Saturday, October 5, 2019

Are there any good alternatives to Cisco Net Academy for a hands-on approach learning routing and switching?

During school I participated in a course called Cisco 1. This course taught me about the basics of the OSI model, the TCP/IP stack, and enough to set up a simple network with routers, switches, and other hosts. However, I switched my degree and never ended up taking the other 3 Cisco courses that my school provided. Throughout most of my time in Cisco 1, we used their Network Academy and Packet Tracer to learn concepts before practicing them in a lab with real hardware. I don't really have any issues with Cisco, but I would prefer to learn about switching and routing with as little proprietary fluff and barriers as possible. Is there any good material out there I could use and practice with in a home lab environment using equipment such as Ubiquiti switches and routers?



VPN Handshake - where is it?

Hi

I've set up an OpenVPN connection to my home router (pfSense) as a demonstration for a school project. I need to show how VPN works under the hood with the handshake, key exchange and so on.

When I inspect with Wireshark I can see a lot of OpenVPN packets, but not the key exchange. Is it possible to see it?

I was hoping some clever person here could point me in the right direction :)

Thank you in advance.
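An added example (not from the post or from OpenVPN/pfSense) that walks a constructed OpenVPN-over-UDP exchange and labels each packet by its opcode, showing that the key exchange is the TLS handshake carried inside P_CONTROL_V1 packets while P_DATA packets are opaque. It assumes plain control packets without tls-auth/tls-crypt: tls-auth inserts an HMAC after the session id, and tls-crypt encrypts the whole control channel, so with tls-crypt a capture shows only opcodes and never the handshake.

```python
import struct

# OpenVPN opcodes live in the high 5 bits of the first byte; the low 3 bits are the key_id.
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1",
    4: "P_CONTROL_V1",
    5: "P_ACK_V1",
    6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
DATA_OPCODES = {6, 9}
P_ACK_V1 = 5
TLS_HANDSHAKE_RECORD = 0x16
TLS_HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 16: "ClientKeyExchange"}


def parse_control(payload):
    """Parse a control-channel packet (assumes no tls-auth/tls-crypt HMAC after the session id).

    Layout: opcode(1) | session_id(8) | ack_len(1) | ack_ids(4*ack_len) |
            remote_session_id(8, only if ack_len > 0) | packet_id(4) | TLS bytes.
    P_ACK_V1 stops after the remote session id; it carries no packet_id or TLS bytes.
    """
    op = payload[0] >> 3
    pos = 1
    session_id = payload[pos:pos + 8]
    pos += 8
    ack_len = payload[pos]
    pos += 1
    ack_ids = [struct.unpack(">I", payload[pos + 4 * i:pos + 4 * i + 4])[0] for i in range(ack_len)]
    pos += 4 * ack_len
    if ack_len:
        pos += 8  # remote session id is only present when acknowledging something
    info = {"opcode": op, "session_id": session_id.hex(), "acks": ack_ids}
    if op != P_ACK_V1:
        info["packet_id"] = struct.unpack(">I", payload[pos:pos + 4])[0]
        info["tls"] = payload[pos + 4:]
    return info


def classify(payload):
    """Describe one OpenVPN UDP payload: data, control carrying TLS, or control/ack without TLS."""
    op, key_id = payload[0] >> 3, payload[0] & 0x07
    name = OPCODES.get(op, "UNKNOWN(%d)" % op)
    if op in DATA_OPCODES:
        return "%s key_id=%d: encrypted tunnel data" % (name, key_id)
    info = parse_control(payload)
    tls = info.get("tls", b"")
    # A TLS record header is type(1) | version(2) | length(2); byte 5 is the handshake type.
    if len(tls) >= 6 and tls[0] == TLS_HANDSHAKE_RECORD:
        hs = TLS_HS_NAMES.get(tls[5], "handshake type %d" % tls[5])
        return "%s packet_id=%d: TLS %s (this is the key exchange)" % (name, info["packet_id"], hs)
    return "%s acks=%s: no TLS record in this packet" % (name, info["acks"])


def _control(op, session_id, packet_id=0, tls=b"", acks=(), remote=b""):
    """Build a constructed control packet for the sample capture below."""
    pkt = bytes([op << 3]) + session_id + bytes([len(acks)])
    pkt += b"".join(struct.pack(">I", a) for a in acks)
    if acks:
        pkt += remote
    if op != P_ACK_V1:
        pkt += struct.pack(">I", packet_id)
    return pkt + tls


# Constructed sample "capture": client session id 01..08, server session id 11..18.
CLIENT_SID = bytes.fromhex("0102030405060708")
SERVER_SID = bytes.fromhex("1112131415161718")
# Truncated, constructed TLS handshake record holding a ClientHello (handshake type 0x01).
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00])
SAMPLE_CAPTURE = [
    _control(7, CLIENT_SID),                                   # client hard reset
    _control(8, SERVER_SID, acks=[0], remote=CLIENT_SID),      # server hard reset, acking it
    _control(4, CLIENT_SID, packet_id=1, tls=CLIENT_HELLO),    # TLS handshake starts here
    _control(5, SERVER_SID, acks=[1], remote=CLIENT_SID),      # pure ack, nothing to decode
    bytes([9 << 3 | 1]) + bytes.fromhex("000001") + bytes.fromhex("deadbeefcafe"),  # P_DATA_V2
]


def summarize(packets):
    return [classify(p) for p in packets]


if __name__ == "__main__":
    for line in summarize(SAMPLE_CAPTURE):
        print(line)
```

Wireshark's built-in OpenVPN dissector does this decoding on a real capture (use Decode As > OpenVPN if the server is not on UDP 1194) and hands the reassembled control-channel bytes to its TLS dissector, which is where the Client Hello, Server Hello and certificates appear.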



Aruba 2930 AAA Auth Configuration

Hi Guys,
I just started my new student networking technician position at a Hospital. They have very recently got on board with Aruba switches.

I'm attempting to set up RADIUS authentication as primary and local authentication as secondary on the Aruba switch. I have the local authentication working properly, but I seem to have a tough time configuring RADIUS authentication.

I've used the following lines to configure the switch. AAA using radius was not successful. Maybe I am missing something. Please let me know what are your thoughts guys. Just FYI I did go into the NPS server and enter a new client for our Aruba, but that didn't seem to work. I appreciate your help. Thanks. If you need any clarification, do let me know.

Config
radius-server host <ip-address> key <shared-secret>
radius-server dead-time 3
radius-server timeout 1
radius-server retransmit 2
aaa authentication num-attempts 3
aaa authentication login privilege-mode
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
write memory
show authentication
show radius
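To separate a switch-side problem from a server-side one, here is an added example (my own code, not Aruba's or Microsoft's) that builds a RADIUS PAP Access-Request the way the switch does, shows what the shared secret is used for in the User-Password attribute and in the Response Authenticator, and can send a single probe to an NPS server. Every value in it is constructed; the server address, secret and NAS IP are assumptions you substitute with your own.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # RFC 2865 attribute types


def encrypt_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def decrypt_user_password(cipher, secret, request_auth):
    """The server's side of the same scheme; a wrong secret yields garbage, hence a reject."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(atype, value):
    return struct.pack(">BB", atype, 2 + len(value)) + value


def parse_attrs(packet):
    """Return {type: value} for the attributes that follow the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(username, password, secret, nas_ip, ident=1, request_auth=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encrypt_user_password(password.encode(), secret, request_auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    head = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Build an Access-Accept/Reject the way the server does (used to exercise verify_response)."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack(">BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    """A client must check the Response Authenticator before trusting an Access-Accept."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def probe(server, secret, username, password, nas_ip, port=1812, timeout=2.0):
    """Send one Access-Request; returns 'accept', 'reject', 'bad-authenticator' or 'timeout'.

    NPS identifies the RADIUS client by the packet's source IP, so run this from a host that
    is registered as a RADIUS client in NPS; unregistered sources are discarded silently.
    """
    packet, request_auth = build_access_request(username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    if not verify_response(reply, request_auth, secret):
        return "bad-authenticator"  # secret mismatch on either side, or a spoofed reply
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "code-%d" % reply[0])
```

A "timeout" from a registered client IP, or a "bad-authenticator", points at the shared secret or the NPS client entry; a clean "reject" means the packet reached NPS and the network policy or credentials are what to look at next.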



Network Monitoring for MSP - looking for suggestions.

Hi,

We're looking to create a monitoring setup for a NOC-style service offering for SMB/Small enterprise customers (5-200 network devices).

In the optimal world, we'd be able to do this with a central monitoring server/servers in Azure/AWS, and a remote probe/proxy/poller at each customer. We do not have any physical hardware. If at all possible we'd like to avoid having S2S tunnels to each customer.

PRTG can do this, but sizing is a big issue here - as well as needing the core server on physical hardware.

LibreNMS looked promising at first, but the requirement for distributed pollers to have direct access to SQL/memcache etc. seems to prevent this sort of setup.

NetXMS seems to do it via proxy agents, but haven't found any documentation on whether the proxied SNMP etc. is encrypted between the core server and the agent. Not a big fan of cleartexting everything between customer sites and Azure/AWS. SNMPv3 may not be an option for all devices.

Anyone have experience with a similar setup, or have other insight on this?



Is Mediacom’s Router Throttling my Internet?

So I recently moved. I had Mediacom for a year and never had an issue. I was paying for a 100 down plan, and on a direct line I was usually getting over that and around 40 upload, and on WiFi I was usually getting around 50 down and 10-20 up. So I moved a couple weeks ago and decided to upgrade my package, and since I was going to be in a different service area I had to return my old router/modem and get a new one. So I get it installed, and everything seems fine on the direct line, getting between 300-500 down and 40-80 up. Then I go to test the WiFi. For the 2 weeks I have tested, I cap at 5 download and my upload is typically at 20-30. It's obviously time to return this and just get my own, but I was just wondering if this is a sign that they're intentionally throttling my Internet? I've never seen such a large discrepancy between a hard line and a router/modem before.



Pure DC (Direct Current) power standard for servers

Hi all – Is there a DC power standard for servers? I mean Direct Current, not datacenters, though the latter figure into the question.

I read that some (most?) datacenters are using centralized DC power instead of converting from AC to DC for every server and switch individually. In other words, servers in such scenarios don't have traditional power supplies. So what do the servers have? What sort of electrical interface is it?

And where do I get the equipment so I can experiment with it? I don't see DC servers listed anywhere, meaning servers with some sort of pure DC interface instead of the usual converting power supply.

I'm also interested in any UPSes that feed DC only to such equipment, rather than the standard NEMA AC plug.

Thanks for your feedback.



MX/MPC licensing

I'm looking into getting an MX10003 pair for SP edge. If I were to get an MX10003-LC2103-R MPC, which comes straight with an R mode license, what does that exactly mean for the built-in 6xQSFP and for the 12xQSFP28 with an additional MIC (JNP-MIC1)?

Does that mean that only the 6xQSFP ports are R mode enabled, and for additional ports on the MIC one would need an additional 2x license S-10K3-ADD6-R for the MIC ports to get R enabled as well? How do the MIC ports without the S-10K3-ADD6-R license behave in that case? Are they deactivated completely until an IR-mode 6-port extension is enabled that matches the IR mode from the MPC?

Thanks in advance!



Apple iOS IKEv2 VPN to Microsoft RRAS

We have a fully functioning AlwaysOn VPN setup for our Windows 10 devices using IKEv2 to two load balanced Windows RRAS servers. We are using certificate authentication, and have separate servers for Radius AAA, two Microsoft NPS servers.

We would like to utilize this same infrastructure for VPN for our iPhones. I have tried numerous permutations of settings on the iOS client and I cannot find a variant that works. I have also looked for anyone else doing iOS with IKEv2 and PKI authentication and cannot find someone with a working config to go off of.

The permutations result in one of two error messages on the iPhone:

"User authentication failed"

"An unexpected error occurred"

With either of these errors, I did not see any hits on the NPS servers. So it looks like it is failing before trying to authenticate. I am trying to figure out how to read the logs under %windir%\tracing on the RRAS servers however I am not finding anything useful thus far.

Using MDM to configure iPhones, VPN settings are as follows (anonymized):

Connection name: Test VPN Profile
Server IP: server.doman.com
Split tunnel: disable
Remote identifier: server.domain.com (Note: this matches the IKEv2 server certificate)
Local identifier: null
Client auth type: User Authentication
Auth method: Certificates
Certificate: For testing, I specified the one we are currently using for WiFi auth.
Certificate type: RSA
Dead peer detection rate: medium
Perfect forward secrecy: Enabled
Certificate revocation check: disabled
Use IPv4/IPv6 internal subnet attributes: disabled
Mobility and multihoming (MOBIKE): disabled
Redirect: disabled

Security Association Parameters

Encryption algorithm: AES-128
Integrity algorithm: SHA2-256
Diffie-Hellman group: 14
Lifetime (minutes): 1440

Child Security Association Parameters

Encryption algorithm: AES-128
Integrity algorithm: SHA2-256
Diffie-Hellman group: 14
Lifetime (minutes): 1440

The settings above give me: “An unexpected error occurred” error.

Does anyone have a known working iOS VPN settings for Microsoft IKEv2 with PKI they are willing to share?

Does anyone have any advice on how to read/parse the RRAS %windir%\tracing logs or other RRAS logs to help troubleshoot this?

Are there VPN logs on the iOS iPhone that I am unaware of that can help with this?

I welcome any other thoughts, experiences, resources, or suggestions?

Thank you!



CCIE R&S 5.1 Written

Been a CCNP for almost a decade, dabbled in various other technologies, but decided to re-up on my Cisco cert with a swing at the Expert level. With the new certs coming Feb 24th, I figured it would be easier to pass an existing test for which plenty of training material exists prior to the new cert roll out. Plus, I would be grandfathered in as a CCIE specialist.

My question is this - what are the best self study materials out there? I have purchased and am reading the Cisco press CCIE books and taking detailed notes, etc. but retaining that level of knowledge (and passing a written cert with it) seems tedious.

I'm not shy about buying equipment to practice (that's how I passed NA and NP), but I know there's a steeper cost.



First IT Job!

Hey, I start my first IT job next week with a company who provides infrastructure services to the legal sector. For the first couple of months I will be on helpdesk. I am very anxious as I feel like I'm not prepared. Does anyone have any tips/advice for my first few months?

Thanks!



Apple now has a wireless diagnostics profile available!

An installable profile lets you go in and see all the gory details about your connection. Much usefulness. Jerry Olla (formerly of Ekahau) posted about it on his twitter feed:

https://twitter.com/jolla/status/1180454256018706434?s=21



Suggestions on Simulated Network Testing (I.E. GNS3 or Others)

I would like to test my configuration before buying equipment.

I am setting up a core network to take into account new growth. Up till now most of the network has been rather flat, so a simple hub/spoke has been working well. I can't afford a proper stacking switch to properly take into account LACP connections from multiple devices, so I am going to have to get fancy with STP/RSTP. I want to test this before buying any equipment, or at least evaluate whether the limitations of the equipment I plan to get will make it not work correctly.

Other than GNS3, what other options are there for network emulation and testing? All I really need is layer 2, but I will have layer 3 capable switches at my disposal. I have set up GNS3 and have access to some Cisco-based router images set up as etherswitch to test with, but are there other pieces of software out there that could make my life easier/quicker to test with, as I am not super up to date on my IOS commands? While I can figure out how to do this in Cisco, I am trying to do this quickly and wouldn't mind using a GUI of some sort (think Ubiquiti EdgeSwitch) to put it together quickly. (As best as I can tell there is no Ubiquiti OS appliance available for GNS3.)

I also took a look at Open vSwitch but haven't had time to read up on how to actually use that.

Is GNS3 the way to go or are there other options?



VMware vSwitches in lab environment?

Currently have a single host for my lab, and a couple of physical switches. I’d like to have a physical 10G-SR link from the vSwitch to each of those pSwitches (the host has the interfaces available), but as near as I can tell, there’s no obvious way to have a vSwitch with multiple single physical links, and it wants to either aggregate/team the links, or use them in a failover configuration. Am I missing something (tbh, I haven’t jacked with VMWare ESX in close to a decade), or is that as good as those vSwitches get?



CCNA exam closing-help troubleshooting

Edit- solved. Stupid hasty move on etherchannel

https://hastebin.com/alixelodut.diff

Problem: I can ping Access 2 and 3 from Core 1, but can only ping Access 3 from Core 2. Need more info?

Hi is there a way I can share a text file here which has the config files of devices? I need someone to look at it and tell me where it went wrong



Adva network devices for SD-WAN solution?

Hi, I'm currently studying this Adva device but I'm having a hard time identifying some basic key points and got stuck on that. This box is connected to an OpenStack controller.

On port level may I know the meaning and purpose of the following?

  1. What is a Vport? Is it associated with the physical interface?
  2. What is an IP port? Is it associated with the physical interface?
  3. What is port0.1-transparent / service port?
  4. Can these ports/interfaces be manually configured, and is there a limit on the number of interfaces you can configure?

I would like to ask if you could share some configuration guide or manual on how to configure this, or any reference, since I'm not familiar with its syntax and how to manage it. It's also kind of hard to find references.

Thanks



Emigrating to Australia but struggling to get any replies on job ads

I'm a network engineer with 2 years of experience under my belt and I hold a CCNP certification. I was working at an ISP in London and was considered a senior engineer of my team. I used to get recruiters trying to head hunt me most days.

So when I decided to emigrate to Australia I didn't think I'd struggle so much in even getting a response from employers. So far I've applied to 40 jobs and have had 3 rejections without interview and the rest haven't replied.

My question is: is it just really hard to get a job in Sydney or am I doing something horribly wrong?



ECMP of public addresses over two Internet links

We’re in the process of setting up a geographically diverse backup site for all of our operations. We currently get an internet service into our head office which connects to a Palo Alto NGFW. All of the remote offices then connect back to HO through a variety of private links. We want to setup one of these sites which is connected by dark fibre as a redundancy site in the event of failures at HO. This site has an internet service with the same provider as the HO.

We’d like to install a second Palo Alto at the new site to connect to that internet service and run them as active/active. What I’m stuck on is how we will handle the /29 public block that we own which is currently statically routed to us through the HO internet service. We don’t talk BGP to the ISP and we run OSPF internally.

Am I correct in assuming that the provider can just put another static route on their edge to point our /29 towards the second internet link and it will just work through ECMP? The Palo Alto’s being active/active should then be able to handle any issues with asymmetric routing. Ideal scenario is that we can lose an internet connection or a firewall can die and everything will work without manual intervention.



SDN using old consumer routers running DD-WRT or OpenWrt?

I'm a computer science student and attend a university with no WiFi (yes, sad, I know); we have great wired connectivity, but it's really hard to work in classes with no WiFi (for obvious reasons).

After some discussion with friends; we've started a new program where students donate their old wifi routers to us; and we re-configure them with DD-WRT and deploy them as access points (just in the school of computing).

This has worked pretty well for us (despite the fact that the university won't fund new access points or this project).

Now, we'd like to explore the possibility of SDN, mostly for easy centralized management and the ability to hand-off devices across access points as they move (which I believe is done by the client devices right now).

Are there any platforms that would let me do this? I checked out opendaylight, but couldn't really understand how to deploy/use it.

Any help or suggestions are highly appreciated!



Friday, October 4, 2019

Multihoming with BIRD without full routing tables

I'm broadcasting a /24 through one upstream and am working on adding our second. This is my first time doing this with Linux/BIRD. I have two routers speaking eBGP to each ISP, one is giving me a default route only (0.0.0.0/0) and the other is giving me a default route along with a partial routing table.

I have the network on our side segmented into /28s, which will have each /28 on its own router and talk to the two eBGP routers via OSPF. Right now all the /28s are on one router while I set this up.

When I bring up one or the other upstream, everything works perfectly, but when I bring up both, we have problems. OSPF will choose 0.0.0.0/0 as the best path for whichever eBGP router comes up first. If eBGP A comes up first, 0.0.0.0/0 will point to eBGP A. In this case, any traffic from eBGP B will be dropped, even though the /28 is still in eBGP B router's table and "ip route show to/from/etc" shows the correct path. If I take down eBGP A, eBGP B will automatically be installed as the default route via OSPF in the /28 router and all will be fine.

Is my /28 router rejecting traffic from eBGP B in this case because it isn't seen as a valid upstream path to originate this traffic by iproute2? Do I need to add a second routing table to the kernel to mitigate this? Does anyone else have experience multi-homing with BIRD eBGP/OSPF in this way?

I've tried all sorts of other things, and really think it's related to the 0.0.0.0/0 route, and perhaps it taking precedence and creating a routing loop with the eBGP routers, or it rejecting routes on the /28 because of the origin of the traffic not matching the "default" gateway. My main goal is high availability and not load balancing, so not having the routing table to pick routes isn't a high priority for me.

net.ipv4.ip_forward is set to 1, and rp_filter is disabled while I test.



Does anyone have advice on joining a new switch stack to an existing to extend customer ports?

The place I work at has a setup pictured as follows on the left of the diagram.

https://i.imgur.com/90CijiM.png

Hoping to add a new stack in to extend the amount of copper ports/customer ports and not sure of the best approach. Current stack is a ring topology using Ruckus/Brocade campus switches and supports a maximum of 12 in the stack hence the reason for a new stack being created.

Any advice on how best to structure this moving forward would be great. Thank you.



Can I upgrade APIC/ACI from Version 1.x to 4.x directly?

I know in production I would not do that but what about a greenfield ACI lab?

I just got mine (finally) and the APIC is running 1.x...I want to skip the inter and go directly to 4.x. Is that doable? It is a blank ACI Lab kit...



Using BGP as an Alternate Path to a failed Circuit's Subnet

Hi All,

I am the Network Engineer for an international hub-and-spoke VPN-based network consisting of 164 branches and a data center with two ISP circuits in the US. Presently I have no automated redundancy (not my choice). The two ISP circuits live on different firewalls, but connect to the same 6509 core switch. The way I have it set up presently is all of North, Central and South America VPN into ISP #1 connected to firewall #1, and all of EMEA/APAC VPN into ISP #2 connected to firewall #2. The 6509 core switch then has static routes to the subnets of the branches, pointing to whichever firewall the VPN is built on for a given branch. The firewalls then have the mandatory default route out to each respective public gateway. The downside to this, of course, is that if one of the ISPs goes down, half of my sites go with it, because there is no automatic redundancy to fail the sites over, since all of this is static.

My VP came to me this morning. He wants to use BGP to fix this, but the way he understands it working is not a way that I've ever understood BGP to work. All of the coursework I have studied about BGP suggests it can be used in the following ways: iBGP backbone routing, eBGP ISP peering, or eBGP CPE peering to ISP (with prepending for failover if you have two ISPs) for WAN connectivity. However, his understanding is that you can have one firewall, with both ISP lines connected into it, and set up a trust between ISP 1 and ISP 2 and eBGP peer to both of them from your ASN to their ASN. Then, when ISP 1 fails, ISP 2 will take over in such a way that is NOT traditional active/standby circuit failover, but is rather that ISP 2 will provide the transport routing via an alternate transport path to the outside interface IP of my firewall's port connected to ISP 1 (failed ISP).

The end result would be that although ISP #1 is unreachable over its own transport infrastructure for whatever outage-related reason, BGP would change paths to provide connectivity to ISP 1's subnet IP that is assigned to my firewall outside interface port, but over ISP 2's transport infrastructure, and that would mean that all of the branch firewalls' static IPsec VPN configs (peer IP address) would never need to change to ISP 2's address when ISP 1 is technically down.

Has anyone ever heard of this? I would think if this is possible, there would be no need for SD-WAN, as this seems like the ultimate redundancy solution.



Can you pass L2 transitive traffic through an AWS VPC?

Background: Small company, ~150 users, two locations. We've got a few servers in an AWS VPC that our users access via IPsec tunnels from our edge firewalls. We have two locations that are also connected with IPsec tunnels (Palo Alto firewalls).

We're looking at getting Direct Connections from Comcast (what they're terming an Ethernet Private Line) into our AWS VPC at a specific datacenter in the NorCal region. It'll look something like this. I know when setting up VPCs in different regions and peering them to each other, you can't do transitive routing through one VPC to another as Amazon describes here.

But. Can we move transitive data from our Seattle office to our California office through our VPC, using the EPLs that are going into our VPC? Can I, for example, set up an OSPF neighbor relationship between our two locations using the VPC? We'd still keep IPSec tunnels directly between our locations as a backup, but I'd adjust the metrics to always use the VPC connection if it's up.

Am I talking nonsense here?



Is Extreme any good now?

Been seeing Extreme at a lot more places lately. Would like to know if they have any good benefits. Not looking to switch or anything just like to know what’s out there.

On Wi-Fi, what is their go-to right now? WiNG, Enterasys, or Aerohive? What are the benefits of each?

What is their main push for switching now? Is it the Avaya technologies that they push the most? Still big on SPB?

Anything they do better than everyone else?



VTP Pruning Exception list

So pretty simple question, and I can't seem to find a good explanation or solution on Google.

I have a trunk link, and VTP running. Everything works as expected, but I would like to have a simple elegant solution to prune all VLANs other than the management VLAN. There is a command that is clearly intended to do exactly this but it doesn't work. Consistent with what everyone else seems to experience my scenario is this:

This works fine:

swi trunk pruning vlan 1-19,21-1004

This kicks the error "Command rejected: Bad VLAN pruning list on this interface: Gi1/0/1":

swi trunk pruning vlan except 20

Anyone have any explanation of why this command, which is clearly intended to work in such a manner, simply errors out? I mean, I get I can just workaround it and do it the way that doesn't error but accomplishes the same thing. Just curious why this option exists if it doesn't function. Or am I just missing something?



Aerohive - Roaming and Skype/Slack issues

Hi all,

Unfortunately I'm not much of a wireless gal so hopefully someone more clever than I can help me out a little bit; I'm having two issues.

The first one is that clients, a mix of Dell XPS/Latitudes and Macbooks, are having some issues roaming. I am therefore looking into perhaps enabling 802.11k/v/r but am unsure if these are a good idea to run together? Am I even in the right mindset here or should I look to just add another access point in the mix?

The second issue is that Skype/Slack audio and video seems to be cutting out seemingly randomly even when sitting right below an AP and being connected to that one specifically, I have no idea what the cause of this could be and am wondering if anyone has experienced this before. Microsoft Teams seems to be more stable than Skype/Slack for some reason.

The access points in question are AP130s.

Thanks in advance!



CommScope Certifications to meet CommScopes Requirements for Jack Repairs

Does anyone know the exact CommScope certifications needed to complete jack repairs? I know you need to be certified to perform the repair and maintain the warranty, but I was unsure exactly what certifications were required.

I appreciate the assist!



Longshot- Anyone ever have Cisco CUIC reports where daily totals and monthly totals aren't adding up?

Our call center reports are showing different totals for daily vs. monthly reports. My boss says our Customer Service department reports this as an issue every 2-3 years, he opens a ticket with Cisco, and they say there's nothing they can do as the totals are pulled from different databases, or some such thing. Can anybody shine some light on this for me?



Why do some workstations show up and others don't time to time?

So we got a new Dell server, and while we are setting it up, we set up shared folders on two different workstations, plus a USB flash drive on ReadySHARE on a Netgear. Now some computers can see it, others don't. When I type \\Readyshare\ into the address bar, it does give me all shares in the dropdown, but it is not showing up in network computers. What could be the reason for this?



CenturyLink or Comcast for 1Gbit/s circuit... The best bad answer?

A new company that I am consulting for has the option to go with Comcast or CenturyLink for a fiber circuit. Comcast has quoted us $1600 / mo for 1Gbit/s and a few static v4 addresses. I haven't gotten CenturyLink's numbers yet, but if I do and they're comparable, which one would you pick?



11th International Conference on Network and Communications Security

November 23 ~ 24, 2019, Zurich, Switzerland

https://cseit2019.org/ncs/index.html

Scope

The purpose of this conference is to publish latest & high-quality research works on Network and Communications Security in theoretical and practical aspects. This conference aims to promote state-of-the-art research in the area of Network and Communications Security.

Topics of interest include, but are not limited to, the following

· Access Control, Anonymity, Audit and Audit Reduction & Authentication and Authorization

· Applied Cryptography, Cryptanalysis, Digital Signatures

· Biometric Security

· Boundary Control Devices

· Certification and Accreditation

· Cross-Layer Design for Security

· Security & Network Management

· Data and System Integrity, Database Security

· Defensive Information Warfare

· Game and Software Engineering

· Denial of Service Protection, Intrusion Detection, Anti-Malware

· Distributed Systems Security

· Electronic Commerce

· E-mail Security, Spam, Phishing, E-mail Fraud, Virus, Worms, Trojan Protection

· Grid Security

· Information Hiding and Watermarking & Information Survivability

· Insider Threat Protection, Integrity

· Intellectual Property Protection

· Internet/Intranet Security

· Key Management and Key Recovery

· Language-Based Security

· Mobile and Wireless Security

· Mobile, Ad Hoc and Sensor Network Security

· Monitoring and Surveillance

· Multimedia Security, Operating System Security, Peer-to-Peer Security

· Performance Evaluations of Protocols & Security Application

· Privacy and Data Protection

· Product Evaluation Criteria and Compliance

· Risk Evaluation and Security Certification

· Risk/Vulnerability Assessment

· Security Models & protocols

· Security Threats & Countermeasures (DDoS, MiM, Session Hijacking, Replay attack etc.)

· Trusted Computing

· Ubiquitous Computing Security

Paper submission

Authors are invited to submit papers through the conference Submission system by October 05, 2019.

Important dates

· Submission Deadline: October 05, 2019

· Authors Notification: November 12, 2019

· Registration & Camera-Ready Paper Due: November 15, 2019

Contact us

Here's where you can reach us: ncs@cseit2019.org



Cisco Containers for CI/CD?

Hello,

Less on the CD Here.

I am now a DevOps/Cloud dude however, I have a deep background with Networking. I want to write playbooks to configure Devices and offer those playbooks to anyone. Are there any of these containers available?

My goal is to have them run in like GitLab automatically as part of a pipeline.

Cisco because that's what I'm used to, but there are plenty of other companies I like.

Thanks Family.



DDOS flood attack on our internet Edge Router

We are seeing a lot of traffic (TCP packets with the URG flag bit set) coming from multiple IPs destined to our Edge Router (CISCO2911/K9) on ports 3153, 16169, 13386. This is basically causing the router to go to 99% CPU usage.

Should this control-plane policy effectively block it? Any suggestions?

class-map type port-filter match-all CLOSED_PORTS-FILTER
 match closed-ports
!
policy-map type port-filter CLOSED_PORTS
 class CLOSED_PORTS-FILTER
  drop
!
control-plane host
 service-policy type port-filter input CLOSED_PORTS
!

Right now I'm waiting for the attack to come back to check whether this will work or not.
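As an added example (not from the post or from Cisco), a small check run over constructed flow records: it groups URG-flagged TCP floods by destination port and reports which of them the closed-ports port-filter policy above would actually drop, since that policy only matches ports the router itself is not listening on. The open-port set is a constructed assumption; on the router it comes from show control-plane host open-ports.

```python
import re
from collections import defaultdict

# Ports the router itself listens on (constructed assumption; on IOS take the real
# list from "show control-plane host open-ports").  Anything else is a closed port.
OPEN_PORTS = {("tcp", 22), ("tcp", 179), ("udp", 161), ("udp", 123)}

# Constructed flow records, one per source, in a simple key=value summary format.
SAMPLE_FLOWS = """\
src=198.51.100.7 dst=203.0.113.1 proto=tcp dport=3153 flags=U pkts=4200
src=198.51.100.9 dst=203.0.113.1 proto=tcp dport=16169 flags=U pkts=3900
src=198.51.100.23 dst=203.0.113.1 proto=tcp dport=13386 flags=U pkts=4100
src=198.51.100.24 dst=203.0.113.1 proto=tcp dport=13386 flags=U pkts=2200
src=198.51.100.31 dst=203.0.113.1 proto=tcp dport=22 flags=U pkts=3800
src=192.0.2.10 dst=203.0.113.1 proto=tcp dport=179 flags=PA pkts=12
src=192.0.2.11 dst=203.0.113.1 proto=udp dport=161 flags=- pkts=30
""".splitlines()

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+) flags=(\S+) pkts=(\d+)")


def parse_flow(line):
    """Turn one summary line into a dict, or None if it does not match the format."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    src, dst, proto, dport, flags, pkts = m.groups()
    return {"src": src, "dst": dst, "proto": proto, "dport": int(dport),
            "flags": flags, "pkts": int(pkts)}


def urg_flood_report(lines, open_ports=OPEN_PORTS, min_pkts=1000):
    """Aggregate URG-flagged TCP floods per destination port and state whether the
    'match closed-ports' port-filter policy covers each one."""
    per_port = defaultdict(lambda: {"srcs": set(), "pkts": 0})
    for line in lines:
        f = parse_flow(line)
        if not f or f["proto"] != "tcp" or "U" not in f["flags"] or f["pkts"] < min_pkts:
            continue
        per_port[f["dport"]]["srcs"].add(f["src"])
        per_port[f["dport"]]["pkts"] += f["pkts"]
    report = {}
    for dport, agg in per_port.items():
        closed = ("tcp", dport) not in open_ports
        report[dport] = {
            "sources": len(agg["srcs"]),
            "pkts": agg["pkts"],
            "port_filter_drops": closed,
            "note": ("closed port: the port-filter drop class handles it" if closed else
                     "open service: port-filter does not match it; needs a policed CoPP class"),
        }
    return report


if __name__ == "__main__":
    for dport, r in sorted(urg_flood_report(SAMPLE_FLOWS).items()):
        print("tcp/%d from %d sources, %d pkts: %s" % (dport, r["sources"], r["pkts"], r["note"]))
```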



Could use some help on cisco switch config.

Hi everyone,

First time posting. I'm relatively new to networking. Got my Network+ cert but I'm not a super savvy network admin. Mostly a book worm and just having the opportunity to apply my knowledge at work. To the point. I'm installing Grandstream VoIP phones on 5 cisco catalyst 2960 switches.

The issue we have on one switch in particular is trying to connect multiple devices (phone, PC, printers, etc.) on an unmanaged switch to the port. Either the phone will connect just fine, but when a PC is plugged in the "network down" status on the phone comes on and nothing works, or if I have the PC plugged into the unmanaged switch it will run fine, but then plugging in the phone, the phone won't connect (network down). So it seems to be one or the other, but they work with everything else plugged in; it's just a conflict when the PC and phone are connected.

I've tried static IPs on the phone, voice VLAN, Cisco phone and PC on the smartports, different dummy switches, changing port security features, and comparing configs to working ports, and there is nothing different that I can see. When looking at port security on a particular port, 3 MAC addresses show up but the phone won't. I've tried to change VLAN settings in the phone itself and nothing works. I've set access on those ports to the voice VLAN and a data VLAN I created and nothing. If I had hair I'd be pulling it out right now. Any help with suggestions that you can explain is greatly appreciated. The dummy switch is a Netgear and it's 4 PoE and 4 regular ports to the incoming wall. Cables are fine; everything is Cat 5e and above. LLDP is enabled globally. I tried to look at port security, saw that 2 MAC addresses were enabled per port, and set that to 10 to test that. I've plugged the phones directly into the ports from the switch and they will run fine in each one.

Thanks for anyone that helps out.



I need advice on how to avoid being dragged down by a messy team and terrible management.

We have lost a lot of great engineers very quickly, currently the remaining team members are very new and many of them are very anxious about learning difficult/new topics. Most are happy to work on what they know and I feel this starting to rub off on my behavior. Almost like a shared sense of hopelessness. I've seen this before at University where a large group of the cohort refuse to learn something and find other people who are in the same boat. They form somewhat of an echo chamber and this just perpetuates the self-doubt.

The managers are non-technical and so focused on appeasing their upper managers they forget they're actually managing people, not robots.

I understand that "just change jobs" would be a practical solution, but unfortunately I want to become stronger-willed and not just run. I've found that most jobs are no better and this one pays well.

PS: I work at a vendor TAC

Some thoughts so far:

  • Isolate myself and focus on my own work

  • Work from home more often

Any thoughts, ideas?



Thursday, October 3, 2019

VLANing my management network

I'm a complete neophyte at VLANS. I understand the basics, but I want more!

I have a network with a half dozen sub offices all on MPLS links.

I was wondering if it is possible to "span" a single subnet across all the sub-offices for my management network

site 1 - 172.22.28.x

site 2 - 172.22.40.x

site 3 - 172.22.48.x

site 4 - 172.22.56.x

Management vlan across all sites - 172.22.4.x

Or is that bad/wrong/stupid?

Switches are Dell.



Why do people not encrypt data over MPLS and leased lines?

I've been reading a lot of stuff about SD-WAN lately, and I constantly see examples where people are like:

So I've got a VPN tunnel that I use as a failover if my MPLS isn't working [...]

I also have heard it from my peers several times over the years - stuff like:

Well maybe we don't need the bigger firewall if we have this point to point and the IPsec is only used as a backup.

I have spent my last 6-7 years in IT in sectors where there's very sensitive data (defense, banking, healthcare), and to me, an MPLS connection is just another connection over an untrusted network (i.e. a network that I don't control), and I wouldn't dream of sending unencrypted packets across it. According to HIPAA, if my service provider takes a PCAP, I've gotta report a breach.

Is it just me, or do a lot of people actually use MPLS without IPsec?



Arista, Aruba, Juniper - multi-site deployment

A little background first:

200 users, dispersed across 27 locations. We are looking to refresh switching and access points.

We’d prefer to go with a single vendor but understand it may not always make sense - cost, features, limitations, etc...

Also our corporate office has 7 servers - so we’ll need some 10g networking there, replace the core (collapsed or leaf/spine?). We’re mostly layer 2. All routing is on our firewalls. We would like to do some L3 on switches but we’re not there yet.

I looked at Juniper and seems the EX2300/3400 would be great for access switches and the 4600 for the core.

The Aruba 2540 and 2930 for access, 3810 for core?

Not too familiar with Arista models yet. Same goes for the APs across the three.

Then there’s the storage network - we use iSCSI. Maybe EX4600, 3810M, 7050?

What would be your go-to?

What are some strengths and weaknesses?

Especially on cloud management side of things since we’d like centralized control, monitoring, etc...

I see a lot of praises for all 3 and a lot of issues with them as well. Juniper seems to have okay support and buggy firmware, I haven’t seen anything particularly bad with Aruba except for maybe the APs not being on a controller. Arista seems more DC focused and expensive...?



Our NOC is being moved into a different building and we have the ability to weigh in on the remodel. My supervisor has asked us NOC leads for input. If you were remodeling your NOC, how would you change up your area to make it better?

Like the title says, our NOC is moving into a different building that has a large room in it (probably 30 feet wide by 50 feet long if I had to guess) and a remodel will be taking place. If you guys/gals had the ability to change up your current areas (or NOCs if you work in one), what features would you want in the room? I am a big proponent of comfort since we're in here 8-12 hours a day so why not at least be comfortable? We'll have windows to the outside finally (hooray!!) so that will be nice. We have 12 NOC techs currently as well as three of us leads and our supervisor.

What sort of desk setups would you choose? Standing or sitting? I am trying to think of everything and anything I can and figured why not ask those who do the job daily what they would choose? I've done some searching already and in the older threads it was always setting up a NOC from scratch. We've been established now for almost 20 years so our procedures/escalation paths/etc. are good to go.



PLC Remote Access with VPNs with same IPs/Subnets on the PLC

Hey everyone, I hope someone can help me. I have SoftEther running on Windows Server on a VPS. I have successfully set up the server and clients and can connect via PC and the 4G LTE router (Teltonika RTU240) and can access a Siemens S7-1200 PLC. I have a NAT set up on the VPN server with 192.168.5.1, have given the PLC a static IP of 192.168.5.10, have set a static IP on the TAP interface on the PC with 192.168.5.15, and have installed a virtual Ethernet adapter (Microsoft loopback), assigned it a static IP of 192.168.5.20 and bridged the connections in the SoftEther server to the virtual hub. This now gives me access from the server to the PLC (I can ping the PLC from the server and the engineering PC). I can connect to the PLC from the PC fine.

The problem I now have is that I have a lot of PLCs at remote sites already set up, and they all have the same subnets and cannot be changed (they are connected to other devices in the network I have no control over). I have thought about setting up individual NATs on the routers I will be installing, but it seems the OpenVPN TAP client in the router is bridged to the local LAN and can't be altered.

The other issue I see is that the SCADA software running on the server needs to access these PLCs (I set the PLC IP address in the software for which one they connect to). I now have an issue as they all have the same IP, so I was possibly thinking about setting the PLC IP in the software as the NAT IP set on the router and then creating a static route to the PLC on the router.

If I need to access PLC network from Engineering PC I will just connect to server and set the TAP IP to the NAT the PLC is on and may need to cascade the connection to that particular virtual VPN Hub.

I will link a diagram for a better understanding

If anyone has any better ideas or ways of achieving this would be great

https://imgur.com/O0IR8Rw



Enterprise Switch Help.. AP plugged into switch not showing on switch.

I am trying to figure out which switches are on which floors, so I followed ap to patch panel to switch.

When I go into the switch back end, it seems to have few to no clients connected, none which are the AP.

Many APs are visible on other switches but none of the switches that I traced the APs to are saying they have APs connected.

The switches are linked together. Could anybody shed some light on how this works or maybe some reading resources to figure out why this is behaving this way? It looks like one switch is mapping the APs to another switch but I would like to know how this is happening and how to trace where they originate and end.

Edit:

Aerohive switches SR2324P and 2224P. Aerohive access points AP250,122,150W



I saw a post about airline content filtering that works even if the user has a vpn. Do you all know where I can find that thread?

I think it was a post on here in the last few months. Any help is appreciated.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Cisco ISE Wireless 802.1x Compute Auth

I’m setting up Cisco ISE with a Cisco WLC to allow only domain-joined computers on the network (that single SSID). It’s a Windows 7 native supplicant which I configured for WPA2 Enterprise AES and used the Computer Authentication Only option (in the new wireless network setup).

The client is unable to connect. ISE is showing the following error: “client didn't provide suitable ciphers that are allowed on ise”

I have my policy admission criteria configured to Radius called station ends with [ssid name]. Inside of the policy AuthC is set to check AD and AuthZ is configured to PEAP and Member of domain Computer.

This is on ISE 2.6 patch 2.

Any idea why I get the error in the ISE live logs “client didn't provide suitable ciphers that are allowed on ise” and the client is unable to authenticate?

Also if I remove ISE and just use PSK on the WLC client is able to successfully connect.



3PCC Cisco phones

Hi guys,

Would really appreciate some help on this one. A client ordered CP-7841-3PCC & CP-8865-3PCC phones. Today he comes back to us saying the 3PCC firmware is not compatible with ''Cisco Unified Communications Manager (CUCM)''. After searching the internet for a couple of hours I did not get any wiser. Is there a way we can make this work? Or is there a way to change the firmware on the phones to 'K9' so it would work?

Thanks in advance!



Viptela on Eve-ng, vedge and vmgmt stuck?

Currently building a Viptela lab and I would like to ask if maybe you have encountered this kind of issue. My vEdge and vMgmt are not running. I copied the YML details from the documentation to all of my Viptela components, but these two seem not to be working. Do I need to tweak something in the YML file?

Heres the output image:
https://imgur.com/a/SgVx7uR

Also maybe you can answer the questions below.

  1. vEdge and vBond have the same image, which is also documented in the EVE-NG method. Is this correct, and can I still run a lab with it?

  2. Have you used any serial/license to run this?

  3. How do you configure the vManage, is it via CLI or web (I suppose this should be via web)?

Currently using a VMware hypervisor and EVE (free) 2.0.3-95 with 12 CPUs and 24 GB memory; is this OK?

Thank you



Cisco SG200-08 latest firmware really from 2014?

https://software.cisco.com/download/home/283454003/type/282463182/release/1.0.8.3

Is it because this model was basically a Linksys switch?

All of the other SG200 models have recent firmware updates from what I'm seeing. I just wanted a switch that has the ports in the back while offering VLANs and LACP that wasn't TP-Link.



YACAV - Yet Another Cisco ASA Vulnerability



Adding BFD to multiple (100+) eBGP sesions on an ASR1000

We have around 100+ eBGP peers to customers. We use BGP for failover purposes on their assigned ranges. Obviously the timers for BGP can be a bit long so if their WAN goes down then failover can take a few minutes. This hasn't really caused us any problems but it would be nice to have a faster failover.

Has anyone noticed whether adding BFD to multiple BGP peers adds much of a performance hit at all? This would be on ASR1002 routers, but I would also probably want to add it to MX104 PEs as well.

thanks



Netmiko ASA Failover Issues

Hello everyone. I've run into a roadblock with creating my own "in service" upgrade software script in python, and I'm hoping someone has already solved this problem:

Whenever it is time for me to send a forced failover to an ASA HA pair (in this case it is active-passive), I am able to fail over the device, but the script will hang until the default timeout period has expired. When that happens, my whole script quits. This part I understand, because when you send the command "failover exec standby failover active" the SSH connection will break, which is expected. I've tried breaking the connection with the net_connect.disconnect() function after sending the command, but of course it cannot get that far. Netmiko is stuck trying to look for the prompt when the SSH connection is broken. I should mention telling the ASA to reboot and force a failover is not desired, as there is a large (10s) delay in handing over services to the secondary.

The end goal is to have my script continue with a new ssh connection. The workaround I thought of for this is to break up the upgrade process into multiple scripts, but that isn't really a fix. Source is here if anyone is interested (please excuse the formatting, it's not finalized).

Edit: I've solved the problem in the comments.
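An added example, not the poster's script, of the pattern described above: treat the SSH drop after the failover command as the expected outcome and then reconnect to whichever unit is now active. It assumes the pair is reached through its shared (active) management IP, that `show failover` prints a "This host: ... Active" line, and it takes a hypothetical injectable connect() so the logic also runs offline; netmiko itself is optional.

```python
"""Keep a Netmiko-driven ASA upgrade going across a forced failover.

Assumptions (not from the post): the HA pair is managed via the shared
active IP, so the new active unit answers on the same address after the
switchover, and `show failover` contains a "This host: ... Active" line
once the unit is active. connect() is injected so no device is required.
"""
import time

try:
    import netmiko
    ConnectHandler = netmiko.ConnectHandler
    # The exception's name changed between netmiko releases; accept either.
    NETMIKO_TIMEOUT = (getattr(netmiko, "NetmikoTimeoutException", None)
                       or getattr(netmiko, "NetMikoTimeoutException", None))
except ImportError:  # netmiko not installed: the offline fakes still work
    ConnectHandler = None
    NETMIKO_TIMEOUT = None

# Errors that mean "the transport went away", which is what we expect here.
DISCONNECT_ERRORS = tuple(e for e in (OSError, EOFError, NETMIKO_TIMEOUT) if e)

FAILOVER_CMD = "failover exec standby failover active"  # command from the post


def send_expecting_disconnect(conn, command):
    """Send a command whose side effect kills the SSH session.

    A transport error here is the *expected* outcome, reported as True.
    A clean response means the session survived (the command did not take
    effect), reported as False so the caller can stop and investigate.
    """
    try:
        conn.send_command(command)
    except DISCONNECT_ERRORS:
        return True
    finally:
        try:
            conn.disconnect()
        except Exception:  # socket already gone; nothing left to close
            pass
    return False


def this_host_active(show_failover_output):
    """True if the 'This host:' line of `show failover` reports Active."""
    for line in show_failover_output.splitlines():
        if line.strip().startswith("This host:") and "Active" in line:
            return True
    return False


def reconnect_until_active(connect, attempts=12, delay=5, sleep=time.sleep):
    """Reconnect until the unit answering the shared IP reports itself Active.

    `connect` is a zero-argument callable returning a Netmiko-style
    connection (or raising). Sessions to a unit that is not yet active are
    closed again so we never run upgrade steps on the wrong peer.
    """
    last_error = None
    for _ in range(attempts):
        try:
            conn = connect()
            if this_host_active(conn.send_command("show failover")):
                return conn
            conn.disconnect()
        except DISCONNECT_ERRORS as exc:
            last_error = exc
        sleep(delay)
    raise RuntimeError(f"no active unit reachable after {attempts} tries: {last_error}")


def force_failover_and_resume(connect, sleep=time.sleep):
    """Force the failover and hand back a fresh session to the new active unit."""
    conn = connect()
    if not send_expecting_disconnect(conn, FAILOVER_CMD):
        raise RuntimeError("session survived the failover command; check HA state")
    return reconnect_until_active(connect, sleep=sleep)


if __name__ == "__main__" and ConnectHandler is not None:
    device = {  # placeholder values; replace for a real pair
        "device_type": "cisco_asa",
        "host": "192.0.2.10",
        "username": "admin",
        "password": "PLACEHOLDER",
        "secret": "PLACEHOLDER",
    }
    new_conn = force_failover_and_resume(lambda: ConnectHandler(**device))
    print(new_conn.send_command("show failover state"))
    new_conn.disconnect()
```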



Palo Alto Management Access

Pretty new to Palo Alto but so far very impressed with them. I have what seems like a pretty routine task, but I can't nail it.

We have a PA220 that we manage for a customer. We have a management profile applied to the outside interface, allowing https, ssh, and ping from our company public address. It works as expected.

Cogent wants to monitor it as well with pings, but if we add their source IP addresses to the management profile, they will also have the ability to ssh and https. I know they can't login, but on principle they should only have pingability.

It's not possible to assign multiple management profiles to an interface. And it looks like when we add a regular security rule to allow pingability on the outside interface from a specific source, the management profile takes precedence.

I was considering removing the management profile and using only security rules to allow our management access and Cogent's monitoring. I also read something about NATing to a loopback address, but that sounds overly complicated. And something about configuring the management interface as another security zone, but again that sounds like it shouldn't be needed.

I've done a fair amount of Googling and so far have not found the ideal solution. I even found a Reddit question for the exact same scenario, but nobody actually answered the question.

Any suggestions?



Cisco 9800-CL on hyper-v?

Need to deploy one of these as we have a bunch of new compatible access points, and our current/old WLC is end of support/EOL.

Officially it only supports AWS/KVM/ESXi, but has anyone tried running it on a Hyper-V host?

Our only current ESXi host is falling to bits, but we have a couple of new Hyper-V clusters it can run off if it works in Hyper-V.



Unusual behaviour of ping responses

Hi everyone!

Have a curious situation here, and I THINK I know why it's happening, but I just wanted to confirm. We are currently testing some new ACLs where I work, and we are getting some unusual responses to our test pings. When we attempt to ping a gateway (say 10.2.2.1) from a network (192.168.0.0/24), the ACLs work correctly. When we attempt to ping a network/broadcast address (/24, so 10.2.2.0 or 10.2.2.255) I BELIEVE the router is proxy-ARPing back with the interface closest to the source, so say 172.16.1.1 for example.

My question is: why does the router respond with a proxy ARP when it's the network/broadcast address, and not any other address behind the network? Is it because it sees itself as 'owning' those addresses, or belonging to that subnet on those addresses?

Any further info on this would be greatly appreciated!

Steve



Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication



10Gb noob

I'm really wanting 10Gb Ethernet as I would quite like a faster network connection. What else would I need if I haven't listed it?

  • Cat7 Ethernet cable

  • 10Gb switch

  • 10Gb network card



Trying to create a network infrastructure for a medical clinic

I am new in this field, as I am a trainee security engineer, and I'm also on my way to getting my CCNA certification.

I was asked by a friend of mine if I can create the network infrastructure for a medical clinic with 8 doctor's offices that he just built, and I am wondering what I should primarily focus on.

Apart from the AD, routers and switches, what is mandatory in this network? I am not really sure if I should choose between a firewall or an IPS, or have both of them, or something else, as there will be protected health information that shouldn't ever get outside of the network.

Some help / pieces of advice would be much appreciated. Thank you



Buying C15M cables in bulk?

I'm in the middle of color coding all cables in a datacenter and I'm having trouble finding C15M cables for Juniper/Cisco devices.

I need several lengths and several colors, I can't seem to find that online. Does anyone have a good source for them?



More Access Points or Fewer Higher Density Models?

Hi

When planning Wi-Fi deployments for high density environments such as open plan office spaces, is it best practice to go for more access points to spread the load, or fewer access points but of a higher end model (e.g. more antennas etc.)?

We are a Meraki user and I am weighing up whether to go for the Meraki MR33 or one of the higher end models such as the MR42 or even MR45, taking into account that for the price of one of these I could get at least 2 MR33s.



Wednesday, October 2, 2019

How important is it to replace carpet flooring in a future MDF?

Hello! I wanted to know the importance of replacing carpet with VCT tile for our future MDF. I will be bolting down a rack on the floor which will hold network & server equipment.

Based on the room size, the estimated cost to replace with VCT tile and replace the base cove would be around $120 + labor. I am aware of static concerns but has anyone dealt with this same situation? If so, what should be done? The people in charge only want necessary changes, so I need to give them reasons to replace if needed.

Thank you.



Able to ping external but unable to ping own network

Has anyone come across such an issue before?

I have two Linux VMs, each with their own IP address and sharing a virtual IP.

From the two VM:

  • can ping external IP
  • cannot ping IP within same subnet (even gateway)

From machine in same subnet

  • can ping everything except the two VM and virtual IP
  • cannot hit any open ports on the two VM

From external network

  • can ping the two VM
  • can access all open ports on the VM

Things I have done:

  • check virtual adapter is correct
  • net mask is correct
  • no mac address collision
  • disconnect one of the VMs and ping the other (unable to)
  • arp table on gateway has mac address of both vm and virtual IP


How to pick the best router to match with ISP speed limits

I am looking for a new home router. We have been using a pretty basic one for years (Linksys E1200) and I think it is time for an upgrade.

I must say that I have no issues with this current router, other than wanting better coverage outside our home to extend to the back deck and front lawn. We’ve had no major issues with speed, although the newer ones with dual-band could be faster? I use one wireless extender to boost the signal in the bedrooms, and it works quite well.

We get our internet via a satellite dish, and according to our ISP the top speeds are 30 Mbps down and 5 Mbps up.

I know these numbers are pretty basic and nowhere close to city residential speeds. Is this perhaps the reason why this basic router has been enough for us?

I have been looking at the newer models and their specs and prices seem overkill given the limitations of our ISP.

My current router is single-band Wireless-N at 300 Mbps. If real wireless speeds are cut in half due to interference, this means it is still more than capable at 150 Mbps given that it only takes 30 Mbps as input. Is this correct?



Cisco SG350XG-24F Crash from request to neighboring DNS server

Hi all,

My workplace has a few buildings that use an HP 5130 as a distribution switch; all of those HP 5130s connect to a single Cisco SG350XG-24F as the (new) main switch/router (replacing an aging HP 5500). The Cisco connects to a Mikrotik CCR1036 as the main gateway/firewall/router.

Since Mikrotik NAT reflection is causing problems, we used DNS interception (between the main switch and the gateway) to redirect requests for a domain name with a public IP to an internal IP. This used to work when using the old A5500 (for some years), but it does not work with the Cisco SG350XG (it will crash, then reboot, the Cisco).

Just for a test, I enabled the DNS service (allow remote requests) on the Mikrotik CCR gateway and tried to query it from a client connected directly to the Cisco (a simple dig @gateway reddit.com); as soon as I hit enter, the Cisco would blink all its lights and then reboot.

Does anybody have any idea about what's going on?



Juniper SRX345 WAN Interface DHCP Issue

I've been asked to configure an SRX345 for a small office (it's a leftover from a DC we've moved out of) and I'm having a terrible time getting a DHCP address on the WAN interface. The only address I ever get is 192.168.100.10, which is obviously the cable modem fallback address.

srx345> show dhcp client binding detail
Client Interface/Id: ge-0/0/0.0
Hardware Address: 40:71:83:2b:20:01
State: REQUESTING(LOCAL_CLIENT_STATE_REBOOTING)
Server Identifier: 0.0.0.0
Client IP Address: 192.168.100.10
Update Server Yes

I get this 192.168 address for a few minutes, and then it goes back to 0.0.0.0.

This is the config for the device:

version 15.1X49-D140.2;
system {
    host-name office-srx345;
    time-zone UTC;
    root-authentication {
        encrypted-password "xxxxxxx"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    name-resolution {
        no-resolve-on-input;
    }
    login {
        user nouser {
            uid 2006;
            class super-user;
            authentication {
                encrypted-password "XXXXXXXXXXX"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        dhcp-local-server {
            group default {
                interface ge-0/0/1.0;
            }
        }
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server us.ntp.pool.org;
    }
}
security {
    log {
        mode stream;
        report;
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone employeeData;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone employeeData to-zone Internet {
            policy All_employeeData_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone employeeData {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp-client {
                    update-server;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.254/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 172.31.249.11/24;
            }
        }
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
    rstp {
        interface all;
    }
}
access {
    address-assignment {
        pool default {
            family inet {
                network 192.168.1.0/24;
                range default-pool {
                    low 192.168.1.20;
                    high 192.168.1.199;
                }
                dhcp-attributes {
                    name-server {
                        8.8.8.8;
                        8.8.4.4;
                    }
                    router {
                        192.168.1.254;
                    }
                }
            }
        }
    }
}

I can plug in my laptop to the connection and pull a valid public IP, so I know everything upstream of me is fine. I did find some older documents referring to a need to increase the ttl, so I updated net.inet.ip.mcast_ttl via the shell and no success there. Anyone run into this before?

EDIT: System OS version JUNOS 15.1X49-D140.2



Finding prices for research

I'm working on a risk review / case study for a security class and part of it is estimating prices for what I want to recommend to install. I'm having trouble tracking down legitimate prices of solutions, as everyone wants to sit down with you and give you their pitch before they'll discuss price. As a full time night student, father, and full time employee, I don't have time to go through that with every little device.

Is there somewhere I can quickly go and find prices for common solutions?

For example, I want to install an IDS. Computer World says a Cisco Secure IDS starts at $8000, but I can't find where to verify that price, or what model and version that is referencing, from a first hand source.



Cisco SAN Zone Creation HELP!!!!

Need some help sorting out best practice vs what other people decide to do.

I have been tasked with creating a new storage zone for a new server in our system.

SAN Switch: Cisco MDS 9250i - 2 for fabA, 2 for fabB.

Storage: Hitachi Gwhatever

Platform: Cisco UCS with VMware

Questions I have:

  1. I am seeing zones using only FCaliases or only device-aliases. SOMETIMES I AM SEEING ZONES WITH ONE FCALIAS AND ONE DEVICE-ALIAS TOGETHER IN THE SAME ZONE.
    1. Isn't it preferable to use device-alias over FCalias?
    2. Is it safe to assume our SAN switching has had multiple hands in it and one tech preferred FCalias and one preferred device-alias, and now I'm seeing their work put together in fancy ways?
  2. I am assuming FCalias and device-alias can be used together in a zone as long as the FCID remains correct for its use?
    1. Caveat that an FCalias that's created in a VSAN has to stay there, but a device-alias can be used across any VSAN?
  3. Can you have a PWWN as both a device-alias AND an FCalias?
    1. I'm guessing this is not advisable, because why would you?


Can you connect a single fiber media converter to a switch?

Recently took over a network, one of the sites is using 2 pairs of media converters for some longer runs to pole mounted cameras. My question is, do I need to maintain a media converter on both ends of the run, or since I have available fiber ports on my switch can I connect the near side right into the switch and leave the media converter on the far side?

It's not a high priority endpoint so I can just give it a try, but I need to order some multimode patch cables and SFPs. Wanted to ask before I spent the money. Switches are Cisco btw.

Thank you!



Is luxul any good?

At my work we have a client that wants us to redo their patched together network. He asked me if I could get a list together of products. I was used to Ubiquiti so I put a list of parts and prices together and handed it off to my boss. My boss then asked if I would feel comfortable using Luxul and what I thought about it. I know why he wants to use Luxul: it's the price we can buy it for through our vendors compared to Ubiquiti. I've used their switches before with IP camera systems but never anything else. I'm very cautious about what I like to call AV network gear and I'm having a hard time finding any kind of non-promotional Luxul information. Was curious what anyone here thinks of them and whether they are OK equipment for a small business?



Assistance with Cisco Prime

Hello All! I'm attempting to learn Cisco prime and am trying to create a template that will target only access ports (switchport mode access) and am having a hell of a time figuring this out. Would you be able to assist? Any help would be much appreciated.

Thanks!



Multicast Rendezvous Point Traffic Flow

Probably a pretty basic question but I can't find clarification on my question:

We have HQ and multiple branches. One of our branches was the only one needing multicast for their door video system (on its own subnet) so we had a multicast rendezvous point inside their site. Needs changed and now HQ needed multicast for certain equipment that took higher priority so we moved the RP to the HQ site. The door video system at the branch site still "sorta" works but video either freezes or is very choppy.

My question is: When someone presses the doorbell at the branch site, does that multicast traffic flow to the HQ's RP and then back to the branch site? Or, does the multicast traffic take the known best route which would be only one hop away at the branch site?

Thank you in advance!



Windows DNS Server and Root Hints

Our POS vendor fat-fingered some migration of their licensing server so the www subdomain was not resolving to anything. And that is the URL that the software is reaching out to for license info. After a lot of back and forth it seems it is finally resolving on 'most' name servers. But of course it is not resolving on the root servers defaulted in our Windows DNS server for our domain. I added dns.google [8.8.8.8] to the root hints as it is resolving with them. But it is still not on that particular domain. Is there something I am missing or some other thing I need to poke to get it resolving? I've not had to mess with Windows DNS server a whole lot as it usually just works and we don't have very complicated needs. I've seen where adding a Forwarder is discouraged in this scenario. Is that right?

The URL in question is: www.microsale-pos.net



I'm lost on what certification or skill I should learn to develop my career path.

I graduated this August 2019 and got a job as a 'Network Engineer' at a large telecommunications company.

I'm kind of looking for a certification or some course I can do, apart from my job, so that I can put it on my resume to show that I'm continuously learning. Something like a marketable skill and also to keep myself busy.

I currently have CompTIA A+, Cisco CCENT (similar to Network+), Cisco CCNA Cyber Ops, and CompTIA Security+. (I'm not really looking to start on a Cisco certification right now due to them being changed in 2020)

The thing is, I don't know what certification to do and was hoping I can get some recommendations on what skills to learn. My interest lies in Networking and Cybersecurity.



Handy tools? Software? Want to help my team spend end of year budget

Hi r/networking!!

Boss told me we have an "undisclosed" amount of money and is taking suggestions on the network team's wish list of tools or ideas to spend it on.

Anything handy or cool you guys use?

Not looking for super expensive automation software or stuff like that; just the smaller stuff



Help with subnetting by hand

I have to subnet by hand for my MS Servers class. I have tried subnetting in other classes for the last 4 semesters of school and I cannot understand it. Is there anyone that would be willing to maybe hop in a Discord call and help me out?



Automating graphs / metrics

Hey all,

We use a combination of LibreNMS and Grafana / Influxdb / Telegraf for graphing and metrics. LibreNMS makes it possible to just drop in a device and go. It also currently does our alerting. We use grafana with telegraf separately due to the fact we can get much better and more granular graphs this way, with 30 second polling.

One thing that's been nagging me for a while is figuring out how to automate the creation of graphs with telegraf and grafana.

Anyone have any good experience with automating the Telegraf / Grafana part of this picture? LibreNMS is great as a catch-all for graphs, but Grafana is far better for graphing.



configure terminal revert

I've seen so many old posts on this I don't know how commonly it is used. We are running IOS 15.5 or IOS XE Everest on our devices. Is anyone using it regularly on either of these IOS versions? I know some older versions had issues, so I'm wondering if we can feel safe on newer IOS versions.



Is there a specific order in which I should connect an SMA antenna to a PCI express wifi card?



i need help with layer 3 inter vlan routing and pinging my layer 2 switch.

I'm having trouble with pinging my layer 2 switch.

I created VLAN 99 on my layer 2 switch and I want to use it as my management SVI.

So on VLAN 99 I assigned an IP address of 10.0.0.4 255.255.255.248

and for the default gateway I used 10.0.0.1.

I made trunk ports on both my layer 2 and layer 3 switch: on my layer 2, int g0/1, and on my layer 3, int g1/0/23, are trunk ports and allow VLANs 1-99 through.

And on my layer 3 switch, interface g1/0/24 is connected to a router and I used the no switchport command

and gave it an IP address of 10.0.0.2 255.255.255.248 on int g1/0/24.

My router int g0/1 has an IP address of 10.0.0.1 255.255.255.248.

But for some reason I can't ping my layer 2 switch VLAN 99.

Why?
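The subnet arithmetic from the subnetting-by-hand post, the network/broadcast distinction from the unusual ping responses post, and the /29 addresses above, worked through in one added example (not from any poster): it computes each range the way you would on paper and flags that 10.0.0.0/29 is assigned on two different L2 segments. The segment names in LAYOUT are constructed labels for the topology described, not from the post.

```python
"""Subnetting by hand, applied to the 10.0.0.x/29 layout in the post.

The layout is constructed from the post's own addresses; the segment
labels are mine. Nothing here talks to a switch.
"""
import ipaddress


def subnet_by_hand(ip, mask):
    """Work out network/broadcast/host range from a dotted IP and mask.

    Uses explicit bit arithmetic instead of ipaddress.ip_network so each
    step matches the pencil-and-paper method.
    """
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    prefix = bin(mask_int).count("1")                 # count the 1 bits
    network = ip_int & mask_int                       # AND address with mask
    broadcast = network | (~mask_int & 0xFFFFFFFF)    # set all host bits to 1
    usable = max(2 ** (32 - prefix) - 2, 0)           # minus network + broadcast
    return {
        "prefix": prefix,
        "network": str(ipaddress.IPv4Address(network)),
        "broadcast": str(ipaddress.IPv4Address(broadcast)),
        "first_host": str(ipaddress.IPv4Address(network + 1)),
        "last_host": str(ipaddress.IPv4Address(broadcast - 1)),
        "usable_hosts": usable,
    }


def classify(ip, prefix_len):
    """Return 'network', 'broadcast' or 'host' for ip within its /prefix_len."""
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    addr = ipaddress.IPv4Address(ip)
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


# Constructed from the post: (device, interface, address, mask, L2 segment).
# The L2 switch's VLAN 99 SVI lives on the trunk VLAN; the L3 switch's routed
# port to the router is a separate segment that VLAN 99 frames never reach.
LAYOUT = [
    ("L2 switch", "vlan 99", "10.0.0.4", "255.255.255.248", "vlan99-trunk"),
    ("L3 switch", "g1/0/24 routed", "10.0.0.2", "255.255.255.248", "l3-router-link"),
    ("router", "g0/1", "10.0.0.1", "255.255.255.248", "l3-router-link"),
]


def find_split_subnets(layout):
    """Report subnets that are assigned on more than one L2 segment.

    Hosts in one subnet ARP for each other directly, so a subnet spread
    over two segments that are not bridged cannot exchange traffic: here
    the L2 switch ARPs for its gateway 10.0.0.1 inside VLAN 99 and never
    gets an answer.
    """
    by_subnet = {}
    for device, iface, ip, mask, segment in layout:
        info = subnet_by_hand(ip, mask)
        key = f"{info['network']}/{info['prefix']}"
        by_subnet.setdefault(key, {}).setdefault(segment, []).append(
            f"{device} {iface} {ip}")
    return {subnet: segs for subnet, segs in by_subnet.items() if len(segs) > 1}


if __name__ == "__main__":
    print(subnet_by_hand("10.0.0.4", "255.255.255.248"))
    for subnet, segs in find_split_subnets(LAYOUT).items():
        print(f"{subnet} is split across segments: {segs}")
    for target in ("10.2.2.0", "10.2.2.1", "10.2.2.255"):
        print(target, "->", classify(target, 24))
```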



Does anyone here have experience with configuration management tools, such as Ansible, and Check Point firewalls?

Which configuration management tools (for example, Ansible) do you use in combination with a Check Point gateway / Security management server, and what do you use them for?

Just curious.



Need resources.

What are the best YouTube channels for intermediate-advanced networking?



ELRP vs STP

Hi there,

Anyone there with Extreme networks switches and particularly Extreme Loop Recovery Protocol? Can you do a comparison between the proprietary ELRP and STP? Pros and cons, experiences/horror stories?

While STP is far from perfect, slow, inefficient, it's still the standard and is well known and understood protocol. Call me an old fart (cause I am one), but as the saying goes, better the Devil you know.

Is there a way to have an STP domain with an ELRP domain? Even if there is it's probably a really bad idea, better just configure the Extreme Switches with STP.



Using ISE as a Guest WLC Anchor replacement?

I am coming up to replace my Cisco WLCs with new 3504s. Our VAR told us we could use our ISE with ACLs to completely replace our Guest WLC Anchor that is located in our DMZ.

While I understand that it should work, I am worried about how secure this will be. From my limited knowledge of Cisco Wireless, the Guest WLC Anchor is used to isolate the guests in the DMZ so they are completely off the production network.

Should I go ahead with my VAR's suggestion or stick with the Guest WLC Anchor? What is considered more secure or best practice?



How do you export a "universe" IP list in CA Spectrum?

Hello all,

Have an issue with one of my customers where I need to interrogate their network with a tool, but they don't have an Excel sheet or anything of the kind with all their IPs (poor documentation, yaaay....). What they do have is CA Spectrum. The only problem is that they built out their Spectrum view so that one Universe (we'll call it the "state") has multiple smaller universes (we'll call those counties) and even those have smaller universes (cities?). I'm new to Spectrum, never had to use it before, and don't know how to go to the top-level Universe and export a list of all the IPs underneath it, including the smaller universes. I know how to export the current universe I'm looking at, but any of the smaller universes underneath don't show IPs. I have to go into each individual one and export the IP list.

SO! Is there a way to go up to the "State" level and export everyone's IPs?

Thanks in advance.



HP L3 certifications

Hi guys,

Let me start by saying I got my MCSE cert 5 years ago and I have been a sysadmin since then, but my new job requires me to work with a lot of complicated (IMO) networks. Lots of HPE L3 switches and 50+ VLANs with one particular client. I know some basics, like how to do VLAN tagging and how to do basic configuration, but for anything more complicated than that, for example static routes, I am fully reliant on Google. Which doesn't always work out as planned.

My company and the clients are all very serious about certs and being qualified. We only have a handful of Cisco switches installed at clients, and they are all configured for L2, I have figured out everything I need to do on them with Googling. HP switches are extremely popular in my country and IPv6 is not going to be a thing here for many years, so it really doesn't make sense to get a CCNA.

I did research about HP certification paths but they are extremely unclear. Can someone please tell me what is the HP equivalent to CCNA and CCNP? And I assume it might be possible to do those via HP University?



Adding legacy AP firmware to new WLC

Hi Guys, noob here.

At work I've stumbled into this task where I need to update our virtual WLC from 8.1.133 to 8.10.2.2. However, in addition to new APs (9120) there are still APs (2702) in use that are not supported by the new WLC.

I've been told to just upload the bundle containing the old firmware to the WLC and I should be good. At the moment I am struggling with that task. I've been provided an ap3g2 bundle as a tar archive.

Could someone kindly point me to where to upload this to the WLC? Download > Code is not working since it does not accept the file type. All I find are guides on how to update WLC software with a provided AES file. Am I missing something obvious here?

Thanks for your help!



Tuesday, October 1, 2019

I created a Simple Network Automation Program

I call it SNAP.

Why: I work for a customer that has new devices coming in and going out all of the time. I needed a way to quickly load a pre-generated configuration on the device and send it on its way. I also have guys that I work with who use the program as well to load configurations; it's simple and works.

Works with console ssh and telnet.

User Credentials are not stored.

Load configs easily and walk away.

I added some buttons for troubleshooting easy issues.

Single exe can be found here.

While the source code can be found here.

Credits:

Netmiko, PyQT5



Any funny layer 8 stories?

Posted in r/networkingmemes but there's more people here



HA pair Palo Alto 3260 vs Fortinet 600E

Besides the PA having more network ports, what does the 3x price difference buy me with Palo Alto? According to Fortinet docs, they have much better performance (7Gbps performance with inspection enabled vs 4.7Gbps on the PA, more max concurrent sessions and more new sessions per second). PA seems to have better technology such as App-ID.

https://www.fortinet.com/content/dam/fortinet/assets/competitive-guide/web-600E-comparison-table.pdf



best solution for temporary office in Peru for small tech startup with broadband and preferably cellular failover

Our team is going to Peru for 2 months and we want to have stable internet. Speed is not as essential as stability. We will be in Pisac, outside of Cusco, where broadband is recently introduced and not super stable. the provider guarantees a whopping 99.5% uptime. lol. Cellular networks there are more robust with higher quality service, but prices per GB can be high. And they can also have occasional downtime or slowness.

There will be about 15 people who will need internet for web browsing, web apps, email, occasional video calls, etc.

I was thinking of getting something like a CradlePoint AER1600 mobile broadband router and connect that to the WAN as well as two cellular carriers and hope for the best. I also looked into Peplink MAX series of multi carrier routers. There are also more consumer brands such as Huawei 4G routers. I could also just get everyone to tether from their own phones (if they are carrier unlocked).

I want to find a reasonable solution that combines cost (hopefully less than ~$1500) with ease of use and setup (I can manage things if the software is reasonably easy to use) and of course performance and reliability.

Any advice on how to approach this problem? Should I hire a consultant, or call the companies above for advice? I'm reasonably tech savvy, but not exceedingly so, so I need some help! I'd like to buy hardware this week.



Network security ransomware attacks

I work at a factory manufacturing auto parts. Our customer was hit with a ransomware attack. Today in our manager meeting, as we talked about the incident, I asked the IS guy what protections we had. His reply was that he has contacted ATT (our ISP). Am I missing something or is this guy a complete idiot?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



netmiko question (3-prompt system)

I've got some VM appliances that are CentOS-based and I want to do some automation on them. I can't use the Linux device type because the vendor is using klish to present an application-specific shell that has a prompt terminating with >. I can use something like terminal_server or alcatel_aos to get stuff working, but I'd rather get something more usable. The klish shell allows you to drop out to a bash shell with a $ terminator and then, of course, you can su to root and get a # terminator. I wrote my own device type and hacked the source to get it working with all three prompts and implemented the admin functions, but I don't really like that solution either.

Is there a way to include a new device type without going through the submission process? I'm not experienced enough to handle all the requirements for submitting new device types (black, pylint, etc). I'm a little below intermediate at best in Python. I've noticed that packages like pygments allow runtime "plugins" through the use of entry points. Is that something that can be done with netmiko?
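The piece that makes the three-prompt appliance awkward is that the session has to know which of the three levels it is in from the prompt terminator alone, and has to answer su's password prompt on the way up. The example below is an added one, not netmiko's code and not the poster's, and deliberately stays off netmiko so it runs offline: the SSH channel is replaced by a scripted transport, the klish-to-bash escape command ("shell"), the prompt strings and the root password are all assumptions. The same structure maps onto a private netmiko subclass of netmiko.base_connection.BaseConnection (override find_prompt, check_enable_mode, enable and exit_enable_mode) that you instantiate directly, MyKlishSSH(host=..., username=...), instead of going through ConnectHandler; nothing has to be submitted upstream for that to work.

```python
"""Drive a CLI that has three prompt levels (klish '>' -> bash '$' -> root '#').

Added example, not the netmiko project's code and not from the post. The
shell escape command ("shell"), the prompt strings and the root password are
assumptions; the transport is a scripted stand-in so the example runs offline.
"""
import re

# The prompt is the last non-empty line of output, ending in one of three terminators.
PROMPT_RE = re.compile(r"(?P<name>\S+)(?P<term>[>$#])\s*$")
MODE_BY_TERM = {">": "klish", "$": "bash", "#": "root"}
ORDER = ["klish", "bash", "root"]
# mode -> (command that moves one level up, mode expected afterwards); "shell" is assumed
ELEVATE = {"klish": ("shell", "bash"), "bash": ("su -", "root")}


class ScriptedTransport:
    """Stand-in for an SSH channel: replays (expected input, output) pairs in order."""

    def __init__(self, script, banner):
        self.script = list(script)
        self.buffer = banner
        self.sent = []

    def write(self, data):
        expected, output = self.script.pop(0)
        if data.rstrip("\n") != expected:
            raise AssertionError(f"script expected {expected!r}, got {data!r}")
        self.sent.append(data.rstrip("\n"))
        self.buffer += output

    def read(self):
        out, self.buffer = self.buffer, ""
        return out


class ThreePromptSession:
    """Tracks which of the three modes the session is in from the prompt terminator."""

    def __init__(self, transport, root_password):
        self.t = transport
        self.root_password = root_password
        self.mode = self.prompt = None
        self._sync(self.t.read())

    def _sync(self, output):
        """Update mode/prompt from the last line of output; raise if no prompt is there."""
        lines = [ln for ln in output.splitlines() if ln.strip()]
        m = PROMPT_RE.search(lines[-1]) if lines else None
        if not m:
            raise RuntimeError(f"no prompt found in: {output!r}")
        self.prompt = lines[-1].rstrip()
        self.mode = MODE_BY_TERM[m.group("term")]
        return self.mode

    def send_command(self, cmd):
        """Send a command, wait for the next prompt, return output minus echo and prompt."""
        self.t.write(cmd + "\n")
        out = self.t.read()
        self._sync(out)
        lines = out.splitlines()
        body = lines[1:] if lines and lines[0].strip() == cmd else lines
        return "\n".join(body[:-1]).strip()

    def elevate_to(self, target):
        """Move up level by level, answering su's password prompt (never log the password)."""
        while ORDER.index(self.mode) < ORDER.index(target):
            cmd, expected = ELEVATE[self.mode]
            self.t.write(cmd + "\n")
            out = self.t.read()
            if "assword" in out:              # su asked for the root password
                self.t.write(self.root_password + "\n")
                out = self.t.read()
            if self._sync(out) != expected:
                raise RuntimeError(f"expected {expected} after {cmd!r}, got prompt {self.prompt!r}")

    def drop_to(self, target):
        """Move down with 'exit' until the target mode's prompt is seen."""
        while ORDER.index(self.mode) > ORDER.index(target):
            self.t.write("exit\n")
            self._sync(self.t.read())


# Constructed session transcript: the appliance's klish, its bash escape, then su.
SCRIPT = [
    ("show version", "show version\nVersion 2.1\nappliance> "),
    ("shell",        "shell\nbash-4.2$ "),
    ("su -",         "su -\nPassword: "),
    ("s3cret",       "\n[root@appliance ~]# "),
    ("id",           "id\nuid=0(root) gid=0(root)\n[root@appliance ~]# "),
    ("exit",         "exit\nlogout\nbash-4.2$ "),
    ("exit",         "exit\nappliance> "),
]


def demo():
    s = ThreePromptSession(ScriptedTransport(SCRIPT, "Welcome\nappliance> "), "s3cret")
    version = s.send_command("show version")
    s.elevate_to("root")
    whoami = s.send_command("id")
    s.drop_to("klish")
    return s.mode, version, whoami


if __name__ == "__main__":
    print(demo())
```

Two things carry over to a real implementation: verify the mode after every transition rather than assuming the command worked (a failed su leaves you at "$" and anything you then send as "root" runs unprivileged, or worse, gets typed into a password prompt), and always drop back down before disconnecting so a reused session never starts at "#".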



Do you use DNA Center?

-Topic- Do you use DNA Center and if so, whats your favorite feature? Do you like where the platform is moving?



How often is OSPF FRR and Fast Hellos actually used in real world?

As per the title, I'm curious how often they are used in the real world, especially FRR with OSPF. I can imagine BFD is commonly used over fast hellos if it is a requirement.



SD Networking or Traditional Deployment? Stability vs new features/easier management

I know this is a loaded question, but to summarize as much as possible: what does the professional tech community think is better for the org? I work for a VAR and I have seen many deployments. Some very basic and some very advanced using bleeding-edge tech such as Cisco SDA. VARs typically love new tech so they can sell more stuff, so to speak. Based on what I have witnessed, I feel that the bleeding edge is cool but typically much more expensive and full of bugs/downtime. Products such as Cisco SDA or ACI promise easier management, but when troubleshooting it almost seems not worth it. They also come with extensive compatibility matrices that are just another thing to keep in mind.

From an IT standpoint which is more important? Stability through traditional/tested tech or newer technology with new features that may be easier to manage?



Palo Alto PCNSE Practice Exam

I'm happy to say my Palo Alto Networks PCCSA practice exams are doing well and helping others. This month I received another email from someone telling me my exams helped them pass their PCCSA exam.

I've been working on my PCNSE practice exams and now have about 400 questions. They are true/false, multiple-choice, match, and free text and some with graphics.

Within the next two weeks, I will make the first PCNSE practice exam available for purchase as I continue to study and create the second half.

Please review a free 15 question demo in the link below and I appreciate any feedback.

https://www.classmarker.com/online-test/start/?quiz=6mg5d8ab86833233



Reserved WiFi bandwidth per user

Hi Guys,

I am designing a new WIFI6/5 network for around 500 users and I was wondering what is a safe number for guaranteed bandwidth per user taking into consideration the future proofing? Would 10 Mbps per user be enough?



What are you using for network automation?

What technologies, if any, are you using for network automation?

  • Ansible, YANG/OpenConfig, other, none?

If you are using something, how big is your network (devices)? When did your organization switch from manual configuring stuff to automation? Why did you choose the system that you ended up going with?

If you are not using anything, do you see yourself using something in the future? At what point is it worth the effort to roll out? Are you considering something in particular?



Arista VXLAN low throughput

Any Arista VXLAN users here? We're having an issue where throughput gets severely impacted. Running iperf on 2 servers on 2 neighboring leaf pairs, I've seen throughput get as low as 1 Gbps on a 10 Gbps link. I am pretty sure it is because packets get received out of order, causing duplicate ACKs, which in turn causes the sender to reduce its congestion window.

Have an open support ticket but they are fixated on finding a bad link, which is totally not the case.

Has anyone experienced anything similar?

https://imgur.com/a/bjexxYG
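The reordering theory is easy to confirm or kill from a capture taken on the receiving server: reordering shows up as segments arriving past the expected byte, later segments filling those holes, and duplicate ACKs with few real retransmissions, whereas a genuinely bad link shows retransmissions. The script below is an added example, not from the post; it runs the same heuristics Wireshark applies (its tcp.analysis.out_of_order, tcp.analysis.duplicate_ack and tcp.analysis.retransmission filters) over a constructed, made-up flow shaped like a tshark -T fields export.

```python
"""Count out-of-order segments, retransmissions and duplicate ACKs in one TCP flow.

Added example, not from the post. The input is constructed to look like a
`tshark -T fields` export (relative sequence numbers, one segment per line);
the addresses are made up.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    t: float      # frame.time_relative
    src: str      # ip.src
    dst: str      # ip.dst
    seq: int      # tcp.seq (relative)
    ack: int      # tcp.ack (relative)
    length: int   # tcp.len (payload bytes)


# Constructed: a sender pushing 1000-byte segments while the receiver ACKs.
# Segment 2001 is delayed on the fabric and arrives after 3001 and 4001.
SAMPLE_CSV = """\
0.000,10.1.1.10,10.2.2.10,1,1,1000
0.001,10.1.1.10,10.2.2.10,1001,1,1000
0.002,10.2.2.10,10.1.1.10,1,2001,0
0.003,10.1.1.10,10.2.2.10,3001,1,1000
0.004,10.2.2.10,10.1.1.10,1,2001,0
0.005,10.1.1.10,10.2.2.10,4001,1,1000
0.006,10.2.2.10,10.1.1.10,1,2001,0
0.007,10.1.1.10,10.2.2.10,2001,1,1000
0.008,10.2.2.10,10.1.1.10,1,5001,0
0.009,10.1.1.10,10.2.2.10,4001,1,1000
"""


def from_tshark_csv(text):
    segs = []
    for line in text.strip().splitlines():
        t, src, dst, seq, ack, ln = line.split(",")
        segs.append(Seg(float(t), src, dst, int(seq), int(ack), int(ln)))
    return segs


def analyze(segments, sender, receiver):
    """Wireshark-style heuristics for data from `sender` and pure ACKs from `receiver`.

    gap            : a segment lands past the next expected byte (a hole opens)
    out_of_order   : a later segment fills an open hole (delivery reordered)
    retransmission : already-seen bytes arrive again with no hole to fill
    dup_ack        : a pure ACK repeating the previous ACK number
    A reordered path shows gaps + out_of_order + dup_acks but few retransmissions;
    a lossy link shows retransmissions instead.
    """
    counts = Counter()
    expected = None          # next byte expected from sender
    holes = []               # [start, end) byte ranges not yet seen
    last_ack = None
    for s in sorted(segments, key=lambda x: x.t):
        if s.src == sender and s.length > 0:
            counts["data_segments"] += 1
            end = s.seq + s.length
            if expected is None or s.seq == expected:
                expected = end
            elif s.seq > expected:
                holes.append([expected, s.seq])
                expected = end
                counts["gap"] += 1
            else:
                hole = next((h for h in holes if h[0] <= s.seq < h[1]), None)
                if hole is None:
                    counts["retransmission"] += 1
                else:
                    counts["out_of_order"] += 1
                    if end >= hole[1]:       # hole fully filled
                        holes.remove(hole)
                    else:                    # assume holes fill from their start
                        hole[0] = end
        elif s.src == receiver and s.length == 0:
            if s.ack == last_ack:
                counts["dup_ack"] += 1
            last_ack = s.ack
    return counts


if __name__ == "__main__":
    print(dict(analyze(from_tshark_csv(SAMPLE_CSV), "10.1.1.10", "10.2.2.10")))
```

To feed it a real iperf run, export one stream with tshark -r capture.pcap -Y "tcp.stream == 0" -T fields -E separator=, -e frame.time_relative -e ip.src -e ip.dst -e tcp.seq -e tcp.ack -e tcp.len. Capture on the receiver, not the sender: reordering happens on the path, so a sender-side trace looks perfectly clean. A high out_of_order and dup_ack count with retransmission near zero is the evidence worth attaching to the vendor ticket.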



Azure MFA plugin for NPS - slow? anyone else?

I've never set up this particular thing before and I got it configured and working, but when using it for Cisco AnyConnect there is a pretty substantial delay and you often have to put in bogus keys a few times until you finally get a text/app message with the correct code.

Since I've never set this up, I was wondering if anyone else has and saw this issue?



Ethernet and Fiber OTDR Certification

Our company is trying to put together a training program for our employees in order to train helpers to become technicians and allow technicians to continually educate themselves. Let's say we were going the cliche route of Belden for ethernet cabling and Corning for fiber....It seems to me very unlikely our company would have the resources to send our helpers around the country to the different training sessions available...Do you all recommend an in-house program? Get the manufacturer or manufacturer's representative to travel to us? If an in-house program is the way to go, what programs are recommended? Fluke? CNet? Other? Thanks for the read.



Cisco ACI Multi-Site Vs Multi-Pod Design

Trying to architect a design to plan for the future,

Are there any drawbacks to deploying ACI Multi-Site vs Multi-Pod? For context, this is in a healthcare environment, so redundancy and availability are very critical components of our design.

We have two locations, 1700 miles apart, and I can't go into any more details for privacy reasons. I believe we are currently set to deploy this as a multi-pod deployment, but it makes more sense to me at least to do a multi-site deployment because of the ability to stretch the fabric and be able to do disaster recovery with EMR systems that are VM-based, so data vMotion is essentially the major basis of this plan (not sure if storage-based vMotion could span that distance without consistency check errors occurring in the stored data).

Any thoughts/pros and cons?



[Extreme switches] how to auto fill port alias fields

Have ~50 Extreme switches... with about 60% of the ports unlabeled/unaliased.

Read a few things here and there about running LLDP advertising from Windows PCs... anyone have thoughts on doing this?

Trying to think of a better approach than manually tracing every port, which seems wrong in several ways
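If the neighbours already speak LLDP (other switches, APs, phones, printers, and any PC that actually runs an LLDP agent), the port descriptions can be generated from the neighbour table instead of traced by hand. The script below is an added example, not from the post or from Extreme: it turns a constructed neighbour CSV into EXOS commands. The command form configure ports <port> description-string "<text>" and the 64-character limit are assumptions to check against the EXOS command reference for your release. The sanitising step is the part not to skip: LLDP is unauthenticated, so a host on any port can advertise whatever system name it likes, and that string is about to be pasted into a privileged CLI.

```python
"""Turn an LLDP neighbour table into Extreme EXOS port-description commands.

Added example, not from the post. The neighbour table is a constructed CSV
(local port, neighbour system name, neighbour port ID); the command form
`configure ports <port> description-string "<text>"` and the 64-character
limit are assumptions to check against the EXOS command reference for your
release before running the output.
"""
import re

MAX_LEN = 64                                  # assumed description-string limit
SAFE = re.compile(r"[^A-Za-z0-9._:/ -]")      # allow-list; everything else is dropped

# Constructed sample of what you would extract from `show lldp neighbors detail`.
# Row 3 shows why sanitising matters: LLDP is unauthenticated, so any host on a
# port can advertise any system name, including one crafted to look like CLI.
NEIGHBOURS = """\
1:1,core-sw1,1:24
1:2,pc-finance-03,Ethernet 2
1:3,"bad name"; configure ports 1:1 description-string owned,eth0
1:5,printer-floor2,eth0
"""


def sanitize(text):
    """Keep only allow-listed characters, cap the length, trim whitespace."""
    return SAFE.sub("", text)[:MAX_LEN].strip()


def parse_neighbours(csv_text):
    rows = []
    for line in csv_text.strip().splitlines():
        local_port, sysname, port_id = line.split(",", 2)
        rows.append((local_port.strip(), sysname.strip(), port_id.strip()))
    return rows


def description_commands(rows, already_labelled=frozenset()):
    """One command per port with a neighbour, skipping ports someone already labelled by hand."""
    cmds = []
    for local_port, sysname, port_id in rows:
        if local_port in already_labelled:
            continue
        text = sanitize(f"{sysname}:{port_id}")
        if text:
            cmds.append(f'configure ports {local_port} description-string "{text}"')
    return cmds


if __name__ == "__main__":
    for cmd in description_commands(parse_neighbours(NEIGHBOURS), already_labelled={"1:5"}):
        print(cmd)
```

Review the generated commands before pushing them (diff against the current descriptions), and treat the result as a starting point: a description learned from LLDP is a claim by the neighbour, so an unmanaged desktop switch or a hub will still leave you with one name for a port that really has several devices behind it.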



What is your favorite banner art?

     \\|//
     (o o)
-----oOO---(_)------------
**************************************************************
* THIS COMPUTER SYSTEM INCLUDING ALL RELATED EQUIPMENT,      *
* NETWORKS AND NETWORK DEVICES ARE PROVIDED FOR LEGITIMATE   *
* BUSINESS PURPOSES ONLY. UNAUTHORIZED ACCESS, USE, OR       *
* MODIFICATION OF THIS SYSTEM IS STRICTLY PROHIBITED. USE    *
* OF THIS COMPUTER SYSTEM CONSTITUTES EXPRESS CONSENT TO     *
* MONITORING AND RECORDING OF ANY ACTIONS TAKEN WHILE USING  *
* THIS SYSTEM. EVIDENCE COLLECTED DURING MONITORING MAY BE   *
* USED IN LEGAL PROCEEDINGS OR DISCIPLINARY ACTIONS.         *
* UNAUTHORIZED USE MAY BE PUNISHABLE BY TERMINATION OR       *
* CRIMINAL OR CIVIL LITIGATION.                              *
* --------------------------------------------------------   *
* If you are not an authorized user, disconnect now.         *
**************************************************************
------------------oOO-----
       |__| |__|
        | |   | |


What to learn or where to move next? Need advice please (From Cisco to...)

Hello Guys,

I am new to this forum, and I am seeking for advice.

At the moment I am trying to decide in what direction I should develop myself.

Brief description of myself:

I finished a UK university networking course in 2011. For the next 5 years I worked as a network engineer in a few companies (changed 2-3 companies) and obtained CCNA, CCNA Security, CCDA, CCNP. For the last three years I have had a job that combines network engineer and IT manager roles. During these 3 years I started losing my networking skills as it's only 30% of my daily routine.

Now it's time to start thinking about what to do next, and I have spent so many hours looking for what could be better for me.

My first thought was to start preparing for CCIE. This would remind me of all the forgotten skills and I would learn a lot from it. Although it's a difficult exam, I know this path; I have been in the Cisco world for so many years, I know how it works and what it requires.

But... there is that thought in my head: network engineers are not in demand anymore. I remember a time 7 years ago when it was the most valuable IT job on the market, with a high salary and a lot of vacancies. I am not seeing this anymore.

I live near London, so I will use London as an example. The average salary for a senior network engineer is about 50k - 70k. But this means you will most likely be responsible for an entire region, for example all of EMEA. I am not against this, as even in my current position I am responsible for the EMEA region and that's OK.

Now, if we take an average Python developer, his salary will be about 60k, and he will not have that many responsibilities on his shoulders.

Nowadays, if you compare junior job salaries from different areas you will see something like this:

· Junior Network Engineer 25k

· Junior Java developer 47k

· Junior AWS engineer 42k

All this leads me to the conclusion that the network engineer job has no future. Yes, I can try to get CCIE in 2 years, and I will find a job with a salary of 60-80k, but I am pretty sure that in 3-5 years' time I will have the same question in my head: is the energy I spend worth the money I earn?

I can only imagine how much I could learn about Azure, AWS, Java or Python during these 2 years instead of CCIE preparation.

I cannot decide if I should start a new career or carry on with Cisco.

I like security. You would say go for CISSP. But then it will be the same scenario: in the future I can find an 80k job in security, but this will most probably be a security department lead with huge responsibilities.

I like ethical hacking and penetration tester jobs. But this is a new career and I will probably not be able to migrate from networking to penetration tester without losing salary. A junior penetration tester salary can be 35k, while my current salary is 50k. Another thing is that at the moment I am responsible for the EMEA region and this makes me feel very important for the company; it will be difficult to accept the fact that I will be a junior again...

I do not mind programming paths, but I have a fear: what if I spend 2 years doing programming and then come to the conclusion that CCIE would have been the better choice?

I like Cisco and I like networking, but I just do not want to be that old-school guy who is denying the fact that he needs to evolve and learn something new.

As a last option, I think I am knowledgeable enough to open my own company providing networking services. But there are fears:

  1. What if this company is not successful? I have never had my own company.

  2. I will just reproduce what I have seen on the market (I have worked for a few companies that provide networking services); I will not create something new. Hence, I will have many competitors, competitors who have already been on the market for a long time.

It would be great to hear your opinion regarding this.

Thank you



Recommendations for 10 gigabit switch?

We're a small office doing media production, and move massive amounts of data, terabytes every month.

Several of our new desktop workstations are equipped with 10 gigabit network interfaces, and we have two new servers also capable of 10 gigabit (Synology NAS machines with 10 gigabit interfaces and RAID 10 volumes that can definitely outperform 1 gigabit in both read and write).

What switch would you recommend? We need no more than 6 ports at the moment, and would prefer a plug-and-play unmanaged switch.



I give up...

So, I have had one simple project I have been attempting to work on: connect my Cisco 7970 SIP to my OBi202 connected to a Google Voice number. These are the things I did on my OBi202 so far:

Service Providers -> ITSP Profile D  SIP -> ProxyServer: 127.0.0.1
Service Providers -> ITSP Profile D  SIP -> X_SpoofCallerID: Checked
Voice Services -> SP4 Service -> AuthUserName: 3603
Voice Services -> SP4 Service -> X_RegisterEnable: Unchecked
Voice Services -> SP4 Service -> X_ServProvProfile: D
Voice Services -> SP4 Service -> X_Proxy: Checked  
Voice Services -> SP4 Service -> X_InboundCallRoute: {3603>(Msp1):sp1}
Voice Services -> SP1 Service -> X_InboundCallRoute: ph,sp4(3603@local_client)

3603 = UserId of IP phone

and my SEPSN.cnf.xml is here at https://docs.google.com/document/d/1UID5iUXRRZYGC2IOF0wDiSNZkNG5xsrppm3T1geftsE/edit?usp=sharing. I will post any other files you may need upon request. If anybody can point out my issue or send me a link to a guide that I can follow that will show me how to properly configure my setup, that would be greatly appreciated.



Wi-Fi for ~1000 devices during the event

I am tasked with finding out about the capacity of a Wi-Fi network for about 1000 devices (500 laptops + 5000 phones). The event will take place in a hotel, where we will have different conference rooms, so this is something I should take into account. How do you approach this kind of task? What should the overall bandwidth be? How many APs do we need to put there? It is expected that users will not misuse the network to watch streaming videos, etc.



Switch redundancy

Hello,

I have a couple of machines (running FreeBSD) connected to an HPE 2530-24G switch. I'd like to add redundancy in case of switch failure and plan to buy another HPE 2530-48G and interconnect the two through the SFP+ ports. We have several (tagged) VLANs. What I'd like to do is add link failover first and aggregation later on, so basically on each server connect IF1 to switch 1 and IF2 to switch 2.

Failover can be done fairly easily I think, with LAGG and failover as the aggregation protocol (which is the default), but I'm wondering if I could use LACP as the aggregation protocol when two switches are involved, and if something special should be configured on the switch side, apart from the trunk groups?

To take a concrete example, let's say that machine1 has port 1 connected to switch1 and port 2 connected to switch2, with one virtual LAGG interface in LACP mode. If the two switches are operational the traffic will be balanced across the ports in the LAGG, is that correct? How could I configure one trunk group with a port from switch1 and a port from switch2? In case of switch failure, will the traffic no longer be sent on the interface connected to the dying switch?

Thanks!



Need help/suggestions for different Wifi networks for 4 or 5 different apartments

Looking for some basic pointers on hardware, setup and anything else needing consideration for the following scenario. We're starting from scratch, except for the ISP-provided router which we don't have much control over. This is quasi-commercial, so I felt it best in this sub rather than /r/Hom eNetworking ... hope you agree. [Realised I ought to X-post]

Setting: This is at a holiday complex where we own 5 apartments. We're not always there to do on-site admin, and we don't want to have someone from there 'on hand' to fix things.

Need to have: Remote admin control, so I am hoping to set up a Raspberry Pi [or similar, discreet device] so I can remote into the router settings from abroad if and when needed. Some steerage on this would be great, I've not used a Pi before. This would be used to change Wifi passwords for each of the Wifi access points (i.e. different for guests etc.); it would be good to know if someone is hammering the net and making it awful for other guests, for example, and then be able to throttle or disable access. If the net goes down entirely that's another matter, and not really what I'm worried about finding answers for here.

Ideal Scenario: The aim is to have a single access point, ideally PoE to avoid having to find wall power always, in each of the apartments (model/brand suggestions please!). This will be based off ONE inbound internet connection in the most central apartment of them all.

Yes, I know it's going to go south in terms of bandwidth; however this is for email checking and Facebook for our guests, not torrents/streaming/etc. It's a ~70 Mb fibre-optic line. This is to save (a LOT of) money and to centralise control of the connections, ideally with remote admin as mentioned.

The apartments are not next to one another, nor would we want to share Wifi networks between, say, two apartments, so we plan to run ethernet cables (from the router) to a sensible spot in each apartment, where we will have a Wifi beacon.

Maximum distance from router (ISP) to apartment is about 150ft, 120m, nothing more.

Any ideas welcome, I have about 1 month before I head out and would like to either buy the parts in the UK before flying out or at least know what I need to order (in Canaries).

Many many thanks in advance. If this would be better in another sub, let me know!



How would you setup a semi-permanent packet capture for your WAN interface?

We have an application that requires a port-forward to function (according to the developers - it's niche software, so we don't have much room to argue). They won't disclose the IP addresses initiating a connection, so it's wide-open at this stage.

The router/firewall device is a Netgate appliance running pfSense 2.4.4. The WAN circuit is 100 Mbps, although I would not expect to see much traffic, if any, on the port-forwarded port.

What is the best way of setting up a long-term packet capture (filtering for the port-forwarded port), on the WAN interface?

The firewall appliance doesn't have a lot of storage (and it's a slow eMMC drive), so I assume I'd want to offload storage to another server on the network, right?

I assume I'd also want some kind of rotation going.

I've read there's tcpdump, dumpcap, wireshark etc.

What would people suggest here?

(Some people mention setting up a SPAN port - however, I assume that means I'd need another switch that sat in front of the WAN interface on the Netgate firewall, right?)
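tcpdump already has everything needed for a rotating, filtered, long-running capture: -G rotates on time with strftime in the filename, -C/-W build a size-based ring buffer, -z hands each closed file to a post-rotate script (gzip and ship it off the eMMC), and -Z drops privileges once the socket is open. The script below is an added example, not from the post or from pfSense; it only assembles the command line so the flags can be inspected and tested. The interface name (igb0), the capture directory, the unprivileged user, the port and the /usr/local/bin/ship.sh post-rotate script are assumptions; ship.sh itself is not shown.

```python
"""Build a long-running, rotating tcpdump command for one forwarded port.

Added example, not from the post. Interface name (igb0), directory, port, user
and the ship.sh post-rotate script are assumptions; the tcpdump flags used
(-G/-W/-C/-z/-Z/-s) are standard tcpdump options also present in FreeBSD's
tcpdump, and therefore on pfSense.
"""
import shlex
import subprocess
from pathlib import Path


def capture_filter(port, proto="tcp"):
    """BPF filter: only the forwarded port, both directions."""
    return f"{proto} port {int(port)}"


def build_capture_cmd(iface, port, outdir, rotate_seconds=3600, max_files=None,
                      snaplen=0, post_rotate=None, run_as="nobody"):
    """Time-based rotation: a new file every `rotate_seconds`, timestamp in the name.

    post_rotate: script tcpdump runs with the just-closed file as its argument
                 (-z), e.g. gzip it and scp it to a collector, then delete it.
    max_files:   with -G, -W makes tcpdump exit after that many files; leave it
                 None for an open-ended capture and let post_rotate free space.
    snaplen 0 keeps whole packets; pass e.g. 128 for headers only.
    """
    outdir = Path(outdir)
    cmd = ["tcpdump", "-n", "-i", iface, "-s", str(snaplen), "-Z", run_as,
           "-G", str(rotate_seconds),
           "-w", str(outdir / f"fwd-{port}-%Y%m%d-%H%M%S.pcap")]
    if max_files is not None:
        cmd += ["-W", str(max_files)]
    if post_rotate:
        cmd += ["-z", post_rotate]
    cmd.append(capture_filter(port))
    return cmd


def build_ring_cmd(iface, port, outdir, file_mb=100, files=20, run_as="nobody"):
    """Size-based ring buffer: -C rotates at file_mb, -W keeps `files` and overwrites the oldest.

    Bounded disk use with no external cleanup, at the cost of losing the
    oldest data once the ring wraps.
    """
    return ["tcpdump", "-n", "-i", iface, "-s", "0", "-Z", run_as,
            "-C", str(file_mb), "-W", str(files),
            "-w", str(Path(outdir) / f"fwd-{port}-ring.pcap"), capture_filter(port)]


def shell_line(cmd):
    """Quoted form suitable for a cron entry or a Shellcmd package line."""
    return " ".join(shlex.quote(part) for part in cmd)


def start(cmd):
    """Launch the capture detached from the shell; the directory must be writable by run_as."""
    return subprocess.Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


if __name__ == "__main__":
    print(shell_line(build_capture_cmd("igb0", 5555, "/var/capture",
                                       post_rotate="/usr/local/bin/ship.sh")))
    print(shell_line(build_ring_cmd("igb0", 5555, "/var/capture")))
```

On pfSense the BPF tap sits on the NIC ahead of pf, so a capture on the WAN interface already sees every packet that arrives for the forwarded port, including ones pf would later drop; no SPAN port or extra switch is needed for this question. The GUI's Diagnostics > Packet Capture runs tcpdump underneath but is built for short grabs, hence running it from a shell or cron entry. Keep the capture directory on the box tiny and let the post-rotate step move files to the server with real disk.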



Monday, September 30, 2019

Diagramming Design Research Survey

Hello, we're doing a survey for a design project for class, looking for people from all backgrounds that diagram...should take less than 2 minutes. https://forms.gle/Tz2SAWJGjmoTcFHD7

Please remove if not allowed..thank you <3



Show logging information in SNMP

Hi,

Is it possible to gather all the logs using snmpwalk, and what would be the equivalent command/OID for the logging that currently exists on the device?

example command using snmpwalk:

snmpwalk -v2c -c public 10.13.1.21 <oid/snmp> 

Tried several objects but I'm not able to match the logs in the device buffer to the SNMP objects' output.

clogNotificationsSent , ciscoSyslogMIB , clogHistMsgName

Thanks
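The objects named above are the right MIB but the wrong table: clogNotificationsSent is a counter and clogHistMsgName is one column of the clogHistoryTable (1.3.6.1.4.1.9.9.41.1.2.3), which is the only place CISCO-SYSLOG-MIB exposes message text. It is populated only after logging history size <n> and logging history <level> are configured on the IOS device, and it holds what was logged since then, not the existing logging buffer. Each row is spread over several columns (facility, severity, name, text, timestamp) that a walk returns column by column, so they have to be re-joined by row index. The script below is an added example, not from the post; it parses a constructed snmpwalk -On output for two rows and rebuilds the familiar %FACILITY-LEVEL-MNEMONIC: text lines. Note the severity offset: the MIB uses 1..8 (emergency=1) while IOS prints 0..7.

```python
"""Turn an snmpwalk of CISCO-SYSLOG-MIB's clogHistoryTable back into syslog lines.

Added example, not from the post. The walk output below is constructed in the
numeric (-On) form net-snmp prints without MIBs loaded; column numbers are
those of clogHistoryEntry (1.3.6.1.4.1.9.9.41.1.2.3.1).
"""
import re
from collections import defaultdict

CLOG_HISTORY_ENTRY = ".1.3.6.1.4.1.9.9.41.1.2.3.1"
COLUMNS = {2: "facility", 3: "severity", 4: "name", 5: "text", 6: "uptime_ticks"}
# clogHistSeverity uses 1..8 (emergency=1); IOS syslog levels are 0..7
SEVERITY_NAME = {1: "emergency", 2: "alert", 3: "critical", 4: "error",
                 5: "warning", 6: "notice", 7: "informational", 8: "debug"}
LINE_RE = re.compile(r"^(?P<oid>\.[\d.]+) = (?P<type>[A-Za-z0-9-]+): ?(?P<value>.*)$")

# Constructed sample of `snmpwalk -On <host> .1.3.6.1.4.1.9.9.41.1.2.3.1`
# (a walk returns the table column by column, hence the interleaving).
SAMPLE_WALK = """\
.1.3.6.1.4.1.9.9.41.1.2.3.1.2.7 = STRING: "LINEPROTO"
.1.3.6.1.4.1.9.9.41.1.2.3.1.2.8 = STRING: "SYS"
.1.3.6.1.4.1.9.9.41.1.2.3.1.3.7 = INTEGER: 6
.1.3.6.1.4.1.9.9.41.1.2.3.1.3.8 = INTEGER: 6
.1.3.6.1.4.1.9.9.41.1.2.3.1.4.7 = STRING: "UPDOWN"
.1.3.6.1.4.1.9.9.41.1.2.3.1.4.8 = STRING: "CONFIG_I"
.1.3.6.1.4.1.9.9.41.1.2.3.1.5.7 = STRING: "Line protocol on Interface GigabitEthernet0/1, changed state to down"
.1.3.6.1.4.1.9.9.41.1.2.3.1.5.8 = STRING: "Configured from console by admin on vty0 (10.13.1.5)"
.1.3.6.1.4.1.9.9.41.1.2.3.1.6.7 = Timeticks: (123456) 0:20:34.56
.1.3.6.1.4.1.9.9.41.1.2.3.1.6.8 = Timeticks: (130000) 0:21:40.00
"""


def parse_value(vtype, raw):
    """Decode the few value syntaxes this table uses."""
    if vtype == "STRING":
        return raw.strip().strip('"')
    if vtype == "INTEGER":
        return int(re.search(r"-?\d+", raw).group())       # handles "6" and "notice(6)"
    if vtype == "Timeticks":
        return int(re.search(r"\((\d+)\)", raw).group(1))   # sysUpTime in hundredths of a second
    return raw.strip()


def parse_walk(text):
    """Group column cells by row index and return rows in index order."""
    rows = defaultdict(dict)
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m or not m["oid"].startswith(CLOG_HISTORY_ENTRY + "."):
            continue
        column, index = map(int, m["oid"][len(CLOG_HISTORY_ENTRY) + 1:].split("."))
        if column in COLUMNS:
            rows[index][COLUMNS[column]] = parse_value(m["type"], m["value"])
    out = []
    for index in sorted(rows):
        rec = dict(rows[index], index=index)
        rec["severity_name"] = SEVERITY_NAME.get(rec.get("severity"), "?")
        out.append(rec)
    return out


def to_syslog_line(rec):
    """Rebuild the %FACILITY-LEVEL-MNEMONIC: text form seen in `show logging`."""
    return f"%{rec['facility']}-{rec['severity'] - 1}-{rec['name']}: {rec['text']}"


if __name__ == "__main__":
    for rec in parse_walk(SAMPLE_WALK):
        print(rec["uptime_ticks"], to_syslog_line(rec))
```

Pipe a real walk in with snmpwalk -v3 -l authPriv -u <user> -a SHA -A '<auth>' -x AES -X '<priv>' -On 10.13.1.21 .1.3.6.1.4.1.9.9.41.1.2.3.1 rather than -v2c -c public: the text column carries configuration-change messages complete with usernames and source addresses, which is not something to hand out to anyone who can guess a community string. For anything more than a pull-on-demand, a syslog destination (logging host) is the better primary channel and this table a cross-check.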



Questions about Juniper SRX firewall config/operation

Hi,

I am trying to understand if we could do the following with a Juniper SRX3000 series firewall.

We are behind our organization's data center firewall. We are one of the units behind the firewall. Our default gateway for our externally routed subnets is on the SRX firewall. We would like to bring the routing (for all our subnets, both internal and external) down to our new layer 3 switches and use the SRX as our default next hop. Our network and infosec team are saying that the SRX cannot operate as a transit router (I don't know the proper term for this function) without massive changes to its config and how the firewall is operated. I tried to understand the necessary changes by reading the SRX manual. I couldn't find any info on how the firewall needs to be changed to act as a transit router with filtering.

Can you throw some light on this issue? Is the firewall operation that different between it acting as default gateway vs transit router?

Thanks!



Anyone moved into security

I am a network engineer with CCNP-level experience. I have worked with large networks of about 80,000 and small networks of under 100. I have grown increasingly bored with networking. I tried learning automation but there isn't much to automate at my job, so I lost interest. I have lately picked up an interest in security, mostly infosec. Has anyone moved from networking to security? If yes, what would be the best way to go about it?



iperf 10gbps servers in us?

From the iperf3 servers list I only see two in France and one in the Netherlands.

Trying to test 10 Gbps ips, but with the France servers I'm only getting close to 5 Gbps.

Thanks in advance.



5 GHz and 2.4 GHz problem, what can I do pls?

Hello everyone, so I'm really not good with everything related to internet etc., that's why I need your help.

I have a device that needs Wi-Fi to work, but the huge problem that I didn't see coming is that it's not compatible with 5 GHz and my router of course is 5 GHz...
Then I had to change some settings on my router; I activated the 2.4 GHz and deactivated the 5 GHz, but even after all this, my device shows "Not compatible with 5 GHz".

If I changed the 5 GHz into 2.4 GHz then why is it still not working? How can I resolve this?

Thanks for reading



SSH Attempts from Public IP reaching TACACS Server, They Shouldn't!

Hello Network people,

I have an HPE MSR edge router with an ACL on the VTY interface which permits only private IPs. However, today I got an alarm from the TACACS server that there are too many failed auth attempts. So when I look at the logs on the router I see failed auth attempts from 182.61.163.252 (China), when simply put these attempts should be dropped by the router like many other IPs by virtue of the ACL.

This is the configuration for the VTY 0-15 lines

user-interface vty 0 15
 acl 2023 inbound
 authentication-mode scheme
 idle-timeout 15 0
 protocol inbound ssh

This is acl 2023

acl number 2023
 description VTY Access
 rule 10 permit vpn-instance management source 10.0.0.0 0.255.255.255
 rule 65534 deny

I tried to log in myself from a public IP and the ACL works as expected. Looking in the logs this is also the case for many other public IPs. Below are some log entries for this IP that is somehow entertained by the router:

%Sep 28 14:11:24:527 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User (182.61.163.252) request: USER www-data.
%Sep 28 14:11:23:855 2019 RTR-HP-SOC1-INET-02 FTPD/5/FTPD_LOGIN_FAILED: User test (182.61.163.252) failed to log in.
%Sep 28 14:11:23:821 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User test (182.61.163.252) request: PASS ***.
%Sep 28 14:11:23:591 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User (182.61.163.252) request: USER test.
%Sep 28 14:11:22:890 2019 RTR-HP-SOC1-INET-02 FTPD/5/FTPD_LOGIN_FAILED: User test (182.61.163.252) failed to log in.
%Sep 28 14:11:22:863 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User test (182.61.163.252) request: PASS ***.
%Sep 28 14:11:22:626 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User (182.61.163.252) request: USER test.
%Sep 28 14:11:21:934 2019 RTR-HP-SOC1-INET-02 FTPD/5/FTPD_LOGIN_FAILED: User test (182.61.163.252) failed to log in.
%Sep 28 14:11:21:904 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User test (182.61.163.252) request: PASS ***.
%Sep 28 14:11:21:685 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User (182.61.163.252) request: USER test.
%Sep 28 14:11:21:027 2019 RTR-HP-SOC1-INET-02 FTPD/5/FTPD_LOGIN_FAILED: User test (182.61.163.252) failed to log in.

and below is a sample from the logs of normal behavior:

%Sep 30 08:43:30:613 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 218.92.0.204 on VTY0 due to IP restriction..
%Sep 30 08:43:30:587 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 218.92.0.204 on VTY0 due to IP restriction..
%Sep 30 08:43:30:556 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 218.92.0.204 on VTY0 due to IP restriction..
%Sep 30 08:43:30:552 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 218.92.0.204 on VTY0 due to IP restriction..
%Sep 30 08:43:25:032 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 35.197.227.71 on VTY0 due to IP restriction..
%Sep 30 08:43:19:944 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 222.186.31.136 on VTY0 due to IP restriction..
%Sep 30 08:43:11:801 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 49.88.112.70 on VTY0 due to IP restriction..

Can anyone think of a reason why the IP in question is able to bypass the ACL?
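The two log excerpts differ in their module field: the blocked attempts are SHELL/SHELL_LOGINFAIL entries (VTY sessions, which is what acl ... inbound under user-interface vty governs), while the entries for 182.61.163.252 are FTPD/FTPD_LOGIN_FAILED, a different daemon authenticating against the same AAA scheme. Splitting failed logins by module and source makes that kind of mismatch visible at a glance, which matters when the alarm comes from the TACACS server rather than the router. The script below is an added example, not from the post: it parses Comware-style log lines (a trimmed set of the post's own lines, used here as sample input) and reports which source addresses reached a service other than the VTY. On Comware the FTP server has its own enable state and ACL binding (ftp server enable / ftp server acl), so those, and whether FTP is needed on an internet-facing router at all, are worth checking against the MSR's command reference.

```python
"""Tally failed-login attempts per source IP and per daemon from Comware log lines.

Added example, not from the post. The sample lines are a trimmed copy of the
post's two log excerpts. The VTY ACL in the post only fronts VTY (SSH/Telnet)
sessions, so the check separates attempts by the logging module that saw them.
"""
import re
from collections import Counter, defaultdict

# %Sep 28 14:11:24:527 2019 HOST MODULE/SEVERITY/MNEMONIC: message
LOG_RE = re.compile(
    r"^%(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>[\d:]+) (?P<year>\d{4}) "
    r"(?P<host>\S+) (?P<module>[A-Z]+)/(?P<sev>\d)/(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FAILURE_MNEMONICS = {"FTPD_LOGIN_FAILED", "SHELL_LOGINFAIL"}
VTY_MODULES = {"SHELL"}   # what `user-interface vty ... acl inbound` covers

SAMPLE_LOGS = """\
%Sep 28 14:11:24:527 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User (182.61.163.252) request: USER www-data.
%Sep 28 14:11:23:855 2019 RTR-HP-SOC1-INET-02 FTPD/5/FTPD_LOGIN_FAILED: User test (182.61.163.252) failed to log in.
%Sep 28 14:11:23:821 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User test (182.61.163.252) request: PASS ***.
%Sep 28 14:11:22:890 2019 RTR-HP-SOC1-INET-02 FTPD/5/FTPD_LOGIN_FAILED: User test (182.61.163.252) failed to log in.
%Sep 30 08:43:30:613 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 218.92.0.204 on VTY0 due to IP restriction..
%Sep 30 08:43:30:587 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 218.92.0.204 on VTY0 due to IP restriction..
%Sep 30 08:43:25:032 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 35.197.227.71 on VTY0 due to IP restriction..
"""


def parse(lines):
    """Yield one dict per parseable line, with the first IPv4 address in the message."""
    for line in lines.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(m["msg"])
        yield {**m.groupdict(), "ip": ip.group(1) if ip else None}


def failures_by_service(lines):
    """(module, source IP) -> number of failed logins."""
    counts = Counter()
    for rec in parse(lines):
        if rec["mnemonic"] in FAILURE_MNEMONICS and rec["ip"]:
            counts[(rec["module"], rec["ip"])] += 1
    return counts


def sources_outside_vty_acl(lines):
    """Source IPs whose attempts arrived on a daemon the VTY ACL does not front."""
    modules_by_ip = defaultdict(set)
    for rec in parse(lines):
        if rec["ip"]:
            modules_by_ip[rec["ip"]].add(rec["module"])
    return {ip: sorted(mods) for ip, mods in modules_by_ip.items() if not mods <= VTY_MODULES}


if __name__ == "__main__":
    for (module, ip), n in sorted(failures_by_service(SAMPLE_LOGS).items()):
        print(f"{module:6} {ip:16} {n} failed")
    print("reached non-VTY services:", sources_outside_vty_acl(SAMPLE_LOGS))
```

Run against a full day of logs this also answers the TACACS question directly: every (module, IP) pair that is not SHELL is a service reaching AAA through a path the VTY ACL never sees, and each such service needs its own access restriction or should be disabled on the edge.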