/r/networking
Enterprise Networking Design, Support, and Discussion.
We're using EXOS/Extreme and want to implement ACLs to segregate the traffic further. I know an ACL for VLANs is stateless and doesn't care about initiator traffic. My question is: what is considered egress vs ingress? I know ingress means, more or less, traffic coming into the VLAN interface, while egress is outbound from the VLAN interface. How does that work with a virtual interface though? I imagine, for example, if I put an ingress ACL on VLAN 99 and traffic from the VLAN 100 interface sends data to VLAN 99, it would be filtered via the ACL. Now what about a device on VLAN 99 sending out data to VLAN 100? Is it considered ingress, as it's flowing into the VLAN 99 interface and out to VLAN 100, so it would be filtered by the VLAN 99 ACL?
Or can ingress only happen that way if I apply it to the port the device is connected to that has VLAN 99 access?
I work for a school district. We're doing hardware refreshes and have been purchasing Cisco 9164s to replace the Meraki MR42s and lower. We haven't enabled the 6 GHz band yet since we don't have a way to measure it yet. Working on getting a Sidekick 2 but they're pricey.
Anyways, our sales engineer mentioned that whiteboards kill 6 GHz signal. Can anyone confirm, deny, or have any extra insight on this? The SE never elaborated.
I don't doubt it's possible but we also have an AP in every classroom so it probably won't be an issue. That just felt like an interesting claim to not elaborate on.
I have a C1121-8P which was upgraded by someone else and is now stuck under this Cisco FN without support or a way to revert: https://www.cisco.com/c/en/us/support/docs/field-notices/705/fn70585.html
I need to run an older IOS (non-smart license) but cannot due to that bug. Apparently rommon 16.12 writes some data to a cookie block that causes ANY prior IOS versions to report as not being supported on that specific chassis.
I was hoping to determine which field has changed and program it back to the factory data. I'd like to compare cookies with someone who has data from another C1121-8P (or other C1100 series router). I've found a few other posts on how to do this with older routers, but most of them are ~10-13 years old. Most of the links are now dead.
Rommon will not downgrade (rsync fails, folder structure is different)
IOS will not downgrade (platform is not supported)
Error: Package does not support PID:C1113-8PM Failed to boot file bootflash:c1100-universalk9_ias.16.12.03.SPA.bin
Here's the basic text of the FN:
Problem Description
Some devices upgraded to ROM Monitor (ROMmon) 16.12(1r) or later cannot boot due to a cookie Product Identification (PID) field that is incorrectly programmed on a limited number of units.
Background
Due to an incorrectly programmed cookie PID field, a limited number of affected devices could fail to boot after ROMmon is upgraded to Release 16.12(1r) or later. This problem can also occur after an upgrade to certain Cisco IOS releases because they automatically upgrade ROMmon to Release 16.12(1r) or later.
To prevent this issue:
Do not upgrade ROMmon to release 16.12(1r) or later.
For Cisco IOS Release 16.12, do not upgrade to a release earlier than 16.12.5.
For Cisco IOS Release 17.3, do not upgrade to a release earlier than 17.3.2.
For Cisco IOS Release 17.4, do not upgrade to a release earlier than 17.4.1.
Much thanks for any and all help!
Some background first.
We have, in total, 10 PBX (phone) servers that service our customers. Geographically we chose to spread them out in different data centers for disaster recovery reasons and the whole eggs-in-one-basket reason. I came on when we only had about 4, so I had no hand, and little documentation, on the first 2 installs.
Last week, we started receiving reports of one-way audio quality issues from customers exclusively on our first 2 installs, which happen to be the only 2 primary server installs at a certain data center (we house a failover there as well).
Our own phones are on one of those servers (server 1) and we can confirm the issue ourselves. We test from our site to the server that services our phones and, sure enough, we get 3% packet loss. We ask a customer who is reporting the issue, and who is also on the second server (server 2) at that site, to check for packet loss, and sure enough he has around 3% packet loss.
Simple, right?
Here is where it starts to get weird. We notice that not all of our customers are complaining about this fairly significant audio quality issue. In fact, some of the ones we normally expect to be up in arms about it are strangely quiet. So we reach out to some and check in on them. They have no issues at all. Packet loss from their site is 0%..... So packet loss is isolated to certain locations coming out from that data center. Maybe a bad route?
We are baffled, and in testing we are able to show that the packet loss is happening on the outbound traffic from our server to our customers, and not on inbound traffic. Which further supports the route theory.
So, knowing that my site is one of the ones having the issue, I decide to test for packet loss from my location to the second server at that location. Remember, I get packet loss to Server 1 at that location. Turns out, I don't get packet loss to Server 2, and further, it uses a different route. Interestingly though, I notice that despite their IPs and programmed gateways being different, Server 2 uses Server 1's gateway. I am informed that these 2 servers are not only in the same data center, but my predecessor had them placed on a VLAN together. Even further pointing to a network-based issue.
Solved, right?
Maybe not. The data center says the different routes are part of how this works, and it does not prove the issue is on them, and they won't look into it. They want an MTR report to start looking. Due to some old Gentoo nightmare, it took me a few days to get an MTR report for them on Server 1 (have not been able to do it on Server 2 yet).
In these two days the packet loss changes from a constant packet loss to intermittent intervals. Sometimes we get 0% packet loss for an hour or 2 and then randomly a 10-15 minute interval of 3-5% loss. (This of course makes gathering data much harder as I have to catch it at the right time.) During those packet loss periods, both servers are affected.
The addition of MTR to Server 1 required a brand new fresh ISO install (Gentoo is fickle when it's old; this was the simplest method). Clean slate software-wise and yet, prior to installing our PBXware systems and restoring, we see the same pattern of packet loss. Again, clearly it can't be on our end and everything points to a route.
Simultaneous MTRs, one to my location and one to Google, show that Google has 0% packet loss over a 10 hour session, while my location had 4%. Packet loss on the MTR to my location shows on EVERY HOP. Hops 1-14 all show some degree of packet loss. Notably our gateway has 3%, so hop 1.
Again, solved, right? How could it not be a route?
Well, 10 minutes ago I realized that I had a customer locally who uses the same fiber connection we do.
They are on Server 1. They do not have packet loss. An MTR done at the same time from Server 1 to my location and theirs shows the same route. 0% packet loss to them and an average of about 4% to us.
Same route. Same server.
So here I am now. 2 servers that don't communicate with each other on the same VLAN, with simultaneous sessions of packet loss to just a subsection of the IPs they communicate with. The IPs that they drop packets to don't overlap; even if they both service the same IP, one could have packet loss while the other does not. And when pinging 2 locations with identical routes outbound from 1 server, one has packet loss and the other does not.....
How do I even begin to figure out what is causing this, or what can I suggest to my data center people to start looking into? They have not been welcoming to my suggestion that something on their end is at fault, and want more proof that this is the case. I've had multiple sleepless nights this past week looking at this and I'm at a loss on what to even do anymore. Any suggestions?
If you made it this far, thank you. I know this was a lot. But it's been a lot and I'm fucking tired.
Hi Folks,
I have had an interesting debate today with a colleague around best practices surrounding MSTP. We have over 100 access stacks connected to a typical core-dist-access architecture and are looking to refresh the hardware soon. We have around 800 VLANs and currently we DO NOT prune. We inherited this network and essentially every VLAN is configured everywhere (but not used!). After doing some research, pruning is not recommended; this is because we may have an instance forwarding whereby the VLAN may not be allowed on that link. But if I don't need that VLAN on that stack, am I OK to prune/not configure the VLAN? In my mind, yes, that is OK; it's just a caveat that is raised in documentation like I explained before. I'm trying to limit the amount of flooding for VLANs we don't need. I'm assuming that will be fine as long as I have the NATIVE VLAN communicating fine for the MSTP BPDUs.
Thanks in advance for any tips
Ned
I have a 5GB circuit with an ISP which goes into their WAN Switch (Cisco) which we obviously don't have control/management over. I am then coming out of the Cisco and going into my Aruba switch which we will be using as a WAN switch as we have control over this.
However, I couldn’t get this working. I was getting a link light on our Aruba Switch, but not getting a link light on the ISP switch. I swapped modules etc and swapped the port to confirm if it was a faulty module or port which it isn’t. My guess is our module isn’t compatible with the Cisco. I contacted the ISP they confirm the port is activated so it should work.
ISP Switch: Cisco - WS-C2960X-24TD-
ISP Module: SFP-10G-LR-C
10GBASE-LR SFP+ 1310nm 10Km DOM
Class 1 Laser 21CRF(J)
The switch I am using is: Aruba Instant On 1930 24G 4SFP+ Switch (JL682A)
The module I am using in my switch:
J9151E-C
10GBASE 1310NM 10KM DDM
Class 1 Laser 21CRF(J)
Can anyone confirm if this is compatible, or what module I need to be using in our Aruba switch to get this to work?
I am looking for a software router. Not a firewall, but an actual router. I have a program that I cannot easily change the IP address on without rebuilding the entire software and touching over 200 endpoints. I just need a simple router that can emulate something like a Cisco router. I can always run GNS3 with a Cisco router, but that is a pretty heavy and complicated solution for what I am looking for.
Hey I'm sure this is a simple task but I haven't had to set this up before.
Easy story: multiple public IPs for office hosting services, VPN, etc. I need to point ISP IP A and IP B to the same A record hosted on Cloudflare, with one being "primary" and the other kicking in when the primary is down.
Again I'm sure this is easy, but I'd rather get some advice before potentially causing a network issue!
Thank you!
We use a TP-Link Omada-based load balancer / router.
We have 500Mbps on each provider and we set it to WAN 1 and WAN 2 accordingly.
The issue is that during a performance problem, where ISP 1 is delivering, say, only 20Mbps for a good few hours, I believe WAN 1 is still getting the same amount of requests (balanced at the 500Mbps setting), therefore many users are experiencing very, very slow internet.
It would be nice if the load balancer could detect the real-time bandwidth of each ISP instead of a static setting, and balance traffic accordingly; in the above example, sending more requests through WAN 2.
Is there a way to do this on the Omada load balancer, or any other hardware?
Let's take the I-frame as an example. Is its structure like this:
0 | N(S) | P/F | N(R) -- 1st form
Or
N(R) | P/F | N(S) | 0 -- 2nd form
Some resources (most of what I saw) say the HDLC form is the first, and some others say it's the reverse, which is the second form, like what is said in the Wikipedia page of HDLC, and also my university teacher said that it's the second form. Now which one is HDLC?
When I thought about it I found out that in serial transmission the bits get reversed, so I said maybe the second form is what the sender sends so that the receiver receives the 1st form; is that how it works? I've also read that the transmission starts from the LSB, which will work if the sender used the 2nd form so that the receiver gets the 1st. Or does the sender send the bits normally without reversing them at first and then the receiver reverses them back to their original form before interpreting them? The question here is who does the reversing operation? Because it has to be done by one of them.
I'm so confused about how this works, can anyone help to clarify please?
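The two "forms" in the question are the same octet read in opposite directions. As an added example (not from the post or any cited source), this Python follows the ISO/IEC 13239 bit layout and shows the wire order (LSB first) next to the written order (MSB first):

```python
"""Added example (not from the post): the two 'forms' of the HDLC I-frame
control field are one octet read in opposite directions.

Layout per ISO/IEC 13239 (bit 1 = least significant bit, sent first):
  I-frame: bit 1 = 0,       bits 2-4 = N(S), bit 5 = P/F, bits 6-8 = N(R)
  S-frame: bits 1-2 = 1 0,  bits 3-4 = S,    bit 5 = P/F, bits 6-8 = N(R)
  U-frame: bits 1-2 = 1 1,  bits 3-4 = M,    bit 5 = P/F, bits 6-8 = M
Bits leave the transmitter LSB first, so the wire order reads
0 | N(S) | P/F | N(R); the same octet written MSB-first (as a binary
number) reads N(R) | P/F | N(S) | 0. Neither side reverses anything.
"""

S_NAMES = {0: "RR", 1: "RNR", 2: "REJ", 3: "SREJ"}   # S field, bit 3 then bit 4


def encode_i_frame_control(ns: int, nr: int, pf: int = 0) -> int:
    """Build the I-frame control octet (modulo-8 sequence numbers)."""
    if not (0 <= ns < 8 and 0 <= nr < 8 and pf in (0, 1)):
        raise ValueError("N(S)/N(R) are 3-bit fields, P/F is a single bit")
    return (nr << 5) | (pf << 4) | (ns << 1)        # bit 1 (value 1) stays 0


def decode_control(octet: int) -> dict:
    """Decode a modulo-8 control octet into its frame type and fields."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("control field is one octet")
    pf = (octet >> 4) & 1
    if octet & 0b01 == 0:                            # bit 1 = 0 -> I-frame
        return {"type": "I", "ns": (octet >> 1) & 7, "pf": pf, "nr": octet >> 5}
    if octet & 0b10 == 0:                            # bits 1-2 = 1 0 -> S-frame
        s = (octet >> 2) & 3
        return {"type": "S", "s": s, "name": S_NAMES[s], "pf": pf, "nr": octet >> 5}
    # bits 1-2 = 1 1 -> U-frame; the five M bits are bits 3-4 and 6-8
    m = ((octet >> 2) & 3) | (((octet >> 5) & 7) << 2)
    return {"type": "U", "m": m, "pf": pf}


def wire_bits(octet: int) -> list:
    """The bit sequence as the transmitter emits it: LSB first."""
    return [(octet >> i) & 1 for i in range(8)]


def written_bits(octet: int) -> list:
    """The same octet as normally written on paper: MSB first."""
    return wire_bits(octet)[::-1]


def i_frame_field_order(octet: int, wire_order: bool = True) -> list:
    """(field, value) pairs in the order the fields' bits appear.

    wire_order=True gives the '0 | N(S) | P/F | N(R)' form (1st form in
    the question); wire_order=False gives 'N(R) | P/F | N(S) | 0' (2nd form).
    """
    f = decode_control(octet)
    if f["type"] != "I":
        raise ValueError("not an I-frame control octet")
    seq = [("0", 0), ("N(S)", f["ns"]), ("P/F", f["pf"]), ("N(R)", f["nr"])]
    return seq if wire_order else seq[::-1]


if __name__ == "__main__":
    ctl = encode_i_frame_control(ns=3, nr=5, pf=1)    # 0xB6
    print(f"control octet 0x{ctl:02X}")
    print("wire order (LSB first):", wire_bits(ctl), i_frame_field_order(ctl))
    print("written (MSB first):   ", written_bits(ctl), i_frame_field_order(ctl, False))
    print("decoded:", decode_control(ctl))
```

The S-frame names line up with the familiar LAPB values (RR = 0x01, RNR = 0x05, REJ = 0x09 with N(R) = 0), which is a quick way to confirm the bit numbering is right.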
I'm looking for a wireless solution that would cover a 2 floor plaza. 7000 square feet on each floor. It's not that large at all. 10 tenants with 1 to 2 (3 people max) working in each office. I'd like to provide wifi for tenants and have it multi vlan/ssid so that they can share their own printers, etc within their office, but each business would not route between each other, for security purposes. What are some economical solutions/designs for this?
It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!
Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.
Note: This post is created at 01:00 UTC. It may not be Monday where you are in the world, no need to comment on it.
For those that have used these tools NetSpot, Ekahau, Hamina, and WiFi Explorer, how do they compare to each other? Is price just what separates them? I'm unsure how they compare in terms of coverage accuracy and value for money. I do understand that the hardware add-on of a Sidekick 2, or Oscium Nomad, adds more spectrum analysis for detecting rogue interference from devices other than what is using WiFi. Is the Hamina/Oscium Nomad married like the Sidekick, where when licensing expires it's a paperweight? Will the more affordable app like NetSpot still provide decent validation for coverage, or should I step up to WiFi Explorer and Oscium and Wi-Spy Lucid? I'm looking for advice and/or reviews from those who have used them in smaller environments, not exactly enterprises.
I am attempting to set up a content filter for a guest network. I am working with a Comcast Business router and a Netgear switch. What I have done so far was create a vlan that will function as the guest network (Using Unifi UI to assign the guest network to the vlan, I only have Unifi's access points). Am I missing something? There does not seem to be any way to block certain websites for a specific vlan. I am very new to this so please try to give answers in layman terms! Thanks!
How do you address this? We are 100% MFA compliant for user accounts, but service accounts still use a username and password. I was thinking of doing public key authentication; would this be MFA compliant? Systems like SolarWinds and Nessus cannot do PIV.
TIA
Hey everyone, I just learnt that when I buy a Cisco AP, I can opt out of buying the DNA subscription license, unlike the switches for which I'm forced to buy a DNA subscription and choose not to renew it after it expires. So, if I buy an AP without the DNA license, can I only use it in an environment that has an EWC-AP, or will my AP still be able to associate with the on-prem WLC?
My company is wanting to implement Private APNs across multiple carriers. I have never worked with these. In the past we just established IPsec tunnels between our Sierra Wireless RV55 Routers and CradlePoint routers. My brick wall that I am beating my head against is how will my DC be able to talk to devices behind the private cell IP? Some sites will have just 1 device behind that Router and others may have multiple devices. Should I just NAT those IPs? What have others used to make this happen?
Question: Briefly explain the relationship between a Packet and a Frame in the context of communication over the internet.
Answer: A packet, containing a frame, exists in LAN 1. The destination device is connected to LAN 2, which is on an unrelated network, 3,000 miles away, across the ocean. Since the Packet contains the IP address information, it encapsulates the frame containing the MAC address. The packet is sent to LAN 2, and upon arrival, the frame is used to identify the correct MAC address within the network.
Throughout the assignment, it seems to be worded that a Frame, which operates at layer 2, is encapsulated within a Packet during transmission, which operates at layer 3. Based on what I've double checked on Google, a packet does not encapsulate a frame. It seems to be the other way around, but I'm still not sure about variations depending on if it's communication within a LAN, or outside a LAN. Any support greatly appreciated.
Ok, we have a C9500 switch on IOS 17.12, configured with 2 ports set up in an LACP port-channel. We have these two ports plugged into a server; however, the switch ports go into suspended mode…and I can't get the system on the internet to install the OS.
Is there really no way to get the switch to allow the ports to act as “normal” ports for me to perform the OS install and then configure LACP on the server when it’s up and running?
Seems really awkward to have to reconfigure the switch to remove one of the ports from the LACP or have to use a separate port on the switch to install the OS.
I tried to set the ports as passive and that didn’t seem to have any impact.
Has anyone successfully configured Cisco gear to use authenticated NTP with Chrony? I've looked through different reddit posts, tutorials, and Chrony & Cisco documentation but I cannot find how to get Cisco routers and switches to successfully pull authenticated NTP time from a server running Chrony. It works fine unauthenticated with the same Chrony server. I have the keys file populated with both MD5 and SHA1 keys and matching keys on a switch; however, Chrony serverstats shows no authenticated NTP packets are being received but the regular NTP packets count keeps increasing. So I can confirm the NTP server destination config on a test switch is correct, but all I get on the switch NTP logs is "NTP Core (INFO): <NTP-Server-IP> C01C 8C bad_auth no key." Any info is greatly appreciated. Thanks!
The thing is, I've been looking for a tool that does something similar to ngrok to expose a game server, but ngrok only supports TCP. Do you know of any tool that would let me do port forwarding for UDP traffic? .... If so, I'd appreciate it if you could enlighten me on this.
I need the client to be able to access this address without having to install anything.
PS: I'm a Starlink customer and the network I'm on is behind CGNAT.
Currently have about 3 years experience in networking, got my CCNA, Degree and have been progressing slowly but surely in the field, but when I’m around the senior guys I feel like a fish out of water. I currently do things like deploy Cisco switches and routers, assist engineers in managing SDWAN, work on setting up tools like PRTG and SDN.
What dictates when someone would be considered mid level? Years experience? Duties? Credentials?
Right now I’m considered a Junior Net Admin but I’m not sure if I’m ready to take the plunge of applying for mid level Net admin jobs yet. I usually match most of the job requirements except for not having a CCNP usually.
As shown below there appears to be a routing loop within Tata Communications' network that's impeding IPv6 traffic to some hosts, which has been in place for several days. I've tried emailing their service@ (bounces) and ip-addr@ (no response) with no luck. Is there another way to make them aware of this?
$ sudo traceroute -n6 www.jhmg.net
traceroute to www.jhmg.net (2604:a880:800:10::c68:6001), 30 hops max, 80 byte packets
1 2601:1c0:5600:c367:eaff:1eff:fed2:b036 0.297 ms 0.435 ms 0.429 ms
2 2001:558:100d:7d::3 14.522 ms 2001:558:100d:7d::2 12.102 ms 11.951 ms
3 2001:558:f2:401f::1 12.181 ms 12.317 ms 12.171 ms
4 2001:558:f0:30f::2 12.077 ms 2001:558:f0:216::1 14.480 ms 15.053 ms
5 2001:558:f0:216::1 15.187 ms 15.131 ms 2001:558:f0:21a::1 24.060 ms
6 2001:558:f0:21a::1 23.869 ms 2001:558:3:94e::1 16.902 ms 2001:558:f0:21a::1 23.436 ms
7 2001:558:3:1f2::2 17.818 ms 2001:558:3:94f::1 15.451 ms 2001:558:3:94e::1 15.393 ms
8 2001:558:3:1f2::2 15.485 ms 2001:5a0:4404::1d 13.577 ms 2001:558:3:1f3::2 15.288 ms
9 2001:5a0:4404::1d 13.439 ms 16.219 ms *
10 * * 2001:5a0:4404::1 62.811 ms
11 2001:5a0:40:100::1c 79.730 ms 83.630 ms *
12 2001:5a0:300:200::202 83.770 ms 2001:5a0:40:100::1c 81.990 ms 2001:5a0:300:200::202 80.154 ms
13 2001:5a0:300:200::201 80.145 ms 78.524 ms 89.119 ms
14 2001:5a0:300:200::201 89.099 ms 87.330 ms 2001:5a0:300:200::202 85.752 ms
15 2001:5a0:300:200::202 82.872 ms 81.835 ms 85.996 ms
16 2001:5a0:300:200::201 82.918 ms 2001:5a0:300:200::202 88.873 ms 2001:5a0:300:200::201 82.479 ms
17 2001:5a0:300:200::201 80.760 ms 82.468 ms 2001:5a0:300:200::202 88.800 ms
18 2001:5a0:300:200::201 85.638 ms 2001:5a0:300:200::202 82.167 ms 2001:5a0:300:200::201 83.879 ms
19 2001:5a0:300:200::201 83.873 ms 83.900 ms 2001:5a0:300:200::202 84.982 ms
20 2001:5a0:300:200::201 86.197 ms 81.943 ms 2001:5a0:300:200::202 79.784 ms
21 2001:5a0:300:200::202 78.215 ms 2001:5a0:300:200::201 78.349 ms 84.750 ms
22 2001:5a0:300:200::202 79.198 ms 84.836 ms 2001:5a0:300:200::201 84.937 ms
23 2001:5a0:300:200::201 80.890 ms 80.884 ms 83.045 ms
24 2001:5a0:300:200::201 83.023 ms 82.817 ms 2001:5a0:300:200::202 85.896 ms
25 2001:5a0:300:200::201 84.020 ms 83.809 ms 83.638 ms
26 2001:5a0:300:200::201 83.710 ms 2001:5a0:300:200::202 81.916 ms 2001:5a0:300:200::201 81.048 ms
27 2001:5a0:300:200::201 78.000 ms 2001:5a0:300:200::202 83.095 ms 2001:5a0:300:200::201 81.508 ms
28 2001:5a0:300:200::202 81.400 ms 79.104 ms 2001:5a0:300:200::201 82.164 ms
29 2001:5a0:300:200::201 81.647 ms 2001:5a0:300:200::202 81.656 ms 82.891 ms
30 2001:5a0:300:200::201 81.701 ms 2001:5a0:300:200::202 80.850 ms 2001:5a0:300:200::201 79.318 ms
$ dig -x 2001:5a0:300:200::201
[snip]
;; ANSWER SECTION:
1.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.3.0.0.a.5.0.1.0.0.2.ip6.arpa. 21524 IN PTR if-ae-0-2.tcore1.mtt-montreal.ipv6.as6453.net.
[snip]
$ whois 2001:5a0:300:200::201
[snip]
NetRange: 2001:5A0:: - 2001:5A0:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR: 2001:5A0::/32
NetName: TATAC6-ARIN-1
NetHandle: NET6-2001-5A0-1
Parent: ARIN-001 (NET6-2001-400-0)
NetType: Direct Allocation
OriginAS: AS6453
Organization: TATA COMMUNICATIONS (AMERICA) INC (TCA-51)
[snip]
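The trace above shows the same two Tata routers answering alternately from hop 12 until the 30-hop limit. As an added example that is not part of the post, this Python parses `traceroute -n6` output in that format and flags responders that recur across three or more hops, while ignoring the one-hop overlaps that ECMP load-balancing produces; the embedded sample is abridged from the post's trace.

```python
"""Added example (not from the post): flag a probable routing loop in
`traceroute -n6` output.

Heuristic: a responder that answers at three or more different hop numbers
while the destination is never reached is looping. A responder seen at two
adjacent hops is normal for ECMP load-balancing and is not flagged.
The sample below is abridged from the post's trace; the format is
'hop  [addr] rtt ms ...' with the responder printed only when it changes
and '*' for an unanswered probe.
"""
import re
from collections import defaultdict

SAMPLE = """\
traceroute to www.jhmg.net (2604:a880:800:10::c68:6001), 30 hops max, 80 byte packets
 1  2601:1c0:5600:c367:eaff:1eff:fed2:b036  0.297 ms  0.435 ms  0.429 ms
 4  2001:558:f0:30f::2  12.077 ms 2001:558:f0:216::1  14.480 ms  15.053 ms
 5  2001:558:f0:216::1  15.187 ms  15.131 ms 2001:558:f0:21a::1  24.060 ms
 9  2001:5a0:4404::1d  13.439 ms  16.219 ms *
10  * * 2001:5a0:4404::1  62.811 ms
12  2001:5a0:300:200::202  83.770 ms 2001:5a0:40:100::1c  81.990 ms 2001:5a0:300:200::202  80.154 ms
13  2001:5a0:300:200::201  80.145 ms  78.524 ms  89.119 ms
14  2001:5a0:300:200::201  89.099 ms  87.330 ms 2001:5a0:300:200::202  85.752 ms
15  2001:5a0:300:200::202  82.872 ms  81.835 ms  85.996 ms
30  2001:5a0:300:200::201  81.701 ms 2001:5a0:300:200::202  80.850 ms 2001:5a0:300:200::201  79.318 ms
"""

HEADER = re.compile(r"traceroute to \S+ \((\S+)\), (\d+) hops max")


def parse_traceroute(text: str):
    """Return (destination, max_hops, {hop_number: set_of_responders})."""
    lines = text.strip().splitlines()
    m = HEADER.search(lines[0])
    if not m:
        raise ValueError("first line is not a traceroute header")
    dest, max_hops = m.group(1), int(m.group(2))
    hops = {}
    for line in lines[1:]:
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        responders = set()
        for tok in tokens[1:]:
            if tok in ("ms", "*"):
                continue
            try:
                float(tok)               # an RTT figure, not an address
            except ValueError:
                responders.add(tok)      # IPv4/IPv6 literal (-n output)
        hops[int(tokens[0])] = responders
    return dest, max_hops, hops


def find_loop(text: str, min_hops: int = 3) -> dict:
    """Summarise the trace: was the destination reached, did the probe run to
    the hop limit, and which responders answer at >= min_hops distinct hops."""
    dest, max_hops, hops = parse_traceroute(text)
    seen = defaultdict(set)
    for hop, addrs in hops.items():
        for addr in addrs:
            seen[addr].add(hop)
    suspects = {a: sorted(h) for a, h in seen.items() if len(h) >= min_hops}
    return {
        "destination": dest,
        "reached": any(dest in addrs for addrs in hops.values()),
        "ran_to_max_hops": bool(hops) and max(hops) >= max_hops,
        "loop_suspects": suspects,
        "loop_starts_at": min((h[0] for h in suspects.values()), default=None),
    }


def report(text: str) -> str:
    """One-line verdict suitable for a ticket to the transit provider."""
    r = find_loop(text)
    if r["reached"] or not r["loop_suspects"]:
        return f"no loop detected towards {r['destination']}"
    who = ", ".join(sorted(r["loop_suspects"]))
    return (f"probable routing loop towards {r['destination']}: {who} answer "
            f"repeatedly from hop {r['loop_starts_at']} onward; destination not "
            f"reached; trace ran to hop limit: {r['ran_to_max_hops']}")


if __name__ == "__main__":
    print(report(SAMPLE))
```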
I have a weird issue I am trying to solve. We recently moved and use Comcast for our phone system (polycom phones and Edgewater 4550 gateway). We have 1 switch and 1 router (both Cisco). We are a smaller company (~18 employees).
All of our phones are showing as unregistered and are unable to send/receive calls. When we reboot the phones, they will register and work for a number of hours before going back to an “unregistered” state. Comcast replaced/upgraded the 4550 but the problem persists and they believe it is on the network side.
We do have vlans. Both our clients computers and phones share vlan 10. The 4550 is also on vlan 10. The computers are plugged into the phones and never lose internet/network access. Even though the phones go unregistered after a few hours… they still have an IP that I can ping and I can also ping the 4550 voice gateway. We do not have a firewall internally that would be blocking this traffic (we do have one between the Cisco router and the modem but no internal traffic goes through it).
Has anyone had this issue before and may provide some direction on where to look? If both the phones and gateway are on vlan 10, pulling IPs correctly, both pingable, no packet filtering/inspection occurring, and they work for a few hours after the phones are rebooted… I am at a loss 😮💨😅
Edit: Unfortunately, if you are reading this because you have the same problem, the fix for me was just to run both the SRX320 and the quieter PA-850 simultaneously and have the 850 be dedicated to wireless subnets. I’m sorry I can’t provide a better answer than that.
Topology: https://imgur.com/a/bevYGTt
Firewall port configuration: https://imgur.com/a/rcfqRM4
SRX configuration (this is old, but essentially when I cut the wireless stuff over I just deactivate the routing options and the BGP group): https://pastebin.com/D4JQ4GfJ
================================================================================
Hey guys, I've been migrating to two SRX320s from two PA-850s. Everything works great.
However wireless just does not work. Not in the slightest. And I do not understand it. WLC 3504 + C9130.
Everything is configured IDENTICALLY. Same IPs. Same security policies. Same zones. Same NAT.
When I cut over to the 320s:
no vlan 161,1020,2021,2023,2117,2329,3700,3710,3716,3724,3732 tag trk1-trk2
vlan 161,2329,3700,3732 tag 21,24
vlan 1020 tag 19,22
vlan 2021,2023,2117,3710,3716,3724 tag 20,23
Everything wireless stops working.
Clients get an IP address from the SRX. Clients can ping the WLC interface and every single other thing in the subnet except for the gateway. There are ARP entries for the gateway, and vice versa. But clients cannot do anything, cannot ping the gateway, cannot leave their subnet.
The wired subnets, including ones that are in the same zone (e.g., 3416, where the wireless version is 3716), work fine. Everything wired is fine.
Those wireless subnets are the only remaining thing on the 850s, everything else is on the 320s.
Sessions are established, and considering I am testing from a zone that is permitted to hit anywhere and anything (same with all infrastructure segments... including the wireless infrastructure), I do not think there is any issue with policy enforcement. To me, it is very difficult to see what on the SRX could be causing all wireless to fail, and yet at the same time not impact anything wired.
And then you have sessions being established on the SRX from clients in both directions despite a seeming lack of connectivity.
Session ID: 30064818854, Policy name: permit-int-trusted-dns/10, HA State: Active, Timeout: 4, Session State: Valid
In: 10.37.16.3/49321 --> 10.20.11.2/53;udp, Conn Tag: 0x0, If: reth1.3716, Pkts: 4, Bytes: 248,
Out: 10.20.11.2/53 --> 10.37.16.3/49321;udp, Conn Tag: 0x0, If: reth0.2011, Pkts: 4, Bytes: 312,
Session ID: 30064819260, Policy name: permit-int-trusted-dns/10, HA State: Active, Timeout: 32, Session State: Valid
In: 10.37.16.3/59344 --> 10.20.11.2/53;udp, Conn Tag: 0x0, If: reth1.3716, Pkts: 1, Bytes: 83,
Out: 10.20.11.2/53 --> 10.37.16.3/59344;udp, Conn Tag: 0x0, If: reth0.2011, Pkts: 1, Bytes: 531,
When I roll back to the 850s:
vlan 161,1020,2021,2023,2117,2329,3700,3710,3716,3724,3732 tag trk1-trk2
no vlan 161,2329,3700,3732 tag 21,24
no vlan 1020 tag 19,22
no vlan 2021,2023,2117,3710,3716,3724 tag 20,23
Everything starts immediately working.
What kills me is that a) there is zero impact on wired, b) DHCP works, so there is some amount of communication between the gateway and the device, c) sessions are established in both directions, and d) you can ping the WLC interface but not the gateway, but the WLC from the interface can ping the gateway.
(mdc-wlc1) >ping 10.37.17.254 vlan3716
Send count=3, Receive count=3 from 10.37.17.254
I really don't know where to go from here. I have looked at everything I can think of to look at. Any help is appreciated.
I have about five years of experience with a strong background in routing and switching. I currently hold a CCNP, and my role is project-based. I’ve spent time in operations (NOC) but prefer to stay in engineering.
Currently, I make around $130K + 15% bonus in a MCOL area (Atlanta, GA).
I’m looking to specialize in automation, network security, or sales engineering to increase my earning potential.
Is $130K + 15% bonus a competitive salary for a mid-level route/switch network engineer in 2025? Would love to hear your thoughts on salary expectations and potential career growth.
Hello, I am looking for some help with a network deployment that I am a bit over my skis on. I am a jack of all trades but a master of none and this one has me stumped. In a managed switch environment with multiple VLANs I would create the VLANs on the switch and firewall and have the firewall as the gateway on each of those VLANs. In an environment that I took over the managed switch is the gateway. I have never administered a network like this. I am in the process of swapping out a Cisco ASA for a Fortigate 90G. Here is a breakdown of the setup and where I am stuck.
There are about a dozen VLANs on the switch but for simplicity's sake let’s just focus on 2. VLAN 100 is 192.168.100.0/24 and this is where the client devices and servers live. VLAN 150 is 192.168.150.0/24 and is where the gateway sits. The gateway on VLAN 100 is 192.168.100.1 which is the IP of the Aruba switch. The IP of the Cisco is 192.168.150.254. I setup the LAN interface of the Fortigate with an IP 192.168.150.251. If I connect directly to this interface I can get out to the internet, so my policies and routes are good in that aspect.
When I plugged the Fortigate into a port assigned untagged VLAN 150 I could not ping it from VLAN100. I reviewed the Cisco and found some route commands, and after entering this route into the Fortigate I was able to ping the Fortigate from any device on VLAN100:
Route 192.168.100.0 255.255.255.0 192.168.150.1 (the IP of the Aruba on VLAN150).
I thought I was almost home but no. On the Aruba here is the route out command.
ip route 0.0.0.0 0.0.0.0 192.168.150.254
So I grabbed a test device on VLAN100 and created this additional route in the Aruba.
ip route 192.168.100.21 255.255.255.255 192.168.150.251
I immediately lost internet access on that device.
Here is where I am stumped. I am assuming I am missing some additional policy or route on the Fortigate. My current policy is an ANY ANY from that LAN to WAN.
My goal is to route VLAN 100 out via the FG to test, and once it is working I will route all traffic out the FG and remove the Cisco.
Any help is appreciated.
Hello everyone, newbie here, so apologies if this is super obvious, but I need to provide a room on the ground floor of a 7-story building with internet by just using patch panels, since not all of our networking equipment has arrived/been installed yet.
The setup is as follows:
The ISP's modem is connected to the IT room's keystone LAN port; that port is connected to a labeled patch panel in the server room. I then jumped a LAN cable from the IT room patch panel port to the ground floor's supply port on the same patch panel. Now on the ground floor's patch panel I attached a LAN cable from the supply port to the office port I need the connection in.
The problem I'm having is that it's not working. To my understanding patch panels are just extension cords for networking, so there's no need to configure the modem or anything. I've verified that we do have internet from the modem, and from the IT room port via the patch panel as well; however, the supply going to the ground floor port is not working properly. When connected to a switch on the same floor I can access it from the ground floor, but when I connect the cable for the internet it does not provide connectivity.
I did basic troubleshooting, replacing cables, changing ports and restarting the modem; idk what else to do.
I currently have four camera poles that need to be connected via Teltonika routers, each using an AT&T SIM. From my research, obtaining a public AT&T IP requires creating an APN. Is there a way to bypass this requirement? Port forwarding is not an option.
Hello
I have a 4321 and I will migrate from 16.X to 17.X, and I need to know what happens with the licenses that are installed in the 4321. I know the 4321 uses only Smart, but do I have to convert them to Smart after I upgrade the 4321, or is it not necessary to upgrade them?
The 4321 has uk9 and ipbasek9 permanent; will they remain permanent?