Saturday, July 31, 2021

CAT6 bends ( Ubiquiti Access Point )

Hi Guys,

I run solid CAT6 23awg Plenum in my attic to two Ubiquiti APs.

I know solid shouldn’t be crimped but I didn’t want to add keystones and patch cords.

But I’m a little concerned about the bend/kink due to the design of the AP; the radius is pretty sharp.

Is that safe with PoE?

I enlarged hole for cable a little but that didn’t help much.

Feedback would be appreciated.

On another note, I would like to fill the hole around the drop with silicone or caulk so there is no air penetration. Any concerns with that? Potential damage to the wire, or maybe I should just use 3M fire-stopping caulk?

Or maybe there are some kind of grommets for this?



Network engineer interview soon, have some questions!

Hey everyone, I have a network engineer interview coming up this Monday. The job description highlights the following: network hardware, LAN, internet protocols, fiber and copper wiring standards, Ethernet, and wireless technologies.

I feel my weak points are the cabling/wiring standards and subnetting by memory. How likely is it that they’ll ask me subnetting questions even though it’s not explicitly stated in the description? Also, could anyone recommend any good study resources for wiring standards? Thanks a lot!



So what's the point with python for network automation?

I'm a CS student who's been interning at a rural ISP for a couple of years now. As of recently, I've been researching the roles of DevOps engineers and network administrators and the automation techniques and technologies that are used in the industries. What I find interesting about the two is that they both seem to have an emphasis on using traditional programming languages to automate tasks that they or others might do on a manual basis. I'm just having trouble finding a point with using a programming language over tools such as Terraform and Ansible. What kind of tasks can you do in Python that you couldn't do in the aforementioned tools? Being someone who is a fairly competent programmer (albeit in an unprofessional capacity) and works in IT, it just seems like a better idea to use tools that are specific to what is trying to be accomplished, especially if tasks can be expressed in a more declarative manner and the implementation can be left up to the maintainers of the tools. I haven't actually used Terraform or Ansible before, but seeing how they're used, suggesting the use of Python seems like we're teaching people to reinvent the wheel each time they want to automate a task.



Terminology question about internet redundancy

Can someone here help me remember a networking term?

The internet (TCP/IP) was designed such that if one section of it went down, it would re-route to other parts and keep working.

There was a term for this. I don't remember if it had the word "redundancy" in it, but it might. Can anyone help? Thanks.



Spineless EVPN fabric design

Hi All

For cost purposes, I am working on a design to build out a network, but I would like to leverage EVPN for the setup as it has several advantages, one of them being able to use a distributed anycast gateway. The following was going to be my proposal:

https://ibb.co/0fvD6W0

I need to connect servers to the RR1 and RR2 and this will also connect upstream to a firewall via L3 BGP. On RR clients A, B, C, additional servers will be connected and I wanted to be able to use the distributed anycast gateway as well on them.

I have had several outages in regards to spanning tree, not to mention at times vendor incompatibility as well, and have decided we no longer need to depend on this legacy technology any further.

Any help or advice, if you see any problems with the setup or improvements that could be made, would be much appreciated.



What types of networking related questions might I expect for a Java backend engineer interview?

I have an interview round coming up where they'll be quizzing me a little on networking knowledge. I don't know how advanced it'll get. At my job, all networking is handled through the cloud so I'm definitely going to need to study up on concepts.

I found a resource online: https://www.softwaretestinghelp.com/networking-interview-questions-2/

Not sure if these questions cover what I should know?



Help! TCP / UDP port forwarding. Internal vs External port?

Currently trying to go over some Port Forwarding to play COD Warzone. I've been unable to play since a year ago, went over some posts and apparently the issue is something related to port forwarding.

However, even though I made it to my router security settings where I can set up the port forwarding, I don't understand the ports that I'm given:

TCP: 1935, 3478-3480

UDP: 3074, 3478-3479

It wants me to provide a Start - End port, and a Protocol (TCP, UDP, or both).

Not sure how to go about it. Tried using the 3074 value in both (start and end input), but it did not work. Also tried Start: 3478, End: 3480, using the "Both" protocol, but apparently it did not work.

I have no way to know if I'm doing it the wrong way, or if it's not working at all.



I would like to design a system for my camper van.. don't know where to start

I'm trying to decide on a system for my camper van and have been looking at some options. I really like the Cradlepoint R1900 router with the RX30-MC for dual modem support, but for over $2000 USD that's just a joke: too expensive, but it has everything I'm looking for. I also like the Peplink Transit Duo Cat 12 but will need to provide my own WiFi as it's not WiFi 6 (yes, I've actually been to places where WiFi 6 made a huge difference). I don't know of anything dual modem that's Cat 18 or 20 except for the R1900, so I might be left with Cat 12 (I just want Cat 18 or 20 for future proofing). But mostly my demands require me to load balance 3 SIMs (AT&T and Verizon internal, and T-Mobile/Sprint as WiFi-as-WAN / WAN hardwire). I really don't need many LAN ports as most everything is WiFi, but I will need everything to be able to run on 12V without any 12V to 110V inverters or PoE. Any suggestions?



Ping - ICMP

I just put up a continuous ping to a destination which sent around 180 thousand packets. The result shows 0% loss because only 75 packets got dropped. Is this acceptable? Or is it something that needs to be checked?



PPPoE Security

I hope this is the correct place to ask this. We firstly need “PPPoE credentials” to connect to a service provider (ISP), and then it connects to a modem and then finally to a router; then lastly internet is provided to devices. My question is: let’s say someone somehow gets hold of the PPPoE login credentials (where the password is only changeable upon request to the ISP), can they (the hacker or whoever has the PPPoE login credentials) hack into our internet traffic, such as connected devices, access our PC or connected devices, or access our router? Thanks in advance, boys!



Cisco - tcp port 53 open...

Good morning,

I do normally run a quick nmap on my external after a deployment, but for whatever reason I decided not to until this morning (go figure).

I have a Cisco router w/ a PPPoE DSL connection with a static IP.

I ran an nmap and I see port 53 (tcp) is open externally -- great. I can telnet to 53, I can do an nslookup using this IP, etc. -- which is less than ideal.

The router has "no ip domain-lookup" enabled, and when I do a "show control-plane host open-ports" -- port 53 is not listed.

Active internet connections (servers and established)
Prot  Local Address  Foreign Address  Service         State
tcp   *:22           *:0              SSH-Server      LISTEN
tcp   *:23           *:0              Telnet          LISTEN
tcp   *:22           i.p.i.p:1026     SSH-Server      ESTABLIS
udp   *:67           *:0              DHCPD Receive   LISTEN
udp   *:123          *:0              NTP             LISTEN
udp   *:4500         *:0              ISAKMP          LISTEN
udp   *:500          *:0              ISAKMP          LISTEN

Additionally, I have an ACL on the dialer1 interface (inbound) with the following:

!
ip access-list extended OutIn
 remark *** Guards ***
 permit tcp any any established
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 remark *** Tunnel ***
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 remark *** Management ***
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any traceroute
 permit tcp any any eq 22
 remark *** Deny ***
 deny ip any any log
!

And yet -- 53 remains open (externally) and nslookup still works perfectly.

How is this even possible?

Note: If I reboot the router and try pinging the IP, it does go offline -- so it's not an incorrect IP with false positives or anything like that.

Thank you!
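An added example (not code from the post or from Cisco) that models how the poster's OutIn list is evaluated, first match wins, assuming the documented IOS semantics that "established" matches only TCP segments carrying ACK or RST. Run against the list, an inbound SYN to TCP 53 falls through to the final deny while an ACK-flagged segment to 53 is permitted by the established line, which is why a scanner's SYN should not be getting through this ACL if it is really applied inbound on the interface the scan reaches.

```python
"""Added example (not code from the post or from Cisco): first-match evaluation
of the poster's "OutIn" extended ACL, assuming the documented IOS semantics
that "established" matches only TCP segments with the ACK or RST flag set."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Copy of the ACL from the post (remark lines omitted).
OUTIN_ACL = """
ip access-list extended OutIn
 permit tcp any any established
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any traceroute
 permit tcp any any eq 22
 deny ip any any log
"""
NAMED_PORTS = {"isakmp": 500, "non500-isakmp": 4500}      # IOS port keywords
ICMP_KEYWORDS = {"echo", "echo-reply", "time-exceeded", "unreachable", "traceroute"}

@dataclass(frozen=True)
class Packet:
    proto: str                                   # "tcp", "udp", "icmp", "esp"
    src: str
    dst: str
    dport: Optional[int] = None
    flags: FrozenSet[str] = field(default_factory=frozenset)   # TCP flags
    icmp_type: Optional[str] = None

@dataclass(frozen=True)
class Rule:
    action: str                                  # "permit" or "deny"
    proto: str                                   # "ip" matches every protocol
    src: str                                     # "any" or a host address
    dst: str
    dport: Optional[int] = None
    established: bool = False
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        # "established" is a flag check only; no connection state is kept.
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return self.icmp_type is None or self.icmp_type == p.icmp_type

def _addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Parse 'any' or 'host A.B.C.D' at index i; return (addr, next index)."""
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return "any", i + 1

def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("!", "ip", "remark"):
            continue                              # header, comment or remark
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        dport, established, icmp_type = None, False, None
        while i < len(tok):
            t = tok[i]
            if t == "eq":
                dport = int(tok[i + 1]) if tok[i + 1].isdigit() else NAMED_PORTS[tok[i + 1]]
                i += 2
            elif t == "established":
                established, i = True, i + 1
            elif t in ICMP_KEYWORDS:
                icmp_type, i = t, i + 1
            else:
                i += 1                            # "log" does not affect the match
        rules.append(Rule(tok[0], tok[1], src, dst, dport, established, icmp_type))
    return rules

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """(action, index) of the first matching rule, or the implicit deny (-1)."""
    for idx, r in enumerate(rules):
        if r.matches(p):
            return r.action, idx
    return "deny", -1
```

The model has no state table, so it also shows the known limit of "established": any segment with ACK set is let in regardless of whether a session exists, which is one reason to confirm with "show ip access-lists OutIn" that the deny counter actually increments during a scan.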



Looking for good books to learn networking from.

I want to learn about computer networks; I know next to nothing about them. I want to learn stuff like what DNS is, what a MAC address is, what "NAT vs bridged" is, how servers and clients form the internet, how websites work, what HTTPS and SSH are, how computers can connect to other computers using that, and stuff like that.

What are some good "intro to networking" books that you recommend? And more advanced books after that one?



Layer 2 issue with new switch setup

Hello,

I generally work with Fortigates and Fortiswitches, but recently got involved with a project that involved Brocade, Arista, and Mellanox switches.

Topology link: https://ibb.co/sg8WY2j

I am adding the middle 40Gbps Mellanox MLAG switches to carry traffic between the 40Gbps Aristas on either side. I thought by setting the links between the Aristas and Mellanox to only carry VLAN 40 as an access port and removing VLAN 40 from the trunk links going between Aristas and Brocades, that I would prevent any looping issues. I was apparently wrong. When we connect both Arista stacks to the Mellanox stack, the entire network goes down. I have modified the priority of the top center brocade stack to make it always be the STP root for the network, but that didn't make any difference. I think the Aristas and Mellanox are running MSTP and the Brocades are running PVSTP. Can you wonderful folks help point me in the right direction for troubleshooting this L2 issue using these different types of devices? I have spent going on 4 or 5 hours on this and haven't been able to make any progress. I can try to answer all questions to the best of my ability. The majority of my experience is with firewalls/VPNs/UTM etc, L2 and STP are not among my strengths.



Friday, July 30, 2021

MikroTik and Ruckus Gear

Hi,

I have recently come into possession of a bunch of Ruckus and MikroTik gear; just wondering if anyone is interested? I know it could be a bit dated, but it may serve some use for someone.

I have 2 Ruckus Zone Director 3000 new in box, 2 used Zone Director 1100 (1 with 6 licensed APs and one with 25 APs Licensed)

- MikroTik SXT Lite 5 - new in box
- MikroTik Metal outdoor APs - new in box
- 33 x Ruckus 7372 (used) 9/10 condition
- 8 x Ruckus 7982 (used) 9/10 condition
- 40 x Xirrus XR-500 (3 Port Wall Switch) - new in box



About to join Palo Alto TAC, any advice?

I am currently working at an ISP called GTT Communications; some of you might have heard about it. Although it's a tier 1 provider, they have tons of legacies which are basically ancient in nature.

I got selected based on my knowledge in MPLS, BGP and IP transport technologies.

I have worked on FortiGates and a little bit on Juniper SRXs, but I am clueless about Palo Alto as we don't use them anywhere.

I want to be prepared for the challenges and avoid imposter syndrome.

Experts, your wisdom would be really helpful.



Looking for Information on the Addresses 0.0.0.132 and 0.0.0.0

My networking knowledge is rather limited although I do have some, but recently while playing a browser game, the page was redirected to https:// 0.0.0.132, which did not connect as it's not a public address. Note that this was not on page load, the site had been up and running just fine for a while.

I've asked around a bit, including r/techsupport, and learned that 0.0.0.132 is not a valid publicly routable IP address. I found the Wikipedia article for 0.0.0.0, a similar address. Also, the site I was on did not have any odd code ( https:// jacorb90.me/DistInc.github.io/main.html ).

However, I'm still puzzled by what would cause such a redirect. I wasn't interacting with the page at the time, it was on a completely different screen.


I hope that maybe someone with experience in the networking field could shed some light on what could cause such a thing:

  • Anyone with a slightly similar experience?

  • Or is such a redirection a common fallback or failure mode?

  • Are these addresses used when setting up networks in any way?

  • Could such an address be used maliciously?

This is just a particularly odd occurrence, as I've never seen something like this. I've seen legit sites redirect due to bad ads and blank pages even, but I've never seen a website redirect to a local IP address.



NetBox with Nagios Core ?

Hello,

I want to ask if there is any way to connect NetBox with Nagios Core?

I have all my devices on my Nagios Core and I have my IP addresses added to NetBox. Can I connect them together?

Best Regards



MPLS replacement

I have 6 sites that are connected using dark fibre and PRIVATE MPLS (used to keep traffic isolated like VRFs). Each site has a PE and CE. I would like to replace this with something like VXLAN and reuse the dark fibre since we own it. These sites are small and I only want to have 2 switches at each site. This is a fibre ring and each site should be in a different VRF to one of the sites that is the DC. SD-WAN is definitely a good choice, but the licensing for SD-WAN bandwidth is expensive. Is there another way using a Cisco DNA-like solution? A solution that is simple for operations and has a nice GUI is also a requirement.



Cisco Lab images

Anyone know a good site where I can get free images for switches, routers, and firewalls?

por favor!!1



Dragon Ball Super fan animation.South Park fan animation. Dragon Park Su...

Please, if anyone is interested in parody anime, then check out this show that a friend and I have been working on called Dragon Park Super. It's on my YouTube channel, which is not at all popular. So if any of you can, I'd really appreciate it if you guys... and girls can please hit that like and subscribe button.



Palo Alto can only suppress inter-area routes

Since the title is the problem I'm facing, what is the best practice? I have a Palo Alto connected to an ABR. The ABR is connected to three other backbone switches. They are all in area 0. I would like to keep it that way, but it seems like I would have to add an area to the backbone. I'm using a VRF setup and trunking the VRFs on VLANs to the Palo Alto through the area 0 backbone switches.

Would I be wrong to just make another area? Logically it seems like it would be confusing to troubleshoot later. I'm trying to keep the routing tables small. Right now, the VRFs have the full routes, but the firewall is in the middle stopping it.

EDIT: Thinking about it again. Maybe I should just use area 0 for the management, etc. Then create other areas for the VRFs. I just don't want my coworker yelling at me when he tries to troubleshoot this. Trying to keep it simple logically.

EDIT1: I'm limited by using VLANs on the switching and routing side. No MPLS.



How to enable level 1-2 desktop team members to make minor network changes without giving them too much access?

It's a reasonable request: the desktop team wants to be able to make minor changes like changing the VLAN assignment on a physical port. However, I don't want them to be able to create VLANs, or layer 3 interfaces, or change assigned VLANs on trunks. I certainly do not want them touching routing or the spanning tree protections in place. How have other folks worked with this? We do have DNA in place, and RADIUS 2FA with Duo in place. I do not mind standing up an open source thing on a Linux box if such a thing exists. Any thoughts?



Cannot ping IP address of switch unless it's assigned to VLAN 1

I have an Adtran NetVanta 1531P. This switch uses AOS - *very* similar to Cisco IOS.

The switch's port Gigabit 0/10 is connected to my Windows laptop. The laptop Ethernet port is statically assigned 100.100.60.199/24.

(I have attached my 1531P config as an image to this post.)

If I assign IP address 100.100.60.97/24 to "VLAN 1", I can ping it from the laptop.

However, if I instead assign the IP address 100.100.60.97 to "VLAN 901", I cannot ping it.  Even setting "switchport mode trunk" on port Gigabit 0/10 makes no difference.

What am I missing?  Thanks so much. --Walter

Here is the configuration on the switch:

! ADTRAN, Inc. OS version R11.10.4
! Boot ROM version R11.2.0.B2
! Platform: NetVanta 1531P, part number 1700571F1
! Serial number LBADTN1704AP198
!
!
hostname "AIB-SANDBOX-AS3"
!
!
!
ip subnet-zero
ip classless
ip routing
!
!
ip route-cache express
!
no auto-config
!
event-history on
no logging forwarding
no logging email
!
no service password-encryption
!
!
!
!
!
!
no dot11ap access-point-control
no dos-protection
no desktop-auditing dhcp
no network-forensics ip dhcp
!
!
!
!
!
!
!
!
!
vlan 1
  name "Default"
!
vlan 901
  name "VLAN0901"
!
interface gigabit-switchport 0/1
  no shutdown
!
interface gigabit-switchport 0/2
  no shutdown
!
interface gigabit-switchport 0/3
  no shutdown
!
interface gigabit-switchport 0/4
  no shutdown
!
interface gigabit-switchport 0/5
  no shutdown
!
interface gigabit-switchport 0/6
  no shutdown
!
interface gigabit-switchport 0/7
  no shutdown
!
interface gigabit-switchport 0/8
  no shutdown
!
interface gigabit-switchport 0/9
  no shutdown
!
interface gigabit-switchport 0/10
  no shutdown
  switchport mode trunk
!
interface gigabit-switchport 0/11
  no shutdown
!
interface gigabit-switchport 0/12
  no shutdown
!
!
!
interface vlan 1
  no ip address
  ip route-cache express
  no shutdown
!
interface vlan 901
  ip address 100.100.60.97 255.255.255.0
  ip route-cache express
  no shutdown
!
!
!
!
!
no tftp server
no tftp server overwrite
no http server
no http secure-server
no snmp agent
no ip ftp server
no ip scp server
no ip sntp server
!
!
!
!
!
snmp-server engine local 800002980300a0c8123456
!
!
!
!
line con 0
  no login
!
line telnet 0 4
  login
  no shutdown
line ssh 0 4
  login local-userlist
  no shutdown
!
!
!
!
end



IAAS VS PAAS for a dummy.

Just as the title suggests. I am trying to get my A+ and I just can't seem to understand the difference between platform as a service and infrastructure as a service. You are essentially renting hardware from both, right? So... can someone explain this to me the way that Oscar explained surpluses to Michael in The Office, like I'm 5 years old. Thank you.



Is this DNS amplification?

We have authoritative DNS servers for our public domain in our DMZ that are being hit with some DNS requests for a domain that we do not own. UDP traffic, src port 80, dst port 53. My DNS servers are responding with "Refused RRSIG" for the domain being requested.

I've confirmed via https://openresolver.com/ that my DNS servers are not recursive resolvers.

I do see some other traffic similar to this (UDP, src port 80 and dst port 53) that Snort drops as DNS amplification attacks, but not this one, for example.

I'm considering blocking anything source port 80 and destination port 53 to these DNS servers.

Should I be considering something else?
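An added example (not code from the post, from Snort or from any DNS product) of the triage a defender would run over such traffic: per source, it counts queries from a well-known source port, queries for zones the servers do not own, and the bytes-out/bytes-in ratio the server actually delivered. The log format, field names and all addresses are constructed for this example.

```python
"""Added example (not code from the post, Snort or any DNS product): triage of
UDP/53 queries that arrive from source port 80, over a constructed log sample.
The key=value log format and field names are assumptions made for this example."""
from collections import defaultdict
from typing import Dict

# Constructed sample, one query/response pair per line. 198.51.100.53 is an
# authoritative server for example.com; victim.example.net is a zone it does
# not serve, so the server answers REFUSED (as the poster observes).
SAMPLE_LOG = """
src=203.0.113.7 sport=80 dst=198.51.100.53 dport=53 qname=victim.example.net qtype=RRSIG rcode=REFUSED qlen=52 rlen=52
src=203.0.113.7 sport=80 dst=198.51.100.53 dport=53 qname=victim.example.net qtype=RRSIG rcode=REFUSED qlen=52 rlen=52
src=203.0.113.7 sport=80 dst=198.51.100.53 dport=53 qname=victim.example.net qtype=ANY rcode=REFUSED qlen=48 rlen=48
src=192.0.2.10 sport=41234 dst=198.51.100.53 dport=53 qname=www.example.com qtype=A rcode=NOERROR qlen=44 rlen=60
src=192.0.2.11 sport=53812 dst=198.51.100.53 dport=53 qname=example.com qtype=DNSKEY rcode=NOERROR qlen=40 rlen=1180
"""
OWNED_ZONES = ("example.com",)


def parse_line(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def in_owned_zone(qname: str) -> bool:
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in OWNED_ZONES)


def triage(log: str) -> Dict[str, Dict]:
    """Per-source summary: query count, queries from a well-known source port,
    queries for zones we do not own, and the bytes-out/bytes-in factor."""
    per_src = defaultdict(lambda: {"queries": 0, "low_sport": 0, "foreign": 0,
                                   "qbytes": 0, "rbytes": 0})
    for line in log.strip().splitlines():
        f = parse_line(line)
        if f.get("dport") != "53":
            continue
        s = per_src[f["src"]]
        s["queries"] += 1
        # Resolvers send from ephemeral ports; a well-known port such as 80 is
        # a strong sign of crafted packets with a spoofed source address.
        if int(f["sport"]) < 1024:
            s["low_sport"] += 1
        if not in_owned_zone(f["qname"]):
            s["foreign"] += 1
        s["qbytes"] += int(f["qlen"])
        s["rbytes"] += int(f["rlen"])
    out = {}
    for src, s in per_src.items():
        factor = round(s["rbytes"] / s["qbytes"], 2)
        if s["low_sport"] and s["foreign"] == s["queries"]:
            # The server is being used as a reflector; whether it is also an
            # amplifier depends on how much bigger the answers are.
            verdict = "spoofed reflection, " + ("amplified" if factor > 1.0 else "not amplified")
        else:
            verdict = "normal"
        out[src] = {**s, "amp_factor": factor, "verdict": verdict}
    return out
```

Blocking source port 80 to destination port 53 stops this particular pattern, but the DNSKEY line shows that answers for zones you do own can still be large; response rate limiting (RRL) on the authoritative servers is the usual control for that.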



No relay, different networks, still getting DHCP renewals

We are replacing our DHCP server in a location with multiple VLANs. The DHCP server is on VLAN 30, and the clients in question are on VLANs 10, 15 and 40. My understanding is that you'll always need a DHCP relay for a DHCP server on a different network than the client. A relay is set up for VLANs 15 and 40, but there wasn't a relay set up for VLAN 10. VLAN 10 is phones that are all tagged traffic. VLAN 40 is untagged traffic.

Just to be sure, I am waiting on our vendor to confirm that the phone equipment isn't doing the relay. If they are doing the relay, they haven't changed the relay yet. However, I have seen since the migration to the new server and deauthorization of the old server that those clients that appear not to have a DHCP relay to the new server are still renewing leases. Is there something I am missing here? How would VLAN 10 still be getting address renewals if there is no relay set up to the new server?

This network was inherited from an MSP, and my manager has told me they had issues with this specific location before relating to phones. But unfortunately they also didn't document anything, so I have no idea what the issues were and what they did to resolve them. My guess is QoS was set up to ensure the VoIP quality, based on conversations about what the issues were from an end user perspective.



Question regarding WiFi channels for adjacent access points

I'm aware that WiFi channels for adjacent access points should be alternated to avoid overlap interference; however, I also read somewhere that they should be alternated between 2.4 GHz and 5 GHz. This doesn't seem right to me: the two frequencies have different advantages and disadvantages, so I don't imagine it would be a good idea to alternate between them for adjacent access points.

Is anyone able to shed any light on this? I did some Googling and couldn't find anything addressing this specifically.

Thanks!



802.1x per user ACL or VLAN steering with Aruba/Clearpass

Hi All,

I have a new client that is all Aruba networking gear. I've determined that all users authenticate to WiFi using 802.1X through a ClearPass controller using AD creds. Currently, all users who connect to WiFi are connecting to the same VLAN with full network access to all networking gear and servers. Most users do not need network access to those devices. The client will not allow a separate SSID to be created at this time (this is possible, but they want to investigate other options first). So, I am looking into some sort of VLAN steering upon authentication, or perhaps a per-user ACL. It appears this may be possible using policies in ClearPass. I have no past Aruba experience, so ClearPass and AirWave are new to me. Most of my experience has been with Cisco and Meraki WiFi products. If someone has a similar situation it would be helpful to see how you dealt with it, or what options I have with ClearPass.

Thank you



What is your favorite 2FA provider?

For us 2021 is the year where the security trends are "clicking" in the heads of most customers, and we see a real increase in them wanting to comply with modern standards.

We are still exploring what the best 2FA is when looking at features/TCO. Right now we're looking at Cisco Duo and it looks quite easy to integrate; I have yet to test it. Previously I worked with RCDevs, but they proved unreliable, as push notifications were sometimes not arriving.

I wanted to ask you guys, what are you implementing, and what are your experiences?



Checkpoint Reporting on Firewall and NAT Rules

Hi,

We need a management report of the firewall and NAT rules. I want to save the "Firewall-NAT" page to a PDF, but they want something a bit more "readable".

Thanks,



Any good tool to test the PoE ports on a switch?

Hello, I want to check that the PoE ports are working well.

Currently I'm testing the ports with a device like an access point and seeing if they start lighting green.

Is there any good tool I can use instead to check if it delivers the correct wattage etc.?



6509 VSS cluster error msg.

Hello guys,

Been trying to find an answer, but no luck so far..

I've been getting messages in my log looking like this:

%EARL-SW2-1-EXCESSIVE_PARITY_ERROR: EARL 0: Parity error detected in VRAM

This is spamming the log, because I run an older firmware with a lovely bug, so it makes the system unstable.

With this error I know only a reload and reseat of the affected card helps. But I'm really not sure which card it is giving me this error on.

I'm aware it is switch 2 in my VSS, but which module?

Since it says no DFC, is it just the supervisor?



High ping despite HQ fiber connection (total noob)

Hi

I just got a fiber connection from Orange, wired with CAT 6 cable, which looks really nice on speedtest:

https://www.speedtest.net/result/11804192046

Despite that, my ping in CSGO is really high: on French/German servers it's on average 90, which, as you might know, makes it really hard to play and shouldn't be possible with those speed test results IMO.

Things I've done that didn't help: update drivers on my network card (Realtek PCIe GbE Family Controller), disable the Windows firewall, set network to unrestricted in CSGO, reinstall CSGO...

So is there a way to reduce my ping? Maybe my network card is badly configured; I really don't know much about that stuff...

Thx for help, cheers.



Thursday, July 29, 2021

Separate Video Camera Subnet

End goal is to get my cameras off the main network for security. Can't use a VLAN this time. I have 8 video cameras connected to a PoE switch which is currently connected to the NVR. I access this NVR through a cloud VMS, so it has 2 NICs: one connected to the main router. The other NIC I'm planning to connect to a cheap router that will sit between the NVR and the PoE switch. I can't seem to find out if this will work without buying them and plugging it all in. Will this be plug and play? Or will I need to configure the router for DHCP? The IPs don't have to be static for my VMS.



NEXT@Remote vs FEXT

Had a NEXT failure today at the end of the day. Twisted myself up to get inside the cabinet to re-terminate what looked like a perfect termination. Same failure after testing again. I looked closer and noticed the failure was "NEXT at Remote".

Does NEXT at remote = FEXT?



Configuring Multicast

Trying to better understand multicast. I have a device / server that is supposed to transmit multicast data. It's configured as:

Multicast IP Address: 239.192.31.31
Multicast Port Number: 14001
Local UDP port connections are to use: 14000
Number of upstream hops allowed for multicast packet: 1

I set up a Raspberry Pi with Node-RED. Added a "UDP In" node configured:

Listen for "multicast messages"
Group: 239.192.31.31
On Port 14001 using ipv4
Output "a String"

then wired that to a debug node.

But I'm not getting any output. I'm not sure if the server or the Node-RED node just isn't configured correctly, or there is some other issue. Do the above settings look right?

I've disabled IGMP snooping on my UniFi switch. I've also tried the Node-RED UDP In node with port 14000.



BGP and OSPF review materials or lab recommendations

I passed my CCNP more than a year ago, but have not had a chance to work on BGP or OSPF outside basic configuration. I wonder if you know good review material or labs that I can use to refresh and retain my skills.

Thanks



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Peering with MPLS provider BGP? OSPF?

I'm curious how most people peer with their MPLS provider: BGP or OSPF? We've done both at different times for different reasons, BUT with our SD-WAN rollout Cisco doesn't support redistributing replicated routes into BGP... so I'm thinking of switching back over to OSPF to avoid having to put in hundreds of static routes and then redistributing them into BGP.

Do most shops peer using OSPF? Or BGP? Also, do you use one area? One AS?



Weird DHCP issue with wireless

We've got a corporate VLAN 1 on a Cisco 3650 switch with a DHCP pool configured on a Cisco ISR4321. Both devices are interconnected. On the switches, I've got a Meraki AP with a corporate SSID that utilizes the VLAN 1 DHCP.

Comcast ------ ISR ------ 3650 ------ Meraki AP

Everything worked perfectly until there was a bad storm that killed the connection overnight. Things came back up, but now some corporate laptops get DHCP from VLAN 1 (10.40.10.0), which is good, and some get DHCP directly from the Comcast modem behind the ISR. The weird part is, for the users that get the Comcast IP (10.1.10.0), it shows they are connected to the corporate SSID; how is that possible? And how do I get rid of that? I tried rebooting everything, clearing DHCP, etc. It's almost as if it's cached on the laptops' end. Laptops were rebooted as well.

I will get more time to troubleshoot tonight, just trying to get ideas. I could turn off dhcp on the Comcast modem but the ISR gets dhcp from 10.1.10.0 on the outside interface, any ideas?



Looking for literature recommendations on enterprise networks and telecommunications

I would like to learn more about the following things:

  • SAML protocol and authentication flow
  • RADIUS authentication
  • TLS, mTLS & x.509 PKI
  • most common cryptographic patterns, e.g. using KMI (such as AWS KMS) for storing private keys, doing encrypt-then-HMAC to ensure the integrity of the message, etc.

Is there a good textbook that covers any of this in a concise way, or should I just lurk online articles, standards & documentation?



Confused between copper straight-through and crossover cables

I've been confused about the devices a straight-through and a crossover cable would be used for, because I have been under the assumption that straight-through is used for unlike devices (router to switch) and crossover is used between like devices (router to router). I keep seeing people using crossovers between unlike devices, but others using STs on like devices. So I was just wondering if anyone could clarify for me which cable would be the correct one to use in a network between devices? Still kind of a newbie to all this.



Static mDNS-SD records on a Cisco WLC

First off, I'm not an expert on mDNS by any stretch of the imagination, so apologies if I get some of the terminology incorrect. TL;DR - Is it possible to create something approximating a static mDNS record that a WLC can cache and serve to clients, essentially saying "XYZ service is available at 1.2.3.4", irrespective of whether 1.2.3.4 has actually advertised that service?

I'm having a problem with a server that is supposed to serve AirPrint queues to wireless devices querying for them--essentially, the server is a wired client on an otherwise wireless subnet that serves up AirPrint queues. When things are working, the WLC sees the mDNS advertisements of these queues, and makes them available to iDevices and other things that query for ipp/ipps (AirPrint).

Initially, we ran into a problem with the server not sending out advertisements. I read through the mDNS RFC and I think I determined why that was occurring--I believe the RFC states that devices should not forward out unsolicited advertisements of available services, but should only respond to queries for those services, possibly to cut down on network traffic (no sense in a device spamming out that it supports GoogleCast if there isn't anything trying to cast content).

We have global multicast shut off, and if I understand the documentation correctly (https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/210835-Troubleshooting-mDNS.html), that means mDNS queries from clients remain local to the access point they're attached to, or maybe to APs in the near proximity--that way if you're sitting in conference room 101 in Building A, you only see the Apple TV in that room; you don't see the Apple TV that's in conference room 203 in Building E a half mile away.

Since the print server is a "wired" client, and global multicast is disabled, it's essentially positioned such that it's never going to receive a query from a client; if it only responds to received queries and it never receives a query, it'll never advertise the AirPrint queues, and they'll never be cached on the WLC and thus never be available to wireless clients. To address this, we attached a wired client to the otherwise wireless network and set it up to periodically send out queries for AirPrint; since it was a wired client, its multicast traffic would not be subject to the limitation of having global multicast disabled.

(As an aside: I've since seen in packet captures that the WLC actually periodically sends out queries for mDNS services on its wired interfaces, and the documentation linked above states as much: "When mDNS is enabled globally, the controller sends mDNS queries to 224.0.0.251 for all the services on wired (management and dynamic interfaces) and wireless network." That would seem to suggest the wired client is wholly unnecessary in terms of getting the mDNS server to respond to queries, but that's a challenge for another time.)

The above solution sort of worked for a while, but I'm finding lately that the print server doesn't seem to reliably send out AirPrint advertisements, even when I can see in packet captures that the wired client (and the WLC) are sending queries. It's probably not an ideal solution and I may be falling into an xy problem trap, but is there a way on the WLC to create something like a static mDNS record? What I mean is, instead of depending on the server at 1.2.3.4 to send out advertisements of AirPrint services for the WLC to cache and serve to clients, is there a way to explicitly configure an entry on the WLC saying "IPP/S queue ABC is available on 1.2.3.4" and serve that to clients? I know that runs the risk of advertising a service as available when it really isn't because of some unrelated issue on the server, but I just want to see what options are available.
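To check whether the print server answers queries at all, independent of the WLC, here is an added example (not from the original post) of the kind of prober the wired client above was doing by hand: it builds the mDNS PTR query for the AirPrint service types, and parses the PTR answers a server returns. The group/port are RFC 6762 values; the sample response used for offline testing is constructed.

```python
import socket
import struct

MDNS_GROUP = "224.0.0.251"       # IPv4 mDNS multicast group (RFC 6762)
MDNS_PORT = 5353
TYPE_PTR = 12
CLASS_IN = 1
AIRPRINT_SERVICES = ("_ipp._tcp.local", "_ipps._tcp.local")


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: length byte, label bytes, final NUL."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(services=AIRPRINT_SERVICES) -> bytes:
    """One mDNS query with a PTR question per service type.
    Transaction ID 0, no flags; QU bit clear so answers come back multicast."""
    header = struct.pack("!HHHHHH", 0, 0, len(services), 0, 0, 0)
    questions = b"".join(
        encode_name(s) + struct.pack("!HH", TYPE_PTR, CLASS_IN) for s in services
    )
    return header + questions


def decode_name(packet: bytes, offset: int):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_ptr_answers(packet: bytes) -> dict:
    """Return {service_type: [instance_name, ...]} from a response's answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:                              # QR clear: a query, not a response
        return {}
    offset = 12
    for _ in range(qdcount):                            # skip echoed questions, if any
        _, offset = decode_name(packet, offset)
        offset += 4
    found = {}
    for _ in range(ancount):
        name, offset = decode_name(packet, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == TYPE_PTR:
            instance, _ = decode_name(packet, offset)
            found.setdefault(name, []).append(instance)
        offset += rdlength
    return found


def build_ptr_response(service: str, instance: str, ttl: int = 4500) -> bytes:
    """Constructed answer shaped like a print server's reply; used for offline testing."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)   # QR and AA set
    rdata = encode_name(instance)
    rr = encode_name(service) + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, ttl, len(rdata))
    return header + rr + rdata


def probe(timeout: float = 2.0) -> dict:
    """Send the query to the mDNS group and collect PTR answers until the timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)   # link-local only
    sock.sendto(build_query(), (MDNS_GROUP, MDNS_PORT))
    seen = {}
    try:
        while True:
            data, _ = sock.recvfrom(9000)
            for svc, names in parse_ptr_answers(data).items():
                seen.setdefault(svc, []).extend(names)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return seen
```

Run probe() from a host on the print server's segment; an empty result while a packet capture shows the query leaving narrows the fault to the server rather than the WLC cache.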



Dell PowerSwitch N2048 Stack Firmware Help

Hello! We have 3 N2048s stacked that we need to update the firmware on. However, even after a successful upload and stack transfer, the firmware is not reflected in show version. I've reloaded the stack as well, but still the same problem.

Latest Firmware Available: 6.7.0.4.

STACK>show bootvar

Image Descriptions

 active :
 backup :

Images currently available on Flash

unit  active       backup       current-active    next-active
----- ------------ ------------ ----------------- -----------------
1     6.3.2.3      6.3.2.3      6.3.2.3           6.3.2.3
2     6.3.2.3      6.3.2.3      6.3.2.3           6.3.2.3
3     6.3.2.3      6.3.3.9 *[?]* 6.3.2.3           6.3.2.3

~~

STACK#show version

Machine Description............... Dell Networking Switch
System Model ID................... N2048P
Machine Type...................... Dell Networking N2048P
Serial Number..................... TW0RHVDVDNG000710658A01
Manufacturer...................... 0xbc00
System Object ID.................. 1.3.6.1.4.1.674.10895.3056
SOC Version....................... BCM56340_A0
HW Version........................ 5
CPLD Version......................

unit active      backup      current-active next-active
---- ----------- ----------- -------------- --------------
1    6.3.2.3     6.3.2.3     6.3.2.3        6.3.2.3
2    6.3.2.3     6.3.2.3     6.3.2.3        6.3.2.3
3    6.3.2.3     6.3.2.3     6.3.2.3        6.3.2.3

~~

STACK#copy tftp://10.0.20.4/N2000Stdv6.7.0.4.stk backup

Transfer Mode.................................. TFTP
Server IP Address.............................. 10.10.10.10
Source File Path............................... ./
Source Filename................................ N2000Stdv6.7.0.4.stk
Data Type...................................... Code
Destination Filename........................... backup

Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y

TFTP Code transfer starting...
29018779 bytes transferred
File contents are valid.
Copying file to flash...
Attempting to send the STK file to other units in the stack...
STK file transfer operation successful.
All units updated code.

then

STACK#show version

Machine Description............... Dell Networking Switch
System Model ID................... N2048P
Machine Type...................... Dell Networking N2048P
Serial Number..................... TW0RHVDVDNG000710658A01
Manufacturer...................... 0xbc00
System Object ID.................. 1.3.6.1.4.1.674.10895.3056
SOC Version....................... BCM56340_A0
HW Version........................ 5
CPLD Version...................... 17

unit active      backup      current-active next-active
---- ----------- ----------- -------------- --------------
1    6.3.2.3     **6.3.2.3** 6.3.2.3        6.3.2.3
2    6.3.2.3     **6.3.2.3** 6.3.2.3        6.3.2.3
3    6.3.2.3     **6.3.2.3** 6.3.2.3        6.3.2.3

So even with a successful upload and distribution of the firmware to the stack, the current firmware is still the one listed. I am new to managing the PowerSwitches but I am just going off the PDF detailing the process contained in the firmware download zip. I am connected via telnet and not console. Stack looks good.



Best way to document VLANs in a large network?

Greetings all,

I work at an ISP and I'm wondering what is the best way to document VLANs in a way that is easy to visualize. With lots of VLANs coming and going between devices a line diagram gets very busy very fast. I have a spreadsheet separating the VLANs per device, but that's not easy to grasp when the VLAN goes through several routers and switches.

Thank you in advance.



Cisco FMC - Access Control + Geolocation

Hey guys

I would like to deploy access control policies with geolocation.

We have some servers that are accessible from outside (HTTPS and HTTP), and for countries I'd say USA and Canada only.

**I don't wanna block AnyConnect clients by countries**

What do you guys think about it?

How should I apply the geolocation policies?

Deny > OUTSIDE > ANY > ALL THE COUNTRIES EXCEPT (USA AND Canada)

Permit > Outside > MY SERVER > HTTPS/HTTP

Is it correct?



Cisco RegEx

I'm still a little green to Cisco RegEx. I know that ^ represents the beginning of a string and $ is the end, but does ^$ with nothing in the middle essentially mean anything?

Edit: Think I found my answer here, I just didn't know how to find it at first.

https://community.cisco.com/t5/other-collaboration-subjects/bgp-and-null-path-announcement/td-p/479687
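As an added example (not from the post or the linked thread), the snippet below runs Cisco-style AS-path expressions against a few constructed AS paths so you can see that ^$ matches exactly one thing: the empty AS path, i.e. prefixes originated inside the local AS. Cisco's `_` shorthand is translated to a Python alternation; that translation and the sample paths are assumptions of this example.

```python
import re

# Constructed AS paths as they appear in `show ip bgp`; "" is a locally originated prefix.
SAMPLE_AS_PATHS = ["", "65001", "65001 65002", "65002 65001 65003"]


def cisco_aspath_to_python(pattern: str) -> str:
    """Translate Cisco's `_` token (matches start, end, space, comma or brace)
    into an equivalent Python alternation; everything else is ordinary regex."""
    return pattern.replace("_", r"(?:^|$|[ ,{}])")


def aspath_matches(pattern: str, as_path: str) -> bool:
    """Like an ip as-path access-list entry: an unanchored search unless ^ or $ is used."""
    return re.search(cisco_aspath_to_python(pattern), as_path) is not None


def filter_paths(pattern: str, as_paths=SAMPLE_AS_PATHS) -> list:
    """Return the AS paths the expression would match, in input order."""
    return [p for p in as_paths if aspath_matches(pattern, p)]


if __name__ == "__main__":
    for pat in ("^$", "_65001$", "^65001_", "_65001_"):
        print(f"{pat:<9} -> {filter_paths(pat)!r}")
```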



Does any RADIUS server support PEAPv1 other than Cisco ISE

I need to test a supplicant's 802.1X implementation which supports TLS, PEAPv0, PEAPv1, and TTLS. I am able to verify the implementation of all the above authentication methods other than PEAPv1 using FreeRADIUS.

Is there any other RADIUS server other than Cisco ISE which supports PEAPv1?



Network refresh

Hi,

We just got our quote from Cisco to upgrade our remote branches L2 access switches. 9200L 24 or 48 ports PoE.

I can't believe how expensive this is ! Around 150 switches for 800K$ CAD. That's about 5K$ each including stack cables, SFPs, licensing, 3 yr support, etc.

Crazy amount of money for just basic L2 switching !!



Mellanox driver installation

Hello,

I have nodes with an InfiniBand connection and CentOS 7.9 installed.

When I execute the following:

lspci | grep Mellanox

01:00.0 Network controller: Mellanox Technologies MT27500 Family [ConnectX-3]

lspci -vv -s 01:00.0 | grep "Part number" -A 3

[PN] Part number: MCX353A-FCB

I will reinstall the system to rockylinux.

My question is: how do I install the Mellanox hardware?

Is it enough to use the provided package from the distribution (yum group install Infiniband) or should I also use the package provided by the manufacturer at the following link:

http://www.mellanox.com/page/mlnx_ofed_eula?mtag=linux_sw_drivers&mrequest=downloads&mtype=ofed&mver=MLNX_OFED-4.9-3.1.5.0&mname=MLNX_OFED_LINUX-4.9-3.1.5.0-rhel8.3-x86_64.iso



Cisco Wireless | WLC redirects the Guest portal but not prompting automatic on client devices?

Hi,

We have a wireless setup in which guest clients should authenticate through the web guest portal from the ISE server; however, when a client connects to the SSID the client is never prompted with the guest portal page. Clients are iPhone, Android and Windows laptop users.

I have validated from the WLC logs that it is actually sending the guest portal page to the client. To get this to work, the client needs to open a browser and browse random sites; after doing this, the client is able to see the guest portal and put in their credentials.

From the WLC configuration, "Web Auth Captive-Bypass" is already disabled, which means it should auto launch on the client end.

From the logs:

*webauthRedirect: Jul 15 06:29:34.205: [PA] **: Client configured with AAA overridden redirect URL https://loginguest.abcd.com:8443/portal/gateway?.....

>show network summary

Web Mode.................................... Disable
...
Web Auth CMCC Support ...................... Disabled
Web Auth Redirect Ports .................... 80 <-----
Web Auth Proxy Redirect ................... Disable
Web Auth Captive-Bypass .................. Disable <-----
Web Auth Secure Web ....................... Enable
Web Auth Secure Web Cipher Option ......... Disable
Web Auth Secure Web Sslv3 ................. Disable
Web Auth Secure Redirection ............... Disable
...

From the network summary I'm seeing that the redirect port is 80/HTTP, whereas from the above logs we are redirecting to 443/HTTPS. Am I on the correct page in checking the global parameters in the network summary, or should I check the WLAN configuration itself?

Any suggestion about the issue?



Remotely change uplink SVI?

Hello,

Is it possible to remotely change an uplink SVI? For example, A router (interface g0/0, ip address 10.10.10.1 /24) is connected to a switch (int g0/24 VLAN 5) and the switch has a management IP of 10.10.10.2 /24 on int VLAN 5 with a default route pointing back to 10.10.10.1.

How can I move 10.10.10.2 from VLAN 5 to VLAN 3 without having physical (console) access to the router? I have SSH access but I'm afraid that once I make any changes, I'll lose the SSH connection.



What Do Employers Want These Days?

Hello all,

What do employers want these days?

I've been working in the public sector for some time now and I'm planning my next move (1 year). Problem is, I've moved so high up I never touch actual equipment anymore--I just sit in on bullshit meetings. Which brings me to ask this fine group of professionals what they're working on or seeing in the field. What skills do employers expect senior network engineers to have these days? Any other advice regarding where my focus should be? I'm not looking to be this rockstar network engineer. As a man entering his 40s, those aren't my ambitions anymore. I'm just looking to be an easy hire, and able to keep up with what most organizations are doing.

For context, I currently maintain the following certifications:

PMP, CCNP, CCDP



My Mac keeps changing the link speed of my network adaptor to 100mbps rather than 1 gigabit randomly

While I was copying data to my NAS it disconnected, and when I opened Network Utility it told me that my link speed is 100mbps, so I unplugged and replugged it again, and after a while the same problem happened again, so I changed the adaptor and the same problem happened. I am using macOS Big Sur.



Training certifications that centre around PKIs?

Hi all,
I was just having a discussion with my boss and we were talking about locating some form of formal training that centers around Public Key Infrastructures and certificates in general. I know there are a few well known providers such as CompTIA that touch on the subject in the lower levels, but are there any bodies out there that focus on it?



Enterprise Switching + Routing in a Single Device?

Hi,

Does anyone know of enterprise-ready devices which do switching and routing?

The requirements are pretty basic:

  • Switching - Predominately port density, so aiming at 24 ports, with probably around 25% PoE or less than 370w.
  • Routing - Basic PAT and inbound Firewall, MPLS/VPN/SD-WAN NOT required.
  • Cloud Managed (aka. Meraki-esque).

Looking at simplifying our non critical branches to have Internet connectivity and for support to have visibility, but to reduce the hardware as much as possible on site.

Does anything like this exist on the market yet?



Help! NAT inside private address range

I work in a big manufacturing company and today I was asked by our contractor for one IP address for an outside interface. They built a small network for a SCADA system (or something like that) and now want to put a firewall inside our network. So basically I won't be able to monitor or even ping anything in case something happens.

Is a design like this normal?

I need advice and best practices about this (pros and cons) and how to deal with this situation!



Wednesday, July 28, 2021

Fiber Optic Tap Cassette port

This is going to be a long one. I’m new at this job and this is a foreign concept to me so I’ll make it as simple, yet detailed as I can.

I have a router to firewall to Apcon monitoring setup via fiber cassette in a data center that would not come up on the Apcon team's side during a cutover. When I shoot a light that would mimic the Tx from the router with a fault locator out of the cutover cable (the one not yet plugged into the SFP) I receive a light out of the Tx side (the rightmost side) that plugs into the first block of a 3-port cassette (6 if you're counting Tx/Rx). This is what I call my "in" port. I should mention, this cassette is located about two rows down from the router. That first cable is a direct run. The adjacent block on the cassette is taking that light out its leftmost side and is being run directly to a patch jumper that leads to the firewall (located about ~17 rows "backwards"). This is what I call my "out". The cable that's at the firewall (yet to be cabled) is reflecting light out of its right side, which would correspond with the Rx on the firewall's SFP.

Now here’s where it gets tricky for me.

The 3rd block on the cassette is my TAP port. The light coming through is supposed to bleed out 30% of the signal and transmit that over to the Apcon. This cable is not a direct run, it’s being patched into a jumper that then leads to the Apcon itself, where the cable is being physically split (think x,y). This is my breakout cable. I feel I need to describe the Apcon and hopefully paint a clear picture. They’re sfps that have caps covering either the TX or Rx side of the ports. Forgive me, I’m home now and writing this from memory. The piece of my breakout cable that plugs into my X port shines a light. If I were to take the fault locator and place it on the other side of the cable that would be plugged into my router, then my Y would shine a light.

My problem is that those ports on the Apcon did not come up when I tried completing the cabling. I feel I've done my due diligence and verified the light sources are correct and cleaned the cables. One thing that I did not do that just occurred to me is to clean the SFP on the Apcon. I'll try it in the morning. Anyway, I'm not sure where I've gone wrong here. Any help or advice is appreciated. Any clarification needed on my end, please ask.



https://ift.tt/3f4IUi0

For anyone who wishes to learn more from Cisco, check out these FREE courses, you have absolutely nothing to lose.



Meraki Configuration Questions

Good Evening,

Just a simple question. I think I know the answer, but I'd rather be for sure before I deploy these new Meraki switches.

If I have some interfaces that currently ONLY have a PC on them, but in the future will have a VoIP phone that tethers to a PC, is it okay for me to just preconfigure these ports with the access VLAN and voice VLAN?

I just want to make sure it's okay for me to preconfigure them this way in Meraki. It would save a lot of time to just pre add this VLAN now.



Anybody have any experience with Honeywell ct50/ct60 scanners and Meraki access points?

Very intermittent issue where scanners pop a code 0 network disconnected message and have to be rebooted. The exact same scanners in the same spot will work fine after a reboot. Trying to catch it in a trace, but the sites are remote and the issue is very intermittent.

Scanners and APs are locked down to the same channels.

Bitrates are set to 802.11b per Honeywell documentation.

All load balancing, traffic shaping, 802.1r, and fastlane features are disabled.

Issue isn’t a lack of coverage/signal strength.

SSID is scanners only no other clients types on it.

Thinking the next steps (besides getting the packet capture) are bumping the minimum bitrate up to 5.5 or locking down the SSID to only 2.4. If anybody has seen a similar issue I'm all ears.



Configuration Backup

Any suggestions on a free/opensource solution to backup config for cisco devices?

Right now I am doing it manually using Python/NetMiko.



When implementing RSPAN, can I use the same destination port for multiple sessions?

My coworker said you can, but reading cisco docs, the verbiage says you can't. It says "Only one destination port is allowed per SPAN session, and the same port CANNOT be a destination port for multiple SPAN sessions"..

I need to push traffic from my access layer up into the core, to SPAN over a V switch spanning port. I have about 15 access switches that need to be brought up.

If I use separate session #s for each access switch, can I use the one port (Vswitch Port Span) for the traffic?

Ex: Vlan 199

Sw1: Monitor session 1 Source interface fa0/2 Destination (ON V SWITCH) Gi1/13

Sw2: Monitor session 2 Source interface gi1/5 Destination (ON V SWITCH) Gi1/13

Sw3: Monitor session 3 Source interface gi1/2 Destination (ON V SWITCH) Gi1/13



Voip phone stuck at dhcp waiting

I have a Panasonic VoIP phone. If I plug the phone into a PoE switch it will sit at DHCP waiting; I can see in DHCP that it was given an IP address but it never gets past this point. If I plug the phone into a regular switch with a PoE injector it does the same thing; however, if I disconnect the network without removing power long enough for the phone to say cable disconnected and then plug the network back in, the phone comes up like it should.

This has been working for 2 years until this week with no changes.

The switches are all configured as factory defaults, so no configuration.

My first instinct is to reboot stuff, but I can't reboot until next week as there is an event going on, and the phones that are already connected work fine, but if I unplug a phone it will get stuck at DHCP waiting.

Any idea on the cause of this?



Panduit NetKey vs PanNet

I cannot figure out what the difference between the lines is for the life of me. Anyone have any clues?



Cisco ASA - Dual WAN - Active / Active

Hello Everyone,

I came across this situation:

Customer has a Cisco ASA (5505 ??) as a CPE with 2 internet links terminated on it.

Behind the ASA is the LAN network, nothing fancy.

Customer would like to have the links in an active/active fashion to make better use of the bandwidth available.

I've read about having multiple routes with equal cost, or some cases mentioning GLBP but I don't think it applies here.

Is there a way to accomplish this?

Thank you!



Cannot Access Management interface

Setting up initial config on a PA220

-I can access management GUI with default creds when directly connected through management interface.

-When I update IP, Mask, and gateway I can access GUI at new IP when directly connected through management interface.

-When I plug MGMT port into switch I cannot access the GUI or ping the interface. (Destination host unreachable)

When I console into the PA220 and run "show arp management dns no" I see the following:

Address HWtype HWaddress Flags Mask Iface

10.3.1.100 (incomplete) eth0

10.3.1.99 ether 8c:8c:aa:3f:f6:f2 C eth0

10.3.1.100 is the gateway

10.3.1.99 is my consoled laptop

How can I get my management gateway to associate with the MGMT port MAC address?

This is PAN-OS 9.1.4

Thank you



RSPAN session limits?

https://ibb.co/gRpyJCj

I need to push up my access layer traffic to a new program we are using. We are going to do this by using RSPAN. There are 5 access switches which we need to get information from.

Does RSPAN have a # limit on the individual sessions? I have to put RSPAN sources on the colored switches in the topology.

For example

Pink - monitor session 1, source giX/X, remote vlan 200

Purple - monitor session 2, source GiX/X, remote vlan 201

Green - monitor session 3 , source GiX/X, remote vlan 202

Red - monitor session 4, source GiX/X, remote vlan 203.

Can I use the same RSPAN VLAN across multiple different sessions? Also, I am potentially going to move the RSPAN destination to a Dell which looks like it only supports 4 sessions.

Is there a better way I can be doing this?



BGP Advertised Route Filtering in Cisco IOS

I'm poking around with network design in GNS3, using IOSv 15.2 and having trouble getting my route advertising to work as expected.

On my L3 switch I have a number of /29 subnets carved out from 17.0.0.0. Rather than put them all under separate network statements I am trying to advertise the entire /8 and then filter using distribute-list and an ACL.

Unfortunately this does not appear to be advertising any of my routes. In prod this works under IOS-XE, but I don't have any virtual XE L3 switch images to work with. Any ideas on how I can make this work?

Here are the relevant config sections:

router bgp 2000
 bgp router-id 17.1.0.2
 bgp log-neighbor-changes
 neighbor 17.1.0.1 remote-as 200
 !
 address-family ipv4
  network 17.0.0.0
  neighbor 17.1.0.1 activate
  neighbor 17.1.0.1 weight 15
  neighbor 17.1.0.1 soft-reconfiguration inbound
  neighbor 17.1.0.1 distribute-list AdvertiseThese out
  auto-summary
!
ip access-list standard AdvertiseThese
 permit 17.0.0.0 0.0.0.255
!
interface Vlan13
 ip address 17.0.0.9 255.255.255.248
!
interface GigabitEthernet0/0
 no switchport
 ip address 17.1.0.2 255.255.255.0
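One thing worth checking in isolation is what the standard ACL in that distribute-list actually passes. The added example below (not from the post) models only standard-ACL matching as used by a distribute-list: the wildcard is applied to each prefix's network address and the prefix length is ignored, with first-match evaluation and the implicit deny. It does not model what the network statement injects into BGP; the candidate prefixes are constructed to resemble the /29s described above.

```python
import ipaddress

# Constructed ACL, mirroring the distribute-list from the config above:
# (action, address, wildcard) in order; an implicit "deny any" follows.
ADVERTISE_THESE = [("permit", "17.0.0.0", "0.0.0.255")]

# Constructed candidate prefixes: the classful /8 from the network statement
# plus some /29s carved out of it, as described in the post.
CANDIDATE_PREFIXES = [
    "17.0.0.0/8",
    "17.0.0.8/29",
    "17.0.0.16/29",
    "17.0.1.8/29",
    "17.1.0.0/24",
]


def wildcard_match(acl_addr: str, wildcard: str, prefix: str) -> bool:
    """Standard-ACL semantics: compare only the bits the wildcard does NOT mask,
    and compare them against the prefix's network address, ignoring its length."""
    net = ipaddress.ip_network(prefix, strict=False)
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(net.network_address) & care) == (int(ipaddress.IPv4Address(acl_addr)) & care)


def evaluate_acl(entries, prefixes) -> dict:
    """First matching entry decides; anything unmatched hits the implicit deny."""
    verdicts = {}
    for prefix in prefixes:
        verdict = "deny"
        for action, addr, wildcard in entries:
            if wildcard_match(addr, wildcard, prefix):
                verdict = action
                break
        verdicts[prefix] = verdict
    return verdicts


def wildcard_for(prefix: str) -> str:
    """Wildcard matching every network address inside `prefix`, e.g. 17.0.0.0/8 -> 0.255.255.255."""
    return str(ipaddress.ip_network(prefix).hostmask)


if __name__ == "__main__":
    for p, v in evaluate_acl(ADVERTISE_THESE, CANDIDATE_PREFIXES).items():
        print(f"{p:<14} {v}")
    print("wildcard covering the whole /8:", wildcard_for("17.0.0.0/8"))
```

With 0.0.0.255 only prefixes whose network address falls in 17.0.0.0 to 17.0.0.255 pass; a prefix-list with le/ge is the tool when the match must also consider prefix length.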


Engineers using large layer 2 vlan trunking architectures, do you use VTP to manage vlans?

Working on a large 'classic' layer 2 design domain with VLAN SVIs at distro and dot1Q trunks to trees of access switches, but no VTP. One VLAN missed in a segment of the trunks to a set of access switches and the catch-up is considerable in terms of time. Seems like a classic case for using VTP and they are all Cisco. Do people using complex VLAN/dot1Q designs use VTP to avoid manually adding VLANs to trunks? Seems like a good use case.



Automated AP reboots on scheduled timer

Silly question. Is there a way to reboot APs from a wireless controller on a specific timed basis? One site per 2 days at midnight for example. I know you could script something to shut/no shut a port but I'd have to keep a running tally of all APs in enterprise. These have a tendency to get moved without notice :P

Any help would be greatly appreciated



nmap scan - Cisco - Port 33333?

Out of pure curiosity, I scanned the external IP of my Cisco 891 and noticed the following:

Host is up (0.059s latency).
Not shown: 65535 closed ports
PORT      STATE    SERVICE
33333/tcp filtered dgi-serv

I've never seen this before, and don't recognize the port number.

What's interesting is if I launch "telnet i.p.i.p 33333" -- it just turns blank, returns characters, but doesn't do anything, whereas if I were to do a "telnet i.p.i.p 12345" it just dies instantly.

I ran a "sh run all" and tried searching for "33333" or "dgi" but came up with nothing.

Has anyone ever heard of/seen this before?

Thank-you!



Tools for testing bandwidth and throughput?

I'm prepping for network upgrades, but I want a baseline. What are some tools that I can use to test the raw speed of the network without having to worry about disk speeds or internet speeds being the bottleneck? Is there a way to simulate 40 people in the office when there are none right now? I'd like to test the WiFi and the wired connections.



Secure vendor access to replace vpn

We have been looking at Secure Link to manage vendor access to servers to replace VPN. The licensing is expensive and minimum of five vendor licenses. Is there a decent and secure alternative available that you can recommend?



Cant Ping cisco ap in ROM Mode

Hey, I am trying to change the IOS of a Cisco access point, but until now without any success.

I tried to configure my access point in this way (first I formatted the flash to remove the IOS):

ap: set IP_ADDR 192.168.100.100

ap: set NETMASK 255.255.255.0

ap: set DEFAULT_ROUTER 192.160.100.1

ap: tftp_init

ap: ether_init

and my computer with the IP 192.168.100.1 and GW 192.168.100.100, but I can't ping from my PC to the access point.

I disabled the firewall to test, but the result is the same, I can't ping.

sudo systemctl stop ufw.service

sudo ufw disable

I also checked the route on my PC, but it looks ok:

"192.168.100.0 0.0.0.0 255.255.255.0 U 100 0 0 enxc4411e752c4e"

Any idea what I should try? I don't have any antivirus... it is really strange.

Thank you for your time.



How to set up a gigamon

Hi All,

I have a Gigamon device and want to set it up. Do I need to set up a SPAN port for the Gigamon, or does the Gigamon capture the traffic without the need for SPAN? This is new to me and I need to understand it.

Thanks



Best Networking Tools

What are some of the best networking tools everyone uses on a daily basis ?

Especially, tools that are free and make your lives easier



Small local management network - equipment options

We are setting up a small local management network for a few dozen machines. This network will be used for local "remote access", NTP, file transfers, and other misc tasks. The machines are already networked but we don't want to use that critical network for any of these non-critical tasks.
This equipment will likely get installed and then not changed again until it starts to fail physically. (thinking 10+ years)

I am looking specifically for equipment that supports local centralized management and nothing that is either cloud or subscription-based. I was considering the Enterprise 24port switches from Ubiquiti and a dream machine pro as the local controller.

Let me know if you have any suggestions for other vendors that I can look into.

Thanks



Hosting latest version of CML on a Pay As You Go server

Hi does anyone know if you can host the latest version CML on a remote server through someone like Equinix?



DAC cable question

I can't seem to find the answer to this after much searching.

If I want to connect 2 devices of different brands at 10G, is it possible to do it with DAC or do I need SFP+ modules for that?

For example,

Aruba S2500 switch <-> UDM Pro

Aruba S2500 switch <-> Server

Aruba S2500 switch <-> Synology NAS

UDM Pro <-> Synology NAS

etc.

I'm seeing only DAC cables with both ends being the same brand, is it possible to get a DAC cable for cross-brand linking?



Dell Z9100-ON problems and possible issues?

My company is planning to purchase a bunch of Z9100-ON switches for production use (in a VLT setup). Everything on paper appears to be normal, and we are also planning to perform pre-production testing on those switches, but you can never be sure. Did anyone have some kind of history with those switches and could share their experience of possible bugs or issues?



How a request initiated by a HTTP client is served by HTTP server?

Here is what I think of this. Tell me if my answer is correct or not. If not correct, recommend some resources to learn this.

HTTP connections are of 2 types:

1) Non persistent HTTP connection

2) Persistent HTTP connection

In a non-persistent HTTP connection:

a) Connection established.

b) Single request sent

c) Single response sent

d) TCP connection released.

In a persistent HTTP connection:

a) Connection was established

b) Multiple requests sent

c) Multiple responses sent

d) TCP connection released after connection isn't used for certain duration.

This question came as a long question for 6 marks in an examination. So I am not sure if what I have written here is enough or not. Please help me out. Am I correct? Is this much enough?

I don't have access to professor's office hours. So asking in r/networking
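The two connection types listed above can be watched on the wire rather than described from memory. The added example below (not part of the post) starts Python's built-in HTTP/1.1 server on a loopback port and talks to it with a raw TCP socket: two requests over one connection that stays open (persistent), then a request carrying Connection: close after which the server sends FIN (non-persistent). The handler, port selection and request paths are assumptions of this example.

```python
import socket
import socketserver
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"          # HTTP/1.1: the connection persists unless told otherwise

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):          # keep the demo quiet
        pass


class LoopbackServer(HTTPServer):
    def server_bind(self):                 # skip the reverse DNS lookup HTTPServer normally does
        socketserver.TCPServer.server_bind(self)
        self.server_name = "localhost"
        self.server_port = self.server_address[1]


def start_server() -> LoopbackServer:
    srv = LoopbackServer(("127.0.0.1", 0), Handler)   # port 0: let the OS pick a free one
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def recv_response(sock) -> bytes:
    """Read exactly one response: the header block, then Content-Length bytes of body."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
    head, body = buf.split(b"\r\n\r\n", 1)
    length = 0
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            length = int(line.split(b":", 1)[1])
    while len(body) < length:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return head + b"\r\n\r\n" + body


def exchange(port: int, requests: int, close_last: bool = False):
    """Send `requests` GETs over ONE TCP connection.
    Returns (responses_received, server_closed_connection)."""
    s = socket.create_connection(("127.0.0.1", port), timeout=3)
    responses = 0
    for i in range(requests):
        conn = "close" if close_last and i == requests - 1 else "keep-alive"
        s.sendall(f"GET /{i} HTTP/1.1\r\nHost: localhost\r\nConnection: {conn}\r\n\r\n".encode())
        if recv_response(s).startswith(b"HTTP/1.1 200"):
            responses += 1
    try:
        closed = s.recv(1) == b""          # b"" means the server sent FIN
    except socket.timeout:
        closed = False                     # still open: the server is waiting for the next request
    s.close()
    return responses, closed


def demo():
    """Persistent: 2 requests, 2 responses, socket left open by the server.
    Non-persistent: 1 request with Connection: close, then the server hangs up."""
    srv = start_server()
    port = srv.server_address[1]
    persistent = exchange(port, 2)
    non_persistent = exchange(port, 1, close_last=True)
    srv.shutdown()
    srv.server_close()
    return persistent, non_persistent
```

The persistent case waits out the 3 second socket timeout before reporting that the server never closed the connection, which is the idle period the exam answer's step d) refers to.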



Tuesday, July 27, 2021

Looking for Open Source HA Site to Site VPN Solution

Does anyone have any experience with, or know of, an open source solution for configuring HA site-to-site VPNs? I have 3 locations to interconnect and have been labbing solutions, but I can't find one that works without either loss or substantial downtime as the tunnel re-establishes. The layout is 2 pfSense boxes (running the latest 2.5.2 release) in a CARP pair in each location; using OpenVPN for the site-to-site worked but started to drop packets once we passed traffic through it (using iperf, it's maxing out at about 40 Mbps). I swapped the pfSense configs over to using IPsec and that passed a full gig with no loss, but while failover testing there's a substantial delay in the tunnel re-establishing when the master pfSense in the IPsec responder role drops and the backup takes over as responder. IPsec DPD settings in pfSense are reflected in the strongSwan config but aren't honored, so it doesn't matter how low I set those.

At this point I'm thinking I'll have to go with either OpenVPN, strongSwan or some other VPN server installed solo (straight onto whatever OS flavor fits them best) and combine it with some sort of VRRP/heartbeat/keepalived solution, which I'm willing to do, but I figured I'd reach out to the masses first before I go that route and accept all the pain and headache that comes with it.

Also posted specifics and a diagram of my lab setup with 2 sites: https://www.reddit.com/r/PFSENSE/comments/oo6klq/help_needed_pfsense_carp_ipsec_vpn_lab_setup/



Routing advice for 5G PtP link

I've got a bit of an odd issue, looking for suggestions, thank you!

I recently joined a 150 employee company with two buildings, 500ft apart. Second building was recently acquired, currently 120 employees in B1 and 30 in B2.

Each building has a 20Mbps (i.e. slow) ISP connection. Currently there is an ipsec tunnel between Fortigates at each building. B1 has on-prem VMs that B2 users connect with. Each building is a separate subnet and communication is routed via the Fortigate ipsec tunnel.

Main problem is that there are some users in B2 that need to access/transfer large amounts of data (SQL, MP4s, etc) on VMs in B1. We have a 400MB test file we use as a baseline which takes over 6 minutes to transfer over the ipsec tunnel. (Same file on same subnet in B1 takes only seconds of course.)

Upgrading the ISP lines is not an option. Moving the impacted users to B1 is not an option.

I set up a test 5G PtP between the buildings, which is working great at around 700Mbps. Our 400MB test file takes 15 seconds.

So, I'm wondering what the best solution is to make this work?...

Only a few users (5 ppl) in B2 need this solution. What is the best way to give them connectivity to BOTH the existing 20Mbps ISP connection (subnet A) and the 5G PtP wifi connection (subnet B)?

I'm thinking, connect the 5G to the B2 Fortigate, then create static routes for the appropriate servers and route that traffic through the 5G?

Any other/better ideas? Thank you in advance.



Is there a good neighbor guide to WiFi setup?

I live in a dense environment filled with many networks and tons of WiFi noise. I am wondering if there’s a best practices guide with things like using a smaller channel width, stick to 1,6,11 for 2.4G, keep transmit power at a minimum (or higher transmit power isn’t the solution to interference issues)?

I was hoping to send a link to our community Facebook group and our Nextdoor group. Not sure how that would be taken.

FYI, I’ve managed to optimize my network properly (IMO) and therefore perhaps there’s no reason to post this. But I recently did a WiFi survey and saw some very powerful 2.4 signals and incorrect channels chosen as well as wider widths than make sense in this overly noisy environment. Thought it would be good to let people know.



Books about hardware architectures

Are there any books out there that discuss the different hardware architectures of routers/switches in detail? Vendor agnostic preferably?

The only good book that is out there is Russ White's Cisco IOS Software Architecture; it's really good but very outdated and Cisco specific. I looked all around for something describing more modern approaches, but it's really some slides here and there and nothing gives a complete picture (e.g. shared vs non-shared memory, kernel interactions, etc.).



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels; feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Thoughts on CCNP

I’ve been thinking about updating my resume and maybe taking the CCNP since a lot of places have it as a requirement. I started taking these online classes and I have to say a lot of the tech discussed so far has been proprietary af. Completely different from back when I was studying for the CCNA. I guess being away from Cisco gear really caught up to me.

I guess part of me feels like there’s a chance of me not even using a lot of the tech in the real world, which is demotivating to say the least. I know big picture I want to get paid more and this will give me a good shot at it. At the same time I was wondering if there are any comparable certs out there that’ll be just as useful, say I end up in a non-Cisco environment.



Home made wall mounts for Cisco Access Points

Hi all,

I have a hatred of vertically aligned wall mounted internal-model antenna AP's due to some issues we've had with the 5GHz antenna pattern going back into the wall into other rooms. The University I work for has a bunch like this; once upon a time they were AP's with stick antennas, mounted in hallways, and worked fine until they were due for replacement. Whoever ordered the replacements just got regular internal antenna model ones and slapped em up (wifi just works, amirite?).

Recabling to the ceiling is too expensive to get approved for the small benefit it provides, and here in Australia getting purpose-built brackets is difficult and expensive. So I've been working on how to keep the AP's mounted to the wall but oriented the correct way. I've dodgied up some brackets made from metal bookends - the ones I used are here: https://www.officeworks.com.au/shop/officeworks/p/j-burrows-metal-heavy-duty-bookends-195mm-black-jb87010bk

Basically I have just drilled M4 size holes through the normal mount holes of the Cisco universal bracket into the bookend, and used M4 screws and wingnuts to attach the bracket. A tip is to mount the Cisco bracket far enough forward that you can remove the AP without having to remove the bookend from the wall. I have photos but I can't figure out how to include them :)

Anyway, thought I'd post here in case someone else is having the same issue



Industry standards for high school students

Hello everyone!

I am starting a new teaching job next week and will be teaching high school students about networking in a real-world sense. The class is kind of like a vocational school where the students will get hands-on experience making Cat5 cables, splicing fiber optic cables, and building their own networks (on paper). The overall goal is to prepare them for a networking job or internship with experience and a mindset that will actually be useful to them and the company.

Knowing this, can anyone that's in a hiring, management, or team lead position tell me things they would look for in a high school student/graduate that applied for a job or internship? These can be soft skills or technical skills and I'll make sure they're aware of certificates and programs to look into should this be an actual interest of theirs.

I'm building my lesson plan and want to make sure I'm teaching them valuable info and not just stuff that goes in one ear and out the other. I wanna see these kids succeed. For my own background, I have a few years of IT experience along with A+ and Sec+ certs; I plan on getting Net+ in December.

Thank you!



RPKI (My)Lab Environment



Anyone used a Ubiquiti switch on a Meraki stack?

Hello, this is kind of a random question. I work for a small business (~80 employees) and we have a full Meraki stack and we're in need of a POE Switch but would prefer not to spend $2000+ plus licensing for a Meraki branded POE switch.

We're a small business so we only have an MX64, a few MR33 AP's and a few Meraki 24 port switches, can't remember the exact model, but they're not POE.

None of the switches we currently have are POE and our AP's and a few security cameras are being powered off POE injectors which aren't 100% stable (the injectors often need to be reset manually after a power outage) so we're badly in need of a POE switch, yet would prefer not to spend so much on a Meraki one.

Ubiquiti models are 2-3x cheaper for the same features... has anyone had experience or issues running a Ubiquiti switch on a full Meraki stack?

For instance our AP's would be connecting through the Ubiquiti switch and I'm wondering if they would encounter any issues with the Meraki Dashboard correctly displaying info/talking to the AP's, but as long as the Ubiquiti switch supports Layer 2/3 maybe there won't be any issues?

It doesn't have to be Ubiquiti either, also considering TP-Link Omada POE switches which have similar features/price point.

Basically if my company can save 50%+ by using a different brand switch, we are interested as long as there won't be any issues with our Meraki AP's or their communication with the Meraki Dashboard.

Any insight is appreciated! Thank you.



ASA: Tunnels using deprecated DH - How to check policy used

I am reading up on l2l tunnels (IKEv1 & 2) and had a question which I wasn't able to figure out.
Looking at an existing ASA config, how do I figure out which crypto ikev1 policy the tunnel is configured to use, in these cases:

  • When a tunnel is up (show vpn-sessiondb detail l2l)
  • When a tunnel is not up (from running config?)

I know that the policies are sequenced and prioritized, but I am trying to find out which configured tunnels are using deprecated DH groups (2, 5) so I could create a database of tunnels that need to be updated.
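As an added example (not part of the post), a Python audit script that flags ikev1 policies offering DH group 2 or 5 in a running config and, from the output of show vpn-sessiondb detail l2l, the peers whose live SA actually negotiated one. The config and session excerpts are constructed, and the session field layout is an assumption; since the ASA offers policies in priority order and the peer's choice decides, the config shows what is offered while the live session output is the authoritative per-tunnel check.

```python
"""Flag ASA IKEv1 policies and live L2L tunnels that use deprecated DH groups."""
import re

# The post treats groups 2 and 5 as deprecated; group 1 is weaker still.
DEPRECATED_DH_GROUPS = {1, 2, 5}
ASA_DEFAULT_IKEV1_GROUP = 2   # used when a policy omits 'group' (hidden by 'show run')

# Constructed running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 group 2
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 group 14
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 2 set peer 198.51.100.20
crypto map outside_map 2 set ikev2 ipsec-proposal AES256
"""

# Constructed excerpt in the shape of 'show vpn-sessiondb detail l2l'; only the
# fields read below are included and the exact column layout is an assumption.
SAMPLE_SESSIONS = """\
Connection   : 203.0.113.10
Protocol     : IKEv1 IPsec
IKEv1:
  Encryption   : AES256                 Hashing      : SHA1
  D/H Group    : 2
Connection   : 192.0.2.30
Protocol     : IKEv1 IPsec
IKEv1:
  Encryption   : AES256                 Hashing      : SHA1
  D/H Group    : 14
"""


def parse_ikev1_policies(config: str) -> dict:
    """Return {priority: {attribute: value}} for each 'crypto ikev1 policy' block."""
    policies: dict = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^crypto ikev1 policy (\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            policies[current][key] = value
        else:
            current = None   # any other top-level line closes the block
    return policies


def deprecated_policies(config: str) -> list:
    """Priorities of policies offering a deprecated group, or silently defaulting to one.

    A plain 'show running-config' hides defaults; 'show running-config all' shows them.
    """
    flagged = []
    for prio, attrs in parse_ikev1_policies(config).items():
        group = int(attrs.get("group", ASA_DEFAULT_IKEV1_GROUP))
        if group in DEPRECATED_DH_GROUPS:
            flagged.append(prio)
    return sorted(flagged)


def ikev1_peers(config: str) -> list:
    """Peers whose crypto map entry negotiates with IKEv1 (IKEv2-only entries skipped)."""
    entries: dict = {}
    for line in config.splitlines():
        m = re.match(r"^crypto map (\S+) (\d+) set (peer|ikev1|ikev2) (.*)$", line.strip())
        if m:
            entry = entries.setdefault(f"{m.group(1)}:{m.group(2)}", {})
            entry[m.group(3)] = m.group(4)
    return sorted(e["peer"] for e in entries.values() if "peer" in e and "ikev1" in e)


def negotiated_dh_groups(session_output: str) -> dict:
    """Map peer address -> DH group of the live IKEv1 SA, from session detail output."""
    groups: dict = {}
    peer = None
    for line in session_output.splitlines():
        m = re.match(r"^Connection\s*:\s*(\S+)", line)
        if m:
            peer = m.group(1)
            continue
        m = re.match(r"^\s*D/H Group\s*:\s*(\d+)", line)
        if m and peer is not None:
            groups[peer] = int(m.group(1))
    return groups


def tunnels_needing_update(session_output: str) -> list:
    """Peers whose current SA was negotiated with a deprecated group."""
    return sorted(p for p, g in negotiated_dh_groups(session_output).items()
                  if g in DEPRECATED_DH_GROUPS)
```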



Should a new aggregation switch be 10 Gbps or 1 Gbps when ToR switches are all 1 Gbps but my router is 10 Gbps?

We have a datacenter with 9 racks; each rack has 20 computers connected via Ethernet cables to a dedicated 1 Gbps Top Of Rack switch for that rack - in other words, there's a total of 9 TOR switches and 180 computers. Our router only has 8 Ethernet ports and I need to connect all 9 TOR switches to the router somehow, so I was thinking to add an aggregation switch between the TOR switches and the router. Question #1) Should this new aggregation switch be 10 Gbps or 1 Gbps, as the TOR switches are all 1 Gbps (but the router is 10 Gbps)? Question #2) Or are there better ways of doing this without having to buy a new router with more ports?



Does anyone know what is going on with American ISP Outages?

https://i.imgur.com/Gvfw9oj.jpg

I lost internet with Spectrum for 15 minutes today and I also observed regional outages in different parts of the country at my job. Does anyone know if there are widespread issues going on like what happened with the Akamai issues last week?



transport vs. routers

I'm looking at what Cisco and other router incumbent vendors are doing vs. what Ciena and other optical transport incumbents are doing. It seems that both sides feel threatened by the other and are taking offensive actions (best defense is offense, right?) to extend their field footprint onto new turf. The spending they put in is huge (e.g. Cisco buying Acacia for $4.5B) and the results are either the router will expand and assume the transport role as well as routing, the transport will do the routing on the platform, or the market will keep looking at these as separate entities (due to regulations, or politics, or tradition or whatever...).

What's interesting is that both sides are using the terms "disaggregation" and "openness" to promote themselves and explain why their solution is better.

Anyone brave enough to make a prophecy on who will win this battle and become the next dominant system in deployment? I am not willing to take bets on this but I am quite sure disaggregation will win from this...

Thoughts?



An application I am the admin of is changing website URLs. How does this work?

I won't lie. I have my little niche of an application that I support and have since forgotten everything I know about networking that I learned in college a decade ago.

I have an application that is hosted on two servers that I am the admin for. Customers can access the application via a public facing URL. Their connection is routed via an F5 load balancer. We are re-branding and the URL is changing. Our network team will handle most of this, but I don't want to look like an idiot.

Can anyone explain what the process might be to make this happen?



Dell Networking OS10 Certificate Expiration and Solution

Dell Switches running OS10 in VLT pair need to upgrade to version >=10.5.1.0, before July 27, 2021...

https://www.dell.com/support/kbdoc/en-us/000184027/dell-emc-networking-os10-certificate-expiration-and-solution

The above link has walkthroughs of the solution.



Do I understand this subnet mask correctly?

I'm not entirely sure where to ask this, so I'll ask it here, I hope this counts as an educational question, though I'm not sure how well it fits into enterprise network design.

I'm working through old tests studying for my upcoming TCP/IP final, and I came across this question:

In a subnet with a mask size of /15, what type of address is 68.2.255.255 allowed to be?
a) Limited Broadcast
b) A host in the subnet
c) A private address with no meaning on the public network
d) Direct Broadcast to the subnet
e) An invalid address

The teacher who did the recording of the explanation claimed that the answer was d, a Direct Broadcast to the subnet.
This does not appear true to me: the mask being /15 means that we still have one bit left over in the second segment of the address which is outside of the subnet address and in this case remains a 0. Additionally the network address itself would fall under class A if we were using classful addressing (which we're not), so it can't even be confused with a class C direct broadcast.
So the way I see it, we have the following: 68.00000010.255.255 should be a host name, where the network address for the subnet is 68.2.0.0 and the subnet broadcast address is 68.3.255.255.

Either the teacher did the work for a mask of /16, or there's something I'm missing.

Any help would be appreciated, and if the post doesn't quite fit the sub let me know and I'll move it elsewhere.
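As an added example, not part of the post, here is a Python helper that works the arithmetic in the question with the standard ipaddress module: given an address and a prefix length it returns the enclosing subnet's network and directed-broadcast addresses, the role the address can play (the question's answer choices), and a bit view that shows where a /15 boundary falls inside the second octet, so the /15 and /16 readings can be compared directly.

```python
"""Work the /15 question: which role can 68.2.255.255 play in its subnet?"""
import ipaddress
from typing import Tuple

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def subnet_bounds(address: str, prefix_len: int) -> Tuple[str, str]:
    """Network and directed-broadcast addresses of the /prefix_len block holding address."""
    # strict=False lets host bits be set, which is exactly what an exam address is.
    net = ipaddress.IPv4Network(f"{address}/{prefix_len}", strict=False)
    return str(net.network_address), str(net.broadcast_address)


def classify(address: str, prefix_len: int) -> str:
    """Role of an address inside the prefix it falls in, in the question's terms."""
    addr = ipaddress.IPv4Address(address)
    if addr == LIMITED_BROADCAST:
        return "limited broadcast"        # option a: 255.255.255.255, never forwarded
    net = ipaddress.IPv4Network(f"{address}/{prefix_len}", strict=False)
    if addr == net.network_address:
        return "network address"          # all host bits zero
    if addr == net.broadcast_address:
        return "directed broadcast"       # option d: all host bits one
    if addr.is_private:
        return "private host"             # option c territory (RFC 1918 space)
    return "host"                         # option b


def binary_octets(address: str) -> str:
    """Dotted binary form, to see which bits the prefix covers in each octet."""
    return ".".join(f"{int(o):08b}" for o in address.split("."))


def host_bits(address: str, prefix_len: int) -> str:
    """The host portion of address under prefix_len, as a binary string.

    A directed broadcast has every one of these bits set; for 68.2.255.255 under
    /15 the leading host bit (low bit of the second octet) is 0, so it is not.
    """
    value = int(ipaddress.IPv4Address(address))
    host_len = 32 - prefix_len
    return format(value & ((1 << host_len) - 1), f"0{host_len}b")
```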



EVPN multi-site for multi-tenant single-DC design, and connection of non-VxLAN leafs

I'm evaluating an EVPN multi-site design for DCI, to connect a legacy and new DC so I can migrate workloads without readdressing, whilst minimising shared fate between the DCs. There's a mix of large STP domains and L3 leaf/spine designs in the legacy DC, with a common core switching layer connecting them to the WAN.

I'm considering consolidating that into an EVPN multi-site topology in the new DC (e.g. EVPN multi-site for multi-tenancy inside the new DC, not just for DCI, mapping availability zones in the DC to site-internal fabrics for failure domain separation).

I'm keen to know if others have had success operating EVPN multi-site as a multi-tenant single DC design, or is the additional complexity not worthwhile?

Is it a valid design to use a single set of spines to connect the VTEPs and standard L3 ToR switches, or do you use separate spines for the EVPN and non-EVPN parts of the network?



off the shelf switch can introduce a loop into network

Every so often, an off the shelf switch (Netgear, TRENDnet, etc.) manages to cause a loop in the network - an L2 Cisco network comprised of various Catalyst switches. I have bpduguard and loopguard in place everywhere. Trunk ports between switches will shut down because a loop is detected. These off the shelf switches are merely just plugged in to one port; just their presence is all that it takes - they are not wired to create a loop (plugging in two wall jacks to two ports on the switch). I don't have broadcast or storm control enabled. I'm just curious what protections it takes to prevent a malfunctioning rogue off the shelf switch from drastically degrading the network. Any ideas, what have I missed?

thanks....



Why are access layer switches still based on RJ45 connectors and not USB-C?

It might be the dumbest question here, from a person two days into studying for a CCNA.

Most client hardware these days does not have an Ethernet port on it. Wouldn't it just make sense to have an access layer switch with USB-C connector ports instead of RJ45, instead of having adapters and docks and so on? Because that way you could have more than 48 ports on a 1U switch with only USB-C connectors?

What am I missing? Or is this question completely absurd?



Multi-Tenant SD-WAN

Hi r/networking I help run a managed service provider with about 50+ clients including a number of medium enterprises.

For our larger clients who have multiple sites, over the years we have designed/built or just built a range of WAN technologies for them, from telco MPLS to DMVPN through to static IPsec tunnels.

We are currently investigating moving our larger clients, about 20 or so, onto an SD-WAN solution. We are looking for an SD-WAN offering that supports multiple clients managed from the one set of controllers. We plan to buy commodity internet connections, then install routers at their sites and manage all the clients from a single pane of glass and use APIs.

We are big Fortigate fans for their firewall products and price point, but we are not sure if we can run a single pair of FortiManagers as controllers in a multi-customer design.

Does anyone have any recommendations for SD-WAN offerings that support multiple customers?



Anyone ever worked for Space-X? What’s it like?

I’m looking at some of the job postings there for network engineers and firewall engineers, and . . . my trigger finger is getting itchy. I’ve heard Space-X can be a difficult company to work for on the manufacturing and engineering side of things, and I wonder how much of that rolls over to the support roles.

I’m currently the only network engineer for a small company outside San Francisco that pays me ridiculously well, but is generally quite boring and has no advancement potential. And every day I watch the webcams of what is going on in Boca Chica and I have a gut-twisting feeling that I’m supposed to be there, on the front lines of one of the most important things that humanity can possibly be doing.

OTOH then I’d have to live in rural Texas, which . . . well it’s sure not going to be San Francisco.



unmanaged switch

I bought an unmanaged switch, which is good because it's plug and play. But do I need to plug the switch itself into an Ethernet cable and into power?



Monday, July 26, 2021

I'm wondering if this is possible...

Hi, I am a student and my college uses one of those fancy eduroam wifi setups that uses WPA2-Enterprise security that links to the college's AD database. I have a very hard time connecting my Raspberry Pi 4 to the wifi. But I do have a PC with a LAN port. Is there a way I can plug the Pi into the PC where the PC acts as a router, where the PC connects to eduroam through wifi, while the LAN port serves as a router for the Pi?

I am still in my journey of understanding networking during my internship with an MSP company, happy to learn more if you have wisdom to share!



Windows tcp auto tuning and incompatible network gear

So in Windows 10, Windows defaults to using its auto tuning feature for network traffic. Best I can tell this just allows a sliding TCP window. Microsoft mentions that there may be issues using this feature with older network hardware. We have been seeing an issue with RDP where it will take 3 minutes for the password prompt to appear on an RDP connection. Setting Windows auto tuning to off fixes the issue.

This issue is only through one of our VPNs. Other VPNs to the same server have no lag for the password prompt. The hardware in the path is not that old, as it's a fairly beefy SRX.

I guess my question is... Does anyone know what Microsoft is referring to when saying auto tuning may not work with older network gear?

Secondary question: packet captures of RDP connections look identical between the good and bad VPN, and yet the bad VPN has this multi-minute delay. So does anyone know how auto tuning actually determines network health, or if it does any probing I need to take into account?



Network related DNS issues?

I’ve been having this problem with both of my AD controllers (separate domains) since I implemented Cisco Meraki site-to-site VPN.

Here’s the issue: none of my VMs (or vCenter itself) can resolve the AD domain name. If a computer is joined to the domain, it gets a DNS response when the domain is queried. Outside of this, the Meraki router is the only device capable of resolving the name.

Windows devices are not able to reach domains across the VPN. If the DC is local to the computer it can resolve the domain name.

I’ve tried everything and I’ve also never experienced this issue before when deploying AD. This (plus the Meraki resolving the domain) leads me to believe it’s a network problem.

Behind the Meraki is a Catalyst 2960S 48-port switch. It’s a bit aged but it does the job. Are there Cisco settings that I’ve missed? Regular domains resolve just fine; just my ones that end in .local cannot resolve (I know not to use .local but I did it in this case).



Is There a VPN Server That Won't Show Up On Port Scans?

We try to keep a very small footprint with regard to open ports on our routers. Virtually none, with the exception of some RDS servers and some VPNs. A software vendor installing their solution told me their VPN server doesn't respond to traffic unless it is from their client. Is this a common thing and/or is there a VPN server that won't respond to a port scan but would allow the client to connect from any IP?



F5 Load Balancing / WAF alternatives

Hey /r/networking,

A previous thread I posted in the sysadmin subreddit led me to the F5 BIG-IP virtual appliance.

I just got out of the meeting with them and the list price is $2800 for just the load balancing (partners get it for much less), and another whopping $6,800 for the WAF.

My question: is there another comparable service that is more cost-effective? While we are prepared to spend $2800 if necessary, we would like to avoid it.

This is for balancing Kubernetes ingress across a multi-master cluster with NGINX ingress controllers running on each worker. Each worker has the same ports for HTTP and HTTPS.

Thank you!



MPLS+internet provider forcing to use only 1 port

Our provider is using ASR920s and does not want us to use more than 1 physical port on the device. The port is 10G SFP. They are saying they can't provide Internet and MPLS on multiple ports because there's an issue with shaping multiple ports on the ASR920.

We have a Fortigate for internet traffic and an ISR4431 with boost license for MPLS. Everything is redundant including the circuits (they have 2 ASR 920).

The 1 physical port constraint forced us to use a layer 2 switch (NX3000) in between the provider ASR and our devices. Now I want to add bandwidth capacity on the ISR4431, and I see no other way than configuring a Layer 2 port-channel and using VLANs. I am currently using layer 3 interfaces on the ISR. I don't know how much this will screw up the QoS config and don't know if it will be better to attach the QoS to the L2 port-channel or the VLAN interface. Do you have another scenario to suggest?



How to set up a free public wifi hotspot in small, rural community.

I am in the process of writing a grant to bring a few free public wifi hotspots to a few small (less than 1000 people) rural communities in my area. The goal being that kids/everyone without decent internet access at home would have somewhere to go without paying for the convenience (e.g. McDonalds, a coffee shop).

The service area would likely be no more than one city block, and perhaps a main square with a courthouse on it. I was thinking anywhere from 2-4 mesh nodes would work per location.

I have agreements from ISPs to donate service and installation, as well as cooperative business owners that would donate roof space for network equipment.

My biggest issue is finding which equipment to buy. I need to write the cost into my grant budget. I've heard good things about Meraki, but of course cannot seem to get someone from Cisco on the phone to answer my questions.

Also, if someone knows a management software that specializes in public wifi filtering and access, that would be great.

Any guidance would be very helpful.

Thank you!



Forecasting Latency

Is it possible to use raw KPIs (CPU usage, I/O throughput, etc.) to forecast QoS metrics like latency? Most forecasting/machine learning approaches I have seen so far are not scalable to real world scenarios. Do you have any insights about stuff that could actually work in a real world application? Thanks



Split tunnel QoS?

Good afternoon,

I've been racking my brain for a good 10 days now and can't really make sense of what I'm seeing.

I have (2) Cisco routers -- (1) at HQ and (1) at a site office. These (2) routers have an IPSec tunnel between them both (loosely) following this guide: http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html

I have (2) VLAN's which I care about -- VLAN10 and VLAN20. VLAN10 is for LAN and VLAN20 is for Voice. The SIP provider is cloud based, so having voice traverse the tunnel just adds extra overhead/latency/etc. so I'd prefer a split tunnel approach.

This works, and works well... until I want QoS with NAT.

My configuration is as below:

!
version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TEST01
!
boot-start-marker
boot-end-marker
!
enable secret 5 <NO DICE>
!
no aaa new-model
ethernet lmi ce
memory-size iomem 10
!
ip dhcp excluded-address 10.99.10.1 10.99.10.99
ip dhcp excluded-address 10.99.10.200 10.99.10.254
ip dhcp excluded-address 10.99.20.1 10.99.20.99
ip dhcp excluded-address 10.99.20.200 10.99.20.254
!
ip dhcp pool Data
 network 10.99.10.0 255.255.255.0
 update dns override
 default-router 10.99.10.1
 dns-server 10.0.200.10 10.0.200.20
!
ip dhcp pool Voice
 network 10.99.20.0 255.255.255.0
 default-router 10.99.20.1
 dns-server 8.8.8.8 8.8.4.4
!
no ip domain lookup
ip domain name <NO DICE>
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn <NO DICE>
!
username <NO DICE> password 7 <NO DICE>
!
class-map match-any class-voice
 match access-group name VLAN20
!
policy-map policy-voice
 class class-voice
  priority percent 25
policy-map policy-parent
 class class-default
  shape average percent 75
  service-policy policy-voice
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key VPN@Auth address IP_ADDRESS_GOES_HERE
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5 periodic
!
crypto ipsec transform-set Encrypt-AES esp-aes esp-sha-hmac
 mode tunnel
!
crypto map VPN 10 ipsec-isakmp
 description *** IPSec Tunnel to TUN01 ***
 set peer IP_ADDRESS_GOES_HERE
 set transform-set Encrypt-AES
 match address VPN-Traffic
 qos pre-classify
!
interface FastEthernet0
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 20
 no ip address
 spanning-tree portfast
!
!
!
interface FastEthernet4
 description *** WAN - ADSL - 10/1 MBit ***
 bandwidth 8500
 bandwidth receive 850
 ip address IP_ADDRESS_GOES_HERE 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map VPN
 service-policy output policy-parent
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description *** Data ***
 ip address 10.99.10.1 255.255.255.0
 ip virtual-reassembly in
!
interface Vlan20
 description *** Voice ***
 ip address 10.99.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list WAN-Traffic interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 24.114.6.193
ip ssh version 2
!
ip access-list extended VLAN20
 permit ip 10.99.20.0 0.0.0.255 any
ip access-list extended VPN-Traffic
 permit ip 10.99.10.0 0.0.0.255 any
 permit ip 10.99.20.0 0.0.0.255 any
ip access-list extended WAN-Traffic
!
control-plane
!
line con 0
 logging synchronous
 login local
 no modem enable
line aux 0
line vty 0 4
 password 7 <NO DICE>
 login local
 transport input ssh
!
!
end

In this current configuration, if I connect a workstation to port 1 (VLAN10), my traffic traverses the tunnel and if I issue the command "show policy-map interface fa4" -- I can see "class-default (match-any)" traffic counters increasing.

If I repeat the above with port 2 (VLAN20), I can see "class-voice" traffic counters increasing.

What I WANT to do is change my ACL to the following:

ip access-list extended VPN-Traffic
 permit ip 10.99.10.0 0.0.0.255 any
ip access-list extended WAN-Traffic
 permit ip 10.99.20.0 0.0.0.255 any

... But whenever I do this, "class-voice" traffic counters stop increasing and everything gets grouped as "class-default (match-any)" instead. I'm seriously at a loss here; it doesn't make sense to me why this is happening.

Any assistance or pointers would be greatly appreciated.

Thank-you!



Did Cisco bother to use an editor for the CCNP ENARSI study guide? The book is riddled with grammatical errors.

Just flipped to the chapter on VRF to familiarize myself with how Cisco implements L3VPNs on their equipment. So far the pronoun "it" has been spelled as the abbreviation "IT", and there is a period in the middle of the following sentence:

"Therefore, each of these virtual networks need to have its own r.outing table to ensure isolation."

Probably minor overall but not impressed with what it says about these published works.



Subnetting in a largely unmanaged environment

Hey All,

Is there a way to segment devices into different subnets without VLAN tagging? Maybe some janky multiple DHCP pools sitting on VLAN 1? I'd love to be able to create a new "x subnet and VLAN" but I have no way of tagging it before it gets to my core.

Note: I can get and use MAC addresses, I'm trying to avoid bringing in vendors to set/change static IPs for random BAS devices.

Context:

I have a site that, through decades of neglect and the adding of systems from different vendors, is a mess. I've done what I can to get some visibility. The environment is daisy chain into daisy chain into more daisy chains, dozens of different types of switches, all largely unmanageable.

This is a remote location but I did get a chance to visit. I installed a firewall and an L3 switch and did some basic mapping (identified 6 different subnets). I eliminated as many daisy chained switches as I could and connected them directly to my new layer 3 switch, but time was the big limiting factor and my primary concern was getting remote access and some level of visibility.



Possible to reboot a PoE WAP connected via PoE Injector to Managed Network Switch?

Morning Reddit,

Please pardon me if this answer is already somewhere else on the internet, I wasn't able to find it with the keywords I chose.

I am curious to know if it is possible to reboot a Wireless Access point that is powered via a PoE Injector that is connected to a Non-PoE Managed Network switch.

I want to make sure I can reboot the WAP by a simple shut/no shut as you normally would for any PoE device connected to a PoE switch, only problem is that the switch is non-PoE.

My fear is that the PoE injector will keep the device alive and the shut/no shut will do nothing.



What causes IP cameras to drop connection?

They're on their own VLAN, but every once in a while, all connections to the cameras will drop off, and come back within a few seconds.

https://i.imgur.com/Ndp2C1W.png

These are ACTi ONVIF cameras; the cameras use UDP multicast.

https://i.imgur.com/wLFbAbM.png



BGP AS filtering

What's a good BGP command (Cisco) to filter an ASN that I don't want in my network, or just remove all if there isn't one?

I want to filter AS 555, but replace-as will not work since it only replaces the 111 with my own. I can't use remove-private-as because I'm using a private AS.

show ip bgp 2.2.2.2/32

*> 2.2.2.2/32       172.16.1.11      1 111 222 444 555 9999