
ER-4 Policy / Conditional NAT

I've tried searching and didn't come up with anything, but if this is a common or documented configuration, feel free to simply let me know the search terms or information I'm missing.

TL;DR: I'd like to see an example working configuration on an EdgeRouter (ER-4, to be exact) where NAT is only performed for specific destination addresses (non-RFC1918).

Situation: I rent a room, and the internet is provided to all tenants via a consumer-grade router running DHCP. I would like to run my own network behind my ER4--which is easy enough. However, the upstream router (which I can probably make config changes to, but not re-flash) only NATs destination IPs in its local /24 subnet.

I don't want to NAT everything as there are services that we do share on the upstream network.

What is working: I have a static route on the upstream router pointing to the ER6 WAN IP. The ER6 has a default route out to the upstream router. Subnet-to-subnet communication works fine.

What isn't working: Access from the ER4 LAN subnet to the internet because the upstream router isn't routing the ER4's subnet.

Basically, I'd like to turn on NAT from my ER4 LAN subnets to the ER4 WAN IP, only when the destination is a non-RFC1918 address (public). I believe this is possible given the configuration options I can see, but I haven't found a working config yet. That is, I don't believe there is a way around double-NAT for my Internet traffic, but I'd like network-to-network traffic to be exempt--mostly so I can control access on an IP basis instead of a port basis.

Basic Topology

In terms of the topology above, I'd like ER4 to source NAT from to iff the destination is not in the,, or range.
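As an added example (not part of the post, and not EdgeOS configuration syntax), the check the post describes, modelled as an ordered first-match rule table in which an exclude rule for the three RFC 1918 ranges precedes the masquerade rule; the LAN subnet 192.168.50.0/24, the WAN address 192.168.1.200 and the destination addresses are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The three RFC 1918 ranges named in the post; destinations inside them stay un-NATed.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed addressing for the example: the ER4's LAN subnet and the WAN
# address the upstream router hands it. Not taken from the post.
ER4_LAN = ipaddress.ip_network("192.168.50.0/24")
ER4_WAN_IP = ipaddress.ip_address("192.168.1.200")


def is_rfc1918(addr: str) -> bool:
    """True when the address falls in any of the three private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class NatRule:
    """One source-NAT rule; dst_nets=None matches any destination."""
    number: int
    action: str                      # "exclude" (no translation) or "masquerade"
    dst_nets: Optional[list] = None  # destination network group, or None for any


# Order matters: the first matching rule wins and the masquerade rule matches
# every destination, so the exclude rule for private destinations must come first.
# (A real rule would also be scoped to the WAN outbound interface.)
RULES = [
    NatRule(5000, "exclude", RFC1918),
    NatRule(5010, "masquerade", None),
]


def nat_decision(src: str, dst: str, rules=RULES, lan=ER4_LAN) -> str:
    """Return 'exclude', 'masquerade' or 'no-rule' for a flow from src to dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in lan:
        return "no-rule"            # only ER4 LAN hosts are subject to these rules
    for rule in rules:
        if rule.dst_nets is None or any(d in n for n in rule.dst_nets):
            return rule.action
    return "no-rule"


def translated_source(src: str, dst: str) -> str:
    """Source address the upstream router will see for this flow."""
    return str(ER4_WAN_IP) if nat_decision(src, dst) == "masquerade" else src


if __name__ == "__main__":
    # 203.0.113.10 is a documentation (TEST-NET-3) address standing in for a public host.
    for dst in ("203.0.113.10", "192.168.1.20", "172.31.255.1", "172.32.0.1"):
        print(dst, nat_decision("192.168.50.10", dst), translated_source("192.168.50.10", dst))
```

Note that 172.31.255.1 is still inside 172.16.0.0/12 while 172.32.0.1 is not, which is the kind of boundary a hand-written address list tends to get wrong.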

Posted to r/ccna, 1 month ago (user flair: Now with more Cisco!)

Gimme a C! Gimme an A! Gimme a T!

At my first Cisco Live, didn't expect to pass. While I'll definitely stick around, it's now time for me to move on to /r/ccnp

Thanks to everyone for the support, help, and encouragement.

Posted to r/ccna, 1 month ago (user flair: Now with more Cisco!)

Cisco Live, anyone?

I know it's probably not part of many CCNA candidates' plans, but a lot of you are here to teach, and I feel much more a member of this community than /r/cisco.

Is anyone attending Live! in Orlando next week?

This will be my first Live!, so I'm pretty excited about everything--except for the certification test I'm probably going to fail. Mostly I'm interested if anyone with a decent post history is going as well so we might meet up :).

Tales from previous conferences, dos and don'ts, and session recommendations are all welcome as well. Rants about how Live! isn't the same anymore, or what a bad value it is, or why DellJunipHPRista all leave Cisco in their dust are not.


Best Practice for Old Sensors

I'm curious if anyone has a best-practice for old sensors that you still want to keep historical data for.

Specifically, we have some old internet circuits that were monitored but have been disconnected. Currently, those traffic sensors are paused (as the interface is used for a different sensor). We need to keep the data around as we have a few Sensor Factories and reports that depend on that data.

The annoyance is that all the sensor factories are in the warning state because member sensors are paused.


Just "Hook It All Up"

Everything has been changed to protect the innocent. The guilty are getting a free ride on their account.

It's a perfectly lovely Monday that, due to some long hours over the weekend, we are looking forward at our maintenance schedule rather than backward. I get the rare privilege of moving a Critical ticket out of the in-progress bin instead of into.

Chief Assistant to the Vice President Undersecretary of Facilities and Maintenance: Hey, you know that suite next door the bagpipe tuners moved out of?

Me: Sure

Facilities: Well, we leased it last week.

Me: Good! (We've been running out of space since the first Bush administration)

Facilities: Yeah, we re-carpeted and installed cubes this weekend.

Me: Wow! That was fast. I'm guessing you're here about pulling cable and getting the network extended.

Facilities: Exactly. Well, we used the usual guy (read: lowest bidder) for the cables, we just need you to hook it all up.

Me: Umm, okay. I guess I'll stop by later today and take a look. How many desks?

Facilities: Oh! About 40 cubes, 5 offices, and two conference rooms.

Me: That's bigger than I thought. (thinking out loud) So like 60 ports, I don't have really anything in stock, but I can get a quote...

Me: Ok, I can probably work with that. We're a little busy at the moment, but as long as the cabling is all done it shouldn't be that big of a project. What's the move-in date?

Facilities: This afternoon.

Me: What!

Facilities: Yeah, we finished the cubes and network this weekend, we just need you to hook it up.

Me: Just "hook it up"

Facilities: Yes

Me: 65 ports

Facilities: Yes

Me: With phones?

Facilities: Yes

Me: In 4 hours.

Facilities: Sure!

I snap.

Me: No.

Facilities: What?

Me: We have nothing in stock--we don't keep stock. We work on datacenter hardware--the only reason we take care of the office equipment is that no one else knows how. I couldn't scare up 24 copper ports if my life depended on it, not to mention PoE.

At this point his eyes get that unfocused look like Elmer Fudd after stepping on a rake, or like a third-floor suit getting told that putting it on a spreadsheet doesn't make it true. I take the opportunity to rein myself in.

Me: At best, I can get a quote by the end of business, and if Finance will issue the PO tomorrow, we can overnight the switches for Thursday. That results in a best-case install time of end-of-day Thursday.

Facilities: Really? You can't just use some of this (waves in the general direction of a stack of recently decommissioned SAN hardware)

Me: No, that's for... Anyway, if you want it by Thursday, I'm going to have to get started now. I'll keep you in the loop, but honestly, I wouldn't plan on anything earlier than next Monday.

Facilities: (Grumbling, back-and-forth) Fine.

Me: (As he's walking out the door) Wait! You're going to need wireless too, right?

Edit: Thanks for "Quote of the Day"


Datacenter AP Suggestions

We are throwing around the idea of adding an AP to a few of our larger data centers. Running a long ethernet cable from the nearest open management port to wherever you are working is cumbersome, and many of our new laptops don't have wired connections, adding to the adapter creep.

I'm curious if any of you are doing this now, and if so, do you have recommendations or suggestions. Although almost any AP would support our 1-2 user load and sub-10Mbps traffic, we're not keen on using an off-the-shelf consumer AP, but don't have much familiarity with wireless hardware. Ideally, this would be something we can easily turn on-and-off while present.

Like I said, this is just an idea, and we are certainly aware of the possible security risks. We're just feeling the idea out at the moment.


N7k ISSU and Sup2E live install

One of the issues I've been handed is a recovery from the N7k flash read-only bug (CSCus22805). Due to this bug, the affected 2 vPC pairs are also very out-of-date. I've been working with TAC to come up with a remediation plan, and our current solution depends heavily on the In-Situ upgrade feature and a live install/uninstall of a secondary supervisor. The plan is basically:

  • re-seat sup A to clear flash issue
  • install new sup B to support ISSU
  • perform ISSU twice to get to the latest NX-OS version
  • remove sup B for use in the next switch

TAC seems very confident that both of these features will work correctly, however, I (and my boss) have our doubts--or at least don't really want to place an entire POP's uptime on them working.

Have any of you used either of these features in the wild? What were your experiences? Is this worth trying or are we risking more than a few additional reloads?


View ROMMON Logs from IOS?

The specific issue I have is an ASR-1002X that isn't loading a newer IOS image (moving from 3.16 to 16.3 or 16.6). Images and configs have been verified, but the older image continues to load. I have a ticket in to connect the router to our console server, so I will get boot visibility shortly, however, this is only the start of an org-wide refresh of very out-of-date devices, and I'm sure this will come up again.

Is there any visibility, from the IOS command line, into what or why ROMMON loaded the secondary or tertiary image? Our syslogs skip right from the reload to the old IOS boot logs.

Edit: here are the relevant outputs:

    ASR#dir bootflash: | i bin
       14  -rw-  463878176  ...  asr1002x-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
       17  -rw-  553377633  ...  asr1002x-universalk9.16.03.06.SPA.bin
       18  -rw-  669029369  ...  asr1002x-universalk9.16.06.03.SPA.bin

    ASR#sho run | i boot system
    boot system flash bootflash:asr1002x-universalk9.16.06.03.SPA.bin
    boot system flash bootflash:asr1002x-universalk9.16.03.06.SPA.bin
    boot system flash bootflash:asr1002x-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin

    ASR#sho ver | i bin
    System image file is "bootflash:asr1002x-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin"

Disable BGP advertisement when internal interface drops.

I swear I've seen this exact answer posted sometime in the last 6 months, but I cannot seem to find it--so links to documentation or just the Cisco term for what I want to do is probably sufficient.


Two edge routers advertising the same /24 to different peers. The edge routers are connected through a pair of edge switches, each router to a single switch, and the switches to each other.

When a switch fails, the inside HSRP interfaces and EIGRP respond fine, however, the edge router connected to the failed switch continues to advertise our prefix to the world, and data arrives that cannot be forwarded.

The current solution is to manually tear down the BGP relationships on the orphaned router.

What is the name of the feature or config I need to use to automatically disable BGP when the internal interface goes down? Any suggestions on better ways to configure or connect this?


Software Upgrade Lookup Tool?

We are (finally!) starting a project to regularly audit our network hardware for age and necessary software updates. We finished the information collection side today: we can produce a report of devices, serial numbers, model numbers, running OS version, and image filename.

Now we need to match those model / OS pairs against the recommended Cisco image, and, while I don't think this is nearly as much of a problem, I want to report on EoS/EoL devices as well. Does anyone know of an easier or more automated method than looking each device up in Cisco's support section and looking for the star?

On that note, any suggestions or insight into how you do this in your organization?

With a little luck, we might actually start scheduling downtime for maintenance sometime in 2018!

Posted to r/electricians, 3 months ago (user flair: Electrical Engineer)

What would you do differently in your own home/shop?

I've had this discussion with coworkers in various industries, but never heard from an electrician. I'm curious, if you had a comfortable budget to build your own home, what would you do (if anything) differently than code or minimum spec with the electrical system? Not a win-the-lottery situation where anything goes, but if you could spend a few grand on improvements that weren't strictly necessary, what would they be?


Merging or Combining Sensors

If this has been asked before, I apologize. I tried searching, but this feels like a question where the answer is all about the correct terminology--which I do not know.

We monitor various site-to-site links using a combination of SMTP Traffic and Cisco IP SLA sensors from both sides of the link. This means when a link goes down, we generally get errors and notifications from 4 different sensors. Lately, we have had some issues where all but one sensor will clear, and the technician on call will assume that the problem is fixed -- even though one sensor might still be in an error/escalated state. Obviously, this is also a training issue, but I was curious if the below was possible:

Create a new "object" which would inherit its warning and error state from the worst of four other sensors. That is, if any one of the four sensors were in an error state then the "parent object" would also be in an error state. Hopefully, this will help fix the above issue, as well as give us a single sensor to query for downtime reports.

Is this possible?


Super Important Critical Issue! as long as it requires no effort on my part.

Backstory: I'm the newbie network engineer learning the ins and outs of the network by feeding on small non-critical tickets. The company has a half-dozen groups whose products all require a different flavor of OS. Because of the disparate requirements, our (network) responsibility ends at the server hardware: the OS and anything it runs is Not My Problem. While on paper this seems very clear, in reality, the division of labor gets hazy somewhere around the NICs.

Names and dates have been changed to protect the innocent.

I get an email from my boss; it's a forward from one of the other group's devop with a note from my boss:

$DevOp: We do not have connectivity on eth1 of $RandomServer. The switchport is broken. Investigate and fix.

$Boss: See what you can figure out, if it's a VLAN or shutdown issue, go ahead and fix it.

Cool beans, this is the kind of stuff I've been chomping at the bit to do. The very first thing I do is look up $RandomServer in inventory, and make sure I'm seeing traffic from the redundant connection--the MAC appears to have failed-over, so all is good. I then start to dig around, but before I can get very far, I get a phone call:

$devop: [Ignoring my greeting] What's the status of $RandomServer?

$me: I verified that your traffic has failed over to the other interface, so you shouldn't be in any immediate danger. Other than that, I can see that the primary port isn't connecting, but I'm still investigating.

$DevOp: Well it needs to be fixed immediately.

$me: Okay. I can assure you this has my priority until we get it figured out. Is this causing any downtime that I'm not aware of?

$DevOp: Yes, we're stuck until we get that connection up; it needs to be fixed immediately.

$me: Wow, I wasn't aware you guys had anything that was single-homed. I'll rope in a colleague and see if we can't get this expedited. I'll keep you in the loop via email.

$DevOp: Whatever, just get it fixed.

So I grab my coworker who has a little more experience--and access--to the server side of things and we quickly rule out the network or the config. It looks like this is a bad DAC cable. Unfortunately, this server is in a data center four states away. In this situation, we can overnight parts and pay the datacenter techs to install it. This is a huge inconvenience for Reasons, and obviously a non-zero cost.

But Wait, There's More! $OtherEngineers' family lives in the same city, so he stops by and takes care of any non-critical maintenance 3-4 times a year on his way out to birthdays or Christmas. He is, in fact, heading out there in 10 days for $Event. After speaking to him, he's happy to interrupt his vacation with a site visit.

So after conferring with $Boss, I call $DevOp:

$me: Hey $devop, I just want to confirm that this is an emergency situation. We can get this fixed tomorrow, but it's gonna cost. However, if you can wait 10 days, $OtherEngineer will take care of it on his way to $Event. I can see your (one) MAC on the other interface, so as far as I can tell, this can wait a few days.

$DevOp: Yes! I told you we can't do anything with that port down. It needs to get fixed ASAP.

$me: Okay, I'll call your manager and get the approval.

So I call $DevOp's manager because I can't authorize that expense, and it will get billed to his department:

$me: Hey $DevOpMgr, looks like we found the problem, we'll need to overnight and remote-hands the fix. It won't be cheap, so I just need to verify that you're okay with that expense. If you want to go through with it, it can probably be back up before noon tomorrow.

Note: It is entirely Not Our Fault that they have any downtime. If they failed to make use of the redundant network connections we provide (in your choice of 5 flavors), that's on them. However, we like to be good neighbors so we're On It, so to speak.

$DevOpMgr: Noon! We're going to be down for more than 24 hours! This is unacceptable, you need to fix it faster.

$me: [Apology] [Explanation] [Laws of Physics] [Not Our Problem]. Like I said, I am sorry about the downtime, but this is absolutely the fastest we can fix it. We would be happy to work with you to prevent this in the future, but in the meantime, I need your authorization.

$DevOpMgr: Fine! Get it done.

$me: Thank you, I'll CC you on anything involving this issue, and try to keep you updated via email.

$DevOpMgr: humph [click]

In the next 15 minutes, I get my coworker with the AmEx to buy and ship the cable, send the recording of $DevOpMgr with the expense report to finance, and submit a smart-hands ticket to the NOC. I also send a status update to $DevOp, $DevOpMgr, and $Boss, while thanking $OtherEngineer for the offer, but we're not going to interrupt his vacation after all.

Cue the next morning. I'm tracking the shipment every 10 minutes, and in a rare stroke of luck, it arrives before 10 AM. I'm on the phone with remote hands shortly walking them through the replacement. By 11:00, I can see the port come back up on the switch, and the MAC flips back to the primary port. All should be well in Narnia.

Another status email goes to everyone informing them of the fix, that we no longer see the problem on our end, and let us know if there are further problems. I also follow-up via phone, but $DevOp is out today (huh?) and $DevOpMgr isn't answering his phone. I leave voicemails, update $Boss, and head up to the third floor because today HR thinks that free ice cream will make us forget about the lack of organization and competitive pay in the company.

I promptly forget about the issue completely.

A few days later, I'm reminded of the snafu when recapping the week's activities during our sometimes-weekly networks meeting. I suggest that maybe (maybe) we have just a little more input--or at least visibility--on how the network gets used. Failing to use a provided redundancy seems to be criminally negligent for a critical piece of infrastructure. $Boss agrees, and we hook up after the meeting to do some investigation. We discovered:

  • $RandomServer was part of a hardware refresh--new hardware meant to take over from some servers that are about to be decommissioned
  • Our group is responsible for providing that hardware in a working state--three months from now
  • We have a visit scheduled to that data center in 6 weeks to install that hardware, but $OtherEngineer, on a visit home two weeks ago, staged the hardware we had "in stock" so we didn't have to worry about shipping them.
  • $OtherEngineer, being a nice guy, told $DevOp that the servers were installed, but not verified if they wanted to get a head start on configuration

So, in short, I spent half a day along with several hours of my coworkers time chasing down an "emergency issue" on equipment that was not in production, was not promised in any working state, and had two scheduled maintenance windows before the go-live date.

Oh yeah, and the problem $DevOp had that he couldn't get working with only one interface? Bonding the two interfaces for redundancy.

Edit: ELI5 version here


NetBox with VDCs and FEXs

I'm curious how others who use NetBox manage "devices" where there isn't a 1:1 mapping between logical and physical devices. We're evaluating several DCIMs and this seems to be the only major hurdle in using NetBox. Am I missing something?

More specifically:

We have a few Nexus 7ks that each have several VDCs. In this case, there is a single piece of hardware (rackspace, s/n, etc) but multiple logical devices, each of which needs to be tracked as there are some interfaces shared between contexts (Management, for example) and as we want this to be an inventory source for multiple tools.

Also, these same N7ks are linked to several N2ks which represent separate hardware (they take up rack space, have separate serial nos.) but are logically part of the same device.

It feels like the NetBox "Device" is unreasonably enforcing a logical:physical device relationship. Any suggestions?


Posted to r/electricians, 9 months ago (user flair: Electrical Engineer)

Half Pigtail

Just got done replacing some receptacles for my mother (she likes the Decora style better) and discovered that they all have the neutral and ground pigtailed, but the hots were all pass-through. Is there a reason to install this way?


Scientific with Hex/Binary conversions

(If you want to skip the groveling and backstory, the question is just below the fold)

First, I apologize; you are about to read yet another calculator recommendation request which will ask about the Casio 991EX.

Second, in my defense, let me say that I do believe that I have done quite a bit of research here and via the Googler without quite satisfying myself.

I've kept a TI-whatever next to my keyboard since my first high school math class required its purchase. I'm rarely without a computer, but I find the physical device to be quite convenient for quickly checking my math (I'm an engineer, which means I can do Fourier transforms in my dreams, but I have lost the basic skills of a fifth grader). However, outside of math class, I've never needed the graphing features, and my computer has always had far better integration or statistical packages. I've also never quite liked the education-granted TI monopoly on graphing calculators. So last week when my last TI-83+ flipped its last flop, I started looking for a new desk-side device as I am now left with only my Pickett N3.

I "borrowed" a well-used TI-30 from my father's island of misfit toys and I really, really love it compared to my normal fare. It's simple to use, I love the 70s square cornered aluminum styling, and every button has exactly one purpose. However, the solar cells are old enough to require a few 300W halogen bulbs for optimum use (and solar power isn't the greatest choice for an IT troll who lives under the bridge in the far corner of the cubicle farm) and a few of the buttons require a strike from Mjölnir to register.

I am now looking for a smallish scientific calculator, that doesn't exclusively rely on solar power, and has the ability to do hexadecimal or binary math (and convert between representations). Bonus points for slide-rule style, lack of a large graphing display, or simple configuration. I have a soft spot for HP devices and RPN.

Currently, the Casio FX-991EX and the Sharp EL531X are tied for first place. The Casio wins (barely) on style, while the Sharp seems like it would be slightly easier to use and is missing the ugly solar panel. I don't necessarily need a review (although if you want to provide or link one, I would be appreciative), but I'm hoping you can bring up a few models that I might have missed in my search. It's not easy to search for "hex calculators" with any accuracy.

Thanks, and so long for all the fish...


Combining Cable and Telephone (VOIP) Modems

I have inherited a project to clean up the telecom and data networks in my parents' home. Upon inspection, I discovered that they are using a separate cable modem and telephone (VOIP?) modem. Their service provider is Cox in the Phoenix-metro area. Is it possible to use one of these devices for both purposes?

Currently, the cable connection is split between the phone modem (Cisco DPQ3212) and the cable modem (Motorola Surfboard SB6121). The phone modem then serves the security and telephone systems while the cable modem runs to their router and data network. If possible, I'd like to ditch the cable-only modem to save on space and clutter. Both appear to support DOCSIS 3.0. I'm not having good luck getting the information through Cox without having access to my parents' account, so I thought I'd ask the hivemind before imposing on them.



Ademco Vista 10SE Wiring and Telephone Line

I have inherited a project to clean up my parents' home office. Part of this is cleaning up the mess that is the telecom wiring. I believe I have traced all the connections, but there is an attached security system that I am unfamiliar with.

My primary question is: Is there a reason the incoming phone line runs through the security system rather than just running to the security system?

I've attached a wiring diagram and a photo of the security panel in hopes that you can make sense of it. Specifically, the phone line runs (only) to the "Incoming Phone Line" terminals of the security panel, and then the rest of the home's telephone outlets and handsets are wired to the "Handset" terminals of the same panel (the orange connections in the wiring diagram and the red box in the photo). Why is this?

Thanks for your time, I have zero familiarity with security systems. The goal is to move all the phone and network gear to a shelf on the other side of the room, and so I would like to terminate all these connections at wall jacks. I'm not sure how I'm going to accomplish this at this point, but I'd like to know what options are available to me.

Hardware List:

  • Security panel: Ademco Vista 10SE
  • VOIP Modem: Cisco DPQ3212

Troubleshooting API: DownloadedEpisodesScan

I'm having trouble getting the DownloadedEpisodesScan API endpoint to work, and I was hoping that one of you had some suggestions on how to continue to troubleshoot. As far as I can tell, everything is working, except the episodes aren't being imported.

First, I'm running the following Bash script:

    #!/bin/bash
    # BASEURL and APIKEY are set earlier in the script. The directory to scan is
    # kept in SCAN_PATH rather than PATH: assigning PATH replaces the shell's
    # command search path (curl only kept working because it is called by
    # absolute path).
    /usr/bin/curl "$BASEURL" -X POST \
        --header "Content-Type: Application/JSON" \
        --header "X-Api-Key: $APIKEY" \
        --data "{\"name\": \"DownloadedEpisodesScan\", \"path\": \"$SCAN_PATH\"}"

and it returns:

    {
      "name": "DownloadedEpisodesScan",
      "body": {
        "sendUpdatesToClient": false,
        "sendUpdates": false,
        "path": "/media/inbox/sonarr/",
        "importMode": "auto",
        "updateScheduledTask": true,
        "completionMessage": "Completed",
        "name": "DownloadedEpisodesScan",
        "trigger": "manual"
      },
      "priority": "normal",
      "status": "queued",
      "queued": "2017-09-25T14:22:12.584651Z",
      "trigger": "manual",
      "state": "queued",
      "manual": true,
      "startedOn": "2017-09-25T14:22:12.584651Z",
      "sendUpdatesToClient": false,
      "updateScheduledTask": true,
      "id": 576559
    }

  • The path /media/inbox/sonarr/ exists on the device and matches exactly the path in the Manual Input dialog.
  • When I use the Manual Import tool, the episodes get imported correctly.
  • Drone Factory is turned off
  • I have no Remote Path Mappings
  • I've tried with, and without, Completed Download Handling enabled
  • The logs contain no information.

Any suggestions on what to check next? With the deprecation of the Drone Factory, this is the only thing holding up my media house of cards at the moment. Thanks!

Posted to r/ccna, 9 months ago (user flair: Now with more Cisco!)

STP Hello Timer and BPDU Frequency

Do non-root switches send BPDUs according to an internal timer, or in response to a received BPDU on their root port?

Odom's ICND2 book seems to give conflicting information on this subject. I assume it must be based on an internal timer--or when the root fails, all switches would appear to fail--but I'm looking for a reference to confirm this.

The nonroot switches receive the Hello on their root ports. After changing [stuff] the switch forwards the Hello out all designated ports. (Odom, ICND2 OCG, pg 56)

This seems to state unequivocally that non-root BPDUs are sent upon receipt of a BPDU, not based on an internal timer. However,

Note that all switches use the timers as dictated by the root switch (Odom, ICND2 OCG, pg 56)

implies that each switch runs its own timer and simply bases those timers on values in the received BPDU.

This makes more sense to me, otherwise, a root failure could cause a cascade of assumed link failures. CBT's videos are equally vague.

Again, I'm thankful for any confirmations, but I'm hoping that someone can also list an authoritative source on the matter.

Thanks in advance!

Posted to r/ccna, 10 months ago (user flair: Now with more Cisco!)

Interview Question

Hey /r/ccna,

I had a great interview today--mostly due to topics and tools I've researched because of this and other Cisco ring subreddits (topics beyond the CCNA purview). I wanted to pass on what I thought was a great interview question I got asked.

Are you ever able to use an IPv4 address which ends in .255 for a host? Explain.

I thought this was a great conceptual question for CCENT-level study. The interviewer mentioned it disqualified many applicants.
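Added illustration (mine, not the interviewer's answer key) of the reasoning behind the question: an address ending in .255 is unusable only when it is the network or directed-broadcast address of its own subnet, which is decided by the mask, not by the last octet. The addresses and masks below are constructed for the example.

```python
import ipaddress


def host_status(addr: str, prefix_len: int) -> tuple:
    """Classify addr inside the prefix_len network that contains it.

    Returns (usable, reason). Standard IPv4 rules: the network address and the
    directed-broadcast address are not assignable to a host, except on a /31
    point-to-point link (RFC 3021), where both addresses are hosts.
    """
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    if prefix_len == 32:
        return True, "/32 host route: the single address is the host"
    if prefix_len == 31:
        return True, "/31 point-to-point (RFC 3021): both addresses are hosts"
    if ip == net.network_address:
        return False, f"network address of {net}"
    if ip == net.broadcast_address:
        return False, f"broadcast address of {net}"
    return True, f"ordinary host in {net}"


def dot255_is_host(addr: str, prefix_len: int) -> bool:
    """The interview question for one concrete address and mask."""
    if not addr.endswith(".255"):
        raise ValueError("this helper is only for addresses ending in .255")
    return host_status(addr, prefix_len)[0]


def usable_dot255_hosts(network: str) -> list:
    """Every .255 address inside network that a host may legitimately use.

    Only the .255 in the very last /24 of the block is the broadcast address;
    the others are plain hosts. Intended for small blocks (it walks the network).
    """
    net = ipaddress.ip_network(network)
    return [
        str(ip)
        for ip in net
        if int(ip) & 0xFF == 0xFF and host_status(str(ip), net.prefixlen)[0]
    ]


if __name__ == "__main__":
    for addr, plen in (("192.168.1.255", 24), ("192.168.0.255", 23),
                       ("192.168.1.255", 23), ("10.10.10.255", 31)):
        print(f"{addr}/{plen}:", host_status(addr, plen))
    print(usable_dot255_hosts("10.0.0.0/22"))
```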


VM-Hosted server devices communicating with Hypervisor

I hope this isn't a common question--I don't visit this sub often--but I didn't see any stickies or a Wiki to check against:

Essentially, I am trying to get connectivity between my GNS3 instance and the outside world.

  • I have GNS3 running on a Ubuntu Server installed via Hyper-V on a Windows 10 machine.
  • The VM has a NIC bound to an "Internal Only" virtual switch using the subnet
  • The VM is using address .2 while the hypervisor (my workstation) is using .1

The above works fine. I connect to the GNS3 server via that address, can administer the VM, SSH, the whole nine.

What I cannot do is reach any devices in my GNS3 topology.

I have added the "Cloud" appliance, and have connected various devices to the correct network interface (eth0 in this case). I confirmed this by running Wireshark on the device-cloud link and I can see traffic between .1 and .2. However, I cannot ping between either of those two hosts and a GNS3 device regardless of address.

I have not been able to find any help online, as most of the help applies to running the server locally. I'm sure I'm just missing something small, or don't understand some detail about the Virtual Switch, but I'm hoping someone here can.


(Simple) Topology


Ansible Users: How are you storing your interface details?

I'm teaching myself Ansible, and am working on a configuration generating playbook (generate clean configs for all devices and upload). According to Ansible's best practices, host_vars are to be avoided. I'm curious how you are organizing your interface settings?

I'm currently using a list in each device's host_vars file--but this feels un-ansible. The only other way I can think of is to ensure that every device of the same role is implemented the same way and store generic information on a per-model basis.

Any wisdom from those who have gone before?

Posted to r/ccna, 1 year ago (user flair: Now with more Cisco!)

Trunk VLAN vs. Unused VLAN

I've been reviewing some of my switch fundamentals for my upcoming ICND2 and I'm curious about two "best practice" statements about native and disabled VLANS. Specifically, I've heard:

  • Never use VLAN 1 for anything
  • Make trunks' native VLANs an unused VLAN
  • Put disabled ports on an unused VLAN

I'm curious about the following with regards to best practices both in theory and in practice (i.e. "can you do X" in this case means "is it generally recommended to do X and are there real-world limitations that influence this").

  • Can the trunk native unused VLAN be the same as the disabled port unused VLAN as long as they are not used for passing data?
  • Can we use VLAN 1 for this unused VLAN? That is, is VLAN 1 dangerous inherently or just because it is the default?

I can't think of a reason for either of these not to be the case, but I'd like some knowledge from experience.


IPv6 DHCP Prefix Delegation

I've been playing around with IPv6 and SLAAC. While researching, I came across DHCP prefix delegation which is another awesome IPv6 feature. I'm pretty clear on how this works in a single router, but I'm curious how (or if it is even possible) that prefix is used beyond that.

Here are my basic understandings about IPv6 which may be causing this confusion:

  • No more NAT, everyone can use a global unicast address
  • The whole network uses the same global prefix
  • Subnets should be /64 (I'm aware of the debate on this)

Let's say I have a router CORE1 at the edge connected to ISP. We autoconfigure our interface with ISP and store that prefix for later use as PREFIX. This allows us to provision the downstream interface (connected to DIST1) with a PREFIX:1::/64 EUI address. Awesome. Our ISP-provided prefix can change and we still keep everything globally routable.

On that link to CORE1, DIST1 can then use SLAAC to match the /64 subnet on the upstream interface with its own EUI address, also awesome.

How do we "distribute" that prefix beyond this? DIST1 has no way of distinguishing which bits of the /64 are usable. Let's say there is a link between DIST1 and ACCESS1, how do we keep this link in the same prefix but provide a separate subnet, like PREFIX:2::/64?
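An added worked example (not from the post) of carving a delegated prefix hierarchically with Python's ipaddress module: CORE1 keeps the whole delegation, numbers its link to DIST1 from it, and hands DIST1 a /60 that DIST1 can in turn split into /64s, while a bare /64 cannot be split further. The delegation 2001:db8:1234::/48 is from the IPv6 documentation range and stands in for PREFIX.

```python
import ipaddress


def subnet_of(prefix: str, subnet_id: int, new_len: int = 64) -> ipaddress.IPv6Network:
    """Carve the subnet_id-th /new_len subnet out of prefix.

    With a /48 PREFIX and the default /64 this yields PREFIX:<subnet_id>::/64,
    i.e. the PREFIX:1::/64, PREFIX:2::/64 notation used in the question.
    """
    base = ipaddress.IPv6Network(prefix)
    if new_len < base.prefixlen:
        raise ValueError(f"cannot make a /{new_len} out of a /{base.prefixlen}")
    available = 1 << (new_len - base.prefixlen)   # a /64 holds exactly one /64: itself
    if not 0 <= subnet_id < available:
        raise ValueError(f"/{base.prefixlen} holds only {available} /{new_len} subnet(s)")
    addr = int(base.network_address) + (subnet_id << (128 - new_len))
    return ipaddress.IPv6Network((ipaddress.IPv6Address(addr), new_len))


def can_carve_from(net: str) -> bool:
    """Whether a router holding net can hand a distinct /64 to a downstream link."""
    return ipaddress.IPv6Network(net).prefixlen < 64


def plan(delegated: str) -> dict:
    """Three-tier layout for the CORE1 / DIST1 / ACCESS1 topology in the post.

    CORE1 keeps the delegated block, uses one /64 for its link to DIST1 and
    gives DIST1 a /60 (16 x /64) so DIST1 can number its own downstream links
    without CORE1 having to know about each of them.
    """
    core_dist_link = subnet_of(delegated, 1)            # PREFIX:1::/64
    dist1_block = subnet_of(delegated, 2, new_len=60)   # PREFIX:20::/60, DIST1's share
    dist_access_link = subnet_of(str(dist1_block), 1)   # PREFIX:21::/64, carved by DIST1
    return {
        "core1-dist1": str(core_dist_link),
        "dist1-block": str(dist1_block),
        "dist1-access1": str(dist_access_link),
    }


if __name__ == "__main__":
    for link, net in plan("2001:db8:1234::/48").items():
        print(f"{link:14} {net}")
    print("DIST1 can carve from a /60:", can_carve_from("2001:db8:1234:20::/60"))
    print("DIST1 can carve from a /64:", can_carve_from("2001:db8:1234:1::/64"))
```

The failure mode the post runs into is the last line: a router that only ever receives a /64 has no spare bits to hand out, so the delegation to DIST1 has to be shorter than /64 (a /60 or /56 are the usual choices).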
