in stock at my location BUT I did find pairs which advertise 20KM range. Are there any issues with using those SFPs for such short distances? I'm relatively new to fiber optics.



Seeking advice regarding PTP configuration (NXOS)

Hello gang,

I'm looking for a clear explanation of PTP commands on NXOS platform.

TL/DR: which IP should I use for ptp source?
1) Grand Master
2) Boundary Clock's own IP addr (loopback/etc.)

The topology is like this

GM(GPS)(192.168.0.1) --- Arista Low-Latency SW (BC) --- Nexus01 (BC) ---Trunk --- Nexus02 (BC)
(BC = Boundary Clock)

Here's the configuration I used for Nexus switches.

    Nexus01
      feature ptp
      ptp source 192.168.0.1          (GM IP addr)
      int eth x/x                     (trunk)
        ptp
        ptp vlan xxx
      int eth x/x                     (edge ports towards Ordinary clock)
        ptp
        ptp vlan xxx
    Nexus02 (about the same)

What I'm confused about is "ptp source" command

According to the Cisco and Arista whitepapers, the source IP should be the BC's own IP address; it is used to restamp PTP messages, and it's used only in the Hybrid profile (unicast PTP).

But my boss says I have to use the IP address of the Grand Master clock.

Now, I checked the PTP counters on both Nexus switches and it seems to be working fine, and I presume that the current network is configured that way (source IP set to GM on every BC device) as well.

We only use multicast PTP, so I figured the ptp source command has no effect in our environment.

Which one is correct for ptp source ip? GM's IP or BC's own IP addr?



https://ift.tt/35JQTf0

Stochastic Optimization of Multipath TCP for Energy Minimization and Network Stability over Heterogeneous Wireless Network



Tuesday, June 22, 2021

Anyone using Cisco SecureX?

Just curious…and opinions!



GRE tunnel over IPSEC

Hi everyone, I am a bit fresh to networking and still junior. I was wondering if anyone would be available to give me some tips/advice regarding building a GRE tunnel over an IPSEC tunnel I have. The GRE tunnel is built from a Cisco router to another Cisco router on the other end of the tunnel, and the IPSEC tunnel is built from a pfSense to a Cisco ASA.
In the pfSense I have a phase 2 portion under my phase 1 IPSEC tunnel that has the LOCAL interface as a loopback interface on my Cisco router. The remote is another Cisco loopback interface on the other side of the tunnel. I can't get my phase 2 portion to come up for some reason. This is to share EIGRP packets between routers for dynamic route sharing.



IPv6 Gateway for German Telekom LTE / 4g Router

Hi all,

I am working with an external company that is going to set up a VPN connection to one of our sites. They prefer IPv4, who wouldn't, but we can only get a static IPv6 on the LTE / 4G router from Telekom.

Don't ask me for details, but short version, installing a wire would cost us up to 200.000 euros over the next 20 years we are renting the property, so LTE is the only way to go for now. Seriously, there is no other way.

Now, for some reason, they need the gateway from Telekom. I can provide the static IPv6 we have on our router, easy-peasy, but how do I find out the gateway from German Telekom on our Router? We are using a Fritzbox 6850 LTE.

Thanks!



Comcast EPL Circuit Azure configuration

Hey Y'all,

I've got a provisioned Comcast EPL from our on-prem DC to our Azure tenant. When I look at the EPL in Azure, all of the Connection options want a virtual gateway assigned for routing; my understanding of an EPL is that it shouldn't require layer3 routing of any kind. It's supposed to be a 'ethernet cable in the sky', from our perspective. Comcast tech support is like talking to my 9-yo; lots of 'Ummms' and 'abovemypaygrades'.

I have an Azure network/subnet already defined I would like to drop this thing on, and the on-prem is a small DMZ subnet that shares that IP space. The idea being that we have an EPL between them to unify the two environments.

Am I way off base with how this is supposed to work? Why can't I assign this to an existing subnet as a connection?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



VRF understanding

I’m having trouble understanding how VRF works. I have 25 sites and I want to start segmenting each site because they have networks with building automation equipment etc. Basically stuff that shouldn’t be accessible through interVLAN communication. My question is how does VRF work when I segment it at the site and up to the backbone switch? I plan to keep segmenting up to the firewall, but I want to do it slowly so nothing breaks. How can I slowly do this? I’m just not understanding how to get the traffic out of VRF at the backbone.



Options for 802.1x

I'm looking to set up 802.1x on a network with about 90 Catalyst 9300's. Most clients are Windows and Cisco IP phones. I'm looking at ISE but don't have pricing back yet and I expect it to be fairly expensive. I have seen other people using FreeRadius and NPS. I currently use NPS for admin logins into these switches. Anyone have any recommendations?



AWS/EC2 Network Congestion?

Hello All!

Was wondering if anyone could help me or guide me in the right direction:

Issue:

I have a web server (EC2) within AWS. This has a front end for users and a backend for devs. Often, every day, we "lose" the ability to do anything within the server, i.e. browse to our backend console, browse to basic sites such as Google, Yahoo; all while the frontend stays intact for our users. During this time we will be "offline" for 10-15 mins, then we are able to browse again until it happens again in another 20-30 mins, sometimes less.

During this time, i look at wireshark and im filled with TCP Retransmissions, TCP Dup ACK's.

On this server i have Two Connections(Nics), Eth 3 and Eth 4.

Eth 3 is bound to the Website and Eth 4 is bound to our Playground/Dev version of the site. On the AWS site they are within the Same VPC

Edit: After some testing i added another NIC too the server too attach to the DEV Environment to hopefully control network congestion Or even Turning that "Site" off from IIS manager and that was not the issue

Any help/tips are appreciated



[Cisco 3020] Does a port need to be connected to show trunk?

Configuring some ports on a Cisco 3020 ahead of a migration, so nothing is connected yet, but it’s showing the default VLAN instead of TRUNK when running sh int status. Mode is not set to access. I don’t work on this legacy gear too often, so not sure if it’s hardware specific that there needs to be an active connection for it to actually start trunking. Thanks in advance



Mesh AP/Wireless Bridge RF Power

Hi,

We've got a pair of Cisco 1540D series outdoor mesh access points forming a point to point wireless connection between two buildings.

Today, one of our facilities contractors raised concerns about the radio frequency and said that the APs on the roof should have a 1m exclusion zone around them etc. I think they believe someone is going to get fried if they step in front of it.

I always believed the power of these things to be minimal and have never been concerned from a health and safety perspective. They're powered from PoE and I don't imagine they're any more dangerous than the normal Cisco wireless APs dotted around the campus.

Can someone give me any tips on how to respond to this?



ISP faster than what modem supports leading to timeout issues?

I have a dual router/modem that supports 300 Mbps; recently I upgraded to 800 Mbps with my ISP because it was the cheapest option. I’ve been experiencing timeouts regularly (3x per day) and was wondering if the issue lies in my supported speed or something else? I’ve already had a tech come out and replace some cables (they found water in one) but still experience issues. Open to any options like - buy a separate router and modem, reduce ISP speed, etc. I am no expert, but this seemed like the right group to ask.



Building a network

In the process of building a “pretend” network so that I can have hands-on experience getting it up and running.

So I want to have a plan on bringing the network online. This business will have different sections. For this task I’ve divided it up by managers, Human Resources, and finance. What would be the best way to configure network switches, subnetting strategies, and different routing tables? Cost wouldn’t be an issue.



Full BGP Table Router Suggestions

Does anybody have suggestions for an internet edge router capable of handling full IPv4 and IPv6 BGP tables and also with at least a couple 10G ports (some 40G ports would be even better)?

Whitebox/Open-Source is totally an option (preferred even) and I also don't mind older [pre-owned] gear. Cost is a concern.

I've been looking at ASR1001-X's with licensed 10G ports. Those look to be around $7k/ea. Also been considering using VyOS on bare metal, but I'm worried about data-plane forwarding capacity. I've seen stories about people using VyOS for route-reflection with full tables, but not for actual packet-forwarding.

Any suggestions or even critiques of my ideas are appreciated.



Tech Janitor Inherits mess, Send Help?

Hello all, I very recently got a job as the IT guy for a smallish company. They recently needed to expand into a second building in the complex, and now their satellite office is connected to the primary office's network via a chain of Ethernet cables and switches, which at one point exits and spans a field.

I am looking to use the fiber internet line from the satellite office to build a site-to-site VPN with OpenVPN.

I am at a bit of a loss, however. The boss wants to use the fiber and doesn't want to be strung out across the field; I am trying to go for reliability and cost-effectiveness. At the moment the best solution to this mess is either:

-Ubiquiti UDM pro and AP in the primary office, Edgerouter and ubiquiti AP in the satellite.

-Ubiquiti Edgerouters on both ends and some other APs.

I believe I understand how to configure the openVPN but I am struggling to find the best configuration of hardware to restore order to the mess I have found came with the job.

TIA.



Automatically Trace Switchport

Hi All,

I've been having to manually trace IP addresses to switchports a lot lately and am starting to get fed up with doing it manually. Is there a tool that can automatically do it? I have a big list of IPs to trace.
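Whatever tool ends up doing this, the core of it is one join: the gateway's ARP table gives IP to MAC, each switch's MAC address table gives MAC to port, and a port carrying many MACs is an uplink that the trace has to follow to the next switch. The same lookup is what you need when locating a host to isolate it during an incident. This is an added example in Python, not a tool mentioned in the post; the `show ip arp` and `show mac address-table` text is constructed sample output, and in practice it would come from SNMP or an SSH session to the devices.

```python
import re
from collections import defaultdict

# Constructed sample output, not captured from a real network: the ARP table
# of the VLAN 20 gateway and the MAC address table of one access switch.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.1               -   00aa.bbcc.dd01  ARPA   Vlan20
Internet  10.1.20.11             12   0011.2233.4455  ARPA   Vlan20
Internet  10.1.20.12              3   0011.2233.4466  ARPA   Vlan20
Internet  10.1.20.13              8   0011.2233.4477  ARPA   Vlan20
Internet  10.1.20.99              0   0011.2233.9999  ARPA   Vlan20
"""

SHOW_MAC_ADDRESS_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4455    DYNAMIC     Gi1/0/5
  20    0011.2233.4466    DYNAMIC     Gi1/0/7
  20    0011.2233.9999    DYNAMIC     Gi1/0/48
  20    0011.2233.abcd    DYNAMIC     Gi1/0/48
  20    00aa.bbcc.dd01    DYNAMIC     Gi1/0/48
Total Mac Addresses for this criterion: 5
"""

ARP_LINE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.M)
MAC_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.M)


def parse_arp(text):
    """IP -> MAC from 'show ip arp' on the L3 gateway."""
    return {ip: mac.lower() for ip, mac in ARP_LINE.findall(text)}


def parse_mac_table(text):
    """MAC -> port and port -> [MACs] from 'show mac address-table' on a switch."""
    mac_to_port, port_macs = {}, defaultdict(list)
    for _vlan, mac, port in MAC_LINE.findall(text):
        mac_to_port[mac.lower()] = port
        port_macs[port].append(mac.lower())
    return mac_to_port, port_macs


def trace_ips(ips, arp_text=SHOW_IP_ARP, mac_text=SHOW_MAC_ADDRESS_TABLE, uplink_threshold=2):
    """Map each IP to the switchport it hangs off.

    A port that carries more MACs than `uplink_threshold` is treated as an
    uplink (or a port with a downstream switch): the host is behind it, not
    directly on it, so the trace must continue on the next switch's table.
    """
    arp = parse_arp(arp_text)
    mac_to_port, port_macs = parse_mac_table(mac_text)
    results = {}
    for ip in ips:
        mac = arp.get(ip)
        if mac is None:
            results[ip] = {"mac": None, "port": None,
                           "status": "no ARP entry (host silent or wrong gateway)"}
            continue
        port = mac_to_port.get(mac)
        if port is None:
            results[ip] = {"mac": mac, "port": None,
                           "status": "MAC not in this switch's table"}
        elif len(port_macs[port]) > uplink_threshold:
            results[ip] = {"mac": mac, "port": port,
                           "status": "behind uplink, continue on next switch"}
        else:
            results[ip] = {"mac": mac, "port": port, "status": "edge port"}
    return results


if __name__ == "__main__":
    for ip, r in trace_ips(["10.1.20.11", "10.1.20.13", "10.1.20.99", "10.1.20.50"]).items():
        print(f"{ip:<12} {r['mac'] or '-':<15} {r['port'] or '-':<9} {r['status']}")
```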



Only accept/announce RFC 1918 IPs on BGP peering? Routing policy?

Hi, we are using Juniper as the PE router and Cisco as the CE router. The issue is that I'm able to see the routes on the PE (Juniper), and from the "advertising-protocol bgp" output I can see that prefixes (e.g. 222.1.1.x) are being advertised, but when I check on the CE router there is nothing related to 222.1.1.x; I am seeing only routes related to RFC 1918 (10.x.x.x, 172.x.x.x, 192.168.x.x).

We are not using any filtering on the CE, and as far as I can see on the PE there is not much filtering applied on the peering.

Is it possible that a global policy kicks in somewhere (PE or CE)? And does the output from "advertising-protocol bgp" actually show the prefixes being advertised to the peer (CE)?

a. CE

    CE#sh ip route 10.254.78.96         <- Working
    Routing entry for 10.254.78.96/27
      Known via "bgp 100", distance 20, metric 0
      * 1.1.1.1, from 1.1.1.1, 7w0d ago
          Route metric is 0, traffic share count is 1
          AS Hops 3
          Route tag 65000
          MPLS label: none

    CE#sh ip route 222.1.1.0            <- ISSUE - NOT VISIBLE
    % Network not in table
    CE#sh ip bgp 222.1.1.0
    % Network not in table
    CE#sh ip bgp | i 222.1.

    router bgp 100
     neighbor 1.1.1.1 remote-as 500
     neighbor 1.1.1.1 password xxxxxx

b. PE (JUNIPER)

    PE> show route advertising-protocol bgp 1.1.1.2 | match 331.
    * 10.254.78.96/27    Self    802 331 ?
    * 222.1.1.0/28       Self    802 331 ?

    set routing-instances vrf-CUST protocols bgp group vrf-CUST_IPv4_1 type external
    set routing-instances vrf-CUST protocols bgp group vrf-CUST_IPv4_1 export red:BGP-STATIC
    set routing-instances vrf-CUST protocols bgp group vrf-CUST_IPv4_1 multipath
    set routing-instances vrf-CUST protocols bgp group vrf-CUST_IPv4_1 neighbor 1.1.1.2 minimum-hold-time 8
    set routing-instances vrf-CUST protocols bgp group vrf-CUST_IPv4_1 neighbor 1.1.1.2 passive
    set routing-instances vrf-CUST protocols bgp group vrf-CUST_IPv4_1 neighbor 1.1.1.2 import deny-as-500
    set routing-instances vrf-CUST protocols bgp group vrf-CUST_IPv4_1 neighbor 1.1.1.2 family inet unicast prefix-limit maximum 5000
    set routing-instances vrf-CUST protocols bgp group vrf-CUST_IPv4_1 neighbor 1.1.1.2 family inet unicast prefix-limit teardown 90
    set routing-instances vrf-CUST protocols bgp group vrf-CUST_IPv4_1 neighbor 1.1.1.2 authentication-key xxxxxx
    set routing-instances vrf-CUST protocols bgp group vrf-CUST_IPv4_1 neighbor 1.1.1.2 export red:BGP-STATIC
    set routing-instances vrf-CUST protocols bgp group vrf-CUST_IPv4_1 neighbor 1.1.1.2 peer-as 100
    set routing-instances vrf-CUST protocols bgp group vrf-CUST_IPv4_1 neighbor 1.1.1.2 disable-4byte-as
    set routing-instances vrf-CUST protocols bgp group vrf-CUST_IPv4_1 neighbor 1.1.1.2 as-override


Design advice for 802.1x authentication on wired ports

Goal: Looking to set up 802.1x authentication on the wired network. Granting full access to authenticated machines and users is simple enough to configure, but we need to decide how we will limit access for non-authenticated machines and users.

Topology: Two PAN 5050s in HA, two Nexus 7706 core routers with 3 VDCs (datacenter, admin, residential), and 20 administrative buildings we are looking to deploy to. The administrative buildings are set up in a three-tier hierarchy of core, distribution, and access, with distribution being within the buildings themselves.

Scenario: When a user fails authentication, we will segregate their network traffic via...

Options:

1) Trunked VLAN's all the way back to our firewall which has zoning capability. We already have a guest zone in place for our wireless users, so any new subnets trunked to the firewall for "guest" (or in this case, unauthenticated) users will just be placed into that zone. It goes against every principle we've learned in networking to plumb layer 2 from the edge through the core and up to our firewall, but visibility into the network has tremendous value.

2) Set up VLAN's in each building with access control lists at the SVI level. All visibility is lost, but the L2 domains are restricted to each building.

Thank you for the time in reading this, much appreciated



How far off is consumer implementation for 40/100 gb LAN?

I recently set up my LAN as 10 GbE. From what I can tell 40 GbE is more for server-to-server infrastructure and 100 GbE is Internet backbone stuff.

In your opinion, when will I be able to order a 40 GbE switch? A 40 Gb NIC? Cat 8.2 can handle 40 Gb/s so we're headed there!



'netsh winsock reset'. Need help with an issue that might have occurred after I ran this command.

I ran the command 'netsh winsock reset' to properly install Windows Subsystem for Linux (WSL) on my Windows 10 laptop. Now a particular website, the NetScaler Gateway for Citrix, isn't working. Not sure if it is because of this command or not, but if anyone knows what this command does please let me know. If possible, I would like to revert the effects of this command and try connecting to the Citrix website again.



Help with accessing a server via SSH within a university network

Sorry for the long post!

TLDR: How to access a server via SSH from a PC connected to a different router, but both are within a university network, without getting help from the IT team?

(Note: The PCs and the server are properties of the lab, so we are not hacking or doing something illegal)

A rough representation of the network: https://postimg.cc/LhVm6vZB

Hi everyone,

I hope my question comes under enterprise networking as it concerns a university.

A little backstory:

I work in a university lab and our internet is provided by our uni. So the IT team of the uni controls which PCs and routers can be in the network.

Little over a decade ago, much before I joined the lab, my boss bought a server for backing up data from PCs used in experiments (Setup PCs 1-3). There are also some legacy scripts in them which connect to the server via SSH to access data from it for analysis. The Setup PCs are connected to separate routers.

Everything was running fine until our uni's IT team recently decided to take the server off the network and forced us to use other network drives. They said that the OS has to be updated, I did that, then they added that the server was out of warranty, and did not cooperate with us further.

My boss is understandably upset because he wants to run some old scripts that use the server, but he cannot do so. He spent thousands of euros to get the server exclusively for our lab, and now when he is about to retire, they are asking him to switch to a new system. Apart from the time spent on setting up the drives and changing the scripts, there is also additional cost for the network drives, which further strains our limited budget. Moreover, I don't see a need to update our server for our purposes. So I was looking for alternative solutions and I put the server behind the router that we use for Setup PCs. I want it to be accessible from other PCs within the uni network, but since the people in our lab and I are not familiar with networking protocols, we ran into a few problems.

Problems:

  • (refer to the image) We can access the server via SSH on the Setup PCs 1 and 2 which are connected to the same router, but we want to access it via the PC 3 on a different floor. We couldn't find out the correct (public) IP for the server because the public IP displayed is that of the uni's main router (or hub? sorry, I don't know the correct terminology).
  • I found that port forwarding can be used in the routers to direct SSH requests to the server. But since the routers we use are within the uni network and since we don't have access to the main router of the uni, I am not sure if we can actually do SSH tunneling.
  • I tried OpenVPN to make it seem like the PC 3 is in the same router as the server, but the same public IP problem persists, and so the PC 3 couldn't connect to the VPN service running on the server.

Could someone please guide me on how to solve this? Or even if you could suggest some resources that would help me understand the problem better, it would be much appreciated.

Please let me know if I should clarify something. Thanks in advance!



Cisco 2960X Landing Some Recently Updated PCs in Native VLAN When Passing or Failing Dot1x - WHY?

I have a deployment of about 150 Cisco 2960X's that have dot1x authentication running on them back to a cluster of Windows NPS servers.

This works flawlessly 99% of the time. Anytime we have Windows updates however, I will get 5-10 PCs out of about 2000 that will come back up and pass or fail dot1x but then instead of being placed in the appropriate VLAN, it will be dumped into VLAN 1 which isn't configured on the port anywhere.

We have updated the IOS on some of the switches. We tried rebooting the affected PC as well as unplugging the cable to the switch and plugging it back in, but it will keep coming back and either pass or fail dot1x and land in VLAN 1.

There is nothing in my NPS server logs to indicate anything went wrong.

The only way I can get the switch to assign it to the proper VLAN based on whether it passed or failed dot1x is to default the interface and reconfigure it.

Below is an example of the configuration that exists on essentially every one of these 2960X ports. In some situations the access VLAN that is used when it passes dot1x is not 20, but otherwise it is identical.

    switchport access vlan 20
    switchport mode access
    switchport voice vlan 30
    srr-queue bandwidth share 1 30 35 5
    priority-queue out
    no cdp enable
    authentication control-direction in
    authentication event fail action authorize vlan 40
    authentication event server dead action authorize vlan 20
    authentication event server dead action authorize voice
    authentication event no-response action authorize vlan 40
    authentication host-mode multi-domain
    authentication priority dot1x mab
    authentication port-control auto
    authentication violation replace
    mab
    mls qos trust dscp
    dot1x pae authenticator
    dot1x timeout tx-period 3
    auto qos trust dscp
    spanning-tree portfast edge

Thanks in advance.



Question about Palo Alto Dynamic External Lists?

Hi everyone,

First time posting here and I am far from a networking expert let alone on the PAs. But I am assisting our network admin with a small project. We would like to set up some automation to gather a list in a txt file of domain joined hosts that utilize SMB traffic and create a Dynamic External List the PAs can use going forward.

Now knowing very little about the procedure our network admin had mentioned to me that we could set up a web server to host the txt file. I'll be generating the file on a weekly basis with some simple PowerShell script.

However, my question is this...

I think it sounds pretty silly that we would need to set up a static web server running IIS, for example, all for the purpose of hosting one text file. So I suggested: is it possible that we could host the TXT file on, say, an S3 bucket and allow the PAs to grab the TXT from there? Is that possible?



SONiC NOS - GNS3

Has anyone deployed SONiC NOS on GNS3 before and had success working with simple configurations (i.e. L2 VLAN)?

I was able to get it deployed. All I want to do is configure a simple L2 network on a specific VLAN with two interfaces, connect two VPCS, and have them ping each other.

Followed these instructions with no success.

If I do a tcpdump on each interface in SONiC I can see arp who-has packets, but it does not look like the interfaces are set up properly in GNS3.

By default, in GNS3, there are 8 interfaces configured, all e1000. If I run ip -br addr show in SONiC I can see eth0-eth8, which show up or down depending on whether devices are connected to them. There are 48 other "Ethernet" interfaces which SONiC seems to work with directly. All show "UNKNOWN".

I think SONiC is not working with the correct interfaces :( Does anyone have notes on how the interfaces should be configured in GNS3?



ST Fiber

I had a company come in to update some of our wiring. We have a few hundred fiber connections in the building that they are going to work on next. They want to take the network down for over a week to rewire. Most of that time is replacing fiber ends. All of our fiber has ST ends on it right now; they are wanting to change that, stating that we are going to have a hard time finding ST in the near future, and claiming that it will help our bandwidth. They also want us to change everything over to our SM strands instead of our MM strands, claiming that will help bandwidth. They want us to abandon our MM and only use SM, which they are going to re-terminate. To my knowledge the only reasons to choose between SM and MM are distance and cost; bandwidth should be the same. I cannot think of any reason that changing the fiber ends would help with bandwidth either. Sounds to me like they are trying to pull one over on us.



Campus bridge recommendation

Wondered if anyone has any recommendation of products that can be used in the UK for doing line-of-sight bridging up to 500m to temporarily backhaul ethernet to small-ish buildings but looking for 250Mbps or greater due to the application we need it for. Ideally, I'm looking for something that is fairly idiot-proof in terms of alignment and sold/configured in pairs for bridging. If they do encryption and one end can be powered by PoE, that would be a bonus.

Weirdly, I'm not finding much out there on Google and wonder if most microwave stuff falls into licenced bands and is for multi-km type reach, so asking r/networking for advice. Thanks.



Issues with DHCP snooping / DAI

Having some issues with snooping and DAI. We run a collapsed core type setup with all Cisco equipment. We have had both snooping and DAI set up on our access switches for some time now with no issues at all. Recently we decided to implement it on our core switch, just to satisfy security requirements that we have been avoiding for a while now. We do have access ports on the core, which I know isn't always normal, but this is why we are implementing it. Anyway, here are the commands I put in.

    ip dhcp snooping
    ip dhcp snooping vlan 100,101
    ip dhcp snooping trust                  (on all trunks and servers)
    no ip dhcp snooping information option
    ip arp inspection vlan 100,101
    ip arp inspection trust                 (on all trunks and servers)

When I first implemented this, everything worked, no issues at all. After a few days, we started having issues with vlan 101. This vlan is mostly thin clients that do PXE booting. The thin clients started to not pull images or even connect to the DHCP server to pull an IP address. Then not long after, the hard boxes started losing connection as well. I then took off DAI and snooping just for that vlan and everything started working fine.

Yesterday, vlan 100 started having issues. This vlan is more of a byod network. We just connect laptops and Microsoft surface pros to it. Some devices yesterday started losing connection, mostly devices going directly to the core. Then this morning, even more devices started having issues, including devices that get connection from the access layer switches. Took off snooping and DAI and everything started working fine.

I want to stress too that everything was working fine for days, and then slowly things stopped working.

One more detail to note, we do have a DHCP relay going to the DHCP server. This is done with our ASA via a router on a stick setup with intervlan routing. The ASA sits right above the Core switch and is connected over port channel with five 1gb links. This port channel is configured as a trusted port for both dhcp snooping and DAI.

So a few questions...

1.) The devices going straight to the core are connected with a media converter (fiber to Cat5/6). Would these cause any issues? From my understanding media converters do not have any type of MAC to identify them, so I wouldn't think they would cause issues with any settings on the switch.

2.) Is there anything that needs to be done on the actual DHCP server to make things work correctly? The DHCP server is just a service running on Windows server in our data center, which is managed by our sysadmins.

3.) Are there any other commands I need to run? I used the same commands I have on the access switches, which have had no issues since setup.
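To make the failure modes in this post concrete, here is a small Python model of what the commands above turn on (an added example, not the poster's configuration or Cisco code; ports, MACs and addresses are constructed). DHCP snooping builds a binding table only from DHCP exchanges the switch actually sees and blocks server messages on untrusted ports; DAI then drops any ARP on an untrusted port that does not match a binding or a static ARP ACL entry. The scenario shows the two ways a legitimate host ends up dropped: it never did DHCP through this switch (static address, or a lease obtained before snooping was enabled), or its binding aged out without the switch seeing a renewal.

```python
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # messages only a DHCP server should send


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    expires_at: int   # simulated clock, seconds


class SnoopingDaiSwitch:
    """Minimal model of DHCP snooping + DAI on one switch (added example, not IOS)."""

    def __init__(self, trusted_ports, protected_vlans):
        self.trusted = set(trusted_ports)     # 'ip dhcp snooping trust' / 'ip arp inspection trust'
        self.vlans = set(protected_vlans)     # 'ip dhcp snooping vlan' / 'ip arp inspection vlan'
        self.bindings = {}   # (vlan, mac) -> Binding, learned from DHCP ACKs
        self.pending = {}    # (vlan, mac) -> client port, from DISCOVER/REQUEST
        self.arp_acl = {}    # (vlan, mac) -> ip, static permits for non-DHCP hosts
        self.events = []

    def _expire(self, now):
        for key, b in list(self.bindings.items()):
            if b.expires_at <= now:
                del self.bindings[key]
                self.events.append(f"binding expired {b.ip}/{b.mac} on {b.port}")

    def dhcp(self, msg, port, vlan, client_mac, now, yiaddr=None, lease=0):
        """A DHCP message seen on `port`; returns 'forward' or 'drop'."""
        if vlan not in self.vlans:
            return "forward"
        if msg in SERVER_MSGS and port not in self.trusted:
            self.events.append(f"{msg} from untrusted {port} dropped (rogue DHCP server)")
            return "drop"
        if msg in ("DISCOVER", "REQUEST") and port not in self.trusted:
            self.pending[(vlan, client_mac)] = port          # remember where the client is
        elif msg == "ACK" and (vlan, client_mac) in self.pending:
            cport = self.pending.pop((vlan, client_mac))
            self.bindings[(vlan, client_mac)] = Binding(client_mac, yiaddr, vlan, cport, now + lease)
        elif msg == "RELEASE":
            self.bindings.pop((vlan, client_mac), None)
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip, now):
        """An ARP packet seen on `port`; DAI decides 'forward' or 'drop'."""
        if vlan not in self.vlans or port in self.trusted:
            return "forward"                 # DAI only validates untrusted ports
        self._expire(now)
        if self.arp_acl.get((vlan, sender_mac)) == sender_ip:
            return "forward"                 # static entry for a host that never does DHCP
        b = self.bindings.get((vlan, sender_mac))
        if b and b.ip == sender_ip and b.port == port:
            return "forward"
        self.events.append(f"ARP {sender_ip}/{sender_mac} on {port} dropped: no matching binding")
        return "drop"


def run_scenario():
    """Walk one VLAN through the cases that matter; returns (results, event log)."""
    sw = SnoopingDaiSwitch(trusted_ports={"Po1", "Gi1/0/1"}, protected_vlans={100, 101})
    r = {}
    # 1. A DHCP server answering on an untrusted access port is blocked.
    r["rogue_offer"] = sw.dhcp("OFFER", "Gi1/0/20", 100, "00aa.0000.0001", now=0)
    # 2. Normal lease: request on the access port, ACK back via the trusted uplink.
    sw.dhcp("DISCOVER", "Gi1/0/10", 100, "0011.1111.1111", now=0)
    sw.dhcp("ACK", "Po1", 100, "0011.1111.1111", now=1, yiaddr="10.100.0.10", lease=3600)
    r["dhcp_host_arp"] = sw.arp("Gi1/0/10", 100, "0011.1111.1111", "10.100.0.10", now=5)
    # 3. Same host claiming the gateway's address: binding mismatch, dropped.
    r["spoofed_arp"] = sw.arp("Gi1/0/10", 100, "0011.1111.1111", "10.100.0.1", now=6)
    # 4. Static host that never did DHCP: no binding, so it goes dark until an ACL entry exists.
    r["static_host_before_acl"] = sw.arp("Gi1/0/11", 100, "0022.2222.2222", "10.100.0.50", now=7)
    sw.arp_acl[(100, "0022.2222.2222")] = "10.100.0.50"
    r["static_host_after_acl"] = sw.arp("Gi1/0/11", 100, "0022.2222.2222", "10.100.0.50", now=8)
    # 5. Trusted ports (trunks, server/relay uplinks) are never inspected.
    r["trusted_port_arp"] = sw.arp("Po1", 100, "0033.3333.3333", "10.100.0.254", now=9)
    # 6. Lease runs out with no renewal seen by this switch: binding gone, host dropped.
    r["after_lease_expiry"] = sw.arp("Gi1/0/10", 100, "0011.1111.1111", "10.100.0.10", now=3700)
    # 7. A renewal that passes through the switch re-creates the binding.
    sw.dhcp("REQUEST", "Gi1/0/10", 100, "0011.1111.1111", now=3701)
    sw.dhcp("ACK", "Po1", 100, "0011.1111.1111", now=3702, yiaddr="10.100.0.10", lease=3600)
    r["after_renewal"] = sw.arp("Gi1/0/10", 100, "0011.1111.1111", "10.100.0.10", now=3703)
    return r, sw.events


if __name__ == "__main__":
    results, events = run_scenario()
    for name, verdict in results.items():
        print(f"{name:<25} {verdict}")
    print("\n".join(events))
```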



Openstack Nodes, treat them as normal servers or extended network?

Hi,

From a network engineer’s point of view. I’m trying to learn Openstack and trying to build a learning environment for it.

Main question is, do we simply trunk all traffic down to the servers or make the servers run vxlan or let openstack do the config dynamically on the switches via ML2 or something? (how did you deploy yours in your DC?)

The other question is, can we use a simple 29xx switch just for a learning lab or do we need something with vxlan and ML2 like plugins? (i’m planning to run IRONIC on my GPU nodes for ML Proof of Concept)

If you have learning resources that properly explain this from a network engineer's perspective, please do share. Thanks in advance!



Monday, June 21, 2021

Copying config from legacy Arista routers/switches to replacement JunOS appliances?

Alright so I'll preface this by saying I'm no network engineer. I'm a systems engineer who dabbles in networking more than my colleagues.

Unfortunately, we're incredibly short staffed and our network engineers have recently been reduced to 0, with one guy still around who used to be a senior network engineer but is now in charge of his own project - so it's not his job and hasn't been for over a year. We're looking to hire network engineers but the process is slow. I'll re-iterate - I understand that a systems engineer can't just hop over and replace a network engineer without proper experience, I know this situation isn't ideal, but it's the one I've found myself in.

As I'm the closest thing we have right now I've been asked to perform this task, but I don't really know that much about actual appliance-based networking.

So.. The running-config of the Arista switches isn't super complex or anything. I guess I've just gotta figure out what their equivalents are on JunOS. I mean, I understand the concept of documentation because I'll dive into the docs with Ansible, Linux, Python, or whatever when I have to, but I guess I'm just looking for some advice, or even thoughts, from actual network engineers here. I've worked with network security appliances before so switch/router CLIs aren't a totally alien concept to me. NTP servers, SNMP, IP nameservers and domains, users, spanning tree (shudder), vlans and their associated interfaces, and the routing/mlag config.

I know nobody is going to be able to give me a step-by-step guide so generic advice on what resources to use or whether any guides for this kind of thing already exist is what I'm looking for. Any help, rants or other general thoughts are more than welcome. Feel free to tell me how fucked I am because I can appreciate the comic value of the situation as well.



#WiFiGATE

Hello, what do you think about certifications? Of course, If you hire a person who shows you different types of networking certs like CCNA it shows you that he somehow passed an exam.

But what about "Wi-Fi CERTIFIED"? Do you insist that your access points have to be certified? Do you trust the certification sheet? Really? What does it mean that a vendor received a certain certificate from the Wi-Fi Alliance? Did that access point pass any test checked by wi-fi.org people? Are there any tests at all? Postings like this make me think that Wi-Fi certifications turn out to be kind of worthless.



Should I run 802.1w if my entire topology is hub/spoke with no chance of an L2 loop?

Any benefits to running 802.1w on all my VLANs as an MSP? 90% of my traffic is north/south with the remaining 10% east/west, so I don't really have "unused" links as all my links are live via LACP.



Cisco SFP Question

Good evening folks, question for you:

Am I crazy, or does Cisco not have a 10G LC MM SFP that can also be adjusted to handle 1Gb/100Mb/etc.?

We have a large project at work that is fully 10G LC fiber; however, we want the capability to connect to 1Gb devices. All the connectors we have are Cisco 10G-SR-S, which are locked in at 10G and do not connect with slower 1Gb devices. If I pop in a 1Gb GBIC it works perfectly; hoping there is an SFP that can do it all.



Help, firewall forcepoint, anyone understand?

Could someone help me with the Forcepoint NGFW Security Management Center? I need to add a new firewall. I have 140 firewalls currently linked to the system, currently Forcepoint 100 series, and I must add 3 300 series firewalls to the system. The problem is that I cannot apply the old policies: there is communication and initial configuration, but it does not accept the previous policies. Does anyone have any idea how I could solve it?

LINK



Wireless bridge to outbuilding

I work at a small school with an outbuilding that currently has good Wifi coverage but would ideally also have ethernet to a few devices. We have Aruba IAP-205s throughout, so I'm looking at the 501 Wireless Bridge

Does this work?

Main Building > IAP-205 ->

OUT BUILDING ---> Aruba 501 Wireless Bridge -> 8-port Dumb POE Switch -> IP phones & desktop PCs

Cf. related post in r/k12sysadmin.



rConfig - possible to change device names?

Hey everyone!

We have repurposed and recycled a few IPs/devices in our network for new purposes. rConfig is still working and backing up the configs, but I'd like to change the display name of the device.

The GUI doesn't allow this, and I wanted to see if there's a way that this can be done in the config files directly?



Making the leap to Design/Engineering (looking for advice)

I'm currently at the crossroads. Been in the field about 6 years.

Currently in Operations where I am relied upon to identify/resolve complicated issues and implementations. I work closely with our engineering/design team as well and have the respect of pretty much the entire team.

Some positions are opening on that team and I'm basically a shoo-in and have been encouraged to apply, for what may be a 20% raise, but no overtime. It's still a significant increase over my gross income with OT. My current boss is also willing to give me a pay increase if I stay (no mention of what amount).

Most of the work I do now is enjoyable - including the stuff I work on with the Design team. I also enjoy troubleshooting when stuff gets really complicated. Some of the work is really not enjoyable, lots of weekend implementations in the DC or WAN Edge, cut-overs at small branch offices every Friday, on-call rotations, etc.

I'm sure people here have made similar moves (inter-company or not), I'm curious what it was like - if there were any challenges or things you did not expect afterwards.

Any advice would be very much appreciated.



Help with Configuring EdgeRouter Infinity to use NAT (while using BGP)

I currently have an EdgeRouter Infinity, and I am using two separate providers. In addition to this, I have my own IP range (given to me by ARIN). Right now, I am able to reach my EdgeRouter from both IPs given to me by my ISPs (each on a separate interface) and I am also successfully advertising my own IP range using BGP. This setup is working correctly and as expected. If one ISP goes down, my own IP range is still getting advertised through the second provider.

My issue is that I am now trying to create a LAN behind the EdgeRouter that should reach the internet with an external IP from my own range, not the IP given to me by my ISPs. The reason for this is redundancy. So, in the case that one provider goes down, the LAN will still be reaching the internet through my own IP range, which is getting advertised by my second ISP.

I have done a lot of research and testing including using support channels of Ubiquiti, most of which refer me to using sNAT rules and Policy Based Routing but I have not been able to get this set up to work correctly.

Has anyone had any experience with this type of setup? Or maybe knows how I can get this working? Any help is appreciated and I'd be happy to provide more info if needed. Thanks!



setting up multicast routing for allworx phone system paging

I have a client inquiring about getting paging for their Allworx system working between branches. As I expected, it's using multicast for paging.

I'll be honest, I just don't work with multicast routing much at all. In a situation like an Allworx phone system, do I need to set up sparse or dense mode? I'm just not familiar enough with multicast needs and when to use one vs the other. Since there are a number of phones at each location that would be listening, does this mean it's a dense mode application?

I'm pretty sure the client just has one system at their main branch with remote phones, but it's possible they have more than the one; I don't think they have a system at each location though.

If they are using carrier MPLS, or even Metro E, does either throw any sort of monkey wrench in setup? Or is the multicast router going to convert the traffic to unicast to the other routers before the multicast is sent out the local interface/VLAN that's listening?



Best practice / order of operations to change network ip scheme?

So I have been tasked with re-engineering a small MSP's network structure so we can have proper VLANs for VoIP, servers, hosts, etc.

The MSP has the HQ and a data center site connected via IPsec tunnel.

I've come up with a pretty simple plan for numerology with no overlap between sites for better clarity etc.

What should my order of operations for the changeover be?

Make remote side changes first, then local, and hope the connection comes up?

Make local side first, build a tunnel to the remote site, then change remote site, then destroy old/bad tunnel once I see new one come up?

I'm trying to plan this so I don't get backed into a corner and have to drive anywhere (the remote side should be available by its public IP anyway)....

Any advice or wisdom here? The sites are routed by Fortigate 200E