Saturday, December 4, 2021

I'm supposed to come up with a DDoS prevention solution on our edge network. Need inputs.

(Ours is a fairly large company, equivalent to a cloud provider, and we see DDoS attacks every day, quite large ones as well.)

Existing conditions:

  1. We have an in-house solution that scrubs traffic (using A10 devices) once it has identified it as a DDoS attack.

  2. We have edge ACLs and BGP filters which block the usual bad actors (RFC 1918 etc.).

We still see a lot of spoofed attacks.

My manager and his manager are half convinced that we need to implement uRPF (BCP 38) on our edge routers and asked me to design/implement this solution. The goal is that we avoid spoofed attacks instead of trying to mitigate them.

  1. After an initial analysis, I found that this solution (strict uRPF) would prevent spoofed traffic, but it would most definitely drop legitimate traffic from customers as well, since a lot of our peers and exchanges are sending traffic from prefixes they've not announced to us on that edge router directly. (They might have announced it to us in some other region or site.) Is this normal? In an ideal world this shouldn't be the case, but the internet is not ideal.

Loose uRPF won't work because we have almost the entire IPv4 internet's prefixes in our RIB.

  1. I mentioned to my manager that this solution wouldn't work, and he says I need to come up with a solution, doesn't matter what tech. So I'm not sure how to proceed at this point.

Some other things:

We pretty much have the entire internet (IPv4 prefixes) in our edge routers' RIB.

We use Juniper PTX.

I'm sure I didn't include all the info you need to give me input, since there is so much info, so please do ask what's needed and I'll reply in the comments or update the post.
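As an added illustration of the trade-off the post describes (this is example code written for this page, not from the original post and not any vendor's implementation), the following Python models the three uRPF checks defined in RFC 3704 (strict, loose, and feasible-path) against a constructed four-route RIB. The prefixes (documentation ranges), interface names, and packets are all made up. Loose mode with a full table only rejects sources that are not routed at all, which is the post's observation; strict mode rejects the legitimate packet whose best route points out a different interface, which is the post's concern; feasible-path mode accepts that packet when an alternative BGP path for the prefix was received on the ingress interface, even though it is not the installed best path.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    prefix: ipaddress.IPv4Network
    interface: str   # interface the path was learned on (and would egress via)
    best: bool       # True = installed in the FIB; False = alternative BGP path only


class Rib:
    """A tiny stand-in for a full-table RIB; all entries below are constructed."""

    def __init__(self, paths):
        self.paths = list(paths)

    def best_route(self, src):
        """Longest-prefix match over installed (best) paths, i.e. the FIB view."""
        src = ipaddress.ip_address(src)
        hits = [p for p in self.paths if p.best and src in p.prefix]
        return max(hits, key=lambda p: p.prefix.prefixlen, default=None)

    def feasible_interfaces(self, src):
        """Interfaces of every path, best or alternative, for the most specific prefix covering src."""
        src = ipaddress.ip_address(src)
        hits = [p for p in self.paths if src in p.prefix]
        if not hits:
            return set()
        longest = max(p.prefix.prefixlen for p in hits)
        return {p.interface for p in hits if p.prefix.prefixlen == longest}


def urpf_accepts(rib, mode, src, ingress):
    """True if a packet with source src arriving on ingress passes the given uRPF mode."""
    if mode == "loose":
        # Any route at all for the source is enough; a default route would accept everything.
        return rib.best_route(src) is not None
    if mode == "strict":
        # The best route for the source must point back out the ingress interface.
        route = rib.best_route(src)
        return route is not None and route.interface == ingress
    if mode == "feasible":
        # Any received path for the source's prefix on the ingress interface counts.
        return ingress in rib.feasible_interfaces(src)
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Constructed RIB standing in for a full table (documentation prefixes only).
RIB = Rib([
    Path(ipaddress.ip_network("203.0.113.0/24"), "peer-A", True),      # customer prefix announced to this router
    Path(ipaddress.ip_network("198.51.100.0/24"), "transit-1", True),  # same customer's other prefix, best via another site
    Path(ipaddress.ip_network("198.51.100.0/24"), "peer-A", False),    # ...but also received on peer-A as a non-best path
    Path(ipaddress.ip_network("192.0.2.0/24"), "transit-1", True),     # unrelated network somewhere on the internet
])

# Constructed packets: (label, source address, ingress interface).
PACKETS = [
    ("customer-direct", "203.0.113.5", "peer-A"),       # legitimate, symmetric
    ("customer-asymmetric", "198.51.100.9", "peer-A"),  # legitimate, but best route points elsewhere
    ("spoofed-routed-src", "192.0.2.7", "peer-A"),      # spoofed, source is in routed space
    ("spoofed-rfc1918", "10.1.2.3", "peer-A"),          # spoofed, source not in the table at all
]


def evaluate(mode, rib=RIB, packets=PACKETS):
    """Map each packet label to whether the given uRPF mode accepts it."""
    return {label: urpf_accepts(rib, mode, src, ingress) for label, src, ingress in packets}


if __name__ == "__main__":
    for mode in ("loose", "strict", "feasible"):
        print(f"{mode:9s}", evaluate(mode))
```

The feasible-path behaviour is the case to check for on real hardware, since it only helps on interfaces where the alternate path is actually received (it does nothing for traffic from a peer that never announces the prefix anywhere to you). The hard-coded RIB above is the assumption to replace with real data: dumping the received-but-not-best paths per peer from the routers and running the strict and feasible checks over sampled flow records would show how much legitimate traffic each mode would drop before anything is enabled.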



Which of these four books is recommended for gaining a deeper insight into the TCP/IP suite?

I would like to gain a deeper insight into the TCP/IP suite.

I've seen four books recommended. I don't wish to read them all, as they will most likely have overlapping knowledge.

The books are:

  1. Routing TCP/IP, Volume 1
  2. TCP/IP Illustrated, Volume 1: The Protocols
  3. Internetworking with TCP/IP, Volume 1
  4. The TCP/IP Guide (Licensed PDF Version)

Which of these four should I get?

Thank you.



ICX 6610-48P does not route between VLANs

Hi all,

I am transitioning over from Cisco to Brocade, and I am having some confusion. I added my VLANs, added router interfaces to each of them, and added my ports. I am able to ping connected devices from my switch, but am unable to ping the devices from devices in other VLANs, and it doesn't seem to be routing the traffic between them.

Say I have a device in VLAN 1 (192.168.21.2); I can't ping the device in VLAN 2 (200.1.1.2) from that first device, while the switch is able to ping both. I also can't ping any of my router interfaces from 192.168.21.2. How do I get the switch to route between my VLANs? Do I have to enable routing? (I read that all you need is the correct firmware.) My show ip interface shows that all router interfaces are part of default-vrf. Do I have to create a VRF?

Thanks for the help!

show flash:

SSH@ICX6610-48P Router#sh flash
Stack unit 1:
  Compressed Pri Code size = 10545591, Version:08.0.30uT7f3 (FCXR08030u.bin)
  Compressed Sec Code size = 7762230, Version:08.0.30nT7f1 (FCXS08030n.bin)
  Compressed Boot-Monitor Image size = 370695, Version:10.1.00T7f5
  Code Flash Free Space = 46399488

show ip route:

SSH@ICX6610-48P Router#sh ip route
Total number of IP routes: 9
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP  Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
        Destination        Gateway         Port          Cost          Type Uptime
1       10.0.5.0/24        DIRECT          ve 5          0/0           D    58m7s
2       10.0.6.0/24        DIRECT          ve 6          0/0           D    58m7s
3       10.0.8.0/24        DIRECT          ve 8          0/0           D    58m7s
4       10.0.100.0/24      DIRECT          ve 100        0/0           D    58m7s
5       10.0.102.0/24      DIRECT          ve 102        0/0           D    52m31s
6       10.0.103.0/24      DIRECT          ve 103        0/0           D    58m7s
7       10.0.200.0/24      DIRECT          ve 200        0/0           D    58m7s
8       192.168.21.0/24    DIRECT          ve 1          0/0           D    58m7s
9       200.1.1.0/24       DIRECT          ve 2          0/0           D    58m7s

show ip interface:

SSH@ICX6610-48P Router#sh ip int
Interface   IP-Address      OK?  Method  Status  Protocol  VRF
Ve 1        192.168.21.1    YES  NVRAM   up      up        default-vrf
Ve 2        200.1.1.1       YES  NVRAM   up      up        default-vrf
Ve 5        10.0.5.1        YES  NVRAM   up      up        default-vrf
Ve 6        10.0.6.1        YES  NVRAM   up      up        default-vrf
Ve 8        10.0.8.1        YES  NVRAM   up      up        default-vrf
Ve 100      10.0.100.1      YES  NVRAM   up      up        default-vrf
Ve 102      10.0.102.1      YES  manual  up      up        default-vrf
Ve 103      10.0.103.1      YES  NVRAM   up      up        default-vrf
Ve 200      10.0.200.1      YES  NVRAM   up      up        default-vrf

show run:

SSH@ICX6610-48P Router#sh run
Current configuration:
!
ver 08.0.30uT7f3
!
stack unit 1
  module 1 icx6610-48p-poe-port-management-module
  module 2 icx6610-qsfp-10-port-160g-module
  module 3 icx6610-8-port-10g-dual-mode-module
stack disable
!
vlan 1 name DEFAULT-VLAN by port
 router-interface ve 1
!
vlan 2 name SwitchRoutedTraffic by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
 router-interface ve 2
!
vlan 3 name down-stream1 by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 4 name down-stream2 by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 5 name med-trusted-users by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
 router-interface ve 5
!
vlan 6 name low-trust-users by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
 router-interface ve 6
!
vlan 7 name iot-users by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 8 name guest-users by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
 router-interface ve 8
!
vlan 10 name static-external by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 11 name web-proxy by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 12 name external-dc-joined by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 20 name internal-services by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 21 name vdi by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 22 name uag by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 23 name automation by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 60 name 5GDev by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 70 name med-trust-lab by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 71 name lab2 by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 80 name low-trust-lab by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 90 name k8s-cluster by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 100 name management by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
 router-interface ve 100
!
vlan 101 name management-vpn by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 102 name dedicated-management by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47
 untagged ethe 1/1/9 ethe 1/1/21 ethe 1/1/48
 router-interface ve 102
!
vlan 103 name power-control by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
 router-interface ve 103
!
vlan 104 name wifi-control by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 105 by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 200 name data-fabric by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
 router-interface ve 200
!
vlan 201 name user-vpn by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
vlan 248 name vuln-scanner by port
 tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
!
aaa authentication web-server default local
aaa authentication login default local
console timeout 30
enable super-user-password .....
enable aaa console
enable user password-masking
no fast port-span
ip dhcp-client disable
!
no telnet server
username AridDay-local password .....
password-change any
cdp run
fdp run
!
web-management https
web-management frame bottom
web-management page-menu
!
interface ethernet 1/3/1
 speed-duplex 10G-full
!
interface ethernet 1/3/2
 speed-duplex 10G-full
!
interface ethernet 1/3/3
 speed-duplex 10G-full
!
interface ethernet 1/3/4
 speed-duplex 10G-full
!
interface ethernet 1/3/5
 speed-duplex 10G-full
!
interface ethernet 1/3/6
 speed-duplex 10G-full
!
interface ethernet 1/3/7
 speed-duplex 10G-full
!
interface ethernet 1/3/8
 speed-duplex 10G-full
!
interface ve 1
 ip address 192.168.21.1 255.255.255.0
!
interface ve 2
 ip address 200.1.1.1 255.255.255.0
!
interface ve 5
 ip address 10.0.5.1 255.255.255.0
!
interface ve 6
 ip address 10.0.6.1 255.255.255.0
!
interface ve 8
 ip address 10.0.8.1 255.255.255.0
!
interface ve 100
 ip address 10.0.100.1 255.255.255.0
!
interface ve 102
 ip address 10.0.102.1 255.255.255.0
!
interface ve 103
 ip address 10.0.103.1 255.255.255.0
!
interface ve 200
 ip address 10.0.200.1 255.255.255.0
!
lldp run
!
ip ssh timeout 30
ip ssh idle-time 20
!
end


Need Assistance with Cisco SG350X-MP24 - Access Ports

Hello!

I would first like to mention that I am not a network engineer; I am a system administrator, but I have not played with any Cisco device before.

I acquired a Cisco SG350X-MP24 to be used as an IPMI/iLO/iDRAC and PoE switch. So far I have configured 1 VLAN and made it the IP MGMT interface. This VLAN is both the MGMT VLAN for the switch and the VLAN for the IPMI/iLO/iDRAC, thus I only require 1 VLAN for this switch.

What works:

I have created a Trunk port on te1/0/4 and tagged VLAN 11. I have created an IP interface on this VLAN and I am able to reach the switch and I can reach other devices and services from this switch.

What does not work:

I have assigned a couple of interfaces to be access ports on VLAN 11. The endpoints on these ports are not accessible, and I cannot figure out why. I know these endpoints are correctly configured because I have a Juniper EX4200 that I am familiar with, which works after I made an identical configuration for this setup. The only reason I switched is because the EX4200 is too loud.

Configuration:

Trunk Port:

interface TenGigabitEthernet1/0/4
 description "Link from pisw01"
 switchport mode trunk
 switchport trunk allowed vlan 11

VLAN Interface:

interface vlan 11
 name infra_mgmt_11
 ip address 10.1.11.3 255.255.255.0
 sntp client enable

Gateway:

ip default-gateway 10.1.11.1

Access Port:

interface GigabitEthernet1/0/15
 switchport access vlan 11


Overlapping subnet problem

Good afternoon. I am having issues with an assignment for school that asks me to change my topology subnet completely. They give the example 192.168.200.0 and I am going with 192.168.44.0/26. I used the SolarWinds online advanced subnet calculator to make 5 subnet IP ranges for the 5 different sections of my network, but every time I go into a router, for instance, and on gig/8 I input 192.168.44.1, then for the next subnet I do 192.168.44.8/29, it says overlapping address. If I used the calculator, why would it be giving me an overlapping address?

Feel free to message me to explain as well, and I can even jump on Discord, but I cannot find a YouTube video solving my issue.

Here is the response from SolarWinds:

192.168.44.0/26 (255.255.255.192)
(8 subnets)
(6 addresses per subnet)

1st = router
2nd = sales
3rd = engineering
4th = manufacturing
6th = wifi

Subnet              Start Address    End Address      Network Address  Broadcast Address
192.168.44.0/29     192.168.44.1     192.168.44.6     192.168.44.0     192.168.44.7
192.168.44.8/29     192.168.44.9     192.168.44.14    192.168.44.8     192.168.44.15
192.168.44.16/29    192.168.44.17    192.168.44.22    192.168.44.16    192.168.44.23
192.168.44.24/29    192.168.44.25    192.168.44.30    192.168.44.24    192.168.44.31
192.168.44.32/29    192.168.44.33    192.168.44.38    192.168.44.32    192.168.44.39
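Added example (written for this page, not part of the original post): the same calculation the calculator did, using Python's standard ipaddress module, plus the overlap check a router performs when a second interface address is entered. The post does not say which mask was typed on the first interface; the guess that it received the /26 mask (255.255.255.192) rather than /29 is an assumption made here, and the code shows why that particular combination reports an overlap while the /29 masks do not.

```python
import ipaddress

# The block from the post, carved the way the calculator did.
PARENT = ipaddress.ip_network("192.168.44.0/26")


def carve(parent=PARENT, new_prefix=29):
    """Split parent into equal subnets of length new_prefix (here: eight /29s)."""
    return list(parent.subnets(new_prefix=new_prefix))


def overlaps(iface_a: str, iface_b: str) -> bool:
    """True if two interface assignments written as address/prefixlen share any address.

    The mask is what matters: 192.168.44.1/26 covers .0 to .63 and therefore collides
    with every /29 carved from the block, while 192.168.44.1/29 covers only .0 to .7.
    """
    net_a = ipaddress.ip_interface(iface_a).network
    net_b = ipaddress.ip_interface(iface_b).network
    return net_a.overlaps(net_b)


def first_conflict(assignments):
    """Apply assignments in order, like typing them on a router one interface at a time.

    Returns (already_configured, rejected) for the first overlap, or None if all fit.
    """
    accepted = []
    for new in assignments:
        for existing in accepted:
            if overlaps(existing, new):
                return existing, new
        accepted.append(new)
    return None


if __name__ == "__main__":
    for net in carve():
        hosts = list(net.hosts())
        print(f"{net}  usable {hosts[0]} - {hosts[-1]}  broadcast {net.broadcast_address}")
    # Assumed mistake: first interface given the /26 mask instead of /29.
    print(first_conflict(["192.168.44.1/26", "192.168.44.9/29"]))
    # Correct masks on every interface: no conflict.
    print(first_conflict(["192.168.44.1/29", "192.168.44.9/29", "192.168.44.17/29"]))
```

The check in overlaps() is what Cisco IOS reports as "overlaps with" when a second address is configured: it compares the networks implied by each address and mask, not the addresses themselves, so a wrong mask on the first interface shows up as an error on the second.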



Finding a device's IP

Hello! I was wondering if anyone knew of a way to find a device's IP address by directly connecting to its Ethernet port. I have a Mac directly connected to an NVR I'd like to get the IP address from, to do some configuration on it. I was going to try Wireshark, but I believe it requires me to know the subnet that it is on (I don't have that information).
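Added example (written for this page, not from the original post): a small decoder for the Ethernet/ARP frames a directly connected device sends on its own, which is what Wireshark's ARP dissector shows. A capture needs only link on the interface, not an IP configuration that matches the device's subnet, because the device's ARP requests and gratuitous ARPs carry its own address in the sender field. The sample frames, the NVR's MAC, and the 192.168.1.108 address below are constructed for the example.

```python
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip4_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def parse_arp(frame: bytes):
    """Decode an Ethernet II frame carrying ARP for IPv4.

    Returns (sender_mac, sender_ip, target_ip, opcode), or None if the frame is not
    Ethernet/IPv4 ARP or is truncated. Opcode 1 = request, 2 = reply.
    """
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    sender_mac, sender_ip = frame[22:28], frame[28:32]
    target_ip = frame[38:42]  # target MAC (32:38) is not needed here
    return fmt_mac(sender_mac), fmt_ip(sender_ip), fmt_ip(target_ip), opcode


def build_arp(src_mac: bytes, src_ip: str, target_ip: str, opcode: int = 1) -> bytes:
    """Fabricate a broadcast ARP frame; used only to construct the sample capture."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, opcode)
           + src_mac + ip4_bytes(src_ip) + b"\x00" * 6 + ip4_bytes(target_ip))
    return eth + arp


def discover_hosts(frames):
    """Passive discovery: map each MAC seen as an ARP sender to the IPs it claimed.

    ARP probes (RFC 5227) carry sender IP 0.0.0.0 and are skipped: they come from a
    host still checking whether an address is free and reveal nothing about it.
    """
    hosts = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, sender_ip, _target_ip, _opcode = parsed
        if sender_ip != "0.0.0.0":
            hosts.setdefault(mac, set()).add(sender_ip)
    return hosts


# Constructed sample capture (not real traffic); MACs and addresses are invented.
NVR_MAC = bytes.fromhex("001122334455")
LAPTOP_MAC = bytes.fromhex("a0b1c2d3e4f5")
SAMPLE_FRAMES = [
    build_arp(NVR_MAC, "192.168.1.108", "192.168.1.108"),  # gratuitous ARP at link-up
    build_arp(NVR_MAC, "192.168.1.108", "192.168.1.1"),    # NVR looking for its gateway
    build_arp(LAPTOP_MAC, "0.0.0.0", "169.254.12.34"),     # laptop probing a link-local address
    b"\xff" * 6 + LAPTOP_MAC + struct.pack("!H", ETHERTYPE_IPV4) + b"\x00" * 28,  # non-ARP, ignored
]

if __name__ == "__main__":
    for mac, ips in discover_hosts(SAMPLE_FRAMES).items():
        print(mac, sorted(ips))
```

To apply this to a real capture, record ARP only (for example `tcpdump -i <iface> -w nvr.pcap arp` on the Mac, or the display filter `arp` in Wireshark) while the NVR is power-cycled, then read the sender address off the first request or gratuitous ARP it sends; the target address of its requests usually gives the gateway and therefore a hint at the mask as well.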



Career change from construction

I'm thinking of switching my career. Currently I work in construction. Towards the end of the medical jobs I do, I see these dudes with giant bundles of cables, working on their laptops. I started looking into it and, as far as I can tell, they're network managers?

Found a local cc that does a program for it: https://www.waketech.edu/programs-courses/credit/computer-technologies/network-management

Does this program look good? And am I making the right connection between the dudes with the cables and network management?



Can you design a communication protocol without the Data Link Layer?

Can there be a system where we skip the Data Link Layer, either by modifying the current communication protocols or with a whole new system, since what we are using is decades old?

Skipping the DLL may require fewer bits for framing and hence less bandwidth. What advantages and disadvantages could your hypothetical system have?



Downloading problem

So I had a problem with my internet 2 months ago, so we changed the router, and now my downloads are messed up. The old one had no problem with downloads, but with this new one my downloads are always stopping. It always says something like "Network error" or "No internet connection", but I was on Discord in a voice call while downloading and I wasn't disconnected. I discovered that it only happens when downloading through Steam or any browser like OperaGX or Explorer Edge. If somebody knows what the issue is, please help.



Friday, December 3, 2021

PCI compliance in small businesses

I work in the amusement game industry, maintaining all sorts of arcade games, digital jukeboxes, pinballs, etc., and often encounter network deployments at small businesses (bars, diners, etc.) that were obviously put together by someone who has no clue what they are doing:

switches daisy-chained together and hanging by their wires from the ceiling, or left in a heap behind the bar; equipment that they don't even realize is still there, tucked away somewhere and still hooked to the network; open APs, or ones with passwords provided to patrons, hooked to the same equipment their POS is on, etc.

I have recently been hearing more about PCI compliance and only know a small amount, like having to encrypt payment info, protecting PIN pads from physical attack, etc. Since I deal with things like digital jukeboxes that take cash and some online arcade games, I don't mess with POS devices as part of my job, but I do see them at our customers' locations.

My question is this: How much of a security nightmare are situations like I've described above? If you have all of your equipment on one network (including cheap IoT devices), with only the very basic firewall provided by the ISP modem/router, and the network has APs with public access, are people's payments at risk if the business is using compliant readers/terminals for their POS?

I know this is a very common scenario, as so many people take the "I plugged it all in and it works" approach with no understanding of security, or the "my friend/son/brother/dog hooked it up for me" approach.

Should I be worried about using my card at places that likely don't have a professionally managed network?



Issues with ASA passing vpn traffic to next hop

I have an ASA with a vpn tunnel on it. That tunnel has a network object-group in its encryption domain with 14 addresses in it.

Of these 14 destinations, 12 pass traffic onto the directly connected next hop firewall, and 2 do not reach the next hop. I verified routing for each address and they are all the same, and no ACL is blocking the traffic.

I tried deleting and re-adding the two addresses to the object-group.

Any ideas?

I am able to bring up the tunnel using packet-tracer to initiate traffic for those IPs, so the IPs aren't missing from the other side.



Redirecting traffic from one IP to another on Windows 10

Hi, I have an application that connects to a server with IP X.Y.Z.T where X, Y, Z are fixed but T is random. I would like to somehow force the application to use a specific T instead of random one.

One idea I've had was to somehow watch all incoming/outgoing packets and, whenever I see X.Y.Z.A, just replace it with X.Y.Z.T where T is chosen by me. However, I couldn't find a solution for that.

How can I fix the IP/redirect packets/rewrite packets/etc?



Potential Networking shenanigans to protect Sonos

So Sonos does not allow you to password protect your devices. Any device on the network can access the Sonos.

Our environment: Aruba IAPs performing DHCP for Wi-Fi, on top of a SonicWall performing DHCP for the APs and hardline. Yes, I need to overhaul it so we just have one DHCP server, I know. I didn't set it up and it is currently working, so I'll handle it another day once I have fully inventoried my school and can come in on a weekend.

Anyway, my predecessor's resolution to the security of the Sonos was to buy a standalone home Wi-Fi router to connect it to. I want to remove that router. I would like to prevent all devices but one from having access to the Sonos, so I get that this means creating a new, separate SSID on the Aruba controller that uses a different subnet. Is there a way that subnet can access our main Aruba and SonicWall subnets, the ones we use for everything else, but not let the main subnets access the Sonos?

The biggest reason I'm going through this trouble is that my gym teacher who uses this is a vocal luddite, and I want to avoid forcing her to switch networks to AirDrop her photos/print if at all possible.

If anyone has any other ideas that will work I'm all ears.



Decryption appliance deployment without certificate manipulations

Hello guys,

I was looking at NetScout's network monitoring solutions today and saw the decryption appliance description, which is in the screenshot.

https://images2.imgbox.com/49/eb/zSmifKtV_o.png

As you can see, it says there that this appliance can decrypt packets without rearchitecting the network or changing client device configuration. So it's unclear how this device can inspect HTTPS without certificate installation. Can anyone tell me how that is possible?



Anyone else recently moved to Dreyfus model for employees?

We are moving to the Dreyfus model for employee skill ranking and titles. I've heard it's been a mixed bag, with the high pay grades having to be considered expert by contributing to their area through lectures at conferences, making recommendations for changes to RFCs, and otherwise being seen as a leader in the technology community, not just at their employer.

This sounds like some insane ploy to justify not giving out raises and making it incredibly hard to get promoted. It also appears as if those people who were previously considered expert are going to have 1-2 years to prove their skill or get moved down a level, which would result in a mass exodus of tech workers.

I am not a fan thus far, but what do I know, I am simply "competent".



Looking for an application to help map applications through the network.

I am looking for some guidance. Frequently I am asked to mimic or share documentation on how an application traverses our network. I am looking for an application that can do the following:

  1. List servers
  2. List load balancer rules applied to the IP address of the server
  3. List firewall rules applied to it
  4. Group all this information in a way that it can be labeled for future use
  5. Periodically checks to make sure that this is all active
  6. Turns this all into a human readable map that can be shared

I am assuming that this exists but for some reason I am completely drawing a blank. I am just really hoping that it's not something that is going to need to be created from scratch.



I am doing career day for an elementary school and want to get them excited about the possibilities of networking. Can anyone suggest a fun activity that helps them see the fundamentals? 3-5 graders.

I have set up basic labs in the past and let them plug in ports to get a ping to work. They enjoyed that. The last time I did it, the vast majority of student comments were either questions about how to be a hacker, or how Fortnite works. I ran Wireshark to let them see their ICMP packets get across the network when they got it cabled correctly. Just wondering if anyone else had any fun labs to show the students.



RJ45 device that can serve as an IP host and respond to pings sent to it

Hi,

I have no idea if anything like this exists, but the use case I have is end-to-end testing in my lab, in the hope of not having to have a separate host connected to a network interface that I want to be able to ping. I understand that it would need to have the ability to have the IP information configured on it beforehand. Has anyone heard of such a device, or something that could fill the same purpose?



Python for Network Engineers free course starts next Tuesday (Dec 7th)

Periodically we run a free Python for Network Engineers Course.
The sign-up page is here:

https://pynet.twb-tech.com/free-python-course.html

The course covers Python fundamentals from a network engineer's perspective.

So it covers Python basics using examples and exercises that would generally be familiar to a network engineer. It is definitely a beginners course and doesn't assume any existing Python knowledge.

Towards the end of the course I transition into applying Python to Network Engineering (Netmiko and Jinja2). This is definitely a minor part of the course, however, relative to the Python fundamentals content.
The course weekly syllabus is as follows:

  • Week1 - Why Python, the Python Interpreter Shell, and Strings
  • Week2 - Numbers, Files, Lists, and Linters
  • Week3 - Conditionals and Loops
  • Week4 - Dictionaries, Exceptions, and Regular Expressions
  • Week5 - Functions and the Python Debugger
  • Week6 - Netmiko Basics
  • Week7 - Jinja2 Basics, Introduction to YAML and JSON, Complex Data Structures
  • Week8 - Libraries, Package Installation, and Virtual Environments

The course is an online course so the lessons are delivered via email and consist of videos, exercises, and additional content.

The course format is a lesson a week for eight weeks. The lessons come out every Tuesday morning (U.S. Pacific time).

A bit about myself: I am the creator and maintainer of the Python Netmiko library and also do some amount of work on both the NAPALM and Nornir projects. I am a long-time network engineer and have been into network automation for several years now.

Let me know if you have any questions.

Regards, Kirk



How to create an Ethernet 'bridge' on Cisco IOS XR (ASR 9000)?

I have googled for this, but all the examples I have found were for more complex things than what I need. The examples had things like L2VPN, VPLS, MPLS etc.

But what I need is simply to bridge two ports on one ASR. Pass a couple of VLANs between two interfaces.



N5K-5672UP NetFlow Performance

Hello,

I want to enable NetFlow on an N5K-5672UP and send it to my NetFlow analyzer to detect DDoS attacks, but before that, I want to know whether that switch has built-in chipset or ASIC support for NetFlow or not.
If I enable NetFlow during high-volume DDoS attacks, will it affect the switch CPU performance, or does the N5K-5672UP do NetFlow in hardware?

Thank you.



Same subnet for HQ and DR site connected via dedicated L2 1Gbps E-Lan?

We have a dedicated 1Gbps L2 low-latency connection between HQ and our DR site, in addition to our 1Gbps Internet connections at each site. I plan to mirror HQ in DR with another SAN flash array synchronously replicating and another 3-node Hyper-V cluster. The part I am not so sure about is networking. We have about 20 virtual machines and growing, many with static IPs, and I need the failover to be as seamless as possible. I imagine it would be best to have the DR site on the same subnet as HQ, just like another office in the same building, but what about the firewall at the DR site and all our VPN tunnels from other sites? It gets a little confusing. Would I just establish those tunnels from both HQ and DR to all our other sites in advance, so if HQ goes down they can reach our servers via the DR VPN tunnel? Any guidance on a best practice would be greatly appreciated.



For those that have pivoted to security ...

How hard did you find it to pivot towards security ?

I think I'm at the end of my network journey. I seem mentally checked out for the most part on the network side and probably need to hit something new and get some younger blood in my space. I've thought about management, but I detest the management I have to deal with and would hate to become a copy of these drones. New projects do nothing for me, as they're just part of the daily grind.

Any books, Udemy vids, learning platforms or tips that you would like to recommend?

I'm getting up there in age, but I don't think my age is that much of a barrier for me as of yet.

For context

CCNP/CCDP.

RHCE in a former life

Good ansible/git/api automation skills

Good AWS and Terraform skills

Okay-ish at Python.



Thursday, December 2, 2021

Small Office Networking Setup

Hi everyone,

A bit of background - I am expanding a small business into an office for about 20-25 stations. Currently we only have a small office for 5.

In the new office we have a pretty basic network setup: 2 Cat5e cables are run to each cubicle, one for the PC, one for the VoIP desk phone. The server cabinet is only going to have the modem and switches in it, just to get everyone hardwired to the internet. No actual server.

I will be using Office 365 and Microsoft Exchange with my domain for all of my employees emails and Microsoft Office subscriptions and I plan on using SharePoint to share files as it seems simple. (Been using this with our small team and it seems easy enough to scale up).

One of the challenges I'm facing might seem funny, but user accounts on the computers are making me scratch my head a bit. You see, I plan on setting up the 20 computer stations myself this weekend, and I wanted to configure these PCs for my unknown future employees to have pre-installed programs like Chrome, Office, etc., as well as some customization like bookmarks in the browser, the desktop background set to my company logo, and some helpful files like checklists, guides, and common forms for newer employees to get a better grasp of things. After digging around, it looks like Azure has something to do with the solution to my problem, but what if I don't have the user for the PC yet? I don't know who is going to be at which PC, and when setting up Windows I'm not sure if I should set it up as a personal computer first and make some kind of generic admin account, and follow up with creating a user later when I hire an employee.

Also, it would be cool to have people sign in like you would on an enterprise system, like at schools etc., but I'm assuming you'd need a server for that. I have a cloud server for my sales team's dialing system, but I'd imagine it would be too much of a mess to try and incorporate the user accounts and storage. I don't think getting a server would be too beneficial for me, especially in regards to storage. Each PC has a 256GB SSD and we will only have small documents saved on each one, with no heavy programs installed.

You tell me: Am I better off setting up an on-site server? How much would that cost to add to my server cabinet?

I feel like I’m hitting the nail on the head with Azure but don’t know where to start.

If someone could point me in the right direction that would be very helpful and greatly appreciated.



Intervlan ospf?

Hey guys, I'm completely stumped. I'm doing some labbing and just can't seem to make this work. I have a layer 3 switch connected to a router and just can't get them to form an OSPF adjacency. Any advice will be very much appreciated. Is routing using an int vlan even possible?

Switch

vlan 51
 name test
!
interface vlan 51
 ip address 10.10.51.1 255.255.255.240
 no shutdown
!
router ospf 456
 network 10.10.51.0 0.0.0.15 area 51
 default-information originate
!
interface g0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 51

Also tried

interface g0/0
 no switchport

Router

interface g0/0.51
 encapsulation dot1q 51
 ip address 10.10.51.2 255.255.255.240
!
interface g0/0
 no shutdown
!
router ospf 456
 router-id 50.1.1.2
 network 10.10.51.0 0.0.0.15 area 51

I'm not sure if this is doable. I've also read something about Ethernet virtual circuits (EVC); could that help me?



Similar to Juniper Commit Command?

Are there any other network operating systems, other than Juniper's Junos, that support commit and commit rollback type commands? We find these invaluable for remotely configuring networks.



Basic question about full duplex.

Given the problem: computer A and computer B are communicating with C at the same time.
C is full duplex. Will this cause a collision?

If you try researching what "full duplex" is, you'd just get a bunch of explanations that say a full duplex device can both send and receive at the same time. It says nothing about receiving from and sending to multiple devices at the same time.



Current lead times

Hi all,

We are taking part in a tender where we have to supply network switches. I'm wondering about lead times.

I've read a few other lead time threads dating back a month and more this year. Is it still that bad?

What experience do you have regarding recent lead times for these manufacturers?
  • Cisco
  • Juniper
  • Alcatel
  • Aruba

Excuse me, I posted this from mobile.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



"Wan port is unplugged" but it's not, can someone help?

I'm getting this error and I can't figure out how to fix it.



Receiving default route from other hub site

I have two hub sites, Hub A and Hub B. On one of the spoke sites, I am expecting the default route from B, but I am seeing it from A. What is the basic thing to check? Please advise.



VRRP

Hi,

I need your help with some VRRP tech. Today a problem came up for me. Some user phones didn't get an IP from DHCP. After I checked the switch ARP table, I saw the phone VLAN gateway on the port where VRRP is in backup status. After refreshing the ARP, the phones got IPs.

My question is: if a packet is sent to the port where VRRP is in the backup state, does the router drop the incoming packet?

TYVM.



Auto-configuration appliance - are there any out there

I'm in the market for an auto-configuration appliance - something I can plug into the console and mgmt eth of a device, and have it connect to the device and do assorted initial configuration tasks (firmware upgrades, config application, testing that the config is working as intended).

Standard DHCP based ZTP would be lovely to be able to use, but a bunch of our kit has poor/uneven implementation, or annoying limitations (e.g. it'll take config, but won't do firmware upgrades).

If necessary I'll build something myself, but if I can throw (not absurd amounts of) money at someone and make the problem go away, that'd be great.

Is anyone aware of such a beast?



Okta Access Gateway

Anyone deployed this solution? OAG seems to be like a reverse proxy that does authentication proxying.

It is being marketed as a Zero Trust VPN-less solution for internal applications. But it seems like it's making the internal application public facing and relying on authentication as security. Or maybe OAG is the only thing that is public facing and the user won't be able to access the application at all until OAG has authenticated the user.

True that the user no longer needs a VPN to access the internal app, but making an internal application publicly accessible and relying on authentication seems wrong to me.

There are other solutions like Zscaler Private Access and Azure App Proxy that do something similar without making the application publicly accessible.

Thoughts?



OpenGear console server console cabling question

I've found some opengear equipment that I'm interested in purchasing. The datasheet for the model I'm looking at lists the ports as Cisco straight. Can I use just normal cat6 cables to connect from the console server to the consoles on the devices, or do I need to use roll-over cables? Distance between the devices and the console server is about 15 ft.

The model has a cellular option. I'm thinking of using that to VPN back into a server at our main office site as a means of OOB access if the main network goes down.



Any Versa SDWAN engineers around? VLAN I created is not working

We're using a Versa SDWAN which is co-managed with a provider. Trying not to get the provider involved. I'm creating a VLAN, however I can't reach that VLAN from a switch hooked directly up to the Versa box. I created a sub-interface using VLAN 2. I did notice when I'm in the command line that show interfaces brief shows the interface I created with a tenant tag of 0, while the other interfaces have a tenant tag of 2. I'm a little confused what a tenant tag would mean exactly, since I would think the whole configuration would be under our tenant. As usual when all else looks correct, start comparing what is different from items I know are working. lol

Any helpful insight would be greatly appreciated. thanks



Ruckus Switches and Licensing

Hello,

I am having some confusion with how the licensing for Ruckus switches works in regards to SFP/SFP+. We are planning an upgrade to Ruckus ICX-7150 switches with a 10Gig backplane. Do any of the hardware switches come with the 10 GIG licenses? If so, which ones?

These are the switches we are looking at purchasing:

ICX7150-48ZP - Qty: 17

ICX7150-24P - Qty: 5

ICX7150-48P - Qty: 9

ICX7150-C10ZP - Qty: 1

I don't know if I am correct in my thinking, but in this case we would need to get 15 upgrade licenses to enable SFP+ 10 Gig capabilities (48ZP Coming with it already?)?

Sorry if this is a dumb question... Thanks in advance.



Linux-based Terminal Server for network gear.

I'm planning a DIY terminal server for console access to our mix of network devices. I'm thinking of purchasing a couple of 32-port PCIe cards from Pepperl+Fuchs (COMTROL) and using a tiny server with Ubuntu for remote access and to experiment with provisioning automation. Would this be a better option than purchasing a Cisco Terminal Services gateway C1100TG-1N32A? I can repurpose some old servers for that function. Unfortunately budget is always a concern, so I can't just ask to buy expensive gear unless absolutely necessary. Any suggestions?

https://comtrol.com/products/rocketport-multi-port-serial-cards/rocketport-express



Cisco NCS 6008

I have a bunch of Cisco NCS6008 systems with NC6-10X100G-M-K cards. If anyone is interested in them DM me.



AWS inter-VPC routing quirks over peering connection and possible ways to bypass it

Hey all!

So I'm aware of the limitation in routing between two peered VPCs, where basically only one hop is allowed (AWS will not reference a route table in a destination VPC once the packet has traversed a peering link).

I'm attempting to build a Palo Alto VM in an AWS account that is peered with about 20 other accounts, each with a single VPC. This Palo will be used basically as a remote access VPN server. Due to the peering routing limitations, remote access VPN users are unable to reach resources in accounts outside of the account where the Palo resides. The traffic from VPN users reaches the remote resource, but return traffic is unsuccessful due to the route limitation.

I believe the typical solution to this is to switch from peering to transit gateway, but I was curious if there was a way to get around this using NAT on the Palo (or some other way). We plan to switch over to transit gateways for inter-VPC traffic in 2022 or 2023, but I was hoping I could design a stop gap solution that would allow VPN users to reach resources in other VPCs until that time.

Any information or suggestions greatly appreciated!



Block data exfiltration from virtual machines?

With company managed Windows devices, you can manage data loss by using locally installed DLP software.

However, what if a user needs to work with a Linux virtual machine using their Windows box as the host (WSL2 etc.)?
What can be done at the host workstation level and at the network level to detect any virtual machines being used to move sensitive information to unauthorized locations?

What about SSH, SCP etc.?



Wednesday, December 1, 2021

Sanity Check: Aruba CX6400 IEEE1588

Hey everyone,

Just checking if anyone can confirm if the Aruba CX6400 switch supports IEEE1588 Precision time protocol? I can see the 6300f/m series does but I was thinking "surely the 6400 series does" yet cannot see it in the 6400 data sheet.

Really hoping the 6400 series does, because it's perfect for what I need!



Any TZDIST RFC7808 public service?

I'm working on a DIY synchronized clock project, and looking for a service for sourcing timezone information.
I see RFC7808 exists since 2016, but I can't see any public service or open source server software.
https://www.rfc-editor.org/rfc/rfc7808.html



Question: I had port 22 open to the world by accident for 3-4 months. How likely do I have a hitchhiker in my network now?

Pretty much the title.

The device I use that had the port open is a Bobcat miner that uses a Rockchip PX30. The port was actually forwarded as well. The SSH login is not public knowledge and is only known by Bobcat support.

Knowing this, is it possible for someone to SSH into the rest of my network while not knowing the device SSH login?

The reason I ask is because I tried to set up a PowerShell SMTP command and Microsoft straight up told me my IP is blacklisted. Going to https://check.spamhaus.org/ it looks like it's reporting HELO values that a device from my network is trying to reach. Having a hard time tracking down what's causing it.

Sorry if this is a stupid question, I'm not a network guy.

Edit: Spamhaus results

The most recent detection was on: December 1 2021, 23:30:00 UTC (+/- 5 minutes). The observed HELO values were f7t5ntu.giss.fr, k1kj.webacademy.com, pavuqt.adorebrides.co.uk, qwwg.leeandmorgan.com, xi7w.hotelzanzibar.com, jrhv3j.imex.ee, 5byonp5.themessinagroup.net, t5fkt.ericcrosson.com, tlyo8.izmirinvisalign.com, lew2.farmacom.med.br, rrfeq.promind.it, gwo7at.usd396.net.
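One way to start tracking down which internal host is responsible, as an added example that is not part of the post above: a direct-to-MX spam bot shows up in perimeter logs as one internal address opening TCP/25 connections to many different external mail servers, while a normal workstation either sends nothing on port 25 or talks to a single provider on 587. The script below parses constructed firewall log lines (the format, the 192.168.1.0/24 LAN and all addresses are assumptions; external addresses come from the RFC 5737 documentation ranges), counts distinct external port-25 peers per internal source, and separately lists allowed inbound SSH connections to internal hosts so they can be correlated with the Spamhaus detection window. This is example code, not Spamhaus or Bobcat tooling.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple

# Assumed home LAN; adjust to the real internal range.
LAN = IPv4Network("192.168.1.0/24")

# Constructed sample log (not taken from the post). One line per connection attempt
# in a simple key=value format that many firewalls and flow exporters can produce.
SAMPLE_LOG = """\
2021-12-01T23:27:40Z src=192.168.1.23 dst=198.51.100.7 proto=tcp dport=25 action=allow
2021-12-01T23:27:41Z src=192.168.1.23 dst=203.0.113.14 proto=tcp dport=25 action=allow
2021-12-01T23:27:43Z src=192.168.1.23 dst=203.0.113.90 proto=tcp dport=25 action=allow
2021-12-01T23:27:45Z src=192.168.1.23 dst=198.51.100.33 proto=tcp dport=25 action=deny
2021-12-01T23:28:02Z src=192.168.1.50 dst=198.51.100.7 proto=tcp dport=443 action=allow
2021-12-01T23:28:10Z src=192.168.1.50 dst=203.0.113.200 proto=tcp dport=587 action=allow
2021-12-01T23:29:00Z src=203.0.113.77 dst=192.168.1.23 proto=tcp dport=22 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_log(text: str) -> List[dict]:
    """Turn the key=value lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def is_internal(ip: str) -> bool:
    return IPv4Address(ip) in LAN


def direct_smtp_talkers(records: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Internal hosts that contacted at least `threshold` distinct external hosts on TCP/25.

    Denied attempts count too: the attempt itself is the signal, not its success.
    """
    peers = defaultdict(set)
    for r in records:
        if (r["proto"] == "tcp" and r["dport"] == 25
                and is_internal(r["src"]) and not is_internal(r["dst"])):
            peers[r["src"]].add(r["dst"])
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


def inbound_ssh(records: List[dict]) -> List[Tuple[str, str]]:
    """Allowed SSH connections from outside the LAN to an internal host (src, dst)."""
    return [
        (r["src"], r["dst"]) for r in records
        if r["dport"] == 22 and r["action"] == "allow"
        and not is_internal(r["src"]) and is_internal(r["dst"])
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("hosts talking SMTP directly to many servers:", direct_smtp_talkers(recs))
    print("inbound SSH sessions from the internet:", inbound_ssh(recs))
```

Run against real logs, the host that appears in the first list is the one to take off the network and rebuild; the second list tells you whether the forwarded port was actually being used from outside during the window Spamhaus reported.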



QSFP Question

I have used SFP and SFP+ for a long time but I have not used QSFP really. I have a Juniper EX4600 that has 4 QSFP+ ports. I have seen references online that you can use a duplex single mode fiber and run 40gig over two fibers. Is that correct? If so how does that work? Does each fiber transmit on two separate wavelengths like 1270 & 1330?



Unifi-like auto IP discovery on layer 2 network (IPAM)?

I'm managing a small business network, think about ~80 connected end hosts both wired and wireless. Currently using the Unifi controller software as the DHCP server (with a Unifi router) but we're planning to eventually move away from Unifi, probably more enterprise grade or opensource router/firewall like OPNsense/PFsense.

I really love how I can have someone plug any device in or connect to the APs and 20 seconds later have its DHCP-assigned IP address and its uptime on a nice GUI. I also like that I can assign static mappings to said IPs and basically make them "static" forever from the Unifi GUI, rather than through every single device individually, making IPAM a breeze. It just makes my life that much easier, but I'm locked into the Unifi ecosystem to get it.

What is the best cross-platform, non-Unifi way to achieve something similar? Can be through command line too, but just need some advice as I've become used to this way of doing it through Unifi GUI. Bonus points if it supports DHCPv6 as well (Unifi does, but doesn't do static mapping like it does for IPv4 and it doesn't list the IPv6 addresses in the GUI either).

Thanks!



What is the proper way to trace a passive POE cable?

I install whole home wifi systems for a living. Been doing it for a while and I'm always looking for improvement.

We install wired APs, which usually requires cable tracing. Most clients' homes have uncrimped CAT cables that are dead on either side. This is easy to map out and I generally just use my FLUKE CIQ-100 CableIQ Tester on the data jack, and my Intellitone to find the cable in their low voltage panel.

On occasion the clients have passive POE injectors (via a switch, or other power supply). I get the "high-voltage disconnect" message. I do, and either shut off the switch, or tone out a few of the CAT wires that have no power running to them.

What is the proper way to tone out passive POE cables? Does the MicroScanner2 from FLUKE allow you to tone out POE cables?



Cisco NCS 5500 and HSRP

Hi,

I'm deploying NCS 55A2 pairs in my network and am having issues with HSRP. Running IOS-XR 6.6.3. The HSRP VIP is pingable upstream from the NCS boxes but not downstream on 802.1q subinterfaces. HSRP and ARP tables on downstream devices look good but you cannot use the HSRP address as a gateway. Addresses on subinterfaces work as advertised.

Have any of you guys had issues with HSRP not working correctly on NCS? Thanks in advance.

router hsrp
 interface TenGigE0/0/0/23.4000
  address-family ipv4
   hsrp 4000
    timers 1 3
    preempt delay 300
    priority 110
    address x.x.x.41
   !
  !
 !
!

Addresses on subinterfaces are .42 and .43.

IPv4 Groups:
  P indicates configured to preempt.
  |
  Interface        Grp   Pri P State   Active addr  Standby addr  Group addr
  Te0/0/0/23.4000  4000  110 P Active  local        xx.xx.xx.43   xx.xx.xx.41


Cisco IOU images in lab or a proper image?

Hi, I'm about to build an SD-WAN lab at my work and have all the right things in place for it, along with the VM running Ubuntu 64-bit etc. I'll be using EVE-NG Pro too. The only extra thing I'll be needing are some generic L2 and L3 switch/router images. I have 2 ideas in mind: either download an appropriate image off Cisco's download page (I have pretty much full access to download whatever I want) or use IOU images for the L2 and L3 "generic" devices I'll need.

So I guess my 2 questions are:

If anybody could recommend a good image to download off Cisco's site for L2 and L3 that fit that purpose, then please do.

Or, use one of Cisco's IOU images, which would probably be less resource heavy as well. The only issue is I've not been able to find out how to get hold of these. I can see on EVE-NG's site that they recommend 4 different types of these images. Could I download these off Cisco's site too? Because I haven't been able to find these anywhere on there; if not, then where would be my best bet?

Thanks



iPerf CWND

Hi,

I am working on Linux hosts and iPerf3. I like how iPerf3 shows retransmissions. I am trying to increase my Cwnd, and every time I set bandwidth it never goes above 500 KBytes?

[centos]# iperf3 -c 10.196.250.14 -w 30m
Connecting to host 10.196.250.14, port 5201
[  4] local 10.198.70.254 port 39240 connected to 10.196.250.14 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec   150 MBytes  1.26 Gbits/sec  140    434 KBytes
[  4]   1.00-2.00   sec   114 MBytes   954 Mbits/sec    0    589 KBytes
[  4]   2.00-3.00   sec   112 MBytes   944 Mbits/sec    0    711 KBytes

I have tuned TCP as well ?



Cisco Equivalent Command to Huawei

Dears, does anybody know the equivalent command to create a read-write community on a Huawei router? I tried

    [ ]snmp-agent Community read community_name

but it won't allow me to write the same name in another command for write. Cisco command:

    ( )# snmp-server Community Community_name RW



First-time QOS configuration in a Cisco environment

I was wondering if I could get some help with a basic Cisco QOS configuration.

We're getting close to implementing a new VOIP solution on our network and I need to get everything configured. This is a cloud-based VOIP system so everything will be going out our ASA to the internet.

The vendor provided this for me to work off of so if I could get some pointers on where to look or a starting place I would appreciate it.

Information provided from vendor:

- Confirm QoS (Quality of Service) is configured on all the Routers

- Confirm LAN is honoring and prioritizing DSCP 26 for SIP at Layer 3

- Confirm LAN is honoring and prioritizing DSCP 46 for SIP at Layer 3

- Confirm LAN is honoring and prioritizing COS of 5 at Layer 2

There's some additional steps provided as well but this is where I need to start with everything.

Our firewall is a ASA 5516 and our core switch is doing all the layer 3 work, it's a 4500X.

I have a pretty good understanding of networking but QOS is one of those things I've never messed with. Anyone have some sample configs I can look over or some good websites outside of Cisco to get me started?

Thanks



Can one machine address non-overlapping subnets?

Sorry for this noobish question, mods please let me know if this is inappropriate. Suppose I have two different subnets where all the machines involved have static IPs defined within each machine (i.e. not as reservations in a DHCP server). Devices on both subnets are physically connected to a single unmanaged switch.

Subnet A: 192.168.0.x, 255.255.255.0

Subnet B: 192.168.1.x, 255.255.255.0

Now suppose I have an isolated workstation, call it workstation C, which I want to use to be able to monitor devices on either subnet, but still keep the subnets separate. Could I achieve this by simply connecting workstation C to the switch and assigning it a static IP of 192.168.x.x with subnet mask 255.255.0.0?

Suppose I pinged a device on either subnet A or subnet B from workstation C. Intuitively, workstation C should be able to send a ping out on either subnet, since either subnet falls within workstation C's addressable range. However, I don't think devices on either subnet would be able to reply unless workstation C had either a 192.168.0.x (subnet A would be able to reply) or 192.168.1.x address (subnet B would be able to reply). I understand the best-practice for subnetting is to avoid overlapping subnets and set up routes between these subnets, but is my predicted behavior correct?
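A small model of the exchange described in the question, as an added example that is not part of the original post: each host decides whether a destination is on-link purely from its own address and mask, and with only an unmanaged switch and no router present, a reply can only come back if the replying host also sees the requester's source address as on-link. The addresses (192.168.0.50, 192.168.1.50 and the various addresses for workstation C) are constructed for illustration. The example goes a little beyond the question by also modelling C with one address on each /24 instead of a single /16, which is the common way to reach both subnets from one NIC while leaving the subnets separate.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Optional


@dataclass
class Host:
    """A host on the flat switch: one or more addresses on its NIC, no router anywhere."""
    name: str
    addrs: List[IPv4Interface]

    def on_link(self, dst: IPv4Address) -> bool:
        # A host ARPs for dst directly only if dst falls inside one of its own subnets.
        return any(dst in a.network for a in self.addrs)

    def source_for(self, dst: IPv4Address) -> Optional[IPv4Address]:
        # The source address used towards dst is the one on the matching subnet.
        for a in self.addrs:
            if dst in a.network:
                return a.ip
        return None


def ping(src: Host, dst: Host) -> dict:
    """Model one ICMP echo on a single unmanaged switch with no router present."""
    target = next((a.ip for a in dst.addrs if src.on_link(a.ip)), None)
    if target is None:
        # src considers none of dst's addresses on-link and has no router: request never leaves
        return {"request_sent": False, "reply_received": False}
    s = src.source_for(target)
    # dst must reply to s; without a router it can only do so if s is on-link for dst.
    return {"request_sent": True, "reply_received": dst.on_link(s),
            "src": str(s), "dst": str(target)}


def subnet_scenarios() -> Dict[str, bool]:
    a = Host("A", [IPv4Interface("192.168.0.50/24")])          # subnet A device
    b = Host("B", [IPv4Interface("192.168.1.50/24")])          # subnet B device
    c_wide = Host("C", [IPv4Interface("192.168.7.10/16")])     # the /16 idea from the question
    c_wide_in_a = Host("C", [IPv4Interface("192.168.0.10/16")])  # /16 but numbered inside A
    c_dual = Host("C", [IPv4Interface("192.168.0.10/24"),      # one address per subnet
                        IPv4Interface("192.168.1.10/24")])
    return {
        "A can reach B":                 ping(a, b)["request_sent"],
        "C 192.168.7.10/16 -> A reply":  ping(c_wide, a)["reply_received"],
        "C 192.168.7.10/16 -> B reply":  ping(c_wide, b)["reply_received"],
        "C 192.168.0.10/16 -> A reply":  ping(c_wide_in_a, a)["reply_received"],
        "C 192.168.0.10/16 -> B reply":  ping(c_wide_in_a, b)["reply_received"],
        "C dual /24 -> A reply":         ping(c_dual, a)["reply_received"],
        "C dual /24 -> B reply":         ping(c_dual, b)["reply_received"],
    }


if __name__ == "__main__":
    for case, ok in subnet_scenarios().items():
        print(f"{case:32s} {'yes' if ok else 'no'}")
```

The model confirms the prediction in the question: with a /16, C's echo requests go out, but A and B only answer when C's source address happens to fall inside their own /24, and A and B still cannot see each other.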



MPLS as a Customer

An engineer that left the company ordered an MPLS circuit from a well known ISP to replace an existing P2P link. I've never used MPLS as a customer and while I could speculate as to why he ordered the circuit, I need to figure out the best way to use it. I wish I had another network engineer at my company or a mentor to ask, but since I don't, I'm coming here 😄. Perhaps this is a dumb question, but what is the best way to use an MPLS circuit to replace a P2P circuit? Should I update our VPN tunnel to use the new non-private addresses? Or make some kind of VPN tunnel on the routers so that my same private IP addresses are what the firewalls see? Or something else entirely? Any resources or answers provided are greatly appreciated.



Difference between Panduit OM3 fiber-optic patch cords with Standard IL vs Optimized IL?

I am looking to order a boatload of fiber-optic patch cords with end of the year money to refill our data center's new-in-package patch cords. Last year we purchased some Panduit push-pull style fiber-optic patch cords and they are an Optimized IL style. I went to order this year and, following their pattern, I noticed they offer a Standard IL, Optimized IL, or Ultra IL/Straight Through option when selecting the performance/construction of the fiber-optic patch cable. I have no idea what this means. Could someone explain like I am five?

This is the part number configurator I am looking at: https://www.panduit.com/content/dam/panduit/en/products/media/3/03/203/6203/100366203.pdf



Sanity Check - Dual datacenter, 2 cores in each, dozen branches. BGP Best Design Practice

As the title says, consider two datacenters. Call them US Central and Europe West, Each regional location has two routers. Actually PA firewalls, but for this purpose consider them routers. Need cross connectivity, and of course access to branches.

I am thinking each DC has an AS, and in each datacenter both routers have iBGP with their peer. Between the datacenters each core is full mesh with the other two via eBGP, with route-maps and prefix-lists to control exchanges. The branches utilize communities to reach their respective regions. Is this still a sane way to accomplish this, or is there something else I should be considering?



Do APs defeat the object of DAI?

I am in the process of planning an implementation of DHCP Snooping and Dynamic ARP Inspection. The network is using Ubiquiti APs with Cat 2960X switches.

The AP ports are configured as trunks with the necessary VLANs tagged. However, there will be a few locations where roaming will push you onto a new access switch as you enter a new block. My thinking to combat this is to 'trust' the AP ports so DAI doesn't go mental when someone switches switch.

However, doesn’t that defeat the object of DAI in the first place? Now an attacker can “connect” to the WiFi and start an ARP poisoning attack, and I’m allowing it!!

Is there any other way around this? Like access switches being able to share their DHCP Snooping bindings?

Originally posted on r/Cisco but thought it might get a more traction here with other vendors involved.
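To make the trade-off in the question concrete, here is an added example (not code from the post, and not a Cisco or Ubiquiti feature) that models DHCP snooping bindings and DAI decisions on two access switches. Every switch name, port name, MAC and IP address below is constructed. It shows three things: the roamed client's ARP is dropped on the second switch because its binding was learned on the first; trusting the AP port makes the drop go away but also lets a spoofed ARP through unchecked; and the "share the snooping bindings" idea from the question keeps the legitimate client working while still dropping the spoof. The model checks only the sender MAC/IP/VLAN tuple; real DAI implementations may apply additional checks.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: the MAC/IP/VLAN tuple a DHCP ACK handed out."""
    mac: str
    ip: str
    vlan: int


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    vlan: int
    sender_mac: str
    sender_ip: str


class Switch:
    """Minimal model of an access switch running DHCP snooping and DAI."""

    def __init__(self, name: str, trusted_ports: Iterable[str] = ()):
        self.name = name
        self.trusted = set(trusted_ports)
        self.bindings: Set[Binding] = set()

    def learn_dhcp_ack(self, mac: str, ip: str, vlan: int) -> None:
        # DHCP snooping populates the binding table from ACKs seen on this switch only.
        self.bindings.add(Binding(mac, ip, vlan))

    def inspect(self, pkt: ArpPacket, shared: Set[Binding] = frozenset()) -> str:
        """Return the DAI verdict for an ARP packet arriving on ingress_port."""
        if pkt.ingress_port in self.trusted:
            # Trusted ports bypass inspection entirely: nothing is validated.
            return "forward:trusted-port-not-inspected"
        claimed = Binding(pkt.sender_mac, pkt.sender_ip, pkt.vlan)
        if claimed in self.bindings or claimed in shared:
            return "forward:binding-match"
        return "drop:no-binding"


def merged_bindings(switches: Iterable[Switch]) -> Set[Binding]:
    """The 'shared bindings' idea: union of every access switch's snooping table."""
    out: Set[Binding] = set()
    for sw in switches:
        out |= sw.bindings
    return out


def dai_scenarios() -> Dict[str, str]:
    ap_port = "Gi1/0/1"                       # constructed: the AP trunk port on each switch
    sw1 = Switch("block-A-2960X")             # where the client first got its lease
    sw2_untrusted = Switch("block-B-2960X")
    sw2_trusted = Switch("block-B-2960X", trusted_ports=[ap_port])

    sw1.learn_dhcp_ack("00:11:22:33:44:55", "10.20.0.42", 20)   # constructed client lease

    legit = ArpPacket(ap_port, 20, "00:11:22:33:44:55", "10.20.0.42")
    # A host with no lease answering for the gateway address: exactly what DAI exists to stop.
    spoof = ArpPacket(ap_port, 20, "de:ad:be:ef:00:01", "10.20.0.1")

    shared = merged_bindings([sw1, sw2_untrusted])
    return {
        "home switch, legit ARP": sw1.inspect(legit),
        "roamed, AP port untrusted, legit ARP": sw2_untrusted.inspect(legit),
        "roamed, AP port trusted, legit ARP": sw2_trusted.inspect(legit),
        "roamed, AP port trusted, spoofed ARP": sw2_trusted.inspect(spoof),
        "roamed, untrusted + shared bindings, legit ARP": sw2_untrusted.inspect(legit, shared),
        "roamed, untrusted + shared bindings, spoofed ARP": sw2_untrusted.inspect(spoof, shared),
    }


if __name__ == "__main__":
    for case, verdict in dai_scenarios().items():
        print(f"{case:50s} {verdict}")
```

The two "trusted" rows are the point of the question: once the AP port is trusted, the switch has no opinion about any ARP that arrives on it, legitimate or not, so protection for wireless clients has to come from somewhere else (the AP or controller, or a binding source the roamed-to switch can consult).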



Best practices for installing large scale wireless connection

Hi there,

The company that I work for is facing some issues regarding wireless connectivity; the main problems now are:

  • Wireless interference
  • Network jamming

The wireless interference is happening because there are many routers in the company, and I think all the wifi radios are working on the same channel (with different SSID names), so what could be the best practice for this type of issue?

Network jamming, it's happening because the Head office is located near a presidential place, and most probably they have network jammers. I don't know if we can avoid this, but if there were any suggestions, please tell me.

Thanks in advance!



Juniper l2circuit ccc

I have been wrestling with an issue for a bit now that has left me perplexed.

I am trying to get a pseudowire built for transporting traffic between two sites (two Cisco 3750G MLS peering with OSPF) across my provider network and I can't seem to get it to function.

root@SPCORE01# show | display set
set version 12.3X48-D105.4
set security forwarding-options family mpls mode packet-based
set interfaces ge-0/0/6 description TXP-0001
set interfaces ge-0/0/6 encapsulation ethernet-ccc
set interfaces ge-0/0/6 unit 0 family ccc
set interfaces ge-0/0/14 description "*To SPCORE02 ge-0/0/14"
set interfaces ge-0/0/14 flexible-vlan-tagging
set interfaces ge-0/0/14 native-vlan-id 1
set interfaces ge-0/0/14 mtu 2020
set interfaces ge-0/0/14 unit 0 vlan-id 1
set interfaces ge-0/0/14 unit 0 family inet address 172.24.0.5/30
set interfaces ge-0/0/14 unit 0 family iso
set interfaces ge-0/0/14 unit 0 family mpls
set interfaces ge-0/0/14 unit 250 vlan-id 250
set interfaces ge-0/0/14 unit 250 family inet address 10.0.250.1/29
set interfaces lo0 unit 0 family inet address 172.22.0.3/32
set interfaces lo0 unit 0 family iso address 49.0000.1720.2200.0003.00
set interfaces lo0 unit 0 family mpls
set routing-options router-id 172.22.0.3
set protocols rsvp interface ge-0/0/14.0
set protocols mpls explicit-null
set protocols mpls no-decrement-ttl
set protocols mpls label-switched-path SPCORE02 to 172.22.0.4
set protocols mpls label-switched-path SPCORE02 no-cspf
set protocols mpls interface ge-0/0/14.0
set protocols isis lsp-lifetime 65535
set protocols isis level 2 wide-metrics-only
set protocols isis level 1 disable
set protocols isis interface ge-0/0/14.0 level 2 metric 50
set protocols isis interface lo0.0 passive
set protocols isis interface lo0.0 level 2 metric 1
set protocols isis interface vlan.1000 passive
set protocols isis interface vlan.1000 level 2 metric 5
set protocols ldp track-igp-metric
set protocols ldp explicit-null
set protocols ldp transport-address router-id
set protocols ldp interface ge-0/0/14.0
set protocols ldp interface lo0.0
set protocols l2circuit neighbor 172.22.0.4 interface ge-0/0/6.0 virtual-circuit-id 1
set routing-instances TELEMETRY instance-type virtual-router
set routing-instances TELEMETRY interface ge-0/0/14.250
set routing-instances TELEMETRY routing-options static route 0.0.0.0/0 next-hop 10.0.255.126
set routing-instances TELEMETRY protocols ospf area 1.1.1.1 interface ge-0/0/14.250

-------------------------------------------------------------------------------------------------------------------------------

root@SPCORE02# show | display set
set version 12.3X48-D105.4
set security forwarding-options family mpls mode packet-based
set interfaces ge-0/0/6 description TXP-0001
set interfaces ge-0/0/6 encapsulation ethernet-ccc
set interfaces ge-0/0/6 unit 0 family ccc
set interfaces ge-0/0/14 description "*To SPCORE01 ge-0/0/14"
set interfaces ge-0/0/14 flexible-vlan-tagging
set interfaces ge-0/0/14 native-vlan-id 1
set interfaces ge-0/0/14 mtu 2020
set interfaces ge-0/0/14 unit 0 vlan-id 1
set interfaces ge-0/0/14 unit 0 family inet address 172.24.0.6/30
set interfaces ge-0/0/14 unit 0 family iso
set interfaces ge-0/0/14 unit 0 family mpls
set interfaces ge-0/0/14 unit 250 vlan-id 250
set interfaces ge-0/0/14 unit 250 family inet address 10.0.250.6/29
set interfaces lo0 unit 0 family inet address 172.22.0.4/32
set interfaces lo0 unit 0 family iso address 49.0000.1720.2200.0004.00
set interfaces lo0 unit 0 family mpls
set routing-options router-id 172.22.0.4
set protocols rsvp interface ge-0/0/14.0
set protocols mpls explicit-null
set protocols mpls no-decrement-ttl
set protocols mpls label-switched-path SPCORE01 to 172.22.0.3
set protocols mpls label-switched-path SPCORE01 no-cspf
set protocols mpls interface ge-0/0/14.0
set protocols isis lsp-lifetime 65535
set protocols isis level 2 wide-metrics-only
set protocols isis level 1 disable
set protocols isis interface ge-0/0/14.0 level 2 metric 50
set protocols isis interface lo0.0 passive
set protocols isis interface lo0.1 level 2 metric 1
set protocols ldp track-igp-metric
set protocols ldp explicit-null
set protocols ldp transport-address router-id
set protocols ldp interface ge-0/0/14.0
set protocols ldp interface lo0.0
set protocols l2circuit neighbor 172.22.0.3 interface ge-0/0/6.0 virtual-circuit-id 1
set routing-instances TELEMETRY instance-type virtual-router
set routing-instances TELEMETRY interface ge-0/0/14.250
set routing-instances TELEMETRY routing-options static route 0.0.0.0/0 next-hop 10.0.255.254
set routing-instances TELEMETRY protocols ospf area 1.1.1.1 interface ge-0/0/14.250

ge-0/0/14 is connected to a wireless point-to-point bridge pair and normal traffic passes fine. The TELEMETRY routing instance functions fine; MPLS/LDP however appears to not function.

Both sides report up

Neighbor: 172.22.0.3
    Interface          Type  St    Time last up          # Up trans
    ge-0/0/6.0(vc 1)   rmt   Up    Nov 30 18:15:09 2021  1
      Remote PE: 172.22.0.3, Negotiated control-word: Yes (Null)
      Incoming label: 299904, Outgoing label: 299904
      Negotiated PW status TLV: No
      Local interface: ge-0/0/6.0, Status: Up, Encapsulation: ETHERNET

And both LSPs show up

Ingress LSP: 1 sessions
To              From            State Rt P     ActivePath       LSPname
172.22.0.3      172.22.0.4      Up     0 *                      120PRK-SPCORE01
Total 1 displayed, Up 1, Down 0

Egress LSP: 1 sessions
To              From            State   Rt Style Labelin Labelout LSPname
172.22.0.4      172.22.0.3      Up       0  1 FF       0        - 301MAIN-SPCORE02
Total 1 displayed, Up 1, Down 0

Transit LSP: 0 sessions
Total 0 displayed, Up 0, Down 0

Occasionally bursts of 1k or less cross the interfaces (symmetrically when showing stats on both PSW interfaces), but the symptom appears to be ARP related on the 3750Gs. They cannot ping or complete ARP messages across the PSW.

COREMLS01#ping 10.0.0.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.6, timeout is 2 seconds:
Dec 1 07:24:30.952: IP: s=10.0.0.5 (local), d=10.0.0.6 (GigabitEthernet1/0/7), len 100, sending
Dec 1 07:24:30.952: ICMP type=8, code=0
Dec 1 07:24:30.952: IP: s=10.0.0.5 (local), d=10.0.0.6 (GigabitEthernet1/0/7), len 100, encapsulation failed

COREMLS01>sh arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  10.0.0.5                 -  64d9.8976.05c3  ARPA  GigabitEthernet1/0/7
Internet  10.0.0.6                 0  Incomplete      ARPA

Any pointers?



Mac Flap Logging Issues

I know that on a majority of Cisco devices:

mac-flap-syslog-enable 

is the command used to enable logging for MAC flaps when they happen, but for some reason I cannot get a Cisco NCS 520 or an ASR 920 to actually take this command. I'm coming up short so far on finding another command that will work with these devices. Any possible suggestions would be appreciated.



Tuesday, November 30, 2021

Switch supporting 16+ span/mirror instances

Are there any switches out there supporting this?

We have a situation where we need to mirror customer internet VLANs in a data center, and each customer internet VLAN must be mirrored to a customer-specific hardware appliance. We need to support at least 16 customers' worth of this, and the in-place QFXes only support 4 mirror/span instances.

Our thought is to use a single QFX mirror instance sending customer VLANs x, y, z out over a 20H LAG into some switch that supports "lots" of span instances and then hang the hardware appliances off that switch.

Alternatively, we’re looking at e.g. Garland Network Packet Brokers.



Rack Cable management inspiration needed

Hey chaps needing some thoughts on this

I have the pleasure to re-arrange this naturally evolved networking rack (and some more) and want to properly re-do it, yet lack experience. I already cut down on anything unnecessary, but now lack inspiration on how to arrange it.

https://imgur.com/a/EmvDNXx

  • Telephone patch panel
  • Analog? patch panel
  • Fiber patch panel
  • Telephone patch panel to different floor
  • Telephone patch panel
  • Telephone patch panel
  • Patch panel
  • 24P Switch - will be replaced w/ 24p/4sfp
  • 16P+8 Fiber - will be replaced w/ 24p/4sfp
  • ISP #1 Fiber modem
  • Fiber patch panel ISP
  • ISP #2 Fiber modem
  • ISP #2 Fiber modem backup WAN
  • 24P Switch
  • 8P Switch -> distributes WAN ISP #2 to Watchguard (mounted in different rack, will be moved to this network rack) AND Sophos cluster
  • a few devices of a client that has its own firewall

my approach would probably be:

ISP stuff top, firewall next, patch panels, switches, client stuff

I'd love to get these but I don't think they will fit (8.4 depth, enclosure only has ~10cm to the door). Big side verticals obviously won't fit: https://www.fs.com/products/64186.html

any other ideas?

P.S. Any ideas how to route cables to the next server rack next to it? It used to be a massive tangled mess lying on the ground, which I cut down to a single cable by installing a switch in the rack itself. Do I just add a conduit to protect it, or are there some kind of top cable trays that I simply haven't seen yet?



Ping and DNS via Zscaler

Hi there. My team is working on implementing Zscaler ZIA and ZPA across our company. One ZPA limitation that has been most annoying, mostly for our IT teams, is the inability to ping/nslookup a host and get the associated internal IP address. You instead get the IANA special shared address space IP (somewhere within 100.64.0.0/10), even for servers on the network, not just laptops/workstations on Zscaler. It's a minor annoyance, but I'm curious if anyone that has implemented Zscaler has found a way around this or an alternative. Thanks.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



WPA3 Enterprise on Unifi

Hello there,

In my company, we are currently using Ubiquiti UAC-AP-PRO APs configured in WPA2 Enterprise and authentication is based on FreeRADIUS through EAP-PEAP (GTC).

I'd like to implement WPA3. Our Unifi Network controller version is 6.4.54 and I updated an AP to 5.42.52 to do my tests.

I configured a new wireless network with "WPA Enterprise", "Support WPA3 connections" and "PMF: required". I tried to connect my iPhone on the latest iOS. It says WPA2 Enterprise.

Any suggestions? A problem with the RADIUS server?

Thanks :)



NGFW solution - Palo Alto 400 series vs Fortigate F Series

We are looking for an NGFW solution for all our schools and we've tested out Palo Alto's 450 and 460 models as well as the Fortigate 100F series.

What I'm not sure of is if we are comparing apples to apples between the two. The best comparison I could come up with was as follows:

PA-460 ~ 200F

PA-450 ~ 100F

PA-440 ~ 80F

PA-410 ~ 60F

We tested a 450 and a 100F at the same location and tried to make sure all the scanning settings were equivalent on both. We found the 450 to hit a peak of maybe 40% on the data plane, and the Fortigate seemed to consistently get up to 80% memory usage, but the CPU numbers seemed fine.

SE for Palo Alto went through all the performance metrics and couldn't find any reason that this box wouldn't handle the load from this school with room to spare. The SE for Fortinet however said that the 100F was at about its limit and should look at possibly sizing up.

The kicker here is pricing for the Fortigates ends up being higher than Palo Alto on a 1, 3 and 5 year term.

So assuming my comparisons above are somewhat close, is there any reason we shouldn't choose the Palo Alto 400s for our NGFW solution?

Thanks all!



Career/Cert Advice

Hey guys, I got my CCNA in 2020 right before the exam change (I took icnd1/2) and have essentially been forced into sysadmin roles since. I recently started a new position (on my 3rd week) and the network admin is retiring next week.

His position requires CISSP, CASP+, or CCNP-Sec in addition to a CCNA. I was told to choose a cert, they would send me to a boot camp and I could fill his role if I wanted.

That said, the scope of the environment goes beyond CCNA, and I was planning to go for CCNP ENCOR next because I wanted to learn the material. Should I just try to snag the CASP+ to meet the requirements and then study for ENCOR? We do use Cisco, so the CCNP Security would actually be useful information to learn, but I don't think it's something I can just pick up in a boot camp.

I'm also very nervous about the scope of work in general given my experience (mainly small L2 networks, some L3 switches and ROAS setups), but I also see this as an amazing opportunity to get where I want to go. There's just not much time for training and a lot on my plate; it's also a solo role, so I'd mainly be assuming someone else's network and learning on the fly.

Any advice would be great, thanks if you took the time to read this.



How is this for a preliminary network diagram?

Hi everyone, I am working on a network diagram to bring Wi-Fi to a remote office in the mountains. I am working on a budget, and would like to get this as close to right as possible right from the start.

Data usage: 1TB per month, for non-critical remote work, for about fifteen people.

Site notes: We plan to use a Starlink as the primary internet connection. There is no fiber or cable access nearby. LTE is only available 200m away on a hill near the upper building—that point has line of sight to a cell tower ten miles away. 25 Mbps over LTE is consistent.

Burying conduit will not be a possibility before early summer.

Distances: Hill <-200m-> Upper office building <-300m-> Lower office building

Hill: there is AC power here. I will have a Pepwave LTE router here, with an ATT 100GB /mo data-only SIM. Planning to use a Nanobeam to send data to the upper building.

Upper office building: Multi-WAN router connected to Starlink and Pepwave LTE connection, using Starlink as primary, failing over to LTE if Starlink goes down. One PoE nanobeam pointing up the hill, another pointing down toward the lower building.

Wifi: We have been using Eero Pros but I am open to suggestions.

Lower office building: PoE Nanobeam aimed at the upper office. The Nanobeam is plugged into a switch connected to a Wi-Fi setup similar to that of the upper building.

Here is the preliminary diagram: https://imgur.com/a/ApzAvvF

My main questions:

  1. How can I choose the appropriate Ubiquiti wireless bridges? Are they easy to set up and reliable? Do they come back online automatically after a power outage?

  2. Besides Eero, what is a good Prosumer or inexpensive professional Wi-Fi solution? We can wire everything with ethernet cables.

  3. Are there inexpensive Multi-WAN routers which can gracefully failover to the backup internet connection, then test the main connection every minute or so and switch back over when it is back up? I imagine this will mess up the public-facing IP of all of our users—however, I am not sure we need to aggregate the links, so maybe an occasional failover and jumbling of IP addresses isn't so horrible.

Any advice much appreciated! thank you.



MSS Problem

So today I got into a situation like this.
3 weeks ago I was reviewing some pcaps in our network and noticed that the MSS was always 1380 at most. I found out about the ASA default and had one of those "I need to change that" moments, so I uncapped it everywhere except for the ones with IPsec tunnels.
After a week, my colleague from the L1 team contacted me about a printer at one of our branches that just doesn't scan to email. I did a capture of the SMTP traffic, which always ended with the mail header and then stalled for a minute, followed by an RST from the printer (which was the configurable default in the printer menu). I tried to send a mail from the router with telnet and it worked well, so I blamed his crappy printer and went on to other things. I had him try another one until I started investigating this more. It appeared that I couldn't ping that one branch router with 1500 MTU. It just timed out.
He gave me the exact date when the users first reported the issue and I looked into my Chrome history. There were multiple sites about ASA and MSS...
So at this point I was pretty sure this is not a coincidence.
So there is surely something in our ISP's MPLS that has a 1496 MTU configured.
As I uncapped the MSS adjustment on our DC ASA to unlimited, every TCP connection now had a 1460-byte MSS. Clients on that branch probably were not affected because of PMTUD?
I did a workaround by setting the MSS on the branch router's printer VLANs to a lower size.
My only concern is why don't the packets just fragment? When I ping our router or anything else on that branch with 1497 to 1500 MTU, it doesn't even say "Packet needs to be fragmented but DF set."
It just times out. But when I ping with more than 1500 MTU, I get the message about fragmentation being needed...
I had the ISP guys investigate this, but I'm pretty curious what it could be.
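The symptoms in this post (1380 clamp, a 1496-byte hop somewhere in the carrier MPLS, pings of exactly 1500 bytes timing out while anything larger gets an ICMP reply) can be walked through with a small path-MTU model. This is an added example, not code from the original post; the hop names (dc-lan, dc-asa, isp-mpls, branch-router), their MTUs and the silent-drop behaviour of the MPLS hop are constructed assumptions chosen to match the description.

```python
"""Path-MTU / MSS model for the symptoms above: added example, not from the post.
Hop names, MTUs and the silent-drop behaviour of one hop are constructed assumptions."""
from dataclasses import dataclass

IPV4_HDR = 20        # IPv4 header without options
TCP_HDR = 20         # TCP header without options
ICMP_ECHO_HDR = 8    # ICMP echo header (type, code, checksum, id, seq)


@dataclass
class Hop:
    name: str
    mtu: int
    sends_icmp_frag_needed: bool = True   # RFC 1191 behaviour; False = PMTUD black hole


def tcp_mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits in one IPv4 packet on a link of this MTU."""
    return mtu - IPV4_HDR - TCP_HDR


def ip_size_for_ping_payload(payload: int) -> int:
    """IP packet size produced by 'ping -f -l N' (Windows) / 'ping -M do -s N' (Linux)."""
    return payload + IPV4_HDR + ICMP_ECHO_HDR


def send_df(path, packet_size):
    """Forward a DF-set packet hop by hop.

    Returns ('delivered', None), ('icmp_frag_needed', hop) when a hop answers with
    ICMP Fragmentation Needed, or ('black_hole', hop) when the oversized packet is
    silently dropped, which the sender only ever sees as a timeout."""
    for hop in path:
        if packet_size > hop.mtu:
            if hop.sends_icmp_frag_needed:
                return ("icmp_frag_needed", hop.name)
            return ("black_hole", hop.name)
    return ("delivered", None)


def tcp_full_segment(path, peer_mss, clamp=None):
    """Outcome for a full-sized TCP segment. 'clamp' models the ASA's
    'sysopt connection tcpmss' rewrite of the peer's advertised MSS."""
    mss = min(peer_mss, clamp) if clamp else peer_mss
    size = mss + IPV4_HDR + TCP_HDR
    return size, send_df(path, size)


# Constructed path: DC LAN and ASA at 1500, a carrier MPLS hop at 1496 that drops
# silently, then the branch router at 1500.
PATH = [
    Hop("dc-lan", 1500),
    Hop("dc-asa", 1500),
    Hop("isp-mpls", 1496, sends_icmp_frag_needed=False),
    Hop("branch-router", 1500),
]


def walkthrough(path=PATH):
    """Reproduce each observation from the post as a dict of outcomes."""
    return {
        # 1500-byte ping: passes the local 1500 hops, swallowed by the 1496 hop -> timeout.
        "ping_1500": send_df(path, ip_size_for_ping_payload(1472)),
        # 1501-byte ping: the first 1500-byte hop answers with Fragmentation Needed.
        "ping_1501": send_df(path, ip_size_for_ping_payload(1473)),
        # Ping that fits the smallest hop.
        "ping_1496": send_df(path, ip_size_for_ping_payload(1468)),
        # Before: ASA clamped MSS to 1380 -> 1420-byte segments fit everywhere.
        "tcp_clamped_1380": tcp_full_segment(path, peer_mss=1460, clamp=1380),
        # After: clamp removed, 1460-byte MSS -> 1500-byte segments are black-holed.
        "tcp_unclamped": tcp_full_segment(path, peer_mss=1460),
        # Branch workaround: clamp to the MSS the real 1496-byte path supports.
        "tcp_clamped_1456": tcp_full_segment(path, peer_mss=1460, clamp=tcp_mss_for_mtu(1496)),
    }


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name:18s} {outcome}")
```

The 1500 versus 1501 split falls out of the model: a packet larger than the local 1500-byte MTU is rejected by the first hop with an ICMP Fragmentation Needed, while a 1497- to 1500-byte packet clears the local hops and dies silently on the 1496-byte link. PMTUD relies on that ICMP coming back, so a hop that drops without signalling is a black hole, and clamping MSS at the edge (Cisco's default of 1380 for sysopt connection tcpmss leaves headroom for IPsec overhead) is the usual way to work around one.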



Getting Public IPv4 Address, (Good idea or ;( ?)

Greetings,

I recently joined a mid-size company that has a handful of public IPv4 addresses from two ISPs. I am thinking of getting us IPv4 addresses, as we are planning to move to a new location and I didn't want to get us tied to the ISPs. I wonder how to start the process and would like your suggestion on whether I should sweat to get us IPv4 addresses or not.

We have a hybrid network with presence in all three public cloud providers, and planning to go to SD-WAN soon.

Thanks,



Dell os10 VLT failover

I understand how to set up VLT on Dell OS10; my question is how it handles core routing. For example, I have 2 core switches, call them A and B. Now I want to set up interface vlan1 with IP 192.168.1.1 with failover. How do I accomplish this? If I set switch A with the IP address and it fails, will switch B be able to fail over with VLT? Since VLT differs from stacking, I am wondering if both switches will answer for their partner's respective configs. Or maybe there is a way to set up VLAN interface IP addresses on both switches without conflicts? Thanks.



Dark Fibre (UK)

It's possible we are going to move out of our existing single office into two new locations in a city centre which has Virgin. Duplication of the same services at each new site would be costly. We have a lot of low latency, high bandwidth services. So I was wondering if anyone had any dark fibre experience? (UK or elsewhere very welcome.) Is it as simple as two switches with single mode fibre SFPs, or much, much more complex? I am assuming here be dragons...?



ArubaOS

Hi to all.

For SMB customers I used to buy HPE Aruba 2530 series switches. Now this product is EOL.

Aruba says that the replacement model is the 6000 series, but I've seen that this series has the AOS-CX software.

Is the old ArubaOS (the one on ProVision switches) dead?
Could someone tell me a replacement model for the 2530 with ArubaOS (if it exists)?

thanks



Cisco ISE with Fips

Anyone implement Cisco ISE with FIPS?

FIPS disables PAP. Cisco switches use PAP to authenticate against RADIUS on ISE.

So after enabling FIPS on ISE and the switches, auth attempts fail, and the live logs say it is because the PAP protocol is not allowed.

It doesn't appear that I have the option of changing the auth protocol on the switch side.

What am I missing here?
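For context on what FIPS mode is objecting to: a PAP authentication against RADIUS carries the password in the User-Password attribute, hidden with the RFC 2865 section 5.2 construction shown below, which XORs the NUL-padded password with an MD5-derived keystream. MD5 is not a FIPS 140 approved algorithm. The code is an added example, not from the post or from Cisco; the shared secret, Request Authenticator and password are constructed.

```python
"""RFC 2865 section 5.2 User-Password hiding: added example, not from the post or
from Cisco. Shared secret, authenticator and password below are constructed."""
import hashlib
import os


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Produce the User-Password attribute value sent in an Access-Request.

    c1 = p1 XOR MD5(S + RA), c(i) = p(i) XOR MD5(S + c(i-1)): the password is padded
    with NULs to a multiple of 16 bytes and XORed block by block with MD5 output."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: invert the hiding with the same shared secret. NUL padding is removed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")


def user_password_avp(hidden: bytes) -> bytes:
    """Wrap the hidden value as a RADIUS attribute: Type 2, Length, Value."""
    return bytes([2, 2 + len(hidden)]) + hidden


def keystream_is_md5(password: bytes, secret: bytes, request_authenticator: bytes) -> bool:
    """Demonstrate the construction: the first ciphertext block XOR the padded plaintext
    is exactly MD5(secret || authenticator). MD5 is the only primitive involved."""
    hidden = hide_user_password(password, secret, request_authenticator)
    first_block_plain = (password + b"\x00" * 16)[:16]
    return _xor16(hidden[:16], first_block_plain) == hashlib.md5(secret + request_authenticator).digest()


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed, not a real secret
    ra = os.urandom(16)                         # Request Authenticator chosen by the client
    pw = b"Sw1tchAdm1n!"                        # constructed password
    hidden = hide_user_password(pw, secret, ra)
    print("User-Password AVP:", user_password_avp(hidden).hex())
    print("recovered on server:", reveal_user_password(hidden, secret, ra))
```

The reveal side runs on the RADIUS server with the same shared secret. The password's only protection in transit is MD5 keyed by that secret, with no integrity protection on the attribute itself, which is why PAP over RADIUS is normally wrapped in IPsec or RadSec (RADIUS over TLS, RFC 6614) or replaced by an EAP method, and why a FIPS profile refuses it outright.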



TCP RESET

Hi, guys! For example, we made a connection between a client and a server. After that the client sent a single 2 bytes and wanted to close the connection (FIN=1). But the server was disconnected for some reason. As I understand, something should send an RST packet from the server side (maybe a firewall, because the server is inactive). If I understand correctly, the client will make a connection with the server again (3-way handshake) and try to send those 2 bytes again? Do I understand correctly how it works? P.S. Sorry for my English, hello from Belarus!



Site 2 Site VPN - Port Forwarding on the Opposite Site WAN IP

I have 2 sites with 2 WAN IPs. At Site A I cannot port forward, and at Site B I can.

I set up an OpenVPN tunnel from pfSense running at Site B, and using an EdgeRouter X I connected Site A to Site B's VPN server. I have 3 subnets: the tunnel network, the Site B network and the Site A network. I want to be able to forward a port from a client that will be plugged into the EdgeRouter through the Site B WAN side.

My initial idea is: if I can make the tunnel network accessible from Site B's pfSense LAN, could I then port forward that IP/port out to the internet?

Can someone please help me with any ideas or advice I can use to make this easy to accomplish?



Trying to set up an iCamera2 without a Masters Degree in Networking

I got these two (iCamera2) cameras from a pawn shop for really cheap, and I'm starting to realize why they were so cheap. When attempting to set them up I found out that the instructions were not user friendly at all. They go from plugging them into power and your computer to accessing them from your browser, completely skipping the step on HOW to obtain the camera's IP address. The manual never addresses this, and every forum (besides this one) and video I've seen never addresses it either. Any advice would be greatly appreciated.



Bridged modem connected to router via VLAN

I would like to virtualize a PfSense router that is now a physical box, without having to pull extra wires. The problem is that there are several walls between the modem and the server room, and neither device can be moved.

I don't fully understand how a modem functions in bridge mode, other than that it 'just works' when plugging it into the WAN port of a router. So I just went ahead and made a test setup wherein the modem interface is directly connected to a static access switchport in VLAN 7. The pfSense VM has one trunk interface, on which several VLAN interfaces are defined. This VLAN 7 (and several others) works and is accessible from the switch port as well as the virtual machine.

But as I expected, the PfSense VM's WAN interface doesn't get a WAN IP from the modem. I've read somewhere that the modem tries to negotiate with the first MAC it sees, so perhaps the modem is trying to hand out a WAN IP to the interface of the Cisco switch it's connected to?

I hope somebody knows whether or not this setup is possible.

Here is a quick drawing of the test setup



Using a VPS as a VPN, I'm able to achieve 250 Mbps on a speedtest. However, when directly uploading files to the VPS, the upload speed drops to 80 Mbps. How does this make sense?

Basically title. I'm using wireguard to set up the VPN.

Here's another similar situation on another set of VPS.

  • client -> Storage VPS (upload speed: 200 kbps)
  • client -> VPS1 as VPN -> Storage VPS (upload speed: 200 kbps)
  • client -> VPS1 with the Storage VPS drive mounted on it (upload speed: 250 Mbps)



Somebody who can help me with Cisco work?

.



Arista MAC Address Issue

Hi all -

I've got an issue whereby when I do a "show mac-address table" on an Arista switch connected to a Cisco switch, the MAC which is learned by the Cisco is different from the MAC address on the Arista itself.

I have 4x instances of this. Sometimes it's very similar, but still different.

e.g.,

MAC learned ends in c9f6, but MAC showing on Arista port ends c9f5.

Other times, the MACs are quite different indeed.

e.g.,

MAC learned ends 0600, but MAC showing on Arista port ends 05ff.

What's more, I can't actually see the "learned" MAC anywhere on the Arista device. (i.e., do a "show interfaces" command and grep/ctrl+f for the learned MAC address and no results).

Any thoughts?



EPOs in IDFs?

Got a vendor who's insisting that electrical code REQUIRES us to put EPOs in every single IDF and MDF we're putting into a new facility we're building at work. Looking over the electrical code, from what I can see they're SUPPOSED to be for rooms with raised floors that have non-plenum cabling running under it, and it's completely optional and unnecessary in a room without a raised floor.

This is a new building in a hospital campus, where none of the other buildings (including ones completed in the last 3 years) have EPOs in their closets, and we're just starting to look at revamping closets in other buildings on the same campus. I, my boss, the Project Manager, and a couple of the other guys working on this think this is a contractor trying to pad the bill and install a bunch of stuff that simply isn't necessary.

Is this a recent change in electrical code? Does anyone else have EPOs in IDFs with concrete floors? We understand and fully get that our new MDF, which has a room-scale UPS, needs and should have an EPO, but one of the justifications for the IDFs is that we're using rack-mount UPSes larger than 750VA, which again we've been doing for years.

Just want to get a feel as to whether or not this is a normal practice other places - it hasn't been here, nor was it at my last job - or if we're looking at someone trying to scam us for more work.



What do you monitor on devices?

I know this varies by situation and a dozen other things, but I was wondering what are some things you monitor on switches, routers, UPSes, WLCs, etc.

I know there are more useful items to monitor aside from just up/down status.

I've been tasked with completely redesigning our Zabbix monitoring system. In many cases the default templates have been used, and all that comes with them. I was wanting to slim this down to what we absolutely need.

I appreciate any input, thank you.



Confusing between TCP/IP 4 Layers and 5 Layers?

I'm confused between these TCP/IP models.

As we know, the 4 layers are (Application - Transport - Internet - Link)

and the updated TCP/IP model has 5 layers (Application - Transport - Internet - Data Link - Physical).

My questions are:

Is the Link layer in the original TCP/IP model a combination of Data Link and Physical in the updated model? (Or is there no physical layer at all in the original one?)

What is the data unit of each layer (packet - segment - frame ...) for both?

What is the difference between Link in the original model and Data Link & Physical in the updated model?

Is the Link layer of the original model responsible for MAC, Ethernet, cable and NIC?

What exactly is the difference between the two?
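To make the layer and data-unit question concrete, the following added example (not part of the post) builds an HTTP request down through the layers, message inside segment inside packet inside frame, and then parses the frame back apart, verifying both checksums on the way. The Ethernet II, IPv4 and TCP header layouts are the standard ones; the addresses, MACs and payload are constructed.

```python
"""Encapsulation through the TCP/IP layers: added example, not from the post.
Addresses, MACs, ports and payload are constructed."""
import socket
import struct

# Protocol data unit at each layer of the model the post asks about.
PDU_NAMES = {"application": "message", "transport": "segment",
             "internet": "packet", "link": "frame"}

ETH_HDR, IPV4_HDR, TCP_HDR = 14, 20, 20
ETHERTYPE_IPV4, PROTO_TCP, FLAG_PSH_ACK = 0x0800, 6, 0x18


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by IPv4 and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, payload, seq=1, ack=1, flags=FLAG_PSH_ACK):
    """Transport layer: TCP header + payload. The checksum also covers an IP pseudo-header,
    so the transport layer already depends on the addresses the layer below will carry."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, PROTO_TCP, len(hdr) + len(payload)))
    csum = inet_checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_packet(src_ip, dst_ip, segment, ttl=64):
    """Internet layer: IPv4 header (DF set, no options) wrapped around the segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + len(segment), 0x1234, 0x4000,
                      ttl, PROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + segment


def build_frame(src_mac, dst_mac, packet):
    """Link layer: Ethernet II header. The 4-byte FCS is normally added and stripped by the NIC."""
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ETHERTYPE_IPV4) + packet)


def decapsulate(frame: bytes) -> dict:
    """Peel the frame apart layer by layer, recording the PDU length at each layer."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    packet = frame[ETH_HDR:]
    ihl = (packet[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    segment = packet[ihl:total_len]
    sport, dport = struct.unpack("!HH", segment[:4])
    doff = (segment[12] >> 4) * 4
    pseudo = packet[12:20] + struct.pack("!BBH", 0, proto, len(segment))
    return {
        "ethertype": ethertype, "proto": proto,
        "src_ip": socket.inet_ntoa(packet[12:16]), "dst_ip": socket.inet_ntoa(packet[16:20]),
        "sport": sport, "dport": dport,
        "frame_len": len(frame), "packet_len": len(packet), "segment_len": len(segment),
        "payload": segment[doff:],
        "ip_checksum_ok": inet_checksum(packet[:ihl]) == 0,     # header sums to zero when intact
        "tcp_checksum_ok": inet_checksum(pseudo + segment) == 0,
    }


def example_frame():
    """Constructed HTTP request carried down through all layers."""
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    segment = build_segment("192.0.2.10", "198.51.100.20", 49152, 80, payload)
    packet = build_packet("192.0.2.10", "198.51.100.20", segment)
    return build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", packet), payload


if __name__ == "__main__":
    frame, _ = example_frame()
    info = decapsulate(frame)
    for layer, pdu in PDU_NAMES.items():
        print(f"{layer:12s} {pdu:8s}", info.get(f"{pdu}_len", len(info["payload"])))
```

The physical layer has no protocol data unit of its own in this picture: the frame is what the NIC serialises onto the cable, and the FCS it appends is normally stripped before the bytes reach software, which is why a capture on a 1500-byte MTU link tops out at 1514-byte frames.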



Enterprise password managers?

Hello everyone.

I have been tasked to investigate a potential enterprise password manager for a network team of around 30 people.

Since this is a large organization, things are pretty much silo-ed here, which means no virtual appliances and no cloud stuff.

Current setup: we use KeePass with YubiKey as 2FA to access our shared database. The database used to be on a dedicated Windows file-server behind an internal VPN firewall that only the network team would access. It has been migrated to the public cloud now, hence this thread.

Ideally what I would want is:

- Dedicated hardware appliances; no windows or linux applications, but I guess if there are no appliances, that can be considered.

- YubiKey support or other hardware token 2FA support.

- Ability to sync the database between an Active/Standby appliance

- Backup

From what I have seen there are only cloud services or virtual appliances. Does anyone know if there are dedicated appliances for this?



Any recommendations for a VLAN and Segments management application?

Hey Network warriors,

I was tasked with searching for an application for keeping track of our VLAN and segment allocations,

like when they were created, by whom and for what purpose, stuff like that.

We were using a private website that we built from scratch, but it is quite ineffective since we expanded quite a lot.

Does anyone know of such software? I don't even know what to call it.

We are using SolarWinds as our IT management system, but I don't think it can keep track of any new VLANs or networks added.



firepower blocks with no reason

I'm looking at a problem with some provisioning of devices that require connection to external services with Apple. We have some Firepower 4150 firewalls. I have noticed that blocks are occurring on return traffic. I cannot see why this would occur, and the rule referenced is a block rule at the end of the list of rules that someone created to say "no external to internal", basically.

I'm a little confused, as surely this is standard stateful stuff and should not hit our last rule blocking external to internal inbound; it should be part of the normal rulesets. We have connections out, so the block referenced is typically saying the initiator is the external IP, sourced from tcp/443, to one of our internal IPs, on the sort of TCP port you might expect, like 49552. Obviously Apple aren't initiating those connections... The fact it is mapped back to an internal IP means it's matching the outbound translations and permit rule.

I don't see any reason given for the block, just block. It's a bit of a headache, especially as our accounts department seem to have bungled our support contract for the devices.

Anyone got any quick ideas about this while I sort out support? People are asking me to whitelist IPs, which is going to be unmanageable, as I notice it's not just Apple's external 17/8 as seen in https://support.apple.com/en-us/HT210060, but CDNs as well. I'm obviously not going to whitelist Akamai, am I? :| Sadly I've never done any Firepower course, only had the old CCNA Security. I see I could maybe create a reputation list or similar to feed a whitelist to the device, so I have little in the way of ideas. I could create a massive list of trust policies outbound in case it is Snort, but initial testing didn't seem to help; only physically whitelisting IPs seems to have any results. Day to day I personally only really manage ASA devices myself currently, and the guy that deployed the firewalls moved on. I try to keep the Firepower firmware up to date, though now knowing support has lapsed I have deferred the upgrade to 6.6.5 from 6.6.4 in case of a fault.



Cisco 5506x EOL - move to FPR 1010

I am currently running a failover pair of ASA 5506X with very few issues. I was in the process of renewing the support and noticed the EOL on these boxes. While they can be covered for a few more years yet, I am wondering if I take the opportunity to move to the new FPR devices.

I have read that you have 2 choices, ASA mode or FTD mode. I am trying to understand what I might lose going either way. We don't have a large number of requirements: failover, 20+ VLANs, site to site VPN, virtual interfaces, ACLs.

As far as I have read, I lose the CLI if I go with FTD, but does that still allow me to configure all of the above, and what do I then gain from FTD over and above the ASA side of things?

For what it's worth, I will be running a pair of 1010 with sec plus.

Thanks



Monday, November 29, 2021

Ideas for cheap console server?

Need at least 8 ports. 19" wide 12U rack. As light as possible, trying to keep it relatively portable.
It's for a small CCNA/JNCIA lab. Cleaner is better.

Some I've thought of;

  • Avocent Cyclades. Can be tough to find under $50 with rack ears.
  • Repurpose a 2600 after picking up an NM-32A. 2600s are a bit too heavy for what I want. (I already have a working 2511 with a CAB-OCTAL-ASYNC, but it's also on the heavy side and ancient.)
  • Small computer with a PCIe to 8x or 16x DB9 adapter?

Anything I haven't thought of? Maybe something else that can be repurposed?



Cisco (mostly) blocking second gateway on network

Hello.

We have set up a site-to-site VPN using SoftEther VPN.

Here we have 2 networks:

Datacenter: 10.0.80.0/24

Customer: 192.168.1.0/24

The VPN gateway at the datacenter is at 10.0.80.254

The customer VPN gateway is at 192.168.1.254

Routers at both locations have a static route added:

Datacenter: 192.168.1.0/24 -> 10.0.80.254

Customer: 10.0.80.0/24 -> 192.168.1.254

So here is the kicker.

We can ping from the customer to the datacenter through the link, but we cannot ping from the datacenter to our customer. So ICMP can be initiated one way. But no TCP or UDP is allowed.

In the logs from the Cisco ASDM we see:

Denied ICMP type=0, from laddr 192.168.1.10 on interface inside to 10.0.80.6: no matching session

I have tried to run "same-security-traffic permit intra-interface", but no change.

AND, if we just add the routes manually on a computer at the customer's location, everything just works. And since ping works one way, there is just something in the firewall, or ACL, or wherever Cisco hides this stuff, and no error in the VPN gateway or routes.

Thanks in advance anyone who can help :)



Using Azure VPN gateway (point to site) Azure AD authentication connect with on-premise servers possible?

Hi everyone,

I am new to Azure networking. I have a question regarding Azure VPN (point to site).

Is it possible to connect Azure VPN (point to site) on an Azure virtual network gateway with an on-premise Cisco ASA?

For example: a user connects to Azure VPN (assigned a private IP from the Azure gateway). From here, can the user then access on-premise resources (behind an ASA 5506)?

Thanks



Telecom GOAT?

I think the best bit of kit ever made was the Cisco (originally Cerent) ONS 15454. I'm sure there are a lot of them still in service. Those things were beasts! You could use and abuse them and they kept ticking. We had a dozen in service for years with no equipment failures. Just a well thought out and designed bit of equipment. Also, some of the best documentation and training ever available. There was a procedure mapped out for just about everything.

Any others you think deserve a spot in the telecom hall of fame?



Sessions Persistent cookies on F5's

Hi, I have a query regarding session persistence on F5s; forgive me if some of these queries are "soft", but I'm a novice with F5s still and still getting to grips with them. So an example I'll give is that we have 3 servers in one stack, all 3 configured in a pool behind a VIP with round robin balancing. I get a call from the head of infra/networks asking whether these 3 servers are being properly load balanced, so I go onto the VIP and see that the statistics for it show it is load balancing perfectly across all 3 servers in the pool. He wanted to know if "sticky sessions" were enabled; after some digging I could see that there was no persistence profile attached, meaning no session persistence, surely? I have read that by default the F5s perform load balancing based off TCP connections rather than HTTP, so after the initial TCP connection is established they send that particular TCP flow to the same pool member permanently. Could this mean that flows are still "session persistent" in some way?

I have a few questions regarding the options and the way the F5s use their session persistence feature too, for the "Cookie" and "SSL" profiles in particular:

Are the SSL session IDs readable by the F5s without the use of an SSL proxy?

Is the SSL session ID not the same as a "cookie"?

Does the F5 insert its own cookie to load balance?

All the different options on the SSL profile such as "Mirror Persistence", "Match Across Services", "Match Across Virtual Servers", "Match Across Pools": what do they refer to in this context?

All the different options on the Cookie profile such as "Cookie Method", "HTTPOnly Attribute", "Secure Attribute", "Always Send Cookie", "Cookie Encryption Use Policy": what do they refer to in this context?

Thanks again for the help everyone
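On the cookie questions: with the default cookie-insert method the BIG-IP adds a cookie named BIGipServer<pool name> whose value encodes the selected pool member's IPv4 address and port in plain decimal, so whoever receives the cookie (the client, a proxy, anyone who can read the Set-Cookie header) learns which internal server they landed on unless the profile's cookie encryption is enabled. The example below, an addition to this page and not code from the post or from F5, encodes and decodes that default format and audits a Set-Cookie header for the HttpOnly and Secure attributes the profile offers. The 10.1.1.100:8080 -> 1677787402.36895.0000 pair is the commonly cited worked example and can be checked by hand; the Set-Cookie headers in the test are constructed.

```python
"""F5 cookie-insert persistence, default (unencrypted) value format: added example,
not from the post or from F5. Header values used below are constructed."""
import ipaddress
import re

COOKIE_RE = re.compile(r"^(BIGipServer[^=;\s]*)=([^;]*)(.*)$", re.IGNORECASE)
PLAIN_VALUE_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def encode_member(ip: str, port: int) -> str:
    """Default BIGipServer value: the IPv4 address read as a little-endian 32-bit
    integer (octets reversed), the port byte-swapped, then a fixed '.0000'.
    10.1.1.100 -> bytes 64 01 01 0a -> 0x6401010a = 1677787402; 8080 = 0x1F90 -> 0x901F = 36895."""
    ip_le = int.from_bytes(ipaddress.IPv4Address(ip).packed, "little")
    port_swapped = ((port & 0xFF) << 8) | (port >> 8)
    return f"{ip_le}.{port_swapped}.0000"


def decode_member(value: str):
    """Invert encode_member. Returns (ip, port), or None when the value is not in the
    plain IPv4 format (encrypted cookie, or the 'rd'/'vi' route-domain and IPv6
    variants, which this example does not handle)."""
    m = PLAIN_VALUE_RE.match(value)
    if not m:
        return None
    ip_le, port_swapped = int(m.group(1)), int(m.group(2))
    if ip_le > 0xFFFFFFFF or port_swapped > 0xFFFF:
        return None
    ip = str(ipaddress.IPv4Address(ip_le.to_bytes(4, "little")))
    port = ((port_swapped & 0xFF) << 8) | (port_swapped >> 8)
    return ip, port


def audit_set_cookie(header_value: str):
    """Inspect one Set-Cookie header: which pool it names, which member it leaks,
    whether the value is opaque (encrypted), and whether HttpOnly/Secure are set."""
    m = COOKIE_RE.match(header_value.strip())
    if not m:
        return None
    name, value, attrs = m.groups()
    attr_names = {a.strip().split("=")[0].lower() for a in attrs.split(";") if a.strip()}
    member = decode_member(value)
    # Default naming is BIGipServer<pool>, with '/' in the partition path written as '~'.
    return {
        "pool": name[len("BIGipServer"):].replace("~", "/"),
        "member": member,
        "encrypted": member is None,
        "httponly": "httponly" in attr_names,
        "secure": "secure" in attr_names,
    }


if __name__ == "__main__":
    # Constructed headers: one default plaintext cookie, one opaque (encrypted-style) value.
    for hdr in (
        "BIGipServer~Common~web_pool=1677787402.36895.0000; path=/",
        "BIGipServer~Common~web_pool=!kGxR7constructedOpaqueValue==; path=/; HttpOnly; Secure",
    ):
        print(audit_set_cookie(hdr))
```

Cookie persistence needs the HTTP profile because the BIG-IP has to read and write headers, which on an HTTPS virtual server means terminating TLS on the device; the SSL persistence method exists for the case where it does not and can only see the session ID in the handshake. The audit above is the check worth running against a production VIP: a decodable member address means the internal pool topology is being handed to every client.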



Data

Hi guys, I want to ask your opinion. I need to do some data backup operations.

Option 1:

  • Red Hat server, 4x 1GbE --> switch

Option 2:

  • Red Hat server, 1x 10GbE --> switch

a) Which option would you proceed with?

b) What are the potential downsides of both options?

c) What are the potential issues you may face with streaming backup traffic?

Thank you guys, I'd really appreciate it if you could all share some opinions.



Linux Host as Packet Capture device

I am using a Linux VM as an inline packet capture device. I have noticed when gathering the pcaps that the length of the frames is well beyond the physical link. I have disabled TCP Segmentation Offload/Large Segment Offload but still see frames reassembled and large in the pcap.

Is anyone doing something similar and able to see the frame size as the link size, not the reassembled packet?
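A quick way to confirm what the post describes is to read the capture and list every record whose original length exceeds what the link could carry in one frame. The following added example (not code from the post) does that with a minimal libpcap reader over a capture constructed in memory, so it runs offline; the frame contents are filler and only their lengths matter.

```python
"""Spot coalesced frames in a libpcap capture: added example, not from the post.
The capture bytes are constructed in memory so the check runs offline."""
import struct

PCAP_MAGICS = {  # first four bytes -> (byte order, timestamp resolution)
    b"\xd4\xc3\xb2\xa1": ("<", "us"), b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"), b"\xa1\xb2\x3c\x4d": (">", "ns"),
}
LINKTYPE_ETHERNET = 1
ETH_HDR = 14


def iter_records(pcap: bytes):
    """Yield (index, orig_len, frame_bytes) for each record in a libpcap file."""
    if len(pcap) < 24 or pcap[:4] not in PCAP_MAGICS:
        raise ValueError("not a libpcap file (pcapng is not handled in this example)")
    order, _ = PCAP_MAGICS[pcap[:4]]
    _magic, _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack(order + "IHHiIII", pcap[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"linktype {linktype} is not Ethernet")
    off, idx = 24, 0
    while off + 16 <= len(pcap):
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError(f"truncated record {idx}")
        yield idx, orig_len, frame
        off += 16 + incl_len
        idx += 1


def oversize_frames(pcap: bytes, link_mtu: int = 1500, vlan_tagged: bool = False):
    """Records whose on-the-wire length exceeds what the link can carry.

    Captures normally exclude the 4-byte FCS, so the ceiling is MTU + 14 (+4 with an
    802.1Q tag). Anything above it never crossed the wire in one piece: it was merged
    by GRO/LRO in the capturing host's receive path before the capture tap saw it.
    orig_len is used rather than incl_len so a snaplen-truncated capture still tells."""
    ceiling = link_mtu + ETH_HDR + (4 if vlan_tagged else 0)
    return [(idx, orig_len) for idx, orig_len, _ in iter_records(pcap) if orig_len > ceiling]


def build_pcap(frames, order="<"):
    """Write a minimal libpcap file around constructed frames (timestamps zeroed)."""
    out = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    for f in frames:
        out += struct.pack(order + "IIII", 0, 0, len(f), len(f)) + f
    return out


def constructed_capture() -> bytes:
    """Three filler frames: a 60-byte minimum-size frame, a full 1514-byte frame, and a
    4434-byte one (14 + 20 + 20 headers + three 1460-byte MSS payloads merged by GRO)."""
    return build_pcap([b"\x00" * 60, b"\x01" * 1514, b"\x02" * 4434])


if __name__ == "__main__":
    for idx, orig_len in oversize_frames(constructed_capture()):
        print(f"record {idx}: {orig_len} bytes exceeds a 1500-byte MTU link")
```

The offloads to disable for a faithful capture are on the receive side of the capturing NIC, not only the transmit side: ethtool -K <iface> gro off lro off (with tso off gso off for traffic the host itself sends). TSO/GSO only shape what the host transmits, which is why turning them off did not change the inbound frames in the capture.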



Outdoor poe 24&48vdc output switch?

Looking for an outdoor, or at least temperature hardened, switch, 4-8 ports, that can output 24 and 48 VDC. Trying to run a PtP radio and a few cameras. Avoiding anything UniFi. Have you guys run into anything like this?



DHCP reservations vs static addresses

Are there any good reasons not to use DHCP reservations for hosts with fixed addresses? Like printers, camera systems, access control systems, etc.

Are there any industry guidelines for this? Because a colleague was asking why many enterprises still use static addresses for non-network infra (things other than routers, switches, etc.).



Redundant Internet & UPS home worker equipment.

Hi all,

I am looking for hardware / ecosystem recommendations for the following:

Scenario

About 10 home workers in different countries, not all have reliable power or internet connections.

Device(s) Requirements:

  • Primary Internet Connection (Ethernet/ADSL2+) with 4G Backup, auto-failover
    • Depending on the connection we may need just an Ethernet WAN, or a modem as well. Most likely the WAN would plug into the customer's existing modem, but I'm looking at options.
    • Same with the 4G; this may come in the form of integrated 4G, WAN2 or a USB 4G modem.
  • Cloud Management (Need to be able to configure / fix this remotely, Plug and Play to get online from end-user perspective)
  • Metrics (Dynamic DNS and SNMP absolute worst case, graphite export or something similar would be better).
  • USB for UPS monitoring
  • Wifi and LAN Port Out.

Metrics & Alerting

I am looking to centralize the alerts, monitoring, etc ideally into something like Grafana, or if the ecosystem can do this for us, that is also fine.

  • Monitor the status of a wired & wireless backup internet connection (I need to see if the backup goes down before there is a primary failure).
  • Monitor the status of a UPS system. I want to see when there is power and when not how much backup time is available.
  • Both real-time alerting is required as well as viewing historic data to notice any trends (e.g. how long do power outages last on average, do we need a bigger UPS, how reliable are the ISPs; latency monitoring would also be useful).

I have played around with pfSense and tunnels, with SNMP, etc. I can make it work; however, there is too much technical overhead required for management, a lack of centralized cloud management and too much complexity for end-user setup.

Meraki and Ubiquiti seem like OK options, but I really don't know enough about what better solutions may be available, or, within these specific brands, what combinations would work best. I am also not looking at spending thousands per deployment.

Thanks in advance.



Multicast Routing Troubleshooting

I have a new application which requires multicast routing between a few subnets. This is my first time configuring Multicast routing in a production environment.

We have elected to use PIM Sparse Mode and a static RP configuration. The L3 VLAN Interfaces all live on a Cisco 4500X VSL Stack. These interfaces are already routing Unicast traffic.

I have configured IP multicast routing on the core switch using the ip multicast-routing command, and specified the static RP address using the ip pim rp-address x.x.x.x command. The RP address is a Loopback interface on the same core switch stack. I have configured PIM Sparse Mode using the ip pim sparse-mode command on each of the applicable VLAN interfaces and RP LO Interface.

After configuration, I attempted to test multicast using a pair of devices running a multicast testing tool (one server and one client). The client PC is not receiving any multicast traffic, except when on the same subnet as the server. The multicast group address (239.0.1.2) is also not appearing in the output of show ip igmp groups on the L3 core switch. IGMPv2 is enabled on all of the associated L3 interfaces. All of the enabled interfaces do appear in the output of the show ip pim interface command.

Did a bit of Wireshark inspection as well... I am seeing the IGMP group join messages coming from the client device, and the MC traffic sourced from the server. It does not appear the MC stream is making it to the client subnet at all, though.

I have a feeling there may be something else required to make multicast work, that I have missed. Any ideas or troubleshooting next-steps would be appreciated.



Is possible to apply VLAN segregation with layer2 switch?

Hi all,

On my project I have to implement network segregation (logical or physical).

The problem is that they only have a FortiSwitch 148E, which is a layer 2 switch.

So as far as I know it is not possible to use this switch for VLAN implementation and segregation, because it allows only INTRA-VLAN communication and not INTER-VLAN (between 2 different VLANs).

The only way is through physical segregation, right? Or is there some way to go on with logical?

Also, on the Fortinet site they report for this switch:

- VLANs Supported

Does that mean it supports INTRA-VLAN communication? Because it's a little misleading.

thanks in advance!!



Retro-networking Question: PRI over ethernet

(This is a hypothetical/play/homelab/fun question and not for any production use, as I know PRI/T1 are fairly obsolete-ish, but it does involve enterprise networking, and may be of use to someone in real use cases.)

Just curious if there is a piece of gear I can get that can adapt a PRI to IP without using SIP? An example use case would be two legacy PBXs on the same property but in different physical locations. I know I can use a crossover cable, but let's say I needed to use wireless, like Wi-Fi, to connect the two. (Again, this is just for fun, not for real-life/daily use.)

I understand there's carrier-grade gear to do this currently, as it's how most PRIs are delivered these days, but I'm not sure if there's something I would be able to use without some kind of concentrator/etc. that would normally be on the CLEC side of things.

Also curious if a standard old Cisco router would accomplish this as well (T1 I can see it working, but what about PRI?). I'm not a Cisco person but I know Cisco treats a T or PRI as serial channels. I think it was common back in the day to set up a Cisco lab to connect 2 T1 access routers together using a T1 crossover cable, but what about doing the opposite and connecting them via ethernet instead?

I also don't want to use a sip channel bank or any sip converters - I'd like the PRI to be a "real" PRI with TDM data and timing, and not SIP.

PBX --> PRI --> Ethernet (WIFI) --> PRI --> PBX

I suppose I could use 2 Asterisk instances with PRI cards, but not sure that would keep the PRI pure, as it would have to use some interim channel protocol like SIP or ZAP, like this:

PBX #1 <-- PRI --> PRI Card (Asterisk) <----> SIP/ZAP <----> Asterisk (PRI Card) <-- PRI--> PBX #2