Saturday, December 12, 2020

Troubleshooting a VPN connection that succeeds, but doesn't

I have an issue that I suspect has one of those terribly obvious solutions I've managed to overlook:

Trying to set up laptops to connect to a Cisco RV345 using AnyConnect for access to local storage and software licenses. The machines will connect to the router and ask for approval on the cert, it takes the login info, which shows as clearing in the router logs, and will show the banner message on the laptop. Then the connection fails. The only error I can spot in Event Viewer is a RasClient "The user SYSTEM dialed a connection named (ConnectionName) which has failed. The error code returned on failure is 2250."

This is happening consistently across 3 Windows 10 machines, all with different antivirus setups and on different networks. I can't find any errors related to the initial handshake; it seems like it just craps itself once it comes time to actually create the tunnel. Any help is very appreciated.



Network analyst interview tips?

Hey all, I’m fresh out of college as a network communications major. I ended up landing an interview at a big bank here in Canada and I’m super nervous! I really wanna land this job as it would be a huge start to my career and its location is basically perfect for me.

Anyway, I was just interested if anyone can provide some tips? Maybe typical interview questions they ask or something along those lines.

thanks so much in advance!!



HTTPS traffic blackholes over S2S VPN

Hi folks,

I’ve been working on a site standup and I’ve got a fairly interesting problem I could use some perspective on. If you wouldn’t mind lending me your minds for a few, I would greatly appreciate it.

Topology: HQ Firewall <— S2S routed IPsec Tunnel —> Remote Firewall

Routes are exchanged over the tunnel between the two firewalls, running OSPF in Area 0.0.0.20 (normal area). Both endpoints are redistributing any static routes.

HQ Core is a pair of Nexus 9ks, with a number of static route remote office prefixes that point clients to the HQ Firewall to then egress via VPN tunnel. (Don’t ask me why they didn’t set them up with OSPF...).

Remote office core is a pair of FlexFabric 5900s. All routing in this office is handled via OSPF, Area 10 between the internal site routers. The remote firewall participates and receives prefixes from Area 10 and pushes them out in Area 20 (VPN S2S).

What I see: I see the routes are getting learned on both firewalls. The remote gets HQ’s prefixes and HQ gets remote’s prefixes. That’s great! I can pass ICMP traffic from the HQ end to a host on the remote office end and get responses, and vice-versa. I can RDP to computers in the remote office. So traffic is passing.

However, when I go to try logging into iLO or VMware at this site, the HTTPS traffic just seems to die. All of the browsers I’ve tried just spin and eventually time out. A packet capture shows ACKs, SYNs, eventually ACK PSH... but eventually it appears as if the connection times out after a while. I do see RSTs being sent back to the client on the remote end, but the local end does not see those RSTs.

I’ve worked with the firewall vendor to ensure there is no sort of traffic inspection, IDS/IPS involvement, firewall rule blocking or changing flags/states, or NAT rules redirecting. They’ve officially pointed the finger at routing because they did not see anything that indicated the firewalls were involved.

If I SSLVPN to the site directly, HTTPS traffic works just fine. The only thing I can think of that could be happening is that maybe there is some sort of misconfiguration in my routing or S2S setup such that the packet is either getting misdirected or dropped. Oddly, I do see the packet emerge on the remote office end, and see the reply come back through the VPN.

Would any of you happen to have run into this sort of issue before? I’m really at my wit’s end and I’ve got to have this site up and functional for Monday, so I’m doing my best not to lose my cool and be objective.

Thanks for any tips you can offer in advance. If you would find it helpful to see code or RIB/FIB of any of the devices in question, I can post those up. Many thanks to you all in advance.

/edit: late night grammar fixing
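One check a practitioner would want on a tunnel where ICMP and RDP work but HTTPS stalls right after the handshake starts is path MTU: the TLS server certificate is the first full-size, DF-set segment in the exchange, and if ESP encapsulation pushes it past the path MTU and the ICMP "fragmentation needed" never gets back to the sender, the flow hangs with small packets still passing. This is not a diagnosis of the poster's network, only the arithmetic behind the check. The following is an added example, not code from the original post; the cipher suites, their per-packet overheads, IPv4 on both headers and the 1500-byte path MTU are all assumptions.

```python
# Added example (not from the original post): how much of a path MTU survives
# IPsec ESP tunnel-mode encapsulation, and the TCP MSS that fits inside it.
# Assumptions (labelled as such): IPv4 outer and inner headers, ESP tunnel mode,
# and the overheads of the suites listed below. Read the real SA parameters.

# ESP per-packet overhead per (assumed) suite, in bytes:
#   iv    : explicit IV carried after the SPI/sequence number
#   icv   : integrity check value appended after the trailer
#   align : the encrypted region (data + padding + 2-byte trailer) must be a
#           multiple of this (cipher block size for CBC, ESP's minimum 4 for GCM)
SUITES = {
    "aes-cbc-sha1":   {"iv": 16, "icv": 12, "align": 16},
    "aes-cbc-sha256": {"iv": 16, "icv": 16, "align": 16},
    "aes-gcm":        {"iv": 8,  "icv": 16, "align": 4},
}
OUTER_IPV4 = 20
UDP_NAT_T = 8          # extra UDP header when NAT-T encapsulation is in use
ESP_HEADER = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
INNER_IPV4_TCP = 40    # inner IPv4 (20) + TCP (20), no options


def max_inner_packet(path_mtu=1500, suite="aes-cbc-sha1", nat_t=False):
    """Largest inner (pre-encapsulation) IP packet whose tunnel-mode ESP
    encapsulation still fits in path_mtu without the outer packet fragmenting."""
    s = SUITES[suite]
    fixed = OUTER_IPV4 + (UDP_NAT_T if nat_t else 0) + ESP_HEADER + s["iv"] + s["icv"]
    encrypted_budget = path_mtu - fixed
    # the encrypted region must be a multiple of the alignment: round down
    encrypted_budget -= encrypted_budget % s["align"]
    return encrypted_budget - ESP_TRAILER


def tunnel_mss(path_mtu=1500, suite="aes-cbc-sha1", nat_t=False):
    """TCP MSS to clamp on the tunnel interface so that a full-size segment
    never needs fragmentation after encapsulation."""
    return max_inner_packet(path_mtu, suite, nat_t) - INNER_IPV4_TCP


def would_blackhole(inner_len, df_set, path_mtu=1500, suite="aes-cbc-sha1", nat_t=False):
    """True when an inner packet of inner_len bytes with DF set exceeds what the
    tunnel can carry: it cannot be fragmented, so it is dropped, and the sender
    only finds out if the ICMP 'fragmentation needed' makes it back."""
    return df_set and inner_len > max_inner_packet(path_mtu, suite, nat_t)


if __name__ == "__main__":
    for suite in SUITES:
        for nat_t in (False, True):
            print(f"{suite:16} nat_t={nat_t!s:5} "
                  f"max_inner={max_inner_packet(1500, suite, nat_t)} "
                  f"mss={tunnel_mss(1500, suite, nat_t)}")
    # a 1500-byte certificate-bearing TLS segment with DF set vs a 100-byte echo
    print(would_blackhole(1500, df_set=True), would_blackhole(100, df_set=True))
```

With the assumed AES-CBC/SHA1 suite and no NAT-T the usable inner packet is 1438 bytes, so an MSS clamp of 1398 keeps every TCP segment inside the tunnel; the practical test is a ping with DF set and a payload just under and just over that size across the tunnel, plus a capture on the HQ firewall's outside interface looking for ICMP type 3 code 4 coming back (or not).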



Port Forwarding a Port Forward?

I have a system set up with Comcast Business that includes an all-in-one into a FortiGate. We handle all the port forwarding etc. on the FortiGate. I have one problem though: none of my port forwards actually work.

The way it works now is that behind the FortiGate I have a server running Nextcloud and I want my users to be able to access this. On the FortiGate, I have a port forward set up to go from the FortiGate's WAN port 445 to the 10.1.5.67 address port 443.

On the Comcast all-in-one, I am then forwarding the real WAN connection to the static IP of the FortiGate on port 445.

This isn't working at all though.

Any and all help is appreciated!



Is it hard getting resumes past bots these days?

TL/DR I'm not really sure if I'm venting or asking if everyone is having issues moving on to new opportunities these days. Anyway...

I've had some issues getting call backs on my resume, to the point I've even done the resume "help" thing from LinkedIn. I've had it reviewed by peers as well as professionals, of which no one seems to agree. One person says never do that, while another says always do it.

Either way, it seems pretty crazy to get a rejection letter for a job you're way overqualified for (I'm looking at you Starlink). I've never had issues with job performance, or with office interpersonal interactions and such. To be fair, I'm not actively looking for a new job currently, not in this economic environment anyway. Not that I would reject a nice offer for a sweet gig.

But we do want to be prepared to move on to a new state in 2 - 3 years, which means I'll need a new job. And typical me I want to start preparing now. So I've been submitting my resume around to get a feel for the pickup rate and keep the interviewing skills sharp. So far my pickup rate has been abysmally low, like 5-10%. Of the two interviews I did do, I immediately responded to one with "I don't think I would be a good fit for this organization". The other I would have likely moved forward with, but they decided to not move forward with the position. So either COVID killed it, or I wasn't strong enough in the interview process.



The truth about SASE?

Sorry if this is better suited for a netsec sub... but it seems you fellow networkers will be the ones who can best see through this smoke screen from the sales bots. I just feel like implementing a SASE solution just makes such little sense from a networking and security perspective. These vendors try to make this solution sound magical and vague, to where you don’t really understand what it does, so you’ll believe it’ll do everything.

But the truth is... it’s just firewall in the cloud. That really seems to be it. So you’re just outsourcing Firewall to the cloud. And adding all the latency involved with doing that. Giving up latency and throughput and honestly yes, security. It’s less secure. All your sensitive data now belongs to another company and all your data is sharing a virtual instance of a firewall used by many other customers. And you’re giving up control and visibility at the same time.

Am I missing something? Why would you do this? I just can’t come up with any real benefit here.



Splitting Armored Cable

Anyone have advice? I've watched YouTube videos and the electrician who thought he could do it have all failed me. It's Corning Altos Lite Single Jack, Single Armored Cable. After cutting the outside it is impossible to remove from the steel jacket and cutting through both you have a very high chance to hit the fiber. The sales sheet says easy to split polyethylene jacket..lies. Can't get in the jacket to get to the rip cords. Videos make getting through the jacket look easy, then cut the armor, twist and remove..as if.



BGP peering from NSX-T edge to Cisco 9K switch

Hi All

Just wanted to get a second opinion. When peering from the NSX-T edge nodes to the ToR switches, I created VLAN 10 on leaf A and VLAN 20 on leaf B. Each VLAN has an SVI created and I use the SVI for the BGP peering. In the BGP config I just add update-source vlan 10/20 on the respective leafs.

Anything I need to watch out for with this config? Not sure if I should switch to using loopback and create ebgp multihop?



Cat6A RJ45 Ethernet Network Keystone Jack Wiring Help...

I have these jacks. I need to wire my Ethernet cables to them. I've never seen a configuration like this before.

The top side is labeled (colored)

  • 8 - Brown
  • 7 - Brown White
  • 2 - Orange and Green
  • 1- Orange/White & Green/White

Bottom Section is

  • 6 - Green And Orange
  • 3 - Green/White & Orange/White
  • 4 - Blue
  • 5 - Blue/White

My cables are wired in this order

  1. Orange/White
  2. Orange
  3. Green/White
  4. Blue
  5. Blue/White
  6. Green
  7. Brown/White
  8. Brown

My guess is that this

I know the Blue goes to 4 and the Blue/White goes to 5. Brown goes to 8 and Brown/White goes to 7.

Where am I putting the Green, Green/White, the Orange and Orange/White wires? It's showing them in the same places and it's throwing me off a bit.

There's also an A and B on the Green and orange sections. I'm guessing that since I used the T-568B wiring technique, I need to put the wiring according to the B setup?

I think I got it but I just want to make doubly sure.

Also, I'm probably going to have to pay attention to some of my older CAT5e cabling because I think I used a different coloring scheme there too (GW, G, OW, B, BW, O, BrW, Br).

I'd like to wire this up tomorrow since I'll be off work that day.



How to start ipv6 first time?

We are an IPv4-only shop and are now trying to build a new datacenter, so we are thinking about trying IPv6 (we have a spine-leaf EVPN infrastructure). I asked my ISP to hand over an IPv6 public subnet, but I'm not sure:

  • What kind of subnet mask should I ask for, 1000 IPs or 10000 IPs?
  • Can I advertise the IPv6 subnet on existing IPv4 BGP peers?
  • Anything special I need to do on my existing EVPN network to adopt IPv6 routing, or will it be transparent to the fabric? (I know I need to create the IPv6 anycast gateway etc.)
  • I have an F5 load balancer, so can I put my front-end VIP on IPv6 and my pool members on IPv4?
  • Anything else you folks suggest which I missed?



Solution to an ISP monopoly in my rural town, how do i fix this?

Hello everyone at r/networking,

I read through the community rules and I think this meets all requirements. If not please remove it.

As the title states, over the last few years a semi-monopoly has manifested itself in my town. CenturyLink has ownership of the only fiber line coming into town, and they only offer their service on the north side of town. Everywhere else has to be covered by smaller ISPs that lease bandwidth off of CenturyLink's network. As it stands currently, we are paying $80/mo for our 35 Mbps connection. Drive 30 minutes down the highway, and the college town nearby is offering 1 gigabit connections for $69.99/mo.

As any rural area, we have always been years behind in tech - we are in a conservative state and our town is like 60% retirees. However, in an effort to increase tourism and build the town, over the last 15 years the city has approved the building of at least 5 different subdivisions of 200+ homes around town. We've been gaining evacuees from the high prices in California for years, but with the pandemic that rate has tripled and houses are popping up everywhere.

We simply don't have the IT infrastructure to support what's coming in the next few years. Now, I'm just a 22yo greenhorn in the IT department at the local school district, but it's such a small town that my dad has known most of the people on the city council for 30+ years, and I think I can get some pull to get stuff moving if it's feasible. I've already sent an email to the mayor to try to set up a meeting, and he said he'd be happy to whenever works for me.

I've heard of communities setting up their own ISPs, I've also heard of towns providing incentives for ISPs to get larger coverage and faster speeds. Does anyone have any experience with anything like this? What direction should I try steering people towards? How feasible is it for a municipality to form their own ISP? How feasible is it to start running fiber in town?

One of our big issues is that 3 of the new subdivisions are geographically separated from the rest of town, and they are going to have as many or more houses than the main area of town in the next few years. Yet the best the ISPs have done thus far is put up one radio on the hill between the main drag and the subdivisions, and I've even talked to the technicians at the ISP and they say their radio is maxed out and can't handle any more households. They said they were even planning a price increase because demand is going up.

So if anyone has any starter advice or personal experience it would be greatly appreciated. I'd like to go to the mayor and council with at least some semblance of a suggestion as to what to do. I can provide much more info, but I didn't want to make a long post even longer. Thank you in advance.



Network visualization tool?

Let's say I did the work of gathering L2 neighbors throughout my network. Let's say I wrote a REST API where you could query a hostname and it would return a JSON list of all the neighbors.

How can I visualize this data, so that someone could pick a hostname and it would recursively call this API to get the neighbors 3-4 layers deep? I would want it to look like a "star" expanding outwards.

I see there are a number of JavaScript libraries (plotly, d3, others?) that can possibly visualize this type of node-link data. I'm curious if anyone has experience doing this kind of thing?
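The expansion step described above, as an added example that is not part of the original post: a breadth-first walk out from one hostname, stopped at a fixed hop count, that emits the node/link JSON the force-directed layouts in d3, cytoscape.js and plotly consume. The REST endpoint is simulated by a constructed adjacency table, which is an assumption standing in for the poster's real API; swap fetch_neighbors for an HTTP call and the rest is unchanged.

```python
# Added example (not from the original post): turn a "give me the neighbours of
# host X" lookup into a depth-limited star graph in node-link form.
# CONSTRUCTED_NEIGHBORS is a made-up stand-in for the poster's REST API.
import json
from collections import deque

CONSTRUCTED_NEIGHBORS = {
    "core1":     ["dist1", "dist2"],
    "dist1":     ["core1", "acc1", "acc2"],
    "dist2":     ["core1", "acc3"],
    "acc1":      ["dist1", "ap-floor1"],
    "acc2":      ["dist1"],
    "acc3":      ["dist2", "srv-sw1"],
    "srv-sw1":   ["acc3", "srv-sw2"],
    "srv-sw2":   ["srv-sw1"],
    "ap-floor1": ["acc1"],
}


def fetch_neighbors(hostname):
    """Stand-in for GET /neighbors/<hostname>; replace with urllib or requests."""
    return CONSTRUCTED_NEIGHBORS.get(hostname, [])


def expand(root, max_depth=3, lookup=fetch_neighbors):
    """Breadth-first expansion from root, at most max_depth hops out.

    Every host is looked up once, so the cost is one API call per device
    reached (never per edge), and loops such as dist1 -> core1 -> dist1
    cannot recurse forever. Hosts at max_depth are kept as leaves but not
    expanded, which is what gives the 'star' its outer ring.
    """
    depth = {root: 0}
    links = set()
    queue = deque([root])
    while queue:
        host = queue.popleft()
        if depth[host] >= max_depth:
            continue
        for nbr in lookup(host):
            links.add(tuple(sorted((host, nbr))))    # undirected, deduplicated
            if nbr not in depth:
                depth[nbr] = depth[host] + 1
                queue.append(nbr)
    return {
        "nodes": [{"id": h, "depth": d}
                  for h, d in sorted(depth.items(), key=lambda kv: (kv[1], kv[0]))],
        "links": [{"source": a, "target": b} for a, b in sorted(links)],
    }


if __name__ == "__main__":
    print(json.dumps(expand("core1", max_depth=2), indent=2))
```

The "depth" field on each node is what you feed to the layout's radial distance (or to a colour scale) to get the rings of the star, and the deduplicated link set keeps the layout from double-drawing a link that both ends reported.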



How to block YouTube at certain times on home router?

I read a little about OpenDNS and Cloudflare but I’m not 100% sure this is the way to go to restrict YouTube at certain hours of the day at home for multiple devices. My kids are on YouTube before, sometimes during, and after school and I want to limit that to just after school. But I want to still access it on my phone. So I heard of people mentioning OpenDNS. What is the difference between just restricting from the out-of-the-box router software vs. something like OpenDNS? I also know there are some iOS apps for blocking as well, but they don’t block TV boxes, so I’m more focused on something like OpenDNS I guess. Or am I?



Help a simple programmer understand: How does the networking for CDN providers work (AS/BGP)?

So lately I've been thinking about how a CDN works, and how a company could build something similar by themselves. I'm trying to understand, and have written below how I think it works, any corrections or more info would be much appreciated!

Let's say we want to have 3 different datacenters around the country, both for availability and performance, to serve static content from static.acme.com.

My understanding is that the company would get their hands on an IPv4 block and register an AS. We would, via our DC operator/ISP, announce our AS on each datacenter via BGP? Basically saying "IPs in this range can be routed here". We would have some kind of beefy router at each DC receiving that traffic and load balancing it on the servers in the DC (either via L4 or L7).

On the DNS side of things we would have an A record for static.acme.com pointing at one of the IPs in our block.

Is it correct so far?

Then, what happens if one of the DCs becomes unavailable? Can we withdraw that BGP announcement somehow, how is that cached etc.? What happens if the load becomes very uneven? E.g. people with the cheapest route to DC1 use the service much more than users "close" to the other DCs, making it preferable to route some DC1 users to DC2/DC3, even though DC1 is "closest"?

I'm trying to understand the black magic of large scale networking, would appreciate any pointers!



Friday, December 11, 2020

Aruba Central vs hardware controllers

We have chosen Aruba as our WAN solution- currently running Instant on a small number of APs. But we will be expanding (200-300 APs) and are considering either Central or HW controllers to manage them in the future.

Any thoughts? Pros and cons?

Thanks



Netmiko telnet login failure issue on some devices

I have a netmiko script that works fine on some IOS devices but fails to log in on others. The only commonality is that the three routers it fails on are Cisco 7206s on TACACS. The odd thing is both netmiko's debug and session_log show it is entering the correct username and password (and I can log in manually), but it returns with a login failed error.

Anyone else experiencing similar issue?

Snippet from debug:

username:
DEBUG:netmiko:write_channel: b'xxxxxx\r'
DEBUG:netmiko:read_channel: xxxxxx password:
DEBUG:netmiko:write_channel: b'xxxxxx\r'
DEBUG:netmiko:read_channel:
DEBUG:netmiko:read_channel:
DEBUG:netmiko:read_channel:
DEBUG:netmiko:read_channel:
DEBUG:netmiko:read_channel:
DEBUG:netmiko:read_channel:
DEBUG:netmiko:write_channel: b'\r\n'
DEBUG:netmiko:read_channel:
DEBUG:netmiko:read_channel:
DEBUG:netmiko:read_channel:
DEBUG:netmiko:read_channel:
DEBUG:netmiko:read_channel:
DEBUG:netmiko:read_channel:
DEBUG:netmiko:write_channel: b'\r\n'
DEBUG:netmiko:read_channel:
DEBUG:netmiko:read_channel:
DEBUG:netmiko:read_channel:
DEBUG:netmiko:read_channel:
DEBUG:netmiko:read_channel:
DEBUG:netmiko:read_channel:
DEBUG:netmiko:write_channel: b'\r\n'
DEBUG:netmiko:write_channel: b'\r\n'
DEBUG:netmiko:read_channel:


When do you take specific technologies & hardware off of your resume?

I'm sure that everyone doing this work for a while has at least a few things on their resume that they haven't touched in 5 years. Be it ISE, Call Manager, or some random brand of firewall. At some point you recognize that your knowledge of that product is either outdated/irrelevant, or so far gone from your memory that you would be very embarrassed if an expert on it was in the interviewing room.

Or do you leave every system you've ever worked on in there and hope that no one asks until you've had a chance to do some refreshing?



One port out of a set range is blocked?

Using a Zyxel ATP100

We have 5 servers set up to run cameras for a client. In order for the feeds to reach the worker’s computers or phones, we open a range of 10 ports which covers everything we need. For example, on server 1, we open 11000-11010, server 2 we open 12000-12010 and so on.

For whatever reason, 14008 is not accessible. I’ve had a few talks with Zyxel and they confirm it is set up properly, but this one port is giving me an issue. I test it with canyouseeme.org and the mobile camera application itself.

Things I have tried that have not worked:

  1. Delete and re-add the rules for the port forwarding
  2. Create a rule for that specific port
  3. Changing which port is used, and making a rule to match it

What else could be blocking it?
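The check a practitioner would run next, as an added example that is not from the original post: connect to every port in the forwarded range from outside and record not just open/closed but how each port fails. A "refused" answer means a RST came back, so the packet reached something that answers; "filtered" means nothing came back before the timeout, which is what a dropped packet or a forward pointing at a host that does not exist looks like, and it tells you which side of the firewall to capture on. The firewall address in the usage comment is an assumption; the self-test uses loopback so the logic can be exercised offline.

```python
# Added example (not from the original post): TCP-connect each port in a range
# and classify the result. Run against the public address from a host outside
# the firewall; selftest() exercises the same code on 127.0.0.1.
import socket


def probe(host, port, timeout=2.0):
    """Return 'open', 'refused', 'filtered' or 'unreachable' for one TCP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"                 # SYN/ACK came back
        except ConnectionRefusedError:
            return "refused"              # RST came back: something is there
        except (TimeoutError, socket.timeout):
            return "filtered"             # silence: dropped somewhere en route
        except OSError:
            return "unreachable"          # no route / host down (ICMP error)


def probe_range(host, first, last, timeout=2.0):
    """Probe every port in [first, last] and return {port: state}."""
    return {port: probe(host, port, timeout) for port in range(first, last + 1)}


def odd_ones_out(results):
    """Ports whose state differs from the majority of the range, e.g. the one
    'filtered' port in a range that is otherwise 'open'."""
    states = list(results.values())
    majority = max(set(states), key=states.count)
    return sorted(port for port, state in results.items() if state != majority)


def selftest():
    """Offline check: one loopback port with a listener, one with none."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                         # nothing listens here any more
    try:
        return {"open": probe("127.0.0.1", open_port),
                "closed": probe("127.0.0.1", closed_port)}
    finally:
        listener.close()


if __name__ == "__main__":
    print(selftest())
    # Against the real firewall (address assumed, range from the post):
    # results = probe_range("203.0.113.10", 14000, 14010)
    # print(results, odd_ones_out(results))
```

If 14008 comes back "filtered" while its neighbours are "open", the packet is being dropped before the camera server sees it, so the next capture belongs on the ATP100's WAN interface; if it comes back "refused", the forward is delivering the packet and the problem is on the server side (nothing listening on 14008, or a host firewall).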



Network ReDesign - Need Some Advice

Hey everyone, hope y'all are safe.

I have been tasked with a very intensive network redesign for a new client (about 100 people) that let their IT team go. Either they were let go because documentation was shoddy, and nothing was kept up from an administrative standpoint or the management team made a huge mistake.

Due to inadequate documentation, there are servers and network devices that we do not have access to. The issues have been no passwords documented, no IP information documented, ACLs restricting access, etc.

As we introduce new hardware, and look to migrate existing networks to newly created ones, we are worried that communication will be lost between hosts and servers, servers and storage arrays, etc. We have currently found about 70 different VLANs and are looking to reduce that to about 10.

My thoughts were to create the new VLANs and add the existing VLANs on the switches so that we don't necessarily need to re-IP everything at once. This will allow traffic to flow, as we work to make the IP changes on servers and other hardware over time.

I was hoping that some of you more experienced gurus could provide some insights or gotchas that you have experienced when working on this kind of project.



DHCP DNS Server order

I'm migrating to a new DNS resolver - it has some features I'd like but less guaranteed reliability. My current plan is to have DHCP supply both in preferred order. RFC 2132 states "Servers SHOULD be listed in order of preference". In the past every time I've listed a fallback it's also been an anycast server.

Are there any devices that are known to not respect this ordering?

Should I just list my preferred server and work on improving predicted reliability (thus making this concern moot)?
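A way to verify what the DHCP server actually hands out, added here as an example and not part of the original post: decode the options field of a captured OFFER or ACK and read option 6 back in the order it was sent, which is the preference order RFC 2132 describes. The packet bytes below are constructed, not captured; the parser itself is generic.

```python
# Added example (not from the original post): decode DHCP options (RFC 2132
# TLV format) and return the option 6 DNS servers in the order the server
# listed them. CONSTRUCTED_OFFER_OPTIONS is made up for the example.
import ipaddress

OPT_PAD, OPT_END, OPT_DNS = 0, 255, 6
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_options(blob):
    """Parse the options field into {code: value_bytes}.

    Skips the 4-byte magic cookie if present, stops at END (255), and treats
    PAD (0) as a single byte with no length. An option longer than 255 bytes
    is sent as repeated options; concatenating keeps the server's order.
    """
    if blob[:4] == MAGIC_COOKIE:
        blob = blob[4:]
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def dns_servers(blob):
    """Option 6 as dotted-quad strings, first = most preferred."""
    raw = parse_options(blob).get(OPT_DNS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def build_dns_option(servers):
    """Encode option 6 with the servers in the given (preferred-first) order."""
    packed = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    return bytes([OPT_DNS, len(packed)]) + packed


CONSTRUCTED_OFFER_OPTIONS = (
    MAGIC_COOKIE
    + b"\x35\x01\x02"                          # option 53: DHCPOFFER
    + b"\x01\x04\xff\xff\xff\x00"              # option 1: subnet mask
    + build_dns_option(["10.0.0.53", "10.0.1.53"])
    + b"\x00\x00"                              # padding
    + b"\xff"                                  # end
)

if __name__ == "__main__":
    print(dns_servers(CONSTRUCTED_OFFER_OPTIONS))
```

Feed it the options bytes Wireshark exports from a real OFFER (Copy > as a hex stream on the "Options" field) to confirm the order survived whatever GUI the DHCP server presents; whether a given client actually tries the second server only after the first fails, or rotates, is a per-client behaviour the wire format cannot tell you.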



Is Palo Alto's "Wildfire" product actually worth it?

tl;dr - It's hella expensive and seems to just be a lot of "We do magic and buzzwords to keep you safe maybe!"

We're doing a review of all of our cyber-sec costs, and I always struggle to justify the utterly insane costs of Palo Alto's various licenses (especially for the really big firewalls). We're spending nearly $150k/year per feature, and I look at each of those features and think "That could be the salary of a dedicated InfoSec employee, or another one of me so I can actually do projects besides only putting out fires".

I wouldn't ditch Threat Prevention, or URL filtering, but Wildfire I am having a harder time justifying.



Python CDP TextFSM

Hi

I don't know if this is the correct subreddit, but I'm trying to figure out why my code for getting CDP neighbors is not working with TextFSM.

I'm using ntc-templates and there are two for CDP neighbors, but my output doesn't change when using them. I tried it on http://textfsm.nornir.tech/ and there it seems to be working, but not in my code; other templates are working fine. All I'm doing is using this code snippet:

  cdp = net_connect.send_command('show cdp nei', use_textfsm=True)
  print(cdp)

Any ideas? Any help would be appreciated
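When use_textfsm hands back the raw string instead of a list, a stand-alone parser for the same output is a useful fallback and a way to see what the template has to cope with. The following is an added example, not code from the original post or from ntc-templates; the sample output is constructed. It handles the two things that break naive line splitting in this command's output: a long Device ID wraps onto a line of its own, and interface names appear both as two tokens ("Gig 1/0/1") and one ("Gi1/0/1").

```python
# Added example (not from the original post): parse "show cdp neighbors" output
# into dicts, including wrapped Device ID lines. CONSTRUCTED_OUTPUT is made up.
import re

# the last token of a two-token port id looks like 1/0/24, 0/1 or 0
PORT_NUMBER = re.compile(r"^\d+(?:/\d+)*$")

CONSTRUCTED_OUTPUT = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
dist1.example.com
                 Gig 1/0/1         162             R S I  WS-C3850- Gig 1/0/24
acc2             Gig 1/0/2         141              S I   WS-C2960- Fas 0/1
ap-floor1.example.com
                 Gig 1/0/3         170              T     AIR-CAP27 Gig 0
rtr-edge         Gi1/0/4           133             R B    ISR4331/K Gi0/0/1

Total cdp entries displayed : 4
"""


def _interface(tokens):
    """Consume one interface name from the front: 'Gig 1/0/1' or 'Gi1/0/1'."""
    if tokens[0].isalpha() and len(tokens) > 1:
        return tokens[0] + " " + tokens[1], tokens[2:]
    return tokens[0], tokens[1:]


def _port_id(tokens):
    """Consume one port id from the end: 'Gig 1/0/24', 'Gig 0' or 'Gi0/0/1'."""
    if len(tokens) >= 2 and tokens[-2].isalpha() and PORT_NUMBER.match(tokens[-1]):
        return tokens[-2] + " " + tokens[-1], tokens[:-2]
    return tokens[-1], tokens[:-1]


def parse_cdp_neighbors(text):
    rows, pending_device = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(("Capability Codes", "Device ID", "Total cdp")):
            continue
        if line.startswith(" ") and " - " in line:     # legend continuation
            continue
        tokens = line.split()
        if line.startswith(" "):                        # rest of a wrapped Device ID row
            device, pending_device = pending_device, None
        else:
            device, tokens = tokens[0], tokens[1:]
            if not tokens:                              # Device ID alone on the line
                pending_device = device
                continue
        local, tokens = _interface(tokens)
        holdtime, tokens = int(tokens[0]), tokens[1:]
        port, tokens = _port_id(tokens)
        platform, capabilities = tokens[-1], tokens[:-1]
        rows.append({"device": device, "local_interface": local, "holdtime": holdtime,
                     "capabilities": capabilities, "platform": platform, "port_id": port})
    return rows


if __name__ == "__main__":
    for row in parse_cdp_neighbors(CONSTRUCTED_OUTPUT):
        print(row)
```

The same wrapped-row handling is what the ntc-templates CDP template does with its Continue/Record states, so if raw text is coming back from send_command the first thing to check is whether the command string is one the template index actually matches (the index keys on the command text, not on the output), before suspecting the template itself.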



Quick 3-tier L3 question

Pretty easy question I'm sure. When creating a network using the 3-tier hierarchical model with L3 at the access layer, what do you typically use for the point to point links between switches? I would assume using /30 or /31 subnets but do you typically use one subnet (10.100.1.x) or mix it up for quicker identification of physical locations? (ie, distribution switch 3 has links 10.100.3.x and 10.100.33.x)



What’s the deal with vendor SFP+ transceiver prices?

Is it literally just “we charge an arm and a leg because we can”?

I’m putting in a couple of new runs for some IDFs we are adding and the vendor SFP+ transceiver is $700 while a compatible one is $20.

Do you guys usually buy the vendor transceivers or do you save the money with compatible transceivers?

Last time we had a compatible one laying around and I used it with no consequences. Just wondering if there’s really any benefit. The vendor hasn’t made any comments about the current transceivers in the past so I don’t really see the point of wasting budget on no perceived benefit.



Need sample network diagram - color code option

Anyone have a sample network drawing in PPT or Visio format that has the actual network ports on the switch color coded based on different functions? Just looking for something I can modify and run with. Thank you!



FTD SSL Decryption FQDN Objects

Can you use FQDN as the destination network object in SSL Policy in FMC? When I clicked on the FQDN option when creating new object it says “You can only use FQDN network objects in access and Pre filter rules only”



Aruba 2530 48G Programming Help

Very new at this so apologies for not being incredibly clear.

I'm working on a project at my job that involves adding a specific config to Aruba 2530 48G. The config is a script that changes the IPs of the switch based off which location the switch is going to. Our current method is editing the script every time for the different IPs, and pushing it via a terminal app. We are hitting a major problem of techs messing up the IPs, and just general human error.

I'm considering using Aruba NetEdit to update the switches, and to push the configs. Does anyone have any experience using NetEdit? I read a lot of good review but was hoping for some real world opinions. Or if no experience with NetEdit, maybe another potential solution. Any & all ideas appreciated!

Thanks in advance!!



Non-cisco VACL Capture like functionality?

Hey all, I'm with a telco and we make wide spread use of the catalyst vacl capture on the 6500 platforms (https://www.cisco.com/c/en/us/support/docs/lan-switching/vlan-access-lists-vacls/89962-vacl-capture.html) for capturing SIP traffic without having to have a bunch of taps and span sessions in place. Of course the catalysts are extremely out of date so we are moving off of them. Trying to find someone with gear that would have that same type of features. Open to any and all vendors solution.

Thanks all!



How do I ID this IP?

Using Wireshark, I see a packet from a LAN host to an IP address not on my LAN. I used dnsstuff.com to look up the destination IP but it says :

" Failed retrieving record type from a name server. "

What might I do next? Here is the Wireshark capture:

https://imgur.com/a/hvRGLy4



Huge Cisco jabber vulnerability. Patch now



Cisco Umbrella vs Zscaler Direct Internet Access

We are going through huge POVs with both of these vendors and I see pros and cons with both. I am interested in others' opinions around both of these vendors and what you prefer as a SASE solution for securing your remote users. I'm also interested in the larger picture which includes securing the 3 w's (workplace, workforce, workload) because the overall goal is to implement zero trust across various boundaries over time but the remote user side is the first part of our journey.

Much appreciated to all who are able to offer advice or personal experiences dealing with either vendor in these spaces.

And ... Go :)



4G and 5G Routers Help

Hello, I already know that 5G has three bands, low, mid and high, each with their own frequencies and speeds. I also know that a WiFi router could have either 2.4 GHz or 5 GHz or both. Yet, I still do not understand the following: Can I use a 5G SIM in a 4G WiFi router? Or should I change my router to a 5G router? If yes, or no, is it about the frequency or the speed? As far as I know, 5G has multiple frequencies from under 1 GHz all the way up to 95 GHz or maybe more.

Thank you.



Running a routing protocol (ie- router eigrp .0.0.0.0)

I don't know if I even got the syntax correct when I wrote it above, but is there any benefit to running a routing protocol when it's not necessarily mandatory to do so? I have seen a couple of diagrams from various tutorials that include this element, but whoever made them doesn't go into detail. So back to the question, would there be a benefit?



[HELP] Searching for a switch that DOESN'T DELETE statistics after reboot/power loss

Hi,

I'm searching for a >=8 port 1 Gbit/s switch which doesn't delete the port stats (e.g. packets or bytes rx/tx) after it loses power or gets rebooted. So far I haven't found one that's not total overkill with other features and price.

My current switch is a TP-Link TL-SG108E (~30€) which is perfect for me except the loss of stats...



Thursday, December 10, 2020

How to stop Implicit Source Port Mapping in iptables?

I've got an embedded Linux device that needs to forward some broadcast packets to another embedded device that is part of the assembly, connected with a dedicated Ethernet interface. Only the Linux device is exposed to the network, but I need to receive broadcast packets on the sub-device.

To achieve this I receive the packets on a raw socket, and resend them on the dedicated interface to the other device, spoofing the source and destination address. This works fine, but when the device wants to reply (on a specific port) it comes through the firewall configured with iptables, goes through the forward chain and gets masqueraded as expected, but the source port gets changed to 1024, which looks like implicit source port mapping to me.

The issue is I can't find any other process communicating on that port that would make this occur (checked with netstat).

I've attached a conntrack log for the message passing below.

[NEW] udp 17 30 src=10.1.1.45 dst=10.1.1.83 sport=51702 dport=44818 [UNREPLIED] src=10.1.1.83 dst=10.1.1.45 sport=44818 dport=51702
[NEW] udp 17 30 src=10.0.0.1 dst=10.1.1.45 sport=44818 dport=51702 [UNREPLIED] src=10.1.1.45 dst=10.1.1.83 sport=51702 dport=1024

Does anybody have any ideas on what might be causing this behavior or how to get around it?

A few things I have tried:

  • Pared down to a basic firewall config
  • Checked whether any ports are open with netstat -tuln
  • conntrack -E
  • Trying different socket configurations in the forwarding script
  • Changed MASQUERADE to SNAT: iptables -A POSTROUTING -t nat -o $ifc -j SNAT --to-source x.x.x.x
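The two conntrack lines in the post already contain the answer to "who else is on that port", and the following is an added example, not from the original post, that parses them to show it. The kernel's NAT engine has to keep every tracked flow's (src, sport, dst, dport) tuple unique in both directions; when the reply tuple a new SNAT/MASQUERADE mapping would create already belongs to another tracked flow, it picks a different source port instead, and that is the "implicit source port mapping" the iptables man page describes (for original ports of 1024 and above the first free port it tries is 1024). The log lines are the poster's own, reproduced verbatim apart from whitespace.

```python
# Added example (not from the original post): parse conntrack -E output and,
# for every NEW flow whose source port was rewritten, find the earlier flow
# that already owned the reply tuple NAT would otherwise have created.
import re

# the two events quoted in the post (whitespace normalised, otherwise verbatim)
POSTED_EVENTS = """\
[NEW] udp 17 30 src=10.1.1.45 dst=10.1.1.83 sport=51702 dport=44818 [UNREPLIED] src=10.1.1.83 dst=10.1.1.45 sport=44818 dport=51702
[NEW] udp 17 30 src=10.0.0.1 dst=10.1.1.45 sport=44818 dport=51702 [UNREPLIED] src=10.1.1.45 dst=10.1.1.83 sport=51702 dport=1024
"""

HEAD = re.compile(r"^\s*\[(\w+)\]\s+(\w+)\s+(\d+)")
TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_event(line):
    """One conntrack -E line -> event type, protocol and both tuples as
    (src, sport, dst, dport). The second tuple is the reply conntrack expects,
    so it already reflects any NAT applied to the flow."""
    head, tuples = HEAD.match(line), TUPLE.findall(line)
    if not head or len(tuples) != 2:
        raise ValueError("not a conntrack event with two tuples: " + line)
    (osrc, odst, osp, odp), (rsrc, rdst, rsp, rdp) = tuples
    return {"event": head.group(1), "proto": head.group(2),
            "orig": (osrc, int(osp), odst, int(odp)),
            "reply": (rsrc, int(rsp), rdst, int(rdp))}


def port_mangled(ev):
    """True when NAT gave the flow a different source port than it sent with."""
    return ev["reply"][3] != ev["orig"][1]


def explain_mangling(events):
    """Findings for each NEW flow whose source port was rewritten, naming the
    earlier flow (if any) that already held the tuple NAT wanted to use."""
    seen, findings = [], []
    for ev in events:
        if ev["event"] == "NEW" and port_mangled(ev):
            rsrc, rsp, rdst, _ = ev["reply"]
            wanted_reply = (rsrc, rsp, rdst, ev["orig"][1])   # reply tuple without mangling
            owner = next((old for old in seen
                          if wanted_reply in (old["orig"], old["reply"])), None)
            findings.append({"flow": ev["orig"],
                             "wanted_port": ev["orig"][1],
                             "chosen_port": ev["reply"][3],
                             "clashes_with": owner["orig"] if owner else None})
        seen.append(ev)
    return findings


if __name__ == "__main__":
    events = [parse_event(line) for line in POSTED_EVENTS.splitlines()]
    for finding in explain_mangling(events):
        print(finding)
```

On the posted lines the second flow's un-mangled reply tuple, 10.1.1.45:51702 to 10.1.1.83:44818, is exactly the original tuple of the first entry, which is the re-sent broadcast the forwarding script injected with a spoofed source. That entry exists because the injected packet itself passed through conntrack; keeping it out of the table with a raw-table rule (-t raw ... -j CT --notrack matching that injected flow) is the first thing worth trying, since with no competing entry there is nothing for the SNAT to collide with.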


So I'm looking for some practice

Alrighty so I'm a student and I'm studying a CCNA and Security+. With the current layout of online training because of covid, my ability to get some hands-on troubleshooting experience is lacking. I do however have Packet Tracer and I'm working on building a very, very low budget computer to be a server so I can do virtual machines and play around with that, but that's a ways down the road.

I guess what I'm asking is if there is a place where I can practice fixing network things like a router going down. Or what would really be ideal is if there are Packet Tracer files that are designed to not work at first and the goal is to get it running.

If there are any other tips for helping me get my hands dirty I'd be very open to suggestions. In terms of my skill I'm a little shaky, but I've got an ok grasp of basic CCNA routing and switching concepts and I'm pretty confident with my Security+ skills.

Thanks a ton!



Changing Firewalls from Versa to... something

So, I have the opportunity to get away from Versa through CenturyLink (Lumen now) and I'm trying to figure out what to go with. We get Cisco NFR pricing at around 80%, so I'm thinking of replacing them all with potentially Cisco Meraki MX-250s for the main office and MX-100s for the branch offices. I'm also contemplating Cisco's NGFW (at least for the corporate office). We were pushed on the Versas years ago because my company wanted to use SDWAN, but honestly we have 0 use for it, and site-to-site tunnels are fine.

Corporate office has maybe 200 users (or will after this stupid panic is over), branch offices have anywhere from 5 to 20 users.

Due to the NFR pricing, it's obvious that we need to stick with Cisco, but is going with Meraki a bad choice for an enterprise network, or should I push for the NGFW?



Help with OpenSSL

I am trying to implement a transparent HTTPS proxy, i.e. a proxy that can decrypt TLS/SSL-encrypted messages. I'm using the OpenSSL library and having a lot of trouble getting started and would appreciate any and all advice.

Something to note is that I have no intentions of making it publicly usable, so I am happy to create my own CA and have my machine unconditionally trust it, or receive warnings from my browser (using Firefox on OS X). Also, I am aware of the openssl command-line tool, but I am trying to use the C libraries, and stay away from the tool. If there is a good reason to use the tool, please let me know.

Right now, I am just trying to get the proxy to act as a server to a single client. I am trying to generate a single certificate and encrypt/decrypt messages to that client. Next, I will implement client functionality to communicate with servers, and continue to use the one certificate with the client. From what I have gathered, this should still work, but the browser will provide warnings.

The end goal is to dynamically generate and re-use certificates for all new hosts so there are no warnings. However, I am still stuck at the first step. I do not even understand how a single self-signed certificate could work for more than 1 host at all, but my best attempt at trying to make such a certificate is creating one with the Subject Common Name (CN) as *. Currently, I have been testing just using curl, and specifying the certificate with --cacert. However, I know curl can have some odd behavior, so let me know if I should start testing with my browser, even for just one client.

Any advice or instruction, even just how to create such a certificate, would be very appreciated. Additionally, guidance to other subreddits where this may receive more traction/support would be appreciated as well.
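The post's plan of a single certificate with Subject CN "*" runs into the name-matching rules that TLS clients apply, so here is an added example (not code from the post, and not OpenSSL's own API) that implements those rules in plain Python: names come from the subjectAltName dNSName entries, the CN is consulted only on a legacy certificate with no SAN at all, a wildcard is honoured only as the whole leftmost label of a name with at least two further labels, and it covers exactly one label. Every hostname and certificate name in the block is constructed for the demonstration.

```python
"""Why a single certificate with CN='*' cannot stand in for every host.

Added example, not code from the original post and not part of OpenSSL.
It models the hostname-matching rules that current TLS clients apply
(RFC 6125 / RFC 9525 style, as browsers and curl implement them):
  * names are taken from the subjectAltName dNSName entries; when any SAN
    exists the CN is ignored (browsers ignore the CN unconditionally);
  * a wildcard is honoured only as the complete leftmost label
    ('*.example.com'); 'www*.example.com' and 'a.*.com' are rejected;
  * a wildcard matches exactly one label, so '*.example.com' covers
    'api.example.com' but neither 'example.com' nor 'a.b.example.com';
  * a bare '*' and a wildcard on a single-label name ('*.com') match nothing.
All names below are constructed for the demonstration.
"""
from __future__ import annotations


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against one hostname, case-insensitively."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only '*.<label>.<label>...' is an acceptable wildcard form.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False                      # rejects '*' and '*.com'
    if any("*" in label for label in p_labels[1:]):
        return False                      # rejects 'a.*.com', '*.*.com'
    # The wildcard stands for exactly one non-empty label.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def hostname_matches(hostname: str, san_dns_names: list[str],
                     common_name: str | None = None) -> bool:
    """True if the certificate's names cover `hostname`.

    With any SAN dNSName present only the SAN list is consulted. The CN
    path exists for legacy certificates without a SAN; modern browsers
    reject such certificates outright, so it is kept only for completeness.
    """
    if san_dns_names:
        names = san_dns_names
    else:
        names = [common_name] if common_name else []
    return any(_name_matches(name, hostname) for name in names)


if __name__ == "__main__":
    # The post's idea: one certificate whose CN is '*'.
    print(hostname_matches("www.example.com", [], common_name="*"))      # False
    # What a per-host leaf certificate from a private CA would carry.
    print(hostname_matches("www.example.com", ["www.example.com"]))      # True
```

The consequence for the proxy design is the one the post already heads towards: a leaf certificate per target host, carrying that hostname in its SAN and signed by the private CA the test machine trusts, is what passes these checks, and a wildcard leaf can at most cover one label under a fixed parent domain. A rule-of-thumb check when curl and a browser disagree is to compare what each does with the SAN list, since the CN alone is ignored by browsers.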



Stack 2960XR switches via uplink port

Hey there everybody, I am in a situation where we either push Cat6A to the limit (305m+) or purchase another rack setup which would be about 25m away from the current IDF. This is obviously too far for the stacking cables, so I am wondering if I can set up this second switch as a slave via fiber and the uplink port. I found some conflicting information from a few sources that's a little bit outside my scope, so I would like to ask the hive mind of Reddit's infinite wisdom.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Advice on getting up to speed with VXLAN with BGP EVPN?

Basic working knowledge of BGP. CCNP Enterprise study-level knowledge of VXLAN. Tried to read the ciscopress BGP EVPN VXLAN book, it was immediately over my head. Anyone have recommendations on materials to help get familiar with this technology?



Help Needed on cable management

Hello,

Recently I've been working on our company's network rack to clean up the cable mess. It is becoming quite a daunting task. The company has two networks, with a 24-port switch for one network and a 24-port switch + 52-port switch for the other network.

The network rack holds 4x 48-port patch panels and the switches all in one. From time to time, the cables get plugged into the different switches which are on separate networks. The patch cables run parallel to the network rack up and down. It looks kind of like a mess. Is there a way to clean this up? I'm not sure how to do this. I would really appreciate your ideas. Thanks!



Cisco vs Arista - Pros / Cons?

Hi All,

We're a 100% Cisco shop for everything L2-L3. Management is getting tired of Cisco's price structures, especially now that DNA is becoming 'required'.

One of our engineers has been flirting with Arista as a possible replacement. Does anyone have experience with Arista boxes? Do they perform better, are they easier to manage, etc.?

I'm always excited to branch out. We are mostly EIGRP from core to sites, but that's easily replaceable.



Multi-homed BGP

I'm not super versed on BGP, but I'm working something out and I'm hoping to bounce it off some peeps to see how I might do this.

I've got a firewall with 2 ISPs, doing BGP peering with both of them and advertising the same /24 to both.

I have a use case where I need to force 2 IPs to only route IN via a specific IP.

My thought was to add an advertisement of the /32 out the specific ISP. Doing this with route maps and prefix lists.

With that being a more specific route it should be preferred over the /24 right? And even though the /24 might have a shorter path through one ISP, it should still route to the ISP that advertised the /32 correct?

Is this the right way to go about this, or is there a better option?
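The reasoning in the post (a /32 beats the /24 because forwarding picks the longest matching prefix first, and AS-path length only decides between routes to the same prefix) can be checked with a small model. The following is an added example, not the poster's configuration and not any vendor's BGP implementation: it builds a constructed RIB as a remote router might see it, with placeholder AS numbers and documentation prefixes, and runs the selection for a few destinations.

```python
"""Longest-prefix match: why a /32 announced via one ISP wins over a /24 via the other.

Added example, not from the original post and not a BGP implementation.
It models a simplified remote view of the table: each prefix is learned
with an AS path, forwarding picks the most specific prefix first, and
AS-path length breaks ties only between routes to the same prefix.
All prefixes and AS numbers below are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple[int, ...]     # leftmost = the neighbour AS the route was learned from


def best_path(dest: str, rib: list[Route]) -> Route | None:
    """Longest-prefix match, then shortest AS path as the tie-breaker."""
    ip = ipaddress.ip_address(dest)
    candidates = [r for r in rib if ip in r.prefix]
    if not candidates:
        return None
    # Most specific prefix first; among equal lengths the shorter AS path wins.
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, len(r.as_path)))


# Constructed RIB: the /24 is reachable via ISP A (AS 64501, 2 hops) and
# ISP B (AS 64502, 3 hops); the two /32s are announced *only* through ISP B.
SAMPLE_RIB = [
    Route(ipaddress.ip_network("203.0.113.0/24"), (64501, 64500)),
    Route(ipaddress.ip_network("203.0.113.0/24"), (64502, 64510, 64500)),
    Route(ipaddress.ip_network("203.0.113.10/32"), (64502, 64510, 64500)),
    Route(ipaddress.ip_network("203.0.113.11/32"), (64502, 64510, 64500)),
]


def ingress_isp(dest: str, rib: list[Route] = SAMPLE_RIB) -> int | None:
    """AS of the neighbour the packet is forwarded to, or None if unreachable."""
    r = best_path(dest, rib)
    return r.as_path[0] if r else None


if __name__ == "__main__":
    for host in ("203.0.113.10", "203.0.113.50"):
        print(host, "->", ingress_isp(host))
```

One caveat the model does not capture: many transit providers filter announcements longer than /24, so the /32 may be accepted by the directly peered ISP and dropped further out. If the /32 does not propagate, the rest of the internet still follows the /24 and the pinning only holds one hop away.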



MPO24 to MPO12 conversion

Okay, so we have a BT Ciena with a 100G MPO12 termination on it, and an ADVA we are trying to connect it to with a 100G MPO24 transceiver in it.

I know we can't just use an MPO24 cable and plug it into the MPO12 as the fibres don't line up. But I can't find a clear answer on whether a 24 to 2x12 harness cable (and just not plugging in one of the 12s) will still work? In my head it won't, because the MPO24 will run 10G per fibre pair and the MPO12 will be 25G per pair, and that doesn't line up.

But am I just talking rubbish?



Aruba switches and Cisco DNA?

Does anybody know, I can't find the documentation, can you integrate Aruba (3810 and 2930) switches into Cisco DNA?



SDN Step by Step Application Level Project Tutorial

Hi Redditors,

I need to do a student project about SDN. Although I know that some virtual machine environments have Mininet and ONOS, I cannot find a proper way to go through it to make an application. Java and Karaf knowledge should be needed to fully understand what can be done with ONOS. Besides, I checked Ryu and didn't find step-by-step complete application guidance. Furthermore, the tutors of the project want this study to have the potential to contribute to the literature, or at least it should be more complex than just creating a firewall in SDN.

So, please help: is there any zero-to-complete project guide to be my entrance to the SDN world? Is there any advice on what the topic of the project should be?

Respectfully,



Need help: WDS problem

Hi, I got 2 routers, a TP-Link TD-W8961N and a Tenda D305. Don't have a modem; I plug the DSL cable directly into one of them. When the TP-Link is the main router, the Tenda won't detect it in the wireless bridge section of



Examples of Network as Code On Prem

Hey All, My background is not in Networking, but I'm helping some co-workers with getting started with automation in the networking space and I'm looking for examples, case studies, articles, etc., of companies that have actually implemented true Infrastructure as Code in the network device configuration space, for on prem (like Cisco 7000, NSX-T, firewalls). It seems like a lot of the information I find when searching is people using Ansible or something as a runbook tool, for making changes to existing configurations.

The tools and modules definitely exist, but when it comes to full device configuration being stored in source control where the repository is the source of truth, that doesn't seem to be a pattern yet in the networking space. Am I wrong? Am I missing something? Thanks!



Networking Gurus please help me figure out whether this will handle my Double NAT situation.

I have a UDM Pro just like this article and an apple router and nest WiFi router behind it. I did like this says, and it seems to work.

Not sure if this makes sense. If not, please help me deal with this...

https://link.medium.com/n4MCqLzy6bb



Do you think Ubiquiti could in the future be a bigger player than Cisco in networking? Why do you prefer Ubiquiti hardware over Cisco?

Hi! The title says it :) I'd like to know your opinion and the experiences you've had with each of them. Cisco vs Ubiquiti. Thanks in advance for the answers; I'll very much appreciate it.



MFA with TACACS for network device administration.

I came across a customer recently who, as a bit of a side project, wanted some assistance setting up MFA using RSA SecurID and TACACS on Cisco ISE to log in to their switches and routers. I had no idea this was even possible until they asked.

I didn't have to do too much on ISE to make this work with their existing TACACS policies, and someone else took care of the RSA side config.

It worked really well, and got me wondering why MFA isn't used for device administration more often.

Anyone else using MFA with TACACS, regardless of provider and TACACS server?



Deleting a very large txt file from flash : Cisco

A few years ago Cisco enabled event manager to record data on an ASR to a txt file which is stored in flash.

I've just noticed that the event manager is still running, and so the txt file is over 2 GB in size now and stored in flash :/

I've tried to delete it from the bootflash but get the error 'error deleting eem-log.txt (Value too large to be stored in data type)'

I'd like this space back and I think if I reboot it the file will still have the same issue with being deleted?

Any tips on how I can delete this file?

Thanks



Squid with more than 128 ports?

Hello everyone,

We have a few Squid proxy servers with a total of around 400 different incoming ports, which we have been connecting to directly so far before going out to the internet. We have decided that we want to add a cloud instance in the middle that will authenticate users and only then forward them to the Squid instance.

I was thinking of using Squid for that as well, but we have to use over 400 ports, and I know Squid has a limit of 128. I also know that it is possible to build Squid in a way that will enable more than 128 ports, but this comes with a performance hit.

What would be the best solution for a cloud-based forward proxy server that can be transparent, easily manage users and whitelisted IPs, have rich logs, and can support any number of ports?

Thanks.



Interesting routing loops

Traffic seems like it's not arriving at my server, xmsg.cfs.works, from any place on the internet. It seems to route around between a few IPs, haphazardly.

Weirdly enough it seems to work just fine if I send TCP/IP "Christmas tree packets."

Anyone interested to take a look? (And have a good Christmas everybody!)



Opening 2 tunnels for 2 NICs on the same machine

Hey everyone,

I am working at a company that needs clients to go out to the internet with a 4G connection.

I have a Raspberry Pi 4 with Squid proxy running which is listening on 2 ports, for example 3001 and 4001.

I would like to use a cloud service like AWS to open 2 different tunnels between the cloud and the Raspberry, and then open some ports on the cloud so I can reach the Raspberry from anywhere without forwarding any ports on the rasp itself (which is impossible on a mobile network in my region).

Traffic will take this route:

User on port 3001 -> AWS on port 3001 -> Raspberry on port 3001

User on port 4001 -> AWS on port 4001 -> Raspberry on port 4001

I know how to achieve this easily by using a VPN, but the issue is that I have 2 NICs on this Raspberry (USB modems), and using a VPN only opens one tunnel and is using only one NIC, creating a bottleneck.

How can I open 2 tunnels, each using a different NIC on the Raspberry Pi?

This way "user3001" will have the full bandwidth of 1 modem, and "user4001" will have the full bandwidth of the other modem.

Thanks!



Extra interfaces on SNMP

Morning all,

I have something that I haven't seen before and can't figure out.

We have recently built a new Zabbix template to show if the interfaces descriptions are correct for our environment. In doing so we are getting alarms for interfaces on Cisco boxes that don't exist.

For example, I have a 1921/K9 running Version 15.0(1r)M16 which on an SNMP walk shows interfaces gi0/0, gi0/1 and gi0/2. However, the box doesn't have a gi0/2! It has got an expansion card (0/0/0 - 3) which is polling correctly.

The output of the SNMP walk is:

[root@name ~]# snmpwalk -v 2c -c "community" "IP address" 1.3.6.1.2.1.2.2.1.2
IF-MIB::ifDescr.1 = STRING: Embedded-Service-Engine0/0
IF-MIB::ifDescr.2 = STRING: GigabitEthernet0/0
IF-MIB::ifDescr.3 = STRING: GigabitEthernet0/1
IF-MIB::ifDescr.4 = STRING: GigabitEthernet0/2 <------------- The box doesn't have this interface.

Has anyone seen this before? I can't see anything online about it; my first thought is that it's a bug in IOS, as only a few devices are doing it and all the other vendors we have in the network are fine.

Thanks in advance.
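For a template that alerts on interface descriptions, the practical step is to diff what the walk returns against the interfaces the device is known to have, so a phantom ifTable row shows up as its own finding rather than as a missing-description alarm. The following is an added example, not the poster's Zabbix template: it parses ifDescr lines in the format Net-SNMP's snmpwalk prints (the constructed sample mirrors the post's output, with one expansion-card port added), normalises the usual short names (gi0/0 to GigabitEthernet0/0), and lists the rows that have no physical counterpart.

```python
"""Find ifTable rows that do not correspond to a physical interface.

Added example, not the poster's Zabbix template. It parses ifDescr rows in
the form Net-SNMP prints ("IF-MIB::ifDescr.<ifIndex> = STRING: <name>"),
normalises short interface names, and reports rows whose name is not on
the expected list. The walk output and the inventory below are constructed
to mirror the post.
"""
from __future__ import annotations

import re

# One ifDescr row per line, as emitted for OID 1.3.6.1.2.1.2.2.1.2.
IFDESCR_RE = re.compile(r"^IF-MIB::ifDescr\.(\d+)\s*=\s*STRING:\s*(.+?)\s*$")

# Interface-name prefixes as written in inventories and configs (constructed list).
ABBREV = {
    "gi": "GigabitEthernet",
    "fa": "FastEthernet",
    "te": "TenGigabitEthernet",
}

# Constructed sample matching the walk in the post, plus one expansion-card port.
SAMPLE_WALK = """\
IF-MIB::ifDescr.1 = STRING: Embedded-Service-Engine0/0
IF-MIB::ifDescr.2 = STRING: GigabitEthernet0/0
IF-MIB::ifDescr.3 = STRING: GigabitEthernet0/1
IF-MIB::ifDescr.4 = STRING: GigabitEthernet0/2
IF-MIB::ifDescr.5 = STRING: GigabitEthernet0/0/0
"""


def normalize_ifname(name: str) -> str:
    """Expand 'gi0/1' to 'GigabitEthernet0/1'; leave unknown prefixes untouched."""
    m = re.match(r"^([A-Za-z-]+)(\d.*)$", name)
    if not m:
        return name
    prefix, rest = m.groups()
    return ABBREV.get(prefix.lower(), prefix) + rest


def parse_ifdescr(walk_output: str) -> dict[int, str]:
    """Map ifIndex -> ifDescr, skipping lines that are not ifDescr rows."""
    table: dict[int, str] = {}
    for line in walk_output.splitlines():
        m = IFDESCR_RE.match(line.strip())
        if m:
            table[int(m.group(1))] = m.group(2)
    return table


def phantom_interfaces(walk_output: str, physical: set[str]) -> dict[int, str]:
    """ifDescr rows whose (normalised) name is not in the physical inventory."""
    present = {normalize_ifname(n) for n in physical}
    return {
        idx: name
        for idx, name in parse_ifdescr(walk_output).items()
        if normalize_ifname(name) not in present
    }


if __name__ == "__main__":
    inventory = {"Embedded-Service-Engine0/0", "gi0/0", "gi0/1", "gi0/0/0"}
    print(phantom_interfaces(SAMPLE_WALK, inventory))   # {4: 'GigabitEthernet0/2'}
```

Keeping the inventory per device model (or pulling it from the configuration) turns the alarm into "the agent reports an interface that should not exist", which is the question the post is actually asking, and separates it from description mismatches on real ports.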



Need help to narrow the issue here. / MSS MTU problem

Hello everyone,

I work as tech support for an ISP. We operate in country A. In country B, we have a layer 3 agreement with another ISP to bring our services abroad. I've never encountered issues except with their latest 4G VPN-MPLS link deployed in country B.

Link deployed: ping towards the VPN in country A works, with a max size of 1394 (DF bit set). Ping towards 8.8.8.8 with a max size of 1394 works. Some websites are reachable, like all of Google's services (Maps, YouTube...), but not typical "simpler" web servers. TeamViewer is working. In Wireshark, I see dropped, RST, and TCP retransmission sessions, because length is < 1398, and on the PC side, the web page never loads.

I asked provider B to set the ip tcp mss value on their link to 1382 because, given the max MTU on the link, that's the max MSS we can allow.

They did it; in the SYN/ACK exchange, I can see 1382 being set in the MSS option. However, later on, TLS and other protocols are trying to communicate with a max length of 1398. Then sessions are dropped because it is too big.

What am I missing? Firewalls are on my side (ISP country A). If I manually set the tcp-mss value to 1382 on an IPv4 rule, everything is working and I can access every web server.

What can I try? Thanks a lot. Disclaimer: my English is bad, it's not my native tongue. :)
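The numbers in the post fit together once the header sizes are written out: a DF-bit ping whose largest passing payload is 1394 bytes implies a path MTU of 1394 + 8 (ICMP) + 20 (IPv4) = 1422, and the largest TCP segment that fits in that is 1422 - 20 - 20 = 1382, which is the value requested from provider B. The following is an added example, not the poster's tooling: it carries that arithmetic through and flags captured segment lengths that exceed the clamped MSS (the constructed sizes come from the post's figures).

```python
"""MTU and MSS arithmetic behind the post, plus a check over observed segment sizes.

Added example, not the poster's own tooling. Given the largest ICMP echo
payload that passes with DF set, it derives the path MTU and the TCP MSS
that has to be clamped on the link, then flags TCP payload lengths that
exceed that MSS (the retransmitted and dropped sessions seen in Wireshark).
The payload sizes in the demo are constructed from the numbers in the post.
"""
from __future__ import annotations

IPV4_HEADER = 20      # IPv4 header without options
IPV6_HEADER = 40      # fixed IPv6 header
ICMP_HEADER = 8       # ICMP echo request/reply header
TCP_HEADER = 20       # TCP header without options


def path_mtu_from_ping(max_payload: int, ipv6: bool = False) -> int:
    """Largest DF ping payload that gets through -> IP MTU of the path."""
    ip_header = IPV6_HEADER if ipv6 else IPV4_HEADER
    return max_payload + ICMP_HEADER + ip_header


def mss_for_mtu(mtu: int, ipv6: bool = False) -> int:
    """TCP MSS that fits in one unfragmented packet of the given MTU."""
    ip_header = IPV6_HEADER if ipv6 else IPV4_HEADER
    return mtu - ip_header - TCP_HEADER


def oversized_segments(payload_sizes: list[int], mss: int) -> list[int]:
    """TCP payload lengths from a capture that exceed the clamped MSS."""
    return [size for size in payload_sizes if size > mss]


if __name__ == "__main__":
    mtu = path_mtu_from_ping(1394)          # 1422, from the post's ping test
    mss = mss_for_mtu(mtu)                  # 1382, the value asked of provider B
    print(mtu, mss, oversized_segments([1382, 1398, 1360], mss))   # [1398]
```

On the direction question the post raises: the MSS option in a SYN or SYN/ACK announces what the sender of that segment can receive, so a 1382 seen only in provider B's SYN/ACK limits what the client sends towards the server and says nothing about the server's segments back to the client, which are bounded by the MSS in the client's SYN. A clamp that rewrites the option in both the SYN and the SYN/ACK, as the rule on the poster's own firewall evidently does, is what keeps both directions under the path MTU.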



Wednesday, December 9, 2020

Cisco ASA error log

My friend encountered the following errors repeatedly in a Cisco ASA log. Does anyone know how to fix it?

3|Dec 10 2020|13:48:25|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, QM FSM error (P2 struct &0x7a29d2d8, mess id 0xda080992)!

3|Dec 10 2020|13:48:25|713206|||||Group = 14.162.26.201, IP = 14.162.26.201, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

4|Dec 10 2020|13:48:25|733100|||||[ 10.5.99.6] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 8320

4|Dec 10 2020|13:48:25|733100|||||[ 10.60.100.11] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 8320

4|Dec 10 2020|13:48:25|733100|||||[ 10.5.99.4] drop rate-1 exceeded. Current burst rate is 1 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 8256

4|Dec 10 2020|13:48:25|733100|||||[ 10.30.7.43] drop rate-1 exceeded. Current burst rate is 1 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 8257

4|Dec 10 2020|13:48:25|113019|||||Group = 14.162.26.201, Username = 14.162.26.201, IP = 14.162.26.201, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

3|Dec 10 2020|13:48:25|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, Removing peer from correlator table failed, no match!

3|Dec 10 2020|13:48:25|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, QM FSM error (P2 struct &0x7a29d2d8, mess id 0x3d71d3e4)!

3|Dec 10 2020|13:48:25|713206|||||Group = 14.162.26.201, IP = 14.162.26.201, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

4|Dec 10 2020|13:48:25|113019|||||Group = 14.162.26.201, Username = 14.162.26.201, IP = 14.162.26.201, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

3|Dec 10 2020|13:48:25|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, Removing peer from correlator table failed, no match!

3|Dec 10 2020|13:48:25|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, QM FSM error (P2 struct &0x73e693f8, mess id 0xad0fcaf9)!

3|Dec 10 2020|13:48:25|713206|||||Group = 14.162.26.201, IP = 14.162.26.201, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

4|Dec 10 2020|13:48:25|113019|||||Group = 14.162.26.201, Username = 14.162.26.201, IP = 14.162.26.201, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

3|Dec 10 2020|13:48:25|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, Removing peer from correlator table failed, no match!

3|Dec 10 2020|13:48:25|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, QM FSM error (P2 struct &0x790711c8, mess id 0x85b09098)!

3|Dec 10 2020|13:48:25|713206|||||Group = 14.162.26.201, IP = 14.162.26.201, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

4|Dec 10 2020|13:48:25|113019|||||Group = 14.162.26.201, Username = 14.162.26.201, IP = 14.162.26.201, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

3|Dec 10 2020|13:48:25|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, Removing peer from correlator table failed, no match!

3|Dec 10 2020|13:48:21|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, QM FSM error (P2 struct &0x781ef500, mess id 0xb508e08c)!

3|Dec 10 2020|13:48:21|713206|||||Group = 14.162.26.201, IP = 14.162.26.201, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

4|Dec 10 2020|13:48:21|113019|||||Group = 14.162.26.201, Username = 14.162.26.201, IP = 14.162.26.201, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

3|Dec 10 2020|13:48:21|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, Removing peer from correlator table failed, no match!

3|Dec 10 2020|13:48:21|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, QM FSM error (P2 struct &0x8fe05300, mess id 0x71a1142a)!

3|Dec 10 2020|13:48:21|713206|||||Group = 14.162.26.201, IP = 14.162.26.201, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

3|Dec 10 2020|13:48:21|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, Removing peer from correlator table failed, no match!

3|Dec 10 2020|13:48:21|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, QM FSM error (P2 struct &0x73e693f8, mess id 0x6d1e1e42)!

3|Dec 10 2020|13:48:21|713206|||||Group = 14.162.26.201, IP = 14.162.26.201, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

4|Dec 10 2020|13:48:21|113019|||||Group = 14.162.26.201, Username = 14.162.26.201, IP = 14.162.26.201, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

3|Dec 10 2020|13:48:21|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, Removing peer from correlator table failed, no match!

3|Dec 10 2020|13:48:21|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, QM FSM error (P2 struct &0x781ef500, mess id 0xabeabad)!

3|Dec 10 2020|13:48:21|713206|||||Group = 14.162.26.201, IP = 14.162.26.201, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

4|Dec 10 2020|13:48:21|113019|||||Group = 14.162.26.201, Username = 14.162.26.201, IP = 14.162.26.201, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

3|Dec 10 2020|13:48:21|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, Removing peer from correlator table failed, no match!

3|Dec 10 2020|13:48:21|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, QM FSM error (P2 struct &0x790711c8, mess id 0x3fc3c39d)!

3|Dec 10 2020|13:48:21|713206|||||Group = 14.162.26.201, IP = 14.162.26.201, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

4|Dec 10 2020|13:48:21|113019|||||Group = 14.162.26.201, Username = 14.162.26.201, IP = 14.162.26.201, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

3|Dec 10 2020|13:48:21|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, Removing peer from correlator table failed, no match!

3|Dec 10 2020|13:48:21|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, QM FSM error (P2 struct &0x8fe05300, mess id 0x313c2ffc)!

3|Dec 10 2020|13:48:21|713206|||||Group = 14.162.26.201, IP = 14.162.26.201, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

4|Dec 10 2020|13:48:21|113019|||||Group = 14.162.26.201, Username = 14.162.26.201, IP = 14.162.26.201, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

3|Dec 10 2020|13:48:21|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, Removing peer from correlator table failed, no match!

3|Dec 10 2020|13:48:17|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, QM FSM error (P2 struct &0x75294458, mess id 0x46b04fb)!

3|Dec 10 2020|13:48:17|713206|||||Group = 14.162.26.201, IP = 14.162.26.201, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

4|Dec 10 2020|13:48:17|113019|||||Group = 14.162.26.201, Username = 14.162.26.201, IP = 14.162.26.201, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

3|Dec 10 2020|13:48:17|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, Removing peer from correlator table failed, no match!

3|Dec 10 2020|13:48:17|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, QM FSM error (P2 struct &0x73e693f8, mess id 0xf6b6da92)!

3|Dec 10 2020|13:48:17|713206|||||Group = 14.162.26.201, IP = 14.162.26.201, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

4|Dec 10 2020|13:48:17|113019|||||Group = 14.162.26.201, Username = 14.162.26.201, IP = 14.162.26.201, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

3|Dec 10 2020|13:48:17|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, Removing peer from correlator table failed, no match!

3|Dec 10 2020|13:48:17|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, QM FSM error (P2 struct &0x8fe05300, mess id 0xbc048dd)!

3|Dec 10 2020|13:48:17|713206|||||Group = 14.162.26.201, IP = 14.162.26.201, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

4|Dec 10 2020|13:48:17|113019|||||Group = 14.162.26.201, Username = 14.162.26.201, IP = 14.162.26.201, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

3|Dec 10 2020|13:48:17|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, Removing peer from correlator table failed, no match!

3|Dec 10 2020|13:48:17|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, QM FSM error (P2 struct &0x75294458, mess id 0x1b079640)!

3|Dec 10 2020|13:48:17|713206|||||Group = 14.162.26.201, IP = 14.162.26.201, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

4|Dec 10 2020|13:48:17|113019|||||Group = 14.162.26.201, Username = 14.162.26.201, IP = 14.162.26.201, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

3|Dec 10 2020|13:48:17|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, Removing peer from correlator table failed, no match!

3|Dec 10 2020|13:48:17|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, QM FSM error (P2 struct &0x73118030, mess id 0xf86ea081)!

3|Dec 10 2020|13:48:17|713206|||||Group = 14.162.26.201, IP = 14.162.26.201, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
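The log repeats the same four-message cycle per IKE attempt, so the first step is to collapse it into counts per message ID and extract the rejection reason that the 713206 line spells out. The following is an added example, not from the post: it parses the pipe-delimited lines (severity|date|time|message ID|empty fields|text) over a constructed subset of the post's own log lines and summarises them; the peer address is the one that appears in the post.

```python
"""Triage of the ASA syslog excerpt in the post.

Added example, not from the original post. Parses the pipe-delimited lines
(severity|date|time|message-id|...|text), counts them per message ID, and
groups "Tunnel Rejected" events by peer and stated reason so that the
repeated cycle collapses into a short summary. SAMPLE_LOG is a constructed
subset of the post's log, in the same format.
"""
from __future__ import annotations

import re
from collections import Counter

SAMPLE_LOG = """\
3|Dec 10 2020|13:48:25|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, QM FSM error (P2 struct &0x7a29d2d8, mess id 0xda080992)!
3|Dec 10 2020|13:48:25|713206|||||Group = 14.162.26.201, IP = 14.162.26.201, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
4|Dec 10 2020|13:48:25|733100|||||[ 10.5.99.6] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 8320
4|Dec 10 2020|13:48:25|113019|||||Group = 14.162.26.201, Username = 14.162.26.201, IP = 14.162.26.201, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
3|Dec 10 2020|13:48:25|713902|||||Group = 14.162.26.201, IP = 14.162.26.201, Removing peer from correlator table failed, no match!
3|Dec 10 2020|13:48:21|713206|||||Group = 14.162.26.201, IP = 14.162.26.201, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
"""

PEER_RE = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})")
REASON_RE = re.compile(r"Tunnel Rejected: (.+?)\s*$")


def parse_asa_line(line: str) -> dict | None:
    """Split one pipe-delimited line; return None for anything else."""
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != 9 or not parts[0].isdigit() or not parts[3].isdigit():
        return None
    return {
        "severity": int(parts[0]),
        "date": parts[1],
        "time": parts[2],
        "msg_id": parts[3],
        "text": parts[8],
    }


def summarize_asa_log(log: str) -> tuple[Counter, Counter]:
    """Counts per message ID, and counts of (peer, reason) for 713206 rejections."""
    by_id: Counter = Counter()
    rejections: Counter = Counter()
    for line in log.splitlines():
        rec = parse_asa_line(line)
        if rec is None:
            continue
        by_id[rec["msg_id"]] += 1
        if rec["msg_id"] == "713206":
            reason = REASON_RE.search(rec["text"])
            peer = PEER_RE.search(rec["text"])
            if reason:
                rejections[(peer.group(1) if peer else "?", reason.group(1))] += 1
    return by_id, rejections


if __name__ == "__main__":
    by_id, rejections = summarize_asa_log(SAMPLE_LOG)
    print(dict(by_id))
    for (peer, reason), n in rejections.items():
        print(f"{n}x {peer}: {reason}")
```

Read this way the excerpt contains two unrelated threads. The 713206 text names the fault itself: the tunnel-group the peer lands in and the group-policy it inherits disagree on the permitted tunnel protocols, so the check is the group-policy's allowed-protocol list against that tunnel-group's type; the 713902 and 113019 lines with zero bytes and "Reason: Unknown" are the consequence of the same rejected attempt. The 733100 lines are the ASA's threat-detection rate messages for the listed 10.x hosts and have nothing to do with the IKE peer.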



Firewall loopback route?

Noob question: Would a front-end firewall require a loopback route?

EDIT:

Destination: 127.0.0.1

Gateway: 127.0.0.1

Interface: 127.0.0.1

Would that be a right assumption?



ASA 5516-X Upgrade w/ firepower

Hi All,

As per the title, I'm looking to upgrade our 5516-X with Firepower services appliance from 9.7.1 to 9.8.4.

We are not currently using Firepower and have no interest in activating it.

As far as upgrades and compatibility go, am I OK to disable Firepower from the ASA CLI, and then follow the upgrade procedure as if the Firepower service wasn't present? Or am I required to upgrade Firepower even though it is not being used?

Appreciate the help.



New IT Management Question

Hey everyone.

So a few months back I landed my first IT job out of school. I am the sole IT guy at a small business where we produce large amounts of video and radio productions. The previous guy in my position left on bad terms leaving behind no information on the network.

I have been trying to access the router; however, the IP address gives me no web admin panel. I called the ISP and they said I have to submit a request because we have an SLA agreement.

So they manage our network? And I have no way of knowing if it's configured securely?

Can someone explain what this means exactly?



Debugging the Cavium Simple Executive for Liquidio

Hi there,

I don't think this one runs afoul of any of the sidebar rules.

I made a perhaps poor choice to acquire some CN6640-SNIC10E-G NICs. According to the linux-firmware git tree logs, these are CN66XX-based NICs which are supported under liquidio using the /lib/firmware/liquidio/lio_210sv_nic.bin firmware file, which is just a Cavium Simple Executive application that's supposed to pass packets from and to the host CPU over PCIe.

Sadly, this doesn't work. In the in-flash version of U-Boot, the liquidio driver simply cannot hand the firmware over to the card; when U-Boot is built from source (see the SDK here), the firmware transfer succeeds but liquidio claims the card stops responding (even though octeon-top and the serial console disagree).

I'm wondering if anyone here has any experience debugging Simple Executive applications for this or other MIPS OCTEON-based Cavium "Smart NICs" -- or whether this adventure in attempting to rescue older networking hardware is bound to fail.



Product Recommendation Requested - Small Home Wired Router. Disabling SIP ALG Required

I have several home-based contact center agents using Verizon-provided G3100 and G1100 routers for their FiOS network. These routers do not allow the customer to disable SIP ALG, which is a requirement for our screen recording software. According to Verizon support, the G1100 and G3100 routers can be put into bridge mode and connected to another router, which disables the 1100/3100 SIP ALG setting. I am shopping for an inexpensive wired router with a gigabit WAN port and at least one gigabit LAN port that allows me to disable SIP ALG. My price point is $20-$25 per router. What do you recommend?



Automatically parsing remote Linux command output in Nornir/Netmiko using JC

Most people use jc* as a command-line tool to convert Linux command output to JSON for easier parsing in scripts. But jc is also a Python library and can easily be used within automation scripts to make your life easier.

In my latest blog post you will learn how to use the jc library to automatically parse command output in Nornir scripts, using Netmiko to connect to a remote Linux host.

https://blog.kellybrazil.com/2020/12/09/parsing-command-output-in-nornir-with-jc/

*Disclaimer: I am the author of jc



Cisco 9200 stack license requirements

Hi there,

We want to replace some of our C2960s with C9200s. We want to stack the C9200s but can't find out what license is required.

From what I read you have to purchase a 3-year DNA license. Will the DNA Essentials license do, or do we need the Advanced license? I know just for switching you don't have to renew the license, but what if you want to use stacking?



BGP backdoor similar configuration for NXOS (7K)

I'm in a situation where we are swinging our traffic over to a new BGP circuit (AD 20); however, we also have a private circuit between two locations running EIGRP that are sharing routes. There are particular external EIGRP routes (AD 170) for which we would like to continue to prefer that private circuit over the BGP path.

I know with IOS we could use the BGP backdoor command, and optionally the distance command under EIGRP, but this globally affects all routes.

Searched the interwebs, and while I see topics and discussion for this particular scenario, I'm not seeing any real solutions. Any tips?



Tracking L2L VPNs and Policy.

Our org has a fair number of VPN tunnels (200ish) configured with vendors and other organizations. Tracking of the specs for these tunnels is presently done via spreadsheet and via a "VPN Form" saved on a share drive. I have been at places that all seem to do the same thing; is there a better way?



East/West Traffic Monitoring

What recommendations, war stories, tips, etc. can you all share about monitoring east/west traffic?

Our core switch is connected to approximately 25 locations.



Junos Space (Security Director) - Migrate / upgrade device

Hi all,

I'm planning a firewall replacement / upgrade. I'm upgrading an SRX1500 to an SRX4100. Since this device and its FW policies are managed through Junos Space, I'm looking for ways to make the upgrade as smooth as possible on the Junos Space side. I've tried a couple of different options:

Put the device in RMA state
Yes, this is a good way to swap a device when you're staying on the same platform. However, migrating to a newer platform with different interface configurations etc. (for instance ge-0/0/0 will map to xe-0/0/0) seems to fail: Space will remove the existing config on xe-0/0/0 and replace it with ge-0/0/0 (which doesn't exist).

Re-import the FW policies and create the device as new instead of replacing the old device
This kind of works, with the exception of the rules in "policies applied before 'device specific policies'". These policies will be imported under the "Device specific policies". With a rulebase of 600+ rules it's a pain in the ass to manually correct these rules in the GUI. I could script this but it's still a lot of work.

Configure the new FW with the old management IPs and adjust the config in Space
Not going to work: Space does some SSH key checking under the hood and sees a diff in the current config.

Did anyone else do a FW migration / upgrade with a platform change on Junos Space Security Director? Do you have any tips to make the upgrade smooth on the management side?



Communication between subnets without routing

Hello,

My 192.168.10.1/24 subnet is nearing saturation. The hosts are connected to a server (192.168.10.10/24) that manages them all.

Since I need to expand the subnet to add new hosts, but I'd rather not rely on routing, could I extend the subnet mask of the server (192.168.10.10/23) and add the new hosts on 192.168.10.11/24?

I feel that it should be working but it seems to be non-standard to say the least…

Can you please explain whether this approach is relevant or not?

Thanks a lot.
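The question comes down to a decision each host makes on its own: from its own address and mask it classifies a destination as on-link (ARP and send directly) or off-link (hand to the gateway), and nothing forces the two ends of a conversation to agree. The following is an added example, not the poster's setup, that runs that decision in both directions for the server with the widened /23 and for hosts that keep a /24; the server address is the one from the post, the new-host address is constructed in the upper half of the /23.

```python
"""What happens when the server widens its mask to /23 but the new hosts keep /24.

Added example, not the poster's configuration. A host treats a destination
as on-link when it falls inside the network derived from the host's own
address and mask; otherwise it sends to its default gateway. The function
below makes that decision for both directions of a conversation so that
asymmetric cases show up. The server address is from the post; the new
host's address is constructed in the upper half of 192.168.10.0/23.
"""
from __future__ import annotations

import ipaddress


def is_on_link(local_iface: str, remote_ip: str) -> bool:
    """True if the host configured as `local_iface` (addr/prefix) sees remote_ip as on-link."""
    iface = ipaddress.ip_interface(local_iface)
    return ipaddress.ip_address(remote_ip) in iface.network


def reachability(a_iface: str, b_iface: str) -> dict[str, bool]:
    """On-link view from each side; both must be True for direct two-way traffic."""
    a = ipaddress.ip_interface(a_iface)
    b = ipaddress.ip_interface(b_iface)
    return {
        "a_sees_b_on_link": is_on_link(a_iface, str(b.ip)),
        "b_sees_a_on_link": is_on_link(b_iface, str(a.ip)),
    }


if __name__ == "__main__":
    server = "192.168.10.10/23"
    old_host = "192.168.10.50/24"     # existing host, unchanged mask
    new_host = "192.168.11.20/24"     # constructed: new host in the upper /24
    print("server <-> old host:", reachability(server, old_host))
    print("server <-> new host:", reachability(server, new_host))
    print("old host <-> new host:", reachability(old_host, new_host))
```

The output shows the asymmetry: the /23 server will ARP for 192.168.11.20 directly, but that host, still configured with a /24, considers 192.168.10.10 off-link and sends its replies to a gateway, so without a router (or a gateway that happens to be the same layer 2 segment) the reverse path is broken, and the two groups of hosts cannot see each other at all. The consistent version of the idea is to put the /23 on every host on the segment, which is an ordinary renumber of the mask rather than a routing change; 192.168.10.0/23 is a properly aligned block, so nothing else has to move.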



Being so good that employers are begging to hire you. Is it possible?

Currently I'm a mid-to-late career Network Engineer looking to advance.

I've always told myself I want to be so good that employers are begging to hire me. My question is, is this even possible? If so, at what point does this happen? Is the job market a struggle, even for top-level experts?

I want badly to be the best, but I'm not even sure that it's worth it anymore. I want people to know who I am because of what I've accomplished, but I just can't see that happening. Am I being unrealistic here?



Cogent/Google dispute: Is Google withholding v6 routes, or in the same boat as HE.net?

Hey all! I'm trying to figure out exactly how to characterize the Cogent<->Google IPv6 split/dispute.

The main question I'm trying to answer is: Is Google using BGP communities to withhold their IPv6 routes from Cogent in order to coerce them into a peering agreement, or is Google (as with HE.net) only paying for IPv4 transit from providers that, in the IPv6 world, regard them as peers?

I was able to determine this in HE.net's case by looking at their communities+preference in Telia's LG. Their IPv4 routes have "customer" local preference (200) while their IPv6 routes have only "peering" local preference (150), and Hurricane isn't using any do-not-advertise communities on their v6 routes. So there isn't a "simple" configuration change that they can make to fix the partition (despite what I've seen Cogent sometimes allege), because Telia isn't even providing v6 transit service to HE.net.

Google (AS15169) seems to be in the same situation, but I want to make sure. Per Cogent's LG, Google's IPv4 routes arrive by way of Tata (AS6453 - is that Google's only transit provider?), and Tata's LG indicates that these are customer routes (as they have the 6453:50/customer community, not 6453:86/peer). I have tried to check the communities on Google's IPv6 routes but the looking glass appears to have a bug that prevents displaying any output.

Wondering if anybody here is in the know -- or has BGP peering with Tata to see the informational communities on Google's v6 routes -- who would be willing to elucidate. :)



Tuesday, December 8, 2020

Cisco ASA & FTD courses?

Hello guys,

I recently passed my CCNA Routing and Switching and want to go deeper into security.
I want to learn more about ASA firewalls and Firepower Threat Defense but I can't seem to find good content from scratch on those specific topics.

Can anyone recommend any particular course or resources that go from "beginner to pro" style on those topics?

Thank you in advance



can i get static ipv6 ?

I have a simple network connection with dynamic IPs (IPv4 not public) but IPv6 is accessible over the internet. Is there any way I can make my IPv6 static, so I can use my RPi, PC or mobile phone as mini servers?



Hey everyone, I am looking to undertake some training/certifications that can provide me with a stronger knowledge of SDWAN specifically - is there anything you can recommend?

Could GeoIP issues be affecting download speed?

About 3-4 weeks ago there was a temporary outage (~10 minutes) from my local ISP. It’s a WISP who has generally been great the few years I’ve had them and been able to handily deliver 200-300 Mbit down and 200-250 Mbit up using Mimosa Networks tech.

After this outage, my download speeds took a dive and I reported the issue. They did some “network maintenance” and “replaced some equipment”.

After this I noticed I had a new and quite different IP than before. Shortly after realizing this, both my wife and I noticed we were being randomly detected as being in France instead of the US to some sites. For instance, I visited Ubiquiti Networks website store and was placed into the EU/France store and even my Raspberry Pi OS updates are hitting download mirrors in France instead of in the Bay Area where we live and I’ve seen them hit in the past.

*So my question at its core is, could this GeoIP issue be affecting my download speeds?* Because it seems like ever since all of this happened I haven't been able to get more than 1-2 MB/sec download consistently from places like Microsoft, Apple, GitHub and more. Previously we could pull 25-30 MB/sec without trouble from all of these places.

ISP seems like they don’t know what is actually wrong. Nothing appears out of sorts. They do have a couple of other people reporting an issue. They’ve been in close communication with me asking me questions and telling me they’re “looking into it”, but not actually telling me a lot. They’ve asked me to do some tests with a tool called MTR which I’ve done.

I’ve definitely seen a couple of ZAYO and Level3 servers I’m consistently being routed through when downloading that are giving some pretty good packet loss in the MTR test, and I guess that could be it, but it doesn’t explain these other things that are also a little weird to me:

  • Upload is not an issue. I can send 200mb sysdiagnose files to work all day long in seconds.
  • We have had zero problems streaming content from Sling, Netflix, PBS, YouTube, etc. via AppleTV or iPad/iPhone.
  • It just seems to be file downloads where we are experiencing this.
  • Sometimes when I connect to a 3rd party VPN service, the speed issues completely disappear and I can download again at 25-30 MB/sec from MS/Apple/GitHub etc.
  • This may also be affecting work downloads via full tunnel VPN. When I run the MTR tool while on full tunnel to an internal work download server I see packet loss there too.

Interested in any thoughts or insights on this situation.

Thanks!



When I ping different IP addresses, why are the MAC addresses the same ?

I used Wireshark for packet capture and pinged three different servers. The destination MAC addresses are the same: they are all the MAC of my router. Why is this?
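
Both this question and the "subnets without routing" question above come down to the same decision a host makes for every packet: if the destination falls inside the host's own prefix, it ARPs for the destination and puts that MAC on the frame; otherwise the frame is addressed to the default gateway's MAC, whatever the IP destination is. The following is an added example written for this page, not code from either post, that models the decision with Python's ipaddress module. The addresses and the ARP table are constructed, and it assumes the new hosts of the /23 question would live in 192.168.11.0/24, the other half of the /23 the server would be widened to.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    iface: str               # address with mask, e.g. "192.168.10.10/23"
    gateway: Optional[str]   # default gateway IP, or None when none is configured


def next_hop(host: Host, dst: str) -> Tuple[str, Optional[str]]:
    """Where a packet for dst is handed off: to the destination itself (on-link,
    so the host ARPs for its MAC), to the default gateway, or nowhere."""
    own_net = ipaddress.ip_interface(host.iface).network
    target = ipaddress.ip_address(dst)
    if target in own_net:
        return ("on-link", dst)
    if host.gateway is None:
        return ("unreachable", None)
    return ("via-gateway", host.gateway)


def frame_dst_mac(host: Host, dst: str, arp_table: Dict[str, str]) -> Optional[str]:
    """The MAC that ends up in the Ethernet header: resolved for the next hop,
    not for the IP destination."""
    _kind, hop = next_hop(host, dst)
    return None if hop is None else arp_table.get(hop)


def reachable_both_ways(a: Host, b: Host) -> bool:
    """On one flat L2 segment with no router, a ping only works if each side
    considers the other on-link: the echo request AND the reply must be deliverable."""
    a_ip = str(ipaddress.ip_interface(a.iface).ip)
    b_ip = str(ipaddress.ip_interface(b.iface).ip)
    return next_hop(a, b_ip)[0] == "on-link" and next_hop(b, a_ip)[0] == "on-link"


# Constructed hosts for the /23 question (no router on the segment)
SERVER = Host("mgmt-server", "192.168.10.10/23", None)      # mask widened to /23
OLD_HOST = Host("old-host", "192.168.10.50/24", None)        # existing host, untouched
NEW_HOST = Host("new-host", "192.168.11.20/24", None)        # assumed new range: 192.168.11.0/24

# Constructed laptop and ARP cache for the "same MAC for every ping" question
LAPTOP = Host("laptop", "192.168.1.50/24", "192.168.1.1")
ARP_TABLE = {
    "192.168.1.1": "aa:bb:cc:00:00:01",    # the router
    "192.168.1.20": "aa:bb:cc:00:00:20",   # a printer on the same LAN
}

if __name__ == "__main__":
    for dst in ("8.8.8.8", "1.1.1.1", "9.9.9.9", "192.168.1.20"):
        print(dst, next_hop(LAPTOP, dst), frame_dst_mac(LAPTOP, dst, ARP_TABLE))
    print("server -> new host:", next_hop(SERVER, "192.168.11.20"))
    print("new host -> server:", next_hop(NEW_HOST, "192.168.10.10"))
    print("old host reachable both ways:", reachable_both_ways(SERVER, OLD_HOST))
    print("new host reachable both ways:", reachable_both_ways(SERVER, NEW_HOST))
```

Every internet destination resolves to the router's MAC, which is exactly what the capture shows. For the /23 idea the asymmetry is the catch: the server considers 192.168.11.20 on-link and sends the request, but a /24 host in 192.168.11.0 considers 192.168.10.10 off-link and, with no gateway, never sends the reply. Hosts that stay in 192.168.10.0/24 are unaffected.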



BGP Filtering Question

Novice BGP question --

I've only been doing BGP for the last year on my internal network, no WAN. I'm going to begin advertising our first ARIN assigned subnet to our ISPs which will require BGP peering with them. Up until now I've had no Import/Export rules in place since it was all internal. Obviously I'll want to fix that before peering with our ISPs.

1a) On my (edge) Palo Alto firewalls to my core switches, is there any reason I shouldn't just write an export rule that limits the advertisement to my core to only the three RFC1918 blocks? Since my default route from the core is my firewall anyway, I don't see any reason why any explicit WAN routes would need to be on my core -- including even just the ISPs' default.

1b) To my ISPs, I'm assuming I'll want to limit my export rule to include nothing but my ARIN assigned subnet... Nothing else?

2a) In the opposite direction, as for import rules, I'm assuming coming from the core to my firewall, it'd be fine to do the same and just write an import rule that limits the advertisement from my core to only the three RFC1918 blocks?

2b) For my import rules from my ISPs, they're supposed to only be sending me a default route (not the entire table) so I assume I should be able to write a rule matching only the IP block they're routing from and nothing else.

Does all of this sound correct? Anything I'm missing?

Thank you!
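
As an added, vendor-neutral illustration (not configuration from the post, nor Palo Alto syntax), the following Python evaluates the four policies described above as prefix-list style rules with the implicit deny every BGP implementation applies at the end, so the effect of each rule can be checked against candidate routes before it is typed into the firewall. 203.0.113.0/24 is a documentation prefix standing in for the ARIN assignment; the candidate routes are constructed.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple

# One rule mirrors a prefix-list entry: action, base prefix, optional ge/le bounds on
# the accepted prefix length. With no ge/le the candidate must equal the base exactly.
Rule = Tuple[str, str, Optional[int], Optional[int]]

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
OUR_PUBLIC_BLOCK = "203.0.113.0/24"   # placeholder (TEST-NET-3) for the ARIN assignment


def rule_matches(rule: Rule, prefix: str) -> bool:
    _action, base, ge, le = rule
    cand = ipaddress.ip_network(prefix, strict=False)
    net = ipaddress.ip_network(base, strict=False)
    if cand.version != net.version or not cand.subnet_of(net):
        return False
    if ge is None and le is None:
        return cand == net
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else cand.max_prefixlen
    return lo <= cand.prefixlen <= hi


def evaluate(policy: Sequence[Rule], prefix: str) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in policy:
        if rule_matches(rule, prefix):
            return rule[0]
    return "deny"


def permitted(policy: Sequence[Rule], routes: Sequence[str]) -> List[str]:
    return [r for r in routes if evaluate(policy, r) == "permit"]


# 1a / 2a: firewall <-> core, only RFC1918 space in either direction
EXPORT_TO_CORE: List[Rule] = [("permit", p, None, 32) for p in RFC1918]
IMPORT_FROM_CORE: List[Rule] = EXPORT_TO_CORE

# 1b: to the ISPs, exactly the assigned block, nothing more and nothing more specific
EXPORT_TO_ISP: List[Rule] = [("permit", OUR_PUBLIC_BLOCK, None, None)]

# 2b: from the ISPs, accept exactly the default route
IMPORT_FROM_ISP: List[Rule] = [("permit", "0.0.0.0/0", None, None)]

if __name__ == "__main__":
    candidates = ["10.1.0.0/16", "0.0.0.0/0", "203.0.113.0/24", "203.0.113.128/25",
                  "192.168.50.0/24", "8.8.8.0/24", "172.32.0.0/12"]
    for name, pol in [("export to core", EXPORT_TO_CORE), ("export to ISP", EXPORT_TO_ISP),
                      ("import from ISP", IMPORT_FROM_ISP)]:
        print(f"{name}: {permitted(pol, candidates)}")
```

The exact-match rule toward the ISPs is what stops an accidental more-specific (203.0.113.128/25) or an RFC1918 route from leaking out, and the exact-match default toward the core stops a full table or a stray public prefix from being accepted if an ISP ever sends more than agreed.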



6 GHz access points?

Are there any 6 GHz APs currently available, or do any of you know when one could expect them to be available in 2021?

Thanks for your help!



Cat6 in 2001?

Hi all, hoping someone can remember this far back. I remember doing a cabling job in 2001 in the UK that had to be to Cat6 standard even though the standard wasn't ratified at that point. I remember using a cable/patch panel/outlet manufacturer that guaranteed their stuff would pass Cat6 standards when it was ratified (2002). I also had to hire a new Fluke tester to certify the cabling at that point. Would anyone remember any brands at the time that might have done this?



Commercial Support for SoftEther VPN

I'm trying to find a company who provides b2b commercial support (urgent bugfixes, patches) for the SoftEther VPN open-source project.

Does anybody know of a company who may do this?

I'm also interested to hear about any experiences with SoftEther.



Are there any good Cisco DevNet sandbox labs for practicing automation with Python/Ansible?

I was hoping to find one pre loaded with ansible. Do any like that exist?



OSPF MTU

Hi All,

We have a Cisco 9407 and a Juniper MX480 in an OSPF peering on our prod network. The C9407 has a system MTU of 9192, meaning all of its interfaces are set with 9192 MTU, while the J-MX480 has been configured with a 9014 MTU specifically on the interface facing the C9407. This was the working configuration for almost 2 years until the OSPF neighborship went down. We resolved the issue by adding 'ip mtu 1500' and 'ip ospf mtu-ignore' commands on the C9407. Cisco TAC said it is an MTU mismatch, but what we wanted to know was what triggered the sudden tearing down of the OSPF neighborship that worked for almost 2 years. We cannot replicate the issue anymore. Anyone experienced something like this?

TIA



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Can you use gns3 and Vmware to create a fully functioning AD environment?

I'm looking into getting my networking and overall system administration skill sets down and I'm wondering if I can make a fully virtualized AD environment in gns3, so that I can practice both networking and Windows administration. Is this possible?

I see you can add VMware VMs to gns3 and ping other devices, but can you have a real environment to do something like roll out group policy from a domain controller to other VMs through a virtual network created on gns3?

I've tried searching google but see nothing on the topic. If this is not possible, then is a physical lab the only way to practice a real networking environment with real Windows systems?



Books about building secure network architectures?

What's a solid foundational text for ensuring the basics? Where to place your firewalls? How to segment client data? Opening a route to the DMZ? I see these books in Amazon - what's everyone think? Add your favorites, thanks!

Security Engineering: A Guide to Building Dependable Distributed Systems 3rd Edition

Zero Trust Networks: Building Secure Systems in Untrusted Networks 1st Edition



Unusual login names and attempts.

Recently noticed an unusual login name attempting to access AirWave in our ISE TACACS logs. At least once a day username XOEL3G attempts to log in to AirWave, never at exactly the same time but around the same time daily, +/- an hour.

QRadar logs show source and destination IP as our ISE server. Which is a little strange.

ISE logs show source IP as 127.0.0.1 (also strange) to AirWave, each attempt is sourcing a different unassigned port or some uncommon port. Each attempt is hitting port 49 TACACS.

Someone with our Telecom team says the name sounds like a carrier device, as in XO Telecom which is a part of Verizon who happens to be one of our ISPs.

The attempts are being more closely monitored now.

Had anyone seen or heard of something like this? Especially with the source IP being a 127 address ?

Thanks for any advice :)
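
A compact triage script of the kind a SOC would run over these TACACS records, added here as an example rather than anything from the post or from ISE: it flags accounts absent from the known administrator list, attempts whose source is a loopback address, and attempts that recur daily inside a configurable time arc (the +/- one hour pattern described above). The log lines are constructed in a simplified key=value form, not real ISE or QRadar output; the username is the one from the post, the addresses are made up.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed sample records (simplified format, not real ISE output)
SAMPLE_LOG = """\
2020-12-01T03:02:11Z user=XOEL3G src=127.0.0.1 dst=10.20.30.40 dport=49 result=FAIL
2020-12-02T03:41:55Z user=XOEL3G src=127.0.0.1 dst=10.20.30.40 dport=49 result=FAIL
2020-12-03T02:30:07Z user=XOEL3G src=127.0.0.1 dst=10.20.30.40 dport=49 result=FAIL
2020-12-04T03:15:40Z user=XOEL3G src=127.0.0.1 dst=10.20.30.40 dport=49 result=FAIL
2020-12-01T14:10:02Z user=jsmith src=10.20.30.55 dst=10.20.30.40 dport=49 result=PASS
2020-12-02T09:45:12Z user=jsmith src=10.20.30.55 dst=10.20.30.40 dport=49 result=PASS
2020-12-03T16:22:48Z user=jsmith src=10.20.30.57 dst=10.20.30.40 dport=49 result=PASS
"""

KNOWN_ADMINS = {"jsmith"}   # constructed allow-list of expected TACACS accounts


def parse_log(text: str) -> List[dict]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def circular_spread(seconds_of_day: Iterable[int]) -> int:
    """Smallest arc of the 24h clock (in seconds) that covers all the given
    times of day, so 23:50 and 00:10 are 20 minutes apart, not 23h40."""
    pts = sorted(seconds_of_day)
    if len(pts) < 2:
        return 0
    gaps = [b - a for a, b in zip(pts, pts[1:])]
    gaps.append(86400 - pts[-1] + pts[0])   # the gap across midnight
    return 86400 - max(gaps)


def analyze(records: List[dict], known_users: set,
            arc_seconds: int = 7200, min_days: int = 3) -> Dict[str, List[str]]:
    """Per-account findings; accounts with nothing to report are omitted."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    findings: Dict[str, List[str]] = {}
    for user, recs in by_user.items():
        flags = []
        if user not in known_users:
            flags.append("unknown_user")
        if any(ipaddress.ip_address(r["src"]).is_loopback for r in recs):
            flags.append("loopback_source")
        days = {r["ts"].date() for r in recs}
        tods = [r["ts"].hour * 3600 + r["ts"].minute * 60 + r["ts"].second for r in recs]
        if len(days) >= min_days and circular_spread(tods) <= arc_seconds:
            flags.append("daily_recurring")
        if flags:
            findings[user] = flags
    return findings


if __name__ == "__main__":
    for user, flags in analyze(parse_log(SAMPLE_LOG), KNOWN_ADMINS).items():
        print(user, flags)
```

The loopback check matters for the question asked: a request logged with a 127.0.0.0/8 source was generated on the logging host itself (or handed to it by a local process) rather than received from the network, so that is the place to look before attributing the account name to an external carrier device. The daily-recurrence test uses a circular spread so attempts straddling midnight are still grouped.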



Firewalls with native SAML Support for SSL VPN

Hi,

I'm just wondering what firewalls people deploy/recommend in SMB space which have native SAML SSL VPN client support? From what I can see, this is still pretty limited but Cisco and Palo Alto look to fit the bill. Last I checked Fortinet supported it via the web interface only.

Thanks for any input.



Port forwarding to multiple computers

So I am trying to better understand port management for a few of my company's clients. We generally forward ports 80/443 to a DMZ'd server to give staff access to Remote Web Access or Remote Desktop Services.

Now one client purchased a 3rd party cloud provider service that uses a RemoteApp RDS configuration that uses port 443 as well.

I mainly do sysadmin work (AD, DNS, Office 365) so I know the basics of networking, but nothing too advanced. I am thinking that when the RemoteApp tries to connect it connects to the cloud provider, but when traffic comes inbound it is being redirected to the RWA/RDS server. We have an A record that points to their ISP's WAN address, so if I put in rwa.companydomain.com:443 it gets sent to the RWA server.

I generally port forward because most of the services we use don't overlap. What is the best way to allow multiple computers on a LAN behind NAT to use the same port? I don't even know the terms to search for on Google to help get this working. So any help would be appreciated.



Interface descriptions on FEX devices

Hi,

I have a 2K FEX connected via vPC to a pair of 5Ks. I updated the interfaces on one of the 5Ks but the other 5K still has the same description. Do I have to change interface descriptions on both boxes or am I missing something?



Where are PMK/PTK/GTK stored

Does anybody know where the keys like PMK, PTK and GTK are stored on Linux? Can I access them and check when they are changing for example?

Thanks in advance!



CenturyLink Optical Wave?

Any experience with this? Is it any different than a traditional point-to-point circuit?



What are the dangers of using a self signed certificate on a firewall?

I'm in the market for a small business firewall and I came upon a reasonably priced device but the hardware uses a "self signed security certificate". I'm reading information that this is extremely dangerous because it exposes the network traffic to a MitM attack with https websites since there's a security warning the user must bypass and that traffic can be intercepted and used to obtain the self signed certificate to generate a fake certificate. Then it allows the third party to read and modify all data sent to or from the website by the target user...

How dangerous is this? How easy is this attack to accomplish? How skilled would someone have to be to accomplish this? Would this be novice teenage hacker wannabe level by just downloading some programs off the internet ... is this like white-hat pro level ... or NSA level and it's not as easy as the network crime dramas make it out to be?

If my employees were accessing normal office data such as PDF files and downloading/uploading documents and spreadsheets to a central server, could this MitM be used to change those files? Could they change the data when it's passing between the terminal and the server, with the files appearing unchanged and signed like nothing happened?



EAP-TLS w/ AnyConnect - Remotely re-issue expired client certificates?

For AnyConnect, I'm currently using EAP-TLS authentication with machine certificates for clients at the FTD, then passing user credentials through to ISE for a second factor. If someone's machine cert expires (like they were off-net for quite a while), I don't currently have a way to get a new valid machine certificate onto the machine without them coming on-prem and plugging into an auth-opened port.

Assuming someone else uses EAP-TLS like this - what do you do (if anything) to work around this? I can see at some point an executive will have a laptop they need to use "right now" but haven't used it in ages and it has an expired client cert so it fails AC auth. Coming on-prem isn't an option, so how do I get a valid certificate on that machine?



Requesting some Aruba MIB and CORE files for SNMP N-CENTRAL setup :)

Hey guys,

Any of you fancy lads that can get hold of Aruba switch MIBs? It's locked behind their portal and I don't have a service account.

Thanks



Discord app- Different TCP port for spam, why?

I am doing a project investigating the Discord Application with Wireshark. One question that I wanted to check was if sent message traffic behaved differently in large volumes. Spam basically.

The results from Wireshark showed an unexpected result when we started to spam a chat. The current TCP connection would be replaced by another one or complemented by another one. While in normal conversation it remained static.
Meaning: The conversation used say port 64950 the whole time till we started to spam and a new port was established and traffic sent there instead. It would then go back to the old port which remained connected.

Also the difference between how many packets the sender transmitted relative to how many the receiver received changed. I expect the new port packages the data more efficiently.
Meaning: Normal 10 packets (sender) -> server -> 7 packets (receiver)
Spam: 2500 packets (sender) -> server -> 200 packets (receiver)

I am just wondering if anyone knows a name for the technique of TCP port switching during spam, for further reading. I am stuck. I expect it is to prevent TCP attacks. Also, Discord seems to use Cloudflare if it is of relevance.

Grateful for any guidance, thanks!



How are y'all automating your network? Spare some ideas for someone newer to field?

This is a topic I've read on a few posts and results seem to vary. Where I work currently the automation for networking, at least within the NOC, is essentially that we have one higher level analyst who has a computer science background and builds scripts via the "Expect" language, which is based around TCL and I guess bash to some extent.

These scripts are placed onto the jumpbox (RHEL) and we run them by, for example, "config 1234", 1234 being the location number. Then the script kicks off depending on what its intentions are: checking ports, configuring something, pinging a device etc.

I have been trying really hard to pick it up but I am god awful at scripting/coding. I just do not grasp the "under the hood" pieces or I'm constantly hitting roadblocks. Every time I start putting even a simple script together I hit a roadblock trying to manipulate a variable or regexp... And it's back to Google and Stack Overflow.

More recently I am completely frustrated; clearly the guy (the only guy really) who makes these scripts knows coding. Me, not really at all, heck I only got my CCNA a bit over a year ago (now older ICND1/2).

Yeah, I don't know how to approach automating tasks or building scripts. I feel like the past months have been a sinkhole of time and effort, whereas putting that same time and effort into networking aspects I feel like I actually make legit progress.

Any ideas here? Should I go down to caveman and barney levels here to really grasp scripting/coding? If so what resources do you recommend?



Best wireless card for a Razer Blade 15

Hey everyone

My wife has got a Razer Blade 15 2019 (1660ti 144hz). I have upgraded the RAM and both drives to Samsung QVO 1TB M.2 and SATA 3 (2TB total).

The next item I thought of upgrading is the Wifi card... has anyone got any good suggestions for which cards are good and fit?

Thanks everyone



How does a client know whether a server supports QUIC?

QUIC is defined in IETF drafts, but I cannot find how the client determines that it should trigger a QUIC connection or a TCP connection to the server. I would expect the server needs to support both at this time since TCP is prevalent.
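
The discovery mechanism lives one layer up: the client's first contact is an ordinary TCP/TLS connection, and the server advertises its QUIC endpoint in an Alt-Svc response header (RFC 7838), for example `Alt-Svc: h3=":443"; ma=86400`, where `h3` is the HTTP/3 ALPN identifier and `ma` is how long (seconds) the client may keep using the alternative before re-learning it; a later `Alt-Svc: clear` withdraws it. HTTPS/SVCB DNS records are the newer way to learn the same thing before the first connection. The parser below is an added example for this page, not code from the post or from any HTTP library; the header values it is fed are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote


@dataclass
class AltService:
    protocol: str              # ALPN id, e.g. "h3", "h3-29", "h2"
    host: Optional[str]        # None means "same host as the origin"
    port: int
    max_age: int = 86400       # RFC 7838 default when no ma= parameter is given
    params: Dict[str, str] = field(default_factory=dict)


def _split_outside_quotes(value: str, sep: str) -> List[str]:
    """Split on sep, but not inside a quoted-string (e.g. v="46,43")."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _unquote_string(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def parse_alt_svc(header: str) -> List[AltService]:
    """Parse an Alt-Svc header value into the alternatives it advertises."""
    if header.strip().lower() == "clear":
        return []                      # "clear" invalidates all cached alternatives
    services: List[AltService] = []
    for alternative in _split_outside_quotes(header, ","):
        pieces = _split_outside_quotes(alternative, ";")
        if "=" not in pieces[0]:
            continue                   # malformed entry: skip rather than guess
        proto, _, authority = pieces[0].partition("=")
        authority = _unquote_string(authority.strip())
        host, _, port = authority.rpartition(":")
        params: Dict[str, str] = {}
        for p in pieces[1:]:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = _unquote_string(val.strip())
        max_age = int(params.pop("ma", 86400))
        services.append(AltService(unquote(proto.strip()), host or None, int(port), max_age, params))
    return services


def quic_endpoints(header: str) -> List[Tuple[str, Optional[str], int]]:
    """The advertised alternatives a client could reach over QUIC (HTTP/3 ALPN ids)."""
    return [(s.protocol, s.host, s.port) for s in parse_alt_svc(header) if s.protocol.startswith("h3")]


def supports_quic(header: str) -> bool:
    return bool(quic_endpoints(header))


# Constructed header value in the style a large HTTP/3 deployment sends
SAMPLE_HEADER = 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"'

if __name__ == "__main__":
    for svc in parse_alt_svc(SAMPLE_HEADER):
        print(svc)
    print("QUIC endpoints:", quic_endpoints(SAMPLE_HEADER))
```

Because the alternative is learned over the established TLS connection and cached only for `ma` seconds, a client that has never spoken to the server uses TCP first and switches to QUIC on later requests; a server therefore does need to keep answering on TCP, as the question suspects.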



Monday, December 7, 2020

Cisco ASA 5508 VTI Cannot ping directly connected VTI Endpoint IP

Hello,

I have configurations of VTIs using BGP as a method for failover on many different deployments (1 ISP to 2, 2 to 2 ISPs, etc.). They have all worked fine. Tonight I was setting this up as a conversion from CMAP and no failover. I noticed the BGP peer for the secondary tunnel wasn't coming up. I figured it would be a BGP issue. I checked the tunnel, it was up/up with phase 1 and phase 2 being up. I pinged the tunnel IP on the far side, nothing. OK, so the far side ASA has only 1 ISP, there is a host route to it over the primary ISP with tracking (other sites I've done have this as well). When I remove this route, the secondary VTI comes up and the first goes down, and BGP peers over it, whilst the primary peer fails. If I add the route back the opposite happens. This proves failover works, but not why the VTI endpoint can't ping; the directly connected route is in the routing table, so it shouldn't try to route over the default... This is the only time I've ever had this problem.

ASA is running 9.12.3 originally then I updated to 9.14.1

I checked the other ASAs just to be sure and they all have a host route to the tunnel destination over 1 tracked static route, and both tunnel endpoints are pingable. The only thing I can think of is uRPF or something. It must be some sort of asymmetrical issue.



Can I share a managed AP with another network?

Sorry for the horrible title.

I set up AV systems. We always have a router in front of our system, picking up WAN from the customer's network. This can be direct from the ISP modem or from behind their firewall. Normally, we add our own wireless APs behind our router but for a job that I didn't spec, we don't have APs.

I need to get an iPad on our network for local control of some devices.

Assuming the client has managed APs, will this setup below work?

I'm thinking their IT Admin creates an SSID for AV. That network would untag to an AV VLAN. On their switch, they untag an Ethernet port to the same VLAN. Then, I connect that port on their switch to a LAN port on my switch. In theory, this would have our router assign WLAN clients IPs.

Thoughts?



What to segment by in VLANs?

A typical general best practice to read about is to put user data and management on separate networks/vlans. (The short Cisco answer I read).
So Windows end-user devices could be on one, and SSH to router/switches, etc. network management on another, great.
But, beyond that, would it then be normal to put things like UPS, Windows servers, and other administrative web access on the same management VLAN?
I guess in the end it's up to oneself.
One could put it all into almost "categories" of VLANs, and make sweeping firewall rules for each network, or make fine grained rules.
What do you do?



Outside Alerting Suggestions

My data center recently tanked for a few hours and nobody on my team got a notification from our alerting system. Obviously so, because the entire data center was down.

So now I'm obligated to find something external that will alert our team if the Data Center loses connectivity altogether.

Does anyone have a good suggestion for this scenario? I would like to be calculated with this vendor choice rather than shooting from the hip.



DNS traffic generator

Can anyone advise on the best tool to generate DNS response traffic or DNS traffic with a query payload?

I am looking to generate traffic and test my security appliance to pick up DNS amplification attacks, where victims receive DNS responses from domains to queries they never initiated. I am using regex to capture on payload and block it that way but was looking to do some testing to auto-detect DNS amp type attacks.

For example: DNS response from domain.com (500k) ---> victim 1.1.1.1/32. In this case the victim never requested the page domain.com but still received it.

I have heard of TRex and hping but wasn't exactly sure how to craft a packet that would generate a lot of DNS responses.

Any help would be helpful.
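
Whatever tool produces the test traffic, the detection the appliance should end up doing is stateful rather than a regex on the payload: remember the queries that actually left the protected network (client address and port, server, transaction id, qname) and treat any response that arrives with no matching recent query as unsolicited, then alert when the unsolicited response volume toward one host gets large. The following is an added example of that logic, written for this page and not taken from the post or from any appliance; the packet records are constructed (documentation address ranges, fifty made-up open resolvers), standing in for what a capture parser would hand over.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple


class DnsPkt(NamedTuple):
    ts: float          # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    is_response: bool  # the DNS header QR bit
    txid: int          # DNS transaction id
    qname: str
    size: int          # UDP payload bytes


# Constructed: the block the appliance protects (TEST-NET-2, not a real site)
PROTECTED = ipaddress.ip_network("198.51.100.0/24")


def find_unsolicited(pkts: List[DnsPkt], protected=PROTECTED, query_timeout: float = 5.0) -> List[DnsPkt]:
    """Responses delivered into the protected block that match no outbound query
    seen within query_timeout on (client ip, client port, server ip, txid, qname)."""
    outstanding: Dict[tuple, float] = {}
    unsolicited: List[DnsPkt] = []
    for p in sorted(pkts, key=lambda x: x.ts):
        if not p.is_response:
            if ipaddress.ip_address(p.src) in protected:
                outstanding[(p.src, p.sport, p.dst, p.txid, p.qname.lower())] = p.ts
            continue
        if ipaddress.ip_address(p.dst) not in protected:
            continue
        key = (p.dst, p.dport, p.src, p.txid, p.qname.lower())
        sent = outstanding.pop(key, None)
        if sent is None or p.ts - sent > query_timeout:
            unsolicited.append(p)      # nobody asked, or the question is long stale
    return unsolicited


def amplification_summary(unsolicited: List[DnsPkt], byte_threshold: int = 100_000) -> dict:
    """Per-victim volume of unsolicited responses and the victims over threshold."""
    victims = defaultdict(lambda: {"count": 0, "bytes": 0, "sources": set()})
    for p in unsolicited:
        v = victims[p.dst]
        v["count"] += 1
        v["bytes"] += p.size
        v["sources"].add(p.src)
    report = {ip: {"count": s["count"], "bytes": s["bytes"], "distinct_sources": len(s["sources"])}
              for ip, s in victims.items()}
    alerts = sorted(ip for ip, s in report.items() if s["bytes"] >= byte_threshold)
    return {"victims": report, "alerts": alerts}


def build_sample() -> List[DnsPkt]:
    pkts = [
        # legitimate exchange: a client asks the constructed resolver and the reply matches
        DnsPkt(1.0, "198.51.100.10", 53211, "203.0.113.53", 53, False, 0x1A2B, "example.com", 60),
        DnsPkt(1.1, "203.0.113.53", 53, "198.51.100.10", 53211, True, 0x1A2B, "example.com", 120),
        # a reply arriving long after its query timed out is treated as unsolicited
        DnsPkt(20.0, "198.51.100.10", 40001, "203.0.113.53", 53, False, 0x2222, "late.example", 60),
        DnsPkt(30.0, "203.0.113.53", 53, "198.51.100.10", 40001, True, 0x2222, "late.example", 90),
    ]
    # reflected flood: 50 resolvers answer "domain.com" to a host that never asked
    for i in range(50):
        pkts.append(DnsPkt(10.0 + i * 0.1, f"192.0.2.{i + 1}", 53, "198.51.100.77",
                           40000 + i, True, 0x4000 + i, "domain.com", 3000))
    return pkts


SAMPLE_PACKETS = build_sample()

if __name__ == "__main__":
    unsol = find_unsolicited(SAMPLE_PACKETS)
    print(f"{len(unsol)} unsolicited responses")
    print(amplification_summary(unsol))
```

Keying on the client port and transaction id as well as the addresses is what lets this distinguish a reflected flood (many responses the victim never solicited) from a busy but legitimate resolver conversation, and the volume threshold keeps a single late reply from paging anyone.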