Saturday, March 21, 2020

How do I intercept and redirect or edit requests

I want to intercept image requests to an external HTTPS server (https://externalserver/image/imageId) and return images from my local server (http://localhost:3000/image/imageId) instead. Is there a way to do that on Linux?



Where can I find the documentation for a Cisco router's capabilities?

For example, I have a router that is the hub of an encrypted DMVPN (phase 1) and I want to know:

  • maximum DMVPN spokes
  • maximum encrypted throughput

Here is the product page https://www.cisco.com/c/en/us/products/routers/3925-integrated-services-router-isr/index.html

https://www.cisco.com/c/en/us/support/routers/3925-integrated-services-router-isr/model.html


I guess this leads me into another question: when you are given requirements, how do you go about selecting the gear you need?



MACsec Key Exchange?

I've been studying MACsec, specifically static CAK mode. One thing that sticks out to me is that it appears the pre-shared key (CKN and CAK) is sent over the link in clear text and used to authenticate the remote end of the connection, after which the key server sends keys over the link periodically. No challenge-hash for authentication or Diffie-Hellman for key exchange? How is that secure? Maybe the documents I've been reading are oversimplifying. Can anyone explain more thoroughly how MACsec does key exchange over the insecure link?



9300L multigig port

Would anyone know, or have experience with, how the multigigabit ports are arranged on these switches?

C9300L-24UXG - 24 UPoE 8xmGig

C9300L-48UXG - 48 UPoE 12xmGig

So which 8 or 12 of the 24 or 48 ports are the mGig ports, respectively? I searched through all the data sheets and couldn't find any detail.

Should I assume it's the last 8/12 ports? Or are they auto-negotiated?



Cisco Switch Question

Hello all, I was given a Cisco SG200 26-port PoE switch and I would like to get an SFP DAC cable. All I can find is SFP-H10GB-CU1M, and I cannot find out if it is compatible with the switch. I went to the Cisco website and it does not give a list of compatible SFP adapters. Any help would be greatly appreciated.



Leap from R/S to Network Security

Looking for some training content for the following. Doesn't matter if it is books, online vids, paid training, certs, vendor training programs, blogs, etc.

  • RADIUS
  • Network Authentication Control
  • Proxies
  • WAF
  • Certificates
  • TLS
  • IKEv2
  • Wireless security best practices
  • VPNs
  • Network design from a security perspective
  • Anything else network security related



Question on VM NAT routing. Please help!!

So I was wondering if anybody could clear this concept out for me because I am having trouble understanding it.

So say you set up a VM in NAT mode. How is it that the VM can access the internet but can't communicate with any other machine on the host's network?

So say for example you try to ping a machine on the host's network: the VM sends the packet, which gets sent as the host, the packet gets to the other machine and it replies (I'm guessing), but the reply gets to the host machine and doesn't get forwarded to the VM. I am guessing this is the process that explains why it can't ping any other machine on the host's network.

But following this same process, wouldn't any web server reply also fail to get to the actual VM?



Water company coming over to install a machine in my home for their work (phone operator); anyone know what this machine will be?

I have WiFi set up in my home and I'm wondering if they're going to screw it up. I'm also wondering if this machine will run up our phone bill since they'll be making a ton of calls from home now.

Wish I had more info, but I'll come back later to share more.



Share your AnyConnect experiences here.

I don't know if this is the right subreddit, but the idea behind this post is to share any recently discovered issues working with AnyConnect and their possible solutions. I work as a T1 technical support and FW admin, and due to everybody moving to H.O. and opting for this VPN client I've been receiving a sh*t ton of tickets and calls about AnyConnect not working, so I'd like to hear from any support tech colleagues their experiences and workarounds so we can help each other. So please, feel free to share your experiences, doubts, and whatnot here. Cheers.



How does a web server know my public ip address??

Okay, so quick question: how does a web server know my public IP address if the last device in the routing chain will be the web server's router, so the source IP of the packet should be the IP address of that router, right? So how can the web server know my router's original public IP address?



L2TP Split Tunnel Manual Routes

Hello,

So we've set up a VPN using L2TP on the Ubiquiti USG. The setup works quite well for something that was never really meant to be a complete work-from-home solution. We set it up really quickly only for us in the IT department, but we had to deploy it to everyone due to the corona crisis.

At the moment the biggest problem is that, because L2TP cannot push routes automatically, all traffic is being tunneled through our work VPN, which is of course causing bandwidth issues.

I had seen that you might be able to manually create these routes and then push them out some other way. I have experimented, but I haven't had much luck making the correct routes and getting DNS to work.

So basically we have a 192.168.3.0/27 and our main work network is on 192.168.0.0/23. Additionally, it seems the USG assigned something between the networks on a 10.255.255.0 subnet.

The idea would be to allow all traffic from the 192.168.3.0 subnet to access the 192.168.0.0 subnet but route all other traffic via the local connection.

Is there a way to do this?



Secure FTP for System Backups

Currently I'm investigating some options for SFTP to perform system backups for Infoblox and Avaya Voice systems. We have GoAnywhere used for other processes within our organization so I'm investigating if that is a good tool for these use cases. I wanted to see what other networking teams use for SFTP concerning system backups and what use cases they have with said products/configurations. Do you also use these systems for network device backups or images as well?



The patching method I use, and the process I use to deploy it.

I'm sure this question gets asked a lot. I myself have scoured the web in search of the "best" layout for patching cables from the panel into the switches without running into issues like a bunch of excess cable length, or vastly different cable lengths. Terminating custom cables I'm sure looks nice, but is a pain in the ass, takes time, and you don't get as good a cable with a hand-made cable as with a pre-terminated one. Also, using more than 2 different cable lengths is a pain in the ass, so how do you get a nicely dressed, intuitively laid out patch schema using pre-terminated cables of only one or two different lengths?

I've been using what I would call an "inside-out" method, where you patch the outside of the patch panel to the middle of the switch, and work your way across, maintaining row for row on the panel and switch.

Obviously it works best when you have the same number of patch panels as you do switches/copper cards. Sometimes you have to get creative when you have more patch panel ports than switch cards.

Rule of thumb being to never cross the center line of the ports.

Example: Patch panel A-1 would (on a 48-port Cisco switch) be connected to g1/0/23. A-2 would be g1/0/21, A-3 would be g1/0/19 and so on until you get to port A-13, which would go to g1/0/47.

Starting with A-25 in 1/0/24, you repeat the same process.

So far, in multi-switch or multi-card racks, I have been just going top patch panel to top switch, but I wonder if it would be better to go top panel to bottom switch and work inward panel to switch, so that bottom panel goes to top switch.

This has allowed me to use the same length patch cable all the way across the switch and not end up with too much extra length or come up short. Generally I use 5 foot cables.

Since I mostly have to deploy this method on existing cabinets, it requires a re-mapping of the interface configs to match where they will land with the new port matrix.

Usually I do pre-work to save time during the maintenance window, but you could theoretically do everything on the same day.

Here's my process:

Step 1: document your existing connections. This is arguably the worst part of the process. Generally you can't rely on old documentation, and you have to be 100% sure of all of the connections, because they're all going to be moved. This means hand-tracing each cable (which is usually a spaghetti mess in my current environment). It helps to have a buddy with a laptop to document what patch port goes to what switch port, so you can focus on tracing and call out what goes where when you find it.

Step 2: lay out your existing connections and plan your new matrix.

In a spreadsheet, I take a copy of my current network layout and transpose it into columns and turn it into a table so I can sort by patch letter, or by switch port. Now is a good time to highlight important things, and also to find ports that aren't being used that can be disconnected. Hopefully if you're doing this, it's because you're either replacing or adding equipment to your rack or whatever and can plan growth into your re-cabling effort. This was the case for me in the example below.

Example *disclaimer* I moved the green ports around to better distribute PoE load because they are AP's.

Step 3: map your ports to your new config:

Using Excel, transposing your existing and planned port layouts can help you create tables so you can see which port configs need to be changed. I put two tables together showing the existing layout and the new plan, and then merge the patch panel port with its current and planned switch port. I then sort that list by the existing switch port number. This will show a sequential list of your existing switch ports and which new port each config will go on.

Step 4: build your config script.

Save your running config, and then copy out the interfaces portion.

Using the table, all you have to do is run down through the interfaces in the config document and change the interface number to the planned interface number.

(be sure to take out any ports that you skip from the config, so they don't overwrite the ones you change. Example: if your config changes port 1/0/1 to port 1/0/5, and you won't be using or moving g1/0/5 to a different port, make sure you remove port 1/0/5 from your config script, or it will be written back to g1/0/5 when you paste in the config script.)

Step 5: do the migration.

You can do this part in whatever order during your maintenance window, but you'll need to disconnect all of the old patch cables from the switches, patch in your new cables according to your planned matrix document, default all of the interfaces to blank configs, and then paste in your new interface configs from your plan config script. I would only paste in a handful of new interfaces at a time, to be sure you don't overwhelm the buffer on the switch.

Then you can go back through and fill in any (intentionally) blank ports with a generic interface config.

It helps to have plenty of cable wrap / velcro tape, tak-ty whatever you use to manage your cables on hand during this step so you can dress in your cables as you go.

Step 6: test / check-out

Since you can't really roll back (I mean, you can... you have the documentation to), you need to do checks and tests. The more complex your network (more VLANs, deviating port configs), the more you want to check and re-check. A lot of this process relies on a lot of focus on very tedious tasks like tracing cables, documenting them correctly and changing interface configs. You need to take your time with that, and also with your check-out. I usually break it out over three days. Day 1 (hopefully a maintenance window): go in and trace down the cables and document the current situation. Day 2, during the week: I build my matrix and my config script for my interfaces. During production I like to take a ping sweep of the switch, get running configs, CDP neighbor lists, etc. Day 3 (maintenance window) is when I do the migration and the testing.

I hope this helps somebody.

I don't get on much, but if you have questions about my method, or have some advice for me on a better way, please leave a comment or send me a message.

I'm also looking for new ways to name network drop locations and access points. (currently using a column grid, but sometimes there are no columns, or the drops are at different elevations/ floors.) preferably a convention that will fit on a patch panel label.

Thank you.
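An added example, not the poster's own tooling: a small Python helper that generates the "inside-out" panel-to-switch matrix described above and builds the step-4 move script from a running-config excerpt, dropping the stanzas of ports that are not being moved so they cannot overwrite a moved config. It assumes a single 48-port switch with odd ports on the top row and even ports on the bottom row; the config excerpt is constructed for the example.

```python
import re
from typing import Dict, List

# Assumed 48-port layout: panel ports 1-24 are the top row and 25-48 the
# bottom row; switch odd ports are the top row and even ports the bottom row.
def inside_out_map() -> Dict[int, int]:
    """Return {panel_port: switch_port} for the inside-out scheme.

    Left half of a panel row walks from the switch centre out to the left edge
    (A-1 -> 23, A-2 -> 21 ... A-12 -> 1); the right half walks from the right
    edge back to the centre (A-13 -> 47 ... A-24 -> 25). The bottom panel row
    does the same on the even ports, so no cable crosses the centre line.
    """
    mapping: Dict[int, int] = {}
    for p in range(1, 49):
        if p <= 12:
            sw = 25 - 2 * p          # 23, 21, ..., 1
        elif p <= 24:
            sw = 73 - 2 * p          # 47, 45, ..., 25
        elif p <= 36:
            sw = 74 - 2 * p          # 24, 22, ..., 2
        else:
            sw = 122 - 2 * p         # 48, 46, ..., 26
        mapping[p] = sw
    return mapping


IFACE_RE = re.compile(r"^interface GigabitEthernet(\d+/\d+)/(\d+)\s*$")

# Constructed running-config excerpt for the example (not a real device).
SAMPLE_CONFIG = """
!
interface GigabitEthernet1/0/1
 description AP-LOBBY
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/5
 description OLD-PRINTER
 switchport access vlan 20
!
interface GigabitEthernet1/0/7
 switchport mode trunk
!
interface Vlan1
 no ip address
!
"""


def split_stanzas(config: str) -> List[List[str]]:
    """Split IOS-style config into stanzas: a non-indented line plus the
    indented lines under it. Blank lines and '!' separators are dropped."""
    stanzas: List[List[str]] = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith((" ", "\t")) and stanzas:
            stanzas[-1].append(line)
        else:
            stanzas.append([line])
    return stanzas


def build_move_script(config: str, old_to_new: Dict[int, int]) -> str:
    """Rewrite each interface stanza to its planned port number.

    old_to_new maps existing port number -> planned port number. Stanzas for
    ports that are not in the map are left out on purpose: an unmoved port's
    old config must not be pasted back over a port that now carries a moved
    config (the caveat from step 4). Each moved port is defaulted first, as
    step 5 describes, so stale lines do not survive the paste.
    """
    out: List[str] = []
    claimed: Dict[int, int] = {}
    for stanza in split_stanzas(config):
        m = IFACE_RE.match(stanza[0])
        if not m:
            continue                        # only physical interfaces move
        slot, port = m.group(1), int(m.group(2))
        if port not in old_to_new:
            continue                        # skipped port: drop its config
        new_port = old_to_new[port]
        if new_port in claimed:
            raise ValueError(f"port {new_port} planned twice: "
                             f"from {claimed[new_port]} and {port}")
        claimed[new_port] = port
        out.append(f"default interface GigabitEthernet{slot}/{new_port}")
        out.append(f"interface GigabitEthernet{slot}/{new_port}")
        out.extend(stanza[1:])
        out.append("!")
    return "\n".join(out)


if __name__ == "__main__":
    print(build_move_script(SAMPLE_CONFIG, {1: 5, 7: 9}))
```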



Dialogic SBC - Add P-Asserted-Identity to invite?

Like a lot of you probably right now, I'm rushing around all weekend trying to add capacity to our voice infrastructure, which means bringing a pair of Dialogic SBCs into production, with me suffering from knowledge gaps. Hoping someone here has prior experience with these units and can assist!

For outbound calls we want to present our default number, so I need to add P-Asserted-Identity to the INVITE. I'm trying to create a SIP profile which does just that:

<Action>
  <Insert><SipHeader Header="P-Asserted-Identity" Field="Address"/><String Value="+44111111111"/></Insert>
</Action>

The SBC doesn't like it and says:

Error: Attribute 'index' not allowed when inserting SipHeader, LineNum=6. Column=66

It obviously doesn't like the combination of field and value type I have chosen.

Anyone familiar with these?



Complex IPv6 subnetting

I am currently doing a Cisco curriculum. I am trying to subnet a hypothetical IPv6 network across 3 countries, then states, cities and offices.

Let's say I have 3 countries, 40 states, 43 cities with 2 offices per city?

I would have a /50 for countries. [ 3 countries = 2^2 - Leaves us with 14 bits. (64 (subnet bits) - 48 (fixed bits from ISP) + 2 (new bits)) ]

I would have a /56 for states. [ 40 states = 2^6 - Leaves us with 8 bits. (64 - 50 + 6) ]

I would have a /62 for cities. [ 43 cities = 2^6 - Leaves us with 2 bits. (64 - 56 + 6) ]

I would have a /63 for offices. [ 2 offices per city = 2^1 - Leaves us with 1 bit. (64 - 62 + 1) ]

For countries, the address would go up per 4000.

For states, the address would go up per 100.

For cities, the address would go up per 4.

And for offices, the address would go up per 2?

For my example below assume:

  1. Canada - 2001:db8:cad:0000::/50

  2. America - 2001:db8:cad:4000::/50

  3. UK - 2001:db8:cad:8000::/50

Would that be:

2001:db8:cad:4000::/50 - America

----2001:db8:cad:4100::/56 - CA

--------2001:db8:cad:4104::/62 - San Francisco

------------2001:db8:cad:4104::/63 - Office A

------------2001:db8:cad:4106::/63 - Office B

--------2001:db8:cad:4108::/62 - San Jose

------------2001:db8:cad:4108::/63 - Office A

------------2001:db8:cad:410A::/63 - Office B

--------2001:db8:cad:410C::/62 - Sacramento

------------2001:db8:cad:410C::/63 - Office A

------------2001:db8:cad:410E::/63 - Office B

Is that correct?
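An added example, not part of the post: a Python allocator that carves the hierarchy from the post (/48 from the ISP, /50 per country, /56 per state, /62 per city, /63 per office), reports how many children each level holds, and reproduces the addresses listed above. The prefix 2001:db8:cad::/48 is taken from the post; the 0-based index order (America = 1, CA = 1, San Francisco = 1, Office B = 1) is an assumption.

```python
import ipaddress
from typing import Dict, Tuple

ISP_PREFIX = ipaddress.IPv6Network("2001:db8:cad::/48")
# (level name, prefix length) from the post, top-down
LEVELS: Tuple[Tuple[str, int], ...] = (
    ("country", 50), ("state", 56), ("city", 62), ("office", 63),
)
REQUIRED = {"country": 3, "state": 40, "city": 43, "office": 2}


def carve(parent: ipaddress.IPv6Network, new_prefix: int,
          index: int) -> ipaddress.IPv6Network:
    """Return the index-th (0-based) /new_prefix child of `parent`.

    Every level must stay at or above /64 so each office still owns /64s.
    """
    if not parent.prefixlen < new_prefix <= 64:
        raise ValueError(f"/{new_prefix} must be longer than "
                         f"/{parent.prefixlen} and at most /64")
    children = 1 << (new_prefix - parent.prefixlen)
    if not 0 <= index < children:
        raise ValueError(f"/{parent.prefixlen} only holds {children} x "
                         f"/{new_prefix}; index {index} out of range")
    base = int(parent.network_address) + index * (1 << (128 - new_prefix))
    return ipaddress.IPv6Network((base, new_prefix))


def capacity() -> Dict[str, int]:
    """Children per level: 4 countries in the /48, 64 states per country,
    64 cities per state, 2 offices per city."""
    caps: Dict[str, int] = {}
    parent_len = ISP_PREFIX.prefixlen
    for name, length in LEVELS:
        caps[name] = 1 << (length - parent_len)
        parent_len = length
    return caps


def plan_fits(required: Dict[str, int] = REQUIRED) -> bool:
    """True when every level has room for the counts the plan needs."""
    caps = capacity()
    return all(required[name] <= caps[name] for name, _ in LEVELS)


def fourth_hextet_step(prefixlen: int) -> int:
    """Increment of the 4th hextet between neighbouring subnets of this
    length: /50 -> 0x4000, /56 -> 0x100, /62 -> 0x4, /63 -> 0x2. These are
    the 'go up per' values in the post, read as hex."""
    return 1 << (64 - prefixlen)


def allocate(*indexes: int) -> ipaddress.IPv6Network:
    """Walk the hierarchy: allocate(1, 1, 1, 1) is country 1 / state 1 /
    city 1 / office 1; fewer indexes stop at a higher level."""
    net = ISP_PREFIX
    for (_, length), idx in zip(LEVELS, indexes):
        net = carve(net, length, idx)
    return net


if __name__ == "__main__":
    print(capacity(), plan_fits())
    for path in [(1,), (1, 1), (1, 1, 1), (1, 1, 1, 0), (1, 1, 1, 1)]:
        print(path, allocate(*path))
```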



What to study during quarantine

So I am still in school and still have a job (so far), but I also have actively been looking for a job in networking since I earned my CCNA back in January. Since finding a new job at the moment might be a bit harder due to the virus, what are some good skills to learn on my own time while under the quarantine, i.e. Juniper, Python, Linux etc. that would go a long way in the networking field?



IPv6 Multicast test tool/receiver

Hello All,

I am looking for a tool I can use to generate and test multicast routing on a network. I cannot find a tool which will send the correct ICMP packet to join the stream and act as a receiver, nor something which will generate multicast IPv6 traffic; however, I believe iperf can generate the traffic.

Thanks



My new networking setup



Rate limit settings in Aerohive/Extreme AP

I'm mostly a UniFi user and normally I don't touch rate limits, as bandwidth limiting is handled some other way. But at my job they use Aerohive and I still cannot find a sweet spot for these settings. According to them, best practice is essentially to disable the B rates, but they are still needed for multicast and other traffic that uses low rates, not to mention some IoT devices.

This is what I've come up with; maybe someone can give me a general idea of their setup.

https://imgur.com/a/ObQ9KJ3



Newbie here

What's the best way to understand networking? How long did it take you to learn enough to be able to build a network by yourself?



Friday, March 20, 2020

VPN issues for colleagues working at home

Hi all,

We have a RADIUS server set up that users connect to via a Windows VPN connection, and now with many full-time staff working from home some issues have come up where several colleagues have been unsuccessful in connecting.

I've exhausted a number of things including:

  • turning firewall off temporarily
  • changing their home network connection from public to private
  • Windows and system updates
  • removing and re-adding all the WAN Miniport network adapters
  • changing VPN server address from friendly name to IP
  • changing the VPN's protocol to PPTP (what other successful connections are using) from automatic, though automatic has worked fine before and is working fine for the majority of staff
  • verifying that no one was using a static IP address (had issues with that one time in the past)

...the list goes on.

The common denominator between the handful of colleagues who can't connect is that they all have fairly recent service through Spectrum and are using Spectrum-issued routers (Sagemcom, I believe; never heard of them before). I even tried adding a custom firewall rule on the router to allow PPTP for outgoing and later outgoing/incoming, as the list of custom rules did not include one for PPTP, nor did it allow the VPN connection to succeed when the firewall was set to "Low - Allow All". It's possible I created the rule wrong, as I wasn't entirely sure what to put for the port (I tried 1723 as well as leaving it blank), but nonetheless I was still striking out.

I still have a gut feeling that it's the Spectrum router hardware, but after hours reaching out to them and getting escalated to tier 3 support they insist it has nothing to do with anything on their end. One thing that could possibly clear their culpability is that a hotspot and phone tethering of the workstations in question wouldn't work either, but neither did my own computer when using my iPhone as a hotspot (maybe iPhone doesn't do PPTP either?). My computer connects to the VPN fine when connected to my home WiFi network (Spectrum but with own hardware).

I come to you, the wise and talented individuals of r/networking, in hopes that someone might have a suggestion or perhaps even a similar experience with definitive solution. Many thanks in advance, as I know I've pooled very helpful responses to questions I've had in the past.

With gratitude...



Laid Off from MSP

Laid off today. I have a CCNA and about 2 years hands on experience from this company. Previously worked at an ISP. Just generally asking around to see if people are still really hiring during COVID19 or if the better path would be to file for unemployment and fine tune skills while waiting for the storm to pass.



Azure and SCCM network requirements

Hi All,

We are looking to have SCCM in Azure with compute in the cloud to serve 5000 roaming users.

Has anyone done this and what are the networking requirements for setting up a hybrid solution with minimal costs?



The Mars Rover Satellite Angle Problem

Hi,

Just had a quick question. You know when, for example, you've connected to the local side on your WAN router, and there's a duplex or speed mismatch with the far side, so you hop onto the far side, and do a "no negotiation auto" or "duplex full" and it kills your connection. And then you have to drive out to the far side and console in to fix the problem.

Or when you VPN onto your intranet to change the VPN IP scope, only to have it kill your connection because you're using a VPN client. And maybe you weren't careful and typoed, and now no one can VPN in.

I'm wondering what that sort of problem is called. I figured I would call it the Mars Rover Satellite Angle Problem. Where basically, you can make a change, but the change results in your inability to make any more changes. I'm sure there's a more proper name for this.

Thanks,

rpartlan



PoE timeclock with SSH support

Hello Reddit,

Can anyone recommend a PoE timeclock that can be configured over SSH? I'm seeing lots of clocks that support Telnet, but I've been tasked with finding a model similar to this with SSH support.



Textfsm online interpreter

Hi guys,

I've spun up a little online textfsm interpreter to help you write your templates faster

Link is below

Http://textfsm.nornir.tech



Are we going to need to ration the internet?

I have seen a few articles about big players limiting bitrates and heard some personal stories about migrating everything possible online. Will this continue? Will we end up with something like time of day pricing for electricity but bandwidth? What are some factors in this massive migration online?



CCNP-SP vs CCNP-ENT

I was scheduled to take the CCNA in about a week, but due to the pandemic it looks like I'm going to have to hold off for a while. I am trying to plan what's next after the CCNA and I think I'm down to CCNP-SP or CCNP-ENT. I work at a mid-size service provider in the US, so I've been leaning towards the CCNP-SP, but I've been poking around this sub and the Discord and seem to have picked up that most people go for ENT then SP. I would like to learn more about the SP stuff because we use a lot of what SP covers. Sorry, I'll finally get to my question now.

  • Should I take ENT before SP? If so why?
  • Are there any affordable training materials for SP? Maybe a book?


VxLAN Configuration in NXOS CLI

When VXLAN configurations specify the multicast group for BUM traffic, how do you know what IP address to input, and what does that IP typically represent?

Example:

!
feature vn-segment-vlan-based
feature nv overlay 
!
vlan 10
  vn-segment 10010   ------> 10010 is VNID

interface nve1
  no shutdown
  source-interface loopback0
  member vni 10010 mcast-group 230.1.1.1 

interface eth1/2
!
ip pim sparse-mode

interface loopback0
  ip address 10.1.1.1/32
  ip address 10.1.1.10/32 secondary
  ip router ospf 9k area 0.0.0.0
  ip pim sparse-mode 

!
feature vpc
!
vpc domain 1
  peer-switch
  peer-keepalive destination 10.31.113.41 source 10.31.113.40
  peer-gateway
!
interface port-channel1
  vpc peer-link
!
interface port-channel112
  vpc 112
!

I was going to guess it is an IP dedicated to the VNI for both segment configurations, but I have no idea, and I haven't seen it specified anywhere how you derive the IP to be used for that section.



Being asked to setup SNMPv3... with a community string?

So I'm currently assisting an MSP with onboarding a new client of theirs and the direction I've been given is to enable SNMPv3 on their Cisco gear and let them know the community string. They're adamant that we use SNMPv3 and all I need to give them is the community string.

Now, I haven't done a ton of SNMP setups in my short networking career but I was under the impression SNMPv3 did away with community strings in favour of username/password and an encryption key. Am I wrong or are they getting mixed up with their SNMP versions?



Best tool for determining saturated upstream BGP AS's?

So now that everyone is at home, working over vpn.....I mean watching netflix all day, I feel the next order of business for us will be to show its not the network, it's the internet. What tools do you guys use to show saturation in AS paths from a customer standpoint? Something that makes reports and colors for dumb managers is a plus as well.



CUCM - no incoming calls to new site over tunnel. Outgoing works fine.

Good morning networking! I've had a TAC case open now for about a month and been transferred to 4 different people, so I'm reaching out here because I'm sure I'm just missing something. To start, I'm not ultra familiar with VoIP. We recently set up a new site, which is currently connected back to our main site over a site-to-site tunnel. We're still waiting for our local DIDs and MPLS circuit, so in the meantime we're registering phones over the tunnel back to the main site. Phones register just fine. We can call out both to external phone numbers as well as internal extensions. However, incoming calls fail. The calls are coming in on a CenturyLink trunk to CUCM, then over the tunnel (ASA to Meraki firewall) to the phone.

I've apparently stumped multiple TAC engineers with this issue. Let me know if I can provide any further information. Thanks!!



IPSec problems on Spectrum in NC market

Folks,

Not sure you want this post here, but I wanted to turn to people I knew might have some insights. I'm a Sr. SysAdmin/Network Engineer for a company predominantly in the NC market. We've switched everyone to a WFH model as of EOB today. So far, it's been hell trying to get everyone to use our SonicWALL IPsec (GlobalVPN) client. In normal times it works just fine for folks, but we've had increasing problems with it since every company has gone WFH. Bandwidth over VPN is *VERY* slow, like 0.07 Mbps slow, but reverts to normal when we take them off VPN. We're looking through the logs and we don't believe it's our firewall, like any QoS or DSCP tagging for example. In fact, we have switched some folks to SSTP/SSLVPN and that seems to work fine, but the IPsec client side seems to be very hit-or-miss. Is anyone having issues with Spectrum residential, specifically, with getting client IPsec VPN to work properly? I suspect QoS queues are flooded with IPsec traffic and that it's getting squashed at the headend, but I don't really know the ISP side of the puzzle very well, hence asking you all.

Any insights would be extremely helpful. TIA, colleagues.

EDIT: VPN policy is split-tunnel, so only office routes go through VPN. Using modern encryption ciphers. We have 1Gbps uplink at the office, which is 20-30% saturated at any moment. No throttling rules applied on inbound IPsec traffic.



I can't see webpage normally, but from Google cache I can?

I would like to ask about technical level thing so that I can learn more knowledge of the web. Here I will describe the case (happened recently) and would like to know the reason for this.

(I am NOT using VPN at all in the following case)

So, there is a webpage that I can see in the Google search results. I click the link, but it seems like the webpage doesn't exist anymore, because I can only see the site's main page.

However, if I click the Google cached version (cached version was from the last day), I can see this webpage. This webpage was last updated 20th October 2019, so this means that the webpage is still existing and has not been deleted yet.

Why can't I see this webpage from the normal Google search result or by typing the URL into the address bar? Why can I only see it via the Google cached version?

I am not sure how Google cache works in detail, but I know that the Google cache can only display the results that the web crawler has managed to find recently (from the last couple of days). Could this somehow be explained by the webpage's geo-blocking? For example, it doesn't allow my country to access it, but it allows the Google cached version to access it? However, I have always thought that the Google cache uses the same IP address as my local computer?



VPN DMZ Setup? Need some guidance...

I need to be able to connect printers at homes to our network in order to communicate with a dev server. So, in order to maintain some sort of security, and to avoid doing site2site connections at everyone's home, I had this idea:

What if I set up something like an OpenVPN server, and configured routers to connect to it, and handed those out? The VPN network would just be like a DMZ, where the only thing open to that network are the necessary ports on the dev server. So, users could connect anything to the router, and they wouldn't be able to do anything other than the printer stuff, so it would discourage them from connecting things in the first place.

My questions:

1 - Is this a good approach? Any better ideas out there?

2 - Being primarily a server guy, I'm not amazing at network stuff beyond the basics. Would I put the OpenVPN server in front or behind the Sonicwall? If I put it in front, I could just port forward the couple of things to the dev server. If I put it behind, I'd just forward VPN traffic to the server, and then put the DMZ on a different VLAN? Is there a better way?



Router kicks me out after password

Cisco router kicks me out instantly after I enter username and password. Anyone have that before and know what it is?



Nobody talks about us but what is new?

Just wanted to say good job to all the folks working late and making sure systems stay up. We are often the unsung heroes and will most likely remain that way. But from one worker to another: good job, folks.



SonicWall SSLVPN DHCP Range Explanation?

So I've set up a couple of L2TP VPNs in the past and seen a ton of PPTP ones working (I've gotten rid of all of them by now). On these configs, I've always seen and set up the DHCP range for the VPN clients to be the same as whatever network they are remoting into. So if their subnet on the LAN is 192.168.0.0/24, I'll give them an address in that subnet. I set SSLVPN up the same way and, though clients could connect, many times they would randomly stop being able to connect and then come back. After a lot of banging my head against this and giving SonicWall a call, they told me the DHCP range is supposed to be on a different network, for example 192.168.100.0/24, but I don't completely understand why. The VPN is working now but it makes no sense.

Could anyone explain?



VPN bonding anyone doing it

We have several locations. Most have redundant ISPs. As such we have redundant VPN tunnels. Had the thought of combining these tunnels. Looking through the several firewall vendors we use, they don't offer VPN bonding. Doing a search yields devices that have this capability. Wondering if anyone utilizes one and what the results are like?



After generating a CSR, I've now been given 3 SSL files from GoDaddy, of which I need to convert to a PFX file ... having issues though.

So I've been given a PEM file, a security certificate, and a PKCS#7 file. I'm now trying to get a PFX file out of these 3, but am running into problems. Can anyone walk me through the proper steps to do this? I've been trying openssl but have had no luck.



P2P Network Equipment

I need help picking equipment for a P2P network.

The main building has a Comcast Business Gigabit connection with existing UniFi equipment.

The campground is 360 meters away (power available) and will be an outdoor AP install. There are 24 sites available, only about 12 used at a time.

The shop is 560 meters away; its AP will be indoors.

https://imgur.com/a/OdpNm81



WiFi: Sometimes underperforming

I have a standard WiFi router from my internet provider. We have an iPad, 2 mobile phones and 2-3 Sonos speakers connected to it. Maybe a laptop, but we use those with a LAN cable most of the time.

In the surroundings there is only 1 other AP, from our solar panels, but other than that no other AP around. Checking WiFi Analyzer doesn't offer better channels.

Though at the moment my daughter is watching Netflix and I am playing Brawlstars on my phone. To my surprise the network connection is failing a bit.

What else can I do to improve WiFi quality? Or if buying another router is a possible solution what to look out for?

I have an IT background and understand the basics, but I am not a tech pro.



Making sense of ENTITY-MIB::entPhysicalTable

I am improving my switch management web application. One part of that is improving handling of hardware information. For modular switches I need to get list of linecards. That's what ENTITY-MIB is for. My current code parses the value of entPhysicalName, which looks like this (Cat6800 VSS cluster, each node with three linecards):

ENTITY-MIB::entPhysicalName.3000 = STRING: Chassis 1 5
ENTITY-MIB::entPhysicalName.4000 = STRING: Chassis 1 1
ENTITY-MIB::entPhysicalName.5000 = STRING: Chassis 1 3
ENTITY-MIB::entPhysicalName.6000 = STRING: Chassis 2 5
ENTITY-MIB::entPhysicalName.7000 = STRING: Chassis 2 1
ENTITY-MIB::entPhysicalName.8000 = STRING: Chassis 2 3

Single Cat6500 looks like this:

ENTITY-MIB::entPhysicalName.1000 = STRING: 6
ENTITY-MIB::entPhysicalName.2000 = STRING: 7
ENTITY-MIB::entPhysicalName.3000 = STRING: 2
ENTITY-MIB::entPhysicalName.4000 = STRING: 8
ENTITY-MIB::entPhysicalName.5000 = STRING: 9
ENTITY-MIB::entPhysicalName.6000 = STRING: 3
ENTITY-MIB::entPhysicalName.7000 = STRING: 4
ENTITY-MIB::entPhysicalName.8000 = STRING: 5
ENTITY-MIB::entPhysicalName.9000 = STRING: 1

Single Catalyst 9410R looks like this:

ENTITY-MIB::entPhysicalName.1000 = STRING: Slot 1 Linecard
ENTITY-MIB::entPhysicalName.2000 = STRING: Slot 2 Linecard
ENTITY-MIB::entPhysicalName.3000 = STRING: Slot 3 Linecard
ENTITY-MIB::entPhysicalName.4000 = STRING: Slot 4 Linecard
ENTITY-MIB::entPhysicalName.5000 = STRING: Slot 5 Supervisor
ENTITY-MIB::entPhysicalName.7000 = STRING: Slot 7 Linecard
ENTITY-MIB::entPhysicalName.8000 = STRING: Slot 8 Linecard
ENTITY-MIB::entPhysicalName.9000 = STRING: Slot 9 Linecard
ENTITY-MIB::entPhysicalName.10000 = STRING: Slot 10 Linecard

As you see, there's variation even within one vendor. Therefore I started a quite significant rewrite of the entity handling code to actually understand the entPhysicalTable interrelations, since that table is organized as an implicit tree by using the entPhysicalContainedIn field. I have found that all Cisco linecards follow the "chassis--container--module" pattern. The container's entPhysicalParentRelPos then gives the slot number, which is also the linecard's number within the system. That in turn makes it possible to make sense of port names in the form chassis/module/port. I have implemented this and everything looked fine. Well, until I ran my code on the 9410R...

1. chassis=1 slot=1 idx=1000 name="Slot 1 Linecard"
2. chassis=1 slot=2 idx=2000 name="Slot 2 Linecard"
3. chassis=1 slot=3 idx=3000 name="Slot 3 Linecard"
4. chassis=1 slot=11 idx=5000 name="Slot 5 Supervisor"
5. chassis=1 slot=7 idx=7000 name="Slot 7 Linecard"
6. chassis=1 slot=8 idx=8000 name="Slot 8 Linecard"
7. chassis=1 slot=9 idx=9000 name="Slot 9 Linecard"
8. chassis=1 slot=10 idx=10000 name="Slot 10 Linecard"

I guess you can see it. The supervisor is presented to the user as being in slot 5, and all the ports on it are 5/n -- but it's presented as being the 11th container in the chassis according to ENTITY-MIB, breaking the pattern. FML.

It looks like there's no generic way of getting the linecard numbering without special-casing stuff even if we limit ourselves to Cisco. Or is there? I'd definitely like to know.
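An added example, not code from the original post or from the poster's application: a Python walk of the chassis--container--module tree the post describes, fed with a constructed entPhysicalTable shaped like the 9410R case (supervisor in the 11th container, named "Slot 5 Supervisor"). It goes one step beyond the post by cross-checking the container's entPhysicalParentRelPos against the slot number carried in entPhysicalName, using the three naming forms visible in the outputs above ("Slot 5 Supervisor", "Chassis 1 5", and a bare "6"), and flagging rows where the two disagree. The class names as strings, the index values, and the assumption that a VSS member chassis carries its number in its own entPhysicalParentRelPos are all assumptions of the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    """One row of entPhysicalTable, already fetched (constructed here, not polled)."""
    index: int          # entPhysicalIndex
    cls: str            # entPhysicalClass as a name: chassis, container, module, fan, ...
    contained_in: int   # entPhysicalContainedIn (0 = top of the tree)
    rel_pos: int        # entPhysicalParentRelPos (-1 when not meaningful)
    name: str           # entPhysicalName


# Constructed table shaped like the 9410R case: the supervisor lives in the 11th container
# but is named "Slot 5 Supervisor" and numbers its ports 5/n.
SAMPLE = [
    Entity(1,    "chassis",   0,    -1, "Chassis"),
    Entity(101,  "container", 1,     1, "Slot 1 container"),
    Entity(102,  "container", 1,     2, "Slot 2 container"),
    Entity(111,  "container", 1,    11, "Supervisor container"),
    Entity(1000, "module",    101,   1, "Slot 1 Linecard"),
    Entity(2000, "module",    102,   1, "Slot 2 Linecard"),
    Entity(5000, "module",    111,   1, "Slot 5 Supervisor"),
    Entity(5001, "module",    5000,  1, "Transceiver 5/1"),   # contained in a module, not a container
    Entity(300,  "fan",       1,     1, "Fan tray 1"),
]

# entPhysicalName conventions seen in the three Cisco outputs above:
# "Slot 5 Supervisor" (Cat9k), "Chassis 1 5" (Cat6800 VSS), "6" (Cat6500)
NAME_SLOT = re.compile(r"Slot\s+(\d+)\b|Chassis\s+\d+\s+(\d+)$|^(\d+)$")


def slot_from_name(name: str):
    """Slot number carried in entPhysicalName, or None when the name has no number in a known form."""
    m = NAME_SLOT.search(name)
    if not m:
        return None
    return int(next(g for g in m.groups() if g is not None))


def linecards(entities):
    """Walk chassis -> container -> module and report one record per linecard/supervisor.
    Slot comes from the container's entPhysicalParentRelPos, cross-checked against the module
    name; when the two disagree (the 9410R supervisor) the name wins and the row is flagged."""
    by_index = {e.index: e for e in entities}
    rows = []
    for mod in entities:
        if mod.cls != "module":
            continue
        container = by_index.get(mod.contained_in)
        if container is None or container.cls != "container":
            continue                                  # submodules, transceivers, etc.
        chassis = by_index.get(container.contained_in)
        if chassis is None or chassis.cls != "chassis":
            continue
        mib_slot = container.rel_pos
        name_slot = slot_from_name(mod.name)
        rows.append({
            "chassis": chassis.rel_pos if chassis.rel_pos > 0 else 1,   # assumption: VSS members carry 1/2 here
            "slot": name_slot if name_slot is not None else mib_slot,
            "mib_slot": mib_slot,
            "index": mod.index,
            "name": mod.name,
            "mismatch": name_slot is not None and name_slot != mib_slot,
        })
    return sorted(rows, key=lambda r: (r["chassis"], r["slot"]))


if __name__ == "__main__":
    for row in linecards(SAMPLE):
        flag = "  <-- ParentRelPos disagrees with name" if row["mismatch"] else ""
        print(f'chassis={row["chassis"]} slot={row["slot"]} idx={row["index"]} name="{row["name"]}"{flag}')
```

The mismatch flag is the useful output: it tells the operator which platforms need a special case without silently picking either number, and the name-derived slot is what matches the chassis/module/port interface names.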



Setting up VPN for remote worker

Hi guys,

Not sure if this is the right place for this, but here goes. P.S. On mobile, so sorry for the formatting.

So I'm trying to get a VPN set up for some of our workers in order to work from home. We were originally using PPTP tunneling for this with a local user on the router. This works OK for the most part but wasn't really ideal, as it didn't really give us access to company resources on our network properly.

So I decided to set up an L2TP/IPsec connection which uses an IPsec PSK and LDAP for L2TP authentication. Now the connection is established OK, but we're still having issues accessing resources, and pinging known good host names doesn't yield a response. I'm guessing DNS issues?

Is there anything I can check, as this also seems to affect GPO updates to the remote PC?

Has anyone had any experience setting up this kind of VPN?

The router we have is a DrayTek 3900, if that helps any.

Any advice would be appreciated.

Thanks



CISCO ACI - overhead on multi POD and multi SITE

As far as I know, ACI-OS, NX-OS and IOS don't take the Ethernet header (14 – 18 bytes) into account, whereas IOS-XR includes the Ethernet header when you have to estimate the right size of the MTU. Everywhere I look about the MTU overhead on Multi-Pod and Multi-Site implementations, I read the message: "Keep in mind when configure Spine and IPN/ISN nodes to consider an extra bytes of 50".

My questions are two:
1) First, why 50 and not 54, given that Multi-Pod and Multi-Site are implemented on a routed sub-interface on the Spine (VLAN tag, 4 bytes), which adds 4 bytes on top of the rest?
2) Second, why should I consider an extra 50 bytes instead of ONLY 36 bytes on the spines (then on IPN/ISN it will depend on the platform and OS chosen whether or not to add another 18 bytes for the L3 header overhead) if ACI-OS is not counting the L2 overhead?

Thanks for your answers
Mario



Thursday, March 19, 2020

Can i receive wifi signal with a router?

I know it might sound like a rhetorical question, but is it possible for me to receive WiFi through my modem in another room using a router? I always used something like the mini WiFi adapter with the mini antenna, and it never worked perfectly. Is it possible and/or better to use a router in this situation?

Thanks for the help :)



Extending Cat5e / Cat6 Copper Wiring Greater than 300ft / 100m

Hi, I am aware there are a few ways to extend Cat5e and Cat6 beyond 300ft / 100m. Ways that I know of are to use an intermediary switch, use long-range Ethernet extenders, or even use media converters to convert the copper to fiber to carry a long distance and convert back to copper on the other end.

Someone told me that instead of an intermediary switch, I could save on overall cost and just opt to use a patch panel instead. Is this true? Here is an example of what I mean: https://imgur.com/mj4sv9r

Are there any other ways of extending copper that I am not thinking of?



Is it possible to extract the MAC of previously connected gateways on Windows 10?

Howdy folks. I have a situation where I have changed a router, but all the Windows 10 PCs are saying that this is a new network (you've probably seen this - e.g. https://i.imgur.com/OneLz7e.jpg). This is normal, but I would like to spoof the MAC of the old router so that the systems know that they are still connected to the same network. We have some systems that rely on the firewall being set to "Private network" on some portable devices and it's getting really annoying, and we don't have a domain environment in this particular instance, which makes it extra annoying. I know Windows has the ability to remember networks, so the MAC is most likely stored somewhere in a registry string, I just have no idea where. Has anyone else been able to find this before? TIA!

Edit: the old router is very much gone, sorry! I usually have access to the old router, but not in this case.



Restrict SSH Access ACL Issues

So I've been having trouble with what should be a fairly simple task, but ACLs have never really been my strong suit.

I've got a Cisco ISR 4331 and it's sitting in front of our firewall. I want to be able to SSH into it from the MGMT port, but obviously only from the internal network. It should definitely block SSH from the Internet.

I've tried to restrict SSH access to the MGMT IP using the ACL below, but when I apply it, it starts blocking SSH traffic. When I remove the ACL I can access it again.

I've set it to log both on allow and deny, and I can see a log entry when I try to access from the public IP, but when I try to access the management IP it says connection refused and doesn't log anything.

I've tried both standard and extended ACLs and I can't get it to work. I've had to disable SSH until I can get this fixed up.

Does anyone have any suggestions on how to get this to work? I just need to stop SSH access from the public internet.

Diagram: https://i.imgur.com/wsJjH3D.png

The ACL config:

ip access-list extended SSH-ACL
 permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
 deny tcp any any eq 22 log
 exit
line vty 0 15
 login local
 transport input SSH
 exec-timeout 5
 access-class SSH-ACL in
 exit
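An added configuration example, not from the original post: the same ACL with the one keyword a practitioner would check first on this platform. On the ISR 4000 series the dedicated management port (GigabitEthernet0) sits in the Mgmt-intf VRF by default, and `access-class ... in` on a VTY line refuses a connection arriving through a VRF interface before the ACL is consulted unless `vrf-also` is present, which fits "connection refused" with no ACL log entry while the public-side attempt does log a deny. Whether the MGMT IP here is in that VRF is an assumption of the example; the two show commands confirm or refute it.

```text
! check the assumption first: is the management port in a VRF?
show vrf
show ip interface brief | include GigabitEthernet0

! the ACL from the post, unchanged
ip access-list extended SSH-ACL
 permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
 deny   tcp any any eq 22 log
!
line vty 0 15
 login local
 transport input ssh
 exec-timeout 5
 ! vrf-also: accept (and then ACL-filter) connections that arrive via a VRF interface
 access-class SSH-ACL in vrf-also
```

If `show vrf` lists GigabitEthernet0 under Mgmt-intf, the missing `vrf-also` explains the symptom; if it does not, the next thing to check is whether the management address is reached through the firewall with source NAT, in which case the 10.0.0.0/8 match never sees the real source.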


How to run network cable between floor joists

I am running Cat6 in a new build currently and I have heard so many different things on how to secure it. I have a bundle of about 12 Cat6 cables in the cavity between floor joists. How should I secure them to the joist? The electrician said to use Velcro and just leave it as a floating bundle. I don't like that idea -- I would prefer them secured, and I really don't want to run conduit as it's a small run.

Using T59 staples seems like overkill for 12 lines. Should I just use hooks maybe?



How do you guys stay up to date with what's going on in the industry?

Curious to know. I like Packet Pushers, though I don't listen to it nearly as often as I should.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.

Note: This post is created at 00:00 UTC.



Advice on setup for multiple subnets to communicate with one master UPS on its own subnet.

We currently have one cabinet of servers running off an Eaton UPS via RS232 to the main server; each subsequent server in the rack receives its power source from the master computer. In the event of a power outage the UPS triggers the main server, which then cascades down to all our secondary servers. This works fine; everything is on the same IP range, 192.168.1.x.

I've been tasked with adding two more cabinets, and two more master servers in each rack with a few secondary servers; let's call those racks 192.168.2.x and 192.168.3.x. Each cabinet will have its own switch, and we do not want traffic or computers visible from one subnet to another. We do want the UPS to control all systems for shutdown and power, so I'm leaning towards pulling it off the main 192.168.1.x system, tossing in an NMC and putting it on its own IP range, something like 192.168.100.1.

I think the best solution is to set up a master switch (we have Dell S4128F switches for all of this running 10Gb fiber) to have the UPS on port 1, racks 1/2/3 on ports 2/3/4 and set up a VLAN so that each rack can talk to the UPS port, and the UPS can talk back, but keep traffic private so that each rack can't see the others' ports.

Does that sound right? I saw that APC's NMCs offer unicast support so you don't have to do anything like that, but it looks like Eaton does not. Any advice would be appreciated as I've been out of the game for a while.



Cisco CUBE - maximum SIP sessions

Just trying to get my head around what Cisco means by a session.

The below link:

https://community.cisco.com/t5/ip-telephony-and-phones/how-many-calls-handle-by-cube-gateway/td-p/3059971

States that the ASR 1001-X does 12k sessions, but does that mean 12k calls, or 6k? I'm not sure if their figures are uni- or bidirectional, or if they mean 24k active "legs" (2 legs per call).



VTP and BPDU

Hey, I'm new to networks so I don't know if this is a stupid question.

Does VTP advertise vlan updates through BPDU?



Possible to have manual text entry for the 'Group' field on AnyConnect?

We have a central Cisco ASA firewall in our datacenter which serves multiple clients of ours.

Does anyone know if it's possible to configure both the AnyConnect landing page (through the web) and the AnyConnect client to not display a drop-down box (that lists all our clients) and instead only allow plain text entry?



Hyper-V - Static team with no switch configuration - Consequences?

I've come across a setup with Hyper-V configured with a NIC team set to static teaming, but there is no configuration on the switch for a LAG/Port channel or anything.

Re-configuring the switch and the NIC team is already planned (going to LACP), but I am curious if anyone knows what effect or consequences the current setup may have, if any?

The team interface shows traffic going across different NICs.

I tried it in a lab environment and ran Wireshark expecting to see some anomalies, but everything looks OK, not really what I expected.



Is there a limit on how much traffic the internet can handle before "breaking down"?

Seems relevant with the current COVID-19 situation...



Lenovo RackSwitch G7052 - Janky ACL = normal?

Folks,

Wearing my (former) Cisco hat, I feel my "working" Lenovo RackSwitch ACL is janky. TL;DR - I want to limit a single port to 2 different MAC addresses. In the absence of real port-security options to address this directly, I had to use an ACL (shown below).

!
access-control list 151 ethernet source-mac-address AB:CD:EF:GH:IJ:KL ff:ff:ff:ff:ff:ff
access-control list 151 action permit
!
access-control list 152 ethernet source-mac-address AB:CD:EF:GH:IJ:KL ff:ff:ff:ff:ff:ff
access-control list 152 action permit
!
access-control list 153 ethernet ethernet-type any
access-control list 153 action deny
!
access-control group 150 list 151
access-control group 150 list 152
access-control group 150 list 153
!
interface port 22
 access-control group 150

Note: I did remove the real MAC addresses from the above.

Note #2: I do know that G-L are not valid characters in MAC addresses.

  1. I can't seem to figure out how to have a single ACL with multiple source MAC addresses listed -- is this a limitation or are my expectations wrong? I find it "wrong" to have to have an entire ACL for each specific MAC address.


How do ISP's handle DDOS attacks on LDAP UDP 389?

I work for a small service provider and we are getting hit almost nightly by DDoS attacks on customers, primarily on UDP port 389 using the LDAP protocol. Is it safe to set up filtering on edge routers to filter out traffic to UDP 389 without breaking anything on the customers' end? Our ISP says they can create an ACL for this in our provider's router to filter this out. Is there any legitimate reason why customers would need to use this port over the internet?



Favorite AP? Aruba, HPE, Ubiquiti, Cisco, etc.

I am looking at putting an access point in a remote shed. There is already Cat6 run to the building, and the network room is not far away. Preferably with gigabit Ethernet and VLANs, but PoE is off my radar. Looked at TP-Link access points, but I may need a controller.

Any suggestions?



Ansible x Huawei - CE commands

Hey folks,

We work with Huawei routers and switches, and we're experiencing some issues with the ce_config command.

My Ansible is version 2.9.4 and is running under macOS 10.15.3. I have no problem using Ansible with Linux servers.

I am able to run a command like the following (replacing with my own parameters obviously), but no playbook runs:

ansible -m ce_command -a 'host=10.10.10.10 port=12347 username=*** password=*** commands="display version"' localhost --connection local 

I have tried a simple playbook like:

- name: CloudEngine config test
  hosts: ROUTERS_TH2
  connection: local
  gather_facts: no
  vars:
    cli:
      username: myusername
      password: mypassword
      transport: cli
  tasks:
    - name: "Configure top level configuration and save it"
      ce_config:
        lines: sysname testansible
        save: no
        provider: ""

But I get the following error and found nothing interesting from a Google search:

unable to set mmi-mode enable 

I don't know what to do anymore, and don't even know if the CE module is still maintained...

FYI I used the following documentation : https://www.ansible.com/hubfs/pdf/Automated-Deployment-of-CloudEngine-Series-Switches-Using-Ansible.pdf?hsLang=en-us

Thanks for your help, feel free to PM.



what to do with extra time.

My job is mostly reactive, so I don't have a lot of time for proactive or "cool" helpful projects. So, with working from home and my users dropping from thousands to a few hundred:

OK, what are people doing with their extra time, or what things have you, as a network professional, wished to get up and running and never had time for?



ISP-related forums

Hi, does anyone know of any other good forums I can visit to discuss networking, telecoms, ISP news, etc.?



ISE API - Add MAC Addresses to Group from External Web Interface

Hi

A customer's service desk needs to easily add MAC addresses from end user computers to an ISE Endpoint Group to allow them access to PXE boot, AD, PKI etc.

New PCs are enrolled from a staging switch that does not run 802.1X, so this is not a problem. The only concern is existing machines that need to be re-enrolled, and this would typically happen as part of an ongoing troubleshooting process with the service desk.

We want to avoid teaching the service desk how to operate ISE, and having to collect the end user's MAC address manually, so the ideal situation would be to tell the end user to go to a specific URL (example: enroll.domain.com), log in using AD credentials and then have the client's MAC address shown along with an "Add" button that would create an API call and add the MAC address to an Endpoint Group.

This Endpoint Group would then have a purge policy that would wipe the MAC address 24 hours later.

Does anyone know if there is a system for this already, or know of any integrations that could potentially support this? I had a look at the My Devices portal, but you have to manually enter the MAC address of the device you want to add, which makes it too complicated for the end user.



2x ZTE DSLAM Rebooting multiple times a day - "Self-healing System Reboot"

Hi all,

Apologies, the network guru in our team is away for quite some time, possibly indefinitely. I'm trying to fumble my way through the following issue with the documentation I've been able to find online. Even searching the exact log entries returns zero results?!

We're running 3 x ZTE 9806H DSLAMs and two of them have this, with the one with not many ports seemingly fine.

It seems 1-2 times a day the logs show the following:

2020-03-18 15:17:06 System Start (warm 25)

2020-03-18 15:16:07 Self-healing System Reboot

2020-03-18 12:16:45 Port 1/17 link up

2020-03-18 11:41:52 Port 1/18 link up

2020-03-18 11:41:32 Port 1/18 link down,lossOfFraming||lossOfSignal||lossOfLink

2020-03-18 11:38:17 Port 1/5 link up

2020-03-18 11:37:06 Port 1/5 link down,lossOfSignal||lossOfLink

===================Redacted repeat Logs===================

2020-03-18 11:36:05 Slot 2 online

2020-03-18 11:35:53 Port 1/5 link up

2020-03-18 11:35:53 Port 1/1 link up

2020-03-18 11:35:34 Slot 1 online

2020-03-18 11:35:07 Port 5/2 link up

2020-03-18 11:35:07 Port 5/1 link up

2020-03-18 11:35:01 System Start (warm 24)

2020-03-18 11:34:03 Self-healing System Reboot

To me it seems that after a few 'link down' entries the DSLAM then kicks off self-healing and reboots. I'm looking to at least stop the DSLAM rebooting and then investigate the link down.

  1. Can I turn it off to prevent the DSLAM rebooting?
    1. I cannot for the life of me find anything remotely close to this in the list of commands.
    2. I've checked both the User Manual and the Troubleshooting Guide without luck.

Additionally, 'show system' has the below entries on each DSLAM. Does anyone know what this means in terms of operation? (Again, searching online and the documents above returned zero results?!)

DSLAM #1

reset-suspend mode : none

DSLAM #2

reset-suspend mode : fatal

Exporting the config and running-config from each of the 3 DSLAMs doesn't offer any clues of differences in the set config that would explain the rebooting and/or the reset-suspend mode above.



CAT5E 10GBase-T SFP+

Hi,

I understand that you can use Cat5e cables for a 10Gb network up to around 50 meters.

I understand that you can use SFP+ 10GBase-T adapters through up to 30-meter-long Cat6 cables.

But can you run 10Gb with an SFP+ 10GBase-T adapter through a 30-meter-long Cat5e cable?

Anyone have any experience with stuff like this? The customer needs a 10Gb network for workstations, and they have Cat5e wiring. I want to know if I can use SFP+ switches for this or if I need to use switches with native 10GBase-T interfaces.



IE-3000-8TC + 8TM Expansion = 8TM Expansion port 8 not working

So as the title says:

When I use an 8TM expansion, port number 8 on the expansion does not work. I have tried with another expansion but the problem remains.

If I add one more expansion to the system, the first expansion still has a problem with port number 8 but the second one is fully operational.

Am I missing something on the configuration side or is it a hardware fault?

If it's a HW problem, is it possible to fix it?



ISP guys/ladies, now that COVID-19 is in full swing and everyone is connecting via VPN, how's your bandwidth holding up? I work in a huge enterprise, and all our major data centres are trying to increase their internet link bandwidth. What about the bandwidth for the average consumer?


Monitoring amount of active SIP calls - Cisco

We have a bunch of Cisco ASRs acting as SBCs with CUBE Lite; I'm looking for a way to monitor the number of current active calls on each device.

Does anyone do this? If so, how?

We have SolarWinds, but I think we would need a custom UnDP poller and a specific MIB to poll.



Wednesday, March 18, 2020

IPAM Suggestions?

My company has been looking at an IPAM solution. Excel spreadsheets are wearing us all out. I looked at NIPAP, but I'm concerned about that project's maturity. Had a lot of compatibility issues on the latest Debian distro, plus we typically use CentOS, for which it is not really developed. phpIPAM is the next project I'm looking at. What other suggestions does anyone else have?



Staring down the barrel of a firewall cutover... Seeking guidance on AnyConnect licensing.

I'm replacing some ASA 5525s with a pair of 4110s in order to escape the 750-session max with the 5525 hardware. I'm due to cut over to the 4110s in the middle of the night and I still have some anxiety about AnyConnect licensing (due to ignorance).

Here's the "show license feature" output:

License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited
Maximum VLANs                     : 1024
Inside Hosts                      : Unlimited
Failover                          : Active/Active
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 10
Carrier                           : Disabled
AnyConnect Premium Peers          : 10000
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 10000
Total VPN Peers                   : 10000
AnyConnect for Mobile             : Enabled
AnyConnect for Cisco VPN Phone    : Enabled
Advanced Endpoint Assessment      : Enabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 10000
Cluster                           : Enabled

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited
Maximum VLANs                     : 1024
Inside Hosts                      : Unlimited
Failover                          : Active/Active
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 20
Carrier                           : Disabled
AnyConnect Premium Peers          : 10000
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 10000
Total VPN Peers                   : 10000
AnyConnect for Mobile             : Enabled
AnyConnect for Cisco VPN Phone    : Enabled
Advanced Endpoint Assessment      : Enabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 10000
Cluster                           : Enabled

I'm interpreting this output to mean that the device is currently entitled to 10k AnyConnect sessions without applying/transferring additional licensing. Is this correct?

Just trying to avoid the surprise of having next to no throughput for AnyConnect sessions due to some obscure licensing requirement that isn't made clear in the above output.

Thanks much.



What about getting new routers/etc because of covid-2019

Amazon said they are only shipping medical supplies. So that means I can't get network equipment. But my nearest Best Buy is far. So what does this mean for the network industry? It is already hard enough to get a new phone. So I'm technically screwed.



On Call. First 30 days in IT. Whole system just went down. Help.

I work for an MSP and I'm on call. I only have 30 days of IT experience and am essentially tier one, but have the fancy title of client engineer. A whole client's network just went down and a NOC in India called to let me know. Where do I even start? The main server is no longer pingable. I see some APs that are accessible but I have never once been in the CLI of one. Any advice on how to get into the server or troubleshoot where the outage is coming from?



Xfinity SecureEdge for Business transparently intercepts Port 53 DNS and breaks DNSSEC

About 3 weeks ago I did a speed upgrade on my Xfinity Business line and they threw in SecurityEdge for Business as part of the package. I have no idea what it is or what it does... There's no place to configure it and it's not really clear what it is based on any literature I could find.

On Mar 17th I started noticing a huge number of outbound DNS queries taking a LONG time to return, so I started doing some digging. When I switched some systems over to DNS over TLS and redirected to 1.1.1.1 / 1.0.0.1 the issue would go away.

I started doing more testing from one of our web servers that hosts a recursive DNS server for looking up RBLs and such (since they rate limit, using public name servers usually results in some sort of a block).

What I found was that queries to root name servers were returning IP addresses.... That's... not possible.

[root@web ~]# dig google.com @198.41.0.4 +trace

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> google.com @198.41.0.4 +trace
;; global options: +cmd
.                       600     IN      NS      i.root-servers.net.
.                       600     IN      NS      j.root-servers.net.
.                       600     IN      NS      k.root-servers.net.
.                       600     IN      NS      l.root-servers.net.
.                       600     IN      NS      m.root-servers.net.
.                       600     IN      NS      b.root-servers.net.
.                       600     IN      NS      c.root-servers.net.
.                       600     IN      NS      d.root-servers.net.
.                       600     IN      NS      e.root-servers.net.
.                       600     IN      NS      f.root-servers.net.
.                       600     IN      NS      g.root-servers.net.
.                       600     IN      NS      h.root-servers.net.
.                       600     IN      NS      a.root-servers.net.
.                       600     IN      RRSIG   NS 8 0 518400 20200331050000 20200318040000 33853 . v/tMTMhCpk16kk2iM6ckfFftGalf7yKrrgmOHZkWPIUA97vfkR0YqRtPOzXe8wy9GxR7OXMUKweqfHpgmK/tduGh3a8qdaZ69rFI+bhARgg8r+2TnsLDMgGaJL1s3VvjF10l4pKJ7NILeXz1BtoowxHh9u4ug2Z5SWVGp+NLdXpVjWNFtk3HJlyFYftFoeFJpN+W7yisfNQ3M/zj5Mn/qjFz00dh+1B2aFicUiOErlSV3LuHvKi5dMji1pCnDSkB/nMnRcOXC844G2WWt401p8eSBJ3Ycz3HO+f881PJbxo0QJQ/CH91z09yUPn/LShvZz1NIWt+XAYfaOPz v6ksKA==
;; Received 1086 bytes from 198.41.0.4#53(198.41.0.4) in 37 ms

google.com.             93      IN      A       172.217.10.142
;; Received 55 bytes from 192.203.230.10#53(e.root-servers.net) in 4 ms

I started doing more digging and timing tests. I was seeing traceroutes to the root name servers in the realm of 20-40ms, but I was getting DNS query responses back anywhere from 3 seconds to never. However, when I would get one quickly, it was WAY too quick, in the < 10ms range. This told me it had to be the modem.

Called Comcast Business and started talking it through with them; we went through the usual steps and on a hunch I asked them to remove SecurityEdge. After the change was made and it was removed, I started getting full proper traces:

[root@web ~]# dig google.com @198.41.0.4 +trace

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> google.com @198.41.0.4 +trace
;; global options: +cmd
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      RRSIG   NS 8 0 518400 20200331170000 20200318160000 33853 . qgasYmvTaMw/ft2FJz7Ze3a8EYdfzDR3E/n9ffoT8zkgJZhW74Yf1Tdnyt7zJUoZjZSL0px3bOccsey7rwAAt7PG3PKsG50hINxFU/G65DdLn5Fe0E3wqLh7J2oix+own3AHEUyntF3nuL/surpqvvZpLoS+DU4enbMfJlZfKSu2/73I+n6tx57gGWnekkFlgq7JVBS6MDry5UsFR4C3GwBInUqcFiQQATVi6s9+xcWmTWhUOLtZa9JyStBDWanch24001hD51VLFix7DOnA1+oG9IcdQjqO4WTbzk2TgfRGNvax6IPeVWwLOTaDfpH/1UjfqI6OVNldnXSE xBsI6g==
;; Received 1097 bytes from 198.41.0.4#53(198.41.0.4) in 17 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20200331170000 20200318160000 33853 . IqOJ6nE+fKiwc8jNJy+qBpMo2fMSJSYGRbfNO6sz4VejsuoYGDuEdrb4 g/bcwebIXaCWIn/d3pOQaf7f0jweWvykYr4uyKj6Q1fu+ppvzLHyvLxw +OmqOStuZXXgw/kiMEyEFaRGuFShZd74clSc/LJnOjtRXZ3vIb1LSXZZ cTT9nBKIgCe/yS/cbZwWLdkoK4q0vqEJgcdIhdrUsghfti+EVAieq/W/ lYuafNiOdh474NuPdJLM1FRdYey49TLVdyUoZ8n3M+JmRygPLEqH4RAk BFN5Z0DZsWEj7Ny/gAxnxApvM3w1Bog9X4Zl9DvI5DV53Ek4U2b7GCd3 ijCY4Q==
;; Received 1170 bytes from 198.97.190.53#53(h.root-servers.net) in 20 ms

google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns3.google.com.
google.com.             172800  IN      NS      ns4.google.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20200322044927 20200315033927 56311 com. pKi3j2T+MmOgxjdmTcZS3YYGSfTSSb0jX5woxUr9roiXvsiM6gxczhHa 43lZFia30VmrYsRNrA43ddnO03iC0bAU0QOfsMSZ0SasKx6fAb+Ynj0H Z/MlenueBOVWr11KlixRNF5hZgLIl+c/+nVM48BkKM6Xfoju4j8+Wedm Nm9phbpnEyd+awJ31vZJAvXDfwOT1SAqqKEq2F06iYoR4g==
S84BDVKNH5AGDSI7F5J0O3NPRHU0G7JQ.com. 86400 IN NSEC3 1 1 0 - S84EDELLAUPA96DT12TJKJN32334NGL3 NS DS RRSIG
S84BDVKNH5AGDSI7F5J0O3NPRHU0G7JQ.com. 86400 IN RRSIG NSEC3 8 2 86400 20200323044922 20200316033922 56311 com. dFM5sEzSJFsZb1+NeVpo9AeapUhEs/PM/sXDlQO9Mg0wCKLr5HzR3iTK pJ2bUaxuM24osIK/DndpkUQ+TBQF8uXxc9Trrq9kIlzfrylYuRWpOJSy lNXlEkwy51hcGC7i3h5yTDU7ARKQJwquX3BvzTITfbdRbkXCNMichVPg 25PwuWoHZIdsEuiKoWIYCbiUhNeWNhHggvqJ+zxC3+dd6A==
;; Received 836 bytes from 192.43.172.30#53(i.gtld-servers.net) in 18 ms

google.com.             300     IN      A       172.217.13.238
;; Received 55 bytes from 216.239.36.10#53(ns3.google.com) in 25 ms
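An added example, not part of the original post: a small DNS wire-format parser in Python that flags the symptom the two dig runs above show. A root server answering a query for a delegated name returns a referral (empty answer section, NS and DS records for the TLD in the authority section), so any A record in the answer section of a "root" response means something on the path answered in its place. The two messages are constructed to mirror the posted traces (the intercepted one carries the 93-second TTL seen above); nothing here was captured from the poster's network.

```python
import struct

TYPE_A, TYPE_NS = 1, 2


def encode_name(name: str) -> bytes:
    """Dotted name -> wire labels, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Read a possibly compressed name at offset `off`; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = pointer, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_response(qname: str, answer, authority) -> bytes:
    """Minimal response builder for the test vectors: one A question, RRs as (owner, type, ttl, rdata).
    Owner names equal to the question name are emitted as a pointer to offset 12, as real servers do."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answer), len(authority), 0)
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for owner, rtype, ttl, rdata in list(answer) + list(authority):
        owner_wire = b"\xc0\x0c" if owner == qname else encode_name(owner)
        body += owner_wire + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + body


def parse_response(msg: bytes) -> dict:
    """Header, question and the three RR sections as lists of (owner, type, ttl, rdata)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            sections[section].append((owner, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
    return {"qname": qname, "aa": bool(flags & 0x0400), **sections}


def root_response_is_intercepted(msg: bytes) -> bool:
    """A root server answers a query for a delegated name with a referral: empty answer section,
    NS (and DS/RRSIG) records for the TLD in the authority section. Address records in the
    answer section mean something between you and the root answered on its behalf."""
    parsed = parse_response(msg)
    if parsed["qname"] == ".":
        return False                                  # the root legitimately answers for itself
    return any(rtype == TYPE_A for _, rtype, _, _ in parsed["answer"])


# Constructed messages modelled on the two dig runs above (the intercepted one carried a 93 s TTL).
INTERCEPTED = build_response("google.com.",
                             answer=[("google.com.", TYPE_A, 93, bytes([172, 217, 10, 142]))],
                             authority=[])
GENUINE = build_response("google.com.",
                         answer=[],
                         authority=[("com.", TYPE_NS, 172800, encode_name("a.gtld-servers.net."))])
```

To run this against a live path, send the same question over UDP to 198.41.0.4:53 and pass the raw reply to `root_response_is_intercepted`; a DNSSEC-validating resolver notices the same thing differently, since the injected answer carries no RRSIG chain from the root, which is why the poster saw validation-dependent lookups stall.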


Shield validation with Fluke intellitone 200 pro

I noticed in my manual ( https://images-na.ssl-images-amazon.com/images/I/918+MVsG5RL.pdf ) for the above-mentioned tool the "shield validation".

In particular, to set this mode, you have to install the battery in the tool at different positions.

Can you explain how it's actually working and testing the shield?

Thank you!



A firewall that visualizes threats and shows where traffic is coming from, is this possible?

I have OPNsense set up right now and I want to be able to see where the threats are coming from without going command line / having to set up a complicated graphics server.

At the very minimum, I want to be able to see for example:

FROM 1.2.3.4 DESTINATION: 0.0.0.0 PORT: 3389 RDP

Can someone recommend options? Or does this already exist in OPNsense?



what do people use for unauthorized device surveys?

What do folks use for 'rogue' or 'unapproved' or 'unauthorized' device surveys? For our purposes this means someone, authorized or not, plugs a device into the wired network that's not listed in the system inventory.

We've got boxes running LibreNMS at each site (mostly for system health monitoring). It regularly does an autodiscover survey but only detects and lists devices that respond to SNMP. This is not exactly useful for comprehensive unauthorized device detection.

Suggestions? If it matters, we are *nix-savvy and it's our preferred environment but if we need to use another one for best results we can.



4G Failover Solution for Field Employees - Questions about Cradlepoint

I handle the IT for a very small company, and we have groups of employees that work in the field. They are primarily at our clients' offices and typically access WiFi through a travel router. At some locations, the service is temperamental or unreliable. I would like to add 4G failover to deal with any WiFi interruptions. I am looking into Cradlepoint options, but I'm not sure what to use. I would need the WiFi as WAN feature. It seems like the AER1600, IBR600LE, or IBR650LPE would work, but I can't tell what would be best. I did find out that we have some MBR1400s from an old project, so that may be an option too. They are a discontinued model I think. I'm also open to other options if they're worth considering (Meraki, etc.). I don't have a lot of experience in this area, so I apologize for the questions. I appreciate any input/advice.



Need help clarifying how PMKID is used in WPA2-PSK.

I have successfully performed an attack that utilizes the "PMKID attack vector of a WPA2-PSK network" (the one discovered by the author of Hashcat). I tried this against a range of APs, where the only vulnerable AP I found was configured with "WPA2-PSK", with both a 2.4 and 5 GHz network. I understand that PMKID is used for "reducing the delay when roaming between APs" - but does this apply to roaming between the 2.4 and 5 GHz networks under the same AP? I also understand that the PMK is equal to the "secret" in PSK networks, and that the PMKID requires this PMK (in addition to MAC etc.).

As this is still kinda unclear to me, I apologize for the poor explanation and appreciate all feedback :)



Wait, WHAT? You're whitelisting IPs on the Azure VM

Not even lunch and I feel I could use a beer.

So one of our users needs to gain access to one of our VMs now that we are all working remotely. No problem, I figure: fire up the VPN client, log into the firewall, create a new user and download the OVPN file and included client. In the meantime our cloud admin replies he's got this; cool, I email him and the user with the files and login info, figure all is cool.

10 minutes or so go by and he says all is good, he whitelisted her public IP at home, she can just RDP in. Wait, WHAT? (Not going to even get into the fact she has a dynamic public IP at home.) We set up the VPN over a year ago so people that are offsite can VPN into our network and route from there, so we only have 1 IP whitelisted (layers of security).

I get a hold of said admin and let him know that he has the files in his inbox and I would highly recommend connecting that way (my title is just computer technician so I can't come down heavy-handed).

After a few attempts the admin cannot get it to work. I do some googling and find a nice guide from a VPN website that goes over the install and import of the OVPN file and which client to use, and forward this all to him. I figure, OK, we will be good now.

Buzz buzz goes my phone, it's the third of the Lone Gunmen IT dept. Hey man, he's tried and it's not working, let's just keep it the way it is, as she is able to connect. I respond to the group that while I don't want to step on any toes, I am willing to log in and get the client running; my only concern is the security of the VM, but if you two feel it's a non-issue, I'll stand down.

So here I am, standing down. We will be reviewing our VM login process when we are back at the office.

I just think back to one of my dad's sayings: "If you don't have time to do it right, you'll have to make time to do it twice".



Correctly shutdown a SonicWall HA pair?

Hello

I wanted to know if there is a proper way to shut down a SonicWall HA pair. How can I force it to connect to the primary and the secondary? Is there an order that needs to be followed? Is there a command (couldn't find anything in the GUI)?

Couldn't find anything. Just want to make sure, as we need to swap the firewalls for something else.



installing ECC cert on Cisco Firepower 1140

Hello,

We're trying to get another VPN connection up for our company and running into issues getting the ECC certificate installed on the Cisco Firepower 1140 via the FDM web gui. I read that you have to use OpenSSL to create the private key and CSR. We did this and it wouldn't accept the private key file that we generated with the certificate. Anyone else have this issue?



Satellite video vs internet video - which is faster?

I live in Europe and I want to broadcast a local live show from Sri Lanka to Europe with near 0ms latency. What are my options? What would be the topology? Can it be done without going personally to Sri Lanka?



Surprised they finally admitted it!



StrongSwan private VPN

I set up strongSwan on my Linux CentOS server. I am able to connect to it successfully. However, I am not able to load any websites. But when I access apps like WhatsApp or Telegram, everything works as normal.

I checked the ports etc. and enabled the HTTP and HTTPS services but websites still don't load.

What could be wrong?



Quick dhcp question

Hey guys. So I am new to a position and the network is a little different from what I am used to. Basically running a class A 10.231.xx.xx network. My DHCP scope shows [10.231.32.0] 10.231.47.1-254. I am trying to understand how/why only certain IPs have external access to the web. My experience with scopes has always been straightforward. This is a highly secure network with very limited access to the web. Mostly I am trying to understand how this is configured to only allow 10.231.47.225-240 web access. Appreciate any insight you can provide.



AWS Direct Connect?

Currently using a mix of VPNs/TGWs across multiple AWS accounts and wanting to move off that to AWS Direct Connect. I am wondering how you dudes have implemented this? Also wondering if it is per VPC, so I can essentially point a route to it on-prem and down at the VPC level and be done? If so, where are you terminating the AWS link? On a FW or core?



Good value/cost certifications?

I am on a limited budget but want to spend my off-time at home building competency. Currently I hold a CCNP Enterprise and am looking for something to accompany it on my CV.

What are some good "bang for the buck" certifications within networking/automation/governance?



Fortigate 60E - VPN logs

Like everywhere in the world we all have a lot of our people working from home.

Is it possible on Fortigate 60E to see when each user logged in to VPN and duration of session?
I can see VPN Events but I can see it's logging only errors.

Thing is - where can I see when each user connected?

Thanks



Tuesday, March 17, 2020

Setting up wireguard with openwrt router

Have a GL.iNet travel router I got for fun/learning. It actually can run a WireGuard server itself. However, I configured the WireGuard client on my PC and the WireGuard server per the manual and the 3-way handshake never completes.

I am wondering if I need two of these devices, one to be configured as a client and one for the server.

Or what am I doing wrong?

My travel router is downstream of the main home router. It seems to work fine in a LAN/WAN mode; if I switch it to an extender or AP I lose access to the admin console. No loops were created thanks to STP and it handled all traffic from my switch fine.

Just can't get wireguard working.



Troubleshooting

I am looking to develop my network troubleshooting skills, and I want suggestions on how to develop and proceed with networking. I really appreciate any suggestions.



Datacenters & Burstable Bandwidth

Hello everyone,

This is probably a novice question but I wanted to make sure I'm understanding correctly.

When you're sold burstable bandwidth w/ commit, does anything control the burst allowance on a standard 1G port? Now I know if it's capped below a gig obviously something is policing it, but let's say you've got a 400Mb commit w/ burst to 1G. Is there anything provider-side that allots the 401 to 1000 bandwidth based on a metric, or do you just get 1000/1000 and pay for usage above commit?

Thanks!



Stuck creating an infrastructure for a fake software company for college project

I posted this in /r/softwaredevelopment, too but it's still waiting on mod approval :/ Anyway...

Hello everyone, I’m hoping someone could provide some guidance. I’m working the Capstone for my cybersecurity degree and it consists of solving a (security-related) problem for an organization. I’m really into quantum physics and cryptography, so my topic combines those two into a project which I’m sure we’ll see a lot more of over the next decade or so.

My project is to harden a small business from quantum attacks. To fit with a realistic threat model, my scenario will address a small software developer with valuable IP that a foreign nation (one with advancing quantum computers) would consider to be of high economic value. This fake company makes software for autonomous vehicles.

Here’s where I’m stuck. I’ve never worked in software company or as a developer. I'm trying to put together an imaginary firm's infrastructure so I can conduct my analysis, but my lack of experience in such a company is slowing me down. I was thinking of following a basic startup infrastructure laid out in this article https://about.gitlab.com/blog/2017/08/07/how-startups-build-it-infrastructure/ though it doesn’t give any attention to the physical network layout at all (I’m not sure how important that is either).

After laying out the infrastructure, “my security company” will harden the network as per guidelines set out in the book Cryptography Apocalypse: Preparing for the Day When Quantum Computing Breaks Today's Crypto by Roger Grimes. That book is the foundation for my IT solution which will involve ensuring systems are “crypto agile”, or can switch out cryptographic modules for algorithms that are quantum-resistant. The other main protections are increasing key lengths for symmetric and hash algorithms in use.

So, I just want to create a realistic network that I can modify to be protected against breaches of confidentiality, even if their data were intercepted. I was thinking of making a situation where the company moves source code and databases onto self-hosted systems and to make my improvements from there, but I don’t even know how realistic this is for an autonomous car software startup. I have so many questions, but many of them will depend on what sort of feedback or direction it’s suggested I take. I’ve started using Packet Tracer but I’m not required to create the network with it all, I just like it a lot. I would certainly appreciate any insight or resources I can learn from. Once I have something to fix, I’ll finally be able to move forward!

P.S. I also found the article at https://medium.com/@olley_io/what-software-do-autonomous-vehicle-engineers-use-part-1-2-275631071199 to be quite interesting, but it still doesn’t lead to me how their IT infrastructure might be set up. Also, stay safe and I hope you all stay healthy through this tough time.



BGP EVPN - benefits of using eBGP

I've been reading and labbing BGP EVPN for a little while now. I'm still not seeing the benefits of using eBGP for the IPv4 and EVPN address families, instead of using the BGP EVPN address family with an IGP (OSPF, EIGRP etc.).

How many people have these in live environments? Have there been any shortcomings from using an IGP? Has an eBGP data plane made things easier? If so, how?

The only arguments I've seen for eBGP:

- fast failure detection = only if not a unidirectional failure. Otherwise BFD is required.
- simpler config = many more commands required and more divergence between leaf configs
- see the AS path = why? the RD is there
- fast convergence = all the tweaks still give it the same convergence as RIP or anything else.



Help with SuperMicro and Mellanox ConnectX-4-based NIC - no network interfaces are appearing?

I have a SuperMicro server, and I've just installed a new SIOM (proprietary SuperMicro form factor) network card - AOC-MHIBE-m1CGM.

From the specifications, this seems to be based around the Mellanox ConnectX-4 chipset.

The SuperMicro website mentions it can do either Infiniband or 100Gbps Ethernet.

(I'm pasting screenshots, because the box doesn't have network connectivity yet, and I'm doing this over IPMI)

Anyhow, when I check the ip addr listing, I don't see the 100Gbps interface come up (either on Infiniband or Ethernet):

https://i.imgur.com/M3B4rYa.png

If I check dmesg output, I do see "mlx" mentioned:

https://i.imgur.com/TwUorXY.png

mlx5_core 0000:21:00.0: firmware version 12.21.0000
mlx5_core 0000:21:00.0: 126.016 Gb/s available PCIe bandwidth (8 GT/s x16 link)
...
mlx5_core 0000:21:00.0: Port module event: module 0, Cable plugged
mlx5_ib: Mellanox Connect-IB Infiniband driver v5.0-0

Also - if I check lspci, I don't see Mellanox mentioned at all.

Any ideas what's going on? Is there something wrong with the card, or do I need to do something special to get it to work?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC.



Show connected ports in a certain vlan

Need help. Trying to show just the connected switchports in a particular VLAN on Cisco Catalyst switches. Tried "show int status | in (Vlan432)|(connected)" but think this is more of an "or" statement. Anyone have any ideas? This will be run as a job so that I can see daily if someone has plugged into (in this instance) an unrouteable VLAN. Still working on 802.1x, but need this for now.
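Since this is meant to run as a scheduled job, the robust route is to parse the table into fields and apply the two conditions as a proper AND, rather than grepping for substrings (a substring match on "432" would also hit a port description or a speed column). The following is an added example and not from the post above; the `show interfaces status` output it parses is constructed sample data in the Cisco IOS column layout, and the status keywords it recognizes are the common ones (connected, notconnect, disabled, err-disabled, inactive).

```python
"""Report ports that are both 'connected' and in a given VLAN.

Added example (not from the post): parses Cisco IOS style
`show interfaces status` output into records so that status and VLAN
can be tested together. The output below is constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample output. Gi1/0/4 has "432" in its description but is
# in VLAN 10, which is exactly what a plain text match would get wrong.
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   Office PC          connected    432        a-full  a-1000 10/100/1000BaseTX
Gi1/0/2                      notconnect   432          auto   auto 10/100/1000BaseTX
Gi1/0/3   Uplink             connected    trunk        full   1000 1000BaseSX SFP
Gi1/0/4   Desk 432 printer   connected    10         a-full  a-100 10/100/1000BaseTX
Gi1/0/5                      connected    432        a-full  a-100 10/100/1000BaseTX
Gi1/0/6   Spare              disabled     432          auto   auto 10/100/1000BaseTX
"""

# Status keywords that terminate the free-text Name column.
_STATUS_WORDS = r"connected|notconnect|disabled|err-disabled|inactive"

# Name may be empty or contain spaces, so it is matched lazily up to the
# first status keyword; the remaining columns are single tokens except Type.
_ROW = re.compile(
    rf"^(?P<port>\S+)\s+(?P<name>.*?)\s*(?P<status>{_STATUS_WORDS})\s+"
    r"(?P<vlan>\S+)\s+(?P<duplex>\S+)\s+(?P<speed>\S+)\s+(?P<type>.+?)\s*$"
)


@dataclass(frozen=True)
class PortStatus:
    port: str
    name: str
    status: str
    vlan: str   # numeric VLAN, or 'trunk' / 'routed' as the switch prints it


def parse_interface_status(text: str) -> List[PortStatus]:
    """Turn each data row into a PortStatus; the header line does not match."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append(PortStatus(m["port"], m["name"], m["status"], m["vlan"]))
    return rows


def connected_ports_in_vlan(rows: Iterable[PortStatus], vlan) -> List[str]:
    """Ports whose status is 'connected' AND whose access VLAN equals `vlan`."""
    wanted = str(vlan)
    return [r.port for r in rows if r.status == "connected" and r.vlan == wanted]


if __name__ == "__main__":
    rows = parse_interface_status(SAMPLE_STATUS)
    for port in connected_ports_in_vlan(rows, 432):
        print(f"ALERT: {port} is up in VLAN 432")
```

Feed it the real output captured by whatever runs the job (an SSH collector, RANCID, etc.) and alert when the list is non-empty. Keep in mind that an access port showing "connected" in the quarantine VLAN tells you a link came up, not who is on it; pairing this with the MAC address table on the same port gives a much more useful alert until 802.1X is in place.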



Cisco - Advertise local host routes

Is there a way to advertise a local route to a BGP neighbor? Let's say I have an interface with a /30. The local IP of the interface shows up on the routing table as a /32. I want to advertise that /32 to a BGP neighbor.

I tried network statements and static routes, but they didn't work. I'm able to do this on a Juniper box with redistribution, but I can't figure out how to do it on a Cisco router.



Custom Connectivity Application on All Users Computers?

Does anyone know of any application that we can deploy to all of our users' computers that lets us configure any type of connectivity tests we want and then have it package the results so they can easily be sent to us? Was thinking we could program it to run through various things like iperf, ping, DNS checks, etc. Ideally want to deploy to PC and Mac.



HTTPS requests crashing ASAv 9.9.2 on FPWR chassis

I just stood up a couple of FPWR 4110s in ASA mode, which will be dedicated AnyConnect firewalls. Everything was going well until I set up failover between them. Now, when I initiate HTTPS traffic to the management interface (either through ASDM or browser), the Active firewall crashes and reboots. Because HA is enabled for the interface, a failover occurs and then the secondary is hit with the same bug. So, basically, any HTTPS request crashes both firewalls.

Outside of TAC (which may be inevitable for this issue), I was hoping that someone here may have come across a similar issue and found a fix.

Needless to say, I am unimpressed with Firepower so far... As if there isn't a mound of criticism against it already.



What kind of High Availability/Failover/General testing would you do during your business closure that you normally wouldn't?

I work at a casino so I have NEVER had the luxury of a true maintenance window, let alone a 2 week+ maintenance window. This casino has not closed one day in something like 17 years. This is golden egg type territory here to actually be able to re-arrange network racks, change scary configs, test out redundancy etc etc without the fear of a network outage on the floor.

So the question is: What kind of maintenance and testing would you do for your network given the opportunity to break it at will?

We run a pretty simple network here. Nexus 7010 core/Catalyst 6500 distributions/Catalyst 3650 access switches. Cisco UCS with VMware on top for the compute side of things, and Cisco MDS with Hitachi storage for the SAN part.



Network Testing

Hey all, I'm one half of a 2-man-band that focuses on network testing. We've been working for equipment manufacturers, testing the routers/switches/firewalls etc. that they are developing.

We need to look for a new client now though and I was wondering how much testing goes on in other parts of the industry (VARs, enterprise networks, ISPs etc.).

Would anyone be able to comment on what testing happens inside your company and why? How much of it is informal 'plug it in and try it' vs documenting, executing & possibly automating the tests more formally?

It seems like a lot of the testing we have done on the manufacturer side (system, solution, performance, scalability, security testing etc.) would apply but it would be great to hear what actually goes on.



Need some advice to extend wifi from our main building into our parking lot a few hundred yards from main router. [X-post from r/Wifi]

Hey all. As the title says, I want to extend internet access to our parking lot. We have some semi-trucks that park overnight and we need them to have WiFi access to the internet. We will be setting up some scheduled file transfers via tablets in the trucks and their cameras, which need to be able to connect to the cloud via a WiFi source. We currently do not have power at the parking lot. The parking lot is about 150-200 yards from the closest roofline in the building that has internet.

In the past, I have installed a point to point bridge for a hardwired computer with good success but that was at another location and was for the single connection.

Could someone point me to an access point I could attach on our roof, that would cover that sort of distance? Is this the correct hardware for what I am wanting to do? It does not have to be omnidirectional. If possible maybe find an AP that I could change out to a high gain directional antenna?

I would have to have the AP hardwired to a router and not just a switch, right? It would need to be able to have multiple users connect and pull at once even if it takes a lot longer.



Second internet connection for live streaming

Hi, I live stream for a living. I'm using 4G wireless internet (no wired option here) and it drops out almost every day for a minute or so, which results in a huge loss of people watching.

What do you guys recommend for redundancy internet connection? I really need to get this fixed.

I heard you can combine two ISP speeds into one, that would be pretty neat. Also I need low latency.



Bandwidth Allocation Protocol? How is traffic prioritized and configured?

A) Happy National VPN Concentrator Appreciation Week

B) There are major rolling internet outages being reported by users to providers all around the country. Barring their VPN issues and such - I assume that this is because 'residential' internet is optimized for *prime time* hours (4pm-11pm) and is not setup to essentially handle 'business' traffic during business hours. I use 'quotes' because I am assuming all of this traffic travels along the same hardware (ie regional cabling, etc) but is somehow optimized/prioritized through software by the telecom provider.

C) Am I correct in that assumption? Can you explain (like I am maybe 10) how this works? What protocols/etc are used?

Thanks!



AnyConnect VPN, some users with Linksys routers unable to resolve DNS once connected.. have to set public DNS servers

Hey all, my company has a VPN group/profile set up specifically for using our VoIP software phones, and when some users connect with certain Linksys routers it seems like they are losing DNS capability. The only fix seems to be going into their personal home routers and setting up public DNS servers (such as Cloudflare, Google, Quad9, etc). Then at that point I can connect to that Voice VPN profile and we're good to go.

Is there any logical reason why this would be happening? I can't quite suss it out lol.

We're using the AnyConnect client connecting to a Cisco ASA.



Running OSPF on F5

Greetings Fellow Engineers,

A colleague of mine and I are debating whether to run OSPF on our F5 load balancers. However, our initial implementation was unsuccessful. We called F5 support to get a root cause analysis and we asked the experienced F5 support person if he gets a lot of calls on OSPF running on F5. His answer was "no, not really".

So my question is for the F5 load balancing folks, how many of y'all run OSPF on your F5s vs. static routing? If you do run OSPF, what are the advantages over static routing?

Warmest Regards



Is it stupid to combine an inbound and outbound firewall rule into one rule?

I am working on a large firewall change on our Palo Alto 5060's and the customer indicated this traffic is initiated from both sides. The traffic will be sent to the same destination port regardless of who initiates the traffic. Is there any harm in basically combining the inbound and outbound rules into one rule? Basically the source zone would include both the trusted and untrusted zone, as would the destination zone. The source IP would include both the local IP on my side and the far end IP. Repeat for the destination IP.

Is there any harm in this? I've discussed it with my colleagues and the only argument against this I've heard so far is that troubleshooting may be more difficult to troubleshoot/differentiate the inbound vs the outbound rule matching since they would both be in one rule.

Thanks in advance for any help.



Pulse Secure: Remote users have direct access to fileservers ?

Hi, a little bit of panic here: a new customer has a Pulse Secure cluster, and I am completely new to this. As far as I understood from the guy on-site who is more or less their on-site first line support, only IPs mentioned under Resource policies\VPN Tunnel Split Tunneling\policies can be accessed from outside by someone who establishes a VPN connection to the company. They only need to access a terminal server farm.

Now I hear from people within this company that they are able to access their file servers from their homes when they have set up a VPN. This worries me a lot, due to security concerns. So I have a few questions: Is it true that only servers which are in the split tunnel policy can be accessed by the role it's been assigned to, when they set up a VPN? Is there a way that I can deny access to the file servers?



VPN works on Windows, but not on OS X with openvpn?

Have a Sophos XG firewall where the Windows VPN application works fine, but using the configuration with OpenVPN on Linux or OS X breaks everything. Says DNS will not work because it's not a public IP so it can't be routed. Why would this work on Windows and not OpenVPN?



When do you replace equipment due to issues?

Brief background:

I've been through several network equipment changes over the last 10 years and now starting to wonder if it's time to switch again. We started out with HP Procurve in the beginning and then went on to Brocade, followed by Aruba. The last two changes have been due to issues which affect production adversely.

Now we're starting to see a lot of bugs and it feels like I'm upgrading switches every two weeks because of it.

My question now is when you think it's time to move to new equipment/vendors because of issues?
When is it the "last straw" so to speak?



Remote Access VPN with Centralized Internet and Massive WFH Trend Issues?

For those of you administering remote access VPN where the default route is pulled over the tunnel into the hub site, how is this design holding up with such a massive inflation of work-from-home employees? Any recommendations for those whose infrastructure might be suffering under the weight of this additional load?



BIRD - Export path for visualisation

Hello,

I am currently using bird and iBGP to route nets between multiple datacenters over a VPN. This is working fine so far.

Is there any way to get a "nice" visual representation of the current route map? E.g. get a graph that shows which subnet is flowing over which routers.

This is not really necessary but nice-to-have.



Aruba APs - integrated Zigbee support?

Hello r/networking,

Currently I use a single AP515 in instant mode with the latest firmware 8.5.0.3_72498. When it was introduced about one year ago a main selling point on the data sheet was the upcoming Zigbee support. However, no documentation ever mentioned it again, it's not part of the webgui and HPE support told me to contact my vendor, even though I mentioned that I am not a company and just own a single device of theirs.

Has anyone tried that Zigbee support yet or at least knows what devices are supported?

I'd like to cut down on the various "connectors" and bridges that seem to universally lack PoE, and hoping for a better signal to devices further away (despite the broadcasting nature of Zigbee I keep having connectivity issues). I thought I'd ask here since this is the most likely place for people to have Aruba APs deployed. Thanks a ton!



Potential stupid question...(if asked on the wrong subreddit please point me to the right one)

How much does a 24F armored OFC cable cost per meter? And does the price go down with the age of the cable? Asking this because I have about 800m of it. My dad used to lay OFC cables underground connecting two towers and I don't know much about the work, but he left some cable at my place so I'm looking to sell it to a local ISP.



Monday, March 16, 2020

Looking for Fortigate/Cisco Small business switch help

I recently replaced an old Fortigate 92D with an 80E. Manually copied the config over to the new device. There were 3 internal VLANs configured on lan port 1 (we'll call them VLANData, VLANVoice, and VLAN3), which are trunked to the Cisco small business switch. Now, once I put the new firewall in place, I cannot ping devices on VLANVoice from VLANData. I can however, ping the gateway address for VLANVoice from the VLANData network. I changed nothing in the switches, yet it would seem that they lost the ability to route between the two?



SSL Decryption?

New to networking and security. I understand Meraki cannot decrypt SSL; is SSL decryption absolutely necessary for a small office (<50 employees)? Also, would you want to do a Meraki + F5 or rather go with Fortinet?



Captive Portal

Anyone with ideas on how to create a captive portal or "splash" page that would require a click-through before gaining internet access? I don't mean WiFi. I am coming from an ISP and looking into using this for emergency notification. I do understand it's not a normally acceptable practice. Thanks for any ideas.



RSTP Protocol Confusion

I've been studying for the JNCIS-SP exam and I think I am confusing myself more and more about RSTP.

After root bridge election, who initiates BPDUs? I thought the root bridge initiates configuration BPDUs and then the other bridges forward that BPDU along, modifying a few of the fields. Is this correct? Are these configuration BPDUs the same as Hello BPDUs?

I am not understanding the max age - message age timer interaction. The default max age is 20 seconds, and the message age starts at 0 at root, and is incremented by 1 as each bridge forwards the BPDU. If the message age is equal to or greater than the max age, then the BPDU is expired (sort of like a TTL). Does this mean the STP topology is limited to 20 levels by default? And what does a bridge do if it receives an expired BPDU? Ignore it?



Losing Internet frequently

So every 30 minutes or so (sometimes less) I lose the internet. Everything keeps pointing to a DNS issue with the ISP. Problem is that I switched our router to not use our provider's DNS servers. I'm still getting the issue.

Is it the router itself? Or is something else causing the dns to go out? I really need help because it’s frustrating me and the support guys aren’t very helpful.



Just brought down VPN for 1k users by inserting an SFP in ASR1001-X

In prep for a new 10g internet circuit, I inserted a Cisco SFP-10G-SR= into Ten0/0/0 of our ASR1001-X. No fiber patched in, simply inserted the SFP into the slot.

Immediately after, Gi0/0/0 goes hard down which is our current 1G internet circuit. Gi0/0/0 transceiver is a Cisco GLC-LH-SMD.

This has to be a bug?

Mar 16 10:33:52.538 CDT: %TRANSCEIVER-6-INSERTED: SIP0/0: transceiver module inserted in TenGigabitEthernet0/0/0

Mar 16 10:33:53.286 CDT: %LINK-3-UPDOWN: Interface GigabitiEthernet0/0/0, changed state to down



Service Provider Tools

Hi fellow nerds!

Was wondering if anyone working in a Service Provider company could shed some light on the tools they use to hold customer information and monitoring etc?

Currently we use PRTG to monitor our core and customer networks, Lucidchart for network diagrams, and RANCID for config backups. And a lot of other SharePoint sites and documents for info capturing - very manual and messy from sale to support cycle.

Is anyone using some sort of single pane of glass? If so, was it premade or built in-house? We'd like something that can do in-depth traffic monitoring (like PRTG), CMDB and DCIM, with an added touch of NMS if possible (automation, network topology discovery).

Thanks for any suggestions!



PBR on WAN Interface of ASA

As title states, I am wondering if I can use PBR on the WAN interface of an ASA?

Scenario is this: currently, all end user web-based traffic is to be routed to a VTI on the ASA, then to Zscaler. This works just fine. ACL defined. Route-map statement, match ACL and next hop to VTI. Policy-route route-map xxx applied to the inside interface, no problem. I'd like to include AnyConnect web-based traffic in this tunnel as well. That would mean applying a similar policy-route route-map config to the WAN interface, as that is technically the source of the AnyConnect traffic. Is this possible? Or is this something in the AnyConnect group-policy that I need to define? If there is any further information needed, let me know. Thanks!



Firepower 2120. VPN stats via snmp

Hello, I'm trying to find some OIDs with info about the number of active remote access users, active sessions etc. Does anyone have any advice here?

thanks for support Pet



Port monitoring

So when I configure port monitoring to monitor a port on my local connection, I lose connectivity. My connection still displays as live but I cannot ping or visit any sites. I am, however, still able to monitor traffic from the targeted port using Wireshark. Could this be because my port cannot handle the traffic from both lines?



Is case sensitivity normal when using TACACS?

I just set up a CentOS 7 box, installed tac_plus and joined it to my AD. I have a mixed Cisco/Fortinet environment. I configured TACACS first on a FortiGate, and it works when I use an all-lowercase username. When there are any capital letters, login fails. Is this normal?

Does anyone have experience with the tac_plus package who could help me with tying it back to an AD group?