Saturday, October 9, 2021

4 years till Meraki renewal: what would you do?

I work at a nonprofit that got one-time COVID-19 funds from the federal government. It was decided, against my opinion, that the funds would be used to upgrade the network infrastructure of the campus (we have 5 buildings). They bought Meraki switches and APs. We previously had Cisco switches and Cisco APs.

In 2020, 5 years of service were bought for the Meraki switches and APs, so we are good until 2025. We have liked Meraki and its interface.

I've done the math, and our annual Meraki costs will be about $60,000 per year starting in 2025. We cannot sustain that. I would say our networking costs need to be more like $20,000 per year in terms of feasibility.

If we don't renew Meraki in 2025, my understanding is that our network becomes a brick.

Besides panicking and looking for a new job, what would you be doing or thinking right now if you were in this position and you had 4 years to do/think about it?



Aruba 8320 interface is showing up as down Configuring port

I am trying to configure a pair of Aruba 8320s and the ports are down no matter what I do. I believe it is the transceiver since they are 3rd party. Am I missing something? I just went through the menu and even the command guide and could not find any information on why it says configuring port.

show run int 1/1/31

interface 1/1/31

no shutdown

no routing

vlan access 1

exit

1/1/31 1 access QSFP+SR4 yes down Configuring port -- --



Tagged Management Vlan TP Link

Hello all, I have a TP-Link SG3452 L2+ and a Sophos UTM 220 in use. I would like to introduce a separate management vlan as is common. The plan is that all vlans including the mgmt vlan on ETH3 of the Sophos go to the switch. That is tagged traffic to the switch. This in turn would mean, in my understanding, configuring a trunk port for the uplink on the switch, also creating a vlan interface for the mgmt vlan on the switch and giving it an IP from the mgmt network. Unfortunately, the switch is then not reachable under this address and the switch cannot reach the Omada Controller. A test has shown that it only works if management traffic from an untagged interface of the Sophos leads to an access port of the switch. Thus 2 ports would have to lead from the Sophos to the switch: one access port for the management untagged and one trunk for the remaining vlans. Does anyone have an idea if it is somehow possible to route all traffic including management through the trunk port so that the switch is reachable, and in addition to trunk the management vlan further to the next switch?



Route Policy Disabled Sonicwall NSa3650

I am trying to figure out why a Route Policy in my Sonicwall NSa3650 is disabled. The route Destination is an Address Object with a VPN policy as the zone assignment. The VPN policy is bound to a specific Network Interface that is up and flowing traffic.

That Network Interface was down yesterday for 3 hours but is back online now and working fine. During this time there was no change to any of the Route Policies, Address Objects or VPN Policies. Everything else besides this one Route Policy has come back online and is working fine.

I don't have much experience with Sonicwall firewalls so I am struggling a bit with what else might be causing the problem. Thanks in advance to anyone that can help.



Vlan creation

Hi everyone,

I got a question on interview as below:

What happens at the back when VLAN is created?

I googled with no luck

Please help



I can't afford to pay for any certs but I want to be able to walk into a company and connect their switches, routers and PCs. Are there any tools I can use to learn?

Help guys!



5 minutes output rate extremely low on serial port: ping timing >400ms

Hello Everyone, I just changed my router on the service provider end, and now the user is not getting a stable connection from the server. Usually the ping takes 60 ms from server to the end user; now that I have changed the router it is taking around >400ms. When I use the old router, it again comes back to 60ms. I have made all the configuration of the new router similar to the old. Need your help on it. This specific connection is the only problematic part on this router; I have tried changing ports and cables already, still the issue is not resolved. Below is the output of the serial link:

Serial0/0/0 is up, line protocol is up

Hardware is HWIC-Serial

Description: CISCO1 SER0/0 - 'XXXXXXXX'

Internet address is X.X.X.XXX/30

MTU 1500 bytes, BW 252 Kbit/sec, DLY 20000 usec,

reliability 255/255, txload 5/255, rxload 64/255

Encapsulation PPP, LCP Open

Stopped: CDPCP

Open: IPCP, loopback not set

Keepalive set (10 sec)

Last input 00:00:00, output 00:00:08, output hang never

Last clearing of "show interface" counters 12w6d

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 5682

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 64000 bits/sec, 8 packets/sec

5 minute output rate 5000 bits/sec, 9 packets/sec

833506 packets input, 681752542 bytes, 0 no buffer

Received 0 broadcasts (0 IP multicasts)

62 runts, 0 giants, 0 throttles

2075 input errors, 1993 CRC, 0 frame, 0 overrun, 0 ignored, 20 abort

778407 packets output, 195311494 bytes, 0 underruns

0 output errors, 0 collisions, 227 interface resets

39 unknown protocol drops

0 output buffer failures, 0 output buffers swapped out

1678 carrier transitions

DCD=up DSR=up DTR=up RTS=up CTS=up



IPSEC/GRE

I am currently going through high-level documentation of an enterprise. Would you guys be able to explain this statement and the requirement of such a VPN setup, and what is achieved by it?

The architecture uses Internet circuits to build IPSec VPN tunnels between St. Louis and the remote site.  GRE tunnels are then built within the IPSec tunnels in order to handle multicast, provide traffic shaping / HQOS, exchange routing, etc.

Any better approach if any??
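An added example, not from the post or the enterprise's documentation, of what the quoted design looks like on the St. Louis end in IOS. Addresses, interface names, the circuit rate and the pre-shared key are placeholders. The point it shows: the GRE tunnel is a real routable interface that OSPF, PIM and a QoS shaper can attach to, while a bare IPsec policy (crypto map) carries neither multicast nor routing adjacencies; `tunnel protection` then encrypts the GRE packets.

```cisco
! Added illustration (not from the post or the enterprise's documents).
! Placeholders: St. Louis hub public address 203.0.113.1 on Gi0/0,
! remote site public address 198.51.100.1, tunnel subnet 10.255.0.0/30,
! and <PRESHARED-KEY> as the IKEv2 pre-shared key.
ip multicast-routing
!
crypto ikev2 proposal IKE-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKE-POL
 proposal IKE-PROP
crypto ikev2 keyring KR
 peer REMOTE
  address 198.51.100.1
  pre-shared-key <PRESHARED-KEY>
crypto ikev2 profile IKE-PROF
 match identity remote address 198.51.100.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR
!
! IPsec in transport mode: the GRE packet (router to router) is the payload,
! so tunnel mode would only add a second copy of the same outer addresses.
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS
 set ikev2-profile IKE-PROF
!
! Shaper for the HQoS requirement: assumed 20 Mbit/s remote-site circuit.
policy-map WAN-SHAPE
 class class-default
  shape average 20000000
!
! The GRE tunnel is a routable interface, so OSPF, PIM and QoS attach here.
! A classic crypto-map IPsec tunnel has no interface to hang them on and
! does not carry multicast, which is why GRE is wrapped inside IPsec.
! MTU/MSS are lowered so the double encapsulation does not fragment.
interface Tunnel0
 description GRE to remote site, encrypted by IPsec (tunnel protection)
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip pim sparse-mode
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE-PROT
 service-policy output WAN-SHAPE
!
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
```

The remote site mirrors this with the addresses swapped; `show crypto ikev2 sa` and `show ip ospf neighbor` on Tunnel0 confirm that the encrypted tunnel is up and carrying the routing adjacency.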



stateless firewall acl return traffic?

I am working with a cisco router and need to implement some acls. I have up till this point, only worked with stateful firewalls.

Before I started messing around with this, I wanted to confirm something.

I understand that with stateful firewalls, any outbound traffic is generally whitelisted so it can return by default since the firewall is aware of the state of a connection.

My understanding is with stateless I would need to create a rule for both directions. Is this correct?
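An added example, not from the post, showing what "a rule for both directions" looks like on an IOS router, plus the two stateless tools IOS offers to let replies back in: the `established` keyword and reflexive ACLs. The LAN subnet, interface names and resolver address are assumptions.

```cisco
! Added illustration (not from the post). Assumed: LAN 192.168.10.0/24 on
! GigabitEthernet0/0, Internet on GigabitEthernet0/1, DNS resolver 192.0.2.53.
!
! Direction 1: what the LAN may start. Applied inbound on the LAN interface.
ip access-list extended LAN-OUT
 permit tcp 192.168.10.0 0.0.0.255 any eq 443
 permit tcp 192.168.10.0 0.0.0.255 any eq 80
 permit udp 192.168.10.0 0.0.0.255 host 192.0.2.53 eq 53
 deny   ip any any log
!
! Direction 2: the replies. A stateless router remembers nothing about the
! outbound flow, so without this list every answer is dropped. 'established'
! matches TCP segments with ACK or RST set, which stops fresh inbound SYNs,
! but it is a header check, not a connection table, so it is a weaker filter
! than a stateful firewall. UDP has no flags, so its reply is spelled out.
ip access-list extended WAN-IN
 permit tcp any 192.168.10.0 0.0.0.255 established
 permit udp host 192.0.2.53 eq 53 192.168.10.0 0.0.0.255
 deny   ip any any log
!
interface GigabitEthernet0/0
 ip access-group LAN-OUT in
interface GigabitEthernet0/1
 ip access-group WAN-IN in
!
! Closer to stateful behaviour with plain IOS: reflexive ACLs. Each outbound
! match creates a temporary mirrored entry that 'evaluate' consults on the
! way back; the entry expires after the timeout. Both lists sit on the WAN
! interface (outbound list going out, inbound list coming in) and would
! replace the two static lists above rather than supplement them:
!   interface GigabitEthernet0/1
!    ip access-group WAN-OUT-REFLEX out
!    ip access-group WAN-IN-REFLEX in
ip access-list extended WAN-OUT-REFLEX
 permit tcp 192.168.10.0 0.0.0.255 any reflect RETURN timeout 300
 permit udp 192.168.10.0 0.0.0.255 any reflect RETURN timeout 60
 deny   ip any any log
ip access-list extended WAN-IN-REFLEX
 evaluate RETURN
 deny   ip any any log
```

`show access-lists RETURN` lists the temporary mirrored entries while a session is open, which is the quickest way to confirm that return traffic is being matched by state rather than by the static `established` line.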



Friday, October 8, 2021

Are there devices which use virtual addressing/translation for links

I have an Artnet node that is used for translating lighting data from Artnet (IP-based packets) to DMX data. In lighting, the most common Artnet device IPs are in the 2.0.0.0/8 and the 10.0.0.0/8 range.

The device that I have only seems to be able to be set with IPs in the 2.0.0.0/8 range. I don't particularly want to put my computer in the 2.0.0.0/8 range; and was just wondering what is best practice in this scenario?

I don't think I can use a NAT device to avoid this. But is there a device/router that can take packets destined to say 10.6.103.56 and send it along a link to 2.0.0.1 or something? While packets originally destined to 2.0.0.1 are still routed correctly?



Google DNS Flush Tool

https://developers.google.com/speed/public-dns/cache

Was chasing down why NS records were taking longer than anticipated to propagate onto Google's public DNS. This worked extremely well, figured I would share!



Novice network human looking for some guidance

TL;DR - If I only want to monitor uptime, latency, packet loss, and jitter on network devices (ideally, just routers) that I have the known IPs for, will LibreNMS plus netdisco get the job done?

Thanks anybody for reading this, I am sorry to bug you guys but I am learning so slow (I am a networking novice) and I at least want to know I'm indeed heading the right direction.

Hello - long story short, I am helping out my buddy who has a small business he started three years ago. One part of his business he added is basic circuit monitoring for customers. That is: uptime, latency, packet loss, and jitter.

I would describe the current system as less than optimal. I'm being nice. From about a month of research and studying the subject, it looks like he needs a network monitoring solution. Right now, I don't want to spend money on a COTS solution. I would like to use LibreNMS with netdisco to track, manage, and monitor the nodes. I have been using Linux for about 5 years now and I am fairly fluent in Python if that means anything in the networking world. Once I believe I know enough to be dangerous, then I would either keep the system I build and hire somebody to maintain it or I would recommend my buddy buy a COTS solution. That's for later though.

In simple requirements speak:

The system shall monitor and report uptime, latency, packet loss, and jitter metrics on deployed/connected/lit/whatever network devices (mainly routers and switches).

The system shall notify (someone) when the above metrics ^^^ do something outside specified bands ("Hey NOC (that being me rn), this node is down." --- "Hey, thanks computer thingy, I'll call the customer and see how pissed off they are and walk them through power cycling their equipment (because that's all I know how to do rn).")

***I don't need anything fancy right now, if I do everything from the cmd line and it's dumping data in csv or txt files or whatever, that is perfectly fine rn. I can add pretty front end stuff later.

Thanks so much for any input provided. I really appreciate it.



3rd Party Optics with Aruba-CX Switches

Has anyone had any luck using 3rd party 25/40/100Gb optics with Aruba CX switches, specifically the 8360, 8325 series? We have a couple 10Gb transceivers coded for J9151A which have worked fine in our 6400s, but we're wondering if we'll run into issues if we try using higher speed optics.



What does the "C" mean in "CSR" MMF optics?

Hey all, I have a curiosity I'd like to put to rest.

I recently bought some generic optics to split a 40Gb QSFP into 4x10Gb interfaces. It has an MPO-12 and each 10Gb "lane" is physically split out into a pair of those MPO fibers. IOW, the cable has MPO-12 on the transceiver end and a split of 4 LC connectors that I can plug into individual edge devices. It's pretty neat, and pretty straight forward.

Then I started to fixate on the part number having a "C" as in "CSR4" and I did some googling to calm my inquiring mind. I know what ordinary SR4 means, but what's that damn "C" about? I thought maybe it follows the same general vocab as in video applications where one combined type was "composite" (yellow RCA) or "component" (red-green-blue RCAs) but those are my best guesses.

I got extra curious when I found this Cisco datasheet which has both of these parts listed with "CSR" in them:

Cisco QSFP-40G-CSR-S (S-Class)

The QSFP-40G-CSR-S is a pluggable optical transceiver with a duplex LC connector interface used for connectivity using MultiMode Fiber (MMF). The Cisco 40GBASE-CSR Modules support link lengths of 300 and 400 meters, respectively, on laser-optimized OM3, and OM4/OM5 multimode fibers. Customers benefit through the reuse of their existing 10 gigabit duplex MMF infrastructure as they migrate to 40 Gigabit Ethernet, while maintaining the same supported link distances as 10G Ethernet. Each QSFP-40G-CSR-S operates at four different wavelengths. Each of the four wavelengths operates at 10G over existing duplex multimode fiber using standard LC connectors. The Cisco QSFP-40G-CSR-S transceiver does not support FCoE.

Cisco QSFP-40G-CSR4

Cisco 40GBASE-CSR4 QSFP Modules extend the reach of the IEEE 40GBASE-SR4 interface to 300 and 400 meters on laser-optimized OM3, and OM4/OM5 multimode parallel fiber, respectively. Each 10-gigabit lane of this module is compliant to IEEE 10GBASE-SR specifications. This module can be used for native 40G optical links over 12-fiber parallel cables with MPO/MTP female connectors or in a 4x10G breakout mode with parallel to duplex fiber breakout cables for connectivity to four 10GBASE-SR interfaces. Cisco QSFP-40G-CSR4 is optimized to guarantee interoperability over the complete specification range of 10GBASE-SR.

Does anyone know exactly what that "C" means?



Cisco Lead times and alternatives

Hi all,

We are a small local law enforcement agency (about 350 users) and are upgrading our networking infrastructure. We are currently a Cisco shop for all our switching gear, but they are giving us lead times in the 4-6 month range. I know we aren’t the biggest fish, but we are looking to buy around $200k in gear. Meanwhile, we are doing the same with our server infrastructure, spending about the same amount, and they are telling me they can do comparable gear, better pricing by ~30%, and have hardware to me in 6 weeks rather than 6 months.

The question is this: has anyone here used the S5248F-ON? We were planning to get the Nexus 93180YC-EX, and the Dell gives up some ground in total performance, but I’m sure it’s enough to matter. Are there other alternatives you guys would recommend?



Host Identity Protocol -> Internet

General question: has Host Identity Protocol been used over the generalized internet?

Has anyone used it internally?



OMNET++ simulation for a project? advancement of their models? tips?

Basically, we have a simulation project.

We are suppose to pick one of their example simulation models and make some kind of advancement and simulate and the plan is to gather data to present.

For example the labs used to introduce us to omnet++ is the TicToc tutorial, and the wireless tutorial they have.

What could I do with these, change etc and find some interesting data? change some parameter and see what happens etc?

https://inet.omnetpp.org/docs/tutorials/wireless/doc/index.html

https://docs.omnetpp.org/tutorials/tictoc/

Anyone have similar experience? I feel lost..

Thanks.



NAT in ASA (5505) Firewall is not working for VLANs configured in Layer3 Switch?

Topology: https://drive.google.com/file/d/1gTY1kLaCppo7mtcyjCWxyh7acNpODQh_/view?usp=sharing

Tool Used: Cisco Packet Tracer

Scenario:

  • NAT for hosts in any of the VLANs of Layer3-Switch not working.
  • Ping requests reaches outside server, but NAT is not working so ISP Router can't route the request back to ASA (because destination ip is Private IP address).
  • NAT is working if I ping outside server from Layer3-Switch

PKT FILE: https://drive.google.com/file/d/1qbVw9XsCtTbjeGmY5OpxK1552CULkq-C/view?usp=sharing

-------------

The configurations, if you don't want to download file.

ASA Configuration:

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Vlan1
 no nameif
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 shutdown
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 172.16.0.2 255.255.0.0
!
interface Vlan3
 nameif outside
 security-level 0
 ip address 51.1.1.1 255.0.0.0
!
object network LAN
 subnet 172.16.0.0 255.255.255.0
object network VLAN10
 subnet 192.168.10.0 255.255.255.0
object network VLAN20
 subnet 192.168.20.0 255.255.255.0
object network VLAN30
 subnet 192.168.30.0 255.255.255.0
object network VLAN40
 subnet 192.168.40.0 255.255.255.0
object network VLAN50
 subnet 192.168.50.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 51.1.1.2 1
route inside 192.168.0.0 255.255.0.0 172.16.0.1 1
!
access-list local-to-internet extended permit tcp any any
access-list local-to-internet extended permit icmp any any
!
!
access-group local-to-internet in interface outside
object network LAN
 nat (inside,outside) dynamic interface
object network VLAN10
 nat (inside,outside) dynamic interface
object network VLAN20
 nat (inside,outside) dynamic interface
object network VLAN30
 nat (inside,outside) dynamic interface
object network VLAN40
 nat (inside,outside) dynamic interface
object network VLAN50
 nat (inside,outside) dynamic interface

Layer3-Switch Configuration:

ip routing
!
!
spanning-tree mode pvst
!
!
interface FastEthernet0/1
 no switchport
 ip address 172.16.0.1 255.255.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/5
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/6
 switchport access vlan 30
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/7
 switchport access vlan 40
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/8
 switchport access vlan 50
 switchport mode access
 switchport nonegotiate
!
interface Vlan1
 ip address 10.0.0.1 255.0.0.0
!
interface Vlan10
 mac-address 0001.426c.9901
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 10.0.0.2
 ip helper-address 10.0.0.3
!
interface Vlan20
 mac-address 0001.426c.9902
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 10.0.0.2
 ip helper-address 10.0.0.3
!
interface Vlan30
 mac-address 0001.426c.9903
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 10.0.0.2
 ip helper-address 10.0.0.3
!
interface Vlan40
 mac-address 0001.426c.9904
 ip address 192.168.40.1 255.255.255.0
 ip helper-address 10.0.0.2
 ip helper-address 10.0.0.3
!
interface Vlan50
 mac-address 0001.426c.9905
 ip address 192.168.50.1 255.255.255.0
 ip helper-address 10.0.0.2
 ip helper-address 10.0.0.3
!
router ospf 1
 log-adjacency-changes
 network 192.168.0.0 0.0.255.255 area 0
 network 10.0.0.0 0.255.255.255 area 0
 network 172.16.0.0 0.0.255.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.2


What domain for SSTP SSL VPN certificate?

I'm trying to setup an SSTP on our Windows 2012 Server. We have a .local domain and a dynamic ip. We were planning on connecting with a dyndns address. I wasn't sure what domain to use on our cert purchase. We'd prefer not to use a self-signed one if possible.



On-premise to Azure routing with multiple regions

Diagram here: https://i.imgur.com/Wij2xc4.png

I have two VPN gateways in two regions, one in Asia and one in UK. Singapore and Shanghai offices both use S2S Route based VPN to connect to VPN Gateway in SouthEast Asia. Singapore and Shanghai offices can talk to each other via Azure gateway.

Same situation in South UK region for London and Amsterdam offices. Additionally, we have some VMs in Azure, based in South UK.

I would like to achieve two things:

  1. Make sure that Singapore and Shanghai offices can reach VMs in the UK South region via the Azure backbone. They could have a tunnel to the UK South VPN Gateway, but I guess connecting to the closest Azure region and then using Azure networks to get to UK South should be better?
  2. Make sure that Singapore and Shanghai can talk to Amsterdam and London the same way. Each office should connect to the closest Azure region, and they should be able to talk to each other via Azure backbone.

How do I do this? When googling I keep finding instructions for vnet peering with gateway transit, but this does not seem to work when both VNETs have a VPN gateway. Should I do VNET-to-VNET VPN? Or S2S VPN between gateways? Do I need custom routes to make it work?

Thanks!



Mininet - minievents

Hi! I am simulating traffic on a network in Mininet. I need to change the bandwidth of the links during the traffic. The problem is that after I get my data and calculate the bandwidth from the port details on the switches, the bandwidth is not what it is supposed to be. I need to check whether the minievents framework is changing bandwidths correctly or not. Is there a way for me to write the bandwidths of links to the terminal? If so, how? I implemented the minievents framework from cgiraldo's GitHub. It is implemented on more switches with one loop, so I am also using STP. I am using a RYU controller.



MS CA template name not in Cert extension

Haven't really found any help on the internet so hoping someone here could help me...

I'm trying to configure up Anyconnect with MS CA. I've managed to get Proxy SCEP and OCSP to work so users can autoenroll and the firewall checks with the CA to make sure the ID cert from the user hasn't been revoked. My only problem now is making sure the CA only issues out 1 cert for each user, this stops them using multiple machines.

I've enabled the "no reenroll if duplicate certificate exists in AD" option, as from my understanding this will stop the CA from dishing out multiple certs to the same users. But this still does not work. Online research suggests it's to do with the certs not containing the template name in the Certificate Template Information extension. I've checked out my ID cert on my test PC and only my OID is in there. How do I add the template name to this extension? I can't find anything about it.

The machines the users that are logging in with are NOT on the domain, I have a bad feeling this has something to do with it...

Any help will be greatly appreciated.



Allowing only zscaler internet access on Palo firewall

I'm looking to lock down internet access on a PA firewall to only allow traffic from computers with the Zscaler agent installed and working.

Looking at the available app-ids, I can see zscaler-internet-access and zscaler-private-access. Great, job done..... except not really. If I create a rule allowing just these two applications, the agent never connects and no access is possible - I have to add http-proxy application to get it to connect.

I've also noticed logs showing traffic going to Zscaler IPs, but the Palo is categorising the traffic based on the actual sites being accessed rather than just zscaler-internet-access.

Before I go any deeper down the rabbit hole, just wanted to check if anyone else has successfully configured their Palos to only allow internet access from zscaler agents?

I guess I can get all the potential zscaler IPs from their support and build a policy which matches on those, but it feels a bit old-school when the Palos are supposed to have the intelligence to do it with app-ids.



Repair/replace a broken/bent SFP-Port?

Hello, has anyone attempted replacing a broken SFP port?

Any advice?

I have spare switches/routers for replacement parts. And sometimes I receive broken SFP ports which need to be bent back, which is no problem.

But sometimes I receive networking gear with too many damaged ports.

Any ideas/advice?

Best regards



Thursday, October 7, 2021

anyone knows omnet++ here?

thank u



Catalyst 2960-S stuck at boot?

Hey admins,

Got a 2960-S that's stuck on this message:

Using driver version 1 for media type 1 Base ethernet MAC Address: REDACTED Xmodem file system is available The password-recovery mechanism is enabled.

and nothing else. I've got it consoled in but it's not accepting any input and the mode button doesn't seem to be doing anything. Any ideas?



I need help understanding tagged and untagged ports on vlans.

So recently I got a job in networking and am having trouble understanding vlans and when to tag or untag a port. I understand the basic concept of vlans and why you use them. They have been teaching me as I go but I’m having difficulties understanding when it is appropriate to tag/untag a port in a vlan. For example, I was told that you would put a printer or a PC on an untagged port and a phone or access point on a tagged port. The reason given was that phones and APs are “smart devices”, but that only confused me even more. I was also told that you could put anything on an untagged port but each vlan can only have 1 untagged port, while tagged ports can have as many as you want but not everything can be put on a tagged port (unless I misunderstood something). Can someone please explain why that is and how you determine what devices should be tagged or untagged, in the simplest terms possible? I have tried googling it and all it did was confuse me even more. Thanks.
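An added example, not from the post, of the three port roles the post is asking about, written in Cisco IOS terms (where an untagged port is "access", a tagged port is "trunk", and the one untagged VLAN on a trunk is the "native" VLAN). VLAN numbers and interface names are assumptions.

```cisco
! Added illustration (not from the post). Assumed VLANs: 10 data, 20 voice,
! 30 AP management, 40 guest Wi-Fi, 999 unused native on uplinks.
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 30
 name AP-MGMT
vlan 40
 name GUEST
vlan 999
 name UNUSED-NATIVE
!
! PC or printer: one VLAN, frames leave the port untagged. The device never
! sees a VLAN tag and does not need to understand 802.1Q at all.
interface GigabitEthernet1/0/1
 description PC / printer (untagged in VLAN 10)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! IP phone with a PC behind it: PC traffic stays untagged in VLAN 10, the
! phone tags its own frames into VLAN 20. The phone learns the voice VLAN
! from CDP/LLDP, which is the "smart device" part: it can tag, a PC cannot.
interface GigabitEthernet1/0/2
 description Phone + PC (untagged 10, tagged 20)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
!
! Access point serving several SSIDs: each SSID maps to a VLAN, so the port
! must carry several tagged VLANs. The native VLAN is the single untagged
! VLAN on the port, used here for the AP's own management traffic.
! (Older platforms need 'switchport trunk encapsulation dot1q' first.)
interface GigabitEthernet1/0/3
 description AP (untagged 30 as native, tagged 10 and 40)
 switchport mode trunk
 switchport trunk native vlan 30
 switchport trunk allowed vlan 10,30,40
 spanning-tree portfast trunk
!
! Uplink to another switch: all production VLANs tagged; the native VLAN is
! set to an unused number so untagged frames cannot land in a real VLAN.
interface GigabitEthernet1/0/48
 description Uplink to core
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40
```

`show interfaces trunk` and `show interfaces GigabitEthernet1/0/2 switchport` are the commands to confirm which VLANs a port tags and which one it leaves untagged.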



Recommendations for 48-port gigabit PoE SFP+ switches with redundant power supplies?

Just as the title says, looking for some recommendations for a switch

  • 48-port
  • Gigabit
  • PoE (af is probably fine)
  • 4x SFP+ (need 2 for fiber uplinks)
  • Redundant power supplies (this is the biggest point)
  • Layer 3 is not needed
  • Stacking would be nice

Going to need 7-8 of these for a warehouse that is going to be moving to 7x24 operation. Most of these are going into IDFs - one switch per IDF. IDF switches will only be used for PoE cameras and wireless APs. MDF would probably get 2x of these switches and used to power phones, connect some other APs, and desktop machines. While there will be a few VLANs, there is no inter-VLAN routing. SFP+ to connect existing fiber - trying to make some redundant paths since whomever wired the place daisy-chained the fiber at the IDFs - only 2 of the 5 IDFs have fiber runs back to the MDF. Sigh.

Was looking at Meraki MS250 + license + power supply, and Ruckus ICX7550 2 PSU bundle + cloud controller license. Figure there are some other options that are escaping my Google-fu.

Not looking to buy used. Don't have a budget, but I'm guessing I'm in the 2,500-3,500 range on switches.



Unable to split internet from MPOE with switch or direct

I got a couple IP's and an MPOE T1 drop.

I quickly configured a while ago to connect my Router to the MPOE drop and things worked fine. I'm trying to utilize a second internet connection so I connected the MPOE drop to a switch, to which the router was unable to get a connection. I tried a few different setups and uplink ports etc.. but nothing seemed to work.

I even plugged my laptop directly into the MPOE port and it said "network cable unplugged", so it didn't seem to be detecting anything. The connection is HALF 100 mbit and I tried setting all ports on a switch to this. Nothing worked. Plugging directly back into my router worked w/o an issue.

Am I missing something here? I feel like a switch or a direct connection to the laptop should work, and I do not know what makes the router anything special?

Thanks for any help



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Dhcp being sticky on windows 10

I am working on a segmentation project, which means reIPing windows desktops.

It's a fairly standard migration of creating new scopes and changing vlans on the switch ports. I also recommend the admins lower the existing lease time as the phased cutovers approach.

I'm impatient sometimes and try to force a machine to renew by shutting the switchport down, waiting, then doing a no shut. This is when the dhcp addresses seem to be sticky, because the machine doesn't send out a dhcp request when it gets link BACK. I've let it sit in a shut down state for 5+ minutes before bringing it back up, and it just comes back up with the previous dhcp address. A packet capture shows the machine doesn't send out a dhcp request.

If you do an ipconfig release/renew on the machine it pulls from the new range fairly quickly.

I might be crazy, but I'm pretty sure shutting down the port in the past has nudged machines to do a new dhcp request. Am I just imagining that? Is it some kind of timeout setting in their gpo?



Is it valid TCP to ack each byte rather than each entire packet?

I've already looked at a lot of resources explaining TCP sequence numbers and ack sequence numbers, but they all assume (under normal circumstances) you just ack once per received payload, with the ack seq num incremented by the exact payload length received.

Let's say we last received and acked seq 500, and now we receive 100 more payload bytes. Is it technically valid TCP if instead of acking 600, we ack 100 times: starting with 501, 502, 503, ... 599, 600?

This is for an extremely latency sensitive application.

Is this idea to warm the socket by sending acks for 1 byte at a time a viable idea, or completely nonsensical and get me disconnected?



How to find out where traffic is originating on your pc?

We recently implemented Cisco Umbrella and have a variety of sites blocked like a typical corporate environment. There are several computers that are frequently reaching out to numerous blocked sites, some on the list are: zillow.com, snapchat.com, etsy.com, youtube.com, myspace.com, netflix.com, facebook.com, target.com. All of these sites get hit and blocked within the same minute.

Information about these computers: all different makes and models, some brand new, some older than 4 years old. I have run Malwarebytes, Sentinel1, CCleaner. Rebuilt local profiles. Rebooted. I have been in front of one of the computers and can say there was no browser open actively going to these sites. This type of behavior makes me think that maybe it is a program trying to reach out to these sites.

How do I find out where this traffic is originating on these computers?

Thank you



ASA 5506 VoIP Service Nextiva Not Stable.

Howdy All,

I have been tasked with investigating a long-term issue (several months). Of the five sites, HQ has been reporting several symptoms since the migration to the new phone service.

  • Random call drops. (Unable to replicate)
  • Phone unregistering for short amounts of time.
  • Phone will ring inbound; once answered, no audio is heard or received on the far end either. (Unable to replicate)

None of this has caused an outage to production, but the longer NetOps does nothing about this the more irate the client becomes. I'm attempting to do some RCA in an area I'm weak in.

That said, I have done the following.

  • Investigated the Nextiva ASA configuration guide. (All ACLs and SIP inspection disabled.) I confirmed all five sites had the same configuration in regards to the VoIP requirements.
  • Confirmed QoS is enabled for VoIP traffic.
  • Confirmed priority-queue enabled.
  • Investigated dropped/discarded packets on the interface (nominal).
  • Worked with Nextiva support. (No additional insight)
  • Worked with ISP support. (No additional insight)

Is there something definitive I should be checking? Or a show/place to look on the router for more information on a specific counter I should reference?

How would you approach this systemic issue?



Gigabit LC multimode fiber from second building is very slow

There is a blue LC fiber line from a new building office coming into the main building. The fiber is using a transceiver to terminate at an HP 2920 switch. The port is configured to auto duplex and speed. The other switch is an unmanaged Netgear switch, and the transceivers are different.

Pings to the internet from the second office are very slow and internet as a whole is very slow. This is a new line, and I am trying to determine what the problem is. Not sure if a transceiver mismatch (different transceivers) could be the problem.



New factory design

Working to redesign a factory environment and looking for opinions.

We are looking to ensure the factory has 100% uptime or as close to it as possible, so we are designing it to be fully self-sufficient so that if the front office goes offline, the factory will continue to function.

We have 60 industrial Cisco switches that are scattered throughout the factory floor that will need to connect back to the cores. Looking for a model suggestion to hooking up 60 switches with dual connections and then vPCs to all of the switches.

With 60 connections connecting to the cores, best to look at two 9504s or something else you'd recommend? The connections from the 60 remote switches are all copper.



I lost the rj45 end to my southwire m400tp. Does anyone know how it's wired so that I can build one?

I figure it has to be pretty simple, as it's just a tiny little rj45 circuit. Are the pairs just matched?



Management VLAN internet access

Hello! This is hopefully a simple and easy question,

Do you give internet access to your management VLAN? Or is it considered "best practice" to block it from accessing the internet?



Turn NAT address into Web Server

Hi all,

I have an office at a coworking space in my city where I want to run an on-prem web server. They provisioned me a NAT IP address with an internal IP and a public-facing IP. I cannot seem to figure out how to make the address publicly available at port 8000 so that I can run a web server. What needs to be done at both the private IP side and the public IP side? The OS is Ubuntu if you have any specific documentation. Thanks in advance guys! :)



Utilizing a SAN field on a Client Certificate to identify a dynamic ACL to apply - Cisco ISE

Hi all, just wondering if anyone knows if the title is feasible. Essentially we are attempting to deploy a certificate to client devices (using Intune), but with different access levels per device. We have had an idea whereby we will use a SAN field to enter information that ISE will then read, and then apply the relevant DACL.

I'm aware ISE does read the SAN fields of certificates, but I'm curious to know if I can create some form of Authorization Policy/Result that would be able to apply the DACL as required.



Level3/CenturyLink routing issues

Hello!

Is anyone having issues reaching IPs that route through CenturyLink's AS?

I've got a PBX that is normally accessible from my business internet connection, but it and several other random sites have become unreachable for the past few days. Switching to mobile data, I can reach those sites fine, and the issue sometimes goes away at random times during the day.

I ran traceroutes and found that the requests stop after a few Level3 IP addresses in Nashville, TN.

Anybody else experiencing this?



Can someone recommend some articles that explain a hybrid network well?

I’m relatively new to networking and I’m getting down basics like different network types and all that, and I’ve found out that a hybrid network model is a thing, but everywhere I find information about it doesn’t explain it simply; they use terms I’ve never heard of and it just isn’t comprehensible to me.



Physically securing an access layer device

I am looking to provide an element of physical separation of several devices in a standard shared comms cabinet. For core and servers I can use something like this reasonably successfully, but I can't find anything similar that can accommodate 48 patch cables connecting a switch to floor ports (which are outside of the 'separation' zone).

Anybody know of any solutions?

Thanks



Wednesday, October 6, 2021

DHCP, company runs out of IP addresses, smoothest way to define a wider range

Hi,

My issue is pretty easy to explain:

The company I joined has an established network for like 30 years in 192.168.0.0/24 (I know, that sucks). This is the site #1.

The DHCP server is Windows Server 2012 R2 and is set up to deliver IP addresses ONLY on this range.

With this kind of bad design, we will soon be out of available IP addresses to deliver.

Question is, what would be the smoothest way to make the range wider, say 192.168.0.0/16, without having to reconfigure many things...

My first idea was to simply assign that range 192.168.0.0/16 or 255.255.0.0 instead of 192.168.0.0/24 or 255.255.255.0 in the Windows DHCP server, but some machines like printers and stuff have 255.255.255.0 manually set on them, and all of the VPN (FORTINET) is set up like that on all sites:

Note that the company has other buildings, with their own DHCP servers but reachable from site #1 via VPN.

Buildings #2 to building #8 are 192.168.2.0/24 to 192.168.8.0/24

So knowing all of that, now I think it would be way better to create a second 255.255.255.0 range, assigning from say 192.168.10.0/24, as it would be more than enough for the "small" company's devices and will not break everything else, I guess, but I have NO IDEA how to do that...

Thanks for your help!



Help Understanding an Outage

Had an outage caused by a device that affected every single device connected to our WAN switching in a VLAN for provider 1. The other provider, with devices connected in another VLAN, functioned fine.

Ultimately rebooting this device fixed the problem. However, I'm a bit miffed at what the issue actually was and was curious what thoughts others may have and/or ways to mitigate this if possible.

I added the flair for switching because I'm assuming it's a L2 problem.

More detail:

Connectivity:

  • Cisco wan switches running vPC

  • Provider 1 connected in vlan via upstream HSRP routers as the gateway

  • provider 2 connected in different vlan via upstream router as gateway

  • an HA pair of SDWAN appliances running VRRP are connected to provider 1 and provider 2 in each vlan

  • other edge devices such as firewalls in HA connected to each provider

Issue:

  • all devices connected to provider 1 started experiencing packet loss ~80%, latency, and all of a sudden unable to ping 8.8.8.8

  • all devices that have a connection to provider 2 had no issues using this path.

To me, this indicated WAN switching was probably ok. We've had some failures before so it was a concern. I checked critical interfaces for any errors that could show a problem. Issues appeared to point to an upstream issue with provider 1. Ticket opened with provider 1 and they aren't seeing any issues or have any other reports of issues.

We noticed some oddities in the SDWAN appliances in which the tunnels were bouncing on both appliances on both circuits even though provider 2 was functioning fine. We also noticed errors in HA Status dropping in and out.

I decided to reboot the SDWAN appliances as it was affecting some of our troubleshooting, and magically after the reboot everything started working. Packet loss and latency went away, ping to 8.8.8.8 immediately came back responding, and all other edge devices began to operate normally again.

Opened a ticket with the SDWAN vendor for analysis on their end and waiting.



Facebook Outage Caused BETTER Internet for Egypt and Oman??

I just finished this article:
https://blog.cloudflare.com/october-2021-facebook-outage/

I noticed that this graphic shows an increase in bps for Egypt and Oman during the outage:
https://blog.cloudflare.com/content/images/2021/10/image7-6.png

Does anybody know why these countries see an increase while the others see a decrease?



Why do we only learn Cisco in schooling?

Maybe this is just me, but I've been on the path of Computer Network Management (Degree title) for the past few years. Grad HS in 2020, went to a tech school the last two years. Got my CCNA. Learned all about cisco this cisco that, in the cisco networking academy. Entered university as a junior, guess what? Cisco networking academy. I've never touched anything but cisco or soho equipment. Juniper, Palo Alto, Aruba, Fortinet, all these things I've heard of but never used or interacted with. Is it just because Cisco has the most funding?? they already have their foot in the door everywhere so it's just easiest to make everyone learn Cisco?

Would it be advantageous to me to buy used hardware from other vendors and just play around with it?



SonicWall Configuration

I have two NSA 5600 SonicWall appliances that are, of course, HA sync. I was wondering and this just me thinking outside the box; is it possible or does it make sense to configure say, the primary unit with one ISP and all necessary rules, address objects, NAT policies in regards to this one ISP and configure the secondary appliance with the secondary ISP with necessary rules, address objects, NAT policies in regards to the secondary ISP? So if one fails, it can failover to the secondary unit using the secondary ISP with all necessary rules in place? Or is this somewhat too much thinking outside the box??



Ports aren't labeled or organized?

I recently started at a new place, and I've decided to fix up the port security since it needs work. To my dismay, I found that nothing is labeled, and the switch ports don't have descriptions. I have no clue what ports go where.

What are my options? Fox and hound? Plug my laptop into every port in all the buildings and search for the MAC? Offer a sacrifice to the networking gods?



Can I enable keepalive on one side of a GRE tunnel?

Or do both sides need to be configured for this to work? From what I'm reading it seems like it should be possible, just wanted to double check.



How does Aruba Clearpass calculate concurrent endpoints?

They say the following in the documentation

"If we believe that ALL the endpoints will be concurrently connected to the network, we will need to license for 9,000. However, given the network data available (e.g. DHCP max pool size and lease times, max firewall session usage, etc), we are able to determine that only 6,000 endpoints are ever concurrently connected to the network and therefore we only need 6,000 Access licenses."

But does anyone have any information on the accuracy of doing this with DHCP? Also does this require integration with IPAM/DHCP server or do they snoop something in the network?



Best Campus Network on EX4600?

Anyone running MPLS on EX4600? It seems to have decent L3VPN support, but no VPLS/L2VPN, which is a deal breaker. l2circuit is almost workable, but you can't bind it to an IRB. Dedicated interfaces only--doesn't really help me.

I'd love to move away from our current campus VRF-lite core/dist/access topology, but I've been handed EX4600s for dist switches. Access layer is pure L2, needs aggregation on dist switches.

I have MPLS on IRB working in the lab, but docs say it's unsupported. I can run one MPLS VLAN, do all the L3 stuff on there, and run the global L2 on VLANs in a traditional topology.. but I dunno--I got no confidence in late-model Juniper code. I'd run with it if someone else went first.

-EVPN-VXLAN is an option, but no support to terminate L3 on EX4600. Almost a downgrade from our current VRF-lite-at-dist topology.

-MC-LAG at core is another play, but I read endless horror stories on here about MC-LAG on EX. Same with virtual chassis.

I feel like I'm back to the tried and true VRF lite. Spanning tree dist to core for global VLANs, and terminate what you can in VRF at distribution.

What's the best campus topology built around EX4600?



Cisco 2960 High Output Drop

Hi everyone. I'm troubleshooting some high output drops on our edge switches that hand off to our customers. Originally I suspected this was a result of QoS policy; however, we have since removed the QoS config from the ports. Can anyone enlighten me on whether having QoS enabled globally, but not on each port, has any effect? As you can see, the output drops are substantial.

show version

Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)    

show int fa 0/4

FastEthernet0/4 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0019.06fa.2984 (bia 0019.06fa.2984)
  Description: Primary DIA 100Mb Updated 10-05-2021
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 120/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters 03:45:51
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 12337827
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 223000 bits/sec, 112 packets/sec
  5 minute output rate 47111000 bits/sec, 4903 packets/sec
     9967718 packets input, 4870732901 bytes, 0 no buffer
     Received 2727 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     49327585 packets output, 51225878591 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out



How do I connect to a MikroTik router when all it says is unable to connect?

Please help



Arista SFP Port Licensing Question

Hi, I'm looking at a used Arista DCS-7050T-64-F Switch 48x 10G SFP 4x 40G QSFP+ Port Switch. https://www.ebay.com/itm/264525177426

Does anyone know if I need licensing to use this switch? I'm not looking to do anything beyond using it to connect our computers to our on-site NAS at 10Gb/40Gb speeds. I've been trying to get hold of someone at Arista.. without any luck.

Thanks!



Juniper EVPN Multihoming | eBGP peering

I have setup EVPN multihoming in a lab and managed to get it working. This is my topology:

https://drive.google.com/file/d/1Sj4l477AFJVmx1qsD4yqxGqd8oEHvcNN/view?usp=sharing

Here is my config if you wish to see but for the most part it's more of a conceptual question:

https://www.reddit.com/r/networking/comments/q1fhxa/juniper_evpn_multihoming_activestandby/

I have one IRB setup on both routers (irb.107 - 100.100.100.1/30) between the two routers with EVPN Multihoming.

MX1 is the Designated Forwarder and MX2 is the Backup Forwarder. My understanding is this is achieved through a DF election process and one device is elected to be active for the ESI.

If I try and ping my CE device (100.100.100.2) from MX1 this works fine. If I try and ping from MX2 this does not work, but I believe this is correct, as this device is the Backup Forwarder.

On both routers I have a connected 100.100.100.0/30 for the IRB. On only the Designated Forwarder (MX1) I also have an EVPN route for the CE (100.100.100.2/32).

100.100.100.2/32 *[EVPN/7] 00:46:51 > via irb.107 

So far all good, I can ping from the CE to 100.100.100.1 (irb.107) fine.

I would like to eBGP peer from both MX devices with an upstream router (outside of EVPN) and advertise the connected IRB interfaces for inbound traffic. What I was hoping when reading the EVPN Multihoming documentation was that irb.107 (and thus the connected route) would not be up on the Backup Router.

Quote:

If you specify an ESI on a physical or aggregated Ethernet interface, keep in mind that an ESI is a factor in the designated forwarder (DF) election process. For example, assume that you configure EVPN multihoming active-standby on aggregated Ethernet interface ae0, and given the ESI configured on ae0 and other determining factors, the DF election results in ae0 being in the down state.

From here:

https://www.juniper.net/documentation/us/en/software/junos/evpn-vxlan/topics/example/evpn-mpls-esi-logical-interfaces.html

So basically now I will be advertising the /30 from both MX1 and MX2 to the upstream device. From what I'm seeing, if the upstream device sends traffic to MX2 (Backup Forwarder) I think it might not work (just because of the fact that it is the Backup Forwarder and the ping testing I did).

The /32 route for the CE is only on the Designated forwarder so I could advertise that route as being more specific to hit the correct router but that doesn't seem scalable at all.

What is the best way to achieve this? I was really hoping that the Backup Router would not have the connected route for the IRB interface and thus not advertise the connected route but unfortunately it doesn't behave like that. My other hope was that MX2 should know about the 100.100.100.2/32 EVPN route via MX1 but it seems this is not the case. If you do a show route 100.100.100.2/32 on MX2 it shows the route as the connected interface (local)

Any suggestions or comments welcome. I'm sure this has been done before so don't think it's anything out of the ordinary.

Thanks



Purpose of GRE tunnels from a physical data perspective

Hey all.

I was thinking about this, and just wanted to get everyone else's perspective.

When creating a GRE tunnel, the two endpoints act as if there is a physical link between the two. The physical data travels across the physical topology though, so if the two endpoints are 20 hops away per se, latency would still be an issue correct? Aside from hop count, what would be the purpose of creating GRE tunnels from the aspect of how the 1's and 0's travel on the medium?



Cisco CXP-100G-SR10 transceiver MPO breakout cable question

The Cisco CXP-100G-SR10 is meant for MMF cables; that part I know. However, would it be possible to use an MPO to SMF LC breakout cable, or do I have to use an MPO to MMF LC breakout?



DNS/DHCP + Network Architecture pro-tip, best practices

I'm looking to pull together a tips and tricks/best practices guide for customers in the early stages of their journey (feedback I get is there's a gap between the way things are taught and the ways the pros have learned things ACTUALLY work after 10+ years in the trade). I'm trying to uncover any and all pro-tips, when you do X always remember Y, best practices, here's something I screwed up big time once and how I fixed it...

Any input is appreciated (even if it's to troll and say "always make sure your device is plugged in"). I realize this is a vague and broad ask, but based on the feedback it might help me to dig deeper into one area or another. Some more specific areas that might be of interest for your insight would be....

  1. What’s your redundancy config? have you tried the failover? what’s your availability objectives? do you know?
  2. How to assign access rights - can tagging, templates, blocks, etc help?
  3. Common Challenges and strategies
  4. How Dynamic DNS actually works
  5. Multiple hostnames, cleaning + maintenance
  6. IPv6 Planning Considerations - IPAM focus
  7. Certificate deployment + Key rotations
  8. Zone Best Practices (zone forwarding vs delegation + Zone Architecture)


Windows 10 with Intel WLAN not joining multicast groups after wakeup, printers unusable

Hi!

I've been troubleshooting some printer discovery issues, for WSD devices (printers) discovered through DNS-SD on WLAN:

  • some clients fail to discover the printer, it can be fixed by rebooting the machine, or by disabling/enabling the WLAN adapter
  • the problem appears frequently, it looks like it can be caused by toggling airplane mode, suspending, and roaming through base stations for the same SSID
  • it only happens on machines with Windows 10 and an Intel WLAN adapter
  • even if the printer is already discovered, if the client has not joined the multicast group, it's unable to print (I suppose this is because Windows attempts to locate the device to determine if its address changed).
  • Linux/Apple and non-Intel Windows clients have no problem at all discovering and using the printer
  • printers are on a specific VLAN, clients are organized in specific VLANs, mDNS traffic is relayed by avahi-daemon

It looks like this problem is known:

The engineering team has investigated this multicast issue with Microsoft. Microsoft is aware there's an issue with the multicast address managed by the OS. The issue has been introduced together with Windows 10 (WDI arch for WiFi Drivers.) Any scenarios of WLAN reconnected (i.e. Airplane mode, roaming out and back into RF range, or disconnect and reconnect to the same SSID) and then the multicast packets might be affected by this issue. Currently this issue is expected to be fixed for Windows 10 Version 21H1.

However, upgrading to Windows 10 Version 21H1 did not fix the problem, so I'm asking here if anyone experienced the same problem and/or has found a nice workaround to make the clients able to discover the printers.

So far, I've thought of:

  • hardcoding the SRV/TXT records of these printers in our DNS resolver (not ideal because the printers change often (yes..))
  • writing my own mDNS proxy (currently the mDNS data is proxied through subnets by avahi-daemon), that would only reply in unicast (I'm not sure if Windows would accept these replies)
  • writing a script to disable/enable the WLAN driver on each BSSID change and on wakeup, and deploy it to all the potentially affected clients
  • sharing the printer on all VLANs through SMB (this is not ideal because some proprietary functions of the printer don't work when the printer is shared through SMB)

I'm a bit stuck, because this location hosts a "coworking" setup, where users come and go (often with multiple devices), there is no AD and so deploying scripts to all machines would be a lot of repetitive work. It looks like the best solution is to stick to hardcoded SRV/TXT records in our resolver, and update them whenever the printers change, but I wanted to ask if anyone sees a better solution, or if anyone knows of an upcoming fix for this problem.

Thanks a lot!



Can I ask a basic question about VMware vDS in this sub?

Maybe my search skill is rusty, but I just cannot find the answer to these questions: Does VMware vDS perform local layer 2 forwarding? If so, how do I see the ARP table of a particular vDS on an ESXi host?

Say VM1 (192.168.0.100/24) and VM2 (192.168.0.200/24) are both running on host1, which is associated with a vDS via vCenter. When VM1 wants to communicate with VM2, will this traffic leave host1 northbound to the physical switch and then back down to host1 to VM2, OR will the vDS just forward the traffic within host1 directly?

If the vDS would forward this layer 2 traffic within host1, how do I get the ARP table for the vDS on host1?

Lastly, will the behaviour be different between vSphere 6.7 and 7.x?



Need Advice Post CCNA exam

I passed my CCNA exam today.

I am a US citizen but reside in another country. I currently work in customer service remotely for a company in the U.S. My primary focus is to find a tech-related job working remotely. After this CCNA, what other certifications would you guys recommend for me that will open more doors into working remotely?



storm control on AP-connected ports

Setup: Cat9k switch with some Cisco APs connected to it. Access ports where the APs are connected have storm control configured on them. APs are managed by a WLC. There are two SSIDs: one internal (super secure) and a guest access (users are only allowed to go to the internet).

Issue: A user connected to the guest network sends an excessive amount of broadcasts (like ARP requests) and brings the switchport down (because storm control steps in). This affects both the guest access SSID and the internal SSID.

Question: Can this be mitigated at the AP/WLC level? So far I've run some packet captures on the switchport to identify the offending MACs and blacklist them in the WLC, but this is not scalable. I'd be interested if there's something similar to storm control, but on the WLC, so that the broadcasts won't reach the switchport.



Using the peering IP to access a server for VPN? | Cisco ASA

Hello all,

First and foremost, sorry for the title, but I could not figure out how to explain my question using just a few words.

So we have a customer of ours that wants a VPN tunnel between them and another company, let's say Company B.

Our customer peering IP: 50.50.50.50 & Company B peering IP: 90.90.90.90. The traffic or subnet that should go over the tunnel are 192.168.10.10 and 192.168.10.20 and they need to access 90.90.90.90 on port X.

From the technical aspect, is this possible? Like the peering IP is 90.90.90.90 and the server our customer needs to access is also the IP of 90.90.90.90, which for me does not make sense. They should have a separate IP for that server.

Because I was given this task and I'm wondering how this will be possible. The reason is that from my point of view, 90.90.90.90 is just a peering IP but not an IP of a server or so. I asked them of course about this (have not got any responses yet) and maybe I look stupid, but I have configured several VPN tunnels but not in this way.

The access-list will look something like this:

access-list X.X.X.X extended permit tcp 192.168.10.0 255.255.255.0 host 90.90.90.90 eq X

but I have a hard time understanding this setup..

Appreciate any help.



Your network load pre, during and post covid.

Because I’m just a curious guy, what was your ISP and firewall load pre-covid, during covid and now post-covid?

Post covid assuming you have a hybrid workplace now.

Would be good to know what industry you're serving, and if you’re an MSP, what you may have noticed across all the businesses you manage.

We have a few companies and the VPN load has obviously gone up and thankfully we put in all the right firewalls before covid even happened. Our big clients all have either a 500/500 or 1000/1000 line so bandwidth has never been an issue.

Looking forward to seeing everyone’s comments and insights. I’m all about the stats!



Watchguard firewall vs FortiGate & Sophos

Hi guys,

I was wondering if there are any users of WatchGuard firewalls here. I have good experience implementing Fortinet, Cisco and Sophos firewalls, but I never worked on WatchGuard before.

  • How do they compare to FortiGate and Sophos, in terms of reliability and support?
  • What features do you think are different from FortiGate and Sophos?
  • Apart from basic firewalling, has anyone used Total Security features such as DNSWatch, APT and SD-WAN?

BR.



Cisco Packet Tracer

I'm new to Cisco Packet Tracer. Why does the router have 2 IP addresses at the starting and ending points? Please tell?

https://prnt.sc/1uzqaab



Tuesday, October 5, 2021

ARP Request w/ all 1 bit in ARP target hardware address

Hi,

I just noticed that one of my embedded devices is sending ARP requests with all 1 bits in the target hardware address of the ARP packet. I think the protocol is using all 0s in the target hardware address. And the destination address is all 1 bits in the Ethernet frame, which is normal for an ARP request.

Does anybody have an idea why the ARP request is different than other normal ones? Is that a special case?

Thanks.
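To see the field in question concretely, here is an added example (not from the post or the device vendor): it builds Ethernet/ARP request frames from constructed data, parses them, and labels how the sender filled the target hardware address (zeros, all-ones, or a unicast MAC) and whether the request is an ordinary lookup, a gratuitous ARP or an RFC 5227 probe. The MACs and IPs are made up for the sample.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ZERO_MAC = bytes(6)
BROADCAST_MAC = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_request(sha: bytes, spa: str, tpa: str,
                      tha: bytes = ZERO_MAC, eth_dst: bytes = BROADCAST_MAC) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP request.
    Constructed test input; 'tha' lets us imitate the embedded device."""
    eth = eth_dst + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)   # htype, ptype, hlen, plen, oper
    arp += sha + IPv4Address(spa).packed + tha + IPv4Address(tpa).packed
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Decode Ethernet header + ARP body; rejects anything that is not IPv4/Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only IPv4-over-Ethernet ARP is handled here")
    return {
        "eth_dst": mac_str(frame[0:6]),
        "eth_src": mac_str(frame[6:12]),
        "oper": oper,
        "sha": mac_str(frame[22:28]),
        "spa": str(IPv4Address(frame[28:32])),
        "tha_raw": frame[32:38],
        "tha": mac_str(frame[32:38]),
        "tpa": str(IPv4Address(frame[38:42])),
    }


def classify_request(arp: dict) -> dict:
    """Label a request by the fields RFC 826 leaves loosely specified.
    RFC 826 says the target hardware address is ignored in a request, so
    zeros and all-ones are both interoperable; most stacks send zeros."""
    if arp["oper"] != ARP_REQUEST:
        return {"kind": "not-a-request", "tha_kind": None}
    tha = arp["tha_raw"]
    if tha == ZERO_MAC:
        tha_kind = "zero"        # the common choice
    elif tha == BROADCAST_MAC:
        tha_kind = "all-ones"    # what the embedded device in the post appears to send
    else:
        tha_kind = "unicast"     # e.g. a unicast cache-refresh request (RFC 1122 style)
    if arp["spa"] == "0.0.0.0":
        kind = "probe"           # RFC 5227 address-conflict detection probe
    elif arp["spa"] == arp["tpa"]:
        kind = "gratuitous"      # announcing/checking its own address
    else:
        kind = "normal"
    return {"kind": kind, "tha_kind": tha_kind}


def describe(frame: bytes) -> str:
    arp = parse_arp_frame(frame)
    c = classify_request(arp)
    return (f"{arp['sha']} asks who-has {arp['tpa']} tell {arp['spa']} "
            f"[{c['kind']} request, tha={arp['tha']} ({c['tha_kind']})]")


# Constructed sample traffic (locally administered MACs, private addresses).
PC_MAC = bytes.fromhex("020000000001")
DEVICE_MAC = bytes.fromhex("0200000000aa")
SAMPLE_FRAMES = {
    "typical": build_arp_request(PC_MAC, "192.168.1.20", "192.168.1.1"),
    "embedded": build_arp_request(DEVICE_MAC, "192.168.1.50", "192.168.1.1", tha=BROADCAST_MAC),
    "gratuitous": build_arp_request(PC_MAC, "192.168.1.20", "192.168.1.20"),
    "probe": build_arp_request(PC_MAC, "0.0.0.0", "192.168.1.20"),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:10s} {describe(frame)}")
```

The same parser can be pointed at frames pulled from a pcap of the device (e.g. via a capture library that hands you raw bytes) to confirm whether anything else in its requests is unusual.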



cPacket or Netscout?

Hi,

Curious if anyone is using these systems for continuous packet captures and analytics and what you think of them?

We're trying to decide on a system to give us historical captures but also rich analytics to basically find the issues before opening Wireshark.

Brad



SOA or NS Records for authoritative DNS?

I made a YouTube video yesterday attempting to analyze the Facebook outage and realized I have a pretty big gap in my knowledge regarding the DNS hierarchy and what records actually are authoritative for DNS. The SOA designates the primary name server, but I think DNS resolvers only ever actually look at the NS records for a host. Is the SOA primary name server entry actually used for anything? Is there ever a case where the SOA listed primary name server would not be present in the NS records for a domain?



Why hasn't the layer 2 domain been phased out of Data Centers?

Recently started working as an Onsite Engineer.

My boss was showing me around one of the data centers in our building and explained why we had a few empty racks with patch panels and all the copper completely cut. He was telling me how they have transitioned from a tier 3 network architecture to a "Spine and Leaf". From my understanding, copper patch panels are generally capped at 10 gigs/port. In addition to having to run STP on your layer 2 switches, you are sort of forced to lose bandwidth for added redundancy in order to prevent loops within the layer 2 domain. Why hasn't everyone stopped using layer 2? It seems a lot smarter to just have everything being routed at layer 3 for maximum bandwidth. You can still have redundant links and you won't be limited to only having one route throughout the domain.



Cisco ISE as a certificate authority

ISE documentation on CA is hundreds of pages long. Can someone please provide practical examples of when ISE is used as a certificate authority?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



AC6605 stuck in BootRom

I have had a Huawei AC6605 in the office working nicely for several years, until a month ago when an energy blackout hit it.

Now the port LEDs remain off (except for the internal LEDs).

When I connect to the serial COM port, it shows:

BIOS Loading ... Init BootBus ... done init DD3... Press Ctrl + A to show DDR details.. en: 1, clkf: 11, p11_MHz: 550, ddr_hertz: 550000000, error: -17000000, best_error: 533000000 Measured DDR clock 533314908 Initializing DDR interface 0, DDR Clock 533314908, DDR Reference clock 50000000, CPUID 0x000d900a row bits: 15, col bits: 10, banks: 8, ranks 2, dram width: 8 size: 4096 MB {MORE LINES OF INFO} ROM start. 

And the sequence starts again in a loop.

Full dump:

https://ibb.co/d4sw30g https://ibb.co/5v9bKJJ (sorry for the poor quality) 

I think it's a BIOS issue because it doesn't enter the BootLoad sequence, but I don't have experience with these deep errors.

https://download-hk.huawei.com/mdl/image/download?uuid=33811a5621b048289f602cf018770f5a 

Thank you in advance.



Switch Stack Connections to ESX

We are deploying a new network stack which uses stacked switches at top of rack. According to VMware, stacked switches must use EtherChannel, either static or LACP, and the IP Hash load balance method.

In our case, we are still very much an L2 shop, so stacked switches eliminate STP for us, which is huge. Just looking for a sanity check that stacked switches and LAG to the hosts using IP hash is a sane choice given the circumstances. LACP is up for debate since we don't have enterprise licensing, although the VDS load balance options would be nice for iSCSI compared to the VSS options.

Thanks.



Cloud networking stack alternatives to Meraki

Looking for suggestions on a full stack (routers, switches, wireless APs) networking solution that is cloud-managed. I've used Meraki in the past, as well as Unifi, but curious what else is out there that is recommended? I loved the simplicity of Meraki, as well as the fact that they're hosting all the cloud-related things themselves, but the hardware and licensing costs are a bit much.

This would be for a multi-location, enterprise-grade roll out across thousands of locations in the US and Canada, likely expanding to other countries. Locations are independent and no VPN would be required for day to day functionality, though a VPN would be necessary for ad-hoc troubleshooting.

Happy to add in any more info!



Facebook Engineering : More details about the October 4 outage

Facebook gives more detail into what caused the outage

https://engineering.fb.com/2021/10/05/networking-traffic/outage-details/



IPSec Tunnel on Azure Palo Firewall

I know that Azure does not support GRE tunnels and that is not an option.

I need to be able to make an IPSec IKEV2 connection from a Palo host in Azure to Zscaler.

Eth1 has a public IP address attached to the NIC in the azure portal.

I understand that Azure handles the NAT of private IP of the eth1 interface to the public ip attached.

My security policy is fine.

However, I am still getting a connection timed out. My NAT policy is being hit, but not getting a response. It may be ZIA that has the issue or I configured something wrong there.

Curious to see if anyone has had to do this.



Trying to figure out if location of server has changed.

Not a tech guy so hoping someone can help. I looked at the header information of a 6 year old email and found the IP address associated with the web server. I looked up the address at https://whatismyipaddress.com/ and it shows a location in Atlanta, Georgia.

My question is this. Can I be sure that the web server was physically located in Atlanta back when the email was sent, or is it possible that it has changed locations? The site says it's a static address.



eBGP routing question

Hi folks, I have a pretty basic question regarding how BGP works. I think I understand the fundamental principles, but what I don't understand is why every router needs to see all routes, and how this information is actually used to make routing decisions.

I guess my main question is, does every participating BGP router have its own routing table which BGP creates using data that is shared from its peers? Why does every router need to know about every prefix/route? Is this so it can use the info to build its own routing table?

For example, say I am an eBGP router (ASN 0) connected to 2 other ASNs: ASN 1 and ASN 2.

I only have two possible routes to send traffic out. Does BGP take the info shared with it for all possible routes/prefixes and then create a dedicated routing table just for me (ASN 0), so that I know which of the two directly connected ASNs to forward my traffic to?
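The mechanics the question is asking about, as an added toy model (not from the post or any vendor's code): a BGP speaker keeps every path learned from every neighbour (the Adj-RIB-In), runs a decision process to pick one best path per prefix (the Loc-RIB), and installs only those into its own forwarding table, where a longest-prefix match picks the exit for each packet. The decision process here is a simplified subset of the real one (local preference, then shortest AS path, then lowest neighbour router ID); the ASNs, prefixes and paths are constructed, with private ASNs standing in for the post's "ASN 0", which is a reserved number.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: we are AS 64500 (a private ASN stands in for the post's "ASN 0"),
# and our two eBGP neighbours are AS 64501 and AS 64502.
LOCAL_AS = 64500


@dataclass(frozen=True)
class Path:
    prefix: str          # destination prefix as received
    next_hop: str        # neighbour address we would forward to
    as_path: tuple       # AS_PATH; as_path[0] is the neighbour that sent it
    local_pref: int = 100
    neighbor_id: str = "0.0.0.0"


def best_path(paths):
    """Simplified BGP decision process: highest LOCAL_PREF wins, then the shortest
    AS_PATH, then the lowest neighbour router ID as a deterministic tie-break.
    Real BGP has more steps (origin, MED, eBGP over iBGP, IGP metric, ...)."""
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), ip_address(p.neighbor_id)))


def build_loc_rib(adj_rib_in):
    """Adj-RIB-In holds every path learned from every neighbour; the Loc-RIB keeps
    exactly one best path per prefix, which is what gets installed in the routing table."""
    by_prefix = {}
    for p in adj_rib_in:
        by_prefix.setdefault(p.prefix, []).append(p)
    return {prefix: best_path(ps) for prefix, ps in by_prefix.items()}


def lookup(loc_rib, dst):
    """Forwarding decision: longest-prefix match in the Loc-RIB. Returns the ASN of the
    neighbour to hand the packet to, or None when no route covers the destination."""
    addr = ip_address(dst)
    matches = [(ip_network(pfx), path) for pfx, path in loc_rib.items() if addr in ip_network(pfx)]
    if not matches:
        return None
    _, path = max(matches, key=lambda m: m[0].prefixlen)
    return path.as_path[0]


# Constructed Adj-RIB-In: documentation prefixes (RFC 5737) and private ASNs only.
SAMPLE_ADJ_RIB_IN = [
    Path("203.0.113.0/24",   "192.0.2.1", (64501, 65010),        neighbor_id="192.0.2.1"),
    Path("203.0.113.0/24",   "192.0.2.2", (64502, 65020, 65010), neighbor_id="192.0.2.2"),
    Path("203.0.113.128/25", "192.0.2.2", (64502, 65030),        neighbor_id="192.0.2.2"),
    Path("198.51.100.0/24",  "192.0.2.1", (64501, 65040),        neighbor_id="192.0.2.1"),
    # Longer AS_PATH, but a local policy raised LOCAL_PREF, so this path still wins.
    Path("198.51.100.0/24",  "192.0.2.2", (64502, 65050, 65040), local_pref=200, neighbor_id="192.0.2.2"),
]

if __name__ == "__main__":
    rib = build_loc_rib(SAMPLE_ADJ_RIB_IN)
    for prefix, path in sorted(rib.items()):
        print(f"{prefix:20} via AS{path.as_path[0]} as_path={path.as_path} local_pref={path.local_pref}")
    for dst in ("203.0.113.5", "203.0.113.200", "198.51.100.9", "192.0.2.77"):
        print(f"{dst:15} -> {lookup(rib, dst)}")
```

The point the example makes: the router needs every prefix because it chooses per prefix, not per neighbour. The /24 is reached via AS 64501 on AS-path length, but the more specific /25 inside it goes to AS 64502, and a policy (local preference) can override path length entirely, as 198.51.100.0/24 shows.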



Understanding How Facebook Disappeared from the Internet



Dell's Switches DHCP Relay Option 82 question

So the Dell PowerConnect switch I am looking at allows Option 82 to be enabled or disabled. Our organization uses MS DHCP servers. How do I sort out which VLANs have what Agent Circuit ID, Agent Remote ID, Subscriber ID? These are the type of information that is required on the MS DHCP side, probably when an MS Relay Agent is deployed. But for a switch DHCP Relay Agent... where do you even find this information?
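One way to find out what a given switch actually puts in those fields is to capture a relayed DISCOVER on the server side and decode option 82. The parser below is an added example, not Dell's or Microsoft's code: it walks the DHCP options field, pulls out the Relay Agent Information option (82) and splits it into the sub-options named in RFC 3046 (1 = Agent Circuit ID, 2 = Agent Remote ID) and RFC 3993 (6 = Subscriber ID). The bytes inside Circuit ID and Remote ID are vendor-specific, so the parser shows them as hex rather than guessing a VLAN/port layout; the sample packet bytes are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

OPT_RELAY_AGENT_INFO = 82
# Sub-option codes from RFC 3046 (1, 2) and RFC 3993 (6).
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID, SUBOPT_SUBSCRIBER_ID = 1, 2, 6


@dataclass
class RelayAgentInfo:
    circuit_id: Optional[bytes]
    remote_id: Optional[bytes]
    subscriber_id: Optional[bytes]
    other: Dict[int, bytes] = field(default_factory=dict)  # sub-options we don't name


def _parse_tlvs(buf: bytes, top_level: bool) -> Dict[int, bytes]:
    """Walk a code/length/value list. At the DHCP options level, 0 is PAD and 255 is END;
    inside option 82 they are ordinary codes. A truncated element raises ValueError
    instead of silently returning partial data."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if top_level and code == 255:
            break
        if top_level and code == 0:
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError(f"truncated header at offset {i}")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"code {code} declares {length} bytes but only {len(value)} remain")
        out[code] = value
        i += 2 + length
    return out


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Options field as it appears after the 4-byte magic cookie."""
    return _parse_tlvs(options, top_level=True)


def parse_option82(value: bytes) -> RelayAgentInfo:
    sub = _parse_tlvs(value, top_level=False)
    return RelayAgentInfo(
        circuit_id=sub.pop(SUBOPT_CIRCUIT_ID, None),
        remote_id=sub.pop(SUBOPT_REMOTE_ID, None),
        subscriber_id=sub.pop(SUBOPT_SUBSCRIBER_ID, None),
        other=sub,
    )


def describe(value: Optional[bytes]) -> str:
    """Hex, plus ASCII when the whole value is printable. Circuit ID / Remote ID layouts
    are vendor-specific, so no attempt is made to decode VLAN or port numbers."""
    if value is None:
        return "(absent)"
    printable = bool(value) and all(32 <= b < 127 for b in value)
    return value.hex() + (f" ({value.decode('ascii')!r})" if printable else "")


# Constructed sample: a DISCOVER (option 53 = 1) to which a relay appended option 82.
# The Circuit ID and Remote ID bytes are made up for the example.
SAMPLE_OPTIONS = (
    bytes([53, 1, 1])
    + bytes([OPT_RELAY_AGENT_INFO, 28])
    + bytes([SUBOPT_CIRCUIT_ID, 6]) + bytes.fromhex("000400640105")
    + bytes([SUBOPT_REMOTE_ID, 8]) + bytes.fromhex("000600112233aabb")
    + bytes([SUBOPT_SUBSCRIBER_ID, 8]) + b"room-101"
    + bytes([255])
)

if __name__ == "__main__":
    opts = parse_dhcp_options(SAMPLE_OPTIONS)
    info = parse_option82(opts[OPT_RELAY_AGENT_INFO])
    print("Agent Circuit ID:", describe(info.circuit_id))
    print("Agent Remote ID: ", describe(info.remote_id))
    print("Subscriber ID:   ", describe(info.subscriber_id))
```

Run it against real captures from each VLAN and the hex values you see are exactly the strings the DHCP server's relay-agent policy has to match; the switch's own documentation then tells you how it composes them.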



Anyone have a link to manually download callback detectors for McAfee Network Security Manager?

Our McAfee IDS is having issues pulling updates for callback detectors, but for some reason the signature sets are downloading just fine. While I troubleshoot, I was going to just manually update the callback detectors so they are up to date, but I am having issues finding a location to download from. Does anyone know where to go to find these?



WLC On-premise or Cloud based Solution?

Good Day to all,

I'm asking for your expertise on which you think is the best way of getting the Wireless LAN Controller.
The vendor is proposing the Meraki cloud-based solution, and I'm thinking of getting the on-premise solution (9800 WLC). I'm not yet familiar with the cloud-based technology when it comes to wireless, but upon checking it's very manageable and simple.
With this, can you share a bit of information on which you think is the best?
On-premise or cloud-based?

Thank you very much



Prevent Linux OS from sending packets on an interface

Hi,

I have a device on my network that is monitoring network traffic via promiscuous mode on a NIC (let's call it NIC1). Is it possible on the OS side to enforce that this device won't be able to send traffic on NIC1, and only receive?

Thanks!



dhcps Lease host name not found issue on Archer C24

Model: TP-Link Archer C24
Hardware Version: V1
Firmware Version: 1.4.3 Build 201022 Rel.55840n(5553)

62 WARNING 0days, 00:04:38, [dhcps]Lease host name not found.
63 INFO 0days, 00:04:38, [dhcps]Send OFFER with ip 192.168.0.103.
64 WARNING 0days, 00:04:38, [dhcps]Lease host name not found.
65 INFO 0days, 00:04:38, [dhcps]Send ACK to 192.168.0.103.
91 WARNING 0days, 00:07:13, [dhcps]Lease host name not found.
92 INFO 0days, 00:07:13, [dhcps]Send OFFER with ip 192.168.0.104.
93 WARNING 0days, 00:07:13, [dhcps]Lease host name not found.
94 INFO 0days, 00:07:13, [dhcps]Send ACK to 192.168.0.104.
121 WARNING 0days, 01:04:39, [dhcps]Lease host name not found.
122 INFO 0days, 01:04:40, [dhcps]Send OFFER with ip 192.168.0.100.
123 INFO 0days, 01:04:41, [dhcps]Send ACK to 192.168.0.100.
124 WARNING 0days, 01:07:14, [dhcps]Lease host name not found.

[Full SysLog Attached]

My system log is flooded with this message: [dhcps]Lease host name not found. It's happening with all the devices connected to the router. I've also noticed that when it happens with an IP, the device with that IP loses internet connection for a short period of time, like 30 seconds, or sometimes even loses the WiFi signal. My DHCP setting is pretty basic without any modification to the defaults [image attached].

Most of the time there are 5 to 6 devices connected. Sometimes there are 1 to 2. I have a computer which is connected via Ethernet. The problem can also be seen there. I've tried factory resetting the router and configuring it from scratch, but to no avail; the problem returned some time later. I've also tried mailing TP-Link and they are yet to respond. I posted it on their forum and no replies so far.

My educated guess is the problem lies within the firmware or might be a bug. The problem is really, really problematic when you need a stable connection. Please help me solve it if the problem is on my end.

Thanks in advance
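The warning by itself only says the client sent no hostname; what matters for the symptom is whether clients are re-requesting leases far sooner than a normal renewal. The script below is an added example (not TP-Link's code): it parses the router's syslog format as quoted above, counts warnings, OFFERs and ACKs, and flags any IP whose consecutive ACKs are less than a threshold apart. The sample is the post's log lines plus two constructed lines (sequence 125 and 126) that show 192.168.0.100 re-acquiring its lease five minutes after the last ACK; the field names and the churn threshold are my own choices.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Matches the Archer C24 syslog layout quoted in the post:
#   <seq> <LEVEL> <N>days, HH:MM:SS, [<facility>]<message>
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<level>[A-Z]+)\s+(?P<days>\d+)days,\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}),\s+\[(?P<facility>\w+)\](?P<msg>.+)$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_line(line: str) -> Optional[dict]:
    """Return a structured record, or None for lines that don't match the format.
    Timestamps are router uptime, so they restart from zero after a reboot."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    uptime = ((int(m["days"]) * 24 + int(m["h"])) * 60 + int(m["m"])) * 60 + int(m["s"])
    msg = m["msg"].strip()
    ip = IP_RE.search(msg)
    event = "OFFER" if "Send OFFER" in msg else "ACK" if "Send ACK" in msg else None
    return {"seq": int(m["seq"]), "level": m["level"], "uptime": uptime,
            "facility": m["facility"], "msg": msg,
            "ip": ip.group(1) if ip else None, "event": event}


def analyze(lines: List[str], churn_threshold_s: int = 1800) -> dict:
    """Count warnings/offers/acks and, per client IP, the gap between consecutive ACKs.
    A client normally renews at half its lease time, so ACKs only minutes apart mean the
    client lost its lease and came back, which lines up with the short drops in the post."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    acks: Dict[str, List[int]] = defaultdict(list)
    offers: Dict[str, int] = defaultdict(int)
    summary = {"warnings": 0, "offers": 0, "acks": 0, "per_ip": {}, "churn": []}
    for r in records:
        if r["level"] == "WARNING":
            summary["warnings"] += 1
        if r["event"] == "OFFER":
            summary["offers"] += 1
            offers[r["ip"]] += 1
        elif r["event"] == "ACK":
            summary["acks"] += 1
            acks[r["ip"]].append(r["uptime"])
    for ip in sorted(set(acks) | set(offers)):
        times = acks[ip]
        gaps = [b - a for a, b in zip(times, times[1:])]
        summary["per_ip"][ip] = {"offers": offers[ip], "acks": len(times),
                                 "min_ack_gap": min(gaps) if gaps else None}
        if gaps and min(gaps) < churn_threshold_s:
            summary["churn"].append(ip)
    return summary


# Sample input: the lines quoted in the post, plus two constructed lines (125, 126).
SAMPLE_LOG = """\
62 WARNING 0days, 00:04:38, [dhcps]Lease host name not found.
63 INFO 0days, 00:04:38, [dhcps]Send OFFER with ip 192.168.0.103.
64 WARNING 0days, 00:04:38, [dhcps]Lease host name not found.
65 INFO 0days, 00:04:38, [dhcps]Send ACK to 192.168.0.103.
91 WARNING 0days, 00:07:13, [dhcps]Lease host name not found.
92 INFO 0days, 00:07:13, [dhcps]Send OFFER with ip 192.168.0.104.
93 WARNING 0days, 00:07:13, [dhcps]Lease host name not found.
94 INFO 0days, 00:07:13, [dhcps]Send ACK to 192.168.0.104.
121 WARNING 0days, 01:04:39, [dhcps]Lease host name not found.
122 INFO 0days, 01:04:40, [dhcps]Send OFFER with ip 192.168.0.100.
123 INFO 0days, 01:04:41, [dhcps]Send ACK to 192.168.0.100.
124 WARNING 0days, 01:07:14, [dhcps]Lease host name not found.
125 INFO 0days, 01:09:40, [dhcps]Send OFFER with ip 192.168.0.100.
126 INFO 0days, 01:09:41, [dhcps]Send ACK to 192.168.0.100.
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    print({k: v for k, v in result.items() if k != "per_ip"})
    for ip, stats in result["per_ip"].items():
        print(ip, stats)
```

Feed it the full exported syslog: a device that shows up in "churn" with a small min_ack_gap is one to watch against the moments it dropped off the network, and the warning count alone tells you nothing about that.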



End Users Not Receiving Password Reset Emails

Hi, not sure if this is the right place... but we have end users who are not receiving password reset emails. It only affects users with email addresses on the company's domain. It works OK with Hotmail/Gmail etc.

On the cloud provider's end, their identity team displayed logs that showed the emails were successfully sent out.

There is no domain blocking or firewall issue. What else could be an issue on the domain end that's causing end users to not receive their emails? Currently using Microsoft O365.



Monday, October 4, 2021

ThousandEyes's Facebook Outage Analysis

Some interesting extra information at https://www.thousandeyes.com/blog/facebook-outage-analysis



Network Infrastructure Design Help

Hey Everybody,

I'm going to preface this with the fact that this is all theory. But I've been tasked with creating a network infrastructure for a new company, sticking to Cisco hardware 100% if possible.

I have a main HQ in 1 part of the country, the DR/Backup site in another part, and 4 smaller sites to all interconnect. 6 sites total.
I would primarily like to stick with Cisco devices if possible.

I'm trying to design a resilient core/distribution/access for the main HQ. The sites are all connected via dark fiber MPLS, with DSL as a backup. Each site will also need two ISP connections as well, so all in, each site will have 4 connections.

There's approximately 175 people at each site, I would essentially be mirroring the setup designed for HQ to the DR/Backup site.

Each site will require a firewall, and wireless access points. The data center located at HQ will be where all the primary traffic goes.

I'm just looking for some assistance in deciding what hardware to use and where it would fit in the topology. I was thinking Nexus 9000 series for the distribution at HQ and DR/Backup sites; would a single Nexus be sufficient for redundancy due to the dual supervisors and multiple PSUs, or would multiple still be required? Cisco ASRs for my core; what should my smaller sites look like for a topology? Just an ASR connected to a stack of layer 3/2 switches, with a wireless AP attached?

Any help is appreciated!



NDR appliance

Hi, any suggestions for an NDR?

We mainly wanna know what is going on inside our network. We already have some firewalls set, but internally we don't have anything for traffic monitoring.

We did try Darktrace, which is quite expensive I might say.

Any other suggestions?



RIP Facebook Network Engineer

So Facebook released a cause for today’s outage. May we all raise a glass to our fellow engineer!

Facebook RFO



Anyone know this network connector?

I haven't found much information about this network connector. It's labelled IRIG-B https://pasteboard.co/j8G6LzyWR3BG.jpg



PFSense newbie

I'm not a sysadmin, I'm more of a tech who's picked up a little of everything else along the way. I was hoping I could pick y'all's brains though. The company I work for has a current network setup of ATT feeding the WAN port of a Netgate firewall. Behind it, it's split into the LAN port on a network 172.16.0.0 /22 with a default gateway of 172.16.0.1 (LAN interface IP), OPT 1 set up 10.10.10.10, and OPT 2 with 10.10.69.1, running an NVR at 69.10 and I forget the netmask on that network. Unfortunately thanks to the network topology of the building, a handful of cameras ended up connected to the LAN network with IP addresses of 172.16.0.xxx and it's not really plausible to add additional wiring at this stage to split the cameras off onto their own networks. Apparently whatever pings the NVR sends out to find network cameras aren't making it somewhere, because the NVR can't even see that there are cameras on a network. I suspect it's because I need to bridge or route the two interfaces, but I'm new to networking in general, so I'm not sure which it is here.



Network Automation on Windows workstations

Over the last few days I've been researching and picking up the pieces to learn Ansible. It looks interesting, and I'm sure with some toying around with it, it could very well improve my workflows. The main problem here is that my organization has me locked into a Windows workstation (we're sans-BYOD). Their security controls have me locked out of installing WSL as well, so Ansible is a straight nope in this environment.

I'm relatively comfortable in Python as I've taken a few courses on it before. That said, I'm only just now exploring Netmiko, Napalm, and various other libraries specific to network automation in Python, and I'm not entirely sure which libraries are purpose-built for which functions. For example, if I want to make a small configuration change to a large number of network appliances, is there a specific library that I should be focussing on? From what I can see, Napalm is excellent for reading information (getters), but I don't have any ideas brewing as to how I could integrate those into any automation logic yet.

Another hypothetical scenario: I want to update the firmware version on a group of devices. What would be a good set of libraries to use for this?

TL;DR: I'm limited to using a Windows workstation without WSL, but I have the ability to utilize VSCode / Python. What are some good ways to begin introducing network automation into my environment?



Juniper EVPN Multi-Homing Active/Standby

I want to use the EVPN-Multi homing feature on Juniper MX. The reason I want to use it is to provide resilience to some customers that only have a /30 IP address configured (unable to run VRRP with a /30) between the two routers. I'm trying to lab this up on 2 x Juniper MX5.

I'm using the following Juniper article for guidance.

https://www.juniper.net/documentation/us/en/software/junos/evpn-vxlan/topics/example/example-evpn-multihoming-configuring.html

AE0 is used for connectivity between the two routers for OSPF, BGP, MPLS (on a subinterface)

AE1 is where I want to put customer interfaces. I have configured one IP address on irb.107 on 100.100.100.1/30

Below are my configs:

Router1:

set interfaces ae0 flexible-vlan-tagging
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast
set interfaces ae0 unit 106 description "new iBGP connection to MX2"
set interfaces ae0 unit 106 vlan-id 106
set interfaces ae0 unit 106 family inet address 2.1.1.1/30
set interfaces ae1 enable
set interfaces ae1 flexible-vlan-tagging
set interfaces ae1 encapsulation flexible-ethernet-services
set interfaces ae1 esi 00:22:44:66:88:00:22:44:66:88
set interfaces ae1 esi single-active
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 unit 107 encapsulation vlan-bridge
set interfaces ae1 unit 107 vlan-id 107
set interfaces irb unit 107 family inet address 100.100.100.1/30
set interfaces lo0 unit 0 family inet address 111.68.166.40/32
set routing-instances BETA instance-type evpn
set routing-instances BETA vlan-id 107
set routing-instances BETA routing-interface irb.107
set routing-instances BETA interface ae1.107
set routing-instances BETA route-distinguisher 111.68.166.40:300
set routing-instances BETA vrf-target target:300:300
set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 111.68.166.40
set protocols bgp group ibgp family evpn signaling
set protocols bgp group ibgp neighbor 111.68.166.48
set protocols mpls interface ae0.106
set protocols mpls interface lo0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ae0.106
set protocols rsvp interface ae0.106
set routing-options router-id 111.68.166.40
set routing-options autonomous-system 6500
set routing-options forwarding-table chained-composite-next-hop ingress evpn

Router2:

set interfaces ae0 flexible-vlan-tagging
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast
set interfaces ae0 unit 106 description "new iBGP connection to MX1"
set interfaces ae0 unit 106 vlan-id 106
set interfaces ae0 unit 106 family inet address 2.1.1.2/30
set interfaces ae1 enable
set interfaces ae1 flexible-vlan-tagging
set interfaces ae1 encapsulation flexible-ethernet-services
set interfaces ae1 esi 00:22:44:66:88:00:22:44:66:88
set interfaces ae1 esi single-active
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 unit 107 encapsulation vlan-bridge
set interfaces ae1 unit 107 vlan-id 107
set interfaces irb unit 107 family inet address 100.100.100.1/30
set interfaces lo0 unit 0 family inet address 111.68.166.48/32
set routing-instances BETA instance-type evpn
set routing-instances BETA protocols evpn
set routing-instances BETA vlan-id 107
set routing-instances BETA routing-interface irb.107
set routing-instances BETA interface ae1.107
set routing-instances BETA route-distinguisher 111.68.166.48:300
set routing-instances BETA vrf-target target:300:300
set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 111.68.166.48
set protocols bgp group ibgp family evpn signaling
set protocols bgp group ibgp neighbor 111.68.166.40
set protocols mpls interface ae0.106
set protocols mpls interface lo0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ae0.106
set protocols rsvp interface ae0.106
set routing-options router-id 111.68.166.48
set routing-options autonomous-system 6500
set routing-options forwarding-table chained-composite-next-hop ingress evpn

I only have 2 x MX5 devices, so it will be a collapsed model compared to the example Juniper have given (no P router, only PE). From that article I'm choosing the bits which I think are relevant, so it's possible I have configured something wrong.

iBGP peering is working correctly (BGP session is established). If I ping from a device on the same VLAN I can actually ping the IRB interface (100.100.100.1), but I'm pretty sure it's not working correctly. My problem is this: one of the routers is supposed to be the Designated Forwarder for the ESI and one is supposed to be the Backup Forwarder. If I run some troubleshooting commands I'm not seeing this. It's like each router is acting independently. E.g. in the output of:

show evpn instance extensive

I'm seeing two things which look wrong:

  • Number of neighbours is showing as 0
  • There is only "Designated forwarder:" and no backup.

Instance: BETA
  Route Distinguisher: 111.68.166.40:300
  VLAN ID: 107
  Per-instance MAC route label: 39
  Duplicate MAC detection threshold: 5
  Duplicate MAC detection window: 180
  MAC database status                     Local  Remote
    MAC advertisements:                       2       0
    MAC+IP advertisements:                    1       0
    Default gateway MAC advertisements:       1       0
  Number of local interfaces: 2 (2 up)
    Interface name  ESI                            Mode           Status  AC-Role
    .local..8       00:00:00:00:00:00:00:00:00:00  single-homed   Up      Root
    ae1.107         00:22:44:66:88:00:22:44:66:88  single-active  Up      Root
  Number of IRB interfaces: 1 (1 up)
    Interface name  VLAN  VNI  Status  L3 context
    irb.107         107        Up      master
  Number of protect interfaces: 0
  Number of bridge domains: 1
    VLAN  Domain-ID  Intfs/up  IRB-intf  Mode  MAC-sync  IM-label  v4-SG-sync  IM-core-NH  v6-SG-sync  IM-core-NH  Trans-ID
    107   1  1  irb.107  Extended  Enabled  47  Disabled  Disabled
  Number of neighbors: 0
  Number of ethernet segments: 1
    ESI: 00:22:44:66:88:00:22:44:66:88
      Status: Resolved by IFL ae1.107
      Local interface: ae1.107, Status: Up/Forwarding
      DF Election Algorithm: MOD based
      Designated forwarder: 111.68.166.40
      Last designated forwarder update: Oct 04 17:27:27
      Advertised MAC label: 49
      Advertised aliasing label: 49
      Advertised split horizon label: 50
  SMET Forwarding: Disabled

Instance: __default_evpn__
  Route Distinguisher: 111.68.166.40:0
  Number of bridge domains: 0
  Number of neighbors: 0

Any idea why this is happening? I can't see any obvious issues with the BGP config (iBGP peering is up) but it seems like it's not functioning for EVPN.

Any suggestions appreciated. First time setting this up.

Thanks



Who to make spanning-tree root

https://imgur.com/jjzPVie

Configuring rapid per-VLAN spanning tree. Each switch would participate in the same VLANs.

Looking at the diagram above, who would I make spanning-tree root in this scenario? The 2 sites are connected via fiber and it's a layer 2 link.

You can see next to the switches the priority I thought about assigning. Does this idea make sense?



Downloading kills WAN response

Hi everyone - very strange problem which popped up out of nowhere. We have a corporate 100 up/100 down link (fiber) going through Crown Castle ISP here in South Florida, and out of nowhere, whenever anyone utilizes 100% of the WAN downloading something, traffic stops responding until the load is removed. Before, it used to still go out no problem; the WAN would just give 50 Mbit for one user and 50 Mbit for the other if necessary and just keep splitting/dividing up bandwidth to let everyone out, but not anymore.
Nothing changed; we are going from fiber demarc > Cisco 2921 router > firewall > core switch > users (only 25 end users). Flat network, no VLANs or anything, so we tried bypassing the core switch and firewall and hooked directly into the Cisco; the same thing happens. If I run a constant ping to, say, www.google.com and then run a speedtest.net, it will time out most replies (not all, but enough to effectively be "down") and people will come asking if the internet is down since they can't access websites.

How do we even approach our ISP about this? Is this a "thing" and why would it start happening all of a sudden? We've been in the same building with the same service and same equipment for 8 years. Literally, nothing changed (at least that we can see). Were we oversubscribed on the ISP-side? What should we tell them when we call and ask what the heck is going on?

Thanks!



What is going on with this WAP setup in this lecture hall?

The setup in question: https://imgur.com/a/Zj6bEtQ

I took this photo in my lecture hall. As you can see there are two Aruba access points on either side of the projector. This lecture hall is only about 200 seats. I am trying to figure out what is going on here as far as their configuration. In addition, I didn't check for hidden SSIDs, but as far as I know there is only one SSID for staff and students.

Given that they are so close to each other, don't they interfere with each other? Don't modern APs have 200+ client capability? So is this a client limit issue? Are they maybe set up on different channels to minimize congestion? If so, what stops the clients from just connecting to the one? Are they set up to only take 100 clients each or something, and that forces clients to connect to the other AP? Are they maybe set up to only do one band? If so, what's the advantage to that? Are there any other possible explanations for what is going on here?

TL;DR - What is the most likely configuration for these two APs sitting next to each other?

Thanks.



Cisco 9300UX high OutDiscards

We have a Cisco 9300UX-A connected to some vSAN ESXi hosts and on the 10 gig ports we are seeing a bunch of "outdiscards". From what I can gather, this looks like it could be buffer related. Below is the output I got from a Cisco KB article; however, I'm not a network guy. I don't know how to read this output to see if this is an issue with the buffer.

Screenshot



Cisco 9200 Flush Mount Ears

Hello!

Anyone know if there are any oem/aftermarket flush mount ears for a Cisco 9200? The stock ears are inset a good 1/4" to 3/16" and we're looking for ears that will mount completely flush.

Ty



How can Facebook have an entire system outage when they have datacenters all over the world?

I do DevOps and programming, and I'm not too versed with networking outside the realm of DevOps. I set up load balancers often. I attended a Facebook conference where I learned they do adopt the DevOps philosophy at Facebook. And this is why I can't understand how a huge system like Facebook could have a major outage when they have servers all over the world.

In a well designed network architecture how is something like this possible? Asking because I'd like to learn how these things happen.

Thanks.



Should I use Apache Kafka or gRPC to communicate between robot fleet and cloud?

Hey, people! I'm currently working on a project at my company where I'm trying to stream data between our robots in the field and the cloud. The robots have a connection to the cloud either through 4G or WiFi, depending on whether they're deployed inside or outside, but generally the network connection tends to be very poor in certain areas. I'm trying to decide whether we should go for PubSub (publish-subscribe pattern) or RPC (request-response, bi-stream pattern) for communicating with the cloud. Two obvious candidates would be gRPC in the case of RPC, or Kafka in the case of PubSub. However, I'm a bit undecided on which of the two would be the best fit and I could use some expert advice from the Reddit community.

What data are we sending?

  • zipped files, streaming of sensory data like robot position, battery levels, point clouds
  • streaming of mission commands like forward and backward gain (robot telepresence)
  • unary requests like mission plans, occupancy grid maps

Some requirements:

  • Data encryption
  • Authentication and authorization
  • possibility to prioritize data persistence over low-latency, and vice-versa

Some limitations to be aware of:

  • We generally have poor network when driving/flying around. Stable network connection is only assured at robot docking station.
  • In the case of poor connection we need to be able to persist data to disk (or memory) for things like sensory data, so that it can be uploaded/streamed once the connection is stable.

Any good advice on which of the two - gRPC or Kafka - I should choose and why?

Some limitations / drawbacks that I should be aware of?

Any useful experience people have encountered that I should be aware of?

THANK YOU IN ADVANCE!!



Explain to me like I'm 12. Why is Facebook & Co. Down?

I hear it's something to do with BGP etc. But what is actually happening in simple terms?



Optical fiber network and its components

Could somebody suggest a good book to read about it? Most books just briefly touch this field and almost none of them talk about real life implementations. Thanks in advance



Prevent, Protect, Cyber

I'm a network engineer applying for a job in UK banking industry, coming from insurance.

The job description asks for "Prevent, Protect, Cyber knowledge" but I applied anyway thinking I'll just read up on it later, but Google has failed me!!

Anyone fill me in?



Cisco 2960X, unable to pass access traffic.

I have 7 2960X switches that are unable to pass user traffic. Trunks are allowing all VLANs with no errors. VTP is properly configured to match the core switch. On the 2960X we can ping across the network using our management VLAN. However, when we attempt to ping with a source IP other than the management VLAN it fails to do so. The switches are configured to be as bare as possible for right now, as we are only focused on solving this problem. Is there some trick to making a 2960X function at a basic layer 2 level? Any and all help is welcomed.



Did Facebook just go down?

I see several services related to FB not responding here in West EU. Downdetector points out I’m not the only one, anyone else here who knows more about this?



Any good training out there for Cisco Firepower?

We are getting ready to implement a Cisco Firepower 2100 Threat Defense into our network. It has an IDS module in it and is going to replace our current McAfee IDS. I guess with the purchase, we did not get any type of training. So I was curious if anyone had any suggestions on training out there to just jump into the basics of how to use this device, set up policies, etc.



DNS outage - Google

We had to move away from google's DNS servers



HP 2920 SSH Access

I am trying to disable telnet on some HP switches but when I connect via SSH the username and password won’t work.

I have logged into the GUI and gone through the security wizard, disabled telnet, enabled SSH and set the manager and operator passwords.

I connect via SSH and the username and password don't work; if I enable telnet I log in fine with the manager and operator.

Any help would be great.

Thanks



Advice

I currently have 48 HP switches in various levels of decay. I need to start replacing them, and I would like some advice on vendors. I need something that can be centrally managed (no Ubiquiti). I do not want ongoing licensing or mandatory support costs (looking at you, Cisco). I do not want to get familiar with switch CLI syntax. I'm a server guy who has to do networking. I have all fiber backhauls. I need at least a 10 Gb backbone, but probably more or upgradable in the future. Also, let me know if there is some magical software that can manage across vendors or manage HP switches from ancient Procurves that EOL'd over 5 years ago to the Aruba switches they sell now.



EVE-NG MAC Address Manufacturer OUI?

Hi,

Does EVE-NG emulate manufacturer OUIs for MAC Addresses? I need to build a lab for NAC testing and evaluating its ability to identify devices by OUI is a key requirement.

Thanks



Training with Eight-o-Two Technology Solutions for CWNA

Has anyone taken any training with Eight-o-Two Technology Solutions? If so, what were your thoughts on the instructor(s), the content, how the content was taught, etc.?

I'm looking at their CWNA virtual course.



Industrial networking

I am using a bunch of Allen-Bradley Stratix family switches; they are based on Cisco L2 IOS (I'm told it's basically the same as the 3750 code, but this isn't verified). Sometimes when I have a switch-to-switch connection where both switches are set up as trunk with a native VLAN set, when that switch-to-switch link comes up it will dump all of the other ports on one or the other or both of the switches (similar to a spanning tree issue) and go back to orange blinking, then it will renegotiate, go back to green and communicate as needed. I thought it was a BPDU thing, but I changed that setting and it didn't fix it. Any help is appreciated, thanks.



pls help me resolve problem of router

Guys, I need help. I have a Nokia router and a connection with a speed of 100 Mbps. I am sitting right under my router and the speed I am getting is 0.85 Mbps download and 8.35 Mbps upload. Please help me with it.



Connecting Two Offices with Site-to-Site VPN?

Hi.

I'm currently doing my first networking related course at university and have an assignment to create a network topology for a business. This business has a main office with 40 users that needs to be able to privately communicate with a production office of 10 users more than 200 km away. The production office has a stable internet connection. My question is, would connecting these two offices by a site-to-site VPN be viable? My main concern is that there will be too much traffic for the VPN to handle, but I'm not sure. As far as I can tell using this website https://azure.microsoft.com/en-us/pricing/details/vpn-gateway it should be able to handle the amount of users. The main reason I'm steering towards VPN is to save on cost as opposed to using MPLS or private Ethernet services.

What are your thoughts?



Upgrading a Cisco switch

Hello all,

Maybe a dumb question, but I was wondering if it is possible to upgrade a Cisco switch (a 3850 in this case) without network connectivity, i.e. doing it offline by just connecting my laptop to the Cisco switch (via console port)?

Any tips?



Measuring connection quality?

I'm wondering what all of the factors to consider are when measuring the quality of a connection.

There are a bunch of terms I've heard, all of which help determine whether or not there's a "good" connection: RTT/latency, jitter, packet loss. I'd like to read up on this - and I'm sure at every layer there are different factors - e.g. at layer 3/4 maybe you're dealing with ping, jitter and latency, but at layer 1 you might be dealing with EM interference, which obviously would affect the higher layers.

Can anyone point me in the right direction to read up on this a bit?

Also: are there any really good definitive software tools for breaking down the quality of a connection? I know iPerf is recommended by many as a good tool for measuring .. throughput? And obviously ping can measure RTT. What other tools are you guys using to quantify the quality of a connection?
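The three numbers named in this post (RTT, jitter, loss) can all be computed from one ordered list of probe results, and comparing an idle run with a run taken while someone saturates the link gives the "latency under load" figure that the earlier "Downloading kills WAN response" post was effectively measuring by hand with ping plus a speed test. The code below is an added example, not from either post or from any tool: it takes RTT samples in milliseconds (None for a lost probe), reports loss, min/median/avg/max, a plain mean-consecutive-delta jitter and the RFC 3550 smoothed interarrival-jitter estimator, then diffs an idle run against a loaded one. The sample values are constructed.

```python
from statistics import mean, median
from typing import Dict, List, Optional


def summarize(rtts_ms: List[Optional[float]]) -> Dict[str, Optional[float]]:
    """Path-quality metrics from probe results in send order; None = no reply (loss)."""
    sent = len(rtts_ms)
    if sent == 0:
        raise ValueError("no samples")
    received = [r for r in rtts_ms if r is not None]
    loss_pct = round(100.0 * (sent - len(received)) / sent, 2)
    if not received:
        return {"sent": sent, "loss_pct": loss_pct, "min": None, "median": None, "avg": None,
                "max": None, "jitter_mean_delta": None, "jitter_rfc3550": None}
    # Jitter is about variation between consecutive replies, not distance from the mean.
    deltas = [abs(b - a) for a, b in zip(received, received[1:])]
    # RFC 3550 interarrival-jitter estimator: J += (|D| - J) / 16, an exponential smoother
    # that damps a single spike but tracks sustained variation.
    j = 0.0
    for d in deltas:
        j += (d - j) / 16
    return {
        "sent": sent,
        "loss_pct": loss_pct,
        "min": min(received),
        "median": median(received),
        "avg": round(mean(received), 2),
        "max": max(received),
        "jitter_mean_delta": round(mean(deltas), 2) if deltas else 0.0,
        "jitter_rfc3550": round(j, 2),
    }


def latency_under_load(idle: List[Optional[float]], loaded: List[Optional[float]]) -> Dict[str, float]:
    """Diff an idle probe run against one taken while the link is saturated. Added median
    latency (bufferbloat) and added loss are what separate "the link is full but fair"
    from "the link falls over under load". Median is used so one outlier can't dominate."""
    a, b = summarize(idle), summarize(loaded)
    added_median = (b["median"] if b["median"] is not None else 0.0) - (a["median"] if a["median"] is not None else 0.0)
    return {"added_median_ms": round(added_median, 2),
            "added_loss_pct": round(b["loss_pct"] - a["loss_pct"], 2)}


# Constructed sample runs (ms), e.g. ten probes each to the same host.
IDLE = [20.0, 22.0, None, 21.0, 80.0, 20.0, None, 23.0, 19.0, 21.0]
LOADED = [35.0, None, None, 410.0, None, 380.0, None, None, 395.0, 40.0]

if __name__ == "__main__":
    print("idle:  ", summarize(IDLE))
    print("loaded:", summarize(LOADED))
    print("delta: ", latency_under_load(IDLE, LOADED))
```

Two design notes: loss is counted against probes sent, not replies received, so a run that gets no replies at all still reports 100% loss instead of dividing by zero; and the two jitter figures deliberately disagree on the spiky idle run (one 80 ms outlier), which is exactly the case where you want to know which estimator a tool is quoting.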