/r/networking
Enterprise Networking Design, Support, and Discussion.
Many of us in the corporate world have a device we use to land VPN tunnels and might have upwards of 100 IKE peers. Back in the day it was probably an ASA, but we are in a post-ASA world. I am scoping out a project to move tunnels from an ASA to Palo and am starting to rethink whether it is even worth it based on how Palo does policy-based tunnels, which are the vast majority of my connections.
If anyone is using something besides a Palo or an ASA, what is it and do you like it?
We have Aruba switches that pull their configuration from Aruba Central, but since the switches have all their ports configured as access ports in VLAN 1, I have to do a little configuration before dropping them into our environment to complete the configuration, as VLAN 1 is disabled in our environment for security reasons. I'm a relatively new admin and am only really trained in "best practices" rather than what actually works, so I'm hoping to get some guidance from someone who has been there.
Is there some configuration I can put on our main site switches (which are Cisco if it matters) that these plug into that would allow them to pull a DHCP address out of the box without making any changes to the Aruba switches? We have DHCP running on Meraki routers for other VLANs if there is a way to make that work.
I know this probably reeks of incompetence and inexperience, but I am truly grateful for any help.
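An added example, not the poster's configuration, of a staging port on the Cisco side that lets a factory-default Aruba switch get an address without touching it first. It assumes the Cisco core is the layer-3 gateway for a dedicated staging VLAN (900, the port GigabitEthernet1/0/48 and the helper address 10.0.0.10 are all placeholders) and that the Meraki DHCP service has a scope for that VLAN; if the Meraki is the gateway for the VLAN instead, trunk the VLAN to it and leave out the SVI. The reason nothing has to change on the Aruba side: the out-of-box switch sends its management traffic untagged (its VLAN 1), and a Cisco access port places every untagged frame it receives into its configured access VLAN, so VLAN 1 never needs to exist on the Cisco side.

```text
! Cisco IOS / IOS-XE, added example. VLAN, port and helper address are placeholders.
vlan 900
 name STAGING-ARUBA
!
interface Vlan900
 description Staging for out-of-box switches; allow only DHCP and Aruba Central reachability
 ip address 10.90.0.1 255.255.255.0
 ip helper-address 10.0.0.10
!
interface GigabitEthernet1/0/48
 description STAGING - factory-default Aruba switch plugs in here
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
 no shutdown
```

Keep the staging VLAN firewalled down to DHCP, DNS and the Aruba Central endpoints, since whatever plugs into that port is by definition unconfigured. Once Central has pushed the real configuration (tagged uplink, management VLAN), move the switch to its production port.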
I've seen some interviews on being a network development engineer, but I'm more interested in the support side. Getting tickets, troubleshooting, talking with customers. Anyone here in that kind of role with the big 4 - AWS, Azure, GCP, Oracle?
What's your day to day like? Do you speak to customers and get to become familiar with their network as well? What's your background? How did you get into it?
I tried asking this in ITCareerQuestions but only got 1 answer, from an IAM guy.
Hi All,
I have the following hardware:
Dell PowerVault ME4024 SAN (Ethernet)
Dell PowerEdge R640 Server
Cisco Nexus C9372TX
Netgear XS712T
I have configured a LUN on my PowerVault SAN and have configured the PowerEdge Server (running Windows Server 2019) to map this iSCSI LUN as D:\
If I use a Netgear XS712T switch and not the Cisco Nexus 9K, when I run a disk benchmark on the iSCSI LUN I get the following results:
Global Flow Control (IEEE 802.3x) Mode = Enable
1MB - 1.58 GB/s Write & 2.30 GB/s Read
2MB - 1.79 GB/s Write & 2.30 GB/s Read
4MB - 2.03 GB/s Write & 2.30 GB/s Read
Global Flow Control (IEEE 802.3x) Mode = Disable
1MB - 391.27 MB/s Write & 2.28 GB/s Read
2MB - 526.03 MB/s Write & 2.28 GB/s Read
4MB - 516.59 MB/s Write & 2.28 GB/s Read
From the above results, enabling Global Flow Control on the Netgear Switch has a dramatic positive impact on the performance of Write to the iSCSI LUN.
I want to swap out the Netgear XS712T for the Cisco Nexus C9372TX.
I connected this, configured the required VLANs and didn't configure any flow-control related config, and achieved the following:
1MB - 492.31 MB/s Write & 2.28 GB/s Read
2MB - 490.21 MB/s Write & 2.28 GB/s Read
4MB - 636.82 MB/s Write & 2.29 GB/s Read
I then enabled flow control using the following Port Configuration:
switchport access vlan 1001
priority-flow-control mode on
flowcontrol receive on
flowcontrol send on
mtu 9216
Ran another benchmark and got the following results:
1MB - 640.00 MB/s Write & 2.28 GB/s Read
2MB - 628.99 MB/s Write & 2.29 GB/s Read
4MB - 801.93 MB/s Write & 2.28 GB/s Read
This is where I get stuck. Reading online, I need to create a Traffic Class for iSCSI Traffic (CoS 4) and a QoS Group 3 policy - https://www.delltechnologies.com/asset/en-us/products/storage/industry-market/cisco-nexus-switch-configuration-guide-ps-series-scg.pdf
Can anyone point me in the right direction on this?
When I run the below command I get an error:
switch(config)# class-map type queuing class-iscsi
^
% Invalid command at '^' marker
We've got Fibre installed in an office, and it doesn't seem to be working particularly well. The speed seems to keep going up and down.
Several times, it's degraded the connection from automatic to 100Mb/s, and I think fallen beyond that, but I didn't test that at the time just that it pretty much ground to a halt. I think that we've got to call out the installers again, but they're saying that they can't see a problem so far.
I've had to patch it through a wall socket like:
Fibre Point > Wall Socket > Patch Panel > Firewall
I know that the cables from the patch panel and the fibre point are Cat 5e cables, but I don't know when the wiring was done, or the standard in the wall socket.
What I'm wondering is, how does the wrong standard of cable perform over time?
Would it immediately degrade the connection, or is this something that would happen over time?
I'm wondering if anyone has personal experience with migrating an old legacy core based on a spine-leaf FabricPath design to ACI?
I know most of the well-known knowledge sources and have read them, but from my experience things do not look as good as in theory. Yes, I know that ACI is a hub ;P next question, please ;)
For example, the redundant L2 uplinks from spines to ACI leafs are a complete mess. One per site, no vPC (as spines don't do vPC cross-site). It yields multiple MCP triggers due to TCN BPDUs without any reasonable source in the old core. So, the effect is that we need to manually shut one link and operate on one.
Another example is the ASA firewall connected to the spine, multi-context, multi-VLAN - a typical core firewall. Whenever a bunch of VLANs are stretched to the ACI, we experience strange behaviors during unit failover that we never observed before on their own, like blocking of MAC learning on the core Nexus 7Ks.
And a few others. I was thinking about some intermediate approach to moving VLANs to ACI. I usually used OTV to do such things, but on ACI it is not possible/viable.
I'm missing some intermediator/proxy/whatever solution that would stop such issues when two cores are interconnected using L2.
Any ideas? Free discussion welcome.
Hi,
Our ISP provides us with 2 lines with different public subnets. One is a /29 and the other is a /30. However, both of these lines come out of one physical link from the ISP router/modem.
We have 1 switch and 1 firewall. If I understand this correctly I can, let's say, configure a VLAN 500 on the switch and connect it to the ISP port, and 2 physical ports from the switch, in this VLAN, to the firewall interfaces, with static IPs configured. This way I will be able to have 2 interfaces on the firewall with /29 and /30 subnets.
Would this work with 1 vlan?
Small company (currently 20 people) with ambitions to grow to 50 people in the next 2 years. 90% of business is done via online voice and video calls (Teams & VoIP), so we don't have any server or storage; it's 100% cloud based and we just need internet access.
We are about to move to a larger office and are trying to work out which network provider is the right choice. I have been looking at Ubiquiti and Aruba InstantOn.
Ubiquiti setup:
InstantOn Setup:
Now my questions:
Thanks <3 :)
Hello, I'm new with the H3C switch. I need help on what the equivalent of the command below is on an H3C switch. I'm currently trunking Cisco to H3C and I think I'm missing this code.
CISCO :
interface port-channel1
I'm interested in using rConfig as my main backup tool for networking equipment. If anyone has experience with rConfig: does it have a proxy feature? For example, I want to put an rConfig proxy server in my remote infrastructure which will handle getting config info from the network devices, and my main rConfig server, which sits in my DC, will get all the info from the proxy server. Can I do that with rConfig?
To give you some context, I work in LATAM at a container terminal, part of a global corporation with sites all over the world. I am currently working as a network administrator receiving a low salary by my country's market standards; by international standards it is a very low salary of approximately 27k USD per year.
The corporation is offering me a role for the Americas region, where the work will be split between the USA, Canada and LATAM and includes leading implementations of new sites/offices. The problem is that they propose that I stay on my country's payroll with a salary increase of 12%, which I consider too low if the rest of my colleagues on the same engineering team are on US payroll, where according to what I read here and on Glassdoor the minimum salary for a Network Engineer is 120k USD per year.
I have the feeling that they are taking advantage of me and getting cheap labor, exploiting the fact that in my country the salary level is much lower than in the USA.
What would you do, or what do you recommend I do? For reference I have a bachelor's degree, CCNA, Palo Alto, Fortinet and Checkpoint certifications, and 8 years of experience.
Has anyone ever paid for the 10G, 40G and 100G paid protection plans from Fastnetmon? If so, how would you rate it?
I swear building controls are going to give me an ulcer.
How are y'all dealing with this mess securely? VLANs, microsegmentation and MFA? PAM tools (privileged access management)?
VPN has been our castle wall, but vendors, engineers and our maintenance staff are getting seriously annoyed. I'm to the point of wanting all of them air-gapped, but that is seriously not going to happen.
We are at at least 20 different pieces of shit programming... errr, different control programs right now. We had 3 at the beginning of the year. Smallish networking and system admin group.
Before this year I liked our building engineers...
If someone has access to cellular towers for a particular area, can they see each and every cell number that connected to its network? Like a list of 100s of numbers? Are they logged relative to its positions from the tower? I.e. are two phones shown as being used in close proximity to each other? Or are they treated as just two devices requesting to be connected to a network without any hints that these two are in close proximity to each other?
Does anyone know which phone carriers use the same towers?
Bear with my terminology; I have lost quite a bit of my memory. I used to have better knowledge of things.
Please comment if you have any questions about what I am trying to inquire about.
I can't for the love of god figure out how it is done.
I have an Ubuntu VM installed on a host machine (M1) and run iperf3 -s (making the VM an iperf server). Now I am connecting to it from a different machine (M2) using the VM's IP address (static DHCP set through netplan). The traffic is flowing from the client side to the server side (-R flag in iperf3). I want to look at the path the ACK packet follows from the client side to the server (VM) side.
The VM is set up with a bridged network configuration using Oracle VirtualBox with default paravirtualization enabled.
In this setup, an ACK packet must travel from M2, reach M1's NIC, and then be routed through the VM's virtual NIC (vNIC) [I have checked this by running tcpdump in both the VM and the host].
My question is: How exactly does this process work? Are the packets being copied during this journey? When the NIC selects the VM's IP packet, how are they processed in the kernel using sk_buff? I understand that the VBoxNetFlt-linux.c file is responsible for handling packets between the host and the VM, but the specific mechanisms remain unclear to me.
Below are some resources I found that suggest packets may be copied during the process:
- https://www.virtualbox.org/ticket/15569
- OVB manual
What I want to learn:
- Are packets getting copied from NIC to vNIC, and if so, is there any overhead?
- Do other types of paravirtualisation settings affect this network path?
- As the VM is now like a different machine on the network (bridged network), what advantages does it have over bare metal, if any?
Any help is much appreciated.
Hello All,
I am a network engineer mainly working in an ISP background since I started work 10 years ago. I've only ever done traditional MPLS and MP-BGP networks, working on Cisco, also with some firewall experience with PA, Checkpoint and Juniper.
I keep hearing and see jobs posted with requirements for knowledge of Automation, AI, SD-WAN, Cloud Computing to name a few.
I feel like what I work on is going out of date and I'm being left behind. I am keen on learning these technologies but can't imagine companies matching salaries if you haven't worked on them.
Do you think it’ll be a good idea to maybe learn Cloud computing and AI in my spare time to help me develop my career further?
Feel free to PM
Thank you
EDIT - THANK YOU ALL FOR YOUR COMMENTS. CAN ANYONE SUGGEST A TRACK TO START LEARNING AUTOMATION AND AI FROM SCRATCH?
It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.
There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!
Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.
Hi, I'm wondering if somebody could help me find this tool. I vaguely remember a website that would allow you to design a network online and then would evaluate it for compatibility/security issues, similar to buildapc but for networking. Does anybody remember the name of this tool, or others that are similar? Thanks.
Hey All,
Pretty much as the title describes, I have a /24 TEST VLAN on our PROD core switch (let's just say it's 192.168.0.0/24) strictly for testing our PROD environment (it's isolated from everything except established/related connections to the internet).
Our PROD router connects to our ISP via BGP with a bunch of prefixes/public IPs and such... so I'm trying to emulate this in my TEST environment.
TLDR: is there any reason I couldn't emulate our entire PROD environment in TEST using the following logic:
TEST PC > TEST Access/Core Switch > TEST Firewall IN (Private IP) > TEST Firewall OUT (NATs to Public IP) > TEST "EDGE" Router IN/OUT (BGP Advertises This Public IP) > TEST "ISP" Router IN (BGP Connection) > TEST "ISP" Router OUT (NATs everything back to Private IP within "Test Environment" 192.168.0.0/24 VLAN on PROD Core Switch/Router) > The Real Internet
Thanks
Does anyone here use peering-manager to manage BGP sessions on Juniper routers and use it to create IRR filters? I'm not finding the documentation on how to do this task although the documentation suggests that it's possible.
Looking for recommendations on Network Architecture Books to read. I’m familiar with much of the Cisco Press line. Curious if anyone has any “go-to” books on the matter as well.
I need to set up a temporary wireless point-to-point connection between two buildings using a NanoBeam kit.
The source building has a switch set up for DHCP, so it is giving out IPs. I want to connect between this building and a portable office building. My question is: can the receiving end (portable office) have a PoE non-managed switch to connect client machines to? Would the switch (at the source building) still assign IPs to those machines through the NanoBeam connection that way? Or would there be any other configuring I need to do to make it work (different switch config etc.)? Thanks for any suggestions!
What software do you guys use for vulnerability tracking for cisco devices? I have used solarwinds, but my current location is against it due to the issues they had in the past.
Hi all.
I work for a telecom provider and I'm trying to gauge what the average price per IPv4 address is when leasing IPs.
Has anyone leased a block from a company?
Thanks
Currently using Unifi and their recent software upgrades are making things unusable. Need to replace 3 firewalls. Requirements listed below, would prefer no subscription based packages but I do realize that's what the world is coming to.
2X WAN ports.
1X DMZ port, can do without though.
2X SFP ports, 1/2.5/10GB doesn't matter really.
Preferably rack mount or the ability to rack mount.
The amount of data they can pass is really negligible. Their biggest thing is having sites connected together for backup purposes. I know most firewalls doing IDS/IPS can do 600Mbps or so and that's fine. VPN needs to be able to pass at least 250Mbps.
I'm familiar with Fortinet and Cisco, I can make them work but the cost may turn the client.
Forgive me on this, I'm not great with IPv6. I inherited a solution from the previous network admin. The solution 'used to work' but the previous guy is long gone.
Not 'anti-IPv6' at all, just haven't used it too much.
We've got some temperature controllers that use IPv6. We have a central Windows server that's supposed to manage the controllers. When I run the config utility the control server doesn't pick up the controllers. The controllers have link-local fe80:: addresses.
The server has fe80::/64 in its routing table.
From the server I can ping the controllers fine, straight through. Single hop.
The server (for some reason) has loads of temporary IPv6 addresses and one link-local address.
From the core switches I can see that NDP picks up the controllers. But I can't ping the controllers from the core switch.
If I use the same software on my laptop and connect straight into the access switch, it picks up the controllers fine.
On the core switch both the server-facing interface and the controller interface are in the same VLAN. IPv4 connectivity is fine.
My VLANs all have link-local fe80::xxxx:xxxx:xxxx:xxxx/64 addresses.
Not sure what I need to do. It's as if the controllers and the server are in the same broadcast domain for IPv4 but not IPv6. But honestly I'm not sure how to set that up on IPv6. I've tried enabling IPv6 routing on the core but that hasn't helped.
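An added example, not the poster's code, of the first check worth doing on a server like that: sort its IPv6 addresses by scope and work out which one can legitimately source traffic toward a link-local controller. The addresses in SERVER_ADDRS and CONTROLLER are constructed (the 2001:db8::/32 documentation prefix, a Windows-style %12 zone index, an EUI-64 controller address); the functions classify, is_eui64 and source_for are mine. Two things it makes concrete: a link-local peer can only be reached from a link-local source on the same link, and on a host with more than one interface that source must carry its zone index, otherwise the stack cannot tell which interface to transmit on; and the "loads of temporary addresses" are RFC 4941 privacy addresses with random interface IDs, which is why they look nothing like the controllers' MAC-derived (EUI-64) addresses.

```python
"""Added example (not the poster's code): sort out which of a host's IPv6
addresses can source traffic to a link-local controller.

The address lists are constructed: the 2001:db8::/32 documentation prefix,
a Windows-style zone index (%12) and an EUI-64 controller address are all
assumptions, not values from the post."""
import ipaddress
from typing import Optional

# Constructed: what "ipconfig" on the server might list: one link-local with
# a zone index, two RFC 4941 temporary addresses with random interface IDs,
# one stable address and loopback.
SERVER_ADDRS = [
    "fe80::1c2f:9a3b:7e4d:5f60%12",
    "2001:db8:10:0:8d1e:4c3a:9b02:71ee",
    "2001:db8:10:0:a4f2:17bc:c4d:2e91",
    "2001:db8:10::a1",
    "::1",
]

# Constructed: a SLAAC controller whose interface ID comes from its MAC.
CONTROLLER = "fe80::2a0:5eff:fe12:3456"


def split_zone(addr: str) -> tuple[str, Optional[str]]:
    """Split "address%zone" into (address, zone); zone is None if absent."""
    host, sep, zone = addr.partition("%")
    return host, (zone if sep else None)


def classify(addr: str) -> str:
    """Scope class of an IPv6 address string; a zone index is tolerated."""
    ip = ipaddress.IPv6Address(split_zone(addr)[0])
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:
        return "link-local"
    if ip in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"
    # Everything else is treated as routable global scope. IPv6Address.is_global
    # is deliberately not used: it reports the 2001:db8::/32 documentation
    # prefix in the sample as non-global.
    return "global"


def is_eui64(addr: str) -> bool:
    """True if the interface ID was built from a MAC address (the 0xfffe
    marker sits in bytes 11 and 12). Temporary addresses fail this test."""
    packed = ipaddress.IPv6Address(split_zone(addr)[0]).packed
    return packed[11] == 0xFF and packed[12] == 0xFE


def source_for(peer: str, local_addrs: list[str]) -> str:
    """Pick the local address to reach `peer` from.

    A link-local peer is only reachable from a link-local source on the same
    link, and on a host with several interfaces that source must carry its
    zone index or the stack cannot tell which interface to transmit on."""
    wanted = classify(peer)
    for local in local_addrs:
        if local == peer or classify(local) != wanted:
            continue
        if wanted == "link-local" and split_zone(local)[1] is None:
            continue  # ambiguous on a multi-interface host; keep looking
        return local
    raise LookupError(f"no usable {wanted}-scope source address for {peer}")


if __name__ == "__main__":
    for a in SERVER_ADDRS:
        print(f"{a:40} {classify(a):12} eui64={is_eui64(a)}")
    print("source for controller:", source_for(CONTROLLER, SERVER_ADDRS))
```

A management tool that stores a controller's fe80:: address without the interface it was learned on will behave exactly like this: ping from a shell (which resolves the zone from the routing table or a %zone suffix) works, while the tool's own socket, bound to no particular interface, fails. The temporary addresses matter for a different reason: they rotate, so any firewall rule or controller whitelist keyed on the server's source address needs the stable address, not whichever temporary one Windows prefers for outbound traffic.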
I configured syslog on Arista DCS-7280SR3
logging host 10.84.192.156 add 514 protocol tcp
logging host 10.84.192.157 add 514 protocol tcp
The management interface is in the mgmt-net VRF. I can get to the syslog servers from this VRF, but I can't get to them from the default VRF (no route to them in the default VRF route table).
How do I make this work? Do I have to have a route to the syslog servers from the default VRF?
Does it automatically know to send the traffic to the mgmt-net VRF?
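An added example, not the poster's configuration, of the VRF-scoped form of the logging commands on EOS. It assumes the interface that lives in mgmt-net is Management1 (a placeholder) and that the two existing default-VRF host entries are removed with the no form so the switch stops trying to reach the collectors from the default VRF:

```text
! Arista EOS, added example. Management1 is a placeholder for the interface in mgmt-net.
logging vrf mgmt-net host 10.84.192.156 514 protocol tcp
logging vrf mgmt-net host 10.84.192.157 514 protocol tcp
logging vrf mgmt-net source-interface Management1
```

show logging lists each configured host together with the VRF it is sent from, which is the quickest way to confirm the entries landed in mgmt-net rather than default. Syslog over TCP 514 is still cleartext, so this only belongs on a management VRF that is reachable from the collectors and nothing else.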
I'm stuck on the very first step of designing my WAN. I have 3 branches each with their own departments and I have absolutely no idea how to IP config them.
My thinking is that I can use /30 for any router to router connections i.e. from the PE router to the CE and from CE to C(s) and then I can start from fresh at either 192.168.0.0/24 or 10.10.0.0/16, depending on how many addresses I need and use NAT to convert from one address to the other.
This way just doesn't seem right to me but I tried CIDR for every LAN making sure there were no duplicate IP addresses in the entire WAN but again that seems like a waste of IP address space
I've looked at lots of resources online about how to IP address a WAN but they're out of scope for what I am trying to do. I want just a basic diagram of router IP addressing and connection schemes. No user configs, no switch configs etc. etc. just the routers, IP addresses and prefixes
A bit like this: https://cdn.networklessons.com/wp-content/uploads/2017/01/local-area-network-connected-to-wide-area-network.png but with IP addresses
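An added example, not the poster's design, that does the carving programmatically so the "no duplicate addresses anywhere in the WAN" check is mechanical rather than done by eye. The summary block 10.10.0.0/16, the three sites with their departments, and the PE/CE/C link list are assumptions chosen to match the diagram in the question; the functions are mine. Each site gets one aggregate that its CE can announce as a single route, all router links come out of a reserved range as /31s (RFC 3021; /30 is a flag away for gear that cannot do /31), and the final check proves nothing overlaps, which is what removes any need for NAT between sites.

```python
"""Added example (not the poster's design): carve every LAN and router link of a
small WAN out of one private summary block so that nothing overlaps and no NAT
is needed between sites. Site names, departments, link list and the 10.10.0.0/16
summary are assumptions made for the example."""
from ipaddress import IPv4Network
from itertools import combinations

# Constructed inputs: three sites, each department gets its own VLAN/subnet.
SUMMARY = IPv4Network("10.10.0.0/16")
SITES = {
    "HQ": ["Finance", "Sales", "IT"],
    "BranchA": ["Sales", "Ops"],
    "BranchB": ["Ops"],
}
# Router-to-router links: PE to each CE, and each CE to its site router.
LINKS = [
    ("PE", "CE-HQ"), ("CE-HQ", "C-HQ"),
    ("PE", "CE-BranchA"), ("CE-BranchA", "C-BranchA"),
    ("PE", "CE-BranchB"), ("CE-BranchB", "C-BranchB"),
]


def _take(it, what):
    try:
        return next(it)
    except StopIteration:
        raise ValueError(f"summary block exhausted while allocating {what}") from None


def build_plan(summary=SUMMARY, sites=SITES, links=LINKS, dept_prefix=24, link_prefix=31):
    """Return {"sites": {name: {"block": net, "departments": {dept: net}}},
    "links": {(a, b): net}}, all carved from `summary`.

    Each site gets one aggregate large enough for its departments, so the site
    can be announced toward the WAN as a single route. Point-to-point links are
    /31 (RFC 3021) by default; use link_prefix=30 for gear that cannot do /31."""
    if link_prefix not in (30, 31):
        raise ValueError("router links should be /31 (RFC 3021) or /30")
    max_depts = max(len(d) for d in sites.values())
    site_prefix = dept_prefix - (max_depts - 1).bit_length()
    site_blocks = summary.subnets(new_prefix=site_prefix)
    # The last /24 of the summary is reserved for all the router links.
    link_block = list(summary.subnets(new_prefix=24))[-1]
    link_nets = link_block.subnets(new_prefix=link_prefix)

    plan = {"sites": {}, "links": {}}
    for site, depts in sites.items():
        block = _take(site_blocks, site)
        if block.overlaps(link_block):
            raise ValueError("summary too small for the sites plus the link range")
        dept_nets = block.subnets(new_prefix=dept_prefix)
        plan["sites"][site] = {
            "block": block,
            "departments": {d: _take(dept_nets, f"{site}/{d}") for d in depts},
        }
    for a, b in links:
        plan["links"][(a, b)] = _take(link_nets, f"{a}-{b}")
    return plan


def all_subnets(plan):
    """Every leaf subnet in the plan: department LANs plus router links."""
    nets = [n for s in plan["sites"].values() for n in s["departments"].values()]
    return nets + list(plan["links"].values())


def disjoint(nets):
    """True when no two subnets overlap, the property that makes NAT unnecessary."""
    return not any(a.overlaps(b) for a, b in combinations(nets, 2))


def router_addresses(link):
    """The two router addresses on a point-to-point link (both usable on a /31)."""
    hosts = list(link.hosts())
    return str(hosts[0]), str(hosts[-1])


if __name__ == "__main__":
    plan = build_plan()
    for site, info in plan["sites"].items():
        print(f"{site:10} aggregate {info['block']}")
        for dept, net in info["departments"].items():
            print(f"    {dept:10} {net}")
    for (a, b), net in plan["links"].items():
        print(f"{a:>12} -- {b:<12} {net}  {router_addresses(net)}")
    print("no overlaps:", disjoint(all_subnets(plan)))
```

Run it and the printout is the "routers, IP addresses and prefixes" diagram in text form: one aggregate per site, one /24 per department, one /31 per router link. The disjoint check is the thing to keep around; re-run it every time a site or link is added, because overlapping prefixes in a private WAN are what later force people into NAT and into firewall rules that can no longer name a site by its real address.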
Hi everyone,
I'm currently managing a Site-to-Site VPN between Oracle Cloud Infrastructure (OCI) and a Palo Alto PA-450. OCI, by default, sets up two IPsec tunnels (primary and backup) for redundancy. However, we are encountering a situation where the backup tunnel sometimes interferes with the primary tunnel, causing it to go down unnecessarily due to Dead Peer Detection (DPD) or keep-alive issues.
Unfortunately, OCI does not allow us to disable the secondary tunnel, so we're looking for ways to properly handle this from the Palo Alto side. Here's what we want to achieve:
Here's what we've done so far:
However, we’re still seeing occasional issues where the primary tunnel goes down unexpectedly when the backup tunnel sends keep-alives or state updates.
Has anyone successfully managed this setup with Palo Alto firewalls and OCI? Is there a specific configuration or best practice we might be missing?
Any guidance or tips would be greatly appreciated!
I am trying to have as much monitoring as possible in my network. I have several VPN connections to different branches, and the main one has more than 100 computers; I monitor with LibreNMS.
My problem is that sometimes the network goes down on some machines. It is not so frequent, but I would like to know why it happens. I check the logs of the Cisco switch but I do not see anything strange on the specific port.
Do you think there is a way to enable SNMP on Windows machines in bulk?