Saturday, October 2, 2021

Detecting and mitigating BGP peer black holes

We're a small regional ISP and data center. We have several upstream bandwidth providers and networks we peer with. One of the bandwidth providers we peer with on a 10G link recently had a power failure, and their link went down; no big deal, BGP handles that just fine.

2 days later we started to see 35% of our traffic dropping. After investigating for 10 minutes, it became clear that traffic we send to them or traffic reaching them via BGP looking to hop into our network was being accepted and then dropped, creating a traffic black hole.

Because the BGP sessions weren't flapping, flap protection didn't kick in, and because there's no downed link, BGP didn't bypass the link.

1) There's got to be an elegant way of handling this without manual intervention? Massive networks with hundreds of similar providers can't be managing the quality of those peering relationships manually.

2) Are there route table rules that can detect these situations and downgrade its weight so it doesn't get used?

TIA!
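
The detection half of the question, as an added example that is not part of the post: because the sessions never flapped, anything keyed on session state (hold timers, BFD) would not have noticed, so the check has to be on forwarding itself. The sketch below assumes you already send active probes out via each upstream (for instance pings to a far-end target with the probe forced across that peer's link; how that forcing is done is outside this snippet) and feeds each probe's outcome in. It declares a black hole from the loss ratio over a sliding window and uses hysteresis so a single lost probe does not flap the verdict. All thresholds are assumptions to tune per network.

```python
"""Loss-based black-hole detection for an upstream whose BGP session stays up
while it silently drops traffic. Example code, not from the post; probe
delivery via a chosen upstream is assumed to exist elsewhere."""
from collections import deque


class UpstreamHealth:
    def __init__(self, window=20, fail_loss=0.30, recover_loss=0.05, recover_streak=10):
        self.samples = deque(maxlen=window)   # 1 = probe answered, 0 = probe lost
        self.fail_loss = fail_loss            # loss ratio that declares a black hole
        self.recover_loss = recover_loss      # loss ratio that must hold to clear it
        self.recover_streak = recover_streak  # consecutive good probes required as well
        self.blackholed = False
        self._streak = 0

    def loss(self) -> float:
        """Fraction of probes lost over the current window."""
        return 0.0 if not self.samples else 1 - sum(self.samples) / len(self.samples)

    def observe(self, answered: bool) -> bool:
        """Record one probe; return True when the verdict for this upstream changes."""
        self.samples.append(1 if answered else 0)
        self._streak = (self._streak + 1) if answered else 0
        before = self.blackholed
        window_full = len(self.samples) == self.samples.maxlen
        if not self.blackholed and window_full and self.loss() >= self.fail_loss:
            self.blackholed = True
        elif self.blackholed and self._streak >= self.recover_streak and self.loss() <= self.recover_loss:
            self.blackholed = False
        return before != self.blackholed


def run_probe_log(log):
    """log: iterable of (upstream name, probe answered?) in time order.
    Returns {upstream: blackholed?} once the whole log has been replayed."""
    health = {}
    for upstream, answered in log:
        health.setdefault(upstream, UpstreamHealth()).observe(answered)
    return {name: h.blackholed for name, h in health.items()}


def mitigation_for(verdicts):
    """Policy changes to push for each flagged upstream. Both directions need
    attention: the post saw traffic dropped on the way out and on the way in."""
    actions = []
    for name, bad in verdicts.items():
        if bad:
            actions.append(f"{name}: lower local-preference on routes learned from this peer so egress avoids it")
            actions.append(f"{name}: withdraw (or heavily prepend) your prefixes toward this peer so ingress shifts away")
    return actions


# Constructed probe log: ISP-A answers everything, ISP-B silently drops about 40%.
PROBE_LOG = [("ISP-A", True)] * 30 + [("ISP-B", ok) for ok in ([True] * 6 + [False] * 4) * 3]

if __name__ == "__main__":
    verdicts = run_probe_log(PROBE_LOG)
    print(verdicts)
    for line in mitigation_for(verdicts):
        print(line)
```

The asymmetric thresholds matter: a path is flagged at 30% loss over a full window but only cleared after ten consecutive answered probes and the window back under 5% loss, so a provider that is intermittently dropping does not get its routes flipped back and forth. The same replay approach lets you validate threshold choices against recorded probe history before wiring the verdicts to route-policy changes.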



Cisco ACLs between VLANs not preventing traffic

I have set up ACLs to deny most traffic between VLANs on a 3750x switch (which is also acting as the inter-vlan router), however it does not seem to work at all. More specifically, I have the Servers VLAN 10 and Clients VLAN 15.

Despite the below configuration, Clients in VLAN 15 have full access to both servers in VLAN 10 (i.e. I can access the Web GUI on Server1 - 10.1.10.10 and can RDP into Server 2 - 10.1.10.11, while the ACLs do not allow that). Additionally, they can also access the Web GUI of the internet router that is on 10.1.20.1, while I believe the ACL below should not allow that.

Ideally I would only want the Clients to have access to:

a) DNS Server running on internet router (10.1.20.1)
b) Access to DHCP server running on internet router (10.1.20.1) so as to receive addresses
c) The TCP 10050 & 10051 ports on Server 10.1.10.12
And then no further access to the internal network, while being allowed to access the internet.

The configuration is as follows:

VLAN 10 (Servers): 10.1.15.0/24
VLAN 15 (Clients): 10.1.15.0/24
VLAN 20 (Internet Gateway): 10.1.20.0/24

interface Vlan10
ip address 10.1.10.1 255.255.255.0
ip access-group 110 in
ip helper-address 10.1.20.1
!
interface Vlan15
ip address 10.1.15.1 255.255.255.0
ip access-group 115 in
ip helper-address 10.1.20.1
!
interface Vlan20
ip address 10.1.20.2 255.255.255.0
!
access-list 110 permit udp 10.1.10.0 0.0.0.255 host 10.1.20.1 eq domain
access-list 110 permit udp any eq bootpc any eq bootps
access-list 110 permit udp host 10.1.10.11 host 10.1.20.1 eq 2056
access-list 110 permit udp host 10.1.10.11 host 10.1.10.1 eq 1645
access-list 110 permit udp host 10.1.10.11 host 10.1.10.1 eq 1646
access-list 110 permit udp host 10.1.10.12 host 10.1.10.1 eq snmp
access-list 110 permit udp host 10.1.10.12 host 10.1.20.1 eq snmp
access-list 110 permit tcp host 10.1.10.12 host 10.1.15.20 eq 10050
access-list 110 permit tcp host 10.1.10.12 host 10.1.15.20 eq 10051
access-list 110 permit ip 10.1.10.0 0.0.0.255 host 10.1.11.10
access-list 110 permit ip 10.1.10.0 0.0.0.255 host 10.1.11.20
access-list 110 deny ip 10.1.10.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.1.10.0 0.0.0.255 any
access-list 110 deny ip any any
!
access-list 115 permit udp 10.1.15.0 0.0.0.255 host 10.1.20.1 eq domain
access-list 115 permit udp any eq bootpc any eq bootps
access-list 115 permit tcp host 10.1.15.20 host 10.1.10.12 eq 10050
access-list 115 permit tcp host 10.1.15.20 host 10.1.10.12 eq 10051
access-list 115 deny ip 10.1.15.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 115 permit ip 10.1.15.0 0.0.0.255 any
access-list 115 deny ip any any

Is my configuration wrong? Is the latest IOS version for this switch buggy? I could post the entire configuration of the switch if need be, since this is a lab environment.

Thanks!
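
An offline way to check what the two ACLs above actually permit, as an added example that is not part of the post: a small first-match evaluator for the subset of IOS extended-ACL syntax these lines use, run over the exact flows the question describes (the client address 10.1.15.20 and the ports come from the posted ACLs; the internet host and ephemeral source ports are constructed).

```python
"""Offline evaluator for Cisco IOS numbered extended ACLs: the first matching
line wins and anything unmatched hits the implicit deny. Added example, not
code from the post; it handles only the syntax the posted ACLs use
(ip/tcp/udp, any, host, address+wildcard, optional 'eq' ports)."""
import ipaddress
from collections import namedtuple

# ACLs 110 and 115 copied verbatim from the question.
ACL_TEXT = """
access-list 110 permit udp 10.1.10.0 0.0.0.255 host 10.1.20.1 eq domain
access-list 110 permit udp any eq bootpc any eq bootps
access-list 110 permit udp host 10.1.10.11 host 10.1.20.1 eq 2056
access-list 110 permit udp host 10.1.10.11 host 10.1.10.1 eq 1645
access-list 110 permit udp host 10.1.10.11 host 10.1.10.1 eq 1646
access-list 110 permit udp host 10.1.10.12 host 10.1.10.1 eq snmp
access-list 110 permit udp host 10.1.10.12 host 10.1.20.1 eq snmp
access-list 110 permit tcp host 10.1.10.12 host 10.1.15.20 eq 10050
access-list 110 permit tcp host 10.1.10.12 host 10.1.15.20 eq 10051
access-list 110 permit ip 10.1.10.0 0.0.0.255 host 10.1.11.10
access-list 110 permit ip 10.1.10.0 0.0.0.255 host 10.1.11.20
access-list 110 deny ip 10.1.10.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.1.10.0 0.0.0.255 any
access-list 110 deny ip any any
access-list 115 permit udp 10.1.15.0 0.0.0.255 host 10.1.20.1 eq domain
access-list 115 permit udp any eq bootpc any eq bootps
access-list 115 permit tcp host 10.1.15.20 host 10.1.10.12 eq 10050
access-list 115 permit tcp host 10.1.15.20 host 10.1.10.12 eq 10051
access-list 115 deny ip 10.1.15.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 115 permit ip 10.1.15.0 0.0.0.255 any
access-list 115 deny ip any any
"""

PORT_NAMES = {"domain": 53, "bootpc": 68, "bootps": 67, "snmp": 161}  # IOS keywords used above
Rule = namedtuple("Rule", "action proto src sport dst dport text")
Packet = namedtuple("Packet", "proto src dst sport dport")


def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a contiguous wildcard (hostmask) in place of a prefix length
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def _port(tokens, i):
    """Parse an optional 'eq <name|number>' starting at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acls(text):
    """Return {acl number: [Rule, ...]} in the order the lines appear."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        acls.setdefault(t[1], []).append(Rule(t[2], t[3], src, sport, dst, dport, line.strip()))
    return acls


def evaluate(rules, pkt):
    """Return (action, matching line) or ('deny', None) for the implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in r.src or ipaddress.ip_address(pkt.dst) not in r.dst:
            continue
        if (r.sport is not None and r.sport != pkt.sport) or (r.dport is not None and r.dport != pkt.dport):
            continue
        return r.action, r.text
    return "deny", None


def check_scenarios(acls):
    """The flows the question is about, each checked on the ACL of its ingress SVI."""
    cases = {
        "client web GUI on Server1": ("115", Packet("tcp", "10.1.15.20", "10.1.10.10", 51000, 80)),
        "client RDP to Server2":     ("115", Packet("tcp", "10.1.15.20", "10.1.10.11", 51001, 3389)),
        "client web GUI on router":  ("115", Packet("tcp", "10.1.15.20", "10.1.20.1", 51002, 80)),
        "client DNS to router":      ("115", Packet("udp", "10.1.15.20", "10.1.20.1", 51003, 53)),
        "client to 10.1.10.12:10050": ("115", Packet("tcp", "10.1.15.20", "10.1.10.12", 51004, 10050)),
        "10050 reply back to client": ("110", Packet("tcp", "10.1.10.12", "10.1.15.20", 10050, 51004)),
        "client to internet":        ("115", Packet("tcp", "10.1.15.20", "198.51.100.7", 51005, 443)),
    }
    return {name: evaluate(acls[num], pkt)[0] for name, (num, pkt) in cases.items()}
```

Two things the replay shows. First, every flow the poster can reach but should not (web GUI, RDP, the router's GUI) lands on the `deny ip 10.1.15.0 0.0.0.255 10.1.0.0 0.0.255.255` line, so if the switch still forwards them the ACL text is not the problem; the next check is whether it is really attached, for example whether `show ip interface Vlan15` reports "Inbound access list is 115". Second, the return packets of the intended port-10050 session arrive on Vlan10 with the client's ephemeral port as destination, so ACL 110's `permit ... eq 10050` never matches them and its `deny` line drops them: a plain extended ACL has no connection state, so the reverse direction needs its own permit (the `established` keyword on a TCP line is the usual way) before that flow can work even once filtering is enforced.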



Architects of large enterprise networks, how do you handle the sizing/categorization of sites?

In any large environment, I'm sure that there is quite a bit of standardization that needs to occur in order to keep things clean and scalable. When it comes to standardizing the design of new sites, how would you typically determine which design the site will be built using?

I imagine that it is some combination of user count, number of IDFs, and how critical it is to the business. But I'm curious to get a bit more detail as to how that process works. I'm in vendor-land today, and when I last worked for an enterprise I wasn't involved with their design process; so I'm not super familiar with how this would typically be approached.



Is it possible to connect 2 firewalls directly for a site-to-site VPN?

Is there a way to connect 2 Cisco firewalls directly to establish a site-to-site VPN over straight-through cabling? I need the features of the firewalls on each side of the networks but I don't want to lose throughput. In the past, you could do this with a switch in the middle but I hated having that extra device to keep up with.

I think it's possible with crossover cables, but I also don't want to lose throughput.

Any features on modern enterprise firewalls that would allow this? Cisco preferred if possible but I'm comfortable with other brands if it's definitely possible.



Will high latency due to distance ever come to an end?

No matter how fast my internet connection is, there will always be a delay between two network nodes separated by huge distances.

South America - Europe, about 250ms

South America - Asia - 350-400ms

Will this ever come to an end?

I know every node that exists between two points adds some delay; that's why in the end we have high latencies between two very distant places.

What physical changes would be necessary? 100% fiber optic communication? I heard even fiber optic communication degrades at some point.

Thanks



PPPOE Issue

I want to know my PPPoE username & password, but when I contact my ISP they know nothing about PPPoE. So how can I get this info? (I've tried backing up my router and other ways to check this on your own, but it's all encrypted.)



SSH certificates?

Hello,

We use ssh certificates on our server infrastructure. It removes the problem of having a large amount of ssh keys on every system. Is it possible to do the same on our network infrastructure?

Is it common for switches to support ssh certificates?



Network Engineers!!! Please help... I am a junior IT Support

I have a firewall (fortigate) connected to ISP and a SOHO linksys router connected to firewall. Firewall's IP address range is 10.10.10.x and router gives IP address range of 192.168.1.x.

The problem arises when I try to ping a device connected to the Linksys router from a device connected to the firewall, whereas if I ping the other way, from a device connected to the Linksys router to a device connected to the firewall, it works. I believe the solution lies in "static routing", but I couldn't make the static route between my firewall and SOHO router. Thanks in advance!!!



Get BGP uptime in seconds Cisco

I'm trying to pull the BGP neighbour uptime in seconds via Python. From the output of the cli commands "show ip bgp neigh" it puts it in human readable format e.g.

BGP state = Established, up for 3w0d

Does anybody know of a way to get this value via cli output in seconds?

Thanks
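
One way to get seconds out of that text, as an added example that is not from the post: parse the neighbor block and convert the uptime string. Only the "3w0d" form appears in the post; the other renderings (hh:mm:ss, days+hours, years+weeks) are the usual IOS uptime forms and are assumed here, as is the sample output, which is constructed in the layout of `show ip bgp neighbors` with documentation-prefix addresses.

```python
"""Convert the human-readable BGP uptime that IOS prints ("up for 3w0d") into
seconds. Example code, not from the post; the uptime forms other than "3w0d"
are assumed from IOS convention."""
import re
from typing import Optional

# IOS picks the rendering by how long the session has been up:
#   "00:05:12"  hh:mm:ss while under 24 hours
#   "1d02h"     days and hours while under a week
#   "3w0d"      weeks and days while under a year
#   "1y2w"      years and weeks after that
# Each form drops the smaller units, so the result is a lower bound at that
# form's resolution (a "3w0d" session may be nearly a day older than 1814400 s).
_HMS = re.compile(r"^(\d{1,2}):(\d{2}):(\d{2})$")
_UNITS = re.compile(r"^(?:(\d+)y)?(?:(\d+)w)?(?:(\d+)d)?(?:(\d+)h)?$")
_SECONDS = {"y": 365 * 86400, "w": 7 * 86400, "d": 86400, "h": 3600}


def uptime_to_seconds(text: str) -> Optional[int]:
    """Return the uptime in seconds, or None for a session that is not up ("never")."""
    text = text.strip()
    if text == "never":
        return None
    m = _HMS.match(text)
    if m:
        h, mi, s = (int(g) for g in m.groups())
        return h * 3600 + mi * 60 + s
    m = _UNITS.match(text)
    if m and any(g is not None for g in m.groups()):
        y, w, d, h = (int(g) if g is not None else 0 for g in m.groups())
        return y * _SECONDS["y"] + w * _SECONDS["w"] + d * _SECONDS["d"] + h * _SECONDS["h"]
    raise ValueError(f"unrecognised IOS uptime: {text!r}")


_NEIGHBOR = re.compile(r"^BGP neighbor is (\S+?),")
_STATE = re.compile(r"BGP state = (\w+)(?:, up for (\S+))?")


def parse_neighbors(show_output: str) -> dict:
    """Map neighbor address -> (state, uptime in seconds or None) from the
    text of 'show ip bgp neighbors'."""
    result, current = {}, None
    for line in show_output.splitlines():
        m = _NEIGHBOR.match(line)
        if m:
            current = m.group(1)
            continue
        m = _STATE.search(line)
        if m and current:
            state, up = m.groups()
            result[current] = (state, uptime_to_seconds(up) if up else None)
    return result


# Constructed sample in the layout of 'show ip bgp neighbors', trimmed to the
# lines the parser needs; 192.0.2.0/24 is a documentation prefix, not a real peer.
SAMPLE_OUTPUT = """\
BGP neighbor is 192.0.2.1,  remote AS 65001, external link
  BGP version 4, remote router ID 192.0.2.1
  BGP state = Established, up for 3w0d
  Last read 00:00:12, last write 00:00:33, hold time is 180, keepalive interval is 60 seconds
BGP neighbor is 192.0.2.2,  remote AS 65002, external link
  BGP version 4, remote router ID 0.0.0.0
  BGP state = Active
"""

if __name__ == "__main__":
    for peer, (state, secs) in parse_neighbors(SAMPLE_OUTPUT).items():
        print(f"{peer:15} {state:12} {secs}")
```

Because the CLI rounds to its coarsest unit, the result is only a lower bound: "3w0d" covers anything from 21 days up to just under 22. If exact seconds matter, the BGP4-MIB object bgpPeerFsmEstablishedTime (RFC 4273) reports the time in Established state directly in seconds over SNMP, with no text parsing involved.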



What would a Lucent OLS 800G have cost brand new in the year 2001 approximately?

As the title says. Just interested in the history of Australian telecommunications and I see this device cropping up a lot. Just wondering what one of these would have cost brand new back in the day.



Friday, October 1, 2021

SNIF ~ e2e TLS trust for IoT - an open source project

SNIF enables anonymous end-to-end public trust TLS communications between apps through a designated SNIF relay. By providing TLS public trust on a full end-to-end level, SNIF creates a peer-to-peer app-level VPN, eliminating the middle-man and any corresponding ability to intercept, monitor or read the private communication.

Any app on any device can utilize a designated SNIF relay to allow any other app on any device to directly communicate with the SNIF enabled app via a trusted, certificated and anonymous host name using full end-to-end TLS encryption.

https://snif.host

https://github.com/vesvault/snif



Huge quantities of quiet devices

I've got a greenfield job to set up a network with a large quantity of industrial switches. The plan is to have 6000-8000 devices connected to this network, all within a few hundred metres. Each device is a quiet and well behaved microcontroller with wired ethernet. They'll each be shifting mere kilobytes per hour. Let's assume wireless isn't an option.

I can handle layer 2 easily, but what should layer 3 look like? I'm torn between allowing many/all of the endpoints onto a very large subnet and dealing with any broadcast malfunctions when they happen, or staying strong with the old "If you think you need larger than a ~/24, you're probably doing something wrong" viewpoint and creating at least 32 different VLANs. Then what, just creating 32 SVIs on the core switches, pointing them to the central DHCP server, slapping the same ACL on each of them and calling it a day? I'm sure that'd "work", but it feels dirty somehow :) Or maybe it feels too easy.

There will be a few other elements to the network. A few servers, a few workstations, some internet, etc. But the bulk of it will be those microcontrollers.



VLAN Help on PowerConnect 5500 Series switches

I don't know if this switch is capable of doing what I want or I am doing something stupid (this can very well be the case)... I am trying to get VLAN 1 to communicate with VLAN 110 and vice versa. I tried setting up a General VLAN, assigning IPs to the VLAN, as well as assigning interface te1/0/1 an IP... nothing. I have an MS DHCP server (scope already made) on VLAN 1 at 192.168.69.5 and enabled DHCP Relay on the switch. That is not getting through either.

If someone would just give me a little hint.

Here is the config: Untitled - Paste-bin

interface te1/0/1 goes to a non-managed SFP "dumb" switch. VLAN 1 = 192.168.69.0/24 and VLAN 110 = 10.1.10.0/24



PCs unable to obtain IP addresses from the DHCP Server

So I'm doing a simple lab on PT where 2 PCs are connected to a 3560 switch and the switch is connected to a router. I created a DHCP pool on the layer 3 switch but the PCs are unable to get an IP address. If I create the DHCP pool on the router, the PCs get an IP address. Please check the configuration below and tell me what I am missing.

Router#sh run
Building configuration...

Current configuration : 798 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip cef
no ipv6 cef
!
license udi pid CISCO2901/K9 sn FTX15248UZ5-
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.200
 encapsulation dot1Q 200
 ip address 10.100.200.1 255.255.255.0
!
interface GigabitEthernet0/0.210
 encapsulation dot1Q 210
 ip address 10.100.210.1 255.255.255.0
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown

Switch#sh run
Building configuration...

Current configuration : 1516 bytes
!
version 12.2(37)SE1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
ip dhcp pool POOL
 network 10.100.200.0 255.255.255.0
 default-router 10.100.200.1
ip dhcp pool POOL1
 network 10.100.210.0 255.255.255.0
 default-router 10.100.210.1
!
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport access vlan 200
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport access vlan 210
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
ip flow-export version 9
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!



What Are the Different Fiber Optic Speed Grades?

Hi, I've been searching online to see if there are distinct speed grades for fiber optic networking cables and equipment just as there are for Ethernet, but so far I haven't been able to find anything. Would anyone be able to link an article or video that discusses this, or would you be able to explain it yourself? Any assistance would be greatly appreciated. Thank you :)



Hyper-V Guest VLAN Connectivity Issue - Or lack there of

This is my first Hyper-V Guest that I have tried to run strictly in a VLAN. I'm trying to create a backup server to run off of my 10G Server / Storage switch. This is my Environment:

  • X3 Dell R440 Win 2019 Servers in Failover Cluster with 4 Port 10G NIC
    • 10G NIC 1&2 Teamed VLAN4 for Storage 10.4.0.1X/24
  • FreeNas JBOD 10G Teamed Dual NIC VLAN4 10.4.0.10/24
  • Dell T340 Win 2019 with Dual 10G NIC Teamed No VLAN Assignment 10.4.0.20/24
  • Synology 12 Bay NAS with Dual 10G NIC Teamed VLAN 4 10.4.0.30/24
  • X 2 Netgear XS716E Prosafe
    • 10GSwitch01
    • Port 1, 2, 3, 4, 16 - Tagged VLAN4
    • ClusterServer and JBOD Connected to Ports 1-4
    • 10GSwitch02
    • Port 1, 2, 3, 4, 16 - Tagged VLAN4
    • ClusterServer and JBOD Connected to Ports 1-4
    • Port 11, 12, 13, 14 - Untagged VLAN4
    • BackupServer and NAS Connected to Ports 11-14

From the BareMetal T340 I can ping all IT assets, from the installed Hyper-V Guest I cannot ping anything including the Hyper-V Host

This is what I have tried:

  • Set VLAN4 in the 10GVSwitch - breaks the BareMetal Connection to the other network assets
  • Set VLAN4 in the Hyper-v Guest NIC through the Hyper-V Manager
  • Set VLAN4 for in the Windows Network Properties in the Hyper-V Guest
  • Set Ports on switch to Tagged VLAN4
  • Ran PowerShell command to set VM Adapter as untagged (Get-VM VMGuest | Set-VMNetworkAdapterVlan -Untagged)
  • Set Port on switch as Trunk

Why? 2 reasons - I don't want this backup on my main network for obvious RansomWare reasons and secondly we have about 120 TB of data and growing that needs to be backed up and it bogs the network down when the backups run.

Help me Obiwan, you are my only hope!!



Help with Aruba 6200F and VLAN tagging.

Jr of a 2-man team, and my lead engineer has left the company, leaving me with a bunch of 6200F switches, no training, and now all of his fires lol. It's been an exciting few weeks.

I am CCNA certified but struggling with replacing an older device with one of these by converting the Cisco config I have to Aruba.

I am a bit confused with the switchport voice vlan and having 2 access vlans on the interface. I have found a few posts in regards to having the DATA vlan untagged and Voice tagged. Trunk 66, tagged or untagged?

I appreciate any input


Here is a simple snippet of what I am working with

Cisco Conf

interface 1/1/24
 vlan access 138
 switchport voice vlan 2138

interface 1/1/28
 switchport trunk native vlan 66
 switchport trunk allowed vlan 122,138,703,830,831,920,2138,2603,3138,3238
 switchport mode trunk

Aruba VLAN

VLAN  Name            Status  Reason                Type     Interfaces
1     DEFAULT_VLAN_1  down    no_member_forwarding  default  1/1/25-1/1/52
66    TRUNK_NATIVE    down    no_member_forwarding  static   1/1/28
2138  Voice           down    no_member_forwarding  static   1/1/1-1/1/4,1/1/6-1/1/7,1/1/9-1/1/12,1/1/24,1/1/28
3138  Data            down    no_member_forwarding  static   1/1/5,1/1/8,1/1/13-1/1/23,1/1/28


Moving to a Senior Engineer role.

Hi all,

As you might see in my previous posts, I have been stuck in a rut for a number of years and I am starting to believe I am not as good of an engineer as I think I am.

I am very slow in regards to obtaining certifications (in the process of getting my AWS solutions architect associate for the last 6 months) and I am in a conglomerate where the most important thing I do is rack devices in the DC since I live nearby.

Recently I have been looking around for a more senior role, but the questions I got asked make me want to cry afterwards. From questions that make me think "I read and knew about this 10 months ago" to "Why is this a network engineering question, this is more of a linux/developer one".

I am thinking of taking a pay cut to join a smaller organization that does more work so I feel more productive and don't hate my life that much. Unfortunately job satisfaction is important to me and I do not know how to do anything else, although I have tried having hobbies. I definitely do not want a career change because I can't live with minimum wage.

The fact that I live in London, UK makes the whole job market a lot more competitive.

Ideally I want a more hands on project role with the opportunity to learn stuff in a "normal" pace. By normal I mean a place where you can do your job and have a bit of a challenge unlike some small MSP that you are constantly firefighting, or a huge company where all you do is paste the config given to you by the architect team (what I am currently doing).

My previous role was Technical Design Authority in a small company of 50, only to find out that the company was a scam, to put it simply. It's like I was given the job and title by Michael Scott from "The Office", which means nothing since there were no designs to authorize.

I tend to learn by doing instead of studying and this is why I have been struggling a lot. I like being pushed and having a mentor. Does that make me inadequate for a senior role? I am curious to know more about networks but it seems that I have missed the boat because everything is slowly moving to the cloud and more roles require automation/programmability which I am really bad at.

Thanks for listening, I would appreciate any input.



Connecting three servers with QSFP+

Hi!

I have a chance to get three DL380 G9s, each with a HPE 544 dual-port QSFP+ FlexLOM adapter. The entire system should be a (probably Proxmox based) virtualization cluster with two main VM hosts (with all of the client VMs) and a third smaller "office"/"admin" VM host, and I'd like to use the 40Gbit links for replication inside the cluster.

However, I'm not sure whether I also need two QSFP+ switches (i.e., server{1,2,3}-port1 on switch1, server{1,2,3}-port2 on switch2) or if I can manage to connect them into the cluster with a physical loop (i.e. server1-port1 <-> server2-port1, server2-port2 <-> server3-port1, server3-port2 <-> server1-port2) and use Linux's bridging and STP to achieve redundant links.

It is ok if there is performance degradation in case of failures (e.g. if the cable between vmhost1 and vmhost2 fails, it is ok that the CPU on officehost can't handle 40Gbit in & out), but it would be great if it could utilize the 40Gbit links in the fully-functional case. This also raises the question of whether the STP tree is global (i.e., all bridges use the same tree and ignore the same links) or local (i.e. vmhost1 uses its direct link to vmhost2, but falls back on the link via the officehost bridge)?

Do you have any recommendations about the most cost-effective and power efficient way to connect the three hosts?

Thanks!



Dual VPN Routers?

I have a bit of a situation. First, the setup. I am part of a group of 3 stores. We have a system that is mostly managed by the software supplier. I say mostly because the vendor allows me to take care of many of the small support issues due to my basic knowledge, to the point that they have given me admin access to the server. Store 2 has the main equipment: server, static IP, generator, etc. Stores 1 and 3 connect to store 2 through VPN. There are a lot of other aspects, with our server connecting to our main warehouse and so on, so our inventory can be checked by online shoppers.

The problem. Our sales staff used to be able to connect to our store server when on the road using RDP. We had some attempted hacks bring our system to a halt, so they disabled the RDP options for now. They are having a hard time finding newer secure routers to replace the ones we have that will work with everything. My sales staff is having a lot of problems not being able to connect. I have a spare static IP on the WAN I'm not using. Can I connect a second firewall to the network to manage VPNs for my sales staff? That would eliminate the need to change the entire setup at all 3 locations. The router that is there currently is static. Any DHCP addresses that are handed out are sent from the server. I just can't find much information about one LAN being connected to the WAN with 2 separate units, and I'm not sure if this is possible. All the information I have found seems to relate to having two connections for splitting the bandwidth. In this situation I just want to have a way for my sales staff to connect. Thank you in advance for any help. I am also not very experienced with reddit yet, so if I am doing anything wrong with this post, please let me know so I can correct myself. Thanks, Partsjunky



Mesh wifi and network gear recommendation

What would you recommend for an integrated mesh wifi setup and PoE network switch?

My requirements: absolutely no "cloud" features (so Ubiquiti is out), integrated AP config (logging onto the switch gives access to all AP configs), with the ability to add and remove APs from a mesh, WPA2 and WPA3 support, the switch has to support VLANs, and it would be real nice to have IGMP.

The plan is to have 4 APs in a mesh and 2 outside of the mesh, with 5 of them on one VLAN and the lone one on another VLAN with a separate SSID and password.

This network is for a large room with high ceilings, but the 2 un-meshed APs will be in normal-height rooms.



BGP Lookup

Normally use lg.he.net for BGP lookups but it's not mobile friendly and looks like it's the first website ever created in the Internet's history. Pathetic on HE's part if you ask me.

The reason why I use this ugly site instead of the others below is because the results are closer to real-time and it has far more information such as IRR, IX, Whois, ASN info, etc.

Others lacking info and real-time lookups:

https://lg.twelve99.net/ (basic info, poor readability)
https://bgpview.io/ (very poor results, outdated all the time)

I've tried many others like Sprint, Century Link, etc but they're all ugly and/or crowded looking, not easy on the eyes.

Any alternative suggestions? I love ipinfo.io but doesn't seem like the results are real-time or close to recent status.

If anyone can suggest a good coder (or Github repo) that can translate something like ipinfo.io API into a site that has it all including real-time results for BGP lookups (perhaps even using another API for that tool specifically) while keeping the site mobile friendly, all the info like whois, asn info, IX info, etc that HE has, that would be appreciated.



Is amazon having routing issues in my region? How do I contact amazons peering team?

My region: south east Europe.

It worked nice until yesterday.

We have direct peering with amazon in our DC and in an IX and it worked great until yesterday.

Traffic going from us to AWS is going nicely where it should, through our peering. However, all or most traffic going from AWS to us is going from Frankfurt by roundabout ways, several dozens of hops, to Romania, Bulgaria and then to us, through one of our uplinks, and it seems to pick the worst ones :)

We have tried emailing amazon to peering-to@amazon.com but in 6 hours we got no response yet. Is there any other better way to contact their peering or network team?

Rumor is that another local ISP has similar issues with Amazon right now.



Searching for a new business class, simple-ish router

I hope this is OK to post here.

I'm looking for a business router that supports the following and does not have WiFi. Going for a smaller form factor, and will handle WiFi with APs.

Needs to be able to support OpenVPN

Needs to be able to support Port Forwarding with the ability to whitelist IPs and block all other traffic

Needs to be able to disable the DHCP of the LAN ports

The two routers I've been using are the Ubiquiti ERX and ERX-Lite3; however, they are becoming much too difficult to acquire.

I was looking at the TP-Link ER605; however, it's a bit vague whether you can whitelist IPs using its "Virtual Servers" for port forwarding. It doesn't appear so. There is also mention that you have to use their Cloud Management tools to set up OpenVPN. I'd like to be able to set up everything locally or with a config file.



Is there a device/computer app that will let me get network information from any ethernet port

Hello everyone! I work in a few hospitals and I am constantly required to get IP information from various ports throughout the area. The problem is I currently have to put in a ticket with IT and wait 3-5 days for this to be resolved. IMO this is incredibly inefficient because it is something I could easily do within 5 minutes if I had all the proper tools. So I am wondering: is there a way I can plug my laptop directly into that port to get the IP, subnet, and gateway address? If not an app, some sort of external device that plugs straight into the port. If it matters, all the IP addresses in the hospital are static.



FortiGate web inspection issues - LetsEncrypt root cert expired

FYI. We've been dealing with this for a day or two now. A root cert from LetsEncrypt expired and FortiGate is detecting this and blocking various sites that would otherwise be allowed.

"Fortinet, Shopify and more report issues after root CA certificate from Lets Encrypt expires | ZDNet" https://www.zdnet.com/article/fortinet-shopify-others-report-issues-after-root-ca-certificate-from-lets-encrypt-expires/

The workarounds we've found and TAC has recommended are to enable "Allow untrusted certs" in the web filter profiles doing inspection. You can also set the rule itself to flow-based.



Setting EAP-TLS with freeRadius

I have successfully set up a fully functioning EAP-TLS authentication with FreeRADIUS. But I am having trouble setting up EAP-TLS authentication while integrating FreeRADIUS with a PKI system. For testing purposes I pasted the PKI CA cert in the (/etc/freeradius/3.0/certs) folder and updated the eap file in mod-available. When I run the eapol-test it throws an error saying "unknown ca cert". Any idea how I can solve this?



Computer Networking Courses

Hey guys. Can you recommend to me some good websites where I can learn Networking and become certified for it?



My dad's company is in need of a product index/database containing product numbers and descriptions of all/any products sold by:

Cisco, IBM, DELL/EMC, Hitachi, Oracle/Sun, HP. End-of-service-life products included.

We are in a bit of a situation and I'm new here, so it would be a big deal for me if someone was able to at least point me in the right direction. Thanks in advance.

My apologies if this isn't the place to ask.



Thursday, September 30, 2021

Two switches/routers "sharing" routing tables?

Noob/terminology question!

If I have a managed switch with two vlans, I understand that all traffic between the two vlans must go through a router. I was wondering if there are switch / routers that can share routing tables (say every millisecond) so that traffic that's local to switch (between two different vlans) doesn't have to go to the router and can be handled by switch alone.

I am sure something like this must exist: what is such a sharing protocol/mechanism called? Or is this part of what they call "software defined networks"?



Ethernet device similar to ONT

We are looking to find a device that would work similarly to an FTTx ONT but do it on copper (Ethernet). It would need to do DHCP snooping and relay for v4 and v6, adding option 82 in v4 and 18, 37, or 38 for v6. Ideally something like MikroTik's GPEN21 would be perfect; however, that doesn't have the v6 tagging capability we are looking for. Has anyone seen something that would do this?

Thanks!



Not sure what's happening with my Dell PowerConnect 5548... help!

I am pulling my hair about this and it's making no sense.

I have two Dell switches, 1x PowerConnect 5548 and 1x PowerConnect 5524P. They are stacked using HDMI. When I plug my HPE ML350 Gen9 ports 1-4 (iLO seems fine) into any of the 5548 ports it always shows as down. However, when I plug it into the PowerConnect 5524 it lights up. Here is the twist to the story: I plug another device into the same port the ML350 was in and it works just fine.

e.g. if I plug the ML350 into port g1/0/11 it stays off. Plug another device into the same g1/0/11 and it works just fine. Plug the ML350 into g2/0/14 and it works just fine. Plug the ML350 into g1/0/28, same thing, no lights; plug another device into g1/0/28 and it works fine.

I don't have any ACL setup nor protection set... anything I might be missing or I need to check?

It does this even if I unstack them.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



PSA: AnyConnect Pre-4.10 pulled from Cisco Downloads

I noticed that Cisco has done some housekeeping recently and cleared out all previous builds of AnyConnect, leaving 4.10 as the only train available. The release notes say that AnyConnect 4.10.x will become the maintenance path for any 4.x bug. Makes me wonder what was going on with previous builds that they needed to be pulled.



Juniper/Mist AP32/AP33 Wall Mount

Anyone able to get any pictures of an AP32 or AP33 mounted with the stock bracket (APBR-U) on the wall? Ideally over a 1-gang or double-gang box? Any pictures at all would be great; a few side profile and bottom pictures would be super great. So far my Google research hasn't been successful.

Bracket looks to have a .8 inch offset, for thermals I assume. If it's up near the ceiling, looking from below, the way I think the cable routes, I assume you can see the cable plugging into the ports?

Cisco/Meraki has always been good with mounting, brackets, and aesthetics.

We are working with Aruba, and their slide mount method leaves a little bit to be desired for wall mount situations.

Mist was out of our price range right now, but we will have more to buy next year and things may be different. Curious how much "better" mist would look/be if mounting on the wall.



Independent benchmarking of WIFI6 access points

Is anyone aware of any independent orgs publishing benchmarking test results on enterprise grade WIFI6 access points? It's time for our gear refresh and my plan is to gather a mix of wifi-5 and wifi-6 clients for automated tests. The tests will focus on:

-Speed

-Capacity

-Airtime utilization (measuring retries, packet loss, etc..)

I'll get half of the inventory this year and add WIFI6e APs when the market becomes more mature.



Vonage IP Networks

We have Vonage Business for our office phone system. Prior to that, we just used Vonage residential units at each desk. When using the residential gateways, I found a document years ago on Vonage's support site that listed the IP blocks and ports that needed to be available for a two way conversation to happen. I can't find that for the VB service and they definitely aren't the same, as the softphones on users' PCs aren't working.

I've now spent about 3.5 hours on the phone with their business support trying to get this info. I'm currently on hold with their Advanced Support trying to get the info. I don't suppose anyone has it or can point me to a support doc?

Hope this is okay to post in /r/networking



Wireshark setup to capture HTTPS

I'm trying to troubleshoot a performance issue with an application for a client. This application sends HTTPS calls which I can see in Fiddler. Unfortunately the client uses Zscaler which doesn't allow Fiddler as a proxy. There's a workaround for this but the client would prefer not to implement it.

I thought of using Wireshark but I can't seem to get it to capture HTTPS?

Testing on my own machine, if I load an HTTP website in the browser I can see entries, if HTTPS no entries.

Then if I load the application in question on my own machine in HTTP, I still cannot see anything logged. The client has the same application but with added security (HTTPS) but I can't seem to log HTTP traffic locally let alone HTTPS. I know the calls do go through as they're logged by Fiddler (which I've closed while testing Wireshark).

Is this possible to achieve?



Cisco SDWAN Python SDK

I am looking at automating some of my Cisco SDWAN deployment with a python script.

I was going to use the REST API but then I saw they have a Python SDK. Does anyone have experience with the SDK? I would like to use the SDK as it is easier, but I am not sure if it has feature parity.



EVPN and Anycast Gateway on Juniper

I want to use the Anycast Gateway feature on Juniper MX. The reason I want to use it is to provide resilience to some customers that only have a /30 IP address configured (unable to run VRRP with a /30) between the two routers. I only have 2 x MX devices and that's the only place I need this Anycast Gateway feature to work (not extending it anywhere else in the network).

I can't use MC-LAG because they are MX5, but also the downstream switches are two separate switches (not a stack).

I have labbed it up and it seems to partially work, but I'm getting about 20% packet loss and I can't seem to work out why. If I just create a normal IP address on ae1.107 on one of the routers it works fine with no packet loss, which makes me pretty sure it's related to the EVPN/Anycast Gateway config.

Below are the configs from my two routers.

AE0 is used for connectivity between the two routers for OSPF, BGP, MPLS.

AE1 is where I want to put customer interfaces. I have configured one IP address on irb.107 (100.100.100.2/30)

I have another device in VLAN 107 and if I leave a ping running to 100.100.100.1 (Anycast IP address on the MXs) it responds fine but there is the packet loss.

Can anybody see any obvious issues with this config?

MX1

set interfaces ae0 flexible-vlan-tagging
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast
set interfaces ae0 unit 106 description "new iBGP connection to MX2"
set interfaces ae0 unit 106 vlan-id 106
set interfaces ae0 unit 106 family inet address 2.1.1.1/30
set interfaces ae1 description "Aggregate to Customers"
set interfaces ae1 enable
set interfaces ae1 flexible-vlan-tagging
set interfaces ae1 encapsulation flexible-ethernet-services
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 unit 0 family bridge interface-mode trunk
set interfaces ae1 unit 0 family bridge vlan-id-list 107-109
set interfaces irb unit 107 family inet address 100.100.100.1/30
set interfaces irb unit 107 mac 00:00:00:01:01:01
set interfaces lo0 unit 0 family inet address 50.50.50.40/32
set routing-instances EVPN instance-type virtual-switch
set routing-instances EVPN protocols evpn default-gateway do-not-advertise
set routing-instances EVPN protocols evpn extended-vlan-list 107-109
set routing-instances EVPN bridge-domains NETWORK1 domain-type bridge
set routing-instances EVPN bridge-domains NETWORK1 vlan-id 107
set routing-instances EVPN bridge-domains NETWORK1 routing-interface irb.107
set routing-instances EVPN bridge-domains NETWORK2 domain-type bridge
set routing-instances EVPN bridge-domains NETWORK2 vlan-id 108
set routing-instances EVPN bridge-domains NETWORK3 domain-type bridge
set routing-instances EVPN bridge-domains NETWORK3 vlan-id 109
set routing-instances EVPN interface ae1.0
set routing-instances EVPN route-distinguisher 1000:1000
set routing-instances EVPN vrf-target target:1000:1000
set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 50.50.50.40
set protocols bgp group ibgp family inet-vpn unicast
set protocols bgp group ibgp family evpn signaling
set protocols bgp group ibgp neighbor 50.50.50.48
set protocols ldp interface ae0.106
set protocols mpls interface ae0.106
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ae0.106
set routing-options autonomous-system 6500
set routing-options forwarding-table chained-composite-next-hop ingress evpn

MX2

set interfaces ae0 flexible-vlan-tagging
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast
set interfaces ae0 unit 106 description "new iBGP connection to MX1"
set interfaces ae0 unit 106 vlan-id 106
set interfaces ae0 unit 106 family inet address 2.1.1.2/30
set interfaces ae1 description "Aggregate to Customers"
set interfaces ae1 enable
set interfaces ae1 flexible-vlan-tagging
set interfaces ae1 encapsulation flexible-ethernet-services
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 unit 0 family bridge interface-mode trunk
set interfaces ae1 unit 0 family bridge vlan-id-list 107-109
set interfaces irb unit 107 family inet address 100.100.100.1/30
set interfaces irb unit 107 mac 00:00:00:01:01:01
set interfaces lo0 unit 0 family inet address 50.50.50.48/32
set routing-instances EVPN instance-type virtual-switch
set routing-instances EVPN protocols evpn default-gateway do-not-advertise
set routing-instances EVPN protocols evpn extended-vlan-list 107-109
set routing-instances EVPN bridge-domains NETWORK1 domain-type bridge
set routing-instances EVPN bridge-domains NETWORK1 vlan-id 107
set routing-instances EVPN bridge-domains NETWORK1 routing-interface irb.107
set routing-instances EVPN bridge-domains NETWORK2 domain-type bridge
set routing-instances EVPN bridge-domains NETWORK2 vlan-id 108
set routing-instances EVPN bridge-domains NETWORK3 domain-type bridge
set routing-instances EVPN bridge-domains NETWORK3 vlan-id 109
set routing-instances EVPN interface ae1.0
set routing-instances EVPN route-distinguisher 1000:1000
set routing-instances EVPN vrf-target target:1000:1000
set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 50.50.50.48
set protocols bgp group ibgp family inet-vpn unicast
set protocols bgp group ibgp family evpn signaling
set protocols bgp group bitco-ibgp neighbor 50.50.50.40
set protocols ldp interface ae0.106
set protocols mpls interface ae0.106
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ae0.106
set routing-options autonomous-system 6500
set routing-options forwarding-table chained-composite-next-hop ingress evpn


libbgpdump

I am unable to find any tutorial about libbgpdump. I need a tutorial because after I ran the ./configure command with GNU, it did not recognize it.

1- I extracted the a1 folder within which bgp exists. Unable to compile ./configure. Any help would be appreciated.



What is the difference between instant on 1930 switches and entry-level Aruba switches like 2530 and cx6100.

We are planning to deploy some Access layer switches in our network, we want to integrate these switches with Clearpass, initially planning to buy cx6100 but instant on 1930 is cheaper than CX. How do these switches compare regarding Clearpass integration?



Automatically join reverse proxy.

I'm trying to get ssh on remote devices. Currently I run a reverse proxy server but I have to add every connection and map every port I want by hand. This is tedious and error prone, as you can imagine. What I like about it is that once the work is done, everything stays where it is as far as telemetry is concerned. Is there a more automated way to do this. I can imagine scripting it myself, but I assume there is a more robust off the shelf option.



PTMP in a small Congolese city

Hi guys

I have a small telecom company in Congo, we would like to deploy a Point to multi point service to offer affordable residential internet.

We will use Ubiquiti equipment (Rocket 5AC Lite and Omni 5G13 antenna) which will be connected to a V-SAT with a bandwidth of 20 Mbps/6 Mbps, for which we pay $600/month.

The plan is to provide unlimited 2/1 internet to our customers in the range of 50/70$ per month.

My question is, how many customers will be able to share that 20/6 bandwidth without it being saturated?

I know it depends on a lot of factors, but take into account that most users here only use the internet for basic stuff, like WhatsApp, Facebook, YouTube, etc.



Password complexity for TACACS+ (running on Linux server)

Hello,

We have a Huawei based network - around 35 L3 switches - and we use a Debian server with TACACS+ installed to manage access to these switches as well as privilege levels.

At this point we have 3 privilege level groups configured and 10 active usernames. What we need in our environment is to enforce password complexity, but I cannot find any information on how to configure it on our TACACS+ server - is it even possible? If not, is there an alternative to TACACS+ we could use? Preferably a free solution.

Any help is appreciated.

Thank you



How to configure IP block to use with a server over GRE Tunnel?

Hello,

I was given an IP block by a friend to test on, these are public IPs and they gave me GRE details that include:

  • my public IP
  • their public IP
  • their private IP
  • my private IP

I was wondering if there is any guide on how to configure these IPs for use over a GRE tunnel.

Any help is appreciated.



Wednesday, September 29, 2021

Classic Firewall - Configuring ACL Inbound

How would I apply an ACL 110 inbound on an appropriate interface to deny all IP traffic, an ACL 120 to permit TCP port 443 traffic and permit any ICMP traffic and configure an inspection that inspects appropriate packets?

Is this right? Here's my reasonable effort displayed, just confirming:

access-list 110 deny ip any any

access-list 120 permit tcp any eq 443 any

access-list 120 permit icmp any any echo

hostname(config)# class-map inspection_default

hostname(config-cmap)# match access-list inspect



Can Ping Some Printers on Printer Network and Can't Ping Others

Recently we've had a strange occurrence where two of our Xerox copiers (the only two we have) are unable to receive jobs and can't be printed from. These copiers were working fine two weeks ago and then just suddenly stopped working. No changes were made on the network at all.

I've tried to ping both of them with no luck. Assigning different IP addresses to the copiers still doesn't allow us to reach them.

Both of the copiers will receive pings for about 20 seconds every 30 minutes or so. Within those 20 seconds I'm able to reach the GUI of the copier as well as badge into the machine within 2 seconds. When the connection drops, it takes me about 60 seconds to badge in and the GUI is unreachable.

The other strange thing is that I can ping every other printer on that network from various other networks. It just seems these two Xerox copiers don't want to communicate anymore.

I can ping the printer network gateway and we do have the necessary trunk link established to allow the staff and staff wireless VLAN to communicate with the printer VLAN. I've confirmed that the switchports these devices are connected to are configured for that printer VLAN.

We have a Cisco 4500x that acts as our core switch that is connected to two Nexus 5ks. The Nexus 5ks have our virtual interfaces for our VLANs.

I can ping the printer from the Nexus5ks but not from the Cisco 4500-x.

I can ping the Nexus 5ks and the printer gateway from the Cisco 4500-x.

I haven't added any sort of ACL or anything that would have suddenly blocked the Xerox machines, so I'm at a loss as to what could be causing this sudden block. I've added an explicit rule to our Cisco ASAs that would allow ANY connection to the copier IPs just to see, and still no luck reaching them.

I've had Xerox out about 4 times and they haven't been able to figure out what's going on and keep saying it's "something on our network". They've assured me multiple times that their hardware is working.

I know this might be better suited for r/printers, but since they keep saying it's our network, I figured I could pick some brains here.

I appreciate any tips or suggestions!



Question about Contract-to-Hire

Hello! First time posting but lurked for a long while. So apologies if this is not a valid topic.

Quick background: I've been a mid-level Network Admin for a year at an enterprise and prior to that a team lead NOC tech at an MSP for 4 years. Aside from experience I have a CCNA and am studying for the CCNP, ready to sit within 60 days. No bachelor's.

I had a question about whether anyone has experience with contract-to-hire positions. I recently had an agency reach out to me in regards to one. The agency provides full benefits until converted to full time; I'm awaiting what the packages look like. I'm currently at 84.7 salary and this new position would be 48 hourly, then converted to salary (99.8) once brought in full time, which is the most enticing part of it considering I have a 1 month old and 2 year old I support (my wife is stay at home with them).

My only concern of course is that after 6 months I'm taking their word that they would convert me to full time, with a young family relying on me financially. The hiring manager used all the right verbiage and never mentioned any sort of review or evaluation once the contract expired when I asked them multiple times; I'm assuming they have some form of interview at the exit of the contract to bring me on.

It really seems to me all that is out there in my area are these contract-to-hire positions, I'm assuming due to COVID. It would just be my first time not being a formal full time employee and I wanted to get a feel for someone else's experience with a similar job opportunity in a network engineer role.



Aruba VPN heartbeat issue

I'm stuck.

Clients are doing cert auth and can download the VIA profile.

The network tab of the VIA client shows it receives an inner IP, but what is odd is the VPN Packets Sent/Received shows most often 0/and some quantity received.

So it appears the controller sends to the client but the client is not sending a reply.

Wireshark says the client is pinging the controller but no response seen.

We're using ECDSA, Suite B for auth.

Sometimes the client shows it sent data but nothing received.

If I remove the ECDSA (Which used to work) and go with User/pass auth and a more basic encryption, hash, and DH group 14 it stays online just fine.

So it's not the network, but it's perplexing why it can't send when using the more secure configuration.

Any suggestions?



Network documentation and diagramming tips?

I have never had to do this before outside of lab environments and I am relatively green at networking (I do have my CCNA). The whole IT team is new at my site and I seem to be the one with the most networking knowledge and am tasked with these things. I now have to document our physical environment in a server room that has had three previous engineers who did not document anything. Two firewalls (HA) and 8 switches with wires everywhere and nothing really labeled.

How the hell do I go about all of this? I have access to all the management consoles. What do I use to diagram? Are there any tips or tricks? What to consider? I guess just muscle through it and trace each wire?



Flat to Vlan question Pfsense and SG500x

Hey all,

I am trying to move away from a flat network to vlans but ran into some issues the first time I tried this.

Current network is one flat 192.168.x.x address space. There is a LAN interface connected to my L3 switch. I added new VLANs on the switch, created a new_LAN interface on pfSense and assigned a VLANed interface from the switch to the pfSense router. New VLANs are 10.10.x.x/24 with a /30 address for that VLAN interface to the new_LAN interface on the pfSense. Thanks to a fellow Redditor for pointing out my switch could not do a routed interface.

I am able to talk between the new VLANs but have no Internet access. Also, how do I get the old and new networks to talk? I assumed I needed to add some rules at the firewall level, which I did. But all of the traffic is going out the default route on the switch, which is the old 192.168.x.x network, which is a problem for the new VLANs.

I've looked this up a bit and there was a thread about creating policies on the switch that specify which route a VLAN should take. Is that my only option at this point?



Virtual Machine for VPN Connections to Client Sites?

Is it possible to have a VM configured with many VPN network connections? My company has many clients that we connect to in order to troubleshoot issues within their networks. I have to configure all of my techs' PCs to have access to all current clients and, whenever we get a new client, the new environments. Then if they leave the company, I have to remove that access.

I thought of just giving them access to a machine at the office that has all of these devices configured, but I ran into routing issues. I ended up forwarding the RDP port through our firewall, creating one user that everyone uses, and setting up all of the connections within that setup. It has worked OK for us since then, but we have had issues with it:

  1. The PC is susceptible to power and internet problems. A couple of times I have had to go in and power the PC on. It hasn't been often, but it is never a good time
  2. Only one person can access the machine at one time. We are often fighting over the connection and kicking each other off since there is no warning when someone else connects.
  3. I hate that I have this machine exposed to the internet

I thought that I could set up a Cloud Based server for this, and give everyone user-level access. But as soon as the VPN connection negotiates, the RDP connection drops.

Am I going about this wrong? Is there another service or device that will handle this issue?

Thanks!



Any good YouTube channels/videos/playlists on ACI networking?

We are in the process of fully converting to ACI from FabricPath and while most of the stuff I do on ACI is automated, I would like to find some good resources to learn more about it in an applicable way that’s not just reading from a book. I would like to be able to troubleshoot more on my own as well as just understanding what’s going on behind the scenes when I run an automated script.



What type of internet circuit(s) do you use for your UC environment?

I'm looking into moving away from on-prem UC to UCaaS. We currently run MPLS circuits at remote offices and though they are nice, they're expensive as all hell. I feel that modern enterprise-class internet circuits could probably run voice/video with no problem as long as it's QoS'd and bandwidth is plentiful.

Do any of you do this? Have you had any challenges with quality? Am I going down the wrong path?



wifi network monitoring tool for windows?

We have a high profile user at my job who is having difficulties working remotely; he often gets disconnected from the Microsoft RDS and our VPN. It is my suspicion that it is simply due to poor wifi strength, as I've seen the signal dipping a bit here and there. Working on Windows 10.

Is there a wifi network monitoring tool that could be used to actively monitor his wifi connection quality/strength etc. throughout the day? Then we could compare this to the VPN disconnect event logs. Native to Windows would be ideal but open to third party. Thanks!!



Dell PowerConnect 5500 Series switch question? VLAN Static Routes?

Have a question and want to see what some of my options are to make this all work. Currently the network is pretty flat; only 1 VLAN that is isolated for all iSCSI traffic.

What I'm wanting to accomplish is to separate the Samba file share and the NFS file share.

There are two NAS boxes and both have a Samba file share and an NFS file share open. Currently they share the same interface. What I want done now instead is to move the Samba file share to VLAN80 (10.0.80.0/24) and the NFS file share to VLAN90 (10.0.90.0/24). Each of these NAS boxes is running Linux (XigmaNAS) and both servers have multiple NICs. The one I am interested in configuring is an Intel X540-T2. Port 1 (10.0.80.2 NAS 1 & 10.0.80.3 NAS 2) will go to the Samba file share and Port 2 (10.0.90.2 NAS 1 & 10.0.90.3 NAS 2) will go to the NFS share. Regular traffic is 192.168.90.0.

I need 192.168.90.0 to communicate to both 10.0.80.0 & 10.0.90.0 however I want 10.0.80.0 & 10.0.90.0 isolated from each other.

Do I need to setup a static route in the 5548? Do I need to assign an IP4 address to the 4 ports?



Is there a difference between cat 6 and cat 6a keystone (punch down) patch panels.

Title says most of it. I am running ethernet for an office for the first time. I am primarily a cloud guy, so I don't rack and stack much. I want to terminate the solid core Cat 6A cable into a patch panel, and then patch those into my switches. In looking for keystone patch panels, I don't see Cat 6 or Cat 6A specified anywhere. Are they all compatible since I will be punching down the wire myself?



Strange service disruptions with FireEye and FortiGate

Hello to all engineers, I would like to submit to you a rather particular situation to which I cannot find a solution.

I have a rather small network where in site A there is a /24 LAN populated by physical PCs and VDI; the VDI reside in site B, which is equally large.
Site A is connected to Site B via a circuit managed by a 100 Mbps provider (which never saturates) that talks to an MPLS network to which a FireEye device is connected, and immediately after it there is another firewall.

Site A and Site B firewalls are FortiGate v6.2.7 and do not suffer from any particular problems.
Every Wednesday morning, between 9 and 12, there are strong increases in response times between offices A and B, so much so that Teams calls and VDI clients freeze and then disconnect.

The FireEye is not under my management and the technician is investigating any scheduled jobs and errors, but until now he says that everything is OK.
By chance, however, FireEye is connected only to the Master node of the firewall at location B, and when there are slowdowns, I switch to the Slave node and the problem is solved, with everything returning to normal.

If there is no saturation or RAM / CPU overload of the network devices, but switching to the node to which FireEye is not connected solves the problem, what can be the reason for the inefficiencies? What analyses can I carry out? How would you proceed?
The problem often happens on a Wednesday, but not always; it may not happen again for a week or two.

I can't reproduce it on command.

Thank you, colleagues!



Cisco ISR4331/K9 - How to connect at another speed.

I have a Cisco ISR4331 that I use as a jumpbox to troubleshoot other switches and routers. I can connect to other Cisco switches no problem, but when I am trying to connect to another vendor's switch/router, since the speed is different, all I get is gibberish. From my regular Linux box I type the following: telnet hostname (Cisco ISR4331) port (2002). That allows me to connect to the switch or router connected using cable port 2.

My question is how can I change the bit rate/speed so I can see the output of the other vendor's console port?

FYI, I tried to see if I could add the speed on the command but it does not work and I can't find documentation about it.

Thank you



Agentless, certificate-less, transparent SSL content filtering?!

Back in 2014 I used to manage a bespoke SSL Inspection content filter, which we provided as a service to thousands of schools in the UK. The only catch? A root CA had to be deployed by the schools' IT staff in advance. It was your bog-standard MITM as a service :)

For years, at subsequent jobs I've touted to many a director that filtering the content on an SSL protected website is not possible without a CA. Every time it would just revert to me saying the same thing: "I can stop them from going to pornhub, but not searching Google images for 'Boobs', not unless we roll out a certificate". With the surge in BYOD, getting people to install this certificate, or agent or whatever, is becoming harder and harder, and guest WiFi is a whole different beast. The compromise has always been DNS filtering, or forcing safesearch etc.

However, all this to say, I was having this exact same conversation with a colleague today, and he disagreed with me, even claiming to have seen a product offering agentless, certificate-less SSL content inspection.

He didn't recall what the product was, or where he'd seen it, and I can't find anything online (outside of some fringe DPI based stuff).

This violates my very understanding of how SSL works, and if true, surely the entire planet is screwed as suddenly you can just use this tech to catch people's bank pins in transmission?!

I'm not crazy right? Or is there some magical tech that appeared without me noticing?
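As an added illustration of what the "fringe DPI based stuff" can and cannot see without a CA (this is example code written for this thread, not the poster's or any product's), the parser below reads the plaintext server_name (SNI) out of a TLS ClientHello and applies a hostname policy to it. The hostname is all such a filter gets; the URL path, query and page body stay encrypted, and the ClientHello bytes here are constructed for the test rather than captured from a real client.

```python
import struct


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def _parse_client_hello_sni(record: bytes):
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if record[0] != 0x16:
        return None
    hs = record[5:5 + _u16(record, 3)]
    # Handshake header: msg_type(1) length(3); 0x01 = ClientHello
    if hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None  # truncated record: reassemble before deciding
    off = 2 + 32                      # client_version + random
    off += 1 + body[off]              # session_id
    off += 2 + _u16(body, off)        # cipher_suites
    off += 1 + body[off]              # compression_methods
    if off + 2 > len(body):
        return None                   # no extensions block at all
    end = off + 2 + _u16(body, off)
    off += 2
    while off + 4 <= end:
        ext_type, ext_len = _u16(body, off), _u16(body, off + 2)
        off += 4
        ext = body[off:off + ext_len]
        off += ext_len
        if ext_type != 0x0000:        # only server_name (type 0) matters here
            continue
        # server_name: list_len(2) then entries of name_type(1) len(2) name
        p = 2
        while p + 3 <= len(ext):
            name_type, name_len = ext[p], _u16(ext, p + 1)
            name = ext[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == 0:        # host_name
                return name.decode("ascii").lower()
    return None


def extract_sni(record: bytes):
    """Return the SNI hostname of a ClientHello, or None if absent/unparseable."""
    try:
        return _parse_client_hello_sni(record)
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


# Constructed block list for the example; a real deployment loads its own policy.
BLOCKED_HOSTS = {"blocked.example"}


def sni_policy(record: bytes, blocked=BLOCKED_HOSTS) -> str:
    """allow/block on the SNI hostname; 'unknown' when no hostname is visible."""
    host = extract_sni(record)
    if host is None:
        return "unknown"   # no SNI, ECH, or not a ClientHello: cannot classify
    labels = host.split(".")
    for i in range(len(labels)):   # match the host and every parent domain
        if ".".join(labels[i:]) in blocked:
            return "block"
    return "allow"


def build_client_hello(hostname=None) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello for testing the parser."""
    # An unrelated extension first, to show the parser skips what it does not need.
    exts = struct.pack("!HH", 0x000D, 4) + b"\x00\x02\x04\x03"  # signature_algorithms
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                 # version, random (zeros: constructed)
            + b"\x00"                               # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
            + b"\x01\x00"                           # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for h in ("www.example.com", "cdn.blocked.example", None):
        rec = build_client_hello(h)
        print(h, "->", extract_sni(rec), sni_policy(rec))
```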



Intel AX200 not working with 802.11ax and unstable with 802.11ac

I have created too many technical requests to different equipment vendors about the unstable operation of the AX200 with 802.11ax WLAN, but all tech support can't or doesn't want to resolve my issues...

At first - the AX200 connects to an 802.11ac network at low speed. For example, another device with a different ac adapter connects at a stable maximum speed, but the AX200 connects at half speed and the connection speed keeps changing by itself.

To connect the AX200 to an 802.11ax network you have to go on a quest. Connection to the network always fails with the message "can't connect to this network". When tracing WLAN, the reason for the failure is: "The driver is disabled when the network parameters are negotiated".

  1. Why do all vendors still sell network devices if they are not working?

  2. Why does tech support still not resolve these issues if there are so many posts about this on the internet?

  3. When will the AX200 work normally with AC & AX networks?



Tool to Scan Network for Vulnerable CPE?

Does anyone know of an open source project or tool to scan networks for known CPE vulnerabilities? For example, I would like to find any vulnerable home wifi routers in the network that might be used to source or amplify DDoS attacks. I did some searching and couldn't find anything that really fit the bill or that wasn't targeted as a commercial product at enterprise networks.



CRC errors when swapping Gigabit switch with new Ten Gigabit switch

Hey guys,

I'm scratching my head on this one and decided to post to hopefully get some feedback.

We're swapping the switches in our VMware environment used for iSCSI for 10 Gigabit switches. We currently have 2x Cisco 2960X switches and they've been rocking this environment for years with no issues. The Ciscos are basically dummy switches and not connected together.

We have 2x DELL R730 ESXi servers using Broadcom BCM5720 Gigabit NIC to connect to the iSCSI switches.

The SAN, a DELL ME4024, has multiple 10Gb NIC connected to the iSCSI switches.

Everything is configured with jumbo frames (MTU >= 9000).

We're slowly upgrading our environment to 10Gb, so we decided to change the 2960X's for DELL S4128T-ON 10Gb switches (previously FORCE10 switches).

As soon as I swap the Ciscos for the DELLs, I start seeing CRC errors on the new DELL switch interfaces connected to the ESXi hosts. The SAN interfaces have no CRC at all; only the ESXi hosts. We never had any CRC with the Ciscos. VMware is heavily impacted when using the DELL switches, reporting high latency, and you can feel the latency. I rolled back to the Ciscos for now.

Here is some information I gathered:

  • The CRC errors happen on both new switches for all iSCSI NICs on the hosts. The CRC count increases based on the datastore utilization, but I've seen them as high as 1500 CRC on an interface within an hour of normal VMware operations.
  • The switches interfaces for the hosts and the hosts themselves in vCenter report the same speed and duplex (1000, Full). It does not seem to be a speed / duplex mismatch then.
  • I tried to limit to speed 1000 on the ESXi hosts and on the switches interfaces for the hosts; no change.
  • On those S4128T-ON, I can't seem to be able to remove auto-negotiation to force a Duplex Full, so I couldn't try this.
  • Cables are CAT6 and known to be working fine.
  • I ensured that jumbo frames are working fine in VMware by using vmkping with a high MTU. When the hosts are trying to write to the SAN (vMotion for instance), I will lose some pings (< 10%).
  • Firmwares for the hosts (including BCM5720) are up-to-date as of April 2021
  • Firmwares for the DELL switches are the latest available.
  • Running ESXi 7.0U2 from end of August 2021; so drivers for the Broadcom are quite recent.

The Ciscos are Gigabit switches while the DELLs are 10Gb switches. Could there be an incompatibility between the BCM5720 Gigabit NICs and the DELL switches? I haven't found anything relevant yet about this. There are new firmwares available that I can try to upgrade for the hosts, and maybe newer drivers from VMware or Broadcom. But most of the firmwares/drivers are pretty recent.

As I said, I don't know if it is a networking issue or a VMware issue. I'm first troubleshooting the network, since the equipment that I changed is a network switch. I'm ruling out a defective switch for now, since both do the exact same thing for the host interfaces.

If you guys have any input or advice, that would be appreciated.

Thanks !

Neo.



Advice for upcoming comms room re-patching project

Hi guys,
First of all I just want to thank you all in advance for bearing with me on this. As a bit of backstory, I've recently started a new role as an IT admin for an SME in the UK. My background is primarily MSP-based, mainly Service Desk (1st/2nd/3rd line) with a little Projects, Field and Onboarding thrown into the mix too.

Anyway, I've inherited a project at the new place to install 3 new 48-port switches to combine to a total of 8 switches across our 3 48U cabinets. While I have installed switches in cabinets plenty of times, these were either totally new builds or emergency repairs where cable management etc was not of major concern. This time however, we're looking to completely re-cable all 3 cabinets for ease of management and to improve the overall aesthetic.

The caveat is that we currently have a total of 27 24-port patch panels in the cabinets, with an expectation for this to grow by a few more in the next year or so. Of course, this means we have a pretty large overlap of patch panels to switches. Luckily, not all of the ports on the patch panels are used; however there will be an expectation to be able to quickly/easily move cables between the panels/switches in the future, as and when they're needed.

I'm currently planning the layout of our 3 cabinets and am trying to work out how best to set it all out. There's no set deadline so I can spend as long as I need (within reason) researching, planning and testing solutions before the final implementation. I was wondering if there are any resources you guys could point me to please so that I can learn how best to plan my racks? This is a project far larger than I'm used to, but I still want to get it right. I'm struggling to work out where I should be placing each patch panel and their corresponding switches.

Some additional info that may also help:

  • 3x 48U cabinets, side-by-side
  • Around 16-20U of each cabinet is taken up by miscellaneous equipment (UPS and routers etc)
  • No servers or rack-mounted computers, apart from one SFF PC that we may end up rack mounting (used for general IT admin and hosting a very lightweight server)

Thanks for reading, and I hope I've provided enough information. I'm not asking for the project to be planned out for me, but if you have any suggestions of how I should lay this out, can tell me any keywords I should know to help my research, or can point me in the direction of any good resources out there, that would be of great help to me.



Cisco branded Finisar transceivers?

I've found some weird transceivers which are CISCO Branded but when checking the firmware they are Finisar.

When checking the transceiver via a Nexus switch they report part number:

FTL410QE2C-C1

Which is a Finisar model, but they are branded as CISCO QSFP-40G-SR4 (where we usually expect AFBR-79EIPZ-CS2 or similar).

When checking the CISCO label, the only difference is that the serial numbers use different prefixes and the construction is slightly different.

Has anybody seen something like this or knows what they are?

To me they seem like Finisar transceivers sold by CISCO, but I don't really know.

They also don't report TX and RX power, they just report N/A.

Could they be different manufacturer transceivers or just counterfeit ones? (Even for a counterfeit, maybe it would make much sense to use high quality aftermarket transceivers like Finisar.)

Thanks!



WIFI Analyzers Recommendations

Hello Everyone,

I just wanted to thank everybody in advance for taking time to read / comment on my post. Any help is greatly appreciated.

I'm not an IT specialist. My job is mostly programming logic controllers on the industrial side of things. Therefore I have to get involved in the Operational Technology networking side of things.

We recently had a customer complaining that the WIFI for manufacturing floor is extremely slow. After going to site we found out a contractor went to the plant and setup their equipment to communicate out of the OT network and back to corporate. We're still waiting on details about what information is being sent out from the contractor. Since they completed the work, the operational WIFI network has been very slow (Trouble connecting to controllers, uploading/ downloading logic).

The customer is asking us to come up with a solution to fix the slow WIFI, since now it's causing issues for the techs to connect to the controllers across the plant. But they're asking us to investigate, analyze and show them a report.

Does anyone have any recommendations or experience with WIFI Network analyzers? Any recommendations on how we should approach this?



Multicast VRF with one single different channel stream

Hi,

We have a multicast VRF with a single RP (provided by the IPTV provider) where we want to import a single IPTV channel from a different source (other provider).
The issue is how can we tell the VRF that a single multicast address is on a different source (other VLAN interface) than the RP, so our set-top boxes get the single IPTV channel source from the multicast cloud/VRF?

Kind regards,

Michiel



LAG vs. one single port

This might be a foolish question, but what are the main reasons for doing a LAG (e.g. 10x10G ports), instead of just having a port with the same throughput (e.g. 1x100G)? Is it redundancy, is it cost, or something entirely different?



How to send and receive multicast on two laptops?

Hi guys,

In my lab I have a setup with two switches (of different brands), in which I have to prove whether the multicast configuration on both is correct and multicast traffic is traversing the MPLS network, or rather the VPLS, properly.

I have two laptops (MacBooks) connected, one on each switch at the end of the VPLS. So, what is the easiest way/tool to send out multicast traffic between these two laptops?

Does anyone have a quick-to-set-up idea?



Tuesday, September 28, 2021

Cheapest gigabit router?

I was told that I shouldn't have my computer connected directly to my modem for a myriad of security reasons. I am fine getting a router for it, but I want one that is super simple and cheap. I don't need wifi or anything. Any suggestions?



Multicast/PIM between 6500 and Nexus9k via vPC

Hello

Decided to add a pair of Nexus 9k into our multicast network, but scratching my head about the proper way of doing that while using a vPC link for upstream redundancy, considering that we are using ASM and, according to the Cisco manual:

"A PIM adjacency between a Switched Virtual Interface (SVI) on a vPC VLAN (a VLAN that is carried on a vPC Peer-Link) and a downstream device is not supported; this configuration can result in dropped multicast packets. If a PIM neighbor relationship is required with a downstream device, a physical Layer 3 interface must be used on the Nexus switches instead of a vPC SVI."

Here is the schematic drawing:

[vpc-pim-nexus-6500-1.png](https://postimg.cc/Z9rFqWqc)

As soon as I enable link B, the server loses some multicast flows (they are still being pushed by static join from the 6500); if I disable link A and only leave link B up, there are no multicast flows at all even though "show ip mroute" shows them properly. I haven't tried to configure an interface for VLAN B on the secondary Nexus yet, but maybe I'm going to give it a shot and additionally enable HSRP on it (don't think it will help though).

From what I read, it should work fine if I convert the interconnects between my 6500 and the Nexuses into individual L3 links. But I really don't want to do it as there are some other VLANs going through the vPC at the moment.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Server keeps crashing while running nProbe and PF_RING ZC. Possible reasons?

Hi everyone, thank you for welcoming me to the networking subreddit. I'm a thesis student trying to analyse my university's campus traffic and my first step is getting my hands on the NetFlow records. This is my first foray into networking so I appreciate your patience with any dumb assumptions I make and for missing things that appear obvious to you professionals.

I've got an Ubuntu Server 18.04 box with an Intel X710 card and 2x 10G interfaces that I'm feeding the campus traffic to. The server is running ntopng, nProbe and PF_RING ZC as systemd processes. Campus traffic is consistently around 6 Gb/s. Whenever traffic is turned on, the server crashes. Without the traffic I can't get my hands on the NetFlow records.

Would love to know possible reasons for the server crashing and possible workarounds?

I really appreciate your experience and advice. Thank you.



When do we get to stop defending the network?

Does there ever come a time that we get to stop defending the network and people stop immediately jumping to “it must be a network issue” without doing any basic troubleshooting? I’m getting burned out answering tickets escalated to me that should never have crossed my desk. And also when I have an issue with something and loop in an external vendor. It’s always “our stuff is configured properly. It must be your network”.



Linux - TCP traffic to IP without ARP entry vanishes

I've spent some time today trying to debug IP traffic that wasn't going anywhere. Our application was sending it out, but tcpdump wasn't showing the traffic leaving the interface (Not a routing issue).

Turns out, ARP was "broken", and there was no entry for the IP we were sending to. I've manually added an entry and asked someone to investigate our ARP issue, however....

Is there anywhere in Linux to help me debug this? What happens with traffic that gets dispatched from an application but doesn't reach the network? Any logs or "tcpdump"-like commands to capture traffic like this in the future?



Staging Area Setup (UAT)

Hi Guys, I have a requirement of setting up a staging area for a test environment.

Basic requirement is

  • No communication between Production and the staging area.
  • Staging area to reside on the same L3 switch.
  • Actual requirement of a /24 subnet, no more than that. Utilization will not exceed 20 IPs.

Current Setup:

  • 2 TOR Catalyst 9500 switch (acting as Core Switch) [Interconnected over 2 40G ports in LACP]
  • 1 Mgmt Catalyst 9200 switch.

Query:

  • How can I design a staging area where these requirements get fulfilled?

My Planning/Thoughts:

  • I am thinking of configuring a separate VRF for the staging area and keeping the production network in the global VRF, and having separation this way.

Any suggestions are welcome, thank you in advance.

Apologies, if this query seems a bit noob. I have taken a role of Lead recently and this part comes along with it.



Question regarding Sandvine (Activelogic) bandwidth shaping

I created a netobject (10.130.0.0/16) and a shapingobject (50 Mbps, split by none), then I created the shaping rule and linked the shapingobject to the netobject. There are 3 IP addresses in that subnet that I want to set their speed limit to 5 Mbps, but I'm not sure exactly how to do it. Would really appreciate it if someone could help.



The inevitable "Why are my transfers so slow" and how to fix it

Greetings everyone,

Our company connects sites using MPLS and S2S IP Tunnels.

There is a requirement for file synchronization between three primary sites (US site hands off to China site to keep 24/7 development in play). As always, due to the latency involved the file transfers are less than optimal, especially considering the size of the syncs.

The files that need to be transferred are several hundred and about 100GB a night. Primarily US to Taiwan, then Taiwan to US.

  • Site: 1 - USA
  • Site: 2 - Taiwan
  • Site: 3 - China - Mostly sources files from Taiwan.

My IT team is struggling with how to improve this: sftp, scp and MT robocopy, while showing some marked improvement, are still unacceptable.

We are planning to install direct 1GB MPLS links between the sites (I know, latency) - so what are some more tricks I can try? Should I just purchase hardware network acceleration devices? The other thought was using a service like raysync.io.

Any thoughts or insight greatly appreciated!



Security Cert (SSL/TLS) Lifecycle Management

My team will be responsible for managing the expiry of certs on some of our network gear going forward. If they lapse, the entire network goes down due to the deployment design. What best practices and protocols do you use to make sure these expirations don’t get missed? We can set email reminders to an AD Group/distro but these things are liable to change or disappear over the years.



Switch and server connection questions

I have a server with an add-in PCI card labelled as a 10G 2-port Ethernet/Copper NIC, and it has a built-in 10/25Gb 2-port Fiber Optic NIC.

I have SFP to RJ45 1000Base modules; this means 1Gb instead of 10Gb, right?

Also the switch has all fiber 10Gb ports configured.

My questions are: Can you or can you not mix 1Gb and 10Gb speeds on different ports on the same switch? (Does it depend on the switch or is it bad practice?)

Cat6 cables only support 1Gb right? (Package doesn’t specify details). I think it only supports 1 Gbps because I think cat 6a is 10Gb.

1000Base SFP is 1Gb right?

10GBase SFP is 10G right?

So I would need to buy either PCI Fiber NIC cards probably.

Also all the labels and packaging for these only show “G” and “Gb” so I’m assuming Gigabits… and Gigabits per second.



Need some career advice...

Guys, can someone please provide me some career insight on this offer I am about to get? I know I must ultimately make the decision myself, but any insight would be helpful...

Currently, I am a lead engineer making pretty good money for my age. I am very happy with the company and basically run the entire network...

My downsides: they will not give me a raise and they do not have the $$$$ to expose me to emerging techs (I really want to get involved with ACI, SD-WAN, etc.). Additionally, there is nowhere for me to go upward. I asked them to create a new role and let me try to fill it... they said no.

I just got an offer for a Fortune 50 company... Double the pay I have now, deep into 6 figure territory. BUT... Contract to hire. I do genuinely believe I would be converted. Additional downsides: 1.5 hour commute... Working in the office is mandatory. Right now I WFH 100%.... Also, they marketed the position to me as a Sr. ACI engineer, but it seems that really what happens is: the design team sends me a design, I design the "implementation work", and then a layer 1 team deploys the tech... So it is almost like a Network PM role. However, there would be room for expansion.

Idk, I was really excited to work with ACI finally but it looks like I won't be touching the APIC that much at all.... There are a lot of cons, but the $$$$ is the biggest pro. Should I take it? Or wait until CCNP and try to get something better?

Also, I know there is always the saying money doesn't buy happiness and not to chase the money, but this salary range would literally be life-changing for me.



Lead times

What sort of lead times are people seeing for the major vendors? I am planning for a major refresh (switching/routing/wireless/firewalls) in 2022 and just wondering how much consideration I should give to delivery times. Thanks!



Versa SD-WAN to AWS

We have a co-managed Versa SD-WAN appliance and we have two BGP tunnels set up to AWS. The tunnels are up and connectivity is across the tunnels. Can ping and transfer data/RDP sessions. From time to time the tunnel will drop a few packets before starting to communicate again. I have worked several times with the ISP and been escalated/what have you, and the issue is still occurring. I have matched the exact settings from the AWS documentation. The Versa appliance we have seen issues with on a Meraki site-to-site VPN, which may have been isolated to Merakis not playing well in a multi-vendor environment. We keep seeing "no proposal chosen", on both sides, although the settings match as best as I and the ISP tech can tell. The IPSec lifetime in the Versa appliance is set to 1 hour, and the IKEv1 or 2 lifetime is set to 8 hours. The AWS technician stated that there is a misconfiguration on the Versa appliance; I'm not an expert on the Versa side. I have the ISP technician reviewing on their side, possibly opening a ticket with Versa.

I know it sounds simple, but the error we are seeing is "no proposal chosen", and when 3 or more packets are dropped it causes issues with the application. Any suggestions, or has anyone run into a similar issue? Any help is greatly appreciated.



Multigigabit switch

Need a switch with at least 2 2.5GbE, 5GbE or 10GbE ports besides the uplink. Preferably the uplink being 10GbE and the other ports can just be GbE. Doesn't need more than 8 ports and preferably quiet/fanless. Also managed is a must. Ports have to be RJ45. Have found switches like this for under 300 euro but they were unmanaged.



Switch Recommendation 10GBe

I need a recommendation on some affordable, decent 10GB Ethernet switches (stackable); they will mostly be used for iSCSI, so I think packet buffers are important here. It's key that within the range they have 10GB Ethernet and SFP+ models that can be stacked together.

In an ideal world I would have the following all stacked together and all switches would have dual redundant PSUs:

2 x 24 Port 10 GB Ethernet Switch
1 x 24 Port 1 GB Ethernet Switch
1 x 24 Port SFP+ 10 or more GB Switch

I think I am struggling to find what I am looking for as 10GBe looks like it is a thing of the past with everything going over to SFP, however I have a SAN which we invested a lot of money into which has 8 x 10GBe Ethernet Connections.

Look forward to your recommendations



How to fault find a bandwidth issue?

Hi all, I’m a Jack of all trades master of none edu ICT systems guy, I have HP/Aruba gear generally speaking.

What I have a problem with is that I have 10gb fibre from the core to edge switches that are then gig to the client. In a bunch of the edge switches the clients get as close to 1gb up and down as I could want; however, in a bunch of locations I get between 300-500mb.

For the general clients that's really not a big deal, but my APs plug in to those switches and then the problem obviously becomes bigger, as instead of 1 client for each ~300mb I could have one AP with 30 users on it and then they only get that same bandwidth between them.

They are all the same config, the switches. They all go 10gb fibre to the core. There is no obvious damage to cables, I’ve tried going from a fly lead to a laptop straight into the switches to cut out patch or room cabling issues, but with no joy.

I'm not a mega network geek; I can and do get by in the CLI doing some VLAN stuff and some diagnostics on issues now and then, but I don't know how to troubleshoot this issue. Is there some way I can do something on the switch to see where the slowness comes in?

Any thoughts would be most appreciated.

Also, I'm OK on the edge switches' CLI (ProCurve/Aruba) but the core is Comware and the CLI on there scares me! Dunno if that will matter to any options I might have.

Do fibre cables degrade? I just can’t understand it.

Thanks



Where to find old network topologies

My friend is working on a project on SD-WANs and wants to use an old network topology to compare against the improved version. The problem is we don't know how to find any used network topologies, so I thought to ask online for help.

The examples could be for a school, business, or something else which could benefit from SDWAN.



L2 vs L3/L4 problems prevalence in enterprise networks

Hi there,

I've been working in a NOC for a little over two months and so far the vast majority of problems are related to either routing (L3) or firewalls (L4). L2, on the other hand, seems to just work; I have, for example, not seen a single STP related incident.

I am thus wondering if this is the case for my organisation only or for most setups and what is the relative benefit of further learning about each category of technologies.



Identifying wifi clients in a guest network

Hi, a customer of my company has a bit of a unique request. We manage their wifi network and they have 3 SSIDs. One is for very secure clients and has a lot of logging and restrictions. But there is also an open guest wifi, which is basically open and you can access it with a voucher. And everybody can create vouchers for any guest. Now, there are a few very smart people who use the secure clients in the guest wifi and the customer doesn't like that. The clients have the randomized wifi MAC enabled. But we have to find a way to block those in the guest network. Is there a way to identify these clients reliably?



Multiple IP networks on a single L2?

I have always followed the unofficial best practice of putting only one L3 net (IP network) on a L2 network. If I added a network, I added a VLAN.

However, technically there is no requirement for this: one can not only assign multiple IP addresses to an interface, but the IPs can have different prefixes (and hence constitute different IP networks).

I am considering the following scenario: I have two subnets routed over two different providers. I have some machines which should be accessible on both addresses. So I am considering creating a single VLAN called "WAN" that includes both networks. A node on this VLAN can then add either an IP from ISP1, an IP from ISP2, or both, depending on requirements.

Is there anything wrong with this? Should I ALWAYS create a separate L2 network for each IP network?



Does Loop Protect Protocol work with Port-Security?

Hello everyone,

I'm working for a company which wants to change its network equipment.

We are replacing old Aruba switches with Aruba 6100s. We are also changing the network links: we remove the network interconnection and we connect the switches to two network cores with fibres.

We don't need STP anymore, so I'm configuring Loop-Protect on every switch to prevent network loops. I also want to increase the network security by implementing MAC port-security.

The problem is when I configure Port-Security on every port, Loop-Protect doesn't detect any loop anymore. When I disable Port-Security, it works again.

My conclusion is that Loop-Protection doesn't work with Port-Security; is that normal?

Do you have any ideas ?

Thanks!



Monday, September 27, 2021

ACI Uplink hard set 40 gbit

Working with a VAR on my first ACI implementation. Gear was purchased before I came on board. We've got 40/100 bidis for spine leaf, but only 40 gig for the gigamon optics to tap the spine leaf connections. The bidis are doing their job and negotiating to 100 quite well. Tried some interface policies to get them to slow down, but so far no luck.

Anyone done this successfully before?



Web Server reachable from internet but not on site where it's hosted

So we have a web server with a private IP on the LAN side and a public IP is NAT-ed to it through the firewall.

When we hit the URL from anywhere outside we are able to access it, but when we are on the same network as the web server, the URL doesn't load. I can ping the server on the network but can't reach it through the URL.

How should I set this up so that the on-site network can reach it via the URL as well?

Should I add the private IP in the DNS record?

Any help is appreciated. Thanks



Cellular Service Show-And-Tell?

For everyone that has cellular based equipment, what are you doing for service? Who is the carrier/provider and what do they call the service? How does it work? Any caveats, design gotchas, other notable attributes of benefit or concern?

I ask because, as a more traditional network engineer, I understand the idea of putting a SIM chip in a Cradlepoint and it getting an Internet connection (possibly an RFC 1918 address)... but where I get stuck is the different service options for what I would call small to medium scale deployments (not talking about doing a 10,000 soda machine rollout).

I have previously done standalone carrier-issued SIMs with buckets of data and getting private IP addresses with a CGNAT to the Internet. On a larger scale, about 75 sites, I have used an aggregator with a private APN (possibly wrong terminology) which worked well. Charged per active SIM with a pool of shared data, provisioning was done via their portal which was nice; just keep a brick of SIMs on hand and provision as needed. The portal also gave data usage reports (with a few hours' collection delay) so I could tell how much I was using across all sites. One design challenge was that all connections were presented in a single customer private VRF with private addresses and backhauled Internet to their data center in a single place, which made for some suboptimal Internet traffic flows. Hardware was a USB cellular modem attached to a Fortigate firewall, which strangely, despite every modem being the same model, had very unpredictable support and stability: one modem not working (but working fine in my laptop) while the next modem worked just fine.

I would love to hear more about what other people are doing and their experiences with the service.



Don't ever run WCCP on your core...

Figured out that when the proxies have an issue and all drop out of session, it bumps every other interface with WCCP configured on them, making dynamic routing go apeshit throughout the enterprise. Solved by offloading WCCP to an L2 attached switch and turning the WCCP statements on the core interfaces into PBR statements. What a freaking day that was...

Just FYI, it worked fine for 10 years and was originally designed by a consultant for handling wireless BYOD traffic.



ICMP and Firewalls

There seems to be a lot of confusion on this sub about the need to explicitly allow ICMP into networks. In most cases, a properly configured firewall will allow necessary ICMP back in without an explicit Any ICMP Type X rule. This gives you the benefit of still passing ICMP error messages, without the risk of opening up your network to ICMP attacks.

Once the firewall receives an ICMP error message, it extracts from its payload the attributes of the original packet that caused this error message to be sent. Then, the firewall searches in its session table for a session entry with similar attributes. If a match is found, the error message is embedded to its corresponding session entry and is allowed to pass through the firewall in order to notify the sender that the sent request is not accomplished.

https://ieeexplore.ieee.org/document/8710298

I'm sure I'll get downvoted, but I am only concerned with those who interpret what some are saying in this sub as if they need to define an Any rule that unnecessarily opens themselves to attacks.
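The session-table lookup the post describes, as an added example that is not from the post or the cited paper: a constructed session table and constructed packets, showing an ICMP error being matched back to the flow that caused it while unsolicited or unrelated ICMP is dropped. Hosts, ports and the session-table shape are assumptions for illustration.

```python
"""Stateful ICMP-error handling, illustrative only (not a real firewall)."""
import socket
import struct
from typing import Optional, Set, Tuple

# A session is the 5-tuple of the original outbound packet (proto, src, sport, dst, dport).
Session = Tuple[int, str, int, str, int]

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
# ICMP types that carry an error about an earlier packet (RFC 792):
# dest unreachable, source quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; constructed test data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def udp_header(sport: int, dport: int, payload_len: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def icmp_error(src: str, dst: str, icmp_type: int, code: int, original: bytes) -> bytes:
    """ICMP error quoting the offending datagram's IP header + first 8 bytes (RFC 792)."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + original[:28]
    return ipv4_header(src, dst, PROTO_ICMP, len(icmp)) + icmp


def parse_ipv4(pkt: bytes) -> Optional[Tuple[str, str, int, int]]:
    """Return (src, dst, proto, header_len), or None if the header is truncated."""
    if len(pkt) < 20:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], ihl


def embedded_session(icmp_payload: bytes) -> Optional[Session]:
    """Extract the 5-tuple of the original packet quoted inside an ICMP error."""
    hdr = parse_ipv4(icmp_payload)
    if hdr is None:
        return None
    src, dst, proto, ihl = hdr
    # Only the first 8 bytes of the transport header are guaranteed; ports fit in 4.
    if proto not in (PROTO_TCP, PROTO_UDP) or len(icmp_payload) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", icmp_payload[ihl:ihl + 4])
    return proto, src, sport, dst, dport


def firewall_decision(pkt: bytes, sessions: Set[Session]) -> str:
    """Decide on an inbound ICMP packet from the outside using only the session table."""
    hdr = parse_ipv4(pkt)
    if hdr is None:
        return "drop: malformed ip"
    _src, dst, proto, ihl = hdr
    if proto != PROTO_ICMP:
        return "drop: not icmp (other protocols are handled elsewhere)"
    if len(pkt) < ihl + 8:
        return "drop: truncated icmp"
    icmp_type, code = pkt[ihl], pkt[ihl + 1]
    if icmp_type not in ICMP_ERROR_TYPES:
        return "drop: unsolicited icmp type %d" % icmp_type
    sess = embedded_session(pkt[ihl + 8:])
    if sess is None:
        return "drop: no parsable original packet in icmp payload"
    if sess not in sessions:
        return "drop: no matching session"
    # The outer source may be any on-path router, so it is not compared with the session;
    # the error must, however, be addressed to the host that sent the original packet.
    if dst != sess[1]:
        return "drop: error not addressed to original sender"
    return "allow: icmp type %d code %d related to %s" % (icmp_type, code, sess)


def run_demo() -> dict:
    """Constructed scenario: inside host 192.0.2.10 queried DNS at 198.51.100.20."""
    inside, outside = "192.0.2.10", "198.51.100.20"
    sessions: Set[Session] = {(PROTO_UDP, inside, 40000, outside, 53)}
    payload = b"constructed"
    original = (ipv4_header(inside, outside, PROTO_UDP, 8 + len(payload))
                + udp_header(40000, 53, len(payload)) + payload)
    unrelated = (ipv4_header(inside, outside, PROTO_UDP, 8 + len(payload))
                 + udp_header(40001, 53, len(payload)) + payload)
    echo_req = ipv4_header(outside, inside, PROTO_ICMP, 8) + struct.pack("!BBHI", 8, 0, 0, 0)
    return {
        "related_error": firewall_decision(icmp_error(outside, inside, 3, 3, original), sessions),
        "unrelated_error": firewall_decision(icmp_error(outside, inside, 3, 3, unrelated), sessions),
        "truncated_error": firewall_decision(icmp_error(outside, inside, 3, 3, original[:10]), sessions),
        "echo_request": firewall_decision(echo_req, sessions),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print("%-16s %s" % (name, verdict))
```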



MacFlaps from roaming clients on WLAN

I recently inherited a school district network from a guy who hated documentation. I finished a networking program in spring 2020 and that's the extent of my networking experience. My switch logs (primarily 9300s with a few 3850s) are filled with MAC flaps from AP ports. I'm about 60% sure it's a result of clients switching between APs on a whim. I understand this is causing MAC address tables to update more frequently than is desirable, but is it actually doing any harm? If it is, is there a setting somewhere in a WLAN controller to adjust AP greediness, or perhaps a different solution I can't seem to find with an internet search? Any help would be tremendously appreciated!



Redundancy over Layer 2

First of all Hello to you.

I have a problem.

From HQ to A-Site I have 2 connections over Layer 2.

Layer 2 connection 1 is 200Mbps, the second one is 100Mbps.

On A-site I have 2 switches (2960X) connected to each other, and from them 1 connection through Layer 2 to the HQ switch (9300).

Layer 2 con1 is on SwitchA, and Layer 2 con2 is on SwitchB. Switch A and B are connected through fiber between them.

When I plug in both connections the site switches (1&2) go down, and also the connections between HQ and A-Site as well.

How can I fix this without much trouble?

Thank you very much, have a nice evening.



looking for cheap 10GB managed switch

Hi all, we're looking at benchmarking our netapp and ESX servers over 10GB. We're looking for something cheap - 4 or 8 port. I found a Netgear XS708M and a QNAP QSW-M1204-4C but it looks like they don't have an option for jumbo frames. I can't seem to find a cheaper managed switch with that option. Any ideas? Thanks!



ProCurve 1810 Series Question

Hello all.

(Manually crosspost from /r/Homelab)

I am in the market for an 8 port ProCurve switch, and do not need L3 routing capabilities.

Per advice on this sub and /r/Homelab I am focusing on the 1810 series and less on the 19xx (3COM) series, the 25xx (more than I need, unless a good deal comes up), and the 182x (HPE/OfficeConnect).

That has me searching for the J9449A (1810-8G v1) and J9802A (1810-8G v2) models. The v2 consumes less power but otherwise seems similar on paper.

I just noticed that the v2 model lacks any ProCurve lettering/logo in pictures, and has been updated less recently (2018) than the v1 model (2020).

Datasheets also only refer to v2 as an HPE unit - never ProCurve.

Is the v2 model really an OfficeConnect in disguise? Should I steer clear of it when searching out ol' reliable ProCurves?

Thanks!



[HELP] MAN Architecture

I've built fiber networks in the past for similar organizations covering an 80-100 sq mile area. So, the plan has been a fiber network. Well, the curveball thrown at the last minute was "why can't we just use 5G for connecting all our buildings? That's what we're doing at <X> where I work, using Cisco 5G equipment."

I've beaten this issue to death. It simply doesn't make sense. We're trying to move away from a fixed wireless network that is expensive to maintain and provides poor performance and speeds to a redundant fiber ring to connect 40 or 50 facilities and a bunch of other "things" along the path geographically dispersed across what we'll call a Metropolitan Area Network (around 37 sq miles). One person in the executive approval chain has just enough IT experience to be dangerous and throw off months of planning and to disregard a collective 60+ years of operating this very type of network.

Of note, we're an all Cisco shop, mostly just 9300s with 9500s at our core. No frills. We don't currently employ any SDWAN technologies or anything of that nature. We run a traditional private MAN, all IPv4 private addressing with a few segments behind firewalls internally and our primary firewalls at the data center.

My current estimate for a full fiber build is around $5.5m, with the intent of pulling a minimum of 96 strands in order to leverage dark fiber leasing to help cover any ongoing maintenance and possibly even generate a revenue stream.

I can't find anything on "site to site" connectivity using 5G, I mean, I'm sure it exists, but how real world is it, really? 5G isn't even a fully standardized technology yet. It's still considered a non-standard architecture. So why would I want to invest in that (when it's still going to need a fiber backbone) to provide connectivity for our facilities/users? I don't really know what it even looks like from a topology standpoint, my assumption is a whole other network overlayed on top of our existing.

Keep in mind, also, that I only have 2 network positions and myself. I feel like 5G is going to be a whole lotta extra to manage, or we'd just have to lease from a carrier, but this person swears private 5G is where it's at. We are a very lean IT team and a lean-budgeted organization; this just all seems like a waste of cycles.

I may be completely wrong, I'm open to that. I've worked mostly within my bubble for years, so I know what works in traditional networking, just looking for some support and brainstorm items. Thanks in advance!