Tech Tip: Determining MTU via MacOSX Ping oh yeah and Windows

The command:
ping -D -s 1472

What the command does
ping = Obvious
-D = Don’t fragment
-s <value> = the ping payload size in bytes (not counting the IP and ICMP headers).

Why did I start with 1472? That is the ICMP payload size; add the 28 bytes of headers (a 20-byte IPv4 header plus an 8-byte ICMP header) and you get a 1500-byte packet, the standard Ethernet MTU.

Example Output:

Justins-MacBook-Pro:~ j2sw$ ping -D -s 1472 4.2.2.2
PING 4.2.2.2 (4.2.2.2): 1472 data bytes
1480 bytes from 4.2.2.2: icmp_seq=0 ttl=57 time=426.164 ms
1480 bytes from 4.2.2.2: icmp_seq=1 ttl=57 time=110.762 ms

--- 4.2.2.2 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 110.762/268.463/426.164/157.701 ms

Justins-MacBook-Pro:~ j2sw$ ping -D -s 1473 4.2.2.2

PING 4.2.2.2 (4.2.2.2): 1473 data bytes
ping: sendto: Message too long
ping: sendto: Message too long
Request timeout for icmp_seq 0

If you want to learn how to do this on Windows:
https://kb.netgear.com/19863/Ping-Test-to-determine-Optimal-MTU-Size-on-Router
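The manual approach above (try 1472, then 1473, watch which one fails) generalises to a binary search over the payload size. The script below is an added example, not part of the original post: it wraps the DF ping from the post in a probe function, searches for the largest payload that still passes, and adds the 28 header bytes back to get the MTU. It assumes the macOS/BSD flags used in the post (-D -s); on Linux iputils the equivalent probe is ping -M do -s SIZE. The fake_probe function and the 192.0.2.1 host are constructed so the search can be run offline; "Message too long" in the post's output is the local stack refusing to send a DF packet larger than the interface MTU, whereas a smaller path MTU somewhere along the route shows up as timeouts instead, and the probe treats both as a failure.

```shell
#!/bin/sh
# Added example (not from the original post): binary-search the largest ICMP
# payload that passes with the don't-fragment flag set, then derive the MTU.
# Assumes macOS/BSD ping syntax (-D -s) as used in the post.

# Real probe: exit 0 if a single DF ping with SIZE payload bytes to HOST gets a
# reply. "Message too long" (local interface MTU) and a timeout after a router
# on the path sends "fragmentation needed" both make ping exit non-zero.
ping_probe() {
    host="$1"; size="$2"
    ping -D -c 1 -s "$size" "$host" >/dev/null 2>&1
}

# Generic search. PROBE is a shell function taking (host, size); LO is a payload
# size known to pass, HI one known to fail. Prints the largest passing payload.
find_max_payload() {
    probe="$1"; host="$2"; lo="$3"; hi="$4"
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            lo=$mid        # mid fits, so the answer is at least mid
        else
            hi=$mid        # mid was rejected, so the answer is below mid
        fi
    done
    echo "$lo"
}

# MTU = payload + 20-byte IPv4 header + 8-byte ICMP header.
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Constructed fake probe for offline use: behaves like a plain 1500-byte
# Ethernet path, i.e. payloads up to 1472 pass and anything larger fails.
fake_probe() {
    [ "$2" -le 1472 ]
}

# Against a real host you would run:  find_max_payload ping_probe 4.2.2.2 0 10000
# The demo uses the fake probe and a documentation address (192.0.2.1).
demo() {
    max=$(find_max_payload fake_probe 192.0.2.1 0 10000)
    payload_to_mtu "$max"
}
```

The search starts from 0 (always sendable) and 10000 (never sendable with DF on an Ethernet path) and converges in about 14 probes instead of stepping through sizes one at a time.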

Common Questions: masquerade vs src-nat action Mikrotik

One of the common questions I get is: what is the difference between masquerade and src-nat, and which should I use?
The quick answer is to use SRC-NAT if your gateway IP is static, and use masquerade if it can change.

The Mikrotik Wiki Entry
Firewall NAT action=masquerade is a unique subversion of action=srcnat; it was designed for specific use in situations when the public IP can randomly change, for example when a DHCP server changes it, or a PPPoE tunnel gets a different IP after a disconnect. In short, when the public IP is dynamic.

Every time the interface disconnects and/or its IP address changes, the router will clear all masqueraded connection tracking entries that send packets out that interface, improving system recovery time after a public IP address change.

Updating your Bind DNS for latest trust anchors

A little Background on the rollover

From: https://www.icann.org/resources/pages/ksk-rollover/#overview
ICANN is planning to perform a Root Zone Domain Name System Security Extensions (DNSSEC) KSK rollover as required in the Root Zone KSK Operator DNSSEC Practice Statement.

Rolling the KSK means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, including: Internet Service Providers; enterprise network administrators and other Domain Name System (DNS) resolver operators; DNS resolver software developers; system integrators; and hardware and software distributors who install or ship the root’s “trust anchor.” The KSK is used to cryptographically sign the Zone Signing Key (ZSK), which is used by the Root Zone Maintainer to DNSSEC-sign the root zone of the Internet’s DNS.

Maintaining an up-to-date KSK is essential to ensuring DNSSEC-validating DNS resolvers continue to function following the rollover. Failure to have the current root zone KSK will mean that DNSSEC-validating DNS resolvers will be unable to resolve any DNS queries.

If you are running BIND, the quickest way to check is this:

If your named.conf shows dnssec-validation yes;, you must change it to dnssec-validation auto; and restart your server before taking the steps below.
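The distinction matters because dnssec-validation yes; makes named trust only the anchors you configured by hand, so a stale root KSK breaks every lookup after the rollover, while dnssec-validation auto; uses BIND's built-in managed keys, which track the root KSK rollover automatically (RFC 5011). The script below is an added example, not from the original post or from ISC: it reads the setting out of a named.conf, and rewrites yes to auto while keeping a backup. The sample config it creates is constructed; point the functions at your real file instead (typically /etc/named.conf or /etc/bind/named.conf.options).

```shell
#!/bin/sh
# Added example (not from the original post): find the dnssec-validation
# setting in a BIND named.conf and switch "yes" to "auto". Every function
# takes the config path as its first argument.

# Constructed sample named.conf for demonstration only.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
options {
    directory "/var/cache/bind";
    // "yes" validates only against trust anchors you maintain by hand
    dnssec-validation yes;
    recursion yes;
};
EOF

# Print the configured dnssec-validation value (yes, no or auto), or "unset"
# when the option does not appear in the file.
dnssec_validation_mode() {
    mode=$(sed -n 's/^[[:space:]]*dnssec-validation[[:space:]]*\([a-z]*\)[[:space:]]*;.*/\1/p' "$1" | head -n 1)
    if [ -z "$mode" ]; then echo "unset"; else echo "$mode"; fi
}

# Exit 0 only when the config already uses "auto", i.e. named's built-in
# managed keys, which follow the root KSK rollover on their own.
uses_auto() {
    [ "$(dnssec_validation_mode "$1")" = "auto" ]
}

# Rewrite "dnssec-validation yes;" as "dnssec-validation auto;", keeping a
# .bak copy of the original so the change can be reverted.
switch_to_auto() {
    cp "$1" "$1.bak"
    sed 's/^\([[:space:]]*dnssec-validation[[:space:]]*\)yes;/\1auto;/' "$1.bak" > "$1"
}

# Typical run: report "already auto", or fix the file and print the new mode.
check_and_fix() {
    if uses_auto "$1"; then
        echo "already auto"
    else
        switch_to_auto "$1"
        dnssec_validation_mode "$1"
    fi
}
```

After the change, restart named (or rndc reconfig) as the post says; in current BIND 9 releases rndc managed-keys status then lists the trust anchors named is actually tracking, which is the quickest confirmation that the resolver will survive the rollover.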

Fluke Networks explains fiber polarity

https://www.flukenetworks.com/blog/cabling-chronicles/b-c-s-fiber-polarity

Polarity defines the direction of flow, such as the direction of a magnetic field or an electrical current. In fiber optics, it defines the direction that light signals travel through an optical fiber.

To properly send data via light signals, a fiber optic link’s transmit signal (Tx) at one end of the cable must match the corresponding receiver (Rx) at the other end.


Cambium and Management vlans

Just a quick diagram on how to separate management traffic on an ePMP network. The APs and CPEs are in bridge mode in this setup, with cnPilot routers behind the Cambium CPEs doing PPPoE; the ISP controls these as managed routers.

Our Netonix has a tagged VLAN for the management interface and an untagged VLAN for the customer (PPPoE) traffic.

The MikroTik router is trunked to the Netonix on port 12 to complete this setup.

Skinny cables and the lowdown

The new ANSI/TIA-568.2-D cabling standard now allows the use of 28 AWG patch cords. What does this mean and how does it affect you? Read this article from Fluke Networks.

Number one takeaway:
-Recommended length is no more than 15 meters, which makes these cords great for dense racks and patch panels.

http://www.flukenetworks.com/blog/cabling-chronicles/skinny-28-awg-patch-cords

Lab Network

I am starting an ongoing series involving a semi-static set of devices. These will involve different tutorials on things such as OSPF, Cambium configuration, VLANs, and other topics. Below is the general topology I will use for this lab network. As things progress I will be able to swap different manufacturers and device models into this scenario without changing the overall topology. We may add a device or two here and there, but overall this basic setup will remain the same. This will allow you to see how different things are configured in the same environment without changing the overall scheme too much.

We will start with very basic steps: how to log in to the router and how to set an IP address. Then we will move on to setting up a wireless bridge between the two routers. Once we have that done we will move on to setting up OSPF to enable dynamic routing. After that the topics are open. I have things like BGP planned, and some other things. If there is anything you would like to see, please let me know.