Saturday, September 25, 2021

network segmentation for internet facing servers

Hi folks

Healthcare network admin here. We are deploying some internet-facing (for public use) web servers and we are looking at implementing most of the best practices in the new infra.

From an architecture standpoint, NON-PROD and PRODUCTION will share two different networks behind the firewall. We currently do not plan to separate the network for non-production for web/app/DB, they would share the same network. All communication with different internal LAN servers like AD has to pass through the centralized firewall.

We are doing a reverse proxy with a WAF as two-tier architecture, WAF is DMZ and handling termination of external traffic.

We have to stay HIPAA compliant.

What's your opinion on this?



Interesting ASA VTI Behavior

So I have a 5506 running 9.12 with a route-based VTI set up to an Azure Virtual Gateway. BGP is set up on the ASA and is peering with Azure. I see my routes and things seem alright.

My problem is from the ASA side. Let's say I send some ICMP traffic to the Virtual Gateway peer IP; I seem to have some weird route switching going on mid-ping. I can reliably reproduce a 5 packet burst then drop. Using the ASA to ping, my first 10 repeat burst is fine, the next right after it clearly states no route to subnet. Then I try and ping again and it's good. The tunnel is up the entire time.

From the Azure VM I can reach on premises with no issue. From on premises is where this issue originated so with the ASA being the default gateway I’m assuming the issue lies in there somewhere.

I have a static route for my Azure subnets on a /16 versus individual /24s, sending to an IP on the VTI subnet.

Inside is a 10.1.0.0/16, Azure is 10.0.0.0/16, so there's no overlap. I'm not sure what I'm missing with this behavior, as it seems pretty unusual. If anyone has anything in mind to check, I'm all ears. Thanks for your time!



VxLAN lab | Understanding physical connectivity in real world from Host to Leaf

Hello everyone,

I am trying to understand VxLAN (very early days) and I haven't been able to get a 'visual picture' of how devices are connected in a real-world environment.

I am hoping someone can point me to the right article, or even better, give a brief idea on how devices are actually connected.

This is the topology I am working on.

My Topology

I keep on seeing designs/intros where they say there is no leaf to leaf connectivity.

What I am trying to understand is, how do they then achieve redundancy on server?

My ESXis have 4 network ports.

For redundancy, let's say I connect 2 ports to Leaf-1 and 2 ports to Leaf-2.

Then the next step would be to create a vPC.

But how can you create a vPC without connecting Leaf-1 to Leaf-2 in the east-west direction?



Need help finding the dumbest 48 port switch that supports port mirroring

I have a weird use case where I need to mirror just the TX of a port to another machine. A TAP is not an option. The existing switch in the system is just a dumb switch. The switch will be in a remote location and I won’t be able to manage it. Anybody know of a switch that will work well for this?



Housekeeping: old vlans

I'm trying to tidy up a legacy mess of layer 2 VLANs etc. on our Juniper environment.

Can anyone recommend a way of checking for any devices/traffic that are active?

I'm hoping some I can just delete, while others will need more investigation/migration to layer 3, etc.



Question about extending the range coverage

Hello guys, what's up? I am planning to set up network coverage for the whole building by using one router as the main gateway and 6 APs. All I want is to configure them to cover the whole building, so that when I move from one place to another, or from one floor to the other, I don't get disconnected and reconnected to the other one, or lose the signal. Thanks.

Haven't decided which vendor I will use yet.

Any recommendations for router and AP products? Thanks.



Setting up a low-cost RFID system for my fabrics store?

Hey people,

I need to set up a barcode and RFID system as part of modernizing a traditional fabrics retail business.

The idea is to build a system that will allow dedicated employees to key in all fabric and machine (computers, printers, fans, desks, sewing machines etc) details. This person would also scan the items routinely to make sure it tallies with what’s expected. There is a manager who would be able to track / review the scanned items on a dashboard. The manager can also scan a barcode to get information about the item and other related items.

What's the best software and hardware combination to achieve this?

So far what I have in mind is an RFID system to read items within a 2 meter range and the barcode system to get details of items.



Every time I download big files, the connection drops!?

What could be the reason? The files are 1GB or bigger.



SMB Network Overhaul Advice

Hey everyone,

I am looking for some advice. I'm currently an IT manager at a small to medium-sized manufacturing business. I inherited the previous manager's decision of having a Fortigate infrastructure. Starting now, we have to scale up the access point infrastructure to cover a 200,000 sq ft. warehouse so that handheld scanners can scan barcodes.

Over the past few years of supporting this business, I have noticed that Fortigates are a pain in the ass to configure. Also, the site-to-site VPN connection is not very reliable.

Fortigate doesn't allow any other brand of access point on their network. I've noticed that the Fortigate access points start around $250+. In contrast, Ubiquiti is $100 to $180 depending on long-range or regular. The cost savings justify switching manufacturers.

The primary commercial/enterprise features we need are:

  • Extensive access point coverage for a warehouse, maybe 15 access points?
  • A reliable site to site VPN connection
  • Regular VPN connections for remote workers

I know two of those can be done with consumer-grade Netgear routers. But controlling up to 15 access points is a specific commercial/enterprise-related feature.

A few questions for this scenario:

- What is a real-world radius or diameter for a 2.4 GHz access point? Real-world meaning I'm not going to get a call that there's a dead spot in the corner of the warehouse because some engineer said that the real-world figure is 230 ft (Google). I want to draw up a rough CAD drawing for our electrician. This would help him create cut lists for CAT 6 along with PoE switch placements. Going off of Ubiquiti's website, they have regular Wi-Fi 6 APs and a Long-Range, which complicates this question.

- My preference is that the management interface be as simple as possible. I would rather spend my time helping the company create more efficient systems than fiddle around with a router all day. Are there any other manufacturers that I might be missing out on?

Thanks ahead of time for your advice.



Tiny Site-to-site Recommendations?

Need to set up a STS for a very small business, looking for something budget friendly.

Use case: Two single-person offices with network resources on either end that need to be securely accessible to both users.

Ideal solution: A device or software package that is capable of a split-tunnel site-to-site VPN while also serving as the primary router/firewall on either end. A GUI wouldn't hurt my feelings, but I am open to whatever. If I were doing this without checking for external suggestions, I'd probably use VyOS. I've used it before and while I didn't explicitly use the VPN it offers, I'm sure it probably supports STS. Checking here though because networking isn't my primary job function and I don't keep up to date on it as well as a dedicated engineer would.

Bonus points: Budget-friendly Wi-Fi mesh solution that will work with the above and support Wi-Fi 6.

Thanks friends!



VPN router detection?

Would a work VPN (one you must connect to for work) be able to detect a VPN router? I have a router with a static residential IP VPN and was wondering if my work would see that I was connecting to them via a VPN. Thanks.



Need help configuring an IPv6 ACL

I want to configure an IPv6 ACL called PORT80 that:

  • Permits an IPv6 LAN (2001:10:1:1::/64) to browse port 80 to a server (2001:202:1:1::254)
  • Deny any IPv6 TCP packets with source port 80 from entering a LAN 179.1.1.0

This ACL also must not prevent other IPv6 traffic.

Is this right?

  • 10 permit ipv6 2001:10:1:1::/64 2001:202:1:1::254
  • 40 deny tcp any eq 23 any

(Don't laugh, still new to all this)



Best way of moving vPC port-channels to different interfaces

Hello,

We have a pair of Nexus 3548X switches that we use together with the vPC functionality to create port-channels across the 2 switches.

We connect these switches to VM Hypervisors and each hypervisor has two port-channels: one for regular traffic (WAN/LAN) and one for migration traffic (for moving VMs between servers). We plan on moving the migration traffic to a separate switch in order to fit more servers on the same switches, as we are almost out of ports.

Moving the migration traffic isn't hard; we can just disconnect the cables and move them to the new switch.
But afterwards, of course we'll be left with a lot of empty ports on the existing switches, and we'd like to move all the remaining interfaces (used for regular traffic WAN/LAN) to the physical ports where the migration network used to be.

For example:

The current configuration is something like:

interface Ethernet1/5
  switchport mode trunk
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  channel-group 100 mode active
  no shutdown
interface Ethernet1/6
  switchport mode trunk
  switchport trunk allowed vlan 1004
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  channel-group 101 mode active
  no shutdown
interface Ethernet1/7
  switchport mode trunk
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  channel-group 110 mode active
  no shutdown
interface Ethernet1/8
  switchport mode trunk
  switchport trunk allowed vlan 1004
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  channel-group 111 mode active
  no shutdown

Here we have:

Channel group 100: WAN/LAN -> to hypervisor1
Channel group 101: Migration -> to hypervisor1

Channel group 110: WAN/LAN -> to hypervisor2
Channel group 111: Migration -> to hypervisor2

After we move the migration network to separate switches, ports 6 and 8 with channel-groups 101 and 111 will be removed.

So what we'd like to do is change the configuration to:

interface Ethernet1/5
  switchport mode trunk
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  channel-group 100 mode active
  no shutdown
interface Ethernet1/6
  switchport mode trunk
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  channel-group 110 mode active
  no shutdown
interface Ethernet1/7
  switchport mode trunk
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  channel-group 120 mode active
  no shutdown
interface Ethernet1/8
  switchport mode trunk
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  channel-group 130 mode active
  no shutdown

So it would be:

Channel group 100: WAN/LAN -> to hypervisor1
Channel group 110: WAN/LAN -> to hypervisor2
Channel group 120: WAN/LAN -> to hypervisor3
Channel group 130: WAN/LAN -> to hypervisor4

I'm thinking of the best way to do this. I am thinking of doing it like this:

Let's say we have nexus-01 and nexus-02 for the WAN/LAN traffic

  1. Remove all the physical cables we now use for the migration network from both switches (this will of course take down the migration network, which is OK).
  2. Remove all the physical cables we now use for the WAN/LAN traffic from one of the Nexus switches, i.e. nexus-01. At this point I would expect there to be no (or very minimal) traffic disruption, as the port-channel on the secondary switch (nexus-02) would remain operational and forward traffic. I think that if we do not remove the cables at this point and started reconfiguring the interfaces, there'd be a mismatch in the channel-group id and there might be a traffic disruption / port-channel going down.
  3. Then from nexus-01 we remove all the port-channels we used for the migration network and reconfigure the physical interfaces to have the correct channel-group (as shown in the most recent snippet above).
  4. We then reconnect the WAN/LAN physical cables to the correct/new physical ports on nexus-01.
  5. Verify that all port-channels are completely back up on both switches.
  6. Now repeat for the other switch: disconnect all physical cables we use for WAN/LAN traffic from nexus-02. At this point there should again be no or very minimal traffic disruption, and the port-channel remains up on nexus-01.
  7. Repeat steps 3, 4 and 5, but now for nexus-02.

Does this seem like an okay way to do it? Or is there a better way / are there other things we should think of?

Thank you!
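The channel-group mismatch the post worries about in step 2 can be checked mechanically from the two peers' saved configs before any cable goes back in. The following is an added example, not code from the post or from Cisco; it assumes each peer's interface configuration has been saved to text, and it reuses the post's target configuration as a constructed sample, with nexus-02 deliberately left half-migrated.

```python
"""Compare two vPC peers' NX-OS interface stanzas and report inconsistencies."""
import re

# Constructed sample, modelled on the target configuration quoted in the post
# (Ethernet1/5-1/8 -> channel-groups 100/110/120/130, all plain trunks).
NEXUS01 = """\
interface Ethernet1/5
  switchport mode trunk
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  channel-group 100 mode active
  no shutdown
interface Ethernet1/6
  switchport mode trunk
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  channel-group 110 mode active
  no shutdown
interface Ethernet1/7
  switchport mode trunk
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  channel-group 120 mode active
  no shutdown
interface Ethernet1/8
  switchport mode trunk
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  channel-group 130 mode active
  no shutdown
"""

# Constructed: nexus-02 mid-migration. Ethernet1/7 still carries the old
# migration-network stanza (channel-group 111, VLAN 1004 only).
NEXUS02 = NEXUS01.replace(
    "  channel-group 120 mode active\n",
    "  switchport trunk allowed vlan 1004\n  channel-group 111 mode active\n",
)


def parse_interfaces(config):
    """Parse NX-OS 'interface' stanzas into {name: {channel_group, allowed_vlans}}."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = {"channel_group": None, "allowed_vlans": "all"}
        elif current is not None:
            m = re.match(r"channel-group (\d+)", line)
            if m:
                ifaces[current]["channel_group"] = int(m.group(1))
            elif line.startswith("switchport trunk allowed vlan "):
                ifaces[current]["allowed_vlans"] = line.rsplit(" ", 1)[1]
    return ifaces


def channel_groups(ifaces):
    """Invert to {channel_group: {"members": [...], "allowed_vlans": {...}}}."""
    groups = {}
    for name, attrs in ifaces.items():
        cg = attrs["channel_group"]
        if cg is None:
            continue
        g = groups.setdefault(cg, {"members": [], "allowed_vlans": set()})
        g["members"].append(name)
        g["allowed_vlans"].add(attrs["allowed_vlans"])
    return groups


def vpc_findings(cfg_a, cfg_b, name_a="nexus-01", name_b="nexus-02"):
    """Return human-readable findings; an empty list means the peers agree.

    Reported: a channel-group present on only one peer, or whose members carry
    different allowed-VLAN lists on the two peers (a vPC consistency mismatch);
    and a physical port bound to different channel-groups on the two peers
    (the half-migrated state step 2 of the post is trying to avoid).
    """
    a, b = parse_interfaces(cfg_a), parse_interfaces(cfg_b)
    ga, gb = channel_groups(a), channel_groups(b)
    findings = []
    for cg in sorted(set(ga) | set(gb)):
        if cg not in ga or cg not in gb:
            where = name_a if cg in ga else name_b
            findings.append(f"channel-group {cg}: configured only on {where}")
        elif ga[cg]["allowed_vlans"] != gb[cg]["allowed_vlans"]:
            findings.append(f"channel-group {cg}: allowed-VLAN mismatch between peers")
    for port in sorted(set(a) & set(b)):
        cga, cgb = a[port]["channel_group"], b[port]["channel_group"]
        if cga != cgb:
            findings.append(f"{port}: channel-group {cga} on {name_a} vs {cgb} on {name_b}")
    return findings


if __name__ == "__main__":
    for line in vpc_findings(NEXUS01, NEXUS02) or ["peers consistent"]:
        print(line)
```

Run it once after step 3 and again after step 7; the list should be empty only when both peers carry the same final configuration.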



Arris router resets multiple times a day

Hi, my Arris TG1652 has been having some problems lately. Each day the connection drops multiple times and/or the router just restarts itself.

The internet is being provided via a COAX cable which is connected to the router through a COAX isolator.

In the settings, everything seems fine, and I've done factory resets etc., and it still hasn't helped. I jumped into the more "advanced" details of the router, and I see this: https://imgur.com/a/mfD1wRs

Then while checking the event log I see these errors:

No Ranging Response received - T3 time-out;

TCS Fail on all Upstream Channels;

Unicast Ranging Received Abort Response - initializing MAC;

DHCP RENEW FAILED - Critical field invalid in response;

and it happens ALL the time.



How can I connect to my NAS on a public network?

I live in a student residence and have ethernet ports and wifi that hooks me onto the residence's network. I have a router that can be put into Router mode or Wireless Access point. What can I do to connect to my NAS? Can I use the router to create some sort of subnetwork or can I access my NAS in some other way?

Thank you.



weird lag/packet loss

Hi guys, I have an extremely weird and annoying bug or lag of some sort; I have no idea what it is. My game runs smoothly at all times, low ping, high frames etc., but once I get into a gunfight the player models start gliding and moving around unnaturally, and sometimes I will peek and just die without even seeing the player. The hit reg is also strange. Bear in mind this is all with low ping and 0 packets lost (according to Valorant anyway). I've tried so many different ways to fix this, including reinstalling and factory resetting my PC, but nothing's working. It's definitely not placebo either, as I've quite literally watched an enemy teleport back and forth mid-gunfight with me.



How to permit SSH from any source address to a router?

I'm trying to permit SSH from any source address to a router's fa0/0 address (142.1.1.2)

I'm not sure if this is right, could someone correct me?

permit tcp any eq 22 any

How/where do I include the IP address?



OSPF between two sites but not accept default route from ABR

I'm not sure if this is the right way to do this but I'm weighing up the best options to set this up. I have the option to use BGP and it might be the better option but tell me what you think.

I have a main firewall in Area 0 which is currently redistributing the default route to the internet, OSPF, BGP, connected etc. into the network as intended. We have some remote sites that are connected via some means, be it IPsec tunnel or MPLS, etc. Basically I'd like to do away with having to change statics on the remote sites and make it all dynamic.

The problem is each site has its own default route to the internet which I need to keep, but I want to have the local remote site subnets announced back to the main firewall, because they all need to talk in a mesh config. If I create a new Area 1 on the main firewall and make it a stub and call the remote Area 1 stub, this works except the default route is overwritten with IA on the other side of the main firewall, which I need to avoid.

Would using stub no-summary fix this? I'll try to test this virtually next week either way, but thought I'd see if I'm going the right way about this.

Thanks



Submarine Communication Network Cables

Is communication technology using submarine cable connections really cheaper than using satellite technology?

How safe is submarine cable technology?

Cable technology currently carries data better than signals or airwaves do for data communication. It is this reliability of cable that makes submarine cable installation the option of choice for regions with an archipelagic topology. That is not to say the technology has no disadvantages or weaknesses compared with signal-based technology such as satellites. Even though it has been designed to withstand water pressure and to stay flexible underwater, that does not make the technology look perfect as a "backbone" architecture. Installing a submarine cable also turns out to take quite a long time, because the placement of the cable has to be analysed to find a location considered sufficiently "safe" from any disruption that might occur, whether natural or man-made.

It is this complexity that lies behind the problem of the last few days in Indonesia, where one of the internet service providers there experienced a problem on its submarine cable route. The exact cause has not been published with certainty so far, whether a natural problem or a non-natural one (snagged by a ship's anchor, or hit by a fish bomb :) ). But netizens are currently being fed disinformation that this submarine cable problem was caused by a shark bite... Is it true that submarine cables trigger a shark's natural instinct to eat them? Is there anything else that could put a shark in the mood to regard one as food?

A piece of disinformation that has rolled like a snowball and spread quickly across various social media. All of it still needs more digging, both for information from the provider and for the opinions of experts....



FMC 7.0 AD integration issue

Has anyone faced an AD integration problem with FMC 7.0? It works for VPN but not for the corporate network. All users coming from the internal network are identified as unknown. Of course the realm is configured and AD users are downloaded. An identity policy with passive authentication is created and it's selected in the access control policy. TAC told me that I need to choose an identity source. In 7.0 the agent is removed and the only option is to use ISE. So I think it's weird and ISE must not be the only solution for this case. Is there any way to identify users?



remote job opportunities for different networking roles

Over the past one and a half years, most of us have been working remotely (perhaps not fully remote). With offices opening up slowly, some companies are not adapting to or encouraging remote work. In network engineering there are some roles that can do most of their work remotely while others require presence on campus. I would like to start a discussion about different roles and their likelihood of remote work opportunities. This will help people looking for a new remote job opportunity decide which role they should target. Listed below are my thoughts about different roles; please provide any comments/feedback.

- Network Automation Engineer

This is a good candidate for remote work.

- Cloud Network Engineer

This is a good candidate for remote work.

- Network Security Engineer

Most of the work can be done remotely, but you might need to be on campus for some work like SW upgrades, HW refresh, etc. In some bigger teams, firewall racking, installation and initial bring-up is the network infrastructure team's responsibility, so you might not be needed frequently on campus.

- Network Engineer

This is a very common role for enterprise, data center and service provider networks. This role is involved in network design, deployment and operations. In larger environments you might be doing a specific part, but in medium and small environments you are wearing multiple hats. For this role most companies will require someone to be on campus. It is possible that for larger environments people take rotations, as all network engineers are not needed on campus simultaneously.

- Network Architect

This could be a good candidate for remote work. The role requires some meetings and presentations, but I believe this can be accomplished remotely.

- Technical Marketing Engineer

This role mostly belongs to the vendor side. It will most probably require setting up a lab so you can test and write papers. The initial lab setup could be on campus or in the cloud. Once that part is done, testing, writing and presenting can be done remotely. I would say this role is also a good candidate for remote work.

- Product Manager

Again, this role mostly belongs to the vendor side. It involves a lot of meetings with development teams as well as with customers. I think when physical meetings become the norm in the near future, remote work for this role would be a bit difficult.

- Network Test Engineer

This is typically found in vendors' test labs. If you are not involved in setting up the lab, then chances are you will be working remotely.

- Support Engineer

This role could be with a network equipment vendor, partner or managed service provider. You typically provide support through email, phone, web and remote sessions. This role is a good candidate for remote work.

- Sales Engineers

This involves meeting with potential customers and sometimes setting up demos and proofs of concept. A lot of companies require building relationships with customers for this role, so remote work may not be encouraged from the employer's point of view.

- WiFi Engineer

Some large enterprises have network engineers dedicated to WiFi. This role does not seem to be suited for remote work.

- Project Manager

This role requires running a lot of meetings and communicating status to stakeholders. Depending upon company culture, this can be a good candidate for remote work.



Friday, September 24, 2021

Dell EMC N3200-ON vs. HPE/Aruba 2930F ?

Are Dell switches considered to be as reliable and performant as the Aruba switches?

I was looking at an Aruba 2930F with 24G just for using as a core switch with basic L3, but the Dell rep is trying to sell an N3224P-ON and has come down on the price a LOT.

I'm currently using all Cisco and Juniper, so does it matter which one I choose, since I'll be new to either ecosystem?

Thoughts?



BGP Advertisement Question

At my company, I have two offices that are currently using dual DIA circuits with default routes and IP SLAs for failover. Obviously there are some limitations to this design--especially for inbound traffic during a failover event. This has led me to looking at implementing BGP and peering with our providers. As I expected, when I spoke with our carriers, they said that they do not accept any advertisements smaller than a /24.

So to my question: In speaking with one of my carriers, I was told that I could break up a single /24 and essentially advertise a /25 with BGP. This is attractive to me, because 1.) 128 addresses at each office is more than enough and 2.) there will be less cost in buying a single /24 block instead of two. I've been reading up on BGP and how I would implement it for our network, but I haven't read about anything like that. I did some digging and found how you can use BGP communities to influence upstream paths, but is that really what they were talking about? Can you really take a single /24 and effectively advertise it as two /25s at separate locations?

This is my first foray into BGP, so I appreciate any guidance you can offer.



HSRP neighbors peering with one another - Okay or not okay?

I have a pair of N7706s and let's say some random routed device connected to both via a VLAN tagged to a switchport. I want to run HSRP on the N7706s and have both peer to the router, but in the process the 7706s now peer to each other's HSRP address as well and it shows as a routed path.

Is this okay?

In the past I've typically just made the VLAN interfaces passive to prevent them from peering with one another, but now that I'm actually trying to peer something to the VLAN I can't do that.



Nautobot + Dolt for Git-style network automation



Does anyone know the default TCP MSS between two VMs in Azure?

The default MTU for Azure VMs is 1,500 bytes. The Azure Virtual Network stack will attempt to fragment a packet at 1,400 bytes. So I take 1400 as the reference MTU on their SDN, so I am assuming a TCP MSS of 1400-20 (TCP header)-20 (IP header) = 1360. Any thoughts?



BGP convergence time on Atom C2538 vs Xeon D-1548

Hi guys,
I know that BGP convergence time with 8 mio routes (4 peers) to TCAM on Xeon D-1548 takes around 100 seconds. Now I have an option to buy a much older router, which uses Atom C2538. The ASIC on both is Qumran MX + external TCAM.

I wonder if anyone can tell me how much time it would take to get a BGP full table of prefixes calculated and entered into TCAM when using Atom instead of Xeon?



Fiber Optical Power Meter Recommendations

Hi everyone! I'm looking for an optical power meter; however, the market is flooded with heaps of cheap and not so cheap options, usually all slight variations of a few core products.

I'm looking for a power meter rated for -70 to +10 dBm, which will detect 1310, 1490 and 1550 nm.

Irrespective of price, any recommendations (or products/resellers to steer clear of) would be greatly appreciated. Thanks!



Cisco IP Source Guard and APIPA Addresses

I've been trying to set up a Cisco 3750X in my lab. So far, I've successfully configured DHCP Snooping & DAI (ARP Inspection). However, I'm having issues with IP Source Guard.

The problem is that some dynamic IP clients (e.g. Windows) sometimes assign themselves an APIPA address in the 169.254.0.0 subnet when their interface goes up and they don't immediately receive a response from the DHCP server. When they do, all their DHCP requests have this APIPA address as source instead of 0.0.0.0, and of course are dropped by IP Source Guard. This results in the Windows client never getting assigned a proper DHCP address.

DAI was also blocking these APIPA addresses, but I managed to resolve it by including the APIPA subnet in the ARP ACL. However, IP Source Guard seems to only allow static bindings (i.e. single IP Address to single MAC), and I haven't managed to find an equivalent solution.

I usually see this issue happening when the switch reloads while the clients are on. When that happens, the switch brings up the Windows clients' gigabit ethernet interfaces a few seconds before the Port-Channel where the DHCP server is located. In these few seconds the clients switch from 0.0.0.0 to APIPA because of some internal timeout.

Has anyone faced the same problem? Any potential solutions?



Synology LACP Hash / XOR

I have a Synology connected to a UniFi switch via LACP. My understanding is that both the switch and Synology use L2 hashing.

The Synology sits on its own subnet for traffic control at the firewall level. Thus, everything goes through the firewall to connect to it.

Does this essentially limit the LACP hashing, since it's always the same MAC of the FW interfaces?

I am considering using the adaptive load or balanced XOR options of the Synology for my use case, or moving the LACP to a switch that has more hashing options. UniFi is very limited here.

Appreciate any insight.



signal booster

I am looking to boost my Wi-Fi signal for a small holiday complex, about 300 sq m, and was wondering what equipment would be best suited. There are 12 cottages with thick stone walls; one of them has a new phone line installed with a standard (Plusnet) router. I am able to install an antenna if need be. Any advice would be greatly appreciated.



High packet loss

Hello!

Firstly, I just want to say that I'm not from the most networky background; more live events type stuff.

I'm setting up a small-ish network, and am having an issue with constant ~12% external packet loss, and every few minutes the connection is lost for 20 seconds or so. When I connect the WAN directly into a PC I get 0% and it's very stable. (Using StarTrinity continuous speed test to monitor.)

I’ve tried resetting the router (a Cisco RV345) to factory settings to see if it’s anything I’ve done setting it up, but it’s exactly the same on a fresh config. Have obviously double and triple checked the WAN IP details.

Any ideas?



This might be a stupid question, but I recently started networking and had this doubt regarding subnet masks.

In a network, if the CIDR is /25, does that mean the first available IP address in the network would start from X.X.X.130? Would the router's address be X.X.X.129 or X.X.X.1?



Noob Question: Tier 2 Network

I have been looking at network designs and watching a few YouTube videos. I am trying to get my head around the whole SPOF thing. If you have 2 WANs, 2 routers etc., how do you manage only having 1 default gateway address?



Noob Question: ISP Provided a /26. I subnet it further to 4 x /28. How can I route b/w subnets OR How to get to the Gateway IP on the Original /26?

This may be a noob question, but I just can't seem to figure it out. So I have been assigned a /26 by the ISP. The ISP can't or won't subnet it further for me. I can subnet this further using "subnetting a subnet" and carve out 4 x /28s. But I get lost here... For now, there are no routing requirements between the subnets, but that might change in the future. Also, the primary gateway IP exists on the original /26 and will remain that way. How and what device (inexpensive/cost-effective way) do I use, as so far firewalls have failed me trying to configure this: a router, RouterOS, something else? I need to be able to get each /28 on its own ether interface; the primary gateway will belong to the same subnet (I understand that), but I can't seem to figure out what device to use in front of the firewall to put in the 4 x /28 subnets and configure routing so everything goes out from .1 on the original /26. Please help. Thanks.

Example (ISP Provided Subnet):

Subnet ID: 100.25.80.0/26
Broadcast: 100.25.80.63
Host Range: 100.25.80.1 - 100.25.80.62
Gateway: 100.25.80.1

Subnetted by me: 100.25.80.0/28 ; 100.25.80.16/28 ; 100.25.80.32/28 ; 100.25.80.48/28

Now the 1st subnet will have the routable gateway IP of .1, but then subnets 2, 3 and 4 will need to have their own gateways of .17, .33 and .49. Of course they will be on my end, so all this needs to be defined somewhere in some way so that the device can route traffic to .1 on the first subnet.

OR am I thinking about this all wrong?



Versa and Viptela difference

Hello everyone,

I have just joined a new company and the company is using Versa. I really want to learn Cisco Viptela, so my question is:

If I start studying Cisco Viptela, will it help me with Versa also?

How similar are Versa and Viptela?



Thursday, September 23, 2021

Are public IP addresses ever reused over time? If so, what are the limitations for doing so?

Title



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Port-Channel Not Dropping When Altering Allowed VLANs

Hello everyone,

Just making sure I understand this correctly, as I'm happy but also confused! So I've been deploying some new VLANs on some trunks between some 3850 switches running IOS-XE 16.12.5b: I create the VLAN and interface on the main switch, then create the VLAN and update the port-channel on the far switch, expecting the port-channel to go down because the VLANs allowed are mismatched.

Instead, the far switch never goes down. Is this something that changed in IOS-XE versus the old IOS code?

Appreciate any answers.



Connecting multiple locked down machines.

Hello, I am a machine operator and programmer for a small sheet metal shop, and I am tasked with networking various CNC machines together for managing NC files more easily. These all support networking and run Windows, but are all extremely stripped-down and locked-down embedded versions. The issue is that each has its own fixed subnet (172.14.3 is one of them), our office network is 192.168, and I haven't checked the other two yet. I cannot install software on any machine, and I cannot change the IP addresses, as the machine networks have several peripherals I can't reprogram. I have been told I need a layer 3 switch. Is this the best approach? I've also been looking into upgrading the router to handle multiple LANs, but this is outside my expertise.



ASN Private

Hello, I am looking to create a sponsored ASN in my name with a cheap IPv4 range.

Do you know a sponsor, and how can I do that?



Weirdness - give me your theories on the cause

So, I had something interesting happen at work today. I've put in a successful workaround (mentioned below), but neither I nor any of my coworkers have any idea what is going on.

A few things to get out of the way ahead of time here:

  1. There are no firewalls anywhere in this path
  2. There is no IP conflict - trust me, it's been investigated very thoroughly
  3. Everything that isn't an L3 point-to-point link is a /24 subnet
  4. There are some ACLs, but they were unbound from the SVIs for the sake of testing.

So here's the scenario:

I have two PCs on the same subnet, in the same VLAN, on the same L3 switch. They are IP address 10.50.206.30 and 10.50.206.31. They both need to reach a particular IP in the data center (10.50.0.51) - for the purposes of our situation, a ping can be considered a success.

The topology is this: L3 Edge switch (4510R+e), dual uplinked with one link to each of two campus core switches (N77-7710). The data center destination switches are a pair of C9300. Each of these two switches is uplinked to both campus core switches, and there is also a trunk between them. The VLAN of interest on these two switches contains the IP we're trying to reach, each switch has an SVI in that subnet, and HSRP between them is used for the gateway on that subnet.

OSPF is used for routing everything.

The problem itself is pretty simple - 10.50.206.30 can ping our destination of 10.50.0.51, while 10.50.206.31 can not ping 10.50.0.51.

Now, you're going to see some pretty stupid steps taken here, but that's because anything that made sense as a possible solution did nothing for us. While trying to determine what was going on, the following steps were taken:

  1. Disabled one of the uplinks between the edge switch and campus core. Didn't help.
  2. Moved HSRP active to a specific C9300, downed both the uplinks from the second C9300 to the campus core switches. Didn't help.
  3. Brought those links back up because nobody wants to be running non-redundant.
  4. Did pings from the edge switch, sourced from the SVI for the 10.50.206.0/24 subnet against the C9300#1 SVI, C9300#2 SVI, HSRP address, and 10.50.0.51 - all succeed.
  5. Moved the 10.50.206.31 machine to another port (hell, why not?) and the pings continued to fail (note, 10.50.206.30 was in production, couldn't just swap IPs between them to see what happened).
  6. Disconnected the device at 10.50.206.31, connected a laptop to that port with an address of 10.50.206.31. Pings failed. (I was surprised, I was sure it was something wrong with the original machine)
  7. Changed the laptop to a new address at 10.50.206.33. Pings against 10.50.0.51 succeed.
  8. Disconnected laptop, changed the device that was originally 10.50.206.31 to 10.50.206.33. Pings succeed.

And after that... think really hard about what could be going on here, because a "bad IP address" seems like the only possibility. And that isn't actually a thing.

Anyone have any good theories on what could be a possible cause here? If there's a good enough theory that won't impact production, I'll go onto the campus, static myself to 10.50.206.31 and see if I can ping 10.50.0.51.



Type of WiFi network?

Hi! I have a small network problem and I think the people here can help me, since I don't understand even half of the threads below, hahaha.

Context: There is a business Wi-Fi network at my work. Said network appears "without password" and anyone can join, but once connected it opens a web page that requests a password, and only after authenticating on said page does it give you Internet access.

Question 1: What type of network is this? That is, where can I start learning how these networks are built?

Question 2: On some devices the authentication web page is not "invoked". How can I find the IP or URL address to which I should connect?

I tried to do something simple like using nmap to scan for open ports and the type of service offered, but being an enterprise network this is obviously blocked (or is it just that I don't know how to use nmap?). Anyway, I am stranded. I found an old Android device that shows the IP of the web page in the Wi-Fi information, but modern devices don't.
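Added example, not part of the post above: the network described is a captive portal, and the page appears because the gateway intercepts a plain-HTTP request and answers with a redirect (or a replaced page) instead of the real content. The script below does what every OS's captive-portal detection does in miniature: it fetches a plain-HTTP URL whose body it already knows and classifies the answer. The probe URL, the expected body and the three sample responses are constructed for the example; nothing here was captured from the poster's network.

```python
import re

# Constructed sample data (assumed; nothing here was captured from the
# poster's network).  A live detector would GET a plain-HTTP URL whose body
# it already knows and hand the raw bytes to detect_portal().
PROBE_URL = "http://probe.example.invalid/ok.txt"  # hypothetical probe target
EXPECTED_BODY = b"probe-ok\n"                        # body we expect back

# 1) Untouched answer from the probe server: Internet access is open.
RESP_CLEAN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
              b"Content-Length: 9\r\n\r\nprobe-ok\n")
# 2) Classic captive portal: the gateway answers with a redirect.
RESP_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                 b"Location: https://portal.corp.example/login?url="
                 b"http://probe.example.invalid/ok.txt\r\n"
                 b"Content-Length: 0\r\n\r\n")
# 3) Sneakier portal: status 200 but the body was replaced by a meta-refresh.
RESP_INJECTED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b'<html><head><meta http-equiv="refresh" '
                 b'content="0; url=http://10.0.0.1:8080/portal"></head></html>')

META_REFRESH = re.compile(rb'url\s*=\s*["\']?([^"\'>\s]+)', re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def detect_portal(raw, expected_body=EXPECTED_BODY):
    """Classify a probe response.

    Returns ("open", None) when the probe came back untouched,
    ("portal", url) when the network redirected us (3xx Location or an
    injected meta-refresh), and ("intercepted", None) when the body was
    altered but no portal URL could be recovered from it.
    """
    status, headers, body = parse_response(raw)
    if 300 <= status < 400 and headers.get("location"):
        return "portal", headers["location"]
    if status == 200 and body == expected_body:
        return "open", None
    match = META_REFRESH.search(body)
    if match:
        return "portal", match.group(1).decode("ascii", "replace")
    return "intercepted", None


if __name__ == "__main__":
    for name, raw in [("clean", RESP_CLEAN), ("redirect", RESP_REDIRECT),
                      ("injected", RESP_INJECTED)]:
        print(name, "->", detect_portal(raw))
```

The probe has to be plain HTTP: a portal cannot rewrite an HTTPS response without a certificate error, which is also why devices that only ever talk HTTPS may never get the login page pushed at them. The URL returned in the "portal" case is the address the second question in the post is asking for.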



5G vs Wi-Fi 6 Latency

It's well known that 5G will bring much improved latency compared to the 4G protocol, but how does this latency compare with a typical Wi-Fi 6 connection? That is, if I need to minimise latency and I have the option to choose between cellular and home/office Wi-Fi connections, which one should I use?

I'm aware that there is no way to know for a specific situation other than making a test, but since I'm interested in multiple deployments (across the EU and USA), it's unfeasible to probe all locations.

Can we make any meaningful statement about 5G vs Wi-Fi 6 latency which holds true over a large number of samples?

The answer is particularly relevant for companies that need to roll out a low-latency product but don't want to use cellular connections if not necessary.



Redistribution between VRFs

Hey guys, I'm trying to redistribute routes from an EIGRP AS within VRF A into the BGP process of VRF B on a Cisco router (no mutual redistribution, just one direction). Is that even possible? Or am I missing something? I can't get it to work.

My config looks kinda like this (written from memory):

    vrf definition A
     rd 1:1
     route-target export 1:1
    !
    vrf definition B
     rd 2:2
     route-target import 1:1
    !
    router eigrp HELP
     address-family ipv4 vrf A autonomous-system 99
      ! ... details don't matter, I have EIGRP routes in that VRF table
    !
    router bgp 69
     address-family ipv4 vrf B
      redistribute eigrp 99 route-map X

No routes that I learned via EIGRP in VRF A appear in the BGP process of VRF B. Any hints on what I'm missing here?



Sonicwall Global VPN is slow over wired connection

I have a client who accesses their corporate network via IPsec with the Global VPN Client. They use a wired connection, and after connecting their speed drops from 500/40 to 50/40. Unfortunately the RSC-on-wireless issue is so prevalent that I can't find any information on the web about slowdowns on wired connections.

The split tunnel connection is functioning as it should, but something is amiss.

Has anyone else seen this in the wild?



Business line bandwidth, how to know I am getting what I paid for

We are a school district in very rural Alaska, and we pay quite a bit of money for our bandwidth. My networking skills are good for LANs but basic for WANs. We have 10 sites with X amount of bandwidth per site. Our biggest site has 100 Mbps symmetrical, but we get lots of complaints about slow internet. When a complaint is made to the ISP, they refer to NetFlow in SolarWinds, showing us that the bandwidth is not maxing out, even though they admit that those metrics show an average, not actual bursts. My questions are:

  1. How do organizations know that they are getting the bandwidth they pay for all the time?
  2. Is there a way to monitor the network, including bursts, to know that I am getting the bandwidth I paid for?
  3. Would using cloud-based BGP, so my ISP just delivers my bandwidth to the cloud for routing, be a viable solution?

I am open to suggestions or comments, thanks in advance.



Moving from a SMB to an Enterprise with 1000's of employees

Hi All,

I will soon be moving from an SMB (less than 1000 employees) to an enterprise with 5000+ employees (5+ years in networking and CCNP). I worked really hard to get there. The scale of the network at the new company is much bigger than my current company's network, and I wanted to understand how others in this group handled such a transition. Is it normal to get a bit anxious with this kind of move? What are some common mistakes to avoid in a large network environment?

Thanks,



Networking wizards who love solving problems...

The company I work for wants to test some device functionality of some software on a PC.

The PC talks to a server and must at least establish the three-way handshake. Once established, if the connection is severed, the PC will see that the connection is gone and then forward the traffic to a different server.

The problem here is that the transaction happens immediately after the three-way handshake.

I attempted killing sessions, but the session is just far too quick.

What do you guys think I could do to test this? Is there some sort of policing I can do?
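Added example, not from the post: rather than racing to kill a session from the outside, point the PC at a test server that lets the kernel finish SYN / SYN-ACK / ACK and then aborts the connection with a TCP RST before any application data is exchanged. The trick is `SO_LINGER` with a zero timeout, which turns `close()` into an abort instead of an orderly FIN. The listener address, port and the `probe()` client are assumptions made for the example; the poster's software and server are not involved.

```python
import socket
import struct
import threading


class ResetAfterHandshake:
    """Test server that lets the kernel complete the TCP three-way handshake
    and then tears every connection down with a RST, before the client can
    get an application-level reply.  Binds to 127.0.0.1 on a free port."""

    def __init__(self, host="127.0.0.1"):
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((host, 0))
        self.listener.listen(16)
        self.host, self.port = self.listener.getsockname()
        self.resets = 0
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while True:
            try:
                conn, _peer = self.listener.accept()
            except OSError:          # listener closed by close()
                return
            # SO_LINGER with l_onoff=1, l_linger=0 makes close() abort the
            # connection with RST instead of the normal FIN exchange.
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))
            conn.close()
            self.resets += 1

    def close(self):
        self.listener.close()


def probe(host, port, timeout=3.0):
    """Connect like the PC would and report what the client sees right after
    the handshake: 'reset' (RST arrived), 'closed' (orderly FIN) or 'data'
    (the server actually answered)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            chunk = s.recv(1)
        except ConnectionResetError:
            return "reset"
    return "closed" if chunk == b"" else "data"


if __name__ == "__main__":
    srv = ResetAfterHandshake()
    print(f"listening on {srv.host}:{srv.port}")
    print("client saw:", probe(srv.host, srv.port))
    srv.close()
```

To exercise the real software, run this on the server's address (or DNAT the server's IP:port to it) so the PC's very first transaction lands on a socket that is torn down the moment the handshake completes; the application's first read or write then fails with ECONNRESET, which is the "connection severed" condition its failover logic has to react to. Dropping the `SO_LINGER` line gives the FIN variant instead, which is worth testing separately because many clients treat end-of-stream differently from a reset.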



Guaranteeing that a sniffer only sniffs, not sneezes

We need to do some testing on a product that consists of a networked system of computers. We'd like to do some verification testing where we sniff the traffic on the network to demonstrate that things are as expected. One thing we're mindful of is that we only want to observe, and not add any traffic.

  1. Is it correct that Wireshark and similar applications behave as we need?
  2. Is there some hardware we can add to ensure that packets only go into the sniffer, and that it doesn't inject anything of its own?

Thanks in advance.



OSPF preferred route using cost

Looking for help on preferring OSPF routes from one datacentre over another, without having adverse effects.

I have 2 datacentres and 1 office, all of which have IPsec tunnel interfaces between them (full mesh):

DC1 = 10.10.0.0/16

DC2 = 10.20.0.0/16

OFF1 = 10.40.0.0/16

Both DCs have direct connectivity to another DC3 = 10.30.0.0/16 and will receive OSPF routes from it.

OFF1 does not have direct connectivity to DC3.

From OFF1 I want traffic destined for DC3 to route through DC1.

So I could put a high OSPF cost on the tunnel interface from OFF1 to DC2 and make it less preferable.

My concern is that DC2's 'own' network of 10.20.0.0/16 will then also be less preferable, and OFF1 will route traffic to DC2 through DC1, which would be suboptimal.

I've simplified things here; in reality I have 5 datacentres and 20 offices. Not a massive WAN!

Any help much appreciated.
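Added example, not from the post: the concern above can be checked numerically by running the same shortest-path computation OSPF runs. The script below models the four sites with assumed symmetric tunnel costs (the post gives no numbers), keeps equal-cost predecessors the way OSPF keeps ECMP paths, and then shows what OFF1 installs for DC2's and DC3's prefixes under three costs on the OFF1-DC2 tunnel. It also searches for the range of costs that steer DC3 traffic via DC1 without detouring DC2's own prefix. Area types, external routes and reference bandwidth are ignored; this is plain intra-area SPF.

```python
import heapq
from collections import defaultdict

# Assumed link costs; the post gives none.  Keys are unordered tunnel
# endpoints, costs are symmetric.  OFF1 has no tunnel to DC3.
BASE_LINKS = {
    ("OFF1", "DC1"): 10,
    ("OFF1", "DC2"): 10,
    ("DC1", "DC2"): 10,
    ("DC1", "DC3"): 10,
    ("DC2", "DC3"): 10,
}


def build_graph(links, overrides=None):
    """Adjacency map; `overrides` replaces the cost of selected links."""
    overrides = overrides or {}
    graph = defaultdict(dict)
    for (a, b), cost in links.items():
        cost = overrides.get((a, b), overrides.get((b, a), cost))
        graph[a][b] = cost
        graph[b][a] = cost
    return graph


def spf(graph, source):
    """Dijkstra that records every equal-cost predecessor, the way OSPF keeps
    ECMP paths.  Returns (distance, predecessors)."""
    dist = {source: 0}
    preds = defaultdict(set)
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in graph[u].items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                preds[v] = {u}
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                preds[v].add(u)
    return dist, preds


def next_hops(preds, source, dest):
    """Walk predecessors back from dest and collect the neighbours of
    `source` that lie on some shortest path (the routing-table next hops)."""
    hops, seen, stack = set(), set(), [dest]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for p in preds.get(node, ()):
            if p == source:
                hops.add(node)
            else:
                stack.append(p)
    return hops


def routing_from(source, overrides=None):
    """{destination: (cost, {next hops})} as `source` would install it."""
    graph = build_graph(BASE_LINKS, overrides)
    dist, preds = spf(graph, source)
    return {d: (dist[d], next_hops(preds, source, d))
            for d in graph if d != source}


def acceptable_costs(max_cost=50):
    """OFF1->DC2 tunnel costs for which DC3 is reached only via DC1 while
    DC2's own prefix is still reached directly over the OFF1-DC2 tunnel."""
    good = []
    for c in range(1, max_cost + 1):
        table = routing_from("OFF1", {("OFF1", "DC2"): c})
        if table["DC3"][1] == {"DC1"} and table["DC2"][1] == {"DC2"}:
            good.append(c)
    return good


if __name__ == "__main__":
    for label, ov in [("default", None),
                      ("OFF1-DC2 cost 100", {("OFF1", "DC2"): 100}),
                      ("OFF1-DC2 cost 15", {("OFF1", "DC2"): 15})]:
        print(label, routing_from("OFF1", ov))
    print("costs satisfying both goals:", acceptable_costs())
```

With these assumed numbers the worry is real at cost 100 (DC2's prefix detours via DC1 at cost 20 instead of 100 direct), but any cost strictly between 10 and 20 gives the wanted result: DC3 via DC1 only, DC2 still direct. The general rule the search exposes is that the raised tunnel cost must stay below the cost of the OFF1-DC1-DC2 path while exceeding the OFF1-DC1 cost, and with 20 offices the same check should be run from each office's router-id, since the window is specific to each site's own costs.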



Design Question

It's been years since we upgraded from 3750s to 3850s for our core switch at our primary facility. Since then the company has grown by a lot, and the 3850 line is not doing it for us. The specific pain points are general throughput issues within the virtual infrastructure (VMware using SANs and iSCSI for storage). We're a Cisco shop, if the above models didn't point that out already. I'm looking at the 9k series, or possibly a low-level Nexus (which I have no experience with). I want to go chassis-based this time around, as I think the stacking approach has run its course for our needs. I'm wondering what insight people on here can give on a budget (although I don't know what that number is, I need to justify what I buy) for this sort of project, and what equipment configuration/topology items I should be thinking of. Our CDW reps pitched this as less of a core network refresh and more of a push to make the server/compute system like an on-site data center and keep that separate from the user networks.



Huge data usage on cell modems - Tips for narrowing down the culprit?

Hi there, I've been working on a strange issue. We have about two dozen cell modems (Sierra GX450s) that we have had deployed for about 4-5 years to provide remote management for our traffic light controllers. Things had been fine until about a month ago, when all of a sudden we started getting huge data usage on these devices, upwards of 30GB a month and more than 70GB a month on the worst offenders.

These devices are all on an M2M network through Verizon that tunnels back to a Cisco router at our datacenter. I've checked all the stuff I can think of: packet captures on the router's outbound interface, ensuring all connectivity to the modems is shut off except the serial port used by the traffic controllers and the cell connection, upgrading firmware, etc.

I'm not a packet capture expert, but the traffic I see looks pretty benign, mostly control traffic between the traffic server and the remote controllers. Is there any easy way to see bandwidth or "big talkers" type stuff? I set up NetFlow in PRTG for the router, but again, I don't see much.

I'm half wondering if the traffic leaving the modem is split-tunnelled or something and I'm just not seeing the traffic I'm looking for. We also don't have support with Sierra, so I can't really call them for help. Any advice on how you'd proceed? Thanks so much.



Is #networking becoming #police? Why do network admins behave like this when pushed out of their comfort zone?

Hi there,

So I am a regular on IRC (Libera), in many channels actually. I find it such a good place to get help and also to pop by for a little human interaction every day.

One of the channels I am in is #networking, which is great; with people with professional experience in the field, there is always expertise to be pulled from there.

I'm a freelance developer, and I have a decent understanding of the different networking layers and their technologies, but lately most of the questions I ask are related to troubleshooting connectivity issues in my co-working space. For example, the last issue I had was when trying to connect multiple computers on the same LAN via SSH so I can use them as multi-monitors with tmux; it seems that this LAN has implemented a quite restrictive policy which is difficult to circumvent. I'm not even able to connect to my VPN on ports 80 or 443 easily (the connection gets established but it tends to drop out for some reason).

So it is coming to the point again where my working environment is yet again blocking my workflow. And when I try to get around this problem by asking in this channel, I always receive the sort of answer of "Do you own that LAN?", "Ask the network admin", "Sorry, that may be a firewall policy and you shouldn't be doing that". While other people bring up some creative workarounds (which are actually the sort of answer I'm looking for), such as "try UDP port 993, it is normally open" or the like...

I have learned to try to ignore the comments of the first kind, but sometimes it is just impossible to get past this, and I end up having to ask this sort of thing in #hacking channels and subreddits. The other day one of the moderators of the channel silenced me for no reason while I was trying to explain myself, so I completely left #networking.

My point is, given that I go to work with my backpack loaded with 2 laptops and 1 tablet, I don't want to have to carry a switch with me, nor Ethernet cables (I would look weird), plus I want to use this Wi-Fi AP I am paying for so I don't use my mobile phone's WAN data and battery.

I am changing my mind and starting to see network admins as having a guild mentality, where either: they know about the problem you are asking about but don't want to give you information about it (which only expertise will give you), or they don't know about the problem and are trying to block anyone's request to get deeper into the matter.

I used to see networking professionals as magicians of the networking stack, able to fully understand the technologies and give you ideas about how to do this and that; instead, some people tend to be ignorant about certain topics, and they stay in their comfort zone of daily tasks of checking equipment, buying X Cisco switches, changing the RJ-45 cable, "have you seen the new Ubiquiti equipment?"

I am starting to see this behaviour in network admins as toxic; if widespread, it will just lead them to understand L1, L2, L3 and maybe L4, being ignorant about the rest, making them unable to effectively provide a good service to the companies they are working for.

And just saying that #networking shouldn't only be a place for network admins, but for everyone (developers and sysadmins included) to exchange ideas, plus IRC Libera should be a place where no one gets silenced. I also see a big chunk of people trying to get initiated in the computing field, and they sort of like cyber security, and they all enrol in these Udemy courses to prepare for the CCNA, see people like "Network Chuck" on YouTube, who mostly provides clickbait sort of videos with really brief explanations of the technologies behind them. These newbies genuinely think that after finishing those videos they will be able to become the guards of a corporate network, while there are people out there that outsmart them in many ways.

Is #networking becoming #police, or is it just me becoming a hacker?

I am a developer, I am using legit services for legit purposes; SSH'ing into your own computer should not be restricted and I shouldn't have to end up asking on #hacking. Not everyone has the same workflow and works from home with an Apple Mac multi-monitor station; technology is out there to help people. By limiting these services you are encouraging people to find their way around, being able to discover vulnerabilities of some sort that will be "tempting" to attack otherwise.



OpenVPN and DNS

Is there any reason that an OpenVPN client would fail to connect to a server addressed by IP number if port 53 is blocked?

It still errors out with a DNS resolution error, but there doesn't seem to be any FQDN involved.



2 edge routers in same rack need lan communication

So, 2 Ubiquiti UDM Pros in the same rack. Separate ISP link for both.

I need them to communicate locally, not over the WAN (that would be silly; they are right next to each other).

I did not choose this arrangement, before you ask. I was hired, and the guy thinks "this provides better segregation". He's a good guy, but now I need to make it work.

So the Ubiquiti interface is hot garbage. But forget that.

I do have a CCNA, so I knew to try giving an interface on both an IP, then connecting them and using static routes. I also tried a static route with interface names and not IPs.

Well, no dice. Before I bang my head against the Ubiquiti UI any more, I just want to know that this is the correct way to go about it.



Campus network design

Hi guys. I have set up a virtual network: a pfSense firewall, 2 L3 core switches, 2 L3 distribution switches, and 2 access switches. Very simple setup, with not much more than interface IP addresses and OSPF configured. Everything can ping the pfSense interfaces. My core switches can ping out to the internet. My pfSense can ping out. Everything else, from the distribution and access layers, can't. Surely I'm missing something easy, but I can't find it. Any ideas?

PS: the pfSense has an any/any rule on all interfaces while I try to figure out what's wrong.



Securing a 10gbit wireless bridge.

We want to install a 10Gbit E-Band (70-80GHz) bridge between a couple of buildings where we can't run fibre. The radios are Layer 1 and implement 'scrambling', but it's of the kind that I guess anyone with the right hardware and knowledge of the likely config can unscramble.

I'd like the bridge to still be layer 2, but to book-end the radios with something capable of proper crypto to secure the link, and to be able to keep the 10Gbit throughput (allowing for some acceptable encapsulation overhead). Ideally it would look like this:

[B1 Core]---[Crypto box]---[Radio1] -air- [Radio2]---[Crypto Box]---[B2 Core] 

Such that the B1/B2 cores just treat it as a link. I see a lot of 'virtual-wire' IPsec-type features available in beefy Cisco and Palo Alto gear, but nothing in the way of dedicated, and hopefully much cheaper, hardware. Can anyone suggest any alternatives?



Problem converting ASR920 from traditional to smart licensing

Hi,

I have an ASR920 with local licenses, which we would like to convert to smart licensing. We've done this many times for other devices (ISR1100, 4300, etc.), so we're not exactly new to the process.
Smart Licensing is enabled on the 920; the device is registered and has attempted to get the current (local) licenses from the server. Anyway, the "license smart conversion" command is not available; all I get are the commands clear, deregister, export, factory, register, renew and send. What am I missing here? IOS version is 16.12.5...



Can someone help me with our company's effort to block smart spam/phishing?

Dear Network Gurus

I have a real-life case as follows:

Our sales email is one of the addresses that is exposed to so many people, while we cannot control the receivers' security status. Some of our customers' laptops that receive our sales email are infected with virus(es), just totally insecure devices. The virus took control of the email access and stole all kinds of email addresses, including ours. And now we are bombarded with spam and phishing emails, specifically at the sales email.

Now if it were the regular kind, I could just put a block on the sender address and mark it as spam, but this time the hacker uses our own email as both the sender and the receiver. How does one face such an issue and stop this spam madness?

Thank you in advance

PS: We use an email server hosted at our hosting company, and we access the settings via cPanel.
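Added example, not from the post: mail that carries your own address as the sender is only blockable if receivers (your own inbound server included) can tell your real mail from the forgery, which is what SPF and DMARC records published in DNS are for. The evaluator below is written for this example and uses a constructed DNS TXT set for a hypothetical domain; it implements the ip4/ip6/include/all mechanisms of SPF and DMARC's SPF-alignment path (the DKIM path is left out) so you can see how a message from an unauthorised IP ends up with the published `p=reject` policy while a message from the real mail host passes.

```python
import ipaddress

# Constructed DNS TXT data for a hypothetical domain; nothing here was looked
# up for real and the names are assumptions, not the poster's.
DNS_TXT = {
    "sales-corp.example":
        "v=spf1 ip4:203.0.113.10 include:_spf.mailhost.example -all",
    "_spf.mailhost.example":
        "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:abcd::/48 ~all",
    "_dmarc.sales-corp.example":
        "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc@sales-corp.example",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, txt=DNS_TXT, depth=0):
    """Minimal SPF evaluator: ip4, ip6, include and all only (no a/mx/exists,
    redirect= or macros).  Returns pass, fail, softfail, neutral, none or
    permerror; mechanisms are tried left to right as in RFC 7208."""
    if depth > 10:                      # include loop protection
        return "permerror"
    record = txt.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            if check_spf(client_ip, arg, txt, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"          # unsupported mechanism
    return "neutral"                    # nothing matched, no explicit all


def dmarc_tags(domain, txt=DNS_TXT):
    """Parse the _dmarc TXT record into a tag dictionary."""
    record = txt.get("_dmarc." + domain, "")
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)


def dmarc_verdict(header_from, mail_from, client_ip, txt=DNS_TXT):
    """DMARC's SPF path only (the DKIM path is omitted): SPF must pass for the
    envelope MAIL FROM domain and that domain must align with the visible
    From: domain.  Returns "pass", or the published policy to apply."""
    from_domain = header_from.rsplit("@", 1)[1].lower()
    mf_domain = mail_from.rsplit("@", 1)[1].lower()
    tags = dmarc_tags(from_domain, txt)
    if tags.get("v") != "DMARC1":
        return "no-policy"
    strict = tags.get("aspf", "r") == "s"
    # Relaxed alignment should compare organizational domains (public suffix
    # list); the parent-domain suffix test below is a simplification.
    aligned = mf_domain == from_domain or (
        not strict and mf_domain.endswith("." + from_domain))
    if aligned and check_spf(client_ip, mf_domain, txt) == "pass":
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.5"):
        print(ip, "SPF:", check_spf(ip, "sales-corp.example"),
              "DMARC:", dmarc_verdict("sales@sales-corp.example",
                                      "sales@sales-corp.example", ip))
```

The practical consequence for the situation in the post: publishing an SPF record that ends in `-all` and a DMARC record with `p=reject` lets receivers discard mail that claims your address but does not come from your mail host, and the inbound side of the same server has to be configured to enforce DMARC on its own domain, otherwise the spoofed copies addressed to the sales mailbox still land. Records with `~all` or `p=none` only produce a softfail or a report, which is why the evaluator distinguishes them.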



Do drops on queueing affect IP SLA icmp-echo?

Hi All,

Is there any possibility that drops on the output queue affect the IP SLA probe when sending icmp-echo? The drops happen randomly, and when I ping point-to-point I'm not able to detect any drops.

LOGS:

    05:00:20.847: %TRACK-6-STATE: 11 ip sla 11 reachability Up -> Down
    05:00:20.847: %TRACK-6-STATE: 21 ip sla 21 reachability Up -> Down
    05:00:20.847: %TRACK-6-STATE: 31 ip sla 31 reachability Up -> Down
    05:00:55.899: %TRACK-6-STATE: 21 ip sla 21 reachability Down -> Up
    05:01:00.899: %TRACK-6-STATE: 11 ip sla 11 reachability Down -> Up
    05:01:00.899: %TRACK-6-STATE: 31 ip sla 31 reachability Down -> Up
    06:38:26.360: %TRACK-6-STATE: 11 ip sla 11 reachability Up -> Down
    06:38:26.360: %TRACK-6-STATE: 21 ip sla 21 reachability Up -> Down
    06:38:26.360: %TRACK-6-STATE: 31 ip sla 31 reachability Up -> Down
    06:39:06.408: %TRACK-6-STATE: 11 ip sla 11 reachability Down -> Up
    06:39:06.408: %TRACK-6-STATE: 21 ip sla 21 reachability Down -> Up
    06:39:06.408: %TRACK-6-STATE: 31 ip sla 31 reachability Down -> Up

    11 ip sla 11 reachability Up 00:48:28
    21 ip sla 21 reachability Up 00:48:28
    31 ip sla 31 reachability Up 00:48:28

    #ping 10.1.2.1 source 10.1.2.2 repeat 5000 size 1500 df-bit
    (cut)
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Success rate is 100 percent (5000/5000), round-trip min/avg/max = 1/2/32 ms

    #sh policy-map int g0/1
     GigabitEthernet0/1

      Service-policy output: etm-GrupoSalinas-Elektra-lima

        Class-map: class-default (match-any)
          261661475791 packets, 146841546500637 bytes
          30 second offered rate 11024000 bps, drop rate 0000 bps
          Match: any
          Queueing
          queue limit 4096 packets
          (queue depth/total drops/no-buffer drops) 0/1011428/0   <--- not increasing as of now
          (pkts output/bytes output) 261660459030/152073955468691
          shape (average) cir 30000000, bc 140000, be 0
          target shape rate 30000000
          Overhead Accounting Enabled

No congestion at the time that the total drops increased... could be bursty traffic.

Here's the QOS policy:

Router in question:

    policy-map parent-policy
     class class-default
      shape average 30000000 140000 0 account user-defined 20
      queue-limit 4096 packets

At another site, nested QoS is implemented. Should I replicate this on this site? Is the purpose of this child policy to prioritize the traffic and smooth the connection?

Working site:

    policy-map parent-policy
     class class-default
      shape average 150000000 600000 0
      service-policy child-policy   <-- Child
    !
    policy-map child-policy
     class realtime
      priority
     class priority
      bandwidth remaining percent 40
      random-detect dscp-based
     class missioncritical
      bandwidth remaining percent 39
      random-detect dscp-based
     class transactional
      bandwidth remaining percent 16
      random-detect dscp-based
     class general
      bandwidth remaining percent 1
      random-detect dscp-based
     class class-default
      bandwidth remaining percent 4
      random-detect dscp-based

    10 ip sla 10 reachability Up 1w2d   <- Stable

Thank you



Wednesday, September 22, 2021

Display IP and MAC addresses in Packet Tracer

Hello everyone, I just started using Packet Tracer and am following a tutorial on networking...

How do I display the IP and MAC address right next to the device?

I can't seem to find it anywhere in Packet Tracer; maybe I'm missing something. It's inefficient to hover over or click the device just to remember what IP or MAC it has in the entire network.

The guy in the YouTube tutorial displays the addresses, but he doesn't show how, lol... is it just a simple text box he writes manually?

I'm learning about routers, ARP, DNS, etc...

Thanks!



Junos MPLS Question

Hey guys, I've been studying for my JNCIS-SP and just got introduced to the deeper concepts of MPLS. There is one thing I can't wrap my head around, though.

Juniper devices have the inet.0 table for IP routes and the inet.3 for MPLS routes (or LSPs).

If the same destination IP is listed in both tables, how is it decided which "path" the traffic will actually take? Is it going to be routed or label-switched to its destination?

Any clarification is much appreciated!



Interview questions too hard??

I've been interviewing people lately for a Senior Network Engineer position we have. A senior position is required to have a CCNA plus 5 years of experience. Two of these basic questions stump people, and for the life of me I don't know why. 1. Describe the TCP three-way handshake. It's literally in the CCNA book! 2. Can you tell me how many available IPs there are in a /30 subnet?

One person said the question was impossible to answer. Another said subnetting is only for tests and not used in real life. I don't know about anyone else, but I deal with TCP handshakes and subnetting on a daily basis. I haven't found a candidate that knows the difference between a sugar packet and a TCP packet. Am I being unrealistic here?



Anyone built a PCIe network yet?

One of the technologies on the horizon is CXL, which rides over PCIe 5 layer 2 networks. I have done a couple of searches and can't find out much about it. I know it is early days, which is why I am asking here, in case anyone has run into it.

I am trying to figure out if CXL is going to be very disruptive to networking as we know it.

On its face it probably won't change things too much, but it does have some potential to disrupt things, e.g. why have a 100Gb network card in a server if you can just attach the server directly to the core over CXL at 800Mb/s, and with much lower latencies?

Admittedly gen 1 and gen 2 of the CXL switches will probably not allow this, but when they do, (in the immortal words of Doc Brown) "you're going to see some pretty serious... schtuff".



Video Conferencing Outbound Video Doesn't Work

I posted this in /r/sysadmin a couple of months ago, and most people said "networking" but couldn't get into much detail. I'm hoping some of the experts here can educate me.

When our employees are in our small office, they consistently have the problem where the remote side cannot see their video stream or the desktop/application they are sharing. However, they can successfully see the video and desktops/apps presented by the remote users outside our office. Audio is usually fine both ways. When our employees are in coffee shops, hotels, at home, other offices, and so on, they do not have this problem. Employees inside this same office cannot see each other's video either. It happens with employees' BYOD devices as well: personal laptops, personal cell phones and tablets, etc. Also, if employees disable Wi-Fi on their BYOD devices and use 3G/4G/5G, video works again. It has happened with 1 employee in the office trying to video conference as well as with 5-6 at the same time. Time of day doesn't make any difference.

The internet connection in our office is pretty good, a 50Mbit circuit. Speed tests report good results, comparable to the coffee shops, hotels, etc. Our network link isn't saturated that I can tell. Download speeds are good.

It happens with all video conferencing apps: Zoom, WebEx, Skype, FaceTime, BlueJeans, MS Teams, Google Meet. The worst part is that none of those apps report any problem, and none of them seem to have any way to dig into the weeds to see what the problem might be.

Our perimeter firewall is basic and only does layer 3/4 filtering: BSD-based, running pf. No "NextGen" filtering, no application filtering, no layer 7 anything. All outbound is permitted, NATed out of our firewall's external interface.

I got a couple of good responses in the /r/sysadmin thread about STUN/TURN, WebRTC, and UDP hole punching. What would I need to change on our firewall to see if it is somehow interfering with these things? I don't even know how to set up a test scenario or what variables to change to start ruling things out.

Has anyone experienced this? Any help is very appreciated!
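Added example, not from the post: the STUN exchange the /r/sysadmin replies were pointing at is small enough to reproduce by hand, and doing so gives a test the poster can run from inside the office. A client sends a 20-byte Binding Request over UDP; the server answers with the public IP:port it saw, XOR-masked against the magic cookie. If the same local socket gets a different mapped port from two different STUN servers, the NAT is doing address/port-dependent ("symmetric") mapping, and a WebRTC peer cannot hit the sender's video stream directly. The parser, the constructed server reply and the `discover()` probe are written for this example; the server list passed to `discover()` is an assumption and the probe needs network access (the constructed reply is what the offline test uses).

```python
import ipaddress
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
MAPPED_ADDRESS = 0x0001
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid=None):
    """20-byte STUN Binding Request (RFC 5389 header, no attributes)."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid), txid


def parse_binding_response(data, txid):
    """Return the (ip, port) the STUN server saw us as, i.e. the public
    mapping the NAT/firewall created for our UDP socket."""
    mtype, length, cookie, rtxid = struct.unpack("!HHI12s", data[:20])
    if cookie != MAGIC_COOKIE or rtxid != txid or mtype != BINDING_SUCCESS:
        raise ValueError("not a matching Binding Success response")
    body = data[20:20 + length]
    offset = 0
    while offset + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + alen]
        offset += 4 + ((alen + 3) & ~3)          # attributes are 4-byte aligned
        if alen < 8 or value[1] != 0x01:         # only IPv4 handled here
            continue
        port, addr = struct.unpack("!HI", value[2:8])
        if atype == XOR_MAPPED_ADDRESS:
            return (str(ipaddress.IPv4Address(addr ^ MAGIC_COOKIE)),
                    port ^ (MAGIC_COOKIE >> 16))
        if atype == MAPPED_ADDRESS:
            return str(ipaddress.IPv4Address(addr)), port
    raise ValueError("no mapped address attribute in response")


def build_binding_response(txid, ip, port):
    """Constructed server reply, used only to exercise the parser offline."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    header = struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid)
    return header + attr


def nat_mapping_behaviour(mappings):
    """Given the (ip, port) mappings one local socket obtained from several
    STUN servers: identical mappings mean endpoint-independent mapping
    (hole punching can work); differing ones mean address/port-dependent
    ("symmetric") mapping, which pushes media onto a TURN relay."""
    return ("endpoint-independent" if len(set(mappings)) == 1
            else "address-or-port-dependent")


def discover(servers, timeout=3.0):
    """Live probe (needs network): query each server from the SAME socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("0.0.0.0", 0))
        mappings = []
        for host, port in servers:
            req, txid = build_binding_request()
            sock.sendto(req, (host, port))
            data, _ = sock.recvfrom(2048)
            mappings.append(parse_binding_response(data, txid))
    return mappings, nat_mapping_behaviour(mappings)


if __name__ == "__main__":
    # Offline round trip with a constructed reply.
    txid = b"\x11" * 12
    reply = build_binding_response(txid, "203.0.113.5", 40000)
    print(parse_binding_response(reply, txid))
```

Running `discover()` against two public STUN servers from an office laptop and then from a phone on cellular gives the comparison the post is missing: if the office result is "address-or-port-dependent" while the cellular one is not, the firewall's outbound NAT is the variable to look at (pf's `static-port` option on the nat rule, which stops it from rewriting source ports, is the usual first thing to try), and the apps' media path is falling back to relays or failing to open a return path for the outbound stream.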



Fluke Tone Bleed

Hey guys!

I've got an odd situation. A partner and I are going room to room verifying cable runs and labeling and such. As part of the process, we're using a Fluke to tone and locate which cable goes where in the patch panel so we can label it.

Curiously, a few drops tone all the way through the actual switch and bleed really aggressively into other cables. I'm aware that there can be actual signal bleed from cables that are super close together, and that usually presents itself as the cables directly next to the toned one getting a "4" or so on the toning wand, whereas the primary cable gets a solid "8". But with a handful, before unplugging the cable from the switch, several other cables on the switch (sometimes even at opposite ends of the switch) tone at 6-8, and then immediately stop when unplugged from the switch.

This is WAY stronger than I've ever seen regular bleed go, and it's my understanding that the signal from the IntelliTone should NOT be able to come back OUT of the switch and onto another active cable.

I'm a sysadmin who's fairly new to the routing/switching world of networking, so I could totally be missing something, but I'm concerned that there may be some misconfiguration in the switch causing some kind of broadcast storm.

Things I've checked:

  • There are no active LAGs on the switch
  • Storm control is intentionally disabled
  • None of the ports are VLANned off
  • Rapid Spanning Tree is enabled

This is a Dell N2048 in a stack.

Is there something obvious I'm missing? Is this actually to be expected? Am I crazy?

Hopefully this is just a case of me misunderstanding and not some error on the part of the person who configured the switch previously.

Thank you in advance for your help!



SG500x - Routed interface help

Hello,

I am trying to set up some VLANs on my network using a pair of SG500X-24s in stacked mode and a pfSense firewall, but I'm running into some issues. The switch is in L3 mode, with an interface connected to the pfSense (10.100.30.1/30 on the pfSense side and 10.100.30.2/30 on the Cisco side). Typically with Cisco I would also issue a "no switchport" command on the interface to designate it as a routed port, but that command returns incomplete. On the pfSense side I also set up a gateway and static routes for the VLANs so that pfSense knows how to route the traffic. I also added an IP route for the VLAN traffic to go out the pfSense interface.

I cannot find anything that says the SG500x even supports a routed interface. There was an article about setting up RIPV2 but I'm not doing that. I am not seeing any way around this aside from spending money on some new L3 switches. I could create the vlans at the firewall level but I don't really want to do that at this time. Currently on the flat network I have an uplink port without an IP on the cisco side, but with an IP on the pfsense side. Default gateway on the switch is set to hit the pfsense IP.

Second set of eyes would be great, I've tried a bunch of things on my end but no matter what I cannot get the pfsense to talk to the cisco switch when I setup that interface and vice versa. A test PC in my vlan is able to hit the cisco interface but nothing further. I am thinking it has to do with that routed interface.



Cisco IOS-XR and Huawei ztp

Hi, I want to build a ZTP setup for Cisco and Huawei. Is there any way that a neighbor switch can detect a new switch and send the information to the ZTP server?



Cisco ISR 2901 - Should I add expansion modules, or upgrade to new router?

We are a non-profit with around 60 users on-site, 10 in remote offices, and 20 VMs.

Currently, it is five Cisco 2960s, an ASA, and an ISR 2901K router all plugged into another Cisco 2960 switch which we call the core. It is 100% 1Gb and no LAGs.

It’s actually working pretty well and is very stable but could be a little faster.

My first thought is that we could get a router with 8 or more ports to be the core which would eliminate hops. The 2901 has expansion slots so that’s an option as well.

We don’t have a lot of discretionary money to throw around.

Thoughts?



Voice VLAN on an old Cisco 7600?

Hey Gang,
I've inherited an incredibly old Cisco 7609 to use as a PoE switch for our office. I've got everything working the way I want except voice VLAN which is driving me mad.

I've combed everywhere I can for instructions on how to ensure LLDP-MED is turned on but I'm not sure the switch even supports it. I've also turned on CDP as the Polycom handsets say they support that too.

What I've noticed so far is that the LLDP neighbor list seems to be in moderate flux with the phones showing up and disappearing, and some disappearing permanently until they've been rebooted.

Here's what I've tried as a relevant config.

Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVIPSERVICESK9-M), Version 15.3(3)S6, RELEASE SOFTWARE (fc1)
System image file is "sup-bootdisk:c7600s72033-advipservicesk9-mz.153-3.S6.bin"
!
cdp tlv-list VoIP
 port-id
 capability
 version
 platform
 native-vlan
 vvid
 cos
 power-available
 hello-protocol
cdp filter-tlv-list VoIP
!
lldp timer 20
lldp run
!
interface GigabitEthernet9/48
 description Default-31
 switchport
 switchport access vlan 31
 switchport mode access
 switchport voice vlan 4006
 logging event link-status
 mls qos trust cos
 spanning-tree portfast
!

The cdp stuff is kinda a shotgun approach just from desperation. Any ideas how to get this working?



Good and Readily Available 48-Port Unmanaged Switch?

Hi All, simply just looking for 24 reliable 48-Port Unmanaged Switches of the same model. We managed to get 2 x Netgear GS348 switches and they work great. Wanted 24 more, but can't find a source. Even called Netgear and they said, "Sorry.".

I don't want to have to go Managed and have to disable things in each switch, not really my thing either.

Anybody have any ideas? Thanks.



ASA VTI for IPSec Tunnel with Static Routes

All,

I need to migrate some old ASA VPNs (policy-based) to new ASAvs (VTI/route-based). The VPN will do static routing, but inject into BGP towards our own LAN (redistribute static). The far ends are a range of kit like Fortigate, Juniper, Stormshield.

With VTI configuration it's necessary to:

  1. Put an IP address/mask on a tunnel interface (this wasn't needed with the old crypto maps)
  2. Install a static route towards the destination via the tunnel interface

In the old policy-based config, it looks like the ASA was creating a static route based on the proxy-ids sent by the kit at the far end (set reverse-route). My questions are:

  1. With VTI, are the tunnels UP all the time, hence any static route would always be up?
  2. What should be the next-hop ip of the static route?

route <name-of-local-tun-if> 10.0.0.0 255.0.0.0 <what-can-I-put-as-next-hop-ip?> 

Thanks in advance for any advice.



opensource networking monitoring/ticketing system?

At my first networking job, I worked at a NOC that had their ticketing system built into their SNMP server (Nagios).

It didn't have a lot of customer-facing functionality, but a big plus was that if the alarm state change which you opened a ticket on changed, then the status of the ticket would be green - OK ... indicating that the condition has abated (stateful monitoring).

Currently I work in a NOC where all of our systems do not talk with each other. Worse, our ticketing system does not have a GUI (it runs as a Windows application), so I cannot build any interoperability between our different systems unless our IT grants me access to our ticketing system's database, and our IT is so useless I'm pretty sure they don't even know how to do that, or the solution is entirely vendor managed and they don't have a way to access the database.

Does anyone know which solution / plugin/ GUI I might have seen so many years ago which had a ticketing system integrated to Nagios' SNMP server? Is there a similar system I can deploy?

I know there are open source solutions that do ticketing well (like OSticket)... and I know that there are open source ways of creating an SNMP server (Nagios Core)... but is there a Nagios Core plugin or Nagios XI plugin that can help me do both?

thank you



Palo Alto - Force Link 'Up'.

All,

Have an ethernet port on a Palo that I want to always report as up regardless if it has link or not. I know Juniper supported a 'link-up' command. Is there an equivalent on the Palo Alto FWs?



Radius Attributes

Hi everybody,

In my company we have a Fortinet WLC (ex Meru) in order to deploy/manage all wireless access points.

We would like to connect the WLC to our radius server (freeradius model) in order to have some users with admin privilege and others with user only.

After configuring it we always get "user privilege" for all people.

Has anyone already seen and solved this problem? What are the correct parameters that radius has to send to the WLC?

Thank you very much.



I create OEM compatible codes to flash to pluggable hardware, AMA

Just interested if anyone has any questions surrounding this.



How can I bypass vpn block

Is there any way or better vpns to bypass vpn and other sites blocks?



What is LTE CAT - 6 ??

WHAT IS LTE CAT 1, CAT 2 etc.



How does adding a switch to an already existing stp topology with spanning tree default configured create the possibility of layer 2 loops?

I understand that bpdu guard will prevent layer 2 loops from forming if enabled by shutting down a port that receives hello messages but how exactly are the layer 2 loops happening in the first place?



problem to login windows when using 802.1x authentication

Hi Guys

At my company, I have implemented an 802.1x authentication service using Radius for domain-joined systems. A problem that has occurred to me is that when the system is connected to the network only in the Windows environment, the network is not available when logging in to Windows, and if the user information is not in the Windows credentials, the system cannot connect to the domain and log in to Windows.

error:

We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.



Tuesday, September 21, 2021

What is the core of the three tier network in this situation

I'm doing a project for college that involves adding a new building to an existing network. I'm very new to designing a network (this is a software degree!) and am a little confused about the 3 tier system. If each floor of my new building has a bunch of access switches that all lead to a single distribution switch/router and the router connects back to the original building (where the ISP, servers, etc are), what constitutes the core? The original building?



Strange EVE-NG Interface Issues (CSR1000)

I connect my Gi1 to Management Cloud-

Interface is showing as up/up, but cannot ping my gateway (with statically assigned IP), nor pick up a DHCP address.

I connect other interfaces to the cloud and 0 issues. Both DHCP works and I can do static and ping my gateway. Configuration is the same. Did default all, configure from scratch. Only Gi1 is having issues. So I edited the router to give it 8 ports. It now has

Gigabit 1, 2, 3,4 and 9,10,11,12. What happened to 5-8? In router Gi12 is Gi8 in EVE-NG so they are not lined up.

Has anyone ran into this issue with the weird behaviour of interfaces?

EDIT*

Using VIRTIO-NET adaptors and lowering the ports to 4 seems to have fixed it.

From here:

https://www.reddit.com/r/networking/comments/nm7cgk/eveng_interface_issues_with_csr1000v/



Fiber: 10G/s vs 40G/s vs 100G/s over strands of fiber over om4

I'm looking up the different speeds that om4 can support and it says that it can do 10, 40, and 100 G/s, ok that makes sense.

I look into what it takes to do 40G/s over om4 and it appears I need eight strands of fiber. It seems like they're bonding the pairs four for send, four for receive. Ok, that makes sense to me.

Then for 100 G/s, you need 12 strands, six send, six for receive. Ok, that makes sense to me.

What doesn't make sense to me, is that om4 can support 100 G/s, but a disclaimer of * Yeah, but with 12 strands.

Isn't that kinda like saying Cat5e can support 10G/s, but with 12 copper wires?

It seems kind of misleading, or am I missing something?



Access Lists for end devices using DHCP

Hey all,

Maybe I'm overthinking or missing something here, but let's say you wanted to create access list further down "the stack" at the switch level. How do you create access list rules for end devices when the IP addresses are constantly changing because of DHCP?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



VMware "Observed IP Range" not showing on both vNIC's in portchannel

Hi, we are having an odd issue with some inconsistencies on our VMware hosts. These hosts are physically uplinked to 2 meraki switches in a portchannel on both ends. Everything works, but what we have seen is that on one of the vNICs the "observed networks" will be seen (so all the relevant VLANs via broadcasts) and the other vNIC doesn't see any networks (just blank). This is odd considering that both sides of the portchannel load balance traffic via src/dst IP/VLAN and port IDs. This is the case for 2 out of our 3 hosts in the cluster.

I have run a packet capture on both the Meraki ports in the portchannel on the Meraki side as well and can see that broadcasts are going down both links on the same VLAN too.

I have had a Google as well and the only thing I've seen is NIC teaming active/standby configurations, but the portchannel (vNIC's) on the vSwitch isn't in HA as well. Does anyone have any ideas as to why this might be occurring?

Cheers



Any recommended outdoor IP speakers to use with Informacast?

I have some failing outdoor speakers used for PA announcements. The old ones were ok but the housings weren't exactly waterproof and the paint rapidly failed exposed to the elements.

Anybody got suggestions?



CLI through Firepower?

Does anyone know if the Cisco CLI can be accessed through the Firepower GUI? I'm much more comfortable with the CLI but as a contractor I was only given access to Firepower 🤦‍♂️



My manager is a cheap arse & has bought dell switches... everything else is cisco.

We've got a stack of 5 dell switches connected to a cisco 10gig switch using 4 fibre interfaces in a port channel. On the dell side we had to specify 'speed 10000' on each fibre interface, the cisco side is as normal. It works fine.

The problem happens when the dell stack is rebooted, once rebooted we lose the fibre links. We tried adding the speed 10000 to the cisco switch interfaces it made no difference.

We can get the links back by, on the dell switch, removing each fibre interface from the port channel, removing the speed command from each interface, re-adding the speed command & then finally re-adding each interface to the port channel. This brings them back up every time but is a right ballache.

Anyone got any ideas as to what we're doing wrong?



Latency/Retries only from one VLAN (Please help a new network engineer)

Hi, I am having an issue where the network is experiencing latency only from one vlan.

Here is a brief summary:

We have several vlans: 200, 201, 202, 206

All the vlans besides 206 can communicate with each other with no large latency increase.

206 to any other VLAN is slow and has a lot of retries when testing with iperf. When doing a traceroute, I noticed that anything going to or from vlan206 hits the firewall gateway 192.168.1.1 first instead of just going directly to each other. Other vlans (200,201,202) do not hit the firewall gateway first when doing tracert and have no retries/latency.

Not sure what I am missing.



Figuring out if there’s a proxy on the network

Hi, so I have some issues trying to figure out if there’s a current subscriber on the network utilizing a proxy/VPN.

However I’m unable to determine how to go about searching for that. We use an rXg, and Amazon Prime Video seems to think we’re acting on one - which is blocking users from viewing things. We contacted our ISP, and they distributed a new block of IPs, and it worked - until it got blocked again.

I’m not sure if this is subscriber abuse, or an issue on AMZ’s side, or our ISP. I searched our entire network and nothing looks alarming.

Any ideas? Tools I could use to check?

Thanks for any and all help!



Struggling to setup networking for Poly Studio X50 Webcam system

The Poly Studio X50 is a conference room webcam setup with a wall mounted webcam/soundbar, and a tablet that allows you to control/join meetings.

The room has a Ubiquiti AC Pro access point.

Upon receiving the X50, it seems like both the camera and the tablet require Power over Ethernet (PoE) to function correctly. Apparently the device has onboard wireless but I can't tell how it's utilized.

How would I go about setting this up? I have never used PoE before and unsure of what the requirements are. The AC pro is powered over PoE, but that is from the main box and there are no additional PoE ports that I can see.

What am I missing here? Does Poly Studios just expect people to have a couple close by PoE enabled ports? I realize I'm going to have to order a couple PoE rated cables, but I'm unsure what I'd even be plugging them into.



Router With Captive Portal and Built in Radius Server

Following my last post about DHCP looping. I am a forcefully selected voluntary internet admin of my dormitory, and I am searching for a device with a built in radius server for internet authentication. We currently have a WAVER device, which is wonderful, but the firewall is close to nothing, and internet output speed is overall 20-40 Mb, while my actual internet speed is 1000 Mb. I have tried the Draytek Vigor 2962, but its user accounts and local radius are crappy and do not always redirect to the login page, so I had to return it. And there is no way I’m going to install a radius server because even if I am able to install it, there will be no one who can help me, since I can’t be doing it all alone and it isn't worth that much trouble without being paid. We are 120 residents and I want them to login with a user account and password. Can anyone suggest a device?

Thanks



I need help with crimpers.

I started a networking class and bought the tool kit which comes with non pass through rj45 crimpers. My question is can I use those crimpers with pass through ends and just cut the excess wire with snips, or do I need pass through crimpers for pass through ends?



Pros and cons of Splunk SOAR vs IBM resilient SOAR

Let's say I am a small to medium business that wants to automate my incident response. What would be the pros and cons of Splunk SOAR vs IBM Resilient. Could anyone break down the pros and cons. Thank you!



Moving configuration from an old Tacacs server to a new Tacacs server. Both are running on windows server.

I tried to find any documentation on how to save Tacacs config files on the old tacacs server and then move them to the new tacacs server but I could not find any. Do you have any pointers or advice?! Thanks!



ISP ipv6 deployment and DHCP-PD

We operate a small ISP and I have gotten a /32 ipv6 block from ARIN. Our upstreams support ipv6 so we will add ipv6 to our bgp routes. The end user routers also support it so we should be good to go throughout the network.

What I have been unable to find so far is a DHCP-PD server. I would of course need to see what customer gets each block with some historical logging. I see it mentioned as a requirement constantly but no actual products mentioned for providing it.

Other than that I will probably do static assignments of a /48 for the isp business and a /48 for the business network.



Dell Powerconnect 5424, Access mode port

Hi, I grew up learning in cisco and mkt but I have a dell powerconnect 5424 switch installed 4 years ago that I have not touched, but I need to change a trunk interface to access mode and I have very little experience with this brand. Being in config mode of the g18 interface and writing the command "switchport mode access" I get the message "port g18 belongs to wrong number of vlans". What would be the steps to leave the interface in access mode and then in vlan 5?

switchport mode access

switchport access vlan 5

I leave here a capture of the cli where I was working

I would appreciate a lot if you can help me with this



WiFi 6 AP recommendations?

I'm building out my office network, and have been frustrated trying to select appropriate hardware for the WiFi side of things. Right now we're in a very small office (literally one room) and only need one access point, but when (if, heh) COVID stops being such a nuisance and we go back to a greater in-person presence we may move to a significantly larger office where multiple APs are required.

Here's what I'm looking for:

  • WiFi 6 compatibility - doesn't need to be blazing fast, I'm more concerned with network reliability while maintaining reasonable speeds. Wondering if 6e might help (by using the theoretically less congested 6GHz spectrum), but not sure what's available and if it's worth it cost-wise.
  • Controller-based management - while we're starting out with a single AP, if/when we move to a larger office I want to be able to expand, and manage all APs from a central controller. I DO NOT want cloud-managed for a variety of reasons; it's fine if it supports cloud management, as long as I can turn that off.
  • Reasonable price - looking at the ~$200 price range, maybe $300. Our entire buildout budget right now is like $3000 and that has to also cover a NAS, two switches (most of our equipment is wired), and a router.

Currently considering TPLink EAP620 or the UniFi U6 Lite. I have experience with an EAP245 at home and have played with the Omada software before, so I have familiarity there. However, I'm frustrated that the Omada controller requires outdated software (MongoDB 3.x and Java 8), though I'm eyeballing running it from a docker container so it can play with its outdated crap in an isolated box. UniFi looks intriguing and seems to check the boxes, but of course there's the whole security breach snafu... not sure of the extent of what was compromised there, or if a similar breach could compromise an AP that isn't touching their cloud infrastructure (I'll block traffic to/from their telemetry and management sites by force if necessary).

Curious what other reasonable options I might have. The Netgear WAX610 looked interesting, but there doesn't seem to be any sort of central management solution; it appears to only offer either on-device local management or cloud management. The Zyxel WAX510D looks interesting but it's the priciest of the three (and appears to be their lowest tier that includes controller management)... also it looks like you may only be able to manage it with dedicated controller hardware (driving the cost out of our range)?



How exactly does Pulse Secure interact with SAML?

I have a Pulse Secure VPN that is using SAML authentication by Okta. Everything works fine if I use the native Pulse Secure client. I am interested in getting openconnect to work, but by default it does not support any kind of MFA.

I was able to find how SAML works with Palo Altos, for example - user gets to a web page where they login and as part of response they get a cookie with specific name. Then there's a specific url on palo alto where vpn client connects to using that cookie as a password. You can follow the whole process manually, you can write a script that will handle it for you, but ultimately you can make palo alto work with openconnect and saml.

I can't seem to find anywhere how exactly interaction between Pulse and SAML is happening. I am assuming process should be similar. Before I start reverse engineering it all with packet captures, I figured I'd ask - maybe somebody knows how it all works and can share their knowledge? It would greatly simplify the process of writing a script to make openconnect work with pulse secure.



Can you connect a NAS to a node on a mesh network?

Total newb here. Please treat me like a child. I have a mesh network. I just want to know if it would work if I connect a NAS to a node and not on the main router? Nodes are not wired btw, if that helps.



Connecting a SFP28 NIC to a SFP+ Switch

Hey guys, I'm a Sysadmin that needs your help!

I have to configure an Application Server that should be connected with 10Gbit/s to SFP+ Ports on our HPE Aruba Switches. But for the specific server only NICs with SFP28 and 25Gbit/s are available from the manufacturer, which we never used yet.

It seems SFP28 is in general compatible with SFP+. Is it correct, that I...

1) ...can use a SFP+ Module/Transceiver on both sides including the SFP28 NIC Port without problems?

2) ...can use a SFP28 Module/Transceiver on both sides including the SFP+ Switch Port without problems?

3) ...can use a SFP28 Module/Transceiver on the NIC and a SFP+ Module/Transceiver on the SFP+ Switch Port?

Thanks!



Network Simulators Suggestions

Hi,

my company is currently using EVE-NG for LAB purposes but I recently had troubles with its customer support so I am looking for valid alternatives. Any suggestions?



Monday, September 20, 2021

Router-to-L2 vs Router-to-L3

I’m probably overthinking this, but I am genuinely curious as to what advantage one scenario has over another. Granted it does depend on the gear you’re working with but let’s say both are L3 WAN switches…

Scenario 1: Nat router connects to a switchport with an SVI gateway living on the switch.

Scenario 2: Nat router connects to a routed port as its gateway in a /30 subnet.

Both get the networks behind the nat router out to the Internet, but what’s the rhyme or reason for doing one over the other?

This doesn’t exclusively apply to WANs, but this is a scenario I’ve run into recently.



Cisco Network Engineer Interview Tips?

Hey Guys and Gals, I’m currently researching things that could help me out when preparing for a Network Engineering position at Cisco. I’m currently a senior at university. Any tips would be greatly appreciated!!



Puzzling multi-network routing behavior

Hello, I have a puzzle. I have sought a solution through the usual Googling, and even found a Spiceworks thread from someone with almost the exact same puzzle! But alas there was no resolution there, and it was posted in 2015.

Cast of characters:

- A new virtual hosting system to be configured in the lab, connected to an isolated layer 2 switch. It is destined for an industrial plant site, and will be set up in the lab using the subnet that belongs to that site. This subnet is 172.20.149.0/24.

- A laptop sitting in the lab. Its ethernet adapter is connected to the aforementioned layer 2 switch, with a static IP of 172.20.149.11 (no default gateway obviously). Its WiFi adapter is connected to the corporate WiFi, and has a DHCP address of 172.24.201.27 and an auto-configured default gateway and DNS etc. This is also a /24 subnet.

- My colleague, who is trying to set up the new virtual cluster remotely, as we're all still WFH. She uses our secure remote access system to get a screen session with the laptop via the WiFi adapter.

The mystery is thus:

So far there is nothing on the local private 172.20.149.0/24 subnet configured aside from the laptop. But when she probes for certain addresses, she gets answers! From actual devices that are at the actual plant site. I would have thought this to be impossible. The route table is clear: the interface for destinations in 172.20.149.0/24 is 172.20.149.11.

But when I ping 172.20.149.1, instead of getting "Destination host unreachable" every time (it did it once, then never again), Windows for some reason decides to try the WiFi adapter, which of course leads to the corporate WAN and eventually to the plant. I verified with tracert.

How can I convince Windows to be LESS helpful and to just give up if it finds nothing on the local subnet? I do not want it to try the other adapters. I feel like there must be a setting for this, but so far have utterly failed to find it.



Any thoughts on Dualcomm's new 10Gbe TAP? (ETAP-XG)

I'm looking to get a small portable 10Gbe network TAP, for quick ad-hoc network troubleshooting in the field, connected to an analysis laptop/workstation.

Previously, we were using a 1Gbe copper one (SharkTap USB Gen 2).

This basically acts as an inline tap - and then connects to your analysis laptop via USB 3.0, so you can use Wireshark etc. on the packet dumps.

It was basically a low-cost version of something like the Profishark 1G.

I saw that Dualcomm has a new 10Gbe network TAP, which supports SFP+ (so copper or fiber):

https://www.dualcomm.com/collections/network-tap/products/etap-xg-10g-network-tap

What are people's thoughts on Dualcomm, as a network TAP vendor?

This won't be for long-term use in a production network - more for debugging/troubleshooting, or maybe some analysis - so it would be in place for hours, to days at most, I would think. (We have passive optical taps for anything long-term).

Dualcomm claims zero packet delay, although I don't know how verifiable that is.

The Dualcomm is $699, whereas the Profishark 10G's I believe are over $10,000.

(I do lose the POE passthrough from the SharkTap, so I guess I'll still keep that in the toolkit)



Issues accessing video equipment GUIs via Cradlepoint.

Just wondering if anyone else has noticed issues lately accessing http GUIs over a cradlepoint LTE connection? We started having issues accessing video device http GUIs over several cradlepoint connections. Different geographical locations in the U.S. Both Verizon and At&t SIMs. Signal is fine. Connection times out.



Tips on finding 100% remote automation work?

Looking to make a switch soon. 5yrs neteng regional ISP/MSP, Cisco/Palo/Aruba, ansible, python, netmiko/napalm, REST APIs, etc.

having a hard time filtering down to only 100% remote roles. any advice?



Dual WAN gateway to gateway VPN

Hello,

I am looking to connect 2 geographically distant (> 5 miles) sites. Both sites have dual WAN fail over, and dynamic IP's from each ISP. I am looking for a hardware (or general solution) recommendation to allow a secure connection between both sites that could withstand a WAN fail over at either or both sites.

This is a small group of computers (<10) with low bandwidth (< 1MB/hour) requirements.

Thanks!



Fortigate vs Ruckus vs Cisco wireless

Curious if anyone has ever been in a position to use two of the three vendors mentioned in the subject (Fortigate, Ruckus, Cisco) for wifi implementation. If so, which one did you like best?

Looking at Budgeting for an upgraded wifi infrastructure in 2022-2023, in time to replace a Cisco one running on a 5508 wireless lan controller that goes EOL in 2023.

Needs to do multiple ssid's with different authentication schemes, remote offices can tunnel to HQ or they could just exit traffic at the local switchport - both options are nice to have.

The only thing that I smirk about is the Fortinet branding "forti-"everything... I could be taking a FortiPee on the FortiToilet using my FortiPhone connected to a FortiAP, etc... Just makes me chuckle, though it has no bearing on the decision whatsoever.