Moronic Monday! Networking |
- Moronic Monday!
- Ubiquiti Firmware with mandatory device metrics
- Is it possible to have the Tunnel Transport MTU larger than 1500 bytes?
- SYNFLOODs from AWS & other networks (Germany or whole Europe)?
- What VLAN for switch/router mgmt ports, iLO/out-of-band-mgmt, VMware ESXi etc?
- Working for Juniper JTAC
- Searching for a central manageable layer 2 network switch
- is there a way to stick to one port in a tcp connection?
- Iptables rules generator
- Build Yang data model
- Eve-NG - only IOL images work (and nothing else)
- Tagged or Untagged Ethernet Circuit
- Naming convention for your devices?
- ACL troubleshooting
- How do you protect yourself from misunderstandings and misinformation?
- Cross posted on r/Ubiquiti - Routing help!
- Vlan routing issue with SG300 and XS728T switches
- Cisco Industrial Ethernet Switches
- HP Procurve Firmware updates -
- OOBM design brain fart. Can't route.
- Detecting whether a given server is locally hosted
- FortiHell
- Troubleshooting Client connection (mac filtering enabled)?
- Looking for options for small business firewall
Moronic Monday! Posted: 03 Nov 2019 05:04 PM PST It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask! Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected. [link] [comments] |
Ubiquiti Firmware with mandatory device metrics Posted: 04 Nov 2019 02:38 AM PST Since some people here might be using the products from Ubiquiti for small installs / branch offices I wanted to share this, because the fact and the way UI handled this honestly shocked me. Ubiquiti has included a phone-home "feature" in all their devices in their new firmware. This "feature" transmits all of the device metrics, including sensitive data like type and time of all connected devices, first 8 digits of the MAC addresses, transferred data amount and speed. And no, this is not optional or connected to the automatic firmware update feature. ALL devices with the current firmware do this! Even if you block the access points but still have a USG - it collects the data from them, circumventing the firewall.
Here is a link to a thread detailing some of the ways they messed up. Honestly I don't trust the company any more and as a result will not use their products in any new installs. Also I have to inform some people here that their new policy is not compatible with European data protection law and thus their network needs to be significantly - imagine their joy in that... At least all be warned not to update to this firmware since downgrade is difficult and at the moment the only short term solution [link] [comments] |
Is it possible to have the Tunnel Transport MTU larger than 1500 bytes? Posted: 04 Nov 2019 11:30 AM PST Two Cisco routers have a VPN connection between them. The IP transport between their tunnel source interfaces fully supports Jumbo 9000-byte packets. You can ping from one router to the other with DF bit and a jumbo sized packet. Yet, the tunnel transport MTU is 1472 and I don't know how to change this. Does Cisco lock 1500 bytes - overhead? I was under the impression it would use the source interface's MTU, but that doesn't appear to be the case. IP MTU on the tunnel interface doesn't appear to affect the "tunnel transport MTU". Trying to avoid fragmentation - as we should be able to fit a full 1500 byte packet with the additional headers across this link. [link] [comments] |
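Added example, not from the post: a calculator for the wire size of an inner packet carried as GRE inside ESP, using the standard header sizes (20-byte IPv4, 4-byte GRE without key or sequence options, ESP with AES-CBC's 16-byte IV and block size and a 12-byte HMAC-SHA1-96 ICV; pass other values for other suites). The largest inner packet for a given transport MTU is found by search rather than subtraction because ESP pads to the cipher block size, so the overhead is not a constant.

```python
"""Added example: size the encapsulation overhead of a GRE-over-IPsec tunnel.

Not from the post.  Header sizes are the standard ones: 20-byte IPv4,
4-byte GRE (no key/sequence options), ESP with 8-byte SPI+sequence,
a 16-byte IV and 16-byte block (AES-CBC) and a 12-byte ICV (HMAC-SHA1-96);
the keyword parameters let you plug in other cipher suites.
"""
IPV4_HEADER = 20
GRE_HEADER = 4


def gre_encap(inner_len, key=False, seq=False):
    """Bytes on the wire for an inner packet after GRE + outer IPv4."""
    return inner_len + GRE_HEADER + 4 * key + 4 * seq + IPV4_HEADER


def esp_encap(payload_len, iv=16, block=16, icv=12, tunnel_mode=False):
    """Bytes on the wire after ESP: SPI+seq, IV, padded payload + trailer, ICV.

    The 2-byte trailer (pad length, next header) is included before rounding
    up to the block size, which is why the overhead varies with payload length.
    """
    padded = -(-(payload_len + 2) // block) * block
    return (IPV4_HEADER if tunnel_mode else 0) + 8 + iv + padded + icv


def outer_size(inner_len, **esp):
    """Total size of an inner packet carried as GRE inside ESP (transport mode)."""
    return esp_encap(gre_encap(inner_len), **esp)


def max_inner(transport_mtu, **esp):
    """Largest inner packet that fits `transport_mtu` without fragmentation."""
    size = transport_mtu
    while size > 0 and outer_size(size, **esp) > transport_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    print("1500-byte inner over GRE/ESP:", outer_size(1500))
    print("largest inner over a 1500-byte transport:", max_inner(1500))
    print("largest inner over a 9000-byte transport:", max_inner(9000))
```

With these parameters a full 1500-byte inner packet becomes 1572 bytes on the wire, which fits comfortably in a 9000-byte transport; the same function shows why a 1500-byte transport carries only about 1430 bytes of inner payload once GRE and ESP are stacked.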
SYNFLOODs from AWS & other networks (Germany or whole Europe)? Posted: 04 Nov 2019 06:29 AM PST Hi, we are seeing on nearly every public-facing machine in our globally routed network, and on some virtual machines in other networks in Germany, not a small amount of SYN floods (~100 p/s per host) from mostly AWS (and some shady eastern European) network(s) [1]. All requests are for now directed to 22, 80 and 443. The strange part is that I receive these "floods" also on my private (v)servers and my private internet connection. Are you seeing the same and does anybody have information about this "flooding"? best xiconfjs [1] some IPs/nets (the last 2 are the most active for us at the moment): UPDATE (2019-11-04 16:00 UTC): reported these problems to the Amazon abuse team. They are on it. [link] [comments] |
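Added example, not part of the post: a small Python scorer that takes packet or flow records and reports which sources send bare SYNs (SYN without ACK) to 22, 80 and 443 faster than a threshold, then collapses the hits into /24s for an abuse report. The record layout and the traffic in make_sample() are constructed for this example using RFC 5737 documentation prefixes; the post's own address list is not reproduced here.

```python
"""Added example: rank sources by bare-SYN rate to watched ports.

Records are (timestamp_seconds, src_ip, dst_port, tcp_flags) tuples, the
fields a flow exporter, packet capture or firewall log can provide.  The
sample is constructed for this example with RFC 5737 documentation
prefixes, not the addresses from the post.
"""
from collections import Counter, defaultdict
from ipaddress import ip_network

WATCHED_PORTS = {22, 80, 443}          # the ports the post reports being hit


def is_bare_syn(flags):
    """A SYN without ACK: the first packet of a handshake, or a flood packet."""
    return "S" in flags and "A" not in flags


def syn_rates(records, window=1.0):
    """Return {src: highest bare-SYN count seen in any `window`-second bucket}."""
    buckets = defaultdict(Counter)
    for ts, src, dport, flags in records:
        if dport in WATCHED_PORTS and is_bare_syn(flags):
            buckets[src][int(ts // window)] += 1
    return {src: max(counts.values()) for src, counts in buckets.items()}


def flag_sources(records, threshold=50, window=1.0):
    """Sources whose peak bare-SYN rate reaches `threshold` per window."""
    return sorted(src for src, rate in syn_rates(records, window).items()
                  if rate >= threshold)


def aggregate_by_prefix(sources, prefixlen=24):
    """Collapse flagged hosts into prefixes so an abuse report can name a netblock."""
    prefixes = Counter()
    for src in sources:
        prefixes[str(ip_network(f"{src}/{prefixlen}", strict=False))] += 1
    return prefixes


def make_sample():
    """Constructed traffic: two flooding hosts in one /24 and one normal client."""
    records = []
    # 120 bare SYNs to 443 inside the first second (about the ~100 p/s the post sees)
    records += [(i / 120, "203.0.113.10", 443, "S") for i in range(120)]
    # 80 bare SYNs to 22 inside the first second from a neighbour in the same /24
    records += [(i / 80, "203.0.113.11", 22, "S") for i in range(80)]
    # a normal client: one handshake per second to 443 for three seconds
    for t in range(3):
        records += [(t, "198.51.100.5", 443, "S"), (t + 0.01, "198.51.100.5", 443, "A")]
    return records


if __name__ == "__main__":
    sample = make_sample()
    flagged = flag_sources(sample)
    print("flagged:", flagged)
    print("per /24:", dict(aggregate_by_prefix(flagged)))
```

Feed it records from a capture or flow export with the same four fields: a normal client tops out at a handful of bare SYNs per second, whereas a flood source shows a sustained count in the hundreds. The ratio of bare SYNs to completed handshakes is also what SYN cookies and per-source connection-rate limits act on, so the same numbers justify tuning those on the exposed hosts.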
What VLAN for switch/router mgmt ports, iLO/out-of-band-mgmt, VMware ESXi etc? Posted: 04 Nov 2019 03:10 PM PST Do you have a dedicated "admin" VLAN that has all the goodies in one place? Thinking: - admin interface for switches/routers/firewalls - admin console for VMware ESXi - HP iLO out-of-band server (KVM-style) mgmt Would you want to isolate those things from each other for any reason? [link] [comments] |
Working for Juniper JTAC Posted: 04 Nov 2019 08:11 AM PST I am a Network Engineer with 6 years' experience and a current salary of 115K. If I go for JTAC and get 140-145K, would it be worth going into a support job? I also see it as a way to learn Juniper, and to get my foot in the door. If I end up going for it, maybe I stay in that role for a couple of years before making a transfer internally. Now the question is, will I lose my sanity along the way and is that worth it? [link] [comments] |
Searching for a central manageable layer 2 network switch Posted: 04 Nov 2019 12:43 PM PST Hi, currently I'm running a few Netgear and D-Link smart managed switches. As I only need basic layer 2 functionality (VLAN, STP) they fit quite well, except for the point that they are not centrally manageable. I know that there are fully manageable switches out there from Aruba, Cisco and so on, but they all have a ton of functions with a price to match and I don't need these functions. So, my question is: do you know a switch manufacturer who offers basic layer 2 switches with central management capabilities like a REST API? Thanks [link] [comments] |
is there a way to stick to one port in a tcp connection? Posted: 04 Nov 2019 02:49 PM PST Hi, let's suppose I am receiving data from a web server. Is there a way to stick to one client port all the time? For instance: server:80 -> client:50568; after ~50s: server:80 -> client:50664. Is there a way to avoid the change from 50568 to 50664? Notice I have control of everything: client, server, LAN (I am doing an experiment). If you're familiar with iperf, it's easy to do that with the -p option in the client... But I am doing some experiments with video streaming and I automate sessions using a Firefox driver for Selenium in Python. Idk who changes that, I imagine it's the OS (the client is a Linux machine). I guess it could be the application as well (my Python scripts). Anyway, is there a way to use a fixed port in the client, or at least stop the client from changing its port every now and then? Thank you! [link] [comments] |
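Added example, not from the post: the reliable way to keep a client on one source port is to bind() the socket to that port before connect(). Without the bind, the kernel allocates a fresh ephemeral port for every new connection, so each time the browser opens a new connection the client port changes. The code runs against a loopback server so it works offline; port 50568 is the number from the post and is assumed to be free on the machine.

```python
"""Added example: pin a TCP client's source port by binding before connect().

Not from the post.  It runs against a loopback server so it works offline;
local port 50568 is taken from the post and assumed to be free here.
"""
import socket
import threading


def connect_from_port(host, port, local_port):
    """Open a TCP connection whose source port is `local_port`.

    Without bind() the kernel picks an ephemeral port at connect() time, so an
    unpinned client shows a different port on every new connection.
    SO_REUSEADDR lets the bind succeed while an earlier connection from the
    same port is still in TIME_WAIT.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", local_port))
    sock.connect((host, port))
    return sock


def _serve_once(listener, seen):
    """Accept one client, record the source port it arrived from, reply."""
    conn, peer = listener.accept()
    with conn:
        seen.append(peer[1])
        conn.sendall(b"hello")


def demo(local_port=50568):
    """Return (client port as the client sees it, as the server sees it, data)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))          # any free server port
    listener.listen(1)
    listener.settimeout(5.0)                 # so a failed connect cannot hang accept()
    server_port = listener.getsockname()[1]
    seen = []
    worker = threading.Thread(target=_serve_once, args=(listener, seen))
    worker.start()
    try:
        with connect_from_port("127.0.0.1", server_port, local_port) as client:
            client_port = client.getsockname()[1]
            data = client.recv(16)
    finally:
        worker.join()
        listener.close()
    return client_port, seen[0], data


if __name__ == "__main__":
    print(demo())
```

A Selenium-driven Firefox does not expose this bind, so the pin only helps for a client you write yourself. Even then, TCP may refuse to reuse an identical four-tuple while the previous connection is still in TIME_WAIT, so the pin is dependable for one live connection at a time rather than for rapid reconnects to the same server port.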
Iptables rules generator Posted: 04 Nov 2019 09:22 AM PST Hi all, We're starting to think about how we can write iptables rules in the clearest and cleanest way possible, and then generate them based on a configuration file. We're at the point where we're thinking about a kind of CSV file like: We're really at point zero on this but I was wondering if something hasn't already been done which would look like that. We know iptables wrappers like ferm or ufw but we are unsure about using them. What do you think? [link] [comments] |
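Added example of the CSV-driven approach the post describes, not the poster's tool: each row names a chain, protocol, source and destination CIDR, destination port, action and comment; every field is validated before anything is rendered, and the output is an iptables-restore table rather than a list of iptables commands, so the policy is applied atomically and a bad row aborts the load instead of leaving a half-applied ruleset. The column layout and the SAMPLE_CSV rows are assumptions made for this example.

```python
"""Added example: generate an iptables-restore ruleset from a CSV policy.

Not the poster's tool; the CSV columns and sample rows are constructed for
this example.  Rows are validated (chain, protocol, CIDRs, port, action,
comment) so a typo cannot silently widen a rule.
"""
import csv
import io
from ipaddress import ip_network

CHAINS = {"INPUT", "FORWARD", "OUTPUT"}
PROTOS = {"tcp", "udp", "icmp", "any"}
ACTIONS = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample policy; the column layout is an assumption, not from the post.
SAMPLE_CSV = """chain,proto,src,dst,dport,action,comment
INPUT,tcp,10.0.0.0/8,any,22,ACCEPT,ssh from corp
INPUT,tcp,any,any,443,ACCEPT,https
INPUT,udp,192.0.2.0/24,any,53,DROP,no dns from lab
INPUT,icmp,any,any,,ACCEPT,ping
"""


def _cidr(value, line):
    """Normalise a CIDR or the keyword 'any'; reject anything else."""
    if value == "any":
        return "any"
    try:
        return str(ip_network(value, strict=False))
    except ValueError:
        raise ValueError(f"line {line}: bad address {value!r}") from None


def parse_rules(text):
    """Parse CSV text into validated rule dicts; raise ValueError on a bad row."""
    rules = []
    for line, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        chain = row["chain"].strip().upper()
        proto = row["proto"].strip().lower()
        action = row["action"].strip().upper()
        port = row["dport"].strip()
        comment = row["comment"].strip()
        if chain not in CHAINS:
            raise ValueError(f"line {line}: unknown chain {chain!r}")
        if proto not in PROTOS:
            raise ValueError(f"line {line}: unknown protocol {proto!r}")
        if action not in ACTIONS:
            raise ValueError(f"line {line}: unknown action {action!r}")
        if port and proto not in ("tcp", "udp"):
            raise ValueError(f"line {line}: dport needs tcp or udp")
        if port and not 1 <= int(port) <= 65535:
            raise ValueError(f"line {line}: port out of range")
        if '"' in comment or len(comment) > 255:
            raise ValueError(f"line {line}: comment must be short and contain no quotes")
        rules.append({"chain": chain, "proto": proto,
                      "src": _cidr(row["src"].strip(), line),
                      "dst": _cidr(row["dst"].strip(), line),
                      "dport": int(port) if port else None,
                      "action": action, "comment": comment})
    return rules


def rule_to_iptables(rule):
    """Render one validated rule as an iptables-restore line."""
    parts = ["-A", rule["chain"]]
    if rule["proto"] != "any":
        parts += ["-p", rule["proto"]]
    if rule["src"] != "any":
        parts += ["-s", rule["src"]]
    if rule["dst"] != "any":
        parts += ["-d", rule["dst"]]
    if rule["dport"] is not None:
        parts += ["--dport", str(rule["dport"])]
    if rule["comment"]:
        parts += ["-m", "comment", "--comment", f'"{rule["comment"]}"']
    parts += ["-j", rule["action"]]
    return " ".join(parts)


def render_restore(rules):
    """Full filter table: default-deny inbound, loopback and established first."""
    lines = ["*filter",
             ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
             "-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    lines += [rule_to_iptables(r) for r in rules]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_restore(parse_rules(SAMPLE_CSV)), end="")
```

Pipe the output through iptables-restore --test before applying it. The base rules accept loopback and established traffic and set INPUT to DROP by default, which is the safe order for a generated policy: anything the CSV forgets is denied rather than allowed.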
Build Yang data model Posted: 04 Nov 2019 08:14 AM PST I wanted to reach out and see if anyone has had any success taking the plain .txt-based running-config from enterprise network gear and, through Python or another coding method, converting it to a YANG data model to use for automated network management? As most folks do, we have a large deployment of multiple vendors. I am working on building our automation solution and one key step in this is to get away from "old school" config management and move toward model-driven configuration management. This will require hand-converting what can't be pulled through NETCONF and RESTCONF methods already. We've already automated several tasks such as large-scale local break-glass account resets and large-scale updates such as ACLs and VLANs, but we have many other items that are much easier to accomplish with model-driven configuration management. The preferred language for this would be Python as that is what I am comfortable developing in; however, I am not opposed to learning other languages as well. [link] [comments] |
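Added example, not the poster's code, of the conversion step the post asks about: parse the interface stanzas of an IOS-style running-config and emit them in the ietf-interfaces (RFC 8343) and ietf-ip (RFC 8344) JSON layout, which is what a NETCONF/RESTCONF client would push to a model-driven device. The SAMPLE_CONFIG text and the prefix-to-iana-if-type table are constructed assumptions; anything in a stanza that has no home in those two models is dropped rather than guessed.

```python
"""Added example: lift IOS-style interface stanzas into an ietf-interfaces /
ietf-ip shaped JSON document (RFC 8343 / RFC 8344 naming).

Not the poster's code.  The config text is constructed; the mapping from
interface-name prefixes to iana-if-type identities is an assumption that
covers only the prefixes listed in IF_TYPES.
"""
import json
from ipaddress import IPv4Network

IF_TYPES = {                       # assumed prefix -> iana-if-type identity
    "GigabitEthernet": "iana-if-type:ethernetCsmacd",
    "FastEthernet": "iana-if-type:ethernetCsmacd",
    "Loopback": "iana-if-type:softwareLoopback",
    "Vlan": "iana-if-type:l3ipvlan",
}

SAMPLE_CONFIG = """\
hostname core-1
!
interface GigabitEthernet0/1
 description uplink to fw-1
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/2
 description unused
 shutdown
!
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
"""


def interface_blocks(text):
    """Yield (name, [stanza lines]) for every 'interface X' block."""
    name, body = None, []
    for raw in text.splitlines():
        if raw.startswith("interface "):
            if name:
                yield name, body
            name, body = raw.split(None, 1)[1], []
        elif name and raw.startswith(" "):
            body.append(raw.strip())
        else:                       # '!' or a top-level command ends the stanza
            if name:
                yield name, body
            name, body = None, []
    if name:
        yield name, body


def if_type(name):
    """Pick the iana-if-type identity from the interface name prefix."""
    for prefix, identity in IF_TYPES.items():
        if name.startswith(prefix):
            return identity
    raise ValueError(f"no iana-if-type mapping for {name!r}")


def block_to_yang(name, body):
    """Map one stanza onto an ietf-interfaces list entry (plus ietf-ip ipv4)."""
    entry = {"name": name, "type": if_type(name), "enabled": True}
    addresses = []
    for line in body:
        words = line.split()
        if words[0] == "description":
            entry["description"] = line.split(None, 1)[1]
        elif words[0] == "shutdown":
            entry["enabled"] = False
        elif words[:2] == ["ip", "address"] and len(words) == 4:
            net = IPv4Network(f"{words[2]}/{words[3]}", strict=False)
            addresses.append({"ip": words[2], "prefix-length": net.prefixlen})
        # anything else (switchport, spanning-tree, ...) has no ietf-ip home
    if addresses:
        entry["ietf-ip:ipv4"] = {"enabled": True, "address": addresses}
    return entry


def config_to_yang(text):
    """Return the ietf-interfaces JSON tree for a running-config."""
    return {"ietf-interfaces:interfaces": {
        "interface": [block_to_yang(n, b) for n, b in interface_blocks(text)]}}


if __name__ == "__main__":
    print(json.dumps(config_to_yang(SAMPLE_CONFIG), indent=2))
```

The useful property is the round trip: once the data is in the model, a device that implements ietf-ip can receive it through RESTCONF, and the same document can be diffed against what the device reports, which is what leaving text configs behind buys you.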
Eve-NG - only IOL images work (and nothing else) Posted: 04 Nov 2019 11:51 AM PST I'm running Eve-NG on ESXi 6.0. I can use IOL images for Cisco L2 and L3 but absolutely nothing else works: Nexus, Fortinet, MikroTik or even Cisco vIOS etc. They show as 'starting' but they never do. Followed all instructions to the letter. Thinking it must be my environment that can't do the specifics maybe, but what... Any ideas? [link] [comments] |
Tagged or Untagged Ethernet Circuit Posted: 04 Nov 2019 06:11 AM PST Just want to check with you guys if there are any advantages to getting a circuit tagged instead of native. We have about 50 MPLS circuits and deliveries are not very consistent. Some Ethernet circuits go native and some are configured with a dot1q tag. The only thing I can think of for using a tagged Ethernet circuit is the CoS field on L2, but our L3 ToS byte is being marked anyway. Getting the circuit tagged also adds a 4-byte additional header. Which is the better way to go for MPLS connectivity then, just to keep things consistent moving forward? Thanks! [link] [comments] |
Naming convention for your devices? Posted: 04 Nov 2019 07:39 AM PST As the title states, how do you name your networking devices? Currently we do it differently depending on the type of equipment. rtr-1.street.city.technology.dns-suffix - this would be a typical CPE name. fw-1.customer.dns-suffix - a firewall could be placed anywhere :/. nex-1.datacenter-room.dc-location.dns-suffix (could be a datacenter switch where customers or shared services are connected). My biggest problem is that we have been part of a company merger, 6 smaller ones becoming 1 big one. And to this day, a few years later, we still use different naming conventions. Seems like a subject everybody is afraid to talk about. [link] [comments] |
ACL troubleshooting Posted: 04 Nov 2019 01:22 PM PST On a Nexus 7k, I have unique PACLs applied to two L2 interfaces that are part of the same VLAN and on the same line card. On one of the interfaces the ACL is working as expected. On the other...it's not working as intended. For example, the first entry on both ACLs is identical, and allows ICMP between the device connected to the interface and a specific subnet. On interface A I see the counters increasing when pinging the server that is connected to it from the subnet that is specified in the ACL entry. On interface B I do not see the counters increasing when pinging the server that is connected to it from the subnet that is specified in the ACL entry....and I'm actually able to ping the server from any subnet. This would seem to indicate the ACL isn't being used to evaluate the ICMP replies on interface B. However....I know the ACL is partially working...because further down there are rules that do have increasing counters. Also, I have a rule on interface B that says that the connected server is allowed to communicate to a specific host inside a given subnet...three hosts in that subnet (that were not included in the ACL rule) were still able to communicate with the server though. A 4th host inside that same subnet was not able to....but once I specifically added that host to the ACL then it was able to. I know it sounds like a misconfiguration, but I can guarantee that the 2 ACLs are configured similarly and correctly...they aren't long or complicated ACLs. I've spent the last 2 days reading and testing and can't figure out what's going on....unfortunately I don't have SmartNet on this switch so I can't open a TAC case. Curious if anyone here has any ideas or has ever run into a bug with ACLs? Here's a very simplified illustration - https://imgur.com/tj77lfq [link] [comments] |
How do you protect yourself from misunderstandings and misinformation? Posted: 04 Nov 2019 03:57 PM PST I am currently putting in place a firewall solution to filter inbound traffic to some devices. All traffic outbound from these devices is allowed. I have explained this in simple terms to those that really don't understand networking. But it's becoming obnoxious how they are blaming me for issues that are not at all present on other devices that are in the same VLAN. "Can't access this website, can you permit it?" I check other PCs in the same VLAN have access. "Not me buddy, check with the website admins or check with desktop services." That's just one of a few. [link] [comments] |
Cross posted on r/Ubiquiti - Routing help! Posted: 04 Nov 2019 02:35 PM PST Hey Everyone, This is mostly with Ubiquiti gear but I thought the masses here might be more straightforward from a routing perspective. Here is a breakdown of my setup:
Ubiquiti USG: WAN = 192.168.X.Y/32 (connected to eth1 on the EdgeRouter); LAN = 10.0.X.Y/16 (multiple VLANs) and 192.168.Z.Y/24 (Mgmt)
EdgeRouter: eth0 = WAN1; eth1 = LAN1 (192.168.X.X - connected to WAN on USG); eth2 = WAN2; vti0 = AWS VPN Tunnel 0 (169.254.X.X/30); vti1 = AWS VPN Tunnel 1 (169.254.X.Y/30)
AWS: VPC = 10.1.X.Y/16, other end of the AWS VPN Tunnel
Issue: I'm trying to get my 10.0.X.X/16 network on my USG to talk to my 10.1.X.X/16 network in AWS. I have a VPN tunnel up between AWS and the EdgeRouter, but I'm not sure what route statements to put where to get the traffic where it needs to go. (For security precautions, the network subnets are changed - but they still represent my dilemma accurately.)
My current thought process:
- The USG should automatically send the 10.1.X.X request out the WAN (could be wrong)
- On the EdgeRouter I should require a route statement for 10.1.X.X to use the 169.254.X.X/30 (or the VTI interface? not sure) as well as a 10.0.X.X to 192.168.Y.X (WAN) to route return traffic to the USG - but up to this point this has not worked (routes currently removed)
- AWS would need a static route back to 10.0.X.Y/16 to the tunnel
1 - I have no static routes currently entered on any of the above devices/networks (clean slate)
2 - While the above makes sense to me, when I populate my proposed routes, I do not get pings/traffic as assumed.
3 - USG and EdgeRouter explanation below.
Any help would be great! Backstory if required: Could not get the AWS VPN from USG to AWS working. With the EdgeRouter, the VPN works, but passing traffic has been a nightmare.
I plan on trying again with the AWS VPN on the new USG-PRO I got - and remove the EdgeRouter from the equation - but in the meantime, I need help with this, as that project is down the pipe a bit further. Again, any help would be greatly appreciated! [link] [comments] |
Vlan routing issue with SG300 and XS728T switches Posted: 04 Nov 2019 12:51 PM PST So I have a Cisco SG300 and a Netgear XS728T. The SG is static'd on VLAN 1, the XS is static'd on VLAN 40 and I can reach the XS just fine, both ICMP and HTTPS. However a device I static'd on VLAN 30 is inaccessible on the XS. I have added all VLANs as tagged to the requisite ports from the firewall down (the FW is acting as the L3 device). If I static a device on any tagged VLAN then hang it off the SG directly I can reach it. But in this case, a new QNAP NAS on VLAN 30, I cannot ping it nor can the Qfinder app see it. I uplinked its secondary NIC and left it on DHCP for VLAN 1; it pulled a valid address and was discoverable. The XS and SG are uplinked via 1G fiber SFP; I just verified those two ports are set to untagged VLAN 1, tagged VLANs 20, 30 and 40. Also the firewall LAN interface is set to U VLAN 1 / T VLAN 20,30,40. For the life of me I cannot figure this out and I know it's something stupid. EDIT: Diagram here: https://imgur.com/gallery/8ZETlqb [link] [comments] |
Cisco Industrial Ethernet Switches Posted: 04 Nov 2019 08:43 AM PST Has anyone deployed any of the Cisco Industrial Ethernet switches? Our mine is wanting us to deploy these because they will rack up with the existing equipment they have. Here is a link to Cisco's page on them: https://www.cisco.com/c/en/us/products/switches/industrial-ethernet-switches/index.html Looking at the site they should work fine. I just wanted to check with you guys as well. Thanks for your input. [link] [comments] |
HP Procurve Firmware updates - Posted: 04 Nov 2019 08:13 AM PST Hey All, I have a number of switches at my new employer that are REALLY out of date (like, 2014 out of date). I'm having trouble with HP's firmware update site - some switches show stuff like this:
If your software version is: | Your next step should be:
K.11.11 through K.12.29 | Update and reload into software version K.12.31 or K.12.62 (BootROM K.11.00 - K.11.03)
K.12.31 through K.13.55 | Update and reload into software version K.13.58 or K.13.68 (BootROM K.12.12 - K.12.14)
K.13.58 or newer | Update into software version K.15.15.xxxx (BootROM K.12.17 or newer; use "show flash" command) (BootROM K.15.30)
K.15.15.xxxx - K.15.16.xxxx | Update into software version K.15.17.xxxx or K.15.18.xxxx
K.15.17.xxxx - K.16.01.xxxx | Update directly into software version K.16.02.xxxx
Whereas some of them don't. If they're not showing this, can I just update straight to the latest firmware, or am I still likely to need to do this in steps? [link] [comments] |
OOBM design brain fart. Can't route. Posted: 03 Nov 2019 03:52 PM PST Hello network gods. Building up a new greenfield and spending some time making a robust OOBM between two sites. Need guidance as to what I'm doing wrong. Two sites, two OOBM switches in each site. L2 and L3 within each site. L3 OSPF between sites. Attached is a diagram of the design and current config. I'm having issues being able to route from one site to the other. Site 1 being 10.x.18.0/24, Site 2 being 10.x.19.0/24. Anyone able to point me in the right direction? Diagram: https://imgur.com/a/9BP7lTO
IPN101 Config
show ip route vrf OOBM
IPN101 ping to Site B 10.x.19.1 HSRP address
IPN101 traceroute to 10.x.19.1 HSRP address - Shouldn't this traceroute be 2 hops?
IPN201 show ip route vrf OOBM
IPN201 ping to Site A 10.x.18.1 HSRP address
IPN201 traceroute to 10.x.18.1 HSRP address - Shouldn't this traceroute be 2 hops?
IPN102 show ip route vrf OOBM
IPN102 ping to Site B HSRP address
IPN102 traceroute to 10.x.19.1 Site B HSRP address - Shouldn't this be two hops, via the OSPF interlinks?
IPN202 show ip route vrf OOBM
IPN202 ping to Site A 10.x.18.1 HSRP address
IPN202 traceroute to Site A 10.x.18.1 HSRP address - Shouldn't this be two hops, via the OSPF interlinks? [link] [comments] |
Detecting whether a given server is locally hosted Posted: 04 Nov 2019 10:51 AM PST Hello /r/networking As part of solving a larger problem, it would be useful for me to find web servers which are hosted locally - i.e: not in a data center, but on the premises of a business. Are there any hallmarks of a site or server which is hosted on-premises, vs hosted on "the cloud"? Are there any ways to scan for hosts of this kind? [link] [comments] |
FortiHell Posted: 04 Nov 2019 10:20 AM PST Has anyone ever seen an issue on a FortiGate (virtual appliance in this case) where the firewall can only intermittently reach/ping resources on the same subnet as its main LAN interface? I.e. 2 pings out of 30 will succeed, the rest fail. Everything worked yesterday and this morning it's hell on earth... EDIT: Resolved. Out of the blue, the service provider called and told me they applied a change 6 hours ago that was supposed to be done later this week (and coordinated with 3 other people)... [link] [comments] |
Troubleshooting Client connection (mac filtering enabled)? Posted: 04 Nov 2019 05:51 AM PST Hi All, I'm troubleshooting a case where a guest client can't access the portal from its browser. The AP is in local mode so traffic is passing through the CAPWAP tunnel and we are filtering using an external server, ISE. Now, this setup worked before; then the issue popped up today that all clients can't authenticate. From the client we are able to get an IP from the AP and can resolve the portal address, but can't fully access the portal and it has no display in the guest client's browser. Note: this is Cisco WLC and APs. Question:
State is:
Client State..................................... Associated
Policy Manager State............................. CENTRAL_WEB_AUTH
AAA URL redirect................................. https:xxxxxxxxxxx
From the client MAC address debug:
*Dot1x_NW_MsgTask_5: Nov 04 13:13:53.571: [PA] 1x: EAPOL frame with dst MAC 00:ea:bd:b1:71:20 and BSSID 00:ea:bd:ae:ab:40 discarded
*Dot1x_NW_MsgTask_4: Nov 04 13:17:24.185: [PA] 1x: EAPOL frame with dst MAC 00:ea:bd:a6:03:60 and BSSID 00:ea:bd:b1:84:e0 discarded
Thanks [link] [comments] |
Looking for options for small business firewall Posted: 04 Nov 2019 08:52 AM PST I have a request to upgrade the infrastructure for a small, slow-growing business. Currently they are utilizing ISP-provided gear. There are ~6-10 users on the network at a given time. They had another vendor quote them a Meraki setup; it seemed a little overkill for what was proposed to them. Normally I would use a SonicWall TZ platform. Looking to see what others might be using for a similar-sized network. Their primary ask, in addition to having a better firewall, is having the ability for VPN access. There are some additional UTM features they would like too. I would like to find them something that is not so dependent on a subscription-based platform like Meraki products. Thank you in advance. [link] [comments] |