Saturday, October 30, 2021

Is PPPoE an attack vector?

How dangerous are PPPoE Ethernet frames? I’ve always assumed you can tag them and put them on a VLAN and have them arrive at a Linux interface running pppd.

If I do this, can anyone on the Internet now get on that particular VLAN? Are they safely encapsulated inside PPPoE, or is it riskier than that?

My site has a dumb DSL to Ethernet modem at one end but the actual machine running pppd is at the other end, so the two talk over a VLAN. That’s not going to fly though unless the nature of PPPoE means the only attack surface is pppd itself, and not the VLAN or switch in between.
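Added example, not part of the post above and not pppd's code: a small Python parser for what actually travels on such a VLAN, plus the check a practitioner would run to confirm that only PPPoE traffic traverses it. Remote IP packets arrive inside a PPP frame inside a PPPoE session frame (ethertype 0x8864), so a raw IPv4 or ARP frame with the VLAN tag, or a PPPoE session that pppd's MAC is not a party to, is something that originated on the local side and is worth flagging. The MAC addresses, VLAN 7, session ID and the IPv4 header stub are constructed for the demonstration.

```python
import struct

ETH_IPV4, ETH_ARP, ETH_8021Q = 0x0800, 0x0806, 0x8100
ETH_PPPOE_DISC, ETH_PPPOE_SESS = 0x8863, 0x8864   # PPPoE discovery / session stage (RFC 2516)
PPPOE_ETHERTYPES = {ETH_PPPOE_DISC, ETH_PPPOE_SESS}
PPP_PROTO_NAMES = {0x0021: "IPv4", 0x0057: "IPv6", 0x8021: "IPCP", 0x8057: "IPV6CP",
                   0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP"}


def parse_frame(frame: bytes) -> dict:
    """Parse Ethernet II, an optional 802.1Q tag, and (if present) the PPPoE and PPP headers."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETH_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan, "ethertype": ethertype}
    if ethertype in PPPOE_ETHERTYPES:
        vt, code, session_id, length = struct.unpack("!BBHH", frame[offset:offset + 6])
        if vt != 0x11:                                    # VER=1, TYPE=1 are the only defined values
            raise ValueError(f"bad PPPoE VER/TYPE {vt:#04x}")
        payload = frame[offset + 6:offset + 6 + length]
        if len(payload) != length:
            raise ValueError("PPPoE LENGTH runs past the end of the frame")
        info.update(pppoe_code=code, session_id=session_id)
        if ethertype == ETH_PPPOE_SESS and length >= 2:   # session payload is a PPP frame: protocol + data
            (ppp_proto,) = struct.unpack("!H", payload[:2])
            info["ppp_proto"] = PPP_PROTO_NAMES.get(ppp_proto, f"{ppp_proto:#06x}")
            info["ppp_payload"] = payload[2:]
    return info


def audit_pppoe_vlan(frames, pppoe_vlan: int, pppd_mac: bytes):
    """Flag frames on the PPPoE VLAN that are not PPPoE at all, and PPPoE session frames in
    which pppd's MAC is neither source nor destination (some other host holds a session)."""
    findings, pppd = [], pppd_mac.hex(":")
    for idx, frame in enumerate(frames):
        info = parse_frame(frame)
        if info["vlan"] != pppoe_vlan:
            continue
        if info["ethertype"] not in PPPOE_ETHERTYPES:
            findings.append((idx, f"non-PPPoE ethertype {info['ethertype']:#06x} on VLAN {pppoe_vlan}"))
        elif info["ethertype"] == ETH_PPPOE_SESS and pppd not in (info["src"], info["dst"]):
            findings.append((idx, f"PPPoE session {info['session_id']:#06x} "
                                  f"{info['src']} -> {info['dst']} does not involve pppd"))
    return findings


# --- constructed sample traffic (locally administered MACs, made-up VLAN and session ID) ---
def ethernet(dst, src, ethertype, payload, vlan=None):
    tag = struct.pack("!HH", ETH_8021Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def pppoe_session_payload(ppp_proto, ppp_data, session_id):
    ppp = struct.pack("!H", ppp_proto) + ppp_data
    return struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp

PPPD_MAC = bytes.fromhex("02000000aa01")
MODEM_MAC = bytes.fromhex("02000000aa02")
OTHER_MAC = bytes.fromhex("02000000aa03")
PPPOE_VLAN, SESSION = 7, 0x1A2B
IPV4_STUB = bytes.fromhex("45000014") + bytes(16)   # 20-byte IPv4 header skeleton, constructed

SAMPLE_FRAMES = [
    ethernet(PPPD_MAC, MODEM_MAC, ETH_PPPOE_SESS, pppoe_session_payload(0x0021, IPV4_STUB, SESSION), PPPOE_VLAN),  # normal
    ethernet(PPPD_MAC, OTHER_MAC, ETH_IPV4, IPV4_STUB, PPPOE_VLAN),                                              # raw IP on the VLAN
    ethernet(OTHER_MAC, MODEM_MAC, ETH_PPPOE_SESS, pppoe_session_payload(0x0021, IPV4_STUB, 0x0002), PPPOE_VLAN),  # session without pppd
    ethernet(bytes.fromhex("ffffffffffff"), OTHER_MAC, ETH_ARP, bytes(28)),                                      # untagged, ignored
    ethernet(MODEM_MAC, PPPD_MAC, ETH_PPPOE_SESS, pppoe_session_payload(0xC021, b"\x09\x00\x00\x04", SESSION), PPPOE_VLAN),  # LCP echo
]

if __name__ == "__main__":
    for idx, reason in audit_pppoe_vlan(SAMPLE_FRAMES, PPPOE_VLAN, PPPD_MAC):
        print(f"frame {idx}: {reason}")
```

The same two checks map directly onto a capture filter on the pppd host (`vlan 7 and not (ether proto 0x8863 or ether proto 0x8864)`) once the VLAN and MACs are substituted.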



Switch a client from Ubiquiti Security Gateway to Netgate?

Long story short, have a client that had a fire and destroyed his server room. I've got him up and running with some spare stuff I had in inventory. He was running a full Ubiquiti setup: Unifi Security Gateway Pro, 3x USG-8 (strip mall with 3 businesses) and 6 AC AP Pros.

I'm looking at just putting in a 48 G2 Unifi switch and a Netgate 2100. Of course all of the APs will stay the same, basically ditching the security appliance. Just seems like a way better security appliance, and the several clients I have running them have been doing so without issues.



VPN + Reverse Proxy for remote access - How will return traffic be routed?

Currently, I’m planning out how to remotely access some local servers (VMs) running behind a CGNAT that I have no control over. My idea is to install a VPN server (WireGuard) on a VPS and have a dedicated VPN client VM that will also run a reverse proxy (Caddy). My domain will point to the VPS, which will forward HTTP / HTTPS traffic to the VPN client, which will then reverse proxy the traffic to the respective servers based on subdomain. That takes care of getting traffic to flow in from behind the CGNAT.

What I’m a little unsure of is how the servers will try to route the return traffic. Each server’s default gateway is set to the local subnet’s router. So, if a remote user initiates a connection to the VPS which eventually ends up at a local server, won’t the server try to send that return traffic via the default gateway? Or will it know to send it back to the VPN client which will forward it back through the VPN to the VPS? I feel like I’m forgetting some networking fundamentals here…

I could simply configure each server’s default gateway to be the VPN client, but I’m only using the VPN to bypass the CGNAT and would rather use my local ISP connection for all other traffic.

TLDR: Will a host know to send return traffic via the same path it was received, or will it always try the default gateway?

Any suggestions on my plan are also welcomed. I've considered configuring each client to connect to the VPS VPN server directly and running the reverse proxy on the VPS, but it seems simpler to just worry about one VPN connection instead of separate connections for each server.



Interactive Network Visualization

I'm looking for Interactive Network Visualization software (like the title says). I am an Infrastructure Architect for a blended network that combines IT/OT, on-prem, cloud, and a fiber infrastructure that spans over 4000 miles of fiber in multiple states. We have over 1500 devices on our various networks and OT enterprise.

What I'm looking for is something truly interactive. We use various software for IPAM, NMS, threat security and SIEM, but have no single network map that could display everything. Has anyone seen or used anything that can display a network in an interactive way?

By Interactive I mean something like I can click on a switch and see all VLANs, and select a VLAN to see if it traverses all switches end to end. Or select a trunk port and see all VLANs on that trunk. Or select a device and see the path it takes through the network to see what has access to see that device.

Does this software even exist? Any experience or ideas would be appreciated.



Radius - enterprise WIFI not working

Hi all,

Trying to set up WPA2 EAP with Windows NPS + Unifi WIFI but running into issues that I don't know how to troubleshoot further..

I can't post screenshots so I am going to skip past the setup for now and keep it simple:

-Radius Access request is sent out from the NAS and received on the Radius server

-Radius server replies with Radius Access Challenge

-Request and Challenge are repeated half a dozen times until the client finally reports "Unable to connect to this network" or similar.

Tested with laptop wifi, smart phone, desktop+USB wifi stick. All are the same.

I verified this by taking PCAPs on the firewall's VLAN interface which is connected to the wifi workstation, a PCAP from the RADIUS server using Wireshark, and a PCAP from the access point. The AP itself shows the RADIUS Access-Challenge packet. Is my understanding correct that the RADIUS server is asking for more info (challenge) and not getting it?

Tried to take PCAP from workstation WIFI interface but not able to see any packets.



I am not sure about how efficiently our network is setup

The way it is setup is, internet wire comes from the antenna, goes to an adapter which is connected to our firewall, at the same time, our firewall is connected both to our Server, and switches.

The last part is where I am not so sure: when I connect the internet cable to a laptop the connection is very stable, but once I connect it to the firewall it starts dropping packets.

My questions are as follows:

  1. Should the firewall be directly connected to the server as well as the switches?
  2. Where do I start debugging the network dropping packets?

For context I am not a network specialist, my senior is out of town, and when I told him about the situation I was just met with a "we'll see", but shit is driving me nuts because it slows up the connection.

I am also suspecting there is a loop somewhere but I ain't sure.



ONYX Port Security

Looking at Mellanox switches right now. I can't seem to find anything that indicates if Mellanox Onyx OS supports port security like Cisco or Cumulus. Can anyone confirm? Thanks in advance.



Join and share :)



Aruba -- Force all APs / Clients to IDC cluster

Looking for some help from anyone with experience with Aruba wireless infrastructure MM / MDs.  We have two clusters configured ... one at our primary DC with Primary MM and 4 MDs then one at our secondary DC with Secondary MM and 2 MDs.  The clients and APs are "load balanced" across all MDs (I'm not exactly sure of the load balancing mechanism though).  

We will be moving equipment at our secondary DC and I'd like to force all clients and APs over to the primary cluster during the maintenance.  Does anyone know of a way to accomplish this?



ISP gave /30 Subnet

I am setting up a network for a small office. The ISP installed a router and leased a /30 subnet. The 2 usable ip addresses are:

  • .85 - Router address
  • .86 - Usable address

Management wants 24 VOIP phones connected to 48 port POE switch

Separate Wireless access point w/ DHCP configured for 180 BYOD.

I'm reading a /30 Subnet is for Point-to-Point. I'm understanding that I would need more usable addresses for a maximum of 254 addresses. Is there anything I've overlooked, as to why the ISP only gave a single /30 subnet for the company? I'm sure management communicated the network setup that they want implemented to the ISP. Should I call ISP and request another /24 Network? Or is there another way to configure this?



Wifi and Collision Domains

Given that multiple clients in a single collision domain can impact performance, and given that a WAP functions as a single collision domain, does it follow that more clients on a single WAP will increase the number of collisions that take place, and if so, what performance impact might that realistically have?

I see WAPs that advertise support for 300+ clients. Would supporting, say, even half this number cause performance impacts from collisions? Or is this more theoretical with little real world impact?

Thanks!



Juniper vSRX in db> mode in EVE-NG

Has anyone run into this issue? I am using the default values for QEMU Version, which is 2.4.0.

After about 15-20 minutes, it goes to db>



trouble figuring out which job to take

a couple of weeks ago I was let go from a small msp. I started interviewing like crazy and got 2 job offers on the same day and no clue which to take and am curious what you guys think, the pay and insurance is the same on both:

  1. Large MSP, I will be Sr. Network Engineer, dealing with design, projects, support. Cisco and Palo Alto, SD-WAN, possible automation experience
  2. 150 person law firm with 3 datacenters, will be working on a network refresh, going from Cisco to Arista, they use Palo Altos which I would be redesigning, possible work in Azure. I would be a decision maker but due to the size they are less likely to do things like ACI and automation, and once OSPF and BGP are set there will be little work for me to do on it.

What do you guys think?



Could this cause excessive output drops on a link?

I have a link between a router and a 3650 switch. The router's interface is connected using an RJ45 cable, has 2k output drops, full duplex and using FIFO queuing. The switch's uplink is full duplex using an SFP module. The interface is using class-based queuing.

There is nothing going on at the site, no collisions, unknown protocol drops, and late collisions. Where would you start with this? Stupid observation, but does the difference in QoS mechanisms on the link matter?



BGP & Routing -- Noob Asking Advice

Hello,

I hope it is okay to ask here because I am not sure where else to ask...

So here's the basics.

We have an ASN, several IP blocks (v6 + v4) etc.

We have a BGP server setup on a server with BIRD that is working fine and broadcasting blocks to upstreams.

Now the question is:

Do we need to make a router or can we install routing software onto the same BGP server and how to add the blocks to it so they can be mounted to the server?

Before, we had BGP hosted but the routing was handled by someone else and I have no idea how they set it up; presumably it was a Cisco all-in-one type setup.

Now that everything is in-house, I am wondering, other than BGP, what the next step is to have a gateway, netmask, and all like we had from them before. If I mount them on the same network BGP is running on like they were before and use the BGP server IP as gateway, does this work? Or how?

Sorry for the noob questions here. Just trying to get this up and running and really don't wanna go spend 1000s on some all in one solution when it seems a simple server running this connected to switch is fine.

Pretty much my assumption is that there needs to be a router that is capable of handling external addresses and not some normal NAT based router there, or router software. Just not sure what to use.

Thanks.



Why does 10 Gbps Ethernet require fibre optics while my 40 Gbps Thunderbolt cable is copper?

Hi! Networking noob here with a question:

To reduce the risk of getting strangled by the mess of cables on my desk I gifted myself a Thunderbolt 4 docking station which handles bandwidths of up to 40 Gbps. Rerouting all the cables made me remember a student job I had at a data center a couple of years ago, where I installed the hardware for a 10 Gbps network which included plugging in a lot of those large cables.


Now here's my simple question. How come my regular copper Thunderbolt cable does the job while the data center had to use fibre optics? Is this only due to the fact that, in general, the required cable lengths are much larger for Ethernet?

Thanks 🙂



ASR920 port down even though LEDs are green and remote end says link up

Hi all, I have a bit of a headscratcher here.

We have two ASR920s that we use for BGP peering with our ISPs. We're in the middle of setting up a new set of FortiGate firewalls and I'm having issues connecting them to the ASRs.

When connecting the devices I get green LEDs all round and the FortiGates mark the links 1000fdx, but no traffic is passed; the LEDs are solid green, no activity. If I look at show int gi0/0/x the port and protocol is marked as down, not errdisable or anything, just down.

I've tried to shutdown the ports overnight, but it made zero difference, I've also tried to place a switch between the devices again with zero success.

On the ASRs the ports are in a basic Ethernet service instance, same config as the ports to our current Check Point firewalls.

The ASRs are licenced for 24x1G + 4x10G, so it shouldn't be a licensing issue.

I originally tried with the 10G SFP+ interfaces, but I'm having practically the same issue with the copper 1G ports.

Let me know if you need any config from either the ASRs or the FGs.



Friday, October 29, 2021

Embarrassing troubleshooting stories

There was an issue with a link between two devices today, and I was lucky enough to be on-site 😑. Mind you, this is a data center and I'm new to this type of environment. Long story short, I wasted about 3 hrs looking at the wrong port on one end because I misread the fiber patch panels. I was also going down a rabbit hole on the other end because the label on the fiber was not updated after it was moved to a different patch panel. There were about 30 people on the call, including my boss and his boss.

Any one have any embarrassing troubleshooting stories????



Thoughts on Alcatel Lucent

What are your thoughts on Alcatel-Lucent networking equipment? I've been using it for about a year and really like its CLI. I'm just curious because I haven't seen many posts about them.



Career moves

Hey everyone,

I will be getting my associate's in December for cybersecurity and networking. I really enjoyed the networking aspect of my degree.

I currently work for a community college as a temp for the next few months mostly doing trouble shooting and imaging computers.

I have been offered a position for full time employment with a rural ISP that uses water towers to push their fiber out.

I would like to work in the network field. I'm currently studying for my A+, then I'll go after my Network+, then my Security+. I will be getting more certificates as I go.

My question is, which would give me an upper hand? Being an assistant to the help desk or working with an ISP with way better pay and full time employment?



Simple Bird ibgp config doesn't work

Hi, I'm setting up Bird on two hosts. First one got correct routes but second one got unreachable routes.

Network scheme:

┌────────────┐      ┌────────────┐
│ First host ├──────┤Second host │
│ 10.20.30.2 │      │ 10.20.30.1 │
└──────┬─────┘      └──────┬─────┘
       │                   │
┌──────┴─────┐      ┌──────┴─────┐
│  Network   │      │  Network   │
│192.168.88.0│      │10.111.150.0│
└────────────┘      └────────────┘

First host:

router id 10.20.30.2;

protocol direct {
    interface "*";
}

protocol kernel {
    scan time 1;
    import all;
    export all;
}

protocol device {
    scan time 1;
}

protocol bgp fast {
    export filter {
        if net ~ 10.20.30.0/24 then reject;
        if net ~ 172.0.0.0/8 then reject;
        accept;
    };
    import all;
    local as 64001;
    neighbor 10.20.30.1 as 64001;
}

Second host:

router id 10.20.30.1;

protocol direct {
    interface "*";
}

protocol kernel {
    scan time 1;
    import all;
    export all;
}

protocol device {
    scan time 1;
}

template bgp tmpl {
    export filter {
        if net ~ 10.20.30.0/24 then reject;
        if net ~ 172.0.0.0/8 then reject;
        accept;
    };
    import all;
    local as 64001;
    next hop self;
    multihop;
    rr client;
}

protocol bgp msk from tmpl {
    neighbor 10.20.30.2 as 64001;
}

First host routes:

unreachable 10.111.200.0/24 proto bird 

Second host routes:

192.168.88.0/24 via 10.20.30.2 dev homenet proto bird
192.168.122.0/24 via 10.20.30.2 dev homenet proto bird

Logs from host 1:

2021-10-30 03:17:54 <TRACE> fast: Connecting to 10.20.30.1 from local address 0.0.0.0
2021-10-30 03:17:54 <TRACE> fast: Got OPEN(as=64001,hold=240,id=0a141e01)
2021-10-30 03:17:54 <TRACE> fast: Sending KEEPALIVE
2021-10-30 03:17:54 <TRACE> fast: Got KEEPALIVE
2021-10-30 03:17:54 <TRACE> fast: BGP session established
2021-10-30 03:17:54 <TRACE> fast: Connected to table master
2021-10-30 03:17:54 <TRACE> fast: State changed to feed
2021-10-30 03:17:54 <TRACE> fast < added 10.0.0.0/24 dev virbr1
2021-10-30 03:17:54 <TRACE> fast < added 192.168.122.0/24 dev virbr0
2021-10-30 03:17:54 <TRACE> fast < added 192.168.88.0/24 dev br0
2021-10-30 03:17:54 <TRACE> fast < filtered out 10.20.30.2/32 dev homenet
2021-10-30 03:17:54 <TRACE> fast < filtered out 172.19.0.0/16 dev br-0a68aa090a88
2021-10-30 03:17:54 <TRACE> fast < filtered out 172.17.0.0/16 dev docker0
2021-10-30 03:17:54 <TRACE> fast < filtered out 172.21.0.0/16 dev br-0c8390fd6e37
2021-10-30 03:17:54 <TRACE> fast: State changed to up
2021-10-30 03:17:54 <TRACE> fast: Sending UPDATE
2021-10-30 03:17:54 <TRACE> fast: Sending END-OF-RIB
2021-10-30 03:17:54 <TRACE> fast: Got UPDATE
2021-10-30 03:17:54 <TRACE> fast > added [best] 10.111.200.0/24 unreachable
2021-10-30 03:17:54 <TRACE> kernel1 < added 10.111.200.0/24 unreachable
2021-10-30 03:17:54 <TRACE> fast < rejected by protocol 10.111.200.0/24 unreachable
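Added example, not from the post above and not BIRD's code: a small model of the next-hop resolution BIRD performs before it will install a route learned over BGP. For a single-hop session BIRD defaults to `gateway direct`, so the advertised next hop (here 10.20.30.1, because host 2 sets `next hop self`) must be an on-link neighbour of one of the receiver's interfaces; for `multihop` sessions the default is `gateway recursive`, a longest-prefix match through the routing table whose result must in turn be on-link. A next hop that resolves neither way is installed as `unreachable`, which is what host 1's trace shows. The model uses the prefixes visible in host 1's trace, with the .1 host addresses on br0/virbr0/virbr1 and the /32 on homenet assumed, and shows the same next hop resolving once homenet either carries a subnet that contains the peer or has 10.20.30.1 as its point-to-point peer. Whether the real host 1 table contains such a route depends on what its kernel protocol imports, which the post does not show.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class Interface:
    name: str
    address: ipaddress.IPv4Interface   # address with prefix length, e.g. 10.20.30.2/32
    peer: Optional[IPv4] = None        # point-to-point peer address, if the interface has one


def on_link_interface(nexthop: IPv4, interfaces: List[Interface]) -> Optional[str]:
    """Interface on which `nexthop` is a directly reachable neighbour, or None."""
    for iface in interfaces:
        net = iface.address.network
        # A /32 address has no neighbours inside its own prefix; only an explicit p-t-p peer counts.
        if net.prefixlen < 32 and nexthop in net and nexthop != iface.address.ip:
            return iface.name
        if iface.peer is not None and nexthop == iface.peer:
            return iface.name
    return None


def resolve_nexthop(nexthop: IPv4, interfaces: List[Interface],
                    table: List[Tuple[ipaddress.IPv4Network, Optional[IPv4], str]],
                    mode: str = "direct") -> Optional[str]:
    """Outgoing interface for a BGP next hop, or None when it cannot be resolved.
    mode="direct":    the next hop itself must be on-link (BIRD default for single-hop sessions).
    mode="recursive": longest-prefix match in `table` (prefix, gateway-or-None, device),
                      then the matched route's gateway must be on-link (default for multihop)."""
    if mode == "direct":
        return on_link_interface(nexthop, interfaces)
    best = None
    for prefix, gateway, dev in table:
        if nexthop in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gateway, dev)
    if best is None:
        return None
    _, gateway, dev = best
    return dev if gateway is None else on_link_interface(gateway, interfaces)


def install_route(nexthop: IPv4, interfaces, table, mode: str = "direct") -> str:
    """What the kernel would end up with for a route advertised with this next hop."""
    dev = resolve_nexthop(nexthop, interfaces, table, mode)
    return "unreachable" if dev is None else f"via {nexthop} dev {dev}"


def connected_routes(interfaces: List[Interface]):
    """The routes BIRD's `direct` protocol would contribute for these interfaces."""
    return [(i.address.network, None, i.name) for i in interfaces]


def host1_scenarios() -> dict:
    """Host 1 as the trace shows it (10.20.30.2/32 on homenet) and two variants; .1 addresses assumed."""
    nexthop = IPv4("10.20.30.1")   # next hop carried by the 10.111.200.0/24 UPDATE from host 2
    base = [Interface("br0", ipaddress.IPv4Interface("192.168.88.1/24")),
            Interface("virbr0", ipaddress.IPv4Interface("192.168.122.1/24")),
            Interface("virbr1", ipaddress.IPv4Interface("10.0.0.1/24"))]
    as_posted = base + [Interface("homenet", ipaddress.IPv4Interface("10.20.30.2/32"))]
    with_subnet = base + [Interface("homenet", ipaddress.IPv4Interface("10.20.30.2/24"))]
    with_peer = base + [Interface("homenet", ipaddress.IPv4Interface("10.20.30.2/32"),
                                  peer=IPv4("10.20.30.1"))]
    return {
        "as_posted": install_route(nexthop, as_posted, connected_routes(as_posted)),
        "as_posted_recursive": install_route(nexthop, as_posted, connected_routes(as_posted), "recursive"),
        "with_subnet": install_route(nexthop, with_subnet, connected_routes(with_subnet)),
        "with_peer": install_route(nexthop, with_peer, connected_routes(with_peer)),
    }


if __name__ == "__main__":
    for name, result in host1_scenarios().items():
        print(f"{name:22s} 10.111.200.0/24 {result}")
```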


Multimeter and Coax/Ethernet/Fiber tester

Any recommendations for an Networking tool that has the capability of testing all 4? Multimeter/Coax/Ethernet/Fiber tester all in 1?



Aruba 6300 CX with Palo Alto issue

Hey all,

Having an issue when migrating from Cisco 6900 series to our new Aruba 6300M series switches. I have the PA in an HA pair, so I moved one over to my Aruba switches, then flipped it over. Most of my traffic works except one of the interfaces that has multiple tagged VLANs for some DMZ stuff (guest wifi is what I am testing here). Tried a few various configs on the Aruba and not able to have this work.

Cisco config that does work:

interface GigabitEthernet10/39
 description GigabitEthernet10/39-rta.pal3020.02.e1/5.trunk
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 25,152,154,160,161
 switchport mode trunk
 spanning-tree portfast edge trunk

Aruba:

interface 9/1/18
    no shutdown
    description paloalto.firewall.dmz.eth5
    no routing
    vlan trunk native 1
    vlan trunk allowed 25,152,154,160-161

Palo Alto ethernet 1/5:

ethernet1/5 {
    layer2 {
        lldp {
            enable no;
        }
        units {
            ethernet1/5.152 {
                tag 152;
            }
            ethernet1/5.154 {
                tag 154;
                comment "VZW Backup";
            }
            ethernet1/5.161 {
                tag 161;
            }
            ethernet1/5.160 {
                tag 160;
            }
            ethernet1/5.25 {
                tag 25;
            }
        }
    }
}

I have also tried changing the trunk native vlan 152 tag to test and was not able to get connected to the guest wifi. The interface for the guest wifi and dhcp service comes from the PA.

Any help is appreciated!
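Added example, not part of the post above and not vendor code: a Python audit that parses the three configs the post shows (the IOS trunk stanza, the AOS-CX trunk, and the PAN-OS `tag N;` subinterfaces) and reports the mismatches that break a tagged DMZ uplink: a firewall tag the trunk does not allow, an allowed VLAN with no subinterface, and a firewall tag that equals the trunk's native VLAN. The last one matters for the "trunk native 152" variant the post mentions: the switch sends the native VLAN untagged (unless AOS-CX is told `vlan trunk native 152 tag`), and a PAN-OS layer2 subinterface with `tag 152` only matches tagged frames. The regexes cover only the keywords in these snippets; `switchport trunk allowed vlan add/remove/except` forms are deliberately not modelled.

```python
import re


def parse_vlan_list(spec: str) -> set:
    """Expand a VLAN list such as '25,152,154,160-161' (IOS and AOS-CX share the form)."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(1, 4095))
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def ios_trunk(config: str) -> dict:
    """Allowed and native VLANs of an IOS trunk stanza (defaults: all VLANs, native 1 sent untagged)."""
    m = re.search(r"switchport trunk allowed vlan (?!add |remove |except )(\S+)", config)
    n = re.search(r"switchport trunk native vlan (\d+)", config)
    return {"allowed": parse_vlan_list(m.group(1)) if m else parse_vlan_list("all"),
            "native": int(n.group(1)) if n else 1,
            "native_tagged": False}


def aoscx_trunk(config: str) -> dict:
    """Same for an AOS-CX interface; 'vlan trunk native N tag' sends the native VLAN tagged."""
    m = re.search(r"vlan trunk allowed (\S+)", config)
    n = re.search(r"vlan trunk native (\d+)( tag)?", config)
    return {"allowed": parse_vlan_list(m.group(1)) if m else parse_vlan_list("all"),
            "native": int(n.group(1)) if n else 1,
            "native_tagged": bool(n and n.group(2))}


def panos_subinterface_tags(config: str) -> set:
    """802.1Q tags of the subinterfaces in a PAN-OS ethernet stanza (the 'tag N;' lines)."""
    return {int(t) for t in re.findall(r"\btag (\d+);", config)}


def audit_trunk(switch: dict, firewall_tags: set) -> dict:
    """Mismatches between what the switch trunks and what the firewall expects to see tagged."""
    native_untagged = set() if switch["native_tagged"] else {switch["native"]}
    return {
        "tags_not_allowed_on_trunk": firewall_tags - switch["allowed"],
        "allowed_but_no_subinterface": switch["allowed"] - firewall_tags,
        # the native VLAN leaves the switch untagged, so a subinterface with that tag never sees it
        "tag_equals_untagged_native": firewall_tags & native_untagged,
    }


# Inputs quoted from the post; only the port names are kept.
CISCO_CFG = """interface GigabitEthernet10/39
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 25,152,154,160,161
 switchport mode trunk
"""
ARUBA_CFG = """interface 9/1/18
    no routing
    vlan trunk native 1
    vlan trunk allowed 25,152,154,160-161
"""
PAN_CFG = """ethernet1/5 { layer2 { units {
  ethernet1/5.152 { tag 152; }
  ethernet1/5.154 { tag 154; comment "VZW Backup"; }
  ethernet1/5.161 { tag 161; }
  ethernet1/5.160 { tag 160; }
  ethernet1/5.25 { tag 25; }
} } }
"""

if __name__ == "__main__":
    tags = panos_subinterface_tags(PAN_CFG)
    print("as posted:      ", audit_trunk(aoscx_trunk(ARUBA_CFG), tags))
    native152 = ARUBA_CFG.replace("vlan trunk native 1", "vlan trunk native 152")
    print("native 152 test:", audit_trunk(aoscx_trunk(native152), tags))
```

With the configs exactly as posted the three sets come back empty, which is what you want to see before looking elsewhere (STP edge behaviour, the PA's own zone/interface state, or the other HA member). With `vlan trunk native 152` the audit reports 152 as colliding with the untagged native VLAN.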



L2NAT Deployment - Production network

Hi all,

Are there people who use L2NAT in their production environment here? Just curious on how you all go about it. We are trying to implement it using VRF on the Cisco switch so that those internal devices are reachable by any host on our network (not just those defined in the translation table as with regular L2NAT).



Micro-segmentation/ZTNA with Juniper, Fortinet and Aruba

We have a relatively small network (under 5 locations, about 300 switches, access points and firewalls) and leverage Juniper for our core and switch backbone, Fortinet at the edge and Aruba for wireless. We'd like to start moving down the zero-trust/micro segmentation path, but I'm wondering if such a thing is even feasible with very disparate vendor platforms. We are open to switching (no pun intended) if necessary, but are pleased with what we currently have.

  • Are there any tools or platforms which could help all of these vendors work in concert without adding ridiculous complexity?
  • If you were to consolidate vendors for a specific area, which would you choose? (e.g. replace Juniper with FortiSwitch).


A Post About Packet Mismatches

Our company recently deployed two cellular devices which would act as bridges for downstream FortiGate firewalls. These firewalls would then build policy-based IPsec tunnels between each other.

The tunnel is unable to establish, although all IKE phases match, as well as traffic selectors. So, we thought, "can we even ping the other side of this tunnel?" We set up our ping -t and saw some pings go through, and others report a message

MISCOMPARE AT OFFSET 13 - TIME=118ms

MISCOMPARE AT OFFSET 13 - TIME=113ms

MISCOMPARE AT OFFSET 13 - TIME=108ms

So we thought this was odd, which led us to getting packet captures on either side of the tunnel with active pings running. What we discovered was pretty interesting. The packet leaving Site A would actually change (which we could see in the raw packet data shown in hex characters using Wireshark) when received by Site B. And sure enough, vice versa. Site B would reply using the incorrect packet data which Site A would drop.

What this boils down to is something changing the packet during transit. We ran these same tests on different ISP networks and had no issue. Which leads us to believe that it is a carrier-related issue. We now have a scheduled call with some of their engineers to dig a little deeper into the issue.

It sure breaks up the monotony of our usual day-to-day so I thought I'd share it with you all for your own interest. Before today, I had never seen miscomparisons in a ping!



Video Playback on remote cameras not working on Corp network - It does work on Guest Network

Pulling my hair out here over an issue I've been troubleshooting, and just need any possible directions to look.

We have internal users that are able to view remote cameras in cars through a website in chrome. The website works absolutely flawlessly EXCEPT for live video playback. For whatever reason it starts to load the live feed, and then the screen will just flicker a black/grey and do nothing. You can view old playback from remote SD cards no problem, but live viewing is a no-go. If I switch to our unrestricted guest network, it works without issue.

I have combed through every wireshark pcap and firewall log to write down any IP address I see during video playback on BOTH corp and guest networks. I have whitelisted everything I can possibly whitelist according to the vendor.

Aside from the firewall we do have two edge security appliances, and I've checked all the IP ranges in those and no issue. I even removed one of the security appliances temporarily to see if that would help, and it didn't.

What kind of issues have people run into when dealing with remote live viewing of a camera?



Cisco SDA Network design queries & validation

I am working on an SD-Access and data center networking design with greenfield deployment for our company. I have attached a diagram to illustrate the design.

https://imgur.com/a/z2Qdiuj

Firewall would connect outside to fabric borders which has connectivity to Internet, WAN and DMZs. In addition, those firewalls are used for East-West traffic between servers in server farm as well.

Here are some technical questions prior to finalizing the low level design.

1- In the first place, is it a valid design? I would love to have your valuable inputs and recommendations.

2- For now, there is no plan for micro-segmentation using ISE and SGTs by the customer. That said, macro-segmentation is the way to go in the fabric for segmenting traffic between Corporate users, IoT, Guest etc. VNs.

In the design, I will use the data center distribution switch for L3 handoff to handle communication between separate VNs or VRFs, or from a VN/VRF to shared services residing at the data center. I want to ensure internet/unknown traffic originating from campus users is routed directly to the firewalls.

What is the recommended approach to accomplish it?

3- How should routing be configured for North-South traffic from clients to servers when some servers have a network segment behind firewalls? I am guessing I have to create VRFs on the data center switch, then import them into the Campus VNs!

4- There would be full mesh connectivity between Border nodes and Fusion devices and cross-links between redundant border devices. What routing protocols and configuration will be needed to ensure no traffic is disrupted if any link or device fails?

5- I have some IoT devices for Building Management Systems (BMS) like HVAC and Campus Security, and their servers are located in the data center block; however, these devices should have L2 adjacency with the server? What is the optimal solution, since all the links in the campus fabric are L3?

Hoping for valuable suggestions from the great experts in this reddit. Thanks in advance.



OSPF DR site w/backup default route

I think I know what needs to happen, but I'd like to make sure before starting the config:
All sites are using FortiGates for routing/firewall.
Company has 4 total sites - HQ, DR Branch, and two branches.
OSPF is currently in-place for static routes and directly-connected sites.
All sites currently connected with a layer 2 point-to-multipoint ring.

Currently, default routes are statically configured - HQ and DR sites have internet access. Branches point to HQ for their internet, DR uses its own because why not?

Goals:

  1. HQ is default for all branches except DR
  2. If HQ goes down, all sites use DR for internet access (easy - just make sure DR site is backup designated, manipulate ospf priority to do so).
  3. In general, DR should always only use its own internet (I can use a link monitor to disable the default route in case it goes down for an extended period, I think)

Point 3 is the tricky one - I want everything else to use HQ, but DR to only use its own unless ISP goes down and I'm not 100% sure how the cost manipulation should work.



Cloud AD authentication

Hi,

AD would manage the desktops and users' authentication and login; remote users would use VPN to the office/on-prem to authenticate. How would this work in the cloud using Azure AD or AWS Directory Service for those remote computers and users? Do they need a VPN connection to the cloud, or can this be done from any internet access without any VPN?

Thanks



IDF Relocation

Looking to relocate an IDF which currently terminates about 200 data drops. The cabling is almost brand new feeding an assortment of IP cameras and IoT devices.

Is there a TIA compliant method of extending these runs to the new IDF location 75 feet away. Assuming all the runs still remain under 100 meters.

Obviously the real solution is to rerun all cabling from the new IDF to the existing endpoints, but there is some management pushback for that.



Operating Systems of Devices on Network- How to get useful information?

I don't know if what I want to do is possible. My goal is to detect what devices are connected to my network and push that to Splunk for further analysis. I want to get information that can identify what the device is. For example, I detect that 192.168.86.100 is a Windows 10 laptop, 192.168.86.101 is a windows 2012 server, and 192.168.86.102 is an iPhone 6.

What tools do you know of that can get this information? Is nmap -O and creating a log with that the best way?



Cogent vs Blended Option? PROS & CONS?

Hi,

I currently have a few servers at a datacenter and they are giving me less bandwidth, only 50TB, and I am planning to get a new line.

I am going to keep using the existing 50TB and get a new line. But I'm torn which way to go.

I have a Cogent option, which is costing me $430/mo with a one time setup fee of $275.

1Gbps on 10Gb fibre.

And I have another option of $400/mo with $500 setup fees.

Again 1Gbps on 10Gb fibre.

But it is blend of Zayo, GTT, Cogent and IX peering.

Which one should I opt for? Any tips?



unifi + tp-link + pfsense guest wifi

Hello,

I have read dozens of guides on doing this but can't for the life of me manage to create a guest wifi with internet access.

My current set up is:

ISP router (LAN CABLE)-> pfSense (LAN CABLE)-> port 1 (TP-Link switch SG108E) and out of port 8 (Unifi AP lite 6)

Having read through guides I managed to default my internet traffic to use a virtual private network. So I connect to my unifi wifi which gets routed through pfsense to default to a virtual private network.

This is what I have configured so far:

--------------------------

Unifi:

2 Networks

  1. Guest VLAN only VLAN 10
  2. LAN Subnet 192.168.1.0/24

Wireless networks:

  1. Primary (uses LAN network)
  2. Guest (uses Guest network)

-----------------

Tp-Link

802.1Q VLAN configuration

VLAN ID 1: Default Member ports 1-8 / untagged ports 1-8

VLAN ID 10: Guest Member ports 1,8 / tagged ports 1,8

------------------------

PfSense:

-------------------

System routing (Gateways):

WAN_DHCP / Interface WAN: Gateway 192.168.XXXX

WAN_DHCP6 / Interface WAN feXXXX

V.P.N / Interface V.P.N 10.16.XXXX

GUEST / Interface GUEST dynamic

---------------

Interfaces Assignments:

WAN igb0

LAN igb1

V.P.N (ov.p.nc1)

guest VLAN 10 on igb1 - LAN

-----------

VLAN Interfaces:

igb1 (lan) VLAN tag: 10

----

Firewall NAT outbound (see pfsense guide at top of message for WAN/Open.V.P.N configuration)

x4 WAN interface mappings

x2 Open.V.P.N mappings for XX.XX.27.0/24

which I copied for x2 GUEST mappings for XX.XX.10.0/24

----------------

Firewall Rules

GUEST Ipv4+6 Source / port / destination * * * allow all

-----------------

DHCP server for LAN XX.XX.27.0 - 245

DHCP server for GUEST XX.XX.10.0-245

---------------------

Comments:

  1. When I originally set this up, my devices on guest network wouldn't connect or grab an IP from pfsense until I tagged port 1 + 8 on the switch; so now my devices can connect to the guest wifi and will all have an IP of XX.XX.10.XX which means the DHCP is working fine however the internet isn't.
  2. The Gateway for GUEST is stuck in Pending; I have tried deleting the gateway to see if this makes any difference but no luck.

TLDR; my devices appear to connect to the guest network and successfully grab the correct IP from pfsense belonging to the subnet I configured on the DHCP server but none of those devices are able to connect to the internet.

Any help would be appreciated!



Do you guys use something to store useful commands for your team to access for various vendor tools?

Let’s face it, we can’t remember every CLI command that Cisco, Palo, Shell, or whatever you use has. I was wondering if anyone uses software or a wiki to store some of the more useful commands. We currently have Confluence as our wiki documentation but having worked with it, it’s not a very quick tool to get around. I was wondering if anyone uses anything specifically to store commands so you and the team can have quick access to them.



LRL (Lite) modules compatible with LR?

I am in a small bind right now until more LR modules arrive. On a short distance run under 10 km, can I use an LRL (Lite) module at one end and an LR module at the opposite end? The cable is within the building, just floor to floor, so it may be at best 500 ft (well under the 1 km for an LRL). We ran out of LR modules and only have a few LRL modules on hand.



Black list problem today?

A few of my customers reached out to me today complaining of returned email with an error 5.2.1 521, which is getting blocked by a blacklist. Seems strange that multiple customers with different domains started reaching out at the same time.

Anyone else?



Using /32 vs /24 for Endpoints on a /24 Subnet?

I feel like this is a terribly basic question, but when I try to look up the answer, all I find is posts referring to Subnetting. On my firewalls, I originally was instructed to use 192.168.40.X/32 (255.255.255.255) for each endpoint, which seemed odd to me, as previously I had always used a /24 (255.255.255.0) for endpoints.

I understand how subnetting works, but I am struggling to understand why I need to use a /32 when adding firewall addresses? From my research, it appears that would only be pertinent if the endpoint never had to communicate with anything else on the same subnet (such as a gateway address/loopback).

Again, I feel this is something I should already know, but I have had zero "formal" training, and learned on the fly. Is it proper to use a /32 for endpoints on a /24 subnet, or am I thinking of this the wrong way?



Remote Data Transfer using TCP

Hi everyone, hope you are having a good day.

I am currently using a Python script to create a local server and then send commands over TCP to an ESP32 microcontroller (acting as a client). The ESP32 then reads ADC data and sends data back to the PC server.

This works great on a local network, but I am stuck on how to do this remotely, i.e. over the internet. I have looked into port forwarding and VPN tunnelling but am unsure how to implement this and whether there is a simpler solution.

Any suggestions on a simple approach would be greatly appreciated,

Thank you,
Will



Trying to troubleshoot an inherited enterprise environment with a Cisco Backbone

I was wondering if someone could help educate me here. Mods if this is against the rules feel free to remove.

My understanding of VLANs is that they cannot communicate between each other unless there is some layer 3 routing between them. I am working in an environment where we have several layer 2 switches connected back to one layer 3 core switch.

The vlans on the core switch are as follows:

interface Vlan1
 description ***** DATA *****
 ip address 192.168.10.1 255.255.254.0
 no ip proxy-arp
!
interface Vlan10
 description ***** VOICE *****
 ip address 192.168.42.1 255.255.255.0
 ip access-group DENY-VOICE-SECURITY out
 no ip proxy-arp
!
interface Vlan20
 description ***** SECURITY *****
 ip address 192.168.0.1 255.255.255.0
 ip access-group DENY-VOICE-SECURITY out
 no ip proxy-arp
!
interface Vlan22
 description **** GUEST ****
 ip address 192.168.22.1 255.255.254.0
!
interface Vlan100
 description ***** ASA-UNTANGLE *****
 ip address 192.168.100.1 255.255.255.248
 ip access-group DENY-UNTANGLE-ASA out
 no ip proxy-arp

Everything is trunked back to the main switch, which then goes to an Untangle firewall. Everything is currently running on VLAN 1 apart from the IP phones.

What I am confused by:

1.) If I put a switch port on VLAN access mode 22, i.e.:

interface 0/40
 vlan pvid 22
 vlan participation exclude 1,10,20
 vlan participation include 22
exit

and connect a computer to it with a static IP in the 192.168.22.1/23 subnet I cannot get internet access or even ping the 192.168.22.1 gateway. Shouldn't I be able to ping the vlan interface?

I'm not even sure if I am asking the right questions but I hope someone here can put me on the right track.



part IP, host/domain name address?

Background: I have no issue that needs to be solved just trying to expand my knowledge.

I was just reading a software manual. In there was a configuration step with the example:

<sendToAddress>DEN.RED.60.169</sendToAddress> 

In lots of software I have seen that you can put either a hostname or a numeric IP address, but I have never seen the above, where some of the octets are characters.

Is this a standard capability in the IP protocol?

How does this work with DNS/domain controllers?



ISP restricting access to the internet

Hi, not sure if this is the right sub. There's a lot going on in my country (Sudan): demonstrations, civil disobedience, etc. Telecom companies throttle the internet and are holding back our right to show the world what's going on; they only allow one or two banking apps through LTE. Is there any way to use this to bypass the restrictions? (I used iHTTP tracker to look up the app URL: https://i.imgur.com/06kfFvV.jpg, if this can help.)

Thanks in advance



Is a job in networking as cruel as they say it is .. in terms of working hours

I was just wondering if network engineers have to work on weekends and even public holidays just to ensure network connectivity is up? I'm just deciding on a career path with good work-life balance.



Thursday, October 28, 2021

Fiber TX/RX dBm specs with QSFPs

All,

Trying to understand the optimal dBm for SFP/QSFP.

I am looking at the output of the Cisco command show int f01/1/1 transceiver detail.

Now I have been told that it should be close to 0 for the XMT/RCV or within +5/-5 (unsure which is correct). I understand distance and the number of connections come into play in this.

The outputs I am trying to figure out are:

  • Optical XMT Power
  • Optical RCV Power
  • High Alarm Threshold
  • High Warn Threshold
  • Low Warn Threshold
  • Low Alarm Threshold

Say we are using Cisco-40GB-ER4. I have seen connections with XMT: 0.0 RX: -0.7 all the way to XMT: 3.0 RX: -13.00.



Ubiquiti UDM-Pro to replace Mikrotik

Hello everyone, need some help replacing an old Mikrotik crs125-24g-1s-rm switching router in a new space I've moved a small business into.

Will the Ubiquiti UDM-Pro do the job? There are Unifi AP-Pro access points around the place already, and I use Ubiquiti in a home setting as well, so I know the UI and how to set up stuff.

The premises are wired up with data points already and 2 x patch panels, and I don't need PoE for anything. If I need to extend off the UDM-Pro then I figured I can just get a switch to extend it too.

Any help on this would be great, I need to purchase it all pretty quickly.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Traffic Generation set up in lab environment

I hope this is the right place to post this. I work for a smaller ISP (<40,000 home customers). We used to have a very nice lab set up with a Shenick server for traffic generation that was in some way connected to dozens or more ONTs to pass traffic across our PON lab. This lab was taken down and basically cannibalized over the last few years. We are now in the process of choosing a new PON vendor and I would like to get the lab back into a state to do meaningful tests across XGS ONTs. For initial tests we just used iPerf on a laptop connected to a single ONT, then fed across the OLT chassis to a server running iPerf on the uplink port. This worked okay for a beginning test, but I'd like to be able to do more stateful traffic, and pass more than the 7-8 Gb a single laptop was able to create.

As I said, the lab was cannibalized over the years and one of the losses was the license on the Shenick. In talks with other team members it sounds like there is no way to recover the license. In the interim we have found a Cisco open-source project called TRex that can do up to 200Gb/s of stateful traffic with the right hardware.

Working with our current vendor, they have a lab set up with a traffic generator connected to numerous ONTs, which passes up to the OLT and then back around to the traffic generator. What I don't understand is what is necessary to connect the single server to multiple end devices in this fashion. The server has a dual SFP+ card installed, and eight 1 Gb NICs. The only thing I can think of is to connect the 10-gig ports to the uplinks of the shelf, and I guess then I will have to connect individual 1-gig ports to ONTs. This would give me at most 8 Gb of traffic.

Just wondering if anyone else has recommendations on how to build up a lab with preferably 20-30 ONTs generating traffic. If we need to purchase more equipment to make it happen then so be it. I'm just struggling to figure out how to make this work.



Networking hardware question

Not sure if this is exactly the right place to ask, please point me to the right place if this is the wrong one. I didn't see Hardware as a post flair, that seems weird to me, or like there might be another community that I'm overlooking.

The short version is that I'm looking for an inexpensive router or smart switch that'll provide DHCP for the LAN but also let me not set a default gateway for a /24 network.

The longer version is below

There is a small LAN on a vehicle that allows things on the LAN to talk to each other. These can be statically addressed and don't require internet access.
From time to time, laptops will need to be connected to the LANs to talk to the devices on the LAN.

However, if there is a default gateway in the LAN's DHCP offer then the laptops try to use the LAN's default gateway rather than their cellular connection.

Seems like Windows' network stack should be smart enough to go "oh, that DG is dead, let me use the other", but sadly no.

While I could just statically address the network adaptor of the laptops, that would be problematic with multiple machines, as well as those machines needing to be able to connect to regular networks with a valid DG.

As far as why it needs to be cheap, we'd rather not spend hundreds of dollars for what is basically a little bay LAN that is mobile (because the vehicle is mobile), plus it'll be cheaper to replace when it fails and I can just restore a config file and have the operators just pop them into place.

Anyway, if you guys have any recommendations, that'd be great.



Is it normal that NCP announces my prefix with my own ASN in its upstream ASN?

I have a prefix which I announce in my own AS.

I use a BGP tunnel as well as Vultr to connect my AS. Vultr's AS20473 acts as my upstream.

Both bgp.tools and bgp.he.net show my prefix as not only being announced by my own AS but also by AS20473. The same thing does not happen with the BGP tunnel providers.

In my opinion, this is wrong: Even though Vultr is my upstream, the announcement should still only come from my AS. Do I get this wrong?

This also suggests that this is not "normal": https://bgp.tools/kb/more-than-one-asn-per-prefix

I wrote to Vultr support. Not that I would expect this to be solved by them but in their response they claim what they are doing is right:

As you engaged in peering with us, we act as your upstream provider. This is the actual BGP service we provide. Once you start announcing your prefix to us, we will forward your announcement to major transit providers in order for your prefix to be seen globally in the internet.

I do not see why this is required or correct: The prefix itself only needs to be announced by my AS. It is the routing information (i.e., that the prefix is reachable with my AS and that my AS is reachable via AS20473) and not the prefix announcement that would need to be forwarded by Vultr.

Can anyone help me understand if they are right and what's going on here?
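The post's observation is what route-monitoring tooling calls a MOAS (multiple-origin AS) conflict: the same prefix seen with more than one origin ASN. Below is an added example, not from the original post or from bgp.tools, that detects it from a set of observed AS paths. The paths are constructed; AS20473 is the upstream named in the post, AS64496 (a documentation ASN) stands in for the poster's own AS, and 192.0.2.0/24 for the poster's prefix.

```python
"""Detect prefixes that appear with more than one origin AS (MOAS) in a set
of observed BGP AS paths.  Added example, not from the original post; the
AS paths below are constructed.  AS20473 is the upstream named in the post,
AS64496 (documentation range) stands in for the poster's own AS."""
from collections import defaultdict
import ipaddress

# Constructed observations: (prefix, AS path as seen from some collector).
# The origin AS is the last element of the path.
OBSERVED_PATHS = [
    ("192.0.2.0/24", [64500, 20473, 64496]),   # expected: our AS originates
    ("192.0.2.0/24", [64501, 20473, 64496]),
    ("192.0.2.0/24", [64502, 20473]),          # anomaly: upstream originates it
    ("198.51.100.0/24", [64500, 64511]),       # unrelated prefix, single origin
]


def origins_by_prefix(paths):
    """Map each prefix (normalised CIDR string) to the set of origin ASNs seen."""
    origins = defaultdict(set)
    for prefix, as_path in paths:
        if not as_path:
            continue  # an empty path carries no origin information
        net = ipaddress.ip_network(prefix, strict=True)
        origins[str(net)].add(as_path[-1])
    return dict(origins)


def moas_prefixes(paths):
    """Return {prefix: sorted origins} for prefixes seen with more than one origin AS."""
    return {p: sorted(o) for p, o in origins_by_prefix(paths).items() if len(o) > 1}


def unexpected_origins(paths, prefix, expected_asn):
    """Origins other than expected_asn observed for prefix (empty set when clean)."""
    key = str(ipaddress.ip_network(prefix, strict=True))
    seen = origins_by_prefix(paths).get(key, set())
    return seen - {expected_asn}


def path_is_via_upstream(as_path, expected_asn, upstream_asn):
    """True when the path ends in expected_asn with upstream_asn right before it,
    i.e. the upstream is transiting the announcement rather than originating it."""
    return (len(as_path) >= 2
            and as_path[-1] == expected_asn
            and as_path[-2] == upstream_asn)


if __name__ == "__main__":
    for prefix, origins in moas_prefixes(OBSERVED_PATHS).items():
        print(f"MOAS: {prefix} originated by {origins}")
    print("unexpected:", unexpected_origins(OBSERVED_PATHS, "192.0.2.0/24", 64496))
```

Fed with real paths from a collector (for instance RIPE RIS or the looking-glass output the poster already checked), the same functions flag which prefixes need a ticket and which origin is the stray one.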



Dumb question - from amateur trying to connect things and giving IT dept a solution

Let's start with background:

  1. Main corporate network, on-board IT watching it, with redundancy, VPNs, proxies, etc.

Things like intranet, management and apps for it work there. Regular full corporate.

  2. Additional network, with security measures (firewall, anti-malware) moved outside of our company (on the ISP side, packet scanning, semi/full-automatic). Reason? The 2nd network is used for live streaming, Zoom/vMix/Skype/other needed connections, sharing big files (videos) outside + video editing from a shared NAS/server; the whole 2nd network is bandwidth/CPU limited internally during work hours. Plus my/our personal preference - Parsec - as an on-the-run/from-home access tool. So as you may gather from that, the 2nd network may throttle easily on switches/routers already (especially on 4K RAW; yes, we need to move to 10Gbps), and CPUs hindered by surprisingly heavy corporate anti-malware thingies would lower video editors' efficiency (-10-15% on mixed workload from my limited measurements).

So, what I'd like to get from you is - is it possible to connect network no.2 to no.1 (for intranet/mail config only, maybe letting IT access said PC remotely), without hindering video editing station performance? As in even some app that would let "outsiders" access 1st network intranet, without routing all of their traffic inefficiently?

PS.:

Both networks exist in the same building - but since we'd like to eliminate the human factor when it comes to white/black-listings and other stuff that usually happens within regular work hours (so when live streaming usually happens - and there was an accident when outgoing streaming packets were blacklisted by one of the admins mid-conference) - the 2nd network is void of any major internal IT Security influence (aside from their suggestions - which can not override whitelist settings due to how we/ISP made it).

Everything else like anti-DDoS, Firewall, AntiMalware, is handled by ISP; we have logins like admin/every-other-obvious-points-of-entry disabled on every router/NAS/PC within the network; and MS Defender+Malwarebytes(lowest CPU usage from tests).



Understanding and Implementing a Session Border Controller

I've never come across an SBC and I'm hoping to get some advice on understanding them and where to put them in the network.

We are currently using Asterisk as our PBX system and are hoping to use a SIP trunk service from our MPLS provider. This SIP gateway will be within our MPLS VPN so it will have a private IP address we can route to. We've been informed we must use an SBC to connect to the SIP gateway.

This is the first I've heard of an SBC. Can't Asterisk do the same functions as an SBC with registering and managing the calls? And where would you implement this sort of equipment in a collapsed core network that has two HA firewalls facing the outside of our network towards the PE router?



design help: adding a distribution layer

Planning on adding a distribution layer to some of our network closets. Currently we're running a collapsed core (access->core) with the access layer doing L3. The main goal is to conserve ports on the core side. We have old buildings and running new fiber is just not feasible at the moment.

What's the simplest way to add the dist layer as far as SVIs (on the A layer) go? Can I just L2 the uplink trunks from the A layer to the core? I'm familiar with the concept but have never put it into practice.



Double USB pass-through for remote desktop?

So I am not sure if this is the right sub, but I am looking for a way to do double USB redirection using remote desktop. Normally I would say ok, that isn't possible; however, I tried it yesterday and although the webcam didn't work on the 2nd remote session, the USB mic I had did, so that makes me think it might be possible. I was wondering if anyone on here knew anything about this and could help me find a way to get the webcam to work as well. Thanks.

Edit: I am using Windows native remote desktop btw.



Starting my CCDE Journey

I will start my journey for the CCDE Certification. The new v3 is soon ready, and the Learning Matrix is also available.

Is there any interest here for some sort of documentation of my journey? How I study, what I study, labs and so on?

And is there some feedback from all the existing CCDEs on how to go for the Written Exam? When I look at the learning matrix, it seems a huge amount of stuff to read and watch. In comparison to the ENCOR (CCIE Ent. Written) exam, which is one book.

Also, should I rather post this in the Cisco channel?



Does automation result in you having more downtime?

Is anyone having their job become easier as a result of automation or more modern software, in terms of the amount of time spent sitting around and waiting for something to break?

When upgrading IOS versions on the 6807 and 4507 series switches that my corporation uses, upgrading the IOS version requires copying the .bin file manually, verifying that it is not corrupted, and rebooting the secondary SUP card manually. Recently, when a Catalyst 9K switch with dual SUPs experienced a SUP card hardware failure, I had the tech plug in the new SUP and the IOS was upgraded to the version that the active SUP was running without me running any commands. For work on the 4507s and 6807s the only thing that Ansible does is copy and verify the integrity of the .bin file on the primary SUP.

Once Catalyst 9k switches are widely deployed, this process will become simpler and be done through DNAC (which is better than Ansible for the work in question). The only common denominator here is that a tech needs to be present to perform the physical work. The more advanced software in the 9K switch resulted in me just waiting while the switch did its thing.

This is an example of automation not making roles go away, just making them easier.



Question on acceptable db loss with SM fiber

I have recently been gifted a Fluke power meter and have begun testing our single-mode network for loss. Is there a formula or recommendation for calculating the acceptable dB loss over distance? For example, I have a 1450' run of SM with an ST bulkhead at each end.



F5 BIG-IP as SP in IdP-initiated configuration

Hi engineers!

I have to configure F5 BIG-IP as SP in an IdP-initiated configuration for SSO (SAMLv2).
Do you know of documentation that can help me?

I also know that the IdP-initiated configuration is dangerous because it is not secure, and man-in-the-middle attacks are effective.
Does it make sense to create a site-to-site VPN between SP and IdP?

Thank you.



Iperf between UDM Pro <> Win10 PC with 2.5 Gbps is not symmetrical, why?

I have a UDM connected to my Windows PC via SFP+; the PC has a 2.5G NIC card. Trying to determine why the speeds aren't identical?

There are no other devices in between the UDM PRO and PC

When running the test from the PC >> UDM I see the following speeds:

Desktop\iperf> .\iperf3.exe -c 192.168.86.1
Connecting to host 192.168.86.1, port 5201
[  4] local 192.168.86.247 port 50881 connected to 192.168.86.1 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec   271 MBytes  2.27 Gbits/sec
[  4]   1.00-2.00   sec   257 MBytes  2.16 Gbits/sec
[  4]   2.00-3.00   sec   268 MBytes  2.25 Gbits/sec
[  4]   3.00-4.00   sec   253 MBytes  2.12 Gbits/sec
[  4]   4.00-5.01   sec   247 MBytes  2.06 Gbits/sec
[  4]   5.01-6.00   sec   253 MBytes  2.14 Gbits/sec
[  4]   6.00-7.00   sec   254 MBytes  2.13 Gbits/sec
[  4]   7.00-8.00   sec   238 MBytes  2.00 Gbits/sec
[  4]   8.00-9.00   sec   241 MBytes  2.02 Gbits/sec
[  4]   9.00-10.00  sec   258 MBytes  2.16 Gbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec  2.48 GBytes  2.13 Gbits/sec                  sender
[  4]   0.00-10.00  sec  2.48 GBytes  2.13 Gbits/sec                  receiver

iperf Done.

When running the test from the UDM >> PC I see the following speeds:

root@ubnt:/# iperf3 -c 192.168.86.247
Connecting to host 192.168.86.247, port 5201
[  4] local 192.168.86.1 port 53452 connected to 192.168.86.247 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  96.6 MBytes   810 Mbits/sec  892   18.5 KBytes
[  4]   1.00-2.00   sec  92.5 MBytes   776 Mbits/sec  819   18.5 KBytes
[  4]   2.00-3.00   sec  95.2 MBytes   798 Mbits/sec  871   17.1 KBytes
[  4]   3.00-4.00   sec  92.6 MBytes   777 Mbits/sec  995   18.5 KBytes
[  4]   4.00-5.00   sec  94.3 MBytes   791 Mbits/sec  973   17.1 KBytes
[  4]   5.00-6.00   sec  90.0 MBytes   755 Mbits/sec  948   17.1 KBytes
[  4]   6.00-7.00   sec  95.4 MBytes   800 Mbits/sec  1010  17.1 KBytes
[  4]   7.00-8.00   sec  92.5 MBytes   776 Mbits/sec  1116  18.5 KBytes
[  4]   8.00-9.00   sec  93.7 MBytes   786 Mbits/sec  878   18.5 KBytes
[  4]   9.00-10.00  sec  92.5 MBytes   776 Mbits/sec  986   17.1 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec   935 MBytes   785 Mbits/sec  9488             sender
[  4]   0.00-10.00  sec   935 MBytes   784 Mbits/sec                   receiver
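The two runs differ not only in throughput but in the Retr and Cwnd columns: the UDM-to-PC run logs thousands of retransmits and a congestion window stuck under 20 KBytes, which is the signature of packet loss on that direction of the link. Below is an added example (not from the original post or from iperf3) that parses iperf3's per-interval text lines and reports that asymmetry; the sample lines are the first three intervals quoted from each run above, plus one constructed summary line to show that summary lines are skipped.

```python
"""Parse iperf3 per-interval text output and compare two runs in opposite
directions.  Added example, not from the original post.  The interval lines
are quoted from the post; the 'sender' summary line is constructed."""
import re
from statistics import mean

PC_TO_UDM = """\
[ 4] 0.00-1.00 sec 271 MBytes 2.27 Gbits/sec
[ 4] 1.00-2.00 sec 257 MBytes 2.16 Gbits/sec
[ 4] 2.00-3.00 sec 268 MBytes 2.25 Gbits/sec
"""
UDM_TO_PC = """\
[ 4] 0.00-1.00 sec 96.6 MBytes 810 Mbits/sec 892 18.5 KBytes
[ 4] 1.00-2.00 sec 92.5 MBytes 776 Mbits/sec 819 18.5 KBytes
[ 4] 2.00-3.00 sec 95.2 MBytes 798 Mbits/sec 871 17.1 KBytes
[ 4] 0.00-3.00 sec 284 MBytes 795 Mbits/sec 2582 sender
"""

# One per-interval line; Retr/Cwnd only appear on the sender side on Linux.
INTERVAL_RE = re.compile(
    r"\[\s*\d+\]\s+(?P<start>[\d.]+)-(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xunit>[KMG])Bytes\s+"
    r"(?P<bw>[\d.]+)\s+(?P<bunit>[KMG])bits/sec"
    r"(?:\s+(?P<retr>\d+)\s+(?P<cwnd>[\d.]+)\s+(?P<cunit>[KMG])Bytes)?"
)
SCALE = {"K": 1e3, "M": 1e6, "G": 1e9}


def parse_intervals(text):
    """Return one dict per interval line: seconds, bw_mbps, retr, cwnd_kb."""
    rows = []
    for line in text.splitlines():
        if "sender" in line or "receiver" in line:
            continue  # summary lines cover the whole run; skip them
        m = INTERVAL_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        cwnd_kb = None
        if d["cwnd"]:
            cwnd_kb = float(d["cwnd"]) if d["cunit"] == "K" else float(d["cwnd"]) * SCALE[d["cunit"]] / 1e3
        rows.append({
            "seconds": float(d["end"]) - float(d["start"]),
            "bw_mbps": float(d["bw"]) * SCALE[d["bunit"]] / 1e6,
            "retr": int(d["retr"]) if d["retr"] else None,
            "cwnd_kb": cwnd_kb,
        })
    return rows


def summarize(text):
    """Mean bandwidth, retransmit totals and smallest cwnd for one run."""
    rows = parse_intervals(text)
    bws = [r["bw_mbps"] for r in rows]
    retr = [r["retr"] for r in rows if r["retr"] is not None]
    cwnds = [r["cwnd_kb"] for r in rows if r["cwnd_kb"] is not None]
    total_secs = sum(r["seconds"] for r in rows)
    return {
        "intervals": len(rows),
        "mean_mbps": round(mean(bws), 1) if bws else 0.0,
        "total_retr": sum(retr) if retr else None,
        "retr_per_sec": round(sum(retr) / total_secs, 1) if retr and total_secs else None,
        "min_cwnd_kb": min(cwnds) if cwnds else None,
    }


def compare_directions(a_text, b_text, asym_ratio=1.5, retr_per_sec_warn=100):
    """Findings (strings) for throughput asymmetry and heavy retransmission."""
    a, b = summarize(a_text), summarize(b_text)
    findings = []
    hi, lo = max(a["mean_mbps"], b["mean_mbps"]), min(a["mean_mbps"], b["mean_mbps"])
    if lo > 0 and hi / lo >= asym_ratio:
        findings.append(f"asymmetric: {hi} vs {lo} Mbit/s (ratio {hi / lo:.1f})")
    for name, s in (("run A", a), ("run B", b)):
        if s["retr_per_sec"] is not None and s["retr_per_sec"] >= retr_per_sec_warn:
            findings.append(f"{name}: {s['total_retr']} retransmits "
                            f"({s['retr_per_sec']}/s), min cwnd {s['min_cwnd_kb']} KBytes: suspect loss")
    return findings


if __name__ == "__main__":
    for f in compare_directions(PC_TO_UDM, UDM_TO_PC):
        print(f)
```

With the full ten intervals from the post the retransmit rate is roughly 950/s in the UDM-to-PC direction and zero the other way, which points at the receive side of the PC's NIC (driver, cable or negotiated duplex) rather than at the UDM's CPU.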



Complex VLAN Setup Failing: No Internet Access

I'm somewhat new to networking and may be in over my head. While trying to learn about Active Directory Domain Controllers for my job, I'm attempting to create two VLANs: one for my own "normal use" computers outside the Windows Domain and another for the Domain.

There are 3 pieces of networking equipment in play here:

  1. Main router over which I have no control (DHCP on 192.168.1.0/24)

  2. Ubiquiti ER-X router which I control completely. It has its Internet port set with an IP on the main router's subnet; I know that IP is available from the upstream router's pool.

  3. TrendNet SmartSwitch with VLANs configured with single VLAN trunks to the ER-X (my router) set as tagged for each VLAN. Client ports set untagged, and communication proven via ping.

No Internet access is provided when I plug the ER-X into the upstream router via an intermediary switch.

My issue seems to be the default gateway settings. Each VLAN will give out DHCP addresses on other /24 subnets once those servers are set up and active, currently using static IPs on clients until then.

I'm at my wit's end with this. I cannot find resources to explain the default gateway settings for clients or the equipment under my control. I'm willing to pay someone to explain this to me and set it up at this point.

There must be a concept I'm missing. I really want to learn this for my personal setup and move toward a networking role for work. I'm very willing to learn and cannot find what I need.

Any help is appreciated.



Predictive Wireless Surveys - Ekahau alternatives

Hi All,

My company is currently opening many new locations, from small offices to huge warehouses. Wireless is our main connection type. I came on board recently and have been asked to prepare BoMs for all new locations across the globe.

We have no budget to do a site survey each time. I thought a predictive wireless site survey tool would help me a lot. Looking at Ekahau, but the cost may be too high. Do you know other options on the market worth checking?

I need a tool mostly for predictive surveys. I will not have a chance to be on site in 95% of locations.

Thanks for any suggestions.



[Question] IPv4: Does the last IP in any subnet imply multicast?

Hey folks,

I'm currently implementing an OSINT tool that tries to parse all IANA-assigned IP ranges, including IPv4 ones. Therefore I'm gonna refer to the related RFCs 791 and 1878 here in advance.

I've got a question related to whether or not addresses are unicast/multicast by default, and implied by their prefix notation.

For example, in a 192.169.0.0/24 network, the last IP 192.169.0.255 would be the multicast address for the D-subnet. In regards to RFC 791, this is dependent on the subnet bitmask (later: prefix length).

For example, /24 means that 255.255.255.0 is the bitmask that decides whether or not a switch or router will send the data packet to an uplink port or keep it within the same network.

Now the question is regarding multicast. As per the old RFC 791, an IP like 192.169.255.255/16 would imply that it's a multicast, not for the D-subnet, but for the C-subnet as well. Later specifications seem to imply that multicast addresses don't necessarily depend on /8, /16, /24 or similar notations as the prefix is variable and applied as a bitmask.

This means that, for example, a not-divisible-by-8 bitmask could lead to different IP ranges, depending on the bitmask, and therefore lead to a different IP address that represents the multicast address for the specific subnet. For example, a network like 10.0.64.0/18 would have a multicast address for the C-subnet that isn't necessarily a 255 as implied by the older RFC 791.

Now my question into the open is kind of this:

  • Is the last IP of a declared subnet with a variable prefix always the multicast address for a specific subnet?

  • If not: Are only the specifically mentioned IPv4 addresses assigned by IANA a multicast address, and every other address should be regarded a unicast address by default?

Thanks in advance :)
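Two separate things are being asked about here: the last address of a subnet is its directed broadcast address (all host bits set), which depends on the prefix length, while multicast is the fixed 224.0.0.0/4 block (RFC 5771) and does not depend on any subnet mask. The added example below, not part of the original post, computes both for arbitrary prefix lengths with the standard library, including the /31 and /32 cases that have no broadcast address (RFC 3021).

```python
"""Compute the last (directed broadcast) address of an IPv4 subnet for any
prefix length and classify an address as multicast, broadcast, network or
unicast.  Added example, not part of the original post."""
import ipaddress

MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")       # RFC 5771 class D block
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")  # RFC 919 "all ones"


def subnet_summary(cidr):
    """Network, first/last usable host, broadcast and host count for cidr.
    Prefixes of /31 and /32 have no network/broadcast addresses (RFC 3021)."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts()) if net.prefixlen < 31 else list(net)
    return {
        "network": str(net.network_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        # The directed broadcast only exists when there are reserved addresses.
        "broadcast": str(net.broadcast_address) if net.prefixlen < 31 else None,
        "host_count": len(hosts),
    }


def last_address(cidr):
    """All host bits set, e.g. 10.0.64.0/18 -> 10.0.127.255, 192.169.0.0/24 -> 192.169.0.255."""
    return str(ipaddress.ip_network(cidr, strict=False).broadcast_address)


def address_role(address, cidr=None):
    """Classify address; cidr is needed only to recognise broadcast/network addresses."""
    addr = ipaddress.ip_address(address)
    if addr in MULTICAST_RANGE:
        return "multicast"          # independent of any subnet mask
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"  # never forwarded, valid on every subnet
    if cidr is None:
        return "unicast"
    net = ipaddress.ip_network(cidr, strict=False)
    if addr not in net:
        raise ValueError(f"{address} is not inside {net}")
    if net.prefixlen >= 31:
        return "unicast"            # point-to-point /31 and host /32: no broadcast
    if addr == net.broadcast_address:
        return "broadcast"
    if addr == net.network_address:
        return "network"
    return "unicast"


if __name__ == "__main__":
    for cidr in ("192.169.0.0/24", "10.0.64.0/18", "10.0.0.0/31"):
        print(cidr, subnet_summary(cidr))
    print(address_role("192.169.0.255", "192.169.0.0/16"))  # unicast inside a /16
    print(address_role("239.1.1.1"))                        # multicast, no mask needed
```

Note that 192.169.0.255 is an ordinary unicast host address inside 192.169.0.0/16; it is the broadcast address only when the subnet really is a /24, which is why a parser of IANA ranges must carry the prefix length with every address it classifies.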



Wednesday, October 27, 2021

Wireshark Question

I am pretty bad when it comes to networking so this may be a stupid question. I live with 3 other friends and we have 1 router. My networks are mynet and mynet-5g. If I am connected to mynet-5g can I use wireshark to sniff network traffic on the people connected to mynet? How can I prevent people I live with from using something like wireshark to view network traffic?



High-Density Wireless AP/VPN Over Wireless Bridge

Tagged 'Wireless,' but Includes VPN/LAN Routing as well.

This may be a common occurrence, but one of the few times I've been asked to consult on a compact, easy to manage solution. The requirements:

  • Small Booth at A Large Conference (>250 Booths)
  • Only Wireless Connectivity Permitted for the Booths (e.g. Vendors Don't Get Wired)
  • VPN Backhaul Required for In-Booth Applications

My immediate default was a Linksys Wireless Router we'd updated with DD-WRT to provide the VPN and a wireless bridge. And, while this sounds acceptable (local booth clients will be both wired/wireless) it may end up being a "design on-site," job and I'd prefer to have something with which we're comfortable ahead of time.

Wireless was acceptable during last year's attendance, but the VPN was not required. Now, it would be preferable to have gear which (a) handled the wireless bridge and (b) handled the VPN. It doesn't seem available as a single package; rather, we'd need two components from just about any vendor. (Quick pass at Ruckus, Meraki, and Ubiquiti) A compact solution is preferred.

Are there recommendations for something like this? We would prefer to have the LAN side pre-configured and VPN tested ahead of time. That way, just connecting to the remote wireless gateway would be all that is required from the floor of the show.

Thoughts?



AC power vs DC power for new rack build

Is DC power generally cheaper than AC at data centers? We are looking to do a new rack build to expand our footprint, and I was curious why the pricing for DC circuits was substantially less expensive. We were planning on using a rack-mounted rectifier system until we saw that the costs of AC circuits were substantially greater than DC.



Not able to ping SVI on PA firewall

Hi friends, I created a simple lab topology in eve-ng: PC --> switch (Cisco vIOS) --> PA firewall. I created a layer 3 link (10.1.1.10/24) on the PA connecting to the switch (all links are up).

Assigned PC 10.1.1.15/24, default GW 10.1.1.10.

Switch config:

To the PC I created an access port and assigned VLAN 10; to the PA a trunk port, and created an SVI for VLAN 10 (10.1.1.20/24, enabled IP routing as well, and pointed the DG to 10.1.1.10). I am able to ping the PC but not the SVI on the PA. Not sure what basic thing I am missing here? Please help.



What are you using for TLS decryption these days?

I understand it's somewhat of a niche space, so I've asked in a few places.

I'm looking to replace some aging SSL visibility appliances that I have deployed today.

My current requirements are: 10Gbps / 1.5 million pps. I'm regularly pushing 7.5Gbps encrypted traffic on each of my various devices.

I have all of my connections tapped today and will regardless of scale.

I may eventually be scaling to 400Gbps, but I'm not opposed to scaling horizontal for the right solution(s).

What are you using for your SSL decryption setup? Having your load balancers decrypt and output to a span port? Big iron? Firewalls doing decryption and passing along to your tooling? There are a lot of ways to skin this cat, and I'm just curious what everyone else is doing...



Small business network becoming more complex with IP camera needs

Hi r/networking. I'm the "IT guy" (really a software eng by trade) for a small business that is in the process of having an IP-camera and recording system installed throughout a building. The camera installer has understood my concerns with their plan to add the video recorder to the existing simple network and expose access to it to the internet directly, but still insists "it's safe". It's going to be up to me to network it in a way that I think satisfies my security concerns, since I cannot completely trust the video recorder server to be secure itself. I would like to separate it from all other devices on the network, so in the worst case, if the video server is compromised by some OS/net stack exploit or the camera server manufacturer neglects to release patches for their software, the attacker is prevented access to the rest of the network.

The problem here is that the current network is dead simple. For ease of managing it, the entire network is comprised of a mesh Eero router system, sitting behind a modem/router provided by Comcast for business. Eero provides very little configuration for more complex networking layouts, so it will not support additional subnets or rules preventing access from the NVR server to other local addresses.

What the network looks like now:

Comcast -> Comcast Modem/Router -> Eero routers -> Devices 

What I hope the network can look like:

Comcast -> Comcast Modem/Router
                 |-> Eero routers -> Devices
                 |-> (Managed switch?) -> NVR Server

The intention is to enable access to the NVR server over the internet, while preventing the NVR server from accessing the other network.

Does this approach achieve my goals, and more importantly, will it even work? If not, how can this be accomplished simply, and with what additional hardware?

Would a managed switch placed between the Comcast Modem/Router and the NVR server enable me to configure the rules I'm hoping for?

One way or another, I'm going to have to expose some server to the internet in order for the business owners to get remote access to their camera footage. I considered additionally securing the video recorder behind a VPN, but I do not have any experience configuring something like an OpenVPN server. I am imagining the managed switch/additional router approach should make later setting up the VPN and not exposing the video server directly to the internet easier.

In my quest to keep it simple, I was thinking that I could enable the guest Wi-Fi network and attach the video server wirelessly to take advantage of the client isolation provided by the guest network. It's stupid, but it does get the isolation properties I wanted. Unfortunately I don't think Eero supports port forwarding for clients on the guest network.

Thanks



IBNS (Identity Based Networking Services) - serious industry direction or Cisco pushing Cisco?

tl;dr - is IBNS Cisco SEs pushing Cisco proprietary designs or is this an actual, solid long-term industry direction? Can IBNS configurations be used with something other than ISE? General Googling isn't helping me with the answer (or I haven't had enough coffee yet.)

------

I've just run across a customer that has recently replaced their NPS installation with ISE. On the switch side, the Cisco nodes they've recently deployed have been configured using IBNS 2.0 for 802.1x.

I'm generally vendor-agnostic, try to use open standards and keep my configurations easy enough for newbies to understand if they have to do emergency changes at 3 a.m. and are sleep-deprived.

The customer's parent org and project management often pushes open standards for interoperability purposes.

I've just started reading the marketing slicks, configuration guides and other docs but I need a sense of the bigger picture.

Is IBNS a real, functioning, good-for-use-in-the-real-world configuration process that I should be looking at moving my other customers to?

Is there an advantage to using IBNS-based configurations over Cisco's more standard 802.1x configurations?

Is there an increase in the O&M burden with IBNS?

Can Cisco's IBNS 2.0 configurations be used with something other than ISE?

Am I just completely over-thinking this and am just intimidated with all the classes and maps required to make it work versus a couple of global and port level commands?

Thanks!



Question about dual homed between two sites traffic flow design

What is the best way of approaching dual homing between two sites? We have two WAN links to the same provider and both links are at 1Gbps. Routers A and B are in site 1 and routers C and D are in site 2. A is connected to C and B is connected to D. Should I load balance the traffic between the two links or make the second link standby and the first link active?

It seems like using both at the same time seems to be the best for me, but why would someone deploy active/standby between two sites?



Internet disconnects for a few seconds every few hours

Hiya networking gurus,

I've got this weird problem where my wired cable internet drops off for about 10 seconds and then comes back on. At first it was not noticeable, but now it's every few hours, and every time it happens I have to reconnect to databases or re-login to whatever external resource I'm logged into; it drives me nuts. An engineer will come tomorrow to check my setup, which is a router and a 15m cable to my PC, but I doubt they will find anything. So the problem could be my cable, router or PC. The PC has a standard RJ45 port and all network drivers are up to date, at least according to Windows. Anyway, without guessing at the problem, is there an app or a way to identify why these disconnects occur? Some kind of logging or monitoring would be perfect.



Real-life Fortigate performance and everyday usage

Fortigate admins, can you share some everyday experiences with Fortigates? We have to replace our old firewall and we got quite attractive pricing for the FG200. Datasheet parameters look great but, as usual, they contain some marketing. Our internet connection is 1Gb/s, so a theoretical 3.5Gb/s of threat protection is more than we need, but how does it look in real life?



Tuesday, October 26, 2021

Two routers in a network: OSPF on clients, ICMP redirects or something else?

Suppose a subnet with two routers: R1 is the main router and set as default gateway for all other nodes on that network. R2 is a secondary router.

R1 and R2 are part of a larger network and know the network topology via OSPF.

Now suppose an ordinary node of that network sends a packet which is sent to the default gateway (R1). R1 realizes that the proper router is R2. But since it’s the same subnet, R1 can’t just forward the packet to R2. Instead, it generates an ICMP redirect for the client.

However, it is widely recommended to disable ICMP redirect for security purposes.

So it may not be too great to rely on ICMP redirect to make routing work.

Alternatively I could install bird (OSPF) on each client node. But I am not sure if this is the right thing: Shouldn’t OSPF only belong on routers?

Are there other options I’m not seeing?



Looking for low cost Cisco router for non-profit

I know "low cost" and Cisco don't go in the same sentence but I'm wondering if there's a used Cisco router I can get on eBay for a small site with the following requirements: single 200Mbps internet, 10-15 users. Being a non-profit their budget is limited so I'm trying to stay in the $200-400 range if possible.

Most likely I'll go for a low cost alternative like Mikrotik, but having some Cisco experience I'm looking at some older models that might work: 1941 and 891FW, but AFAIK their WAN throughput is limited to under 50Mbps.



Trouble updating Cisco ASA 5505 firewall

I'm having issues updating a Cisco ASA 5505 firewall version (8.2) to software version (8.4). I keep getting the error message "error reading/unspecified error". How can I fix this? I'm also using SolarWinds TFTP server to update the firewall.

ASAFW(config)# copy tftp flash
Address or name of remote host [192.168.0.25]?
Source filename [asdm-641.bin]? asa841-k8.bin
Destination filename [asa841-k8.bin]?
Accessing tftp://192.168.0.25/asa841-k8.bin...
WARNING: TFTP download incomplete!
%Error reading tftp://192.168.0.25/asa841-k8.bin (Unspecified Error)



Best Bang-For-Buck Server for Windows Server 2019 Domain

I'm looking for recommendations for best bang-for-buck server for Windows 2019 Standard/Essentials. Budget is $2500 for Hardware - licensing in addition.

Open to learning more about Linux alternatives for domain management.

EDIT: Must be rackmount.



Where does Alcatel-Lucent keep their OmniSwitch scaling data?

I am looking at the OmniSwitch lineup and their factsheets are pretty good.

But between their factsheets and A-OS release notes they don't share the OmniSwitch scaling numbers: MAC address table size, IGMP interfaces, IPv4/v6 routes, OSPF adjacency limits, VRF limits, etc.

Where do they keep that data?

Sidenote: I did find a whole bunch of KB and document portals. But you need a login.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



VSX configure with 1 member, add second after

Hi all,

Has anyone ever implemented a single member VSX on the ArubaCX, with intent to add later?

We ordered 4x 8325 in April (two for core and two for a new office build) and we received 3 of them this month. The fourth got lost (screw you Purolator) and the replacement has a date of February.

New office move in is planned for November, so October was tight enough as is.

Obviously not pleased, and it's not ideal, but if I configured VSX sync, LAGs, ISL, etc. exactly as planned in a redundant fashion now, would it be simple to plug in once we get the second member, or would I essentially scrap and wipe entirely? This is my first big engagement with Aruba, so my experience with the platform is still growing.



Cat6e to RJ11 - Known methods for landline phone systems.

We're building out a new office and I've instructed our IT sub to put Cat6e everywhere, which they have, so we can use a new VoIP phone system with our two phone numbers and 7 handsets. Unbeknownst to me at the time, most VoIP providers charge per handset, not per number like our current traditional phone system. We obviously don't want to pay for 7 users as we only have 3 employees in the office (we're future-proofing), so we're in a situation where I'm not sure how to move forward. I've looked into RJ45 to RJ11 converters, but am getting mixed reviews. Can we use our existing Cat6e cables to facilitate our current phone system and not use VoIP? We're only paying for 2 lines and that's how we'd like to keep it at the new office. Thank you!



Missing meta in netflow v9 (iosxr 6.4.x)

I'm writing this on my phone from bed, so I may miss some details. I'll be able to dig up more info if needed.

Anyways, I run the global routing table/interconnects/transit/ixp in a vrf on routers at the edges of an MPLS network where labels are of course popped.

I have basically ended up with a config from a forum that "just works" for the author, but I'm still not seeing bgpnexthop, bgpdstas, bgpsrcas for the most part in show flow monitor.

Have I encountered some known issue with my config?

(Also I have the bgp attribute-download enabled, to get that out of the way)

I am pretty sure I had this working before moving full routing to a vrf, but don't have the history to confirm this.

Anyone? Pretty much open for any tips or gotchas.

I'll edit this with config and what I am seeing tomorrow.



RFC Testing Equipment

Our ISP is getting into some more MPLS/VPLS transport services and some of our clients are requiring RFC 2544 testing to verify large frame transport capability. I understand what the test is and why they would want it. What I am wondering is what equipment is typically used for RFC 2544 testing.

I found an Exfo device that does it, but it seems like a little bit overkill for our use case. GL Communications has an Ethernet testing device that looks like what we would need, but I have never heard of the company and I'm not sure how reliable they are.

Does anyone have any experience with these tests? What equipment would you suggest for testing up to 10G with large frame sizes?



Is there a way to get an eval license for Aruba’s AP controller?

I'd like to test Aruba's wireless controller without outside pressure from a salesperson if at all possible. Is there a way to get an eval license without going through their sales team?

Or should I just buy a physical controller off the internet? I am looking to test out a couple of AP 335's.



QFX5k and MX480 EVPN VXLAN Troubleshooting

Hey everyone,

I am struggling to get the MACs learned over my VTEP to be forwarded down to the bridged devices.

Basically, here is the topology:
QFX 5k <---L2 Trunk---> MX480 <----BGP---> QFX10k <---BGP--> *QFX5k* <----L2 Trunk----> OLT

The VTEP is running between the MX480 and the *QFX5k*. Both the MX480 and the QFX5k are learning MACs being forwarded over the L2 Trunks from their corresponding directly connected devices. They are propagating those MACs successfully over the VTEP and both the MX480 and the *QFX5k* are learning MAC addresses in the EVPN database from both locations. The issue is the MACs learned over the VTEP are not being forwarded down over the L2 Trunks on either side.

We are seeing both MACs from both sides in the EVPN database as well as in the EVPN BGP table on the MX480 and *QFX5k*.

Any ideas why this might be the case?



Bridge mode vs DHCP

I have AT&T fiber with the Linksys Velop AC1300 set. All 3 are hardwired. Would it serve me better to be in bridge mode or should I just stay in DHCP? Thank you in advance!



Trying to implement TCP Hole Punching / NAT Traversal

Hey! Does someone have any experience with networking (NAT traversal / hole punching)? I've implemented UDP hole punching in Rust and went into the deep water with the TCP protocol. I've been trying for a couple of days without any sign of success; can someone who has experience in the matter give me some insight?

I'm not sure if it's an issue at the API level (since there are available implementations like the nat_traversal crate), but I seem to do everything by the book.

It goes like that:

• A connects to S

• B Connects to S

• S sends A and B the other's public and private addresses + ports (respectively)

• When the client gets the other client's information, it starts listening on the same port it used to connect to S

• Trying to connect to the other client

In general the client has 4 threads:

• Connection to S

• Listening for incoming connections (same port that connects to S)

• Connection to B's public endpoints

• Connection to B's private endpoints

I went with Rust for the implementation.

It just doesn't work for me and I have no idea why. I've tried many different APIs, which is why the code may seem messy.

This is the code for both the server and the client: https://gist.github.com/TheOnlyArtz/c47b651a429301a12c47aeb9ae4253f2

The issue is essentially in the client; the server works as intended.



Need help creating a switch stack of 4 with FS Switches

I'm creating a stack of 4 switches using these:

https://www.fs.com/products/83325.html

I'm following this documentation here: https://img-en.fs.com/file/user_manual/s5500-48t8sp-bvss-configuration.pdf but it doesn't seem clear in a lot of places. The configuration for a 4 switch stack seems straight forward enough, but I get to this line:

Switch1_config_bvss# bvss interface # type TGigaEthernet port # group #

The explanation they give of this command doesn't help much at all:

" Configure the port port whose port type is type to be a virtualized port. The serial number is num and the port group number is group"

Funny thing too, the command in the documentation isn't even fully accurate. What I'd have to type on my FS switch is: "bvss interface # (1-4) slot (1-1) port (1-8) group (1-2)"

I'm not entirely sure what the slot refers to, but I only have 1 option there. Port seems easy enough, just referring to the stacking port I'm using I'd assume, since there's 8 of those and I can choose from 1-8. Interface and group is where I get lost. I've tried a lot of different combinations of putting my ports in the same/different interfaces and groups but I can't seem to get all 4 switches to stack. I either get 2 to stack or none at all. Anyone with some experience here able to help?



Juniper VCF does anyone use it?

I am being told by my reps that VCF is dead. We just upgraded from QFAB about 3 years ago. Now being told no one uses it. Also our latest upgrade requires a full stack outage. Wtf



Where can I test my tool on outdated 802.11 versions?

I coded a little deauthentication attack but can't debug it on my local network since I have 802.11w, where management frames are encrypted. Using Wireshark is not an option either, as I only have one Wi-Fi card with monitor mode and packet injection support, which I have to use for packet injection. I have an ESP32, a Raspberry Pi 3B+ and a Raspberry Pi Zero W in case that helps.



APIPA not configuring nic with Autoconfiguration Enabled

I have a device that is managed via APIPA. I have tested this in my office and it will autoconfigure just fine. However, at my other facility where these devices are used, it does not.

I have found registry settings to disable this function, and they are not currently present.

I'm scratching my head as to why this is the case. I've honestly never seen this happen when no DHCP is available.

https://i.imgur.com/Zti8x8a.png



UPS Question

Hypothetically,

Would it be possible to program a server to tell other servers and switches to power off when the rack reaches a certain temperature?



Monitor printer smtp traffic with wireshark

We have a few printers that are getting SSL errors when trying to scan to email using MS365 SMTP settings on about 10-20% of the jobs. So I had the brilliant idea to run a packet capture to try to get more info on where the packet is going and blah blah blah. So I connect my laptop to the subnet, assign it an IP in the range and run a test scan, but I'm not seeing any packets from or to the printer. Any ideas on what I'm doing wrong?



Monitoring Traffic Type of Certain Port

I have been requested to find out how to identify what type of traffic is being used on a specific interface on a network switch. I know that I can do a Wireshark capture and mirror the port, but the requirement is more of a pretty print, like something you would see with SD-WAN. The other requirement is to see what the traffic type is at each point in time in a 30 to 60 second interval. Is there something that can inspect a port mirror or a Wireshark capture and present this, or is this not a possibility and Wireshark is my only option?

Thanks for the help!



Stacking 2 Extreme Switches X590 (16791)

Hello guys! Can you please advise me on this topic? I want to stack 2 X590s and I don't know if there is a license I need to have to enable stacking, or whether I can simply use 2 stacking cables (100G) on the 100Gb ports for stacking. Thank you.



Juniper MX240 : pic has no CoS queuing

I'm migrating a configuration from a Juniper MX104 to a MX240 which has the MPC Type 2 3D card installed and then a 4 x 10Gb MIC card in that.

I figured it would be pretty much like for like and it was largely.

What I've now noticed when trying to set up a circuit is that the MX240 doesn't like my class-of-service config. Or at least it doesn't believe the built-in PIC is capable of it, which I find hard to believe.

When I try to apply a class-of-service to an interface I get the below error:

[edit class-of-service interfaces xe-2/0/1 unit 2003] 'output-traffic-control-profile' cannot configure traffic control profile (pic has no CoS queuing)

From trying to find answers a possible fix seems to be to enable traffic-manager which I've done as below:

set chassis fpc 2 pic 0 traffic-manager mode ingress-and-egress

However it hasn't made a difference and I still get the same error?

Surely the MPC card on the MX240 can do what the MIC card on the MX104 can?

Thanks



MACSec 10G link encryption device for Non-MACSec switches

Does anyone know of an enterprise class link encryption device that can do MACSec encryption on a WAN link at 1G, 10G or 100G SMF, for when the switches connected do not have MACSec support? Ideally a device with two ports, one Plain Text and the other Cipher text. IPSec devices generally do not have the performance.

I am thinking of something like a Mini Catapan encryptor, for those of you who know what they are, but with merchant silicon, 100 times faster and 1/10th the price.

I am trying to standardize on using MACSec for all L1 Wave WAN circuits but I have some smaller sites that have fairly new switches, but they don't support MACSec. The larger sites have WAN edge switches that do support it. I would like to drop a link encryption device in to fix this (If such a thing exists).

The primary reason I want to use MACSec over IPSec is it generally is baked into the switch port silicon, and will run at line rate with minimal overhead. I don't want to install firewalls just to encrypt a L1 Wave circuit. To get a Firewall to do IPSec at 10G is prohibitively expensive, and forget about 100G.



How to re-enter DHCP config without starting over?

Hey all. I'm just wondering if it's possible to re-enter DHCP config on a Cisco router without having to start from the beginning (i.e, exclude address range, create pool name, etc). To this day, if for any reason I have to go back into the thing I find that I have to start over which is really inconvenient especially if it's been a while since the last time I was on that network.



[DNS] how to config a domain with an IP and all its subdomain with another one

Hi,

with DNS, is it possible to have a domain (example.com) connected to an IP, while all its subdomains are connected to another? In other words, can I insert two A records, one like example.com => 1.2.3.4 and the other like "*.example.com" => 2.4.8.16 (this last one should resolve one.example.com to 2.4.8.16, but should not resolve example.com)?

I have several subdomains, all managed by a reverse proxy with a unique ip, and the only solution I have found is to add an A entry for each subdomain... but this is not really easy.

Suggestions? Thanks a lot!!!

(note: DNS is managed by Cloudflare; I need HTTPS and a certificate too)



Help with "Slow" connection on SDWAN

So the company I work at is in the middle of migrating from MPLS to SDWAN (Viptela). Currently we have a large global group all migrated successfully with no issues mostly in a dual TLOC setup (1x mpls and 1x biz-internet per site). Starting with a few sites here in Australia, I'm setting up single biz-internet sites and migrating them completely away from MPLS (MPLS still in site as a fallback but not setup in SDWAN as a TLOC).

The control connections all work fine and the tunnels are up perfectly. All non-SDWAN traffic goes back to the closest datacenter (assigned using Centralized Policies) where it can then go to an MPLS site or out to the internet through a NGFW.

Latency is perfect, traceroutes and pings show sub 5ms to 8.8.8.8, RDP and other traffic is perfect, etc.

Here's the weird part. Some of the single TLOC sites have absolutely awful HTTP/HTTPS traffic. I'm talking 20+ Seconds of "Establishing Secure Connection" in Google Chrome before loading the website. Setting a static route pointing the traffic out the MPLS instead then returns the traffic to its lightning fast speed. This doesn't affect every site either. We have 3 sites - 2 of them are having issues, and 1 of them is totally fine. The site that is fine is using the exact same Viptela template as a site that's having issues.

Here's a crude diagram of the setup: https://i.imgur.com/558piBW.png

Wireshark shows a ton of TCP Retransmissions however there is no packet loss anywhere in the connection. The only thing I can blame is SDWAN as an almost identical traffic path through MPLS shows zero issues but I'm at a loss on how to troubleshoot and resolve it.

Where do I even start looking? I've stripped out so much of the template so that there's no shaping, no QoS, no sslproxy, etc, and the issue still occurs.

Any help would be appreciated.



IPv6 BGP session stuck in open sent. Anyone here using tunnelbroker.ch?

Is anyone using tunnelbroker.ch here? I've literally been trying for three days to get a working IPv4 BGP session. With IPv6 everything works, but for IPv4, no matter which options I use, I receive an immediate TCP FIN,ACK after the OPEN message from the endpoint.

I have tried any conceivable option and setting (my endpoint is Mikrotik if that matters).

I have even intercepted and decoded the OPEN message and it is exactly correct:

  • Marker=16x FF
  • Length=45
  • Type=1(OPEN)
  • Version=4
  • MyAS=AS_TRANS
  • HoldTime=180
  • BGP Identifier=MyIP
  • OptParamsLen=16
  • Optional Parameter: 2(Capability); Length=14
    • Route Refresh Capability
    • Support for 4-octet ASN Capability
      • my 32 bit ASN
    • Multi Protocol extensions capability
      • AFI: (1) IPv4
      • SAFI: (1)Unicast

My only explanation is that tunnelbroker.ch is broken. And only the IPv4 BGP part.

Hence my hope that someone here is using this and can confirm/disconfirm.

Or give me any advice what else I could try.
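The post decodes the OPEN by hand; as an added example (not the poster's code or anything from Mikrotik or tunnelbroker.ch), here is a Go encoder and decoder for that exact OPEN, with the same three capabilities, that checks the marker, the 45-byte length and every nested TLV length. The ASN, hold time and BGP identifier below are constructed placeholders.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Codes from RFC 4271 (OPEN), 5492 (capabilities), 2918 (route refresh), 6793 (4-octet ASN), 4760 (MP-BGP).
const (
	bgpHeaderLen    = 19
	bgpTypeOpen     = 1
	asTrans         = 23456 // fills the 2-byte My AS field when the real ASN is 32-bit
	optParamCap     = 2
	capMultiproto   = 1
	capRouteRefresh = 2
	cap4ByteASN     = 65
)

// Open is what the decoder recovers from an OPEN message.
type Open struct {
	MyAS, HoldTime uint16
	BGPID          [4]byte
	ASN4           uint32      // 0 when no 4-octet ASN capability is present
	RouteRefresh   bool
	AFISAFI        [][2]uint16 // (AFI, SAFI) pairs from multiprotocol capabilities
}

func put16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }
func put32(b []byte, v uint32) []byte { return put16(put16(b, uint16(v>>16)), uint16(v)) }

// BuildOpen encodes an OPEN with the post's three capabilities: Route Refresh, 4-octet ASN, MP IPv4 unicast.
func BuildOpen(asn uint32, holdTime uint16, bgpID [4]byte) []byte {
	caps := []byte{capRouteRefresh, 0}                // code 2, length 0
	caps = put32(append(caps, cap4ByteASN, 4), asn)   // code 65, 4-byte ASN
	caps = append(caps, capMultiproto, 4, 0, 1, 0, 1) // code 1: AFI=1, reserved, SAFI=1
	optParams := append([]byte{optParamCap, byte(len(caps))}, caps...)
	myAS := uint16(asn)
	if asn > 0xFFFF {
		myAS = asTrans // the peer takes the real ASN from the capability
	}
	body := put16(put16([]byte{4}, myAS), holdTime) // version 4, My AS, Hold Time
	body = append(body, bgpID[:]...)
	body = append(body, byte(len(optParams)))
	body = append(body, optParams...)
	msg := put16(bytes.Repeat([]byte{0xFF}, 16), uint16(bgpHeaderLen+len(body))) // marker, length
	msg = append(msg, bgpTypeOpen)
	return append(msg, body...)
}

// walkTLV iterates (code, length, value) triples, the shape shared by optional parameters and capabilities.
func walkTLV(b []byte, fn func(code byte, val []byte)) error {
	for len(b) > 0 {
		if len(b) < 2 || len(b) < 2+int(b[1]) {
			return errors.New("truncated TLV")
		}
		fn(b[0], b[2:2+int(b[1])])
		b = b[2+int(b[1]):]
	}
	return nil
}

// ParseOpen decodes an OPEN and checks its framing and every length field before trusting the content.
func ParseOpen(msg []byte) (Open, error) {
	var o Open
	if len(msg) < bgpHeaderLen+10 || msg[18] != bgpTypeOpen {
		return o, errors.New("not an OPEN of plausible size")
	}
	if !bytes.Equal(msg[:16], bytes.Repeat([]byte{0xFF}, 16)) {
		return o, errors.New("bad marker")
	}
	if l := int(binary.BigEndian.Uint16(msg[16:18])); l != len(msg) {
		return o, fmt.Errorf("length field %d != %d bytes on the wire", l, len(msg))
	}
	p := msg[bgpHeaderLen:]
	o.MyAS, o.HoldTime = binary.BigEndian.Uint16(p[1:3]), binary.BigEndian.Uint16(p[3:5])
	copy(o.BGPID[:], p[5:9])
	if int(p[9]) != len(p[10:]) {
		return o, fmt.Errorf("optional parameters length %d != %d bytes present", p[9], len(p[10:]))
	}
	var capErr error
	err := walkTLV(p[10:], func(ptype byte, val []byte) {
		if ptype == optParamCap {
			capErr = walkTLV(val, func(code byte, v []byte) {
				switch {
				case code == capRouteRefresh:
					o.RouteRefresh = true
				case code == cap4ByteASN && len(v) == 4:
					o.ASN4 = binary.BigEndian.Uint32(v)
				case code == capMultiproto && len(v) == 4: // AFI(2) reserved(1) SAFI(1)
					o.AFISAFI = append(o.AFISAFI, [2]uint16{binary.BigEndian.Uint16(v[:2]), uint16(v[3])})
				}
			})
		}
	})
	if err == nil {
		err = capErr
	}
	return o, err
}
```

Feeding a captured OPEN to ParseOpen is a quick way to confirm the encoding is sound; if it passes, the bytes are not the problem.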



Monday, October 25, 2021

Least learning curve to (semi) auto config new sites switches and firewall from standard/template?

So my shop brings on a few new sites/clients a year and they all follow our standard setup for a standardized set of vlans, tunnel back to HQ network, and some configs for things like multicast/igmp etc etc.

We run Ruckus ICX switches and are using Palo Alto firewalls.

What automation tools have the least learning curve to be able to say

  1. Define new customer site is 10.xxx.0.0/16

  2. Plug in new core switch. Have it grab a core switch config for the 10.xxx site scheme.

  3. Plug in second core switch. Have it grab appropriate config with next IP in the scheme.

  4. Plug in a new access switch. Have it grab an access switch config for the 10.xxx site scheme. And get an appropriate IP in the scheme.

  5. Repeat for other access switches.

  6. Plug in new firewall. Have it grab firewall config and maybe all I do is put in the wan provider details.

Etc...

I always hear Ansible or Python this or that but have yet to find a solid tutorial that does a lot of hand holding. I need the hand holding.

Any favorites out there? TIA



MTU Configuration - Jumbo frames part 2

On my first input the question was about jumbo frames in general, but now I would like to be more specific: L2 jumbo frames.

workstations <-> 10GbE switches <——> hypervisor <———>isilon NAS

Will you enable jumbo frames in each and every device in here?

Or just between NAS and switch?



Is there a difference between Network Admin and Network Engineer?

^^^



Alfa wifi adapter

Hello,

My question is: when we have a Wi-Fi adapter in our laptop, why do we use an external adapter like Alfa, TP-Link, etc.?



Internet Works then Doesn't - Is it Local or is it ISP?

A little background:

ISP Modem setup by ISP tech. WAN port on modem connected from modem to WAN port on firewall. LAN port on firewall flows into managed L3 switch, goes out to devices.

ISP Provides following for WAN interface port:

- Static IP Address

- Subnet

- Gateway

- DNS Server #1

- DNS Server #2

== INTERNET WORKS - LIFE IS GOOD

Current Situation:

ISP comes back, installs new hardware (modem box). Plugs WAN port on modem to WAN port on firewall. LAN port on firewall flows into managed L3 switch, goes out to devices.

ISP Provides following for WAN interface port:

- Static IP Address

- Subnet

- Gateway

- DNS Server #1

- DNS Server #2

== EXACT.....SAME.....SETTINGS....NOTHING....CHANGED....

Using the static IP address, with the configuration on the firewall, it would not resolve DNS = no internet. Only after reconfiguring the WAN interface port to use DHCP from the ISP to grab an IP does it talk to DNS correctly, resulting in Internet.

My question is, if the same ISP is used, with the same ISP settings as before, how does the firewall fail to resolve using the exact same static IP? The only thing that is different is a new modem box. Is it a local issue, or is it an ISP issue with the static IP not being routable internally through their end?

Love to hear your thoughts on this. Many thanks for those that respond. Harsh/snark responses not appreciated.



Help me choose a replacement product for Bluecoat ASG to look into

Here's the key and slightly problematic list of criteria we have (i.e. over and above the usual list of things you need in a security appliance like URL filtering, TLS decryption etc):

- On-prem required (VM is fine) - can't use a cloud solution

- Explicit proxy required

- Must support SOCKS5

- Can't be Fortinet

They really narrow the possible list of contenders down. I came up with McAfee Web gateway so far. Anything else?



Using 2 ISPs with their own wireless networks

I'm an IT administrator at a small school, and the principal is looking to improve internet stability on campus. We are currently receiving internet service from two providers, I'll just call them A and B.

A is set up with a modem and a single router. At the moment it's only used in a couple of teacher-only rooms. B is set up with the Plume SuperPods, and there are several plugged in around the campus.

The principal wants to know if we can somehow maximize the total bandwidth of having both ISPs. Both ISPs offer packages with the Plume service, and so my question is would having two Plume networks be a bad idea? I know that Plume suggests you turn off your other Wi-Fi networks when you install it, but are they capable of working alongside another Plume network?

If it won't work, my alternative idea is to use one of the ISPs as a hardwire only connection, but that wouldn't be making the absolute most of the two bandwidths since only the teachers would be on the hardwired network.

Any ideas or things that I'm not thinking of? I'm relatively new to IT management so please forgive me if this is a newbie-ish question. Thanks!



Unifi APs set to DHCP on a VLAN and receive DHCP addresses on Guest Network (different VLAN) - but show correct IP in the UNCK controller?

I am having a strange issue where our Unifi APs (around 70 total), which are set to VLAN 10, pick up a DHCP address on our open Guest network with captive portal (VLAN 20) from our MS Server 2019 DHCP server. There is a SonicWall as the NGFW that is being used for VLAN assignment and DHCP relay. For some reason, the guest network scope on the DHCP server is the only one that keeps assigning IPs to the APs.

On VLAN 10, I have reservations set for the APs. No other device is assigned an IP cross VLAN like this.

I have tried recreating the networks, recreating the scope, ensuring that the Guest network VLAN is correct. The APs show the correct VLAN DHCP assignments in the controller and I can verify with a ping/ssh.

I am going to add a Deny rule on VLAN 20/Guest network for the APs, but curious as to why this may be occurring.

Thanks for any thoughts on this..



OS Images

I picked up a NIB SN2410-BB2F from eBay to familiarize myself with Onyx, SONiC and Cumulus and see if one of those would work well for an upcoming project. Is there any way to update or get install images for any of those OS? I contacted Mellanox to see about purchasing a support contract but evidently they consider their products throw away once they change hands.



Meraki down?

We just started having issues with our WIFI APs about 30 minutes ago and tried to log in to the Meraki portal, but apparently, the portal is down?

This site can’t be reached reached.
421.meraki.com took too long to respond.

Getting this from different networks on different ISPs. Unable to control our Meraki infrastructure.

Anyone else having this issue?



Wireless question(s)

Hi all

I am newer to the WiFi game out there and I'd like to do some preliminary research prior to seeking out a consultant to assess the space. I'm going to be deploying WiFi in an approximately 400,000 square foot warehouse. Obviously we are talking about a decent number of access points. A good amount of the space will be freezer space as well. I know most AP's won't be rated to survive that, but if there are some brands that have a more rugged model I'd appreciate pointers.

I've used the Meraki AP's with great success, but I am not necessarily a Meraki lover. I want to do some searching of other products. I always hear about Ruckus and their products being great, and then I hear even more about Aruba being wonderful. My reading suggests that Mist leaves a lot to be desired and is very expensive. Is there any other product you think I should add to my list for DD? I want to make sure when the consultant comes in and makes recommendations I have some knowledge of the big brands out there so I can assess their recommendation.

I've had enough Ubiquiti for a life time already :-)



MTU configuration - Jumbo frames

Where do you stand on Jumbo frames?

I am trying to get the best out of my network and since I've got a 10GbE capable infrastructure I thought Jumbo frames could give me an extra boost. If I understood correctly, jumbo frames must be active for the entire collision domain so they don't cause any trouble. I have also come across some posts stating they had trouble with some internet browsing but I am unsure if this is correct.

I'd like to upload my network diagram but I don't see an option, I guess pictures are not allowed?



Deterministically Assigning IPv6 Addresses Given a Cryptographic Key

Hey all, I have a group of computers or nodes that will interact between them on a VPN-like network I am writing. Each node has a public key, and I would like to programmatically (using a custom Go program I am writing) deterministically assign them IPv6 addresses. So, let's say I know peer A's public key; given that information I can build its IPv6 address. The addresses would be Unique Local Addresses, and each group or peer group would be in the same subnet.

So, given a public key, hash this into a valid ULA.

Any help would be greatly appreciated.
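One way to do this in Go, as an added example that is not the poster's program: derive the group's /64 from a group identifier and the peer's 64-bit Interface ID from a hash of its public key, following the RFC 4193 ULA layout. The domain-separation labels, the group name and the 32-byte keys are this example's own constructed choices.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/netip"
)

// RFC 4193 layout: 8-bit prefix (fd00::/8, L=1) | 40-bit Global ID | 16-bit Subnet ID | 64-bit Interface ID.
// The labels keep group and peer hashes in separate domains; they are this example's choice, not a standard.
const (
	labelGlobal = "ula-v1/group"
	labelPeer   = "ula-v1/peer"
)

// GroupPrefix derives a stable /64 for a peer group from any group identifier
// (a name, a group key, ...): Global ID and Subnet ID both come from one SHA-256.
func GroupPrefix(groupID []byte) netip.Prefix {
	h := sha256.Sum256(append([]byte(labelGlobal), groupID...))
	var a [16]byte
	a[0] = 0xfd         // fc00::/7 with the L bit set
	copy(a[1:8], h[:7]) // 40-bit Global ID followed by 16-bit Subnet ID
	return netip.PrefixFrom(netip.AddrFrom16(a), 64)
}

// PeerAddr places a peer inside the group's /64 using a hash of its public key as the
// Interface ID, so every node can compute every other node's address without a registry.
// With a 64-bit ID, collisions become likely only around 2^32 peers; the control plane
// should still reject a second key that maps to an address already in use.
func PeerAddr(group netip.Prefix, pubKey []byte) (netip.Addr, error) {
	first := group.Addr().As16()
	if group.Bits() != 64 || !group.Addr().Is6() || first[0] != 0xfd {
		return netip.Addr{}, errors.New("group prefix must be a ULA /64")
	}
	if len(pubKey) == 0 {
		return netip.Addr{}, errors.New("empty public key")
	}
	h := sha256.Sum256(append([]byte(labelPeer), pubKey...))
	a := group.Masked().Addr().As16()
	copy(a[8:], h[:8])
	// RFC 4291 2.6.1: an all-zero Interface ID is the Subnet-Router anycast
	// address, so nudge that one case rather than hand it to a peer.
	if a[8]|a[9]|a[10]|a[11]|a[12]|a[13]|a[14]|a[15] == 0 {
		a[15] = 1
	}
	return netip.AddrFrom16(a), nil
}

func main() {
	group := GroupPrefix([]byte("office-lan")) // constructed group name
	// Constructed stand-ins for real 32-byte public keys.
	for _, key := range [][]byte{bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32)} {
		addr, err := PeerAddr(group, key)
		fmt.Println(group, addr, err)
	}
}
```

The address only identifies a peer if the VPN layer also verifies that traffic from that address was authenticated with the same public key; the mapping itself proves nothing on its own.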



Python for Networking Classes

Does anyone have recommendations for Python training for network engineers? I know there is a lot of online stuff, but I am looking for something instructor led that people could reserve a week to dedicate to. The Skill level would be little to no programming experience. Either onsite or virtual would be fine.