Stupid question, but is openssl able to perform non -HTTPS requests?
Saturday, May 9, 2020
Dealing with legacy apps - vm or remote desktop?
I run a small business (8 staff including my self), we run 2 servers at the physical office. We don't really need the servers to do much except to act as a backup for our google drive and running as host for two very old legacy apps.
Since the COVID lockdown, we haven't had too much issues since most of our work can be done over the cloud (the apps we use most regularly are cloud based - think quickbooks online, etc).
Unfortunately, more recently, these two apps have experienced a surge in usage (the two legacy ones that require local hosting).
My solution right now is pretty much a band-aid one, I just ask my employees who need to use these apps, to remotely access their work pc from home (We been using the Chrome Remote Desktop).
Few obvious issues and concerns so far - security, and Chrome RD just haven't been a good experience (lack of a lot of functionalities).
Possible Solutions: I am looking for a better way to solve the above issue.
Solution 1 - I started trying out paid applications like Team Viewer/Gotomypc (both lags and costs very high for 5+ machines). Does anyone have better recommendation for a RD app?
Solution 2 - one of my servers have decent spec, and I bet could handle running VMs. Would it be possible for my employees to access this server and run vms to access the apps? Can I just use the Windows Hyper-V? (this server is running 2016). My follow up question on this would be, it possible to set up a URL that my staff can access via browser to access these VMs?
Appreciate any comments or guidance (or i posted in the wrong sub, please let me know).
Thanks
Equipment recommendations for moving away from UBNT gear
So, we've been selling UBNT gear for the longest time as we've found that in the price bracket, there are few competitors while at the same time the gear is good enough that it can give us "good enough" performance for clients that don't want to pay too much in small-medium office settings. We use their access points/switches (never routers/firewalls) and the camera gear. The fact that their cameras included "free" NVR and the networking gear included a "free" controller was a nice touch.
But as with all things, it appears when it is "free", you are the product.
The last few firmware/controller releases, UBNT has been collecting telemetry, first starting without making it obvious to us that they were doing so. It was an opt-out rather than an opt-in. The most recent release, they've begun collecting even more data and making it very hard to stop it. My concern is even if I stop it, there is nothing stopping them from pushing out another update that collects more data.
https://www.reddit.com/r/Ubiquiti/comments/gfxwsw/new_firmware_for_unifi_line_431311253/
Since I care about my privacy, I must investigate other options that fit the bill. Historically we have stayed away from many "industry standard" gear like Cisco/Ruckus due to costs, but now that may be justified.
What equipment (switches, access points in the 1st instance, ip-cameras & NVR software in the 2nd) would you suggest to someone that wanting to no longer use UBNT gear?
Our key requirements (in order of importance) are:
- Equipment performance & stability
- Ease of management (central management ideal, but not essential)
- Available at a price point that won't get us laughed out of small businesses
Thanks for reading.
Looking for rugged LTE/ WiFi network deployment case
I am looking for a pre-built LTE/ WiFi solution for less than 5 devices to connect to, all packaged in a rugged travel case with the priority being the ability to use external antennas for strong coverage that can pack away in the case.
I am not looking for high end or bonded solutions as I want to keep the budget limited and I only need minimal speeds (under 10Mbps).
The idea solution would include a battery (ideally 12-14hr run time)/ AC plug option and LTE modem that is not locked to a specific carrier.
Happy to build the system myself if I had a parts list.
Ubuntu GRE Tunnel - Not Reachable
Hello,
I am having trouble routing my game-servers through GRE.
What I am attempting to do:
I have a DDoS Protected IP from a service known as Vultr. I am attempting to route my game-server through the DDoS Protected IP from Vultr with a GRE tunnel. (I am running the Pterodactyl panel).
Here are the commands I have run on both servers:
VPS (w/ DDoS Protected IP Address):
- echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
- sysctl -p
- iptunnel add gre1 mode gre local UNFILTERED_IP remote DESTINATION_SERVER_LOCAL_IP ttl 255
- ip addr add 192.168.168.1/30 dev gre1
- ip link set gre1 up
Destination Server (Game Server Host):
- echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
- sysctl -p
- iptunnel add gre1 mode gre local DESTINATION_SERVER_LOCAL_IP remote UNFILTERED_IP ttl 255
- ip addr add 192.168.168.2/30 dev gre1
- ip link set gre1 up
If I did not provide enough information, please let me know and I will update the post ASAP.
ANY Help is appreciated; Thank you so much!
Wireshark Filters as Recommended by the Experts
18 Wireshark Display Filters Network Analysis Experts are Using
I saw these and they are a must have for any Wireshark filter list.
Where/How to learn more on Network Operating Systems?
Hi all,
All the apologies out of the way first. Apologies if this has been answered before but my Googlefu is particularly weak this evening. Apologies if there is a subreddit that is better suited to this question.
My question centres around how the Network Operating Systems are built. The IOS, JunOS, EOS so on and so forth. Now, I am thinking it is heavily down the computer science path and similar to programming any OS, Windows, Mac, Android etc. However I haven't been able to find definitive answers and my online searches take me from ARPANET to Novell to MacOS (none of them have been thorough either).
Is there any specific site or really, anything? I'll take whitepapers or copies of old NOS code at this point. I am keen to learn more but I don't really know where to start.
Thanks
TL;DR - I like Network Operating Systems where can I learn more?
Why are MPO-12 connectors required for 8-strand optics? Is MPO-8 not supported, and if so, why?
It seems wasteful to have 4 fiber strands that would be unused in this case.
Buggy Android Devices Causing Havok!
Hi Everyone.
I have inherited some Buggy Android tablets and they are causing me a massive headache.
Every so often, a couple of tablets at random will start flooding the network with ARP broadcast requests. There is no pattern to this. I have even factory reset a few and they still persist.
Is there anything I can enable on the switches (HP OfficeConnect) or ruckus wifi to help mitigate this? Unfortunately the network is a flat /22 so when a few of them get chatty, it causes a massive storm. There aren't any STP loops, the devices just spam requests out for what looks like every IP in the /22 network.
Any help would be greatly appreciated.
Benefit of IPS on SRX acting as Perimeter Firewall
Hello,
Since SRX has the antivirus feature and it's acting as a perimeter firewall, is there any real benefit activating the IPS on it? knowing that the antivirus profile is enabled.
As per my experience, they usually enable the IPS feature on data center firewalls.
SRX DHCP client renew the 'old' way
How do you get an SRX using the 'old' dhcp daemon to renew the dynamic IP on its outside interface?
request dhcp client renew all
is the new way which does not work with the older dhcp, but I can not find any reference to how to do it the old way. I have disconnected the interface and restarted the dhcp service but neither causes a renewal.
I am trying to get propagate-settings to work so that the DNS servers that my outside interface gets from its dynamic IP from the upstream dhcp server will be set in the global settings of the dhcp server running on the SRX and available to my internal clients in the dhcp options they receive.
I configured dhcp server on my SRX320 in "system services dhcp ..." which is apparently the older of two ways that it can be done. I forgot the 'update-server' directive on the interface and now that I have added it, I think I need to get it to renew the IP so that it updates its dhcp server with the dns server ips.
Thanks,
--BobG
Global Protect VPN with two ISPs
I’ve got a pair of HA 5250 Palo Alto Firewalls that connect to a set of IRF linked HP outside routers and then to our ISPs, we have two that are the same size pipe and one router connects to one CPE and the other data center to another. We let it free flow with BGP and it’s been working pretty well the last 8 months.
The issue I’m noticing is when I drop out one of our ISPs for maintenance, the VPN client using that ISP doesn’t notice it went down and users can’t connect to our resources. Is there an easy way of link monitoring or setting within the PA I can do between the outside router (which would know the cpe is down) and firewall to force the client to reconnect?
What is the point for core cross connects
Would anyone be able to help me understand the point of directly connecting a redundant core switches?
We currently have a redundant core/distribution 3850s 24XS stacked with a 4 members in each. I was also just wondering the best way of connecting these together. Should we just connect one 10G link between stacks? or should we create an ether channel and create multiple direct cross links? or just let it run through a downstream access switch?
Any help would be greatly appreciated.
Need help trying to network two PC's to external hard drives
I have a problem. I have a desktop and a laptop. Both my desktop and laptop are in my home office and the desktop is where i have 2 external hard drives connected to it. I am wanting to have it so that I can network the laptop as well to both of these drives, so that I can read and write files to these two drives just like I already can with the desktop.
I followed this advice but I can't get it to work.
https://smallbusiness.chron.com/two-computers-one-external-hard-drive-56819.html
I have the first PC (desktop) set up like in the link saying to but when I go on the second PC (laptop) it doesn't see the first computer in the network menu.
I didn't think it was this difficult to network two computers to be able to access the same ext drives.
TIA
Big Sporting venues WiFi question. How can a network serve such a large guest population?
We have a sporting venue with 60k seats. With back of house and office space, total clients are around 61k. During an sporting event even if only 10k people are simultaneously connected to WiFi, with 2 mbps speed, that is 20Gbps throughput. Our internet circuit is only 10 gbps. How does the network handle this load? The WAN interface, I have never seen more than 40 percent utilization. How is this even possible? Is there some kind of internal cache goin on so that end user is not getting out everytime for his content?
SRX Destination NAT - why does pool include port?
At home, I only have one dynamic public IP to work with so I am figuring out destination NAT.
The juniper wizard produces config like this to forward a single port to a host inside...
``` pool 172_16_22_101_443 { address 172.16.22.101/32 port 443; } ... rule 0_Web_Server--DMZ_443 { match { source-address 0.0.0.0/0; destination-address 0.0.0.0/0; destination-port { 443; } } then { destination-nat { pool { 172_16_22_101_443; } } } }
``` Why does the pool include the port? Isn't it sufficient that rule matches the port?
The reason I ask is that I am writing config to dnat a two port service and the pool statement does not allow multiple ports but I can leave out the port. The rule match clause does allow multiple ports. Is there a problem if I do that?
Thanks, --BobG
Route lab traffic through vpn adapter of windows client
I have a test network with domain controller, clients and pfsense firewall. The whole lab setup is on hyper-v running on my laptop.. The pfsense firewall reaches the internet using the hyper-v virtual switch connected with the wifi adapter of my laptop. My laptop is not hardwired to the home adsl router and connects to the internet using the wifi adapter. I also have a commerical windows vpn client on my laptop. Would it be possible to route all traffic from my pfsense firewall to go through the vpn client of my laptop rather than directly to the adsl router to the internet.
What's a basic run down of how iBGP routing works?
I'm having a hard time finding details on internal BGP, mostly finding explanations for external BGP.
Say a user on ISP X is connecting to a server also on ISP X's network to download a file, what would the basic steps of this routing process be? I understand that in eBGP the autonomous systems will communicate the subnet reachability information with neighbouring autonomous systems and then send that information to the internal routers of the AS, but how does this work internally if both machines are using the same ISP in say the same region, as thats one AS (I think)?
I'll appreciate any help.
GPON - ONT/ONU in Status O3 should it work?
I thought I post that question here, because I thought it would be too technical for /r/HomeNetworking. Feel free to delete it if it doesn't fit in here.
I have been reading up a bit about GPON and the G.984.3 specification. So if I understand it correctly to set up the line with the OLT it goes through the states 01-05, where O5 is the operating state.
So far so good.
Now I noticed that for 2 months now (according to the manufacturer - this might be untrue!) my ONT at home is operating at the O3 state (serial number state, waiting for ID/authentication).
I couldn't find if the state 03 is a working state (but the OLT is not assigning an ID/no authentication with the whitelist) or if an ONT in state 03 means that the line is not set up correctly and it shouldn't work.
Maybe someone has an idea, I'm pondering over that for a while now.
Juniper EX4200 not detecting physical link
What's up people?
I have an issue configuring a trunk between a Juniper EX4200 and a Cisco 4500. On the Cisco device, I have link lights and the trunk is up. However, on the Juniper side the port is stuck in admin up / link down. I've swapped out cables and tried 8 different SFPs but cannot get the Juniper device to recognize the link. It sees the SFPs because when I remove them the port disappears from the config and reappears when I reinstall it. I have very little experience with Juniper devices. Any ideas?
Recommended Firewalls for SSLVPN
What enterprise products would you guys recommend for SSLVPN? We are a Cisco shop and both ASA and Firepower couldn’t do its job properly. We have a FP2130 and it says it can do as much as 7500 remote connections (of course we know it’s not possible) but at 680 users we are hitting 90% CPU. Not even 10% of their documented throughput. Problem is due to compliance we are seldom allowed to do split tunnels. So we are looking if there’s a good product (for sure there is) that can do up to 5000-6000 users. Our ASAs are no good as well. I have heard good things about Fortinet FortiGate firewalls. Are they really good as they say that it is? TIA.
Why doesn't Cisco make 10GBASE-T SFP modules?
10GBASE-T over Cat6/Cat6a is very much a thing and many Cisco Nexus switches support it natively on their built-in RJ45 interfaces... so why doesn't Cisco make 10GB RJ45 SFPs?
Friday, May 8, 2020
Does an IRF stack (to use HPE terminology) provide adequate resiliency for a cluster of VMware hosts?
Apologies if this sounds more like a question on an exam. I’ve been in IT for about a decade and exposed to most common infrastructure but more managing and maintaining than designing. I wanted to expand my knowledge a bit.
I’m just curious how the general perception is on core switch redundancy and whether the board feels an IRF stack (or whatever the Cisco equivalent is) provides enough resiliency for running a cluster of hypervisors assuming each host is connected to at least two switches in a stack? Also whether or not using two separate blades in a chassis would be a better or worse option? It’s something I’ve seen a lot in campus type scenarios. What are the chances an entire stack or chassis would fail?
What would people recommend as an alternative? Two completely separate stacks? Stretching the cluster over multiple stacks / chassis? Interested in hearing some opinions / best practices on this. I imagine cost is the limiting factor in a lot of this as well.
Cisco RPL - am I doing something wrong?
Not sure if this is the right sub.
I have a route in my ibgp table, for a clear example lets say 192.168.0.0/24. This route has a community applied to it on import elsewhere in the network and this route and community is visible on the router I am applying the below export policy:
if destination in (192.168.0.0/24) then
pass
elseif community matches-any community1 then
drop
else
drop
endif
end-policy
My understanding of RPL is that a pass ticket defeats an implicit drop unless a drop ticket is added later in the sequence. I would have expected this route to be dropped on export as it's associated with the aforementioned community, however it isn't. Do I need to specifically match on the prefix AND community in a single if statement?
Cheers
Online courses with demos and hands-on labs on Windows Server, Azure Microsoft 365 and Docker
AT PROMO PRICE $9.99 FOR THE NEXT 6 DAYS
I will be constantly updating the links in this post to reflect the latest and current discounts.
Windows Server 2019 Hyper-V, Storage, Clustering and NLB
What you'll learn
- Design and implement a highly available, modern datacenter
- Plan and implement a highly available disaster recovery solution for your Datacenter
- Gain the necessary skills to implement a load balancer solution for your web apps or frontend workloads
- Create highly available Failover Clusters for your critical workloads including Storage Spaces Direct
- Master all the skills you need to properly manage your failover clusters
- Explore all the ins and outs of the Hyper-V hypervisor along with its new features introduced in Windows Server 2019
- Explore the built-in monitoring capabilities of Hyper-V on Windows Server 2019
- Master the skills you need to manage VM movement within a cluster
Description
Windows services these days almost never stand alone. Our need for always-on applications means that just about everything you manage must be made highly available. The need for always-on applications in this day and age is at an all-time high, and so is the need for high availability technologies. This course explores preparing, configuring, and managing high-availability technologies in Windows Server 2019 and at the same time preapres you for the 70-740 MCSA exam, covering all the topics.
COURSE OBJECTIVE
This course explores a range of high availability technologies available in Windows Server 2019 for Hyper-V, as well as other common Windows services. You'll explore the preparation, configuration, and management of Windows Failover Clustering, both with and without Storage Spaces Direct. Later, you'll delve into Storage Replicas, Hyper-V Replicas, Network Load Balancing, Shared Nothing Live Migration, and Stretch Clustering, among a range of supplementary out-of-the-box technologies for Windows workloads. You'll also extend your skills by implementing and managing Failover Clusters and Storage Spaces Direct, and you'll manage VM movement in clustered nodes.
By the end of this course, you will have the foundational knowledge to be able to implement a highly available Windows Server 2019 environment like a pro.
APPROACH
The course takes a hands-on approach with practical demos on each topic performed in its virtual labs. It is recommended that students build their own lab environment (as detailed in Section 1 of the course) and follow along with the demos. The course offers hands-on instructions, interesting and illustrative examples, and clear explanations of each topic.
Azure Administrator Associate AZ-103/104, with hands-on Labs
This course is a complete preparation for the new Azure AZ-103/104 exam. ( Including hands on Labs)
The opportunity in cloud computing is clear. Most companies are implementing or investigating how to implement cloud technologies within their operations. Don't be left behind. Be ahead of the curve by getting Azure certified, and be ready for the opportunity to advance your career.
All video lectures will cover all AZ-103/104 exam topics and include hands on demonstrations on each topic.
The course has been structured to follow the exact official Microsoft training plan. So if you want to pass your exam on your first attempt hit the enroll button now and you will get:
- Video lectures on each topic of the exam with demos that fully prepare you for your exam as well as ensuring you can administer Azure like a Pro
- Review questions at the end of each section (quizz) to test your knowledge on the topics learned in the section
- LABS at the end of each section. The labs follow the official Microsoft training labs and they are designed so you can practice yourself at your own pace when you aren't watching the videos. You will have step-by-step instructions available to complete each lab and ARM templates to prepare your lab environment and deploy the necesarry resources for the lab with just a few clicks of the mouse (so you don't need to do it manually)
- Links to official Microsoft resources/blogs/videos for further documentation available for each lesson on each topic
Microsoft 365 Fundamentals MS-900, with hands-on Labs
Learn the fundamental concepts and advance your career with a high paid job as a certified Microsoft 365 Administrator
This course is a complete preparation for the MS-900 Microsoft 365 Fundamentals exam. ( Including hands-on Labs)
What you'll learn
- Understand cloud concepts
- Understand core Microsoft 365 services and concepts
- Understand security, compliance, privacy, and trust in Microsoft 365
- Understand Microsoft 365 pricing and support
Implementing Docker Containers with Windows Server 2019
What you'll learn
- Deploy containers with Docker on Windows Server 2019
- Prepare for the Microsoft MCSA 70-740 exam
- Container management and resource management
- Preparing hosts on physical and virtual environments
- Installing and creating Windows containers and Hyper-V containers
- Pulling, pushing, tagging and removing images
- Building custom images
- Working with Powershell, Docker daemon and Azure
- Managing container networking
- Managing data volumes, resources and repositories
COURSE OBJECTIVE
The primary objective of this course, is to introduce you to all the features and functions of implementing and managing docker containers on Windows Server 2019, and at the same time prepare you for the 70-740 MCSA exam.
Knowing how to implement and manage containers on Windows is helpful for any IT professional looking to build new skills, get a promotion or a new job.
You will learn all the below and much more:
- Deploy containers with Docker on Windows Server 2019
- Container management and resource management
- Demonstrations for every lessons so you can follow along step-by-step
- Preparing hosts on physical and virtual environments
- Installing and creating Windows containers and Hyper-V containers
- Pulling, pushing, tagging and removing images
- Building custom images
- Working with Powershell, Docker daemon and Azure
- Deploy container hosts in Azure
- Managing container networking
- Deploying Software Updates
- Managing data volumes, resources and repositories
- Much more...
The course will take you by the hand throughout the course, via live demonstrations on the latest server operating system Windows Server 2019. Just follow along and practice your new skills.
When you are finished with this course, you will have all the necessary skills and you will be able to implement and work with containers technology, which will help you in your IT job or when interviewing for your new job.
ARE YOU READY TO LEARN DOCKER CONTAINERS ON SERVER 2019?
Please press the "Take This Course" button and start learning 2 minutes from now!
Microsoft Enterprise Cyber Security Fundamentals
Introduction to Enterprise Cyber Security Fundamental Concepts (Network security, information security, OS security,etc)
ISP Switch ports
We have two routers connected to our switch, and one connection from our switch to the ISP switch port (RJ45). We are in the /29 subnet. I've asked the ISP to enable one more (RJ45) port, so I can eliminate our switch, but they said that if this is done, the D/U bandwidth will be split in half for each port.
So my question is, is the ISP playing with me, or they really cannot specify the bandwidth on the fiber optic port?
RSVP TE For Internet Destinations
Question about using RSVP-TE for routing internet traffic. We have a service provider router with several internet circuits that all use traditional MPLS with LDP for routing all traffic, following the IGP. If we have one large circuit, can we implement RSVP TE to route only this one circuit to a particular POP router for all internet destinations or would all internet circuits take that path?
Forwarding RADIUS Accounting to Content Filter
I'm just going to cut to the chase. I have a Windows Server 2016 Datacenter edition that is refusing to forward RADIUS accounting packets to a content filter so that the content filter can know who is logged into the wireless and apply their correct filtering policies.
I have gone through and added the Content filter in NPS as a Remote RADIUS Server Group and then added that remote RADIUS server group to the Accounting setting for the Wireless Connection Request Policy for the wireless connections.
I've fired up Wireshark and there is zero traffic going in or out of port 1813 (RADIUS Accounting). Can anyone think of any reason why my server is refusing to forward RADIUS accounting to my content filter? I have verified that no packets are going across to my content filter another way by running a tcpdump on the content filter and it isn't picking up any packets through port 1813 either.
802.1 x authentication
How authentication could be held on the Cisco hierarchical (three-layer) ? If the network has RADIUS server on core layer and separate broadcast domains with multiple access switches connected to the multilayer switches?
Cicsco PRIME-
I am having some trouble using Configuration archive on Cisco Catalyst 9200L Switch Stack.
It's says Archive avaible : No.
Any idea how to fix this little problem ? :)
Survey NSM
Hey guys, for my thesis im doing a project around NSM and FPC.
I was wondering if anyone was interested in participating. I know it can be annoying doing these surveys but you're really really gonna help me out.
This is the link to the form, https://forms.gle/hvbrDJsr6zWJNpHx7
Thank you so much!
K
Cisco asa 9.6 to 9.8 now shows FXOS?
Hi,
We upgraded our ASAs from 9.6.x to latest 9.8.x and now the « sh version » shows Firepower extensible os... is that a wanted behavior?
We don’t use sfr nor any other module.
« sh module » show all the modules disabled.
Using a few Asa 5525x
Thanks
Alternative to TCP-IP Illustrated Book By Richard Stevens?
Hi, First I'm sorry if my question might sound a bit dump, I'm new here.
I was always interested in pen testing, I have put a lot of effort into learning Linux, Metasploit, networking basics. I hear some people talking about ''TCP/IP Illustrated'', saying it's one of the best books to learn TCP/IP protocol suite. However, it's really difficult for me to read it since English isn't my first language, it's worth mentioning that I didn't find any books in Arabic.
So, I'm asking if there is another option, maybe a book with less complicated words, or even videos?
Best way to give a host internet access through a kvm virtual machine.
Hi guys. I have an intel router with linux debian installed and 6 gigabit interfaces.
I configured a anonymous bridge (wanbr) and attached one interface to it to act as a WAN port. I also configured another anonymous bridge (lanbr) and attached 4 interfaces to it to act as a LAN switch. Then I instantiated a opnsense VM and connected it to that two bridges. The VM worked as expected. So far so good.
I left one interface for the host, configured with a dhcp server to give me access to the bare metal if something happens to the VM. Now I would like to configure on the host a default route to get internet through the VM. By doing that I will get connectivity and packet filtering for the host and for the device connected to that interface.
Problem is that, as the LAN bridge is configured as anonymous (L2) to give the VM the possibility to change subnet addressing without having to change anything on the host system, I am unable to add a default route without specifying the gateway.
What would be the best solution for this scenario? What do you think?
``` WANBR |- eth0 |- vnet0 (opnsense)
LANBR |- eth1 |- eth2 |- eth3 |- eth4 |- vnet1 (opnsense)
eth5 (dhcp-server) ```
Asking for high school network architecture recommendations
Hello,
First, I'm so sorry for some stupid questions I may ask. I'm doing my best at my level of knowledge.
I'm working for a year now in a high school, and we plan to change our network infrastructure. From the opening 20 years ago (that was a small high school at that time), it has been a flat network. It is now fragmented into VLANs (into the same network, yes), and thanks to Huawei hybrid vlan, we can say "that vlan can communicate with that vlan, but not with that vlan, even if they both are in the same network". But it's a "all or nothing", of course as it's layer 2 we cannot filter on ports.
This brings us great performances as it's a full layer 2 "network", BUT it's a bad security option, and it's quite horrible to manage.
I would like to transform this in order to have a more standard topology, easier to understand, to manage and with as good performances. Here is what we have in terms of needs:
- 2500 students
- 20 classrooms with around 40 computers per room, those classrooms are in 3 buildings (8 - 8 - 4) within 5000m²
- 50TB iSCSI shared by multiple active directories (SMB, complex NTFS rights) to those 800 computers
- This 50TB SMB share is also shared by SFTP on the internet through another dedicated server
- There is multiple licences servers
- We need a great bandwidth between those 50TB share and computers, big amounts of data are transferred as it's mainly 3D projects,...
- There are also multiple (around 20) web servers/dbs for high school services
- Computers within a classroom can communicate together, but can't communicate with other classrooms
I already checked the most popular options for big networks:
- 3-tier topology: I've got shared feelings because of this:
- Aggregation layer, that is meant to route trafic beneath the aggregation switch L3 wouldn't route anything as there is anything to route between classrooms
- I don't know where I should put servers:
- 50TB Share at core layer for better performances? But It may be better to evitate coming to the core to access a file share? So not the ideal topology for our use case?
- Should the other servers be under a distribution switch?
- Spine-leaves: Seems too complex and not suitable for our use case (also very expensive)
- I guess we can have something easier for such an easy use case: 800 computers must access to one share with great performances, to internet and to multiple licences servers.
We also had a question about DMZ: In our case, the SFTP server that shares to the internet our 50TB iscsi should definitely be in the DMZ. But this SFTP server is linked to a SMB share, which is shared by a DC, which is linked to the iSCSI. Should that DC be in the DMZ? That would make no sense to put a DC inside a DMZ, but then I don't see how to publish on this share on the internet without having such a security issue.
Thank you VERY MUCH in advance for all your recommandations and ideas.
Moupsy.
How to configure ngnix server in a wifi router?
Is it possible to install an ngnix server(proxy server) in a wifi router to block sites and IP addresses
How to learn more about mobile (3G - LTE - 5G) core network engineering?
Hey, I'm interested in studying how a cellular provider works, focusing on the areas of the core network and everything related to how a cellular client gets to the internet - what are the components of that process, which protocols are involved, and in general on what is the usual architecture / network design used for that purpose. I'm less interested in RF and everything related to what happens between the device itself to the RNC / MSC.
I'm of course interested in both 3G and LTE (and the differences).
Are there any recommended books, video tutorials or certs focusing in these areas?
Issues with multi-area ospf and spanning tree?
Hi, despite coronavirus I still have to do my university coursework but I have less access to resources during this period so I'm hoping someone here can give me a hand maybe :)
Firstly the topology: https://i.imgur.com/2C5xUSU.png
secondly, some context. I've setup multi-area ospf for this network along with spanning-tree at the switched core. The ospf is split into 8 area with the core being area 0. The rest of the areas are the parts with end devices and the serial links between the routers.
Lastly the problem. Whilst i believe I have setup everything correctly my end devices on the far right cant ping past the router or into the spanning-tree section. router_inverness has no problems pining the routers on the right but it cant ping the end devices either. Im sure i've just completely missed something but its worth a shot posting here to see if anyone has any ideas.
I really appreciate any help or advice in relation to this.
Thanks, David
How does TAC support for pay-by-the-hour CSR1000V at AWS work?
Anybody using (or selling?) TAC support for CSR at AWS?
Apparently Cisco TAC support services for the pay as you go CSR is available for purchase through any Cisco Partner.
From reading further on that page, it looks like there are SKUs for various throughput levels and AWS instance sizes.
So... How does this work? Buy the contract and then attach an AWS UDI key?
Is there a way to handle ephemeral-ish CSR workloads? Like an auto-scale group for DMVPN or AnyConnect?
What if I do upgrades by replacing one CSR instance with another running a new software release?
The support situation here is kind of interesting... This is the only case I can think of where you license IOS(XE) with bug fixes independently of TAC support. (Yeah, I think that other thread shouldn't have been locked... Lots of interesting space to explore there.)
Is it possible to resolve/map an IP address to another address
We have some OVA appliances deployed which have been configured with the wrong DNS servers. Vendor has told us that we can't change them without wiping the appliances.
I am wondering if it's possible to map an IP address to another address? Sort of like the host to IP mapping in /etc/hosts -- or is this insane?
Thanks.
Cisco vs ?
I was about to buy some cisco gear but heard last second about their fraud business scheme called "service contract" etc. to prohibit firmware updates, maximize waste, environmental and safety hazards. The same bs HPE is doing. I hope those people goes extinct very soon. Anyway
As I do not want to support fraud, I need something else than cisco. What I need:
-
Support for products. If I buy a product, I expect it to work without extra payments
-
Enterprise grade hardware (obviously)
-
Overall stability, price is not an issue but I am not buying from cisco or similar fraud companies.
What other brands are there? Enterprise seem to equal fraud but there must be a good company out there?
Edit: typo
SQL Server Connection fails "no trusted domain"
Hello,
I have a PC on my Network running an SQL Server, now i am trying to connect to this SQL server using another PC.
The Problem is, that i can send a ping to the PC and the PC also respondes to the ping, sdo ADO and DAO request are both working. But if i try to connect to the SQL Server i get following error message:
"The login is from an untrusted domain and cannot be used with Windows authentication"
i went to system control to see what the domains are for the different pcs.
the pc with the sql server on it does not have a domain but it is in a workgroup named WORKGROUP same is for the other PC. could this be the problem?
I dont really know how to fix the problem bcs i an not very good with sql servers and networking, so i hope one of you can help me.
i hope i gave you enought infos but if not you can just ask me in the comments and i see what i can do for you.
Help would be very appreciated.
Thursday, May 7, 2020
Sonicwall zone reassignment from LAN to VPN
I’m running a site to site VPN between a VMX100 and a Sonicwall.
The Sonicwall subnet that I have participating in the VPN is in the “LAN” zone, which is unencrypted, and I need to switch its zone to “VPN” so that it will be encrypted or else traffic won’t flow.
Will switching the subnet’s zone from “LAN” to “VPN” kill the existing connections or cause any problems? It’s a remote site so I can’t just flip the switch and test it.
VoIP Softphone over VPN
I’ve got Avaya Softphones installed on laptops with a software vpn installed. Are there any settings that would improve call quality. Some calls are perfect and others can be garbled. Is that just the best voip can be over a software vpn?
I’m looking at testing QOS GPO settings tomorrow but not sure if that will help at all. I also wondered if using an IPSec connection for the vpn would be better then SSL because of the lower overhead.
Any other good tips or things I should look at would be great.
I’m also considering just getting cell phones for everyone but it would be cool to use the softphone because we already have a VPN and Softphone licenses.
Blogpost Friday!
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.
Feel free to submit your blog post and as well a nice description to this thread.
Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.
Cisco ASA as anyconnect server only behind PAN firewall
Hey all, probably going to sound like a fool because I have zero experience with ASAs.
Basically, I'm trying to setup an ASA 5585-X to only act as a anyconnect server so people can access our internal network. I honestly have no clue on how to do this due to the fact it's behind a firewall already(PAN)
Anyone have any ideas on how I would configure this? I've tried googling but I don't think anyone has been weird enough to try this sort of setup.
Thanks.
Cisco 9200 default gateway
Am I the only one who couldn't get his first 9200 talking to the rest of the network (with its own IP address), because I didn't realize it required a default gateway to be set?
I just assumed the 9200 series was a (much nicer) 2960X, so I configured it just like I would one of those, and had a heck of a time connecting to it unless I was on the same subnet...
Trying to run a game server but my authentication port is flooded with udp requests from random ips?
So my authentication port for my game is being flooded with udp requests from random ips in europe and whenever they are blacklisted a new one pops up shortly after. This causes no one to be able to join the server. The server is hosted on vultr.
It's a small game server and not enough to attract serous attention. Is there anything I can do to stop this?
Thank you in advance!
Does Windows Server 2016 RRAS support two-factor authentication?
Hi, I wonder if anyone could share their experience / opinion about integrating two-factor authentication into Win2016 RRAS? We have been using simple L2TP for few remote users over years. Due to our business nature, we don't heavily rely on remote access, until the recent shelter-in-place. And we foresee that it could become "normal" down the road so we wanna a better protection.
I never did that before and Google search brings me a lot of info. Look like MS doesn't have one native come with RRAS. I saw few 3rd party options like Duo, or SAASPASS. But I have zero experience so I am looking for some. Hopefully, it would be just like FB, whenever the RRAS detects a login from a new IP, it sends out a txt, or email, or asking for the 6-digit code like Reddit does. We are not looking for a big complicate system. We have around 200 users in office. But during the normal time, we might have only 5 random connection over a month. So I am sure my boss will not want to pay monthly for this, but paying by connection license would be an option.
Some of you might agree with me. By working with some old age top management, it is very difficult to convince them making a 8-chars password would be much safer than just "1qaz". Yes, my boss never implement password enforcement policy as 99.9% of logins would be on LAN only.
Thanks to all. All inputs would be welcome.
Vendor wants to put Meraki VPN Concentrate behind our firewall
Hey all,Long story short a vendor has a user in our network that goes out to a publicly accessible Citrix environment on their network, but it's broken as hell, so they want to just ship us a Meraki VPN concentrate, have us put it behind our firewall, and then work on routing necessary traffic through it.
I have not done that before and while it seems pretty straight-forward we like to try to keep it really tight here due to the nature of our business (healthcare). Any concerns with this I should be aware of?
I'm trying to put my foot down and get them to just fix what they broke, since it was working at one point, but so far no such luck.
EDIT: ***concentrator, not concentrate. typo.
ISP has DNS addresses pointed in the wrong direction
If this isn’t the right place to post this, please let me know. I am an individual, not a network technician or administrator, but I figured you guys would be the best people to ask. I signed up for spectrum a couple of days ago and none of my devices are able to get outside of my internal network. If I run an IP config in command prompt, it shows that I’m connected to spectrums network, I have a WAN IP address, but nothing seems to be able to get out of my network. They can see my modem and it shows it’s connected. If I just do a very basic troubleshoot, windows tells me that there is a DNS issue. Every time I call spectrum and mention this to them they seem to be clueless. However, one customer service rep I talked to said that he went in to my modem and saw that the DNS addresses were pointing in the wrong direction. Now he told me that he changed the DNS for one specific IP address, so now the only thing that works on my network is my PC. If I hardwire any other device to my network, I get the same DNS issue. I called back and the next rep I talked to was completely clueless about what the previous one could have done. Is there anyone who might be able to tell me what that guy did, and how I could phrase it to the next customer service rep I talk to?
Ansible role for ASA DAP records
Hi guys,
I created an Ansible role to automate DAP policy creation. I wanted to post it here in case it helps anybody else out.
Obligatory use at your own risk. Cisco advises not to do what this role does (update the dap.xml file outside of ASDM), but it has saved me a heck of a lot of time and I haven't had issues with it yet.
Extending to support more options should be relatively easy, so if you have something that you'd really like to use it for that's outside the realm of the currently supported options let me know and I'll see what I can do.
Novice subnetting question
Doing some practice questions to study for a cert and one of the questions I was going through asked, "What is the first valid host address for a node residing in the 10.119.136.143/20 network?"
I came up with a network address of 10.119.128.0 and when checking my answer for the first valid host I noticed it was 10.119.128.1. Why is the answer that and not 10.119.129.0? Seems all the other subnetting questions I've answered up until this point just add a 1 to the "interesting" octet, but this one rolls over into the next.
Sorry for the dumb question!
Holy Shitsco
*using a different account for this to limit possible blowback
I just had a truly bizarre experience with a network security vendor and need to brain dump a bit.
Like many, I have a home lab that I use to keep up with emerging technology. I like to refresh my lab every 5-7 years and it just so happens that the Covid stuff was a perfect time for a refresh.
Along those lines I bought a brand-new shiny firewall (personal, not professional purchase). My intention was to use it as the default gateway for the lab and dhcp server for all the network segments. Also enable all the security filtering and app level security stuff just to experience it and be able to speak intelligently to it.
So, the DHCP server on this thing is laughably limited. It doesn’t allow reservations (what?!?!?) and doesn’t allow setting any DHCP options for NTP, TFTP, route insertion, etc. I just can’t believe this firewall from a tier 1 vendor is this brain dead so I start looking for answers and see that there is a full major version update of firmware available. So, I try to pull the firmware to see if it improves on DHCP services.
No dice, even with a valid brand-new registered firewall the support site won’t let me pull the firmware. I contact support and spend the rest of the day going back and forth. The answer I got from them completely blew my mind. The vendor will NOT provide firmware without a service contract except in cases where a major security issue is discovered.
I’ve got a few problems with that which I voiced:
-It creates an environment of diverse firmware levels across installs. While some may argue that this is a good thing, it is security through obscurity which is pretty universally accepted as a flawed security strategy.
-It encourages administrators to “let it ride” on updates for their first line of defense. They aren’t going to be constantly checking for updates if there is no expectation that updates will be available.
-Any product within 30 days of purchase should put its’ best foot forward by allowing the very latest and greatest version of that product to be used.
The vendor, as they tend to do, dismissed all of those concerns. Now, I try to be a straight shooter with my vendors. I wasn’t trying to throw my weight around and I intentionally left this part off until the very end of the conversation with the vendor because I need to experience how our vendors deal with our administrators without any special treatment. I happen to be the CTO for a very large state university in a very large state. I paraphrased all of the above back to the representative with the qualifier that, “I need to understand this and be clear on it because it will impact my recommendations for technology platforms professionally”. The vendor representative verified that all of the above was indeed the position of the vendor.
Realistically, the 1-year support license is about $100. It isn’t a huge deal, but the posture of the vendor is important. A security vendor is intentionally taking a position that makes their customers less secure, at least that is my opinion.
It just so happens that as a CTO I have been reviewing a $500k-ish conversion to this same vendors’ server offering. My official position up until now was, “the product is slightly more expensive but the technology stack is worth that expense”. That position changed to, “I think this vendor has lost their way on security and I have serious concerns about moving forward with their products”.
All I can say is, great example of penny ($100) wise, and a pound ($500,000) foolish. If you made it this far, thanks for listening and letting me vent.
TLDR; vendor doesn’t want you to be on the latest firmware for a week old security product unless you pay the support tax.
Help with Vlan creation.
Having some real problems with this set up/end goal.
Work has some areas that are pretty messy IP wise. So we want to clean them up with subnetting each area.
On the parent switch, I see this when showing vlan brief.
336 VLAN0336 active Gi1/0/5
so to me it seems like the Vlan is active and ready to roll. port 5 is the port I configured to access the vlan. So that checks out for me. If I run show inter vlan 336 I see what looks to be all good. The address is set and its reading up.
When I go to change the IP on one of the end devices im unable to ping the device. Is there a chance the IP is being used somewhere else and im running into that?
Any help would be awesome! Thanks!
Cisco Firepower 2130 w/ASA code and Microsoft Windows 10 VPN client (Always On) using IKEv2 w/AES-128 with Machine certificate authentication:
Cisco Firepower 2130 w/ASA code and Microsoft Windows 10 VPN client (Always On) using IKEv2 w/AES-128 with Machine certificate authentication.
Draft: #1
Hopefully this will help out anyone trying to get MS Windows 10 (always on) VPN working with ASA. I was having some issues online trying to find out more information on how to set this up. I got it working in my environment so figured I would try to share something I learned.
But Motavar why? Questions:
- Why Cisco ASA and not a MS VPN /RAS box. Unfortunately spinning up another set of VPN services results in additional systems to support. From servers, to network route changes, firewall changes, to border security, to ownership, documentation, everything. Sometimes it may be easier to point new VPN clients to an existing VPN headend (Cisco ASA) which is already setup.
- Why MS VPN Client. "Some People" wanted to move to Always on VPN over AnyConnect. Not my call..
Please Note:
- This documentation assumes your Cisco Firepower 2130 ASA is running 9.13.x code to support Appliance mode. I'm not going to go into details on how to do this..
- We are also assuming that under your "AnyConnect Connection Profiles" section you enabled "Allow user to select connection profile on the login page" is checked and you're using a custom connection profile for AnyConnect users.
NOTE: This is important since a custom profile for AnyConnect will make sure your users are not using the "DefaultRAGroup" for connetions.
NOTE2: 3rd party VPN clients such as the MS Windows 10 VPN client will be using the "DefaultRAGroup" for the connection. You have to make sure no other IPSec/AnyConnect clients will be connecting to this group. We are going to modify this for MS clients use only.
- We are assuming you rolled out Machine certs from a local CA. Also make sure your machine certs have a subject name field or else the connection will fail as the ASA uses the SN for tracking who connected. Without a Subject field you won't be able to connect.
- We are assuming you are using MS VPN Client for Windows 10 that supports IKEv2 w/PFS
- We are assuming most work is done in ASDM
Lets Begin!
NOTE: Some timers/settings may vary on your particular setup. So make changes as needed for your org. This is only a helpful framework to get you closer to getting your MS clients to connect. You know your environment so the changes you make and what you break... is on YOU.
Create a Group Policy:
------------
* In the ASDM go to the "remote access VPN" lower left menu then up to "Network Client Access" at the top tree menu and down to "Group Policies"
* In this example we are creating a Group Policy called "AOVPN" for Always On VPN.
So create group policy "AOVPN".
Inside of the policy setup set your max connection time to "unlimited" and Idle timeout to "30 Minutes"
* Setup your DNS, scopes, etc
IMPORTANT NOTE: This is required for PFS use: Failure to do this step will result in the VPN client failing to pass traffic after re-key event. The default MS VPN client IPSEC Child SA settings are 3600 seconds and /250000k.
* Go to Advanced section and down to IPSec(IKEV1) client. Enable PFS (perfect forward secrecy". While this is listed under the IKEv1 section it's actually used in the IKEv2 settings. Yah, Go Cisco!
Setup your IKEv2 Policies and IPSec Proposals
------------
* In the ASDM go to the "remote access VPN" lower left menu then up to "Network Client Access" at the top tree menu and down to "Advanced". Then down to "IPSec" tree item and down to "IKE Policies".
* Under IKEv2 Policies create an Entry as follows:
DH Group 14, Encryption AES, Integrity Hash "sha256" and Pseudo Random Function PRF hash "sha256" and lifetime 86400 seconds.
* Setup your IPsec Proposals (Transform Sets).
Go down a menu item to "IPsec Proposals (Transform Sets)."
Under IKE V2 IPsec Proposals:
create an entry with AES and Integrity Hash "sha-256"
Apply the IPSec Proposals to your Crypto Maps
-----------------------------
* In the ASDM go to the "remote access VPN" lower left menu then up to "Network Client Access" at the top tree menu and down to "Advanced". Then down to "IPSec" tree item and down to "Crypto Maps".
NOTE: This is important because while we created the IKEv2 settings they are not added to the dynamic crypto map for some reason..
* Find your "Dynamic: 65535.x" dynamic map for outside/inside and edit it:
Under the "Tunnel Policy (crypto map) - Basic" tab find the "ike v2 ipsec proposal" section and add in "AES-128/sha-256" IKEv2 proposal we created above.
* Put a check mark next to "Perfect Forwarding Secrecy " and select Diffie-Hellman Group: Group 14
Install your CA Certificate for Machine cert auth:
--------------
* From your Internal CA create a cert and install that onto the ASA
* In the ASDM go to the "remote access VPN" lower left menu then up to "Certificate Management"" at the top tree menu and down to "Identity Certificates". Pop in your cert and/or go up to CA certs and add it there. This is used for the machine cert authentication.
* Name the Associated Trustpoint something like "VPNMachineCert"
Setup the IPSec(IKEv2) Connection Profiles
-------------------------
* In the ASDM go to the "remote access VPN" lower left menu then up to "Network Client Access" at the top tree menu and down to IPSec (IKEv2) Connection Profiles".
* Find "DefaultRAGroup" and check the box under "IKEv2 Enabled".
Edit the "DefaultRAGroup" and perform the following:
-Check box next to "Enable Certificate Authentication" under the IKE Peer Authentication section
-Check Box next to "Enable RSA signature Hash" under the RSA signature section. NOTE: This is used when AES is enabled in the MS VPN Client. If using default settings in the MS Client I believe this may not be used.
- In the IKE Local Authentication section: Check the box "Enable local authentication" and select "Certificate". In the dropdown box select the cert we want to use.. the trustpoint name would be "VPNMachineCert" or whatever you called it.
- User Authentication section server group would be LOCAL
- Setup your DHCP stuff..
- Default Group Policy: Select the group policy "AOVPN" that we created earlier. Make sure "Enable IKEv2 Protocol" is checked below that item.
- On the left menu tree go into the "Advanced" section and down to "Authorization". Under authorization section select "use the entire DN as the username".
I believe no other settings are required so okay and exit out.
Enable Interfaces for IKEv2
--------------------
* In the ASDM go to the "remote access VPN" lower left menu then up to "Network Client Access" at the top tree menu and down to "AnyConnect Connetion Profiles".
* Make sure "IPSec (IKEv2) Access is enabled on your inside/outside intefaces. So check mark "allow access" and "enable client services".
* Find the "DefaultRAGroup" and edit it. Confirm the following:
Authentication AAA/Local group
Confirm client address pools
Confirm the group policy is still "Aovpn"
confirm "enable IPSEC(ikev2) client protocol is checked and DNS/Domain info is in there.
NOTE: Most likely all this was already configured under the IKEV2 settinsg from before but doesn't hurt to check it here.
MS Windows 10 VPN client.
---------------
* Windows 10 - in your search bar type "VPN" and bring up the VPN settings.
* Create a VPN connection
VPN Provider: Windows (Built-in)
Connection name "VPN"
server: your ASA outside IP /DNS name
VPN Type: IKEv2
Type of sign-in info: certificate
check box next to rememebr my sign-in info.
Save that
* Go into your Windows 10 settings section and find "Network & Internet"
Select "change adapter options"
Find your VPN adapter and right-click it:
go to properties and over to the "Security" tab:
under the "Data Encryption" section move the check box to "use machine certificates".
Okay out and save that
Final steps...
Now we have to harden/change the VPN setup to use AES..
MS Windows 10 VPN client (harden)
------------------
* Command prompt /admin time.. so launch a command prompt
* Launch powershell
* Enter the following:
$connection = "VPN"
Set-VpnConnectionIPsecConfiguration -ConnectionName $connection -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -Force
Launch the VPN client:
------------------
Click your windows network icon in the lower right and launch the VPN client and connect. Debug whatever you need to do on the ASA to confirm working.
AFTER TESTING CONNECTIVITY NOW ITS TIME FOR REVOCATION:
We save this for last since revocation can be a pita to test.
Setup Certificate Revocation
-------------------------
* Back into ASDM
* In the ASDM go to the "remote access VPN" lower left menu then up to "Certificate Management"" at the top tree menu and down to "CA Certificates".
* Find the Trust point for the Machine certs.. something like "VPNMachineCert"
* Edit the Trust Point:
under "revocation check" table enable "Check certificates for revocation".
Move CRL over to the right side.
* Under the "CRL retrieval policy"
Check box "use CRL distribution point from the certificate"
* Under the CRL retrieval method"
Disable LDAP
Enable HTTP
* Under the "advanced" tab:
update your cache timers. Mine is 60 mines
check box "enforce next crl update"
other options:
I have accept certs issued by this CA
Accept certs from the subordinate CAs of this CA
leave CRL check none: (we'll fix this)
And finally... to work around ADSM bug with Enabling the CRL check
-----------------
* SSH to your VPN gateway and enable yourself
* Config T
Enter into your trust point (example)
type: crypto ca trustpoint VPNUSER_CA
type: revocation-check crl
type: crl configure
type: no protocol ldap
Note: most likely no protocol ldap was already enabled but .. meh.. you have it again :)
NOTE2: Perform the steps above for any TrustPoints that have -1 or -2 or whatever else was created.
Revocation Time
------------
Have your server friends put your machine cert on hold.
Then have them push out the revocation to sub ca's
Then go into ASDM trust point and retrieve CRLS and confirm your client is blocked.
Then unrevoke, push out changes on server, retrieve CRLS on the ASA and test you can re-connect.
When Revocation/or un-revoke doesnt work:
------------------
When in doubt do the following:
Have the server team push out revocation changes to the Sub CAs or whatever they do (again).
Go into ASDM and over to the "Monitoring" tab at the top and down to "properties" in the lower left corner.
In the Tree menu find "CRL" and go into that section.
View ALL CRLs...
Delete /clear all CRLS
Go back to your trust point and update CRLs.
Test again after a minute.
Well.. I hope this helped someone?
I wish you all luck if you're crazy enough to do this..
And as always, stay safe out there and wear a mask :)
Cisco ONS 15454 - 100G licensing
Hello community,
After I tried to understand the datasheet, I'm having trouble understanding Cisco's 100G licensing on the LC for ONS 15454.
Can someone bring some clarity over this?
I would like to understand the difference between:
- 15454-M-100G-LC-C
- 15454-M-100GC-LIC
- 15454-M-LIC-100G
My main question is this 15454-M-100G-LC-C fully fonctionnal or do I need to purchase extra license on top?
Thank in advance,
Deploying Cisco 9200L switches
Hi!
We have a very limited time to deploy around 160 9200L switches across 80 sites. Each site is connected to our DC through MPLS and has a different subnet. I was thinking of using ZTP to automate the deployment with a python script but I read on the 9200L data sheet: "This feature is supported on C9200 SKUs and not on c9200L SKUs"... We also have a Cisco DNAC brand new, not installed yet.
I'm just an intern at this company but I want to help and LEARN as much as possible.
Will it be more efficient to install/configure the Cisco DNAC first and then use PnP / Templates in DNAC to configure these switches ?
How do you usually do these deployments ? Ansible, NETCONF, RESTCONF, Netmiko ? Lots of automation tools out there.
Thank you very much :D
Juniper MX104 how many VRF's supported?
I've looked everywhere but cannot find it documented. Does anyone know how many VRF's the MX104 routers support?
Thanks
Sophos XG330 VPN Performance?
Hi Guys
My company is considering installing a Sophos XG330 firewall. We are hoping to use the built-in SSL/IPsec VPN. Does anyone have any experience using Sophos firewall VPN's? I can't find much/any documentation on this device or the reliability of it. We are a company of about 150 users and a maximum of 50% would be actively connected at one time. Our needs are simple and this VPN is purely for encryption purposes.
Any suggestions appreciated! :)
wireshark: help to find cause of slow communication stream.
Hi,
I'm having a hard time setting up an application: A web server sends a command to a second server which in turn relays it using a different protocol to an endpoint. This process takes almost a full minute for something which should be a mere second.
When I manually generate a command on server2, the data is instantly sent and confirmation is returned in under a second.
Using wireshark I captures the packets on the second server to figure out what's going on:
- I filtered out all traffic that is not between server1 and server 2, there is a bit of TCP, but most of it is DCERPC.
- Timestamp shows the passed time since the last displayed packet: I see long delays (+20seconds) at some points.
- I went down the TCPstream until I recognized some of the packet bytes that contain the first command from my code which is meant for the endpoint. (packet #2020)
- I opened a tcptrace from server1 to server2 and found that this packet #2020 is sent 46 seconds after the TCP stream started.
- After the start of the TCPstream, I see a 22sec delay, some throughput, and then a delay again for 22 seconds after which the actual command stream starts and then finishes after 6seconds.
- Looking at the packetstream, each block of data (DCERPC protocol) that comes through is ended by a TCP ACK and then a long delay.
I don't really know where to go from here to figure out what's going on. Any suggestions?
Help with Syslog Setup on HPE FlexNetwork 5130 (JH326A)
Hey,
i am trying to setup syslog so that all logs the switch writes to its logfile (ports, dhcp, cpu, etc.) are also send to a remote syslog server. pls help with config :-)
Software version: 7.1.070
Resolving batch of IPs
Hi, I Have a list of about 300 IP addresses and am looking for a way to automate the lookup of the owner, the isp, the network it belongs to and whatever more information I can receive from such Whois request. Mabe there is a way to write a python script that throws the information in a file?
Wednesday, May 6, 2020
ASA - Why is my double NAT not working?
I have been running in circle for the past few hours trying to solve this. I have a ASA (SiteB) with two site-to-site VPNs connected to it:
SiteA and SiteC
Both site to site VPN are working fine. But I am trying to set up a double NAT hairpinning so that the devices at SiteC can reach a server at siteA.
SiteA servers: 10.10.x.x
SiteB devices: 172.17.1.x
SiteC devices: 172.17.2.x
Internal devices at SiteB can reach the server at SiteA using a double NAT, but when I use a similar double NAT for the traffic from SiteC, it seems like the ASA is only translating the source IP and not the destination.
Here's the config on SiteB ASA:
nat (inside,outside) source static INTERNAL-NETWORKS NAT-INTERNAL-NETWORKS destination static NAT-SERVER REAL-SERVER nat (outside,outside) source static SITEC-NETWORKS NAT-SITEC-NETWORKS destination static NAT-SERVER REAL-SERVER object network INTERNAL-NETWORKS subnet 172.17.1.0 255.255.255.0 object network NAT-INTERNAL-NETWORKS host 10.9.1.1 object network NAT-SERVER host 10.9.1.100 object network REAL-SERVER host 10.10.1.100 object network SITEC-NETWORKS subnet 172.17.2.0 255.255.255.0 object network NAT-SITEC-NETWORKS host 10.9.1.2 same-security-traffic permit intra-interface
This is the error I am getting in the log:
Duplicate TCP SYN from outside:10.9.1.2/56221 to outside:10.9.1.100/25 with different initial sequence number
Most likely caused by a loop on the outside interface. I don't get this error from devices on the inside interface.
This is the packet tracer results for devices coming from inside siteB:
Phase: 1 Type: UN-NAT Subtype: static Result: ALLOW Config: nat (inside,outside) source static INTERNAL-NETWORKS NAT-INTERNAL-NETWORKS destination static NAT-SERVER REAL-SERVER Additional Information: NAT divert to egress interface outside Untranslate 10.9.1.100/25 to 10.10.1.100/25 Phase: 2 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 172.17.1.254 using egress ifc inside Phase: 3 Type: NAT Subtype: Result: ALLOW Config: nat (inside,outside) source static INTERNAL-NETWORKS NAT-INTERNAL-NETWORKS destination static NAT-SERVER REAL-SERVER Additional Information: Static translate 172.17.1.10/25521 to 10.9.1.1/25521 Phase: 4 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 5 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 6 Type: SFR Subtype: Result: ALLOW Config: class-map CM-SFR match access-list ACL-SFR policy-map global_policy class CM-SFR sfr fail-open monitor-only service-policy global_policy global Additional Information: Phase: 7 Type: INSPECT Subtype: inspect-smtp Result: ALLOW Config: class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect esmtp _default_esmtp_map service-policy global_policy global Additional Information: Phase: 8 Type: FOVER Subtype: standby-update Result: ALLOW Config: Additional Information: Phase: 9 Type: FLOW-EXPORT Subtype: Result: ALLOW Config: Additional Information: Phase: 10 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Phase: 11 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Phase: 12 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (inside,outside) source static INTERNAL-NETWORKS NAT-INTERNAL-NETWORKS destination static NAT-SERVER REAL-SERVER Additional Information: Phase: 13 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Phase: 14 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 15 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 16 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 626947750, packet dispatched to next module Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: allow
This is the packet tracer results for devices coming from siteC:
Phase: 1 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 1.2.3.4 using egress ifc outside Phase: 2 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 1.2.3.4 using egress ifc outside Phase: 3 Type: NAT Subtype: Result: ALLOW Config: nat (outside,outside) source static SITEC-NETWORKS NAT-SITEC-NETWORKS destination static NAT-SERVER REAL-SERVER Additional Information: Static translate 172.17.2.1/25521 to 10.9.1.2/25521 Phase: 4 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: Phase: 5 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 6 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 7 Type: SFR Subtype: Result: ALLOW Config: class-map CM-SFR match access-list ACL-SFR policy-map global_policy class CM-SFR sfr fail-open monitor-only service-policy global_policy global Additional Information: Phase: 8 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Phase: 9 Type: INSPECT Subtype: inspect-smtp Result: ALLOW Config: class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect esmtp _default_esmtp_map service-policy global_policy global Additional Information: Phase: 10 Type: FOVER Subtype: standby-update Result: ALLOW Config: Additional Information: Phase: 11 Type: FLOW-EXPORT Subtype: Result: ALLOW Config: Additional Information: Phase: 12 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Phase: 13 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Phase: 14 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 15 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 16 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Result: input-interface: outside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: drop Drop-reason: (ipsec-spoof) IPSEC Spoof detected
#show nat (inside) to (outside) source static INTERNAL-NETWORKS NAT-INTERNAL-NETWORKS destination static NAT-SERVER REAL-SERVER translate_hits = 23072, untranslate_hits = 23081 (outside) to (outside) source static SITEC-NETWORKS NAT-SITEC-NETWORKS destination static NAT-SERVER REAL-SERVER translate_hits = 18, untranslate_hits = 0
Why does it only translate the source and not also the destination for the traffic coming from siteC?
Why the F are the pings in this small network so screwed up?
I recently connected an Aruba WiFi Bridge 501, linked to an L2 HP switch, which leads to my laptop, to my company network to test a couple of things.
After initial setup and verifying that the Bridge is connected and working as intended, i did some ping checks to test the other devices, and here is where i dont get how this is possible. Both the WiFi Bridge and Switch are out-of-the-box with minimal configuration.
Here is a small michelangelo to show what pings work and which dont (it looks as confusing as it is to me)
both laptops and the management interfaces (that were used to ping) on switch and router are in the 192.168.169.128/25 subnet. the wifi bridge's mgmt interface is configured via DHCP by a DHCP server in the company network. DHCP does currently not work on the switch/laptop behind the bridge.
my main confusion right now is why the switch cannot ping ANYTHING at all, even though the connection from laptop to laptop or laptop to wifi bridge works.
The Switch is an HPE OfficeConnect 1820, the WiFi Bridge an Aruba WiFi Bridge 501. I am so incredibly confused, i hope anyone even reads this. Also hope this is the right sub for this.
Site to Router VPN?
Let's say we have this:
Site A <----> Router A <----> Router B <----> Site B
There is a VPN tunnel setup between sites A and B through the two respective routers. Router B is port forwarding for a server at site B, and a device at site A is trying to connect to it by connecting to the forwarded port at router B.
Is there a way to ensure this traffic is encrypted by the VPN tunnel between Router A and Router B?
The way IPsec tunnel configuration looks on my routers, you have to assign local sites and that locks in the routing of the encrypted tunnel to go through the routers, but not stop at the edge of them. My routers do not support transport mode, is that what I need?
Exactly what does a network engineering manager do, and how do I get there?
Hey folks,
I've reported to a network engineering manager in the past and thought I knew what he did, but I'll post a bit about what I do in my job currently and hopefully will get some solid advice from you all.
Just to begin, I do have a bachelor's degree, a CCNP and a slew of a million other certifications (including project management) and have been doing strictly network engineering for 6 years.
When I began here, there was only one infrastructure team of the four of us. We're up to 10 now, split up into teams and reporting to a director. However, the person being reported to is much more involved with the server/storage design/expansion/etc, while I take care of everything on the networking side (with the help of my junior guy and security guy of course).
So, I design the network infrastructure, including the new core design we are implementing in our two data centers, plus designing our third data center. I take care of Cisco support renewal, Meraki licensing, managed services contract renewal and maintenance, low voltage vendor procuring, WAN and private fiber circuit procuring, equipment ordering and pricing negotiations, pretty much whatever you can think of. I bring in vendors to discuss new designs and partnerships, and pretty much serve as the point of contact for many of these companies with our company.
Really though, no one has ever told me to even do anything, I just always identified what needed to happen and did it. It has been acknowledged by management that this is the case too, but I am not sure what else a network engineering manager would be doing? I am working on soft skills and attend a weekly leadership meetup, and have been reading books too. I do get advised to delegate work out a bit and lay out the vision, and have been given some opportunities to lead projects which were successful. I have also vocalized my desire to move into a leadership role, but there is just no network engineering department here. I would like to understand from everyone here what else I could be doing to get to where I want to be. This company has 2500 employees and 25-30 locations, so we are decently sized and do a billion dollars in revenue a year. I know the technical work stands for itself (we've also put our entire branch office infrastructure into ansible and our core switches into ansible too, which fits the DevOps narrative around here) but at 93k/year in a major city, I'm starting to feel underpaid and also underappreciated, with no real path forward. I would like to make it work here though but I am just so lost. I threw out some feelers on some high end networking jobs that paid a good bit more, but none seemed to put me closer to management than the job I am in right now.
Can you all help me out a bit?
Port Channels
Hoping there are some networking specialists in here who can help me out...
Customer has two WatchGuard M200s in a Active/Passive configuration and in this configuration you need to have everything patched to both the M200s concurrently (e.g. LAN, DMZ, Internet etc.) so that in a failure it will failover within 1-2 packet drops.
#Primary Issue#
The customer has a NBN FTTP internet connection that has a single ethernet hand off from the NTD - this needs to be plugged into two M200's concurrently.
They have been plugging the ethernet hand off into a 5-port hub switch then having two other ports plug into the M200s.
They currently have stacked N3000 L3 POE switches that would be a much better use case than an non-managed / non-redundant hub switch.
Now i've configured the N3000's with a port channel (e.g. PO4) on the interfaces gi1/0/44-45 & gi2/0/44-45 with switchport access vlan 30 configured.
The concept was that you would plug in the ethernet hand off into gi1/0/44 then have gi1/0/45 & gi2/0/45 plugged into the M200s (gi2/0/44 in case gi1/0/44 dies, you simply move the ethernet hand off).
The issue is that when I plugged in these ports from the N3000s into the M200s the interface is shown as failed on the watchguard.
I'm assuming that it might be because I've not configured the WatchGuard external internet interface with the VLAN ID and/or no link aggregation - would this be correct or is there anything else that needs to be considered?
(The ISP does not require a VLAN to deliver this service either, it would be an internal VLAN only)
Appreciate any help
Is it possible to mirror...
hey guys, I was wondering if it was possible to mirror a set of link aggregated ports on a switch. after doing some reading it seems there's mixed results on this. some switches can, and some switches can't. if I can't do this with a managed switch then is it possible via some other method?
Opinions regarding subnet sizes
Hey all. I'd like to solicit opinions regarding using /24 subnets vs using /23 subnets for end users, specifically in making it easier/harder to manage tagging end user access ports in switch stacks.
Is it easier because you can tag more ports with the same vlan for that subet? Is it harder to deal with that size subnet because of broadcast traffic, naming, etc? That kind of thing...
Basically I'm trying to plan for growth why making things as simple and straightforward as I can. I'm using Juniper switches in a virtual chassis, but I think it would apply to any manufacturer. Any other thoughts regarding subnet size design welcome too. Thanks in advance.
How would I find out if I’m hitting an artificial limit?
We have supposedly 1Gbps circuits in Huntsville AL and the other in Seattle, Washington. They both supposedly have a 300Mbps provisioned with 1Gbps provisioned.
In iperf3 I can hit exactly 300Mbps on a single stream.
Server1: iperf3 -s server2: iperf3 -c server1 -R -t 60
This results in exactly 300Mbps for the 60s test. It will fluctuate to like 298, 301, 300, 300, 296, 300, 306, 302, 301, 299, 300, 300 etc.
Server1: iperf3 -s server2: iperf3 -c server1 -R -P 4
It will get a total of about 850-870Mbps or about 210-220 per stream. If I run 2 streams they will each be 300Mbps.
This seems too much of a coincidence that a single stream will hit 300Mbps and our supposed provisioned in 300Mbps.
Is there any way to validate that this isn’t a tcp window size and stream size issue with a tcpdump?
AT&T ADI - Is it VLAN Tagged or does it have the option to be VLAN Tagged?
Hi there,
I am looking through the publicly available docs on the internet, trying to understand if ADI can be delivered as a tagged service to a router. Does anyone have experience with ADI and the deployment options available?
This would be for ADI service inside a carrier hotel where an AT&T Network Node already exists; single mode fiber hand-off.
Recommended cat6 terminator?
Hey all, my team has to terminate a bunch (around 100) of cat 6 cables over the next couple months, and I'd like to buy them a really good crimper. Good ergo, good crimping ability.
Anyone know what the preferred professional brand is?
Apologies in advance if layer 1 stuff doesn't fit this subreddit.
Maintaining STP in a large network environment
I just want to know how do some of you maintain STP in a large layer 2 network environment? Basically i have a collapsed core network. I have 19 stacked 3850’s acting as our “core/distribution switches” with 2 of those switches hosting about 75% of the vlans and about some 350 2960s as our access layer. Also I have about 100 vlans in this network and some of them span across the network. I’m just curious to know what some of you are doing and hopefully it can help me manage this monstrosity.
Is anyone else experiencing issues with Palo Alto’s Prisma Access Cloud VPN?
We’ve had nothing but terrible performance out of our Prisma VPN for the last two weeks is anyone else seeing similar issues or is it just us?
Route AWS EC2 private instances to a public OpenVPN
Hi!
First of all, I apologies if it's not the good place for posting. But, while I'm not sure it's an AWS or OpenVPN issue, I'm positive it's a networking one.
Also, I'm new to all this, from AWS to VPN and networking in general. Don't hesitate to tell me if I need to give more detail of any sort. Despite the fact I'm new to it, it's for my work place, not home networking at all.
Feel free to remove this post if I'm definitively lost. If you keep it, I'll be able to cross post on r/aws and r/openvpn.
So, here is the thing : https://gitlab.com/pcoves/vpn_test
This is a small network (single VPC) hosted on AWS composed of : 1. One OpenVPN server with a public IPv4 address on a public subnet (10.0.0.0/24), 2. Two Debian instances in a private subnet (10.0.1.0/24) that can be joined from within the VPC.
Note that the VPN server does push "route 10.0.0.0 255.255.0.0"
so that the client is aware of the AWS subnet.
I can ssh
from my local box to the VPN server (using either it's public ip or 10.8.0.1
so I know the VPN is working) and from there, I can ssh
to the private instances. Once I'm on the private instances, I can ping
/ssh
back to the VPN server. So, I know, each machine can communicate with the other on the 10.0.0.0/16
VPC.
Now, I'd like to access my private subnet from my local box through the VPN. As far as I understand, when I do ping 10.0.1.*
from my local (192.168..) box, it goes to the VPN server, then goes to the private machine (I don't know how to verify that, you know, new to networking... Open to suggestion). Once there, the ping
has to come back but the private machine has no clue what 10.8.0.1
(the VPN server) so the packets are lost.
So, my question really is : what does one has to do in order to route the packets from the private subnet to the local machine through the VPN?
Many thanks in advance for your patience!
PS : many pages on the net advise to disable the source/dest check on the VPN server instance. This is done and does not change anything.
Need Help Choosing new Networking Brand for Startup
So I'm working in a startup that needs networking for management and general internet for our compute nodes and storage nodes. I'm building a small sampling of everything in my home right now due to Covid-19. I am currently using an infiniband switch and Ubiquiti switches which is fine for now since its my home.
Going forward though, I want to use real switches that can be used in a datacenter. My experience has only been Cisco in the past where I managed a team of networking engineers. I had to negotiate all the licensing contracts with Cisco and hear all the griping about some of the issues about it that has left a sour taste in my mouth.
So I am looking into other brands right now for networking. The plan is to keep on using the mellanox infiniband because we need the speed, but need a legit switch for management.
I'm leaning towards Juniper, Dell, or Mellanox in that order. Any other brands I should look at or which one of these should I choose?
Some basic requirements * easy to manage for myself, but can grow into it * Easy to script (I heard JunOS is easy due to the Python API) * Easy accessibility to used gear * Easy accessibility to talent for hire or contract * No paywall to upgrade equipment software/firmware * Avoid licensing hell (I've heard that Juniper is going down the same road as Cisco)
Any thoughts? My networking experience has been theoretical as I am a software guy, and I usually delegated this stuff in the past to others. So I value simplicity as well.
Azure BGP received routes
Trying to see the routes I'm receiving in Azure from my on-prem network.
Get-BgpRouteInformation returns an error that the cmdlet is not recognized in powershell. I can see the routes I'm advertising to on prem with the Get-AzureRmVirtualNetworkGatewayAdvertisedRoute. it seems that none of the BGP commands work in powershell in azure.
this is one of the documents I was looking at - https://docs.microsoft.com/en-us/powershell/module/remoteaccess/get-bgprouteinformation?view=win10-ps
EVE-ng and IoL L2: SPANTREE-2-BLOCK_PVID_PEER: Blocking Ethernet0/1 on VLAN0050. Inconsistent peer vlan.
Hi.
I'm labbing some topology we're going to implement soon in one of our locations and am stuck with two devices working as core switch (these are before mentioned IoL L2 images).
The connection is simple:
----------[CORESW1]-(e0/1)------------[NETWORK SIMULATING LAN]------------(e0/1)-[CORESW2]----------
CORESW1 and CORESW2 are connected with e0/1 trunk interfaces to that NETWORK item.
There's couple of VLANs and SVIs configured on each (same set on both devices). I even removed part about native VLAN, leaving 1 as the native.
interface Ethernet0/1 description TRUNK TO LAN switchport switchport trunk encapsulation dot1q switchport mode trunk duplex auto
Unfortunately I'm getting SVIs blocked by STP:
*May 6 14:47:51.776: %SPANTREE-2-BLOCK_PVID_PEER: Blocking Ethernet0/1 on VLAN0105. Inconsistent peer vlan. *May 6 14:47:51.776: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 106 on Ethernet0/1 VLAN1.
I updated EVE to 2.0.3-110 and it didn't change anything.
My image is i86bi-linux-l2-adventerprisek9-15.6.0.9S.bin. Could it be that Network item in EVE doesn't really work with trunks? Unfortunately I can't connect the switches directly as I need more devices in the LAN.
EDIT: when I start disabling STP for VLANs, devices close (probably crash).
Using public DNS for large public wifi - will I hit rate limit issues?
Has anyone had experience with a very-large public wifi using free DNS as a resolver? Specifically Cloudflare, Google, and Quad9. Historically I have been pointing our guest traffic at Google 8.8.8.8 and 8.8.4.4 and haven't had issues but we are going to install some larger venues soon and I worry about potential rate limit issues when I do NAT overload. Some of our large locations can hold well over 100,000 people - if we get a large uptake on wifi usage it could be interpreted as a denial of service attack.
Has anyone dealt with this issue or is this not a problem? I've read that Google limits to 1000 queries per second, I can't really find info on Cloudflare or Quad9. Do I need to just build my own resolvers and use root hints? Should I just make a large NAT pool to spread the queries over a bunch of IP addresses?
need help making a specific routing path for multi area ospf
I have a multi area ospf network that looks like this:
ALL CISCO
(R1 Area1) ---(R2,R3 Area0)---(R4 Area2)
I am looking for R2 and R3 also has interfaces connecting to both Area1 and Area2.
I am looking for the following path for R1 to talk to R4:
R1-->R2-->R3-->R4
and vice versa
R4-->R3-->R2--->R1
But I need to make sure that R1 and R4 will connect to R2 for the R2 networks and R3 for the R3 networks.
Where do your security teams sit in the organisation?
There are multiple ways to slice and dice where functional teams sit, but I currently work in a large enterprise where all Information Security sit in one large org, Plan, Build, and Run based on technology platform.
Looking for examples of where possibly firewall policy management sits in Information Security, but the RUN of the appliances sits in network.
Flow Monitoring Software
What is your favorite flow analyzer software and why? Looking to configure Juniper MX series routers to export IPFIX flows. Additional bonus points if the software can do automated BGP blackhole or BGP flow spec to protect against DDoS.
Kentik and FastNetMon are two I have found, but are there any others?
Multiples VPNs from same Site
My company provides IT services for about 30 other companies. So, we have around 6/8 vpn clients(anyconnect,forti,globalprotect,windows). As you can imagine, is really complicated to connect and manage users with this.
Our plan is to centralize this in some kind of solution in our office in order to connect only to our vpn and from there to anywhere else. No idea how to do this yet.
My question are:
- Anyone has a similar problem?
- how would you solve this?
- Is there any software/hardware that can help?
Thanks!!
Overloading/Reusing public CIDR via multiple B2B IPSec partnerships
My company is currently working to provide a large enterprise customer with a private AWS web application accessed via IPSec tunnels. We are in initial discussion with the customer's various IT/Networking teams but are working out possible architectures before the full design coordination meeting.
Key components of our current VPC design:
- VPC is a /16 RFC 1918 space e.g. 10.1.0.0/16
- Access to the application is via an internal AWS ALB with multiple AZs.
- The ALB client endpoint IPs are private and dynamically assigned and updated in DNS.
Anticipated Customer Constraints
- To avoid IP conflicts, Customer will not peer/reserve/route to RFC 1918
- We need to provide target IPs in advance (static IPs/CIDRs)
- Future changes are slow. Stable design is important upfront.
We are looking at ways to solve this and came across what is probably a bad idea, but we can't see why.
What if our company purchased and registered a public /24 but did not advertise routes on the public internet. Instead we add our new public range to the VPC as usable IPs (again not publicly routable or registered with AWS for public advertisement). We then configure the load balancer to use IPs from this CIDR as it's endpoint addresses.
To the customer, we provide this new privately-owned "public" range which they route across our B2B IPSec tunnel.
Conceivably this guarantees no conflicts on their end and makes it easy for us to dynamically use IPs from a given subnet (rather than randomly assigned non-contiguous AWS EIPs).
Here's the crazy idea: What if we reused this architecture and "public" CIDR with multiple customers (lets say 25 unique large enterprises)?
Pros:
- We only have to buy one public CIDR block.
- Design is standard and reproducible for customers
- Customer only has to configure routes for a single subnet rather than multiple /32 addresses.
Cons:
- Our org cannot access multiple customer stacks simultaneously without DNAT. (not an issue for us)
- Cannot advertise public CIDR on the internet.
What are we missing?
802.1x: Introduction and general principles
IEEE 802.1X is an IEEE Standard for port-based Network Access Control to prevent unauthorized devices from gaining access to the network. It defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802, known as “EAP over LAN” or EAPOL. 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server.
https://www.ciscozine.com/802-1x-introduction-general-principles/