
    Thursday, April 19, 2018

    FreeZTP: Zero-Touch Provisioning for Cisco IOS Networking

    FreeZTP: Zero-Touch Provisioning for Cisco IOS

    Posted: 18 Apr 2018 10:06 PM PDT

    I finally got around to publishing this project I have been working on for a while.

    It is an open-source zero-touch provisioning system for Cisco IOS which allows you to create unique configs for your switches by serial number. The GitHub page has all the info as well as a link to the install demo video.

    Check out the GitHub Page

    submitted by /u/packetsar
    [link] [comments]

    What does everyone use to test LAN throughput?

    Posted: 19 Apr 2018 07:54 AM PDT

    I am testing a Wi-Fi AP. The datasheet says with Link Aggregation I can achieve speeds up to 2Gbps, and I want to test that it will at least get above 1Gbps as advertised. I have a 10G LAN. Thanks in advance for the advice.

    submitted by /u/Technology_Counselor
    [link] [comments]

    What would be the best way to have close to 30 Ethernet connected IoT devices spread over a large area?

    Posted: 19 Apr 2018 01:39 PM PDT

    I cannot use any type of wireless technology for this project due to regulations. I'm thinking I'll have a Switch at the main data entry point and that will split off into the IoT devices. The problem is that many of them will be greater than 100m away from the Switch and there are no access points that far away. What would be an affordable solution to this? Some kind of ring structure where they are all connected with some kind of signal booster at certain points?

    submitted by /u/hyperformer
    [link] [comments]

    ACL to block networks from seeing each other

    Posted: 19 Apr 2018 10:18 AM PDT

    Hey All,

    Have a question about ACLs. I have one setup on the SVI of vlan 502 that does the following

    Extended IP access list DENY-NETWORKS-IN-ACL

    3 deny icmp any 10.5.4.0 0.0.0.255 (133 matches)

    4 deny icmp any 10.5.20.0 0.0.0.255 (54 matches)

    5 deny icmp any 10.3.20.0 0.0.0.255

    10 permit udp any any eq bootps (3726 matches)

    20 deny ip any 10.5.4.0 0.0.0.255 (21572 matches)

    30 deny ip any 10.5.20.0 0.0.0.255 (115978 matches)

    40 deny ip any 10.3.20.0 0.0.0.255

    50 permit ip any any (176199809 matches)

    On my core switch I have vlan 504 configured with an address of 10.5.4.1 and on my access switch I have vlan 504 configured with an address of 10.5.4.11. These are both the DGs on their respective devices with vlan 504. So everything works great, except that when I do a port scan from the 10.5.2.0 network of the 10.5.4.0 network I get responses from both DGs saying that ports 22 and 443 are open. I would figure that they would be completely blocked but they are responding to the scans. So my questions are...

    - Is this normal behavior since they are gateways?

    - Is there a way to create an ACL so that they aren't responding to scans from the 10.5.2.0 network on 22 and 443?

    submitted by /u/hcyrus68
    [link] [comments]
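    To see what this ACL actually does to the scanner's packets, here is an added example (my code, not the poster's) that parses the entries exactly as "show ip access-lists" prints them, with the match counters, and evaluates a packet against them in order, finishing with the implicit deny. A TCP SYN from 10.5.2.x to 10.5.4.1 port 22 hits entry 20, so a packet that traverses this ACL cannot be answered; if 22 and 443 still respond, the scanner's traffic is reaching the SVI addresses on a path or direction this ACL is not applied to, which is the first thing to verify. The port-name table and the sample packets are assumptions of the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the ACL from the post, in "show ip access-lists" format.
ACL_TEXT = """
3 deny icmp any 10.5.4.0 0.0.0.255 (133 matches)
4 deny icmp any 10.5.20.0 0.0.0.255 (54 matches)
5 deny icmp any 10.3.20.0 0.0.0.255
10 permit udp any any eq bootps (3726 matches)
20 deny ip any 10.5.4.0 0.0.0.255 (21572 matches)
30 deny ip any 10.5.20.0 0.0.0.255 (115978 matches)
40 deny ip any 10.3.20.0 0.0.0.255
50 permit ip any any (176199809 matches)
"""

# Port keywords IOS prints instead of numbers (subset; an assumption of this example).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80, "ssh": 22}


@dataclass
class Ace:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None      # only set when "eq <port>" follows the source
    dport: Optional[int] = None      # only set when "eq <port>" follows the destination


def _addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask (wildcard) in place of a netmask.
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def _port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' qualifier."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name) or int(name), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        line = re.sub(r"\s*\(\d+ matches\)\s*$", "", line.strip())  # drop counters
        t = line.split()
        seq, action, proto = int(t[0]), t[1], t[2]
        src, i = _addr(t, 3)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        aces.append(Ace(seq, action, proto, src, dst, sport, dport))
    return aces


def first_match(acl: List[Ace], proto: str, src: str, dst: str,
                sport: Optional[int] = None, dport: Optional[int] = None) -> Optional[Ace]:
    """Return the first ACE the packet hits, or None for the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace
    return None


def verdict(acl: List[Ace], proto: str, src: str, dst: str,
            sport: Optional[int] = None, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    ace = first_match(acl, proto, src, dst, sport, dport)
    return (ace.action, ace.seq) if ace else ("deny", None)


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # The scanner's SYN to the core SVI: entry 20 drops it.
    print(verdict(acl, "tcp", "10.5.2.50", "10.5.4.1", dport=22))       # ('deny', 20)
    # DHCP to a relay in that subnet: entry 10 lets it through ahead of entry 20.
    print(verdict(acl, "udp", "10.5.2.50", "10.5.4.1", sport=68, dport=67))  # ('permit', 10)
```

    Note that entries 3 to 5 are redundant with 20 to 40 for filtering purposes; they only give ICMP its own counters.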

    VPN for home devices?

    Posted: 19 Apr 2018 03:51 PM PDT

    Are there any good products to protect home devices like consoles etc.? Hardware or software, I'm not bothered.

    submitted by /u/lHombre
    [link] [comments]

    Performance Issues on 10.0.0.0/8

    Posted: 19 Apr 2018 03:39 PM PDT

    I was called to help out a local church with some significant network stability problems; intermittent speed, timeouts, etc. Fairly large, they see around 800-1000 people in a service. Started digging around and discovered they were set up on a 10.0.0.0/8 subnet - I know this makes ARP attacks pretty easy, but could 16 million possible IPs be contributing to the network instability?

    submitted by /u/mrdavecoles
    [link] [comments]

    Very weird internet issue, beyond my ken.

    Posted: 19 Apr 2018 02:57 PM PDT

    Hi. We have a new internet circuit through Verizon (unsure of LEC), business class, 100/100. We get those speeds as long as we stay in the metro NYC area. Once we go out - to California, Chicago, etc - those speeds drop to 10/5.

    Latency cross-coast seems normal, but we aren't used to this. I understand as latency goes up, our throughput goes down, but it shouldn't be like this.

    My best guess is a BGP table entry error somewhere? duplicate paths once we get outside the LEC network? Or maybe a peering choke, but that shouldn't happen with such a small circuit on Verizon, right?

    I have no idea how to troubleshoot this, and Verizon says "you're getting your 100mb, not our issue".

    Thanks in advance. Scary

    edit: traceroutes. latency is 72ms.

    NY to LA:

    C:\Users\username>tracert -d 70.231.54.177

    Tracing route to 70.231.54.177 over a maximum of 30 hops

    1 <1 ms <1 ms <1 ms 192.168.1.3

    2 2 ms 1 ms 1 ms 207.86.176.141

    3 2 ms 2 ms 43 ms 216.156.16.212

    4 2 ms 2 ms 2 ms 216.156.16.133

    5 13 ms 3 ms 3 ms 206.111.13.246

    6 79 ms 70 ms 71 ms 12.122.131.86

    7 71 ms 71 ms 70 ms 12.122.1.2

    8 73 ms 72 ms 70 ms 12.122.2.53

    9 74 ms 71 ms 71 ms 12.122.28.77

    10 74 ms 71 ms 71 ms 12.122.28.46

    11 76 ms 71 ms 77 ms 12.122.1.185

    12 72 ms 74 ms 71 ms 12.122.85.37

    13 * * * Request timed out.

    14 71 ms 70 ms 71 ms 75.20.1.78

    15 * * * Request timed out.

    16 73 ms 72 ms 72 ms 64.148.105.209

    17 72 ms 72 ms 72 ms 104.191.67.108

    18 73 ms 73 ms 72 ms 70.231.54.177

    19 72 ms 72 ms 72 ms 70.231.54.177

    Trace complete.

    LA to NY

    C:\Users\username>tracert -d 207.86.176.142

    Tracing route to 207.86.176.142 over a maximum of 30 hops

    1 <1 ms <1 ms <1 ms 192.168.3.3

    2 <1 ms 205 ms 79 ms 162.195.124.1

    3 2 ms 1 ms 1 ms 64.148.105.208

    4 * * * Request timed out.

    5 4 ms 7 ms 7 ms 12.83.38.201

    6 6 ms 7 ms 7 ms 12.122.128.101

    7 4 ms 4 ms 4 ms 205.158.79.241

    8 70 ms 70 ms 70 ms 207.88.13.10

    9 70 ms 70 ms 70 ms 207.88.12.182

    10 70 ms 70 ms 70 ms 216.156.16.179

    11 72 ms 72 ms 72 ms 207.86.176.142

    12 72 ms 72 ms 72 ms 207.86.176.142

    Trace complete.

    image of d/l test from various AWS points: https://imgur.com/a/ENNrJJn

    submitted by /u/scaryberry
    [link] [comments]
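    As an added example (mine, not the poster's), a parser for the Windows tracert output above that finds where the per-hop RTT jumps, together with the window/RTT bound that links the 72 ms RTT to what one TCP stream can carry. On the NY to LA trace the jump is between hops 5 and 6, i.e. the long-haul segment, which is expected; the more useful number is that with a 64 KiB receive window and 72 ms RTT a single stream tops out near 7.3 Mbit/s no matter how big the circuit is, so the sender and receiver window sizes are worth checking before suspecting routing. The window sizes are assumptions of the example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed from the NY->LA tracert in the post (a subset of hops, same values).
TRACERT_NY_LA = """\
Tracing route to 70.231.54.177 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.3
  2     2 ms     1 ms     1 ms  207.86.176.141
  3     2 ms     2 ms    43 ms  216.156.16.212
  4     2 ms     2 ms     2 ms  216.156.16.133
  5    13 ms     3 ms     3 ms  206.111.13.246
  6    79 ms    70 ms    71 ms  12.122.131.86
  7    71 ms    71 ms    70 ms  12.122.1.2
 13     *        *        *     Request timed out.
 18    73 ms    73 ms    72 ms  70.231.54.177

Trace complete.
"""


class Hop(NamedTuple):
    number: int
    min_rtt_ms: Optional[int]   # None when all three probes timed out
    address: Optional[str]


HOP_LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\S+)\s*$")


def parse_tracert(text: str) -> List[Hop]:
    """Parse 'tracert -d' output; '<1 ms' is counted as 1 ms."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue
        number = int(m.group(1))
        if "Request timed out" in line:
            hops.append(Hop(number, None, None))
            continue
        rtts = [int(v) for v in re.findall(r"<?(\d+) ms", m.group(2))]
        hops.append(Hop(number, min(rtts) if rtts else None, m.group(3)))
    return hops


def largest_rtt_jump(hops: List[Hop]) -> Tuple[int, int, int]:
    """(previous hop, hop, delta ms) for the biggest RTT increase between
    consecutive responding hops; timed-out hops are skipped, not treated as zero."""
    best = (0, 0, 0)
    prev: Optional[Hop] = None
    for hop in hops:
        if hop.min_rtt_ms is None:
            continue
        if prev is not None:
            delta = hop.min_rtt_ms - prev.min_rtt_ms
            if delta > best[2]:
                best = (prev.number, hop.number, delta)
        prev = hop
    return best


def tcp_window_bound_mbps(window_bytes: int, rtt_ms: float) -> float:
    """Upper bound for one TCP stream: window / RTT, in Mbit/s."""
    return window_bytes * 8 / (rtt_ms / 1000) / 1e6


def window_needed_bytes(target_mbps: float, rtt_ms: float) -> int:
    """Receive window one stream needs to sustain target_mbps at rtt_ms."""
    return int(round(target_mbps * 1e6 * (rtt_ms / 1000) / 8))


if __name__ == "__main__":
    hops = parse_tracert(TRACERT_NY_LA)
    print("largest RTT jump:", largest_rtt_jump(hops))              # (5, 6, 67)
    for window in (65_535, 262_144, 1_048_576):                      # assumed window sizes
        print(f"{window} B window at 72 ms -> {tcp_window_bound_mbps(window, 72):.1f} Mbit/s")
    print("window for 100 Mbit/s at 72 ms:", window_needed_bytes(100, 72), "bytes")
```

    A multi-stream download test will hide this limit, while a single large transfer shows it, so compare both when reproducing the 10/5 figure.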

    IPV4 /22 networks leasing to 3rd party

    Posted: 19 Apr 2018 10:24 AM PDT

    Has anyone here used one of the 3rd party brokers to lease out an unused /22 ipv4 network before? Looks like the going rate is $350USD/month for these. Any idea on the procedures for doing this (i.e. do I need to notify ARIN or do anything with it?)

    submitted by /u/EventualTitan97
    [link] [comments]

    Network Enclosure in X-Ray Room?

    Posted: 19 Apr 2018 02:07 PM PDT

    Would the x-rays interfere with the equipment? I can't seem to find solid advice one way or the other. I've seen PCs in the suites before, but those won't take down a whole wing if they crash.

    We're looking at a wall-mount enclosure with patch panels and a few switches, and possibly a small NAS. The X-ray is a basic DR table - not anything high-output like a CT or fluoro C-arm.

    The client wants the cabinet to live there so they don't sacrifice any other space, and they are worried about the noise putting it in office areas.

    submitted by /u/dwargo
    [link] [comments]

    Tools to create maintainable network diagrams?

    Posted: 18 Apr 2018 08:51 PM PDT

    I have during the years used Visio and/or Dia to create my network diagrams (mainly for documentation) but the graphical tools tend to take more and more time to deal with when you need to rearrange diagrams because you suddenly added another device, or for that matter when you end up with complex networks with plenty of network connections (that is, physical network diagrams) or plenty of link aggregations - quickly it becomes hard to see which cable goes where (or I'm just lacking the skillz to properly use Visio/Dia ;-)

    Using something like graphviz is something I'm looking forward to but I haven't managed to get any good output from this.

    Anyone in here using graphviz (or similar that is textbased tool where you define the connections and then "compile" into a pdf or such) successfully and can share good examples?

    I recently stumbpled upon the diagrams made by Cumulus on their documentation pages but I dunno if the graphviz reference is purely programmatically (that is they cheated by creating the diagram in Visio anyway) or if the picture shown at "Basic Topology Example" (https://docs.cumulusnetworks.com/display/DOCS/Prescriptive+Topology+Manager+-+PTM) actually is rendered/compiled through graphviz?

    If not (that is they cheated) the picture of the topology example is what I would define as a good looking and easy to understand physical network diagram, any of you who knows if its possible to use graphviz to create such?

    It doesn't necessarily need to have all the coloring (I'm happy with black/white rectangular boxes as devices).

    submitted by /u/Apachez
    [link] [comments]

    network design help 1

    Posted: 19 Apr 2018 04:29 AM PDT

    Hi all,

    I'm hoping for some help. Full disclosure, this is for an assignment, so please steer me in the right direction if I'm way off. I appreciate any help that I can get, and try not to laugh at some of my questions :)

    Task: Redesign a corporate network, key points:

    • All wired, no wireless permitted
    • VPN access is required for remote users
    • Currently uses public site-to-site VPN but would like a private WAN between offices
    • HQ needs a DMZ to provide a www server for public
    • Currently performance issues with the WAN, it's a slow 1Mb link at the moment
    • WAN needs to be capable of voice and video to be added at a later date
    • Concerned about security
    • Unlimited budget
    • There is a domain controller at each site
    • Approx 60 users at Corporate
    • Approx 30 users per branch
    • Approx 15 remote access VPN users

    Here is a picture of what i've designed (rough draft): https://imgur.com/a/zKEzTpu

    Notes:

    • Use vlans: office, infrastructure, management
    • Use EIGRP for the routers
    • Use stack switches, one stack for servers and network and another for access
    • Connect stacks via etherchannel

    Suggested hardware:

    • Cisco ASA 5555-X Firewalls Why: Clustering VPN FirePower

    https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html

    • Cisco 4431 ISR routers Why: Redundant PSU's More ports zbfw and firepower

    https://www.cisco.com/c/en/us/products/routers/4000-series-integrated-services-routers-isr/models-comparison.html

    • Cisco 9300 48 port stacks Why: Stackable Lots of ports 48P with POE+ Opt with secondary PSU

    https://www.cisco.com/c/en/us/products/switches/catalyst-9300-series-switches/index.html

    Security notes:

    • EIGRP with MD5 passwords
    • Enable firewall on ISRs?
    • Use firepower?
    • Disable VTP
    • Shutdown unused ports
    • Enable port security sticky-mac
    • Multi factor auth for VPN users
    • Enable banners and domain authentication for all Cisco devices
    • Enable syslog
    • Enable snmp with password
    • Backup configs somewhere?

    Questions:

    1. Private WAN, I had originally thought I would get the provider to connect the sites by providing an Ethernet cable and some IPs for the company. The routers would communicate routes via BGP and it would be some sort of 10Mb link or thereabouts. But everywhere I keep seeing MPLS; from what I've read it labels packets and sends them via the path on the ISP's network? I'm a little lost at what I need to do as the customer to make this work from my CE at a high level?

    2. Firewalls, I have been going around in circles. The Cisco ISRs have firewalls built in but I can't quite work out if it's a normal firewall or somehow limited. I would think it's better to have a separate firewall vs an integrated one, or possibly use both? Firewall placement has got me a little confused here; I would have thought the very outer edge to the ISP makes sense but most designs are just inside the customer router.

    3. Security design, I'd like to go off some sort of best practice; as per my picture I'm heading towards the zoning design. Is this still current, is there a new and improved design practice?

    https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

    4. Internet connection, would the ISP usually provide access to the internet via the one connection? Is it better to have one connection for the private WAN link and one for public internet? I'd like to push the traffic through some sort of filter first; I read the firewalls I've selected can do filtering, is that what others would normally do? As far as branches accessing the internet, it would go via the WAN and back out the corporate internet connection.

    5. I've gone with a hierarchical design approach with collapsed core and dist; considering there are no budget constraints, is it generally better to separate it out? Is this still the best approach or is there another way?

    http://study-ccna.com/cisco-three-layer-hierarchical-model/

    6. QoS, I'm still trying to get my head around QoS, but I'm thinking it should be used for at least the servers at this point and give them priority; when I think of QoS I usually think of IP phones. Would you give priority to servers over users in this design? Any other considerations?

    Any links to best practices or designs welcome, I'm pretty green in this space. I'm just trying to get the high level stuff sorted and will drill down into further detail as I go.

    Thanks in advance.

    submitted by /u/popotatoe
    [link] [comments]

    Blackhole device WiFi traffic from 1 Cisco WAP - Looking for suggestions

    Posted: 19 Apr 2018 11:53 AM PDT

    Hello -

    I'm looking for suggestions and hoping to get some thoughts.

    My problem is that we have employees spending far too long in the restroom, we believe on the internet on their phones. Only 4 stalls for 100+ employees has made this a bit of a challenge.

    I've been asked to find a way to limit connectivity to the room, in hopes of limiting time people are spending in the stalls. We run a WLC 2504 with 3 access points covering ~12K sq ft (open floorplan). I was thinking about installing an additional access point into the room with the intention of forcing all WiFi connections onto that AP but am wondering how I could then just blackhole that traffic. I'm not looking to impact device connectivity throughout the rest of the space so changing routes/dns/etc. may not be feasible.

    Short of building a Faraday cage or a signal jammer, does anyone have any thoughts or suggestions?

    Thanks in advance!

    submitted by /u/TM-44
    [link] [comments]

    Access points installed in elevators

    Posted: 18 Apr 2018 10:38 PM PDT

    Recently visited a customer that has APs physically installed in moving elevators. Now I never thought about it and, to be honest, it is the first time that I have seen this. The rationale behind it was to ensure signal coverage for people inside the elevator, but I think it is actually going to create more problems than it resolves, because you have continuous movement of APs up and down. Any experience? Thanks

    submitted by /u/Edmondo_Dantes
    [link] [comments]

    Documentation Request - Application dependency firewall template

    Posted: 19 Apr 2018 09:19 AM PDT

    Hey /r/networking,

    One of the most frustrating things in my job is working with other teams (Dev, DevOps, Systems, etc) and trying to pull firewall rules for how their new App works, especially during acquisitions of smaller companies.

    I know there are paid software/client tools as well as physical appliances that do this... however what I'm looking for is just a documentation template or similar that I can hand to the other side of these projects and help walk them through the 'firewall conversations' that happen in their app flow like DNS lookups, outbound internet access, web tier (internet facing) to DB and to App tiers, DB to App tiers, etc.

    I did a few differently worded google searches but didn't find anything useful, if it doesn't exist maybe I'll try to make something and post it for consumption.

    Give me your thoughts, feedback and post any documentation templates!

    submitted by /u/mog44net
    [link] [comments]

    Tip for documenting rack (rackdiagram)

    Posted: 18 Apr 2018 08:40 PM PDT

    Perhaps I'm late on this story but I found out the other day that rackdiag (part of nwdiag, which is part of blockdiag, which is a Python package) is a great tool to document rack designs and wanted to share my finding with the community (assuming more people than me will sooner or later end up having to document stuff).

    If you are on an Ubuntu/Debian installation you can do this to install the needed python-package:

    sudo apt-get install python3-nwdiag 

    and then this if you want to use more familiar fonts:

    sudo apt-get install ttf-mscorefonts-installer 

    Then you create a file with a filename of your choice (example.diag) which you fill with (for example):

    rackdiag {
      // define height of rack
      42U;
      // define width of rack, 1RU to 19" ratio
      node_width = 434;
      // define description of rack
      description = "RACK 1";
      // define rack units
      42: PATCHPANEL SMF 48xLC
      41: PATCHPANEL MMF 48xLC
      40: R1
      39: N/A
      38: R2
      37: N/A
      36: N/A
      35: N/A
      34: N/A
      33: N/A
      32: N/A
      31: N/A
      30: N/A
      29: N/A
      28: N/A
      27: N/A
      26: N/A
      25: N/A
      24: N/A
      23: N/A
      22: N/A
      21: N/A
      20: KVM
      //19: N/A
      18: SERVER1 [2U]
      //17: N/A
      16: SERVER2 [2U]
      15: SW1
      15: SW2
      14: N/A
      13: N/A
      12: N/A
      11: N/A
      10: N/A
      9: N/A
      8: N/A
      7: N/A
      6: N/A
      5: N/A
      4: N/A
      3: N/A
      2: N/A
      1: N/A
    }

    Then to compile the above example.diag into a pdf-file you can use this in your command line:

    rackdiag3 -T pdf -a -f /usr/share/fonts/truetype/msttcorefonts/verdana.ttf example.diag 

    You can also output in png or svg by changing "-T pdf" into "-T svg" or such.

    The above will look like this:

    http://interactive.blockdiag.com/rackdiag/?compression=deflate&src=eJxVkEFrg0AQhe_7KwbPBTPjNjWWHEQshcQQtKaHEkKIJi4FLcbSQul_7wafaTw9dt_M995uuz-8F2Z_oh-lXJeK8mjqkqrSnKqOmiO11lda8sdb-8sUXTW4d8RpTl1DPHPsRWcaVTdFueuH5qQ9PVouyvOhNR92rr4G3N7NyUnDaEHsjNYuc_RZm-5s6wS0Dl-i53W4ipeUJU-k_e9lpDSPjOTfmASUsvJmAa3cUHm-PYryHnCcQu-hGupBBcrQSa8CnPhQ8AQ8AU_AE_AEPAFPLG-xSexjGUS2xCxON3HK9Cb59mIBztPBkt5im5K9MlQUI42RxkhjpDHaIwrdQUdzFB_-ATWx34v6VX9aHoiE

    Documentation is available at http://blockdiag.com/en/

    submitted by /u/Apachez
    [link] [comments]

    ISE Tacacs help!!

    Posted: 19 Apr 2018 02:29 AM PDT

    Morning guys, We have been testing tacacs using ISE. Got authentication working but when logging on at privilege level 15 it drops into user exec mode rather than privilege exec :(

    Been though all the settings but can't seem to get it to work.

    Any ideas would be much appreciated.

    submitted by /u/Bigair454
    [link] [comments]

    Anyone doing SD-WAN with multi-connectivity into CoLo/peering/exchange sites ...

    Posted: 19 Apr 2018 06:11 AM PDT

    ... vs traditional MPLS & Internet, i.e. is anyone dual connecting remote offices, globally, into large exchanges, where they bring the MPLS, Internet, cloud connectivity (and consume security services)? Additional Q: are you also hosting in those locations (Co-Lo)?

    submitted by /u/ntwrk-guy
    [link] [comments]

    native L2TP/IPSec not working after Windows 10 Spring Update

    Posted: 19 Apr 2018 01:51 AM PDT

    Regular L2TP/IPSec VPN with PSK in Windows 10 to a Cisco ASA 5506-X. After the update, the connection is terminated directly after connecting successfully (phase 2). Anyone experiencing the same or similar issues with the native Windows 10 VPN client?

    submitted by /u/flatman7020
    [link] [comments]

    Branch office PoE switches with little inter-switch traffic: 1x48 vs 2x24 port?

    Posted: 19 Apr 2018 02:05 AM PDT

    I'm debating 1x48 port vs 2x24 port PoE switch configuration for branch offices where I need more than a single 24 port switch. Space in rack, power outlets, and few ports lost going 2x24 would not be a concern. Switches will be HP 2530G.

    If I uplink each switch through the firewall (1 per switch), the only inter-switch traffic through the firewall's interface would be for printing, and that would only be for users on the switch not connected to the printer. No concern with traffic in terms of firewall load. All remaining traffic is out through the internet; there are no other local services. Even if I uplink the switches to each other, then a single GbE port out to the firewall, I honestly don't have any concern about the inter-switch traffic, as the internet connection at these locations is going to be 150/20Mbps or less, so there's just no way to max out a single uplink short of some local computer-to-computer transfer we may need to do for some random reason.

    I like the redundancy aspect of 2x24 switches, so that should one switch fail, at least I can keep part of the office up. That being said, there would be a SPOF in many other areas--firewall, power, internet, so it's minimal redundancy gained. I also recognize that in offices that only need a single 24 port switch, I have switch SPOF, and the majority of the office are single switch.

    Opinion on which way to go and why?

    submitted by /u/HDClown
    [link] [comments]

    FreeRadius BYOD auth

    Posted: 18 Apr 2018 06:22 PM PDT

    Hi there,

    My company asked me to implement BYOD for our employees throughout our main location + 36 branches. They would like something pretty "simple", like: Employee creds OK > MAC known > connected to secure network, or Employee creds OK > MAC not known > dumped onto BYOD network.

    I was thinking about using FreeRadius to do so, however I have very little knowledge about it and I found that it is not very easy to find proper documentation online.

    Do you guys have any recommendations?

    Cheers!

    Xzi.

    submitted by /u/xzi_vzs
    [link] [comments]
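    The decision the post describes, as an added example (my Python model, not the poster's setup and not FreeRADIUS's own code) of what the policy has to return to the switch or controller: after a successful credential check, the client's MAC from Calling-Station-Id is normalised and looked up, and the reply carries the three tunnel attributes that place the session in a VLAN (Tunnel-Type VLAN = 13 and Tunnel-Medium-Type IEEE-802 = 6 per RFC 2868/3580). Normalising first matters because Calling-Station-Id arrives in whatever format the NAS vendor uses. In FreeRADIUS this logic lives in unlang in the post-auth section, typically with a files module keyed on Calling-Station-Id; the VLAN ids and the MAC inventory here are assumptions.

```python
import re
from typing import Dict, Optional, Set

# RADIUS tunnel attribute values for dynamic VLAN assignment (RFC 2868 / RFC 3580).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6

SECURE_VLAN = "10"   # assumed VLAN id of the corporate network
BYOD_VLAN = "20"     # assumed VLAN id of the BYOD network

# Constructed inventory of company-owned devices, stored in one canonical form.
KNOWN_MACS: Set[str] = {"001122334455", "aabbccddeeff"}


def normalize_mac(calling_station_id: Optional[str]) -> Optional[str]:
    """Reduce the Calling-Station-Id formats NASes send (00-11-22-33-44-55,
    00:11:22:33:44:55, 0011.2233.4455) to 12 lowercase hex digits, or None
    when the attribute is missing or does not contain a MAC at all."""
    if not calling_station_id:
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id).lower()
    return digits if len(digits) == 12 else None


def radius_reply(credentials_ok: bool,
                 calling_station_id: Optional[str]) -> Optional[Dict[str, object]]:
    """Decide the reply for one 802.1X session.

    None means Access-Reject (bad credentials); otherwise the attributes an
    Access-Accept needs so the NAS puts the client in the chosen VLAN.  A known
    MAC never rescues a failed login, and an unknown or absent MAC lands in BYOD.
    """
    if not credentials_ok:
        return None
    mac = normalize_mac(calling_station_id)
    vlan = SECURE_VLAN if mac is not None and mac in KNOWN_MACS else BYOD_VLAN
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
        "Tunnel-Private-Group-Id": vlan,
    }


if __name__ == "__main__":
    print(radius_reply(True, "00-11-22-33-44-55"))   # corporate laptop -> VLAN 10
    print(radius_reply(True, "de:ad:be:ef:00:01"))   # personal phone  -> VLAN 20
    print(radius_reply(False, "00-11-22-33-44-55"))  # wrong password  -> None
```

    Keep in mind that a MAC is a weak identifier: it is trivially cloned, so this check only sorts known from unknown devices once the user has already authenticated, it does not authenticate the device.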

    Anyone remember the Microsoft bluetooth alternative from 2000?

    Posted: 18 Apr 2018 07:42 PM PDT

    I remember seeing a demo back in 2000, developed at Microsoft Cambridge (UK) with collaboration from Microsoft Harvard (USA), where they had developed a network that was superior to Bluetooth. It was hugely faster, had a range 100s of times the distance, was more reliable, could even locate based on signal strength and was capable of establishing its own network. The demo I saw showed how stores would know you were outside that store and could message you with offers available in that store. It also showed two people private messaging each other from almost a mile apart just using this tech. I've searched everywhere and can't find any info on it. All I remember is the lead on it was called John and he attended Cambridge University.

    What was this called and what happened to it? Can you imagine how advanced this would be now; this was almost 20 years ago, you don't just shelve this kind of tech. I've searched the Cambridge PhD papers too and can't find anything about it either.

    submitted by /u/thisisgettingworse
    [link] [comments]

    I'm paying $60/yr for Dyn Standard on an IP that might change once a year. Any alternatives?

    Posted: 19 Apr 2018 12:43 AM PDT

    I also pay them $75/5yrs for a .net domain name registration.

    I like my domain name which I want to keep and maybe switch it to another registrar in a few years before it expires, preferably one with their own DDNS service.

    Otherwise, the only part of the "dyn standard" package that I really use is the DDNS service. I'm sure there's another DDNS provider that has better pricing and would make it easy to switch to while maintaining the domain name I have registered for.

    Any suggestions would be greatly appreciated. I don't have a lot of experience with domains and registrars; I used Dyn's free service with a subdomain for many years before I wanted to get my own proper domain name. I basically just use this for personal and friends' usage to access a couple of services on completely non-standard ports.

    submitted by /u/A_Large_Polar_Bear
    [link] [comments]
