Saturday, October 23, 2021

What to do when vendors use all your public IP space?

Anyone been in this situation with shared public space and vendors wanting their own unique IP for site-to-site VPN tunnels?



Designing a new network Sub/VLANs

Hello,

I'm in charge of designing a new network from scratch, and this is what I have come up with so far. I really want to hear opinions from other professionals on what can be changed or added.

VLAN ID - VLAN Name - Description - IP/Mask

1 - M_LAN - Management Local Area Network - 192.168.1.0/24
2 - ALAN - Admins Local Area Network - 192.168.2.0/24
3 - HLAN - Hypervisors Local Area Network - 192.168.3.0/24
4 - ERLAN - Servers Local Area Network - 192.168.4.0/24
5 - WLAN - Workstations Local Area Network - 192.168.5.0/24
6 - PLAN - Printers Local Area Network - 192.168.6.0/24
7 - SLAN - Staff Local Area Network - 192.168.7.0/24
8 - GLAN - Guests Local Area Network - 192.168.8.0/24
9 - VOIP - Voice over Internet Protocol - 192.168.9.0/24
10 - CCTV - Closed-Circuit Television - 192.168.10.0/24
11 - IoTLAN - Internet of Things Local Area Network - 192.168.11.0/24
12 - ULAN - Untrusted Local Area Network - 192.168.12.0/24



Trunking between Nexus 9K and ASR 920 being difficult

So, here I am, minding my own business, migrating from an ASR-1002x and I come to realize ASR 920s require the BDI format.

So, I set up the basics on the N9K. NOT using the mgmt0 port, I want to access the switch via an SVI, so I type

feature interface-vlan

Then I add my SVI and assign an IP, no shut it, and configure my uplink port to the router as a trunk.

I then proceed to configure the router for subinterfaces, and I get invalid syntax.

So I look at reference material and realize the 920 doesn’t support subinterfaces, but instead BDIs.

So I configure my BDI something like this:

interface GigabitEthernet0/0/0
 service instance 1 ethernet
  encapsulation dot1q 401
  bridge-domain 401
!
end

interface BDI401
 ip address 10.11.51.1 255.255.255.0
end

Both ports turned up, trunk on the nexus doing its thing,

I then go to check basic things like pinging from the switch's VLAN interface to the router and... no luck.

I then check the ARP tables. I can see the Nexus' entry on the BDI, but I can't see the router's entry in the Nexus' ARP table.

The question is this: has anyone ever encountered a similar scenario? Seems like something that should just work as-is.



A switch with rear ports and front LED indicators.

Please help. I am looking for a 24-port network switch that has all the ports in the back and all the LED lights in the front. Most switches have all ports and lights located in the front, so when looking at the switch from the front, if you want to see the port LED indicator, you must also see the cable twisted and plugged into the port. That looks so unprofessional and ugly. Thanks for your time.



CA cert error in Android 11 and above for EAP-TLS

I have configured Windows ADCS and generated a user cert and a RADIUS (CA) authentication cert for EAP-TLS. It is working fine for all devices running Android 10 and below, but since Android 11 the CA cert requires the CA:true flag (X509v3 Basic Constraints) and I am not sure how to set that flag using Windows ADCS.
Thank you.



Looking for old book

Back in 2003/2004 I was a young network admin for a small ISP and I had this book. It was a thick tome, around 800 pages, with an absurdly colorful cover for a time dominated by O'Reilly's animal covers. I had found my copy at Barnes & Noble. I can not, for the life of me, remember the title or publisher, and I long ago lost my copy.

This book was a godsend. It had plain-English explanations of networking concepts and design, as well as step-by-step examples for implementation. While doubtlessly out of date nearly 20 years later, I often find myself wishing I still had it.

I know my description is light, but if this rings a bell for anyone, I'd love to be reminded of the title. Every few months I go back into search mode and always come back empty handed. Thank you to anyone who can take a moment to help.



Cisco IOS-XE code quality blog

What has your experience been? Not sure why they specifically hone in on the CAT9K. Doesn’t the same IOS-XE also run on ISR/ASR/SD-WAN ?

https://blogs.cisco.com/networking/the-cisco-catalyst-9000-software-quality-mindset

$2.8 trillion. That was the estimated cost impact of poor-quality software to organizations in the U.S. alone in 2018.[1] With 100 times more code being managed in 2020 than 10 years ago, the chances for software error and resulting costs are increasing exponentially and globally. The importance of software quality has never been higher.[2]

Software quality is one of the most important ingredients that has led to the incredible success of the Cisco Catalyst 9000 switching family, the fastest ramping product in Cisco history. With four million+ units deployed in mission-critical networks at more than 70,000 organizations globally, the Cisco IOS XE software stack and specific feature sets for the Catalyst 9000 have proven to be incredibly reliable. It didn't happen by chance. Starting with software design and architecture, Cisco developers adhere to a quality mindset culture that spans from product architecture to customer experience.

In the Cisco Enterprise Switching team, we follow four fundamental tenets to deliver quality in products such as the Catalyst 9000 and related solutions.

Quality@Source starts with product design and architecture. Catalyst 9000 consists of five different product families of fixed, stackable, and modular switches such as the Cat9200, Cat9300, Cat9400, Cat9500 and Cat9600 with over 100 SKUs and 10+ different NPUs. Despite thousands of combinations, the Cisco development team built common Cisco IOS XE code with a single binary. It has significantly cut down the time it takes our customers to certify and deploy the Catalyst 9000 in their networks. The development phase includes comprehensive code reviews, intersection analysis, pre-commit sanity checks, and unit testing to achieve baseline integrity. The code is built with serviceability in mind and is evolving with predictive analytics. It enables Cisco engineers to proactively analyze and fix issues before failure occurs. They can then take corrective action on the network or provide patches proactively.

Automation

In every release of Cisco IOS XE running on the Catalyst 9000, tens of new capabilities are added. To augment the quality maintained during the development phase, automated tests are run continuously to make sure that the quality of the baseline features is protected while new features are added. As new automated scripts are continuously added to the software repository, engineers measure the efficacy of the scripts to optimize runtime and effectiveness.

During the Solution Focus phase, the team tests and validates code maturity by testing customer use cases and with stress, scale, and longevity tests that simulate the way features are deployed in real-world networks. Due to a rich set of features and capabilities, Catalyst 9000 is deployed in thousands of networks with very different deployment architectures. For example: the network architecture of a very large university is very different than a network deployed in a hospital environment, and they are both very different than a large financial institution with thousands of branches. The Catalyst 9000 team has built multiple customer vertical profiles based on our knowledge of these networks. These customer profiles contain use cases simulating large customer configurations that are closer to real-world deployment scenarios. Customer Validated Design profile configurations and use cases are made available to customers on the Cisco website for planning their lab certifications and deployments.

Customer Focus

After solution focus testing, the code is tested in the field. The code is deployed in the Alpha network, which is used by developers and testers every day to do their work. It provides them with a real network simulation and provides feedback on how the product is functioning. After it has been tested on the Alpha network, the product is made available for Early Field Trial (EFT) to customers. Once feedback received from EFT is addressed, the product is ready for First Customer Shipment (FCS). As World War I hero William A. Foster famously said: "Quality is never an accident; it is always the result of high intention, sincere effort, intelligent direction and skillful execution." The Cisco Enterprise Switching Software Team truly believes in this philosophy and models it every day.

[1] "The Cost of Poor Quality Software in the U.S.: A 2018 Report," Consortium for IT Software Quality, 2018.
[2] "Devs are managing 100x more code, in more languages, for more platforms than ever," Sourcegraph, 2020.



Strange issue with speed being capped to 100mbit

Hey guys, I've got a strange error that I don't even know where to start troubleshooting. Any ideas would be appreciated. I have a 1 Gbps connection that keeps limiting itself to 100 Mbit. What happens is: I boot up and run a speed test and get 800-900 Mbps, then shortly after I lose my connection, and when it comes back up I am speed-capped to 100 Mbps.

No other computers on the network lose connection when mine does. I'm running Windows 10 and a Deco M5 mesh Wi-Fi system.

Thanks for any replies



Friday, October 22, 2021

CABLE HELP

My NBN (Internet) connection comes in as RJ11, and I can connect it to the DSL port on my Telstra modem and it works fine.

The problem I have is that the router I want to use is in a different room and doesn't have a DSL link. I have run a Cat5/RJ45 cable from next to the RJ11 outlet to the room, but connecting the RJ11 to a splitter and then to the router doesn't seem to work.

I've even tried doing this and going to the Telstra router's WAN port, still no luck.

Any help/advice will be greatly appreciated.



SALTSTACK Nornir proxy and network automation use cases

I was working for quite a while on a SaltStack Nornir Proxy Minion module and thought it worth sharing the results. As of now it can manage network infra using various methods, techniques and protocols.

List of features:

- CLI - Can use Netmiko, Scrapli and NAPALM

- NETCONF - over Ncclient and Scrapli-Netconf libraries

- RESTCONF - Requests module support to manage devices over HTTP(S)

- gNMI - supported using PyGNMI library

- TESTING - Test suites supported to verify network state or use Python API

- WORKFLOWS - Simple/complex workflows supported to codify execution steps or use Python API

- STATE - Learn, Diff and Read task results allowing to explore previous network state

- PROCESS - transform, parse, modify, filter results using xpath, jmespath, ttp, tabulate, etc. libraries

All of the above is in the context of SaltStack and Nornir, frameworks that have many plugins available to address various use cases, coupled with the capability to use the Python API to interact with your network.

Overview

For those familiar with Docker

What do you think are the most important aspects that a network automation system must possess?



Query regarding bgp path selection

So I have been labbing BGP quite a bit recently. I have a scenario where, say, there is 1 customer edge router and 5 provider routers. How do you influence path selection so that BGP knows to select only specific routes based on some requirements from the customer router in the outbound direction (and inbound as well)? I know that you can use BGP weight and AS-path prepend attributes (have seen lots of examples on these 2 attributes while googling), but which attribute is used for which direction (outbound/inbound)? Can they both be used for either outbound or inbound? Also, any configuration examples of such a scenario (I'm pretty sure this type of scenario is very common in the real world) would be very helpful!

Thank you in advance.



L2vpn multi site

Hello

Does anyone know how to configure L2VPN for multi-site (more than 2 sites)?



Do you know of any major cable ISPs anywhere in the world that have enabled DOCSIS 3.1 upstream?

Cable modems have supported DOCSIS 3.1 2x2 for a while, and most ISPs have now enabled a single downstream channel, but as far as I know no one has enabled an upstream channel yet, which can provide up to 890 Mbps upstream.



Wireless Network Won't Talk to Data Network

I have two networks on my LAN, one for all devices that are physically connected via Ethernet and one for the wireless AP. I have these configured on a Cisco L3 switch, and both networks have full connectivity to the router and the internet via static routes on the router.

For some reason, though, which I don't quite understand, AirPlay won't connect to the physically connected Roku, and Syncthing won't sync to my NAS from my iPhone across the two different networks, even though the two networks can fully ping each other.



WPA2-Enterprise RADIUS Authentication Options

I am looking to deploy more secure wireless authentication for the company that I work at. Currently, we are using standard WPA2 encryption. This could cause an issue when someone leaves the company, as they would still have the wireless credentials, so could access the network. We have enough devices that it would be impractical to change the key every time, so I am looking to deploy WPA2-Enterprise and give all users their own credentials. I do have a trusted root certificate (I created a rootCA for internal use) installed on all workstations, which is used for SSL encryption to local web apps. I have set up a FreeRADIUS server with PEAP-MSCHAPv2 authentication with a certificate generated using the internal rootCA in a lab environment. User credentials in this test setup are stored in an OpenLDAP server hosted in the same VM, with LDAP Account Manager as a web GUI to manage credentials. The main question that I would have is whether PEAP-MSCHAPv2 authentication is still considered secure, and if not, whether there is another alternative that would better meet my use case. I considered EAP-TLS, but I don't currently have anything as far as PKI infrastructure to distribute individual keys (I distributed the root cert by sending an email to a company-wide distribution list with instructions on how to install it and to contact me if you have any issues). Thanks in advance.



How can I backup VMware ?

Hello,

I want to ask: I'm using LibreNMS with Oxidized to back up my network devices.

Is there any way to back up VMware host configurations?

Best Regards



Is this a shit idea for a protocol with privacy built in?

The sending node sends out a packet asking for the receiver's public key; when the sending node receives the key it can send to the receiver using packets encrypted with that key.

Anyone trying to man in the middle would find it impossible to read any of that information.

Does this already exist? What’s it called?



Cloud-based VPNs recommendations?

Looking for some input on cloud-based VPNs. I'm working with a healthcare-related entity that is looking for a cloud-based VPN. It will be used to provide access to a web-based SaaS. The VPN is needed to give all users a static IP to come from, since the web app uses an IP whitelist to control access. The VPN client also needs to support split-tunneling so local network devices/resources can be accessed if needed. Would prefer the split-tunneling to make use of FQDNs for tunneling rather than just IPs. Total user count will be about 50 users. The company is cloud-based, so there is no on-prem equipment, and the users are spread out working from either home or shared office space.

So far I've looked at:

Palo Alto Prisma Access - Would fit, but requires a minimum of 200 user licenses. $$$

Palo Alto VM-series firewall in Azure - No idea what cost would be since I don't have a frame of reference on what Azure costs would be.

NordVPN - Doesn't support split-tunneling per their representative

ZScaler - pending a call with a sales guy

Perimeter81 - Never heard of these guys, but was referred to them by NordVPN

Are there any other good VPN providers out there?

Edit: Would prefer stuff based on Azure if it's a solution that needs to be hosted. Just because the company uses Azure/O365 and it would be nice to contain everything there.



Looking for network cabinet recommendations

Hey all,

I was hoping to get some network cabinet recommendations, as our current solution leaves room for improvement.

Our most installed cabinet we use currently for our clients is this:

NavePoint 22U IT Wall Mount Network Server Data Cabinet Rack Glass Door Locking Casters https://www.amazon.com/dp/B01A6JQ5D0/ref=cm_sw_r_apan_glt_fabc_8AYQQAN8EXHBNANS30WY?_encoding=UTF8&psc=1

The biggest downside to this cabinet is really the wall mount solution. The cabinet hooks onto a bracket from the top only. And the cabinet can only support 130 pounds. Most of the time we are stretching that limit and need to fabricate something to support the bottom. Otherwise it starts to bend the mounting hooks.

Anyone have a better wall mount solution that is 22U-26U?

Thank you.



Configure both local and tacacs+ authentication on a router

Hi, I am trying to create a configuration to achieve the following: authenticate a user through the local database on the router; if the user is not listed there, have the router look it up on the TACACS+ server.

However, the local portion of it is not working: I can authenticate as a user created on the TACACS server but not as a user created locally on the router. The router is an ASR9k. This is the configuration:

tacacs-server host 10.1.1.1 port 49
 key tacacstest
!
aaa group server tacacs+ TACACS
 server 10.1.1.1
!
aaa authentication login TACACS-LOGIN local group TACACS
line default
 login authentication TACACS-LOGIN

Reading the documentation, this should do what I want it to do; in practice it doesn't. Does anyone have any idea? Thanks



Thursday, October 21, 2021

Cisco ASR1000 ESP Throughput doubts

Hello Redditors,

I've got an ASR1004 with ESP20 and SIP40 and 2x10GE interfaces. As far as I can understand, the ESP20 means the router can output up to 20 Gbps of traffic (according to this documentation this should be the case unless I am missing something: https://www.cisco.com/c/en/us/support/docs/routers/asr-1000-series-aggregation-services-routers/200674-Throughput-issues-on-ASR1000-Series-rout.html)

Currently, this router has a LACP link towards a switch (2x10GE). Everything was working fine until this link started to receive over 11 Gbps of traffic (basically it sits at 11.5 Gbps in, and since we don't deal with multicast, it's also 11.5 Gbps out). Now I am seeing a lot of input drops (overruns) on the interface and the overall latency increased by 30-40 ms. Below 10.8 Gbps everything starts to work normally again.

This leads me to believe it's congestion and the latency is due to buffering, but I really don't know why this is happening. Shouldn't this router still be capable of processing at least 8 Gbps of additional traffic? There are no other interfaces aside from this LACP bundle.

Or was the 20 Gbps "output" just marketing and the real number is just 10, and they say 20 because it is the sum of "input + output" (which I find misleading, tbh)? Anyone with experience using this platform that can shed some light?

Thank you in advance



One PC on LAN can only be pinged from the server

So I have a Windows Server 2012 box and I have one machine on the network that I need to be able to access via remote desktop. Previously we had another machine which we used exactly the same way. I can ping the server from this client, and the client from the server, but I can't ping the client from any other machine, either by IP or hostname. Pings and traceroutes time out.

Details: Client is running Windows 10 Pro. The server is a VM running on Hyper-V with a virtual hub and acts as DNS server, VPN server, and file server for a simple one-segment office network. It's set up this way so people can connect to the VPN and then RDP to the target client as if they were local. There's a Ubiquiti EdgeRouter connecting the WAN to the server and acting as a switch for the single WAP that connects the office. It's all on the same subnet, nothing unusual.

The client machine is showing up in the server's DNS records. I've allocated it a static IP for simplicity's sake, outside the DHCP pool.

Things I've tried:

  • Verified that remote desktop connections are allowed on the target control panel
  • Re-registered the target client DNS
  • Removed and re-created the DNS entry on the server
  • Disabled the firewall on the target
  • Ensured that the target has network discovery enabled
  • Made sure all network discovery services are enabled on target
  • Flushed the DNS cache on the machines I'm using to contact the target
  • Ensured that the server address is added to the DNS list on the machines I'm using to attempt pinging (but again, IP pings don't work either)
  • Restarted everything
  • Argh!

If anyone has some ideas, I'd be very grateful!



Can I use my VPN on my linux PC?

I have a VPN on my phone which I want to use on my Linux PC. Apparently, I can't use the hotspot. Is there any way to do so?

I don't know if this is the right place to ask this, lol. Can remove it later.



Securing management IP on switches

Hello, looking to get ideas on how to secure our switch management interfaces. We run Aruba OS, and we put all of our switch management IP addresses on the same VLAN. I'd like to put an ACL on our network to restrict access to that VLAN from the rest of the network. Ideally, I'd like for IT staff to have their own subnet/VLAN, and from that VLAN you can access the switch management IPs. Everywhere else on the network is blocked by the ACL. I've been told by management that this is not the preferred method. Not sure what an industry standard would be. Aside from dynamic segmentation or something else, I'm not sure what else we can do.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Defending against BPDUFilter

If someone were to use a switch with interfaces running BPDUFilter and connected them to your network switching, creating a loop, then BPDUGuard is of no help. The loop exists, yes?

Other than having NAC or physical security, is there any mechanism to proactively save yourself if that occurs?



Fortinet License isn't optional these days...

I have just updated my FortiGate 200F because the SD-WAN monitor didn't work. And now it is asking me for a license for "SD-WAN network monitor".

Has anyone seen this same issue? Fortinet will of course tell me to buy a license, but I don't want to.

I'm guessing that if I roll back to v6.2.4 and leave the appliance without DNS it will work again, but it is a mess to stop the production environment just for those tests.



Migration from Cisco to Aruba

We are seriously considering moving wireless and switching to Aruba. I have some demo units and have run them through their paces as much as time allows, and just based on the time I have spent, it seems like a no brainer to make the jump.

Has anyone done this in an enterprise environment that can give me an idea of anything I may run into that would give me buyers remorse.

I have been wary of how they do stacking and some other dumb little things, but no show stoppers yet. The things that bother me so far pale in comparison to Cisco since DNA became a thing.

Thanks for any input.



For all the other ISE n00bs out there like me, that can't figure out why the admin CLI password reverts to an older password suddenly after maintenance....

There is a write mem command....

I know, we never use the CLI and thought it's Linux with an alias "password" for the passwd command.

Oh, and there's a conf t as well, and you can create multiple users, for when the admin account gets mysteriously locked from time to time.



Do people really pass the CCIE lab with no networking knowledge ?

There were many threads lately talking about recruiters having to deal with candidates that had their CCIE number but were clueless about the most basic networking principles.

I would have just thought that they were exaggerating and didn't even bother checking the credentials of the candidates before interviewing them, but the astonishing number of people in the comments that relate to the experience made me doubt.

Is it even possible to cheat the lab? And even if someone cheated, I would still expect them to be highly knowledgeable about the fundamentals. So how come there are people with a # after their name that don't know how STP works?



Packet loss to HyperV VM

Hey everyone,

To preface this, I am more sysadmin than networking guy, but as the sole guy here it is up to me to figure this out.

We run an application from an SMB share (Server 2019 VM). Looking at the traffic between these two devices, there are frequent "TCP Previous segment not captured" events, then generally about 100 Dup ACK packets back and forth with "TCP Out-Of-Order" and "TCP Fast Retransmission" sprinkled around among them.

This will happen about 15 times when trying to open 1 window inside of this application, and I am pretty sure this is the reason this application runs so slow. It seems like it only happens when running this app, copying files back/forth, RDP, etc does not produce these kind of packet issues.

I am assuming this is not normal operation, but I don't know enough about the real nitty gritty to know where to look next.

https://i.imgur.com/eJRFY9n.png



Cisco 1000 series Switches??

Anybody use any of them lately? Are they any good? My work is potentially looking at them to replace a lot of old Dell switches and unmanaged ones we have currently.

TIA for any advice and knowledge about them.



Dell Z9100-ON 10GbE breakout configuration help

I purchased a cable from fs.com, part #48770, and I'm trying to get it working with my Dell Z9100-ON switch. I see the laser light coming out of the breakout fibers (and they're on the correct side), but it doesn't link when I plug any of them into a workstation. Perhaps I don't have the Dell port configured properly? I used this command to reconfigure the 100GbE port: "stack-unit 1 port 21 portmode quad speed 10G", and now I do see interfaces TenGigabitEthernet 1/21/1 through 1/21/4 available in the switch config. I set them to "no ip address", "switchport", and "no shutdown" (keeping it simple for now). But I still don't get a link light when plugged in. The workstation is definitely not the problem, and it works fine when I plug into a different 10GbE switch. Any suggestions?



Local User Setup WinServer2019

I'm trying to get a Windows server set up for the first time ever, and I am struggling. I'd like each user to have their own partition that they work in, with one partition that is shared. What's the best way to set this up? I have very little experience in working with Windows Server. I've always been a tech support guy until very recently, and I feel super overwhelmed. We are not using AD. Everyone has a local account with the option to connect to the server with RDP.



YIKES! Cisco UCS Manager Not Discovering Connected Servers

Help!

I am trying to connect a UCS C240 M5 server to a pair (one active, one passive) of Cisco 6454 Fabric Interconnects. The server is connected to the FIs with a 25-gig uplink. The Cisco flavor of ESXi is installed on the UCS server.

It is apparent in the ESXi GUI that the UCS c240 M5 can "see" the Fabric Interconnect. ESXi reports that it knows it is connected to a device running NX-OS (the OS on the Fabric Interconnects) and that it knows it is plugged into Eth1/37 on the device, which is true.

Now here's the rub...

UCS Manager is not "discovering" the new UCS c240 M5 server that I have connected to it. UCS Manager, does however, see the 10 previous servers that have been connected (these servers are all HX 220c M5 boxes).

What am I doing wrong? What do I need to do in order for the new UCS c240 M5 to show up in UCS Manager?

Thank you for all of your help!!



Differences in Ping across Windows, Linux, and MacOS

We ran into a network outage for a customer today, where some traffic was allowed to the firewall and some not. In the process of troubleshooting the customer's firewall externally at the same office, we had some inconsistent results with ping. All macOS devices would receive "request timeout", while Windows and Linux machines were able to successfully receive responses from the firewall.

Does anyone know if there are differences in how these OSes handle just a normal ping request (similar to Windows using ICMP probes for traceroute, while Linux uses UDP probes)?



Total network traffic for a specific application (or port) over a period of time.

Hi, I would like to measure the overall network bandwidth used by a specific Windows application over a 24 hour period on a single workstation. Alternatively, the same thing but for a specific network port rather than the application. What is a good tool for this on Windows 7*? The monitoring would be done on the workstation itself.

*If Win7 is a sticking point, I could potentially adjust plans to do it on a Win10 workstation.



Has Cisco stopped developing IOU/IOL images?

I haven't seen a new one come out since 2018... which is super disappointing as they're such a nice/lightweight way to build a lab while still getting enough throughput for real-life traffic flows.



FTD and ASA AnyConnect VPN Auth - AAA+Certificate

Hi, All

I've been running an FTD and an ASA using AAA (Windows NPS) authentication for quite some time, but it's become apparent that I need to do cert auth as well to keep users from downloading our client and connecting their personal computers.

I can't do machine group on the AAA (NPS) side because I have some users with Mac devices not joined to the domain. They are, however, managed by JAMF so I can push a certificate to them when needed.

I understand how to make the Connection Profile change to AAA+Certificate on both the ASA and the FTD, but what I don't understand is how to tell it which certificates to accept. I want to use the already issued domain certificates on the computers (and we'll enroll the Macs via our Enterprise Sub-CA), but I really don't understand how to tell the FTD or the ASA to ONLY accept machine certs issued from our Root CA chain.

I've gone through the documentation, and I'm obviously missing something big here. Anyone have any hints?



Can't get ASA to redistribute BGP into EIGRP

I have an ASA connected to a 9k switch. I have a working EIGRP relationship between the ASA and 9k. I just can't seem to get BGP routes on the ASA redistributed via EIGRP, all evidence is that the ASA is not trying to advertise them. This setup is a lab being done in CML. Anyone have an idea as to why?

Here is the relevant ASA config and routing table:

!
prefix-list EIGRP seq 5 permit 10.10.50.0/24
prefix-list EIGRP seq 10 permit 10.10.51.0/24
!
!
route-map EIGRP permit 10
 match ip address prefix-list EIGRP
!
router bgp 65244
 bgp log-neighbor-changes
 bgp router-id 1.1.1.1
 address-family ipv4 unicast
  neighbor 10.10.30.2 remote-as 65244
  neighbor 10.10.30.2 activate
  network 10.10.20.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family
!
router eigrp 2
 default-metric 1000000 5 255 255 1501
 distribute-list EIGRP out
 network 10.0.0.0 255.0.0.0
 network 10.10.30.0 255.255.255.0
 network 10.10.40.0 255.255.255.0
 redistribute bgp 65244 route-map EIGRP
!

asav-0# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
       SI - Static InterVRF

Gateway of last resort is not set

C    10.10.20.0 255.255.255.0 is directly connected, INSIDE
L    10.10.20.1 255.255.255.255 is directly connected, INSIDE
C    10.10.30.0 255.255.255.0 is directly connected, OUTSIDE
L    10.10.30.1 255.255.255.255 is directly connected, OUTSIDE
B    10.10.40.0 255.255.255.0 [200/0] via 10.10.30.2, 20:19:52
B    10.10.50.0 255.255.255.0 [200/4096] via 10.10.40.2, 20:14:39
B    10.10.51.0 255.255.255.0 [200/4096] via 10.10.40.2, 20:14:39
B    10.10.52.0 255.255.255.0 [200/4096] via 10.10.40.2, 20:14:39
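Added example (editor's, not code from the post): a small Python model of Cisco prefix-list and route-map matching, replayed against the prefix-list, route-map and BGP routes shown above, so you can see which prefixes the redistribution would even consider. Two checks a practitioner would make here are folded in: every BGP route in that table has administrative distance 200, i.e. it was learned over iBGP, and IOS and ASA do not hand iBGP-learned routes to an IGP unless `bgp redistribute-internal` is configured under the BGP process; and the `distribute-list EIGRP out` line refers to a name that the posted config defines only as a prefix-list, while the ASA EIGRP distribute-list takes an access-list name, so confirm one exists. The routes and filters below are transcribed from the post; the `ge`/`le` handling goes beyond the post's exact-length entries to the general prefix-list rule.

```python
# Added example (editor's, not from the post): replay the post's prefix-list
# and route-map against the BGP routes in its routing table to see which
# prefixes the redistribution would even consider.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PrefixEntry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str                 # e.g. "10.10.50.0/24"
    ge: Optional[int] = None    # optional "ge N" length bound
    le: Optional[int] = None    # optional "le N" length bound


def prefix_list_action(entries: List[PrefixEntry], route: str) -> str:
    """Cisco prefix-list semantics: the lowest seq that matches wins,
    and a list with no matching entry is an implicit deny."""
    net = ipaddress.ip_network(route, strict=False)
    for e in sorted(entries, key=lambda x: x.seq):
        base = ipaddress.ip_network(e.prefix, strict=False)
        if not net.subnet_of(base):
            continue
        lo = e.ge if e.ge is not None else base.prefixlen
        if e.le is not None:
            hi = e.le
        elif e.ge is not None:
            hi = net.max_prefixlen
        else:
            hi = base.prefixlen          # no ge/le: exact length only
        if lo <= net.prefixlen <= hi:
            return e.action
    return "deny"


def route_map_action(clauses: List[Tuple[int, str, Optional[str]]],
                     prefix_lists: Dict[str, List[PrefixEntry]],
                     route: str) -> str:
    """clauses are (seq, action, prefix-list name or None for match-all);
    the first clause whose match succeeds decides, otherwise implicit deny."""
    for _seq, action, pl in sorted(clauses, key=lambda c: c[0]):
        if pl is None or prefix_list_action(prefix_lists[pl], route) == "permit":
            return action
    return "deny"


def redistribution_report(routes, clauses, prefix_lists):
    """Map each (prefix, admin distance) to (route-map verdict, caveat).
    AD 200 is an iBGP-learned route; IOS and ASA do not offer those to an
    IGP unless 'bgp redistribute-internal' is configured under BGP."""
    report = {}
    for prefix, ad in routes:
        verdict = route_map_action(clauses, prefix_lists, prefix)
        caveat = "needs bgp redistribute-internal" if ad == 200 else ""
        report[prefix] = (verdict, caveat)
    return report


# Constructed from the config and 'sh route' output shown in the post.
PREFIX_LISTS = {"EIGRP": [PrefixEntry(5, "permit", "10.10.50.0/24"),
                          PrefixEntry(10, "permit", "10.10.51.0/24")]}
ROUTE_MAP = [(10, "permit", "EIGRP")]
BGP_ROUTES = [("10.10.40.0/24", 200), ("10.10.50.0/24", 200),
              ("10.10.51.0/24", 200), ("10.10.52.0/24", 200)]

if __name__ == "__main__":
    for prefix, (verdict, caveat) in redistribution_report(
            BGP_ROUTES, ROUTE_MAP, PREFIX_LISTS).items():
        print(f"{prefix:16} {verdict:7} {caveat}")
```

Running it shows 10.10.50.0/24 and 10.10.51.0/24 permitted by the route-map and 10.10.52.0/24 dropped by the implicit deny, with every one of them flagged as iBGP-learned; if the intent is to push all three, add a third prefix-list entry (or a `10.10.48.0/22 ge 24 le 24` style entry) and check the `redistribute-internal` setting before looking anywhere else.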



Cleartext Transmission of Sensitive Information via HTTP

Hi!

I'm pretty new to this, so I'm not quite sure what to do here.

I ran an OpenVAS test on a router from Ubiquiti, and it returned only two vulnerabilities: "TCP timestamps" and "Cleartext transmission of sensitive data via HTTP".

I can't find any options on the router to change this... should I write to Ubiquiti? Is this something that needs implementation in the firmware?

thanks in advance



Sub-Interface Bandwidth

Hi there, if I have an interface with a bandwidth 20000 statement on it, and then a sub-interface on that main interface in a VRF and with a bandwidth 10000 command attached to it, would traffic on that sub interface be limited to 10000 or will it run to the 20000 from the parent interface? Thanks!



Network redundancy layout question

Would this be the ideal setup if my switch stacks are in 2 separate locations? (2960Sx4)

https://nextcloud.reinencaressa.be/s/dDaXZGW7JiyGEjW

Looking for interconnecting 2 buildings next to each other, but the provider is asking way too much to install a second CPE...



Upgrading EPLD on Nexus 93180YC-EX

Hello,

I have two Nexus 93180YC-EX switches, one with NXOS version 9.2(2) and the other with NXOS version 7.0(3)I7(8). I'm planning to update both straight to 9.3(8). Everything is quite clear, but I have some questions about the EPLD upgrade, especially the keyword "golden".

On the older-version switch, I see that it booted from the golden EPLD region and that the golden image is older than the primary one, as is natural when someone forgets to upgrade the golden one.

2020 Sep 14 09:19:47 SWTICHDCI02 %CARDCLIENT-2-FPGA_BOOT_GOLDEN: IOFPGA booted from Golden
2020 Sep 14 09:19:47 SWTICHDCI02 %CARDCLIENT-2-FPGA_BOOT_GOLDEN: MIFPGA booted from Golden
2020 Sep 14 09:19:47 SWTICHDCI02 %CARDCLIENT-5-MOD_BOOT_GOLDEN: Module 1 IOFPGA booted from Golden
2020 Sep 14 09:19:47 SWTICHDCI02 %CARDCLIENT-5-MOD_BOOT_GOLDEN: Module 1 MIFPGA booted from Golden

But when I try to even check the possibility of upgrading golden, it doesn't even offer the "golden" keyword:

SWTICHDCI02# install epld bootflash:n9000-epld.7.0.3.I7.9.img module 1 ?
  <CR>
SWTICHDCI02# install epld bootflash:n9000-epld.7.0.3.I7.9.img module all ?
  <CR>

So, how do I upgrade the golden image?

SWITCHDCI02# show install epld status
1) Module 1 upgraded on Mon Sep 14 09:16:55 2020 (980911 us)
   EPLD Install Image: EPLD image file 7.0.3.I7.9. built on Wed Aug 26 22:03:35 2020
   Status: EPLD Upgrade was Successful
   EPLD            Curr Ver   Old Ver
   -------------------------------------------------------
   IO FPGA         0x15       0x9
2) Module 1 upgraded on Mon Sep 14 09:16:55 2020 (980867 us)
   EPLD Install Image: EPLD image file 7.0.3.I7.9. built on Wed Aug 26 22:03:35 2020
   Status: EPLD Upgrade was Successful
   EPLD            Curr Ver   Old Ver
   -------------------------------------------------------
   IO FPGA         0x15       0x9
3) Module 1 upgraded on Mon Sep 14 09:05:06 2020 (462441 us)
   EPLD Install Image: EPLD image file 7.0.3.I7.9. built on Wed Aug 26 22:03:35 2020
   Status: EPLD Upgrade was Successful
   EPLD            Curr Ver   Old Ver
   -------------------------------------------------------
   IO FPGA         0x15       0x9
4) Module 1 upgraded on Mon Sep 14 09:05:06 2020 (462389 us)
   EPLD Install Image: EPLD image file 7.0.3.I7.9. built on Wed Aug 26 22:03:35 2020
   Status: EPLD Upgrade was Successful
   EPLD            Curr Ver   Old Ver
   -------------------------------------------------------
   IO FPGA         0x15       0x9

SWITCHDCI02# show version module 1 epld
EPLD Device          Version
---------------------------------------
MI FPGA              0x4
IO FPGA              0x9


Layer 2 and Layer 3 devices

So I think I may have just realized something but I'm not sure if I have this completely figured out yet. I'm new to networking so go easy on me if I have this completely wrong.

Layer 2 switches forward frames. Frames consist of MAC addresses and not IP addresses as that is a layer 3 protocol. When switches forward frames in a LAN, they forward them using their SAT (Source Address Table).

So here's my question. If I'm connected to other computers via switch and we're all connected to a router. If I wanted to ping the IP of another pc. Does the pc keep a record of the MAC addresses and their corresponding IP addresses? I'm not sure how switches are able to correctly identify the PC I would want to ping since layer 2 does not deal with IP addresses.

Would it be forwarded to the router to correctly find the correct PC with the matching IP address?

Thanks in advance!
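Added example (editor's, not part of the post): a toy model of one LAN segment that answers the question in code. The IP-to-MAC mapping lives in each host's ARP cache, filled by an ARP broadcast; the switch never looks at IP addresses and only learns which MAC sits behind which port. A destination outside the host's own subnet is not sent to the PC at all but to the default gateway's MAC, which is the only point where the router gets involved. The addresses, MACs and port numbers are constructed for the example.

```python
# Added example (editor's, not from the post): a toy model of one LAN
# segment showing where IP-to-MAC mapping lives (the host's ARP cache) and
# what the switch actually tracks (MAC address to port). Addresses constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    kind: str        # "arp-request", "arp-reply" or "ip"
    payload: dict


@dataclass
class Switch:
    """Layer-2 switch: learns the source MAC of every frame on its ingress
    port, forwards known unicast to one port and floods everything else."""
    mac_table: Dict[str, int] = field(default_factory=dict)
    ports: Dict[int, "Host"] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def attach(self, port: int, host: "Host") -> None:
        self.ports[port] = host
        host.switch, host.port = self, port

    def forward(self, in_port: int, frame: Frame) -> None:
        self.mac_table[frame.src_mac] = in_port            # learn on ingress
        out = self.mac_table.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST or out is None:      # flood
            targets = [p for p in self.ports if p != in_port]
            self.log.append(f"flood {frame.kind} from port {in_port}")
        else:
            targets = [out]
            self.log.append(f"forward {frame.kind} port {in_port} -> {out}")
        for p in targets:
            self.ports[p].receive(frame)


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    prefixlen: int
    gateway: str
    arp_cache: Dict[str, str] = field(default_factory=dict)   # IP -> MAC
    received: List[Frame] = field(default_factory=list)
    switch: Optional[Switch] = None
    port: int = 0

    def _send(self, frame: Frame) -> None:
        self.switch.forward(self.port, frame)

    def next_hop(self, dst_ip: str) -> str:
        """On-link destination: ARP for it. Off-link: ARP for the gateway."""
        net = ipaddress.ip_network(f"{self.ip}/{self.prefixlen}", strict=False)
        return dst_ip if ipaddress.ip_address(dst_ip) in net else self.gateway

    def resolve(self, target_ip: str) -> str:
        if target_ip not in self.arp_cache:
            self._send(Frame(BROADCAST, self.mac, "arp-request",
                             {"sender_ip": self.ip, "target_ip": target_ip}))
        if target_ip not in self.arp_cache:
            raise LookupError(f"{self.name}: no ARP reply for {target_ip}")
        return self.arp_cache[target_ip]

    def ping(self, dst_ip: str) -> str:
        """Send one echo request; returns the MAC it was framed to."""
        mac = self.resolve(self.next_hop(dst_ip))
        self._send(Frame(mac, self.mac, "ip",
                         {"src": self.ip, "dst": dst_ip, "icmp": "echo-request"}))
        return mac

    def receive(self, frame: Frame) -> None:
        if frame.kind == "arp-request" and frame.payload["target_ip"] == self.ip:
            self.arp_cache[frame.payload["sender_ip"]] = frame.src_mac
            self._send(Frame(frame.src_mac, self.mac, "arp-reply",
                             {"sender_ip": self.ip,
                              "target_ip": frame.payload["sender_ip"]}))
        elif frame.kind == "arp-reply" and frame.dst_mac == self.mac:
            self.arp_cache[frame.payload["sender_ip"]] = frame.src_mac
        elif frame.kind == "ip" and frame.dst_mac == self.mac:
            self.received.append(frame)


def build_lan():
    """Constructed topology: two PCs and a router on one switch."""
    sw = Switch()
    pc_a = Host("pc-a", "02:00:00:00:00:0a", "192.168.1.10", 24, "192.168.1.1")
    pc_b = Host("pc-b", "02:00:00:00:00:0b", "192.168.1.20", 24, "192.168.1.1")
    router = Host("router", "02:00:00:00:00:01", "192.168.1.1", 24, "192.168.1.1")
    for port, host in ((1, pc_a), (2, pc_b), (3, router)):
        sw.attach(port, host)
    return sw, pc_a, pc_b, router


if __name__ == "__main__":
    sw, pc_a, pc_b, router = build_lan()
    print("pc-a -> pc-b framed to", pc_a.ping("192.168.1.20"))
    print("pc-a -> 8.8.8.8 framed to", pc_a.ping("8.8.8.8"))
    print("pc-a ARP cache:", pc_a.arp_cache)
    print("switch MAC table:", sw.mac_table)
    print("\n".join(sw.log))
```

The switch log makes the point: the ARP request is flooded because nobody has seen the target MAC yet, the reply comes back as known unicast because the switch learned the requester's MAC from the broadcast, and the echo request itself never leaves the switch for the router when the target is on the same subnet.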



In an HFC deployment, is bandwidth shared at the optical node level or the trunk cable level?

Let me clarify what I mean. In a typical HFC deployment, you have an optical node connected to the CMTS at the regional hub with fiber. Then at the optical node you have 4-6 trunk coax cables. So when customers share a certain DOCSIS deployment, say DOCSIS 3.0 32x4, is that at the trunk cable level? In other words, you have 32x4 channels going into each of the 4-6 trunk cables, and then at the node they are all aggregated into a single optical analog signal and sent to the regional hub's CMTS via a single fiber cable (or multiple?). Is this correct?

Sorry, it's a very specific question, hope someone can chime in.



Combine 802.1x and vlan on linux host

Hello,

I have a Linux host on whose physical interface I create a VLAN. I want to use 802.1X to authenticate with RADIUS. In other words, I want the 802.1X messages to be tagged with the VLAN ID.

Is it possible ? If yes could you please tell me how to configure it ?



Moving on-prem VoIP/PBX to hosted SaaS solution - will it increase bandwidth usage?

Hi all,

I have trouble figuring this out, since I'm not strong in networking or VoIP.

We are considering decommissioning our local PBX/VoIP server and moving to a hosted VoIP solution.

How will this affect the bandwidth usage? Will it increase since the PBX will be located at the providers network? Or will the network-usage just stay the same?

In my head the SIP connections / usage would probably be the same, the only difference being that the routing will go through the provider's PBX and from there to the SIP trunk. So my guess is that latency will increase a bit, but bandwidth? I really can't figure it out.

Hope my question makes sense. I just want to know if we might have to upgrade our internet-connection if we do this.

Thank you :-)



Service Provider design question

New to the SP world. How do I find which is the correct VRF a prefix belongs to in case there are overlapping subnets? For example, I do show ip route vrf * and I see multiple VRFs with overlapping subnets in the output. Thanks in advance!



Troubleshooting intermittent network outage (whole office)

I'd like to preface this with an apology first - I'm not a networking guy. I'm from a 1st/2nd line background parachuted into a small business to be the general IT guy. Part 1st line, part sysadmin, part whatever-the-f-the-boss-wants. This is my 2nd week in the job.

3 times this week we've had a full network outage (about 40 users). I (strongly) do not believe it to be external/ISP related as no other reports in the local area. Also a server reboot fixed it this time.

I am struggling to come to terms with the infrastructure on site. It appears to be a router > firewall > switch > windows server 2016, with various other local switches across the building. There are no indicative logs within event viewer as to what is causing the outage.

Local devices suddenly have no internet access and cannot ping the server 192.168.1.1

Finally, I know that DHCP is NOT set up on the Windows server. Using >ipconfig /all | find /i "Server" I can see the DHCP server IP address 192.168.1.250, but that is all. I can't see it within the Server 2016 dashboard.

So the question is where do I go from here? There's nothing obvious in Windows server. There are obviously no DHCP related event logs as DHCP outsourced to 192.168.1.250 but cannot get on to that. I don't even know if it's a standalone device or what.

Apologies again for the noobishness and long post, but I am very much stuck and have been given no information from my new employers. I am working backwards with domain admin credentials and that's it!



calculating packet loss in a hybrid network (omnet++)

Hello

So I have built this hybrid network which contains wired and wireless clients. I have set the number of wired nodes to 10 and wireless nodes from 5 to 50. I want to calculate the packet loss of each run (for example, the first run is 10 wired and 5 wireless, the next 10 wired and 10 wireless, until I reach 50 wireless). I want to calculate packet loss for each run but I don't know what vector I need to use. Is it the packetpopped vector? Is it the difference between the packetsent vector and the packet dropped vector?



Wednesday, October 20, 2021

Load balancing the load balancers

Currently I have a system where I have installed HAProxy on one machine, my other 3 machines serve the webapps, and the fourth machine is for the database. Now I need to add another load balancer to my system so that either load balancer could pick up the request and process it.

But I don't understand how exactly are we going to configure a second load balancer if my domain say example.com is pointing to the IP address which is the load balancer currently. When I add a second load balancer

  1. Will there be any third machine where something needs to be installed so that it can redirect the request to one of my load balancers? Again, if this is so, it is again a single point of failure and creates a bottleneck.

  2. If at all I am going to have 2 machines running load balancers then how exactly is the request going to come in, because both machines will anyway have different IPs?


CCIE isn't worth the paper it's printed on

It seemed like 10 years ago, CCIE exams were hard but not impossible. If someone had CCIE on their resume, you could at least partly trust that they knew what they were talking about. Maybe 5 years ago, it seemed like CCIE made their exams harder and it seems like the only way to pass now is cheat.

I have recently interviewed maybe 20 - 30 candidates with CCIE (one or multiple on their resumes) and not a single one has reflected the knowledge/skill that it would require to pass a CCIE. They can't answer basic questions about why you'd use OSPF vs BGP (CCIE R&S), the difference between WEP and WPA2 (Cisco CCIE Wireless) or the difference between SIP and SIP/TLS (CCIE Collaboration). The best I've had is a CCIE R&S stating that the difference between UDP and TCP is whether it's using IP or not. How about a CCIE R&S telling me that to do a health check on a Cisco Switch, they'd just check the version of IOS, that's all. Don't even ask them to troubleshoot anything, most don't have a clue how to think through that.

If you had some of the knowledge and experience and were cheating to "slightly" reach for CCIE, you could probably cover it. But people without CCNA-level knowledge seem to be trying to pass as CCIEs.

I mean, I'm sure there are exceptions to the rule and people who have actually worked hard at getting their CCIE. I'm saying that I haven't found anyone like this in the past 5 years and 20 - 30 interviews. If I see CCIE on a resume, in general, I just don't interview them anymore. It's just not worth the time.

Is everyone experiencing the same? Am I wrong?



Anyone noteworthy experiences with standalone hardware-based KVM-over-IP

Dear friends and wise mentors I’m not seeing a clear front runner for a KVM-over-IP standalone hardware solution. Extremely specific use case, that is for the sake of this post, theoretical entirely. (sandwich making mostly).



Ports 80 and 443 problem

Hi,

I have noticed that opening these two ports on my router for self hosting Nodejs apps (Website and API) using Nginx makes my internet drop multiple times a day! I use Cloudflare as a proxy yet I feel like I am getting DDoSed regularly.

Of course when closing these two ports I instantly do not have that problem anymore.

Is there something else I can do to open these ports but not getting exposed like that ?

Thank you



Need help, Public Ip reachable but nothing behind

Basically,

We have one site that is on an IPsec VPN. The tunnel is UP. From my firewall (FortigateA) I can ping the public IP of the site (FortigateB), but I'm not able to ping the actual local IP of the firewall (FortigateB) or anything behind it. However, everything behind the remote firewall (FortigateB) is able to ping the main firewall (FortigateA).

From a route perspective on the remote fortigate (FortigateB) in static routes you have one 0.0.0.0 0.0.0.0 WAN1 to go outside and one rule for the inside 10.XX.0.0/16 Internals.

Sorry if I might not be very clear let me know if you have any questions



Multicast and VPNs

Hi my fellow networking friends. I am fairly new to this field, and very new to anything using multicast. However we have two servers using multicast across a customer provided network. Our vendor states not all of the multicast traffic is getting through, and that the customer is blocking this somewhere. Our customer claims they are not blocking anything.

When we put in a VPN tunnel between the connection, everything flows through just fine. When we remove it, it fails.

Is it possible multicast would require a VPN over a point to point connection? Thanks in advance



TCP RST Instead of Final FIN ACK

I'm looking for advice on a packet capture. Our service sends two RST packets instead of the final FIN ACK. Is this common?

Also, why would there be a TLS encrypted alert packet between the ACK and the FIN ACK from the client? Is this considered a half open connection at that point, before the client has sent the FIN ACK?

I'm not used to troubleshooting TCP connections at this level, so any help would be appreciated.



Advice on setting up network, servers, domain

For starters, I am not an IT guy, so please don't butcher me if my jargon is wrong. I am starting a new business and need the capability of having 75,000 users with around 5,000 online at a time. I do not want my domain to be through another entity that could shut my site down if they disagree with my business model. That is of the utmost importance to me. I want the best security for it as well, to protect user data and payment processing. I have heard of Barracuda Network Solutions. Not sure who is the best though. Does anyone have any clue what the ballpark cost is to set something up with these parameters or something similar? Thank you in advance.



Help with a connection multiplexer solution

Hey everyone, I am researching solutions for a project. I have two sites and they have identical infrastructure (Separate WAN IP):

  • ISP --> Routers --> VM Host Server (I have Port forwarding privileges)

Can I set up some sort of connection multiplexer, so that it connects to both sites at the same time, and I can add more sites as time goes on? Thank you.



Blaming the cables

We are currently experiencing WAN problems to one of our sites and one of the carrier support reps tried to tell me that we might have a bad cable causing the problem. I am seeing no errors on the router interface, so is it even possible that it could be a bad cable in that case? The device is in a colo in another city so it's not like I can easily run over and replace it.



Eve-ng server committing denial of service (DoS) attacks

Hey guys! I recently installed an eve-ng server on the GCP platform and I've been getting emails from Google stating that my eve-ng server appears to be committing denial of service (DoS) attacks, telling me to take action or they will suspend the server.

Has anyone experienced a similar issue? Not sure how to resolve this, and just FYI all devices in my lab are shut down (the instance is still running), but Google is somehow seeing my eve-ng server committing a DoS attack.



Learning Novell NetWare in 2022?

I am working on a Network Administration degree and I noticed that next semester I will be taking a course called "Network Administration Novell NetWare". The course description is as follows:

"Preparation to effectively manage a Novell NetWare network. Topics include network components, user accounts and groups, network file systems, file system security, and network printing. "

Why are we learning about a network operating system that was discontinued 7 or so years ago? Is NetWare something I will realistically run into in the wild, or is the course maybe just using NetWare to teach the basics of managing a network?

Any input is greatly appreciated!

EDIT:

Here is a link to the full degree plan if anyone is willing to evaluate its usefulness:

https://www6.austincc.edu/cms/site/www/catalog/programmaps/programmap.php?ap=6646&aos=COSIS&yr=2022

I would hate to be wasting my time



What was your first experience with asynchronous routing?

We are a smaller shop, that is growing a bit and I've had to introduce multiple routers, etc and I just experienced my first asynchronous routing problem. Pre-production luckily, but still!

PING worked so my brain was broken for about 30 minutes, but nothing else would. SSH, SMB, etc.

I thought the traffic was simply not getting there, until I opened up Wireshark on the destination server and saw a lot of TCP retransmit errors, etc.

PING obv worked because it's stateless, but anything TCP based (SSH, SMB, etc) did not because the sequences were all WAY out of order.



Netmiko Cisco Help

Hi all,

I wrote a simple Netmiko script to update my RADIUS server configuration on a bunch of Cisco switches in our production network. I want them to get saved to the startup config, so I don't need to do "copy run start" on each of them.

I am getting a NetmikoTimeoutException Error. When I logged in manually into one of the switches, I can see that the added commands are in the running config, but when I use "show archive configuration differences", I see that it is not added to the startup config yet.

I tried to add "do copy run start" to my commands but I still get same issue. Any ideas why this could be happening? Basically the script works but it just does not save to the startup config like I want it to.

Thank you.
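Added example (editor's, not the poster's script): the usual way to push a config change with Netmiko and save it. `copy run start` on IOS stops at the `Destination filename [startup-config]?` prompt and waits for Enter, which a `send_config_set` call never sends, so Netmiko waits for the device prompt until it times out with the running config already changed, which matches the symptom described above. Netmiko's `save_config()` on the `cisco_ios` driver sends `write memory` instead, which returns straight to the enable prompt. The RADIUS server address, key, group name and device credentials are placeholders, not values from the post, and the command block assumes IOS/IOS-XE `radius server` syntax.

```python
# Added example (editor's, not the poster's script): push a RADIUS server
# definition with Netmiko and save it through save_config() rather than an
# interactive 'copy run start'. Server address, key and group name are
# placeholders, not values from the post.
from typing import List


def radius_commands(server: str, key: str, group: str = "RADIUS-SERVERS") -> List[str]:
    """IOS/IOS-XE 'radius server' block plus an AAA server group."""
    name = "RAD-" + server.replace(".", "-")
    return [
        f"radius server {name}",
        f" address ipv4 {server} auth-port 1812 acct-port 1813",
        f" key {key}",
        f"aaa group server radius {group}",
        f" server name {name}",
    ]


def push_and_save(device: dict, commands: List[str]) -> str:
    """Apply the commands in config mode, then save.

    save_config() on the cisco_ios driver sends 'write memory', which comes
    back to the enable prompt. 'copy run start' instead stops at
    'Destination filename [startup-config]?' and waits for Enter, which
    Netmiko never sends, so the read times out (NetmikoTimeoutException)
    with the running config already changed. Netmiko is imported here so the
    helper above can be exercised without it installed."""
    from netmiko import ConnectHandler
    conn = ConnectHandler(**device)
    try:
        conn.enable()
        output = conn.send_config_set(commands)
        output += conn.save_config()
    finally:
        conn.disconnect()
    return output


if __name__ == "__main__":
    # Placeholder device; 192.0.2.0/24 is documentation address space.
    DEVICE = {"device_type": "cisco_ios", "host": "192.0.2.10",
              "username": "netops", "password": "changeme", "secret": "changeme"}
    print(push_and_save(DEVICE, radius_commands("192.0.2.53", "R4d1usK3y")))
```

If a device still times out after this change, check whether `write memory` itself prompts on that platform (some IOS-XE builds ask for confirmation when the startup config was edited out of band); `save_config(confirm=True, confirm_response="")` handles that case.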



Alternative of OLT

Is there any cheaper alternative to an OLT?



Connecting OOB Cradlepoint to an Opengear for remote access

How can I connect the CradlePoint CBA850 OOB to an Opengear OM-1208-8E, so I can reach the Opengear terminal device via OOB (Cradlegrave)?

I tried port forwarding (Pub IP to NET1 Private IP) on the Cradlegrave to forward to the NET1 port on the Open Gear, but no luck. I believe I'm missing something or not connecting it to the right ports.

The Cradlepoint is registered.

  • Cradlepoint CBA850 (CELL) ports: LAN1, LAN2 and console port
  • Opengear OM-1208-8E ports: NET1/2, 8 serial, 8 switch ports, USB etc.



Observium alternatives due to polling intervals

My company has been running Observium for the last 5 years or so to monitor our core and edge network, plus managed customer devices, and this includes our upstream peering links (we're a small ISP). We occasionally get tiny outages reported by some customers, where they might lose connectivity for 30-60 seconds. Unfortunately, the customers might only be doing 50-100Mbps at the time, and we're normally pushing 3Gbps over our main peering link. When you combine that with Observium’s 5 minute polling interval it means these "outages" are impossible to see on the core links.

I've seen it's possible to tune Observium to a lower polling interval, but that affects every sensor, and we're monitoring a lot of stuff so the load on the server would increase massively. The only other NMS I've used extensively is PRTG but that's outside of my company’s budget for the time being, but that did at least allow you to set custom polling intervals on individual sensors.

So, my question is, what are people’s recommendations for network monitoring? Windows or Linux based, either is fine. It doesn't have to be free either, there is some budget for this. It'll be monitoring mainly Juniper but also some Cisco and Extreme, around 100-125 devices total.

Thanks in advance!



Viability of open source networking solutions

I have recently moved to networking as a career, currently working in a NOC and dealing with networks at several large organisation - mostly Cisco and Juniper with some Aruba sprinkled in here and there. Due to the variety of customers, amount of legacy equipment etc., things are held together with copious amounts of proverbial duct tape - they work, but not in the most elegant way.

I've always found open source solutions to be very elegant - provided that they work at all, that is - and I am wondering what is the state of play for open source networking solutions for enterprise. I am thinking primarily about wireless management, network monitoring, automation and security in the context of a smaller organisation (let's say up to 100-200 users).

Beyond academic interest (I'm a lifelong user and enthusiast of open source solutions), I suspect there is a market niche that can be served with open source solutions. I am thinking about smaller companies and mid-sized NGOs that have grown well beyond SOHO but don't have the budget for the latest and the greatest in enterprise solutions (note: I am based in CEE, where budgetary constraints hit harder than in Western Europe or North America).



looking for a repository of best practices commands for network devices routers and switches (cisco focused)

The reasoning behind this is to build out a list that can be referenced using Python. It would be used when building out or syncing network configurations. I have gathered around 160 commands, give or take, in a non-organized fashion. I'm looking to add to this list. Any chance anyone knows of an organized repository of these recommendations? I can post my list if anyone wants to see it.



Firewall options for cloud (AWS specifically) environments

Hello,

I am helping to move an application stack to AWS and trying to figure out how to maintain reasonable security posture while getting out of IP management business. I am mostly concerned with internal communication, as the external one is reasonably well hardened with WAF and other existing services.

Currently the setup is traditional - you have services that are exposed on a specific IP, that IP is in DNS, the firewall has rules allowing traffic to communicate to this IP via specific port. I want to not have to deal with the IPs in AWS at all, rather just assign a FQDN to the service and specify in rules that this FQDN can be accessed by system X on port Y. And while the IP of the service in AWS is not going to change often, it still will change and I don't want that change to cause an outage. To further complicate matters, there will be multiple VPCs and multiple accounts involved in the communication.

So my question is - are there any good solutions out there that can filter traffic between different VPCs/accounts connected via transit gateways based on the FQDN? Or is that a pipe dream and I should either lock down IPs or figure out other methods of controlling traffic flows?

Thanks!



Looking for advise on design software, what do you use?

Right now I'm doing top-level design only, or that's what we call it. I've been doing everything in Visio and have been putting in all of my switches, routers, servers, and other appliances and showing ambiguous lines that describe nothing more than X connects to Y, but I'm going to be doing more of what you might call layer one design too now. I'll need to show lengths of cable runs, more details on which cables connect to which spots in patch panels, and I'll be overlaying most of this with maps of our sites. I'm looking into using AutoCAD because that's what I'm familiar with for things like general wiring diagrams and many engineers use it as a standard, but I was hoping to hear what others use and find helpful.



Best tool for baselining network activity?

Best tool for baselining network activity? As part of a project on security I'm asked, as the network person, to find a decent product for this purpose. These are the players I've found. Palo Alto and Aruba/HP shop.

  • Solarwinds Netflow
  • Splunk feeding into a log aggregator
  • Auvik
  • Datadog

Task: Baseline and analyze network activity over a period of months to determine behavioral patterns so that normal, legitimate activity can be more easily distinguished from anomalous network activity (e.g., normal vs anomalous account activity). Keep cost in mind.

Any experience with these, recommendations, or tips? Thanks.



Public IP for a new DMVPN/mGRE network

In situations where you're peering with one or more ISPs using their /30s (or whatever uplink IP space they tell you) and you're advertising your own public IP space to them, which IP should be used for spoke sites? It seems odd to use a tunnel source on an IP/interface that's not the egress, but using a carrier's IP or an IP that isn't yours feels like you'd run into issues down the road if you ever have to change the NHRP address.

I'm also trying to figure out the best way to even advertise my own public space. I'm assuming that using a public few IPs in the internet edge for connectivity between routers/firewalls (I think in a lot of cases the firewall is handling NAT and the router is there to just route) and advertising the public IP space within the BGP routing process is the general way, but I've been told to put public IPs on loopbacks at the internet edge.



Apply VPN tunnel with dynamic IP

Greetings to you all

We have two branches we want to connect with an IPsec VPN. The main branch has a public IP, and the other is on a shared home modem with a dynamic IP.

Is it possible to create vpn tunnel between them with Palo Alto firewall on both branches ? And is there any draw back ?



Cisco Vs Huawei

Hi guys

I work for an enterprise. I have two quotations with me; the Huawei R&S one is cheaper than Cisco's. I want Cisco to be implemented because of their integration with NAC, Threat Grid, XDR and other NextGen solutions.

But my top management is failing to understand why they need Cisco. Either I am too naive or they are.

What does your experience say? Which one is better TECHNICALLY?



Tuesday, October 19, 2021

Fortigate BGP&OSPF&VRF Lite

We are in the process of choosing NGFWs for our two datacenters. Our network uses BGP + VRF Lite and we are going to add OSPF. I am trying to understand if Fortigate supports it and works well in such an environment. Does anyone have experience using Fortigate with BGP, OSPF and VRF Lite?



Mystery double VLAN tag in VWLC on ESXi

Hello /r/Networking!

I'm setting up a learning lab and have an instance of VyOS working in an ESXi VM using a VGT trunk (VLAN 4095) and it's working fine. But I'm stuck trying to set up dynamic VLANs in Cisco's VWLC in another VM on the same hypervisor: data doesn't flow out properly from the management interface. Dynamic VLANs aside, I'm able to provision a WAP using CAPWAP configured via DHCP option 43 from VyOS; I can also log in using RADIUS and use the wifi connection. I suspect the issue stems from some VLAN tagging weirdness. Any and all help is appreciated. Thanks in advance :)

The setup

This lab is running on a laptop with a single NIC; VWLC seems to indicate the use of a dedicated vSwitch necessitating another NIC but a) this seems to be to avoid having promiscuous interfaces on the primary vSwitch (I'm not terribly concerned about security for this lab) and b) the issues I'm seeing don't seem to be related to this configuration. Please correct me if I'm wrong about this :)

The VWLC service port (172.28.8.65/27) is on a vSwitch access port (VLAN 31) and works just fine - I can initiate connections to/from the service port (ICMP, TCP). The VWLC management interface (172.28.8.98/25) is on a promiscuous vNIC on a VGT trunk and is using tagged VLAN 41. I can ping the management interface from another machine in VLAN 41 -- but the reverse is not true.

What I've tried

In addition to the connectivity tests above, I've done some packet dumps to try figure out what's going on. I used a VM on a VGT trunk on the same vSwitch to record these packet dumps.

These are ICMP captures are between the router's interface on VLAN 41 (172.28.8.97/25) and the VWLC's management interface.

Router pinging VWLC. Wireshark says that the frame has one 802.1Q chunk inside (the response from the VWLC does as well and it is received properly by the router).

0000  02 00 00 76 55 4e 00 0c 29 d1 a0 16 81 00 00 29
0010  08 00 45 00 00 54 29 98 40 00 40 01 a8 15 ac 1c
0020  08 61 ac 1c 08 62 08 00 8f c0 0f 38 00 01 ae 94
0030  6f 61 00 00 00 00 7b 3d 01 00 00 00 00 00 10 11
0040  12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21
0050  22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31
0060  32 33 34 35 36 37

VWLC pinging router (via CLI). Wireshark says that the frame has two 802.1Q chunks inside. The router does not respond to this. Similarly, pinging other IP addresses outside of the management subnet is properly directed to the gateway, but with an extra 802.1Q encapsulation, so they're ignored by VyOS. I have no idea where this extra 802.1Q tag is coming from. And it's the same as the management tag (VLAN 41). My understanding of VGT/VST/EST suggests that EST won't help here.

0000  00 0c 29 d1 a0 16 02 00 00 76 55 4e 81 00 00 29
0010  81 00 00 29 08 00 45 00 00 68 1d d1 00 00 40 01
0020  f3 64 ac 1c 08 62 ac 80 08 61 08 00 15 d5 d8 04
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040  00 00 00 00 00 00 1c 1d 1e 1f 20 21 22 23 24 25
0050  26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
0060  36 37 38 39 3a 3b 3c 3d 3e 3f 40 41 42 43 44 45
0070  46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53

Edit: I forgot to add: packet capturing on the VWLC itself does not show the extra tag.

Oddly, the VWLC, when pinging other machines on the subnet, does not send out any ICMP packets, not even for broadcast.
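Added example (editor's, not code from the post): a small decoder for the two hexdumps quoted in the post. It strips the offsets, walks any stacked 802.1Q headers (the VID is the low 12 bits of the TCI, and 0x0029 is 41), pulls the IPv4 endpoints out of the header and recomputes the header checksum, so you know whether the bytes in the dump are faithful before reasoning about them. Two things it surfaces that a practitioner would want to check: both tags on the second frame carry VID 41, which is the pattern you get when the guest tags the frame and something on the path adds the same tag again; and the second frame's destination address decodes as 172.128.8.97, not the router's 172.28.8.97 given in the post, with a header checksum that validates, so it is what the VWLC actually sent rather than a transcription slip. The hexdumps below are copied from the post; nothing else is assumed.

```python
# Added example (editor's, not from the post): decode the two hexdumps
# quoted above, count stacked 802.1Q tags, pull out the IP endpoints and
# verify the IPv4 header checksum so the bytes can be trusted.
from typing import Dict

# Copied from the post (router -> VWLC, then VWLC -> router).
ROUTER_TO_VWLC = """
0000 02 00 00 76 55 4e 00 0c 29 d1 a0 16 81 00 00 29
0010 08 00 45 00 00 54 29 98 40 00 40 01 a8 15 ac 1c
0020 08 61 ac 1c 08 62 08 00 8f c0 0f 38 00 01 ae 94
0030 6f 61 00 00 00 00 7b 3d 01 00 00 00 00 00 10 11
0040 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21
0050 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31
0060 32 33 34 35 36 37
"""

VWLC_TO_ROUTER = """
0000 00 0c 29 d1 a0 16 02 00 00 76 55 4e 81 00 00 29
0010 81 00 00 29 08 00 45 00 00 68 1d d1 00 00 40 01
0020 f3 64 ac 1c 08 62 ac 80 08 61 08 00 15 d5 d8 04
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040 00 00 00 00 00 00 1c 1d 1e 1f 20 21 22 23 24 25
0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
0060 36 37 38 39 3a 3b 3c 3d 3e 3f 40 41 42 43 44 45
0070 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Four-character tokens are the offsets (0000, 0010, ...); drop them."""
    return bytes(int(tok, 16) for tok in dump.split() if len(tok) == 2)


def ipv4_header_checksum(header: bytes) -> int:
    """One's-complement sum (RFC 1071) with the checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    total = sum(int.from_bytes(zeroed[i:i + 2], "big")
                for i in range(0, len(zeroed), 2))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> Dict:
    info = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "vlan_tags": []}
    pos = 12
    while int.from_bytes(frame[pos:pos + 2], "big") == 0x8100:  # 802.1Q tag
        tci = int.from_bytes(frame[pos + 2:pos + 4], "big")
        info["vlan_tags"].append(tci & 0x0FFF)                    # VID: low 12 bits
        pos += 4
    info["ethertype"] = int.from_bytes(frame[pos:pos + 2], "big")
    pos += 2
    if info["ethertype"] == 0x0800:                               # IPv4
        ihl = (frame[pos] & 0x0F) * 4
        hdr = frame[pos:pos + ihl]
        info.update({
            "proto": hdr[9],
            "src_ip": ".".join(str(b) for b in hdr[12:16]),
            "dst_ip": ".".join(str(b) for b in hdr[16:20]),
            "checksum_ok": ipv4_header_checksum(hdr)
                           == int.from_bytes(hdr[10:12], "big"),
        })
    return info


if __name__ == "__main__":
    for label, dump in (("router -> VWLC", ROUTER_TO_VWLC),
                        ("VWLC -> router", VWLC_TO_ROUTER)):
        print(label, decode_frame(hexdump_to_bytes(dump)))
```

The same decoder works on any capture you paste in as a Wireshark-style hexdump; when chasing a double-tag problem, run it on captures taken at each hop (guest, vSwitch uplink, physical switch port) and watch where the tag count changes.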



Weird network issue after power outage.

I'm running into a strange issue I haven't encountered before.

Link to Image

The above image has been simplified, but what I'm running into is that, in regards to the image, the host at 10.1.255.10 cannot ping 10.2.255.10. It CAN ping 10.2.255.11.

Even stranger, 10.1.255.11 can ping 10.2.255.10.

I've checked the firewall, and the packets are showing as accepted and not being blocked.

Even more strange, running tcpdump on 10.2.255.10 shows no ICMP packets hitting it from 10.1.255.10, yet, when 10.2.255.10 pings 10.1.255.10, the host replies back, but the reply never reaches back to the 10.2.255.10 host.

Here's the kicker -- this was all working COMPLETELY fine and there were no issues at all until recent events: a Transformer exploded nearby and knocked out power to the entire building for hours. Backup batteries only lasted so long before everything sort of died down in a dirty state which I've been able to mostly recuperate from, except for this bizarre issue.

I've compared switch config backups and absolutely nothing has changed -- only the power outage, which seems to have some effed up lingering effect.

Any ideas?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Mcast Bidir for more than 2 Router

Hi

I am reading a paper about the Cisco IPN solution: interconnection of 2 ACI fabrics using an IPN (Inter-Pod Network architecture).

It seems PIM for multicast routing is configured in Bidir mode.

I have an issue with the PIM Phantom RP configuration:

- How will the RP be elected? (Phantom RP/designated forwarder election means for me that a VIP is advertised for the RP, basically.)

- Cisco gives an example in the paper with 2 IPN routers (IPN for the ACI fabric on site 1, IPN for ACI on site 2).

- Each IPN router will advertise a loopback IP with an IP address in the same range as the RP, but with a different mask.

- For example, 192.168.1.1 is configured as the RP; loopback 1 on IPN_RTR1 is configured with IP = 192.168.1.2/29, and the other one, IPN_RTR2, has loopback1 IP = 192.168.1.1/28. This means the RP is advertised by 2 routers, but IPN_RTR1 will be elected as DF.

- This means we are using the longest match rule to break the tie.

- My question: what if I have more than 2 routers (more than 2 sites to connect)?

- What about the IPN routers on a site that are in a more complex topology (for example, I have 2 IPN routers on one site and they must run in vPC or something close)?

It would be cool if you could enlighten me.

BR



Switch Dell S3048-ON died after a shutdown and reboot

I have 2 S3048-ON in a stack, and after 1 year without a reboot we turned the switches off and on, and one switch doesn't come back. On startup the switch shows errors and reboots again and again... We have already removed the switch from the stack.

I tried to uninstall ONIE and install it again, but I can't install because I receive errors about being unable to read /dev/i2c-2, unable to find the serial number and base MAC address not found. It appears to be EEPROM read errors.

Ideas about this problem?

DIAG results: pastebin.com/72yxz5id

testall results: pastebin.com/aSD2QuBE



Intentional multi-path packet duplication

Is there a name for feature/s to facilitate packet duplication for redundant transmission over multiple lossy RF links?

Either vendor names/features or Linux or BSD kernel features. Searching on my own the closest thing I found was a firewall feature that duplicates log packets, for security reasons, but it sends the duplicates to the same IP.

Ideally I would duplicate packets sent to a particular subnet on a set of UDP and TCP ports and each duplicate would be sent out a different egress device (e.g. LTE1, LTE2, LTE3, CBRS, WiFi1, WiFi2, et. al.)



Network switch and voip.

Can I connect 3 desktop PCs and one VoIP phone to a Netgear 5-port switch (model GS105)? Or do I need to connect the switch to the VoIP phone's PC port and then connect the PCs? Which is the best solution?



Suggestions on implementation projects for an introductory communication networks course?

So I have a group project for this semester in my communication networks course, and we can choose between three different types of projects, one being an "implementation", which is the only one that actually involves coding. I'm leaning towards that one but I'm not sure on what sort of thing would actually be a reasonable project concept to implement. Does anyone have any suggestions for this type of thing?



Cisco Nexus 9300 On The Shelf/Lifetime Warranty

Our clients are experiencing crushing lead-times and delays. We have on the shelf stock.

PART ID: C9300-48U-A

DESCRIPTION: CISCO C9300-48U-A CATALYST 9300

LIST PRICE- 11,050.00

PivIT PRICE- 5,920.00

Melissa.Pedrazzini@PivITGlobal.com



Creating an HTTP server using Python sockets | Sessions?

Hey, I am creating an HTTP server using Python sockets and ran into a problem.

What I am currently doing is creating a thread for each "client" that sends a request to the server, in order to receive any incoming requests in an infinite loop. What I noticed is that for every request sent from the same browser a new thread is created, meaning a new client. Is this supposed to happen, or am I supposed to have some sort of client session?

Thanks!



SFF iperf testing boxes with 10Gbe

Needing to do some performance testing using iperf among other things (Linux based), but I'm having trouble finding SFF or micro PCs with 10Gb interfaces (copper or SFP based). I found some oddball Supermicro boxes but they're like a grand before adding RAM/drives/etc. Looking for low-cost boxes to toss out at a site. Anyone ever use/create something like this?



End of year spend ideas

So got roughly $30k I need to spend by end of year, and coming up short on ideas.

We are already using additional $ for EOL device replacement, as well as some other services, so coming up short on what to spend the remaining on.

Any ideas?



DCI interconnect (2DCs) with stretched L2 - Routing

We are planning to expand with a second Datacenter. There is a wish from our server team, to do L2 DCI (VXLAN in both DCs) due to easier transition in a disaster recovery situation. (and to be able to have active-active services)

We have every site connected to our HQ via MPLS (single multihomed). Until now, every site has had its own prefixes for routing, which makes it easy.

With the second DC (and partially the same subnets), we would have to route the same prefix to both sites.

This would work, but in case of loss of the cross-connects (2x10G) we would have a split-brain situation.

--- RT1------# HQ #------RT2---------
     |                      |
@@@@@@@@@@@@@@@@@@@@@@@@@@ MPLS @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
   |       |                                     |       |
   |       |                                     |       |
-----------# DC1 #----------  <-- 2x 10G LACP L2 -->  --------- # DC2 # --------
  RT1     RT2                                   RT1     RT2
    10.10.10.100/24                                10.10.10.200/24
    10.10.10.0/24                                  10.10.10.0/24

What would be best solution here? How could we route the same Subnet to both locations, but have no issues with Split-Brain?



Using HAProxy load balancer with apache web server

I have 2 web apps on cloud both serving the same content, and everything else is identical. Both currently have their own Apache web servers set up; when I visit the website using the IP, the web servers there serve the content.

Now I want to have HAProxy in between so that the request is first processed by the load balancer and then forwarded to either of the machines, which then can process the request. Also, I will set up the same database for both of my machines to use.

I need blogs/videos/a detailed answer explaining the theory, with the help of some diagram, and how exactly this will work. For example, if I configure HAProxy, do I still need to run Apache/Nginx on both of my machines, etc.?

In Summary :

I was trying to set up a load balancer in front of my web servers to redirect requests to any one of the machines. I know Nginx itself can do that, but I wanted to use the HAProxy load balancer for the same. I have 2 machines on cloud serving the websites independently, using the IP address of the individual machines. Now I want to have a load balancer that will first receive the request and then forward it to either of my 2 machines running the same Django code; basically I want to make my system distributed.

How can I achieve the same?



OSPF Route Filtering

This weekend I was working with a managed customer to help somewhat re-design their network. We ran into a problem however with routes propagation in OSPF and as it's been a long time since I had to tune OSPF to any degree I couldn’t workshop a solution before the change window ran out and we reversed everything.

Basic network topology:

Meraki VPN concentrator (site A) - SRX FW (site A) - SRX FW (site B) - Cisco 4500 (site B) - Meraki VPN concentrator (site B)

I manage the SRX's, the customer manages the Meraki's and the 4500. The whole thing will be in area 0 and doing OSPF between the SRX and 4500 at site B is new, currently it's just statics. The issue is that the customer connects site to site and end user VPN's into the Meraki's and the same subnets are dished out at either location. These subnets are advertised via OSPF into the network, meaning the routing can get confused. The customer wants us to filter the routes on the SRX's, but as I've learnt it seems you can't filter internal routes, only external on the SRX's. So, there's no way on the SRX's to block routes in or stop advertising the routes.

What I'm looking for is specifically a way on the SRX's of blocking the routes from the site A Meraki device, assuming changing the OSPF area is not possible.

In my head I can't see a way, and I think the customer needs to sort out how the Meraki's handle the subnets that are handed out, or how they are advertised in OSPF. That or the area needs changing so I can filter external routes. But that doesn't seem ideal as then the network will never route traffic back to that Meraki (site A one). Or we don't do OSPF between the SRX and 4500 and add in high cost static routes that are installed in the routing table if the OSPF routes are ever lost.



IOS - retrieve interface name from cmnHistMacChangedMsg SNMP notification

TL;DR: How do I extract interface name from a cmnHistMacChangedMsg (mac change) message?

Hello,

I am trying to write a script for my switches (mostly 2960s / 3560s) that would catch MAC learning events (sent through SNMP notifications), for audit purposes. It is mostly going well: the switch is sending the SNMP notification when a new MAC is learnt, my script catches it successfully and extracts the payload. One thing I am having trouble with is deducing the switch interface from that data. Based on CISCO-MAC-NOTIFICATION-MIB ( ftp://ftp.cisco.com/pub/mibs/v2/CISCO-MAC-NOTIFICATION-MIB.my ) and the relevant object (cmnHistMacChangedMsg), the payload is in the form of: operation,VLAN,MAC,dot1dBasePort. I had assumed that dot1dBasePort was referring to an entry in the BRIDGE-MIB, where I could look up dot1dBasePortIfIndex to get the corresponding ifIndex and from there get the ifDescr (i.e. the human-readable name of the interface).

However, the SNMP notification (or a corresponding SNMP GET on the same OID) doesn't seem to follow that logic regarding the dot1dBasePort field. For example:

# snmpwalk -v 2c -c public MySwitch 1.3.6.1.4.1.9.9.215.1.1.8.1.2
SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.2.1 = Hex-STRING: 01 00 0A AA BB CC DD EE FF 00 18 00

So 0018 is the port (don't know why the trailing 00 byte btw), which in decimal is 24, and it turns out that the relevant interface is actually Fa0/24 (I have tried with other interfaces, got same pattern). On the other hand if I try to follow what's written in the MIB, there is no element 24 in dot1dBasePortIfIndex, actually there are not a lot of elements in there, not even one per UP interface (10 interfaces were UP at the time of this request):

# snmpwalk -v 2c -c public MySwitch 1.3.6.1.2.1.17.1.4.1.2
SNMPv2-SMI::mib-2.17.1.4.1.2.1 = INTEGER: 10001
SNMPv2-SMI::mib-2.17.1.4.1.2.22 = INTEGER: 10022
SNMPv2-SMI::mib-2.17.1.4.1.2.25 = INTEGER: 10101
SNMPv2-SMI::mib-2.17.1.4.1.2.26 = INTEGER: 10102

compared to an ifDescr lookup, which yields the expected data:

# snmpwalk -v 2c -c public MySwitch 1.3.6.1.2.1.2.2.1.2
IF-MIB::ifDescr.1 = STRING: Vlan1
IF-MIB::ifDescr.10 = STRING: Vlan10
IF-MIB::ifDescr.10001 = STRING: FastEthernet0/1
IF-MIB::ifDescr.10002 = STRING: FastEthernet0/2
IF-MIB::ifDescr.10003 = STRING: FastEthernet0/3
IF-MIB::ifDescr.10004 = STRING: FastEthernet0/4
IF-MIB::ifDescr.10005 = STRING: FastEthernet0/5
IF-MIB::ifDescr.10006 = STRING: FastEthernet0/6
IF-MIB::ifDescr.10007 = STRING: FastEthernet0/7
IF-MIB::ifDescr.10008 = STRING: FastEthernet0/8
IF-MIB::ifDescr.10009 = STRING: FastEthernet0/9
IF-MIB::ifDescr.10010 = STRING: FastEthernet0/10
IF-MIB::ifDescr.10011 = STRING: FastEthernet0/11
IF-MIB::ifDescr.10012 = STRING: FastEthernet0/12
IF-MIB::ifDescr.10013 = STRING: FastEthernet0/13
IF-MIB::ifDescr.10014 = STRING: FastEthernet0/14
IF-MIB::ifDescr.10015 = STRING: FastEthernet0/15
IF-MIB::ifDescr.10016 = STRING: FastEthernet0/16
IF-MIB::ifDescr.10017 = STRING: FastEthernet0/17
IF-MIB::ifDescr.10018 = STRING: FastEthernet0/18
IF-MIB::ifDescr.10019 = STRING: FastEthernet0/19
IF-MIB::ifDescr.10020 = STRING: FastEthernet0/20
IF-MIB::ifDescr.10021 = STRING: FastEthernet0/21
IF-MIB::ifDescr.10022 = STRING: FastEthernet0/22
IF-MIB::ifDescr.10023 = STRING: FastEthernet0/23
IF-MIB::ifDescr.10024 = STRING: FastEthernet0/24
IF-MIB::ifDescr.10101 = STRING: GigabitEthernet0/1
IF-MIB::ifDescr.10102 = STRING: GigabitEthernet0/2
IF-MIB::ifDescr.10501 = STRING: Null0

So either the MIB is wrong, the switch is not behaving as it should, or I am missing something. Now as this alleged dot1dBasePort field seems to be in fact almost the interface name I guess I could take that for granted and go this route, but as I have about 100 switches in various models, IOS versions and configurations, I would like to take a deterministic approach and understand what I am doing.

Any ideas?
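An added example (my code, not the poster's script): it parses the payload layout the post describes and resolves the port through the MIB-documented path, reporting explicitly when the bridge table has no row for that port, so any fallback to the port-number pattern the post noticed is recorded in the audit event rather than applied silently. The tables are the snmpwalk output from the post, abridged; the meaning of the operation byte (1 = learnt, 2 = removed) is my reading of the MIB and should be checked against its text.

```python
# Record layout of cmnHistMacChangedMsg as described in the post (CISCO-MAC-NOTIFICATION-MIB):
# operation (1 byte), VLAN (2 bytes), MAC (6 bytes), dot1dBasePort (2 bytes) = 11 bytes per record.
RECORD_LEN = 11
# Operation byte meanings as I read the MIB; treat as an assumption and verify against the MIB text.
OPERATIONS = {1: "learnt", 2: "removed"}

# Hex-STRING exactly as returned by the snmpwalk in the post (note the trailing 00 byte).
NOTIFICATION_HEX = "01 00 0A AA BB CC DD EE FF 00 18 00"

# dot1dBasePortIfIndex walk from the post: dot1dBasePort -> ifIndex. There is no row 24.
DOT1D_BASE_PORT_IFINDEX = {1: 10001, 22: 10022, 25: 10101, 26: 10102}

# ifDescr walk from the post, abridged to the rows used here: ifIndex -> name.
IF_DESCR = {
    1: "Vlan1", 10: "Vlan10",
    10001: "FastEthernet0/1", 10022: "FastEthernet0/22", 10024: "FastEthernet0/24",
    10101: "GigabitEthernet0/1", 10102: "GigabitEthernet0/2", 10501: "Null0",
}


def parse_mac_change_msg(hex_string):
    """Split the Hex-STRING into 11-byte records; count trailing bytes instead of guessing at them."""
    data = bytes.fromhex(hex_string.replace(" ", ""))
    records = []
    for off in range(0, len(data) - len(data) % RECORD_LEN, RECORD_LEN):
        rec = data[off:off + RECORD_LEN]
        records.append({
            "operation": OPERATIONS.get(rec[0], "unknown(%d)" % rec[0]),
            "vlan": int.from_bytes(rec[1:3], "big"),
            "mac": rec[3:9].hex(":"),
            "dot1d_base_port": int.from_bytes(rec[9:11], "big"),
        })
    return {"records": records, "trailing_bytes": len(data) % RECORD_LEN}


def resolve_interface(base_port, bridge_table, if_descr):
    """Deterministic MIB path: dot1dBasePort -> dot1dBasePortIfIndex -> ifDescr.
    Returns None when the bridge table has no row for the port, which is the gap the post hit."""
    if_index = bridge_table.get(base_port)
    return None if if_index is None else if_descr.get(if_index)


def heuristic_interface(base_port, if_descr):
    """The post's observation (port 24 -> Fa0/24) as an explicit, labelled fallback:
    pick the ifDescr whose trailing port number matches, and refuse when that is not unique."""
    suffix = "/%d" % base_port
    matches = [name for name in if_descr.values() if name.endswith(suffix)]
    return matches[0] if len(matches) == 1 else None


def audit_events(hex_string, bridge_table, if_descr):
    """Turn one notification payload into audit events that record how the interface name was derived."""
    events = []
    for rec in parse_mac_change_msg(hex_string)["records"]:
        name = resolve_interface(rec["dot1d_base_port"], bridge_table, if_descr)
        via = "BRIDGE-MIB"
        if name is None:
            name = heuristic_interface(rec["dot1d_base_port"], if_descr)
            via = "name-heuristic" if name else "unresolved"
        events.append(dict(rec, interface=name, resolved_via=via))
    return events


if __name__ == "__main__":
    for event in audit_events(NOTIFICATION_HEX, DOT1D_BASE_PORT_IFINDEX, IF_DESCR):
        print(event)
```

In a real deployment the two tables come from walking each switch at startup (and again on link changes), and any event tagged `name-heuristic` or `unresolved` is what to review first when comparing behaviour across the 100 switches.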



Umbrella design query

Hello,

We are deploying Cisco Umbrella with two VAs. For improved security, I would place them one-armed into a firewall DMZ, where I can have full control so that the VAs can only reach the systems they need to reach. DNS traffic from users and servers will pass through the firewall.

Trying to wrap my head around the real security benefit of this design.

Any suggestions?



Dot1x IBNS 2.0 - start session after applying config

Hi all,

I'm making a design for dot1x based on ISE C3PL Switch Config Template - Google Docs. Now, I'm running into an issue where the authentication is only triggered when a device connects to the switchport. Windows clients seem to trigger authentication after half an hour or so (either dot1x or mab), but regular clients like printers just sit there and maintain their connection, without mab being triggered. These ports don't ever show up in 'show access-session'. It seems like the 'session-started' event from the policy-map is only triggered after a shut/no shut or when a new client connects.

Has anyone solved this before? I'm looking at the policy-map for solutions, but I'm having trouble finding an event that would be triggered right after applying the policy to an interface. Or am I just going to have to shut/no shut the ports to trigger authentication?

Authentication server: ISE 2.7
Switches: Cat9200 running 16.9.5 & C2960X running 15.2



Cisco smart licencing : "Fail to send out Call Home HTTP message"

I'm trying to register two C9500's via smart licensing.

I've setup the 'call-home' section as below:

service call-home
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications
 contact-email-addr sch-smart-licensing@cisco.com
 no http secure server-identity-check
 profile "CiscoTAC-1"
  active
  destination transport-method http
  no destination transport-method email

I've setup the source-interface for http and made sure I can ping tools.cisco.com which is fine.

Every time I redo 'license smart register idtoken ***' it fails, however, with the "Fail to send out Call Home HTTP message" error.

Looking at the logs, it's coming up with https://tools.cisco.com/its/service/oddce/services/DDCEService (ERR 207 : Connection time out)

I've checked through some guides and I think I have everything needed but I must be missing something unless the smart licensing is glitchy?

If it's using HTTPS, do I need to generate an RSA key for it to work on the C9500?

It's normally a closed off unit so doesn't have one.

Thanks



Monday, October 18, 2021

Security Information and Event Management cheat sheet (free) just released:

https://theartofservice.com/security-information-and-event-management-kanban

2144 Ready to use prioritized Security Information and Event Management requirements

This Kanban will help you plan and manage your Security Information and Event Management roadmap. 

How do you...

  1. Know if a provider has the technology resources to meet your security needs.

  2. Manage the information to help end users sense the urgency of security breach events.

  3. Bring data together across the entire organization in order to reduce the impact of adverse events and improve inventory and manufacturing performance.

  4. Know what data will be important to you six months from now.

  5. Prove that you deployed proper security controls and that they have been active.

  6. Deal with the massive amounts of information (logs, events, alerts and flow data) created by independent network and security devices.

  7. Test and evaluate your security controls.

  8. Ensure accounts only have access to the services/data for which they have been authorized.

  9. Control and limit access to data in cloud apps.

  10. Ensure business continuity in the event of system failure.

Transform the data into actionable views for your organization: business data changes, so how you view it should be flexible. Create the perfect view that's right for you.

Put your workflows on autopilot: Help your team go faster and focus on what matters by automating your processes. Upload and use the Kanban with your favorite apps and services like Asana, Airtable, Basecamp, Monday, Atlassian, Trello etc.

Knock down data silos: Align your teams around a single source of truth with real-time data from different sources. Point. Click. Stay in Sync.

Use its flexible reporting for your unique use case: Whether you're "no-code" or you "know-code", the Kanban is the foundational tool to show what you want to who needs to see it.

Subscribe: https://theartofservice.com/kanban-membership



Is download UDP QoS really possible?

I was thinking about this today. If I have a symmetric 50 Mbps from my ISP, and implementing something like CBWFQ, is it really possible to properly schedule that traffic in a way that preserves some traffic for class A vs. class B for example?

My thought is, if 50 Mbps of class A traffic is coming in, there's nothing that can be done on the WAN interface to give any bandwidth to class B because class A traffic is saturating the 50 Mbps from the ISP.

TCP I could see working because of the ACKs, but I'm not so sure on UDP. Am I missing something or is what I'm saying making sense?



ASA/AnyConnect Users Unable to Access Remote Datacenter after MPLS cutover

I hope this is an easy oversight at our remote facility. We had installed a new MPLS circuit. We were able to get the new link plugged into our core and updated the AS number, based on what the carrier provided. I can confirm that BGP is up, and connectivity back to our remote datacenter has been restored.

The issue:

VPN users in this remote facility (with the new MPLS) are unable to access resources at the datacenter.

From the ASA, tracing an IP to the datacenter times out:

Tracing the route to 10.1.12.1
 1 125.213.167.70 18 msec 18 msec 20 msec
 2 10.55.253.190 18 msec 17 msec 18 msec
 3 10.55.252.54 18 msec 18 msec
   10.55.252.58 18 msec
 4 10.55.253.2 22 msec 18 msec 21 msec
 5 * * *
 6 * * *

The only relevant configuration on the ASA that I saw was for EIGRP, but restarting its process didn’t seem to help:

router eigrp 18
 eigrp router-id 10.5.254.1
 network 10.5.0.0 255.255.0.0
 passive-interface default
 no passive-interface inside
 redistribute static

And on the core, where the MPLS terminates, relevant config:

router eigrp 12
 network 10.5.0.0 0.0.255.255
 redistribute bgp 65005 metric 100 1 255 1 1500
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
 eigrp log-neighbor-warnings 300
!
router bgp 65005
 bgp log-neighbor-changes
 redistribute connected
 redistribute static route-map STATIC-TO-BGP
 redistribute eigrp 12
 neighbor 10.5.254.5 remote-as 3452
 neighbor 10.5.254.5 prefix-list no-default-route in

I must be missing something basic - but I haven't been able to pinpoint it.

Again, onsite users can access resources at the remote datacenter. It appears to only be VPN users.

Does anyone have suggestions? Or please let me know if I can provide more detail.



An odd question

Hey all,

Scratching my head here. Our client- who is providing the wiring - “tested” the fiber connections. Their form of testing was using a flashlight to check if the fiber is good.

Now, I have not had much experience with fiber. But I have never heard of this. We have confirmed that the fiber types are correct, the sfps are correct. But are not getting connection.

It is my understanding that there is a lot more to test to ensure fiber is working other than light shining through a cable. Am I wrong? Did I miss something?

Many thanks for any responses



Question about the uniqueness of IP addresses

Hi, I am currently learning about networking. My current understanding is that any isolated network that implements the internet protocol can connect to another network that is already in the internet, and become part of the internet. Now, how is one prevented or discouraged from using an already existing IP address (either accidentally or purposefully) for their network? In other words, how do people prevent duplicate IP addresses from appearing in the internet network? I have googled this online and haven't found a clear answer on the prevention part. I have learned there is a non-profit organization called IANA that manages allocation to regional registries, which in turn allocate to ISPs and orgs. But are there laws in place to prevent duplicate IP networks from connecting to the internet?



Palo Alto 403 Error On Capture Portal

Hey PA peoples,

I'm working on a project (on a pair of PA 5220s on version 10.0.6) to have two zones on a vwire (one trust, and one lab). In order to get to the lab zone from the trust zone, I've created rules to only allow authenticated users to go through, and I've created my capture portal in accordance with their vwire documentation:

Configuring Captive Portal in V-Wire (with RADIUS Authenticatio... - Knowledge Base - Palo Alto Netw...

However, I'm getting a 403 error when trying to manually access the capture portal. I've been looking around trying to troubleshoot this, but I've come up dry. I have a ticket open with PA, but I thought I'd ask here in the meantime.

All traffic in the traffic monitor shows as being allowed, but the bytes received in the details tab shows as zero.

I can't find any docs or info on a 403 error for PA's capture portal. Anyone else run into this issue before?



How do you fix an office where all wireless clients only ever join to a single AP? (Meraki)

This is what I'm dealing with. An office and manufacturing facility with ~40 users on site and a plethora of access points, but every wireless device (which are scattered pretty evenly through the building) will only ever connect to a single access point.

It's all Meraki MR52 access points in the office space, MR42s in the warehouse/shop space. All have identical RF profiles assigned, the standard generic indoor profile (with rate limiting to disable .b devices). 40 MHz channel widths for 5 GHz, 20 MHz for 2.4 GHz.

Majority of clients are iPads for the zoom rooms, personal phones, company laptops, smartwatches, blah blah. The usual generic small office mix, and similar to all of our other locations.

Unfortunately I'm 1200 miles away from this office, so going on site with inSSIDer or a spectrum analyzer isn't an option.

Where would I even start sorting this out?



Apple & Android Tablets On Enterprise Wi-Fi

What is the best, secure, and proper way to authenticate these devices (non-windows tablets and smart phones) on to enterprise Wi-Fi these days? We have a sandbox SSID just for these devices to reach the Internet. We are deploying Meraki APs.

Currently, we are using Windows domain credentials, but it is a PITA every time someone needs to reset their domain password.

Are you (or should we be) using an MDM first to push out the Wi-Fi authentication related settings/certs? We currently have no MDM, and it's a bit of a wild west when it comes to tablets and phones. I want to work on correcting that.



VACL vs other ACLs

Are VACLs equally as secure as PACLs or RACLs? The concept is new to me, but is potentially required for a current project.



DHCP Solution for Meraki

Hey folks,

Could use some ideas here. I currently work for a state agency, at a school district. Every single agency in the state, has to work with our state IT department. I'm just going to call them XYZ. XYZ has certain policies and procedures we have to work around, and it creates a TON of logistical issues. As such, I'm a network admin, but my ability to access and modify things ends at our switch. The router and firewall are all handled by XYZ, and as such, I'm not allowed (or even able) to do anything with them.

We currently have 4 VLANs broadcast in the schools. Protected, Student, Guest and BYOD. They are all on separate subnets, and there's no relay between them, so none of them talk.

Currently right now the set up is that there are two servers in every school. One is a Linux CentOS DHCP server, which runs DHCPD for the Protected network, along with some other VMs for a handful of other things, and the other is a Windows machine that had some magic performed on it, which I believe is the multiplexor protocol from Microsoft. The previous network admin managed to virtualize the internal NIC card and allow it to have 4 VLANs - It's a shitty old Dell Optiplex 780 with a single ethernet port, which gets an address on the Protected network (as that's our native VLAN), but has 3 other "virtual network ports", each assigned to one of the other VLANs, and it runs a DHCP server for Student, Guest and BYOD. I have absolutely no idea how this was set up or how it manages to work. I've only ever dealt with Windows DHCP for a single scope, and when using VLANs, we used the router/appliance (WatchGuard, Aruba, etc etc) for DHCP and VLAN configs.

I want to acknowledge that it's a total hack job that was created out of necessity and lack of resources, and it wasn't created by me. I absolutely hate this set up and I'm looking for ways to simplify it.

Where my problem comes in is that the district has acquired a new building, and we're going to be using it for a handful of people. These same VLANs will need to be broadcast there (minus Student), and we're trying to avoid having to set up two physical servers like in the other schools. My first instinct was to get a Meraki switch that had DHCP functionality built into it, but upon watching a setup video of it, I almost immediately saw a roadblock, in the form of the "MX IP" field.

For those that don't know, MX is the line of security appliances Cisco Meraki sells. We don't have an MX security appliance. We've got a router that's 100% controlled by the state, and they will not run DHCP on there "for security", which means I need DHCP to come from another source. Is it possible for any of the Meraki switches to run their own DHCP server, and have them point the gateway to the router that we currently have? I called in and spoke to a Meraki rep, and while I'm sure he's good at his job, I could barely understand a word he was saying due to the accent, and ended the call not having a clue what he said, but he seemed to imply that DHCP on the switches won't work without a Meraki gateway. Is there ANY Meraki device that fits this bill?

If there isn't a Meraki device, does anyone know of any other sort of device that does? I've looked at DNSBox and a few others, and they're all MASSIVE overkill for what we need, on top of being too expensive for a school district. Any help or other ideas would be appreciated.



Need advice about the expanding role I'm being asked to fill.

Since I started as the network admin at my local municipality, we have made some nice strides in terms of security. I designed and rolled out our VMware NSX firewall to protect east-west traffic. I am currently in the process of separating public traffic from our internal network by means of a new circuit and firewall. We also hired a new managed security vendor that has brought to light a lot of blind spots in our security.

I am seeing a more expanded role in security and while I love the challenge and learning opportunity, I feel like I'm getting overwhelmed and compensation for all this work seems hard to come by.

I'm not sure how to ask my management to either promote me to full time info sec engineer or hire someone from the outside to do this because I'm finding I have no time to be an administrator since I'm working all the time on projects and security related things.

I don't know of how to pose this to management in an eloquent way where I'll be taken seriously. Any admins out there can share their experience with being in charge of security? We currently have 2 edge firewalls(1 more on the way to be for public traffic) 1 internal fw protecting public safety and the next firewall for East West server traffic. Also...my sys admin keeps trying to dump the endpoint security on me. Any advice would be greatly appreciated. I can take any criticism as well ;)



Leased line provider

Hi,

We were looking at upping our internet speeds on our leased line with our service provider. It was billed as an "easy" task, with IPs/connections and everything else staying the same.

Sadly, they pushed the button on it this morning and the internet to the site has been down since then.

They have admitted it's an issue on their side and are claiming it's an issue with their VLANs. I was just wondering if anyone had ever come across something similar and, if so, how long did it take to rectify? We've had no internet to the site for 6 hours now.