Saturday, February 6, 2021

How exactly do "Virtual WAN IPs" work, and is that what I'm seeing?

Hey there,

Been trying to find the right terminology and I'm a little stumped, and my direct boss doesn't have an answer either.

I work for an MSP and some of our clients have been having Firewall or internet upgrades, and while I'm not sure if my experience today was based off of the same thing I'll describe, I know a previous experience or two was.

So our clients usually have Comcast. They have static IPs. We often see that their WAN IP is something like 73.x.y.z when remote connect software reaches out to us, or when someone is on-site and checks Whatsmyip, and that's what we use to configure our site-to-site VPNs. These are normally persistent through firewall firmware updates. But sometimes when we perform an upgrade or they get an internet upgrade, we are given IP config information that is very different, usually a 50.x.y.z WAN and gateway. For example, I recently did a firewall install at a new location that had a static IP through Comcast. Their WAN IP was 73.x.y.z, but over the phone, when discussing configs with the rep, I was told that their IP and gateway IPs were 50.x.y.z. I was told that the 73.x.y.z was some sort of "Virtual IP" but they couldn't explain any further. After working with the rep, Whatsmyip showed the 50.x.y.z address I had used on the firewall and expected to see, rather than the previous 73.x.y.z.

I don't know a ton about SD-WAN, or if that is the root of all this, but multiple times we've had to update configurations that we weren't expecting to update, and we don't always have someone with the credentials to perform adjustments at our co-location. I saw another IP go from a 73. to a 50. today after an upgrade, which has broken a VPN I can't fix with my credentials, while the user was told they kept their same static IP, so is there a misunderstanding on my part here or something more complicated on the ISP side of things?

Thank you,



How to spoof a WAN IP address

Hello to all -

I am looking for a way to spoof the WAN IP address on my Windows PC to a specific IP address. How would I do this? I have not been able to find any information on this.



Weird WiFi cut outs

Hi, so I live with a lot of friends and the WiFi is always good until my other friend comes over; then the WiFi acts funny, loses connection, ms and ping go higher than before, and the WiFi gets weaker. Any clue as to why this is happening? Thanks 🙏!



Rj45 cat6a termination. Individual wire diameter

I'm more than competent in the majority of networking. Terminated thousands of times, no issues.

I'm currently working a job at a hotel and right at the end we've run into the issue that our Cat6a individual wires are simply too thick to slide into the RJ45 plastic aligner/guide that then slides into the connector.

They are cat6a rated rjs. What are we missing here or are we simply using the wrong rjs somehow?

At this stage we're going to terminate to mechs and use patches. However, this is a massive expense as we have 80-odd cables to terminate.



Lab in 2021

I was wondering if there’s anyone here who runs a lab using devices beyond L3 (ADC, firewalls, etc). What are you using in prem (VMware, etc)? What about AWS? Is that a viable option?

I just got a hold of a server and I'm thinking of setting up a lab network at work. We don't make a lot of changes in infrastructure so I don't anticipate us running it all the time. With AWS (which I have little to no experience with) maybe it's a less cumbersome way to go about it, even if it involves $$. If the fee is low enough I'll probably just open a personal account.

Thoughts?



Firepower - how does it compare to the competition in 2021?

Hi all, yet another Firepower thread. It's popcorn time!
Jokes aside, it is my intention to spark some constructive criticism or at least some neutral conversation.

Let me start with a statement: I am well aware of the bad reputation of the platform, and you might have seen my comments here and there at r/cisco and r/networking. I am familiar with the legendary "firepower rants" here on Reddit. I happen to be administering a Firepower box in the 4k series.
I tend to alternate between bashing the platform and reassuring myself that "it has become better" (coincidentally, not more than 2 days after I mildly defended FTD, our 3 HA pairs started acting up after a year of no issues. Karma).

Housecleaning done, my question is: ignoring the questionable architecture, the occasional instability, the slow and dated GUI, the cost, and the painful upgrade process, does FTD actually have the potential of being a solid and competitive platform for NGFW/IPS?

Based on the several books I have been reading and the online courses I attended, FTD seems to be a pretty capable platform, overall. I do wonder if the capabilities and the potential are overshadowed by the many horrendous limitations I listed above.

Thanks. I welcome your thoughts.



Flow control disabled on Mikrotik, now seeing RX Overruns/discarded packets

Recently deployed a CRS305 (10Gb) that had Flow Control enabled by default (SwOS). I started seeing TX Pauses here and there, so I decided to turn it off and see what happens, and now I see some packets being discarded/RX Overruns during a Veeam backup job. The issue is between a Veeam proxy and repository.

Should I enable flow control again, as it was obviously doing what it was supposed to do, or try and dig deeper? I have two hosts (ESXi) being backed up to this repo, so it could simply be that the host is having a tough time handling it?



Brocade 6610 - budget lab equivalent

I started a new job where the core switches are Brocade 6610s and they have a handful of Brocade access switches as well. I have no experience with this brand and wanted to set up a home lab with some used eBay Brocade L3 switches. What would be the most affordable used model to purchase that has the same CLI commands and L3 functions? They do not use too many advanced features, just ACLs and such.

Thanks!



Is there any software where I can simulate network topologies?

Hello everyone.

I'm looking for software or simulators where I can build network topologies and possibly compare their speeds. If anyone would happen to know anything similar to this description please suggest here or in a direct message. Thank you.



Is my firewall config up-to-date with current IETF spec (IPv4 & IPv6)?

This is deployed on MikroTik RouterOS v6 stable.

So I referenced MikroTik's new 2020-dated documentation site and built the IPv4 and IPv6 firewall from scratch. I also read up on some RFCs (IPv4 only as of now, with some general idea of IPv6 as it's too complex for me at present) and built a firewall which I believe is fully IETF compliant and matches current 2021 networking practices.

Also, I took advantage of the "Firewall RAW" feature offered on MikroTik. I excluded ICMP from RAW filtering as it's

  1. Already rate limited at the kernel level
  2. Already filtered directly in the firewall filter section
    1. But if this isn't CPU efficient or is bad firewall design, I'd like to know. Should I remove it from the firewall filters and process ICMP directly in the RAW section?
  3. Note I'm not black-holing ICMP, just specific types.

MikroTik sources:

  1. https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall
  2. https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall

TL;DR I'd like some expert opinion on the overall firewall-config plus my ICMP "RAW vs Filter" concern above to ensure it's as per current best networking practices.

MikroTik Forum Thread

Neatly commented/formatted each rule to explain their purpose including disabled rules.

IPv4 firewall

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN's interface list/subnets" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface-list=LAN src-address-list=!lan_subnets
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=jump chain=forward comment="Jump to DDoS detection" connection-state=new in-interface-list=WAN jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos

/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-targets src-address-list=ddos-attackers
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bad src IPs" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bad src IPs" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_in_internet
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address-list=lan_subnets in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address-list=!lan_subnets
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp

/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
# Disabled as my ISP uses this very subnet on their access concentrator
add address=10.0.0.0/8 comment=RFC6890 disabled=yes list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=255.255.255.255 comment=RFC6890 list=not_in_internet
add list=ddos-attackers
add list=ddos-targets
# My LAN subnets
add address=192.168.80.0/24 comment="LAN subnets" list=lan_subnets
add address=192.168.81.0/30 comment="LAN subnets" list=lan_subnets
add address=192.168.82.0/31 comment="LAN subnets" list=lan_subnets
add address=127.0.0.0/8 comment="RAW Filtering - RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="RAW Filtering - RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="RAW Filtering - RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="RAW Filtering - RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="RAW Filtering - RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="RAW Filtering - RFC6890 reserved" list=bad_ipv4
# Disabled as I do use Multicast routing services
add address=224.0.0.0/4 comment="RAW Filtering - multicast" disabled=yes list=bad_src_ipv4
add address=255.255.255.255 comment="RAW Filtering - RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="RAW Filtering - RFC6890" list=bad_dst_ipv4
# Disabled as I do use Multicast routing services
add address=224.0.0.0/4 comment="RAW Filtering - RFC6890" disabled=yes list=bad_dst_ipv4

IPv6 firewall

/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=drop chain=input comment=dropLocalLink_from_public in-interface=pppoe-out1 src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" src-address-list=allowed
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="local clients to public" in-interface=!pppoe-out1 src-address-list=allowed
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting comment="defconf: drop bad src IPs" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad src ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=100::/64 comment="RAW Filtering - RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="RAW Filtering - RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="RAW Filtering - RFC6890 Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="RAW Filtering - RFC6890 Unique-Local" list=not_global_ipv6
add address=::/128 comment="RAW Filtering" list=bad_src_ipv6
add address=ff00::/8 comment="RAW Filtering" list=bad_src_ipv6
add address=::/128 comment="RAW Filtering" list=bad_dst_ipv6
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
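As an added check that is not part of the post, the script below parses a RouterOS address-list export and compares one list against the IPv4 ranges whose RFC 6890 registry entry is marked Global=False, reporting RFC ranges not covered by an enabled entry, entries present but disabled (the 10.0.0.0/8 case above), and enabled entries outside RFC 6890 altogether (multicast and the 6to4 anycast prefix, which the RFC does not list as non-global). The RFC table is my own transcription and the sample input is the posted not_in_internet list.

```python
import ipaddress
import shlex

# IPv4 prefixes whose RFC 6890 registry entry says Global=False, so they should
# never be seen as a source address on the WAN side. Transcribed here from
# RFC 6890 section 2.2.2 for this check (added example, not the post's list).
RFC6890_NOT_GLOBAL = {
    "0.0.0.0/8": "this host on this network",
    "10.0.0.0/8": "private-use",
    "100.64.0.0/10": "shared address space (CGN)",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link local",
    "172.16.0.0/12": "private-use",
    "192.0.0.0/24": "IETF protocol assignments",
    "192.0.2.0/24": "documentation (TEST-NET-1)",
    "192.168.0.0/16": "private-use",
    "198.18.0.0/15": "benchmarking",
    "198.51.100.0/24": "documentation (TEST-NET-2)",
    "203.0.113.0/24": "documentation (TEST-NET-3)",
    "240.0.0.0/4": "reserved",
    "255.255.255.255/32": "limited broadcast",
}

# Constructed sample input: the not_in_internet entries from the posted export.
POSTED_EXPORT = """\
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
# Disabled as my ISP uses this very subnet on their access concentrator
add address=10.0.0.0/8 comment=RFC6890 disabled=yes list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=255.255.255.255 comment=RFC6890 list=not_in_internet
add address=192.168.80.0/24 comment="LAN subnets" list=lan_subnets
"""


def parse_address_list(script):
    """Turn the 'add key=value ...' lines of a RouterOS address-list export into dicts."""
    entries = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line.startswith("add "):
            continue  # section header, '#' comment or blank line
        entry = {"disabled": "no"}
        for token in shlex.split(line[4:]):  # shlex keeps a quoted comment as one token
            key, _, value = token.partition("=")
            entry[key] = value
        entries.append(entry)
    return entries


def check_list_against_rfc6890(script, list_name="not_in_internet"):
    """Compare one address-list with the RFC 6890 non-global set.

    Returns the RFC ranges not covered by an enabled entry ('missing'), the
    entries that exist but are disabled, and the enabled entries that fall
    outside RFC 6890 ('extra', e.g. multicast, which the RFC does not cover).
    """
    wanted = [ipaddress.ip_network(p) for p in RFC6890_NOT_GLOBAL]
    active, disabled = [], []
    for e in parse_address_list(script):
        if e.get("list") != list_name or "address" not in e:
            continue
        net = ipaddress.ip_network(e["address"])  # bare host address becomes a /32
        (disabled if e["disabled"] == "yes" else active).append(net)
    missing = [w for w in wanted if not any(w.subnet_of(a) for a in active)]
    extra = [a for a in active if not any(a.subnet_of(w) for w in wanted)]
    return {
        "missing": [f"{w} ({RFC6890_NOT_GLOBAL[str(w)]})" for w in missing],
        "disabled": [str(d) for d in disabled],
        "extra": [str(a) for a in extra],
    }


if __name__ == "__main__":
    for key, values in check_list_against_rfc6890(POSTED_EXPORT).items():
        print(f"{key}: {values or 'none'}")
```

Run against the posted list it reports 10.0.0.0/8 as both disabled and missing, which is the trade-off the ISP's access-concentrator addressing forces.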


Linux Firewall and Routing

Hi All

I am starting to build a network of Linux routers which VPN to each other and talk BGP. I'm looking for suggestions on an easy-ish firewall application to secure each Linux router. I don't want to over-complicate this process, just secure the Linux boxes on the public internet-facing interface and generally allow all traffic on the VPN interfaces. I know raw iptables would be a good solution, but I'm not too familiar with the command set, so I wonder if there are any good overlays or alternatives.



Australia <-> US L2/L3 subsea cable options

Hi guys,

Reddit is my starting point for my Australia <-> US L2/L3 due diligence, so please excuse my ignorance on this topic. I think this is more of a product sales question than anything else, but do providers like Cogent, HE, etc. provide L2/L3 solutions where you can specify the submarine cables to use for your Continent <-> Continent solution? For example, if I wanted a solution that specifically used the Telstra Endeavour submarine cable (Australia <-> Hawaii) and then the SEA-US submarine cable (Hawaii <-> US), is this something providers offer? If they do offer this, what is it called (L2, L3, L2VPN, L3VPN, MPLS, IPVPN)? Ideally they would be able to hand this solution off to me as L2 in Australia and US (West) if it exists. Obviously, I will have colocation and a router in Australia and US (West) data centres as a minimum. I assume Cogent, HE, etc. all have capacity on these cables, so my guess is they might be able to provide a solution like this?

The reason I want to cherry pick the subsea cables is to guarantee I am using the lowest latency option from Australia <-> US (West). I plan on using https://www.submarinecablemap.com/#/ to get the shortest cable lengths from Australia <-> US (West) and using them. *I am by no means suggesting Telstra Endeavour & SEA-US are the lowest latency cables AU <-> US it was just a random example*

TLDR; Do providers (Cogent, HE, etc) provide Continent <-> Continent solutions where you can specify the subsea cable used?



CCNP without CCNA

Hello there, I don't have the CCNA certification. Can I start directly with the CCNP?

~ 5 years of networking experience



Cisco ASA 5510 Site to Site VPN is not establishing

Hello,

Has anyone had a problem with a site-to-site VPN using IKEv1? After finishing the configuration, it still shows "There are no ipsec sas":

# show crypto ipsec sa detail
There are no ipsec sas

# show crypto ikev1 sa detail
There are no IKEv1 SAs

Here is my configuration:

######Configure IPSEC for SiteA

Phase 1:

crypto ikev1 enable WAN
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
tunnel-group 174.x.x.x type ipsec-l2l
tunnel-group 174.x.x.x ipsec-attributes
ikev1 pre-shared-key xxxxxx

Phase 2:

object network inside_lan
subnet 10.150.206.96 255.255.255.224
object network outside_lan
subnet 10.250.24.0 255.255.255.0
access-list 80 extended permit ip object inside_lan object outside_lan
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address 80
crypto map outside_map 20 set peer 72.x.x.x
crypto map outside_map 20 set ikev1 transform-set myset
crypto map outside_map 20 set pfs
crypto map outside_map interface WAN
nat (LAN1,WAN) source static inside_lan inside_lan destination static outside_lan outside_lan

######Configure IPSEC for SiteB

Phase 1:

crypto ikev1 enable WAN
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
tunnel-group 72.x.x.x type ipsec-l2l
tunnel-group 72.x.x.x ipsec-attributes
ikev1 pre-shared-key xxxxxxx

Phase 2:

object network inside_lan
subnet 10.250.24.0 255.255.255.0
object network outside_lan
subnet 10.150.206.96 255.255.255.224
access-list 80 extended permit ip object inside_lan object outside_lan
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address 80
crypto map outside_map 20 set peer 174.x.x.x
crypto map outside_map 20 set ikev1 transform-set myset
crypto map outside_map 20 set pfs
crypto map outside_map interface WAN
nat (LAN1,WAN) source static inside_lan inside_lan destination static outside_lan outside_lan

------------------------------

I would really appreciate your advice and ideas.

Thanks // Keven
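As an added consistency check, not part of the post, the script below parses the two posted site configs and verifies what must agree for an IKEv1 L2L tunnel to come up: that each side's crypto map peer has a tunnel-group of the same name (the ASA selects the IKEv1 pre-shared key by peer address; with no matching tunnel-group it falls back to DefaultL2LGroup, which carries no key), that the phase 1 policy, transform-set and PFS setting match, and that the crypto ACLs are mirror images. The configs are reconstructed from the post with its masked addresses; the pre-shared keys are redacted there and so are not compared.

```python
import ipaddress
import re


def posted_site(tunnel_group, peer, inside, outside):
    """Constructed from the posted SiteA/SiteB configs (addresses masked as in the post)."""
    return f"""\
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
tunnel-group {tunnel_group} type ipsec-l2l
object network inside_lan
subnet {inside}
object network outside_lan
subnet {outside}
access-list 80 extended permit ip object inside_lan object outside_lan
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address 80
crypto map outside_map 20 set peer {peer}
crypto map outside_map 20 set ikev1 transform-set myset
crypto map outside_map 20 set pfs
"""


SITE_A = posted_site("174.x.x.x", "72.x.x.x", "10.150.206.96 255.255.255.224", "10.250.24.0 255.255.255.0")
SITE_B = posted_site("72.x.x.x", "174.x.x.x", "10.250.24.0 255.255.255.0", "10.150.206.96 255.255.255.224")

CRYPTO_MAP_RE = re.compile(r"crypto map \S+ \d+ (match address|set peer|set ikev1 transform-set|set pfs)\s*(\S*)$")


def parse_asa_l2l(config):
    """Extract the parts of an ASA IKEv1 site-to-site config that must agree with the peer.

    Assumes one ikev1 policy and one crypto map entry per site, as in the post.
    """
    site = {"objects": {}, "acl": {}, "tunnel_groups": set(),
            "ikev1_policy": {}, "transform_sets": {}, "crypto_map": {}}
    current_object = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            current_object = m.group(1)
        elif m := re.match(r"subnet (\S+) (\S+)$", line):
            site["objects"][current_object] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"(authentication|encryption|hash|group|lifetime) (\S+)$", line):
            site["ikev1_policy"][m.group(1)] = m.group(2)
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            site["tunnel_groups"].add(m.group(1))
        elif m := re.match(r"access-list (\S+) extended permit ip object (\S+) object (\S+)$", line):
            site["acl"][m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)$", line):
            site["transform_sets"][m.group(1)] = (m.group(2), m.group(3))
        elif m := CRYPTO_MAP_RE.match(line):
            site["crypto_map"][m.group(1)] = m.group(2) or "yes"  # 'set pfs' has no argument
    return site


def proxy_identities(site):
    """Resolve the crypto ACL of the crypto map entry to (local network, remote network)."""
    src, dst = site["acl"][site["crypto_map"]["match address"]]
    return site["objects"][src], site["objects"][dst]


def check_l2l_pair(name_a, site_a, name_b, site_b):
    """Return a list of findings; an empty list means both ends are consistent."""
    findings = []
    for name, site in ((name_a, site_a), (name_b, site_b)):
        peer = site["crypto_map"].get("set peer")
        if peer not in site["tunnel_groups"]:
            # The ASA looks up the IKEv1 pre-shared key by the peer address; without a
            # tunnel-group of that name it falls back to DefaultL2LGroup, which has none.
            findings.append(f"{name}: crypto map peer {peer} has no matching tunnel-group "
                            f"(configured: {sorted(site['tunnel_groups'])})")
    if site_a["ikev1_policy"] != site_b["ikev1_policy"]:
        findings.append("phase 1 policy differs between sites")
    ts_a = site_a["transform_sets"].get(site_a["crypto_map"].get("set ikev1 transform-set"))
    ts_b = site_b["transform_sets"].get(site_b["crypto_map"].get("set ikev1 transform-set"))
    if ts_a != ts_b:
        findings.append(f"transform-set differs: {ts_a} vs {ts_b}")
    if site_a["crypto_map"].get("set pfs") != site_b["crypto_map"].get("set pfs"):
        findings.append("PFS enabled on one side only")
    local_a, remote_a = proxy_identities(site_a)
    local_b, remote_b = proxy_identities(site_b)
    if (local_a, remote_a) != (remote_b, local_b):
        findings.append(f"crypto ACLs are not mirror images: {name_a} {local_a}->{remote_a}, "
                        f"{name_b} {local_b}->{remote_b}")
    return findings


def audit_posted_config():
    return check_l2l_pair("SiteA", parse_asa_l2l(SITE_A), "SiteB", parse_asa_l2l(SITE_B))


if __name__ == "__main__":
    for finding in audit_posted_config() or ["no inconsistencies found"]:
        print(finding)
```

On the posted configs the only findings are the two peer/tunnel-group mismatches; the phase 1 policy, transform-set, PFS and ACL mirror checks all pass.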



Friday, February 5, 2021

Is my firewall config up-to-date with current IETF spec (IPv4 & IPv6)?

This is deployed on MikroTik RouterOS v6 stable.

So I referenced from MikroTik's new 2020 dated documentation domain/site and built the IPv4 and IPv6 firewall from scratch + I also read up on some RFCs (IPv4 only as of now with some general idea on IPv6 as it's too complex for me at the present) and build the firewall which I believe is fully IETF complaint and matches with 2021 current networking practices.

Also, I took advantage of the "Firewall RAW" feature offered on MikroTik. I excluded ICMP from RAW filtering as it's

  1. Already rate limited at the kernel level
  2. Already filtering it directly in the firewall filters section
    1. But if this isn't CPU efficient or a bad firewall design, I'd like to know. Should I remove it from firewall filters and directly process ICMP in the RAW section?
  3. Note I'm not black-holing ICMP. Just specific types.

MikroTik sources:

  1. https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall
  2. https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall

TL;DR I'd like some expert opinion on the overall firewall-config plus my ICMP "RAW vs Filter" concern above to ensure it's as per current best networking practices.

MikroTik Forum Thread

Neatly commented/formatted each rule to explain their purpose including disabled rules.

IPv4 firewall

/ip firewall filter add action=accept chain=input comment "defconf: accept established,related,untracked" connection-state established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state invalid add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp add action=drop chain=input comment "defconf: drop all not coming from LAN's interface list/subnets" in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec add action=accept chain=forward comment "defconf: accept established,related, untracked" connection-state established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid add action=drop chain=forward comment "Drop tries to reach not public addresses from LAN" dst-address-list not_in_internet in-interface-list=LAN out-interface-list=WAN add action=drop chain=forward comment "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp add action=drop chain=forward comment "Drop incoming from internet which is not public IP" in-interface-list WAN src-address-list=not_in_internet add action=drop chain=forward comment "Drop packets from LAN that do not have LAN IP" in-interface-list=LAN src-address-list=!lan_subnets add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol icmp add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp add action=accept chain=icmp comment "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 
protocol=icmp add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp add action=drop chain=icmp comment="deny all other types" add action=jump chain=forward comment="Jump to DDoS detection" connection-state=new in-interface-list=WAN jump-target=detect-ddos add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos /ip firewall raw add action=drop chain=prerouting dst-address-list=ddos-targets src-address-list=ddos-attackers add action=accept chain=prerouting comment "defconf: enable for transparent firewall" disabled=yes add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol udp src-address=0.0.0.0 src-port=68 add action=drop chain=prerouting comment="defconf: drop bad src IPs" src-address-list=bad_ipv4 add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_ipv4 add action=drop chain=prerouting comment="defconf: drop bad src IPs" src-address-list=bad_src_ipv4 add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_dst_ipv4 add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_in_internet add action=drop chain=prerouting comment "defconf: drop forward to local lan from WAN" dst-address-list lan_subnets in-interface-list=WAN add action=drop chain=prerouting comment "defconf: drop local if not from default IP range" in-interface-list=LAN src-address-list=!lan_subnets add action=drop 
chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
#Disabled as my ISP uses this very subnet on their access concentrator
add address=10.0.0.0/8 comment=RFC6890 disabled=yes list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=255.255.255.255 comment=RFC6890 list=not_in_internet
add list=ddos-attackers
add list=ddos-targets
#My LAN subnets
add address=192.168.80.0/24 comment="LAN subnets" list=lan_subnets
add address=192.168.81.0/30 comment="LAN subnets" list=lan_subnets
add address=192.168.82.0/31 comment="LAN subnets" list=lan_subnets
add address=127.0.0.0/8 comment="RAW Filtering - RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="RAW Filtering - RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="RAW Filtering - RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="RAW Filtering - RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="RAW Filtering - RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="RAW Filtering - RFC6890 reserved" list=bad_ipv4
add address=224.0.0.0/4 comment="RAW Filtering - multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="RAW Filtering - RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="RAW Filtering - RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="RAW Filtering - RFC6890" list=bad_dst_ipv4

IPv6 firewall

/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=drop chain=input comment=dropLocalLink_from_public in-interface=pppoe-out1 src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" src-address-list=allowed
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="local clients to public" in-interface=!pppoe-out1 src-address-list=allowed
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting comment="defconf: drop bad src IPs" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad src ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=100::/64 comment="RAW Filtering - RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="RAW Filtering - RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="RAW Filtering - RFC6890 Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="RAW Filtering - RFC6890 Unique-Local" list=not_global_ipv6
add address=::/128 comment="RAW Filtering" list=bad_src_ipv6
add address=ff00::/8 comment="RAW Filtering" list=bad_src_ipv6
add address=::/128 comment="RAW Filtering" list=bad_dst_ipv6
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
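The "is it up to date" question can be answered mechanically rather than by eye. The following is an added example, not part of the original post and not MikroTik code: it parses a fragment of the export above (the `/ip firewall address-list` section, reproduced here as constructed sample input) and compares the `not_in_internet` list against the RFC 6890 IPv4 special-purpose registry, reporting prefixes that are missing, present but disabled, or present without an RFC 6890 counterpart. The 192.88.99.0/24 note reflects RFC 7526, which deprecated the 6to4 anycast prefix.

```python
"""Audit a RouterOS /ip firewall address-list export against RFC 6890 (IPv4)."""
import ipaddress
import shlex

# RFC 6890 special-purpose IPv4 prefixes that must never be a source on the public
# Internet (255.255.255.255 is written as /32; 192.88.99.0/24 is flagged per RFC 7526).
RFC6890_IPV4 = {
    "0.0.0.0/8": "this host on this network",
    "10.0.0.0/8": "private-use",
    "100.64.0.0/10": "shared address space (CGN)",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local",
    "172.16.0.0/12": "private-use",
    "192.0.0.0/24": "IETF protocol assignments",
    "192.0.2.0/24": "documentation (TEST-NET-1)",
    "192.88.99.0/24": "6to4 relay anycast (deprecated by RFC 7526, still a bogon)",
    "192.168.0.0/16": "private-use",
    "198.18.0.0/15": "benchmarking",
    "198.51.100.0/24": "documentation (TEST-NET-2)",
    "203.0.113.0/24": "documentation (TEST-NET-3)",
    "240.0.0.0/4": "reserved",
    "255.255.255.255/32": "limited broadcast",
}

# Constructed sample: a subset of the address-list section from the post above.
SAMPLE_EXPORT = """\
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
#Disabled as my ISP uses this very subnet on their access concentrator
add address=10.0.0.0/8 comment=RFC6890 disabled=yes list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=255.255.255.255 comment=RFC6890 list=not_in_internet
add list=ddos-attackers
add address=192.168.80.0/24 comment="LAN subnets" list=lan_subnets
"""


def parse_address_lists(export_text):
    """Return {list_name: {"active": [IPv4Network, ...], "disabled": [...]}}."""
    lists, section = {}, None
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or export comment
        if line.startswith("/"):
            section = line  # menu path, e.g. "/ip firewall address-list"
            continue
        if section != "/ip firewall address-list" or not line.startswith("add "):
            continue
        # shlex keeps quoted comments ("6to4 relay Anycast [RFC 3068]") as one token.
        kv = dict(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
        if "address" not in kv or "list" not in kv:
            continue  # e.g. "add list=ddos-attackers": list exists but holds no prefix
        net = ipaddress.ip_network(kv["address"], strict=False)  # bare IP -> /32
        state = "disabled" if kv.get("disabled") == "yes" else "active"
        lists.setdefault(kv["list"], {"active": [], "disabled": []})[state].append(net)
    return lists


def audit_bogon_list(lists, list_name="not_in_internet"):
    """Compare one list with RFC 6890; returns (covered, uncovered, extra)."""
    entry = lists.get(list_name, {"active": [], "disabled": []})
    active, disabled = entry["active"], entry["disabled"]
    covered, uncovered = {}, {}
    for prefix, purpose in RFC6890_IPV4.items():
        want = ipaddress.ip_network(prefix)
        if any(want.subnet_of(have) for have in active):   # an active supernet counts
            covered[prefix] = purpose
        elif any(want.subnet_of(have) for have in disabled):
            uncovered[prefix] = purpose + " (entry present but disabled)"
        else:
            uncovered[prefix] = purpose + " (no entry)"
    rfc_nets = [ipaddress.ip_network(p) for p in RFC6890_IPV4]
    # Active entries that overlap nothing in RFC 6890 (e.g. 224.0.0.0/4, which is
    # multicast and comes from a different registry) are reported, not judged.
    extra = sorted(str(n) for n in active
                   if not any(n.subnet_of(r) or r.subnet_of(n) for r in rfc_nets))
    return covered, uncovered, extra


if __name__ == "__main__":
    covered, uncovered, extra = audit_bogon_list(parse_address_lists(SAMPLE_EXPORT))
    print(f"covered {len(covered)}/{len(RFC6890_IPV4)} RFC 6890 prefixes")
    for prefix, why in uncovered.items():
        print(f"UNCOVERED {prefix}: {why}")
    for prefix in extra:
        print(f"INFO      {prefix}: active entry outside RFC 6890")
```

On the sample above the only gap it reports is 10.0.0.0/8, present but disabled, which is exactly the trade-off the author's comment documents.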


Enterprise DNS Hybrid Architecture | Data Center | Cloud

Hello r/networking!!!

Looking for some reference material or resources outlining common best practices for enterprise DNS architecture.

*I'll be using terminology from https://en.wikipedia.org/wiki/Master/slave_(technology):

Primary/secondary

In December 2017, the Internet Systems Consortium decided to allow the words "primary" and "secondary" as a substitute for master/slave terminology in their DNS server software BIND.

  • DDI solution
    • Infoblox
    • BlueCat
    • <other>
  • Custom
    • *Nix
    • <other>
  • Active Directory integrated
    • Yes
    • No
  • Footprint:
    • Management
    • Authoritative
      • Single primary/authoritative for internal/external zones
      • Separate primary authoritative for internal/external zones
    • Internal Recursion
    • Root hint Recursion
      • Dual role with internal recursion?
      • Separated and restricted where only internal forwards to root hint caching
    • External zone authoritative (secondary)

I have started researching this and currently navigating the sea of mislabeled and sales articles, figured I would drop this sub a note.

-Cheers



Clearing NAT Policy Statistics on SonicWall

What are some common ways to clear NAT policy statistics on a SonicWall NAT policy without having to directly change anything about the policy? I was told that in an HA pair, even without the Active device restarting to initiate failover, if it's initiated by a disconnected cable from the Active device, failover will kick in and reset all traffic statistics. Is that true?

Thanks.



4510R+E, Sup8E only allowing 4 10G interfaces to work

We have a Sup 8E on older (3.06.08) code and plan on doing an upgrade tonight. We were told that in single supervisor mode all 8 SFPs will support 10G. After 4 connections, any more don't work. The switch sees the SFP in SHOW INVENTORY, but there is no connectivity. We are upgrading to 3.11.3a. Should this resolve that issue?



Confusion about MPO/MTP Breakout

Hi everyone,

I am a bit confused about whether this setup will work. The setup is quite messy; unfortunately I was only involved in the planning at the very end. The customer has two DCs connected via MMF-OM5 over 250m with LC patch panels. We need to get 40G from a pair of Nexus 9300 in DC1 to a pair of Catalyst 3850 switches in DC2. The Catalyst 40G modules do not support any LC transceiver that can get 40G over 250m. So my idea was using MPO transceivers and breakout cables to the LC patch panels, splitting the connection over 4x 10G, which should be no problem over 250m:

Nexus[MPO] <---> [4xLC]Patchpanel <---OM5-over-250m--->Patchpanel[4xLC] <---> [MPO]Catalyst

Now I thought this would be a common use case, but I cannot find any other design doing it that way, up to the point where I question if it is even possible. Can someone verify the setup?

Thanks



BGP and VRRP

We have the following topo:

NET (2 ISPs)
switch stack
   |   \
  R1    R2
   |   /
core switch
etc

Scenario is: 2 ISPs, the network on the "inside" is public (ex. 92.0.0.0/24). Routers have IPs on their internal interfaces 92.0.0.1 and 90.0.0.2. VRRP is running between them, with OSPF configured between the routers and the switch stack. The VIP is the same as R1's, which makes it Master. From the outside we can ping R1, but not R2 (90.0.0.2). When we force a failover, we can ping the second router's internal IP.

Up until now there was a single router with IP 90.0.0.1, and BGP peering with the ISP was done with that IP. We don't want to run BGP on the VIP, and so there must be 2 BGP sessions at the same time with peers R1 and R2.

Right now we have a lab scenario, and until we figure it out we can't take the whole thing into production. In short: is it normal that we can't ping R2 from the "outside" (while it is the backup VRRP router), and does that mean there can't be a BGP session on it?

Sorry for bad English.



High CPU creating VLAN SVIs

Hi Guys,

After a little help if possible. We're having issues simply creating a VLAN and SVI. As soon as we create these we see a MACFLAP log and high CPU usage:

%SW_MATM-4-MACFLAP_NOTIF: Host 706d.15fa.305f in vlan 472 is flapping between port Te1/0/14 and port Te1/0/13

If we remove the VLAN and SVI it disappears.

I've traced the MAC and it points directly to these:

Switch1#show mac address-table | inc 706d.15fa.305f
 416    706d.15fa.305f    STATIC    Vl416
 420    706d.15fa.305f    STATIC    Vl420

Could someone point me to troubleshooting steps for this? I've looked at EtherChannels, trunk ports and spanning tree per VLAN, but I'm stumped.

Cheers,



Expand LAN subnet

Hello everyone, in my company I have a /22 subnet for VLAN1 where I have switches, routers and clients connected to it.

The DHCP is run by my AD server for VLAN1, and each PC client has a static lease so it can be assigned and tracked.

Now, the problem is that I'm starting to run out of pool, and I'd like to know what the best practice is to expand it, because I wouldn't want to manually edit the subnet mask on 200+ devices.



How to copy an IOS image from a PC to GNS3?

I need to practise an IOS upgrade activity lab in GNS3.

How do I copy an IOS image from my PC to a virtual PC or some other device within GNS3, so that I can then upgrade my router within GNS3? Thanks in advance



When did you "get" it?

Good morning guys, my name is Parker and I am 2 years into my IT career. I started off by obtaining my A+ and landing a job on a helpdesk for an MSP; after 6 months of hard work and good initiative I was moved to tier 2 support. I worked in that role for a year and found myself learning so much but ultimately being burnt out due to poor culture. It happens. I was hired at a new MSP as a "Senior Support Tech". It's a much better fit and I even have a few friends that have worked here for years. I'm now working towards my CCNA. I try my best to study but find myself discouraged because the topics are really complicated to me. I'm about halfway through Odom's first CCNA book. I have a MUCH better understanding of networking concepts and good practices for networking, but whenever I browse this subreddit I get really lost and have to google a TON of things to even be able to follow along with the posts. My question to you guys is: when did you get it? When did you become proficient in computer networking?



DHCP Headache

Recently, clients that have been away from the office for an extended amount of time are not able to get a DHCP address when returning. More specifically, they get it for a second, then lose it, and it gets marked as BAD ADDRESS on the DHCP server. The client reverts to a 169.x.x.x IP address.

After deleting the BAD ADDRESS entries and restarting the DHCP server service, it will usually then give out the same IP addresses that were marked BAD, but they work this time and stick.

We recently upgraded the local firewall to the global corporate standard with Check Point (not sure if related). I checked for a rogue DHCP server but didn't find anything. Really strange; anyone have any ideas?



Speedtest.net ... but for the LAN

I have a use case for a site like speedtest.net that could be hosted at one or more sites in the corporate WAN (this particular customer has dozens of sites connected in a mix of MPLS PIP and VPN). iPerf, which I usually use, is not going to cut it in this case; end users need to be able to use it.

A bunch of Meraki equipment has this functionality built in, but this customer doesn't have any Meraki.

Is there anything modern-ish I can deploy in IIS or Apache or VM appliance that would do this, or is there a keyword my google searches have been missing?



How to increase the available bandwidth between two switches

What's the best way to increase the available bandwidth between two switches?




DNS: direct nslookup resolves, dig does not

My company makes a device which is placed at remote customer sites on networks we do not control. The device communicates with our cloud service over HTTPS. Simple stuff typically.

Occasionally we run into network issues, as our customers' networks are often locked down hard and their IT staff doesn't always have the skill. We get called, and there's a period of blaming our device for the problem before we figure out some bit of configuration they got wrong.

But today we ran into one that I haven't been able to figure out. DNS is not resolving. Our software, written in Python 2 (yes, we have a Python 3 port complete, but the upgrade hasn't made it to this site), gives a "Name or service not known" error.

The device runs a slightly older Debian (9.0, stretch), with connman installed. Connman replaces /etc/resolv.conf with a symlink to /var/run/connman/resolv.conf, which points to a local DNS resolver on 127.0.0.1. Connman's resolver is bound to this address on the correct port.

Connman is correctly configured with their two DNS servers. I can use nslookup to query both these servers directly for our domain (we'll call it "my.company.com").

dig +trace my.company.com (querying through the connman resolver) returns a SERVFAIL after about 4 seconds. To me this means connman's forwarding mechanism is responding, but the forward is timing out.

This same device works fine at hundreds of other sites, so we immediately suspect something odd with this network. But what? An nslookup query to their DNS servers works fine.

And this customer has TWO of our devices exhibiting the same problem.

How might I further debug the issue? Any ideas on what might be going wrong?



Sensitive data

When using network monitoring software that captures network traffic, we are accessing information which may be sensitive in nature. What are the implications of storing this data?



Does the Draytek block incoming from WAN as default?

I have a 2862n and I cannot find any rule under the Firewall section for an implicit deny of all incoming traffic. I can't see any Draytek documentation saying this either; however, I have seen other posts say it is blocked by default. Is there any way to see this within the web interface?

Under Firewall general settings there is "Block incoming connections initiated from ipv4", and this is unchecked. Should this be enabled, or is this more about local IP addresses, say on the VPN? The same setting for ipv6 is checked.



Nexus 5k admin password won't reset

I have a Cisco Nexus 5000 that is a bit older; however, over the last couple of years and changes of employees we managed to forget the local login password to the switch. I have gone through the process of trying to get the password reset using the Cisco guide below. However, I cannot get it to work after step seven (I am using an older OS, so I am doing the Ctrl+Shift+B); the switch still reboots as normal. Any tips on what I can do?

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/password_recovery/b_nx_os_pwr/nx_os_pw.html



Noob questions about Brocade SAN switch

I don't have any test environment for the SAN network, that's why I have to learn on production :)

I need to add a few aliases and create a zone on a Brocade 5100. The SAN fabric contains the mentioned Brocade 5100 and Brocade 4900s. They are connected together with an E-Port. The 2 x Brocade 4900 are primary; most of the ports there are used. The Brocade 5100 is using only the E-Port and another 3 x F-Port which I connected to servers recently.

My biggest doubt is about saving and enabling the configuration. Is it that simple, just to add aliases, configure the zone, save the config and enable it? I'm planning to use the GUI, not the CLI. My worst imagined nightmare is that when I enable the configuration, all of the configuration disappears :)



Thoughts about KB CCIE Datacenter Training?

Hey Folks,

I'm planning to sign up for "KB CCIE Datacenter" and would like to know your thoughts on the said training. Is it good and helpful to your CCIE DC journey? What preparation do I need if I sign up for that training?

https://kbits.live/courses/ccie-datacenter

List few points of the training

  1. The Workbook contains 80+ Labs
  2. The detailed online LIVE classes will last 4 hours each

Does it mean I still need to build a lab or have equipment to complete the workbook labs? Reviewing some of the feedback, it seems good.

Thank you



Thursday, February 4, 2021

How is the destination port number determined in case of TCP connections ?

I was reading the chapter on TCP in 'Computer Networking a Top Down Approach'. It said the following regarding destination ports in TCP:

When a TCP segment arrives from the network to a host, the host uses all four values to direct (demultiplex) the segment to the appropriate socket. In particular, and in contrast with UDP, two arriving TCP segments with different source IP addresses or source port numbers will (with the exception of a TCP segment carrying the original connection-establishment request) be directed to two different sockets.

So if I have

HOST A running Process A at port 8000 and Process B at 8001 communicating with Process C at port 1100 on HOST B.

Both processes A and B have a TCP connection with Process C, so both would have the same destination port but different source ports. The book says they will be assigned different sockets. From this I understand that they will get different port numbers, let's say 1102 and 1103, to send data to.

Then how would the process at 1100 know that Process A and B were trying to communicate if the data is not sent to 1100? Is there some kind of mapping stored on HOST B?
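The demultiplexing the book quote describes can be watched directly with two loopback connections. The following is an added example, not code from the post: one listener stands in for Process C on HOST B, two client threads stand in for Process A and Process B, and the result records the (local port, remote port) pair of each socket that accept() hands back, plus which client's bytes arrived on which socket. Port 0 is used so the kernel picks a free listening port; pass 1100 to mirror the post's numbers. The payload strings are constructed for the demo.

```python
import socket
import threading


def _client(server_addr, payload, source_ports, idx):
    """One client process: connect, record our kernel-assigned source port,
    send a payload, then wait for the server's reply before closing."""
    s = socket.create_connection(server_addr)
    source_ports[idx] = s.getsockname()[1]
    s.sendall(payload)
    s.shutdown(socket.SHUT_WR)      # tell the server we are done sending
    s.recv(64)                      # block until the server has answered
    s.close()


def demultiplex_demo(server_port=0):
    """Listen on one port (1100 in the post), accept two connections
    (Process A and Process B) and return the 4-tuple view the receiving host
    uses to pick the socket for each arriving segment.

    Both accepted sockets keep the SAME local port, the listening port; they
    differ only in the remote (source) port of the peer. No extra server-side
    ports are allocated for the individual connections.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", server_port))
    listener.listen(2)
    listen_port = listener.getsockname()[1]

    payloads = [b"from process A", b"from process B"]   # constructed sample data
    client_source_ports = [None, None]
    clients = [
        threading.Thread(
            target=_client,
            args=(("127.0.0.1", listen_port), payloads[i], client_source_ports, i),
        )
        for i in range(2)
    ]
    for t in clients:
        t.start()

    # accept() returns a NEW connected socket per client; the listening
    # socket itself never carries application data.
    accepted = [listener.accept()[0] for _ in range(2)]

    result = {
        "listen_port": listen_port,
        "local_ports": [],            # local port of each accepted socket
        "remote_ports": [],           # the peer's source port, one per socket
        "payload_by_remote_port": {},
    }
    for conn in accepted:
        _local_ip, local_port = conn.getsockname()
        _remote_ip, remote_port = conn.getpeername()
        data = b""
        while True:                   # read until the client's half-close (EOF)
            chunk = conn.recv(1024)
            if not chunk:
                break
            data += chunk
        conn.sendall(b"ok")
        conn.close()
        result["local_ports"].append(local_port)
        result["remote_ports"].append(remote_port)
        result["payload_by_remote_port"][remote_port] = data

    for t in clients:
        t.join()
    listener.close()
    result["client_source_ports"] = sorted(client_source_ports)
    return result


if __name__ == "__main__":
    r = demultiplex_demo()
    print("server listens on", r["listen_port"])
    for rp in r["remote_ports"]:
        print(f"  socket 127.0.0.1:{r['listen_port']} <- 127.0.0.1:{rp} "
              f"carried {r['payload_by_remote_port'][rp]!r}")
```

Run it and the two accepted sockets report the same local port while their remote ports match the two clients' ephemeral source ports; the kernel's lookup on the full 4-tuple is the "mapping" that keeps the two streams apart.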



IKEv2 FlexVPN with Cisco 9200 switch?

I have a Cisco 9200-24P switch. I'm trying to set up an IKEv2 (FlexVPN) tunnel that can encrypt traffic and dynamic routes. I seem to have that much working: the tunnel is up, EIGRP is exchanging routes. I can reach the switch from the far-end devices (ping, SSH, TFTP, etc.). However, I have a laptop connected to the switch and it will not communicate over the tunnel. The router on the far end is logging these messages:

%IOSXE-3-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:000 TS:00000640913545780936 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 172.16.13.5, src_addr= xx.xx.xx.xx, prot= 47

So it seems like the switch is trying to send unencrypted packets over the tunnel. Basically I'm trying to turn this switch into a branch router, and maybe that's just not what it's designed to do. But I haven't found any official documentation stating it doesn't support routing over an encrypted tunnel. And, obviously, it IS working, just not in any functional capacity.

Anybody else tried this or know whether or not it can be done?



How would I connect another building to our network?

I have two switches in two separate buildings. One switch has FTTP and the other has no WAN connection. I was looking into running Ethernet between the switches. The building is only around 50m away.

I was looking into using SFPs with an RJ45 connection; what is the benefit of this?

Why couldn't I just run Ethernet from the 1st switch to the 2nd and just plug it into one of the ports, not needing to use SFPs?

How would you do it?

Thanks.



Why is ethernet so far behind Thunderbolt and USB 3.1?

I don't understand why Ethernet seems to be so neglected and out of date. Thunderbolt 3 can do 40Gbps, USB 3.1 can do 10Gbps, heck, even USB 3.0 is 5Gbps and my thumb drives slightly warm up but they aren't about to melt. Why are 10GbE adapters so ridiculously bulky and run so hot?

Why is it taking so long for 10GbE home routers and ~20 dollar 10GbE switches to appear on the market?

100BASE-T came out in 1995, and 1000BASE-T came out in 1998!

22 years without any consumer penetration?

Am I missing a physics problem here?
Why did we flatline at 1gbps?



Has anyone else done a large-scale AP Deployment, Aruba, Cisco, or other?

- What was your overall experience with the product, support, & features?

- Was it a successful deployment?

- If you had to do it again, would you choose the same vendor?

My company recently purchased into the Aruba 7240XM Controller & 303H AP products for a long-term work from home solution for 2000+ employees. I have a network background and was tasked with implementing it. I've worked with many network vendors including Cisco, Juniper, Adtran, Brocade, Palo Alto, Fortinet, even pfSense. We had to come up with naming conventions in the configuration, authentication schemes, testing of connectivity/provisioning among the rest, but the hardest part of it all has been the incredible amount of unexpected behavior from the Aruba products. I've noticed lack of documentation, typos in the CLI, ambiguous error and help messages, inconsistent hardware & software behavior, and even an ACL not denying traffic as intended. It seems like every time we go to implement another feature, we run into unexpected behavior and have to troubleshoot it for days and hours. In most other network deployments I've done, I've been able to read documentation and deploy something successfully with relative ease, but that's not been the case here.

I'm just curious, am I having this experience alone or is this typical for this type of deployment?

Thanks



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



TCP Optimization solutions for SDWan

Okay, I'm getting close to wit's end on this one. I need a solution for TCP optimization for my two LFNs (long fat networks). I contacted my Cisco rep directly for how to set all this up, and the email I got back from them is below. Tijuana and Changshu, China have too much latency from the USA, and my 100Mb MetroE connections get completely crappy service, maybe 8-10Mb at most on a good day. I am running Cisco SD-WAN with a mix of ASR/ISR/vEdge devices and they advertise TCP optimization everywhere, but it seems even they don't know how to do it. So, what am I to do? I need a decently priced TCP optimization solution that can solve this issue for me.

Email from Cisco:

Wanted to supply a quick update on this. I found out why there is a lack of information on TCP Opt and why I haven’t found a good resource internally. Apparently, nobody is using this feature as it has diminishing returns (often no use-cases) where TCP opt will work. The algorithm is currently still being worked out and is likely something to be visited later. I proposed your issue to a friend of mine who is an SDWAN architect to see if he had any recommendations - waiting response. I will also be meeting with my EN architect Monday to discuss this as well. I know this isn’t ideal but I am definitely working on it to get you something!



Quick question - does anyone have a HP1920s switch with a management VLAN set on it?

Hey all, performing a change this weekend where I chuck all the switches onto the MGMT VLAN, and I want to pre-write the switch configs to save me time. I know how to make the change in the GUI, I just don't know what the config file looks like afterwards (and I can't make a change during production).

Does anyone have this in their environment? Could you post the line of the config that sets the MGMT VLAN? Much appreciated



Help with a router and switch

Hi, I have 5Gb of fiber from my operator, but due to their router I can only get 2.5Gb on one Ethernet port and 2Gb on 2 gigabit Ethernet ports. I was wondering if it was possible, with a switch, to pull 3Gb from the link to my internal network. I forgot to mention the router does not support LACP; I think you can fool it with a MAC clone or something. For more information, the model of the router follows.

Model:Freebox POP(Free ISP France)



How to go from Network Administrator to Network Engineer

Good Afternoon,

I've been a network administrator for going on 6 years now. I have my Network +, Security +, and CCNA. I'm looking to get into a network engineer role and make that next step in my career. How did some of you manage to make this jump?



Network refresh - Resubnetting - Aruba CX & Clearpass

We are in the process of refreshing our campus network. Currently we have everyone subnetted out: staff, printers, BYOD, security, phones, etc. We are going to be going with Aruba CX switches and tunneling everything back to ClearPass. So the question got brought up about resubnetting.

There has been talk of making 1 big subnet and letting ClearPass handle all of the policy stuff, so one group of devices can't talk to another group if they do not have permissions. All the rules would be set up in ClearPass, and 802.1X would be used on both wired and wireless. The goal is that someone would have the same experience/rules with the same account regardless of whether they were on wired or wireless.

This seems like a crazy idea to me and I'm not too fond of it, but I wanted to get other people's opinions if you have done something like this.



Fluke CableIQ Wiremap error

Hi guys! The company I work for bought a Fluke CIQ-100 and it's been amazing thus far. The only issue is we hired a few greenhorns recently and thought they were trustworthy enough to hand this equipment over to. Sure enough, when I attempted to test a drop today I have both lines 3 and 6 not showing at all. I've checked the connections and tested multiple other cables with it and it's showing the same results. I've even used patch cords straight out of the bag that I know are good, with the same result. Anyone have any ideas on how we could fix this without having to buy a new one? This is impeding progress on multiple projects, so timely responses will be appreciated vastly.



Advice on cutting dead cables

We've just leased a new office that was heavily Ethernet cabled for a small space. We pretty much don't need anything more than 6x wired connections and a Wi-Fi signal. I'm good doing that, connecting the router to the switch, wiring the patch panel to the offices.

Here is my problem. I have no wiring experience and we are blowing through our start-up budget quickly. The previous tenant left cables in an open area that were from all the cubicles they took away. https://cathcam.files.wordpress.com/2021/02/pxl_20210203_211355223.jpg

I've traced the cables and they attach to this panel https://cathcam.files.wordpress.com/2021/02/pxl_20210203_211406203.jpg

Since we will be keeping that part of the office open with no desks or cubes my first reaction is just to cut the ends off the cables to get them out of the way.

Am I missing something? Since nothing is plugged into the patch panel they are terminated in...



Need recommendations for sites to purchase SonicWall license keys from.

As the title states. I’m looking for recommendations for good websites to purchase SonicWall license keys from. Specifically, I’m looking to purchase a key for the Comprehensive Gateway Security Suite.

I’ve done some searches but I’m getting all kinds of results and I’ve had bad experiences in the past with some sites.



Cisco RV340 - Limit inside IPs to specific WAN only

I'm new at this, so I beg your kind indulgence.

The router in question is a Cisco RV340, which has dual WANs operating either with failover or load-balancing. I have mine set to failover currently, but...

I need to force specific inside IP addresses to use only WAN2, and others only WAN1. Is there a way to do this? I've gone in circles for hours and none of the built-in capabilities of the router seem to do what I need. This is driving me nuts.

Please advise. Your help is much appreciated.



Nexus 9Kv OSPF works without the "layer3 peer-router"

Hey guys,

any idea why I am able to run OSPF perfectly over a vPC design WITHOUT the layer3 peer-router command, without it being stuck in INIT/2WAY/EXSTART?

I mean, this is not a "Why it DOES NOT work" post. It's a "Why it DOES work" question. :-) Are the virtual NX9Ks somehow different? I've tested with 7.0(3)I7(4) and with 7.0(3)I7(9).

According to all the articles I've read, layer3 peer-router was introduced exactly to eliminate the TTL issue and allow OSPF to work over vPC.

I want to run OSPF on top of our vPC design. I know what vPC is, I know how to use it. And in theory I know what the peer-gateway and layer3 peer-router features are used for. Before I deploy it on real HW (NX9504), I wanted to simulate the behavior in an EVE-NG lab, but I watched in disbelief as all the routers came up.

I have 2 DCs, 4 devices, running a square vPC design. NX11 is connected to NX12 and NX21, and the same on the other side: NX22 is connected to NX21 and NX12 (i.e. not full-mesh cabling).

Thank you!

Jozef



Does anyone know how long an update on a Palo Alto 3020 takes?

So I'm updating a single 3020 from 8.0 > 8.1 > 9.0 > 9.1 > Latest patch(I know. It's way behind). I was just trying to get a rough idea on how long each of these updates take.



Cat 8 distance question.

All of the specs I read about Cat 8 list a distance of 30m. Is this a hard limit, or does it behave like other Ethernet standards where longer distances are possible at lower speeds?



Palo Alto, PBF and NAT?

Hi all,

I'm currently setting up a location with dual ISPs for redundancy's sake and as such I've gone down the route of utilising PBF for failover, but I'm having what I believe are NAT issues.

Currently, with PBF, traffic goes from Eth1/2 to Eth1/1 which is inside to outside. All is well.

When I fail over to let my routing table take over, outside traffic is supposed to leave through Eth1/4 but I believe it's still NATing traffic through Eth1/2; if I remove the NAT rule from Eth1/1 to Eth1/2, traffic starts flowing as intended through Eth1/4.

I feel like I'm missing a step but the documentation on Palo Alto's website is quite straight forward: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/policy-based-forwarding/use-case-pbf-for-outbound-access-with-dual-isps.html

Has anyone run into this issue before and could possibly help?

Many thanks.

Edit: To add, this is all on the same virtual router.



Netgear vs HP - Costing up 10x switches for a total infrastructure refresh.

Hi

Currently running a network on dumb switches, wanting to move to managed for ACL/VLAN control etc.

I've always been a Netgear user, but our supplier is bullish on HP and has some really good pricing apparently, so I want to explore all options.

If I were going pure Netgear, I'd be looking at the following:

- 7x NETGEAR GS752TPv2 380W
- 1x NETGEAR GS728TPv2 190W
- 1x NETGEAR GSM7248P 308W

The GSM7248P would be our core switch, handling all the inter-vlan routing, DHCP relay etc, the rest handling their own VLANs & providing power to every port.

In terms of the HP switches, I've costed up the Fully Managed equivalents, and obviously they're much more costly... but I'm not sure if I NEED the Fully Managed option, as the Netgears are Smart Managed.

Are the HP Smart Managed switches just as versatile in terms of VLANning, inter-VLAN routing, DHCP helper, ACLs, RADIUS etc.? I have no need for console/SSH access and our only L3 switch needs to be the core switch.

I realise this is a bit wishy-washy, but any advice is appreciated.

Thanks!



Someone posted a nice SNMP guide with a bunch of cmd's

I forgot if it was posted here or on the sysadmin blogs; for the life of me I cannot find it. Can someone repost it if they have it handy? It was about 15 to 20 pages, I think.



Wednesday, February 3, 2021

Mesh WiFi that shows data usage per device

I currently have a TP link deco mesh system. I’m wanting to upgrade and would like a mesh system that has an app which shows data usage per device. What systems/ brand do this?



Visual traceroute/ping analyser

Hi,

I’m currently working on an application which graphs the hop RTT. I started the development because I needed to graph this and the main application in this field is crippled unless you buy a license.

I have made my application open source and it also runs on macOS, Linux and Windows, I work on it in my spare time and although I wrote it for myself, I decided that open sourcing it would be a good thing to do.

I’d like to ask people is there any features you’d like to see in such an application, anything from basic stuff to more advanced stuff, I’m happy to take onboard any suggestions!

The application itself has been designed to be completely modular, so it’s possible to make plugins for it that extend the functionality very easily.



802.1X Wired

A question for those of you running colorless ports. Are you really trunking to every switch every possible vlan that a user or device can authenticate to?

That’s a ton of unnecessary L2 traffic even if using high bandwidth uplinks. Not to mention the higher exposure to a broadcast storm with all that ARP traffic flying around.

I've seen Juniper EX3400s keel over at 3K MAC addresses even though they advertise a table that can handle 32K. At what table size does performance become affected?



Firewall node is stopped after a click on it in EVE-NG

Hi guys, I recently started working on the EVE-NG community version for my firewall class.

In my first experience after installation, I added the FortiGate firewall; when I started the node, the firewall icon stops (reverts back to gray color) after a couple of seconds. Has anybody had this issue before?



Cisco ACS replacement?

My last position had a really nice TACACS+ server. For dealing with all our customer devices, it was practically invaluable.

When I asked why my new company does not have such a product, I was immediately put in charge of finding a solution (of course). However, all the products that I can find are really disappointing: little support if any, little to no 2FA support, and they are all developed by companies whose websites fill me with no confidence.

Come to find out, Cisco had their own product that did this, which was even sold as a deployable VM. And, like Cisco, they discontinued it and provided no replacement product on their EOL sheet. Can anyone share how their firm / position deals with SSO on their Cisco products?



DHCPDECLINEs

I’m losing my mind on this one, and so far I haven’t found an answer anywhere.

I’m running ISC DHCP server on an Ubuntu 20.04 box. It’s set up with four VLAN interfaces, each of which is tied to a bridge, and it’s been serving up DHCP fine.

Suddenly, I'm getting devices that are giving me DHCPDECLINE messages. Sometimes with an abandon, sometimes not.

When I get on my laptop (a MacBook Air), it falsely tells me that there is an ip conflict and it can’t get an IP address. I do static DHCP leases for known devices, so I know that’s not it. Even when I nuke the static DHCP lease and restart the server, I get the same issues. I just get them on a different IP address.

I’ve seen this across multiple device types, so it’s not like it’s just Apple devices or whatever.

It’s also across multiple VLANs, so I can’t isolate it that way.

Has anyone run into this? If so, what’d you do? This is honestly driving me crazy!!
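A small log-analysis helper for narrowing down DHCPDECLINE bursts like the ones described above, added here as an example and not taken from the poster's setup. It parses ISC dhcpd's `DHCPDECLINE of <ip> from <mac> via <iface>: <status>` log lines and groups them the way a troubleshooter wants: per serving interface, per client, addresses declined by more than one client (something really is holding that IP), and clients that decline several different addresses in a row (their pre-use conflict check fails on every offer, which points at the segment rather than at one address). The log lines, MACs and addresses are constructed for the example; the `serial_threshold` of three is an assumption, not a dhcpd setting.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of ISC dhcpd syslog output (not from a real server).
SAMPLE_LOG = """\
Feb  3 09:12:01 dhcp dhcpd[812]: DHCPDISCOVER from 3c:22:fb:aa:bb:01 via vlan10
Feb  3 09:12:01 dhcp dhcpd[812]: DHCPOFFER on 10.10.0.53 to 3c:22:fb:aa:bb:01 via vlan10
Feb  3 09:12:01 dhcp dhcpd[812]: DHCPREQUEST for 10.10.0.53 (10.10.0.1) from 3c:22:fb:aa:bb:01 via vlan10
Feb  3 09:12:01 dhcp dhcpd[812]: DHCPACK on 10.10.0.53 to 3c:22:fb:aa:bb:01 via vlan10
Feb  3 09:12:02 dhcp dhcpd[812]: DHCPDECLINE of 10.10.0.53 from 3c:22:fb:aa:bb:01 via vlan10: abandoned
Feb  3 09:12:05 dhcp dhcpd[812]: DHCPDECLINE of 10.10.0.54 from 3c:22:fb:aa:bb:01 via vlan10: abandoned
Feb  3 09:12:09 dhcp dhcpd[812]: DHCPDECLINE of 10.10.0.55 from 3c:22:fb:aa:bb:01 (macbook) via vlan10: abandoned
Feb  3 09:13:40 dhcp dhcpd[812]: DHCPDECLINE of 10.20.0.77 from f0:18:98:cc:dd:02 via vlan20: abandoned
Feb  3 09:14:12 dhcp dhcpd[812]: DHCPDECLINE of 10.20.0.77 from 8c:85:90:ee:ff:03 via vlan20: not found
"""

# dhcpd logs "DHCPDECLINE of <ip> from <mac> [(hostname)] via <iface>: <status>"
# where <status> is e.g. "abandoned", "not found" or "ignored (...)".
DECLINE_RE = re.compile(
    r"DHCPDECLINE of (?P<ip>\d+\.\d+\.\d+\.\d+) from (?P<mac>[0-9a-f:]{17}) "
    r"(?:\([^)]*\) )?via (?P<iface>\S+): (?P<status>.+)$"
)


def parse_declines(log_text):
    """Return one dict (ip, mac, iface, status) per DHCPDECLINE line;
    every other dhcpd message is skipped."""
    declines = []
    for line in log_text.splitlines():
        m = DECLINE_RE.search(line)
        if m:
            declines.append(m.groupdict())
    return declines


def summarize(declines, serial_threshold=3):
    """Aggregate declines into the views needed to tell 'one real squatter
    on an address' apart from 'this client refuses everything it is offered'.

    serial_threshold (assumed value) is how many distinct addresses one
    client must decline before it is flagged as a serial decliner.
    """
    per_iface = Counter(d["iface"] for d in declines)
    per_mac = Counter(d["mac"] for d in declines)
    macs_per_ip = defaultdict(set)
    ips_per_mac = defaultdict(set)
    for d in declines:
        macs_per_ip[d["ip"]].add(d["mac"])
        ips_per_mac[d["mac"]].add(d["ip"])

    # Same address refused by different clients: a host really answers for it.
    contested = sorted(ip for ip, macs in macs_per_ip.items() if len(macs) > 1)
    # One client refusing many addresses: its conflict probe is failing on
    # the whole segment (something answers ARP for everything, or the probe
    # is being reflected back to it), not a problem with one IP.
    serial = sorted(mac for mac, ips in ips_per_mac.items()
                    if len(ips) >= serial_threshold)
    return {
        "per_iface": dict(per_iface),
        "per_mac": dict(per_mac),
        "contested_addresses": contested,
        "serial_decliners": serial,
    }


if __name__ == "__main__":
    report = summarize(parse_declines(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Point it at `/var/log/syslog` (or wherever dhcpd logs) in place of the constructed sample: a serial decliner on one interface narrows the hunt to that bridge and VLAN, while a contested address is worth an ARP lookup for the MAC that is actually using it.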



Open networking Solution recommendation? Software + Hardware?

Hey guys,

I have a customer currently running a bunch of Cisco (Catalyst 9ks + Nexus 9ks/3ks) and Arista switches. They are looking for an open networking solution and it looks like there’s a lot of options out there. Is there any in specific that you guys have experience with and that may recommend?

We’ve looked into Cumulus (Owned by VMWare) and BigSwitch (Owned by Arista now) in the past.

I know the Cisco catalyst chipsets don’t support open networking but the Aristas do so it is most likely coming down to purchasing new hardware that is also compatible with the solution.

Any info or insights that you guys have will be greatly appreciated.

Thanks.



How much for an install?

I just need an approximate here.

I consult, but do RV parks with Wi-Fi, and I have a job that is a lawyer's office with three rooms, 5 PCs, everyone's cells needing connecting, and they have the cable drop and nothing else. NO Cat5 installed, nothing. They want a network drive, and they need me to interface their legal software so it is networked as well (say 4 to 6 hours of work), and a few other things like that. So I would need to firewall, put in a net drive, wire up all the PCs including 2-3 Wi-Fi APs, and then make all their software work with it.

What would you think is an APPROXIMATE good quote price for this?



Service Providers meeting SLA's

Hello everyone,

As I'm fresh in the networking industry, my questions are probably very basic; sorry if that's the case. My questions are: What goes into an SLA in terms of bandwidth, uptime, delay? How do providers and customers track whether expectations are met? How is it different for providers doing it for companies versus those doing it for end customers, or anything else that follows a customer/provider relationship?

Looking forward to Your responses :)



ASA TLS-PROXY

So I came across this message and I was wondering what it's about. This firewall has 2 contexts and is in HA, each in a failover group so each context has an ASA for itself. This particular firewall handles a lot of SRTP/SIP traffic. So I don't know how this TLS proxy message came to be, since we don't have any TLS proxy configured on it. Any thoughts?

ASA5516x/admin/pri/act# show version | i TLS

Total TLS Proxy Sessions : 1000 perpetual

The Running Activation Key feature: 2000 TLS Proxy sessions exceed the limit on the platform, reduced to 1000 TLS Proxy sessions.

ASA5516x/admin/pri/act# show tls-proxy session detail

0 in use (0 established), 0 most used



Fortigate VPN issue

I have an error that says 'SA is not ready yet so drop' for a VPN tunnel between different subnets. It routes until the tunnel interface, dropping it there. Any idea what the issue may be? The tunnel is up, by the way, but I'm not able to ping.



JunoSpace Security Director API Firewall Policy Locking Modes

Hello!

I'm currently doing some research on using the security director API for creating/editing SRX Firewall policies.

After looking through the API and User guides for our versions, I've noticed that it appears locking of a policy is only available from the GUI. I have referenced the edit firewall policy section of the API guide and haven't seen any functionality to lock the config from a programmatic perspective. Is this the case, or is the locking function hidden behind the scenes on the API side?

Any info or documentation you can point me towards would be much appreciated!



What are these connectors called?

I ran into These today.

Apparently they are ethernet connections. The other end of the grey cables are standard RJ45 plugged into a switch. And at the other end of the punch-down blocks are standard RJ45 wall sockets.

I'm trying to find out what the connectors are called, but I can't find anything.



Is it best practice to block outgoing traffic except 80/443?

Looking for best practice advice really when setting up small networks. I am installing a Draytek 2862n (this is what they had) for a small business (5 users), and the Draytek comes with a default block incoming rule set up, but I wondered: is it best practice to do a "block all" outgoing and then open the outgoing ports needed, such as 80 & 443, to help keep it secure?



Someone please help.

I've been racking my brain on this issue and need some help. Here is the situation. We have 2 DMVPN EIGRP tunnels to a gateway router in a different country. We normally connect these tunnels through commercial SIM cards via a Cisco ISR C1111 or a Cradlepoint (can't remember the model number atm), transport only; the tunnels reside on a Cisco 5915. The 1111 and the Cradlepoint are only configured to NAT DHCP and then out the SIM. No additional ACLs. Now, we also host VoIP phones off these tunnels and we have 2 models, the SCCP 7945s and the SIP 8861s, and they connect to a CallManager on the other end of the tunnel.

Here is my issue: when the tunnel connects through the Cradlepoint everything works fine. All traffic works and all phones register. When the tunnels connect via the 1111, all traffic works and the SCCP 7945s will register, but the SIP 8861s do not. They get stuck on "phone is registering". The 1111 only has configs in it to make the SIM pull an IP and to NAT a DHCP pool. I cannot figure out for the life of me what could be causing this issue. Any suggestions would be greatly appreciated.



Aruba Clearpass Help

Hello

It’s been about 4 years or so since I’ve worked with Aruba Clearpass. I have an upcoming install that I’m completely not prepared for. Unfortunately, my company will not pay for any training or classes.

Are there any online, free, or cheap tools / videos you recommend that could refresh my memory and get me somewhat comfortable again? I'd try to pay for training but it's $3500, which I don't have.

Anything helps. Thank you so much.



HPE Switch RADIUS authentication no longer working

For whatever reason, all of our HPE switches (ProCurve / Aruba) no longer allow you to authenticate with RADIUS. Our NPS server is on Windows 2016, and I have not been able to identify anything in the log that may be contributing to this. The switches are on multiple different subnets; some reside directly on the same subnet as our NPS. Firmware wasn't recently applied to any of the switches either.

I realize this is pretty vague, but has anyone run into a similar situation where it was working and then stopped? If so, what did you do to resolve it? I'm leaning towards the NPS server or something with a certificate, but I'm looking for advice.



Alternatives to Mobility IP (without cisco)

Hi All,

Currently looking at refreshing WiFi/switches for a densely packed school. Looks like we will have several hundred wireless devices in each building and as many as 800 in the main building (3 floors 150 classrooms + communal) at any one time.

Due to the asinine way that the original contractors fitted the building, roughly a third of the building is covered by each of the patch rooms, and instead of dividing that up by floor (or other logical area) they are at opposite ends of the building and they overlap. Therefore we have access points on multiple floors from the same patch room, and neighbouring classrooms (in a few cases the same classroom) can go back to different patch rooms. Right now that isn't a problem because we have about 100 wireless devices, so they are all on the same VLAN/subnet.

Roll on to next academic year, we are looking at students having a tablet each. I'm worried about broadcast traffic from everywhere to everywhere if the VLANs were to be set up in the same way; in total we would probably have roughly 10 VLANs competing for air time across the entire campus. Between buildings there is an air gap, so at least the satellite buildings can have a different subnet, but in the main building, as I say, kids could literally walk from room to room and have connection issues for the duration of time it will take to re-issue the new IP. Although less of a problem, I also imagine that if I left the APs to their own thing I would get tablets hopping between APs constantly (will deal with that later).

So /r/networking, does anyone have any suggestions that don't involve bankrupting the school to buy Cisco APs and/or switches?

Thanks!



Optimizing Network for Transfer Speed

I have a customer's very small network I've been tasked to optimize, and I've been kind of running into a wall with that and wanted to get some outside input. There are about 10 workstations, 2 servers, two switches, and a security appliance acting as our router and security. AFAIK, the switches are trunked so they don't have to go through the ASA. It is a pure Cisco environment and everything was purchased within the last 3 years. I can get models if necessary.

There is a lot of data being transferred between servers and workstations. The workstations are the ones used to extract these large sets of data and upload them onto the server, where they can be viewed/manipulated. We're talking about 500GB to 5TB transfers, ranging from 500 files to 200,000 files, over the network between this server and the workstations. It's definitely a mixed bag. When more than one workstation is uploading to the server, the users complain of slow transfer speeds, but when I attempted to test this I was getting somewhere in the 888-904Mbps (111-113 MB/s) range when two workstations were transferring. I thought this was acceptable, but I've been advised the customer wants to get as much throughput as possible, as close to 1Gbps (125 MB/s) as I can.

I've considered everything from QoS prioritizing the specific ports that Windows uses to transfer data (if I'm understanding, and can even do that with QoS) to link aggregation of some kind, to even enabling jumbo frames between the workstation interfaces and server interfaces, but I'm worried that would cause more problems than it would solve. What would you guys do in my situation? I appreciate the input a lot, thank you.



VPN through firewall but VNC is not working.

VNC doesn't work if I don't open the command prompt and ping it first.

What does this depend on?



Upgrading Cisco ASA 5506

Hi

At the moment we are using a Cisco ASA 5506-X. I see that the next generation of firewalls from Cisco is Firepower. Should I go with it, assuming this is the easier path, or should I switch to another vendor?

Thank you



Cisco ASA 5506/08/15-X EOL Announced

Cisco has announced EOL and EOS dates for the ASA 5506-X, 5508-X and 5515-X firewalls.
Last sale date - 02/08/2021
End of support - 31/08/2026

What are you all replacing these with?
I've not heard great things about the Firepower series so far; is the 1000 series any better?

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-744797.html

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-744798.html