I have a piece of software that can interpret packets coming from another device in real time. I'm using port mirroring on my switch to send the packets to the software, but the software can't see the packets unless my NIC is in promiscuous mode. Is there PowerShell command or some way to enable promiscuous mode without running a capture software like Wireshark? I really don't want to capture packets since the software is decoding them in real time. There's no reason for the packets to be saved and use up memory.
Saturday, August 25, 2018
HPE product line segmentation
Is it just me, or is HPE's line in the sand getting a little nuts? My real pet peeve is airflow direction. It appears they're removing reverse airflow options from the entire Aruba/Procurve line going forward. I don't have anything inherently against Comware (honestly, I've never touched a functioning Comware switch, only some ancient 3com unit that had already failed), but for a shop where the campus switches account for 98% of deployment, using a different NOS for the 2% that belong in a datacenter is annoying.
I'm fine bouncing around for myself, and we'll have mixed environments with old Cisco gear for years to come, but multiple syntaxes make getting trainees up to speed far more difficult than need be. HPE is busy going after the SDN market with Altoline: why not let us choose ArubaOS or Comware for their campus/datacenter hardware?
Thoughts on 300-115
What is everyones 'go to' for studying for the CCNP switch exam? Best resources? I've got the OCG and Chris Bryant's udemy course already.
Juniper in the SMB space confusion
So I've never used Juniper in production (almost exclusively Cisco, Palo Alto and Fortinet) but from what I'v seen their CLI seems better than the CLI of IOS (to me anyway). I started looking at pries of their firewalls and they are very competitive but their switches seem very expensive for small shops who just need basic layer 2 (something compatible to a 2960).
Why would they price their firewalls so that they are within reach of most small offices but not make a switch that is the same? It seems like all their switches are overkill for a little branch office. Like I said though, I haven't used them and I may be missing something. I just wanted thoughts/correction from people who do use them.
route-map permit statement
Hello, Let's say I have the following route-map:
Router1# sh route-map static-to-eigrp
route-map static-to-eigrp, deny, sequence 10
Match clauses:
ip address prefix-lists: test11
Set clauses:
route-map static-to-eigrp, deny, sequence 20
Match clauses:
Set clauses:
route-map static-to-eigrp, permit, sequence 100
Match clauses:
Set clauses:
metric 100 1 255 1 1500
--------------------------------------------------------
Router1# sh ip prefix-list test11
ip prefix-list firevision: 1 entries
seq 5 permit 172.30.3.250/32
Does this route-map only block the prefix-list of 172.30.3.250 and allow everything else? Am I reading this route-map correctly?
2nd SMB design
Currently designing a network topology for a new client. As usual, I'm assign most SMB customers, with the only catch of, performance over cost. They require the fastest of fast networks (I don't know exactly why) for about 54 wired users, 1 physical; 4 virtual servers and 100+ wireless users.
My idea was using collapsed core design. Having 3 3650s 48P access switches all stacked while connected via etherchannel to a 4500x 12U 10P SFP+ switch acting as the core. So I'll have 6 10G connections to the core switch via an etherchannel using round robin and RPVST spanning 7 vlans inclusive of management, camera, IP Phone, SQL server, WinServ and POS terminals both mobile and registers.
Is this a good design? Should I opt for a Nexus 3000 (3524P) series for my L3 IVR? Or is the 4500x good enough for IVR?
Have a great weekend! Thanks!
Running Underground Fiber to 26 Buildings
Like many of you I'm sure, I've run plenty of CAT5/CAT6, set up plenty of switches, APs, routers, firewalls, servers, domain controllers, blah blah blah. But now I'm working on a design to run fiber to 26 buildings in midwest suburban town and this is where my knowledge drops off. I got a quote from a cable contractor that does fiber work all over this town and they suggested a route, which I have crudely drawn in green. The green line, including the one spur that will be optional for the customer, is around 13,500 feet.
My question is this, for those of you with experience in this kind of thing: what kind of cable should I run (single mode, how many strands, etc.) and how, physically, is the best way to design this? Instead of one big ring, I was thinking I should make two or three smaller rings and run 24-strand single mode fiber and then "peel off" a pair for each building. If I did that, would that connection be out at the road, on the outside of the building, or inside the building? These buildings get bulldozed and rebuilt sometimes, so I don't want to design a network that can't be reconfigured over time. And maybe my concept is completely off base. How do ISPs like Comcast and AT&T run fiber in a new neighborhood?
I've never done this OSP design kind of work before, and have very little experience working with fiber, so I don't really know what I'm talking about. But it seems to me that if I made smaller rings and had them intersect in two different locations, I could install two cabinets and put backhaul connectivity in each cabinet giving me some nice redundancy. At certain times of year, all hell will break loose if the end users don't have a working network, so redundancy is a must. I can also accomplish redundancy with a cell modem at each building but that won't provide nearly enough bandwidth to keep them happy during a prolonged outage (like if a drunk driver drove over a cabinet or something).
I want to provide 1 Gbps ethernet to each building and will probably have two 2 Gbps connections from two different ISPs and will load balance between them. I don't need help with this part; just the physical plant stuff. TIA!
What's in your documentation?
What sort of things do you store in your documentation? For instance, do you store subnet/VLAN information? "How-to" guides for troubleshooting, the "how and why" your network is set up the way it is, etc.
What experience/knowledge level do you target for your documentation? This is mostly for how-to type documents. For instance, do you expect the readers of your documentation to understand how 802.1x works, or do you explain that in your documentation? Or do you merely link to some $Vendor documentation?
Do your coworkers actually refer to the documentation? Or... do they just ask you?
VLANs and VPNs
While reading my notes, I have come across few diagrams with firewalls with VPN which allow remote access to the network. My understanding of VPNs are that a user would essentially get a LAN IP Address allowing user access to other network services.
1) However in no point of the notes did it mention whether the IP Address would have to be limitted to the VLAN of the firewall.
2) Notes also did not mention why a VPN server (which usually is the firewall for some reason, which I am not yet certain why), is usually right up top of a network diagram. Could I have my VPN server (firewall) sitting deep within the network? What implications would that bring?.
Thanks!
IOU/IOL or VIOS
Hi Guys,
I'm building a virtual lab for certification and came across IOU/IOL and VIOS and I know both of them lead to similar results, however, I clearly wanted to understand the pro and cons of each of these. From a perspective of doing CCIE Security certification, which would suit me better? (I'm specifically looking at doing DOT1X components for ISE)
DAE run into Cisco Catalyst 9500-48Y4C bug (?) with 1G SFPs 16.8.1a
Trying to work this through a TAC case but that will take some time.
Wonder if anyone else is running into this one ...
I have a rebuilt campus distribution based on the 9500 with 5 x 48Y4Cs and 2 x 32Cs. Everything is OK so far except for an issue where some links quietly fail and stop passing traffic.
At first I assumed it was older or failing SFPs but the same failure conditions have happened across multiple 9500s now and the far end has been a mix of different switches (3560X 3850 etc).
The nature of the failure is: 1. The link quietly stops passing traffic without a link state change 2. On both sides of the link TX counters have a trickle but RX counters are zero 3. No CDP neighbor information etc makes it through 4. Reseating or swapping the SFP on the far end (non- 9500) of the link has no effect 5. Reseating the SFP on the 9500 restores the link 6. So far this has happened exactly like this on 3 different 9500s and 7 different links 7. In every case this has been when a 1G SFP was in use (no failures for 10G or 40G links so far)
Across the 5 x 9500s we have for distribution we seem to have a link fail in this way every 1 to 3 days. So far it's been a different link each time except for one which has been our only repeat offender (swapped out optics on both ends of this one and got OTDR shots of the fiber to make sure it is good so waiting to see if it happens again).
Most of or buildings can be brought up at 10G but we do have a good number (50 or so) that can't either because of older switches or (unfortunately) old MM fiber. Before you ask the failure has happened on both MM and SM runs so far so that's likely not the issue.
[Apache] Notify when specific IP address requests a page
Hi
I was wondering if it's possible to have apache notify me by email/notification, when a specific ip address accesses the webserver. For example, by requesting a page.
I found apache-scalp, but I'm not sure if it's the right tool to use.
Would love to hear your advice !
How difficult would you say your job is? Fearing I'm not ready for the world of work
I'm in my third year of a Network Engineering degree that ran CCNP switching and routing modules. My last year is about to begin that involves some further modules on security and network design.
Truth be told though like although I'm aware about how to configure different devices I feel like my knowledge isn't practical, to a certain extent. I feel like I'll be found out as an idiot in the world of work. Is it like this for everyone? Obviously I'm aware you learn on the job but I'm worried I just don't have enough to work with.
Friday, August 24, 2018
Setting UP Extender/Bridge on hotel network.
I'm basically given up hope to get my securifi almond router thing to transfer data from my hotel wifi to a ethernet to my antminer x3.
I have the password to the hotel wifi. I'm trying to collect the wifi and transfer it to Ethernet to run my miner.
I understand this sounds dumb. I got the wifi adapter to power my computer for a couple minutes but i managed to configure it some more and I can no longer do that.
i'm backtracking and i need reddit help. I'm using https://www.amazon.com/Securifi-Almond-Touchscreen-Wireless-Extender/dp/B0087NZ31S and I'm trying to run a antminer x3.
i have no access to the router what so ever.
thanks, sorry for this noob post.
VoIP Traffic Flooding the Network?
Assume I am a networking noob. I just ran a packet capture off my workstation and was immediately flooded with broadcasts for ARP requests from my VoIP VLAN. Our workstations are all connected to our phones and then back to the Switch. Is this normal behavior or is there a way to isolate this traffic so it won't affect other VLANs?
Is SD-WAN just EVPN?
I've seen a few presentations from vendors about SD-WAN and how it's this magical thing that can maximize all the available WAN bandwidth, provide redundancy, encrypt, and compress, and...is it all just EVPN? Is it EVPN with some secret sauce on top to make the offerings more competitive and proprietary? Is EVPN just the standards-based alternative to proprietary SD-WAN offerings?
It seems there's a LOT of overlap here, and I'm trying to figure out why. If you know of a good writeup that compares he two, please link me.
Pulse Secure - Anyone know how secure application manager works under the covers?
We use Pulse Secure devices for remote access. We've had a few questions pop up about how we might utilize secure application manager (SAM) to handle some specific scenarios.
We use SAM today for allowing employees to connect and RDP into a "jump" server from their home computers (company issued laptops get a full VPN connection).
SAM works well in this scenario, but I realized that I don't have the foggiest clue as to how it works at a low level. It isn't a full VPN - there is no virtual interface and the client computer does not get an IP address on the corporate network. When you RDP into a host, the host sees the connection as coming from the Pulse Secure's IP address.
Somehow, the SAM client hooks into the tcp/ip stack on the client and proxies traffic meant for the host network via the Pulse Secure box.
Does anyone have any documentation on how SAM does its magic? We are particularly wondering about how DNS lookups are handled.
Lightower/Nitel DIA and Earthlink PRI
I've got a telecom broker shopping some services for me and they've come back with some carriers I have no experience. In NY Lightower for DIA Internet (100M and 150M) as well as Earthlink for wholesale PRI. In Las Vegas, Nitel for DIA Internet (100M) and 150M).
Looking for feedback on these providers to know if any of them should be avoided. All of my experience lately for DIA/PRI is AT&T, and in the last I've used a number of companies which are now all under CenturyLink.
FortiManager and honest review
So I wrote the below e-mail for the FortiManager team and tried to have my account representative share my experience with them. It's been a week and still no reply. Does any one know a better option to manage FortiGates, because I'm sick of the FortiManager?
This was the e-mail i sent to Fortinet. Let me know if you guys are having similar issues and came up with a work around.
First off let me start by saying FortiGates are one of the best firewalls I have ever tested or used. The FortiGates checked all the fields I was looking for my company. With that being said the FortiManager is the worst product I have ever been forced to use (the Forticlient and EMS is a close second (due to constant bugs)). A good centralize management tool needs to accomplish three thing. Number one: making changes on the manager needs to be faster than logging into multiple individual firewalls and making the change locally. Number Two: changes made on the local firewall should easily replicate to the manager and allow you to replicate those changes to other firewalls sharing the same policy. Number three: arguable the most important is the manager should be user friendly and simple to use. The FortiManager has manage to fail at all three areas. The only good part of the FortiManager is the built-in FortiAnalyzer feature (a great and simple to use centralize logging and reporting tool).
A brief background about me, I’ve been in the IT field since the early 2000’s. I started working on network devices in 2004. Since then I have work with and tested Cisco ASA’s, SonicWall’s with its GMS, Meraki Security appliance, Microsoft ISA, TMG, UAG, Palo Alto 3020 with Panorama, Check Point’s 5400 along with their management system, F5 Big IP, FortiGate’s with FortiManager, and Barracuda’s NG with its central Control. I’ve also attended Fortinet NSE 4 classes for Fortigate 1 and 2, NSE 5 class for FortiManager 5.2.1, and NSE 6 class for FortiWeb 5.6. I also have a bachelors in computer science with emphasis in information security.
In early 2017 we purchased 25 FortiGates to improve our security posture and redesign communications between the branches (move from MPLS to site to site VPNs). We also purchased a FortiManager VM with a FortiAnalyzer license. The initial deployment of the 25 firewalls was done without using the FortiManager. That should have been the first red flag. There was no real easy way to deploy new firewalls using a FortiManager. So I ended up using other programs to make templets that could push out a base configuration for each of my different firewalls after I entered the WAN and LAN information. At this point I decided I will attend the FortiManager training before I imported the 25 FortiGates into the FortiManager. After attending the class I realize the FortiManager had some limitations but most importantly the design of the product was solely geared to function instead of practicality. For example I can import and push configuration changes and even see the difference and what change the manager is pushing to the firewall but I can’t even take a simple backup of the firewall from the manager.
Other major issues with the design of the FortiManager is there is no way to create a shared policy package that that only affect a few policy on the FortiGates. For example if I have 12 IPv4 policies on Fortigate 1 and 6 IPv4 policies on Fortigate 2 but the only have 2 similar policies (like the HR traffic to the internet and All traffic to the internet) I have 2 options in configuring the policy package or packages in FortiManager (no option is ideal).
Option one: I can make one policy package that combines all the policies on both firewall and any policy that is similar can have both the installation targets (FortiGates) and the unique once and have it individual targets assigned. With this option you have one place to update the shared policies and one step to push it to all your affected FortiGates. The draw back to this is your policy package will get incredibly long (largely depending on how may unique policies you have on the grouped FortiGates). Policy placement also gets confusing because of the length and which firewalls the above and below policies apply to. You cannot make any changes on the local firewalls that is tied to the policy or objects. The reason you cannot make the changes on the local firewall is importing the change to the FortiManager assigned policy package with also delete any policies in that package not assigned to that Fortigate. This will wipe off important unique policies on other firewalls.
The second option: you have is having a second policy package for each Fortigate. This fixes the issue of not being able to make a change locally on the FortiGates and importing the change into the FortiManager. However you will not have the ability to share policies between the policy packages. So if you make a change to a policy in one policy package, you will need to modify each policy package that have a similar package manually. As much as that sucks, it gets worse. You will then need to push each policy package one at a time to each affected firewall. The FortiManager does not allow you to push more than one policy package at a time. With 25 firewalls (2 in HA so I have 23 Policy packages) it takes over 20 minutes to push changes that affect all the firewalls.
Other than the lack of user friendliness the FortiManager seems buggy at times. The reason I’m saying the product is not user friendly is there is almost no way a competent Fortigate administrator can integrate and manage the Fortigate without detailed training in my opinion. Even after attending the FortiManager training a user will still have issues using the product to its full ability. Since we have had the FortiManager I have personally open 18 tickets ranging from configuration issues to bugs in the program. I have to give credit to the Fortinet Tech. They are very knowledgeable and polite. They have help me fix mistakes I’ve made in my configurations and submitted issues to developers that have been found in the code. I have never been left hanging with any issue. They are also quick with sharing their knowledge and expertise with their product. It is an absolute pleasure working with the Fortinet team (from sales to Tech support).
The best part of the FortiManager application is the FortiAnalyzer portion. I love the ability it give us to run reports on all our FortiGates and maintain a centralized database of our logs. The threat analyst (fortiView) feature of the FortiManager for lack of a better work pretty cool. The Analyzer portion has help us playback attacks in the past, stop attack vectors in our Fortigate configurations, and track potential problems on our network. However using the analyzer feature of the FortiManager has caused performance problems with the appliance. This has forced me to open tickets because the FortiManager seems to respond very slowly at times. I was very shocked to hear the Fortinet Tech notify that my performance issue with the FortiManager is due to me using the FortiAnalyzer feature of the appliance. He (actually 2 different techs) then explain to me that it is not recommended to run FortiManager and FortiAnalyzer on the same box. I was very confused since we had Fortinet engineers size our Fortinet deployment. Also, why will you sell a product with a feature that won’t work properly? Add to that why will you charge a customer a fee to use the additional feature (had to buy license to use the analyzer feature) if it not recommended. I of course pointed this out to the techs. I was then told I will need to increase the resources to use the additional features. That of course make more sense so I told him that we can give it as much resources it needs and more. After he did his calculations based on the FortiManager and FortiAnalyzer requirement we increase the memory to 24GB (way more than needed based on his calculations). Since the increase the memory never reaches over 25%. This definitely helped at first. After the last update (5.6.5) the FortiManager once again has become noticeably slow.
Please understand I’m not trying to bash your product. Fortinet makes in my opinion one of the best firewalls on the market. In certain application, hands down the Fortigate is the best firewall. The only issues I have had with the Fortigate is memory leak issues and horrible QA in Firmware releases (the last not limited to the FortiGates). I like your products, but you guys need to do something about your FortiManager. It needs a full redesign. In my opinion Check Point did it right when I comes to seamless integration of a centralize manager for their firewalls. Even Dells manager for their firewalls is leaps and bounds simpler than the FortiManager. I’m to the point that I’m considering making a management solution that updates the firewalls via SSH myself. So is there any way we can get this issues fixed with the product? I would prefer to use the product we paid for instead or making one myself.
Duo Auth for Cisco ASA Administration
We're trying to set up SSH authentication to use our Duo servers as we have with many Cisco IOS devices however we're hitting an issue on the ASAs.
Attempting to log into an ASA via SSH with Duo configured is going as follows:
- Enter username / Password
- Accept Duo push message
- ASA responds with "Password authentication failed"
Issue is the correct username and password is entered and in the Duo logs indicate that an access accept message is being returned to the ASA, so all SHOULD be working. Searching google is turning up absolutely nothing related to SSH authentication for the ASA, the only documentation out there is for AnyConnect using Duo.
If anyone has managed to solve this problem in the past I would really appreciate hearing how you managed this.
Thanks in advance!
VDX Training?
Anyone have any sort of training for the VDX?
Only thing ive found is through extreme who want nearly 3K for their training class? -_-
Anyone moved from Nortel/Avaya CS-1000 to Asterisk/Other free PBX solutions?
We are still 70% (Approx. 250 phones) analog lines here and licensing for VOIP on the CS-1000 is costly. Any advices for "Going full VOIP" on the cheap?
vmware pfsense no traffic on vlan
Hello all,
I am at my wits end with trying to get this firewall solution to work.
I have a server running esxi 6.5.0 and have a VM loaded with pfsense. The vmware configuration has the necessary vlans assigned to the port groups on vswitch1. Vswitch1 uses 2 10gig ports as physical adapters. On the VM itself, I have the network adapters tagged. Pfsense detects the interfaces and I have them tagged as well (lan tagged as 209 and wan tagged as 45). The WAN upstream is 192.168.45.1 which is an SVI on the layer 3 switch.
I can access pfsense web gui from either the wan vlan 45 ip (192.168.45.19) or from the lan vlan 209 ip (172.16.160.1/20). I have the firewall basically open on both interfaces from * to * protocol any. I can ping the pfsense wan and lan gateway from all other vlans on any other switch on my network (example shown from vlan 100). But when I place a device on vlan 209 with a static IP (dhcp relay is not being passed) I am not able to ping anything. I cannot ping the gateway (172.16.160.1/20) or any host on that subnet. When I try packet captures or pings from pfsense itself, there is no traffic hitting the device.
Any hints or clues at what might be going on?
Looking for cheap and reliable CWDM 10G SFPs.
Any recommandations on 10G SFPs for CWDM SFP and MUX/DEMUX gear, cabling, etc.
Draytek VigorNIC 132 bridge mode does not work
Hi,
I just bought a VigorNIC 132 PCIe card.
I want to use it just as a modem.
According to the user manual I have to type "vigbrg on" in the Telnet client.
VDSL syncs well (VDSL2 with profile 17a), but PPPoE does not connect on my Linux Server (Gentoo).
Timeout waiting for PADO packets Unable to complete PPPOE discovery.
Anybody has a idea why?
Best way to test a firewall before deployment?
Upgrading to a newer ASA model. Copied old config over, fixing the differences between the two. What I've got setup right now: Test switch programmed with the same sub interface/vlan/ip etc as what's currently live, connected to the "outside" port of the new ASA and a device plugged into the "inside" interface of the new ASA.
Shouldn't I be able to ping the outside interface from the device that's connected on the inside interface?
Solarwinds Vs Prime EOS/EOL reporting
Hello all,
Anyone out there using Prime for EOS/EOL reporting? If so how has it been working for you? We are currently using Solarwinds and like the alerting features of it, but the reporting for EOS/EOL isn't very good. Just looking to see what other options there are.
Why do all the non IT workers and upper management think we don't do any work?
I feel like there is this running joke at my company that I don't do any work. I was just telling a coworker how my morning was swamped troubleshooting some bugs in the system. And all I got back was "oh you got work to do today?" Sounding very surprised. This was the first time something was said to my face, but I've had a feeling people have been thinking this for some time. I'm not saying I work every minute of the day, but damn, no need to assume the polar opposite.
How much more power is used for a DSL/Coax/Fiber connection at 100% bandwidth than when idle?
How much more power is used for a DSL/Coax/Fiber connection at 100% bandwidth than when idle?
Has anyone ever obtained the software to upgrade a GD Taclane cryto?
We have one that needs a software update but I have no clue where to obtain it from. Or what would be required to get it from the manufacture?
Active/Active L2 connections in same LAN as ISP
For some reason our customers would like to have 2 seperate connections at layer 2 and want them both to be active. In this particular example they have one main fiber cable and a copper backup. We're a small ISP and I've researched some solutions like TRILL and SPB but they failed due to compatibility between vendors, Big Broadcast domain and what not!
Now i've stubmled on overlay networking solutions like EVPN (MPLS,VXLAN,NVGRE) and VPLS. But in all these design concepts (RFC's) they use a enterprise environments and assume you would like to connect LAN from location A to LAN from Location B etc. I, however want to connect the same LAN environment over a ring topology. Is this possible?
I've linked an example from a customer in the link below, I would also like to note that we control de customer equipment to some extend.
MPLS over FTTC
We are going to set up several offices (about 10) and we would like to create a VPN between them
I know we can create a private VPN MPLS but usually that takes expensive infrastructure/bandwidth.
We have a provider in Italy, Klik network, that provides a VPN MPLS over all our branches, but that set up is very very expensive (thousands of Euro/month).
We don't want to spend that sum for our small agencies.
Can you create an MPLS over FTTC ? In general over a simple internet connection?
Aruba 2930F LACP Port Blocked?
Below is the output for the 'show lacp' command
Any ideas what could be causing 1 of ports to be 'blocked'
I have other Trks configured the same and are working fine.
Are there any other commands useful for troubleshooting this?
Thanks
LACP Trunk Port LACP Admin Oper Port Enabled Group Status Partner Status Key Key ----- ------- ------- ------- ------- ------- ------ ------ 1/2 Active Trk2 Up Yes Success 0 533 2/2 Active Trk2 Blocked No Failure 0 533
how do I properly secure an outdoor access point?
Hello,
so I have an outdoor AP (TPLink TL-WA7210N) on my barns wall. The barn is 30meters away from the main house.
The AP is connected via ethernet cable that is digged into the ground to my switch (CISCO 2960) in the house.
My scenario would be:
How do I secure my AP so that only traffic coming from the AP's MAC-address will be allowed to flow through?
I want to avoid that someone just disconnects physically the AP and connects his own device to the ethernet cable, gets an IP address assigned via DHCP and is then sitting in my internal network.
My idea was to configure and enable port security on the interface on the switch and only allow 1 MAC-address (the one of the AP).
But this doesn't work, as it seems that the AP operates as a switch too and not as a router.
I have found out, that the switch learns all mac-addresses of all wireless devices that connect to the AP.
How is this done properly?
How do you span a tree?
We used to be an all Cisco shop, so using RPVST+ was a no-brainer, but due to many ignored pleas, our network is now a mix of Cisco, Juniper, Brocade, and (with more ignored pleas) soon likely Extreme.
What do y'all use for your STP and stay sane?
Continued 5700 Chaos
Hi all, I hope that this is a suitable post as I painted myself into a corner and i cant figure out what Ive missed.
I originally had this issue and some of you kindly made some suggestions.
Me being rather impatient after trying these and then trying to work forward from the advice given, i (foolishly?) decided to factory reset the switches.
This obviously made my life a million times worse, so after a lot of swearing I managed to get the switch backup and running in an IRF with a simple config.
Heres the brain ache, I have a vlan (vlan 1) and this is the vlan all servers connect to in the business. I have connected one port of the core switch with all VLAN tagged on it to port 1/0/48 of this setup.
I have 4 non production servers connected to port 1/0/1 - 4 and these need to talk back to the core switch and out to the internet etc.
But i'll be buggered if i can work this out. I know its been a while since i did any form of networking but I think i'm just being really dumb here.
Any advice is appreciated
[HPE]display current-configuration
#
version 7.1.045, Release 2422P01
#
sysname HPE
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
irf member 2 priority 2
irf mode normal
#
lldp global enable
#
interface range name irf1 interface Ten-GigabitEthernet1/0/49 Ten-GigabitEthernet1/0/50
#
system-working-mode StandardBridge
password-recovery enable
#
vlan 1
description vlan 1
#
irf-port 1/1
port group interface Ten-GigabitEthernet1/0/49
port group interface Ten-GigabitEthernet1/0/50
port group interface Ten-GigabitEthernet1/0/51
port group interface Ten-GigabitEthernet1/0/52
#
irf-port 2/2
port group interface Ten-GigabitEthernet2/0/49
port group interface Ten-GigabitEthernet2/0/50
port group interface Ten-GigabitEthernet2/0/51
port group interface Ten-GigabitEthernet2/0/52
#
stp global enable
#
interface NULL0
#
interface Vlan-interface1
#
interface FortyGigE1/0/53
#
interface FortyGigE1/0/54
#
interface FortyGigE2/0/53
#
interface FortyGigE2/0/54
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 1
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/8
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
#
interface GigabitEthernet1/0/11
#
interface GigabitEthernet1/0/12
#
interface GigabitEthernet1/0/13
#
interface GigabitEthernet1/0/14
#
interface GigabitEthernet1/0/15
#
interface GigabitEthernet1/0/16
#
interface GigabitEthernet1/0/17
#
interface GigabitEthernet1/0/18
#
interface GigabitEthernet1/0/19
#
interface GigabitEthernet1/0/20
#
interface GigabitEthernet1/0/21
#
interface GigabitEthernet1/0/22
#
interface GigabitEthernet1/0/23
#
interface GigabitEthernet1/0/24
#
interface GigabitEthernet1/0/25
#
interface GigabitEthernet1/0/26
#
interface GigabitEthernet1/0/27
#
interface GigabitEthernet1/0/28
#
interface GigabitEthernet1/0/29
#
interface GigabitEthernet1/0/30
#
interface GigabitEthernet1/0/31
#
interface GigabitEthernet1/0/32
#
interface GigabitEthernet1/0/33
#
interface GigabitEthernet1/0/34
#
interface GigabitEthernet1/0/35
#
interface GigabitEthernet1/0/36
#
interface GigabitEthernet1/0/37
#
interface GigabitEthernet1/0/38
#
interface GigabitEthernet1/0/39
#
interface GigabitEthernet1/0/40
#
interface GigabitEthernet1/0/41
#
interface GigabitEthernet1/0/42
#
interface GigabitEthernet1/0/43
#
interface GigabitEthernet1/0/44
#
interface GigabitEthernet1/0/45
#
interface GigabitEthernet1/0/46
#
interface GigabitEthernet1/0/47
#
interface GigabitEthernet1/0/48
#
interface GigabitEthernet2/0/1
#
interface GigabitEthernet2/0/2
#
interface GigabitEthernet2/0/3
#
interface GigabitEthernet2/0/4
#
interface GigabitEthernet2/0/5
#
interface GigabitEthernet2/0/6
#
interface GigabitEthernet2/0/7
#
interface GigabitEthernet2/0/8
#
interface GigabitEthernet2/0/9
#
interface GigabitEthernet2/0/10
#
interface GigabitEthernet2/0/11
#
interface GigabitEthernet2/0/12
#
interface GigabitEthernet2/0/13
#
interface GigabitEthernet2/0/14
#
interface GigabitEthernet2/0/15
#
interface GigabitEthernet2/0/16
#
interface GigabitEthernet2/0/17
#
interface GigabitEthernet2/0/18
#
interface GigabitEthernet2/0/19
#
interface GigabitEthernet2/0/20
#
interface GigabitEthernet2/0/21
#
interface GigabitEthernet2/0/22
#
interface GigabitEthernet2/0/23
#
interface GigabitEthernet2/0/24
#
interface GigabitEthernet2/0/25
#
interface GigabitEthernet2/0/26
#
interface GigabitEthernet2/0/27
#
interface GigabitEthernet2/0/28
#
interface GigabitEthernet2/0/29
#
interface GigabitEthernet2/0/30
#
interface GigabitEthernet2/0/31
#
interface GigabitEthernet2/0/32
#
interface GigabitEthernet2/0/33
#
interface GigabitEthernet2/0/34
#
interface GigabitEthernet2/0/35
#
interface GigabitEthernet2/0/36
#
interface GigabitEthernet2/0/37
#
interface GigabitEthernet2/0/38
#
interface GigabitEthernet2/0/39
#
interface GigabitEthernet2/0/40
#
interface GigabitEthernet2/0/41
#
interface GigabitEthernet2/0/42
#
interface GigabitEthernet2/0/43
#
interface GigabitEthernet2/0/44
#
interface GigabitEthernet2/0/45
#
interface GigabitEthernet2/0/46
#
interface GigabitEthernet2/0/47
#
interface GigabitEthernet2/0/48
#
interface M-GigabitEthernet0/0/0
#
interface Ten-GigabitEthernet1/0/49
#
interface Ten-GigabitEthernet1/0/50
#
interface Ten-GigabitEthernet1/0/51
shutdown
#
interface Ten-GigabitEthernet1/0/52
shutdown
#
interface Ten-GigabitEthernet2/0/49
#
interface Ten-GigabitEthernet2/0/50
#
interface Ten-GigabitEthernet2/0/51
#
interface Ten-GigabitEthernet2/0/52
#
scheduler logfile size 16
#
line class aux
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0 1
user-role network-admin
#
line vty 0 63
user-role network-operator
#
radius scheme system
user-name-format without-domain
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
return
Hey kids, Santa delivered!
Okay, so, further to my post here, I consulted with two local MSPs. We lined up not only Meraki and Ubiquiti, but also took a look at Ruckus and Aruba. We ruled out Meraki due to their subscription model and cost, and eventually we concluded that Ubiquiti will be a suitable option for our needs. Since the hardware is cheap, my boss has accepted that if any of the Ubiquiti stuff fails, we'll just keep a cold spare ready to rack/fit and swap it out.
As a result, I've got this trolley full of toys to rack today: https://imgur.com/a/bFlX1sq
2x Security Gateway Pro firewalls
2x 10Gb core switches
3x 1Gb PoE client switches
10x UniFi AC Pro wireless APs
4x Executive and 1x Pro VoIP phones (Pro one is mine, need the desk space!)
MM fibre connections for everything
I also heeded the advice and scheduled two days for a professional to configure the setup (with me watching over his shoulder) and do a wireless survey of the office space to site the APs. I'm also learning how to subnet/VLAN correctly and have adjusted my plans accordingly.
Thanks to all who replied. I know some will question why we went for the cheap option over some more established brands such as Cisco/HP/Arris SMB ranges, but there are two main factors - 1. my boss and I strongly object to the idea of licensing hardware we bought, and that license expiring meaning not just no updates, but complete loss of functionality, is a real slap in the face considering the cost of the hardware 2. many sources, even on here, cite that Ubiquiti is great value for money, performs great and is reliable.
I'm also re-thinking my 'Do It Right, Once' idea as others have pointed out it contradicts what I'm trying to do here. I admit now, if I were to DIR-O, I would build the whole LAN with Cisco from the start, configure it once and leave it for 10 years. However, I have no experience with IOS and the company doesn't see the need to hire someone just to manage our LAN when all we need is an internet connection. What I meant more is that I want to build a stable foundation that will not need constant revisiting - as long as I can build on the core, add more switches/phones/APs as required without rebuilding the whole LAN, then that feels like 'Done It Right' to me. If Ubiquiti can provide that for us reliably, that'll do us fine.
How to start to Design a high bandwidth SAN & Network System
Hi Storage Experts,
I need to design a HA Storage system. The scenario is that we are recording HD Videos in cars and end of day we need to copy all these video files to our storage system for analysis.
1)Which would be the best tech in storage to transfer these PBs size loads of videos from car to SAN based storage wirelessly.
2)How should I design my SAN in the scale of PBs and make sure its future proof.
3)What are the latest hardware and software components I might require to accomplish this task.
I am software developer and am new to this domain. Kindly request all to provide the name of even the most basic of components required for the setup so that I can do a cost estimation and compare with other techs.
My novice solution so far:
- Transmitting module in car if using WiFi (802.11ac (aka Gigabit Wifi) max 200 Mbps speed) to transfer a file of size 15 TB to SAN Storage takes 7 days !!
2.SAN needs to be configured with High Availability.
Thanks a lot in advance.
Service Providers - DNS entries for Public IP's?
Recently moved to a small ISP, and have been asked to look at a file containing DNS entries for an IP range we own.
My question is, do we even need to have these DNS entries? My superviser is unable to answer as he is pretty new to this ISP world as well. Some of the entries i can recognise as devices and interfaces of some of our core devices, but most of the them seem to be just the reverse of the actual IP and not actually in use.
Can we get these entries deleted or do they actually serve some purpose?
Bought LinkRunner AT 2000 to replace MicroScanner2 - but is the MicroScanner2 a better cable tester?
I recently bought a Fluke LinkRunner AT 2000 to replace a Fluke MicroScanner2. (It supports 802.1x, IPv6, and MAC forgery).
For cable testing - the cheaper MicroScanner2 actually seems slightly faster? (I use this to make sure the cables I've crimped are in the correct order, no shorts etc.) Is this intentional? Or am I doing something wrong here with the AT 2000?
The MicroScanner2 can give me information, even for cables that are plugged in to a switch at the other end. However, the AT 2000 doesn't report anything - it only lets me tone the cable. Is this by design? Or is there some way to get information out of the LinkRunner AT 2000 here?
Should I leave POE testing on by default on the LinkRunner AT 2000? The manual doesn't seem to mention any drawbacks, not sure if I should just always leave it on, in case the switch does support PoE.
Also, I can't for the life of me figure out how to upload cable tests to the Link-Live cloud service - the save button does nothing on the cable test screen.
Any other tips for somebody moving from a MicroScanner2 to a LinkRunner AT 2000?
Should I keep the MicroScanner2 or sell it?
Thursday, August 23, 2018
DHCP Assigned IPs
I have a Cisco 2901 router configured with one DHCP pool this is the configuration.
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.20
!
ip dhcp pool MAIN
network 10.0.0.0 255.255.255.0
default-router 10.0.0.3
dns-server 8.8.4.4
!
!
I also have a 1602i AP with a few connected devices that pull DHCP IPs staring at 10.0.0.21 and 10.0.0.22 and so on. The AP it self has a static IP. But my main desktop which is hardwired in to my switch gets a DHCP address of 10.0.0.90, there is another desktop that pulls a DHCP address of 10.0.0.24 along with the other devices. Why would the one be different, both run windows 10 and are on the same vlan. The switch that I am currently using is an unmanaged cisco small business switch.
"Cisco Fast lane" on WLC
Fellow wireless dudes: Anybody using the "Cisco Fast lane" shit in AireOS 8.3+ (Apple+Cisco optimizations)? If so -- how has it been? Wireless is a fickle beast and I have a hard time trusting anything new, but the literature always sounds sexy.
How to interconnect a Nexus 5000 vPC Cluster with a Catalyst 4500 VSS Cluster
Is there any best practice guide ? What do I have to pay attention to, regarding the virtual port channel on the vPC side torwards the portal channel on the VSS side ?
Are there common mistakes, that can be made, that I have to watch out for ?
iPhone not connecting to correct repeater in hotel
I am currently in a suite and can get wifi in every other room but my own. The connection becomes very weak and eventually drops, despite having a repeater in the room. I thought it might have been the repeater itself but I switched it for one in the other room and the same problem happens. I think my phone is trying to connect to the repeater in the other room or outside for some reason. Can I force it to connect to the one in my room?
ELI5: WAN vs LAN IP Block from ISP
Hey guys, I work for a small company and we upgraded our ISP services from cable to a newly installed fiber base service that was brought into the complex.
When procuring the circuit the vendor gave us a /30 on the WAN side and a /29 on the LAN side, however, we were under the impression that we were going to get a public facing /29 on the WAN side.
When I spoke to our rep he noted that the services are cheaper because we went the route we did (not an issue) and seemed generally confused why we couldn’t utilize the /29 LAN block.
Setup: ISP NID Ciena 3930 in the buildings “Meet Me” is extended into our space via SMF where it is then directly connected to a Cisco 2921 router. We are currently utilizing the /30 to go DIA our to the gateway but would like a /29 to add voice services, HA, etc.
Can someone please explain: 1) Why is the vendor so confused by my request 2) Why would I need a /29 LAN block if I’m doing the routing. Can I even use the /29 LAN block? 3) Could they potentially just move the LAN block over to the WAN side? (Forgive the ignorance on the ISP side)
TLDR: Vendor gave us a /30 on the WAN side and a /29 LAN block but we were expecting /29 on the WAN side. What is the difference? Can we utilize the /29 LAN block if I’m doing the routing?
Juniper Zero Touch not quite Zero Touch?
I've been working on implementing ZTP for our EX3400 and EX4300 deployments. I got it working on a basic level without too many annoyances (get to those in a minute). I am noticing that the ZTP process on the zeroed switches does not seem to be kicking in until I go to the switch, console in, and go to cli mode. I then immediately see things kick off. If I just let it sit at the bash for hours nothing seems to happen at all (no config, no firmware). So, this is my main concern at the moment. I do not want to have to touch the the switch during zero touch for anything past verification that it's done, so if anyone has a thought on that, I'd really appreciate it.
Side questions:
- Pulling firmware to the switch via TFTP takes hours. Pulling via FTP, minutes. Pushing via FTP or TFTP from a server are both pretty quick. WTF?
- I want to get into the script side of ZTP for additional functionality (to deploy more than just the basic config that is identical to all switches). I'm kinda terrible with scripting at the moment, so I'd love if anyone has some sage advice here or a favorite guide. I've seen a few examples from others that are like 4-5 years old. Mostly SLAX. Not sure if I'm going to prefer config based on "where am I plugged in?" vs "what is my MAC/Serial?"
- How are others using ZTP? Or is anyone, really? Curious about any stories that might be fun/horrifying/interesting.
- How extensively are people leveraging dot1x for provisioning interfaces? I'm working with one huge campus and a bunch of smaller ones scattered all about, so things like "This is a WAP, configure for a WAP" would be very handy to automate. We have ClearPass that I'll be looking at leveraging this way after ZTP.
Thanks all!
ARP releasing
Hi, I'm having a issue in a pc where the arp doesn't bind to the gateway.
What happens is: PC sends a arp request packet to the ip 192.168.33.1, the gateway
The Router replys to the PC with its mac addr
The PC receives this packet but the arp table sometimes is updated, some times not, and when it is
updated its for a few seconds
The PC is a Windows 10 Home, with wireless card Intel (I will update this later)
Does anyone have experienced something like that?
I'm pretty sure it is the OS, but I'm in lack of options to the alternatives that I already have accomplished like update Intel wireless card and the SOHO router firmware.
Next try is look for windows network logs file
This is the .pcap captured with wireshark - https://imgur.com/2xHNeJ9
Does anyone have any good CoPP or CPPr templates?
Just curious.
Currently my method for doing this is creating a class-map for every protcol I use, then letting it run for a while to get a baseline at the normal traffic patterns. but I'm sure there are things I miss, how do you guys do it?
Blogpost Friday!
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts
Feel free to submit your blog post and as well a nice description to this thread.
Can segmenting or subnetting improve online gaming performance?
Networking noob here. My brother's looking to find a way to prioritize gaming traffic, for shooters like Fortnite. Their internet is quite slow (10 megabit, on a farm). They can game on 3 or 4 Xboxes simultaneously, with no lag and decent pings. But as soon as anyone else in the house does anything significant on the internet, youtube video, or a device starts downloading an automatic update, etc, it instantly becomes a huge lag-fest.
This guy in another thread said that some kind of subnetting or "segmenting" can help with this. But I only understand half the words in the comment. Can someone explain this in a bit simpler terms? Maybe ELI9 or something:
https://www.reddit.com/r/GoogleWiFi/comments/7anujk/google_wifi_as_a_router_for_gaming/dpgbzn6
What exactly is the "buffer bloat" that this guy is talking about, and what can one do to prevent it?:
https://www.reddit.com/r/GoogleWiFi/comments/7anujk/google_wifi_as_a_router_for_gaming/dpboj4c
Would it help to put the 3 xboxes in their own subnet or segment or something? Can an ordinary router do that?
If they must buy a new router, Google Wifi can assign a priority device, but only 1. They have 3 xboxes. The Ubiquiti Amplifi HD system seems to let you mark several devices as "gaming" devices for priority, maybe that's better?: https://help.amplifi.com/hc/en-us/articles/115005226567-QoS-How-To
Thanks guys!!
How do you store your fail-safe device credentials?
We're finally about to implement AAA across our entire network (yay!) and as part of that project, we will be generating fail-safe credentials to use in case access to the RADIUS servers is down.
- How do you currently provide for fail-safe SSH access?
- Where do you store these credentials?
- How atomic are these credentials, per-device, per-site, global?
- When do these get changed?
- If you change them after use, how do you ensure this happens?
My boss jokingly wants to print these on colored paper and seal them in plastic so we can crack them open in an emergency, but I'm thinking a sealed envelope system containing the only plaintext is not a bad idea.
Dell to Cisco trunk ports and STP
Hey everyone,
I have what is hopefully an easy project. We are currently running a pair of Dell N2048's in a stacked configuration. We are replacing them with a pair of Cisco SG350XG-48T's to upgrade everything to 10G and then demoting the Dell stack to management and backups only. Both stacks are configured for Layer 3 routing and hold a number of VLANs. Ultimately, the Cisco stack will have VLANS 10-17 and the Dell stack should only need VLAN 15.
The problem I have is that I want to connect the 4 SFP+ ports on the Cisco stack to the 4 on the Dell stack without blowing STP up and crashing my network. Knowing that the Dell switches are, to say the least, twitchy when it comes to STP, does anyone have any suggestion on how to get this implemented? Portfast and BPDU Guard/Filter are NOT enabled on any of the SFP+ ports.
New vlan, laptop get DHCP address, can't ping gateway or DHCP server
It's probably something simple but I'm just missing it. We added a new vlan to our network, the test laptop can get a DHCP dynamic address on the vlan but there's no internet access. Further testing shows I can't ping the gateway or the DHCP server it got it's address from.
Any suggestions?
What are you using for OOB
So I think I have seen similar posts before, but curious what everyone is using for an OOB network management.
I would like something with a cellular backup.
Yes I know how to use Google just want to hear first hand experience with what you use.
Simple 1GB Backplane Router
Hi all,
I'm a beginner sysadmin, (really helpdesk), looking for a simple layer 3 device (switch or router) simply to "bridge" the connection between an ISP and a client site. Our requirements only seem to be that it has a 1G backplane and simpler is better. Price is less of an issue, we use exclusively Cisco Meraki's.
Apparently the client missed checking a box to rent a router and we need to get them up ASAP of course. It is their busy season. My boss originally wanted to go with getting them a Cisco 1921 that we had used for other clients before but is hesitant because of the licensing. I believe the basic IP License is all we need but.. if we can get something comparable we should.
We don't typically do any router work and KISS with Meraki's has worked well for us so far. This business is a regular office. Would something like an Ubiquiti EdgeRouter work for us? .
In need of some BIND help.
Hi!
A colleague asked me about some BIND help and since I'm on vacation I feel a bit brain dead and would love some help from you guys. Basically, one of my domains, let's say zoey.com, has the following records:
A 10.10.10.10 www A 10.10.10.10
Another domain, let's say zoey.ru, has the following records:
localhost A 127.0.0.1 www.zoey.ru. CNAME www.zoey.com
The question is whether the .ru domain will resolve both www.zoey.ru and zoey.ru to the .com domain properly, because I feel like it won't.
Whats the best option without having QoS?
I have a DG1670 Router and I don't see an option for QoS is there another option for to prioritize bandwidth?
Should I ask for more/title change? I am the only Net Engineer now.
Quick backstory, got hired into a company as a "systems engineer" but I was working directly as a Cisco network engineer under the network architect who reported to the CTO, I have a lot of network exp. about 6 years. I studied the network, built a physical and logical network and understood how it is all set up, set up a few devices and such, then the network architect, about a month after I got hired, accepted a new job, I was moved under the system architect manager, but now I am the only network engineer, and architect, I have been here about 2 1/2 months now, and I am holding strong, afaik they have no plans to replace the architect. The person I am under works mostly with vms, aws, server, and has no network experience so I am basically doing my own thing at this point. My question is, what should I do, keep riding this out? ask for a promo/title change as I am the only networking person now? Not sure if it has been enough time or not.
Am I missing something stupid? Policy-Based-Routed network, with traffic that needs to transit a site to site VPN.
Ok, bit of a weird set up but I'll try and be as clear as I can.
We have a 1gig bearer which we trunk into an ASA 5525, where we then split the traffic on our inside interface, into sub interfaces where we apply PBR so that different client LAN's can be passed straight to the (we only use the PBR for the next hop) internet, and QoS where we police the bandwidth our clients pay for.
Now we have a client who has had their PBR/QoS solution for a while and they have had no issues with it, been working fine. They have recently upgraded their Point of Sale system and now need a IPSEC site to site vpn to take inventory/update the tills.
I have built the Site2Site VPN as I have done a hundred times on an ASA, no real surprises there...other than its not building...or more accurately not even trying to build a vpn.
Is there a quirk of running policy based routing then asking a site to site vpn to pass specific interesting traffic across it which I'm missing? If anyone can help, or point me in the right direction that would be great!
Thanks.
Frin
Will setting PVID on a port strip the incoming packet of its original tag.(Original tag on packet is same as PVID on the port)
Let's assume the incoming tag is 2, and the PVID on the port is 2. When the packet enters the switch, will the tag be stripped or retained?
noob question, Arista login annoyance
I'm pretty confident the answer is a resounding 'nope,' but at least I will ask. Running through the configuration of the first set of Arista switches for a datacenter deployment, running 4.20.8M, and I'm slightly annoyed by the requirement to do 'enable' to enter privileged exec mode. The Cisco equivalent is to add 'privilege level 15' to the line commands and if a user is privilege 15 they will be logged in to privileged exec mode.
Ultimately what I'm looking to do is to prevent having to rewrite more scripts than necessary (yaay! more expects!) but I am not completely confident that it is possible to do this.
Can anybody provide some insight? So far most things seem simple, it just comes down to the network automation at this point that will suffer since all the scripts will have to be modified/rewritten if we cannot make this happen.
Aruba Switch Problems
Hi guys. I have a problem with Aruba JL322A switch. we migrated from Cisco Small Business to Aruba Switches. the problem is in the same vlan/ network. I have many cases when the PC1 (192.168.0.5) tryes to ping server 1(192.168.0.6) or printer 1 (192.168.0.7) they not respond. (is not the Windows FW) but from another device in the same network I can reach it. this issue is happening randomly in the network, all of them have the same gateway 192.168.0.1 and the netmask /24.
Any ideas?
RSVP-TE FRR
Hi all,
I'm trying to understand how RSVP-TE is intended to work in terms of fast-reroute. So we have one-to-one or bypass protection styles, can both be in operation on a single node at the same time? If so, how does RSVP choose which backup path to use when a failure occurs? And if not, could someone explain why?
I saw this post on here, which addresses the relationship between secondary paths and FRR, but I am still confused as to how RSVP or lower protocols would decide which path to take in the case of a failure.
In the case of a failure where we switch to a detour or bypass LSP, does RSVP change in its signalling or does it remain unaware of the failure?
Apologies for the pile of questions, RFCs are usually no problem for me to understand, but the RSVP related ones are proving hard to grasp.
Networking - Ideas what to career specialize in?
I'm only a year and a half into my networking career. Currently working on my CCNP R/S to get a good foundation.
I was curious what you mid and later career people specialized in? What do you wish you had specialized in?
From my understanding you can go Network Security, Voice, Wireless, etc.
PBR for 1G pipe on Cisco 4451?
With pref licence installed.
A design calls for PBR on a LAN facing interface, approx 800Mb traffic in future.
Internet router, receiving only default from ISP ebgp.
Wanna redirect traffic based on /24 src to another Internet router on LAN.
No other option possible other than src based routing.
Its gonna be punted to CPU eh? Will 4451 melt?
prepping for the next networking job
I'm currently looking for a new networking job. Right now I'm taking refresher networking courses on udemy. Mostly i've worked on the wired/routing and switching side of things and want to keep it along that path. Security is something i'm interested in but I'm afraid having very little experience with it will be a non starter for employers. As far as vendor experience i've worked on cisco, hp/aruba, and alcatel.
My question is what courses/books/etc do you suggest i take that would be most helpful? Would you go the vendor route? I've had roughly 5 years of experience doing networking, but being a guy that wears many hats--doing help desk/networking/everything else, i feel like that there are big gaps that i need to address (hence the network refresher). Thanks again.
Connect Fiber Optic Patch Cable Multimode OM1 to 10GB transceiver
If I have a OM1 Orange patch but 2 SFP+ transceivers distance is 10 meters. It will work? I dont have the equipment to test this configuration. Let me know if this valid,
Suggestions for a small router that only needs to be a gateway?
We have a legacy router we would like to repurpose that only serves as a gateway for a few devices. The devices that are connected will all be eventually setup on our main router, but those devices are not easy to configure and it will take time and various maintenance windows to finish. We want to reuse this older router as soon as possible, considering it has a lot of good features. In the mean-time, as we transition those old devices, we want a small router that serves as the gateway for those devices.
Any suggestions? It will literally do nothing except serve as a gateway. I've been told that max we can spend on it is $300, but I honestly think that's too much.
SrExperts - Las Vegas, Sept. 2018
Any fellow Telco nerds heading to Las Vegas in a couple weeks?? I'm pretty excited to check out some of the fresh 5G presentations from Nokia and well, just about everything else.
Cisco console over fiber
Has anyone found a solution that allows them to transmit device console ports over fiber ? I have the requirement of placing a single switch in a closet 500 ft from my core and I'm trying to find a way to extend the console as well. Do they make a media convertor that provides this?
SRX WAN Failover with stale xlate sessions.
I've got the RPM and IP-Monitoring setup to failover but it looks like the SRX is still forcing old sessions out the old interface after the IP-Monitor switches to the backup ISP. This is causing SSL/TLS handshake problems.
I essentially want to initiate a "clear security flow sessions all" to sever and re-establish the connections. Anybody know how to do this on Juniper?
A little help, please. Download JunOS SRX 210
Hi, I bought a used SRX 210 and I do not have Juniper account to download JunOS. Please, could anyone download it for me?
When I chain my routers the 2nd never works. Please send help
Hello Reddit.
I got a problem and I have been trying to fix it and have had approximately 0 success in doing so. So, the issue is, I have a few routers. The first one, ASUS RT-N12E, is connected to a Cisco modem. That one works fine. Then, I have a very long cable running through my wall into the bottom floor. It is connected to my ASUS RT-N11P router, I have tried connecting it primarily via the WAN port, but also tried LAN ports. I've changed the IP of the 2nd router so that it's not the same as the 1st router. I've also disabled DHCP on the 2nd router and left it enabled on the first. Now, the 2nd router as a standalone works perfectly fine, but when these two get chained together in any order, the 2nd one never seems to work. How do I fix that? Basically, what I'm trying to achieve is to have this 2nd router have either its own Wi-Fi network or serve as a repeater for the original Wi-Fi network, but I also want it to be able to provide a LAN connection that I can use on my PC and laptop.
Please help, any help is appreciated, thank you.
Unbound.
Local DNS for private adress A records?
Routing on the host / OSPF problem
In each rack, I've got a pair of leaf switches with every host connected to both and running OSPF with BIRD.
Originally, I intended for each rack (the links between the switches and hosts) to be its own area, and the links between leaves and spines to be the backbone area.
However, as the two spine switches are connected through the hosts and share an area, an intra-area route is generated. And since (TIL) intra-area routes always take precedence over inter-area routes, each leaf switch then uses the hosts as next hops to reach the other switch's subnet, rather than going through the spine switch.
At first glance, it seems like not a huge deal, because under normal operation, traffic between those two subnets wouldn't be a thing. But in the failure scenario that two hosts each lost a link on opposite switches, this means that the other hosts would carry the traffic between those two hosts, rather than it flowing through the spines as intended. Or, more correctly, it would be dropped, because I will have the hosts configured not to allow that.
One thing I tried was to make each switch it's own area, and configure BIRD on the hosts to put one interface in each area. But BIRD seemingly will not generate ECMP routes when the equal cost routes are in different areas. So this won't work.
I am tempted to just make the whole network one big area 0, but I'd really like to have the route summarization between racks.
Any suggestions?
Automating the configuraiton of firewalls' rules and IPSec tunnels
Hi guys,
I am fairly new (9 mo) at this job at a quite big ISP in Europe. We are really behind with the automation, we have not yet any scripts or automation tools being ran in our day-to-day activity.
I am trying to change this, I've taken some Python 3 courses and I think I might be able to write a script to configure a new IPSec tunnel or some rules.
But, still, I am curios. What do you use to automate these particular tasks? Should I also consider Ansible? I am asking because the whole processes of learning something new takes time and I want to ensure that it's the right thing I'm learning.
Thanks!
What info do you want to see in an incident ticket?
Hello fellow networking people
I am in the process of designing a set of guidelines for our B-level. One of the things we'd like to standardize is the information that should always be present in a ticket before they forward it to C-level. I've come up with some things already but I'm sure I'm missing some still. On the other hand, I don't want the list to grow too long, but regardless I could put some extra/optional guidelines in a separate document.
This is what I've got so far:
How many users are impacted?
- 1
- An entire floor
- Entire building
- Site-wide outage
- All users of a certain application
Specify the location.
- Site
- Building
- Floor
- Room
Give info about the affected device.
- Laptop name
- ipconfig /all output
Which troubleshooting steps have already been taken? (and mention the results)
- Ping
- Tracert
- Nslookup
- Netstat
- Route print
Describe the issue in detail.
- When did the issue first occur?
- Has the issue happened before, possibly with a different user?
- Did the user take a specific action right before the issue occurred?
- Can the issue be replicated?
Much thanks!
The command "ip protocol" on a sub interface
Hi, I have started a new job at an ISP of my country and right now they're having me doing the deletion of customers that are no longer with us. I am trying to understand this kind of configuration that I see on a lot of the interfaces I have to delete
interface ATM2/0.911 point-to-point description "xxxxxxxxxxxxxxxxx" ip unnumbered Loopback9 no atm enable-ilmi-trap pvc 201/130 protocol ip 89.97.3.143 ubr 1024 oam-pvc manage encapsulation aal5snap interface Loopback9 description "Interface Internet Top" ip address 89.97.3.129 255.255.255.128 ip authentication mode eigrp 12874 md5 ip authentication mode eigrp 11 md5 ip authentication key-chain eigrp 12874 FWPoP ip authentication key-chain eigrp 11 FWPoP ip ospf network point-to-point end
So as far I understand the /25 network is given to an access device like a DSLAM/MSAN or something, there's a lot of the interfaces on the PoP that have the "ip unnumbered" command I assume it is done like that to make it easy to add/delete customers without having to type each time an ip address and just
The ip protocol command I am not too sure what it does, the ip after it is the IP of the CPE at the customer's site so, is it just a declaration of what the next hop is or is it a way to sorta create a "fake" point to point link?
Thanks for the help
BGP Question
I have inherit a network that is in full mesh of point-to-point links and the protocol is OSPF. I have 10 hubs (main routers) across the US in this full mesh of point-to-point links. One of the main routers (R4) has access to the Internet through a default route and the other main router (R6) has a BGP peering with another AS. The whole network is using an RFC1918 IP scheme except for a small network hanging of the BGP router. We are advertising a /24 to our BGP peer and we are receiving about 20K routes (I think), but I am pretty sure it was not the full table.
The /24 we are advertising is own by another group, so to this point the only one who could use the BGP is the group who owns the /24 and the rest of the network has a default static route point to R4. If R4 to go down, we could not get to the Internet, but the group who could get out via BGP.
I was tasked to propose a design if either one of the Internet edge routers to go down, we could at least failover to the other router. My plan is to propose a couple of scenarios to my boss and let them pick and do their politics.
Both internet routers are Juniper MX series. One of the scenario, is a floating static with RPM (IP SLA tracking). If R4 to go down, it would use the floating static route to the BGP router. Then I guess the router would NAT the internal network for it to get to the Internet.
The other scenario that I have in mind is to use IBGP with two RR or EBGP internally. But I do not have a real world experience with BGP at all and need your help. I want to do this the correct way.
I guess I would need more public addresses. If this is true, I am thinking each hub router would get their own /24. As each hub expand, the hub can allocate public IP addresses to their own group.
Am I going the right way here?
What is the process of advertising the BGP to my public neighbor?
Do I need to register my info to a registrar like altdb.net ? Is this mandatory?
I definitely don't want to become a transit AS, how do I do this on a Juniper device?
How should I design this network?
Wednesday, August 22, 2018
For anyone running Meraki wireless
Here's the quick check to see if you're Meraki wireless system is vulnerable to the recent WPA/WPA2 vulnerability.
Why does SIP ALG exist?
I just ran into issues with it being enabled, and every voice/video deployment I’ve come across has SIP ALG disabled on the firewall or router. Seems like every support person you talk to and article you read says to disable it also.
If it’s always disabled, what’s the point?
Nexus 7K QoS Config Guidance
So im in the pre-configuration part of a VoIP deployment and were up to applying QoS on our Nexus 7Ks. We are trying to have a RTP PQ, Signal Q, Video, and then default traffic.
Is there any good documents or videos someone can direct me to? I am having trouble with alot of the syntax and commands.
DMVPN + Multicast Question about "ip pim nbma-mode"
So from my testing with CSRv's I see that these behaviors apply:
spoke to spoke multicast over dmvpn requires hub use "ip pim nbma-mode" (assume all PIM SM config is okay)
hub to spoke or spoke to hub multicast over dmvpn does NOT require the command (assume all PIM SM config is okay)
Does that sound correct?
Here's something really strange I noticed with IOU + IOSvL3, so I switched to CSRv.
Hub to spoke traffic seems to go to ALL spokes no matter what (even with nbma command)
spoke to spoke traffic seems to go to all spokes no matter what
Here's the hub:
interface Tunnel1
ip address
10.0.0.1
255.255.255.0
no ip redirects
no ip split-horizon eigrp 1
ip pim nbma-mode
ip pim sparse-mode
ip nhrp network-id 1
ip nhrp registration timeout 60
ip nhrp redirect
ip summary-address eigrp 1
192.168.0.0
255.255.0.0
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel key 1
tunnel vrf WAN
end
Here's a spoke tunnel:
interface Tunnel1
ip address
10.0.0.4
255.255.255.0
no ip redirects
ip pim sparse-mode
ip nhrp map multicast
1.0.0.2
ip nhrp network-id 1
ip nhrp nhs
10.0.0.1
ip nhrp registration timeout 60
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel key 1
tunnel vrf WAN
end
Using a Firewall for inter vlan routing/security/segmentation
I was chatting with some colleagues when they mentioned that a group of consultants come on site hired by their CIO to look at the infrastructure overall. They were looking at the campus and particularly their Core Switch. Because ACLS, or VACLS are not in use they were kind of "dinged" on not having the best of network security practices.
Their recommendation was to use their HA pair Firewalls (Fortinet) for all their inter-vlan routing and to apply "only whats needed" between the vlans so increase their network security.
I have not heard of using a firewall in place for inter vlan routing and segmentation. How is this done? The SVI's sit on the Core switch and cross vlans at the core. Kinda confused by it but seems like a great thing to put into play for the future?
Thoughts from anyone on this practice or know of it?
Does multicast routing use the default gateway setting?
I have switch that routes udp multicast between vlans.
If I connect a device to VLAN on that switch with an IP address and Subnet Mask, but no default gateway... will the udp multicast sent by that devices be routed to the other VLAN?
I just tried this, and it being routed? Why, when there is no dg on the device sending the multicast?
Thanks
Palo Alto HA Active Passive Dual ISP Question
When you have HA up and running. How does the HA know when to flip to the other ISP? I have to configure the passive one with an IP from the 2nd ISP. Will its settings get overwritten when the configs sync?
My boss wants to know why I can't just give a vendor connecting via VPN access to the entire /16
My boss wants to know why I can't just give a vendor connecting via VPN access to the entire /16.
I'm tempted to just do it.
Question about 802.11.ad
I can't find any info about the 5ghz and 2.4ghz speeds on 802.11ad, is it possible that they are the same as ac, and the only difference is the addition of the 60ghz antenna?
Received router not being installed in XR prefix-set?
HI ,
Anyone here encountered received prefixes not being added in prefix-set?
We have a server that will verify and match the received prefixes then once verified it will automatically propogate to prefix-set config.
But, the thing it is not being added. What would be the issue of prefixes not being added to prefixset?
THanks
Troubleshooting IPSec routing issue when you only control one side
I'm sure this is familiar to some of you - we establish IPSec tunnels with various clients, and often have only limited visibility into what their configurations are.
The issue I am experiencing right now is this - we are establishing the tunnel from our CentOS host, which is behind an IPtables firewall with a static NAT. I can bring up the tunnel and it starts as expected, ipsec auto --status looks good and the other side also sees that it is established. I can send a ping to the remote host and a tcpdump on the firewall shows the packets going out, but I never see any replies. So far, in my experience, this has always turned out to be some sort of rule on the far side which is dropping my packets.
The wrinkle here is that the other side claims to be seeing the same thing as I am - they start a ping flood, and say they are seeing the packets go out, but I never see them.
Does anyone have any commands that they use in these types of situation for verifying that everything on my side is working as expected? I'm 99% sure it's not my side, since it's really a pretty simple setup and we have numerous other tunnels on the same box, but you never know.
Thanks for any advice!
Question on how to create a specific script to run in SolarWinds
Tiny bit of back-story. I have about 250+ Cisco 4331 routers that are being used only for our public WiFi at each site.
That's 250 different ACL's that need to be modified because someone copy-pasted the same one in each site.
I only need to change three lines but I need to only change the third octet in each line:
.8 .5 and .4 are respectively for Switch, backup-router, primary router.
access-list 90 permit 10.0.1.8
access-list 90 permit 10.0.1.5
access-list 90 permit 10.0.1.4
The next site in line would be:
access-list 90 permit 10.0.2.8
access-list 90 permit 10.0.2.5
access-list 90 permit 10.0.2.4
This is more of an example, it's not specifically as seamless as .1, .2, .3, .4
Is there a way that I could automate it? Because currently at every site it's "10.0.1.4, 5, 8. where we just need to strip and change the third octet variable.
Also, if there's another tool that is useful for this same sort of thing, I'm open to whatever to make this process faster.
Video training for cisco ISE
Anyone know where I can find some structured video training for Cisco ISE.. kind of like cbt nuggets??
Wireless site surveyors in the Midwest?
I'm looking for a wireless site surveyor, preferably a company specializing in Aruba and/or Aerohive. We're in the Midwest.
Anyone have any recommendations?
What is the lifespan of core routers?
There are a few different aspects of lifespan, all of which I am asking about. There are warranties, last patch dates, and dates of last support from an OEM perspective. And then just how long will the hardware do what it is designed to do (assuming it has a stable, recommended physical environment). Can anyone give me some insight to these timelines?
My underlying motivation to ask is that my company replaces core routers every 5 years at every branch. This surprises me, it seems wastefully aggressive. My thought process is that if OEMs are charging (ten)thousands for hardware with 2013 technology and manufacturing processes, it would be crap hardware if it had to be replaced in 2018.
A related question is, are partial refresh of hardware components a better strategy? I have limited background in the networking world but I know it's ordinarily highly cost effective to swap individual PC parts.
Sitting for the 210-260 CCNA Security exam tomorrow.
Well, after 9 months of studying and failing already 1 time, I am taking the 210-260 tomorrow morning.
So far I have read the OCG, Cisco Next-Gen book, 31 Days Before, Portable Command Guide, and a bunch of other resources on Safari Books Online and Cisco White papers. Watched a lot of INEs, Udemy courses. Practice tests from NWExam (so far I don't recommend them at all, a lot of false answers that had me scouring to find correct information directly from Cisco)
Feeling pretty confident after a couple of epiphanies over the past couple months since the last exam attempt. So who knows. Here we go!
Outdoor enclosure for network switch and fiber panel recommendation
Hello fellow redditors,
We are installing PoE+ cameras and WAPs on light poles around one of our facilities. To support them, I need a weatherproof network box for a switch and possibly a fiber patch panel. Does anyone have any recommendations?
We are looking to house the following:
· Possibly Corning SPH-01P Single Panel Enclosure (for fiber termination)
I’m looking at what CDWG has to offer but this will be our first time buying our own outdoor equipment. I’d appreciate any feedback or experiences members may have.
Thanks,
Mode Conditioning Patch Cables on Mixed SM/MM Runs
I read that the maximum length of a mode conditioned patch cable run is 550m over MM fibre. But is that the amount of just the MM run or the total run, including any SM portions.
Here's the situation. I'm trying to connect a building that is at the end of a ~440m OM2 (50um) MM fibre run (see ASCII art at bottom). However, the other end of the OM2 run is a "fibre hut" that then has a further ~1km SM run to the main telecom facility (where my core campus routers/switches are). Since the OM2 run is under the 550m limit I expect the mode-conditioned cable to work fine to the hut, however, if that's at the end of a longer SM run, I'm not certain it will work. I've used conditioning cables in the past but always on a pure MM run, never a mixed run like this.
How can I determine if this setup is likely to work?
ASCII art:
Main Telecom Room (MDF) Core Switch ---> ~1km Single mode fibre ---> Mode conditioned cable ---> 440m OM2 fibre ---> Building's distribution (IDF) switch
Subnetting Help
I need subnetting help to add proxy ID's on Palo Alto where 10.0.0.0/8 (excluding 10.253.19.0/25) need to talk to 10.253.19.0/25 to avoid overlapping. 10.253.190/25 is hosted on peer side of VPN tunnel.
Looking for stackable and ISSU/NSSU supporting 12-24 port switch recommendations
Hi folks,
I'm looking for a stackable switch with 12 to 24 ports non POE that also supports ISSU/NSSU firmware upgrades and that is relatively affordable with support worldwide as I'm looking to deploy a stack of them in potential places like HK, NY, EU.
So far, I got:
Ruckus ICX 7150-C12P (12 ports all POE) Ruckus ICX 7150-24 Juniper EX3300-24T Juniper EX3400-24T
So far, the ICX 7150-24 seems to be the most affordable but I'm looking for more options as I've never been too impressed with Foundry/Brocade/Ruckus firmware or support...
I'd like to avoid Cisco is possible but if it fits the bill, I'll consider it.
Thanks for your help.
Am I a dummy for quitting my networking job and becoming a full time student again?
12 years networking experience on my resume. Currently have CCNA, CCNA-Sec, and CCNP-Switch. I plan to keep this updated/progress while I'm going to school. I'm quitting my job and going back to school to become a full time student to complete my Bachelors degree. I anticipate 3 years of school, still trying to figure out which credits will transfer.
Part of the reason for this is to play a college sport that I love, part of it is I really should finish the degree. Bills will be covered since I am a Veteran and have GI bill money. The question is, how is it going to look on my resume when I haven't worked in the field in 3 years potentially because I was a full time student?
Anyone have experience in this? My perspective is it shouldn't be too big of an issue, but I'm open to criticism.
Ports needed for RODC in DMZ?
I need to setup LDAP on a server in our DMZ.
Currently, my plan is to setup an RODC for the server to pull for LDAP because my attempts to just open the necessary ports from my application server to my DC's isn't working, and I'm sure not the best method anyways.
If anyone has a cheat sheet for ports to open, I'd really appreciate it.
This is what I attempted from (client/application server) to (DC's)
UDP 389 & 88
TCP/UDP 135, 3268, 3269, 464, 53, 138, 445
I temp. turned off the block between the LAN and my DMZ (i know, bad.) to test adding to the domain and it worked (before I had issues where I could enter my creds but it error'ed out after(network path not found)
so I'm about to pull my hair out.
Router help for small business / public wifi
I'm working with a small business that has about 5-10 wired clients on a basic switch, including some HD video streaming. I've set up two TP-Link access points for wifi, with a public wifi and a private one. The private one probably gets peak 20-30 clients, and the public one can get up to 100-200.
All of this has been running on a modem/router/wifi combo from the ISP just with the wifi part turned off, but I have no access to the router settings and we're having them replace it with a newer modem.
We're adding some server hardware soon so I want to upgrade the router and get a better setup. Unfortunately I'm not super experienced with networking, but I am a software engineer and can typically figure stuff out. So i'm looking for something relatively simple to set up, or at least manageable. What do you guys recommend for this type of setup?
I also wanted to ask about how to best set up QoS and a firewall. I'd like all wired clients to take priority over all wifi clients, and i'd like to isolate the public wifi from the rest of the network and have stricter firewall rules on it. Is this something you would set up VLANs for? Could someone give me a super quick overview of what that should look like?
Thanks!
Network Tracking
What do you use to keep track of all your network information (VLANs with IP ranges, console IPs for devices in each range, static IPs, ect.)? Do you just use an Excel spreadsheet? Is there good software that you particularly like? I was handed down an extremely messy excel sheet with all of this info and want to see if I should pursue something else before committing to remaking the spreadsheet. Thanks for any input you have.
How is this PC able to get online?
So, dumb question. I have a PC that's on my VLAN1 (don't kill me plz.) Info as is:
VLAN1:
IP: 10.0.0.126 255.255.255.128
PC: (statically set)
IP: 10.0.0.100
Subnet: 255.0.0.0
G/W: 10.0.1.126
Now I'm wanting to say that the reason it's online is because the subnet mask of the PC overlaps the whole 10.x.x.x subnet. But if the gateway is statically set wrong, how does the PC know to use the correct gateway; 10.0.0.126?
Dell N2048P stack member reboot after uploading firmware from TFTP
I just upload the firmware from TFTP to backup on the switch, one of the stack member rebooted after the master propagated the firmware. Is it normal? i was trying to push the firmware to backup during business hour and upgrade after hours.
TIFU - Man this SVI sure is taking forever to delete...
Was reconfiguring/wiping old switches on my desk. Had cleared interfaces and was deleting an SVI...and it just sat there and sat there. Get a monitoring alert. My connection tab disappears. Realize I'm in the wrong terminal window. Goodbye, production SVI. oops. Double check your window/tab titles folks.
Internet IPv4 routing table is now containing more than 700K routes
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd x.x.x.x 4 ***** 7243439 50315 38606263 0 0 2w2d 700900
This is quite something! At the beginning of my (public routing) carrier, the routing table was containing no more than 100-120K routes.
Help please - need CPAM 15.3 SSL patch
Hey guys,
I need Cisco's patch for CPAM 15.3 SSL expiration issues, found here:
https://software.cisco.com/download/home/282089927/type/282463808/release/1.5.3
CPAM is unfortunately not among my Cisco entitlements - we "inherited" it through company acquisition - and issue is just a bit urgent. Can anyone help me out?
Thanks!
EAP-TLS 802.1x Computer Authentication
Hi All,
I’ve just setup EAP-TLS using a 4000 series Cisco WAC, Windows NPS server and a certificate authority.
I’ve created a GPO to deploy the SSID and the computer certificate. It all works well and users can only connect if they have a certificate issued by the CA.
Everything I’ve read says that EAP-TLS is the most secure method and best way to do this and that PEAP is less secure.
However as my boss pointed out only the machine is authenticated. Anyone who logs in on the domain has access to this network. Also what if someone just hacks the local administrator using something like the pogo Linux boot disk? They will full access to the network. Surely this is a massive hole in the security and flaw with this method?!
I can’t seem to find any documentation supporting an NPS/EAP-TLS policy that allows computer and user authentication. It all seems to be aimed at the computer being secured by a CA issued very.
DNS sanity check
hello! I am fairly certain this will work, but I need to double check since this will be a decent sized project going forward for us.
First details: clients manage their own DNS records, they have their site and other subdomains that point to other things, but we have one of their subdomains that point to our service (load balanced 443 web traffic)
Current: myservice.ourclient1.org (obviously example)
The A Record points to an IP address that is on our side, and load balanced. We have an SSL cert that is provided by the client
What I would like to do (we are moving to a new hosting environment): Once we are ready to cut over to the new data center with all new F5 load balancers, etc I would like to see it look like -
CNAME record of myservice.ourclient1.org point to ourclient1.publicDNSservice.com and then I manage what the A Record of what IP address this points to (also adds some DR functionality with managing this)
Any gotchas? anything I am missing? thanks for the sanity check!
Scanning a Network for Oracle Server Instances / Databases?
I was able to run PowerShell commands to scan a network to find SQL servers and instances that exist - I'm wondering if there is a way that I can do this to determine machines that are running Oracle server / instances? I have done about an hour or so of Google researching and have come up pretty empty handed aside from some paid solutions which are not a possibility at this very moment.
Any ideas?
Thank you!
Open-source IPS for small branch offices?
Hey all,
Does anyone use open source IPS solutions at small offices? I am familiar with enterprise grade stuff from Cisco, but am looking to see if anyone has any experience with some open source stuff for smaller/less critical offices (with no public facing servers or static NATs). I see some good looking options out there, but would love to hear a bit from the community on their experiences!