Saturday, July 17, 2021

Better firewalls for inbound traffic failover and 10GB LAN upgrade

Background: We have multiple Internet connections with failover configured on our Cisco ASAs that works well for outbound traffic. We also host services that must fail over (we use external DNS failover and other application-level failover mechanisms; BGP/ARIN is too much for us).

I was never able to get the inbound traffic to work with the NAT on the single ASA pair, so my current solution is using PBR on a crappy Dell N3048 layer 3 switch and another firewall that hosts the second ISP for incoming services. The application servers have multiple IPs, and they route out the correct firewall (NATed) using PBR. I really hate this setup because I hate the extra firewall (another point of failure), but it works well. I wish everything was terminated on a single set of HA firewalls, and we had a core switch that wasn't hot garbage. When I set this up it was my understanding that ASAs do not do PBR and they are NOT routers, so don't even ask!

So now it's 2021, and it's time for all new stuff (core switch and firewalls, going to upgrade to 10Gb). Can anyone make a recommendation of some products? I'm mainly a programmer, but I have to deal with this networking stuff when it comes up. I've been watching some Meraki videos, and I'm trying not to drink the Flavor Aid, but their stuff does look cool. I do love the reliability of the ASAs; I've been running them for 10 years and never had a single problem once I got them set up. This is a very HA environment and we buy 2 of everything, so reliability is king. I also like as few brands as possible. All our computing equipment is Dell. I would like all of our networking equipment to be a single vendor as well.

Our WAN links are 1Gb metro Ethernet. I may end up just hiring a firm to install a new network and take over management of it, but I'm trying to get a feel for the technology so I don't get taken for a ride.



Getting old

I wanted to change the local preference of prefixes with community 65535:1001.

route-map MYRM01 permit 10
 match community 65535:1001
 set local-preference 50

See what I did there? It's been a number of years since I did communities with BGP. Guess how many hours I was trying to troubleshoot this mother f888er.

I ask the new guy for help. He spots the error right away. All fixed.

I buy him a beer after we wrap up.

I'm just amazed. I mean, there was a time where I WAS THAT GUY. I'm getting old I guess, but it's nice to see the next generation picking up our slack.
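The mistake the post alludes to is that "match community" takes the name or number of a community-list, not a community value, so the literal 65535:1001 needs an "ip community-list standard <name> permit 65535:1001" line first and the route-map then references that name. The Python below is an added example, not the poster's configuration or any vendor code: a small evaluator for IOS-style community-lists and route-maps that flags the undefined list in the original stanza and shows the corrected one setting local-preference 50. The list name CL_1001, the catch-all sequence 20 and the communities fed in are assumptions made for the demo.

```python
"""Evaluate an IOS-style route-map that matches on BGP communities.

Added example, not the post's configuration: CL_1001, the sequence-20
catch-all and the communities below are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_LOCAL_PREF = 100  # what a route keeps when no set clause touches it
ClistLine = Tuple[str, Set[str]]  # (permit|deny, communities on that line)


def parse_config(text: str) -> Tuple[Dict[str, List[ClistLine]], Dict[str, List[dict]]]:
    """Parse 'ip community-list' lines and 'route-map' stanzas.

    Returns (community_lists, route_maps): name -> [(action, {community,...})]
    and name -> [entry, ...] sorted by sequence number.
    """
    clists: Dict[str, List[ClistLine]] = {}
    rmaps: Dict[str, List[dict]] = {}
    entry: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"ip community-list (?:standard |expanded )?(\S+) (permit|deny) (.+)$", line)
        if m:
            clists.setdefault(m.group(1), []).append((m.group(2), set(m.group(3).split())))
            entry = None
            continue
        m = re.match(r"route-map (\S+) (permit|deny) (\d+)$", line)
        if m:
            entry = {"seq": int(m.group(3)), "action": m.group(2),
                     "match": None, "exact": False, "set_lp": None}
            rmaps.setdefault(m.group(1), []).append(entry)
            continue
        if entry is None:
            continue
        m = re.match(r"match community (\S+)( exact-match)?$", line)
        if m:
            entry["match"], entry["exact"] = m.group(1), m.group(2) is not None
            continue
        m = re.match(r"set local-preference (\d+)$", line)
        if m:
            entry["set_lp"] = int(m.group(1))
    for entries in rmaps.values():
        entries.sort(key=lambda e: e["seq"])
    return clists, rmaps


def community_list_matches(clist: List[ClistLine], communities: Set[str], exact: bool) -> bool:
    """Standard list semantics: the first line whose communities are all carried by
    the route decides; a permit line is a match, a deny line is not."""
    for action, wanted in clist:
        hit = (communities == wanted) if exact else wanted.issubset(communities)
        if hit:
            return action == "permit"
    return False  # implicit deny at the end of the list


def undefined_community_lists(config: str, rmap_name: str) -> List[str]:
    """Names used by 'match community' that no 'ip community-list' defines.
    A bare value such as 65535:1001 lands here: the keyword wants a list, not a community."""
    clists, rmaps = parse_config(config)
    return [e["match"] for e in rmaps.get(rmap_name, [])
            if e["match"] is not None and e["match"] not in clists]


def local_pref_for(config: str, communities: Set[str], rmap_name: str) -> Optional[int]:
    """Run a route carrying these communities through the route-map; return the
    resulting local-preference, or None when the route-map denies the route."""
    missing = undefined_community_lists(config, rmap_name)
    if missing:
        raise ValueError(f"route-map {rmap_name} references undefined community-list(s): {missing}")
    clists, rmaps = parse_config(config)
    for e in rmaps.get(rmap_name, []):
        if e["match"] is not None and not community_list_matches(clists[e["match"]], communities, e["exact"]):
            continue  # this sequence does not match; try the next one
        if e["action"] == "deny":
            return None
        return e["set_lp"] if e["set_lp"] is not None else DEFAULT_LOCAL_PREF
    return None  # nothing matched: implicit deny at the end of the route-map


# Constructed configs: the first mirrors the post's stanza, the second is the working form.
BROKEN = """
route-map MYRM01 permit 10
 match community 65535:1001
 set local-preference 50
"""

FIXED = """
ip community-list standard CL_1001 permit 65535:1001
route-map MYRM01 permit 10
 match community CL_1001
 set local-preference 50
route-map MYRM01 permit 20
"""

if __name__ == "__main__":
    print(undefined_community_lists(BROKEN, "MYRM01"))                 # ['65535:1001']
    print(local_pref_for(FIXED, {"65535:1001", "65535:5"}, "MYRM01"))  # 50
    print(local_pref_for(FIXED, {"65535:2000"}, "MYRM01"))             # 100
```

The sequence-20 entry with no match clause is what keeps the other prefixes in the table; without it the route-map's implicit deny would drop everything that does not carry 65535:1001.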



Where to learn about peering types, internet exchanges, etc.. ?

I'm interested to learn as much as I can about BGP and peering on the Internet. I've learned how the BGP protocol works and is configured, but I don't have practical experience yet and there are many things I'm missing about how the economics work, what are the various types of peering that exists, how do internet exchanges work, etc...

I've found "The 2014 Internet Peering Playbook: Connecting to the Core of the Internet" by William B. Norton, which was a very interesting read that I can recommend; but it's a bit dated at this point and it also mostly covers the economics and doesn't cover many technical details such as how IXPs are usually set up or how configuration is agreed between peers, etc.

Is there some other resource/book/site that you would recommend as a read to learn more on this topic?

Thank you



Upgrading Network devices for small business - Advice?

Hello all,

I came into an admin position for a smaller business a couple of years back and since then it's been mostly upkeep. I upgraded our firewall to a SonicWALL, but everything else is pretty much what was there when implemented. What I'm wondering is, I'm looking for new devices and would like to stay uniform across the board if it's better. Right now there is a wide variety of devices within this business: a SonicWALL for the router and security, an old EOL Cisco switch that has to be gotten rid of, a couple of HP/Aruba 48-port PoE switches that will probably be good for a couple more years, and then small Cisco VPN routers that connect certain aspects of the network to other parts. There is also a UniFi Wi-Fi setup. I know it's all over the board.

The Cisco switch is going to be replaced very soon and before that happens I believe I will talk to the business about moving to one provider or something easier to keep up with. This business hosts around 50 users and 75 devices. I would like a system where I could easily create and manage VLANs. If there was some type of monitoring or dashboards built in that would be great but not required.

Does anyone have any suggestions on hardware? I've looked through Aruba and Cisco's sites but you know how that is. They have a switch / router for any scenario and I'm starting to get a headache looking at all of them.

Thanks!



More routable ports per a router?

Hello, I am a bit new to networking and I apologize for any mistakes

Currently I'm working on a school project: design a network that has at least 3 physical locations, and a few other non-relevant requirements (in Cisco Packet Tracer).

I have designed a partial mesh (aka controlled chaos) with some redundancy at key locations.

Now the issue I'm having is not having enough Ethernet ports. In Packet Tracer I can add a NIM-ES2-4 module that will give me 4 switch ports, but I would not be able to configure them for router-to-router communication (each building has its own router, and at 2 locations there are 4 routers).

I could use serial connections for router-to-router (building-to-building) communication, but as I understand it, serial is much slower than an Ethernet connection.

What would be the proper way to connect several routers together?

my original thought was "Oh I can just have a switch in the center that all the routers connect to" but I was told by my prof that this is impractical and did not elaborate on other potential methods.

Thank you,
Sincerely,

A Massive Noob



Meraki Layer 3 Roaming With A Concentrator

I have a small campus type of environment: a bunch of buildings connected with fiber, several hundred users, maybe 50-100 APs when we are done. We are looking at migrating to Meraki and have been doing a pilot program. The buildings are connected with Layer 3 connections to the other buildings, so each building has its own voice VLAN, data VLAN, etc.

One of the issues I have is that we have one "Staff LAN" SSID set up to authenticate users with RADIUS and place them on the appropriate subnet depending on which OU they are part of. There are three OUs of interest. I see that Meraki supports Layer 3 Roaming with A Concentrator. Apparently I would need to purchase a large enough concentrator to support multiple tunnels from each access point so that I can have the same subnet between any building for the proper OU. Has anyone used MX devices for this purpose? Did you find that there is a bottleneck within the MX device?

I'm trying to wrap my head around a different way of designing our network to meet the security requirements between the wireless subnets, but change at this scale won't come easily. Tunneling everything through an MX seems like a band-aid, especially because Meraki says that not many customers do this. We are currently using a Cisco WLC, which makes all of this easy... but we really like how much easier Meraki is to manage, especially on the guest Wi-Fi side of things.



Pricing circuit strategies

Does anyone here have experience or is responsible for ordering circuits from service providers? If so, could you share pricing strategies, discounts received, or general tips used when shopping around? Thanks in advance.



Lab env getting the full route table

One question that came up when I was in conversation with a teammate: I'm curious if we could simulate a router receiving the full routing table, without the lab router ever making a connection to our production routers.



Is it possible to create an *Ethernet* hotspot?

I know that it's possible to use an Ethernet connection to create a wifi hotspot.

What I'm trying to do is the opposite. I'd like to connect two machines together with an Ethernet cable and route traffic through one of the wifi cards.

I'm doing this because I have a computer that doesn't have its own wifi card yet, and I don't have an Ethernet socket nearby. Is it possible?



Where did Checkpoint go wrong vs PANW? (Non Tech)

I have worked in IT sales for a while now.

A common theme in firewalls is the preference for Fortinet (if low budget) or PANW (if high budget).

I see slower demand for Checkpoint; it's been over a year since I sold one. PANW or Fortinet, on the other hand, I keep getting inquiries and sales for.

Reps from PANW are always organizing meetings and pitching it to us, while Checkpoint staff has never contacted my team unless we bring a lead to them.

I notice that Checkpoint is one of the apex cyber security companies, but is it in a waning phase, like many legacy companies that started to bottleneck?

Anyone with experience evaluating performance of Checkpoint vs PANW or FTD?



DHCP issues only on one SSID and on one AP

APs: Unifi AC Pro. Unifi Switch: US-24 layer 2. Aruba Switch: 2930m layer 3. Unifi controller: VM on Windows server. DHCP server: Windows Server domain controller

Hey. We're experiencing an issue where devices connected to one particular VLAN/SSID can't get a DHCP IP and instead assign themselves APIPA 169.254 addresses. The strangest thing about this is it's seemingly isolated to only one AP in the business: when the same devices connect to the same SSID/VLAN on different APs in the building they get an IP via DHCP.

Even stranger and more confusing is that devices can SOMETIMES get an IP via the problem AP whilst connected to the problem VLAN; it's seemingly intermittent. At first I thought maybe the problem VLAN had been incorrectly configured on one of the switches between the AP and the DHCP server but, if this were the case, surely the issue wouldn't be intermittent?

I've checked the DHCP server, which is running on our Windows domain controller, and there aren't any errors, so it seems like the DHCP requests travelling via the problem AP whilst connected on the problem VLAN aren't even reaching the DHCP server.

I'm not even sure where to start looking from here as no one in the IT department has been at this company for more than 6 months and VERY little has been documented. It seems like the problem AP is able to handle traffic fine for the other VLANs/SSIDs, so other than it being poorly configured to channel 8 on the 2.4 GHz radio, the AP seems OK, and the DHCP server seems OK as it's able to dish out IPs error-free for every other VLAN and even for the problem VLAN so long as devices aren't connected to the problem AP.

Could it be that somehow the DHCP broadcast isn't being relayed between the VLANs on the switches? But if so why would it be intermittent?

If you need more information then please let me know!! I'm happy to elaborate on anything you need me to.



Friday, July 16, 2021

Secure HTTP and TCP tunnels that work anywhere

I thought the r/networking subreddit might be interested in this project I just found!

https://github.com/inlets/inlets-pro



Any good books/resources for Network Sales Engineers more geared towards business and less technical?

Hello fellow network people! I've recently taken my career towards the sales side and I'm looking for a good resource for a Sales Engineer. Most of the books from Cisco and other vendors do a good job on the technical execution of design, but seem to lack high-level business use cases. I need to learn what gear to use for certain situations, current business needs in the networking world, a general guide for upgrading older networks, comparing and contrasting different vendors and price points, and being cost-effective. Any help or guidance is much appreciated! Thanks.



Looking for new datacenter core router

I'm hunting for a new datacenter core router for a new PoP. Right now we'll only be handling two 10GE uplinks from tier-1s, and within a few weeks we'll be linking a 10GE local IX connection.

That being said, here's our minimum requirements:

  • 4x10GE ports
  • handle default routes
  • line-rate regardless of features enabled (within reason)

Some preferences sit around the BGP, namely we'd love to handle two full tables, but I'm doubtful we'll find anything within our budget. Management has crossed off an MX204 and a few other "nicer" routers.

I've contemplated setting up an Arista 7124 or 7050 to be the BGP "router" and then terminate it to other switches/nodes directly, but I believe that won't handle the full tables (which is somewhat of a shame).

All said, what would you recommend?



Best way to expose SSH service behind CGNAT?

I have a remote server running 24x7 which has a normal DSL connection over a router.

As a backup, I plugged in a Huawei LTE stick. Of course, the LTE connection is CGNAT, so I cannot open any services. What is the best and most reliable way to access my server in case the DSL connection is down that, if possible, does not need another server under my control?

The most basic options require another external server; then an SSH connection could be built to that server. Or an openvpn connection.

Another thing I thought of is a tor hidden service. But I'm not sure if this isn't overkill.

Any creative advice?



ASA to ASA - Simultaneous VPN possible? PBR & VTI

Hey there...

I have to move two ASAs with a policy-based tunnel to a VTI VPN link.

Can I stand up the VTI without breaking the PBR?

It "seems" like it should work... different connection methods and keys...

Traffic shouldn't move over until I add the routes.

But before I break something I thought I would ask.



Unmanaged 8 or 16 port gigabit switch with full POE+ power budget

Does anyone know of an unmanaged switch, 8 or 16 ports, that can do PoE+ across all the ports? As in, it has a power supply large enough to cover all the ports running PoE+ simultaneously.

Pretty much everything I find says PoE+ on all ports, but only has a power supply that can fully power about half the ports in the switch.



Question regarding Cisco 9410R and Quad Supervisor Installations w/ Stackwise Virtual

  • Cisco StackWise Virtual can be configured only on one supervisor module per chassis. You can install two supervisor modules in each chassis used in the Cisco StackWise Virtual solution. However, only one of the supervisor modules will be active; the other module will be powered off.

Wtf am I supposed to do with the completely powered-off supervisor modules? Have an identical backup config of the primary supervisor above it and have it cross-connected to the other supervisors? How would I even copy over a config to it?

I have experience setting up quad supervisors on Cat 6800s, but I have these two 9410Rs in front of me and when they say the supervisors are powered off, they literally don't register as a line card on any show commands.

These were purchased and I was asked to set these up in a stackwise virtual config, but it seems like two of these supervisors are about to be cold standbys in a box?



Aruba switch and vlan question

I'm new to the Aruba switch world, and am having a bit of an issue. We've got a TP-Link switch where I can define port 1/1, for example, with something like:

switchport general allowed vlan 10 tagged
switchport general allowed vlan 2 untagged
switchport PVID 2

I've tried to find something similar in the Aruba world, but after poring over a lot of documents/posts from people online, I haven't seen anyone trying to do something similar.

Does anyone know if it's possible? And if so, how? :)

Thanks



Private VLANs and non-private VLANs over same trunk ports?

We recently set up a DMZ vlan for any device that is not controlled directly by our company and only needs direct internet access. This was simple enough to do and it's working fine.

We would like to set up an additional layer of security between these devices by using private VLANs to separate devices from different vendors. Basically, each vendor's devices would live in their own private community VLAN, associated to the single primary DMZ VLAN, all with access to the internet but without being able to communicate with another vendor's devices.

I'm testing this in a lab setting right now and the issue I'm having is that I can get private vlan hosts on a switch to access the internet, and I can get non-private vlan hosts to access the internet, but not both at the same time.

Here's a simple diagram: https://i.ibb.co/YDskJXR/2021-07-16-14-52-43-Untitled-Diagram-drawio-diagrams-net.png

When the router-facing port is in trunk mode, host B can reach the internet. When the router-facing port is configured as a promiscuous port, host A can. But only one of the hosts can ever reach the internet at once.

Obviously this will cause problems in production because unless I can figure this out, enabling the DMZ hosts in their private vlans to reach the internet will cut off access for all other non-dmz devices.

What am I missing here?



Slow connection from home to work

Background:
- Work Internet: AT&T Fiber (Business) 250mbps synchronous
- Firewall: Fortigate 61E
- My Home internet: xFinity cable internet 800Mbps down / 25 Mbps up
- Speed test results: 532 / 42 Mbps

Some of my users are complaining that file transfer is slow when they transfer files from the work machine to the home machine via the VPN. I decided to test it out myself. I did a speed test with both Google and Speedtest.net and got a download/upload speed of roughly 500/42. So home internet is fast. I did an iperf test with the file server acting as the iperf server. The file server is behind the firewall. When I VPN into the network and do an iperf test with my home machine as the client, I get a speed of 38 Mbps. So I am thinking it could be the VPN. So I did the same test, except this time I configured the server so my home machine can connect to the file server without VPN, but it still goes through the firewall. I get a speed of 41 Mbps. OK, I am wondering if it's the firewall that could be causing the problem, so I set up a Windows 10 machine acting as an iperf server outside of my firewall (with a public IP address). Testing that against my home machine, I still only get a speed of 41 Mbps. I had another coworker run the same test. The results of all the tests are below (initials are the names of the users):

MN: xFinity 800/25, Speedtest results 532/42
home workstation to fileserver (with VPN) - 38 Mbps
home workstation to fileserver (no VPN but through firewall) - 41 Mbps
home workstation to work computer (no firewall, direct connect to the internet) - 41 Mbps

MW test: xFinity, Speedtest results 250/15
home workstation to fileserver (with VPN) - 17 Mbps
home workstation to fileserver (no VPN but through firewall) - 18 Mbps
home workstation to work computer (no firewall, direct connect to the internet) - 18 Mbps

EC test: AT&T fiber 800/800, Speedtest results 630/510
home workstation to fileserver (with VPN) - 52 Mbps
home workstation to fileserver (no VPN but through firewall) - 227 Mbps
home workstation to work computer (no firewall, direct connect to the internet) - 229 Mbps

First: for the connection from the home machine (MN), why am I not getting closer to 250 Mbps?

For the EC test, the transfer speed slowed down considerably when connected via VPN. I'm guessing that's possibly a VPN issue. I will work with the vendor on that. But I am still curious why I am not getting closer to 250 Mbps.



Dell 5212 VLAN Confusion!

So I've got a Dell 5212 switch.

Loaded some pre-made configs onto it. Trying to modify them a little and assign a few interfaces to Vlan 100.

Error: "Vlan 100 does not exist."

Do show run: interface Vlan 100 shows up. No shut.

Do show vlan: the other VLANs that were loaded are on there. VLAN 100 is not.

No int Vlan 100: this VLAN does not exist. Yet it still shows up in the running config.



New Network Engineer troubleshooting laptop wireless connection

I'm the new Network Engineer for my company and I've got some decent networking skills, but my skillset is on the AD/server/storage/virtual infrastructure side of things.

We've got a specific Windows 10 laptop that has issues connecting to our wireless network, but eventually after enough attempts the laptop will connect (about 10 minutes). There may be a few laptops that have this issue, but for the huge majority no one has issues connecting.

Here is our setup:

WLC - Cisco 3504

NPS - Server 2008 R2 running RADIUS

AP's - mix of Cisco AIR-AP2802I-B-K9 and AIR-CAP3602E-A-K9

WLC RADIUS config

Error - AAA Authentication Failure for Client MAC: xx:xx:xx:xx:xx:xx UserName:host/HOSTNAME.FQDN User Type: WLAN USER Reason: Authentication failed



Is a site to site pass-through possible?

Say I have 50 networks with a site to site connection with our datacenter network.

I want to spin up a VM in Azure but instead of creating 50 site to site tunnels from each location to the Azure network. Is it possible to create one from the datacenter to Azure and then route all the networks to communicate to the Azure network through the datacenter tunnel?



Problem : Connection bad between myself and 1 specific person.

Our problem is that me and this one specific person have a horrible connection with each other. But only with each other. We always need a third person to host any type of peer-to-peer game/event. Our internet is smooth and great. Both on cable. If I host for friends, they have no issues. If he joins, he has a horrible time. If he hosts for our friends, they are fine as well. If I join, then I have a horrible time.

We also tried pinging each other on Hamachi. The ms went from 16 up to 800+, while our friends have 16-20 to both of us. Any game that we play, we always need a third person to host for us. We have no clue what to do, or what to try. Any suggestions would be amazing.

We have tried so many things, our ISP also gave up.
Things we have tried :
Resetting router/modem.
replacing router/modem.
Fresh install of windows.

On other devices we have no issues with each other.

So any tips or tricks or things we can test would be awesome.



7 Free Ways to Grow Your Business

Not everyone has thousands of dollars to put into growing an online business. There is a lot you can do without spending lots of money, but you will still be spending to get started.



ACL on SVI filtering traffic to the default gateway?

Sorry if this is a dumb question, but this isn't making much sense to me. Essentially I have an ACL applied to a server VLAN on a layer 3 Cisco switch. The ACL seems to be working as expected for the most part. Traffic to/from the permitted items works, and everything else is denied. The only issue, however, is that the servers can't ping the SVI default gateway. To me logic would dictate that all the servers should be able to ping the GW since it's all within the same subnet, and therefore shouldn't be hitting the ACL for that traffic; however, if I remove the ACL there is no issue. Can somebody explain this to me?

Here's an example config:

ip access-list Servers_in
 permit ip any host 10.1.1.10
ip access-list Servers_out
 permit ip host 10.1.1.10 any
interface Vlan120
 ip address 10.120.2.1 255.255.255.0
 ip access-group Servers_in in
 ip access-group Servers_out out
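Why the servers cannot ping their gateway: an ACL applied with "ip access-group ... in" on an SVI is evaluated for every packet the VLAN sends to the switch, including packets addressed to the SVI's own 10.120.2.1, and Servers_in only permits traffic to 10.1.1.10, so an echo request to the gateway falls through to the implicit deny at the end of the list. Servers_out is not the cause, because outbound ACLs never filter packets the switch itself generates, and traffic between two servers inside VLAN 120 is bridged, so a router ACL never sees it either. The Python below is an added example, not the poster's switch configuration or vendor code: it replays the post's Servers_in against packets from a constructed host 10.120.2.50 and shows that an added line "permit icmp any host 10.120.2.1" (an assumed fix, not from the post) lets the ping through while everything else to the gateway stays blocked.

```python
"""Replay an IOS-style inbound ACL against packets a VLAN host sends to its SVI.

Added example, not the post's switch: the parser handles 'any', 'host A.B.C.D' and
'A.B.C.D wildcard' addresses; the host 10.120.2.50 and the gateway permit line are
constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    action: str  # permit | deny
    proto: str   # ip | icmp | tcp | udp
    src: Net
    dst: Net


def _parse_addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return Net(f"{tokens[i + 1]}/32"), i + 2
    # ipaddress accepts an (address, hostmask) tuple, which is exactly an IOS wildcard mask
    return Net((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Collect the ACEs of one named ACL; header, remark and blank lines are skipped."""
    aces = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(t, 2)
        dst, _ = _parse_addr(t, i)
        aces.append(Ace(t[0], t[1], src, dst))
    return aces


def acl_permits(aces: List[Ace], proto: str, src: str, dst: str) -> bool:
    """First matching ACE wins; an 'ip' ACE matches every protocol; no match means deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False  # the implicit 'deny ip any any' every IOS ACL ends with


def svi_inbound_verdict(acl_text: str, svi_ip: str, src: str, dst: str, proto: str = "icmp") -> str:
    """Fate of a packet from a VLAN host once it reaches an SVI with this ACL applied 'in'.

    The inbound ACL is evaluated on every packet the VLAN hands to the switch, so a
    packet addressed to the SVI itself is filtered before the switch ever answers it.
    """
    if not acl_permits(parse_acl(acl_text), proto, src, dst):
        return "denied"
    return "to-switch" if dst == svi_ip else "routed"


# Constructed ACL text: the first is the post's Servers_in, the second adds a gateway line.
SERVERS_IN = """ip access-list Servers_in
 permit ip any host 10.1.1.10
"""
SERVERS_IN_FIXED = SERVERS_IN + " permit icmp any host 10.120.2.1\n"

if __name__ == "__main__":
    gw, host = "10.120.2.1", "10.120.2.50"
    print(svi_inbound_verdict(SERVERS_IN, gw, host, "10.1.1.10"))       # routed
    print(svi_inbound_verdict(SERVERS_IN, gw, host, gw))                # denied
    print(svi_inbound_verdict(SERVERS_IN_FIXED, gw, host, gw))          # to-switch
    print(svi_inbound_verdict(SERVERS_IN_FIXED, gw, host, gw, "tcp"))   # denied
```

Permitting only ICMP to the gateway keeps the original intent of the ACL: management protocols such as SSH or SNMP to 10.120.2.1 from the server VLAN remain denied, which is the check to run before loosening the line any further.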



Submarine Cable Maps 2013-2021

Hi,

Each year TeleGeography makes some awesome submarine cable maps. They've been doing this for some time now, and the versions for the years 2013 through 2021 are available here;

They used to be interactive (i.e. you could zoom/pan the entire map), but since 2020 that is no longer possible (as far as I know). They have JPEG-versions available for download in somewhat OK resolution. However, they still seem to use the same system to generate the spinning globe and some other aspects of the website, which makes us able to stitch together maps. Fortunately, the 16K version was available for both 2020 and 2021.

During the last few years, I've stitched these together as high-resolution pictures (.png). The initial method was provided by /u/mcgroarty (thanks!). They are listed below in cut versions (letterboxes at top and bottom removed), but uncut versions are also available at the bottom.

My personal favourite is (still) the 2015-version, which I made a custom version of with some minor edits to be better suited for print; I removed the year ("2015") so that it won't be "obsolete", and also made the "sponsored by" logo less intrusive (made it greyscale + removed the ®).

The 2020-version is a close call to the 2015, but I still think the 2015-version is cooler to have on the wall (more "old map"-feeling imho).

Uncut versions;



How to tunnel a nmap scan through node and ssh?

So I want to do a sort of asset discovery of local and remote locations using ssh tunnels. Want a frontend so I’m using node. Is it possible?



Dev has moved their SQL databases to Azure and now "it's slow". How have you explained the impact of latency on hybrid solutions?

Specifically, their apps are on prem and their SQL databases are now in Azure, and now their work is 20-30x slower. I'm trying to explain, unfruitfully, that increased latency will directly affect their transaction times: if you do 1000 transactions at 1ms that's 1 second, but now it's 30ms so it's going to take 30 seconds. If you have a resource that explains this simply please share. I've already provided articles explaining how latency hurts some hybrid cloud solutions. If you have something that can ELI5 this please for the love of god share it.

Edit: I should mention we have 10Gbps Express Route over Megaport from our DC with no packet loss, congestion, etc. Even ran ping plotter, packet captures, etc. during their performance testing but they still want us to tell them why it's slow. I fucking can't.



Is Cloudflare/Google's DNS faster than the default DNS your ISP provides?

Does setting custom DNS (Cloudflare/Google) on Android phones slow down the internet connection?



SSL Decryption

Just curious to hear what enterprise vendors everyone is using for SSL decryption?



Dumb question related to uplink

Hi Guys,

Noob question from a guy returning to R&S after 3-4 years, as I have mainly moved to security roles in my organisation. But I have been handed a project where we are deploying a few switches in a customer's location. A mock-up diagram will be shared at the end of this post.

We are deploying multiple layers of switches in their environment.

Currently, as per the plan, the ToR switch will connect to the core switch (spine SW) in this new section in full mesh, and the same goes for the L3 uplink with their existing switch.

Switch modes:

Tor SW L2 Switch
Core Switch L3 Switch (All L3 Vlans reside here)

Uplink Info:

Tor to Core SW L2 - Full Mesh uplink
Core to Existing NW switch L3 - Single Vlan to be passed

Mock Diagram:

Click here for network diagram

My query:

  • How will I achieve an L3 uplink between the core and existing NW SW with full mesh redundancy intact?


Network Device state management with puppet

Does anyone use Puppet to manage state (in terms of how the configuration should be) on network devices? How is your experience so far? If you use Puppet, do you only use Puppet, or use it with Ansible and/or Python Netmiko or something similar? Also, is it just Puppet you use, or Puppet Bolt?



Meraki VLAN -> UniFi Switch -> HyperV VM

Hi /r/networking,

Router = Cisco Meraki MX64
Switch = Ubiquiti UniFi USW Pro 24
Hypervisor = Windows Server 2016
VM = 3CX SBC (debian)

As the title suggests, I'm trying to set up VLANs for a 3CX SBC (VM) running on Hyper-V.

Currently the router/ firewall is a Meraki MX64 with VLAN 100 created and DHCP running.

I've created a VLAN-only 'network' on the Unifi Controller and provisioned to switches.

I've created a profile called 'Tagged' which includes the native VLAN 1 and tags VLAN 100, applied to all ports on the switch.

The NIC on the VM has VLAN identification switched on with '100'.

The VM cannot seem to get an IP address...?

The Hypervisor is able to ping the Meraki's VLAN100 router IP (10.100.1.254).



Thursday, July 15, 2021

Removing config lines with a wildcard for Cisco IOS.. or replace?

I have a dumb question.. trying to automate some password changes for a Cisco switch, and an annoying part is changing aaa authentication.

The typical manual way to do it is to log in, conf t, show running-config, scroll down to aaa group server radius GROUPNAME, copy out the server x.x.x.x auth-port 1000 acct-port 1001 ENCRYPTEDPASSWORD lines, type exit, type no "pastehere", then manually go back and type server x.x.x.x auth-port 1000 acct-port 1001 NEWPASSWORD with whatever the command is to encrypt the password.

I wrote a script to change the admin passwords with invoke-ssh, and can navigate to the point where I'm in the aaa group server radius configuration, but I am pretty shit at PowerShell and was wondering if there is a command to avoid having to type "no server x.x.x.x auth-port encrypted password" and instead either type a command to replace the current lines that are already in there, or a way to wildcard the no command, such as "no server x.x.x.x auth-port * * * *".

That would be 10x simpler than having to parse all of the SSH output to select the line for the "no" command.
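IOS has no wildcard form of "no", so the practical route is the one the post wants to avoid: parse the running config and generate the exact remove/re-add commands for each entry. The Python below is an added example, not the poster's PowerShell script or any Cisco tool: it pulls the server lines out of an "aaa group server radius" stanza in a constructed running-config excerpt (the group name RADGROUP, the addresses, ports and placeholder key hashes are all assumptions) and returns the command list to send over the existing SSH session. It keeps the line format the post describes, with the old key material trailing the port numbers.

```python
"""Generate the IOS commands that swap the shared secret on every RADIUS server
inside an 'aaa group server radius <name>' stanza.

Added example, not the post's script: the stanza below follows the line format
the post describes (server A.B.C.D auth-port N acct-port M <key>); RADGROUP,
the addresses and the key placeholders are constructed for the demo.
"""
import re
from typing import List

# Anything after the two ports is treated as the old key material and dropped
# (assumption: that trailing text is the key, as the post describes it).
SERVER_RE = re.compile(
    r"^server (?P<addr>\S+) auth-port (?P<auth>\d+) acct-port (?P<acct>\d+)(?P<rest>.*)$"
)


def radius_group_servers(running_config: str, group: str) -> List[str]:
    """Return the 'server ...' child lines of 'aaa group server radius <group>'.

    IOS indents stanza children by one space, so the first non-indented line ends it.
    """
    header = f"aaa group server radius {group}"
    servers, inside = [], False
    for line in running_config.splitlines():
        if line.rstrip() == header:
            inside = True
            continue
        if not inside:
            continue
        if line.startswith(" "):
            if line.strip().startswith("server "):
                servers.append(line.strip())
            continue
        break  # left the stanza
    return servers


def rekey_commands(running_config: str, group: str, new_key: str) -> List[str]:
    """Config-mode commands: remove each server entry, then re-add it with the new key.

    The 'no' form omits the old key because the entry is identified by address and
    ports; the new key is typed in clear text and the switch stores it encrypted
    (the same thing the post's manual procedure relies on).
    """
    if not new_key or any(c.isspace() for c in new_key):
        raise ValueError("new key must be non-empty and contain no whitespace")
    removes, readds = [], []
    for srv in radius_group_servers(running_config, group):
        m = SERVER_RE.match(srv)
        if not m:
            raise ValueError(f"unrecognised server line: {srv!r}")
        base = f"server {m['addr']} auth-port {m['auth']} acct-port {m['acct']}"
        removes.append(f"no {base}")
        readds.append(f"{base} key {new_key}")
    if not removes:
        raise ValueError(f"no server entries found under group {group!r}")
    return [f"aaa group server radius {group}", *removes, *readds, "exit"]


# Constructed running-config excerpt for the demo (hashes are placeholders, not real type-7 strings).
RUNNING_CONFIG = """!
hostname sw1
!
aaa new-model
aaa group server radius RADGROUP
 server 10.10.0.11 auth-port 1812 acct-port 1813 key 7 OLDHASH1
 server 10.10.0.12 auth-port 1812 acct-port 1813 key 7 OLDHASH2
 ip radius source-interface Vlan10
!
aaa authentication login default group RADGROUP local
!
"""

if __name__ == "__main__":
    for cmd in rekey_commands(RUNNING_CONFIG, "RADGROUP", "N3wSh4redSecret"):
        print(cmd)
```

Send the returned list line by line over the same session (invoke-ssh in the post's case), then confirm with "show running-config | section aaa group server radius" and test a RADIUS login before closing the session that made the change, since a typo in the new key locks out every RADIUS user at once.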



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



[HELP] Commercial Wifi Setup for a Hotel?

So I'm new to all this but trying quite hard to help out a friend.

He's not technologically literate so it's all on me. And I suck at networking so here I am!

Building: 3 Story Hotel

Clients: Guests using wifi to stream internet/media, can throttle

ISP Plan: 25mb

Current Setup:

Main router on 1st floor at front desk, connects to 2 different extenders on ceiling of 2nd floor.

On the first floor the signal is strong, but the extenders are doing a bad job despite me going in multiple times for config. I set up WPA2 (it was an open network before) and passwords. During the setup the extender had a 50% connection rate to the 1st floor wifi. It constantly drops/breaks and requires manual restarts. Guests at the ends of the building get no connectivity whatsoever.

Requirements:

  • Strong wifi signal throughout entire building
  • Secure, prevent any malicious torrenting/illegal stuff if possible

My naive understanding so far is that I'd need to buy new routers/extenders and place them on the 2nd or 3rd floor. Hopefully if I can get away with 1 per floor by placing them in the middle or if I can place 2-3 on 2nd and have their range reach the 3rd floor that'd be great.

What kind of commercial router/extenders would I need? What is the best way to solve my use case?



What 20% of Networking knowledge gives you 80% of the effectiveness?

Also, were you to try to teach fundamental networking principles to someone with some decent exposure setting up default gateways and understanding the general OSI Model that would give them 80% of the results they'd need for a career in Networking (or, for my purposes, a technical interview), what would your study/practice recommendations be?



Need public trusted certificate on Microsoft NPS RADIUS server with non-valid AD Domain (.local)

I apologize if this is too simple a question, but we recently lost our SSL/Security admin who normally handles this and it's been many years since I dealt with it.

We have a legacy AD domain name (company.local) that was created back when it was standard practice not to use the same domain as your public DNS or other valid root domain name. Our Windows NPS is named radius.company.local, and it has a cert issued by our AD CA. Now that WPA3 is being enforced on Pixel devices, we can no longer auth them over WiFi via RADIUS since our CA isn't trusted.

I understand I can get a cert from a trusted root CA (we use DigiCert), but what SN would I use? I can't get a cert for radius.company.local, and if I got one for our public domain (like wifi.company.com) wouldn't it fail because the server is reporting as radius.company.local?

We do have a wildcard cert for the public domain but it didn't work, and there's plenty of pages out there saying MS NPS really hates using them. So I'm at the point of just buying a single cert for this but can't wrap my brain around what SN to put in the certificate request.

My guess is something like this:

Subject Name

  • Common Name: wifi.company.com
  • OU: IT
  • Organization: Company Name
  • Locality: City
  • State: State
  • Country: US

Alternative Name

  • wifi.company.com

Since this is going to be public I don't want to use my company.local domain, correct? Would I need to add a public DNS entry for wifi.company.com?

If I'm in the wrong sub please msg me or post it here so I can go there instead.



SD-WAN vs Site-to-Site VPNs

What is the difference? Forgive me, I'm SD-WAN stupid, and haven't had the opportunity to work on, training on, or evaluate an SD-WAN solution.

What are the benefits of SD-WAN versus site-to-site VPN connections?

(The amount of marketing BS out there about how SD-WAN will fundamentally change your life and solve world hunger is aggravating for someone trying to stay up-to-date on what's going on in networking.)



Alternative switches to Ubiquiti EdgeSwitch with OSPF features?

I'm looking to replace some ~20 year old Cisco Catalyst 3750G-24T switches that are on their last leg. Use case is two access switches in a single rack in a remote colo serving mostly HTTP web traffic and some minimal video streaming.

Details:

  • 1G access and uplinks. 10G not required but I would really want LACP support.
  • RJ45 preferred but SFP is okay too.
  • serial console port.
  • L3 routing with OSPF. I could potentially get by with another routing protocol but static routing won't cut it.
  • Not super tiny buffers.
  • A hardware warranty would be nice but I don't need an active support contract.
  • I'm okay buying used.
  • Full non-blocking forwarding and switching capacity.
  • Lower power usage, if possible.
  • Targeting $300/switch (sans optics) but I'm flexible on price (I know that's really pushing it).

I was looking at Ubiquiti EdgeSwitch 24 Lite but that unfortunately seems to only support static routing and the buffers are on the small side otherwise that would be a great fit. Anyone have recs for another switch platform that could potentially fit my criteria?



802.1x Authentication for off-site location - best setup considering security and resiliency?

Hi all,

I work at a small university, and have recently been charged with setting up Wi-Fi for a student residence building located away from our main campus. This is the first time that we have to set up network access in a location other than our main site (so, no direct access to our Domain Controllers), so I'm trying to figure out the best option for authentication of users at this remote site.

Wi-Fi authentication on our main campus is through 802.1x, with NPS on our Domain Controllers functioning as the RADIUS servers. Clients authenticate using PEAP-MSCHAPv2 with their domain credentials.

At the remote site, we'd ideally like to have the same SSID and same authentication method, so that users' devices can seamlessly roam from one network to another. Apart from authentication, the two networks do not need (and should not have) any connectivity between them.

Both sites have reliable fiber-optic connections, so the reliability of the connection itself is not a major concern.

The options at which I'm looking so far are:

Option 1: Remote access points authenticate directly through NPS on main campus Domain Controllers via a VPN tunnel:

  • Pros
      • Relatively easy.
  • Cons
      • If VPN link goes down, so does... everything.

Option 2: Set up a Read-Only Domain Controller running NPS at the remote site, with a VPN tunnel for synchronisation with the main campus's domain controllers, and the access points talking to NPS on this local DC for authentication.

  • Pros
      • Most reliable - authentication will continue to function if the VPN link goes down temporarily or if there is any other kind of service outage at the main campus.
  • Cons
      • The security of putting a domain controller in an off-campus location seems questionable.

Option 3: RADIUS proxy at remote site connecting directly to RADIUS on our main campus, without going through a VPN:

  • Pros
      • Easiest option to configure - no need to set up VPN access to our main network.
      • Using Anonymous Identity, theoretically, no usernames or passwords will be transmitted outside of the encrypted EAP tunnel.
  • Cons
      • Although no VPN is required, Wi-Fi authentication would still go down if there happened to be any issue reaching NPS at the main site.

...or perhaps I've missed some other great option!

If we had a truly 100% secure location to put a read-only Domain Controller, I'd probably go for Option 2, but without that being guaranteed, I'm leaning toward Option 3.

If anyone has any advice for this situation, it would be much appreciated!!



Why do I not see all traffic in ASA Real Time Viewer?

Ping traffic just for example. I can ping from my hot site to cold site successfully and 2 ASAs are in between, yet real time viewer never picks up a single ping.

If I do a show run logging:

Result of the command: "show run logging"

    logging enable
    logging standby
    logging console debugging
    logging buffered debugging
    logging trap alerts
    logging asdm debugging
    logging host **_***\* 158.56.1.152
    logging class auth trap informational
    logging class config trap informational

As you can see ASDM is set to debugging, so shouldn't it see every bit of traffic that passes the firewall? What am I missing?



Business using public IP range for local network

Hi everyone, I was asked to help regarding an issue a friend of mine has with his internal business network. Networking is not my forte, but I can understand some basic stuff.

Their network was created a while ago, more than 15 years ago, and they used a public IP range (1.0.0.X). That range resolves in Australia from what I see, but we are in Canada.

When people are 'inside' the business, either wired or wireless, everything seems 'fine' in a sense that all their tools (NAS, inventory network software, firewall, etc.) works, they can all be reached with their IP address since it's local and the firewall knows it, from what I understand.

The issue comes from people outside the business, connecting to the VPN and trying to access local services (the ones I named earlier) via their IP addresses: sometimes it works, sometimes it doesn't. It's as if the computer is dancing between the local service and Australia, all this while connected to the VPN.

The weird thing is this: each IP address seems to be independent.

Take this: on their network, let's pretend there are 4 network devices, 1.0.0.1 to 1.0.0.4. When making a tracert to all those 4 IPs, I get many hops, always heading to an IP located in Australia. But when I connect to the VPN and make the same tracert, some will directly point to the local network device (one hop) and the others will give many expired hops until it reaches 30 or so, then it stops. So some services work temporarily and others don't. I thought the whole range would either work or not.

Apart from changing the range of the internal network, is there something to be done about it? Is there something I can do to make sure all those services (IPs) work as intended when the VPN is on, instead of trying to reach something in Australia or so?

Thanks a lot everyone.



Cisco EA Partnership

Hi there, hoping someone can help. We are evaluating different partners for an upcoming Cisco EA. From your experience, what have different partners done, or maybe haven't done, that made your Cisco EA easier/harder to manage?

I have a couple good partners, one in particular, that I think would take feedback or these key points and work with it, so any advice or gotchas I should look for will be greatly appreciated as this is a huge undertaking for our organization.



Cisco ISE 2.7 Patch 4 June 11, 2021

Anyone use the new Patch for 2.7? If not I'll be sure to report back. (My management wants me to patch this month).



Can a Web Developer also work as a Network Engineer?

Hey people,

Can a web developer who makes web apps, let's say Django/Python/HTML/CSS/JS/Bootstrap/Databases etc...

Can he/she ALSO work as a Network engineer?

The reason I'm asking is because I was watching a networking video where the guy said "Us network engineers stop at the Application, Presentation, Session Layers from the OSI model".

Basically he said that software engineer work at layers 7, 6, 5 and that network engineers work at levels 4,3,2,1....

Does that make sense?

I'm learning to become a Web Developer and make apps plus mobile apps. Is learning or becoming a Network Engineer a whole bunch of stuff not needed?

In a real life scenario, can a person make apps and at the same time work on servers and all its communications?

Noob here...thanks for reading!



Need help understanding F5 and exchange azure cloud modern auth deployment with CAS servers..?!

I need some input on this f5 deployment I am working on.

They currently use the normal APM AD auth (with AD query) for exchange, ActiveSync, /owa, etc.

This is the flow and diagrams, I am unable to find any similar deployment guides from f5 online. 

I found this thread on Reddit asking about a similar config - https://www.reddit.com/r/networking/comments/258k7g/office_365_hybrid_deployment_with_f5_ltms/

MS vendor guys have also mentioned o365 cannot support SSL offloading, in which case I believe f5 can only work as an LTM load balancer for the CAS servers, however, we want to know what other options are available so we can have some control of the traffic on the f5 instead of letting the traffic directly hit the CAS servers.

Has anyone tried something similar or can share some best practice suggestions?

Flow and Diag:

https://i.imgur.com/5BwqnPF.png

  1. The F5 APM will redirect the request to CAS Servers Pool. F5 at this stage should not do SSL Offloading or Present an NTLM Challenge.

  2. The CAS Server will reject the request with 401 Unauthorized Error Response. However, will ask the client to authenticate against Azure Authentication Services [EVO STS and Azure AD].

  3. Client will directly reach the Azure using the Public Internet and request the Token. At this time Azure will Encrypt the credentials and perform a Pass-Through Authentication.

  4. Upon successful validation of credentials from the Local Active Directory, Azure will return an access token to the client.

  5. Client will make another Autodiscover request with the new token.

  6. F5 will again redirect the request to Exchange CAS Server. CAS will Accept the Token as it is an Oauth relationship [Federation Trust] set up during Oauth Configuration through the Intra-Organization Connector.

  7. User will get authenticated and fetch the Autodiscover XML and get connected to the corresponding Mailbox Server.

https://i.imgur.com/gwHo8FT.png



Hardware recommendations for software routers?

Is there a canonical reference on how to select hardware for software routers? Or any kind of decent documentation on what the best practices and trade-offs are from one architecture to another?

Even with the advent of kernel offload forwarding I assume the choice of hardware will have a material impact when interface speeds are 10G and above.

Off the top of my head here are a few questions about selecting hardware:

  • Intel or AMD. Intel is referenced a lot, but does this necessarily mean that AMD CPUs should be dismissed out of hand?
  • How much is performance tied to CPU generation and/or model?
  • CPUs should be evaluated on base frequency. Should turbo boost always be disabled?
  • Given the choice between more cores or more GHz, which is the optimal choice? Assuming that two CPU cores for the control plane and one CPU core per interface have already been allocated.
  • Only use server CPUs or also look at consumer CPUs? Referring to the previous question, as consumer CPUs can have higher base frequency.
  • Should CPU cache sizes and/or types influence the choice of CPU?
  • What kind of memory is best? Fastest, ECC or non-ECC, etc.?
  • How much memory is "enough"?
  • How many PCI lanes do I need? Enough to feed all the NICs or is there any benefit to excess capacity?
  • Does the choice of motherboard affect performance?
  • Does the NIC vendor matter?
  • Is it better to bond 10G/25G ports or use NICs with 100G ports?
  • Something else I'm missing completely?

I'm tagging a few redditors who have previously posted about software routers in the hope that they will share experiences and tips.

u/gonzopancho, u/Jammy_Stuff, u/Cheeze_It, u/error404, u/Enrage, u/amaralarama, u/FidelityFM



Testing Polarity on BiDirectional QSFP

I am adding some switches to an existing network using 40/100 QSFPs. Normally, I would just look to see which side of the fiber has light, shut one port or the other, connect the cable, and bring the port back up during a maintenance window.

With the bi-directional QSFPs, both sides have light, but the polarity still matters. I'm using patch panels so I can't just make sure 1 goes to 1 and 2 goes to 2.

I really don't want to have to come in at midnight to plug in some cables. Any ideas?



(SonicWALL) Pinging WAN interface from LAN. Help understand why this solution works? (x-post from r/sonicwall)

I know by default/design, pinging one interface IP from behind another interface is not allowed. I was able to get this working by following the instruction in this support article: https://www.sonicwall.com/support/knowledge-base/ping-or-access-the-interface-ip-using-a-host-connected-to-another-interface/170505874136212/

I don't really understand why this works though and I'm hoping someone can help me understand. The NAT rule described in the article translates the original destination (X1 - WAN) to X0 instead. To me, this seems like it sees the destination of the X1 interface and sends the traffic to the X1 interface instead, in effect pinging the LAN interface instead of the desired WAN interface.

However, packet monitor does show echo replies being generated from the X1 WAN IP.

Can someone please help clarify what is happening here?



Post Network Upgrade Cabling

I work for a large hospital (20K+ staff). I recently completed a network replacement project in our adult inpatient building. The closets were a disaster, with some where you'd look and go "hey, there's the chassis behind all those cables". With only a 4 hour change window it was difficult to replace all of the connections with appropriate length cables, but when we finished they looked amazing. Butterfly on some chassis (where we could) or funneled all in from the cable management side on the corresponding blade to make replacement of a failed line card quick and painless. Velcro to hold the cables in place. As with any upgrade you have the potential to miss some connections, so you can imagine my face when I walked into a closet and good old device support had already started running cables straight up from below the 10 slot chassis (some patch panels are below where we had to rack the chassis) up to the 2nd blade. For those that do depreciated network replacement of the hardware, do you take the time to cable in a tidy manner? Does your staff who has access to the comm closet follow good cable management practices? It would be great if we had like an activation team where only a select few individuals had access to the comm closet, but that isn't the case.



Which CDN WAF/DDoS protection service for publishing web sites from on-prem?

We've been pretty much "on-prem" but now we're having a few services that need to be published to users in the internets. Previously we've had a DMZ and tried to limit everything from DMZ to the internal network, but as the demand is growing I'm thinking we should get something more advanced.

Something that could block the basic exploits and DDoS's, as we run software that we've not developed ourselves and can't be sure how secure it is... For some software we would like to limit the URL in HTTP request that is allowed as we know what the allowed URLs are (not sure if this is reasonable to do?)

As we're pretty much an MS house, Azure is of course one of the options (App Gateway + WAF?), but how about Cloudflare, Fastly or this Prophaze I just Googled?

We're not really looking for the "global distributed CDN features", rather ways to protect our web servers (some of them are IIS...) and web software.

One option is to use FortiADC/F5 BIG-IP/Citrix ADC which we use today, but those would be only for the WAF part and not the DDoS part, as we have only a couple of gigabits worth of internet capacity.



Changing IP Helper Woes

Using Extreme IQ as our wireless controller, L3 switch and core switch are Cisco Catalyst 4500X. I change the IP helper for a VLAN that is used for addresses for our APs and they get an IP address from the new DHCP server, but cannot connect to the AP controller or be pinged from the core switch. The scope was copied directly from our current DHCP server to the new one. I've tried clearing arp cache on core switch and L3 but that did not allow connectivity.

Any suggestions on what direction to take? Thank you!



Anyone accomplished micro segmentation in a Hyper-V environment?

I'm currently evaluating SDNv2 in a SCVMM configuration. So far it has been bug after bug in the deployment of SDNv2.

VMWare NSX is a fully fleshed out product. I'm looking for an equivalent option so that I can offer the same level of SDN configuration in a Hyper-V environment. Has anyone accomplished micro segmentation in a Hyper-V environment? I'm willing to look at third party vendors who can offer NSX level config.

We have three datacenters with around 3k VMs at each DC that need to be containerized individually through a SDN solution.



Switching

I just started working in a distribution facility with 50+ desktops on the plant floor. My manager is on vacation this week, go figure, and I am tasked to deploy another unit with domain access. I have a need to use an existing connection from the switch that runs to the plant floor. It is right beside another desktop that has domain access, plugged into a double gang wall plate. Thinking the other port would be hot, I had the desk moved and everything powered on, but I don't get any signal from the other port.

I have a PoE switch that was used in another office, and I think it was plugged into our general network. I want to use this switch here for this purpose. In my training this is a huge no no, as it could cause switching loops, but I know it was used in another office for a similar purpose. Can anyone talk me out of using this PoE switch for this purpose? I would have to find out if the Cisco switches are running STP I would expect, which I could do hopefully by the end of the day.

Help Reddit!



How do you add a switch stack to Netbox

We are building a Netbox from the ground up and I'm about to start adding devices. I have a stack of 3850 switches and I'm trying to figure out the right way to add these to a site. The entire stack has the same host name, so do you guys add the multiple devices with the same hostname but with their unique SNs and Asset Tag Numbers? What's the best practice here?



Most in demand certifications?

What certifications would, if gotten, be most likely to get me a job in this industry?



[question]

How can I block the pornography websites by changing the DNS in the internet modem? EVEN when using a VPN connection!



UDP loss - Arista 7150

Hi All,

I have 2 x Arista 7150s in play.

TCP traffic is fine, but when I try to pass UDP traffic I get tons of packet loss.

The set up i have is 1000mb forced on 1GB SMF SFP both sides.

When I place a media converter between them, I can hardcode speed down to 100MB and voilà, the packet loss is gone with UDP.

(I cannot hardcode the 1GB SFP down to 100MB, nor have I had to in the past).

Any ideas on a solution around this without the media converters?



How to broadcast aaa accounting to more than 1 radius server on 8540 WLC?

I want to send aaa accounting to more than 1 radius server. I added the 2 radius servers in security->aaa->radius->accounting, then chose those 2 servers in the WLAN, but the accounting data is only being sent to the 1st server and not the 2nd one.



Ipsec not working with organisation issued certs, works with self signed certs, strongswan

I've set up an ipsec connection in Linux using strongswan transport mode so that users can remotely connect into the network. It's set up so that traffic is in transport mode and uses certificate as well as eap authentication to connect.

When I use self signed certs from the server, and pass the ca over to my device connecting, it lets me connect no problem. However, when I use my root ca for my organisation as well as my own p12, as well as some certs and keys for the server, it doesn't let me connect remotely.

Unfortunately there is nothing in the logs with debug on. There is one thing moaning about nat, however I've tried putting the server on the same network with no natting and the same issue persists, where self signed works and root ca doesn't.

Any tips? Thanks



Wednesday, July 14, 2021

What's your Linux distribution of choice for DevNet?

Just trying to see where I should start learning.



Advice requested - School Network Inquiry

I hope I've come to the right sub to ask this, and please feel welcome to point me elsewhere if there's some place more appropriate. I'm the "tech guy" at our school, and understand networking/routing *kind of* enough to hack my way through this challenge - but I'm in a pickle here, and hoping there's a straightforward solution.

Here's the project: I am trying to connect phones to each classroom of the school via our ethernet ports. This has been straightforward for a single line (I'll explain the topology shortly) - I've been able to both strip the terminating ethernet cable and splice it with an exposed/empty phone line successfully (this can only be done for phones direct to hub 3, as it's just a pure "raw wire" sequence), and I've also been able to route a single line to a “switch” of sorts that can convert an ethernet connection to the Nortel phone "hub" (which is a black box to me, personally, but..it works).

However: I am struggling to do this for multiple lines. I am worried that this may not be possible, but that's why I'm asking here. It would be possible for *internet* lines simply using switches, but I tried a switch for multiple phone lines and it didn't work out.

Here's the topology: There are 3 hubs in the school (labelled 1, 2, and 3). Hub one is central, and hubs 2 and 3 are both separately connected to Hub 1. My pathway is from Hub 2, to Hub 1, to Hub 3 via the backbones. At hub three, I connect the line to an available port in the “Nortel switch” doohickey and into the phone hub it goes to function with a dial-tone.

With a single line perfectly routed, the phone connects and functions. BUT I'm hoping there's a way to send ~10 phone signals through the backbone, into the Nortel switch, each being their own independent line. Is this possible? I thought using plain old switches would be plausible, but I'm either using them incorrectly, or it's just the wrong approach. Any suggestions would be VERY appreciated!

I do know that I could rig 4 lines using the backbone line by stripping the ethernet cable, but this seems kinda “hackjobby”, is not enough lines, and it feels like there may be a more proper/elegant solution.

Here are labeled pics of each hub, so you can see what I've rigged up so far:

https://imgur.com/gJrFXxP



Dumb problem with STP/MST. Am I doing this wrong?

So I have a medium-ish sized network (~30 sites) in a semi-mesh fiber topology. I'm trying to migrate from my predecessor's design of "stretch all the vlans, STP all the things" to a routed OSPF underlay with VXLAN overlay. In the meantime, I'm part way through migration and having an unexpected issue: MST is blocking my OSPF peering vlans.

Sample config:

    switch 1 port1 <----> switch 2 port 1
    switch 1 port2 <----> switch 2 port 2

    #Switch 1:
    int 1/1/1
      vlan trunk allow 1,10
    int 1/1/2
      vlan trunk allow 1,20
    int vlan 10
      ip address 10.10.10.1/24
    int vlan 20
      ip address 10.20.20.1/24
    spanning-tree
    spanning-tree priority 0
    spanning-tree mst 10 vlan 10
    spanning-tree mst 10 priority 0
    spanning-tree mst 20 vlan 20
    spanning-tree mst 20 priority 0

    #Switch 2:
    int 1/1/1
      vlan trunk allow 1,10
    int 1/1/2
      vlan trunk allow 1,20
    int vlan 10
      ip address 10.10.10.2/24
    int vlan 20
      ip address 10.20.20.2/24
    spanning-tree
    spanning-tree mst 10 vlan 10
    spanning-tree mst 20 vlan 20

Now, it is my expectation that:

  • vlan 1 would be permitted on all ports
  • vlan 1 is a member of mst instance 0 (default)
  • mst instance 0 should be designated on both ports of switch1
  • mst instance 0 should be root on port 1/1/1 of switch 2
  • mst instance 0 should be blocking/alternate on port 1/1/1 of switch 2

(all of the above statements appear to match what I see in the running switches)

Further, it is my expectation that:

  • vlan 10 would be permitted on 1/1/1 of both switches
  • vlan 10 is a member of mst instance 10, of which instance 10 on switch 1 should be root
  • vlan 10 should be a designated port on 1/1/1 of switch 1 and root port on 1/1/1 of switch 2
  • vlan 10 should not be fundamentally capable of blocking anywhere, as it only exists on 2 ports.

(all of the above statements appear to match what I see in the running switches)

Further, it is my expectation that:

  • vlan 20 would be permitted on 1/1/2 of both switches
  • vlan 20 is a member of mst instance 20, of which instance 20 on switch 1 should be root
  • vlan 20 should be a designated port on 1/1/2 of switch 1 and root port on 1/1/2 of switch 2
  • vlan 20 should not be fundamentally capable of blocking anywhere, as it only exists on 2 ports.

This is where the problem lies:

Vlan 20 is blocking/alternate on port 1/1/2 of switch 2.

Is my config wrong, or is my understanding of MST operation wrong?

I am trying to build a set of OSPF routed point-to-point links using vlan 10, vlan 20 between these two switches so that I can remove vlan 1 from both links, create a vxlan SVI routed between the two switches, and bridge vlan 1 from switch to switch over a routed vxlan, rather than using STP to block these two routed links.

Thoughts? other config or output that would help?



L2TPv3 over GRE/IPsec MTU

I was curious how MTU worked with a L2TPv3 over an IPsec VTI. If I put the ip MTU command on the tunnel interface, it is unable to send a fragmentation needed message to the host for PMTU discovery because there’s no route to the host in a pseudowire/xconnect configuration. And even if it could, it would not be the correct MTU size because it would take into account the L2TPv3 encapsulation. What am I missing here? Is it possible to set the mtu in the pseudowire class?



Format flash: good enough?

Curious if there is any reason not to use this to wipe a ton load of 3750s?

Don’t care about the person who buys the equipment. Their problem.



What do you think of the philosophy of "Hosts have IP addresses, not interfaces"?

I've heard this a couple of times, and it always refers to not being in a situation where multiple interfaces on one computer have different addresses, but rather the whole thing has one address and the interfaces are simply a means to access that address. However, it seems to only come into play with really basic networks (SOHO ones) or bleeding-edge dynamic routing meshes. What do you think of this?



Question about 802.1Q VLAN tagging

Just a general sort of theoretical question I guess, where does the VLAN tag get inserted into the frame? Does the device itself tag the frames with the VLAN ID when sending them, or does the switch insert the tag when the frame enters the trunked port on the switch?

Follow-up question: if it's tagged when it enters the switch, how does the switch know which VLAN to tag the frame with? Does it assign the tag based on the MAC address in the frame?
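To make the frame layout concrete, here is an added example (not from the original post) that builds an Ethernet II frame, inserts the 4-byte 802.1Q tag at byte offset 12 (between the source MAC and the EtherType), parses it back, and models a switch that classifies ingress frames by the port's PVID or by an existing tag. The port names and PVID table are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100      # Tag Protocol Identifier that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def build_untagged_frame(dst, src, ethertype, payload):
    """Plain Ethernet II frame: dst(6) | src(6) | EtherType(2) | payload."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def insert_vlan_tag(frame, vid, pcp=0, dei=0):
    """Insert a 4-byte 802.1Q tag right after the two MAC addresses (offset 12).

    Tag = TPID 0x8100 followed by the TCI: 3-bit PCP, 1-bit DEI, 12-bit VID.
    The original EtherType and payload shift 4 bytes to the right.
    """
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_vlan_tag(frame):
    """Remove the tag again (what an access port does on egress)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def parse_frame(frame):
    """Decode the headers; vid/pcp are None when the frame carries no tag."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = None
    hdr_len = 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF
        hdr_len = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[hdr_len:]}


# Constructed sample switch (hypothetical port names): access ports carry one
# untagged VLAN, their PVID; a trunk port carries tagged frames for every VLAN.
ACCESS_PVID = {"port1": 10, "port2": 20}


def ingress(frame, port):
    """Classify a frame arriving on a port into a VLAN.

    The VLAN comes from the tag (trunk ingress) or from the port's PVID
    (access ingress); the MAC addresses play no part in the decision.
    Returns (vid, frame_as_it_would_travel_inside_the_switch).
    """
    parsed = parse_frame(frame)
    if parsed["vid"] is not None:
        return parsed["vid"], frame                  # already tagged: honour it
    vid = ACCESS_PVID[port]
    return vid, insert_vlan_tag(frame, vid)          # untagged: tag with PVID


if __name__ == "__main__":
    f = build_untagged_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                             ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    vid, tagged = ingress(f, "port1")
    print("vid", vid, "tag bytes at offset 12:", tagged[12:16].hex())
    print(parse_frame(tagged))
```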



Help on landing my first networking job

I’ve been working in IT for the last 6 years. For the last 4 I’ve been working for an organization doing a little bit above help desk. I have some server experience but mostly help desk tasks. I recently passed my ccna 2 weeks ago and I have my Sec+. Anyone have any insight on how I can stand out when trying to land a networking role?



Cisco 9200 licensing

I have installed and licensed 9200s before, but never any that were stacked. I am getting a bunch of them tomorrow that I need to stack and install right away, and I don't see the licenses in the portal yet.

My question is this - if I stack them and configure them, when I go to license them later, will I just license the stack the same way I did an individual switch, but it will consume the number of licenses as switches in the stack? Is there anything else I need to know about doing it this way?



ROAT vs L3 Switch

Is it still viable nowadays to get ROAT on your branches? Let's suppose you have, say, a Catalyst 9300 with advantage license; you just need your basic EIGRP protocol, maybe some ACLs, DHCP services and your routing. Do you really need a router if the switch can perform all those functions? Are there any benefits to having a router? What's faster, the router or the switch?

A little backstory: back in my college days I interned in a networking solutions company installing network equipment on client sites, and one particular client (which didn't have much money) paid a pretty big sum of cash on their network refresh project. I understand some ISRs can act as gateways, so you obviously need your ISR Router with the module card, BUT this sales guy at the time sold them a router on each site, plus new Catalyst 9300 switches, which even if you get them with the essentials license, you're still able to get a site up and running, but in this case the sales guy got them advantage. In my opinion the sales guy just wanted to add as much to the bill since the sales people work on commission, that's just my opinion, but what's really the benefit of having a router if you can perform the same tasks with a L3 switch?



Remote access software question

Hello all!

So the owner of the company I work for is having an issue with Chrome and needs me to remote into her system since she’s over 3000 miles away from us.

Since this is a one off situation, what would you recommend that’s free in order for me to access her pc?

I’m thinking Team Viewer, but I’m open to something easier since she’s not the greatest with PCs/technology.

Thanks in advance!



Need advice regarding fiber line and contractors

We have lots of construction going on at one of our buildings and the electrical contractor ran temporary fiber to get out of the way for demolition. Since the temporary fiber is in, every day or two I’ll have a random 2-3 minute outage at that building. Last night, that building went offline for a whole 45 minutes. I keep telling the contractor that I think there’s something wrong with the fiber they put in place, but they seem like they don’t know what they could do as a next step.

I haven’t had to deal with contractors and installing fiber before. Any advice on what I could tell them to do/check to start making some progress?

Update: I also noticed they ran dark blue fiber lines (which I believe is single mode) and our original fiber line was orange (multimode)



HPE 562SFP+ & Aruba 2540

Good morning,
I have been trying to solve this problem for a couple of days without success.

I have an HPE 562SFP+ (flashed with the last firmware: https://support.hpe.com/hpesc/public/swd/detail?swItemId=MTX_c967b9da294b44c9b2454162a3#tab2 ) that I should connect to an Aruba 2540 switch, unfortunately regardless of the i40 driver version in use (currently 2.13.10) the switch continues to report port-flapping. At this point I am concerned that the DAC cable (j9283D-C) is not fully compatible with the NIC/Switch. Has anyone encountered a similar problem?

If I want to abandon the DAC in favor of fiber cables + transceivers which transceivers should I get? It seems that all those compatible with the HPE 562+ are not compatible with the Aruba switches.

Thanks in advance



Speed Up Gigabit Ethernet Network Connection

Hi guys,

I need to speed up the office ethernet connection.

Configuration:

  • NAS: Qnap TS-563 - 5 HD SATA 5200rpm in Raid 5
  • Router: MikroTik RB3011
  • Switch: TP-LINK TL-SG2216
  • 6 PCs with 1gbit Ethernet connection CAT6

The Nas is connected to the switch using 2 Eth. cable (ethernet link aggregation).

Each PC transfers a big file at 110 mb/s (PC-NAS or PC-PC).

We need more speed over the network/NAS.

Can you give me some advice? 10GbE network?

Thanks



Panasonic tda600 incoming calls outbound calls not working

Panasonic tda600 incoming calls outbound calls not working. For more than a week our system hasn't been working well; I cannot make calls outside or receive calls from outside. Sometimes it works, but 95% of the time it doesn't. Anyone had the same experience? What do you recommend I do? + When I call outbound.



Trying to wrap my brain around a routing question.

I have two sites.

Both sites have their own internet (redundant internet in fact).

Both sites have FW clusters on their egress.

Each site is also connected to the other over a double-redundant L1 dedicated fiber on the inside with diverse pathing. Cuts on one path do not affect the other; I incur no noticeable outage in that event.

Each site has a default-gw to egress out its local internet connection.

My question is this:

How would I maintain local internet-egress at each site, while also auto-failing a site to the others internet in the event of an outage?

Most of the options I can think of end up favoring one site or the other. I do peer BGP out both sites' internet connections, but I'm nowhere near strong enough in BGP to try to do anything fancy with it internally.

My other possible option is to set up SLAs on my cores, pinging out to (maybe) my BGP peers, and then rewriting my default route on the internal cores to flip it to the other site in the event that both ISPs shit the bed.

In case anyone is wondering how likely it is this would happen, I'm about 150 yards from the surf in hurricane central. My DR site is currently 60 miles inland.

Thanks for the responses in advance.



Prefix-list sequence

Hi, I need to modify a prefix-list. Currently my output is:

R1#show ip prefix-list PL
ip prefix-list PL: 2 entries
   seq 10 permit 192.168.1.0/24
   seq 999 deny 0.0.0.0/0 le 32

I need to change the subnet mask from /24 to /25, so which way of implementing this is correct and more reasonable?

ip prefix-list PL seq 9 permit 192.168.1.0/25
no ip prefix-list PL seq 10 permit 192.168.1.0/24

Or

no ip prefix-list PL seq 10 permit 192.168.1.0/24
ip prefix-list PL seq 10 permit 192.168.1.0/25

Apologies for bad formatting.

Thank you in advance.



Tuesday, July 13, 2021

Exact bandwidth difference of a LAN2LAN compared to MPLS? LAN2LAN uses mainly GRE?

Exact bandwidth difference of a LAN2LAN compared to MPLS? LAN2LAN uses mainly GRE?



Double Access Inquiry

I am not a networking expert and cannot seem to find an answer to my situation. I own a small business (too small to hire an IT guy, so I am it), an auto parts store, and am wondering if it's possible to connect to two firewalls at the same time. I'll try to explain how our network is set up. ISP>Modem>Firewall 1>Switch>APs/Devices & Firewall 2>Switch & Server>Devices.

A little background, I do not have enough wrinkles in my brain to understand everything network related but have a general understanding and can research or lookup most things you suggest. I also do not have the financing to afford high end equipment so the best we were able to do is Ubiquiti's Unifi. I am familiar with navigating the Unifi controller and am just wondering if this can be done. A simple point me in the right direction is good enough for me. Best way to learn is to jump in and start doing. Thanks.

Basically the software for our inventory ordering and parts lookup for vehicles is controlled by our parent company, and any computer that needs to look up or order parts must go through firewall 2 and the server that is provided by them; unfortunately, their firewall has multiple restrictions on it that won't allow simple things like credit card readers or VOIP to connect through it (thus they are connected through firewall 1). Is it possible to set up something where firewall 2 is behind a VLAN (say V2) and everything is connected to the same switch that is on V1? This would need to be so that V1 can access and see V2 but not the other way around. I am thinking of it this way so I can use wireless computers for inventory management and have the access points on V1 while they can still use the parent company's software. I could just install APs behind firewall 2, but that then means I will have to have 2 SSIDs to connect to for simple things like email access (also blocked on firewall 2). I have 4 workstation computers that we purchased from said parent company that also receive their updates from them but cannot access competitor websites for price comparison (these are all ethernet lines to the switch behind firewall 2). I am an independently owned store and our parent company's prices are way too high, so I have to compare with competitors to keep our pricing low enough to compete.

If this is outside the realm of this community, please let me know so I can take it elsewhere. Furthermore, the way I am currently getting around this is by having wifi adapters on the workstations and using ethernet. When we need to look up parts or place orders, we simply turn off the wifi in Windows. When we need to check prices or emails and such, we simply unplug the ethernet cable and use the wifi.



Weather map with location alerts?

Hello,

My job requires me to monitor for WAN outages and a common theme is for weather related outages. I was wondering if there was a selfhostable app or website where I can load in a list of locations and if there is bad weather in that area then send an alert for those sites?

Thanks



Clearpass onboarding trust chain issue

Hey guys,

I'm building out a new onboard setup in ClearPass and I'm running into an issue with macOS 12 that I was hoping maybe someone else has encountered (though in all honesty, I haven't tried other platforms yet). The services are all built, everything works in Policy Manager, all good.

In the network settings, I have a wildcard cert trust listed under trusted server names and I have the root CA uploaded in the trusted certificates section. The documentation doesn't specify you need the full chain for the EAP in that section so I'm leaving just the root.

However, the problem I'm seeing is not in regards to the EAP cert, it has to do with the device cert. The device cert is onboarded fine, however the .cer that is downloaded when you go through the onboarding only includes the root CA for device certs and not the signing intermediate so the device cert shows as untrusted.

How can I get onboard to

A) Include the full chain in the profile

B) If A is not possible, include the root and intermediate in the mdps_profile.cer that is downloaded.

Thanks.



Company router was factory reset…

Hello, our company router was reset to factory settings, and as a result the web server/domain is no longer responding; consequently the order creation function from Shopify is unable to send orders to our FileMaker database (via a webhook that’s hosted on the web server) and we are not receiving orders in our database. I have been told this is a port forward problem, but I'm not exactly sure how to fix it. Could it possibly be more than a port forward problem based on the information provided? Any info helps, thanks.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Can Ncat scan a range of ports?

I'm aware that Nmap is much more effective for such tasks, but I'd still like to know. I've searched online but am having a hard time finding an answer.

When I run:

ncat -vzw1 scanme.nmap.org 20-25 

It outputs:

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Invalid port number "20-25". QUITTING.

Whereas when I use traditional netcat it works.

Thank you.



Learning about Subnets, but I can't shake a question I have that I think prevents me from fully grasping the concept.

Hello All,

I'm studying to get my Network + certification and have looked up a number of resources on the subject.

I think I understand what subnetting is, but at a certain point I have a difficult time grasping the concept of why someone would need to do it, even on a larger private network. Maybe there's pieces I don't have yet, and I'm hoping maybe someone here can fill those cracks that makes me "get" it.

Let's say we have 192.168.1.0/24

That gives us 254 addresses to use. Now, subnetting this further down to, say, 192.168.1.0/25 would give us two groups, 192.168.1.1-192.168.1.126 and 192.168.1.128-192.168.1.254. We have this subnetted, but we don't get to use 192.168.1.127 now.

What benefit does someone have subnetting below 254 hosts? I can't wrap my head around the idea of giving yourself even fewer IPs than you started with. If the two subnets can intercommunicate, why remove an IP that the network could use (192.168.1.127)? If they can't intercommunicate, why not just use a different Network ID altogether and now open yourself to two networks with 254 IPs to use?

I think I can understand on a larger network (Internet) the need for subnetting as a means to allow for more IPs to be accessible to be used (just as so many people CAN use 192.168.0 /24). But once the network reaches the LAN, I just can't seem to make sense of why you would need to.

I feel like there's a critical bit of information that I'm not seeing, or that I haven't somehow come across yet that allows me to understand this better. Something that I couldn't know to think of because I haven't used it or seen it. If someone could provide an example of why subnetting on a smaller network would make sense, I would appreciate it.
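To make the arithmetic in the question concrete, here is an added example (not from the post) that splits a prefix and reports, for each resulting subnet, the network, usable range and broadcast address; it also lists which addresses become reserved by the split and checks whether two hosts can reach each other without crossing a router, which is the boundary where a router, ACL or firewall policy can sit. Only the standard library is used; the sample addresses are the ones from the question.

```python
import ipaddress


def split_subnet(cidr: str, new_prefix: int) -> list:
    """Split a network into equal subnets of length new_prefix and describe
    each one. Usable addresses exclude the network and broadcast addresses."""
    net = ipaddress.ip_network(cidr)
    rows = []
    for sub in net.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())
        rows.append({
            "network": str(sub),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
            "usable": len(hosts),
        })
    return rows


def reserved_addresses(cidr: str, new_prefix: int) -> list:
    """Addresses that were usable hosts in the parent network but become a
    network or broadcast address after the split (so they can no longer be
    assigned to hosts)."""
    parent = ipaddress.ip_network(cidr)
    parent_hosts = set(parent.hosts())
    reserved = []
    for sub in parent.subnets(new_prefix=new_prefix):
        for addr in (sub.network_address, sub.broadcast_address):
            if addr in parent_hosts:
                reserved.append(str(addr))
    return reserved


def same_subnet(ip_a: str, ip_b: str, prefixlen: int) -> bool:
    """True when both hosts sit in the same subnet and can talk directly over
    the LAN; False means the traffic must pass through a router, which is
    where segmentation policy (ACLs, a firewall) can be enforced."""
    net_a = ipaddress.ip_network(f"{ip_a}/{prefixlen}", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/{prefixlen}", strict=False)
    return net_a == net_b


if __name__ == "__main__":
    # Constructed sample: the /24 from the question, split into two /25s.
    for row in split_subnet("192.168.1.0/24", 25):
        print(row)
    print("reserved by the split:", reserved_addresses("192.168.1.0/24", 25))
    print("same /24?", same_subnet("192.168.1.10", "192.168.1.200", 24))
    print("same /25?", same_subnet("192.168.1.10", "192.168.1.200", 25))
```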



Accepted methods of measuring/projecting link capacity

I need to give 500-600 links a "congestion score". Are there any accepted models or methods for doing this? When I asked for more specifics, my boss was no more specific than "congestion score", so I imagine he doesn't know what he wants either. I feel like there has to be an existing accepted best answer to this question. Percentiles? Standard deviations?

I found some papers on measuring congestion in a link but it's too much https://www.researchgate.net/publication/270894492_Congestion_Score_Computation_of_Big_Traffic_Data

I feel like some kind of stock market technical indicator would be perfect. Bollinger bands? To me, boiling this down to a single score would be answering the question "How likely is this link to reach capacity in the next X days".



Microsoft discovered another SolarWinds vulnerability

CVE-2021-35211

https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211

Makes me wonder how many other holes exist that they STILL haven't discovered.



How to adjust Fragment thr: on Linux and Windows?

Hello Everyone,

Not sure if this is a valid question. But, can I adjust the fragment of the MTU? Or, is that a hardware specification?

If I am able to change it, can you direct me on how to change on Linux and Windows?



Failing over IP Range to DR with BGP

Been a while since I've done this so just need a quick refresher

Currently building our DR site with the intention that our pool of WAN IPs will be able to fail over from Site A to Site B.

Both sites have ISR routers and /30 fixed subnets as the point to point between us and the ISP.

Our pool of production IPs is a /24 that's currently statically routed to Site A by the ISP.

Plan is to enable BGP at Site A + Site B and inject that /24 route ourselves.

That much I can handle, but remind me how I set the metric so that Site A is the Primary and Site B is the secondary?

Site A goes offline, the ISP updates its routing tables automatically and sends traffic for that subnet to Site B instead.



Network Scanning - Gathering Device Models

I need to get the model types for all devices within our network. Without scripting this, are there any tools, free or not, that will do this (gather device models and counts of each model)?



Is there a way I can get a pcap on cisco 8540 WLC?

Our WLC is not sending radius accounting info to the radius server so I want to get a pcap to check what’s the issue. Any idea how to do that? Thanks in advance.



24 port vs 48 port 1U patch panel?

Hi,

I've tried to look online about the difference between the two, and the only difference I can really see is the price and the relative lack of supply of 48 port 1U patch panels

Everywhere I've worked, they've always used 24 port 1U patch panels, instead of 48 port 1U patch panels. Is there a reason for doing this, other than cost? Kinda like why you'd use DACs instead of fibre SFP transceivers?

I guess the other reason that I can think of is that two 24 port patch panels, would be "better" from a cable management POV, given you could plonk 24 ports in the top half of the switch, and 24 ports in the bottom half of the switch without necessarily needing a cable management arm. I'm struggling to think of any other reasons, however. So any help would be appreciated. Is it a case that the 24 port ones might just be more reliable somehow?



typical MLAG convergence time

Working on an industrial application which requires end station redundancy. Looking at a redundant star topology. Does anyone know or point me to data on redundancy convergence latency numbers. I'm looking for 200ms or below.



Using NRL's MGEN?

I need to start off by saying; networks and network things are not my strong suit. At all. Like, I'm not even playing the same game.

But, I need to learn how to use MGEN. And I think I've mostly almost got it? At least enough to sort of do what I need to?

I'm struggling with the data, though. I need to transmit data with it, ideally have it read it from a file, and output in the receive log what data was in the packet.

When I use the DATA command, it does that, but it puts the same data in every packet, and if there's more data than the packet size, it doesn't send any at all? At least it doesn't list it in the log?

Help. I'm frustrated. And there seems to be precious little information on how to use this. The manuals from NRL are.....not great, and most of the Google results are about some STI. Even if you could just load me up with some keywords or search terms, that would be fantastic.

Like I said, network stuff is not my jam. So please, please, talk to me like I'm all of four years old. Assume I know nothing, and use very small words, lol.



Mist AP stuck on "disconnected" status


I'm testing a Mist Access Point (AP41) for an office, I have it plugged in with a POE Injector. The injector has a "data in" port that is connected to a router. I've claimed the AP in the mist dashboard and set up a wifi network. LED Light indicator gives no flashing error, just solid green.

When I was initially setting it up it had a status of 'disconnected' until I ran the ethernet cord from the router to the 'Data In' port on the injector. It then connected and did an update. I walked away but it seemed like after that update process it's been back to 'disconnected' and no amount of resetting/restarting/reconnecting will fix it.


Not sure if this is helpful BUT: I disconnected the ethernet cable from the POE Injector, so the AP had power through the POE port but no internet. The LED then started blinking series of 3 which according to their chart means there is no IP address.

So I plugged it back in, the LED flashed in series of 2 which means no internet link, and then settled back to a solid green light.



Good resources on networking troubleshooting for Systems Engineering interview.

Anyone have some good resources for studying for the networking interview part of a systems engineering loop? I know the basics pretty well, so I can talk through how a packet travels from layer 7 to 1 and back to 7. I know my protocols. What I was not able to find a good resource for is networking troubleshooting. How do you use ping/traceroute/tracert, check DNS, telnet, when do you go to tcpdump, etc.?



Is it possible to connect to a SQUID proxy from another network

Hey guys,

I'll warn you, I'm an amateur.

I've been playing around with Squid on Ubuntu to set up a proxy server I can use when I'm out of the country.

I was able to set it up so that any device in the proxy's network can connect through it, but then realized that it might be limited to just that.

So, is it possible to connect to the Squid proxy from another network? If so, what should I do/change?

Any suggestion/advice is appreciated

Thank you



Cisco FMC - AnyConnect Client with DUO

Hey guys,

I configured SAML authentication on my FMC, because I want to configure AnyConnect client with DUO.

Everything works fine. However, when you try to authenticate to AnyConnect using DUO, the DUO authentication screen takes 15 seconds to show up.

Is it normal?

Thanks



Is there a document superseding NIST Special Publication 800-41 Revision 1?

Hey geeks. Thanks for checking in. I'm diving into the Guidelines on Firewall and Firewall Policy published by the ITL and NIST. This document is incredible - but I noticed it was published in Sept. 2009.

The latest update I've seen was from August 7, 2015 stating this rev 1.0 is still the current standard.

Anyone have source on an additional document that's as high quality as the ITL's?

Guidelines on Firewalls and Firewall Policy Source:

https://www.govinfo.gov/content/pkg/GOVPUB-C13-f52fdee3827e2f5d903fa8b4b66d4855/pdf/GOVPUB-C13-f52fdee3827e2f5d903fa8b4b66d4855.pdf

I'm sure very much of this information is still relevant - would be awesome to delve into a newer version featuring some bells and whistles, maybe taking cloud security into deeper consideration.

Thanks again!



Visualizing flows in cloud (GCP)

Hi,

I'm looking for solutions that will visualize traffic flow inside a cloud environment (Google Cloud to be specific). One of the solutions I'm considering is to use ElastiFlow, which I've used in the past in an on-premise data center.

I know that ElastiFlow is built so that it supports network-based protocols (sFlow, NetFlow, i.e.), but the idea is to use ElastiFlow as a base and utilize its Kibana dashboard for graphs and Logstash logic for log enrichment. The idea would be to create a Logstash configuration so that it will be able to read the format of Google VPC flow logs.

Just to clarify - planning to use Elastiflow from GitHub

Anyone tried that or is aware of any other tool?



I got a new router from my ISP and my internal network speed went way down.

Ok, I had a 300Mbps connection with a router / TV decoder combo. Everything was working fine at that time. I own a pc connected with an ethernet cable and a laptop connected to the WiFi. I share a folder on a pc. Before the "upgrade" uploading and downloading files from pc was going at the consistent speed which was about 40MB/s. Now with the new router I have a better speed when it comes to downloading. Now I have 750Mbps but when it comes to internal file sharing pc to laptop can still send at the same speed but uploading from laptop to pc got way slower, between 5 - 20MB/s. Any idea how to remedy that?



[Small Business] What's the best way to connect guest LAN computers separate from a private staff network?

Hey guys,

I'm struggling to find the appropriate hardware for my makerspace setup where I need to separate staff & automation devices from guest/member devices. If this is the wrong place to post this, let me know.

Our needs aren't so high (and limited budget) to require enterprise hardware. Just hoping to get a second opinion whether this is even the right way to approach this, or potentially recommendations for hardware.

tl;dr: Should I try to find hardware that can separate networks with VLAN or can I do something like nested routers?


Setup:

  • Staff devices include 3 LAN computers, and another 3 WIFI computers, all our phones and about 4 dozen WIFI IOT automation devices spread across a fairly large warehouse (70ft x 140ft).
  • Guest/member devices are purely LAN connections to communal computers and a few extra wall ports. Ideally these should be on a separate network from the staff devices.
  • Our internet provider gave us a Hitron CODA-4582 that is acting purely as a bridge. I don't seem to have the ability to get into it to adjust any settings. Of its four ports, 3 of them go to access points given to us by the provider which are doing a private and guest wifi. The remaining port goes into our router.
  • Currently, we're using a second-hand Buffalo WZR-HP-AG300H running DDWRT which came out 10 years ago and is really struggling to provide adequate throughput/speeds on the staff computers. It doesn't help that it's a wifi router tucked away in a server closet.
  • Everything is set up in a server closet where a patch panel and 24 port switch connects all the wall ports throughout the building.

Here's a map of our ideal setup, assuming the Hitron could be set up with some firewall or security settings to protect the guest computers.


Research:

  • I originally thought I might do VLAN but apparently that's mainly an enterprise feature and is rare on consumer hardware
  • I'm attempting to see if our provider will find a way to give us access to the hitron gateway but I'm not holding my breath.
  • I was recommended a VPN setup by a friend but I don't think that's suitable with IOT devices. I don't really have that many device to device connections anyways, it's mostly just giving staff a connection to internet (most work is cloud based) and connecting to the odd printer or google cast device.
  • I don't think I can use a single wifi router, as without VLAN I'm not sure how to separate the public network. I could theoretically run a cable from the closet to where we want to mount the router, and then back to the closet to the patch panel. I might have to find something with an additional number of ports, as I need 3 for the staff LAN and potentially one or more for a second access point expansion in the future if the coverage isn't good enough.
  • My current thought is I might need a wired router at switch 1 before my wifi router. I feel like it should be possible to set up the secondary router as a private subnet or something separate from the connections to the primary router; I'm not entirely sure how, as it might depend a lot on the firmware.

Not having a clear understanding of the best way to map this has made it pretty difficult to choose hardware. At first I was ready to just grab some ubiquiti stuff for the VLAN features, but with such meager requirements I was wondering if one or two consumer routers would be adequate.

Thoughts?



AWS VPC CIDR Range Help

Hi. I need to create a subnet on AWS for some new servers but I need some advice about the IP plan as I'm confusing myself. Our on-prem sites use the range 10.0.0.0/8 globally (10.10.0.0/16 for office A; 10.20.0.0/16 for office B, etc). I want to be able to add a subnet on AWS with the range 10.10.240.0/24 but I don't know how to set this up without clashing with the on-prem range.

For the VPC I cannot use 10.0.0.0/8 as the CIDR range as it's taken. What's the most efficient way of doing this for the VPC and subnet IP range? Thanks in advance!



Some IP/ISP subnet questions

I currently have subnets that are announced by my ISP. So what do I need to do to them so they show up as residential IPs? Lastly, do I let them update the geolocation organically, or what's the best method to do this?



Monday, July 12, 2021

What's a decent protocol/FOSS implementation for naive multiplexing of multiple tcp streams over one port?

Hi. Long time lurker, first time poster. Wasn't sure if this would be more suited to /r/networking, /r/linux, /r/cpp, /r/programming or others, so I'm starting here.

Hopefully one of you kind souls will have a simple solution.

What's a decent, free, off the shelf, method to multiplex multiple TCP streams on the same IP over one stream/port number?

I could implement my own library without TOO much thinking (and w/ plenty of time), but I'm trying to get out of the habit of rolling-my-own just because I can. It's a bad habit.

What I have:

  • Working server code which implements several off-the-shelf TCP based services, as well as a custom one. Less vague: VNC (port 5900), Chrome DevTools (port 9222), custom-thingie (port 9999).

  • Working client code which connects to the server, and all 3 services, given all 3 port numbers.

What I want:

  • Some sort of middleware (stand alone or library), which lets me put all of the server protocols "under" a single port number (aka multiplex), and a counterpart for the client. From an admin perspective it's easier to manage a single port number than several, and it's more correct to have my service use a single port number, than a tuple of them, where the tuple might change as implementation progresses.

  • For this middleware/library to be LOW OVERHEAD and trivially cross platform. I only touch Linux, but I've taken care, so far, to write cross platform code and use protocols and libraries which work on other platforms, and I'd hate to sacrifice that now.

What I'm considering/am aware of:

  • vtun?

    • overkill? it encapsulates at the IP (tun) or Ethernet (tap) layer, and I don't want all that. I just need to multiplex multiple TCP streams over one. Also, I have no idea if it works cross platform or how much work it would be to make it a library.
  • ssh?

    • even more overkill? Authentication is already handled out of band, so I'd need to disable all of that in ssh.. somehow. And encryption. I have no idea how easy it is to use as a library. Also using ssh SIMPLY for its port forwarding/multiplexing abilities seems bloated, but maybe I'm wrong.

TL;DR: I could write it myself, but what's a free and easy way to wrap multiple existing TCP-based services, both client and server (which I control the code of) so that they can use a single port number instead of several. I'm thinking something like socat except with fan-out.

Thanks for your time.
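As an added illustration (not from the post or from any of the projects it mentions), this is the framing layer any such multiplexer needs: every frame carries a stream id and a length so several logical streams can share one TCP connection, and the receiver reassembles frames correctly even when recv() hands back partial or coalesced data. The frame format and the stream-id-to-service mapping are constructed for this example; frames for an unregistered stream id are counted and dropped rather than dispatched.

```python
import struct

# Constructed frame format for this example (not any standard):
#   2-byte stream id | 2-byte payload length | payload   (all big-endian)
HEADER = struct.Struct("!HH")
MAX_PAYLOAD = 0xFFFF

# Hypothetical mapping of the poster's three services to stream ids.
STREAMS = {1: "vnc", 2: "devtools", 3: "custom"}


def encode_frames(stream_id: int, data: bytes) -> bytes:
    """Wrap bytes belonging to one logical stream. Data longer than one
    frame is split so the 16-bit length field never overflows; empty data
    still produces one zero-length frame."""
    if stream_id not in STREAMS:
        raise ValueError(f"unknown stream id {stream_id}")
    out = []
    for off in range(0, max(len(data), 1), MAX_PAYLOAD):
        chunk = data[off:off + MAX_PAYLOAD]
        out.append(HEADER.pack(stream_id, len(chunk)) + chunk)
    return b"".join(out)


class Demuxer:
    """Incremental decoder for the receiving side. feed() takes whatever the
    socket returned (partial frames included) and returns the frames that
    are now complete as (stream_id, payload) pairs. Leftover bytes are at
    most one incomplete frame, so memory stays bounded by the format."""

    def __init__(self) -> None:
        self._buf = bytearray()
        self.dropped = 0  # frames rejected because the stream id is unknown

    def feed(self, chunk: bytes) -> list:
        self._buf += chunk
        frames = []
        while len(self._buf) >= HEADER.size:
            sid, length = HEADER.unpack_from(self._buf)
            end = HEADER.size + length
            if len(self._buf) < end:
                break  # wait for the rest of this frame
            payload = bytes(self._buf[HEADER.size:end])
            del self._buf[:end]
            if sid in STREAMS:
                frames.append((sid, payload))
            else:
                self.dropped += 1
        return frames


def reassemble(chunks, demuxer=None) -> dict:
    """Feed a sequence of received chunks and return the bytes delivered to
    each logical stream, in arrival order."""
    demuxer = demuxer or Demuxer()
    streams = {}
    for chunk in chunks:
        for sid, payload in demuxer.feed(chunk):
            streams.setdefault(sid, bytearray()).extend(payload)
    return {sid: bytes(b) for sid, b in streams.items()}


if __name__ == "__main__":
    # Constructed sample traffic: one message per service on a single wire.
    wire = (encode_frames(1, b"RFB 003.008\n")
            + encode_frames(2, b'{"id":1}')
            + encode_frames(3, b"hello"))
    # Deliver it in 3-byte chunks to mimic arbitrary TCP segmentation.
    chunks = [wire[i:i + 3] for i in range(0, len(wire), 3)]
    for sid, data in reassemble(chunks).items():
        print(STREAMS[sid], data)
```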