Saturday, January 26, 2019

R7000, CC Machine and PCI Compliance

Hello folks, I’m looking at the most cost-effective way of making a credit card machine on my local area network PCI compliant. The CC is currently connected to a switch which is connected to my R7000 router. The switch also has a Magic Jack connected to it. From my understanding, the CC has to be on its own network to be PCI compliant. Will adding a second router to the switch and connecting the CC machine to the 2nd router solve my problem? Can anything be done on the R7000 end instead of buying a 2nd router? Thanks in advance.



Resume Service Advice

I have seen a few resume service websites in this sub in the past. A search couldn't help me, so please let me know if you know a site that is tailored for networking jobs.

My resume is a few years old and I need to refresh it.

Thanks,



Salt Napalm junos.ping errors

I am able to run certain modules, but for some reason junos.ping and state.apply are giving me issues. Please see the debug below. I really don't see anything bad besides the bottom half of this. Does anyone have any insight?

sudo salt sj1e2 junos.ping "10.255.255.6" count=2 -l debug

[DEBUG ] Reading configuration from /etc/salt/master
[DEBUG ] Using cached minion ID from /etc/salt/minion_id: **************
[DEBUG ] Missing configuration file: /home/julius/.saltrc
[DEBUG ] Configuration file path: /etc/salt/master
[WARNING ] Insecure logging configuration detected! Sensitive data may be logged.
[DEBUG ] Reading configuration from /etc/salt/master
[DEBUG ] Using cached minion ID from /etc/salt/minion_id: ***************
[DEBUG ] Missing configuration file: /home/julius/.saltrc
[DEBUG ] MasterEvent PUB socket URI: /var/run/salt/master/master_event_pub.ipc
[DEBUG ] MasterEvent PULL socket URI: /var/run/salt/master/master_event_pull.ipc
[DEBUG ] Initializing new AsyncZeroMQReqChannel for (u'/etc/salt/pki/master', u'*****************************master', u'tcp://127.0.0.1:4506', u'clear')
[DEBUG ] Connecting the Minion to the Master URI (for the return server): tcp://127.0.0.1:4506
[DEBUG ] Trying to connect to: tcp://127.0.0.1:4506
[DEBUG ] Initializing new IPCClient for path: /var/run/salt/master/master_event_pub.ipc
[DEBUG ] LazyLoaded local_cache.get_load
[DEBUG ] Reading minion list from /var/cache/salt/master/jobs/b6/1e423215539192fc2cbb2a5c71b2befe94131def163c1d409863c65ff2ce2e/.minions.p
[DEBUG ] get_iter_returns for jid 20190126195925478362 sent to set(['sj1e2']) will timeout at 19:59:30.487877
[DEBUG ] jid 20190126195925478362 return from sj1e2
[DEBUG ] return event: {u'sj1e2': {u'jid': u'20190126195925478362', u'ret': u'The minion function caused an exception: Traceback (most recent call last):\n File "/usr/lib/python2.7/dist-packages/salt/minion.py", line 1607, in _thread_return\n return_data = minion_instance.executors[fname](opts, data, func, args, kwargs)\n File "/usr/lib/python2.7/dist-packages/salt/executors/direct_call.py", line 12, in execute\n return func(*args, **kwargs)\n File "/usr/lib/python2.7/dist-packages/salt/modules/junos.py", line 560, in ping\n conn = __proxy__[\'junos.conn\']()\n File "/usr/lib/python2.7/dist-packages/salt/loader.py", line 1155, in __getitem__\n func = super(LazyLoader, self).__getitem__(item)\n File "/usr/lib/python2.7/dist-packages/salt/utils/lazy.py", line 106, in __getitem__\n return self._dict[key]\nKeyError: u\'junos.conn\'\n', u'out': u'nested'}}
[DEBUG ] LazyLoaded nested.output
sj1e2:
    The minion function caused an exception: Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/salt/minion.py", line 1607, in _thread_return
        return_data = minion_instance.executors[fname](opts, data, func, args, kwargs)
      File "/usr/lib/python2.7/dist-packages/salt/executors/direct_call.py", line 12, in execute
        return func(*args, **kwargs)
      File "/usr/lib/python2.7/dist-packages/salt/modules/junos.py", line 560, in ping
        conn = __proxy__['junos.conn']()
      File "/usr/lib/python2.7/dist-packages/salt/loader.py", line 1155, in __getitem__
        func = super(LazyLoader, self).__getitem__(item)
      File "/usr/lib/python2.7/dist-packages/salt/utils/lazy.py", line 106, in __getitem__
        return self._dict[key]
    KeyError: u'junos.conn'
[DEBUG ] jid 20190126195925478362 found all minions set([u'sj1e2'])



Salt/Napalm state.apply module getting LockError but user is Super-User

Is it possible this could be related to a bug? I am getting the LockError when attempting to run state.apply, but the user it is referring to is a super-user.

/srv/pillar % sudo salt sj1e2 state.apply DrainSJ1SG1secondary
sj1e2:
----------
          ID: Drain SJ1SG1 secondary
    Function: netconfig.managed
      Result: False
     Comment: Cannot execute "load_merge_candidate" on *.*.*.* as SALT. Reason: LockError(severity: error, bad_element: lock-configuration, message: permission denied)!
              Configuration discarded.
     Started: 15:09:34.276672
    Duration: 1146.165 ms
     Changes:
              ----------
              diff:

Summary for sj1e2
------------
Succeeded: 0 (changed=1)
Failed:    1
------------
Total states run:     1
Total run time:   1.146 s
ERROR: Minions returned with non-zero exit code

This is the Juniper device config related to user SALT:

set system login user SALT uid 2003
set system login user SALT class super-user
set system services netconf ssh

Here is the sj1e2 pillar (proxy-2.sls) and the top.sls under /srv/pillar:

proxy:
  proxytype: napalm
  driver: junos
  host: *.*.*.*
  username: SALT
  password: ******
  port: 830

base:
  'sj1e2':
    - proxy-2

When running with -l debug on the state.apply command there are two things that stick out besides the LockError:

State 'netconfig.managed' was not found in SLS 'DrainSJ1SG1secondary'
Reason: 'netconfig' __virtual__ returned False: "netconfig"" (/usr/lib/python2.7/dist-packages/salt/states/netconfig.pyc) cannot be loaded: NAPALM is not installed or not running in a (proxy) minion

But netconfig.managed is in DrainSJ1SG1secondary.sls here:

DrainSJ1SG1secondary:
  netconfig.managed:
    - template_name: salt://DrainSJ1SG1secondary.conf

Also, napalm is installed on the minion and the master (I cut a lot of lines out):

saltminion% pip install napalm
DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7.
Requirement already satisfied: napalm in ./.local/lib/python2.7/site-packages (2.3.3)
Requirement already satisfied: asn1crypto>=0.21.0 in ./.local/lib/python2.7/site-packages (from cryptography>=1.5->paramiko>=1.15.2->junos-eznc>=2.1.5->napalm) (0.24.0)
[2019-01-26 18:18:43-0800] saltminion% salt-minion --version
salt-minion 2018.3.3 (Oxygen)

And above I posted the proxy-2.sls (sj1e2), which shows the proxytype as napalmproxy:

proxy:
  proxytype: junos
  host: ****
  username: SALT
  password: ****
  port: 830

which is in the /srv/pillar dir on the master along with the top.sls. Also, I could do configure exclusive from the SALT username on the device CLI:

SALT> configure exclusive
warning: uncommitted changes will be discarded on exit
Entering configuration mode

{master}[edit]
SALT#

I can run other modules fine, but it's state.apply specifically that is giving me issues, so connection to the device isn't an issue.
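An added example covering both Salt posts above (it is not code from either post, nor from Salt itself). The KeyError for 'junos.conn' in the first post is what a junos.* execution function raises when the junos proxy module that provides junos.conn was never loaded, and the "NAPALM is not installed or not running in a (proxy) minion" message in the second is netconfig's __virtual__ refusing to load because the running proxy is not the napalm one. Both come down to the proxytype in the proxy pillar not matching the module family being called. The checker below parses the flat proxy: mapping shown in the posts (deliberately without PyYAML, so it runs stand-alone) and reports such mismatches. It assumes that junos.* needs proxytype junos and net.*/netconfig.* need proxytype napalm, and that either password or passwd is acceptable as the credential key; the sample pillars, address and password are constructed.

```python
"""Check a Salt proxy-minion pillar against the module families a state or
command uses. Added example, not code from the posts or from Salt itself.

Assumptions (labelled here and in the comments): junos.* execution functions
need proxytype 'junos' (they look up __proxy__['junos.conn']); net.* and
netconfig.* need proxytype 'napalm'; either 'password' or 'passwd' is
accepted as the credential key. The parser handles only the flat 'proxy:'
mapping shown in the posts, so no PyYAML is needed.
"""

# Module family -> proxytype that provides it (assumption, see module docstring).
FAMILY_PROXYTYPE = {
    "junos": "junos",       # junos.ping, junos.install_config, ...
    "net": "napalm",        # net.ping, net.arp, ...
    "netconfig": "napalm",  # netconfig.managed state / netconfig.* module
}

# Keys each proxytype needs in the pillar besides a credential (assumption).
REQUIRED_KEYS = {
    "napalm": ("driver", "host", "username"),
    "junos": ("host", "username"),
}

# Constructed sample pillars in the shape of the posted proxy-2.sls.
NAPALM_PILLAR = """\
proxy:
  proxytype: napalm
  driver: junos
  host: 192.0.2.1
  username: SALT
  password: example-only
  port: 830
"""

JUNOS_PILLAR = """\
proxy:
  proxytype: junos
  host: 192.0.2.1
  username: SALT
  password: example-only
  port: 830
"""


def parse_proxy_pillar(text):
    """Return the 'proxy:' mapping of a flat pillar snippet as a dict.

    Indentation is ignored on purpose: pasted pillars (as in the posts) often
    lose it, and the shape here is only one level deep under 'proxy:'.
    """
    pillar = {}
    in_proxy = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "proxy:":
            in_proxy = True
            continue
        if not in_proxy:
            continue
        if ":" not in line:
            raise ValueError("unparseable pillar line: %r" % raw)
        key, _, value = line.partition(":")
        pillar[key.strip()] = value.strip()
    if not pillar:
        raise ValueError("no 'proxy:' mapping found")
    return pillar


def check_proxy_pillar(pillar, functions):
    """Return findings (strings) for a parsed pillar and the functions used.

    An empty list means every function's module family is served by the
    configured proxytype and the required keys are present.
    """
    findings = []
    proxytype = pillar.get("proxytype")
    if proxytype not in REQUIRED_KEYS:
        return ["unknown or missing proxytype: %r" % proxytype]
    for key in REQUIRED_KEYS[proxytype]:
        if key not in pillar:
            findings.append("proxytype %s requires pillar key %r" % (proxytype, key))
    if "password" not in pillar and "passwd" not in pillar:
        findings.append("no password/passwd key: the proxy cannot authenticate")
    for func in functions:
        family = func.split(".", 1)[0]
        needed = FAMILY_PROXYTYPE.get(family)
        if needed is not None and needed != proxytype:
            findings.append("%s needs proxytype %r but pillar has %r"
                            % (func, needed, proxytype))
    return findings


if __name__ == "__main__":
    for label, text in (("napalm", NAPALM_PILLAR), ("junos", JUNOS_PILLAR)):
        pillar = parse_proxy_pillar(text)
        for func in ("junos.ping", "netconfig.managed"):
            print(label, func, check_proxy_pillar(pillar, [func]) or "ok")
```

Run it against the real proxy-2.sls before restarting the proxy minion: with the napalm pillar, junos.ping is reported as needing proxytype junos; with the junos pillar, netconfig.managed is reported as needing napalm. Pick one proxytype per proxy minion and use only that family's modules in its states.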



Any advice for getting into Wireless Networking?

I have a CCNP R/S and a couple years NOC experience. I think I'd like to specialize in Wireless installations, configuration and support. Is the Cisco route the way to go or should I focus on another vendor? Should I look to do the vendor agnostic CWNA cert or something vendor specific?



Packet loss / Latency changing

I was just wondering if there's a way to simulate packet loss or latency to get a higher ping using firewall methods, so it can be toggled?

Also, I can't use any software because of detection of "lag switching".



Help me brainstorm some ideas for a network design

I have been tasked to redesign a network that uses three metro Ethernet circuits (10Gb each) to the ISP; it was configured with a bridge-domain to bundle up bandwidth and redundancy. Recently we found out the ISP was having an issue keeping up with the MACs from three interfaces because they didn't want to match the configuration on the ASR, so they don't want the BDI virtual MAC in their network anymore. I was tasked to figure out how we can use the three interfaces for bandwidth and redundancy. The network is running OSPF. Any idea how I can achieve this?



"Un-manage" a managed switch?

This is really more of a curiosity question that something practical, but if you wanted a Cisco switch to act like an unmanaged switch, is there a list of commands you'd have to use to make it work? Off the top of my head, I can think of disabling Spanning-Tree, CDP, and LLDP, but how would you make it pass traffic from any VLAN the way that an unmanaged switch would? Or would you hard-code trunking on with no negotiation?



Ansible for automation - rant post

Just wanted to see if I'm the only frustrated engineer in the crowd...

Our environment is rather large, mostly Cisco - that includes switches/routers in datacenter/WAN/LAN. Recently we've been trying to have our "devops transformation" (fill in whatever buzzword you see fit), and started using ZTP and Ansible for automation in the datacenter environment (a rather new Cisco deployment - vPC, EVPN, lots of BGP etc.)

Rant is: Ansible integration seems really frustrating and buggy. Just off the top of my head:

  1. Nexus switches (N9K Gen 1 & Gen 3) - NXAPI gets stuck, sometimes returns errors, isn't reliable enough (I'm sick of running playbooks twice just for the sake of being sure!)
  2. Cisco's Ansible support - some of the modules simply don't work with new versions (9.2.2), some of the functions are not even in a well-built module so we use nxos_config (basically SSH to the device and pour on the config)
  3. Length! My Lord, what is it with Ansible that turns every 4 lines of BGP config into a 100-line playbook (not to mention the directories, host_vars, inventory to manage etc.)?
  4. Ansible can't handle logic at all. If you want to deploy, for example, a few pairs of ToR switches and every one of them has a management IP that's derived from the rack number - you can't even do that math normally (and resort to creating a huge number of variables per switch, not even talking about subnets, loopbacks, BGP ASN, OSPF process IDs etc.).

Seriously considering moving to NAPALM, eNMS, or trying some NETCONF/YANG stuff with Python. Any other suggestions that aren't Ansible?



High Deny inbound traffic from firewall devices, is it bad?

So my work basically is to monitor network traffic for a client, who pushes their devices' logs to us. Occasionally there will be an active external host performing a network scan, resulting in about a million occurrences within just an hour. But all of them are denied traffic. Upon checking the external IP in the AbuseIPDB database there are some records of it.

I'm wondering, does denied traffic harm the network/devices? Is it worth contacting the client about a possible intrusion attempt, even though the firewall already blocked the traffic? How high could the threshold be before the network breaks?



Need help interpreting this pingplotter

I have been having packet loss and lag while online gaming and I am trying to figure out the culprit. I have a wired connection to the router. Is this issue caused by me or the ISP?

https://share.pingplotter.com/jnJSoHaALqi



House with built in Ethernet ports, half of the ports are not working

There are 12 ports in this house; my electrician patched all those ports and I've bought a 24-port PoE switch and connected everything up, but only about half of the RJ45 jacks are working. I've connected every patched port from the patch panel to the switch and they're still not working: some are, some aren't!

What can it be? It seems like everything’s correct

My router is in the basement, next to the switch and the patch panel

The connection goes Router -> Switch -> Patchpanel -> Wall jack

Thanks in advance



What are PTR records actually useful for and would one make PTR records for hosts using private IP addresses?

I was reading up about PTR records, as I was unsure what the point of them was, and came across this site, where there is an example with records made for hosts with private IP addresses.

I'm assuming that CloudDNS know more about networking than I do, so this is something that is done for some reason.

https://www.cloudns.net/wiki/article/40/

So, what are PTR records used for? Are they for authenticating the email delivery source, like SPF and DKIM records?

Why does the example on this page have PTR records for hosts with private IP addresses pointing to x.0.168.192.in-addr.arpa?
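An added example, not from the post or the linked cloudns.net article, showing where the x.0.168.192.in-addr.arpa names come from and what a PTR record is checked against in practice. The reverse name is the address with its octets reversed under in-addr.arpa (nibbles under ip6.arpa for IPv6), and the check mail receivers apply to a connecting host is forward-confirmed reverse DNS: PTR(ip) must name a host whose A record is that ip. Records for private space are only resolvable by an internal resolver that serves the 0.168.192.in-addr.arpa zone, which is the situation the article's example describes. The hostnames and addresses below are constructed.

```python
"""PTR record helpers: reverse names, reverse zones and forward-confirmed
reverse DNS. Added example, not from the post or the linked article; the
hostnames and addresses are constructed."""
import ipaddress

# Constructed forward (A) records for a private /24, the situation in the
# linked article's example.
FORWARD_A = {
    "fileserver.example.internal.": "192.168.0.10",
    "printer.example.internal.": "192.168.0.20",
}


def ptr_name(ip):
    """Owner name of the PTR record for an address.

    The octets are reversed, so 192.168.0.10 lives at
    10.0.168.192.in-addr.arpa: that is why the article's records sit under
    x.0.168.192.in-addr.arpa. IPv6 gets the nibble form under ip6.arpa.
    """
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_zone_origin(network):
    """Origin of the reverse zone for a /8, /16 or /24 IPv4 network."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned IPv4 reverse zones handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_records(forward):
    """Build PTR records (owner -> target hostname) from A records."""
    return {ptr_name(ip): name for name, ip in forward.items()}


def fcrdns_ok(ip, claimed_name, forward, ptrs):
    """Forward-confirmed reverse DNS, the check mail receivers apply to a
    connecting host: PTR(ip) must name a host whose A record is ip, and it
    must be the name the host claims (e.g. in EHLO)."""
    target = ptrs.get(ptr_name(ip))
    if target is None or target != claimed_name:
        return False
    return forward.get(target) == ip


if __name__ == "__main__":
    ptrs = ptr_records(FORWARD_A)
    print("$ORIGIN", reverse_zone_origin("192.168.0.0/24") + ".")
    for owner, target in sorted(ptrs.items()):
        print(owner + ".", "IN PTR", target)
    print(fcrdns_ok("192.168.0.10", "fileserver.example.internal.", FORWARD_A, ptrs))
```

The same functions work for public space; the only difference is who serves the reverse zone (for public addresses, whoever holds the allocation delegates it).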



Keep layer 2 or move to layer 3? Need an outsider perspective.

Long post, sorry.

I have 3 sites, adding a 4th soon for disaster recovery. 2 of the sites have computers, phones, etc. The other 2 sites are data centers. The main site and the satellite site are connected to the data center. Anyway, for now I'd like to worry more about the main site, and I can replicate that to the satellite site as it's a lot smaller.

The main site is connected to the data center with two 10 gig dark fiber connections and a 1 gig peer-to-peer. 99% of the things we do are layer 2. The main site has 14 switches in somewhat of a star topology with a "core" switch having routes to the firewall, then out in the data center. Everything at the main site goes through the core switch out to the data center.

So, the only failover on the core switch is manually done by shutting down the 10 gig ports and turning on the 1 gig. I'd like it to be more automated (routed). But my boss would like me to do research on whether layer 3 would actually be beneficial to us. Would just like some options on leaving it or would layer 3 be the next step?



Labelling ports

Having to label ports in a building where the last tenants left everything as the default printer 1-24 in the patch bays with no map.

There are 3 floors, so thinking of labelling the ports B1 (basement 1), G1 (ground 1), F1 (first 1), S1 (second 1).

The building is only the 4 floors so I can't see any issues with that in the future, and may make ports a bit easier to find in the rack.

I've not dealt with a multi-floor networking setup before. Is this the best way to go about it? Any other suggestions?



Best way to connect Arista switches with QSFP+ ports with each other, and with SFP+ servers?

We have a mixture of Arista switches with QSFP+ ports, and servers with SFP+ ports:

  • Arista 7050TX-64 - with 4 x QSFP+ ports
  • Arista 7150S-64 - has 4 x QSFP+ ports
  • Arista 7150S-24 - no QSFP+ ports, but has SFP+ ports
  • Servers with Mellanox ConnectX-3 cards, and SFP+ optics (10GBASE-LR, SFP+, 1310nm)

We have bundles of OS2 duplex fiber optic cable running between the switches (although apparently I should have used multi-core MTP/MPO instead).

We have also bought LC-LC UPC Duplex OS2 patch leads.

For the QSFP+ ports - I have Mellanox QSFP+ to SFP+ adapters - however, according to here I should be using 40Gbps optics and breakouts instead.

My question is:

  1. What's the best way of connecting up the switches (QSFP+ to QSFP+ and QSFP+ to SFP+)?
  2. What's the best way of connecting up switches to servers? (i.e. which optic and breakout cables exactly should I be using?)

For example, I saw there's this optic for pretty cheap - however, it's 40GBASE-SR4. I assume it won't work with my existing 10GBASE-LR optics at the other end in servers? So should I be getting this optic instead? (Pretty big price increase).

Then for the breakout cable - is something like this breakout cable what I want?

Or if anybody knows a better way?



Do you know the PJON protocol?



Smallest UPS?

What is the smallest UPS available to just provide continuity to a single switch and router? Not hours and hours of runtime.



COAX/RG6 Balun CAT6

Hi All - Saw a few posts similar to my situation so thought I’d ask about Baluns. Had never heard of them until now. Here’s my proposed setup - will the routing here deliver the OTA HD content to the TV? One of my RG6 runs is busted so hoping to leverage an existing CAT6 run to make up for it.

OTA HD Antenna>RG6>Splitter>RG6>Splitter>Balun>CAT6>Balun>TV

Link to Balun

Runs aren’t long and splitters are two way. May buy an in-line amp if necessary.



Alternative to Ubiquiti mFI-THS Temperature Sensor

I am looking for something similar to the Ubiquiti mFI-THS Temperature Sensor. I understand Ubiquiti has discontinued that product line.

What I want: a cheap sensor (temp and humidity) that helps me log data using the existing Ethernet cabling in a house. I prefer not to use WiFi or batteries. I don't mind if I need some additional central device to manage/query the sensors.



Switch timeout EAP, but send access-accept to client

Hi,

I got a strange issue at a customer location and would like the opinion of the 802.1x wizards.

For several months now, we have found some computers taking more than 30s to authenticate via EAP on 802.1x-enabled wired ports.

The issue arises after the computer boots.

Only one customer site is impacted. Other sites never had the issue.

All of the computers are installed from the same Windows image.

All of the switches of all locations are the same hardware, using the same software release and using the same configuration template.

If you take one of the computers from this specific site to another site, you won't be able to trigger the issue.

If you take one of the computers from another site to this specific site, you will trigger the issue after some tries.

From PCAP, we found that the delay is caused by the client, not the Radius server.

From EAPHost Windows events, we confirmed the client was taking an average of 50s to authenticate.

We have not yet been able to find a reason why their Windows behaves like this.

I'm waiting for the customer to enable debug and analytics logs on EAP events to troubleshoot this further.

  1. So 802.1x Windows wizards, please let me know if you have an idea why Windows behaves like this.

As 30s is the default supplicant timeout configured in ALE OmniSwitch, the switches time out the client authentication and consider it failed.

But when they finally get an answer from the RADIUS server (which is an Access-Accept most of the time), they relay it to the client.

The client receives the Access-Accept, thinks it's authenticated and doesn't know the switch considers the authentication timed out.

The client then won't try to authenticate and is stuck unauthenticated in the guest VLAN...

We think the switch doesn't do its job here, as it should tell the client something went wrong.

We searched across RFCs to find out how the switch is supposed to behave regarding supplicant timeout, but didn't find anything.

  2. So 802.1x RFC wizards, do you also think the switch isn't doing its job here?

  3. Can you point me to an RFC or resource to show to ALE support so I can request a behavior change in the software?

Thanks for reading.

PS: Yeah, I know I can change the supplicant timeout value. But I'm interested in fixing things, not working around it.



extreme vs cisco

Hi all!

I need to replace old Cisco 3560G switches.

I have got prices for Cat 9200L and extreme networks X440G2.

Extreme is much cheaper compared to Cisco, but are they good? Is stacking as stable as Catalyst?

I know Extreme support sucks compared to Cisco TAC, but for access switches I don't care.



About to setup my first server cabinet

I am about to setup my first server rack for my job, it will be simple to start off but we plan to add more later. It's a 18U wall mounted rack and I'll be installing a switch, patch panel, and UPS, I am hoping to add a NAS later on or if there is anything you guys can recommend, I can look into that too. I've never set up a rack on my own before and wanted to see if this sub had any advice for me, thanks!



Friday, January 25, 2019

Building a Firewall for a Deployed System?

Hi all,

I have an approach I would like feedback on for building a firewall for a system that is already deployed (i.e., multiple servers running in the field with no firewall whatsoever). All of the servers in question are running Linux (RHEL 6 to be exact).

My thought process is to run netstat on each of the servers and look for listening ports (netstat -lnp | grep $pid for each pid I know I care about), and then just add each port to the iptables configuration (using system-config-firewall-tui). The /etc/sysconfig/iptables file would then be saved and controlled for the next deployed system.

I’m sure there are holes in my plan, but does anyone have any suggestions for making this work? Do I need to include any ports other than the listening ports on each server? Is netstat sufficient for finding these ports or do I need to use another tool (e.g., wireshark)?

Thanks for any help!

Edit: after some research, I also plan on using nmap and potentially lsof to find ports in use
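An added example, not the poster's own script, that turns the approach in the post into something reviewable: parse netstat -lnp output, drop sockets bound only to loopback (they are unreachable from the network and covered by the lo rule anyway), collapse IPv4 and IPv6 listeners of one service into one rule, and emit iptables-restore format like /etc/sysconfig/iptables, with an optional per-port source restriction. It assumes the RHEL 6 netstat column layout of the constructed sample below. It parses every listener rather than only the PIDs the poster already knows about, so unexpected services show up in the list to be reviewed rather than being left out silently. Two caveats a snapshot of listening sockets cannot address: services that were not running at the time are missing, and nothing here says which of the open ports should be reachable from where; that is what the source-restriction map is for, and it has to come from knowledge of the deployment. On RHEL 6 IPv6 is filtered separately by ip6tables, so the IPv6 listeners need their own rule set.

```python
"""Generate an iptables INPUT allow-list from 'netstat -lnp' output.

Added example, not the poster's script. Assumptions: the RHEL 6 netstat
column layout in the constructed sample below; sockets bound only to
loopback need no INPUT rule; everything else listening gets a rule, with an
optional source restriction per port. The result is iptables-restore format,
the same as /etc/sysconfig/iptables. Review it before loading: a snapshot of
listening sockets misses services that were not running at the time, and it
cannot tell you which open ports should be reachable from where.
"""

# Constructed sample of 'netstat -lnp' (not captured from the poster's hosts).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1204/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1388/master
tcp        0      0 0.0.0.0:8443                0.0.0.0:*                   LISTEN      2101/java
tcp        0      0 :::22                       :::*                        LISTEN      1204/sshd
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               1150/ntpd
udp        0      0 127.0.0.1:323               0.0.0.0:*                               1151/chronyd
"""

LOOPBACK_PREFIXES = ("127.", "::1")


def listening_sockets(netstat_output):
    """Yield (proto, bind_address, port, program) per listening socket line."""
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        addr, _, port = parts[3].rpartition(":")  # handles ':::22' too
        program = parts[-1].partition("/")[2] or "unknown"
        yield parts[0].rstrip("6"), addr, int(port), program


def iptables_rules(netstat_output, allow_sources=None):
    """Return iptables-restore lines: default DROP, plus one NEW-connection
    accept per non-loopback listening port. allow_sources maps a port to a
    source CIDR to restrict it (e.g. SSH to the management network)."""
    allow_sources = allow_sources or {}
    rules = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT",
    ]
    seen = set()
    for proto, addr, port, program in listening_sockets(netstat_output):
        if addr.startswith(LOOPBACK_PREFIXES):
            continue  # reachable only from the host itself; the 'lo' rule covers it
        if (proto, port) in seen:
            continue  # IPv4 and IPv6 listeners of one service share a rule
        seen.add((proto, port))
        src = " -s %s" % allow_sources[port] if port in allow_sources else ""
        rules.append(
            "-A INPUT -m state --state NEW -m %s -p %s%s --dport %d "
            "-m comment --comment %s -j ACCEPT" % (proto, proto, src, port, program)
        )
    rules.append("COMMIT")
    return rules


if __name__ == "__main__":
    print("\n".join(iptables_rules(SAMPLE_NETSTAT, {22: "10.0.0.0/8"})))
```

Feed it the real output with something like netstat -lnp > listeners.txt on each server, diff the generated files between servers of the same role (a port that appears on only one of them is worth a question), and load the reviewed result with iptables-restore.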



New network admin. What are the forums and websites you follow to keep up with tech and get/give help?

I’m looking to add a few to my reading rotation.



I don't know how to find the correct modem.

I hope this is a good place to ask this question.

I am a student who is looking to set up a network in my home. I would like to replace the CenturyLink router/modem/switch combo that I currently have.

The internet that I am paying for is fiber-optic from CenturyLink; however, from what I can tell, the line that plugs into the current router is a DSL line. So my assumption is that the fiber-optic ends at the street and then switches to a DSL line running up to the house. Is this probably a correct assumption?

I have already purchased a stand-alone router and switch that I plan on using, from Ubiquiti. I need to find a modem to take the DSL line from CenturyLink and convert it to Ethernet to plug into the router.

My main question is what do I need to look for in a stand alone modem? I would like one that has the most up to date hardware that I can get. I have shopped around and I see a lot of modem/router/wifi combos. But since I plan on doing routing and wifi separately, these don't seem to fit into my network right.

From what I can see, DOCSIS 3.1 is the fastest I can get. Is this correct and is there any other things I need to be aware of?

I appreciate any help. Thanks.



Network-connected temperature sensors

Hi Geeks, can anyone recommend some quality low-cost products with built-in 24-hour temperature monitoring? We need to place several sensors in a building and monitor them remotely, ideally with SNMP. We have access to PoE throughout the building, but wireless (plus an injector) would also be a good option. A web interface is not important as we can send the data to an existing system; we just need to reliably collect it without a big outlay for this requirement.



Freeradius + WPA2 Enterprise crypt-password question

Hi all,

I currently have a freeradius system setup and properly authenticating against WPA2 Enterprise. My problem is that the passwords stored in the mysql DB are all clear-text (never good).

Does anyone have any resources to show how to make it work with crypt-password? By default radtest will work on the radius box no problem with crypt-password users, but if I try to sign onto the wifi with a user that has a crypt-password it will always fail. I'm sure there is something I need to do differently, just not sure what and it seems the examples I find are centered more around just basically getting it up with the default clear-text.



Port forwarding on Cisco

Hi,

Trying to forward a port. When I try and run ip nat inside source static tcp 192.168.1.10 3389 interface fastethernet8 3389 it gives me an error at the word NAT. Any ideas?

Edit: 3389 was an example!! I’m not dumb don’t worry! I’m actually trying to port forward a VPN :)



Someone just sent a UDP packet on port 9 to the government

I'll see myself out



What are the biggest cybersecurity challenges in SMEs?

Since networking is so entwined in cybersecurity I thought this could be a good place to ask. I was wondering what are some of the most pressing challenges in cybersecurity for smaller and medium size businesses? This is particularly interesting to me since SMEs may not be aware of all the cyberthreats out there and may not be prepared at all, it could be also that they are not knowledgeable enough to care.



PacketFence, Active Directory, Realms, Usernames, Authentication Sources...pulling my hair out.

I'm playing with PacketFence and Active Directory...and I have some significant knowledge gaps that I'm trying to fill.

I'm trying to understand the relationship between PF, AD, FreeRADIUS "Realms", Usernames (to strip or not to strip and why?), domain join vs. authentication sources.

I have so many questions that I can't seem to find concrete answers on in the PacketFence documentation.

  1. What exactly is a "realm" in terms that an AD administrator can understand? Is a realm equivalent to a "domain" or "workgroup?" Why would I use them over the "DEFAULT" and "NULL" domains?
  2. What exactly is accomplished by linking a Realm to an Active Directory Domain (NTLM Configuration)?
  3. What is accomplished by linking a 'AD' internal source to an 'associated realm'? So Authentication sources are linked to realms and realms are linked to domains?
  4. What is accomplished by username stripping? When would I strip and why?


[sysadmin] DNS Flag Day on February 1, 2019: check your domains

http://bit.ly/2SbbVOs

Single host destination unreachable

I have a lone user with connectivity issues. We have a Meraki MX firewall providing client VPN access. Said user connects and has issues with RDP to one server. Anything else is reachable.

When pinging from the server to the client I get destination host unreachable, but can ping other machines connected to the VPN. It is my understanding that host unreachable is an issue at the gateway, but packet captures show no traffic generated from the server.

I went so far as to add a route in the server for this host with no success.

Any ideas?



Extend MPLS over VPLS?

We have a couple of racks in data centres around the UK and Europe connected via P2P links, running MPLS L3VPN across our core network.

Due to a company merger we also have a number of racks in the USA, Hong Kong and Australia that we want to connect back to each other.

The other company, pre-merger, had a number of P2Ps linking these up, but the cost was extortionate and they suffered numerous outages (unprotected).

The plan is to get all our DCs connected up. Our current thinking is to source a VPLS from a third party, and then emulate point-to-point links by tagging subinterfaces, i.e. USA to London VLAN 10, London to Sydney VLAN 20.

Does that sound workable so far, or are there better solutions?

We would also want to extend our MPLS to the previous company's DCs, giving us the ability to carry customer, and our own, VRFs across the emulated point-to-points via the provider's VPLS.

Is this possible or should we be looking at a different design/solution?

here's a rough and ready implementation idea we have in mind:

https://i.postimg.cc/zfQcC055/image.png



East coast RCN outage?

Anyone else experiencing RCN outage in NYC?

Seeing BGP flapping, I shut down the link.



Setting Optic Port Speed from 10g to 1g on Juniper ex4300

Hello all.

I'm not real familiar with Junipers and I'm running into an issue. I have a Juniper EX4300 and a 4-port 10G module (xe-0/1/0 through 0/1/3). I inserted an optic in the port and I'm trying to set the speed to 1G but I'm unable to. Could be an optic issue, and I'm trying to get another one to test, but just wanted to know if anyone has experience with these boxes?

For example, I know with the 4200's, port 1 and 3 are 10g hard coded and cannot be changed, but ports 2 and 4 can be changed. Not sure if there's something similar with the 4300's and I can't find anything in the KB's. Any help would be appreciated.



Removing CounterAct from Environment

I have been tasked with sunsetting CounterAct and they don't have a lot of documentation around removing it. Has anyone gone through this experience? Really looking for caveats as we bring the appliances down and any best practices or "gotcha's" that you ran into.

Thanks!!



Interview presentation on the topic of 'The benefits of SDN in the SDDC'

Hey /r/networking,

I'm currently interviewing for a position and part of the hiring process is to present to the panel on the topic of 'The benefits of SDN in the SDDC'. I've already started white boarding some ideas, however so far I've mainly been focusing on the technical benefits such as E/W routing, stretched L2/VPN, hybrid cloud extension and micro segmentation. I also have plans to address some business advantages such as automation and cost savings due to not having task-specific hardware devices.

I'm really looking for some input from the community for pointers on topics, resources I can consume, and really any assistance or guidance you can provide, please.

The audience are Sales Engineers, Account Executives and their tech-savvy Managers. I have 20 minutes maximum, and it's vendor agnostic.

Thank you in advance for any input you can provide.



Rapid-pvst on a Dell EMC networking S4100 series switch working with rapid pvst on a Cisco switch

I have to connect a Dell switch to our Cisco 6880-X-LE switch but I am confused about STP in this case.

Our cisco has spanning-tree mode rapid-pvst configured.

On the Dell I can also choose spanning-tree mode rapid-pvst! Does this mean it is fully compatible?

When I search the internet, I find a lot about having to use MST in this case (connecting a dell to a cisco) and I can hardly find anything on rapid-pvst on Dell. Is it something new? Are they sneakily different kinds of rapid-pvst?



Extending a cat6 cable with a cat5e coupler?

I have 2 cat6 cables I want to join and was wondering if I can use a cat5e coupler and if so would I have any signal degradation?



2960 SFP ports dropping

I've got three 2960's that are dropping their connections. Two of the switches connect back to the other with copper gbics. I replaced the four gbics yesterday, just to get it out the way. It is only dropping those 2 sfps (copper), the uplink back to the main closet, which is fiber, stays up fine. Both of the SFP's are setup as trunk ports, with almost the same config on all three switches. From the logs, it appears to disconnect both ports 50 and 51 every hour, almost the exact time (off by 3-10 seconds).

I'm wondering if it may have something to do with the software version, 15.2(2a)E1.



OID for Configured Duplex, Not Current Connected Duplex State

Hello everyone. I have some Cisco 2960s and I am trying to find the specific OID for an SNMP walk to pull the configured duplex, not the state of the connection. On the switch CLI I would run show int gi0/0 status. But I am making a script to pull the configured duplex across a few switches for testing. I have googled the heck out of this and looked through many an OID tree trying to find the right one. The closest I got was an OID that returned a result only if something was connected, and the unconnected ports were unknown.

Thanks for your help!



Inventory

How do you maintain a hardware inventory for all of your equipment? Looking for examples to improve how we manage our assets?



Calculating band width cap for hotel guest network

Hi all,

I am much more into phone and POS work than I am networking, so I'm hoping you could help me with a quick network question.

Client is a 118-room hotel, averages 80% occupancy. They had been receiving a lot of negative guest reviews and complaints about poor wifi speed, so they upgraded to a 250/250 Mbps fiber circuit. The managed wifi provider previously had a cap set on the guest network per-device speed of 5 Up/5 Down, but I was able to get them to go to 15/15 on the new circuit.

My question:

How do you calculate what an appropriate speed cap is on a guest wifi network? Is there some sort of calculation about number of users/incoming bandwidth?

Bonus question: Based on the circuit speed & number of rooms, do you think we could go higher than 15 up/15 down speed cap on the guest network?

I appreciate any insight you can provide. Management wants guests to have the best wifi possible, and I'm trying to help with that. I've done TONS of googling, but can't seem to figure out how to word this question in a way that gets me an answer. I've also asked the managed wifi provider, but not much luck there.

Thank you!



How are companies connected to an ISP? Honest Question :(

This is an honest question. At home, we are connected with a wall outlet, where TV, Internet, and telephony get split into different cables. The coaxial cable for the Internet goes into the modem, which we received from the ISP. I guess that is pretty straight forward.

Let's say a company uses a Palo Alto. What type of cable, connector or device is needed to connect the company edge device to the ISP?

I feel really dumb, and after 4 years of college it was never explained to me. I feel like this is the only place where I am able to ask such questions and get honest answers. Hopefully, you can help me because at the moment I feel really insecure and I need to know this before I land a job in this business. Thanks in advance <3

Edit: I am thankful for everyone (private) messaging me! I got some further research to do now but this helped me a ton <3



Hosting provider

Does anyone here work at hosting provider?

Do you have any tips and what to expect for someone trying to get into this environment?

Technology that we should know about?



Arista veos inaccessible via ssh

I am new to Arista and have just begun to learn Python network programming. In order to set up the local lab environment I installed the Arista VM in Oracle VM with the Microsoft KM Test loopback adapter as a bridged adapter. The same Microsoft KM Test loopback adapter is installed/enabled on my local desktop also.

I am able to ping the arista VM but I can not ssh to that machine.

The output of 'show management ssh' shows it's enabled in the VM. Could someone help here?



Moving from HP to Cisco, delivery just arrived.

Edit: Correct link: https://i.imgur.com/E6qCTZV.jpg The one below is our Meraki deployment from last year.

https://i.imgur.com/12PpNKY.jpg

That's 25x 2960X-LPD-L's with stacking modules, stacking cables, and SFP+ modules to go with. We've also got our core switches being delivered soon.

Never seen a pallet of networking gear before, it's super exciting. Now I just need to work on a migration strategy that results in the fewest number of hours worked past 5pm



For a class, I need to create a theoretical web server, a dns server, database server and remote backup solution for a cloud web service for my “company” and secure these systems.

All we’ve been asked was:

“how would you design this cloud-based network”

“how would you secure it?”

“what type of resources would you need in addition to the above mentioned system?”

—————————————————-

So I’m looking for some resources to point me in the right direction of wrapping my head around this...I’m somewhat of a visual learner so I’ve been looking for images that conceptualize this (or something close to it)

We’re using Azure for a couple of assignments so I thought that I would use some cloud service like Azure, AWS, Google Cloud Platform, etc. in my design.

I would use separate virtual machines for the web server and DNS server.

I would put firewalls in front of each.
Only allowing port 443 for the web server and only allowing UDP 53 for the DNS.

Do I want a VPN for the web server and DNS server?

I’m not familiar with database servers so I don’t have a clue about how to secure it.

Would I want to backup to my company’s or backup to another cloud solution?

And how do I make sure the backup is secure in transit? VPN?

Despite this being a 2 week course, I’d really like to figure this out so I have a better understanding of how networks work with respect to the above mentioned services.



Thursday, January 24, 2019

RSSI to Distance Calculation

So for a project of mine, I’m required to calculate the distance, in meters, of a device (phone) from an access point using the RSS (Received Signal Strength) value, in dBm, obtained.

I’ve done days of research and all of the formulae I come across require RSS to be in dB not dBm and since there is no correlation between the two conversion is out of the question.

I’m wondering if there’s any other way to go about this. Is there any other way to calculate the distance using RSS?

Please help. Any and all help is welcomed and thanked.
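The usual way to turn a received power into a distance is the log-distance path-loss model, which works on the difference between two dBm values (that difference is the path loss in dB). The following is an added example, not from the original post; the 1 m reference level and the calibration readings are constructed, and a real deployment would measure both on site.

```python
"""Distance from RSSI with the log-distance path-loss model (added example).

Model: RSSI(d) = RSSI_1m - 10 * n * log10(d / 1 m)
RSSI_1m is the strength measured 1 m from the access point (dBm) and n is
the path-loss exponent. Both inputs are in dBm; their difference is the
path loss in dB that the model works with. Calibration values below are
constructed for this example, not measured.
"""
import math
from statistics import median


def distance_from_rssi(rssi_dbm, rssi_1m_dbm=-40.0, n=3.0):
    """Estimated distance in metres for one RSSI sample.

    rssi_1m_dbm and n should come from calibrate_exponent() for the site;
    the defaults (-40 dBm at 1 m, n = 3) are only illustrative.
    """
    if n <= 0:
        raise ValueError("path-loss exponent must be positive")
    loss_db = rssi_1m_dbm - rssi_dbm          # dBm - dBm = dB
    return 10 ** (loss_db / (10 * n))


def calibrate_exponent(samples, rssi_1m_dbm):
    """Least-squares fit of n from (distance_m, rssi_dbm) pairs taken at
    known distances on site. With x = 10*log10(d) and y = path loss in dB,
    the model is y = n*x, so n = sum(x*y) / sum(x*x)."""
    sxy = sxx = 0.0
    for dist_m, rssi_dbm in samples:
        if dist_m <= 0:
            raise ValueError("distance must be positive")
        x = 10 * math.log10(dist_m)
        y = rssi_1m_dbm - rssi_dbm
        sxy += x * y
        sxx += x * x
    if sxx == 0:
        raise ValueError("need at least one sample farther than 1 m")
    return sxy / sxx


def smooth_rssi(window):
    """Median of recent samples: a single RSSI reading swings by several dB
    from multipath, so feed the median into distance_from_rssi()."""
    if not window:
        raise ValueError("empty window")
    return median(window)


if __name__ == "__main__":
    # Constructed readings: RSSI seen at 2, 4 and 8 m during a walk test.
    calibration = [(2.0, -47.5), (4.0, -55.1), (8.0, -62.6)]
    n_fit = calibrate_exponent(calibration, rssi_1m_dbm=-40.0)
    live = [-65, -66, -90, -64, -65]   # one multipath dropout in the window
    print(f"n = {n_fit:.2f}, distance ~ "
          f"{distance_from_rssi(smooth_rssi(live), -40.0, n_fit):.1f} m")
```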



Brocade / Foundry Networks Fastiron Edge FESX424-POE-PREM as Simple Switch

I picked up a FESX424-POE-PREM for my home lab since it was a great price (free).

I'm trying to configure it to be a simple switch for now to power a bunch of poe devices I have and remove the injectors. I haven't done anything with Brocade devices before and I have tried finding documentation for how to do it but nothing seems to work.

Does anyone know how I can make it be a simple "dumb" switch? Just want all the ports on the same network with an uplink to the router. Also, if anyone knows where I could find the latest OS updates, please let me know.

Thanks in advance.



I know literally NOTHING about networking

I am a complete and UTTER noob. I have worked with computers my whole life and somehow never picked up anything about networking. I know my IP should be kept hidden, I guess? But I don't know why. I think the most I did was I port forwarded like 4 years ago to play Minecraft with somebody. I used a step by step tutorial for that. Didn't learn a thing really.

But I want to learn, very bad. Unfortunately I would have to be treated like a kindergartener, essentially, because I know literally nothing.

Where can I start?



Best practices for handing public IP space to customers?

What is the best practice for handing customers space on public networks? Historically, we have provided a single public IP on a public /24 VLAN while running VRRP on the gateway routers. To maximize security, I believe we should be handing out /29s on their own VLAN. However, VRRP only supports 255 unique VRIDs.

Question: With hundreds of customers needing public IPs, how should we support redundant gateways efficiently while also maintaining L2 security?



NFS and hard links

Here's my setup. I have a Windows 10 PC sharing files through the NFS protocol. I'm using haneWIN to do this.

Some of my files are hard linked files. One link in the shared folder and another in a separate downloads folder on the same drive.

I'm using Sonarr to manage my torrent downloads. Once my files finish downloading, Sonarr creates a hard link of the file in the appropriate folder, with the appropriate file name. The original file stays in the downloads folder to be seeded. So two "files", but they share the same cluster on the hard drive, therefore only taking up the space of one file.

I'm trying to access these files to play on Kodi. All files work except the hard linked files. These same hard linked files work through a samba share.

Do hard linked files and NFS get along? Is there any setting I could change in haneWIN to get this to work?



Power over Ethernet Connection to Elevator

My condominium is looking at installing PoE surveillance cameras at a number of locations including the elevators. Is anyone familiar with specialty equipment to allow PoE wiring to connect to a moving elevator car?



DDOS your own company

I work for a company and we pay for a DDOS scrubbing center service. We have tested it in the past by having them advertise a small subnet from our public address space, and then we verify traffic is going through their scrubbing center. We have recently been asked by our Info security office to DDOS ourselves to prove the scrubbing center will work as advertised in a real attack.

Has anyone been asked to do this? Do any companies offer this as a service? If someone would offer this, couldn't this affect an ISP's other customers by possibly spiking some links in the ISP network?

I don't see a way to do this ourselves, as we would need enough bandwidth over the internet to max out my company's connectivity.



Route OpenVPN traffic to a proxy? (iptables magic needed??)

Hello all, I have an OpenVPN server running on a VPS with an OpenVPN client running on my router on my home network. I'm trying to route my clients' traffic over a proxy after it reaches the OpenVPN server so my VPS IP is not exposed. Can this be done with iptables? I've tried a few steps from articles and forum posts I've read around the internet but nothing is working yet.

This is a diagram of my intended functionality: https://imgur.com/vb8vEK2

Thanks for any advice.



pcap storage in AWS S3's? Solutions that exist?

Hey r/Networking,

Was given the task to store pcap files in 15 day increments in AWS S3 for forensics, or "network time traveling"; this is a redundancy our security team wants.

Basically, I have a solution that captures all live packet-level traffic from my AWS infrastructure and would feed this "storing" solution over GRE tunnels. So I need something that terminates GRE, creates pcaps and then manages the storage.

Do you guys know of anything that does this? Or are there alternate solutions to this that I am not thinking of?

Thanks!



Is it possible for a device to mask its traffic?

I have a device that is broadcasting video over wifi. I confirmed that it is, by deauthing it and video stopped outputting. The weird thing is that when I look on Wireshark, I see no traffic to or from the device. Am I missing something, what might I be doing wrong or not checking?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.



[Suggestion] What are some good ideas for a Bachelor Diploma Thesis in the Networking field?

Just an overview: I study software engineering, and this is my last year of university.

To be honest, I don't really like the programming field, so I was thinking for my diploma thesis to work in the networking field, since I have more knowledge and more info there than in programming :P

I was thinking to go with Implementation of IPv6, the benefits, security etc., and my two other options were IoT and Cloud technology.

What do you guys think? Any other suggestions?

Any suggestion and direction would be very helpful for me :)



pfSense appliance in production? Have you used it?

Looking for a router for a single site, 1000 users (a client). We showed them Meraki (MX) and even tried it, and they really liked all the cool security features etc. They hate the cost of Meraki licensing and suggested that we look at pfSense appliances (like a real appliance from pfSense, not pfSense on random hardware). Has anyone here deployed pfSense appliances, and what was your experience with it? They want to use:

  • IDS/IPS features of the appliance
  • Mail spam filter
  • WAN load-balancing, and failover
  • VPN

It's a single site.

Thanks for your input.



Is there an SPF/RSS-like framework for distributing firewall requirements?

I support a variety of internet-based B2B products. Some have internet-based servers (with clients deployed at customer sites), others have internet-based clients (with servers deployed at customer sites).

Customers inevitably write firewall rules that whitelist the internet addresses of the public component of these applications, complicating relocation of centralized components.

Is there a standard way of publishing firewall requirements info that can feed directly into firewall processes at customer sites?

I'm imagining something like an SPF record for describing required traffic flows at L3/L4. We already publish a written-in-English firewall requirements document, of course.

Whitelisting by domain would be okay (the internet-based servers are found by DNS), but it looks like most domain whitelisting is done by HTTP inspectors, not by vanilla stateful firewalls.



Switch maintenance on enterprise networks

The company I work for now is the only global company I've ever worked for [in IT anyway], so I'm only familiar with my own company's processes etc. I'm curious how other folks in similar environments handle the struggle I'm about to discuss below.

Like everyone else we have to periodically upgrade the Nexus 5k's which handle our servers in our DC's. We'll have for example various types of servers connected [primary link] to Switch01 and the redundant [secondary] connection into Switch02.

We will fill out a form to request the business and technical approvals to do the upgrade. We'll populate a spreadsheet which outlines all of the hosts connected to these particular switches. Then we assign tasks for each server group [Windows/Linux/Unix/AS400 etc] to check their hosts and make sure both NIC connections are online. Assuming we get all the approvals AND the various teams check their servers and give us the thumbs up...we schedule the upgrade for whatever weekend.

There are inherent issues with our process as it is now. The way I get the listing of servers on any given switch is to do an interface description dump. Not very scientific. The server teams, I'm almost certain, just check to make sure both NICs are connected....what isn't necessarily being verified is whether they are connected to both switches where they should be. We found a case where a server was connected to the same switch twice.

So I'm just curious in a nutshell what tools or processes other folks are using to ensure that when they take a switch down, things will fail over to the other switch and you won't have too many issues.

One process we are actually adding is to have a failover "test" the weekend before the actual upgrade. So we would shut down a fex at a time and see if any hosts go offline or not. If they do, within seconds we'll have them back up and then we can diagnose why the issue happened.



Strange Issues with our Credit Card Terminals

Hello,

We seem to have a very strange issue happening on my network. We have two physically separated networks with a DMZ between them.

We recently put in an HA pair of Fortigate firewalls to replace 2 ASAs in an HA pair. The DMZ is between an HA pair of Fortigate firewalls and a single ASA. After switching from the original HA pair of ASAs to the Fortigates, our credit card terminals will randomly lose connection for a second and then come back online. It's just a flicker up and down notice we get. We notice most of them drop every 4 hours on the mark. Some flicker throughout the day.

There is traffic from our Fortigate side( credit card terminals) that needs to communicate over the DMZ to the single ASA side (Server). We thought maybe it was an arp related problem, but I flushed the arp tables on our core switches and firewalls.

The only thing we have rebooted are the credit card terminals. No servers or networking equipment has been rebooted other than the Fortigate HA pair.

We have 1 static route, routing the credit card terminals to the DMZ on the single ASA, and on the Fortigate we have the server subnet to the DMZ.

Subnets:

Server:10.x.x.x

Credit Card: 192.168.x.x

DMZ: 172.x.x.x

Route on the ASA

Interface: DMZ IP 192.168.x.x gateway: 172.x.x.254

Route on Fortigate

Interface: DMZ - IP: 10.x.x.x - gateway: 172.x.x.253

I know you will need more information, but I thought I would start with this and hopefully someone would be able to ask some questions to pop some ideas in my head to look at next.



VTP version 3: where to place clients (vs secondary servers)?

Once there is a "Primary Server" in a domain instance, does it matter if the remaining devices are "Secondary Servers" or "Clients"?

Please correct or add to my thinking on this.

Clients

  • Ver3 clients will maintain their VLAN database in temporary memory (DRAM).
  • On a reboot, Ver3 clients will request an update.
  • Clients can forward updates also.

Servers

  • Only one Primary Server per domain instance. It is the only device that can modify VLANs.
  • On reload, a Primary Server will come back as a Secondary Server.
  • Secondary Servers store their VTP info in permanent storage (NVRAM).

The question is, in a hub and spoke of switches (several daisy chained), where to put Secondary Servers and Clients? Just make them all servers (very small vlan database) or mostly client with some secondary servers as sort of backups?

VTP Version 3 https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/solution_guide_c78_508010.html



DMVPN hub on Azure with EIGRP?

Is it possible to implement this in Azure? I tried an initial DMVPN hub config on an evaluation-licensed CSR in Azure and then a spoke config on an on-prem 2900 router (copied from a working DMVPN cloud config) but the tunnel is failing to come up. Any gotchas in Azure that would prevent this?



Hardened Carrier Ethernet NID

Anyone using a hardened 10G Carrier Ethernet NID? I am having a difficult time finding a compact mounted unit, one that could be DIN rail mounted. We are about to evaluate a Telco Systems unit but want to find other mainstream vendors that we can evaluate. Not finding much on Google, only other one is from Accedian.



Cisco Reflexive ACL assistance

I'm currently working on an issue that may or may not be due to a mis-configuration with a Cisco 2921 Reflexive ACL not working. I would like to rule out that the Reflexive ACL is working as it should before I start looking elsewhere.

Basic topology

User subnets -> Palo Alto FW -> Cisco 2921 -> ISP

Subnet 1 NATs to 16.18.22.99/27 when routed from the FW to the Cisco 2921 (internet works)

Subnet 2 NATs to 16.18.22.105/27 when routed from the FW to the Cisco 2921 (Internet does not work)

Both subnets share the same physical connections, same firewall security rule. Only difference is the NAT rule.

Looking at the Reflexive ACL, I do see entries for the .105 IP, which tells me that Subnet 2 is correctly NATed to the Cisco router and making it outbound from the router. Correct? The return traffic never shows up on the Palo Alto network captures. So, I'm assuming that the Reflexive ACL may not be working correctly?

Here is some config info pulled from the Cisco router

Both of these ACL's are applied to the outside interface on the Cisco 2921.

Extended IP access list Inside_to_Outside

10 deny udp any any eq 3544 log (637629 matches)

20 permit ip host 25.0.0.2 9.7.43.32 0.0.0.7 log

30 permit ip 9.7.43.32 0.0.0.7 host 32.63.97.5 log

40 permit ip 9.7.43.32 0.0.0.7 host 32.63.96.5 log

50 permit ip 16.18.22.64 0.0.0.63 any reflect REFLEXIVE-ACL-LIST log (3893795435 matches)

70 deny ip any any log (64 matches)

NOTE: I believe rule 50 should match both .99 and .105 for outbound access?

Extended IP access list Outside_To_In

10 permit ip 1.7.12.32 0.0.0.7 host 25.0.0.2 log (4451008 matches)

20 permit ip host 1.63.7.5 9.7.43.32 0.0.0.7 log (65001 matches)

30 permit ip host 1.63.7.6 9.7.43.32 0.0.0.7 log (73010 matches)

40 permit ip 16.17.43.17 0.0.0.7 9.7.43.32 0.0.0.7

50 permit ip 16.17.34.0 0.0.0.255 16.18.22.64 0.0.0.63 log (260997410 matches)

60 permit icmp 9.7.43.32 0.0.0.7 any log (89 matches)

70 deny icmp any any log (21465826 matches)

80 deny ip 16.18.22.64 0.0.0.63 any log

90 deny ip 169.254.0.0 0.0.255.255 any log (65 matches)

100 deny ip 127.0.0.0 0.255.255.255 any log

110 deny ip 10.0.0.0 0.0.255.255 any log (549 matches)

120 deny ip 0.0.0.0 0.255.255.255 any log

130 deny ip 192.0.0.0 0.0.0.255 any log

140 deny ip 172.16.0.0 0.15.255.255 any log (6949 matches)

150 deny ip 169.0.0.0 0.0.0.255 any log

160 deny ip 224.0.0.0 15.255.255.255 any log

170 permit tcp any host 16.18.22.66 eq 443 log (3228 matches)

180 permit tcp any host 16.18.22.67 eq 443 log (3292 matches)

200 permit udp any host 16.18.22.66 eq isakmp log (221 matches)

210 permit udp any host 16.18.22.66 eq non500-isakmp log (48 matches)

230 permit udp any host 16.18.22.67 eq isakmp log (203 matches)

240 permit udp any host 16.18.22.67 eq non500-isakmp log (50 matches)

250 evaluate REFLEXIVE-ACL-LIST

NOTE: I believe rule 250 should allow for all traffic to return for .99 and .105?

A few random entries I copied out of the REFLEXIVE-ACL-LIST

permit tcp host 12.253.131.111 eq www host 16.18.22.105 eq 46456 log (5 matches) (time left 224) (no internet access)

permit tcp host 65.26.225.254 eq www host 16.18.22.105 eq 56694 log (3 matches) (time left 239) (no internet access)

permit tcp host 23.62.7.169 eq www host 16.18.22.105 eq 1730 log (9 matches) (time left 187) (no internet access)

permit tcp host 35.186.220.184 eq 443 host 16.18.22.99 eq 50948 log (30 matches) (time left 227) (internet works!)
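One way to check exactly which line of the inbound list a given return packet hits is to run the quoted ACL through a small first-match evaluator. This is an added example, not from the post or from Cisco; it copies the Outside_To_In entries and the four reflexive entries above, and the packets it classifies are constructed from the five-tuples those entries show (plus a spoofed-source and an unsolicited packet for contrast).

```python
"""First-match evaluator for the Outside_To_In ACL quoted above (added example).
Handles only the syntax on this page: ip/tcp/udp/icmp, any / host A / A WILDCARD,
an optional 'eq PORT' after each address, and 'evaluate NAME' nesting the
reflexive list. 'log', 'reflect' and match counters are ignored."""
import ipaddress

PORT_NAMES = {"www": 80, "isakmp": 500, "non500-isakmp": 4500}

# Copied from the post; packets are evaluated as they arrive on the outside interface.
OUTSIDE_TO_IN = [
    "10 permit ip 1.7.12.32 0.0.0.7 host 25.0.0.2 log",
    "20 permit ip host 1.63.7.5 9.7.43.32 0.0.0.7 log",
    "30 permit ip host 1.63.7.6 9.7.43.32 0.0.0.7 log",
    "40 permit ip 16.17.43.17 0.0.0.7 9.7.43.32 0.0.0.7",
    "50 permit ip 16.17.34.0 0.0.0.255 16.18.22.64 0.0.0.63 log",
    "60 permit icmp 9.7.43.32 0.0.0.7 any log",
    "70 deny icmp any any log",
    "80 deny ip 16.18.22.64 0.0.0.63 any log",
    "90 deny ip 169.254.0.0 0.0.255.255 any log",
    "100 deny ip 127.0.0.0 0.255.255.255 any log",
    "110 deny ip 10.0.0.0 0.0.255.255 any log",
    "120 deny ip 0.0.0.0 0.255.255.255 any log",
    "130 deny ip 192.0.0.0 0.0.0.255 any log",
    "140 deny ip 172.16.0.0 0.15.255.255 any log",
    "150 deny ip 169.0.0.0 0.0.0.255 any log",
    "160 deny ip 224.0.0.0 15.255.255.255 any log",
    "170 permit tcp any host 16.18.22.66 eq 443 log",
    "180 permit tcp any host 16.18.22.67 eq 443 log",
    "200 permit udp any host 16.18.22.66 eq isakmp log",
    "210 permit udp any host 16.18.22.66 eq non500-isakmp log",
    "230 permit udp any host 16.18.22.67 eq isakmp log",
    "240 permit udp any host 16.18.22.67 eq non500-isakmp log",
    "250 evaluate REFLEXIVE-ACL-LIST",
]
REFLEXIVE = [  # the dynamic entries quoted from REFLEXIVE-ACL-LIST
    "permit tcp host 12.253.131.111 eq www host 16.18.22.105 eq 46456",
    "permit tcp host 65.26.225.254 eq www host 16.18.22.105 eq 56694",
    "permit tcp host 23.62.7.169 eq www host 16.18.22.105 eq 1730",
    "permit tcp host 35.186.220.184 eq 443 host 16.18.22.99 eq 50948",
]


def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i] -> ((net, wildcard), next i)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _port(tok, i):
    # Optional 'eq PORT'; None means any port.
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return PORT_NAMES[name] if name in PORT_NAMES else int(name), i + 2
    return None, i

def parse_ace(line):
    tok = line.split()
    if tok[0].isdigit():                    # drop the sequence number
        tok = tok[1:]
    if tok[0] == "evaluate":
        return {"action": "evaluate", "name": tok[1]}
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return {"action": tok[0], "proto": tok[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def _in(addr, spec):
    net, wild = spec                        # wildcard bits set = don't care
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)

def _matches(ace, pkt):
    proto, src, dst, sport, dport = pkt
    return (ace["proto"] in ("ip", proto)
            and _in(_ip(src), ace["src"]) and _in(_ip(dst), ace["dst"])
            and ace["sport"] in (None, sport) and ace["dport"] in (None, dport))

def evaluate(acl, reflexive, pkt):
    """First match wins. Returns (action, matching line); the line is None
    when the packet falls through to the implicit deny at the end."""
    for line in acl:
        ace = parse_ace(line)
        if ace["action"] == "evaluate":
            action, hit = evaluate(reflexive, [], pkt)
            if hit is not None:
                return action, hit
        elif _matches(ace, pkt):
            return ace["action"], line
    return "deny", None

def classify(pkt):
    """pkt = (proto, src_ip, dst_ip, src_port, dst_port) as seen inbound."""
    return evaluate(OUTSIDE_TO_IN, REFLEXIVE, pkt)
```

Return traffic for both .99 and .105 is permitted only by the evaluate step, which agrees with the non-zero counters on the reflexive entries; a spoofed packet sourced from 16.18.22.64/26 stops at line 80 and an unsolicited SYN falls to the implicit deny.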



Cisco IE2000 and IE4000 Industrial Switches, CLI Commands for SD Flash Sync and Auto Sync.

So I'm trying to figure out if anyone has any success with the Cisco IE4000/2000 Switches and the CLI commands to Sync / Auto Sync the onboard SD Card.

I want to stress that I can configure this SD Flash Sync and Auto Sync without issue if I use the Web UI, but I'm looking for a quicker way to do it as part of my switch builds using the CLI.

The documentation I'm working with is from the Cisco IE2000 located here > https://www.cisco.com/c/en/us/td/docs/switches/lan/cisco_ie2000/hardware/sd-card/sd-card.html

From the information provided by Cisco, the non-config portion "Sync flash: sdflash:" works no problem, but if you immediately follow that up with "show sync status" it will report that the config and IOS on the SD card "are not in sync".

From the information provided by Cisco, the config portion "auto sync enable" flat doesn't exist.

If I do "auto ?", I get:

Switch(config)#auto ?
  qos       Configure AutoQoS global
  security  Configure AutoSecurity global

Anyone have any insight or know the proper commands?

Thanks



xpost from /r/f5networks: Free F5 and Ansible workshop in Seattle 2/13

http://bit.ly/2RdMG9K



RADIUS issue

Hi all -

I've been chasing down an issue with RADIUS for a while now, and I feel like I've hit a dead end.

I have a NAC pointing to a NPS server for RADIUS. According to the logs, my supplicant successfully authenticates after a number of Access-Challenges (the NAC logs reflect this as well), but is never actually assigned an IP. Here is an excerpt from the RADIUS logs.

What do you think I should turn my attention to? Everything looks fine up until the supplicant. Thanks!



Anyone on the East Coast Experiencing Intermittent Outages with Cox?

Figured I'd ask here. We have multiple circuits provided by Cox. This includes a Cox optical internet circuit, SIP trunk, metro ethernet and they are the last mile provider for our MPLS. Throughout the day we have experienced a series of outages where the circuits stop passing traffic intermittently for several minutes. Wanted to see if anyone else on the east coast has experienced similar issues today. I have a ticket open and waiting to hear back from them. I am in VA.

*** EDIT: I received confirmation from Cox that it is their issue in my city. Thanks for the downvote :D



What is currently considered the best way to get your CCNA (honestly)?

Hello,

My boss has recently put on my "objectives" to earn this cert for my position as our head NA. Whether you agree with it or not it's what he wants and the quality of my increase depends on it.

What is currently the best way to get this cert? I'm no stranger to the process: define the knowledge, study your ass off and then take the test. However, I'm seeing different things and want to know before I begin that I have a well defined scope of what to expect on the test and then the correct information according to Cisco.

Any advice would be much appreciated! Thanks!



How to configure IS-IS in Quagga between two virtual machines (Ubuntu)?

Is there any tutorial that would walk me through how to do it from the very beginning?



Cisco Switch input errors with AT&T BiB Router

We have a Cisco 3750-24-PS-S connected to an AT&T BiB router. We have 4 access ports connected to it on 4 different VLANs.

The errors we are seeing are as follows...

  • input errors (via show int fa0/1, etc)

  • CRC errors (via show int fa0/1, etc)

  • runts (via show int fa0/1, etc)

  • undersize frames, FCS errors and "valid frames ,too small" (via show controllers ethernet-controller fastEthernet 0/1, etc)

...ever increasing for the past year and a half. I've gone through escalated support with AT&T several times and each time, they continually state that they don't see any errors on the BiB router or the Ciena box. We've swapped switches/switch models, cables, ports, set speed/duplex to auto/auto, 100/full (per their suggestion).

Anything we plug into the BiB router sees those errors.

It doesn't seem to have affected our connectivity. But I would think that we shouldn't be seeing continuous errors, right?

Anyone else experience this? Other ideas?



Itential network automation

The company I work for is looking at http://itential.com to help automate some of the maintenance tasks on our network as well as speed up provisioning new services. Anyone have experience with this tool? Do you see any gotchas? Thanks



Guest Wireless Terms of Service

By law, is it necessary for an organization to provide their Terms of Service for guests and visitors who join the guest wireless network? If the Terms of Service were not provided, and the guest did some malicious activities on our network, would there be any interference when it comes to disciplinary/legal actions? Thanks!



Cisco WLC and AP Upgrades

A little back story first. I started at this company about 6 months ago; they had no network monitoring and no real plan for the network. They had had companies install and set up the network in the past. The IT team comprised a Manager and two desktop support techs. Last year they decided to hire two Network/System Admins. I got hired to manage the network and the other Admin is on the VMware side.

OK so here is my issue:

We have 32 AIR-LAP1242AG APs that need to be replaced. They ordered AIR-AP2802s to replace them. But the 2802s need the firmware upgraded on the WLC in order to work, and if we upgrade the firmware on the WLC the 1242s will stop functioning. So my idea to replace the APs/upgrade the firmware is to spin up another WLC with an evaluation key and connect the 1242s to that WLC. Then upgrade the firmware on the main WLC. Then go out and replace the APs and connect the new ones to our main WLC. I am concerned that the Main and Secondary WLCs will not talk to each other and keep users' connections alive between the 1242s and the new 2802s. I am looking for feedback on whether my idea will work, or if there is a better solution.



Umbrella blip?

Did anyone else just have trouble getting name resolution from Cisco Umbrella servers? I lost resolution for public domains for a minute until I added a forwarder for 8.8.8.8.



Looking for modern-time networking books

Hello community,

I have recently been given a Virtual Lab administrator position in my current job, so I'm the guy responsible for troubleshooting and setting up my team's lab environment. I have only basic networking and subnetting knowledge, so I am looking for some book(s) that can cover real-life company topologies.

To make it more clear, the networking concepts that I am dealing with every day are proxies (I work for a security company), HTTP/HTTPS, DNS and generally any type of network connection that Virtual Machines have in the Virtual Lab.

I was thinking of buying books related to CCNA, but CCNA covers wired networks, so I can't find any similarities with my actual tasks. I am NOT even dealing with virtual switches and routers or with subnetting, so would CCNA material be a good study for me, or is there something more useful to what I am looking for? Thanks in advance.



Internet Exchange

Does anyone know anything about the licensing or regulations that apply to Internet Exchange providers (IXPs)? Or even a good resource to start finding basic info. Thanks!



Which is more used in totality - ISIS or OSPF?

Was having a debate with someone recently and I thought he was mad for saying that ISIS was more adopted than OSPF. While ISIS definitely is more used in flat networks and telecom networks, surely OSPF in terms of what's used in the grand scheme of things is higher than ISIS?



ASR1K not sending syslog out of Management interface

I'm trying to get syslogging working on a Cisco ASR but I can't get it working via the management interface. Here's the output of "show logging":

Trap logging: level debugging, 1131 message lines logged

Logging to 17.22.4.202 (Mgmt-intf) (udp port 514, audit disabled,

link up),

97 message lines logged,

0 message lines rate-limited,

0 message lines dropped-by-MD,

xml disabled, sequence number disabled

filtering disabled

Logging Source-Interface: VRF Name:

GigabitEthernet0 Mgmt-intf

I've carried out a packet capture on the upstream switch and I don't see any syslog traffic out of the management interface. When it is configured like this I also do not see syslog traffic out of the interface to the global VRF. If I set a syslog server without specifying the Mgmt-intf VRF then I see traffic out of the global VRF, but that doesn't help, as the upstream gateway is in a customer VRF, not our management VRF.

Here's the config:

login on-failure log

login on-success log

logging trap debugging

logging facility syslog

logging source-interface GigabitEthernet0 vrf Mgmt-intf

logging host 17.22.4.202 vrf Mgmt-intf

Any ideas? We have the same setup on a c9300 and it works as expected



Migrating to new firewall

We currently have 2 CISCO firewalls which we are about to replace with one newer one.

Firewall A is for general use and Firewall B is for VPN's to remote sites.

Firewalls A & B each have an internet facing interface, which are on the same network. These then connect to the ISP's onsite router, which we have no console access to.

The issue we're having is we can't move both of these internet interfaces onto the new firewall as you can't have 2 interfaces on the same network, on the same firewall.

We have 30+ worldwide remote VPN sites, so manually configuring all of these to a new VPN endpoint isn't really an option, as we can't guarantee that these sites will be 'online' during the migration.

Also getting the ISP to make changes (routing etc) has (from previous experience) taken far too long to be another viable option.

Any ideas? Hopefully there's something easy and obvious I've missed.

Thanks



Can SLAAC not provide DNS information?

I am doing an apprenticeship as an IT Specialist for System Integration. My graduation project will be setting up an IPv6 test environment. My coworkers advise me to use SLAAC with privacy extensions. But what about information like the address of a DNS server, which DHCPv6 could additionally provide? How do clients obtain that, and what other information is there that DHCPv6 could provide but SLAAC doesn't?



Wednesday, January 23, 2019

Help me understand MPLS label switching

So I'm trying to understand MPLS. I know what it's typically used for, and I understand the benefits over IP routing under those circumstances. What I don't understand is the label switching and why the protocol is designed this way. From what I'm reading, it seems that every router along the path replaces the label with a new one. I don't see why the label couldn't just be static.

For instance: You assign a label (100) to a packet/frame as it enters the PE, which then forwards it to the next router. At the next router, and the next, and the next (...so on...), you have a label forwarding table. If the label remained 100 throughout its entire journey, each table just has to know what to do with a packet having label 100 (just like IP routing tables, only faster because the table is smaller, the number is shorter, and there's no masking involved). Simple enough, and you can build your pre-determined paths, just as you could build pre-determined unidirectional paths with static IP routes.

I don't understand what you gain by switching the label at every stop... But I'm sure there's something I'm missing. Can someone please explain this?



Managing firewall rules for dozens of sites?

How do you guys go about managing firewall rules with multiple sites that connect over VPN? Do you allow anything in the LAN zone across the VPN? Do you filter by subnet? By user/groups matching?

We have 30+ sites and right now it's free-for-all. However, I'm trying to lock things up a little bit.

Our current setup right now has 3 sites that provide resources for the 30 remote sites (DC's, File Sharing, Applications, etc)... All the remote sites connect via VPN to the 3 main sites.

However, we have a VLAN at a remote site for example that operates our point of sale systems. Obviously it doesn't need access to all our resources, except DC's to authenticate, WSUS, WDS, and Print Server. When I map out the rules on paper, it seems overly excessive and difficult to manage. Especially since WSUS/WDS share the same subnet as some application servers.

Goal is to try and improve security but at the same time, creating host/IP networks or host/IP groups in our firewall for 30+ sites that have 40+ subnets each is going to be very time consuming and possibly cause performance issues on our firewalls. Not to mention thousands of firewall rules.

I was thinking of limiting it down to three rules, the last one being the free-for-all if it doesn't match the first two, but then things like Apple TV's will have access to everything.

Example:

Rule 1

Source Zone: LAN, Network: Any

Destination Zone: VPN, Network: Application Servers, Printing, File Share

Match Users: Domain Users

Rule 2

Source Zone: LAN, Network: Any

Destination Zone: VPN, Network: Any

Match Users: Domain Admins

Rule 3

Source Zone: LAN, Network: Any

Destination Zone: VPN, Network: Any

Match Users: Disabled



Need Solution for Home Lab

I've volunteered for a local academy, teaching young adults about computer networking. Essentially I'm just going to teach them CCNA concepts. I was wondering if I could set up a lab and access for 20+ students in AWS. I will need basic cisco routers and switches probably 2 of each. I'd also like to throw in an ASA or Palo Alto.

I do have my doubts about AWS so another option is to buy devices third party then host a small network out of my house.

My last idea is virtualizing everything, but cloud/virtualization isn't my strong suit. I'm open to learning but have only ever worked with Hyper-V and VMware Workstation 15.

Need help fast! Any advice welcome!!



Help, newbie here

Hi, I am looking to consolidate physically distant, separate networks into one. The only problem is that both have separate internet DSL connections which I want to use as failover for each other, and add one more 4G modem (both ADSL lines are from the same ISP, and sometimes the exchange link goes down). How do I do it? I am a newbie. Tried looking up pfSense but it seems that pf requires a direct hardline connection from the modem to a physical port. This is an issue as there is only one Ubiquiti wireless AirFiber link of 100 Mbps joining the two networks, and it can either carry LAN traffic or a direct hardware link to the pfSense device. Kindly correct me if I am wrong, or point out any options I am missing.



How to block unauthenticated 802.1x traffic using iptables?

Hi,

I've got a Proxmox virtual lab and I'm struggling to set up a test 802.1X network. I used hostapd as an authenticator with an external FreeRADIUS server. The hostapd machine has a bridge that bridges both the LAN and the insecure network for 802.1X supplicants. Authentication works fine with both Linux and Windows supplicants - unfortunately the unauthenticated traffic is passed through, since hostapd does not implement any blocking of unauthenticated wired traffic. On a real managed switch, is authenticated traffic whitelisted by MAC address? Or some other way?

I know the best solution to test an 802.1X setup would be to either use a physical switch or use a Cisco virtual environment. I can't order a physical switch at the moment (time + location constraints) and Cisco VMs are not compatible with Proxmox.

Any ideas how I could make it work _fast_? Any non-Cisco switching VMs I could use on Proxmox? Open vSwitch does not support 802.1X, neither does pfSense.



Can Elfiq work as a DNS server?

I was given this project at work. We are replacing Elfiq with our own equipment for a customer and I was going through the Elfiq configuration. The on-site IT guy doesn't have any clue about how his network is built. There is this feature called iDNS in Elfiq which basically responds to all the DNS requests and points them to the A record. Does this mean Elfiq is the DNS server, or that Elfiq has the DNS servers on the LAN side? Their documentation says the request comes to Elfiq and Elfiq replies back. My manager says there are servers on the LAN side that are handling the requests, but the config guide says the DNS NS records can be configured in Elfiq.

PS: Sorry I used "Elfiq" too many times.



Network response times faster over VPN than straight internet

I have a monitoring station that does a simple web page check on a bunch of web servers at several sites, just checking to see if they are up. Around 12/20/18 the response times increased by a factor of 10 and in some cases 20+. I set up additional sensors to check the same sites via VPN and the response times are normal, a fraction of the time it takes over the internet. From what I've read the usual explanation for VPN being faster is that your ISP is throttling you, but it's just a sad little 1.5Mb T1 so I can't imagine it's being throttled.

I set up additional sensors to check over the internet by IP rather than DNS but they are just as slow.

I set up a second monitoring server about 1000 miles away and it returns normal response times, much faster than the monitoring station which is relatively local to the remote sites.

Traceroute from the monitoring site to the remote sites doesn't show anything unusual. I guess I need to call the ISP but they're generally pretty useless for anything other than basic stuff, so I thought I'd ask the folks here if you have any ideas what might be going on, or what other tests I could try.



802.1X with Cisco SF300 SMB switches and Polycom IP Phones

Hey guys, quick question about these SMB switches with 802.1X and IP phones (specifically polycom but not sure if that is important).

We're currently using mac based port security with a mac limit of 3 addresses which works fine with PCs and IP phones on the same switchport, but it sucks whenever the support team needs to move someone's PC to a new location. I'd like to implement 802.1X to solve this problem but I'm concerned I will have issues because all of our access switches are these Cisco SF300 SMB switches. As far as I know, they don't have the multi-auth configuration ability that standard catalyst switches have to allow you to use a PC and IP phone on the same switchport. So I'm wondering: 1) am I correct that this is a problem and 2) are there any workarounds I can do to get this to work other than purchase all new catalyst switches to replace the SMB switches (something I'm sure I won't be allowed to do)?

Thank you in advance if anyone has any suggestions!



Question for the group as I've always hit a snag at least once on a new piece of tech nobody in the org knew, and an SDN question for the group given rise of "cloud" focused infrastructure now dominating job ads.

Would you want to have access to a lab environment you could tinker with at your own pace that was physically near you, so you could have hands on time without risking your job?

I'm doing a survey for such a place and seeing if there's interest in the community given a lot of folks (myself too) have /r/homelab setups, and I know less well off folks that can't afford online setups or homelabs and want to learn when not at work.

If you do decide to take the survey and are not local to /r/nova please check the other comments box on the last question and reply with outside target area for survey, the town or state you're in (or country), or just leave the location checkboxes in 10 blank.

Here's the link: https://www.surveymonkey.com/r/QRV2P9W Please keep in mind this is a place to grow on your own outside of work, help others in person or remotely, and general grow the technology focused community outreach for our field (boo competition for my desk!) because we'll eventually hit the timeframe like air traffic is now that half the folks are double the age of the next group coming in, and could cause issues long term for our society/fields.

Seriously thanks, all I love seeing the community here, and the depths commentators go to help others.

I'll also be launching /r/neteng to encourage young and weathered engineers alike to grow the learning lab community in addition to contributing here whenever I can. I just got mod rights to neteng not long ago as it had been left abandoned, so go nuts if you want but i'll be doing a launch purge down the road as I wait for folks to call me back.

Man this redditor won't stop typing!

SDN Q for the group

As a question for the group separate from the above: I was recently asked about types of SDNs used in production by a recruiter (I'm actively seeking immediate employment) and it occurred to me, has the market exploded past NSX, vSwitches, VDS, and OS software bridge layers (VMware host to VM, VM to container bridges, inter-container), VRF and ACI?



Catalyst 9500-40X Stackwise Virtual

Hey All,

Is anyone running Stackwise virtual on Catalyst 9500-40X? If so what version are you running and any issues to report? I have a deployment coming my way next week and not had much luck with software versions for Cat 9ks so far, all initial software versions that I selected had bugs :-(

Thanks



IP route question

I have an IP address that has gone defunct. I'll use scrubbed addresses but I hope the point shines through.

Let's call it 10.30.200.202

It is on a /29 network 10.30.200.200. range .201-206. wildcard 0.0.0.7 bcast .207

There is an ip route:

10.30.200.200 255.255.255.248 11.20.10.253

11.20.10.254 is a local vlan 20

Then 11.20.10.254 is listed under OSPF which crosses an ISP to get to the main systems.

This doesn't strike me as "its getting out" and I think that's what I need to nail down.

If the 10.30.200.200 network is routed to gateway/router 11.20.10.253, which is then under VLAN 20 with gateway 11.20.10.254, then it's a gateway within a gateway and won't route out, right?

Trying to find out where this device actually physically sits.



Getting ASA to FIPS 140-2 Compliance

http://bit.ly/2FJFz7J

Virtual Labs for Learning

Good Afternoon,

Not sure if I can post this or not, but it seemed appropriate to post since this is networking. I work as tech support but recently finished Windows Server administration at college (Windows Server 2016). The way the class worked is that we logged into Cengage and did virtual labs, so there were no VMs that we had to set up or anything. Now that the class is over I would really like to go back and keep practicing and maybe do more labs. Wondering if anyone knows of a company that offers this as a monthly or one-time fee service.

You basically log in and the servers are all there, you follow the instructions and work through installs, Setting up Print servers, DC's Etc.

Thank You,



Cisco or Juniper?

Hi guys,

So my company has always been a Juniper house, end to end. I love the tech and haven’t had any major issues with it. It just works.

Now since Cisco bought BroadWorks, which is our voice platform, my boss wants us to try to transition to using Cisco since we would get better discounts.

Have any of you made this transition? I’ve never worked on Cisco before and all my certs are in Juniper. What are your thoughts on which is a better vendor? Thanks!



Best Practice to distribute vlan (from core to access)

Hi guys,

Thinking about what's the best way to distribute a new VLAN from the core to the access switches in a new branch office.

The first thing that came in my mind was MVRP (HP/Aruba only env) or Ansible? What would you guys use?

Thanks!

*The access ports use dynamic VLAN assignment via RADIUS.



VXLAN BGP EVPN vs VXLAN EVPN Multi-Site (Cisco Licensing)

Morning, All -

Currently getting ready to start work on a VXLAN EVPN-Based DCI project, and trying to make sure we have all of our licensing squared away.

In Cisco's NXOS Licensing guide, they note that VXLAN BGP EVPN functionality is included in the "LAN Enterprise Services" license, while VXLAN EVPN Multi-Site functionality is part of the VPN Fabric license.

Does anyone happen to have any info on what exactly the difference is here?

Cheers!



Associates degree

Hello,

I have just completed my associates in networking administration. I'm working on getting my ccna. I was wondering if anyone had advice on jobs. Every job I've seen they want 2 or 3 years experience. Is there a route I should take maybe try and find a help desk job first?

Thanks



SD-WAN: Velocloud Vs. Riverbed

I've been looking at these two products and came to the conclusion that their features are quite different. Riverbed is more focused on management of access infrastructure such as switches and APs, while Velocloud is more focused on load balancing and visibility of traffic. Am I getting it right?



Tools for TCP packet tampering on windows?

I've got a bit of an annoyance that I'm trying to hack my way through.

I have an old chat app on my android phone that I use occasionally to keep in touch with some acquaintances. Once you've reached a contact limit you can no longer add any more. The problem is there's a bug in that app that appeared in one of the recent versions. It seems it's reading your "blocked contact" list (used for spammers etc) as part of your contacts. This in practice isn't that big a deal because you can just remove blocked contacts to free up space (doesn't fix the bug though). The problem is that the developer changed the flag (a single byte) to signify a blocked contact but didn't include it in the check. Contacts blocked before whatever version that changed was made still have the old flag. So while the app still receives this list of "old" blocked contacts it doesn't display them on-screen (it doesn't know how to interpret the "old" flag) so I can't delete them. The author isn't responding to any emails so I doubt this app is even supported any more.

I've already tried reverse engineering the APK, changing the generated SMALI and recompiling the APK but it didn't work so I'm guessing there's another obscure check hidden in the (obfuscated) code. But I reckon it would possibly be simpler to just alter the legacy "blocked contact" flags in the network packet itself to what the app expects.

I've already inspected the TCP packets and I've got a reasonable grasp of the particular packets I'm looking for (sadly, it's not as simple as HTTP tampering) so now I just need a tool to change them.

My home network:

WAN -> Opnsense -> Windows PC -> Android Emulator (virtual ethernet adapter).

I've read about netsed. Will this work? i.e. Forwarding data from the host server to netsed, then altering the TCP packet before forwarding to the emulator?

If not, are there are tools I can use to do this?



Cisco ISE & Linux AD Group Authentication

I am currently trialling Cisco ISE in our company. The way I would like Linux machines to work is if the machine in AD has a certain security group, then it will be allowed on to the network. However, I am having some difficulty with this mainly in regards to configuring the supplicant on the linux machine itself. I would preferably like to do this without using certificates and purely group authentication as I can do this on Windows.

Has anyone had experience with Cisco ISE and Linux machines? If so, how did you do it?

Cheers.



PSA: Severe network destroying Bug identified on multiple Cisco Catalyst 9300 Software Versions

We've been working with TAC recently on a catastrophic fault we experienced on multiple catalyst 9300 switch stacks:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn30950

Essentially your stack will split without warning creating two separate switches with odd forwarding behavior.... In our case layer 2 loops.

This issue affects 16.10.1, 16.9.2, 16.9.1, and 16.6.5 release (and 16.6.1 - 16.6.4).

Posting here in the hopes of preventing some potentially career threatening issues for others as version 16.6.5 in particular is an MD release



Could I run WAN traffic over VLAN?

A manufacturing shop has 2 offices, and 1 rack in each office (MDF and IDF) with a 180’ fiber between them. The ISP coaxial cable enters the building in the IDF closet and runs 180’ to the modem in the MDF. The modem can’t bond upstream channels from the MDF closet, but can from the IDF closet.

The key is to minimize the coaxial cable length, and moving “everything” to the IDF is not an option for this morning. I want move the modem to the IDF, then configure an extra port-to-port VLAN between the two switches (from the modem in the IDF to the router’s WAN port in the MDF). Would directing WAN traffic over LAN equipment cause a security issue even if it was in its own VLAN?

And thank you in advance )

(If this doesn't belong here, please don't delete, let me know so I can move it to another sub)



Issues with Cisco APs in local mode over MPLS ?

Hi guys,

We have a Cisco 5508 HA cluster (SSO) in our head office that provides a Corporate SSID, 802.1x certificate based authentication.

The APs at head office are registered to the WLC in local mode, so the clients break out at an interface on the WLC and not at the AP - CAPWAP tunnels and all that jazz :) No reported issues of poor performance / slow logons / network dropouts by users at head office using this SSID.

We have 2 remote offices that connect over a third-party MPLS network, which also register their APs in local mode back to this WLC, so the same SSID is broadcast and clients are subject to the same firewall policy based on the IP address they get, etc. Not reinventing the wheel; I've seen this set-up quite a few times before and it works well.

However, we are getting reports (anecdotal at the moment) of the wireless network generally being slow to log on (some clients take 20-30 mins) sometimes at these remote sites, and network unavailability for short periods of time. I can't figure out what could be at play. The only thing I could potentially put my finger on was the overhead of the CAPWAP tunnel causing fragmentation issues over the MPLS, so I dropped the MSS on the remote office APs, but we are still getting reports from users.

Any ideas on how I can troubleshoot this ? Anything obvious I'm missing ?



Getting other computers information on a network

Hello,

I'm doing an internship and one of the tasks is to get all the network's computers information, (OS, Computer Name, even hardware if possible).

I've been doing some research and found a piece of software called "Network Inventory Advisor" which is exactly what I need. However, I'm having trouble setting it up: it is getting the information I need but only from my PC (I have all the info on it, OS, RAM...); it can detect other PCs on the network but without giving their information. I've also read that WMI has to be enabled with its proper settings (firewall and admin rights...) and I've followed this guide:

https://iphostmonitor.com/kb/remote-wmi-monitoring.html

It still doesn't work. Now my main question is: do I have to do this on every PC on the network, considering there are 100 of them? If so, I think there is no point at all in me using this software.

Or can this software work and give me the network's computers information with only installing it on the server?

Thank you for your help, have a nice day.



What is the purpose of native vlan?

As per my understanding, the native VLAN is used to send untagged traffic like CDP and other management traffic through a trunk port. Is this the only responsibility of the native VLAN or am I missing something? If a port to which a host computer is connected is not assigned to any VLAN, will the native VLAN be used to send its traffic?



Changing interface names on ASA?

Hi Guys, 

I have an ASA 5516 with 2 WAN links, one named outside and the second named backup. The backup line used to be just a 4G dongle to keep us online if the main line dies, but it was upgraded to a nice 300/300 Mbit connection. The main line is actually 100/100, so I would like to make the backup line the main line. Of course I could just change the default route, but I don't want to end up with the outside interface being the secondary and the backup interface being the main one.

So what would be the easiest way to swap them around? Can I just rename them and all the NAT / ACLs will be renamed as well? Or is this a weekend project...?



Tuesday, January 22, 2019

A year to kill. What to do/learn?

I find myself in a situation/opportunity. My organization is being phased out. Without getting into specifics, we are being outsourced. It will be a year long migration for our customer. There is a nice severance package to stay until the end.

Until then we will basically be keeping the lights on and the ship afloat. All projects have been scrapped. It will be a boring year which gives me a year to focus on professional development and learning some new tricks.

10+ years in networking; LAN/WAN/datacenter. For the geographic area I have a strong skillset to gain re-employment at a competitive salary. I just have a lot of time to kill and figure I have a tremendous opportunity to tinker around and learn something new to boost the resume in the meantime.

High on my list is to learn Python with an emphasis on network automation.

We already paid for VMWare NSX so we figured we’d go ahead and implement that since it’s no cost at this point. Just another learning opportunity and something to add to the resume.

Figured I may go back to the CCNP curriculum. Not too focused on the certs so much as the gained knowledge.

What are some things you guys/gals would do with your time to increase your marketability and skillset with all the time?



Is my use of proxying doing what I think it does?

Hi,

I'm trying to make a service for myself where I can have a single endpoint which points to a cluster of Docker containers, and each container is a different WebSocket server for a different app.

Here's how I am currently implementing it, the part I am confused about is step 5:

  1. user makes request to someapplication.mysocketservice.com
  2. the request follows the DNS record and resolves an ip address from one of the many cluster servers.
  3. Each server has one daemon container, and then a various amount of application containers.
  4. the daemon container is the only one that can receive traffic on port 443 (for secure websockets!) so it then has to proxy the request to the correct application container based on the Host subdomain (so it looks for 'someapplication' and finds the local ip address of the server which has that container, and also finds the correct port)
  5. Once it resolves the local ip, and port it does the following: (nodejs)

  // app: the regular HTTP request handler (e.g. an Express app), defined elsewhere
  const server = require('http').createServer(app)
  const httpProxy = require('http-proxy')
  // other logic...

  // HTTP Upgrade requests (WebSocket handshakes) are handled here, not by app
  server.on('upgrade', (req, socket, head) => {
    // look up the container's local IP and port from the Host subdomain
    const { applicationIP, applicationPORT } = resolvePortAndIp(req, socket, head)
    const proxy = httpProxy.createProxyServer({
      target: { host: applicationIP, port: applicationPORT },
    })
    // hand the upgrade request, raw socket and any buffered bytes to the proxy
    proxy.ws(req, socket, head)
  })

and this successfully proxies my websocket connection request to the proper container, however what I am confused about is: once the user has connected to the application container, do all future socket messages go directly through the application container?

Is there any overhead remaining on the daemon server after it successfully proxies the request? Ideally the daemon server would simply act as a resolver for the correct container, i.e. I want the daemon server to have very low memory/CPU usage so that the other containers running on the same server can use up the rest of the server's resources.



Computer Room Visibility Standard

Hello.

I have some sales people in my company pushing to "decorate" the glass walls of the main computer room with their decals and they are winning over the C-Levels.

I'm trying to fight it but I want to have something to backup my push against this. Is there any standard that someone can point me to?

Much appreciated.



Best way to create mesh VPN tunnels between 9 sites?

Hi all,

I have Juniper SRX300's at 8 sites and an ASA 5512-X at 1 site. Looking to set up VPN tunnels between all sites in a mesh. This will never need to scale beyond the 9 total sites. Would like no site to be dependent on another site for access to anyone else such as in a hub and spoke. Some sites also have terrible internet and latency.

I'm about to set up route-based VPNs - just create 8 /30's on every device (st0/vti) and configure BGP (Junos doesn't support OSPF over IPSec unless I'm mistaken?) I'm wondering if there's a more efficient way to do this? Any recommendations?

Thanks!



Palo Alto Syslog Forwarding... broken after upgrade?

Hey /r/networking,

I hope everything is going well. I have a bit of an odd question. Over the weekend a separate team upgraded our Palo Alto Panorama system to its latest version. I'm not sure what happened but it seems to have knocked out syslog traffic logging.

I'm no longer seeing those logs in my Syslog-NG collector. So far everything looks alright. The Syslog server is set to the correct destination. Traffic logging appears to be enabled and allowed through the firewall. And it looks like Traffic Logging is tied to the correct Syslog profile.

Any advice on what I should focus on next? I'm a noob in the Palo Alto world. Still learning about the system.

Thank you in advance for your advice,

acebossrhino



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Maritime communication standard/protocol

Hello, I'm doing research for a class project regarding communication standards/protocols used by ships. So far, what I have found to be relatively unique to maritime communication are the NMEA standards. Are there other standards/protocols out there that are often used for ships and such? I would also like to know where I can find official documentation regarding the standards, so I can learn about the mechanisms and how well they do against attacks like DDoS, man-in-the-middle, etc.



Wifi to Ethernet Bridge

Today I came across an issue at my workplace where I needed to boot a PC into safe mode with networking, but since it is connected via Wi-Fi, I was not able to log in because I did not remember the last credentials I had used to log in on this machine. (We use AD and passwords are changed every 3 months by policy.) I did not have Ethernet close by, so I am having to remove the PC from its location, bring it to my workspace and work on it from there where I have Ethernet.

Is there such a device that exists, that is not too expensive, that would connect to our Wi-Fi and provide me with an RJ-45 jack to connect to a PC? I'm thinking it would work something like those wireless hotspot devices.