Saturday, September 4, 2021

Why can't I use private DNS on a mobile network?

I've tried everything to fix this; no matter what I change or override, it always uses no DNS, or if I use automatic, it will use a random Google DNS. But I can't use Cloudflare no matter what I try. Does anyone know the reasoning behind this? Any help would be greatly appreciated.



Network Engineer Salary in Michigan

So I am having a hard time figuring out where I should be salary-wise. Let me explain...

I was in the Army until 2012; I was medically retired after a combat injury. I started going back to school in 2019 and have my BS in Network Security with a minor in Mathematics. My current employer is a reseller and channel partner for thousands of OEMs; as such, they ask a lot of their engineers.

Since working there, I have obtained my CCNP Security, Palo Alto PCNSA, Fortinet NSE 5, Aruba Clearpass ACCP, and other certifications from Ekahau, Dell, and HP.

My current title is Associate Regional Engineer, and my salary is 65,000 with the potential of up to 6,500 in yearly bonuses.

I was fully prepared to start at the bottom, but I think the work I have put into learning, along with my employer sending me on solo projects, puts me above an Associate (entry-level) position. What I have trouble reconciling is that I literally just graduated, and I have less than a year of actual OTJ experience, while I am older than the majority of entry-level employees (38) and I have been working with IT personally for many years, on top of military leadership/project management experience.

I haven't worked in a civilian role since I was 19, so I just want to ensure I don't get taken advantage of.

Thoughts / opinions?



Edgerouter-12 and SonicWall - Internet connectivity issue

Hi all,

I am running into an issue between a SonicWall and Edgerouter ER-12; I'll try to be as specific as possible since the diagram isn't too detailed. Been knocking my head against the wall because this seems like it should be a no-brainer.

The Ciena SDS patches into the WAN X1 port on the SonicWall. The X1 interface is configured with a static IP from a /29 provided by the ISP.

The SonicWall X0 LAN interface connects to the WAN interface eth9 on the ER-12.

Interface eth0 is configured with several VLANs. eth0 connects to the trunk on the switch, and connected devices on the access ports work as expected. Devices on VLANs configured with DHCP pick up their intended IP addresses. So no problems there.

The issue that is occurring is that the router is not passing internet traffic from eth9 WAN to eth0 LAN. I have plugged in directly from the X0 interface, assigned a static IP/DNS, and have full internet access. However, when connecting to any VLAN on the eth0 LAN port of the ER, I get no internet access. IP and DNS get assigned via DHCP, but no internet.

I can ping to the eth9 interface (10.10.10.2/29) successfully from other VLANs on the eth0 LAN interface. I cannot ping the Interface X0 LAN (10.10.10.1/29).

However, when I set a static IP on my laptop and connect to another interface on the SonicWall (X2) that is in the same interface group as the LAN (X0) I can ping the ER interface eth9.

I don't have access to configs at the moment, but can try to post them later. However, I can provide more info if someone is willing to give advice. Thanks for any help.

Network diagram - https://imgur.com/QAdfQtY



AnyConnect VPN, granular access based on multiple AD group membership

Hi all!

The company I work for has the following setup:

  • ASA VPN
  • ISE
  • several subnets (/26-/30)
  • Azure AD
  • Integration between ASA and Azure AD via NPS server (MFA, AAA)

Each subnet is mapped to an Azure AD group via ISE (see SGT explanation below).

The business would like the AnyConnect users to reach these subnets only when the user is a member of the corresponding group, in a mix-and-match fashion. Example:

User 1 belongs to group A and B = can access both subnet A and B
User 2 belongs to group B = can only access B

(explained very similarly here)

SGT setup: In ISE, we map each subnet to its own SGT tag, and each AAD group to its own SGT tag. The ASA ruleset is therefore based on SGTs (src/dst) instead of IP/Subnet objects.

The big limitation in this approach is how the ASA sees the AnyConnect user: when the user connects, it belongs to only one AAD group (SGT) at a time. This breaks the mix-and-match-multiple-groups requirement.

I have been searching for a solution to this need, and all I could find is the following:

I am afraid both of the above would not scale, as we are talking of hundreds of subnets/ad groups and consequently SGT tags.

Any idea? I am willing to radically review the approach. My knowledge of ASA and ISE is not so extensive, I am sure I am missing some bits.

Thanks!



Friday, September 3, 2021

VeloCloud Edges Disconnecting from Orchestrator and Enhanced HA Setup

Hi Team. I was wondering if any of you has experienced this kind of issue on the VeloCloud Edges. I understand that there are certain configurations in the VeloCloud Edges that require the device to reboot to take effect (even for minor configuration changes - https://kb.vmware.com/s/article/60247); however, we started seeing issues where the Edges are online, as we can ping their external and internal IP addresses, but they show as down in the Orchestrator. We have to manually unplug the Edges from the power to reboot them and regain connectivity to the Orchestrator.

Another issue we experienced today while working with VeloCloud Support: the VC TAC started to perform debug and tcpdump on the GE2 interface as we were troubleshooting an SNMP issue, then suddenly the GE2 interface went down in the Orchestrator, but we could still ping its IP address.

Our setup looks like this: two VC Edges in Enhanced HA, with two ISPs connected to each Edge. What is your take on using Enhanced HA instead of Active-Passive HA? Enhanced HA link: https://docs.vmware.com/en/VMware-SD-WAN/3.3/velocloud-admin-guide-33/GUID-AD69349D-E008-4D11-9F08-550FE3AE9981.html

As you may notice I have a lot of questions; yes, this is our first VC setup. So far it's doing great in terms of its SD-WAN performance, but we have issues managing it, even making simple changes, and trusting its stability.



Help! Need to rewrite source address on Cisco ISR 1841

I did something very dumb and missed configuring a default gateway on a printer at a remote site connected over MPLS through a Cisco 1841. There are no computers at the remote site I can remote into, and the big boss needs to be able to print to it remotely next week. I am quite rusty on my Cisco (I would know how to do this in a snap on a SonicWall). Is there a way to rewrite the source address of my port 80 traffic to the printer to an address on the inside interface, so the printer doesn't have to use a gateway?

10.x.y.z (server in datacenter)

10.a.b.c (outside MPLS interface of router)

10.g.h.1 (inside interface of router)

10.g.h.107 (stupid printer)

Port 80 traffic destined to 10.g.h.107 gets intercepted by the router and the source rewritten to 10.g.h.1 and translated back out; or port 80 traffic to 10.a.b.c gets translated to 10.g.h.107 with a source of 10.g.h.1; or something else?

Thanks for your help!!



EHWIC-4G-LTE-V on Verizon for home use

Have any of you managed to set up this Cisco (Verizon-LTE MC7750) card with a prepaid data plan?

When I try to activate this card on their prepaid website, I get this message after typing IMEI: "The phone associated with the Device ID you entered is not compatible with the Verizon Wireless network"

I tried the procedure on my existing cell phone service using the "Change Device" option. This is what I get when IMEI is entered: "We're Sorry! Unfortunately, we are unable to complete this request. You will not be able to change your device online at this time. Please call 888-294-6804 for further assistance."

My equipment is Cisco 1921 + EHWIC-4G-LTE-V

The signal is strong and the SIM card registers to the network without any problem.

Router#show cellular 0/0/0 network
Current System Time = Sun Aug 29 17:53:32 2021
Current Service Status = Normal
Current Service = Packet switched
Current Roaming Status = Home
Network Selection Mode = Automatic
Network = VZW
Mobile Country Code (MCC) = 311
Mobile Network Code (MNC) = 480
Packet switch domain(PS) state = Attached
Registration state(EMM) = Registered
EMM Sub State = Normal Service

Router#show cellular 0/0/0 radio
Radio power mode = ON
LTE Rx Channel Number = 3230
LTE Tx Channel Number = 23530
LTE Band = 13
LTE Bandwidth = 10 MHz
Current RSSI = -56 dBm
Current RSRP = -84 dBm
Current RSRQ = -11 dB
Current SNR = 8.8 dB
Radio Access Technology(RAT) Preference = LTE
Radio Access Technology(RAT) Selected = LTE



Arista -- setting up several multicast groups with different rendezvous point addresses

I am trying to set up an Arista DCS-7048T to listen to two different sets of multicast groups that have different rendezvous point addresses, all over one physical link. These are the commands I have tried so far. Note the addresses have been anonymized.

ip access-list standard WAN_1
   10 permit 239.0.0.0/24
   20 permit 239.0.1.0/24
   30 deny any
ip access-list standard WAN_2
   10 permit 239.0.2.0/24
   20 permit 239.0.3.0/24
   30 deny any
ip pim rp-address 192.168.0.1 access-list WAN_1 override
ip pim rp-address 192.168.0.2 access-list WAN_2 override

This doesn't work: joining the groups on a machine connected to the switch causes no packets to be received.

Setting up one set of groups individually, with one RP, works.

Sorry if this question is vague or doesn't make sense.

Here is more info about the switch:

Arista DCS-7048T-A-R
Hardware version: 01.05
Deviations:
Serial number: xxxxx
System MAC address: yyyyy
Software image version: 4.9.7
Architecture: i386
Internal build version: 4.9.7-1070657.EOS497
Internal build ID: 7517c179-ca6d-4e31-b0b0-bb2edfa04c58


Understanding ARP

Hi all,

I apologize if this isn't the right place to be asking these kind of questions, if it isn't I'll remove my post.

Anyway, I am new to networking and am studying to take my Net+ soon. I am having some difficulty with understanding ARP, so hopefully one of you can help.

I understand the basic principle of it: a computer is trying to talk to another on the same network, but it doesn't know its MAC address, only its IP, so it sends out a broadcast asking for the appropriate machine to send back the MAC. What I don't get is how the machine sending out the ARP request would already know the IP address of the destination machine. Do computers automatically query all other machines on the network for their IPs, or are they possibly stored in an accessible table on the network? I would get it if the ARP request was broadcast to every computer asking them all for their MAC, but I don't get how it already knows each individual IP on the network but not their respective MAC addresses as well.

Am I overthinking this, or is there something that I am missing? Thank you all for your help!
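The short answer is that the IP address comes from a higher layer (the user typed it, DNS returned it, DHCP handed out the gateway, or a route lookup picked the next hop); ARP's only job is to turn that already-known IPv4 address into a MAC on the local segment. The following is an added example, not part of the post above: it builds and parses real RFC 826 Ethernet/ARP frames and runs a three-host segment so you can see that the request carries the target IP, goes to the broadcast MAC, and only the host that owns that IP replies. The hosts, MACs and 192.0.2.0/24 addresses are constructed for the demo.

```python
import struct
from ipaddress import ip_address

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (IPv4 over Ethernet, RFC 826)."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac   # requests are broadcast
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_address(sender_ip).packed
    arp += mac_bytes(target_mac) + ip_address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields as a dict, or None if this is not an IPv4 ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "op": op,
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": str(ip_address(body[6:10])),
        "target_mac": mac_str(body[10:16]),
        "target_ip": str(ip_address(body[16:20])),
    }


class Host:
    """Minimal host: an ARP cache plus the request/reply logic."""

    def __init__(self, mac, ip):
        self.mac, self.ip, self.cache = mac, ip, {}

    def resolve(self, target_ip):
        """(mac, None) on a cache hit; (None, request_frame) when ARP must be sent."""
        if target_ip in self.cache:
            return self.cache[target_ip], None
        req = build_arp(ARP_REQUEST, self.mac, self.ip, "00:00:00:00:00:00", target_ip)
        return None, req

    def receive(self, frame):
        """Handle one frame; return a reply frame if this host must answer."""
        p = parse_arp(frame)
        if p is None:
            return None
        if p["op"] == ARP_REQUEST and p["target_ip"] == self.ip:
            self.cache[p["sender_ip"]] = p["sender_mac"]      # learn the asker too (RFC 826)
            return build_arp(ARP_REPLY, self.mac, self.ip, p["sender_mac"], p["sender_ip"])
        if p["op"] == ARP_REPLY and p["target_mac"] == self.mac:
            self.cache[p["sender_ip"]] = p["sender_mac"]      # fill in the missing MAC
        return None


def demo():
    """A (192.0.2.10) already knows B's IP and resolves B's MAC over a 3-host segment."""
    a = Host("02:00:00:00:00:0a", "192.0.2.10")
    b = Host("02:00:00:00:00:14", "192.0.2.20")
    c = Host("02:00:00:00:00:1e", "192.0.2.30")
    mac, request = a.resolve("192.0.2.20")          # cache miss -> broadcast request
    replies = [r for r in (h.receive(request) for h in (b, c)) if r is not None]
    for r in replies:                               # only B answers; C stays silent
        a.receive(r)
    return a.cache.get("192.0.2.20"), len(replies), b.cache.get("192.0.2.10")


if __name__ == "__main__":
    print(demo())   # ('02:00:00:00:00:14', 1, '02:00:00:00:00:0a')
```

Note that nothing in the frame authenticates the answer: any host on the segment that chooses to reply (or to send an unsolicited reply) can populate a neighbour's cache, which is why ARP spoofing works and why switches offer Dynamic ARP Inspection.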



IKE Phase 1 Error 4021 on Juniper SRX

I am configuring a remote access VPN on an SRX320, and when I test with the NCP client I get error 4021, "cannot contact gateway". I am not seeing what the issue is, and if someone here is available to assist I will happily provide my config.



mac address table constantly adding/removing devices every few minutes

Has anyone seen this issue in particular with Cisco switches in L2 mode where the mac address table is constantly adding/removing devices, mainly just printers or ip phones, every few minutes?

This is causing some huge issues with our dot1x, as they keep having to re-register. As seen below, this is some of the information:

Switch ver: * 1 52 WS-C2960S-48TS-L 15.2(2a)E1 C2960S-UNIVERSALK9-M

Printer below over a period of 10 minutes (no sleep mode turned on):

Operation: Deleted Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6
Operation: Added Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6
Operation: Deleted Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6
Operation: Added Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6
Operation: Deleted Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6
Operation: Added Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6
Operation: Deleted Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6
Operation: Added Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6
Operation: Deleted Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6
Operation: Added Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6
Operation: Deleted Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6
Operation: Added Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6
Operation: Deleted Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6
Operation: Added Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6
Operation: Deleted Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6
Operation: Added Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6
Operation: Deleted Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6

Run commands. On the port:

snmp trap mac-notification change added
snmp trap mac-notification change removed

On the switch:

mac address-table notification change interval 15
mac address-table notification change history-size 200
mac address-table notification change
mac address-table aging-time 1000
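When the notification history is long, it helps to turn the trap records into a per-(VLAN, MAC, port) flap count before reasoning about causes. The script below is an added example, not something from the post: it parses records in the exact "Operation: ... Dot1dBasePort: N" format shown above, including the run-together one-line form that copy-pasted logs often arrive in, and reports entries that cycle Deleted -> Added more than a threshold number of times. The sample text is constructed; the second MAC, VLAN 20 and port 12 are made up for contrast.

```python
import re
from collections import Counter

# One trap record. findall() over the whole text also handles the case where
# every record sits on a single long line instead of one record per line.
RECORD = re.compile(
    r"Operation:\s*(Added|Deleted)\s+Vlan:\s*(\d+)\s+"
    r"MAC Addr:\s*([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+Dot1dBasePort:\s*(\d+)",
    re.IGNORECASE,
)

# Constructed sample in the post's trap format (not the poster's full log).
SAMPLE = (
    "Operation: Deleted Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6 "
    "Operation: Added Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6 "
    "Operation: Deleted Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6 "
    "Operation: Added Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6 "
    "Operation: Deleted Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6 "
    "Operation: Added Vlan: 108 MAC Addr: 9c93.4eb7.1b5b Dot1dBasePort: 6\n"
    "Operation: Added Vlan: 20 MAC Addr: 0011.2233.4455 Dot1dBasePort: 12\n"
    "Operation: Deleted Vlan: 20 MAC Addr: 0011.2233.4455 Dot1dBasePort: 12\n"
)


def parse_events(text):
    """[(op, vlan, mac, port), ...] in the order the records appear."""
    return [
        (op.capitalize(), int(vlan), mac.lower(), int(port))
        for op, vlan, mac, port in RECORD.findall(text)
    ]


def flap_report(events, min_flaps=2):
    """Count Deleted-then-Added cycles per (vlan, mac, port) and keep the noisy ones.

    A single Deleted with no later Added (a host that really left) is not a flap,
    and an Added without a preceding Deleted (first learn) is not one either.
    """
    pending, flaps = set(), Counter()
    for op, vlan, mac, port in events:
        key = (vlan, mac, port)
        if op == "Deleted":
            pending.add(key)
        elif key in pending:           # Added right after a Deleted: one flap cycle
            flaps[key] += 1
            pending.discard(key)
    return {key: n for key, n in flaps.items() if n >= min_flaps}


if __name__ == "__main__":
    for (vlan, mac, port), n in flap_report(parse_events(SAMPLE)).items():
        print(f"vlan {vlan} port {port} {mac}: {n} flaps")
```

Feed it the real history (`show mac address-table notification change history` output) and the ports with the highest counts are the ones whose link state, power-save behaviour or dot1x session timers are worth checking first.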


TCP Retransmits and weird ACKing bottlenecking without packet loss

Hi!

Relevant image from wireshark capture at client: https://zerobin.no/?659ba3fb227ee99d#GHWgarZnReicdZWGb75R9CumYD5GbtQAbv2mog1wChzn
(3 segments received at the same time, 1st segment re-transmitted 0.02 s later and just after the client ACKs the first three segments)

We're struggling with a machine "here and there" in our ~1000-machine network where suddenly connections to servers drop from ~850 Mbps down to 2.5 Mbps. This happens within a session; it can be an SQL-requiring application, SQL performance testing, SMB or iPerf, anything really.

If we have two computers simultaneously transferring data from a server, both located at the same place in the network, one can struggle and one can be fine. The next day it's the opposite. This happens at any of our ~100 directly fiber-connected sites towards our DC. The DC has 4 ESX hosts and different switches, none of which seem to have any problem, and the issue can arise on whichever server. I'm also sure we've managed to get, for instance, 2.5 Mbps on the iperf while at the same time 850 Mbps in the SQL performance tester: same client<->server, at the same time!

We seem to have drilled it down to the above linked image. Everything works well until suddenly TCP ACKs from the client are delayed by 20 ms as opposed to the normal ~0.1 ms (as seen in the client capture), at which time the server has already started re-sending segments (see TCP Duplicate-package). When this first starts happening, it happens a lot that day for that client, but may be fine again the next day, while another machine gets the problem.

The 10.82.66.16 is the client in this case, and 10.82.24.115 is the server. A full capture of the stream as seen by the client can be downloaded here: https://dropmefiles.com/QJ1ZA (never used that service before, but seems legit). Stream from FW and server looks the same, but I no longer have the files :|

We don't experience any other problems really; we have low jitter and practically no packet loss with ping flood/UDP iperf. We did try to set TcpAckFrequency to 1, which temporarily did actually, for some reason, help, although we also see the problem with UDP. It works when the client is on WiFi, with APs connected to the same switches. There are no dropped packets on switches, firewall or router.

We've tried not offloading the sessions in the firewall as well, but it really doesn't seem to make any difference, and the captures done at the server, FW and client simultaneously are quite identical. On all three, we see the problem arise when the client waits those magic 0.02 s before ACKing and the server starts retransmitting frames.

Hopefully someone can help, this is a true headache...
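The pattern described above (data arrives, the ACK lags by ~20 ms, the sender has already retransmitted, then a duplicate ACK) is easy to miss by eye in a long capture but easy to score programmatically. The analyzer below is an added example and not from the post or its capture: it walks a packet list and flags ACKs that trail the newest data they cover by more than a threshold, retransmitted sequence numbers, and duplicate ACKs. The trace is constructed to mimic the post's description, using the client and server addresses the post gives; it is not the real capture.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    t: float      # capture timestamp in seconds
    src: str
    dst: str
    seq: int      # relative sequence number
    ack: int      # relative acknowledgement number
    length: int   # TCP payload bytes


CLIENT, SERVER = "10.82.66.16", "10.82.24.115"

# Constructed trace: three 1460-byte segments arrive together, the client ACKs
# them 20 ms later, and by then the server has already re-sent the first one.
TRACE = [
    Pkt(1.0000, SERVER, CLIENT, 1, 1, 1460),
    Pkt(1.0001, SERVER, CLIENT, 1461, 1, 1460),
    Pkt(1.0002, SERVER, CLIENT, 2921, 1, 1460),
    Pkt(1.0200, CLIENT, SERVER, 1, 4381, 0),     # ACK, ~20 ms late
    Pkt(1.0201, SERVER, CLIENT, 1, 1, 1460),     # retransmission of seq 1
    Pkt(1.0202, CLIENT, SERVER, 1, 4381, 0),     # duplicate ACK
    Pkt(1.0300, SERVER, CLIENT, 4381, 1, 1460),
    Pkt(1.0301, CLIENT, SERVER, 1, 5841, 0),     # prompt ACK, ~0.1 ms
]


def analyze(trace, server, client, ack_delay_ms=5.0):
    """Score one server->client stream as seen at the client.

    seen:       first time each server data segment (by seq) was observed
    retrans:    (time, seq) for any seq observed a second time with payload
    slow_acks:  (time, delay_ms, ack) when an ACK lags the newest data it covers
    dup_acks:   times of ACKs that repeat the previous ack number
    """
    seen, retrans, slow_acks, dup_acks = {}, [], [], []
    last_ack = None
    for p in trace:
        if p.src == server and p.dst == client and p.length > 0:
            if p.seq in seen:
                retrans.append((p.t, p.seq))
            else:
                seen[p.seq] = p.t
        elif p.src == client and p.dst == server and p.length == 0:
            if p.ack == last_ack:
                dup_acks.append(p.t)
                continue
            last_ack = p.ack
            covered = [t for seq, t in seen.items() if seq < p.ack]
            if covered:
                delay_ms = (p.t - max(covered)) * 1000.0
                if delay_ms > ack_delay_ms:
                    slow_acks.append((p.t, round(delay_ms, 1), p.ack))
    return {"retransmissions": retrans, "slow_acks": slow_acks, "dup_acks": dup_acks}


if __name__ == "__main__":
    for k, v in analyze(TRACE, SERVER, CLIENT).items():
        print(k, v)
```

To run it on the real capture, build the `Pkt` list from any pcap reader (scapy's `rdpcap` gives you time, IP addresses, `seq`, `ack` and payload length per packet) and run the same analysis on the client, firewall and server captures; if the slow ACKs and the retransmissions line up across all three vantage points, the delay is introduced at the client before the ACK leaves it, not in the path.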



Having a hard time passing credentials to proxy server for PIP and my IDE

Hello,

I have been struggling to solve this problem all week. Essentially I have been unable to pass proxy authentication so I can add/update modules for pip and other things. I've tried statically setting my proxy credentials from the Windows command line and adding the credentials to the command itself to pass them through the proxy server.

python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org --proxy http://USERNAME:PASSWORD@PROXYHTTPADDRESS:PORT --PIPCOMMAND OR MODULE

The error codes being kicked out in Splunk and on command line are:

407 TCP_DENIED_CONNECT authentication_failed DENIED

(I know we can utilize a bypass but I really want to figure out why this is happening)
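One thing worth ruling out before touching the proxy itself is how the credentials survive the URL. pip, requests and urllib all parse `http://USER:PASSWORD@HOST:PORT` as a URL, so an `@`, `:`, `#` or `%` in the password, or a backslash in a `DOMAIN\user` name, lands in the wrong field unless it is percent-encoded, and the proxy then sees garbage and answers 407. The helper below is an added example, not from the post: it builds a correctly encoded proxy URL and shows what a URL-parsing client extracts from the naive and the encoded forms. The account, password and proxy host are constructed placeholders.

```python
from urllib.parse import quote, unquote, urlsplit
import urllib.request


def proxy_url(user, password, host, port, scheme="http"):
    """Proxy URL whose userinfo is percent-encoded per RFC 3986, so delimiter
    characters inside the credentials cannot be mistaken for URL structure."""
    return f"{scheme}://{quote(user, safe='')}:{quote(password, safe='')}@{host}:{port}"


def credentials_seen_by_client(url):
    """What a URL-parsing client (pip, requests, urllib) actually extracts."""
    s = urlsplit(url)
    try:
        port = s.port
    except ValueError:          # something non-numeric ended up in the port position
        port = None
    return {
        "user": unquote(s.username) if s.username else None,
        "password": unquote(s.password) if s.password else None,
        "host": s.hostname,
        "port": port,
    }


def opener_for(url):
    """urllib opener that sends http and https requests through the proxy URL."""
    handler = urllib.request.ProxyHandler({"http": url, "https": url})
    return urllib.request.build_opener(handler)


# Constructed credentials (assumed, not the poster's): a domain account whose
# password contains characters that double as URL delimiters.
USER, PASSWORD, HOST, PORT = "CORP\\alice", "p@ss:w0rd#1", "proxy.example", 3128

NAIVE = f"http://{USER}:{PASSWORD}@{HOST}:{PORT}"    # what people type by hand
ENCODED = proxy_url(USER, PASSWORD, HOST, PORT)      # what the client needs

if __name__ == "__main__":
    print("naive  :", credentials_seen_by_client(NAIVE))
    print("encoded:", credentials_seen_by_client(ENCODED))
    # opener_for(ENCODED).open("https://pypi.org/simple/") would use the proxy
```

The same encoded string is what goes into `pip --proxy`, `pip config set global.proxy ...` or the `HTTPS_PROXY` environment variable. If the encoded URL still draws a 407 with `authentication_failed`, the problem is on the proxy side (wrong realm, or a scheme such as NTLM/Kerberos that basic credentials in the URL cannot satisfy) rather than in the URL.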



Cisco WLC - FlexConnect APs - AirPlay/screen share

Hi,

I'm having a bit of an issue at the moment.
We're running two different WLCs due to the fact that we have some locations which have older APs still in use that are locally configured. The other (newer) WLC has FlexConnect APs with local outbreak.

On the old locally configured WLC I managed to get AirPlay with screen share working through mDNS configuration, but that's not an option on a FlexConnect network. Right now I'm at my wits' end trying to figure this out.

Anyone have any specific tips on setting up AirPlay and screen share on a WLAN with FlexConnect-configured APs?

The switches all have igmp snooping enabled.

The router I'm running is a Meraki MX68.

Thanks in advance!



Philosophy on right-sizing a Cloud DC / ISP PoP

Dear sub,

I am working with a cloud provider / internet service provider in the SME market.

We are planning to build a new location and I am tasked with designing the new DC and ISP networks.

At the moment I feel somewhat overwhelmed by the available options and am looking for some guidance and second opinions.

Cornerstones of my thought process on requirements:

- The initial size will be about 4 racks, growing to about 10-20 racks in the next three years.

- We are serving the SME market but require a somewhat enterprise-ish setup to achieve high uptime.

- Growth comes in surges and is hard to plan ahead. So the network should be scalable and easy-to-understand.

- The ISP network-side uses a distributed PoP design, every PoP has two core routers and varying numbers of routers for peering/access and the like.

- Our existing DC locations have layer2 spine-leaf DC networks implemented, as it spans only a couple of racks.

- A layer3 spine-leaf network is high on the wishlist though.

- The DC network will host both VMware NSX with VXLAN as well as OpenStack with VXLAN, where on both occasions software VTEPs are used "within" the cloud environments.

- There will be some 'traditional' workloads, so something like VXLAN on the physical network is required.

- Budget is tight as always, so we are not even looking at Cisco, maybe at Arista/Juniper but more likely towards affordable vendors like FS.com and Mikrotik.

Now here's the struggle:

The spine leaf network in itself will be rather small (2 spines, initially 8 leafs) and might grow into a 40-ish amount of leafs (2 per rack).

Is it worth the 'overhead' going all L3, or on the other hand is it worth the 'risk' of building an L2 network (again)?

Most L3 spine-leaf designs go eBGP all the way. Spines into one private ASN, leafs into another private ASN (or more). Can I / should I dual-use my beefy spine switches to also act as core routers in the ISP PoP? We carry only a small amount of routes internally. I sense trouble having both our public ASN and the private spine-ASN on the same boxes. Could be a management nightmare, even if technically possible. But it is appealing from a budget perspective.

The latest and greatest in L3 spine-leafs seems to be the introduction of EVPN. Does that make sense for a small deployment, or should we stick with 'only' VXLAN?

We do have access to two independent DC rooms at the new location and we can utilize racks in both DCs. Given the small footprint it seems a total overkill to build two completely independent networks in terms of required components. But spanning the spine-leaf network over both rooms bears a cost in the many required cross connects.

I appreciate any thoughts and suggestions. I have a feeling I have driven myself into a mental corner on how to right-size this :-)



Have any of you built virtual labs for training other teams? How?

I work for a service provider (mix of Cisco and Juniper) and we'd like to start training 1st and 2nd level support teams on various technologies related to our company. (We mostly do MPLS and L2 stuff, with some L3 BGP.)

The dream is to have some kind of remote server with GNS3 or something where people can log into and load pre-built topologies with scenarios to train on (like ospf misconfigured or something like that). It would also be nice to have a sandbox mode where people can build their own topologies. If the topology gets really messed up, we can always blow it away and reset it.

Does anyone have something like this? Does it handle layer 2 technologies ok? (I remember a while ago GNS3 had issues with L2 tech and you couldn't virtualize switches, not sure if that's still the case)



Looking for SonicWall 7th Gen devices' maximum configurable number of DHCP leases

Gen 6 SonicWalls have a limit on the maximum DHCP leases that you can configure based on the spec of the device:

http://help.sonicwall.com/help/sw/eng/6700/26/2/4/content/Network_DHCP_Server.042.02.html

Have these limits changed in SonicOS 7 devices? I can't find any info on the TZx70 range or the NSa x700 range.

Does anyone have some secret documentation?! or have a 7th gen device and is willing to test for me?

Thanks in advance



Fortinet WebFilter services down?

Hi everyone.

Last night a user on my network reported to me that he could not browse the internet. I checked, and in fact Google search worked, but every web page was then blocked by the web filter. So I investigated on the FortiGate and noticed (by going to System > FortiGuard) that the WebFilter and AntiSpam services were down.

After a few hours they came back up on their own.

I just contacted Fortinet to try to get confirmation from them whether there were any problems on their servers, but they told me that for now they have not noticed any problems on their side.

Everything else (connectivity and various services on our side) worked perfectly, I checked.

What can I do? Did anyone else have the same problem last night? It happened around 6PM CEST on September 2nd. If needed, the Firewall is in Europe.



Stuck in a Network Innovations Department Manager; No Idea What These People Should Do

Well, I got stuck in charge of a network innovation team. My tech credentials: high level, nigh non-existent. I was put in charge because I'm a good project manager, and previous technical people proved to be horrible at managing projects. So here I am -- yay...

My team appears competent, but they focus on small tasks and have no larger ideas.

So I'll just ask (because I don't care what people say, Reddit is probably the best invention ever): Does anyone have any simple ideas to improve enterprise networking?

At this point, not a lot of money, so Cisco programs and router refreshes are off the table. Does Reddit have any simple, low-cost suggestions I can put this team on? At this point, all valid ideas are welcomed. Thanks, Reddit, because at this point I'm phucked, yo.



Thursday, September 2, 2021

Industrial Enterprise OT/IT

Are there any members of this community that work for an industrial enterprise that work with some operational technology? I will start a new job soon as an OT Network Engineer and I'm wondering if people have continued to pursue their CCNP and CCIE while in OT roles. I'm currently working on my ENCOR and plan to continue to do so. I'm just interested to know the different paths of OT that people have taken and also the balance between OT and IT for anyone that does both.



ISP or Microsoft Teams Issue? | RST Packet Seen but from Different TTL Value | TLS Handshake Failure?

Hi All,

Ran into an issue where our desk phones connecting to Microsoft Teams failed to authenticate. We did several troubleshooting steps and comparisons to narrow down the issue. Key points below.

  • We see that the client is able to complete the TCP handshake.
  • The client is able to send a "Client Hello" with TLS version 1.2; however, there is no response from the server, and so it falls to the TLSv1 record table.
  • From the Microsoft Teams document, both client and server should agree on TLS 1.2 minimum.
  • We are seeing RST packets from different hops.

From the picture depicted below. (Wireshark Capture on WAN router).

a. RST was triggered from closer to our CE, about 3 hops away.
b. RST was triggered from closer to Microsoft; a TTL value of 101 is Microsoft, TTL 100 is still unknown.
The commonality is that the reset packet comes from the public space.

PCAP: https://ibb.co/Ms96RNz

  1. Based on these captures, Is this actually an ISP or Microsoft issue?

  2. Does the ISP possibly handle Microsoft traffic differently compared to other public destinations, which are working / can communicate using the latest TLS 1.2/1.3?

  3. Is this something on Microsoft end not allowing the client hello and not participating in TLS handshake? 

  4. What approach in your opinion is best for this issue? should we go ask our ISP to route to a different path ?

Thank you
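The TTL observation in the post is the right thing to key on: a genuine RST from the server leaves with the same initial TTL and crosses the same hops as the server's own SYN-ACK, so it should arrive with the same TTL, whereas a reset injected by a middlebox on the path arrives with a different TTL (typically higher, because it travelled fewer hops). The detector below is an added example and not the poster's capture: it records the TTL of the first non-RST packet per flow direction and flags any RST in that direction whose TTL disagrees, printing a hop estimate under the usual 64/128/255 initial-TTL assumption. The packets, the client 10.0.0.5 and the server 203.0.113.10 are constructed, and the TTL values 101 vs 100 are chosen to mirror the post's numbers.

```python
# Constructed packets, not the poster's capture:
# (time, src, dst, sport, dport, ip_ttl, tcp_flags)
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
PKTS = [
    (0.000, CLIENT, SERVER, 51000, 443, 128, "S"),
    (0.030, SERVER, CLIENT, 443, 51000, 101, "SA"),   # server's own TTL as seen here
    (0.031, CLIENT, SERVER, 51000, 443, 128, "A"),
    (0.032, CLIENT, SERVER, 51000, 443, 128, "PA"),   # TLS Client Hello goes out
    (0.040, SERVER, CLIENT, 443, 51000, 100, "R"),    # "server" RST, TTL off by one
    (1.000, CLIENT, SERVER, 51001, 443, 128, "S"),
    (1.030, SERVER, CLIENT, 443, 51001, 101, "SA"),
    (1.031, CLIENT, SERVER, 51001, 443, 128, "A"),
    (1.050, SERVER, CLIENT, 443, 51001, 101, "RA"),   # RST consistent with the SYN-ACK
]

INITIAL_TTLS = (64, 128, 255)   # common OS defaults; an assumption, not a fact about the peer


def hops_from_ttl(ttl):
    """Estimated hop count: distance from the smallest common initial TTL >= ttl."""
    start = min(t for t in INITIAL_TTLS if t >= ttl)
    return start - ttl


def suspect_rsts(pkts):
    """Flag RSTs whose IP TTL disagrees with the sending peer's own earlier packets.

    baseline maps a one-directional 4-tuple to the TTL of the first non-RST packet
    seen in that direction; a later RST in the same direction should match it.
    """
    baseline, findings = {}, []
    for t, src, dst, sport, dport, ttl, flags in pkts:
        key = (src, dst, sport, dport)
        if "R" not in flags:
            baseline.setdefault(key, ttl)
            continue
        base = baseline.get(key)
        if base is None:
            findings.append({"time": t, "flow": key, "ttl": ttl, "baseline": None,
                             "reason": "RST with no prior packet from this peer"})
        elif ttl != base:
            findings.append({"time": t, "flow": key, "ttl": ttl, "baseline": base,
                             "reason": (f"RST TTL {ttl} vs baseline {base} "
                                        f"(~{hops_from_ttl(ttl)} vs ~{hops_from_ttl(base)} hops)")})
    return findings


if __name__ == "__main__":
    for f in suspect_rsts(PKTS):
        print(f["time"], f["flow"], f["reason"])
```

A mismatch is a triage signal, not proof: asymmetric return paths or a load balancer fronting several backends can legitimately change the TTL. It is strong, though, when it coincides with a Client Hello that never gets a Server Hello, which is the classic signature of a device on the path terminating the TLS attempt it does not like. Compare the flagged flows against captures taken at a second vantage point (or from a different ISP) before deciding whether to ask the ISP to reroute.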



Microhard Bullet LTE - SMS Forwarding to Local Network?

We have a Microhard Bullet LTE deployed on a remote site. Able to SSH into the device and read SMS messages, send SMS messages, etc. But the commands seem rather limited (e.g. it's like your typical Linux commands are disabled). Our intent is to be able to issue custom commands/payloads to the device via SMS which it can then forward to specific host names which are DHCP'd on a 12 hour cycle. It is desirable to do this via SMS because it is quickly performed while operators are on the road.

Just wondering if anyone has any ideas or work arounds for how to achieve this. The only thing I can really think of (with my limited experience) is to get a bash script going on a separate machine on the network which will SSH into the device, read the most recent message, and then relay accordingly. Although my intuition tells me this is inefficient, despite being simple.



routing drops to single site across wan link

I have two buildings (A & B) that connect to our network provider's WAN via 10Gb links. All other buildings (15+) connect via 1Gb links. The network provider's equipment is not seen by my equipment as being there, just my equipment.

Simple static routes:

ip route 10.1.0.0 255.255.0.0 172.16.1.1 (building A)

ip route 10.2.0.0 255.255.0.0 172.16.1.2 (building B)

ip route 10.3.0.0 255.255.0.0 172.16.1.3 (building C)

and so on

Buildings A and B have static routes for all buildings, as they have servers/internet access that is provided to the other buildings.

Buildings C+ have three static routes, one each for A & B networks, one for 0.0.0.0 to either A or B, depending on where I want the internet traffic to exit the network

Issue pops up between buildings A & B, the 10gb links.

Buildings A & B lose the ability to directly talk to each other over their respective 10gb links.

Buildings A & B could still talk to the other buildings that have 1GB links, still using their 10gb links.

Building A could talk to building B if I routed the traffic through building C.

Rebooting the core switch at building B resolves the issue for 15/25 or so hours.

The switch was originally up for 80+ days.

No config/firmware changes made to either switch at building A or B in the weeks prior

New site/link added to network provider wan in late June without issue

Nothing jumps out in the event logs of the core switch at Building A or Building B. Basically nothing logged on either side prior to the random loss of connection.

These switches are different, but the current config has been in place for over 12 months with this network provider, and the switches have been in place for some 8 years or more.

Building A = Dell PowerConnect 8000 series, aka Force N4000 series

Building B = HP 5406zl

I had a second Dell switch at building A as a spare.

Moved it to building B... set up the WAN port like the HP 5406 was. Swapped the fiber from the 5406; the 10Gb link comes up/connected.

ping 10.1.0.1 or 172.16.1.1 - fails

ping 10.3.0.1 or 172.16.1.3 - GOOD..no drops.

like WTF????

switch fiber back to 5406... ping 10.1.0.1/172.16.1.1 - GOOD... no drops

switch back to Dell...failure occurs..

network provider says nothing has changed with their config/equipment.

Just waiting for the connection loss to occur tomorrow sometime, just like every day this week.

I'll provide configs if desired when I go back in the morning.

any thoughts?



EVE-NG Aruba CX and Nexus 9k virtual ACLs not working

Hey all

Racking my brain because something's not adding up here.
Tried doing IP ACL, VACL, IP port access groups, and none of them are working.

I even put a simple "deny ip any any" on a VLAN interface on a Nexus 9k virtual and it didn't stop a thing.

Anyone come across this? Any idea of a valid method to make them work (or a workaround at least)?

Even the 'switchport block multicast' command doesn't stop anything.

Is this just a limitation on EVE? maybe to do with the way it structures the virtual switching?



cross platform or vendor agnostic port security

Looking at options for doing dynamic port security, currently looking at ISE and Clearpass. Are there any other options out there that can do a simple assessment on device connect like is this device AD joined to x domain, put on vlan #, if it's not ad joined but matches a list of approved mac addresses on the IOT list put on ## vlan, otherwise put it on ###vlan?

Environment is mixed but primarily Cisco.



Comcast supervisor lying about troubleshooting policy?

This is what a Comcast Business technical operations supervisor told me in regards to my request that a technician plug their laptop into THEIR modem, configure THEIR static public IP they provide, and verify internet connectivity. Anyone ever heard this? They aren't allowed to fully troubleshoot the services they provide?

"As I have said before we do not connect to the static IP directly. However tomorrow I will have a tech onsite with my computer to check the static. He will enter your Static IP 50.215.29.85 into my NIC and ping 8.8.8.8 for 5-10 minutes, after which he will delete them and return my computer. I will update you on those findings ASAP. Going forward we will not be troubleshooting anything outside the scope of our normal Comcast policies."



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Recommendations for a stackable 25GbE switch

Hey guys,

Any suggestion to replace a core in a fairly small network.

Requirements are really quite simple:

  • Stackable with 2 units*
  • 48 ports of 25GbE SFP28 on each unit
  • Very basic L3 routing - basically intervlan (about ~100 vlans) routing and OSPF to upstream routers
  • Dual PSUs in each switch

Currently there is a pair of Dell/Force10 S4810 switches doing the job quite happily, but we need to bump the speed from 10Gb to 25GbE.

Before that a pair of 1Gb EX4200s was used.

*A stack is desired because there is a significant number of /27 VLANs that have their gateway IP residing on the core. There is no room in the subnets to shift to a VRRP type setup.

Stack seems to be the simplest way to achieve the gateway IP floating between two different physical switches in the core.

Open to suggestions of how to do it better though!



Another post looking for a cable tester

We have a few cable runs that we're seeing some issues on. Our HP switches can do some diagnostics and are showing intermittent shorts or open connections. I'd like to be able to verify that with something else, and our existing tester isn't doing it.

This would be used for testing cables after they are run and troubleshooting any issues. Not a heavy duty use item. We probably run 1-2 cables a month, if that.

Looking at the Fluke MicroScanner and the Fluke CableIQ. Is the CableIQ worth the extra money?



Enterprise proxy

Hi All, I'm a developer and new to the networking side of stuff. If someone can help answer, I'd really appreciate that. Currently in our company Jira (issue tracking tool) is exposed over the internet in production, and a Checkpoint firewall is also in front of the Jira instance. We also have a QA Jira instance which is solely internal to our corp network, but right now the problem we have is we are trying to ingest data from several third party vendors, but because our QA Jira is not exposed to the internet we can't test it out, and currently testing is happening on prod. I know that is not good, but that is what it is. Why can't our network admins configure an enterprise proxy server in front of our QA Jira instance and expose it to the internet? Also, do you guys recommend any enterprise proxy solutions for such scenarios?



Did I noob error?

So I was looking at my router's options trying to make an exception for a specific device in my network. And the laptop I was using to look through lost connection. I have an Alienware Area 51m R1 and I've gone through every post I can find and troubleshot every option I can find. I've uninstalled and reinstalled, tried static IP settings, DNS flush. Still my laptop will not connect to my network, hardline or wifi. I've gone to Dell and got the drivers on a USB and got them over to the PC to try and redo it that way. But nothing seems to be making a difference... Did I just watch my network adapter card burn out? (Hardware, not software?) All my other devices have no issue, even the device I was in there for is working properly. It seems to be just my laptop.



S2S - Route-Based VPNs

Hello All,

For a route-based VPN, does the remote-end firewall need to have ping connectivity to a local device for a VPN to establish?

Device-A-->Switch-A--> FW-A ---> Internet---> FW-B -->Switch-B XX ---Device-B

For example, prior to a VPN being established, let's say two route-based VPN firewalls are attempting to connect via a Site-to-Site VPN across the internet. Device-A initiates the interesting traffic towards Device-B, but Device-B is not accessible via Site-B (right side). Traffic egresses FW-A but the VPN does not establish. Is the VPN failing to establish between the two route-based VPN firewalls because Device-B is not actually online, or is it still an issue with the VPN configuration settings?

I understand the concept behind IKE phase 1 and IPsec phase 2, but wasn't sure if the concept of policy-based VPNs was any different from route-based VPNs in terms of establishing the VPNs.

P.S. Be nice!

TYIA



Librenms and oxidized

I have LibreNMS installed and running without any issues. I have added on Oxidized, and when I attempt to run Oxidized it throws the following error:

/usr/lib/ruby/2.7.0/net/http.rb:960:in `initialize': Connection refused - connect(2) for "localhost" port 443 (Errno::ECONNREFUSED)

I have run ss to see what ports are in use:

icmp6 UNCONN 0 0 *%ens160:ipv6-icmp *:*

tcp ESTAB 0 0 172.16.10.14:ssh 172.16.20.31:1047

v_str ESTAB 0 0 4017246897:1023 0:976

I cannot identify what is using port 443.

I am running Ubuntu 20 with nginx as the web server.



Can't connect to Router

So I bought myself a Cisco RV340 for multi-WAN purposes. Today I wanted to connect it to my network, so I followed the instructions from the manual and the on-screen instructions. At the end I came across the step to update the firmware, which I wanted to do, but the RV340 said that there was no Internet connection, so I checked out my Internet router via WiFi and it had no connection.

Then I tried to connect to my Internet router, but all I get is a timeout. I can ping anything in my network except my router, not even over the failover IP. The router is not even listed in the Windows Explorer network view; it's only listed when I plug a LAN cable directly into it, but I still can't connect to it. If I click on the listed router it sends me to an IPv6 address which has the same GUI as my router, but I can't log in.

Does anyone know what happened?



Copper Ethernet cable flapping situation

Hi

I have a weird problem that I need some suggestions on:

I have an ethernet switch in one rack and a router in another rack in the same DC row.

Both pieces of equipment are connected via AC power to their own APC PDU (in each rack).

When we racked the router, we connected the MGMT port of the router to the switch via a 5m direct ethernet cable in the aisle of the row.

We saw that the link negotiated at 100Mbps and kept flapping.

We checked the config, as both the switch and router have 1Gbps ethernet ports.

Both interfaces were set to auto-neg and nothing defined for speed or duplex.

We swapped the 5m cable for another cable fresh from a factory baggie.

The same.

We swapped the cable again.

The same.

We set the switch and the router to 100Mbps full duplex and turned off auto-neg.

The link was at 100Mbps and still flapping.

We then reviewed the firmware versions on both the switch and the router and upgraded to recommended versions.

The link was still the same.

As each rack has an RJ45 patch panel back to a central cross-connection frame (which had been tested and certified on installation), we routed the link through that structured wiring.

The link was still the same.

We then connected a direct patch between the router and another switch in another rack.

1Gbps, rock solid.....

We then installed a patch between the original switch port and a laptop.

1Gbps, rock solid.

Thus there seems to be a weird situation between the original switch and the router, as we linked the router and switch separately to other devices and they both worked well independently.

I opened a TAC case and after review they said to check the grounding of the equipment/racks.

I have had the DC team review the rack grounding and they have confirmed that the equipment is bonded to the rack and the rack is bonded to a ground point somewhere in the DC.

The issue persists: it will only auto-neg to 100Mbps and flaps continuously.

Any suggestions?

Many thanks



Cisco telemetry pipeline recommendations? Problems with Big Muddy pipeline :(

Problem: the telemetry stack I am using will not update the InfluxDB measurements to add new sensor paths, no matter what I try.

My system: I was able to set up our Cisco IOS XR to send model-driven telemetry data via gRPC to a telemetry stack I stood up. The stack is based off the git repo for Big Muddy telemetry, found here. Note: the repo is archived; you need to change the branch to "final" to see code / issues / etc.

This stack includes some example subscriptions which I employed and which do work. They use these sensor paths:

 sensor-path Cisco-IOS-XR-wdsysmon-fd-oper:system-monitoring/cpu-utilization
 sensor-path Cisco-IOS-XR-nto-misc-oper:memory-summary/nodes/node/summary
 sensor-path Cisco-IOS-XR-fia-internal-tcam-oper:controller/dpa/nodes/node
 sensor-path Cisco-IOS-XR-procmem-oper:processes-memory/nodes/node/process-ids/process-id
 sensor-path Cisco-IOS-XR-infra-statsd-oper:infra-statistics/interfaces/interface/latest/generic-counters

But I CANNOT for the life of me figure out how to get the pipeline not to drop any new entries I add to its metrics.json file. I tried adding the TCAM YANG file found here.

  • Checked to make sure Cisco registered the sensor path
  • Checked Cisco to make sure it's sending data for that path to my pipeline
  • Checked the pipeline dump file (no new entries for new sensor-paths I add)

The main issue is that the Big Muddy pipeline is dropping any data I am sending to it based off the new JSON structure I created. It DOES preserve the original JSON-structured data (CPU, memory, interface info) but drops any new JSON structs I add for new YANG modules I want to add. This is based on how the Big Muddy pipeline module uses the JSON format to parse through YANG-structured data. I have yet to find an automatic way of converting YANG to JSON, so I am forced to trial and error the structure (mostly error).

Question 1: Has anyone else used the Big Muddy pipeline with success? How do I add new sensor paths / convert JSON so this system doesn't drop the gRPC data being sent?

Question 2: Does anyone recommend some other type of gRPC pipeline gatherer besides the one I am using? I really don't want to use this anymore, as it's archived and not in development anymore, but it's the only thing I found that works, made by the Cisco team. I like how the system uses InfluxDB with Grafana; any recommendations for a pipeline that links to these services would be great.



Help required with inter-VLAN multicast routing on IE2000 series switches

Hi Everyone, hope you are doing well. I require some help with multicast routing between VLANs.

Scenario: I am using 2 nos. IE2000 switches in the network which are connected to a WS-C3650-24TS.

I enabled PIM sparse mode on all switches with the RP at the C3650-24TS. But that did not work with laptops connected to the IE2000s at different locations.

All the communication I am talking about is multicast. Unicast is working fine in all cases.

Then I connected 2 laptops to the C3650-24TS in two different VLANs, and that worked.

Then for the second experiment I connected 2 laptops to the same IE2000 switch in different VLANs. But it failed.

In the 3rd experiment I did, I connected the 2 laptops in the same VLAN on the same IE2000 switch and it worked. Multicasting is OK.

I tried configuring the same switch in dense mode also, but still the same result.

Request you to please let me know what to do.

License is already there in all switches.



Send a mail on Docker Oxidized (e.g. : events: [node_fail])

Hello everyone, I hope you are all doing well.

I'm having trouble configuring the email notifications for Oxidized. I have a 100% working configuration on a non-Docker Oxidized:

hooks:
  email_output:
    type: exec
    events: [node_fail,post_store]
    cmd: '/etc/oxidized/.config/oxidized/extra/oxidized-report-git-commits | mail -s "Oxidized updates for ${OX_NODE_NAME}" -a "FROM:oxidized@univ-smb.fr" myself@me.fr'
    async: true
    timeout: 120

But on the Docker version the mailutils and msmtp packages aren't installed.

What command am I supposed to use?

Thanks in advance :)



Redundant routes for a client on two isolated networks

Need some assistance with coming up with a solution for the following:

A server that has two network interfaces connected to two separate isolated networks. These networks are just an 8-switch ring, but have no connectivity between each other.

Currently one firewall is in place connected to one of these networks.

The issue is that if one of these networks fails in any way, there is no longer any external connectivity through the firewall.

So, I considered a pair of firewalls which are connected to both of these isolated networks.

The issue I'm seeing is how the client is going to handle this. As two default gateways is bad practice and (I believe?) unworkable, I'm not sure how the client can handle this.

Just a couple caveats:

I cannot change the two isolated networks' infrastructure, nor add/remove interfaces from the server; that MUST remain as it is.

Below is an image of what I'm trying to achieve:

https://imgur.com/a/sWZV1Ba

**EDIT** - I forgot to mention a rather important point. The server does NOT require outbound access directly. However, external servers have limited connectivity (RDP and a couple other ports) to this server through a NATed rule on the current firewall. I guess then I would need some kind of 'conditional' NAT rule on the new firewalls to ascertain if network A or B is up? Is such a thing possible?

Thanks in advance.



Wednesday, September 1, 2021

Looking for tool to retrieve switch config for backups and change control

Like the title states, I'm looking for a software tool to collect switch and router configs, back them up and do change control, i.e. audit who made changes and when. Any recommendations?



WLAN vs LAN

We have a rather large site coming up with approx. 1200 users. This will be a very simple setup with users using local DIA egress. There are no servers, labs or prod services going to be hosted on-premises. Would it be a good idea to only provide wireless access and no LAN ports (except for a few use cases)? What could be the potential challenges with providing only WLAN, assuming we will never have more than 50% attendance with the COVID situation? This will avoid having multiple stacks of switches, with only a few on each floor for connecting APs.



How to realize our full potential

I'm a rookie K12 SysAdmin (mostly experienced in SOHO) and I took over a few years ago as the solo IT guy at a small, private school. We have been blessed with stable, fast fiber to our building. We currently have a Meraki MX84 that's working great (specs on page 12 here), and our speeds run ~200Mbps and currently (at 9PM) getting 290Mbps down. This ISP offers "our best possible speed" and I know that other locations in our city with this service can get up to 1Gbps, so I'm naturally curious if we could get better speeds by upgrading the Meraki to a newer model.

The MX84 specs show "Advanced Security Throughput: 320Mbps", so this seems to align with the 290 that I'm getting right now. (We have Advanced Security running, so I don't expect to get the nominal 500Mbps mentioned on the spec sheet.) The MX85 says "Advanced Security Throughput: 750Mbps", so this might give us quite a boost.

We have GbE switches, cat5e & cat6, so this Meraki box is the only candidate for a bandwidth bottleneck (AFAICT).

A) How likely is it that upgrading this equipment will "unleash" our WAN speeds?

B) Can I test this without a) messing up our current configuration or b) buying the newer MX model? (There are other ethernet jacks in the fiber ONT, but I'm hesitant to just start experimenting with it!)



So, I finally got a cable testing kit and 500ft of shielded cabling. Did my first termination.

I couldn’t find anything relevant. Many thanks in advance!
According to my tester, it works but isn’t being reported as ‘shielded’. Did I do something wrong? If so, could it cause damage?



VRF and Core Network Help

First, I am just a jack of all trades, master of none type of guy. My network knowledge might be outdated, as we had a network guy doing the networking and I was basically handling the virtual environment, and I would like some advice...

Problem: The network guy who manages the datacenter quit my job. The network in the datacenter has a single modular switch acting as Access, Distribution, and Core router, so basically a SPoF. There are also close to 400 cables going into one cabinet from 8 other cabinets. The worst part is there are about 300 lines of deny ACL statements. I did some reading and it looks like there is something called VRFs. On top of that, MSTP is not enabled, so getting or plugging in additional network equipment will be fun.

I believe I got approval for 2 separate switches and I am hoping to set up some kind of redundancy. I also need to secure it. I was reading through the ACL statements and it is confusing. I did some research and I think there is a better way. Basically, each VLAN is dedicated to a client. I see there is something called VRF which was not around when I was learning networking. So I was hoping to put each client in their own VRF, but there is one issue: we offer some services on our core network. In network terms, I need to "route leak" one VLAN to all other VLANs.

I need advice: is it better to put the core network on the global routing table and just leak, or is there a better way of doing it with OSPF? I saw some articles that use BGP, but I am confused because I thought that was more for configuration on an edge router.

Example: I have client A on 10.20.10.0/24, client B on 10.20.20.0/24 and I have a core network 10.20.0.0/24. I put client A on VRF-A, client B on VRF-B and the core network on VRF-Core. I am trying to find a way to add the core network to both client A and client B. The core network should have routes to client A and client B. There is no routing protocol, but my first order of business is to start setting up OSPF. Sorry again, maybe ACLs are better or I am not totally understanding VRF. Appreciate any help I get.

Btw there is no dynamic routing protocol. So setting this up is all part of the fun. I am enjoying the moment because it is a break from the usual ESXi stuff. I also don't want to take us down.
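An added example, not the poster's configuration: Cisco IOS-style VRF-lite with route-target leaking, using the addresses from the post. The VLAN numbers, AS 65000 and the RD/RT values are assumptions, and the platform is assumed to support route-target import under a local BGP process (no BGP neighbours are configured; BGP acts only as the leaking engine). VRF-Core imports both client route targets and each client imports only VRF-Core's, so the core is reachable from A and B while A and B never see each other.

```cisco
! Assumed platform: Cisco IOS/IOS-XE multilayer switch with ip routing enabled.
! RD/RT values (65000:x) are constructed for the example.
vrf definition VRF-A
 rd 65000:10
 address-family ipv4
  route-target export 65000:10
  route-target import 65000:1
 exit-address-family
!
vrf definition VRF-B
 rd 65000:20
 address-family ipv4
  route-target export 65000:20
  route-target import 65000:1
 exit-address-family
!
vrf definition VRF-Core
 rd 65000:1
 address-family ipv4
  route-target export 65000:1
  route-target import 65000:10
  route-target import 65000:20
 exit-address-family
!
! Assumed VLAN numbers: 10 = client A, 20 = client B, 100 = core services.
interface Vlan10
 vrf forwarding VRF-A
 ip address 10.20.10.1 255.255.255.0
!
interface Vlan20
 vrf forwarding VRF-B
 ip address 10.20.20.1 255.255.255.0
!
interface Vlan100
 vrf forwarding VRF-Core
 ip address 10.20.0.1 255.255.255.0
!
! Local BGP process with no neighbours: it only moves the connected
! prefixes between VRFs according to the route targets above.
router bgp 65000
 address-family ipv4 vrf VRF-A
  redistribute connected
 exit-address-family
 address-family ipv4 vrf VRF-B
  redistribute connected
 exit-address-family
 address-family ipv4 vrf VRF-Core
  redistribute connected
 exit-address-family
!
! Verification: VRF-A should list 10.20.0.0/24 but not 10.20.20.0/24.
!   show ip route vrf VRF-A
!   show ip route vrf VRF-Core
```

Isolation between clients comes from the missing import (VRF-A never imports 65000:20), so no per-client deny ACL is needed for that; an ACL on Vlan100 is still the place to restrict which core services each client may reach.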



Question

Does opening a cached browser tab send data over the internet. I was trying to access my work from home router wirelessly to properly secure it and I accidentally opened up a cached browser tab that I wouldn’t want to be logged on the company network. I just need some help from any network experts out there.



Aggregate links to Active/Standby HA Sonic Walls

Is it possible to have an aggregate link going to a pair of SonicWalls in Active/Standby HA mode? I think the traffic load-balanced over the aggregate uplink that goes to the secondary FW would just get dropped. Is this correct?

If so, what's the best way to ensure traffic goes to the primary and then switches over when there is a failover on the HA pair?



Monitoring Inside ACI

I'm curious if anyone monitors an ACI environment with an external tool, and if so, what tool that is. It Has Been Decided that we will move to ACI, but there are a bunch of unanswered questions I'm trying to get in front of.

We currently do a fair bit of port-level and IP SLA monitoring through PRTG so that we can alert on various marginalities. Unfortunately, it doesn't appear that PRTG and ACI talk well enough to get IP SLA information out via SNMP. I expect that we could probably cobble together a custom solution, but this might be the last nail in our PRTG coffin, and I'd rather move to a new system now rather than later.

Specifically, physical and logical port status, errors/drops and IP SLA status, RTT, and errors/drops.



Skills and Qualifications useful when applying for Field Engineer positions?

I am UK based and wanting to start a career as a Field Engineer/technician for companies such as BT, Openreach, Virgin etc. I am already tech savvy; however, what training or qualifications can I get to give me an edge in interviews, hopefully get a job, and for my own knowledge?



Differences between these two Klein Tools tester kits?

Hey all,

I'm having trouble figuring out the differences between these two Klein Tools tester kits. To me, it looks like they both do the same thing but surely I must be wrong.

One has the 6 Test + Map remotes, and the other has 18 "Locator Remotes"

Any help is appreciated. I'm just trying to understand the difference, especially considering the difference in price.

https://imgur.com/a/CfNISyC



Advice on how to make code more useful to others

I write a lot of useful code for myself.
I want to get better at writing useful code for others.

Take my latest project for example, Network Search and Rescue: https://github.com/austind/net_sar

It does exactly what I need. Pulls hosts from my NMS (Solarwinds Orion), pulls CDP neighbors, and finds any CDP neighbors that aren't in my NMS.

I didn't use Ansible because get_facts doesn't return important details about CDP neighbors (specifically IP address and capabilities). Also I've found Ansible is a lot slower than plain multithreaded Netmiko.

I want to make this more useful to others as "canonically" as possible, but I need some feedback. For example:

  • For starters: am I reinventing the wheel here? Does this need to exist?
  • I know most people don't use SolarWinds. What would be a good agnostic source of inventory? A plaintext/YAML file?
  • I assume most people want LLDP support, but both protocols return different values. Is it better to treat CDP and LLDP separately and let the user decide which to use, or normalize/combine the results into a generic data structure?
  • How should I package the project? Seems like a PyPI module is inappropriate because this is a script, not a library you would import into another project. Is a GitHub repo good enough?

any other feedback would be great.

Cheers!

-Austin



Setting up wifi for a local festival with an estimated 5000 (potential) devices, someone hold me I'm scared

I feel very out of my depth but here goes:

The company that I work for is providing wifi for a local festival and I've been tasked with making sure it goes well.

I'm planning on using a Netgate FW (or similar with QoS/traffic shaping) and Ubiquiti high density APs for providing the setup. Of concern is that they are going to have lots of those iPads with Square readers on them for payments, and I need to make sure those have priority to bandwidth.

I am setting up two VLANs, one for Guest and one for POS systems.

I literally learned about

https://en.wikipedia.org/wiki/IEEE_P802.1p

while setting up a test bed just now, and I'm wondering if I add in QoS/traffic shaping on top of this if it will help, do nothing, or hurt performance of the network.

Also, I suppose while I'm here, if anyone has set up stuff like this before please drop your protips. In my head I'm setting up a portable rack with my firewall and a PoE switch in it, then just connecting all my APs up to the switch and setting it up like it's a normal office network, but I've gotta be missing details here.



Full Time Remote Engineer

I recently accepted a new job as a permanent remote network engineer. I've been working as a network engineer for about 5 years now, but all of the positions have been on-prem.

I'm a bit concerned about there being a lack of social interaction, as well as being able to know my team on a personal level. I'm also stoked about it though, because it's a very reputable company, adding shine to my resume and diverse experience under my belt.

If you've worked full time remote as a network engineer, what is your experience in relation to my concerns?



Newbie asking for Help on EVPL/Point to Point Ethernet

I'm troubleshooting with a customer. He can ping across fine, but when he is generating traffic at the same time there is packet loss. Is running both tests at the same time causing the packet loss?



Slower speeds on Ethernet?

I'm getting about 1/4 of the speeds I get on WiFi. My ISP is Comcast Xfinity; I use the gateway they sent. I pay for 400 Mbps and I actually get around 470, guessing I'm just in a good area, but over WiFi I will get around 400-430 while on Ethernet I only get 100-120. It's not the cable; I tried with 3 different cables, all the same outcome. What can be going on?



SD-WAN designs: Additional Firewall/IPS?

I'm curious as to what people are doing in the real world when it comes to SD-WAN designs. I currently still utilize a next-gen firewall and an SD-WAN box for site-to-site VPNs (Meraki, I know, not the greatest).

DESIGN 1:

Both the next-gen firewall and the SD-WAN box are connected to the internet. All user traffic goes through the next-gen firewall first, and either egresses straight to the internet, or routes to the SD-WAN box for site-to-site VPN traffic.

The problem with this design is that we are not utilizing SD-WAN tech for internet egress traffic. Internet egress goes out ISP1, and if ISP1 fails (according to an SLA), it goes out ISP2.

DESIGN 2:

The other design only has the SD-WAN box connected to the internet. The next-gen firewall does not connect to the internet. The default route of the next-gen firewall goes out the SD-WAN box. So the SD-WAN box controls internet egress and site-to-site VPN.

How are other people designing their networks? Are they skipping the next-gen firewall completely? Do the designs I'm using seem dumb?



Digital Phone line troubleshooting question.

Hi, this may not be the right place to post this, but the telephony subs seemed pretty deserted. It might be a dumb question, but how would one go about troubleshooting a single-pair digital phone line? (Not VoIP.) I'm trying to half-step, starting with the cross connect at the 100 block next to the PBX. Would you just terminate the cross connect to an RJ11 and plug in a digital phone to see if it works? Is there such a thing as a digital butt set?



Pfsense encryption

I need help



Device to receive UDP audio broadcasts

Is there a device that does one thing, and does it well: listens for UDP multicast audio data and converts it to analog through, say, a 3.5mm jack output?

Ideally it would connect to the network with an ethernet cable, but wifi would be fine too.

The digital audio format doesn't really matter. Could be ADPCM 8-bit 22 kHz mono or anything else. MP3 even. We use ffmpeg to broadcast the audio from another system, so we get to choose ;)

We currently have a SNOM PA1 device that does its job well of being a PA device for the IP phone system. It also does what I described above but the darn thing gets updates once in a while and its configuration changes and it stops listening to multicasts without warning. It's a nice feature of the PA1 but sometimes I wonder if we're the only ones using it.

Now I know I could build one myself with an ESP32 or ESP8266 and some DAC but I'd prefer not to reinvent the wheel, if that's the case here.

Any suggestion of such a device? Does it even exist?



ZTP not working on Viptela SD-WAN

Hi, I have been tasked with testing and setting up a bunch of ISR 1100s for use with our SD-WAN environment. All of the config behind the scenes has been done, as far as creating the template and the custom device values, along with registering the device on vManage too.

The cert is showing as "installed" on Configure > Devices and also showing as "valid" on Configure > Certificates.

I have plugged the router into our network; it has obtained a DHCP address but nothing else happens. vManage never sees it and it never downloads the config. I'm stumped, to be honest. The router itself can ping the Internet (8.8.8.8), so there is definitely connectivity out.

I have run a "show control connections" and it returns nothing via the console port on the router. When running a "show control connections-history" command I can see it displays the following:

for "LOCAL ERROR > RXTRDWN", which indicates it received a "Received Teardown" message

for "REMOTE ERROR > BIDNTVRFD", which says it is a "Peer Board ID Cert not verified"

But when I do a:

"show orchestrator valid-vedges"...... on both vBonds, it shows the device as "valid"

At the moment I'm stumped; any help or input would be massively helpful.



Isolating a VLAN Help (Aruba)

I need a VLAN whose purpose is solely to connect two devices between two switches without being able to see any other VLAN (and vice versa). Unfortunately, even without assigning an IP on that VLAN to allow inter-VLAN routing, it can still manage to see IPs on other VLANs.

Aruba 3810M <--> Aruba 2390

  • Interface VLAN 20 created on both switches.
  • IP routing is enabled on the 3810M; however, no IP address has been assigned to the VLAN (on either switch).
  • A single interface on both switches configured for that VLAN (untagged 1/10) and the trunk port going between the two switches configured for that VLAN (tagged trunk1).

On a Cisco / Arista, I'd just throw these ports in their own VRF -- but (unless I'm missing something, which is possible) it does not appear that an Aruba 3810M can do VRFs. (I found it in ArubaOS-CX, but not ArubaOS-Switch.)

Any ideas on how I can isolate this thing? Much appreciated!



Cisco Firepower vs Fortinet/Palo

Hey all,

I've seen a number of posts of people recommending pretty much anything over Firepower, but why?

Personally I'd like to consider changing vendors, but there is pressure to stick with Cisco and roll it into an EA. We have a number of Cisco security products, and quite frankly, they seem pretty good, and the integration with one another is pretty nice. I need to refresh the hardware within the next year or so (currently have a bunch of ASAs running Firepower). Also, can't get fired for buying Cisco...

I've inherited these devices and have been learning how to use them. I wouldn't say it's a happy experience, but it's not horrible. Of all the security products, I think Firepower is the one that could be replaced with something better. Upgrading them to 6.6.4, it has been a little bit better than when they were running older code (one upgrade caused an outage due to Firepower deciding not to advertise routes on the secondary appliance, and Cisco TAC couldn't tell me why). I hear things are supposed to get better with 7.x, and the addition of Snort 3 offering better performance.

Is anyone able to offer more details as to why other platforms are better? I need some technical reasons as to why one is better than the other (ex: antivirus/antimalware, SSL decryption, app control, IPS, and for the OT space). There isn't a whole lot of time before the EA decision, so can't really do a PoC.

Some of my grievances so far with Firepower:

  • No OSPF BFD support.
  • Active/passive HA only. This is fine except for my datacenter.
  • SSL decryption performance sounds terrible. Not doing it today, but it looks like I'd need to get another product to handle it, like F5.
  • Firepower doesn't detect applications running on different ports without me telling it to look there. I hear this should change with the newer Snort version.
  • I wish reporting was a little bit better with FMC.
  • On newer FTD devices you have to update FXOS, then Firepower services...
  • Initial setup of a firewall is a chore.

Just an idea of the appliances that I've been getting quoted for my sites (excluding DC), since I plan on doing a lot more with the firewalls:

  • FTD 4112
  • Fortigate 1800F

Thanks.



How to thoroughly test an ISP connection?

Hello everyone,

We have been battling with our management service regarding network issues faced by partners using a dedicated 100 Mbps line used to stream events in our office. They are apparently facing drops on their streaming tools, which connect to different streaming services.

I've done multiple tests, ICMP and iperf mainly, with absolutely no result so far, so I'm not even able to replicate the issue.

What could be used on Windows or Linux to continue my tests? I would love to see if TCP sessions are dropped after a while; is iperf the best solution to validate both bandwidth and session flows?

Or maybe the best test would be to directly stream a live event from a laptop and see for myself if I face any issue?



gPTP 802.1AS

Need some input on the IEEE 802.1AS standard. I'm looking to design an FPGA-based end instance in a PTP network that complies with IEEE 802.1AS. I'm aware of the time synchronisation part. I need to understand the flow of other messages like the Announce message and Signaling message. As an end station device, what should my device's role be for these two messages?



Daily Netconf/Restconf?

Netconf/restconf, what are some ways you guys are using these in your work? I've only used them academically so far.



Viptela SD-WAN ZTP not working?

Hi, I have been tasked with testing and setting up a bunch of ISR 1100's for use with our SD-WAN environment. All of the config behind the scenes has been done as far as creating the template and the custom device values along with registering the device on vManage to.

But when I go to plug the device into an Internet connection (straight into a broadband router and out for testing), I can see it obtains a standard 192. address from the router, but vManage never sees it and it never downloads the config. I'm stumped to be honest. The router itself can ping the Internet and things like ztp.viptela.com, etc.

Anyone have any thoughts?



Tuesday, August 31, 2021

Port forwarding to Ubuntu Server Issues (Help!) $20 crypto to whoever solves my problem

I have set up port forwarding for Ubuntu servers so that I could connect to them via SSH before.

For whatever reason I'm unable to get into this person's server (getting connection refused).

SSH status is looking good, port 22 is open when I run a port scanner on their WAN IP, and I made sure to directly port forward to the server's IP in their router.

It's not my computer, because I tested other servers.

SSH is enabled and running on the ubuntu server.

What could possibly be blocking me out? Any ideas?



Best Budget router/s under $100

Hi guys, I'm looking for the best router under $100 that can connect to a Verizon modem (internet). If you can recommend some that have high speed, no lagging and high bandwidth.



VPN concentrator

Hi All,

Looking at getting people's advice/recommendations for some on-premise devices we can use to terminate site-to-site VPNs with customers and third parties.

Currently we have some ASAs doing the work; however, they are showing their age and we need some extra features that they currently don't offer.

I want to be able to run multiple contexts, like VRFs for example. The idea here is that if a customer wants site-to-site VPNs to replace their MPLS, then we can terminate their VPN and dump them straight into their VRF. However, security will want access controls and next-gen type capabilities on these to filter traffic before it makes it into the customer VRF. We would also need BGP routing capabilities.

We currently have 30 customers, not all using site-to-site VPNs; however, that could be the required scale long term.

I have thought about Cisco routers to terminate the VPNs, using an FVRF to build their tunnels over and placing the tunnel interface into their forwarding VRF, then using an L2 firewall to bridge the connectivity between the Cisco router and their VRF. The reason for using a router is that in my experience they have been great for VPNs and provide all the routing capabilities we need.



is Zayo down?

asking for a friend



Stream a laptop screen to a Smart TV via wired LAN

Hello Guys

I would like to know if there is a way to stream the screen of my laptop to a Smart TV via wired LAN.

On the Internet I haven't found a solution. Someone told me that maybe VLC Player could be the solution, but I think this just transmits video or images stored on my laptop and does not stream my laptop's screen live.

If you know a solution, I would appreciate it.



Cisco AnyConnect DNS weirdness

Hello everyone. I configured Cisco AnyConnect with a split tunnel, and users have noticed that DNS lookups fail in some cases. This may be because our computers send all DNS queries to both the DNS server via the tunnel and to the regular DNS server for the host, resulting in a negative lookup result from the local DNS server.

Today I implemented split DNS for the two domains we use for production equipment. This worked as expected for macOS, but Windows users ran into the following issue: when a user tried to connect to a device using the FQDN, their computer would send a query only via the tunnel and get a (quick) response, but PuTTY, WinSCP, and Firefox would fail to use the DNS reply and would complain that the host couldn't be found.

When I rolled back the split DNS changes, Windows users could resolve FQDNs as before. Has anyone run into this before and found a fix? I don't want to tunnel all DNS traffic b/c this would keep the AnyConnect sessions from ever timing out, and we don't really want to answer irrelevant DNS queries.



Can’t see any published CNAME records

When I look up CNAME records for any domain, using any tool (dig, whatsmydns, mxtoolbox), nothing is visible. What’s up with the world?



Aruba CX Networking VRRP or VSX

Hello,

Got some new Aruba CX switches and it looks like this is different from the HPE Comware switches. Just want to hear some feedback if anyone has deployed a pair of them at the core level with VSX. I am trying to decide whether to go with VRRP or VSX.



Full PCAP

We are looking at implementing full pcap for internet-based egress traffic. We are pushing around 3-5 Gbps daily. Any recommendations?

cheers



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Internet Redundancy

I'm looking to build out redundant internet to a new backup data center. Is there any new technology out there anyone would recommend that would be helpful? I'm checking to see if there is a new method other than just doing BGP to two different ISPs...



Problem with TP-Link hardware settings

It feels like a dumb problem but I can't find any solution...

I have a 4G box with internet access. But WiFi is bad on the 2nd floor (where I have 4G...). I always reached the box at 192.168.1.1.

I got the Archer C60, then ran the internet access over an RJ45 to the first floor into the Archer C60. Now I have nice WiFi; I reach the Archer at 192.168.0.1. But now I can't reach the original box anymore at 192.168.1.1.

Is there a way???

Thanks so much in advance



Cisco DNA. Business Buzzword overkill or is it actually nice?

Title.

Going through training on Cisco DNA right now, and my eyes and ears are bleeding. So much 'automation' and how it's open, software driven bla bla bla bla.

Has anyone here actually used it? Does it really save time? I run a campus of ~80 buildings across a couple of states. Automating a network deployment would save me..... an hour of work?



Company Wants to Enforce the Use of VPN for ALL Traffic ALL the Time for Clients *On Premises*

Multinational. 40,000 physical clients.

I would like to take the pulse of the community as to whether you have heard of anyone doing this, whether you think it's a good or bad idea.

It's certainly creating a number of significant logistical nightmares, preventing clients from accessing anything locally and sending all traffic to one of only 4 sites globally.

Very limited options for split tunneling - apparently the vendor requires IP addresses and cannot use DNS for that (wtf??) and the list is severely limited.

Current picture is that all Windows/O365 patch traffic will be choking the VPN links. Clients will not be able to use local content servers for any app installs.

But the flip side.....what exactly is the benefit on prem to warrant VPN for ALL traffic for a device in an office?

To me this plan is like a shopkeeper making all his customers climb through a cramped long tunnel to get in and out of the shop to save paying for security staff... Am I missing something??....



Are you using Opportunistic Wireless Encryption, also referred to as Enhanced Open for your Guest Networks?

Hi all,

I've been spending some time testing and researching wireless deployments and I came across the topic of Opportunistic Wireless Encryption (OWE). There is a Wi-Fi Alliance certified standard called "Enhanced Open" that is built on OWE. For anyone unfamiliar, this is a method of encrypting wireless traffic without requiring a PSK, which makes it ideal for guest networks. You don't have to provide a pre-shared key to your clients and yet they still have the benefit of encrypted traffic between the clients and the APs. The purpose is to seamlessly encrypt traffic from the client to the AP. One downside is that there is no access control to the network inherent in Enhanced Open. This can be combined with a captive portal to limit access to the network.

This certification plan for Enhanced Open was announced back in 2018, but I've only learned about this in the last few months. I wanted to get a sense of where the rest of the industry stands on this feature.

  • Were you familiar with Open Enhanced before reading this post?
  • Do you currently utilize Open Enhanced/OWE to add an additional layer of security to your guest networks?
  • How would you prioritize this feature when considering vendors for a new WiFi deployment?
  • Are there other ways of securing guest networks that should be considered instead of OWE, and is that in response to meeting certain security requirements, ease of implementation, or some other reason?

Thanks for taking the time to read and respond to this. If you disagree with my interpretation of OWE/Enhanced open, feel free to light me up in the comments section. I don't want to participate in spreading misinformation!
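To make the "encryption without a PSK, but no access control" point concrete, here is an added example (not code from the post, the Wi-Fi Alliance, or any vendor) of the key agreement that OWE is built on: station and AP each publish a Diffie-Hellman value during association and each derives the same pairwise master key, with nothing shared beforehand. Assumptions: real Enhanced Open uses ECDH on NIST P-256 and the HKDF derivation from RFC 8110; this example substitutes a 1024-bit finite-field group (RFC 2409 group 2) and a simplified HKDF-style derivation because Python's standard library has no elliptic-curve primitives.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP group (RFC 2409 "Second Oakley Group", generator 2).
# Assumption for this example only: Enhanced Open really runs ECDH (P-256 by
# default) inside the 802.11 Association Request/Response; finite-field DH is
# used here because the standard library has no EC support, and this group
# size is for illustration, not a production recommendation.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
PMK_LEN = 32
_NBYTES = (P.bit_length() + 7) // 8


class OweParty:
    """One side of the association: a station or an access point."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 3) + 2   # never leaves the device
        self.pub = pow(G, self.priv, P)             # sent in the clear over the air

    def derive_pmk(self, peer_pub: int) -> bytes:
        # Reject degenerate public values (0, 1, p-1) that would force a
        # predictable shared secret.
        if peer_pub <= 1 or peer_pub >= P - 1:
            raise ValueError("invalid peer public value")
        z = pow(peer_pub, self.priv, P)
        z_bytes = z.to_bytes(_NBYTES, "big")
        # HKDF-style extract-then-expand with SHA-256. Simplification of
        # RFC 8110, which salts the extract with both public values and the
        # group id; ordering by value keeps the derivation symmetric here.
        lo, hi = sorted((self.pub, peer_pub))
        salt = lo.to_bytes(_NBYTES, "big") + hi.to_bytes(_NBYTES, "big")
        prk = hmac.new(salt, z_bytes, hashlib.sha256).digest()
        return hmac.new(prk, b"OWE Key Generation\x01", hashlib.sha256).digest()[:PMK_LEN]


def owe_association():
    """Station and AP exchange public values and each derives the PMK.

    Returns (station_pmk, ap_pmk, over_the_air); over_the_air is everything a
    passive sniffer captures, and neither private exponent is in it."""
    sta, ap = OweParty(), OweParty()
    return sta.derive_pmk(ap.pub), ap.derive_pmk(sta.pub), (sta.pub, ap.pub)


def pmks_are_per_association(n=3):
    """Each association yields an independent PMK, so one guest cannot derive
    another guest's keys from a captured handshake the way a shared PSK allows."""
    pmks = {owe_association()[0] for _ in range(n)}
    return len(pmks) == n


if __name__ == "__main__":
    sta_pmk, ap_pmk, on_air = owe_association()
    print("PMKs match:", sta_pmk == ap_pmk)
    print("per-association keys:", pmks_are_per_association())
```

Note what is absent: the AP accepts any well-formed public value and never learns who it keyed with. That is the "no access control" property in the post, and why a captive portal or an 802.1X SSID is still needed where identity matters. The confidentiality gain is against passive eavesdropping only.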



Intermittent Network Issues

Hello all, I know I won't be able to put enough detail in this post for you to know everything but here goes nothing.

We've started having issues where people VPN from home and then RDP into their desktop; it connects for about 15-20 seconds, then just reconnects every few seconds. When they connect it's pretty much unresponsive and then it drops again. If I am on the LAN and RDP to that machine I have no problems, but if I try to run a speed test, it starts out fine at 200 Mbps and then errors out shortly after. But it's not just RDP issues: I can't really download any kind of files from the internet during this time, and we've had people on Teams calls that just don't work at all due to the network issues. It's pretty random and happens to multiple computers regardless of OS. It's happened on desktops and some Ubuntu servers as well, so I've ruled out our AV or hardware.

The only thing that seems to fix the issue is a complete shutdown and then start back up. I've run packet captures on our ASA from the IP but don't see anything alarming: a few duplicated and out-of-order packets, but they correct themselves.

We do have old Cisco Catalyst 3560G switches with a pretty flat network, and we are working to replace this as well as redo the network configuration, but I've got a 30-day lead time on equipment.

Any help on other things to try would be appreciated.



Hurricane Ida Aftermath

Hey Reddit,

So the company I work for is based out of Metairie, LA, which was just brutally slammed by Ida this past Sunday. We have a generator for power but the office does not have internet at all. We have been trying to use Verizon MiFi hotspots to get some employees online to work, but they are spotty and don't work great for more than one person.

My question is, is there a better way? I've looked up a better hotspot device made by Netgear, or my father is also sending me a KVH TracPhone and suggesting we slap one up on the roof. Or do we just buy each employee a Verizon MiFi and let them scatter around to try and find service?

Any help is much appreciated.



VLAN discovery

Won't mention the brand for now, but I'd like to pose a question to my fellow networking guys:

Is it normal, in your opinion, that if you plug a Linux computer (with no VLAN set on the NIC) into a $that_brand switch port which is set to a tagged VLAN only (only 1 tagged VLAN and no untagged VLAN allowed), you get an IP through DHCP anyway?
You won't ping anything, no way to get out to the internet, but you get an IP anyway and so you acquire information on what subnet that port belongs to?
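The quickest way to settle "is this port really tagged-only" is to look at the frames actually reaching the NIC: if the DHCP offer arrives carrying an 802.1Q tag, the switch is doing what it was told and the host's stack is the one accepting tagged frames; if it arrives untagged, the port is not tagged-only. The parser below is an added example (not code from the post or from any switch vendor) that peels 802.1Q and 802.1ad tags off an Ethernet II frame and classifies what a port is emitting. The sample frames are constructed inline; in practice you would feed it raw frames from a capture.

```python
import struct

TPID_8021Q = 0x8100    # customer VLAN tag
TPID_8021AD = 0x88A8   # service tag (outer tag in Q-in-Q)
_TAG_TPIDS = (TPID_8021Q, TPID_8021AD)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header and peel every 802.1Q/802.1ad tag.

    Returns dst/src MACs, the tags in outer-to-inner order (each with its
    TPID, PCP, DEI and 12-bit VID), the payload EtherType and the payload.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame: EtherType/TPID missing")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in _TAG_TPIDS:
            break                       # a real EtherType: payload starts here
        if offset + 2 > len(frame):
            raise ValueError("truncated frame: TCI missing after TPID")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
    return {"dst": _mac(dst), "src": _mac(src), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset:]}


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Build a frame, optionally with one 802.1Q tag (for constructed input)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        if not 0 <= vid <= 4095:
            raise ValueError("VID must fit in 12 bits")
        tci = (pcp << 13) | (dei << 12) | vid
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def port_mode_from_frames(frames):
    """Classify what a port is actually sending: 'tagged', 'untagged' or 'mixed'."""
    modes = {"tagged" if parse_frame(f)["tags"] else "untagged" for f in frames}
    return modes.pop() if len(modes) == 1 else "mixed"


# Constructed sample: the same broadcast (think: a DHCP offer) as a switch
# would emit it on a tagged-only port (VID 100) and on an untagged port.
BROADCAST = "ff:ff:ff:ff:ff:ff"
SERVER_MAC = "02:00:00:00:00:01"        # locally administered, constructed
ETHERTYPE_IPV4 = 0x0800
SAMPLE_PAYLOAD = b"\x45\x00" + b"constructed IPv4 payload"

TAGGED_FRAME = build_frame(BROADCAST, SERVER_MAC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD, vid=100)
UNTAGGED_FRAME = build_frame(BROADCAST, SERVER_MAC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for name, f in (("tagged", TAGGED_FRAME), ("untagged", UNTAGGED_FRAME)):
        p = parse_frame(f)
        print(name, p["tags"], hex(p["ethertype"]))
    print(port_mode_from_frames([TAGGED_FRAME, UNTAGGED_FRAME]))
```

If the host sees tagged frames, the leak is that a VLAN-unaware host still learns the VID and, through DHCP, the subnet behind it; the fix is on the switch side (no DHCP or anything else answering on a VLAN that should not be reachable from that port), not on the client.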



Aruba ClearPass radius/tacacs+ w/ MFA for switch/router SSH access

Has anyone here successfully set up an MFA mechanism with ClearPass for RADIUS or TACACS purposes?

Preferably with Duo or M$ Authenticator.

I've seen examples of FreeRADIUS w/ Google Authenticator where the OTP is appended to the password, so a solution like this would probably work alright, or use push verification.

I've hit page 5 of Google already with little success.

It seems like if I use RADIUS and have Duo Access Gateway as a RADIUS auth source it may work for push verification, but I haven't verified that as viable yet.

Keen to hear from those who have made it work.
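For the "OTP appended to the password" variant mentioned above, here is an added example (not code from the post, ClearPass, FreeRADIUS or Google Authenticator) of what the RADIUS-side verifier has to do: generate RFC 4226/6238 codes, split the trailing digits off the submitted password, compare the static part in constant time, and accept the code within a small clock-skew window. The secret and the "hunter2" password are constructed; the expected codes come from the RFC 4226 and RFC 6238 test vectors.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits)


def split_password_otp(combined: str, digits: int = 6):
    """Split 'password+OTP' as submitted in the RADIUS User-Password field.
    Returns (password, otp) or None when no OTP of the expected length is present."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def verify_appended_otp(combined: str, expected_password: str, secret: bytes,
                        unix_time=None, step: int = 30, window: int = 1,
                        digits: int = 6) -> bool:
    """Server-side check for the appended-OTP scheme.

    The static password is compared in constant time and the OTP is accepted
    for the current step or +/- `window` steps to tolerate clock skew. Both
    checks always run so a wrong password does not short-circuit timing."""
    if unix_time is None:
        unix_time = int(time.time())
    parts = split_password_otp(combined, digits)
    if parts is None:
        return False
    password, otp = parts
    password_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    counter = unix_time // step
    otp_ok = False
    for c in range(counter - window, counter + window + 1):
        otp_ok |= hmac.compare_digest(hotp(secret, c, digits), otp)
    return password_ok and otp_ok


# Constructed sample values: RFC 4226/6238 shared secret and a made-up password.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_PASSWORD = "hunter2"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(SAMPLE_SECRET, now)
    print("current code:", code)
    print("accepted:", verify_appended_otp(SAMPLE_PASSWORD + code, SAMPLE_PASSWORD, SAMPLE_SECRET, now))
```

A production verifier must additionally remember the last counter it accepted for each user and refuse anything at or below it, otherwise a code captured from one login is replayable for the rest of its window; the appended-OTP scheme also only works with PAP-style RADIUS (the server needs the cleartext field to split), so the RADIUS transport between switch and server should be protected (RadSec or an isolated management path).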



Tracker for viptela DIA dual router and dual internet connection?

Hi All, 

I'm setting up a LAB wherein I have 2 vEdges with direct internet connections.

vEdge-A is acting as the primary router; it also has a TLOC-Extension to vEdge-B. I also enabled NAT and applied a tracker on the vEdge TLOC-Extension interface.

I'm able to validate that this is working with both lines active/enabled. However, when the tracker goes down, I can see that the packet is still being sent to the TLOC-Extension, causing the packet to silently drop since the internet connection via the TLOC-Extension is down.

The objective is to reroute the traffic to the active internet connection if the tracker applied on the TLOC-Extension interface at vEdge-A goes down.

Here's what I configured. 

a. Applied a tracker and created a data policy with NAT fallback.

from-vsmart data-policy VPN1_DIANAT
 direction all
 vpn-list VPN1
  sequence 10
   match
    source-ip      10.0.0.0/16
    destination-ip 10.0.0.0/16
   action accept
  sequence 11
   match
    source-data-prefix-list VPN1-Sites102060-Services
   action accept
    nat use-vpn 0
    nat fallback
    set
     local-tloc-list
      color biz-internet public-internet
  default-action accept
from-vsmart lists vpn-list VPN1
 vpn 1
from-vsmart lists data-prefix-list VPN1-Sites102060-Services
 ip-prefix 10.0.50.0/24

b. vEdge-A(Primary):

vEdge-A interfaces:

Tloc-Extension:
0  ge0/2  ipv4  192.168.20.2/30  Up  Up  Up  null  transport  1500  50:00:00:11:00:03  1000  full  1416  0:00:30:31  39078  46931

Direct-Internet:
0  ge0/4  ipv4  192.88.88.1/24   Up  Up  NA  null  transport  1500  50:00:00:11:00:05  1000  full  1416  0:00:00:03  417    2277

- Tracker is up:
0  ge0/2  0  udp   192.168.20.2  200.1.10.1  12386  12346  192.168.20.2  200.1.10.1  12386  12346  established  0:00:00:59  704  115104  704  125527
0  ge0/4  0  icmp  192.88.88.1   200.1.1.3   716    716    192.88.88.1   200.1.1.3   716    716    established  0:00:00:05  1    98      0    0

- From NAT statistics I am able to see that both interfaces are used.

The issue is that when both interfaces are enabled, somehow the client can't reach 8.8.8.8, but if I disable one of the links I can see that the client can reach 8.8.8.8.

VPN  PREFIX     PROTOCOL  SUB TYPE  IF NAME  ADDR           VPN  TLOC IP  COLOR  ENCAP  STATUS
--------------------------------------------------------------------------------------------------
0    0.0.0.0/0  static    -         ge0/4    192.88.88.254  -    -        -      -      F,S     (direct)
0    0.0.0.0/0  static    -         ge0/2    192.168.20.1   -    -        -      -      F,S     (Tlocex)

vpn 0
 interface ge0/4
  ip address 192.88.88.1/24
  nat
  !
  tunnel-interface
   encapsulation ipsec
   color public-internet
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  !
  no shutdown
 !
!

vEdge-A# show running-config vpn 0 interface ge0/2
vpn 0
 interface ge0/2
  description "TLOC"
  ip address 192.168.20.2/30
  nat
  !
  tracker track_public_internet
  tunnel-interface
   encapsulation ipsec
   color biz-internet restrict
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  !
  no shutdown

When I did a TCP dump on both interfaces, it seems like no data is passing through.

Switch#ping 8.8.8.8 repeat 1000 source 10.0.50.10
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.0.50.10
......................................................................
...............................

vEdge-A# tcpdump vpn 0 interface ge0/4 options "host 8.8.8.8 -n"
tcpdump -p -i ge0_4 -s 128 host 8.8.8.8 -n in VPN 0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ge0_4, link-type EN10MB (Ethernet), capture size 128 bytes

# tcpdump vpn 0 interface ge0/2 options "host 8.8.8.8 -n"
tcpdump -p -i ge0_2 -s 128 host 8.8.8.8 -n in VPN 0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ge0_2, link-type EN10MB (Ethernet), capture size 128 bytes

Disabled one of the interfaces:

SITE-C_ID500_MPLS(config-vpn-0)# interface ge0/4
SITE-C_ID500_MPLS(config-interface-ge0/4)# shutdown
SITE-C_ID500_MPLS(config-interface-ge0/4)# commit
Commit complete.

- Ping works after disabling:
................!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<>
!!!!!!!!!!!!!!!!!!!!
Success rate is 87 percent (878/1000), round-trip min/avg/max = 1/1/7 ms

Question:

a. Is it possible to use both the biz-internet and public-internet transport connections, but have the traffic flow to the active internet connection if the TLOC-Extension tracker goes down? How can I achieve that?

b. Am I missing something in my configuration?



Monday, August 30, 2021

Strange issue with network driver

I currently have a Broadcom NetXtreme 57xx Gigabit controller in the system I'm working on, but for some reason it's limiting itself to 100 Mbps. There's another identical computer on my network which works fine at 1 Gbps, and I've tried a laptop on the same cable I'm currently using and it defaulted to 1 Gbps; therefore I can only assume it's the driver. I've installed the driver that was loaded on the functioning system mentioned before and it still won't work. I can't tell whether it's a driver issue, OS issue or BIOS issue, since the card worked at 1 Gbps for a minute, but I don't understand why.



Lab design help

https://imgur.com/a/OVLp7gu

We're converting a room into a PC lab. Due to the location of the lab, its lab switch runs through the IDF and ultimately to the FW. So I'm running a transit VLAN from the lab to the FW (the gateway). This prevents the lab network from touching prod. My question is, what's a better way of designing this?



Where to filter OSPF routes?

On the announcing router? Or on the receiving router? Or is it just a matter of preference?



PoE issue with Cisco 9300 switch and Aruba APs - requesting class 4 (30W) but only returning class 3 (15W)?

I'm having some issues in a lab setup with a Cisco 9300 switch, and some Aruba AP-325 APs.

We recently changed from a Ruckus to a Cisco switch. However, now the Aruba APs have a steady amber system light. According to this link, this means they are in power restricted mode (802.3af).

If I check the Aruba MC (AOS 8.8.0.1), this does seem to be the case; the APs are showing the r (power restricted) flag:

(FOO) *#show ap database long

AP Database
-----------
Name               Group    AP Type  IP Address    Status     Flags  Switch IP   Standby IP  Wired MAC Address  Serial #    Port  FQLN  Outer IP  User
----               -----    -------  ----------    ------     -----  ---------   ----------  -----------------  --------    ----  ----  --------  ----
00:4e:35:c9:51:32  default  325      10.134.1.54   Up 4m:31s  2r     10.134.1.5  0.0.0.0     00:4e:35:c9:51:32  CNH2HN77X4  N/A   N/A   N/A
00:4e:35:ca:cf:aa  default  325      10.134.1.175  Up 4m:41s  2r     10.134.1.5  0.0.0.0     00:4e:35:ca:cf:aa  CNHGHN7242  N/A   N/A   N/A
48:4a:e9:c5:de:a2  default  375      10.134.1.192  Up 3m:56s  2rI    10.134.1.5  0.0.0.0     48:4a:e9:c5:de:a2  CNHQK8018F  N/A   N/A   N/A
48:4a:e9:c5:df:f2  default  375      10.134.1.189  Up 4m:28s  2rI    10.134.1.5  0.0.0.0     48:4a:e9:c5:df:f2  CNHQK80198  N/A   N/A   N/A
b0:b8:67:cd:e7:18  default  325      10.134.1.59   Up 4m:13s  2r     10.134.1.5  0.0.0.0     b0:b8:67:cd:e7:18  CNGZHN700L  N/A   N/A   N/A

Flags: 1 = 802.1x authenticated AP use EAP-PEAP; 1+ = 802.1x use EST; 1- = 802.1x use factory cert; 2 = Using IKE version 2
       B = Built-in AP; C = Cellular RAP; D = Dirty or no config
       E = Regulatory Domain Mismatch; F = AP failed 802.1x authentication
       G = No such group; I = Inactive; J = USB cert at AP; L = Unlicensed
       M = Mesh node
       N = Duplicate name; P = PPPoe AP; R = Remote AP; R- = Remote AP requires Auth;
       S = Standby-mode AP; U = Unprovisioned; X = Maintenance Mode
       Y = Mesh Recovery
       b = bypass of AP1x timeout; c = CERT-based RAP; e = Custom EST cert; f = No Spectrum FFT support
       i = Indoor; o = Outdoor; s = LACP striping; u = Custom-Cert RAP; z = Datazone AP
       p = In deep-sleep status; m = Protocol Mismatch
       4 = WiFi Uplink
       r = Power Restricted; T = Thermal ShutDown; t = Temperature Restricted

Total APs:5

I checked the POE status on the Cisco switch, and it's showing class 4 for those ports:

Switch>show power inline
Module   Available     Used     Remaining
          (Watts)     (Watts)    (Watts)
------   ---------   --------   ---------
1           755.0      107.8      647.2
Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Gi1/0/1   auto   on         15.4    Ieee PD             0     30.0
Gi1/0/2   auto   on         15.4    Ieee PD             0     30.0
Gi1/0/3   auto   off        0.0     n/a                 n/a   30.0
Gi1/0/4   auto   off        0.0     n/a                 n/a   30.0
Gi1/0/5   auto   off        0.0     n/a                 n/a   30.0
Gi1/0/6   auto   off        0.0     n/a                 n/a   30.0
Gi1/0/7   auto   on         15.4    Ieee PD             4     30.0
Gi1/0/8   auto   off        0.0     n/a                 n/a   30.0
Gi1/0/9   auto   off        0.0     n/a                 n/a   30.0
Gi1/0/10  auto   on         15.4    Ieee PD             4     30.0
Gi1/0/11  auto   on         15.4    Ieee PD             4     30.0
Gi1/0/12  auto   off        0.0     n/a                 n/a   30.0
Gi1/0/13  auto   off        0.0     n/a                 n/a   30.0
Gi1/0/14  auto   off        0.0     n/a                 n/a   30.0
Gi1/0/15  auto   off        0.0     n/a                 n/a   30.0
Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Gi1/0/16  auto   off        0.0     n/a                 n/a   30.0
Gi1/0/17  auto   off        0.0     n/a                 n/a   30.0
Gi1/0/18  auto   off        0.0     n/a                 n/a   30.0
Gi1/0/19  auto   on         15.4    Ieee PD             4     30.0
Gi1/0/20  auto   on         15.4    Ieee PD             4     30.0
Gi1/0/21  auto   off        0.0     n/a                 n/a   30.0
Gi1/0/22  auto   off        0.0     n/a                 n/a   30.0
Gi1/0/23  auto   off        0.0     n/a                 n/a   30.0
Gi1/0/24  auto   off        0.0     n/a                 n/a   30.0
--------- ------ ---------- ---------- ---------- ------ -----
Totals:          7 on       107.8

I thought class 4 means they should be able to draw at 802.3at power levels? (And the max watts is showing 30W - although I do note they're pulling at 15W).

I took a PoE tester to one of the ports on the Cisco switch and requested Class 4; however, it seemed to return Class 3 to me, so to my untrained eye it seems like an issue with the Cisco switch. But the Cisco power inline output shows Class 4 for those ports?

https://i.imgur.com/OFMMbWd.jpg (POE Tester Output)

Does anybody have any ideas what's going on?



Do you see any issues here (diagram included)?

Apologies for the quick/dirty diagram, it was quicker and easier to create this vs try to redact existing document and post that.

Image is located here, https://i.imgur.com/7bI7KfP.png

First, here is a quick explanation of this topology.

The router/fw's are directly connected with a crossover cable and they talk to e/o on a High Availability interface configured in the firewalls. The connection from the FWs to the ids/ips device...we can call this interface 1 and it handles a few VLANs. Meaning, all the links in the diagram are VLAN trunk ports. I don't think my issue exists at this level, so I'll move on.

The next device is an IDS/IPS that is configured by a vendor, all we are required to do is cable the device into our network. They are aware of the topology and have told us which interfaces are in and which interfaces are out. Also, this device is passive and all traffic passes, but not inspected, if the device has a failure. I don't think my issue is here, but more on that, below.

The fiber switches don't have redundant power supplies (part of the issue) and are directly connected to e/o with the link being configured as a port channel, in this case, port channel 1. From there, I have redundant fiber links to the buildings in our environment.

Here is the issue I am running in to. Today there was a power blip and all of our equipment is connected to UPS units, but the UPS unit that fiber switch 2 is plugged in to either has a bad battery or some other issue caused the UPS to fully cycle (no battery power). That is another issue, but that's what caused me to create this post. While fiber switch 2 was rebooting, there was no network connectivity for all users/devices connected to buildings/switches 1-4. I am running STP (mstp) and I assumed that when fiber switch 2 dropped offline that traffic should flip to fiber switch 1. Fiber switch one is set to 8192 and fiber switch 2 is set to 12288. It seems to me that fiber switch 2 was running as the main switch since all traffic stopped when it was rebooting. Once it fully rebooted, everything was back to normal.

Is it possible that STP was reconverging during the reboot of fiber switch 2 and that was the cause of the delay? I can't say for certain that the delay was the exact time of the switch reboot, but it was fairly close. It has been a while, but I feel confident that I tested this scenario prior to this setup being in production and when I pulled the power cable from either fiber switch I only dropped a few pings to remote devices and the turn around time was less than 10 seconds. When I was testing this before it was put into production, the IDS/IPS box was NOT in play. We had not contracted with this company, at that time, and there was no way for me to test with an IDS/IPS since we didn't have one. When I did my testing, the topology was the same as what you see above except that the firewalls plugged directly into fiber switch 1 and fiber switch 2, respectively.

Also, yes, I should probably be routing here, but this network/interface is just a section of our network (a small one) and there are other projects that are being worked on. There has been talk to move these links over to the routed portion of our network, but other things need to be done prior to that happening.

Thanks.



strange error with netmiko (send_config_set)

I am trying to enable ZBF in GNS3. It's worked many times, but when I created a new router with this setting:

username ahmad password ammar
username ahmad priv 15
ip domain-name aspu.com
enable secr ammar
int f0/0
 ip add 192.168.122.140 255.255.255.0
 no sh
int serial 0/0
 ip add 10.0.0.1 255.0.0.0
 clock rate 64000
 no sh
exit
ip route 192.168.150.0 255.255.255.0 10.0.0.2
ip route 192.168.130.0 255.255.255.0 10.0.0.2
ip route 11.0.0.0 255.0.0.0 10.0.0.2
line vty 0 4
 login local
 tran input ssh
exit
crypto key generate rsa
1024

the code is:

from netmiko import ConnectHandler

router_1 = {
    'device_type': 'cisco_ios',
    'ip': '192.168.122.140',
    'username': 'ahmad',
    'password': 'ammar',
}

# Zone-based firewall: two zones, an inspect policy IN -> OUT, and the
# interface-to-zone assignments. Every sub-mode is closed with 'exit'.
config_commands = [
    'zone security IN-ZONE', 'exit',
    'zone security OUT-ZONE', 'exit',
    'access-list 101 permit ip 192.168.122.0 0.0.0.255 any',
    'class-map type inspect match-all IN-NET-CLASS-MAP', 'match access-group 101', 'exit',
    'policy-map type inspect IN-2-OUT-PMAP', 'class type inspect IN-NET-CLASS-MAP',
    'inspect', 'exit', 'exit',
    'zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE',
    'service-policy type inspect IN-2-OUT-PMAP', 'exit',
    'interface fastEthernet 0/0', 'zone-member security IN-ZONE', 'exit',
    'inte serial 0/0', 'zone-member security OUT-ZONE', 'exit',
]

my_cmds = "important.txt"  # not used below

net_connect = ConnectHandler(**router_1)
output = net_connect.send_command('show ip int brief')
print(output)
output2 = net_connect.send_config_set(config_commands)

the error:

Traceback (most recent call last):
  File "netmiko1.py", line 22, in <module>
    output2 = net_connect.send_config_set(config_commands)
  File "/usr/local/lib/python3.8/dist-packages/netmiko/base_connection.py", line 1921, in send_config_set
    new_output = self.read_until_pattern(pattern=pattern)
  File "/usr/local/lib/python3.8/dist-packages/netmiko/base_connection.py", line 655, in read_until_pattern
    return self._read_channel_expect(*args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/netmiko/base_connection.py", line 575, in _read_channel_expect
    raise EOFError("Channel stream closed by remote device.")
EOFError: Channel stream closed by remote device.
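A pre-flight check worth running on any send_config_set list before it touches a device, added here as an example (not code from the post or from netmiko): it walks the list the way IOS would, tracking how deep into configuration sub-modes each command goes, and flags an 'exit' issued at global config (which drops the session out of config mode so every later command is typed at the exec prompt) or a list that ends inside a sub-mode. The table of sub-mode-entering prefixes is an assumption covering the ZBF commands in the post; the sample input is the post's own command list, with the trailing space on 'inspect ' removed.

```python
# Assumption: this prefix table covers the IOS sub-modes used in the post's
# ZBF command list. Extend it (e.g. "router ", "ip access-list ") for other
# features; unknown commands are treated as staying at the current depth.
SUBMODE_PREFIXES = (
    "zone security ", "zone-pair security ", "class-map ", "policy-map ",
    "class ", "interface ", "inte ", "int ", "line ",
)


def check_config_set(commands):
    """Walk a send_config_set list the way IOS would and track the mode depth.

    Returns (final_depth, problems). A clean list ends at depth 0 (back in
    global config, ready for the trailing 'end' netmiko sends itself). An
    'exit' issued at depth 0 leaves configuration mode entirely, so every
    later command is entered at the exec prompt and fails.
    """
    depth, problems = 0, []
    last = len(commands) - 1
    for i, raw in enumerate(commands):
        cmd = raw.strip()
        if not cmd:
            problems.append(f"#{i}: empty command")
        elif cmd == "exit":
            if depth == 0:
                problems.append(f"#{i}: 'exit' at global config leaves configuration mode")
            else:
                depth -= 1
        elif cmd == "end":
            if i != last:
                problems.append(f"#{i}: 'end' leaves configuration mode before the list is finished")
            depth = 0
        elif cmd.startswith(SUBMODE_PREFIXES):
            depth += 1
    if depth != 0:
        problems.append(f"list ends {depth} sub-mode level(s) deep")
    return depth, problems


# Sample input: the command list from the post above.
POST_COMMANDS = [
    'zone security IN-ZONE', 'exit',
    'zone security OUT-ZONE', 'exit',
    'access-list 101 permit ip 192.168.122.0 0.0.0.255 any',
    'class-map type inspect match-all IN-NET-CLASS-MAP', 'match access-group 101', 'exit',
    'policy-map type inspect IN-2-OUT-PMAP', 'class type inspect IN-NET-CLASS-MAP',
    'inspect', 'exit', 'exit',
    'zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE',
    'service-policy type inspect IN-2-OUT-PMAP', 'exit',
    'interface fastEthernet 0/0', 'zone-member security IN-ZONE', 'exit',
    'inte serial 0/0', 'zone-member security OUT-ZONE', 'exit',
]

if __name__ == "__main__":
    depth, problems = check_config_set(POST_COMMANDS)
    print("final depth:", depth)
    print("problems:", problems or "none")
```

The post's list passes this check (it returns to global config with no stray 'exit'), which is useful information in itself: the channel being closed by the router is then not a nesting mistake in the command list, and the next things to look at are the device side (the VTY session itself, and what assigning the management interface to a zone does to traffic destined to the router) rather than the Python.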