/r/networking
Enterprise Networking Design, Support, and Discussion.
I've built the following lab setup to learn about BGP and OSPF. I have successfully configured each protocol and redistribution between the two such that R1 and R2 have routes to every local subnet on each router. R4 and R6 can also see all routes from within the OSPF area. However, I cannot figure out how to make R4 see R6's local network, and vice versa. I have configured R1 and R2 to redistribute OSPF into BGP, and BGP into OSPF. What am I missing here? I can post configurations as needed but I didn't want to clog the post with each router config. Any help is appreciated. https://i.imgur.com/T38hqF4.png
Long essay incoming here....
Hi, I have a question around inbound inspection and what to do about it. In the first half of this year I designed and completed a 6-month-long migration away from our ASAs that hosted our outbound firewall traffic out of our main DC, and another pair that all the company's hosted traffic went through. It was a mammoth task and one that I'm glad to say I accomplished with very few hiccups.

The ONE issue that caused me problems (logistical ones more than anything else) was implementing secure TLS inbound proxy inspection (MITM). I ended up having to switch it off for our production environment but kept it on for non-prod, and still no issues. The issue was one application in particular, an API gateway we have that clients call; these calls can come from all our clients anywhere online. The new TLS cert chain I placed on our F5 VIPs is one that (after a LONG troubleshooting process) passed all of the checks I had internally and externally (the Java cert store not trusting the original one being the first issue I had). The internal checks I covered mainly with the devs came back fine in the end when they tested all the VIPs from externally.

We also have a non-prod API gateway that I used as the main ground for questions to the devs and tests with them. I REPEATEDLY ASKED them: do our external clients use and test against this API as well, and can it be treated as a test to simulate the production API? They said yes. So, after a few days of switching production on, everything was fine until one morning a dev comes and says to me that some external clients can't connect to the API. My boss goes bananas at me, has a go at me because of how crucial the production API is to the company! I felt completely thrown under the bus and wasn't backed up at all by my boss, even after the job (whole migration) I'd done and the meetings and questions I did over the API as well.
What's everyone's thoughts on this? Will I ever be able to switch all of the production environment back on again or not? From the cert POV, is there anything else I can do? Some external clients don't trust the intermediate cert in the chain; the only thing I can think of is to send the chain to all our clients and ask them to install it in their trusted cert stores. Does anyone else have any ideas?
I'm scared to even suggest it again. Why should I bother when I don't get the backing, and the devs are almost clueless as far as certs go with the API gateway?
Thanks for reading everyone
Hi All,
So I am looking for a bit of feedback regarding network segmentation (big subject, unless you break it down, pun intended :D)
How much segmentation do you guys do for internal stuff? And I mean internal, not considering DMZ or guest services.
Let's say I have a production VRF. The previous chap set it up in such a way that desktops, printers and servers are part of the same VRF but live in different VLANs; however, the firewall does not come into play here, as all these subnets are routed by a Layer 3 switch, and only when accessing other VRFs, cloud resources or the plain old Internet does traffic transit the firewall.
When I started, I mentioned to the infra guy that this could be a security concern, as then servers rely on having firewall rules in place at OS level to lock down what is not needed, and I have limited means to block, let's say, a PC speaking with a particular server. I did say that ACLs will get out of hand and that is not something I am looking to do. I was shut down by the infra guy saying that if I were to pass all traffic through the firewall I would be complicating things, and that it does not minimize attack surface etc. This from my point of view is plain wrong, as the firewall is able to implement IDS/IPS and we would at least know if something is not playing nicely.
Then the second part is more on servers: do you guys have some rule you follow if you are further breaking down the server network? Let's say a VLAN for Domain Controllers, Database Servers, Application Servers, Web Servers, Infra Support servers?
I have lateral movement in mind: if one server is compromised, there is nothing in the way to prevent poking at others, using it as a jump server etc.
So what is everyone's take on this? An article from a reputable source would be a nice means to persuade my infra guys.
Our company is going through a painful transition to be migrated to our parent company's domain. Networking Hardware is ready to go onsite and all online. All we need are local files in 2 servers and we should be ready to start imaging computers to our Parent Company's image. But at one point, they decided to go with this "Agile Work Place (AWP)" where we image computers to have hybrid access to our parent company's domain, and our current company's domain (shared network drives, e-mails). There is all these extra steps to get to a certain folder from our company's drive. To sum it all up, it's shit, way too many hoops to go through to access a file. Can anyone explain to me why the IT team in charge would want to do this, instead of having me image a computer to our parent company's image, then use our VPN in order for me to have access to our network drives. I have tried this and it was seamless. Are there network risks when doing this? Can they secure that VPN on their side?
I am no networking guru, so I am posting this as a genuine question because I want to understand the thought process for this method and learn.
Long story short: we're an SMB with niche requirements and are looking at alternatives that would suit our requirements, as we've found the UDM Pro to be lacking.
This is the gist of our requirements:
We realise that the price point will not match the UDM Pro, but we're looking for something without recurring software licensing and that isn't far more expensive. An earlier post suggested some brands, but it would be good to have exact models that I could look up. Appreciate any advice. Thanks in advance.
I am trying to learn VXLAN by labbing. I have used the Aruba switch simulator in EVE-NG but it has some limitations. Do you have a recommendation for another vendor that has most, maybe even all, VXLAN features enabled? It has to work in EVE-NG.
I have a router that currently has a DMVPN route via BGP to our DC router and DR router on tunnel 1 and tunnel 2. We have installed a backup circuit at this location and are trying to test the backup circuit on new tunnel 3 to the DC and tunnel 4 to the DR router. Because the primary and backup circuits are DIA and have static IP addresses, each has to have its own VRF, VPN-OUT. I have noticed in testing that when I turn down the primary, the secondary does not come up. I think this is due to the VRF of the primary sticking around and not letting the secondary VRF come up. Do we need to set a priority on each one so the router knows when to kick over to the second route?
Are there any recommended video series or lectures that go decently into BGP, but from a vendor neutral approach?
Specifically I need to focus on understanding more about multi-homing/traffic engineering and path selection in private ASes. Not ISP environments, but large-to-extra-large enterprises (like 30,000-100,000 users) with a blend of iBGP and eBGP. Bringing up peering between routers isn't something I'll be expected to work on; these are established/brownfield environments.
It's pretty easy to find Cisco-focused videos that are spending a lot of time showing how to work the info inside a Cisco CLI, but I'm going to be in a bunch of vendors and would prefer to focus more time on understanding BGP itself.
Does anyone have any good suggestions? Video lectures are preferred, seems to stick better, but books are fine if the info is good.
Howdy! I recently switched from my ISP provided "business" router to a UXG-Pro. I have a few statics assigned from the ISP which would properly resolve externally to the servers I assigned them with the old router, but with the new router I've been having issues.
All of the port forwarding appears correct, but with the email and camera machines, externally, they are resolving as the router's IP address instead of their assigned DNAT/1:1 NAT IP addresses.
I'm sure this is my lack of knowledge but my google-fu has failed to turn up any decent troubleshooting for this specific issue.
I believe that this should be setup under Settings -> Routing -> NAT but I have tried every combination I can think of for source/dest/masq and nothing I've tried has resolved the issue.
Has anyone dealt with this kind of config before? Any tips?
Will a DNS server replying with a malicious IP address to a domain query do any damage on an HTTPS connection? What comes to my mind is, the browser will show warnings or reject the SSL certificate provided from that malicious IP address. Is this really the case, or can the malicious IP address remain undetected?
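The script below is an added example; it is not code from any of the posts on this page. It serves two of them: the inbound TLS inspection post above (external clients that "don't trust the intermediate") and the DNS-spoofing question just above. It builds a throwaway root -> intermediate -> leaf chain with the openssl CLI and then runs the two checks a TLS client runs: chain building to a trusted root, and hostname matching. All names, hostnames and file paths (Example Root CA, api.example.test, leaf.pem and so on) are made up for the demonstration.

```sh
#!/bin/sh
# Added example, not code from any post on this page.  Builds a throwaway
# root -> intermediate -> leaf chain and runs the checks a TLS client runs.
# Every name, hostname and file path below is made up for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Small EC keys keep this fast; the key type does not matter to the point.
NEWKEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# CA certs must assert CA:TRUE or openssl will refuse to chain through them;
# the leaf carries the SAN the client compares the requested hostname against.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:api.example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext

# make_chain: root (self-signed) -> inter (signed by root) -> leaf (signed by inter)
make_chain() {
    openssl req -new $NEWKEY -keyout root.key -out root.csr -subj "/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 3650 -extfile ca.ext 2>/dev/null

    openssl req -new $NEWKEY -keyout inter.key -out inter.csr -subj "/CN=Example Issuing CA" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out inter.pem -days 1825 -extfile ca.ext 2>/dev/null

    openssl req -new $NEWKEY -keyout leaf.key -out leaf.csr -subj "/CN=api.example.test" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -out leaf.pem -days 365 -extfile leaf.ext 2>/dev/null
}

# make_rogue: the best a spoofed DNS answer can deliver without a CA
# compromise: a self-signed cert that merely claims the right hostname.
make_rogue() {
    openssl req -new $NEWKEY -keyout rogue.key -out rogue.csr -subj "/CN=api.example.test" 2>/dev/null
    openssl x509 -req -in rogue.csr -signkey rogue.key -out rogue.pem -days 365 -extfile leaf.ext 2>/dev/null
}

# client_verify HOSTNAME LEAF [INTERMEDIATE] -> prints "ok" or "fail".
# The simulated client trusts only root.pem (-no-CApath keeps the system
# store out of it).  The optional third argument is the intermediate as the
# server would send it after the leaf: -untrusted means "usable for chain
# building, not a trust anchor".
client_verify() {
    if [ -n "${3:-}" ]; then
        openssl verify -no-CApath -CAfile root.pem -untrusted "$3" \
            -verify_hostname "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify -no-CApath -CAfile root.pem \
            -verify_hostname "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
    fi
}

make_chain
make_rogue
echo "server sends leaf only:               $(client_verify api.example.test leaf.pem)"
echo "server sends leaf + intermediate:     $(client_verify api.example.test leaf.pem inter.pem)"
echo "valid chain, wrong hostname:          $(client_verify other.example.test leaf.pem inter.pem)"
echo "self-signed cert, right hostname:     $(client_verify api.example.test rogue.pem)"
```

The first two lines are the F5 situation: a client that trusts the root still fails ("unable to get local issuer certificate") when the VIP serves only the leaf, and passes when the intermediate is sent along with it. That is a server-side fix (on F5 LTM the intermediate goes in the Chain field of the client SSL profile), not something to ask every external client to install; `openssl s_client -connect host:443 -servername host -showcerts` shows what a VIP actually sends. The last two lines are the DNS-spoofing case: a server at the wrong IP has to present a certificate that both chains to a root the client trusts and matches the requested name, so a spoofed A record alone does not defeat HTTPS; it only works against clients that skip verification (for example `curl -k`, disabled checks in an SDK) or when a CA the client trusts is under the attacker's control.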
I've two CBS350 series of switches that I wish to setup for connecting IP Cameras and accessing them from the Control Room.
IP Cameras will be connected to CBS350-8S-E-2G.
CBS350-8S-E-2G will be connected to CBS350-24T-4X over Single mode fiber via a pair of GLC-LH-SMD 1Gbit SFP
For testing purposes, I'm trying to ping a PC connected at gi10 (in CBS350-8S-E-2G) from a PC at gi1/0/24 (in CBS350-24T-4X), but I'm unable to do so. I can successfully ping the switches themselves from PC (IPv4 address of VLAN 2 interface).
I'm attaching my "running-config" from both of these switches and layout diagram.
I am currently trying to setup dynamic VLAN provisioning using MAC Auth. I have done this currently for my wifi APs (2x Omada EAP670) with a FreeRADIUS server running the network and it works flawlessly. Unfortunately, for some reason the ICX7250 has been a bit more difficult. The core issue that I am experiencing is that when a MAC is authenticated by the RADIUS server it seems like the ICX7250 continues to do a _Call-Check_ any time network traffic flows and especially when something like a `ping` comes back `Destination Host Unreachable`. This in turn makes the client flip-flop between the restricted VLAN and the VLAN that the RADIUS server has sent back to accept as. It seems to especially happen with the clients on my network that are authenticated via the DEFAULT clause in my authorization file in my FreeRADIUS server.
I guess my expectation was that when a client connected, the switch reached out to the RADIUS server to validate the credentials (MAC address), this returns a VLAN (see below) which then the switch should use to provision the port as. Is there something else going on here? I can provide whatever would help.
Has anyone experienced this wonkiness before?
Thank you for any help
I’m working on a project and the client already has vSRX licenses and is wanting to take advantage of Azure vWAN. I thought I could save them some money since they already use vSRX and are familiar with Junos OS. It seems like vSRX is not in the supported list of appliances. I was wondering if the supported list just means you can’t get support if anything breaks, or if it’s not possible to deploy. Honestly I want to go with Palo Alto but it may be outside the budget. Fortinet is also an option but I am not super familiar with their platform, and last time I looked the API was behind a paywall (this really sums up how Fortinet operates); I have reservations about Fortinet. Hopefully this is on Juniper's roadmap but I have not heard back from our account rep yet.
I can access the CLI but I can't seem to figure out how to access the WebGUI as per the guides online.
https://cs7networks.co.uk/2023/05/25/palo-alto-11-0-2-vm-on-eve-ng-with-initial-configuration/
Also, is GNS3 really better? Right now I'm just doing testing and practice, so I currently only have 128GB RAM and a 16-core CPU, which I know limits the number of nodes I can have running as well...
UPDATE: Managed to enter the WebGUI. Turns out issue was adding the https://<IP-address>
Thanks to u/Dice102 haha
It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!
Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.
Note: This post is created at 01:00 UTC. It may not be Monday where you are in the world, no need to comment on it.
We have standard high volume network design diagrams we create that would be so much easier to create using an import from Excel instead of doing find and replace for variables.
Basically we want to populate things like router names, transport networks, AS numbers, etc. These are all text fields and not tied to the shape data. A thing like mail merge, like Word has, would be great but Visio doesn't have that feature because in the end we want to produce individual documents per line of data from Excel.
Does anyone do this kind of document creation?
I have a patch bay I made with two Ethernet connectors. One is for running video and the other is for running audio. They both run independently of each other and the rack it’s all in is a setup-and-teardown type scenario. I don’t want to risk someone setting it up and patching in the wrong Ethernet / etherCON cable because that could spell disaster for the hardware in the rack.
Is there any type of surface mount connector and plug that is compatible with Ethernet that isn’t a standard Ethernet port and plug I could use as a way KEY the connection so no one else plugs it into the wrong Ethernet port.
Hope that makes sense.
Looking to replace an aging stack of 3x PowerConnect 5548 switches for an office of around 100 staff.
The organisation is a non-profit in the UK so cost will be a factor.
The current switches are basically used for end devices along with 4x wireless APs. These uplink to a VLT pair of Dell S14128F-ON which perform Layer 3 routing functions and connect to a 3-node ESXi cluster.
Requirements are pretty basic, Managed Layer 2, 48 Ports, PoE+, 1GbE or 2.5GbE, 10GbE SFP+ uplinks, 802.1x with Radius support. CLI management would be a plus but not a huge deal.
Not too worried about stacking, it obviously reduces the number of uplinks but it’s not a hard requirement.
Currently have a few vendor choices.
HPE Aruba 6100 and 6200F, Aruba Instant On 1960, Cisco Catalyst 1300 series, Extreme X440-G2, Ruckus ICX 7450, UniFi Enterprise.
Any others I should consider? I’m leaning towards Aruba as I’ve heard good things and the discounts can be good too.
Thanks
Does anyone have insight on dark fiber prices in SE Asia? We have some markers for Indonesia and Thailand (around US$50-60 / pair per km / month). Above all I would be interested in Vietnam. Thanks!
hey
I have a Forescout EM appliance (8.5.1); the .1x plugin is stuck in the Initializing state (the bug was also on 8.4.0).
I tried this KB:
Answer: The 802.1x plugin sometimes will get stuck in an initializing state due to the plugin upgrade to 4.x not creating the radius and redis directories in /var/log. If you experience this issue where your 802.1x plugin is not starting up and is stuck in the initialization state, please use the following steps as a workaround:
1. Stop the 802.1x plugin on the appliance experiencing the issue.
2. Log in to the appliance via SSH for CLI access.
3. cd /var/log
4. ls -ltr and check to see if the radius and redis directories exist.
5. mkdir radius
6. mkdir redis
7. Run ls -ltr to make sure the directories now exist in /var/log.
8. You will need to repeat steps 3 through 7 on all other appliances experiencing the issue.
9. Go back to the CounterACT GUI and start the 802.1x plugin.
The plugin should now initialize and fully start back up and will operate normally.
***In another case it was found that the log file wasn't being written to and needed the following change. Go to "/etc/redis.conf" and change the "logfile" line to "/usr/local/forescout/log/plugin/dot1x/redis.log". Then we did a "fstool redis_server restart".
Didn't work.
I did some log investigation and found these errors:
3469:signal-handler (1731180208) Received SIGTERM scheduling shutdown...
3469:M 09 Nov 2024 21:23:29.008 * User requested shutdown...
3469:M 09 Nov 2024 21:23:29.008 * Saving the final RDB snapshot before exiting.
3469:M 09 Nov 2024 21:23:29.014 * DB saved on disk
3469:M 09 Nov 2024 21:23:29.014 * Removing the pid file.
3469:M 09 Nov 2024 21:23:29.014 # Redis is now ready to exit, bye bye...
23214:C 09 Nov 2024 21:23:30.436 * oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
23214:C 09 Nov 2024 21:23:30.436 * Redis version=7.2.0, bits=64, commit=00000000, modified=0, pid=23214, just started
23214:C 09 Nov 2024 21:23:30.436 * Configuration loaded
23214:M 09 Nov 2024 21:23:30.437 * Increased maximum number of open files to 10032 (it was originally set to 1024).
23214:M 09 Nov 2024 21:23:30.437 * monotonic clock: POSIX clock_gettime
23214:M 09 Nov 2024 21:23:30.437 # Failed to write PID file: Permission denied
23214:M 09 Nov 2024 21:23:30.437 * Running mode=standalone, port=6379.
I also tried to uninstall and reinstall the console; didn't seem to work.
Any idea?
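The script below is an added example, not code from the post above, from Forescout or from Redis. The KB workaround quoted in the post comes down to "the directories Redis writes into do not exist", and the one error in the log excerpt is a PID file that cannot be written; the script reads the three path directives Redis writes to (pidfile, logfile, dir) out of a redis.conf and reports, for each, whether the target directory exists and who owns it. The redis.conf it checks is a constructed sample under a temp directory; the appliance's real file is /etc/redis.conf per the quoted KB, and the paths in the sample are made up.

```sh
#!/bin/sh
# Added example, not from the post, Forescout or Redis.  Reads the paths
# Redis writes to (pidfile, logfile, dir) out of a redis.conf and reports
# whether each target directory exists and who owns it.  The config below
# is constructed for the demonstration; point redis_path_check at the real
# /etc/redis.conf on an appliance to run the same check there.
set -eu

# conf_value CONF DIRECTIVE -> last value set for DIRECTIVE, or empty.
# Assumes values without spaces, which is how these three directives are set.
conf_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# target_dir DIRECTIVE VALUE -> the directory Redis must be able to write to
target_dir() {
    case "$1" in
        dir) echo "$2" ;;        # "dir" is itself the working directory
        *)   dirname "$2" ;;     # pidfile / logfile: their parent directory
    esac
}

# dir_status DIR -> "missing" if absent, else "owner=<user>" (ls is used
# instead of stat so the same line works on GNU and BSD userlands)
dir_status() {
    if [ -d "$1" ]; then
        echo "owner=$(ls -ld "$1" | awk '{ print $3 }')"
    else
        echo missing
    fi
}

# redis_path_check CONF -> one line per directive: "<directive> <dir> <status>"
redis_path_check() {
    for key in pidfile logfile dir; do
        val=$(conf_value "$1" "$key")
        # skip unset directives and the literal "" Redis uses for "no file"
        if [ -z "$val" ] || [ "$val" = '""' ]; then continue; fi
        d=$(target_dir "$key" "$val")
        echo "$key $d $(dir_status "$d")"
    done
}

# Constructed sample: the run and data directories exist, the log directory
# does not, which is the situation the KB's mkdir steps are there to fix.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/run" "$WORK/data"
cat > "$WORK/redis.conf" <<EOF
# constructed sample, not the appliance's real file
port 6379
pidfile $WORK/run/redis.pid
logfile $WORK/log/redis/redis.log
dir $WORK/data
EOF

redis_path_check "$WORK/redis.conf"
```

A "missing" result is the KB case; an "owner=" that is not the account the Redis process runs as is the case the "Failed to write PID file: Permission denied" line points at, which a mkdir alone does not fix.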
Hello telecom colleagues! I would like to raise a new topic about what goes on in the industry, and a couple of global philosophical questions.
Let me think out loud. My main concern is that nowadays (starting in the last 3-4 years, when I started noticing it) we have to put several more variables into the network design equation (let's call it that), namely economic and vendor-reliability (or vendor lock-in / political) factors.
I will give you an example so the situation is clearly understood.
During my career (more than 7 years), at the beginning of projects, in the design stage, I only (or at least I tried to) designed and calculated network/infra solutions based on technical aspects like protocols and vendor solutions, based on their validated designs, best practices and recommendations. The only "economic" parameter I considered was common sense, for instance don't put a 48-port Nexus switch in an office with 3 users. I tried to choose the most "elegant", clean, reliable and scalable solution from a single vendor (single within a project). And everything was fine.
But nowadays I often notice that companies (even worldwide ones) have started paying attention to spending harder and more closely. And they also consider a parameter I had never even thought about; let's call it "political restrictions".
For instance, let's imagine that you got a worldwide project designing and deploying a network (enterprise, DC, industrial, wireless all together), and by "worldwide" I mean many sites in different regions (all of them, without exception) on the planet Earth. You can design it, for instance, on vendor "C"'s or "A"'s comprehensive solution, and the company or customer tells you something like "well, it looks good, but too expensive; could you choose some cheaper vendors? And one more detail: in regions "C", "R" and "I" this solution is blocked". In this case you have only 2 options:
1) start making a "zoo" by using different vendors in each region and suffer a headache every single day thinking about how to adjust everything;
2) use open-source / 3rd-party solutions like pfSense or any kind of Linux/BSD-based distro that you prefer + Ansible / another control system.
And talking about option 2: one more negative point is that companies understand that it's much cheaper and try to force you to do this to save money (their money, not yours), without even understanding how it works. I can understand it a bit, because some vendor solutions' quality is a real nightmare (especially software).
And I have no idea why the hell on earth I have to consider and even think about this shit as an engineer. I have spent a lot of time learning vendors' solutions and cert programs, and it seems that now I should switch to open source and whitebox. I know that AWS, Facebook etc. have enough time and funds to create private hardware and protocols, but that's absolutely another story. Sorry for my English. And what do you guys think about what's going on?
Hello everyone,
Has anyone managed to start SINEC NMS as control and monitor on a station (single node) and is willing to lend me a hand?
I have a big shopfloor network and I want to have it monitored and organized using SINEC NMS.
I started with SINEMA Server and it was okay as a trial, then found it discontinued, and SINEC NMS is the one now.
Any help would be much appreciated, TIA.
Hi. I'm trying to understand what the purpose of a fiber splicing tray is. At work we have a fiber connection into our server room, and I see it has been fused to fiber cabling with an LC connector on the end. Why isn't it a single cable run from the street to the server room and straight into our edge device? Thanks for the clarification.
Guess I'm wondering as I read on networking. New to it and looking into VPNs. This is my kinda understanding.
Packet is encrypted (HTTPS)
VPN applies its IP to your packet
Your packet leaves your modem and ISP routes to VPN server
VPN server routes to your destination
Destination decrypts it
So is this kind of the correct process? No one can see the contents of your data until it is received at its destination?
Hello, we are running into some issues setting up Azure ExpressRoute with Lumen (ISP). Our topology includes 2 Catalyst 9200-cx as edge switches, with the primary circuit on port TenGig 1/1/4 of EdgeSW1 and the secondary on EdgeSW2 port TenGig 1/1/4, and they connect to our MXs with HA on them.
We are using VLAN 515 on the Azure ExpressRoute circuit with 2 subnets, primary 10.6.510.0/30 and secondary 10.6.510.4/30. We have 2 SVIs on the edge switches as VLAN 510 and 511.
We have also configured VLANs 510 and 511 on the Lumen routers, but we are running into an issue where, with different configurations, we are not getting any kind of communication to the Azure side, which in this case would be 10.6.510.2/30 and 10.6.510.6/30.
We have had Cisco and Azure techs on the line for hours and tried different configurations, but were not able to get any L2 connectivity between on-prem and Azure ExpressRoute. Lumen is not seeing any traffic or MACs from VLAN 510 or 511.
Please let me know if you need more information to understand this situation.
this is my first time configuring Azure ExpressRoute, so any recommendation/assistance is highly appreciated.
I was in the process of implementing a failover. We have a SonicWall TZ500. The main ISP is a fiber line, the backup is 5G, both static. I wanted to test the backup ISP, so I unplugged the main ISP. It didn't work. I thought it was probably a setting, so I decided to plug the main ISP line back in while I checked the backup, but now the main ISP doesn't work. I spoke with SonicWall support and they told me it was an ISP issue. I don't understand how; the issue happened as soon as I started messing around with this.
The service provider won't be able to give me service until Monday and we have operations tomorrow. Any advice?
I would like to conduct experiments related to network simulation, specifically with the following requirements:
The router needs to conditionally modify the payload of packets, with the specific modification strategy implemented by a custom algorithm. In this scenario, if the router decides that modification is needed, the packet forwarding should occur only after the modification is complete. I need to simulate this delay.
I also need to customize the router's resources, such as simulating the router's buffer size, CPU, and memory resources. Specifically, when simulating the CPU of a large router, I expect a shorter algorithm execution time, whereas for a small home router, I expect a longer execution time. Additionally, I want to assess whether this simplified algorithm would introduce excessive delay.
Could you suggest any simulation software (or any ideas) that could help implement such modifications?
I have already tried the following:
ns-3: However, it’s challenging to directly program the router model in ns-3. I mean, while it is possible to use event-based callbacks to modify packet contents in ns-3, it’s difficult to simulate the process of running an algorithm on the router.
GNS3: However, it is also challenging to simulate the execution of custom algorithms on the router.
Thank you for any suggestions!
Not sure if this is a common issue y'all run into, but I've just spent the better part of 20hrs getting to the bottom of this issue, so I figured I'd try and save someone else's sanity if they run into the same thing.
One of our client's Yealink T41S phones suddenly entered a boot loop. The phones were able to obtain an IP address via DHCP, and were briefly able to register with the PBX prior to power-cycling themselves and repeating this process.
After spending far too much time troubleshooting various different things (updating the firmware on the phones, factory resetting our switches and firewalls, and contacting the PBX vendor), I ended up figuring out that my company's network management tool of choice, Auvik, was the cause of the issue. It turns out that Yealink phones, for whatever god-forsaken reason, will reboot themselves if there is a lot of broadcast traffic on the network (i.e. SNMP traffic).
You could definitely get Auvik running on the same network as the Yealinks if you properly segment the phones onto a separate VLAN and subnet, but AFAIK I haven't been able to locate a fix from Yealink, and the phones began working as intended once we removed our Auvik collector from their on-prem server. With that in mind we just opted to remove Auvik from that network entirely so as to prevent anyone from accidentally causing the issue again.
TLDR: Auvik and other network monitoring applications that send a large amount of SNMP requests on a network will cause Yealink phones to reboot themselves.
-----
On another note, 2 months into my first network engineering gig and I'm already feeling my wits start to fray; I can see why people get burnt out of this field quickly. Conversely, the high I got from finally fixing the issue is second to none.
Hi, I would like to ask if CCIE Security is going to be a good option to go with, as I am currently a cybersecurity architect; I notice that mostly we are working on network design and security technology (good understanding). I have also heard about CCDE but it mainly focuses on R&S and SP. Your inputs/opinions are highly appreciated.
Background: CCNP sec and Enterprise, ejpt, ewpt, CISM, CISSP
Thank you
Cisco SGE2000: not able to log in to configure it. Tried lots of PDFs but no success.
Not able to log in to this used, second-hand switch. Tried PuTTY, no use. Used a Cat5e cable and address 192.168.254; failed. 192.168.1.1 unresponsive from just the laptop and switch with no online internet connection. The switch operates just fine from router to SGE2000 then to laptop, hard-wired for internet. Looking for solutions.